Subversion Repositories ALCASAR

Compare Revisions

Regard whitespace Rev 3040 → Rev 3041

/scripts/alcasar-iptables.sh
42,6 → 42,8
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # local SSH active
SSH_LAN=${SSH_LAN:=off}
SSH_PORT=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port
SSH_PORT=${SSH_PORT:=0}
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
395,8 → 397,11
# SSHD server access if enabled
if [ $SSH = on ]
then
if [ $SSH_LAN = on ]
then
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
fi
if [ $SSH_PORT -gt 0 ]
then
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
/scripts/alcasar-ssh.sh
3,40 → 3,56
# alcasar-ssh.sh
# by Alexandre Vezin
 
# enable/disable SSH on external NIC (EXTIF). Set the listen port on EXTIF
# activation/désactivation de SSH sur la carte réseau externe (EXTIF). Définit le port d'écoute sur EXTIF
# enable/disable SSH on external card
# activation/désactivation de SSH sur la carte réseau externe
 
SED="/bin/sed -i"
CAT="/bin/cat"
GREP="/bin/grep"
SYSTEMCTL="/bin/systemctl"
ALCASAR_CONF="/usr/local/etc/alcasar.conf"
SSH_CONF="/etc/ssh/sshd_config"
 
usage="Usage: alcasar-ssh.sh {--off | -off} | {--on | -on} [-p port]"
usage="Usage: alcasar-ssh.sh {--off | -off} | {--on | -on} [-p port] [-i allowed ip] {-l lan} | {-w wan}" # | {--all | -all} à add pour off all?
 
nb_args=$#
args=$1
echo "Checking args" >> '/tmp/alcasar_sms_tmp.log'
if [ $nb_args -eq 0 ]
then
echo "No args" >> '/tmp/alcasar_sms_tmp.log'
echo "$usage"
exit 1
fi
 
while getopts ":p:" portarg; do
while getopts ":p:i:wl" portarg; do
case "${portarg}" in
p)
echo "Port check" >> '/tmp/alcasar_sms_tmp.log'
SSH_PORT=${OPTARG}
echo "Port : $SSH_PORT" >> /tmp/alcasar_sms_tmp.log
NUM_REGEX='^[0-9]+$'
if ! [[ $SSH_PORT =~ $NUM_REGEX ]];
then
echo "The port+$SSH_PORT+is invalid"
exit 1
fi
if [ $SSH_PORT -lt 0 ] || [ $SSH_PORT -gt 65535 ]
then
echo "Invalid port" >> /tmp/alcasar_sms_tmp.log
echo "The port $SSH_PORT is invalid"
echo "The port+$SSH_PORT+is invalid"
exit 1
fi
;;
i)
IP_FROM=${OPTARG}
ipcalc -c $IP_FROM
if [ $? -ne 0 ]
then
exit 1;
fi
;;
w)
NETWORK="wan"
;;
l)
NETWORK="lan"
;;
esac
done
 
46,7 → 62,9
exit 0
;;
--off | -off)
echo "off" >> '/tmp/alcasar_sms_tmp.log'
$NETWORK={NETWORK:="none"}
if [ $NETWORK == "wan" ]
then
# Editing Alcasar configuration - Deleting the port
$SED "s/^SSH_WAN=.*/SSH_WAN=/g" $ALCASAR_CONF
# Editing SSH configuration - Deleting any port other than 22
53,15 → 71,41
$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF
# Applying iptables
/usr/local/bin/alcasar-iptables.sh
# Restarting SSH
/usr/bin/systemctl restart sshd
elif [ $NETWORK == "lan" ]
then
# Editing Alcasar configuration
$SED "s/^SSH_LAN=.*/SSH_LAN=off/g" $ALCASAR_CONF
# Applying iptables
/usr/local/bin/alcasar-iptables.sh
else
echo "$usage"
exit 0
fi
# Check if LAN and WAN is off
LAN_STATUS = `grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2`
LAN_STATUS=${LAN_STATUS:=off}
WAN_STATUS = `grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2`
WAN_STATUS=${WAN_STATUS:=off}
if [ $LAN_STATUS == off ] && [ $WAN_STATUS == off ]
then
$SYSTEMCTL stop sshd
$SYSTEMCTL disable sshd
else
$SYSTEMCTL restart sshd
fi
exit 0
;;
--on | -on)
NETWORK=${NETWORK:="none"}
if [ $NETWORK == "wan" ]
then
# Setting accepted IP in Alcasar configuration
IP_FROM=${IP_FROM:="0.0.0.0\/0"}
$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$IP_FROM g" $ALCASAR_CONF
# Setting SSH port in Alcasar configuration
SSH_PORT=${SSH_PORT:=22}
echo "on" >> '/tmp/alcasar_sms_tmp.log'
$SED "s/^SSH_WAN=.*/SSH_WAN=$SSH_PORT/g" $ALCASAR_CONF
# Checking if there is already a port other than set
# Checking if there is already a port other than 22 set
if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s22$"` -gt 0 ]
then
if [ $SSH_PORT -ne 22 ]
81,9 → 125,27
fi
# Applying iptables
/usr/local/bin/alcasar-iptables.sh
# Restarting SSH
/usr/bin/systemctl restart sshd
elif [ $NETWORK == "lan" ]
then
# Editing Alcasar configuration
$SED "s/^SSH_LAN=.*/SSH_LAN=on/g" $ALCASAR_CONF
# Applying iptables
/usr/local/bin/alcasar-iptables.sh
else
echo "$usage"
exit 0
fi
# Check if sshd is enabled
SSHD_STATUS=`systemctl is-enabled sshd`
SSHD_STATUS=${SSHD_STATUS:=disabled}
if [ $SSHD_STATUS == "enabled" ]
then
$SYSTEMCTL restart sshd
else
$SYSTEMCTL enable sshd
$SYSTEMCTL restart sshd
fi
exit 0
;;
*)
echo "Argument inconnu : $1"
/web/acc/admin/network.php
80,7 → 80,9
$l_ssl_title = "Chiffrer les flux d'authentification entre les utilisateurs et ALCASAR";
$l_ssh_title = "SSH";
$l_ssh_port = "Port";
$l_ssh_activate = "Activer SSH";
$l_ssh_from = "IP autorisée";
$l_ssh_wan_activate = "Activer SSH sur WAN";
$l_ssh_lan_activate = "Activer SSH sur LAN";
$l_cert_expiration = "Date d'expiration :";
$l_cert_commonname = "Nom commun :";
$l_cert_organization = "Organisation :";
146,7 → 148,9
$l_ssl_title = "La autenticación de cifrado fluye entre usuarios y ALCASAR";
$l_ssh_title = "SSH";
$l_ssh_port = "Puerto";
$l_ssh_activate = "Activar SSH";
$l_ssh_from = "IP autorizada";
$l_ssh_wan_activate = "Activar SSH on WAN";
$l_ssh_lan_activate = "Activar SSH on LAN";
$l_cert_expiration = "Fecha de vencimiento:";
$l_cert_commonname = "Common name:";
$l_cert_organization = "Organización:";
211,7 → 215,9
$l_ssl_title = "Cipher authentication flows between users and ALCASAR";
$l_ssh_title = "SSH";
$l_ssh_port = "Port";
$l_ssh_activate = "Activate SSH";
$l_ssh_from = "Authorized IP";
$l_ssh_wan_activate = "Activate SSH on WAN";
$l_ssh_lan_activate = "Activate SSH on LAN";
$l_cert_expiration = "Expiration date:";
$l_cert_commonname = "Common name:";
$l_cert_organization = "Organization:";
373,16 → 379,30
}
}
break;
case 'enable_lan_ssh': // Activate SSH on LAN
if (isset($_POST['sshlan'])) {
exec('sudo /usr/local/bin/alcasar-ssh.sh --on -l');
header('Location: '.$_SERVER['PHP_SELF']);
} else{
exec('sudo /usr/local/bin/alcasar-ssh.sh --off -l');
header('Location: '.$_SERVER['PHP_SELF']);
}
exit();
case 'enable_wan_ssh': // Activate SSH on WAN
if (isset($_POST['togglessh'])) {
exec('sudo /usr/local/bin/alcasar-ssh.sh --on -p'.escapeshellarg($_POST["ssh_port"]));
exec('sudo /usr/local/bin/alcasar-ssh.sh --on -w -p'.escapeshellarg($_POST["ssh_port"]).' -i'.escapeshellarg($_POST["ssh_from"]),$output,$exitCode);
if($exitCode === 1){
echo("<html><script>if(!alert(`$l_error_bad_ip_port`)){window.location.href = window.location.href;}</script></html>");
} else{
exec('sudo /usr/local/bin/alcasar-ssh.sh --off');
header('Location: '.$_SERVER['PHP_SELF']);
}
} else{
exec('sudo /usr/local/bin/alcasar-ssh.sh --off -w');
header('Location: '.$_SERVER['PHP_SELF']);
}
exit();
case 'https_login': // Set HTTPS login status
if ($_POST['https_login'] === 'on') {
if (isset($_POST['https_login'])) {
exec('sudo /usr/local/bin/alcasar-https.sh --on');
} else {
exec('sudo /usr/local/bin/alcasar-https.sh --off');
1168,10 → 1188,7
<div class="panel-row">
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="https_login">
<select name="https_login">
<option value="on"<?= (($conf['HTTPS_LOGIN'] === 'on') ? ' selected' : '') ?>><?= $l_yes ?></option>
<option value="off"<?= (($conf['HTTPS_LOGIN'] === 'off') ? ' selected' : '') ?>><?= $l_no ?></option>
</select>
<input type="checkbox" name="https_login" id="https_login" <?= ($conf['HTTPS_LOGIN'] === 'on')? "checked": "" ?>><b><?= $l_ssl_title ?></b><br>
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br>
</form>
</div>
1179,16 → 1196,40
<br>
<div class="panel">
<div class="panel-header"><?= $l_ssh_title ?></div>
<table width="100%" cellspacing="0" cellpadding="5" border="1">
<tr>
<td width="50%" align="center">
<div class="panel-row">
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="enable_lan_ssh">
<input type="checkbox" name="sshlan" id="sshlan" <?= $conf['SSH_LAN'] === 'on' ? "checked": "" ?>> <b><?= $l_ssh_lan_activate ?></b><br><br>
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br>
</form>
</div>
</td>
<td width="50%" align="center">
<div class="panel-row">
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="enable_wan_ssh">
<input type="checkbox" name="togglessh" id="togglessh" <?= is_numeric($conf['SSH_WAN'])? "checked": "" ?> onchange="document.getElementById('sshtable').style.display = this.checked ? 'block' : 'none';"> <b>Activer SSH <!-- TODO : Mettre traduction --></b><br>
<input type="checkbox" name="togglessh" id="togglessh" <?= is_numeric($conf['SSH_WAN'])? "checked": "" ?> onchange="document.getElementById('sshtable').style.display = this.checked ? 'block' : 'none';"> <b><?= $l_ssh_wan_activate ?></b><br><br>
<div id="sshtable" style="display:<?= is_numeric($conf['SSH_WAN'])? "block": "none" ?>">
<label for="ssh_port"><?= $l_ssh_port ?></label> : <input style="width:120px" type="text" id="ssh_port" name="ssh_port" value="<?= is_numeric($conf['SSH_WAN']) ? $conf['SSH_WAN']:22 ?>" /><br>
<table cellspacing="2" cellpadding="3" border="1">
<tr>
<th><?= $l_ssh_port ?></th><th><?= $l_ssh_from ?></th>
</tr>
<tr>
<td><input style="width:120px" type="text" id="ssh_port" name="ssh_port" value="<?= is_numeric($conf['SSH_WAN']) ? $conf['SSH_WAN']:22 ?>" /></td>
<td><input style="width:120px" type="text" id="ssh_from" name="ssh_from" value="<?= $conf['SSH_ADMIN_FROM'] ?>" /></td>
</tr>
</table>
<p>Activer sur tout réseau : 0.0.0.0/0</p>
</div>
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br>
</form>
</div>
</td>
</tr>
</table>
</div>
<br>
<div class="panel">