/alcasar.sh |
753,6 → 753,42 |
EOF |
# Launch after coova |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service |
# Error page management |
FIC_ERROR_DOC=`find /etc/httpd/conf -type f -name multilang-errordoc.conf` |
[ -e $FIC_ERROR_DOC ] || cp $FIC_ERROR_DOC $FIC_ERROR_DOC.default |
cat <<EOF > $FIC_ERROR_DOC |
Alias /error/ "/var/www/html/" |
<Directory "/usr/share/httpd/error"> |
AllowOverride None |
Options IncludesNoExec |
AddOutputFilter Includes html |
AddHandler type-map var |
Require all granted |
LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr |
ForceLanguagePriority Prefer Fallback |
</Directory> |
ErrorDocument 400 /error/error.php?error=400 |
ErrorDocument 401 /error/error.php?error=401 |
ErrorDocument 403 /error/error.php?error=403 |
ErrorDocument 404 /error/error.php?error=404 |
ErrorDocument 405 /error/error.php?error=405 |
ErrorDocument 408 /error/error.php?error=408 |
ErrorDocument 410 /error/error.php?error=410 |
ErrorDocument 411 /error/error.php?error=411 |
ErrorDocument 412 /error/error.php?error=412 |
ErrorDocument 413 /error/error.php?error=413 |
ErrorDocument 414 /error/error.php?error=414 |
ErrorDocument 415 /error/error.php?error=415 |
ErrorDocument 500 /error/error.php?error=500 |
ErrorDocument 501 /error/error.php?error=501 |
ErrorDocument 502 /error/error.php?error=502 |
ErrorDocument 503 /error/error.php?error=503 |
ErrorDocument 506 /error/error.php?error=506 |
EOF |
} # End of ACC () |
########################################################################################## |
765,9 → 801,32 |
$DIR_DEST_BIN/alcasar-CA.sh |
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf` |
[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default |
$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL |
$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL |
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL |
#$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL |
#$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL |
#$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL |
cat <<EOF > $FIC_VIRTUAL_SSL |
# default SSL virtual host, used for all HTTPS requests that do not |
# match a ServerName or ServerAlias in any <VirtualHost> block. |
<VirtualHost _default_:443> |
# general configuration |
ServerAdmin root@localhost |
ServerName localhost |
# SSL configuration |
SSLEngine on |
SSLCertificateFile /etc/pki/tls/certs/alcasar.crt |
SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key |
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt |
CustomLog logs/ssl_request_log \ |
"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b" |
ErrorLog logs/ssl_error_log |
ErrorLogFormat "[%t] [%m:%l] [client %a] %M" |
</VirtualHost> |
EOF |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
} # End of CA () |
1321,7 → 1380,7 |
systemctl start nfsen |
/bin/nfsen -m live -e 62d 2>/dev/null |
# add SURFmap plugin |
tar xzf $DIR_CONF/nfsen/SURFmap_v3.3b1.tar.gz -C /tmp/ |
tar xzf $DIR_CONF/nfsen/SURFmap_v3.3.tar.gz -C /tmp/ |
cd /tmp/SURFmap |
/usr/bin/sh install.sh |
# clear the installation |
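Review bot: In the 753 hunk the backup guard `[ -e $FIC_ERROR_DOC ] || cp $FIC_ERROR_DOC $FIC_ERROR_DOC.default` tests the file that find has just located, so the copy is skipped exactly when there is something to save and the original multilang-errordoc.conf is overwritten by the heredoc with no .default copy; the 765 hunk does this correctly for vhosts-ssl.default, so the line should read `[ -e "$FIC_ERROR_DOC.default" ] || cp -- "$FIC_ERROR_DOC" "$FIC_ERROR_DOC.default"`. The generated file also pairs `Alias /error/ "/var/www/html/"` with a `<Directory "/usr/share/httpd/error">` block, so the `Require all granted` and `IncludesNoExec` settings do not govern the aliased path and the whole document root becomes reachable a second time under /error/; pointing the Alias at a dedicated error directory and naming that same directory in the Directory block keeps the access rules and the served files aligned. Both find assignments (`FIC_ERROR_DOC`, `FIC_VIRTUAL_SSL`) should be quoted, and the `*default_ssl_vhost.conf` pattern quoted so the shell cannot expand it against the current directory before find sees it. The ACC and CA functions both begin before their hunks.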
/conf/fail2ban.sh |
38,6 → 38,13 |
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock |
# |
socket = /var/run/fail2ban/fail2ban.sock |
# Option: pidfile |
# Notes.: Set the PID file. This is used to store the process ID of the |
# fail2ban server. |
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid |
# |
pidfile = /var/run/fail2ban/fail2ban.pid |
EOF |
######################################################### |
86,12 → 93,22 |
# auto: will choose Gamin if available and polling otherwise. |
backend = auto |
# "usedns" specifies if jails should trust hostnames in logs, |
# warn when DNS lookups are performed, or ignore all hostnames in logs |
# |
# yes: if a hostname is encountered, a DNS lookup will be performed. |
# warn: if a hostname is encountered, a DNS lookup will be performed, |
# but it will be logged as a warning. |
# no: if a hostname is encountered, will not be used for banning, |
# but it will be logged as info. |
usedns = warn |
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes) |
[alcasar_mod-evasive] |
enabled = true |
#enabled = false |
filter = mod-evasive |
#enabled = true |
enabled = false |
filter = alcasar_mod-evasive |
action = iptables-allports[name=alcasar_mod-evasive] |
logpath = /var/log/httpd/error_log |
maxretry = 2 |
111,9 → 128,9 |
enabled = true |
#enabled = false |
filter = htdigest |
filter = alcasar_htdigest |
action = iptables-allports[name=alcasar_htdigest] |
logpath = /var/log/httpd/ssl_error_log |
logpath = /var/log/httpd/ssl_request_log |
maxretry = 5 |
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager |
121,7 → 138,7 |
enabled = true |
#enabled = false |
filter = intercept |
filter = alcasar_intercept |
action = iptables-allports[name=alcasar_intercept] |
logpath = /var/log/httpd/ssl_request_log |
maxretry = 5 |
128,14 → 145,15 |
# Bannissement sur tout les port après 5 échecs de changement de mot de passe |
# 5 POST pour changer le mot de passe que le POST soit ok ou non. |
[alcasar_change-password] |
[alcasar_change-pwd] |
enabled = true |
#enabled = false |
filter = mot_de_passe |
action = iptables-allports[name=alcasar_change-password] |
filter = alcasar_change-pwd |
action = iptables-allports[name=alcasar_change-pwd] |
logpath = /var/log/httpd/ssl_request_log |
maxretry = 5 |
EOF |
################################################## |
191,8 → 209,11 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = [[]error[]] [[]client <HOST>[]] Digest: |
#failregex = [[]error[]] [[]client <HOST>[]] Digest: |
failregex = [[]<HOST>[]] "GET /acc HTTP/1.1" 972 |
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]] |
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
# Values: TEXT |
218,7 → 239,8 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject |
#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject |
failregex = [[]<HOST>[]] ["]GET \/intercept\.php\?res=failed[&]reason=reject |
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
230,7 → 252,7 |
####################### |
## MOT_DE_PASSE.CONF ## |
####################### |
cat << EOF > $DIR_FILTER/alcasar_change-password.conf |
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf |
# Fail2Ban configuration file |
# |
246,8 → 268,10 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP |
#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP |
failregex = [[]<HOST>[]] ["]POST /pass/index.php HTTP/1.1" 11169 |
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
# Values: TEXT |
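Review bot: The new htdigest failregex in the 191 hunk, `failregex = [[]<HOST>[]] "GET /acc HTTP/1.1" 972`, no longer keys on an authentication-failure marker (the replaced line matched `Digest:` in the error log) but on an exact response size in ssl_request_log, presumably the byte count of the 401 page; any change to that page (translation, template, a different HTTP version in the request line) silently stops the jail from banning, with nothing logged to notice. The same applies to `"POST /pass/index.php HTTP/1.1" 11169` in the 246 hunk, where the unescaped `.` also matches any character. A comment above each such line stating what the number is and that it must be re-measured after edits, e.g. `# 972 = size of the 401 response to /acc; re-check with fail2ban-regex after changing the page`, would at least make the dependency visible. In the 86 hunk the mod-evasive jail appears to move to `enabled = false` while the French comment above it still describes a two-refusal ban, so the comment should say the jail is disabled or be dropped.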
/web/acc/manager/htdocs/security.php |
12,42 → 12,78 |
<link rel="stylesheet" href="/css/style.css" type="text/css"> |
</HEAD> |
<body> |
<TABLE width="100%" border="0" cellspacing="0" cellpadding="0"> |
<tr><th><?php echo "$l_spoofing";?></th></tr> |
<?php |
$table = 1; |
if(isset($_GET['table'])){ |
$table = $_GET['table']; |
} |
?> |
<?php |
echo' |
<br /> |
<table width="100%" style="text-align: center;"> |
<tr> |
<td width="33%"><a href="./security.php?table=1">'.$l_spoofing.'</a></td> |
<td width="33%"><a href="./security.php?table=2">'.$l_virus.'</a></td> |
<td width="33%"><a href="./security.php?table=3">'.$l_fail2ban.'</a></td> |
</tr> |
</table> |
<br />'; |
?> |
<?php |
if ( $table == 1){ |
echo ' <TABLE width="100%" border="0" cellspacing="0" cellpadding="0"> |
<tr><th>'; |
echo "$l_spoofing"; |
echo '</th></tr> |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" |
height="2"></td></tr> |
<TABLE width="100%" border=0 cellspacing=0 cellpadding=1> |
<tr bgcolor="#666666"><td> |
<DIV style="width:100%;height:100%;overflow-x:hidden;overflow-y:scroll;"> |
<TABLE width="100%" border=0 cellspacing=0 cellpadding=2> |
<tr><td valign="middle" align="left">'; |
$fichier='/var/Save/logs/security/watchdog.log'; |
$pointeur=fopen($fichier,"r"); |
if ($pointeur){ |
while (!feof($pointeur)){ |
$ligne=fgets($pointeur); |
echo "$ligne</br>"; |
} |
} |
fclose($pointeur); |
echo ' </td></tr> |
</TABLE> |
</DIV> |
</TABLE> |
</TABLE>'; |
} elseif ($table == 2){ |
echo '<TABLE width="100%" border="0" cellspacing="0" cellpadding="0"> |
<tr><th>'; |
echo "$l_virus"; |
echo '</th></tr> |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" |
height="2"></td></tr> |
<TABLE width="100%" border=0 cellspacing=0 cellpadding=1> |
<tr bgcolor="#666666"><td> |
<DIV style="width:100%;height:150px;overflow-x:hidden;overflow-y:scroll;"> |
<DIV style="width:100%;height:100%;overflow-x:hidden;overflow-y:scroll;"> |
<TABLE width="100%" border=0 cellspacing=0 cellpadding=2> |
<tr><td valign="middle" align="left"> |
<?php |
$fichier='/var/Save/logs/security/watchdog.log'; |
$pointeur=fopen($fichier,"r"); |
if ($pointeur){ |
while (!feof($pointeur)){ |
$ligne=fgets($pointeur); |
echo "$ligne</br>"; |
} |
} |
fclose($pointeur); |
?> |
</td></tr> |
</TABLE> |
</DIV> |
</TABLE> |
</TABLE> |
</br> |
<TABLE width="100%" border="0" cellspacing="0" cellpadding="0"> |
<tr><th><?php echo "$l_virus";?></th></tr> |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" |
height="2"></td></tr> |
<TABLE width="100%" border=0 cellspacing=0 cellpadding=1> |
<tr bgcolor="#666666"><td> |
<DIV style="width:100%;height:150px;overflow-x:hidden;overflow-y:scroll;"> |
<TABLE width="100%" border=0 cellspacing=0 cellpadding=2> |
<tr><td valign="middle" align="left"> |
<?php |
<tr><td valign="middle" align="left">'; |
$fichier='/var/log/havp/access.log'; |
$pointeur=fopen($fichier,"r"); |
if ($pointeur){ |
57,23 → 93,24 |
} |
} |
fclose($pointeur); |
?> |
</td></tr> |
echo ' </td></tr> |
</TABLE> |
</DIV> |
</TABLE> |
</TABLE> |
</br> |
<TABLE width="100%" border="0" cellspacing="0" cellpadding="0"> |
<tr><th><?php echo "$l_fail2ban";?></th></tr> |
</TABLE>'; |
} elseif ($table == 3){ |
echo '<TABLE width="100%" border="0" cellspacing="0" cellpadding="0"> |
<tr><th>'; |
echo "$l_fail2ban"; |
echo '</th></tr> |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" |
height="2"></td></tr> |
<TABLE width="100%" border=0 cellspacing=0 cellpadding=1> |
<tr bgcolor="#666666"><td> |
<DIV style="width:100%;height:150px;overflow-x:hidden;overflow-y:scroll;"> |
<DIV style="width:100%;height:100%;overflow-x:hidden;overflow-y:scroll;"> |
<TABLE width="100%" border=0 cellspacing=0 cellpadding=2> |
<tr><td valign="middle" align="left"> |
<?php |
<tr><td valign="middle" align="left">'; |
$fichier='/var/log/fail2ban.log'; |
$unban="/Unban/"; |
$ban="/Ban/"; |
82,19 → 119,23 |
while (!feof($pointeur)){ |
$ligne=fgets($pointeur); |
if(preg_match($ban,$ligne,$r)){ |
echo "$ligne</br>"; |
echo "<font color='red'>$ligne</font></br>"; |
} |
if(preg_match($unban,$ligne,$r)){ |
echo " ---> $ligne</br>"; |
echo "<font color='orange'>$ligne</font></br>"; |
} |
} |
fclose($pointeur); |
} |
?> |
</td></tr> |
} |
echo ' </td></tr> |
</TABLE> |
</DIV> |
</TABLE> |
</TABLE> |
</TABLE>'; |
} else { |
echo 'Do not exist'; |
} |
?> |
</body> |
</HTML> |
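Review bot: Every log line is echoed into the page unencoded — `echo "$ligne</br>";` in the spoofing and virus tables and `echo "<font color='red'>$ligne</font></br>";` / `echo "<font color='orange'>$ligne</font></br>";` in the fail2ban table — and watchdog.log, havp access.log and fail2ban.log typically carry externally influenced strings (request lines, hostnames, user names), so markup inside a logged entry would be rendered in the administrator's browser. Each echo should encode the line first, e.g. `echo htmlspecialchars($ligne, ENT_QUOTES, 'UTF-8') . '<br />';`. `fclose($pointeur);` sits after the `if ($pointeur)` block in every branch, so a failed fopen is followed by fclose(false) and a warning; move it inside the block. `$table` from `$_GET` is only compared against 1, 2 and 3 and falls through to the else branch otherwise, which is fine, though `(int)$_GET['table']` would make that explicit. The 12 and 57 hunks cut through the table blocks, so the middle of the virus-table loop is outside view.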
/web/css/style_intercept.css |
39,7 → 39,7 |
background-color: #666666; |
} |
INPUT, #contenu_acces, #logon, #auth_reussi { |
INPUT, #contenu_acces, #contenu_error, #logon, #auth_reussi { |
background-color: #ffffff; |
} |
239,6 → 239,27 |
-webkit-box-shadow: 1px 1px 10px #000; |
box-shadow: 1px 1px 10px #000; |
} |
#contenu_error { |
position: relative; |
width: 640px; |
height: auto; |
top: -20px; |
padding-top: 40px; |
padding-bottom: 40px; |
padding-left: 40px; |
padding-right: 40px; |
margin-left: auto; |
margin-right: auto; |
z-index: 1; |
/* ombrage CSS3 */ |
-moz-box-shadow: 1px 1px 10px #000; |
-webkit-box-shadow: 1px 1px 10px #000; |
box-shadow: 1px 1px 10px #000; |
} |
#logo_acces IMG, #box_refuse IMG { |
width: 95px; |
height: 95px; |
273,6 → 294,11 |
bottom: -150px; |
font-family: "courier new"; |
} |
#contenu_error SPAN { |
position: relative; |
bottom: -150px; |
font-family: "courier new"; |
} |
#box_refuse { |
font-size: 16px; |
margin-left: 130px; |
296,7 → 322,7 |
height: 70px; |
top: -25px; |
} |
.box_menu, #logon , #contenu_acces, #acces_controle, #cadre_titre, #box_info{ |
.box_menu, #logon , #contenu_acces, #contenu_error, #acces_controle, #cadre_titre, #box_info{ |
/* Arrondi CSS3 Firefox*/ |
-moz-border-radius: 10px; |
/* Arrondi CSS3 Autres Nav*/ |
430,4 → 456,4 |
margin-right : 10px; |
display: block; |
float: left; |
} |
} |
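Review bot: The new `#contenu_error` block in the 239 hunk and the `#contenu_error SPAN` rule in the 273 hunk appear to repeat the declarations of the block that precedes each of them — the context shows the same three box-shadow lines closing the previous rule and the same `bottom: -150px; font-family: "courier new";` SPAN rule — so the two elements will drift apart on the next edit. The commit already groups selectors for shared properties (`INPUT, #contenu_acces, #contenu_error, …` and the border-radius list), and the same grouping could be used here if the preceding block is `#contenu_acces`, which starts outside the hunk. The 430 hunk changes only the closing brace line, which looks like a whitespace-only change.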