/CHANGELOG |
---|
3,10 → 3,11 |
********** ALCASAR CHANGELOG ********** |
-------------------- 3.5.0 -------------------- |
NEWS |
- Mageia7.1 and Linux Kernel 5.6.8 |
- Mageia7.1 and Linux Kernel 5.6.14 |
- All user pages are now responsive. Thanks to Clément GELINEAU |
- Add an additional BL : Malwares Command & Control servers (C&C) from "osint.bambenekconsulting.com/feeds/". Thanks to Sven RATH |
- Add IoT live capture (to detect private data leakage). Thanks to Dorian LEMOINE & Guillaume GELLUSSEAU |
- Update processes have been improved |
ACC |
- "sysinfo" is displayed with "phpsysinfo 3.3.2" |
- global flow statistics generated by "vnstat-dashboard" (instead of "vnstat-frontend") |
/VERSION |
---|
1,0 → 0,0 |
3.5b |
3.5 |
/alcasar.sh |
---|
1584,7 → 1584,8 |
[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist |
[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist |
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole |
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; } |
[ -d /var/log/unbound ] || mkdir /var/log/unbound |
chown unbound:unbound /var/log/unbound |
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default |
# Forward zone configuration file for all unbound dns servers |
1628,7 → 1629,6 |
name: "lo" |
local-zone: "$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1" |
local-data-ptr "127.0.0.1 $HOSTNAME.$DOMAIN" |
view-first: yes |
EOF |
1722,6 → 1722,9 |
name: "$INTIF" |
local-zone: "." redirect |
local-data: ". A $PRIVATE_IP" |
local-zone: "$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN" |
EOF |
# Configuration file for blackhole unbound |
1732,7 → 1735,6 |
hide-identity: yes |
do-ip6: no |
include: /etc/unbound/conf.d/blackhole/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/common/local-forward/* |
EOF |
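Review bot: In the 1584 hunk the unbound log directory is created with a bare `mkdir` followed by `chown unbound:unbound /var/log/unbound`, so its mode is whatever the installer's umask happens to give. Resolver logs may contain client query names, so I would set owner and mode explicitly in one step: `install -d -o unbound -g unbound -m 0750 /var/log/unbound`. That call is idempotent, so the `[ -d ... ] ||` guard can be dropped, and it also corrects the mode of a directory left over from an earlier install. The enclosing function starts and ends outside the hunk.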
/blacklist/blacklists.tar.gz |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
/conf/etc/alcasar-iptables-local.sh |
---|
43,7 → 43,7 |
#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport $SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT |
#$IPTABLES -A INPUT -p tcp -s $SMTP_IP --sport $SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT |
# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN depuis Internet |
# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN à partir d'Internet |
# Allow PAT (Port Adresse Translation) |
# example for the external UDP-TCP port 11222 which is redirected to the internal IP 192.168.182.10 on port 22 |
#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22 |
/conf/logrotate.d/mysqld |
---|
File deleted |
Property changes: |
Deleted: svn:keywords |
-Id Author Date |
\ No newline at end of property |
/conf/logrotate.d/admin_log |
---|
1,7 → 1,6 |
/var/Save/security/acc_access.log{ |
/var/Save/security/acc_access.log { |
rotate 12 |
monthly |
missingok |
notifempty |
endscript |
} |
/conf/logrotate.d/ulogd |
---|
1,6 → 1,6 |
/var/log/ulogd/ulogd.log { |
missingok |
notifyempty |
notifempty |
create 0640 ulogd ulogd |
sharedscripts |
} |
/scripts/alcasar-conf.sh |
---|
153,7 → 153,7 |
[ -e $DIR_UPDATE/etc/alcasar-uamallowed ] && cp -f $DIR_UPDATE/etc/alcasar-uamallowed $DIR_ETC/ # exception IP_addresses or network_IP_addresses |
[ -e $DIR_UPDATE/etc/alcasar-ethers ] && cp -f $DIR_UPDATE/etc/alcasar-ethers $DIR_ETC/ # DHCP static hosts |
[ -e $DIR_UPDATE/etc/alcasar-ethers-info ] && cp -f $DIR_UPDATE/etc/alcasar-ethers-info $DIR_ETC/ # DHCP static hosts information |
[ -e $DIR_UPDATE/etc/hosts ] && cp -f $DIR_UPDATE/etc/hosts /etc/ && $DIR_BIN/alcasar-dns-local.sh -hosts_to_unbound # local hosts name |
[ -e $DIR_UPDATE/etc/hosts ] && cp -f $DIR_UPDATE/etc/hosts /etc/ # local host name resolution |
# Retrieve BL/WL custom files |
cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/ |
377,20 → 377,6 |
forward-addr: $DNS1 |
forward-addr: $DNS2 |
EOF |
# Configuration file of ALCASAR main domains for $INTIF |
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
server: |
local-zone: "$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN" |
EOF |
if [ "$HOSTNAME" != 'alcasar' ] |
then |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf |
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf |
fi |
# Configuration file for lo of forward |
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf |
server: |
429,16 → 415,6 |
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP" |
EOF |
# Configuration file for $INTIF of blackhole |
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@56 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
view: |
name: "$INTIF" |
local-zone: "." redirect |
local-data: ". A $PRIVATE_IP" |
EOF |
# dhcpd |
cat <<EOF > /etc/dhcpd.conf |
ddns-update-style none; |
451,6 → 427,7 |
max-lease-time 43200; |
} |
EOF |
$DIR_BIN/alcasar-dns-local.sh -hosts_to_unbound # add local name resoution to unbound (forward & blackhole) |
# tinyproxy |
$SED "s?^Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf |
# DG + BL |
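Review bot: The call `$DIR_BIN/alcasar-dns-local.sh -hosts_to_unbound` added in the 451 hunk ignores its exit status. Judging by the line counts of the 377 and 429 hunks, the inline heredocs for the local-dns file and the blackhole interface file are removed, which would make this call the only place they are generated. If the helper fails, unbound is left without the `interface: ${PRIVATE_IP}@56` stanza and nothing is reported. I would check the status, for example `"$DIR_BIN"/alcasar-dns-local.sh -hosts_to_unbound || echo "alcasar-dns-local.sh -hosts_to_unbound failed" >&2`, and fix the comment typo "resoution" to "resolution". The surrounding function is outside the hunk.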
/scripts/alcasar-dns-local.sh |
---|
17,10 → 17,12 |
# define DNS parameters (LAN side) |
INT_DNS_DOMAIN=`grep ^DOMAIN $ALCASAR_CONF_FILE|cut -d"=" -f2` |
INT_DNS_HOST=`grep ^HOSTNAME $ALCASAR_CONF_FILE|cut -d"=" -f2` |
INT_DNS_IP_MASK=`grep ^PRIVATE_IP $ALCASAR_CONF_FILE|cut -d"=" -f2` |
INT_DNS_IP=`grep ^PRIVATE_IP $ALCASAR_CONF_FILE|cut -d"=" -f2|cut -d"/" -f1` |
INTIF=`grep ^INTIF $ALCASAR_CONF_FILE|cut -d"=" -f2` |
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $ALCASAR_CONF_FILE|cut -d"=" -f2` |
LOCAL_DNS_FILE="/etc/unbound/conf.d/common/local-dns/$INTIF.conf" |
LOCAL_DNS_BLACKHOLE_FILE="/etc/unbound/conf.d/blackhole/iface.$INTIF.conf" |
usage="Usage: alcasar-dns-local.sh {--on | -on} | {--off | -off} | {--add | -add} ip domain | {--del | -del} ip domain | {--reload | -reload}" |
nb_args=$# |
38,7 → 40,7 |
done |
} |
function hosts_to_unbound(){ |
function hosts_to_unbound(){ # configure the unbound conf file with local host names resolution (forward + blackhole) |
cat << EOF > $LOCAL_DNS_FILE |
server: |
local-zone: "$INT_DNS_DOMAIN" static |
45,6 → 47,26 |
local-data: "$INT_DNS_HOST.$INT_DNS_DOMAIN A $INT_DNS_IP" |
local-data-ptr: "$INT_DNS_IP $INT_DNS_HOST.$INT_DNS_DOMAIN" |
EOF |
if [ "$HOSTNAME" != 'alcasar' ] |
then |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf |
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf |
fi |
cat << EOF > $LOCAL_DNS_BLACKHOLE_FILE |
server: |
server: |
interface: ${INT_DNS_IP}@56 |
access-control-view: $INT_DNS_IP_MASK $INTIF |
view: |
name: "$INTIF" |
local-zone: "." redirect |
local-data: ". A $INT_DNS_IP" |
local-zone: "$INT_DNS_DOMAIN" static |
local-data: "$INT_DNS_HOST.$INT_DNS_DOMAIN A $INT_DNS_IP" |
local-data-ptr: "$INT_DNS_IP $INT_DNS_HOST.$INT_DNS_DOMAIN" |
EOF |
while read -r line |
do |
ip_address=$(echo $line | awk '{ print $1 }') |
51,8 → 73,10 |
domain=$(echo $line | awk '{ print $2 }') |
if ! echo $line | grep -E -q "^([0-9\.\t ]+alcasar( |$)|127\.0\.0)" |
then |
echo -e "\tlocal-data: \"$domaini.$INT_DNS_DOMAIN A $ip_address\"" >> $LOCAL_DNS_FILE |
echo -e "\tlocal-data: \"$domain.$INT_DNS_DOMAIN A $ip_address\"" >> $LOCAL_DNS_FILE |
echo -e "\tlocal-data-ptr: \"$ip_address $domain.$INT_DNS_DOMAIN\"" >> $LOCAL_DNS_FILE |
echo -e "\tlocal-data: \"$domain.$INT_DNS_DOMAIN A $ip_address\"" >> $LOCAL_DNS_BLACKHOLE_FILE |
echo -e "\tlocal-data-ptr: \"$ip_address $domain.$INT_DNS_DOMAIN\"" >> $LOCAL_DNS_BLACKHOLE_FILE |
fi |
done < $LOCAL_HOSTNAME_FILE |
} |
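Review bot: The block added to hosts_to_unbound at `if [ "$HOSTNAME" != 'alcasar' ]` uses `$HOSTNAME` and `$PRIVATE_IP`, the names from alcasar-conf.sh, while this script reads the same settings into `INT_DNS_HOST` and `INT_DNS_IP`. Unless those names are set in lines not shown, the test compares bash's own system hostname and the record is written with an empty address. The two lines of the form `local-zone: "alcasar A …"` carry a resource record and look like they should be `local-data:`. The appends to /etc/unbound/conf.d/forward/iface.lo.conf will also pile up on repeated calls, since this function never rewrites that file. A rewrite of the block follows; separately, `server:` appears twice in the blackhole heredoc and one copy can go.

```shell
	if [ "$INT_DNS_HOST" != 'alcasar' ]
	then
		echo -e "\tlocal-zone: \"alcasar\" static" >> "$LOCAL_DNS_FILE"
		echo -e "\tlocal-data: \"alcasar A $INT_DNS_IP\"" >> "$LOCAL_DNS_FILE"
		# iface.lo.conf is not regenerated by this function: append only once
		if ! grep -q 'local-zone: "alcasar" static' /etc/unbound/conf.d/forward/iface.lo.conf
		then
			echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf
			echo -e "\tlocal-data: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf
		fi
	fi
	# … unchanged: blackhole heredoc and the hosts-file loop …
```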
/scripts/alcasar-uninstall.sh |
---|
196,7 → 196,7 |
cron () |
{ |
# /etc/cron.d/alcasar-daemon-watchdog is removed at the beginning of this script |
echo -en "(13) : " |
echo -en "(12) : " |
i=1 |
for cron in `ls /etc/cron.d/alcasar-* 2>/dev/null` |
do |
203,8 → 203,8 |
rm $cron && echo -n "$i, " |
i=`expr $i + 1` |
done |
[ -e /etc/crontab.default ] && mv /etc/crontab.default /etc/crontab && echo -n "12, " |
[ -e /etc/anacrontab.default ] && mv /etc/anacrontab.default /etc/anacrontab && echo -n "13" |
[ -e /etc/crontab.default ] && mv /etc/crontab.default /etc/crontab && echo -n "11, " |
[ -e /etc/anacrontab.default ] && mv /etc/anacrontab.default /etc/anacrontab && echo -n "12" |
} |
fail2ban () |
/web/index.php |
---|
489,7 → 489,7 |
<head> |
<meta charset="UTF-8"> |
<meta name="viewport" content="width=device-width, initial-scale=1.0"> |
<title>ALCASAR - <?= $l_title ?></title> |
<title><?= $l_title ?></title> |
<link rel="stylesheet" type="text/css" href="<?= ((!$direct_access) ? "//$hostname" : '') ?>/css/bootstrap.min.css"> |
<link rel="stylesheet" type="text/css" href="/css/index.css"> |
<link rel="icon" href="/images/favicon-48.ico" type="image/ico"> |