Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 2711 2019-03-10 23:23:31Z tom.houdayer $
|
2 |
# $Id: alcasar.sh 2724 2019-05-05 19:05:53Z rexy $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
# team@alcasar.net
|
7 |
# team@alcasar.net
|
Line 104... |
Line 104... |
104 |
done
|
104 |
done
|
105 |
if [ "$response" = "n" ] || [ "$response" = "N" ]
|
105 |
if [ "$response" = "n" ] || [ "$response" = "N" ]
|
106 |
then
|
106 |
then
|
107 |
exit 1
|
107 |
exit 1
|
108 |
fi
|
108 |
fi
|
109 |
}
|
109 |
} # End of license()
|
110 |
|
110 |
|
111 |
header_install ()
|
111 |
header_install()
|
112 |
{
|
112 |
{
|
113 |
clear
|
113 |
clear
|
114 |
echo "-----------------------------------------------------------------------------"
|
114 |
echo "-----------------------------------------------------------------------------"
|
115 |
echo " ALCASAR V$VERSION Installation"
|
115 |
echo " ALCASAR V$VERSION Installation"
|
116 |
echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
|
116 |
echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
|
117 |
echo "-----------------------------------------------------------------------------"
|
117 |
echo "-----------------------------------------------------------------------------"
|
118 |
}
|
- |
|
- |
|
118 |
} # End of header_install()
|
119 |
|
119 |
|
120 |
########################################################
|
120 |
########################################################
|
121 |
## Function "testing" ##
|
121 |
## Function "testing" ##
|
122 |
## - Test Mageia version ##
|
122 |
## - Test Mageia version ##
|
123 |
## - Test ALCASAR version (if already installed) ##
|
123 |
## - Test ALCASAR version (if already installed) ##
|
Line 253... |
Line 253... |
253 |
else echo "External interface (Internet) used: $EXTIF"
|
253 |
else echo "External interface (Internet) used: $EXTIF"
|
254 |
fi
|
254 |
fi
|
255 |
|
255 |
|
256 |
if [ -z "$INTIF" ]; then
|
256 |
if [ -z "$INTIF" ]; then
|
257 |
interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
|
257 |
interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
|
258 |
interfacesCount=$(echo "$interfacesList" | wc -l)
|
258 |
interfacesCount=$(echo "$interfacesList" | wc -w)
|
259 |
if [ $interfacesCount -eq 0 ]; then
|
259 |
if [ $interfacesCount -eq 0 ]; then
|
260 |
if [ "$Lang" == 'fr' ]
|
260 |
if [ "$Lang" == 'fr' ]
|
261 |
then echo "Aucune interface de disponible pour le réseau interne"
|
261 |
then echo "Aucune interface de disponible pour le réseau interne"
|
262 |
else echo "No interface available for the internal network"
|
262 |
else echo "No interface available for the internal network"
|
263 |
fi
|
263 |
fi
|
Line 265... |
Line 265... |
265 |
elif [ $interfacesCount -eq 1 ]; then
|
265 |
elif [ $interfacesCount -eq 1 ]; then
|
266 |
INTIF="$interfacesList"
|
266 |
INTIF="$interfacesList"
|
267 |
else
|
267 |
else
|
268 |
interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
|
268 |
interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
|
269 |
interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
|
269 |
interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
|
270 |
|
- |
|
271 |
if [ "$Lang" == 'fr' ]
|
270 |
if [ "$Lang" == 'fr' ]
|
272 |
then echo 'Liste des interfaces disponible :'
|
271 |
then echo 'Liste des interfaces disponible :'
|
273 |
else echo 'List of available interfaces:'
|
272 |
else echo 'List of available interfaces:'
|
274 |
fi
|
273 |
fi
|
275 |
echo "$interfacesSorted"
|
274 |
echo "$interfacesSorted"
|
Line 414... |
Line 413... |
414 |
echo "Verify the DNS IP addresses"
|
413 |
echo "Verify the DNS IP addresses"
|
415 |
fi
|
414 |
fi
|
416 |
exit 1
|
415 |
exit 1
|
417 |
fi
|
416 |
fi
|
418 |
echo ". : ok"
|
417 |
echo ". : ok"
|
419 |
} # end of testing ()
|
418 |
} # End of testing()
|
420 |
|
419 |
|
421 |
#######################################################################
|
420 |
#######################################################################
|
422 |
## Function "init" ##
|
421 |
## Function "init" ##
|
423 |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
|
422 |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
|
424 |
## - Creation of random password for GRUB, mariadb (admin and user) ##
|
423 |
## - Creation of random password for GRUB, mariadb (admin and user) ##
|
Line 939... |
Line 938... |
939 |
$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
|
938 |
$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
|
940 |
$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
|
939 |
$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
|
941 |
$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
|
940 |
$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
|
942 |
$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed
|
941 |
$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed
|
943 |
[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
|
942 |
[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
|
- |
|
943 |
[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
|
944 |
/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
|
944 |
/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
|
945 |
/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
|
945 |
/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
|
946 |
/usr/bin/systemctl start mysqld
|
946 |
/usr/bin/systemctl start mysqld
|
947 |
nb_round=1
|
947 |
nb_round=1
|
948 |
while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
|
948 |
while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
|
Line 955... |
Line 955... |
955 |
echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
|
955 |
echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
|
956 |
exit
|
956 |
exit
|
957 |
fi
|
957 |
fi
|
958 |
# Secure the server
|
958 |
# Secure the server
|
959 |
/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
|
959 |
/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
|
960 |
|
- |
|
961 |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
|
960 |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
|
962 |
$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
|
961 |
$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
|
963 |
$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
|
962 |
$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
|
964 |
# Create 'radius' database
|
963 |
# Create 'radius' database
|
965 |
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
|
964 |
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
|
Line 1047... |
Line 1046... |
1047 |
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
|
1046 |
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
|
1048 |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
|
1047 |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
|
1049 |
/usr/bin/systemctl daemon-reload
|
1048 |
/usr/bin/systemctl daemon-reload
|
1050 |
# Allow apache to change some conf files (ie : ldap on/off)
|
1049 |
# Allow apache to change some conf files (ie : ldap on/off)
|
1051 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1050 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1052 |
} # End freeradius ()
|
1051 |
} # End of freeradius()
|
1053 |
|
1052 |
|
1054 |
#############################################################################
|
1053 |
#############################################################################
|
1055 |
## Function "chilli" ##
|
1054 |
## Function "chilli" ##
|
1056 |
## - Creation of the conf file and init file (systemd) for coova-chilli ##
|
1055 |
## - Creation of the conf file and init file (systemd) for coova-chilli ##
|
1057 |
## - Adapt the authentication web page (intercept.php) ##
|
1056 |
## - Adapt the authentication web page (intercept.php) ##
|
Line 1415... |
Line 1414... |
1415 |
|
1414 |
|
1416 |
[Install]
|
1415 |
[Install]
|
1417 |
WantedBy=multi-user.target
|
1416 |
WantedBy=multi-user.target
|
1418 |
EOF
|
1417 |
EOF
|
1419 |
|
1418 |
|
1420 |
} # end of tinyproxy
|
1419 |
} # end of tinyproxy()
|
- |
|
1420 |
|
1421 |
##############################################################################
|
1421 |
##############################################################
|
1422 |
## function "ulogd" ##
|
1422 |
## function "ulogd" ##
|
1423 |
## - Ulog config for multi-log files ##
|
1423 |
## - Ulog config for multi-log files ##
|
1424 |
##############################################################################
|
1424 |
##############################################################
|
1425 |
ulogd ()
|
1425 |
ulogd()
|
1426 |
{
|
1426 |
{
|
1427 |
# Three instances of ulogd (three different logfiles)
|
1427 |
# Three instances of ulogd (three different logfiles)
|
1428 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
1428 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
1429 |
nl=1
|
1429 |
nl=1
|
Line 1444... |
Line 1444... |
1444 |
chown -R root:apache /var/log/firewall
|
1444 |
chown -R root:apache /var/log/firewall
|
1445 |
chmod 750 /var/log/firewall
|
1445 |
chmod 750 /var/log/firewall
|
1446 |
chmod 640 /var/log/firewall/*
|
1446 |
chmod 640 /var/log/firewall/*
|
1447 |
} # End of ulogd ()
|
1447 |
} # End of ulogd()
|
1448 |
|
1448 |
|
1449 |
|
- |
|
1450 |
##########################################################
|
1449 |
##########################################################
|
1451 |
## Function "nfsen" ##
|
1450 |
## Function "nfsen" ##
|
1452 |
## - install the nfsen grapher ##
|
1451 |
## - install the nfsen grapher ##
|
1453 |
## - install the two plugins porttracker & surfmap ##
|
1452 |
## - install the two plugins porttracker & surfmap ##
|
1454 |
##########################################################
|
1453 |
##########################################################
|
Line 1510... |
Line 1509... |
1510 |
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
|
1509 |
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
|
1511 |
# cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
|
1510 |
# cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
|
1512 |
# cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
|
1511 |
# cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
|
1513 |
# tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
|
1512 |
# tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
|
1514 |
# cd /tmp/
|
1513 |
# cd /tmp/
|
1515 |
# /usr/bin/sh SURFmap/install.sh
|
1514 |
# /usr/bin/sh SURFmap/install.sh (no more used since Google sells the access to googleMap API)
|
1516 |
# clear the installation
|
1515 |
# clear the installation
|
1517 |
# rm -rf /tmp/SURFmap*
|
1516 |
# rm -rf /tmp/SURFmap*
|
1518 |
rm -rf /tmp/nfsen-*
|
1517 |
rm -rf /tmp/nfsen-*
|
1519 |
cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
|
1518 |
cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
|
1520 |
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
|
1519 |
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
|
Line 1531... |
Line 1530... |
1531 |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
|
1530 |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
|
1532 |
[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
|
1531 |
[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
|
1533 |
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
|
1532 |
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
|
1534 |
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
|
1533 |
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
|
1535 |
/usr/bin/vnstat -i $EXTIF -u --force
|
1534 |
/usr/bin/vnstat -i $EXTIF -u --force
|
1536 |
} # End of vnstat
|
1535 |
} # End of vnstat()
|
1537 |
|
1536 |
|
1538 |
##################################################################
|
1537 |
###################################################################
|
1539 |
## Function "dnsmasq" ##
|
1538 |
## Function "dnsmasq" ##
|
1540 |
## - creation of the conf files of the 4 intances of dnsmasq ##
|
1539 |
## - creation of the conf files of dnsmasq (whitelist for ipset )##
|
1541 |
## - creation of the file managing domain name (local & remote) ##
|
- |
|
1542 |
##################################################################
|
1540 |
###################################################################
|
1543 |
dnsmasq ()
|
1541 |
dnsmasq()
|
1544 |
{
|
1542 |
{
|
1545 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
1543 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
1546 |
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
|
1544 |
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
|
1547 |
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
|
1545 |
# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
|
1548 |
cat << EOF > /etc/dnsmasq-whitelist.conf
|
1546 |
cat << EOF > /etc/dnsmasq-whitelist.conf
|
1549 |
# Configuration file for "dnsmasq with whitelist"
|
1547 |
# Configuration file for "dnsmasq with whitelist"
|
1550 |
# ADD Toulouse university whitelist domains
|
1548 |
# ADD Toulouse university whitelist domains
|
1551 |
pid-file=/var/run/dnsmasq-whitelist.pid
|
1549 |
pid-file=/var/run/dnsmasq-whitelist.pid
|
1552 |
listen-address=127.0.0.1
|
1550 |
listen-address=127.0.0.1
|
Line 1560... |
Line 1558... |
1560 |
filterwin2k
|
1558 |
filterwin2k
|
1561 |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
|
1559 |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
|
1562 |
server=$DNS1
|
1560 |
server=$DNS1
|
1563 |
server=$DNS2
|
1561 |
server=$DNS2
|
1564 |
EOF
|
1562 |
EOF
|
1565 |
|
- |
|
1566 |
# Create dnsmasq-whitelist unit
|
1563 |
# Create dnsmasq-whitelist unit
|
1567 |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
|
1564 |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
|
1568 |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
|
1565 |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
|
1569 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1566 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1570 |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1567 |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1571 |
} # End dnsmasq
|
1568 |
} # End of dnsmasq()
|
1572 |
|
1569 |
|
1573 |
##################################################
|
1570 |
#########################################################
|
1574 |
## Function "unbound" ##
|
1571 |
## Function "unbound" ##
|
- |
|
1572 |
## - create the conf files for 4 unbound services ##
|
- |
|
1573 |
## - create the systemd files for 4 unbound services ##
|
1575 |
##################################################
|
1574 |
#########################################################
|
1576 |
unbound ()
|
1575 |
unbound ()
|
1577 |
{
|
1576 |
{
|
1578 |
[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
|
1577 |
[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
|
1579 |
[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
|
1578 |
[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
|
1580 |
[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
|
1579 |
[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
|
Line 1583... |
Line 1582... |
1583 |
[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
|
1582 |
[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
|
1584 |
[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
|
1583 |
[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
|
1585 |
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
|
1584 |
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
|
1586 |
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
|
1585 |
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
|
1587 |
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
|
1586 |
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
|
1588 |
|
- |
|
1589 |
# Local static DNS configuration
|
1587 |
# Local static DNS configuration
|
1590 |
[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
|
1588 |
[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
|
1591 |
|
1589 |
|
1592 |
# Forward zone configuration file for all unbound dns servers
|
1590 |
# Forward zone configuration file for all unbound dns servers
|
1593 |
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
|
1591 |
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
|
Line 1659... |
Line 1657... |
1659 |
server:
|
1657 |
server:
|
1660 |
verbosity: 1
|
1658 |
verbosity: 1
|
1661 |
hide-version: yes
|
1659 |
hide-version: yes
|
1662 |
hide-identity: yes
|
1660 |
hide-identity: yes
|
1663 |
do-ip6: no
|
1661 |
do-ip6: no
|
1664 |
|
- |
|
1665 |
include: /etc/unbound/conf.d/common/forward-zone.conf
|
1662 |
include: /etc/unbound/conf.d/common/forward-zone.conf
|
1666 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1663 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1667 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1664 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1668 |
include: /etc/unbound/conf.d/forward/*
|
1665 |
include: /etc/unbound/conf.d/forward/*
|
1669 |
EOF
|
1666 |
EOF
|
Line 1687... |
Line 1684... |
1687 |
do-ip6: no
|
1684 |
do-ip6: no
|
1688 |
logfile: "/var/log/unbound/unbound-blacklist.log"
|
1685 |
logfile: "/var/log/unbound/unbound-blacklist.log"
|
1689 |
chroot: ""
|
1686 |
chroot: ""
|
1690 |
define-tag: "blacklist"
|
1687 |
define-tag: "blacklist"
|
1691 |
log-local-actions: yes
|
1688 |
log-local-actions: yes
|
1692 |
|
- |
|
1693 |
include: /etc/unbound/conf.d/common/forward-zone.conf
|
1689 |
include: /etc/unbound/conf.d/common/forward-zone.conf
|
1694 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1690 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1695 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1691 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1696 |
include: /etc/unbound/conf.d/blacklist/*
|
1692 |
include: /etc/unbound/conf.d/blacklist/*
|
1697 |
|
- |
|
1698 |
include: /usr/local/share/unbound-bl-enabled/*
|
1693 |
include: /usr/local/share/unbound-bl-enabled/*
|
1699 |
EOF
|
1694 |
EOF
|
1700 |
|
1695 |
|
1701 |
# Configuration file for $INTIF of whitelist unbound
|
1696 |
# Configuration file for $INTIF of whitelist unbound
|
1702 |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
|
1697 |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
|
Line 1715... |
Line 1710... |
1715 |
hide-version: yes
|
1710 |
hide-version: yes
|
1716 |
hide-identity: yes
|
1711 |
hide-identity: yes
|
1717 |
do-ip6: no
|
1712 |
do-ip6: no
|
1718 |
do-not-query-localhost: no
|
1713 |
do-not-query-localhost: no
|
1719 |
define-tag: "whitelist"
|
1714 |
define-tag: "whitelist"
|
1720 |
|
- |
|
1721 |
local-zone: "." transparent
|
1715 |
local-zone: "." transparent
|
1722 |
local-zone-tag: "." "whitelist"
|
1716 |
local-zone-tag: "." "whitelist"
|
1723 |
|
- |
|
1724 |
include: /usr/local/share/unbound-wl-enabled/*
|
1717 |
include: /usr/local/share/unbound-wl-enabled/*
|
1725 |
include: /etc/unbound/conf.d/whitelist/*
|
1718 |
include: /etc/unbound/conf.d/whitelist/*
|
1726 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1719 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1727 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1720 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1728 |
|
- |
|
1729 |
forward-zone:
|
1721 |
forward-zone:
|
1730 |
name: "."
|
1722 |
name: "."
|
1731 |
forward-addr: 127.0.0.1@55
|
1723 |
forward-addr: 127.0.0.1@55
|
1732 |
EOF
|
1724 |
EOF
|
1733 |
|
1725 |
|
Line 1748... |
Line 1740... |
1748 |
server:
|
1740 |
server:
|
1749 |
verbosity: 1
|
1741 |
verbosity: 1
|
1750 |
hide-version: yes
|
1742 |
hide-version: yes
|
1751 |
hide-identity: yes
|
1743 |
hide-identity: yes
|
1752 |
do-ip6: no
|
1744 |
do-ip6: no
|
1753 |
|
- |
|
1754 |
include: /etc/unbound/conf.d/blackhole/*
|
1745 |
include: /etc/unbound/conf.d/blackhole/*
|
1755 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1746 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1756 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1747 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1757 |
EOF
|
1748 |
EOF
|
1758 |
|
1749 |
|
Line 1760... |
Line 1751... |
1760 |
then
|
1751 |
then
|
1761 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
|
1752 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
|
1762 |
fi
|
1753 |
fi
|
1763 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
|
1754 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
|
1764 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
|
1755 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
|
1765 |
|
- |
|
1766 |
for list in blacklist blackhole whitelist
|
1756 |
for list in blacklist blackhole whitelist
|
1767 |
do
|
1757 |
do
|
1768 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
|
1758 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
|
1769 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
|
1759 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
|
1770 |
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
|
1760 |
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
|
1771 |
done
|
1761 |
done
|
1772 |
|
- |
|
1773 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
|
1762 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
|
1774 |
} # End unbound
|
1763 |
} # End of unbound()
|
1775 |
|
1764 |
|
1776 |
##################################################
|
1765 |
##################################################
|
1777 |
## Function "dhcpd" ##
|
1766 |
## Function "dhcpd" ##
|
1778 |
##################################################
|
1767 |
##################################################
|
1779 |
dhcpd ()
|
1768 |
dhcpd()
|
1780 |
{
|
1769 |
{
|
1781 |
[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
|
1770 |
[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
|
1782 |
|
- |
|
1783 |
cat <<EOF > /etc/dhcpd.conf
|
1771 |
cat <<EOF > /etc/dhcpd.conf
|
1784 |
ddns-update-style none;
|
1772 |
ddns-update-style none;
|
1785 |
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
|
1773 |
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
|
1786 |
option routers $PRIVATE_IP;
|
1774 |
option routers $PRIVATE_IP;
|
1787 |
option subnet-mask $PRIVATE_NETMASK;
|
1775 |
option subnet-mask $PRIVATE_NETMASK;
|
1788 |
option domain-name-servers $PRIVATE_IP;
|
1776 |
option domain-name-servers $PRIVATE_IP;
|
1789 |
|
- |
|
1790 |
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
|
1777 |
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
|
1791 |
default-lease-time 21600;
|
1778 |
default-lease-time 21600;
|
1792 |
max-lease-time 43200;
|
1779 |
max-lease-time 43200;
|
1793 |
}
|
1780 |
}
|
1794 |
EOF
|
1781 |
EOF
|
1795 |
}
|
1782 |
} # End of dhcpd()
|
1796 |
|
1783 |
|
1797 |
##########################################################
|
1784 |
##########################################################
|
1798 |
## Function "BL" ##
|
1785 |
## Function "BL" ##
|
1799 |
## - copy Toulouse BL ##
|
1786 |
## - copy Toulouse BL ##
|
1800 |
## - adapt this BL to ALCASAR architecture ##
|
1787 |
## - adapt this BL to ALCASAR architecture ##
|
Line 1855... |
Line 1842... |
1855 |
# adapt the Toulouse BL to ALCASAR architecture
|
1842 |
# adapt the Toulouse BL to ALCASAR architecture
|
1856 |
$DIR_DEST_BIN/alcasar-bl.sh --adapt
|
1843 |
$DIR_DEST_BIN/alcasar-bl.sh --adapt
|
1857 |
# enable the default categories
|
1844 |
# enable the default categories
|
1858 |
$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
|
1845 |
$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
|
1859 |
rm -rf /tmp/blacklists
|
1846 |
rm -rf /tmp/blacklists
|
1860 |
} # End BL()
|
1847 |
} # End of BL()
|
1861 |
|
1848 |
|
1862 |
#######################################################
|
1849 |
#######################################################
|
1863 |
## Function "cron" ##
|
1850 |
## Function "cron" ##
|
1864 |
## - write all cron & anacron files ##
|
1851 |
## - write all cron & anacron files ##
|
1865 |
#######################################################
|
1852 |
#######################################################
|
Line 1937... |
Line 1924... |
1937 |
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
|
1924 |
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
|
1938 |
EOF
|
1925 |
EOF
|
1939 |
|
1926 |
|
1940 |
# removing the users crons
|
1927 |
# removing the users crons
|
1941 |
rm -f /var/spool/cron/*
|
1928 |
rm -f /var/spool/cron/*
|
1942 |
} # End cron()
|
1929 |
} # End of cron()
|
1943 |
|
1930 |
|
1944 |
######################################################################
|
1931 |
######################################################################
|
1945 |
## Fonction "Fail2Ban" ##
|
1932 |
## Fonction "Fail2Ban" ##
|
1946 |
##- Adapt conf file to ALCASAR ##
|
1933 |
##- Adapt conf file to ALCASAR ##
|
1947 |
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
|
1934 |
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
|
Line 1958... |
Line 1945... |
1958 |
# fail2ban unit
|
1945 |
# fail2ban unit
|
1959 |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
|
1946 |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
|
1960 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
|
1947 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
|
1961 |
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
|
1948 |
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
|
1962 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
|
1949 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
|
1963 |
} # End fail2ban()
|
1950 |
} # End of fail2ban()
|
1964 |
|
1951 |
|
1965 |
#########################################################
|
1952 |
#########################################################
|
1966 |
## Fonction "gammu_smsd" ##
|
1953 |
## Fonction "gammu_smsd" ##
|
1967 |
## - Creating of SMS management database ##
|
1954 |
## - Creating of SMS management database ##
|
1968 |
## - Write the gammu a gammu_smsd conf files ##
|
1955 |
## - Write the gammu a gammu_smsd conf files ##
|
Line 2047... |
Line 2034... |
2047 |
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
|
2034 |
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
|
2048 |
#EOF
|
2035 |
#EOF
|
2049 |
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
|
2036 |
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
|
2050 |
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
|
2037 |
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
|
2051 |
|
2038 |
|
2052 |
} # End gammu_smsd()
|
2039 |
} # End of gammu_smsd()
|
2053 |
|
2040 |
|
2054 |
############################################################
|
2041 |
############################################################
|
2055 |
## Fonction "msec" ##
|
2042 |
## Fonction "msec" ##
|
2056 |
## - Apply the "fileserver" security level ##
|
2043 |
## - Apply the "fileserver" security level ##
|
2057 |
## - remove the "system request" for rebboting ##
|
2044 |
## - remove the "system request" for rebboting ##
|
Line 2082... |
Line 2069... |
2082 |
EOF
|
2069 |
EOF
|
2083 |
# apply now hourly & daily checks
|
2070 |
# apply now hourly & daily checks
|
2084 |
/usr/sbin/msec
|
2071 |
/usr/sbin/msec
|
2085 |
/etc/cron.weekly/msec
|
2072 |
/etc/cron.weekly/msec
|
2086 |
|
2073 |
|
2087 |
} # End msec()
|
2074 |
} # End of msec()
|
2088 |
|
- |
|
2089 |
|
2075 |
|
2090 |
##################################################################
|
2076 |
##################################################################
|
2091 |
## Fonction "letsencrypt" ##
|
2077 |
## Fonction "letsencrypt" ##
|
2092 |
## - Install Let's Encrypt client ##
|
2078 |
## - Install Let's Encrypt client ##
|
2093 |
## - Prepare Let's Encrypt ALCASAR configuration file ##
|
2079 |
## - Prepare Let's Encrypt ALCASAR configuration file ##
|
Line 2136... |
Line 2122... |
2136 |
EOF
|
2122 |
EOF
|
2137 |
|
2123 |
|
2138 |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
|
2124 |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
|
2139 |
rm -rf /tmp/acme.sh-*
|
2125 |
rm -rf /tmp/acme.sh-*
|
2140 |
|
2126 |
|
2141 |
} # END letsencrypt()
|
2127 |
} # End of letsencrypt()
|
2142 |
|
2128 |
|
2143 |
##################################################################
|
2129 |
##################################################################
|
2144 |
## Fonction "post_install" ##
|
2130 |
## Fonction "post_install" ##
|
2145 |
## - Modifying banners (locals et ssh) & prompts ##
|
2131 |
## - Modifying banners (locals et ssh) & prompts ##
|
2146 |
## - SSH config ##
|
2132 |
## - SSH config ##
|
Line 2350... |
Line 2336... |
2350 |
then
|
2336 |
then
|
2351 |
read
|
2337 |
read
|
2352 |
fi
|
2338 |
fi
|
2353 |
clear
|
2339 |
clear
|
2354 |
reboot
|
2340 |
reboot
|
2355 |
} # End post_install ()
|
2341 |
} # End of post_install()
|
2356 |
|
2342 |
|
2357 |
#####################################################################################
|
2343 |
#####################################################################################
|
2358 |
# Main Install loop #
|
2344 |
# Main Install loop #
|
2359 |
#####################################################################################
|
2345 |
#####################################################################################
|
2360 |
dir_exec=`dirname "$0"`
|
2346 |
dir_exec=`dirname "$0"`
|
Line 2384... |
Line 2370... |
2384 |
-\? | -h* | --h*)
|
2370 |
-\? | -h* | --h*)
|
2385 |
echo "$usage"
|
2371 |
echo "$usage"
|
2386 |
exit 0
|
2372 |
exit 0
|
2387 |
;;
|
2373 |
;;
|
2388 |
-i | --install)
|
2374 |
-i | --install)
|
- |
|
2375 |
for func in license testing
|
- |
|
2376 |
do
|
2389 |
header_install
|
2377 |
header_install
|
- |
|
2378 |
$func
|
- |
|
2379 |
if [ $DEBUG_ALCASAR == "on" ]
|
2390 |
license
|
2380 |
then
|
- |
|
2381 |
echo "*** 'debug' : end of install '$func' ***"
|
2391 |
header_install
|
2382 |
read
|
- |
|
2383 |
fi
|
2392 |
testing
|
2384 |
done
|
2393 |
# RPMs install
|
2385 |
# RPMs install
|
2394 |
$DIR_SCRIPTS/alcasar-urpmi.sh
|
2386 |
$DIR_SCRIPTS/alcasar-urpmi.sh
|
2395 |
if [ "$?" != "0" ]
|
2387 |
if [ "$?" != "0" ]
|
2396 |
then
|
2388 |
then
|
2397 |
exit 0
|
2389 |
exit 0
|