WebSVN – ALCASAR – Diff – /scripts/alcasar-watchdog.sh


#!/bin/bash
# $Id: alcasar-watchdog.sh 1867 2016-05-04 12:22:08Z raphael.pion $
 
# alcasar-watchdog.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
# Ce script prévient les usagers de l'indisponibilité de l'accès Internet
# il déconnecte les usagers dont
# - les équipements réseau ne répondent plus
# - les adresses MAC sont usurpées
# This script tells users that Internet access is down
# it logs out users whose 
# - PCs are quiet
# - MAC address is used by other systems (usurped)
 
CONF_FILE="/usr/local/etc/alcasar.conf"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`			# EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`			# INTernal InterFace
private_ip_mask=`grep PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1`      # @ip du portail (côté LAN)
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}
tmp_file="/tmp/watchdog.txt"
DIR_WEB="/var/www/html"
Index_Page="$DIR_WEB/index.php"
IPTABLES="/sbin/iptables"
TUNIF="tun0"						# listen device for chilli daemon
OLDIFS=$IFS
IFS=$'\n'
 
function lan_down_alert ()
# users are redirected on ALCASAR IP address if a LAN problem is detected
{
	case $LAN_DOWN in
	"1")
		logger "$EXTIF (WAN card) link down"
		echo "$EXTIF (WAN card) link down"
		/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page
		;;
	"2")
		logger "can't contact the default router"
		echo "can't contact the default router"
		/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page
		;;
	esac
	net_pb=`grep "network_pb = True;" $Index_Page|wc -l`
	if [ $net_pb = "0" ] # user alert (only the first time)	
		then
		/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page
		$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56
	fi
}
 
function lan_test ()
# LAN connectiivity testing
{
	watchdog_process=`ps -C alcasar-watchdog.sh|wc -l`
	if [[ $(expr $watchdog_process) -gt 3 ]]
		then
		echo "ALCASAR watchdog is already running"
		exit 0
	fi
	# EXTIF testing
	LAN_DOWN="0"
	if [ `/sbin/ip link | grep $EXTIF|grep "NO-CARRIER" | wc -l` -eq "1" ]
		then
		LAN_DOWN="1"
	fi
	# Default GW testing
	if [ $LAN_DOWN -eq "0" ]
		then
		IP_GW=`/sbin/ip route list|grep ^default|cut -d" " -f3`
		arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW|grep response|cut -d" " -f2`
		if [ $arp_reply -eq "0" ]
	       		then
			LAN_DOWN="2"
		fi
	fi
	# if LAN pb detected, users are warned
	if [ $LAN_DOWN != "0" ]
		then
			lan_down_alert
	# else switch in normal mode
	else
		echo "Internet access is OK for now"
		net_pb=`grep "network_pb = True;" $Index_Page|wc -l`
		if [ $net_pb != "0" ]
			then
			/bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page
			$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56
		fi
	fi
}
 
usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"
case $1 in
	-\? | -h* | --h*)
		echo "$usage"
		exit 0
		;;
	-lt | --lan_test)
		lan_test
		exit 0
		;;
	*)
		lan_test
		# read file that contains IP address of quiet equipments
		if [ -e $tmp_file ]; then
			cat $tmp_file | while read noresponse
			do
				noresponse_ip=`echo $noresponse | cut -d" " -f1`
				noresponse_mac=`echo $noresponse | cut -d" " -f2`
				noresponse_user=`echo $noresponse | cut -d" " -f3`
				arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip|grep "Unicast reply"|wc -l`
				if [[ $(expr $arp_reply) -eq 0 ]]
	       				then
					#on vide les ip inactifs de l'ipset not_auth_yet
					ipset del not_auth_yet $noresponse_ip
					logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)."
					/usr/sbin/chilli_query logout $noresponse_mac
					if [[ $noresponse_user == $noresponse_mac ]] # for @mac auth equipments, we must remove the arp entry 
						then /usr/sbin/chilli_query dhcp-release $noresponse_mac
					fi
				fi
			done
			rm $tmp_file
		fi
# process each equipment known by chilli
		for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
		do
			active_ip=`echo $system |cut -d" " -f2`
			active_session=`echo $system |cut -d" " -f5`
			active_mac=`echo $system | cut -d" " -f1`
			active_user=`echo $system |cut -d" " -f6`
# process only equipment with an authenticated user
			if [[ $(expr $active_session) -eq 1 ]]
			then
				arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l`
# store @IP of quiet equipments
				if [[ $(expr $arp_reply) -eq 0 ]]
   				then		
					echo "$active_ip $active_mac $active_user" >> $tmp_file
					
				fi
# disconnect users whose equipement is usurped (@MAC)
				if [[ $(expr $arp_reply) -gt 2 ]]
	       				then 
					echo "$(date "+[%x-%X] : ")alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log
					logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."
					/usr/sbin/chilli_query logout $active_mac
					chmod 644 /var/Save/security/watchdog.log
				fi
			fi
		done
		;;
esac	
IFS=$OLDIFS
 

Rev 1818	Rev 1867
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-watchdog.sh 1818 2016-04-07 13:38:05Z raphael.pion $`	2	`# $Id: alcasar-watchdog.sh 1867 2016-05-04 12:22:08Z raphael.pion $`
3		3
4	`# alcasar-watchdog.sh`	4	`# alcasar-watchdog.sh`
5	`# by Rexy`	5	`# by Rexy`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`# Ce script prévient les usagers de l'indisponibilité de l'accès Internet`	7	`# Ce script prévient les usagers de l'indisponibilité de l'accès Internet`
8	`# il déconnecte les usagers dont`	8	`# il déconnecte les usagers dont`
9	`# - les équipements réseau ne répondent plus`	9	`# - les équipements réseau ne répondent plus`
10	`# - les adresses MAC sont usurpées`	10	`# - les adresses MAC sont usurpées`
11	`# This script tells users that Internet access is down`	11	`# This script tells users that Internet access is down`
12	`# it logs out users whose`	12	`# it logs out users whose`
13	`# - PCs are quiet`	13	`# - PCs are quiet`
14	`# - MAC address is used by other systems (usurped)`	14	`# - MAC address is used by other systems (usurped)`
15		15
16	`CONF_FILE="/usr/local/etc/alcasar.conf"`	16	`CONF_FILE="/usr/local/etc/alcasar.conf"`
17	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace	17	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace
18	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace	18	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace
19	private_ip_mask=`grep PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`	19	private_ip_mask=`grep PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`
20	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`	20	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`
21	PRIVATE_IP=`echo "$private_ip_mask" \|cut -d"/" -f1` # @ip du portail (côté LAN)	21	PRIVATE_IP=`echo "$private_ip_mask" \|cut -d"/" -f1` # @ip du portail (côté LAN)
22	`PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}`	22	`PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}`
23	`tmp_file="/tmp/watchdog.txt"`	23	`tmp_file="/tmp/watchdog.txt"`
24	`DIR_WEB="/var/www/html"`	24	`DIR_WEB="/var/www/html"`
25	`Index_Page="$DIR_WEB/index.php"`	25	`Index_Page="$DIR_WEB/index.php"`
26	`IPTABLES="/sbin/iptables"`	26	`IPTABLES="/sbin/iptables"`
27	`TUNIF="tun0" # listen device for chilli daemon`	27	`TUNIF="tun0" # listen device for chilli daemon`
28	`OLDIFS=$IFS`	28	`OLDIFS=$IFS`
29	`IFS=$'\n'`	29	`IFS=$'\n'`
30		30
31	`function lan_down_alert ()`	31	`function lan_down_alert ()`
32	`# users are redirected on ALCASAR IP address if a LAN problem is detected`	32	`# users are redirected on ALCASAR IP address if a LAN problem is detected`
33	`{`	33	`{`
34	`case $LAN_DOWN in`	34	`case $LAN_DOWN in`
35	`"1")`	35	`"1")`
36	`logger "$EXTIF (WAN card) link down"`	36	`logger "$EXTIF (WAN card) link down"`
37	`echo "$EXTIF (WAN card) link down"`	37	`echo "$EXTIF (WAN card) link down"`
38	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page`	38	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page`
39	`;;`	39	`;;`
40	`"2")`	40	`"2")`
41	`logger "can't contact the default router"`	41	`logger "can't contact the default router"`
42	`echo "can't contact the default router"`	42	`echo "can't contact the default router"`
43	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page`	43	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page`
44	`;;`	44	`;;`
45	`esac`	45	`esac`
46	net_pb=`grep "network_pb = True;" $Index_Page\|wc -l`	46	net_pb=`grep "network_pb = True;" $Index_Page\|wc -l`
47	`if [ $net_pb = "0" ] # user alert (only the first time)`	47	`if [ $net_pb = "0" ] # user alert (only the first time)`
48	`then`	48	`then`
49	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page`	49	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page`
50	`$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`	50	`$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`
51	`fi`	51	`fi`
52	`}`	52	`}`
53		53
54	`function lan_test ()`	54	`function lan_test ()`
55	`# LAN connectiivity testing`	55	`# LAN connectiivity testing`
56	`{`	56	`{`
57	watchdog_process=`ps -C alcasar-watchdog.sh\|wc -l`	57	watchdog_process=`ps -C alcasar-watchdog.sh\|wc -l`
58	`if [[ $(expr $watchdog_process) -gt 3 ]]`	58	`if [[ $(expr $watchdog_process) -gt 3 ]]`
59	`then`	59	`then`
60	`echo "ALCASAR watchdog is already running"`	60	`echo "ALCASAR watchdog is already running"`
61	`exit 0`	61	`exit 0`
62	`fi`	62	`fi`
63	`# EXTIF testing`	63	`# EXTIF testing`
64	`LAN_DOWN="0"`	64	`LAN_DOWN="0"`
65	if [ `/sbin/ip link \| grep $EXTIF\|grep "NO-CARRIER" \| wc -l` -eq "1" ]	65	if [ `/sbin/ip link \| grep $EXTIF\|grep "NO-CARRIER" \| wc -l` -eq "1" ]
66	`then`	66	`then`
67	`LAN_DOWN="1"`	67	`LAN_DOWN="1"`
68	`fi`	68	`fi`
69	`# Default GW testing`	69	`# Default GW testing`
70	`if [ $LAN_DOWN -eq "0" ]`	70	`if [ $LAN_DOWN -eq "0" ]`
71	`then`	71	`then`
72	IP_GW=`/sbin/ip route list\|grep ^default\|cut -d" " -f3`	72	IP_GW=`/sbin/ip route list\|grep ^default\|cut -d" " -f3`
73	arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW\|grep response\|cut -d" " -f2`	73	arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW\|grep response\|cut -d" " -f2`
74	`if [ $arp_reply -eq "0" ]`	74	`if [ $arp_reply -eq "0" ]`
75	`then`	75	`then`
76	`LAN_DOWN="2"`	76	`LAN_DOWN="2"`
77	`fi`	77	`fi`
78	`fi`	78	`fi`
79	`# if LAN pb detected, users are warned`	79	`# if LAN pb detected, users are warned`
80	`if [ $LAN_DOWN != "0" ]`	80	`if [ $LAN_DOWN != "0" ]`
81	`then`	81	`then`
82	`lan_down_alert`	82	`lan_down_alert`
83	`# else switch in normal mode`	83	`# else switch in normal mode`
84	`else`	84	`else`
85	`echo "Internet access is OK for now"`	85	`echo "Internet access is OK for now"`
86	net_pb=`grep "network_pb = True;" $Index_Page\|wc -l`	86	net_pb=`grep "network_pb = True;" $Index_Page\|wc -l`
87	`if [ $net_pb != "0" ]`	87	`if [ $net_pb != "0" ]`
88	`then`	88	`then`
89	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page`	89	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page`
90	`$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`	90	`$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`
91	`fi`	91	`fi`
92	`fi`	92	`fi`
93	`}`	93	`}`
94		94
95	`usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"`	95	`usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"`
96	`case $1 in`	96	`case $1 in`
97	`-\? \| -h* \| --h*)`	97	`-\? \| -h* \| --h*)`
98	`echo "$usage"`	98	`echo "$usage"`
99	`exit 0`	99	`exit 0`
100	`;;`	100	`;;`
101	`-lt \| --lan_test)`	101	`-lt \| --lan_test)`
102	`lan_test`	102	`lan_test`
103	`exit 0`	103	`exit 0`
104	`;;`	104	`;;`
105	`*)`	105	`*)`
106	`lan_test`	106	`lan_test`
107	`# read file that contains IP address of quiet equipments`	107	`# read file that contains IP address of quiet equipments`
108	`if [ -e $tmp_file ]; then`	108	`if [ -e $tmp_file ]; then`
109	`cat $tmp_file \| while read noresponse`	109	`cat $tmp_file \| while read noresponse`
110	`do`	110	`do`
111	noresponse_ip=`echo $noresponse \| cut -d" " -f1`	111	noresponse_ip=`echo $noresponse \| cut -d" " -f1`
112	noresponse_mac=`echo $noresponse \| cut -d" " -f2`	112	noresponse_mac=`echo $noresponse \| cut -d" " -f2`
113	noresponse_user=`echo $noresponse \| cut -d" " -f3`	113	noresponse_user=`echo $noresponse \| cut -d" " -f3`
114	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip\|grep "Unicast reply"\|wc -l`	114	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip\|grep "Unicast reply"\|wc -l`
115	`if [[ $(expr $arp_reply) -eq 0 ]]`	115	`if [[ $(expr $arp_reply) -eq 0 ]]`
116	`then`	116	`then`
117	`#on vide les ip inactifs de l'ipset user_not_connected_yet`	117	`#on vide les ip inactifs de l'ipset not_auth_yet`
118	`ipset del user_not_connected_yet $noresponse_ip`	118	`ipset del not_auth_yet $noresponse_ip`
119	`logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)."`	119	`logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)."`
120	`/usr/sbin/chilli_query logout $noresponse_mac`	120	`/usr/sbin/chilli_query logout $noresponse_mac`
121	`if [[ $noresponse_user == $noresponse_mac ]] # for @mac auth equipments, we must remove the arp entry`	121	`if [[ $noresponse_user == $noresponse_mac ]] # for @mac auth equipments, we must remove the arp entry`
122	`then /usr/sbin/chilli_query dhcp-release $noresponse_mac`	122	`then /usr/sbin/chilli_query dhcp-release $noresponse_mac`
123	`fi`	123	`fi`
124	`fi`	124	`fi`
125	`done`	125	`done`
126	`rm $tmp_file`	126	`rm $tmp_file`
127	`fi`	127	`fi`
128	`# process each equipment known by chilli`	128	`# process each equipment known by chilli`
129	for system in `/usr/sbin/chilli_query list \|grep -v "\.0\.0\.0"`	129	for system in `/usr/sbin/chilli_query list \|grep -v "\.0\.0\.0"`
130	`do`	130	`do`
131	active_ip=`echo $system \|cut -d" " -f2`	131	active_ip=`echo $system \|cut -d" " -f2`
132	active_session=`echo $system \|cut -d" " -f5`	132	active_session=`echo $system \|cut -d" " -f5`
133	active_mac=`echo $system \| cut -d" " -f1`	133	active_mac=`echo $system \| cut -d" " -f1`
134	active_user=`echo $system \|cut -d" " -f6`	134	active_user=`echo $system \|cut -d" " -f6`
135	`# process only equipment with an authenticated user`	135	`# process only equipment with an authenticated user`
136	`if [[ $(expr $active_session) -eq 1 ]]`	136	`if [[ $(expr $active_session) -eq 1 ]]`
137	`then`	137	`then`
138	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip\|grep "Unicast reply"\|wc -l`	138	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip\|grep "Unicast reply"\|wc -l`
139	`# store @IP of quiet equipments`	139	`# store @IP of quiet equipments`
140	`if [[ $(expr $arp_reply) -eq 0 ]]`	140	`if [[ $(expr $arp_reply) -eq 0 ]]`
141	`then`	141	`then`
142	`echo "$active_ip $active_mac $active_user" >> $tmp_file`	142	`echo "$active_ip $active_mac $active_user" >> $tmp_file`
143		143
144	`fi`	144	`fi`
145	`# disconnect users whose equipement is usurped (@MAC)`	145	`# disconnect users whose equipement is usurped (@MAC)`
146	`if [[ $(expr $arp_reply) -gt 2 ]]`	146	`if [[ $(expr $arp_reply) -gt 2 ]]`
147	`then`	147	`then`
148	`echo "$(date "+[%x-%X] : ")alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log`	148	`echo "$(date "+[%x-%X] : ")alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log`
149	`logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."`	149	`logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."`
150	`/usr/sbin/chilli_query logout $active_mac`	150	`/usr/sbin/chilli_query logout $active_mac`
151	`chmod 644 /var/Save/security/watchdog.log`	151	`chmod 644 /var/Save/security/watchdog.log`
152	`fi`	152	`fi`
153	`fi`	153	`fi`
154	`done`	154	`done`
155	`;;`	155	`;;`
156	`esac`	156	`esac`
157	`IFS=$OLDIFS`	157	`IFS=$OLDIFS`
158		158

Subversion Repositories ALCASAR

(root)/scripts/alcasar-watchdog.sh – Rev 1818 → 1867