#Установка ABILLS 5.01 mod IPN
#UBUNTU 8.04 LTS
apt-get update
apt-get upgrade
#Теперь установим нужный нам софт:
apt-get install mysql-server mysql-client apache2 libdbi-perl libdbd-mysql-perl libdigest-md4-perl libdigest-sha1-perl libcrypt-des-perl snmp flow-tools libpcap-dev build-essential linux-libc-dev
#Вводим команды:
cd /usr/abills/libexec/
ln -s ../Abills/modules/Ipn/traffic2sql traffic2sql
#добавляем файл abills_usr.sql в базу
mysql -u root -p < abills_usr.sql
#Загружаем шаблон таблиц базы данных:
mysql -D abills -u root -p < abills.sql
mysql -D abills -u root -p < Ipn.sql
#Все, SQL’ные разборки закончены.
#Установка Apache
#При установке из репозитария никаких дополнительных телодвижений не требуется:
cat /etc/apache2/mods-available/rewrite.load
a2enmod rewrite
#Правим файл /etc/apache2/sites-enabled/000-default
nano /etc/apache2/sites-enabled/000-default
#Abills version 0.4. Default ABillS port is 9443
#Listen 9443
#Alias for web report
Alias "/reports" "/usr/abills/webreports"
<Directory "/usr/abills/webreports">
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# Main server config
<VirtualHost *>
AddDefaultCharset cp1251
DocumentRoot "/usr/abills/cgi-bin"
#ServerName http://www.example.com:9443
#ServerAdmin admin@example.com
ErrorLog /var/log/apache2/abills-error.log
#TransferLog /var/log/httpd/abills-access.log
CustomLog /var/log/apache2/abills-access_log common
<IfModule ssl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/abills/Certs/server.crt
SSLCertificateKeyFile /usr/abills/Certs/server.key
<FilesMatch "\.(cgi)$">
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/abills-ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</IfModule>
# User interface
<Directory "/usr/abills/cgi-bin">
<IfModule ssl_module>
SSLOptions +StdEnvVars
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_CGI_AUTHORIZATION:%1]
#Anti TRACE
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
Options Indexes ExecCGI SymLinksIfOwnerMatch
</IfModule>
AddHandler cgi-script .cgi
Options Indexes ExecCGI FollowSymLinks
AllowOverride none
DirectoryIndex index.cgi
Order allow,deny
Allow from all
<Files ~ "\.(db|log)$">
Order allow,deny
Deny from all
</Files>
#For hotspot solution
#ErrorDocument 404 "/abills/"
#directoryIndex "/abills" index.cgi
</Directory>
#Admin interface
<Directory "/usr/abills/cgi-bin/admin">
<IfModule ssl_module>
SSLOptions +StdEnvVars
</IfModule>
AddHandler cgi-script .cgi
Options Indexes ExecCGI FollowSymLinks
AllowOverride none
DirectoryIndex index.cgi
order deny,allow
allow from all
</Directory>
<Directory "/usr/abills/cgi-bin/cards">
<IfModule ssl_module>
SSLOptions +StdEnvVars
</IfModule>
Options Indexes ExecCGI FollowSymLinks
AllowOverride all
DirectoryIndex index.php
order deny,allow
allow from all
</Directory>
</VirtualHost>
# Даем права
chown -Rf www-data /usr/abills/cgi-bin
chown -Rf www-data /usr/abills/Abills/templates
#Каталог backup предназначен для хранения архива БД, по умолчанию он не создается, но #для работы весьма желателен:
mkdir /usr/abills/backup
mkdir /usr/abills/backup/ipn
chown -Rf www-data /usr/abills/backup
chown -Rf www-data /usr/abills/backup/ipn
#Создаем лог файл:
touch /usr/abills/var/log/abills.log
#даем права на запись
chmod 777 /usr/abills/var/log/abills.log
# Правим файл конфигурации абилса
cp /usr/abills/libexec/config.pl.default /usr/abills/libexec/config.pl
nano /usr/abills/libexec/config.pl
#!/usr/bin/perl -w
# Abills configuretion file
$PROGRAM='~AsmodeuS~ Billing System';
#DB configuration
$conf{dbhost}='localhost';
$conf{dbname}='';
$conf{dbuser}='';
$conf{dbpasswd}='';
$conf{dbtype}='mysql';
#For MySQL 5 and highter (cp1251, utf8)
$conf{dbcharset}='';
#Mail configuration
$conf{ADMIN_MAIL}='admin@yourhost.com';
$conf{USERS_MAIL_DOMAIN}='yourhost.com';
$conf{MAIL_CHARSET}='windows-1251';
$conf{default_language}='russian';
$conf{default_charset}='windows-1251';
$conf{WEB_TITLE}='';
@MODULES = ('Dv',
'Cards',
'Ipn',
'Docs',
'Msgs',
'Sqlcmd');
%ACCT = ();
#For VoIP GNU Gatekeeper accounting
$ACCT{gnugk} = 'Voip_aaa';
%AUTH = ();
#For VoIP GNU Gatekeeper Auth
$AUTH{gnugk} = 'Voip_aaa';
#Technical works
#$conf{tech_works}='Technical works';
#Periodic functions
$conf{p_admin_mails}=1; # Send periodic admin reports
$conf{p_users_mails}=1; # Send user warning messages
# chap encryption decription key
$conf{secretkey}="test12345678901234567890";
$conf{s_detalization}=1; #make session detalization recomended for vpn leathed lines
$conf{ERROR2DB}=1;
$conf{version}='0.51b'; #01.06.2010
######### IPN ############
$conf{USERNAMEREGEXP}="^[A-Za-z0-9_][A-za-z0-9_-]*\$";
$conf{IPN_DETAIL}=1;
$conf{IPN_DETAIL_MIN_SIZE}=1024;
$conf{IPN_DETAIL_CLEAN_PERIOD}=30;
$conf{IPN_USERMENU}=1;
$conf{IPN_DEPOSIT_OPERATION}=1;
$conf{IPN_FW_FIRST_RULE}=20000;
#$conf{IPN_FW_START_RULE}="sudo iptables -I FORWARD -s 192.168.5.100 -d 0/0 -j ACCEPT; sudo iptables -I FORWARD -s 0/0 -d 192.168.5.100 -j ACCEPT";
#$conf{IPN_FW_STOP_RULE}="sudo iptables -I FORWARD -s 192.168.5.100 -d 0/0 -j DROP; sudo iptables -I FORWARD -s 0/0 -d 192.168.5.100 -j DROP";
#$conf{IPN_FW_START_RULE}="sudo iptables -I FORWARD -s %IP -d 0/0 -j ACCEPT; sudo iptables -I FORWARD -s 0/0 -d %IP -j ACCEPT";
#$conf{IPN_FW_STOP_RULE}="sudo iptables -t nat -A REDIR_AUTH -s %IP -j REDIRECT --to-ports 80; sudo iptables -I FORWARD -s %IP -d 0/0 -j DROP; sudo iptables -I FORWARD -s 0/0 -d %IP -j DROP";
#$conf{IPN_STATIC_IP}=1;
$conf{IPN_FW_RULE_UID}=1;
$conf{IPN_FW_START_RULE}="sudo iptables -t nat -I REDIR_AUTH -s %IP -j RETURN; sudo iptables -I FORWARD -s %IP -d 0/0 -j ACCEPT; sudo iptables -I FORWARD -s 0/0 -d %IP -j ACCEPT; sudo /usr/abills/libexec/linkupdown ipn up eth1 %LOGIN %IP". ' > /dev/null 2>&1;'. "/usr/local/bin/sudo /sbin/ipfw -q add %NUM allow ip from %IP to any; /usr/local/bin/sudo /sbin/ipfw -q add %NUM allow ip from any to %IP";
$conf{IPN_FW_STOP_RULE}="sudo iptables -I FORWARD -s %IP -d 0/0 -j DROP; sudo iptables -I FORWARD -s 0/0 -d %IP -j DROP; sudo /usr/abills/libexec/linkupdown ipn down eth2 %LOGIN %IP". ' > /dev/null 2>&1;'. "/usr/local/bin/sudo /sbin/ipfw -q delete %NUM";
$conf{IPN_FILTER}="sudo /usr/abills/libexec/ipn_filter.sh";
$conf{MSGS_REDIRECT_FILTER_ADD}='EXEC:/home/asm/abills/misc/msgs_filter.sh %ACTION% %UIDS%;RAD:mpd-table-static+="100=%IP%"';
$conf{MSGS_REDIRECT_FILTER_DEL}='EXEC:/usr/local/bin/sudo /usr/abills/misc/msgs_filter.sh %IP%';
$conf{IPN_CLUBMONITOR}=1;
########## cards ################
$conf{CARDS_BRUTE_LIMIT}=5;
$conf{CARDS_BRUTE_CLEAN_PERIOD}=2;
$conf{CARDS_PAYMENT_PIN_LENGTH}=8;
$conf{CARDS_PIN_SYMBOLS}='0123456789';
$conf{CARDS_SHOW_PINS}=1;
$conf{CARDS_LOGIN_PASSWD_SAME}=1;
$conf{CARDS_PAYMENTS_EXTERNAL}='/usr/abills/misc/cards_external.sh';
####################################
#Octets direction
# server - Count octets from server side
# user - Count octets from user side (default)
$conf{octets_direction}='user';
#Check web interface brute force
$conf{wi_bruteforce}=10;
#Minimum session costs
$conf{MINIMUM_SESSION_TIME}=10; # minimum session time for push session to db
$conf{MINIMUM_SESSION_TRAF}=200; # minimum session trafic for push session to db
#System admin id
#ID for system operation, periodic procces
$conf{SYSTEM_ADMIN_ID}=1;
#System Langs
$conf{LANGS}="english:English;
russian:Русский;
ukraine:Українська;
bulgarian:Болгарска;
french:French";
#Web interface
$conf{PASSWD_LENGTH}=6;
$conf{MAX_USERNAME_LENGTH}=15;
# User name expration
$conf{USERNAMEREGEXP}="^[a-z0-9_][a-z0-9_-]*\$";
$conf{list_max_recs}=25;
$conf{web_session_timeout} = 1800;
$conf{user_chg_passwd}='no';
#Max session traffic Mb
$conf{MAX_SESSION_TRAFFIC} = 2047;
# Exppp options
#$conf{DV_EXPPP_NETFILES}='/usr/abills/cgi-bin/admin/nets/';
#Auto assigning MAC in first connect
$conf{MAC_AUTO_ASSIGN}=1;
$conf{KBYTE_SIZE} = 1024;
# Check script rannig time
$conf{time_check}=1;
# Debug mod
$conf{debug}=10;
$conf{foreground}=0;
$conf{debugmods}='LOG_ALERT LOG_WARNING LOG_ERR LOG_INFO';
#show auth and accounting time need Time::HiRes module (available from CPAN)
# Log levels. For details see <syslog.h>
%log_levels = ('LOG_EMERG' => 0,
'LOG_ALERT' => 1,
'LOG_CRIT' => 2,
'LOG_ERR' => 3,
'LOG_WARNING' => 4,
'LOG_NOTICE' => 5,
'LOG_INFO' => 6,
'LOG_DEBUG' => 7,
'LOG_SQL' =>
;#Check password from radius or FTP servers for web interface
#Radius
#$conf{check_access} = { NAS_IP => '192.168.101.17:1812',
# NAS_FRAMED_IP => '192.168.101.17',
# NAS_SECRET => 'test'
# };
# FTP
# $conf{check_access} = { NAS_IP => '192.168.101.17:21'
# };
#Firewall start rule numbers
# (GLobal, Class 1, Class 2)
@START_FW = (5000, 3000, 1000);
# Backup SQL data
$conf{BACKUP_DIR}='/usr/abills/backup';
# Folders and files
$base_dir='/usr/abills/';
$lang_path=$base_dir . 'language/';
$lib_path=$base_dir .'libexec/';
$var_dir=$base_dir .'var/';
$conf{SPOOL_DIR}=$base_dir.'var/q';
# Template folder
$conf{TPL_DIR} = $base_dir . 'Abills/templates/';
$conf{LOG_DEBUG} = $base_dir . 'var/log/abills.debug';
$conf{WEB_LOGFILE} = 'weblog.log';
$conf{LOGFILE} = $base_dir . 'var/log/abills.log';
$conf{LOG_ACCT} = $base_dir . 'var/log/acct.log';
#For file auth type allow file
$conf{extern_acct_dir}=$base_dir.'libexec/ext_acct/';
$conf{MAILBOX_PATH}='/var/mail/';
# Low bounds
use POSIX qw(strftime);
$DATE = strftime "%Y-%m-%d", localtime(time);
$TIME = strftime "%H:%M:%S", localtime(time);
$curtime = strftime("%F %H.%M.%S", localtime(time));
$year = strftime("%Y", localtime(time));
#*******************************************************************
# log_print ($level, $text)
#
#*******************************************************************
sub log_print {
my ($level, $text) = @_;
my $DATE = strftime "%Y-%m-%d", localtime(time);
my $TIME = strftime "%H:%M:%S", localtime(time);
if ($conf{debugmods} =~ /$level/) {
if (defined($conf{foreground}) && $conf{foreground} == 1) {
print "$DATE $TIME $level: $text\n";
}
else {
open(FILE, ">>$conf{LOGFILE}") || die "Can't open file '$conf{LOGFILE}' $!\n";
print FILE "$DATE $TIME $level: $text\n";
close(FILE);
}
}
}
nano /etc/sudoers
www-data ALL = NOPASSWD: /usr/abills/misc/pppd_kill
www-data ALL = NOPASSWD: /usr/abills/libexec/linkupdown
www-data ALL = NOPASSWD: /sbin/iptables
В /etc/crontab заносим
*/5 * * * * root /usr/abills/libexec/billd -all
1 0 * * * root /usr/abills/libexec/periodic daily
1 0 1 * * root /usr/abills/libexec/periodic monthly
#ежедневное автоматическое резервное копирование базы данных
1 3 * * * root /usr/abills/libexec/periodic backup
*/5 * * * * root /usr/abills/libexec/traffic2sql 2 flowdir=/usr/abills/var/log/ipn/ FLOW_CAT=/usr/bin/flow-cat FLOW_PRINT=/usr/bin/flow-print
Правим файл /usr/abills/Abills/defs.conf
#SNMP Communities For checker and other SNMP base function
$SNMPWALK = '/usr/bin/snmpwalk';
$SNMPSET = '/usr/bin/snmpset';
$GZIP = '/bin/gzip';
$TAR='/bin/tar';
$MYSQLDUMP = '/usr/bin/mysqldump';
$IFCONFIG='/sbin/ifconfig';
$IPFW='/sbin/ipfw';
#$MYSQLDUMP = '/usr/local/mysql/bin/mysqldump';
nano /etc/init.d/rc.iptables
#!/bin/bash
IPT="/sbin/iptables"
INTERFACE="eth1";
######## INTERFACES #########
INET="eth0"
############################################################################################
# Начало скрипта
start_fw()
{
# включаем пересылку пакетов
echo 1 > /proc/sys/net/ipv4/ip_forward
# стандартные действия
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
# удаляем все имеющиеся правила
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -A FORWARD -j DROP
$IPT -t nat -N REDIR_AUTH
$IPT -t nat -A REDIR_AUTH -p tcp -m multiport --dports 80,443 -j REDIRECT --to 9443
$IPT -t nat -A PREROUTING -s 192.168.5.0/24 -p tcp -m multiport --dports 80,443 -j REDIR_AUTH
$IPT -t nat -A POSTROUTING -s 192.168.5.0/24 -j SNAT --to-source 81.25.225.234
}
#############################Скрипт################################
case "$1" in start) echo -n "ЗАПУСК: iptables"
start_fw
echo "."
;;
stop) echo -n "ОСТАНОВКА : iptables"
iptables -F
iptables -X
echo "."
;;
save) echo -n "Сохранение : iptables"
iptables-save > /etc/rules-save
echo "."
;;
restart) echo -n "рестарт : iptables"
iptables -F
iptables -X
start_fw
echo "."
;;
reload|force-reload) echo -n "перезагрузка конфигурации firewall: iptables"
echo "."
;;
*) echo "Usage: /etc/init.d/rc.iptables
start|stop|restart|reload|force-reload"
exit 1
;;
esac
exit 0
Делаем его исполняемым
chmod +x /etc/init.d/rc.iptables
Добавляем в автозагрузку
update-rc.d rc.iptables start 40 S . stop 89 0 6 .
nano /etc/init.d/shaper.sh#!/bin/sh
INTERFACE='eth0';
TC="/sbin/tc"
TCQA="${TC} qdisc add dev ${INTERFACE}"
TCQD="${TC} qdisc del dev ${INTERFACE}"
$TCQD root &>/dev/null
$TCQD ingress &>/dev/null
$TCQA root handle 1: htb
$TCQA handle ffff: ingress
echo "Shaper UP"
Добавляем в автозагрузку
nano /etc/rc.local
/etc/init.d/shaper.sh
/etc/init.d/routes
/usr/local/bin/ipcad -rds
nano /usr/local/etc/ipcad.conf
#ABillS IPCAD auto config
# INterface for capture
interface eth0;
interface eth1;
# Use port detalisation
capture-ports enable;
# Agregate some ports
#aggregate 1024-65535 into 65535; /* Aggregate wildly */
#aggregate 3128-3128 into 3128; /* Protect these ports */
#aggregate 150-1023 into 1023; /* General low range */
# Export stats 127.0.0.1 ���� 9996
netflow export destination 127.0.0.1 9996 ;
netflow export version 5; # NetFlow export format version {1|5}
netflow timeout active 30; # Timeout when flow is active, in minutes
netflow timeout inactive 15; # Flow inactivity timeout, in seconds
netflow engine-type 73; # v5 engine_type; 73='I' for "IPCAD"
netflow engine-id 1; # Useful to differentiate multiple ipcads.
dumpfile = ipcad.dump;
chroot = /var/ipcad/;
pidfile = ipcad.pid;
rsh enable at 127.0.0.1;
memory_limit = 16m;
# uid = 65534;
# gid = 65534;
nano /etc/flow-tools/flow-capture.conf
-w /usr/abills/var/log/ipn/ -n 287 -N 0 0/0/9996
-w /usr/abills/var/log/ipn/ -n 275 0/192.168.5.5/9996
