/alcasar.sh |
1,14 → 1,14 |
#!/bin/bash |
# $Id$ |
# $Id$ |
# alcasar.sh |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] |
# Ce programme est un logiciel libre ; This software is free and open source |
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. |
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; |
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. |
# Voir la Licence Publique Générale GNU pour plus de détails. |
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. |
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; |
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. |
# Voir la Licence Publique Générale GNU pour plus de détails. |
# team@alcasar.net |
18,7 → 18,7 |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau) |
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants : |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
# Options : |
39,7 → 39,7 |
# antivirus : HAVP + libclamav configuration |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
# ulogd : log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Nfsen Netflow grapher |
# nfsen : Configuration of Nfsen Netflow grapher |
# dnsmasq : Name server configuration |
# vnstat : little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter) |
55,7 → 55,7 |
Lang=`echo $LANG|cut -c 1-2` |
mode="install" |
# ******* Files parameters - paramètres fichiers ********* |
DIR_INSTALL=`pwd` # current directory |
DIR_INSTALL=`pwd` # current directory |
DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files) |
DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files) |
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files) |
135,17 → 135,17 |
for i in $* |
do |
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ] |
then |
then |
DISTRIBUTION=`echo $i|cut -d"=" -f2` |
unknown_os=`expr $unknown_os + 1` |
fi |
if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ] |
then |
then |
CURRENT_VERSION=`echo $i|cut -d"=" -f2` |
unknown_os=`expr $unknown_os + 1` |
fi |
if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ] |
then |
then |
ARCH=`echo $i|cut -d"=" -f2` |
unknown_os=`expr $unknown_os + 1` |
fi |
177,7 → 177,7 |
fi |
read response |
done |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
then |
rm -f /tmp/alcasar-conf* |
else |
195,7 → 195,7 |
then |
echo |
if [ $Lang == "fr" ] |
then |
then |
echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée." |
echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC" |
echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)" |
208,7 → 208,7 |
fi |
else |
if [ $Lang == "fr" ] |
then |
then |
echo "L'installation d'ALCASAR ne peut pas être réalisée." |
else |
echo "The installation of ALCASAR can't be performed." |
216,7 → 216,7 |
fi |
echo |
if [ $Lang == "fr" ] |
then |
then |
echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)" |
else |
echo "The OS must be replaced (Mageia6-64bits)" |
245,11 → 245,11 |
IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1` |
for i in $IF_INTERFACES |
do |
IP_INTERFACE=`/usr/sbin/ip link|grep $i` |
IP_INTERFACE=`/usr/sbin/ip link|grep $i` |
if [ -z "$IP_INTERFACE" ] |
then |
rm -f ifcfg-$i |
if [ $Lang == "fr" ] |
then echo "Suppression : ifcfg-$i" |
else echo "Deleting : ifcfg-$i" |
258,13 → 258,13 |
done |
cd $DIR_INSTALL |
echo -n "." |
# Test Ethernet NIC links state |
# Test Ethernet NIC links state |
DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"` |
for i in $DOWN_IF |
do |
echo $i |
if [ $Lang == "fr" ] |
then |
then |
echo "Échec" |
echo "Le lien réseau de la carte $i n'est pas actif." |
echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)" |
283,7 → 283,7 |
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ] |
then |
if [ $Lang == "fr" ] |
then |
then |
echo "Échec" |
echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée." |
echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :" |
307,7 → 307,7 |
# Test if default GW is set on EXTIF (router or ISP provider equipment) |
if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then |
if [ $Lang == "fr" ] |
then |
then |
echo "Échec" |
echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte." |
echo "Réglez ce problème puis relancez ce script." |
322,9 → 322,9 |
# Test if default GW is alive |
arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2` |
if [ $(expr $arp_reply) -eq 0 ] |
then |
then |
if [ $Lang == "fr" ] |
then |
then |
echo "Échec" |
echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas." |
echo "Réglez ce problème puis relancez ce script." |
342,7 → 342,7 |
if [ ! -e /tmp/con_ok.html ] |
then |
if [ $Lang == "fr" ] |
then |
then |
echo "La tentative de connexion vers Internet a échoué (google.fr)." |
echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI." |
echo "Vérifiez la validité des adresses IP des DNS." |
371,9 → 371,9 |
ORGANISME=! |
PTN='^[a-zA-Z0-9-]*$' |
until [[ $(expr $ORGANISME : $PTN) -gt 0 ]] |
do |
do |
if [ $Lang == "fr" ] |
then echo -n "Entrez le nom de votre organisme : " |
then echo -n "Entrez le nom de votre organisme : " |
else echo -n "Enter the name of your organism : " |
fi |
read ORGANISME |
388,17 → 388,17 |
rm -f $PASSWD_FILE |
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE |
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` |
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \ |
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \ |
grep -v '[eE]nter password:' | \ |
sed -e "s/PBKDF2 hash of your password is //"` |
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg |
[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default |
cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry) |
chmod 0600 /boot/grub2/user.cfg |
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \ |
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \ |
grep -v '[eE]nter password:' | \ |
sed -e "s/PBKDF2 hash of your password is //"` |
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg |
[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default |
cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry) |
chmod 0600 /boot/grub2/user.cfg |
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE |
echo "GRUB2_user=root" >> $PASSWD_FILE |
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE |
echo "GRUB2_user=root" >> $PASSWD_FILE |
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE |
echo "db_root=$mysqlpwd" >> $PASSWD_FILE |
475,10 → 475,10 |
read PRIVATE_IP_MASK |
done |
else |
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
fi |
else |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2` |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2` |
rm -rf conf/etc/alcasar.conf |
fi |
# Define LAN side global parameters |
490,9 → 490,9 |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side) |
if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address |
then |
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` |
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` |
PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX` |
fi |
fi |
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address |
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2) |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24 |
526,7 → 526,7 |
SUB=`echo ${i:0:2}` |
if [ $SUB = "wl" ] |
then WIFIF=$i |
elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ] |
elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ] |
then LANIF=$i |
fi |
done |
536,8 → 536,8 |
elif [ -n "$LANIF" ] |
then echo "LANIF=$LANIF" >> $CONF_FILE |
fi |
######################################################################################################### |
######################################################################################################### |
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # IP setting (static or dynamic) |
if [ $IP_SETTING == "dhcp" ] |
then |
590,7 → 590,7 |
USERCTL=no |
MTU=$MTU |
EOF |
else |
else |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
DEVICE=$EXTIF |
BOOTPROTO=static |
666,7 → 666,7 |
USERCTL=no |
EOF |
fi |
######################################################################################################### |
######################################################################################################### |
# Renseignement des fichiers hosts.allow et hosts.deny |
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default |
cat <<EOF > /etc/hosts.allow |
691,7 → 691,7 |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
# |
# |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
} # End of network () |
819,7 → 819,7 |
do |
header_install |
if [ $Lang == "fr" ] |
then |
then |
echo "" |
echo "Définissez un premier compte d'administration d'ALCASAR :" |
echo |
869,7 → 869,7 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_all |
884,7 → 884,7 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_admin |
899,7 → 899,7 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_manager |
914,7 → 914,7 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_backup |
930,7 → 930,7 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
AuthUserFile $DIR_DEST_ETC/digest/key_backup |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/ |
1050,7 → 1050,7 |
$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';" |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;" |
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
# Create 'radius' database |
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;" |
# Add an empty radius database structure |
1088,24 → 1088,24 |
ipaddr = 127.0.0.1 |
secret = $secretradius |
shortname = chilli |
nas_type = other |
nas_type = other |
} |
EOF |
# Set Virtual server (remvove all except "alcasar virtual site") |
rm -f /etc/raddb/sites-enabled/* |
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar |
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar |
chown radius:apache /etc/raddb/sites-available/alcasar |
chmod 660 /etc/raddb/sites-available/alcasar |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar |
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled) |
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled) |
# Set modules |
# Set modules |
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC) |
rm -rf /etc/raddb/mods-enabled/* |
for mods in sql sqlcounter attr_filter expiration logintime pap expr |
do |
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods |
done |
rm -rf /etc/raddb/mods-enabled/* |
for mods in sql sqlcounter attr_filter expiration logintime pap expr |
do |
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods |
done |
# Configure SQL mod |
[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default |
$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql |
1115,7 → 1115,7 |
$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql |
$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql |
$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql |
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc. |
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc. |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default |
cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf |
chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf |
1152,7 → 1152,7 |
/usr/bin/systemctl daemon-reload |
# Allow apache to change some conf files (ie : ldap on/off) |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
} # End freeradius () |
############################################################################# |
1195,10 → 1195,10 |
# description: CoovaChilli |
### BEGIN INIT INFO |
# Provides: chilli |
# Required-Start: network |
# Should-Start: |
# Required-Start: network |
# Should-Start: |
# Required-Stop: network |
# Should-Stop: |
# Should-Stop: |
# Default-Start: 2 3 5 |
# Default-Stop: |
# Description: CoovaChilli access controller |
1217,7 → 1217,7 |
prog="chilli" |
case \$1 in |
start) |
if [ -f \$pidfile ] ; then |
if [ -f \$pidfile ] ; then |
gprintf "chilli is already running" |
else |
gprintf "Starting \$prog: " |
1226,9 → 1226,9 |
/usr/sbin/modprobe tun >/dev/null 2>&1 |
echo 1 > /proc/sys/net/ipv4/ip_forward |
[ -e /dev/net/tun ] || { |
(cd /dev; |
mkdir net; |
cd net; |
(cd /dev; |
mkdir net; |
cd net; |
mknod tun c 10 200) |
} |
ifconfig $INTIF 0.0.0.0 |
1254,13 → 1254,13 |
;; |
stop) |
if [ -f \$pidfile ] ; then |
if [ -f \$pidfile ] ; then |
gprintf "Shutting down \$prog: " |
killproc /usr/sbin/chilli |
RETVAL=\$? |
[ \$RETVAL = 0 ] && rm -f \$pidfile |
[ -e \$current_users_file ] && rm -f \$current_users_file |
else |
else |
gprintf "chilli is not running" |
fi |
;; |
1279,7 → 1279,7 |
#DHCP Options : rfc2132 |
#dhcp option value will be convert in hexa. |
#NTP option (or 'option 42') is like : |
# |
# |
# Code Len Address 1 Address 2 |
# +-----+-----+-----+-----+-----+-----+-----+-----+-- |
# | 42 | n | a1 | a2 | a3 | a4 | a1 | a2 | ... |
1346,7 → 1346,7 |
chilli_exist=`grep -c ^chilli: /etc/passwd` |
if [ "$chilli_exist" == "1" ] |
then |
userdel -r chilli 2>/dev/null |
userdel -r chilli 2>/dev/null |
fi |
groupadd -f chilli |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli |
1363,7 → 1363,7 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service |
[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default |
# By default the filter is off |
# By default the filter is off |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf |
# French deny HTML page |
$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf |
1395,7 → 1395,7 |
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf |
# maximum age of a child process before it croaks it |
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf |
# on désactive par défaut le contrôle de téléchargement de fichiers |
[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default |
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf |
1417,14 → 1417,14 |
## Fonction "antivirus" ## |
## - configuration of havp, libclamav and freshclam ## |
################################################################## |
antivirus () |
antivirus () |
{ |
# create 'havp' user |
havp_exist=`grep -c ^havp: /etc/passwd` |
if [ "$havp_exist" == "1" ] |
then |
userdel -r havp 2>/dev/null |
groupdel havp 2>/dev/null |
userdel -r havp 2>/dev/null |
groupdel havp 2>/dev/null |
fi |
groupadd -f havp |
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp |
1471,13 → 1471,13 |
## Fonction "tinyproxy" ## |
## - configuration of tinyproxy (proxy between filterde users and havp) ## |
########################################################################## |
tinyproxy () |
tinyproxy () |
{ |
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd` |
if [ "$tinyproxy_exist" == "1" ] |
then |
userdel -r tinyproxy 2>/dev/null |
groupdel tinyproxy 2>/dev/null |
userdel -r tinyproxy 2>/dev/null |
groupdel tinyproxy 2>/dev/null |
fi |
groupadd -f tinyproxy |
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy |
1596,7 → 1596,7 |
PIDFile=/var/run/nfsen/nfsen.pid |
ExecStartPre=/bin/mkdir -p /var/run/nfsen |
ExecStartPre=/bin/chown apache:apache /var/run/nfsen |
ExecStart=/usr/bin/nfsen start |
ExecStart=/usr/bin/nfsen start |
ExecStop=/usr/bin/nfsen stop |
ExecReload=/usr/bin/nfsen restart |
TimeoutSec=0 |
1605,7 → 1605,7 |
WantedBy=multi-user.target |
EOF |
# Add the listen port to collect netflow packet (nfcapd) |
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm |
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm |
# expire delay for the profile "live" |
/usr/bin/systemctl start nfsen |
/bin/nfsen -m live -e 62d 2>/dev/null |
1643,8 → 1643,8 |
{ |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq |
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on. |
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
cat << EOF > /etc/dnsmasq.conf |
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
cat << EOF > /etc/dnsmasq.conf |
# Configuration file for "dnsmasq in forward mode" |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
listen-address=$PRIVATE_IP |
1712,7 → 1712,7 |
bogus-priv |
filterwin2k |
ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules |
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL) |
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL) |
EOF |
# 4th dnsmasq listen on udp 56 ("blackhole") |
cat << EOF > /etc/dnsmasq-blackhole.conf |
1826,8 → 1826,8 |
EOF |
[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default |
cat <<EOF >> /etc/anacrontab |
7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql |
7 10 cron.logExport nice /etc/cron.d/alcasar-archive |
7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql |
7 10 cron.logExport nice /etc/cron.d/alcasar-archive |
7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import |
EOF |
1841,16 → 1841,16 |
# Archive des logs et de la base de données (tous les lundi à 5h35) |
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now |
EOF |
cat << EOF > /etc/cron.d/alcasar-ticket-clean |
cat <<EOF > /etc/cron.d/alcasar-ticket-clean |
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur |
30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh |
EOF |
cat << EOF > /etc/cron.d/alcasar-distrib-updates |
cat <<EOF > /etc/cron.d/alcasar-distrib-updates |
# mise à jour automatique de la distribution tous les jours 3h30 |
30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1 |
EOF |
cat << EOF > /etc/cron.d/alcasar-connections-stats |
cat <<EOF > /etc/cron.d/alcasar-connections-stats |
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin). |
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct') |
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct') |
1863,7 → 1863,7 |
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1 |
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1 |
EOF |
cat << EOF > /etc/cron.d/alcasar-watchdog |
cat <<EOF > /etc/cron.d/alcasar-watchdog |
# run the "watchdog" every 3' |
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05 |
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1 |
1871,7 → 1871,7 |
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1 |
EOF |
# Enabling the watchdog every 18' |
cat << EOF > /etc/cron.d/alcasar-daemon-watchdog |
cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog |
# activate the daemon-watchdog after boot process |
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1 |
# activate the daemon-watchdog every 18' |
1879,8 → 1879,8 |
EOF |
# Enabling category update from rsync |
cat << EOF > /etc/cron.d/alcasar-rsync-bl |
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). |
cat <<EOF > /etc/cron.d/alcasar-rsync-bl |
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). |
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1 |
EOF |
1959,7 → 1959,7 |
;ResetFrequency = 300 |
;HardResetFrequency = 120 |
CheckSecurity = 1 |
CheckSecurity = 1 |
CheckSignal = 1 |
CheckBattery = 0 |
EOF |
2011,7 → 2011,7 |
/var/log/netflow/porttracker root.apache 770 |
/var/log/netflow/porttracker/* root.apache 660 |
EOF |
# apply now hourly & daily checks |
# apply now hourly & daily checks |
/usr/sbin/msec |
/etc/cron.weekly/msec |
2099,12 → 2099,12 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE |
echo "LDAP=off" >> $CONF_FILE |
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE |
echo "LDAP_BASE=ou=my_lan;dc=server_name;dc=localdoamin" >> $CONF_FILE |
echo "LDAP_UID=sAMAccountName" >> $CONF_FILE |
echo "LDAP_FILTER=" >> $CONF_FILE |
echo "LDAP_USER=alcasar" >> $CONF_FILE |
echo "LDAP_PASSWORD=" >> $CONF_FILE |
echo "MULTIWAN=off" >> $CONF_FILE |
echo "LDAP_BASE=ou=my_lan;dc=server_name;dc=localdoamin" >> $CONF_FILE |
echo "LDAP_UID=sAMAccountName" >> $CONF_FILE |
echo "LDAP_FILTER=" >> $CONF_FILE |
echo "LDAP_USER=alcasar" >> $CONF_FILE |
echo "LDAP_PASSWORD=" >> $CONF_FILE |
echo "MULTIWAN=off" >> $CONF_FILE |
echo "FAILOVER=30" >> $CONF_FILE |
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE |
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE |
2125,7 → 2125,7 |
# actualisation des fichiers logs compressés |
for dir in firewall dansguardian httpd |
do |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \; |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \; |
done |
# create the alcasar-load_balancing unit |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service |
2157,13 → 2157,13 |
do |
/usr/bin/systemctl -q enable $i.service |
done |
# disable processes at boot time (Systemctl) |
for i in ulogd gpm |
do |
/usr/bin/systemctl -q disable $i.service |
done |
# Apply French Security Agency (ANSSI) rules |
# ignore ICMP broadcast (smurf attack) |
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf |
2180,7 → 2180,7 |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf |
# set conntrack timer to 1h (3600s) instead of 5 weeks |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf |
# disable log_martians (ALCASAR is often installed between two private network addresses) |
# disable log_martians (ALCASAR is often installed between two private network addresses) |
echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf |
# disable iptables_helpers |
echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf |
2199,21 → 2199,21 |
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM |
if [ $vm_vga == 0 ] # is not a VM |
if [ $vm_vga == 0 ] # is not a VM |
then |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art |
echo >> /etc/mageia-release |
$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub |
fi |
if [ $Lang == "fr" ] |
then |
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
else |
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
fi |
/usr/bin/update-grub2 |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art |
echo >> /etc/mageia-release |
$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub |
fi |
if [ $Lang == "fr" ] |
then |
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
else |
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
fi |
/usr/bin/update-grub2 |
# Load and apply the previous conf file |
if [ "$mode" = "update" ] |
then |
2222,7 → 2222,7 |
PARENT_SCRIPT=`basename $0` |
export PARENT_SCRIPT # to avoid stop&start process during the installation process |
$DIR_DEST_BIN/alcasar-conf.sh --apply |
$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf |
$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf |
$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE |
$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE |
fi |
2249,7 → 2249,7 |
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain" |
echo |
echo " Appuyez sur 'Entrée' pour continuer" |
else |
else |
echo "# End of ALCASAR install process #" |
echo "# #" |
echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #" |
2321,7 → 2321,7 |
# Uninstall the running version |
$DIR_SCRIPTS/alcasar-uninstall.sh -update |
fi |
# Test if manual update |
# Test if manual update |
if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ] |
then |
header_install |
2338,13 → 2338,13 |
else echo -n "Do you want to use it (Y/n)?"; |
fi |
read response |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
then rm -f /tmp/alcasar-conf* |
fi |
done |
fi |
# Test if update |
if [ -e /tmp/alcasar-conf* ] |
if [ -e /tmp/alcasar-conf* ] |
then |
if [ $Lang == "fr" ] |
then echo "#### Installation avec mise à jour ####"; |
2351,7 → 2351,7 |
else echo "#### Installation with update ####"; |
fi |
# Extract the central configuration file |
tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf |
tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf |
ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2` |
PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2` |
MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1` |
2387,7 → 2387,7 |
if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ] |
then |
$DIR_SCRIPTS/alcasar-conf.sh --create |
else |
else |
rm -f /tmp/alcasar-conf* |
fi |
# Uninstall the running version |
/scripts/alcasar-CA.sh |
5,7 → 5,7 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY |
# This script is distributed under the Gnu General Public License (GPL) |
# |
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> |
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> |
# and Michel Arboi <arboi@alussinan.org> |
# |
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$ |
170,7 → 170,7 |
hostname_len=`echo $hostname| wc -c` |
if [ $hostname_len -gt 36 ]; |
then |
hostname=`echo $hostname | cut -d '.' -f 1` |
hostname=`echo $hostname | cut -d '.' -f 1` |
fi |
CAMAIL=ca@$hostname |
/scripts/alcasar-activity_report.sh |
150,7 → 150,7 |
elif [ $(echo $LINE_HTML | grep 'XXMAJCLAMAVXX' | wc -l) -eq 1 ] |
then |
VALUE=$(date -d @$(rpm -qa --queryformat "%{installtime} %{name}\n" | grep -E "clamav-db" | cut -d' ' -f1 ) "+%Y-%m-%d %H:%M:%S") |
VALUE=$(date -d @$(rpm -qa --queryformat "%{installtime} %{name}\n" | grep -E "clamav-db" | cut -d' ' -f1 ) "+%Y-%m-%d %H:%M:%S") |
echo ${LINE_HTML/XXMAJCLAMAVXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXMAJBLXX' | wc -l) -eq 1 ] |
202,7 → 202,7 |
while read LOG_BL |
do |
if [ $(echo $LOG_BL | grep config | grep $PRIVATE_IP | wc -c) -ge 1 ] |
then |
then |
#find the current blacklisted category |
website_bl=$(echo $LOG_BL | cut -d' ' -f6) |
250,7 → 250,7 |
TS_FILE=$(echo $LINE | cut -d':' -f1) |
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ] |
then |
then |
COUNT_BL_INSTALLATION=$((COUNT_BL_INSTALLATION+1)) |
fi |
272,41 → 272,41 |
cat $MODEL_CHARTJS | while read LINE_JS |
do |
#name of variable |
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ] |
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXCONFXX/$CONF_BL_INSTALLATION} >> $HTML_REPORT |
#chart type |
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT |
#chart title |
elif [ $(echo $LINE_JS | grep 'XXTITLEXX' | wc -l) -eq 1 ] |
then |
then |
echo ${LINE_JS/XXTITLEXX/"Sites bloqués au total"} >> $HTML_REPORT |
#chart data |
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXDATAXX/$VALUE_BL_INSTALLATION_DATA} >> $HTML_REPORT |
#color |
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT |
#labels |
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_INSTALLATION_LABEL} >> $HTML_REPORT |
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ] |
then |
echo "" >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ] |
then |
echo "" >> $HTML_REPORT |
elif [ $(echo $LINE_JS | grep 'XXYLABELXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXYLABELXX' | wc -l) -eq 1 ] |
then |
echo "\"Nombre de site bloqué par la blacklist\"" >> $HTML_REPORT |
else |
339,7 → 339,7 |
TS_FILE=$(echo $LINE | cut -d':' -f1) |
#select only elements between DATE_1 and DATE_2 |
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ] |
then |
then |
echo $LINE >> $TMP_BL_WEEK |
fi |
done |
364,10 → 364,10 |
done |
#get other categories (sum them all) |
if [ $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc) -gt 0 ] |
if [ $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc) -gt 0 ] |
then |
VALUE_BL_DATA="$VALUE_BL_DATA $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)" |
VALUE_BL_LABEL="$VALUE_BL_LABEL 'autre ($(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc))'" |
VALUE_BL_DATA="$VALUE_BL_DATA $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)" |
VALUE_BL_LABEL="$VALUE_BL_LABEL 'autre ($(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc))'" |
fi |
#create chart pie in html file with javascript (chartjs.com) |
381,11 → 381,11 |
cat $MODEL_CHARTJS | while read LINE_JS |
do |
#variable name |
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ] |
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXCONFXX/$CONF_BL} >> $HTML_REPORT |
#chart type |
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXTYPEXX/pie} >> $HTML_REPORT |
#graph title |
393,19 → 393,19 |
then |
echo ${LINE_JS/XXTITLEXX/"Sites bloqués cette semaine"} >> $HTML_REPORT |
#chart data |
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXDATAXX/$VALUE_BL_DATA} >> $HTML_REPORT |
#color |
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT |
#labels |
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_LABEL} >> $HTML_REPORT |
#display legend, only useful for chart pie |
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ] |
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ] |
then |
echo ${LINE_JS/XXLEGENDXX/true} >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
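Review bot: In hunk 364 the "other" sum is recomputed for `VALUE_BL_LABEL` after `VALUE_BL_DATA` has already been extended, so `$(echo $VALUE_BL_DATA | wc -w)` is one larger on the second run and the label prints a different total than the data point it describes. Compute the value once, `other=$(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)`, then `VALUE_BL_DATA="$VALUE_BL_DATA $other"` and `VALUE_BL_LABEL="$VALUE_BL_LABEL 'autre ($other)'"`. The same pipeline in the `if` test yields empty output from `bc` when no categories are left after `tail`, which presumably makes `[ ... -gt 0 ]` error out; guarding with `${other:-0}` would make that path explicit. The changed lines in this section look like indentation-only, so the defect predates the commit but stays on the new side.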
/scripts/alcasar-archive.sh |
---|
5,12 → 5,12 |
# by Franck BOUIJOUX and REXY |
# This script is distributed under the Gnu General Public License (GPL) |
# Script permettant |
# Script permettant |
# - d'exporter dans un seul fichier les logs de traçabilités et la base des usagers (à des fins d'archivages). |
# - Une fonction de chiffrement des logs a été implémentée dans ce script. Lisez la documentation d'exploitation pour l'activer. |
# - nettoyage des archives supérieures à 1 an (365 jours) |
# This script allows |
# This script allows |
# - export in one file the log files and user's base (in order to archive them). |
# - a cypher fonction allows to protect these files. Read the exploitation documentation to enable it. |
# - delete backup files older than one year (365 days) |
21,14 → 21,14 |
#DIR_SERVICE="squid httpd firewall" # répertoires contenant des logs utiles à exporter |
DIR_BASE="$DIR_SAVE/base" # répertoire de sauvegarde de la base de données usagers |
DIR_ARCHIVE="$DIR_SAVE/archive" # répertoire de sauvegarde des archives de log |
NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment |
NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment |
DIR_TMP="/tmp/traceability-$NOW" # Répertoire temporaire d'export |
FILE="traceability-$NOW.tar.gz" # Nom du fichier de l'archive |
EXPIRE_DAY=365 # Nbre de jour avant suppression des fichiers journaux |
CRYPT="0" # chiffrement des logs ( 0=non / 1=oui) --> Si oui alors la signature est automatiquement activée |
# log files encryption ( 0=no / 1=yes) --> if yes, the signature is automaticly enabled |
# log files encryption ( 0=no / 1=yes) --> if yes, the signature is automaticly enabled |
SIGN="0" # Signature/empreinte des logs ( 0=non / 1=oui ) ATTENTION : nécessite la clé privée !!! |
# Signature of log files ( 0=no / 1=yes ) ATTENTION : need the private key !!! |
# Signature of log files ( 0=no / 1=yes ) ATTENTION : need the private key !!! |
GPG_USER="" # utilisateur autorisé à déchiffrer les logs. Sa clé publique doit être connu dans le portefeuille gnupg de root (/root/.gnupg) |
# user allowed to decrypt the log files. Its public key must be known in the root keyring (/root/.gnupg) |
44,9 → 44,9 |
function cleanup() { |
# Nettoyage des fichiers archives |
cd $DIR_SAVE |
find . \( -mtime +$EXPIRE_DAY \) -a \( -name '*.gz' -o -name '*.sql' -o -name '' -o -name 'gpg' \) -exec rm -f {} \; |
# Nettoyage des fichiers archives |
cd $DIR_SAVE |
find . \( -mtime +$EXPIRE_DAY \) -a \( -name '*.gz' -o -name '*.sql' -o -name '' -o -name 'gpg' \) -exec rm -f {} \; |
} # end function cleanup |
56,30 → 56,30 |
} # end function crypt |
function archive() { |
mkdir -p $DIR_ARCHIVE |
mkdir -p $DIR_TMP |
nb_files=`ls $DIR_LOG/firewall/traceability.log*.gz 2>/dev/null | wc -w` |
if [ $nb_files -ne 0 ]; then |
mv $(echo $(ls -rt $DIR_LOG/firewall/traceability.log*.gz | tail -n 1 -)) $DIR_TMP/traceability-HTTP-$NOW.gz |
fi |
nb_files=`ls $DIR_BASE/alcasar-users-database-*.sql.gz 2>/dev/null | wc -w` |
if [ $nb_files -ne 0 ]; then |
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) $DIR_TMP/ |
fi |
cd /var/log/nfsen/profiles-data/live/alcasar_netflow |
nb_files=`find . -mtime -7 -name 'nfcapd.[0-9]*' | wc -l` |
if [ $nb_files -ne 0 ]; then |
find . -mtime -7 -name 'nfcapd.[0-9]*' | xargs tar -cf $DIR_TMP/traceability-ALL-$NOW.tar; |
fi |
cd /tmp/ |
nb_files=`ls traceability-$NOW/* 2>/dev/null | wc -w` |
if [ $nb_files -ne 0 ]; then |
tar cvzf /tmp/$FILE traceability-$NOW/* |
else echo "no file to archive" |
fi |
mkdir -p $DIR_ARCHIVE |
mkdir -p $DIR_TMP |
nb_files=`ls $DIR_LOG/firewall/traceability.log*.gz 2>/dev/null | wc -w` |
if [ $nb_files -ne 0 ]; then |
mv $(echo $(ls -rt $DIR_LOG/firewall/traceability.log*.gz | tail -n 1 -)) $DIR_TMP/traceability-HTTP-$NOW.gz |
fi |
nb_files=`ls $DIR_BASE/alcasar-users-database-*.sql.gz 2>/dev/null | wc -w` |
if [ $nb_files -ne 0 ]; then |
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) $DIR_TMP/ |
fi |
cd /var/log/nfsen/profiles-data/live/alcasar_netflow |
nb_files=`find . -mtime -7 -name 'nfcapd.[0-9]*' | wc -l` |
if [ $nb_files -ne 0 ]; then |
find . -mtime -7 -name 'nfcapd.[0-9]*' | xargs tar -cf $DIR_TMP/traceability-ALL-$NOW.tar; |
fi |
cd /tmp/ |
nb_files=`ls traceability-$NOW/* 2>/dev/null | wc -w` |
if [ $nb_files -ne 0 ]; then |
tar cvzf /tmp/$FILE traceability-$NOW/* |
else echo "no file to archive" |
fi |
} # end archive |
# Core script |
# Core script |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
98,17 → 98,17 |
# Saving of the database |
/usr/local/bin/alcasar-mysql.sh --dump |
# Encryption of the archive |
if [ -e /tmp/$FILE ]; then |
if [ -e /tmp/$FILE ]; then |
if [ $CRYPT -eq "1" ]; then |
{ |
# 1 ) chiffrement/signature =1 ==> gpg --encrypt avec test de la clé présente |
gpg --output $DIR_ARCHIVE/$FILE-crypt.gpg --armor --encrypt --recipient $GPG_USER /tmp/$FILE |
gpg --output $DIR_ARCHIVE/$FILE-crypt.gpg --armor --encrypt --recipient $GPG_USER /tmp/$FILE |
} |
elif [ $SIGN -eq "1" ]; then |
{ |
# 2) signature = 1 Chiffrement = 0 --> gpg --encrypt idem test de la clé présente |
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER /tmp/$FILE |
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER --detach-sign /tmp/$FILE |
# 2) signature = 1 Chiffrement = 0 --> gpg --encrypt idem test de la clé présente |
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER /tmp/$FILE |
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER --detach-sign /tmp/$FILE |
} |
else |
{ |
122,10 → 122,10 |
;; |
--live | -l) |
mkdir -p $DIR_ARCHIVE |
mkdir -p /tmp/live |
mkdir -p /tmp/live |
gap=7 |
cd /var/log/nfsen/profiles-data/live/alcasar_netflow |
find . -mtime -$gap -name 'nfcapd.[0-9]*' | xargs tar -cf /tmp/live/traceability-ALL-$NOW.tar; |
find . -mtime -$gap -name 'nfcapd.[0-9]*' | xargs tar -cf /tmp/live/traceability-ALL-$NOW.tar; |
# Saving of the database |
/usr/local/bin/alcasar-mysql.sh --dump |
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) /tmp/live/ |
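Review bot: In the `elif [ $SIGN -eq "1" ]` branch of hunk 98 both gpg commands write to the same `$DIR_ARCHIVE/$FILE-sign.gpg`, so the `--detach-sign` output overwrites the signed archive produced by the first `--sign` call and only a detached signature, without the archive it signs, is left in `$DIR_ARCHIVE`; `--recipient` is an encryption option and has no effect on a signature. Keep a single command and store the archive alongside it, e.g. `gpg --output "$DIR_ARCHIVE/$FILE.sig" --detach-sign "/tmp/$FILE"` followed by `cp "/tmp/$FILE" "$DIR_ARCHIVE/"`. The lines changed here look like indentation-only, so this predates the commit but remains on the new side. Related, `cleanup()` in hunk 44 matches `-name 'gpg'` rather than `'*.gpg'` (and an empty `-name ''`), so encrypted or signed archives are never removed after `$EXPIRE_DAY` days.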
/scripts/alcasar-bl.sh |
---|
27,8 → 27,8 |
DIR_SHARE="/usr/local/share" |
DIR_DNS_BL="$DIR_SHARE/dnsmasq-bl" # all the BL in the DNSMASQ format |
DIR_DNS_WL="$DIR_SHARE/dnsmasq-wl" # all the WL ' ' ' |
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL |
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL |
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL |
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL |
DIR_DNS_BL_ENABLED="$DIR_SHARE/dnsmasq-bl-enabled" # symbolic link to the domains BL (only enabled categories) |
DIR_DNS_WL_ENABLED="$DIR_SHARE/dnsmasq-wl-enabled" # ' ' ' WL ' ' |
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories) |
61,10 → 61,10 |
$SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG |
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines) |
# process the file $BL_CATEGORIES with the choice of categories |
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED` |
# process the file $BL_CATEGORIES with the choice of categories |
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED` |
do |
$SED "/\/$ENABLE_CATEGORIE$/d" $BL_CATEGORIES |
$SED "/\/$ENABLE_CATEGORIE$/d" $BL_CATEGORIES |
$SED "1i\/etc\/dansguardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $BL_CATEGORIES |
ln -sf $DIR_DNS_BL/$ENABLE_CATEGORIE.conf $DIR_DNS_BL_ENABLED/$ENABLE_CATEGORIE |
ln -sf $DIR_IP_BL/$ENABLE_CATEGORIE $DIR_IP_BL_ENABLED/$ENABLE_CATEGORIE |
78,10 → 78,10 |
chown root:apache $BL_CATEGORIES $BL_CATEGORIES_ENABLED |
chmod 660 $BL_CATEGORIES $BL_CATEGORIES_ENABLED |
# process the file $WL_CATEGORIES with the choice of categories |
for ENABLE_CATEGORIE in `cat $WL_CATEGORIES_ENABLED` |
# process the file $WL_CATEGORIES with the choice of categories |
for ENABLE_CATEGORIE in `cat $WL_CATEGORIES_ENABLED` |
do |
$SED "/\/$ENABLE_CATEGORIE$/d" $WL_CATEGORIES |
$SED "/\/$ENABLE_CATEGORIE$/d" $WL_CATEGORIES |
$SED "1i\/etc\/dansguardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $WL_CATEGORIES |
ln -sf $DIR_DNS_WL/$ENABLE_CATEGORIE.conf $DIR_DNS_WL_ENABLED/$ENABLE_CATEGORIE |
done |
115,7 → 115,7 |
args=$1 |
if [ $nb_args -eq 0 ] |
then |
args="-h" |
args="-h" |
fi |
case $args in |
-\? | -h* | --h*) |
129,7 → 129,7 |
if [ ! -e /tmp/con_ok.html ] |
then |
echo "Erreur : le serveur de blacklist ($BL_SERVER) n'est pas joignable" |
else |
else |
rm -rf /tmp/con_ok.html $DIR_tmp |
mkdir $DIR_tmp |
wget -P $DIR_tmp http://$BL_SERVER/blacklists/download/blacklists.tar.gz |
146,7 → 146,7 |
echo -n "Adaptation process of Toulouse University blackList. Please wait : " |
if [ -f $DIR_tmp/blacklists.tar.gz ] # when downloading the last version of the BL |
then |
# keep custom files (ossi) |
# keep custom files (ossi) |
for x in $(ls -1 $DIR_DG_BL | grep "^ossi-*") |
do |
mv $DIR_DG_BL/$x $DIR_tmp |
158,7 → 158,7 |
chmod -R 770 $DIR_DG |
# Add the two local categories (ossi-bl & ossi-wl) to the usage file |
# Add the custom categories (ossi-tor_nodes) to the usage file |
cat << EOF >> $DIR_DG_BL/global_usage |
cat << EOF >> $DIR_DG_BL/global_usage |
NAME: ossi-bl |
DEFAULT_TYPE: black |
204,7 → 204,7 |
categorie_type=`grep -A1 ^NAME:[$' '$'\t']*$categorie$ $DIR_DG_BL/global_usage | grep ^DEFAULT_TYPE | cut -d":" -f2 | tr -d " \t"` |
if [ "$categorie_type" == "white" ] |
then |
echo "$dir_categorie" >> $WL_CATEGORIES |
echo "$dir_categorie" >> $WL_CATEGORIES |
else |
echo "$dir_categorie" >> $BL_CATEGORIES |
fi |
211,19 → 211,19 |
done |
rm -f $FILE_tmp |
# Verify that the enabled categories are effectively in the BL (need after an update of the BL) |
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED` |
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED` |
do |
ok=`grep /$ENABLE_CATEGORIE$ $BL_CATEGORIES|wc -l` |
if [ $ok != "1" ] |
if [ $ok != "1" ] |
then |
$SED "/^$ENABLE_CATEGORIE$/d" $BL_CATEGORIES_ENABLED |
fi |
done |
# Verify that the enabled categories are effectively in the WL (need after an update of the WL) |
for ENABLE_CATEGORIE in `cat $WL_CATEGORIES_ENABLED` |
for ENABLE_CATEGORIE in `cat $WL_CATEGORIES_ENABLED` |
do |
ok=`grep /$ENABLE_CATEGORIE$ $WL_CATEGORIES|wc -l` |
if [ $ok != "1" ] |
if [ $ok != "1" ] |
then |
$SED "/^$ENABLE_CATEGORIE$/d" $WL_CATEGORIES_ENABLED |
fi |
235,22 → 235,22 |
do |
DOMAIN=`basename $PATH_FILE` |
echo -n "$DOMAIN, " |
if [ ! -f $PATH_FILE/urls ] # create 'urls' file if it doesn't exist |
if [ ! -f $PATH_FILE/urls ] # create 'urls' file if it doesn't exist |
then |
touch $PATH_FILE/urls |
chown dansguardian:apache $PATH_FILE/urls |
fi |
cp $PATH_FILE/domains $FILE_tmp |
cp $PATH_FILE/domains $FILE_tmp |
clean_split # clean ossi custom files & split them for dnsmasq and for iptables |
if [ "$LIST" == "$BL_CATEGORIES" ] |
then |
# adapt to the dnsmasq syntax for the blacklist |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN |
else |
# adapt to the dnsmasq syntax for the whitelist |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf |
fi |
done |
257,7 → 257,7 |
done |
echo |
chown -R root:apache $BL_CATEGORIES $WL_CATEGORIES $BL_CATEGORIES_ENABLED $WL_CATEGORIES_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL |
chmod 770 $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL |
chmod 770 $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL |
chmod -f 660 $BL_CATEGORIES $WL_CATEGORIES $BL_CATEGORIES_ENABLED $WL_CATEGORIES_ENABLED $DIR_DNS_BL/* $DIR_DNS_WL/* $DIR_IP_BL/* $DIR_IP_WL/* |
rm -f $FILE_tmp $FILE_ip_tmp |
rm -rf $DIR_tmp |
281,12 → 281,12 |
if [ $black == "1" ] |
then |
# adapt to the dnsmasq syntax for the blacklist |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN |
else |
# adapt to the dnsmasq syntax for the whitelist |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_WL/$DOMAIN |
fi |
297,9 → 297,9 |
/usr/bin/systemctl restart dansguardian |
/usr/local/bin/alcasar-iptables.sh |
else |
echo -n "/usr/local/etc/update_cat.conf is empty ..." |
echo -n "/usr/local/etc/update_cat.conf is empty ..." |
fi |
echo |
echo |
;; |
# reload when selected categories are changed or when ossi change his custom files |
-reload | --reload) |
343,13 → 343,13 |
then |
# adapt the file to the dnsmasq syntax and enable it if needed |
# for the WL |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$ossi_categorie.conf |
mv $FILE_ip_tmp $DIR_IP_WL/$ossi_categorie |
enabled=`grep ^$ossi_categorie$ $WL_CATEGORIES_ENABLED | wc -l` |
if [ $enabled == "1" ] |
then |
$SED "/\/$ossi_categorie$/d" $WL_CATEGORIES |
$SED "/\/$ossi_categorie$/d" $WL_CATEGORIES |
$SED "1i\/etc\/dansguardian\/lists\/blacklists\/$ossi_categorie" $WL_CATEGORIES |
ln -sf $DIR_DNS_WL/$ossi_categorie.conf $DIR_DNS_WL_ENABLED/$ossi_categorie |
ln -sf $DIR_IP_WL/$ossi_categorie $DIR_IP_WL_ENABLED/$ossi_categorie |
356,13 → 356,13 |
fi |
else |
# for the BL |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$ossi_categorie.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$ossi_categorie |
enabled=`grep ^$ossi_categorie$ $BL_CATEGORIES_ENABLED | wc -l` |
if [ $enabled == "1" ] |
then |
$SED "/\/$ossi_categorie$/d" $BL_CATEGORIES |
$SED "/\/$ossi_categorie$/d" $BL_CATEGORIES |
$SED "1i\/etc\/dansguardian\/lists\/blacklists\/$ossi_categorie" $BL_CATEGORIES |
ln -sf $DIR_DNS_BL/$ossi_categorie.conf $DIR_DNS_BL_ENABLED/$ossi_categorie |
ln -sf $DIR_IP_BL/$ossi_categorie $DIR_IP_BL_ENABLED/$ossi_categorie |
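Review bot: The blacklist update in hunk 129 fetches `http://$BL_SERVER/blacklists/download/blacklists.tar.gz` over cleartext HTTP and unpacks it without any integrity check, and the resulting `domains` files are rewritten straight into dnsmasq `address=` entries and the iptables IP lists, so a tampered download replaces the portal's filtering policy. Verify the archive before it is used, an HTTPS URL plus `sha256sum -c` against a checksum or `gpg --verify` against a signature if the upstream publishes one, and abort the update on mismatch instead of continuing. Separately, `$ENABLE_CATEGORIE` read from `$BL_CATEGORIES_ENABLED` is spliced unescaped into `$SED` patterns in hunks 61, 78 and 211, so a category name containing `/` or regex metacharacters alters the edit; quoting the expansions and escaping the value before use keeps the edits literal. The changed lines here appear to be indentation-only, so these points predate the commit.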
/scripts/alcasar-bypass.sh |
---|
32,8 → 32,8 |
ifup $INTIF |
sh /usr/local/bin/alcasar-iptables-bypass.sh |
DHCP=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2` |
if [ $DHCP != off ] |
then |
if [ $DHCP != off ] |
then |
$SED "/^#dhcp-range=/s/^#//" /etc/dnsmasq.conf # dnsmasq become the DHCP server |
$SED "/^#dhcp-option=/s/^#//" /etc/dnsmasq.conf |
$SED "/^#domain=/s/^#//" /etc/dnsmasq.conf |
41,7 → 41,7 |
/usr/bin/systemctl restart dnsmasq |
fi |
rm -f /etc/cron.d/alcasar-daemon-watchdog # don't restart daemons (specially coova) |
rm -f /etc/cron.d/alcasar-daemon-watchdog # don't restart daemons (specially coova) |
echo "ALCASAR est en mode 'bypass'" |
echo "ALCASAR is in 'bypass' mode" |
;; |
48,7 → 48,7 |
--off | -off) |
cp -f /etc/sysconfig/network-scripts/default-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF |
ifup $INTIF |
$SED "s?^dhcp-range=.*?#&?g" /etc/dnsmasq.conf # dnsmasq is no more the DHCP server (it's coova) |
$SED "s?^dhcp-range=.*?#&?g" /etc/dnsmasq.conf # dnsmasq is no more the DHCP server (it's coova) |
$SED "s?^dhcp-option=.*?#&?g" /etc/dnsmasq.conf |
$SED "s?^domain=.*?#&?g" /etc/dnsmasq.conf |
$SED "/^#no-dhcp-interface/s/^#//" /etc/dnsmasq.conf |
/scripts/alcasar-certificates.sh |
---|
6,10 → 6,10 |
# by Franck BOUIJOUX and REXY |
# This script is distributed under the Gnu General Public License (GPL) |
# Script permettant |
# Script permettant |
# - d'exporter les certificats d'un serveur pour les transposer sur un autre. |
# This script allows |
# This script allows |
# - export certificates server to move them. |
30,19 → 30,19 |
fi |
NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment |
NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment |
FILE="certificates-$NOW" |
DIR_SAVE=$DIR_SAVE-$NOW |
# Function of export |
# Function of export |
function certs_export() { |
# Export of CA Certificate |
# Export of CA Certificate |
cd /root |
tar cvf $FILE.tar $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key} |
tar cvf $FILE.tar $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key} |
# Export of server Certificate |
tar rvf $FILE.tar $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,certs/server-chain.crt} |
gzip $FILE.tar |
# Export of server Certificate |
tar rvf $FILE.tar $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,certs/server-chain.crt} |
gzip $FILE.tar |
echo "Le ficher des certificats exportés est : $FILE.tar.gz" |
} # end function export |
51,16 → 51,16 |
# Sauvegarde de la pki actuelle |
[ -d $DIR_SAVE ] || mkdir $DIR_SAVE |
# Save of CA Certificate |
# Save of CA Certificate |
cd $DIR_PKI/CA/ |
cp alcasar-ca.crt $DIR_SAVE/. |
cp private/alcasar-ca.key $DIR_SAVE/. |
cp alcasar-ca.crt $DIR_SAVE/. |
cp private/alcasar-ca.key $DIR_SAVE/. |
# Save of server Certificate |
# Save of server Certificate |
cd $DIR_PKI/tls |
cp certs/alcasar.crt $DIR_SAVE/. |
cp private/alcasar.key $DIR_SAVE/. |
cp certs/server-chain.crt $DIR_SAVE/. |
cp certs/alcasar.crt $DIR_SAVE/. |
cp private/alcasar.key $DIR_SAVE/. |
cp certs/server-chain.crt $DIR_SAVE/. |
} # end function archive |
function import() { |
71,7 → 71,7 |
[ -d $DIR_IMPORT ] || mkdir $DIR_IMPORT |
rm -rf $DIR_IMPORT/* |
# Import of CA Certificate |
# Import of CA Certificate |
tar xzvf $1 --directory=$DIR_IMPORT |
echo "Import new certificates in ALCASAR !!!" |
cp -r $DIR_IMPORT/* /. |
80,9 → 80,9 |
# Service apache restart |
service httpd restart |
else |
echo "You are not import new certificates !!!" |
exit 0 |
else |
echo "You are not import new certificates !!!" |
exit 0 |
fi |
} # end import |
101,7 → 101,7 |
if [ $nb_args -eq 1 ] |
then |
echo "Il faut passer un fichier de certificat en paramètre !!!" |
exit 0 |
exit 0 |
fi |
import $2 |
;; |
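Review bot: `import()` in hunk 71 extracts an operator-supplied archive with `tar xzvf $1 --directory=$DIR_IMPORT` and then runs `cp -r $DIR_IMPORT/* /.`, so every path contained in the archive, not only the five certificate and key files that `certs_export()` writes, is placed into the root filesystem. Restrict the import to the expected members: extract with `tar xzf "$1" --directory="$DIR_IMPORT" --no-same-owner`, copy only the CA and server certificate and key paths listed in `certs_export`, and reject the archive when those entries are missing. Also, the export tarball carries `private/alcasar-ca.key` and `private/alcasar.key` and is created in `/root` under the default umask; a `umask 077` at the start of `certs_export` keeps it readable by root only. Both functions are cut by the hunks, so the surrounding body is not visible here.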
/scripts/alcasar-daemon.sh |
---|
19,7 → 19,7 |
then |
logger -i "!! $s is inactive. Activation attempt" |
echo "the $s service is disabled! trying to start it..." |
/usr/bin/systemctl start $s.service |
/usr/bin/systemctl start $s.service |
else |
nb_srv=$((nb_srv+1)) |
fi |
28,13 → 28,13 |
nb_srv=0 |
for s in $SERVICES |
do |
if [ $s != "sshd" ] |
if [ $s != "sshd" ] |
then |
ServiceTest |
else |
{ |
if [ $SSH == "ON" ] || [ $SSH == "on" ] || [ $SSH == "On" ] |
then |
then |
ServiceTest |
else |
nb_available_srv=$((nb_available_srv-1)) |
/scripts/alcasar-dhcp.sh |
---|
54,15 → 54,15 |
$SED "s?^dynip.*?#dynip?g" $CHILLI_CONF_FILE |
$SED "s?^#dynip.*?#dynip?g" $CHILLI_CONF_FILE |
$SED "s?^DHCP.*?DHCP=off?g" $ALCASAR_CONF_FILE |
if [ "$EXT_DHCP_IP" != "none" ] |
if [ "$EXT_DHCP_IP" != "none" ] |
then |
$SED "s?.*dhcpgateway\t.*?dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcprelayagent.*?dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcpgatewayport.*?dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcpgateway\t.*?dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcprelayagent.*?dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcpgatewayport.*?dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
else |
$SED "s?.*dhcpgateway\t.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcpgateway\t.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
fi |
/usr/bin/systemctl restart chilli |
;; |
/scripts/alcasar-file-clean.sh |
---|
25,7 → 25,7 |
# remove empty lines and put rights |
for file in $ALCASAR_SERVICES $ALCASAR_IP_BLOCKED $ALCASAR_CONF $ALCASAR_UAMDOMAIN $ALCASAR_UAMALLOWED |
do |
$SED "/^$/d" $file |
$SED "/^$/d" $file |
chown root:apache $file |
chmod 660 $file |
done |
36,10 → 36,10 |
for domain in $(cat $ALCASAR_UAMDOMAIN | cut -d' ' -f1) |
do |
domain_exception="server=/$(echo $domain | cut -d'"' -f2)/#" |
sed -i "/conf-file/a$domain_exception" /etc/dnsmasq-blackhole.conf |
domain_exception="server=/$(echo $domain | cut -d'"' -f2)/#" |
sed -i "/conf-file/a$domain_exception" /etc/dnsmasq-blackhole.conf |
done |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't restart on install stage |
then |
systemctl restart dnsmasq-blackhole |
fi |
fi |
/scripts/alcasar-generate_log.sh |
---|
35,8 → 35,8 |
if [ $nb_args -eq 1 ] |
then |
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct ORDER BY acctstarttime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';" |
SECTION_LOG="Extraction de tous les journaux" |
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct ORDER BY acctstarttime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';" |
SECTION_LOG="Extraction de tous les journaux" |
fi |
if [ $nb_args -eq 2 ] |
43,13 → 43,13 |
then |
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct WHERE acctstarttime >= '$2' ORDER BY acctstarttime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';" |
echo $QUERY |
SECTION_LOG="Extraction des journaux à partir du $2" |
SECTION_LOG="Extraction des journaux à partir du $2" |
fi |
if [ $nb_args -eq 3 ] |
then |
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct WHERE acctstarttime >= '$2' AND acctstarttime <= '$3' ORDER BY acctstoptime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';" |
SECTION_LOG="Extraction des journaux entre $2 et $3" |
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct WHERE acctstarttime >= '$2' AND acctstarttime <= '$3' ORDER BY acctstoptime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';" |
SECTION_LOG="Extraction des journaux entre $2 et $3" |
fi |
if [ $nb_args -eq 0 ] |
61,8 → 61,8 |
if [ $nb_args -gt 3 ] |
then |
echo $usage |
exit |
echo $usage |
exit |
fi |
if [ -e $TMP_SQL ] |
77,7 → 77,7 |
if [ -e $ARCHIVE_LOCATION ] |
then |
rm $ARCHIVE_LOCATION |
rm $ARCHIVE_LOCATION |
fi |
106,7 → 106,7 |
LOG_M1=$(echo $LOG_DATE1 | cut -d'-' -f2) |
LOG_D1=$(echo $LOG_DATE1 | cut -d'-' -f3 | cut -d' ' -f1) |
LOG_H1=$(echo $LOG_DATE1 | cut -d'-' -f3 | cut -d' ' -f2) |
LOG_Y2=$(echo $LOG_DATE2 | cut -d'-' -f1) |
LOG_M2=$(echo $LOG_DATE2 | cut -d'-' -f2) |
LOG_D2=$(echo $LOG_DATE2 | cut -d'-' -f3 | cut -d' ' -f1) |
115,7 → 115,7 |
DUMP=$(nfdump -O tstart -R /var/log/nfsen/profiles-data/live/alcasar_netflow/ -t $LOG_Y1/$LOG_M1/$LOG_D1.$LOG_H1-$LOG_Y2/$LOG_M2/$LOG_D2.$LOG_H2 -o "fmt:<tr><td class='numberLine'></td><td>%sa</td><td>%sp</td><td>%da</td><td>%dp</td><td>%ts</td></tr>" | tail -n +2 | head -n -4 | grep "$LOG_IP") |
if [ ! -z "$DUMP" ] |
then |
echo "<div class='container'> " >> $TMP_HTML |
echo "<div class='container'> " >> $TMP_HTML |
echo "<table class='table table-striped'>" >> $TMP_HTML |
echo "<thead>" >> $TMP_HTML |
echo "<tr>" >> $TMP_HTML |
137,7 → 137,7 |
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f6) "</td>" >> $TMP_HTML |
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f8) "</td>" >> $TMP_HTML |
echo "</tr></tbody></table></div>" >> $TMP_HTML |
echo "<div class='container mySpace'> " >> $TMP_HTML |
echo "<div class='container mySpace'> " >> $TMP_HTML |
echo "<table class='table table-striped'>" >> $TMP_HTML |
echo "<thead>" >> $TMP_HTML |
echo "<tr>" >> $TMP_HTML |
156,11 → 156,11 |
echo "</body>" >> $TMP_HTML |
echo "</HTML>" >> $TMP_HTML |
#inform users about that by setting the fourth bit of Filter-Id at 1. |
#inform users about that by setting the fourth bit of Filter-Id at 1. |
QUERY="SELECT username from radreply INTO OUTFILE '$TMP_USERS' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';" |
mysql -u root -p"$DB_ROOT_PW" -D radius -e "$QUERY" |
if [ -e $TMP_USERS ] && [ $(cat $TMP_USERS | wc -l) -gt 0 ] |
if [ -e $TMP_USERS ] && [ $(cat $TMP_USERS | wc -l) -gt 0 ] |
then |
for user in $(cat $TMP_USERS) |
do |
175,7 → 175,7 |
/usr/bin/7za a -tzip -p$1 -mem=AES256 $ARCHIVE_LOCATION $TMP_PDF |
chown apache:apache $ARCHIVE_LOCATION |
chown apache:apache $ARCHIVE_LOCATION |
rm $TMP_HTML |
Property changes: |
Added: svn:eol-style |
+LF |
\ No newline at end of property |
Added: svn:executable |
+* |
\ No newline at end of property |
Added: svn:keywords |
+Id |
\ No newline at end of property |
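Review bot: `$2` and `$3` are interpolated verbatim into the SQL text (`WHERE acctstarttime >= '$2'`, hunks 35 and 43), so an argument containing a quote changes the query that runs as the MariaDB root user; if this script is reachable from anything other than a trusted shell, that is an injection path. Validate the arguments before building `QUERY`, e.g. `[[ "$2" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}( [0-9]{2}:[0-9]{2}:[0-9]{2})?$ ]] || { echo "$usage"; exit 1; }`, and the same for `$3`. In hunk 175, `/usr/bin/7za a -tzip -p$1 ...` and `mysql -u root -p"$DB_ROOT_PW"` in hunk 156 both place secrets on the command line where they are visible in the process list; passing them via an option file or stdin avoids that. The changed lines in this section look like indentation-only, so these issues predate the commit.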
/scripts/alcasar-https.sh |
---|
28,7 → 28,7 |
echo "$usage" |
exit 0 |
;; |
--off | -off) # disable HTTPS |
--off | -off) # disable HTTPS |
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE |
$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=off?" $CONF_FILE |
$SED "s?uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE |
/scripts/alcasar-importcert.sh |
---|
57,7 → 57,7 |
domain=`echo $fqdn | awk -F'.' '{$1="";OFS=".";print $0}' | sed 's/^.//'` |
echo "fqdn=$fqdn hostname=$hostname domain=$domain" |
#check fqdn format |
#check fqdn format |
if [[ "$fqdn" != "" && "$domain" != "" ]]; then |
$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" /usr/local/etc/alcasar.conf |
$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf |
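Review bot: The `#check fqdn format` comment promises a format check, but the `if` on the next line only tests that `$fqdn` and `$domain` are non-empty before both are spliced into the `$SED` expressions that rewrite alcasar.conf. A value containing `/`, `&` or a newline would break or alter the substitution rather than be rejected; a real check in the same condition, such as `[[ "$fqdn" =~ ^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9-]+$ ]]`, would make the code match the comment. Where `$fqdn` comes from is outside the hunk, so I cannot tell whether it was validated earlier. The `if` block continues outside the hunk.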
/scripts/alcasar-iptables-bypass.sh |
55,7 → 55,7 |
# Insertion de règles de blocage (Devel) |
# Here, we add block rules (Devel) |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
while read ip_line |
do |
ip_on=`echo $ip_line|cut -b1` |
68,7 → 68,7 |
done < /usr/local/etc/alcasar-ip-blocked |
fi |
# SSHD rules if activate |
# SSHD rules if activate |
if [ $SSH = on ] |
then |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT" |
79,7 → 79,7 |
# Insertion de règles locales |
# Here, we add local rules (i.e. VPN from Internet) |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then |
. /usr/local/etc/alcasar-iptables-local.sh |
. /usr/local/etc/alcasar-iptables-local.sh |
fi |
# on autorise les requêtes dhcp |
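Review bot: `if [ $SSH = on ]` in the second hunk leaves `$SSH` unquoted, so with an empty variable the test becomes `[ = on ]`, `test` reports a unary-operator error and the ssh rules are skipped; `if [ "$SSH" = "on" ]` fails in the same direction but without the spurious error and without depending on word splitting. The sibling alcasar-iptables.sh defaults the value with `SSH=${SSH:=off}`; whether this bypass script does the same is outside the hunk, so the quoting still seems worth having. The blocked-IP loop in the first hunk uses `while read ip_line` without `-r`, which interprets backslashes in the list file; `while read -r ip_line` is the safe form. Both `if` blocks continue outside their hunks.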
/scripts/alcasar-iptables.sh |
7,10 → 7,10 |
# Reminders |
# There are four channels for log : |
# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW); |
# 2 protection of ALCASAR with the Ulog group 1 (default group) |
# 2 protection of ALCASAR with the Ulog group 1 (default group) |
# 3 SSH on ALCASAR with the Ulog group 2; |
# 4 extern access attempts on ALCASAR with the Ulog group 3. |
# The bootps/dhcp (67) port is always open on tun0/INTIF by coova |
# The bootps/dhcp (67) port is always open on tun0/INTIF by coova |
CONF_FILE="/usr/local/etc/alcasar.conf" |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace |
35,7 → 35,7 |
DNSSERVERS="$dns1,$dns2" # first and second public DNS servers |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
129,7 → 129,7 |
ipset -! restore < $TMP_set_save |
rm -f $TMP_set_save |
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET |
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET |
# Restoring the connected users SETs if available, otherwise creating SETs |
if [ -e $TMP_users_set_save ]; |
then |
188,7 → 188,7 |
# redirect DNS of 'havp_wl' users to port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55 |
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT " |
230,7 → 230,7 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP |
# Si configéré, on autorise les réponses DHCP |
# Si configéré, on autorise les réponses DHCP |
# Allow DHCP answers if configured |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
if [[ "$public_ip_mask" == "dhcp" ]] |
239,7 → 239,7 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT |
fi |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation) |
# Drop broadcast & multicast on EXTIF to avoid log |
# Drop broadcast & multicast on EXTIF to avoid log |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
# On autorise les retours de connexions légitimes par INPUT |
250,7 → 250,7 |
# Deny direct connections on DansGuardian port (8080). The concerned paquets have been marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset |
# Autorisation des connexions légitimes à DansGuardian |
# Autorisation des connexions légitimes à DansGuardian |
# Allow connections for DansGuardian |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
258,7 → 258,7 |
# Deny direct connections on tinyproxy port (8090). The concerned paquets have been marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset |
# Autorisation des connexions légitimes vers tinyproxy |
# Autorisation des connexions légitimes vers tinyproxy |
# Allow connections to tinyproxy |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT |
294,7 → 294,7 |
# Accès direct aux services internes |
# Internal services access |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request |
303,7 → 303,7 |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server |
# SSHD rules if activate |
# SSHD rules if activate |
if [ $SSH = on ] |
then |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT" |
315,7 → 315,7 |
# Insertion de règles locales |
# Here, we add local rules (i.e. VPN from Internet) |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then |
. /usr/local/etc/alcasar-iptables-local.sh |
. /usr/local/etc/alcasar-iptables-local.sh |
fi |
# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN |
352,11 → 352,11 |
# Allow Conntrack |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) |
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) |
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1` |
if [ $nb_uamallowed != "0" ] |
then |
while read ip_allowed_line |
while read ip_allowed_line |
do |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2` |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW |
421,7 → 421,7 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m state --state NEW -j REJECT --reject-with icmp-port-unreachable |
fi |
# journalisation et autorisation des connections sortant du LAN |
# journalisation et autorisation des connections sortant du LAN |
# Allow forward connections with log |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT |
433,7 → 433,7 |
# Everything is allowed but traffic through outside network interface |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
# Si configéré, on autorise les requêtes DHCP |
# Si configéré, on autorise les requêtes DHCP |
# Allow DHCP requests if configured |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
if [[ "$public_ip_mask" == "dhcp" ]] |
442,7 → 442,7 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT |
fi |
# On autorise les requêtes DNS vers les serveurs DNS identifiés |
# On autorise les requêtes DNS vers les serveurs DNS identifiés |
# Allow DNS requests to identified DNS servers |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT |
459,17 → 459,17 |
# RSYNC requests are allowed (to update BL of Toulouse) |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT |
# On autorise les requêtes FTP |
# On autorise les requêtes FTP |
# FTP requests are allowed |
modprobe nf_conntrack_ftp |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT |
# On autorise les requêtes NTP |
# On autorise les requêtes NTP |
# NTP requests are allowed |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT |
# On autorise les requêtes ICMP (ping) |
# On autorise les requêtes ICMP (ping) |
# ICMP (ping) requests are allowed |
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT |
489,4 → 489,3 |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE |
# End of script |
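Review bot: In the uamallowed hunk (`352,11 → 352,11`), `ip_allowed` is cut from each line and passed unquoted as `-d $ip_allowed`, so a blank or malformed line yields an empty value, `-d` then consumes `-m` as its argument, iptables rejects the rule and, because the exit status is never checked, that entry is silently missing from the FORWARD chain. If entries are always IPv4 addresses or networks as the comment suggests, a guard before the `$IPTABLES` line, `[[ "$ip_allowed" =~ ^[0-9./]+$ ]] || { echo "bad uamallowed entry: $ip_allowed_line" >&2; continue; }`, makes the failure visible, and `while read -r ip_allowed_line` should replace the bare `read` that interprets backslashes. `nb_uamallowed` is taken from `wc -l`, which counts newlines, so a file whose only entry lacks a trailing newline gives `0` and the whole block is skipped; `[ -s /usr/local/etc/alcasar-uamallowed ]` is the more robust test. In the `294,7` hunk the comments on the two ICMP rules are inverted: `--icmp-type 8` is the echo request and `--icmp-type 0` the echo reply. The uamallowed `while` loop continues outside its hunk.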
/scripts/alcasar-load_balancing.sh |
48,7 → 48,7 |
if [ $(whoami) != "root" ]; then |
echo "You must be root to run this!" ; echo ; exit 1 |
echo "You must be root to run this!" ; echo ; exit 1 |
fi |
# Adapter for ALCASAR project |
104,7 → 104,7 |
fi # End |
NET="`ipcalc -n $IP_NET | cut -d"=" -f2`/`ipcalc -p $IP_NET|cut -d"=" -f2`" |
if [ "$PARAM" == "add" ]; then |
if [ "$PARAM" == "add" ]; then |
set -x |
table=$(($i + 1)) |
ip route ${PARAM} ${NET} dev ${IFACE} src ${IP} table $table |
124,7 → 124,7 |
i=$(($i + 1)) |
done # End While |
if [ "$PARAM" == "add" ]; then |
if [ "$PARAM" == "add" ]; then |
echo "[] Balanced routing:" |
# suppress default route |
ip route del default scope global |
133,7 → 133,7 |
set +x |
echo |
fi |
} # end create_eth |
########################### |
144,7 → 144,7 |
echo $IFACE_COUNT |
while [ $IFACE_COUNT -ne 0 ] |
do |
i=$IFACE_COUNT |
i=$IFACE_COUNT |
echo "ifdown $EXTIF:$i" |
ifdown $EXTIF:$i |
rm -f /etc/sysconfig/network-scripts/ifcfg-$EXTIF:$i |
153,21 → 153,21 |
ip route del default scope global |
# ip route add default gw 192.168.1.1 |
} |
# do not modify below this line unless you know what you're doing :) |
function getvalue() { |
index=$1 |
VAR=$2 |
index=$1 |
VAR=$2 |
n=1 |
for f in ${VAR} ; do |
if [ "${n}" == "${index}" ]; then |
echo "$f" |
break |
fi |
n=$(($n++)) |
done |
n=1 |
for f in ${VAR} ; do |
if [ "${n}" == "${index}" ]; then |
echo "$f" |
break |
fi |
n=$(($n++)) |
done |
} |
###################### |
178,7 → 178,7 |
echo "[] Watchdog started" |
# 0 == all links ok, 1 == some link down |
STATE=0 |
DOWNCOUNT_BAK=0 |
DOWN_BAK="" |
NBIFACE=`grep "^WAN" $CONF_FILE | wc -l` # Nbre interfaces virtuelles |
195,12 → 195,12 |
echo "Liste des interfaces : "${WANIFACE[*]} |
# Failover test |
while : ; do |
if [ $VERBOSE -eq 1 ]; then |
echo "[] Sleeping, state=$STATE" |
fi |
sleep $FAILOVER |
IFINDEX=1 |
DOWN="" # liste des interfaces down |
DOWNCOUNT=0 # nombre d'interface down |
214,7 → 214,7 |
WT=`grep "$iface," $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $5}'` # @WT |
else |
GW=`grep "^GW=" $CONF_FILE | awk -F= '{print $2}'` # @GW |
fi |
fi |
for TESTIP in $TESTIPS ; do |
COUNT=$(($COUNT + 1)) |
ping -W 3 -I $IP -c 1 $TESTIP > /dev/null 2>&1 |
222,7 → 222,7 |
# Si ping de la première adresse --> ok --> stop du test pour l'interface testée |
if [ $? -eq 0 ]; then |
break |
else |
else |
# sinon on compte une erreur |
FAIL=$(($FAIL + 1)) |
fi |
248,7 → 248,7 |
echo "IFINDEX =$IFINDEX" |
done # End Test Interface in WANIFACE |
# 0 Passerelle down et état précédent différent (retour à la normale)) --> mise à la normale des passerelles |
# 0 Passerelle down et état précédent différent (retour à la normale)) --> mise à la normale des passerelles |
# if [ $DOWNCOUNT -eq 0 ] && [ $DOWNCOUNT -ne $DOWNCOUNT_BAK ]; then |
if [ $DOWNCOUNT -eq 0 ] ; then |
if [ $STATE -eq 1 ]; then |
279,13 → 279,13 |
echo "iface=$iface" |
echo "Index = " $IFINDEX |
FAILIF=0 |
# Pour chaque interface down --> |
# Pour chaque interface down --> |
echo "Interfaces DOWN = $DOWN" |
for lnkdwn in $DOWN ; do |
echo "LINKDOWN = "$lnkdown |
if [ $lnkdwn -eq $IFINDEX ]; then |
FAILIF=1 |
break |
break |
else |
continue |
fi |
298,7 → 298,7 |
WT=`grep "$iface," $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $5}'` # @GW |
else |
GW=`grep "^GW=" $CONF_FILE | awk -F= '{print $2}'` # @GW |
fi |
fi |
echo "GW=$GW" |
echo "WT=$WT" |
echo "suffix=$sufix" |
308,7 → 308,7 |
done # End iface IN WANIFACE |
# Commande globale |
cmd="ip route replace default scope global $suffix" |
if [ $VERBOSE -eq 1 ]; then |
set -x |
# echo "Avec commentaire : " ${cmd} |
321,7 → 321,7 |
fi # end Application de la commande de routage globale |
fi # |
DOWN_BAK=$DOWN # Enregistrement de l'etat |
fi # End |
fi # End |
done |
} # End of Failover |
336,70 → 336,70 |
echo |
case $1 in |
create) |
create_eth |
create) |
create_eth |
;; |
delete) |
delete_eth |
delete) |
delete_eth |
;; |
start) |
if [ "$MULTIWAN" != "on" ] && [ "$MULTIWAN" != "On" ]; then |
start) |
if [ "$MULTIWAN" != "on" ] && [ "$MULTIWAN" != "On" ]; then |
echo "The MultiGateway is not activated !" |
exit 0 |
fi |
PARAM="add" |
create_eth |
ip route flush cache |
if [ $FAILOVER -eq 0 ]; then |
PARAM="add" |
create_eth |
ip route flush cache |
if [ $FAILOVER -eq 0 ]; then |
echo "The MultiWAN Mode is actived but not failover connectivity !" |
exit 0 |
fi |
echo "Starting down $prog: " |
pid=`pidof -x "alcasar-load_balancing.sh"` |
if [ $pid != "" ]; then |
echo $pid > $pidfile |
fi |
touch /var/lock/subsys/alcasar-load_balancing |
failover |
echo "Starting down $prog: " |
pid=`pidof -x "alcasar-load_balancing.sh"` |
if [ $pid != "" ]; then |
echo $pid > $pidfile |
fi |
touch /var/lock/subsys/alcasar-load_balancing |
failover |
;; |
stop) |
stop) |
PARAM="del" |
echo "Shutting down $prog: " |
if [ -f $pidfile ]; then |
pid=`cat $pidfile` |
kill -9 $pid |
else |
echo "$prog is not running." |
exit 1 |
fi |
RETVAL=$? |
echo |
[ $RETVAL -eq 0 ] && rm -f $pidfile && rm -f /var/lock/subsys/alcasar-load_balancing |
echo "Delete of virtual interfaces" |
delete_eth |
echo "Network restart" |
service network restart 2>&1 > /dev/null |
ip route |
if [ -f $pidfile ]; then |
pid=`cat $pidfile` |
kill -9 $pid |
else |
echo "$prog is not running." |
exit 1 |
fi |
RETVAL=$? |
echo |
[ $RETVAL -eq 0 ] && rm -f $pidfile && rm -f /var/lock/subsys/alcasar-load_balancing |
echo "Delete of virtual interfaces" |
delete_eth |
echo "Network restart" |
service network restart 2>&1 > /dev/null |
ip route |
;; |
status) |
echo "Checking $prog : " |
if [ -f $pidfile ]; then |
pid=`cat $pidfile` |
CHECK=`ps -p $pid --no-heading | awk {'printf $1'}` |
if [ "$CHECK" = "" ]; then |
echo "$prog is NOT running." |
else |
echo "$prog is running !" |
fi |
else |
echo "$prog is Not running." |
fi |
echo "Checking $prog : " |
if [ -f $pidfile ]; then |
pid=`cat $pidfile` |
CHECK=`ps -p $pid --no-heading | awk {'printf $1'}` |
if [ "$CHECK" = "" ]; then |
echo "$prog is NOT running." |
else |
echo "$prog is running !" |
fi |
else |
echo "$prog is Not running." |
fi |
;; |
fail) |
failover |
fail) |
failover |
;; |
*) |
*) |
echo "Usage: $0 [start|stop|status|create|delete]" ; echo ; exit 1 |
;; |
esac |
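Review bot: In `getvalue()` (hunk `153,21`), `n=$(($n++))` never advances the counter: `$n` is expanded before the arithmetic runs, so the expression operates on a literal number rather than a variable and either assigns the old value back or fails with an arithmetic error depending on the bash version; in both cases only index 1 can ever match. `n=$((n + 1))` is the fix. In the `start)` arm, `if [ $pid != "" ]` with an empty `pidof -x` result becomes `[ != "" ]`, which `test` rejects, so the pidfile is not written precisely when the lookup failed; `if [ -n "$pid" ]` is the safe form. In `stop)`, `service network restart 2>&1 > /dev/null` sends stderr to the terminal and only stdout to /dev/null; the intended order is `> /dev/null 2>&1`, and `kill -9` as the first signal gives the watchdog no chance to clean up.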
/scripts/alcasar-profil.sh |
20,16 → 20,16 |
for i in $ALL_PROFILS |
do |
if [ $Lang == "fr" ] |
then |
then |
echo -n "Comptes liés au profil '$i' : " |
else |
echo -n "accounts linked with profile '$i' : " |
echo -n "accounts linked with profile '$i' : " |
fi |
account_list=`cat $DIR_KEY/key_only_$i | cut -d':' -f1|sort` |
for account in $account_list |
do |
echo -n "$account " |
echo -n "$account " |
done |
echo |
done |
78,11 → 78,11 |
echo "$usage" |
exit 0 |
;; |
--add|-a) |
--add|-a) |
# ajout d'un compte |
list |
if [ $Lang == "fr" ] |
then |
then |
echo -n "Choisissez un profil ($ALL_PROFILS) : " |
else |
echo -n "Select a profile ($ALL_PROFILS) : " |
92,7 → 92,7 |
then |
echo -n "Entrez le nom du compte à créer (profil '$profil') : " |
else |
echo "Enter the name of the account to create (profile '$profil') : " |
echo "Enter the name of the account to create (profile '$profil') : " |
fi |
read account |
# on teste s'il n'existe pas déjà |
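Review bot: `read account` in the `--add` arm reads the new account name without `-r`, so backslashes in the input are interpreted, and nothing in the hunk constrains the name before the existence test that follows (that test and the later uses of `$account` lie outside the hunk, so a check may exist there). `read -r account` plus a whitelist such as `[[ "$account" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1` would keep the name safe for the file and shell operations that presumably follow. In the same hunk the English prompt uses `echo "Enter the name…"` while the French one uses `echo -n`, so the English cursor lands on the next line; use `echo -n` for both. `[ $Lang == "fr" ]` also leaves `$Lang` unquoted and uses the non-POSIX `==`; `[ "$Lang" = "fr" ]` is the portable form.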
/scripts/alcasar-rpm-download.sh |
9,7 → 9,7 |
# retrieve needed RPM in a tarball file |
VERSION="5" |
ARCH="x86_64" |
ARCH="x86_64" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap apache apache-mod_ssl apache-mod_php dansguardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron gammu usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man kernel-firmware-nonfree dos2unix p7zip bc msec kernel-userspace-headers" |
43,7 → 43,7 |
for i in $* |
do |
if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ] |
then |
then |
ARCH=`echo $i|cut -d"=" -f2` |
fi |
done |
65,7 → 65,7 |
do |
try_nb=`expr $try_nb + 1` |
MIRRORLIST="MIRRORLIST$try_nb" |
rpm_repository_sync |
rpm_repository_sync |
nb_repository=`cat /etc/urpmi/urpmi.cfg|grep mirrorlist|wc -l` |
if [ "$nb_repository" != "4" ] |
then |
84,7 → 84,7 |
do |
read response |
done |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
then |
exit 1 |
fi |
98,7 → 98,7 |
echo -n "." |
done |
urpmi --clean |
# download RPM in cache |
# download RPM in cache |
echo "Récupération des paquetages de mise à jour. Veuillez patienter ..." |
echo "Updated RPM download. Please wait ..." |
echo "Il est temps d'aller prendre un café :-) " |
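Review bot: The argument loop in hunk `43,7` iterates `for i in $*` and accepts any argument that merely contains the substring `arch` (the `grep arch | cut -d'=' -f1` pipeline), then assigns everything after the first `=` to `ARCH` with no check against the architectures the script supports. `for i in "$@"; do case "$i" in arch=*) ARCH=${i#arch=} ;; esac; done` replaces the three-process pipeline with an exact match, and a `case "$ARCH"` that accepts only the architectures the mirror actually serves (x86_64 is the only one visible here) would reject typos before `ARCH` reaches the repository configuration, which is outside the hunk. In hunk `65,7` the retry counter uses `expr`; `try_nb=$((try_nb + 1))` avoids the fork.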
/scripts/alcasar-sms.sh |
41,9 → 41,9 |
end="%%%%%%%%%% STOP %%%%%%%%%%" |
usage="Usage: alcasar-gammu.sh |
usage="Usage: alcasar-gammu.sh |
Start Gammu-smsd : --start |
Stop Gammu-smsd : --stop |
Stop Gammu-smsd : --stop |
Process on new sms : --new_sms" |
78,7 → 78,7 |
then |
sql_add_gp="connect radius; INSERT INTO $radgp (username,groupname) VALUES ('sms','sms');" |
sql_add_gp_att="connect radius; INSERT INTO $radgpck (groupname,attribute,op,value) VALUES ('sms','Simultaneous-Use',':=',1);" |
mysql --user=$u_db --password=$p_db -B -se "$sql_add_gp" |
mysql --user=$u_db --password=$p_db -B -se "$sql_add_gp_att" |
fi |
99,11 → 99,11 |
#Suppression du numero dans la table SMS_ban_perm |
sql_remove_ban_perm="connect gammu; DELETE FROM $sms_p" |
mysql --user=$u_db --password=$p_db -B -se "$sql_remove_ban_perm WHERE SenderNumber=$1;" |
# Ajout au groupe sms |
sql_remove_gp="connect radius; DELETE FROM $radgp WHERE username='$1';" |
mysql --user=$u_db --password=$p_db -B -se "$sql_remove_gp" |
# Suppression du compte dans Radcheck |
sql_remove_compte="connect radius; DELETE FROM $rad WHERE username='$1';" |
mysql --user=$u_db --password=$p_db -B -se "$sql_remove_compte" |
136,21 → 136,21 |
# Ajout table RadCheck : creation du compte |
sql_add_pass="connect radius; INSERT INTO $rad (username,attribute,op,value) VALUES ('$1','Crypt-Password',':=','$2');" |
sql_add_expe="connect radius; INSERT INTO $rad (username,attribute,op,value) VALUES ('$1','Expiration',':=','$3');" |
mysql --user=$u_db --password=$p_db -B -se "$sql_add_pass" |
mysql --user=$u_db --password=$p_db -B -se "$sql_add_expe" |
# Ajout au groupe sms |
sql_add_gp="connect radius; INSERT INTO $radgp (username,groupname) VALUES ('$1','sms');" |
mysql --user=$u_db --password=$p_db -B -se "$sql_add_gp" |
} # end function add_acc_rad() |
function supp_num_temp() { |
# Suppression du numéro dans table SMS_ban_temp |
sql_remove_ban_temp="connect gammu; DELETE FROM $sms_t" |
mysql --user=$u_db --password=$p_db -B -se "$sql_remove_ban_temp WHERE SenderNumber=$1;" |
} # end function supp_num_temp() |
function add_num_perm() { |
# Ajout du numero table SMS_ban_perm, 0 : creation du compte |
sql_add_ban_perm="connect gammu; INSERT INTO $sms_p (SenderNumber,Perm,Expiration) VALUES ('$1',0,'$2');" |
166,34 → 166,34 |
function new_sms() { |
# Check Inbox table, manage Ban temp and perm, create account |
export salt='$1$passwd$' |
sql_select_inbox="connect gammu; SELECT ID, SenderNumber, TextDecoded FROM $inb;" |
sql_delete_inbox="connect gammu; DELETE FROM $inb" |
mysql --user=$u_db --password=$p_db -B -se "$sql_select_inbox" | while read result; |
do |
# On recupère le nombre de mots (resultat) |
nb=$(echo $result | wc -w) |
# On récupère le numéro de l'ID |
id=$(echo $result | cut -d ' ' -f1) |
numero=$(echo $result | cut -d ' ' -f2) |
if [[ $numero =~ ^\+ ]] |
if [[ $numero =~ ^\+ ]] |
then |
# On vérifie si le pays est bloqué |
# On vérifie si le pays est bloqué |
sql_select_countries="connect gammu; SELECT id FROM $SMS_c WHERE status=1" |
mysql --user=$u_db --password=$p_db -B -se "$sql_select_countries" | while read result_c; |
do |
if [[ $numero =~ ^"$result_c" ]] |
then |
then |
numero=$(echo $numero | cut -d '+' -f2) |
# On vérifie que le numéro n'est pas Ban Perm |
# On vérifie que le numéro n'est pas Ban Perm |
sql_ban_perm="connect gammu; SELECT * FROM $sms_p WHERE SenderNumber=$numero" |
result_bp=$(mysql --user=$u_db --password=$p_db -B -se "$sql_ban_perm") |
206,46 → 206,46 |
sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');" |
mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp" |
elif [ $nb -eq 3 ] # Si 3 mots : id + mot de passe + numero |
elif [ $nb -eq 3 ] # Si 3 mots : id + mot de passe + numero |
then |
export pass=$(echo $result | cut -d ' ' -f3) |
pass_salt=$(perl -e'print crypt($ARGV[0],$ARGV[1])' $pass $salt) |
export LC_TIME="en_US.UTF-8" |
expir=$(date '+%d %B %Y' -d "$time_account days") |
supp_acc_rad "$numero" |
add_acc_rad "$numero" "$pass_salt" "$expir" |
supp_num_temp "$numero" |
add_num_perm "$numero" "$expir" |
else |
else |
# Autrement, le mot de passe est trop grand ( > un mot ) |
# On incrémente d'un 1 dans la table des bans temp |
sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');" |
mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp" |
fi |
# On gère les bans temp en ban perm |
sql_select_temp="connect gammu; SELECT ID FROM $sms_t WHERE SenderNumber='$numero'" |
r_select_temp=$(mysql --user=$u_db --password=$p_db -B -se "$sql_select_temp") |
nb_ban_t=$(echo $r_select_temp| wc -w) |
if [ $nb_ban_t -ge $nb_essais ] |
then |
supp_num_temp "$numero" |
export LC_TIME="en_US.UTF-8" |
expir_f=$(date '+%d %B %Y' -d "$time_ban days") |
# Ajout du numero table SMS_ban_perm, 1 : flood |
sql_add_ban_perm="connect gammu; INSERT INTO $sms_p (SenderNumber,Perm,Expiration) VALUES ('$numero',1,'$expir_f');" |
mysql --user=$u_db --password=$p_db -B -se "$sql_add_ban_perm" |
fi |
fi |
else |
date_expiration=$(echo $result_bp | cut -d ' ' -f2,3,4) |
perm=$(echo $result_bp | cut -d ' ' -f5) |
export LC_TIME="en_US.UTF-8" |
date_script=$(date '+%d %B %Y' -d "now") |
263,7 → 263,7 |
sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');" |
mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp" |
elif [ $nb -eq 3 ] # Si 3 mots : id + mot de passe + numero |
elif [ $nb -eq 3 ] # Si 3 mots : id + mot de passe + numero |
then |
date_expiration=$(echo $result_bp | cut -d ' ' -f2,3,4) |
perm=$(echo $result_bp | cut -d ' ' -f5) |
276,7 → 276,7 |
export pass=$(echo $result | cut -d ' ' -f3) |
pass_salt=$(perl -e'print crypt($ARGV[0],$ARGV[1])' $pass $salt) |
export LC_TIME="en_US.UTF-8" |
expir=$(date '+%d %B %Y' -d "$time_account days") |
286,8 → 286,8 |
supp_num_temp "$numero" |
supp_num_perm "$numero" |
add_num_perm "$numero" "$expir" |
else |
else |
# Autrement, le mot de passe est trop grand ( > un mot ) |
# On incrémente d'un 1 dans la table des bans temp |
sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');" |
294,26 → 294,26 |
mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp" |
echo "Mot de passe incorrect, ajout du numero en ban temporaire" |
fi |
# On gère les bans temp en ban perm |
sql_select_temp="connect gammu; SELECT ID FROM $sms_t WHERE SenderNumber='$numero'" |
r_select_temp=$(mysql --user=$u_db --password=$p_db -B -se "$sql_select_temp") |
nb_ban_t=$(echo $r_select_temp| wc -w) |
if [ $nb_ban_t -ge $nb_essais ] |
then |
supp_num_perm "$numero" |
supp_num_temp "$numero" |
export LC_TIME="en_US.UTF-8" |
expir_f=$(date '+%d %B %Y' -d "$time_ban days") |
# Ajout du numero table SMS_ban_perm, 1 : flood |
sql_add_ban_perm="connect gammu; INSERT INTO $sms_p (SenderNumber,Perm,Expiration) VALUES ('$numero',1,'$expir_f');" mysql --user=$u_db --password=$p_db -B -se "$sql_add_ban_perm" |
fi |
else |
echo "Le ban de $numero est encore valide" |
fi |
echo "Le ban de $numero est encore valide" |
fi |
break |
fi |
#else |
359,7 → 359,7 |
else |
echo "gammu is already stopped" |
fi |
exit 0 |
exit 0 |
;; |
--pidof) |
/sbin/pidof gammu-smsd |
367,103 → 367,103 |
--last_nosim) |
# Récupère la dernière ligne où NOSIM est présent (error) |
cat $logfile | grep -n "NOSIM" | cut -d ':' -f1 | tail -n 1 |
exit 0 |
exit 0 |
;; |
--last_start) |
# Récupère la dernière ligne où ########## est présent (séparateur) |
cat $logfile | grep -n "##########" | cut -d ':' -f1 | tail -n 1 |
exit 0 |
exit 0 |
;; |
--last_stop) |
# Récupère la dernière ligne où %%%%%%%%%% est présent (séparateur) |
cat $logfile | grep -n "%%%%%%%%%%" | cut -d ':' -f1 | tail -n 1 |
exit 0 |
exit 0 |
;; |
--last_writeerror) |
#Récupère la dernière ligne où SECURITYERROR est présent (error) |
cat $logfile | grep -n "DEVICEWRITEERROR" | cut -d ':' -f1 | tail -n 1 |
exit 0 |
exit 0 |
;; |
--last_timeout) |
# Récupère la dernière ligne où SECURITYERROR est présent (error) |
cat $logfile | grep -n "TIMEOUT" | cut -d ':' -f1 | tail -n 1 |
exit 0 |
exit 0 |
;; |
--last_secu) |
# Récupère la dernière ligne où SECURITYERROR est présent (error) |
cat $logfile | grep -n "SECURITYERROR" | cut -d ':' -f1 | tail -n 1 |
exit 0 |
exit 0 |
;; |
--last_puk) |
# Récupère la dernière ligne où PUK est présent (error) |
cat $logfile | grep -n "UNKNOWN" | cut -d ':' -f1 | tail -n 1 |
exit 0 |
exit 0 |
;; |
#--log) |
# # Récupère le nom du fichier de log |
# cat $config | grep logfile | cut -d ' ' -f3 |
# exit 0 |
# exit 0 |
# ;; |
--connect) |
# Récupère la vitesse de co |
cat $config | grep connection | cut -d ' ' -f3 |
exit 0 |
exit 0 |
;; |
--replace_connect) |
# Edition de la vitesse de co |
sed -i "s/^connection = at.*/connection = at$2/g" $config |
exit 0 |
exit 0 |
;; |
--pin) |
# Récupère le code PIN (file de conf) |
cat $config | grep PIN | cut -d ' ' -f3 |
exit 0 |
exit 0 |
;; |
--replace_pin) |
# Edition du code PIN |
sed -i "s/^PIN =.*/PIN = $2/g" $config |
exit 0 |
exit 0 |
;; |
--try_ban) |
# Récupère le nombre d'essais avant le ban perm |
grep nb_essais= $script | head -n 1 | cut -d '=' -f2 |
exit 0 |
exit 0 |
;; |
--replace_try_ban) |
# Edition le nombre d'essais avant le ban perm |
sed -i "s/^nb_essais=.*/nb_essais=$2/g" $script |
exit 0 |
exit 0 |
;; |
--time_account) |
# Récupère la durée en jours de la session créée |
grep time_account= $script | head -n 1 | cut -d '=' -f2 |
exit 0 |
exit 0 |
;; |
--replace_time_account) |
# Edition de la durée de la session créée |
sed -i "s/^time_account=.*/time_account=$2/g" $script |
exit 0 |
exit 0 |
;; |
--time_perm) |
# Récupère la durée un jours d'un ban perm (après flood par exemple) |
grep time_ban= $script | head -n 1 | cut -d '=' -f2 |
exit 0 |
exit 0 |
;; |
--replace_time_perm) |
# Edition de la durée d'un ban perm |
sed -i "s/^time_ban=.*/time_ban=$2/g" $script |
exit 0 |
exit 0 |
;; |
--unlock_num) |
# Appel de la fonction unlock : deban un numero $2 |
unlock "$2" |
exit 0 |
exit 0 |
;; |
--change_country) |
# Permet de changer l'état de blocage d'un pays |
a="" |
for i in "$@" |
do |
do |
a=$(echo "$a $i") |
done |
a=$(echo $a | cut -d ' ' -f2-$#) |
514,12 → 514,12 |
--numero_alcasar) |
# Récupère le numero de la clé 3g (téléphone) |
grep "\$current_num=" $public_page | head -n 1 | cut -d"'" -f2 |
exit 0 |
exit 0 |
;; |
--replace_numero_alcasar) |
# Edition du numero de la clé 3g (téléphone) |
sed -i "s/\$current_num=.*/\$current_num='$2';/g" $public_page |
exit 0 |
exit 0 |
;; |
--mode) |
# Mode huawei |
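Review bot: `export salt='$1$passwd$'` at the top of `new_sms()` (hunk `166,34`) hard-codes one MD5-crypt salt for every SMS-created account, so the `Crypt-Password` values written by `add_acc_rad` are identical for identical passwords and a single precomputed table covers them all; generate a fresh salt per account, e.g. `salt='$1$'"$(tr -dc 'A-Za-z0-9./' </dev/urandom | head -c 8)"'$'`, and drop the `export` on both `salt` and `pass` so they are not inherited by every child process. The sender number is only checked for a leading `+` and an enabled country prefix before being spliced into statements such as `WHERE SenderNumber=$numero` (unquoted) and the `INSERT` queries; since the value originates in the modem inbox, a digit-only check `[[ "$numero" =~ ^[0-9]+$ ]] || continue` right after the `cut -d '+' -f2` would bound what reaches mysql. `pass` is also handed to `perl` on the command line, which briefly exposes the chosen password in the process list; reading it from stdin or the environment inside the perl one-liner avoids that. `new_sms()` continues past the `294,26` hunk, so some of this may be handled further down.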
/scripts/alcasar-uninstall.sh |
54,12 → 54,12 |
fi |
echo "Stopping service : " |
/usr/local/bin/alcasar-sms.sh --stop |
for i in $services |
for i in $services |
do |
if [ -e /lib/systemd/system/$i.service ] |
if [ -e /lib/systemd/system/$i.service ] |
then |
/usr/bin/systemctl disable $i.service |
/usr/bin/systemctl stop $i.service 1>/dev/null |
/usr/bin/systemctl stop $i.service 1>/dev/null |
sleep 1 |
else |
echo "The service $i.service doesn't exist !" |
157,7 → 157,7 |
sleep 1 |
echo -en "\n- antivirus (5) : " |
if [ -e /etc/init.d/havp ] |
if [ -e /etc/init.d/havp ] |
then |
[ -e /etc/havp/havp.config.default ] && mv /etc/havp/havp.config.default /etc/havp/havp.config && echo -n "1, " |
userdel -r havp 2>/dev/null && echo -n "2, " |
169,7 → 169,7 |
sleep 1 |
echo -en "\n- tinyproxy (2) : " |
if [ -e /etc/init.d/tinyproxy ] |
if [ -e /etc/init.d/tinyproxy ] |
then |
[ -e /etc/tinyproxy/tinyproxy.conf.default ] && mv /etc/tinyproxy/tinyproxy.conf.default /etc/tinyproxy/tinyproxy.conf && echo -n "1, " |
userdel -r tinyproxy 2>/dev/null && echo -n "2" |
222,8 → 222,8 |
i=3 |
for filter in `ls /etc/fail2ban/filter.d/alcasar_*` |
do |
i=`expr $i + 1` |
rm $filter && echo -n "$i, " |
i=`expr $i + 1` |
rm $filter && echo -n "$i, " |
done |
[ -e /lib/systemd/system/fail2ban.service.default ] && mv /lib/systemd/system/fail2ban.service.default /lib/systemd/system/fail2ban.service && echo -n "8" |
sleep 1 |
232,8 → 232,8 |
i=1 |
for cron in `ls /etc/cron.d/alcasar-*` |
do |
rm $cron && echo -n "$i, " |
i=`expr $i + 1` |
rm $cron && echo -n "$i, " |
i=`expr $i + 1` |
done |
[ -e /etc/crontab.default ] && mv /etc/crontab.default /etc/crontab && echo -n "10, " |
[ -e /etc/anacrontab.default ] && mv /etc/anacrontab.default /etc/anacrontab && echo -n "11" |
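Review bot: Hunks `222,8` and `232,8` iterate over the output of `ls` (the `for filter in` and `for cron in` lines) and then `rm $filter` / `rm $cron` unquoted, so a name containing whitespace is split into several `rm` arguments and a missing match only produces an `ls` error on stderr. Let the shell glob instead: `for filter in /etc/fail2ban/filter.d/alcasar_*; do [ -e "$filter" ] || continue; rm -- "$filter" && echo -n "$i, "; done`, with the same shape for the cron loop. The counters use `expr`; `i=$((i + 1))` is the builtin form. In hunk `54,12` `$i.service` is likewise unquoted in the `-e` test and both `systemctl` calls, and quoting there is free.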
/scripts/alcasar-url_filter_bl.sh |
7,9 → 7,9 |
# This script is distributed under the Gnu General Public License (GPL) |
# Active / désactive : safesearch des moteurs de recherche |
# Enable / disable : search engines safesearch |
# Enable / disable : search engines safesearch |
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine |
# Enable / disable : filter of urls containing ip address instead of domain name |
# Enable / disable : filter of urls containing ip address instead of domain name |
DIR_DG="/etc/dansguardian/lists" |
DNSMASQ_BL_CONF="/etc/dnsmasq-blacklist.conf" |
33,11 → 33,11 |
exit 0 |
;; |
# Safe search activation |
-safesearch_on | --safesearch_on) |
-safesearch_on | --safesearch_on) |
safesearch="On" |
;; |
# Safe search desactivation |
-safesearch_off | --safesearch_off) |
-safesearch_off | --safesearch_off) |
safesearch="Off" |
;; |
# pure_ip activation |
63,7 → 63,7 |
# $SED "/google/d" $DNSMASQ_BL_CONF # remove old google declaration |
# nossl_server=`host -ta nosslsearch.google.com|cut -d" " -f4` # retrieve google nosslsearch ip |
# echo "# nosslsearch redirect server for google" >> $DNSMASQ_BL_CONF |
# for gg_dnsname in .google.com .google.ad .google.ae .google.com.af .google.com.ag .google.com.ai .google.al .google.am .google.co.ao .google.com.ar .google.as .google.at .google.com.au .google.az .google.ba .google.com.bd .google.be .google.bf .google.bg .google.com.bh .google.bi .google.bj .google.com.bn .google.com.bo .google.com.br .google.bs .google.bt .google.co.bw .google.by .google.com.bz .google.ca .google.cd .google.cf .google.cg .google.ch .google.ci .google.co.ck .google.cl .google.cm .google.cn .google.com.co .google.co.cr .google.com.cu .google.cv .google.com.cy .google.cz .google.de .google.dj .google.dk .google.dm .google.com.do .google.dz .google.com.ec .google.ee .google.com.eg .google.es .google.com.et .google.fi .google.com.fj .google.fm .google.fr .google.ga .google.ge .google.gg .google.com.gh .google.com.gi .google.gl .google.gm .google.gp .google.gr .google.com.gt .google.gy .google.com.hk .google.hn .google.hr .google.ht .google.hu .google.co.id .google.ie .google.co.il .google.im .google.co.in .google.iq .google.is .google.it .google.je .google.com.jm .google.jo .google.co.jp .google.co.ke .google.com.kh .google.ki .google.kg .google.co.kr .google.com.kw .google.kz .google.la .google.com.lb .google.li .google.lk .google.co.ls .google.lt .google.lu .google.lv .google.com.ly .google.co.ma .google.md .google.me .google.mg .google.mk .google.ml .google.com.mm .google.mn .google.ms .google.com.mt .google.mu .google.mv .google.mw .google.com.mx .google.com.my .google.co.mz .google.com.na .google.com.nf .google.com.ng .google.com.ni .google.ne .google.nl .google.no .google.com.np .google.nr .google.nu .google.co.nz .google.com.om .google.com.pa .google.com.pe .google.com.pg .google.com.ph .google.com.pk .google.pl .google.pn .google.com.pr .google.ps .google.pt .google.com.py .google.com.qa .google.ro .google.ru .google.rw .google.com.sa .google.com.sb .google.sc .google.se .google.com.sg .google.sh .google.si .google.sk .google.com.sl 
.google.sn .google.so .google.sm .google.sr .google.st .google.com.sv .google.td .google.tg .google.co.th .google.com.tj .google.tk .google.tl .google.tm .google.tn .google.to .google.com.tr .google.tt .google.com.tw .google.co.tz .google.com.ua .google.co.ug .google.co.uk .google.com.uy .google.co.uz .google.com.vc .google.co.ve .google.vg .google.co.vi .google.com.vn .google.vu .google.ws .google.rs .google.co.za .google.co.zm .google.co.zw .google.cat |
# for gg_dnsname in .google.com .google.ad .google.ae .google.com.af .google.com.ag .google.com.ai .google.al .google.am .google.co.ao .google.com.ar .google.as .google.at .google.com.au .google.az .google.ba .google.com.bd .google.be .google.bf .google.bg .google.com.bh .google.bi .google.bj .google.com.bn .google.com.bo .google.com.br .google.bs .google.bt .google.co.bw .google.by .google.com.bz .google.ca .google.cd .google.cf .google.cg .google.ch .google.ci .google.co.ck .google.cl .google.cm .google.cn .google.com.co .google.co.cr .google.com.cu .google.cv .google.com.cy .google.cz .google.de .google.dj .google.dk .google.dm .google.com.do .google.dz .google.com.ec .google.ee .google.com.eg .google.es .google.com.et .google.fi .google.com.fj .google.fm .google.fr .google.ga .google.ge .google.gg .google.com.gh .google.com.gi .google.gl .google.gm .google.gp .google.gr .google.com.gt .google.gy .google.com.hk .google.hn .google.hr .google.ht .google.hu .google.co.id .google.ie .google.co.il .google.im .google.co.in .google.iq .google.is .google.it .google.je .google.com.jm .google.jo .google.co.jp .google.co.ke .google.com.kh .google.ki .google.kg .google.co.kr .google.com.kw .google.kz .google.la .google.com.lb .google.li .google.lk .google.co.ls .google.lt .google.lu .google.lv .google.com.ly .google.co.ma .google.md .google.me .google.mg .google.mk .google.ml .google.com.mm .google.mn .google.ms .google.com.mt .google.mu .google.mv .google.mw .google.com.mx .google.com.my .google.co.mz .google.com.na .google.com.nf .google.com.ng .google.com.ni .google.ne .google.nl .google.no .google.com.np .google.nr .google.nu .google.co.nz .google.com.om .google.com.pa .google.com.pe .google.com.pg .google.com.ph .google.com.pk .google.pl .google.pn .google.com.pr .google.ps .google.pt .google.com.py .google.com.qa .google.ro .google.ru .google.rw .google.com.sa .google.com.sb .google.sc .google.se .google.com.sg .google.sh .google.si .google.sk .google.com.sl 
.google.sn .google.so .google.sm .google.sr .google.st .google.com.sv .google.td .google.tg .google.co.th .google.com.tj .google.tk .google.tl .google.tm .google.tn .google.to .google.com.tr .google.tt .google.com.tw .google.co.tz .google.com.ua .google.co.ug .google.co.uk .google.com.uy .google.co.uz .google.com.vc .google.co.ve .google.vg .google.co.vi .google.com.vn .google.vu .google.ws .google.rs .google.co.za .google.co.zm .google.co.zw .google.cat |
# do |
# echo "address=/$gg_dnsname/$nossl_server" >> $DNSMASQ_BL_CONF |
# done |
71,7 → 71,7 |
$SED "/google/d" $DNSMASQ_BL_CONF # remove old google declaration |
forcesafesearch_server=`host -ta forcesafesearch.google.com|cut -d" " -f4` # retrieve google forcesafesearch ip |
echo "# SafeSearch redirect server for google" >> $DNSMASQ_BL_CONF |
for gg_dnsname in .google.com .google.ad .google.ae .google.com.af .google.com.ag .google.com.ai .google.al .google.am .google.co.ao .google.com.ar .google.as .google.at .google.com.au .google.az .google.ba .google.com.bd .google.be .google.bf .google.bg .google.com.bh .google.bi .google.bj .google.com.bn .google.com.bo .google.com.br .google.bs .google.bt .google.co.bw .google.by .google.com.bz .google.ca .google.cd .google.cf .google.cg .google.ch .google.ci .google.co.ck .google.cl .google.cm .google.cn .google.com.co .google.co.cr .google.com.cu .google.cv .google.com.cy .google.cz .google.de .google.dj .google.dk .google.dm .google.com.do .google.dz .google.com.ec .google.ee .google.com.eg .google.es .google.com.et .google.fi .google.com.fj .google.fm .google.fr .google.ga .google.ge .google.gg .google.com.gh .google.com.gi .google.gl .google.gm .google.gp .google.gr .google.com.gt .google.gy .google.com.hk .google.hn .google.hr .google.ht .google.hu .google.co.id .google.ie .google.co.il .google.im .google.co.in .google.iq .google.is .google.it .google.je .google.com.jm .google.jo .google.co.jp .google.co.ke .google.com.kh .google.ki .google.kg .google.co.kr .google.com.kw .google.kz .google.la .google.com.lb .google.li .google.lk .google.co.ls .google.lt .google.lu .google.lv .google.com.ly .google.co.ma .google.md .google.me .google.mg .google.mk .google.ml .google.com.mm .google.mn .google.ms .google.com.mt .google.mu .google.mv .google.mw .google.com.mx .google.com.my .google.co.mz .google.com.na .google.com.nf .google.com.ng .google.com.ni .google.ne .google.nl .google.no .google.com.np .google.nr .google.nu .google.co.nz .google.com.om .google.com.pa .google.com.pe .google.com.pg .google.com.ph .google.com.pk .google.pl .google.pn .google.com.pr .google.ps .google.pt .google.com.py .google.com.qa .google.ro .google.ru .google.rw .google.com.sa .google.com.sb .google.sc .google.se .google.com.sg .google.sh .google.si .google.sk .google.com.sl .google.sn 
.google.so .google.sm .google.sr .google.st .google.com.sv .google.td .google.tg .google.co.th .google.com.tj .google.tk .google.tl .google.tm .google.tn .google.to .google.com.tr .google.tt .google.com.tw .google.co.tz .google.com.ua .google.co.ug .google.co.uk .google.com.uy .google.co.uz .google.com.vc .google.co.ve .google.vg .google.co.vi .google.com.vn .google.vu .google.ws .google.rs .google.co.za .google.co.zm .google.co.zw .google.cat |
for gg_dnsname in .google.com .google.ad .google.ae .google.com.af .google.com.ag .google.com.ai .google.al .google.am .google.co.ao .google.com.ar .google.as .google.at .google.com.au .google.az .google.ba .google.com.bd .google.be .google.bf .google.bg .google.com.bh .google.bi .google.bj .google.com.bn .google.com.bo .google.com.br .google.bs .google.bt .google.co.bw .google.by .google.com.bz .google.ca .google.cd .google.cf .google.cg .google.ch .google.ci .google.co.ck .google.cl .google.cm .google.cn .google.com.co .google.co.cr .google.com.cu .google.cv .google.com.cy .google.cz .google.de .google.dj .google.dk .google.dm .google.com.do .google.dz .google.com.ec .google.ee .google.com.eg .google.es .google.com.et .google.fi .google.com.fj .google.fm .google.fr .google.ga .google.ge .google.gg .google.com.gh .google.com.gi .google.gl .google.gm .google.gp .google.gr .google.com.gt .google.gy .google.com.hk .google.hn .google.hr .google.ht .google.hu .google.co.id .google.ie .google.co.il .google.im .google.co.in .google.iq .google.is .google.it .google.je .google.com.jm .google.jo .google.co.jp .google.co.ke .google.com.kh .google.ki .google.kg .google.co.kr .google.com.kw .google.kz .google.la .google.com.lb .google.li .google.lk .google.co.ls .google.lt .google.lu .google.lv .google.com.ly .google.co.ma .google.md .google.me .google.mg .google.mk .google.ml .google.com.mm .google.mn .google.ms .google.com.mt .google.mu .google.mv .google.mw .google.com.mx .google.com.my .google.co.mz .google.com.na .google.com.nf .google.com.ng .google.com.ni .google.ne .google.nl .google.no .google.com.np .google.nr .google.nu .google.co.nz .google.com.om .google.com.pa .google.com.pe .google.com.pg .google.com.ph .google.com.pk .google.pl .google.pn .google.com.pr .google.ps .google.pt .google.com.py .google.com.qa .google.ro .google.ru .google.rw .google.com.sa .google.com.sb .google.sc .google.se .google.com.sg .google.sh .google.si .google.sk .google.com.sl .google.sn 
.google.so .google.sm .google.sr .google.st .google.com.sv .google.td .google.tg .google.co.th .google.com.tj .google.tk .google.tl .google.tm .google.tn .google.to .google.com.tr .google.tt .google.com.tw .google.co.tz .google.com.ua .google.co.ug .google.co.uk .google.com.uy .google.co.uz .google.com.vc .google.co.ve .google.vg .google.co.vi .google.com.vn .google.vu .google.ws .google.rs .google.co.za .google.co.zm .google.co.zw .google.cat |
do |
echo "address=/$gg_dnsname/$forcesafesearch_server" >> $DNSMASQ_BL_CONF |
done |
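Review bot: In the 71,7 hunk the value of `forcesafesearch_server` (`host -ta forcesafesearch.google.com|cut -d" " -f4`) is written into every `address=/…/` line of `$DNSMASQ_BL_CONF` without any check that `host` actually returned an address, and the previous google entries have already been deleted by the `$SED "/google/d"` line just above it. If the lookup fails, the fourth field of `host`'s error output lands in the config, so dnsmasq gets a broken entry for every google domain and the SafeSearch enforcement this block exists for is silently lost. Move the lookup above the `$SED` delete and validate it before touching the file, e.g. `case "$forcesafesearch_server" in ""|*[!0-9.]*) echo "cannot resolve forcesafesearch.google.com" >&2; exit 1;; esac`. The same unchecked variable feeds the SafeSearch loop in alcasar-url_filter_wl.sh (hunk 58,7), where its assignment is outside the hunk. The enclosing safesearch branch starts and ends outside this hunk, and the changed line here appears to be whitespace-only.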
/scripts/alcasar-url_filter_wl.sh |
9,7 → 9,7 |
# Active / désactive : safesearch des moteurs de recherche |
# Enable / disable : search engines safesearch |
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine |
# Enable / disable : filter of urls containing ip address instead of domain name |
# Enable / disable : filter of urls containing ip address instead of domain name |
TINY_CONF="/etc/tinyproxy/tinyproxy.conf" |
DNSMASQ_WL_CONF="/etc/dnsmasq-whitelist.conf" |
33,11 → 33,11 |
exit 0 |
;; |
# Safe search activation |
-safesearch_on | --safesearch_on) |
-safesearch_on | --safesearch_on) |
safesearch="On" |
;; |
# Safe search desactivation |
-safesearch_off | --safesearch_off) |
-safesearch_off | --safesearch_off) |
safesearch="Off" |
;; |
*) |
58,7 → 58,7 |
rm $IP_WL # remove old google declaration |
fi |
echo "# SafeSearch redirect server for google" >> $DNSMASQ_WL_CONF |
for gg_dnsname in .google.com .google.ad .google.ae .google.com.af .google.com.ag .google.com.ai .google.al .google.am .google.co.ao .google.com.ar .google.as .google.at .google.com.au .google.az .google.ba .google.com.bd .google.be .google.bf .google.bg .google.com.bh .google.bi .google.bj .google.com.bn .google.com.bo .google.com.br .google.bs .google.bt .google.co.bw .google.by .google.com.bz .google.ca .google.cd .google.cf .google.cg .google.ch .google.ci .google.co.ck .google.cl .google.cm .google.cn .google.com.co .google.co.cr .google.com.cu .google.cv .google.com.cy .google.cz .google.de .google.dj .google.dk .google.dm .google.com.do .google.dz .google.com.ec .google.ee .google.com.eg .google.es .google.com.et .google.fi .google.com.fj .google.fm .google.fr .google.ga .google.ge .google.gg .google.com.gh .google.com.gi .google.gl .google.gm .google.gp .google.gr .google.com.gt .google.gy .google.com.hk .google.hn .google.hr .google.ht .google.hu .google.co.id .google.ie .google.co.il .google.im .google.co.in .google.iq .google.is .google.it .google.je .google.com.jm .google.jo .google.co.jp .google.co.ke .google.com.kh .google.ki .google.kg .google.co.kr .google.com.kw .google.kz .google.la .google.com.lb .google.li .google.lk .google.co.ls .google.lt .google.lu .google.lv .google.com.ly .google.co.ma .google.md .google.me .google.mg .google.mk .google.ml .google.com.mm .google.mn .google.ms .google.com.mt .google.mu .google.mv .google.mw .google.com.mx .google.com.my .google.co.mz .google.com.na .google.com.nf .google.com.ng .google.com.ni .google.ne .google.nl .google.no .google.com.np .google.nr .google.nu .google.co.nz .google.com.om .google.com.pa .google.com.pe .google.com.pg .google.com.ph .google.com.pk .google.pl .google.pn .google.com.pr .google.ps .google.pt .google.com.py .google.com.qa .google.ro .google.ru .google.rw .google.com.sa .google.com.sb .google.sc .google.se .google.com.sg .google.sh .google.si .google.sk .google.com.sl .google.sn 
.google.so .google.sm .google.sr .google.st .google.com.sv .google.td .google.tg .google.co.th .google.com.tj .google.tk .google.tl .google.tm .google.tn .google.to .google.com.tr .google.tt .google.com.tw .google.co.tz .google.com.ua .google.co.ug .google.co.uk .google.com.uy .google.co.uz .google.com.vc .google.co.ve .google.vg .google.co.vi .google.com.vn .google.vu .google.ws .google.rs .google.co.za .google.co.zm .google.co.zw .google.cat |
for gg_dnsname in .google.com .google.ad .google.ae .google.com.af .google.com.ag .google.com.ai .google.al .google.am .google.co.ao .google.com.ar .google.as .google.at .google.com.au .google.az .google.ba .google.com.bd .google.be .google.bf .google.bg .google.com.bh .google.bi .google.bj .google.com.bn .google.com.bo .google.com.br .google.bs .google.bt .google.co.bw .google.by .google.com.bz .google.ca .google.cd .google.cf .google.cg .google.ch .google.ci .google.co.ck .google.cl .google.cm .google.cn .google.com.co .google.co.cr .google.com.cu .google.cv .google.com.cy .google.cz .google.de .google.dj .google.dk .google.dm .google.com.do .google.dz .google.com.ec .google.ee .google.com.eg .google.es .google.com.et .google.fi .google.com.fj .google.fm .google.fr .google.ga .google.ge .google.gg .google.com.gh .google.com.gi .google.gl .google.gm .google.gp .google.gr .google.com.gt .google.gy .google.com.hk .google.hn .google.hr .google.ht .google.hu .google.co.id .google.ie .google.co.il .google.im .google.co.in .google.iq .google.is .google.it .google.je .google.com.jm .google.jo .google.co.jp .google.co.ke .google.com.kh .google.ki .google.kg .google.co.kr .google.com.kw .google.kz .google.la .google.com.lb .google.li .google.lk .google.co.ls .google.lt .google.lu .google.lv .google.com.ly .google.co.ma .google.md .google.me .google.mg .google.mk .google.ml .google.com.mm .google.mn .google.ms .google.com.mt .google.mu .google.mv .google.mw .google.com.mx .google.com.my .google.co.mz .google.com.na .google.com.nf .google.com.ng .google.com.ni .google.ne .google.nl .google.no .google.com.np .google.nr .google.nu .google.co.nz .google.com.om .google.com.pa .google.com.pe .google.com.pg .google.com.ph .google.com.pk .google.pl .google.pn .google.com.pr .google.ps .google.pt .google.com.py .google.com.qa .google.ro .google.ru .google.rw .google.com.sa .google.com.sb .google.sc .google.se .google.com.sg .google.sh .google.si .google.sk .google.com.sl .google.sn 
.google.so .google.sm .google.sr .google.st .google.com.sv .google.td .google.tg .google.co.th .google.com.tj .google.tk .google.tl .google.tm .google.tn .google.to .google.com.tr .google.tt .google.com.tw .google.co.tz .google.com.ua .google.co.ug .google.co.uk .google.com.uy .google.co.uz .google.com.vc .google.co.ve .google.vg .google.co.vi .google.com.vn .google.vu .google.ws .google.rs .google.co.za .google.co.zm .google.co.zw .google.cat |
do |
echo "address=/$gg_dnsname/$forcesafesearch_server" >> $DNSMASQ_WL_CONF |
done |
/scripts/alcasar-urpmi.sh |
5,12 → 5,12 |
# by 3abtux and Rexy |
# This script is distributed under the Gnu General Public License (GPL) |
# script de mise en place des dépots RPM |
# script de mise en place des dépots RPM |
# configure the RPM repository |
Lang=`echo $LANG|cut -c 1-2` |
VERSION="6" |
ARCH="x86_64" |
ARCH="x86_64" |
# The kernel version we compile netflow for |
KERNEL="kernel-server-4.9.56-1.mga6-1-1.mga6" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
34,7 → 34,7 |
{ |
echo |
if [ $Lang == "fr" ] |
then |
then |
echo "Relancez l'installation ultérieurement." |
echo "Si vous rencontrez à nouveau ce problème, modifier les variables MIRRORLIST[1&2] du fichier 'scripts/alcasar-urpmi.sh'" |
else |
51,15 → 51,15 |
for i in $* |
do |
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ] |
then |
then |
DISTRIBUTION=`echo $i|cut -d"=" -f2` |
fi |
if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ] |
then |
then |
CURRENT_VERSION=`echo $i|cut -d"=" -f2` |
fi |
if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ] |
then |
then |
ARCH=`echo $i|cut -d"=" -f2` |
fi |
done |
71,7 → 71,7 |
# Set the RPM repository (if not already set) |
ACTIVE_REPO=`cat /etc/urpmi/urpmi.cfg|grep "mageia.org"|wc -l` |
MIRROR_NBR=2 |
# For Europeans |
# For Europeans |
MIRRORLIST1="http://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/$VERSION/$ARCH" |
# For International install |
MIRRORLIST2="http://mirrors.mageia.org/api/mageia.$VERSION.$ARCH.list" |
80,12 → 80,12 |
do |
try_nb=`expr $try_nb + 1` |
MIRRORLIST="MIRRORLIST$try_nb" |
rpm_repository_sync |
rpm_repository_sync |
nb_repository=`cat /etc/urpmi/urpmi.cfg|grep mirrorlist|wc -l` |
if [ "$nb_repository" != "4" ] |
then |
if [ $Lang == "fr" ] |
then |
then |
echo "Une erreur a été détectée lors de la synchronisation avec le dépot N°$try_nb." |
else |
echo "An error occurs when synchronising the repositories N°$try_nb" |
96,7 → 96,7 |
exit 1 |
fi |
if [ $Lang == "fr" ] |
then |
then |
echo "Voulez-vous tenter une synchronisation avec un autre dépôt ? (O/n)" |
else |
echo "Do you wan't to try a synchronisation with an other repository? (Y/n)" |
107,7 → 107,7 |
do |
read response |
done |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
then |
exit 1 |
fi |
116,7 → 116,7 |
# download the kernel used by ALCASAR and fix its version |
if [ $Lang == "fr" ] |
then |
then |
echo "Récupération du noyau Linux exploité par ALCASAR. Veuillez patienter ..." |
else |
echo "Download the Linux kernel used by ALCASAR. Please wait ..." |
123,9 → 123,9 |
fi |
echo "/^kernel/" > /etc/urpmi/skip.list |
urpmi --auto --quiet $KERNEL |
# download updated RPM in cache |
# download updated RPM in cache |
if [ $Lang == "fr" ] |
then |
then |
echo "Récupération des paquetages de mise à jour. Veuillez patienter ..." |
echo "Il est temps d'aller prendre un café (ou une bonne bière) ;-)" |
else |
137,7 → 137,7 |
then |
echo |
if [ $Lang == "fr" ] |
then |
then |
echo "Une erreur a été détectée lors de la récupération des paquetages." |
else |
echo "An error occurs when downloading RPMS" |
152,7 → 152,7 |
then |
echo |
if [ $Lang == "fr" ] |
then |
then |
echo "Une erreur a été détectée lors de la mise à jour des paquetages." |
else |
echo "An error occurs when updating packages" |
165,7 → 165,7 |
# Download of ALCASAR specifics RPM in cache (and test) |
if [ $Lang == "fr" ] |
then |
then |
echo "Récupération des paquetages complémentaires. Veuillez patienter ..." |
else |
echo "Download of complementary packages. Please wait ..." |
175,7 → 175,7 |
then |
echo |
if [ $Lang == "fr" ] |
then |
then |
echo "Une erreur a été détectée lors de la récupération des paquetages complémentaires." |
else |
echo "An error occurs when downloading complementary packages" |
185,12 → 185,12 |
fi |
# update with cached RPM |
urpmi --auto $PACKAGES |
urpmi --auto $PACKAGES |
if [ "$?" != "0" ] |
then |
echo |
if [ $Lang == "fr" ] |
then |
then |
echo "Une erreur a été détectée lors de l'installation des paquetages complémentaires." |
else |
echo "An error occurs when installing complementary packages" |
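Review bot: `Lang=\`echo $LANG|cut -c 1-2\`` in the 5,12 hunk is empty when `LANG` is unset, and each `if [ $Lang == "fr" ]` in the later hunks then expands to `[ == "fr" ]`, which `test` rejects with an error instead of falling through to the English branch. Default and quote it: `Lang=$(printf '%s' "${LANG:-en}" | cut -c 1-2)` and `if [ "$Lang" = "fr" ]` (`==` inside `[` is also a bashism). Separately, `MIRRORLIST1` and `MIRRORLIST2` in the 71,7 hunk are plain `http://` URLs and nothing in these hunks shows signature checking, so the integrity of the downloaded RPMs and of the pinned `$KERNEL` rests on urpmi's own GPG verification being enabled for these media — worth confirming. The changed lines in these hunks look whitespace-only.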
/scripts/alcasar-version.sh |
26,7 → 26,7 |
MAJ="True" |
fi |
#compare minor number |
if [ $MAJ_RUNNING_VERSION -eq $MAJ_DNS_VERSION ] |
if [ $MAJ_RUNNING_VERSION -eq $MAJ_DNS_VERSION ] |
then |
if [ $MIN_RUNNING_VERSION -lt $MIN_DNS_VERSION ] |
then |
41,7 → 41,7 |
then |
MAJ="True" |
else |
if [ $UPD_RUNNING_VERSION -lt $UPD_DNS_VERSION ] |
if [ $UPD_RUNNING_VERSION -lt $UPD_DNS_VERSION ] |
then |
MAJ="True" |
fi |
51,8 → 51,8 |
fi |
if [ $MAJ = "True" ] |
then |
then |
echo "An updated version is available ($DNS_VERSION)" |
else |
else |
echo "The Running version ($RUNNING_VERSION) is up to date" |
fi |
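Review bot: The numeric tests in the 26,7 and 41,7 hunks, `[ $MAJ_RUNNING_VERSION -eq $MAJ_DNS_VERSION ]` and `[ $UPD_RUNNING_VERSION -lt $UPD_DNS_VERSION ]`, compare unquoted values whose origin (by name, a DNS record) is not validated in these hunks; if the lookup fails or the record is not numeric, `test` prints "integer expression expected" and the comparison evaluates false, so the script reports "up to date" on a failed check. Add a guard before the comparisons, e.g. `for v in "$MAJ_DNS_VERSION" "$MIN_DNS_VERSION" "$UPD_DNS_VERSION"; do case "$v" in ""|*[!0-9]*) echo "invalid version record" >&2; exit 1;; esac; done`, and quote the operands. The `*_DNS_VERSION` assignments are outside these hunks, so their origin is inferred; the visible changes look whitespace-only.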
/scripts/alcasar-watchdog.sh |
43,7 → 43,7 |
;; |
esac |
net_pb=`grep "network_pb = true;" $Index_Page|wc -l` |
if [ $net_pb = "0" ] # user alert (only the first time) |
if [ $net_pb = "0" ] # user alert (only the first time) |
then |
/bin/sed -i "s?^\$network_pb.*?\$network_pb = true;?g" $Index_Page |
$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56 |
145,5 → 145,5 |
fi |
done |
;; |
esac |
esac |
IFS=$OLDIFS |
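Review bot: `net_pb=\`grep "network_pb = true;" $Index_Page|wc -l\`` followed by `if [ $net_pb = "0" ]` in the 43,7 hunk is the `grep | wc -l` idiom with an unquoted path; `net_pb=$(grep -c "network_pb = true;" "$Index_Page")` and `if [ "$net_pb" = "0" ]` do the same job and survive a path with spaces. The `$IPTABLES -I PREROUTING -t nat … -j REDIRECT --to-port 56` on the next line is only inserted when the page flag flips from false to true, so if the nat table is flushed while the flag stays set the DNS redirect is not restored — I cannot see the rule's removal path from here, so this is something to confirm rather than a certain defect. The enclosing `if` ends outside the hunk, and the changed lines in both hunks appear whitespace-only.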