Subversion Repositories ALCASAR

#!/bin/bash

# $Id: alcasar-watchdog.sh 2250 2017-05-22 22:00:03Z tom.houdayer $

# alcasar-watchdog.sh

# by Rexy

# This script is distributed under the Gnu General Public License (GPL)

# - Ce script prévient les usagers de l'indisponibilité de l'accès Internet

# - Il déconnecte les usagers dont les équipements réseau ne répondent plus (leur onglet 'status.php' a été fermé)

# - Il deconnecte les usagers dont les adresses MAC sont usurpées

#

# - This script tells users that Internet access is down

# - It logs out users whose PCs are quiet (their status tab is closed)

# - It logs out users whose MAC address is used by other systems (usurped)

CONF_FILE="/usr/local/etc/alcasar.conf"

EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`			# EXTernal InterFace

INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`			# INTernal InterFace

private_ip_mask=`grep PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`

private_ip_mask=${private_ip_mask:=192.168.182.1/24}

PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1`		# @ip du portail (côté LAN)

PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}

current_users_file="/var/tmp/havp/current_users.txt"		# file containing active users with their "status.php" tab open

DIR_WEB="/var/www/html"

Index_Page="$DIR_WEB/index.php"

IPTABLES="/sbin/iptables"

TUNIF="tun0"							# listen device for chilli daemon

OLDIFS=$IFS

IFS=$'\n'

function lan_down_alert ()

# users are redirected on ALCASAR IP address if a LAN problem is detected

{

	case $LAN_DOWN in

	"1")

		logger "$EXTIF (WAN card) link down"

		echo "$EXTIF (WAN card) link down"

		/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page

		;;

	"2")

		logger "can't contact the default router"

		echo "can't contact the default router"

		/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page

		;;

	esac

	net_pb=`grep "network_pb = true;" $Index_Page|wc -l`

	if [ $net_pb = "0" ] # user alert (only the first time)	

		then

		/bin/sed -i "s?^\$network_pb.*?\$network_pb = true;?g" $Index_Page

		$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56

	fi

}

function lan_test ()

# LAN connectiivity testing

{

	watchdog_process=`ps -C alcasar-watchdog.sh|wc -l`

	if [[ $(expr $watchdog_process) -gt 3 ]]

		then

		echo "ALCASAR watchdog is already running"

		exit 0

	fi

	# EXTIF testing

	LAN_DOWN="0"

	if [ `/sbin/ip link | grep $EXTIF|grep "NO-CARRIER" | wc -l` -eq "1" ]

		then

		LAN_DOWN="1"

	fi

	# Default GW testing

	if [ $LAN_DOWN -eq "0" ]

		then

		IP_GW=`/sbin/ip route list|grep ^default|cut -d" " -f3`

		arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW|grep response|cut -d" " -f2`

		if [ $arp_reply -eq "0" ]

	       		then

			LAN_DOWN="2"

		fi

	fi

	# if LAN pb detected, users are warned

	if [ $LAN_DOWN != "0" ]

		then

			lan_down_alert

	# else switch in normal mode

	else

		echo "Internet access is OK for now"

		net_pb=`grep "network_pb = true;" $Index_Page|wc -l`

		if [ $net_pb != "0" ]

			then

			/bin/sed -i "s?^\$network_pb.*?\$network_pb = false;?g" $Index_Page

			$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56

		fi

	fi

}

usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"

case $1 in

	-\? | -h* | --h*)

		echo "$usage"

		exit 0

		;;

	-lt | --lan_test)

		lan_test

		exit 0

		;;

	*)

		lan_test

		# We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)

		# process each equipment known by chilli to check if IP address is usurped (with arping)

		for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`

		do

			active_ip=`echo $system |cut -d" " -f2`

			active_session=`echo $system |cut -d" " -f5`

			active_mac=`echo $system | cut -d" " -f1`

			active_user=`echo $system |cut -d" " -f6`

			#We disconnect inactive user here :

			#We check if this is not an auth @MAC and if he is still connected

			if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then

				if [ -e $current_users_file ]; then

					# We check if user @IP is in 'current_users.txt'

					cmp_user_ok=$(cat $current_users_file | grep $active_ip | wc -w)

					# If not we disconnect this user.

					if [ $cmp_user_ok -eq 0 ]; then

						logger "alcasar-watchdog : $active_ip ($active_mac) can't be contact. We disconnects the user ($active_user)."

						/usr/sbin/chilli_query logout $active_mac

					fi

					# Remove the user's IP from 'current_users.txt'. Every user need to insert their @IP everytime to prove their connectivity.

					sed -i "/^$active_ip/d" $current_users_file

				else # "/tmp/current_user.txt" does not exists. We disconnect every users.

					logger "alcasar-watchdog : The file /var/tmp/havp/current_users.txt doen't' exist. We disconnects the user $active_user"

					/usr/sbin/chilli_query logout $active_mac

				fi

			fi

			# IP usurpation test : process only equipment with an authenticated user

			if [[ $(expr $active_session) -eq 1 ]]

			then

				arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l`

				# disconnect users whose equipement is usurped. For example, if there are 2 same @MAC it will make 3 lines in output.

				if [[ $(expr $arp_reply) -gt 2 ]]

	       				then 

					echo "$(date "+[%x-%X] : ")alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log

					logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."

					/usr/sbin/chilli_query logout $active_mac

					chmod 644 /var/Save/security/watchdog.log

				fi

			fi

		done

		;;

esac	

IFS=$OLDIFS