/alcasar.sh |
1164,9 → 1164,13 |
groupadd -f havp |
useradd -r -g havp -s /bin/false -c "system user for havp" havp |
mkdir -p /var/tmp/havp /var/log/havp /var/run/havp |
mkdir -p /var/tmp/havp2 /var/log/havp2 |
chown -R havp /var/tmp/havp /var/log/havp /var/run/havp |
chown -R havp /var/tmp/havp2 /var/log/havp2 |
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default |
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config |
$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile |
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode |
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090 |
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback |
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format |
1175,6 → 1179,11 |
$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously |
$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files |
$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files |
cp /etc/havp/havp.config /etc/havp/havp2.config |
$SED "s?^PIDFILE.*?PIDFILE /var/run/havp/havp2.pid?g" /etc/havp/havp2.config # pidfile |
$SED "s?^TRANSPARENT.*?TRANSPARENT true?g" /etc/havp/havp2.config # transparent mode |
$SED "s?^PORT.*?PORT 8091?g" /etc/havp/havp2.config # datas come on 8091 |
$SED "s?^BIND_ADDRESS.*?BIND_ADDRESS 192.168.182.1?g" /etc/havp/havp2.config # we listen only on tun0 |
# skip checking of youtube flow (too heavy load / risk too low) |
[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default |
echo "# Whitelist youtube flow" >> /etc/havp/whitelist |
1182,6 → 1191,21 |
# replacement of init script |
[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default |
cp -f $DIR_CONF/havp-init /etc/init.d/havp |
cp /etc/init.d/havp /etc/init.d/havp2 |
$SED "s?^# description.*?# description: starts HAVP2 the High Availability Antivirus Proxy?g" /etc/init.d/havp2 # description |
$SED "s?^HAVP_CONFIG.*?HAVP_CONFIG=/etc/havp/havp2.config?g" /etc/init.d/havp2 # config file |
$SED "s?^PIDFILE.*?PIDFILE=/var/run/havp/havp2.pid?g" /etc/init.d/havp2 # pidfile |
$SED "s?^NAME.*?NAME=havp2?g" /etc/init.d/havp2 # name |
$SED "s?^DESC.*?DESC=havp2?g" /etc/init.d/havp2 # desc |
#$SED "s?if [ -f /etc/sysconfig/havp ] ; then.*?if [ -f /etc/sysconfig/havp2 ] ; then?g" /etc/init.d/havp2 # defaults |
#$SED "s?. /etc/sysconfig/havp.*?. /etc/sysconfig/havp2?g" /etc/init.d/havp2 # defaults |
$SED "s?^havp_mountpoint.*?havp_mountpoint=/var/tmp/havp2?g" /etc/init.d/havp2 # mountpoint |
$SED "s?echo \"Reloading HAVP ...\".*?echo \"Reloading HAVP2 ...\"?g" /etc/init.d/havp2 # reloading havp |
$SED "s?echo \"Error: HAVP not running\".*?echo \"Error : HAVP2 not running\"?g" /etc/init.d/havp2 # error havp |
$SED "s?echo \"Error: HAVP not running or PIDFILE not readable\".*?echo \"Error : HAVP2 not running or PIDFILE not readable\"?g" /etc/init.d/havp2 # error havp |
$SED "s?echo \"Error: HAVP not running or PIDFILE unreadable\".*?echo \"Error : HAVP2 not running or PIDFILE unreadable\"?g" /etc/init.d/havp2 # error havp |
$SED "s?echo \"Shutting down HAVP ...\".*?echo \"Shutting down HAVP2 ...\"?g" /etc/init.d/havp2 # shutting down havp |
$SED "s?status havp.*?status havp2?g" /etc/init.d/havp2 # status havp |
# replace of the intercept page (template) |
cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html |
cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html |
1230,15 → 1254,16 |
########################################################## |
nfsen() |
{ |
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/ |
tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/ |
# Create a specific user and group |
[ `grep "^www-data:" /etc/group | wc -l` == 1 ] || groupadd www-data |
[ `grep "^nfsen:" /etc/passwd | wc -l` == 1 ] || useradd -r -g nfsen -s /bin/false -c "system user for the grapher nfsen" nfsen |
[ `grep "^apache:" /etc/group | wc -l` == 1 ] || groupadd apache |
#[ `grep "^nfsen:" /etc/passwd | wc -l` == 1 ] || useradd -r -g nfsen -s /bin/false -c "system user for the grapher nfsen" nfsen |
groupadd -f chilli |
# Add PortTracker plugin |
mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins |
chown -R nfsen:www-data /var/www/nfsen |
chown -R apache:apache /var/www/nfsen |
chown -R apache:apache /usr/share/nfsen |
chown -R apache:apache /var/log/netflow |
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/ |
# use of our conf file and init unit |
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/ |
1251,7 → 1276,7 |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/ |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/ |
[ -d /var/log/netflow/porttracker ] || sudo -u apache nftrack -I -d /var/log/netflow/porttracker |
chown -R apache:www-data /var/log/netflow/porttracker/ |
chown -R apache:apache /var/log/netflow/porttracker/ |
chmod -R 775 /var/log/netflow/porttracker |
# Apache conf file |
rm -f /etc/httpd/conf/conf.d/nfsen.conf |
1285,9 → 1310,12 |
[Service] |
Type=oneshot |
RemainAfterExit=yes |
PIDFile=/var/run/nfsen/nfsen.pid |
ExecStartPre=/bin/mkdir -p /var/run/nfsen |
ExecStartPre=/bin/chown apache:apache /var/run/nfsen |
ExecStart=/usr/bin/nfsen start |
ExecStop=/usr/bin/nfsen stop |
ExecRestart=/usr/bin/nfsen restart |
ExecReload=/usr/bin/nfsen restart |
TimeoutSec=0 |
[Install] |
1294,9 → 1322,10 |
WantedBy=multi-user.target |
EOF |
# Add the listen port to collect netflow packet (nfcapd) |
$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm |
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm |
# expire delay for the profile "live" |
nfsen -m live -e 62d 2>/dev/null |
systemctl start nfsen |
/bin/nfsen -m live -e 62d 2>/dev/null |
# clear the installation |
cd $DirTmp |
rm -rf /tmp/nfsen-1.3.6p1/ |
1695,7 → 1724,7 |
/sbin/chkconfig --add $i |
done |
# processes launched at boot time (Systemctl) |
for i in alcasar-load_balancing nfsen mysqld httpd ntpd iptables ulogd dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban |
for i in alcasar-load_balancing mysqld httpd ntpd iptables ulogd dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban |
do |
systemctl -q enable $i.service |
done |
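Review bot: In the NfSenRC.pm rewrite at the end of nfsen() (hunk at 1294), `$extensions` sits inside a double-quoted sed script, so the shell expands it before sed runs — presumably to an empty string, unless the installer defines a shell variable of that name — and the patched Perl line loses its `$extensions` argument while gaining `-b 127.0.0.1`. Escape it the way the neighbouring `\$ziparg` already is: `$SED "s?'\$ziparg \$extensions.*?\$ziparg \$extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm`; binding nfcapd to loopback is the right hardening for the collector, so the intent is good. In the systemd unit of the hunk at 1285, `PIDFile=` is only meaningful for a forking service and `ExecRestart=` is not a directive systemd recognises, so both will surface as warnings in the journal. In the PortTracker hunk at 1251, `[ -d /var/log/netflow/porttracker ] || sudo -u apache nftrack -I ...` can never run the initialisation because the earlier `mkdir -p` in nfsen() has already created that directory; test for an empty directory instead, e.g. `[ -n "$(ls -A /var/log/netflow/porttracker)" ] || sudo -u apache nftrack -I -d /var/log/netflow/porttracker`.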
/conf/nfsen/nfsen.conf |
47,7 → 47,7 |
$VARDIR="/var"; |
# directory for all pid files |
$PIDDIR="$VARDIR/run"; |
$PIDDIR="$VARDIR/run/nfsen"; |
# |
# Filter directory |
$FILTERDIR="$VARDIR/filters"; |
/scripts/alcasar-daemon.sh |
10,7 → 10,7 |
conf_file="/usr/local/etc/alcasar.conf" |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
SERVICE="sshd dnsmasq httpd chilli radiusd mysqld dansguardian dnsmasq havp freshclam ntpd squid master squid" |
SERVICE="sshd dnsmasq httpd chilli radiusd mysqld dansguardian dnsmasq havp havp2 freshclam ntpd squid master squid" |
function ServiceTest () { |
CMD=`pidof $s` |
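Review bot: The new SERVICE list at line 10 still carries `dnsmasq` and `squid` twice (`... dnsmasq havp havp2 ... squid master squid`), so whatever ServiceTest does per entry presumably runs twice for them; drop the duplicates, or add a comment if `squid master` is a deliberate two-word entry. `CMD=`pidof $s`` inside ServiceTest reads `$s`, which is not a parameter of the function — the loop it relies on is outside this hunk, so a one-line comment `# $s: service name set by the caller's loop` would help the next reader. `grep SSH= $conf_file` is unanchored and would also match any key whose name ends in `SSH`; `grep '^SSH='` is the safer form.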
/scripts/alcasar-iptables.sh |
30,6 → 30,7 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty |
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist |
DNSMASQ_WL_ENABLED="/usr/local/share/dnsmasq-wl-enabled" # enabled domain names for the Whitelist |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
QOS=`grep ^QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
92,13 → 93,12 |
# Calcul de la taille du set de la blacklist |
# Compute the blacklist set length |
cd $BL_IP_CAT |
set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
# Création du fichier set temporaire, remplissage, chargement et suppression |
# Creating the temporary set file, filling, loading and deleting |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save |
for category in `ls -1 | cut -d '@' -f1` |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save |
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1` |
do |
cat $BL_IP_CAT/$category >> $TMP_set_save |
done |
113,9 → 113,13 |
ipset del blacklist_ip_blocked $ip |
done |
# Calcul de la taille du set de la whitelist |
# Compute the whitelist set length |
wl_set_length=$(($(wc -l $DNSMASQ_WL_ENABLED/* | awk '{print $1}' | tail -n 1)*3)) |
# Création du fichier set temporaire, remplissage, chargement et suppression |
# Creating the temporary set file, filling, loading and deleting |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024" > $TMP_set_save |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save |
cat $WL_IP_OSSI >> $TMP_set_save |
ipset -! restore < $TMP_set_save |
rm -f $TMP_set_save |
158,18 → 162,22 |
# Mark (and log) the 8091 direct attempts to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 5 |
# Aiguillage des flux DNS |
# Switching DNS streams |
# havp_bl_set --> redirection vers le port 54 |
# havp_bl_set --> redirect to port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
# havp_wl_set --> redirection vers le port 55 |
# havp_wl_set --> redirect to port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set |
# Redirect outbound HTTP requests from blacklist IP to ALCASAR ('access denied' page) for the set havp_bl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set |
# Redirect outbound HTTP requests from IP which are not in the whitelist to ALCASAR ('access denied' page) for the set havp_wl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
286,7 → 294,7 |
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
# interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
# Reject INTIF access (only when chilli is down) |
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT " |
$IPTABLES -A INPUT -i $INTIF -j REJECT |
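Review bot: The new `wl_set_length` computation in the hunk at line 113 breaks when `$DNSMASQ_WL_ENABLED` holds no file: the unmatched glob makes `wc` fail with no output, `$(( *3 ))` is then an arithmetic syntax error, and bash treats that expansion error as fatal in a script, so the whitelist set and every rule after it are never loaded. `bl_set_length` in the hunk at line 93 has the same shape and the same empty-directory failure, and both also depend on `wc`'s `total` line, which only exists when two or more files match. Counting through `cat` avoids all of that: `wl_set_length=$(( $(cat "$DNSMASQ_WL_ENABLED"/* 2>/dev/null | wc -l) * 3 ))`. Check as well whether `ipset create … maxelem 0` is accepted by the installed ipset; if not, clamp the computed length to a sensible minimum before writing the `create` line.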
/scripts/sbin/alcasar-havp.sh |
File deleted |
Property changes: |
Deleted: svn:eol-style |
-LF |
\ No newline at end of property |
Deleted: svn:executable |
-* |
\ No newline at end of property |
Deleted: svn:keywords |
-Id Author Date |
\ No newline at end of property |
/scripts/sbin/alcasar-bl.sh |
38,18 → 38,23 |
# enable/disable the BL & WL categories |
function cat_choice (){ |
# saving ip files and ossi category |
# saving ossi category |
mkdir $DIR_tmp |
if [ $(find $DIR_IP_BL_ENABLED -name "ossi-*" | wc -l) -ne 0 ] |
cp $DIR_IP_BL/ossi $DIR_tmp |
if [ -d $DIR_IP_BL_ENABLED ] |
then |
cp $DIR_IP_BL_ENABLED/ossi-* $DIR_tmp |
for file in `ls -1 $DIR_IP_BL_ENABLED | grep -v "^ossi-*"` |
do |
rm -f $DIR_IP_BL_ENABLED/$file |
done |
else |
mkdir $DIR_IP_BL_ENABLED |
chown apache $DIR_IP_BL_ENABLED |
fi |
cp $DIR_IP_BL/ossi $DIR_tmp |
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED # cleaning for dnsmasq and iptables |
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED # cleaning for dnsmasq and iptables |
$SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG |
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines) |
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED |
chown apache $DIR_IP_BL_ENABLED |
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED |
# process the file $BL_CATEGORIES with the choice of categories |
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED` |
do |
74,10 → 79,6 |
# restoring ip files and ossi category |
mv $DIR_tmp/ossi $DIR_IP_BL |
chown apache $DIR_IP_BL/ossi |
if [ $(find $DIR_tmp -name "ossi-*" | wc -l) -ne 0 ] |
then |
mv $DIR_tmp/ossi-* $DIR_IP_BL_ENABLED |
fi |
rm -rf $DIR_tmp |
} |
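Review bot: With the restore of the `ossi-*` files removed from the end of cat_choice (hunk at line 74), the `cp $DIR_IP_BL_ENABLED/ossi-* $DIR_tmp` kept at the top of the function (hunk at line 38) now copies files that nothing reads back before `rm -rf $DIR_tmp`; either drop that copy or keep the restore. In the new cleanup loop, `grep -v "^ossi-*"` is a regex in which `-*` means zero or more dashes, so it spares any name starting with `ossi`, and iterating over `ls` output breaks on names containing whitespace; a single `find "$DIR_IP_BL_ENABLED" -maxdepth 1 -type f ! -name 'ossi-*' -delete` states the intent exactly. `mkdir $DIR_tmp` with no check also means a directory left over from an aborted run makes the next call fail at the first line; `mktemp -d` is preferable, and if `$DIR_tmp` is a fixed path under /tmp it is also the usual pre-created-symlink risk for a script that runs as root. cat_choice spans both hunks of this section and is otherwise outside the view.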
function bl_enable (){ |
/scripts/sbin/alcasar-uninstall.sh |
107,14 → 107,16 |
sleep 1 |
#antivirus |
echo -en "\n- antivirus(4) : " |
echo -en "\n- antivirus(6) : " |
if [ -e /etc/init.d/havp ] |
then |
[ -e /etc/havp/havp.config.default ] && mv /etc/havp/havp.config.default /etc/havp/havp.config && echo -n "1, " |
userdel -r havp 2>/dev/null && echo -n "2, " |
[ -e /etc/havp/havp2.config ] && rm -f /etc/havp/havp2.config && echo -n "2, " |
userdel -r havp 2>/dev/null && echo -n "3, " |
[ `grep havp /etc/fstab|wc -l` -ne "0" ] && $SED "/havp/d" /etc/fstab # anciennes versions (mémoire tampon sur disque) |
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "3, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "4" |
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "4, " |
[ -e /etc/init.d/havp2 ] && rm -f /etc/init.d/havp2 && echo -n "5, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "6" |
else echo -n "uninstalled" |
fi |
sleep 1 |
127,7 → 129,7 |
i=`expr $i + 1` |
[ -e /etc/ulogd-$log_type.conf ] && rm -f /etc/ulogd-$log_type.conf && echo -n "$i, " |
i=`expr $i + 1` |
[ -e /lib/systemd/system/ulogd-$log_type.service ] && rm -f /lib/systemd/system/ulogd-$log_type.service && echo -n "$i" |
[ -e /lib/systemd/system/ulogd-$log_type.service ] && rm -f /lib/systemd/system/ulogd-$log_type.service && echo -n "$i, " |
done |
sleep 1 |
157,7 → 159,7 |
#BL |
echo -en "\n- BL(1) : " |
[ -e /lib/systemd/system/iptables.service.default ] && mv /lib/systemd/system/iptables.service.default /lib/systemd/system/iptables.service && echo "1" |
[ -e /lib/systemd/system/iptables.service.default ] && mv /lib/systemd/system/iptables.service.default /lib/systemd/system/iptables.service && echo -n "1" |
sleep 1 |
#dhcpd |
222,7 → 224,6 |
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "8, " |
[ -e /etc/modprobe.preload.default ] && mv /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "9" |
echo |
/sbin/ifup $EXTIF |
sleep 1 |
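Review bot: The havp block in the hunk at line 107 removes havp2.config and /etc/init.d/havp2, but nothing restores `/etc/havp/whitelist` from the `whitelist.default` backup the installer creates alongside havp2, and the havp2 directories (`/var/tmp/havp2`, `/var/log/havp2`) created by the installer are not removed either, so an uninstall leaves the youtube whitelist entry active in havp and orphaned directories behind. A line in the same style closes the first gap: `[ -e /etc/havp/whitelist.default ] && mv /etc/havp/whitelist.default /etc/havp/whitelist && echo -n "<step>, "` with the step counter in `antivirus(6)` renumbered accordingly. In the same block, `grep havp /etc/fstab|wc -l` followed by `$SED "/havp/d" /etc/fstab` deletes every fstab line containing the string `havp` anywhere, not just the mount this installer added; anchoring the pattern on the mount point would avoid removing an unrelated entry.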
/web/acc/admin/bl_filter.php |
211,6 → 211,7 |
fputs($fichier, form_filter($_POST['BL_rehabilited_ip'])); |
fclose($fichier); |
unset($_POST['BL_rehabilited_ip']); |
exec ("sudo /usr/local/sbin/alcasar-bl.sh --reload"); |
break; |
case 'MAJ_cat_wl' : |
$tab=file($wl_categories_enabled); |
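Review bot: The new `exec ("sudo /usr/local/sbin/alcasar-bl.sh --reload");` discards the command's exit status and output, so a reload that fails (sudo denied, script error) leaves the rehabilitated-IP file written but the running filter unchanged, with no feedback to the administrator. Capture the status and surface it: `exec("sudo /usr/local/sbin/alcasar-bl.sh --reload", $output, $rc);` followed by a check of `$rc` that reports the failure in the page. The command string is fixed, so no request data reaches the shell on this line; the matching sudoers entry for the web user should likewise be limited to exactly this command and argument. The `$_POST['BL_rehabilited_ip']` value goes through `form_filter` before being written, and that function is outside the hunk.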
/web/acc/phpsysinfo/includes/XPath.class.php |
3849,7 → 3849,7 |
$step = '.'; |
$axis['axis'] = 'self'; |
$axis['node-test'] = '*'; |
break $parseBlock; |
break; |
} |
if ($step == '..') { |
3856,7 → 3856,7 |
// Select the parent axis. |
$axis['axis'] = 'parent'; |
$axis['node-test'] = '*'; |
break $parseBlock; |
break; |
} |
/////////////////////////////////////////////////// |
3908,7 → 3908,7 |
if ($step == '*') { |
// Use the child axis and select all children. |
$axis['node-test'] = '*'; |
break $parseBlock; |
break; |
} |
// ### I'm pretty sure our current handling of cdata is a fudge, and we should |
3916,7 → 3916,7 |
if ($step == "text()") { |
// Handle the text node |
$axis["node-test"] = "cdata"; |
break $parseBlock; |
break; |
} |
// There are a few node tests that we match verbatim. |
3925,7 → 3925,7 |
|| $step == "text()" |
|| $step == "processing-instruction") { |
$axis["node-test"] = $step; |
break $parseBlock; |
break; |
} |
// processing-instruction() is allowed to take an argument, but if it does, the argument |
3932,7 → 3932,7 |
// is a literal, which we will have parsed out to $[number]. |
if (preg_match(":processing-instruction\(\$\d*\):", $step)) { |
$axis["node-test"] = $step; |
break $parseBlock; |
break; |
} |
// The only remaining way this can be a step, is if the remaining string is a simple name |
3961,7 → 3961,7 |
// Not currently recursing |
$LastFailedStep = ''; |
$LastFailedContext = ''; |
break $parseBlock; |
break; |
} |
// It's not a node then, we must treat it as a PrimaryExpr |