/alcasar.sh |
444,11 → 444,14 |
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) & |
EOF |
# Firewall config |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
# création du fichier d'exception au filtrage |
touch $DIR_DEST_ETC/alcasar-filter-exceptions |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
# create the filter exxeption file |
touch $DIR_DEST_ETC/alcasar-filter-exceptions |
# load conntrack ftp module |
[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default |
echo "ip_conntrack_ftp" >> /etc/modprobe.preload |
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh) |
} # End of network () |
461,8 → 464,6 |
################################################################## |
gestion() |
{ |
# Suppression des CGI et des pages WEB installés par défaut |
rm -rf /var/www/cgi-bin/* |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB |
mkdir $DIR_WEB |
# Copie et configuration des fichiers du centre de gestion |
489,6 → 490,7 |
$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini |
$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini |
# Configuration et sécurisation Apache |
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README* |
[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default |
$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf |
$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf |
495,6 → 497,13 |
$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf |
$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf |
$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf |
$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf |
$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf |
$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf |
$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf |
$SED "s?^LoadModule cgi_module.*?#LoadModule cgi_module modules/mod_cgi.so?g" /etc/httpd/conf/httpd.conf |
$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf |
$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf |
FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf` |
$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF |
$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html |
624,21 → 633,6 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup |
ErrorDocument 404 https://$HOSTNAME/ |
</Directory> |
Alias /save/ "$DIR_SAVE/" |
<Directory $DIR_SAVE> |
SSLRequireSSL |
Options Indexes |
Order deny,allow |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
AuthUserFile $DIR_DEST_ETC/digest/key_backup |
ErrorDocument 404 https://$HOSTNAME/ |
ReadmeName /readmeSave.html |
</Directory> |
EOF |
} # End of gestion () |
1305,7 → 1299,7 |
# sshd écoute côté LAN et WAN |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config |
# Put the default value in conf file (sshd, QOS, protocols filter and dns filter are off)(web antivirus is on) |
# Put the default value in conf file (sshd, QOS and protocols/dns/ext_LAN filtering are off)(web antivirus is on) |
/sbin/chkconfig --del sshd |
echo "SSH=off" >> $CONF_FILE |
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE |
1313,6 → 1307,7 |
echo "LDAP=off" >> $CONF_FILE |
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE |
echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE |
echo "EXT_LAN_FILTERING=off" >> $CONF_FILE |
echo "DNS_FILTERING=off" >> $CONF_FILE |
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE |
# Coloration des prompts |
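Review bot: In the 444 hunk, `echo "ip_conntrack_ftp" >> /etc/modprobe.preload` appends on every run, so re-running the installer leaves duplicate entries; the `.default` backup on the line above is guarded with `[ -e ... ] ||` but the append is not. Guard it the same way: `grep -q '^ip_conntrack_ftp$' /etc/modprobe.preload || echo "ip_conntrack_ftp" >> /etc/modprobe.preload`. The same hunk shows the EXTIF/INTIF sed calls, the `chmod o+r` and the `touch` twice (a French-commented and an English-commented copy); if both survive on the new side the block runs twice, harmless but worth deduplicating. The body of network() starts outside the hunk.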
/CHANGELOG |
2,21 → 2,29 |
************ CHANGELOG *********** |
---- svn ---- |
- Bug : watchdog release the ip address of macallowed equipment (insteed of logout the user) |
- Bug : reading of alcasar.conf file parameters more securely |
- Bug : don't download RPMs twice |
- Bug : allow connexion to an LDAP server on WAN side |
- Bug : don't disconnect user in some case (when the equipment is authenticated with Mac adresse) |
- Bug : control that watchdog can't execute if already running |
- Core : allow FTP in output |
- Core : new alcasar-iptables.sh script (more logically strutured) |
- Core : update phpsysinfo page ("Internet access flag" nom show the right status) |
- Core : Authenticate user on Mysql when LDAP server is down |
- Core : import users via text file with or without password |
- Security : The 8080 (TCP) and 53 (UDP) ports are now hidden on Lan side |
- Install : control eth0 config on startup (no dhcp) |
- Install : don't dowload the last BL version |
---- 2.5 ---- |
Bug |
- watchdog (and script alcasar-logout.sh) doesn't logout the macallowed addresses |
- reading of alcasar.conf file parameters more securely |
- don't download RPMs twice |
- allow connexion to an LDAP server on WAN side |
- control that watchdog can't execute if already running |
- allow FTP in output |
Improve Core |
- new alcasar-iptables.sh script (more logically strutured) |
- update phpsysinfo page ("Internet access flag" nom show the right status) |
- Authenticate user on Mysql when LDAP server is down |
- import users via text file with or without password |
Improve security |
- The 8080 (TCP) and 53 (UDP) ports are now hidden on Lan side |
- ANSSI code review (sql escape string) |
- remove the apache unused modules |
Improve installation |
- control eth0 config on startup (no dhcp) |
- don't dowload the last BL version |
- remove unused RPM before update the system |
Improve Alcasar Control Center (ACC) |
- |
---- 2.4 ---- |
- Bug : some minor bugs (log rotate, intercept page, squid, ...) |
- Bug : ACC - correction of the Internet connectivity test flag |
38,8 → 46,8 |
- Core : allow exception of IP addresses (or network addresses) in the authentication process |
---- 2.2 ---- |
- blacklist category "ip" is added for url that contains ip address (no domain name) |
- IP parameters can be change in central conf. Apply then with the script "alcasar-conf.sh -apply" |
- blacklist category "ip" is added for url that contains only an ip address (no FQDN) |
- IP parameters can be change in central conf file. Apply with the script "alcasar-conf.sh -apply" |
- 'alcasar-nf.sh' and 'alcasar-bl.sh' scripts now use the global parameters file (alcasar.conf) |
- allow LDAP/AD connections both on WAN and LAN servers |
- Add a LDAP connectivity test |
81,7 → 89,7 |
---- 2.0 ---- |
- mise à jour de la documentation technique |
- rajout des switchs en '--' pour remplacer les '-' des scripts |
- ajout des switchs en '--' pour remplacer les '-' des scripts |
- accès authentifié à la la page de garde du centre de gestion |
- Prise en compte du script "alcasar-iptables-local.sh" dans le cadre du ByPass |
- Prise en compte des catégories de la BL dans l'interface de gestion |
/scripts/alcasar-iptables.sh |
27,6 → 27,8 |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off) |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off} |
EXT_LAN_FILTERING=`grep EXT_LAN_FILTERING= $conf_file|cut -d"=" -f2` # filter acces to the lan on alcasar/eth0 (on/off) |
EXT_LAN_FILTERING=${EXT_LAN_FILTERING:=off} |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
DNS_FILTERING=${DNS_FILTERING:=off} |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
196,6 → 198,14 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset |
# Filtrage de l'accès au LAN connecté sur EXTIF (eth0) |
# EXTIF (eth0) connected LAN filtering |
if [ $EXT_LAN_FILTERING = on ]; then |
$IPTABLES -A FORWARD -i $TUNIF -p udp -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -d $public_ip_mask -j REJECT --reject-with tcp-reset |
fi |
# If protocols filter is activate |
if [ $PROTOCOLS_FILTERING = on ]; then |
# Compute exception IP (IP addresses that shouldn't be filtered) |
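Review bot: The new EXT_LAN_FILTERING block only rejects `udp`, `icmp` and `tcp` toward `$public_ip_mask`, so any other IP protocol arriving on `$TUNIF` is still forwarded to the external LAN while the filter is on; a protocol-independent rule after the three, `$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j REJECT`, closes that gap. The config read on the new `EXT_LAN_FILTERING=` line is unanchored, so `grep "^EXT_LAN_FILTERING=" $conf_file` would match only the key itself rather than any line containing that text. `$public_ip_mask` is defined outside the hunk, so whether it covers the whole LAN range or only the host address is not visible here.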
/scripts/sbin/alcasar-logout.sh |
2,7 → 2,7 |
# $Id$ |
# alcasar-logout.sh |
# by Richard REY |
# by Rexy |
# This script is distributed under the Gnu General Public License (GPL) |
# Déconnexion d'un ou de tous les usagers |
9,7 → 9,7 |
# One user (or all users) disconnect |
macallowed_file="/usr/local/etc/alcasar-macallowed" |
radiussecret="ci0wkfI9" |
radiussecret="" |
OLDIFS=$IFS |
IFS=$'\n' |
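Review bot: `radiussecret=""` removes the hard-coded value but leaves the variable empty rather than loading it at runtime, so whatever later uses `$radiussecret` (outside the hunk) will run with an empty shared secret. Read it from the file the installer writes it to, e.g. `radiussecret=$(grep '^radiussecret=' <CONF_FILE> | cut -d= -f2)` with `<CONF_FILE>` and the key name matched to the installer, or document the line as an installer-filled placeholder with `# filled in by alcasar.sh at install time`. The value removed here stays in version history, so it should be treated as exposed and regenerated on existing installs.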
/scripts/sbin/alcasar-uninstall.sh |
182,7 → 182,7 |
sleep 1 |
# network |
echo -en "\n- network(8) : " |
echo -en "\n- network(9) : " |
hostname localhost |
/sbin/ifdown eth0 |
[ -e /etc/sysconfig/network-scripts/default-ifcfg-eth0 ] && mv /etc/sysconfig/network-scripts/default-ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0 && echo -n "1, " |
193,6 → 193,8 |
[ -e /etc/hosts.allow.default ] && mv /etc/hosts.allow.default /etc/hosts.allow && echo -n "6, " |
[ -e /etc/hosts.deny.default ] && mv /etc/hosts.deny.default /etc/hosts.deny && echo -n "7, " |
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "8" |
[ -e /etc/modprobe.preload.default ] && mv /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "9" |
echo |
/sbin/ifup eth0 |
sleep 1 |
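Review bot: The new `echo -n "9"` on the modprobe.preload restore line follows `echo -n "8"`, which unlike steps 1–7 carries no `", "` separator, so the progress line now prints `…7, 89` if that line is unchanged. Change it to `echo -n "8, "` so the sequence stays readable. The `network(9)` label in the 182 hunk matches the new step count.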
/scripts/alcasar-watchdog.sh |
2,7 → 2,7 |
# $Id$ |
# alcasar-watchdog.sh |
# by Richard REY |
# by Rexy |
# This script is distributed under the Gnu General Public License (GPL) |
# Ce script prévient les usagers de l'indisponibilité de l'accès Internet |
/web/acc/admin/net_filter.php |
155,6 → 155,7 |
{ |
$field=explode("=", $line); |
if ($field[0] == "PROTOCOLS_FILTERING") {$PROTOCOLS_FILTERING=trim($field[1]);} |
if ($field[0] == "EXT_LAN_FILTERING") {$EXT_LAN_FILTERING=trim($field[1]);} |
if ($field[0] == "WEB_ANTIVIRUS") {$WEB_ANTIVIRUS=trim($field[1]);} |
} |
} |
190,6 → 191,31 |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr> |
</table> |
<TABLE width="100%" border=1 cellspacing=0 cellpadding=0> |
<tr><td valign="middle" align="left"> |
<?php |
if ($EXT_LAN_FILTERING == "on") |
{ |
echo "<CENTER><H3>$l_antivir_on</H3></CENTER>"; |
echo "<FORM action='$_SERVER[PHP_SELF]' method=POST>"; |
echo "<input type=hidden name='choix' value=\"AV_Off\">"; |
echo "<input type=submit value=\"$l_switch_antivir_off\">"; |
} |
else |
{ |
echo "<CENTER><H3>$l_antivir_off</H3></CENTER>"; |
echo "<FORM action='$_SERVER[PHP_SELF]' method=POST>"; |
echo "<input type=hidden name='choix' value=\"AV_On\">"; |
echo "<input type=submit value=\"$l_switch_antivir_on\">"; |
} |
?> |
</FORM> |
</td></tr> |
</table> |
<TABLE width="100%" border=0 cellspacing=0 cellpadding=0> |
<tr><th><?echo "$l_title_proto";?></th></tr> |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr> |
</table> |
<TABLE width="100%" border=1 cellspacing=0 cellpadding=0> |
<tr><td valign="middle" align="left"> |
<? |
if ($PROTOCOLS_FILTERING == "on") |
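Review bot: The new `<TABLE>` in the 190 hunk keyed on `$EXT_LAN_FILTERING` is a copy of the antivirus block with only the condition changed: it still prints `$l_antivir_on`/`$l_antivir_off`, labels the buttons `$l_switch_antivir_off`/`$l_switch_antivir_on`, and posts `choix` as `AV_Off`/`AV_On`, so submitting it toggles the antivirus rather than the external-LAN filter. It needs its own labels and `choix` values, plus a matching handler in the POST switch, which is not in this hunk. The new forms also echo `$_SERVER[PHP_SELF]` unescaped into the `action` attribute; `htmlspecialchars($_SERVER['PHP_SELF'])` keeps the request path from being reflected into the markup. The 155 hunk only parses the new key and is fine.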
/web/acc/admin/firewallEyes/configuration.php |
43,13 → 43,13 |
$index=0; |
while ($Fichier = readdir($dossier)) { |
$exclusion = stripos ($Fichier, '.gz'); |
if ($Fichier != "." && $Fichier != ".." && $exclusion == 0) { |
if ($Fichier != "." && $Fichier != ".." && $fichier != " " && $exclusion == 0) { |
$index ++; |
$logfiles[]=$folder . "/" . $Fichier; |
} # end if |
} # end while |
closedir($dossier); |
rsort($logfiles,SORT_STRING); |
// automatic submit |
// automatic reload log display just after changing a display option (search strings, resolving, ...) |
// $automaticSubmit=true|false; |
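Review bot: The added condition `$fichier != " "` tests `$fichier`, but the loop variable is `$Fichier` — PHP variable names are case-sensitive — so it compares an undefined variable (a notice) and never filters anything. If the intent is to skip blank names, `trim($Fichier) !== ''` does that; comparing against a single space would only catch that exact name anyway. The enclosing function starts outside the hunk.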
/web/acc/manager/lib/sql/drivers/mysql/functions.php |
78,7 → 78,7 |
function da_sql_escape_string($string) |
{ |
return @mysql_escape_string($string); |
return @mysql_real_escape_string($string); |
} |
function da_sql_query($link,$config,$query) |
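Review bot: `mysql_real_escape_string` needs an open MySQL connection to pick the connection charset; called without a link it falls back to the last opened link and returns `false` when there is none, and the leading `@` hides that warning, so the "escaped" value silently becomes an empty string in the query. Since the sibling `da_sql_query($link,$config,$query)` already carries a link, prefer `return mysql_real_escape_string($string, $link);` with the link passed through where callers can supply it, and drop the `@` so a missing connection is not silent. The identical change in `/web/pass/sql/drivers/mysql/functions.php` needs the same treatment.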
/web/pass/sql/drivers/mysql/functions.php |
78,7 → 78,7 |
function da_sql_escape_string($string) |
{ |
return @mysql_escape_string($string); |
return @mysql_real_escape_string($string); |
} |
function da_sql_query($link,$config,$query) |
/web/status.php |
3,7 → 3,7 |
# status.php for Alcasar captive portal |
# by steweb57 |
# |
$organisme = "etrs-ssic"; |
$organisme = "etrs-test"; |
$remote_ip = ($_SERVER['REMOTE_ADDR']); |
$connection_history = ""; |
$nb_connection_history = 3; |
34,7 → 34,6 |
$Language = strtolower(substr(chop($Langue[0]),0,2)); } |
if($Language == 'es'){ |
$l_login1 = "El éxito de la autenticación"; |
$l_login2 = "Cierre esta ventana interrumpte la sesion."; |
$l_logout = "Conexión de cierre"; |
$l_logout_question = "Are you sure you want to disconnect now?"; //à traduire |
$l_loggedout = "Su sesión se cierra"; |
60,7 → 59,6 |
} |
else if($Language == 'de'){ |
$l_login1 = "Erfolgreiche Authentifizierung"; |
$l_login2 = "Schlißen dieses fensters unterbricht die sitzung"; |
$l_logout = "Beenden der Verbindung"; |
$l_logout_question = "Are you sure you want to disconnect now?"; //à traduire |
$l_loggedout = "Ihre Sitzung ist geschlossen"; |
86,7 → 84,6 |
} |
else if($Language == 'nl'){ |
$l_login1 = "Succesvolle authenticatie"; |
$l_login2 = "Dit venster te sluiten onderbreekt uw sessie."; |
$l_logout = "Slotkoers verbinding"; |
$l_logout_question = "Are you sure you want to disconnect now?"; //à traduire |
$l_loggedout = "Uw sessie is gesloten"; |
112,7 → 109,6 |
} |
else if($Language == 'fr'){ |
$l_login1 = "Authentification réussie"; |
$l_login2 = "La fermeture de cette fenêtre interrompt votre session."; |
$l_logout = "Fermeture de la session"; |
$l_logout_question = "Etes vous sûr de vouloir vous déconnecter?"; |
$l_loggedout = "Votre session est fermée"; |
138,7 → 134,6 |
} |
else { |
$l_login1 = "Successful authentication."; |
$l_login2 = "Closing this window interrupts your session."; |
$l_logout = "Closing connection"; |
$l_logout_question = "Are you sure you want to disconnect now?"; |
$l_loggedout = "Your session is closed"; |
260,11 → 255,6 |
</td> |
</tr> |
<tr> |
<td class="text_warn"> |
<?php echo $l_login2; ?> |
</td> |
</tr> |
<tr> |
<td colspan="2" align="center" class="link_logout"> |
<a href="#" onclick="return logoutWithConfirmation('<?php echo $l_logout_question;?>');" class="lien_deco"><?php echo $l_logout; ?></a> |
</td> |
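Review bot: `$organisme = "etrs-test";` edits a site-specific value hard-coded in a versioned page, and `etrs-test` reads like a test setting that was committed; it belongs in configuration the page reads or in a value the installer substitutes, with a comment such as `// organisation name shown on the status page; set at install time`. Removing `$l_login2` and its `text_warn` row drops the "closing this window interrupts your session" notice in all five languages; if closing the window still ends the session, users lose that warning, so confirm the behaviour changed as well.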