/scripts/sbin/alcasar-uninstall.sh |
15,7 → 15,7 |
echo "-----------------------------------------------------------------------------" |
echo |
#services_stop |
for i in squid ntpd iptables ulogd dansguardian chilli httpd radiusd freshclam havp dnsmasq mysqld named dhcpd nfsen |
for i in squid ntpd iptables ulogd dansguardian chilli httpd radiusd freshclam havp dnsmasq mysqld named dhcpd |
do |
[ -e /etc/init.d/$i ] && /sbin/chkconfig --del $i && /etc/init.d/$i stop && killall $i 2>/dev/null |
done |
132,6 → 132,11 |
fi |
sleep 1 |
#awstats |
echo -en "\n- awstats(1) : " |
[ -e /etc/awstats/awstats.conf.default ] && mv /etc/awstats/awstats.conf.default /etc/awstats/awstats.conf && echo -n "1" |
sleep 1 |
#DnsMasq |
echo -en "\n- dnsmasq(4) : " |
if [ -e /etc/init.d/dnsmasq ] |
172,6 → 177,7 |
[ -e /etc/cron.d/alcasar-clean_log ] && rm -f /etc/cron.d/alcasar-clean_log && echo -n "5, " |
[ -e /etc/cron.d/alcasar-clean_import ] && rm -f /etc/cron.d/alcasar-clean_import && echo -n "6, " |
[ -e /etc/cron.d/alcasar-distrib-updates ] && rm -f /etc/cron.d/alcasar-distrib-updates && echo -n "7, " |
[ -e /etc/cron.d/awstats ] && rm -f /etc/cron.d/awstats && echo -n "8, " |
[ -e /etc/cron.d/freeradius-web ] && rm -f /etc/cron.d/freeradius-web && echo -n "9, " |
[ -e /etc/cron.d/alcasar-watchdog ] && rm -f /etc/cron.d/alcasar-watchdog && echo -n "10" |
rm -f /etc/cron.d/coova /etc/cron.d/alcasar-bl_download |
219,4 → 225,4 |
echo |
# suppression des exceptions de mises à jours ( coova-chilli et freeradius) |
sed -i '/coova.*/d' /etc/urpmi/skip.list |
sed -i '/coova.*/d' /etc/urpmi/skip.list |
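Review bot: The added `rm -f /etc/cron.d/coova /etc/cron.d/alcasar-bl_download` in the 172,6 → 177,7 hunk deletes two cron files without the `[ -e … ] && rm -f … && echo -n "N"` progress pattern every neighbouring line uses, so the operator's numbered checklist never shows whether they existed or were removed. Folding them into the same form, e.g. `[ -e /etc/cron.d/coova ] && rm -f /etc/cron.d/coova && echo -n "11, "`, and renumbering the trailing `echo -n "10"` accordingly keeps the output readable. In the 219,4 → 225,4 hunk the comment says the coova-chilli and freeradius update exceptions are removed, but only `sed -i '/coova.*/d' /etc/urpmi/skip.list` runs; either add the freeradius line or narrow the comment (whether freeradius is ever written to skip.list is not visible here).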
/scripts/sbin/alcasar-dhcp.sh |
67,7 → 67,7 |
$SED "s?^DHCP.*?DHCP=off?g" $ALCASAR_CONF_FILE |
if [ "$EXT_DHCP_IP" != "none" ] |
then |
$SED "s?.*dhcpgateway\t.*?dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcpgateway\t.*?dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcprelayagent.*?dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcpgatewayport.*?dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
else |
84,7 → 84,7 |
$SED "s?^dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE |
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE |
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE |
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
$SED "s?^EXT_DHCP_IP.*?EXT_DHCP_IP=none?g" $ALCASAR_CONF_FILE |
99,7 → 99,7 |
$SED "s?^dynip.*?dynip\t\t$PRIVATE_DYN_IP?g" $CHILLI_CONF_FILE |
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_DYN_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE |
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
$SED "s?^EXT_DHCP_IP.*?EXT_DHCP_IP=none?g" $ALCASAR_CONF_FILE |
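Review bot: The `dhcpgateway` replacement in all three hunks now writes `dhcpgateway\t\t $EXT_DHCP_IP` with a literal space after the tabs, while the sibling `dhcprelayagent` and `dhcpgatewayport` lines keep `\t\t` only; unless chilli's parser needs that space it should be dropped for consistency, `$SED "s?.*dhcpgateway\t.*?dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE`. Separately, `$EXT_DHCP_IP`, `$RELAY_DHCP_IP` and `$RELAY_DHCP_PORT` are interpolated unescaped into the `s?…?…?` replacement, so a value containing `?`, `&` or `\` (their origin is outside the hunk) would corrupt the chilli configuration rather than fail. A format check before the edits, such as `[[ $EXT_DHCP_IP =~ ^[0-9.]+$ ]] || { echo "bad EXT_DHCP_IP" >&2; exit 1; }`, closes that.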
/scripts/alcasar-watchdog.sh |
4,7 → 4,6 |
# alcasar-watchdog.sh |
# by Rexy |
# This script is distributed under the Gnu General Public License (GPL) |
# Ce script prévient les usagers de l'indisponibilité de l'accès Internet |
# il déconnecte les usagers dont |
# - les équipements réseau ne répondent plus |
12,7 → 11,7 |
# This script tells users that Internet access is down |
# it logs out users whose |
# - PCs are quiet |
# - MAC address are in used by other systems (usurped) |
# - MAC address is used by other systems (usurped) |
EXTIF="eth0" |
INTIF="eth1" |
19,7 → 18,8 |
conf_file="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2` |
private_ip_mask=${private_ip_mask:=192.168.182.1/24} |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1` # @ip du portail (côté LAN) |
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1} |
tmp_file="/tmp/watchdog.txt" |
DIR_WEB="/var/www/html" |
Index_Page="$DIR_WEB/index.php" |
27,7 → 27,7 |
IFS=$'\n' |
function lan_down_alert () |
# users are redirected on ALCASAR IP address if LAN Pb detected |
# users are redirected on ALCASAR IP address if a LAN problem is detected |
{ |
case $LAN_DOWN in |
"1") |
42,7 → 42,7 |
;; |
esac |
net_pb=`cat /etc/dnsmasq.conf|grep "address=/#/"|wc -l` |
if [ $net_pb = "0" ] # on alerte les usagers (si ce n'est pas déjà le cas). |
if [ $net_pb = "0" ] # user alert |
then |
/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page |
/bin/sed -i "s?^conf-dir=.*?address=\/#\/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf |
123,7 → 123,7 |
done |
rm $tmp_file |
fi |
# on traite chaque équipements connus de chilli |
# process each equipment known by chilli |
for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"` |
do |
active_ip=`echo $system |cut -d" " -f2` |
130,16 → 130,20 |
active_session=`echo $system |cut -d" " -f5` |
active_mac=`echo $system | cut -d" " -f1` |
active_user=`echo $system |cut -d" " -f6` |
# on ne traite que les équipements exploitées par un usager authentifié (test de 2 réponses en 4 secondes) |
# process only equipment with an authenticated user |
if [[ $(expr $active_session) -eq 1 ]] |
then |
then |
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l` |
# on stocke les adresses IP des stations muettes |
# store @IP of quiet equipments |
if [[ $(expr $arp_reply) -eq 0 ]] |
then |
echo "$active_ip $active_mac $active_user" >> $tmp_file |
PTN='^[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]$' |
if [[ $(expr $active_user : $PTN) -eq 0 ]] # don't process @mac auth equipments |
then |
echo "$active_ip $active_mac $active_user" >> $tmp_file |
fi |
fi |
# on deconnecte l'usager d'une stations usurpée (@MAC) |
# disconnect users whose equipement is usurped (@MAC) |
if [[ $(expr $arp_reply) -gt 2 ]] |
then |
echo "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/logs/security/watchdog.log |
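Review bot: In the 130,16 → 130,20 hunk the new MAC-username test `if [[ $(expr $active_user : $PTN) -eq 0 ]]` expands both operands unquoted: `$PTN` contains bracket expressions that are subject to pathname expansion, and an empty `$active_user` leaves `expr` with only two arguments, so the test can misfire in exactly the edge cases a watchdog meets. Since the script already uses `[[ … ]]`, the external call can be replaced by `if [[ ! $active_user =~ $PTN ]] # don't process @mac auth equipments`, which needs no quoting and keeps the `^…$` anchors meaningful (`expr`'s `:` operator is already anchored at the start of the string). The enclosing `for system in …` loop and the usurpation branch continue past the end of the hunk.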
/scripts/alcasar-archive.sh |
6,12 → 6,12 |
# This script is distributed under the Gnu General Public License (GPL) |
# Script permettant |
# - d'exporter les logs de traçabilités et la base des usagers à des fins d'archivages. |
# - d'exporter dans un seul fichier les logs de traçabilités et la base des usagers (à des fins d'archivages). |
# - Une fonction de chiffrement des logs a été implémentée dans ce script. Lisez la documentation d'exploitation pour l'activer. |
# - nettoyage des archives supérieures à 1 an (365 jours) |
# This script allows |
# - export log files and user's base in order to archive them. |
# - export in one file the log files and user's base (in order to archive them). |
# - a cypher fonction allows to protect these files. Read the exploit documentation to enable it. |
# - delete backup files older than one year (365 days) |
27,7 → 27,7 |
EXPIRE_DAY=365 # Nbre de jour avant suppression des fichiers journaux |
CRYPT="0" # chiffrement des logs ( 0=non / 1=oui --> Signature = 1(implicite)) |
SIGN="0" # Signature/empreinte des logs ( 0=non / 1=oui ) ATTENTION : nécessite la clé privée !!! |
GPG_USER="OSSI-CIRISI-Lyon" # utilisateur autorisé à déchiffrer les logs. Sa clé publique doit être connu dans le portefeuille gnupg de root (/root/.gnupg) |
GPG_USER="" # utilisateur autorisé à déchiffrer les logs. Sa clé publique doit être connu dans le portefeuille gnupg de root (/root/.gnupg) |
usage="Usage: alcasar-archive.sh {--clean or -c} | {--now or -n}" |
90,15 → 90,12 |
} |
fi |
rm -rf /tmp/archive-* |
chown apache:apache $TO_SAVE/ |
chown root:apache $DIR_ARCHIVE/* |
;; |
--update | -u) |
# Mise à niveau de l'architecture d'export/archivage |
[ -d /tmp/save ] || mkdir -p /tmp/save |
[ -d $DIR_ARCHIVE/ ] || mkdir -p $DIR_ARCHIVE/ # utile une seule fois mais crée le répertoire si nécessaire |
# copie de l'archive au cas où ... |
rm -f $(ls *[0-9]) # effacer les fichiers n'ayant pas été compressés |
mv $TO_SAVE/firewall/tracabilite-* $DIR_ARCHIVE/. |
;; |
*) |
echo "Unknown argument :$1"; |
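Review bot: `rm -f $(ls *[0-9])` in the `--update` arm of the 90,15 → 90,12 hunk deletes every file matching `*[0-9]` in whatever the current working directory happens to be (no `cd` is visible in the hunk) and does so by parsing `ls`, so a name with spaces or a leading `-` is mishandled; anchor it on the intended directory and let the shell glob, `rm -f -- "<archive-dir>"/*[0-9]` (with `shopt -s nullglob` or an existence test for the no-match case). Whether this arm survives on the new side cannot be told from the rendering. The `GPG_USER=""` default in the 27,7 → 27,7 hunk means an operator who sets `CRYPT="1"` without naming a recipient would hand gpg an empty user; the encryption path is outside this hunk, so confirm it refuses to run with `: "${GPG_USER:?recipient required when CRYPT=1}"` or an equivalent check.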
/scripts/alcasar-iptables-bypass.sh |
72,10 → 72,9 |
if [ $SSH = on ] |
then |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT |
fi |
# Insertion de règles locales |
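Review bot: The rewritten SSH rules in the 72,10 → 72,9 hunk accept only `--state NEW` and drop the `OUTPUT … --sport ssh … ESTABLISHED` rule, so established SSH packets in both directions now depend on a generic `-m state --state ESTABLISHED,RELATED -j ACCEPT` on INPUT and OUTPUT that is not visible in this hunk; if the bypass ruleset lacks it, an admin session is cut after the handshake, which on a bypass ruleset means losing remote access to the box. Please confirm both conntrack rules exist earlier in this file, or reinstate the removed OUTPUT line. The WAN rule also passes `-s $SSH_ADMIN_FROM` unquoted; an empty value leaves `-s -d …` on the command line and the rule fails to load, so guard it with `: "${SSH_ADMIN_FROM:?}"` or skip the WAN rules when it is unset.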
/scripts/alcasar-iptables.sh |
45,9 → 45,6 |
TUNIF="tun0" # listen device for chilli daemon |
IPTABLES="/sbin/iptables" |
#lancement du module kernel ipt_NETFLOW (module iptables) |
modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
# Effacement des règles existantes |
# Flush all existing rules |
$IPTABLES -F |
135,7 → 132,6 |
# On autorise les retours de connexions légitimes par INPUT |
# Conntrack on INPUT |
#$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j NETFLOW |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
158,8 → 154,6 |
fi |
# Autorisation des connexions légitimes à DansGuardian |
# Allow connections for DansGuardian |
#Flux netflow des requêtes HTTP à destination de DansGuardian |
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -j NETFLOW |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
255,6 → 249,7 |
#fi |
# Autorisation des retours de connexions légitimes |
# Allow conntrack |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
# If protocols filter is activate |
266,7 → 261,6 |
while read ip_exception |
do |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-filter-exceptions |
fi |
278,7 → 272,6 |
do |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2` |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-uamallowed |
fi |
293,15 → 286,11 |
svc_port=`echo $svc_line|cut -d" " -f2` |
if [ $svc_name = "icmp" ] |
then |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT |
else |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT |
fi |
fi |
322,19 → 311,18 |
# Autorisation des connections sortant du LAN |
# Allow forward connections with log |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT |
############################# |
# OUTPUT # |
############################# |
# SSHD rules if activate |
if [ $SSH = on ] |
then |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT |
fi |
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur |
# Everything is allowed but traffic through outside network interface |
# On autorise les retours de connexions légitimes par OUTPUT |
# Conntrack on OUTPUT |
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
# On laisse tout sortir sur INTIF |
# Everything is allowed only on INTIF |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
# On autorise les requêtes DNS vers les serveurs DNS identifiés |
343,7 → 331,6 |
# On autorise les requêtes HTTP sortantes |
# HTTP requests are allowed |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT |
# On autorise les requêtes FTP |
350,7 → 337,6 |
# FTP requests are allowed |
modprobe ip_conntrack_ftp |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT |
# On autorise les requêtes NTP |
# NTP requests are allowed |
370,7 → 356,6 |
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT |
fi |
############################# |
# POSTROUTING # |
############################# |
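Review bot: The 135,7 → 132,6 and 158,8 → 154,6 hunks keep the commented-out NETFLOW lines `#$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j NETFLOW` and `#$IPTABLES -A INPUT -i $TUNIF … --dport 8080 -j NETFLOW` (plus its French comment), while every other hunk deletes the NETFLOW rule outright; for consistency with the removal of `modprobe ipt_NETFLOW` in the 45,9 → 45,6 hunk these dead lines should go too. Because the module is no longer loaded, any `-j NETFLOW` left in a part of this script or in a sibling ruleset outside these hunks would now fail with an unknown-target error and leave that rule missing, so grep the scripts tree for it before merging.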
/scripts/alcasar-conf.sh |
386,6 → 386,8 |
$SED "s?^\$organisme = .*?\$organisme = \"$ORGANISME\";?g" /var/www/html/intercept.php /var/www/html/status.php |
# dhcp (coova + dnsmasq) |
$DIR_SBIN/alcasar-dhcp.sh -$DHCP_mode |
# awstat |
$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf |
# dnsmasq |
$SED "/127.0.0.1/!s?^listen-address=.*?listen-address=$PRIVATE_IP?g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf |
for i in /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf |
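Review bot: The new `$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf` has no existence test, unlike the guarded edits elsewhere in these scripts, so on a host where awstats is not yet installed `sed -i` fails on a missing file; `[ -e /etc/awstats/awstats.conf ] && $SED …` keeps the reconfiguration idempotent. The `# awstat` heading should read `# awstats`.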
/scripts/alcasar-urpmi.sh |
12,7 → 12,8 |
VERSION="2" |
ARCH="i586" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
PACKAGES="sudo freeradius freeradius-mysql freeradius-ldap freeradius-web apache-mpm-prefork apache-mod_ssl apache-mod_php iptables squid dansguardian postfix mariadb logwatch ntp bind-utils openssh-server php-xml php-ldap php-mysql pam_ccreds rng-utils dnsmasq syslinux rsync cronie-anacron clamav pm-fallback-policy php-mbstring perl-rrdtool perl-MailTools perl-Socket6 php-sockets kernel-desktop-3.4.45-1.mga2-1-1.mga2" |
PACKAGES="sudo freeradius freeradius-mysql freeradius-ldap freeradius-web apache-mpm-prefork apache-mod_ssl apache-mod_php iptables squid dansguardian postfix mariadb logwatch ntp awstats bind-utils openssh-server php-xml php-ldap php-mysql pam_ccreds rng-utils dnsmasq syslinux rsync cronie-anacron clamav pm-fallback-policy php-mbstring" |
rpm_repository_sync () |
{ |
cat <<EOF > /etc/urpmi/urpmi.cfg |
227,20 → 228,4 |
[ -e /tmp/chilli.conf ] && mv /tmp/chilli.conf /etc/ |
# Clean the RPM cache |
urpmi --clean |
#Keep only kernel-desktop-3.4.45-1.mga2-1-1.mga2 version, and remove all others |
kernelVersion=$(rpm -qa | grep "kernel-desktop") |
for i in $kernelVersion |
do |
if [ ! $i = "kernel-desktop-3.4.45-1.mga2-1-1.mga2" ];then |
urpme $i |
fi |
done |
#Fix the kernel version to : kernel-desktop-3.4.45-1.mga2-1-1.mga2 |
echo "/^kernel-desktop/" > /etc/urpmi/skip.list |
#update tht kernel modules list |
depmod -a |
exit 0 |
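Review bot: With the kernel-pinning loop removed, the script now ends with `urpmi --clean` followed by an unconditional `exit 0`, which reports success to the caller regardless of what the package steps earlier in the file returned (whether `set -e` is in effect is not visible here). If the installer relies on this exit status, capture the status of the install step into a variable and end with `exit "$rc"` instead.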