
Compare Revisions



/scripts/alcasar-uninstall.sh
0,0 → 1,418
#!/bin/bash
# $Id$
 
# alcasar-uninstall.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 
# Désinstallation ou mise à jour d'ALCASAR
# Uninstall or update ALCASAR
 
SED="/bin/sed -i"
 
[ -z $DEBUG_ALCASAR ] && DEBUG_ALCASAR='off'
 
init ()
{
echo -en "(3) : "
rm -f /root/ALCASAR* && echo -n "1, " # The files in /usr/local/ will be removed at the end (still usefull here)
[ -e /boot/grub2/user.cfg ] && rm -f /boot/grub2/user.cfg && echo -n "2, "
[ -e /root/grub.default ] && mv -f /root/grub.default /etc/grub.d/10_linux && echo -n "3"
}
 
ACC ()
{
echo -en "(11) : "
[ -d /var/www/html ] && rm -rf /var/www/html && echo -n "1, "
[ -d /etc/freeradius-web ] && rm -rf /etc/freeradius-web && echo -n "2, "
[ -e /etc/php.d/05_date.ini.default ] && mv -f /etc/php.d/05_date.ini.default /etc/php.d/05_date.ini && echo -n "3, "
[ -e /etc/php.ini.default ] && mv -f /etc/php.ini.default /etc/php.ini && echo -n "4, "
[ -e /etc/lighttpd/lighttpd.conf.default ] && mv -f /etc/lighttpd/lighttpd.conf.default /etc/lighttpd/lighttpd.conf && echo -n "5, "
[ -e /etc/lighttpd/modules.conf.default ] && mv -f /etc/lighttpd/modules.conf.default /etc/lighttpd/modules.conf && echo -n "6, "
[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] && mv -f /etc/lighttpd/conf.d/fastcgi.conf.default /etc/lighttpd/conf.d/fastcgi.conf && echo -n "7, "
[ -e /etc/php-fpm.conf.default ] && mv -f /etc/php-fpm.conf.default /etc/php-fpm.conf && echo -n "8, "
[ -d /etc/lighttpd/vhosts.d ] && rm -rf /etc/lighttpd/vhosts.d && echo -n "9, "
[ -d /usr/local/etc/digest ] && rm -rf /usr/local/etc/digest && echo -n "10, "
[ -e /etc/systemd/system/lighttpd.service ] && rm -f /etc/systemd/system/lighttpd.service && echo -n "11"
}
 
CA ()
{
echo -en "(5) : "
[ -e /etc/pki/CA/alcasar-ca.crt ] && rm -f /etc/pki/CA/alcasar-ca.crt && echo -n "1, "
[ -e /etc/pki/CA/private/alcasar-ca.key ] && rm -f /etc/pki/CA/private/alcasar-ca.key && echo -n "2, "
[ -e /etc/pki/tls/certs/alcasar.crt ] && rm -f /etc/pki/tls/certs/alcasar.crt && echo -n "3, "
[ -e /etc/pki/tls/private/alcasar.key ] && rm -f /etc/pki/tls/private/alcasar.key && echo -n "4, "
[ -e /etc/pki/tls/private/alcasar.pem ] && rm -f /etc/pki/tls/private/alcasar.pem && echo -n "5"
}
 
time_server ()
{
echo -en "(1) : "
[ -e /etc/ntp.conf.default ] && mv /etc/ntp.conf.default /etc/ntp.conf && echo -n "1"
}
 
init_db ()
{
echo -en "(2) : "
[ -e /etc/my.cnf.default ] && mv -f /etc/my.cnf.default /etc/my.cnf && echo -n "1, "
if [ -e /etc/systemd/system/mysqld.service ]
then
rm /etc/systemd/system/mysqld.service
echo -n "2"
fi
/usr/bin/systemctl daemon-reload
rm -rf /var/lib/mysql
}
 
freeradius ()
{
echo -en "(22) : "
[ -e /etc/raddb/empty-radiusd-db.sql ] && rm /etc/raddb/empty-radiusd-db.sql && echo -n "1, "
[ -e /etc/raddb/radiusd.conf.default ] && mv /etc/raddb/radiusd.conf.default /etc/raddb/radiusd.conf && echo -n "2, "
[ -e /etc/raddb/dictionary.default ] && mv /etc/raddb/dictionary.default /etc/raddb/dictionary && echo -n "3, "
[ -e /etc/raddb/dictionary.alcasar ] && rm /etc/raddb/dictionary.alcasar && echo -n "4, "
[ -e /etc/raddb/dictionary.coovachilli ] && rm /etc/raddb/dictionary.coovachilli && echo -n "5, "
[ -e /etc/raddb/clients.conf.default ] && mv /etc/raddb/clients.conf.default /etc/raddb/clients.conf && echo -n "6, "
[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar && echo -n "7, "
[ -e /etc/raddb/sites-available/alcasar ] && rm /etc/raddb/sites-available/alcasar && echo -n "8, "
[ -e /etc/raddb/sites-available/alcasar-with-ldap ] && rm /etc/raddb/sites-available/alcasar-with-ldap && echo -n "9, "
[ -e /etc/raddb/mods-available/ldap-alcasar ] && rm /etc/raddb/mods-available/ldap-alcasar && echo -n "10, "
i=10
for mods in sql sqlcounter attr_filter expiration logintime pap expr always
do
i=`expr $i + 1`
[ -e /etc/raddb/mods-enabled/$mods ] && rm /etc/raddb/mods-enabled/$mods && echo -n "$i, "
done
[ -e /etc/raddb/mods-available/sql.default ] && mv /etc/raddb/mods-available/sql.default /etc/raddb/mods-available/sql && echo -n "19, "
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] && mv /etc/raddb/mods-config/sql/main/mysql/queries.conf.default /etc/raddb/mods-config/sql/main/mysql/queries.conf && echo -n "20, "
[ -e /etc/raddb/mods-available/sqlcounter.default ] && mv /etc/raddb/mods-available/sqlcounter.default /etc/raddb/mods-available/sqlcounter && echo -n "21, "
if [ -e /etc/systemd/system/radiusd.service ]; then
rm -f /etc/systemd/system/radiusd.service
echo -n "22"
fi
}
 
chilli ()
{
echo -en "(4) : "
[ -e /etc/init.d/chilli.default ] && mv /etc/init.d/chilli.default /etc/init.d/chilli && echo -n "1, "
[ -e /usr/libexec/chilli ] && rm /usr/libexec/chilli && echo -n "2, "
[ -e /etc/chilli.conf.default ] && mv /etc/chilli.conf.default /etc/chilli.conf && echo -n "3, "
[ -e /etc/systemd/system/chilli.service ] && rm /etc/systemd/system/chilli.service && echo -n "4"
}
 
e2guardian ()
{
echo -en "(8) : "
[ -d /var/e2guardian ] && rm -rf /var/e2guardian
[ -d /var/dansguardian ] && rm -rf /var/dansguardian
if [ -e /etc/systemd/system/e2guardian.service ]; then
rm -f /etc/systemd/system/e2guardian.service
echo -n "1, "
fi
[ -e /etc/e2guardian/e2guardian.conf.default ] && mv /etc/e2guardian/e2guardian.conf.default /etc/e2guardian/e2guardian.conf && echo -n "2, "
[ -e /usr/share/e2guardian/languages/french/alcasar-e2g.html ] && rm /usr/share/e2guardian/languages/french/alcasar-e2g.html && echo -n "3, "
[ -e /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html ] && rm /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html && echo -n "4, "
[ -e /etc/e2guardian/e2guardianf1.conf.default ] && mv /etc/e2guardian/e2guardianf1.conf.default /etc/e2guardian/e2guardianf1.conf && echo -n "5, "
[ -d /etc/e2guardian/lists/group1 ] && rm -rf /etc/e2guardian/lists/group1 && echo -n "6, "
[ -e /etc/e2guardian/lists/common/exceptioniplist.default ] && mv /etc/e2guardian/lists/common/exceptioniplist.default /etc/e2guardian/lists/common/exceptioniplist && echo -n "7, "
[ -e /etc/e2guardian/e2guardianf2.conf ] && rm -f /etc/e2guardian/e2guardianf2.conf && echo -n "8."
}
 
antivirus ()
{
echo -en "(4) : "
if [ -e /etc/systemd/system/clamav-daemon.service ]; then
rm -f /etc/systemd/system/clamav-daemon.service
echo -n "1, "
fi
if [ -e /etc/systemd/system/clamav-daemon.socket ]; then
rm -f /etc/systemd/system/clamav-daemon.socket
echo -n "2, "
fi
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "3, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "4"
}
 
ulogd ()
{
echo -en "(6) : "
i=0
for log_type in traceability ssh ext-access
do
i=`expr $i + 1`
[ -e /etc/ulogd-$log_type.conf ] && rm -f /etc/ulogd-$log_type.conf && echo -n "$i, "
i=`expr $i + 1`
[ -e /etc/systemd/system/ulogd-$log_type.service ] && rm -f /etc/systemd/system/ulogd-$log_type.service && echo -n "$i, "
done
}
 
nfsen ()
{
# we don't remove user "nfcapd" & nfcapd folders in order to keep data when updating
echo -en "(1) : "
[ -e /etc/systemd/system/nfcapd.service ] && rm -f /etc/systemd/system/nfcapd.service && echo -n "1"
}
 
vnstat ()
{
echo -en "(2) : "
[ -e /etc/vnstat.conf.default ] && mv /etc/vnstat.conf.default /etc/vnstat.conf && echo -n "1, "
if [ -e /etc/systemd/system/vnstat.service ]; then
rm -f /etc/systemd/system/vnstat.service
echo -n "2"
fi
}
 
unbound ()
{
echo -en "(9) : "
[ -e /etc/unbound/unbound.conf.default ] && mv /etc/unbound/unbound.conf.default /etc/unbound/unbound.conf && echo -n "1, "
[ -e /etc/unbound/unbound-blacklist.conf ] && rm -f /etc/unbound/unbound-blacklist.conf && echo -n "2, "
[ -e /etc/unbound/unbound-whitelist.conf ] && rm -f /etc/unbound/unbound-whitelist.conf && echo -n "3, "
[ -e /etc/unbound/unbound-blackhole.conf ] && rm -f /etc/unbound/unbound-blackhole.conf && echo -n "4, "
[ -e /etc/unbound/conf.d ] && rm -rf /etc/unbound/conf.d && echo -n "5, "
i=6
for list in blacklist blackhole whitelist
do
if [ -e /etc/systemd/system/unbound-$list.service ]
then
rm -f /etc/systemd/system/unbound-$list.service
echo -n "$i, "
fi
i=`expr $i + 1`
done
if [ -e /etc/systemd/system/unbound.service ]; then
rm -f /etc/systemd/system/unbound.service
echo -n "9"
fi
}
 
dhcpd ()
{
echo -en "(1) : "
[ -e /etc/dhcpd.conf.default ] && mv /etc/dhcpd.conf.default /etc/dhcpd.conf && echo -n "1"
}
 
cron ()
{
# /etc/cron.d/alcasar-daemon-watchdog is removed at the beginning of this script
echo -en "(12) : "
i=1
for cron in `ls /etc/cron.d/alcasar-* 2>/dev/null`
do
rm $cron && echo -n "$i, "
i=`expr $i + 1`
done
[ -e /etc/crontab.default ] && mv /etc/crontab.default /etc/crontab && echo -n "11, "
[ -e /etc/anacrontab.default ] && mv /etc/anacrontab.default /etc/anacrontab && echo -n "12"
}
 
fail2ban ()
{
echo -en "(11) : "
[ -e /etc/fail2ban/jail.conf.default ] && mv /etc/fail2ban/jail.conf.default /etc/fail2ban/jail.conf && echo -n "1, "
[ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf # only for ALCASAR version <= V3.5.1
i=2
for filter in `ls /etc/fail2ban/filter.d/alcasar_* 2>/dev/null`
do
i=`expr $i + 1`
rm $filter && echo -n "$i, "
done
for jail in `ls /etc/fail2ban/jail.d/*alcasar_* 2>/dev/null`
do
i=`expr $i + 1`
rm $jail && echo -n "$i, "
done
if [ -e /etc/systemd/system/fail2ban.service ]; then
rm -f /etc/systemd/system/fail2ban.service
echo -n "11"
fi
}
 
gammu_smsd ()
{
echo -en "(4) : "
[ -e /etc/gammu_smsd_conf ] && rm -f /etc/gammu_smsd_conf && echo -n "1, "
[ -e /etc/systemd/system/gammu-smsd.service ] && rm -f /etc/systemd/system/gammu-smsd.service && echo -n "2, "
[ -e /var/log/gammu-smsd ] && rm -rf /var/log/gammu-smsd && echo -n "3, "
userdel -r gammu_smsd 2>/dev/null && echo -n "4"
#[ -e /lib/udev/rules.d/66-huawei.rules ] && rm -f /lib/udev/rules.d/66-huawei.rules && echo -n "4"
}
 
msec ()
{
echo -en "(2) : "
if [ -e /etc/security/msec/security.conf ]; then
[ -e /etc/security/msec/security.conf.default ] && mv /etc/security/msec/security.conf.default /etc/security/msec/security.conf && echo -n "1, "
[ -e /etc/security/msec/perm.local ] && rm -f /etc/security/msec/perm.local && echo -n "2"
else
echo -n "uninstalled"
fi
}
 
letsencrypt ()
{
echo -en "(3) : "
[ -e /usr/local/etc/letsencrypt ] && rm -rf /usr/local/etc/letsencrypt && echo -n "1, "
[ -e /opt/acme.sh/acme.sh ] && /opt/acme.sh/acme.sh --uninstall --nocron 1>/dev/null && echo -n "2, "
[ -e /opt/acme.sh ] && rm -rf /opt/acme.sh && echo -n "3"
}
 
mail_service()
{
echo -en "(1) : "
[ -e /etc/postfix/main.cf.orig ] && mv /etc/postfix/main.cf.orig /etc/postfix/main.cf && echo -n "1"
}
 
post_install ()
{
echo -en "(7) : "
[ -e /etc/mageia-release.default ] && mv -f /etc/mageia-release.default /etc/mageia-release && echo -n "1, "
[ -e /etc/ssh/alcasar-banner-ssh ] && rm -f /etc/ssh/alcasar-banner-ssh && echo -n "2, "
[ -e /etc/ssh/sshd_config.default ] && mv -f /etc/ssh/sshd_config.default /etc/ssh/sshd_config && echo -n "3, "
[ -e /etc/bashrc.default ] && mv -f /etc/bashrc.default /etc/bashrc && echo -n "4, "
[ -e /etc/sudoers.default ] && mv -f /etc/sudoers.default /etc/sudoers && echo -n "5, "
[ -e /etc/security/limits.conf.default ] && mv -f /etc/security/limits.conf.default /etc/security/limits.conf && echo -n "6, "
[ -e /etc/default/grub.default ] && mv -f /etc/default/grub.default /etc/default/grub && echo -n "7"
}
 
usage="Usage: alcasar-uninstall.sh {-update or --update} | {-full or --full}"
 
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]; then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
--update | -update)
mode="update"
;;
--full | -full)
mode="full"
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
clear
if [ $mode == "full" ]; then
echo "----------------------------------------------------------------------------"
echo "** Uninstall/Désinstallation d'ALCASAR **"
echo "----------------------------------------------------------------------------"
services="vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist unbound-blackhole nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli"
/usr/local/bin/alcasar-logout.sh all # logout everybody
else
echo "--------------------------------------------------------------------------"
echo "** update/mise à jour d'ALCASAR **"
echo "--------------------------------------------------------------------------"
# unbound, iptables & sshd should stay on to allow remote update
services="vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist unbound-blackhole nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli"
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update + users stay connected during the update
fi
 
echo "Stopping services : "
# remove daemon watchdog in order to not restart alcasar daemons during the uninstall process
[ -e /etc/cron.d/alcasar-daemon-watchdog ] && rm -f /etc/cron.d/alcasar-daemon-watchdog
/usr/local/bin/alcasar-sms.sh --stop
for i in $services
do
service_exist=`systemctl list-unit-files | grep ^$i.service | wc -l`
if [ $service_exist -eq 1 ]; then
/usr/bin/systemctl disable $i.service
/usr/bin/systemctl stop $i.service 1>/dev/null
sleep 1
else
echo "The service $i.service doesn't exist !"
fi
done
echo "Check the service clearing"
for i in $services
do
if [ `systemctl is-active $i.service` == "active" ]; then
echo "The service '$i' need to be killed"
/usr/bin/systemctl stop $i.service
killall $i
fi
done
 
[ $mode == "update" ] && /usr/bin/systemctl reload sshd # reload sshd in case of remote update
 
echo "Reset ALCASAR main functions : "
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat unbound dhcpd cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
do
echo -en "\n- $func "
$func
if [ $DEBUG_ALCASAR == "on" ]; then
echo -n " *** 'debug' : end removing function '$func' *** "
read a
fi
done
if [ $mode == "full" ]; then
echo -en "\n- network(10) : "
hostnamectl set-hostname localhost.localdomain
chmod a-x /etc/sysconfig/network-scripts/default-*
i=0
for nic in `ls /etc/sysconfig/network-scripts/default-*|cut -d'-' -f4`
do
i=`expr $i + 1`
/sbin/ifdown $nic
[ -e /etc/sysconfig/network-scripts/default-ifcfg-$nic ] && mv -f /etc/sysconfig/network-scripts/default-ifcfg-$nic /etc/sysconfig/network-scripts/ifcfg-$nic && echo -n "$i ($nic), "
done
[ -e /etc/sysconfig/network.default ] && mv -f /etc/sysconfig/network.default /etc/sysconfig/network && echo -n "3, "
[ -e /etc/hosts.default ] && mv -f /etc/hosts.default /etc/hosts && echo -n "4, "
[ -e /etc/hosts.allow.default ] && mv -f /etc/hosts.allow.default /etc/hosts.allow && echo -n "5, "
[ -e /etc/hosts.deny.default ] && mv -f /etc/hosts.deny.default /etc/hosts.deny && echo -n "6, "
[ -e /etc/modprobe.preload.default ] && mv -f /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "7, "
if [ -e /etc/systemd/system/alcasar-network.service ]; then
rm -f /etc/systemd/system/alcasar-network.service
echo -n "8, "
fi
if [ -e /etc/systemd/system/iptables.service ]; then
rm -f /etc/systemd/system/iptables.service
echo -n "9, "
fi
[ -e /usr/libexec/iptables.init.default ] && mv -f /usr/libexec/iptables.init.default /usr/libexec/iptables.init && echo -n "10"
/usr/bin/systemctl restart network
sleep 1
fi
 
# Reset "skip.list" (we keep "kernel" in order not to download kernel we don't want to have)
echo "/^kernel/" > /etc/urpmi/skip.list
if [ `grep -E '^exclude=' /etc/dnf/dnf.conf |wc -l` -eq "1" ]; then
$SED "s?^exclude=.*?exclude=kernel\*?g" /etc/dnf/dnf.conf
else
echo "exclude=kernel*" >> /etc/dnf/dnf.conf
fi
# Cleaning (remove all "old" alcasar scripts)
echo -en "\n- End of cleaning ...\n"
for rm_fic in /usr/local/bin /usr/local/etc /usr/local/sbin
do
rm -rf $rm_fic/alcasar*
done
/usr/bin/update-grub2
 
if [ $mode == "full" ]; then
echo -n "Waiting for Network to be up again : "
i=0
while [ $i -lt 10 ] # We wait 10 seconds max
do
echo -n "."
DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`
if [ "$DNS1" != "" ] && [ "$DNS1" != "127.0.0.1" ]; then
i=9
echo -n "ok"
fi
i=`expr $i + 1`
sleep 1
done
fi
echo
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
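Review bot: `post_install` puts `/etc/sudoers.default` back over `/etc/sudoers` with a bare `mv -f` and no syntax check, so a backup that was edited or left stale while ALCASAR was installed can silently make sudo unusable (sudo also refuses the file if its owner or mode are wrong, and `mv` keeps whatever the backup has); validate first with `visudo -c -f /etc/sudoers.default && mv -f /etc/sudoers.default /etc/sudoers && echo -n "5, "`. The same unchecked restore applies to `/etc/ssh/sshd_config.default` two lines earlier, and in update mode the script later runs `systemctl reload sshd` on the assumption that sshd stays up for remote updates, so a broken config would make that reload fail — `sshd -t -f /etc/ssh/sshd_config.default` before the `mv` catches it. Separately, the "Check the service clearing" loop tests an unquoted command substitution, `if [ `systemctl is-active $i.service` == "active" ]`, which makes `[` fail with a syntax error whenever the output is empty; quote it as `if [ "$(systemctl is-active $i.service)" == "active" ]; then`. None of the destructive steps check that the script runs as root or stop on error, so a partial run leaves a mix of restored and unrestored files; a `[ "$(id -u)" -eq 0 ] || exit 1` guard near the top would at least fail early.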
/scripts/alcasar-bl.sh
0,0 → 1,378
#!/bin/bash
 
# $Id$
 
# alcasar-bl.sh
# by Franck BOUIJOUX and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 
# Gestion de la BL pour le filtrage de domaine (via unbound) et d'URL (via E2guardian)
# Manage the BL for domain filtering (with unbound) and URL filtering (with E2guardian)
 
DIR_CONF="/usr/local/etc"
CONF_FILE="$DIR_CONF/alcasar.conf"
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
DIR_tmp="/tmp/blacklists"
FILE_tmp="/tmp/filesfilter.txt"
FILE_ip_tmp="/tmp/filesipfilter.txt"
DIR_DG="/etc/e2guardian/lists"
DIR_DG_BL="$DIR_DG/blacklists"
DIR_DG_GROUP1="$DIR_DG/group1"
GLOBAL_USAGE="$DIR_CONF/alcasar-global-usage" # file containing the description of the lists
BL_CATEGORIES="$DIR_CONF/alcasar-bl-categories" # list of names of the BL categories
WL_CATEGORIES="$DIR_CONF/alcasar-wl-categories" # ' ' WL categories
BL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-bl-categories-enabled" # ' ' BL enabled categories
WL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-wl-categories-enabled" # ' ' WL enabled categories
DIR_SHARE="/usr/local/share"
DIR_DNS_BL="$DIR_SHARE/unbound-bl" # all the BL in the Unbound format
DIR_DNS_WL="$DIR_SHARE/unbound-wl" # all the WL ' ' '
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL
DIR_DNS_BL_ENABLED="$DIR_SHARE/unbound-bl-enabled" # symbolic link to the domains BL (only enabled categories)
DIR_DNS_WL_ENABLED="$DIR_SHARE/unbound-wl-enabled" # ' ' ' WL ' '
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories)
DIR_IP_WL_ENABLED="$DIR_SHARE/iptables-wl-enabled" # ' ' ip WL (ossi and ossi-* imported from ACC)
REHABILITATED_DNS_FILE="/etc/unbound/conf.d/blacklist/rehabilitated.conf"
BL_SERVER="dsi.ut-capitole.fr"
SED="/bin/sed -i"
 
# enable/disable the BL & WL categories
function cat_choice (){
mkdir -p $DIR_tmp
for LIST in $DIR_IP_BL_ENABLED $DIR_DNS_BL_ENABLED $DIR_IP_WL_ENABLED $DIR_DNS_WL_ENABLED
do
if [ ! -e $LIST ] # only on install stage
then
mkdir $LIST
else
rm -rf ${LIST:?}/*
fi
chown root:apache $LIST
chmod 770 $LIST
done
# update categories with rsync
if [ ! -e $DIR_CONF/update_cat.conf ]
then
touch $DIR_CONF/update_cat.conf
chown root:apache $DIR_CONF/update_cat.conf
chmod 660 $DIR_CONF/update_cat.conf
fi
$SED "/\.Include/d" $DIR_DG_GROUP1/bannedurllist # cleaning E2G url blacklisted
# $SED "/\.Include/d" $DIR_DG_GROUP1/bannedsitelist # cleaning E2G domain blacklisted (now managed by unbound)
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines)
 
# process the file $BL_CATEGORIES with the choice of categories
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED`
do
$SED "/\/$ENABLE_CATEGORIE$/d" $BL_CATEGORIES
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $BL_CATEGORIES
ln -sf $DIR_DNS_BL/$ENABLE_CATEGORIE.conf $DIR_DNS_BL_ENABLED/$ENABLE_CATEGORIE
ln -sf $DIR_IP_BL/$ENABLE_CATEGORIE $DIR_IP_BL_ENABLED/$ENABLE_CATEGORIE
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG_GROUP1/bannedsitelist # Blacklisted domains are managed by unbound
echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/urls>" >> $DIR_DG_GROUP1/bannedurllist
done
sort +0.0 -0.2 $BL_CATEGORIES -o $FILE_tmp
mv $FILE_tmp $BL_CATEGORIES
sort +0.0 -0.2 $BL_CATEGORIES_ENABLED -o $FILE_tmp
mv $FILE_tmp $BL_CATEGORIES_ENABLED
chown root:apache $BL_CATEGORIES $BL_CATEGORIES_ENABLED
chmod 660 $BL_CATEGORIES $BL_CATEGORIES_ENABLED
 
# process the file $WL_CATEGORIES with the choice of categories
for ENABLE_CATEGORIE in `cat $WL_CATEGORIES_ENABLED`
do
$SED "/\/$ENABLE_CATEGORIE$/d" $WL_CATEGORIES
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $WL_CATEGORIES
ln -sf $DIR_DNS_WL/$ENABLE_CATEGORIE.conf $DIR_DNS_WL_ENABLED/$ENABLE_CATEGORIE
done
sort +0.0 -0.2 $WL_CATEGORIES -o $FILE_tmp
mv $FILE_tmp $WL_CATEGORIES
sort +0.0 -0.2 $WL_CATEGORIES_ENABLED -o $FILE_tmp
mv $FILE_tmp $WL_CATEGORIES_ENABLED
chown root:apache $WL_CATEGORIES $WL_CATEGORIES_ENABLED
chmod 660 $WL_CATEGORIES $WL_CATEGORIES_ENABLED
}
 
# cleaning file and split it ("domains" in $FILE_tmp & "IP" in $FILE_ip_tmp)
function clean_split (){
$SED '/^[.#]/d' $FILE_tmp # remove commented lines and lines beginning with a dot
$SED '/^\s*$/d' $FILE_tmp # remove empty lines
$SED '/[äâëêïîöôüû@,]/d' $FILE_tmp # remove line with "chelou" characters
# extract ip addresses and ip networks for iptables.
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add bl_ip_blocked " $0}' $FILE_tmp > $FILE_ip_tmp
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]{1,2}$/{print "add bl_ip_blocked " $0}' $FILE_tmp >> $FILE_ip_tmp
# extract domain names for unbound.
$SED -n '/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/!p' $FILE_tmp
# Retrieve max Top Level Domain for domain name synthax
#MAX_TLD=$(curl http://data.iana.org/TLD/tlds-alpha-by-domain.txt | grep -v '-' | grep -v '#' | wc -L)
#if [ $(echo $MAX_TLD | wc -c) -eq 0 ];then
# MAX_TLD=18
#fi
# search for correction grep -E "([a-zA-Z0-9_-.]+\.){1,2}[a-zA-Z]{2,$MAX_TLD}" $ossi_custom_dir/domains > $FILE_tmp
}
 
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload }"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Retrieve Toulouse University BL
-download | --download)
rm -rf /tmp/con_ok.html
`/usr/bin/curl $BL_SERVER -# -o /tmp/con_ok.html`
if [ ! -e /tmp/con_ok.html ]
then
echo "Erreur : le serveur de blacklist ($BL_SERVER) n'est pas joignable"
else
rm -rf /tmp/con_ok.html $DIR_tmp
mkdir $DIR_tmp
wget -P $DIR_tmp http://$BL_SERVER/blacklists/download/blacklists.tar.gz
md5sum $DIR_tmp/blacklists.tar.gz | cut -d" " -f1 > $DIR_tmp/md5sum
chown -R apache:apache $DIR_tmp
fi
;;
# enable/disable categories (used only during the alcasar install process)
-cat_choice | --cat_choice)
cat_choice
;;
# Adapt Toulouse University BL to ALCASAR architecture (unbound + DG + iptables)
-adapt | --adapt)
echo -n "Adaptation process of Toulouse University blackList. Please wait : "
if [ -f $DIR_tmp/blacklists.tar.gz ] # when downloading the last version of the BL
then
# keep custom files (ossi)
for x in $(ls -1 $DIR_DG_BL | grep "^ossi-*")
do
mv $DIR_DG_BL/$x $DIR_tmp
done
rm -rf $DIR_DG_BL $DIR_IP_BL
mkdir $DIR_DG_BL $DIR_IP_BL
tar zxf $DIR_tmp/blacklists.tar.gz --directory=$DIR_DG/
# replace the global_usage file of the archive
cp -f $GLOBAL_USAGE $DIR_DG_BL/global_usage
chown -R e2guardian:apache $DIR_DG
chmod -R 770 $DIR_DG
# Add the two local categories (ossi-bl & ossi-wl) to the usage file
# Add the custom categories (ossi-tor_nodes) to the usage file
cat <<EOF >> $DIR_DG_BL/global_usage
 
NAME: ossi-bl
DEFAULT_TYPE: black
SOURCE: ALCASAR Team
DESC FR: sites blacklistés ajoutés localement
DESC EN: blacklisted sites add locally
NAME FR: ossi-bl
NAME EN: ossi-bl
 
NAME: ossi-wl
DEFAULT_TYPE: white
SOURCE: ALCASAR Team
DESC FR: sites autorisés ajoutés localement
DESC EN: whitelisted sites add locally
NAME FR: ossi-wl
NAME EN: ossi-wl
 
NAME: ossi-bl-tor_nodes
DEFAULT_TYPE: black
SOURCE: ALCASAR Team
DESC FR: Adresses IP des noeuds (routeurs) d'entrée du réseau TOR
DESC EN: IP addresses of input TOR nodes (routers)
NAME FR: Noeuds TOR
NAME EN: TOR nodes
 
NAME: ossi-bl-ultrasurf
DEFAULT_TYPE: black
SOURCE: ALCASAR Team
DESC FR: Adresses IP des point de sortie ULTRASURF
DESC EN: IP addresses of output points of ULTRASURF
NAME FR: Points de sortie ULTRASURF
NAME EN: ULTRASURF output points
 
NAME: ossi-bl-candc
DEFAULT_TYPE: black
SOURCE: Bambenek Consulting: https://osint.bambenekconsulting.com
DESC FR: liste des URLs et IPs des serveurs command & control
DESC EN: list of URLs and IPs of command & control servers
NAME FR: Serveurs Command & Control
NAME EN: Command & Control Server
 
EOF
# Retrieve custom files (ossi)
for x in $(ls -1 $DIR_tmp | grep "^ossi-*")
do
mv $DIR_tmp/$x $DIR_DG_BL
done
fi
rm -f $BL_CATEGORIES $WL_CATEGORIES $WL_CATEGORIES_ENABLED
rm -rf $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED
touch $BL_CATEGORIES $WL_CATEGORIES
mkdir $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED
find $DIR_DG_BL/ -type f -name domains > $FILE_tmp # retrieve directory name where a domain file exist
$SED "s?\/domains??g" $FILE_tmp # remove "/domains" suffix
for dir_categorie in `cat $FILE_tmp` # create the blacklist and the whitelist files
do
categorie=`echo $dir_categorie|cut -d "/" -f6`
categorie_type=`grep -A1 ^NAME:[$' '$'\t']*$categorie\$ $DIR_DG_BL/global_usage | grep ^DEFAULT_TYPE | cut -d":" -f2 | tr -d " \t"`
if [ "$categorie_type" == "white" ]
then
echo "$categorie" >> $WL_CATEGORIES_ENABLED
fi
echo "$dir_categorie" >> $BL_CATEGORIES
echo "$dir_categorie" >> $WL_CATEGORIES
done
rm -f $FILE_tmp
# Verify that the enabled categories are effectively in the BL (need after an update of the BL)
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED`
do
ok=`grep /$ENABLE_CATEGORIE$ $BL_CATEGORIES|wc -l`
if [ $ok != "1" ]
then
$SED "/^$ENABLE_CATEGORIE$/d" $BL_CATEGORIES_ENABLED
fi
done
# Verify that the enabled categories are effectively in the WL (need after an update of the WL)
for ENABLE_CATEGORIE in `cat $WL_CATEGORIES_ENABLED`
do
ok=`grep /$ENABLE_CATEGORIE$ $WL_CATEGORIES|wc -l`
if [ $ok != "1" ]
then
$SED "/^$ENABLE_CATEGORIE$/d" $WL_CATEGORIES_ENABLED
fi
done
 
# Creation of Unbound and Iptables BL and WL
for LIST in $BL_CATEGORIES $WL_CATEGORIES # for each list (bl and wl)
do
for PATH_FILE in `cat $LIST` # for each category
do
DOMAIN=`basename $PATH_FILE`
echo -n "$DOMAIN, "
if [ ! -f $PATH_FILE/urls ] # create 'urls' file if it doesn't exist
then
touch $PATH_FILE/urls
chown e2guardian:apache $PATH_FILE/urls
fi
cp $PATH_FILE/domains $FILE_tmp
clean_split # clean ossi custom files & split them for unbound and for iptables
if [ "$LIST" == "$BL_CATEGORIES" ]
then
# adapt to the unbound syntax for the blacklist
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN
else
# adapt to the unbound syntax for the whitelist
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp
$SED "p; s? transparent? ipset?g" $FILE_tmp # duplicate lines to enable ipset module
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf
fi
done
done
echo
chown -R root:apache $BL_CATEGORIES $WL_CATEGORIES $BL_CATEGORIES_ENABLED $WL_CATEGORIES_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
chmod 770 $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
chmod -f 660 $BL_CATEGORIES $WL_CATEGORIES $BL_CATEGORIES_ENABLED $WL_CATEGORIES_ENABLED $DIR_DNS_BL/* $DIR_DNS_WL/* $DIR_IP_BL/* $DIR_IP_WL/*
rm -f $FILE_tmp $FILE_ip_tmp
rm -rf $DIR_tmp
;;
# reload when selected categories are changed or when ossi change his custom files
-reload | --reload)
# for E2Gardian
cat_choice
# for unbound (rehabilitated domain names)
rm -f $REHABILITATED_DNS_FILE
if [ "$(wc -w $DIR_DG_GROUP1/exceptionsitelist | cut -d " " -f1)" != "0" ]
then
touch $REHABILITATED_DNS_FILE
while read -r domain; do
[ -z "$domain" ] && continue
echo "local-zone: $domain typetransparent" >> $REHABILITATED_DNS_FILE
echo "local-zone-tag: $domain \"\"" >> $REHABILITATED_DNS_FILE
done < $DIR_DG_GROUP1/exceptionsitelist
fi
# adapt OSSI BL & WL custom files
for dir in $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
do
rm -f $dir/ossi*
done
find $DIR_DG_BL/ -type f -name domains | grep ossi- > $FILE_tmp # retrieve ossi directories name where a domain file exist
$SED "s?\/domains??g" $FILE_tmp # remove "/domains" suffix
for ossi_custom_dir in `cat $FILE_tmp` # create the blacklist and the whitelist files
do
chown -R root:apache $ossi_custom_dir
chmod 770 $ossi_custom_dir
ossi_categorie=`echo $ossi_custom_dir|cut -d "/" -f6`
short_categorie=`echo "$ossi_categorie" | cut -d"-" -f2`
if [ $short_categorie == "bl" ]
then
categorie_type="black"
else
categorie_type="white"
fi
$SED "s/\r//" $ossi_custom_dir/domains $ossi_custom_dir/urls # remove Windows <CR> from custom file
cp $ossi_custom_dir/domains $FILE_tmp
clean_split # clean ossi custom files & split them for unbound and for iptables
if [ $categorie_type == "white" ]
then
# adapt the file to the unbound syntax and enable it if needed
# for the WL
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp
$SED "p; s? transparent? ipset?g" $FILE_tmp # duplicate lines to enable ipset module
mv $FILE_tmp $DIR_DNS_WL/$ossi_categorie.conf
mv $FILE_ip_tmp $DIR_IP_WL/$ossi_categorie
enabled=`grep ^$ossi_categorie$ $WL_CATEGORIES_ENABLED | wc -l`
if [ $enabled == "1" ]
then
$SED "/\/$ossi_categorie$/d" $WL_CATEGORIES
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ossi_categorie" $WL_CATEGORIES
ln -sf $DIR_DNS_WL/$ossi_categorie.conf $DIR_DNS_WL_ENABLED/$ossi_categorie
ln -sf $DIR_IP_WL/$ossi_categorie $DIR_IP_WL_ENABLED/$ossi_categorie
fi
else
# for the BL
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_BL/$ossi_categorie.conf
mv $FILE_ip_tmp $DIR_IP_BL/$ossi_categorie
enabled=`grep ^$ossi_categorie$ $BL_CATEGORIES_ENABLED | wc -l`
if [ $enabled == "1" ]
then
$SED "/\/$ossi_categorie$/d" $BL_CATEGORIES
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ossi_categorie" $BL_CATEGORIES
ln -sf $DIR_DNS_BL/$ossi_categorie.conf $DIR_DNS_BL_ENABLED/$ossi_categorie
ln -sf $DIR_IP_BL/$ossi_categorie $DIR_IP_BL_ENABLED/$ossi_categorie
fi
fi
done
for file in $BL_CATEGORIES $BL_CATEGORIES_ENABLED $WL_CATEGORIES $WL_CATEGORIES_ENABLED
do
sort +0.0 -0.2 $file -o $FILE_tmp
mv $FILE_tmp $file
chown root:apache $file
chmod 660 $file
done
chown -R root:apache $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
chmod 660 $DIR_DNS_BL/* $DIR_DNS_WL/* $DIR_IP_BL/* $DIR_IP_WL/*
if [ "$PARENT_SCRIPT" != "alcasar-conf.sh" ] # don't launch on install stage
then
/usr/bin/systemctl restart unbound-blacklist
/usr/bin/systemctl restart unbound-whitelist
/usr/bin/systemctl restart e2guardian
/usr/local/bin/alcasar-iptables.sh
fi
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
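Review bot: The `-download` branch fetches `blacklists.tar.gz` over plain HTTP (`wget -P $DIR_tmp http://$BL_SERVER/blacklists/download/blacklists.tar.gz`) and the `md5sum` written on the next line is computed from the file just downloaded, so nothing in this file verifies what the `-adapt` branch later unpacks as root into `$DIR_DG` with `tar zxf`; a tampered or truncated archive is extracted all the same. At minimum fetch over TLS, `wget -P $DIR_tmp https://$BL_SERVER/blacklists/download/blacklists.tar.gz`, and if the publisher provides a reference checksum compare `$DIR_tmp/md5sum` against it before `-adapt` extracts (I cannot tell from this hunk whether the stored md5sum is consumed anywhere else). The reachability probe just above, `` `/usr/bin/curl $BL_SERVER -# -o /tmp/con_ok.html` ``, is wrapped in backticks, which execute curl's stdout as a second command; drop the backticks and branch on curl's exit status with `-f` rather than on the file's existence, since curl writes the output file for an HTTP error page as well. `$DIR_tmp` and `/tmp/con_ok.html` are fixed names under world-writable `/tmp` that root removes and recreates; `mktemp -d` would avoid reusing a path another local user pre-created between the `rm -rf` and the `mkdir`.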
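--- a/scripts/alcasar-conf.sh
+++ b/scripts/alcasar-conf.sh
@@ -0,0 +1,524 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-conf.sh
+# by REXY
+# This script is distributed under the Gnu General Public License (GPL)
+
+# Ce script permet la mise à jour d'un ALCASAR
+# - (alcasar-conf.sh -create) : création de l'archive des fichiers de configuration (/var/tmp/alcasar-conf.tar.gz)
+# - (alcasar-conf.sh -load) : chargement de l'archive des fichiers de configuration. Le cas échéant, c'est ici qu'on met à jour les fichiers entre versions
+# - (alcasar-conf.sh -apply) : application des directives du fichier de conf central "/usr/local/etc/alcasar.conf". Peut aussi être exploité à chaud après avoir changé des valeurs du fichier de conf.
+# This script allows ALCASAR update
+# - (alcasar-conf.sh -create) : create the configuration files backup (/var/tmp/alcasar-conf.tar.gz)
+# - (alcasar-conf.sh -load) : load the backup of configuration files. If needed, it's here we update files between versions
+# - (alcasar-conf.sh -load) : apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf". Can be use after changes of conf file values.
+
+DIR_UPDATE="/var/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour
+DIR_WEB="/var/www/html" # répertoire du centre de gestion
+DIR_BIN="/usr/local/bin" # scripts directory
+DIR_ETC="/usr/local/etc" # conf directory
+DIR_E2G="/etc/e2guardian/lists" # Toulouse BL directory
+DIR_BLACKLIST="$DIR_E2G/blacklists" # Toulouse BL directory
+CONF_FILE="$DIR_ETC/alcasar.conf" # main alcasar conf file
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+DB_USER=$(grep '^db_user=' $PASSWD_FILE | cut -d'=' -f 2-)
+DB_PASS=$(grep '^db_password=' $PASSWD_FILE | cut -d'=' -f 2-)
+EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
+INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
+MTU=`grep ^PUBLIC_MTU= $CONF_FILE|cut -d"=" -f2`
+DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
+INT_DNS_mode=`grep ^INT_DNS_ACTIVE= $CONF_FILE|cut -d"=" -f2`
+HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
+DOMAIN=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
+DOMAIN=${DOMAIN:=localdomain}
+DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2` # To configure WL domain names
+HTTPS_LOGIN=`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`
+SED="/bin/sed -i"
+
+private_network_calc ()
+{
+PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24)
+PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0)
+PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24)
+classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; # classes de réseau (ex.: 2=classe B, 3=classe C)
+PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.)
+PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
+private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # last octet of LAN broadcast
+private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address
+PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
+PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
+PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF
+}
+
+usage="Usage: alcasar-conf.sh {--create or -create} | {--load or -load} | {--apply or -apply}"
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+nb_args=1
+args="-h"
+fi
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+###################################################
+## Create an archive conf file ##
+###################################################
+--create|-create)
+[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE
+mkdir $DIR_UPDATE
+# backup the users database (test to delete in future version)
+$DIR_BIN/alcasar-mysql.sh --dump
+cp /var/Save/base/"$(ls -1t /var/Save/base|head -1)" $DIR_UPDATE
+# backup organism logo
+cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE
+# backup E2D BL/WL custom files
+mkdir $DIR_UPDATE/custom_bl
+for i in urlregexplist exceptionsitelist bannedurllist
+do
+cp $DIR_E2G/group1/$i $DIR_UPDATE/custom_bl/
+done
+cp $DIR_E2G/common/exceptioniplist $DIR_UPDATE/custom_bl/
+cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null
+# backup conf files (main conf file, filtering, digest, etc.)
+mkdir $DIR_UPDATE/etc/
+cp -rf $DIR_ETC/* $DIR_UPDATE/etc/
+cp -f /etc/hosts $DIR_UPDATE/etc/
+# backup of the security certificates (server & CA)
+cp -f /etc/pki/tls/certs/alcasar.crt* $DIR_UPDATE
+cp -f /etc/pki/tls/private/alcasar.key* $DIR_UPDATE
+[ -e /etc/pki/tls/private/alcasar.pem ] && cp -f /etc/pki/tls/private/alcasar.pem $DIR_UPDATE # since V3.3
+cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE
+cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE
+if [ -e /etc/pki/tls/certs/server-chain.pem ]; then
+cp -f /etc/pki/tls/certs/server-chain.pem $DIR_UPDATE # autosigned and official if exist
+else
+cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.pem
+fi
+# backup gammu conf file (if necessary)
+SMS=`grep ^SMS= $CONF_FILE|cut -d"=" -f2`
+if [ "$SMS" == "on" ]
+then
+cp -f /etc/gammurc $DIR_UPDATE
+cp -f /etc/gammu_smsd_conf $DIR_UPDATE
+fi
+# archive file creation
+cd /var/tmp || { echo "Unable to find /var/tmp directory"; }
+tar -cf alcasar-conf.tar conf/
+gzip -f alcasar-conf.tar
+cp alcasar-conf.tar.gz /var/www/html/acc/backup/alcasar-conf.tar.gz
+chown apache:apache /var/www/html/acc/backup/alcasar-conf.tar.gz
+rm -rf $DIR_UPDATE
+;;
+
+###################################################
+## Load an archive conf file ##
+###################################################
+--load|-load)
+if [ ! -f /var/tmp/alcasar-conf.tar.gz ]; then
+echo "Conf file not found (/var/tmp/alcasar-conf.tar.gz) !"
+return 1
+fi
+CURRENT_DIR=`pwd` # install folder
+cd /var/tmp
+tar -xf alcasar-conf.tar.gz
+# update alcasar.conf parameters
+PREVIOUS_VERSION=`grep ^VERSION= $DIR_UPDATE/etc/alcasar.conf|cut -d"=" -f2`
+MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
+MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
+UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
+for line in `cat $DIR_UPDATE/etc/alcasar.conf | grep "=" | grep -Ev "^#| |VERSION|INSTALL_DATE|PUBLIC|GW|EXTIF|INTIF"`
+do
+key=`echo $line | cut -d"=" -f1`
+key=$key=
+value=`echo $line|cut -d"=" -f2-`
+if [ "$value" != "" ]
+then
+sed -i "s?^$key.*?$key$value?g" /usr/local/etc/alcasar.conf
+fi
+done
+# lighttpd need a .pem certificate (aggregation with private key & server crt)
+[ ! -f $DIR_UPDATE/alcasar.pem ] && (cat $DIR_UPDATE/alcasar.key; echo; cat $DIR_UPDATE/alcasar.crt) > $DIR_UPDATE/alcasar.pem
+# Retrieve organism logo
+[ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/
+chown apache:apache $DIR_WEB/images/organisme.png $DIR_WEB/intercept.php
+# Retrieve the security certificates (CA and server)
+cp -f $DIR_UPDATE/alcasar-ca.crt /etc/pki/CA/
+cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/
+cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/
+cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/
+cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/
+[ -e $DIR_UPDATE/server-chain.pem ] && cp -f $DIR_UPDATE/server-chain.pem /etc/pki/tls/certs/ # autosigned and official if exist
+chmod 755 /etc/pki/
+chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
+chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
+chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
+chmod 600 /etc/pki/CA/private/*
+chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
+chmod 640 /etc/pki/tls/private/*
+chmod 644 /etc/pki/tls/certs/*
+# Import of the users database
+$DIR_BIN/alcasar-mysql.sh --import "$(ls $DIR_UPDATE/alcasar-users-database*)"
+# Retrieve local parameters
+[ -d $DIR_UPDATE/etc/digest ] && cp -rf $DIR_UPDATE/etc/digest $DIR_ETC/ # ACC accounts
+[ -e $DIR_UPDATE/etc/alcasar-iptables-local.sh ] && cp -f $DIR_UPDATE/etc/alcasar-iptables-local.sh $DIR_ETC/ # local FW rules
+[ -e $DIR_UPDATE/etc/alcasar-iptables-local-mac-filtered ] && cp -f $DIR_UPDATE/etc/alcasar-iptables-local-mac-filtered $DIR_ETC/ # blocked MAC addresses
+[ -e $DIR_UPDATE/etc/alcasar-services ] && cp -f $DIR_UPDATE/etc/alcasar-services $DIR_ETC/ # protocols filtering for users (profil 3 : customized with ACC)
+[ -e $DIR_UPDATE/etc/alcasar-uamdomain ] && cp -f $DIR_UPDATE/etc/alcasar-uamdomain $DIR_ETC/ # exception domain names
+[ -e $DIR_UPDATE/etc/alcasar-uamallowed ] && cp -f $DIR_UPDATE/etc/alcasar-uamallowed $DIR_ETC/ # exception IP_addresses or network_IP_addresses
+[ -e $DIR_UPDATE/etc/alcasar-ethers ] && cp -f $DIR_UPDATE/etc/alcasar-ethers $DIR_ETC/ # DHCP static hosts
+[ -e $DIR_UPDATE/etc/alcasar-ethers-info ] && cp -f $DIR_UPDATE/etc/alcasar-ethers-info $DIR_ETC/ # DHCP static hosts information
+[ -e $DIR_UPDATE/etc/hosts ] && cp -f $DIR_UPDATE/etc/hosts /etc/ # local host name resolution
+[ -e $DIR_UPDATE/etc/alcasar-letsencrypt ] && cp -f $DIR_UPDATE/etc/alcasar-letsencrypt $DIR_ETC/ # Letsencrypt local conf
+[ -d $DIR_UPDATE/etc/letsencrypt ] && cp -rf $DIR_UPDATE/etc/letsencrypt $DIR_ETC/ # Letsencrypt local conf files
+[ -e $DIR_UPDATE/gammurc ] && cp -f $DIR_UPDATE/gammurc /etc/ # Gammu conf file
+[ -e $DIR_UPDATE/gammu_smsd_conf ] && cp -f $DIR_UPDATE/gammu_smsd_conf /etc/ # Gammu_smsd conf file
+# Retrieve BL/WL custom files
+cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/common/
+cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/group1/
+cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/
+cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/group1/
+cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null
+chown -R e2guardian:apache $DIR_E2G
+chmod -R g+rw $DIR_E2G
+# Adapt DNS/URL filtering
+PARENT_SCRIPT=`basename $0`
+export PARENT_SCRIPT
+$DIR_BIN/alcasar-bl.sh -cat_choice
+$DIR_BIN/alcasar-bl.sh -reload
+# admin profile update (admin + manager + backup)
+$DIR_BIN/alcasar-profil.sh --list
+# Apply changes between versions
+## V5.5 --> V6.0
+## remove dnsmasq service
+[ -e /etc/dnsmasq-whitelist.conf ] && rm -f /etc/dnsmasq*
+[ -e /etc/systemd/system/dnsmasq-whitelist.service ] && rm -f /etc/systemd/system/dnsmasq* && urpme dnsmasq
+# Remove the update folder
+rm -rf $DIR_UPDATE
+;;
+
+####################################################
+## Configure ALCASAR according to alcasar.conf ##
+####################################################
+--apply|-apply)
+PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
+PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
+if ! echo $PRIVATE_IP_MASK | grep -q -E $PTN
+then
+echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)"
+exit 0
+fi
+PUBLIC_IP_MASK=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`
+PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
+if [[ "$PUBLIC_IP_MASK" == "dhcp" ]]
+then
+PUBLIC_GATEWAY="dhcp"
+DHCP_DNS_servers=`cat /var/lib/dhclient/dhclient--$EXTIF.lease |grep domain-name-servers|sed -n "1 p"| rev|cut -d" " -f1|rev|tr -d ';'`
+DNS1=`echo $DHCP_DNS_servers | cut -d"," -f1`
+DNS2=`echo $DHCP_DNS_servers | cut -d"," -f2`
+else
+if ! echo $PUBLIC_IP_MASK | grep -q -E $PTN
+then
+echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)"
+exit 0
+fi
+PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
+PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
+PUBLIC_GATEWAY=`grep ^GW= $CONF_FILE|cut -d"=" -f2`
+if ! echo $PUBLIC_GATEWAY | grep -q -E $PTN
+then
+echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)"
+exit 0
+fi
+DNS1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
+if ! echo $DNS1 | grep -q -E $PTN
+then
+echo "Syntax error for the IP address of the first DNS server ($DNS1)"
+exit 0
+fi
+DNS2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
+if ! echo $DNS2 | grep -q -E $PTN
+then
+echo "Syntax error for the IP address of the second DNS server ($DNS2)"
+exit 0
+fi
+fi
+PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
+PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`
+private_network_calc
+INSTALL_DATE=`grep ^INSTALL_DATE= $CONF_FILE|cut -d"=" -f2`
+ORGANISME=`grep ^ORGANISM= $CONF_FILE|cut -d"=" -f2-`
+BL_SAFESEARCH=`grep ^BL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2`
+WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2`
+BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE|cut -d"=" -f2`
+DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
+if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
+then
+if [ "$DHCP_mode" = "off" ] || [ "$DHCP_mode" = "Off" ] || [ "$DHCP_mode" = "OFF" ]
+then
+$DIR_BIN/alcasar-dhcp.sh --off
+else
+$DIR_BIN/alcasar-dhcp.sh --on
+fi
+# Set the local DNS (or not)
+if [ "$INT_DNS_mode" = "on" ] || [ "$INT_DNS_mode" = "On" ] || [ "$INT_DNS_mode" = "ON" ]
+then
+$DIR_BIN/alcasar-dns-local.sh --on-without-restart
+else
+$DIR_BIN/alcasar-dns-local.sh --off-without-restart
+fi
+# Set the pure ip option (or not)
+if [ "$BL_PUREIP" = "off" ] || [ "$BL_PUREIP" = "Off" ] || [ "$BL_PUREIP" = "OFF" ]
+then
+bl_filter_param+="--pureip_off"
+else
+bl_filter_param+="--pureip_on"
+fi
+# Set the safesearch options (or not)
+bl_filter_param=""
+if [ "$BL_SAFESEARCH" = "on" ] || [ "$BL_SAFESEARCH" = "On" ] || [ "$BL_SAFESEARCH" = "ON" ]
+then
+bl_filter_param+="--safesearch_on "
+else
+bl_filter_param+="--safesearch_off "
+fi
+$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param
+if [ "$WL_SAFESEARCH" = "on" ] || [ "$WL_SAFESEARCH" = "On" ] || [ "$WL_SAFESEARCH" = "ON" ]
+then
+$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on
+else
+$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off
+fi
+# Reload the local dns configuration
+$DIR_BIN/alcasar-dns-local.sh --reload
+# Logout everybody
+$DIR_BIN/alcasar-logout.sh all
+# Services stop
+echo -n "Stop services : "
+for i in ntpd e2guardian unbound unbound-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd
+do
+/usr/bin/systemctl stop $i && echo -n "$i, "
+done
+echo
+fi
+# EXTIF config
+if [ $PUBLIC_IP_MASK == "dhcp" ]
+then
+cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
+DEVICE=$EXTIF
+BOOTPROTO=dhcp
+DNS1=127.0.0.1
+PEERDNS=no
+RESOLV_MODS=yes
+ONBOOT=yes
+METRIC=10
+MII_NOT_SUPPORTED=yes
+IPV6INIT=no
+IPV6TO4INIT=no
+ACCOUNTING=no
+USERCTL=no
+MTU=$MTU
+NOZEROCONF=yes
+EOF
+else # set the static configuration for EXTIF in multi-gw mode
+$DIR_BIN/alcasar-network.sh --apply
+fi
+# INTIF config (for bypass mode only)
+$SED "s?^IPADDR=.*?IPADDR=$PRIVATE_IP?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
+$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
+# NTP server
+$SED "/127.0.0.1/!s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap?g" /etc/ntp.conf
+# host.allow
+cat <<EOF > /etc/hosts.allow
+ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
+sshd: ALL
+ntpd: $PRIVATE_NETWORK_SHORT
+EOF
+# Set hostname
+hostnamectl set-hostname $HOSTNAME.$DOMAIN
+# /etc/hosts (retriving local hostnames)
+cp /etc/hosts /tmp/hosts
+echo "127.0.0.1 localhost" > /etc/hosts
+echo "$PRIVATE_IP $HOSTNAME $HOSTNAME.$DOMAIN" >> /etc/hosts
+while read -r line
+do
+if ! echo $line | grep -E -q "^([0-9\.\t ]+alcasar( |$)|127\.0\.0)"
+then
+echo $line >> /etc/hosts
+fi
+done < /tmp/hosts
+rm -f /tmp/hosts
+# MOTD
+$SED "s@'https://\(.\+\)/acc'@'https://$HOSTNAME.$DOMAIN/acc'@" /etc/mageia-release
+# Lighttpd
+$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
+$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
+$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
+# FreeRADIUS
+$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf
+$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf
+# CoovaChilli
+$SED "s/^uamallowed.*/uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
+$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
+$SED "s/^domain.*/domain\t\t$DOMAIN/g" /etc/chilli.conf
+[ "`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http"
+$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf
+$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
+$SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf
+$SED "s?^dns1.*?dns1\t\t$PRIVATE_IP?g" /etc/chilli.conf
+$SED "s?^dns2.*?dns2\t\t$PRIVATE_IP?g" /etc/chilli.conf
+$SED "s?^uamlisten.*?uamlisten\t$PRIVATE_IP?g" /etc/chilli.conf
+PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
+$SED "s?^dhcpopt.*?dhcpopt\t\t2a04$PRIVATE_IP_HEXA?g" /etc/chilli.conf
+# modify the DHCP static ip file. Reserve the second IP address for INTIF (the first one is for tun0). Keep previous entries
+$SED "s?^$PRIVATE_MAC.*?$PRIVATE_MAC $PRIVATE_SECOND_IP?" $DIR_ETC/alcasar-ethers $DIR_ETC/alcasar-ethers-info
+# unbound
+# removing unbound configuration files
+rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.*
+rm -f /etc/unbound/conf.d/common/forward-zone.conf
+# Configuration file for the dns servers forward-zone
+cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
+forward-zone:
+name: "."
+forward-addr: $DNS1
+forward-addr: $DNS2
+EOF
+# Configuration file for lo of forward
+cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
+server:
+interface: 127.0.0.1@53
+access-control-view: 127.0.0.1/8 lo
+view:
+name: "lo"
+local-data: "$HOSTNAME A 127.0.0.1"
+local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
+local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
+view-first: yes
+EOF
+# Configuration file for $INTIF of forward
+cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
+server:
+interface: ${PRIVATE_IP}@53
+access-control-view: $PRIVATE_NETWORK_MASK $INTIF
+view:
+name: "$INTIF"
+view-first: yes
+EOF
+# Configuration file for $INTIF of blacklist
+cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
+server:
+interface: ${PRIVATE_IP}@54
+access-control: $PRIVATE_IP_MASK allow
+access-control-tag: $PRIVATE_IP_MASK "blacklist"
+access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
+access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
+EOF
+# Configuration file for $INTIF of whitelist
+cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
+server:
+interface: ${PRIVATE_IP}@55
+access-control: $PRIVATE_IP_MASK allow
+access-control-tag: $PRIVATE_IP_MASK "whitelist"
+access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
+access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
+EOF
+# Configuration file for $INTIF of blackhole unbound
+cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
+server:
+interface: ${PRIVATE_IP}@56
+access-control-view: $PRIVATE_NETWORK_MASK $INTIF
+view:
+name: "$INTIF"
+local-zone: "." redirect
+local-data: ". A $PRIVATE_IP"
+EOF
+
+# dhcpd
+cat <<EOF > /etc/dhcpd.conf
+ddns-update-style none;
+subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
+option routers $PRIVATE_IP;
+option subnet-mask $PRIVATE_NETMASK;
+option domain-name-servers $PRIVATE_IP;
+range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
+default-lease-time 21600;
+max-lease-time 43200;
+}
+EOF
+$DIR_BIN/alcasar-dns-local.sh -hosts_to_unbound # add local name resolution to unbound (forward & blackhole)
+# E2guardian
+$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf
+$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
+$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
+# Prompts
+$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
+# sudoers
+$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
+# gammu-smsd
+$SED "s?^user =.*?user = $DB_USER?g" /etc/gammu_smsd_conf
+$SED "s?^password =.*?password = $DB_PASS?g" /etc/gammu_smsd_conf
+# HTTPS login (Y/n)
+if [ "$HTTPS_LOGIN" = "on" ] || [ "$HTTPS_LOGIN" = "On" ] || [ "$HTTPS_LOGIN" = "ON" ]
+then
+$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE
+$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=on?" $CONF_FILE
+$SED "s?^uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" /etc/chilli.conf
+$SED "s?^#redirssl.*?redirssl?" /etc/chilli.conf
+$SED "s?^#uamuissl.*?uamuissl?" /etc/chilli.conf
+rm -f /etc/lighttpd/vhosts.d/alcasar.conf
+ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
+else
+$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE
+$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=off?" $CONF_FILE
+$SED "s?^uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" /etc/chilli.conf
+$SED "s?^redirssl.*?#&?" /etc/chilli.conf
+$SED "s?^uamuissl.*?#&?" /etc/chilli.conf
+rm -f /etc/lighttpd/vhosts.d/alcasar.conf
+ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
+fi
+# Services start
+if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
+then
+/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1
+$DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli
+for i in unbound unbound-blackhole ntpd
+do
+sleep 1
+/usr/bin/systemctl start $i && echo -n ", $i"
+done
+$DIR_BIN/alcasar-bl.sh -reload && echo -n ", unbound-blacklist, unbound-whitelist, e2guardian, iptables"
+/usr/bin/systemctl restart lighttpd && echo -n ", lighttpd"
+fi
+# Email user registration
+$DIR_BIN/alcasar-mail-install.sh
+# Start / Stop LDAP authentification
+if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
+then
+LDAP_mode=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2`
+if [ $LDAP_mode = "on" ]
+then
+$DIR_BIN/alcasar-ldap.sh --on
+else
+$DIR_BIN/alcasar-ldap.sh --off
+fi
+fi
+# Start / Stop Gammu-smsd (SMS)
+if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
+then
+SMS_mode=`grep ^SMS= $CONF_FILE|cut -d"=" -f2`
+if [ $SMS_mode = "on" ]
+then
+$DIR_BIN/alcasar-sms.sh --start
+fi
+fi
+echo
+;;
+*)
+echo "Argument inconnu : $1";
+echo "$usage"
+exit 1
+;;
+esac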
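Review bot: The `-create` branch bundles the CA private key, the server key, the users-database dump and the ACC digest directory into `/var/tmp/alcasar-conf.tar.gz` with `tar -cf` / `gzip -f` and no explicit mode, so unless the caller's umask is already restrictive the archive sits world-readable in a shared temp directory, and the copy under `/var/www/html/acc/backup/` is handed to `apache` without a mode either. I would add `umask 077` before the `tar -cf` line and `chmod 640 /var/www/html/acc/backup/alcasar-conf.tar.gz` after the `chown`, and confirm that lighttpd only serves `/acc/backup/` behind the digest authentication. In the `-load` branch, `return 1` after "Conf file not found" is not inside a function, so bash only reports an error and falls through to `cd /var/tmp`, `tar -xf` and the `cp -f`/`rm -rf` sequence on a missing archive; it should be `exit 1`. The `-apply` branch likewise uses `exit 0` after every "Syntax error" message, which tells alcasar.sh or the ACC that a rejected PRIVATE_IP/GW/DNS value was applied successfully; those should exit non-zero.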
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
/scripts/alcasar-iptables.sh
0,0 → 1,588
#!/bin/bash
# $Id$
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script writes the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders
# There are four channels for log :
# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);
# 2 protection of ALCASAR with the Ulog group 1 (default group)
# 3 SSH on ALCASAR with the Ulog group 2;
# 4 extern access attempts on ALCASAR with the Ulog group 3.
# The bootps/dhcp (67) port is always open on tun0/INTIF by coova
CONF_FILE="/usr/local/etc/alcasar.conf"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
TUNIF="tun0" # listen device for chilli daemon
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24)
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
dhcp_on_extif="off"
if [[ "$public_ip_mask" == "dhcp" ]]
then
dhcp_on_extif="on"
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
public_ip_mask=`ip addr show $EXTIF | grep -o -E $PTN`
fi
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
dns2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
dns1=${dns1:=208.67.220.220}
dns2=${dns2:=208.67.222.222}
DNSSERVERS="$dns1,$dns2" # first and second public DNS servers
INT_DNS_IP=`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2` # Adresse du serveur DNS interne
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port
SSH_LAN=${SSH_LAN:=0}
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` # SSH WAN port
SSH_WAN=${SSH_WAN:=0}
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2`
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}
SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" )
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
IPTABLES="/sbin/iptables"
REHABILITED_IP="/etc/e2guardian/lists/common/exceptioniplist"
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
interlan=${interlan:=off}
 
# Allow requests to internal DNS if activated
if [ "$INT_DNS_ACTIVE" = "on" ]
then
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
fi
 
#ipset name list for load_balancing
gw_list="gw0"
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
for ((i=1 ; i<=$nb_gw ; i++)); do
gw_list="${gw_list} gw$i"
done
fi
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
ipset list not_filtered 1>/dev/null 2>&1
if [ $? -eq 0 ];
then
ipset save not_filtered > $TMP_users_set_save
ipset save av >> $TMP_users_set_save
ipset save av_bl >> $TMP_users_set_save
ipset save av_wl >> $TMP_users_set_save
ipset save proto_0 >> $TMP_users_set_save
ipset save proto_1 >> $TMP_users_set_save
ipset save proto_2 >> $TMP_users_set_save
ipset save proto_3 >> $TMP_users_set_save
fi
 
# Sauvegarde de la liste de toutes les IP déjà connectées pour les réintégrer dans le load balancing
# Saving all of the already connected IP in order to put them back in the load balancing after
if [ ! -f $TMP_ip_gw_save ];then
# Save only if alcasar-network.sh --save has not been executed before
for i in $gw_list;do
ipset list $i 1>/dev/null 2>&1
if [ $? -eq 0 ]
then
# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines execpt the members
ipset list $i | cut -d":" -f5 | sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save
fi
done
fi
 
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
# loading of NetFlow probe (ipt_NETFLOW kernel module)
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 
# Effacement des règles existantes
# Flush all existing rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
 
# Suppression des chaines utilisateurs sur les tables filter et nat
# Flush non default rules on filter and nat tables
$IPTABLES -X
$IPTABLES -t nat -X
 
# Stratégies par défaut
# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
#############################
# IPSET #
#############################
# destruction de tous les SET
# destroy all SET
ipset flush
ipset destroy
 
###### BL set ###########
# Calcul de la taille / Compute the length
bl_set_length=$(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)
# Chargement / loading
echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
do
cat $BL_IP_CAT/$category >> $TMP_set_save
done
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
# Suppression des ip réhabilitées / Removing of rehabilitated ip
for ip in $(cat $REHABILITED_IP)
do
ipset -q del bl_ip_blocked $ip
done
 
# ipset for exception web sites (usefull for filtered users = av_bl)
ipset create site_direct hash:net hashsize 1024
for site in $(cat $ALLOWED_SITES)
do
ipset add site_direct $site
done
 
###### WL set ###########
# taille fixe, car peuplé par unbound / fixe length due to unbound dynamic loading
wl_set_length=65536
# Chargement Loading
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
#get ip-wl files from ACC
for category in `ls -1 $WL_IP_CAT |cut -d '@' -f1`
do
cat $WL_IP_CAT/$category >> $TMP_set_save
done
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
 
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET
# Restoring the connected users SETs if available, otherwise creating SETs
if [ -e $TMP_users_set_save ];
then
ipset -! restore < $TMP_users_set_save
rm -f $TMP_users_set_save
else
ipset create not_filtered hash:ip hashsize 1024
ipset create av hash:ip hashsize 1024
ipset create av_bl hash:ip hashsize 1024
ipset create av_wl hash:ip hashsize 1024
# pour les filtrages de protocole par utilisateur / For network protocols filtering by user
ipset create proto_0 hash:ip hashsize 1024
ipset create proto_1 hash:ip hashsize 1024
ipset create proto_2 hash:ip hashsize 1024
ipset create proto_3 hash:ip hashsize 1024
fi
 
#ipsets for load balancing
for i in $gw_list; do
ipset create $i hash:ip
done
cat $TMP_ip_gw_save | while read ip; do
gw_min="gw0"
weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2`
already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2`
#The *1000 is here to avoid working on floats in bash
gw_min_value=$((1000 * $already / $weight))
i=1
for gw in $gw_list;do
if [ "$gw" != "gw0" ]; then
weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'`
already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2`
value=$((1000 * $already / $weight))
if [ $value -lt $gw_min_value ]
then
gw_min_value=$value
gw_min=$gw
fi
i=$(($i+1))
fi
done
ipset add $gw_min $ip
done
rm -f $TMP_ip_gw_save
 
#############################
# PREROUTING #
#############################
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
# 8080 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
# 8081 = ipset av_wl + av (to be redefine)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8081 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8081 -j MARK --set-mark 2
# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av (future version)
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6
 
# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT
# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules
# 54 = ipset av_bl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3
# 55 = ipset av_wl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4
# 56 = blackall
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 56 -j MARK --set-mark 5
 
# redirection DNS des usagers
# users DNS redirection
# 54 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54
# 55 = ipset av_wl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
# 53 = all other users
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
 
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection HTTP des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'av_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Journalisation des usagers "av_bl + av_wl + av" (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
# accounting of "av_bl + av_wl + av" users (only syn packets). Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
 
# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
# 8080 = ipset av_bl
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# 8081 = ipset av_wl & av
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
 
# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian (in a future version - don't forget to set E2guardian as a tranparent HTTPS proxy)
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
 
# Redirection des requêtes NTP vers le serveur NTP local
# Redirect NTP request in local NTP server
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
 
#Récupération de la marque associée à une gw pour chaque connection
$IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark
 
if [ "$PROXY" == "on" ] || [ "$PROXY" == "On" ];then
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp -m multiport --dports http,https -j DNAT --to-destination $PROXY_IP
fi
 
#Marquage pour le load balancing
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
temp_index=200
for i in $gw_list; do
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index
temp_index=$(($temp_index+1))
done
fi
 
#############################
# INPUT #
#############################
# Tout passe sur loopback
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
 
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN)
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
 
# Si configuré, on autorise les réponses DHCP sur EXTIF
# If configured, DHCP responses are allowed on EXTIF
if [[ "$dhcp_on_extif" == "on" ]]
then
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 68 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 68 -j ACCEPT
fi
 
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
# Drop broadcast & multicast on EXTIF to avoid log
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On autorise les retours de connexions légitimes par INPUT
# Conntrack on INPUT
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8081 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av
#$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av (future version)
 
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian
# Allow HTTP connections to E2Guardian
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8081 -m conntrack --ctstate NEW --syn -j ACCEPT
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT # (future version)
 
# On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections to DNS ports (UNBOUND). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 3 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 55 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 4 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 5 -j REJECT --reject-with tcp-reset
 
# On autorise les connexion DNS légitime
# Allow DNS connections
# ipset = av_bl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
# ipset = av_wl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
# blackall
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
 
# On accepte l'accès aux services internes
# Internal services access
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
 
# Accès au serveur SSHD si activé en LAN et WAN
# SSHD server access in LAN and WAN if enabled
if [ $SSH_LAN -gt 0 ]
then
$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT
fi
if [ $SSH_WAN -gt 0 ]
then
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
. /usr/local/etc/alcasar-iptables-local.sh
fi
 
# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN
# Deny and log on INPUT from the LAN
$IPTABLES -A INPUT -i $TUNIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 
# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
# Reject INTIF access (only when chilli is down)
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 3 --nflog-prefix "RULE Protect1 -- REJECT "
$IPTABLES -A INPUT -i $INTIF -j REJECT
 
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
 
#############################
# FORWARD #
#############################
 
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
# Deny IPs of the SET bl_ip_blocked for the set av_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
# Active le suivi de session
# Allow Conntrack
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# Compute uamallowed IP (ie : IP address of equipments connected between ALCASAR and router like DMZ, own servers, etc.)
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
if [ $nb_uamallowed != "0" ]
then
while read ip_allowed_line
do
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m conntrack --ctstate NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m conntrack --ctstate NEW -j ACCEPT
done < /usr/local/etc/alcasar-uamallowed
fi
 
# filtrage protocole par utilisateur (profile 1 : http, https)
# protocols filtering for users (profil 1 : http, https)
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 
# filtrage protocole par utilisateur (profile 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh)
# protocols filtering for users (profil 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh)
 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
# protocols filtering for users (profil 3 : customized with ACC)
custom_tcp_protocols_list='';custom_udp_protocols_list=''
while read svc_line
do
svc_on=`echo $svc_line|cut -b1`
if [ $svc_on != "#" ]
then
svc_name=`echo $svc_line|cut -d" " -f1`
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
then
svc_icmp="on"
else
if [ "$custom_tcp_protocols_list" == "" ]
then
custom_tcp_protocols_list=$svc_port
else
custom_tcp_protocols_list=`echo $custom_tcp_protocols_list","$svc_port`
fi
udp_svc=`grep -E "[[:space:]]$svc_port/udp" /etc/services|wc -l`
if [ $udp_svc = "1" ] # udp service exist
then
if [ "$custom_udp_protocols_list" == "" ]
then
custom_udp_protocols_list=$svc_port
else
custom_udp_protocols_list=`echo $custom_udp_protocols_list","$svc_port`
fi
fi
fi
fi
done < /usr/local/etc/alcasar-services
if [ "$custom_tcp_protocols_list" == "" ]
then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -j REJECT
else
if [ "$svc_icmp" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j REJECT --reject-with icmp-proto-unreachable
fi
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports $custom_tcp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
fi
 
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
if [ "$interlan" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
fi
 
# Blocage des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL
# Block 'av_wl' users who want IP not in the WL
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -j DROP
 
# journalisation et autorisation des connections sortant du LAN
# Allow forward connections with log
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j ACCEPT
 
#############################
# OUTPUT #
#############################
# On laisse tout sortir sur la carte interne (voir les règles suivantes pour la carte externe)
# We let everything out on INTIF (see following rules for the EXTIF)
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 
# Si configuré, on autorise les requêtes DHCP sur EXTIF
# Allow DHCP requests on EXTIF if configured
if [[ "$dhcp_on_extif" == "on" ]]
then
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT
fi
 
# On autorise les requêtes DNS vers les serveurs DNS identifiés
# Allow DNS requests to identified DNS servers
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
 
# On autorise les requêtes HTTP et HTTPS avec log Netflow (en provenance de E2guardian)
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
 
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
# RSYNC requests are allowed (update of Toulouse BL)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
 
# On autorise les requêtes FTP
# FTP requests are allowed
# modprobe nf_conntrack_ftp # no more needed with kernel > 5.15.85
# $IPTABLES -t raw -A OUTPUT -p tcp --dport ftp -j CT --helper ftp # no more needed with kernel > 5.15.85
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# On autorise les requêtes NTP
# NTP requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
 
# On autorise les requêtes ICMP (ping)
# ICMP (ping) requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
 
# On autorise les requêtes LDAP
# LDAP requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p tcp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 
#############################
# POSTROUTING #
#############################
# Traduction dynamique d'adresse en sortie
# Dynamic NAT on EXTIF
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
#Sauvegarde de la marque associée à la connexion pour le load balancing
$IPTABLES -A POSTROUTING -t mangle -j CONNMARK --save-mark
 
#############################
# FAIL2BAN #
#############################
# Reload Fail2Ban
if systemctl -q is-active fail2ban; then
/usr/bin/fail2ban-client ping &>/dev/null && /usr/bin/fail2ban-client -q reload &>/dev/null
fi
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
/scripts/alcasar-url_filter_bl.sh
0,0 → 1,126
#!/bin/bash
 
# Id: $Id$
 
# alcasar-url_filter.sh
# by REXY
# This script is distributed under the Gnu General Public License (GPL)
 
# Active / désactive : safesearch des moteurs de recherche
# Enable / disable : search engines safesearch
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine
# Enable / disable : filter of urls containing ip address instead of domain name
 
CONF_FILE="/usr/local/etc/alcasar.conf"
DIR_DG_GROUP1="/etc/e2guardian/lists/group1"
UNBOUND_BL_DOMAIN_FILTER_CONF="/etc/unbound/conf.d/blacklist/domainfilter.conf"
SED="/bin/sed -i"
safesearch="Off"
pureip="Off"
usage="Usage: alcasar-url_filter_bl.sh { -safesearch_on or -safesearch_off } & { -pureip_on or -pureip_off }"
 
nb_args=$#
 
googledomains="google.com. google.ad. google.ae. google.com.af. google.com.ag. google.com.ai. google.al. google.am. google.co.ao. google.com.ar. google.as. google.at. google.com.au. google.az. google.ba. google.com.bd. google.be. google.bf. google.bg. google.com.bh. google.bi. google.bj. google.com.bn. google.com.bo. google.com.br. google.bs. google.bt. google.co.bw. google.by. google.com.bz. google.ca. google.cd. google.cf. google.cg. google.ch. google.ci. google.co.ck. google.cl. google.cm. google.cn. google.com.co. google.co.cr. google.com.cu. google.cv. google.com.cy. google.cz. google.de. google.dj. google.dk. google.dm. google.com.do. google.dz. google.com.ec. google.ee. google.com.eg. google.es. google.com.et. google.fi. google.com.fj. google.fm. google.fr. google.ga. google.ge. google.gg. google.com.gh. google.com.gi. google.gl. google.gm. google.gp. google.gr. google.com.gt. google.gy. google.com.hk. google.hn. google.hr. google.ht. google.hu. google.co.id. google.ie. google.co.il. google.im. google.co.in. google.iq. google.is. google.it. google.je. google.com.jm. google.jo. google.co.jp. google.co.ke. google.com.kh. google.ki. google.kg. google.co.kr. google.com.kw. google.kz. google.la. google.com.lb. google.li. google.lk. google.co.ls. google.lt. google.lu. google.lv. google.com.ly. google.co.ma. google.md. google.me. google.mg. google.mk. google.ml. google.com.mm. google.mn. google.ms. google.com.mt. google.mu. google.mv. google.mw. google.com.mx. google.com.my. google.co.mz. google.com.na. google.com.nf. google.com.ng. google.com.ni. google.ne. google.nl. google.no. google.com.np. google.nr. google.nu. google.co.nz. google.com.om. google.com.pa. google.com.pe. google.com.pg. google.com.ph. google.com.pk. google.pl. google.pn. google.com.pr. google.ps. google.pt. google.com.py. google.com.qa. google.ro. google.ru. google.rw. google.com.sa. google.com.sb. google.sc. google.se. google.com.sg. google.sh. google.si. google.sk. google.com.sl. google.sn. 
google.so. google.sm. google.sr. google.st. google.com.sv. google.td. google.tg. google.co.th. google.com.tj. google.tk. google.tl. google.tm. google.tn. google.to. google.com.tr. google.tt. google.com.tw. google.co.tz. google.com.ua. google.co.ug. google.co.uk. google.com.uy. google.co.uz. google.com.vc. google.co.ve. google.vg. google.co.vi. google.com.vn. google.vu. google.ws. google.rs. google.co.za. google.co.zm. google.co.zw. google.cat."
 
youtubedomains="www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com"
 
safesearch=""
pureip=""
 
if [ $nb_args -lt 1 ]
then
echo "$usage"
exit 1
fi
 
while [ $nb_args -ge 1 ]
do
arg=${!nb_args}
case $arg in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Safe search activation
-safesearch_on | --safesearch_on)
safesearch="On"
;;
# Safe search deactivation
-safesearch_off | --safesearch_off)
safesearch="Off"
;;
# pure_ip activation
-pureip_on | --pureip_on)
pureip="On"
;;
# pureip deactivation
-pureip_off | --pureip_off)
pureip="Off"
;;
*)
echo "Argument inconnu :$arg";
echo "$usage"
exit 1
;;
esac
nb_args=$(expr $nb_args - 1)
done
 
if [ "$safesearch" == "On" ]
then
$SED "s?^#\"?\"?g" $DIR_DG_GROUP1/urlregexplist # on décommente les lignes de regles
# add 'SafeSearch' redirection for google searching
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip
 
# config file header
echo "server:" > $UNBOUND_BL_DOMAIN_FILTER_CONF
 
for domain in $googledomains
do
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $google_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
done
 
# add 'SafeSearch' redirection for youtube searching
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip
for domain in $youtubedomains
do
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $youtube_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
done
 
# add 'SafeSearch' redirection for bing searching
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip
echo -e "\tlocal-zone: \"www.bing.com\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"www.bing.com A $bing_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
 
# add 'SafeSearch' redirection for qwant searching
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip
echo -e "\tlocal-zone: \"api.qwant.com\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"api.qwant.com A $qwant_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
 
$SED 's/^BL_SAFESEARCH=.*/BL_SAFESEARCH=on/g' $CONF_FILE
elif [ "$safesearch" == "Off" ]
then
$SED "s?^[^#]?#&?g" $DIR_DG_GROUP1/urlregexplist
[ -e $UNBOUND_BL_DOMAIN_FILTER_CONF ] && rm -f $UNBOUND_BL_DOMAIN_FILTER_CONF
 
$SED 's/^BL_SAFESEARCH=.*/BL_SAFESEARCH=off/g' $CONF_FILE
fi
 
if [ "$pureip" == "On" ]
then
$SED "s/^\#\*ip$/*ip/g" $DIR_DG_GROUP1/bannedsitelist
$SED "s/^\#\*ips$/*ips/g" $DIR_DG_GROUP1/bannedsitelist
 
$SED 's/^BL_PUREIP=.*/BL_PUREIP=on/g' $CONF_FILE
elif [ "$pureip" == "Off" ]
then
$SED "s/^\*ip$/#*ip/g" $DIR_DG_GROUP1/bannedsitelist
$SED "s/^\*ips$/#*ips/g" $DIR_DG_GROUP1/bannedsitelist
 
$SED 's/^BL_PUREIP=.*/BL_PUREIP=off/g' $CONF_FILE
fi
systemctl restart e2guardian
systemctl restart unbound-blacklist
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
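Review bot: The four `host -ta … | grep "address" | cut -d" " -f4` lookups (forcesafesearch.google.com, restrict.youtube.com, strict.bing.com, safeapi.qwant.com) are never validated, so a failed resolution yields an empty variable and the script still writes `local-data: "<domain> A "` into domainfilter.conf (a multi-record answer gives a space-joined value instead), then restarts unbound-blacklist with a file it will most likely reject. Because the `server:` header is written before the lookups, a failure part-way also leaves a truncated config behind. I would route all four through one helper that keeps a single answer and rejects anything that is not an IPv4 literal, call it as `google_safe_server=$(resolve_safe_ip forcesafesearch.google.com) || exit 1` (same for the other three), and only then write the header and the local-zone loops. Since these addresses come from the upstream resolver at run time, a presumably rare resolver outage at configuration time would otherwise turn "enable safesearch" into a DNS outage for every filtered user.
```shell
# Resolve the A record of $1 and print one IPv4 literal; fail otherwise, so a
# failed or multi-answer lookup can never be written into the unbound config.
resolve_safe_ip ()
{
    local ip
    ip=`host -ta "$1" | grep "address" | head -n1 | cut -d" " -f4`
    if ! [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]
    then
        echo "Unable to resolve $1 : safesearch not applied" >&2
        return 1
    fi
    echo "$ip"
}

if [ "$safesearch" == "On" ]
then
    google_safe_server=$(resolve_safe_ip forcesafesearch.google.com) || exit 1
    youtube_safe_server=$(resolve_safe_ip restrict.youtube.com) || exit 1
    bing_safe_server=$(resolve_safe_ip strict.bing.com) || exit 1
    qwant_safe_server=$(resolve_safe_ip safeapi.qwant.com) || exit 1
    $SED "s?^#\"?\"?g" $DIR_DG_GROUP1/urlregexplist
    # config file header (written only once every address is known)
    echo "server:" > $UNBOUND_BL_DOMAIN_FILTER_CONF
    # … unchanged: local-zone / local-data loops for google, youtube, bing and qwant (inline host lookups removed) …
```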
/scripts/alcasar-rpm.sh
0,0 → 1,292
#!/bin/bash
 
# alcasar-rpm.sh
# by 3abtux and Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# script de mise en place des dépots RPM + installation des RPM complémentaires
# configure the RPM repository + complementary RPM installation
 
Lang=`echo $LANG|cut -c 1-2`
SED="/bin/sed -i"
VERSION="9"
ARCH="x86_64"
# The kernel version we compile netflow for
KERNEL="kernel-server-6.6.22-1.mga9"
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
# (old) perl-Socket6 : needed by nfsen
# "fonts-dejavu-common" & "fonts-ttf-dejavu" : fonts needed by wkhtmltopdf
# "lsscsi" & nvme-cli" & "php-dom" : needed by phpsysinfo
# "socat" : avoid a warning when run the install script of letsencrypt ("acme.sh")
# "sudo" : needed after a reinstallation (to be investigated)
# "postfix" + "cyrus-sasl" + "lib64sasl2-plug-plain" : email registration method
# "nmap" : "/usr/share/nmap/nmap-mac-prefixes" is used to display MAC manufacturers in ACC
 
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-dom php-filter unbound e2guardian postfix mariadb ntpsec bind-utils openssh-server rng-utils rsync fail2ban gnupg2 ulogd ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware kernel-firmware-nonfree dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat postfix cyrus-sasl lib64sasl2-plug-plain iftop"
 
rpm_repository_sync ()
{
cat <<EOF > /etc/urpmi/urpmi.cfg
{
downloader: wget
}
EOF
echo ${!MIRRORLIST}
urpmi.addmedia core --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/core/release
urpmi.addmedia core-updates --update --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/core/updates
urpmi.addmedia nonfree --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/nonfree/release
urpmi.addmedia nonfree-updates --update --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/nonfree/updates
}
 
rpm_error ()
{
# restore previous rpm conf file & removed RPMs
[ -e /etc/urpmi/urpmi.cfg.old ] && mv /etc/urpmi/urpmi.cfg.old /etc/urpmi/urpmi.cfg
urpmi --no-verify-rpm --auto rpms/$ARCH/wkhtmltopdf*.rpm
echo
if [ $Lang == "fr" ]
then
echo "Relancez l'installation ultérieurement."
echo "Si vous rencontrez à nouveau ce problème, modifier les variables MIRRORLIST[1&2] du fichier 'scripts/alcasar-rpm.sh'"
else
echo "Try an other install later."
echo "If this problem occurs again, change the MIRRORLIST[1&2] variables in the file 'scripts/alcasar-rpm.sh'"
fi
}
 
# We prefer wget than curl
urpmi --no-verify-rpm --auto rpms/$ARCH/wget*.rpm
 
# Set the RPM repository (if not already set)
cp /etc/urpmi/urpmi.cfg /etc/urpmi/urpmi.cfg.old
ACTIVE_REPO=`cat /etc/urpmi/urpmi.cfg|grep "mageia.org"|wc -l`
MIRROR_NBR=3
# For French
MIRRORLIST1="http://ftp.free.fr/mirrors/mageia.org/distrib/$VERSION/$ARCH"
# For Europeans
MIRRORLIST2="https://www.mirrorservice.org/pub/mageia/distrib/$VERSION/$ARCH"
# For everybody
MIRRORLIST3="https://mirrors.mageia.org/api/mageia.$VERSION.$ARCH.list"
try_nb="0"; nb_repository="0"
while [ "$nb_repository" != "4" ]
do
try_nb=`expr $try_nb + 1`
MIRRORLIST="MIRRORLIST$try_nb"
rpm_repository_sync
nb_repository=`cat /etc/urpmi/urpmi.cfg|grep mirrorlist|wc -l`
if [ "$nb_repository" != "4" ]
then
if [ $Lang == "fr" ]
then
echo "Une erreur a été détectée lors de la synchronisation avec le dépot N°$try_nb."
else
echo "An error occurs when synchronising the repositories N°$try_nb"
fi
if [ $(expr $try_nb) -eq $MIRROR_NBR ]
then
rpm_error
exit 1
fi
if [ $Lang == "fr" ]
then
echo "Voulez-vous tenter une synchronisation avec un autre dépôt ? (O/n)"
else
echo "Do you want to try a synchronisation with an other repository? (Y/n)"
fi
response=0
PTN='^[oOnNyY]?$'
until [[ "$response" =~ $PTN ]]
do
read response
done
if [ "$response" = "n" ] || [ "$response" = "N" ]
then
[ -e /etc/urpmi/urpmi.cfg.old ] && mv /etc/urpmi/urpmi.cfg.old /etc/urpmi/urpmi.cfg # restore previous rpm conf file
exit 1
fi
fi
done
 
# At this time, we only skip Kernel update
echo "/^kernel/" > /etc/urpmi/skip.list
if [ `grep -E '^exclude=' /etc/dnf/dnf.conf |wc -l` -eq "1" ]; then
$SED "s?^exclude=.*?exclude=kernel\*?g" /etc/dnf/dnf.conf
else
echo "exclude=kernel*" >> /etc/dnf/dnf.conf
fi
 
# download the kernel used by ALCASAR
if [ $Lang == "fr" ]
then
echo "Récupération du noyau Linux exploité par ALCASAR. Veuillez patienter ..."
else
echo "Download the Linux kernel used by ALCASAR. Please wait ..."
fi
urpmi --auto --quiet $KERNEL
 
# download updated RPM in cache
if [ $Lang == "fr" ]
then
echo "Récupération des paquetages de mise à jour. Veuillez patienter ..."
echo "Il est temps d'aller prendre un café (ou une bonne bière) ;-)"
else
echo "Updated RPM download. Please wait ..."
echo "You should now take a coffe (or a good beer) ;-)"
fi
urpmi --auto --auto-update --quiet --test --retry 2
if [ "$?" != "0" ]
then
echo
if [ $Lang == "fr" ]
then
echo "Une erreur a été détectée lors de la récupération des paquetages."
else
echo "An error occurs when downloading RPMS"
fi
rpm_error
exit 1
fi
 
# update with cached RPM
urpmi --auto --auto-update
if [ "$?" != "0" ]
then
echo
if [ $Lang == "fr" ]
then
echo "Une erreur a été détectée lors de la mise à jour des paquetages."
else
echo "An error occurs when updating packages"
fi
rpm_error
exit 1
fi
# Clean the RPM cache
urpmi --clean
 
# Download of ALCASAR specifics RPM in cache (and test)
if [ $Lang == "fr" ]
then
echo "Récupération des paquetages complémentaires. Veuillez patienter ..."
else
echo "Download of complementary packages. Please wait ..."
fi
urpmi --auto --no-recommends $PACKAGES --quiet --test --retry 2
if [ "$?" != "0" ]
then
echo
if [ $Lang == "fr" ]
then
echo "Une erreur a été détectée lors de la récupération des paquetages complémentaires."
else
echo "An error occurs when downloading complementary packages"
fi
rpm_error
exit 1
fi
 
# update with cached RPM
urpmi --auto --no-recommends $PACKAGES
if [ "$?" != "0" ]
then
echo
if [ $Lang == "fr" ]
then
echo "Une erreur a été détectée lors de l'installation des paquetages complémentaires."
else
echo "An error occurs when installing complementary packages"
fi
rpm_error
exit 1
fi
 
# Keep only the kernel version we compil netflow with, and remove all others
kernelVersion=$(rpm -qa | grep -e ^kernel-server -e ^kernel-desktop)
for i in $kernelVersion
do
if [ $i != $KERNEL ];then
urpme --auto $i
fi
done
 
# delete unused RPMs
if [ $Lang == "fr" ]
then
echo "Cleaning the system : "
else
echo "Nettoyage du système : "
fi
unused_rpm="shorewall mandi plymouth squid polkit pm-utils dnsmasq clamav clamd clamav-db"
/usr/sbin/urpme --auto -a $unused_rpm
for rpm in `rpm -qa|grep mga7`; do urpme --auto $rpm; done
/usr/sbin/urpme --auto --auto-orphans
 
# Save chilli launch script (erase with new rpm one)
[ -e /etc/chilli.conf ] && cp /etc/chilli.conf /tmp/
# Install home made RPMs
for pkg in `ls rpms/$ARCH/*.rpm`
do
urpmi --no-verify --auto $pkg
done
# restore chilli launch script
[ -e /tmp/chilli.conf ] && mv /tmp/chilli.conf /etc/
 
# Clean the RPM cache
urpmi --clean
# the ipt-netflow RPM add the kernel module ipt_NETFLOW (the modules dependance tree need to be updated). "2>/dev/null" in order not to display a error (the running kernel is not the ALCASAR one during the installation process)
/sbin/depmod -a 2>/dev/null
# test if all needed rpms are correctly installed
count_pkg=0; nb_pkg=0;
for pkg in $PACKAGES
do
nb_pkg=`expr $nb_pkg + 1`
if rpm -q --quiet $pkg ; then
count_pkg=`expr $count_pkg + 1`
else
echo "error installing $pkg"
fi
done
if [ $count_pkg -ne $nb_pkg ]
then
exit 1
fi
 
# test if all custom rpms are correctly installed
count_pkg=0; nb_pkg=0;
for pkg in `ls rpms/$ARCH/|sed 's/.x86_64.rpm//'`
do
nb_pkg=`expr $nb_pkg + 1`
if rpm -q --quiet $pkg ; then
count_pkg=`expr $count_pkg + 1`
else
echo "error installing $pkg"
fi
done
if [ $count_pkg -ne $nb_pkg ]
then
exit 1
fi
 
# .rpmnew handling (unused with ALCASAR)
[ -e /etc/shadow.rpmnew ] && rm -f /etc/shadow.rpmnew
[ -e /etc/sysconfig/system.rpmnew ] && rm -f /etc/sysconfig/system.rpmnew
[ -e /etc/rpm/macros.rpmnew ] && rm -f /etc/rpm/macros.rpmnew
[ -e /etc/fstab.rpmnew ] && rm -f /etc/fstab.rpmnew
[ -e /etc/shells.rpmnew ] && rm -f /etc/shells.rpmnew
[ -e /etc/hosts.rpmnew ] && rm -f /etc/hosts.rpmnew
[ -e /etc/systemd/journald.conf.rpmnew ] && rm -f /etc/systemd/journald.conf.rpmnew
[ -e /etc/raddb/certs/dh.rpmnew ] && rm -f /etc/raddb/certs/dh.rpmnew
 
# .rpmnew handling (used with ALCASAR)
[ -e /etc/php.ini.rpmnew ] && mv -f /etc/php.ini.rpmnew /etc/php.ini.default
[ -e /etc/lighttpd/lighttpd.conf.rpmnew ] && mv -f /etc/lighttpd/lighttpd.conf.rpmnew /etc/lighttpd/lighttpd.conf.default
[ -e /etc/lighttpd/modules.conf.rpmnew ] && mv -f /etc/lighttpd/modules.conf.rpmnew /etc/lighttpd/modules.conf.default
[ -e /etc/e2guardian/e2guardian.conf.rpmnew ] && mv -f /etc/e2guardian/e2guardian.conf.rpmnew /etc/e2guardian/e2guardian.conf.default
[ -e /etc/e2guardian/e2guardianf1.conf.rpmnew ] && mv -f /etc/e2guardian/e2guardianf1.conf.rpmnew /etc/e2guardian/e2guardianf1.conf.default
[ -e /etc/e2guardian/lists/urlregexplist.rpmnew ] && mv -f /etc/e2guardian/lists/urlregexplist.rpmnew /etc/e2guardian/lists/urlregexplist.default
[ -e /etc/e2guardian/lists/bannedregexpurllist.rpmnew ] && mv -f /etc/e2guardian/lists/bannedregexpurllist.rpmnew /etc/e2guardian/lists/bannedregexpurllist.default
[ -e /etc/vnstat.conf.rpmnew ] && mv -f /etc/vnstat.conf.rpmnew /etc/vnstat.conf.default
[ -e /etc/fail2ban/jail.conf.rpmnew ] && mv -f /etc/fail2ban/jail.conf.rpmnew /etc/fail2ban/jail.conf.default
[ -e /etc/ssh/sshd_config.rpmnew ] && mv -f /etc/ssh/sshd_config.rpmnew /etc/ssh/sshd_config.default
 
exit 0
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
/scripts/alcasar-bl-autoupdate.sh
0,0 → 1,130
#!/bin/bash
 
# $Id: alcasar-bl.sh 2688 2019-01-18 23:15:49Z lucas.echard $
 
# alcasar-autoupdate.sh
# by Sven RATH and Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# Gestion de la BL pour le filtrage de domaine (via unbound) et d'URL (via E2guardian)
# Manage the BL for DnsBlackHole (unbound) and URL filtering (E2guardian)
 
FILE_tmp="/tmp/filesfilter.txt"
FILE_ip_tmp="/tmp/filesipfilter.txt"
DIR_DG="/etc/e2guardian/lists"
DIR_DG_BL="$DIR_DG/blacklists"
DIR_SHARE="/usr/local/share"
DIR_DNS_BL="$DIR_SHARE/unbound-bl" # all the BL in the Unbound format
DIR_DNS_WL="$DIR_SHARE/unbound-wl" # all the WL ' ' '
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL
CNC_BL_NAME="ossi-bl-candc"
CNC_URL="https://osint.bambenekconsulting.com/feeds/"
CNC_DNS=${CNC_URL}c2-dommasterlist-high.txt
CNC_IP=${CNC_URL}c2-ipmasterlist-high.txt
SED="/bin/sed -i"
CURL="/usr/bin/curl"
 
# cleaning file and split it ("domains" in $FILE_tmp & "IP" in $FILE_ip_tmp)
function clean_split (){
$SED '/^#.*/d' $FILE_tmp # remove commented lines
$SED '/^\s*$/d' $FILE_tmp # remove empty lines
$SED '/[äâëêïîöôüû@,]/d' $FILE_tmp # remove line with "chelou" characters
# extract ip addresses for iptables.
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add bl_ip_blocked " $0}' $FILE_tmp > $FILE_ip_tmp
# extract domain names for unbound.
$SED -n '/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/!p' $FILE_tmp
# Retrieve max Top Level Domain for domain name synthax
#MAX_TLD=$(curl http://data.iana.org/TLD/tlds-alpha-by-domain.txt | grep -v '-' | grep -v '#' | wc -L)
#if [ $(echo $MAX_TLD | wc -c) -eq 0 ];then
# MAX_TLD=18
#fi
# search for correction grep -E "([a-zA-Z0-9_-.]+\.){1,2}[a-zA-Z]{2,$MAX_TLD}" $ossi_custom_dir/domains > $FILE_tmp
}
 
usage="Usage: alcasar-bl-autoupdate.sh { -update_cat or --update_cat | -update_ossi-bl-candc or --update_ossi-bl-candc }"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Update the categories of Toulouse BL listed in "/usr/local/etc/update_cat.conf" (via rsync). Cron runs this function every 12h
-update_cat | --update_cat)
if [ $(cat /usr/local/etc/update_cat.conf | wc -l) -ne 0 ]
then
echo -n "Updating categories in /usr/local/etc/update_cat.conf ..."
cat /usr/local/etc/update_cat.conf | while read LIGNE_RSYNC
do
CATEGORIE=$(echo $LIGNE_RSYNC | cut -d' ' -f1)
URL=$(echo $LIGNE_RSYNC | cut -d' ' -f2)
PATH_FILE=$(find $DIR_DG_BL/ -type d -name $CATEGORIE) # retrieve directory name of the category
rsync -rv $URL $(dirname $PATH_FILE ) #rsync inside of the blacklist directory
# Creation of unbound and Iptables BL and WL
DOMAIN=$(basename $PATH_FILE)
cp $PATH_FILE/domains $FILE_tmp
clean_split # clean ossi custom files & split them for unbound and for iptables
black=`grep black $PATH_FILE/usage |wc -l`
if [ $black == "1" ]
then
# adapt to the unbound syntax for the blacklist
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN
else
# adapt to the unbound syntax for the whitelist
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp
$SED "p; s? transparent? ipset?g" $FILE_tmp # duplicate lines to enable ipset module
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf
mv $FILE_ip_tmp $DIR_IP_WL/$DOMAIN
fi
rm -f $FILE_tmp $FILE_ip_tmp
done
/usr/local/bin/alcasar-bl.sh --reload
else
echo -n "/usr/local/etc/update_cat.conf is empty ..."
fi
echo
;;
# Update C&C-Server Blacklist (TODO : check that there is a difference between two downloads)
-update_ossi-bl-candc | --update_ossi-bl-candc)
# check availability of the lists
echo "Downloading blacklists from ${CNC_URL}..."
STATUS_DNS_BL=$(${CURL} --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${CNC_DNS})
STATUS_IP_BL=$(${CURL} --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${CNC_IP})
# if downloaded successfully
if [ $STATUS_DNS_BL = 200 ] && [ $STATUS_IP_BL = 200 ]; then
## parse domain names and ips from feed (cut first 19 lines (comments) and extract first column)
CNC_DOMAINS=$($CURL $CNC_DNS | tail -n +19 | awk -F, '{print $1}')
CNC_IPS=$($CURL $CNC_IP | tail -n +19 | awk -F, '{print $1}')
## create files and adapt downloaded data to alcasar structure (add newlines after each ip/domain)
BL_DIR=${DIR_DG_BL}/${CNC_BL_NAME}
rm -rf ${BL_DIR}
mkdir $BL_DIR
echo $CNC_DOMAINS | tr " " "\n" > ${BL_DIR}/urls
echo $CNC_IPS | tr " " "\n" > ${BL_DIR}/domains
## reload ossi-blacklists to add the created blacklist to ALCASAR
echo "Download successfull."
/usr/local/bin/alcasar-bl.sh --reload
exit 0
# if server responded with a code different than 200
else
## 000 means that curl failed
if [ $STATUS_DNS_BL = 000 ] || [ $STATUS_IP_BL = 000 ]; then
echo "ERROR: curl could not access the internet to download blacklists."
echo "This appears to be an error on your side: please check the connection to the internet."
else
echo "ERROR: could not donwload blacklists: Server returned non-200 codes:"
echo "${CNC_DNS} returned ${STATUS_DNS_BL}"
echo "${CNC_IP} returned ${STATUS_IP_BL}"
echo "Check the availability of the sites. Maybe the server removed its content or changed its address."
fi
exit 1
fi
;;
esac
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
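Review bot: The scratch files `/tmp/filesfilter.txt` and `/tmp/filesipfilter.txt` are fixed names under /tmp that root rewrites in place with `sed -i` and then moves into /etc/e2guardian and /usr/local/share, so any local account able to pre-create or symlink those names can influence what ends up in the blocklists; `FILE_tmp=$(mktemp)` and `FILE_ip_tmp=$(mktemp)` remove that window (the existing `rm -f $FILE_tmp $FILE_ip_tmp` still cleans up). In the `-update_ossi-bl-candc` branch the downloaded feed is written straight into the blacklist directory without going through clean_split, and `tail -n +19` assumes the feed's comment header is exactly 18 lines, so a changed header would land comment text in the lists; `grep -v '^#'` in place of the fixed offset is more robust. The destinations also look swapped, the domain feed goes to `urls` and the IP feed to `domains`, whereas the `-update_cat` branch extracts both IPs and names from `domains`; worth confirming against alcasar-bl.sh, which is outside this page.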
/scripts/alcasar-daemon.sh
0,0 → 1,92
#!/bin/bash
# $Id$
 
# alcasar-daemon.sh
# by Franck BOUIJOUX & Rexy
# This script is distributed under the Gnu General Public License (GPL)
# Watchdog of Services
# With the option "-after-update" checks if services or system need to be restarted after a RPM update
# See /etc/cron.d/alcasar-daemon-watchdog for config the time
 
conf_file="/usr/local/etc/alcasar.conf"
SMS=`grep ^SMS= $conf_file|cut -d"=" -f2` # SMS active (on/off)
SMS=${SMS:=off}
LDAP=`grep ^LDAP= $conf_file|cut -d"=" -f2` # ldap active (on/off)
LDAP=${LDAP:=off}
INTIF=`grep ^INTIF= $conf_file|cut -d"=" -f2` # INTIF name
EXTIF=`grep ^EXTIF= $conf_file|cut -d"=" -f2` # EXTIF name
SERVICES="mysqld lighttpd php-fpm ntpd unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd"
nb_available_srv=`echo $SERVICES|wc -w`
 
function ServiceTest () {
service=$1
if [ $(/usr/bin/systemctl is-active $service) != "active" ]; then
logger -t alcasar-daemon -i "$service is inactive. Activation attempt"
echo "the $service service is disabled! trying to start it..."
if [ $service == 'gammu-smsd' ]; then
/usr/local/bin/alcasar-sms.sh --start
fi
if [ $service == 'sshd' ]; then
[ -s /etc/ssh/ssh_host_rsa_key ] || rm -f /etc/ssh/ssh_host_* # sometimes sshd doesn't initialise its keys
fi
/usr/bin/systemctl start $service.service
else
nb_srv=$((nb_srv+1))
fi
}
 
usage="Usage: alcasar-daemon.sh {-after-update}"
case $1 in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-after-update)
# TODO : check precisely which processes should be restarted (reboot the system or restart alcasar processes)
# extract processes name : for i in `dnf needs-restarting|cut -d " " -f3|sort -u|tr -d ":"|rev|cut -d"/" -f1|rev`;do;echo $i;done
# system_processes=`dnf needs-restarting|grep -E 'dbus|python|systemd|agetty'|wc -l` # processes to be restarted after glibc update
nb_processes=`dnf needs-restarting|wc -l`
if [ $nb_processes -ne 0 ]; then
reboot
fi
;;
*)
for NIC in $EXTIF $INTIF
do
if [ `/usr/sbin/ip a show $NIC|grep DOWN|wc -l` -eq "1" ]; then
echo "The network interface card '$NIC' is down! Try to enable it"
/usr/sbin/ifup $NIC
fi
done
nb_srv=0
for service in $SERVICES; do
if [ $service == 'gammu-smsd' ]; then
if [ $SMS != "ON" ] && [ $SMS != "on" ] && [ $SMS != "On" ]; then
nb_available_srv=$((nb_available_srv-1))
continue
fi
fi
ServiceTest $service
done
if [ $nb_available_srv -ne $nb_srv ]; then
echo "Restart this script to know if all is ok"
else
echo "$nb_srv services needed by ALCASAR are started."
fi
if [ `cat /proc/modules|grep -c ^ipt_NETFLOW` == 0 ]; then
logger -t alcasar-daemon -i "ipt_netflow is inactive."
echo "The Log system is disabled! try to know why (modprobe ipt_NETFLOW)"
else
echo "The Log system is active"
fi
if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
if [ $LDAP == "ON" ] || [ $LDAP == "on" ] || [ $LDAP == "On" ]; then
echo "Enabling LDAP..."
/usr/local/bin/alcasar-ldap.sh -on
fi
fi
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
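Review bot: In ServiceTest the sshd branch removes every `/etc/ssh/ssh_host_*` file whenever `ssh_host_rsa_key` is missing or empty, so one damaged RSA key also discards the other host keys and the next sshd start regenerates a new host identity, which every admin then sees as a host-key-changed warning. Limit the cleanup to the broken pair, `[ -s /etc/ssh/ssh_host_rsa_key ] || rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub`, and log it with `logger -t alcasar-daemon -i "sshd host RSA key missing or empty, regenerating"` so the identity change is traceable. The `-after-update` branch reboots the gateway whenever `dnf needs-restarting` prints anything; the TODO acknowledges this, but a one-line comment stating that a full reboot is the intended policy would keep a maintainer from reading it as an accident.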
/scripts/alcasar-iptables-bypass.sh
0,0 → 1,157
#!/bin/bash
# $Id$
 
# alcasar-iptables-bypass.sh
# by Rexy - 3abtux
# This script is distributed under the Gnu General Public License (GPL)
 
# Applique les regles du parefeu en mode ByPass
# Set the firewall rules in 'ByPass' mode
 
CONF_FILE="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
IPTABLES="/sbin/iptables"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
TUNIF="tun0" # listen device for chilli daemon
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
if [[ "$public_ip_mask" == "dhcp" ]]
then
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
public_ip_mask=`ip addr show $EXTIF | grep -o -E $PTN`
fi
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port
SSH_LAN=${SSH_LAN:=0}
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` # SSH WAN port
SSH_WAN=${SSH_WAN:=0}
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2`
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}
SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" )
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
interlan=${interlan:=off}
 
# On vide (flush) toutes les règles existantes
# Flush all existing rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
 
# On indique les politiques par défaut
# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
# On efface toutes les chaînes qui ne sont pas par défaut dans les tables filter et nat
# Flush non default rules on filter and nat tables
$IPTABLES -X
$IPTABLES -t nat -X
 
# On autorise tout sur loopback
# accept all on loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
 
#############################
# INPUT #
#############################
# SSHD rules if activate
if [ $SSH_LAN -gt 0 ]
then
$IPTABLES -A INPUT -i $INTIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $INTIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT
fi
if [ $SSH_WAN -gt 0 ]
then
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
. /usr/local/etc/alcasar-iptables-local.sh
fi
 
# on autorise les requêtes dhcp
# accept dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
 
# On drop le broadcast et le multicast sur les interfaces (sans Log)
# Drop broadcast & multicast
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On autorise l'accès aux services internes
# Allow Internal access
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # ACC
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # ACC
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
 
# On autorise le retour des connexions entrante déjà acceptées
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On interdit et on log le reste sur les 2 interfaces d'accès
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-ext -- REJECT "
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 
#############################
# FORWARD #
#############################
# On autorise les retours de connexions légitimes par FORWARD
# Conntrack on forward
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
if [ "$interlan" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
fi
 
# Insertion de règles de blocage
# Here, we add block rules
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
while read ip_line
do
ip_on=`echo $ip_line|cut -b1`
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-group 1 --nflog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
fi
done < /usr/local/etc/alcasar-ip-blocked
fi
 
# On autorise les demandes de connexions sortantes
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE Transfert -- ACCEPT "
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
 
#############################
# POSTROUTING #
#############################
# On active le masquage d'adresse par translation (NAT)
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
# on ne sauvegarde pas les règles. En cas de reboot, on repasse ainsi automatiquement en mode normal (bypass -off)
# Fin du script des regles du parefeu
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
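Review bot: The interlan DROP in the FORWARD section matches on `-i $TUNIF`, while the bypass accept rule that follows matches on `-i $INTIF`; presumably chilli is stopped in bypass mode, in which case LAN traffic arrives on $INTIF rather than tun0, the DROP never matches, and users reach the network between ALCASAR and the router even with INTERLAN off. Adding `$IPTABLES -A FORWARD -i $INTIF -d $public_ip_mask -j DROP` next to the existing line covers both interfaces. The POSTROUTING MASQUERADE rule has no source restriction; `-s $PRIVATE_NETWORK_MASK` would scope it to the LAN the way the INPUT rules already are. The dot-sourced `/usr/local/etc/alcasar-iptables-local.sh` runs as root with no ownership check, so a guard such as `[ "$(stat -c %U /usr/local/etc/alcasar-iptables-local.sh)" = root ] && . /usr/local/etc/alcasar-iptables-local.sh` is cheap insurance.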
/scripts/alcasar-watchdog.sh
0,0 → 1,180
#!/bin/bash
# $Id$
 
# alcasar-watchdog.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
# - Ce script prévient les usagers de l'indisponibilité de l'accès Internet
# - Il déconnecte les usagers dont les équipements réseau ne répondent plus (leur onglet 'status.php' a été fermé)
# - Il deconnecte les usagers dont les adresses MAC sont usurpées
#
# - This script tells users that Internet access is down
# - It logs out users whose PCs are quiet (their status tab is closed)
# - It logs out users whose MAC address is used by other systems (usurped)
 
CONF_FILE="/usr/local/etc/alcasar.conf"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask |cut -d"/" -f1`
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}
MULTIWAN=`grep ^MULTIWAN= $CONF_FILE|cut -d"=" -f2`
current_users_file="/tmp/current_users.txt" # file containing active users with their "status.php" tab open
DIR_WEB="/var/www/html"
Index_Page="$DIR_WEB/index.php"
IPTABLES="/sbin/iptables"
TUNIF="tun0" # listen device for chilli daemon
OLDIFS=$IFS
IFS=$'\n'
 
function lan_down_alert ()
# users are redirected on ALCASAR IP address if a LAN problem is detected
{
case $LAN_DOWN in
"1")
logger -t alcasar-watchdog "$EXTIF (WAN card) link down"
echo "$EXTIF (WAN card) link down"
/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page
;;
"2")
logger -t alcasar-watchdog "can't contact the default router"
echo "can't contact the default router"
/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page
;;
"3")
logger -t alcasar-watchdog "can't resolv DNS queries"
echo "can't resolv DNS queries"
/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't resolv DNS queries\";?g" $Index_Page
;;
esac
net_pb=`grep "network_pb = true;" $Index_Page|wc -l`
if [ $net_pb = "0" ] # if previously up
then
/bin/sed -i "s?^\$network_pb.*?\$network_pb = true;?g" $Index_Page
$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56
fi
}
 
function lan_test ()
# LAN connectiivity testing
{
watchdog_process=`ps -C alcasar-watchdog.sh|wc -l`
if [[ $(expr $watchdog_process) -gt 3 ]]
then
echo "ALCASAR watchdog is already running"
exit 0
fi
# EXTIF testing
LAN_DOWN="0"
if [ `/sbin/ip link | grep $EXTIF|grep "NO-CARRIER" | wc -l` -eq "1" ]
then
LAN_DOWN="1"
fi
# Default GW testing
if [ $LAN_DOWN -eq "0" ]
then
GW_EXIST=`/sbin/ip route list|grep ^default|wc -l`
if [ $GW_EXIST -eq "0" ] # no GW defined !
then
systemctl restart network
else
if [ "$MULTIWAN" == "off" ] || [ "$MULTIWAN" == "Off" ]
then
IP_GW=`/sbin/ip route list|grep ^default|cut -d" " -f3`
arp_reply=`LANG=en_US.UTF-8 /usr/sbin/arping -I$EXTIF -c1 $IP_GW|grep response|cut -d" " -f2`
if [ $arp_reply -eq "0" ]
then
LAN_DOWN="2"
fi
fi
fi
fi
# DNS request testing (twice)
if [ $LAN_DOWN -eq "0" ]
then
dns_reply=`/usr/bin/host -W1 www.free.fr|grep SERVFAIL|wc -l`
if [ $dns_reply -eq "1" ]
then
dns_reply=`/usr/bin/host -W1 www.startpage.com|grep SERVFAIL|wc -l`
if [ $dns_reply -eq "1" ]
then LAN_DOWN="3"
fi
fi
fi
# if LAN pb detected, users are warned
if [ $LAN_DOWN != "0" ]
then
lan_down_alert
# else switch in normal mode
else
echo "Internet access is OK for now"
net_pb=`grep "network_pb = true;" $Index_Page|wc -l`
if [ $net_pb != "0" ] # if already down
then
/bin/sed -i "s?^\$network_pb.*?\$network_pb = false;?g" $Index_Page
$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56
fi
fi
}
 
usage="Usage: alcasar-watchdog.sh {-lt --lan_test | --disconnect-permanent-users}"
case $1 in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-lt | --lan_test)
lan_test
exit 0
;;
--disconnect-permanent-users)
/bin/sed -i '/PERM/d' $current_users_file
exit 0
;;
*)
lan_test
# We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)
# process each equipment known by chilli
for system in `/usr/sbin/chilli_query list | grep -v "0\.0\.0\.0"`
do
active_ip=`echo $system |cut -d" " -f2`
active_session=`echo $system |cut -d" " -f5`
active_mac=`echo $system | cut -d" " -f1`
active_user=`echo $system |cut -d" " -f6`
# We check if the user isn't an auth @MAC and if he is still connected
if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then
if [ -e $current_users_file ]; then
# We check if user @IP is in 'current_users.txt'
cmp_user_ok=$(cat $current_users_file | awk -F':' "\$1 == \"$active_ip\" {print \$2}")
# If not we disconnect this user.
if [ -z "$cmp_user_ok" ]; then
logger -t alcasar-watchdog "$active_ip ($active_mac) doesn't contact ALCASAR any more. We disconnects the user ($active_user)."
/usr/sbin/chilli_query logout $active_mac
elif [ "$cmp_user_ok" == "TEMP" ]; then
# Remove the user's IP from 'current_users.txt'. Every user status page need to insert their @IP everytime to prove their connectivity.
# We don't disconnect when $cmp_user_ok == "PERM" (status page not needed)
sed -i "/^$active_ip:$cmp_user_ok\$/d" $current_users_file
fi
else # "current_user.txt" does not exists. We disconnect every users.
logger -t alcasar-watchdog "The file /tmp/current_users.txt doesn't' exist. We disconnects the user $active_user"
/usr/sbin/chilli_query logout $active_mac
fi
fi
# IP usurpation test : process only equipment with an authenticated user
if [[ $(expr $active_session) -eq 1 ]]
then
arp_reply=`LANG=en_US.UTF-8 /usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $active_ip|grep -c "Unicast reply"`
# disconnect users whose equipement is usurped. For example, if there are 2 same @MAC it will make 2 lines in output.
if [[ $(expr $arp_reply) -gt 1 ]]
then
echo "[$(date +"%Y-%m-%d %H:%M:%S")] : alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log
logger -t alcasar-watchdog "$active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."
/usr/sbin/chilli_query logout $active_mac
chmod 644 /var/Save/security/watchdog.log
fi
fi
done
;;
esac
IFS=$OLDIFS
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
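Review bot: The usurpation branch appends user name, IP and MAC to `/var/Save/security/watchdog.log` and then runs `chmod 644` on it, so a security log recording who was forcibly logged out and from which address is readable by every local account; unless another component needs world read, `chmod 640` (or a group grant for the web server if the ACC displays it) is the safer default, and a comment should say which reader the mode is for. The disconnect logic trusts `/tmp/current_users.txt`, apparently populated by status.php on the web-server side: if the file is absent every authenticated user is logged out, and `--disconnect-permanent-users` edits it with `sed -i`, so this fixed /tmp name crossing a privilege boundary deserves a note at its definition, e.g. `# written by status.php (web server side); a missing file logs every user out`. The watchdog also rewrites the served `index.php` in place on each state change, interpolating `$EXTIF` into PHP source; that is safe while the value comes from the root-owned conf file, which a comment on the sed lines should state.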
/scripts/alcasar-letsencrypt.sh
0,0 → 1,284
#!/bin/bash
#
# $Id$
#
# alcasar-letsencrypt.sh
# by Tom HOUDAYER & Rexy
#
# This script is distributed under the Gnu General Public License (GPL)
#
# Manage Let's Encrypt for ALCASAR integration
 
CONF_FILE="/usr/local/etc/alcasar-letsencrypt"
ACCOUNT_EMAIL=""
DOMAIN=""
DNS_API=""
DEBUG=false
STAGING_SERVER=""
FORCE=""
OPT_PARAMS=""
ACMESH_HOME="/usr/local/etc/letsencrypt"
ACMESH_BIN="/opt/acme.sh/acme.sh"
LE_SERVER="letsencrypt"
 
usage="Usage: alcasar-letsencrypt.sh
--issue -d alcasar.domain.tld --email alcasar@domain.tld [--dns-api dns_registrar] [--force] [--staging]
--renew [-d alcasar.domain.tld] [--force] [--staging]"
 
################################################################################
# ISSUE #
################################################################################
issue() {
if [ ! -f $ACMESH_BIN ]; then
echo "The client does not seem to be installed."
return 1
fi
TMP_OUTPUT=$(mktemp --suffix=_ALCASAR-LE)
if [ ! -z $ACCOUNT_EMAIL ]; then
emailField=" --accountemail $ACCOUNT_EMAIL"
sed -i "s/^email=.*/email=$ACCOUNT_EMAIL/" $CONF_FILE
else
emailField=""
fi
rm -rf $ACMESH_HOME/certs/*
$DEBUG && debugOpt=" --debug" || debugOpt=""
[ ! -z "$DNS_API" ] && dnsApiOpt="$DNS_API" || dnsApiOpt="--yes-I-know-dns-manual-mode-enough-go-ahead-please"
$ACMESH_BIN --config-home $ACMESH_HOME/data \
$STAGING_SERVER $FORCE $debugOpt \
$emailField \
--issue --dns $dnsApiOpt -d $DOMAIN \
$OPT_PARAMS \
--server $LE_SERVER \
> $TMP_OUTPUT 2>&1
exitCode=$?
$DEBUG && cat $TMP_OUTPUT && echo -e "\n\n"
sed -i "s/^domainRequest=.*/domainRequest=$DOMAIN/" $CONF_FILE
sed -i "s/^dateIssueRequest=.*/dateIssueRequest=$(date +%s)/" $CONF_FILE
sed -i "s/^dnsapi=.*/dnsapi=${DNS_API:="dns"}/" $CONF_FILE
if ! _handle_client_response $TMP_OUTPUT; then
if [ $exitCode -ne 0 ]; then
echo -e "Error!\n"
cat $TMP_OUTPUT
rm -f $TMP_OUTPUT
return 1
else
echo -e "Unknown state\n"
cat $TMP_OUTPUT
fi
fi
rm -f $TMP_OUTPUT
}
 
################################################################################
# RENEW #
################################################################################
renew() {
if [ ! -f $ACMESH_BIN ]; then
echo "The client does not seem to be installed."
return 1
fi
TMP_OUTPUT=$(mktemp --suffix=_ALCASAR-LE)
$DEBUG && debugOpt=" --debug" || debugOpt=""
[ ! -z "$DNS_API" ] && dnsApiOpt="" || dnsApiOpt="--yes-I-know-dns-manual-mode-enough-go-ahead-please"
$ACMESH_BIN --config-home $ACMESH_HOME/data \
$STAGING_SERVER $FORCE $debugOpt \
--renew -d $DOMAIN $dnsApiOpt \
$OPT_PARAMS \
--server $LE_SERVER \
> $TMP_OUTPUT 2>&1
exitCode=$?
$DEBUG && cat $TMP_OUTPUT && echo -e "\n\n"
if ! _handle_client_response $TMP_OUTPUT; then
if [ $exitCode -ne 0 ]; then
echo -e "Error!\n"
cat $TMP_OUTPUT
rm -f $TMP_OUTPUT
return 1
else
echo -e "Unknown state\n"
cat $TMP_OUTPUT
fi
fi
rm -f $TMP_OUTPUT
}
 
################################################################################
# CRON TASK #
################################################################################
cron_task() {
if [ $(grep '^dateNextRenewal=' $CONF_FILE | cut -d'=' -f2) -le $(date +%s) ]; then
logger -t alcasar-letsencrypt "Launch CRON task."
renew
fi
}
 
################################################################################
# HANDLE CLIENT RESPONSE #
################################################################################
_handle_client_response() {
[ $# -lt 1 ] && return 1
responseFile=$1
 
# issue / renew
if [ $(cat $responseFile | grep "Add the following TXT record:" -c) -ne 0 ]; then
challenge=$(cat $responseFile | grep -E "TXT value: '[0-9a-zA-Z_-]+'" -o | cut -d"'" -f2)
sed -i "s/^challenge=.*/challenge=$challenge/" $CONF_FILE
echo "Add the following TXT record:"
echo "Domain: '_acme-challenge.$DOMAIN'"
echo "TXT value: '$challenge'"
elif [ $(cat $responseFile | grep "Cert success." -c) -ne 0 ]; then
sed -i "s/^challenge=.*/challenge=/" $CONF_FILE
sed -i "s/^dateIssued=.*/dateIssued=$(date +%s)/" $CONF_FILE
sed -i "s/^dateNextRenewal=.*/dateNextRenewal=$(date +%s -d '2 months - 3 days')/" $CONF_FILE
install_cert
logger -t alcasar-letsencrypt "Certificate \"$DOMAIN\" imported."
echo "Certificate imported."
[ -z $DNS_API ] && echo "Note: you can delete the TXT record."
elif [ $(cat $responseFile | grep "Domains not changed." -c) -ne 0 ]; then
echo "Domain not changed"
elif [ $(cat $responseFile | grep "$DOMAIN is already verified, skip dns-01." -c) -ne 0 ]; then
echo "Domain already verified"
elif [ $(cat $responseFile | grep "Error add txt for domain:_acme-challenge.$DOMAIN" -c) -ne 0 ]; then
echo "Error add txt for domain:_acme-challenge.$DOMAIN"
elif [ $(cat $responseFile | grep "Please add the TXT records to the domains, and retry again." -c) -ne 0 ]; then
echo "Dns record not added yet, you need to add it manually and retry again."
elif [ $(cat $responseFile | grep 'new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: \(.*\)","status": 400}' -c) -ne 0 ]; then
errorMsg=$(cat $responseFile | grep 'new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: \(.*\)","status": 400}' | sed 's/.*new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: \(.*\)","status": 400}.*/\1/')
echo "Incorrect domain name"
echo "$errorMsg"
elif [ $(cat $responseFile | grep "'$DOMAIN' is not a issued domain, skip." -c) -ne 0 ]; then
echo "'$DOMAIN' is not a issued domain"
 
# renew
elif [ $(cat $responseFile | grep "Skip, Next renewal time is: " -c) -ne 0 ]; then
nextRenewal=$(cat $responseFile | grep 'Skip, Next renewal time is: ' | sed 's/.*Skip, Next renewal time is: \(.*\)/\1/')
echo "Skip, Next renewal time is: $nextRenewal"
echo "Add '--force' to force to renew."
elif [ $(cat $responseFile | grep "$DOMAIN:Verify error:Correct value not found for DNS challenge" -c) -ne 0 ]; then
echo "Correct value not found for DNS challenge"
elif [ $(cat $responseFile | grep "Unable to update challenge :: The challenge is not pending." -c) -ne 0 ]; then
echo "The challenge is not pending. You need to issue."
else
return 2
fi
return 0
}
 
################################################################################
# INSTALL CERTIFICATE #
################################################################################
install_cert() {
echo "Importing certificate to ALCASAR..."
LE_cert_folder="$( echo "$ACMESH_HOME/certs/$DOMAIN"*"")"
if [ ! -f $LE_cert_folder"/"$DOMAIN.cer ]; then
echo "Certificate not found."
return 1
fi
/usr/local/bin/alcasar-importcert.sh \
-i $LE_cert_folder"/"$DOMAIN.cer \
-k $LE_cert_folder"/"$DOMAIN.key \
-c $LE_cert_folder/fullchain.cer \
> /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "Error."
return 1
fi
}
 
################################################################################
# MAIN #
################################################################################
 
if [ $# -eq 0 ]; then
echo "$usage"
exit 1
fi
cmd=""
while [ $# -gt 0 ]; do
case $1 in
-\? | -h | --help)
echo "$usage"
exit 0
;;
--issue)
cmd="issue"
shift 1
;;
--renew)
cmd="renew"
shift 1
;;
--cron)
cmd="cron"
shift 1
;;
--install-cert)
cmd="install-cert"
shift 1
;;
--email)
ACCOUNT_EMAIL="$2"
shift 2
;;
--domain | -d)
DOMAIN="$2"
shift 2
;;
--dns-api)
DNS_API="$2"
shift 2
;;
--force)
FORCE="--force"
shift 1
;;
--staging)
STAGING_SERVER="--staging"
shift 1
;;
--debug)
DEBUG=true
shift 1
;;
*)
found=false
for param in "--dnssleep"; do
if [ $1 == $param ]; then
OPT_PARAMS="$OPT_PARAMS $1 $2"
shift 2
found=true
break
fi
done
if ! $found; then
echo "Unknown argument: $1"
echo "$usage"
exit 1
fi
;;
esac
done
 
if [ -z $DOMAIN ]; then
if [ $(grep '^domainRequest=' $CONF_FILE | cut -d'=' -f2 | wc --chars) -gt 1 ]; then
DOMAIN="$(grep '^domainRequest=' $CONF_FILE | cut -d'=' -f2)"
else
DOMAIN="$(grep '^HOSTNAME=' /usr/local/etc/alcasar.conf | cut -d'=' -f2).$(grep '^DOMAIN=' /usr/local/etc/alcasar.conf | cut -d'=' -f2)"
fi
fi
 
case $cmd in
issue)
issue
;;
renew)
renew
;;
cron)
cron_task
;;
install-cert)
install_cert
;;
*) exit 1 ;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
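--- a/scripts/alcasar-rpm-download.sh
+++ b/scripts/alcasar-rpm-download.sh
@@ -0,0 +1,156 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-rpm-download.sh
+# by Franck BOUIJOUX and Richard REY
+# This script is distributed under the Gnu General Public License (GPL)
+
+# récupération des RPM nécessaires dans un fichier tarball
+# retrieve needed RPM in a tarball file
+
+VERSION="8"
+ARCH="x86_64"
+# The kernel version we compile netflow for
+KERNEL="kernel-server-5.15.126-1.mga8-1-1.mga8"
+# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
+# (old) perl-Socket6 : needed by nfsen
+# "fonts-dejavu-common" & "fonts-ttf-dejavu" : fonts needed by wkhtmltopdf
+# "lsscsi" & nvme-cli" : needed by phpsysinfo
+# "socat" : avoid a warning when run the install script of letsencrypt ("acme.sh")
+# "sudo" : needed after a reinstallation (to be investigated)
+# "clamav" + "clamav-db" : needed because of a lack of mutual dependance
+# "postfix" + "cyrus-sasl" + "lib64sasl2-plug-plain" : email registration method
+PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-filter unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamav clamav-db clamd fail2ban gnupg2 ulogd ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat postfix cyrus-sasl lib64sasl2-plug-plain iftop"
+
+rpm_repository_sync ()
+{
+cat <<EOF > /etc/urpmi/urpmi.cfg
+{
+downloader: wget
+}
+EOF
+urpmi.addmedia core --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/core/release
+urpmi.addmedia core-updates --update --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/core/updates
+urpmi.addmedia nonfree --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/nonfree/release
+urpmi.addmedia nonfree-updates --update --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/nonfree/updates
+}
+
+rpm_error ()
+{
+echo
+echo "Relancez l'installation ultérieurement."
+echo "Si vous rencontrez à nouveau ce problème, modifier les variables MIRRORLIST[1&2] du fichier 'scripts/alcasar-rpm.sh'"
+echo "Try an other install later."
+echo "If this problem occurs again, change the MIRRORLIST[1&2] variables in the file 'scripts/alcasar-rpm.sh'"
+}
+
+# extract the current architecture (i586 ou X64)
+fic=`cat /etc/product.id`
+old="$IFS"
+IFS=","
+set $fic
+for i in $*
+do
+if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
+then
+ARCH=`echo $i|cut -d"=" -f2`
+fi
+done
+IFS="$old"
+# We prefer wget than curl
+wget_exist=`rpm -qa|grep wget|wc -l`
+if [ "$wget_exist" -eq "0" ]
+then
+urpmi --no-verify-rpm --auto ../rpms/$ARCH/wget*.rpm
+fi
+# Set the RPM repository
+MIRROR_NBR=2
+# For french ALCASARistes
+MIRRORLIST1="http://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/$VERSION/$ARCH"
+# For International install
+MIRRORLIST2="http://mirrors.mageia.org/api/mageia.$VERSION.$ARCH.list"
+try_nb="0"; nb_repository="0"
+while [ "$nb_repository" != "4" ]
+do
+try_nb=`expr $try_nb + 1`
+MIRRORLIST="MIRRORLIST$try_nb"
+rpm_repository_sync
+nb_repository=`cat /etc/urpmi/urpmi.cfg|grep mirrorlist|wc -l`
+if [ "$nb_repository" != "4" ]
+then
+echo "Une erreur a été détectée lors de la synchronisation avec le dépot N°$try_nb."
+echo "An error occurs when synchronising the repositories N°$try_nb"
+if [ $(expr $try_nb) -eq $MIRROR_NBR ]
+then
+rpm_error
+exit 1
+fi
+echo "Voulez-vous tenter une synchronisation avec un autre dépôt (O/n)?"
+echo "Do you want to try a synchronisation with an other repository (Y/n)?"
+response=0
+PTN='^[oOnNyY]?$'
+until [[ "$response" =~ $PTN ]]
+do
+read response
+done
+if [ "$response" = "n" ] || [ "$response" = "N" ]
+then
+exit 1
+fi
+fi
+done
+# delete unused RPMs
+echo "Cleaning the system : "
+for rm_rpm in shorewall dhcp-server cyrus-sasl distcache-server avahi mandi radeontool mondo mindi
+do
+/usr/sbin/urpme --auto $rm_rpm --auto-orphans 2>/dev/null
+echo -n "."
+done
+urpmi --clean
+# download RPM in cache
+echo "Récupération des paquetages de mise à jour. Veuillez patienter ..."
+echo "Updated RPM download. Please wait ..."
+echo "Il est temps d'aller prendre un café :-) "
+echo "You should now take a Beer ;-) "
+urpmi --auto --auto-update --quiet --test --retry 2
+if [ "$?" != "0" ]
+then
+echo
+echo "Une erreur a été détectée lors de la récupération des paquetages."
+echo "An error occurs when downloading RPMS"
+rpm_error
+exit 1
+fi
+# update with cached RPM
+urpmi --auto --auto-update --noclean
+if [ "$?" != "0" ]
+then
+echo
+echo "Une erreur a été détectée lors de la mise à jour des paquetages."
+echo "An error occurs when updating packages"
+rpm_error
+exit 1
+fi
+
+# Download of ALCASAR specifics RPM in cache (and test)
+echo "Récupération des paquetages complémentaires. Veuillez patienter ..."
+echo "Download of complementary packages. Please wait ..."
+urpmi --auto $KERNEL --quiet --test --retry 2
+urpmi --auto $PACKAGES --quiet --test --retry 2
+if [ "$?" != "0" ]
+then
+echo
+echo "Une erreur a été détectée lors de la récupération des paquetages complémentaires."
+echo "An error occurs when downloading complementary packages"
+rpm_error
+exit 1
+fi
+echo "archive creation. Please wait..."
+cd /var/cache/urpmi
+tar -czf rpms-$ARCH.tar.gz rpms/
+# Clean the RPM cache
+urpmi --clean
+mv rpms-$ARCH.tar.gz /root/
+cd
+echo "Your RPM archive file is /root/rpms-$ARCH.tar.gz"
+exit 0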
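Review bot: The exit status of `urpmi --auto $KERNEL --quiet --test --retry 2` is never examined: the `if [ "$?" != "0" ]` that follows tests only the `$PACKAGES` command, so a failed kernel download still reaches `exit 0` and produces a tarball without the kernel package. Guard each command on its own, e.g. `urpmi --auto $KERNEL --quiet --test --retry 2 || { rpm_error; exit 1; }`, and likewise write `cd /var/cache/urpmi || exit 1` so the `tar`/`mv` pair cannot run against whatever the current directory happens to be. On the supply-chain side, both `MIRRORLIST1` and `MIRRORLIST2` are plain `http://` URLs and the bootstrap `urpmi --no-verify-rpm --auto ../rpms/$ARCH/wget*.rpm` installs a local package with verification disabled, so integrity of the downloaded set presumably rests on urpmi's signature check alone; a comment stating that assumption next to the mirror list would help the next reader. The `rpm_error` text points users at `scripts/alcasar-rpm.sh`, although the `MIRRORLIST` variables live in this file.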
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
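--- a/scripts/alcasar-certificates.sh
+++ b/scripts/alcasar-certificates.sh
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+# Id: $Id$
+
+# alcasar-certificates.sh
+# by Franck BOUIJOUX and REXY
+# This script is distributed under the Gnu General Public License (GPL)
+
+# Script permettant
+# - d'exporter les certificats d'un serveur pour les transposer sur un autre.
+
+# This script allows
+# - export certificates server to move them.
+
+
+DIR_EXPORT="/root/Certificats"
+DIR_PKI="/etc/pki"
+DIR_SAVE="/root/PKI_SAVE"
+DIR_IMPORT="/root/Certificats"
+
+
+usage="Usage: alcasar-certificates.sh {--export or -x} | {--import or -i <FileOfCertificate.tar.gz>} "
+
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+nb_args=1
+args="-h"
+fi
+
+
+NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment
+FILE="certificates-$NOW"
+DIR_SAVE=$DIR_SAVE-$NOW
+
+# Function of export
+function certs_export() {
+# Export of CA Certificate
+cd /root
+tar cvf $FILE.tar $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
+
+# Export of server Certificate
+tar rvf $FILE.tar $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,certs/server-chain.pem}
+gzip $FILE.tar
+echo "Le fichier des certificats exportés est : $FILE.tar.gz"
+} # end function export
+
+
+function archive() {
+# Sauvegarde de la pki actuelle
+[ -d $DIR_SAVE ] || mkdir $DIR_SAVE
+
+# Save of CA Certificate
+cd $DIR_PKI/CA/
+cp alcasar-ca.crt $DIR_SAVE/.
+cp private/alcasar-ca.key $DIR_SAVE/.
+
+# Save of server Certificate
+cd $DIR_PKI/tls
+cp certs/alcasar.crt $DIR_SAVE/.
+cp private/alcasar.key $DIR_SAVE/.
+cp certs/server-chain.pem $DIR_SAVE/.
+} # end function archive
+
+function import() {
+echo "Would you like to Import New Certificates in ALCASAR ?"
+read response
+if [ $response = "y" ] || [ $response = "o" ] || [ $response = "Y" ] || [ $response = "O" ]
+then
+[ -d $DIR_IMPORT ] || mkdir $DIR_IMPORT
+rm -rf $DIR_IMPORT/*
+
+# Import of CA Certificate
+tar xzvf $1 --directory=$DIR_IMPORT
+
+(cat $DIR_PKI/tls/private/alcasar.key; echo; cat $DIR_PKI/tls/certs/alcasar.crt) > $DIR_PKI/tls/private/alcasar.pem
+
+echo "Import new certificates in ALCASAR !!!"
+cp -r $DIR_IMPORT/* /.
+chown root:apache $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
+chown root:apache $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.pem}
+
+chmod 750 $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
+chmod 750 $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.pem}
+
+service lighttpd restart
+else
+echo "You are not import new certificates !!!"
+exit 0
+fi
+} # end import
+
+# Core script
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--export | -x)
+archive
+certs_export
+;;
+--import | -i)
+nb_args=$#
+if [ $nb_args -eq 1 ]
+then
+echo "Il faut passer un fichier de certificat en paramètre !!!"
+exit 0
+fi
+import $2
+;;
+*)
+echo "Unknown argument :$1";
+echo "$usage"
+exit 1
+;;
+esac
+exit 0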
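Review bot: In `import`, `alcasar.pem` is assembled by `(cat $DIR_PKI/tls/private/alcasar.key; echo; cat $DIR_PKI/tls/certs/alcasar.crt) > $DIR_PKI/tls/private/alcasar.pem` before the extracted archive is copied over `/etc/pki` by `cp -r $DIR_IMPORT/* /.`, so the bundle is built from the old key and certificate while the new ones land beside it; move that line after the `cp`. The same `cp -r $DIR_IMPORT/* /.` restores whatever the tarball contains onto the root filesystem, so a malformed or tampered archive can overwrite files far outside `/etc/pki`; listing the archive first and refusing anything outside the export's tree, `tar tzf "$1" | grep -qvE '^etc/pki/' && { echo "unexpected paths in archive"; exit 1; }`, keeps the import bounded to what `certs_export` produces. The `#!/bin/sh` shebang does not match the body, which uses the `function` keyword and `{a,b}` brace expansion — bash features that fail under a POSIX `sh`; the sibling scripts use `#!/bin/bash`. An empty answer to `read response` also makes `[ $response = "y" ]` fail with a test syntax error instead of a clean refusal; quote it as `"$response"`.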
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
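--- a/scripts/alcasar-ssh.sh
+++ b/scripts/alcasar-ssh.sh
@@ -0,0 +1,168 @@
+
+#!/bin/bash
+
+# alcasar-ssh.sh
+# by Alexandre Vezin
+
+# enable/disable SSH on external card
+# activation/désactivation de SSH sur la carte réseau externe
+
+SED="/bin/sed -i"
+CAT="/bin/cat"
+GREP="/bin/grep"
+SYSTEMCTL="/bin/systemctl"
+ALCASAR_CONF="/usr/local/etc/alcasar.conf"
+SSH_CONF="/etc/ssh/sshd_config"
+
+usage="Usage: alcasar-ssh.sh {--off | -off} | {--on | -on} [-p port] [-i allowed ip] {-l lan} | {-w wan}" # | {--all | -all} à add pour off all?
+
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+echo "$usage"
+exit 1
+fi
+
+while getopts ":p:i:wl" portarg; do
+case "${portarg}" in
+p)
+SSH_PORT=${OPTARG}
+NUM_REGEX='^[0-9]+$'
+if ! [[ $SSH_PORT =~ $NUM_REGEX ]];
+then
+echo "The port $SSH_PORT is invalid"
+exit 1
+fi
+if [ $SSH_PORT -lt 0 ] || [ $SSH_PORT -gt 65535 ]
+then
+echo "The port $SSH_PORT is invalid"
+exit 1
+fi
+;;
+i)
+IP_FROM=${OPTARG}
+ipcalc -c $IP_FROM
+if [ $? -ne 0 ]
+then
+exit 1;
+fi
+;;
+w)
+NETWORK="wan"
+;;
+l)
+NETWORK="lan"
+;;
+esac
+done
+
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--off | -off)
+NETWORK=${NETWORK:="none"}
+if [ $NETWORK == "wan" ]
+then
+# Editing Alcasar configuration - Deleting the port
+$SED "s/^SSH_WAN=.*/SSH_WAN=0/g" $ALCASAR_CONF
+# Editing SSH configuration - Deleting any port other than 22
+$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF
+# Applying iptables
+/usr/local/bin/alcasar-iptables.sh
+elif [ $NETWORK == "lan" ]
+then
+# Editing Alcasar configuration
+$SED "s/^SSH_LAN=.*/SSH_LAN=0/g" $ALCASAR_CONF
+# Applying iptables
+/usr/local/bin/alcasar-iptables.sh
+else
+echo "$usage"
+exit 0
+fi
+$SYSTEMCTL restart sshd
+exit 0
+;;
+--on | -on)
+NETWORK=${NETWORK:="none"}
+if [ $NETWORK == "wan" ]
+then
+# Getting LAN IP
+LAN_IP=`$GREP "^SSH_ADMIN_FROM=" $ALCASAR_CONF |cut -d"=" -f2|cut -d"/" -f1`
+# Setting accepted IP in Alcasar configuration
+IP_FROM=${IP_FROM:="0.0.0.0"}
+$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$LAN_IP/$IP_FROM g" $ALCASAR_CONF
+# Setting SSH port in Alcasar configuration
+SSH_PORT=${SSH_PORT:=22}
+$SED "s/^SSH_WAN=.*/SSH_WAN=$SSH_PORT/g" $ALCASAR_CONF
+LAN_PORT=`$GREP "^SSH_LAN=" $ALCASAR_CONF | cut -d"=" -f2`
+LAN_PORT=${LAN_PORT:=0}
+# Checking if there is already a port other than the LAN port set
+if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s$LAN_PORT$"` -gt 0 ]
+then
+if [ $SSH_PORT -ne $LAN_PORT ]
+then
+# Editing SSH configuration - Changing any port other than the LAN port
+$SED "/\s$LAN_PORT$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF
+else
+# Editing SSH configuration - Deleting any port other than the LAN port
+$SED "/^.*Port\s[0-9]*/{/\s$LAN_PORT$/!d}" $SSH_CONF
+fi
+else
+if [ $SSH_PORT -ne $LAN_PORT ]
+then
+# Adding the new SSH port in the config
+echo "Port $SSH_PORT" >> $SSH_CONF
+fi
+fi
+# Applying iptables
+/usr/local/bin/alcasar-iptables.sh
+elif [ $NETWORK == "lan" ]
+then
+# Getting WAN IP
+WAN_IP=`$GREP "^SSH_ADMIN_FROM=" $ALCASAR_CONF |cut -d"=" -f2|cut -d"/" -f2`
+# Setting accepted IP in Alcasar configuration
+IP_FROM=${IP_FROM:="0.0.0.0"}
+$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$IP_FROM/$WAN_IP g" $ALCASAR_CONF
+# Editing Alcasar configuration
+$SED "s/^SSH_LAN=.*/SSH_LAN=$SSH_PORT/g" $ALCASAR_CONF
+# Setting SSH port in Alcasar configuration
+SSH_PORT=${SSH_PORT:=22}
+$SED "s/^SSH_LAN=.*/SSH_LAN=$SSH_PORT/g" $ALCASAR_CONF
+WAN_PORT=`$GREP "^SSH_WAN=" $ALCASAR_CONF | cut -d"=" -f2`
+WAN_PORT=${WAN_PORT:=0}
+# Checking if there is already a port other than the WAN port set
+if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s$WAN_PORT$"` -gt 0 ]
+then
+if [ $SSH_PORT -ne $WAN_PORT ]
+then
+# Editing SSH configuration - Changing any port other than the WAN port
+$SED "/\s$WAN_PORT$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF
+else
+# Editing SSH configuration - Deleting any port other than the WAN port
+$SED "/^.*Port\s[0-9]*/{/\s$WAN_PORT$/!d}" $SSH_CONF
+fi
+else
+if [ $SSH_PORT -ne $WAN_PORT ]
+then
+# Adding the new SSH port in the config
+echo "Port $SSH_PORT" >> $SSH_CONF
+fi
+fi
+# Applying iptables
+/usr/local/bin/alcasar-iptables.sh
+else
+echo "$usage"
+exit 0
+fi
+$SYSTEMCTL restart sshd
+exit 0
+;;
+*)
+echo "Argument inconnu : $1"
+echo "$usage"
+exit 1
+;;
+esac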
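Review bot: The `#!/bin/bash` line is the file's second line, preceded by a blank one, so it is not honoured as a shebang; the script relies on bash-only syntax (`[[ $SSH_PORT =~ $NUM_REGEX ]]`, `==` inside `[ ]`), and which interpreter actually runs it then depends on how it is invoked — the blank line should be removed. In the `-l` branch the write `$SED "s/^SSH_LAN=.*/SSH_LAN=$SSH_PORT/g" $ALCASAR_CONF` runs before `SSH_PORT=${SSH_PORT:=22}` and is repeated three lines later, so the first occurrence stores an empty `SSH_LAN=` when `-p` is omitted and is immediately overwritten; drop the first one. The port checks in both `--on` branches read `/etc/ssh/sshd_config` literally instead of `$SSH_CONF`, which the `sed` calls on the next lines use. Since `IP_FROM=${IP_FROM:="0.0.0.0"}` is the default, `--on -w` without `-i` records an any-source admin address for the WAN side; it would be worth saying so in `usage` so the operator chooses that deliberately rather than by omission.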
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
/scripts/alcasar-activity_report.sh
0,0 → 1,715
#!/bin/bash
# $Id$
#
# Create an activity report for ALCASAR every week (sunday at 5.35 pm --> see cron.d).
# We read configuration files and logs to create cool charts.
# Written by Raphaël PION, Rexy & Tom HOUDAYER
 
CONF_FILE='/usr/local/etc/alcasar.conf'
# files
DIR_TMP="/var/tmp"
TMP_AV="$DIR_TMP/av_count.txt"
TMP_BL="$DIR_TMP/bl_count.txt"
TMP_BL_WEEK="$DIR_TMP/bl_count_week.txt"
TMP_BL_WEEK_CAT="$DIR_TMP/bl_count_week_cat.txt"
 
# Model loaded to create charts
DIR_BUILD="/var/www/html/acc/manager/activity_report/"
MODEL_CHARTJS="$DIR_BUILD/models/Chart.report.js"
MODEL_TABINFO="$DIR_BUILD/models/tabinfo.html"
 
# Where the report will be created.
HTML_REPORT="$DIR_BUILD/alcasar-report-$(date +%F).html"
 
# TIME VALUE
C_TS=$(date +"%s") #current timestamp
MAX_DAY_AGO=7
SECS_AGO=$(date --date="$MAX_DAY_AGO days ago" +"%s") #timestamp ago
STEP_TS=$((C_TS-$SECS_AGO)) #timestamp between current timestamp and SECS_AGO
 
# PRIVATE IP OF ALCASAR
PRIVATE_IP=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2 | cut -d'/' -f1)
 
# COLOR for charts
COLOR="'#ff0000','#3333cc','#009933','#993300','#1720EE','#D30229','#8D726D','#41C4E4','#8574F4','#A0BC1A','#BFDC1F','#5ADDC3','#B05744','#CD9319','#8CA39B','#D4AA1C','#A76752','#B03088','#445E87','#70424D','#D118C3','#46ABEF','#E9F197','#AEC0D4','#755C79','#94BBD7','#E2E9DC','#8B68D0','#F7EC7C','#1F16B8','#F4DA0A','#2EC17A','#E06483','#48B342','#F510CD','#9B2662','#180E98','#988FC1','#209E4E','#034240','#FDB142','#36B445','#CDD5C9','#6FA0DE','#EE2206','#204E19','#15FC93','#161ECE','#83D33B','#11A44A','#B7BF6C','#87274C','#B52C4F','#AD2805','#427E6C','#91341A','#191315','#FCB290','#13D3CD','#90F0E6','#C870C9','#AD2C14','#201D2A','#E4DB79','#90A919','#FE17FE','#09B35C','#88D950','#3440FC','#A9D42F','#E2DFAC','#DA69EC','#67430A','#43E94E','#5F7349','#22CF16','#CF038F','#0F6427','#F7AD0F','#C5E382','#DB49B6','#F760BF','#0BE701','#EF88D8','#79E6D7','#8A2D3D','#435A30','#A3C8AC','#99B118','#A929FF','#08A36D','#0A1654','#6F8283','#E1CA3E','#3E8577','#580FB6','#DB0E16','#386CBE','#FA0C43','#B713C9'"
 
# Values to create new htdigest user to consult statistique of ACC
DIR_KEY="/usr/local/etc/digest"
tmp_account="tmp_activityreport"
realm="ALCASAR Control Center (ACC)"
password=$(openssl rand -base64 32) #random password (length : 32)
SED="/usr/bin/sed -i "
TMP_STATS="$DIR_TMP/stats.html"
TMP_STATS_2="$DIR_TMP/stats2.html"
 
# if empty logs, replace charts by text.
ENABLE_BL=0
ENABLE_BL_WEEK=0
ENABLE_AV=0
 
if [ -e $TMP_AV ]
then
rm $TMP_AV
fi
 
if [ -e $TMP_BL ]
then
rm $TMP_BL
fi
 
if [ -e $TMP_BL_WEEK ]
then
rm $TMP_BL_WEEK
fi
 
if [ -e $TMP_BL_WEEK_CAT ]
then
rm $TMP_BL_WEEK_CAT
fi
 
if [ -e $HTML_REPORT ]
then
rm $HTML_REPORT
fi
 
echo "<!doctype html>" >> $HTML_REPORT
echo "<html>" >> $HTML_REPORT
echo "<head>" >> $HTML_REPORT
echo "<meta charset=\"utf-8\">" >> $HTML_REPORT
echo "<title>ALCASAR report</title>" >> $HTML_REPORT
echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"../../../css/bootstrap.min.css\">" >> $HTML_REPORT
echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"../../../css/report.css\">" >> $HTML_REPORT
echo "<script src=\"../../../js/Chart.bundle.min.js\"></script>" >> $HTML_REPORT
echo "<script src=\"../../../js/jquery.min.js\"></script>" >> $HTML_REPORT
echo "</head>" >> $HTML_REPORT
echo "<body>" >> $HTML_REPORT
echo "<h1><center>Rapport d'activité de l'ALCASAR-$(grep ^ORGANISM= $CONF_FILE | cut -d'=' -f2-)</center></h1>" >> $HTML_REPORT
echo "<i><p style=\"text-align: right;\">Date de création $(date +%F)</p></i>" >> $HTML_REPORT
echo "<font size=\"1\">" >> $HTML_REPORT
 
######################TABINFO######################
echo "Create information about system and ALCASAR"
#contain every information about ALCASAR configuration, system and last update
 
cat $MODEL_TABINFO | while read LINE_HTML
do
if [ "$(echo $LINE_HTML | grep 'XXORGXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^ORGANISM= $CONF_FILE | cut -d'=' -f2-)
echo ${LINE_HTML/XXORGXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXINSTALLXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^INSTALL_DATE= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXINSTALLXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXAVERSIONXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^VERSION= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXAVERSIONXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXIP_PUBLICXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^PUBLIC_IP= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXIP_PUBLICXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXIP_PRIVEXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXIP_PRIVEXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXGWXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^GW= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXGWXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXDNS1XX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^DNS1= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXDNS1XX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXDNS2XX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^DNS2= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXDNS2XX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXHOSTXX' | wc -l)" -eq 1 ]
then
VALUE=$(hostname)
echo ${LINE_HTML/XXHOSTXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXOS_VERSIONXX' | wc -l)" -eq 1 ]
then
VALUE=$(echo "$(uname -r) [ $(uname -m) ]")
echo ${LINE_HTML/XXOS_VERSIONXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXREBOOTXX' | wc -l)" -eq 1 ]
then
VALUE=$(who -b | cut -d' ' -f12-)
echo ${LINE_HTML/XXREBOOTXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXMAJCLAMAVXX' | wc -l)" -eq 1 ]
then
VALUE=$(date -d "@$(rpm -qa --queryformat "%{installtime} %{name}\n" | grep -E "clamav-db" | cut -d' ' -f1 )" "+%Y-%m-%d %H:%M:%S")
echo ${LINE_HTML/XXMAJCLAMAVXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXMAJBLXX' | wc -l)" -eq 1 ]
then
VALUE=$(cat /etc/e2guardian/lists/blacklists/README | grep 'Last version' | cut -d' ' -f4-6)
echo ${LINE_HTML/XXMAJBLXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXRPMXX' | wc -l)" -eq 1 ]
then
#show every ALCASAR RPM updated since X day ago
#get timestamp of X day ago. Then we get every packets chich have been updated since this date.
if [ "$(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l)" -gt 1 ]
then
PACKAGE='php|lighttpd|iptables|unbound|radius|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|ipt-netflow|wget|mariadb|gnupg|openssl'
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR
do
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1)
RPM_DATE=$(date -d "@$(echo $RPM_TIMESTAMP)" "+%Y-%m-%d %H:%M:%S")
RPM_NAME=$(echo $RPM_ALCASAR | cut -d' ' -f2)
RPM_VERSION=$(echo $RPM_ALCASAR | cut -d' ' -f3)
 
echo "<tr>" >> $HTML_REPORT
echo "<td>$RPM_NAME</td>" >> $HTML_REPORT
echo "<td>$RPM_DATE</td>" >> $HTML_REPORT
echo "<td>$RPM_VERSION</td>" >> $HTML_REPORT
echo "</tr>" >> $HTML_REPORT
done
else
echo "<tr><td colspan=\"3\">Pas de RPM mis à jour cette semaine</td></tr>" >> $HTML_REPORT
fi
else
echo $LINE_HTML >> $HTML_REPORT
fi
done
 
######################BL WEBSITE SINCE INSTALLATION######################
echo "Create BL website since the installation of ALCASAR"
#find data
 
#decompress every logs
if [ "$(ls -1 /var/log/unbound/unbound-blacklist.log.*.gz 2>/dev/null | wc -l)" -ge 1 ]
then
gunzip -d unbound-blacklist.log.*.gz
fi
 
#convert logs date in timestamp and find categories of blacklisted website
tmp_log=$(mktemp)
for FILE in /var/log/unbound/unbound-blacklist.log*
do
grep -E "info: [^ ]+ typetransparent $PRIVATE_IP" /var/log/unbound/unbound-blacklist.log > $tmp_log
while read LOG_BL
do
# find the current blacklisted category
website_bl=$(echo $LOG_BL | cut -d' ' -f4)
website_bl=${website_bl%?} # remove the last character
 
#we convert www.test.co.uk => test.co.uk to find the category of this website
if [ "$(grep -o '\.' <<< "$website_bl" | wc -l)" -ge "2" ]
then
website_bl=$(echo $website_bl | cut -d'.' -f2-)
fi
 
#get BL category
categorie_bl=$(grep -Rl "$website_bl" /usr/local/share/unbound-bl-enabled/ | cut -d'/' -f6 | head -1)
 
CURRENT_TS=$(echo $LOG_BL | cut -d '[' -f2 | cut -d ']' -f1)
echo "$CURRENT_TS:$categorie_bl:" >> $TMP_BL
done < $tmp_log
done
rm $tmp_log
 
#if data exists, create this section in html document
if [ -e $TMP_BL ]
then
ENABLE_BL=1
#count every BL website consulted since installation (maximum 1 year)
DATE_END=$(cat $TMP_BL | cut -d':' -f1 | sort -n | head -1 )
 
 
for TS in $(seq $C_TS -$STEP_TS $DATE_END)
do
DATE_1=$TS
DATE_2=$((TS-$STEP_TS))
COUNT_BL_INSTALLATION=0
 
for LINE in $(cat $TMP_BL)
do
TS_FILE=$(echo $LINE | cut -d':' -f1)
 
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ]
then
COUNT_BL_INSTALLATION=$((COUNT_BL_INSTALLATION+1))
fi
done
 
VALUE_BL_INSTALLATION_LABEL="'$(date -d @$DATE_2 "+%Y-%m-%d" )', $VALUE_BL_INSTALLATION_LABEL"
VALUE_BL_INSTALLATION_DATA="$COUNT_BL_INSTALLATION, $VALUE_BL_INSTALLATION_DATA"
done
 
#create Antivirus section in html document
NAME_BL_INSTALLATION='chart_bl_installation'
CONF_BL_INSTALLATION='config_bl_installation'
echo "<center>" >> $HTML_REPORT
echo "<canvas id='$NAME_BL_INSTALLATION' width='450' height='450'></canvas>" >> $HTML_REPORT
echo "</center>" >> $HTML_REPORT
 
#create chart bar in html file with javascript (chartjs.com)
echo "<script>" >> $HTML_REPORT
cat $MODEL_CHARTJS | while read LINE_JS
do
#name of variable
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCONFXX/$CONF_BL_INSTALLATION} >> $HTML_REPORT
#chart type
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT
#chart title
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTITLEXX/"Sites bloqués au total"} >> $HTML_REPORT
#chart data
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXDATAXX/$VALUE_BL_INSTALLATION_DATA} >> $HTML_REPORT
#color
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT
#labels
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_INSTALLATION_LABEL} >> $HTML_REPORT
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
elif [ "$(echo $LINE_JS | grep 'XXYLABELXX' | wc -l)" -eq 1 ]
then
echo "\"Nombre de site bloqué par la blacklist\"" >> $HTML_REPORT
else
echo $LINE_JS >> $HTML_REPORT
fi
done
echo "</script>" >> $HTML_REPORT
else
echo "<h2>Aucune activité de la Blacklist depuis l'installation.</h2>" >> $HTML_REPORT
fi
 
 
 
######################Unbound BLACKLIST######################
echo "Create BL website since $MAX_DAY_AGO days"
 
#if data exists, create BL section in html document
if [ -e $TMP_BL ]
then
ENABLE_BL_WEEK=1
#find data
#count every BL website consulted since DAYS_AGO
DATE_1=$C_TS
DATE_2=$((DATE_1-$STEP_TS))
 
touch $TMP_BL_WEEK
 
for LINE in $(cat $TMP_BL)
do
TS_FILE=$(echo $LINE | cut -d':' -f1)
#select only elements between DATE_1 and DATE_2
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ]
then
echo $LINE >> $TMP_BL_WEEK
fi
done
 
#then we count every occurence for each category in TMP_BL_WEEK
for CAT in $(ls /usr/local/share/unbound-bl/ -1 | cut -d'.' -f1)
do
echo "$CAT:$(grep -o ":$CAT:" <<< "$(cat $TMP_BL_WEEK)" | wc -l):" >> $TMP_BL_WEEK_CAT
done
 
#we sort by number of occurence and we take the top 10 BL categories
for LINE in $(sort -t':' -k2 -rn $TMP_BL_WEEK_CAT | head -n 10)
do
 
DATA=$(echo $LINE | cut -d':' -f2)
LABEL=$(echo $LINE | cut -d':' -f1)
if [ $DATA -ne 0 ]
then
VALUE_BL_DATA="$VALUE_BL_DATA $DATA, "
VALUE_BL_LABEL="$VALUE_BL_LABEL '$LABEL ($DATA)',"
fi
done
 
#get other categories (sum them all)
if [ "$(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)" -gt 0 ]
then
VALUE_BL_DATA="$VALUE_BL_DATA $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)"
VALUE_BL_LABEL="$VALUE_BL_LABEL 'autre ($(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc))'"
fi
 
#create chart pie in html file with javascript (chartjs.com)
NAME_BL='chart_bl'
CONF_BL='config_bl'
echo "<center>" >> $HTML_REPORT
echo "<canvas id='$NAME_BL' width='450' height='450' ></canvas>" >> $HTML_REPORT
echo "</center>" >> $HTML_REPORT
echo "<script>" >> $HTML_REPORT
 
cat $MODEL_CHARTJS | while read LINE_JS
do
#variable name
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCONFXX/$CONF_BL} >> $HTML_REPORT
#chart type
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTYPEXX/pie} >> $HTML_REPORT
#graph title
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTITLEXX/"Sites bloqués cette semaine"} >> $HTML_REPORT
#chart data
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXDATAXX/$VALUE_BL_DATA} >> $HTML_REPORT
#color
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT
#labels
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_LABEL} >> $HTML_REPORT
#display legend, only useful for chart pie
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLEGENDXX/true} >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ]
then
echo "/*" >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ]
then
echo "*/" >> $HTML_REPORT
else
echo $LINE_JS >> $HTML_REPORT
fi
done
echo "</script>" >> $HTML_REPORT
else
echo "<h2>Aucune activité de la Blacklist cette semaine.</h2>" >> $HTML_REPORT
fi
 
######################VIRUS THREAT######################
echo "Create AV logs since the installation of ALCASAR"
 
#decompress every logs, if they exist
if [ "$(ls -1 /var/log/clamav/clamd.log.*.gz 2>/dev/null | wc -l)" -ge 1 ]
then
gunzip -d clamd.log.*.gz
fi
 
for FILE in /var/log/clamav/clamd.log*
do
while read LINE_AV
do
if [ "`echo $LINE_AV|grep -c FOUND`" == 1 ]
then
Y=$(echo $LINE_AV | cut -d' ' -f5)
M=$(echo $LINE_AV | cut -d' ' -f2)
D=$(echo $LINE_AV | cut -d' ' -f3)
H=$(echo $LINE_AV | cut -d' ' -f4)
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s")
echo $CURRENT_TS >> $TMP_AV
fi
done < $FILE
done
 
if [ -e $TMP_AV ]
then
ENABLE_AV=1
DATE_END=$(cat $TMP_AV | sort -n | head -1)
for TS in $(seq $C_TS -$STEP_TS $DATE_END)
do
DATE_1=$TS
DATE_2=$((TS-$STEP_TS))
COUNT_AV=0
 
for TS_FILE in $(cat $TMP_AV)
do
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ]
then
COUNT_AV=$((COUNT_AV+1))
fi
done
 
VALUE_AV_LABEL="'$(date -d @$DATE_2 "+%Y-%m-%d" )', $VALUE_AV_LABEL"
VALUE_AV_DATA="$COUNT_AV, $VALUE_AV_DATA"
done
 
#create Antivirus section in html document
NAME_AV='chart_av'
CONF_AV='config_av'
echo "<center>" >> $HTML_REPORT
echo "<canvas id='$NAME_AV' width='450' height='450' ></canvas>" >> $HTML_REPORT
echo "</center>" >> $HTML_REPORT
 
 
#create chart bar in html file with javascript (chartjs.com)
echo "<script>" >> $HTML_REPORT
cat $MODEL_CHARTJS | while read LINE_JS
do
#name of variable
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCONFXX/$CONF_AV} >> $HTML_REPORT
#chart type
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT
#graph title
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTITLEXX/"Menaces bloqués par l\'antivirus"} >> $HTML_REPORT
#chart data
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXDATAXX/$VALUE_AV_DATA} >> $HTML_REPORT
#color
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT
#labels
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLABELSXX/$VALUE_AV_LABEL} >> $HTML_REPORT
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
elif [ "$(echo $LINE_JS | grep 'XXYLABELXX' | wc -l)" -eq 1 ]
then
echo "\"Nombre de menaces virales bloqués par l'antivirus\"" >> $HTML_REPORT
else
echo $LINE_JS >> $HTML_REPORT
fi
done
echo "</script>" >> $HTML_REPORT
else
echo "<h2>Aucune menace virale.</h2>" >> $HTML_REPORT
fi
 
 
######################ALCASAR : DAILY USE######################
echo "Get daily use connection of the week"
#create html document
echo "<h2>Statistiques volumétrie connexions</h2>" >> $HTML_REPORT
 
#create new htdigest user to consult statistique of ACC
#if user does not exist, we create him
if [ "$(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l)" -lt 1 ]
then
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_only_manager
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_manager
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_all
chown -R root:apache $DIR_KEY
chmod 640 $DIR_KEY/key_*
fi
 
#get stats.php from ACC
wget -q -nv --user $tmp_account --password $password https://alcasar/acc/manager/htdocs/stats.php -O $TMP_STATS --no-check-certificate
 
#clean this file to include it in html report.
DELIM_1="<td colspan=10 height=20><img src=\"images\/pixel.gif\"><\/td>"
DELIM_2="<\/td><\/tr> <\/table> <\/td><\/tr> <\/table> <\/td><\/tr> <\/table> <p>"
cat $TMP_STATS | sed -n "/$DELIM_1/,/$DELIM_2/p" | tail -n+3 | head -n-2 >> $TMP_STATS_2
cat $TMP_STATS_2 | sed -e 's:images/pixel.gif:../../manager/htdocs/images/pixel.gif:g' >> $HTML_REPORT
 
#we delete our user if he still exists
if [ "$(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l)" -ge 1 ]
then
$SED "/^$tmp_account:/d" $DIR_KEY/key_only_manager
$SED "/^$tmp_account:/d" $DIR_KEY/key_manager
$SED "/^$tmp_account:/d" $DIR_KEY/key_all
fi
 
 
###################### ALCASAR : LOG ACCESS ######################
echo "Get ACC log access of the week"
 
ROWS=""
while read -r access ; do
access_datas=(${access//|/ })
 
accces_date_intl=$(echo "${access_datas[0]} ${access_datas[1]}" | sed -E 's@^([0-9]{2})+/+([0-9]{2})+/+([0-9]{4})+@\3-\2-\1@') # Convert date format DD/MM/YYYY to YYYY-MM-DD
access_date=$(date -d "$accces_date_intl" +%s)
access_user=${access_datas[2]}
access_ip=${access_datas[3]}
access_agent=$(echo "$access" | cut -d'|' -f4)
if [ $access_date -lt $SECS_AGO ]; then
break
fi
 
access_date_formatted=$(date -d @$access_date +"%x %X")
 
ROWS="$ROWS<tr><td>$access_date_formatted</td><td>$access_user</td><td>$access_ip</td><td>$access_agent</td></tr>"
done < <(cat /var/Save/security/acc_access.log | sort -r)
# TODO: Read archives if necessary
 
if [ -z "$ROWS" ]; then
ROWS="<tr><td colspan=\"4\" style=\"text-align: center;\">Aucune connexion</td></tr>"
fi
 
# Create HTML document
echo "<h2>Connexion à l'ALCASAR Control Center (ACC)</h2>" >> $HTML_REPORT
echo "<table class=\"table table-striped\">" >> $HTML_REPORT
echo "<thead><tr><th>Date</th><th>Utilisateur</th><th>Adresse IP</th><th>Agent</th></tr></thead><tbody>" >> $HTML_REPORT
echo "$ROWS" >> $HTML_REPORT
echo "</tbody></table>" >> $HTML_REPORT
 
 
###################### ALCASAR : GLOBAL TRAFFIC ######################
echo "Get Global traffic of the last 30 days"
 
ROWS=""
EXTIF=$(grep ^EXTIF= $CONF_FILE | cut -d'=' -f2)
for day in $(vnstat --exportdb -i $EXTIF | grep '^d;' | sort -t";" -k3 -r); do
day_datas=(${day//;/ })
day_date=${day_datas[2]}
day_rxMio=${day_datas[3]}
day_txMio=${day_datas[4]}
day_rxKio=${day_datas[5]}
day_txKio=${day_datas[6]}
day_act=${day_datas[7]}
 
if [ $day_act -ne 1 ]; then
continue
fi
 
if [ $day_date -lt $SECS_AGO ]; then
break
fi
 
day_date_formatted=$(date -d @$day_date +%x)
day_rx=$(($day_rxMio * 1048576 + $day_rxKio * 1024))
day_tx=$(($day_txMio * 1048576 + $day_txKio * 1024))
day_total=$(($day_rx + $day_tx))
day_rx_formatted=$(numfmt --from=iec --to=iec --suffix=B $day_rx)
day_tx_formatted=$(numfmt --from=iec --to=iec --suffix=B $day_tx)
day_total_formatted=$(numfmt --from=iec --to=iec --suffix=B $day_total)
 
ROWS="$ROWS<tr><td>$day_date_formatted</td><td>$day_rx_formatted</td><td>$day_tx_formatted</td><td>$day_total_formatted</td></tr>"
done
 
if [ -z "$ROWS" ]; then
ROWS="<tr><td colspan=\"4\" style=\"text-align: center;\">Aucun jour capturé</td></tr>"
fi
 
# Create html document
echo "<h2>Trafic global</h2>" >> $HTML_REPORT
echo "<table class=\"table table-striped\">" >> $HTML_REPORT
echo "<thead><tr><th>Date</th><th>Entrant</th><th>Sortant</th><th>Total</th></tr></thead><tbody>" >> $HTML_REPORT
echo "$ROWS" >> $HTML_REPORT
echo "</tbody></table>" >> $HTML_REPORT
 
 
###################### ALCASAR : FAIL2BAN ######################
echo "Get fail2ban log of the week"
 
ROWS=""
dateDaysAgo_formatted=$(date --date="$MAX_DAY_AGO days ago" +'%Y-%m-%d %H:%M:%S,%N' | rev | cut -c 7- | rev)
while read -r log ; do
log_datas=($log)
log_date="${log_datas[0]} ${log_datas[1]}"
log_type=${log_datas[4]:1:-1}
log_ip=${log_datas[6]}
log_date_formatted=$(date -d "$log_date" +"%x %X")
 
ROWS="$ROWS<tr><td>$log_date_formatted</td><td>$log_ip</td><td>$log_type</td></tr>"
done < <(grep " Ban " /var/log/fail2ban.log | sort -r | awk -v dateDaysAgo="$dateDaysAgo_formatted" '($1 " " $2) >= dateDaysAgo')
 
if [ -z "$ROWS" ]; then
ROWS="<tr><td colspan=\"3\" style=\"text-align: center;\">Aucune adresse IP bloquée</td></tr>"
fi
 
# Create html document
echo "<h2>Adresse(s) IP bloquée(s) (Fail2Ban)</h2>" >> $HTML_REPORT
echo "<table class=\"table table-striped\">" >> $HTML_REPORT
echo "<thead><tr><th>Date</th><th>Adresse IP</th><th>Règle</th></tr></thead><tbody>" >> $HTML_REPORT
echo $ROWS >> $HTML_REPORT
echo "</tbody></table>" >> $HTML_REPORT
 
 
######################FIN HTML######################
 
#Execute our javascript function to print charts
echo "<script>window.onload = function() {" >> $HTML_REPORT
#BL SINCE INSTALLATION
if [ $ENABLE_BL -eq "1" ]
then
echo "var ctx_$NAME_BL_INSTALLATION = document.getElementById('$NAME_BL_INSTALLATION').getContext('2d');" >> $HTML_REPORT
echo "var $NAME_BL_INSTALLATION = new Chart(ctx_$NAME_BL_INSTALLATION, $CONF_BL_INSTALLATION);" >> $HTML_REPORT
fi
#BL WEEK
if [ $ENABLE_BL_WEEK -eq "1" ]
then
echo "var ctx_$NAME_BL = document.getElementById('$NAME_BL').getContext('2d');" >> $HTML_REPORT
echo "var $NAME_BL = new Chart(ctx_$NAME_BL, $CONF_BL);" >> $HTML_REPORT
fi
#VIRUS THREAT
if [ $ENABLE_AV -eq "1" ]
then
echo "var ctx_$NAME_AV = document.getElementById('$NAME_AV').getContext('2d');" >> $HTML_REPORT
echo "var $NAME_AV = new Chart(ctx_$NAME_AV, $CONF_AV);" >> $HTML_REPORT
fi
echo "};</script>" >> $HTML_REPORT
echo "</body>" >> $HTML_REPORT
echo "</html>" >> $HTML_REPORT
 
#convert html document to PDF
/usr/bin/wkhtmltopdf $HTML_REPORT "$(echo $HTML_REPORT | cut -d'.' -f1).pdf"
chown apache:apache "$(echo $HTML_REPORT | cut -d'.' -f1).pdf"
chmod 644 "$(echo $HTML_REPORT | cut -d'.' -f1).pdf"
mv "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" /var/Save/activity_report/
 
#compress every logs, if they exist
if [ "$(ls -1 /var/log/clamav/clamd.log.* 2>/dev/null | wc -l)" -ge 1 ]
then
gzip /var/log/clamav/clamd.log.*
fi
 
#compress every logs
if [ "$(ls -1 /var/log/unbound/unbound-blacklist.log.* 2>/dev/null | wc -l)" -ge 1 ]
then
gzip /var/log/unbound/unbound-blacklist.log.*
fi
 
#remove our files
rm -f $TMP_BL
rm -f $TMP_BL_WEEK
rm -f $TMP_BL_WEEK_CAT
rm -f $TMP_STATS
rm -f $TMP_STATS_2
rm -f $HTML_REPORT
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
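--- a/scripts/alcasar-dns-local.sh
+++ b/scripts/alcasar-dns-local.sh
@@ -0,0 +1,141 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-dns-local.sh
+# by Rexy - 3abtux
+# This script is distributed under the Gnu General Public License (GPL)
+
+# active ou desactive la redirection du service DNS sur le réseau de consultation
+# enable or disable the redirector of internal DNS service on consultation LAN
+
+SED="/bin/sed -i"
+
+ALCASAR_CONF_FILE="/usr/local/etc/alcasar.conf"
+LOCAL_DOMAIN_CONF_FILE="/etc/unbound/conf.d/common/local-forward/dns-redirector.conf"
+LOCAL_HOSTNAME_FILE="/etc/hosts"
+
+# define DNS parameters (LAN side)
+INT_DNS_DOMAIN=`grep ^DOMAIN $ALCASAR_CONF_FILE|cut -d"=" -f2`
+INT_DNS_HOST=`grep ^HOSTNAME $ALCASAR_CONF_FILE|cut -d"=" -f2`
+INT_DNS_IP_MASK=`grep ^PRIVATE_IP $ALCASAR_CONF_FILE|cut -d"=" -f2`
+INT_DNS_IP=`grep ^PRIVATE_IP $ALCASAR_CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
+INTIF=`grep ^INTIF $ALCASAR_CONF_FILE|cut -d"=" -f2`
+INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $ALCASAR_CONF_FILE|cut -d"=" -f2`
+LOCAL_DNS_FILE="/etc/unbound/conf.d/common/local-dns/$INTIF.conf"
+
+usage="Usage: alcasar-dns-local.sh {--on | -on} | {--off | -off} | {--add | -add} ip domain | {--del | -del} ip domain | {--reload | -reload}"
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+echo "$usage"
+exit 1
+fi
+
+function restart_dns(){
+for dns in unbound unbound-blacklist unbound-whitelist unbound-blackhole
+do
+echo "Restarting $dns. Please wait..."
+systemctl restart $dns
+done
+}
+
+function hosts_to_unbound(){ # configure the unbound conf file with local host names resolution
+cat << EOF > $LOCAL_DNS_FILE
+server:
+local-data: "$INT_DNS_HOST.$INT_DNS_DOMAIN IN A $INT_DNS_IP"
+local-data-ptr: "$INT_DNS_IP $INT_DNS_HOST.$INT_DNS_DOMAIN"
+EOF
+while read -r line
+do
+ip_address=$(echo $line | awk '{ print $1 }')
+domain=$(echo $line | awk '{ print $2 }')
+if ! echo $line | grep -E -q "^([0-9\.\t ]+alcasar( |$)|127\.0\.0)"
+then
+echo -e "\tlocal-data: \"$domain.$INT_DNS_DOMAIN IN A $ip_address\"" >> $LOCAL_DNS_FILE
+echo -e "\tlocal-data-ptr: \"$ip_address $domain.$INT_DNS_DOMAIN\"" >> $LOCAL_DNS_FILE
+fi
+done < $LOCAL_HOSTNAME_FILE
+if [ $INT_DNS_DOMAIN == "localdomain" ]
+then
+echo -e "\tlocal-zone: \"$INT_DNS_DOMAIN\" static" >> $LOCAL_DNS_FILE # Don't forward this local zone
+fi
+}
+
+case $args in
+-\? | -h | --h)
+echo "$usage"
+exit 0
+;;
+--add|-add) # add a local host resolution
+if [ $nb_args -ne 3 ]
+then
+echo "$usage"
+exit 1
+else
+# removing if already exists
+$SED "/^$2[ \t]*$3/d" $LOCAL_HOSTNAME_FILE
+# adding to the hosts file
+echo -e "$2\t$3" >> $LOCAL_HOSTNAME_FILE
+hosts_to_unbound
+restart_dns
+fi
+;;
+--del|-del) # remove a local host resolution
+if [ $nb_args -ne 3 ]
+then
+echo "$usage"
+exit 1
+else
+$SED "/^$2[ \t]*$3/d" $LOCAL_HOSTNAME_FILE
+hosts_to_unbound
+restart_dns
+fi
+;;
+--reload|-reload)
+hosts_to_unbound
+restart_dns
+;;
+--hosts_to_unbound|-hosts_to_unbound)
+hosts_to_unbound
+;;
+--off|-off) # disable DNS redirector
+rm -f $LOCAL_DOMAIN_CONF_FILE
+$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=off?g" $ALCASAR_CONF_FILE
+restart_dns
+/usr/local/bin/alcasar-iptables.sh
+;;
+--off-without-restart|-off-without-restart) # disable DNS redirector
+rm -f $LOCAL_DOMAIN_CONF_FILE
+$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=off?g" $ALCASAR_CONF_FILE
+/usr/local/bin/alcasar-iptables.sh
+;;
+--on|-on) # enable DNS redirector
+cat > $LOCAL_DOMAIN_CONF_FILE << EOF
+server:
+local-zone: "$INT_DNS_DOMAIN." transparent
+forward-zone:
+name: "$INT_DNS_DOMAIN."
+forward-addr: $INT_DNS_IP
+EOF
+$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=on?g" $ALCASAR_CONF_FILE
+restart_dns
+/usr/local/bin/alcasar-iptables.sh
+;;
+--on-without-restart|-on-without-restart) # enable DNS redirector
+cat > $LOCAL_DOMAIN_CONF_FILE << EOF
+server:
+local-zone: "$INT_DNS_DOMAIN." transparent
+forward-zone:
+name: "$INT_DNS_DOMAIN."
+forward-addr: $INT_DNS_IP
+EOF
+$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=on?g" $ALCASAR_CONF_FILE
+/usr/local/bin/alcasar-iptables.sh
+;;
+*)
+echo "Argument inconnu : $1";
+echo "$usage"
+exit 1
+;;
+esac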
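Review bot: In the `--add|-add` and `--del|-del` branches the ip and domain arguments go straight into a sed address (`$SED "/^$2[ \t]*$3/d" $LOCAL_HOSTNAME_FILE`) and, for --add, into /etc/hosts and from there into the unbound file written by hosts_to_unbound, with no check on their shape; each dot in the address is a regex wildcard there, and a `/` in either argument breaks the sed expression. A guard before the sed such as `[[ "$2" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ && "$3" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$ ]] || { echo "$usage"; exit 1; }` restricts both values to what the hosts file and the `local-data` lines expect, and `$SED "/^${2//./\\.}[ \t]*$3/d" $LOCAL_HOSTNAME_FILE` then matches the address literally. Separately, `grep ^DOMAIN $ALCASAR_CONF_FILE` also matches any other key that begins with DOMAIN and `grep INT_DNS_ACTIVE` has no anchor at all, so the `^HOSTNAME=` form used in alcasar-mail-install.sh is the one to copy here. The unquoted `[ $INT_DNS_DOMAIN == "localdomain" ]` in hosts_to_unbound also turns into a test syntax error when the value is empty.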
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
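--- a/scripts/alcasar-sms.sh
+++ b/scripts/alcasar-sms.sh
@@ -0,0 +1,498 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-sms.sh
+# by Nicolas Aubry & Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# This script manages the 'gammu-smsd' service when a GSM adapter is detected
+# Ce script gère le service 'gammu-smsd' quand un adaptateur GSM est détecté
+
+CONF_FILE='/usr/local/etc/alcasar.conf'
+
+####### VARIABLES ########
+nb_essais=3
+time_account=1
+time_ban=2
+####### IDs DB ##########################
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+u_db=$(grep '^db_user=' $PASSWD_FILE | cut -d'=' -f2-)
+p_db=$(grep '^db_password=' $PASSWD_FILE | cut -d'=' -f2-)
+#########################################
+
+rad="radcheck"
+radgp="radusergroup"
+radgpck="radgroupcheck"
+radinf="userinfo"
+sms_p="SMS_ban_perm"
+sms_t="SMS_ban_temp"
+inb="inbox"
+SMS_c="SMS_country"
+config="/etc/gammu_smsd_conf"
+config2="/etc/gammurc"
+logfile="/var/log/gammu-smsd/gammu-smsd.log"
+script="/usr/local/bin/alcasar-sms.sh"
+separator="########## START ##########"
+end="%%%%%%%%%% STOP %%%%%%%%%%"
+
+usage="Usage: alcasar-gammu.sh
+Start Gammu-smsd : --start
+Stop Gammu-smsd : --stop
+Process on new sms : --new_sms"
+
+nb_args=$#
+args=$1
+
+# Functions
+function mode_huawei() {
+couple=$(lsusb | grep -i huawei | cut -d ' ' -f6)
+vendor=$(echo $couple | cut -d ':' -f1)
+product=$(echo $couple | cut -d ':' -f2)
+echo "******** Modeswitch *************" >> $logfile
+echo $vendor >> $logfile
+echo $product >> $logfile
+/usr/sbin/usb_modeswitch -I -H -v 0x$vendor -p 0x$product -V 0x$vendor -P 0x$product -W -n >> $logfile
+} # end function mode_huawei
+
+function start_gammu() {
+# Truncate phones table (informations signal/IMEI/battery/sent et reveived sms)
+mysql --user=$u_db --password=$p_db --database=gammu -Bs -e 'TRUNCATE phones;'
+# Verify the sms group is created
+if [ $(mysql --user=$u_db --password=$p_db --database=radius -Bs -e "SELECT COUNT(*) FROM $radgp WHERE username='sms' AND groupname='sms';") -eq 0 ]; then
+sql_add_gp="INSERT INTO $radgp (username,groupname) VALUES ('sms','sms'); INSERT INTO $radgpck (groupname,attribute,op,value) VALUES ('sms','Simultaneous-Use',':=',1);"
+mysql --user=$u_db --password=$p_db --database=radius -Bs -e "$sql_add_gp"
+fi
+# Start gammu
+echo $separator >> $logfile
+/usr/bin/systemctl -q start gammu-smsd.service
+/usr/bin/systemctl -q enable gammu-smsd.service
+} # end function start_gammu
+
+function stop_gammu() {
+/usr/bin/systemctl -q stop gammu-smsd.service
+/usr/bin/systemctl -q disable gammu-smsd.service
+echo $end >> $logfile
+} # end function stop_gammu
+
+function unlock() {
+# Remove phone number in SMS_ban_perm table
+sql_remove_ban_perm="connect gammu; DELETE FROM $sms_p"
+mysql --user=$u_db --password=$p_db -B -se "$sql_remove_ban_perm WHERE SenderNumber=$1;"
+# Add sms group
+sql_remove_gp="connect radius; DELETE FROM $radgp WHERE username='$1';"
+mysql --user=$u_db --password=$p_db -B -se "$sql_remove_gp"
+# Remove account in Radcheck table
+sql_remove_compte="connect radius; DELETE FROM $rad WHERE username='$1';"
+mysql --user=$u_db --password=$p_db -B -se "$sql_remove_compte"
+} # end function unlock
+
+function change_country() {
+sql_status_country="connect gammu; SELECT status FROM SMS_country WHERE name='$1'"
+stat=$(mysql --user=$u_db --password=$p_db -B -se "$sql_status_country")
+if [ $stat -eq 0 ]
+then
+sql_change_country="connect gammu; UPDATE $SMS_c SET status=1 WHERE name='$1'"
+mysql --user=$u_db --password=$p_db -B -se "$sql_change_country"
+else
+sql_change_country="connect gammu; UPDATE $SMS_c SET status=0 WHERE name='$1'"
+mysql --user=$u_db --password=$p_db -B -se "$sql_change_country"
+fi
+} # end change_country
+
+function supp_acc_rad() {
+# Remove account in Radcheck table
+sql_del_compte="connect radius; DELETE FROM $rad WHERE username='$1';"
+mysql --user=$u_db --password=$p_db -B -se "$sql_del_compte"
+} # end function supp_acc_rad()
+
+function add_acc_rad() {
+# Add accoubt in RadCheck table
+sql_add_pass="connect radius; INSERT INTO $rad (username,attribute,op,value) VALUES ('$1','Crypt-Password',':=','$2');"
+sql_add_expe="connect radius; INSERT INTO $rad (username,attribute,op,value) VALUES ('$1','Expiration',':=','$3');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_pass"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_expe"
+# Add this account to sms group
+sql_add_gp="connect radius; INSERT INTO $radgp (username,groupname) VALUES ('$1','sms');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_gp"
+} # end function add_acc_rad()
+
+function supp_num_temp() {
+# Remove phone number in SMS_ban_temp table
+sql_remove_ban_temp="connect gammu; DELETE FROM $sms_t"
+mysql --user=$u_db --password=$p_db -B -se "$sql_remove_ban_temp WHERE SenderNumber=$1;"
+} # end function supp_num_temp()
+
+function add_num_perm() {
+# Add phone number in SMS_ban_perm table
+sql_add_ban_perm="connect gammu; INSERT INTO $sms_p (SenderNumber,Perm,Expiration) VALUES ('$1',0,'$2');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_ban_perm"
+} # end function add_num_perm()
+
+function supp_num_perm() {
+# Remove phone number in SMS_ban_perm table
+sql_remove_ban_perm="connect gammu; DELETE FROM $sms_p"
+mysql --user=$u_db --password=$p_db -B -se "$sql_remove_ban_perm WHERE SenderNumber=$1;"
+} # end function add_num_perm()
+
+function new_sms() {
+# Check Inbox table, manage Ban temp and perm, create account
+export salt='$5$passwd$'
+sql_select_inbox="connect gammu; SELECT ID, SenderNumber, TextDecoded FROM $inb;"
+sql_delete_inbox="connect gammu; DELETE FROM $inb"
+mysql --user=$u_db --password=$p_db -B -se "$sql_select_inbox" | while read result;
+do
+# Retrieve the number of words (result)
+nb=$(echo $result | wc -w)
+# Retrive the ID
+id=$(echo $result | cut -d ' ' -f1)
+numero=$(echo $result | cut -d ' ' -f2)
+if [[ $numero =~ ^\+ ]]
+then
+# Check if country is blocked
+sql_select_countries="connect gammu; SELECT id FROM $SMS_c WHERE status=1"
+mysql --user=$u_db --password=$p_db -B -se "$sql_select_countries" | while read result_c;
+do
+if [[ $numero =~ ^"$result_c" ]]
+then
+numero=$(echo $numero | cut -d '+' -f2)
+# Check if GSM number is nabbed
+sql_ban_perm="connect gammu; SELECT * FROM $sms_p WHERE SenderNumber=$numero"
+result_bp=$(mysql --user=$u_db --password=$p_db -B -se "$sql_ban_perm")
+if test -z "$result_bp"
+then
+# Test the number of word (result)
+if [ $nb -eq 2 ] # if only 2 words : lack of password
+then
+# Add "1" in bans_temp table // NO PASSWORD
+sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp"
+elif [ $nb -eq 3 ] # if 3 words (id + password + phone numbere)
+then
+export pass=$(echo $result | cut -d ' ' -f3)
+pass_salt=$(perl -e'print crypt($ARGV[0],$ARGV[1])' $pass $salt)
+export LC_TIME="en_US.UTF-8"
+expir=$(date '+%d %B %Y' -d "$time_account days")
+supp_acc_rad "$numero"
+add_acc_rad "$numero" "$pass_salt" "$expir"
+supp_num_temp "$numero"
+add_num_perm "$numero" "$expir"
+else # more then 3 words --> Add "1" in ban_temp table
+sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp"
+fi
+# manage ban perm
+sql_select_temp="connect gammu; SELECT ID FROM $sms_t WHERE SenderNumber='$numero'"
+r_select_temp=$(mysql --user=$u_db --password=$p_db -B -se "$sql_select_temp")
+nb_ban_t=$(echo $r_select_temp| wc -w)
+if [ $nb_ban_t -ge $nb_essais ]
+then
+supp_num_temp "$numero"
+export LC_TIME="en_US.UTF-8"
+expir_f=$(date '+%d %B %Y' -d "$time_ban days")
+# Add "1" in SMS_ban_perm table : flood
+sql_add_ban_perm="connect gammu; INSERT INTO $sms_p (SenderNumber,Perm,Expiration) VALUES ('$numero',1,'$expir_f');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_ban_perm"
+fi
+else
+date_expiration=$(echo $result_bp | cut -d ' ' -f2,3,4)
+perm=$(echo $result_bp | cut -d ' ' -f5)
+export LC_TIME="en_US.UTF-8"
+date_script=$(date '+%d %B %Y' -d "now")
+# convert in seconds in order to be able to compare
+d_exp=$(date --date "$date_expiration" +%s)
+d_scr=$(date --date "$date_script" +%s)
+if test $d_scr -ge $d_exp # Si le ban à expiré
+then
+# Test the number of words (result)
+if [ $nb -eq 2 ] # Si 2 mots : le mot de passe est manquant
+then
+# Add "1" in ban temp table
+sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp"
+elif [ $nb -eq 3 ] # Si 3 mots : id + mot de passe + numero
+then
+date_expiration=$(echo $result_bp | cut -d ' ' -f2,3,4)
+perm=$(echo $result_bp | cut -d ' ' -f5)
+date_script=$(date '+%d %B %Y' -d "now")
+# convert in seconds in order to be able to compare
+d_exp=$(date --date "$date_expiration" +%s)
+d_scr=$(date --date "$date_script" +%s)
+export pass=$(echo $result | cut -d ' ' -f3)
+pass_salt=$(perl -e'print crypt($ARGV[0],$ARGV[1])' $pass $salt)
+export LC_TIME="en_US.UTF-8"
+expir=$(date '+%d %B %Y' -d "$time_account days")
+supp_acc_rad "$numero"
+add_acc_rad "$numero" "$pass_salt" "$expir"
+supp_num_temp "$numero"
+supp_num_perm "$numero"
+add_num_perm "$numero" "$expir"
+else
+# number of words to big (> 3)
+# Add "1" in bans temp table
+sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp"
+echo "Mot de passe incorrect, ajout du numero en ban temporaire"
+fi
+# manage bans_temp & ban_perm
+sql_select_temp="connect gammu; SELECT ID FROM $sms_t WHERE SenderNumber='$numero'"
+r_select_temp=$(mysql --user=$u_db --password=$p_db -B -se "$sql_select_temp")
+nb_ban_t=$(echo $r_select_temp| wc -w)
+if [ $nb_ban_t -ge $nb_essais ]
+then
+supp_num_perm "$numero"
+supp_num_temp "$numero"
+export LC_TIME="en_US.UTF-8"
+expir_f=$(date '+%d %B %Y' -d "$time_ban days")
+# Add phne number in ban_perm : flood
+sql_add_ban_perm="connect gammu; INSERT INTO $sms_p (SenderNumber,Perm,Expiration) VALUES ('$numero',1,'$expir_f');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_ban_perm"
+fi
+else
+echo "Le ban de $numero est encore valide"
+fi
+break
+fi
+#else
+#echo "Pays bloqué"
+fi
+done
+else
+echo "Numero non autorisé (ex: 36665)"
+fi
+# On supprime la ligne d'ID=$id dans inbox
+mysql --user=$u_db --password=$p_db -B -e "$sql_delete_inbox WHERE ID=$id;"
+done
+} # end function new_sms
+
+
+# CORE
+case $args in
+-h | --help)
+echo "$usage"
+exit 0
+;;
+--start)
+failed="0"
+comports=`ls -l /dev/ttyUSB* 2>/dev/null | wc -l`
+if [ $comports == "0" ]
+then
+echo "No GSM modem found."
+failed="1"
+fi
+if [ -z "$(grep '^SMS_NUM=' $CONF_FILE | cut -d'=' -f2-)" ]; then
+echo 'The phone number is not set.'
+failed="1"
+fi
+if [ $failed == "1" ]
+then
+sed -i "s/^SMS=.*/SMS=off/" $CONF_FILE
+exit 0
+fi
+gammu_pid=`/usr/bin/pidof gammu-smsd|wc -l`
+if [ $gammu_pid != "0" ]
+then
+echo "Gammu is already started"
+else
+start_gammu
+sleep 1
+is_active=`systemctl is-active gammu-smsd`
+if [ $is_active == "active" ]
+then
+sed -i "s/^SMS=.*/SMS=on/" $CONF_FILE
+else
+sed -i "s/^SMS=.*/SMS=off/" $CONF_FILE
+fi
+fi
+exit 0
+;;
+--stop)
+gammu_pid=`/usr/bin/pidof gammu-smsd|wc -l`
+if [ $gammu_pid != "0" ]
+then
+stop_gammu
+else
+echo "Gammu is already stopped"
+fi
+sed -i "s/^SMS=.*/SMS=off/" $CONF_FILE
+exit 0
+;;
+--pidof)
+/usr/bin/pidof gammu-smsd
+;;
+--last_nosim)
+# Récupère la dernière ligne où NOSIM est présent (error)
+cat $logfile | grep -n "NOSIM" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_start)
+# Récupère la dernière ligne où ########## est présent (séparateur)
+cat $logfile | grep -n "##########" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_stop)
+# Récupère la dernière ligne où %%%%%%%%%% est présent (séparateur)
+cat $logfile | grep -n "%%%%%%%%%%" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_writeerror)
+#Récupère la dernière ligne où DEVICEWRITEERROR est présent (error)
+cat $logfile | grep -n "DEVICEWRITEERROR" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_timeout)
+# Récupère la dernière ligne où TIMEOUT est présent (error)
+cat $logfile | grep -n "TIMEOUT" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_secu)
+# Récupère la dernière ligne où SECURITYERROR est présent (error)
+cat $logfile | grep -n "SECURITYERROR" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_puk)
+# Récupère la dernière ligne où PUK est présent (error)
+cat $logfile | grep -n "UNKNOWN" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+#--log)
+# # Récupère le nom du fichier de log
+# cat $config | grep logfile | cut -d ' ' -f3
+# exit 0
+# ;;
+--connect)
+# display the com port speed
+cat $config | grep connection | cut -d ' ' -f3
+exit 0
+;;
+--replace_port)
+# modify the com port
+echo $2
+sed -i "s?^port = .*?port = $2?g" $config
+sed -i "0,/^device =/ s?device =.*?device = $2?" $config2
+exit 0
+;;
+--replace_speed)
+# modufy the com port speed
+sed -i "s/^connection = at.*/connection = at$2/g" $config
+sed -i "0,/^connection =/ s/connection =.*/connection = $2/" $config2
+exit 0
+;;
+--pin)
+# Récupère le code PIN (file de conf)
+cat $config | grep PIN | cut -d ' ' -f3
+exit 0
+;;
+--replace_pin)
+# Edition du code PIN
+sed -i "s/^PIN =.*/PIN = $2/g" $config
+exit 0
+;;
+--try_ban)
+# Récupère le nombre d'essais avant le ban perm
+grep nb_essais= $script | head -n 1 | cut -d '=' -f2
+exit 0
+;;
+--replace_try_ban)
+# Edition le nombre d'essais avant le ban perm
+sed -i "s/^nb_essais=.*/nb_essais=$2/g" $script
+exit 0
+;;
+--time_account)
+# Récupère la durée en jours de la session créée
+grep time_account= $script | head -n 1 | cut -d '=' -f2
+exit 0
+;;
+--replace_time_account)
+# Edition de la durée de la session créée
+sed -i "s/^time_account=.*/time_account=$2/g" $script
+exit 0
+;;
+--time_perm)
+# Récupère la durée un jours d'un ban perm (après flood par exemple)
+grep time_ban= $script | head -n 1 | cut -d '=' -f2
+exit 0
+;;
+--replace_time_perm)
+# Edition de la durée d'un ban perm
+sed -i "s/^time_ban=.*/time_ban=$2/g" $script
+exit 0
+;;
+--unlock_num)
+# Appel de la fonction unlock : deban un numero $2
+unlock "$2"
+exit 0
+;;
+--change_country)
+# Permet de changer l'état de blocage d'un pays
+a=""
+for i in "$@"
+do
+a=$(echo "$a $i")
+done
+a=$(echo $a | cut -d ' ' -f2-$#)
+change_country "$a"
+exit
+;;
+--change_country_ena_all)
+# Active l'ensemble des pays
+sql_change_country="connect gammu; UPDATE $SMS_c SET status=1"
+mysql --user=$u_db --password=$p_db -B -se "$sql_change_country"
+exit
+;;
+--change_country_dis_all)
+# Desactive l'ensemble des pays
+sql_change_country="connect gammu; UPDATE $SMS_c SET status=0"
+mysql --user=$u_db --password=$p_db -B -se "$sql_change_country"
+exit
+;;
+--change_country_filter)
+# Change la valeur du filtrage (FR, UE, all, perso)
+sql_change_country="connect gammu; UPDATE $SMS_c SET id='$2' WHERE name='FILTRAGE'"
+mysql --user=$u_db --password=$p_db -B -se "$sql_change_country"
+break
+;;
+--new_sms)
+# Appel de la fonction new_sms : filtrage du password, creation du compte et ban
+new_sms
+exit 0
+;;
+--imei_device)
+# Recuperation de l'imei du device
+sql_imei_phones="connect gammu; SELECT \`IMEI\` FROM phones;"
+mysql --user=$u_db --password=$p_db -B -se "$sql_imei_phones"
+exit 0
+;;
+--signal_device)
+# Recuperation du signal du device
+sql_signal_phones="connect gammu; SELECT \`Signal\` FROM phones;"
+mysql --user=$u_db --password=$p_db -B -se "$sql_signal_phones"
+exit 0
+;;
+--sms_received)
+# Recuperation du nombre de sms reçu. Depuis la dernière activation.
+sql_sms_received="connect gammu; SELECT \`Received\` FROM phones;"
+mysql --user=$u_db --password=$p_db -B -se "$sql_sms_received"
+exit 0
+;;
+--numero_alcasar)
+# Récupère le numero de la clé 3g (téléphone)
+grep '^SMS_NUM=' $CONF_FILE | cut -d'=' -f2-
+exit 0
+;;
+--replace_numero_alcasar)
+# Edition du numero de la clé 3g (téléphone)
+sed -i "s/^SMS_NUM=.*/SMS_NUM=$2/" $CONF_FILE
+exit 0
+;;
+--mode)
+# Mode huawei
+mode_huawei
+exit 0
+;;
+*)
+# Default
+echo "$usage"
+exit 0
+;;
+esac
+exit 0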
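Review bot: `--replace_try_ban`, `--replace_time_account` and `--replace_time_perm` rewrite this script's own `nb_essais=`, `time_account=` and `time_ban=` lines with `sed -i "s/^nb_essais=.*/nb_essais=$2/g" $script` and no check that `$2` is a number, so whatever the caller passes is stored in a file that is later executed as shell; a guard such as `[[ "$2" =~ ^[0-9]+$ ]] || { echo "$usage"; exit 1; }` before each sed (and a matching shape check for `--replace_pin`, `--replace_port` and `--replace_speed`, which edit `$config` and `$config2` the same way) keeps the edit to the intended value. Every `mysql --user=$u_db --password=$p_db` call also puts the database password on the command line, where it is visible in the process list for the duration of the query; passing it through a mode-600 `--defaults-extra-file` instead keeps it out of `ps`. In new_sms, `$result` (the sender number and SMS text read from the inbox table) is expanded unquoted in `echo $result | wc -w` and the following `cut` calls, so a `*` or `?` in the message is subject to pathname expansion before the word count is taken — `echo "$result"` is the safe form. Finally, `--change_country_filter` interpolates `$2` straight into its UPDATE statement and ends with `break` instead of `exit`, which outside a loop only emits a warning before the case falls through to the final `exit 0`.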
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
/scripts/alcasar-mail-install.sh
0,0 → 1,202
#!/bin/bash
 
###########################################################################################
## ALCASAR MAIL SERVICE CONFIGURATION
##
## Script by K@M3L & T3RRY (LaPlateforme.io), joss_p & Rexy
## This script configure PostFix
## 0 : no email autoregistration
## 1 : PostFix is the SMTP server
## 2 : PostFix relay to an other SMTP server
## 3 : PostFix use an external email address (with Cyrus-SASL)
###########################################################################################
 
######################################################
## Email configuration examples (mode = 3)
## common parameters : smtp_use_tls = yes, smtp_tls_security_level = encrypt, smtp_sasl_auth_enable = yes
## common rules : 'myhostname' parameter should be the domain name of the sasl_email account
########## smtp.free.fr:465 (expose mechanisms : PLAIN LOGIN CRAM-MD5 DIGEST-MD5)
## smtp_sasl_security_option = noanonymous, relayhost = [smtp.free.fr]:465, smtp_tls_wrappermode = yes
########## smtp.free.fr:587 (expose mechanismes
## smtp_sasl_security_option = noanonymous, relayhost = [smtp.free.fr]:587, smtp_tls_wrappermode = no, smtputf8_enable = no
########## smtp.orange.fr:465 (expose mechanisms : LOGIN PLAIN)
## smtp_sasl_security_option = noanonymous, relayhost = [smtp.orange.fr]:465, smtp_tls_wrappermode = yes, smtputf8_enable = no
########## smtp.sfr.fr:465 (expose mechanisms : LOGIN PLAIN)
## smtp_sasl_security_option = noanonymous, relayhost = [smtp.sfr.fr]:465, smtp_tls_wrappermode = yes
########## smtp.laposte.net:465 (expose mechanisms : LOGIN PLAIN)
## smtp_sasl_security_option = noanonymous, relayhost = [laposte.net]:465, smtp_tls_wrappermode = yes
########## smtp.bbox.net:465 (expose mechanisms : LOGIN PLAIN)
## smtp_sasl_security_option = noanonymous, relayhost = [laposte.net]:465, smtp_tls_wrappermode = yes
########## smtp.gmail.com:587 (expose mechanisms : LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH)
## smtp_sasl_security_option = noanonymous, relayhost = [gmail.com]:587, smtp_tls_wrappermode = no
## In this case (gmail) the password must be an "application password" created via the gmail account manager (security tab)
 
# ****** Paths *******
SED="/bin/sed -i"
CONF_FILE="/usr/local/etc/alcasar.conf"
POSTFIX_CONF_FILE="/etc/postfix/main.cf"
LOCAL_IPTABLE_FILE="/usr/local/etc/alcasar-iptables-local.sh"
SASLPATH="/etc/postfix/sasl"
smtpIP="0.0.0.0/0"
hostName=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
domainName=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
usage="Usage: alcasar-mail_install.sh -h|-0|-1|-2|-3"
 
nb_args=$#
if [ $nb_args -eq 0 ]; then # apply alcasar.conf
mail=`grep ^MAIL= $CONF_FILE|cut -d"=" -f2`
if [ "$mail" = "off" ]; then
TYPE_MAIL=0
else
TYPE_MAIL=`grep ^MAIL_TYPE= $CONF_FILE|cut -d"=" -f2`
smtpPort=`grep ^MAIL_SMTP_PORT= $CONF_FILE|cut -d"=" -f2`
smtpIP=`grep ^MAIL_SMTP_IP= $CONF_FILE|cut -d"=" -f2`
mailAddr=`grep ^MAIL_ADDR= $CONF_FILE|cut -d"=" -f2`
[ -e ${SASLPATH}/sasl_passwd ] && mailMdp=`cat $SASLPATH/sasl_passwd|cut -d":" -f3`
adminMail=`grep ^MAIL_ADMIN= $CONF_FILE|cut -d"=" -f2`
whiteDomain=`grep ^MAIL_WHITEDOMAIN= $CONF_FILE|cut -d"=" -f2`
fi
else # apply args
if [ "$1" = "-h" ] || [ "$1" = "--h" ]; then
echo $usage
exit 0
fi
while getopts ":h:s:p:m:o:a:w:0123" option
do
case $option in
0)
TYPE_MAIL=0
;;
1)
TYPE_MAIL=1
;;
2)
TYPE_MAIL=2
;;
3)
TYPE_MAIL=3
;;
p)
smtpPort=$OPTARG
;;
s)
smtpIP=$OPTARG
;;
m)
mailAddr=$OPTARG
;;
o)
mailMdp=$OPTARG
;;
a)
adminMail=$OPTARG
;;
w)
whiteDomain=$OPTARG
;;
:)
echo "L'option $OPTARG requiert un argument"
exit 1
;;
\?)
echo "$OPTARG : option invalide"
exit 1
;;
esac
done
fi
if [[ $TYPE_MAIL -eq 0 ]]; then # disable mail service
$SED "s/^MAIL=.*/MAIL=off/" $CONF_FILE
$SED "s/^MAIL_TYPE=.*/MAIL_TYPE=/" $CONF_FILE
$SED "s/^MAIL_SMTP_IP=.*/MAIL_SMTP_IP=/" $CONF_FILE
$SED "s/^MAIL_SMTP_PORT=.*/MAIL_SMTP_PORT=/" $CONF_FILE
$SED "s/^MAIL_ADDR=.*/MAIL_ADDR=/" $CONF_FILE
$SED "s/^MAIL_WHITEDOMAIN=.*/MAIL_WHITEDOMAIN=/" $CONF_FILE
$SED "s/^MAIL_ADMIN=.*/MAIL_ADMIN=/" $CONF_FILE
$SED "/^SMTP_IP=/ s/^/#/" $LOCAL_IPTABLE_FILE
$SED "/^SMTP_PORT=/ s/^/#/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/#\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -d \$SMTP_IP -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/#\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -s \$SMTP_IP -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^relayhost =.*/relayhost =/" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_security_level =.*/smtp_tls_security_level = may/g" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_wrappermode =.*/smtp_tls_wrappermode = no/g" $POSTFIX_CONF_FILE
$SED "s/^myhostname =.*/myhostname = $hostName.$domainName/g" $POSTFIX_CONF_FILE
[ -e ${SASLPATH}/sasl_passwd ] && rm -f ${SASLPATH}/*
elif [[ $TYPE_MAIL -eq 1 ]]; then # Enable mail service (act as smtp server)
$SED "s/^MAIL=.*/MAIL=on/" $CONF_FILE
$SED "s/^MAIL_TYPE=.*/MAIL_TYPE=1/" $CONF_FILE
$SED "s/^MAIL_SMTP_IP=.*/MAIL_SMTP_IP=/" $CONF_FILE
$SED "s/^MAIL_SMTP_PORT=.*/MAIL_SMTP_PORT=$smtpPort/" $CONF_FILE
$SED "s/^MAIL_ADDR=.*/MAIL_ADDR=/" $CONF_FILE
$SED "s/^MAIL_WHITEDOMAIN=.*/MAIL_WHITEDOMAIN=$whiteDomain/" $CONF_FILE
$SED "s/^MAIL_ADMIN=.*/MAIL_ADMIN=$adminMail/" $CONF_FILE
$SED "/^SMTP_IP=/ s/^/#/" $LOCAL_IPTABLE_FILE
$SED "s/^SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^relayhost =.*/relayhost =/" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_security_level =.*/smtp_tls_security_level = may/g" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_wrappermode =.*/smtp_tls_wrappermode = no/g" $POSTFIX_CONF_FILE
$SED "s/^myhostname =.*/myhostname = $hostName.$domainName/g" $POSTFIX_CONF_FILE
[ -e ${SASLPATH}/sasl_passwd ] && rm -f ${SASLPATH}/*
elif [[ $TYPE_MAIL -eq 2 ]]; then # Enable mail service (relaying to an extern mail server)
$SED "s/^MAIL=.*/MAIL=on/" $CONF_FILE
$SED "s/^MAIL_TYPE=.*/MAIL_TYPE=2/" $CONF_FILE
$SED "s/^MAIL_SMTP_IP=.*/MAIL_SMTP_IP=$smtpIP/" $CONF_FILE
$SED "s/^MAIL_SMTP_PORT=.*/MAIL_SMTP_PORT=$smtpPort/" $CONF_FILE
$SED "s/^MAIL_ADDR=.*/MAIL_ADDR=/" $CONF_FILE
$SED "s/^MAIL_WHITEDOMAIN=.*/MAIL_WHITEDOMAIN=$whiteDomain/" $CONF_FILE
$SED "s/^MAIL_ADMIN=.*/MAIL_ADMIN=$adminMail/" $CONF_FILE
$SED "s/^SMTP_IP=.*/SMTP_IP=$smtpIP/" $LOCAL_IPTABLE_FILE
$SED "s/^SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -d \$SMTP_IP -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -s \$SMTP_IP -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#SMTP_IP=.*/SMTP_IP=$smtpIP/" $LOCAL_IPTABLE_FILE
$SED "s/^#SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -d \$SMTP_IP -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -s \$SMTP_IP -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^relayhost =.*/relayhost = [$smtpIP]:$smtpPort/g" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_security_level =.*/smtp_tls_security_level = may/g" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_wrappermode =.*/smtp_tls_wrappermode = no/g" $POSTFIX_CONF_FILE
$SED "s/^myhostname =.*/myhostname = $hostName.$domainName/g" $POSTFIX_CONF_FILE
[ -e ${SASLPATH}/sasl_passwd ] && rm -f ${SASLPATH}/*
elif [[ $TYPE_MAIL -eq 3 ]]; then # Enable mail service (using an email address)
$SED "s/^MAIL=.*/MAIL=on/" $CONF_FILE
$SED "s/^MAIL_TYPE=.*/MAIL_TYPE=3/" $CONF_FILE
$SED "s/^MAIL_SMTP_IP=.*/MAIL_SMTP_IP=$smtpIP/" $CONF_FILE
$SED "s/^MAIL_SMTP_PORT=.*/MAIL_SMTP_PORT=$smtpPort/" $CONF_FILE
$SED "s/^MAIL_ADDR=.*/MAIL_ADDR=$mailAddr/" $CONF_FILE
$SED "s/^MAIL_WHITEDOMAIN=.*/MAIL_WHITEDOMAIN=$whiteDomain/" $CONF_FILE
$SED "s/^MAIL_ADMIN=.*/MAIL_ADMIN=$adminMail/" $CONF_FILE
$SED "s/^SMTP_IP=.*/SMTP_IP=$smtpIP/" $LOCAL_IPTABLE_FILE
$SED "s/^SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#SMTP_IP=.*/SMTP_IP=$smtpIP/" $LOCAL_IPTABLE_FILE
$SED "s/^#SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^relayhost =.*/relayhost = [$smtpIP]:$smtpPort/g" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_security_level =.*/smtp_tls_security_level = encrypt/g" $POSTFIX_CONF_FILE
if [ "$smtpPort" = "465" ]; then # wrappermode is madatory only if port = 465
$SED "s/^smtp_tls_wrappermode =.*/smtp_tls_wrappermode = yes/g" $POSTFIX_CONF_FILE
else
$SED "s/^smtp_tls_wrappermode =.*/smtp_tls_wrappermode = no/g" $POSTFIX_CONF_FILE
fi
$SED "s/^myhostname =.*/myhostname = alcasar.net/g" $POSTFIX_CONF_FILE # use the alcasar domain name to avoid extern smtp servers reject
[ -d ${SASLPATH} ] || mkdir ${SASLPATH}
echo "[${smtpIP}]:${smtpPort} ${mailAddr}:${mailMdp}" > ${SASLPATH}/sasl_passwd
postmap ${SASLPATH}/sasl_passwd
chmod -R 644 ${SASLPATH}
chown root:root ${SASLPATH}/sasl_passwd*
chmod 0600 ${SASLPATH}/sasl_passwd*
else
echo "Erreur ! Aucun type de messagerie sélectionné !"
exit 0
fi
/usr/local/bin/alcasar-iptables.sh
systemctl restart postfix.service
exit 0
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
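Review bot: The cleartext SMTP credential written by `echo "[${smtpIP}]:${smtpPort} ${mailAddr}:${mailMdp}" > ${SASLPATH}/sasl_passwd` is created under whatever umask the caller has (typically 022, i.e. world-readable) and stays that way until the `chmod 0600 ${SASLPATH}/sasl_passwd*` four lines later, and the intervening `chmod -R 644 ${SASLPATH}` also strips the search bit from the directory itself. Set the mask before creating the file and give the directory its own mode: `umask 077` immediately before the `echo`, and `chmod 0700 ${SASLPATH}` in place of the recursive 644. The password is also accepted on the command line through `-o` (`mailMdp=$OPTARG`), where it is visible to other local users in the process list while the script runs; reading it from a file or an environment variable would avoid that exposure. Separately, the no-argument path recovers the stored password with `cut -d":" -f3`, which truncates any password containing a colon — `cut -d":" -f3-` keeps the whole field.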
/scripts/alcasar-mysql.sh
0,0 → 1,144
#!/bin/bash
# $Id$
 
# alcasar-mysql.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 
# Gestion (sauvegarde / import / RAZ) de la base MySQL 'radius'. Fermeture des sessions de comptabilité ouvertes
# Management of mysql 'radius' database (save / import / RAZ). Close the accounting open sessions
 
rep_tr="/var/Save/base"
DIR_BIN="/usr/local/bin"
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_RADIUS="radius"
DB_USER=$(grep '^db_user=' $PASSWD_FILE | cut -d'=' -f 2-)
DB_PASS=$(grep '^db_password=' $PASSWD_FILE | cut -d'=' -f 2-)
new="$(date +%G%m%d-%Hh%M)" # date & hour of files
fichier="alcasar-users-database-$new.sql"
 
 
stop_acct ()
{
date_now=`date "+%F %X"`
echo "UPDATE radacct SET acctstoptime = '$date_now', acctterminatecause = 'Admin-Reset' WHERE acctstoptime IS NULL" | mysql -u$DB_USER -p$DB_PASS $DB_RADIUS
}
check ()
{
echo "check (and repair if needed) the database :"
mysqlcheck --databases $DB_RADIUS -u $DB_USER -p$DB_PASS --auto-repair
}
 
expire_user () # remove users whom expiration date has passed to 7 days
{
del_date=`date +%F`
MYSQL_USER=""
MYSQL_USER=`/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS -ss --execute "SELECT username FROM radcheck WHERE ( DATE_SUB(CURDATE(),INTERVAL 7 DAY) > STR_TO_DATE(value,'%d %M %Y')) AND attribute='Expiration';"`
for u in $MYSQL_USER
do
/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS --execute "DELETE FROM radusergroup WHERE username = '$u'; DELETE FROM radreply WHERE username = '$u'; DELETE FROM userinfo WHERE UserName = '$u'; DELETE FROM radcheck WHERE username = '$u';"
if [ $? = 0 ]
then
echo "User $u was deleted $del_date" >> /var/log/mysqld/delete_user.log
else
echo "Delete User $u : Error $del_date" >> /var/log/mysqld/delete_user.log
fi
done
}
 
expire_group () # remove users of group whom expiration date has passed to 7 days
{
del_date=`date +%F`
MYSQL_GROUP=""
MYSQL_GROUP=`/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS -ss --execute "SELECT groupname FROM radgroupcheck WHERE ( DATE_SUB(CURDATE(),INTERVAL 7 DAY) > STR_TO_DATE(value,'%d %M %Y')) AND attribute='Expiration';"`
for g in $MYSQL_GROUP
do
MYSQL_USERGROUP=""
MYSQL_USERGROUP=`/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS -ss --execute "SELECT username FROM radusergroup WHERE groupname = '$g';"`
for u in $MYSQL_USERGROUP
do
/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS --execute "DELETE FROM radusergroup WHERE username = '$u'; DELETE FROM radreply WHERE username = '$u'; DELETE FROM userinfo WHERE UserName = '$u'; DELETE FROM radcheck WHERE username = '$u';"
if [ $? = 0 ]
then
echo "User $u was deleted $del_date" >> /var/log/mysqld/delete_user.log
else
echo "Delete User $u : Error $del_date" >> /var/log/mysqld/delete_user.log
fi
done
/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS --execute "DELETE FROM radgroupreply WHERE groupname = '$g'; DELETE FROM radgroupcheck WHERE groupname = '$g';"
if [ $? = 0 ]
then
echo "Group $g was deleted $del_date" >> /var/log/mysqld/delete_group.log
else
echo "Delete Group $g : Error $del_date" >> /var/log/mysqld/delete_group.log
fi
done
}
 
usage="Usage: alcasar-mysql.sh { -d or --dump } | { -c or --check } | { -i or --import } | { -r or --raz } | { -a or --acct_stop } | [ -e or --expire_user ]"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-d | --dump | -dump)
[ -d $rep_tr ] || mkdir -p $rep_tr
if [ -e $fichier ];
then rm -f $fichier
fi
check
echo "Export the database in file : $fichier.gz"
mysqldump -u $DB_USER -p$DB_PASS --opt -BcQC $DB_RADIUS > $rep_tr/$fichier
gzip -f $rep_tr/$fichier
echo "End of export $( date "+%Hh %Mmn" )"
;;
-c | --check | -check)
check
;;
-i | --import | -import)
if [ $nb_args -ne 2 ]
then
echo "Enter a SQL file name ('.sql' or '.sql.gz')"
exit 0
else
case $2 in
*.sql.gz )
gunzip -f < $2 | mysql -u $DB_USER -p$DB_PASS
stop_acct
;;
*.sql )
mysql -u $DB_USER -p$DB_PASS < $2
stop_acct
;;
esac
migrationsPath="$DIR_BIN/alcasar-db-migrations"
"$migrationsPath/alcasar-migration-3.2.0_dbStructure.sh"
"$migrationsPath/alcasar-migration-3.3.0_dbRadiusAttrs.sh"
"$migrationsPath/alcasar-migration-3.3.1_dbRadiusAttrs.sh"
fi
;;
-r | --raz | -raz)
mysqldump -u $DB_USER -p$DB_PASS --opt -BcQC $DB_RADIUS > $rep_tr/$fichier
gzip -f $rep_tr/$fichier
mysql -u$DB_USER -p$DB_PASS $DB_RADIUS < /etc/raddb/empty-radiusd-db.sql
;;
-a | --acct_stop | -acct_stop)
stop_acct
;;
-e | --expire_user)
expire_user
expire_group
;;
*)
echo "Unknown argument :$1";
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
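Review bot: Every mysql invocation in this file passes the database password on the command line as `-p$DB_PASS` (stop_acct, check, expire_user, expire_group and the dump/import/raz cases), which exposes it to any local user through the process list for the duration of each query. Exporting it once with `export MYSQL_PWD="$DB_PASS"` near the top and dropping the `-p` arguments, or pointing the client at a root-only `--defaults-extra-file`, keeps it out of `ps`. The same pattern appears in test-create-delete-multiple_MAC-sh, test-retrieve-users-attributes-sh, alcasar-condown.sh and alcasar-conup.sh in this commit. A smaller point in expire_user and expire_group: `for u in $MYSQL_USER` word-splits the query result, so a username containing whitespace is handled as several names, and the value is then interpolated unescaped into `'$u'` in the DELETE statements; reading the result with `while IFS= read -r u` and skipping names that contain a quote would be a cheap guard.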
/scripts/test-create-delete-multiple_MAC-sh
0,0 → 1,19
#!/bin/bash
PASSWD_FILE="/root/ALCASAR-passwords.txt"
USER_NAME="test"
DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
MAC_ADDRESSES="00:11:22:33:44:50 00:11:22:33:44:51 00:11:22:33:44:52" # write here @MAC or user_names (delimiter=space)
 
for MAC in $MAC_ADDRESSES
do
salt=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
export algo_salt='$5$'$salt
export pass='PASSWORD'
pass_salt=$(perl -e'print crypt($ARGV[0],$ARGV[1])' $pass $algo_salt)
db_query1="INSERT INTO radcheck (username,attribute,op,value) VALUES ('$MAC', 'Crypt-Password', ':=', '$pass_salt'); INSERT INTO userinfo (username) VALUES ('$MAC');"
db_query2="DELETE FROM radcheck WHERE username = '$MAC'; DELETE FROM userinfo WHERE username = '$MAC';"
db_radcheck_insert_res=$(mysql -u $DB_USER -p$DB_PASSWORD -D radius -e "$db_query2" -Ns) # choose here db_query1 or 2
echo -n "$MAC "
done
echo
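Review bot: The result captured in `db_radcheck_insert_res` is never inspected and the mysql exit status is discarded, so a failed INSERT or DELETE still prints the MAC as if it had been applied. Printing the status next to the address, `echo -n "$MAC ($?) "`, or appending `|| echo "failed: $MAC"` to the mysql line, would make the test output trustworthy. `db_query1` is also built but unused because switching between insert and delete is a manual edit of the `-e` argument; a command-line switch selecting the query would avoid editing the script to change mode.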
/scripts/alcasar-network.sh
0,0 → 1,131
#!/bin/bash
 
# alcasar-network.sh
# by Pierre RIVAULT and Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# Met à jour la configuration réseau conformément au fichier de configuration (alcasar.conf)
# update network configuration according to alcasar.conf
 
CONF_FILE="/usr/local/etc/alcasar.conf"
TMP_ip_gw_save="/tmp/ipset_ip_gw_save"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`
PUBLIC_IP=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`
if [ $PUBLIC_IP != "dhcp" ]; then
GW1=`grep ^GW= $CONF_FILE|cut -d"=" -f2`
MTU=`grep ^PUBLIC_MTU= $CONF_FILE|cut -d"=" -f2`
MULTIWAN=`grep ^MULTIWAN= $CONF_FILE|cut -d"=" -f2`
MULTIWAN=${MULTIWAN:=off}
NET="`ipcalc -n $PUBLIC_IP | cut -d"=" -f2`/`ipcalc -p $PUBLIC_IP | cut -d"=" -f2`"
IP=`echo $PUBLIC_IP | cut -d"/" -f1`
PRIVATE_IP_MASK=`grep ^PRIVATE_IP $CONF_FILE | cut -d"=" -f2`
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
PRIVATE_NETMASK=`echo $PRIVATE_IP_MASK | cut -d"/" -f2`
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24)
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0)
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24)
nb_gw=`grep ^WAN $CONF_FILE | wc -l`
fi
routecmd="ip route replace default scope global"
 
if [ $(whoami) != "root" ]; then
echo "You must be root to run this!" ; echo ; exit 1
fi
 
if [ $# -eq 0 ]; then
args="--apply"
else
args=$1
fi
 
case $args in
--save) # save all the IP before changing the configuration
rm -f $TMP_ip_gw_save
gw_list="gw0" # ipset name list for load_balancing
for ((i=1 ; i<=$nb_gw ; i++)); do
gw_list="${gw_list} gw$i"
done
# Saving all of the already connected IP in order to put them back in the load balancing after
for i in $gw_list;do
ipset list $i 1>/dev/null 2>&1
if [ $? -eq 0 ]
then
# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines except the members
ipset list $i | grep -v ":" >> $TMP_ip_gw_save
fi
done
exit 0
;;
--apply)
[ -e /etc/sysconfig/network-scripts/ifcfg-$EXTIF ] && ifdown $EXTIF
# set the new configuration for EXTIF
if [ $PUBLIC_IP == "dhcp" ]; then
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=dhcp
DNS1=127.0.0.1
PEERDNS=no
RESOLV_MODS=yes
ONBOOT=yes
NOZEROCONF=yes
METRIC=10
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
MTU=$MTU
EOF
ifup $EXTIF
else
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=static
IPADDR=$IP
NETMASK=`ipcalc -m $PUBLIC_IP | cut -d= -f2`
NETWORK=`ipcalc -n $PUBLIC_IP | cut -d= -f2`
GATEWAY=$GW1
DNS1=127.0.0.1
RESOLV_MODS=yes
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
MTU=$MTU
NOZEROCONF=yes
EOF
ifup $EXTIF
ip route flush ${NET} # Remove the previous route for the network of EXTIF
ip route delete default scope global # Remove the previous default route
ip route add ${NET} dev ${EXTIF} src ${IP} # Set the new route for EXTIF network
ip route add ${NET} dev ${EXTIF} src ${IP} table 200 # Set the new default route. If no multiwan, these lines are equivalent to `ip route add default via ${GW1}`
ip route add default via ${GW1} table 200
routecmd="${routecmd} nexthop via ${GW1} dev ${EXTIF}"
ip rule flush # Remove the previous routing rules
ip rule add from all lookup main pref 32766 # Set back the main rules
ip rule add from all lookup default pref 32767 # Set back the default rules
ip rule add from ${PRIVATE_NETWORK_MASK} fwmark 200 lookup 200 # Add the rule for the first gateway
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
nb_gw_supp=`grep ^WAN $CONF_FILE|wc -l`
for ((i=0 ; $i < $nb_gw_supp ; i++)); do
table=$(($i + 201)) # This number is used to mark the paquets in order to route them to the choosen GW
GW=`grep ^WAN$(($i + 1))= $CONF_FILE|awk -F'"' '{ print $2 }' | awk -F, '{print $1}'`
ip route add ${NET} dev ${EXTIF} src ${IP} table $table # Add the others route in their respective tables
ip route add default via ${GW} table $table
ip rule add from ${PRIVATE_NETWORK_MASK} fwmark $table lookup $table # Add the rule for each rule depending of the mark set by the firewall
routecmd="${routecmd} nexthop via ${GW} dev ${EXTIF}" # add the added gateway into the default gateway
done
fi
${routecmd} # define the default gateway for outgoing traffic
ip route flush cache
fi
/usr/local/bin/alcasar-iptables.sh
exit 0
;;
*)
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
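Review bot: `MTU` and `nb_gw` are read only inside the `if [ $PUBLIC_IP != "dhcp" ]` block, yet both are used on the DHCP paths: `--save` loops with `for ((i=1 ; i<=$nb_gw ; i++))`, which is an arithmetic syntax error when `nb_gw` is empty, and the DHCP ifcfg heredoc writes `MTU=$MTU` with no value. Moving the `MTU=` and `nb_gw=` assignments above the `if` fixes both. The `[ $PUBLIC_IP != "dhcp" ]` and `[ $PUBLIC_IP == "dhcp" ]` tests are unquoted, so an empty `PUBLIC_IP` in alcasar.conf makes `[` itself fail before the root check is reached; `[ "$PUBLIC_IP" != "dhcp" ]` is the safe form.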
/scripts/alcasar-list-ip_gw.sh
0,0 → 1,19
#!/bin/sh
#
# alcasar-list-ip_gw.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# This script displays authenticated systems (users & @MAC) with their gw
# Ce script affiche les systèmes authentifiés (utilisateurs et @MAC) avec leur routeur
 
CONF_FILE="/usr/local/etc/alcasar.conf"
 
nb_gw=`grep ^WAN $CONF_FILE | wc -l`
for (( i = 0 ; i <= $nb_gw ; i++ ));do
gw="gw$i"; gw_order=`expr $i + 1`
ip_list=`ipset l $gw|grep -v :`
for ip in $ip_list;do
echo "$ip $gw_order"
done
done
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
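Review bot: The shebang is `#!/bin/sh` but the loop uses the bash-only `for (( i = 0 ; i <= $nb_gw ; i++ ))` form, so the script breaks wherever /bin/sh is a POSIX shell such as dash. Use `#!/bin/bash` as most other scripts in this commit do. `ipset l $gw|grep -v :` also prints an error on stderr for a set that does not exist; `2>/dev/null` on the ipset call, or enumerating existing sets with `ipset list -n`, would keep the output clean.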
/scripts/test-retrieve-users-attributes-sh
0,0 → 1,69
#! /bin/bash
# script test&debug.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# This script tests the following behaviour :
# - Retreive 3 special attributes of a user ('test' by default). It Retrieves theses attributes from default group, then from user's group, then from its account
# - test if the attribute "Alcasar-Status-Page-Must-Stay-Open" is set to "2", then retrieve the "expiration" attribute
# - (todo) if the "expiration" attribute exists then create a new user (login = user's @MAC) and duplicates all user's attributes
 
 
PASSWD_FILE="/root/ALCASAR-passwords.txt"
USER_NAME="test"
DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
 
# Retrieve 3 ALCASAR special radius attributes (search order : default group, then user's group, then user)
db_query="SELECT attribute, value FROM ( \
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) UNION \
( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ORDER BY ug.priority ) UNION \
( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) \
) attrs GROUP BY attribute;"
db_radreply_res=$(mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns)
 
filter=$(echo "$db_radreply_res" | awk '$1 == "Alcasar-Filter" { print $2 }')
filterProto=$(echo "$db_radreply_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }')
statusOpenRequired=$(echo "$db_radreply_res" | awk '$1 == "Alcasar-Status-Page-Must-Stay-Open" { print $2 }')
echo "USER_NAME = $USER_NAME; filter = $filter; filterproto = $filterProto; statusOpenRequired = $statusOpenRequired";
 
# If status page isn't required :
if [ "$statusOpenRequired" == '2' ]; then # Status page is not required
echo ""
# Retrieve "expiration" attribute from radcheck
db_query="SELECT attribute, value FROM ( \
( SELECT attribute, value FROM radcheck WHERE username = '$USER_NAME' AND attribute = 'Expiration' ) UNION \
( SELECT attribute, value FROM radgroupcheck gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND attribute = 'Expiration' ORDER BY ug.priority ) UNION \
( SELECT attribute, value FROM radgroupcheck WHERE groupname = 'default' AND attribute = 'Expiration' ) \
) attrs GROUP BY attribute;"
db_radcheck_expiration_res=$(mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns)
# if a expiration date exists we retrieve all radreply attributes
if [ `echo $db_radcheck_expiration_res|wc -l` == '1' ]; then
echo "###########################"
echo "## Radreply attributes"
db_query="SELECT attribute, value FROM ( \
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' ) UNION \
( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' ORDER BY ug.priority ) UNION \
( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' ) \
) attrs GROUP BY attribute;"
mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns | while IFS= read -r loop
do
attr=`echo $loop|cut -d" " -f1`
attr_value=`echo $loop|cut -d" " -f2-`
echo "$attr = $attr_value"
done
# if a expiration date exists we retrieve all radcheck attributes
echo "## Radcheck attributes"
db_query="SELECT attribute, value FROM ( \
( SELECT attribute, value FROM radcheck WHERE username = '$USER_NAME' ) UNION \
( SELECT attribute, value FROM radgroupcheck gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' ORDER BY ug.priority ) UNION \
( SELECT attribute, value FROM radgroupcheck WHERE groupname = 'default' ) \
) attrs GROUP BY attribute;"
mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns | while IFS= read -r loop
do
attr=`echo $loop|cut -d" " -f1`
attr_value=`echo $loop|cut -d" " -f2-`
echo "$attr = $attr_value"
done
fi
fi
Property changes:
Added: svn:executable
+*
\ No newline at end of property
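Review bot: The expiration check `` if [ `echo $db_radcheck_expiration_res|wc -l` == '1' ] `` is true even when the query returns nothing, because `echo` of an empty string still emits one newline and `wc -l` reports 1; the radreply/radcheck dumps therefore run for users without an Expiration attribute, which contradicts the comment above the test. Test the content instead: `if [ -n "$db_radcheck_expiration_res" ]; then`. In the two read loops, `echo $loop` is unquoted, so runs of whitespace inside an attribute value are collapsed before `cut` sees them; `echo "$loop"` preserves the value as returned by mysql.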
/scripts/alcasar-condown.sh
0,0 → 1,91
#!/bin/sh
#
# $Id$
#
# alcasar-condown.sh
# by Rexy & Pierre RIVAULT
# This script is distributed under the Gnu General Public License (GPL)
 
# This script is started by coova after each logout
# Ce script est lancé par coova à chaque déconnexion d'usager
 
CONF_FILE="/usr/local/etc/alcasar.conf"
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
 
if [ -z $FRAMED_IP_ADDRESS ]; then
exit 1
fi
 
# Retrieve 2 alcasar special radius attributes (search order : default group, then user's group, then user)
db_query="SELECT attribute, value FROM ( \
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ) UNION \
( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ORDER BY ug.priority ) UNION \
( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ) \
) attrs GROUP BY attribute;"
db_res=$(mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns)
 
filter=$(echo "$db_res" | awk '$1 == "Alcasar-Filter" { print $2 }')
filterProto=$(echo "$db_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }')
 
if [ "$filter" == '4' ]; then # AV_WL
set_filter="av_wl"
elif [ "$filter" == '3' ]; then # AV_BL
set_filter="av_bl"
elif [ "$filter" == '2' ]; then # AV
set_filter="av"
else # NOT_FILTERED
set_filter="not_filtered"
fi
 
if [ "$filterProto" == '4' ]; then # PROFILE 3 (Custom)
set_filterProto="proto_3";
elif [ "$filterProto" == '3' ]; then # PROFILE 2 (WEB + Mail + Remote access)
set_filterProto="proto_2";
elif [ "$filterProto" == '2' ]; then # PROFILE 1 (WEB)
set_filterProto="proto_1";
else # PROFILE 0 (Not filtered)
set_filterProto="proto_0";
fi
 
# Remove user from his IPSET
ipset del $set_filter $FRAMED_IP_ADDRESS
ipset del $set_filterProto $FRAMED_IP_ADDRESS
 
# Remove IP address from active users list
current_users_file="/tmp/current_users.txt"
[ -e $current_users_file ] && sed -i "/^$FRAMED_IP_ADDRESS:/d" $current_users_file
 
# Remove user_IP from ipset of load balancing
nb_gw=`grep ^WAN $CONF_FILE | wc -l`
for (( i = 0 ; i <= $nb_gw ; i++ ));do
gw="gw$i"
ipset test $gw $FRAMED_IP_ADDRESS 1>/dev/null 2>&1
if [ $? -eq 0 ];then
ipset del $gw $FRAMED_IP_ADDRESS
break
fi
done
 
#############################
## Debug : show all the coova parse variables (+ ALCASAR-Filter + ALCASAR-Protocols-Filter).
## see "/src/chilli.c" for the complete list of parse variables
#debug_file="/tmp/debug-condown.txt"
#echo "-----------------------------------------------" >> $debug_file
#echo `date` >> $debug_file
#for i in DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN COOVACHILLI_MAX_INPUT_OCTETS COOVACHILLI_MAX_OUTPUT_OCTETS COOVACHILLI_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS INPUT_PACKETS OUTPUT_PACKETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
#do
# echo -n "$i=" >> $debug_file
# if [[ -v $i ]];
# then
# echo -n "${!i}; " >> $debug_file
# else
# echo -n "not defined; " >> $debug_file
# fi
#done
#echo >> $debug_file
#echo "ALCASAR-Filter : $set_filter" >> $debug_file
#echo "ALCASAR-Protocols-Filter : $set_filterProto" >> $debug_file
## END Debug
#################################
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
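Review bot: The sets the address is removed from are recomputed from the database at logout, so if the user's Alcasar-Filter or Alcasar-Protocols-Filter attribute was changed after login, `ipset del $set_filter $FRAMED_IP_ADDRESS` and `ipset del $set_filterProto $FRAMED_IP_ADDRESS` target the wrong set and the address stays in the one it joined at conup — the next device that obtains the same IP then inherits that filtering class. Removing from every candidate set, as the load-balancing loop below already does for the gw sets, closes that gap: `for s in av_wl av_bl av not_filtered proto_0 proto_1 proto_2 proto_3; do ipset -exist del "$s" "$FRAMED_IP_ADDRESS"; done`. Note also that the shebang is `#!/bin/sh` while the file relies on bash syntax (`==` inside `[ ]`, `for (( ))`), so it should be `#!/bin/bash` like the other scripts in this commit.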
/scripts/alcasar-conup.sh
0,0 → 1,112
#!/bin/sh
#
# $Id$
#
# alcasar-conup.sh
# by Rexy & Pierre RIVAULT
# This script is distributed under the Gnu General Public License (GPL)
 
# This script is started by coova after each successfull login
# Ce script est démarré par coova à chaque connexion d'usager (authentification réussi)
 
CONF_FILE="/usr/local/etc/alcasar.conf"
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
 
if [ -z $FRAMED_IP_ADDRESS ]; then
exit 1
fi
 
# Retrieve 3 alcasar special radius attributes (search order : default group, then user's group, then user)
db_query="SELECT attribute, value FROM ( \
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) UNION \
( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ORDER BY ug.priority ) UNION \
( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) \
) attrs GROUP BY attribute;"
db_res=$(mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns)
 
filter=$(echo "$db_res" | awk '$1 == "Alcasar-Filter" { print $2 }')
filterProto=$(echo "$db_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }')
statusPageRequired=$(echo "$db_res" | awk '$1 == "Alcasar-Status-Page-Must-Stay-Open" { print $2 }')
 
 
# Add user to his IPSET
if [ "$filter" == '4' ]; then # AV_WL
set_filter="av_wl"
elif [ "$filter" == '3' ]; then # AV_BL
set_filter="av_bl"
elif [ "$filter" == '2' ]; then # AV
set_filter="av"
else # NOT_FILTERED
set_filter="not_filtered"
fi
 
if [ "$filterProto" == '4' ]; then # PROFILE 3 (Custom)
set_filterProto="proto_3";
elif [ "$filterProto" == '3' ]; then # PROFILE 2 (WEB + Mail + Remote access)
set_filterProto="proto_2";
elif [ "$filterProto" == '2' ]; then # PROFILE 1 (WEB)
set_filterProto="proto_1";
else # PROFILE 0 (Not filtered)
set_filterProto="proto_0";
fi
 
# Add user to his IPSET
ipset add $set_filter $FRAMED_IP_ADDRESS
ipset add $set_filterProto $FRAMED_IP_ADDRESS
 
# If status page isn't required :
# -add user_IP with flag PERM in /tmp/current_users.txt (watchdog remove these @IP at midnight)
# if the user has the "Expiration" attribute, add its @MAC as an authenticated user (with the same user's attributes)
if [ "$statusPageRequired" == '2' ]; then # Status page is not required
current_users_file="/tmp/current_users.txt"
if [ ! -e $current_users_file ]; then
touch $current_users_file && chown root:apache $current_users_file && chmod 660 $current_users_file
fi
echo "$FRAMED_IP_ADDRESS:PERM" >> $current_users_file
fi
 
# set the user_ip to an gw_ipset for load-balancing
gw_min="gw0"
weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2`
already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2`
#The *1000 is here to avoid working on floats in bash
gw_min_value=$((1000 * $already / $weight))
 
nb_gw=`grep ^WAN $CONF_FILE | wc -l`
for (( i = 1 ; i <= $nb_gw ; i++ ));do
gw="gw${i}"
weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'`
already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2`
value=$((1000 * $already / $weight))
if [ $value -lt $gw_min_value ]
then
gw_min_value=$value
gw_min=$gw
fi
done
ipset add $gw_min $FRAMED_IP_ADDRESS
 
#############################
## Debug : show all the coova parse variables (+ ALCASAR-Filter + ALCASAR-Protocols-Filter + Alcasar-Status-Page-Must-Stay-Open).
## see "/src/chilli.c" for the complete list of parse variables
#debug_file="/tmp/debug-conup.txt"
#echo "-----------------------------------------------" >> $debug_file
#echo `date` >> $debug_file
#for i in DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN COOVACHILLI_MAX_INPUT_OCTETS COOVACHILLI_MAX_OUTPUT_OCTETS COOVACHILLI_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS INPUT_PACKETS OUTPUT_PACKETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
#do
# echo -n "$i=" >> $debug_file
# if [[ -v $i ]];
# then
# echo -n "${!i}; " >> $debug_file
# else
# echo -n "not defined; " >> $debug_file
# fi
#done
#echo >> $debug_file
#echo "ALCASAR-Filter : $set_filter" >> $debug_file
#echo "ALCASAR-Protocols-Filter : $set_filterProto" >> $debug_file
#echo "Alcasar-Status-Page-Must-Stay-Open : $statusPageRequired" >> $debug_file
## END DEBUG
#################################
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
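--- a/scripts/alcasar-wifi4eu.sh
+++ b/scripts/alcasar-wifi4eu.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# alcasar-wifi4eu.sh
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# active ou désactive l'affichage du logo WIFI4EU (+ intégration de leur échantillon de code)
+# enable or disable the display of WIFI4EU logo (+ integration of their snippet)
+
+SED="/bin/sed -i"
+CONF_FILE="/usr/local/etc/alcasar.conf"
+TRUST_SITES_FILE='/usr/local/etc/alcasar-uamdomain'
+TRUST_DOMAIN='collection.wifi4eu.ec.europa.eu' # the web site where the snippet connects to
+HOSTNAME=$(grep ^HOSTNAME= $CONF_FILE | cut -d'=' -f2)
+DOMAIN=$(grep ^DOMAIN= $CONF_FILE | cut -d'=' -f2)
+
+usage="Usage: alcasar-wifi4eu.sh {--on | -on} | {--off | -off}"
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+echo "$usage"
+exit 1
+fi
+
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--off | -off)
+$SED "s?^WIFI4EU=.*?WIFI4EU=off?" $CONF_FILE
+$SED "/$TRUST_DOMAIN/d" $TRUST_SITES_FILE
+/usr/local/bin/alcasar-file-clean.sh # Clean & sort conf files.
+/usr/bin/systemctl restart chilli
+;;
+--on | -on)
+$SED "s?^WIFI4EU=.*?WIFI4EU=on?" $CONF_FILE
+echo "uamdomain=\"$TRUST_DOMAIN\"" >> $TRUST_SITES_FILE
+/usr/local/bin/alcasar-file-clean.sh # Clean & sort conf files.
+/usr/bin/systemctl restart chilli
+;;
+*)
+echo "Argument inconnu : $1"
+echo "$usage"
+exit 1
+;;
+esac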
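Review bot: The `--on` branch appends `uamdomain="collection.wifi4eu.ec.europa.eu"` to the walled-garden file on every run, and the `--off` branch removes it with `$SED "/$TRUST_DOMAIN/d"`, where the unescaped dots are regex wildcards and the pattern is unanchored, so any line that merely contains that substring is dropped. alcasar-file-clean.sh may deduplicate ("Clean & sort conf files"), but the script itself should be idempotent and precise: on enable `grep -qF "uamdomain=\"$TRUST_DOMAIN\"" $TRUST_SITES_FILE || echo "uamdomain=\"$TRUST_DOMAIN\"" >> $TRUST_SITES_FILE`, and on disable `pattern=$(printf '%s' "$TRUST_DOMAIN" | sed 's/\./\\./g')` followed by `$SED "/^uamdomain=\"$pattern\"$/d" $TRUST_SITES_FILE`. Because every uamdomain entry is reachable before authentication, a comment such as `# adds the WIFI4EU collector to the pre-auth allow list (uamdomain): unauthenticated clients can reach it` would make the security effect of this toggle explicit. HOSTNAME and DOMAIN are read at the top but never used in this script.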
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
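--- a/scripts/alcasar-CA.sh
+++ b/scripts/alcasar-CA.sh
@@ -0,0 +1,191 @@
+#!/bin/sh
+# $Id$
+
+# alcasar-CA.sh
+# by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
+# This script is distributed under the Gnu General Public License (GPL)
+#
+# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
+# and Michel Arboi <arboi@alussinan.org>
+#
+DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
+DIR_PKI=/etc/pki
+DIR_CERT=$DIR_PKI/tls
+DIR_WEB=/var/www/html
+CACERT=$DIR_PKI/CA/alcasar-ca.crt
+CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
+SRVREQ=$DIR_CERT/alcasar.req
+SRVKEY=$DIR_CERT/private/alcasar.key
+SRVCERT=$DIR_CERT/certs/alcasar.crt
+SRVPEM=$DIR_CERT/private/alcasar.pem
+SRVCHAIN=$DIR_CERT/certs/server-chain.pem
+CONF_FILE="/usr/local/etc/alcasar.conf"
+hostname=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
+domain=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
+domain=${domain:=localdomain}
+fqdn_hostname="$hostname.$domain"
+# The value for organizationalUnitName must be 64 chars or less;
+# thus, hostname must be 36 chars or less. If it's too big,
+# try removing domain (merci REXY ;-) ).
+hostname_len=`echo $fqdn_hostname| wc -c`
+if [ $hostname_len -gt 36 ];
+then
+fqdn_hostname=$hostname
+fi
+private_ip=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
+
+CACERT_LIFETIME="1460"
+SRVCERT_LIFETIME="1460"
+COUNTRY="FR"
+PROVINCE="none"
+LOCATION="Paris"
+ORGANIZATION="ALCASAR-Team"
+
+mkdir $DIR_TMP || exit 1
+[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
+# dynamic conf file for openssl
+cat <<EOF >$DIR_TMP/ssl.conf
+RANDFILE = $HOME/.rnd
+#
+[ca]
+default_ca = AlcasarCA
+
+[AlcasarCA]
+dir = $DIR_TMP # Where everything is kept
+certs = \$dir # Where the issued certs are kept
+crl_dir = \$dir # Where the issued crl are kept
+database = \$dir/index.txt # database index file.
+new_certs_dir = \$dir # default place for new certs.
+certificate = $CACERT # The CA certificate
+serial = \$dir/serial # The current serial number
+crl = \$dir/crl.pem # The current CRL
+private_key = $CAKEY # The private key
+x509_extensions = usr_cert # The extentions to add to the cert
+crl_extensions = crl_ext
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # which message digest to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[policy_anything]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[req]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+# attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+nsCertType = sslCA
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = FR
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+localityName = Locality Name (eg, city)
+localityName_default = Lyon
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = your organization name
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 255
+emailAddress = Email Address
+emailAddress_max = 255
+
+[usr_cert]
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+issuerAltName = issuer:copy
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = $fqdn_hostname
+IP.1 = $private_ip
+EOF
+
+CAMAIL=
+SRVMAIL=
+echo 01 > $DIR_TMP/serial
+touch $DIR_TMP/index.txt
+
+# CA key
+rm -f $CAKEY
+echo "*********CAKEY*********" > $DIR_TMP/openssl-log
+openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log
+
+# CA certificate
+rm -f $CACERT
+echo >> $DIR_TMP/openssl-log
+echo "*********CACERT*********" >> $DIR_TMP/openssl-log
+echo "$COUNTRY
+$PROVINCE
+$LOCATION
+$ORGANIZATION
+Certification Authority for $fqdn_hostname
+$fqdn_hostname-local-CA
+$CAMAIL" |
+openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
+
+# Server key
+rm -f $SRVKEY
+echo >> $DIR_TMP/openssl-log
+echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
+openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
+
+# Server certificate "request"
+echo >> $DIR_TMP/openssl-log
+echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
+echo "$COUNTRY
+$PROVINCE
+$LOCATION
+$ORGANIZATION
+Server certificate for $fqdn_hostname
+$fqdn_hostname
+$SRVMAIL" |
+openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
+
+# Sign the server certificate "request" to create server certificate
+rm -f $SRVCERT
+echo >> $DIR_TMP/openssl-log
+echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
+openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
+rm -f $SRVREQ
+
+(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
+cp -f $CACERT $SRVCHAIN
+
+# Limit rights
+chown -R root:root $SRVKEY $CAKEY
+chmod -R 0600 $SRVKEY $CAKEY
+
+# Link certs in ALCASAR Control Center
+if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
+then
+[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
+rm -f $DIR_WEB/certs/*
+ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
+ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
+rm -rf $DIR_TMP
+exit 0
+else
+echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"
+exit 1
+fi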
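Review bot: The combined PEM written by `(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM` contains the server private key but is not covered by the final `chmod -R 0600 $SRVKEY $CAKEY`, and both `openssl genrsa -out` calls create their key files under the caller's umask before that chmod runs, so with a default 022 umask the keys are briefly world-readable and alcasar.pem stays so. Putting `umask 077` right after the variable block closes both windows, and the permission lines should read `chown -R root:root $SRVKEY $CAKEY $SRVPEM` / `chmod -R 0600 $SRVKEY $CAKEY $SRVPEM`. The CA key is partly shielded by the `chmod -R 750 $DIR_PKI/CA` above, but nothing equivalent is done for `$DIR_CERT/private`. alcasar-importcert.sh re-creates the same alcasar.pem with `root:apache` ownership, so whichever group lighttpd really needs should be decided once and documented here; the lighttpd configuration is not visible from this file.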
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
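--- a/scripts/alcasar-https.sh
+++ b/scripts/alcasar-https.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-dhcp.sh
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# active ou désactive le chiffrement sur les flux d'authentification
+# enable or disable encryption on authentication flows
+
+SED="/bin/sed -i"
+CONF_FILE="/usr/local/etc/alcasar.conf"
+CHILLI_CONF_FILE="/etc/chilli.conf"
+HOSTNAME=$(grep ^HOSTNAME= $CONF_FILE | cut -d'=' -f2)
+DOMAIN=$(grep ^DOMAIN= $CONF_FILE | cut -d'=' -f2)
+
+usage="Usage: alcasar-https.sh {--on | -on} | {--off | -off}"
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+echo "$usage"
+exit 1
+fi
+
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--off | -off) # Chilli : disable HTTPS (it will listen only on 3990 port) + lighttpd : switch with an HTTP conf file
+$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE
+$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=off?" $CONF_FILE
+$SED "s?^uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
+$SED "s?^redirssl.*?#&?" $CHILLI_CONF_FILE
+$SED "s?^uamuissl.*?#&?" $CHILLI_CONF_FILE
+/usr/bin/systemctl restart chilli
+rm -f /etc/lighttpd/vhosts.d/alcasar.conf
+ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
+/usr/bin/systemctl restart lighttpd
+;;
+--on | -on) # Chilli : enable HTTPS (it will listen on ports 3990 (http) and 3991 (https) + lighttpd : switch with an HTTPS conf file
+$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE
+$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=on?" $CONF_FILE
+$SED "s?^uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
+$SED "s?^#redirssl.*?redirssl?" $CHILLI_CONF_FILE
+$SED "s?^#uamuissl.*?uamuissl?" $CHILLI_CONF_FILE
+/usr/bin/systemctl restart chilli
+rm -f /etc/lighttpd/vhosts.d/alcasar.conf
+ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
+/usr/bin/systemctl restart lighttpd
+;;
+*)
+echo "Argument inconnu : $1"
+echo "$usage"
+exit 1
+;;
+esac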
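Review bot: The header comment on the fourth line reads `# alcasar-dhcp.sh` although this file is alcasar-https.sh; it should be `# alcasar-https.sh`. The `--off` branch rewrites `uamserver` to `http://...` and comments out `redirssl`/`uamuissl`, after which the portal login page and the chilli exchange on port 3990 are no longer protected by TLS; that is an administrator choice, but the branch deserves an explicit warning such as `# WARNING: with HTTPS off, the login page and the chilli (port 3990) authentication exchange are sent unencrypted on the LAN`. Both branches also restart chilli before the lighttpd vhost symlink is switched and lighttpd restarted, so for a moment chilli redirects to a scheme lighttpd is not yet serving; moving the two `systemctl restart` calls to the end of each branch removes that gap.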
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
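--- a/scripts/alcasar-iot_capture.sh
+++ b/scripts/alcasar-iot_capture.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# alcasar-iot_capture.sh
+# by Guillaume Gellusseau, Dorian Lemoine & REXY
+# This script is distributed under the Gnu General Public License (GPL)
+
+# Ce script lance une capture de flux réseau en fonction d'une adresse IP source ($1)
+# This script performs a network flow capture based on source ip address ($1)
+
+CONF_FILE="/usr/local/etc/alcasar.conf"
+INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`
+PRIVATE_IP=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2 | cut -d'/' -f1)
+
+function info
+{
+_PID=$(ps -ef | grep tcpdump | grep $1 | awk {'print $2'})
+if [[ -n $_PID ]]
+then
+echo "CaptureON"
+else
+echo "CaptureOFF"
+fi
+}
+
+function kill
+{
+_PID=$(ps -ef | grep tcpdump | grep $1 | awk {'print $2'})
+sudo kill -2 $_PID
+}
+
+function launch
+{
+# capture only one @MAC, on $INTIF, max filesize=10M, without flows to PRIVATE_IP except DNS
+sudo tcpdump "ether host $1 and (host not $PRIVATE_IP or port 53)" -i $INTIF -n -C 10 -W 1 -w /var/Save/iot_captures/$1.pcap
+}
+
+function flush
+{
+sudo rm /var/Save/iot_captures/$1.pcap -f
+}
+
+
+while getopts "l k i f" option; do
+
+case "${option}" in
+
+l)
+launch $2
+;;
+k)
+kill $2
+;;
+i)
+info $2
+;;
+f)
+flush $2
+;;
+esac
+done
+
+#End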
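Review bot: The MAC address passed as `$2` is never validated before it is interpolated into the tcpdump filter string, into the `-w /var/Save/iot_captures/$1.pcap` output path and into `rm /var/Save/iot_captures/$1.pcap -f`, all of which run under `sudo`; a value containing `../` or filter keywords turns this into a root-privileged arbitrary `.pcap` write/delete or a rewritten capture filter for whoever can invoke the script (the caller is not visible here, but the launch/kill/info/flush interface reads like a web-console back end). Add `[[ "$2" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]] || { echo "invalid MAC address"; exit 1; }` before the `while getopts` loop and quote `"$1"` inside the functions. The lookup `ps -ef | grep tcpdump | grep $1 | awk ...` can return several PIDs or nothing, which then reaches `sudo kill -2 $_PID` unchecked; `pgrep -f "tcpdump.*$2"` is the usual replacement. Naming the function `kill` shadows the shell builtin for the rest of the script, which is confusing even though `sudo kill` resolves to the external binary.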
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
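--- a/scripts/alcasar-importcert.sh
+++ b/scripts/alcasar-importcert.sh
@@ -0,0 +1,173 @@
+#!/bin/bash
+#
+# $Id$
+#
+# alcasar-importcert.sh
+# by Raphaël, Hugo, Clément, Bettyna & rexy
+#
+# This script is distributed under the Gnu General Public License (GPL)
+#
+# Script permettant
+# - d'importer des certificats sur Alcasar
+# - de revenir au certificat par default
+#
+# This script allows
+# - to import a certificate in Alcasar
+# - to go back to the default certificate
+
+SED="/bin/sed -ri"
+DIR_CERT="/etc/pki/tls"
+CONF_FILE="/usr/local/etc/alcasar.conf"
+PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
+PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
+
+usage="Usage: alcasar-importcert.sh -i /path/to/certificate.crt -k /path/to/privatekey.key [-c /path/to/serverchain.crt]\n alcasar-importcert.sh -d (restore default certificate)"
+nb_args=$#
+arg1=$1
+
+function defaultCert()
+{
+mv -f $DIR_CERT/certs/alcasar.crt.old $DIR_CERT/certs/alcasar.crt
+mv -f $DIR_CERT/private/alcasar.key.old $DIR_CERT/private/alcasar.key
+if [ -f $DIR_CERT/certs/server-chain.pem.old ]
+then
+mv $DIR_CERT/certs/server-chain.pem.old $DIR_CERT/certs/server-chain.pem
+fi
+(cat $DIR_CERT/private/alcasar.key; echo; cat $DIR_CERT/certs/alcasar.crt) > $DIR_CERT/private/alcasar.pem
+chown root:apache $DIR_CERT/private/alcasar.pem
+chmod 750 $DIR_CERT/private/alcasar.pem
+}
+
+function domainName() # change the domain name in the conf files
+{
+fqdn=$(openssl x509 -noout -subject -nameopt multiline -in $DIR_CERT/certs/alcasar.crt | grep commonName|cut -d"=" -f2|tr -d ' ')
+#check if there is a wildcard in $fqdn
+if [[ $fqdn == *"*"* ]];
+then
+hostname="alcasar"
+fqdn=${fqdn/"*"/$hostname}
+else
+hostname=$(echo $fqdn | cut -d'.' -f1)
+fi
+domain=$(echo $fqdn | cut -d'.' -f2-)
+echo "fqdn=$fqdn hostname=$hostname domain=$domain"
+#check fqdn format
+if [[ "$fqdn" != "" && "$domain" != "" ]]; then
+$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" /usr/local/etc/alcasar.conf
+$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf
+/usr/local/bin/alcasar-conf.sh --apply
+fi
+}
+
+function certImport()
+{
+if [ ! -f "$DIR_CERT/certs/alcasar.crt.old" ]
+then
+echo "Backup of old cert (alcasar.crt)"
+mv $DIR_CERT/certs/alcasar.crt $DIR_CERT/certs/alcasar.crt.old
+fi
+if [ ! -f "$DIR_CERT/private/alcasar.key.old" ]
+then
+echo "Backup of old private key (alcasar.key)"
+mv $DIR_CERT/private/alcasar.key $DIR_CERT/private/alcasar.key.old
+fi
+cp $cert $DIR_CERT/certs/alcasar.crt
+cp $key $DIR_CERT/private/alcasar.key
+(cat $DIR_CERT/private/alcasar.key; echo; cat $DIR_CERT/certs/alcasar.crt) > $DIR_CERT/private/alcasar.pem
+chown root:apache $DIR_CERT/certs/alcasar.crt
+chown root:apache $DIR_CERT/private/alcasar.key
+chown root:apache $DIR_CERT/private/alcasar.pem
+chmod 750 $DIR_CERT/certs/alcasar.crt
+chmod 750 $DIR_CERT/private/alcasar.key
+chmod 750 $DIR_CERT/private/alcasar.pem
+if [ "$sc" != "" ]
+then
+echo "cert-chain exists"
+if [ ! -f "$DIR_CERT/certs/server-chain.pem.old" ]
+then
+echo "Backup of old cert-chain (server-chain.pem)"
+mv $DIR_CERT/certs/server-chain.pem $DIR_CERT/certs/server-chain.pem.old
+fi
+cp $sc $DIR_CERT/certs/server-chain.pem
+chown root:apache $DIR_CERT/certs/server-chain.pem
+chmod 750 $DIR_CERT/certs/server-chain.pem
+fi
+}
+
+
+if [ $nb_args -eq 0 ]
+then
+echo -e "$usage"
+exit 1
+fi
+
+case $arg1 in
+-\? | -h* | --h*)
+echo -e "$usage"
+exit 0
+;;
+-i)
+arg3=$3
+arg5=$5
+cert=$2
+key=$4
+sc=$6
+
+if [ "$cert" == "" ] || [ "$key" == "" ]
+then
+echo -e "$usage"
+exit 1
+fi
+
+if [ ! -f "$cert" ] || [ ! -f "$key" ]
+then
+echo "Certificate and/or private key not found"
+exit 1
+fi
+
+if [ ${cert: -4} != ".crt" ] && [ ${cert: -4} != ".cer" ]
+then
+echo "Invalid certificate file"
+exit 1
+fi
+
+if [ ${key: -4} != ".key" ]
+then
+echo "Invalid private key"
+exit 1
+fi
+
+if [ "$arg5" != "-c" ] || [ -z "$sc" ]
+then
+echo "No server-chain given"
+echo "Importing certificate $cert with private key $key"
+sc=""
+else
+if [ ! -f "$sc" ]
+then
+echo "Server-chain certificate not found"
+exit 1
+fi
+if [ ${sc: -4} != ".crt" ] && [ ${sc: -4} != ".cer" ] && [ ${sc: -4} != ".pem" ]
+then
+echo "Invalid server-chain certificate file"
+exit 1
+fi
+echo "Importing certificate $cert with private key $key and server-chain $sc"
+fi
+certImport
+domainName
+;;
+-d)
+if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ]
+then
+echo "Restoring default certificate"
+defaultCert
+domainName
+else echo "No default cert found"
+fi
+;;
+*)
+echo -e "$usage"
+;;
+esac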
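Review bot: The only validation of the imported material is the file extension, so a certificate that does not belong to the key, or a key that is not PEM, is installed and the services restarted by `alcasar-conf.sh --apply` (called from `domainName`) will presumably fail to load it; before `certImport`, compare the public keys with `[ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ] || { echo "Certificate and private key do not match"; exit 1; }`. In `certImport` the private key and the combined alcasar.pem are set to `root:apache` mode 750, i.e. readable by the web-server group and carrying a meaningless execute bit, while alcasar-CA.sh keeps the generated alcasar.key at root:root 0600; the group grant is plausibly needed only on the .pem lighttpd loads, and 640 is the right mode for whichever files need it. `domainName` feeds the certificate's CN straight into the `$SED` substitutions and into alcasar.conf, so a CN containing `/` breaks the sed and an unexpected value lands in the configuration; a hostname-shaped check on `$fqdn` before those lines would be prudent. `$cert`, `$key` and `$sc` are used unquoted in the `cp` calls, so paths containing spaces fail.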
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
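--- a/scripts/alcasar-flush_ipset_wl.sh
+++ b/scripts/alcasar-flush_ipset_wl.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+#by Raphaël Pion
+#Permet de vider l'ipset wl_ip_allowed lorsque tous les utilisateurs de la whitelist sont déconnectés
+#Clean wl_ip_allowed ipset when WL users are gone.
+
+PTN="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
+NB_USERS=$(ipset list av_wl | grep -E $PTN | wc -l)
+if [ $NB_USERS -eq '0' ]
+then
+/sbin/ipset flush wl_ip_allowed
+fi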
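Review bot: If `ipset list av_wl` fails (set missing, or the bare `ipset` not found on a minimal cron PATH — note the listing uses `ipset` while the flush uses `/sbin/ipset`), the pipeline still produces `NB_USERS=0` and the script flushes `wl_ip_allowed` while whitelist users may still be connected. Capture the listing and stop on error: `LIST=$(/sbin/ipset list av_wl) || exit 1` followed by `NB_USERS=$(printf '%s\n' "$LIST" | grep -Ec "$PTN")`. A one-line comment stating where this is scheduled from and why av_wl membership is the signal for "all whitelist users gone" would help the next reader; the scheduler is not visible from this file.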
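--- a/scripts/alcasar-db-migrations/alcasar-migration-3.2.0_dbStructure.sh
+++ b/scripts/alcasar-db-migrations/alcasar-migration-3.2.0_dbStructure.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+#
+# $Id$
+#
+# alcasar-migration-3.2.0_dbStructure.sh
+# by Tom HOUDAYER & Richard REY (Rexy)
+#
+# This script is distributed under the Gnu General Public License (GPL)
+#
+# Migrate database structure to ALCASAR 3.2.0
+# Changes:
+# - Set database engine of radius tables to InnoDB
+# - Set column names in lowercase in radius tables
+# - Set index names in lowercase in radius tables
+# - Set RADIUS attribute length to 64 characters
+
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+DB_PASS=$(cat $PASSWD_FILE | grep ^db_root= | cut -d'=' -f2-)
+
+DRY_RUN=false
+
+if [ $# -eq 1 ] && [ "$1" == "--simulation" ]; then
+DRY_RUN=true
+fi
+
+db_query () {
+if $DRY_RUN && [[ ! "$1" =~ ^'SELECT ' ]]; then
+echo "[SQL] request: \"$1\""
+else
+mysql -u root -p"$DB_PASS" -D radius -e "$1" -Ns
+[ $? -ne 0 ] && echo "[SQL] ERROR (\"$1\")"
+fi
+}
+
+
+# Set database engine of radius tables to InnoDB
+db_res=$(db_query "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'radius' AND ENGINE != 'InnoDB';")
+if [ -n "$db_res" ]; then
+while read -r tableName; do
+db_query "ALTER TABLE $tableName ENGINE = InnoDB;"
+done <<< "$db_res"
+fi
+
+# Set column names in lowercase in radius tables
+db_res=$(db_query "SELECT COLUMN_NAME, TABLE_NAME, COLUMN_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = 'radius' AND TABLE_NAME IN ('mtotacct', 'totacct', 'userinfo') AND BINARY COLUMN_NAME REGEXP BINARY '[A-Z]';")
+if [ -n "$db_res" ]; then
+while read -r line; do
+columnName=$(echo "$line" | cut -f1)
+tableName=$(echo "$line" | cut -f2)
+columnType=$(echo "$line" | cut -f3)
+columnNameLower=${columnName,,}
+db_query "ALTER TABLE $tableName CHANGE $columnName $columnNameLower $columnType;"
+done <<< "$db_res"
+fi
+
+# Set index names in lowercase in radius tables
+db_res=$(db_query "SELECT INDEX_NAME, TABLE_NAME, GROUP_CONCAT(COLUMN_NAME SEPARATOR ',') FROM ( SELECT INDEX_NAME, TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.STATISTICS WHERE TABLE_SCHEMA = 'radius' AND TABLE_NAME IN ('mtotacct', 'totacct', 'userinfo') AND INDEX_NAME != 'PRIMARY' AND BINARY INDEX_NAME REGEXP BINARY '[A-Z]' ORDER BY SEQ_IN_INDEX ) AS indexes GROUP BY TABLE_NAME, INDEX_NAME;")
+if [ -n "$db_res" ]; then
+while read -r line; do
+indexName=$(echo "$line" | cut -f1)
+tableName=$(echo "$line" | cut -f2)
+indexColumns=$(echo "$line" | cut -f3)
+indexNameLower=${indexName,,}
+db_query "ALTER TABLE $tableName DROP INDEX $indexName, ADD INDEX $indexNameLower ($indexColumns);"
+done <<< "$db_res"
+fi
+
+# Set RADIUS attribute length to 64 characters
+db_query "ALTER TABLE radacct MODIFY COLUMN acctuniqueid varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
+db_query "ALTER TABLE radcheck MODIFY COLUMN attribute varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
+db_query "ALTER TABLE radreply MODIFY COLUMN attribute varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
+db_query "ALTER TABLE radgroupcheck MODIFY COLUMN attribute varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
+db_query "ALTER TABLE radgroupreply MODIFY COLUMN attribute varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
+
+# Fix potential bugs
+db_query "UPDATE radreply SET attribute = 'Alcasar-Status-Page-Must-Stay-Open' WHERE attribute = 'Alcasar-Status-Page-Must-Stay-Op';"
+db_query "UPDATE radgroupreply SET attribute = 'Alcasar-Status-Page-Must-Stay-Open' WHERE attribute = 'Alcasar-Status-Page-Must-Stay-Op';"
+db_query "ALTER TABLE mtotacct DROP COLUMN mtotacctid;"
+db_query "ALTER TABLE mtotacct ADD COLUMN mtotacctid bigint(21) AUTO_INCREMENT NOT NULL PRIMARY KEY FIRST;"
+db_query "ALTER TABLE totacct DROP COLUMN totacctid;"
+db_query "ALTER TABLE totacct ADD COLUMN totacctid bigint(21) AUTO_INCREMENT NOT NULL PRIMARY KEY FIRST;"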
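Review bot: `mysql -u root -p"$DB_PASS"` in `db_query` places the database root password on the command line; the mysql client scrubs its argv on Linux, but the value is still exposed in `/proc` between exec and that scrub and ends up in any process accounting that records command lines. Passing it for the single command through the environment, `MYSQL_PWD="$DB_PASS" mysql -u root -D radius -e "$1" -Ns`, or via `--defaults-extra-file`, avoids that. The line `[ $? -ne 0 ] && echo "[SQL] ERROR (\"$1\")"` is the last command of the function, so `db_query` returns 1 precisely when the query succeeded; `if ! mysql ...; then echo "[SQL] ERROR (\"$1\")"; return 1; fi` keeps the real status for any caller that checks it. The table, column and index names read back from INFORMATION_SCHEMA are spliced unquoted into the ALTER statements; backtick-quoting them costs nothing and survives names that are reserved words.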
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
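--- a/scripts/alcasar-db-migrations/alcasar-migration-3.3.0_dbRadiusAttrs.sh
+++ b/scripts/alcasar-db-migrations/alcasar-migration-3.3.0_dbRadiusAttrs.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+# $Id$
+#
+# alcasar-migration-3.3.0_dbRadiusAttrs.sh
+# by Tom HOUDAYER
+#
+# This script is distributed under the Gnu General Public License (GPL)
+#
+# Migrate user database to ALCASAR 3.3.0
+# Changes:
+# - Explode "Filter-Id" RADIUS attribute into "Alcasar-Filter", "Alcasar-Protocols-Filter", "Alcasar-Status-Page-Must-Stay-Open" and "Alcasar-Imputability-Warning"
+# - Rename "ChilliSpot-*" RADIUS attribute to "CoovaChilli-*"
+# - Rename "Max-All-Session" RADIUS attribute to "Alcasar-Expire-After"
+
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+DB_PASS=$(cat $PASSWD_FILE | grep ^db_root= | cut -d'=' -f2-)
+
+DRY_RUN=false
+
+if [ $# -eq 1 ] && [ "$1" == "--simulation" ]; then
+DRY_RUN=true
+fi
+
+db_query () {
+if $DRY_RUN && [[ ! "$1" =~ ^'SELECT ' ]]; then
+echo "[SQL] request: \"$1\""
+else
+mysql -u root -p"$DB_PASS" -D radius -e "$1" -Ns
+[ $? -ne 0 ] && echo "[SQL] ERROR (\"$1\")"
+fi
+}
+
+for step in $(seq 1 2); do
+if [ $step -eq 1 ]; then
+tableNameCheck='radcheck'
+tableNameReply='radreply'
+loginName='username'
+else
+tableNameCheck='radgroupcheck'
+tableNameReply='radgroupreply'
+loginName='groupname'
+fi
+
+# Explode "Filter-Id" RADIUS attribute into "Alcasar-Filter", "Alcasar-Protocols-Filter", "Alcasar-Status-Page-Must-Stay-Open" and "Alcasar-Imputability-Warning"
+db_res=$(db_query "SELECT $loginName, value FROM $tableNameReply WHERE attribute = 'Filter-Id';")
+if [ -n "$db_res" ]; then
+echo "$(echo "$db_res" | wc -l) \"Filter-Id\" found in table \"$tableNameReply\"."
+while read -r line; do
+login=$(echo "$line" | cut -f1)
+filterId=$(echo "$line" | cut -f2)
+echo " $login ($filterId)..."
+
+if [ ${filterId:5:1} == '1' ]; then # Filter: HAVP_WL
+filter='4'
+elif [ ${filterId:6:1} == '1' ]; then # Filter: HAVP_BL
+filter='3'
+elif [ ${filterId:7:1} == '1' ]; then # Filter: HAVP
+filter='2'
+else # Filter: NOT_FILTERED
+filter=''
+fi
+[ ! -z "$filter" ] && db_query "INSERT INTO $tableNameReply ($loginName, attribute, value, op) VALUES ('$login','Alcasar-Filter','$filter', '=');"
+
+if [ ${filterId:2:1} == '1' ]; then # FilterProto: PROFILE 3 (Custom)
+filterProto='4';
+elif [ ${filterId:1:1} == '1' ]; then # FilterProto: PROFILE 2 (WEB + Mail + Remote access)
+filterProto='3';
+elif [ ${filterId:0:1} == '1' ]; then # FilterProto: PROFILE 1 (WEB)
+filterProto='2';
+else # FilterProto: PROFILE 0 (Not filtered)
+filterProto='';
+fi
+[ ! -z "$filterProto" ] && db_query "INSERT INTO $tableNameReply ($loginName, attribute, value, op) VALUES ('$login','Alcasar-Protocols-Filter','$filterProto', '=');"
+
+if [ ${filterId:4:1} == '1' ]; then # status_open_required
+statusOpenRequired='2';
+else
+statusOpenRequired='';
+fi
+[ ! -z "$statusOpenRequired" ] && db_query "INSERT INTO $tableNameReply ($loginName, attribute, value, op) VALUES ('$login','Alcasar-Status-Page-Must-Stay-Open','$statusOpenRequired', '=');"
+
+if [ ${filterId:3:1} == '1' ]; then # imputability warning
+imputabilityWarning='1';
+else
+imputabilityWarning='';
+fi
+[ ! -z "$imputabilityWarning" ] && db_query "INSERT INTO $tableNameReply ($loginName, attribute, value, op) VALUES ('$login','Alcasar-Imputability-Warning','$imputabilityWarning', '=');"
+
+db_query "DELETE FROM $tableNameReply WHERE attribute = 'Filter-Id' AND $loginName = '$login';"
+done <<< "$db_res"
+fi
+
+# Rename "ChilliSpot-*" RADIUS attribute to "CoovaChilli-*"
+db_query "UPDATE $tableNameReply SET attribute = 'CoovaChilli-Max-Input-Octets' WHERE attribute = 'ChilliSpot-Max-Input-Octets';"
+db_query "UPDATE $tableNameReply SET attribute = 'CoovaChilli-Max-Output-Octets' WHERE attribute = 'ChilliSpot-Max-Output-Octets';"
+db_query "UPDATE $tableNameReply SET attribute = 'CoovaChilli-Max-Total-Octets' WHERE attribute = 'ChilliSpot-Max-Total-Octets';"
+db_query "UPDATE $tableNameReply SET attribute = 'CoovaChilli-Bandwidth-Max-Up' WHERE attribute = 'ChilliSpot-Bandwidth-Max-Up';"
+db_query "UPDATE $tableNameReply SET attribute = 'CoovaChilli-Bandwidth-Max-Down' WHERE attribute = 'ChilliSpot-Bandwidth-Max-Down';"
+
+# Rename "Max-All-Session" RADIUS attribute to "Alcasar-Expire-After"
+db_query "UPDATE $tableNameCheck SET attribute = 'Alcasar-Expire-After' WHERE attribute = 'Max-All-Session';"
+done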
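Review bot: `$login` (a username or groupname read back from the database) is spliced unescaped into the single-quoted literals of every INSERT and of the final DELETE, so a value containing an apostrophe breaks the statement; the error is only echoed and the loop continues, leaving that account half-migrated. Escape it once after it is read, e.g. `login=$(printf '%s' "$login" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")`, which doubles backslashes and single quotes as MySQL expects. The `${filterId:N:1}` comparisons are unquoted, so a `Filter-Id` value shorter than eight characters yields a "unary operator expected" error rather than the intended default branch; write `[ "${filterId:5:1}" == '1' ]` and likewise for the other offsets. A comment at the top of the loop documenting the Filter-Id bit layout as the code reads it (positions 0-2 protocol profiles 1-3, 3 imputability warning, 4 status page, 5-7 HAVP_WL / HAVP_BL / HAVP) would make the hard-coded offsets reviewable.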
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
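--- a/scripts/alcasar-db-migrations/alcasar-migration-3.3.1_dbRadiusAttrs.sh
+++ b/scripts/alcasar-db-migrations/alcasar-migration-3.3.1_dbRadiusAttrs.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+#
+# $Id$
+#
+# alcasar-migration-3.3.1_dbRadiusAttrs.sh
+# by Tom HOUDAYER
+#
+# This script is distributed under the Gnu General Public License (GPL)
+#
+# Migrate user database to ALCASAR 3.3.1
+# Changes:
+# - Move "CoovaChilli-Max-Total-Octets" RADIUS attribute from radreply to radcheck
+# - Delete "CoovaChilli-Max-Input-Octets" and "CoovaChilli-Max-Output-Octets" RADIUS attributes
+
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+DB_PASS=$(grep ^db_root= $PASSWD_FILE | cut -d'=' -f2-)
+
+DRY_RUN=false
+
+if [ $# -eq 1 ] && [ "$1" == "--simulation" ]; then
+DRY_RUN=true
+fi
+
+db_query () {
+if $DRY_RUN && [[ ! "$1" =~ ^'SELECT ' ]]; then
+echo "[SQL] request: \"$1\""
+else
+mysql -u root -p"$DB_PASS" -D radius -e "$1" -Bs
+[ $? -ne 0 ] && echo "[SQL] ERROR (\"$1\")"
+fi
+}
+
+for step in $(seq 1 2); do
+if [ $step -eq 1 ]; then
+tableNameCheck='radcheck'
+tableNameReply='radreply'
+loginName='username'
+else
+tableNameCheck='radgroupcheck'
+tableNameReply='radgroupreply'
+loginName='groupname'
+fi
+
+# Move "CoovaChilli-Max-Total-Octets" RADIUS attribute from radreply to radcheck
+db_res=$(db_query "SELECT $loginName, value FROM $tableNameReply WHERE attribute = 'CoovaChilli-Max-Total-Octets';")
+if [ -n "$db_res" ]; then
+echo "$(echo "$db_res" | wc -l) \"CoovaChilli-Max-Total-Octets\" found in table \"$tableNameReply\"."
+while read -r line; do
+login=$(echo "$line" | cut -f1)
+value=$(echo "$line" | cut -f2)
+echo " $login..."
+
+db_query "INSERT INTO $tableNameCheck ($loginName, attribute, value, op) VALUES ('$login','CoovaChilli-Max-Total-Octets','$value', ':=');"
+
+done <<< "$db_res"
+db_query "DELETE FROM $tableNameReply WHERE attribute = 'CoovaChilli-Max-Total-Octets';"
+fi
+
+# Delete "CoovaChilli-Max-Input-Octets" and "CoovaChilli-Max-Output-Octets" RADIUS attributes
+db_query "DELETE FROM $tableNameReply WHERE attribute = 'CoovaChilli-Max-Input-Octets';"
+db_query "DELETE FROM $tableNameReply WHERE attribute = 'CoovaChilli-Max-Output-Octets';"
+done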
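Review bot: `db_query` invokes the client with `-Bs` instead of the `-Ns` used by the other migration scripts; unless I misremember the client, a single `-s` in batch mode still prints the column-name header, so when at least one row matches, the first line of `db_res` is `username	value` (or `groupname	value`), the reported count is one too high, and the loop inserts a spurious `('username','CoovaChilli-Max-Total-Octets','value',':=')` row into radcheck/radgroupcheck. Switch the line to `mysql -u root -p"$DB_PASS" -D radius -e "$1" -Ns`. `$login` and `$value` are read from the database and spliced unescaped into quoted SQL literals, so an apostrophe breaks the INSERT while the unconditional DELETE afterwards still removes the source row; `login=$(printf '%s' "$login" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")` (and the same for `value`) before the INSERT prevents that loss. The root password given with `-p"$DB_PASS"` is visible on the command line; `MYSQL_PWD="$DB_PASS" mysql ...` is the usual alternative.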
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
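--- a/scripts/alcasar-ldap.sh
+++ b/scripts/alcasar-ldap.sh
@@ -0,0 +1,139 @@
+#!/bin/bash
+
+# $Id$
+
+# alcasar-ldap.sh
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe
+# enable / disable authentication of users via an extern LDAP server
+
+usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off} | --import-cert {certificatePath} | --test [-d]"
+SED="/bin/sed -i"
+CONF_FILE="/usr/local/etc/alcasar.conf"
+LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
+OPENLDAP_CONF='/etc/openldap/ldap.conf'
+LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'
+LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE | cut -d"=" -f2) # hostname/IP address of the LDAP server
+LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE | cut -d"=" -f2-) # LDAP username used by ALCASAR to read the remote directory
+LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE | cut -d"=" -f2-) # its password
+LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE | cut -d"=" -f2-) # Where to find the users (cn=**,dc=**,dc=**)
+LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE | cut -d"=" -f2) # 'samaccountname' for A.D. - 'UID' for LDAP
+LDAP_FILTER=$(grep '^LDAP_FILTER=' $CONF_FILE | cut -d"=" -f2-) # LDAP filter
+LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL status
+LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL certificate verifying
+
+add_ldap_server_to_static_dhcp() {
+if [[ "$LDAP_SERVER" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+ldap_server_ip="$LDAP_SERVER"
+else
+ldap_server_ip=$(dig +short $LDAP_SERVER)
+[ -z "$ldap_server_ip" ] && return 1
+fi
+
+if [ -z "$(cat /usr/local/etc/alcasar-ethers | awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip)')" ]; then
+ldap_server_mac=$(chilli_query list | awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip) {print $1}')
+[ -z "$ldap_server_mac" ] && return 1
+
+echo "$ldap_server_mac $ldap_server_ip" >> /usr/local/etc/alcasar-ethers
+echo "$ldap_server_mac $ldap_server_ip #LDAP Server" >> /usr/local/etc/alcasar-ethers-info
+fi
+}
+
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]; then
+nb_args=1
+args="-h"
+fi
+
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--on | -on)
+$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
+if [ "$LDAP_SSL" == 'on' ]; then
+$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
+$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
+[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
+$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
+echo "TLS_REQCERT $require_cert" > $OPENLDAP_CONF
+[ -f "$LDAPS_CERT_LOC" ] && echo "TLS_CACERT $LDAPS_CERT_LOC" >> $OPENLDAP_CONF
+else
+$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
+$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE
+echo '' > $OPENLDAP_CONF
+fi
+$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
+$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
+$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
+[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
+$SED "s/^\t\tfilter =.*/\t\tfilter = \"(\&(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})(${filter//&/\\&}))\"/g" $LDAP_MODULE
+if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
+ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
+fi
+[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
+ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
+add_ldap_server_to_static_dhcp
+/usr/bin/systemctl restart radiusd.service
+;;
+--off | -off)
+$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
+rm -f /etc/raddb/mods-enabled/ldap
+[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
+ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
+/usr/bin/systemctl restart radiusd.service
+;;
+--import-cert)
+cert=$2
+[ -z "$cert" ] && echo "$usage" && exit 1
+
+[ ! -f "$cert" ] && { echo >&2 "ERR: certificate file \"$cert\" not found" ; exit 1; }
+
+# TODO : convert DER format to PEM ?
+cp -f "$cert" $LDAPS_CERT_LOC
+chown root:radius $LDAPS_CERT_LOC
+chmod 644 $LDAPS_CERT_LOC
+
+if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then
+domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC | cut -d' ' -f2- | sed 's@/[A-Za-z]\+=@\n@g' | tac | tr '\n' '.' | sed 's@\.\+$@@')
+if [ "$domainName" != "$LDAP_SERVER" ]; then
+echo 'WARN: the common name of the certificate is different from the server domain name'
+fi
+fi
+
+$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE
+$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
+$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
+$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE
+[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
+$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
+echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
+/usr/bin/systemctl restart radiusd.service
+;;
+--delete-cert)
+[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC
+;;
+--test)
+[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'
+command -v ldapsearch &>/dev/null || { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }
+if [ "$LDAP_SSL" == 'on' ]; then
+protocol='ldaps'
+[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
+export LDAPTLS_REQCERT="$require_cert"
+[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"
+else
+protocol='ldap'
+fi
+[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
+/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "(&($LDAP_UID=*)($filter))" 1.1
+;;
+*)
+echo "Argument inconnu : $1";
+echo "$usage"
+exit 1
+;;
+esac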
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
/scripts/alcasar-generate_log.sh
0,0 → 1,166
#!/bin/bash
#
# $Id$
#
#Corrélation et Generation des logs d'imputabilité au format PDF.
#Ce script permet de générer un fichier HTML qui sera converti en PDF a l'aide du RPM wkhtmltopdf.
#Ce PDF sera placé dans une archive protégé par un mot de passe.
#Pour extraire ce fichier PDF, il faudra installer le paquet p7zip.
#La génération de ce document préviendra les utilisateurs lors de leur prochaine connection. (utilisateur flagué dans le 4ème 'bit' de l'attribut FilterID de la BDD radius.
#
#Il est possible de demander les logs d'imputabilité :
#-depuis le début (pas d'argument)
#-à partir d'une date (un seul argument)
#-en spécifiant un intervale (deux arguments correspondant aux bornes respectives)
#Par Raphaël Pion
 
 
 
usage="Usage: alcasar-generate_log.sh PASSWORD && ({ '' } | { 'YYYY-MM-DD HH:MM:SS' } | { 'YYYY-MM-DD HH:MM:SS' 'YYYY-MM-DD HH:MM:SS' })"
nb_args=$#
DIR='/var/www/html/acc/backup/'
TMP_SQL="/tmp/log_sql.csv"
TMP_USERS="/tmp/log_users"
TMP_HTML="$DIR/log_nf.html"
TMP_PDF="$DIR/imputabilities_logs-$(date +%F).pdf"
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_ROOT_PW=$(grep '^db_root=' $PASSWD_FILE | cut -d'=' -f 2-)
ARCHIVE_LOCATION="$DIR/imputabilities_logs.zip"
 
 
if [ $nb_args -eq 1 ]
then
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct ORDER BY acctstarttime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';"
SECTION_LOG="Extraction de tous les journaux"
fi
 
if [ $nb_args -eq 2 ]
then
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct WHERE acctstarttime >= '$2' ORDER BY acctstarttime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';"
SECTION_LOG="Extraction des journaux à partir du $2"
fi
 
if [ $nb_args -eq 3 ]
then
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct WHERE acctstarttime >= '$2' AND acctstarttime <= '$3' ORDER BY acctstoptime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';"
SECTION_LOG="Extraction des journaux entre $2 et $3"
fi
 
if [ $nb_args -eq 0 ]
then
echo $usage
exit
fi
 
 
if [ $nb_args -gt 3 ]
then
echo $usage
exit
fi
 
if [ -e $TMP_SQL ]
then
rm $TMP_SQL
fi
 
if [ -e $TMP_PDF ]
then
rm $TMP_PDF
fi
 
if [ -e $ARCHIVE_LOCATION ]
then
rm $ARCHIVE_LOCATION
fi
 
 
#get log information for each users
mysql -u root -p"$DB_ROOT_PW" -D radius -e "$QUERY"
 
#Create HTML document which contains every informations about users
echo "<!DOCTYPE html>" > $TMP_HTML
echo "<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>" >> $TMP_HTML
echo "<TITLE>ALCASAR Report</TITLE>" >> $TMP_HTML
echo "<link rel='stylesheet' type='text/css' href='../../css/bootstrap.min.css'>" >> $TMP_HTML
echo "<link rel='stylesheet' type='text/css' href='../../css/report.css'>" >> $TMP_HTML
echo "</HEAD>" >> $TMP_HTML
echo "<body>" >> $TMP_HTML
echo "<h1>$SECTION_LOG</h1>" >> $TMP_HTML
 
echo "<i><p style='text-align: right;'>Date de création $(date +%F)</p></i>" >> $TMP_HTML
echo "<font size='1'>" >> $TMP_HTML
cat $TMP_SQL | while read LIGNE_SQL
do
LOG_IP=$(echo $LIGNE_SQL | cut -d',' -f3)
LOG_DATE1=$(echo $LIGNE_SQL | cut -d',' -f4)
LOG_DATE2=$(echo $LIGNE_SQL | cut -d',' -f5)
 
LOG_Y1=$(echo $LOG_DATE1 | cut -d'-' -f1)
LOG_M1=$(echo $LOG_DATE1 | cut -d'-' -f2)
LOG_D1=$(echo $LOG_DATE1 | cut -d'-' -f3 | cut -d' ' -f1)
LOG_H1=$(echo $LOG_DATE1 | cut -d'-' -f3 | cut -d' ' -f2)
LOG_Y2=$(echo $LOG_DATE2 | cut -d'-' -f1)
LOG_M2=$(echo $LOG_DATE2 | cut -d'-' -f2)
LOG_D2=$(echo $LOG_DATE2 | cut -d'-' -f3 | cut -d' ' -f1)
LOG_H2=$(echo $LOG_DATE2 | cut -d'-' -f3 | cut -d' ' -f2)
DUMP=$(nfdump -q -R /var/log/nfsen/profiles-data/live/alcasar_netflow/ -t $LOG_Y1/$LOG_M1/$LOG_D1.$LOG_H1-$LOG_Y2/$LOG_M2/$LOG_D2.$LOG_H2 -O tstart -o "fmt:<tr><td class='numberLine'></td><td>%sa</td><td>%sp</td><td>%da</td><td>%dp</td><td>%ts</td></tr>" "ip $LOG_IP")
if [ ! -z "$DUMP" ]
then
echo "<div class='container'> " >> $TMP_HTML
echo "<table class='table table-striped'>" >> $TMP_HTML
echo "<thead>" >> $TMP_HTML
echo "<tr>" >> $TMP_HTML
echo "<th>Username</th>" >> $TMP_HTML
echo "<th>Client @MAC</th>" >> $TMP_HTML
echo "<th>Client @IP</th>" >> $TMP_HTML
echo "<th>Login Time</th>" >> $TMP_HTML
echo "<th>Logout Time</th>" >> $TMP_HTML
echo "<th>Upload</th>" >> $TMP_HTML
echo "<th>Download</th>" >> $TMP_HTML
echo "<th>Cause</th>" >> $TMP_HTML
echo "</tr></thead><tbody><tr>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f1) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f2) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f3) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f4) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f5) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f7) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f6) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f8) "</td>" >> $TMP_HTML
echo "</tr></tbody></table></div>" >> $TMP_HTML
echo "<div class='container mySpace'> " >> $TMP_HTML
echo "<table class='table table-striped'>" >> $TMP_HTML
echo "<thead>" >> $TMP_HTML
echo "<tr>" >> $TMP_HTML
echo "<th>N°</th>" >> $TMP_HTML
echo "<th>@IP src</th>" >> $TMP_HTML
echo "<th>Port src</th>" >> $TMP_HTML
echo "<th>@IP dst</th>" >> $TMP_HTML
echo "<th>Port dst</th>" >> $TMP_HTML
echo "<th>Date</th>" >> $TMP_HTML
echo "</tr></thead><tbody>" >> $TMP_HTML
echo $DUMP >> $TMP_HTML
echo "</tbody></table></div>" >> $TMP_HTML
fi
done
echo "</font>" >> $TMP_HTML
echo "</body>" >> $TMP_HTML
echo "</HTML>" >> $TMP_HTML
 
# inform users about that by setting the Alcasar-Imputability-Warning attribute
QUERY="INSERT INTO radreply (username, attribute, value, op) SELECT ui.username, 'Alcasar-Imputability-Warning', '1' , '=' FROM userinfo ui LEFT JOIN radreply rr ON rr.username = ui.username AND rr.attribute = 'Alcasar-Imputability-Warning' WHERE rr.username IS NULL;"
mysql -u root -p"$DB_ROOT_PW" -D radius -e "$QUERY"
 
/usr/bin/wkhtmltopdf $TMP_HTML $TMP_PDF
 
 
/usr/bin/7za a -tzip -p"$1" -mem=AES256 $ARCHIVE_LOCATION $TMP_PDF
chown apache:apache $ARCHIVE_LOCATION
 
 
rm $TMP_HTML
rm $TMP_SQL
rm $TMP_PDF
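Review bot: The date arguments are interpolated straight into the SQL at L7095 and L7101 (`WHERE acctstarttime >= '$2'`) without being checked against the `YYYY-MM-DD HH:MM:SS` form the usage string promises, so a malformed or quote-bearing argument becomes part of the root-run query. A one-line anchored check before the QUERY assignments closes both problems: `[[ "$2" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}\ [0-9]{2}:[0-9]{2}:[0-9]{2}$ ]] || { echo "$usage"; exit 1; }` (and the same for `$3` when three arguments are given). The archive password `-p"$1"` at L7214 and `-p"$DB_ROOT_PW"` at L7135/L7209 are passed as command-line arguments, which any local account can read from the process list while 7za or mysql runs; for mysql a `--defaults-extra-file` (or `MYSQL_PWD` in the environment) keeps the root password out of `ps`, and the archive password would need an equivalent. The fixed names `/tmp/log_sql.csv` and `/tmp/log_users` are predictable paths in a shared directory that `INTO OUTFILE` makes the database server write; a pre-created or symlinked file there makes the export fail (MySQL refuses to overwrite) and the report is then generated empty without any error being noticed, so a `mktemp`-based name plus a check on the mysql exit status would be more robust.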
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
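--- a/scripts/alcasar-macup.sh
+++ b/scripts/alcasar-macup.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+#
+# $Id$
+#
+# alcasar-macup.sh
+#
+# This script is distributed under the Gnu General Public License (GPL)
+
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+
+if [ -z "$CALLING_STATION_ID" ]; then
+exit 1
+fi
+
+dbRootPass=$(grep ^db_root= $PASSWD_FILE | cut -d'=' -f2-)
+
+chilli_query_res=$(chilli_query list mac $CALLING_STATION_ID)
+[ -z "$chilli_query_res" ] && exit
+
+is_connected=$(echo "$chilli_query_res" | awk '{ print $5 }')
+current_mac=$CALLING_STATION_ID
+
+if [ $is_connected == '0' ]; then
+db_query="SELECT username, IFNULL((UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(acctstoptime)), 0) AS timeout, acctterminatecause FROM radacct WHERE callingstationid='$current_mac' ORDER BY acctstarttime DESC LIMIT 1;"
+db_res=$(mysql -u root -p"$dbRootPass" -D radius -e "$db_query" -Bs)
+
+if [ -n "$db_res" ]; then
+username=$(echo "$db_res" | cut -f1)
+timeout=$(echo "$db_res" | cut -f2)
+acctterminatecause=$(echo "$db_res" | cut -f3)
+
+if [ "$acctterminatecause" != "User-Request" ]; then
+db_query_additionalGroups=''
+[ -n "$FILTER_ID" ] && db_query_additionalGroups="( SELECT attribute, value FROM radgroupreply WHERE groupname = '$FILTER_ID' AND (attribute='Alcasar-Reconnect-Timeout') ) UNION "
+db_query="SELECT attribute, value FROM ( \
+( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute='Alcasar-Reconnect-Timeout') ) UNION \
+( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute='Alcasar-Reconnect-Timeout') ORDER BY ug.priority ) UNION \
+$db_query_additionalGroups \
+( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute='Alcasar-Reconnect-Timeout') ) \
+) attrs GROUP BY attribute;"
+db_res=$(mysql -u root -p"$dbRootPass" -D radius -e "$db_query" -Bs)
+
+reconnectTimeout=$(echo "$db_res" | awk '$1 == "Alcasar-Reconnect-Timeout" { print $2 }')
+
+if [ -n "$reconnectTimeout" ] && [ $timeout -le $reconnectTimeout ]; then
+for i in {1..10}; do
+sleep 1
+chilli_query authorize mac $current_mac username "$username"
+chilli_query_res=$(chilli_query list mac $current_mac)
+isPassing=$(echo "$chilli_query_res" | awk '{ print $3 }')
+is_connected=$(echo "$chilli_query_res" | awk '{ print $5 }')
+if [ "$is_connected" == '1' ] && [ "$isPassing" == 'pass' ]; then
+logger -t alcasar-macup "The MAC address \"$current_mac\" is reconnected with user \"$username\"."
+break
+fi
+done
+fi
+fi
+fi
+fi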
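Review bot: `$USER_NAME`, `$FILTER_ID` and `$CALLING_STATION_ID` are never assigned in this script, so they presumably arrive from the environment of the calling daemon, yet they are interpolated unescaped into the root-run queries at L7256, L7266 and L7268–L7269 (`WHERE username = '$USER_NAME'`); a username is chosen by the client, so a quote in it changes the query. Reject anything outside the expected character set before the first `mysql` call, e.g. `case "$USER_NAME$FILTER_ID" in *[!A-Za-z0-9._@-]*) exit 1;; esac` and `case "$CALLING_STATION_ID" in ''|*[!0-9A-Fa-f:-]*) exit 1;; esac` (adjust the allowlist to what the deployment actually permits). Separately, the shebang is `#!/bin/sh` but L7255 uses `==` inside `[` and L7278 uses the brace expansion `{1..10}`, both bash-only; under a POSIX sh such as dash the test errors and the loop runs once with the literal string `{1..10}`. Either change the shebang to `#!/bin/bash` or write `for i in $(seq 1 10)` and `[ "$is_connected" = '0' ]`.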
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
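--- a/scripts/alcasar-dhcp.sh
+++ b/scripts/alcasar-dhcp.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-dhcp.sh
+
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# active ou desactive le service DHCP sur le réseau de consultation
+# enable or disable the DHCP service on consultation LAN
+
+SED="/bin/sed -i"
+CHILLI_CONF_FILE="/etc/chilli.conf"
+ALCASAR_CONF_FILE="/usr/local/etc/alcasar.conf"
+
+# define DHCP parameters (LAN side)
+PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $ALCASAR_CONF_FILE|cut -d"=" -f2`
+PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
+PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`
+PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2`
+PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2`
+PRIVATE_NETWORK_MASK="$PRIVATE_NETWORK/$PRIVATE_PREFIX" # ie.: 192.168.182.0/24
+EXT_DHCP_IP=`grep ^EXT_DHCP_IP= $ALCASAR_CONF_FILE|cut -d"=" -f2` # Adresse du serveur DHCP externe
+RELAY_DHCP_IP=`grep ^RELAY_DHCP_IP= $ALCASAR_CONF_FILE|cut -d"=" -f2` # Adresse de l'agent Relay : IP interne (défaut 192.168.182.1) dans le cas de DHCP dans le LAN de consultation
+RELAY_DHCP_IP=${RELAY_DHCP_IP:=$PRIVATE_IP} # IP externe (défaut x.y.z.t) dans le cas de DHCP du côté WAN
+RELAY_DHCP_PORT=`grep ^RELAY_DHCP_PORT= $ALCASAR_CONF_FILE|cut -d"=" -f2` # Port de redirection vers le relay DHCP : 67 par défaut
+RELAY_DHCP_PORT=${RELAY_DHCP_PORT:=67}
+
+usage="Usage: alcasar-dhcp.sh {--on | -on} | {--off | -off} "
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+echo "$usage"
+exit 1
+fi
+case $args in
+-\? | -h | --h)
+echo "$usage"
+exit 0
+;;
+--off|-off) # disable DHCP service
+$SED "s?^DHCP=.*?DHCP=off?g" $ALCASAR_CONF_FILE
+$SED "s?.*statip.*?statip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE
+$SED "s?^#nodynip.*?nodynip?g" $CHILLI_CONF_FILE
+$SED "s@^#\?dynip.*@#dynip@g" $CHILLI_CONF_FILE
+if [ -n "$EXT_DHCP_IP" ] && [ "$EXT_DHCP_IP" != "none" ]
+then
+$SED "s?.*dhcpgateway\s.*?dhcpgateway\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
+$SED "s?.*dhcprelayagent.*?dhcprelayagent\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
+$SED "s?.*dhcpgatewayport.*?dhcpgatewayport\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
+else
+$SED "s?.*dhcpgateway\s.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
+$SED "s?.*dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
+$SED "s?.*dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
+fi
+/usr/bin/systemctl restart chilli
+;;
+--on|-on) # enable DHCP service on all range of IP addresses
+$SED "s?^DHCP=.*?DHCP=on?g" $ALCASAR_CONF_FILE
+$SED "s?^RELAY_DHCP_IP=.*?RELAY_DHCP_IP=$RELAY_DHCP_IP?g" $ALCASAR_CONF_FILE
+$SED "s?^RELAY_DHCP_PORT=.*?RELAY_DHCP_PORT=$RELAY_DHCP_PORT?g" $ALCASAR_CONF_FILE
+$SED "s?^.*statip.*?#statip?g" $CHILLI_CONF_FILE
+$SED "s?^nodynip.*?#nodynip?g" $CHILLI_CONF_FILE
+$SED "s@^#\?dynip.*@dynip\t\t$PRIVATE_NETWORK_MASK@g" $CHILLI_CONF_FILE
+$SED "s?^dhcpgateway\s.*?#dhcpgateway\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
+$SED "s?^dhcprelayagent.*?#dhcprelayagent\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
+$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
+/usr/bin/systemctl restart chilli
+;;
+*)
+echo "Argument inconnu :$1";
+echo "$usage"
+exit 1
+;;
+esac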
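Review bot: The values read from alcasar.conf at L7321–L7331 are written into chilli.conf by the sed commands at L7348 and L7353–L7355 without any check that they are present or well-formed; if `ipcalc` fails or `PRIVATE_IP` is missing, `statip` becomes a bare `/`, `EXT_DHCP_IP` is copied verbatim, and the `systemctl restart chilli` that follows brings the portal down on a broken file. A guard before `case` would fail early instead: `case "$RELAY_DHCP_PORT" in ''|*[!0-9]*) echo >&2 "ERR: bad RELAY_DHCP_PORT"; exit 1;; esac` and `[ -n "$PRIVATE_NETWORK" ] && [ -n "$PRIVATE_PREFIX" ] || { echo >&2 "ERR: cannot compute the consultation network"; exit 1; }`. The `--off` patterns are unanchored (`.*statip.*`, `.*dhcpgateway\s.*`, `.*dhcprelayagent.*`) while the `--on` ones start with `^`, so `--off` also rewrites any line that merely contains those words, such as a comment; anchoring them the way L7350 already does (`^#\?statip.*`) matches only the intended commented or uncommented directive.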
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
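--- a/scripts/alcasar-bypass.sh
+++ b/scripts/alcasar-bypass.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-bypass.sh
+# by 3abtux and Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# activation / désactivation du contournement de l'authentification et du filtrage WEB
+# enable / disable the bypass of authentication process and WEB filtering
+
+usage="Usage: alcasar-bypass.sh {--on or -on } | {--off or -off}"
+CONF_FILE="/usr/local/etc/alcasar.conf"
+INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
+
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+nb_args=1
+args="-h"
+fi
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--on | -on)
+/usr/local/bin/alcasar-logout.sh all
+/usr/bin/systemctl stop chilli
+cp -f /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF
+ifup $INTIF
+sh /usr/local/bin/alcasar-iptables-bypass.sh
+DHCP=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
+if [ $DHCP != off ]
+then
+/usr/bin/systemctl start dhcpd
+fi
+
+rm -f /etc/cron.d/alcasar-daemon-watchdog # don't restart daemons (specially coova)
+echo "ALCASAR est en mode 'bypass'"
+echo "ALCASAR is in 'bypass' mode"
+;;
+--off | -off)
+cp -f /etc/sysconfig/network-scripts/default-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF
+ifup $INTIF
+/usr/bin/systemctl stop dhcpd
+/usr/bin/systemctl start chilli
+sh /usr/local/bin/alcasar-iptables.sh
+# activation of the "daemon-watchdog" every 18'
+cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
+# activation du "chien de garde" (daemon-watchdog) toutes les 18'
+*/18 * * * * root /usr/local/bin/alcasar-daemon.sh > /dev/null 2>&1
+EOF
+echo "L'authentification et le filtrage sont actifs"
+echo "Authentication and filtering system are enabled"
+;;
+*)
+echo "Argument inconnu :$1";
+echo "$usage"
+exit 1
+;;
+esac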
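Review bot: `if [ $DHCP != off ]` at L7426 leaves `$DHCP` unquoted, so when the `DHCP=` line is absent or empty in alcasar.conf the test fails with "unary operator expected" instead of deciding and dhcpd is silently not started; `if [ "$DHCP" != "off" ]` fixes it. Since `--on` removes authentication and web filtering for every client, the switch deserves an audit trail beyond the two `echo` lines: a `logger -t alcasar-bypass "bypass mode enabled"` next to L7432 and a matching `logger -t alcasar-bypass "bypass mode disabled"` next to L7446 would record both transitions in syslog. The `cp -f` of `bypass-ifcfg-$INTIF` at L7422 is unchecked; if that file is missing, chilli is already stopped and `ifup` reuses the old configuration, so the `--on` branch should bail out with `[ -f /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF ] || { echo >&2 "ERR: bypass-ifcfg-$INTIF not found"; exit 1; }` before stopping chilli.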
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
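--- a/scripts/alcasar-file-clean.sh
+++ b/scripts/alcasar-file-clean.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# alcasar-file-clean.sh
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# clean alcasar conf files (remove empty lines, sort and control)
+# nettoie les fichiers de conf d'alcasar (suppression des lignes vides, tri et contrôle)
+
+SED="/bin/sed -i"
+DIR_CONF="/usr/local/etc"
+ALCASAR_SERVICES="$DIR_CONF/alcasar-services"
+ALCASAR_IP_BLOCKED="$DIR_CONF/alcasar-ip-blocked"
+ALCASAR_UAMDOMAIN="$DIR_CONF/alcasar-uamdomain"
+ALCASAR_UAMALLOWED="$DIR_CONF/alcasar-uamallowed"
+ALCASAR_CONF="$DIR_CONF/alcasar.conf"
+
+# sort file content
+for file in $ALCASAR_SERVICES $ALCASAR_IP_BLOCKED $ALCASAR_UAMDOMAIN $ALCASAR_UAMALLOWED
+do
+sort -k2n $file > /tmp/alcasar-tmp-sort
+mv -f /tmp/alcasar-tmp-sort $file
+done
+
+# remove empty lines and put rights
+for file in $ALCASAR_SERVICES $ALCASAR_IP_BLOCKED $ALCASAR_CONF $ALCASAR_UAMDOMAIN $ALCASAR_UAMALLOWED
+do
+$SED "/^$/d" $file
+chown root:apache $file
+chmod 660 $file
+done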
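Review bot: The sort loop at L7487–L7488 stages each configuration file through the fixed path `/tmp/alcasar-tmp-sort`, a predictable name in a world-writable directory, and then moves that file over a root-owned `660` file; a symlink or pre-created file left there by another local account becomes the redirection target of the root-run `>` or the new content of the configuration file. GNU `sort` reads all of its input before opening the output, so the temporary file is not needed at all: `sort -k2n -o "$file" "$file"` replaces both lines. The unquoted `$file` expansions are harmless with these fixed paths, but quoting them costs nothing and keeps the script safe if a path with spaces is ever added.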
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
/scripts/alcasar-url_filter_wl.sh
0,0 → 1,103
#!/bin/bash
 
# Id: $Id$
 
# alcasar-url_filter.sh
# by REXY
# This script is distributed under the Gnu General Public License (GPL)
 
# Active / désactive : safesearch des moteurs de recherche
# Enable / disable : search engines safesearch
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine
# Enable / disable : filter of urls containing ip address instead of domain name
 
CONF_FILE="/usr/local/etc/alcasar.conf"
UNBOUND_WL_DOMAIN_FILTER_CONF="/etc/unbound/conf.d/whitelist/domainfilter.conf"
IP_WL="/usr/local/share/iptables-wl-enabled/ossi-ip-safesearch"
SED="/bin/sed -i"
safesearch="Off"
usage="Usage: alcasar-url_filter_wl.sh { -safesearch_on or -safesearch_off }"
 
nb_args=$#
 
googledomains="google.com. google.ad. google.ae. google.com.af. google.com.ag. google.com.ai. google.al. google.am. google.co.ao. google.com.ar. google.as. google.at. google.com.au. google.az. google.ba. google.com.bd. google.be. google.bf. google.bg. google.com.bh. google.bi. google.bj. google.com.bn. google.com.bo. google.com.br. google.bs. google.bt. google.co.bw. google.by. google.com.bz. google.ca. google.cd. google.cf. google.cg. google.ch. google.ci. google.co.ck. google.cl. google.cm. google.cn. google.com.co. google.co.cr. google.com.cu. google.cv. google.com.cy. google.cz. google.de. google.dj. google.dk. google.dm. google.com.do. google.dz. google.com.ec. google.ee. google.com.eg. google.es. google.com.et. google.fi. google.com.fj. google.fm. google.fr. google.ga. google.ge. google.gg. google.com.gh. google.com.gi. google.gl. google.gm. google.gp. google.gr. google.com.gt. google.gy. google.com.hk. google.hn. google.hr. google.ht. google.hu. google.co.id. google.ie. google.co.il. google.im. google.co.in. google.iq. google.is. google.it. google.je. google.com.jm. google.jo. google.co.jp. google.co.ke. google.com.kh. google.ki. google.kg. google.co.kr. google.com.kw. google.kz. google.la. google.com.lb. google.li. google.lk. google.co.ls. google.lt. google.lu. google.lv. google.com.ly. google.co.ma. google.md. google.me. google.mg. google.mk. google.ml. google.com.mm. google.mn. google.ms. google.com.mt. google.mu. google.mv. google.mw. google.com.mx. google.com.my. google.co.mz. google.com.na. google.com.nf. google.com.ng. google.com.ni. google.ne. google.nl. google.no. google.com.np. google.nr. google.nu. google.co.nz. google.com.om. google.com.pa. google.com.pe. google.com.pg. google.com.ph. google.com.pk. google.pl. google.pn. google.com.pr. google.ps. google.pt. google.com.py. google.com.qa. google.ro. google.ru. google.rw. google.com.sa. google.com.sb. google.sc. google.se. google.com.sg. google.sh. google.si. google.sk. google.com.sl. google.sn. 
google.so. google.sm. google.sr. google.st. google.com.sv. google.td. google.tg. google.co.th. google.com.tj. google.tk. google.tl. google.tm. google.tn. google.to. google.com.tr. google.tt. google.com.tw. google.co.tz. google.com.ua. google.co.ug. google.co.uk. google.com.uy. google.co.uz. google.com.vc. google.co.ve. google.vg. google.co.vi. google.com.vn. google.vu. google.ws. google.rs. google.co.za. google.co.zm. google.co.zw. google.cat."
 
youtubedomains="www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com"
 
if [ $nb_args -le 0 ]
then
echo "$usage"
exit 1
fi
 
while [ $nb_args -ge 1 ]
do
arg=${!nb_args}
case $arg in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Safe search activation
-safesearch_on | --safesearch_on)
safesearch="On"
;;
# Safe search desactivation
-safesearch_off | --safesearch_off)
safesearch="Off"
;;
*)
echo "Argument inconnu : $arg";
echo "$usage"
exit 1
;;
esac
nb_args=$(expr $nb_args - 1)
done
 
if [ $safesearch == "On" ]
then
[ -e $IP_WL ] && rm -f $IP_WL
 
# add 'SafeSearch' redirection for google searching
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip
 
# config file header
echo "server:" > $UNBOUND_WL_DOMAIN_FILTER_CONF
 
for domain in $googledomains
do
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $google_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
done
echo "add wl_ip_allowed $google_safe_server" >> $IP_WL
 
# add 'SafeSearch' redirection for youtube searching
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip
for domain in $youtubedomains
do
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $youtube_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
done
echo "add wl_ip_allowed $youtube_safe_server" >> $IP_WL
 
# add 'SafeSearch' redirection for bing searching
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip
echo -e "\tlocal-zone: \"www.bing.com\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"www.bing.com A $bing_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo "add wl_ip_allowed $bing_safe_server" >> $IP_WL
 
# add 'SafeSearch' redirection for qwant searching
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip
echo -e "\tlocal-zone: \"api.qwant.com\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"api.qwant.com A $qwant_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo "add wl_ip_allowed $qwant_safe_server" >> $IP_WL
 
$SED 's/^WL_SAFESEARCH=.*/WL_SAFESEARCH=on/g' $CONF_FILE
else
[ -e $UNBOUND_WL_DOMAIN_FILTER_CONF ] && rm -f $UNBOUND_WL_DOMAIN_FILTER_CONF
[ -e $IP_WL ] && rm -f $IP_WL
 
$SED 's/^WL_SAFESEARCH=.*/WL_SAFESEARCH=off/g' $CONF_FILE
fi
systemctl restart unbound-whitelist
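Review bot: None of the four `host -ta … | cut` lookups (L7573, L7586, L7595, L7601) is checked, so a failed or multi-answer resolution leaves `google_safe_server` empty or multi-line and the loop still writes `local-data: "google.com. A "` into the unbound file and a bare `add wl_ip_allowed` into the ipset file before `systemctl restart unbound-whitelist` at L7613 loads the broken configuration. Take the first answer only and abort when there is none: `google_safe_server=$(host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4 | head -n1)` followed by `[ -n "$google_safe_server" ] || { echo >&2 "ERR: cannot resolve forcesafesearch.google.com"; exit 1; }`, and the same pattern for the three other resolvers. The restart itself is also unchecked; `systemctl restart unbound-whitelist || echo >&2 "ERR: unbound-whitelist failed to restart"` would at least surface the failure to the caller.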
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
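--- a/scripts/alcasar-profil.sh
+++ b/scripts/alcasar-profil.sh
@@ -0,0 +1,245 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-profil.sh
+# by Richard REY
+# This script is distributed under the Gnu General Public License (GPL)
+
+# Gestion des comptes liés aux profiles
+# Manage the profil logins
+
+DIR_BIN="/usr/local/bin" # scripts directory
+ADM_PROFIL="admin"
+PROFILS="backup manager"
+ALL_PROFILS=`echo $ADM_PROFIL $PROFILS`
+DIR_KEY="/usr/local/etc/digest"
+SED="/bin/sed -i"
+Lang=`echo $LANG|cut -c 1-2`
+REALM="ALCASAR Control Center (ACC)"
+
+# génère le htdigest
+function htdigest () {
+passwdfile="$1"
+username="$2"
+
+[ -f "$passwdfile" ] || touch "$passwdfile"
+
+grep -q "${username}:${REALM}:" "$passwdfile" && existing_user=1 || existing_user=0
+
+if [ $existing_user -eq 1 ]; then
+echo "Changing password for user $username in realm $REALM"
+else
+echo "Adding user $username in realm $REALM"
+fi
+
+equal=0
+while [ $equal -eq 0 ]; do
+echo -n "New password: "
+read -s pass_1
+echo
+echo -n "Confirm the new password: "
+read -s pass_2
+echo
+
+if [ -n "$pass_1" ] && [ "$pass_1" != "$pass_2" ]; then
+echo -e "\nThe passwords don't match.\n"
+else
+equal=1
+fi
+done
+
+digest="${username}:${REALM}:"
+digest+=$(echo -n "${username}:${REALM}:${pass_1}" | md5sum | cut -d" " -f1)
+
+if [ $existing_user -eq 0 ]; then
+echo "$digest" >> "$passwdfile"
+else
+sed -i "s/${username}:${REALM}:.*/${digest}/" "$passwdfile"
+fi
+}
+
+# liste les comptes de chaque profile
+function list () {
+for i in $ALL_PROFILS
+do
+if [ $Lang == "fr" ]
+then
+echo -n "Comptes liés au profil '$i' : "
+
+else
+echo -n "accounts linked with profile '$i' : "
+fi
+account_list=`cat $DIR_KEY/key_only_$i | cut -d':' -f1|sort`
+for account in $account_list
+do
+echo -n "$account "
+done
+echo
+done
+}
+# ajoute les comptes du profil "admin" aux autres profils
+# crée le fichier de clés contenant tous les compte (pour l'accès au centre de gestion)
+function concat () {
+> $DIR_KEY/key_all
+for i in $PROFILS
+do
+cp -f $DIR_KEY/key_only_$ADM_PROFIL $DIR_KEY/key_$i
+cat $DIR_KEY/key_only_$i >> $DIR_KEY/key_$i
+cat $DIR_KEY/key_only_$i >> $DIR_KEY/key_all
+done
+cp -f $DIR_KEY/key_only_$ADM_PROFIL $DIR_KEY/key_$ADM_PROFIL
+cat $DIR_KEY/key_only_$ADM_PROFIL >> $DIR_KEY/key_all
+chown -R root:apache $DIR_KEY
+chmod 640 $DIR_KEY/key_*
+}
+
+usage="Usage: alcasar-profil.sh [-l|--list] [-a|--add [profil]] [-d|--del] [-p|--pass]"
+nb_args=$#
+arg1=$1
+arg2=$2
+
+# on met en place la structure minimale
+if [ ! -e $DIR_KEY/key_$ADM_PROFIL ]
+then
+touch $DIR_KEY/key_$ADM_PROFIL
+fi
+cp -f $DIR_KEY/key_$ADM_PROFIL $DIR_KEY/key_only_$ADM_PROFIL
+for i in $PROFILS
+do
+if [ ! -e $DIR_KEY/key_only_$i ]
+then
+touch $DIR_KEY/key_only_$i
+fi
+done
+concat
+if [ $nb_args -eq 0 ]
+then
+echo $usage
+exit 0
+fi
+case $arg1 in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--add|-a)
+if [ $nb_args -eq 1 ]
+then
+# ajout d'un compte
+list
+if [ $Lang == "fr" ]
+then
+echo -n "Choisissez un profil ($ALL_PROFILS) : "
+else
+echo -n "Select a profile ($ALL_PROFILS) : "
+fi
+profil=''
+while [ -z "$profil" ]; do
+read profil
+done
+else
+profil="$2"
+fi
+
+if ! echo $ALL_PROFILS | grep -qw $profil
+then
+if [ $Lang == "fr" ]
+then
+echo "Le profil indiqué n'existe pas"
+else
+echo "The given profile doesn't exist"
+fi
+exit 1
+fi
+
+if [ $Lang == "fr" ]
+then
+echo -n "Entrez le nom du compte à créer (profil '$profil') : "
+else
+echo "Enter the name of the account to create (profile '$profil') : "
+fi
+account=''
+while [ -z "$account" ]; do
+read account
+done
+# TODO : add check
+# on teste s'il n'existe pas déjà
+for i in $ALL_PROFILS
+do
+tmp_account=`cat $DIR_KEY/key_only_$i | cut -d':' -f1`
+for j in $tmp_account
+do
+if [ "$j" = "$account" ]
+then if [ $Lang == "fr" ]
+then
+echo "Ce compte existe déjà"
+else
+echo "This account already exists"
+fi
+exit 1
+fi
+done
+done
+htdigest $DIR_KEY/key_only_$profil "$account"
+concat
+list
+;;
+--del|-d)
+# suppression d'un compte
+list
+if [ $Lang == "fr" ]
+then
+echo -n "entrez le nom du compte à supprimer : "
+else
+echo -n "enter the name of the account to remove : "
+fi
+account=''
+while [ -z "$account" ]; do
+read account
+done
+for i in $ALL_PROFILS; do
+$SED "/^$account:/d" $DIR_KEY/key_only_$i
+done
+concat
+list
+;;
+--pass|-p)
+# changement du mot de passe d'un compte
+list
+if [ $Lang == "fr" ]
+then
+echo "Changement de mot de passe"
+echo -n "Entrez le nom du compte : "
+else
+echo "Password change"
+echo -n "Enter the name of the account : "
+fi
+read account
+for i in $ALL_PROFILS
+do
+tmp_account=`cat $DIR_KEY/key_only_$i | cut -d':' -f1`
+for j in $tmp_account
+do
+if [ "$j" = "$account" ]
+then
+htdigest $DIR_KEY/key_only_$i "$account"
+fi
+done
+done
+concat
+;;
+--list|-l)
+# liste des comptes par profil
+list
+;;
+*)
+if [ $Lang == "fr" ]
+then
+echo "Argument inconnu :$1";
+else
+echo "Unknown argument : $i";
+fi
+echo "$usage"
+exit 1
+;;
+esac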
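Review bot: The confirmation loop in `htdigest` at L7669 accepts an empty password: with `pass_1` empty the condition `[ -n "$pass_1" ] && …` is false, `equal` is set to 1, and a digest for an empty password is written to the ACC access file even when the confirmation differed. Test for emptiness as well, `if [ -z "$pass_1" ] || [ "$pass_1" != "$pass_2" ]; then`, with a message such as `echo -e "\nEmpty password or passwords don't match.\n"`. The account name typed at L7788 and L7823 is still unchecked (the `# TODO : add check` at L7790) although it is spliced into the `grep` pattern at L7652, the `sed -i s///` at L7682 and the `$SED "/^$account:/d"` at L7826, where `:`, `/` or regex metacharacters can corrupt the digest file or delete other users' lines; an allowlist right after each `read`, `[[ "$account" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Invalid account name"; exit 1; }`, closes that. The fallback branch at L7865 prints `$i`, the last profile left over from the loop at L7732, instead of `$1` as the unknown argument.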
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
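--- a/scripts/alcasar-watchdog-hl.sh
+++ b/scripts/alcasar-watchdog-hl.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# $Id: alcasar-watchdog-hl/sh 2113 2017-01-08 22:43:26Z richard $
+
+# alcasar-watchdog-hl.sh
+# by 3abtux
+# This script is distributed under the Gnu General Public License (GPL)
+# - Ce script déconnecte les équipements réseau qui sont identifiés en 0.0.0.0 (lancé optionnellement par cron dans /etc/cron.d/alcasar-watchdog)
+# - This script disconnects the network equipments which are identified in 0.0.0.0 (optionally run by cron in /etc/cron.d/alcasar-watchdog)
+
+OLDIFS=$IFS
+IFS=$'\n'
+
+usage="Usage: alcasar-watchdog-hl.sh "
+case $1 in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+*)
+# searching for 0.0.0.0 IP
+for system in `/usr/sbin/chilli_query list |grep "0\.0\.0\.0 dnat"`
+do
+active_mac=`echo $system | cut -d" " -f1`
+echo "$(date "+[%x-%X] : ")alcasar-watchdog-hl : $active_mac has 0.0.0.0 IP address. Alcasar release the equipment." >> /var/Save/security/watchdog-hl.log
+/usr/sbin/chilli_query dhcp-release $active_mac
+done
+;;
+esac
+IFS=$OLDIFS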
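Review bot: The entry appended to `/var/Save/security/watchdog-hl.log` at L7906 is timestamped with `date "+[%x-%X] : "`, whose output depends on the locale of the invoking shell (cron usually runs with a different `LANG` than an interactive root session), so the same file can mix formats and is hard to correlate with the other ALCASAR logs during an investigation; `date "+[%F %T] : "` gives a fixed, sortable form. `$active_mac` is unquoted in the `chilli_query dhcp-release` call at L7907, and the log directory is never checked, so a missing `/var/Save/security` makes the `>>` fail while the release still goes ahead unrecorded; quoting the variable and adding `[ -d /var/Save/security ] || exit 1` before the loop keeps the action and its trace together.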
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
/scripts/alcasar-archive.sh
0,0 → 1,142
#!/bin/bash
# $Id$
 
# alcasar-archive.sh
# by Franck BOUIJOUX and REXY
# This script is distributed under the Gnu General Public License (GPL)
 
# Script permettant
# - d'exporter dans un seul fichier les logs de traçabilités et la base des usagers (à des fins d'archivages).
# - Une fonction de chiffrement des logs a été implémentée dans ce script. Lisez la documentation d'exploitation pour l'activer.
# - nettoyage des archives supérieures à 1 an (365 jours)
 
# This script allows
# - export in one file the log files and user's base (in order to archive them).
# - a cypher fonction allows to protect these files. Read the exploitation documentation to enable it.
# - delete backup files older than one year (365 days)
 
DIR_SAVE="/var/Save" # répertoire accessible par webs
DIR_LOG="/var/log" # répertoire local des log
 
#DIR_SERVICE="squid lighttpd firewall" # répertoires contenant des logs utiles à exporter
DIR_BASE="$DIR_SAVE/base" # répertoire de sauvegarde de la base de données usagers
DIR_ARCHIVE="$DIR_SAVE/archive" # répertoire de sauvegarde des archives de log
NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment
DIR_TMP="/tmp/traceability-$NOW" # Répertoire temporaire d'export
FILE="traceability-$NOW.tar.gz" # Nom du fichier de l'archive
EXPIRE_DAY=365 # Nbre de jour avant suppression des fichiers journaux
CRYPT="0" # chiffrement des logs ( 0=non / 1=oui) --> Si oui alors la signature est automatiquement activée
# log files encryption ( 0=no / 1=yes) --> if yes, the signature is automaticly enabled
SIGN="0" # Signature/empreinte des logs ( 0=non / 1=oui ) ATTENTION : nécessite la clé privée !!!
# Signature of log files ( 0=no / 1=yes ) ATTENTION : need the private key !!!
GPG_USER="" # utilisateur autorisé à déchiffrer les logs. Sa clé publique doit être connu dans le portefeuille gnupg de root (/root/.gnupg)
# user allowed to decrypt the log files. Its public key must be known in the root keyring (/root/.gnupg)
 
usage="Usage: alcasar-archive.sh {--live or -l} | {--now or -n} | {--clean or -c}"
 
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
 
 
function cleanup() {
# Nettoyage des fichiers archives
cd $DIR_SAVE
find . \( -mtime +$EXPIRE_DAY \) -a \( -name '*.gz' -o -name '*.sql' -o -name '' -o -name 'gpg' \) -exec rm -f {} \;
} # end function cleanup
 
 
function crypt() {
# Chiffrement des logs dans /var/Save/
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*log-*.gz' \) -exec gpg --output $DIR_ARCHIVE/$file/{}.gpg --encrypt --recipient $GPG_USER {} \;
} # end function crypt
 
function archive() {
mkdir -p $DIR_ARCHIVE
mkdir -p $DIR_TMP
nb_files=`ls $DIR_LOG/firewall/traceability.log*.gz 2>/dev/null | wc -w`
if [ $nb_files -ne 0 ]; then
mv $(echo $(ls -rt $DIR_LOG/firewall/traceability.log*.gz | tail -n 1 -)) $DIR_TMP/traceability-HTTP-$NOW.gz
fi
nb_files=`ls $DIR_BASE/alcasar-users-database-*.sql.gz 2>/dev/null | wc -w`
if [ $nb_files -ne 0 ]; then
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) $DIR_TMP/
fi
cd /var/log/nfsen/profiles-data/live/alcasar_netflow
nb_files=`find . -mtime -7 -name 'nfcapd.[0-9]*' | wc -l`
if [ $nb_files -ne 0 ]; then
find . -mtime -7 -name 'nfcapd.[0-9]*' | xargs tar -cf $DIR_TMP/traceability-ALL-$NOW.tar;
fi
cd /tmp/
nb_files=`ls traceability-$NOW/* 2>/dev/null | wc -w`
if [ $nb_files -ne 0 ]; then
tar cvzf /tmp/$FILE traceability-$NOW/*
else echo "no file to archive"
fi
} # end archive
 
# Core script
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
--clean | -c)
# Cleanup of files older than 365 days
cleanup
;;
--now | -n)
# Cleanup of files older than 365 days
cleanup
# make an archive
archive
# Saving of the database
/usr/local/bin/alcasar-mysql.sh --dump
# Encryption of the archive
if [ -e /tmp/$FILE ]; then
if [ $CRYPT -eq "1" ]; then
{
# 1 ) chiffrement/signature =1 ==> gpg --encrypt avec test de la clé présente
gpg --output $DIR_ARCHIVE/$FILE-crypt.gpg --armor --encrypt --recipient $GPG_USER /tmp/$FILE
}
elif [ $SIGN -eq "1" ]; then
{
# 2) signature = 1 Chiffrement = 0 --> gpg --encrypt idem test de la clé présente
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER /tmp/$FILE
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER --detach-sign /tmp/$FILE
}
else
{
# 3) chiffrement/signature = 0 --> cp simple avec suppression des droits d'écriture
cp /tmp/$FILE $DIR_ARCHIVE/.
}
fi
fi
rm -rf /tmp/traceability-*
chown root:apache $DIR_ARCHIVE/*
;;
--live | -l)
mkdir -p $DIR_ARCHIVE
mkdir -p /tmp/live
gap=7
cd /var/log/nfsen/profiles-data/live/alcasar_netflow
find . -mtime -$gap -name 'nfcapd.[0-9]*' | xargs tar -cf /tmp/live/traceability-ALL-$NOW.tar;
# Saving of the database
/usr/local/bin/alcasar-mysql.sh --dump
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) /tmp/live/
cp /var/log/firewall/traceability.log /tmp/live/traceability-HTTP-$NOW.log
tar -czf $DIR_ARCHIVE/traceability-$NOW.tar.gz /tmp/live/*
rm -rf /tmp/live
;;
*)
echo "Unknown argument :$1";
echo "$usage"
exit 1
;;
esac
exit 0
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
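--- a/scripts/alcasar-version.sh
+++ b/scripts/alcasar-version.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-version-list.sh
+# by Richard REY
+# This script is distributed under the Gnu General Public License (GPL)
+
+# récupère les versions d'ALCASAR (stable et développement)
+# download the ALCASAR versions (stable / dev)
+
+SITE_VERSION="version.alcasar.net"
+MAJ="False"
+DNS_VERSION_L=`dig $SITE_VERSION txt | grep ^$SITE_VERSION | cut -d"\"" -f2`
+DNS_VERSION=`echo $DNS_VERSION_L|cut -d" " -f1`
+MAJ_DNS_VERSION=`echo $DNS_VERSION|cut -d"." -f1`
+MIN_DNS_VERSION=`echo $DNS_VERSION|cut -d"." -f2`
+UPD_DNS_VERSION=`echo $DNS_VERSION|cut -d"." -f3`
+RUNNING_VERSION=`grep ^VERSION= /usr/local/etc/alcasar.conf|cut -d'=' -f2`
+MAJ_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f1`
+MIN_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f2|cut -c1`
+UPD_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f3`
+
+#compare major number
+if [ $MAJ_RUNNING_VERSION -lt $MAJ_DNS_VERSION ]
+then
+MAJ="True"
+fi
+#compare minor number
+if [ $MAJ_RUNNING_VERSION -eq $MAJ_DNS_VERSION ]
+then
+if [ $MIN_RUNNING_VERSION -lt $MIN_DNS_VERSION ]
+then
+MAJ="True"
+fi
+#compare update number
+if [ $MIN_DNS_VERSION -eq $MIN_RUNNING_VERSION ]
+then
+if [ -n "$UPD_DNS_VERSION" ]
+then
+if [ -z "$UPD_RUNNING_VERSION" ]
+then
+MAJ="True"
+else
+if [ $UPD_RUNNING_VERSION -lt $UPD_DNS_VERSION ]
+then
+MAJ="True"
+fi
+fi
+fi
+fi
+fi
+
+if [ $MAJ = "True" ]
+then
+echo "An updated version is available ($DNS_VERSION)"
+else
+echo "The Running version ($RUNNING_VERSION) is up to date"
+fi
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property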
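Review bot: The fields cut out of the DNS TXT answer go straight into unquoted integer tests (`[ $MAJ_RUNNING_VERSION -lt $MAJ_DNS_VERSION ]`) with no validation, so an empty or non-numeric answer (no network, a changed record) makes `[` complain "integer expression expected" while the script still prints a verdict based on whichever tests happened to pass. Validate the record before comparing, e.g. `[[ "$DNS_VERSION" =~ ^[0-9]+\.[0-9]+(\.[0-9]+)?$ ]] || { echo "no valid version record from $SITE_VERSION"; exit 1; }`, and quote the variables inside `[ ]`. `MIN_RUNNING_VERSION` also keeps only the first character of the minor number (`cut -d"." -f2|cut -c1`) while `MIN_DNS_VERSION` keeps the whole field, so a minor number of 10 or more would presumably compare wrong; the asymmetry looks unintended. The TXT answer is unauthenticated, which is acceptable while it only drives a printed message, but worth a comment so nobody later lets it trigger an update.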
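--- a/scripts/alcasar-logout.sh
+++ b/scripts/alcasar-logout.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-logout.sh
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# Déconnexion d'un ou de tous les usagers
+# Logout one user (or all users)
+
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+RADIUS_SECRET=$(grep '^secret_radius=' $PASSWD_FILE | cut -d'=' -f 2-)
+OLDIFS=$IFS
+IFS=$'\n'
+
+usage="Usage: alcasar-logout.sh {user_name} | {all}"
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+nb_args=1
+args="-h"
+fi
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+all)
+# Compute each equipments known by chilli
+for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
+do
+logout_users=""
+active_session=`echo $system |cut -d" " -f5`
+active_user=`echo $system|cut -d" " -f6`
+active_mac=`echo $system | cut -d" " -f1`
+# Logout only authenticated users
+if [[ $(expr $active_session) -eq 1 ]]
+then
+# Don't logout MAC authenticated
+if [ "$active_mac" != "$active_user" ]
+then
+logout_users=$logout_users" $active_user"
+/usr/sbin/chilli_query logout $active_mac
+fi
+fi
+done
+echo "All users are now logout : ($logout_users)"
+;;
+*)
+echo "User-Name = $args" | /usr/bin/radclient 127.0.0.1:3799 40 $RADIUS_SECRET
+;;
+esac
+IFS=$OLDIFS
+
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property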
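Review bot: The RADIUS shared secret read from `$PASSWD_FILE` is handed to radclient as a command-line argument (`/usr/bin/radclient 127.0.0.1:3799 40 $RADIUS_SECRET`), which exposes it in the process list to every local user for as long as radclient runs. radclient can read the secret from a file with `-S`, so writing it to a 0600 temporary file (or, under bash, `-S <(printf '%s\n' "$RADIUS_SECRET")`) keeps it out of argv; `"$RADIUS_SECRET"` and `"$args"` should also be quoted, and the user name is interpolated into the `User-Name = $args` attribute without any validation. In the `all` branch, `logout_users=""` is reset on every loop iteration, so the final `echo "All users are now logout : ($logout_users)"` can only ever show the last user logged out; moving the reset before the `for` is presumably what was intended. `[[ $(expr $active_session) -eq 1 ]]` is an unusual spelling of `[ "$active_session" -eq 1 ]`.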
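--- a/scripts/alcasar-ticket-clean.sh
+++ b/scripts/alcasar-ticket-clean.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# alcasar-ticket-clean.sh
+# by Franck BOUIJOUX & Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# nettoyage des fichiers de mots de passe générés après l'import d'une liste de noms.
+# nettoyage des ticket PDF généré lors de la création d'usager
+# delete password files generated during the importation of a list of names
+# delete PDF ticket generated when creating new account
+
+find /tmp -name '*.pwd' -exec rm -f {} \;
+find /var/www/html/acc/manager/htdocs -name '*.pdf' -exec rm -f {} \;
+exit 0
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property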
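Review bot: `find /tmp -name '*.pwd' -exec rm -f {} \;` walks the whole of /tmp, including directories created by other local users, and removes anything whose name matches; restricting the match to regular files (`-type f`) and, if the generating code writes them under a known prefix or owner, to that location or `-user` keeps the cron job from touching unrelated files. `find ... -delete` (or `-exec rm -f {} +`) also avoids forking one rm per file. The second find under /var/www/html/acc/manager/htdocs has the same shape and benefits from `-type f` too.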
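--- a/scripts/alcasar-clean_radacct
+++ b/scripts/alcasar-clean_radacct
@@ -0,0 +1,52 @@
+#!/usr/bin/perl
+#
+# Clean stale open sessions from the radacct table.
+# we only clean up sessions which are older than $back_days
+# Works with mysql and postgresql
+#
+use POSIX;
+use File::Temp qw(tempfile tempdir);
+
+$conf=shift||'/etc/freeradius-web/admin.conf';
+$back_days = 30;
+
+
+open CONF, "<$conf"
+or die "Could not open configuration file\n";
+while(<CONF>){
+chomp;
+($key,$val)=(split /:\s*/,$_);
+$sql_type = $val if ($key eq 'sql_type');
+$sql_server = $val if ($key eq 'sql_server');
+$sql_username = $val if ($key eq 'sql_username');
+$sql_password = $val if ($key eq 'sql_password');
+$sql_database = $val if ($key eq 'sql_database');
+$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
+$sqlcmd = $val if ($key eq 'sql_command');
+}
+close CONF;
+
+die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
+die "sql command '$sqlcmd' not found or does not seem to be executable\n" if (! -x $sqlcmd);
+
+if ($sql_type eq 'mysql'){
+$sql_password = (!$sql_password) ? '' : "-p$sql_password";
+}
+$sql_password =~ s/(\W)/\\$1/g;
+
+($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
+$date = POSIX::strftime("%Y-%m-%d %T",$sec,$min,$hour,($mday - $back_days),$mon,$year,$wday,$yday,$isdst);
+print "$date\n";
+if (POSIX::strftime("%Y-%m-%d %T",localtime) eq $date){
+die "Could not set correct back date.\n";
+}
+
+$query = "DELETE FROM $sql_accounting_table WHERE AcctStopTime IS NULL AND AcctStartTime < '$date';";
+print "$query\n";
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh $query;
+close $fh;
+$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
+`$command`;
Property changes:
Added: svn:executable
+*
\ No newline at end of property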
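Review bot: The final command is a shell string run through backticks, so `$sql_server`, `$sql_username`, `$sql_database` and `$sql_accounting_table` from admin.conf reach the shell unescaped (only the password gets the `s/(\W)/\\$1/g` treatment), and for mysql the password itself is placed in argv as `-p$sql_password`, where any local user can read it from the process list; the same pattern is in alcasar-monthly_tot_stats, alcasar-tot_stats and alcasar-truncate_radacct. Running the client with list-form `system` and the query file dup'ed onto STDIN removes the shell entirely, and for mysql a `--defaults-extra-file` written by `tempfile` keeps the password out of argv (confirm the option-file quoting rules if the password can contain `#` or quotes); the `-p` prefix and the backslash escaping would then be dropped, since `$sql_password` must be the raw value. The script also runs without `use strict; use warnings;`, which is why the never-assigned `$sql_port` in the sqlrelay line interpolates silently as an empty string, and `open CONF, "<$conf"` should be the three-argument form with a lexical handle. The exit status of the client is never checked, so a failed DELETE goes unnoticed.
```perl
# … unchanged: admin.conf parsing, back-date computation, $query written to $tmp_filename …
open my $query_in, '<', $tmp_filename or die "open $tmp_filename: $!";
open STDIN, '<&', $query_in or die "redirect STDIN: $!";
my @cmd;
if ($sql_type eq 'mysql') {
    # password travels in a 0600 option file created by tempfile, not in argv
    my ($pw_fh, $pw_file) = tempfile(UNLINK => 1);
    print {$pw_fh} "[client]\npassword=$sql_password\n";
    close $pw_fh or die "close $pw_file: $!";
    @cmd = ($sqlcmd, "--defaults-extra-file=$pw_file", "-h$sql_server", "-u$sql_username", $sql_database);
}
elsif ($sql_type eq 'pg') {
    @cmd = ($sqlcmd, '-U', $sql_username, '-f', $tmp_filename, $sql_database);
}
# sqlrelay branch: same shape, one list element per positional argument
system(@cmd) == 0 or die "$sqlcmd failed: $?\n";
```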
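--- a/scripts/alcasar-monthly_tot_stats
+++ b/scripts/alcasar-monthly_tot_stats
@@ -0,0 +1,64 @@
+#!/usr/bin/perl
+use POSIX;
+use File::Temp qw(tempfile tempdir);
+
+# Log in the mtotacct table aggregated accounting information for
+# each user spaning in one month period.
+# If the current month has not ended it will log information up to
+# the current month day
+# Works only with mysql and postgresql
+#
+
+$conf=shift||'/etc/freeradius-web/admin.conf';
+
+
+open CONF, "<$conf"
+or die "Could not open configuration file\n";
+while(<CONF>){
+chomp;
+($key,$val)=(split /:\s*/,$_);
+$sql_type = $val if ($key eq 'sql_type');
+$sql_server = $val if ($key eq 'sql_server');
+$sql_username = $val if ($key eq 'sql_username');
+$sql_password = $val if ($key eq 'sql_password');
+$sql_database = $val if ($key eq 'sql_database');
+$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
+$sqlcmd = $val if ($key eq 'sql_command');
+}
+close CONF;
+
+die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
+die "sql command '$sqlcmd' not found or does not seem to be executable\n" if (! -x $sqlcmd);
+
+if ($sql_type eq 'mysql'){
+$sql_password = (!$sql_password) ? '' : "-p$sql_password";
+}
+$sql_password =~ s/(\W)/\\$1/g;
+
+($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
+if ($mday == 1){
+$mon--;
+}
+$date_start = POSIX::strftime("%Y-%m-%d",0,0,0,1,$mon,$year,$wday,$yday,$isdst);
+$date_end = POSIX::strftime("%Y-%m-%d",0,0,0,$mday,$mon,$year,$wday,$yday,$isdst);
+
+$query1 = "DELETE FROM mtotacct WHERE AcctDate = '$date_start';";
+$query2 = "INSERT INTO mtotacct (UserName,AcctDate,ConnNum,ConnTotDuration,
+ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
+SELECT UserName,'$date_start',SUM(ConnNum),SUM(ConnTotDuration),
+MAX(ConnMaxDuration),MIN(ConnMinDuration),SUM(InputOctets),
+SUM(OutputOctets),NASIPAddress FROM totacct
+WHERE AcctDate >= '$date_start' AND
+AcctDate <= '$date_end' GROUP BY UserName,NASIPAddress;";
+print "$query1\n";
+print "$query2\n";
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+print $fh $query1;
+print $fh $query2;
+close $fh;
+$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
+$command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
+`$command`;
Property changes:
Added: svn:executable
+*
\ No newline at end of property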
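Review bot: When the script runs on the first of the month, `$mon--` moves `$date_start` to the first of the previous month but `$date_end` is still built from `$mday`, which is 1, so start and end are the same day and the INSERT ... SELECT aggregates a single day of the previous month rather than the whole of it, which the header comment ("spaning in one month period") suggests is the intent; building the end date as `POSIX::strftime("%Y-%m-%d",0,0,0,0,$mon+1,$year,$wday,$yday,$isdst)` in that branch gives the last day of the previous month, since strftime normalises day 0 the same way the `$mday - 1` arithmetic elsewhere in these scripts relies on — confirm against what the DELETE expects in AcctDate. The oracle line `$command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server"` uses `$pass`, `$tmpfile` and `$server`, none of which is assigned anywhere in the file, so without `use strict` it silently builds a command with empty fields; the same line appears in alcasar-tot_stats and alcasar-truncate_radacct. The header comment says "Works only with mysql and postgresql" while oracle and sqlrelay branches exist; either drop the branches or update the comment.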
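--- a/scripts/alcasar-tot_stats
+++ b/scripts/alcasar-tot_stats
@@ -0,0 +1,61 @@
+#!/usr/bin/perl
+use POSIX;
+use File::Temp qw(tempfile tempdir);
+
+# Log in the totacct table aggregated daily accounting information for
+# each user.
+# We keep a row per user for each day.
+# Works with mysql and postgresql
+#
+
+$conf=shift||'/etc/freeradius-web/admin.conf';
+
+
+open CONF, "<$conf"
+or die "Could not open configuration file\n";
+while(<CONF>){
+chomp;
+($key,$val)=(split /:\s*/,$_);
+$sql_type = $val if ($key eq 'sql_type');
+$sql_server = $val if ($key eq 'sql_server');
+$sql_username = $val if ($key eq 'sql_username');
+$sql_password = $val if ($key eq 'sql_password');
+$sql_database = $val if ($key eq 'sql_database');
+$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
+$sqlcmd = $val if ($key eq 'sql_command');
+}
+close CONF;
+
+die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
+die "sql command '$sqlcmd' not found or does not seem to be executable\n" if (! -x $sqlcmd);
+
+if ($sql_type eq 'mysql'){
+$sql_password = (!$sql_password) ? '' : "-p$sql_password";
+}
+$sql_password =~ s/(\W)/\\$1/g;
+
+($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
+$date_start = POSIX::strftime("%Y-%m-%d %T",0,0,0,($mday - 1),$mon,$year,$wday,$yday,$isdst);
+$date_small_start = POSIX::strftime("%Y-%m-%d",0,0,0,($mday - 1),$mon,$year,$wday,$yday,$isdst);
+$date_end = POSIX::strftime("%Y-%m-%d %T",0,0,0,$mday,$mon,$year,$wday,$yday,$isdst);
+
+$query1 = "DELETE FROM totacct WHERE AcctDate = '$date_start';";
+$query2 = "INSERT INTO totacct (UserName,AcctDate,ConnNum,ConnTotDuration,
+ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
+SELECT UserName,'$date_small_start',COUNT(*),SUM(AcctSessionTime),
+MAX(AcctSessionTime),MIN(AcctSessionTime),SUM(AcctInputOctets),
+SUM(AcctOutputOctets),NASIPAddress FROM radacct
+WHERE AcctStopTime >= '$date_start' AND
+AcctStopTime < '$date_end' GROUP BY UserName,NASIPAddress;";
+print "$query1\n";
+print "$query2\n";
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+print $fh $query1;
+print $fh $query2;
+close $fh;
+$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
+$command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
+`$command`;
Property changes:
Added: svn:executable
+*
\ No newline at end of property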
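Review bot: The DELETE compares AcctDate with `$date_start` (formatted `%Y-%m-%d %T`) while the INSERT stores `$date_small_start` (formatted `%Y-%m-%d`) in that column, so the two statements name the same row with different literals; if AcctDate is a DATE column the database may coerce the timestamp string, but if it is not, the DELETE silently matches nothing and a second run on the same day may insert a duplicate row. Using the date-only value in the DELETE as well, `$query1 = "DELETE FROM totacct WHERE AcctDate = '$date_small_start';";`, makes the pair consistent regardless of column type. A short comment above the three strftime calls explaining why the window is [yesterday 00:00, today 00:00) and why the stored AcctDate is the date-only form would also help the next reader.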
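--- a/scripts/alcasar-truncate_radacct
+++ b/scripts/alcasar-truncate_radacct
@@ -0,0 +1,55 @@
+#!/usr/bin/perl
+#
+# Delete sessions from the radacct table which are older than $back_days
+# Works with mysql and postgresql
+#
+use POSIX;
+use File::Temp qw(tempfile tempdir);
+
+$conf=shift||'/etc/freeradius-web/admin.conf';
+$back_days = 365;
+
+
+open CONF, "<$conf"
+or die "Could not open configuration file\n";
+while(<CONF>){
+chomp;
+($key,$val)=(split /:\s*/,$_);
+$sql_type = $val if ($key eq 'sql_type');
+$sql_server = $val if ($key eq 'sql_server');
+$sql_username = $val if ($key eq 'sql_username');
+$sql_password = $val if ($key eq 'sql_password');
+$sql_database = $val if ($key eq 'sql_database');
+$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
+$sqlcmd = $val if ($key eq 'sql_command');
+}
+close CONF;
+
+die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
+die "sql command '$sqlcmd' not found or does not seem to be executable\n" if (! -x $sqlcmd);
+
+if ($sql_type eq 'mysql'){
+$sql_password = (!$sql_password) ? '' : "-p$sql_password";
+}
+$sql_password =~ s/(\W)/\\$1/g;
+
+($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
+$date = POSIX::strftime("%Y-%m-%d %T",$sec,$min,$hour,($mday - $back_days),$mon,$year,$wday,$yday,$isdst);
+print "$date\n";
+if (POSIX::strftime("%Y-%m-%d %T",localtime) eq $date){
+die "Could not set correct back date.\n";
+}
+$query = "";
+$query = "LOCK TABLES $sql_accounting_table WRITE;" if ($sql_type eq 'mysql');
+$query .= "DELETE FROM $sql_accounting_table WHERE AcctStopTime < '$date' AND AcctStopTime IS NOT NULL ;";
+$query .= "UNLOCK TABLES;" if ($sql_type eq 'mysql');
+print "$query\n";
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+print $fh $query;
+close $fh;
+$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
+$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
+$command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
+`$command`;
Property changes:
Added: svn:executable
+*
\ No newline at end of property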