WebSVN – ALCASAR – Diff – /alcasar.sh

 #!/bin/bash
-#  $Id: alcasar.sh 2835 2020-06-15 21:30:20Z rexy $
+#  $Id: alcasar.sh 2840 2020-06-27 22:35:40Z rexy $
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
 # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
 # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
 # Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
 # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
-# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
+# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
 # Options :
 #       -i or --install
 #       -u or --uninstall
 #	time_server		: NTPd configuration
 #	init_db			: Initilization of radius database managed with MariaDB
 #	freeradius		: FreeRadius initialisation
 #	chilli			: coovachilli initialisation (+authentication page)
 #	e2guardian		: E2Guardian filtering HTTP proxy configuration
-#	antivirus		: HAVP + libclamav configuration
+#	antivirus		: clamav & freshclam configuration
-#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
 #	ulogd			: log system in userland (match NFLOG target of iptables)
 #	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
 #	unbound			: Name server configuration
 #	dnsmasq			: Name server configuration (for whitelist ipset support)
 #	vnstat			: little network stat daemon
 	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
 	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
 # Adapt the main conf file
 # French deny HTML page
 	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
-# Listen only on LAN side
+# 2 filtergroups (8080 & 8090)
-	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
+	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
-# E2guardian listens on 8080 (HTTP)
+# Listen on 8080 (HTTP for BL users) only on LAN side
+	$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
 	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
+# Listen on 8090 (HTTP for WL/AV users) only on LAN side
+	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
+	$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
 # E2guardian listens transparently on 8443 (HTTPS)
 	$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
-# DG send its flow to HAVP (127.0.0.1:8090)
-	$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
-	$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
 # Don't log
 	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
 # Disable HTML content control (weighted & banned)
 	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
+# Enable authport plugin
+	$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
+	$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
+# Enable clamd scanner
+	$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
+# RAZ bannedphraselist
-    cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
+	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
 	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
 # Disable URL control with regex
     cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
 	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
-# Adapt the first group file (only one for instance)
+# Adapt the first group conf file
 	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
 # Reporting (deny page) in HTML
 	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
+# Copy the fist group conf file to the second
+	cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf2.conf
 # Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash...
 #	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
 #	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
 #	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
 #	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
 	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
 } # End of e2guardian()
 ##################################################################
 ##                     Function "antivirus"                     ##
-## - Set the parameters of havp, libclamav and freshclam        ##
+## - Set the parameters of clamav and freshclam                 ##
 ##################################################################
 antivirus()
+{
-# create 'havp' user
-	havp_exist=`grep -c ^havp: /etc/passwd`
-	if [ "$havp_exist" == "1" ]
+# Clamd adaptation to e2guardian
-	then
-		userdel -r havp 2>/dev/null
-		groupdel havp 2>/dev/null
-	fi
-	groupadd -f havp
-	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
-	mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav
-	chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp
-	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
-	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
+[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
-	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
+	$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
-	$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
-	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
-	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
-	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
-	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
-	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
-	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
-	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
-	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
-	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
-	$SED "s?^# SCANTEMPFILE.*?SCANTEMPFILE /var/tmp/havp/havp-XXXXXX?g" /etc/havp/havp.config		# Use our special tmp FS (memfs)
-	$SED "s?^# TEMPDIR.*?TEMPDIR /var/tmp/havp?g" /etc/havp/havp.config		# Use our special tmp FS (memfs)
-# skip checking of youtube flow (too heavy load / risk too low)
-	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
-	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
+	chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
-	echo "*.youtube.com/*" >> /etc/havp/whitelist
-# adapt init script and systemd unit
-	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
-	cp -f $DIR_CONF/havp-init /etc/init.d/havp
+	chmod 775 /var/log/clamav /var/lib/clamav
-    cp -f $DIR_CONF/havp.service /lib/systemd/system/
-	# replace of the intercept page (template)
+	chmod 664 /var/log/clamav/*
-	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
-	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
 # update virus database every 4 hours (24h/6)
 	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
 	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
 	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
 	$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
 	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
+	$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam
 # update now
 	/usr/bin/freshclam --no-warnings --quiet
 } # End of antivirus()
-################################################################################
-##                           Function "tinyproxy"                             ##
-## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
-################################################################################
-tinyproxy()
-{
-	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
-	if [ "$tinyproxy_exist" == "1" ]
-	then
-		userdel -r tinyproxy 2>/dev/null
-		groupdel tinyproxy 2>/dev/null
-	fi
-	groupadd -f tinyproxy
-	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
-	mkdir -p /run/tinyproxy /var/log/tinyproxy
-	chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
-	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
-	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
-	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
-	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
-	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
-	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
-	$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
-	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
-	$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
-	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
-	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
-# Create the systemd unit
-cat << EOF > /lib/systemd/system/tinyproxy.service
-#  This file is part of systemd.
-#
-#  systemd is free software; you can redistribute it and/or modify it
-#  under the terms of the GNU General Public License as published by
-#  the Free Software Foundation; either version 2 of the License, or
-#  (at your option) any later version.
-# This unit launches tinyproxy (a very light proxy).
-# The "sleep 2" is needed because the pid file isn't ready for systemd
-[Unit]
-Description=Tinyproxy Web Proxy Server
-After=network-online.target iptables.service
-[Service]
-Type=forking
-ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
-ExecStartPre=/bin/sleep 2
-PIDFile=/run/tinyproxy/tinyproxy.pid
-ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
-ExecStop=/usr/bin/killall -9 tinyproxy
-[Install]
-WantedBy=multi-user.target
-EOF
-} # end of tinyproxy()
 ##############################################################
 ##                            function "ulogd"              ##
 ## - Ulog config for multi-log files                        ##
 ##############################################################
 ulogd()
 ##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
 ######################################################################
 fail2ban()
+{
 	/usr/bin/sh $DIR_CONF/fail2ban.sh
-# allow reading of 2 log files (fail2ban & watchdog). HAVP is treated in its section
+# allow reading of 2 log files (fail2ban & watchdog).
 	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
 	[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
 	chmod 644 /var/log/fail2ban.log
 	chmod 644 /var/Save/security/watchdog.log
 	/usr/bin/touch /var/log/auth.log
 ## - log rotate & ANSSI security parameters                     ##
 ## - Apply former conf in case of an update                     ##
 ##################################################################
 post_install()
+{
-# change the SSH banner
+# change the SSHD options
 	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
 	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
 	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
 	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
 	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
 	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
-# postfix banner anonymisation
-	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
-	chown -R postfix:postfix /var/lib/postfix
-# sshd liste on EXTIF & INTIF
+# sshd listens on EXTIF & INTIF
 	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
 # sshd authorized certificate for root login
 	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
+	$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
+# postfix banner anonymisation
+	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
+	chown -R postfix:postfix /var/lib/postfix
 # ALCASAR conf file
 	echo "HTTPS_LOGIN=off" >> $CONF_FILE
 	echo "HTTPS_CHILLI=off" >> $CONF_FILE
 	echo "SSH=on" >> $CONF_FILE
 	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
 [Install]
 WantedBy=multi-user.target
 EOF
 	/usr/bin/systemctl daemon-reload
 # processes launched at boot time (Systemctl)
-	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
+	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
 	do
 		/usr/bin/systemctl -q enable $i.service
 	done
 # disable processes at boot time (Systemctl)
 # GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
 	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
 	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
 	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
 	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
-	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
+	vm_vga=`lsmod | egrep -c "virtio|vmwgfx|vbox"` # test if in VM
 	if [ $vm_vga == 0 ] # is not a VM
 	then
 		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
 		echo >> /etc/mageia-release
 		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
 				then echo "#### Installation avec mise à jour ####";
 				else echo "#### Installation with update     ####";
 			fi
 			mode="update"
 		fi
-		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
+		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
 		do
 			$func
 			if [ $DEBUG_ALCASAR == "on" ]
 			then
 				echo "*** 'debug' : end of install '$func' ***"

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 2835 → 2840