/CHANGELOG |
1,6 → 1,17 |
# $Id$ |
********** ALCASAR CHANGELOG ********** |
-------------------- 3.4.0 -------------------- |
NEWS |
- Replace DNSmasq server with Unbound |
BUGS |
- Fix listening address for nfcapd (was 0.0.0.0 instead of 127.0.0.1) |
- Fix some typo |
CHANGES |
- Improve script syntax |
-------------------- 3.3.3 -------------------- |
NEWS |
- Linux Kernel 4.14.89 |
/alcasar.sh |
18,7 → 18,7 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
# Options : |
# -i or --install |
39,9 → 39,10 |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
# ulogd : log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Nfsen Netflow grapher |
# dnsmasq : Name server configuration |
# unbound : Name server configuration |
# dnsmasq : Name server configuration (for whitelist ipset support) |
# vnstat : little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter) |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter) |
# cron : Logs export + watchdog + connexion statistics |
# fail2ban : Fail2ban IDS installation and configuration |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
65,7 → 66,7 |
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center' |
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts |
DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files |
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance) |
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (unbound for instance) |
CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file |
PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets |
# ******* DBMS parameters - paramètres SGBD ******** |
132,7 → 133,7 |
old="$IFS" |
IFS="," |
set $fic |
for i in $* |
for i in "$@" |
do |
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ] |
then |
160,7 → 161,7 |
fi |
IFS="$old" |
if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]] |
then |
then |
if [ -e /var/tmp/alcasar-conf.tar.gz ] # update |
then |
echo |
187,7 → 188,7 |
then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)" |
else echo "The OS must be replaced (Mageia6-64bits)" |
fi |
exit 0 |
exit 1 |
fi |
# Test if ALCASAR is already installed |
215,8 → 216,8 |
# Retrieve former NICname |
EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-` # EXTernal InterFace |
INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-` # INTernal InterFace |
[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network." |
[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network." |
[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network." |
[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network." |
# Create the current conf file |
$DIR_SCRIPTS/alcasar-conf.sh --create |
mode="update" |
225,7 → 226,7 |
# Test free space on /var |
if [ ! -d /var/log/netflow/porttracker ] |
then |
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G` |
free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'` |
if [ $free_space -lt 10 ] |
then |
if [ $Lang == "fr" ] |
283,7 → 284,7 |
[ -z "$response" ] && response="$interfacePreferred" |
# Check if interface exist |
if [ $(echo "$interfacesList" | grep -c "^$response\$") -eq 1 ]; then |
if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then |
INTIF="$response" |
break |
else |
305,11 → 306,11 |
else echo -n "Network parameters tests: " |
fi |
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles) |
cd /etc/sysconfig/network-scripts/ |
cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; } |
IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1` |
for i in $IF_INTERFACES |
do |
if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then |
if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then |
rm -f ifcfg-$i |
if [ $Lang == "fr" ] |
318,7 → 319,7 |
fi |
fi |
done |
cd $DIR_INSTALL |
cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; } |
echo -n "." |
# Test Ethernet NIC links state |
interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1) |
342,7 → 343,7 |
PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'` |
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1` |
PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'` |
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ] |
if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ] |
then |
if [ $Lang == "fr" ] |
then |
367,7 → 368,7 |
fi |
echo -n "." |
# Test if default GW is set on EXTIF (router or ISP provider equipment) |
if [ `/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default '` -ne 1 ] ; then |
if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then |
if [ $Lang == "fr" ] |
then |
echo -e "\nÉchec" |
383,7 → 384,7 |
echo -n "." |
# Test if default GW is alive |
arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2` |
if [ $(expr $arp_reply) -eq 0 ] |
if [ "$(expr $arp_reply)" -eq 0 ] |
then |
if [ $Lang == "fr" ] |
then |
438,7 → 439,7 |
fi |
read ORGANISME |
if [ "$ORGANISME" == "" ] |
then |
then |
ORGANISME=! |
fi |
done |
447,7 → 448,7 |
# We create random passwords and shared secrets |
rm -f $PASSWD_FILE |
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE |
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` |
grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8` |
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \ |
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \ |
grep -v '[eE]nter password:' | \ |
459,17 → 460,17 |
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE |
echo "GRUB2_user=root" >> $PASSWD_FILE |
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE |
echo "db_root=$mysqlpwd" >> $PASSWD_FILE |
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE |
echo "db_user=$DB_USER" >> $PASSWD_FILE |
echo "db_password=$radiuspwd" >> $PASSWD_FILE |
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE |
echo "secret_uam=$secretuam" >> $PASSWD_FILE |
secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE |
echo "secret_radius=$secretradius" >> $PASSWD_FILE |
chmod 640 $PASSWD_FILE |
535,7 → 536,7 |
read PRIVATE_IP_MASK |
done |
else |
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
fi |
else |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2` |
549,7 → 550,7 |
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2` # network prefix (ie. 24) |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side) |
if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address |
then |
then |
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` |
PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX` |
fi |
558,10 → 559,6 |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24 |
classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.) |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255) |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4` # last octet of LAN broadcast |
PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1) |
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254) |
PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF |
# Define Internet parameters |
if [ "$mode" != "update" ] |
611,7 → 608,7 |
######################################################################################################### |
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic |
if [ $IP_SETTING == "dhcp" ] |
then |
then |
echo "PUBLIC_IP=dhcp" >> $CONF_FILE |
echo "GW=dhcp" >> $CONF_FILE |
else |
644,7 → 641,7 |
# write EXTIF (Internet) config |
[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF |
if [ $IP_SETTING == "dhcp" ] |
then |
then |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
DEVICE=$EXTIF |
BOOTPROTO=dhcp |
661,7 → 658,7 |
USERCTL=no |
MTU=$MTU |
EOF |
else |
else |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
DEVICE=$EXTIF |
BOOTPROTO=static |
758,10 → 755,10 |
# load ipt_NETFLOW module |
echo "ipt_NETFLOW" >> /etc/modprobe.preload |
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush) |
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
# |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
} # End of network () |
823,8 → 820,8 |
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README* |
[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default |
$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf |
echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf |
845,15 → 842,16 |
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d |
cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/ |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf |
[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd |
[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log |
[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log |
chown -R apache:apache /var/log/lighttpd |
/usr/bin/systemctl start lighttpd |
/usr/bin/systemctl start php-fpm |
860,16 → 858,16 |
# Creation of the first account (in 'admin' profile) |
if [ "$mode" = "install" ] |
then |
header_install |
then |
header_install |
# Creation of keys file for the admin account ("admin") |
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest |
mkdir -p $DIR_DEST_ETC/digest |
chmod 755 $DIR_DEST_ETC/digest |
until [ -s $DIR_DEST_ETC/digest/key_admin ] |
do |
$DIR_DEST_BIN/alcasar-profil.sh --add admin |
done |
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest |
mkdir -p $DIR_DEST_ETC/digest |
chmod 755 $DIR_DEST_ETC/digest |
until [ -s $DIR_DEST_ETC/digest/key_admin ] |
do |
$DIR_DEST_BIN/alcasar-profil.sh --add admin |
done |
fi |
# Run after coova (in order to wait tun0 to be up) |
919,7 → 917,7 |
EOF |
chown -R ntp:ntp /var/lib/ntp |
# Synchronize now |
ntpd -q -g & |
ntpd -4 -q -g & |
} # End of time_server () |
##################################################################### |
932,7 → 930,7 |
##################################################################### |
init_db () |
{ |
if [ `systemctl is-active mysqld` == "active" ] |
if [ "`systemctl is-active mysqld`" == "active" ] |
then |
systemctl stop mysqld |
fi |
957,16 → 955,16 |
echo "Problème : la base données 'MariaDB' ne s'est pas lancée !" |
exit |
fi |
MYSQL="/usr/bin/mysql --execute" |
# Secure the server |
$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';" |
/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';" |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;" |
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;" |
$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
# Create 'radius' database |
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;" |
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;" |
# Add an empty radius database structure |
mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql |
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql |
# modify the start script in order to close accounting connexion when the system is comming down or up |
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default |
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service |
1051,7 → 1049,6 |
/usr/bin/systemctl daemon-reload |
# Allow apache to change some conf files (ie : ldap on/off) |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
} # End freeradius () |
############################################################################# |
1186,7 → 1183,7 |
# |
#Code : 42 => 2a |
#Len : 4 => 04 |
PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4)) |
PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)") |
cat <<EOF > /etc/chilli.conf |
# coova config for ALCASAR |
cmdsocket /var/run/chilli.sock |
1468,7 → 1465,7 |
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/ |
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version) |
DirTmp=$(pwd) |
cd /tmp/nfsen-*/ |
cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; } |
/usr/bin/perl install.pl etc/nfsen.conf |
/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable" |
# Create RRD DB for porttracker (only in it still doesn't exist) |
1505,7 → 1502,7 |
WantedBy=multi-user.target |
EOF |
# Add the listen port to collect netflow packet (nfcapd) |
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm |
$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm |
# expire delay for the profile "live" |
/usr/bin/systemctl start nfsen |
/bin/nfsen -m live -e 62d 2>/dev/null |
1515,11 → 1512,11 |
# cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/ |
# tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/ |
# cd /tmp/ |
# /usr/bin/sh SURFmap/install.sh |
# /usr/bin/sh SURFmap/install.sh |
# clear the installation |
# rm -rf /tmp/SURFmap* |
rm -rf /tmp/nfsen-* |
cd $DirTmp |
cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; } |
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen |
} # End of nfsen () |
1531,7 → 1528,7 |
{ |
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf |
[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default |
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php |
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php |
1546,67 → 1543,14 |
dnsmasq () |
{ |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq |
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on. |
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
cat << EOF > /etc/dnsmasq.conf |
# Configuration file for "dnsmasq in forward mode" |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions |
listen-address=$PRIVATE_IP |
pid-file=/var/run/dnsmasq.pid |
listen-address=127.0.0.1 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=2048 |
domain-needed |
expand-hosts |
bogus-priv |
filterwin2k |
server=$DNS1 |
server=$DNS2 |
# DHCP service is configured. It will be enabled in "bypass" mode |
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h |
#dhcp-option=option:router,$PRIVATE_IP |
#dhcp-option=option:ntp-server,$PRIVATE_IP |
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail> |
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m |
EOF |
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist") |
cat << EOF > /etc/dnsmasq-blacklist.conf |
# Configuration file for "dnsmasq with blacklist" |
# Add Toulouse University blacklist domains |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions |
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled |
pid-file=/var/run/dnsmasq-blacklist.pid |
listen-address=$PRIVATE_IP |
port=54 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=2048 |
domain-needed |
expand-hosts |
bogus-priv |
filterwin2k |
log-queries |
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log |
server=$DNS1 |
server=$DNS2 |
EOF |
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist") |
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist") |
cat << EOF > /etc/dnsmasq-whitelist.conf |
# Configuration file for "dnsmasq with whitelist" |
# ADD Toulouse university whitelist domains |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions |
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled |
pid-file=/var/run/dnsmasq-whitelist.pid |
listen-address=$PRIVATE_IP |
listen-address=127.0.0.1 |
port=55 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=1024 |
1614,60 → 1558,228 |
expand-hosts |
bogus-priv |
filterwin2k |
ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules |
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL) |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules |
server=$DNS1 |
server=$DNS2 |
EOF |
# 4th dnsmasq listen on udp 56 ("blackhole") |
cat << EOF > /etc/dnsmasq-blackhole.conf |
# Configuration file for "dnsmasq as a blackhole" |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions |
address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address |
pid-file=/var/run/dnsmasq-blackhole.pid |
listen-address=$PRIVATE_IP |
port=56 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=256 |
domain-needed |
expand-hosts |
bogus-priv |
filterwin2k |
# Create dnsmasq-whitelist unit |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
} # End dnsmasq |
################################################## |
## Function "unbound" ## |
################################################## |
unbound () |
{ |
[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d |
[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common |
[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward |
[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns |
[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward |
[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist |
[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist |
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole |
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; } |
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default |
# Local static DNS configuration |
[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf |
# Forward zone configuration file for all unbound dns servers |
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf |
forward-zone: |
name: "." |
forward-addr: $DNS1 |
forward-addr: $DNS2 |
EOF |
# file managing domain name resolution (local & remote) |
cat << EOF > $DIR_DEST_ETC/alcasar-dns-name |
# Vous pouvez définir ici votre nom de domain local ('localdomain' par défaut) |
# Here you can define your local domain name ('localdomain' by default) |
local=/localdomain/ |
domain=localdomain |
## Ajouter une ligne pour chaque nom de domaine géré par un autre seveur DNS |
## Add one line for each domain name managed by an other DNS server |
## server=/<your_domain>/<@IP_domain_server> |
## Exemple for an A.D. domain : server=/Your.Domain.AD/110.120.100.100 |
## Exemple for an other domain : server=/an_other_domain/10.20.30.40 |
# Custom configuration file for manual DNS configuration |
cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf |
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS |
## Add one block for each domain name managed by an other DNS server |
## |
## Example: |
## |
## server: |
## local-zone: "<your_domain>." transparent |
## forward-zone: |
## name: "<your_domain>." |
## forward-addr: <@IP_domain_server> |
## |
## INFO : local hostnames are resolved in /etc/hosts file |
EOF |
# the main instance should start after network and chilli (which create tun0) |
[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service |
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit |
for list in blacklist whitelist blackhole |
# Configuration file of ALCASAR main domains for $INTIF |
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
server: |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A $PRIVATE_IP" |
local-zone: "$DOMAIN." static |
local-data: "$DOMAIN. A" |
EOF |
# Configuration file for lo of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf |
server: |
interface: 127.0.0.1@53 |
access-control-view: 127.0.0.1/8 lo |
view: |
name: "lo" |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A 127.0.0.1" |
local-zone: "$DOMAIN." static |
local-data: "$DOMAIN. A" |
view-first: yes |
EOF |
# Configuration file for $INTIF of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@53 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
view: |
name: "$INTIF" |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A $PRIVATE_IP" |
view-first: yes |
EOF |
# Configuration file for forward unbound |
cat << EOF > /etc/unbound/unbound.conf |
server: |
verbosity: 1 |
hide-version: yes |
hide-identity: yes |
do-ip6: no |
include: /etc/unbound/conf.d/common/forward-zone.conf |
include: /etc/unbound/conf.d/common/local-forward/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/forward/* |
EOF |
# Configuration file for $INTIF of blacklist unbound |
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@54 |
access-control: $PRIVATE_IP_MASK allow |
access-control-tag: $PRIVATE_IP_MASK "blacklist" |
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP" |
EOF |
# Configuration file for blacklist unbound |
cat << EOF > /etc/unbound/unbound-blacklist.conf |
server: |
verbosity: 1 |
hide-version: yes |
hide-identity: yes |
do-ip6: no |
logfile: "/var/log/unbound/unbound-blacklist.log" |
chroot: "" |
define-tag: "blacklist" |
log-local-actions: yes |
include: /etc/unbound/conf.d/common/forward-zone.conf |
include: /etc/unbound/conf.d/common/local-forward/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/blacklist/* |
include: /usr/local/share/unbound-bl-enabled/* |
EOF |
# Configuration file for $INTIF of whitelist unbound |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@55 |
access-control: $PRIVATE_IP_MASK allow |
access-control-tag: $PRIVATE_IP_MASK "whitelist" |
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP" |
EOF |
# Configuration file for whitelist unbound |
cat << EOF > /etc/unbound/unbound-whitelist.conf |
server: |
verbosity: 1 |
hide-version: yes |
hide-identity: yes |
do-ip6: no |
do-not-query-localhost: no |
define-tag: "whitelist" |
local-zone: "." transparent |
local-zone-tag: "." "whitelist" |
include: /usr/local/share/unbound-wl-enabled/* |
include: /etc/unbound/conf.d/whitelist/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/common/local-forward/* |
forward-zone: |
name: "." |
forward-addr: 127.0.0.1@55 |
EOF |
# Configuration file for $INTIF of blackhole unbound |
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@56 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
view: |
name: "$INTIF" |
local-zone: "." redirect |
local-data: ". A $PRIVATE_IP" |
EOF |
# Configuration file for blackhole unbound |
cat << EOF > /etc/unbound/unbound-blackhole.conf |
server: |
verbosity: 1 |
hide-version: yes |
hide-identity: yes |
do-ip6: no |
include: /etc/unbound/conf.d/blackhole/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/common/local-forward/* |
EOF |
if [ ! -e /lib/systemd/system/unbound.service.default ] |
then |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default |
fi |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service |
for list in blacklist blackhole whitelist |
do |
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service |
done |
} # End dnsmasq |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service |
} # End unbound |
########################################################## |
## Function "BL" ## |
## - copy Toulouse BL ## |
## - adapt this BL to ALCASAR architecture ## |
## - domain names for dnsmasq-bl & dnasmasq-wl ## |
## - domain names for unbound-bl & unbound-wl ## |
## - URLs for E²guardian ## |
## - IPs for NetFilter ## |
########################################################## |
1845,9 → 1957,9 |
# Create 'gammu' database |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;" |
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;" |
# Add a gammu database structure |
mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql |
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql |
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port) |
cat << EOF > /etc/gammurc |
1972,7 → 2084,7 |
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/ |
pwdInstall=$(pwd) |
cd /tmp/acme.sh-* |
cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; } |
acmesh_installDir="/opt/acme.sh" |
acmesh_confDir="/usr/local/etc/letsencrypt" |
2004,7 → 2116,7 |
dateNextRenewal= |
EOF |
cd $pwdInstall |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; } |
rm -rf /tmp/acme.sh-* |
} # END letsencrypt() |
2027,7 → 2139,7 |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
# sshd liste on EXTIF & INTIF |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config |
2052,6 → 2164,9 |
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE |
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE |
echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE |
echo "BL_PUREIP=on" >> $CONF_FILE |
echo "BL_SAFESEARCH=off" >> $CONF_FILE |
echo "WL_SAFESEARCH=off" >> $CONF_FILE |
# Prompt customisation (colors) |
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default |
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc |
2068,7 → 2183,7 |
# actualisation des fichiers logs compressés |
for dir in firewall e2guardian lighttpd |
do |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \; |
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \; |
done |
# create the alcasar-load_balancing unit |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service |
2097,13 → 2212,13 |
EOF |
/usr/bin/systemctl daemon-reload |
# processes launched at boot time (Systemctl) |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd |
do |
/usr/bin/systemctl -q enable $i.service |
done |
# disable processes at boot time (Systemctl) |
for i in ulogd gpm |
for i in ulogd gpm dhcpd |
do |
/usr/bin/systemctl -q disable $i.service |
done |
2152,10 → 2267,10 |
if [ $Lang == "fr" ] |
then |
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release |
else |
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release |
fi |
/usr/bin/update-grub2 |
# Load and apply the previous conf file |
2174,7 → 2289,7 |
chown -R root:apache $DIR_DEST_ETC/* |
chmod -R 660 $DIR_DEST_ETC/* |
chmod ug+x $DIR_DEST_ETC/digest |
cd $DIR_INSTALL |
cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; } |
echo "" |
echo "#############################################################################" |
if [ $Lang == "fr" ] |
2190,7 → 2305,7 |
echo |
echo "- Lisez attentivement la documentation d'exploitation" |
echo |
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain" |
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN" |
echo |
echo " Appuyez sur 'Entrée' pour continuer" |
else |
2205,7 → 2320,7 |
echo |
echo "- Read the exploitation documentation" |
echo |
echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain" |
echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN" |
echo |
echo " Hit 'Enter' to continue" |
fi |
2212,7 → 2327,7 |
sleep 2 |
if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ] |
then |
read a |
read |
fi |
clear |
reboot |
2228,10 → 2343,10 |
echo "Launch this program from the ALCASAR archive directory" |
exit 0 |
fi |
if [[ $EUID > 0 ]] |
if [ $EUID -gt 0 ] |
then |
echo "Vous devez être "root" pour installer ALCASAR (commande 'su')" |
echo "You must be "root" to install ALCASAR ('su' command)" |
echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')" |
echo "You must be \"root\" to install ALCASAR ('su' command)" |
exit 0 |
fi |
VERSION=`cat $DIR_INSTALL/VERSION` |
2273,7 → 2388,7 |
if [ $DEBUG_ALCASAR == "on" ] |
then |
echo "*** 'debug' : end of cleaning ***" |
read a |
read |
fi |
# Test if manual update |
if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ] |
2313,13 → 2428,13 |
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1` |
mode="update" |
fi |
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound BL cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |
then |
then |
echo "*** 'debug' : end of install '$func' ***" |
read a |
read |
fi |
done |
;; |
2359,4 → 2474,3 |
;; |
esac |
# end of script |
/conf/logrotate.d/unbound-blacklist |
---|
0,0 → 1,11 |
/var/log/unbound/unbound-blacklist.log { |
missingok |
notifempty |
rotate 52 |
weekly |
dateext |
sharedscripts |
postrotate |
/usr/bin/systemctl restart unbound-blacklist |
endscript |
} |
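Review bot: The `postrotate` step restarts `unbound-blacklist`, so every weekly rotation takes the blacklist resolver down for the restart window and drops its cache; `copytruncate` rotates the file without touching the daemon, and if remote control is enabled for this instance `unbound-control log_reopen` would be the lighter alternative (the instance's `remote-control:` settings are not in this diff). With `dateext` and no `dateformat`, rotated files are named `unbound-blacklist.log-YYYYMMDD`, while the activity-report script in this same commit globs `/var/log/unbound/unbound-blacklist.log.*` and `unbound-blacklist.log.*.gz`, which would not match them — worth confirming which naming is intended before shipping both. `missingok` and `notifempty` are appropriate for a log that only grows while blocks occur.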
/rpms/x86_64/lib64unbound8-1.8.3-2.mga6.x86_64.rpm |
---|
svn:mime-type = application/x-rpm |
Property changes: |
Added: svn:mime-type |
+application/x-rpm |
\ No newline at end of property |
/rpms/x86_64/unbound-1.8.3-2.mga6.x86_64.rpm |
---|
svn:mime-type = application/x-rpm |
Property changes: |
Added: svn:mime-type |
+application/x-rpm |
\ No newline at end of property |
/scripts/alcasar-activity_report.sh |
---|
93,98 → 93,97 |
cat $MODEL_TABINFO | while read LINE_HTML |
do |
if [ "$(echo $LINE_HTML | grep 'XXORGXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^ORGANISM= $CONF_FILE | cut -d'=' -f2-) |
echo ${LINE_HTML/XXORGXX/$VALUE} >> $HTML_REPORT |
if [ $(echo $LINE_HTML | grep 'XXORGXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^ORGANISM= $CONF_FILE | cut -d'=' -f2-) |
echo ${LINE_HTML/XXORGXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXINSTALLXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^INSTALL_DATE= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXINSTALLXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXAVERSIONXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^VERSION= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXAVERSIONXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXIP_PUBLICXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^PUBLIC_IP= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXIP_PUBLICXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXIP_PRIVEXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXIP_PRIVEXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXGWXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^GW= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXGWXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXDNS1XX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^DNS1= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXDNS1XX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXDNS2XX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^DNS2= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXDNS2XX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXHOSTXX' | wc -l) -eq 1 ] |
then |
VALUE=$(hostname) |
echo ${LINE_HTML/XXHOSTXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXOS_VERSIONXX' | wc -l) -eq 1 ] |
then |
VALUE=$( echo $(uname -r) [ $(uname -m) ] ) |
echo ${LINE_HTML/XXOS_VERSIONXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXREBOOTXX' | wc -l) -eq 1 ] |
then |
VALUE=$(echo $(who -b | cut -d' ' -f12-)) |
echo ${LINE_HTML/XXREBOOTXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXMAJCLAMAVXX' | wc -l) -eq 1 ] |
then |
VALUE=$(date -d @$(rpm -qa --queryformat "%{installtime} %{name}\n" | grep -E "clamav-db" | cut -d' ' -f1 ) "+%Y-%m-%d %H:%M:%S") |
echo ${LINE_HTML/XXMAJCLAMAVXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXMAJBLXX' | wc -l) -eq 1 ] |
then |
VALUE=$(cat /etc/e2guardian/lists/blacklists/README | grep 'Last version' | cut -d' ' -f4-6) |
echo ${LINE_HTML/XXMAJBLXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXRPMXX' | wc -l) -eq 1 ] |
then |
#show every ALCASAR RPM updated since X day ago |
#get timestamp of X day ago. Then we get every packets chich have been updated since this date. |
if [ $(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l) -gt 1 ] |
elif [ "$(echo $LINE_HTML | grep 'XXINSTALLXX' | wc -l)" -eq 1 ] |
then |
PACKAGE='php|lighttpd|iptables|dnsmasq|radius|tinyproxy|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget' |
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR |
do |
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1) |
RPM_DATE=$(date -d @$(echo $RPM_TIMESTAMP) "+%Y-%m-%d %H:%M:%S") |
RPM_NAME=$(echo $RPM_ALCASAR | cut -d' ' -f2) |
RPM_VERSION=$(echo $RPM_ALCASAR | cut -d' ' -f3) |
VALUE=$(grep ^INSTALL_DATE= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXINSTALLXX/$VALUE} >> $HTML_REPORT |
echo "<tr>" >> $HTML_REPORT |
echo "<td>$RPM_NAME</td>" >> $HTML_REPORT |
echo "<td>$RPM_DATE</td>" >> $HTML_REPORT |
echo "<td>$RPM_VERSION</td>" >> $HTML_REPORT |
echo "</tr>" >> $HTML_REPORT |
done |
elif [ "$(echo $LINE_HTML | grep 'XXAVERSIONXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^VERSION= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXAVERSIONXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXIP_PUBLICXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^PUBLIC_IP= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXIP_PUBLICXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXIP_PRIVEXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXIP_PRIVEXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXGWXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^GW= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXGWXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXDNS1XX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^DNS1= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXDNS1XX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXDNS2XX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^DNS2= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXDNS2XX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXHOSTXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(hostname) |
echo ${LINE_HTML/XXHOSTXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXOS_VERSIONXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(echo "$(uname -r) [ $(uname -m) ]") |
echo ${LINE_HTML/XXOS_VERSIONXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXREBOOTXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(who -b | cut -d' ' -f12-) |
echo ${LINE_HTML/XXREBOOTXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXMAJCLAMAVXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(date -d "@$(rpm -qa --queryformat "%{installtime} %{name}\n" | grep -E "clamav-db" | cut -d' ' -f1 )" "+%Y-%m-%d %H:%M:%S") |
echo ${LINE_HTML/XXMAJCLAMAVXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXMAJBLXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(cat /etc/e2guardian/lists/blacklists/README | grep 'Last version' | cut -d' ' -f4-6) |
echo ${LINE_HTML/XXMAJBLXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXRPMXX' | wc -l)" -eq 1 ] |
then |
#show every ALCASAR RPM updated since X day ago |
#get timestamp of X day ago. Then we get every packets chich have been updated since this date. |
if [ "$(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l)" -gt 1 ] |
then |
PACKAGE='php|lighttpd|iptables|dnsmasq|unbound|radius|tinyproxy|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget' |
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR |
do |
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1) |
RPM_DATE=$(date -d "@$(echo $RPM_TIMESTAMP)" "+%Y-%m-%d %H:%M:%S") |
RPM_NAME=$(echo $RPM_ALCASAR | cut -d' ' -f2) |
RPM_VERSION=$(echo $RPM_ALCASAR | cut -d' ' -f3) |
echo "<tr>" >> $HTML_REPORT |
echo "<td>$RPM_NAME</td>" >> $HTML_REPORT |
echo "<td>$RPM_DATE</td>" >> $HTML_REPORT |
echo "<td>$RPM_VERSION</td>" >> $HTML_REPORT |
echo "</tr>" >> $HTML_REPORT |
done |
else |
echo "<tr><td colspan=\"3\">Pas de RPM mis à jour cette semaine</td></tr>" >> $HTML_REPORT |
fi |
else |
echo "<tr><td colspan=\"3\">Pas de RPM mis à jour cette semaine</td></tr>" >> $HTML_REPORT |
echo $LINE_HTML >> $HTML_REPORT |
fi |
else |
echo $LINE_HTML >> $HTML_REPORT |
fi |
done |
######################BL WEBSITE SINCE INSTALLATION###################### |
192,45 → 191,36 |
#find data |
#decompress every logs |
if [ $(ls -1 /var/log/dnsmasq/dnsmasq-blacklist.log.*.gz 2>/dev/null | wc -l) -ge 1 ] |
if [ "$(ls -1 /var/log/unbound/unbound-blacklist.log.*.gz 2>/dev/null | wc -l)" -ge 1 ] |
then |
gunzip -d dnsmasq-blacklist.log.*.gz |
gunzip -d unbound-blacklist.log.*.gz |
fi |
#convert logs date in timestamp and find categories of blacklisted website |
for FILE in $(ls -1 /var/log/dnsmasq/ | grep 'dnsmasq-blacklist.log') |
tmp_log=$(mktemp) |
for FILE in /var/log/unbound/unbound-blacklist.log* |
do |
grep -E "info: [^ ]+ typetransparent $PRIVATE_IP" /var/log/unbound/unbound-blacklist.log > $tmp_log |
while read LOG_BL |
do |
if [ $(echo $LOG_BL | grep config | grep $PRIVATE_IP | wc -c) -ge 1 ] |
# find the current blacklisted category |
website_bl=$(echo $LOG_BL | cut -d' ' -f4) |
website_bl=${website_bl%?} # remove the last character |
#we convert www.test.co.uk => test.co.uk to find the category of this website |
if [ "$(grep -o '\.' <<< "$website_bl" | wc -l)" -ge "2" ] |
then |
#find the current blacklisted category |
website_bl=$(echo $LOG_BL | cut -d' ' -f6) |
#we convert www.test.co.uk => test.co.uk to find the category of this website |
if [ $(grep -o '\.' <<< "$website_bl" | wc -l) -ge "2" ] |
then |
website_bl=$(echo $website_bl | cut -d'.' -f2-) |
fi |
website_bl=$(echo $website_bl | cut -d'.' -f2-) |
fi |
#get BL category |
categorie_bl=$(grep -R "$website_bl/" /usr/local/share/dnsmasq-bl-enabled/ | cut -d':' -f1 | cut -d'/' -f6 | cut -d' ' -f1) |
if [ $(echo $categorie_bl | wc -w) -gt 1 ] |
then |
categorie_bl=$(grep -R "/$website_bl/" /usr/local/share/dnsmasq-bl-enabled/ | cut -d':' -f1 | cut -d'/' -f6 | cut -d' ' -f1 | head -1) |
fi |
#Calculate its timestamp |
Y=$(date -R | cut -d' ' -f4) |
M=$(echo $LOG_BL | cut -d' ' -f1) |
D=$(echo $LOG_BL | cut -d' ' -f2) |
H=$(echo $LOG_BL | cut -d' ' -f3) |
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s") |
echo "$CURRENT_TS:$categorie_bl:" >> $TMP_BL |
fi |
done < /var/log/dnsmasq/$FILE |
#get BL category |
categorie_bl=$(grep -Rl "$website_bl" /usr/local/share/unbound-bl-enabled/ | cut -d'/' -f6 | head -1) |
CURRENT_TS=$(echo $LOG_BL | cut -d '[' -f2 | cut -d ']' -f1) |
echo "$CURRENT_TS:$categorie_bl:" >> $TMP_BL |
done < $tmp_log |
done |
rm $tmp_log |
#if data exists, create this section in html document |
if [ -e $TMP_BL ] |
244,19 → 234,18 |
do |
DATE_1=$TS |
DATE_2=$((TS-$STEP_TS)) |
COUNT_BL_INSTALLATION=0 |
COUNT_BL_INSTALLATION=0 |
for LINE in $(cat $TMP_BL) |
do |
TS_FILE=$(echo $LINE | cut -d':' -f1) |
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ] |
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ] |
then |
COUNT_BL_INSTALLATION=$((COUNT_BL_INSTALLATION+1)) |
fi |
done |
VALUE_BL_INSTALLATION_LABEL="'$(date -d @$DATE_2 "+%Y-%m-%d" )', $VALUE_BL_INSTALLATION_LABEL" |
VALUE_BL_INSTALLATION_DATA="$COUNT_BL_INSTALLATION, $VALUE_BL_INSTALLATION_DATA" |
done |
273,41 → 262,41 |
cat $MODEL_CHARTJS | while read LINE_JS |
do |
#name of variable |
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ] |
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCONFXX/$CONF_BL_INSTALLATION} >> $HTML_REPORT |
#chart type |
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT |
#chart title |
elif [ $(echo $LINE_JS | grep 'XXTITLEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTITLEXX/"Sites bloqués au total"} >> $HTML_REPORT |
#chart data |
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXDATAXX/$VALUE_BL_INSTALLATION_DATA} >> $HTML_REPORT |
#color |
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT |
#labels |
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_INSTALLATION_LABEL} >> $HTML_REPORT |
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ] |
then |
echo "" >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ] |
then |
echo "" >> $HTML_REPORT |
elif [ $(echo $LINE_JS | grep 'XXYLABELXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXYLABELXX' | wc -l)" -eq 1 ] |
then |
echo "\"Nombre de site bloqué par la blacklist\"" >> $HTML_REPORT |
else |
321,7 → 310,7 |
######################DNSMASQ BLACKLIST###################### |
######################Unbound BLACKLIST###################### |
echo "Create BL website since $MAX_DAY_AGO days" |
#if data exists, create BL section in html document |
339,7 → 328,7 |
do |
TS_FILE=$(echo $LINE | cut -d':' -f1) |
#select only elements between DATE_1 and DATE_2 |
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ] |
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ] |
then |
echo $LINE >> $TMP_BL_WEEK |
fi |
346,7 → 335,7 |
done |
#then we count every occurence for each category in TMP_BL_WEEK |
for CAT in $(ls /usr/local/share/dnsmasq-bl/ -1 | cut -d'.' -f1) |
for CAT in $(ls /usr/local/share/unbound-bl/ -1 | cut -d'.' -f1) |
do |
echo "$CAT:$(grep -o ":$CAT:" <<< "$(cat $TMP_BL_WEEK)" | wc -l):" >> $TMP_BL_WEEK_CAT |
done |
354,7 → 343,7 |
#we sort by number of occurence and we take the top 10 BL categories |
for LINE in $(sort -t':' -k2 -rn $TMP_BL_WEEK_CAT | head -n 10) |
do |
DATA=$(echo $LINE | cut -d':' -f2) |
LABEL=$(echo $LINE | cut -d':' -f1) |
if [ $DATA -ne 0 ] |
365,7 → 354,7 |
done |
#get other categories (sum them all) |
if [ $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc) -gt 0 ] |
if [ "$(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)" -gt 0 ] |
then |
VALUE_BL_DATA="$VALUE_BL_DATA $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)" |
VALUE_BL_LABEL="$VALUE_BL_LABEL 'autre ($(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc))'" |
382,39 → 371,39 |
cat $MODEL_CHARTJS | while read LINE_JS |
do |
#variable name |
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ] |
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCONFXX/$CONF_BL} >> $HTML_REPORT |
#chart type |
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTYPEXX/pie} >> $HTML_REPORT |
#graph title |
elif [ $(echo $LINE_JS | grep 'XXTITLEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTITLEXX/"Sites bloqués cette semaine"} >> $HTML_REPORT |
#chart data |
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXDATAXX/$VALUE_BL_DATA} >> $HTML_REPORT |
#color |
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT |
#labels |
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_LABEL} >> $HTML_REPORT |
#display legend, only useful for chart pie |
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLEGENDXX/true} >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ] |
then |
echo "/*" >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ] |
then |
echo "*/" >> $HTML_REPORT |
else |
430,12 → 419,12 |
echo "Create AV logs since the installation of ALCASAR" |
#decompress every logs, if they exist |
if [ $(ls -1 /var/log/havp/access.log.*.gz 2>/dev/null | wc -l) -ge 1 ] |
if [ "$(ls -1 /var/log/havp/access.log.*.gz 2>/dev/null | wc -l)" -ge 1 ] |
then |
gunzip -d access.log.*.gz |
fi |
for FILE in $(ls -1 /var/log/havp/ | grep 'access.log') |
for FILE in /var/log/havp/access.log* |
do |
while read LINE_AV |
do |
445,8 → 434,7 |
H=$(echo $LINE_AV | cut -d' ' -f4) |
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s") |
echo $CURRENT_TS >> $TMP_AV |
done < /var/log/havp/$FILE |
done < $FILE |
done |
if [ -e $TMP_AV ] |
461,7 → 449,7 |
for TS_FILE in $(cat $TMP_AV) |
do |
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ] |
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ] |
then |
COUNT_AV=$((COUNT_AV+1)) |
fi |
470,7 → 458,7 |
VALUE_AV_LABEL="'$(date -d @$DATE_2 "+%Y-%m-%d" )', $VALUE_AV_LABEL" |
VALUE_AV_DATA="$COUNT_AV, $VALUE_AV_DATA" |
done |
#create Antivirus section in html document |
NAME_AV='chart_av' |
CONF_AV='config_av' |
484,41 → 472,41 |
cat $MODEL_CHARTJS | while read LINE_JS |
do |
#name of variable |
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ] |
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCONFXX/$CONF_AV} >> $HTML_REPORT |
#chart type |
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT |
#graph title |
elif [ $(echo $LINE_JS | grep 'XXTITLEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTITLEXX/"Menaces bloqués par l\'antivirus"} >> $HTML_REPORT |
#chart data |
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXDATAXX/$VALUE_AV_DATA} >> $HTML_REPORT |
#color |
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT |
#labels |
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLABELSXX/$VALUE_AV_LABEL} >> $HTML_REPORT |
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ] |
then |
echo "" >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ] |
then |
echo "" >> $HTML_REPORT |
elif [ $(echo $LINE_JS | grep 'XXYLABELXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXYLABELXX' | wc -l)" -eq 1 ] |
then |
echo "\"Nombre de menaces virales bloqués par l'antivirus\"" >> $HTML_REPORT |
else |
538,7 → 526,7 |
#create new htdigest user to consult statistique of ACC |
#if user does not exist, we create him |
if [ $(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l) -lt 1 ] |
if [ "$(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l)" -lt 1 ] |
then |
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_only_manager |
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_manager |
557,7 → 545,7 |
cat $TMP_STATS_2 | sed -e 's:images/pixel.gif:../../manager/htdocs/images/pixel.gif:g' >> $HTML_REPORT |
#we delete our user if he still exists |
if [ $(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l) -ge 1 ] |
if [ "$(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l)" -ge 1 ] |
then |
$SED "/^$tmp_account:/d" $DIR_KEY/key_only_manager |
$SED "/^$tmp_account:/d" $DIR_KEY/key_manager |
595,7 → 583,7 |
echo "<h2>Connexion à l'ALCASAR Control Center (ACC)</h2>" >> $HTML_REPORT |
echo "<table class=\"table table-striped\">" >> $HTML_REPORT |
echo "<thead><tr><th>Date</th><th>Utilisateur</th><th>Adresse IP</th><th>Agent</th></tr></thead><tbody>" >> $HTML_REPORT |
echo $ROWS >> $HTML_REPORT |
echo "$ROWS" >> $HTML_REPORT |
echo "</tbody></table>" >> $HTML_REPORT |
640,7 → 628,7 |
echo "<h2>Trafic global</h2>" >> $HTML_REPORT |
echo "<table class=\"table table-striped\">" >> $HTML_REPORT |
echo "<thead><tr><th>Date</th><th>Entrant</th><th>Sortant</th><th>Total</th></tr></thead><tbody>" >> $HTML_REPORT |
echo $ROWS >> $HTML_REPORT |
echo "$ROWS" >> $HTML_REPORT |
echo "</tbody></table>" >> $HTML_REPORT |
698,21 → 686,21 |
echo "</html>" >> $HTML_REPORT |
#convert html document to PDF |
/usr/bin/wkhtmltopdf $HTML_REPORT $(echo $HTML_REPORT | cut -d'.' -f1).pdf |
chown apache:apache $(echo $HTML_REPORT | cut -d'.' -f1).pdf |
chmod 644 $(echo $HTML_REPORT | cut -d'.' -f1).pdf |
mv $(echo $HTML_REPORT | cut -d'.' -f1).pdf /var/Save/activity_report/ |
/usr/bin/wkhtmltopdf $HTML_REPORT "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" |
chown apache:apache "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" |
chmod 644 "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" |
mv "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" /var/Save/activity_report/ |
#compress every logs, if they exist |
if [ $(ls -1 /var/log/havp/access.log.* 2>/dev/null | wc -l) -ge 1 ] |
if [ "$(ls -1 /var/log/havp/access.log.* 2>/dev/null | wc -l)" -ge 1 ] |
then |
gzip /var/log/havp/access.log.* |
fi |
#compress every logs |
if [ $(ls -1 /var/log/dnsmasq/dnsmasq-blacklist.log.* 2>/dev/null | wc -l) -ge 1 ] |
if [ "$(ls -1 /var/log/unbound/unbound-blacklist.log.* 2>/dev/null | wc -l)" -ge 1 ] |
then |
gzip /var/log/dnsmasq/dnsmasq-blacklist.log.* |
gzip /var/log/unbound/unbound-blacklist.log.* |
fi |
#remove our files |
/scripts/alcasar-bl.sh |
6,16 → 6,14 |
# by Franck BOUIJOUX and Richard REY |
# This script is distributed under the Gnu General Public License (GPL) |
# Gestion de la BL pour le filtrage de domaine (via dnsmasq) et d'URL (via E2guardian) |
# Manage the BL for DnsBlackHole (dnsmasq) and URL filtering (E2guardian) |
# Gestion de la BL pour le filtrage de domaine (via unbound) et d'URL (via E2guardian) |
# Manage the BL for DnsBlackHole (unbound) and URL filtering (E2guardian) |
DIR_CONF="/usr/local/etc" |
CONF_FILE="$DIR_CONF/alcasar.conf" |
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2` |
private_ip_mask=${private_ip_mask:=192.168.182.1/24} |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DIR_tmp="/tmp/blacklists" |
DIR_WL_tmp="/tmp/whitelists" |
FILE_tmp="/tmp/filesfilter.txt" |
FILE_ip_tmp="/tmp/filesipfilter.txt" |
DIR_DG="/etc/e2guardian/lists" |
26,15 → 24,15 |
BL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-bl-categories-enabled" # ' ' BL enabled categories |
WL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-wl-categories-enabled" # ' ' WL enabled categories |
DIR_SHARE="/usr/local/share" |
DIR_DNS_BL="$DIR_SHARE/dnsmasq-bl" # all the BL in the DNSMASQ format |
DIR_DNS_WL="$DIR_SHARE/dnsmasq-wl" # all the WL ' ' ' |
DIR_DNS_BL="$DIR_SHARE/unbound-bl" # all the BL in the Unbound format |
DIR_DNS_WL="$DIR_SHARE/unbound-wl" # all the WL ' ' ' |
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL |
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL |
DIR_DNS_BL_ENABLED="$DIR_SHARE/dnsmasq-bl-enabled" # symbolic link to the domains BL (only enabled categories) |
DIR_DNS_WL_ENABLED="$DIR_SHARE/dnsmasq-wl-enabled" # ' ' ' WL ' ' |
DIR_DNS_BL_ENABLED="$DIR_SHARE/unbound-bl-enabled" # symbolic link to the domains BL (only enabled categories) |
DIR_DNS_WL_ENABLED="$DIR_SHARE/unbound-wl-enabled" # ' ' ' WL ' ' |
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories) |
DIR_IP_WL_ENABLED="$DIR_SHARE/iptables-wl-enabled" # ' ' ip WL (ossi and ossi-* imported from ACC) |
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2-` # server DNS1 (for WL domain names) |
REHABILITATED_DNS_FILE="/etc/unbound/conf.d/blacklist/rehabilitated.conf" |
BL_SERVER="dsi.ut-capitole.fr" |
SED="/bin/sed -i" |
47,7 → 45,7 |
then |
mkdir $LIST |
else |
rm -rf $LIST/* |
rm -rf ${LIST:?}/* |
fi |
chown root:apache $LIST |
chmod 770 $LIST |
69,7 → 67,7 |
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $BL_CATEGORIES |
ln -sf $DIR_DNS_BL/$ENABLE_CATEGORIE.conf $DIR_DNS_BL_ENABLED/$ENABLE_CATEGORIE |
ln -sf $DIR_IP_BL/$ENABLE_CATEGORIE $DIR_IP_BL_ENABLED/$ENABLE_CATEGORIE |
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG/bannedsitelist # Blacklisted domains are managed by dnsmasq |
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG/bannedsitelist # Blacklisted domains are managed by unbound |
echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/urls>" >> $DIR_DG/bannedurllist |
done |
sort +0.0 -0.2 $BL_CATEGORIES -o $FILE_tmp |
101,7 → 99,7 |
$SED '/[äâëêïîöôüû@,]/d' $FILE_tmp # remove line with "chelou" characters |
# extract ip addresses for iptables. |
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add bl_ip_blocked " $0}' $FILE_tmp > $FILE_ip_tmp |
# extract domain names for dnsmasq. |
# extract domain names for unbound. |
$SED -n '/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/!p' $FILE_tmp |
# Retrieve max Top Level Domain for domain name synthax |
#MAX_TLD=$(curl http://data.iana.org/TLD/tlds-alpha-by-domain.txt | grep -v '-' | grep -v '#' | wc -L) |
142,7 → 140,7 |
-cat_choice | --cat_choice) |
cat_choice |
;; |
# Adapt Toulouse University BL to ALCASAR architecture (dnsmasq + DG + iptables) |
# Adapt Toulouse University BL to ALCASAR architecture (unbound + DG + iptables) |
-adapt | --adapt) |
echo -n "Adaptation process of Toulouse University blackList. Please wait : " |
if [ -f $DIR_tmp/blacklists.tar.gz ] # when downloading the last version of the BL |
231,7 → 229,8 |
$SED "/^$ENABLE_CATEGORIE$/d" $WL_CATEGORIES_ENABLED |
fi |
done |
# Creation of DNSMASQ and Iptables BL and WL |
# Creation of Unbound and Iptables BL and WL |
for LIST in $BL_CATEGORIES $WL_CATEGORIES # for each list (bl and wl) |
do |
for PATH_FILE in `cat $LIST` # for each category |
244,16 → 243,16 |
chown e2guardian:apache $PATH_FILE/urls |
fi |
cp $PATH_FILE/domains $FILE_tmp |
clean_split # clean ossi custom files & split them for dnsmasq and for iptables |
clean_split # clean ossi custom files & split them for unbound and for iptables |
if [ "$LIST" == "$BL_CATEGORIES" ] |
then |
# adapt to the dnsmasq syntax for the blacklist |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
# adapt to the unbound syntax for the blacklist |
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN |
else |
# adapt to the dnsmasq syntax for the whitelist |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
# adapt to the unbound syntax for the whitelist |
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf |
fi |
done |
276,27 → 275,28 |
URL=$(echo $LIGNE_RSYNC | cut -d' ' -f2) |
PATH_FILE=$(find $DIR_DG_BL/ -type d -name $CATEGORIE) # retrieve directory name of the category |
rsync -rv $URL $(dirname $PATH_FILE ) #rsync inside of the blacklist directory |
# Creation of DNSMASQ and Iptables BL and WL |
# Creation of unbound and Iptables BL and WL |
DOMAIN=$(basename $PATH_FILE) |
cp $PATH_FILE/domains $FILE_tmp |
clean_split # clean ossi custom files & split them for dnsmasq and for iptables |
clean_split # clean ossi custom files & split them for unbound and for iptables |
black=`grep black $PATH_FILE/usage |wc -l` |
if [ $black == "1" ] |
then |
# adapt to the dnsmasq syntax for the blacklist |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
# adapt to the unbound syntax for the blacklist |
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN |
else |
# adapt to the dnsmasq syntax for the whitelist |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
# adapt to the unbound syntax for the whitelist |
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_WL/$DOMAIN |
fi |
rm -f $FILE_tmp $FILE_ip_tmp |
done |
/usr/bin/systemctl restart unbound-whitelist |
/usr/bin/systemctl restart dnsmasq-whitelist |
/usr/bin/systemctl restart dnsmasq-blacklist |
/usr/bin/systemctl restart unbound-blacklist |
/usr/bin/systemctl restart e2guardian |
/usr/local/bin/alcasar-iptables.sh |
else |
308,17 → 308,16 |
-reload | --reload) |
# for DG |
cat_choice |
# for dnsmasq (rehabited domain names) |
if [ `wc -w $DIR_DG/exceptionsitelist|cut -d " " -f1` != "0" ] |
# for unbound (rehabilitated domain names) |
rm -f $REHABILITATED_DNS_FILE |
if [ "$(wc -w $DIR_DG/exceptionsitelist | cut -d " " -f1)" != "0" ] |
then |
rm -f $DIR_DNS_BL_ENABLED/authorized-ossi-bl $DIR_DNS_BL/authorized-ossi-bl.conf |
touch $DIR_DNS_BL/authorized-ossi-bl.conf |
for i in `cat $DIR_DG/exceptionsitelist` |
do |
$SED "/$i/d" $DIR_DNS_BL/* |
echo "server=/$i/#" >> $DIR_DNS_BL/authorized-ossi-bl.conf |
done |
ln -s $DIR_DNS_BL/authorized-ossi-bl.conf $DIR_DNS_BL_ENABLED/authorized-ossi-bl |
touch $REHABILITATED_DNS_FILE |
while read -r domain; do |
[ -z "$domain" ] && continue |
echo "local-zone: $domain typetransparent" >> $REHABILITATED_DNS_FILE |
echo "local-zone-tag: $domain \"\"" >> $REHABILITATED_DNS_FILE |
done < $DIR_DG/exceptionsitelist |
fi |
# adapt OSSI BL & WL custom files |
for dir in $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL |
341,12 → 340,12 |
fi |
$SED "s/\r//" $ossi_custom_dir/domains $ossi_custom_dir/urls # remove Windows <CR> from custom file |
cp $ossi_custom_dir/domains $FILE_tmp |
clean_split # clean ossi custom files & split them for dnsmasq and for iptables |
clean_split # clean ossi custom files & split them for unbound and for iptables |
if [ $categorie_type == "white" ] |
then |
# adapt the file to the dnsmasq syntax and enable it if needed |
# adapt the file to the unbound syntax and enable it if needed |
# for the WL |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$ossi_categorie.conf |
mv $FILE_ip_tmp $DIR_IP_WL/$ossi_categorie |
enabled=`grep ^$ossi_categorie$ $WL_CATEGORIES_ENABLED | wc -l` |
359,7 → 358,7 |
fi |
else |
# for the BL |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$ossi_categorie.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$ossi_categorie |
enabled=`grep ^$ossi_categorie$ $BL_CATEGORIES_ENABLED | wc -l` |
383,7 → 382,8 |
chmod 660 $DIR_DNS_BL/* $DIR_DNS_WL/* $DIR_IP_BL/* $DIR_IP_WL/* |
if [ "$PARENT_SCRIPT" != "alcasar-conf.sh" ] # don't launch on install stage |
then |
/usr/bin/systemctl restart dnsmasq-blacklist |
/usr/bin/systemctl restart unbound-blacklist |
/usr/bin/systemctl restart unbound-whitelist |
/usr/bin/systemctl restart dnsmasq-whitelist |
/usr/bin/systemctl restart e2guardian |
/usr/local/bin/alcasar-iptables.sh |
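Review bot: In the `--reload` hunk the rehabilitated domains are read from `$DIR_DG/exceptionsitelist` and written straight into `$REHABILITATED_DNS_FILE`, whereas the blacklist domains go through `clean_split` (which drops lines with odd characters) and the ossi custom files get `$SED "s/\r//"` first; an entry with a Windows `\r`, embedded whitespace or a quote would yield a malformed `local-zone:` directive and presumably make `unbound-blacklist` fail to restart at the end of the arm, taking the DNS blacklist down. A guard after the empty-line test, `case "$domain" in *[!A-Za-z0-9._-]*) continue ;; esac`, or stripping `\r` on the `read`, would keep one bad entry from doing that. The same unbound rewrite `$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g"` now appears in three hunks of this file and would read better as one small function. The `--reload` case arm starts before this hunk and ends after it.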
/scripts/alcasar-bypass.sh |
9,7 → 9,6 |
# enable / disable the bypass of authentication process and WEB filtering |
usage="Usage: alcasar-bypass.sh {--on or -on } | {--off or -off}" |
SED="/bin/sed -i" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace |
25,7 → 24,7 |
echo "$usage" |
exit 0 |
;; |
--on | -on) |
--on | -on) |
/usr/local/bin/alcasar-logout.sh all |
/usr/bin/systemctl stop chilli |
cp -f /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF |
34,11 → 33,7 |
DHCP=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2` |
if [ $DHCP != off ] |
then |
$SED "/^#dhcp-range=/s/^#//" /etc/dnsmasq.conf # dnsmasq become the DHCP server |
$SED "/^#dhcp-option=/s/^#//" /etc/dnsmasq.conf |
$SED "/^#domain=/s/^#//" /etc/dnsmasq.conf |
$SED "s?^no-dhcp-interface.*?#&?g" /etc/dnsmasq.conf |
/usr/bin/systemctl restart dnsmasq |
/usr/bin/systemctl start dhcpd |
fi |
rm -f /etc/cron.d/alcasar-daemon-watchdog # don't restart daemons (specially coova) |
48,11 → 43,7 |
--off | -off) |
cp -f /etc/sysconfig/network-scripts/default-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF |
ifup $INTIF |
$SED "s?^dhcp-range=.*?#&?g" /etc/dnsmasq.conf # dnsmasq is no more the DHCP server (it's coova) |
$SED "s?^dhcp-option=.*?#&?g" /etc/dnsmasq.conf |
$SED "s?^domain=.*?#&?g" /etc/dnsmasq.conf |
$SED "/^#no-dhcp-interface/s/^#//" /etc/dnsmasq.conf |
/usr/bin/systemctl restart dnsmasq |
/usr/bin/systemctl stop dhcpd |
/usr/bin/systemctl start chilli |
sh /usr/local/bin/alcasar-iptables.sh |
# activation of the "daemon-watchdog" every 18' |
/scripts/alcasar-conf.sh |
14,14 → 14,12 |
# - load the backup of configuration files during the update process (alcasar-conf -load). If needed, it's here we update files between versions |
# - apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf" when hot modification are needed (alcasar-conf -apply) |
new="$(date +%G%m%d-%Hh%M)" # date et heure des fichiers |
fichier="alcasar-conf-$new.tar.gz" # nom du fichier de sauvegarde |
DIR_UPDATE="/var/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour |
DIR_WEB="/var/www/html" # répertoire du centre de gestion |
DIR_BIN="/usr/local/bin" # scripts directory |
DIR_ETC="/usr/local/etc" # conf directory |
DIR_SHARE="/usr/local/share" # data directory |
DIR_BLACKLIST="/etc/e2guardian/lists/blacklists" # Toulouse BL directory |
DIR_E2G="/etc/e2guardian/lists" # Toulouse BL directory |
DIR_BLACKLIST="$DIR_E2G/blacklists" # Toulouse BL directory |
CONF_FILE="$DIR_ETC/alcasar.conf" # main alcasar conf file |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace |
34,7 → 32,6 |
SED="/bin/sed -i" |
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2` # server DNS1 (for WL domain names) |
DOMAIN=${DOMAIN:=localdomain} |
DATE=`date '+%d %B %Y - %Hh%M'` |
private_network_calc () |
{ |
41,13 → 38,11 |
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24) |
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0) |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24) |
classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # classes de réseau (ex.: 2=classe B, 3=classe C) |
classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; # classes de réseau (ex.: 2=classe B, 3=classe C) |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.) |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255) |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # last octet of LAN address |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # last octet of LAN broadcast |
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address |
PRIVATE_FIRST_IP=$PRIVATE_IP # First network address (ex.: 192.168.182.1) |
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2) |
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254) |
PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF |
66,12 → 61,12 |
echo "$usage" |
exit 0 |
;; |
--create|-create) |
--create|-create) |
[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE |
mkdir $DIR_UPDATE |
# backup the users database (test to delete in future version) |
$DIR_BIN/alcasar-mysql.sh --dump |
cp /var/Save/base/`ls -1t /var/Save/base|head -1` $DIR_UPDATE |
cp /var/Save/base/"$(ls -1t /var/Save/base|head -1)" $DIR_UPDATE |
# backup the logo |
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE |
# backup BL/WL custom files |
82,7 → 77,7 |
cp /etc/dansguardian/lists/$i $DIR_UPDATE/custom_bl/ # before V3.3 |
cp -rf /etc/dansguardian/lists/blacklists/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null |
else |
cp /etc/e2guardian/lists/$i $DIR_UPDATE/custom_bl/ # since V3.3 |
cp $DIR_E2G/$i $DIR_UPDATE/custom_bl/ # since V3.3 |
cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null |
fi |
done |
101,8 → 96,35 |
else |
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.crt |
fi |
# pureip & safesearch status |
[ -d /etc/dansguardian ] && dg_path=/etc/dansguardian || dg_path=/etc/e2guardian |
if ! grep -Eq '^WL_SAFESEARCH=' $DIR_UPDATE/etc/alcasar.conf; then |
if [ -f /etc/dnsmasq-whitelist.conf ] && grep -iq "SafeSearch" /etc/dnsmasq-whitelist.conf; then |
echo 'WL_SAFESEARCH=on' >> $DIR_UPDATE/etc/alcasar.conf |
else |
echo 'WL_SAFESEARCH=off' >> $DIR_UPDATE/etc/alcasar.conf |
fi |
fi |
if ! grep -Eq '^BL_SAFESEARCH=' $DIR_UPDATE/etc/alcasar.conf; then |
if [ -f /etc/dnsmasq-blacklist.conf ] && grep -iq "SafeSearch" /etc/dnsmasq-blacklist.conf; then |
echo 'BL_SAFESEARCH=on' >> $DIR_UPDATE/etc/alcasar.conf |
else |
echo 'BL_SAFESEARCH=off' >> $DIR_UPDATE/etc/alcasar.conf |
fi |
fi |
if ! grep -Eq '^BL_PUREIP=' $DIR_UPDATE/etc/alcasar.conf; then |
if grep -Eq "^\*ip" $dg_path/lists/bannedsitelist; then |
echo 'BL_PUREIP=on' >> $DIR_UPDATE/etc/alcasar.conf |
else |
echo 'BL_PUREIP=off' >> $DIR_UPDATE/etc/alcasar.conf |
fi |
fi |
# archive file creation |
cd /var/tmp |
cd /var/tmp || { echo "Unable to find /var/tmp directory"; } |
tar -cf alcasar-conf.tar conf/ |
gzip -f alcasar-conf.tar |
rm -rf $DIR_UPDATE |
109,7 → 131,7 |
;; |
--load|-load) |
cd /var/tmp |
cd /var/tmp || { echo "Unable to find /var/tmp directory"; } |
tar -xf alcasar-conf*.tar.gz |
######################### modifications between versions ####################### |
# Retrieve the previous version |
123,7 → 145,7 |
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2-` |
domainNames="$HOSTNAME $HOSTNAME.$DOMAIN" |
[ "$HOSTNAME" != 'alcasar' ] && domainNames="alcasar $domainNames" |
if [ $(grep -c "$PRIVATE_IP\s$domainNames" $DIR_UPDATE/etc/hosts ) -eq 0 ]; then |
if [ "$(grep -c "$PRIVATE_IP\s$domainNames" $DIR_UPDATE/etc/hosts )" -eq 0 ]; then |
cat << EOF > $DIR_UPDATE/etc/hosts |
127.0.0.1 localhost |
$PRIVATE_IP $domainNames |
130,7 → 152,7 |
EOF |
fi |
## apache & dansguardian are replaced with lighttpd & E²guardian |
if [ $(rpm -qa | grep '^\(apache\|apache-mod_php\|apache-mod_ssl\|dansguardian\)-' | wc -l) -ne 0 ]; then |
if [ "$(rpm -qa | grep '^\(apache\|apache-mod_php\|apache-mod_ssl\|dansguardian\)-' | wc -l)" -ne 0 ]; then |
rm_rpm="apache apache-mod_php apache-mod_ssl dansguardian" |
/usr/sbin/urpme --auto -a $rm_rpm 2>/dev/null |
/usr/sbin/urpme --auto --auto-orphans |
140,12 → 162,17 |
[ ! -f $DIR_UPDATE/alcasar.pem ] && (cat $DIR_UPDATE/alcasar.key; echo; cat $DIR_UPDATE/alcasar.crt) > $DIR_UPDATE/alcasar.pem |
## From 3.3.0 ## |
# add "SMS=off" in conf file |
if [ $(grep -c '^SMS=' $DIR_UPDATE/etc/alcasar.conf) -eq 0 ]; then |
if [ "$(grep -c '^SMS=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then |
echo "SMS=off" >> $DIR_UPDATE/etc/alcasar.conf |
fi |
if [ $(grep -c '^SMS_NUM=' $DIR_UPDATE/etc/alcasar.conf) -eq 0 ]; then |
if [ "$(grep -c '^SMS_NUM=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then |
echo "SMS_NUM=" >> $DIR_UPDATE/etc/alcasar.conf |
fi |
## From 3.4.0 ## |
# Fix subdomain dot position (.domain.org to domain.org.) for Unbound |
for file in $DIR_E2G/exceptionsitelist $DIR_BLACKLIST/ossi-bl*/domains $DIR_BLACKLIST/ossi-wl*/domains; do |
[ -f $file ] && $SED "s/^\.\(.*\)$/\1./g" $file |
done |
###################### End of modifications between versions ####################### |
# Retrieve the logo |
[ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/ |
155,26 → 182,26 |
cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/ |
cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/ |
cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/ |
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/ |
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/ |
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt* /etc/pki/tls/certs/ # autosigned and official if exist |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
# Import of the users database |
$DIR_BIN/alcasar-mysql.sh --import `ls $DIR_UPDATE/alcasar-users-database*` |
$DIR_BIN/alcasar-mysql.sh --import "$(ls $DIR_UPDATE/alcasar-users-database*)" |
# Retrieve local parameters |
cp -rf $DIR_UPDATE/etc/* $DIR_ETC/ |
mv -f $DIR_UPDATE/etc/hosts /etc/hosts |
chmod 755 /etc/hosts |
# Retrieve BL/WL custom files |
cp -f $DIR_UPDATE/custom_bl/exceptioniplist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/urlregexplist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/bannedsitelist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/exceptionurllist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/bannedurllist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/bannedsitelist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/exceptionurllist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/ |
cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null |
chown -R e2guardian:apache /etc/e2guardian/lists |
chmod -R g+rw /etc/e2guardian/lists |
chown -R e2guardian:apache $DIR_E2G |
chmod -R g+rw $DIR_E2G |
# Adapt DNS/URL filtering |
PARENT_SCRIPT=`basename $0` |
export PARENT_SCRIPT |
197,9 → 224,8 |
--apply|-apply) |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b" |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2` |
check=$(echo $PRIVATE_IP_MASK | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
if ! echo $PRIVATE_IP_MASK | egrep -q $PTN |
then |
echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)" |
exit 0 |
fi |
210,9 → 236,8 |
PUBLIC_GATEWAY="dhcp" |
else |
check=$(echo $PUBLIC_IP_MASK | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
if ! echo $PUBLIC_IP_MASK | egrep -q $PTN |
then |
echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)" |
exit 0 |
fi |
219,24 → 244,21 |
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1` |
PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2` |
PUBLIC_GATEWAY=`grep ^GW= $CONF_FILE|cut -d"=" -f2` |
check=$(echo $PUBLIC_GATEWAY | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
if ! echo $PUBLIC_GATEWAY | egrep -q $PTN |
then |
echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)" |
exit 0 |
fi |
fi |
DNS1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2` |
check=$(echo $DNS1 | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
if ! echo $DNS1 | egrep -q $PTN |
then |
echo "Syntax error for the IP address of the first DNS server ($DNS1)" |
exit 0 |
fi |
DNS2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2` |
check=$(echo $DNS2 | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
if ! echo $DNS2 | egrep -q $PTN |
then |
echo "Syntax error for the IP address of the second DNS server ($DNS2)" |
exit 0 |
fi |
245,10 → 267,13 |
private_network_calc |
INSTALL_DATE=`grep ^INSTALL_DATE= $CONF_FILE|cut -d"=" -f2` |
ORGANISME=`grep ^ORGANISM= $CONF_FILE|cut -d"=" -f2-` |
BL_SAFESEARCH=`grep ^BL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2` |
WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2` |
BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE|cut -d"=" -f2` |
DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2` |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
then |
if [ $DHCP_mode = "off" ] || [ $DHCP_mode = "Off" ] || [ $DHCP_mode = "OFF" ] |
if [ "$DHCP_mode" = "off" ] || [ "$DHCP_mode" = "Off" ] || [ "$DHCP_mode" = "OFF" ] |
then |
$DIR_BIN/alcasar-dhcp.sh --off |
else |
256,7 → 281,7 |
fi |
# Set the local DNS (or not) |
if [ $INT_DNS_mode = "on" ] || [ $INT_DNS_mode = "On" ] || [ $INT_DNS_mode = "ON" ] |
if [ "$INT_DNS_mode" = "on" ] || [ "$INT_DNS_mode" = "On" ] || [ "$INT_DNS_mode" = "ON" ] |
then |
$DIR_BIN/alcasar-dns-local.sh --on |
else |
263,11 → 288,40 |
$DIR_BIN/alcasar-dns-local.sh --off |
fi |
# Set the pure ip option (or not) |
if [ "$BL_PUREIP" = "off" ] || [ "$BL_PUREIP" = "Off" ] || [ "$BL_PUREIP" = "OFF" ] |
then |
bl_filter_param+="--pureip_off" |
else |
bl_filter_param+="--pureip_on" |
fi |
# Set the safesearch options (or not) |
bl_filter_param="" |
if [ "$BL_SAFESEARCH" = "on" ] || [ "$BL_SAFESEARCH" = "On" ] || [ "$BL_SAFESEARCH" = "ON" ] |
then |
bl_filter_param+="--safesearch_on " |
else |
bl_filter_param+="--safesearch_off " |
fi |
$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param |
if [ "$WL_SAFESEARCH" = "on" ] || [ "$WL_SAFESEARCH" = "On" ] || [ "$WL_SAFESEARCH" = "ON" ] |
then |
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on |
else |
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off |
fi |
# Reload the local dns configuration |
$DIR_BIN/alcasar-dns-local.sh --reload |
# Logout everybody |
$DIR_BIN/alcasar-logout.sh all |
$DIR_BIN/alcasar-logout.sh all |
# Services stop |
echo -n "Stop services : " |
for i in ntpd tinyproxy e2guardian dnsmasq dnsmasq-whitelist dnsmasq-blacklist dnsmasq-blackhole chilli network lighttpd |
for i in ntpd tinyproxy e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd |
do |
/usr/bin/systemctl stop $i && echo -n "$i, " |
done |
292,7 → 346,7 |
MTU=$MTU |
NOZEROCONF=yes |
EOF |
else |
else |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
DEVICE=$EXTIF |
BOOTPROTO=static |
317,7 → 371,7 |
$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF |
# NTP server |
$SED "/127.0.0.1/!s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap?g" /etc/ntp.conf |
# host.allow |
# host.allow |
cat <<EOF > /etc/hosts.allow |
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP |
sshd: ALL |
335,9 → 389,9 |
# MOTD |
$SED "s@'https://\(.\+\)/acc'@'https://$HOSTNAME.$DOMAIN/acc'@" /etc/mageia-release |
# Lighttpd |
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar.conf |
# FreeRADIUS Web |
$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf |
$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf |
344,7 → 398,7 |
# coova |
$SED "s/^uamallowed.*/uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
[ `grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2` == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http" |
[ "`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http" |
$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf |
$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
$SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf |
353,31 → 407,115 |
$SED "s?^uamlisten.*?uamlisten\t$PRIVATE_IP?g" /etc/chilli.conf |
# modify the DHCP static ip file. Reserve the second IP address for INTIF (the first one is for tun0). Keep previous entries |
$SED "s?^$PRIVATE_MAC.*?$PRIVATE_MAC $PRIVATE_SECOND_IP?" $DIR_ETC/alcasar-ethers $DIR_ETC/alcasar-ethers-info |
# dnsmasq |
$SED "/127.0.0.1/!s?^listen-address=.*?listen-address=$PRIVATE_IP?g" /etc/dnsmasq.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf /etc/dnsmasq-blackhole.conf |
for i in /etc/dnsmasq.conf /etc/dnsmasq-blacklist.conf |
do |
$SED "/^server=/d" $i |
echo "server=$DNS1" >> $i |
echo "server=$DNS2" >> $i |
done |
$SED "s?^address=.*?address=/#/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf |
for i in `ls $DIR_SHARE/dnsmasq-wl` |
do |
cat $DIR_SHARE/dnsmasq-wl/$i|cut -d"/" -f1,2 > /tmp/tmp_file |
$SED "s/$/\/$DNS1/" /tmp/tmp_file |
mv -f /tmp/tmp_file $DIR_SHARE/dnsmasq-wl/$i |
done |
chown root:apache $DIR_SHARE/dnsmasq-wl/* |
chmod 660 $DIR_SHARE/dnsmasq-wl/* |
$SED "s@^\([#]\?\)dhcp-range=.*@\1dhcp-range=$PRIVATE_SECOND_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h@" /etc/dnsmasq.conf |
$SED "s@^\([#]\?\)dhcp-option=option:router.*@\1dhcp-option=option:router,$PRIVATE_IP@" /etc/dnsmasq.conf |
$SED "s@^\([#]\?\)dhcp-option=option:ntp-server.*@\1dhcp-option=option:ntp-server,$PRIVATE_IP@" /etc/dnsmasq.conf |
networkDomain='localdomain' |
# networkDomain="$DOMAIN" (/!\ this domain (and its subdomains) will not be resolved by the external DNS servers) |
$SED "s?^local=.*?local=/$networkDomain/?g" $DIR_ETC/alcasar-dns-name |
$SED "s?^domain=.*?domain=$networkDomain?g" $DIR_ETC/alcasar-dns-name |
# tinyproxy |
# dnsmasq-whitelist |
$SED "/^server=/d" /etc/dnsmasq-whitelist.conf |
echo "server=$DNS1" >> /etc/dnsmasq-whitelist.conf |
echo "server=$DNS2" >> /etc/dnsmasq-whitelist.conf |
# unbound |
# removing unbound configuration files |
rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.* |
rm -f /etc/unbound/conf.d/common/forward-zone.conf |
find /etc/unbound/conf.d/common/local-dns/ ! -name "global.conf" -type f -delete |
# Configuration file for the dns servers forward-zone |
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf |
forward-zone: |
name: "." |
forward-addr: $DNS1 |
forward-addr: $DNS2 |
EOF |
# Configuration file of ALCASAR main domains for $INTIF |
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
server: |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A $PRIVATE_IP" |
EOF |
# Configuration file for lo of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf |
server: |
interface: 127.0.0.1@53 |
access-control-view: 127.0.0.1/8 lo |
view: |
name: "lo" |
view-first: yes |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A 127.0.0.1" |
local-zone: "$DOMAIN." static |
local-data: "$DOMAIN. A" |
EOF |
if [ "$HOSTNAME" != 'alcasar' ] |
then |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf |
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf |
fi |
# Configuration file for $INTIF of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@53 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
view: |
name: "$INTIF" |
view-first: yes |
EOF |
# Configuration file for $INTIF of blacklist unbound |
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@54 |
access-control: $PRIVATE_IP_MASK allow |
access-control-tag: $PRIVATE_IP_MASK "blacklist" |
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP" |
EOF |
# Configuration file for $INTIF of whitelist unbound |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@55 |
access-control: $PRIVATE_IP_MASK allow |
access-control-tag: $PRIVATE_IP_MASK "whitelist" |
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP" |
EOF |
# Configuration file for $INTIF of blackhole unbound |
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@56 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
view: |
name: "$INTIF" |
local-zone: "." redirect |
local-data: ". A $PRIVATE_IP" |
EOF |
# dhcpd |
cat <<EOF > /etc/dhcpd.conf |
ddns-update-style none; |
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK { |
option routers $PRIVATE_IP; |
option subnet-mask $PRIVATE_NETMASK; |
option domain-name-servers $PRIVATE_IP; |
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP; |
default-lease-time 21600; |
max-lease-time 43200; |
} |
EOF |
# tinyproxy |
$SED "s?^Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf |
# DG + BL |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf |
392,12 → 530,12 |
# Services start |
/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1 |
$DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli |
for i in dnsmasq dnsmasq-blackhole tinyproxy ntpd |
for i in unbound unbound-blackhole tinyproxy ntpd |
do |
sleep 1 |
/usr/bin/systemctl start $i && echo -n ", $i" |
done |
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", dnsmasq-blacklist, dnsmasq-whitelist, e2guardian, iptables" |
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", unbound-blacklist, unbound-whitelist, dnsmasq-whitelist, e2guardian, iptables" |
/usr/bin/systemctl restart lighttpd && echo -n ", lighttpd" |
fi |
# Start / Stop SSH Daemon |
417,7 → 555,7 |
fi |
fi |
# Start / Stop LDAP authentification |
if [ LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ] |
if [ $LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ] |
then |
$DIR_BIN/alcasar-ldap.sh |
fi |
424,7 → 562,7 |
echo |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "Argument inconnu : $1"; |
echo "$usage" |
exit 1 |
;; |
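Review bot: The `cd /var/tmp || { echo "Unable to find /var/tmp directory"; }` guard added in the `--create` and `--load` hunks only prints and then continues, so after a failed `cd` the script still runs `tar -cf alcasar-conf.tar conf/`, `rm -rf $DIR_UPDATE` and, under `--load`, `tar -xf alcasar-conf*.tar.gz` in whatever directory it happens to be in; it should read `cd /var/tmp || { echo "Unable to find /var/tmp directory" >&2; exit 1; }`. In the `--apply` hunk, `bl_filter_param=""` is assigned after the `--pureip_on`/`--pureip_off` append, so the pure-IP flag is discarded before `$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param` is called; move the reset above the `BL_PUREIP` test and give the pureip values a trailing space like the safesearch ones. The two `echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\""` and `"alcasar A 127.0.0.1"` lines in the unbound hunk emit an address record under the `local-zone:` keyword, while the sibling heredoc lines of the same shape use `local-data:`; as written they would presumably be rejected when unbound starts on a host whose HOSTNAME is not `alcasar`. The `--apply` case arm ends outside the hunk.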
/scripts/alcasar-daemon.sh |
16,7 → 16,7 |
LDAP=${LDAP:=off} |
INTIF=`grep ^INTIF= $conf_file|cut -d"=" -f2` # INTIF name |
EXTIF=`grep ^EXTIF= $conf_file|cut -d"=" -f2` # EXTIF name |
SERVICES="mysqld lighttpd php-fpm ntpd havp dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd tinyproxy nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd" |
SERVICES="mysqld lighttpd php-fpm ntpd havp unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd tinyproxy nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd" |
nb_available_srv=`echo $SERVICES|wc -w` |
function ServiceTest () { |
/scripts/alcasar-dhcp.sh |
---|
12,7 → 12,6 |
SED="/bin/sed -i" |
CHILLI_CONF_FILE="/etc/chilli.conf" |
ALCASAR_CONF_FILE="/usr/local/etc/alcasar.conf" |
DNSMASQ_CONF_FILE="/etc/dnsmasq.conf" |
# define DHCP parameters (LAN side) |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $ALCASAR_CONF_FILE|cut -d"=" -f2` |
72,7 → 71,6 |
$SED "s?^DHCP.*?DHCP=on?g" $ALCASAR_CONF_FILE |
$SED "s?^dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE |
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE |
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE |
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
87,4 → 85,3 |
exit 1 |
;; |
esac |
/scripts/alcasar-dns-local.sh |
---|
1,7 → 1,7 |
#!/bin/bash |
# $Id$ |
# alcasar-dns-interne.sh |
# alcasar-dns-local.sh |
# by Rexy - 3abtux |
# This script is distributed under the Gnu General Public License (GPL) |
11,17 → 11,17 |
SED="/bin/sed -i" |
ALCASAR_CONF_FILE="/usr/local/etc/alcasar.conf" |
DNSMASQ_CONF_FILE="/etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf" |
LOCAL_DOMAIN_CONF_FILE="/usr/local/etc/alcasar-dns-name" |
LOCAL_DOMAIN_CONF_FILE="/etc/unbound/conf.d/common/local-forward/dns-redirector.conf" |
LOCAL_HOSTNAME_FILE="/etc/hosts" |
LOCAL_DNS_FILE="/etc/unbound/conf.d/common/local-dns/global.conf" |
# define DNS parameters (LAN side) |
INT_DNS_DOMAIN=`grep INT_DNS_DOMAIN $ALCASAR_CONF_FILE|cut -d"=" -f2` # Nom du domaine DNS interne |
INT_DNS_DOMAIN=`grep INT_DNS_DOMAIN $ALCASAR_CONF_FILE|cut -d"=" -f2` # Nom du domaine DNS interne |
INT_DNS_IP=`grep INT_DNS_IP $ALCASAR_CONF_FILE|cut -d"=" -f2` # Adresse du serveur DNS interne |
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $ALCASAR_CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne |
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $ALCASAR_CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne |
usage="Usage: alcasar-dns-interne.sh {--on | -on} | {--off | -off} | {--add | -add}" |
usage="Usage: alcasar-dns-local.sh {--on | -on} | {--off | -off} | {--add | -add} ip domain | {--del | -del} ip domain | {--reload | -reload}" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
29,13 → 29,31 |
echo "$usage" |
exit 1 |
fi |
function restart_dns(){ |
for dns in dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole |
for dns in unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole |
do |
systemctl restart $dns |
done |
} |
function hosts_to_unbound(){ |
# Empty the local DNS file |
echo "server:" > $LOCAL_DNS_FILE |
while read -r line |
do |
ip_address=$(echo $line | awk '{ print $1 }') |
domain=$(echo $line | awk '{ print $2 }') |
if ! echo $line | grep -E -q "^([0-9\.\t ]+alcasar( |$)|127\.0\.0)" |
then |
echo -e "\tlocal-zone: \"$domain\" redirect" >> $LOCAL_DNS_FILE |
echo -e "\tlocal-data: \"$domain A $ip_address\"" >> $LOCAL_DNS_FILE |
fi |
done < $LOCAL_HOSTNAME_FILE |
} |
case $args in |
-\? | -h | --h) |
echo "$usage" |
47,7 → 65,12 |
echo "$usage" |
exit 1 |
else |
# removing if already exists |
$SED "/^$2\t$3/d" $LOCAL_HOSTNAME_FILE |
# adding to the hosts file |
echo -e "$2\t$3" >> $LOCAL_HOSTNAME_FILE |
hosts_to_unbound |
restart_dns |
fi |
;; |
57,26 → 80,41 |
echo "$usage" |
exit 1 |
else |
$SED "/^$2\t$3/d" SLOCAL_HOSTNAME_FILE |
$SED "/^$2\t$3/d" $LOCAL_HOSTNAME_FILE |
hosts_to_unbound |
restart_dns |
fi |
;; |
--reload|-reload) |
hosts_to_unbound |
restart_dns |
;; |
--off|-off) # disable DNS redirector |
$SED "s?^#filterwin2k.*?filterwin2k?g" $DNSMASQ_CONF_FILE |
$SED "s?^server.*?#&?g" $LOCAL_DOMAIN_CONF_FILE |
#$SED "s?^#filterwin2k.*?filterwin2k?g" $DNSMASQ_CONF_FILE |
rm -f $LOCAL_DOMAIN_CONF_FILE |
$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=off?g" $ALCASAR_CONF_FILE |
restart_dns |
# Reload firewall |
/usr/local/bin/alcasar-iptables.sh |
;; |
--on|-on) # enable DHCP service on all range of IP addresses |
$SED "s?^filterwin2k.*?#filterwin2k?g" $DNSMASQ_CONF_FILE |
$SED "s?^server=/.*?server=/$INT_DNS_DOMAIN/$INT_DNS_IP?g" $LOCAL_DOMAIN_CONF_FILE |
$SED "s?^#server=/.*?server=/$INT_DNS_DOMAIN/$INT_DNS_IP?g" $LOCAL_DOMAIN_CONF_FILE |
--on|-on) # enable DNS redirector |
#$SED "s?^filterwin2k.*?#filterwin2k?g" $DNSMASQ_CONF_FILE |
cat > $LOCAL_DOMAIN_CONF_FILE << EOF |
server: |
local-zone: "$INT_DNS_DOMAIN." transparent |
forward-zone: |
name: "$INT_DNS_DOMAIN." |
forward-addr: $INT_DNS_IP |
EOF |
$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=on?g" $ALCASAR_CONF_FILE |
restart_dns |
# Reload firewall |
/usr/local/bin/alcasar-iptables.sh |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "Argument inconnu : $1"; |
echo "$usage" |
exit 1 |
;; |
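Review bot: hosts_to_unbound emits a `local-data: "… A …"` record for every /etc/hosts line that its grep filter does not drop, but that filter only excludes the `alcasar` entry and `127.0.0.*`, so an IPv6 loopback line such as `::1 localhost`, a comment or a blank line would yield `local-data: "localhost A ::1"` or `local-zone: "" redirect`, which unbound's parser should reject and restart_dns would then leave every unbound instance down (exact /etc/hosts contents on the target are not visible here). Reading the two fields with `read` and skipping any line whose first field is not a dotted-quad keeps the output identical for well-formed entries while making the generated file always loadable. Secondarily, the `$SED "/^$2\t$3/d"` pattern used by --add and --del is not end-anchored and the dots of the IP are regex wildcards, so deleting `10.0.0.1 foo` also removes `10.0.0.1 foo.example`; `$SED "/^$2\t$3$/d"` narrows it to the exact entry.
```shell
function hosts_to_unbound(){
	# Empty the local DNS file
	echo "server:" > $LOCAL_DNS_FILE
	while read -r ip_address domain _
	do
		# skip comments, blank lines and non-IPv4 entries (e.g. "::1 localhost"):
		# only an A record can be written here, anything else breaks unbound's config
		[[ "$ip_address" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || continue
		[ -n "$domain" ] || continue
		if ! echo "$ip_address $domain" | grep -E -q "^([0-9\.\t ]+alcasar( |$)|127\.0\.0)"
		then
			# … unchanged: local-zone / local-data lines …
		fi
	done < $LOCAL_HOSTNAME_FILE
}
```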
/scripts/alcasar-file-clean.sh |
---|
29,17 → 29,3 |
chown root:apache $file |
chmod 660 $file |
done |
#update dnsmasq-blackhole with uamallowed domains ($ALCASAR_UAMDOMAIN) |
#remove old configuration |
sed -i '/^server=/d' /etc/dnsmasq-blackhole.conf |
for domain in $(cat $ALCASAR_UAMDOMAIN | cut -d' ' -f1) |
do |
domain_exception="server=/$(echo $domain | cut -d'"' -f2)/#" |
sed -i "/conf-file/a$domain_exception" /etc/dnsmasq-blackhole.conf |
done |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't restart on install stage |
then |
systemctl restart dnsmasq-blackhole |
fi |
/scripts/alcasar-importcert.sh |
---|
173,7 → 173,7 |
fi |
domainName $cert |
certImport $cert $key $sc |
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist lighttpd |
for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd |
do |
echo "restarting $services"; systemctl restart $services; sleep 1 |
done |
184,7 → 184,7 |
echo "Restoring default certificate" |
defaultCert |
defaultNdd |
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist lighttpd |
for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd |
do |
echo "restarting $services"; systemctl restart $services; sleep 1 |
done |
/scripts/alcasar-iptables.sh |
---|
33,6 → 33,8 |
dns1=${dns1:=208.67.220.220} |
dns2=${dns2:=208.67.222.222} |
DNSSERVERS="$dns1,$dns2" # first and second public DNS servers |
INT_DNS_IP=`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2` # Adresse du serveur DNS interne |
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
45,6 → 47,12 |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # Site Direct (no havp and no filtrage) for user BL |
# Allow requests to internal DNS if activated |
if [ "$INT_DNS_ACTIVE" = "on" ] |
then |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP" |
fi |
# Sauvegarde des SET des utilisateurs connectés si ils existent |
# Saving SET of connected users if it exists |
ipset list not_filtered 1>/dev/null 2>&1 |
111,7 → 119,7 |
# Suppression des ip réhabilitées / Removing of rehabilitated ip |
for ip in $(cat $IP_REHABILITEES) |
do |
ipset del bl_ip_blocked $ip |
ipset -q del bl_ip_blocked $ip |
done |
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés |
118,11 → 126,11 |
ipset create site_direct hash:net hashsize 1024 |
for site in $(cat $SITE_DIRECT) |
do |
ipset add site_direct $site |
ipset add site_direct $site |
done |
###### WL set ########### |
# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading |
# taille fixe, car peuplé par dnsmasq / fixe length due to dnsmasq dynamic loading |
wl_set_length=65536 |
# Chargement Loading |
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save |
285,18 → 293,18 |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset |
# autorisation des connexion légitime à DNSMASQ (avec blacklist) |
# Allow connections for DNSMASQ (with blacklist) |
# autorisation des connexion légitime à Unbound (avec blacklist) |
# Allow connections for Unbound (with blacklist) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT |
# autorisation des connexion légitime à DNSMASQ (avec whitelist) |
# Allow connections for DNSMASQ (with whitelist) |
# autorisation des connexion légitime à Unbound (avec whitelist) |
# Allow connections for Unbound (with whitelist) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT |
# autorisation des connexion légitime à DNSMASQ (mode blackhole) |
# Allow connections for DNSMASQ (blackhole mode) |
# autorisation des connexion légitime à Unbound (mode blackhole) |
# Allow connections for Unbound (blackhole mode) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT |
386,7 → 394,7 |
do |
svc_on=`echo $svc_line|cut -b1` |
if [ $svc_on != "#" ] |
then |
then |
svc_name=`echo $svc_line|cut -d" " -f1` |
svc_port=`echo $svc_line|cut -d" " -f2` |
if [ $svc_name = "icmp" ] |
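Review bot: The two new config reads `INT_DNS_IP=\`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2\`` and the INT_DNS_ACTIVE one are not anchored, unlike the other readers in this changeset (`grep ^PRIVATE_IP=`, `grep ^INTIF=`), so a commented-out or duplicated key in alcasar.conf would produce a multi-line value that is then spliced into `DNSSERVERS`. Also, when INT_DNS_ACTIVE is "on" but INT_DNS_IP is empty, `DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"` ends with a trailing comma, which iptables will reject wherever that list is used as `-d` (the consumers are outside these hunks). Suggested: `INT_DNS_IP=\`grep ^INT_DNS_IP= $CONF_FILE|cut -d"=" -f2\`` and `if [ "$INT_DNS_ACTIVE" = "on" ] && [ -n "$INT_DNS_IP" ]`.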
/scripts/alcasar-rpm-download.sh |
---|
13,7 → 13,7 |
# The kernel version we compile netflow for |
KERNEL="kernel-server-4.14.89-1.mga6-1-1.mga6" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq netcat-traditional" |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq dhcp-server netcat-traditional" |
rpm_repository_sync () |
{ |
147,4 → 147,3 |
cd |
echo "Your RPM archive file is /root/rpms-$ARCH.tar.gz" |
exit 0 |
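Review bot: The PACKAGES line gains `dhcp-server` but still does not list `unbound`, even though this changeset makes unbound the resolver and creates several unbound-* services; unless unbound is pulled in as a dependency of another package or installed elsewhere (not visible here), the offline RPM archive built by this script will be missing it. Keep this list in sync with the one in alcasar-urpmi.sh, e.g. `… kernel-userspace-headers dnsmasq dhcp-server unbound netcat-traditional`.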
/scripts/alcasar-uninstall.sh |
---|
155,25 → 155,26 |
dnsmasq () |
{ |
echo -en "(6 if update ; 8 if uninstall) : " |
i=0 |
for list in blacklist whitelist blackhole |
do |
i=`expr $i + 1` |
[ -e /etc/dnsmasq-$list.conf ] && rm /etc/dnsmasq-$list.conf && echo -n "$i, " |
i=`expr $i + 1` |
[ -e /lib/systemd/system/dnsmasq-$list.service ] && rm /lib/systemd/system/dnsmasq-$list.service && echo -n "$i, " |
done |
echo -en "(2 if update ; 4 if uninstall) : " |
[ -e /etc/dnsmasq-whitelist.conf ] && rm /etc/dnsmasq-whitelist.conf && echo -n "1, " |
[ -e /lib/systemd/system/dnsmasq-whitelist.service ] && rm /lib/systemd/system/dnsmasq-whitelist.service && echo -n "2, " |
if [ $mode == "full" ] # don't remove dnsmasq in update mode (DHCP + DNS !) |
then |
if [ -e /lib/systemd/system/dnsmasq.service ] |
then |
[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "7, " |
[ -e /lib/systemd/system/dnsmasq.service.default ] && mv /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq.service && echo -n "8" |
fi |
[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "3, " |
[ -e /lib/systemd/system/dnsmasq.service.default ] && mv /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq.service && echo -n "4" |
fi |
} |
unbound () |
{ |
echo -en "(5) : " |
[ -e /etc/unbound/unbound.conf.default ] && mv /etc/unbound/unbound.conf.default /etc/unbound/unbound.conf && echo -n "1, " |
[ -e /etc/unbound/unbound-blacklist.conf ] && rm -f /etc/unbound/unbound-blacklist.conf && echo -n "2, " |
[ -e /etc/unbound/unbound-whitelist.conf ] && rm -f /etc/unbound/unbound-whitelist.conf && echo -n "3, " |
[ -e /etc/unbound/unbound-blackhole.conf ] && rm -f /etc/unbound/unbound-blackhole.conf && echo -n "4, " |
[ -e /etc/unbound/conf.d ] && rm -rf /etc/unbound/conf.d && echo -n "5" |
} |
cron () |
{ |
echo -en "(11) : " |
275,7 → 276,7 |
echo "----------------------------------------------------------------------------" |
echo "** Uninstall/Désinstallation d'ALCASAR **" |
echo "----------------------------------------------------------------------------" |
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy nfsen fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian dnsmasq sshd chilli" |
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfsen fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian dnsmasq sshd chilli" |
/usr/local/bin/alcasar-logout.sh all # logout everybody |
else |
echo "--------------------------------------------------------------------------" |
282,7 → 283,7 |
echo "** update/mise à jour d'ALCASAR **" |
echo "--------------------------------------------------------------------------" |
# dnsmasq & sshd should stay on to allow remote update |
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy nfsen fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli" |
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfsen fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli" |
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update |
fi |
316,7 → 317,7 |
/usr/bin/systemctl reload sshd |
fi |
echo "Reset ALCASAR main functions : " |
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat unbound dnsmasq cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
echo -en "\n- $func " |
$func |
376,4 → 377,3 |
done |
fi |
echo |
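Review bot: In update mode the services list now stops `unbound` while the comment just above it still says `# dnsmasq & sshd should stay on to allow remote update`; after this changeset unbound is the resolver, so if the host's own /etc/resolv.conf points at it (not visible here) a remote update would lose name resolution as soon as it starts. Remove `unbound` from the update-mode list and reword the comment to `# unbound (local resolver) & sshd should stay on to allow remote update`. Separately, the new unbound() function removes the unbound-blacklist/whitelist/blackhole .conf files but, unlike dnsmasq(), never removes the matching systemd units; if those units are installed by alcasar.sh they are left behind on a full uninstall.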
/scripts/alcasar-url_filter_bl.sh |
---|
11,104 → 11,116 |
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine |
# Enable / disable : filter of urls containing ip address instead of domain name |
CONF_FILE="/usr/local/etc/alcasar.conf" |
DIR_DG="/etc/e2guardian/lists" |
DNSMASQ_BL_CONF="/etc/dnsmasq-blacklist.conf" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
UNBOUND_BL_DOMAIN_FILTER_CONF="/etc/unbound/conf.d/blacklist/domainfilter.conf" |
SED="/bin/sed -i" |
safesearch="Off" |
pureip="Off" |
usage="Usage: alcasar-url_filter_bl.sh { -safesearch_on or -safesearch_off } & { -pureip_on or --pureip_off }" |
usage="Usage: alcasar-url_filter_bl.sh { -safesearch_on or -safesearch_off } & { -pureip_on or -pureip_off }" |
nb_args=$# |
googledomains="google.com. google.ad. google.ae. google.com.af. google.com.ag. google.com.ai. google.al. google.am. google.co.ao. google.com.ar. google.as. google.at. google.com.au. google.az. google.ba. google.com.bd. google.be. google.bf. google.bg. google.com.bh. google.bi. google.bj. google.com.bn. google.com.bo. google.com.br. google.bs. google.bt. google.co.bw. google.by. google.com.bz. google.ca. google.cd. google.cf. google.cg. google.ch. google.ci. google.co.ck. google.cl. google.cm. google.cn. google.com.co. google.co.cr. google.com.cu. google.cv. google.com.cy. google.cz. google.de. google.dj. google.dk. google.dm. google.com.do. google.dz. google.com.ec. google.ee. google.com.eg. google.es. google.com.et. google.fi. google.com.fj. google.fm. google.fr. google.ga. google.ge. google.gg. google.com.gh. google.com.gi. google.gl. google.gm. google.gp. google.gr. google.com.gt. google.gy. google.com.hk. google.hn. google.hr. google.ht. google.hu. google.co.id. google.ie. google.co.il. google.im. google.co.in. google.iq. google.is. google.it. google.je. google.com.jm. google.jo. google.co.jp. google.co.ke. google.com.kh. google.ki. google.kg. google.co.kr. google.com.kw. google.kz. google.la. google.com.lb. google.li. google.lk. google.co.ls. google.lt. google.lu. google.lv. google.com.ly. google.co.ma. google.md. google.me. google.mg. google.mk. google.ml. google.com.mm. google.mn. google.ms. google.com.mt. google.mu. google.mv. google.mw. google.com.mx. google.com.my. google.co.mz. google.com.na. google.com.nf. google.com.ng. google.com.ni. google.ne. google.nl. google.no. google.com.np. google.nr. google.nu. google.co.nz. google.com.om. google.com.pa. google.com.pe. google.com.pg. google.com.ph. google.com.pk. google.pl. google.pn. google.com.pr. google.ps. google.pt. google.com.py. google.com.qa. google.ro. google.ru. google.rw. google.com.sa. google.com.sb. google.sc. google.se. google.com.sg. google.sh. google.si. google.sk. google.com.sl. google.sn. 
google.so. google.sm. google.sr. google.st. google.com.sv. google.td. google.tg. google.co.th. google.com.tj. google.tk. google.tl. google.tm. google.tn. google.to. google.com.tr. google.tt. google.com.tw. google.co.tz. google.com.ua. google.co.ug. google.co.uk. google.com.uy. google.co.uz. google.com.vc. google.co.ve. google.vg. google.co.vi. google.com.vn. google.vu. google.ws. google.rs. google.co.za. google.co.zm. google.co.zw. google.cat." |
youtubedomains="www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com" |
nb_args=$# |
if [ $nb_args -le 1 ] |
safesearch="" |
pureip="" |
if [ $nb_args -lt 1 ] |
then |
echo "$usage" |
nb_args=0 |
else |
while [ $nb_args -ge 1 ] |
exit 1 |
fi |
while [ $nb_args -ge 1 ] |
do |
arg=${!nb_args} |
case $arg in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
# Safe search activation |
-safesearch_on | --safesearch_on) |
safesearch="On" |
;; |
# Safe search deactivation |
-safesearch_off | --safesearch_off) |
safesearch="Off" |
;; |
# pure_ip activation |
-pureip_on | --pureip_on) |
pureip="On" |
;; |
# pureip deactivation |
-pureip_off | --pureip_off) |
pureip="Off" |
;; |
*) |
echo "Argument inconnu :$arg"; |
echo "$usage" |
exit 1 |
;; |
esac |
nb_args=$(expr $nb_args - 1) |
done |
if [ "$safesearch" == "On" ] |
then |
$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist # on décommente les lignes de regles |
# add 'SafeSearch' redirection for google searching |
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip |
# config file header |
echo "server:" > $UNBOUND_BL_DOMAIN_FILTER_CONF |
for domain in $googledomains |
do |
arg=${!nb_args} |
case $arg in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
# Safe search activation |
-safesearch_on | --safesearch_on) |
safesearch="On" |
;; |
# Safe search desactivation |
-safesearch_off | --safesearch_off) |
safesearch="Off" |
;; |
# pure_ip activation |
-pureip_on | --pureip_on) |
pureip="On" |
;; |
# pureip desactivation |
-pureip_off | --pureip_off) |
pureip="Off" |
;; |
*) |
echo "Argument inconnu :$arg"; |
echo "$usage" |
exit 1 |
;; |
esac |
nb_args=$(expr $nb_args - 1) |
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"$domain A $google_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
done |
if [ $safesearch == "On" ] |
then |
$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist # on décommente les lignes de regles |
# add 'SafeSearch' redirection for google searching |
$SED "/google/d" $DNSMASQ_BL_CONF # remove old google declaration |
google_safe_server=`host -ta forcesafesearch.google.com|cut -d" " -f4` # retrieve google forcesafesearch ip |
echo "# SafeSearch redirect server for google" >> $DNSMASQ_BL_CONF |
for gg_dnsname in $googledomains |
do |
echo "address=/$gg_dnsname/$google_safe_server" >> $DNSMASQ_BL_CONF |
done |
# add 'SafeSearch' redirection for youtube searching |
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip |
for domain in $youtubedomains |
do |
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"$domain A $youtube_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
done |
# add 'SafeSearch' redirection for bing searching |
$SED "/bing/d" $DNSMASQ_BL_CONF # remove old bing declaration |
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip |
echo "# SafeSearch redirect server for bing" >> $DNSMASQ_BL_CONF |
echo "address=/www.bing.com/$bing_safe_server" >> $DNSMASQ_BL_CONF |
# add 'SafeSearch' redirection for bing searching |
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip |
echo -e "\tlocal-zone: \"www.bing.com\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"www.bing.com A $bing_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
# add 'SafeSearch' redirection for youtube searching |
$SED "/youtube/d" $DNSMASQ_BL_CONF # remove old youtube declaration |
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip |
echo "# SafeSearch redirect server for youtube" >> $DNSMASQ_BL_CONF |
for yt_dnsname in $youtubedomains |
do |
echo "address=/$yt_dnsname/$youtube_safe_server" >> $DNSMASQ_BL_CONF |
done |
# add 'SafeSearch' redirection for qwant searching |
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip |
echo -e "\tlocal-zone: \"api.qwant.com\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"api.qwant.com A $qwant_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
# add 'SafeSearch' redirection for qwant searching |
$SED "/qwant/d" $DNSMASQ_BL_CONF # remove old qwant declaration |
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip |
echo "# SafeSearch redirect server for qwant" >> $DNSMASQ_BL_CONF |
echo "address=/api.qwant.com/$qwant_safe_server" >> $DNSMASQ_BL_CONF |
else |
$SED "s?^[^#]?#&?g" $DIR_DG/urlregexplist |
$SED "/google/d" $DNSMASQ_BL_CONF |
$SED "/bing/d" $DNSMASQ_BL_CONF |
$SED "/youtube/d" $DNSMASQ_BL_CONF |
$SED "/qwant/d" $DNSMASQ_BL_CONF |
fi |
if [ $pureip == "On" ] |
then |
$SED "s/^\#\*ip$/*ip/g" $DIR_DG/bannedsitelist |
$SED "s/^\#\*ips$/*ips/g" $DIR_DG/bannedsitelist |
else |
$SED "s/^\*ip$/#*ip/g" $DIR_DG/bannedsitelist |
$SED "s/^\*ips$/#*ips/g" $DIR_DG/bannedsitelist |
fi |
$SED 's/^BL_SAFESEARCH=.*/BL_SAFESEARCH=on/g' $CONF_FILE |
elif [ "$safesearch" == "Off" ] |
then |
$SED "s?^[^#]?#&?g" $DIR_DG/urlregexplist |
[ -e $UNBOUND_BL_DOMAIN_FILTER_CONF ] && rm -f $UNBOUND_BL_DOMAIN_FILTER_CONF |
$SED 's/^BL_SAFESEARCH=.*/BL_SAFESEARCH=off/g' $CONF_FILE |
fi |
if [ "$pureip" == "On" ] |
then |
$SED "s/^\#\*ip$/*ip/g" $DIR_DG/bannedsitelist |
$SED "s/^\#\*ips$/*ips/g" $DIR_DG/bannedsitelist |
$SED 's/^BL_PUREIP=.*/BL_PUREIP=on/g' $CONF_FILE |
elif [ "$pureip" == "Off" ] |
then |
$SED "s/^\*ip$/#*ip/g" $DIR_DG/bannedsitelist |
$SED "s/^\*ips$/#*ips/g" $DIR_DG/bannedsitelist |
$SED 's/^BL_PUREIP=.*/BL_PUREIP=off/g' $CONF_FILE |
fi |
systemctl restart e2guardian |
systemctl restart dnsmasq-blacklist |
fi |
systemctl restart unbound-blacklist |
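Review bot: Each `*_safe_server` value comes from `host -ta … | grep "address" | cut -d" " -f4` with no check on the result, so a failed lookup (which is plausible at install time, before the resolvers are up) writes `local-data: "google.com. A "` into domainfilter.conf and the final `systemctl restart unbound-blacklist` then fails to load the blacklist resolver at all; a name returning several A records would likewise produce a multi-line value and corrupt the generated lines. Resolve the four names through a small helper that takes the first address and aborts with a clear message when there is none, and do the lookups before `echo "server:" >` truncates the file so a partial config is never left behind. `exit 1` on resolution failure is preferable to writing an unloadable config, since the previous domainfilter.conf then stays in place.
```shell
# Resolve the first IPv4 address of $1 or abort: an empty value would leave an
# invalid "local-data" line behind and unbound-blacklist would fail to restart.
resolve_a() {
	local ip
	ip=$(host -ta "$1" | awk '/has address/ { print $4; exit }')
	if [ -z "$ip" ]
	then
		echo "Unable to resolve $1, SafeSearch redirection not updated" >&2
		exit 1
	fi
	echo "$ip"
}
# … unchanged: argument parsing …
google_safe_server=$(resolve_a forcesafesearch.google.com)
youtube_safe_server=$(resolve_a restrict.youtube.com)
bing_safe_server=$(resolve_a strict.bing.com)
qwant_safe_server=$(resolve_a safeapi.qwant.com)
# config file header (written only once every lookup succeeded)
echo "server:" > $UNBOUND_BL_DOMAIN_FILTER_CONF
# … unchanged: local-zone / local-data loops …
```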
/scripts/alcasar-url_filter_wl.sh |
---|
11,93 → 11,93 |
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine |
# Enable / disable : filter of urls containing ip address instead of domain name |
TINY_CONF="/etc/tinyproxy/tinyproxy.conf" |
DNSMASQ_WL_CONF="/etc/dnsmasq-whitelist.conf" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
UNBOUND_WL_DOMAIN_FILTER_CONF="/etc/unbound/conf.d/whitelist/domainfilter.conf" |
IP_WL="/usr/local/share/iptables-wl-enabled/ossi-ip-safesearch" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
SED="/bin/sed -i" |
safesearch="Off" |
usage="Usage: alcasar-url_filter_wl.sh { -safesearch_on or -safesearch_off }" |
nb_args=$# |
googledomains="google.com. google.ad. google.ae. google.com.af. google.com.ag. google.com.ai. google.al. google.am. google.co.ao. google.com.ar. google.as. google.at. google.com.au. google.az. google.ba. google.com.bd. google.be. google.bf. google.bg. google.com.bh. google.bi. google.bj. google.com.bn. google.com.bo. google.com.br. google.bs. google.bt. google.co.bw. google.by. google.com.bz. google.ca. google.cd. google.cf. google.cg. google.ch. google.ci. google.co.ck. google.cl. google.cm. google.cn. google.com.co. google.co.cr. google.com.cu. google.cv. google.com.cy. google.cz. google.de. google.dj. google.dk. google.dm. google.com.do. google.dz. google.com.ec. google.ee. google.com.eg. google.es. google.com.et. google.fi. google.com.fj. google.fm. google.fr. google.ga. google.ge. google.gg. google.com.gh. google.com.gi. google.gl. google.gm. google.gp. google.gr. google.com.gt. google.gy. google.com.hk. google.hn. google.hr. google.ht. google.hu. google.co.id. google.ie. google.co.il. google.im. google.co.in. google.iq. google.is. google.it. google.je. google.com.jm. google.jo. google.co.jp. google.co.ke. google.com.kh. google.ki. google.kg. google.co.kr. google.com.kw. google.kz. google.la. google.com.lb. google.li. google.lk. google.co.ls. google.lt. google.lu. google.lv. google.com.ly. google.co.ma. google.md. google.me. google.mg. google.mk. google.ml. google.com.mm. google.mn. google.ms. google.com.mt. google.mu. google.mv. google.mw. google.com.mx. google.com.my. google.co.mz. google.com.na. google.com.nf. google.com.ng. google.com.ni. google.ne. google.nl. google.no. google.com.np. google.nr. google.nu. google.co.nz. google.com.om. google.com.pa. google.com.pe. google.com.pg. google.com.ph. google.com.pk. google.pl. google.pn. google.com.pr. google.ps. google.pt. google.com.py. google.com.qa. google.ro. google.ru. google.rw. google.com.sa. google.com.sb. google.sc. google.se. google.com.sg. google.sh. google.si. google.sk. google.com.sl. google.sn. 
google.so. google.sm. google.sr. google.st. google.com.sv. google.td. google.tg. google.co.th. google.com.tj. google.tk. google.tl. google.tm. google.tn. google.to. google.com.tr. google.tt. google.com.tw. google.co.tz. google.com.ua. google.co.ug. google.co.uk. google.com.uy. google.co.uz. google.com.vc. google.co.ve. google.vg. google.co.vi. google.com.vn. google.vu. google.ws. google.rs. google.co.za. google.co.zm. google.co.zw. google.cat." |
youtubedomains="www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com" |
nb_args=$# |
if [ $nb_args -le 0 ] |
then |
echo "$usage" |
nb_args=0 |
else |
while [ $nb_args -ge 1 ] |
exit 1 |
fi |
while [ $nb_args -ge 1 ] |
do |
arg=${!nb_args} |
case $arg in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
# Safe search activation |
-safesearch_on | --safesearch_on) |
safesearch="On" |
;; |
# Safe search desactivation |
-safesearch_off | --safesearch_off) |
safesearch="Off" |
;; |
*) |
echo "Argument inconnu : $arg"; |
echo "$usage" |
exit 1 |
;; |
esac |
nb_args=$(expr $nb_args - 1) |
done |
if [ $safesearch == "On" ] |
then |
[ -e $IP_WL ] && rm -f $IP_WL |
# add 'SafeSearch' redirection for google searching |
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip |
# config file header |
echo "server:" > $UNBOUND_WL_DOMAIN_FILTER_CONF |
for domain in $googledomains |
do |
arg=${!nb_args} |
case $arg in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
# Safe search activation |
-safesearch_on | --safesearch_on) |
safesearch="On" |
;; |
# Safe search desactivation |
-safesearch_off | --safesearch_off) |
safesearch="Off" |
;; |
*) |
echo "Argument inconnu :$arg"; |
echo "$usage" |
exit 1 |
;; |
esac |
nb_args=$(expr $nb_args - 1) |
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"$domain A $google_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
done |
if [ $safesearch == "On" ] |
then |
if [ -e $IP_WL ] |
then |
rm $IP_WL # remove old google declaration |
fi |
echo "add wl_ip_allowed $google_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for google searching |
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip |
$SED "/google/d" $DNSMASQ_WL_CONF # remove old google declaration |
echo "# SafeSearch redirect server for google" >> $DNSMASQ_WL_CONF |
for bing_dnsname in $googledomains |
do |
echo "address=/$bing_dnsname/$google_safe_server" >> $DNSMASQ_WL_CONF |
done |
echo "add wl_ip_allowed $google_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for youtube searching |
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip |
for domain in $youtubedomains |
do |
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"$domain A $youtube_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
done |
echo "add wl_ip_allowed $youtube_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for bing searching |
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip |
$SED "/bing/d" $DNSMASQ_WL_CONF # remove old bing declaration |
echo "# SafeSearch redirect server for bing" >> $DNSMASQ_WL_CONF |
echo "address=/www.bing.com/$bing_safe_server" >> $DNSMASQ_WL_CONF |
echo "add wl_ip_allowed $bing_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for bing searching |
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip |
echo -e "\tlocal-zone: \"www.bing.com\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"www.bing.com A $bing_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo "add wl_ip_allowed $bing_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for youtube searching |
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip |
$SED "/youtube/d" $DNSMASQ_WL_CONF # remove old youtube declaration |
echo "# SafeSearch redirect server for youtube" >> $DNSMASQ_WL_CONF |
for yt_dnsname in $youtubedomains |
do |
echo "address=/$yt_dnsname/$youtube_safe_server" >> $DNSMASQ_WL_CONF |
done |
echo "add wl_ip_allowed $youtube_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for qwant searching |
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip |
echo -e "\tlocal-zone: \"api.qwant.com\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"api.qwant.com A $qwant_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo "add wl_ip_allowed $qwant_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for qwant searching |
$SED "/qwant/d" $DNSMASQ_WL_CONF # remove old qwant declaration |
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip |
echo "# SafeSearch redirect server for qwant" >> $DNSMASQ_WL_CONF |
echo "address=/api.qwant.com/$qwant_safe_server" >> $DNSMASQ_WL_CONF |
else |
$SED "/google/d" $DNSMASQ_WL_CONF |
$SED "/bing/d" $DNSMASQ_WL_CONF |
$SED "/youtube/d" $DNSMASQ_WL_CONF |
$SED "/qwant/d" $DNSMASQ_WL_CONF |
rm $IP_WL |
fi |
systemctl restart dnsmasq-whitelist |
$SED 's/^WL_SAFESEARCH=.*/WL_SAFESEARCH=on/g' $CONF_FILE |
else |
[ -e $UNBOUND_WL_DOMAIN_FILTER_CONF ] && rm -f $UNBOUND_WL_DOMAIN_FILTER_CONF |
[ -e $IP_WL ] && rm -f $IP_WL |
$SED 's/^WL_SAFESEARCH=.*/WL_SAFESEARCH=off/g' $CONF_FILE |
fi |
systemctl restart unbound-whitelist |
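Review bot: The same unchecked `host -ta … | grep "address" | cut -d" " -f4` pattern is used here for the four safe-search servers, and in this script an empty result is doubly harmful: it leaves an invalid `local-data` line in domainfilter.conf and also writes `add wl_ip_allowed ` (no address) into $IP_WL, which will break the ipset load that alcasar-iptables.sh performs from the iptables-wl-enabled directory. Take the first address only and bail out on an empty one before anything is written, e.g. `google_safe_server=$(host -ta forcesafesearch.google.com | awk '/has address/ { print $4; exit }')` followed by `[ -n "$google_safe_server" ] || { echo "Unable to resolve forcesafesearch.google.com" >&2; exit 1; }`, and the same for restrict.youtube.com, strict.bing.com and safeapi.qwant.com.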
/scripts/alcasar-urpmi.sh |
---|
14,7 → 14,7 |
# The kernel version we compile netflow for |
KERNEL="kernel-server-4.14.89-1.mga6-1-1.mga6" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq netcat-traditional" |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq dhcp-server netcat-traditional" |
rpm_repository_sync () |
{ |
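Review bot: The PACKAGES line adds `dhcp-server` but not `unbound`, although this changeset replaces dnsmasq with unbound as the resolver and the rest of the diff starts unbound, unbound-blacklist, unbound-whitelist and unbound-blackhole; unless the package is pulled in transitively or installed by alcasar.sh directly (neither is visible here), a fresh install would have no resolver binary. Suggested: `… kernel-userspace-headers dnsmasq dhcp-server unbound netcat-traditional`, mirrored in alcasar-rpm-download.sh. Nothing in this diff configures dhcp-server either, so a one-line comment stating why it is now required would save the next reader from wondering whether it is a leftover.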
/web/acc/admin/bl_categories_help.php |
---|
6,8 → 6,8 |
$bl_dir="/etc/e2guardian/lists/blacklists/"; |
$bl_iptables_dir="/usr/local/share/iptables-bl/"; |
$wl_iptables_dir="/usr/local/share/iptables-wl/"; |
$bl_dnsmasq_dir="/usr/local/share/dnsmasq-bl/"; |
$wl_dnsmasq_dir="/usr/local/share/dnsmasq-wl/"; |
$bl_unbound_dir="/usr/local/share/unbound-bl/"; |
$wl_unbound_dir="/usr/local/share/unbound-wl/"; |
# Choice of language |
$Language = 'en'; |
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) |
42,12 → 42,11 |
$l_example="Example(s) : "; |
$l_error_cat = "Error category"; |
$l_error_list = "Error listing"; |
} |
if(isset($_GET['cat'])) |
{ |
$categorie = $_GET['cat']; |
} |
} |
else |
{ |
$categorie = $l_error_cat; |
61,48 → 60,73 |
$liste = $l_error_list; |
} |
if($liste == "bl") |
{ |
$bl_categorie_domain_file = $bl_dnsmasq_dir.$categorie.".conf"; |
{ |
$bl_categorie_domain_file = $bl_unbound_dir.$categorie.".conf"; |
$bl_categorie_url_file = $bl_dir.$categorie."/urls"; |
$bl_categorie_ip_file = $bl_iptables_dir.$categorie; |
//don't calc again on reload (click on the number of domain/urls/ip) |
if (isset ($_GET['nb_domains']) && isset($_GET['nb_urls']) && isset($_GET['nb_ip'])) |
{ |
{ |
$nb_domains = $_GET['nb_domains']; |
$nb_urls = $_GET['nb_urls']; |
$nb_ip = $_GET['nb_ip']; |
} |
} |
else |
{ |
if (file_exists($bl_categorie_domain_file)) |
{ |
if (file_exists($bl_categorie_domain_file)) |
$nb_domains = exec("wc -l $bl_categorie_domain_file | cut -d ' ' -f1"); |
# two lines per domain |
$nb_domains = exec("wc -l $bl_categorie_domain_file | cut -d ' ' -f1") / 2; |
} |
else |
{ |
$nb_domains = $l_error_open_file." ".$bl_categorie_domain_file; |
} |
if (file_exists($bl_categorie_url_file)) |
{ |
$nb_urls = exec ("wc -l $bl_categorie_url_file | cut -d ' ' -f1"); |
} |
else |
{ |
$nb_urls = $l_error_open_file." ".$bl_categorie_url_file; |
} |
if(file_exists($bl_categorie_ip_file)) |
{ |
$nb_ip = exec("wc -l $bl_categorie_ip_file | cut -d ' ' -f1"); |
} |
else |
{ |
$nb_ip = $l_error_open_file." ".$bl_categorie_ip_file; |
} |
} |
} |
else |
{ |
$wl_categorie_domain_file = $wl_dnsmasq_dir.$categorie.".conf"; |
{ |
$wl_categorie_domain_file = $wl_unbound_dir.$categorie.".conf"; |
$wl_categorie_ip_file = $wl_iptables_dir.$categorie; |
if (file_exists($wl_categorie_domain_file)) |
{ |
$nb_domains = exec("wc -l $wl_categorie_domain_file | cut -d ' ' -f1"); |
} |
else |
{ |
$nb_domains = $l_error_open_file." ".$wl_categorie_domain_file; |
} |
if (file_exists($wl_categorie_ip_file)) |
{ |
$nb_ip = exec("wc -l $wl_categorie_ip_file | cut -d ' ' -f1"); |
} |
else |
{ |
$nb_ip = 0; |
//$nb_ip = $l_error_open_file." ".$wl_categorie_ip_file; |
} |
$nb_urls = 0; //no urls in WL |
} |
} |
$global_usage = file($bl_dir."global_usage"); |
$langue = strtoupper($Language); |
if(isset($categorie)) |
111,9 → 135,13 |
foreach($global_usage as $line) |
{ |
if(preg_match("#^NAME:.$categorie$#", $line) == 1) |
{ |
$fin1 = 1; |
} |
if($fin1 && preg_match("#^DESC.$langue:.#", $line) == 1) |
{ |
$l_description_cat = preg_replace("#^DESC.$langue:.#", "", $line); |
} |
if($fin1 && preg_match("#^NAME.$langue:.#", $line) == 1) |
{ |
$l_name_cat = preg_replace("#^NAME.$langue:.#", "", $line); |
178,7 → 206,7 |
{ |
$filtre = $liste == "bl" ? $bl_categorie_domain_file : $wl_categorie_domain_file; |
exec("head -n 15 ".escapeshellarg($filtre)." | cut -d '/' -f2", $resultat); |
exec("head -n 15 ".escapeshellarg($filtre)." | grep 'transparent' | awk '{ print $2 }'", $resultat); |
} |
elseif($titre == "ip") |
{ |
190,7 → 218,9 |
exec("head -n 15 ".escapeshellarg($filtre), $resultat); |
} |
for($i=0; $i<count($resultat); $i++) |
{ |
echo $resultat[$i]."<br/>"; |
} |
?> |
</td></tr> |
</TABLE> |
197,4 → 227,3 |
<center><a href="javascript:window.close();"><b><?php echo "$l_close"; ?></b></a></center> |
</BODY> |
</HTML> |
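Review bot: The rewritten count line `$nb_domains = exec("wc -l $bl_categorie_domain_file | cut -d ' ' -f1") / 2;` interpolates the path built from `$_GET['cat']` (`$bl_unbound_dir.$categorie.".conf"`) into the shell command unquoted, whereas the `head -n 15` commands further down in the same file already wrap their path in `escapeshellarg()`; the `file_exists()` guard in front of it only requires the path to resolve, it does not constrain what the name contains. The same line should read `$nb_domains = exec("wc -l ".escapeshellarg($bl_categorie_domain_file)." | cut -d ' ' -f1") / 2;`, and the sibling `wc -l` calls for the url, ip and whitelist files would benefit from the same treatment. The `/ 2` also assumes `exec()` returns a numeric string, which appears to rely on the two-lines-per-domain layout of the unbound files noted in the comment; a one-line comment stating that assumption, e.g. `// unbound list files hold two lines per domain, so wc -l is halved`, would help the next maintainer, and the identical division on `$nbDomainNames` in bl_filter.php shares that assumption. The `if($liste == "bl")` block continues outside this hunk.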
/web/acc/admin/bl_filter.php |
---|
37,22 → 37,22 |
} |
} |
function echo_file ($filename) |
{ |
if (file_exists($filename)) |
{ |
if (file_exists($filename)) |
if (filesize($filename) != 0) |
{ |
if (filesize($filename) != 0) |
{ |
$pointeur=fopen($filename,"r"); |
$tampon = fread($pointeur, filesize($filename)); |
fclose($pointeur); |
echo $tampon; |
} |
} |
} |
else |
{ |
{ |
echo "$filename doesn't exist"; |
} |
} |
} |
function echo_ip_file ($filename) |
{ |
$filename = escapeshellarg($filename); |
68,7 → 68,7 |
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){ |
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']); |
$Language = strtolower(substr(chop($Langue[0]),0,2)); |
} |
} |
if($Language == 'fr'){ |
$l_bl="Liste noire générale"; |
$l_load="Chargement..."; |
89,7 → 89,7 |
$l_rehabilitated_ip_explain="Entrez ici des IP bloquées par la liste noire <BR> que vous souhaitez réhabiliter."; |
$l_one_dns="Entrez une adresse DNS par ligne (exemple : www.domaine.com)"; |
$l_one_ip="Entrez une IP par ligne (exemple : 123.123.123.123)"; |
$l_one_dns_ip="Entrez un nom de domaine ou une adresse IP ou une adresse de réseau par ligne<br>exemple (domaine) : .domaine.org - exemple (ip) : 61.54.52.56 - exemple (réseau) : 172.16.0.0/16"; |
$l_one_dns_ip="Entrez un nom de domaine ou une adresse IP ou une adresse de réseau par ligne<br>exemple (domaine) : domaine.org. - exemple (ip) : 61.54.52.56 - exemple (réseau) : 172.16.0.0/16"; |
$l_record="Enregistrer les modifications"; |
$l_wait="Une fois validées, 10 secondes sont nécessaires pour traiter vos modifications"; |
$l_ip_filtering="Filtrer les URLs contenant une adresse IP au lieu d'un nom de domaine (ex: http://25.56.58.59/index.htm)"; |
133,9 → 133,9 |
$l_add_to_bl="Domain names or IP addresses to add to the blacklist"; |
$l_rehabilitated_ip="IP addresses to rehabilitated"; |
$l_rehabilitated_ip_explain="Enter here IP that are blocked by the blacklist <BR> and you want to rehabilitate."; |
$l_one_dns="Enter one DNS per row (example : www.domaine.com)"; |
$l_one_dns="Enter one DNS per row (example : www.domain.com)"; |
$l_one_ip="Enter one IP per row (example : 123.123.123.123)"; |
$l_one_dns_ip="Enter one domain name or one IP address or one network address per row <br>example (domain): .domain.org - example (ip): 61.54.56.52 - example (network) : 172.16.0.0/16"; |
$l_one_dns_ip="Enter one domain name or one IP address or one network address per row <br>example (domain): domain.org. - example (ip): 61.54.56.52 - example (network) : 172.16.0.0/16"; |
$l_record="Save changes"; |
$l_wait="Once validated, 10 seconds are necessary to compute your modifications"; |
$l_ip_filtering="Filtering URLs that contain an IP address instead of a domain name (ie: http://25.56.58.59/index.htm)"; |
165,142 → 165,158 |
$dir_blacklist=$dir_dg."blacklists/"; |
$dir_bl_ip="/usr/local/share/iptables-bl/"; |
$dir_bl_ip_enabled="/usr/local/share/iptables-bl-enabled/"; |
$dir_bl_domain_names="/usr/local/share/dnsmasq-bl/"; |
$dir_bl_domain_names_enabled="/usr/local/share/dnsmasq-bl-enabled/"; |
$dir_bl_domain_names="/usr/local/share/unbound-bl/"; |
$dir_bl_domain_names_enabled="/usr/local/share/unbound-bl-enabled/"; |
$bl_categories=$dir_etc."alcasar-bl-categories"; |
$bl_categories_enabled=$dir_etc."alcasar-bl-categories-enabled"; |
$conf_file=$dir_etc."alcasar.conf"; |
$urlregex_file=$dir_dg."urlregexplist"; |
$domainfilter_file="/etc/unbound/conf.d/blacklist/domainfilter.conf"; |
$bannedsite_file=$dir_dg."bannedsitelist"; |
$dir_tmp="/tmp/blacklists"; |
$update_file_cat="/usr/local/etc/update_cat.conf"; |
$bl_safesearch="off"; |
$bl_pureip="off"; |
# default values |
if (is_file ($conf_file)) |
{ |
{ |
$tab=file($conf_file); |
if ($tab) |
{ |
foreach ($tab as $line) |
{ |
foreach ($tab as $line) |
{ |
$field=explode("=", $line); |
if ($field[0] == "PRIVATE_IP") |
{ |
$PRIVATE_IP_MASK=trim($field[1]); |
$tmp = explode("/",$PRIVATE_IP_MASK); |
$PRIVATE_IP=$tmp[0]; |
} |
switch ($field[0]) { |
case 'PRIVATE_IP': |
$PRIVATE_IP_MASK=trim($field[1]); |
$tmp = explode("/",$PRIVATE_IP_MASK); |
$PRIVATE_IP=$tmp[0]; |
break; |
case 'BL_SAFESEARCH': |
if (strtolower(trim($field[1])) == 'on') { |
$bl_safesearch='on'; |
} |
break; |
case 'BL_PUREIP': |
if (strtolower(trim($field[1])) == 'on') { |
$bl_pureip='on'; |
} |
break; |
} |
} |
} |
} |
else { echo "$l_error_open_file $conf_file";} |
if (isset($_POST['choix'])){ $choix=$_POST['choix']; } else { $choix=""; } |
switch ($choix) |
{ |
case 'Download_list' : |
exec ("sudo /usr/local/bin/alcasar-bl.sh --download"); |
break; |
case 'Active_list' : |
exec ("sudo /usr/local/bin/alcasar-bl.sh --adapt"); |
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
break; |
case 'Reject_list' : |
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum"); |
break; |
case 'MAJ_cat_bl' : |
if (file_exists($bl_categories_enabled)) |
{ |
exec("/bin/sed -i \"/^ossi-/!d\" $bl_categories_enabled"); // keep ossi custom categories |
$pointeur=fopen($bl_categories_enabled, "a+"); |
$fichier=fopen($update_file_cat,"w+"); |
foreach ($_POST as $key => $value) |
case 'Download_list' : |
exec ("sudo /usr/local/bin/alcasar-bl.sh --download"); |
break; |
case 'Active_list' : |
exec ("sudo /usr/local/bin/alcasar-bl.sh --adapt"); |
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
break; |
case 'Reject_list' : |
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum"); |
break; |
case 'MAJ_cat_bl' : |
if (file_exists($bl_categories_enabled)) |
{ |
if (strstr($key,'chk-')) |
exec("/bin/sed -i \"/^ossi-/!d\" $bl_categories_enabled"); // keep ossi custom categories |
$pointeur=fopen($bl_categories_enabled, "a+"); |
$fichier=fopen($update_file_cat,"w+"); |
foreach ($_POST as $key => $value) |
{ |
$line=str_replace('chk-','',$key)."\n"; |
fwrite($pointeur,$line); |
if(trim($line) == 'malware' && $_POST['update_cat'] == 1) //auto-update of malware |
if (strstr($key,'chk-')) |
{ |
fputs($fichier, "malware rsync://ftp.ut-capitole.fr/blacklist/dest/malware\n"); |
$line=str_replace('chk-','',$key)."\n"; |
fwrite($pointeur,$line); |
if(trim($line) == 'malware' && $_POST['update_cat'] == 1) //auto-update of malware |
{ |
fputs($fichier, "malware rsync://ftp.ut-capitole.fr/blacklist/dest/malware\n"); |
} |
} |
} |
fclose($pointeur); |
fclose($fichier); |
} |
fclose($pointeur); |
else {echo "$l_error_open_file $bl_categories_enabled";} |
$fichier=fopen($dir_blacklist."ossi-bl/domains","w+"); |
fputs($fichier, form_filter($_POST['OSSI_bl'])); |
fclose($fichier); |
} |
else {echo "$l_error_open_file $bl_categories_enabled";} |
$fichier=fopen($dir_blacklist."ossi-bl/domains","w+"); |
fputs($fichier, form_filter($_POST['OSSI_bl'])); |
fclose($fichier); |
unset($_POST['OSSI_bl']); |
$fichier=fopen($dir_dg."exceptionsitelist","w+"); |
fputs($fichier, form_filter($_POST['BL_rehabilited_domains'])); |
fclose($fichier); |
unset($_POST['BL_rehabilited_domains']); |
$fichier=fopen($dir_dg."exceptioniplist","w+"); |
fputs($fichier, form_filter($_POST['BL_rehabilited_ip'])); |
fclose($fichier); |
unset($_POST['BL_rehabilited_ip']); |
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
break; |
case 'Specific_filtering' : |
$pureip="-pureip_off"; $safesearch="-safesearch_off"; ; |
foreach ($_POST as $key => $value) |
{ |
if (strstr($key,'chk-ip')) $pureip="-pureip_on"; |
if (strstr($key,'chk-safesearch')) $safesearch="-safesearch_on"; |
} |
exec ("sudo /usr/local/bin/alcasar-url_filter_bl.sh $safesearch $pureip"); |
break; |
case 'MAJ_ossi_file' : |
foreach($_POST as $fichier => $value) |
{ |
if($fichier != "choix") |
unset($_POST['OSSI_bl']); |
$fichier=fopen($dir_dg."exceptionsitelist","w+"); |
fputs($fichier, form_filter($_POST['BL_rehabilited_domains'])); |
fclose($fichier); |
unset($_POST['BL_rehabilited_domains']); |
$fichier=fopen($dir_dg."exceptioniplist","w+"); |
fputs($fichier, form_filter($_POST['BL_rehabilited_ip'])); |
fclose($fichier); |
unset($_POST['BL_rehabilited_ip']); |
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
break; |
case 'Specific_filtering': |
$bl_pureip='off'; |
$bl_safesearch='off'; |
foreach ($_POST as $key => $value) |
{ |
$action=$_POST[$fichier]; |
if($action == $l_remove) //delete |
if (strstr($key,'chk-ip')) $bl_pureip="on"; |
if (strstr($key,'chk-safesearch')) $bl_safesearch="on"; |
} |
exec ("sudo /usr/local/bin/alcasar-url_filter_bl.sh -safesearch_$bl_safesearch -pureip_$bl_pureip"); |
break; |
case 'MAJ_ossi_file' : |
foreach($_POST as $fichier => $value) |
{ |
if($fichier != "choix") |
{ |
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $bl_categories_enabled"); |
exec("/bin/sed -i ".escapeshellarg("/$fichier\$/d")." $bl_categories"); |
exec("rm -rf $dir_blacklist".escapeshellarg($fichier)); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
$action=$_POST[$fichier]; |
if($action == $l_remove) //delete |
{ |
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $bl_categories_enabled"); |
exec("/bin/sed -i ".escapeshellarg("/$fichier\$/d")." $bl_categories"); |
exec("rm -rf $dir_blacklist".escapeshellarg($fichier)); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
} |
if($action == $l_disable) //disable |
{ |
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $bl_categories_enabled"); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
} |
if($action == $l_enable) //enable |
{ |
file_put_contents ($bl_categories_enabled, $fichier."\n", FILE_APPEND); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
} |
} |
if($action == $l_disable) //disable |
} |
break; |
case 'MAJ_ossi_file_upload' : |
$file_name = str_replace (".", "_",basename($_FILES['fichier_ip']['name'])); |
$dest_dir = $dir_blacklist."ossi-bl-".$file_name; # /etc/e2guardian/list/blacklist/ossi-bl-XXXXXXXX |
if((!empty($file_name)) && (!file_exists($dest_dir))) |
{ |
exec("mkdir ".escapeshellarg($dest_dir)); |
$file=$_FILES['fichier_ip']['tmp_name']; |
exec('/usr/bin/dos2unix '.escapeshellarg($file)); |
if(move_uploaded_file($_FILES['fichier_ip']['tmp_name'], $dest_dir."/domains")) // copy in the file "domains" (containing @ip & domain names (like over Toulouse categories)) |
{ |
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $bl_categories_enabled"); |
touch ($dest_dir."/urls"); // create the URL file even if it isn't used |
file_put_contents ($bl_categories, $dest_dir."\n", FILE_APPEND); # add to the categories list |
file_put_contents ($bl_categories_enabled, "ossi-bl-".$file_name."\n", FILE_APPEND); //Enabled by default |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
} |
if($action == $l_enable) //enable |
else |
{ |
file_put_contents ($bl_categories_enabled, $fichier."\n", FILE_APPEND); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
exec("rm -rf ".escapeshellarg($dest_dir)); |
echo $l_error_upload; |
} |
} |
} |
break; |
case 'MAJ_ossi_file_upload' : |
$file_name = str_replace (".", "_",basename($_FILES['fichier_ip']['name'])); |
$dest_dir = $dir_blacklist."ossi-bl-".$file_name; # /etc/e2guardian/list/blacklist/ossi-bl-XXXXXXXX |
if((!empty($file_name)) && (!file_exists($dest_dir))) |
{ |
exec("mkdir ".escapeshellarg($dest_dir)); |
$file=$_FILES['fichier_ip']['tmp_name']; |
exec('/usr/bin/dos2unix '.escapeshellarg($file)); |
if(move_uploaded_file($_FILES['fichier_ip']['tmp_name'], $dest_dir."/domains")) // copy in the file "domains" (containing @ip & domain names (like over Toulouse categories)) |
{ |
touch ($dest_dir."/urls"); // create the URL file even if it isn't used |
file_put_contents ($bl_categories, $dest_dir."\n", FILE_APPEND); # add to the categories list |
file_put_contents ($bl_categories_enabled, "ossi-bl-".$file_name."\n", FILE_APPEND); //Enabled by default |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
} |
else |
{ |
exec("rm -rf ".escapeshellarg($dest_dir)); |
echo $l_error_upload; |
} |
} |
break; |
break; |
} |
?> |
<table width="100%" border="0" cellspacing="0" cellpadding="0"> |
314,7 → 330,7 |
<FORM action='bl_filter.php' method=POST> |
<?php |
if ((file_exists("$dir_tmp/blacklists.tar.gz")) && (file_exists("$dir_tmp/md5sum"))) |
{ |
{ |
echo "$l_fingerprint"; echo_file ("$dir_tmp/md5sum"); |
echo "<br>$l_fingerprint2<a href='http://dsi.ut-capitole.fr/blacklists/download/MD5SUM.LST' target='cat_help' onclick=\"window.open('http://dsi.ut-capitole.fr/blacklists/download/MD5SUM.LST','cat_help','width=600,height=150,toolbar=no,scrollbars=yes,resizable=yes')\" title='verify fingerprint'>dsi.ut-capitole.fr/blacklists/download/MD5SUM.LST</a><br>"; |
echo "<input type='hidden' name='choix' value='Active_list'>"; |
322,12 → 338,12 |
echo "<FORM action='bl_filter.php' method=POST>"; |
echo "<input type='hidden' name='choix' value='Reject_list'>"; |
echo "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_reject_bl'></form>"; |
} |
} |
else |
{ |
{ |
echo "<input type='hidden' name='choix' value='Download_list'>"; |
echo "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_download_bl'> ($l_warning)</form>"; |
} |
} |
?> |
</td></tr> |
</table><br> |
342,7 → 358,7 |
<?php |
echo "<center>"; |
// total number of IP, DNS & URLs |
$nbDomainNames = exec("wc -l /usr/local/share/dnsmasq-bl/* | tail -n 1 | awk '{print $1}'"); |
$nbDomainNames = exec("wc -l /usr/local/share/unbound-bl/* | tail -n 1 | awk '{print $1}'") / 2; |
$nbUrl = exec("for file in `find /etc/e2guardian/lists/blacklists/ -name 'urls'`; do nb=$((nb+$(wc -l \$file | awk '{print $1}'))); done; echo \$nb"); |
$nbIp = exec("wc -l /usr/local/share/iptables-bl/* | tail -n 1 | awk '{print $1}'"); |
echo "<b>$l_nbDomainNames</b> $nbDomainNames, <b>$l_nbUrl</b> $nbUrl, <b>$l_nbIp</b> $nbIp<br/>"; |
350,11 → 366,11 |
//read & display all BL categories (checked or not) |
$cols=1; |
if (file_exists($bl_categories)) |
{ |
{ |
$bl_files = file($bl_categories); |
$bl_files = preg_grep("/ossi-/", $bl_files, 1); // don't display ossi custom categories |
foreach($bl_files as $fichier => $value) |
{ |
{ |
if ($cols == 1) { echo "<tr>";} |
$categorie=trim(basename($value)); |
echo "<td><a href='bl_categories_help.php?liste=bl&cat=$categorie' target='cat_help' onclick=\"window.open('bl_categories_help.php','cat_help','width=600,height=450,toolbar=no,scrollbars=yes,resizable=yes')\" title='categories help page'>$categorie</a><br>"; |
366,10 → 382,11 |
$cols++; |
if ($cols > 10) { |
echo "</tr>\n"; |
$cols=1; } |
$cols=1; |
} |
} |
else { |
} |
else { |
echo "$l_error_open_file $bl_categories"; |
} |
451,59 → 468,14 |
<input type='hidden' name='choix' value='Specific_filtering'> |
<table width="100%" border=1 cellspacing=0 cellpadding=1> |
<tr><td> |
<input type='checkbox' name='chk-ip' |
<?php |
// verify "pureip" filtering state |
if (file_exists($bannedsite_file)) |
{ |
$pointeur=fopen($bannedsite_file,"r"); |
while (!feof ($pointeur)) |
{ |
$ligne=fgets($pointeur, 4096); |
if ($ligne) |
{ |
if (preg_match('/^\*ip$/',$ligne, $r)) |
{ |
echo " checked"; |
break; |
} |
} |
} |
fclose($pointeur); |
} |
else { |
echo "$l_error_open_file $bannedsite_file"; |
} |
echo "> $l_ip_filtering"; |
?> |
<input type='checkbox' name='chk-ip' <?= $bl_pureip == 'on' ? 'checked' : ''; ?>><?= $l_ip_filtering; ?> |
</td></tr> |
<tr><td> |
<input type='checkbox' name='chk-safesearch' |
<?php |
// verify "safesearch" filtering state |
if (file_exists($urlregex_file)) |
{ |
$pointeur=fopen($urlregex_file,"r"); |
while (!feof ($pointeur)) |
{ |
$ligne=fgets($pointeur, 4096); |
if ($ligne) |
{ |
if (preg_match('/^\"\(\^http\:\/\/\[0\-9a\-z\]\+\\\.google/',$ligne, $r)) |
{ |
echo " checked"; |
break; |
} |
} |
} |
fclose($pointeur); |
} |
else { |
echo "$l_error_open_file $urlregex_file"; |
} |
echo "> $l_safe_searching<tr><td>"; |
echo "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_record'></td></tr>"; |
?> |
<input type='checkbox' name='chk-safesearch' <?= $bl_safesearch == 'on' ? 'checked' : ''; ?>><?= $l_safe_searching; ?> |
</tr></td> |
<tr><td> |
<?= "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_record'>"; ?> |
</td></tr> |
</table> |
</form> |
</BODY> |
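Review bot: In the re-indented `MAJ_ossi_file` case the POST key `$fichier` is used as a category name in `exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $bl_categories_enabled");` and `exec("rm -rf $dir_blacklist".escapeshellarg($fichier));`, but the only filter is `if($fichier != "choix")`; `escapeshellarg()` keeps the value a single argument, it does not restrict it to a name inside `$dir_blacklist`, so a key containing path separators would address a different path. A shape check before the branch is cheap, e.g. `if($fichier != "choix" && preg_match('/^[A-Za-z0-9_-]+$/', $fichier))`, or better, rejecting any `$fichier` that is not present in `$bl_categories`. This logic predates the commit and was only re-indented here, so the same check should go into the matching `MAJ_ossi_file` case of wl_filter.php. The `switch ($choix)` starts inside this hunk but the surrounding request handling continues beyond it.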
/web/acc/admin/network.php |
---|
226,10 → 226,6 |
$field = preg_split("/\s+/",$line); |
$ip_addr = $field[0]; |
$host_name = trim($field[1]); |
if (strcmp($add_ip, $ip_addr) === 0) { |
$insert = false; |
break; |
} |
if (strcasecmp($add_host, $host_name) === 0) { |
$insert = false; |
break; |
237,7 → 233,7 |
} |
} |
if ($insert) { |
exec("sudo /usr/local/bin/alcasar-dns-local.sh -add $add_ip $add_host"); |
exec("sudo /usr/local/bin/alcasar-dns-local.sh --add $add_ip $add_host"); |
} |
} |
} |
272,8 → 268,8 |
move_uploaded_file($_FILES['key']['tmp_name'], $keypath); |
move_uploaded_file($_FILES['crt']['tmp_name'], $crtpath); |
exec("sudo alcasar-importcert.sh -i $crtpath -k $keypath -c $scpath"); |
if (file_exists($crtpath)) unlink($crtpath); |
if (file_exists($keypath)) unlink($keypath); |
if (file_exists($crtpath)) unlink($crtpath); |
if (file_exists($keypath)) unlink($keypath); |
if (file_exists($scpath)) unlink($scpath); |
} |
} |
342,7 → 338,7 |
$domainName = $_POST['domainname']; |
exec('sudo /usr/local/bin/alcasar-letsencrypt.sh --issue --email '.escapeshellarg($email).' --domain '.escapeshellarg($domainName), $output, $exitCode); |
$cmdResponse = implode("<br>\n", $output); |
} |
if ($choix === 'le_renewCert') { |
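Review bot: The changed line `exec("sudo /usr/local/bin/alcasar-dns-local.sh --add $add_ip $add_host");` still passes `$add_ip` and `$add_host` into the command string unescaped, while the letsencrypt call a few lines below in the same file uses `escapeshellarg()` for each argument. Unless both values are validated earlier in the enclosing block (which starts outside this hunk and is not visible here), the line should read `exec("sudo /usr/local/bin/alcasar-dns-local.sh --add ".escapeshellarg($add_ip)." ".escapeshellarg($add_host));`. Also worth a short comment on the same line, since the hunk drops the duplicate-IP check: `// several host names may now share one IP; only the host name is checked for duplicates`, if that is indeed the intent.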
/web/acc/admin/services.php |
---|
1,5 → 1,5 |
<?php |
/* written by steweb57 & Rexy */ |
/* written by steweb57 & Rexy */ |
# Choice of language |
$Language = 'en'; |
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){ |
31,10 → 31,11 |
$l_vnstat = "Grapheur de flux réseau"; |
$l_havp = "Proxy Antivirus"; |
$l_tinyproxy = "Proxy HTTP léger"; |
$l_dnsmasq = "Serveur DNS principal"; |
$l_dnsmasq_blacklist = "Serveur DNS pour la Blacklist"; |
$l_dnsmasq_whitelist = "Serveur DNS pour la Whitelist"; |
$l_dnsmasq_blackhole = "Serveur DNS 'trou noir'"; |
$l_unbound = "Serveur DNS principal"; |
$l_unbound_blacklist = "Serveur DNS pour la Blacklist"; |
$l_unbound_whitelist = "Serveur DNS pour la Whitelist"; |
$l_dnsmasq_whitelist = "Serveur DNS pour la Whitelist (IPSET)"; |
$l_unbound_blackhole = "Serveur DNS 'trou noir'"; |
$l_ulogd_ssh = "journalisation des accès par SSH"; |
$l_ulogd_ext_access = "journalisation des tentatives d'accès externes"; |
$l_ulogd_traceability = "journalisation des connexions WEB filtrés"; |
42,7 → 43,7 |
$l_stop_restart = "Arret et redémarrage du système"; |
$l_halt = "Arréter le système"; |
$l_reboot = "Relancer le système"; |
} else { |
$l_services_title = "Services configuration"; |
$l_main_services = "Main services"; |
69,10 → 70,11 |
$l_vnstat = "Network grapher"; |
$l_havp = "Antivirus Proxy"; |
$l_tinyproxy = "Light HTTP Proxy"; |
$l_dnsmasq = "Main DNS server"; |
$l_dnsmasq_blacklist = "Blacklist DNS server"; |
$l_dnsmasq_whitelist = "Whitelist DNS server"; |
$l_dnsmasq_blackhole = "Blackhole DNS server"; |
$l_unbound = "Main DNS server"; |
$l_unbound_blacklist = "Blacklist DNS server"; |
$l_unbound_whitelist = "Whitelist DNS server"; |
$l_dnsmasq_whitelist = "Whitelist DNS server (IPSET)"; |
$l_unbound_blackhole = "Blackhole DNS server"; |
$l_ulogd_ssh = "SSH access logging process"; |
$l_ulogd_ext_access = "Extern access attempts logging process"; |
$l_ulogd_traceability = "Filtering WEB access logging process"; |
102,7 → 104,7 |
if (($action == "start")||($action == "stop")||($action == "restart")){ |
exec("sudo /usr/bin/systemctl $action ".escapeshellarg($service), $retval, $retstatus); |
if ($service == "sshd"){ // in order to keep that conf for SSH at next reboot |
if ($action == "start"){ |
if ($action == "start"){ |
exec("sudo /usr/bin/systemctl enable ".escapeshellarg($service)); |
file_put_contents(CONF_FILE, str_replace('SSH=off', 'SSH=on', file_get_contents(CONF_FILE))); |
exec("sudo /usr/local/bin/alcasar-iptables.sh"); |
135,7 → 137,7 |
//------------------------------- |
// Actions on services |
//------------------------------- |
$autorizeService = array("radiusd","chilli","mysqld","lighttpd","dnsmasq","ulogd-ssh","ulogd-ext-access","ulogd-traceability","dnsmasq-blacklist","dnsmasq-whitelist","dnsmasq-blackhole","e2guardian","havp","tinyproxy","freshclam","sshd","ntpd","fail2ban","nfsen","vnstat"); |
$autorizeService = array("radiusd","chilli","mysqld","lighttpd","unbound-forward","ulogd-ssh","ulogd-ext-access","ulogd-traceability","unbound-blacklist","unbound-whitelist","dnsmasq-whitelist","unbound-blackhole","e2guardian","havp","tinyproxy","freshclam","sshd","ntpd","fail2ban","nfsen","vnstat"); |
$autorizeAction = array("start","stop","restart"); |
if (isset($_GET['service'])&&(in_array($_GET['service'], $autorizeService))) { |
168,15 → 170,16 |
$MainServiceStatus['radiusd'] = checkServiceStatus("radiusd"); |
$MainServiceStatus['mysqld'] = checkServiceStatus("mysqld"); |
$MainServiceStatus['lighttpd'] = checkServiceStatus("lighttpd"); |
$MainServiceStatus['dnsmasq'] = checkServiceStatus("dnsmasq"); |
$MainServiceStatus['unbound'] = checkServiceStatus("unbound-forward"); |
$MainServiceStatus['ulogd_ssh'] = checkServiceStatus("ulogd-ssh"); |
$MainServiceStatus['ulogd_ext_access'] = checkServiceStatus("ulogd-ext-access"); |
$MainServiceStatus['ulogd_traceability'] = checkServiceStatus("ulogd-traceability"); |
$FilterServiceStatus = array(); |
$FilterServiceStatus['dnsmasq_blacklist'] = checkServiceStatus("dnsmasq-blacklist"); |
$FilterServiceStatus['unbound_blacklist'] = checkServiceStatus("unbound-blacklist"); |
$FilterServiceStatus['unbound_whitelist'] = checkServiceStatus("unbound-whitelist"); |
$FilterServiceStatus['dnsmasq_whitelist'] = checkServiceStatus("dnsmasq-whitelist"); |
$FilterServiceStatus['dnsmasq_blackhole'] = checkServiceStatus("dnsmasq-blackhole"); |
$FilterServiceStatus['unbound_blackhole'] = checkServiceStatus("unbound-blackhole"); |
$FilterServiceStatus['e2guardian'] = checkServiceStatus("e2guardian"); |
$FilterServiceStatus['havp'] = checkServiceStatus("havp"); |
$FilterServiceStatus['tinyproxy'] = checkServiceStatus("tinyproxy"); |
/web/acc/admin/wl_filter.php |
---|
9,7 → 9,7 |
<? |
function form_filter ($form_content) |
{ |
// réencodage iso + format unix + rc fin de ligne (ouf...) |
// réencodage iso + format unix + rc fin de ligne (ouf...) |
$list = str_replace("\r\n", "\n", utf8_decode($form_content)); |
if (strlen($list) != 0){ |
if ($list[strlen($list)-1] != "\n") { $list[strlen($list)]="\n";} ;} ; |
37,22 → 37,22 |
} |
} |
function echo_file ($filename) |
{ |
if (file_exists($filename)) |
{ |
if (file_exists($filename)) |
if (filesize($filename) != 0) |
{ |
if (filesize($filename) != 0) |
{ |
$pointeur=fopen($filename,"r"); |
$tampon = fread($pointeur, filesize($filename)); |
fclose($pointeur); |
echo $tampon; |
} |
} |
} |
else |
{ |
{ |
echo "$filename doesn't exist"; |
} |
} |
} |
function echo_ip_file ($filename) |
{ |
$filename = escapeshellarg($filename); |
68,7 → 68,7 |
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){ |
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']); |
$Language = strtolower(substr(chop($Langue[0]),0,2)); |
} |
} |
if($Language == 'fr'){ |
$l_wl="Liste blanche générale"; |
$l_load="Chargement..."; |
76,7 → 76,7 |
$l_wl_categories="Sélectionnez les catégories à autoriser"; |
$l_specific_filtering="Filtrage special"; |
$l_add_to_wl="Noms de domaine ou adresses IP à ajouter à la liste blanche"; |
$l_one_dns_ip="Entrez un nom de domaine ou une adresse IP ou une adresse de réseau par ligne<br>exemple (domaine) : .domaine.org - exemple (ip) : 61.54.52.56 - exemple (réseau) : 172.16.0.0/16"; |
$l_one_dns_ip="Entrez un nom de domaine ou une adresse IP ou une adresse de réseau par ligne<br>exemple (domaine) : domaine.org. - exemple (ip) : 61.54.52.56 - exemple (réseau) : 172.16.0.0/16"; |
$l_record="Enregistrer les modifications"; |
$l_wait="Une fois validées, 10 secondes sont nécessaires pour traiter vos modifications"; |
$l_safe_searching="Activer le contrôle scolaire/parental pour 'YouTube' et pour les moteurs de recherche 'Google', 'Bing' et 'Qwant'."; |
107,7 → 107,7 |
$l_specific_filtering="Specific filtering"; |
$l_allowed_dns="Allowed domain names"; |
$l_add_to_wl="Domain names or IP addresses to add to the whitelist"; |
$l_one_dns_ip="Enter one domain name or one IP address or one network address per row <br>example (domain): .domain.org - example (ip): 61.54.56.52 - example (network) : 172.16.0.0/16"; |
$l_one_dns_ip="Enter one domain name or one IP address or one network address per row <br>example (domain): domain.org. - example (ip): 61.54.56.52 - example (network) : 172.16.0.0/16"; |
$l_record="Save changes"; |
$l_wait="Once validated, 10 seconds are necessary to compute your modifications"; |
$l_safe_searching="Enabling school/parental control for 'YouTube' and for the search engines 'Google', 'Bing' and 'Qwant'"; |
135,127 → 135,137 |
$dir_blacklist=$dir_dg."blacklists/"; |
$dir_wl_ip="/usr/local/share/iptables-wl/"; |
$dir_wl_ip_enabled= "/usr/local/share/iptables-wl-enabled/"; |
$dir_wl_domain_names= "/usr/local/share/dnsmasq-wl/"; |
$dir_wl_domain_names_enabled= "/usr/local/share/dnsmasq-wl-enabled/"; |
$dir_wl_domain_names= "/usr/local/share/unbound-wl/"; |
$dir_wl_domain_names_enabled= "/usr/local/share/unbound-wl-enabled/"; |
$wl_categories=$dir_etc."alcasar-wl-categories"; |
$wl_categories_enabled=$dir_etc."alcasar-wl-categories-enabled"; |
$conf_file=$dir_etc."alcasar.conf"; |
$iptables_safesearch_file=$dir_wl_ip_enabled."ossi-ip-safesearch"; |
$domainfilter_file="/etc/unbound/conf.d/whitelist/domainfilter.conf"; |
$bannedsite_file=$dir_dg."bannedsitelist"; |
$dir_tmp="/tmp/blacklists"; |
$wl_safesearch="off"; |
# default values |
if (is_file ($conf_file)) |
{ |
{ |
$tab=file($conf_file); |
if ($tab) |
{ |
foreach ($tab as $line) |
{ |
foreach ($tab as $line) |
{ |
$field=explode("=", $line); |
if ($field[0] == "PRIVATE_IP") |
{ |
$PRIVATE_IP_MASK=trim($field[1]); |
$tmp = explode("/",$PRIVATE_IP_MASK); |
$PRIVATE_IP=$tmp[0]; |
} |
switch ($field[0]) { |
case 'PRIVATE_IP': |
$PRIVATE_IP_MASK=trim($field[1]); |
$tmp = explode("/",$PRIVATE_IP_MASK); |
$PRIVATE_IP=$tmp[0]; |
break; |
case 'WL_SAFESEARCH': |
if (strtolower(trim($field[1])) == 'on') { |
$wl_safesearch='on'; |
} |
break; |
} |
} |
} |
} |
else { echo "$l_error_open_file $conf_file";} |
if (isset($_POST['choix'])){ $choix=$_POST['choix']; } else { $choix=""; } |
switch ($choix) |
{ |
case 'Download_list' : |
exec ("sudo /usr/local/bin/alcasar-bl.sh --download"); |
break; |
case 'Active_list' : |
exec ("sudo /usr/local/bin/alcasar-bl.sh --adapt"); |
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
break; |
case 'Reject_list' : |
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum"); |
break; |
case 'MAJ_cat_wl' : |
if (file_exists($wl_categories_enabled)) |
{ |
exec("/bin/sed -i \"/^ossi-/!d\" $wl_categories_enabled"); // keep ossi custom categories |
$pointeur=fopen($wl_categories_enabled, "a+"); |
foreach ($_POST as $key => $value) |
case 'Download_list' : |
exec ("sudo /usr/local/bin/alcasar-bl.sh --download"); |
break; |
case 'Active_list' : |
exec ("sudo /usr/local/bin/alcasar-bl.sh --adapt"); |
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
break; |
case 'Reject_list' : |
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum"); |
break; |
case 'MAJ_cat_wl' : |
if (file_exists($wl_categories_enabled)) |
{ |
if (strstr($key,'chk-')) |
exec("/bin/sed -i \"/^ossi-/!d\" $wl_categories_enabled"); // keep ossi custom categories |
$pointeur=fopen($wl_categories_enabled, "a+"); |
foreach ($_POST as $key => $value) |
{ |
$line=str_replace('chk-','',$key)."\n"; |
fwrite($pointeur,$line); |
if (strstr($key,'chk-')) |
{ |
$line=str_replace('chk-','',$key)."\n"; |
fwrite($pointeur,$line); |
} |
} |
fclose($pointeur); |
} |
fclose($pointeur); |
} |
else {echo "$l_error_open_file $wl_categories_enabled";} |
$fichier=fopen($dir_blacklist."ossi-wl/domains","w+"); |
fputs($fichier, form_filter($_POST['OSSI_wl'])); |
fclose($fichier); |
unset($_POST['OSSI_wl']); |
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
break; |
case 'Specific_filtering' : |
$safesearch="-safesearch_off"; ; |
foreach ($_POST as $key => $value) |
{ |
if (strstr($key,'chk-safesearch')) $safesearch="-safesearch_on"; |
} |
exec ("sudo /usr/local/bin/alcasar-url_filter_wl.sh $safesearch"); |
break; |
case 'MAJ_ossi_file' : |
foreach($_POST as $fichier => $value) |
{ |
if($fichier != "choix") |
else {echo "$l_error_open_file $wl_categories_enabled";} |
$fichier=fopen($dir_blacklist."ossi-wl/domains","w+"); |
fputs($fichier, form_filter($_POST['OSSI_wl'])); |
fclose($fichier); |
unset($_POST['OSSI_wl']); |
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
break; |
case 'Specific_filtering' : |
$wl_safesearch='off'; |
foreach ($_POST as $key => $value) |
{ |
$action=$_POST[$fichier]; |
if($action == $l_remove) //delete |
if (strstr($key,'chk-safesearch')) { |
$wl_safesearch='on'; |
} |
} |
exec ("sudo /usr/local/bin/alcasar-url_filter_wl.sh -safesearch_$wl_safesearch"); |
break; |
case 'MAJ_ossi_file' : |
foreach($_POST as $fichier => $value) |
{ |
if($fichier != "choix") |
{ |
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories_enabled"); |
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories"); |
exec("rm -rf ".escapeshellarg("$dir_blacklist$fichier")); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
$action=$_POST[$fichier]; |
if($action == $l_remove) //delete |
{ |
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories_enabled"); |
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories"); |
exec("rm -rf ".escapeshellarg("$dir_blacklist$fichier")); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
} |
if($action == $l_disable) //disable |
{ |
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories_enabled"); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
} |
if($action == $l_enable) //enable |
{ |
file_put_contents($wl_categories_enabled, $fichier."\n", FILE_APPEND); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
} |
} |
if($action == $l_disable) //disable |
} |
break; |
case 'MAJ_ossi_file_upload' : |
$file_name = str_replace (".", "_",basename($_FILES['fichier_ip']['name'])); |
if(!empty($file_name)) |
{ |
$dest_dir = $dir_blacklist."ossi-wl-".$file_name; |
exec("mkdir ".escapeshellarg($dest_dir)); |
$file=$_FILES['fichier_ip']['tmp_name']; |
exec('/usr/bin/dos2unix '.escapeshellarg($file)); |
if(move_uploaded_file($_FILES['fichier_ip']['tmp_name'], $dest_dir."/domains")) |
{ |
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories_enabled"); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
touch ($dest_dir."/urls"); // create the URL file even if it isn't used |
file_put_contents ($wl_categories, $dest_dir."\n", FILE_APPEND); |
file_put_contents ($wl_categories_enabled, "ossi-wl-".$file_name."\n", FILE_APPEND); //Enabled by default |
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
} |
if($action == $l_enable) //enable |
else |
{ |
file_put_contents($wl_categories_enabled, $fichier."\n", FILE_APPEND); |
exec("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
exec("rm -rf ".escapeshellarg($dest_dir)); |
echo $l_error_upload; |
} |
} |
} |
break; |
case 'MAJ_ossi_file_upload' : |
$file_name = str_replace (".", "_",basename($_FILES['fichier_ip']['name'])); |
if(!empty($file_name)) |
{ |
$dest_dir = $dir_blacklist."ossi-wl-".$file_name; |
exec("mkdir ".escapeshellarg($dest_dir)); |
$file=$_FILES['fichier_ip']['tmp_name']; |
exec('/usr/bin/dos2unix '.escapeshellarg($file)); |
if(move_uploaded_file($_FILES['fichier_ip']['tmp_name'], $dest_dir."/domains")) |
{ |
touch ($dest_dir."/urls"); // create the URL file even if it isn't used |
file_put_contents ($wl_categories, $dest_dir."\n", FILE_APPEND); |
file_put_contents ($wl_categories_enabled, "ossi-wl-".$file_name."\n", FILE_APPEND); //Enabled by default |
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload"); |
} |
else |
{ |
exec("rm -rf ".escapeshellarg($dest_dir)); |
echo $l_error_upload; |
} |
} |
break; |
break; |
} |
?> |
<table width="100%" border="0" cellspacing="0" cellpadding="0"> |
269,19 → 279,19 |
<?php |
echo "<center>"; |
// total number of IP, DNS & URLs |
$nbDomainNames = exec("wc -l /usr/local/share/dnsmasq-wl/* | tail -n 1 | awk '{print $1}'"); |
$nbDomainNames = exec("wc -l $dir_wl_domain_names* | tail -n 1 | awk '{print $1}'"); |
$nbUrl = "0"; |
$nbIp = exec("wc -l /usr/local/share/iptables-wl/* | tail -n 1 | awk '{print $1}'"); |
$nbIp = exec("wc -l $dir_wl_ip* | tail -n 1 | awk '{print $1}'"); |
echo "<b>$l_nbDomainNames</b> $nbDomainNames, <b>$l_nbUrl</b> $nbUrl, <b>$l_nbIp</b> $nbIp<br/>"; |
echo "$l_wl_categories</center></td></tr>"; |
//read & display all WL categories (checked or not) |
$cols=1; |
if (file_exists($wl_categories)) |
{ |
{ |
$wl_files = file($wl_categories); |
$wl_files = preg_grep("/ossi-/", $wl_files, 1); // don't display ossi custom categories |
foreach($wl_files as $fichier => $value) |
{ |
{ |
if ($cols == 1) { echo "<tr>";} |
$categorie=trim(basename($value)); |
echo "<td><a href='bl_categories_help.php?liste=wl&cat=$categorie' target='cat_help' onclick=window.open('bl_categories_help.php','cat_help','width=600,height=450,toolbar=no,scrollbars=yes,resizable=yes') title='categories help page'>$categorie</a><br>"; |
293,10 → 303,11 |
$cols++; |
if ($cols > 10) { |
echo "</tr>"; |
$cols=1; } |
$cols=1; |
} |
} |
else { |
} |
else { |
echo "$l_error_open_file $wl_categories"; |
} |
echo "<tr><td valign='middle' align='left' colspan=10>"; |
350,17 → 361,11 |
<FORM action='wl_filter.php' method='POST'> |
<input type='hidden' name='choix' value='Specific_filtering'> |
<tr><td> |
<input type='checkbox' name='chk-safesearch' |
<?php |
// verify "safesearch" filtering state |
if (file_exists($iptables_safesearch_file)) |
{ |
echo " checked"; |
} |
echo "> $l_safe_searching<tr><td>"; |
echo "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_record'></td></tr>"; |
?> |
</FORM> |
<input type='checkbox' name='chk-safesearch' <?= $wl_safesearch == 'on' ? 'checked' : ''; ?>><?= $l_safe_searching; ?> |
</tr></td> |
<tr><td> |
<?= "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_record'>"; ?> |
</td></tr></FORM> |
</TABLE> |
</BODY> |
</HTML> |
/web/acc/phpsysinfo/includes/lang/en.php |
45,13 → 45,13 |
$text['scsi'] = 'SCSI Devices'; |
// |
$text['portail'] = 'General Informations about ALCASAR portal'; |
$text['portail'] = 'General information about ALCASAR portal'; |
$text['portail-version']= 'Installed version'; |
$text['portail-disp'] = 'Available versions'; |
$text['utilisateur'] = 'logged user(s) / tot.'; |
$text['groupe'] = 'Number of group(s)'; |
$text['bl-version'] = 'Updated \'Blacklist\''; |
$text['internet_link'] = "Internet connexion"; |
$text['internet_link'] = "Internet connection"; |
$text['enable'] = "enable"; |
$text['disable'] = "disable"; |
$text['web_antivirus'] = "WEB antivirus"; |
85,7 → 85,7 |
$text['none'] = 'none'; |
$text['capacity'] = 'Capacity'; |
$text['capacity'] = 'Capacity'; |
$text['template'] = 'Template'; |
$text['language'] = 'Language'; |
/web/index.php |
80,12 → 80,12 |
]; |
} |
// Test if it's a direct connexion to ALCASAR |
// Test if it's a direct connection to ALCASAR |
if (isset($_SERVER['HTTP_HOST']) && (($_SERVER['HTTP_HOST'] === $_SERVER['SERVER_ADDR']) || ($_SERVER['HTTP_HOST'] === 'alcasar') || ($_SERVER['HTTP_HOST'] === $hostname) || ($_SERVER['HTTP_HOST'] === $organisme))) { |
$direct_access = true; |
} |
// Function to adapt time connexion in seconds to H,M,S |
// Function to adapt time connection in seconds to H,M,S |
function secondsToDuration($seconds = null){ |
if ($seconds == null) return ""; |
$temp = $seconds % 3600; |
132,7 → 132,7 |
if (isset($_GET['url'])) { // it's the second stage (when user has clicked on the button "open a connection") |
$redir = 'http://'.$_GET['url']; |
header("Location: $redir", true, 307); |
exit(); |
exit(); |
} |
} |
224,7 → 224,7 |
$l_service_sms = "SMS service enable"; |
$l_service_sms_n = "SMS service disable"; |
$l_acc_sms = "Auto registration by SMS"; |
$l_explain_warn = "El administrador ha creado un archivo que contiene los periódicos de inicio de sesión como parte de un proceso judicial."; |
$l_explain_warn = "El administrador ha creado un archivo que contiene los periódicos de inicio de sesión como parte de un proceso judicial."; |
if (isset($_GET['url'])) { |
$l_continue_link = "<a href=\"index.php?redirect=1&url=".urlencode($_GET['url'])."\" class=\"button\">Lo comprendo y deseo continuar mi navegación.</a>"; |
} else { |
360,22 → 360,22 |
$l_explain_access_deny = "You try to connect to a resource whose content is deemed to contain inappropriate information."; |
$l_explain_net_pb = "Your portal has just detected that the Internet access is down"; |
$l_contact_access_deny = "Contact your security system manager if you think this filtering is abusive."; |
$l_contact_net_pb = "Contact your network responsive or your Internet provider for more information"; |
$l_contact_net_pb = "Contact your network responsive or your Internet provider for further information."; |
$l_sms_access = "<a href=\"//$hostname/autoregistrationinfo.php\">Auto Registration by SMS</a>"; |
$l_install_certif = "Install ALCASAR AC Certificate"; |
$l_install_certif_more = "Install ALCASAR AC Certificate"; |
$l_certif_explain = "Allow secure data exchange between your computer and ALCASAR portal.<BR>If this certificate isn't incorporated in your computer, some security alerts should appear in your browser.<br><br>"; |
$l_certif_explain_help = "<a href=\"alcasar-certificat.pdf\" target=\"_blank\">Complementary help</a>"; |
$l_category = "category :"; |
$l_category = "category:"; |
if (!$user->connected) { |
$l_logout_explain = "No Internet consultation session is actualy open on your system"; |
$l_logout_explain = "No Internet consultation session is currently open on your system"; |
$l_logout = "<a href=\"//$hostname/index.php?url=$redirect_link\">Open an Internet session</a>"; |
} else { |
if ($user->username != $user->mac) { // authentication exception or not |
$l_logout_explain = "Close the session of the user currently connected.<br> User logged-on : <a href=\"$logout_link\" title=\"Disconnect user $user->username\"><b>$user->username</b></a><br><br>$nb_connection_history last connections :$connection_history"; |
$l_logout = "<a href=\"$logout_link\">Logoff from internet</a>"; |
$l_logout_explain = "Close the session of the currently logged-in user.<br> User logged-on: <a href=\"$logout_link\" title=\"Disconnect user $user->username\"><b>$user->username</b></a><br><br>$nb_connection_history last connections:$connection_history"; |
$l_logout = "<a href=\"$logout_link\">Logoff from the internet</a>"; |
} else { |
$l_logout_explain = "Your system ($user->username) is in exception of authentication.<br><br>$nb_connection_history Last logins :$connection_history"; |
$l_logout_explain = "Your system ($user->username) is in exception of authentication.<br><br>$nb_connection_history Last logins:$connection_history"; |
$l_logout = "Connections information"; |
} |
} |
394,10 → 394,10 |
} |
$l_title_warn="Dear user,"; |
$l_explain_warn_name="Someone called "; |
$l_explain_warn_ip="with this IP : "; |
$l_explain_warn_date="has read your connexion logs at "; |
$l_explain_warn_reason="For this reason : "; |
$l_uam_domain = "Authorized websites : "; |
$l_explain_warn_ip="with this IP: "; |
$l_explain_warn_date="has read your connection logs at "; |
$l_explain_warn_reason="For this reason: "; |
$l_uam_domain = "Authorized websites: "; |
} |
$l_title = ($direct_access ? $l_access_welcome : ($network_pb ? $l_access_unavailable : $l_access_denied)); |
461,16 → 461,12 |
// Search blacklist categories |
if ((!$direct_access) && (!$network_pb) && (!isset($_GET['warn']))) { |
$pattern = str_replace('www.', '', $_SERVER['HTTP_HOST']); |
$output = []; |
exec('grep -Re ' . escapeshellarg('^'.$pattern.'$') . " /etc/e2guardian/lists/blacklists/*/domains | cut -d'/' -f6", $output); |
$lists = []; |
foreach ($output as $line) { |
$lists[] = $line; |
} |
$categories = []; |
exec('grep -Re ' . escapeshellarg('^'.$pattern.'$') . " /etc/e2guardian/lists/blacklists/*/domains | cut -d'/' -f6", $categories); |
$filteredUrlHtml = $l_required_domain.' : '.htmlspecialchars($_SERVER['HTTP_HOST']); |
if (!empty($lists)) { |
$filteredUrlHtml .= "<br>$l_category ".implode(', ', $lists); |
if (!empty($categories)) { |
$filteredUrlHtml .= "<br>$l_category ".implode(', ', $categories); |
} |
} |
564,7 → 560,7 |
<div class="div-cache" id="text_certif"> |
<h2><a href="<?= $certCa_link ?>"><?= $l_install_certif_more ?></a></h2> |
<p><?= "$l_certif_explain $l_certif_explain_help" ?></p> |
<img src="<?= $img_rep.$img_certificate ?>"> |
<img src="<?= $img_rep.$img_certificate ?>"> |
</div> |
<div class="div-cache" id="text_mdp"> |
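Review bot: In the `// Search blacklist categories` hunk the value derived from `$_SERVER['HTTP_HOST']` is still handed to grep as a regular expression (`-e '^…$'`); escapeshellarg() rules out shell injection, but regex metacharacters in the Host header (`.`, `*`, `[`) are interpreted by grep, so a request with an unusual Host can match more blacklist entries than the literal domain and widens the search over the whole blacklist tree. A fixed-string, whole-line match expresses the intent exactly and needs no anchors: `exec('grep -RFx -e ' . escapeshellarg($pattern) . " /etc/e2guardian/lists/blacklists/*/domains | cut -d'/' -f6", $categories);`. Collapsing the former `$output`/`$lists` copy loop into the single `$categories` array is fine; note only that `str_replace('www.', '', …)` strips `www.` wherever it occurs in the host, not just as the leading label, which `preg_replace('/^www\./', '', …)` would state more precisely.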
/web/language/alcasar-fr.txt |
369,7 → 369,7 |
$l_e2guardian = "Filtre d'URL et de contenu WEB"; |
$l_mysqld = "Serveur de la base de données usager"; |
$l_squid = "Serveur de cache WEB"; |
$l_dnsmasq = "Serveur DNS et filtre de domaine"; |
$l_unbound = "Serveur DNS et filtre de domaine"; |
$l_httpd = "Serveur WEB (Centre de Gestion d'ALCASAR)"; |
$l_havp = "Filtre antivirus WEB"; |
$l_sshd = "Accès sécurisée à distance"; |