

Ignore whitespace Rev 789 → Rev 790

/alcasar.sh
444,11 → 444,14
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
EOF
# Firewall config
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
# création du fichier d'exception au filtrage
touch $DIR_DEST_ETC/alcasar-filter-exceptions
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
# create the filter exxeption file
touch $DIR_DEST_ETC/alcasar-filter-exceptions
# load conntrack ftp module
[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
echo "ip_conntrack_ftp" >> /etc/modprobe.preload
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh)
} # End of network ()
 
461,8 → 464,6
##################################################################
gestion()
{
# Suppression des CGI et des pages WEB installés par défaut
rm -rf /var/www/cgi-bin/*
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
mkdir $DIR_WEB
# Copie et configuration des fichiers du centre de gestion
489,6 → 490,7
$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
# Configuration et sécurisation Apache
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf
$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
495,6 → 497,13
$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
$SED "s?^LoadModule cgi_module.*?#LoadModule cgi_module modules/mod_cgi.so?g" /etc/httpd/conf/httpd.conf
$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
624,21 → 633,6
AuthUserFile $DIR_DEST_ETC/digest/key_backup
ErrorDocument 404 https://$HOSTNAME/
</Directory>
Alias /save/ "$DIR_SAVE/"
<Directory $DIR_SAVE>
SSLRequireSSL
Options Indexes
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName $HOSTNAME
AuthUserFile $DIR_DEST_ETC/digest/key_backup
ErrorDocument 404 https://$HOSTNAME/
ReadmeName /readmeSave.html
</Directory>
EOF
} # End of gestion ()
 
1305,7 → 1299,7
# sshd écoute côté LAN et WAN
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
# Put the default value in conf file (sshd, QOS, protocols filter and dns filter are off)(web antivirus is on)
# Put the default value in conf file (sshd, QOS and protocols/dns/ext_LAN filtering are off)(web antivirus is on)
/sbin/chkconfig --del sshd
echo "SSH=off" >> $CONF_FILE
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
1313,6 → 1307,7
echo "LDAP=off" >> $CONF_FILE
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
echo "EXT_LAN_FILTERING=off" >> $CONF_FILE
echo "DNS_FILTERING=off" >> $CONF_FILE
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
# Coloration des prompts
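Review bot: In the 495 hunk the seven `LoadModule … → #LoadModule …` sed lines only edit /etc/httpd/conf/httpd.conf and never check that anything matched, so if those directives live in /etc/httpd/modules.d/*.conf (the very place the same hunk goes looking for mod_ssl.conf) the "remove the apache unused modules" hardening is a silent no-op; after the block, verify with `grep -l '^LoadModule \(cgi\|status\|info\|autoindex\|imagemap\|authn_anon\)_module' /etc/httpd/conf/httpd.conf /etc/httpd/modules.d/*.conf` and warn if any file is listed. `find … -name *mod_ssl.conf` is an unquoted glob the shell may expand before find sees it, and an empty `$FIC_MOD_SSL` makes the following `$SED` read stdin instead of a file; write `FIC_MOD_SSL=$(find /etc/httpd/modules.d/ -type f -name '*mod_ssl.conf')` and guard the sed with `[ -n "$FIC_MOD_SSL" ]`. In the 1313 hunk the new `EXT_LAN_FILTERING=off` default leaves portal clients able to reach the LAN behind EXTIF until an administrator turns the filter on; if that is deliberate, say so in the comment two lines above, otherwise default it to `on`. gestion() and the function enclosing the 1305/1313 hunks extend beyond what is shown here.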
/CHANGELOG
2,21 → 2,29
 
************ CHANGELOG ***********
---- svn ----
- Bug : watchdog release the ip address of macallowed equipment (insteed of logout the user)
- Bug : reading of alcasar.conf file parameters more securely
- Bug : don't download RPMs twice
- Bug : allow connexion to an LDAP server on WAN side
- Bug : don't disconnect user in some case (when the equipment is authenticated with Mac adresse)
- Bug : control that watchdog can't execute if already running
- Core : allow FTP in output
- Core : new alcasar-iptables.sh script (more logically strutured)
- Core : update phpsysinfo page ("Internet access flag" nom show the right status)
- Core : Authenticate user on Mysql when LDAP server is down
- Core : import users via text file with or without password
- Security : The 8080 (TCP) and 53 (UDP) ports are now hidden on Lan side
- Install : control eth0 config on startup (no dhcp)
- Install : don't dowload the last BL version
 
---- 2.5 ----
Bug
- watchdog (and script alcasar-logout.sh) doesn't logout the macallowed addresses
- reading of alcasar.conf file parameters more securely
- don't download RPMs twice
- allow connexion to an LDAP server on WAN side
- control that watchdog can't execute if already running
- allow FTP in output
Improve Core
- new alcasar-iptables.sh script (more logically strutured)
- update phpsysinfo page ("Internet access flag" nom show the right status)
- Authenticate user on Mysql when LDAP server is down
- import users via text file with or without password
Improve security
- The 8080 (TCP) and 53 (UDP) ports are now hidden on Lan side
- ANSSI code review (sql escape string)
- remove the apache unused modules
Improve installation
- control eth0 config on startup (no dhcp)
- don't dowload the last BL version
- remove unused RPM before update the system
Improve Alcasar Control Center (ACC)
-
---- 2.4 ----
- Bug : some minor bugs (log rotate, intercept page, squid, ...)
- Bug : ACC - correction of the Internet connectivity test flag
38,8 → 46,8
- Core : allow exception of IP addresses (or network addresses) in the authentication process
 
---- 2.2 ----
- blacklist category "ip" is added for url that contains ip address (no domain name)
- IP parameters can be change in central conf. Apply then with the script "alcasar-conf.sh -apply"
- blacklist category "ip" is added for url that contains only an ip address (no FQDN)
- IP parameters can be change in central conf file. Apply with the script "alcasar-conf.sh -apply"
- 'alcasar-nf.sh' and 'alcasar-bl.sh' scripts now use the global parameters file (alcasar.conf)
- allow LDAP/AD connections both on WAN and LAN servers
- Add a LDAP connectivity test
81,7 → 89,7
 
---- 2.0 ----
- mise à jour de la documentation technique
- rajout des switchs en '--' pour remplacer les '-' des scripts
- ajout des switchs en '--' pour remplacer les '-' des scripts
- accès authentifié à la la page de garde du centre de gestion
- Prise en compte du script "alcasar-iptables-local.sh" dans le cadre du ByPass
- Prise en compte des catégories de la BL dans l'interface de gestion
/scripts/alcasar-iptables.sh
27,6 → 27,8
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
EXT_LAN_FILTERING=`grep EXT_LAN_FILTERING= $conf_file|cut -d"=" -f2` # filter acces to the lan on alcasar/eth0 (on/off)
EXT_LAN_FILTERING=${EXT_LAN_FILTERING:=off}
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
DNS_FILTERING=${DNS_FILTERING:=off}
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
196,6 → 198,14
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 
# Filtrage de l'accès au LAN connecté sur EXTIF (eth0)
# EXTIF (eth0) connected LAN filtering
if [ $EXT_LAN_FILTERING = on ]; then
$IPTABLES -A FORWARD -i $TUNIF -p udp -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p tcp -d $public_ip_mask -j REJECT --reject-with tcp-reset
fi
 
# If protocols filter is activate
if [ $PROTOCOLS_FILTERING = on ]; then
# Compute exception IP (IP addresses that shouldn't be filtered)
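Review bot: The new EXT_LAN_FILTERING block rejects only udp, icmp and tcp from $TUNIF to $public_ip_mask, so any other IP protocol (GRE, ESP, SCTP, …) from portal clients still reaches the external LAN; add a protocol-agnostic catch-all after the tcp rule, `$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP`. The value is read in the 27 hunk with an unanchored `grep EXT_LAN_FILTERING= $conf_file`, so a commented-out `#EXT_LAN_FILTERING=on` line or any other line containing that text would also match and could yield several values, which then breaks the unquoted `[ $EXT_LAN_FILTERING = on ]` test; use `grep '^EXT_LAN_FILTERING=' "$conf_file" | cut -d= -f2` and `[ "$EXT_LAN_FILTERING" = "on" ]`. $public_ip_mask is defined outside this hunk, so whether it denotes the host or the whole network could not be confirmed from here.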
/scripts/sbin/alcasar-logout.sh
2,7 → 2,7
# $Id$
 
# alcasar-logout.sh
# by Richard REY
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# Déconnexion d'un ou de tous les usagers
9,7 → 9,7
# One user (or all users) disconnect
 
macallowed_file="/usr/local/etc/alcasar-macallowed"
radiussecret="ci0wkfI9"
radiussecret=""
OLDIFS=$IFS
IFS=$'\n'
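Review bot: Replacing the literal `radiussecret="ci0wkfI9"` with an empty string gets the secret out of the source, but unless the value is assigned further down (the rest of the script is outside this hunk) whatever uses $radiussecret will now run with an empty shared secret and fail; read it at runtime from a root-only file instead, e.g. `radiussecret=$(sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*//p' /etc/raddb/clients.conf | head -n1)`, adjusted to wherever ALCASAR stores it, and keep that file mode 600. The old value remains readable in revision 789 and earlier, so the RADIUS shared secret should be rotated on the server and in every client configuration, not just removed from this file. `IFS=$'\n'` is a bash-only construct and is fine only if the shebang (outside this hunk) is bash.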
 
/scripts/sbin/alcasar-uninstall.sh
182,7 → 182,7
sleep 1
 
# network
echo -en "\n- network(8) : "
echo -en "\n- network(9) : "
hostname localhost
/sbin/ifdown eth0
[ -e /etc/sysconfig/network-scripts/default-ifcfg-eth0 ] && mv /etc/sysconfig/network-scripts/default-ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0 && echo -n "1, "
193,6 → 193,8
[ -e /etc/hosts.allow.default ] && mv /etc/hosts.allow.default /etc/hosts.allow && echo -n "6, "
[ -e /etc/hosts.deny.default ] && mv /etc/hosts.deny.default /etc/hosts.deny && echo -n "7, "
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "8"
[ -e /etc/modprobe.preload.default ] && mv /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "9"
 
echo
/sbin/ifup eth0
sleep 1
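Review bot: The added `echo -n "9"` follows the existing `echo -n "8"`, which carries no ", " separator, so the progress line now reads `…7, 89`; change the context line to `echo -n "8, "` (or the new one to `echo -n ", 9"`) so the step numbers stay readable. The restore itself is the right inverse of the install side, which keeps a `.default` copy and appends `ip_conntrack_ftp` to /etc/modprobe.preload rather than rewriting it.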
/scripts/alcasar-watchdog.sh
2,7 → 2,7
# $Id$
 
# alcasar-watchdog.sh
# by Richard REY
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# Ce script prévient les usagers de l'indisponibilité de l'accès Internet
/web/acc/admin/net_filter.php
155,6 → 155,7
{
$field=explode("=", $line);
if ($field[0] == "PROTOCOLS_FILTERING") {$PROTOCOLS_FILTERING=trim($field[1]);}
if ($field[0] == "EXT_LAN_FILTERING") {$EXT_LAN_FILTERING=trim($field[1]);}
if ($field[0] == "WEB_ANTIVIRUS") {$WEB_ANTIVIRUS=trim($field[1]);}
}
}
190,6 → 191,31
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr>
</table>
<TABLE width="100%" border=1 cellspacing=0 cellpadding=0>
<tr><td valign="middle" align="left">
<?php
if ($EXT_LAN_FILTERING == "on")
{
echo "<CENTER><H3>$l_antivir_on</H3></CENTER>";
echo "<FORM action='$_SERVER[PHP_SELF]' method=POST>";
echo "<input type=hidden name='choix' value=\"AV_Off\">";
echo "<input type=submit value=\"$l_switch_antivir_off\">";
}
else
{
echo "<CENTER><H3>$l_antivir_off</H3></CENTER>";
echo "<FORM action='$_SERVER[PHP_SELF]' method=POST>";
echo "<input type=hidden name='choix' value=\"AV_On\">";
echo "<input type=submit value=\"$l_switch_antivir_on\">";
}
?>
</FORM>
</td></tr>
</table>
<TABLE width="100%" border=0 cellspacing=0 cellpadding=0>
<tr><th><?echo "$l_title_proto";?></th></tr>
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr>
</table>
<TABLE width="100%" border=1 cellspacing=0 cellpadding=0>
<tr><td valign="middle" align="left">
<?
if ($PROTOCOLS_FILTERING == "on")
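Review bot: The new EXT_LAN_FILTERING form is a copy of the antivirus toggle and still submits `choix=AV_Off` / `choix=AV_On` under the `$l_antivir_on` / `$l_antivir_off` labels, so clicking it will be processed as the web-antivirus switch (the POST handler sits above this hunk and is not visible here) and the external-LAN filter can never actually be changed from this page; give it its own values and strings, e.g. `value=\"ExtLan_Off\"` / `value=\"ExtLan_On\"` with `$l_ext_lan_on` / `$l_ext_lan_off`, plus the matching handler branch and translations. `action='$_SERVER[PHP_SELF]'` is written into the form unescaped; PHP_SELF includes attacker-controlled PATH_INFO, so emit `htmlspecialchars($_SERVER['PHP_SELF'])` (the pre-existing forms on this page have the same issue).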
/web/acc/admin/firewallEyes/configuration.php
43,13 → 43,13
$index=0;
while ($Fichier = readdir($dossier)) {
$exclusion = stripos ($Fichier, '.gz');
if ($Fichier != "." && $Fichier != ".." && $exclusion == 0) {
if ($Fichier != "." && $Fichier != ".." && $fichier != " " && $exclusion == 0) {
$index ++;
$logfiles[]=$folder . "/" . $Fichier;
} # end if
} # end while
closedir($dossier);
 
rsort($logfiles,SORT_STRING);
// automatic submit
// automatic reload log display just after changing a display option (search strings, resolving, ...)
// $automaticSubmit=true|false;
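Review bot: The new `$fichier != " "` test uses a lowercase variable that is never assigned (the loop variable is `$Fichier`), so it compares null with " " and is always true — the intended check is a no-op; use `trim($Fichier) !== ''`. While editing this condition, `$exclusion == 0` treats stripos's `false` (no ".gz" in the name) the same as position 0 (".gz" at the start), so a file literally named ".gz…" is kept; `$exclusion === false` is the correct exclusion test. The function that contains this loop starts outside the hunk.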
/web/acc/manager/lib/sql/drivers/mysql/functions.php
78,7 → 78,7
 
function da_sql_escape_string($string)
{
return @mysql_escape_string($string);
return @mysql_real_escape_string($string);
}
 
function da_sql_query($link,$config,$query)
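Review bot: mysql_real_escape_string() needs an open connection (it defaults to the last link opened) and returns false without one, and the `@` then hides the warning, so a caller that escapes before da_sql_connect gets false, silently coerced to an empty string in the query. Either accept the link with a backward-compatible optional parameter (`function da_sql_escape_string($string, $link = null)`, passing it through when set — the file's other helpers already take `$link`) or at least fail loudly: `$out = mysql_real_escape_string($string); if ($out === false) { trigger_error('escape called without an open DB link', E_USER_ERROR); } return $out;`. If the platform moves to PHP ≥ 5.5 the mysql_* family is deprecated; mysqli_real_escape_string with an explicit link is the equivalent.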
/web/pass/sql/drivers/mysql/functions.php
78,7 → 78,7
 
function da_sql_escape_string($string)
{
return @mysql_escape_string($string);
return @mysql_real_escape_string($string);
}
 
function da_sql_query($link,$config,$query)
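Review bot: This file is a byte-for-byte copy of web/acc/manager/lib/sql/drivers/mysql/functions.php and had to receive the same one-line fix, so the two drivers will drift apart at the next change; consider having /web/pass include the manager's driver rather than carrying its own copy. The same caveat applies here: mysql_real_escape_string() returns false when no link is open and the `@` hides the warning, so check `=== false` before returning rather than passing an empty string into the query.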
/web/status.php
3,7 → 3,7
# status.php for Alcasar captive portal
# by steweb57
#
$organisme = "etrs-ssic";
$organisme = "etrs-test";
$remote_ip = ($_SERVER['REMOTE_ADDR']);
$connection_history = "";
$nb_connection_history = 3;
34,7 → 34,6
$Language = strtolower(substr(chop($Langue[0]),0,2)); }
if($Language == 'es'){
$l_login1 = "El éxito de la autenticación";
$l_login2 = "Cierre esta ventana interrumpte la sesion.";
$l_logout = "Conexión de cierre";
$l_logout_question = "Are you sure you want to disconnect now?"; //à traduire
$l_loggedout = "Su sesión se cierra";
60,7 → 59,6
}
else if($Language == 'de'){
$l_login1 = "Erfolgreiche Authentifizierung";
$l_login2 = "Schlißen dieses fensters unterbricht die sitzung";
$l_logout = "Beenden der Verbindung";
$l_logout_question = "Are you sure you want to disconnect now?"; //à traduire
$l_loggedout = "Ihre Sitzung ist geschlossen";
86,7 → 84,6
}
else if($Language == 'nl'){
$l_login1 = "Succesvolle authenticatie";
$l_login2 = "Dit venster te sluiten onderbreekt uw sessie.";
$l_logout = "Slotkoers verbinding";
$l_logout_question = "Are you sure you want to disconnect now?"; //à traduire
$l_loggedout = "Uw sessie is gesloten";
112,7 → 109,6
}
else if($Language == 'fr'){
$l_login1 = "Authentification r&eacute;ussie";
$l_login2 = "La fermeture de cette fenêtre interrompt votre session.";
$l_logout = "Fermeture de la session";
$l_logout_question = "Etes vous sûr de vouloir vous déconnecter?";
$l_loggedout = "Votre session est fermée";
138,7 → 134,6
}
else {
$l_login1 = "Successful authentication.";
$l_login2 = "Closing this window interrupts your session.";
$l_logout = "Closing connection";
$l_logout_question = "Are you sure you want to disconnect now?";
$l_loggedout = "Your session is closed";
260,11 → 255,6
</td>
</tr>
<tr>
<td class="text_warn">
<?php echo $l_login2; ?>
</td>
</tr>
<tr>
<td colspan="2" align="center" class="link_logout">
<a href="#" onclick="return logoutWithConfirmation('<?php echo $l_logout_question;?>');" class="lien_deco"><?php echo $l_logout; ?></a>
</td>
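Review bot: `$organisme` is a per-deployment value hard-coded in the page, and this revision changes it by editing the source (etrs-ssic → etrs-test), which is exactly how a test value ends up shipped; read it from the central alcasar.conf instead, parsed the same way net_filter.php already reads its `KEY=value` lines. Dropping the `$l_login2` strings also removes the "closing this window interrupts your session" warning in every language; if the window-close logout still exists elsewhere in the page (not visible in these hunks), users lose the only notice of it, so confirm the behaviour was removed as well.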