/CHANGELOG |
---|
8,11 → 8,12 |
- Add a third RPM repository (http://ftp.free.fr) |
- Improve firewall local rules |
- Add SMTP to the list of openned ports (for filtered users) |
- Adapt user page when HTTPS is enabled with an official certificate |
- Adapt user page when HTTPS is enabled with an official certificate (Thanks to Alexandre VEZIN) |
ACC |
- avoid password preload text in password forms |
- improve "let's encrypt" & "Internet connexion" forms |
- Add an overlay with spinner on all submit forms |
- Avoid password preload text in password forms |
- Improve "let's encrypt" & "Internet connexion" forms |
- Add an overlay with spinner on all submit forms (Thanks to Alexandre VEZIN) |
- SSH : admin can disable it on EXTIF (WAN). Admin can change the listen port (Thanks to Alexandre VEZIN) |
BUGS |
- Adapt "alcasar-network.sh" when ALCASAR is in DHCP mode |
- Adapt "alcasar-watchdog.sh" when ALCASAR is in multiWAN mode |
/alcasar.sh |
---|
2171,7 → 2171,8 |
# ALCASAR conf file |
echo "HTTPS_LOGIN=off" >> $CONF_FILE |
echo "HTTPS_CHILLI=off" >> $CONF_FILE |
echo "SSH=on" >> $CONF_FILE |
echo "SSH=off" >> $CONF_FILE |
echo "SSH_WAN=22" >> $CONF_FILE |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE |
echo "LDAP=off" >> $CONF_FILE |
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE |
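Review bot: The new installer default `SSH_WAN=22` contradicts the `SSH=off` line just above it: network.php treats any numeric SSH_WAN as "SSH enabled on WAN" (`is_numeric($conf['SSH_WAN'])`), so a fresh install shows WAN SSH as active on port 22, and alcasar-iptables.sh takes `SSH_PORT=22 > 0` as the signal to add the EXTIF accept rules, whose only source filter is `SSH_ADMIN_FROM=0.0.0.0/0.0.0.0` (any address). alcasar-ssh.sh `--off` writes `SSH_WAN=` (empty), which is what the disabled state looks like everywhere else; the installer should write the same, `echo "SSH_WAN=" >> $CONF_FILE`, so that SSH on the WAN side stays opt-in. Whether the iptables SSH block is gated on `SSH=on` is not visible here (its `if` precedes the hunk), so that part is an inference.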
/conf/sudoers |
---|
13,7 → 13,7 |
User_Alias SMS=gammu_smsd # gammu-smsd owner |
# Cmnd alias specification |
Cmnd_Alias NET=/sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/bin/alcasar-dhcp.sh,/usr/local/bin/alcasar-dns-local.sh,/usr/local/bin/alcasar-network.sh,/usr/local/bin/alcasar-list-ip_gw.sh # network commands |
Cmnd_Alias NET=/sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/bin/alcasar-dhcp.sh,/usr/local/bin/alcasar-dns-local.sh,/usr/local/bin/alcasar-network.sh,/usr/local/bin/alcasar-list-ip_gw.sh,/usr/local/bin/alcasar-ssh.sh # network commands |
Cmnd_Alias URPMI=/usr/sbin/urpmi,/usr/sbin/urpmi.update # packages managment |
Cmnd_Alias BYPASS=/usr/local/bin/alcasar-bypass.sh # authentication bypass |
Cmnd_Alias RADDB=/usr/bin/radwho,/usr/sbin/chilli_query # manage users in command line |
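Review bot: Adding `/usr/local/bin/alcasar-ssh.sh` to `NET` lets whichever account is granted `NET` (its `User_Alias` is outside this hunk; presumably the web server user, since network.php invokes the script with `sudo`) rewrite `/etc/ssh/sshd_config` and restart sshd as root, with the `-p` value landing verbatim in that file. That makes the script's own argument validation part of the sudo trust boundary, and the script currently only range-checks integers, so the check there needs to be strict. A dedicated alias, e.g. `Cmnd_Alias SSH=/usr/local/bin/alcasar-ssh.sh # enable/disable sshd on EXTIF`, would also keep this privileged grant visible on its own line instead of bundled with tcpdump and the network helpers; keep it in `NET` if the project deliberately groups by functional area.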
/scripts/alcasar-iptables.sh |
---|
42,6 → 42,8 |
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
SSH_PORT=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port |
SSH_PORT=${SSH_PORT:=0} |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2` |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side) |
IPTABLES="/sbin/iptables" |
51,6 → 53,9 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2` |
nb_gw=`grep ^WAN $CONF_FILE|wc -l` |
HOST=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2` |
DOM=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2` |
DOMAIN="$HOST.$DOM" |
# Allow requests to internal DNS if activated |
if [ "$INT_DNS_ACTIVE" = "on" ] |
392,8 → 397,11 |
then |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT |
if [ $SSH_PORT -gt 0 ] |
then |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT |
fi |
fi |
# Insertion de règles locales |
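Review bot: The LAN rules at the top of the hunk still match `--dport ssh` (22) while the new WAN rules use `$SSH_PORT`; if alcasar-ssh.sh appends `Port N` to sshd_config and that file has no explicit uncommented `Port 22`, sshd listens only on N and LAN administrators lose access even though the firewall still "allows ssh" — either add the same pair of rules with `--dport $SSH_PORT` for `$TUNIF`, or document that sshd_config must keep `Port 22`. I cannot see the shipped sshd_config from this diff, so which of the two applies is unconfirmed. `SSH_PORT` also reaches iptables straight from `grep … | cut` on alcasar.conf; `[ $SSH_PORT -gt 0 ]` errors out on a non-integer and thereby skips the rules, which fails closed, but `if [[ "$SSH_PORT" =~ ^[0-9]+$ ]] && [ "$SSH_PORT" -gt 0 ] && [ "$SSH_PORT" -le 65535 ]` makes that intent explicit and silent. The enclosing `if` opens before the hunk.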
/scripts/alcasar-ssh.sh |
---|
0,0 → 1,93 |
#!/bin/bash |
# alcasar-ssh.sh |
# by Alexandre Vezin |
# enable/disable SSH on external NIC (EXTIF). Set the listen port on EXTIF |
# activation/désactivation de SSH sur la carte réseau externe (EXTIF). Définit le port d'écoute sur EXTIF |
SED="/bin/sed -i" |
CAT="/bin/cat" |
GREP="/bin/grep" |
ALCASAR_CONF="/usr/local/etc/alcasar.conf" |
SSH_CONF="/etc/ssh/sshd_config" |
usage="Usage: alcasar-ssh.sh {--off | -off} | {--on | -on} [-p port]" |
nb_args=$# |
args=$1 |
echo "Checking args" >> '/tmp/alcasar_sms_tmp.log' |
if [ $nb_args -eq 0 ] |
then |
echo "No args" >> '/tmp/alcasar_sms_tmp.log' |
echo "$usage" |
exit 1 |
fi |
while getopts ":p:" portarg; do |
case "${portarg}" in |
p) |
echo "Port check" >> '/tmp/alcasar_sms_tmp.log' |
SSH_PORT=${OPTARG} |
echo "Port : $SSH_PORT" >> /tmp/alcasar_sms_tmp.log |
if [ $SSH_PORT -lt 0 ] || [ $SSH_PORT -gt 65535 ] |
then |
echo "Invalid port" >> /tmp/alcasar_sms_tmp.log |
echo "The port $SSH_PORT is invalid" |
exit 1 |
fi |
;; |
esac |
done |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
--off | -off) |
echo "off" >> '/tmp/alcasar_sms_tmp.log' |
# Editing Alcasar configuration - Deleting the port |
$SED "s/^SSH_WAN=.*/SSH_WAN=/g" $ALCASAR_CONF |
# Editing SSH configuration - Deleting any port other than 22 |
$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF |
# Applying iptables |
/usr/local/bin/alcasar-iptables.sh |
# Restarting SSH |
/usr/bin/systemctl restart sshd |
exit 0 |
;; |
--on | -on) |
SSH_PORT=${SSH_PORT:=22} |
echo "on" >> '/tmp/alcasar_sms_tmp.log' |
$SED "s/^SSH_WAN=.*/SSH_WAN=$SSH_PORT/g" $ALCASAR_CONF |
# Checking if there is already a port other than set |
if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s22$"` -gt 0 ] |
then |
if [ $SSH_PORT -ne 22 ] |
then |
# Editing SSH configuration - Changing any port other than 22 |
$SED "/\s22$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF |
else |
# Editing SSH configuration - Deleting any port other than 22 (as 22 port is used) |
$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF |
fi |
else |
if [ $SSH_PORT -ne 22 ] |
then |
# Adding the new SSH port in the config |
echo "Port $SSH_PORT" >> $SSH_CONF |
fi |
fi |
# Applying iptables |
/usr/local/bin/alcasar-iptables.sh |
# Restarting SSH |
/usr/bin/systemctl restart sshd |
exit 0 |
;; |
*) |
echo "Argument inconnu : $1" |
echo "$usage" |
exit 1 |
;; |
esac |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
+* |
\ No newline at end of property |
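Review bot: The port check `if [ $SSH_PORT -lt 0 ] || [ $SSH_PORT -gt 65535 ]` only rejects out-of-range integers; for a non-integer `-p` value both `[` tests fail with an error (status 2, treated as false), so the script carries on and interpolates the value unquoted into the `sed` replacement for alcasar.conf and into `echo "Port $SSH_PORT" >> $SSH_CONF`, all running as root via sudo. Replace it with `if ! [[ "$SSH_PORT" =~ ^[0-9]+$ ]] || [ "$SSH_PORT" -lt 1 ] || [ "$SSH_PORT" -gt 65535 ]` so that only 1–65535 is accepted (0 currently passes as well and would be written into sshd_config). A `/usr/sbin/sshd -t || exit 1` before each `systemctl restart sshd` would avoid taking sshd down on a bad edit, which on a gateway means losing remote administration. The `>> /tmp/alcasar_sms_tmp.log` debug lines write as root to a fixed path in /tmp and look borrowed from the SMS tooling; they should be removed or routed to the system log.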
/web/acc/admin/network.php |
---|
78,12 → 78,13 |
$l_yes = "Oui"; |
$l_no = "Non"; |
$l_ssl_title = "Chiffrer les flux d'authentification entre les utilisateurs et ALCASAR"; |
$l_cert_from = "Date d'émission"; |
$l_ssh_title = "SSH"; |
$l_ssh_port = "Port"; |
$l_ssh_activate = "Activer SSH"; |
$l_cert_expiration = "Date d'expiration :"; |
$l_cert_commonname = "Nom commun :"; |
$l_cert_organization = "Organisation :"; |
$l_upload_certificate = "Importer un certificat officiel"; |
$l_le_renewal = "Renouveler le certificat Let's Encrypt"; |
$l_le_integration = "Intégrer un certificat Let's Encrypt"; |
$l_le_status = "Status :"; |
$l_disabled = "Inactif"; |
143,13 → 144,14 |
$l_yes = "Si"; |
$l_no = "No"; |
$l_ssl_title = "La autenticación de cifrado fluye entre usuarios y ALCASAR"; |
$l_cert_from = "Fecha de emisión"; |
$l_ssh_title = "SSH"; |
$l_ssh_port = "Puerto"; |
$l_ssh_activate = "Activar SSH"; |
$l_cert_expiration = "Fecha de vencimiento:"; |
$l_cert_commonname = "Common name:"; |
$l_cert_organization = "Organización:"; |
$l_upload_certificate = "Importar un certificado"; |
$l_le_integration = "Integración con Let's Encrypt"; |
$l_le_renewal = "Renovación del certificado Let's Encrypt"; |
$l_le_status = "Estado:"; |
$l_disabled = "Desactivado"; |
$l_pending_validation = "Validación pendiente"; |
207,13 → 209,14 |
$l_yes = "Yes"; |
$l_no = "No"; |
$l_ssl_title = "Cipher authentication flows between users and ALCASAR"; |
$l_cert_from = "Date of issue"; |
$l_ssh_title = "SSH"; |
$l_ssh_port = "Port"; |
$l_ssh_activate = "Activate SSH"; |
$l_cert_expiration = "Expiration date:"; |
$l_cert_commonname = "Common name:"; |
$l_cert_organization = "Organization:"; |
$l_upload_certificate = "Import an officlal certificate"; |
$l_le_integration = "Integrate a Let's Encrypt certificate"; |
$l_le_renewal = "Renewing the Let's Encrypt certificate"; |
$l_le_status = "Status:"; |
$l_disabled = "Disabled"; |
$l_pending_validation = "Pending validation"; |
370,6 → 373,14 |
} |
} |
break; |
case 'enable_wan_ssh': // Activate SSH on WAN |
if (isset($_POST['togglessh'])) { |
exec('sudo /usr/local/bin/alcasar-ssh.sh --on -p'.escapeshellarg($_POST["ssh_port"])); |
} else{ |
exec('sudo /usr/local/bin/alcasar-ssh.sh --off'); |
} |
header('Location: '.$_SERVER['PHP_SELF']); |
exit(); |
case 'https_login': // Set HTTPS login status |
if ($_POST['https_login'] === 'on') { |
exec('sudo /usr/local/bin/alcasar-https.sh --on'); |
1167,13 → 1178,26 |
</div> |
<br> |
<div class="panel"> |
<div class="panel-header"><?= $l_ssh_title ?></div> |
<div class="panel-row"> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="enable_wan_ssh"> |
<input type="checkbox" name="togglessh" id="togglessh" <?= is_numeric($conf['SSH_WAN'])? "checked": "" ?> onchange="document.getElementById('sshtable').style.display = this.checked ? 'block' : 'none';"> <b>Activer SSH <!-- TODO : Mettre traduction --></b><br> |
<div id="sshtable" style="display:<?= is_numeric($conf['SSH_WAN'])? "block": "none" ?>"> |
<label for="ssh_port"><?= $l_ssh_port ?></label> : <input style="width:120px" type="text" id="ssh_port" name="ssh_port" value="<?= is_numeric($conf['SSH_WAN']) ? $conf['SSH_WAN']:22 ?>" /><br> |
</div> |
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br> |
</form> |
</div> |
</div> |
<br> |
<div class="panel"> |
<div class="panel-header"><?= $l_import_cert ?></div> |
<div class="panel-row"> |
<div class="panel-cell"> |
<?php |
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt')); |
$certificateInfos = openssl_x509_parse(file_get_contents('/etc/pki/tls/certs/alcasar.crt')); |
$cert_expiration_date = date('d-m-Y H:i:s', $certificateInfos['validTo_time_t']); |
$cert_from_date = date('d-m-Y H:i:s', $certificateInfos['validFrom_time_t']); |
$domain = $certificateInfos['subject']['CN']; |
$organization = (isset($certificateInfos['subject']['O'])) ? $certificateInfos['subject']['O'] : ''; |
$CAdomain = $certificateInfos['issuer']['CN']; |
1181,7 → 1205,6 |
?> |
<h3><?= $l_current_certificate ?></h3> |
<b><?= $l_cert_commonname ?></b> <?= $domain ?><br> |
<b><?= $l_cert_from ?></b> <?= $cert_from_date ?><br> |
<b><?= $l_cert_expiration ?></b> <?= $cert_expiration_date ?><br> |
<b><?= $l_cert_organization ?></b> <?= $organization ?><br> |
<b><?= $l_validated ?></b> <?= $CAdomain ?> (<?= $CAorganization ?>)<br> |
1224,10 → 1247,8 |
} else { |
$step = 1; |
} |
if ($step === 2) { |
echo "<h3>$l_le_renewal</h3>"; |
} else { echo "<h3>$l_le_integration</h3>";} |
?> |
<h3><?= $l_le_integration ?></h3> |
<?php if ($step === 1): ?> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="le_issueCert"> |
1241,6 → 1262,7 |
<input type="hidden" name="choix" value="le_renewCert"> |
<?= $l_le_status ?> <?= $l_pending_validation ?><br> |
<?= $l_le_domain_name ?> <?= $LE_conf['domainRequest'] ?><br> |
<?= $l_le_ask_on ?> <?= date('d-m-Y H:i:s', $LE_conf['dateIssueRequest']) ?><br> |
<?= $l_le_dns_entry_txt ?> "<?= '_acme-challenge.'.$LE_conf['domainRequest'] ?>"<br> |
<?= $l_le_challenge ?> "<?= $LE_conf['challenge'] ?>"<br> |
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" name="recheck" value="<?= $l_recheck ?>"> <input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" name="cancel" value="<?= $l_cancel ?>"><br> |
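Review bot: In the `enable_wan_ssh` case, `$_POST["ssh_port"]` is only passed through `escapeshellarg()`, which protects the shell command line but not what alcasar-ssh.sh then does with the value (a `sed` replacement and a line appended to sshd_config, as root); validate it here before `exec()`: `$port = filter_var($_POST['ssh_port'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 65535]]); if ($port === false) { header('Location: '.$_SERVER['PHP_SELF']); exit(); }` and pass `escapeshellarg((string)$port)`. The form also hard-codes the French label `<b>Activer SSH <!-- TODO … --></b>` although the same commit defines `$l_ssh_activate` for all three languages — use `<b><?= $l_ssh_activate ?></b>`. The `exec()` status is discarded, so a failed script silently leaves the page showing the previous state; the neighbouring cases in this file appear to do the same, so that is a broader pattern rather than a defect specific to this hunk.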