WebSVN – ALCASAR – Diff – /scripts/alcasar-watchdog.sh


#!/bin/bash
# $Id: alcasar-watchdog.sh 987 2012-08-17 21:41:28Z richard $
 
# alcasar-watchdog.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# Ce script prévient les usagers de l'indisponibilité de l'accès Internet
# il déconnecte les usagers dont
# - les équipements réseau ne répondent plus
# - les adresses MAC sont usurpées
# This script tells users that Internet access is down
# it logs out users whose 
# - PCs are quiet
# - MAC address are in used by other systems (usurped)
 
EXTIF="eth0"
INTIF="eth1"
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
tmp_file="/tmp/watchdog.txt"
DIR_WEB="/var/www/html"
Index_Page="$DIR_WEB/index.php"
OLDIFS=$IFS
IFS=$'\n'
 
function lan_down_alert ()
# users are redirected on ALCASAR IP address if LAN Pb detected
{
	case $LAN_DOWN in
	"1")
		logger "eth0 link down"
		echo "eth0 is down"
		/bin/sed -i "s?diagnostic =.*?diagnostic = \"eth0 link down\";?g" $Index_Page
		;;
	"2")
		logger "can't contact the default router"
		echo "can't contact the default router"
		/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page
		;;
	esac
	net_pb=`cat /etc/dnsmasq.conf|grep "address=/#/"|wc -l`
	if [ $net_pb = "0" ] # on alerte les usagers (si ce n'est pas déjà le cas).
		then
		/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page
		/bin/sed -i "s?^conf-dir=.*?address=\/#\/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf
		/bin/sed -i "1i\address=\/#\/$PRIVATE_IP" /etc/dnsmasq.conf
		/etc/init.d/dnsmasq restart
	fi
}
 
function lan_test ()
# LAN connectiivity testing
{
	watchdog_process=`ps -C alcasar-watchdog.sh|wc -l`
	if [[ $(expr $watchdog_process) -gt 3 ]]
		then
		echo "ALCASAR watchdog is already running"
		exit 0
	fi
	# EXTIF testing
	LAN_DOWN="0"
	if [ "`/usr/sbin/ethtool $EXTIF|grep Link|cut -d' ' -f3`" != "yes" ]
		then
		LAN_DOWN="1"
	fi
	# Default GW testing
	if [ $LAN_DOWN -eq "0" ]
		then
		IP_GW=`/sbin/ip route list|grep ^default|cut -d" " -f3`
		arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW|grep response|cut -d" " -f2`
		if [ $arp_reply -eq "0" ]
	       		then
			LAN_DOWN="2"
		fi
	fi
	# if LAN pb detected, users are warned
	if [ $LAN_DOWN != "0" ]
		then
			lan_down_alert
	# else switch in normal mode
	else
		echo "Internet access is OK for now"
		net_pb=`cat /etc/dnsmasq.conf|grep "address=/#/"|wc -l`
		if [ $net_pb != "0" ]
			then
			/bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page
			/bin/sed -i "s?^address=\/#\/.*?conf-dir=/usr/local/etc/alcasar-dnsfilter-enabled?g" /etc/dnsmasq-blackhole.conf
			/bin/sed -i "/^address=/d" /etc/dnsmasq.conf
			/etc/init.d/dnsmasq restart
		fi
	fi
}
 
usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"
case $1 in
	-\? | -h* | --h*)
		echo "$usage"
		exit 0
		;;
	-lt | --lan_test)
		lan_test
		exit 0
		;;
	*)
		lan_test
		# read file that contains IP address of quiet equipments
		if [ -e $tmp_file ]; then
			cat $tmp_file | while read noresponse
			do
				noresponse_ip=`echo $noresponse | cut -d" " -f1`
				noresponse_mac=`echo $noresponse | cut -d" " -f2`
				noresponse_user=`echo $noresponse | cut -d" " -f3`
				arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip|grep "Unicast reply"|wc -l`
				if [[ $(expr $arp_reply) -eq 0 ]]
	       				then
					logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)."
					/usr/sbin/chilli_query logout $noresponse_mac
					/usr/sbin/chilli_query dhcp-release $noresponse_mac  # release dhcp for mac_auth equipment 
				fi
			done
			rm $tmp_file
		fi
# on traite chaque équipements connus de chilli
		for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
		do
			active_ip=`echo $system |cut -d" " -f2`
			active_session=`echo $system |cut -d" " -f5`
			active_mac=`echo $system | cut -d" " -f1`
			active_user=`echo $system |cut -d" " -f6`
# on ne traite que les équipements exploitées par un usager authentifié (test de 2 réponses en 4 secondes)
			if [[ $(expr $active_session) -eq 1 ]]
				then
				arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l`
# on stocke les adresses IP des stations muettes
				if [[ $(expr $arp_reply) -eq 0 ]]
	       				then
					echo "$active_ip $active_mac $active_user" >> $tmp_file
				fi
# on deconnecte l'usager d'une stations usurpée (@MAC)
				if [[ $(expr $arp_reply) -gt 2 ]]
	       				then
					echo "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/logs/security/watchdog.log
					logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."
					/usr/sbin/chilli_query logout $active_mac
				fi
			fi
		done
		;;
esac	
IFS=$OLDIFS
 

Rev 958	Rev 987
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-watchdog.sh 958 2012-07-19 09:01:30Z franck $`	2	`# $Id: alcasar-watchdog.sh 987 2012-08-17 21:41:28Z richard $`
3		3
4	`# alcasar-watchdog.sh`	4	`# alcasar-watchdog.sh`
5	`# by Rexy`	5	`# by Rexy`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7		7
8	`# Ce script prévient les usagers de l'indisponibilité de l'accès Internet`	8	`# Ce script prévient les usagers de l'indisponibilité de l'accès Internet`
9	`# il déconnecte les usagers dont`	9	`# il déconnecte les usagers dont`
10	`# - les équipements réseau ne répondent plus`	10	`# - les équipements réseau ne répondent plus`
11	`# - les adresses MAC sont usurpées`	11	`# - les adresses MAC sont usurpées`
12	`# This script tells users that Internet access is down`	12	`# This script tells users that Internet access is down`
13	`# it logs out users whose`	13	`# it logs out users whose`
14	`# - PCs are quiet`	14	`# - PCs are quiet`
15	`# - MAC address are in used by other systems (usurped)`	15	`# - MAC address are in used by other systems (usurped)`
16		16
17	`EXTIF="eth0"`	17	`EXTIF="eth0"`
18	`INTIF="eth1"`	18	`INTIF="eth1"`
19	`conf_file="/usr/local/etc/alcasar.conf"`	19	`conf_file="/usr/local/etc/alcasar.conf"`
20	private_ip_mask=`grep PRIVATE_IP= $conf_file\|cut -d"=" -f2`	20	private_ip_mask=`grep PRIVATE_IP= $conf_file\|cut -d"=" -f2`
21	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`	21	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`
22	PRIVATE_IP=`echo $private_ip_mask \| cut -d"/" -f1` # ALCASAR LAN IP address	22	PRIVATE_IP=`echo $private_ip_mask \| cut -d"/" -f1` # ALCASAR LAN IP address
23	`tmp_file="/tmp/watchdog.txt"`	23	`tmp_file="/tmp/watchdog.txt"`
24	`DIR_WEB="/var/www/html"`	24	`DIR_WEB="/var/www/html"`
25	`Index_Page="$DIR_WEB/index.php"`	25	`Index_Page="$DIR_WEB/index.php"`
26	`OLDIFS=$IFS`	26	`OLDIFS=$IFS`
27	`IFS=$'\n'`	27	`IFS=$'\n'`
28		28
29	`function lan_down_alert ()`	29	`function lan_down_alert ()`
30	`# users are redirected on ALCASAR IP address if LAN Pb detected`	30	`# users are redirected on ALCASAR IP address if LAN Pb detected`
31	`{`	31	`{`
32	`case $LAN_DOWN in`	32	`case $LAN_DOWN in`
33	`"1")`	33	`"1")`
34	`logger "eth0 link down"`	34	`logger "eth0 link down"`
-		35	`echo "eth0 is down"`
35	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"eth0 link down\";?g" $Index_Page`	36	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"eth0 link down\";?g" $Index_Page`
36	`;;`	37	`;;`
37	`"2")`	38	`"2")`
38	`logger "can't contact the default router"`	39	`logger "can't contact the default router"`
-		40	`echo "can't contact the default router"`
39	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page`	41	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page`
40	`;;`	42	`;;`
41	`esac`	43	`esac`
42	net_pb=`cat /etc/dnsmasq.conf\|grep "address=/#/"\|wc -l`	44	net_pb=`cat /etc/dnsmasq.conf\|grep "address=/#/"\|wc -l`
43	`if [ $net_pb = "0" ] # on alerte les usagers (si ce n'est pas déjà le cas).`	45	`if [ $net_pb = "0" ] # on alerte les usagers (si ce n'est pas déjà le cas).`
44	`then`	46	`then`
45	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page`	47	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page`
46	`/bin/sed -i "s?^conf-dir=.*?address=\/#\/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf`	48	`/bin/sed -i "s?^conf-dir=.*?address=\/#\/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf`
47	`/bin/sed -i "1i\address=\/#\/$PRIVATE_IP" /etc/dnsmasq.conf`	49	`/bin/sed -i "1i\address=\/#\/$PRIVATE_IP" /etc/dnsmasq.conf`
48	`/etc/init.d/dnsmasq restart`	50	`/etc/init.d/dnsmasq restart`
49	`fi`	51	`fi`
50	`}`	52	`}`
51		53
52	`function lan_test ()`	54	`function lan_test ()`
53	`# LAN connectiivity testing`	55	`# LAN connectiivity testing`
54	`{`	56	`{`
55	watchdog_process=`ps -C alcasar-watchdog.sh\|wc -l`	57	watchdog_process=`ps -C alcasar-watchdog.sh\|wc -l`
56	`if [[ $(expr $watchdog_process) -gt 3 ]]`	58	`if [[ $(expr $watchdog_process) -gt 3 ]]`
57	`then`	59	`then`
58	`echo "ALCASAR watchdog is already running"`	60	`echo "ALCASAR watchdog is already running"`
59	`exit 0`	61	`exit 0`
60	`fi`	62	`fi`
61	`# EXTIF testing`	63	`# EXTIF testing`
62	`LAN_DOWN="0"`	64	`LAN_DOWN="0"`
63	if [ "`/usr/sbin/ethtool $EXTIF\|grep Link\|cut -d' ' -f3`" != "yes" ]	65	if [ "`/usr/sbin/ethtool $EXTIF\|grep Link\|cut -d' ' -f3`" != "yes" ]
64	`then`	66	`then`
65	`LAN_DOWN="1"`	67	`LAN_DOWN="1"`
66	`fi`	68	`fi`
67	`# Default GW testing`	69	`# Default GW testing`
68	`if [ $LAN_DOWN -eq "0" ]`	70	`if [ $LAN_DOWN -eq "0" ]`
69	`then`	71	`then`
70	IP_GW=`/sbin/ip route list\|grep ^default\|cut -d" " -f3`	72	IP_GW=`/sbin/ip route list\|grep ^default\|cut -d" " -f3`
71	arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW\|grep response\|cut -d" " -f2`	73	arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW\|grep response\|cut -d" " -f2`
72	`if [ $arp_reply -eq "0" ]`	74	`if [ $arp_reply -eq "0" ]`
73	`then`	75	`then`
74	`LAN_DOWN="2"`	76	`LAN_DOWN="2"`
75	`fi`	77	`fi`
76	`fi`	78	`fi`
77	`# if LAN pb detected, users are warned`	79	`# if LAN pb detected, users are warned`
78	`if [ $LAN_DOWN != "0" ]`	80	`if [ $LAN_DOWN != "0" ]`
79	`then`	81	`then`
80	`lan_down_alert`	82	`lan_down_alert`
81	`# else switch in normal mode`	83	`# else switch in normal mode`
82	`else`	84	`else`
-		85	`echo "Internet access is OK for now"`
83	net_pb=`cat /etc/dnsmasq.conf\|grep "address=/#/"\|wc -l`	86	net_pb=`cat /etc/dnsmasq.conf\|grep "address=/#/"\|wc -l`
84	`if [ $net_pb != "0" ]`	87	`if [ $net_pb != "0" ]`
85	`then`	88	`then`
86	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page`	89	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page`
87	`/bin/sed -i "s?^address=\/#\/.*?conf-dir=/usr/local/etc/alcasar-dnsfilter-enabled?g" /etc/dnsmasq-blackhole.conf`	90	`/bin/sed -i "s?^address=\/#\/.*?conf-dir=/usr/local/etc/alcasar-dnsfilter-enabled?g" /etc/dnsmasq-blackhole.conf`
88	`/bin/sed -i "/^address=/d" /etc/dnsmasq.conf`	91	`/bin/sed -i "/^address=/d" /etc/dnsmasq.conf`
89	`/etc/init.d/dnsmasq restart`	92	`/etc/init.d/dnsmasq restart`
90	`fi`	93	`fi`
91	`fi`	94	`fi`
92	`}`	95	`}`
93		96
94	`usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"`	97	`usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"`
95	`case $1 in`	98	`case $1 in`
96	`-\? \| -h* \| --h*)`	99	`-\? \| -h* \| --h*)`
97	`echo "$usage"`	100	`echo "$usage"`
98	`exit 0`	101	`exit 0`
99	`;;`	102	`;;`
100	`-lt \| --lan_test)`	103	`-lt \| --lan_test)`
101	`lan_test`	104	`lan_test`
102	`exit 0`	105	`exit 0`
103	`;;`	106	`;;`
104	`*)`	107	`*)`
105	`lan_test`	108	`lan_test`
106	`# read file that contains IP address of quiet equipments`	109	`# read file that contains IP address of quiet equipments`
107	`if [ -e $tmp_file ]; then`	110	`if [ -e $tmp_file ]; then`
108	`cat $tmp_file \| while read noresponse`	111	`cat $tmp_file \| while read noresponse`
109	`do`	112	`do`
110	noresponse_ip=`echo $noresponse \| cut -d" " -f1`	113	noresponse_ip=`echo $noresponse \| cut -d" " -f1`
111	noresponse_mac=`echo $noresponse \| cut -d" " -f2`	114	noresponse_mac=`echo $noresponse \| cut -d" " -f2`
112	noresponse_user=`echo $noresponse \| cut -d" " -f3`	115	noresponse_user=`echo $noresponse \| cut -d" " -f3`
113	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip\|grep "Unicast reply"\|wc -l`	116	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip\|grep "Unicast reply"\|wc -l`
114	`if [[ $(expr $arp_reply) -eq 0 ]]`	117	`if [[ $(expr $arp_reply) -eq 0 ]]`
115	`then`	118	`then`
116	`logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)."`	119	`logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)."`
117	`/usr/sbin/chilli_query logout $noresponse_mac`	120	`/usr/sbin/chilli_query logout $noresponse_mac`
118	`/usr/sbin/chilli_query dhcp-release $noresponse_mac # release dhcp for mac_auth equipment`	121	`/usr/sbin/chilli_query dhcp-release $noresponse_mac # release dhcp for mac_auth equipment`
119	`fi`	122	`fi`
120	`done`	123	`done`
121	`rm $tmp_file`	124	`rm $tmp_file`
122	`fi`	125	`fi`
123	`# on traite chaque équipements connus de chilli`	126	`# on traite chaque équipements connus de chilli`
124	for system in `/usr/sbin/chilli_query list \|grep -v "\.0\.0\.0"`	127	for system in `/usr/sbin/chilli_query list \|grep -v "\.0\.0\.0"`
125	`do`	128	`do`
126	active_ip=`echo $system \|cut -d" " -f2`	129	active_ip=`echo $system \|cut -d" " -f2`
127	active_session=`echo $system \|cut -d" " -f5`	130	active_session=`echo $system \|cut -d" " -f5`
128	active_mac=`echo $system \| cut -d" " -f1`	131	active_mac=`echo $system \| cut -d" " -f1`
129	active_user=`echo $system \|cut -d" " -f6`	132	active_user=`echo $system \|cut -d" " -f6`
130	`# on ne traite que les équipements exploitées par un usager authentifié (test de 2 réponses en 4 secondes)`	133	`# on ne traite que les équipements exploitées par un usager authentifié (test de 2 réponses en 4 secondes)`
131	`if [[ $(expr $active_session) -eq 1 ]]`	134	`if [[ $(expr $active_session) -eq 1 ]]`
132	`then`	135	`then`
133	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip\|grep "Unicast reply"\|wc -l`	136	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip\|grep "Unicast reply"\|wc -l`
134	`# on stocke les adresses IP des stations muettes`	137	`# on stocke les adresses IP des stations muettes`
135	`if [[ $(expr $arp_reply) -eq 0 ]]`	138	`if [[ $(expr $arp_reply) -eq 0 ]]`
136	`then`	139	`then`
137	`echo "$active_ip $active_mac $active_user" >> $tmp_file`	140	`echo "$active_ip $active_mac $active_user" >> $tmp_file`
138	`fi`	141	`fi`
139	`# on deconnecte l'usager d'une stations usurpée (@MAC)`	142	`# on deconnecte l'usager d'une stations usurpée (@MAC)`
140	`if [[ $(expr $arp_reply) -gt 2 ]]`	143	`if [[ $(expr $arp_reply) -gt 2 ]]`
141	`then`	144	`then`
142	`echo "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/logs/security/watchdog.log`	145	`echo "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/logs/security/watchdog.log`
143	`logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."`	146	`logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."`
144	`/usr/sbin/chilli_query logout $active_mac`	147	`/usr/sbin/chilli_query logout $active_mac`
145	`fi`	148	`fi`
146	`fi`	149	`fi`
147	`done`	150	`done`
148	`;;`	151	`;;`
149	`esac`	152	`esac`
150	`IFS=$OLDIFS`	153	`IFS=$OLDIFS`
151		154

Subversion Repositories ALCASAR

(root)/scripts/alcasar-watchdog.sh @ 958 – Rev 958 → 987