Subversion Repositories ALCASAR

Rev

Rev 2874 | Rev 2882 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2874 Rev 2881
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2874 2020-10-31 13:54:28Z rexy $
2
#  $Id: alcasar.sh 2881 2020-11-09 22:49:19Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
# Functions :
26
# Functions :
27
#	testing			: connectivity tests, free space test and mageia version test
27
#	testing			: connectivity tests, free space test and mageia version test
28
#	init			: Installation of RPM and scripts
28
#	init			: Installation of RPM and scripts
29
#	network			: Network parameters
29
#	network			: Network parameters
30
#	ACC				: ALCASAR Control Center installation
30
#	ACC				: ALCASAR Control Center installation
31
#	CA				: Certification Authority initialization
31
#	CA				: Certification Authority initialization
32
#	time_server		: NTPd configuration
32
#	time_server		: NTPd configuration
33
#	init_db			: Initilization of radius database managed with MariaDB
33
#	init_db			: Initilization of radius database managed with MariaDB
34
#	freeradius		: FreeRadius initialisation
34
#	freeradius		: FreeRadius initialisation
35
#	chilli			: coovachilli initialisation (+authentication page)
35
#	chilli			: coovachilli initialisation (+authentication page)
36
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
36
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
37
#	antivirus		: clamav & freshclam configuration
37
#	antivirus		: clamav & freshclam configuration
38
#	ulogd			: log system in userland (match NFLOG target of iptables)
38
#	ulogd			: log system in userland (match NFLOG target of iptables)
39
#	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
39
#	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
40
#	unbound			: Name server configuration
40
#	unbound			: Name server configuration
41
#	dnsmasq			: Name server configuration (for whitelist ipset support)
41
#	dnsmasq			: Name server configuration (for whitelist ipset support)
42
#	vnstat			: little network stat daemon
42
#	vnstat			: little network stat daemon
43
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
43
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
44
#	cron			: Logs export + watchdog + connexion statistics
44
#	cron			: Logs export + watchdog + connexion statistics
45
#	fail2ban		: Fail2ban IDS installation and configuration
45
#	fail2ban		: Fail2ban IDS installation and configuration
46
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
46
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
47
#	msec			: Mandriva security package configuration
47
#	msec			: Mandriva security package configuration
48
#	letsencrypt		: Let's Encrypt client
48
#	letsencrypt		: Let's Encrypt client
49
#	post_install	: Security, log rotation, etc.
49
#	post_install	: Security, log rotation, etc.
50
 
50
 
51
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
51
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
52
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
54
Lang=`echo $LANG|cut -c 1-2`
54
Lang=`echo $LANG|cut -c 1-2`
55
mode="install"
55
mode="install"
56
# ******* Files parameters - paramètres fichiers *********
56
# ******* Files parameters - paramètres fichiers *********
57
DIR_INSTALL=`pwd`						# current directory
57
DIR_INSTALL=`pwd`						# current directory
58
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
61
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
61
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
62
DIR_WEB="/var/www/html"					# directory of Lighttpd
62
DIR_WEB="/var/www/html"					# directory of Lighttpd
63
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
63
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
64
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
64
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
65
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
65
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
66
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
66
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
67
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
67
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
70
# ******* DBMS parameters - paramètres SGBD ********
70
# ******* DBMS parameters - paramètres SGBD ********
71
DB_RADIUS="radius"						# database name used by FreeRadius server
71
DB_RADIUS="radius"						# database name used by FreeRadius server
72
DB_USER="radius"						# user name allows to request the users database
72
DB_USER="radius"						# user name allows to request the users database
73
DB_GAMMU="gammu"						# database name used by Gammu-smsd
73
DB_GAMMU="gammu"						# database name used by Gammu-smsd
74
# ******* Network parameters - paramètres réseau *******
74
# ******* Network parameters - paramètres réseau *******
75
HOSTNAME="alcasar"						# default hostname
75
HOSTNAME="alcasar"						# default hostname
76
DOMAIN="localdomain"					# default local domain
76
DOMAIN="localdomain"					# default local domain
77
EXTIF=''								# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
EXTIF=''								# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
INTIF=''								# INTIF is connected to the consultation network
78
INTIF=''								# INTIF is connected to the consultation network
79
MTU="1500"
79
MTU="1500"
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
81
# ****** Paths - chemin des commandes *******
81
# ****** Paths - chemin des commandes *******
82
SED="/bin/sed -i"
82
SED="/bin/sed -i"
83
# ****************** End of global parameters *********************
83
# ****************** End of global parameters *********************
84
 
84
 
85
license()
85
license()
86
{
86
{
87
	if [ $Lang == "fr" ]
87
	if [ $Lang == "fr" ]
88
	then
88
	then
89
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
89
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
90
	else
90
	else
91
		cat $DIR_INSTALL/gpl-warning.txt | more
91
		cat $DIR_INSTALL/gpl-warning.txt | more
92
	fi
92
	fi
93
	response=0
93
	response=0
94
	PTN='^[oOyYnN]?$'
94
	PTN='^[oOyYnN]?$'
95
	until [[ "$response" =~ $PTN ]]
95
	until [[ "$response" =~ $PTN ]]
96
	do
96
	do
97
		if [ $Lang == "fr" ]
97
		if [ $Lang == "fr" ]
98
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
98
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
99
			else echo -n "Do you accept the terms of this license (Y/n)? : "
99
			else echo -n "Do you accept the terms of this license (Y/n)? : "
100
		fi
100
		fi
101
		read response
101
		read response
102
	done
102
	done
103
	if [ "$response" = "n" ] || [ "$response" = "N" ]
103
	if [ "$response" = "n" ] || [ "$response" = "N" ]
104
	then
104
	then
105
		exit 1
105
		exit 1
106
	fi
106
	fi
107
} # End of license()
107
} # End of license()
108
 
108
 
109
header_install()
109
header_install()
110
{
110
{
111
	clear
111
	clear
112
	echo "-----------------------------------------------------------------------------"
112
	echo "-----------------------------------------------------------------------------"
113
	echo "                     ALCASAR V$VERSION Installation"
113
	echo "                     ALCASAR V$VERSION Installation"
114
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
114
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
	echo "-----------------------------------------------------------------------------"
115
	echo "-----------------------------------------------------------------------------"
116
} # End of header_install()
116
} # End of header_install()
117
 
117
 
118
########################################################
118
########################################################
119
##              Function "testing_system"             ##
119
##              Function "testing_system"             ##
120
## - Test Mageia version                              ##
120
## - Test Mageia version                              ##
121
## - Test ALCASAR version (if already installed)      ##
121
## - Test ALCASAR version (if already installed)      ##
122
## - Test free space on /var  (>10G)                  ##
122
## - Test free space on /var  (>10G)                  ##
123
## - Test Internet access                             ##
123
## - Test Internet access                             ##
124
########################################################
124
########################################################
125
testing_system()
125
testing_system()
126
{
126
{
127
# Test of Mageia version
127
# Test of Mageia version
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
	fic=`cat /etc/product.id`
129
	fic=`cat /etc/product.id`
130
	unknown_os=0
130
	unknown_os=0
131
	old="$IFS"
131
	old="$IFS"
132
	IFS=","
132
	IFS=","
133
	set $fic
133
	set $fic
134
	for i in "$@"
134
	for i in "$@"
135
	do
135
	do
136
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
136
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
137
			then
137
			then
138
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
138
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
139
			unknown_os=`expr $unknown_os + 1`
139
			unknown_os=`expr $unknown_os + 1`
140
		fi
140
		fi
141
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
141
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
142
			then
142
			then
143
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
143
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
144
			unknown_os=`expr $unknown_os + 1`
144
			unknown_os=`expr $unknown_os + 1`
145
		fi
145
		fi
146
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
146
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
147
			then
147
			then
148
			ARCH=`echo $i|cut -d"=" -f2`
148
			ARCH=`echo $i|cut -d"=" -f2`
149
			unknown_os=`expr $unknown_os + 1`
149
			unknown_os=`expr $unknown_os + 1`
150
		fi
150
		fi
151
	done
151
	done
152
	if [ "$ARCH" != "x86_64" ]
152
	if [ "$ARCH" != "x86_64" ]
153
		then
153
		then
154
		if [ $Lang == "fr" ]
154
		if [ $Lang == "fr" ]
155
			then echo "Votre architecture matérielle doit être en 64bits"
155
			then echo "Votre architecture matérielle doit être en 64bits"
156
			else echo "You hardware architecture must be 64bits"
156
			else echo "You hardware architecture must be 64bits"
157
		fi
157
		fi
158
		exit 1
158
		exit 1
159
	fi
159
	fi
160
	IFS="$old"
160
	IFS="$old"
161
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]]
161
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]]
162
	then
162
	then
163
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
163
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
164
			then
164
			then
165
			echo
165
			echo
166
			if [ $Lang == "fr" ]
166
			if [ $Lang == "fr" ]
167
				then
167
				then
168
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
168
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
169
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
169
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
170
				echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
170
				echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
171
				echo "3 - Importez votre base des usagers"
171
				echo "3 - Importez votre base des usagers"
172
			else
172
			else
173
				echo "The automatic update of ALCASAR can't be performed."
173
				echo "The automatic update of ALCASAR can't be performed."
174
				echo "1 - Save your traceability files and the user database"
174
				echo "1 - Save your traceability files and the user database"
175
				echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
175
				echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
176
				echo "3 - Import your users database"
176
				echo "3 - Import your users database"
177
			fi
177
			fi
178
		else
178
		else
179
			if [ $Lang == "fr" ]
179
			if [ $Lang == "fr" ]
180
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
180
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
181
				else echo "The installation of ALCASAR can't be performed."
181
				else echo "The installation of ALCASAR can't be performed."
182
			fi
182
			fi
183
		fi
183
		fi
184
		echo
184
		echo
185
		if [ $Lang == "fr" ]
185
		if [ $Lang == "fr" ]
186
			then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
186
			then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
187
			else echo "The OS must be replaced (Mageia7.1-64bits)"
187
			else echo "The OS must be replaced (Mageia7.1-64bits)"
188
		fi
188
		fi
189
		exit 1
189
		exit 1
190
	fi
190
	fi
191
 
191
 
192
# Test if ALCASAR is already installed
192
# Test if ALCASAR is already installed
193
	if [ -e $CONF_FILE ]
193
	if [ -e $CONF_FILE ]
194
	then
194
	then
195
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
195
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
196
		if [ $Lang == "fr" ]
196
		if [ $Lang == "fr" ]
197
			then echo "La version $current_version d'ALCASAR est déjà installée"
197
			then echo "La version $current_version d'ALCASAR est déjà installée"
198
			else echo "ALCASAR version $current_version is already installed"
198
			else echo "ALCASAR version $current_version is already installed"
199
		fi
199
		fi
200
		response=0
200
		response=0
201
		PTN='^[12]$'
201
		PTN='^[12]$'
202
		until [[ "$response" =~ $PTN ]]
202
		until [[ "$response" =~ $PTN ]]
203
		do
203
		do
204
			if [ $Lang == "fr" ]
204
			if [ $Lang == "fr" ]
205
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
205
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
206
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
206
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
207
			fi
207
			fi
208
			read response
208
			read response
209
		done
209
		done
210
		if [ "$response" = "2" ]
210
		if [ "$response" = "2" ]
211
		then
211
		then
212
			rm -f /var/tmp/alcasar-conf*
212
			rm -f /var/tmp/alcasar-conf*
213
		else
213
		else
214
# Create the archive of conf files
214
# Create the archive of conf files
215
			$DIR_SCRIPTS/alcasar-conf.sh --create
215
			$DIR_SCRIPTS/alcasar-conf.sh --create
216
			mode="update"
216
			mode="update"
217
		fi
217
		fi
218
	fi
218
	fi
219
# Free /var (when updating) and test free space
219
# Free /var (when updating) and test free space
220
	[ -d /var/log/netflow ] && rm -rf /var/log/netflow  # remove old porttracker RRD database
220
	[ -d /var/log/netflow ] && rm -rf /var/log/netflow  # remove old porttracker RRD database
221
	[ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database
221
	[ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database
222
	journalctl -q --vacuum-files 1  # remove previous journal logs
222
	journalctl -q --vacuum-files 1  # remove previous journal logs
223
	free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
223
	free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
224
	if [ $free_space -lt 10 ]
224
	if [ $free_space -lt 10 ]
225
		then
225
		then
226
		if [ $Lang == "fr" ]
226
		if [ $Lang == "fr" ]
227
			then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
227
			then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
228
			else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
228
			else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
229
		fi
229
		fi
230
	exit 0
230
	exit 0
231
	fi
231
	fi
232
} # End of testing_system
232
} # End of testing_system
233
 
233
 
234
########################################################
234
########################################################
235
##             Function "testing_network"             ##
235
##             Function "testing_network"             ##
236
## - Test Internet access                             ##
236
## - Test Internet access                             ##
237
########################################################
237
########################################################
238
testing_network()
238
testing_network()
239
{
239
{
240
# Detect external/internal interfaces
240
# Detect external/internal interfaces
241
	if [ -z "$EXTIF" ]; then
241
	if [ -z "$EXTIF" ]; then
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
243
		if [ -z "$EXTIF" ]; then
243
		if [ -z "$EXTIF" ]; then
244
			if [ "$Lang" == 'fr' ]
244
			if [ "$Lang" == 'fr' ]
245
				then echo "Aucune passerelle par défaut configurée"
245
				then echo "Aucune passerelle par défaut configurée"
246
				else echo "No default gateway configured"
246
				else echo "No default gateway configured"
247
			fi
247
			fi
248
			exit 1
248
			exit 1
249
		fi
249
		fi
250
	fi
250
	fi
251
	if [ "$Lang" == 'fr' ]
251
	if [ "$Lang" == 'fr' ]
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
254
	fi
254
	fi
255
 
255
 
256
	if [ -z "$INTIF" ]; then
256
	if [ -z "$INTIF" ]; then
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
258
		interfacesCount=$(echo "$interfacesList" | wc -w)
258
		interfacesCount=$(echo "$interfacesList" | wc -w)
259
		if [ $interfacesCount -eq 0 ]; then
259
		if [ $interfacesCount -eq 0 ]; then
260
			if [ "$Lang" == 'fr' ]
260
			if [ "$Lang" == 'fr' ]
261
				then echo "Aucune interface de disponible pour le réseau interne"
261
				then echo "Aucune interface de disponible pour le réseau interne"
262
				else echo "No interface available for the internal network"
262
				else echo "No interface available for the internal network"
263
			fi
263
			fi
264
			exit 1
264
			exit 1
265
		elif [ $interfacesCount -eq 1 ]; then
265
		elif [ $interfacesCount -eq 1 ]; then
266
			INTIF="$interfacesList"
266
			INTIF="$interfacesList"
267
		else
267
		else
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
270
			if [ "$Lang" == 'fr' ]
270
			if [ "$Lang" == 'fr' ]
271
				then echo 'Liste des interfaces disponible :'
271
				then echo 'Liste des interfaces disponible :'
272
				else echo 'List of available interfaces:'
272
				else echo 'List of available interfaces:'
273
			fi
273
			fi
274
			echo "$interfacesSorted"
274
			echo "$interfacesSorted"
275
			response=''
275
			response=''
276
			while true; do
276
			while true; do
277
				if [ "$Lang" == 'fr' ]
277
				if [ "$Lang" == 'fr' ]
278
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
278
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
279
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
279
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
280
				fi
280
				fi
281
				read response
281
				read response
282
 
282
 
283
				[ -z "$response" ] && response="$interfacePreferred"
283
				[ -z "$response" ] && response="$interfacePreferred"
284
 
284
 
285
				# Check if interface exist
285
				# Check if interface exist
286
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
286
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
287
					INTIF="$response"
287
					INTIF="$response"
288
					break
288
					break
289
				else
289
				else
290
					if [ "$Lang" == 'fr' ]
290
					if [ "$Lang" == 'fr' ]
291
						then echo "Interface \"$response\" introuvable"
291
						then echo "Interface \"$response\" introuvable"
292
						else echo "Interface \"$response\" not found"
292
						else echo "Interface \"$response\" not found"
293
					fi
293
					fi
294
				fi
294
				fi
295
			done
295
			done
296
		fi
296
		fi
297
	fi
297
	fi
298
	if [ "$Lang" == 'fr' ]
298
	if [ "$Lang" == 'fr' ]
299
		then echo "Interface interne utilisée : $INTIF"
299
		then echo "Interface interne utilisée : $INTIF"
300
		else echo "Internal interface used: $INTIF"
300
		else echo "Internal interface used: $INTIF"
301
	fi
301
	fi
302
 
302
 
303
	if [ $Lang == "fr" ]
303
	if [ $Lang == "fr" ]
304
		then echo -n "Tests des paramètres réseau : "
304
		then echo -n "Tests des paramètres réseau : "
305
		else echo -n "Network parameters tests: "
305
		else echo -n "Network parameters tests: "
306
	fi
306
	fi
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
308
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
308
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
309
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
309
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
310
	for i in $IF_INTERFACES
310
	for i in $IF_INTERFACES
311
	do
311
	do
312
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
312
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
313
			rm -f ifcfg-$i
313
			rm -f ifcfg-$i
314
 
314
 
315
			if [ $Lang == "fr" ]
315
			if [ $Lang == "fr" ]
316
				then echo "Suppression : ifcfg-$i"
316
				then echo "Suppression : ifcfg-$i"
317
				else echo "Deleting: ifcfg-$i"
317
				else echo "Deleting: ifcfg-$i"
318
			fi
318
			fi
319
		fi
319
		fi
320
	done
320
	done
321
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
321
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
322
	echo -n "."
322
	echo -n "."
323
# Test Ethernet NIC links state
323
# Test Ethernet NIC links state
324
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
324
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
325
	if [ ! -z "$interfacesDown" ]; then
325
	if [ ! -z "$interfacesDown" ]; then
326
		for i in $interfacesDown; do
326
		for i in $interfacesDown; do
327
			if [ $Lang == "fr" ]
327
			if [ $Lang == "fr" ]
328
			then
328
			then
329
				echo -e "\nÉchec"
329
				echo -e "\nÉchec"
330
				echo "Le lien réseau de la carte $i n'est pas actif."
330
				echo "Le lien réseau de la carte $i n'est pas actif."
331
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
331
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
332
			else
332
			else
333
				echo -e "\nFailed"
333
				echo -e "\nFailed"
334
				echo "The link state of $i interface is down."
334
				echo "The link state of $i interface is down."
335
				echo "Make sure that this network card is connected to a switch or an A.P."
335
				echo "Make sure that this network card is connected to a switch or an A.P."
336
			fi
336
			fi
337
		done
337
		done
338
		exit 1
338
		exit 1
339
	fi
339
	fi
340
	echo -n "."
340
	echo -n "."
341
# Test EXTIF config files
341
# Test EXTIF config files
342
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
342
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
343
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
343
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
344
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
344
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
345
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
345
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
346
	then
346
	then
347
		if [ $Lang == "fr" ]
347
		if [ $Lang == "fr" ]
348
		then
348
		then
349
			echo -e "\nÉchec"
349
			echo -e "\nÉchec"
350
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
350
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
351
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
351
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
352
			echo "Appliquez les changements : 'systemctl restart network'"
352
			echo "Appliquez les changements : 'systemctl restart network'"
353
		else
353
		else
354
			echo -e "\nFailed"
354
			echo -e "\nFailed"
355
			echo "The Internet connected network card ($EXTIF) isn't well configured."
355
			echo "The Internet connected network card ($EXTIF) isn't well configured."
356
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
356
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
357
			echo "Apply the new configuration: 'systemctl restart network'"
357
			echo "Apply the new configuration: 'systemctl restart network'"
358
		fi
358
		fi
359
		echo "DEVICE=$EXTIF"
359
		echo "DEVICE=$EXTIF"
360
		echo "IPADDR="
360
		echo "IPADDR="
361
		echo "NETMASK="
361
		echo "NETMASK="
362
		echo "GATEWAY="
362
		echo "GATEWAY="
363
		echo "DNS1="
363
		echo "DNS1="
364
		echo "DNS2="
364
		echo "DNS2="
365
		echo "ONBOOT=yes"
365
		echo "ONBOOT=yes"
366
		exit 1
366
		exit 1
367
	fi
367
	fi
368
	echo -n "."
368
	echo -n "."
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
370
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
370
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
371
		if [ $Lang == "fr" ]
371
		if [ $Lang == "fr" ]
372
		then
372
		then
373
			echo -e "\nÉchec"
373
			echo -e "\nÉchec"
374
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
374
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
375
			echo "Réglez ce problème puis relancez ce script."
375
			echo "Réglez ce problème puis relancez ce script."
376
		else
376
		else
377
			echo -e "\nFailed"
377
			echo -e "\nFailed"
378
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
378
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
379
			echo "Resolv this problem, then restart this script."
379
			echo "Resolv this problem, then restart this script."
380
		fi
380
		fi
381
		exit 1
381
		exit 1
382
	fi
382
	fi
383
	echo -n "."
383
	echo -n "."
384
# Test if default GW is alive
384
# Test if default GW is alive
385
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
385
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
386
	if [ "$(expr $arp_reply)" -eq 0 ]
386
	if [ "$(expr $arp_reply)" -eq 0 ]
387
		then
387
		then
388
		if [ $Lang == "fr" ]
388
		if [ $Lang == "fr" ]
389
		then
389
		then
390
			echo -e "\nÉchec"
390
			echo -e "\nÉchec"
391
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
391
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
392
			echo "Réglez ce problème puis relancez ce script."
392
			echo "Réglez ce problème puis relancez ce script."
393
		else
393
		else
394
			echo -e "\nFailed"
394
			echo -e "\nFailed"
395
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
395
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
396
			echo "Resolv this problem, then restart this script."
396
			echo "Resolv this problem, then restart this script."
397
		fi
397
		fi
398
		exit 1
398
		exit 1
399
	fi
399
	fi
400
	echo -n "."
400
	echo -n "."
401
# Test Internet connectivity
401
# Test Internet connectivity
402
	domainTested='www.google.com'
402
	domainTested='www.google.com'
403
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
403
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
404
	if [ $? -ne 0 ]; then
404
	if [ $? -ne 0 ]; then
405
		if [ $Lang == "fr" ]
405
		if [ $Lang == "fr" ]
406
		then
406
		then
407
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
407
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
408
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
408
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
409
			echo "Vérifiez la validité des adresses IP des DNS."
409
			echo "Vérifiez la validité des adresses IP des DNS."
410
		else
410
		else
411
			echo -e "\nThe Internet connection try failed ($domainTested)."
411
			echo -e "\nThe Internet connection try failed ($domainTested)."
412
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
412
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
413
			echo "Verify the DNS IP addresses"
413
			echo "Verify the DNS IP addresses"
414
		fi
414
		fi
415
		exit 1
415
		exit 1
416
	fi
416
	fi
417
	echo ". : ok"
417
	echo ". : ok"
418
} # End of testing_network()
418
} # End of testing_network()
419
 
419
 
420
#######################################################################
420
#######################################################################
421
##                    Function "init"                                ##
421
##                    Function "init"                                ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
424
#######################################################################
424
#######################################################################
425
init()
425
init()
426
{
426
{
427
	if [ "$mode" != "update" ]
427
	if [ "$mode" != "update" ]
428
	then
428
	then
429
# On affecte le nom d'organisme
429
# On affecte le nom d'organisme
430
		header_install
430
		header_install
431
		ORGANISME=!
431
		ORGANISME=!
432
		PTN='^[a-zA-Z0-9-]*$'
432
		PTN='^[a-zA-Z0-9-]*$'
433
		until [[ "$ORGANISME" =~ $PTN ]]
433
		until [[ "$ORGANISME" =~ $PTN ]]
434
		do
434
		do
435
			if [ $Lang == "fr" ]
435
			if [ $Lang == "fr" ]
436
				then echo -n "Entrez le nom de votre organisme : "
436
				then echo -n "Entrez le nom de votre organisme : "
437
				else echo -n "Enter the name of your organism : "
437
				else echo -n "Enter the name of your organism : "
438
			fi
438
			fi
439
			read ORGANISME
439
			read ORGANISME
440
			if [ "$ORGANISME" == "" ]
440
			if [ "$ORGANISME" == "" ]
441
			then
441
			then
442
				ORGANISME=!
442
				ORGANISME=!
443
			fi
443
			fi
444
		done
444
		done
445
	fi
445
	fi
446
# On crée aléatoirement les mots de passe et les secrets partagés
446
# On crée aléatoirement les mots de passe et les secrets partagés
447
# We create random passwords and shared secrets
447
# We create random passwords and shared secrets
448
	rm -f $PASSWD_FILE
448
	rm -f $PASSWD_FILE
449
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
449
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
450
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
450
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
451
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
451
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
452
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
452
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
453
		grep -v '[eE]nter password:' | \
453
		grep -v '[eE]nter password:' | \
454
		sed -e "s/PBKDF2 hash of your password is //"`
454
		sed -e "s/PBKDF2 hash of your password is //"`
455
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
455
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
456
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
456
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
457
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
457
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
458
	chmod 0600 /boot/grub2/user.cfg
458
	chmod 0600 /boot/grub2/user.cfg
459
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
459
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
460
	echo "GRUB2_user=root" >> $PASSWD_FILE
460
	echo "GRUB2_user=root" >> $PASSWD_FILE
461
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
461
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
462
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
462
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
463
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
463
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
464
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
464
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
465
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
465
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
466
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
466
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
467
	echo "db_user=$DB_USER" >> $PASSWD_FILE
467
	echo "db_user=$DB_USER" >> $PASSWD_FILE
468
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
468
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
469
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
469
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
470
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
470
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
471
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
471
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
472
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
472
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
473
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
473
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
474
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
474
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
475
	chmod 640 $PASSWD_FILE
475
	chmod 640 $PASSWD_FILE
476
#  copy scripts in in /usr/local/bin
476
#  copy scripts in in /usr/local/bin
477
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
477
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
478
#  copy conf files in /usr/local/etc
478
#  copy conf files in /usr/local/etc
479
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
479
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
480
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
480
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
481
# generate central conf file
481
# generate central conf file
482
	cat <<EOF > $CONF_FILE
482
	cat <<EOF > $CONF_FILE
483
##########################################
483
##########################################
484
##                                      ##
484
##                                      ##
485
##          ALCASAR Parameters          ##
485
##          ALCASAR Parameters          ##
486
##                                      ##
486
##                                      ##
487
##########################################
487
##########################################
488
 
488
 
489
INSTALL_DATE=$DATE
489
INSTALL_DATE=$DATE
490
VERSION=$VERSION
490
VERSION=$VERSION
491
ORGANISM=$ORGANISME
491
ORGANISM=$ORGANISME
492
EOF
492
EOF
493
	chmod o-rwx $CONF_FILE
493
	chmod o-rwx $CONF_FILE
494
} # End of init()
494
} # End of init()
495
 
495
 
496
#########################################################
496
#########################################################
497
##                    Function "network"               ##
497
##                    Function "network"               ##
498
## - Define the several network address                ##
498
## - Define the several network address                ##
499
## - Define the DNS naming                             ##
499
## - Define the DNS naming                             ##
500
## - INTIF parameters (consultation network)           ##
500
## - INTIF parameters (consultation network)           ##
501
## - Write "/etc/hosts" file                           ##
501
## - Write "/etc/hosts" file                           ##
502
## - write "hosts.allow" & "hosts.deny" files          ##
502
## - write "hosts.allow" & "hosts.deny" files          ##
503
#########################################################
503
#########################################################
504
network()
504
network()
505
{
505
{
506
	header_install
506
	header_install
507
	if [ "$mode" != "update" ]
507
	if [ "$mode" != "update" ]
508
		then
508
		then
509
		if [ $Lang == "fr" ]
509
		if [ $Lang == "fr" ]
510
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
510
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
511
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
511
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
512
		fi
512
		fi
513
		response=0
513
		response=0
514
		PTN='^[oOyYnN]?$'
514
		PTN='^[oOyYnN]?$'
515
		until [[ "$response" =~ $PTN ]]
515
		until [[ "$response" =~ $PTN ]]
516
		do
516
		do
517
			if [ $Lang == "fr" ]
517
			if [ $Lang == "fr" ]
518
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
518
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
519
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
519
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
520
			fi
520
			fi
521
			read response
521
			read response
522
		done
522
		done
523
		if [ "$response" = "n" ] || [ "$response" = "N" ]
523
		if [ "$response" = "n" ] || [ "$response" = "N" ]
524
		then
524
		then
525
			PRIVATE_IP_MASK="0"
525
			PRIVATE_IP_MASK="0"
526
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
526
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
527
			until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
527
			until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
528
			do
528
			do
529
				if [ $Lang == "fr" ]
529
				if [ $Lang == "fr" ]
530
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
530
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
531
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
531
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
532
				fi
532
				fi
533
				read PRIVATE_IP_MASK
533
				read PRIVATE_IP_MASK
534
			done
534
			done
535
		else
535
		else
536
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
536
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
537
		fi
537
		fi
538
	else
538
	else
539
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf|cut -d"=" -f2`
539
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf|cut -d"=" -f2`
540
		rm -rf /var/tmp/conf
540
		rm -rf /var/tmp/conf
541
	fi
541
	fi
542
# Define LAN side global parameters
542
# Define LAN side global parameters
543
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
543
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
544
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
544
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
545
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
545
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
546
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
546
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
547
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
547
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
548
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
548
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
549
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
549
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
550
	then
550
	then
551
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
551
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
552
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
552
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
553
	fi
553
	fi
554
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
554
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
555
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
555
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
556
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
556
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
557
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
557
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
558
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
558
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
559
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
559
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
560
# Define Internet parameters
560
# Define Internet parameters
561
	DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
561
	DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
562
	DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
562
	DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
563
	DNS1=${DNS1:=208.67.220.220}
563
	DNS1=${DNS1:=208.67.220.220}
564
	DNS2=${DNS2:=208.67.222.222}
564
	DNS2=${DNS2:=208.67.222.222}
565
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
565
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
566
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
566
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
567
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
567
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
568
# Write network parameters in the conf file
568
# Write network parameters in the conf file
569
	echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
569
	echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
570
	echo "DOMAIN=$DOMAIN" >> $CONF_FILE
570
	echo "DOMAIN=$DOMAIN" >> $CONF_FILE
571
	echo "EXTIF=$EXTIF" >> $CONF_FILE
571
	echo "EXTIF=$EXTIF" >> $CONF_FILE
572
	echo "INTIF=$INTIF" >> $CONF_FILE
572
	echo "INTIF=$INTIF" >> $CONF_FILE
573
# Retrieve NIC name of other consultation LAN
573
# Retrieve NIC name of other consultation LAN
574
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
574
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
575
	for i in $INTERFACES
575
	for i in $INTERFACES
576
	do
576
	do
577
		SUB=`echo ${i:0:2}`
577
		SUB=`echo ${i:0:2}`
578
		if [ $SUB = "wl" ]
578
		if [ $SUB = "wl" ]
579
			then WIFIF=$i
579
			then WIFIF=$i
580
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
580
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
581
			then LANIF=$i
581
			then LANIF=$i
582
		fi
582
		fi
583
	done
583
	done
584
	if [ -n "$WIFIF" ]
584
	if [ -n "$WIFIF" ]
585
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
585
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
586
	elif [ -n "$LANIF" ]
586
	elif [ -n "$LANIF" ]
587
		then echo "LANIF=$LANIF" >> $CONF_FILE
587
		then echo "LANIF=$LANIF" >> $CONF_FILE
588
	fi
588
	fi
589
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
589
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
590
	if [ $IP_SETTING == "dhcp" ]
590
	if [ $IP_SETTING == "dhcp" ]
591
	then
591
	then
592
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
592
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
593
		echo "GW=dhcp" >> $CONF_FILE
593
		echo "GW=dhcp" >> $CONF_FILE
594
	else
594
	else
595
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
595
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
596
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
596
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
597
	fi
597
	fi
598
	echo "DNS1=$DNS1" >> $CONF_FILE
598
	echo "DNS1=$DNS1" >> $CONF_FILE
599
	echo "DNS2=$DNS2" >> $CONF_FILE
599
	echo "DNS2=$DNS2" >> $CONF_FILE
600
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
600
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
601
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
601
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
602
	echo "DHCP=on" >> $CONF_FILE
602
	echo "DHCP=on" >> $CONF_FILE
603
	echo "EXT_DHCP_IP=" >> $CONF_FILE
603
	echo "EXT_DHCP_IP=" >> $CONF_FILE
604
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
604
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
605
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
605
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
606
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
606
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
607
	echo "INT_DNS_IP=" >> $CONF_FILE
607
	echo "INT_DNS_IP=" >> $CONF_FILE
608
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
608
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
609
# network default
609
# network default
610
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
610
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
611
	cat <<EOF > /etc/sysconfig/network
611
	cat <<EOF > /etc/sysconfig/network
612
NETWORKING=yes
612
NETWORKING=yes
613
FORWARD_IPV4=true
613
FORWARD_IPV4=true
614
EOF
614
EOF
615
# write "/etc/hosts"
615
# write "/etc/hosts"
616
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
616
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
617
	cat <<EOF > /etc/hosts
617
	cat <<EOF > /etc/hosts
618
127.0.0.1	localhost
618
127.0.0.1	localhost
619
$PRIVATE_IP	$HOSTNAME
619
$PRIVATE_IP	$HOSTNAME
620
EOF
620
EOF
621
# write EXTIF (Internet) config
621
# write EXTIF (Internet) config
622
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
622
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
623
	if [ $IP_SETTING == "dhcp" ]
623
	if [ $IP_SETTING == "dhcp" ]
624
	then
624
	then
625
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
625
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
626
DEVICE=$EXTIF
626
DEVICE=$EXTIF
627
BOOTPROTO=dhcp
627
BOOTPROTO=dhcp
628
DNS1=127.0.0.1
628
DNS1=127.0.0.1
629
PEERDNS=no
629
PEERDNS=no
630
RESOLV_MODS=yes
630
RESOLV_MODS=yes
631
ONBOOT=yes
631
ONBOOT=yes
632
NOZEROCONF=yes
632
NOZEROCONF=yes
633
METRIC=10
633
METRIC=10
634
MII_NOT_SUPPORTED=yes
634
MII_NOT_SUPPORTED=yes
635
IPV6INIT=no
635
IPV6INIT=no
636
IPV6TO4INIT=no
636
IPV6TO4INIT=no
637
ACCOUNTING=no
637
ACCOUNTING=no
638
USERCTL=no
638
USERCTL=no
639
MTU=$MTU
639
MTU=$MTU
640
EOF
640
EOF
641
	else
641
	else
642
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
642
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
643
DEVICE=$EXTIF
643
DEVICE=$EXTIF
644
BOOTPROTO=static
644
BOOTPROTO=static
645
IPADDR=$PUBLIC_IP
645
IPADDR=$PUBLIC_IP
646
NETMASK=$PUBLIC_NETMASK
646
NETMASK=$PUBLIC_NETMASK
647
GATEWAY=$PUBLIC_GATEWAY
647
GATEWAY=$PUBLIC_GATEWAY
648
DNS1=$DNS1
648
DNS1=$DNS1
649
DNS2=$DNS2
649
DNS2=$DNS2
650
RESOLV_MODS=yes
650
RESOLV_MODS=yes
651
ONBOOT=yes
651
ONBOOT=yes
652
METRIC=10
652
METRIC=10
653
NOZEROCONF=yes
653
NOZEROCONF=yes
654
MII_NOT_SUPPORTED=yes
654
MII_NOT_SUPPORTED=yes
655
IPV6INIT=no
655
IPV6INIT=no
656
IPV6TO4INIT=no
656
IPV6TO4INIT=no
657
ACCOUNTING=no
657
ACCOUNTING=no
658
USERCTL=no
658
USERCTL=no
659
MTU=$MTU
659
MTU=$MTU
660
EOF
660
EOF
661
	fi
661
	fi
662
# write INTIF (consultation LAN) in normal mode
662
# write INTIF (consultation LAN) in normal mode
663
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
663
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
664
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
664
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
665
DEVICE=$INTIF
665
DEVICE=$INTIF
666
BOOTPROTO=static
666
BOOTPROTO=static
667
ONBOOT=yes
667
ONBOOT=yes
668
NOZEROCONF=yes
668
NOZEROCONF=yes
669
MII_NOT_SUPPORTED=yes
669
MII_NOT_SUPPORTED=yes
670
IPV6INIT=no
670
IPV6INIT=no
671
IPV6TO4INIT=no
671
IPV6TO4INIT=no
672
ACCOUNTING=no
672
ACCOUNTING=no
673
USERCTL=no
673
USERCTL=no
674
EOF
674
EOF
675
# write INTIF in bypass mode (see "alcasar-bypass.sh")
675
# write INTIF in bypass mode (see "alcasar-bypass.sh")
676
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
676
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
677
DEVICE=$INTIF
677
DEVICE=$INTIF
678
BOOTPROTO=static
678
BOOTPROTO=static
679
IPADDR=$PRIVATE_IP
679
IPADDR=$PRIVATE_IP
680
NETMASK=$PRIVATE_NETMASK
680
NETMASK=$PRIVATE_NETMASK
681
ONBOOT=yes
681
ONBOOT=yes
682
METRIC=10
682
METRIC=10
683
NOZEROCONF=yes
683
NOZEROCONF=yes
684
MII_NOT_SUPPORTED=yes
684
MII_NOT_SUPPORTED=yes
685
IPV6INIT=no
685
IPV6INIT=no
686
IPV6TO4INIT=no
686
IPV6TO4INIT=no
687
ACCOUNTING=no
687
ACCOUNTING=no
688
USERCTL=no
688
USERCTL=no
689
EOF
689
EOF
690
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
690
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
691
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
691
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
692
	then
692
	then
693
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
693
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
694
DEVICE=$WIFIF
694
DEVICE=$WIFIF
695
BOOTPROTO=static
695
BOOTPROTO=static
696
ONBOOT=yes
696
ONBOOT=yes
697
NOZEROCONF=yes
697
NOZEROCONF=yes
698
MII_NOT_SUPPORTED=yes
698
MII_NOT_SUPPORTED=yes
699
IPV6INIT=no
699
IPV6INIT=no
700
IPV6TO4INIT=no
700
IPV6TO4INIT=no
701
ACCOUNTING=no
701
ACCOUNTING=no
702
USERCTL=no
702
USERCTL=no
703
EOF
703
EOF
704
	elif [ -n "$LANIF" ]
704
	elif [ -n "$LANIF" ]
705
	then
705
	then
706
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
706
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
707
DEVICE=$LANIF
707
DEVICE=$LANIF
708
BOOTPROTO=static
708
BOOTPROTO=static
709
ONBOOT=yes
709
ONBOOT=yes
710
NOZEROCONF=yes
710
NOZEROCONF=yes
711
MII_NOT_SUPPORTED=yes
711
MII_NOT_SUPPORTED=yes
712
IPV6INIT=no
712
IPV6INIT=no
713
IPV6TO4INIT=no
713
IPV6TO4INIT=no
714
ACCOUNTING=no
714
ACCOUNTING=no
715
USERCTL=no
715
USERCTL=no
716
EOF
716
EOF
717
	fi
717
	fi
718
# write hosts.allow & hosts.deny
718
# write hosts.allow & hosts.deny
719
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
719
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
720
	cat <<EOF > /etc/hosts.allow
720
	cat <<EOF > /etc/hosts.allow
721
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
721
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
722
sshd: ALL
722
sshd: ALL
723
ntpd: $PRIVATE_NETWORK_SHORT
723
ntpd: $PRIVATE_NETWORK_SHORT
724
EOF
724
EOF
725
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
725
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
726
	cat <<EOF > /etc/hosts.deny
726
	cat <<EOF > /etc/hosts.deny
727
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
727
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
728
EOF
728
EOF
729
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
729
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
730
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
730
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
731
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
731
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
732
# load conntrack ftp module
732
# load conntrack ftp module
733
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
733
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
734
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
734
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
735
# load ipt_NETFLOW module
735
# load ipt_NETFLOW module
736
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
736
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
737
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
737
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
738
	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
738
	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
739
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
739
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
740
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
740
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
741
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
741
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
742
#
742
#
743
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
743
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
744
} # End of network()
744
} # End of network()
745
 
745
 
746
##################################################################
746
##################################################################
747
##                      Fonction "CA"                           ##
747
##                      Fonction "CA"                           ##
748
## - Creating the CA and the server certificate (lighttpd)      ##
748
## - Creating the CA and the server certificate (lighttpd)      ##
749
##################################################################
749
##################################################################
750
CA()
750
CA()
751
{
751
{
752
	$DIR_DEST_BIN/alcasar-CA.sh
752
	$DIR_DEST_BIN/alcasar-CA.sh
753
	chmod 755 /etc/pki/
753
	chmod 755 /etc/pki/
754
	chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
754
	chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
755
	chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
755
	chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
756
	chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
756
	chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
757
	chmod 600 /etc/pki/CA/private/*
757
	chmod 600 /etc/pki/CA/private/*
758
	chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
758
	chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
759
	chmod 640 /etc/pki/tls/private/*
759
	chmod 640 /etc/pki/tls/private/*
760
	chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
760
	chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
761
} # End of CA()
761
} # End of CA()
762
 
762
 
763
###################################################
763
###################################################
764
##                  Function "ACC"               ##
764
##                  Function "ACC"               ##
765
## - copy ALCASAR Control Center (ACC) files     ##
765
## - copy ALCASAR Control Center (ACC) files     ##
766
## - configuration of the web server (Lighttpd)  ##
766
## - configuration of the web server (Lighttpd)  ##
767
## - creation of the first ACC admin account     ##
767
## - creation of the first ACC admin account     ##
768
## - secure the ACC access                       ##
768
## - secure the ACC access                       ##
769
###################################################
769
###################################################
770
ACC()
770
ACC()
771
{
771
{
772
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
772
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
773
	mkdir $DIR_WEB
773
	mkdir $DIR_WEB
774
# Copy & adapt ACC files
774
# Copy & adapt ACC files
775
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
775
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
776
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
776
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
777
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
777
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
778
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
778
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
779
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
779
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
780
	chown -R apache:apache $DIR_WEB/*
780
	chown -R apache:apache $DIR_WEB/*
781
# copy & adapt "freeradius-web" files
781
# copy & adapt "freeradius-web" files
782
	cp -rf $DIR_CONF/freeradius-web/ /etc/
782
	cp -rf $DIR_CONF/freeradius-web/ /etc/
783
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
783
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
784
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
784
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
785
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
785
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
786
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
786
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
787
	cat <<EOF > /etc/freeradius-web/naslist.conf
787
	cat <<EOF > /etc/freeradius-web/naslist.conf
788
nas1_name: alcasar-$ORGANISME
788
nas1_name: alcasar-$ORGANISME
789
nas1_model: Network Access Controler
789
nas1_model: Network Access Controler
790
nas1_ip: $PRIVATE_IP
790
nas1_ip: $PRIVATE_IP
791
nas1_port_num: 0
791
nas1_port_num: 0
792
nas1_community: public
792
nas1_community: public
793
EOF
793
EOF
794
	chown -R apache:apache /etc/freeradius-web/
794
	chown -R apache:apache /etc/freeradius-web/
795
# create the log & backup structure :
795
# create the log & backup structure :
796
# - base = users database
796
# - base = users database
797
# - archive = tarball of "base + http firewall + netflow"
797
# - archive = tarball of "base + http firewall + netflow"
798
# - security = watchdog log
798
# - security = watchdog log
799
# - conf_file = archive conf file (usefull in updating process)
799
# - conf_file = archive conf file (usefull in updating process)
800
	for i in base archive security activity_report conf_file;
800
	for i in base archive security activity_report conf_file;
801
	do
801
	do
802
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
802
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
803
	done
803
	done
804
	chown -R root:apache $DIR_SAVE
804
	chown -R root:apache $DIR_SAVE
805
# Configuring & securing php
805
# Configuring & securing php
806
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
806
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
807
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
807
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
808
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
808
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
809
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
809
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
810
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
810
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
811
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
811
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
812
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
812
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
813
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
813
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
814
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
814
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
815
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
815
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
816
# Configuring & securing Lighttpd
816
# Configuring & securing Lighttpd
817
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
817
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
818
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
818
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
819
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
819
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
820
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
820
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
821
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
821
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
822
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
822
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
823
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
823
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
824
 
824
 
825
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
825
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
826
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
826
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
827
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
827
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
828
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
828
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
829
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
829
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
830
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
830
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
831
 
831
 
832
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
832
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
833
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
833
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
834
 
834
 
835
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
835
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
836
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
836
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
837
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
837
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
838
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
838
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
839
 
839
 
840
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
840
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
841
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
841
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
842
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
842
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
843
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
843
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
844
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
844
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
845
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
845
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
846
	ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
846
	ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
847
 
847
 
848
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
848
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
849
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
849
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
850
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
850
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
851
 
851
 
852
	chown -R apache:apache /var/log/lighttpd
852
	chown -R apache:apache /var/log/lighttpd
853
 
853
 
854
# Creation of the first account (in 'admin' profile)
854
# Creation of the first account (in 'admin' profile)
855
	if [ "$mode" = "install" ]
855
	if [ "$mode" = "install" ]
856
	then
856
	then
857
		header_install
857
		header_install
858
# Creation of keys file for the admin account ("admin")
858
# Creation of keys file for the admin account ("admin")
859
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
859
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
860
		mkdir -p $DIR_DEST_ETC/digest
860
		mkdir -p $DIR_DEST_ETC/digest
861
		chmod 755 $DIR_DEST_ETC/digest
861
		chmod 755 $DIR_DEST_ETC/digest
862
		if [ $Lang == "fr" ]
862
		if [ $Lang == "fr" ]
863
			then echo "Création du premier compte administrateur : "
863
			then echo "Création du premier compte administrateur : "
864
			else echo "Creation of the first admin account : "
864
			else echo "Creation of the first admin account : "
865
		fi
865
		fi
866
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
866
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
867
		do
867
		do
868
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
868
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
869
		done
869
		done
870
	fi
870
	fi
871
# Creation of ACC certs links
871
# Creation of ACC certs links
872
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
872
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
873
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
873
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
874
# Run lighttpd after coova (in order waiting tun0 to be up)
874
# Run lighttpd after coova (in order waiting tun0 to be up)
875
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
875
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
876
	# Log file for ACC access imputability
876
	# Log file for ACC access imputability
877
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
877
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
878
	chown root:apache /var/Save/security/acc_access.log
878
	chown root:apache /var/Save/security/acc_access.log
879
	chmod 664 /var/Save/security/acc_access.log
879
	chmod 664 /var/Save/security/acc_access.log
880
} # End of ACC()
880
} # End of ACC()
881
 
881
 
882
#############################################################
882
#############################################################
883
##               Function "time_server"                    ##
883
##               Function "time_server"                    ##
884
## - Configuring NTP server                                ##
884
## - Configuring NTP server                                ##
885
#############################################################
885
#############################################################
886
time_server()
886
time_server()
887
{
887
{
888
# Set the Internet time server
888
# Set the Internet time server
889
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
889
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
890
	cat <<EOF > /etc/ntp/step-tickers
890
	cat <<EOF > /etc/ntp/step-tickers
891
0.fr.pool.ntp.org	# adapt to your country
891
0.fr.pool.ntp.org	# adapt to your country
892
1.fr.pool.ntp.org
892
1.fr.pool.ntp.org
893
2.fr.pool.ntp.org
893
2.fr.pool.ntp.org
894
EOF
894
EOF
895
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
895
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
896
	cat <<EOF > /etc/ntp.conf
896
	cat <<EOF > /etc/ntp.conf
897
server 0.fr.pool.ntp.org	# adapt to your country
897
server 0.fr.pool.ntp.org	# adapt to your country
898
server 1.fr.pool.ntp.org
898
server 1.fr.pool.ntp.org
899
server 2.fr.pool.ntp.org
899
server 2.fr.pool.ntp.org
900
server 127.127.1.0   		# local clock si NTP internet indisponible ...
900
server 127.127.1.0   		# local clock si NTP internet indisponible ...
901
fudge 127.127.1.0 stratum 10
901
fudge 127.127.1.0 stratum 10
902
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
902
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
903
restrict 127.0.0.1
903
restrict 127.0.0.1
904
driftfile /var/lib/ntp/drift
904
driftfile /var/lib/ntp/drift
905
logfile /var/log/ntp.log
905
logfile /var/log/ntp.log
906
disable monitor
906
disable monitor
907
EOF
907
EOF
908
	chown -R ntp:ntp /var/lib/ntp
908
	chown -R ntp:ntp /var/lib/ntp
909
# Synchronize now
909
# Synchronize now
910
	ntpd -4 -q -g &
910
	ntpd -4 -q -g &
911
} # End of time_server()
911
} # End of time_server()
912
 
912
 
913
#####################################################################
913
#####################################################################
914
##                     Function "init_db"                          ##
914
##                     Function "init_db"                          ##
915
## - Mysql initialization                                          ##
915
## - Mysql initialization                                          ##
916
## - Set admin (root) password                                     ##
916
## - Set admin (root) password                                     ##
917
## - Remove unused users & databases                               ##
917
## - Remove unused users & databases                               ##
918
## - Radius database creation                                      ##
918
## - Radius database creation                                      ##
919
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
919
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
920
#####################################################################
920
#####################################################################
921
init_db()
921
init_db()
922
{
922
{
923
	if [ "`systemctl is-active mysqld`" == "active" ]
923
	if [ "`systemctl is-active mysqld`" == "active" ]
924
	then
924
	then
925
		systemctl stop mysqld
925
		systemctl stop mysqld
926
	fi
926
	fi
927
	rm -rf /var/lib/mysql # to be sure that there is no former installation
927
	rm -rf /var/lib/mysql # to be sure that there is no former installation
928
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
928
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
929
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
929
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
930
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
930
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
931
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
931
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
932
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
932
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
933
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
933
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
934
	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
934
	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
935
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
935
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
936
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
936
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
937
	/usr/bin/systemctl start mysqld
937
	/usr/bin/systemctl start mysqld
938
	nb_round=1
938
	nb_round=1
939
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
939
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
940
	do
940
	do
941
		nb_round=`expr $nb_round + 1`
941
		nb_round=`expr $nb_round + 1`
942
		sleep 2
942
		sleep 2
943
	done
943
	done
944
	if [ ! -S /var/lib/mysql/mysql.sock ]
944
	if [ ! -S /var/lib/mysql/mysql.sock ]
945
	then
945
	then
946
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
946
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
947
		exit
947
		exit
948
	fi
948
	fi
949
# Secure the server
949
# Secure the server
950
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
950
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
951
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
951
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
952
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
952
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
953
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
953
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
954
# Create 'radius' database
954
# Create 'radius' database
955
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
955
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
956
# Add an empty radius database structure
956
# Add an empty radius database structure
957
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
957
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
958
# modify the start script in order to close accounting connexion when the system is comming down or up
958
# modify the start script in order to close accounting connexion when the system is comming down or up
959
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
959
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
960
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
960
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
961
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
961
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
962
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
962
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
963
	/usr/bin/systemctl daemon-reload
963
	/usr/bin/systemctl daemon-reload
964
} # End of init_db()
964
} # End of init_db()
965
 
965
 
966
###################################################################
966
###################################################################
967
##                       Function "freeradius"                   ##
967
##                       Function "freeradius"                   ##
968
## - Set the configuration files                                 ##
968
## - Set the configuration files                                 ##
969
## - Set the shared secret between coova-chilli and freeradius   ##
969
## - Set the shared secret between coova-chilli and freeradius   ##
970
## - Adapt the Mysql conf file and counters                      ##
970
## - Adapt the Mysql conf file and counters                      ##
971
###################################################################
971
###################################################################
972
freeradius()
972
freeradius()
973
{
973
{
974
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
974
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
975
	chown -R radius:radius /etc/raddb
975
	chown -R radius:radius /etc/raddb
976
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
976
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
977
# Set radius global parameters (radius.conf)
977
# Set radius global parameters (radius.conf)
978
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
978
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
979
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
979
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
980
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
980
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
981
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
981
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
982
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
982
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
983
# Add ALCASAR & Coovachilli dictionaries
983
# Add ALCASAR & Coovachilli dictionaries
984
	[ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
984
	[ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
985
	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
985
	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
986
	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
986
	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
987
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
987
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
988
	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
988
	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
989
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
989
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
990
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
990
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
991
	cat << EOF > /etc/raddb/clients.conf
991
	cat << EOF > /etc/raddb/clients.conf
992
client localhost {
992
client localhost {
993
	ipaddr = 127.0.0.1
993
	ipaddr = 127.0.0.1
994
	secret = $secretradius
994
	secret = $secretradius
995
	shortname = chilli
995
	shortname = chilli
996
	nas_type = other
996
	nas_type = other
997
}
997
}
998
EOF
998
EOF
999
# Set Virtual server
999
# Set Virtual server
1000
    # Remvoveing all except "alcasar virtual site")
1000
    # Remvoveing all except "alcasar virtual site")
1001
	# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
1001
	# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
1002
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1002
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1003
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1003
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1004
	chown radius:apache /etc/raddb/sites-available/alcasar*
1004
	chown radius:apache /etc/raddb/sites-available/alcasar*
1005
	chmod 660 /etc/raddb/sites-available/alcasar*
1005
	chmod 660 /etc/raddb/sites-available/alcasar*
1006
	rm -f /etc/raddb/sites-enabled/*
1006
	rm -f /etc/raddb/sites-enabled/*
1007
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1007
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1008
# Set modules
1008
# Set modules
1009
	# Add custom LDAP "available module"
1009
	# Add custom LDAP "available module"
1010
	# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
1010
	# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
1011
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1011
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1012
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1012
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1013
	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1013
	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1014
	rm -rf  /etc/raddb/mods-enabled/*
1014
	rm -rf  /etc/raddb/mods-enabled/*
1015
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1015
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1016
	do
1016
	do
1017
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1017
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1018
	done
1018
	done
1019
# Configure SQL module
1019
# Configure SQL module
1020
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1020
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1021
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1021
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1022
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1022
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1023
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1023
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1024
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1024
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1025
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1025
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1026
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1026
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1027
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1027
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1028
	# no TLS encryption on 127.0.0.1
1028
	# no TLS encryption on 127.0.0.1
1029
	$SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
1029
	$SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
1030
	$SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
1030
	$SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
1031
	$SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
1031
	$SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
1032
	$SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
1032
	$SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
1033
	$SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
1033
	$SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
1034
	$SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
1034
	$SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
1035
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1035
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1036
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1036
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1037
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1037
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1038
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1038
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1039
# sqlcounter modifications
1039
# sqlcounter modifications
1040
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1040
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1041
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1041
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1042
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1042
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1043
# make certain that mysql is up before freeradius start
1043
# make certain that mysql is up before freeradius start
1044
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1044
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1045
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1045
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1046
	/usr/bin/systemctl daemon-reload
1046
	/usr/bin/systemctl daemon-reload
1047
# Allow apache to change some conf files (ie : ldap on/off)
1047
# Allow apache to change some conf files (ie : ldap on/off)
1048
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1048
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1049
	chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1049
	chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1050
} # End of freeradius()
1050
} # End of freeradius()
1051
 
1051
 
1052
#############################################################################
1052
#############################################################################
1053
##                           Function "chilli"                             ##
1053
##                           Function "chilli"                             ##
1054
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1054
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1055
## - Adapt the authentication web page (intercept.php)                     ##
1055
## - Adapt the authentication web page (intercept.php)                     ##
1056
#############################################################################
1056
#############################################################################
1057
chilli()
1057
chilli()
1058
{
1058
{
1059
# chilli unit for systemd
1059
# chilli unit for systemd
1060
	cat << EOF > /lib/systemd/system/chilli.service
1060
	cat << EOF > /lib/systemd/system/chilli.service
1061
#  This file is part of systemd.
1061
#  This file is part of systemd.
1062
#
1062
#
1063
#  systemd is free software; you can redistribute it and/or modify it
1063
#  systemd is free software; you can redistribute it and/or modify it
1064
#  under the terms of the GNU General Public License as published by
1064
#  under the terms of the GNU General Public License as published by
1065
#  the Free Software Foundation; either version 2 of the License, or
1065
#  the Free Software Foundation; either version 2 of the License, or
1066
#  (at your option) any later version.
1066
#  (at your option) any later version.
1067
 
1067
 
1068
# This unit launches coova-chilli a captive portal
1068
# This unit launches coova-chilli a captive portal
1069
[Unit]
1069
[Unit]
1070
Description=chilli is a captive portal daemon
1070
Description=chilli is a captive portal daemon
1071
After=network.target
1071
After=network.target
1072
 
1072
 
1073
[Service]
1073
[Service]
1074
Type=forking
1074
Type=forking
1075
ExecStart=/usr/libexec/chilli start
1075
ExecStart=/usr/libexec/chilli start
1076
ExecStop=/usr/libexec/chilli stop
1076
ExecStop=/usr/libexec/chilli stop
1077
ExecReload=/usr/libexec/chilli reload
1077
ExecReload=/usr/libexec/chilli reload
1078
PIDFile=/run/chilli.pid
1078
PIDFile=/run/chilli.pid
1079
 
1079
 
1080
[Install]
1080
[Install]
1081
WantedBy=multi-user.target
1081
WantedBy=multi-user.target
1082
EOF
1082
EOF
1083
# init file creation
1083
# init file creation
1084
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1084
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1085
	cat <<EOF > /etc/init.d/chilli
1085
	cat <<EOF > /etc/init.d/chilli
1086
#!/bin/sh
1086
#!/bin/sh
1087
#
1087
#
1088
# chilli CoovaChilli init
1088
# chilli CoovaChilli init
1089
#
1089
#
1090
# chkconfig: 2345 65 35
1090
# chkconfig: 2345 65 35
1091
# description: CoovaChilli
1091
# description: CoovaChilli
1092
### BEGIN INIT INFO
1092
### BEGIN INIT INFO
1093
# Provides:       chilli
1093
# Provides:       chilli
1094
# Required-Start: network
1094
# Required-Start: network
1095
# Should-Start:
1095
# Should-Start:
1096
# Required-Stop:  network
1096
# Required-Stop:  network
1097
# Should-Stop:
1097
# Should-Stop:
1098
# Default-Start:  2 3 5
1098
# Default-Start:  2 3 5
1099
# Default-Stop:
1099
# Default-Stop:
1100
# Description:    CoovaChilli access controller
1100
# Description:    CoovaChilli access controller
1101
### END INIT INFO
1101
### END INIT INFO
1102
 
1102
 
1103
[ -f /usr/sbin/chilli ] || exit 0
1103
[ -f /usr/sbin/chilli ] || exit 0
1104
. /etc/init.d/functions
1104
. /etc/init.d/functions
1105
CONFIG=/etc/chilli.conf
1105
CONFIG=/etc/chilli.conf
1106
pidfile=/run/chilli.pid
1106
pidfile=/run/chilli.pid
1107
[ -f \$CONFIG ] || {
1107
[ -f \$CONFIG ] || {
1108
	echo "\$CONFIG Not found"
1108
	echo "\$CONFIG Not found"
1109
	exit 0
1109
	exit 0
1110
}
1110
}
1111
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1111
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1112
RETVAL=0
1112
RETVAL=0
1113
prog="chilli"
1113
prog="chilli"
1114
case \$1 in
1114
case \$1 in
1115
	start)
1115
	start)
1116
		if [ -f \$pidfile ] ; then
1116
		if [ -f \$pidfile ] ; then
1117
			gprintf "chilli is already running"
1117
			gprintf "chilli is already running"
1118
		else
1118
		else
1119
			gprintf "Starting \$prog: "
1119
			gprintf "Starting \$prog: "
1120
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1120
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1121
			rm -f /run/chilli* # cleaning
1121
			rm -f /run/chilli* # cleaning
1122
			/usr/sbin/modprobe tun >/dev/null 2>&1
1122
			/usr/sbin/modprobe tun >/dev/null 2>&1
1123
			echo 1 > /proc/sys/net/ipv4/ip_forward
1123
			echo 1 > /proc/sys/net/ipv4/ip_forward
1124
			[ -e /dev/net/tun ] || {
1124
			[ -e /dev/net/tun ] || {
1125
				(cd /dev;
1125
				(cd /dev;
1126
				mkdir net;
1126
				mkdir net;
1127
				cd net;
1127
				cd net;
1128
				mknod tun c 10 200)
1128
				mknod tun c 10 200)
1129
			}
1129
			}
1130
			ifconfig $INTIF 0.0.0.0
1130
			ifconfig $INTIF 0.0.0.0
1131
			/usr/sbin/ethtool -K $INTIF gro off
1131
			/usr/sbin/ethtool -K $INTIF gro off
1132
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1132
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1133
			RETVAL=\$?
1133
			RETVAL=\$?
1134
		fi
1134
		fi
1135
		;;
1135
		;;
1136
 
1136
 
1137
	reload)
1137
	reload)
1138
		killall -HUP chilli
1138
		killall -HUP chilli
1139
		;;
1139
		;;
1140
 
1140
 
1141
	restart)
1141
	restart)
1142
		\$0 stop
1142
		\$0 stop
1143
		sleep 2
1143
		sleep 2
1144
		\$0 start
1144
		\$0 start
1145
		;;
1145
		;;
1146
 
1146
 
1147
	status)
1147
	status)
1148
		status chilli
1148
		status chilli
1149
		RETVAL=0
1149
		RETVAL=0
1150
		;;
1150
		;;
1151
 
1151
 
1152
	stop)
1152
	stop)
1153
		if [ -f \$pidfile ] ; then
1153
		if [ -f \$pidfile ] ; then
1154
			gprintf "Shutting down \$prog: "
1154
			gprintf "Shutting down \$prog: "
1155
			killproc /usr/sbin/chilli
1155
			killproc /usr/sbin/chilli
1156
			RETVAL=\$?
1156
			RETVAL=\$?
1157
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1157
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1158
			[ -e \$current_users_file ] && rm -f \$current_users_file
1158
			[ -e \$current_users_file ] && rm -f \$current_users_file
1159
		else
1159
		else
1160
			gprintf "chilli is not running"
1160
			gprintf "chilli is not running"
1161
		fi
1161
		fi
1162
		;;
1162
		;;
1163
 
1163
 
1164
	*)
1164
	*)
1165
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1165
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1166
		exit 1
1166
		exit 1
1167
esac
1167
esac
1168
echo
1168
echo
1169
EOF
1169
EOF
1170
	chmod a+x /etc/init.d/chilli
1170
	chmod a+x /etc/init.d/chilli
1171
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1171
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1172
# conf file creation
1172
# conf file creation
1173
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1173
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1174
	#NTP Option configuration for DHCP
1174
	#NTP Option configuration for DHCP
1175
	#DHCP Options : rfc2132
1175
	#DHCP Options : rfc2132
1176
		#dhcp option value will be convert in hexa.
1176
		#dhcp option value will be convert in hexa.
1177
		#NTP option (or 'option 42') is like :
1177
		#NTP option (or 'option 42') is like :
1178
		#
1178
		#
1179
		#    Code   Len         Address 1               Address 2
1179
		#    Code   Len         Address 1               Address 2
1180
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1180
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1181
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1181
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1182
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1182
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1183
		#
1183
		#
1184
		#Code : 42 => 2a
1184
		#Code : 42 => 2a
1185
		#Len : 4 => 04
1185
		#Len : 4 => 04
1186
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1186
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1187
	cat <<EOF > /etc/chilli.conf
1187
	cat <<EOF > /etc/chilli.conf
1188
# coova config for ALCASAR
1188
# coova config for ALCASAR
1189
cmdsocket	/run/chilli.sock
1189
cmdsocket	/run/chilli.sock
1190
unixipc		chilli.$INTIF.ipc
1190
unixipc		chilli.$INTIF.ipc
1191
pidfile		/run/chilli.pid
1191
pidfile		/run/chilli.pid
1192
net		$PRIVATE_NETWORK_MASK
1192
net		$PRIVATE_NETWORK_MASK
1193
dhcpif		$INTIF
1193
dhcpif		$INTIF
1194
ethers		$DIR_DEST_ETC/alcasar-ethers
1194
ethers		$DIR_DEST_ETC/alcasar-ethers
1195
#nodynip
1195
#nodynip
1196
#statip
1196
#statip
1197
dynip		$PRIVATE_NETWORK_MASK
1197
dynip		$PRIVATE_NETWORK_MASK
1198
domain		$DOMAIN
1198
domain		$DOMAIN
1199
dns1		$PRIVATE_IP
1199
dns1		$PRIVATE_IP
1200
dns2		$PRIVATE_IP
1200
dns2		$PRIVATE_IP
1201
uamlisten	$PRIVATE_IP
1201
uamlisten	$PRIVATE_IP
1202
uamport		3990
1202
uamport		3990
1203
uamuiport	3991
1203
uamuiport	3991
1204
macauth
1204
macauth
1205
macpasswd	password
1205
macpasswd	password
1206
strictmacauth
1206
strictmacauth
1207
locationname	$HOSTNAME.$DOMAIN
1207
locationname	$HOSTNAME.$DOMAIN
1208
radiusserver1	127.0.0.1
1208
radiusserver1	127.0.0.1
1209
radiusserver2	127.0.0.1
1209
radiusserver2	127.0.0.1
1210
radiussecret	$secretradius
1210
radiussecret	$secretradius
1211
radiusauthport	1812
1211
radiusauthport	1812
1212
radiusacctport	1813
1212
radiusacctport	1813
1213
uamserver	http://$HOSTNAME.$DOMAIN/intercept.php
1213
uamserver	http://$HOSTNAME.$DOMAIN/intercept.php
1214
redirurl
1214
redirurl
1215
radiusnasid	$HOSTNAME.$DOMAIN
1215
radiusnasid	$HOSTNAME.$DOMAIN
1216
uamsecret	$secretuam
1216
uamsecret	$secretuam
1217
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1217
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1218
coaport		3799
1218
coaport		3799
1219
conup		$DIR_DEST_BIN/alcasar-conup.sh
1219
conup		$DIR_DEST_BIN/alcasar-conup.sh
1220
condown		$DIR_DEST_BIN/alcasar-condown.sh
1220
condown		$DIR_DEST_BIN/alcasar-condown.sh
1221
macup		$DIR_DEST_BIN/alcasar-macup.sh
1221
macup		$DIR_DEST_BIN/alcasar-macup.sh
1222
include		$DIR_DEST_ETC/alcasar-uamallowed
1222
include		$DIR_DEST_ETC/alcasar-uamallowed
1223
include		$DIR_DEST_ETC/alcasar-uamdomain
1223
include		$DIR_DEST_ETC/alcasar-uamdomain
1224
dhcpopt		2a04$PRIVATE_IP_HEXA
1224
dhcpopt		2a04$PRIVATE_IP_HEXA
1225
#dhcpgateway		none
1225
#dhcpgateway		none
1226
#dhcprelayagent		none
1226
#dhcprelayagent		none
1227
#dhcpgatewayport	none
1227
#dhcpgatewayport	none
1228
sslkeyfile	/etc/pki/tls/private/alcasar.key
1228
sslkeyfile	/etc/pki/tls/private/alcasar.key
1229
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1229
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1230
#redirssl
1230
#redirssl
1231
#uamuissl
1231
#uamuissl
1232
EOF
1232
EOF
1233
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1233
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1234
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1234
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1235
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1235
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1236
# create files for trusted domains and urls
1236
# create files for trusted domains and urls
1237
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1237
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1238
	chown root:apache $DIR_DEST_ETC/alcasar-*
1238
	chown root:apache $DIR_DEST_ETC/alcasar-*
1239
	chmod 660 $DIR_DEST_ETC/alcasar-*
1239
	chmod 660 $DIR_DEST_ETC/alcasar-*
1240
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1240
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1241
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1241
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1242
# user 'chilli' creation (in order to run conup/off and up/down scripts
1242
# user 'chilli' creation (in order to run conup/off and up/down scripts
1243
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1243
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1244
	if [ "$chilli_exist" == "1" ]
1244
	if [ "$chilli_exist" == "1" ]
1245
	then
1245
	then
1246
		userdel -r chilli 2>/dev/null
1246
		userdel -r chilli 2>/dev/null
1247
	fi
1247
	fi
1248
	groupadd -f chilli
1248
	groupadd -f chilli
1249
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1249
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1250
}  # End of chilli()
1250
}  # End of chilli()
1251
 
1251
 
1252
################################################################
1252
################################################################
1253
##                   Function "e2guardian"                    ##
1253
##                   Function "e2guardian"                    ##
1254
## - Set the parameters of this HTML proxy (as controler)     ##
1254
## - Set the parameters of this HTML proxy (as controler)     ##
1255
################################################################
1255
################################################################
1256
e2guardian()
1256
e2guardian()
1257
{
1257
{
1258
# Adapt systemd unit
1258
# Adapt systemd unit
1259
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
1259
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
1260
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1260
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1261
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1261
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1262
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1262
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1263
# Adapt the main conf file
1263
# Adapt the main conf file
1264
# French deny HTML page
1264
# French deny HTML page
1265
	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
1265
	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
1266
# 2 filtergroups (8080 & 8090)
1266
# 2 filtergroups (8080 & 8090)
1267
	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
1267
	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
1268
# Listen on 8080 (HTTP for BL users) only on LAN side
1268
# Listen on 8080 (HTTP for BL users) only on LAN side
1269
	$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1269
	$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1270
	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
1270
	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
1271
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
1271
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
1272
	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
1272
	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
1273
	$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
1273
	$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
1274
# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
1274
# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
1275
	$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1275
	$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1276
# Don't log
1276
# Don't log
1277
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1277
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1278
# Disable HTML content control (weighted & banned)
1278
# Disable HTML content control (weighted & banned)
1279
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1279
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1280
# Enable authport plugin
1280
# Enable authport plugin
1281
	$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
1281
	$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
1282
	$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
1282
	$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
1283
# Enable clamd scanner
1283
# Enable clamd scanner
1284
	$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
1284
	$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
1285
 
1285
 
1286
# Adapt the first group conf file
1286
# Adapt the first group conf file
1287
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1287
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1288
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1288
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1289
	$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
1289
	$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
1290
	$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
1290
	$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
1291
 
1291
 
1292
# copy & adapt HTML templates
1292
# copy & adapt HTML templates
1293
	cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
1293
	cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
1294
	cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1294
	cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1295
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
1295
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
1296
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1296
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1297
 
1297
 
1298
###### ALCASAR special filtering ####
1298
###### ALCASAR special filtering ####
1299
# RAZ bannedphraselist
1299
# RAZ bannedphraselist
1300
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1300
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1301
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1301
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1302
# Disable URL control with regex
1302
# Disable URL control with regex
1303
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1303
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1304
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1304
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1305
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
1305
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
1306
#	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1306
#	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1307
#	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1307
#	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1308
#	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1308
#	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1309
#	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1309
#	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1310
# Dont filtering files by extension or mime-type (empty list)
1310
# Dont filtering files by extension or mime-type (empty list)
1311
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1311
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1312
	touch $DIR_DG/lists/bannedextensionlist
1312
	touch $DIR_DG/lists/bannedextensionlist
1313
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1313
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1314
	touch $DIR_DG/lists/bannedmimetypelist
1314
	touch $DIR_DG/lists/bannedmimetypelist
1315
# Empty LAN IP list that won't be WEB filtered
1315
# Empty LAN IP list that won't be WEB filtered
1316
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1316
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1317
	touch $DIR_DG/lists/exceptioniplist
1317
	touch $DIR_DG/lists/exceptioniplist
1318
# Creation of ALCASAR banned site list
1318
# Creation of ALCASAR banned site list
1319
	[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
1319
	[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
1320
	cat <<EOF > $DIR_DG/lists/greysitelist
1320
	cat <<EOF > $DIR_DG/lists/greysitelist
1321
# E2guardian filter config for ALCASAR
1321
# E2guardian filter config for ALCASAR
1322
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
1322
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
1323
# block all SSL and CONNECT tunnels
1323
# block all SSL and CONNECT tunnels
1324
**s
1324
**s
1325
# block all SSL and CONNECT tunnels specified only as an IP
1325
# block all SSL and CONNECT tunnels specified only as an IP
1326
*ips
1326
*ips
1327
# block all sites specified only by an IP
1327
# block all sites specified only by an IP
1328
*ip
1328
*ip
1329
EOF
1329
EOF
1330
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
1330
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
1331
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1331
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1332
	cat <<EOF > $DIR_DG/lists/bannedurllist
1332
	cat <<EOF > $DIR_DG/lists/bannedurllist
1333
# E2guardian filter config for ALCASAR
1333
# E2guardian filter config for ALCASAR
1334
EOF
1334
EOF
1335
# Creation of files for rehabilited domains and urls
1335
# Creation of files for rehabilited domains and urls
1336
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1336
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1337
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1337
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1338
	touch $DIR_DG/lists/exceptionsitelist
1338
	touch $DIR_DG/lists/exceptionsitelist
1339
	touch $DIR_DG/lists/exceptionurllist
1339
	touch $DIR_DG/lists/exceptionurllist
1340
# Add Bing to the safesearch url regext list (parental control)
1340
# Add Bing to the safesearch url regext list (parental control)
1341
	[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1341
	[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1342
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1342
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1343
 
1343
 
1344
# Bing - add 'adlt=strict'
1344
# Bing - add 'adlt=strict'
1345
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1345
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1346
EOF
1346
EOF
1347
# 'Safesearch' regex actualisation
1347
# 'Safesearch' regex actualisation
1348
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1348
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1349
# change the google safesearch ("safe=strict" instead of "safe=vss")
1349
# change the google safesearch ("safe=strict" instead of "safe=vss")
1350
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1350
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1351
 
1351
 
1352
# Create & adapt the second group conf file (av + av_wl)
1352
# Create & adapt the second group conf file (av + av_wl)
1353
	cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
1353
	cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
1354
	$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
1354
	$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
1355
	$SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
1355
	$SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
1356
	$SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
1356
	$SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
1357
 
1357
 
1358
# create log folder
1358
# create log folder
1359
    mkdir -p /var/log/e2guardian
1359
    mkdir -p /var/log/e2guardian
1360
	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
1360
	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
1361
} # End of e2guardian()
1361
} # End of e2guardian()
1362
 
1362
 
1363
##################################################################
1363
##################################################################
1364
##                     Function "antivirus"                     ##
1364
##                     Function "antivirus"                     ##
1365
## - Set the parameters of clamav and freshclam                 ##
1365
## - Set the parameters of clamav and freshclam                 ##
1366
##################################################################
1366
##################################################################
1367
antivirus()
1367
antivirus()
1368
{
1368
{
1369
# Clamd adaptation to e2guardian
1369
# Clamd adaptation to e2guardian
1370
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
1370
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
1371
	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1371
	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1372
	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1372
	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1373
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
1373
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
1374
	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1374
	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1375
	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1375
	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1376
	
1376
	
1377
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
1377
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
1378
	$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
1378
	$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
1379
	$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
1379
	$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
1380
	$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
1380
	$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
1381
	$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
1381
	$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
1382
	$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
1382
	$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
1383
	$SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf
1383
	$SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf
1384
	chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
1384
	chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
1385
	chmod 775 /var/log/clamav /var/lib/clamav
1385
	chmod 775 /var/log/clamav /var/lib/clamav
1386
	chmod 664 /var/log/clamav/*
1386
	chmod 664 /var/log/clamav/*
1387
# update virus database every 4 hours (24h/6)
1387
# update virus database every 4 hours (24h/6)
1388
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1388
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1389
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1389
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1390
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1390
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1391
	$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
1391
	$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
1392
	$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1392
	$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1393
	$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1393
	$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1394
# update now
1394
# update now
1395
	/usr/bin/freshclam --no-warnings --quiet
1395
	/usr/bin/freshclam --no-warnings --quiet
1396
} # End of antivirus()
1396
} # End of antivirus()
1397
 
1397
 
1398
##############################################################
1398
##############################################################
1399
##                            function "ulogd"              ##
1399
##                            function "ulogd"              ##
1400
## - Ulog config for multi-log files                        ##
1400
## - Ulog config for multi-log files                        ##
1401
##############################################################
1401
##############################################################
1402
ulogd()
1402
ulogd()
1403
{
1403
{
1404
# Three instances of ulogd (three different logfiles)
1404
# Three instances of ulogd (three different logfiles)
1405
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1405
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1406
	nl=1
1406
	nl=1
1407
	for log_type in traceability ssh ext-access
1407
	for log_type in traceability ssh ext-access
1408
	do
1408
	do
1409
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1409
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1410
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1410
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1411
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1411
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1412
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1412
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1413
		cat << EOF >> /etc/ulogd-$log_type.conf
1413
		cat << EOF >> /etc/ulogd-$log_type.conf
1414
[emu1]
1414
[emu1]
1415
file="/var/log/firewall/$log_type.log"
1415
file="/var/log/firewall/$log_type.log"
1416
sync=1
1416
sync=1
1417
EOF
1417
EOF
1418
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1418
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1419
		nl=`expr $nl + 1`
1419
		nl=`expr $nl + 1`
1420
	done
1420
	done
1421
	chown -R root:apache /var/log/firewall
1421
	chown -R root:apache /var/log/firewall
1422
	chmod 750 /var/log/firewall
1422
	chmod 750 /var/log/firewall
1423
	chmod 640 /var/log/firewall/*
1423
	chmod 640 /var/log/firewall/*
1424
}  # End of ulogd()
1424
}  # End of ulogd()
1425
 
1425
 
1426
##########################################################
1426
##########################################################
1427
##                    Function "nfsen"                  ##
1427
##                    Function "nfsen"                  ##
1428
## - configure NetFlow collector (nfcapd)               ##
1428
## - configure NetFlow collector (nfcapd)               ##
1429
## - configure NetFlow grapher (nfsen-ng)               ##
1429
## - configure NetFlow grapher (nfsen-ng)               ##
1430
##########################################################
1430
##########################################################
1431
nfsen()
1431
nfsen()
1432
{
1432
{
1433
	groupadd -f nfcapd
1433
	groupadd -f nfcapd
1434
	id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
1434
	id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
1435
# nfcapd unit for systemd
1435
# nfcapd unit for systemd
1436
	cat << EOF > /lib/systemd/system/nfcapd.service
1436
	cat << EOF > /lib/systemd/system/nfcapd.service
1437
#  This file is part of systemd.
1437
#  This file is part of systemd.
1438
#
1438
#
1439
#  systemd is free software; you can redistribute it and/or modify it
1439
#  systemd is free software; you can redistribute it and/or modify it
1440
#  under the terms of the GNU General Public License as published by
1440
#  under the terms of the GNU General Public License as published by
1441
#  the Free Software Foundation; either version 2 of the License, or
1441
#  the Free Software Foundation; either version 2 of the License, or
1442
#  (at your option) any later version.
1442
#  (at your option) any later version.
1443
 
1443
 
1444
# This unit launches nfcapd (a Netflow collector).
1444
# This unit launches nfcapd (a Netflow collector).
1445
[Unit]
1445
[Unit]
1446
Description=Netflow Capture Daemon
1446
Description=Netflow Capture Daemon
1447
After=network-online.target iptables.service
1447
After=network-online.target iptables.service
1448
 
1448
 
1449
[Service]
1449
[Service]
1450
Type=exec
1450
Type=exec
1451
ExecStartPre=/bin/mkdir -p /run/nfcapd
1451
ExecStartPre=/bin/mkdir -p /run/nfcapd
1452
ExecStartPre=/bin/chown nfcapd:nfcapd /run/nfcapd
1452
ExecStartPre=/bin/chown nfcapd:nfcapd /run/nfcapd
1453
PIDFile=/run/nfcapd/nfcapd.pid
1453
PIDFile=/run/nfcapd/nfcapd.pid
1454
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profiles-data/live/alcasar_netflow
1454
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profiles-data/live/alcasar_netflow
1455
ExecReload=/bin/kill -HUP $MAINPID
1455
ExecReload=/bin/kill -HUP $MAINPID
1456
 
1456
 
1457
[Install]
1457
[Install]
1458
WantedBy=multi-user.target
1458
WantedBy=multi-user.target
1459
EOF
1459
EOF
1460
    [ -d /var/log/nfsen/profiles-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profiles-data/live/alcasar_netflow
1460
    [ -d /var/log/nfsen/profiles-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profiles-data/live/alcasar_netflow
1461
    [ -d /run/nfcapd ] || mkdir -p /run/nfcapd
1461
    [ -d /run/nfcapd ] || mkdir -p /run/nfcapd
1462
    chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
1462
    chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
1463
} # End of nfsen()
1463
} # End of nfsen()
1464
 
1464
 
1465
###########################################################
1465
###########################################################
1466
##                     Function "vnstat"                 ##
1466
##                     Function "vnstat"                 ##
1467
## - Initialization of vnstat and vnstat-dashboard       ##
1467
## - Initialization of vnstat and vnstat-dashboard       ##
1468
###########################################################
1468
###########################################################
1469
vnstat()
1469
vnstat()
1470
{
1470
{
1471
    # vnstat
1471
    # vnstat
1472
    [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1472
    [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1473
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1473
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1474
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1474
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1475
    # vnstat-dashboard
1475
    # vnstat-dashboard
1476
    $SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
1476
    $SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
1477
	[ -e /lib/systemd/system/vnstat.service.default ] || cp /lib/systemd/system/vnstat.service /lib/systemd/system/vnstat.service.default
1477
	[ -e /lib/systemd/system/vnstat.service.default ] || cp /lib/systemd/system/vnstat.service /lib/systemd/system/vnstat.service.default
1478
    $SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /lib/systemd/system/vnstat.service
1478
    $SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /lib/systemd/system/vnstat.service
1479
} # End of vnstat()
1479
} # End of vnstat()
1480
 
1480
 
1481
###################################################################
1481
###################################################################
1482
##                     Function "dnsmasq"                        ##
1482
##                     Function "dnsmasq"                        ##
1483
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1483
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1484
###################################################################
1484
###################################################################
1485
dnsmasq()
1485
dnsmasq()
1486
{
1486
{
1487
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1487
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1488
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1488
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1489
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1489
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1490
	cat << EOF > /etc/dnsmasq-whitelist.conf
1490
	cat << EOF > /etc/dnsmasq-whitelist.conf
1491
# Configuration file for "dnsmasq with whitelist"
1491
# Configuration file for "dnsmasq with whitelist"
1492
# ADD Toulouse university whitelist domains
1492
# ADD Toulouse university whitelist domains
1493
pid-file=/run/dnsmasq-whitelist.pid
1493
pid-file=/run/dnsmasq-whitelist.pid
1494
listen-address=127.0.0.1
1494
listen-address=127.0.0.1
1495
port=55
1495
port=55
1496
no-dhcp-interface=lo
1496
no-dhcp-interface=lo
1497
bind-interfaces
1497
bind-interfaces
1498
cache-size=1024
1498
cache-size=1024
1499
domain-needed
1499
domain-needed
1500
expand-hosts
1500
expand-hosts
1501
bogus-priv
1501
bogus-priv
1502
filterwin2k
1502
filterwin2k
1503
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1503
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1504
server=$DNS1
1504
server=$DNS1
1505
server=$DNS2
1505
server=$DNS2
1506
EOF
1506
EOF
1507
	# Create dnsmasq-whitelist unit
1507
	# Create dnsmasq-whitelist unit
1508
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1508
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1509
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1509
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1510
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1510
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1511
	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1511
	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1512
} # End of dnsmasq()
1512
} # End of dnsmasq()
1513
 
1513
 
1514
#########################################################
1514
#########################################################
1515
##              Function "unbound"                     ##
1515
##              Function "unbound"                     ##
1516
## - create the conf files for 4 unbound services      ##
1516
## - create the conf files for 4 unbound services      ##
1517
## - create the systemd files for 4 unbound services   ##
1517
## - create the systemd files for 4 unbound services   ##
1518
#########################################################
1518
#########################################################
1519
unbound ()
1519
unbound ()
1520
{
1520
{
1521
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1521
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1522
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1522
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1523
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1523
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1524
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1524
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1525
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1525
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1526
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1526
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1527
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1527
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1528
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1528
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1529
	[ -d /var/log/unbound ] || mkdir /var/log/unbound
1529
	[ -d /var/log/unbound ] || mkdir /var/log/unbound
1530
	chown unbound:unbound /var/log/unbound
1530
	chown unbound:unbound /var/log/unbound
1531
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1531
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1532
 
1532
 
1533
# Forward zone configuration file for all unbound dns servers
1533
# Forward zone configuration file for all unbound dns servers
1534
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1534
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1535
forward-zone:
1535
forward-zone:
1536
	name: "."
1536
	name: "."
1537
	forward-addr: $DNS1
1537
	forward-addr: $DNS1
1538
	forward-addr: $DNS2
1538
	forward-addr: $DNS2
1539
EOF
1539
EOF
1540
 
1540
 
1541
# Custom configuration file for manual DNS configuration
1541
# Custom configuration file for manual DNS configuration
1542
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1542
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1543
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1543
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1544
## Add one block for each domain name managed by an other DNS server
1544
## Add one block for each domain name managed by an other DNS server
1545
##
1545
##
1546
## Example:
1546
## Example:
1547
##
1547
##
1548
## server:
1548
## server:
1549
##     local-zone: "<your_domain>." transparent
1549
##     local-zone: "<your_domain>." transparent
1550
## forward-zone:
1550
## forward-zone:
1551
##     name: "<your_domain>."
1551
##     name: "<your_domain>."
1552
##     forward-addr: <@IP_domain_server>
1552
##     forward-addr: <@IP_domain_server>
1553
##
1553
##
1554
EOF
1554
EOF
1555
 
1555
 
1556
# Configuration file of ALCASAR main domains for $INTIF
1556
# Configuration file of ALCASAR main domains for $INTIF
1557
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1557
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1558
server:
1558
server:
1559
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1559
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1560
	local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"
1560
	local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"
1561
EOF
1561
EOF
1562
 
1562
 
1563
# Configuration file for lo of forward unbound
1563
# Configuration file for lo of forward unbound
1564
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1564
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1565
server:
1565
server:
1566
	interface: 127.0.0.1@53
1566
	interface: 127.0.0.1@53
1567
	access-control-view: 127.0.0.1/8 lo
1567
	access-control-view: 127.0.0.1/8 lo
1568
view:
1568
view:
1569
	name: "lo"
1569
	name: "lo"
1570
	local-data: "$HOSTNAME A 127.0.0.1"
1570
	local-data: "$HOSTNAME A 127.0.0.1"
1571
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1571
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1572
	local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
1572
	local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
1573
	view-first: yes
1573
	view-first: yes
1574
EOF
1574
EOF
1575
 
1575
 
1576
# Configuration file for $INTIF of forward unbound
1576
# Configuration file for $INTIF of forward unbound
1577
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1577
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1578
server:
1578
server:
1579
	interface: ${PRIVATE_IP}@53
1579
	interface: ${PRIVATE_IP}@53
1580
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1580
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1581
view:
1581
view:
1582
	name: "$INTIF"
1582
	name: "$INTIF"
1583
	view-first: yes
1583
	view-first: yes
1584
EOF
1584
EOF
1585
 
1585
 
1586
# Configuration file for main unbound
1586
# Configuration file for main unbound
1587
	cat << EOF > /etc/unbound/unbound.conf
1587
	cat << EOF > /etc/unbound/unbound.conf
1588
server:
1588
server:
1589
	verbosity: 1
1589
	verbosity: 1
1590
	hide-version: yes
1590
	hide-version: yes
1591
	hide-identity: yes
1591
	hide-identity: yes
1592
	do-ip6: no
1592
	do-ip6: no
1593
	include: /etc/unbound/conf.d/common/forward-zone.conf
1593
	include: /etc/unbound/conf.d/common/forward-zone.conf
1594
	include: /etc/unbound/conf.d/common/local-forward/*
1594
	include: /etc/unbound/conf.d/common/local-forward/*
1595
	include: /etc/unbound/conf.d/common/local-dns/*
1595
	include: /etc/unbound/conf.d/common/local-dns/*
1596
	include: /etc/unbound/conf.d/forward/*
1596
	include: /etc/unbound/conf.d/forward/*
1597
EOF
1597
EOF
1598
 
1598
 
1599
# Configuration file for $INTIF of blacklist unbound
1599
# Configuration file for $INTIF of blacklist unbound
1600
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1600
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1601
server:
1601
server:
1602
	interface: ${PRIVATE_IP}@54
1602
	interface: ${PRIVATE_IP}@54
1603
	access-control: $PRIVATE_IP_MASK allow
1603
	access-control: $PRIVATE_IP_MASK allow
1604
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1604
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1605
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1605
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1606
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1606
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1607
EOF
1607
EOF
1608
 
1608
 
1609
# Configuration file for blacklist unbound
1609
# Configuration file for blacklist unbound
1610
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1610
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1611
server:
1611
server:
1612
	verbosity: 1
1612
	verbosity: 1
1613
	hide-version: yes
1613
	hide-version: yes
1614
	hide-identity: yes
1614
	hide-identity: yes
1615
	do-ip6: no
1615
	do-ip6: no
1616
	logfile: "/var/log/unbound/unbound-blacklist.log"
1616
	logfile: "/var/log/unbound/unbound-blacklist.log"
1617
	chroot: ""
1617
	chroot: ""
1618
	define-tag: "blacklist"
1618
	define-tag: "blacklist"
1619
	log-local-actions: yes
1619
	log-local-actions: yes
1620
	include: /etc/unbound/conf.d/common/forward-zone.conf
1620
	include: /etc/unbound/conf.d/common/forward-zone.conf
1621
	include: /etc/unbound/conf.d/common/local-forward/*
1621
	include: /etc/unbound/conf.d/common/local-forward/*
1622
	include: /etc/unbound/conf.d/common/local-dns/*
1622
	include: /etc/unbound/conf.d/common/local-dns/*
1623
	include: /etc/unbound/conf.d/blacklist/*
1623
	include: /etc/unbound/conf.d/blacklist/*
1624
	include: /usr/local/share/unbound-bl-enabled/*
1624
	include: /usr/local/share/unbound-bl-enabled/*
1625
EOF
1625
EOF
1626
 
1626
 
1627
# Configuration file for $INTIF of whitelist unbound
1627
# Configuration file for $INTIF of whitelist unbound
1628
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1628
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1629
server:
1629
server:
1630
	interface: ${PRIVATE_IP}@55
1630
	interface: ${PRIVATE_IP}@55
1631
	access-control: $PRIVATE_IP_MASK allow
1631
	access-control: $PRIVATE_IP_MASK allow
1632
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1632
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1633
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1633
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1634
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1634
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1635
EOF
1635
EOF
1636
 
1636
 
1637
# Configuration file for whitelist unbound
1637
# Configuration file for whitelist unbound
1638
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1638
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1639
server:
1639
server:
1640
	verbosity: 1
1640
	verbosity: 1
1641
	hide-version: yes
1641
	hide-version: yes
1642
	hide-identity: yes
1642
	hide-identity: yes
1643
	do-ip6: no
1643
	do-ip6: no
1644
	do-not-query-localhost: no
1644
	do-not-query-localhost: no
1645
	define-tag: "whitelist"
1645
	define-tag: "whitelist"
1646
	local-zone: "." transparent
1646
	local-zone: "." transparent
1647
	local-zone-tag: "." "whitelist"
1647
	local-zone-tag: "." "whitelist"
1648
	include: /etc/unbound/conf.d/common/local-forward/*
1648
	include: /etc/unbound/conf.d/common/local-forward/*
1649
	include: /etc/unbound/conf.d/common/local-dns/*
1649
	include: /etc/unbound/conf.d/common/local-dns/*
1650
	include: /etc/unbound/conf.d/whitelist/*
1650
	include: /etc/unbound/conf.d/whitelist/*
1651
	include: /usr/local/share/unbound-wl-enabled/*
1651
	include: /usr/local/share/unbound-wl-enabled/*
1652
forward-zone:
1652
forward-zone:
1653
	name: "."
1653
	name: "."
1654
	forward-addr: 127.0.0.1@53
1654
	forward-addr: 127.0.0.1@55
1655
EOF
1655
EOF
1656
 
1656
 
1657
# Configuration file for $INTIF of blackhole unbound
1657
# Configuration file for $INTIF of blackhole unbound
1658
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1658
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1659
server:
1659
server:
1660
	interface: ${PRIVATE_IP}@56
1660
	interface: ${PRIVATE_IP}@56
1661
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1661
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1662
view:
1662
view:
1663
	name: "$INTIF"
1663
	name: "$INTIF"
1664
	local-zone: "." redirect
1664
	local-zone: "." redirect
1665
	local-data: ". A $PRIVATE_IP"
1665
	local-data: ". A $PRIVATE_IP"
1666
EOF
1666
EOF
1667
 
1667
 
1668
# Configuration file for blackhole unbound
1668
# Configuration file for blackhole unbound
1669
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1669
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1670
server:
1670
server:
1671
	verbosity: 1
1671
	verbosity: 1
1672
	hide-version: yes
1672
	hide-version: yes
1673
	hide-identity: yes
1673
	hide-identity: yes
1674
	do-ip6: no
1674
	do-ip6: no
1675
	include: /etc/unbound/conf.d/common/local-forward/*
1675
	include: /etc/unbound/conf.d/common/local-forward/*
1676
	include: /etc/unbound/conf.d/common/local-dns/*
1676
	include: /etc/unbound/conf.d/common/local-dns/*
1677
	include: /etc/unbound/conf.d/blackhole/*
1677
	include: /etc/unbound/conf.d/blackhole/*
1678
EOF
1678
EOF
1679
 
1679
 
1680
	if [ ! -e /lib/systemd/system/unbound.service.default ]
1680
	if [ ! -e /lib/systemd/system/unbound.service.default ]
1681
	then
1681
	then
1682
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1682
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1683
	fi
1683
	fi
1684
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1684
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1685
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1685
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1686
	for list in blacklist blackhole whitelist
1686
	for list in blacklist blackhole whitelist
1687
	do
1687
	do
1688
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1688
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1689
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1689
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1690
		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1690
		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1691
	done
1691
	done
1692
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1692
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1693
} # End of unbound()
1693
} # End of unbound()
1694
 
1694
 
1695
##################################################
1695
##################################################
1696
##              Function "dhcpd"                ##
1696
##              Function "dhcpd"                ##
1697
##################################################
1697
##################################################
1698
dhcpd()
1698
dhcpd()
1699
{
1699
{
1700
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1700
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1701
	cat <<EOF > /etc/dhcpd.conf
1701
	cat <<EOF > /etc/dhcpd.conf
1702
ddns-update-style none;
1702
ddns-update-style none;
1703
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1703
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1704
	option routers $PRIVATE_IP;
1704
	option routers $PRIVATE_IP;
1705
	option subnet-mask $PRIVATE_NETMASK;
1705
	option subnet-mask $PRIVATE_NETMASK;
1706
	option domain-name-servers $PRIVATE_IP;
1706
	option domain-name-servers $PRIVATE_IP;
1707
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1707
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1708
	default-lease-time 21600;
1708
	default-lease-time 21600;
1709
	max-lease-time 43200;
1709
	max-lease-time 43200;
1710
}
1710
}
1711
EOF
1711
EOF
1712
} # End of dhcpd()
1712
} # End of dhcpd()
1713
 
1713
 
1714
##########################################################
1714
##########################################################
1715
##                      Function "BL"                   ##
1715
##                      Function "BL"                   ##
1716
## - copy & adapt Toulouse BL to ALCASAR architecture   ##
1716
## - copy & adapt Toulouse BL to ALCASAR architecture   ##
1717
##     - domain names for unbound-bl & unbound-wl       ##
1717
##     - domain names for unbound-bl & unbound-wl       ##
1718
##     - URLs for E²guardian                            ##
1718
##     - URLs for E²guardian                            ##
1719
##     - IPs for NetFilter                              ##
1719
##     - IPs for NetFilter                              ##
1720
## - copy additional BLs (TOR + Ultrasurf + C&C)        ##
1720
## - copy additional BLs (TOR + Ultrasurf + C&C)        ##
1721
##########################################################
1721
##########################################################
1722
BL()
1722
BL()
1723
{
1723
{
1724
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1724
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1725
	rm -rf $DIR_DG/lists/blacklists
1725
	rm -rf $DIR_DG/lists/blacklists
1726
	mkdir -p /tmp/blacklists
1726
	mkdir -p /tmp/blacklists
1727
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1727
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1728
# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only)
1728
# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only)
1729
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1729
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1730
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1730
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1731
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1731
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1732
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1732
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1733
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1733
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1734
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1734
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1735
# add additional BL files
1735
# add additional BL files
1736
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklists")
1736
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklists")
1737
	do
1737
	do
1738
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1738
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1739
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1739
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1740
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1740
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1741
	done
1741
	done
1742
	chown -R e2guardian:apache $DIR_DG
1742
	chown -R e2guardian:apache $DIR_DG
1743
	chown -R root:apache $DIR_DEST_SHARE
1743
	chown -R root:apache $DIR_DEST_SHARE
1744
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1744
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1745
# adapt the Toulouse BL to ALCASAR architecture
1745
# adapt the Toulouse BL to ALCASAR architecture
1746
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1746
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1747
# enable the default categories
1747
# enable the default categories
1748
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1748
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1749
	rm -rf /tmp/blacklists
1749
	rm -rf /tmp/blacklists
1750
} # End of BL()
1750
} # End of BL()
1751
 
1751
 
1752
#######################################################
1752
#######################################################
1753
##                  Function "cron"                  ##
1753
##                  Function "cron"                  ##
1754
## - write all cron & anacron files                  ##
1754
## - write all cron & anacron files                  ##
1755
#######################################################
1755
#######################################################
1756
cron()
1756
cron()
1757
{
1757
{
1758
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1758
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1759
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1759
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1760
	cat <<EOF > /etc/crontab
1760
	cat <<EOF > /etc/crontab
1761
SHELL=/usr/bin/bash
1761
SHELL=/usr/bin/bash
1762
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1762
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1763
MAILTO=root
1763
MAILTO=root
1764
HOME=/
1764
HOME=/
1765
 
1765
 
1766
# run-parts
1766
# run-parts
1767
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1767
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1768
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1768
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1769
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1769
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1770
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1770
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1771
EOF
1771
EOF
1772
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1772
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1773
	cat <<EOF >> /etc/anacrontab
1773
	cat <<EOF >> /etc/anacrontab
1774
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1774
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1775
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1775
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1776
EOF
1776
EOF
1777
	cat <<EOF > /etc/cron.d/alcasar-mysql
1777
	cat <<EOF > /etc/cron.d/alcasar-mysql
1778
# Verify, repair and export users database (every monday at 4:45 am)
1778
# Verify, repair and export users database (every monday at 4:45 am)
1779
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1779
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1780
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1780
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1781
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1781
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1782
EOF
1782
EOF
1783
	cat <<EOF > /etc/cron.d/alcasar-archive
1783
	cat <<EOF > /etc/cron.d/alcasar-archive
1784
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1784
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1785
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1785
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1786
EOF
1786
EOF
1787
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1787
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1788
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1788
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1789
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1789
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1790
EOF
1790
EOF
1791
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1791
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1792
# Update the system (everyday at 3:30 am)
1792
# Update the system (everyday at 3:30 am)
1793
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1793
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1794
EOF
1794
EOF
1795
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1795
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1796
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1796
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1797
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1797
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1798
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1798
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1799
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1799
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1800
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1800
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1801
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1801
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1802
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1802
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1803
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1803
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1804
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1804
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1805
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1805
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1806
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1806
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1807
EOF
1807
EOF
1808
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1808
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1809
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1809
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1810
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1810
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1811
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1811
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1812
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1812
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1813
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1813
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1814
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1814
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1815
EOF
1815
EOF
1816
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1816
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1817
# start dead daemons (after boot process and every 18')
1817
# start dead daemons (after boot process and every 18')
1818
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1818
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1819
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1819
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1820
EOF
1820
EOF
1821
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1821
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1822
# Automatic update the BL (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1822
# Automatic update the BL (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1823
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl-autoupdate.sh --update_cat > /dev/null 2>&1
1823
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl-autoupdate.sh --update_cat > /dev/null 2>&1
1824
EOF
1824
EOF
1825
	cat <<EOF > /etc/cron.d/alcasar-rsync-ossi_bl
1825
	cat <<EOF > /etc/cron.d/alcasar-rsync-ossi_bl
1826
# Automatic update the OSSI BLs (every 12 hours) by running the custom update scripts specified in '/usr/local/etc/update_ossi_cat.conf'.
1826
# Automatic update the OSSI BLs (every 12 hours) by running the custom update scripts specified in '/usr/local/etc/update_ossi_cat.conf'.
1827
0 */12 * * * root /bin/bash /usr/local/etc/update_ossi_cat.conf > /dev/null 2>&1
1827
0 */12 * * * root /bin/bash /usr/local/etc/update_ossi_cat.conf > /dev/null 2>&1
1828
EOF
1828
EOF
1829
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1829
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1830
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1830
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1831
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1831
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1832
EOF
1832
EOF
1833
	cat <<EOF > /etc/cron.d/alcasar-nfcapd-expire
1833
	cat <<EOF > /etc/cron.d/alcasar-nfcapd-expire
1834
# Remove netflow files older than one year
1834
# Remove netflow files older than one year
1835
@daily root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/live/alcasar_netflow -t 365d
1835
@daily root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/live/alcasar_netflow -t 365d
1836
EOF
1836
EOF
1837
# removing the users crons
1837
# removing the users crons
1838
	rm -f /var/spool/cron/*
1838
	rm -f /var/spool/cron/*
1839
} # End of cron()
1839
} # End of cron()
1840
 
1840
 
1841
########################################################################
1841
########################################################################
1842
##                        Fonction "Fail2Ban"                         ##
1842
##                        Fonction "Fail2Ban"                         ##
1843
##- Adapt conf file to ALCASAR                                        ##
1843
##- Adapt conf file to ALCASAR                                        ##
1844
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
1844
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
1845
########################################################################
1845
########################################################################
1846
fail2ban()
1846
fail2ban()
1847
{
1847
{
1848
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
1848
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
1849
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
1849
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
1850
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
1850
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
1851
 
1851
 
1852
# add 5 jails and their filters
1852
# add 5 jails and their filters
1853
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
1853
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
1854
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
1854
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
1855
[sshd]
1855
[sshd]
1856
enabled = true
1856
enabled = true
1857
#enabled  = false
1857
#enabled  = false
1858
maxretry = 3
1858
maxretry = 3
1859
bantime = 3m
1859
bantime = 3m
1860
findtime = 5m
1860
findtime = 5m
1861
EOF
1861
EOF
1862
 
1862
 
1863
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
1863
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
1864
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
1864
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
1865
[lighttpd-auth]
1865
[lighttpd-auth]
1866
enabled = true
1866
enabled = true
1867
#enabled  = false
1867
#enabled  = false
1868
maxretry = 3
1868
maxretry = 3
1869
bantime = 3m
1869
bantime = 3m
1870
findtime = 3m
1870
findtime = 3m
1871
EOF
1871
EOF
1872
 
1872
 
1873
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
1873
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
1874
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
1874
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
1875
[alcasar_mod-evasive]
1875
[alcasar_mod-evasive]
1876
#enabled = true
1876
#enabled = true
1877
enabled = false
1877
enabled = false
1878
backend = auto
1878
backend = auto
1879
filter = alcasar_mod-evasive
1879
filter = alcasar_mod-evasive
1880
action = iptables-allports[name=alcasar_mod-evasive]
1880
action = iptables-allports[name=alcasar_mod-evasive]
1881
logpath = /var/log/lighttpd/access.log
1881
logpath = /var/log/lighttpd/access.log
1882
maxretry = 3
1882
maxretry = 3
1883
bantime = 3m
1883
bantime = 3m
1884
findtime = 3m
1884
findtime = 3m
1885
EOF
1885
EOF
1886
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
1886
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
1887
[Definition]
1887
[Definition]
1888
failregex =  <HOST> .+\] "[^"]+" 403
1888
failregex =  <HOST> .+\] "[^"]+" 403
1889
ignoreregex =
1889
ignoreregex =
1890
EOF
1890
EOF
1891
 
1891
 
1892
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
1892
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
1893
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
1893
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
1894
[alcasar_intercept]
1894
[alcasar_intercept]
1895
enabled = true
1895
enabled = true
1896
#enabled = false
1896
#enabled = false
1897
backend = auto
1897
backend = auto
1898
filter = alcasar_intercept
1898
filter = alcasar_intercept
1899
action = iptables-allports[name=alcasar_intercept]
1899
action = iptables-allports[name=alcasar_intercept]
1900
logpath = /var/log/lighttpd/access.log
1900
logpath = /var/log/lighttpd/access.log
1901
maxretry = 5
1901
maxretry = 5
1902
bantime = 3m
1902
bantime = 3m
1903
findtime = 3m
1903
findtime = 3m
1904
EOF
1904
EOF
1905
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
1905
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
1906
[Definition]
1906
[Definition]
1907
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1907
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1908
ignoreregex =
1908
ignoreregex =
1909
EOF
1909
EOF
1910
 
1910
 
1911
## alcasar_change-pwd : ban after 5 failed user change password attempts
1911
## alcasar_change-pwd : ban after 5 failed user change password attempts
1912
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
1912
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
1913
[alcasar_change-pwd]
1913
[alcasar_change-pwd]
1914
enabled = true
1914
enabled = true
1915
#enabled = false
1915
#enabled = false
1916
backend = auto
1916
backend = auto
1917
filter = alcasar_change-pwd
1917
filter = alcasar_change-pwd
1918
action = iptables-allports[name=alcasar_change-pwd]
1918
action = iptables-allports[name=alcasar_change-pwd]
1919
logpath = /var/log/lighttpd/access.log
1919
logpath = /var/log/lighttpd/access.log
1920
maxretry = 5
1920
maxretry = 5
1921
bantime = 3m
1921
bantime = 3m
1922
findtime = 3m
1922
findtime = 3m
1923
EOF
1923
EOF
1924
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
1924
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
1925
[Definition]
1925
[Definition]
1926
failregex = <HOST> .* \"POST \/password\.php
1926
failregex = <HOST> .* \"POST \/password\.php
1927
ignoreregex =
1927
ignoreregex =
1928
EOF
1928
EOF
1929
 
1929
 
1930
# allow reading of 2 log files (fail2ban & watchdog).
1930
# allow reading of 2 log files (fail2ban & watchdog).
1931
	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1931
	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1932
	[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
1932
	[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
1933
	chmod 644 /var/log/fail2ban.log
1933
	chmod 644 /var/log/fail2ban.log
1934
	chmod 644 /var/Save/security/watchdog.log
1934
	chmod 644 /var/Save/security/watchdog.log
1935
	/usr/bin/touch /var/log/auth.log
1935
	/usr/bin/touch /var/log/auth.log
1936
# fail2ban unit
1936
# fail2ban unit
1937
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1937
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1938
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1938
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1939
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1939
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1940
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1940
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1941
} # End of fail2ban()
1941
} # End of fail2ban()
1942
 
1942
 
1943
#########################################################
1943
#########################################################
1944
##                   Fonction "gammu_smsd"             ##
1944
##                   Fonction "gammu_smsd"             ##
1945
## - Creating of SMS management database               ##
1945
## - Creating of SMS management database               ##
1946
## - Write the gammu a gammu_smsd conf files           ##
1946
## - Write the gammu a gammu_smsd conf files           ##
1947
#########################################################
1947
#########################################################
1948
gammu_smsd()
1948
gammu_smsd()
1949
{
1949
{
1950
# Create 'gammu' system user
1950
# Create 'gammu' system user
1951
	groupadd -f gammu_smsd
1951
	groupadd -f gammu_smsd
1952
	useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1952
	useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1953
	usermod -a -G dialout gammu_smsd
1953
	usermod -a -G dialout gammu_smsd
1954
 
1954
 
1955
# Create 'gammu' database
1955
# Create 'gammu' database
1956
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1956
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1957
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1957
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1958
# Add a gammu database structure
1958
# Add a gammu database structure
1959
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1959
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1960
 
1960
 
1961
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1961
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1962
	cat << EOF > /etc/gammurc
1962
	cat << EOF > /etc/gammurc
1963
[gammu]
1963
[gammu]
1964
device = /dev/ttyUSB0
1964
device = /dev/ttyUSB0
1965
connection = at115200
1965
connection = at115200
1966
EOF
1966
EOF
1967
 
1967
 
1968
	cat << EOF > /etc/gammu_smsd_conf
1968
	cat << EOF > /etc/gammu_smsd_conf
1969
[gammu]
1969
[gammu]
1970
port = /dev/ttyUSB0
1970
port = /dev/ttyUSB0
1971
connection = at115200
1971
connection = at115200
1972
 
1972
 
1973
[smsd]
1973
[smsd]
1974
PIN = 1234
1974
PIN = 1234
1975
logfile = /var/log/gammu-smsd/gammu-smsd.log
1975
logfile = /var/log/gammu-smsd/gammu-smsd.log
1976
logformat = textall
1976
logformat = textall
1977
debuglevel = 0
1977
debuglevel = 0
1978
 
1978
 
1979
service = sql
1979
service = sql
1980
driver = native_mysql
1980
driver = native_mysql
1981
user = $DB_USER
1981
user = $DB_USER
1982
password = $radiuspwd
1982
password = $radiuspwd
1983
pc = localhost
1983
pc = localhost
1984
database = $DB_GAMMU
1984
database = $DB_GAMMU
1985
 
1985
 
1986
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1986
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1987
 
1987
 
1988
StatusFrequency = 30
1988
StatusFrequency = 30
1989
;LoopSleep = 2
1989
;LoopSleep = 2
1990
 
1990
 
1991
;ResetFrequency = 300
1991
;ResetFrequency = 300
1992
;HardResetFrequency = 120
1992
;HardResetFrequency = 120
1993
 
1993
 
1994
CheckSecurity = 1
1994
CheckSecurity = 1
1995
CheckSignal = 1
1995
CheckSignal = 1
1996
CheckBattery = 0
1996
CheckBattery = 0
1997
EOF
1997
EOF
1998
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
1998
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
1999
 
1999
 
2000
# Create the systemd unit
2000
# Create the systemd unit
2001
	cat << EOF > /lib/systemd/system/gammu-smsd.service
2001
	cat << EOF > /lib/systemd/system/gammu-smsd.service
2002
[Unit]
2002
[Unit]
2003
Description=SMS daemon for Gammu
2003
Description=SMS daemon for Gammu
2004
Documentation=man:gammu-smsd(1)
2004
Documentation=man:gammu-smsd(1)
2005
After=network.target mysql.service
2005
After=network.target mysql.service
2006
 
2006
 
2007
[Service]
2007
[Service]
2008
Type=forking
2008
Type=forking
2009
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon
2009
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon
2010
ExecReload=/bin/kill -HUP $MAINPID
2010
ExecReload=/bin/kill -HUP $MAINPID
2011
ExecStopPost=/bin/rm -f /run/gammu-smsd.pid
2011
ExecStopPost=/bin/rm -f /run/gammu-smsd.pid
2012
PIDFile=/run/gammu-smsd.pid
2012
PIDFile=/run/gammu-smsd.pid
2013
 
2013
 
2014
[Install]
2014
[Install]
2015
WantedBy=multi-user.target
2015
WantedBy=multi-user.target
2016
EOF
2016
EOF
2017
 
2017
 
2018
# Log folder for gammu-smsd
2018
# Log folder for gammu-smsd
2019
	[ -d /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2019
	[ -d /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2020
	chmod 755 /var/log/gammu-smsd
2020
	chmod 755 /var/log/gammu-smsd
2021
 
2021
 
2022
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2022
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2023
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2023
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2024
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2024
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2025
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2025
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2026
#EOF
2026
#EOF
2027
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2027
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2028
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2028
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2029
 
2029
 
2030
} # End of gammu_smsd()
2030
} # End of gammu_smsd()
2031
 
2031
 
2032
############################################################
2032
############################################################
2033
##                 Fonction "msec"                        ##
2033
##                 Fonction "msec"                        ##
2034
## - Apply the "fileserver" security level                ##
2034
## - Apply the "fileserver" security level                ##
2035
## - remove the "system request" for rebooting            ##
2035
## - remove the "system request" for rebooting            ##
2036
## - Fix several file permissions                         ##
2036
## - Fix several file permissions                         ##
2037
############################################################
2037
############################################################
2038
msec()
2038
msec()
2039
{
2039
{
2040
 
2040
 
2041
# Apply fileserver security level
2041
# Apply fileserver security level
2042
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2042
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2043
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2043
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2044
 
2044
 
2045
# Set permissions monitoring and enforcement
2045
# Set permissions monitoring and enforcement
2046
cat <<EOF > /etc/security/msec/perm.local
2046
cat <<EOF > /etc/security/msec/perm.local
2047
/var/log/firewall/                      root.apache     750
2047
/var/log/firewall/                      root.apache     750
2048
/var/log/firewall/*                     root.apache     640
2048
/var/log/firewall/*                     root.apache     640
2049
/etc/security/msec/perm.local           root.root       640
2049
/etc/security/msec/perm.local           root.root       640
2050
/etc/security/msec/level.local          root.root       640
2050
/etc/security/msec/level.local          root.root       640
2051
/etc/freeradius-web                     root.apache     750
2051
/etc/freeradius-web                     root.apache     750
2052
/etc/freeradius-web/admin.conf          root.apache     640
2052
/etc/freeradius-web/admin.conf          root.apache     640
2053
/etc/raddb/client.conf                  radius.radius   640
2053
/etc/raddb/client.conf                  radius.radius   640
2054
/etc/raddb/radius.conf                  radius.radius   640
2054
/etc/raddb/radius.conf                  radius.radius   640
2055
/etc/raddb/mods-available/ldap          radius.apache   660
2055
/etc/raddb/mods-available/ldap          radius.apache   660
2056
/etc/raddb/sites-available/alcasar      radius.apache   660
2056
/etc/raddb/sites-available/alcasar      radius.apache   660
2057
/etc/pki/CA/                            root.apache     750 force
2057
/etc/pki/CA/                            root.apache     750 force
2058
/etc/pki/CA/*                           root.apache     640 force 
2058
/etc/pki/CA/*                           root.apache     640 force 
2059
/etc/pki/CA/private/                    root.root       700 force
2059
/etc/pki/CA/private/                    root.root       700 force
2060
/etc/pki/CA/private/*                   root.root       600 force
2060
/etc/pki/CA/private/*                   root.root       600 force
2061
/etc/pki/tls/private/                   root.apache     750 force
2061
/etc/pki/tls/private/                   root.apache     750 force
2062
/etc/pki/tls/private/*                  root.apache     640 force
2062
/etc/pki/tls/private/*                  root.apache     640 force
2063
/var/log/clamav/                        e2guardian.e2guardian   755 force
2063
/var/log/clamav/                        e2guardian.e2guardian   755 force
2064
/var/log/clamav/*                       e2guardian.e2guardian   764 force
2064
/var/log/clamav/*                       e2guardian.e2guardian   764 force
2065
/var/lib/clamav/                        e2guardian.e2guardian   755 force
2065
/var/lib/clamav/                        e2guardian.e2guardian   755 force
2066
EOF
2066
EOF
2067
# apply now hourly & daily checks
2067
# apply now hourly & daily checks
2068
/usr/sbin/msec
2068
/usr/sbin/msec
2069
/etc/cron.weekly/msec
2069
/etc/cron.weekly/msec
2070
 
2070
 
2071
} # End of msec()
2071
} # End of msec()
2072
 
2072
 
2073
##################################################################
2073
##################################################################
2074
##                   Fonction "letsencrypt"                     ##
2074
##                   Fonction "letsencrypt"                     ##
2075
## - Install Let's Encrypt client                               ##
2075
## - Install Let's Encrypt client                               ##
2076
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2076
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2077
##################################################################
2077
##################################################################
2078
letsencrypt()
2078
letsencrypt()
2079
{
2079
{
2080
	echo "Installing Let's Encrypt client..."
2080
	echo "Installing Let's Encrypt client..."
2081
	# Remove potential old installers
2081
	# Remove potential old installers
2082
	rm -rf /tmp/acme.sh-*
2082
	rm -rf /tmp/acme.sh-*
2083
	# Extract acme.sh
2083
	# Extract acme.sh
2084
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2084
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2085
	pwdInstall=$(pwd)
2085
	pwdInstall=$(pwd)
2086
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2086
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2087
	acmesh_installDir="/opt/acme.sh"
2087
	acmesh_installDir="/opt/acme.sh"
2088
	acmesh_confDir="/usr/local/etc/letsencrypt"
2088
	acmesh_confDir="/usr/local/etc/letsencrypt"
2089
	acmesh_userAgent="ALCASAR"
2089
	acmesh_userAgent="ALCASAR"
2090
	# Install acme.sh
2090
	# Install acme.sh
2091
	./acme.sh --install \
2091
	./acme.sh --install \
2092
		--home $acmesh_installDir \
2092
		--home $acmesh_installDir \
2093
		--config-home $acmesh_confDir/data \
2093
		--config-home $acmesh_confDir/data \
2094
		--certhome $acmesh_confDir/certs \
2094
		--certhome $acmesh_confDir/certs \
2095
		--accountkey $acmesh_confDir/ca/account.key \
2095
		--accountkey $acmesh_confDir/ca/account.key \
2096
		--accountconf $acmesh_confDir/data/account.conf \
2096
		--accountconf $acmesh_confDir/data/account.conf \
2097
		--useragent $acmesh_userAgent \
2097
		--useragent $acmesh_userAgent \
2098
		--nocron \
2098
		--nocron \
2099
		> /dev/null
2099
		> /dev/null
2100
	if [ $? -ne 0 ]; then
2100
	if [ $? -ne 0 ]; then
2101
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2101
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2102
	fi
2102
	fi
2103
	# Create configuration file
2103
	# Create configuration file
2104
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2104
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2105
email=
2105
email=
2106
dateIssueRequest=
2106
dateIssueRequest=
2107
domainRequest=
2107
domainRequest=
2108
challenge=
2108
challenge=
2109
dateIssued=
2109
dateIssued=
2110
dnsapi=
2110
dnsapi=
2111
dateNextRenewal=
2111
dateNextRenewal=
2112
EOF
2112
EOF
2113
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2113
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2114
	rm -rf /tmp/acme.sh-*
2114
	rm -rf /tmp/acme.sh-*
2115
} # End of letsencrypt()
2115
} # End of letsencrypt()
2116
 
2116
 
2117
##################################################################
2117
##################################################################
2118
##                    Fonction "post_install"                   ##
2118
##                    Fonction "post_install"                   ##
2119
## - Modifying banners (locals et ssh) & prompts                ##
2119
## - Modifying banners (locals et ssh) & prompts                ##
2120
## - SSH config                                                 ##
2120
## - SSH config                                                 ##
2121
## - sudoers config & files security                            ##
2121
## - sudoers config & files security                            ##
2122
## - log rotate & ANSSI security parameters                     ##
2122
## - log rotate & ANSSI security parameters                     ##
2123
## - Apply former conf in case of an update                     ##
2123
## - Apply former conf in case of an update                     ##
2124
##################################################################
2124
##################################################################
2125
post_install()
2125
post_install()
2126
{
2126
{
2127
# change the SSHD options
2127
# change the SSHD options
2128
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2128
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2129
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2129
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2130
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2130
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2131
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2131
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2132
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2132
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2133
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2133
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2134
# sshd listens on EXTIF & INTIF
2134
# sshd listens on EXTIF & INTIF
2135
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2135
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2136
# sshd authorized certificate for root login
2136
# sshd authorized certificate for root login
2137
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2137
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2138
	$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
2138
	$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
2139
 
2139
 
2140
# postfix banner anonymisation
2140
# postfix banner anonymisation
2141
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2141
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2142
	chown -R postfix:postfix /var/lib/postfix
2142
	chown -R postfix:postfix /var/lib/postfix
2143
# ALCASAR conf file
2143
# ALCASAR conf file
2144
	echo "HTTPS_LOGIN=off" >> $CONF_FILE
2144
	echo "HTTPS_LOGIN=off" >> $CONF_FILE
2145
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2145
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2146
	echo "SSH=on" >> $CONF_FILE
2146
	echo "SSH=on" >> $CONF_FILE
2147
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2147
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2148
	echo "LDAP=off" >> $CONF_FILE
2148
	echo "LDAP=off" >> $CONF_FILE
2149
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2149
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2150
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2150
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2151
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2151
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2152
	echo "LDAP_FILTER=" >> $CONF_FILE
2152
	echo "LDAP_FILTER=" >> $CONF_FILE
2153
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2153
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2154
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2154
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2155
	echo "LDAP_SSL=on" >> $CONF_FILE
2155
	echo "LDAP_SSL=on" >> $CONF_FILE
2156
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2156
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2157
	echo "SMS=off" >> $CONF_FILE
2157
	echo "SMS=off" >> $CONF_FILE
2158
	echo "SMS_NUM=" >> $CONF_FILE
2158
	echo "SMS_NUM=" >> $CONF_FILE
2159
	echo "MULTIWAN=off" >> $CONF_FILE
2159
	echo "MULTIWAN=off" >> $CONF_FILE
2160
	echo "FAILOVER=30" >> $CONF_FILE
2160
	echo "FAILOVER=30" >> $CONF_FILE
2161
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2161
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2162
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2162
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2163
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2163
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2164
	echo "BL_PUREIP=on" >> $CONF_FILE
2164
	echo "BL_PUREIP=on" >> $CONF_FILE
2165
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2165
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2166
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2166
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2167
	echo "IOT_CAPTURE=off" >> $CONF_FILE
2167
	echo "IOT_CAPTURE=off" >> $CONF_FILE
2168
# Prompt customisation (colors)
2168
# Prompt customisation (colors)
2169
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2169
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2170
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2170
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2171
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2171
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2172
# sudoers configuration for "apache" & "sysadmin"
2172
# sudoers configuration for "apache" & "sysadmin"
2173
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2173
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2174
	cp -f $DIR_CONF/sudoers /etc/ ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2174
	cp -f $DIR_CONF/sudoers /etc/ ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2175
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2175
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2176
# Modify some logrotate files (gammu, ulogd)
2176
# Modify some logrotate files (gammu, ulogd)
2177
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2177
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2178
	chmod 644 /etc/logrotate.d/*
2178
	chmod 644 /etc/logrotate.d/*
2179
# Log compression
2179
# Log compression
2180
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2180
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2181
# actualisation des fichiers logs compressés
2181
# actualisation des fichiers logs compressés
2182
	for dir in firewall e2guardian lighttpd
2182
	for dir in firewall e2guardian lighttpd
2183
	do
2183
	do
2184
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2184
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2185
	done
2185
	done
2186
# create the alcasar-load_balancing unit
2186
# create the alcasar-load_balancing unit
2187
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2187
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2188
#  This file is part of systemd.
2188
#  This file is part of systemd.
2189
#
2189
#
2190
#  systemd is free software; you can redistribute it and/or modify it
2190
#  systemd is free software; you can redistribute it and/or modify it
2191
#  under the terms of the GNU General Public License as published by
2191
#  under the terms of the GNU General Public License as published by
2192
#  the Free Software Foundation; either version 2 of the License, or
2192
#  the Free Software Foundation; either version 2 of the License, or
2193
#  (at your option) any later version.
2193
#  (at your option) any later version.
2194
 
2194
 
2195
# This unit lauches alcasar-load-balancing.sh script.
2195
# This unit lauches alcasar-load-balancing.sh script.
2196
[Unit]
2196
[Unit]
2197
Description=alcasar-load_balancing.sh execution
2197
Description=alcasar-load_balancing.sh execution
2198
After=network.target iptables.service
2198
After=network.target iptables.service
2199
 
2199
 
2200
[Service]
2200
[Service]
2201
Type=oneshot
2201
Type=oneshot
2202
RemainAfterExit=yes
2202
RemainAfterExit=yes
2203
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2203
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2204
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2204
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2205
TimeoutSec=0
2205
TimeoutSec=0
2206
 
2206
 
2207
[Install]
2207
[Install]
2208
WantedBy=multi-user.target
2208
WantedBy=multi-user.target
2209
EOF
2209
EOF
2210
	/usr/bin/systemctl daemon-reload
2210
	/usr/bin/systemctl daemon-reload
2211
# processes launched at boot time (Systemctl)
2211
# processes launched at boot time (Systemctl)
2212
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2212
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2213
	do
2213
	do
2214
		/usr/bin/systemctl -q enable $i.service
2214
		/usr/bin/systemctl -q enable $i.service
2215
	done
2215
	done
2216
 
2216
 
2217
# disable processes at boot time (Systemctl)
2217
# disable processes at boot time (Systemctl)
2218
	for i in ulogd gpm dhcpd
2218
	for i in ulogd gpm dhcpd
2219
	do
2219
	do
2220
		/usr/bin/systemctl -q disable $i.service
2220
		/usr/bin/systemctl -q disable $i.service
2221
	done
2221
	done
2222
 
2222
 
2223
# Apply some security rules (some are from French cybersecurity Agency - ANSSI)
2223
# Apply some security rules (some are from French cybersecurity Agency - ANSSI)
2224
# ignore ICMP broadcast (smurf attack)
2224
# ignore ICMP broadcast (smurf attack)
2225
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2225
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2226
# ignore ICMP errors bogus
2226
# ignore ICMP errors bogus
2227
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2227
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2228
# remove ICMP redirects responces
2228
# remove ICMP redirects responces
2229
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2229
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2230
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2230
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2231
# enable SYN Cookies (Syn flood attacks)
2231
# enable SYN Cookies (Syn flood attacks)
2232
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2232
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2233
# enable kernel antispoofing
2233
# enable kernel antispoofing
2234
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2234
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2235
# ignore source routing
2235
# ignore source routing
2236
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2236
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2237
# set conntrack timer to 1h (3600s) instead of 5 weeks
2237
# set conntrack timer to 1h (3600s) instead of 5 weeks
2238
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2238
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2239
# disable log_martians (ALCASAR is often installed between two private network addresses)
2239
# disable log_martians (ALCASAR is often installed between two private network addresses)
2240
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2240
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2241
# disable iptables_helpers
2241
# disable iptables_helpers
2242
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2242
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2243
# Switch to the router mode
2243
# Switch to the router mode
2244
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2244
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2245
# Remove unused service ipv6
2245
# Remove unused service ipv6
2246
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2246
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2247
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2247
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2248
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2248
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2249
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2249
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2250
# switch to multi-users runlevel (instead of x11)
2250
# switch to multi-users runlevel (instead of x11)
2251
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2251
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2252
# disable Core dump file
2252
# disable Core dump file
2253
	[ -e /etc/security/limits.conf.default ]  || cp /etc/security/limits.conf /etc/security/limits.conf.default
2253
	[ -e /etc/security/limits.conf.default ]  || cp /etc/security/limits.conf /etc/security/limits.conf.default
2254
	$SED "/^# End of file.*/i*\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf
2254
	$SED "/^# End of file.*/i*\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf
2255
 
2255
 
2256
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2256
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2257
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2257
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2258
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2258
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2259
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2259
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2260
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2260
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2261
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2261
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2262
	if [ $vm_vga == 0 ] # is not a VM
2262
	if [ $vm_vga == 0 ] # is not a VM
2263
	then
2263
	then
2264
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2264
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2265
		echo >> /etc/mageia-release
2265
		echo >> /etc/mageia-release
2266
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2266
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2267
	fi
2267
	fi
2268
	if [ $Lang == "fr" ]
2268
	if [ $Lang == "fr" ]
2269
	then
2269
	then
2270
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2270
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2271
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2271
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2272
	else
2272
	else
2273
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2273
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2274
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2274
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2275
	fi
2275
	fi
2276
	/usr/bin/update-grub2
2276
	/usr/bin/update-grub2
2277
# Load and apply the previous conf file
2277
# Load and apply the previous conf file
2278
	if [ "$mode" = "update" ]
2278
	if [ "$mode" = "update" ]
2279
	then
2279
	then
2280
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2280
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2281
		$DIR_DEST_BIN/alcasar-conf.sh --load
2281
		$DIR_DEST_BIN/alcasar-conf.sh --load
2282
		PARENT_SCRIPT=`basename $0`
2282
		PARENT_SCRIPT=`basename $0`
2283
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2283
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2284
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2284
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2285
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2285
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2286
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2286
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2287
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2287
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2288
	fi
2288
	fi
2289
	rm -f /var/tmp/alcasar-conf*
2289
	rm -f /var/tmp/alcasar-conf*
2290
	chown -R root:apache $DIR_DEST_ETC/*
2290
	chown -R root:apache $DIR_DEST_ETC/*
2291
	chmod -R 660 $DIR_DEST_ETC/*
2291
	chmod -R 660 $DIR_DEST_ETC/*
2292
	chmod ug+x $DIR_DEST_ETC/digest
2292
	chmod ug+x $DIR_DEST_ETC/digest
2293
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2293
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2294
	echo ""
2294
	echo ""
2295
	echo "#############################################################################"
2295
	echo "#############################################################################"
2296
	if [ $Lang == "fr" ]
2296
	if [ $Lang == "fr" ]
2297
		then
2297
		then
2298
		echo "#                        Fin d'installation d'ALCASAR                       #"
2298
		echo "#                        Fin d'installation d'ALCASAR                       #"
2299
		echo "#                                                                           #"
2299
		echo "#                                                                           #"
2300
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2300
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2301
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2301
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2302
		echo "#                                                                           #"
2302
		echo "#                                                                           #"
2303
		echo "#############################################################################"
2303
		echo "#############################################################################"
2304
		echo
2304
		echo
2305
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2305
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2306
		echo
2306
		echo
2307
		echo "- Lisez attentivement la documentation d'exploitation"
2307
		echo "- Lisez attentivement la documentation d'exploitation"
2308
		echo
2308
		echo
2309
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2309
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2310
		echo
2310
		echo
2311
		echo "                   Appuyez sur 'Entrée' pour continuer"
2311
		echo "                   Appuyez sur 'Entrée' pour continuer"
2312
	else
2312
	else
2313
		echo "#                        End of ALCASAR install process                     #"
2313
		echo "#                        End of ALCASAR install process                     #"
2314
		echo "#                                                                           #"
2314
		echo "#                                                                           #"
2315
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2315
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2316
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2316
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2317
		echo "#                                                                           #"
2317
		echo "#                                                                           #"
2318
		echo "#############################################################################"
2318
		echo "#############################################################################"
2319
		echo
2319
		echo
2320
		echo "- The system will be rebooted in order to operate ALCASAR"
2320
		echo "- The system will be rebooted in order to operate ALCASAR"
2321
		echo
2321
		echo
2322
		echo "- Read the exploitation documentation"
2322
		echo "- Read the exploitation documentation"
2323
		echo
2323
		echo
2324
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2324
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2325
		echo
2325
		echo
2326
		echo "                   Hit 'Enter' to continue"
2326
		echo "                   Hit 'Enter' to continue"
2327
	fi
2327
	fi
2328
	sleep 2
2328
	sleep 2
2329
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2329
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2330
	then
2330
	then
2331
		read
2331
		read
2332
	fi
2332
	fi
2333
	clear
2333
	clear
2334
	reboot
2334
	reboot
2335
} # End of post_install()
2335
} # End of post_install()
2336
 
2336
 
2337
#####################################################################################
2337
#####################################################################################
2338
#                                   Main Install loop                               #
2338
#                                   Main Install loop                               #
2339
#####################################################################################
2339
#####################################################################################
2340
dir_exec=`dirname "$0"`
2340
dir_exec=`dirname "$0"`
2341
if [ $dir_exec != "." ]
2341
if [ $dir_exec != "." ]
2342
then
2342
then
2343
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2343
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2344
	echo "Launch this program from the ALCASAR archive directory"
2344
	echo "Launch this program from the ALCASAR archive directory"
2345
	exit 0
2345
	exit 0
2346
fi
2346
fi
2347
if [ $EUID -gt 0 ]
2347
if [ $EUID -gt 0 ]
2348
then
2348
then
2349
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2349
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2350
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2350
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2351
	exit 0
2351
	exit 0
2352
fi
2352
fi
2353
VERSION=`cat $DIR_INSTALL/VERSION`
2353
VERSION=`cat $DIR_INSTALL/VERSION`
2354
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2354
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2355
nb_args=$#
2355
nb_args=$#
2356
args=$1
2356
args=$1
2357
if [ $nb_args -eq 0 ]
2357
if [ $nb_args -eq 0 ]
2358
then
2358
then
2359
	nb_args=1
2359
	nb_args=1
2360
	args="-h"
2360
	args="-h"
2361
fi
2361
fi
2362
chmod -R u+x $DIR_SCRIPTS/*
2362
chmod -R u+x $DIR_SCRIPTS/*
2363
case $args in
2363
case $args in
2364
	-\? | -h* | --h*)
2364
	-\? | -h* | --h*)
2365
		echo "$usage"
2365
		echo "$usage"
2366
		exit 0
2366
		exit 0
2367
		;;
2367
		;;
2368
	-i | --install)
2368
	-i | --install)
2369
		for func in license testing_system
2369
		for func in license testing_system
2370
		do
2370
		do
2371
			header_install
2371
			header_install
2372
			$func
2372
			$func
2373
			if [ $DEBUG_ALCASAR == "on" ]
2373
			if [ $DEBUG_ALCASAR == "on" ]
2374
			then
2374
			then
2375
				echo "*** 'debug' : end of function '$func' ***"
2375
				echo "*** 'debug' : end of function '$func' ***"
2376
				read
2376
				read
2377
			fi
2377
			fi
2378
		done
2378
		done
2379
# RPMs install
2379
# RPMs install
2380
		$DIR_SCRIPTS/alcasar-urpmi.sh
2380
		$DIR_SCRIPTS/alcasar-urpmi.sh
2381
		if [ "$?" != "0" ]
2381
		if [ "$?" != "0" ]
2382
		then
2382
		then
2383
			exit 0
2383
			exit 0
2384
		fi
2384
		fi
2385
		if [ -e $CONF_FILE ]
2385
		if [ -e $CONF_FILE ]
2386
		then
2386
		then
2387
# Uninstall or update the running version
2387
# Uninstall or update the running version
2388
			if [ "$mode" == "update" ]
2388
			if [ "$mode" == "update" ]
2389
			then
2389
			then
2390
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2390
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2391
			else
2391
			else
2392
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2392
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2393
			fi
2393
			fi
2394
		fi
2394
		fi
2395
		if [ $DEBUG_ALCASAR == "on" ]
2395
		if [ $DEBUG_ALCASAR == "on" ]
2396
		then
2396
		then
2397
			echo "*** 'debug' : end of cleaning ***"
2397
			echo "*** 'debug' : end of cleaning ***"
2398
			read
2398
			read
2399
		fi
2399
		fi
2400
# Test if conf file
2400
# Test if conf file
2401
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2401
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2402
		then
2402
		then
2403
# Extract some info from the previous configuration file
2403
# Extract some info from the previous configuration file
2404
			cd /var/tmp
2404
			cd /var/tmp
2405
			tar -xf /var/tmp/alcasar-conf.tar.gz conf/etc/alcasar.conf
2405
			tar -xf /var/tmp/alcasar-conf.tar.gz conf/etc/alcasar.conf
2406
			if [ "$mode" == "install" ] # don't display this if updating a running version
2406
			if [ "$mode" == "install" ] # don't display this if updating a running version
2407
			then
2407
			then
2408
				header_install
2408
				header_install
2409
				ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2409
				ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2410
				PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2410
				PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2411
				MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2411
				MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2412
				MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2412
				MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2413
				UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2413
				UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2414
				if [ $Lang == "fr" ]
2414
				if [ $Lang == "fr" ]
2415
					then echo "Le fichier de configuration d'une version $MAJ_PREVIOUS_VERSION.$MIN_PREVIOUS_VERSION.$UPD_PREVIOUS_VERSION a été trouvé";
2415
					then echo "Le fichier de configuration d'une version $MAJ_PREVIOUS_VERSION.$MIN_PREVIOUS_VERSION.$UPD_PREVIOUS_VERSION a été trouvé";
2416
					else echo "The configuration file of an old version has been found";
2416
					else echo "The configuration file of an old version has been found";
2417
				fi
2417
				fi
2418
				response=0
2418
				response=0
2419
				PTN='^[oOnNyY]?$'
2419
				PTN='^[oOnNyY]?$'
2420
				until [[ "$response" =~ $PTN ]]
2420
				until [[ "$response" =~ $PTN ]]
2421
				do
2421
				do
2422
					if [ $Lang == "fr" ]
2422
					if [ $Lang == "fr" ]
2423
						then echo -n "Voulez-vous l'utiliser (O/n)? ";
2423
						then echo -n "Voulez-vous l'utiliser (O/n)? ";
2424
						else echo -n "Do you want to use it (Y/n)?";
2424
						else echo -n "Do you want to use it (Y/n)?";
2425
					fi
2425
					fi
2426
					read response
2426
					read response
2427
					if [ "$response" = "n" ] || [ "$response" = "N" ]
2427
					if [ "$response" = "n" ] || [ "$response" = "N" ]
2428
					then
2428
					then
2429
						rm -f /var/tmp/alcasar-conf*
2429
						rm -f /var/tmp/alcasar-conf*
2430
						rm -rf /var/tmp/conf
2430
						rm -rf /var/tmp/conf
2431
					fi
2431
					fi
2432
				done
2432
				done
2433
			fi
2433
			fi
2434
			cd $DIR_INSTALL
2434
			cd $DIR_INSTALL
2435
		fi
2435
		fi
2436
# Test if update
2436
# Test if update
2437
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2437
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2438
		then
2438
		then
2439
			if [ $Lang == "fr" ]
2439
			if [ $Lang == "fr" ]
2440
				then echo "#### Installation avec mise à jour ####";
2440
				then echo "#### Installation avec mise à jour ####";
2441
				else echo "#### Installation with update     ####";
2441
				else echo "#### Installation with update     ####";
2442
			fi
2442
			fi
2443
			mode="update"
2443
			mode="update"
2444
		fi
2444
		fi
2445
		for func in testing_network init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2445
		for func in testing_network init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2446
		do
2446
		do
2447
			$func
2447
			$func
2448
			if [ $DEBUG_ALCASAR == "on" ]
2448
			if [ $DEBUG_ALCASAR == "on" ]
2449
			then
2449
			then
2450
				echo "*** 'debug' : end of function '$func' ***"
2450
				echo "*** 'debug' : end of function '$func' ***"
2451
				read
2451
				read
2452
			fi
2452
			fi
2453
		done
2453
		done
2454
		;;
2454
		;;
2455
	-u | --uninstall)
2455
	-u | --uninstall)
2456
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2456
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2457
		then
2457
		then
2458
			if [ $Lang == "fr" ]
2458
			if [ $Lang == "fr" ]
2459
				then echo "ALCASAR n'est pas installé!";
2459
				then echo "ALCASAR n'est pas installé!";
2460
				else echo "ALCASAR isn't installed!";
2460
				else echo "ALCASAR isn't installed!";
2461
			fi
2461
			fi
2462
			exit 0
2462
			exit 0
2463
		fi
2463
		fi
2464
		response=0
2464
		response=0
2465
		PTN='^[oOyYnN]?$'
2465
		PTN='^[oOyYnN]?$'
2466
		until [[ "$response" =~ $PTN ]]
2466
		until [[ "$response" =~ $PTN ]]
2467
		do
2467
		do
2468
			if [ $Lang == "fr" ]
2468
			if [ $Lang == "fr" ]
2469
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (O/n)? ";
2469
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (O/n)? ";
2470
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2470
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2471
			fi
2471
			fi
2472
			read response
2472
			read response
2473
		done
2473
		done
2474
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2474
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2475
		then
2475
		then
2476
			$DIR_SCRIPTS/alcasar-conf.sh --create
2476
			$DIR_SCRIPTS/alcasar-conf.sh --create
2477
		else
2477
		else
2478
			rm -f /var/tmp/alcasar-conf*
2478
			rm -f /var/tmp/alcasar-conf*
2479
		fi
2479
		fi
2480
# Uninstall the running version
2480
# Uninstall the running version
2481
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2481
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2482
		;;
2482
		;;
2483
	*)
2483
	*)
2484
		echo "Argument inconnu :$1";
2484
		echo "Argument inconnu :$1";
2485
		echo "Unknown argument :$1";
2485
		echo "Unknown argument :$1";
2486
		echo "$usage"
2486
		echo "$usage"
2487
		exit 1
2487
		exit 1
2488
		;;
2488
		;;
2489
esac
2489
esac
2490
# end of script
2490
# end of script
2491
 
2491
 
2492
 
2492
 
2493

Generated by GNU Enscript 1.6.6.
2493

Generated by GNU Enscript 1.6.6.
2494
 
2494
 
2495
 
2495
 
2496
 
2496