
Rev 3097 Rev 3099
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 3097 2022-12-12 18:35:11Z rexy $
2
#  $Id: alcasar.sh 3099 2022-12-28 11:30:30Z rexy $
3
 
3
 
4
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
4
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
5
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
6
# contact : info@alcasar.net
6
# contact : info@alcasar.net
7
 
7
 
8
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
8
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
9
# This script is distributed under the Gnu General Public License (GPLV3)
9
# This script is distributed under the Gnu General Public License (GPLV3)
10
 
10
 
Line 25... Line 25...
25
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
25
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
26
#	antivirus		: Clamav & freshclam configuration
26
#	antivirus		: Clamav & freshclam configuration
27
#	ulogd			: Log system in userland (match NFLOG target of iptables)
27
#	ulogd			: Log system in userland (match NFLOG target of iptables)
28
#	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
28
#	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
29
#	unbound			: Name server configuration
29
#	unbound			: Name server configuration
30
#	dnsmasq			: Name server configuration (for whitelist ipset support)
-
 
31
#	vnstat			: Little network stat daemon
30
#	vnstat			: Little network stat daemon
32
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
31
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
33
#	cron			: Logs export + watchdog + connexion statistics
32
#	cron			: Logs export + watchdog + connexion statistics
34
#	fail2ban		: Fail2ban IDS installation and configuration
33
#	fail2ban		: Fail2ban IDS installation and configuration
35
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
34
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
Line 1495... Line 1494...
1495
	$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
1494
	$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
1496
	cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
1495
	cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
1497
	$SED "s?^ReadWritePaths=.*?ReadWritePaths=/var/log?g" /etc/systemd/system/vnstat.service
1496
	$SED "s?^ReadWritePaths=.*?ReadWritePaths=/var/log?g" /etc/systemd/system/vnstat.service
1498
} # End of vnstat()
1497
} # End of vnstat()
1499
 
1498
 
1500
###################################################################
-
 
1501
##                           "dnsmasq"                           ##
-
 
1502
## - creation of the conf files of dnsmasq (whitelist for ipset )##
-
 
1503
###################################################################
-
 
1504
dnsmasq()
-
 
1505
{
-
 
1506
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
-
 
1507
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
-
 
1508
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
-
 
1509
	cat << EOF > /etc/dnsmasq-whitelist.conf
-
 
1510
# Configuration file for "dnsmasq with whitelist"
-
 
1511
# ADD Toulouse university whitelist domains
-
 
1512
pid-file=/run/dnsmasq-whitelist.pid
-
 
1513
listen-address=127.0.0.1
-
 
1514
port=55
-
 
1515
no-dhcp-interface=lo
-
 
1516
bind-interfaces
-
 
1517
cache-size=1024
-
 
1518
domain-needed
-
 
1519
expand-hosts
-
 
1520
bogus-priv
-
 
1521
filterwin2k
-
 
1522
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
-
 
1523
server=$DNS1
-
 
1524
server=$DNS2
-
 
1525
EOF
-
 
1526
 
-
 
1527
# Don't run dnsmasq service. Create dnsmasq-whitelist unit
-
 
1528
	systemctl disable dnsmasq.service
-
 
1529
	cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
-
 
1530
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
-
 
1531
	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
-
 
1532
} # End of dnsmasq()
-
 
1533
 
-
 
1534
#########################################################
1499
#########################################################
1535
##                     "unbound"                       ##
1500
##                     "unbound"                       ##
1536
## - create the conf files for 4 unbound services      ##
1501
## - create the conf files for 4 unbound services      ##
1537
## - create the systemd files for 4 unbound services   ##
1502
## - create the systemd files for 4 unbound services   ##
1538
#########################################################
1503
#########################################################
Line 1655... Line 1620...
1655
EOF
1620
EOF
1656
 
1621
 
1657
# Configuration file for whitelist unbound
1622
# Configuration file for whitelist unbound
1658
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1623
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1659
server:
1624
server:
-
 
1625
	module-config: "ipset validator iterator"
1660
	verbosity: 1
1626
	verbosity: 1
1661
	hide-version: yes
1627
	hide-version: yes
1662
	hide-identity: yes
1628
	hide-identity: yes
1663
	do-ip6: no
1629
	do-ip6: no
1664
	do-not-query-localhost: no
1630
	do-not-query-localhost: no
1665
	define-tag: "whitelist"
1631
	define-tag: "whitelist"
1666
	local-zone: "." transparent
1632
	local-zone: "." transparent
1667
	local-zone-tag: "." "whitelist"
1633
	local-zone-tag: "." "whitelist"
-
 
1634
	include: /etc/unbound/conf.d/common/forward-zone.conf
1668
	include: /etc/unbound/conf.d/common/local-forward/*
1635
	include: /etc/unbound/conf.d/common/local-forward/*
1669
	include: /etc/unbound/conf.d/common/local-dns/*
1636
	include: /etc/unbound/conf.d/common/local-dns/*
1670
	include: /etc/unbound/conf.d/whitelist/*
1637
	include: /etc/unbound/conf.d/whitelist/*
1671
	include: /usr/local/share/unbound-wl-enabled/*
1638
	include: /usr/local/share/unbound-wl-enabled/*
1672
forward-zone:
1639
	username: ""
1673
	name: "."
1640
ipset:
1674
	forward-addr: 127.0.0.1@55
1641
	name-v4: "wl_ip_allowed"
1675
EOF
1642
EOF
1676
 
1643
 
1677
# Configuration file for $INTIF of blackhole unbound
1644
# Configuration file for $INTIF of blackhole unbound
1678
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1645
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1679
server:
1646
server:
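Review bot: The added `username: ""` at new line 1639 of the unbound-whitelist heredoc stops this resolver from dropping to the unprivileged account it would otherwise switch to, so the instance that answers client queries keeps running as root, and the hunk gives no reason for it — presumably the new ipset module needs CAP_NET_ADMIN to insert resolved addresses into the `wl_ip_allowed` set named just below. At minimum that line deserves a why-comment in the generated file, e.g. `username: ""	# no privilege drop: the ipset module must write to the kernel set wl_ip_allowed`. A tighter option is to keep the compiled-in user (typically `unbound`) and grant only that capability through the unit the next hunk already patches, e.g. `mkdir -p /etc/systemd/system/unbound-whitelist.service.d` and `printf '[Service]\nAmbientCapabilities=CAP_NET_ADMIN\n' > /etc/systemd/system/unbound-whitelist.service.d/ipset.conf`, which would need a check on the target system that the set is still populated once unbound has changed uid. The enclosing unbound() function starts and ends outside this hunk.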
Line 1703... Line 1670...
1703
	do
1670
	do
1704
		cp -f /lib/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service
1671
		cp -f /lib/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service
1705
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service
1672
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service
1706
		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service
1673
		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service
1707
	done
1674
	done
1708
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
1675
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound-whitelist.service
1709
} # End of unbound()
1676
} # End of unbound()
1710
 
1677
 
1711
##################################################
1678
##################################################
1712
##                   "dhcpd"                    ##
1679
##                   "dhcpd"                    ##
1713
##################################################
1680
##################################################
Line 1821... Line 1788...
1821
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1788
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1822
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1789
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1823
EOF
1790
EOF
1824
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1791
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1825
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1792
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1826
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1793
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with unbound-whitelist hook (every sunday at 0:05 am)
1827
# 'alcasar-watchdog.sh --disconnect-permanent-users' : disconnect users with attribute "Alcasar-Status-Page-Must-Stay-Open" (daily --> see "cron.daily")
1794
# 'alcasar-watchdog.sh --disconnect-permanent-users' : disconnect users with attribute "Alcasar-Status-Page-Must-Stay-Open" (daily --> see "cron.daily")
1828
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1795
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1829
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1796
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1830
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1797
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1831
@daily root $DIR_DEST_BIN/alcasar-watchdog.sh --disconnect-permanent-users > /dev/null 2>&1
1798
@daily root $DIR_DEST_BIN/alcasar-watchdog.sh --disconnect-permanent-users > /dev/null 2>&1
Line 2230... Line 2197...
2230
	do
2197
	do
2231
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2198
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2232
	done
2199
	done
2233
	/usr/bin/systemctl daemon-reload
2200
	/usr/bin/systemctl daemon-reload
2234
# processes started at boot time (Systemctl)
2201
# processes started at boot time (Systemctl)
2235
	for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2202
	for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2236
	do
2203
	do
2237
		/usr/bin/systemctl -q enable $i.service
2204
		/usr/bin/systemctl -q enable $i.service
2238
	done
2205
	done
2239
 
2206
 
2240
# disable processes at boot time (Systemctl)
2207
# disable processes at boot time (Systemctl)
Line 2475... Line 2442...
2475
				then echo "#### Installation avec mise à jour ####";
2442
				then echo "#### Installation avec mise à jour ####";
2476
				else echo "#### Installation with update     ####";
2443
				else echo "#### Installation with update     ####";
2477
			fi
2444
			fi
2478
			mode="update"
2445
			mode="update"
2479
		fi
2446
		fi
2480
		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
2447
		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
2481
		do
2448
		do
2482
			$func
2449
			$func
2483
			if [ $DEBUG_ALCASAR == "on" ]
2450
			if [ $DEBUG_ALCASAR == "on" ]
2484
			then
2451
			then
2485
				echo "*** 'debug' : end of function '$func' ***"
2452
				echo "*** 'debug' : end of function '$func' ***"