
Regard whitespace Rev 3039 → Rev 3040

/CHANGELOG
8,11 → 8,12
- Add a third RPM repository (http://ftp.free.fr)
- Improve firewall local rules
- Add SMTP to the list of openned ports (for filtered users)
- Adapt user page when HTTPS is enabled with an official certificate
- Adapt user page when HTTPS is enabled with an official certificate (Thanks to Alexandre VEZIN)
ACC
- avoid password preload text in password forms
- improve "let's encrypt" & "Internet connexion" forms
- Add an overlay with spinner on all submit forms
- Avoid password preload text in password forms
- Improve "let's encrypt" & "Internet connexion" forms
- Add an overlay with spinner on all submit forms (Thanks to Alexandre VEZIN)
- SSH : admin can disable it on EXTIF (WAN). Admin can change the listen port (Thanks to Alexandre VEZIN)
BUGS
- Adapt "alcasar-network.sh" when ALCASAR is in DHCP mode
- Adapt "alcasar-watchdog.sh" when ALCASAR is in multiWAN mode
/alcasar.sh
2171,7 → 2171,8
# ALCASAR conf file
echo "HTTPS_LOGIN=off" >> $CONF_FILE
echo "HTTPS_CHILLI=off" >> $CONF_FILE
echo "SSH=on" >> $CONF_FILE
echo "SSH=off" >> $CONF_FILE
echo "SSH_WAN=22" >> $CONF_FILE
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
echo "LDAP=off" >> $CONF_FILE
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
/conf/sudoers
13,7 → 13,7
User_Alias SMS=gammu_smsd # gammu-smsd owner
 
# Cmnd alias specification
Cmnd_Alias NET=/sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/bin/alcasar-dhcp.sh,/usr/local/bin/alcasar-dns-local.sh,/usr/local/bin/alcasar-network.sh,/usr/local/bin/alcasar-list-ip_gw.sh # network commands
Cmnd_Alias NET=/sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/bin/alcasar-dhcp.sh,/usr/local/bin/alcasar-dns-local.sh,/usr/local/bin/alcasar-network.sh,/usr/local/bin/alcasar-list-ip_gw.sh,/usr/local/bin/alcasar-ssh.sh # network commands
Cmnd_Alias URPMI=/usr/sbin/urpmi,/usr/sbin/urpmi.update # packages managment
Cmnd_Alias BYPASS=/usr/local/bin/alcasar-bypass.sh # authentication bypass
Cmnd_Alias RADDB=/usr/bin/radwho,/usr/sbin/chilli_query # manage users in command line
/scripts/alcasar-iptables.sh
42,6 → 42,8
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
SSH_PORT=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port
SSH_PORT=${SSH_PORT:=0}
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
IPTABLES="/sbin/iptables"
51,6 → 53,9
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
HOST=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
DOM=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
DOMAIN="$HOST.$DOM"
 
# Allow requests to internal DNS if activated
if [ "$INT_DNS_ACTIVE" = "on" ]
392,9 → 397,12
then
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
if [ $SSH_PORT -gt 0 ]
then
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
fi
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
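Review bot: In the hunk at 392, the two pre-existing `--dport ssh` ACCEPT rules on `$EXTIF` (third and fourth lines of the hunk) remain unconditional next to the new `if [ $SSH_PORT -gt 0 ]` block, so `alcasar-ssh.sh --off` — which empties SSH_WAN and makes `SSH_PORT` fall back to 0 — only removes the custom-port rule while port 22 stays accepted from `$SSH_ADMIN_FROM` on the WAN side, assuming the enclosing `if`, whose condition is on the line above the hunk, evaluates true. If "off" is meant to close WAN SSH entirely, the port-22 pair belongs inside the new conditional, or can be dropped, since with the default port `$SSH_PORT` is 22 and the two pairs are then exact duplicates. In the hunk at 42, `SSH_PORT=${SSH_PORT:=0}` only covers the empty case; a non-numeric SSH_WAN value makes `[ $SSH_PORT -gt 0 ]` an error rather than false, which fails closed here but is worth making explicit with `case $SSH_PORT in ''|*[!0-9]*) SSH_PORT=0;; esac` after the fallback line. `$SSH_ADMIN_FROM` and `$SSH_PORT` should also be double-quoted in the iptables invocations, consistent with the values being read from a config file.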
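--- a/scripts/alcasar-ssh.sh
+++ b/scripts/alcasar-ssh.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+# alcasar-ssh.sh
+# by Alexandre Vezin
+
+# enable/disable SSH on external NIC (EXTIF). Set the listen port on EXTIF
+# activation/désactivation de SSH sur la carte réseau externe (EXTIF). Définit le port d'écoute sur EXTIF
+
+SED="/bin/sed -i"
+CAT="/bin/cat"
+GREP="/bin/grep"
+ALCASAR_CONF="/usr/local/etc/alcasar.conf"
+SSH_CONF="/etc/ssh/sshd_config"
+
+usage="Usage: alcasar-ssh.sh {--off | -off} | {--on | -on} [-p port]"
+
+nb_args=$#
+args=$1
+echo "Checking args" >> '/tmp/alcasar_sms_tmp.log'
+if [ $nb_args -eq 0 ]
+then
+echo "No args" >> '/tmp/alcasar_sms_tmp.log'
+echo "$usage"
+exit 1
+fi
+
+while getopts ":p:" portarg; do
+case "${portarg}" in
+p)
+echo "Port check" >> '/tmp/alcasar_sms_tmp.log'
+SSH_PORT=${OPTARG}
+echo "Port : $SSH_PORT" >> /tmp/alcasar_sms_tmp.log
+if [ $SSH_PORT -lt 0 ] || [ $SSH_PORT -gt 65535 ]
+then
+echo "Invalid port" >> /tmp/alcasar_sms_tmp.log
+echo "The port $SSH_PORT is invalid"
+exit 1
+fi
+;;
+esac
+done
+
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--off | -off)
+echo "off" >> '/tmp/alcasar_sms_tmp.log'
+# Editing Alcasar configuration - Deleting the port
+$SED "s/^SSH_WAN=.*/SSH_WAN=/g" $ALCASAR_CONF
+# Editing SSH configuration - Deleting any port other than 22
+$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF
+# Applying iptables
+/usr/local/bin/alcasar-iptables.sh
+# Restarting SSH
+/usr/bin/systemctl restart sshd
+exit 0
+;;
+--on | -on)
+SSH_PORT=${SSH_PORT:=22}
+echo "on" >> '/tmp/alcasar_sms_tmp.log'
+$SED "s/^SSH_WAN=.*/SSH_WAN=$SSH_PORT/g" $ALCASAR_CONF
+# Checking if there is already a port other than set
+if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s22$"` -gt 0 ]
+then
+if [ $SSH_PORT -ne 22 ]
+then
+# Editing SSH configuration - Changing any port other than 22
+$SED "/\s22$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF
+else
+# Editing SSH configuration - Deleting any port other than 22 (as 22 port is used)
+$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF
+fi
+else
+if [ $SSH_PORT -ne 22 ]
+then
+# Adding the new SSH port in the config
+echo "Port $SSH_PORT" >> $SSH_CONF
+fi
+fi
+# Applying iptables
+/usr/local/bin/alcasar-iptables.sh
+# Restarting SSH
+/usr/bin/systemctl restart sshd
+exit 0
+;;
+*)
+echo "Argument inconnu : $1"
+echo "$usage"
+exit 1
+;;
+esac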
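Review bot: The port check `if [ $SSH_PORT -lt 0 ] || [ $SSH_PORT -gt 65535 ]` does not reject non-numeric input: on a value such as `22x` both `[` tests fail with "integer expression expected" instead of returning true, the `if` body is skipped, and the value is spliced into the `sed` expressions (`SSH_WAN=$SSH_PORT`, `Port $SSH_PORT`) and appended to sshd_config as `Port 22x`, after which `systemctl restart sshd` fails and remote administration is lost; port 0 passes the check as well, although alcasar-iptables.sh treats 0 as disabled. Since the value arrives from an ACC form and the script is invoked through sudo (it is added to the NET alias in this commit), validate it before anything is written: `case $SSH_PORT in ''|*[!0-9]*) echo "The port $SSH_PORT is invalid"; exit 1;; esac` followed by `if [ "$SSH_PORT" -lt 1 ] || [ "$SSH_PORT" -gt 65535 ]`. Running `sshd -t` before each `systemctl restart sshd` and aborting on a non-zero status would guard against locking the admin out when the edited config no longer parses. The debug `echo ... >> /tmp/alcasar_sms_tmp.log` lines write as root to a fixed path in a world-writable directory (and the `sms` name looks inherited from another script); drop them or use `logger -t alcasar-ssh` instead. `$CAT` and `$GREP` are defined but never used, and the `grep -E ... /etc/ssh/sshd_config` call on the `--on` path should use `$SSH_CONF` like the surrounding lines.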
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
/web/acc/admin/network.php
78,12 → 78,13
$l_yes = "Oui";
$l_no = "Non";
$l_ssl_title = "Chiffrer les flux d'authentification entre les utilisateurs et ALCASAR";
$l_cert_from = "Date d'émission";
$l_ssh_title = "SSH";
$l_ssh_port = "Port";
$l_ssh_activate = "Activer SSH";
$l_cert_expiration = "Date d'expiration :";
$l_cert_commonname = "Nom commun :";
$l_cert_organization = "Organisation :";
$l_upload_certificate = "Importer un certificat officiel";
$l_le_renewal = "Renouveler le certificat Let's Encrypt";
$l_le_integration = "Intégrer un certificat Let's Encrypt";
$l_le_status = "Status :";
$l_disabled = "Inactif";
143,13 → 144,14
$l_yes = "Si";
$l_no = "No";
$l_ssl_title = "La autenticación de cifrado fluye entre usuarios y ALCASAR";
$l_cert_from = "Fecha de emisión";
$l_ssh_title = "SSH";
$l_ssh_port = "Puerto";
$l_ssh_activate = "Activar SSH";
$l_cert_expiration = "Fecha de vencimiento:";
$l_cert_commonname = "Common name:";
$l_cert_organization = "Organización:";
$l_upload_certificate = "Importar un certificado";
$l_le_integration = "Integración con Let's Encrypt";
$l_le_renewal = "Renovación del certificado Let's Encrypt";
$l_le_status = "Estado:";
$l_disabled = "Desactivado";
$l_pending_validation = "Validación pendiente";
207,13 → 209,14
$l_yes = "Yes";
$l_no = "No";
$l_ssl_title = "Cipher authentication flows between users and ALCASAR";
$l_cert_from = "Date of issue";
$l_ssh_title = "SSH";
$l_ssh_port = "Port";
$l_ssh_activate = "Activate SSH";
$l_cert_expiration = "Expiration date:";
$l_cert_commonname = "Common name:";
$l_cert_organization = "Organization:";
$l_upload_certificate = "Import an officlal certificate";
$l_le_integration = "Integrate a Let's Encrypt certificate";
$l_le_renewal = "Renewing the Let's Encrypt certificate";
$l_le_status = "Status:";
$l_disabled = "Disabled";
$l_pending_validation = "Pending validation";
370,6 → 373,14
}
}
break;
case 'enable_wan_ssh': // Activate SSH on WAN
if (isset($_POST['togglessh'])) {
exec('sudo /usr/local/bin/alcasar-ssh.sh --on -p'.escapeshellarg($_POST["ssh_port"]));
} else{
exec('sudo /usr/local/bin/alcasar-ssh.sh --off');
}
header('Location: '.$_SERVER['PHP_SELF']);
exit();
case 'https_login': // Set HTTPS login status
if ($_POST['https_login'] === 'on') {
exec('sudo /usr/local/bin/alcasar-https.sh --on');
1167,6 → 1178,20
</div>
<br>
<div class="panel">
<div class="panel-header"><?= $l_ssh_title ?></div>
<div class="panel-row">
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="enable_wan_ssh">
<input type="checkbox" name="togglessh" id="togglessh" <?= is_numeric($conf['SSH_WAN'])? "checked": "" ?> onchange="document.getElementById('sshtable').style.display = this.checked ? 'block' : 'none';"> <b>Activer SSH <!-- TODO : Mettre traduction --></b><br>
<div id="sshtable" style="display:<?= is_numeric($conf['SSH_WAN'])? "block": "none" ?>">
<label for="ssh_port"><?= $l_ssh_port ?></label> : <input style="width:120px" type="text" id="ssh_port" name="ssh_port" value="<?= is_numeric($conf['SSH_WAN']) ? $conf['SSH_WAN']:22 ?>" /><br>
</div>
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br>
</form>
</div>
</div>
<br>
<div class="panel">
<div class="panel-header"><?= $l_import_cert ?></div>
<div class="panel-row">
<div class="panel-cell">
1173,7 → 1198,6
<?php
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt'));
$cert_expiration_date = date('d-m-Y H:i:s', $certificateInfos['validTo_time_t']);
$cert_from_date = date('d-m-Y H:i:s', $certificateInfos['validFrom_time_t']);
$domain = $certificateInfos['subject']['CN'];
$organization = (isset($certificateInfos['subject']['O'])) ? $certificateInfos['subject']['O'] : '';
$CAdomain = $certificateInfos['issuer']['CN'];
1181,7 → 1205,6
?>
<h3><?= $l_current_certificate ?></h3>
<b><?= $l_cert_commonname ?></b> <?= $domain ?><br>
<b><?= $l_cert_from ?></b> <?= $cert_from_date ?><br>
<b><?= $l_cert_expiration ?></b> <?= $cert_expiration_date ?><br>
<b><?= $l_cert_organization ?></b> <?= $organization ?><br>
<b><?= $l_validated ?></b> <?= $CAdomain ?> (<?= $CAorganization ?>)<br>
1224,10 → 1247,8
} else {
$step = 1;
}
if ($step === 2) {
echo "<h3>$l_le_renewal</h3>";
} else { echo "<h3>$l_le_integration</h3>";}
?>
<h3><?= $l_le_integration ?></h3>
<?php if ($step === 1): ?>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="le_issueCert">
1241,6 → 1262,7
<input type="hidden" name="choix" value="le_renewCert">
<?= $l_le_status ?> <?= $l_pending_validation ?><br>
<?= $l_le_domain_name ?> <?= $LE_conf['domainRequest'] ?><br>
<?= $l_le_ask_on ?> <?= date('d-m-Y H:i:s', $LE_conf['dateIssueRequest']) ?><br>
<?= $l_le_dns_entry_txt ?> "<?= '_acme-challenge.'.$LE_conf['domainRequest'] ?>"<br>
<?= $l_le_challenge ?> "<?= $LE_conf['challenge'] ?>"<br>
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" name="recheck" value="<?= $l_recheck ?>"> <input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" name="cancel" value="<?= $l_cancel ?>"><br>
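Review bot: In the hunk at 370, `$_POST["ssh_port"]` is handed to `alcasar-ssh.sh --on -p` with only `escapeshellarg()` around it; that prevents shell injection but lets any string reach a root-run script that rewrites sshd_config, and the key is never checked with `isset`, so a request without it raises a notice and runs the script with `-p''`. Validate server-side before `exec()`, e.g. `$ssh_port = filter_var(isset($_POST['ssh_port']) ? $_POST['ssh_port'] : '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 65535]]);` and skip the `exec()` (still redirecting) when it is `false`; building the command as `'--on -p '.escapeshellarg((string)$ssh_port)` also avoids relying on the `-p'22'` juxtaposition. No anti-CSRF token appears in the new form in the hunk at 1167 (nor in the sibling Let's Encrypt forms), so if the ACC relies on HTTP authentication alone a forged POST with `choix=enable_wan_ssh` could open SSH on the WAN side — worth confirming how the ACC protects its state-changing forms. Lastly, that form hardcodes `<b>Activer SSH <!-- TODO : Mettre traduction --></b>` even though `$l_ssh_activate` is defined in all three language blocks of this commit; use `<b><?= $l_ssh_activate ?></b>` there.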