/scripts/etc/alcasar-filter-exceptions |
---|
0,0 → 1,0 |
/scripts/etc/alcasar-services |
---|
0,0 → 1,5 |
#icmp - |
#ssh 22 |
#smtp 25 |
#pop 110 |
#https 443 |
/scripts/sbin/alcasar-bl.sh |
---|
0,0 → 1,77 |
#/bin/sh |
# Gestion des Blacklists/Whitelists |
DIR_tmp="/root/blacklists" |
DIR_DANSGUARDIAN="/etc/dansguardian/lists/" |
BL_SERVER="cri.univ-tlse1.fr" |
SED="/bin/sed -i" |
function transfert () { |
mkdir -p $DIR_tmp |
cd $DIR_tmp |
wget http://$BL_SERVER/blacklists/download/blacklists.tar.gz |
} |
function install () { |
[ -d $DIR_DANSGUARDIAN ] || mkdir -p $DIR_DANSGUARDIAN |
[ -d $DIR_DANSGUARDIAN/blacklists/ossi ] && mv -f $DIR_DANSGUARDIAN/blacklists/ossi $DIR_tmp |
tar zxvf $DIR_tmp/blacklists.tar.gz --directory=$DIR_DANSGUARDIAN |
[ -d $DIR_tmp/ossi ] && mv -f $DIR_tmp/ossi $DIR_DANSGUARDIAN/blacklists/ |
cd /root |
rm -rf $DIR_tmp |
} |
usage="Usage: alcasar-bl.sh -on | -off | -download| -reload" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
then |
nb_args=1 |
args="-h" |
fi |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
-on) |
# activation du filtrage |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" /etc/dansguardian/dansguardian.conf |
service dansguardian reload |
;; |
-off) |
# désactivation du filtrage |
$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf |
service dansguardian reload |
;; |
-download) |
# Mise a jour de la blacklist 'Toulouse' et compilation de la base |
rm -rf /tmp/con_ok.html |
`/usr/bin/curl $BL_SERVER -# -o /tmp/con_ok.html` |
if [ ! -e /tmp/con_ok.html ] |
then |
echo "Erreur : le serveur de blacklist ($BL_SERVER) n'est pas joignable" |
else |
transfert |
install |
chown -R dansguardian:apache $DIR_DANSGUARDIAN |
chmod -R g+w $DIR_DANSGUARDIAN |
service dansguardian reload |
DATE=`date '+%d %B %Y - %Hh%M'` |
echo "Univ-tlse du $DATE " > /var/www/html/VERSION-BL |
rm -rf /tmp/con_ok.html |
fi |
;; |
-reload) |
# regénération de la base OSSI/RSSI |
chown -R dansguardian:apache $DIR_DANSGUARDIAN/blacklists/ossi |
chmod -R g+w $DIR_DANSGUARDIAN/blacklists/ossi |
service dansguardian reload |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "$usage" |
exit 1 |
;; |
esac |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
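Review bot: The `-download` path fetches the blocklist over plain HTTP (`wget http://$BL_SERVER/blacklists/download/blacklists.tar.gz` in transfert) and then `tar zxvf` unpacks it as root straight into $DIR_DANSGUARDIAN in install, with no checksum or signature verification and without even checking that wget succeeded, so whoever controls the network path controls the lists that are then handed to the apache group with `chmod -R g+w`. At minimum make the download fatal on failure (`wget ... || exit 1` before install is called), fetch over https if the server offers it, and verify the archive against a published digest where one exists. The reachability probe wraps `/usr/bin/curl $BL_SERVER -# -o /tmp/con_ok.html` in backticks, which runs curl and then tries to execute its (empty) stdout as a command; drop the backticks and test curl's exit status instead. `/tmp/con_ok.html` is a fixed name created by root, a symlink-race candidate that `mktemp` avoids. Note also that the first line is `#/bin/sh` without `!`, so the file has no shebang.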
/scripts/sbin/alcasar-nf.sh |
---|
0,0 → 1,47 |
#/bin/sh |
# active ou desactive le filtrage réseau |
# by rexy |
SED="/bin/sed -i" |
FIC_SERVICES="/usr/local/etc/alcasar-services" |
FIC_EXCEPTIONS="/usr/local/etc/alcasar-filter-exceptions" |
usage="Usage: alcasar-nf.sh -on | -off " |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
then |
nb_args=1 |
args="-h" |
fi |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
-on) |
# activation du filtrage réseau |
$SED "s?^FILTERING.*?FILTERING=\"yes\"?g" /usr/local/bin/alcasar-iptables.sh |
# tri du fichier de services |
sort -k2n $FIC_SERVICES > /tmp/alcasar-services-sort |
mv -f /tmp/alcasar-services-sort $FIC_SERVICES |
chown root:apache $FIC_SERVICES |
chmod 660 $FIC_SERVICES |
# vérification de présence du fichier d'exception |
[ -e $FIC_EXCEPTIONS ] || touch $FIC_EXCEPTIONS |
chown root:apache $FIC_EXCEPTIONS |
chmod 664 $FIC_EXCEPTIONS |
/usr/local/bin/alcasar-iptables.sh |
;; |
-off) |
# désactivation du filtrage réseau |
$SED "s?^FILTERING.*?FILTERING=\"no\"?g" /usr/local/bin/alcasar-iptables.sh |
/usr/local/bin/alcasar-iptables.sh |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "$usage" |
exit 1 |
;; |
esac |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
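Review bot: In `-on` the sorted services file is written by root to the fixed path `/tmp/alcasar-services-sort` and then `mv -f`'d over $FIC_SERVICES; a local user who pre-creates that name (or a symlink there) on a system without symlink protection gets their content, or the symlink itself, installed as the file that alcasar-iptables-filter.sh later feeds to iptables. GNU sort can rewrite the file in place, so the temp file is unnecessary: `sort -k2n -o $FIC_SERVICES $FIC_SERVICES`. If a temp file is kept, create it with `mktemp`. The script also starts with `#/bin/sh` (missing `!`), so it only runs correctly when invoked explicitly through a shell.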
/scripts/sbin/alcasar-profil.sh |
---|
0,0 → 1,120 |
#/bin/sh |
# Gestion des comptes liés aux profils |
ADM_PROFIL="admin" |
PROFILS="backup manager" |
ALL_PROFILS=`echo $ADM_PROFIL $PROFILS` |
DIR_KEY="/var/www/html/digest" |
SED="/bin/sed -i" |
HOSTNAME=`uname -n` |
# liste les comptes de chaque profile |
function list () { |
for i in $ALL_PROFILS |
do |
echo "Comptes liés au profil '$i' :" |
cat $DIR_KEY/key_only_$i | cut -d':' -f1|sort |
done |
} |
# ajoute les comptes du profil "admin" aux autres profils |
function concat () { |
for i in $PROFILS |
do |
cp -f $DIR_KEY/key_only_$ADM_PROFIL $DIR_KEY/key_$i |
cat $DIR_KEY/key_only_$i >> $DIR_KEY/key_$i |
done |
cp -f $DIR_KEY/key_only_$ADM_PROFIL $DIR_KEY/key_$ADM_PROFIL |
chown -R root:apache $DIR_KEY |
chmod 640 $DIR_KEY/key_* |
} |
usage="Usage: alcasar-profil.sh -list -add | -del | -pass" |
nb_args=$# |
args=$1 |
# on met en place la structure minimale |
if [ ! -e $DIR_KEY/key_$ADM_PROFIL ] |
then |
touch $DIR_KEY/key_$ADM_PROFIL |
fi |
cp -f $DIR_KEY/key_$ADM_PROFIL $DIR_KEY/key_only_$ADM_PROFIL |
for i in $PROFILS |
do |
if [ ! -e $DIR_KEY/key_only_$i ] |
then |
touch $DIR_KEY/key_only_$i |
fi |
done |
concat |
if [ $nb_args -eq 0 ] |
then |
echo $usage |
exit 0 |
fi |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
-add) |
# ajout d'un compte |
list |
echo -n "Choisissez un profil ($ALL_PROFILS) : " |
read profil |
echo -n "Entrez le nom du compte à créer (profil '$profil') : " |
read account |
# on teste s'il n'existe pas déjà |
for i in $ALL_PROFILS |
do |
tmp_account=`cat $DIR_KEY/key_only_$i | cut -d':' -f1` |
for j in $tmp_account |
do |
if [ "$j" = "$account" ] |
then echo "Ce compte existe déjà" |
exit 0 |
fi |
done |
done |
/usr/sbin/htdigest $DIR_KEY/key_only_$profil $HOSTNAME $account |
concat |
list |
;; |
-del) |
# suppression d'un compte |
list |
echo -n "entrez le nom du compte à supprimer : " |
read account |
for i in $ALL_PROFILS |
do |
$SED "/^$account:/d" $DIR_KEY/key_only_$i |
done |
concat |
list |
;; |
-pass) |
# changement du mot de passe d'un compte |
list |
echo "Changement de mot de passe" |
echo -n "Entrez le nom du compte : " |
read account |
for i in $ALL_PROFILS |
do |
tmp_account=`cat $DIR_KEY/key_only_$i | cut -d':' -f1` |
for j in $tmp_account |
do |
if [ "$j" = "$account" ] |
then |
/usr/sbin/htdigest $DIR_KEY/key_only_$i $HOSTNAME $account |
fi |
done |
done |
concat |
;; |
-list) |
# liste des comptes par profile |
list |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "$usage" |
exit 1 |
;; |
esac |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
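Review bot: The profile name read interactively in `-add` is used unvalidated to build the path passed to htdigest (`$DIR_KEY/key_only_$profil`), so a typo or a value such as `../x` makes htdigest create a credential file outside the expected set, which `concat` then never picks up. Validate it against $ALL_PROFILS first, e.g. `case " $ALL_PROFILS " in *" $profil "*) ;; *) echo "Profil inconnu : $profil"; exit 1 ;; esac`. The account name has the same problem in `-del`, where it is spliced into a sed address (`/^$account:/d`): a `/` or a regex metacharacter breaks or widens the deletion, so either reject names outside `[A-Za-z0-9._-]` or delete with `grep -vF "$account:"` into a temp file. Note too that $DIR_KEY lives under /var/www/html, so whether the digest files are reachable over HTTP depends on httpd configuration not visible here — worth confirming.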
/scripts/sbin/alcasar-uninstall.sh |
---|
0,0 → 1,143 |
#!/bin/sh |
# alcasar-uninstall.sh |
# by 3abtux, angel95 and rexy |
# This script is distributed under the Gnu General Public License (GPL) |
clear |
echo "-----------------------------------------------------------------------------" |
echo "** Désinstallation d'ALCASAR **" |
echo "-----------------------------------------------------------------------------" |
echo |
#services_stop |
for i in ntpd iptables ulogd dansguardian squid chilli httpd radiusd named |
do |
/sbin/chkconfig --del $i |
/etc/init.d/$i stop |
done |
echo "Réinitialisation des fonctions : " |
#init |
echo -en "\n-1 init(1) : " |
#les script /usr/local/bin alcasar* sont supprimés à la fin car encore utiles ici |
rm -f /root/ALCASAR* && echo -n "1," |
sleep 1 |
# network |
echo -en "\n-2 network(9) : " |
hostname localhost |
[ -e /etc/sysconfig/network-scripts/default-ifcfg-eth1 ] && mv /etc/sysconfig/network-scripts/default-ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth1 && echo -n "1, " |
[ -e /etc/sysconfig/network.default ] && mv /etc/sysconfig/network.default /etc/sysconfig/network && echo -n "2, " |
[ -e /etc/hosts.default ] && mv /etc/hosts.default /etc/hosts && echo -n "3, " |
[ -e /etc/sysconfig/network-scripts/ifcfg-eth1 ] && rm -f /etc/sysconfig/network-scripts/ifcfg-eth1 && echo -n "4, " |
[ -e /etc/ntp.conf.default ] && mv /etc/ntp.conf.default /etc/ntp.conf && echo -n "5, " |
[ -e /etc/dhcpd.conf.default ] && mv /etc/dhcpd.conf.default /etc/dhcpd.conf && echo -n "6, " |
[ -e /etc/sysconfig/dhcpd.default ] && mv /etc/sysconfig/dhcpd.default /etc/sysconfig/dhcpd && echo -n "7, " |
[ -e /etc/hosts.allow.default ] && mv /etc/hosts.allow.default /etc/hosts.allow && echo -n "8, " |
[ -e /etc/hosts.deny.default ] && mv /etc/hosts.deny.default /etc/hosts.deny && echo -n "9" |
sleep 1 |
# gestion |
echo -en "\n-3 gestion(4) : " |
[ -d /var/www/html ] && rm -rf /var/www/html && echo -n "1, " |
[ -e /etc/httpd/conf/httpd.conf.default ] && mv /etc/httpd/conf/httpd.conf.default /etc/httpd/conf/httpd.conf && echo -n "2, " |
[ -e /etc/httpd/conf/webapps.d/alcasar.conf ] && rm -f /etc/httpd/conf/webapps.d/alcasar.conf && echo -n "3, " |
[ -e /var/www/error/include/bottom.html.default ] && mv /var/www/error/include/bottom.html.default /var/www/error/include/bottom.html && echo -n "4 " |
sleep 1 |
# CA |
echo -en "\n-4 AC(4) : " |
[ -e /etc/pki/CA/alcasar-ca.crt ] && rm -f /etc/pki/CA/alcasar-ca.crt && echo -n "1, " |
[ -e /etc/pki/CA/private/alcasar-ca.key ] && rm -f /etc/pki/CA/private/alcasar-ca.key && echo -n "2, " |
[ -e /etc/pki/tls/certs/alcasar.crt ] && rm -f /etc/pki/tls/certs/alcasar.crt && echo -n "3, " |
[ -e /etc/pki/tls/private/alcasar.key ] && rm -f /etc/pki/tls/private/alcasar.key && echo -n "4" |
sleep 1 |
#init_db |
echo -en "\n-5 init_db(2) : 1, " |
[ -e /etc/my.cnf.default ] && mv -f /etc/my.cnf.default /etc/my.cnf && echo -n "2 " |
/sbin/chkconfig --del mysqld |
/etc/init.d/mysqld stop |
/usr/bin/killall mysqld 2>/dev/null |
rm -rf /var/lib/mysql* |
sleep 1 |
#param_radius |
echo -en "\n-6 param_radius(7) : " |
[ -e /etc/raddb/radiusd-db-vierge.sql ] && rm -f /etc/raddb/radiusd-db-vierge.sql && echo -n "1, " |
[ -e /etc/raddb/radiusd.conf.default ] && mv /etc/raddb/radiusd.conf.default /etc/raddb/radiusd.conf && echo -n "2, " |
[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar && echo -n "3, " |
[ -e /etc/raddb/sites-available/alcasar ] && rm /etc/raddb/sites-available/alcasar && echo -n "4, " |
[ -e /etc/raddb/clients.conf.default ] && mv /etc/raddb/clients.conf.default /etc/raddb/clients.conf && echo -n "5, " |
[ -e /etc/raddb/sql.conf.default ] && mv /etc/raddb/sql.conf.default /etc/raddb/sql.conf && echo -n "6, " |
[ -e /etc/raddb/sql/mysql/dialup.conf.default ] && mv /etc/raddb/sql/mysql/dialup.conf.default /etc/raddb/sql/mysql/dialup.conf && echo -n "7" |
sleep 1 |
#param_web_radius |
echo -en "\n-7 param_web_radius(3) : " |
[ -e /etc/freeradius-web/admin.conf.default ] && mv /etc/freeradius-web/admin.conf.default /etc/freeradius-web/admin.conf && echo -n "1, " |
[ -e /etc/freeradius-web/naslist.conf ] && rm /etc/freeradius-web/naslist.conf && echo -n "2, " |
[ -e /etc/freeradius-web/user_edit.attrs.default ] && mv /etc/freeradius-web/user_edit.attrs.default /etc/freeradius-web/user_edit.attrs && echo -n "3" |
sleep 1 |
#param_chilli |
echo -en "\n-8 param_chilli(5) : " |
[ -e /etc/chilli/functions.default ] && mv /etc/chilli/functions.default /etc/chilli/functions && echo -n "1, " |
[ -e /etc/init.d/chilli.default ] && mv /etc/init.d/chilli.default /etc/init.d/chilli && echo -n "2, " |
[ -e /etc/chilli/config ] && rm /etc/chilli/config && echo -n "3, " |
[ -e /etc/chilli/alcasar-uamallowed ] && rm /etc/chilli/alcasar-uamallowed && echo -n "4, " |
[ -e /etc/chilli/alcasar-uamdomain ] && rm /etc/chilli/alcasar-uamdomain && echo -n "5" |
sleep 1 |
#param_squid |
echo -en "\n-9 param_squid(2) : " |
[ -e /etc/squid/squid.conf.default ] && mv /etc/squid/squid.conf.default /etc/squid/squid.conf && echo -n "1, " |
[ -d /var/spool/squid ] && rm -rf /var/spool/squid/* && echo -n "2" |
#param_dansguardian |
echo -en "\n-10 param_dansguardian(10) : " |
[ -e /etc/init.d/dansguardian.default ] && mv /etc/init.d/dansguardian.default /etc/init.d/dansguardian && echo -n "1, " |
[ -d /var/dansguardian ] && rm -rf /var/dansguardian && echo -n "2, " |
[ -e /etc/dansguardian/dansguardian.conf.default ] && mv /etc/dansguardian/dansguardian.conf.default /etc/dansguardian/dansguardian.conf && echo -n "3, " |
[ -e /etc/dansguardian/lists/bannedphraselist.default ] && mv /etc/dansguardian/lists/bannedphraselist.default /etc/dansguardian/lists/bannedphraselist && echo -n "4, " |
[ -e /etc/dansguardian/dansguardianf1.conf.default ] && mv /etc/dansguardian/dansguardianf1.conf.default /etc/dansguardian/dansguardianf1.conf && echo -n "5, " |
[ -e /etc/dansguardian/lists/bannedextensionlist.default ] && mv /etc/dansguardian/lists/bannedextensionlist.default /etc/dansguardian/lists/bannedextensionlist && echo -n "6, " |
[ -e /etc/dansguardian/lists/bannedmimetypelist.default ] && mv /etc/dansguardian/lists/bannedmimetypelist.default /etc/dansguardian/lists/bannedmimetypelist && echo -n "7, " |
[ -e /etc/dansguardian/lists/exceptioniplist.default ] && mv /etc/dansguardian/lists/exceptioniplist.default /etc/dansguardian/lists/exceptioniplist && echo -n "8, " |
[ -e /etc/dansguardian/lists/bannedsitelist.default ] && mv /etc/dansguardian/lists/bannedsitelist.default /etc/dansguardian/lists/bannedsitelist && echo -n "9, " |
[ -d /etc/dansguardian/lists/blacklists.default ] && mv -f /etc/dansguardian/lists/blacklists.default /etc/dansguardian/lists/blacklists && echo -n "10" |
sleep 1 |
#firewall |
echo -en "\n-11 firewall(1) : " |
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "1" |
sleep 1 |
#awstats |
echo -en "\n-12 awstats(1) : " |
[ -e /etc/awstats/awstats.conf.default ] && mv /etc/awstats/awstats.conf.default /etc/awstats/awstats.conf && echo -n "1" |
sleep 1 |
#Bind |
echo -en "\n-13 bind(4) : " |
[ -e /var/lib/named/etc/named.conf.default ] && mv /var/lib/named/etc/named.conf.default /var/lib/named/etc/named.conf && echo -n "1, " |
[ -e /var/lib/named/etc/trusted_networks_acl.conf.default ] && mv /var/lib/named/etc/trusted_networks_acl.conf.default /var/lib/named/etc/trusted_networks_acl.conf && echo -n "2, " |
[ -e /var/lib/named/var/named/master/localdomain.zone.default ] && mv /var/lib/named/var/named/master/localdomain.zone.default /var/lib/named/var/named/master/localdomain.zone && echo -n "3, " |
[ -e /var/lib/named/var/named/reverse/localdomain.rev ] && rm /var/lib/named/var/named/reverse/localdomain.rev && echo -n "4" |
sleep 1 |
#cron |
echo -en "\n-13 cron(9) : " |
[ -e /etc/crontab.default ] && mv /etc/crontab.default /etc/crontab && echo -n "1, " |
[ -e /etc/anacrontab.default ] && mv /etc/anacrontab.default /etc/anacrontab && echo -n "2, " |
[ -e /etc/cron.d/mysql ] && rm -f /etc/cron.d/mysql && echo -n "3, " |
[ -e /etc/cron.d/export_log ] && rm -f /etc/cron.d/export_log && echo -n "4, " |
[ -e /etc/cron.d/clean_log ] && rm -f /etc/cron.d/clean_log && echo -n "5, " |
[ -e /etc/cron.d/awstats ] && rm -f /etc/cron.d/awstats && echo -n "6, " |
[ -e /etc/cron.d/freeradius-web ] && rm -f /etc/cron.d/freeradius-web && echo -n "7, " |
[ -e /etc/cron.d/coova ] && rm -f /etc/cron.d/coova && echo -n "8, " |
[ -e /etc/cron.d/watchdog ] && rm -f /etc/cron.d/watchdog && echo -n "9" |
sleep 1 |
#plugin_ldap |
[ -e /etc/raddb/ldap.attrmap.default ] && mv /etc/raddb/ldap.attrmap.default /etc/raddb/ldap.attrmap |
[ -e /etc/raddb/ldap.default ] && mv /etc/raddb/ldap.default /etc/raddb/modules/ldap |
sleep 1 |
#post_install |
echo -en "\n-14 post_install(11) : " |
[ -e /etc/mandriva-release.default ] && mv /etc/mandriva-release.default /etc/mandriva-release && echo -n "1, " |
[ -e /etc/ssh/alcasar-banner-ssh ] && rm -f /etc/ssh/alcasar-banner-ssh && echo -n "2, " |
[ -e /etc/ssh/sshd_config.default ] && mv /etc/ssh/sshd_config.default /etc/ssh/sshd_config && echo -n "3, " |
[ -e /etc/bashrc.default ] && mv /etc/bashrc.default /etc/bashrc && echo -n "4, " |
[ -e /etc/sudoers.default ] && mv /etc/sudoers.default /etc/sudoers && echo -n "5, " |
[ -e /etc/logrotate.d/mysqld ] && rm -f /etc/logrotate.d/mysqld && echo -n "6, " |
[ -e /etc/logrotate.d/httpd ] && rm -f /etc/logrotate.d/httpd && echo -n "7, " |
[ -e /etc/logrotate.d/squid ] && rm -f /etc/logrotate.d/squid && echo -n "8, " |
[ -e /etc/logrotate.d/radiusd ] && rm -f /etc/logrotate.d/radiusd && echo -n "9, " |
[ -e /etc/logrotate.d/ulogd ] && rm -f /etc/logrotate.d/ulogd && echo -n "10, " |
[ -e /usr/local/sbin/alcasar-uninstall.sh ] && rm -f /usr/local/sbin/alcasar* && rm -f /usr/local/bin/alcasar* && echo -n "11" |
sleep 1 |
echo |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
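Review bot: Restoring `/etc/sudoers` with a bare `mv /etc/sudoers.default /etc/sudoers` (post_install step 5) reinstates a file whose syntax and mode are not checked at that point; sudo refuses a sudoers that fails to parse or is not mode 0440, which would lock every sudo user out after the uninstall. Validate before swapping: `visudo -c -f /etc/sudoers.default && mv /etc/sudoers.default /etc/sudoers && chmod 0440 /etc/sudoers`. The CA and server private keys are removed with plain `rm -f`; if recoverability of that key material matters here, `shred -u` is the closer match to the intent. Cosmetic: both the bind and the cron groups are labelled `-13`.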
/scripts/sbin/alcasar-mysql.sh |
---|
0,0 → 1,53 |
#! /bin/bash |
## Script de sauvegarde de la base MySQL 'radius' (by rexy) |
LANG="fr_FR@euro" # choix de la langue |
rep_tr="/var/Save/base" # répertoire d'accueil des sauvegardes |
ext="sql" # extention des fichiers de sauvegarde |
DB_RADIUS="db_radius" # nom de la base |
DB_USER="db_user" # nom d'utilisateur mysql (base des usagers) |
radiuspwd="radius_pwd" # mot de passe d'accès |
new="$(date +%F-%Hh%M)" # date et heure des fichiers |
fichier="$DB_RADIUS-$new.$ext" # nom du fichier de sauvegarde |
usage="Usage: alcasar-mysql.sh -dump | -import | -raz" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
then |
nb_args=1 |
args="-h" |
fi |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
-dump) |
[ -d $rep_tr ] || mkdir -p $rep_tr |
if [ -e $fichier ]; |
then rm -f $fichier |
fi |
echo "Export de la base 'db_radius' dans le fichier : $fichier" |
mysqldump -u $DB_USER -p$radiuspwd --opt -BcQC $DB_RADIUS > $rep_tr/$fichier |
echo "Fin de Sauvegarde mysql $( date "+%Hh %Mmn" )" |
;; |
-import) |
if [ $nb_args -ne 2 ] |
then |
echo "Entrez le nom d'un fichier SQL (.sql)" |
exit 0 |
else |
mysql -u $DB_USER -p$radiuspwd < $2 |
fi |
;; |
-raz) |
mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < /etc/raddb/radiusd-db-vierge.sql |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "$usage" |
exit 1 |
;; |
esac |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
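Review bot: Every mysql/mysqldump call passes the database password as an argument (`-p$radiuspwd`), which exposes it in the process list to any local user for the lifetime of the command; put it in a root-only option file and call `mysql --defaults-extra-file=/path/to/file`, or at least export it as `MYSQL_PWD` for the single call. The pre-dump cleanup in `-dump` tests and removes `$fichier` in the current directory rather than `$rep_tr/$fichier`, which is where the dump is actually written, so it never does what it intends. The dump contains the user database, so set `umask 077` before writing it unless /var/Save/base is already locked down — not visible here.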
/scripts/sbin/alcasar-logout.sh |
---|
0,0 → 1,23 |
#/bin/sh |
# deconnexion d'un usager |
radiussecret="" |
usage="Usage: alcasar-logout.sh nom_d'usager" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
then |
nb_args=1 |
args="-h" |
fi |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
*) |
echo "User-Name = $args" | /usr/bin/radclient 127.0.0.1:3799 40 $radiussecret |
;; |
esac |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
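Review bot: `radiussecret=""` sends Disconnect-Requests to 127.0.0.1:3799 with an empty shared secret; if the CoA listener on the chilli side is configured the same way (not visible here), any local process can forcibly log users out, and so can anyone who can reach that port if it is not really bound to loopback. Generate a real secret at install time and read it from a root-only file, e.g. `radiussecret=$(cat /etc/chilli/coa-secret)`, rather than hard-coding it. The user name is also interpolated unquoted into the attribute list (`echo "User-Name = $args"`); writing it as `echo "User-Name = \"$args\""` keeps a name containing spaces or commas from being parsed as extra attributes.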
/scripts/sbin/alcasar-bypass.sh |
---|
0,0 → 1,45 |
#!/bin/sh |
# Script portail-bypass |
# Permet d'activer ou de désactiver le contournement de l'authentification et du filtrage WEB |
usage="Usage: alcasar-bypass.sh -on | -off" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
then |
nb_args=1 |
args="-h" |
fi |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
-on) |
# activation du contournement |
for i in chilli squid dansguardian httpd mysqld radiusd |
do |
if (pgrep $i) > /dev/null ; then /etc/init.d/$i stop ; fi |
done |
echo "Configure eth1 ..." |
ifup eth1 |
sh /usr/local/bin/alcasar-iptables-bypass.sh |
if ! (pgrep dhcpd) > /dev/null ; then /etc/init.d/dhcpd start ; fi |
echo "Le contournement du module d'authentification et de filtrage WEB est activé" |
echo "les journaux du parefeu continuent néanmoins d'être enregistrés" |
;; |
-off) |
# désactivation du contournement |
if (pgrep dhcpd) > /dev/null ; then /etc/init.d/dhcpd stop ; fi |
for i in chilli squid dansguardian httpd mysqld radiusd |
do |
if ! (pgrep $i) > /dev/null ; then /etc/init.d/$i start ; fi |
done |
sh /usr/local/bin/alcasar-iptables.sh |
echo "L'authentification et le filtrage WEB sont de nouveau activés" |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "$usage" |
exit 1 |
;; |
esac |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
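Review bot: `-on` stops chilli, squid, dansguardian, httpd, mysqld and radiusd and swaps in the bypass ruleset, i.e. it disables both user authentication and web filtering, yet the only record is an echo to the operator's terminal. Log the transition to syslog so it survives in the audit trail, e.g. `logger -t alcasar-bypass "bypass activated by $(whoami) from ${SSH_CLIENT:-console}"` in `-on` and the mirror message in `-off`. Separately, `pgrep $i` matches any process whose name contains the string, so `pgrep chilli` is also true while a `chilli_query` is running; `pgrep -x $i` avoids the false positive that would skip starting the real daemon in `-off`.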
/scripts/alcasar-conf.sh |
---|
0,0 → 1,99 |
#/bin/sh |
# by rexy |
# Ce script permet de créer ou de charger l'archive des fichiers de configuration (/tmp/alcasar-conf.tar.gz) |
DIR_UPDATE="/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour |
DIR_WEB="/var/www/html" # répertoire du centre de gestion |
DIR_DEST_SBIN="/usr/local/sbin" # répertoire des scripts d'admin |
DIR_DEST_ETC="/usr/local/etc" # répertoire des fichiers de conf |
DB_USER="db_user" # nom d'utilisateur mysql (base usagers) |
radiuspwd="radius_pwd" # mot de passe d'accès |
usage="Usage: alcasar-conf.sh -create | -load" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
then |
nb_args=1 |
args="-h" |
fi |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
-create) |
DIR_UPDATE="/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour |
[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE |
mkdir $DIR_UPDATE |
# Sauvegarde des certificats (serveur et CA) |
cert_date=`/usr/bin/openssl x509 -noout -in /etc/pki/tls/certs/alcasar.crt -dates|grep After|cut -d"=" -f2` |
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE |
cp -f /etc/pki/tls/private/alcasar.key $DIR_UPDATE |
cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE |
cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE |
# Sauvegarde de la base des usagers |
/usr/local/sbin/alcasar-mysql.sh -dump |
cp /var/Save/base/`ls /var/Save/base|tail -1` $DIR_UPDATE |
# Sauvegarde des comptes de gestion |
cp -rf $DIR_WEB/digest $DIR_UPDATE |
# Sauvegarde du nom d'organisme |
echo `hostname` > $DIR_UPDATE/hostname |
# Sauvegarde du logo |
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE |
# Sauvegarde des fichiers d'exceptions (urls, domains et mac) |
cp -f /etc/chilli/alcasar-* $DIR_UPDATE |
# Sauvegarde des listes de filtrage |
echo "sauvegarde de l'ancienne blacklist ..." |
cp -rf /etc/dansguardian/lists/ $DIR_UPDATE |
# sauvegarde des fichiers de filtrage réseau |
mkdir $DIR_UPDATE/etc/ |
cp -rf $DIR_DEST_ETC/* $DIR_UPDATE/etc/ |
# création de l'archive |
cd /tmp |
tar -cf alcasar-conf.tar conf/ |
gzip -f alcasar-conf.tar |
rm -rf $DIR_UPDATE |
;; |
-load) |
cd /tmp |
tar -xf /tmp/alcasar-conf.tar.gz |
# Récupération du nom d'organisme |
ORGANISME=`cat $DIR_UPDATE/hostname|cut -b 9-` |
hostname `cat $DIR_UPDATE/hostname` |
# Récupération du logo |
cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/ |
chown apache:apache $DIR_WEB/images/organisme.png $DIR_WEB/intercept.php |
# Récupération des certificats (CA et serveur) |
cp -f $DIR_UPDATE/alcasar-ca.crt /etc/pki/CA/ |
cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/ |
cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/ |
cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/ |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
# Import de la dernière base usagers |
mysql -u$DB_USER -p$radiuspwd < `ls $DIR_UPDATE/radius*` |
# Récupération des uamallowed |
cp -f $DIR_UPDATE/alcasar-uam* /etc/chilli/. |
chown root:apache /etc/chilli/alcasar-uam* |
chmod 660 /etc/chilli/alcasar-uam* |
# Récupération des listes de filtrage (BL principale et secondaire, @IP non filtrés, etc.) |
rm -rf /etc/dansguardian/lists |
cp -rf $DIR_UPDATE/lists /etc/dansguardian/ |
chown -R dansguardian:apache /etc/dansguardian/lists |
chmod -R g+rw /etc/dansguardian/lists |
# Récupération des comptes de gestion (admin + manager + backup) |
cp -rf $DIR_UPDATE/digest $DIR_WEB/ |
$DIR_DEST_SBIN/alcasar-profil.sh -list |
# Récupération des règles de filtrage réseau |
cp -f $DIR_UPDATE/etc/* $DIR_DEST_ETC/ |
chown root:apache $DIR_DEST_ETC/* |
chmod 660 $DIR_DEST_ETC/* |
rm -rf $DIR_UPDATE |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "$usage" |
exit 1 |
;; |
esac |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
+* |
\ No newline at end of property |
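Review bot: `-create` does not check that `mkdir $DIR_UPDATE` succeeded, and the script then copies the CA private key, the server key, the user-database dump and the htdigest files into `/tmp/conf`; between the `rm -rf` and the `mkdir` a local user can recreate `/tmp/conf` (or a symlink), the `mkdir` fails silently and those secrets land in a directory the attacker controls, and the resulting `/tmp/alcasar-conf.tar.gz` is created with the default umask. Add `umask 077` at the top of the script and `mkdir $DIR_UPDATE || exit 1` (a `mktemp -d` directory removes the race entirely), and consider writing the archive somewhere other than /tmp. `-load` in turn trusts whatever sits at `/tmp/alcasar-conf.tar.gz`, from which it restores the CA key and pipes SQL into the users database, so it should only be run on an archive placed there by root. `cert_date` is computed and never used.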
/scripts/alcasar-iptables-filter.sh |
---|
0,0 → 1,62 |
#!/bin/sh |
# by rexy (version 1.9 du 12/2009) |
# a voir la relation avec nf_nat_ftp |
# modprobe ip_conntrack_irc |
# modprobe ip_conntrack_ftp |
################## FILTRAGE PARTICULIER ################## |
# Administration à distance par exemple : |
## Autoriser SSH depuis l'extérieur sur le port 12222 #### |
## Ne pas oublier la règle de PAT sur le modem/routeur (box ADSL) ! ainsi que l'adresse IP de votre machine distante dans /etc/hosts.allow |
# $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 12222 -m state --state NEW -j ULOG --ulog-prefix "RULE Admin2 -- ACCEPT |
# $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 12222 -j REDIRECT --to-port 22 |
# $IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -j ACCEPT |
########################################################## |
################# FILTRAGE APPLICATIF #################### |
## Positionnez la variable "FILTERING" du fichier "alcasar-iptables.sh" à "yes" pour activer le filtrage |
## Modifiez le fichier /usr/local/etc/alcasar-services pour l'adapter à vos besoins |
if [ $FILTERING = "yes" ] |
then |
# si le fichier d'exception est renseigné on le traite |
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1` |
if [ $nb_exceptions != "0" ] |
then |
while read ip_exception |
do |
echo $ip_exception |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW,ESTABLISHED -j ACCEPT |
done < /usr/local/etc/alcasar-filter-exceptions |
fi |
# On autorise les protoles non commentés |
while read svc_line |
do |
svc_on=`echo $svc_line|cut -b1` |
if [ $svc_on != "#" ] |
then |
svc_name=`echo $svc_line|cut -d" " -f1` |
svc_port=`echo $svc_line|cut -d" " -f2` |
if [ $svc_name = "icmp" ] |
then |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT |
# else if [ $svc_name = "ftp-passif" ] |
# then |
# /sbin/modprobe nf_nat_ftp |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ULOG --ulog-prefix "RULE F_ftp-passifE -- ACCEPT " |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state RELATED -j ULOG --ulog-prefix "RULE F_ftp-passifR -- ACCEPT " |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT |
# fi |
else |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW,ESTABLISHED -j ACCEPT |
fi |
fi |
done < /usr/local/etc/alcasar-services |
#tout le reste est bloqué |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT |
fi |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
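Review bot: Each line of `/usr/local/etc/alcasar-filter-exceptions` is expanded unquoted into the iptables command (`-s $ip_exception`), and alcasar-nf.sh makes that file writable by the apache group, so a line carrying extra tokens (for instance `10.0.0.5 -d 0.0.0.0/0`) becomes additional iptables arguments executed as root when the ruleset is rebuilt; `$svc_port` from alcasar-services has the same exposure. Reject anything that is not an address or CIDR before using it, `case $ip_exception in *[!0-9./]*|"") continue ;; esac` at the top of the loop, and quote `"$ip_exception"` and `"$svc_port"` in the `$IPTABLES` lines. Use `read -r` in both loops so backslashes are not interpreted, and note that a blank line in alcasar-services currently makes `[ $svc_on != "#" ]` error out. The file relies on `$FILTERING`, `$IPTABLES` and `$TUNIF` being set by alcasar-iptables.sh, which sources it; a one-line comment at the top saying it must be sourced, not executed, would save the next reader a search.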
/scripts/alcasar-urpmi.sh |
---|
0,0 → 1,43 |
#!/bin/sh |
# script d'ajout des medias logiciels |
# 3abtux & rexy |
# changelog : |
# + prise en compte dynamique de la version de la distribution |
# + prise en compte de la nouvelle struture RPM |
# + test avant sortie |
fic=`cat /etc/product.id` |
old="$IFS" |
IFS="," |
set $fic |
for i in $* |
do |
if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ] |
then |
ARCH=`echo $i|cut -d"=" -f2` |
fi |
if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ] |
then |
VERSION=`echo $i|cut -d"=" -f2` |
fi |
done |
IFS="$old" |
# For International install |
# MIRRORLIST="http://api.mandriva.com/mirrors/basic.$VERSION.$ARCH.list" |
# For french ALCASARistes |
MIRRORLIST="http://ftp.free.fr/pub/Distributions_Linux/MandrivaLinux/official/$VERSION/$ARCH" |
urpmi.removemedia -a |
urpmi.addmedia --probe-synthesis --mirrorlist $MIRRORLIST main /media/main/release |
urpmi.addmedia --probe-synthesis --mirrorlist $MIRRORLIST main_updates /media/main/updates |
urpmi.addmedia --probe-synthesis --mirrorlist $MIRRORLIST contrib /media/contrib/release |
urpmi.addmedia --probe-synthesis --mirrorlist $MIRRORLIST contrib_updates /media/contrib/updates |
nb_repository=`cat /etc/urpmi/urpmi.cfg|grep mirrorlist|wc -l` |
if [ "$nb_repository" != "4" ] |
then |
exit 1 |
else exit 0 |
fi |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
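Review bot: The two comparisons `[ ... == "arch" ]` and `[ ... == "version" ]` use `==`, which `[`/test does not define in POSIX sh; under dash or any non-bash /bin/sh the test errors out, ARCH and VERSION stay empty and the mirror URL is bogus. Use `=` in both places. `set $fic` should be `set -- $fic` so a product.id beginning with `-` is not taken as a `set` option. The mirror list is fetched over plain http; whether that matters depends on urpmi's package signature checking being enabled for these media, which is not visible here.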
/scripts/alcasar-watchdog.sh |
---|
0,0 → 1,51 |
#/bin/sh |
# by rexy |
# Ce script permet de déconnecter les usagers dont |
# - les équipementis réseau ne répondent plus |
# - les adresses MAC sont usurpées |
# The aim of this script is to disconnect users whose |
# - PCs are quiet |
# - MAC address are in used by other systems (usurped) |
INTIF="eth1" |
PRIVATE_IP="192.168.182.1" |
tmp_file="/tmp/watchdog.txt" |
IFS=$'\n' |
# lecture du fichier contenant les adresses IP des stations muettes |
if [ -e $tmp_file ]; then |
cat $tmp_file | while read noresponse |
do |
noresponse_ip=`echo $noresponse | cut -d" " -f1` |
noresponse_mac=`echo $noresponse | cut -d" " -f2` |
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 $noresponse_ip|grep response|cut -d" " -f2` |
if [[ $(expr $arp_reply) -eq 0 ]] |
then |
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) reste muette. On déconnecte." |
/usr/sbin/chilli_query logout $noresponse_mac |
fi |
done |
rm $tmp_file |
fi |
# on traite chaque équipements connus de chilli |
for system in `/usr/sbin/chilli_query list` |
do |
active_ip=`echo $system |cut -d" " -f2` |
active_session=`echo $system |cut -d" " -f5` |
active_mac=`echo $system | cut -d" " -f1` |
# on ne traite que les équipements exploitées par un usager authentifié |
if [[ $(expr $active_session) -eq 1 ]] |
then |
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 $active_ip|grep response|cut -d" " -f2` |
# on stocke les adresses IP des stations muettes |
if [[ $(expr $arp_reply) -eq 0 ]] |
then |
echo "$active_ip $active_mac" >> $tmp_file |
fi |
# on deconnecte l'usager d'une stations usurpée (@MAC) |
if [[ $(expr $arp_reply) -gt 2 ]] |
then |
logger "alcasar-watchdog : $active_ip est usurpée ($active_mac). On déconnecte." |
/usr/sbin/chilli_query logout $active_mac |
fi |
fi |
done |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
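Review bot: The first line is `#/bin/sh` (no `!`), so this file has no shebang at all, yet it relies on bash-only syntax — `IFS=$'\n'` and `[[ ... ]]` — and run from cron under a POSIX /bin/sh it fails before disconnecting anyone. Make it `#!/bin/bash`. `$(expr $arp_reply)` with an empty `$arp_reply` (arping printed no `response` line, e.g. because the interface is down) runs `expr` with no arguments; `${arp_reply:-0}` is enough and the `expr` wrapper can go. The loop over `chilli_query list` depends on its column order (field 1 MAC, field 2 IP, field 5 session state) being exactly as assumed; a comment naming that format would make the dependency visible.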
/scripts/alcasar-iptables.sh |
---|
0,0 → 1,118 |
#!/bin/sh |
# script de mise en place des regles du parefeu d'Alcasar (mode normal) |
# Rexy - 3abtux - CPN |
# version 1.8 (12/2009) |
# changelog : |
# + prise en compte des règles de "filtrage réseau" (alcasar-iptables-filter.sh) |
# + suppression log vers syslog |
# + suppression des broadcast sur EXTIF et INTIF |
# + suppression du filtrage par la table "NAT" -> utilisation de la table "MANGLE" |
IPTABLES="/sbin/iptables" |
FILTERING="no" |
EXTIF="eth0" |
INTIF="eth1" |
TUNIF="tun0" |
PRIVATE_NETWORK_MASK="192.168.182.0/24" |
PRIVATE_IP="192.168.182.1" |
# On vide (flush) toutes les règles existantes |
$IPTABLES -F |
$IPTABLES -t nat -F |
$IPTABLES -t mangle -F |
$IPTABLES -F INPUT |
$IPTABLES -F FORWARD |
$IPTABLES -F OUTPUT |
# On indique les politiques par défaut |
$IPTABLES -P INPUT DROP |
$IPTABLES -P FORWARD DROP |
$IPTABLES -P OUTPUT ACCEPT |
$IPTABLES -t nat -P PREROUTING ACCEPT |
$IPTABLES -t nat -P POSTROUTING ACCEPT |
$IPTABLES -t nat -P OUTPUT ACCEPT |
# On efface toutes les chaines qui ne sont pas par défaut dans les tables filter et nat |
$IPTABLES -X |
$IPTABLES -t nat -X |
# On autorise tout sur loopback |
$IPTABLES -A INPUT -i lo -j ACCEPT |
# on autorise les requêtes dhcp |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT |
# On ferme INTIF (tout passe par TUNIF) |
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT " |
$IPTABLES -A INPUT -i $INTIF -j REJECT |
# Règles d'antispoofing |
$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY " |
$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j DROP |
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY " |
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP |
# On drop le broadcast et le multicast sur les interfaces (sans Log) |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
# On autorise le ping dans les deux sens (icmp N°0 & 8) en provenance du LAN |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT |
# On ajoute ici les règles de filtrage réseau |
if [ -f /usr/local/bin/alcasar-iptables-filter.sh ]; then |
. /usr/local/bin/alcasar-iptables-filter.sh |
fi |
# On autorise le transfert de flux dans les deux sens (avec log sur les demandes de connexion sortantes) |
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert1 -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT |
$IPTABLES -A FORWARD -o $TUNIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT |
# On autorise les flux entrant dns, ntp, https, ssh et le port 3990 (connexion/deconnexion des usagers). Retour autorisé par politique accept en OUTPUT |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport domain -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport ntp -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport https -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 3990 -j ACCEPT |
# On autorise le retour des connexions sortantes (politique ouput accept) |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
# On redirige les requêtes DNS sortantes sur BIND local |
# log DNS query present dans log du service BIND query.log --> pas de log dans firewall.log |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp ! -d $PRIVATE_IP -m udp --dport domain -j ULOG --ulog-prefix "RULE direct-DNS -- REDIRECT " |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp ! -d $PRIVATE_IP --dport domain -j REDIRECT --to-port domain |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP -m tcp --dport domain -j ULOG --ulog-prefix "RULE direct-DNS -- REDIRECT " |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport domain -j REDIRECT --to-port domain |
# On interdit les connexions directes sur le port de DansGuardian (8080) |
# les paquets concernés sont marqués par une règle de PREROUTING (cf. ci-après) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j DROP |
# On autorise les connexions sur DansGuardian |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
# On log les requêtes HTTP sortantes (demande de connexion seulement) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert2 -- ACCEPT " |
# On redirige les requête http sortantes vers DansGuardian (mode "proxy transparent") |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -j REDIRECT --to-port 8080 |
# On traite les tentatives de contournement par accès direct à DansGuardian (marquage des paquets) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j MARK --set-mark 1 |
# On interdit et on log le reste sur les 2 interfaces d'accès |
$IPTABLES -A INPUT -i $TUNIF -j ULOG --ulog-prefix "RULE rej-int -- REJECT " |
$IPTABLES -A INPUT -i $EXTIF -j ULOG --ulog-prefix "RULE rej-ext -- REJECT " |
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
# On active le masquage d'adresse par translation (NAT) |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE |
# On sauvegarde les règles |
/etc/init.d/iptables save |
# On ne log pas les Log_martians (pour la mdv 2009 seulement) |
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians |
# Fin du script des règles du parefeu |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
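Review bot: The rule file pulled in just before the FORWARD section (`. /usr/local/bin/alcasar-iptables-filter.sh`, guarded only by `-f`) is sourced with the privileges of this script, which has to be root to call iptables, and nothing checks who owns that file or whether it is group/world-writable, so a loose permission on that path becomes command execution at every firewall reload. Requiring root ownership and no write bit for others before sourcing is cheap: `FILTER_RULES=/usr/local/bin/alcasar-iptables-filter.sh` followed by `if [ -f "$FILTER_RULES" ] && [ -O "$FILTER_RULES" ] && [ -z "$(find "$FILTER_RULES" -maxdepth 0 -perm /022)" ]; then . "$FILTER_RULES"; fi` (GNU find syntax; `-O` passes when the file belongs to the effective user, i.e. root here). Separately, `FILTERING="no"` is assigned at the top and never read, and the mangle table is flushed (`-t mangle -F`) but its user-defined chains are never removed, since `-X` is issued for filter and nat only.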
/scripts/alcasar-CA.sh |
0,0 → 1,246 |
#!/bin/sh |
# |
# alcasar-CA.sh |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY |
# This script is distributed under the Gnu General Public License (GPL) |
# |
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> |
# and Michel Arboi <arboi@alussinan.org> |
# |
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$ |
DIR_PKI=/etc/pki |
DIR_CERT=$DIR_PKI/tls |
DIR_WEB=/var/www/html |
CACERT=$DIR_PKI/CA/alcasar-ca.crt |
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key |
SRVCERT=$DIR_CERT/certs/alcasar.crt |
SRVKEY=$DIR_CERT/private/alcasar.key |
SRVREQ=$DIR_CERT/alcasar.req |
FIC_PARAM="/root/ALCASAR-parameters.txt" |
CACERT_LIFETIME="1460" |
SRVCERT_LIFETIME="1460" |
COUNTRY="FR" |
PROVINCE="none" |
LOCATION="Paris" |
ORGANIZATION="ALCASAR-Team" |
mkdir $DIR_TMP || exit 1 |
# dynamic conf file for openssl |
cat <<EOF >$DIR_TMP/ssl.conf |
RANDFILE = $HOME/.rnd |
# |
[ ca ] |
default_ca = AlcasarCA |
[ AlcasarCA ] |
dir = $DIR_TMP # Where everything is kept |
certs = \$dir # Where the issued certs are kept |
crl_dir = \$dir # Where the issued crl are kept |
database = \$dir/index.txt # database index file. |
new_certs_dir = \$dir # default place for new certs. |
certificate = $CACERT # The CA certificate |
serial = \$dir/serial # The current serial number |
crl = \$dir/crl.pem # The current CRL |
private_key = $CAKEY # The private key |
x509_extensions = usr_cert # The extentions to add to the cert |
crl_extensions = crl_ext |
default_days = 365 # how long to certify for |
default_crl_days= 30 # how long before next CRL |
default_md = md5 # which md to use. |
preserve = no # keep passed DN ordering |
policy = policy_anything |
[ policy_anything ] |
countryName = optional |
stateOrProvinceName = optional |
localityName = optional |
organizationName = optional |
organizationalUnitName = optional |
commonName = supplied |
emailAddress = optional |
[ req ] |
default_bits = 1024 |
distinguished_name = req_distinguished_name |
# attributes = req_attributes |
x509_extensions = v3_ca # The extentions to add to the self signed cert |
[ req_distinguished_name ] |
countryName = Country Name (2 letter code) |
countryName_default = FR |
countryName_min = 2 |
countryName_max = 2 |
stateOrProvinceName = State or Province Name (full name) |
stateOrProvinceName_default = Some-State |
localityName = Locality Name (eg, city) |
localityName_default = Lyon |
0.organizationName = Organization Name (eg, company) |
0.organizationName_default = your organization name |
# we can do this but it is not needed normally :-) |
#1.organizationName = Second Organization Name (eg, company) |
#1.organizationName_default = World Wide Web Pty Ltd |
organizationalUnitName = Organizational Unit Name (eg, section) |
#organizationalUnitName_default = |
commonName = Common Name (eg, your name or your server\'s hostname) |
commonName_max = 255 |
emailAddress = Email Address |
emailAddress_max = 255 |
# SET-ex3 = SET extension number 3 |
[ usr_cert ] |
# These extensions are added when 'ca' signs a request. |
# This goes against PKIX guidelines but some CAs do it and some software |
# requires this to avoid interpreting an end user certificate as a CA. |
#basicConstraints=CA:FALSE |
# Here are some examples of the usage of nsCertType. If it is omitted |
# the certificate can be used for anything *except* object signing. |
# This is OK for an SSL server. |
# nsCertType = nsCertType |
# For normal client use this is typical |
# nsCertType = client, email |
nsCertType = server |
keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
# This will be displayed in Netscape's comment listbox. |
nsComment = "OpenSSL Generated Certificate" |
# PKIX recommendations harmless if included in all certificates. |
subjectKeyIdentifier=hash |
authorityKeyIdentifier=keyid,issuer:always |
# This stuff is for subjectAltName and issuerAltname. |
# Import the email address. |
subjectAltName=email:copy |
# Copy subject details |
issuerAltName=issuer:copy |
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem |
#nsBaseUrl |
#nsRevocationUrl |
#nsRenewalUrl |
#nsCaPolicyUrl |
#nsSslServerName |
[ v3_ca ] |
# PKIX recommendation. |
subjectKeyIdentifier=hash |
authorityKeyIdentifier=keyid:always,issuer:always |
# This is what PKIX recommends but some broken software chokes on critical |
# extensions. |
basicConstraints = critical,CA:true |
# So we do this instead. |
#basicConstraints = CA:true |
# Key usage: this is typical for a CA certificate. However since it will |
# prevent it being used as an test self-signed certificate it is best |
# left out by default. |
keyUsage = cRLSign, keyCertSign |
nsCertType = sslCA |
EOF |
hostname=`hostname` |
if [ -z "$hostname" ]; |
then |
echo "Impossible de déterminer le nom d'hôte !!!" |
exit 1 |
fi |
# The value for organizationalUnitName must be 64 chars or less; |
# thus, hostname must be 36 chars or less. If it's too big, |
# try removing domain (merci REXY ;-) ). |
hostname_len=`echo $hostname| wc -c` |
if [ $hostname_len -gt 36 ]; |
then |
hostname=`echo $hostname | cut -d '.' -f 1` |
fi |
if [ ! -f /etc/sysconfig/network-scripts/ifcfg-eth1 ] |
then |
echo "Impossible de déterminer l'@-IP" |
exit 1 |
fi |
IPADDR=`cat /etc/sysconfig/network-scripts/ifcfg-eth1 |grep IPADDR|cut -d"=" -f2` |
CAMAIL=ca@$hostname |
SRVMAIL=apache@$hostname |
echo 01 > $DIR_TMP/serial |
touch $DIR_TMP/index.txt |
# CA key |
rm -f $CAKEY |
echo "*********CAKEY*********" > $DIR_TMP/openssl-log |
openssl genrsa -out $CAKEY 1024 2>> $DIR_TMP/openssl-log |
# CA certificate |
rm -f $CACERT |
echo "*********CACERT*********" >> $DIR_TMP/openssl-log |
echo "$COUNTRY |
$PROVINCE |
$LOCATION |
$ORGANIZATION |
Certification Authority for $hostname |
ALCASAR-local-CA |
$CAMAIL" | |
openssl req -config $DIR_TMP/ssl.conf -new -x509 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log |
# Server key |
rm -f $SRVKEY |
echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log |
openssl genrsa -out $SRVKEY 1024 2>> $DIR_TMP/openssl-log |
# Server certificate "request" |
echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log |
echo "$COUNTRY |
$PROVINCE |
$LOCATION |
$ORGANIZATION |
Server certificate for $hostname |
$IPADDR |
$SRVMAIL" | |
openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log |
# Sign the server certificate "request" to create server certificate |
rm -f $SRVCERT |
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log |
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log |
rm -f $SRVREQ |
chmod a+r $CACERT $SRVCERT |
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ]; |
then |
echo "- Certificat de l'Authorité de Certification : " >> $FIC_PARAM |
echo " Certificat = $CACERT" >> $FIC_PARAM |
echo " Clée privée = $CAKEY" >> $FIC_PARAM |
echo "- Certificat du serveur : " >> $FIC_PARAM |
echo " Certificat = $SRVCERT" >> $FIC_PARAM |
echo " Clée privée = $SRVKEY" >> $FIC_PARAM |
[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs |
rm -f $DIR_WEB/certs/* |
ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.pem |
ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.pem |
rm -rf $DIR_TMP |
exit 0 |
else |
echo "Problème lors de la création des certificats (cf. $DIR_TMP/openssl-log)" >> $FIC_PARAM |
exit 1 |
fi |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
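Review bot: The `[ AlcasarCA ]` section of the generated openssl config sets `default_md = md5`, so every server certificate signed by the `openssl ca` call near the end carries an MD5 signature, and both keys come from `openssl genrsa ... 1024`; MD5 certificate signatures are collision-prone and rejected by modern validators and 1024-bit RSA is below current minimums, so this should read `default_md = sha256` (with a matching `default_md` entry under `[ req ]`, which otherwise appears to fall back to the openssl build default for the self-signed CA certificate) and `openssl genrsa -out $CAKEY 2048` / `openssl genrsa -out $SRVKEY 2048`. The private keys are written with whatever umask the caller has while only the certificates get an explicit mode (`chmod a+r $CACERT $SRVCERT`); add `umask 077` before the first `genrsa`, or `chmod 600 $CAKEY $SRVKEY` after the second. `DIR_TMP` is built from `$$`, a predictable name under a shared `/tmp`; the `mkdir ... || exit 1` prevents a pre-created directory from being reused, but `DIR_TMP=$(mktemp -d)` would avoid the failure altogether. Minor: `echo $hostname | wc -c` counts the trailing newline, so the 36-character limit described in the comment trims one character early.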
/scripts/alcasar-iptables-bypass.sh |
0,0 → 1,80 |
#!/bin/sh |
# script d'initialisation des regles du parefeu en mode ByPass |
# Rexy - 3abtux |
# version 1.8 - 12/2009 |
# changelog : |
# + prise en compte optionnelle d'un fichier iptables 'personnel' permettant de bloquer certains flux/services |
# + suppression log vers syslog |
# + suppression du broadcast et du multicast sur les interfaces |
IPTABLES="/sbin/iptables" |
EXTIF="eth0" |
INTIF="eth1" |
PRIVATE_NETWORK_MASK="192.168.182.0/24" |
# On vide (flush) toutes les règles existantes |
$IPTABLES -F |
$IPTABLES -t nat -F |
$IPTABLES -F INPUT |
$IPTABLES -F FORWARD |
$IPTABLES -F OUTPUT |
# On indique les politiques par défaut |
$IPTABLES -P INPUT DROP |
$IPTABLES -P FORWARD DROP |
$IPTABLES -P OUTPUT ACCEPT |
$IPTABLES -t nat -P PREROUTING ACCEPT |
$IPTABLES -t nat -P POSTROUTING ACCEPT |
$IPTABLES -t nat -P OUTPUT ACCEPT |
# On efface toutes les chaînes qui ne sont pas par défaut dans les tables filter et nat |
$IPTABLES -X |
$IPTABLES -t nat -X |
# On autorise tout sur loopback |
$IPTABLES -A INPUT -i lo -j ACCEPT |
# on autorise les requêtes dhcp |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT |
# Règles d'antispoofing |
$IPTABLES -A INPUT -i $INTIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY " |
$IPTABLES -A INPUT -i $INTIF ! -s $PRIVATE_NETWORK_MASK -j DROP |
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY " |
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP |
# On drop le broadcast et le multicasat sur les interfaces (sans Log) |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
# On autorise le ping dans les deux sens (icmp N°0 & 8) en provenance du LAN |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT |
# On autorise le tranfert des requête DNS (sans LOG) |
$IPTABLES -A FORWARD -i $INTIF -p udp --dport domain -j ACCEPT |
# On autorise le flux dans les deux sens (avec Log sur les demandes de connexion). |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT " |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -i $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT |
$IPTABLES -A FORWARD -o $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT |
# On autorise les flux entrant ntp et ssh via INTIF |
$IPTABLES -A INPUT -i $INTIF -p udp --dport ntp -j ACCEPT |
$IPTABLES -A INPUT -i $INTIF -p tcp --dport ssh -j ACCEPT |
# On autorise les flux entrant des connexions déjà établies (ping à partir du portail par exemple) |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
# On interdit et on log le reste sur les 2 interfaces d'accès |
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE rej-int -- REJECT " |
$IPTABLES -A INPUT -i $EXTIF -j ULOG --ulog-prefix "RULE rej-ext -- REJECT " |
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
# On active le masquage d'adresse par translation (NAT) |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE |
/etc/init.d/iptables save |
# Fin du script des regles du parefeu |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
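Review bot: The flush block at the top clears only the filter and nat tables (`$IPTABLES -F`, `$IPTABLES -t nat -F`), whereas the normal-mode script added in this same commit also installs a mangle PREROUTING rule (`-j MARK --set-mark 1`), so switching from normal to bypass mode leaves that MARK rule in place; add `$IPTABLES -t mangle -F` and `$IPTABLES -t mangle -X` next to the existing flush lines so both scripts start from the same clean state. The leftover rule is harmless by itself because the DROP that consumes the mark lives in the filter table, which is flushed, but it is misleading when auditing `iptables -t mangle -L`. Also `multicasat` in the broadcast/multicast comment should read `multicast`.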
/scripts/alcasar-mondo.sh |
0,0 → 1,28 |
#!/bin/sh |
# by 3abtux (with debug helps by Michel GAUDET) |
DIR_TMP="/var/log/mondo" |
DIR_ISO="/var/Save/ISO" |
date=`date +%F-%Hh%M` |
HOSTNAME=`hostname -s` |
ROOT="root" |
ISOFile=$HOSTNAME-$date |
EXCLUDE="$DIR_ISO $DIR_TMP /tmp /mnt /media" |
echo "Les répertoires exclus de l'image ISO sont : $EXCLUDE " |
echo "##################################################" |
echo "# Création de l'archive ISO système d'Alcasar ! #" |
echo "##################################################" |
echo "" |
echo "--------------------------------------------------------" |
echo "Les ISOs seront disponibles dans le répertoire suivant :" |
echo "==--> $DIR_ISO" |
/bin/touch $DIR_ISO/creation-of-the-current-archive |
mkdir $DIR_TMP |
/bin/nice -n 19 /usr/sbin/mondoarchive -p $ISOFile -Oi -s 4300m -d $DIR_ISO -T $DIR_TMP -S $DIR_TMP -E "$EXCLUDE" |
cd $DIR_ISO |
for i in `ls *.iso` ;do |
/usr/bin/md5sum $i > $i.md5 |
done |
rm -rf $DIR_TMP/mondo.scratch.* $DIR_TMP/tmp.mondo.* $DIR_TMP/.*.dat |
rm -f $DIR_ISO/creation-of-the-current-archive |
exit 0 |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
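Review bot: `cd $DIR_ISO` is not checked and the checksum loop that follows parses `ls` output, so if the directory is missing the loop runs in whatever the previous working directory was, and an ISO name containing whitespace is split into several words. Use `cd "$DIR_ISO" || exit 1` and a glob: `for i in *.iso; do [ -e "$i" ] || continue; /usr/bin/md5sum "$i" > "$i.md5"; done`. `mkdir $DIR_TMP` has no `-p`, so a second run reports an error for the already existing directory (harmless but noisy), and `ROOT="root"` is assigned but never used.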
/scripts/alcasar-log-export.sh |
0,0 → 1,36 |
#!/bin/sh |
# |
# alcasar-log-export.sh |
# by Franck BOUIJOUX |
# This script is distributed under the Gnu General Public License (GPL) |
# Script permettant d'exporter des logs des répertoires /var/log/(squid-firewall-httpd ) à des fins d'archivages. |
# Une fonction EXPERIMENTALE de chiffrement et de signature des logs a été implémentée dans ce script. Son activation par la mise à '1' de la variable 'CHIFFREMENT' et/ou 'SIGNATURE' permet de chiffrer-signer ou signer les logs contenus dans /var/Save/logs/. |
# Il est nécessaire de détenir la passphrase de la clé privée de l'utilisateur 'admin-chillispot' pour rendre ces logs lisibles (la passphrase est actuellement détenue par l'équipe projet. |
# changelog : |
# - 20080114 - implémentation de la signature des archives logs |
date=`date +%F` |
TO_SAVE="/var/Save/logs" # répertoire accessible par webs |
REP_SAVE="/var/log" # répertoire local des logs |
REP_SERVICE="squid httpd firewall" # liste des répertoires contenant des logs à exporter |
CHIFFREMENT="0" # chiffrement des logs ( 0=non / 1=oui ) |
GPG_USER="" # utilisateur autorisé à déchiffrer les logs. Son biclé est inclus dans le portefeuille gnupg de root (/root/.gnupg) |
for i in $REP_SERVICE ; do |
[ -d $TO_SAVE/$i ] || mkdir -p $TO_SAVE/$i # utile une seule fois mais crée le répertoire si nécessaire |
cd $REP_SAVE/$i |
if [ $CHIFFREMENT -eq "1" ] |
then |
# chiffrement des logs dans /var/Save/logs/(squid|firewall|httpd) |
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'firewall*.gz' -o -name 'admin*.gz' \) -exec gpg --output $TO_SAVE/$i/{}.gpg --encrypt --recipient $GPG_USER {} \; |
else |
# copie simple des logs dans /var/Save/logs/(squid|firewall|httpd) |
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*access*log*.gz' -o -name 'firewall*.gz' -o -name 'admin*.gz' \) -exec cp {} $TO_SAVE/$i/. \; |
fi |
done |
chown -R apache.apache $TO_SAVE |
exit 0 |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
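Review bot: With `CHIFFREMENT="1"` the encryption branch runs `gpg --encrypt --recipient $GPG_USER`, but `GPG_USER` defaults to the empty string and nothing validates it, so enabling encryption without editing the variable produces one gpg error per file and an empty export instead of a clear failure; a guard before the loop such as `if [ "$CHIFFREMENT" -eq 1 ] && [ -z "$GPG_USER" ]; then echo "GPG_USER non défini" >&2; exit 1; fi` makes that explicit. `cd $REP_SAVE/$i` is also unchecked inside the loop, so when a service directory is absent the `find .` runs in the previous iteration's directory and copies its logs under the wrong service name; `cd "$REP_SAVE/$i" || continue` avoids that. The header comment mentions a `SIGNATURE` variable and the changelog says log signing was implemented, but no such variable and no `gpg --sign`/`--detach-sign` call exist in this file, so either the comment or the code is out of date.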
/scripts/alcasar-log-clean.sh |
0,0 → 1,14 |
#!/bin/sh |
# script de nettoyage des archives supérieures à 1 an ( 365 jours) |
DATE=`date +%F` |
REP="/var/log/squid/ /var/log/httpd/ /var/log/firewall/ /var/Save/base/ /var/Save/logs/firewall/ /var/Save/logs/squid/ /var/Save/logs/httpd/" |
delay=365 |
for i in $REP |
do |
find $i -mtime +$delay -name '*.gz' -exec rm -f {} \; |
find $i -mtime +$delay -name '*.sql' -exec rm -f {} \; |
done |
exit 0 |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
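Review bot: `DATE` is assigned at the top and never read, and the two `find` calls per directory walk the same tree twice; `find $i -type f -mtime +$delay \( -name '*.gz' -o -name '*.sql' \) -exec rm -f {} \;` does both in one pass, and the added `-type f` keeps the rule from ever matching a directory. The `REP` list relies on word-splitting of the unquoted variable, which works as long as no path contains a space; a one-line comment stating that assumption would help the next reader.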