
Rev 2947 Rev 2956
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2947 2021-04-21 16:36:52Z rexy $
2
#  $Id: alcasar.sh 2956 2021-05-24 19:57:17Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
# Functions :
26
# Functions :
27
#	testing			: connectivity tests, free space test and mageia version test
27
#	testing			: connectivity tests, free space test and mageia version test
28
#	init			: Installation of RPM and scripts
28
#	init			: Installation of RPM and scripts
29
#	network			: Network parameters
29
#	network			: Network parameters
30
#	ACC				: ALCASAR Control Center installation
30
#	ACC				: ALCASAR Control Center installation
31
#	CA				: Certification Authority initialization
31
#	CA				: Certification Authority initialization
32
#	time_server		: NTPd configuration
32
#	time_server		: NTPd configuration
33
#	init_db			: Initilization of radius database managed with MariaDB
33
#	init_db			: Initilization of radius database managed with MariaDB
34
#	freeradius		: FreeRadius initialisation
34
#	freeradius		: FreeRadius initialisation
35
#	chilli			: coovachilli initialisation (+authentication page)
35
#	chilli			: coovachilli initialisation (+authentication page)
36
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
36
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
37
#	antivirus		: clamav & freshclam configuration
37
#	antivirus		: clamav & freshclam configuration
38
#	ulogd			: log system in userland (match NFLOG target of iptables)
38
#	ulogd			: log system in userland (match NFLOG target of iptables)
39
#	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
39
#	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
40
#	unbound			: Name server configuration
40
#	unbound			: Name server configuration
41
#	dnsmasq			: Name server configuration (for whitelist ipset support)
41
#	dnsmasq			: Name server configuration (for whitelist ipset support)
42
#	vnstat			: little network stat daemon
42
#	vnstat			: little network stat daemon
43
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
43
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
44
#	cron			: Logs export + watchdog + connexion statistics
44
#	cron			: Logs export + watchdog + connexion statistics
45
#	fail2ban		: Fail2ban IDS installation and configuration
45
#	fail2ban		: Fail2ban IDS installation and configuration
46
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
46
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
47
#	msec			: Mandriva security package configuration
47
#	msec			: Mandriva security package configuration
48
#	letsencrypt		: Let's Encrypt client
48
#	letsencrypt		: Let's Encrypt client
49
#	post_install	: Security, log rotation, etc.
49
#	post_install	: Security, log rotation, etc.
50
 
50
 
51
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
51
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
52
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
54
Lang=`echo $LANG|cut -c 1-2`
54
Lang=`echo $LANG|cut -c 1-2`
55
mode="install"
55
mode="install"
56
# ******* Files parameters - paramètres fichiers *********
56
# ******* Files parameters - paramètres fichiers *********
57
DIR_INSTALL=`pwd`						# current directory
57
DIR_INSTALL=`pwd`						# current directory
58
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
61
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
61
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
62
DIR_WEB="/var/www/html"					# directory of Lighttpd
62
DIR_WEB="/var/www/html"					# directory of Lighttpd
63
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
63
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
64
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
64
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
65
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
65
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
66
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
66
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
67
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
67
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
70
# ******* DBMS parameters - paramètres SGBD ********
70
# ******* DBMS parameters - paramètres SGBD ********
71
DB_RADIUS="radius"						# database name used by FreeRadius server
71
DB_RADIUS="radius"						# database name used by FreeRadius server
72
DB_USER="radius"						# user name allows to request the users database
72
DB_USER="radius"						# user name allows to request the users database
73
DB_GAMMU="gammu"						# database name used by Gammu-smsd
73
DB_GAMMU="gammu"						# database name used by Gammu-smsd
74
# ******* Network parameters - paramètres réseau *******
74
# ******* Network parameters - paramètres réseau *******
75
HOSTNAME="alcasar"						# default hostname
75
HOSTNAME="alcasar"						# default hostname
76
DOMAIN="localdomain"					# default local domain
76
DOMAIN="localdomain"					# default local domain
77
EXTIF=''								# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
EXTIF=''								# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
INTIF=''								# INTIF is connected to the consultation network
78
INTIF=''								# INTIF is connected to the consultation network
79
MTU="1500"
79
MTU="1500"
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
81
# ****** Paths - chemin des commandes *******
81
# ****** Paths - chemin des commandes *******
82
SED="/bin/sed -i"
82
SED="/bin/sed -i"
83
# ****************** End of global parameters *********************
83
# ****************** End of global parameters *********************
84
 
84
 
85
license()
85
license()
86
{
86
{
87
	if [ $Lang == "fr" ]
87
	if [ $Lang == "fr" ]
88
	then
88
	then
89
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
89
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
90
	else
90
	else
91
		cat $DIR_INSTALL/gpl-warning.txt | more
91
		cat $DIR_INSTALL/gpl-warning.txt | more
92
	fi
92
	fi
93
	response=0
93
	response=0
94
	PTN='^[oOyYnN]?$'
94
	PTN='^[oOyYnN]?$'
95
	until [[ "$response" =~ $PTN ]]
95
	until [[ "$response" =~ $PTN ]]
96
	do
96
	do
97
		if [ $Lang == "fr" ]
97
		if [ $Lang == "fr" ]
98
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
98
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
99
			else echo -n "Do you accept the terms of this license (Y/n)? : "
99
			else echo -n "Do you accept the terms of this license (Y/n)? : "
100
		fi
100
		fi
101
		read response
101
		read response
102
	done
102
	done
103
	if [ "$response" = "n" ] || [ "$response" = "N" ]
103
	if [ "$response" = "n" ] || [ "$response" = "N" ]
104
	then
104
	then
105
		exit 1
105
		exit 1
106
	fi
106
	fi
107
} # End of license()
107
} # End of license()
108
 
108
 
109
header_install()
109
header_install()
110
{
110
{
111
	clear
111
	clear
112
	echo "-----------------------------------------------------------------------------"
112
	echo "-----------------------------------------------------------------------------"
113
	echo "                     ALCASAR V$VERSION Installation"
113
	echo "                     ALCASAR V$VERSION Installation"
114
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
114
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
	echo "-----------------------------------------------------------------------------"
115
	echo "-----------------------------------------------------------------------------"
116
} # End of header_install()
116
} # End of header_install()
117
 
117
 
118
########################################################
118
########################################################
119
##              Function "testing_system"             ##
119
##              Function "testing_system"             ##
120
## - Test Mageia version                              ##
120
## - Test Mageia version                              ##
121
## - Test ALCASAR version (if already installed)      ##
121
## - Test ALCASAR version (if already installed)      ##
122
## - Test free space on /var  (>10G)                  ##
122
## - Test free space on /var  (>10G)                  ##
123
## - Test Internet access                             ##
123
## - Test Internet access                             ##
124
########################################################
124
########################################################
125
testing_system()
125
testing_system()
126
{
126
{
127
# Test of Mageia version
127
# Test of Mageia version
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
	fic=`cat /etc/product.id`
129
	fic=`cat /etc/product.id`
130
	unknown_os=0
130
	unknown_os=0
131
	old="$IFS"
131
	old="$IFS"
132
	IFS=","
132
	IFS=","
133
	set $fic
133
	set $fic
134
	for i in "$@"
134
	for i in "$@"
135
	do
135
	do
136
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
136
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
137
			then
137
			then
138
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
138
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
139
			unknown_os=`expr $unknown_os + 1`
139
			unknown_os=`expr $unknown_os + 1`
140
		fi
140
		fi
141
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
141
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
142
			then
142
			then
143
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
143
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
144
			unknown_os=`expr $unknown_os + 1`
144
			unknown_os=`expr $unknown_os + 1`
145
		fi
145
		fi
146
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
146
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
147
			then
147
			then
148
			ARCH=`echo $i|cut -d"=" -f2`
148
			ARCH=`echo $i|cut -d"=" -f2`
149
			unknown_os=`expr $unknown_os + 1`
149
			unknown_os=`expr $unknown_os + 1`
150
		fi
150
		fi
151
	done
151
	done
152
	if [ "$ARCH" != "x86_64" ]
152
	if [ "$ARCH" != "x86_64" ]
153
		then
153
		then
154
		if [ $Lang == "fr" ]
154
		if [ $Lang == "fr" ]
155
			then echo "Votre architecture matérielle doit être en 64bits"
155
			then echo "Votre architecture matérielle doit être en 64bits"
156
			else echo "You hardware architecture must be 64bits"
156
			else echo "You hardware architecture must be 64bits"
157
		fi
157
		fi
158
		exit 1
158
		exit 1
159
	fi
159
	fi
160
	IFS="$old"
160
	IFS="$old"
161
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]]
161
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]]
162
	then
162
	then
163
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
163
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
164
			then
164
			then
165
			echo
165
			echo
166
			if [ $Lang == "fr" ]
166
			if [ $Lang == "fr" ]
167
				then
167
				then
168
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
168
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
169
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
169
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
170
				echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
170
				echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
171
				echo "3 - Importez votre base des usagers"
171
				echo "3 - Importez votre base des usagers"
172
			else
172
			else
173
				echo "The automatic update of ALCASAR can't be performed."
173
				echo "The automatic update of ALCASAR can't be performed."
174
				echo "1 - Save your traceability files and the user database"
174
				echo "1 - Save your traceability files and the user database"
175
				echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
175
				echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
176
				echo "3 - Import your users database"
176
				echo "3 - Import your users database"
177
			fi
177
			fi
178
		else
178
		else
179
			if [ $Lang == "fr" ]
179
			if [ $Lang == "fr" ]
180
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
180
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
181
				else echo "The installation of ALCASAR can't be performed."
181
				else echo "The installation of ALCASAR can't be performed."
182
			fi
182
			fi
183
		fi
183
		fi
184
		echo
184
		echo
185
		if [ $Lang == "fr" ]
185
		if [ $Lang == "fr" ]
186
			then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
186
			then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
187
			else echo "The OS must be replaced (Mageia7.1-64bits)"
187
			else echo "The OS must be replaced (Mageia7.1-64bits)"
188
		fi
188
		fi
189
		exit 1
189
		exit 1
190
	fi
190
	fi
191
 
191
 
192
# Test if ALCASAR is already installed
192
# Test if ALCASAR is already installed
193
	if [ -e $CONF_FILE ]
193
	if [ -e $CONF_FILE ]
194
	then
194
	then
195
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
195
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
196
		if [ $Lang == "fr" ]
196
		if [ $Lang == "fr" ]
197
			then echo "La version $current_version d'ALCASAR est déjà installée"
197
			then echo "La version $current_version d'ALCASAR est déjà installée"
198
			else echo "ALCASAR version $current_version is already installed"
198
			else echo "ALCASAR version $current_version is already installed"
199
		fi
199
		fi
200
		response=0
200
		response=0
201
		PTN='^[12]$'
201
		PTN='^[12]$'
202
		until [[ "$response" =~ $PTN ]]
202
		until [[ "$response" =~ $PTN ]]
203
		do
203
		do
204
			if [ $Lang == "fr" ]
204
			if [ $Lang == "fr" ]
205
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
205
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
206
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
206
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
207
			fi
207
			fi
208
			read response
208
			read response
209
		done
209
		done
210
		if [ "$response" = "2" ]
210
		if [ "$response" = "2" ]
211
		then
211
		then
212
			rm -f /var/tmp/alcasar-conf*
212
			rm -f /var/tmp/alcasar-conf*
213
		else
213
		else
214
# Create the archive of conf files
214
# Create the archive of conf files
215
			$DIR_SCRIPTS/alcasar-conf.sh --create
215
			$DIR_SCRIPTS/alcasar-conf.sh --create
216
			mode="update"
216
			mode="update"
217
		fi
217
		fi
218
	fi
218
	fi
219
# Free /var (when updating) and test free space
219
# Free /var (when updating) and test free space
220
	[ -d /var/log/netflow ] && rm -rf /var/log/netflow  # remove old porttracker RRD database
220
	[ -d /var/log/netflow ] && rm -rf /var/log/netflow  # remove old porttracker RRD database
221
	[ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database
221
	[ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database
222
	journalctl -q --vacuum-files 1  # remove previous journal logs
222
	journalctl -q --vacuum-files 1  # remove previous journal logs
223
	free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
223
	free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
224
	if [ $free_space -lt 10 ]
224
	if [ $free_space -lt 10 ]
225
		then
225
		then
226
		if [ $Lang == "fr" ]
226
		if [ $Lang == "fr" ]
227
			then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
227
			then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
228
			else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
228
			else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
229
		fi
229
		fi
230
	exit 0
230
	exit 0
231
	fi
231
	fi
232
} # End of testing_system
232
} # End of testing_system
233
 
233
 
234
########################################################
234
########################################################
235
##             Function "testing_network"             ##
235
##             Function "testing_network"             ##
236
## - Test Internet access                             ##
236
## - Test Internet access                             ##
237
########################################################
237
########################################################
238
testing_network()
238
testing_network()
239
{
239
{
240
# Detect external/internal interfaces
240
# Detect external/internal interfaces
241
	if [ -z "$EXTIF" ]; then
241
	if [ -z "$EXTIF" ]; then
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
243
		if [ -z "$EXTIF" ]; then
243
		if [ -z "$EXTIF" ]; then
244
			if [ "$Lang" == 'fr' ]
244
			if [ "$Lang" == 'fr' ]
245
				then echo "Aucune passerelle par défaut configurée"
245
				then echo "Aucune passerelle par défaut configurée"
246
				else echo "No default gateway configured"
246
				else echo "No default gateway configured"
247
			fi
247
			fi
248
			exit 1
248
			exit 1
249
		fi
249
		fi
250
	fi
250
	fi
251
	if [ "$Lang" == 'fr' ]
251
	if [ "$Lang" == 'fr' ]
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
254
	fi
254
	fi
255
 
255
 
256
	if [ -z "$INTIF" ]; then
256
	if [ -z "$INTIF" ]; then
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
258
		interfacesCount=$(echo "$interfacesList" | wc -w)
258
		interfacesCount=$(echo "$interfacesList" | wc -w)
259
		if [ $interfacesCount -eq 0 ]; then
259
		if [ $interfacesCount -eq 0 ]; then
260
			if [ "$Lang" == 'fr' ]
260
			if [ "$Lang" == 'fr' ]
261
				then echo "Aucune interface de disponible pour le réseau interne"
261
				then echo "Aucune interface de disponible pour le réseau interne"
262
				else echo "No interface available for the internal network"
262
				else echo "No interface available for the internal network"
263
			fi
263
			fi
264
			exit 1
264
			exit 1
265
		elif [ $interfacesCount -eq 1 ]; then
265
		elif [ $interfacesCount -eq 1 ]; then
266
			INTIF="$interfacesList"
266
			INTIF="$interfacesList"
267
		else
267
		else
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
270
			if [ "$Lang" == 'fr' ]
270
			if [ "$Lang" == 'fr' ]
271
				then echo 'Liste des interfaces disponible :'
271
				then echo 'Liste des interfaces disponible :'
272
				else echo 'List of available interfaces:'
272
				else echo 'List of available interfaces:'
273
			fi
273
			fi
274
			echo "$interfacesSorted"
274
			echo "$interfacesSorted"
275
			response=''
275
			response=''
276
			while true; do
276
			while true; do
277
				if [ "$Lang" == 'fr' ]
277
				if [ "$Lang" == 'fr' ]
278
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
278
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
279
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
279
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
280
				fi
280
				fi
281
				read response
281
				read response
282
 
282
 
283
				[ -z "$response" ] && response="$interfacePreferred"
283
				[ -z "$response" ] && response="$interfacePreferred"
284
 
284
 
285
				# Check if interface exist
285
				# Check if interface exist
286
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
286
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
287
					INTIF="$response"
287
					INTIF="$response"
288
					break
288
					break
289
				else
289
				else
290
					if [ "$Lang" == 'fr' ]
290
					if [ "$Lang" == 'fr' ]
291
						then echo "Interface \"$response\" introuvable"
291
						then echo "Interface \"$response\" introuvable"
292
						else echo "Interface \"$response\" not found"
292
						else echo "Interface \"$response\" not found"
293
					fi
293
					fi
294
				fi
294
				fi
295
			done
295
			done
296
		fi
296
		fi
297
	fi
297
	fi
298
	if [ "$Lang" == 'fr' ]
298
	if [ "$Lang" == 'fr' ]
299
		then echo "Interface interne utilisée : $INTIF"
299
		then echo "Interface interne utilisée : $INTIF"
300
		else echo "Internal interface used: $INTIF"
300
		else echo "Internal interface used: $INTIF"
301
	fi
301
	fi
302
 
302
 
303
	if [ $Lang == "fr" ]
303
	if [ $Lang == "fr" ]
304
		then echo -n "Tests des paramètres réseau : "
304
		then echo -n "Tests des paramètres réseau : "
305
		else echo -n "Network parameters tests: "
305
		else echo -n "Network parameters tests: "
306
	fi
306
	fi
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
308
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
308
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
309
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
309
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
310
	for i in $IF_INTERFACES
310
	for i in $IF_INTERFACES
311
	do
311
	do
312
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
312
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
313
			rm -f ifcfg-$i
313
			rm -f ifcfg-$i
314
 
314
 
315
			if [ $Lang == "fr" ]
315
			if [ $Lang == "fr" ]
316
				then echo "Suppression : ifcfg-$i"
316
				then echo "Suppression : ifcfg-$i"
317
				else echo "Deleting: ifcfg-$i"
317
				else echo "Deleting: ifcfg-$i"
318
			fi
318
			fi
319
		fi
319
		fi
320
	done
320
	done
321
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
321
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
322
	echo -n "."
322
	echo -n "."
323
# Test Ethernet NIC links state
323
# Test Ethernet NIC links state
324
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
324
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
325
	if [ ! -z "$interfacesDown" ]; then
325
	if [ ! -z "$interfacesDown" ]; then
326
		for i in $interfacesDown; do
326
		for i in $interfacesDown; do
327
			if [ $Lang == "fr" ]
327
			if [ $Lang == "fr" ]
328
			then
328
			then
329
				echo -e "\nÉchec"
329
				echo -e "\nÉchec"
330
				echo "Le lien réseau de la carte $i n'est pas actif."
330
				echo "Le lien réseau de la carte $i n'est pas actif."
331
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
331
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
332
			else
332
			else
333
				echo -e "\nFailed"
333
				echo -e "\nFailed"
334
				echo "The link state of $i interface is down."
334
				echo "The link state of $i interface is down."
335
				echo "Make sure that this network card is connected to a switch or an A.P."
335
				echo "Make sure that this network card is connected to a switch or an A.P."
336
			fi
336
			fi
337
		done
337
		done
338
		exit 1
338
		exit 1
339
	fi
339
	fi
340
	echo -n "."
340
	echo -n "."
341
# Test EXTIF config files
341
# Test EXTIF config files
342
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
342
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
343
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
343
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
344
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
344
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
345
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
345
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
346
	then
346
	then
347
		if [ $Lang == "fr" ]
347
		if [ $Lang == "fr" ]
348
		then
348
		then
349
			echo -e "\nÉchec"
349
			echo -e "\nÉchec"
350
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
350
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
351
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
351
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
352
			echo "Appliquez les changements : 'systemctl restart network'"
352
			echo "Appliquez les changements : 'systemctl restart network'"
353
		else
353
		else
354
			echo -e "\nFailed"
354
			echo -e "\nFailed"
355
			echo "The Internet connected network card ($EXTIF) isn't well configured."
355
			echo "The Internet connected network card ($EXTIF) isn't well configured."
356
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
356
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
357
			echo "Apply the new configuration: 'systemctl restart network'"
357
			echo "Apply the new configuration: 'systemctl restart network'"
358
		fi
358
		fi
359
		echo "DEVICE=$EXTIF"
359
		echo "DEVICE=$EXTIF"
360
		echo "IPADDR="
360
		echo "IPADDR="
361
		echo "NETMASK="
361
		echo "NETMASK="
362
		echo "GATEWAY="
362
		echo "GATEWAY="
363
		echo "DNS1="
363
		echo "DNS1="
364
		echo "DNS2="
364
		echo "DNS2="
365
		echo "ONBOOT=yes"
365
		echo "ONBOOT=yes"
366
		exit 1
366
		exit 1
367
	fi
367
	fi
368
	echo -n "."
368
	echo -n "."
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
370
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
370
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
371
		if [ $Lang == "fr" ]
371
		if [ $Lang == "fr" ]
372
		then
372
		then
373
			echo -e "\nÉchec"
373
			echo -e "\nÉchec"
374
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
374
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
375
			echo "Réglez ce problème puis relancez ce script."
375
			echo "Réglez ce problème puis relancez ce script."
376
		else
376
		else
377
			echo -e "\nFailed"
377
			echo -e "\nFailed"
378
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
378
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
379
			echo "Resolv this problem, then restart this script."
379
			echo "Resolv this problem, then restart this script."
380
		fi
380
		fi
381
		exit 1
381
		exit 1
382
	fi
382
	fi
383
	echo -n "."
383
	echo -n "."
384
# Test if default GW is alive
384
# Test if default GW is alive
385
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
385
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
386
	if [ "$(expr $arp_reply)" -eq 0 ]
386
	if [ "$(expr $arp_reply)" -eq 0 ]
387
		then
387
		then
388
		if [ $Lang == "fr" ]
388
		if [ $Lang == "fr" ]
389
		then
389
		then
390
			echo -e "\nÉchec"
390
			echo -e "\nÉchec"
391
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
391
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
392
			echo "Réglez ce problème puis relancez ce script."
392
			echo "Réglez ce problème puis relancez ce script."
393
		else
393
		else
394
			echo -e "\nFailed"
394
			echo -e "\nFailed"
395
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
395
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
396
			echo "Resolv this problem, then restart this script."
396
			echo "Resolv this problem, then restart this script."
397
		fi
397
		fi
398
		exit 1
398
		exit 1
399
	fi
399
	fi
400
	echo -n "."
400
	echo -n "."
401
# Test Internet connectivity
401
# Test Internet connectivity
402
	domainTested='www.google.com'
402
	domainTested='www.google.com'
403
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
403
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
404
	if [ $? -ne 0 ]; then
404
	if [ $? -ne 0 ]; then
405
		if [ $Lang == "fr" ]
405
		if [ $Lang == "fr" ]
406
		then
406
		then
407
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
407
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
408
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
408
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
409
			echo "Vérifiez la validité des adresses IP des DNS."
409
			echo "Vérifiez la validité des adresses IP des DNS."
410
		else
410
		else
411
			echo -e "\nThe Internet connection try failed ($domainTested)."
411
			echo -e "\nThe Internet connection try failed ($domainTested)."
412
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
412
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
413
			echo "Verify the DNS IP addresses"
413
			echo "Verify the DNS IP addresses"
414
		fi
414
		fi
415
		exit 1
415
		exit 1
416
	fi
416
	fi
417
	echo ". : ok"
417
	echo ". : ok"
418
} # End of testing_network()
418
} # End of testing_network()
419
 
419
 
420
#######################################################################
420
#######################################################################
421
##                    Function "init"                                ##
421
##                    Function "init"                                ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
424
#######################################################################
424
#######################################################################
425
init()
425
init()
426
{
426
{
427
	if [ "$mode" != "update" ]
427
	if [ "$mode" != "update" ]
428
	then
428
	then
429
# On affecte le nom d'organisme
429
# On affecte le nom d'organisme
430
		header_install
430
		header_install
431
		ORGANISME=!
431
		ORGANISME=!
432
		PTN='^[a-zA-Z0-9-]*$'
432
		PTN='^[a-zA-Z0-9-]*$'
433
		until [[ "$ORGANISME" =~ $PTN ]]
433
		until [[ "$ORGANISME" =~ $PTN ]]
434
		do
434
		do
435
			if [ $Lang == "fr" ]
435
			if [ $Lang == "fr" ]
436
				then echo -n "Entrez le nom de votre organisme : "
436
				then echo -n "Entrez le nom de votre organisme : "
437
				else echo -n "Enter the name of your organism : "
437
				else echo -n "Enter the name of your organism : "
438
			fi
438
			fi
439
			read ORGANISME
439
			read ORGANISME
440
			if [ "$ORGANISME" == "" ]
440
			if [ "$ORGANISME" == "" ]
441
			then
441
			then
442
				ORGANISME=!
442
				ORGANISME=!
443
			fi
443
			fi
444
		done
444
		done
445
	fi
445
	fi
446
# On crée aléatoirement les mots de passe et les secrets partagés
446
# On crée aléatoirement les mots de passe et les secrets partagés
447
# We create random passwords and shared secrets
447
# We create random passwords and shared secrets
448
	rm -f $PASSWD_FILE
448
	rm -f $PASSWD_FILE
449
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
449
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
450
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
450
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
451
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
451
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
452
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
452
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
453
		grep -v '[eE]nter password:' | \
453
		grep -v '[eE]nter password:' | \
454
		sed -e "s/PBKDF2 hash of your password is //"`
454
		sed -e "s/PBKDF2 hash of your password is //"`
455
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
455
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
456
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
456
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
457
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
457
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
458
	chmod 0600 /boot/grub2/user.cfg
458
	chmod 0600 /boot/grub2/user.cfg
459
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
459
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
460
	echo "GRUB2_user=root" >> $PASSWD_FILE
460
	echo "GRUB2_user=root" >> $PASSWD_FILE
461
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
461
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
462
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
462
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
463
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
463
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
464
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
464
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
465
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
465
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
466
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
466
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
467
	echo "db_user=$DB_USER" >> $PASSWD_FILE
467
	echo "db_user=$DB_USER" >> $PASSWD_FILE
468
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
468
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
469
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
469
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
470
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
470
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
471
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
471
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
472
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
472
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
473
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
473
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
474
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
474
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
475
	chmod 640 $PASSWD_FILE
475
	chmod 640 $PASSWD_FILE
476
#  copy scripts in in /usr/local/bin
476
#  copy scripts in in /usr/local/bin
477
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
477
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
478
#  copy conf files in /usr/local/etc
478
#  copy conf files in /usr/local/etc
479
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
479
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
480
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
480
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
481
# generate central conf file
481
# generate central conf file
482
	cat <<EOF > $CONF_FILE
482
	cat <<EOF > $CONF_FILE
483
##########################################
483
##########################################
484
##                                      ##
484
##                                      ##
485
##          ALCASAR Parameters          ##
485
##          ALCASAR Parameters          ##
486
##                                      ##
486
##                                      ##
487
##########################################
487
##########################################
488
 
488
 
489
INSTALL_DATE=$DATE
489
INSTALL_DATE=$DATE
490
VERSION=$VERSION
490
VERSION=$VERSION
491
ORGANISM=$ORGANISME
491
ORGANISM=$ORGANISME
492
EOF
492
EOF
493
	chmod o-rwx $CONF_FILE
493
	chmod o-rwx $CONF_FILE
494
} # End of init()
494
} # End of init()
495
 
495
 
496
#########################################################
496
#########################################################
497
##                    Function "network"               ##
497
##                    Function "network"               ##
498
## - Define the several network address                ##
498
## - Define the several network address                ##
499
## - Define the DNS naming                             ##
499
## - Define the DNS naming                             ##
500
## - INTIF parameters (consultation network)           ##
500
## - INTIF parameters (consultation network)           ##
501
## - Write "/etc/hosts" file                           ##
501
## - Write "/etc/hosts" file                           ##
502
## - write "hosts.allow" & "hosts.deny" files          ##
502
## - write "hosts.allow" & "hosts.deny" files          ##
503
#########################################################
503
#########################################################
504
network()
504
network()
505
{
505
{
506
	header_install
506
	header_install
507
	if [ "$mode" != "update" ]
507
	if [ "$mode" != "update" ]
508
		then
508
		then
509
		if [ $Lang == "fr" ]
509
		if [ $Lang == "fr" ]
510
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
510
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
511
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
511
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
512
		fi
512
		fi
513
		response=0
513
		response=0
514
		PTN='^[oOyYnN]?$'
514
		PTN='^[oOyYnN]?$'
515
		until [[ "$response" =~ $PTN ]]
515
		until [[ "$response" =~ $PTN ]]
516
		do
516
		do
517
			if [ $Lang == "fr" ]
517
			if [ $Lang == "fr" ]
518
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
518
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
519
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
519
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
520
			fi
520
			fi
521
			read response
521
			read response
522
		done
522
		done
523
		if [ "$response" = "n" ] || [ "$response" = "N" ]
523
		if [ "$response" = "n" ] || [ "$response" = "N" ]
524
		then
524
		then
525
			PRIVATE_IP_MASK="0"
525
			PRIVATE_IP_MASK="0"
526
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
526
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
527
			until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
527
			until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
528
			do
528
			do
529
				if [ $Lang == "fr" ]
529
				if [ $Lang == "fr" ]
530
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
530
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
531
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
531
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
532
				fi
532
				fi
533
				read PRIVATE_IP_MASK
533
				read PRIVATE_IP_MASK
534
			done
534
			done
535
		else
535
		else
536
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
536
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
537
		fi
537
		fi
538
	else
538
	else
539
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf|cut -d"=" -f2`
539
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf|cut -d"=" -f2`
540
		rm -rf /var/tmp/conf
540
		rm -rf /var/tmp/conf
541
	fi
541
	fi
542
# Define LAN side global parameters
542
# Define LAN side global parameters
543
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
543
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
544
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
544
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
545
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
545
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
546
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
546
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
547
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
547
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
548
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
548
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
549
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
549
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
550
	then
550
	then
551
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
551
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
552
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
552
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
553
	fi
553
	fi
554
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
554
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
555
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
555
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
556
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
556
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
557
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
557
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
558
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
558
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
559
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
559
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
560
# Define Internet parameters
560
# Define Internet parameters
561
	DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
561
	DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
562
	DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
562
	DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
563
	DNS1=${DNS1:=208.67.220.220}
563
	DNS1=${DNS1:=208.67.220.220}
564
	DNS2=${DNS2:=208.67.222.222}
564
	DNS2=${DNS2:=208.67.222.222}
565
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
565
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
566
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
566
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
567
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
567
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
568
# Write network parameters in the conf file
568
# Write network parameters in the conf file
569
	echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
569
	echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
570
	echo "DOMAIN=$DOMAIN" >> $CONF_FILE
570
	echo "DOMAIN=$DOMAIN" >> $CONF_FILE
571
	echo "EXTIF=$EXTIF" >> $CONF_FILE
571
	echo "EXTIF=$EXTIF" >> $CONF_FILE
572
	echo "INTIF=$INTIF" >> $CONF_FILE
572
	echo "INTIF=$INTIF" >> $CONF_FILE
573
# Retrieve NIC name of other consultation LAN
573
# Retrieve NIC name of other consultation LAN
574
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
574
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
575
	for i in $INTERFACES
575
	for i in $INTERFACES
576
	do
576
	do
577
		SUB=`echo ${i:0:2}`
577
		SUB=`echo ${i:0:2}`
578
		if [ $SUB = "wl" ]
578
		if [ $SUB = "wl" ]
579
			then WIFIF=$i
579
			then WIFIF=$i
580
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
580
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
581
			then LANIF=$i
581
			then LANIF=$i
582
		fi
582
		fi
583
	done
583
	done
584
	if [ -n "$WIFIF" ]
584
	if [ -n "$WIFIF" ]
585
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
585
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
586
	elif [ -n "$LANIF" ]
586
	elif [ -n "$LANIF" ]
587
		then echo "LANIF=$LANIF" >> $CONF_FILE
587
		then echo "LANIF=$LANIF" >> $CONF_FILE
588
	fi
588
	fi
589
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
589
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
590
	if [ $IP_SETTING == "dhcp" ]
590
	if [ $IP_SETTING == "dhcp" ]
591
	then
591
	then
592
		DHCP_DNS_servers=`cat /var/lib/dhclient/dhclient--$EXTIF.lease |grep domain-name-servers|sed -n "1 p"| rev|cut -d" " -f1|rev|tr -d ';'`
592
		DHCP_DNS_servers=`cat /var/lib/dhclient/dhclient--$EXTIF.lease |grep domain-name-servers|sed -n "1 p"| rev|cut -d" " -f1|rev|tr -d ';'`
593
		DNS1=`echo $DHCP_DNS_servers | cut -d"," -f1`
593
		DNS1=`echo $DHCP_DNS_servers | cut -d"," -f1`
594
		DNS2=`echo $DHCP_DNS_servers | cut -d"," -f2`
594
		DNS2=`echo $DHCP_DNS_servers | cut -d"," -f2`
595
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
595
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
596
		echo "GW=dhcp" >> $CONF_FILE
596
		echo "GW=dhcp" >> $CONF_FILE
597
	else
597
	else
598
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
598
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
599
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
599
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
600
	fi
600
	fi
601
	echo "DNS1=$DNS1" >> $CONF_FILE
601
	echo "DNS1=$DNS1" >> $CONF_FILE
602
	echo "DNS2=$DNS2" >> $CONF_FILE
602
	echo "DNS2=$DNS2" >> $CONF_FILE
-
 
603
	echo "PROXY=off" >> $CONF_FILE
-
 
604
	echo "PROXY_IP=\"192.168.0.100:80\"" >> $CONF_FILE
-
 
605
	echo "PUBLIC_WEIGHT=1" >> $CONF_FILE
603
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
606
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
604
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
607
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
605
	echo "DHCP=on" >> $CONF_FILE
608
	echo "DHCP=on" >> $CONF_FILE
606
	echo "EXT_DHCP_IP=" >> $CONF_FILE
609
	echo "EXT_DHCP_IP=" >> $CONF_FILE
607
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
610
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
608
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
611
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
609
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
612
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
610
	echo "INT_DNS_IP=" >> $CONF_FILE
613
	echo "INT_DNS_IP=" >> $CONF_FILE
611
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
614
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
612
# network default
615
# network default
613
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
616
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
614
	cat <<EOF > /etc/sysconfig/network
617
	cat <<EOF > /etc/sysconfig/network
615
NETWORKING=yes
618
NETWORKING=yes
616
FORWARD_IPV4=true
619
FORWARD_IPV4=true
617
EOF
620
EOF
618
# write "/etc/hosts"
621
# write "/etc/hosts"
619
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
622
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
620
	cat <<EOF > /etc/hosts
623
	cat <<EOF > /etc/hosts
621
127.0.0.1	localhost
624
127.0.0.1	localhost
622
$PRIVATE_IP	$HOSTNAME
625
$PRIVATE_IP	$HOSTNAME
623
EOF
626
EOF
624
# write EXTIF (Internet) config
627
# write EXTIF (Internet) config
625
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
628
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
626
	if [ $IP_SETTING == "dhcp" ]
629
	if [ $IP_SETTING == "dhcp" ]
627
	then
630
	then
628
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
631
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
629
DEVICE=$EXTIF
632
DEVICE=$EXTIF
630
BOOTPROTO=dhcp
633
BOOTPROTO=dhcp
631
DNS1=127.0.0.1
634
DNS1=127.0.0.1
632
PEERDNS=no
635
PEERDNS=no
633
RESOLV_MODS=yes
636
RESOLV_MODS=yes
634
ONBOOT=yes
637
ONBOOT=yes
635
NOZEROCONF=yes
638
NOZEROCONF=yes
636
METRIC=10
639
METRIC=10
637
MII_NOT_SUPPORTED=yes
640
MII_NOT_SUPPORTED=yes
638
IPV6INIT=no
641
IPV6INIT=no
639
IPV6TO4INIT=no
642
IPV6TO4INIT=no
640
ACCOUNTING=no
643
ACCOUNTING=no
641
USERCTL=no
644
USERCTL=no
642
MTU=$MTU
645
MTU=$MTU
643
EOF
646
EOF
644
	else
647
	else
645
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
648
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
646
DEVICE=$EXTIF
649
DEVICE=$EXTIF
647
BOOTPROTO=static
650
BOOTPROTO=static
648
IPADDR=$PUBLIC_IP
651
IPADDR=$PUBLIC_IP
649
NETMASK=$PUBLIC_NETMASK
652
NETMASK=$PUBLIC_NETMASK
650
GATEWAY=$PUBLIC_GATEWAY
653
GATEWAY=$PUBLIC_GATEWAY
651
DNS1=$DNS1
654
DNS1=$DNS1
652
DNS2=$DNS2
655
DNS2=$DNS2
653
RESOLV_MODS=yes
656
RESOLV_MODS=yes
654
ONBOOT=yes
657
ONBOOT=yes
655
METRIC=10
658
METRIC=10
656
NOZEROCONF=yes
659
NOZEROCONF=yes
657
MII_NOT_SUPPORTED=yes
660
MII_NOT_SUPPORTED=yes
658
IPV6INIT=no
661
IPV6INIT=no
659
IPV6TO4INIT=no
662
IPV6TO4INIT=no
660
ACCOUNTING=no
663
ACCOUNTING=no
661
USERCTL=no
664
USERCTL=no
662
MTU=$MTU
665
MTU=$MTU
663
EOF
666
EOF
664
	fi
667
	fi
665
# write INTIF (consultation LAN) in normal mode
668
# write INTIF (consultation LAN) in normal mode
666
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
669
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
667
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
670
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
668
DEVICE=$INTIF
671
DEVICE=$INTIF
669
BOOTPROTO=static
672
BOOTPROTO=static
670
ONBOOT=yes
673
ONBOOT=yes
671
NOZEROCONF=yes
674
NOZEROCONF=yes
672
MII_NOT_SUPPORTED=yes
675
MII_NOT_SUPPORTED=yes
673
IPV6INIT=no
676
IPV6INIT=no
674
IPV6TO4INIT=no
677
IPV6TO4INIT=no
675
ACCOUNTING=no
678
ACCOUNTING=no
676
USERCTL=no
679
USERCTL=no
677
EOF
680
EOF
678
# write INTIF in bypass mode (see "alcasar-bypass.sh")
681
# write INTIF in bypass mode (see "alcasar-bypass.sh")
679
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
682
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
680
DEVICE=$INTIF
683
DEVICE=$INTIF
681
BOOTPROTO=static
684
BOOTPROTO=static
682
IPADDR=$PRIVATE_IP
685
IPADDR=$PRIVATE_IP
683
NETMASK=$PRIVATE_NETMASK
686
NETMASK=$PRIVATE_NETMASK
684
ONBOOT=yes
687
ONBOOT=yes
685
METRIC=10
688
METRIC=10
686
NOZEROCONF=yes
689
NOZEROCONF=yes
687
MII_NOT_SUPPORTED=yes
690
MII_NOT_SUPPORTED=yes
688
IPV6INIT=no
691
IPV6INIT=no
689
IPV6TO4INIT=no
692
IPV6TO4INIT=no
690
ACCOUNTING=no
693
ACCOUNTING=no
691
USERCTL=no
694
USERCTL=no
692
EOF
695
EOF
693
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
696
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
694
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
697
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
695
	then
698
	then
696
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
699
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
697
DEVICE=$WIFIF
700
DEVICE=$WIFIF
698
BOOTPROTO=static
701
BOOTPROTO=static
699
ONBOOT=yes
702
ONBOOT=yes
700
NOZEROCONF=yes
703
NOZEROCONF=yes
701
MII_NOT_SUPPORTED=yes
704
MII_NOT_SUPPORTED=yes
702
IPV6INIT=no
705
IPV6INIT=no
703
IPV6TO4INIT=no
706
IPV6TO4INIT=no
704
ACCOUNTING=no
707
ACCOUNTING=no
705
USERCTL=no
708
USERCTL=no
706
EOF
709
EOF
707
	elif [ -n "$LANIF" ]
710
	elif [ -n "$LANIF" ]
708
	then
711
	then
709
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
712
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
710
DEVICE=$LANIF
713
DEVICE=$LANIF
711
BOOTPROTO=static
714
BOOTPROTO=static
712
ONBOOT=yes
715
ONBOOT=yes
713
NOZEROCONF=yes
716
NOZEROCONF=yes
714
MII_NOT_SUPPORTED=yes
717
MII_NOT_SUPPORTED=yes
715
IPV6INIT=no
718
IPV6INIT=no
716
IPV6TO4INIT=no
719
IPV6TO4INIT=no
717
ACCOUNTING=no
720
ACCOUNTING=no
718
USERCTL=no
721
USERCTL=no
719
EOF
722
EOF
720
	fi
723
	fi
721
# write hosts.allow & hosts.deny
724
# write hosts.allow & hosts.deny
722
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
725
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
723
	cat <<EOF > /etc/hosts.allow
726
	cat <<EOF > /etc/hosts.allow
724
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
727
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
725
sshd: ALL
728
sshd: ALL
726
ntpd: $PRIVATE_NETWORK_SHORT
729
ntpd: $PRIVATE_NETWORK_SHORT
727
EOF
730
EOF
728
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
731
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
729
	cat <<EOF > /etc/hosts.deny
732
	cat <<EOF > /etc/hosts.deny
730
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
733
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
731
EOF
734
EOF
732
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
735
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
733
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
736
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
734
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
737
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
735
# load conntrack ftp module
738
# load conntrack ftp module
736
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
739
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
737
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
740
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
738
# load ipt_NETFLOW module
741
# load ipt_NETFLOW module
739
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
742
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
740
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
743
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
741
	cp /lib/systemd/system/iptables.service /etc/systemd/system/iptables.service
744
	cp /lib/systemd/system/iptables.service /etc/systemd/system/iptables.service
742
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /etc/systemd/system/iptables.service
745
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /etc/systemd/system/iptables.service
743
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
746
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
744
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
747
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
-
 
748
# create the alcasar-network unit
-
 
749
	cat << EOF > /etc/systemd/system/alcasar-network.service
-
 
750
#  This file is part of systemd.
745
#
751
#
-
 
752
#  systemd is free software; you can redistribute it and/or modify it
-
 
753
#  under the terms of the GNU General Public License as published by
-
 
754
#  the Free Software Foundation; either version 2 of the License, or
-
 
755
#  (at your option) any later version.
-
 
756
 
-
 
757
# This unit starts alcasar-network.sh script.
-
 
758
[Unit]
-
 
759
Description=alcasar-network.sh execution
-
 
760
After=network.target iptables.service
-
 
761
 
-
 
762
[Service]
-
 
763
Type=oneshot
-
 
764
RemainAfterExit=yes
-
 
765
ExecStart=$DIR_DEST_BIN/alcasar-network.sh
-
 
766
ExecStop=$DIR_DEST_BIN/alcasar-network.sh
-
 
767
TimeoutSec=0
-
 
768
 
-
 
769
[Install]
-
 
770
WantedBy=multi-user.target
-
 
771
EOF
-
 
772
	/usr/bin/systemctl daemon-reload
-
 
773
 
746
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
774
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is started at the end of this script in order not to cut network flow in case of using ssh
747
} # End of network()
775
} # End of network()
748
 
776
 
749
##################################################################
777
##################################################################
750
##                      Fonction "CA"                           ##
778
##                      Fonction "CA"                           ##
751
## - Creating the CA and the server certificate (lighttpd)      ##
779
## - Creating the CA and the server certificate (lighttpd)      ##
752
##################################################################
780
##################################################################
753
CA()
781
CA()
754
{
782
{
755
	$DIR_DEST_BIN/alcasar-CA.sh
783
	$DIR_DEST_BIN/alcasar-CA.sh
756
	chmod 755 /etc/pki/
784
	chmod 755 /etc/pki/
757
	chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
785
	chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
758
	chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
786
	chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
759
	chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
787
	chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
760
	chmod 600 /etc/pki/CA/private/*
788
	chmod 600 /etc/pki/CA/private/*
761
	chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
789
	chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
762
	chmod 640 /etc/pki/tls/private/*
790
	chmod 640 /etc/pki/tls/private/*
763
	chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
791
	chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
764
} # End of CA()
792
} # End of CA()
765
 
793
 
766
###################################################
794
###################################################
767
##                  Function "ACC"               ##
795
##                  Function "ACC"               ##
768
## - copy ALCASAR Control Center (ACC) files     ##
796
## - copy ALCASAR Control Center (ACC) files     ##
769
## - configuration of the web server (Lighttpd)  ##
797
## - configuration of the web server (Lighttpd)  ##
770
## - creation of the first ACC admin account     ##
798
## - creation of the first ACC admin account     ##
771
## - secure the ACC access                       ##
799
## - secure the ACC access                       ##
772
###################################################
800
###################################################
773
ACC()
801
ACC()
774
{
802
{
775
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
803
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
776
	mkdir $DIR_WEB
804
	mkdir $DIR_WEB
777
# Copy & adapt ACC files
805
# Copy & adapt ACC files
778
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
806
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
779
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
807
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
780
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
808
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
781
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
809
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
782
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
810
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
783
	chown -R apache:apache $DIR_WEB/*
811
	chown -R apache:apache $DIR_WEB/*
784
# copy & adapt "freeradius-web" files
812
# copy & adapt "freeradius-web" files
785
	cp -rf $DIR_CONF/freeradius-web/ /etc/
813
	cp -rf $DIR_CONF/freeradius-web/ /etc/
786
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
814
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
787
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
815
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
788
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
816
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
789
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
817
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
790
	cat <<EOF > /etc/freeradius-web/naslist.conf
818
	cat <<EOF > /etc/freeradius-web/naslist.conf
791
nas1_name: alcasar-$ORGANISME
819
nas1_name: alcasar-$ORGANISME
792
nas1_model: Network Access Controler
820
nas1_model: Network Access Controler
793
nas1_ip: $PRIVATE_IP
821
nas1_ip: $PRIVATE_IP
794
nas1_port_num: 0
822
nas1_port_num: 0
795
nas1_community: public
823
nas1_community: public
796
EOF
824
EOF
797
	chown -R apache:apache /etc/freeradius-web/
825
	chown -R apache:apache /etc/freeradius-web/
798
# create the log & backup structure :
826
# create the log & backup structure :
799
# - base = users database
827
# - base = users database
800
# - archive = tarball of "base + http firewall + netflow"
828
# - archive = tarball of "base + http firewall + netflow"
801
# - security = watchdog log
829
# - security = watchdog log
802
# - conf_file = archive conf file (usefull in updating process)
830
# - conf_file = archive conf file (usefull in updating process)
803
	for i in base archive security activity_report iot_captures;
831
	for i in base archive security activity_report iot_captures;
804
	do
832
	do
805
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
833
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
806
	done
834
	done
807
	chown -R root:apache $DIR_SAVE
835
	chown -R root:apache $DIR_SAVE
808
# Configuring & securing php
836
# Configuring & securing php
809
	[ -e /etc/php.d/05_date.ini.default ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
837
	[ -e /etc/php.d/05_date.ini.default ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
810
	timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
838
	timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
811
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
839
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
812
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
840
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
813
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
841
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
814
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
842
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
815
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
843
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
816
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
844
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
817
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
845
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
818
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
846
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
819
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
847
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
820
# Configuring & securing Lighttpd
848
# Configuring & securing Lighttpd
821
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
849
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
822
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
850
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
823
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
851
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
824
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
852
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
825
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
853
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
826
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
854
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
827
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
855
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
828
 
856
 
829
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
857
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
830
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
858
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
831
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
859
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
832
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
860
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
833
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
861
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
834
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
862
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
835
 
863
 
836
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
864
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
837
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
865
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
838
 
866
 
839
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
867
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
840
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
868
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
841
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
869
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
842
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
870
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
843
 
871
 
844
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
872
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
845
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
873
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
846
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
874
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
847
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
875
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
848
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
876
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
849
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
877
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
850
	ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
878
	ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
851
 
879
 
852
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
880
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
853
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
881
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
854
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
882
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
855
 
883
 
856
	chown -R apache:apache /var/log/lighttpd
884
	chown -R apache:apache /var/log/lighttpd
857
 
885
 
858
# Creation of the first account (in 'admin' profile)
886
# Creation of the first account (in 'admin' profile)
859
	if [ "$mode" = "install" ]
887
	if [ "$mode" = "install" ]
860
	then
888
	then
861
		header_install
889
		header_install
862
# Creation of keys file for the admin account ("admin")
890
# Creation of keys file for the admin account ("admin")
863
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
891
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
864
		mkdir -p $DIR_DEST_ETC/digest
892
		mkdir -p $DIR_DEST_ETC/digest
865
		chmod 755 $DIR_DEST_ETC/digest
893
		chmod 755 $DIR_DEST_ETC/digest
866
		if [ $Lang == "fr" ]
894
		if [ $Lang == "fr" ]
867
			then echo "Création du premier compte administrateur : "
895
			then echo "Création du premier compte administrateur : "
868
			else echo "Creation of the first admin account : "
896
			else echo "Creation of the first admin account : "
869
		fi
897
		fi
870
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
898
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
871
		do
899
		do
872
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
900
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
873
		done
901
		done
874
	fi
902
	fi
875
# Creation of ACC certs links
903
# Creation of ACC certs links
876
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
904
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
877
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
905
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
878
# Run lighttpd after coova (in order waiting tun0 to be up)
906
# Run lighttpd after coova (in order waiting tun0 to be up)
879
	cp /lib/systemd/system/lighttpd.service /etc/systemd/system/lighttpd.service
907
	cp /lib/systemd/system/lighttpd.service /etc/systemd/system/lighttpd.service
880
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/lighttpd.service
908
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/lighttpd.service
881
	# Log file for ACC access imputability
909
	# Log file for ACC access imputability
882
	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
910
	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
883
	chown root:apache $DIR_SAVE/security/acc_access.log
911
	chown root:apache $DIR_SAVE/security/acc_access.log
884
	chmod 664 $DIR_SAVE/security/acc_access.log
912
	chmod 664 $DIR_SAVE/security/acc_access.log
885
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
913
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
886
    cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
914
    cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
887
} # End of ACC()
915
} # End of ACC()
888
 
916
 
889
#############################################################
917
#############################################################
890
##               Function "time_server"                    ##
918
##               Function "time_server"                    ##
891
## - Configuring NTP server                                ##
919
## - Configuring NTP server                                ##
892
#############################################################
920
#############################################################
893
time_server()
921
time_server()
894
{
922
{
895
# Set the Internet time server
923
# Set the Internet time server
896
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
924
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
897
	cat <<EOF > /etc/ntp/step-tickers
925
	cat <<EOF > /etc/ntp/step-tickers
898
0.fr.pool.ntp.org	# adapt to your country
926
0.fr.pool.ntp.org	# adapt to your country
899
1.fr.pool.ntp.org
927
1.fr.pool.ntp.org
900
2.fr.pool.ntp.org
928
2.fr.pool.ntp.org
901
EOF
929
EOF
902
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
930
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
903
	cat <<EOF > /etc/ntp.conf
931
	cat <<EOF > /etc/ntp.conf
904
server 0.fr.pool.ntp.org	# adapt to your country
932
server 0.fr.pool.ntp.org	# adapt to your country
905
server 1.fr.pool.ntp.org
933
server 1.fr.pool.ntp.org
906
server 2.fr.pool.ntp.org
934
server 2.fr.pool.ntp.org
907
server 127.127.1.0   		# local clock si NTP internet indisponible ...
935
server 127.127.1.0   		# local clock si NTP internet indisponible ...
908
fudge 127.127.1.0 stratum 10
936
fudge 127.127.1.0 stratum 10
909
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
937
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
910
restrict 127.0.0.1
938
restrict 127.0.0.1
911
driftfile /var/lib/ntp/drift
939
driftfile /var/lib/ntp/drift
912
logfile /var/log/ntp.log
940
logfile /var/log/ntp.log
913
disable monitor
941
disable monitor
914
EOF
942
EOF
915
	chown -R ntp:ntp /var/lib/ntp
943
	chown -R ntp:ntp /var/lib/ntp
916
# Synchronize now
944
# Synchronize now
917
	ntpd -4 -q -g &
945
	ntpd -4 -q -g &
918
} # End of time_server()
946
} # End of time_server()
919
 
947
 
920
#####################################################################
948
#####################################################################
921
##                     Function "init_db"                          ##
949
##                     Function "init_db"                          ##
922
## - Mysql initialization                                          ##
950
## - Mysql initialization                                          ##
923
## - Set admin (root) password                                     ##
951
## - Set admin (root) password                                     ##
924
## - Remove unused users & databases                               ##
952
## - Remove unused users & databases                               ##
925
## - Radius database creation                                      ##
953
## - Radius database creation                                      ##
926
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
954
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
927
#####################################################################
955
#####################################################################
928
init_db()
956
init_db()
929
{
957
{
930
	if [ "`systemctl is-active mysqld`" == "active" ]
958
	if [ "`systemctl is-active mysqld`" == "active" ]
931
	then
959
	then
932
		systemctl stop mysqld
960
		systemctl stop mysqld
933
	fi
961
	fi
934
	rm -rf /var/lib/mysql # to be sure that there is no former installation
962
	rm -rf /var/lib/mysql # to be sure that there is no former installation
935
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
963
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
936
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
964
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
937
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
965
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
938
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
966
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
939
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
967
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
940
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
968
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
941
	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
969
	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
942
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
970
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
943
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
971
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
944
	/usr/bin/systemctl start mysqld
972
	/usr/bin/systemctl start mysqld
945
	nb_round=1
973
	nb_round=1
946
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
974
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
947
	do
975
	do
948
		nb_round=`expr $nb_round + 1`
976
		nb_round=`expr $nb_round + 1`
949
		sleep 2
977
		sleep 2
950
	done
978
	done
951
	if [ ! -S /var/lib/mysql/mysql.sock ]
979
	if [ ! -S /var/lib/mysql/mysql.sock ]
952
	then
980
	then
953
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
981
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
954
		exit
982
		exit
955
	fi
983
	fi
956
# Secure the server
984
# Secure the server
957
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
985
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
958
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
986
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
959
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
987
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
960
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
988
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
961
# Create 'radius' database
989
# Create 'radius' database
962
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
990
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
963
# Add an empty radius database structure
991
# Add an empty radius database structure
964
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
992
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
965
# modify the start script in order to close accounting connexion when the system is comming down or up
993
# modify the start script in order to close accounting connexion when the system is comming down or up
966
	cp /lib/systemd/system/mysqld.service /etc/systemd/system/mysqld.service
994
	cp /lib/systemd/system/mysqld.service /etc/systemd/system/mysqld.service
967
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
995
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
968
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
996
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
969
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
997
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
970
	/usr/bin/systemctl daemon-reload
998
	/usr/bin/systemctl daemon-reload
971
} # End of init_db()
999
} # End of init_db()
972
 
1000
 
973
###################################################################
1001
###################################################################
974
##                       Function "freeradius"                   ##
1002
##                       Function "freeradius"                   ##
975
## - Set the configuration files                                 ##
1003
## - Set the configuration files                                 ##
976
## - Set the shared secret between coova-chilli and freeradius   ##
1004
## - Set the shared secret between coova-chilli and freeradius   ##
977
## - Adapt the Mysql conf file and counters                      ##
1005
## - Adapt the Mysql conf file and counters                      ##
978
###################################################################
1006
###################################################################
979
freeradius()
1007
freeradius()
980
{
1008
{
981
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1009
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
982
	chown -R radius:radius /etc/raddb
1010
	chown -R radius:radius /etc/raddb
983
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1011
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
984
# Set radius global parameters (radius.conf)
1012
# Set radius global parameters (radius.conf)
985
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
1013
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
986
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
1014
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
987
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
1015
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
988
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
1016
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
989
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
1017
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
990
# Add ALCASAR & Coovachilli dictionaries
1018
# Add ALCASAR & Coovachilli dictionaries
991
	[ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
1019
	[ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
992
	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
1020
	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
993
	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
1021
	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
994
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
1022
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
995
	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
1023
	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
996
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1024
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
997
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1025
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
998
	cat << EOF > /etc/raddb/clients.conf
1026
	cat << EOF > /etc/raddb/clients.conf
999
client localhost {
1027
client localhost {
1000
	ipaddr = 127.0.0.1
1028
	ipaddr = 127.0.0.1
1001
	secret = $secretradius
1029
	secret = $secretradius
1002
	shortname = chilli
1030
	shortname = chilli
1003
	nas_type = other
1031
	nas_type = other
1004
}
1032
}
1005
EOF
1033
EOF
1006
# Set Virtual server
1034
# Set Virtual server
1007
    # Remvoveing all except "alcasar virtual site")
1035
    # Remvoveing all except "alcasar virtual site")
1008
	# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
1036
	# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
1009
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1037
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1010
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1038
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1011
	chown radius:apache /etc/raddb/sites-available/alcasar*
1039
	chown radius:apache /etc/raddb/sites-available/alcasar*
1012
	chmod 660 /etc/raddb/sites-available/alcasar*
1040
	chmod 660 /etc/raddb/sites-available/alcasar*
1013
	rm -f /etc/raddb/sites-enabled/*
1041
	rm -f /etc/raddb/sites-enabled/*
1014
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1042
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1015
# Set modules
1043
# Set modules
1016
	# Add custom LDAP "available module"
1044
	# Add custom LDAP "available module"
1017
	# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
1045
	# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
1018
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1046
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1019
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1047
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1020
	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1048
	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1021
	rm -rf  /etc/raddb/mods-enabled/*
1049
	rm -rf  /etc/raddb/mods-enabled/*
1022
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1050
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1023
	do
1051
	do
1024
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1052
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1025
	done
1053
	done
1026
# Configure SQL module
1054
# Configure SQL module
1027
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1055
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1028
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1056
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1029
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1057
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1030
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1058
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1031
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1059
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1032
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1060
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1033
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1061
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1034
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1062
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1035
	# no TLS encryption on 127.0.0.1
1063
	# no TLS encryption on 127.0.0.1
1036
	$SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
1064
	$SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
1037
	$SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
1065
	$SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
1038
	$SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
1066
	$SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
1039
	$SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
1067
	$SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
1040
	$SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
1068
	$SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
1041
	$SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
1069
	$SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
1042
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1070
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1043
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1071
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1044
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1072
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1045
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1073
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1046
# sqlcounter modifications
1074
# sqlcounter modifications
1047
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1075
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1048
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1076
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1049
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1077
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1050
# make certain that mysql is up before freeradius start
1078
# make certain that mysql is up before freeradius start
1051
	cp /lib/systemd/system/radiusd.service /etc/systemd/system/radiusd.service
1079
	cp /lib/systemd/system/radiusd.service /etc/systemd/system/radiusd.service
1052
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /etc/systemd/system/radiusd.service
1080
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /etc/systemd/system/radiusd.service
1053
	/usr/bin/systemctl daemon-reload
1081
	/usr/bin/systemctl daemon-reload
1054
# Allow apache to change some conf files (ie : ldap on/off)
1082
# Allow apache to change some conf files (ie : ldap on/off)
1055
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1083
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1056
	chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1084
	chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1057
} # End of freeradius()
1085
} # End of freeradius()
1058
 
1086
 
1059
#############################################################################
1087
#############################################################################
1060
##                           Function "chilli"                             ##
1088
##                           Function "chilli"                             ##
1061
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1089
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1062
## - Adapt the authentication web page (intercept.php)                     ##
1090
## - Adapt the authentication web page (intercept.php)                     ##
1063
#############################################################################
1091
#############################################################################
1064
chilli()
1092
chilli()
1065
{
1093
{
1066
# chilli unit for systemd
1094
# chilli unit for systemd
1067
	cat << EOF > /etc/systemd/system/chilli.service
1095
	cat << EOF > /etc/systemd/system/chilli.service
1068
#  This file is part of systemd.
1096
#  This file is part of systemd.
1069
#
1097
#
1070
#  systemd is free software; you can redistribute it and/or modify it
1098
#  systemd is free software; you can redistribute it and/or modify it
1071
#  under the terms of the GNU General Public License as published by
1099
#  under the terms of the GNU General Public License as published by
1072
#  the Free Software Foundation; either version 2 of the License, or
1100
#  the Free Software Foundation; either version 2 of the License, or
1073
#  (at your option) any later version.
1101
#  (at your option) any later version.
1074
 
1102
 
1075
# This unit launches coova-chilli a captive portal
1103
# This unit launches coova-chilli a captive portal
1076
[Unit]
1104
[Unit]
1077
Description=chilli is a captive portal daemon
1105
Description=chilli is a captive portal daemon
1078
After=network.target
1106
After=network.target
1079
 
1107
 
1080
[Service]
1108
[Service]
1081
Type=forking
1109
Type=forking
1082
ExecStart=/usr/libexec/chilli start
1110
ExecStart=/usr/libexec/chilli start
1083
ExecStop=/usr/libexec/chilli stop
1111
ExecStop=/usr/libexec/chilli stop
1084
ExecReload=/usr/libexec/chilli reload
1112
ExecReload=/usr/libexec/chilli reload
1085
PIDFile=/run/chilli.pid
1113
PIDFile=/run/chilli.pid
1086
 
1114
 
1087
[Install]
1115
[Install]
1088
WantedBy=multi-user.target
1116
WantedBy=multi-user.target
1089
EOF
1117
EOF
1090
# init file creation
1118
# init file creation
1091
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1119
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1092
	cat <<EOF > /etc/init.d/chilli
1120
	cat <<EOF > /etc/init.d/chilli
1093
#!/bin/sh
1121
#!/bin/sh
1094
#
1122
#
1095
# chilli CoovaChilli init
1123
# chilli CoovaChilli init
1096
#
1124
#
1097
# chkconfig: 2345 65 35
1125
# chkconfig: 2345 65 35
1098
# description: CoovaChilli
1126
# description: CoovaChilli
1099
### BEGIN INIT INFO
1127
### BEGIN INIT INFO
1100
# Provides:       chilli
1128
# Provides:       chilli
1101
# Required-Start: network
1129
# Required-Start: network
1102
# Should-Start:
1130
# Should-Start:
1103
# Required-Stop:  network
1131
# Required-Stop:  network
1104
# Should-Stop:
1132
# Should-Stop:
1105
# Default-Start:  2 3 5
1133
# Default-Start:  2 3 5
1106
# Default-Stop:
1134
# Default-Stop:
1107
# Description:    CoovaChilli access controller
1135
# Description:    CoovaChilli access controller
1108
### END INIT INFO
1136
### END INIT INFO
1109
 
1137
 
1110
[ -f /usr/sbin/chilli ] || exit 0
1138
[ -f /usr/sbin/chilli ] || exit 0
1111
. /etc/init.d/functions
1139
. /etc/init.d/functions
1112
CONFIG=/etc/chilli.conf
1140
CONFIG=/etc/chilli.conf
1113
pidfile=/run/chilli.pid
1141
pidfile=/run/chilli.pid
1114
[ -f \$CONFIG ] || {
1142
[ -f \$CONFIG ] || {
1115
	echo "\$CONFIG Not found"
1143
	echo "\$CONFIG Not found"
1116
	exit 0
1144
	exit 0
1117
}
1145
}
1118
current_users_file="/tmp/current_users.txt"	# file containing active users
1146
current_users_file="/tmp/current_users.txt"	# file containing active users
1119
RETVAL=0
1147
RETVAL=0
1120
prog="chilli"
1148
prog="chilli"
1121
case \$1 in
1149
case \$1 in
1122
	start)
1150
	start)
1123
		if [ -f \$pidfile ] ; then
1151
		if [ -f \$pidfile ] ; then
1124
			gprintf "chilli is already running"
1152
			gprintf "chilli is already running"
1125
		else
1153
		else
1126
			gprintf "Starting \$prog: "
1154
			gprintf "Starting \$prog: "
1127
			echo '' > \$current_users_file && chown root:apache \$current_users_file && chmod 660 \$current_users_file
1155
			echo '' > \$current_users_file && chown root:apache \$current_users_file && chmod 660 \$current_users_file
1128
			rm -f /run/chilli* # cleaning
1156
			rm -f /run/chilli* # cleaning
1129
			/usr/sbin/modprobe tun >/dev/null 2>&1
1157
			/usr/sbin/modprobe tun >/dev/null 2>&1
1130
			echo 1 > /proc/sys/net/ipv4/ip_forward
1158
			echo 1 > /proc/sys/net/ipv4/ip_forward
1131
			[ -e /dev/net/tun ] || {
1159
			[ -e /dev/net/tun ] || {
1132
				(cd /dev;
1160
				(cd /dev;
1133
				mkdir net;
1161
				mkdir net;
1134
				cd net;
1162
				cd net;
1135
				mknod tun c 10 200)
1163
				mknod tun c 10 200)
1136
			}
1164
			}
1137
			ifconfig $INTIF 0.0.0.0
1165
			ifconfig $INTIF 0.0.0.0
1138
			/usr/sbin/ethtool -K $INTIF gro off
1166
			/usr/sbin/ethtool -K $INTIF gro off
1139
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1167
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1140
			RETVAL=\$?
1168
			RETVAL=\$?
1141
		fi
1169
		fi
1142
		;;
1170
		;;
1143
 
1171
 
1144
	reload)
1172
	reload)
1145
		killall -HUP chilli
1173
		killall -HUP chilli
1146
		;;
1174
		;;
1147
 
1175
 
1148
	restart)
1176
	restart)
1149
		\$0 stop
1177
		\$0 stop
1150
		sleep 2
1178
		sleep 2
1151
		\$0 start
1179
		\$0 start
1152
		;;
1180
		;;
1153
 
1181
 
1154
	status)
1182
	status)
1155
		status chilli
1183
		status chilli
1156
		RETVAL=0
1184
		RETVAL=0
1157
		;;
1185
		;;
1158
 
1186
 
1159
	stop)
1187
	stop)
1160
		if [ -f \$pidfile ] ; then
1188
		if [ -f \$pidfile ] ; then
1161
			gprintf "Shutting down \$prog: "
1189
			gprintf "Shutting down \$prog: "
1162
			killproc /usr/sbin/chilli
1190
			killproc /usr/sbin/chilli
1163
			RETVAL=\$?
1191
			RETVAL=\$?
1164
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1192
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1165
			[ -e \$current_users_file ] && rm -f \$current_users_file
1193
			[ -e \$current_users_file ] && rm -f \$current_users_file
1166
		else
1194
		else
1167
			gprintf "chilli is not running"
1195
			gprintf "chilli is not running"
1168
		fi
1196
		fi
1169
		;;
1197
		;;
1170
 
1198
 
1171
	*)
1199
	*)
1172
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1200
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1173
		exit 1
1201
		exit 1
1174
esac
1202
esac
1175
echo
1203
echo
1176
EOF
1204
EOF
1177
	chmod a+x /etc/init.d/chilli
1205
	chmod a+x /etc/init.d/chilli
1178
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1206
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1179
# conf file creation
1207
# conf file creation
1180
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1208
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1181
	#NTP Option configuration for DHCP
1209
	#NTP Option configuration for DHCP
1182
	#DHCP Options : rfc2132
1210
	#DHCP Options : rfc2132
1183
		#dhcp option value will be convert in hexa.
1211
		#dhcp option value will be convert in hexa.
1184
		#NTP option (or 'option 42') is like :
1212
		#NTP option (or 'option 42') is like :
1185
		#
1213
		#
1186
		#    Code   Len         Address 1               Address 2
1214
		#    Code   Len         Address 1               Address 2
1187
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1215
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1188
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1216
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1189
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1217
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1190
		#
1218
		#
1191
		#Code : 42 => 2a
1219
		#Code : 42 => 2a
1192
		#Len : 4 => 04
1220
		#Len : 4 => 04
1193
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1221
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1194
	cat <<EOF > /etc/chilli.conf
1222
	cat <<EOF > /etc/chilli.conf
1195
# coova config for ALCASAR
1223
# coova config for ALCASAR
1196
cmdsocket	/run/chilli.sock
1224
cmdsocket	/run/chilli.sock
1197
unixipc		chilli.$INTIF.ipc
1225
unixipc		chilli.$INTIF.ipc
1198
pidfile		/run/chilli.pid
1226
pidfile		/run/chilli.pid
1199
net		$PRIVATE_NETWORK_MASK
1227
net		$PRIVATE_NETWORK_MASK
1200
dhcpif		$INTIF
1228
dhcpif		$INTIF
1201
ethers		$DIR_DEST_ETC/alcasar-ethers
1229
ethers		$DIR_DEST_ETC/alcasar-ethers
1202
#nodynip
1230
#nodynip
1203
#statip
1231
#statip
1204
dynip		$PRIVATE_NETWORK_MASK
1232
dynip		$PRIVATE_NETWORK_MASK
1205
domain		$DOMAIN
1233
domain		$DOMAIN
1206
dns1		$PRIVATE_IP
1234
dns1		$PRIVATE_IP
1207
dns2		$PRIVATE_IP
1235
dns2		$PRIVATE_IP
1208
uamlisten	$PRIVATE_IP
1236
uamlisten	$PRIVATE_IP
1209
uamport		3990
1237
uamport		3990
1210
uamuiport	3991
1238
uamuiport	3991
1211
macauth
1239
macauth
1212
macpasswd	password
1240
macpasswd	password
1213
strictmacauth
1241
strictmacauth
1214
locationname	$HOSTNAME.$DOMAIN
1242
locationname	$HOSTNAME.$DOMAIN
1215
radiusserver1	127.0.0.1
1243
radiusserver1	127.0.0.1
1216
radiusserver2	127.0.0.1
1244
radiusserver2	127.0.0.1
1217
radiussecret	$secretradius
1245
radiussecret	$secretradius
1218
radiusauthport	1812
1246
radiusauthport	1812
1219
radiusacctport	1813
1247
radiusacctport	1813
1220
uamserver	http://$HOSTNAME.$DOMAIN/intercept.php
1248
uamserver	http://$HOSTNAME.$DOMAIN/intercept.php
1221
redirurl
1249
redirurl
1222
radiusnasid	$HOSTNAME.$DOMAIN
1250
radiusnasid	$HOSTNAME.$DOMAIN
1223
uamsecret	$secretuam
1251
uamsecret	$secretuam
1224
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1252
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1225
coaport		3799
1253
coaport		3799
1226
conup		$DIR_DEST_BIN/alcasar-conup.sh
1254
conup		$DIR_DEST_BIN/alcasar-conup.sh
1227
condown		$DIR_DEST_BIN/alcasar-condown.sh
1255
condown		$DIR_DEST_BIN/alcasar-condown.sh
1228
macup		$DIR_DEST_BIN/alcasar-macup.sh
1256
macup		$DIR_DEST_BIN/alcasar-macup.sh
1229
include		$DIR_DEST_ETC/alcasar-uamallowed
1257
include		$DIR_DEST_ETC/alcasar-uamallowed
1230
include		$DIR_DEST_ETC/alcasar-uamdomain
1258
include		$DIR_DEST_ETC/alcasar-uamdomain
1231
dhcpopt		2a04$PRIVATE_IP_HEXA
1259
dhcpopt		2a04$PRIVATE_IP_HEXA
1232
#dhcpgateway		none
1260
#dhcpgateway		none
1233
#dhcprelayagent		none
1261
#dhcprelayagent		none
1234
#dhcpgatewayport	none
1262
#dhcpgatewayport	none
1235
sslkeyfile	/etc/pki/tls/private/alcasar.key
1263
sslkeyfile	/etc/pki/tls/private/alcasar.key
1236
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1264
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1237
sslcafile	/etc/pki/tls/certs/server-chain.pem
1265
sslcafile	/etc/pki/tls/certs/server-chain.pem
1238
#redirssl
1266
#redirssl
1239
#uamuissl
1267
#uamuissl
1240
EOF
1268
EOF
1241
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1269
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1242
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1270
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1243
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1271
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1244
# create files for trusted domains and urls
1272
# create files for trusted domains and urls
1245
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1273
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1246
	chown root:apache $DIR_DEST_ETC/alcasar-*
1274
	chown root:apache $DIR_DEST_ETC/alcasar-*
1247
	chmod 660 $DIR_DEST_ETC/alcasar-*
1275
	chmod 660 $DIR_DEST_ETC/alcasar-*
1248
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1276
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1249
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1277
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1250
# user 'chilli' creation (in order to run conup/off and up/down scripts
1278
# user 'chilli' creation (in order to run conup/off and up/down scripts
1251
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1279
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1252
	if [ "$chilli_exist" == "1" ]
1280
	if [ "$chilli_exist" == "1" ]
1253
	then
1281
	then
1254
		userdel -r chilli 2>/dev/null
1282
		userdel -r chilli 2>/dev/null
1255
	fi
1283
	fi
1256
	groupadd -f chilli
1284
	groupadd -f chilli
1257
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1285
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1258
}  # End of chilli()
1286
}  # End of chilli()
1259
 
1287
 
1260
################################################################
1288
################################################################
1261
##                   Function "e2guardian"                    ##
1289
##                   Function "e2guardian"                    ##
1262
## - Set the parameters of this HTML proxy (as controler)     ##
1290
## - Set the parameters of this HTML proxy (as controler)     ##
1263
################################################################
1291
################################################################
1264
e2guardian()
1292
e2guardian()
1265
{
1293
{
1266
# Adapt systemd unit
1294
# Adapt systemd unit
1267
	cp /lib/systemd/system/e2guardian.service /etc/systemd/system/e2guardian.service
1295
	cp /lib/systemd/system/e2guardian.service /etc/systemd/system/e2guardian.service
1268
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /etc/systemd/system/e2guardian.service
1296
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /etc/systemd/system/e2guardian.service
1269
	$SED "s?^After=.*?After=network.target chilli.service?g" /etc/systemd/system/e2guardian.service
1297
	$SED "s?^After=.*?After=network.target chilli.service?g" /etc/systemd/system/e2guardian.service
1270
# Adapt the main conf file
1298
# Adapt the main conf file
1271
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1299
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1272
# French deny HTML page
1300
# French deny HTML page
1273
	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
1301
	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
1274
# 2 filtergroups (8080 & 8090)
1302
# 2 filtergroups (8080 & 8090)
1275
	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
1303
	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
1276
# Listen on 8080 (HTTP for BL users) only on LAN side
1304
# Listen on 8080 (HTTP for BL users) only on LAN side
1277
	$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1305
	$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1278
	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
1306
	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
1279
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
1307
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
1280
	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
1308
	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
1281
	$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
1309
	$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
1282
# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
1310
# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
1283
	$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1311
	$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1284
# Don't log
1312
# Don't log
1285
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1313
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1286
# Disable HTML content control (weighted & banned)
1314
# Disable HTML content control (weighted & banned)
1287
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1315
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1288
# Enable authport plugin
1316
# Enable authport plugin
1289
	$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
1317
	$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
1290
	$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
1318
	$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
1291
# Enable clamd scanner
1319
# Enable clamd scanner
1292
	$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
1320
	$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
1293
 
1321
 
1294
# Adapt the first group conf file
1322
# Adapt the first group conf file
1295
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1323
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1296
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1324
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1297
	$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
1325
	$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
1298
	$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
1326
	$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
1299
 
1327
 
1300
# copy & adapt HTML templates
1328
# copy & adapt HTML templates
1301
	cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
1329
	cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
1302
	cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1330
	cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1303
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
1331
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
1304
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1332
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1305
 
1333
 
1306
###### ALCASAR special filtering ####
1334
###### ALCASAR special filtering ####
1307
# RAZ bannedphraselist
1335
# RAZ bannedphraselist
1308
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1336
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1309
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1337
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1310
# Disable URL control with regex
1338
# Disable URL control with regex
1311
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1339
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1312
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1340
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1313
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
1341
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
1314
#	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1342
#	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1315
#	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1343
#	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1316
#	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1344
#	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1317
#	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1345
#	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1318
# Dont filtering files by extension or mime-type (empty list)
1346
# Dont filtering files by extension or mime-type (empty list)
1319
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1347
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1320
	touch $DIR_DG/lists/bannedextensionlist
1348
	touch $DIR_DG/lists/bannedextensionlist
1321
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1349
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1322
	touch $DIR_DG/lists/bannedmimetypelist
1350
	touch $DIR_DG/lists/bannedmimetypelist
1323
# Empty LAN IP list that won't be WEB filtered
1351
# Empty LAN IP list that won't be WEB filtered
1324
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1352
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1325
	touch $DIR_DG/lists/exceptioniplist
1353
	touch $DIR_DG/lists/exceptioniplist
1326
# Creation of ALCASAR banned site list
1354
# Creation of ALCASAR banned site list
1327
	[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
1355
	[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
1328
	cat <<EOF > $DIR_DG/lists/greysitelist
1356
	cat <<EOF > $DIR_DG/lists/greysitelist
1329
# E2guardian filter config for ALCASAR
1357
# E2guardian filter config for ALCASAR
1330
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
1358
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
1331
# block all SSL and CONNECT tunnels
1359
# block all SSL and CONNECT tunnels
1332
**s
1360
**s
1333
# block all SSL and CONNECT tunnels specified only as an IP
1361
# block all SSL and CONNECT tunnels specified only as an IP
1334
*ips
1362
*ips
1335
# block all sites specified only by an IP
1363
# block all sites specified only by an IP
1336
*ip
1364
*ip
1337
EOF
1365
EOF
1338
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
1366
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
1339
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1367
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1340
	cat <<EOF > $DIR_DG/lists/bannedurllist
1368
	cat <<EOF > $DIR_DG/lists/bannedurllist
1341
# E2guardian filter config for ALCASAR
1369
# E2guardian filter config for ALCASAR
1342
EOF
1370
EOF
1343
# Creation of files for rehabilited domains and urls
1371
# Creation of files for rehabilited domains and urls
1344
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1372
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1345
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1373
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1346
	touch $DIR_DG/lists/exceptionsitelist
1374
	touch $DIR_DG/lists/exceptionsitelist
1347
	touch $DIR_DG/lists/exceptionurllist
1375
	touch $DIR_DG/lists/exceptionurllist
1348
# Add Bing to the safesearch url regext list (parental control)
1376
# Add Bing to the safesearch url regext list (parental control)
1349
	[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1377
	[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1350
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1378
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1351
 
1379
 
1352
# Bing - add 'adlt=strict'
1380
# Bing - add 'adlt=strict'
1353
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1381
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1354
EOF
1382
EOF
1355
# 'Safesearch' regex actualisation
1383
# 'Safesearch' regex actualisation
1356
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1384
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1357
# change the google safesearch ("safe=strict" instead of "safe=vss")
1385
# change the google safesearch ("safe=strict" instead of "safe=vss")
1358
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1386
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1359
 
1387
 
1360
# Create & adapt the second group conf file (av + av_wl)
1388
# Create & adapt the second group conf file (av + av_wl)
1361
	cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
1389
	cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
1362
	$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
1390
	$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
1363
	$SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
1391
	$SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
1364
	$SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
1392
	$SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
1365
 
1393
 
1366
# create log folder
1394
# create log folder
1367
    mkdir -p /var/log/e2guardian
1395
    mkdir -p /var/log/e2guardian
1368
	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
1396
	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
1369
} # End of e2guardian()
1397
} # End of e2guardian()
1370
 
1398
 
1371
##################################################################
1399
##################################################################
1372
##                     Function "antivirus"                     ##
1400
##                     Function "antivirus"                     ##
1373
## - Set the parameters of clamav and freshclam                 ##
1401
## - Set the parameters of clamav and freshclam                 ##
1374
##################################################################
1402
##################################################################
1375
antivirus()
1403
antivirus()
1376
{
1404
{
1377
# Clamd unit adaptation to e2guardian
1405
# Clamd unit adaptation to e2guardian
1378
	cp /lib/systemd/system/clamav-daemon.service /etc/systemd/system/clamav-daemon.service
1406
	cp /lib/systemd/system/clamav-daemon.service /etc/systemd/system/clamav-daemon.service
1379
	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /etc/systemd/system/clamav-daemon.service
1407
	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /etc/systemd/system/clamav-daemon.service
1380
	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /etc/systemd/system/clamav-daemon.service
1408
	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /etc/systemd/system/clamav-daemon.service
1381
	cp /lib/systemd/system/clamav-daemon.socket /etc/systemd/system/clamav-daemon.socket
1409
	cp /lib/systemd/system/clamav-daemon.socket /etc/systemd/system/clamav-daemon.socket
1382
	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
1410
	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
1383
	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
1411
	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
1384
# Clamd conf adaptation to e2guardian
1412
# Clamd conf adaptation to e2guardian
1385
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
1413
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
1386
	$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
1414
	$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
1387
	$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
1415
	$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
1388
	$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
1416
	$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
1389
	$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
1417
	$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
1390
	$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
1418
	$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
1391
	$SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf
1419
	$SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf
1392
	chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
1420
	chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
1393
	chmod 775 /var/log/clamav /var/lib/clamav
1421
	chmod 775 /var/log/clamav /var/lib/clamav
1394
	chmod 664 /var/log/clamav/*
1422
	chmod 664 /var/log/clamav/*
1395
# update virus database every 4 hours (24h/6)
1423
# update virus database every 4 hours (24h/6)
1396
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1424
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1397
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1425
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1398
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1426
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1399
	$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
1427
	$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
1400
	$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1428
	$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1401
	$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1429
	$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1402
# update now
1430
# update now
1403
	/usr/bin/freshclam --no-warnings --quiet
1431
	/usr/bin/freshclam --no-warnings --quiet
1404
} # End of antivirus()
1432
} # End of antivirus()
1405
 
1433
 
1406
##############################################################
1434
##############################################################
1407
##                            function "ulogd"              ##
1435
##                            function "ulogd"              ##
1408
## - Ulog config for multi-log files                        ##
1436
## - Ulog config for multi-log files                        ##
1409
##############################################################
1437
##############################################################
1410
ulogd()
1438
ulogd()
1411
{
1439
{
1412
# Three instances of ulogd (three different logfiles)
1440
# Three instances of ulogd (three different logfiles)
1413
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1441
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1414
	nl=1
1442
	nl=1
1415
	for log_type in traceability ssh ext-access
1443
	for log_type in traceability ssh ext-access
1416
	do
1444
	do
1417
		cp -f /lib/systemd/system/ulogd.service /etc/systemd/system/ulogd-$log_type.service
1445
		cp -f /lib/systemd/system/ulogd.service /etc/systemd/system/ulogd-$log_type.service
1418
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1446
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1419
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1447
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1420
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1448
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1421
		cat << EOF >> /etc/ulogd-$log_type.conf
1449
		cat << EOF >> /etc/ulogd-$log_type.conf
1422
[emu1]
1450
[emu1]
1423
file="/var/log/firewall/$log_type.log"
1451
file="/var/log/firewall/$log_type.log"
1424
sync=1
1452
sync=1
1425
EOF
1453
EOF
1426
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /etc/systemd/system/ulogd-$log_type.service
1454
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /etc/systemd/system/ulogd-$log_type.service
1427
		nl=`expr $nl + 1`
1455
		nl=`expr $nl + 1`
1428
	done
1456
	done
1429
	chown -R root:apache /var/log/firewall
1457
	chown -R root:apache /var/log/firewall
1430
	chmod 750 /var/log/firewall
1458
	chmod 750 /var/log/firewall
1431
	chmod 640 /var/log/firewall/*
1459
	chmod 640 /var/log/firewall/*
1432
}  # End of ulogd()
1460
}  # End of ulogd()
1433
 
1461
 
1434
##########################################################
1462
##########################################################
1435
##                    Function "nfsen"                  ##
1463
##                    Function "nfsen"                  ##
1436
## - configure NetFlow collector (nfcapd)               ##
1464
## - configure NetFlow collector (nfcapd)               ##
1437
## - configure NetFlow grapher (nfsen-ng)               ##
1465
## - configure NetFlow grapher (nfsen-ng)               ##
1438
##########################################################
1466
##########################################################
1439
nfsen()
1467
nfsen()
1440
{
1468
{
1441
	groupadd -f nfcapd
1469
	groupadd -f nfcapd
1442
	id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
1470
	id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
1443
# nfcapd unit for systemd
1471
# nfcapd unit for systemd
1444
	cat << EOF > /etc/systemd/system/nfcapd.service
1472
	cat << EOF > /etc/systemd/system/nfcapd.service
1445
#  This file is part of systemd.
1473
#  This file is part of systemd.
1446
#
1474
#
1447
#  systemd is free software; you can redistribute it and/or modify it
1475
#  systemd is free software; you can redistribute it and/or modify it
1448
#  under the terms of the GNU General Public License as published by
1476
#  under the terms of the GNU General Public License as published by
1449
#  the Free Software Foundation; either version 2 of the License, or
1477
#  the Free Software Foundation; either version 2 of the License, or
1450
#  (at your option) any later version.
1478
#  (at your option) any later version.
1451
 
1479
 
1452
# This unit launches nfcapd (a Netflow collector).
1480
# This unit launches nfcapd (a Netflow collector).
1453
[Unit]
1481
[Unit]
1454
Description=Netflow Capture Daemon
1482
Description=Netflow Capture Daemon
1455
After=network-online.target iptables.service
1483
After=network-online.target iptables.service
1456
 
1484
 
1457
[Service]
1485
[Service]
1458
Type=exec
1486
Type=exec
1459
ExecStartPre=/bin/mkdir -p /run/nfcapd
1487
ExecStartPre=/bin/mkdir -p /run/nfcapd
1460
ExecStartPre=/bin/chown nfcapd:nfcapd /run/nfcapd
1488
ExecStartPre=/bin/chown nfcapd:nfcapd /run/nfcapd
1461
PIDFile=/run/nfcapd/nfcapd.pid
1489
PIDFile=/run/nfcapd/nfcapd.pid
1462
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profiles-data/live/alcasar_netflow
1490
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profiles-data/live/alcasar_netflow
1463
ExecReload=/bin/kill -HUP $MAINPID
1491
ExecReload=/bin/kill -HUP $MAINPID
1464
 
1492
 
1465
[Install]
1493
[Install]
1466
WantedBy=multi-user.target
1494
WantedBy=multi-user.target
1467
EOF
1495
EOF
1468
    [ -d /var/log/nfsen/profiles-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profiles-data/live/alcasar_netflow
1496
    [ -d /var/log/nfsen/profiles-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profiles-data/live/alcasar_netflow
1469
    [ -d /run/nfcapd ] || mkdir -p /run/nfcapd
1497
    [ -d /run/nfcapd ] || mkdir -p /run/nfcapd
1470
    chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
1498
    chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
1471
} # End of nfsen()
1499
} # End of nfsen()
1472
 
1500
 
1473
###########################################################
1501
###########################################################
1474
##                     Function "vnstat"                 ##
1502
##                     Function "vnstat"                 ##
1475
## - Initialization of vnstat and vnstat-dashboard       ##
1503
## - Initialization of vnstat and vnstat-dashboard       ##
1476
###########################################################
1504
###########################################################
1477
vnstat()
1505
vnstat()
1478
{
1506
{
1479
	# vnstat
1507
	# vnstat
1480
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1508
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1481
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1509
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1482
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1510
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1483
	$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf
1511
	$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf
1484
	# vnstat-dashboard
1512
	# vnstat-dashboard
1485
	$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
1513
	$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
1486
	cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
1514
	cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
1487
	$SED "s?^PIDFile=.*?PIDFile=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
1515
	$SED "s?^PIDFile=.*?PIDFile=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
1488
} # End of vnstat()
1516
} # End of vnstat()
1489
 
1517
 
1490
###################################################################
1518
###################################################################
1491
##                     Function "dnsmasq"                        ##
1519
##                     Function "dnsmasq"                        ##
1492
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1520
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1493
###################################################################
1521
###################################################################
1494
dnsmasq()
1522
dnsmasq()
1495
{
1523
{
1496
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1524
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1497
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1525
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1498
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1526
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1499
	cat << EOF > /etc/dnsmasq-whitelist.conf
1527
	cat << EOF > /etc/dnsmasq-whitelist.conf
1500
# Configuration file for "dnsmasq with whitelist"
1528
# Configuration file for "dnsmasq with whitelist"
1501
# ADD Toulouse university whitelist domains
1529
# ADD Toulouse university whitelist domains
1502
pid-file=/run/dnsmasq-whitelist.pid
1530
pid-file=/run/dnsmasq-whitelist.pid
1503
listen-address=127.0.0.1
1531
listen-address=127.0.0.1
1504
port=55
1532
port=55
1505
no-dhcp-interface=lo
1533
no-dhcp-interface=lo
1506
bind-interfaces
1534
bind-interfaces
1507
cache-size=1024
1535
cache-size=1024
1508
domain-needed
1536
domain-needed
1509
expand-hosts
1537
expand-hosts
1510
bogus-priv
1538
bogus-priv
1511
filterwin2k
1539
filterwin2k
1512
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1540
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1513
server=$DNS1
1541
server=$DNS1
1514
server=$DNS2
1542
server=$DNS2
1515
EOF
1543
EOF
1516
	# Don't run dnsmasq service. Create dnsmasq-whitelist unit
1544
	# Don't run dnsmasq service. Create dnsmasq-whitelist unit
1517
	systemctl disable dnsmasq.service
1545
	systemctl disable dnsmasq.service
1518
	cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
1546
	cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
1519
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
1547
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
1520
	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
1548
	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
1521
} # End of dnsmasq()
1549
} # End of dnsmasq()
1522
 
1550
 
1523
#########################################################
1551
#########################################################
1524
##              Function "unbound"                     ##
1552
##              Function "unbound"                     ##
1525
## - create the conf files for 4 unbound services      ##
1553
## - create the conf files for 4 unbound services      ##
1526
## - create the systemd files for 4 unbound services   ##
1554
## - create the systemd files for 4 unbound services   ##
1527
#########################################################
1555
#########################################################
1528
unbound ()
1556
unbound ()
1529
{
1557
{
1530
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1558
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1531
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1559
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1532
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1560
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1533
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1561
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1534
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1562
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1535
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1563
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1536
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1564
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1537
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1565
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1538
	[ -d /var/log/unbound ] || mkdir /var/log/unbound
1566
	[ -d /var/log/unbound ] || mkdir /var/log/unbound
1539
	chown unbound:unbound /var/log/unbound
1567
	chown unbound:unbound /var/log/unbound
1540
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1568
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1541
 
1569
 
1542
# Forward zone configuration file for all unbound dns servers
1570
# Forward zone configuration file for all unbound dns servers
1543
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1571
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1544
forward-zone:
1572
forward-zone:
1545
	name: "."
1573
	name: "."
1546
	forward-addr: $DNS1
1574
	forward-addr: $DNS1
1547
	forward-addr: $DNS2
1575
	forward-addr: $DNS2
1548
EOF
1576
EOF
1549
 
1577
 
1550
# Custom configuration file for manual DNS configuration
1578
# Custom configuration file for manual DNS configuration
1551
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1579
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1552
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1580
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1553
## Add one block for each domain name managed by an other DNS server
1581
## Add one block for each domain name managed by an other DNS server
1554
##
1582
##
1555
## Example:
1583
## Example:
1556
##
1584
##
1557
## server:
1585
## server:
1558
##     local-zone: "<your_domain>." transparent
1586
##     local-zone: "<your_domain>." transparent
1559
## forward-zone:
1587
## forward-zone:
1560
##     name: "<your_domain>."
1588
##     name: "<your_domain>."
1561
##     forward-addr: <@IP_domain_server>
1589
##     forward-addr: <@IP_domain_server>
1562
##
1590
##
1563
EOF
1591
EOF
1564
 
1592
 
1565
# Configuration file of ALCASAR main domains for $INTIF
1593
# Configuration file of ALCASAR main domains for $INTIF
1566
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1594
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1567
server:
1595
server:
1568
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1596
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1569
	local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"
1597
	local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"
1570
EOF
1598
EOF
1571
 
1599
 
1572
# Configuration file for lo of forward unbound
1600
# Configuration file for lo of forward unbound
1573
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1601
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1574
server:
1602
server:
1575
	interface: 127.0.0.1@53
1603
	interface: 127.0.0.1@53
1576
	access-control-view: 127.0.0.1/8 lo
1604
	access-control-view: 127.0.0.1/8 lo
1577
view:
1605
view:
1578
	name: "lo"
1606
	name: "lo"
1579
	local-data: "$HOSTNAME A 127.0.0.1"
1607
	local-data: "$HOSTNAME A 127.0.0.1"
1580
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1608
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1581
	local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
1609
	local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
1582
	view-first: yes
1610
	view-first: yes
1583
EOF
1611
EOF
1584
 
1612
 
1585
# Configuration file for $INTIF of forward unbound
1613
# Configuration file for $INTIF of forward unbound
1586
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1614
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1587
server:
1615
server:
1588
	interface: ${PRIVATE_IP}@53
1616
	interface: ${PRIVATE_IP}@53
1589
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1617
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1590
view:
1618
view:
1591
	name: "$INTIF"
1619
	name: "$INTIF"
1592
	view-first: yes
1620
	view-first: yes
1593
EOF
1621
EOF
1594
 
1622
 
1595
# Configuration file for main unbound
1623
# Configuration file for main unbound
1596
	cat << EOF > /etc/unbound/unbound.conf
1624
	cat << EOF > /etc/unbound/unbound.conf
1597
server:
1625
server:
1598
	verbosity: 1
1626
	verbosity: 1
1599
	hide-version: yes
1627
	hide-version: yes
1600
	hide-identity: yes
1628
	hide-identity: yes
1601
	do-ip6: no
1629
	do-ip6: no
1602
	include: /etc/unbound/conf.d/common/forward-zone.conf
1630
	include: /etc/unbound/conf.d/common/forward-zone.conf
1603
	include: /etc/unbound/conf.d/common/local-forward/*
1631
	include: /etc/unbound/conf.d/common/local-forward/*
1604
	include: /etc/unbound/conf.d/common/local-dns/*
1632
	include: /etc/unbound/conf.d/common/local-dns/*
1605
	include: /etc/unbound/conf.d/forward/*
1633
	include: /etc/unbound/conf.d/forward/*
1606
EOF
1634
EOF
1607
 
1635
 
1608
# Configuration file for $INTIF of blacklist unbound
1636
# Configuration file for $INTIF of blacklist unbound
1609
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1637
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1610
server:
1638
server:
1611
	interface: ${PRIVATE_IP}@54
1639
	interface: ${PRIVATE_IP}@54
1612
	access-control: $PRIVATE_IP_MASK allow
1640
	access-control: $PRIVATE_IP_MASK allow
1613
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1641
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1614
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1642
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1615
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1643
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1616
EOF
1644
EOF
1617
 
1645
 
1618
# Configuration file for blacklist unbound
1646
# Configuration file for blacklist unbound
1619
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1647
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1620
server:
1648
server:
1621
	verbosity: 1
1649
	verbosity: 1
1622
	hide-version: yes
1650
	hide-version: yes
1623
	hide-identity: yes
1651
	hide-identity: yes
1624
	do-ip6: no
1652
	do-ip6: no
1625
	logfile: "/var/log/unbound/unbound-blacklist.log"
1653
	logfile: "/var/log/unbound/unbound-blacklist.log"
1626
	chroot: ""
1654
	chroot: ""
1627
	define-tag: "blacklist"
1655
	define-tag: "blacklist"
1628
	log-local-actions: yes
1656
	log-local-actions: yes
1629
	include: /etc/unbound/conf.d/common/forward-zone.conf
1657
	include: /etc/unbound/conf.d/common/forward-zone.conf
1630
	include: /etc/unbound/conf.d/common/local-forward/*
1658
	include: /etc/unbound/conf.d/common/local-forward/*
1631
	include: /etc/unbound/conf.d/common/local-dns/*
1659
	include: /etc/unbound/conf.d/common/local-dns/*
1632
	include: /etc/unbound/conf.d/blacklist/*
1660
	include: /etc/unbound/conf.d/blacklist/*
1633
	include: /usr/local/share/unbound-bl-enabled/*
1661
	include: /usr/local/share/unbound-bl-enabled/*
1634
EOF
1662
EOF
1635
 
1663
 
1636
# Configuration file for $INTIF of whitelist unbound
1664
# Configuration file for $INTIF of whitelist unbound
1637
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1665
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1638
server:
1666
server:
1639
	interface: ${PRIVATE_IP}@55
1667
	interface: ${PRIVATE_IP}@55
1640
	access-control: $PRIVATE_IP_MASK allow
1668
	access-control: $PRIVATE_IP_MASK allow
1641
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1669
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1642
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1670
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1643
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1671
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1644
EOF
1672
EOF
1645
 
1673
 
1646
# Configuration file for whitelist unbound
1674
# Configuration file for whitelist unbound
1647
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1675
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1648
server:
1676
server:
1649
	verbosity: 1
1677
	verbosity: 1
1650
	hide-version: yes
1678
	hide-version: yes
1651
	hide-identity: yes
1679
	hide-identity: yes
1652
	do-ip6: no
1680
	do-ip6: no
1653
	do-not-query-localhost: no
1681
	do-not-query-localhost: no
1654
	define-tag: "whitelist"
1682
	define-tag: "whitelist"
1655
	local-zone: "." transparent
1683
	local-zone: "." transparent
1656
	local-zone-tag: "." "whitelist"
1684
	local-zone-tag: "." "whitelist"
1657
	include: /etc/unbound/conf.d/common/local-forward/*
1685
	include: /etc/unbound/conf.d/common/local-forward/*
1658
	include: /etc/unbound/conf.d/common/local-dns/*
1686
	include: /etc/unbound/conf.d/common/local-dns/*
1659
	include: /etc/unbound/conf.d/whitelist/*
1687
	include: /etc/unbound/conf.d/whitelist/*
1660
	include: /usr/local/share/unbound-wl-enabled/*
1688
	include: /usr/local/share/unbound-wl-enabled/*
1661
forward-zone:
1689
forward-zone:
1662
	name: "."
1690
	name: "."
1663
	forward-addr: 127.0.0.1@55
1691
	forward-addr: 127.0.0.1@55
1664
EOF
1692
EOF
1665
 
1693
 
1666
# Configuration file for $INTIF of blackhole unbound
1694
# Configuration file for $INTIF of blackhole unbound
1667
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1695
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1668
server:
1696
server:
1669
	interface: ${PRIVATE_IP}@56
1697
	interface: ${PRIVATE_IP}@56
1670
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1698
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1671
view:
1699
view:
1672
	name: "$INTIF"
1700
	name: "$INTIF"
1673
	local-zone: "." redirect
1701
	local-zone: "." redirect
1674
	local-data: ". A $PRIVATE_IP"
1702
	local-data: ". A $PRIVATE_IP"
1675
EOF
1703
EOF
1676
 
1704
 
1677
# Configuration file for blackhole unbound
1705
# Configuration file for blackhole unbound
1678
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1706
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1679
server:
1707
server:
1680
	verbosity: 1
1708
	verbosity: 1
1681
	hide-version: yes
1709
	hide-version: yes
1682
	hide-identity: yes
1710
	hide-identity: yes
1683
	do-ip6: no
1711
	do-ip6: no
1684
	include: /etc/unbound/conf.d/common/local-forward/*
1712
	include: /etc/unbound/conf.d/common/local-forward/*
1685
	include: /etc/unbound/conf.d/common/local-dns/*
1713
	include: /etc/unbound/conf.d/common/local-dns/*
1686
	include: /etc/unbound/conf.d/blackhole/*
1714
	include: /etc/unbound/conf.d/blackhole/*
1687
EOF
1715
EOF
1688
 
1716
 
1689
	cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
1717
	cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
1690
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
1718
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
1691
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
1719
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
1692
	for list in blacklist blackhole whitelist
1720
	for list in blacklist blackhole whitelist
1693
	do
1721
	do
1694
		cp -f /lib/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service
1722
		cp -f /lib/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service
1695
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service
1723
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service
1696
		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service
1724
		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service
1697
	done
1725
	done
1698
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
1726
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
1699
} # End of unbound()
1727
} # End of unbound()
1700
 
1728
 
1701
##################################################
1729
##################################################
1702
##              Function "dhcpd"                ##
1730
##              Function "dhcpd"                ##
1703
##################################################
1731
##################################################
1704
dhcpd()
1732
dhcpd()
1705
{
1733
{
1706
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1734
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1707
	cat <<EOF > /etc/dhcpd.conf
1735
	cat <<EOF > /etc/dhcpd.conf
1708
ddns-update-style none;
1736
ddns-update-style none;
1709
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1737
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1710
	option routers $PRIVATE_IP;
1738
	option routers $PRIVATE_IP;
1711
	option subnet-mask $PRIVATE_NETMASK;
1739
	option subnet-mask $PRIVATE_NETMASK;
1712
	option domain-name-servers $PRIVATE_IP;
1740
	option domain-name-servers $PRIVATE_IP;
1713
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1741
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1714
	default-lease-time 21600;
1742
	default-lease-time 21600;
1715
	max-lease-time 43200;
1743
	max-lease-time 43200;
1716
}
1744
}
1717
EOF
1745
EOF
1718
} # End of dhcpd()
1746
} # End of dhcpd()
1719
 
1747
 
1720
##########################################################
1748
##########################################################
1721
##                      Function "BL"                   ##
1749
##                      Function "BL"                   ##
1722
## - copy & adapt Toulouse BL to ALCASAR architecture   ##
1750
## - copy & adapt Toulouse BL to ALCASAR architecture   ##
1723
##     - domain names for unbound-bl & unbound-wl       ##
1751
##     - domain names for unbound-bl & unbound-wl       ##
1724
##     - URLs for E²guardian                            ##
1752
##     - URLs for E²guardian                            ##
1725
##     - IPs for NetFilter                              ##
1753
##     - IPs for NetFilter                              ##
1726
## - copy additional BLs (TOR + Ultrasurf + C&C)        ##
1754
## - copy additional BLs (TOR + Ultrasurf + C&C)        ##
1727
##########################################################
1755
##########################################################
1728
BL()
1756
BL()
1729
{
1757
{
1730
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1758
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1731
	rm -rf $DIR_DG/lists/blacklists
1759
	rm -rf $DIR_DG/lists/blacklists
1732
	mkdir -p /tmp/blacklists
1760
	mkdir -p /tmp/blacklists
1733
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1761
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1734
# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only)
1762
# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only)
1735
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1763
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1736
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1764
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1737
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1765
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1738
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1766
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1739
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1767
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1740
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1768
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1741
# add additional BL files
1769
# add additional BL files
1742
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklists")
1770
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklists")
1743
	do
1771
	do
1744
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1772
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1745
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1773
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1746
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1774
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1747
	done
1775
	done
1748
	chown -R e2guardian:apache $DIR_DG
1776
	chown -R e2guardian:apache $DIR_DG
1749
	chown -R root:apache $DIR_DEST_SHARE
1777
	chown -R root:apache $DIR_DEST_SHARE
1750
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1778
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1751
# adapt the Toulouse BL to ALCASAR architecture
1779
# adapt the Toulouse BL to ALCASAR architecture
1752
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1780
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1753
# enable the default categories
1781
# enable the default categories
1754
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1782
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1755
	rm -rf /tmp/blacklists
1783
	rm -rf /tmp/blacklists
1756
} # End of BL()
1784
} # End of BL()
1757
 
1785
 
1758
#######################################################
1786
#######################################################
1759
##                  Function "cron"                  ##
1787
##                  Function "cron"                  ##
1760
## - write all cron & anacron files                  ##
1788
## - write all cron & anacron files                  ##
1761
#######################################################
1789
#######################################################
1762
cron()
1790
cron()
1763
{
1791
{
1764
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1792
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1765
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1793
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1766
	cat <<EOF > /etc/crontab
1794
	cat <<EOF > /etc/crontab
1767
SHELL=/usr/bin/bash
1795
SHELL=/usr/bin/bash
1768
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1796
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1769
MAILTO=root
1797
MAILTO=root
1770
HOME=/
1798
HOME=/
1771
 
1799
 
1772
# run-parts
1800
# run-parts
1773
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1801
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1774
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1802
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1775
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1803
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1776
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1804
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1777
EOF
1805
EOF
1778
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1806
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1779
	cat <<EOF >> /etc/anacrontab
1807
	cat <<EOF >> /etc/anacrontab
1780
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1808
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1781
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1809
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1782
EOF
1810
EOF
1783
	cat <<EOF > /etc/cron.d/alcasar-mysql
1811
	cat <<EOF > /etc/cron.d/alcasar-mysql
1784
# Verify, repair and export users database (every monday at 4:45 am)
1812
# Verify, repair and export users database (every monday at 4:45 am)
1785
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1813
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1786
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1814
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1787
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1815
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1788
EOF
1816
EOF
1789
	cat <<EOF > /etc/cron.d/alcasar-archive
1817
	cat <<EOF > /etc/cron.d/alcasar-archive
1790
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1818
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1791
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1819
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1792
EOF
1820
EOF
1793
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1821
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1794
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1822
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1795
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1823
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1796
EOF
1824
EOF
1797
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1825
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1798
# Update the system (everyday at 3:30 am)
1826
# Update the system (everyday at 3:30 am)
1799
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1827
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1800
EOF
1828
EOF
1801
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1829
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1802
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1830
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1803
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1831
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1804
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1832
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1805
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1833
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1806
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1834
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1807
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1835
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1808
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1836
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1809
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1837
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1810
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1838
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1811
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1839
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1812
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1840
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1813
EOF
1841
EOF
1814
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1842
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1815
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1843
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1816
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1844
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1817
# 'alcasar-watchdog.sh --disconnect-permanent-users' : disconnect users with attribute "Alcasar-Status-Page-Must-Stay-Open" (daily --> see "cron.daily")
1845
# 'alcasar-watchdog.sh --disconnect-permanent-users' : disconnect users with attribute "Alcasar-Status-Page-Must-Stay-Open" (daily --> see "cron.daily")
1818
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1846
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1819
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1847
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1820
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1848
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1821
@daily root $DIR_DEST_BIN/alcasar-watchdog.sh --disconnect-permanent-users > /dev/null 2>&1
1849
@daily root $DIR_DEST_BIN/alcasar-watchdog.sh --disconnect-permanent-users > /dev/null 2>&1
1822
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1850
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1823
EOF
1851
EOF
1824
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1852
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1825
# start dead daemons (after boot process and every 20')
1853
# start dead daemons (after boot process and every 20')
1826
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1854
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1827
*/20 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1855
*/20 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1828
EOF
1856
EOF
1829
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1857
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1830
# Automatic update the BL (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1858
# Automatic update the BL (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1831
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl-autoupdate.sh --update_cat > /dev/null 2>&1
1859
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl-autoupdate.sh --update_cat > /dev/null 2>&1
1832
EOF
1860
EOF
1833
	cat <<EOF > /etc/cron.d/alcasar-rsync-ossi_bl
1861
	cat <<EOF > /etc/cron.d/alcasar-rsync-ossi_bl
1834
# Automatic update the OSSI BLs (every 12 hours) by running the custom update scripts specified in '/usr/local/etc/update_ossi_cat.conf'.
1862
# Automatic update the OSSI BLs (every 12 hours) by running the custom update scripts specified in '/usr/local/etc/update_ossi_cat.conf'.
1835
0 */12 * * * root /bin/bash /usr/local/etc/update_ossi_cat.conf > /dev/null 2>&1
1863
0 */12 * * * root /bin/bash /usr/local/etc/update_ossi_cat.conf > /dev/null 2>&1
1836
EOF
1864
EOF
1837
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1865
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1838
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1866
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1839
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1867
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1840
EOF
1868
EOF
1841
	cat <<EOF > /etc/cron.d/alcasar-nfcapd-expire
1869
	cat <<EOF > /etc/cron.d/alcasar-nfcapd-expire
1842
# Remove netflow files older than one year (daily --> see "cron.daily")
1870
# Remove netflow files older than one year (daily --> see "cron.daily")
1843
@daily root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/live/alcasar_netflow -t 365d
1871
@daily root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/live/alcasar_netflow -t 365d
1844
EOF
1872
EOF
1845
# removing the users crons
1873
# removing the users crons
1846
	rm -f /var/spool/cron/*
1874
	rm -f /var/spool/cron/*
1847
} # End of cron()
1875
} # End of cron()
1848
 
1876
 
1849
########################################################################
1877
########################################################################
1850
##                        Fonction "Fail2Ban"                         ##
1878
##                        Fonction "Fail2Ban"                         ##
1851
##- Adapt conf file to ALCASAR                                        ##
1879
##- Adapt conf file to ALCASAR                                        ##
1852
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
1880
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
1853
########################################################################
1881
########################################################################
1854
fail2ban()
1882
fail2ban()
1855
{
1883
{
1856
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
1884
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
1857
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
1885
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
1858
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
1886
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
1859
 
1887
 
1860
# add 5 jails and their filters
1888
# add 5 jails and their filters
1861
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
1889
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
1862
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
1890
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
1863
[sshd]
1891
[sshd]
1864
enabled = true
1892
enabled = true
1865
#enabled  = false
1893
#enabled  = false
1866
maxretry = 3
1894
maxretry = 3
1867
bantime = 3m
1895
bantime = 3m
1868
findtime = 5m
1896
findtime = 5m
1869
EOF
1897
EOF
1870
 
1898
 
1871
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
1899
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
1872
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
1900
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
1873
[lighttpd-auth]
1901
[lighttpd-auth]
1874
enabled = true
1902
enabled = true
1875
#enabled  = false
1903
#enabled  = false
1876
maxretry = 3
1904
maxretry = 3
1877
bantime = 3m
1905
bantime = 3m
1878
findtime = 3m
1906
findtime = 3m
1879
EOF
1907
EOF
1880
 
1908
 
1881
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
1909
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
1882
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
1910
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
1883
[alcasar_mod-evasive]
1911
[alcasar_mod-evasive]
1884
#enabled = true
1912
#enabled = true
1885
enabled = false
1913
enabled = false
1886
backend = auto
1914
backend = auto
1887
filter = alcasar_mod-evasive
1915
filter = alcasar_mod-evasive
1888
action = iptables-allports[name=alcasar_mod-evasive]
1916
action = iptables-allports[name=alcasar_mod-evasive]
1889
logpath = /var/log/lighttpd/access.log
1917
logpath = /var/log/lighttpd/access.log
1890
maxretry = 3
1918
maxretry = 3
1891
bantime = 3m
1919
bantime = 3m
1892
findtime = 3m
1920
findtime = 3m
1893
EOF
1921
EOF
1894
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
1922
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
1895
[Definition]
1923
[Definition]
1896
failregex =  <HOST> .+\] "[^"]+" 403
1924
failregex =  <HOST> .+\] "[^"]+" 403
1897
ignoreregex =
1925
ignoreregex =
1898
EOF
1926
EOF
1899
 
1927
 
1900
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
1928
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
1901
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
1929
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
1902
[alcasar_intercept]
1930
[alcasar_intercept]
1903
enabled = true
1931
enabled = true
1904
#enabled = false
1932
#enabled = false
1905
backend = auto
1933
backend = auto
1906
filter = alcasar_intercept
1934
filter = alcasar_intercept
1907
action = iptables-allports[name=alcasar_intercept]
1935
action = iptables-allports[name=alcasar_intercept]
1908
logpath = /var/log/lighttpd/access.log
1936
logpath = /var/log/lighttpd/access.log
1909
maxretry = 5
1937
maxretry = 5
1910
bantime = 3m
1938
bantime = 3m
1911
findtime = 3m
1939
findtime = 3m
1912
EOF
1940
EOF
1913
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
1941
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
1914
[Definition]
1942
[Definition]
1915
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1943
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1916
ignoreregex =
1944
ignoreregex =
1917
EOF
1945
EOF
1918
 
1946
 
1919
## alcasar_change-pwd : ban after 5 failed user change password attempts
1947
## alcasar_change-pwd : ban after 5 failed user change password attempts
1920
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
1948
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
1921
[alcasar_change-pwd]
1949
[alcasar_change-pwd]
1922
enabled = true
1950
enabled = true
1923
#enabled = false
1951
#enabled = false
1924
backend = auto
1952
backend = auto
1925
filter = alcasar_change-pwd
1953
filter = alcasar_change-pwd
1926
action = iptables-allports[name=alcasar_change-pwd]
1954
action = iptables-allports[name=alcasar_change-pwd]
1927
logpath = /var/log/lighttpd/access.log
1955
logpath = /var/log/lighttpd/access.log
1928
maxretry = 5
1956
maxretry = 5
1929
bantime = 3m
1957
bantime = 3m
1930
findtime = 3m
1958
findtime = 3m
1931
EOF
1959
EOF
1932
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
1960
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
1933
[Definition]
1961
[Definition]
1934
failregex = <HOST> .* \"POST \/password\.php
1962
failregex = <HOST> .* \"POST \/password\.php
1935
ignoreregex =
1963
ignoreregex =
1936
EOF
1964
EOF
1937
 
1965
 
1938
# allow reading of 2 log files (fail2ban & watchdog).
1966
# allow reading of 2 log files (fail2ban & watchdog).
1939
	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1967
	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1940
	[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
1968
	[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
1941
	chmod 644 /var/log/fail2ban.log
1969
	chmod 644 /var/log/fail2ban.log
1942
	chmod 644 $DIR_SAVE/security/watchdog.log
1970
	chmod 644 $DIR_SAVE/security/watchdog.log
1943
	/usr/bin/touch /var/log/auth.log
1971
	/usr/bin/touch /var/log/auth.log
1944
# fail2ban unit
1972
# fail2ban unit
1945
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
1973
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
1946
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
1974
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
1947
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
1975
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
1948
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
1976
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
1949
} # End of fail2ban()
1977
} # End of fail2ban()
1950
 
1978
 
1951
#########################################################
1979
#########################################################
1952
##                   Fonction "gammu_smsd"             ##
1980
##                   Fonction "gammu_smsd"             ##
1953
## - Creating of SMS management database               ##
1981
## - Creating of SMS management database               ##
1954
## - Write the gammu a gammu_smsd conf files           ##
1982
## - Write the gammu a gammu_smsd conf files           ##
1955
#########################################################
1983
#########################################################
1956
gammu_smsd()
1984
gammu_smsd()
1957
{
1985
{
1958
# Create 'gammu' system user
1986
# Create 'gammu' system user
1959
	groupadd -f gammu_smsd
1987
	groupadd -f gammu_smsd
1960
	useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1988
	useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1961
	usermod -a -G dialout gammu_smsd
1989
	usermod -a -G dialout gammu_smsd
1962
 
1990
 
1963
# Create 'gammu' database
1991
# Create 'gammu' database
1964
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1992
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1965
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1993
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1966
# Add a gammu database structure
1994
# Add a gammu database structure
1967
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1995
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1968
 
1996
 
1969
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1997
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1970
	cat << EOF > /etc/gammurc
1998
	cat << EOF > /etc/gammurc
1971
[gammu]
1999
[gammu]
1972
device = /dev/ttyUSB0
2000
device = /dev/ttyUSB0
1973
connection = at115200
2001
connection = at115200
1974
EOF
2002
EOF
1975
 
2003
 
1976
	cat << EOF > /etc/gammu_smsd_conf
2004
	cat << EOF > /etc/gammu_smsd_conf
1977
[gammu]
2005
[gammu]
1978
port = /dev/ttyUSB0
2006
port = /dev/ttyUSB0
1979
connection = at115200
2007
connection = at115200
1980
 
2008
 
1981
[smsd]
2009
[smsd]
1982
PIN = 1234
2010
PIN = 1234
1983
logfile = /var/log/gammu-smsd/gammu-smsd.log
2011
logfile = /var/log/gammu-smsd/gammu-smsd.log
1984
logformat = textall
2012
logformat = textall
1985
debuglevel = 0
2013
debuglevel = 0
1986
 
2014
 
1987
service = sql
2015
service = sql
1988
driver = native_mysql
2016
driver = native_mysql
1989
user = $DB_USER
2017
user = $DB_USER
1990
password = $radiuspwd
2018
password = $radiuspwd
1991
pc = localhost
2019
pc = localhost
1992
database = $DB_GAMMU
2020
database = $DB_GAMMU
1993
 
2021
 
1994
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
2022
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1995
 
2023
 
1996
StatusFrequency = 30
2024
StatusFrequency = 30
1997
;LoopSleep = 2
2025
;LoopSleep = 2
1998
 
2026
 
1999
;ResetFrequency = 300
2027
;ResetFrequency = 300
2000
;HardResetFrequency = 120
2028
;HardResetFrequency = 120
2001
 
2029
 
2002
CheckSecurity = 1
2030
CheckSecurity = 1
2003
CheckSignal = 1
2031
CheckSignal = 1
2004
CheckBattery = 0
2032
CheckBattery = 0
2005
EOF
2033
EOF
2006
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
2034
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
2007
 
2035
 
2008
# Create the systemd unit
2036
# Create the systemd unit
2009
	cat << EOF > /etc/systemd/system/gammu-smsd.service
2037
	cat << EOF > /etc/systemd/system/gammu-smsd.service
2010
[Unit]
2038
[Unit]
2011
Description=SMS daemon for Gammu
2039
Description=SMS daemon for Gammu
2012
Documentation=man:gammu-smsd(1)
2040
Documentation=man:gammu-smsd(1)
2013
After=network.target mysql.service
2041
After=network.target mysql.service
2014
 
2042
 
2015
[Service]
2043
[Service]
2016
Type=forking
2044
Type=forking
2017
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon
2045
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon
2018
ExecReload=/bin/kill -HUP $MAINPID
2046
ExecReload=/bin/kill -HUP $MAINPID
2019
ExecStopPost=/bin/rm -f /run/gammu-smsd.pid
2047
ExecStopPost=/bin/rm -f /run/gammu-smsd.pid
2020
PIDFile=/run/gammu-smsd.pid
2048
PIDFile=/run/gammu-smsd.pid
2021
 
2049
 
2022
[Install]
2050
[Install]
2023
WantedBy=multi-user.target
2051
WantedBy=multi-user.target
2024
EOF
2052
EOF
2025
 
2053
 
2026
# Log folder for gammu-smsd
2054
# Log folder for gammu-smsd
2027
	[ -d /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2055
	[ -d /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2028
	chmod 755 /var/log/gammu-smsd
2056
	chmod 755 /var/log/gammu-smsd
2029
 
2057
 
2030
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2058
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2031
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2059
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2032
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2060
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2033
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2061
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2034
#EOF
2062
#EOF
2035
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2063
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2036
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2064
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2037
 
2065
 
2038
} # End of gammu_smsd()
2066
} # End of gammu_smsd()
2039
 
2067
 
2040
############################################################
2068
############################################################
2041
##                 Fonction "msec"                        ##
2069
##                 Fonction "msec"                        ##
2042
## - Apply the "fileserver" security level                ##
2070
## - Apply the "fileserver" security level                ##
2043
## - remove the "system request" for rebooting            ##
2071
## - remove the "system request" for rebooting            ##
2044
## - Fix several file permissions                         ##
2072
## - Fix several file permissions                         ##
2045
############################################################
2073
############################################################
2046
msec()
2074
msec()
2047
{
2075
{
2048
 
2076
 
2049
# Apply fileserver security level
2077
# Apply fileserver security level
2050
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2078
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2051
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2079
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2052
 
2080
 
2053
# Set permissions monitoring and enforcement
2081
# Set permissions monitoring and enforcement
2054
cat <<EOF > /etc/security/msec/perm.local
2082
cat <<EOF > /etc/security/msec/perm.local
2055
/var/log/firewall/                      root.apache     750
2083
/var/log/firewall/                      root.apache     750
2056
/var/log/firewall/*                     root.apache     640
2084
/var/log/firewall/*                     root.apache     640
2057
/etc/security/msec/perm.local           root.root       640
2085
/etc/security/msec/perm.local           root.root       640
2058
/etc/security/msec/level.local          root.root       640
2086
/etc/security/msec/level.local          root.root       640
2059
/etc/freeradius-web                     root.apache     750
2087
/etc/freeradius-web                     root.apache     750
2060
/etc/freeradius-web/admin.conf          root.apache     640
2088
/etc/freeradius-web/admin.conf          root.apache     640
2061
/etc/raddb/client.conf                  radius.radius   640
2089
/etc/raddb/client.conf                  radius.radius   640
2062
/etc/raddb/radius.conf                  radius.radius   640
2090
/etc/raddb/radius.conf                  radius.radius   640
2063
/etc/raddb/mods-available/ldap          radius.apache   660
2091
/etc/raddb/mods-available/ldap          radius.apache   660
2064
/etc/raddb/sites-available/alcasar      radius.apache   660
2092
/etc/raddb/sites-available/alcasar      radius.apache   660
2065
/etc/pki/CA/                            root.apache     750 force
2093
/etc/pki/CA/                            root.apache     750 force
2066
/etc/pki/CA/*                           root.apache     640 force 
2094
/etc/pki/CA/*                           root.apache     640 force 
2067
/etc/pki/CA/private/                    root.root       700 force
2095
/etc/pki/CA/private/                    root.root       700 force
2068
/etc/pki/CA/private/*                   root.root       600 force
2096
/etc/pki/CA/private/*                   root.root       600 force
2069
/etc/pki/tls/private/                   root.apache     750 force
2097
/etc/pki/tls/private/                   root.apache     750 force
2070
/etc/pki/tls/private/*                  root.apache     640 force
2098
/etc/pki/tls/private/*                  root.apache     640 force
2071
/var/log/clamav/                        e2guardian.e2guardian   755 force
2099
/var/log/clamav/                        e2guardian.e2guardian   755 force
2072
/var/log/clamav/*                       e2guardian.e2guardian   764 force
2100
/var/log/clamav/*                       e2guardian.e2guardian   764 force
2073
/var/lib/clamav/                        e2guardian.e2guardian   755 force
2101
/var/lib/clamav/                        e2guardian.e2guardian   755 force
2074
EOF
2102
EOF
2075
# apply now hourly & daily checks
2103
# apply now hourly & daily checks
2076
/usr/sbin/msec
2104
/usr/sbin/msec
2077
/etc/cron.weekly/msec
2105
/etc/cron.weekly/msec
2078
 
2106
 
2079
} # End of msec()
2107
} # End of msec()
2080
 
2108
 
2081
##################################################################
2109
##################################################################
2082
##                   Fonction "letsencrypt"                     ##
2110
##                   Fonction "letsencrypt"                     ##
2083
## - Install Let's Encrypt client                               ##
2111
## - Install Let's Encrypt client                               ##
2084
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2112
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2085
##################################################################
2113
##################################################################
2086
letsencrypt()
2114
letsencrypt()
2087
{
2115
{
2088
	echo "Installing Let's Encrypt client..."
2116
	echo "Installing Let's Encrypt client..."
2089
	# Remove potential old installers
2117
	# Remove potential old installers
2090
	rm -rf /tmp/acme.sh-*
2118
	rm -rf /tmp/acme.sh-*
2091
	# Extract acme.sh
2119
	# Extract acme.sh
2092
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2120
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2093
	pwdInstall=$(pwd)
2121
	pwdInstall=$(pwd)
2094
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2122
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2095
	acmesh_installDir="/opt/acme.sh"
2123
	acmesh_installDir="/opt/acme.sh"
2096
	acmesh_confDir="/usr/local/etc/letsencrypt"
2124
	acmesh_confDir="/usr/local/etc/letsencrypt"
2097
	acmesh_userAgent="ALCASAR"
2125
	acmesh_userAgent="ALCASAR"
2098
	# Install acme.sh
2126
	# Install acme.sh
2099
	./acme.sh --install \
2127
	./acme.sh --install \
2100
		--home $acmesh_installDir \
2128
		--home $acmesh_installDir \
2101
		--config-home $acmesh_confDir/data \
2129
		--config-home $acmesh_confDir/data \
2102
		--certhome $acmesh_confDir/certs \
2130
		--certhome $acmesh_confDir/certs \
2103
		--accountkey $acmesh_confDir/ca/account.key \
2131
		--accountkey $acmesh_confDir/ca/account.key \
2104
		--accountconf $acmesh_confDir/data/account.conf \
2132
		--accountconf $acmesh_confDir/data/account.conf \
2105
		--useragent $acmesh_userAgent \
2133
		--useragent $acmesh_userAgent \
2106
		--nocron \
2134
		--nocron \
2107
		> /dev/null
2135
		> /dev/null
2108
	if [ $? -ne 0 ]; then
2136
	if [ $? -ne 0 ]; then
2109
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2137
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2110
	fi
2138
	fi
2111
	# Create configuration file
2139
	# Create configuration file
2112
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2140
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2113
email=
2141
email=
2114
dateIssueRequest=
2142
dateIssueRequest=
2115
domainRequest=
2143
domainRequest=
2116
challenge=
2144
challenge=
2117
dateIssued=
2145
dateIssued=
2118
dnsapi=
2146
dnsapi=
2119
dateNextRenewal=
2147
dateNextRenewal=
2120
EOF
2148
EOF
2121
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2149
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2122
	rm -rf /tmp/acme.sh-*
2150
	rm -rf /tmp/acme.sh-*
2123
} # End of letsencrypt()
2151
} # End of letsencrypt()
2124
 
2152
 
2125
##################################################################
2153
##################################################################
2126
##                    Fonction "post_install"                   ##
2154
##                    Fonction "post_install"                   ##
2127
## - Modifying banners (locals et ssh) & prompts                ##
2155
## - Modifying banners (locals et ssh) & prompts                ##
2128
## - SSH config                                                 ##
2156
## - SSH config                                                 ##
2129
## - sudoers config & files security                            ##
2157
## - sudoers config & files security                            ##
2130
## - log rotate & ANSSI security parameters                     ##
2158
## - log rotate & ANSSI security parameters                     ##
2131
## - Apply former conf in case of an update                     ##
2159
## - Apply former conf in case of an update                     ##
2132
##################################################################
2160
##################################################################
2133
post_install()
2161
post_install()
2134
{
2162
{
2135
# change the SSHD options
2163
# change the SSHD options
2136
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2164
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2137
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2165
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2138
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2166
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2139
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2167
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2140
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2168
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2141
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2169
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2142
# sshd listens on EXTIF & INTIF
2170
# sshd listens on EXTIF & INTIF
2143
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2171
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2144
# sshd authorized certificate for root login
2172
# sshd authorized certificate for root login
2145
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2173
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2146
	$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
2174
	$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
2147
 
2175
 
2148
# postfix banner anonymisation
2176
# postfix banner anonymisation
2149
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2177
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2150
	chown -R postfix:postfix /var/lib/postfix
2178
	chown -R postfix:postfix /var/lib/postfix
2151
# ALCASAR conf file
2179
# ALCASAR conf file
2152
	echo "HTTPS_LOGIN=off" >> $CONF_FILE
2180
	echo "HTTPS_LOGIN=off" >> $CONF_FILE
2153
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2181
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2154
	echo "SSH=on" >> $CONF_FILE
2182
	echo "SSH=on" >> $CONF_FILE
2155
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2183
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2156
	echo "LDAP=off" >> $CONF_FILE
2184
	echo "LDAP=off" >> $CONF_FILE
2157
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2185
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2158
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2186
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2159
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2187
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2160
	echo "LDAP_FILTER=" >> $CONF_FILE
2188
	echo "LDAP_FILTER=" >> $CONF_FILE
2161
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2189
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2162
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2190
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2163
	echo "LDAP_SSL=on" >> $CONF_FILE
2191
	echo "LDAP_SSL=on" >> $CONF_FILE
2164
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2192
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2165
	echo "SMS=off" >> $CONF_FILE
2193
	echo "SMS=off" >> $CONF_FILE
2166
	echo "SMS_NUM=" >> $CONF_FILE
2194
	echo "SMS_NUM=" >> $CONF_FILE
-
 
2195
	echo "## MULTIWAN : WANx=@IPx,Weightx" >> $CONF_FILE
2167
	echo "MULTIWAN=off" >> $CONF_FILE
2196
	echo "MULTIWAN=off" >> $CONF_FILE
2168
	echo "FAILOVER=30" >> $CONF_FILE
-
 
2169
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
-
 
2170
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2197
	echo "#WAN1=\"192.168.0.250,1\"" >> $CONF_FILE
2171
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2198
	echo "#WAN2=\"192.168.0.251,1\"" >> $CONF_FILE
2172
	echo "BL_PUREIP=on" >> $CONF_FILE
2199
	echo "BL_PUREIP=on" >> $CONF_FILE
2173
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2200
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2174
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2201
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2175
	echo "IOT_CAPTURE=off" >> $CONF_FILE
2202
	echo "IOT_CAPTURE=off" >> $CONF_FILE
2176
	echo "WIFI4EU=off" >> $CONF_FILE
2203
	echo "WIFI4EU=off" >> $CONF_FILE
2177
	echo "WIFI4EU_CODE=123e4567-e89b-12d3-a456-426655440000" >> $CONF_FILE
2204
	echo "WIFI4EU_CODE=123e4567-e89b-12d3-a456-426655440000" >> $CONF_FILE
2178
# Prompt customisation (colors)
2205
# Prompt customisation (colors)
2179
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2206
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2180
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2207
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2181
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2208
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2182
	$SED "s?^alias ll=.*?alias ll=\"ls -al --color\"?g" /etc/profile.d/60alias.sh
2209
	$SED "s?^alias ll=.*?alias ll=\"ls -al --color\"?g" /etc/profile.d/60alias.sh
2183
# sudoers configuration for "apache" & "sysadmin"
2210
# sudoers configuration for "apache" & "sysadmin"
2184
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2211
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2185
	cp -f $DIR_CONF/sudoers /etc/ ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2212
	cp -f $DIR_CONF/sudoers /etc/ ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2186
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2213
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2187
# Modify some logrotate files (gammu, ulogd)
2214
# Modify some logrotate files (gammu, ulogd)
2188
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2215
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2189
	chmod 644 /etc/logrotate.d/*
2216
	chmod 644 /etc/logrotate.d/*
2190
# Log compression
2217
# Log compression
2191
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2218
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2192
# actualisation des fichiers logs compressés
2219
# actualisation des fichiers logs compressés
2193
	for dir in firewall e2guardian lighttpd
2220
	for dir in firewall e2guardian lighttpd
2194
	do
2221
	do
2195
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2222
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2196
	done
2223
	done
2197
# create the alcasar-load_balancing unit
-
 
2198
	cat << EOF > /etc/systemd/system/alcasar-load_balancing.service
-
 
2199
#  This file is part of systemd.
-
 
2200
#
-
 
2201
#  systemd is free software; you can redistribute it and/or modify it
-
 
2202
#  under the terms of the GNU General Public License as published by
-
 
2203
#  the Free Software Foundation; either version 2 of the License, or
-
 
2204
#  (at your option) any later version.
-
 
2205
 
-
 
2206
# This unit lauches alcasar-load-balancing.sh script.
-
 
2207
[Unit]
-
 
2208
Description=alcasar-load_balancing.sh execution
-
 
2209
After=network.target iptables.service
-
 
2210
 
-
 
2211
[Service]
-
 
2212
Type=oneshot
-
 
2213
RemainAfterExit=yes
-
 
2214
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
-
 
2215
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
-
 
2216
TimeoutSec=0
-
 
2217
 
-
 
2218
[Install]
-
 
2219
WantedBy=multi-user.target
-
 
2220
EOF
-
 
2221
	/usr/bin/systemctl daemon-reload
2224
	/usr/bin/systemctl daemon-reload
2222
# processes launched at boot time (Systemctl)
2225
# processes started at boot time (Systemctl)
2223
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2226
	for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2224
	do
2227
	do
2225
		/usr/bin/systemctl -q enable $i.service
2228
		/usr/bin/systemctl -q enable $i.service
2226
	done
2229
	done
2227
 
2230
 
2228
# disable processes at boot time (Systemctl)
2231
# disable processes at boot time (Systemctl)
2229
	for i in ulogd gpm dhcpd
2232
	for i in ulogd gpm dhcpd
2230
	do
2233
	do
2231
		/usr/bin/systemctl -q disable $i.service
2234
		/usr/bin/systemctl -q disable $i.service
2232
	done
2235
	done
2233
 
2236
 
2234
# Apply some security rules (some are from French cybersecurity Agency - ANSSI)
2237
# Apply some security rules (some are from French cybersecurity Agency - ANSSI)
2235
# ignore ICMP broadcast (smurf attack)
2238
# ignore ICMP broadcast (smurf attack)
2236
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2239
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2237
# ignore ICMP errors bogus
2240
# ignore ICMP errors bogus
2238
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2241
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2239
# remove ICMP redirects responces
2242
# remove ICMP redirects responces
2240
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2243
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2241
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2244
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2242
# enable SYN Cookies (Syn flood attacks)
2245
# enable SYN Cookies (Syn flood attacks)
2243
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2246
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2244
# enable kernel antispoofing
2247
# enable kernel antispoofing
2245
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2248
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2246
# ignore source routing
2249
# ignore source routing
2247
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2250
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2248
# set conntrack timer to 1h (3600s) instead of 5 weeks
2251
# set conntrack timer to 1h (3600s) instead of 5 weeks
2249
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2252
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2250
# disable log_martians (ALCASAR is often installed between two private network addresses)
2253
# disable log_martians (ALCASAR is often installed between two private network addresses)
2251
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2254
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2252
# disable iptables_helpers
2255
# disable iptables_helpers
2253
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2256
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2254
# Switch to the router mode
2257
# Switch to the router mode
2255
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2258
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2256
# Remove unused service ipv6
2259
# Remove unused service ipv6
2257
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2260
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2258
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2261
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2259
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2262
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2260
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2263
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2261
# switch to multi-users runlevel (instead of x11)
2264
# switch to multi-users runlevel (instead of x11)
2262
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2265
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2263
# disable Core dump file
2266
# disable Core dump file
2264
	[ -e /etc/security/limits.conf.default ]  || cp /etc/security/limits.conf /etc/security/limits.conf.default
2267
	[ -e /etc/security/limits.conf.default ]  || cp /etc/security/limits.conf /etc/security/limits.conf.default
2265
	$SED "/^# End of file.*/i*\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf
2268
	$SED "/^# End of file.*/i*\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf
2266
 
2269
 
2267
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2270
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2268
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2271
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2269
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2272
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2270
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2273
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2271
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2274
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2272
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2275
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2273
	if [ $vm_vga == 0 ] # is not a VM
2276
	if [ $vm_vga == 0 ] # is not a VM
2274
	then
2277
	then
2275
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2278
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2276
		echo >> /etc/mageia-release
2279
		echo >> /etc/mageia-release
2277
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2280
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2278
	fi
2281
	fi
2279
	if [ $Lang == "fr" ]
2282
	if [ $Lang == "fr" ]
2280
	then
2283
	then
2281
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2284
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2282
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2285
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2283
	else
2286
	else
2284
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2287
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2285
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2288
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2286
	fi
2289
	fi
2287
	/usr/bin/update-grub2
2290
	/usr/bin/update-grub2
2288
# Load and apply the previous conf file
2291
# Load and apply the previous conf file
2289
	if [ "$mode" = "update" ]
2292
	if [ "$mode" = "update" ]
2290
	then
2293
	then
2291
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in $DIR_SAVE/archive
2294
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in $DIR_SAVE/archive
2292
		$DIR_DEST_BIN/alcasar-conf.sh --load
2295
		$DIR_DEST_BIN/alcasar-conf.sh --load
2293
		PARENT_SCRIPT=`basename $0`
2296
		PARENT_SCRIPT=`basename $0`
2294
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2297
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2295
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2298
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2296
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2299
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2297
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2300
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2298
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2301
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2299
	fi
2302
	fi
2300
	rm -f /var/tmp/alcasar-conf*
2303
	rm -f /var/tmp/alcasar-conf*
2301
	chown -R root:apache $DIR_DEST_ETC/*
2304
	chown -R root:apache $DIR_DEST_ETC/*
2302
	chmod -R 660 $DIR_DEST_ETC/*
2305
	chmod -R 660 $DIR_DEST_ETC/*
2303
	chmod ug+x $DIR_DEST_ETC/digest
2306
	chmod ug+x $DIR_DEST_ETC/digest
2304
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2307
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2305
	echo ""
2308
	echo ""
2306
	echo "#############################################################################"
2309
	echo "#############################################################################"
2307
	if [ $Lang == "fr" ]
2310
	if [ $Lang == "fr" ]
2308
		then
2311
		then
2309
		echo "#                        Fin d'installation d'ALCASAR                       #"
2312
		echo "#                        Fin d'installation d'ALCASAR                       #"
2310
		echo "#                                                                           #"
2313
		echo "#                                                                           #"
2311
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2314
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2312
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2315
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2313
		echo "#                                                                           #"
2316
		echo "#                                                                           #"
2314
		echo "#############################################################################"
2317
		echo "#############################################################################"
2315
		echo
2318
		echo
2316
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2319
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2317
		echo
2320
		echo
2318
		echo "- Lisez attentivement la documentation d'exploitation"
2321
		echo "- Lisez attentivement la documentation d'exploitation"
2319
		echo
2322
		echo
2320
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2323
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2321
		echo
2324
		echo
2322
		echo "                   Appuyez sur 'Entrée' pour continuer"
2325
		echo "                   Appuyez sur 'Entrée' pour continuer"
2323
	else
2326
	else
2324
		echo "#                        End of ALCASAR install process                     #"
2327
		echo "#                        End of ALCASAR install process                     #"
2325
		echo "#                                                                           #"
2328
		echo "#                                                                           #"
2326
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2329
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2327
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2330
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2328
		echo "#                                                                           #"
2331
		echo "#                                                                           #"
2329
		echo "#############################################################################"
2332
		echo "#############################################################################"
2330
		echo
2333
		echo
2331
		echo "- The system will be rebooted in order to operate ALCASAR"
2334
		echo "- The system will be rebooted in order to operate ALCASAR"
2332
		echo
2335
		echo
2333
		echo "- Read the exploitation documentation"
2336
		echo "- Read the exploitation documentation"
2334
		echo
2337
		echo
2335
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2338
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2336
		echo
2339
		echo
2337
		echo "                   Hit 'Enter' to continue"
2340
		echo "                   Hit 'Enter' to continue"
2338
	fi
2341
	fi
2339
	sleep 2
2342
	sleep 2
2340
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2343
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2341
	then
2344
	then
2342
		read
2345
		read
2343
	fi
2346
	fi
2344
	clear
2347
	clear
2345
	reboot
2348
	reboot
2346
} # End of post_install()
2349
} # End of post_install()
2347
 
2350
 
2348
#####################################################################################
2351
#####################################################################################
2349
#                                   Main Install loop                               #
2352
#                                   Main Install loop                               #
2350
#####################################################################################
2353
#####################################################################################
2351
dir_exec=`dirname "$0"`
2354
dir_exec=`dirname "$0"`
2352
if [ $dir_exec != "." ]
2355
if [ $dir_exec != "." ]
2353
then
2356
then
2354
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2357
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2355
	echo "Launch this program from the ALCASAR archive directory"
2358
	echo "Launch this program from the ALCASAR archive directory"
2356
	exit 0
2359
	exit 0
2357
fi
2360
fi
2358
if [ $EUID -gt 0 ]
2361
if [ $EUID -gt 0 ]
2359
then
2362
then
2360
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2363
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2361
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2364
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2362
	exit 0
2365
	exit 0
2363
fi
2366
fi
2364
VERSION=`cat $DIR_INSTALL/VERSION`
2367
VERSION=`cat $DIR_INSTALL/VERSION`
2365
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2368
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2366
nb_args=$#
2369
nb_args=$#
2367
args=$1
2370
args=$1
2368
if [ $nb_args -eq 0 ]
2371
if [ $nb_args -eq 0 ]
2369
then
2372
then
2370
	nb_args=1
2373
	nb_args=1
2371
	args="-h"
2374
	args="-h"
2372
fi
2375
fi
2373
chmod -R u+x $DIR_SCRIPTS/*
2376
chmod -R u+x $DIR_SCRIPTS/*
2374
case $args in
2377
case $args in
2375
	-\? | -h* | --h*)
2378
	-\? | -h* | --h*)
2376
		echo "$usage"
2379
		echo "$usage"
2377
		exit 0
2380
		exit 0
2378
		;;
2381
		;;
2379
	-i | --install)
2382
	-i | --install)
2380
		for func in license testing_system testing_network
2383
		for func in license testing_system testing_network
2381
		do
2384
		do
2382
			header_install
2385
			header_install
2383
			$func
2386
			$func
2384
			if [ $DEBUG_ALCASAR == "on" ]
2387
			if [ $DEBUG_ALCASAR == "on" ]
2385
			then
2388
			then
2386
				echo "*** 'debug' : end of function '$func' ***"
2389
				echo "*** 'debug' : end of function '$func' ***"
2387
				read
2390
				read
2388
			fi
2391
			fi
2389
		done
2392
		done
2390
# RPMs install
2393
# RPMs install
2391
			if [ "$mode" == "update" ] # to avoid updating unbound during the V5.3.3 update (to be removed after this version)
-
 
2392
			then
-
 
2393
				echo "/^unbound/" >> /etc/urpmi/skip.list
-
 
2394
			fi
-
 
2395
		$DIR_SCRIPTS/alcasar-rpm.sh
2394
		$DIR_SCRIPTS/alcasar-rpm.sh
2396
		if [ "$?" != "0" ]
2395
		if [ "$?" != "0" ]
2397
		then
2396
		then
2398
			exit 0
2397
			exit 0
2399
		fi
2398
		fi
2400
		if [ -e $CONF_FILE ]
2399
		if [ -e $CONF_FILE ]
2401
		then
2400
		then
2402
# Uninstall or update the running version
2401
# Uninstall or update the running version
2403
			if [ "$mode" == "update" ]
2402
			if [ "$mode" == "update" ]
2404
			then
2403
			then
2405
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2404
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2406
			else
2405
			else
2407
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2406
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2408
			fi
2407
			fi
2409
		fi
2408
		fi
2410
		if [ $DEBUG_ALCASAR == "on" ]
2409
		if [ $DEBUG_ALCASAR == "on" ]
2411
		then
2410
		then
2412
			echo "*** 'debug' : end of cleaning ***"
2411
			echo "*** 'debug' : end of cleaning ***"
2413
			read
2412
			read
2414
		fi
2413
		fi
2415
# Test if conf file
2414
# Test if conf file
2416
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2415
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2417
		then
2416
		then
2418
# Extract some info from the previous configuration file
2417
# Extract some info from the previous configuration file
2419
			cd /var/tmp
2418
			cd /var/tmp
2420
			tar -xf /var/tmp/alcasar-conf.tar.gz conf/etc/alcasar.conf
2419
			tar -xf /var/tmp/alcasar-conf.tar.gz conf/etc/alcasar.conf
2421
			if [ "$mode" == "install" ] # don't display this if updating a running version
2420
			if [ "$mode" == "install" ] # don't display this if updating a running version
2422
			then
2421
			then
2423
				header_install
2422
				header_install
2424
				ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2423
				ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2425
				PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2424
				PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2426
				MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2425
				MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2427
				MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2426
				MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2428
				UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2427
				UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2429
				if [ $Lang == "fr" ]
2428
				if [ $Lang == "fr" ]
2430
					then echo "Le fichier de configuration d'une version $MAJ_PREVIOUS_VERSION.$MIN_PREVIOUS_VERSION.$UPD_PREVIOUS_VERSION a été trouvé";
2429
					then echo "Le fichier de configuration d'une version $MAJ_PREVIOUS_VERSION.$MIN_PREVIOUS_VERSION.$UPD_PREVIOUS_VERSION a été trouvé";
2431
					else echo "The configuration file of an old version has been found";
2430
					else echo "The configuration file of a version $MAJ_PREVIOUS_VERSION.$MIN_PREVIOUS_VERSION.$UPD_PREVIOUS_VERSION has been found";
2432
				fi
2431
				fi
2433
				response=0
2432
				response=0
2434
				PTN='^[oOnNyY]?$'
2433
				PTN='^[oOnNyY]?$'
2435
				until [[ "$response" =~ $PTN ]]
2434
				until [[ "$response" =~ $PTN ]]
2436
				do
2435
				do
2437
					if [ $Lang == "fr" ]
2436
					if [ $Lang == "fr" ]
2438
						then echo -n "Voulez-vous l'utiliser (O/n)? ";
2437
						then echo -n "Voulez-vous l'utiliser (O/n)? ";
2439
						else echo -n "Do you want to use it (Y/n)?";
2438
						else echo -n "Do you want to use it (Y/n)?";
2440
					fi
2439
					fi
2441
					read response
2440
					read response
2442
					if [ "$response" = "n" ] || [ "$response" = "N" ]
2441
					if [ "$response" = "n" ] || [ "$response" = "N" ]
2443
					then
2442
					then
2444
						rm -f /var/tmp/alcasar-conf*
2443
						rm -f /var/tmp/alcasar-conf*
2445
						rm -rf /var/tmp/conf
2444
						rm -rf /var/tmp/conf
2446
					fi
2445
					fi
2447
				done
2446
				done
2448
			fi
2447
			fi
2449
			cd $DIR_INSTALL
2448
			cd $DIR_INSTALL
2450
		fi
2449
		fi
2451
# Test if update
2450
# Test if update
2452
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2451
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2453
		then
2452
		then
2454
			if [ $Lang == "fr" ]
2453
			if [ $Lang == "fr" ]
2455
				then echo "#### Installation avec mise à jour ####";
2454
				then echo "#### Installation avec mise à jour ####";
2456
				else echo "#### Installation with update     ####";
2455
				else echo "#### Installation with update     ####";
2457
			fi
2456
			fi
2458
			mode="update"
2457
			mode="update"
2459
		fi
2458
		fi
2460
		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2459
		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2461
		do
2460
		do
2462
			$func
2461
			$func
2463
			if [ $DEBUG_ALCASAR == "on" ]
2462
			if [ $DEBUG_ALCASAR == "on" ]
2464
			then
2463
			then
2465
				echo "*** 'debug' : end of function '$func' ***"
2464
				echo "*** 'debug' : end of function '$func' ***"
2466
				read
2465
				read
2467
			fi
2466
			fi
2468
		done
2467
		done
2469
		;;
2468
		;;
2470
	-u | --uninstall)
2469
	-u | --uninstall)
2471
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2470
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2472
		then
2471
		then
2473
			if [ $Lang == "fr" ]
2472
			if [ $Lang == "fr" ]
2474
				then echo "ALCASAR n'est pas installé!";
2473
				then echo "ALCASAR n'est pas installé!";
2475
				else echo "ALCASAR isn't installed!";
2474
				else echo "ALCASAR isn't installed!";
2476
			fi
2475
			fi
2477
			exit 0
2476
			exit 0
2478
		fi
2477
		fi
2479
		response=0
2478
		response=0
2480
		PTN='^[oOyYnN]?$'
2479
		PTN='^[oOyYnN]?$'
2481
		until [[ "$response" =~ $PTN ]]
2480
		until [[ "$response" =~ $PTN ]]
2482
		do
2481
		do
2483
			if [ $Lang == "fr" ]
2482
			if [ $Lang == "fr" ]
2484
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (O/n)? ";
2483
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (O/n)? ";
2485
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2484
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2486
			fi
2485
			fi
2487
			read response
2486
			read response
2488
		done
2487
		done
2489
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2488
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2490
		then
2489
		then
2491
			$DIR_SCRIPTS/alcasar-conf.sh --create
2490
			$DIR_SCRIPTS/alcasar-conf.sh --create
2492
		else
2491
		else
2493
			rm -f /var/tmp/alcasar-conf*
2492
			rm -f /var/tmp/alcasar-conf*
2494
		fi
2493
		fi
2495
# Uninstall the running version
2494
# Uninstall the running version
2496
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2495
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2497
		;;
2496
		;;
2498
	*)
2497
	*)
2499
		echo "Argument inconnu :$1";
2498
		echo "Argument inconnu :$1";
2500
		echo "Unknown argument :$1";
2499
		echo "Unknown argument :$1";
2501
		echo "$usage"
2500
		echo "$usage"
2502
		exit 1
2501
		exit 1
2503
		;;
2502
		;;
2504
esac
2503
esac
2505
# end of script
2504
# end of script
2506
 
2505
 
2507
 
2506
 
2508

2507

2509
 
2508
 
2510
 
2509
 
2511
 
2510