/alcasar.sh |
---|
1290,22 → 1290,19 |
# Enable clamd scanner |
$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf |
# Adapt the first group conf file |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
# Reporting (deny page) in HTML |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf |
###### ALCASAR special filtering #### |
# RAZ bannedphraselist |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not) |
# Disable URL control with regex |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not) |
# Adapt the first group conf file |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
# Reporting (deny page) in HTML |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
# Copy the fist group conf file to the second |
cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf2.conf |
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... |
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default |
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
1320,12 → 1317,10 |
[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default |
touch $DIR_DG/lists/exceptioniplist |
# Creation of ALCASAR banned site list |
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default |
cat <<EOF > $DIR_DG/lists/bannedsitelist |
[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default |
cat <<EOF > $DIR_DG/lists/greysitelist |
# E2guardian filter config for ALCASAR |
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound) |
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée) |
#** |
# block all SSL and CONNECT tunnels |
**s |
# block all SSL and CONNECT tunnels specified only as an IP |
1354,6 → 1349,13 |
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist |
# change the google safesearch ("safe=strict" instead of "safe=vss") |
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist |
# Create & adapt the second group conf file (av + av_wl) |
cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf |
$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf |
$SED "s/^groupname =.*/groupname = 'antimalware & whitelested users'/g" $DIR_DG/e2guardianf2.conf |
$SED "s/\/lists\/bannedurllist'/urllist = 'name=banned,messageno=501,path=\/etc\/e2guardian\/lists\/bannedurllist.default'/g" $DIR_DG/e2guardianf2.conf # no banned urls |
# create log folder |
mkdir -p /var/log/e2guardian |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian |
1366,8 → 1368,15 |
antivirus() |
{ |
# Clamd adaptation to e2guardian |
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default |
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service |
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service |
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default |
$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf |
$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf |
$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message |
$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf |
$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf |
chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav |
chmod 775 /var/log/clamav /var/lib/clamav |
chmod 664 /var/log/clamav/* |
1376,9 → 1385,8 |
$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf |
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf |
$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf |
$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf |
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam |
$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf |
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf |
# update now |
/usr/bin/freshclam --no-warnings --quiet |
} # End of antivirus() |
2171,7 → 2179,7 |
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub |
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx|vbox"` # test if in VM |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM |
if [ $vm_vga == 0 ] # is not a VM |
then |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art |
/scripts/alcasar-activity_report.sh |
---|
419,21 → 419,24 |
echo "Create AV logs since the installation of ALCASAR" |
#decompress every logs, if they exist |
if [ "$(ls -1 /var/log/havp/access.log.*.gz 2>/dev/null | wc -l)" -ge 1 ] |
if [ "$(ls -1 /var/log/clamav/clamd.log.*.gz 2>/dev/null | wc -l)" -ge 1 ] |
then |
gunzip -d access.log.*.gz |
gunzip -d clamd.log.*.gz |
fi |
for FILE in /var/log/havp/access.log* |
for FILE in /var/log/clamav/clamd.log* |
do |
while read LINE_AV |
do |
Y=$(echo $LINE_AV | cut -d' ' -f1) |
M=$(echo $LINE_AV | cut -d' ' -f2) |
D=$(echo $LINE_AV | cut -d' ' -f3) |
H=$(echo $LINE_AV | cut -d' ' -f4) |
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s") |
echo $CURRENT_TS >> $TMP_AV |
if [ "`echo $LINE_AV|grep -c FOUND`" == 1 ] |
then |
Y=$(echo $LINE_AV | cut -d' ' -f5) |
M=$(echo $LINE_AV | cut -d' ' -f2) |
D=$(echo $LINE_AV | cut -d' ' -f3) |
H=$(echo $LINE_AV | cut -d' ' -f4) |
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s") |
echo $CURRENT_TS >> $TMP_AV |
fi |
done < $FILE |
done |
692,9 → 695,9 |
mv "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" /var/Save/activity_report/ |
#compress every logs, if they exist |
if [ "$(ls -1 /var/log/havp/access.log.* 2>/dev/null | wc -l)" -ge 1 ] |
if [ "$(ls -1 /var/log/clamav/clamd.log.* 2>/dev/null | wc -l)" -ge 1 ] |
then |
gzip /var/log/havp/access.log.* |
gzip /var/log/clamav/clamd.log.* |
fi |
#compress every logs |
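Review bot: In hunk 419 the existence check now looks at `/var/log/clamav/clamd.log.*.gz`, but the new `gunzip -d clamd.log.*.gz` on the next line is relative, so unless the script has already cd'ed into /var/log/clamav (not visible here) the decompression acts on the current directory instead; use `gunzip -d /var/log/clamav/clamd.log.*.gz`. The timestamp extraction is also only half adapted: `Y=$(echo $LINE_AV | cut -d' ' -f1)` still takes field 1, which in clamd's `Thu Sep  5 10:23:45 2019 -> ...` layout is the weekday (GNU date then falls back to the current year), while the FOUND branch reads the year from field 5 — the first block presumably wants `cut -d' ' -f5` as well. Note too that every clamd line (SelfCheck, database reloads, ...) is appended to $TMP_AV before the FOUND test, so if $TMP_AV is meant to count detections the unconditional append should go; what $TMP_AV feeds is outside this hunk.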
/scripts/alcasar-condown.sh |
---|
29,12 → 29,12 |
filter=$(echo "$db_res" | awk '$1 == "Alcasar-Filter" { print $2 }') |
filterProto=$(echo "$db_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }') |
if [ "$filter" == '4' ]; then # HAVP_WL |
set_filter="havp_wl" |
elif [ "$filter" == '3' ]; then # HAVP_BL |
set_filter="havp_bl" |
elif [ "$filter" == '2' ]; then # HAVP |
set_filter="havp" |
if [ "$filter" == '4' ]; then # AV_WL |
set_filter="av_wl" |
elif [ "$filter" == '3' ]; then # AV_BL |
set_filter="av_bl" |
elif [ "$filter" == '2' ]; then # AV |
set_filter="av" |
else # NOT_FILTERED |
set_filter="not_filtered" |
fi |
53,7 → 53,7 |
ipset del $set_filterProto $FRAMED_IP_ADDRESS |
# Remove IP address from active users |
current_users_file="/var/tmp/havp/current_users.txt" |
current_users_file="/tmp/current_users.txt" |
[ -e $current_users_file ] && sed -i "/^$FRAMED_IP_ADDRESS:/d" $current_users_file |
# Debug : show all the coova parse variables (+ $set_filter + $set_filterProto). |
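Review bot: `current_users_file="/tmp/current_users.txt"` (hunk 53) moves a file that privileged scripts edit with `sed -i` here and create with `touch` + `chown apache:apache` in alcasar-conup.sh (hunk 55), and that status.php, still_connected.php and alcasar-watchdog.sh read or act on, into the world-writable /tmp under a fixed name. Any local account on the box can create /tmp/current_users.txt before the first connection; the `[ ! -e ]` guard in conup then skips the touch/chown, the later `echo >>` and `sed -i` operate on a file that account owns and can edit, and the `ip:PERM` entries status.php and the watchdog trust can be seeded from outside the scripts (fs.protected_symlinks blunts the symlink variant, not this one). A dedicated directory created by the installer (owner apache, mode 0750, e.g. under /run or /var/lib) avoids it, and the path should be quoted wherever it is expanded, e.g. `[ -e "$current_users_file" ] && sed -i "/^$FRAMED_IP_ADDRESS:/d" "$current_users_file"`. The same path change appears in the conup, watchdog, status.php and still_connected.php sections of this commit; I raise it once here.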
/scripts/alcasar-conup.sh |
---|
31,12 → 31,12 |
filterProto=$(echo "$db_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }') |
statusOpenRequired=$(echo "$db_res" | awk '$1 == "Alcasar-Status-Page-Must-Stay-Open" { print $2 }') |
if [ "$filter" == '4' ]; then # HAVP_WL |
set_filter="havp_wl" |
elif [ "$filter" == '3' ]; then # HAVP_BL |
set_filter="havp_bl" |
elif [ "$filter" == '2' ]; then # HAVP |
set_filter="havp" |
if [ "$filter" == '4' ]; then # AV_WL |
set_filter="av_wl" |
elif [ "$filter" == '3' ]; then # AV_BL |
set_filter="av_bl" |
elif [ "$filter" == '2' ]; then # AV |
set_filter="av" |
else # NOT_FILTERED |
set_filter="not_filtered" |
fi |
55,7 → 55,7 |
ipset add $set_filterProto $FRAMED_IP_ADDRESS |
# Add user IP permanently to current_users.txt if no status_open_required |
current_users_file="/var/tmp/havp/current_users.txt" |
current_users_file="/tmp/current_users.txt" |
[ ! -e $current_users_file ] && touch $current_users_file && chown apache:apache $current_users_file |
if [ "$statusOpenRequired" == '2' ]; then # no status_open_required |
echo "$FRAMED_IP_ADDRESS:PERM" >> $current_users_file |
/scripts/alcasar-flush_ipset_wl.sh |
---|
4,7 → 4,7 |
#Clean wl_ip_allowed ipset when WL users are gone. |
PTN="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" |
NB_USERS=$(ipset list havp_wl | grep -E $PTN | wc -l) |
NB_USERS=$(ipset list av_wl | grep -E $PTN | wc -l) |
if [ $NB_USERS -eq '0' ] |
then |
/sbin/ipset flush wl_ip_allowed |
/scripts/alcasar-iptables.sh |
---|
45,7 → 45,7 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side) |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # Site Direct (no havp and no filtrage) for user BL |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
# Allow requests to internal DNS if activated |
if [ "$INT_DNS_ACTIVE" = "on" ] |
59,9 → 59,9 |
if [ $? -eq 0 ]; |
then |
ipset save not_filtered > $TMP_users_set_save |
ipset save havp >> $TMP_users_set_save |
ipset save havp_bl >> $TMP_users_set_save |
ipset save havp_wl >> $TMP_users_set_save |
ipset save av >> $TMP_users_set_save |
ipset save av_bl >> $TMP_users_set_save |
ipset save av_wl >> $TMP_users_set_save |
ipset save proto_0 >> $TMP_users_set_save |
ipset save proto_1 >> $TMP_users_set_save |
ipset save proto_2 >> $TMP_users_set_save |
122,7 → 122,7 |
ipset -q del bl_ip_blocked $ip |
done |
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés |
# ipset for exception web sites (usefull for filtered users = av_bl) |
ipset create site_direct hash:net hashsize 1024 |
for site in $(cat $SITE_DIRECT) |
do |
150,9 → 150,9 |
rm -f $TMP_users_set_save |
else |
ipset create not_filtered hash:ip hashsize 1024 |
ipset create havp hash:ip hashsize 1024 |
ipset create havp_bl hash:ip hashsize 1024 |
ipset create havp_wl hash:ip hashsize 1024 |
ipset create av hash:ip hashsize 1024 |
ipset create av_bl hash:ip hashsize 1024 |
ipset create av_wl hash:ip hashsize 1024 |
# pour les filtrages de protocole par utilisateur / For network protocols filtering by user |
ipset create proto_0 hash:ip hashsize 1024 |
ipset create proto_1 hash:ip hashsize 1024 |
166,22 → 166,22 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules |
# 8080 = ipset havp_bl |
# 8080 = ipset av_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
# 8090 = ipset havp_wl + havp |
# 8090 = ipset av_wl + av |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2 |
# 8443 = tranparent HTTPS for ipsets havp_bl + havp_wl + havp |
# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6 |
# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT |
# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules |
# 54 = ipset havp_bl |
# 54 = ipset av_bl |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3 |
# 55 = ipset havp_wl |
# 55 = ipset av_wl |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4 |
# 56 = blackall |
190,12 → 190,12 |
# redirection DNS des usagers |
# users DNS redirection |
# 54 = ipset havp_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p udp --dport domain -j REDIRECT --to-port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p tcp --dport domain -j REDIRECT --to-port 54 |
# 55 = ipset havp_wl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p udp --dport domain -j REDIRECT --to-port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p tcp --dport domain -j REDIRECT --to-port 55 |
# 54 = ipset av_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54 |
# 55 = ipset av_wl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55 |
# 53 = all other users |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53 |
202,29 → 202,29 |
# Redirection des requêtes HTTP des usagers vers E2guardian |
# Redirect outbound users HTTP requests to E2guardian |
# 8080 = ipset havp_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# 8090 = ipset havp_wl & havp |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
# 8080 = ipset av_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# 8090 = ipset av_wl & av |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
# Redirection des requêtes HTTPS sortantes des usagers havp_bl + havp_wl + havp vers E2Guardian |
# Redirect outbound HTTPS requests of havp_bl + havp_wl + havp users to E2Guardian |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian |
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT " |
# Journalisation HTTP_Internet des usagers 'av_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
# Log Internet HTTP of 'av_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT " |
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection HTTP des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'av_wl' users who want IP not in the WL to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection des requêtes NTP vers le serveur NTP local |
# Redirect NTP request in local NTP server |
265,9 → 265,9 |
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # havp_bl |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # havp_wl+havp |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # havp_bl+havp_wl+havp |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av |
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian |
# Allow HTTP connections to E2Guardian |
286,10 → 286,10 |
# On autorise les connexion DNS légitime |
# Allow DNS connections |
# ipset = havp_bl |
# ipset = av_bl |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT |
# ipset = havp_wl |
# ipset = av_wl |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT |
# blackall |
342,11 → 342,11 |
# FORWARD # |
############################# |
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl |
# Deny IPs of the SET bl_ip_blocked for the set havp_bl |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl |
# Deny IPs of the SET bl_ip_blocked for the set av_bl |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
# Active le suivi de session |
# Allow Conntrack |
420,9 → 420,9 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable |
fi |
# Blocage des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL |
# Block 'havp_wl' users who want IP not in the WL |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -j DROP |
# Blocage des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL |
# Block 'av_wl' users who want IP not in the WL |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -j DROP |
# journalisation et autorisation des connections sortant du LAN |
# Allow forward connections with log |
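Review bot: After the rename to av/av_bl/av_wl nothing in this script creates those sets on a host whose running kernel still holds the old havp* sets: the `ipset save av* >> $TMP_users_set_save` lines of hunk 59 run only when the check above them succeeds (its command is outside the hunk, presumably a test on an existing set), and the `ipset create av* hash:ip hashsize 1024` lines of hunk 150 sit in the else branch. On an in-place upgrade without reboot the saves would fail and every later rule using `--match-set av_bl src` / `av_wl src` / `av src` (hunks 190, 202, 342, 420) would be rejected by iptables with "Set ... doesn't exist", leaving those users unredirected to E2Guardian and the wl_ip_allowed DROP rule absent — a fail-open, if my reading of the branch structure is right. If such upgrades are supported, create the sets idempotently before the rules, e.g. `ipset -exist create av hash:ip hashsize 1024` (and av_bl, av_wl) in the save branch too, or migrate with `ipset rename havp av` and friends in the upgrade path.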
/scripts/alcasar-uninstall.sh |
---|
109,7 → 109,7 |
[ -e /etc/e2guardian/lists/bannedextensionlist.default ] && mv /etc/e2guardian/lists/bannedextensionlist.default /etc/e2guardian/lists/bannedextensionlist && echo -n "8, " |
[ -e /etc/e2guardian/lists/bannedmimetypelist.default ] && mv /etc/e2guardian/lists/bannedmimetypelist.default /etc/e2guardian/lists/bannedmimetypelist && echo -n "9, " |
[ -e /etc/e2guardian/lists/exceptioniplist.default ] && mv /etc/e2guardian/lists/exceptioniplist.default /etc/e2guardian/lists/exceptioniplist && echo -n "10, " |
[ -e /etc/e2guardian/lists/bannedsitelist.default ] && mv /etc/e2guardian/lists/bannedsitelist.default /etc/e2guardian/lists/bannedsitelist && echo -n "11, " |
[ -e /etc/e2guardian/lists/greysitelist.default ] && mv /etc/e2guardian/lists/greysitelist.default /etc/e2guardian/lists/greysitelist && echo -n "11, " |
[ -e /etc/e2guardian/lists/bannedurllist.default ] && mv /etc/e2guardian/lists/bannedurllist.default /etc/e2guardian/lists/bannedurllist && echo -n "12, " |
[ -e /etc/e2guardian/lists/exceptionsitelist.default ] && mv /etc/e2guardian/lists/exceptionsitelist.default /etc/e2guardian/lists/exceptionsitelist && echo -n "13, " |
[ -e /etc/e2guardian/lists/exceptionurllist.default ] && mv /etc/e2guardian/lists/exceptionurllist.default /etc/e2guardian/lists/exceptionurllist && echo -n "14, " |
118,9 → 118,10 |
antivirus () |
{ |
echo -en "(2) : " |
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "1, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "2" |
echo -en "(3) : " |
[ -e /lib/systemd/system/clamav-daemon.service.default ] && mv /lib/systemd/system/clamav-daemon.service.default /lib/systemd/system/clamav-daemon.service && echo -n "1, " |
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "2, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "3" |
} |
ulogd () |
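Review bot: antivirus() now restores clamav-daemon.service, clamd.conf and freshclam.conf (hunk 118), but the installer's antivirus() (alcasar.sh hunk 1366) also ran `chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav` plus `chmod 775`/`664`, and nothing here reverts that; once freshclam.conf is back to the package default DatabaseOwner, the packaged clamav user may no longer be able to write the signature database in /var/lib/clamav. Consider restoring ownership alongside the config files, e.g. `chown -R <package clamav user>: /var/lib/clamav /var/log/clamav` (placeholder: use the owner the clamav package ships with), so the uninstall leaves a working ClamAV behind. The function is fully visible in the hunk.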
/scripts/alcasar-watchdog.sh |
---|
19,7 → 19,7 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24} |
PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1` # @ip du portail (côté LAN) |
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1} |
current_users_file="/var/tmp/havp/current_users.txt" # file containing active users with their "status.php" tab open |
current_users_file="/tmp/current_users.txt" # file containing active users with their "status.php" tab open |
DIR_WEB="/var/www/html" |
Index_Page="$DIR_WEB/index.php" |
IPTABLES="/sbin/iptables" |
132,7 → 132,7 |
sed -i "/^$active_ip:$cmp_user_ok\$/d" $current_users_file |
fi |
else # "current_user.txt" does not exists. We disconnect every users. |
logger -t alcasar-watchdog "The file /var/tmp/havp/current_users.txt doen't' exist. We disconnects the user $active_user" |
logger -t alcasar-watchdog "The file /tmp/current_users.txt doesn't' exist. We disconnects the user $active_user" |
/usr/sbin/chilli_query logout $active_mac |
fi |
fi |
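Review bot: The relocated `/tmp/current_users.txt` (hunk 19) lives in a directory that on many systemd-based distributions is a tmpfs and is age-purged by systemd-tmpfiles, so the file can disappear between writes; when it does, the else branch of hunk 132 takes the "file does not exist" path and calls `chilli_query logout` for every active user, turning a routine /tmp cleanup into a mass disconnect. A directory outside /tmp (e.g. under /run with a tmpfiles.d entry, or /var/lib) avoids that; at minimum the branch deserves a comment stating that a missing file disconnects everyone by design. The new log line also carries a stray quote and a grammar slip: `logger -t alcasar-watchdog "The file /tmp/current_users.txt doesn't exist. We disconnect the user $active_user"`.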
/web/acc/about.htm |
---|
87,7 → 87,7 |
<TD align="center"><A HREF="javascript:ouvrir('https://sourceforge.net/projects/ipt-netflow')"><img border="0" src="/images/footer_netflow.png"></A></TD> |
<TD align="center"><A HREF="javascript:ouvrir('https://www.clamav.net')"><img border="0" src="/images/footer_clamav.png"></A></TD> |
<TD align="center"><A HREF="javascript:ouvrir('http://www.netfilter.org')"><img border="0" src="/images/footer_netfilter.png"></A></TD> |
<TD align="center"><A HREF="javascript:ouvrir('http://www.havp.org')"><img border="0" src="/images/footer_havp.png"></A></TD> |
<TD align="center"><A HREF="javascript:ouvrir('http://www.wammu.eu')"><img border="0" src="/images/footer_gammu.png"></A></TD> |
<TD align="center"><A HREF="javascript:ouvrir('http://e2guardian.org')"><img border="0" src="/images/footer_e2guardian.png"></A></TD> |
<TD align="center"><A HREF="javascript:ouvrir('http://thekelleys.org.uk/dnsmasq/doc.html')"><img border="0" src="/images/footer_dnsmasq.png"></A></TD> |
</TR> |
/web/acc/manager/htdocs/group_new.php |
---|
459,9 → 459,9 |
echo "<select name=\"$name\">"; |
echo "<option value=\"\"></option>"; |
echo "<option value=\"1\">$l_filtering_none</option>"; |
echo "<option value=\"2\">$l_filtering_havp</option>"; |
echo "<option value=\"3\">$l_filtering_havp_bl</option>"; |
echo "<option value=\"4\">$l_filtering_havp_wl</option>"; |
echo "<option value=\"2\">$l_filtering_av</option>"; |
echo "<option value=\"3\">$l_filtering_av_bl</option>"; |
echo "<option value=\"4\">$l_filtering_av_wl</option>"; |
echo "</select>"; |
break; |
case 'Alcasar-Protocols-Filter' : |
/web/acc/manager/htdocs/security.php |
---|
9,7 → 9,7 |
if ($language === 'fr') { |
$l_title = 'Sécurité'; |
$l_spoofing = "Adresse(s) MAC usurpée(s) (Watchdog)"; |
$l_virus = "Virus bloqué(s) (HAVP)"; |
$l_virus = "Virus bloqué(s) (CLAMAV)"; |
$l_fail2ban = "Adresse(s) IP bloquée(s) (Fail2Ban)"; |
$l_ipAddress="Adresse IP"; |
$l_user = "L'utilisateur"; |
18,7 → 18,7 |
} else { |
$l_title = 'Security'; |
$l_spoofing = "MAC address spoofed (Watchdog)"; |
$l_virus = "Virus blocked (HAVP)"; |
$l_virus = "Virus blocked (CLAMAV)"; |
$l_fail2ban = "IP address blocked (Fail2Ban)"; |
$l_ipAddress="IP address"; |
$l_user = "User"; |
101,7 → 101,7 |
</div> |
<?php |
} else if ($tab === 2) { |
$filePath = '/var/log/havp/access.log'; |
$filePath = '/var/log/clamav/clamd.log'; |
$lines = file($filePath); |
if ($lines === false) { |
exit("Cannot open '$filePath'."); |
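Review bot: Switching `$filePath` to /var/log/clamav/clamd.log (hunk 101) changes the line layout the rest of tab 2 has to parse — HAVP's access.log and clamd's `Thu Sep  5 10:23:45 2019 -> ... FOUND` lines do not share a format — and the parsing code that follows `file($filePath)` is outside this hunk, so it should be checked against a real clamd.log rather than assumed to carry over. Readability by the web server now also depends on the installer's `chown -R e2guardian:e2guardian /var/log/clamav` and `chmod 664` (alcasar.sh hunk 1366) surviving rotation, which the same hunk enables with `LogRotate yes`; a rotated-in file created under clamd's own umask may not be world-readable, and the page then exits with "Cannot open". Worth a comment on the `$filePath` line naming that dependency, e.g. `// clamd.log must stay readable by the web server (set by alcasar.sh antivirus()); clamd's LogRotate may reset its mode`.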
/web/acc/manager/htdocs/user_edit.php |
---|
311,11 → 311,11 |
break; |
case 'Alcasar-Filter' : |
if ($val === '4') { |
$grp_filter = $l_filtering_havp_wl; |
$grp_filter = $l_filtering_av_wl; |
} else if ($val === '3') { |
$grp_filter = $l_filtering_havp_bl; |
$grp_filter = $l_filtering_av_bl; |
} else if ($val === '2') { |
$grp_filter = $l_filtering_havp; |
$grp_filter = $l_filtering_av; |
} else if ($val === '1') { |
$grp_filter = $l_filtering_none; |
} else { |
780,9 → 780,9 |
echo "<select name=\"$name1\">"; |
echo "<option value=\"\"".(($val === '') ? ' selected' : '')."></option>"; |
echo "<option value=\"1\"".(($val === '1') ? ' selected' : '').">$l_filtering_none</option>"; |
echo "<option value=\"2\"".(($val === '2') ? ' selected' : '').">$l_filtering_havp</option>"; |
echo "<option value=\"3\"".(($val === '3') ? ' selected' : '').">$l_filtering_havp_bl</option>"; |
echo "<option value=\"4\"".(($val === '4') ? ' selected' : '').">$l_filtering_havp_wl</option>"; |
echo "<option value=\"2\"".(($val === '2') ? ' selected' : '').">$l_filtering_av</option>"; |
echo "<option value=\"3\"".(($val === '3') ? ' selected' : '').">$l_filtering_av_bl</option>"; |
echo "<option value=\"4\"".(($val === '4') ? ' selected' : '').">$l_filtering_av_wl</option>"; |
echo "</select>"; |
break; |
case 'Alcasar-Protocols-Filter' : |
/web/acc/manager/htdocs/user_new.php |
---|
463,9 → 463,9 |
echo "<select name=\"$name\">"; |
echo "<option value=\"\"></option>"; |
echo "<option value=\"1\">$l_filtering_none</option>"; |
echo "<option value=\"2\">$l_filtering_havp</option>"; |
echo "<option value=\"3\">$l_filtering_havp_bl</option>"; |
echo "<option value=\"4\">$l_filtering_havp_wl</option>"; |
echo "<option value=\"2\">$l_filtering_av</option>"; |
echo "<option value=\"3\">$l_filtering_av_bl</option>"; |
echo "<option value=\"4\">$l_filtering_av_wl</option>"; |
echo "</select>"; |
break; |
case 'Alcasar-Protocols-Filter' : |
/web/acc/manager/lib/langues.php |
---|
114,9 → 114,9 |
$l_createTicketsMSG = "Saisissez le nombre d\'utilisateurs à créer"; |
$l_filtering = "Filtrage de domaines et antiviral "; |
$l_filtering_none = "Aucun"; |
$l_filtering_havp = "Antivirus web"; |
$l_filtering_havp_bl = "Antivirus web + Blacklist"; |
$l_filtering_havp_wl = "Antivirus web + Whitelist"; |
$l_filtering_av = "Antivirus web"; |
$l_filtering_av_bl = "Antivirus web + Blacklist"; |
$l_filtering_av_wl = "Antivirus web + Whitelist"; |
$l_user_exists = "existe déjà !"; |
$l_created = "a été correctement créé"; |
$l_removed = "a été supprimé"; |
240,9 → 240,9 |
$l_createTicketsMSG = "Enter the number of users to create"; |
$l_filtering = "Antivirus & domain Filtering"; |
$l_filtering_none = "None"; |
$l_filtering_havp = "WEB Antivirus"; |
$l_filtering_havp_bl = "Blacklist + WEB antivirus"; |
$l_filtering_havp_wl = "Whitelist + WEB antivirus"; |
$l_filtering_av = "WEB Antivirus"; |
$l_filtering_av_bl = "Blacklist + WEB antivirus"; |
$l_filtering_av_wl = "Whitelist + WEB antivirus"; |
$l_user_exists = "already exists !"; |
$l_created = "has been correctly created"; |
$l_removed = "has been removed"; |
/web/acc/phpsysinfo/phpsysinfo.ini |
---|
296,7 → 296,7 |
; Hide mounts |
; Example : HIDE_MOUNTS="/home,/usr" |
; |
; HIDE_MOUNTS="/dev,/dev/shm,/run,/run/user/0,/var/tmp/havp,/sys/fs/cgroup" |
; HIDE_MOUNTS="/dev,/dev/shm,/run,/run/user/0,/sys/fs/cgroup" |
HIDE_MOUNTS="" |
/web/images/footer_havp.png |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = image/png |
Property changes: |
Deleted: svn:mime-type |
-image/png |
\ No newline at end of property |
/web/images/footer_gammu.png |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = image/png |
Property changes: |
Added: svn:mime-type |
+image/png |
\ No newline at end of property |
/web/status.php |
---|
315,7 → 315,7 |
} |
} |
$filename = '/var/tmp/havp/current_users.txt'; |
$filename = '/tmp/current_users.txt'; |
$user_needKeepOpen = (preg_match("/^$remote_ip:PERM/m", file_get_contents($filename)) === 0); |
} |
/web/still_connected.php |
---|
1,7 → 1,7 |
<?php |
// store user @IP who can join this page (still have their status.php tab open) in a file. |
$filename = '/var/tmp/havp/current_users.txt'; |
$filename = '/tmp/current_users.txt'; |
$user_ip = $_SERVER['REMOTE_ADDR']; |
$isConnected = exec('sudo /usr/sbin/chilli_query list | awk '.escapeshellarg('($2 == "'.$user_ip.'") {print $5}')); |