Subversion Repositories ALCASAR

Compare Revisions


Ignore whitespace Rev 3192 → Rev 3193

/CHANGELOG.md
1,9 → 1,11
# ALCASAR CHANGELOG
 
## 3.7.0 (SVN revision: 3180)
## 3.7.0 (SVN revision: xxxx)
* NEWS
* Mageia9 (kernel 6.6.22)
* CHANGES
* ACC
* use nmap's MAC prefix file instead of our
* BUGS
* SECURITY
* WEB
/alcasar.sh
909,8 → 909,6
[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
chown root:apache $DIR_SAVE/security/acc_access.log
chmod 664 $DIR_SAVE/security/acc_access.log
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
} # End of ACC()
 
#############################################################
921,11 → 919,12
{
[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
$SED "s?^pool.*?pool fr.pool.ntp.org iburst?g" /etc/ntp.conf
$SED '$ainterface ignore wildcard' /etc/ntp.conf
$SED '$ainterface listen lo' /etc/ntp.conf
$SED '$ainterface listen $INTIF' /etc/ntp.conf
echo "interface ignore wildcard" >> /etc/ntp.conf
echo "interface listen lo" >> /etc/ntp.conf
echo "interface listen $INTIF" >> /etc/ntp.conf
# Synchronize now
ntpdate fr.pool.ntp.org &
sleep 2 # wait for time server responce
} # End of time_server()
 
#####################################################################
1270,7 → 1269,7
 
################################################################
## "e2guardian" ##
## - Set the parameters of this HTML proxy (as controler) ##
## - Set the parameters of this HTTP proxy (as controler) ##
################################################################
e2guardian()
{
1284,15 → 1283,18
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
# French deny HTML page
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
# +++ listen & loop prevention on loopback
$SED "s?^#checkip = 127.0.0.1.*?checkip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
# 2 filtergroups (8080 & 8090)
$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
# Listen on 8080 (HTTP for BL users) only on LAN side
$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
$SED "s?^#filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
# Listen on LAN only
$SED "s?^#filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
# Listen on 8080 (group1 : BL users on HTTP)
$SED "s?^#filterports = 8080.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
# Listen on 8081 (group2 : previously AV users --> to be redefine)
# $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
$SED "s?^#filterports = 8081.*?filterports = 8081?g" $DIR_DG/e2guardian.conf
# for now we don't listen transparently on 8443 (HTTPS) (only in future version)
$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
# Don't log
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1301,15 → 1303,10
# Enable authport plugin
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
# Set Max RAM cache to 10Mb
$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf
# Set Max file size cache to 20Mb
$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_DG/e2guardian.conf
# Adapt the first group conf file
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
# !!! Set Max RAM cache to 10Mb (for antimalware/EDR)
#$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf
# !!! Set Max file size cache to 20Mb (for antimalware/EDR)
#$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_DG/e2guardian.conf
 
# copy & adapt HTML templates
cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
1317,29 → 1314,26
$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
 
###### ALCASAR special filtering ####
###### ALCASAR filtering for group1 (blacklisted_users) ####
# Adapt group1 conf file
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
$SED "s/^#reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
$SED "s/^#groupname =.*/groupname = 'blacklisted_users'/g" $DIR_DG/e2guardianf1.conf
$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
$SED "s/^.Define LISTDIR.*/.Define LISTDIR <$DIR_DG/lists/group1/g" $DIR_DG/e2guardianf1.conf
DIR_GROUP1="$DIR_DG/lists/group1"
cp -r $DIR_DG/lists/example.group $DIR_GROUP1
chown -R e2guardian:root $DIR_GROUP1
# RAZ bannedphraselist
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
$SED "s?^[^#]?#&?g" $DIR_GROUP1/bannedphraselist # (comment what is not)
# Disable URL control with regex
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash...
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
# [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
# cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
$SED "s?^[^#]?#&?g" $DIR_GROUP1/bannedregexpurllist # (comment what is not)
# Dont filtering files by extension or mime-type (empty list)
[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
touch $DIR_DG/lists/bannedextensionlist
[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
touch $DIR_DG/lists/bannedmimetypelist
# Empty LAN IP list that won't be WEB filtered
[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
touch $DIR_DG/lists/exceptioniplist
> $DIR_GROUP1/bannedextensionlist
> $DIR_GROUP1/bannedmimetypelist
# Creation of ALCASAR banned site list
[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
cat <<EOF > $DIR_DG/lists/greysitelist
[ -e $DIR_GROUP1/greysitelist.default ] || mv $DIR_GROUP1/greysitelist $DIR_GROUP1/greysitelist.default
cat <<EOF > $DIR_GROUP1/greysitelist
# E2guardian filter config for ALCASAR
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
# block all SSL and CONNECT tunnels
1350,35 → 1344,34
*ip
EOF
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
cat <<EOF > $DIR_DG/lists/bannedurllist
# E2guardian filter config for ALCASAR
[ -e $DIR_GROUP1/bannedurllist.default ] || mv $DIR_GROUP1/bannedurllist $DIR_GROUP1/bannedurllist.default
cat <<EOF > $DIR_GROUP1/bannedurllist
# E2guardian URL filter config for ALCASAR
EOF
# Creation of files for rehabilited domains and urls
[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
touch $DIR_DG/lists/exceptionsitelist
touch $DIR_DG/lists/exceptionurllist
[ -e $DIR_GROUP1/exceptionsitelist.default ] || mv $DIR_GROUP1/exceptionsitelist $DIR_GROUP1/exceptionsitelist.default
[ -e $DIR_GROUP1/exceptionurllist.default ] || mv $DIR_GROUP1/exceptionurllist $DIR_GROUP1/exceptionurllist.default
touch $DIR_GROUP1/exceptionsitelist
touch $DIR_GROUP1/exceptionurllist
# Add Bing to the safesearch url regext list (parental control)
[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
cat <<EOF >> $DIR_DG/lists/urlregexplist
 
[ -e $DIR_GROUP1/urlregexplist.default ] || cp $DIR_GROUP1/urlregexplist $DIR_GROUP1/urlregexplist.default
cat <<EOF >> $DIR_GROUP1/urlregexplist
# Bing - add 'adlt=strict'
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
EOF
# 'Safesearch' regex actualisation
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
$SED "s?images?search?g" $DIR_GROUP1/urlregexplist
# change the google safesearch ("safe=strict" instead of "safe=vss")
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
$SED "s?safe=vss?safe=strict?g" $DIR_GROUP1/urlregexplist
 
# Create & adapt the second group conf file (av + av_wl)
# Create & adapt group2 conf file (av + av_wl)
cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
$SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
$SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
$SED "s?^urllist = 'name=banned,messageno=501,path=__LISTEN__/bannedurllist'?urllist = 'name=banned,messageno=501,path=__LISTEN__/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
 
# create log folder
mkdir -p /var/log/e2guardian
mkdir -p /var/log/e2guardian
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
} # End of e2guardian()
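Review bot: The new LISTDIR substitution in e2guardian() uses `/` as the sed delimiter while its replacement contains the path `$DIR_DG/lists/group1`, so sed will reject the expression and e2guardianf1.conf keeps its stock LISTDIR. If that happens, the lists this function and alcasar-bl.sh now write under `$DIR_GROUP1` are presumably not the ones group1 filters with, which silently weakens URL filtering. The replacement also opens `<` without what appears to be the required closing `>`. Use the `?` delimiter as the neighbouring lines do: `$SED "s?^.Define LISTDIR.*?.Define LISTDIR <$DIR_DG/lists/group1>?g" $DIR_DG/e2guardianf1.conf`. In the group2 block, `__LISTEN__` looks like a typo for a list-directory placeholder and should be checked against the shipped e2guardianf1.conf, otherwise that substitution matches nothing.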
 
/conf/nmap-mac-prefixes
File deleted
/rpms/ipt-netflow-2.6.spec
1,8 → 1,9
%define kversion 5.15.126-server-1.mga8
%define kversion 6.6.22-server-1.mga9
%define debug_package %{nil}
%define _build_id_links none
Name: ipt-netflow
Version: 2.6
Release: %mkrel 1
Release: %mkrel 0
Summary: Netflow iptables module for Linux kernel
License: GPLv2
Packager: Richard REY (Rexy)
19,7 → 20,7
%setup -q -n ipt-netflow-%{version}
 
%build
./configure --kdir=/usr/src/kernel-5.15.126-server-1.mga8 --disable-dkms --disable-snmp-agent
./configure --kdir=/usr/src/kernel-%{kversion} --disable-dkms --disable-snmp-agent
%make_build
 
%install
42,9 → 43,12
/lib64/iptables/libipt_NETFLOW.so
/lib64/iptables/libip6t_NETFLOW.so
/lib/modules/%kversion/extra/ipt_NETFLOW.ko
/lib/modules/%kversion/updates/ipt_NETFLOW.ko
 
%changelog
* Fri Nov 14 2023 Richard REY <Rexy>
* Sun Apr 21 2024 Richard REY <Rexy>
- Version 2.6 for the kernel 6.6.22 (ALCASAR 3.7.0)
* Tue Nov 14 2023 Richard REY <Rexy>
- Version 2.6 for the kernel 5.15.126 (ALCASAR 3.6.1)
* Fri Dec 30 2022 Richard REY <Rexy>
- Version 2.6 for the kernel 5.15.86 (ALCASAR 3.6.0)
/rpms/x86_64/ipt-netflow-2.6-1.mga8.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/rpms/x86_64/ipt-netflow-2.6-0.mga9.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Added: svn:mime-type
+application/octet-stream
\ No newline at end of property
/scripts/alcasar-bl.sh
18,6 → 18,7
FILE_ip_tmp="/tmp/filesipfilter.txt"
DIR_DG="/etc/e2guardian/lists"
DIR_DG_BL="$DIR_DG/blacklists"
DIR_DG_GROUP1="$DIR_DG/group1"
GLOBAL_USAGE="$DIR_CONF/alcasar-global-usage" # file containing the description of the lists
BL_CATEGORIES="$DIR_CONF/alcasar-bl-categories" # list of names of the BL categories
WL_CATEGORIES="$DIR_CONF/alcasar-wl-categories" # ' ' WL categories
57,7 → 58,7
chown root:apache $DIR_CONF/update_cat.conf
chmod 660 $DIR_CONF/update_cat.conf
fi
$SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG
$SED "/\.Include/d" $DIR_DG_GROUP1/bannedsitelist $DIR_DG_GROUP1/bannedurllist # cleaning for DG
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines)
 
# process the file $BL_CATEGORIES with the choice of categories
67,8 → 68,8
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $BL_CATEGORIES
ln -sf $DIR_DNS_BL/$ENABLE_CATEGORIE.conf $DIR_DNS_BL_ENABLED/$ENABLE_CATEGORIE
ln -sf $DIR_IP_BL/$ENABLE_CATEGORIE $DIR_IP_BL_ENABLED/$ENABLE_CATEGORIE
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG/bannedsitelist # Blacklisted domains are managed by unbound
echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/urls>" >> $DIR_DG/bannedurllist
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG_GROUP1/bannedsitelist # Blacklisted domains are managed by unbound
echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/urls>" >> $DIR_DG_GROUP1/bannedurllist
done
sort +0.0 -0.2 $BL_CATEGORIES -o $FILE_tmp
mv $FILE_tmp $BL_CATEGORIES
289,7 → 290,7
cat_choice
# for unbound (rehabilitated domain names)
rm -f $REHABILITATED_DNS_FILE
if [ "$(wc -w $DIR_DG/exceptionsitelist | cut -d " " -f1)" != "0" ]
if [ "$(wc -w $DIR_DG_GROUP1/exceptionsitelist | cut -d " " -f1)" != "0" ]
then
touch $REHABILITATED_DNS_FILE
while read -r domain; do
296,7 → 297,7
[ -z "$domain" ] && continue
echo "local-zone: $domain typetransparent" >> $REHABILITATED_DNS_FILE
echo "local-zone-tag: $domain \"\"" >> $REHABILITATED_DNS_FILE
done < $DIR_DG/exceptionsitelist
done < $DIR_DG_GROUP1/exceptionsitelist
fi
# adapt OSSI BL & WL custom files
for dir in $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
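Review bot: Each line of `$DIR_DG_GROUP1/exceptionsitelist` is written verbatim into `$REHABILITATED_DNS_FILE` as an unbound `local-zone:` directive, with only the empty-line test in between. That list is filled from the ACC form in bl_filter.php, and `form_filter` is not visible here, so a line holding spaces, quotes or other non-hostname characters may end up as malformed or unintended unbound configuration. A format check after the `-z` test would close this, for example `case "$domain" in *[!A-Za-z0-9._-]*) continue;; esac`. The `while read` loop spans two hunks and is only partly visible.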
/scripts/alcasar-iptables.sh
53,7 → 53,7
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
IPTABLES="/sbin/iptables"
REHABILITED_IP="/etc/e2guardian/lists/exceptioniplist"
REHABILITED_IP="/etc/e2guardian/lists/group1/exceptioniplist"
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
231,9 → 231,9
# 8080 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
# 8090 = ipset av_wl + av
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
# 8081 = ipset av_wl + av (to be redefine)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8081 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8081 -j MARK --set-mark 2
# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av (future version)
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6
281,9 → 281,9
# 8080 = ipset av_bl
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# 8090 = ipset av_wl & av
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
# 8081 = ipset av_wl & av
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
 
# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian (in a future version - don't forget to set E2guardian as a tranparent HTTPS proxy)
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
346,13 → 346,13
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8081 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av
#$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av (future version)
 
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian
# Allow HTTP connections to E2Guardian
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m conntrack --ctstate NEW --syn -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8081 -m conntrack --ctstate NEW --syn -j ACCEPT
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT # (future version)
 
# On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
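Review bot: Port 8081 is now accepted on INPUT from `$PRIVATE_NETWORK_MASK`, but both REDIRECT rules that would send av_wl/av traffic to it remain commented out, so within the visible hunks no legitimate flow reaches that listener. Since group2 is marked "to be redefine", consider commenting out the 8081 ACCEPT line as is already done for 8443, and keeping only the mark-2 REJECT until the redirect exists. A short comment such as `# group2 (8081) has no REDIRECT yet: listener is not reachable by design` would make the intent clear. Rules outside these hunks may change the picture.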
/scripts/alcasar-rpm.sh
20,6 → 20,8
# "socat" : avoid a warning when run the install script of letsencrypt ("acme.sh")
# "sudo" : needed after a reinstallation (to be investigated)
# "postfix" + "cyrus-sasl" + "lib64sasl2-plug-plain" : email registration method
# "nmap" : "/usr/share/nmap/nmap-mac-prefixes" is used to display MAC manufacturers in ACC
 
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-dom php-filter unbound e2guardian postfix mariadb ntpsec bind-utils openssh-server rng-utils rsync fail2ban gnupg2 ulogd ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware kernel-firmware-nonfree dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat postfix cyrus-sasl lib64sasl2-plug-plain iftop"
 
rpm_repository_sync ()
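Review bot: The added comment documents `nmap` as a required package, but the `PACKAGES` list shown as unchanged context does not contain `nmap`. With /conf/nmap-mac-prefixes deleted in this commit and activity.php now reading `/usr/share/nmap/nmap-mac-prefixes`, a fresh install would have no prefix file unless nmap is pulled in elsewhere, and the `file_exists` guard in activity.php would hide that silently. Add `nmap` to `PACKAGES` (for example after `iftop`), or state in the comment where it gets installed.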
/web/acc/admin/bl_filter.php
227,7 → 227,6
$bl_categories_enabled=$dir_etc."alcasar-bl-categories-enabled";
$conf_file=$dir_etc."alcasar.conf";
$domainfilter_file="/etc/unbound/conf.d/blacklist/domainfilter.conf";
$bannedsite_file=$dir_dg."bannedsitelist";
$dir_tmp="/tmp/blacklists";
$update_file_cat="/usr/local/etc/update_cat.conf";
$update_file_ossi_cat="/usr/local/etc/update_ossi_cat.conf";
291,11 → 290,11
fputs($fichier, form_filter($_POST['OSSI_bl']));
fclose($fichier);
unset($_POST['OSSI_bl']);
$fichier=fopen($dir_dg."exceptionsitelist","w+");
$fichier=fopen($dir_dg."group1/exceptionsitelist","w+");
fputs($fichier, form_filter($_POST['BL_rehabilited_domains']));
fclose($fichier);
unset($_POST['BL_rehabilited_domains']);
$fichier=fopen($dir_dg."exceptioniplist","w+");
$fichier=fopen($dir_dg."group1/exceptioniplist","w+");
fputs($fichier, form_filter($_POST['BL_rehabilited_ip']));
fclose($fichier);
unset($_POST['BL_rehabilited_ip']);
462,12 → 461,12
echo "<tr><td width=50% colspan=5 align=center>";
echo "<H3>$l_rehabilitated_dns</H3>$l_rehabilitated_dns_explain<BR>$l_one_dns<BR>";
echo "<textarea name='BL_rehabilited_domains' rows=3 cols=40>";
echo_file ($dir_dg."exceptionsitelist");
echo_file ($dir_dg."group1/exceptionsitelist");
echo "</textarea></td>";
echo "<td width=50% colspan=5 align=center>";
echo "<H3>$l_rehabilitated_ip</H3>$l_rehabilitated_ip_explain<BR>$l_one_ip<BR>";
echo "<textarea name='BL_rehabilited_ip' rows=3 cols=40>";
echo_file ($dir_dg."exceptioniplist");
echo_file ($dir_dg."group1/exceptioniplist");
echo "</textarea></td></tr>";
echo "<tr><td valign='middle' align='left' colspan=10>";
echo "<center><b>$l_add_to_bl</b></center></td></tr>";
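Review bot: The two new `fopen()` calls on `group1/exceptionsitelist` and `group1/exceptioniplist` pass their result straight to `fputs()` without checking it. alcasar.sh creates that directory with `chown -R e2guardian:root`, so whether the web server account can write there is not evident from this commit; on failure the administrator's rehabilitation list would be dropped without any message. Check the handle before writing, e.g. `if (($fichier = fopen($dir_dg."group1/exceptionsitelist", "w+")) !== false)`, and report the failure in the page otherwise. The enclosing block starts and ends outside the hunk.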
/web/acc/admin/wl_filter.php
165,7 → 165,6
$wl_categories_enabled=$dir_etc."alcasar-wl-categories-enabled";
$conf_file=$dir_etc."alcasar.conf";
$domainfilter_file="/etc/unbound/conf.d/whitelist/domainfilter.conf";
$bannedsite_file=$dir_dg."bannedsitelist";
$dir_tmp="/tmp/blacklists";
$wl_safesearch="off";
 
/web/acc/manager/htdocs/activity.php
190,9 → 190,9
echo "<td>".$nb_ligne."</td>";
echo "<td>".$detail[1]."</td>"; // @IP
echo "<td>$detail[0]"; // @MAC
if(file_exists('/usr/local/share/nmap-mac-prefixes')){ // retrieve @MAC manufacturer
if(file_exists('/usr/share/nmap/nmap-mac-prefixes')){ // retrieve @MAC manufacturer
$oui_id = substr(str_replace("-","",$detail[0]),0,6);
exec ("grep $oui_id /usr/local/share/nmap-mac-prefixes | cut -f2", $mac_manufacturer);
exec ("grep $oui_id /usr/share/nmap/nmap-mac-prefixes | cut -f2", $mac_manufacturer);
if(! empty($mac_manufacturer[0])) echo " <font size=\"1\">($mac_manufacturer[0])</font>";
else echo " <font size=\"1\">($l_unknown)</font>";
unset($mac_manufacturer);
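Review bot: `$oui_id` is interpolated into the shell command passed to `exec()` on the changed line, and nothing in the hunk constrains it to hex digits. Where `$detail[0]` comes from is outside the hunk, so guard the call with `if (ctype_xdigit($oui_id) && strlen($oui_id) == 6)` or pass the value through `escapeshellarg()`. The grep is also unanchored and case-sensitive, so the six characters can match anywhere in a line; `grep -i "^$oui_id"` limits it to the prefix column. It is worth confirming that nmap's file is tab-separated as `cut -f2` expects, since the previous file was a sanitized copy and cut prints the whole line when no delimiter is found.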
/web/acc/phpsysinfo/README.ALCASAR
2,5 → 2,6
- remove folders "tools", "sample", "plugins", "js/vendor"
- in "/" : remove "composer.json", "phpsysinfo.xslt", "phpsysinfo3.xsd", "Dockerfile"
: rename & adapt phpsysinfo.ini
- in folder "templates" : remove all except "aqua", "aqua.css", "html" & "plugin". "Aqua.css" has been adapted
- language/language.php : has been modified ($lang is set by the web browser conf)
- in "templates" : remove all except "aqua", "aqua.css", "html" & "plugin". "Aqua.css" has been adapted
- in "language" : language.php : has been modified ($lang is set by the web browser conf)
- in "templates/html/index" (at the end) remove the link <a=href></a> on the phpsysinfo version.
/web/acc/phpsysinfo/templates/html/index_dynamic.html
273,7 → 273,7
<div id="ups" class="halfsize" style="display:none;">
</div>
<div id="footer">
<span class="lang_047">Generated by</span>&nbsp;<a href="http://phpsysinfo.sourceforge.net/" target="psihref">phpSysInfo&nbsp;-&nbsp;<span id="version"></span></a>
<span class="lang_047">Generated by</span>&nbsp;phpSysInfo&nbsp;-&nbsp;<span id="version"></span>
</div>
</div>
</body>