
Ignore whitespace Rev 1 → Rev HEAD

/scripts/alcasar-rpm.sh
0,0 → 1,296
#!/bin/bash
 
# alcasar-rpm.sh
# by 3abtux and Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# script de mise en place des dépots RPM + installation des RPM complémentaires
# configure the RPM repository + complementary RPM installation
 
Lang=`echo $LANG|cut -c 1-2`
SED="/bin/sed -i"
VERSION="9"
ARCH="x86_64"
# The kernel version we compile netflow for
KERNEL="kernel-server-6.6.28-1.mga9"
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
# (old) perl-Socket6 : needed by nfsen
# "fonts-dejavu-common" & "fonts-ttf-dejavu" : fonts needed by wkhtmltopdf
# "lsscsi" & nvme-cli" & "php-dom" : needed by phpsysinfo
# "socat" : avoid a warning when run the install script of letsencrypt ("acme.sh")
# "sudo" : needed after a reinstallation (to be investigated)
# "postfix" + "cyrus-sasl" + "lib64sasl2-plug-plain" : email registration method
# "nmap" : "/usr/share/nmap/nmap-mac-prefixes" is used to display MAC manufacturers in ACC
 
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-dom php-filter unbound e2guardian postfix mariadb ntpsec bind-utils openssh-server rng-utils rsync fail2ban gnupg2 ulogd ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware kernel-firmware-nonfree dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat postfix cyrus-sasl lib64sasl2-plug-plain iftop"
 
rpm_repository_sync ()
{
cat <<EOF > /etc/urpmi/urpmi.cfg
{
downloader: wget
}
EOF
echo ${!MIRRORLIST}
urpmi.addmedia core --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/core/release
urpmi.addmedia core-updates --update --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/core/updates
urpmi.addmedia nonfree --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/nonfree/release
urpmi.addmedia nonfree-updates --update --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/nonfree/updates
}
 
rpm_error ()
{
# restore previous rpm conf file & removed RPMs
[ -e /etc/urpmi/urpmi.cfg.old ] && mv /etc/urpmi/urpmi.cfg.old /etc/urpmi/urpmi.cfg
urpmi --no-verify-rpm --auto rpms/$ARCH/wkhtmltopdf*.rpm
echo
if [ $Lang == "fr" ]
then
echo "Relancez l'installation ultérieurement."
echo "Si vous rencontrez à nouveau ce problème, modifier les variables MIRRORLIST[1&2] du fichier 'scripts/alcasar-rpm.sh'"
else
echo "Try an other install later."
echo "If this problem occurs again, change the MIRRORLIST[1&2] variables in the file 'scripts/alcasar-rpm.sh'"
fi
}
 
# We prefer wget than curl
urpmi --no-verify-rpm --auto rpms/$ARCH/wget*.rpm
 
# Set the RPM repository (if not already set)
cp /etc/urpmi/urpmi.cfg /etc/urpmi/urpmi.cfg.old
ACTIVE_REPO=`cat /etc/urpmi/urpmi.cfg|grep "mageia.org"|wc -l`
MIRROR_NBR=3
# For French
MIRRORLIST1="http://ftp.free.fr/mirrors/mageia.org/distrib/$VERSION/$ARCH"
# For Europeans
MIRRORLIST2="https://www.mirrorservice.org/pub/mageia/distrib/$VERSION/$ARCH"
# For everybody
MIRRORLIST3="https://mirrors.mageia.org/api/mageia.$VERSION.$ARCH.list"
try_nb="0"; nb_repository="0"
while [ "$nb_repository" != "4" ]
do
try_nb=`expr $try_nb + 1`
MIRRORLIST="MIRRORLIST$try_nb"
rpm_repository_sync
nb_repository=`cat /etc/urpmi/urpmi.cfg|grep mirrorlist|wc -l`
if [ "$nb_repository" != "4" ]
then
if [ $Lang == "fr" ]
then
echo "Une erreur a été détectée lors de la synchronisation avec le dépot N°$try_nb."
else
echo "An error occurs when synchronising the repositories N°$try_nb"
fi
if [ $(expr $try_nb) -eq $MIRROR_NBR ]
then
rpm_error
exit 1
fi
if [ $Lang == "fr" ]
then
echo "Voulez-vous tenter une synchronisation avec un autre dépôt ? (O/n)"
else
echo "Do you want to try a synchronisation with an other repository? (Y/n)"
fi
response=0
PTN='^[oOnNyY]?$'
until [[ "$response" =~ $PTN ]]
do
read response
done
if [ "$response" = "n" ] || [ "$response" = "N" ]
then
[ -e /etc/urpmi/urpmi.cfg.old ] && mv /etc/urpmi/urpmi.cfg.old /etc/urpmi/urpmi.cfg # restore previous rpm conf file
exit 1
fi
fi
done
 
# Clean the RPM cache
urpmi --clean
 
# At this time, we only skip Kernel update
echo "/^kernel/" > /etc/urpmi/skip.list
if [ `grep -E '^exclude=' /etc/dnf/dnf.conf |wc -l` -eq "1" ]; then
$SED "s?^exclude=.*?exclude=kernel\*?g" /etc/dnf/dnf.conf
else
echo "exclude=kernel*" >> /etc/dnf/dnf.conf
fi
 
# download the kernel used by ALCASAR
if [ $Lang == "fr" ]
then
echo "Récupération du noyau Linux exploité par ALCASAR. Veuillez patienter ..."
else
echo "Download the Linux kernel used by ALCASAR. Please wait ..."
fi
urpmi --auto --quiet $KERNEL
 
# download updated RPM in cache
if [ $Lang == "fr" ]
then
echo "Récupération des paquetages de mise à jour. Veuillez patienter ..."
echo "Il est temps d'aller prendre un café (ou une bonne bière) ;-)"
else
echo "Updated RPM download. Please wait ..."
echo "You should now take a coffe (or a good beer) ;-)"
fi
urpmi --auto --auto-update --quiet --test --retry 2
if [ "$?" != "0" ]
then
echo
if [ $Lang == "fr" ]
then
echo "Une erreur a été détectée lors de la récupération des paquetages."
else
echo "An error occurs when downloading RPMS"
fi
rpm_error
exit 1
fi
 
# update with cached RPM
urpmi --auto --auto-update
if [ "$?" != "0" ]
then
echo
if [ $Lang == "fr" ]
then
echo "Une erreur a été détectée lors de la mise à jour des paquetages."
else
echo "An error occurs when updating packages"
fi
rpm_error
exit 1
fi
 
# Download of ALCASAR specifics RPM in cache (and test)
if [ $Lang == "fr" ]
then
echo "Récupération des paquetages complémentaires. Veuillez patienter ..."
else
echo "Download of complementary packages. Please wait ..."
fi
urpmi --auto --no-recommends $PACKAGES --quiet --test --retry 2
if [ "$?" != "0" ]
then
echo
if [ $Lang == "fr" ]
then
echo "Une erreur a été détectée lors de la récupération des paquetages complémentaires."
else
echo "An error occurs when downloading complementary packages"
fi
rpm_error
exit 1
fi
 
# update with cached RPM
urpmi --auto --no-recommends $PACKAGES
if [ "$?" != "0" ]
then
echo
if [ $Lang == "fr" ]
then
echo "Une erreur a été détectée lors de l'installation des paquetages complémentaires."
else
echo "An error occurs when installing complementary packages"
fi
rpm_error
exit 1
fi
 
# Keep only the kernel version we compil netflow with, and remove all others
kernelVersion=$(rpm -qa | grep -e ^kernel-server -e ^kernel-desktop)
for i in $kernelVersion
do
if [ $i != $KERNEL ];then
urpme --auto $i
fi
done
 
# delete unused RPMs
if [ $Lang == "fr" ]
then
echo "Cleaning the system : "
else
echo "Nettoyage du système : "
fi
unused_rpm="shorewall mandi plymouth squid polkit pm-utils dnsmasq clamav clamd clamav-db"
/usr/sbin/urpme --auto -a $unused_rpm
for distrib in mga7 mga8
do
for rpm in `rpm -qa|grep $distrib`; do urpme --auto $rpm; done
done
/usr/sbin/urpme --auto --auto-orphans
 
# Save chilli launch script (erase with new rpm one)
[ -e /etc/chilli.conf ] && cp /etc/chilli.conf /tmp/
# Install home made RPMs
for pkg in `ls rpms/$ARCH/*.rpm`
do
urpmi --no-verify --auto $pkg
done
# restore chilli launch script
[ -e /tmp/chilli.conf ] && mv /tmp/chilli.conf /etc/
 
# Clean the RPM cache
urpmi --clean
# the ipt-netflow RPM add the kernel module ipt_NETFLOW (the modules dependance tree need to be updated). "2>/dev/null" in order not to display a error (the running kernel is not the ALCASAR one during the installation process)
/sbin/depmod -a 2>/dev/null
# test if all needed rpms are correctly installed
count_pkg=0; nb_pkg=0;
for pkg in $PACKAGES
do
nb_pkg=`expr $nb_pkg + 1`
if rpm -q --quiet $pkg ; then
count_pkg=`expr $count_pkg + 1`
else
echo "error installing $pkg"
fi
done
if [ $count_pkg -ne $nb_pkg ]
then
exit 1
fi
 
# test if all custom rpms are correctly installed
count_pkg=0; nb_pkg=0;
for pkg in `ls rpms/$ARCH/|sed 's/.x86_64.rpm//'`
do
nb_pkg=`expr $nb_pkg + 1`
if rpm -q --quiet $pkg ; then
count_pkg=`expr $count_pkg + 1`
else
echo "error installing $pkg"
fi
done
if [ $count_pkg -ne $nb_pkg ]
then
exit 1
fi
 
# .rpmnew handling (unused with ALCASAR)
[ -e /etc/shadow.rpmnew ] && rm -f /etc/shadow.rpmnew
[ -e /etc/sysconfig/system.rpmnew ] && rm -f /etc/sysconfig/system.rpmnew
[ -e /etc/rpm/macros.rpmnew ] && rm -f /etc/rpm/macros.rpmnew
[ -e /etc/fstab.rpmnew ] && rm -f /etc/fstab.rpmnew
[ -e /etc/shells.rpmnew ] && rm -f /etc/shells.rpmnew
[ -e /etc/hosts.rpmnew ] && rm -f /etc/hosts.rpmnew
[ -e /etc/systemd/journald.conf.rpmnew ] && rm -f /etc/systemd/journald.conf.rpmnew
[ -e /etc/raddb/certs/dh.rpmnew ] && rm -f /etc/raddb/certs/dh.rpmnew
 
# .rpmnew handling (used with ALCASAR)
[ -e /etc/php.ini.rpmnew ] && mv -f /etc/php.ini.rpmnew /etc/php.ini.default
[ -e /etc/lighttpd/lighttpd.conf.rpmnew ] && mv -f /etc/lighttpd/lighttpd.conf.rpmnew /etc/lighttpd/lighttpd.conf.default
[ -e /etc/lighttpd/modules.conf.rpmnew ] && mv -f /etc/lighttpd/modules.conf.rpmnew /etc/lighttpd/modules.conf.default
[ -e /etc/e2guardian/e2guardian.conf.rpmnew ] && mv -f /etc/e2guardian/e2guardian.conf.rpmnew /etc/e2guardian/e2guardian.conf.default
[ -e /etc/e2guardian/e2guardianf1.conf.rpmnew ] && mv -f /etc/e2guardian/e2guardianf1.conf.rpmnew /etc/e2guardian/e2guardianf1.conf.default
[ -e /etc/e2guardian/lists/urlregexplist.rpmnew ] && mv -f /etc/e2guardian/lists/urlregexplist.rpmnew /etc/e2guardian/lists/urlregexplist.default
[ -e /etc/e2guardian/lists/bannedregexpurllist.rpmnew ] && mv -f /etc/e2guardian/lists/bannedregexpurllist.rpmnew /etc/e2guardian/lists/bannedregexpurllist.default
[ -e /etc/vnstat.conf.rpmnew ] && mv -f /etc/vnstat.conf.rpmnew /etc/vnstat.conf.default
[ -e /etc/fail2ban/jail.conf.rpmnew ] && mv -f /etc/fail2ban/jail.conf.rpmnew /etc/fail2ban/jail.conf.default
[ -e /etc/ssh/sshd_config.rpmnew ] && mv -f /etc/ssh/sshd_config.rpmnew /etc/ssh/sshd_config.default
 
exit 0
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
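Review bot: Every locally shipped RPM is installed with signature checking disabled — `--no-verify-rpm` for the wget and wkhtmltopdf packages and `--no-verify` in the install loop over `rpms/$ARCH/*.rpm` — so the integrity of what lands on the system rests entirely on the install tree the script is run from; a header comment stating that assumption, or a checksum manifest verified before that loop, would make the trust boundary explicit. The chilli.conf save/restore pair (`cp /etc/chilli.conf /tmp/` … `mv /tmp/chilli.conf /etc/`) stages a configuration file under a fixed name in world-writable /tmp; `tmpd=$(mktemp -d)`, `cp -p /etc/chilli.conf "$tmpd/"` and `mv -f "$tmpd/chilli.conf" /etc/` avoids the predictable path and preserves the file's mode. The custom-RPM verification loop hard-codes `sed 's/.x86_64.rpm//'` although `$ARCH` exists for exactly that, so a noarch package placed in rpms/ would be reported as an install error; `sed 's/\.[^.]*\.rpm$//'` strips either architecture suffix. `Lang` is also tested unquoted (`[ $Lang == "fr" ]`), which with an unset LANG only falls through to English by way of a "unary operator expected" error; `[ "$Lang" == "fr" ]` is the intended form.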
/scripts/alcasar-db-migrations/alcasar-migration_db-3.7.0.sh
0,0 → 1,79
#!/bin/bash
#
# alcasar-migration_db-3.7.0.sh
# by Richard REY (Rexy)
#
# This script is distributed under the Gnu General Public License (GPL)
#
# Migrate database structure to ALCASAR 3.7.0
# Changes:
# - Update radacct table
# - remove 'groupname'
# - add 'acctupdatetime', 'acctinterval', 'framedipv6address', 'framedipv6prefix', 'framedinterfaceid', 'delegatedipv6prefix' & 'class'
# - change 'acctsessionid', 'acctuniqueid', 'nasportid', 'connectinfo start' & 'connectinfo stop'
# - KEY add: 'framedipv6address', 'framedipv6prefix', 'framedinterfaceid', 'delegatedipv6prefix', acctinterval & class
# - Update radpostauth table
# - add 'class'
# - KEY add: 'class' & 'username'
# - add nas table
 
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_PASS=$(cat $PASSWD_FILE | grep ^db_root= | cut -d'=' -f2-)
 
DRY_RUN=false
 
if [ $# -eq 1 ] && [ "$1" == "--simulation" ]; then
DRY_RUN=true
fi
 
db_query () {
if $DRY_RUN && [[ ! "$1" =~ ^'SELECT ' ]]; then
echo "[SQL] request: \"$1\""
else
mysql -u root -p"$DB_PASS" -D radius -e "$1" -Ns
[ $? -ne 0 ] && echo "[SQL] ERROR (\"$1\")"
fi
}
 
# Update radacct table attributes
db_query "ALTER TABLE radacct DROP COLUMN IF EXISTS groupname"
 
db_query "ALTER TABLE radacct ADD COLUMN IF NOT EXISTS acctupdatetime datetime DEFAULT NULL;"
db_query "ALTER TABLE radacct ADD COLUMN IF NOT EXISTS acctinterval int(12) DEFAULT NULL;"
db_query "ALTER TABLE radacct ADD COLUMN IF NOT EXISTS framedipv6address varchar(45) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radacct ADD COLUMN IF NOT EXISTS framedipv6prefix varchar(45) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radacct ADD COLUMN IF NOT EXISTS framedinterfaceid varchar(45) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radacct ADD COLUMN IF NOT EXISTS delegatedipv6prefix varchar(45) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radacct ADD COLUMN IF NOT EXISTS class varchar(64) DEFAULT NULL;"
 
db_query "ALTER TABLE radacct MODIFY COLUMN acctsessionid varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radacct MODIFY COLUMN acctuniqueid varchar(32) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radacct MODIFY COLUMN nasportid varchar(32) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radacct MODIFY COLUMN connectinfo_start varchar(128) COLLATE utf8_bin DEFAULT NULL;"
db_query "ALTER TABLE radacct MODIFY COLUMN connectinfo_stop varchar(128) COLLATE utf8_bin DEFAULT NULL;"
 
db_query "ALTER TABLE radacct ADD INDEX (framedipv6address);"
db_query "ALTER TABLE radacct ADD INDEX (framedipv6prefix);"
db_query "ALTER TABLE radacct ADD INDEX (framedinterfaceid);"
db_query "ALTER TABLE radacct ADD INDEX (delegatedipv6prefix);"
db_query "ALTER TABLE radacct ADD INDEX (acctinterval);"
db_query "ALTER TABLE radacct ADD INDEX (class);"
 
# update radpostauth table
db_query "ALTER TABLE radpostauth ADD COLUMN IF NOT EXISTS class varchar(64) DEFAULT NULL;"
db_query "ALTER TABLE radpostauth ADD INDEX (class);"
 
# add nas table
db_query "CREATE TABLE IF NOT EXISTS nas (
id int(10) NOT NULL AUTO_INCREMENT,
nasname varchar(128) NOT NULL,
shortname varchar(32),
type varchar(30) DEFAULT 'other',
ports int(5),
secret varchar(60) DEFAULT 'secret' NOT NULL,
server varchar(64),
community varchar(50),
description varchar(200) DEFAULT 'RADIUS Client',
PRIMARY KEY (id),
KEY nasname (nasname)
);"
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
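Review bot: `db_query` passes the database root password on the command line (`mysql -u root -p"$DB_PASS"`), where it is briefly visible in the process list to other local users on every statement (the client scrubs argv after start-up, not before); the same pattern is in alcasar-migration_db-3.2.0.sh, 3.3.0.sh and 3.3.1.sh. Passing it through the environment, `MYSQL_PWD="$DB_PASS" mysql -u root -D radius -e "$1" -Ns`, or through a `--defaults-extra-file`, keeps it off argv. `DB_PASS` is never checked either: if /root/ALCASAR-passwords.txt is missing or has no `db_root=` line, `-p"$DB_PASS"` collapses to a bare `-p` and the client prompts (or fails without a tty) on each statement, so `: "${DB_PASS:?db_root not found in $PASSWD_FILE}"` right after the assignment gives one clear failure instead. In the `nas` DDL, `secret varchar(60) DEFAULT 'secret' NOT NULL` means a NAS row inserted without an explicit value gets a guessable shared secret; this appears to mirror the stock FreeRADIUS schema, so if it is intentional a comment saying so would help, otherwise drop the default so inserts must supply one.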
/scripts/alcasar-db-migrations/alcasar-migration_db-3.2.0.sh
0,0 → 1,81
#!/bin/bash
#
# $Id: alcasar-migration-3.2.0_dbStructure.sh 2798 2020-04-07 09:01:01Z rexy $
#
# alcasar-migration_db-3.2.0.sh
# by Tom HOUDAYER & Richard REY (Rexy)
#
# This script is distributed under the Gnu General Public License (GPL)
#
# Migrate database structure to ALCASAR 3.2.0
# Changes:
# - Set database engine of radius tables to InnoDB
# - Set column names in lowercase in radius tables
# - Set index names in lowercase in radius tables
# - Set RADIUS attribute length to 64 characters
 
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_PASS=$(cat $PASSWD_FILE | grep ^db_root= | cut -d'=' -f2-)
 
DRY_RUN=false
 
if [ $# -eq 1 ] && [ "$1" == "--simulation" ]; then
DRY_RUN=true
fi
 
db_query () {
if $DRY_RUN && [[ ! "$1" =~ ^'SELECT ' ]]; then
echo "[SQL] request: \"$1\""
else
mysql -u root -p"$DB_PASS" -D radius -e "$1" -Ns
[ $? -ne 0 ] && echo "[SQL] ERROR (\"$1\")"
fi
}
 
 
# Set database engine of radius tables to InnoDB
db_res=$(db_query "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'radius' AND ENGINE != 'InnoDB';")
if [ -n "$db_res" ]; then
while read -r tableName; do
db_query "ALTER TABLE $tableName ENGINE = InnoDB;"
done <<< "$db_res"
fi
 
# Set column names in lowercase in radius tables
db_res=$(db_query "SELECT COLUMN_NAME, TABLE_NAME, COLUMN_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = 'radius' AND TABLE_NAME IN ('mtotacct', 'totacct', 'userinfo') AND BINARY COLUMN_NAME REGEXP BINARY '[A-Z]';")
if [ -n "$db_res" ]; then
while read -r line; do
columnName=$(echo "$line" | cut -f1)
tableName=$(echo "$line" | cut -f2)
columnType=$(echo "$line" | cut -f3)
columnNameLower=${columnName,,}
db_query "ALTER TABLE $tableName CHANGE $columnName $columnNameLower $columnType;"
done <<< "$db_res"
fi
 
# Set index names in lowercase in radius tables
db_res=$(db_query "SELECT INDEX_NAME, TABLE_NAME, GROUP_CONCAT(COLUMN_NAME SEPARATOR ',') FROM ( SELECT INDEX_NAME, TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.STATISTICS WHERE TABLE_SCHEMA = 'radius' AND TABLE_NAME IN ('mtotacct', 'totacct', 'userinfo') AND INDEX_NAME != 'PRIMARY' AND BINARY INDEX_NAME REGEXP BINARY '[A-Z]' ORDER BY SEQ_IN_INDEX ) AS indexes GROUP BY TABLE_NAME, INDEX_NAME;")
if [ -n "$db_res" ]; then
while read -r line; do
indexName=$(echo "$line" | cut -f1)
tableName=$(echo "$line" | cut -f2)
indexColumns=$(echo "$line" | cut -f3)
indexNameLower=${indexName,,}
db_query "ALTER TABLE $tableName DROP INDEX $indexName, ADD INDEX $indexNameLower ($indexColumns);"
done <<< "$db_res"
fi
 
# Set RADIUS attribute length to 64 characters
db_query "ALTER TABLE radacct MODIFY COLUMN acctuniqueid varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radcheck MODIFY COLUMN attribute varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radreply MODIFY COLUMN attribute varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radgroupcheck MODIFY COLUMN attribute varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
db_query "ALTER TABLE radgroupreply MODIFY COLUMN attribute varchar(64) COLLATE utf8_bin NOT NULL DEFAULT '';"
 
# Fix potential bugs
db_query "UPDATE radreply SET attribute = 'Alcasar-Status-Page-Must-Stay-Open' WHERE attribute = 'Alcasar-Status-Page-Must-Stay-Op';"
db_query "UPDATE radgroupreply SET attribute = 'Alcasar-Status-Page-Must-Stay-Open' WHERE attribute = 'Alcasar-Status-Page-Must-Stay-Op';"
db_query "ALTER TABLE mtotacct DROP COLUMN mtotacctid;"
db_query "ALTER TABLE mtotacct ADD COLUMN mtotacctid bigint(21) AUTO_INCREMENT NOT NULL PRIMARY KEY FIRST;"
db_query "ALTER TABLE totacct DROP COLUMN totacctid;"
db_query "ALTER TABLE totacct ADD COLUMN totacctid bigint(21) AUTO_INCREMENT NOT NULL PRIMARY KEY FIRST;"
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
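Review bot: `db_query` prints its `[SQL] ERROR (...)` message to stdout, and this script captures stdout into `db_res` and feeds each line back into `ALTER TABLE` as table, column and index names — so a failed SELECT (wrong password, server down) does not stop the migration but yields further statements built from the error text; the same capture pattern is in alcasar-migration_db-3.3.0.sh and 3.3.1.sh. Sending diagnostics to stderr, `[ $? -ne 0 ] && echo "[SQL] ERROR (\"$1\")" >&2`, keeps them out of `db_res`. Note also that the function's exit status is that of the `[ ... ] && echo` chain — 1 on success and 0 after an error — so callers cannot rely on `db_query ... || exit 1` until it returns mysql's status explicitly. The final "Fix potential bugs" block unconditionally drops and re-adds `mtotacctid`/`totacctid` as AUTO_INCREMENT primary keys, which renumbers existing rows and repeats on every run; an INFORMATION_SCHEMA guard like the ones used earlier in the script would make that step idempotent.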
/scripts/alcasar-db-migrations/alcasar-migration_db-3.3.0.sh
0,0 → 1,103
#!/bin/bash
#
# $Id: alcasar-migration-3.3.0_dbRadiusAttrs.sh 2664 2018-11-19 17:35:12Z tom.houdayer $
#
# alcasar-migration_db-3.3.0.sh
# by Tom HOUDAYER
#
# This script is distributed under the Gnu General Public License (GPL)
#
# Migrate user database to ALCASAR 3.3.0
# Changes:
# - Explode "Filter-Id" RADIUS attribute into "Alcasar-Filter", "Alcasar-Protocols-Filter", "Alcasar-Status-Page-Must-Stay-Open" and "Alcasar-Imputability-Warning"
# - Rename "ChilliSpot-*" RADIUS attribute to "CoovaChilli-*"
# - Rename "Max-All-Session" RADIUS attribute to "Alcasar-Expire-After"
 
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_PASS=$(cat $PASSWD_FILE | grep ^db_root= | cut -d'=' -f2-)
 
DRY_RUN=false
 
if [ $# -eq 1 ] && [ "$1" == "--simulation" ]; then
DRY_RUN=true
fi
 
db_query () {
if $DRY_RUN && [[ ! "$1" =~ ^'SELECT ' ]]; then
echo "[SQL] request: \"$1\""
else
mysql -u root -p"$DB_PASS" -D radius -e "$1" -Ns
[ $? -ne 0 ] && echo "[SQL] ERROR (\"$1\")"
fi
}
 
for step in $(seq 1 2); do
if [ $step -eq 1 ]; then
tableNameCheck='radcheck'
tableNameReply='radreply'
loginName='username'
else
tableNameCheck='radgroupcheck'
tableNameReply='radgroupreply'
loginName='groupname'
fi
 
# Explode "Filter-Id" RADIUS attribute into "Alcasar-Filter", "Alcasar-Protocols-Filter", "Alcasar-Status-Page-Must-Stay-Open" and "Alcasar-Imputability-Warning"
db_res=$(db_query "SELECT $loginName, value FROM $tableNameReply WHERE attribute = 'Filter-Id';")
if [ -n "$db_res" ]; then
echo "$(echo "$db_res" | wc -l) \"Filter-Id\" found in table \"$tableNameReply\"."
while read -r line; do
login=$(echo "$line" | cut -f1)
filterId=$(echo "$line" | cut -f2)
echo " $login ($filterId)..."
 
if [ ${filterId:5:1} == '1' ]; then # Filter: HAVP_WL
filter='4'
elif [ ${filterId:6:1} == '1' ]; then # Filter: HAVP_BL
filter='3'
elif [ ${filterId:7:1} == '1' ]; then # Filter: HAVP
filter='2'
else # Filter: NOT_FILTERED
filter=''
fi
[ ! -z "$filter" ] && db_query "INSERT INTO $tableNameReply ($loginName, attribute, value, op) VALUES ('$login','Alcasar-Filter','$filter', '=');"
 
if [ ${filterId:2:1} == '1' ]; then # FilterProto: PROFILE 3 (Custom)
filterProto='4';
elif [ ${filterId:1:1} == '1' ]; then # FilterProto: PROFILE 2 (WEB + Mail + Remote access)
filterProto='3';
elif [ ${filterId:0:1} == '1' ]; then # FilterProto: PROFILE 1 (WEB)
filterProto='2';
else # FilterProto: PROFILE 0 (Not filtered)
filterProto='';
fi
[ ! -z "$filterProto" ] && db_query "INSERT INTO $tableNameReply ($loginName, attribute, value, op) VALUES ('$login','Alcasar-Protocols-Filter','$filterProto', '=');"
 
if [ ${filterId:4:1} == '1' ]; then # status_open_required
statusOpenRequired='2';
else
statusOpenRequired='';
fi
[ ! -z "$statusOpenRequired" ] && db_query "INSERT INTO $tableNameReply ($loginName, attribute, value, op) VALUES ('$login','Alcasar-Status-Page-Must-Stay-Open','$statusOpenRequired', '=');"
 
if [ ${filterId:3:1} == '1' ]; then # imputability warning
imputabilityWarning='1';
else
imputabilityWarning='';
fi
[ ! -z "$imputabilityWarning" ] && db_query "INSERT INTO $tableNameReply ($loginName, attribute, value, op) VALUES ('$login','Alcasar-Imputability-Warning','$imputabilityWarning', '=');"
 
db_query "DELETE FROM $tableNameReply WHERE attribute = 'Filter-Id' AND $loginName = '$login';"
done <<< "$db_res"
fi
 
# Rename "ChilliSpot-*" RADIUS attribute to "CoovaChilli-*"
db_query "UPDATE $tableNameReply SET attribute = 'CoovaChilli-Max-Input-Octets' WHERE attribute = 'ChilliSpot-Max-Input-Octets';"
db_query "UPDATE $tableNameReply SET attribute = 'CoovaChilli-Max-Output-Octets' WHERE attribute = 'ChilliSpot-Max-Output-Octets';"
db_query "UPDATE $tableNameReply SET attribute = 'CoovaChilli-Max-Total-Octets' WHERE attribute = 'ChilliSpot-Max-Total-Octets';"
db_query "UPDATE $tableNameReply SET attribute = 'CoovaChilli-Bandwidth-Max-Up' WHERE attribute = 'ChilliSpot-Bandwidth-Max-Up';"
db_query "UPDATE $tableNameReply SET attribute = 'CoovaChilli-Bandwidth-Max-Down' WHERE attribute = 'ChilliSpot-Bandwidth-Max-Down';"
 
# Rename "Max-All-Session" RADIUS attribute to "Alcasar-Expire-After"
db_query "UPDATE $tableNameCheck SET attribute = 'Alcasar-Expire-After' WHERE attribute = 'Max-All-Session';"
done
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
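Review bot: The `$login` and `$filterId` values read back from the reply table are interpolated into the INSERT and DELETE statements without any escaping (`VALUES ('$login', ...)`, `$loginName = '$login'`), so a username or groupname containing a single quote breaks the statement, and because `db_query` only prints the error the loop continues and the closing DELETE for that login can run without its replacement rows having been inserted; alcasar-migration_db-3.3.1.sh embeds `$login` and `$value` the same way. Doubling the quote before use, `login_sql=${login//"'"/"''"}`, and using `$login_sql` in the statements keeps such rows intact. The `[ ${filterId:5:1} == '1' ]` tests are unquoted, so a `Filter-Id` value shorter than eight characters leaves at least one expansion empty and produces `[ == '1' ]` with a "unary operator expected" error rather than a clean skip; `[ "${filterId:5:1}" == '1' ]` (and likewise for the other offsets) makes the short-value case explicit.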
/scripts/alcasar-db-migrations/alcasar-migration_db-3.3.1.sh
0,0 → 1,62
#!/bin/bash
#
# $Id: alcasar-migration-3.3.1_dbRadiusAttrs.sh 2664 2018-11-19 17:35:12Z tom.houdayer $
#
# alcasar-migration_db-3.3.1.sh
# by Tom HOUDAYER
#
# This script is distributed under the Gnu General Public License (GPL)
#
# Migrate user database to ALCASAR 3.3.1
# Changes:
# - Move "CoovaChilli-Max-Total-Octets" RADIUS attribute from radreply to radcheck
# - Delete "CoovaChilli-Max-Input-Octets" and "CoovaChilli-Max-Output-Octets" RADIUS attributes
 
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_PASS=$(grep ^db_root= $PASSWD_FILE | cut -d'=' -f2-)
 
DRY_RUN=false
 
if [ $# -eq 1 ] && [ "$1" == "--simulation" ]; then
DRY_RUN=true
fi
 
db_query () {
if $DRY_RUN && [[ ! "$1" =~ ^'SELECT ' ]]; then
echo "[SQL] request: \"$1\""
else
mysql -u root -p"$DB_PASS" -D radius -e "$1" -Bs
[ $? -ne 0 ] && echo "[SQL] ERROR (\"$1\")"
fi
}
 
for step in $(seq 1 2); do
if [ $step -eq 1 ]; then
tableNameCheck='radcheck'
tableNameReply='radreply'
loginName='username'
else
tableNameCheck='radgroupcheck'
tableNameReply='radgroupreply'
loginName='groupname'
fi
 
# Move "CoovaChilli-Max-Total-Octets" RADIUS attribute from radreply to radcheck
db_res=$(db_query "SELECT $loginName, value FROM $tableNameReply WHERE attribute = 'CoovaChilli-Max-Total-Octets';")
if [ -n "$db_res" ]; then
echo "$(echo "$db_res" | wc -l) \"CoovaChilli-Max-Total-Octets\" found in table \"$tableNameReply\"."
while read -r line; do
login=$(echo "$line" | cut -f1)
value=$(echo "$line" | cut -f2)
echo " $login..."
 
db_query "INSERT INTO $tableNameCheck ($loginName, attribute, value, op) VALUES ('$login','CoovaChilli-Max-Total-Octets','$value', ':=');"
 
done <<< "$db_res"
db_query "DELETE FROM $tableNameReply WHERE attribute = 'CoovaChilli-Max-Total-Octets';"
fi
 
# Delete "CoovaChilli-Max-Input-Octets" and "CoovaChilli-Max-Output-Octets" RADIUS attributes
db_query "DELETE FROM $tableNameReply WHERE attribute = 'CoovaChilli-Max-Input-Octets';"
db_query "DELETE FROM $tableNameReply WHERE attribute = 'CoovaChilli-Max-Output-Octets';"
done
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
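Review bot: The move from the reply table to the check table is not atomic: the `DELETE FROM $tableNameReply WHERE attribute = 'CoovaChilli-Max-Total-Octets'` after the loop runs whether or not every INSERT succeeded, so a single failed INSERT (a quote in a login, a connection drop mid-loop) silently loses that user's quota. `db_query` cannot signal that today, since its exit status is that of the trailing `[ $? -ne 0 ] && echo` — 1 on success, 0 after an error. Returning mysql's status from `db_query` and aborting before the DELETE when an INSERT fails closes the gap; alternatively the whole move can be a server-side `INSERT ... SELECT` followed by the DELETE inside one transaction. This script also uses `-Bs` where the sibling migration scripts use `-Ns`; if `-Bs` does not suppress the column-name row the way `-Ns` does, the first loop iteration would process the header line as a login — worth confirming against the client in use.
```shell
db_query () {
  if $DRY_RUN && [[ ! "$1" =~ ^'SELECT ' ]]; then
    echo "[SQL] request: \"$1\""
  else
    local rc
    mysql -u root -p"$DB_PASS" -D radius -e "$1" -Bs
    rc=$?
    [ $rc -ne 0 ] && echo "[SQL] ERROR (\"$1\")" >&2
    return $rc
  fi
}
# … unchanged: step loop, SELECT and the read loop head …
            db_query "INSERT INTO $tableNameCheck ($loginName, attribute, value, op) VALUES ('$login','CoovaChilli-Max-Total-Octets','$value', ':=');" || exit 1
# … unchanged: loop end, DELETE statements …
```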
/scripts/alcasar-conf.sh
0,0 → 1,524
#!/bin/bash
# $Id$
 
# alcasar-conf.sh
# by REXY
# This script is distributed under the Gnu General Public License (GPL)
 
# Ce script permet la mise à jour d'un ALCASAR
# - (alcasar-conf.sh -create) : création de l'archive des fichiers de configuration (/var/tmp/alcasar-conf.tar.gz)
# - (alcasar-conf.sh -load) : chargement de l'archive des fichiers de configuration. Le cas échéant, c'est ici qu'on met à jour les fichiers entre versions
# - (alcasar-conf.sh -apply) : application des directives du fichier de conf central "/usr/local/etc/alcasar.conf". Peut aussi être exploité à chaud après avoir changé des valeurs du fichier de conf.
# This script allows ALCASAR update
# - (alcasar-conf.sh -create) : create the configuration files backup (/var/tmp/alcasar-conf.tar.gz)
# - (alcasar-conf.sh -load) : load the backup of configuration files. If needed, it's here we update files between versions
# - (alcasar-conf.sh -load) : apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf". Can be use after changes of conf file values.
 
DIR_UPDATE="/var/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour
DIR_WEB="/var/www/html" # répertoire du centre de gestion
DIR_BIN="/usr/local/bin" # scripts directory
DIR_ETC="/usr/local/etc" # conf directory
DIR_E2G="/etc/e2guardian/lists" # Toulouse BL directory
DIR_BLACKLIST="$DIR_E2G/blacklists" # Toulouse BL directory
CONF_FILE="$DIR_ETC/alcasar.conf" # main alcasar conf file
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_USER=$(grep '^db_user=' $PASSWD_FILE | cut -d'=' -f 2-)
DB_PASS=$(grep '^db_password=' $PASSWD_FILE | cut -d'=' -f 2-)
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
MTU=`grep ^PUBLIC_MTU= $CONF_FILE|cut -d"=" -f2`
DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
INT_DNS_mode=`grep ^INT_DNS_ACTIVE= $CONF_FILE|cut -d"=" -f2`
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
DOMAIN=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
DOMAIN=${DOMAIN:=localdomain}
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2` # To configure WL domain names
HTTPS_LOGIN=`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`
SED="/bin/sed -i"
 
private_network_calc ()
{
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24)
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0)
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24)
classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; # classes de réseau (ex.: 2=classe B, 3=classe C)
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.)
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # last octet of LAN broadcast
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF
}
 
usage="Usage: alcasar-conf.sh {--create or -create} | {--load or -load} | {--apply or -apply}"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
###################################################
## Create an archive conf file ##
###################################################
--create|-create)
[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE
mkdir $DIR_UPDATE
# backup the users database (test to delete in future version)
$DIR_BIN/alcasar-mysql.sh --dump
cp /var/Save/base/"$(ls -1t /var/Save/base|head -1)" $DIR_UPDATE
# backup organism logo
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE
# backup E2D BL/WL custom files
mkdir $DIR_UPDATE/custom_bl
for i in urlregexplist exceptionsitelist bannedurllist
do
cp $DIR_E2G/group1/$i $DIR_UPDATE/custom_bl/
done
cp $DIR_E2G/common/exceptioniplist $DIR_UPDATE/custom_bl/
cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null
# backup conf files (main conf file, filtering, digest, etc.)
mkdir $DIR_UPDATE/etc/
cp -rf $DIR_ETC/* $DIR_UPDATE/etc/
cp -f /etc/hosts $DIR_UPDATE/etc/
# backup of the security certificates (server & CA)
cp -f /etc/pki/tls/certs/alcasar.crt* $DIR_UPDATE
cp -f /etc/pki/tls/private/alcasar.key* $DIR_UPDATE
[ -e /etc/pki/tls/private/alcasar.pem ] && cp -f /etc/pki/tls/private/alcasar.pem $DIR_UPDATE # since V3.3
cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE
cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE
if [ -e /etc/pki/tls/certs/server-chain.pem ]; then
cp -f /etc/pki/tls/certs/server-chain.pem $DIR_UPDATE # autosigned and official if exist
else
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.pem
fi
# backup gammu conf file (if necessary)
SMS=`grep ^SMS= $CONF_FILE|cut -d"=" -f2`
if [ "$SMS" == "on" ]
then
cp -f /etc/gammurc $DIR_UPDATE
cp -f /etc/gammu_smsd_conf $DIR_UPDATE
fi
# archive file creation
cd /var/tmp || { echo "Unable to find /var/tmp directory"; }
tar -cf alcasar-conf.tar conf/
gzip -f alcasar-conf.tar
cp alcasar-conf.tar.gz /var/www/html/acc/backup/alcasar-conf.tar.gz
chown apache:apache /var/www/html/acc/backup/alcasar-conf.tar.gz
rm -rf $DIR_UPDATE
;;
 
###################################################
## Load an archive conf file ##
###################################################
--load|-load)
if [ ! -f /var/tmp/alcasar-conf.tar.gz ]; then
echo "Conf file not found (/var/tmp/alcasar-conf.tar.gz) !"
return 1
fi
CURRENT_DIR=`pwd` # install folder
cd /var/tmp
tar -xf alcasar-conf.tar.gz
# update alcasar.conf parameters
PREVIOUS_VERSION=`grep ^VERSION= $DIR_UPDATE/etc/alcasar.conf|cut -d"=" -f2`
MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
for line in `cat $DIR_UPDATE/etc/alcasar.conf | grep "=" | grep -Ev "^#| |VERSION|INSTALL_DATE|PUBLIC|GW|EXTIF|INTIF"`
do
key=`echo $line | cut -d"=" -f1`
key=$key=
value=`echo $line|cut -d"=" -f2-`
if [ "$value" != "" ]
then
sed -i "s?^$key.*?$key$value?g" /usr/local/etc/alcasar.conf
fi
done
# lighttpd need a .pem certificate (aggregation with private key & server crt)
[ ! -f $DIR_UPDATE/alcasar.pem ] && (cat $DIR_UPDATE/alcasar.key; echo; cat $DIR_UPDATE/alcasar.crt) > $DIR_UPDATE/alcasar.pem
# Retrieve organism logo
[ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/
chown apache:apache $DIR_WEB/images/organisme.png $DIR_WEB/intercept.php
# Retrieve the security certificates (CA and server)
cp -f $DIR_UPDATE/alcasar-ca.crt /etc/pki/CA/
cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/
cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/
cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/
[ -e $DIR_UPDATE/server-chain.pem ] && cp -f $DIR_UPDATE/server-chain.pem /etc/pki/tls/certs/ # autosigned and official if exist
chmod 755 /etc/pki/
chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
chmod 600 /etc/pki/CA/private/*
chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
chmod 640 /etc/pki/tls/private/*
chmod 644 /etc/pki/tls/certs/*
# Import of the users database
$DIR_BIN/alcasar-mysql.sh --import "$(ls $DIR_UPDATE/alcasar-users-database*)"
# Retrieve local parameters
[ -d $DIR_UPDATE/etc/digest ] && cp -rf $DIR_UPDATE/etc/digest $DIR_ETC/ # ACC accounts
[ -e $DIR_UPDATE/etc/alcasar-iptables-local.sh ] && cp -f $DIR_UPDATE/etc/alcasar-iptables-local.sh $DIR_ETC/ # local FW rules
[ -e $DIR_UPDATE/etc/alcasar-iptables-local-mac-filtered ] && cp -f $DIR_UPDATE/etc/alcasar-iptables-local-mac-filtered $DIR_ETC/ # blocked MAC addresses
[ -e $DIR_UPDATE/etc/alcasar-services ] && cp -f $DIR_UPDATE/etc/alcasar-services $DIR_ETC/ # protocols filtering for users (profil 3 : customized with ACC)
[ -e $DIR_UPDATE/etc/alcasar-uamdomain ] && cp -f $DIR_UPDATE/etc/alcasar-uamdomain $DIR_ETC/ # exception domain names
[ -e $DIR_UPDATE/etc/alcasar-uamallowed ] && cp -f $DIR_UPDATE/etc/alcasar-uamallowed $DIR_ETC/ # exception IP_addresses or network_IP_addresses
[ -e $DIR_UPDATE/etc/alcasar-ethers ] && cp -f $DIR_UPDATE/etc/alcasar-ethers $DIR_ETC/ # DHCP static hosts
[ -e $DIR_UPDATE/etc/alcasar-ethers-info ] && cp -f $DIR_UPDATE/etc/alcasar-ethers-info $DIR_ETC/ # DHCP static hosts information
[ -e $DIR_UPDATE/etc/hosts ] && cp -f $DIR_UPDATE/etc/hosts /etc/ # local host name resolution
[ -e $DIR_UPDATE/etc/alcasar-letsencrypt ] && cp -f $DIR_UPDATE/etc/alcasar-letsencrypt $DIR_ETC/ # Letsencrypt local conf
[ -d $DIR_UPDATE/etc/letsencrypt ] && cp -rf $DIR_UPDATE/etc/letsencrypt $DIR_ETC/ # Letsencrypt local conf files
[ -e $DIR_UPDATE/gammurc ] && cp -f $DIR_UPDATE/gammurc /etc/ # Gammu conf file
[ -e $DIR_UPDATE/gammu_smsd_conf ] && cp -f $DIR_UPDATE/gammu_smsd_conf /etc/ # Gammu_smsd conf file
# Retrieve BL/WL custom files
cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/common/
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/group1/
cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/group1/
cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/group1/
cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null
chown -R e2guardian:apache $DIR_E2G
chmod -R g+rw $DIR_E2G
# Adapt DNS/URL filtering
PARENT_SCRIPT=`basename $0`
export PARENT_SCRIPT
$DIR_BIN/alcasar-bl.sh -cat_choice
$DIR_BIN/alcasar-bl.sh -reload
# admin profile update (admin + manager + backup)
$DIR_BIN/alcasar-profil.sh --list
# Apply changes between versions
## V3.5 --> V3.6
## remove dnsmasq service
[ -e /etc/dnsmasq-whitelist.conf ] && rm -f /etc/dnsmasq*
[ -e /etc/systemd/system/dnsmasq-whitelist.service ] && rm -f /etc/systemd/system/dnsmasq* && urpme dnsmasq
# Remove the update folder
rm -rf $DIR_UPDATE
;;
 
####################################################
## Configure ALCASAR according to alcasar.conf ##
####################################################
--apply|-apply)
PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
if [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -eq 0 ]]
then
echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)"
exit 0
fi
PUBLIC_IP_MASK=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`
if [[ "$PUBLIC_IP_MASK" == "dhcp" ]]
then
PUBLIC_GATEWAY="dhcp"
DHCP_DNS_servers=`cat /var/lib/dhclient/dhclient--$EXTIF.lease |grep domain-name-servers|sed -n "1 p"| rev|cut -d" " -f1|rev|tr -d ';'`
DNS1=`echo $DHCP_DNS_servers | cut -d"," -f1`
DNS2=`echo $DHCP_DNS_servers | cut -d"," -f2`
else
if [[ $(expr "$PUBLIC_IP_MASK" : $PTN) -eq 0 ]]
then
echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)"
exit 0
fi
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
PUBLIC_GATEWAY=`grep ^GW= $CONF_FILE|cut -d"=" -f2`
PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)$'
if [[ $(expr "$PUBLIC_GATEWAY" : $PTN) -eq 0 ]]
then
echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)"
exit 0
fi
DNS1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
if [[ $(expr "$DNS1" : $PTN) -eq 0 ]]
then
echo "Syntax error for the IP address of the first DNS server ($DNS1)"
exit 0
fi
DNS2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
if [[ $(expr "$DNS2" : $PTN) -eq 0 ]]
then
echo "Syntax error for the IP address of the second DNS server ($DNS2)"
exit 0
fi
fi
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`
private_network_calc
INSTALL_DATE=`grep ^INSTALL_DATE= $CONF_FILE|cut -d"=" -f2`
ORGANISME=`grep ^ORGANISM= $CONF_FILE|cut -d"=" -f2-`
BL_SAFESEARCH=`grep ^BL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2`
WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2`
BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE|cut -d"=" -f2`
DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
if [ "$DHCP_mode" = "off" ] || [ "$DHCP_mode" = "Off" ] || [ "$DHCP_mode" = "OFF" ]
then
$DIR_BIN/alcasar-dhcp.sh --off
else
$DIR_BIN/alcasar-dhcp.sh --on
fi
# Set the local DNS (or not)
if [ "$INT_DNS_mode" = "on" ] || [ "$INT_DNS_mode" = "On" ] || [ "$INT_DNS_mode" = "ON" ]
then
$DIR_BIN/alcasar-dns-local.sh --on-without-restart
else
$DIR_BIN/alcasar-dns-local.sh --off-without-restart
fi
# Set the pure ip option (or not)
if [ "$BL_PUREIP" = "off" ] || [ "$BL_PUREIP" = "Off" ] || [ "$BL_PUREIP" = "OFF" ]
then
bl_filter_param+="--pureip_off"
else
bl_filter_param+="--pureip_on"
fi
# Set the safesearch options (or not)
bl_filter_param=""
if [ "$BL_SAFESEARCH" = "on" ] || [ "$BL_SAFESEARCH" = "On" ] || [ "$BL_SAFESEARCH" = "ON" ]
then
bl_filter_param+="--safesearch_on "
else
bl_filter_param+="--safesearch_off "
fi
$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param
if [ "$WL_SAFESEARCH" = "on" ] || [ "$WL_SAFESEARCH" = "On" ] || [ "$WL_SAFESEARCH" = "ON" ]
then
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on
else
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off
fi
# Reload the local dns configuration
$DIR_BIN/alcasar-dns-local.sh --reload
# Logout everybody
$DIR_BIN/alcasar-logout.sh all
# Services stop
echo -n "Stop services : "
for i in ntpd e2guardian unbound unbound-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd
do
/usr/bin/systemctl stop $i && echo -n "$i, "
done
echo
fi
# EXTIF config
if [ $PUBLIC_IP_MASK == "dhcp" ]
then
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=dhcp
DNS1=127.0.0.1
PEERDNS=no
RESOLV_MODS=yes
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
MTU=$MTU
NOZEROCONF=yes
EOF
else # set the static configuration for EXTIF in multi-gw mode
$DIR_BIN/alcasar-network.sh --apply
fi
# INTIF config (for bypass mode only)
$SED "s?^IPADDR=.*?IPADDR=$PRIVATE_IP?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
# NTP server
$SED "/127.0.0.1/!s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap?g" /etc/ntp.conf
# host.allow
cat <<EOF > /etc/hosts.allow
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
sshd: ALL
ntpd: $PRIVATE_NETWORK_SHORT
EOF
# Set hostname
hostnamectl set-hostname $HOSTNAME.$DOMAIN
# /etc/hosts (retriving local hostnames)
cp /etc/hosts /tmp/hosts
echo "127.0.0.1 localhost" > /etc/hosts
echo "$PRIVATE_IP $HOSTNAME $HOSTNAME.$DOMAIN" >> /etc/hosts
while read -r line
do
if ! echo $line | grep -E -q "^([0-9\.\t ]+alcasar( |$)|127\.0\.0)"
then
echo $line >> /etc/hosts
fi
done < /tmp/hosts
rm -f /tmp/hosts
# MOTD
$SED "s@'https://\(.\+\)/acc'@'https://$HOSTNAME.$DOMAIN/acc'@" /etc/mageia-release
# Lighttpd
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
# FreeRADIUS
$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf
$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf
# CoovaChilli
$SED "s/^uamallowed.*/uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
$SED "s/^domain.*/domain\t\t$DOMAIN/g" /etc/chilli.conf
[ "`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http"
$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf
$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
$SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf
$SED "s?^dns1.*?dns1\t\t$PRIVATE_IP?g" /etc/chilli.conf
$SED "s?^dns2.*?dns2\t\t$PRIVATE_IP?g" /etc/chilli.conf
$SED "s?^uamlisten.*?uamlisten\t$PRIVATE_IP?g" /etc/chilli.conf
PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
$SED "s?^dhcpopt.*?dhcpopt\t\t2a04$PRIVATE_IP_HEXA?g" /etc/chilli.conf
# modify the DHCP static ip file. Reserve the second IP address for INTIF (the first one is for tun0). Keep previous entries
$SED "s?^$PRIVATE_MAC.*?$PRIVATE_MAC $PRIVATE_SECOND_IP?" $DIR_ETC/alcasar-ethers $DIR_ETC/alcasar-ethers-info
# unbound
# removing unbound configuration files
rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.*
rm -f /etc/unbound/conf.d/common/forward-zone.conf
# Configuration file for the dns servers forward-zone
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
forward-zone:
name: "."
forward-addr: $DNS1
forward-addr: $DNS2
EOF
# Configuration file for lo of forward
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
server:
interface: 127.0.0.1@53
access-control-view: 127.0.0.1/8 lo
view:
name: "lo"
local-data: "$HOSTNAME A 127.0.0.1"
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
view-first: yes
EOF
# Configuration file for $INTIF of forward
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@53
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
view:
name: "$INTIF"
view-first: yes
EOF
# Configuration file for $INTIF of blacklist
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@54
access-control: $PRIVATE_IP_MASK allow
access-control-tag: $PRIVATE_IP_MASK "blacklist"
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
EOF
# Configuration file for $INTIF of whitelist
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@55
access-control: $PRIVATE_IP_MASK allow
access-control-tag: $PRIVATE_IP_MASK "whitelist"
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
EOF
# Configuration file for $INTIF of blackhole unbound
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@56
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
view:
name: "$INTIF"
local-zone: "." redirect
local-data: ". A $PRIVATE_IP"
EOF
 
# dhcpd
cat <<EOF > /etc/dhcpd.conf
ddns-update-style none;
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
option routers $PRIVATE_IP;
option subnet-mask $PRIVATE_NETMASK;
option domain-name-servers $PRIVATE_IP;
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
default-lease-time 21600;
max-lease-time 43200;
}
EOF
$DIR_BIN/alcasar-dns-local.sh -hosts_to_unbound # add local name resolution to unbound (forward & blackhole)
# E2guardian
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf
$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
# Prompts
$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
# sudoers
$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
# gammu-smsd
$SED "s?^user =.*?user = $DB_USER?g" /etc/gammu_smsd_conf
$SED "s?^password =.*?password = $DB_PASS?g" /etc/gammu_smsd_conf
# HTTPS login (Y/n)
if [ "$HTTPS_LOGIN" = "on" ] || [ "$HTTPS_LOGIN" = "On" ] || [ "$HTTPS_LOGIN" = "ON" ]
then
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE
$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=on?" $CONF_FILE
$SED "s?^uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" /etc/chilli.conf
$SED "s?^#redirssl.*?redirssl?" /etc/chilli.conf
$SED "s?^#uamuissl.*?uamuissl?" /etc/chilli.conf
rm -f /etc/lighttpd/vhosts.d/alcasar.conf
ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
else
$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE
$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=off?" $CONF_FILE
$SED "s?^uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" /etc/chilli.conf
$SED "s?^redirssl.*?#&?" /etc/chilli.conf
$SED "s?^uamuissl.*?#&?" /etc/chilli.conf
rm -f /etc/lighttpd/vhosts.d/alcasar.conf
ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
fi
# Services start
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1
$DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli
for i in unbound unbound-blackhole ntpd
do
sleep 1
/usr/bin/systemctl start $i && echo -n ", $i"
done
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", unbound-blacklist, unbound-whitelist, e2guardian, iptables"
/usr/bin/systemctl restart lighttpd && echo -n ", lighttpd"
fi
# Email user registration
$DIR_BIN/alcasar-mail-install.sh
# Start / Stop LDAP authentification
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
LDAP_mode=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2`
if [ $LDAP_mode = "on" ]
then
$DIR_BIN/alcasar-ldap.sh --on
else
$DIR_BIN/alcasar-ldap.sh --off
fi
fi
# Start / Stop Gammu-smsd (SMS)
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
SMS_mode=`grep ^SMS= $CONF_FILE|cut -d"=" -f2`
if [ $SMS_mode = "on" ]
then
$DIR_BIN/alcasar-sms.sh --start
fi
fi
echo
;;
*)
echo "Argument inconnu : $1";
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
/scripts/alcasar-iptables.sh
0,0 → 1,588
#!/bin/bash
# $Id$
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script writes the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders
# There are four channels for log :
# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);
# 2 protection of ALCASAR with the Ulog group 1 (default group)
# 3 SSH on ALCASAR with the Ulog group 2;
# 4 extern access attempts on ALCASAR with the Ulog group 3.
# The bootps/dhcp (67) port is always open on tun0/INTIF by coova
CONF_FILE="/usr/local/etc/alcasar.conf"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
TUNIF="tun0" # listen device for chilli daemon
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24)
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
dhcp_on_extif="off"
if [[ "$public_ip_mask" == "dhcp" ]]
then
dhcp_on_extif="on"
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
public_ip_mask=`ip addr show $EXTIF | grep -o -E $PTN`
fi
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
dns2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
dns1=${dns1:=208.67.220.220}
dns2=${dns2:=208.67.222.222}
DNSSERVERS="$dns1,$dns2" # first and second public DNS servers
INT_DNS_IP=`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2` # Adresse du serveur DNS interne
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port
SSH_LAN=${SSH_LAN:=0}
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` # SSH WAN port
SSH_WAN=${SSH_WAN:=0}
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2`
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}
SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" )
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
IPTABLES="/sbin/iptables"
REHABILITED_IP="/etc/e2guardian/lists/common/exceptioniplist"
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
interlan=${interlan:=off}
 
# Allow requests to internal DNS if activated
if [ "$INT_DNS_ACTIVE" = "on" ]
then
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
fi
 
#ipset name list for load_balancing
gw_list="gw0"
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
for ((i=1 ; i<=$nb_gw ; i++)); do
gw_list="${gw_list} gw$i"
done
fi
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
ipset list not_filtered 1>/dev/null 2>&1
if [ $? -eq 0 ];
then
ipset save not_filtered > $TMP_users_set_save
ipset save av >> $TMP_users_set_save
ipset save av_bl >> $TMP_users_set_save
ipset save av_wl >> $TMP_users_set_save
ipset save proto_0 >> $TMP_users_set_save
ipset save proto_1 >> $TMP_users_set_save
ipset save proto_2 >> $TMP_users_set_save
ipset save proto_3 >> $TMP_users_set_save
fi
 
# Sauvegarde de la liste de toutes les IP déjà connectées pour les réintégrer dans le load balancing
# Saving all of the already connected IP in order to put them back in the load balancing after
if [ ! -f $TMP_ip_gw_save ];then
# Save only if alcasar-network.sh --save has not been executed before
for i in $gw_list;do
ipset list $i 1>/dev/null 2>&1
if [ $? -eq 0 ]
then
# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines execpt the members
ipset list $i | cut -d":" -f5 | sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save
fi
done
fi
 
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
# loading of NetFlow probe (ipt_NETFLOW kernel module)
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 
# Effacement des règles existantes
# Flush all existing rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
 
# Suppression des chaines utilisateurs sur les tables filter et nat
# Flush non default rules on filter and nat tables
$IPTABLES -X
$IPTABLES -t nat -X
 
# Stratégies par défaut
# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
#############################
# IPSET #
#############################
# destruction de tous les SET
# destroy all SET
ipset flush
ipset destroy
 
###### BL set ###########
# Calcul de la taille / Compute the length
bl_set_length=$(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)
# Chargement / loading
echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
do
cat $BL_IP_CAT/$category >> $TMP_set_save
done
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
# Suppression des ip réhabilitées / Removing of rehabilitated ip
for ip in $(cat $REHABILITED_IP)
do
ipset -q del bl_ip_blocked $ip
done
 
# ipset for exception web sites (usefull for filtered users = av_bl)
ipset create site_direct hash:net hashsize 1024
for site in $(cat $ALLOWED_SITES)
do
ipset add site_direct $site
done
 
###### WL set ###########
# taille fixe, car peuplé par unbound / fixe length due to unbound dynamic loading
wl_set_length=65536
# Chargement Loading
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
#get ip-wl files from ACC
for category in `ls -1 $WL_IP_CAT |cut -d '@' -f1`
do
cat $WL_IP_CAT/$category >> $TMP_set_save
done
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
 
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET
# Restoring the connected users SETs if available, otherwise creating SETs
if [ -e $TMP_users_set_save ];
then
ipset -! restore < $TMP_users_set_save
rm -f $TMP_users_set_save
else
ipset create not_filtered hash:ip hashsize 1024
ipset create av hash:ip hashsize 1024
ipset create av_bl hash:ip hashsize 1024
ipset create av_wl hash:ip hashsize 1024
# pour les filtrages de protocole par utilisateur / For network protocols filtering by user
ipset create proto_0 hash:ip hashsize 1024
ipset create proto_1 hash:ip hashsize 1024
ipset create proto_2 hash:ip hashsize 1024
ipset create proto_3 hash:ip hashsize 1024
fi
 
#ipsets for load balancing
for i in $gw_list; do
ipset create $i hash:ip
done
cat $TMP_ip_gw_save | while read ip; do
gw_min="gw0"
weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2`
already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2`
#The *1000 is here to avoid working on floats in bash
gw_min_value=$((1000 * $already / $weight))
i=1
for gw in $gw_list;do
if [ "$gw" != "gw0" ]; then
weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'`
already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2`
value=$((1000 * $already / $weight))
if [ $value -lt $gw_min_value ]
then
gw_min_value=$value
gw_min=$gw
fi
i=$(($i+1))
fi
done
ipset add $gw_min $ip
done
rm -f $TMP_ip_gw_save
 
#############################
# PREROUTING #
#############################
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
# 8080 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
# 8081 = ipset av_wl + av (to be redefine)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8081 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8081 -j MARK --set-mark 2
# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av (future version)
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6
 
# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT
# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules
# 54 = ipset av_bl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3
# 55 = ipset av_wl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4
# 56 = blackall
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 56 -j MARK --set-mark 5
 
# redirection DNS des usagers
# users DNS redirection
# 54 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54
# 55 = ipset av_wl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
# 53 = all other users
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
 
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection HTTP des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'av_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Journalisation des usagers "av_bl + av_wl + av" (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
# accounting of "av_bl + av_wl + av" users (only syn packets). Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
 
# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
# 8080 = ipset av_bl
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# 8081 = ipset av_wl & av
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
 
# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian (in a future version - don't forget to set E2guardian as a tranparent HTTPS proxy)
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
 
# Redirection des requêtes NTP vers le serveur NTP local
# Redirect NTP request in local NTP server
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
 
#Récupération de la marque associée à une gw pour chaque connection
$IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark
 
if [ "$PROXY" == "on" ] || [ "$PROXY" == "On" ];then
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp -m multiport --dports http,https -j DNAT --to-destination $PROXY_IP
fi
 
#Marquage pour le load balancing
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
temp_index=200
for i in $gw_list; do
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index
temp_index=$(($temp_index+1))
done
fi
 
#############################
# INPUT #
#############################
# Tout passe sur loopback
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
 
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN)
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
 
# Si configuré, on autorise les réponses DHCP sur EXTIF
# If configured, DHCP responses are allowed on EXTIF
if [[ "$dhcp_on_extif" == "on" ]]
then
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 68 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 68 -j ACCEPT
fi
 
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
# Drop broadcast & multicast on EXTIF to avoid log
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On autorise les retours de connexions légitimes par INPUT
# Conntrack on INPUT
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8081 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av
#$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av (future version)
 
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian
# Allow HTTP connections to E2Guardian
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8081 -m conntrack --ctstate NEW --syn -j ACCEPT
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT # (future version)
 
# On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections to DNS ports (UNBOUND). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 3 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 55 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 4 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 5 -j REJECT --reject-with tcp-reset
 
# On autorise les connexion DNS légitime
# Allow DNS connections
# ipset = av_bl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
# ipset = av_wl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
# blackall
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
 
# On accepte l'accès aux services internes
# Internal services access
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
 
# Accès au serveur SSHD si activé en LAN et WAN
# SSHD server access in LAN and WAN if enabled
if [ $SSH_LAN -gt 0 ]
then
$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT
fi
if [ $SSH_WAN -gt 0 ]
then
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
. /usr/local/etc/alcasar-iptables-local.sh
fi
 
# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN
# Deny and log on INPUT from the LAN
$IPTABLES -A INPUT -i $TUNIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 
# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
# Reject INTIF access (only when chilli is down)
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 3 --nflog-prefix "RULE Protect1 -- REJECT "
$IPTABLES -A INPUT -i $INTIF -j REJECT
 
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
 
#############################
# FORWARD #
#############################
 
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
# Deny IPs of the SET bl_ip_blocked for the set av_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
# Active le suivi de session
# Allow Conntrack
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# Compute uamallowed IP (ie : IP address of equipments connected between ALCASAR and router like DMZ, own servers, etc.)
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
if [ $nb_uamallowed != "0" ]
then
while read ip_allowed_line
do
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m conntrack --ctstate NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m conntrack --ctstate NEW -j ACCEPT
done < /usr/local/etc/alcasar-uamallowed
fi
 
# filtrage protocole par utilisateur (profile 1 : http, https)
# protocols filtering for users (profil 1 : http, https)
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 
# filtrage protocole par utilisateur (profile 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh 465+587(smtps))
# protocols filtering for users (profil 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh 465+587(smtps))
 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh,465,587 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh,465,587 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
# protocols filtering for users (profil 3 : customized with ACC)
custom_tcp_protocols_list='';custom_udp_protocols_list=''
while read svc_line
do
svc_on=`echo $svc_line|cut -b1`
if [ $svc_on != "#" ]
then
svc_name=`echo $svc_line|cut -d" " -f1`
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
then
svc_icmp="on"
else
if [ "$custom_tcp_protocols_list" == "" ]
then
custom_tcp_protocols_list=$svc_port
else
custom_tcp_protocols_list=`echo $custom_tcp_protocols_list","$svc_port`
fi
udp_svc=`grep -E "[[:space:]]$svc_port/udp" /etc/services|wc -l`
if [ $udp_svc = "1" ] # udp service exist
then
if [ "$custom_udp_protocols_list" == "" ]
then
custom_udp_protocols_list=$svc_port
else
custom_udp_protocols_list=`echo $custom_udp_protocols_list","$svc_port`
fi
fi
fi
fi
done < /usr/local/etc/alcasar-services
if [ "$custom_tcp_protocols_list" == "" ]
then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -j REJECT
else
if [ "$svc_icmp" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j REJECT --reject-with icmp-proto-unreachable
fi
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports $custom_tcp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
fi
 
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
if [ "$interlan" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
fi
 
# Blocage des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL
# Block 'av_wl' users who want IP not in the WL
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -j DROP
 
# journalisation et autorisation des connections sortant du LAN
# Allow forward connections with log
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j ACCEPT
 
#############################
# OUTPUT #
#############################
# On laisse tout sortir sur la carte interne (voir les règles suivantes pour la carte externe)
# We let everything out on INTIF (see following rules for the EXTIF)
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 
# Si configuré, on autorise les requêtes DHCP sur EXTIF
# Allow DHCP requests on EXTIF if configured
if [[ "$dhcp_on_extif" == "on" ]]
then
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT
fi
 
# On autorise les requêtes DNS vers les serveurs DNS identifiés
# Allow DNS requests to identified DNS servers
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
 
# On autorise les requêtes HTTP et HTTPS avec log Netflow (en provenance de E2guardian)
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
 
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
# RSYNC requests are allowed (update of Toulouse BL)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
 
# On autorise les requêtes FTP
# FTP requests are allowed
# modprobe nf_conntrack_ftp # no more needed with kernel > 5.15.85
# $IPTABLES -t raw -A OUTPUT -p tcp --dport ftp -j CT --helper ftp # no more needed with kernel > 5.15.85
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# On autorise les requêtes NTP
# NTP requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
 
# On autorise les requêtes ICMP (ping)
# ICMP (ping) requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
 
# On autorise les requêtes LDAP
# LDAP requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p tcp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 
#############################
# POSTROUTING #
#############################
# Traduction dynamique d'adresse en sortie
# Dynamic NAT on EXTIF
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
#Sauvegarde de la marque associée à la connexion pour le load balancing
$IPTABLES -A POSTROUTING -t mangle -j CONNMARK --save-mark
 
#############################
# FAIL2BAN #
#############################
# Reload Fail2Ban
if systemctl -q is-active fail2ban; then
/usr/bin/fail2ban-client ping &>/dev/null && /usr/bin/fail2ban-client -q reload &>/dev/null
fi
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
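--- a/scripts/alcasar-rpm-download.sh
+++ b/scripts/alcasar-rpm-download.sh
@@ -0,0 +1,156 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-rpm-download.sh
+# by Franck BOUIJOUX and Richard REY
+# This script is distributed under the Gnu General Public License (GPL)
+
+# récupération des RPM nécessaires dans un fichier tarball
+# retrieve needed RPM in a tarball file
+
+VERSION="8"
+ARCH="x86_64"
+# The kernel version we compile netflow for
+KERNEL="kernel-server-6.6.28-1.mga9"
+# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
+# (old) perl-Socket6 : needed by nfsen
+# "fonts-dejavu-common" & "fonts-ttf-dejavu" : fonts needed by wkhtmltopdf
+# "lsscsi" & nvme-cli" : needed by phpsysinfo
+# "socat" : avoid a warning when run the install script of letsencrypt ("acme.sh")
+# "sudo" : needed after a reinstallation (to be investigated)
+# "clamav" + "clamav-db" : needed because of a lack of mutual dependance
+# "postfix" + "cyrus-sasl" + "lib64sasl2-plug-plain" : email registration method
+PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-filter unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamav clamav-db clamd fail2ban gnupg2 ulogd ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat postfix cyrus-sasl lib64sasl2-plug-plain iftop"
+
+rpm_repository_sync ()
+{
+cat <<EOF > /etc/urpmi/urpmi.cfg
+{
+downloader: wget
+}
+EOF
+urpmi.addmedia core --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/core/release
+urpmi.addmedia core-updates --update --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/core/updates
+urpmi.addmedia nonfree --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/nonfree/release
+urpmi.addmedia nonfree-updates --update --probe-synthesis --mirrorlist ${!MIRRORLIST} /media/nonfree/updates
+}
+
+rpm_error ()
+{
+echo
+echo "Relancez l'installation ultérieurement."
+echo "Si vous rencontrez à nouveau ce problème, modifier les variables MIRRORLIST[1&2] du fichier 'scripts/alcasar-rpm.sh'"
+echo "Try an other install later."
+echo "If this problem occurs again, change the MIRRORLIST[1&2] variables in the file 'scripts/alcasar-rpm.sh'"
+}
+
+# extract the current architecture (i586 ou X64)
+fic=`cat /etc/product.id`
+old="$IFS"
+IFS=","
+set $fic
+for i in $*
+do
+if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
+then
+ARCH=`echo $i|cut -d"=" -f2`
+fi
+done
+IFS="$old"
+# We prefer wget than curl
+wget_exist=`rpm -qa|grep wget|wc -l`
+if [ "$wget_exist" -eq "0" ]
+then
+urpmi --no-verify-rpm --auto ../rpms/$ARCH/wget*.rpm
+fi
+# Set the RPM repository
+MIRROR_NBR=2
+# For french ALCASARistes
+MIRRORLIST1="http://www.mirrorservice.org/sites/mageia.org/pub/mageia/distrib/$VERSION/$ARCH"
+# For International install
+MIRRORLIST2="http://mirrors.mageia.org/api/mageia.$VERSION.$ARCH.list"
+try_nb="0"; nb_repository="0"
+while [ "$nb_repository" != "4" ]
+do
+try_nb=`expr $try_nb + 1`
+MIRRORLIST="MIRRORLIST$try_nb"
+rpm_repository_sync
+nb_repository=`cat /etc/urpmi/urpmi.cfg|grep mirrorlist|wc -l`
+if [ "$nb_repository" != "4" ]
+then
+echo "Une erreur a été détectée lors de la synchronisation avec le dépot N°$try_nb."
+echo "An error occurs when synchronising the repositories N°$try_nb"
+if [ $(expr $try_nb) -eq $MIRROR_NBR ]
+then
+rpm_error
+exit 1
+fi
+echo "Voulez-vous tenter une synchronisation avec un autre dépôt (O/n)?"
+echo "Do you want to try a synchronisation with an other repository (Y/n)?"
+response=0
+PTN='^[oOnNyY]?$'
+until [[ "$response" =~ $PTN ]]
+do
+read response
+done
+if [ "$response" = "n" ] || [ "$response" = "N" ]
+then
+exit 1
+fi
+fi
+done
+# delete unused RPMs
+echo "Cleaning the system : "
+for rm_rpm in shorewall dhcp-server cyrus-sasl distcache-server avahi mandi radeontool mondo mindi
+do
+/usr/sbin/urpme --auto $rm_rpm --auto-orphans 2>/dev/null
+echo -n "."
+done
+urpmi --clean
+# download RPM in cache
+echo "Récupération des paquetages de mise à jour. Veuillez patienter ..."
+echo "Updated RPM download. Please wait ..."
+echo "Il est temps d'aller prendre un café :-) "
+echo "You should now take a Beer ;-) "
+urpmi --auto --auto-update --quiet --test --retry 2
+if [ "$?" != "0" ]
+then
+echo
+echo "Une erreur a été détectée lors de la récupération des paquetages."
+echo "An error occurs when downloading RPMS"
+rpm_error
+exit 1
+fi
+# update with cached RPM
+urpmi --auto --auto-update --noclean
+if [ "$?" != "0" ]
+then
+echo
+echo "Une erreur a été détectée lors de la mise à jour des paquetages."
+echo "An error occurs when updating packages"
+rpm_error
+exit 1
+fi
+
+# Download of ALCASAR specifics RPM in cache (and test)
+echo "Récupération des paquetages complémentaires. Veuillez patienter ..."
+echo "Download of complementary packages. Please wait ..."
+urpmi --auto $KERNEL --quiet --test --retry 2
+urpmi --auto $PACKAGES --quiet --test --retry 2
+if [ "$?" != "0" ]
+then
+echo
+echo "Une erreur a été détectée lors de la récupération des paquetages complémentaires."
+echo "An error occurs when downloading complementary packages"
+rpm_error
+exit 1
+fi
+echo "archive creation. Please wait..."
+cd /var/cache/urpmi
+tar -czf rpms-$ARCH.tar.gz rpms/
+# Clean the RPM cache
+urpmi --clean
+mv rpms-$ARCH.tar.gz /root/
+cd
+echo "Your RPM archive file is /root/rpms-$ARCH.tar.gz"
+exit 0
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property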
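Review bot: `urpmi --no-verify-rpm --auto ../rpms/$ARCH/wget*.rpm` in the wget bootstrap step installs a package with signature verification switched off, from a relative path that depends on the caller's working directory; both MIRRORLIST URLs are plain `http://`, so RPM signatures are the only integrity control this script has, and the flag should only stay if the bundled wget RPM is a locally built, unsigned package (in which case a checksum check before the install would replace it), with the mirror URLs moved to `https://` where the mirror serves it. The result of `urpmi --auto $KERNEL --quiet --test --retry 2` is never examined — the `$?` tested by the following `if` belongs to the `$PACKAGES` run — so a missing kernel package is silently ignored at the test stage; chain it as `urpmi --auto $KERNEL --quiet --test --retry 2 || { rpm_error; exit 1; }`. `cd /var/cache/urpmi` is also unchecked before the `tar`, so a failed cd would archive and then `mv` from the wrong directory; `cd /var/cache/urpmi || exit 1`.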
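--- a/scripts/alcasar-mysql.sh
+++ b/scripts/alcasar-mysql.sh
@@ -0,0 +1,145 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-mysql.sh
+# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
+# This script is distributed under the Gnu General Public License (GPL)
+
+# Gestion (sauvegarde / import / RAZ) de la base MySQL 'radius'. Fermeture des sessions de comptabilité ouvertes
+# Management of mysql 'radius' database (save / import / RAZ). Close the accounting open sessions
+
+rep_tr="/var/Save/base"
+DIR_BIN="/usr/local/bin"
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+DB_RADIUS="radius"
+DB_USER=$(grep '^db_user=' $PASSWD_FILE | cut -d'=' -f 2-)
+DB_PASS=$(grep '^db_password=' $PASSWD_FILE | cut -d'=' -f 2-)
+new="$(date +%G%m%d-%Hh%M)" # date & hour of files
+fichier="alcasar-users-database-$new.sql"
+
+
+stop_acct ()
+{
+date_now=`date "+%F %X"`
+echo "UPDATE radacct SET acctstoptime = '$date_now', acctterminatecause = 'Admin-Reset' WHERE acctstoptime IS NULL" | mysql -u$DB_USER -p$DB_PASS $DB_RADIUS
+}
+check ()
+{
+echo "check (and repair if needed) the database :"
+mysqlcheck --databases $DB_RADIUS -u $DB_USER -p$DB_PASS --auto-repair
+}
+
+expire_user () # remove users whom expiration date has passed to 7 days
+{
+del_date=`date +%F`
+MYSQL_USER=""
+MYSQL_USER=`/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS -ss --execute "SELECT username FROM radcheck WHERE ( DATE_SUB(CURDATE(),INTERVAL 7 DAY) > STR_TO_DATE(value,'%d %M %Y')) AND attribute='Expiration';"`
+for u in $MYSQL_USER
+do
+/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS --execute "DELETE FROM radusergroup WHERE username = '$u'; DELETE FROM radreply WHERE username = '$u'; DELETE FROM userinfo WHERE UserName = '$u'; DELETE FROM radcheck WHERE username = '$u';"
+if [ $? = 0 ]
+then
+echo "User $u was deleted $del_date" >> /var/log/mysqld/delete_user.log
+else
+echo "Delete User $u : Error $del_date" >> /var/log/mysqld/delete_user.log
+fi
+done
+}
+
+expire_group () # remove users of group whom expiration date has passed to 7 days
+{
+del_date=`date +%F`
+MYSQL_GROUP=""
+MYSQL_GROUP=`/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS -ss --execute "SELECT groupname FROM radgroupcheck WHERE ( DATE_SUB(CURDATE(),INTERVAL 7 DAY) > STR_TO_DATE(value,'%d %M %Y')) AND attribute='Expiration';"`
+for g in $MYSQL_GROUP
+do
+MYSQL_USERGROUP=""
+MYSQL_USERGROUP=`/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS -ss --execute "SELECT username FROM radusergroup WHERE groupname = '$g';"`
+for u in $MYSQL_USERGROUP
+do
+/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS --execute "DELETE FROM radusergroup WHERE username = '$u'; DELETE FROM radreply WHERE username = '$u'; DELETE FROM userinfo WHERE UserName = '$u'; DELETE FROM radcheck WHERE username = '$u';"
+if [ $? = 0 ]
+then
+echo "User $u was deleted $del_date" >> /var/log/mysqld/delete_user.log
+else
+echo "Delete User $u : Error $del_date" >> /var/log/mysqld/delete_user.log
+fi
+done
+/usr/bin/mysql -u$DB_USER -p$DB_PASS $DB_RADIUS --execute "DELETE FROM radgroupreply WHERE groupname = '$g'; DELETE FROM radgroupcheck WHERE groupname = '$g';"
+if [ $? = 0 ]
+then
+echo "Group $g was deleted $del_date" >> /var/log/mysqld/delete_group.log
+else
+echo "Delete Group $g : Error $del_date" >> /var/log/mysqld/delete_group.log
+fi
+done
+}
+
+usage="Usage: alcasar-mysql.sh { -d or --dump } | { -c or --check } | { -i or --import } | { -r or --raz } | { -a or --acct_stop } | [ -e or --expire_user ]"
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+nb_args=1
+args="-h"
+fi
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+-d | --dump | -dump)
+[ -d $rep_tr ] || mkdir -p $rep_tr
+if [ -e $fichier ];
+then rm -f $fichier
+fi
+check
+echo "Export the database in file : $fichier.gz"
+mysqldump -u $DB_USER -p$DB_PASS --opt -BcQC $DB_RADIUS > $rep_tr/$fichier
+gzip -f $rep_tr/$fichier
+echo "End of export $( date "+%Hh %Mmn" )"
+;;
+-c | --check | -check)
+check
+;;
+-i | --import | -import)
+if [ $nb_args -ne 2 ]
+then
+echo "Enter a SQL file name ('.sql' or '.sql.gz')"
+exit 0
+else
+case $2 in
+*.sql.gz )
+gunzip -f < $2 | mysql -u $DB_USER -p$DB_PASS
+stop_acct
+;;
+*.sql )
+mysql -u $DB_USER -p$DB_PASS < $2
+stop_acct
+;;
+esac
+migrationsPath="$DIR_BIN/alcasar-db-migrations"
+"$migrationsPath/alcasar-migration_db-3.2.0.sh"
+"$migrationsPath/alcasar-migration_db-3.3.0.sh"
+"$migrationsPath/alcasar-migration_db-3.3.1.sh"
+"$migrationsPath/alcasar-migration_db-3.7.0.sh"
+fi
+;;
+-r | --raz | -raz)
+mysqldump -u $DB_USER -p$DB_PASS --opt -BcQC $DB_RADIUS > $rep_tr/$fichier
+gzip -f $rep_tr/$fichier
+mysql -u$DB_USER -p$DB_PASS $DB_RADIUS < /etc/raddb/empty-radiusd-db.sql
+;;
+-a | --acct_stop | -acct_stop)
+stop_acct
+;;
+-e | --expire_user)
+expire_user
+expire_group
+;;
+*)
+echo "Unknown argument :$1";
+echo "$usage"
+exit 1
+;;
+esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property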
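Review bot: The MariaDB password is passed on the command line as `-p$DB_PASS` in every `mysql`, `mysqldump` and `mysqlcheck` invocation (stop_acct, check, expire_user, expire_group and the -d/-i/-r branches), which exposes it through the process list to any local account for as long as the client runs; read it from a mode-600 option file instead, e.g. `mysql --defaults-extra-file=/root/.my.cnf $DB_RADIUS`, or export `MYSQL_PWD` once at the top of the script and drop the `-p` arguments. The `-r` branch writes the pre-RAZ dump to `$rep_tr/$fichier` without the `[ -d $rep_tr ] || mkdir -p $rep_tr` guard the `-d` branch has, so on a system where that directory does not exist the backup fails and the next line still empties the database; add the same guard before the dump. Usernames returned by the expiry SELECT are spliced unquoted into `DELETE ... WHERE username = '$u'` and iterated with word-splitting, so a name containing a space is deleted wrongly and one containing a quote breaks the statement; passing them through a prepared statement or at least escaping the single quote would make the cleanup robust.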
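--- a/scripts/alcasar-CA.sh
+++ b/scripts/alcasar-CA.sh
@@ -0,0 +1,191 @@
+#!/bin/sh
+# $Id$
+
+# alcasar-CA.sh
+# by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
+# This script is distributed under the Gnu General Public License (GPL)
+#
+# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org>
+# and Michel Arboi <arboi@alussinan.org>
+#
+DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$
+DIR_PKI=/etc/pki
+DIR_CERT=$DIR_PKI/tls
+DIR_WEB=/var/www/html
+CACERT=$DIR_PKI/CA/alcasar-ca.crt
+CAKEY=$DIR_PKI/CA/private/alcasar-ca.key
+SRVREQ=$DIR_CERT/alcasar.req
+SRVKEY=$DIR_CERT/private/alcasar.key
+SRVCERT=$DIR_CERT/certs/alcasar.crt
+SRVPEM=$DIR_CERT/private/alcasar.pem
+SRVCHAIN=$DIR_CERT/certs/server-chain.pem
+CONF_FILE="/usr/local/etc/alcasar.conf"
+hostname=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
+domain=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
+domain=${domain:=localdomain}
+fqdn_hostname="$hostname.$domain"
+# The value for organizationalUnitName must be 64 chars or less;
+# thus, hostname must be 36 chars or less. If it's too big,
+# try removing domain (merci REXY ;-) ).
+hostname_len=`echo $fqdn_hostname| wc -c`
+if [ $hostname_len -gt 36 ];
+then
+fqdn_hostname=$hostname
+fi
+private_ip=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
+
+CACERT_LIFETIME="1460"
+SRVCERT_LIFETIME="1460"
+COUNTRY="FR"
+PROVINCE="none"
+LOCATION="Paris"
+ORGANIZATION="ALCASAR-Team"
+
+mkdir $DIR_TMP || exit 1
+[ -d $DIR_PKI/CA/private ] || mkdir -p $DIR_PKI/CA/private ; chown -R root:root $DIR_PKI/CA ; chmod -R 750 $DIR_PKI/CA
+# dynamic conf file for openssl
+cat <<EOF >$DIR_TMP/ssl.conf
+RANDFILE = $HOME/.rnd
+#
+[ca]
+default_ca = AlcasarCA
+
+[AlcasarCA]
+dir = $DIR_TMP # Where everything is kept
+certs = \$dir # Where the issued certs are kept
+crl_dir = \$dir # Where the issued crl are kept
+database = \$dir/index.txt # database index file.
+new_certs_dir = \$dir # default place for new certs.
+certificate = $CACERT # The CA certificate
+serial = \$dir/serial # The current serial number
+crl = \$dir/crl.pem # The current CRL
+private_key = $CAKEY # The private key
+x509_extensions = usr_cert # The extentions to add to the cert
+crl_extensions = crl_ext
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha256 # which message digest to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+[policy_anything]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[req]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+# attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+nsCertType = sslCA
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = FR
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+localityName = Locality Name (eg, city)
+localityName_default = Lyon
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = your organization name
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 255
+emailAddress = Email Address
+emailAddress_max = 255
+
+[usr_cert]
+nsCertType = server
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+issuerAltName = issuer:copy
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = $fqdn_hostname
+IP.1 = $private_ip
+EOF
+
+CAMAIL=
+SRVMAIL=
+echo `date +%s` > $DIR_TMP/serial
+touch $DIR_TMP/index.txt
+
+# CA key
+rm -f $CAKEY
+echo "*********CAKEY*********" > $DIR_TMP/openssl-log
+openssl genrsa -out $CAKEY 2048 2>> $DIR_TMP/openssl-log
+
+# CA certificate
+rm -f $CACERT
+echo >> $DIR_TMP/openssl-log
+echo "*********CACERT*********" >> $DIR_TMP/openssl-log
+echo "$COUNTRY
+$PROVINCE
+$LOCATION
+$ORGANIZATION
+Certification Authority for $fqdn_hostname
+$fqdn_hostname-local-CA
+$CAMAIL" |
+openssl req -config $DIR_TMP/ssl.conf -new -x509 -sha256 -days $CACERT_LIFETIME -key $CAKEY -out $CACERT 2>> $DIR_TMP/openssl-log
+
+# Server key
+rm -f $SRVKEY
+echo >> $DIR_TMP/openssl-log
+echo "*********SRVKEY*********" >> $DIR_TMP/openssl-log
+openssl genrsa -out $SRVKEY 2048 2>> $DIR_TMP/openssl-log
+
+# Server certificate "request"
+echo >> $DIR_TMP/openssl-log
+echo "*********SRVRQST*********" >> $DIR_TMP/openssl-log
+echo "$COUNTRY
+$PROVINCE
+$LOCATION
+$ORGANIZATION
+Server certificate for $fqdn_hostname
+$fqdn_hostname
+$SRVMAIL" |
+openssl req -config $DIR_TMP/ssl.conf -new -key $SRVKEY -out $SRVREQ 2>> $DIR_TMP/openssl-log
+
+# Sign the server certificate "request" to create server certificate
+rm -f $SRVCERT
+echo >> $DIR_TMP/openssl-log
+echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log
+openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log
+rm -f $SRVREQ
+
+(cat $SRVKEY; echo; cat $SRVCERT) > $SRVPEM
+cp -f $CACERT $SRVCHAIN
+
+# Limit rights
+chown -R root:root $SRVKEY $CAKEY
+chmod -R 0600 $SRVKEY $CAKEY
+
+# Link certs in ALCASAR Control Center
+if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ];
+then
+[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs
+rm -f $DIR_WEB/certs/*
+ln -s $CACERT $DIR_WEB/certs/certificat_alcasar_ca.crt
+ln -s $SRVCERT $DIR_WEB/certs/certificat_alcasar.crt
+rm -rf $DIR_TMP
+exit 0
+else
+echo "An error occured when generating security certificates (see : $DIR_TMP/openssl-log)"
+exit 1
+fi
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property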
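Review bot: When the FQDN exceeds 36 characters the script replaces `fqdn_hostname` with the bare hostname, and that shortened value is what lands in `DNS.1` of `[alt_names]` and in the server certificate's CN, so the certificate stops matching the name clients actually use; the 64-character limit the comment cites applies only to the organizationalUnitName string, not to the SAN. Keep the full name for the SAN — `DNS.1 = $hostname.$domain` and `DNS.2 = $hostname` in `[alt_names]` — and restrict the truncation to the OU text passed on the "Server certificate for ..." line. `wc -c` also counts the trailing newline, so the length check trips at 36 characters rather than 37. `DIR_TMP` is a predictable `${TMPDIR-/tmp}/alcasar-mkcert.$$`; the `mkdir ... || exit 1` keeps a pre-created path from being reused, so the exposure is limited to a failed run, but `DIR_TMP=$(mktemp -d) || exit 1` removes even that.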
/scripts/alcasar-uninstall.sh
0,0 → 1,418
#!/bin/bash
# $Id$
 
# alcasar-uninstall.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 
# Désinstallation ou mise à jour d'ALCASAR
# Uninstall or update ALCASAR
 
SED="/bin/sed -i"
 
[ -z $DEBUG_ALCASAR ] && DEBUG_ALCASAR='off'
 
init ()
{
echo -en "(3) : "
rm -f /root/ALCASAR* && echo -n "1, " # The files in /usr/local/ will be removed at the end (still usefull here)
[ -e /boot/grub2/user.cfg ] && rm -f /boot/grub2/user.cfg && echo -n "2, "
[ -e /root/grub.default ] && mv -f /root/grub.default /etc/grub.d/10_linux && echo -n "3"
}
 
ACC ()
{
echo -en "(11) : "
[ -d /var/www/html ] && rm -rf /var/www/html && echo -n "1, "
[ -d /etc/freeradius-web ] && rm -rf /etc/freeradius-web && echo -n "2, "
[ -e /etc/php.d/05_date.ini.default ] && mv -f /etc/php.d/05_date.ini.default /etc/php.d/05_date.ini && echo -n "3, "
[ -e /etc/php.ini.default ] && mv -f /etc/php.ini.default /etc/php.ini && echo -n "4, "
[ -e /etc/lighttpd/lighttpd.conf.default ] && mv -f /etc/lighttpd/lighttpd.conf.default /etc/lighttpd/lighttpd.conf && echo -n "5, "
[ -e /etc/lighttpd/modules.conf.default ] && mv -f /etc/lighttpd/modules.conf.default /etc/lighttpd/modules.conf && echo -n "6, "
[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] && mv -f /etc/lighttpd/conf.d/fastcgi.conf.default /etc/lighttpd/conf.d/fastcgi.conf && echo -n "7, "
[ -e /etc/php-fpm.conf.default ] && mv -f /etc/php-fpm.conf.default /etc/php-fpm.conf && echo -n "8, "
[ -d /etc/lighttpd/vhosts.d ] && rm -rf /etc/lighttpd/vhosts.d && echo -n "9, "
[ -d /usr/local/etc/digest ] && rm -rf /usr/local/etc/digest && echo -n "10, "
[ -e /etc/systemd/system/lighttpd.service ] && rm -f /etc/systemd/system/lighttpd.service && echo -n "11"
}
 
CA ()
{
echo -en "(5) : "
[ -e /etc/pki/CA/alcasar-ca.crt ] && rm -f /etc/pki/CA/alcasar-ca.crt && echo -n "1, "
[ -e /etc/pki/CA/private/alcasar-ca.key ] && rm -f /etc/pki/CA/private/alcasar-ca.key && echo -n "2, "
[ -e /etc/pki/tls/certs/alcasar.crt ] && rm -f /etc/pki/tls/certs/alcasar.crt && echo -n "3, "
[ -e /etc/pki/tls/private/alcasar.key ] && rm -f /etc/pki/tls/private/alcasar.key && echo -n "4, "
[ -e /etc/pki/tls/private/alcasar.pem ] && rm -f /etc/pki/tls/private/alcasar.pem && echo -n "5"
}
 
time_server ()
{
echo -en "(1) : "
[ -e /etc/ntp.conf.default ] && mv /etc/ntp.conf.default /etc/ntp.conf && echo -n "1"
}
 
init_db ()
{
echo -en "(2) : "
[ -e /etc/my.cnf.default ] && mv -f /etc/my.cnf.default /etc/my.cnf && echo -n "1, "
if [ -e /etc/systemd/system/mysqld.service ]
then
rm /etc/systemd/system/mysqld.service
echo -n "2"
fi
/usr/bin/systemctl daemon-reload
rm -rf /var/lib/mysql
}
 
freeradius ()
{
echo -en "(22) : "
[ -e /etc/raddb/empty-radiusd-db.sql ] && rm /etc/raddb/empty-radiusd-db.sql && echo -n "1, "
[ -e /etc/raddb/radiusd.conf.default ] && mv /etc/raddb/radiusd.conf.default /etc/raddb/radiusd.conf && echo -n "2, "
[ -e /etc/raddb/dictionary.default ] && mv /etc/raddb/dictionary.default /etc/raddb/dictionary && echo -n "3, "
[ -e /etc/raddb/dictionary.alcasar ] && rm /etc/raddb/dictionary.alcasar && echo -n "4, "
[ -e /etc/raddb/dictionary.coovachilli ] && rm /etc/raddb/dictionary.coovachilli && echo -n "5, "
[ -e /etc/raddb/clients.conf.default ] && mv /etc/raddb/clients.conf.default /etc/raddb/clients.conf && echo -n "6, "
[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar && echo -n "7, "
[ -e /etc/raddb/sites-available/alcasar ] && rm /etc/raddb/sites-available/alcasar && echo -n "8, "
[ -e /etc/raddb/sites-available/alcasar-with-ldap ] && rm /etc/raddb/sites-available/alcasar-with-ldap && echo -n "9, "
[ -e /etc/raddb/mods-available/ldap-alcasar ] && rm /etc/raddb/mods-available/ldap-alcasar && echo -n "10, "
i=10
for mods in sql sqlcounter attr_filter expiration logintime pap expr always
do
i=`expr $i + 1`
[ -e /etc/raddb/mods-enabled/$mods ] && rm /etc/raddb/mods-enabled/$mods && echo -n "$i, "
done
[ -e /etc/raddb/mods-available/sql.default ] && mv /etc/raddb/mods-available/sql.default /etc/raddb/mods-available/sql && echo -n "19, "
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] && mv /etc/raddb/mods-config/sql/main/mysql/queries.conf.default /etc/raddb/mods-config/sql/main/mysql/queries.conf && echo -n "20, "
[ -e /etc/raddb/mods-available/sqlcounter.default ] && mv /etc/raddb/mods-available/sqlcounter.default /etc/raddb/mods-available/sqlcounter && echo -n "21, "
if [ -e /etc/systemd/system/radiusd.service ]; then
rm -f /etc/systemd/system/radiusd.service
echo -n "22"
fi
}
 
chilli ()
{
echo -en "(4) : "
[ -e /etc/init.d/chilli.default ] && mv /etc/init.d/chilli.default /etc/init.d/chilli && echo -n "1, "
[ -e /usr/libexec/chilli ] && rm /usr/libexec/chilli && echo -n "2, "
[ -e /etc/chilli.conf.default ] && mv /etc/chilli.conf.default /etc/chilli.conf && echo -n "3, "
[ -e /etc/systemd/system/chilli.service ] && rm /etc/systemd/system/chilli.service && echo -n "4"
}
 
e2guardian ()
{
echo -en "(8) : "
[ -d /var/e2guardian ] && rm -rf /var/e2guardian
[ -d /var/dansguardian ] && rm -rf /var/dansguardian
if [ -e /etc/systemd/system/e2guardian.service ]; then
rm -f /etc/systemd/system/e2guardian.service
echo -n "1, "
fi
[ -e /etc/e2guardian/e2guardian.conf.default ] && mv /etc/e2guardian/e2guardian.conf.default /etc/e2guardian/e2guardian.conf && echo -n "2, "
[ -e /usr/share/e2guardian/languages/french/alcasar-e2g.html ] && rm /usr/share/e2guardian/languages/french/alcasar-e2g.html && echo -n "3, "
[ -e /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html ] && rm /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html && echo -n "4, "
[ -e /etc/e2guardian/e2guardianf1.conf.default ] && mv /etc/e2guardian/e2guardianf1.conf.default /etc/e2guardian/e2guardianf1.conf && echo -n "5, "
[ -d /etc/e2guardian/lists/group1 ] && rm -rf /etc/e2guardian/lists/group1 && echo -n "6, "
[ -e /etc/e2guardian/lists/common/exceptioniplist.default ] && mv /etc/e2guardian/lists/common/exceptioniplist.default /etc/e2guardian/lists/common/exceptioniplist && echo -n "7, "
[ -e /etc/e2guardian/e2guardianf2.conf ] && rm -f /etc/e2guardian/e2guardianf2.conf && echo -n "8."
}
 
antivirus ()
{
echo -en "(4) : "
if [ -e /etc/systemd/system/clamav-daemon.service ]; then
rm -f /etc/systemd/system/clamav-daemon.service
echo -n "1, "
fi
if [ -e /etc/systemd/system/clamav-daemon.socket ]; then
rm -f /etc/systemd/system/clamav-daemon.socket
echo -n "2, "
fi
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "3, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "4"
}
 
ulogd ()
{
echo -en "(6) : "
i=0
for log_type in traceability ssh ext-access
do
i=`expr $i + 1`
[ -e /etc/ulogd-$log_type.conf ] && rm -f /etc/ulogd-$log_type.conf && echo -n "$i, "
i=`expr $i + 1`
[ -e /etc/systemd/system/ulogd-$log_type.service ] && rm -f /etc/systemd/system/ulogd-$log_type.service && echo -n "$i, "
done
}
 
nfsen ()
{
# we don't remove user "nfcapd" & nfcapd folders in order to keep data when updating
echo -en "(1) : "
[ -e /etc/systemd/system/nfcapd.service ] && rm -f /etc/systemd/system/nfcapd.service && echo -n "1"
}
 
vnstat ()
{
echo -en "(2) : "
[ -e /etc/vnstat.conf.default ] && mv /etc/vnstat.conf.default /etc/vnstat.conf && echo -n "1, "
if [ -e /etc/systemd/system/vnstat.service ]; then
rm -f /etc/systemd/system/vnstat.service
echo -n "2"
fi
}
 
unbound ()
{
echo -en "(9) : "
[ -e /etc/unbound/unbound.conf.default ] && mv /etc/unbound/unbound.conf.default /etc/unbound/unbound.conf && echo -n "1, "
[ -e /etc/unbound/unbound-blacklist.conf ] && rm -f /etc/unbound/unbound-blacklist.conf && echo -n "2, "
[ -e /etc/unbound/unbound-whitelist.conf ] && rm -f /etc/unbound/unbound-whitelist.conf && echo -n "3, "
[ -e /etc/unbound/unbound-blackhole.conf ] && rm -f /etc/unbound/unbound-blackhole.conf && echo -n "4, "
[ -e /etc/unbound/conf.d ] && rm -rf /etc/unbound/conf.d && echo -n "5, "
i=6
for list in blacklist blackhole whitelist
do
if [ -e /etc/systemd/system/unbound-$list.service ]
then
rm -f /etc/systemd/system/unbound-$list.service
echo -n "$i, "
fi
i=`expr $i + 1`
done
if [ -e /etc/systemd/system/unbound.service ]; then
rm -f /etc/systemd/system/unbound.service
echo -n "9"
fi
}
 
dhcpd ()
{
echo -en "(1) : "
[ -e /etc/dhcpd.conf.default ] && mv /etc/dhcpd.conf.default /etc/dhcpd.conf && echo -n "1"
}
 
cron ()
{
# /etc/cron.d/alcasar-daemon-watchdog is removed at the beginning of this script
echo -en "(12) : "
i=1
for cron in `ls /etc/cron.d/alcasar-* 2>/dev/null`
do
rm $cron && echo -n "$i, "
i=`expr $i + 1`
done
[ -e /etc/crontab.default ] && mv /etc/crontab.default /etc/crontab && echo -n "11, "
[ -e /etc/anacrontab.default ] && mv /etc/anacrontab.default /etc/anacrontab && echo -n "12"
}
 
fail2ban ()
{
echo -en "(11) : "
[ -e /etc/fail2ban/jail.conf.default ] && mv /etc/fail2ban/jail.conf.default /etc/fail2ban/jail.conf && echo -n "1, "
[ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf # only for ALCASAR version <= V3.5.1
i=2
for filter in `ls /etc/fail2ban/filter.d/alcasar_* 2>/dev/null`
do
i=`expr $i + 1`
rm $filter && echo -n "$i, "
done
for jail in `ls /etc/fail2ban/jail.d/*alcasar_* 2>/dev/null`
do
i=`expr $i + 1`
rm $jail && echo -n "$i, "
done
if [ -e /etc/systemd/system/fail2ban.service ]; then
rm -f /etc/systemd/system/fail2ban.service
echo -n "11"
fi
}
 
gammu_smsd ()
{
echo -en "(4) : "
[ -e /etc/gammu_smsd_conf ] && rm -f /etc/gammu_smsd_conf && echo -n "1, "
[ -e /etc/systemd/system/gammu-smsd.service ] && rm -f /etc/systemd/system/gammu-smsd.service && echo -n "2, "
[ -e /var/log/gammu-smsd ] && rm -rf /var/log/gammu-smsd && echo -n "3, "
userdel -r gammu_smsd 2>/dev/null && echo -n "4"
#[ -e /lib/udev/rules.d/66-huawei.rules ] && rm -f /lib/udev/rules.d/66-huawei.rules && echo -n "4"
}
 
msec ()
{
echo -en "(2) : "
if [ -e /etc/security/msec/security.conf ]; then
[ -e /etc/security/msec/security.conf.default ] && mv /etc/security/msec/security.conf.default /etc/security/msec/security.conf && echo -n "1, "
[ -e /etc/security/msec/perm.local ] && rm -f /etc/security/msec/perm.local && echo -n "2"
else
echo -n "uninstalled"
fi
}
 
letsencrypt ()
{
echo -en "(3) : "
[ -e /usr/local/etc/letsencrypt ] && rm -rf /usr/local/etc/letsencrypt && echo -n "1, "
[ -e /opt/acme.sh/acme.sh ] && /opt/acme.sh/acme.sh --uninstall --nocron 1>/dev/null && echo -n "2, "
[ -e /opt/acme.sh ] && rm -rf /opt/acme.sh && echo -n "3"
}
 
mail_service()
{
echo -en "(1) : "
[ -e /etc/postfix/main.cf.orig ] && mv /etc/postfix/main.cf.orig /etc/postfix/main.cf && echo -n "1"
}
 
post_install ()
{
echo -en "(7) : "
[ -e /etc/mageia-release.default ] && mv -f /etc/mageia-release.default /etc/mageia-release && echo -n "1, "
[ -e /etc/ssh/alcasar-banner-ssh ] && rm -f /etc/ssh/alcasar-banner-ssh && echo -n "2, "
[ -e /etc/ssh/sshd_config.default ] && mv -f /etc/ssh/sshd_config.default /etc/ssh/sshd_config && echo -n "3, "
[ -e /etc/bashrc.default ] && mv -f /etc/bashrc.default /etc/bashrc && echo -n "4, "
[ -e /etc/sudoers.default ] && mv -f /etc/sudoers.default /etc/sudoers && echo -n "5, "
[ -e /etc/security/limits.conf.default ] && mv -f /etc/security/limits.conf.default /etc/security/limits.conf && echo -n "6, "
[ -e /etc/default/grub.default ] && mv -f /etc/default/grub.default /etc/default/grub && echo -n "7"
}
 
usage="Usage: alcasar-uninstall.sh {-update or --update} | {-full or --full}"
 
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]; then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
--update | -update)
mode="update"
;;
--full | -full)
mode="full"
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
clear
if [ $mode == "full" ]; then
echo "----------------------------------------------------------------------------"
echo "** Uninstall/Désinstallation d'ALCASAR **"
echo "----------------------------------------------------------------------------"
services="vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist unbound-blackhole nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli"
/usr/local/bin/alcasar-logout.sh all # logout everybody
else
echo "--------------------------------------------------------------------------"
echo "** update/mise à jour d'ALCASAR **"
echo "--------------------------------------------------------------------------"
# unbound, iptables & sshd should stay on to allow remote update
services="vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist unbound-blackhole nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli"
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update + users stay connected during the update
fi
 
echo "Stopping services : "
# remove daemon watchdog in order to not restart alcasar daemons during the uninstall process
[ -e /etc/cron.d/alcasar-daemon-watchdog ] && rm -f /etc/cron.d/alcasar-daemon-watchdog
/usr/local/bin/alcasar-sms.sh --stop
for i in $services
do
service_exist=`systemctl list-unit-files | grep ^$i.service | wc -l`
if [ $service_exist -eq 1 ]; then
/usr/bin/systemctl disable $i.service
/usr/bin/systemctl stop $i.service 1>/dev/null
sleep 1
else
echo "The service $i.service doesn't exist !"
fi
done
echo "Check the service clearing"
for i in $services
do
if [ `systemctl is-active $i.service` == "active" ]; then
echo "The service '$i' need to be killed"
/usr/bin/systemctl stop $i.service
killall $i
fi
done
 
[ $mode == "update" ] && /usr/bin/systemctl reload sshd # reload sshd in case of remote update
 
echo "Reset ALCASAR main functions : "
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat unbound dhcpd cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
do
echo -en "\n- $func "
$func
if [ $DEBUG_ALCASAR == "on" ]; then
echo -n " *** 'debug' : end removing function '$func' *** "
read a
fi
done
if [ $mode == "full" ]; then
echo -en "\n- network(10) : "
hostnamectl set-hostname localhost.localdomain
chmod a-x /etc/sysconfig/network-scripts/default-*
i=0
for nic in `ls /etc/sysconfig/network-scripts/default-*|cut -d'-' -f4`
do
i=`expr $i + 1`
/sbin/ifdown $nic
[ -e /etc/sysconfig/network-scripts/default-ifcfg-$nic ] && mv -f /etc/sysconfig/network-scripts/default-ifcfg-$nic /etc/sysconfig/network-scripts/ifcfg-$nic && echo -n "$i ($nic), "
done
[ -e /etc/sysconfig/network.default ] && mv -f /etc/sysconfig/network.default /etc/sysconfig/network && echo -n "3, "
[ -e /etc/hosts.default ] && mv -f /etc/hosts.default /etc/hosts && echo -n "4, "
[ -e /etc/hosts.allow.default ] && mv -f /etc/hosts.allow.default /etc/hosts.allow && echo -n "5, "
[ -e /etc/hosts.deny.default ] && mv -f /etc/hosts.deny.default /etc/hosts.deny && echo -n "6, "
[ -e /etc/modprobe.preload.default ] && mv -f /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "7, "
if [ -e /etc/systemd/system/alcasar-network.service ]; then
rm -f /etc/systemd/system/alcasar-network.service
echo -n "8, "
fi
if [ -e /etc/systemd/system/iptables.service ]; then
rm -f /etc/systemd/system/iptables.service
echo -n "9, "
fi
[ -e /usr/libexec/iptables.init.default ] && mv -f /usr/libexec/iptables.init.default /usr/libexec/iptables.init && echo -n "10"
/usr/bin/systemctl restart network
sleep 1
fi
 
# Reset "skip.list" (we keep "kernel" in order not to download kernel we don't want to have)
echo "/^kernel/" > /etc/urpmi/skip.list
if [ `grep -E '^exclude=' /etc/dnf/dnf.conf |wc -l` -eq "1" ]; then
$SED "s?^exclude=.*?exclude=kernel\*?g" /etc/dnf/dnf.conf
else
echo "exclude=kernel*" >> /etc/dnf/dnf.conf
fi
# Cleaning (remove all "old" alcasar scripts)
echo -en "\n- End of cleaning ...\n"
for rm_fic in /usr/local/bin /usr/local/etc /usr/local/sbin
do
rm -rf $rm_fic/alcasar*
done
/usr/bin/update-grub2
 
if [ $mode == "full" ]; then
echo -n "Waiting for Network to be up again : "
i=0
while [ $i -lt 10 ] # We wait 10 seconds max
do
echo -n "."
DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`
if [ "$DNS1" != "" ] && [ "$DNS1" != "127.0.0.1" ]; then
i=9
echo -n "ok"
fi
i=`expr $i + 1`
sleep 1
done
fi
echo
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
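Review bot: post_install() puts the saved sudoers back with a bare `mv -f /etc/sudoers.default /etc/sudoers` and never validates it, so a truncated or hand-edited backup silently breaks sudo for every account on the box; the `sshd_config` restore two lines earlier has the same gap. Gate both on the validators the tools ship with, e.g. `[ -e /etc/sudoers.default ] && visudo -c -f /etc/sudoers.default >/dev/null && mv -f /etc/sudoers.default /etc/sudoers && echo -n "5, "` and `sshd -t -f /etc/ssh/sshd_config.default` for the second. Note also that the `systemctl reload sshd` done for remote updates runs before the function loop that restores sshd_config, so in `--update` mode the daemon is reloaded while the ALCASAR config is still in place — presumably intended, but a comment saying so (or moving the reload after the loop) would help. Separately, init_db() removes `/var/lib/mysql` in both modes because it is in the function list for `--update` as well; if the update path relies on a dump taken earlier by another script, a one-line comment to that effect would stop the next reader from assuming the accounting database is lost on update.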
/scripts/alcasar-bl.sh
0,0 → 1,378
#!/bin/bash
 
# $Id$
 
# alcasar-bl.sh
# by Franck BOUIJOUX and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 
# Gestion de la BL pour le filtrage de domaine (via unbound) et d'URL (via E2guardian)
# Manage the BL for domain filtering (with unbound) and URL filtering (with E2guardian)
 
DIR_CONF="/usr/local/etc"
CONF_FILE="$DIR_CONF/alcasar.conf"
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
DIR_tmp="/tmp/blacklists"
FILE_tmp="/tmp/filesfilter.txt"
FILE_ip_tmp="/tmp/filesipfilter.txt"
DIR_DG="/etc/e2guardian/lists"
DIR_DG_BL="$DIR_DG/blacklists"
DIR_DG_GROUP1="$DIR_DG/group1"
GLOBAL_USAGE="$DIR_CONF/alcasar-global-usage" # file containing the description of the lists
BL_CATEGORIES="$DIR_CONF/alcasar-bl-categories" # list of names of the BL categories
WL_CATEGORIES="$DIR_CONF/alcasar-wl-categories" # ' ' WL categories
BL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-bl-categories-enabled" # ' ' BL enabled categories
WL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-wl-categories-enabled" # ' ' WL enabled categories
DIR_SHARE="/usr/local/share"
DIR_DNS_BL="$DIR_SHARE/unbound-bl" # all the BL in the Unbound format
DIR_DNS_WL="$DIR_SHARE/unbound-wl" # all the WL ' ' '
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL
DIR_DNS_BL_ENABLED="$DIR_SHARE/unbound-bl-enabled" # symbolic link to the domains BL (only enabled categories)
DIR_DNS_WL_ENABLED="$DIR_SHARE/unbound-wl-enabled" # ' ' ' WL ' '
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories)
DIR_IP_WL_ENABLED="$DIR_SHARE/iptables-wl-enabled" # ' ' ip WL (ossi and ossi-* imported from ACC)
REHABILITATED_DNS_FILE="/etc/unbound/conf.d/blacklist/rehabilitated.conf"
BL_SERVER="dsi.ut-capitole.fr"
SED="/bin/sed -i"
 
# enable/disable the BL & WL categories
function cat_choice (){
mkdir -p $DIR_tmp
for LIST in $DIR_IP_BL_ENABLED $DIR_DNS_BL_ENABLED $DIR_IP_WL_ENABLED $DIR_DNS_WL_ENABLED
do
if [ ! -e $LIST ] # only on install stage
then
mkdir $LIST
else
rm -rf ${LIST:?}/*
fi
chown root:apache $LIST
chmod 770 $LIST
done
# update categories with rsync
if [ ! -e $DIR_CONF/update_cat.conf ]
then
touch $DIR_CONF/update_cat.conf
chown root:apache $DIR_CONF/update_cat.conf
chmod 660 $DIR_CONF/update_cat.conf
fi
$SED "/\.Include/d" $DIR_DG_GROUP1/bannedurllist # cleaning E2G url blacklisted
# $SED "/\.Include/d" $DIR_DG_GROUP1/bannedsitelist # cleaning E2G domain blacklisted (now managed by unbound)
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines)
 
# process the file $BL_CATEGORIES with the choice of categories
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED`
do
$SED "/\/$ENABLE_CATEGORIE$/d" $BL_CATEGORIES
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $BL_CATEGORIES
ln -sf $DIR_DNS_BL/$ENABLE_CATEGORIE.conf $DIR_DNS_BL_ENABLED/$ENABLE_CATEGORIE
ln -sf $DIR_IP_BL/$ENABLE_CATEGORIE $DIR_IP_BL_ENABLED/$ENABLE_CATEGORIE
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG_GROUP1/bannedsitelist # Blacklisted domains are managed by unbound
echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/urls>" >> $DIR_DG_GROUP1/bannedurllist
done
sort +0.0 -0.2 $BL_CATEGORIES -o $FILE_tmp
mv $FILE_tmp $BL_CATEGORIES
sort +0.0 -0.2 $BL_CATEGORIES_ENABLED -o $FILE_tmp
mv $FILE_tmp $BL_CATEGORIES_ENABLED
chown root:apache $BL_CATEGORIES $BL_CATEGORIES_ENABLED
chmod 660 $BL_CATEGORIES $BL_CATEGORIES_ENABLED
 
# process the file $WL_CATEGORIES with the choice of categories
for ENABLE_CATEGORIE in `cat $WL_CATEGORIES_ENABLED`
do
$SED "/\/$ENABLE_CATEGORIE$/d" $WL_CATEGORIES
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $WL_CATEGORIES
ln -sf $DIR_DNS_WL/$ENABLE_CATEGORIE.conf $DIR_DNS_WL_ENABLED/$ENABLE_CATEGORIE
done
sort +0.0 -0.2 $WL_CATEGORIES -o $FILE_tmp
mv $FILE_tmp $WL_CATEGORIES
sort +0.0 -0.2 $WL_CATEGORIES_ENABLED -o $FILE_tmp
mv $FILE_tmp $WL_CATEGORIES_ENABLED
chown root:apache $WL_CATEGORIES $WL_CATEGORIES_ENABLED
chmod 660 $WL_CATEGORIES $WL_CATEGORIES_ENABLED
}
 
# cleaning file and split it ("domains" in $FILE_tmp & "IP" in $FILE_ip_tmp)
function clean_split (){
$SED '/^[.#]/d' $FILE_tmp # remove commented lines and lines beginning with a dot
$SED '/^\s*$/d' $FILE_tmp # remove empty lines
$SED '/[äâëêïîöôüû@,]/d' $FILE_tmp # remove line with "chelou" characters
# extract ip addresses and ip networks for iptables.
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add bl_ip_blocked " $0}' $FILE_tmp > $FILE_ip_tmp
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]{1,2}$/{print "add bl_ip_blocked " $0}' $FILE_tmp >> $FILE_ip_tmp
# extract domain names for unbound.
$SED -n '/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/!p' $FILE_tmp
# Retrieve max Top Level Domain for domain name synthax
#MAX_TLD=$(curl http://data.iana.org/TLD/tlds-alpha-by-domain.txt | grep -v '-' | grep -v '#' | wc -L)
#if [ $(echo $MAX_TLD | wc -c) -eq 0 ];then
# MAX_TLD=18
#fi
# search for correction grep -E "([a-zA-Z0-9_-.]+\.){1,2}[a-zA-Z]{2,$MAX_TLD}" $ossi_custom_dir/domains > $FILE_tmp
}
 
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload }"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Retrieve Toulouse University BL
-download | --download)
rm -rf /tmp/con_ok.html
`/usr/bin/curl $BL_SERVER -# -o /tmp/con_ok.html`
if [ ! -e /tmp/con_ok.html ]
then
echo "Erreur : le serveur de blacklist ($BL_SERVER) n'est pas joignable"
else
rm -rf /tmp/con_ok.html $DIR_tmp
mkdir $DIR_tmp
wget -P $DIR_tmp http://$BL_SERVER/blacklists/download/blacklists.tar.gz
md5sum $DIR_tmp/blacklists.tar.gz | cut -d" " -f1 > $DIR_tmp/md5sum
chown -R apache:apache $DIR_tmp
fi
;;
# enable/disable categories (used only during the alcasar install process)
-cat_choice | --cat_choice)
cat_choice
;;
# Adapt Toulouse University BL to ALCASAR architecture (unbound + DG + iptables)
-adapt | --adapt)
echo -n "Adaptation process of Toulouse University blackList. Please wait : "
if [ -f $DIR_tmp/blacklists.tar.gz ] # when downloading the last version of the BL
then
# keep custom files (ossi)
for x in $(ls -1 $DIR_DG_BL | grep "^ossi-*")
do
mv $DIR_DG_BL/$x $DIR_tmp
done
rm -rf $DIR_DG_BL $DIR_IP_BL
mkdir $DIR_DG_BL $DIR_IP_BL
tar zxf $DIR_tmp/blacklists.tar.gz --directory=$DIR_DG/
# replace the global_usage file of the archive
cp -f $GLOBAL_USAGE $DIR_DG_BL/global_usage
chown -R e2guardian:apache $DIR_DG
chmod -R 770 $DIR_DG
# Add the two local categories (ossi-bl & ossi-wl) to the usage file
# Add the custom categories (ossi-tor_nodes) to the usage file
cat <<EOF >> $DIR_DG_BL/global_usage
 
NAME: ossi-bl
DEFAULT_TYPE: black
SOURCE: ALCASAR Team
DESC FR: sites blacklistés ajoutés localement
DESC EN: blacklisted sites add locally
NAME FR: ossi-bl
NAME EN: ossi-bl
 
NAME: ossi-wl
DEFAULT_TYPE: white
SOURCE: ALCASAR Team
DESC FR: sites autorisés ajoutés localement
DESC EN: whitelisted sites add locally
NAME FR: ossi-wl
NAME EN: ossi-wl
 
NAME: ossi-bl-tor_nodes
DEFAULT_TYPE: black
SOURCE: ALCASAR Team
DESC FR: Adresses IP des noeuds (routeurs) d'entrée du réseau TOR
DESC EN: IP addresses of input TOR nodes (routers)
NAME FR: Noeuds TOR
NAME EN: TOR nodes
 
NAME: ossi-bl-ultrasurf
DEFAULT_TYPE: black
SOURCE: ALCASAR Team
DESC FR: Adresses IP des point de sortie ULTRASURF
DESC EN: IP addresses of output points of ULTRASURF
NAME FR: Points de sortie ULTRASURF
NAME EN: ULTRASURF output points
 
NAME: ossi-bl-candc
DEFAULT_TYPE: black
SOURCE: Bambenek Consulting: https://osint.bambenekconsulting.com
DESC FR: liste des URLs et IPs des serveurs command & control
DESC EN: list of URLs and IPs of command & control servers
NAME FR: Serveurs Command & Control
NAME EN: Command & Control Server
 
EOF
# Retrieve custom files (ossi)
for x in $(ls -1 $DIR_tmp | grep "^ossi-*")
do
mv $DIR_tmp/$x $DIR_DG_BL
done
fi
rm -f $BL_CATEGORIES $WL_CATEGORIES $WL_CATEGORIES_ENABLED
rm -rf $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED
touch $BL_CATEGORIES $WL_CATEGORIES
mkdir $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED
find $DIR_DG_BL/ -type f -name domains > $FILE_tmp # retrieve directory name where a domain file exist
$SED "s?\/domains??g" $FILE_tmp # remove "/domains" suffix
for dir_categorie in `cat $FILE_tmp` # create the blacklist and the whitelist files
do
categorie=`echo $dir_categorie|cut -d "/" -f6`
categorie_type=`grep -A1 ^NAME:[$' '$'\t']*$categorie\$ $DIR_DG_BL/global_usage | grep ^DEFAULT_TYPE | cut -d":" -f2 | tr -d " \t"`
if [ "$categorie_type" == "white" ]
then
echo "$categorie" >> $WL_CATEGORIES_ENABLED
fi
echo "$dir_categorie" >> $BL_CATEGORIES
echo "$dir_categorie" >> $WL_CATEGORIES
done
rm -f $FILE_tmp
# Verify that the enabled categories are effectively in the BL (need after an update of the BL)
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED`
do
ok=`grep /$ENABLE_CATEGORIE$ $BL_CATEGORIES|wc -l`
if [ $ok != "1" ]
then
$SED "/^$ENABLE_CATEGORIE$/d" $BL_CATEGORIES_ENABLED
fi
done
# Verify that the enabled categories are effectively in the WL (need after an update of the WL)
for ENABLE_CATEGORIE in `cat $WL_CATEGORIES_ENABLED`
do
ok=`grep /$ENABLE_CATEGORIE$ $WL_CATEGORIES|wc -l`
if [ $ok != "1" ]
then
$SED "/^$ENABLE_CATEGORIE$/d" $WL_CATEGORIES_ENABLED
fi
done
 
# Creation of Unbound and Iptables BL and WL
for LIST in $BL_CATEGORIES $WL_CATEGORIES # for each list (bl and wl)
do
for PATH_FILE in `cat $LIST` # for each category
do
DOMAIN=`basename $PATH_FILE`
echo -n "$DOMAIN, "
if [ ! -f $PATH_FILE/urls ] # create 'urls' file if it doesn't exist
then
touch $PATH_FILE/urls
chown e2guardian:apache $PATH_FILE/urls
fi
cp $PATH_FILE/domains $FILE_tmp
clean_split # clean ossi custom files & split them for unbound and for iptables
if [ "$LIST" == "$BL_CATEGORIES" ]
then
# adapt to the unbound syntax for the blacklist
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN
else
# adapt to the unbound syntax for the whitelist
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp
$SED "p; s? transparent? ipset?g" $FILE_tmp # duplicate lines to enable ipset module
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf
fi
done
done
echo
chown -R root:apache $BL_CATEGORIES $WL_CATEGORIES $BL_CATEGORIES_ENABLED $WL_CATEGORIES_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
chmod 770 $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
chmod -f 660 $BL_CATEGORIES $WL_CATEGORIES $BL_CATEGORIES_ENABLED $WL_CATEGORIES_ENABLED $DIR_DNS_BL/* $DIR_DNS_WL/* $DIR_IP_BL/* $DIR_IP_WL/*
rm -f $FILE_tmp $FILE_ip_tmp
rm -rf $DIR_tmp
;;
# reload when selected categories are changed or when ossi change his custom files
-reload | --reload)
# for E2Gardian
cat_choice
# for unbound (rehabilitated domain names)
rm -f $REHABILITATED_DNS_FILE
if [ "$(wc -w $DIR_DG_GROUP1/exceptionsitelist | cut -d " " -f1)" != "0" ]
then
touch $REHABILITATED_DNS_FILE
while read -r domain; do
[ -z "$domain" ] && continue
echo "local-zone: $domain typetransparent" >> $REHABILITATED_DNS_FILE
echo "local-zone-tag: $domain \"\"" >> $REHABILITATED_DNS_FILE
done < $DIR_DG_GROUP1/exceptionsitelist
fi
# adapt OSSI BL & WL custom files
for dir in $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
do
rm -f $dir/ossi*
done
find $DIR_DG_BL/ -type f -name domains | grep ossi- > $FILE_tmp # retrieve ossi directories name where a domain file exist
$SED "s?\/domains??g" $FILE_tmp # remove "/domains" suffix
for ossi_custom_dir in `cat $FILE_tmp` # create the blacklist and the whitelist files
do
chown -R root:apache $ossi_custom_dir
chmod 770 $ossi_custom_dir
ossi_categorie=`echo $ossi_custom_dir|cut -d "/" -f6`
short_categorie=`echo "$ossi_categorie" | cut -d"-" -f2`
if [ $short_categorie == "bl" ]
then
categorie_type="black"
else
categorie_type="white"
fi
$SED "s/\r//" $ossi_custom_dir/domains $ossi_custom_dir/urls # remove Windows <CR> from custom file
cp $ossi_custom_dir/domains $FILE_tmp
clean_split # clean ossi custom files & split them for unbound and for iptables
if [ $categorie_type == "white" ]
then
# adapt the file to the unbound syntax and enable it if needed
# for the WL
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp
$SED "p; s? transparent? ipset?g" $FILE_tmp # duplicate lines to enable ipset module
mv $FILE_tmp $DIR_DNS_WL/$ossi_categorie.conf
mv $FILE_ip_tmp $DIR_IP_WL/$ossi_categorie
enabled=`grep ^$ossi_categorie$ $WL_CATEGORIES_ENABLED | wc -l`
if [ $enabled == "1" ]
then
$SED "/\/$ossi_categorie$/d" $WL_CATEGORIES
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ossi_categorie" $WL_CATEGORIES
ln -sf $DIR_DNS_WL/$ossi_categorie.conf $DIR_DNS_WL_ENABLED/$ossi_categorie
ln -sf $DIR_IP_WL/$ossi_categorie $DIR_IP_WL_ENABLED/$ossi_categorie
fi
else
# for the BL
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_BL/$ossi_categorie.conf
mv $FILE_ip_tmp $DIR_IP_BL/$ossi_categorie
enabled=`grep ^$ossi_categorie$ $BL_CATEGORIES_ENABLED | wc -l`
if [ $enabled == "1" ]
then
$SED "/\/$ossi_categorie$/d" $BL_CATEGORIES
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ossi_categorie" $BL_CATEGORIES
ln -sf $DIR_DNS_BL/$ossi_categorie.conf $DIR_DNS_BL_ENABLED/$ossi_categorie
ln -sf $DIR_IP_BL/$ossi_categorie $DIR_IP_BL_ENABLED/$ossi_categorie
fi
fi
done
for file in $BL_CATEGORIES $BL_CATEGORIES_ENABLED $WL_CATEGORIES $WL_CATEGORIES_ENABLED
do
sort +0.0 -0.2 $file -o $FILE_tmp
mv $FILE_tmp $file
chown root:apache $file
chmod 660 $file
done
chown -R root:apache $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
chmod 660 $DIR_DNS_BL/* $DIR_DNS_WL/* $DIR_IP_BL/* $DIR_IP_WL/*
if [ "$PARENT_SCRIPT" != "alcasar-conf.sh" ] # don't launch on install stage
then
/usr/bin/systemctl restart unbound-blacklist
/usr/bin/systemctl restart unbound-whitelist
/usr/bin/systemctl restart e2guardian
/usr/local/bin/alcasar-iptables.sh
fi
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
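Review bot: The `-download` branch fetches the Toulouse blacklist over plain HTTP (`wget -P $DIR_tmp http://$BL_SERVER/blacklists/download/blacklists.tar.gz`) and the `-adapt` branch later unpacks that archive into `$DIR_DG` with `tar zxf` as root (it writes under /etc and chowns the result), with no integrity check in between — the `md5sum` written next to it only records a local hash and is never compared to anything. Anyone on the network path can substitute the archive, and the category directory names it contains are picked up by `find` and interpolated unescaped into `sed` patterns and `ln -sf` targets in cat_choice() and the `-reload` branch, so this is more than a filtering-accuracy concern. At minimum switch to `https://$BL_SERVER/blacklists/download/blacklists.tar.gz` (and the curl reachability probe above it to the same scheme), and if the publisher exposes a digest or signature alongside the archive, fetch and verify it before `-adapt` extracts. The staging directory is also a fixed path (`/tmp/blacklists`) that is handed to `apache:apache` at the end of `-download`, so a compromise of the web user could swap the tarball before the root-run `-adapt` step; a root-owned `mktemp -d` location, exposing only the `md5sum` file to the ACC, would narrow that window.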
/scripts/alcasar-url_filter_bl.sh
0,0 → 1,126
#!/bin/bash
 
# Id: $Id$
 
# alcasar-url_filter.sh
# by REXY
# This script is distributed under the Gnu General Public License (GPL)
 
# Active / désactive : safesearch des moteurs de recherche
# Enable / disable : search engines safesearch
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine
# Enable / disable : filter of urls containing ip address instead of domain name
 
CONF_FILE="/usr/local/etc/alcasar.conf"
DIR_DG_GROUP1="/etc/e2guardian/lists/group1"
UNBOUND_BL_DOMAIN_FILTER_CONF="/etc/unbound/conf.d/blacklist/domainfilter.conf"
SED="/bin/sed -i"
safesearch="Off"
pureip="Off"
usage="Usage: alcasar-url_filter_bl.sh { -safesearch_on or -safesearch_off } & { -pureip_on or -pureip_off }"
 
nb_args=$#
 
googledomains="google.com. google.ad. google.ae. google.com.af. google.com.ag. google.com.ai. google.al. google.am. google.co.ao. google.com.ar. google.as. google.at. google.com.au. google.az. google.ba. google.com.bd. google.be. google.bf. google.bg. google.com.bh. google.bi. google.bj. google.com.bn. google.com.bo. google.com.br. google.bs. google.bt. google.co.bw. google.by. google.com.bz. google.ca. google.cd. google.cf. google.cg. google.ch. google.ci. google.co.ck. google.cl. google.cm. google.cn. google.com.co. google.co.cr. google.com.cu. google.cv. google.com.cy. google.cz. google.de. google.dj. google.dk. google.dm. google.com.do. google.dz. google.com.ec. google.ee. google.com.eg. google.es. google.com.et. google.fi. google.com.fj. google.fm. google.fr. google.ga. google.ge. google.gg. google.com.gh. google.com.gi. google.gl. google.gm. google.gp. google.gr. google.com.gt. google.gy. google.com.hk. google.hn. google.hr. google.ht. google.hu. google.co.id. google.ie. google.co.il. google.im. google.co.in. google.iq. google.is. google.it. google.je. google.com.jm. google.jo. google.co.jp. google.co.ke. google.com.kh. google.ki. google.kg. google.co.kr. google.com.kw. google.kz. google.la. google.com.lb. google.li. google.lk. google.co.ls. google.lt. google.lu. google.lv. google.com.ly. google.co.ma. google.md. google.me. google.mg. google.mk. google.ml. google.com.mm. google.mn. google.ms. google.com.mt. google.mu. google.mv. google.mw. google.com.mx. google.com.my. google.co.mz. google.com.na. google.com.nf. google.com.ng. google.com.ni. google.ne. google.nl. google.no. google.com.np. google.nr. google.nu. google.co.nz. google.com.om. google.com.pa. google.com.pe. google.com.pg. google.com.ph. google.com.pk. google.pl. google.pn. google.com.pr. google.ps. google.pt. google.com.py. google.com.qa. google.ro. google.ru. google.rw. google.com.sa. google.com.sb. google.sc. google.se. google.com.sg. google.sh. google.si. google.sk. google.com.sl. google.sn. 
google.so. google.sm. google.sr. google.st. google.com.sv. google.td. google.tg. google.co.th. google.com.tj. google.tk. google.tl. google.tm. google.tn. google.to. google.com.tr. google.tt. google.com.tw. google.co.tz. google.com.ua. google.co.ug. google.co.uk. google.com.uy. google.co.uz. google.com.vc. google.co.ve. google.vg. google.co.vi. google.com.vn. google.vu. google.ws. google.rs. google.co.za. google.co.zm. google.co.zw. google.cat."
 
youtubedomains="www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com"
 
safesearch=""
pureip=""
 
if [ $nb_args -lt 1 ]
then
echo "$usage"
exit 1
fi
 
while [ $nb_args -ge 1 ]
do
arg=${!nb_args}
case $arg in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Safe search activation
-safesearch_on | --safesearch_on)
safesearch="On"
;;
# Safe search deactivation
-safesearch_off | --safesearch_off)
safesearch="Off"
;;
# pure_ip activation
-pureip_on | --pureip_on)
pureip="On"
;;
# pureip deactivation
-pureip_off | --pureip_off)
pureip="Off"
;;
*)
echo "Argument inconnu :$arg";
echo "$usage"
exit 1
;;
esac
nb_args=$(expr $nb_args - 1)
done
 
if [ "$safesearch" == "On" ]
then
$SED "s?^#\"?\"?g" $DIR_DG_GROUP1/urlregexplist # on décommente les lignes de regles
# add 'SafeSearch' redirection for google searching
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip
 
# config file header
echo "server:" > $UNBOUND_BL_DOMAIN_FILTER_CONF
 
for domain in $googledomains
do
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $google_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
done
 
# add 'SafeSearch' redirection for youtube searching
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip
for domain in $youtubedomains
do
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $youtube_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
done
 
# add 'SafeSearch' redirection for bing searching
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip
echo -e "\tlocal-zone: \"www.bing.com\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"www.bing.com A $bing_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
 
# add 'SafeSearch' redirection for qwant searching
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip
echo -e "\tlocal-zone: \"api.qwant.com\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"api.qwant.com A $qwant_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
 
$SED 's/^BL_SAFESEARCH=.*/BL_SAFESEARCH=on/g' $CONF_FILE
elif [ "$safesearch" == "Off" ]
then
$SED "s?^[^#]?#&?g" $DIR_DG_GROUP1/urlregexplist
[ -e $UNBOUND_BL_DOMAIN_FILTER_CONF ] && rm -f $UNBOUND_BL_DOMAIN_FILTER_CONF
 
$SED 's/^BL_SAFESEARCH=.*/BL_SAFESEARCH=off/g' $CONF_FILE
fi
 
if [ "$pureip" == "On" ]
then
$SED "s/^\#\*ip$/*ip/g" $DIR_DG_GROUP1/bannedsitelist
$SED "s/^\#\*ips$/*ips/g" $DIR_DG_GROUP1/bannedsitelist
 
$SED 's/^BL_PUREIP=.*/BL_PUREIP=on/g' $CONF_FILE
elif [ "$pureip" == "Off" ]
then
$SED "s/^\*ip$/#*ip/g" $DIR_DG_GROUP1/bannedsitelist
$SED "s/^\*ips$/#*ips/g" $DIR_DG_GROUP1/bannedsitelist
 
$SED 's/^BL_PUREIP=.*/BL_PUREIP=off/g' $CONF_FILE
fi
systemctl restart e2guardian
systemctl restart unbound-blacklist
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
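Review bot: The resolver results feeding `google_safe_server`, `youtube_safe_server`, `bing_safe_server` and `qwant_safe_server` are used unchecked: if `host` fails or prints nothing the variable is empty and the loops write `local-data: "google.com. A "` entries into domainfilter.conf, and the `systemctl restart unbound-blacklist` at the end then acts on a broken file; if `host` returns several A records the variable spans several lines and each `local-data` line is cut in two. Guard each lookup, e.g. `google_safe_server=$(host -ta forcesafesearch.google.com | awk '/has address/ {print $4; exit}')` followed by `[ -n "$google_safe_server" ] || { echo "cannot resolve forcesafesearch.google.com" >&2; exit 1; }`, and consider running `unbound-checkconf` before the restart so a bad file is reported instead of taking the resolver down. The `safesearch="Off"` / `pureip="Off"` assignments near the top are immediately overwritten by `safesearch=""` / `pureip=""` after the domain lists, so only the second pair matters; one of them should go.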
/scripts/alcasar-bl-autoupdate.sh
0,0 → 1,130
#!/bin/bash
 
# $Id: alcasar-bl.sh 2688 2019-01-18 23:15:49Z lucas.echard $
 
# alcasar-autoupdate.sh
# by Sven RATH and Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# Gestion de la BL pour le filtrage de domaine (via unbound) et d'URL (via E2guardian)
# Manage the BL for DnsBlackHole (unbound) and URL filtering (E2guardian)
 
FILE_tmp="/tmp/filesfilter.txt"
FILE_ip_tmp="/tmp/filesipfilter.txt"
DIR_DG="/etc/e2guardian/lists"
DIR_DG_BL="$DIR_DG/blacklists"
DIR_SHARE="/usr/local/share"
DIR_DNS_BL="$DIR_SHARE/unbound-bl" # all the BL in the Unbound format
DIR_DNS_WL="$DIR_SHARE/unbound-wl" # all the WL ' ' '
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL
CNC_BL_NAME="ossi-bl-candc"
CNC_URL="https://osint.bambenekconsulting.com/feeds/"
CNC_DNS=${CNC_URL}c2-dommasterlist-high.txt
CNC_IP=${CNC_URL}c2-ipmasterlist-high.txt
SED="/bin/sed -i"
CURL="/usr/bin/curl"
 
# cleaning file and split it ("domains" in $FILE_tmp & "IP" in $FILE_ip_tmp)
function clean_split (){
$SED '/^#.*/d' $FILE_tmp # remove commented lines
$SED '/^\s*$/d' $FILE_tmp # remove empty lines
$SED '/[äâëêïîöôüû@,]/d' $FILE_tmp # remove line with "chelou" characters
# extract ip addresses for iptables.
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add bl_ip_blocked " $0}' $FILE_tmp > $FILE_ip_tmp
# extract domain names for unbound.
$SED -n '/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/!p' $FILE_tmp
# Retrieve max Top Level Domain for domain name synthax
#MAX_TLD=$(curl http://data.iana.org/TLD/tlds-alpha-by-domain.txt | grep -v '-' | grep -v '#' | wc -L)
#if [ $(echo $MAX_TLD | wc -c) -eq 0 ];then
# MAX_TLD=18
#fi
# search for correction grep -E "([a-zA-Z0-9_-.]+\.){1,2}[a-zA-Z]{2,$MAX_TLD}" $ossi_custom_dir/domains > $FILE_tmp
}
 
usage="Usage: alcasar-bl-autoupdate.sh { -update_cat or --update_cat | -update_ossi-bl-candc or --update_ossi-bl-candc }"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Update the categories of Toulouse BL listed in "/usr/local/etc/update_cat.conf" (via rsync). Cron runs this function every 12h
-update_cat | --update_cat)
if [ $(cat /usr/local/etc/update_cat.conf | wc -l) -ne 0 ]
then
echo -n "Updating categories in /usr/local/etc/update_cat.conf ..."
cat /usr/local/etc/update_cat.conf | while read LIGNE_RSYNC
do
CATEGORIE=$(echo $LIGNE_RSYNC | cut -d' ' -f1)
URL=$(echo $LIGNE_RSYNC | cut -d' ' -f2)
PATH_FILE=$(find $DIR_DG_BL/ -type d -name $CATEGORIE) # retrieve directory name of the category
rsync -rv $URL $(dirname $PATH_FILE ) #rsync inside of the blacklist directory
# Creation of unbound and Iptables BL and WL
DOMAIN=$(basename $PATH_FILE)
cp $PATH_FILE/domains $FILE_tmp
clean_split # clean ossi custom files & split them for unbound and for iptables
black=`grep black $PATH_FILE/usage |wc -l`
if [ $black == "1" ]
then
# adapt to the unbound syntax for the blacklist
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN
else
# adapt to the unbound syntax for the whitelist
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp
$SED "p; s? transparent? ipset?g" $FILE_tmp # duplicate lines to enable ipset module
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf
mv $FILE_ip_tmp $DIR_IP_WL/$DOMAIN
fi
rm -f $FILE_tmp $FILE_ip_tmp
done
/usr/local/bin/alcasar-bl.sh --reload
else
echo -n "/usr/local/etc/update_cat.conf is empty ..."
fi
echo
;;
# Update C&C-Server Blacklist (TODO : check that there is a difference between two downloads)
-update_ossi-bl-candc | --update_ossi-bl-candc)
# check availability of the lists
echo "Downloading blacklists from ${CNC_URL}..."
STATUS_DNS_BL=$(${CURL} --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${CNC_DNS})
STATUS_IP_BL=$(${CURL} --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${CNC_IP})
# if downloaded successfully
if [ $STATUS_DNS_BL = 200 ] && [ $STATUS_IP_BL = 200 ]; then
## parse domain names and ips from feed (cut first 19 lines (comments) and extract first column)
CNC_DOMAINS=$($CURL $CNC_DNS | tail -n +19 | awk -F, '{print $1}')
CNC_IPS=$($CURL $CNC_IP | tail -n +19 | awk -F, '{print $1}')
## create files and adapt downloaded data to alcasar structure (add newlines after each ip/domain)
BL_DIR=${DIR_DG_BL}/${CNC_BL_NAME}
rm -rf ${BL_DIR}
mkdir $BL_DIR
echo $CNC_DOMAINS | tr " " "\n" > ${BL_DIR}/urls
echo $CNC_IPS | tr " " "\n" > ${BL_DIR}/domains
## reload ossi-blacklists to add the created blacklist to ALCASAR
echo "Download successfull."
/usr/local/bin/alcasar-bl.sh --reload
exit 0
# if server responded with a code different than 200
else
## 000 means that curl failed
if [ $STATUS_DNS_BL = 000 ] || [ $STATUS_IP_BL = 000 ]; then
echo "ERROR: curl could not access the internet to download blacklists."
echo "This appears to be an error on your side: please check the connection to the internet."
else
echo "ERROR: could not donwload blacklists: Server returned non-200 codes:"
echo "${CNC_DNS} returned ${STATUS_DNS_BL}"
echo "${CNC_IP} returned ${STATUS_IP_BL}"
echo "Check the availability of the sites. Maybe the server removed its content or changed its address."
fi
exit 1
fi
;;
esac
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
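Review bot: In the `--update_ossi-bl-candc` branch the two redirections appear swapped: `$CNC_DOMAINS` goes to `${BL_DIR}/urls` and `$CNC_IPS` to `${BL_DIR}/domains`, whereas the `--update_cat` branch treats `domains` as the file holding names and addresses that `clean_split` sorts out, so if the swap is not intended the C&C domains never reach the unbound blacklist. The feed is also stored verbatim: unlike the `--update_cat` path nothing strips comment lines, blank lines or odd characters, and `echo $CNC_DOMAINS` is unquoted, so a `*` or `?` in the feed would be glob-expanded against the current directory. Probing the status code and then downloading again without `--fail` means the data kept may differ from what was checked; one `${CURL} --fail --silent --connect-timeout 5 --output "$FILE_tmp" "$CNC_DNS"` with its exit status checked, followed by `clean_split`, would cover both. The hard-coded `tail -n +19` depends on the feed's comment header staying exactly 18 lines; `grep -v '^#'` is more robust.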
/scripts/alcasar-daemon.sh
0,0 → 1,92
#!/bin/bash
# $Id$
 
# alcasar-daemon.sh
# by Franck BOUIJOUX & Rexy
# This script is distributed under the Gnu General Public License (GPL)
# Watchdog of Services
# With the option "-after-update" checks if services or system need to be restarted after a RPM update
# See /etc/cron.d/alcasar-daemon-watchdog for config the time
 
conf_file="/usr/local/etc/alcasar.conf"
SMS=`grep ^SMS= $conf_file|cut -d"=" -f2` # SMS active (on/off)
SMS=${SMS:=off}
LDAP=`grep ^LDAP= $conf_file|cut -d"=" -f2` # ldap active (on/off)
LDAP=${LDAP:=off}
INTIF=`grep ^INTIF= $conf_file|cut -d"=" -f2` # INTIF name
EXTIF=`grep ^EXTIF= $conf_file|cut -d"=" -f2` # EXTIF name
SERVICES="mysqld lighttpd php-fpm ntpd unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd"
nb_available_srv=`echo $SERVICES|wc -w`
 
function ServiceTest () {
service=$1
if [ $(/usr/bin/systemctl is-active $service) != "active" ]; then
logger -t alcasar-daemon -i "$service is inactive. Activation attempt"
echo "the $service service is disabled! trying to start it..."
if [ $service == 'gammu-smsd' ]; then
/usr/local/bin/alcasar-sms.sh --start
fi
if [ $service == 'sshd' ]; then
[ -s /etc/ssh/ssh_host_rsa_key ] || rm -f /etc/ssh/ssh_host_* # sometimes sshd doesn't initialise its keys
fi
/usr/bin/systemctl start $service.service
else
nb_srv=$((nb_srv+1))
fi
}
 
usage="Usage: alcasar-daemon.sh {-after-update}"
case $1 in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-after-update)
# TODO : check precisely which processes should be restarted (reboot the system or restart alcasar processes)
# extract processes name : for i in `dnf needs-restarting|cut -d " " -f3|sort -u|tr -d ":"|rev|cut -d"/" -f1|rev`;do;echo $i;done
# system_processes=`dnf needs-restarting|grep -E 'dbus|python|systemd|agetty'|wc -l` # processes to be restarted after glibc update
nb_processes=`dnf needs-restarting|wc -l`
if [ $nb_processes -ne 0 ]; then
reboot
fi
;;
*)
for NIC in $EXTIF $INTIF
do
if [ `/usr/sbin/ip a show $NIC|grep DOWN|wc -l` -eq "1" ]; then
echo "The network interface card '$NIC' is down! Try to enable it"
/usr/sbin/ifup $NIC
fi
done
nb_srv=0
for service in $SERVICES; do
if [ $service == 'gammu-smsd' ]; then
if [ $SMS != "ON" ] && [ $SMS != "on" ] && [ $SMS != "On" ]; then
nb_available_srv=$((nb_available_srv-1))
continue
fi
fi
ServiceTest $service
done
if [ $nb_available_srv -ne $nb_srv ]; then
echo "Restart this script to know if all is ok"
else
echo "$nb_srv services needed by ALCASAR are started."
fi
if [ `cat /proc/modules|grep -c ^ipt_NETFLOW` == 0 ]; then
logger -t alcasar-daemon -i "ipt_netflow is inactive."
echo "The Log system is disabled! try to know why (modprobe ipt_NETFLOW)"
else
echo "The Log system is active"
fi
if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
if [ $LDAP == "ON" ] || [ $LDAP == "on" ] || [ $LDAP == "On" ]; then
echo "Enabling LDAP..."
/usr/local/bin/alcasar-ldap.sh -on
fi
fi
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
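Review bot: In the `-after-update` branch any stdout line from `dnf needs-restarting` triggers an unattended `reboot`, although that command lists processes that merely need restarting (the TODO above it says as much); from a cron job this means a full reboot of the gateway after almost every package update. Prefer the reboot hint and its exit status, `if ! dnf needs-restarting -r >/dev/null; then reboot; fi`, and restart the listed services otherwise. In `ServiceTest`, `[ $(/usr/bin/systemctl is-active $service) != "active" ]` is unquoted, so an empty result becomes a test syntax error instead of a start attempt; write `[ "$(/usr/bin/systemctl is-active "$service")" != "active" ]`. The sshd repair step removes every `/etc/ssh/ssh_host_*` file when only the RSA key is missing or empty, which regenerates all host keys and makes previously trusted fingerprints mismatch for administrators; logging that event with `logger -t alcasar-daemon` lets it be told apart from a real host-key change.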
/scripts/alcasar-iptables-bypass.sh
0,0 → 1,157
#!/bin/bash
# $Id$
 
# alcasar-iptables-bypass.sh
# by Rexy - 3abtux
# This script is distributed under the Gnu General Public License (GPL)
 
# Applique les regles du parefeu en mode ByPass
# Set the firewall rules in 'ByPass' mode
 
CONF_FILE="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
IPTABLES="/sbin/iptables"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
TUNIF="tun0" # listen device for chilli daemon
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
if [[ "$public_ip_mask" == "dhcp" ]]
then
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
public_ip_mask=`ip addr show $EXTIF | grep -o -E $PTN`
fi
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port
SSH_LAN=${SSH_LAN:=0}
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` # SSH WAN port
SSH_WAN=${SSH_WAN:=0}
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2`
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}
SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" )
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
interlan=${interlan:=off}
 
# On vide (flush) toutes les règles existantes
# Flush all existing rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
 
# On indique les politiques par défaut
# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
# On efface toutes les chaînes qui ne sont pas par défaut dans les tables filter et nat
# Flush non default rules on filter and nat tables
$IPTABLES -X
$IPTABLES -t nat -X
 
# On autorise tout sur loopback
# accept all on loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
 
#############################
# INPUT #
#############################
# SSHD rules if activate
if [ $SSH_LAN -gt 0 ]
then
$IPTABLES -A INPUT -i $INTIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $INTIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT
fi
if [ $SSH_WAN -gt 0 ]
then
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
. /usr/local/etc/alcasar-iptables-local.sh
fi
 
# on autorise les requêtes dhcp
# accept dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
 
# On drop le broadcast et le multicast sur les interfaces (sans Log)
# Drop broadcast & multicast
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On autorise l'accès aux services internes
# Allow Internal access
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # ACC
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # ACC
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
 
# On autorise le retour des connexions entrante déjà acceptées
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On interdit et on log le reste sur les 2 interfaces d'accès
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-ext -- REJECT "
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 
#############################
# FORWARD #
#############################
# On autorise les retours de connexions légitimes par FORWARD
# Conntrack on forward
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
if [ "$interlan" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
fi
 
# Insertion de règles de blocage
# Here, we add block rules
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
while read ip_line
do
ip_on=`echo $ip_line|cut -b1`
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-group 1 --nflog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
fi
done < /usr/local/etc/alcasar-ip-blocked
fi
 
# On autorise les demandes de connexions sortantes
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE Transfert -- ACCEPT "
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
 
#############################
# POSTROUTING #
#############################
# On active le masquage d'adresse par translation (NAT)
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
# on ne sauvegarde pas les règles. En cas de reboot, on repasse ainsi automatiquement en mode normal (bypass -off)
# Fin du script des regles du parefeu
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
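Review bot: When `PUBLIC_IP=dhcp`, `public_ip_mask` comes from `ip addr show $EXTIF | grep -o -E $PTN` and may be empty (no lease yet) or hold several addresses; the rule `$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP`, which is what keeps users off the network between ALCASAR and the router, then either fails to load or is word-split into a malformed command, and without `set -e` the gap is silent. Guard it with `[ -n "$public_ip_mask" ] || { logger -t alcasar-iptables-bypass "no IPv4 address on $EXTIF, inter-LAN rule not installed"; exit 1; }` and keep only the first match by appending `| head -n1`. The loop over `/usr/local/etc/alcasar-ip-blocked` breaks on a blank line (`ip_on` is empty, so `[ $ip_on != "#" ]` is a syntax error) and passes `$ip_blocked` unquoted to iptables; `while read -r ip_blocked _; do case $ip_blocked in ''|'#'*) continue ;; esac` with `"$ip_blocked"` quoted handles both.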
/scripts/alcasar-watchdog.sh
0,0 → 1,180
#!/bin/bash
# $Id$
 
# alcasar-watchdog.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
# - Ce script prévient les usagers de l'indisponibilité de l'accès Internet
# - Il déconnecte les usagers dont les équipements réseau ne répondent plus (leur onglet 'status.php' a été fermé)
# - Il deconnecte les usagers dont les adresses MAC sont usurpées
#
# - This script tells users that Internet access is down
# - It logs out users whose PCs are quiet (their status tab is closed)
# - It logs out users whose MAC address is used by other systems (usurped)
 
CONF_FILE="/usr/local/etc/alcasar.conf"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask |cut -d"/" -f1`
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}
MULTIWAN=`grep ^MULTIWAN= $CONF_FILE|cut -d"=" -f2`
current_users_file="/tmp/current_users.txt" # file containing active users with their "status.php" tab open
DIR_WEB="/var/www/html"
Index_Page="$DIR_WEB/index.php"
IPTABLES="/sbin/iptables"
TUNIF="tun0" # listen device for chilli daemon
OLDIFS=$IFS
IFS=$'\n'
 
function lan_down_alert ()
# users are redirected on ALCASAR IP address if a LAN problem is detected
{
case $LAN_DOWN in
"1")
logger -t alcasar-watchdog "$EXTIF (WAN card) link down"
echo "$EXTIF (WAN card) link down"
/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page
;;
"2")
logger -t alcasar-watchdog "can't contact the default router"
echo "can't contact the default router"
/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page
;;
"3")
logger -t alcasar-watchdog "can't resolv DNS queries"
echo "can't resolv DNS queries"
/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't resolv DNS queries\";?g" $Index_Page
;;
esac
net_pb=`grep "network_pb = true;" $Index_Page|wc -l`
if [ $net_pb = "0" ] # if previously up
then
/bin/sed -i "s?^\$network_pb.*?\$network_pb = true;?g" $Index_Page
$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56
fi
}
 
function lan_test ()
# LAN connectiivity testing
{
watchdog_process=`ps -C alcasar-watchdog.sh|wc -l`
if [[ $(expr $watchdog_process) -gt 3 ]]
then
echo "ALCASAR watchdog is already running"
exit 0
fi
# EXTIF testing
LAN_DOWN="0"
if [ `/sbin/ip link | grep $EXTIF|grep "NO-CARRIER" | wc -l` -eq "1" ]
then
LAN_DOWN="1"
fi
# Default GW testing
if [ $LAN_DOWN -eq "0" ]
then
GW_EXIST=`/sbin/ip route list|grep ^default|wc -l`
if [ $GW_EXIST -eq "0" ] # no GW defined !
then
systemctl restart network
else
if [ "$MULTIWAN" == "off" ] || [ "$MULTIWAN" == "Off" ]
then
IP_GW=`/sbin/ip route list|grep ^default|cut -d" " -f3`
arp_reply=`LANG=en_US.UTF-8 /usr/sbin/arping -I$EXTIF -c1 $IP_GW|grep response|cut -d" " -f2`
if [ $arp_reply -eq "0" ]
then
LAN_DOWN="2"
fi
fi
fi
fi
# DNS request testing (twice)
if [ $LAN_DOWN -eq "0" ]
then
dns_reply=`/usr/bin/host -W1 www.free.fr|grep SERVFAIL|wc -l`
if [ $dns_reply -eq "1" ]
then
dns_reply=`/usr/bin/host -W1 www.startpage.com|grep SERVFAIL|wc -l`
if [ $dns_reply -eq "1" ]
then LAN_DOWN="3"
fi
fi
fi
# if LAN pb detected, users are warned
if [ $LAN_DOWN != "0" ]
then
lan_down_alert
# else switch in normal mode
else
echo "Internet access is OK for now"
net_pb=`grep "network_pb = true;" $Index_Page|wc -l`
if [ $net_pb != "0" ] # if already down
then
/bin/sed -i "s?^\$network_pb.*?\$network_pb = false;?g" $Index_Page
$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56
fi
fi
}
 
usage="Usage: alcasar-watchdog.sh {-lt --lan_test | --disconnect-permanent-users}"
case $1 in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
-lt | --lan_test)
lan_test
exit 0
;;
--disconnect-permanent-users)
/bin/sed -i '/PERM/d' $current_users_file
exit 0
;;
*)
lan_test
# We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)
# process each equipment known by chilli
for system in `/usr/sbin/chilli_query list | grep -v "0\.0\.0\.0"`
do
active_ip=`echo $system |cut -d" " -f2`
active_session=`echo $system |cut -d" " -f5`
active_mac=`echo $system | cut -d" " -f1`
active_user=`echo $system |cut -d" " -f6`
# We check if the user isn't an auth @MAC and if he is still connected
if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then
if [ -e $current_users_file ]; then
# We check if user @IP is in 'current_users.txt'
cmp_user_ok=$(cat $current_users_file | awk -F':' "\$1 == \"$active_ip\" {print \$2}")
# If not we disconnect this user.
if [ -z "$cmp_user_ok" ]; then
logger -t alcasar-watchdog "$active_ip ($active_mac) doesn't contact ALCASAR any more. We disconnects the user ($active_user)."
/usr/sbin/chilli_query logout $active_mac
elif [ "$cmp_user_ok" == "TEMP" ]; then
# Remove the user's IP from 'current_users.txt'. Every user status page need to insert their @IP everytime to prove their connectivity.
# We don't disconnect when $cmp_user_ok == "PERM" (status page not needed)
sed -i "/^$active_ip:$cmp_user_ok\$/d" $current_users_file
fi
else # "current_user.txt" does not exists. We disconnect every users.
logger -t alcasar-watchdog "The file /tmp/current_users.txt doesn't' exist. We disconnects the user $active_user"
/usr/sbin/chilli_query logout $active_mac
fi
fi
# IP usurpation test : process only equipment with an authenticated user
if [[ $(expr $active_session) -eq 1 ]]
then
arp_reply=`LANG=en_US.UTF-8 /usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $active_ip|grep -c "Unicast reply"`
# disconnect users whose equipement is usurped. For example, if there are 2 same @MAC it will make 2 lines in output.
if [[ $(expr $arp_reply) -gt 1 ]]
then
echo "[$(date +"%Y-%m-%d %H:%M:%S")] : alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log
logger -t alcasar-watchdog "$active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."
/usr/sbin/chilli_query logout $active_mac
chmod 644 /var/Save/security/watchdog.log
fi
fi
done
;;
esac
IFS=$OLDIFS
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
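Review bot: The lookup `awk -F':' "\$1 == \"$active_ip\" {print \$2}"` builds the awk program by interpolating a value taken from `chilli_query list`, and `sed -i "/^$active_ip:$cmp_user_ok\$/d"` does the same with a regex in which the unescaped dots match any character; pass the data out of band instead, `awk -F: -v ip="$active_ip" '$1 == ip {print $2}' "$current_users_file"` and `sed -i "/^${active_ip//./\\.}:$cmp_user_ok\$/d" "$current_users_file"`, so an unexpected value can neither alter the program nor delete the wrong line. The "already running" check counts `ps -C alcasar-watchdog.sh` lines, which is racy and miscounts when the script is invoked through another shell; `flock -n` on a lock file is the reliable form. The `chmod 644 /var/Save/security/watchdog.log` after each append leaves the security log world-readable; if that is not intended, `chmod 640` is the safer choice. `lan_test` also runs `systemctl restart network` whenever no default route exists, which from a cron watchdog can repeatedly bounce the WAN side; a `logger -t alcasar-watchdog` line before that restart makes later incident review possible.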
/scripts/alcasar-letsencrypt.sh
0,0 → 1,284
#!/bin/bash
#
# $Id$
#
# alcasar-letsencrypt.sh
# by Tom HOUDAYER & Rexy
#
# This script is distributed under the Gnu General Public License (GPL)
#
# Manage Let's Encrypt for ALCASAR integration
 
CONF_FILE="/usr/local/etc/alcasar-letsencrypt"
ACCOUNT_EMAIL=""
DOMAIN=""
DNS_API=""
DEBUG=false
STAGING_SERVER=""
FORCE=""
OPT_PARAMS=""
ACMESH_HOME="/usr/local/etc/letsencrypt"
ACMESH_BIN="/opt/acme.sh/acme.sh"
LE_SERVER="letsencrypt"
 
usage="Usage: alcasar-letsencrypt.sh
--issue -d alcasar.domain.tld --email alcasar@domain.tld [--dns-api dns_registrar] [--force] [--staging]
--renew [-d alcasar.domain.tld] [--force] [--staging]"
 
################################################################################
# ISSUE #
################################################################################
issue() {
if [ ! -f $ACMESH_BIN ]; then
echo "The client does not seem to be installed."
return 1
fi
TMP_OUTPUT=$(mktemp --suffix=_ALCASAR-LE)
if [ ! -z $ACCOUNT_EMAIL ]; then
emailField=" --accountemail $ACCOUNT_EMAIL"
sed -i "s/^email=.*/email=$ACCOUNT_EMAIL/" $CONF_FILE
else
emailField=""
fi
rm -rf $ACMESH_HOME/certs/*
$DEBUG && debugOpt=" --debug" || debugOpt=""
[ ! -z "$DNS_API" ] && dnsApiOpt="$DNS_API" || dnsApiOpt="--yes-I-know-dns-manual-mode-enough-go-ahead-please"
$ACMESH_BIN --config-home $ACMESH_HOME/data \
$STAGING_SERVER $FORCE $debugOpt \
$emailField \
--issue --dns $dnsApiOpt -d $DOMAIN \
$OPT_PARAMS \
--server $LE_SERVER \
> $TMP_OUTPUT 2>&1
exitCode=$?
$DEBUG && cat $TMP_OUTPUT && echo -e "\n\n"
sed -i "s/^domainRequest=.*/domainRequest=$DOMAIN/" $CONF_FILE
sed -i "s/^dateIssueRequest=.*/dateIssueRequest=$(date +%s)/" $CONF_FILE
sed -i "s/^dnsapi=.*/dnsapi=${DNS_API:="dns"}/" $CONF_FILE
if ! _handle_client_response $TMP_OUTPUT; then
if [ $exitCode -ne 0 ]; then
echo -e "Error!\n"
cat $TMP_OUTPUT
rm -f $TMP_OUTPUT
return 1
else
echo -e "Unknown state\n"
cat $TMP_OUTPUT
fi
fi
rm -f $TMP_OUTPUT
}
 
################################################################################
# RENEW #
################################################################################
renew() {
if [ ! -f $ACMESH_BIN ]; then
echo "The client does not seem to be installed."
return 1
fi
TMP_OUTPUT=$(mktemp --suffix=_ALCASAR-LE)
$DEBUG && debugOpt=" --debug" || debugOpt=""
[ ! -z "$DNS_API" ] && dnsApiOpt="" || dnsApiOpt="--yes-I-know-dns-manual-mode-enough-go-ahead-please"
$ACMESH_BIN --config-home $ACMESH_HOME/data \
$STAGING_SERVER $FORCE $debugOpt \
--renew -d $DOMAIN $dnsApiOpt \
$OPT_PARAMS \
--server $LE_SERVER \
> $TMP_OUTPUT 2>&1
exitCode=$?
$DEBUG && cat $TMP_OUTPUT && echo -e "\n\n"
if ! _handle_client_response $TMP_OUTPUT; then
if [ $exitCode -ne 0 ]; then
echo -e "Error!\n"
cat $TMP_OUTPUT
rm -f $TMP_OUTPUT
return 1
else
echo -e "Unknown state\n"
cat $TMP_OUTPUT
fi
fi
rm -f $TMP_OUTPUT
}
 
################################################################################
# CRON TASK #
################################################################################
cron_task() {
if [ $(grep '^dateNextRenewal=' $CONF_FILE | cut -d'=' -f2) -le $(date +%s) ]; then
logger -t alcasar-letsencrypt "Launch CRON task."
renew
fi
}
 
################################################################################
# HANDLE CLIENT RESPONSE #
################################################################################
_handle_client_response() {
[ $# -lt 1 ] && return 1
responseFile=$1
 
# issue / renew
if [ $(cat $responseFile | grep "Add the following TXT record:" -c) -ne 0 ]; then
challenge=$(cat $responseFile | grep -E "TXT value: '[0-9a-zA-Z_-]+'" -o | cut -d"'" -f2)
sed -i "s/^challenge=.*/challenge=$challenge/" $CONF_FILE
echo "Add the following TXT record:"
echo "Domain: '_acme-challenge.$DOMAIN'"
echo "TXT value: '$challenge'"
elif [ $(cat $responseFile | grep "Cert success." -c) -ne 0 ]; then
sed -i "s/^challenge=.*/challenge=/" $CONF_FILE
sed -i "s/^dateIssued=.*/dateIssued=$(date +%s)/" $CONF_FILE
sed -i "s/^dateNextRenewal=.*/dateNextRenewal=$(date +%s -d '2 months - 3 days')/" $CONF_FILE
install_cert
logger -t alcasar-letsencrypt "Certificate \"$DOMAIN\" imported."
echo "Certificate imported."
[ -z $DNS_API ] && echo "Note: you can delete the TXT record."
elif [ $(cat $responseFile | grep "Domains not changed." -c) -ne 0 ]; then
echo "Domain not changed"
elif [ $(cat $responseFile | grep "$DOMAIN is already verified, skip dns-01." -c) -ne 0 ]; then
echo "Domain already verified"
elif [ $(cat $responseFile | grep "Error add txt for domain:_acme-challenge.$DOMAIN" -c) -ne 0 ]; then
echo "Error add txt for domain:_acme-challenge.$DOMAIN"
elif [ $(cat $responseFile | grep "Please add the TXT records to the domains, and retry again." -c) -ne 0 ]; then
echo "Dns record not added yet, you need to add it manually and retry again."
elif [ $(cat $responseFile | grep 'new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: \(.*\)","status": 400}' -c) -ne 0 ]; then
errorMsg=$(cat $responseFile | grep 'new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: \(.*\)","status": 400}' | sed 's/.*new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: \(.*\)","status": 400}.*/\1/')
echo "Incorrect domain name"
echo "$errorMsg"
elif [ $(cat $responseFile | grep "'$DOMAIN' is not a issued domain, skip." -c) -ne 0 ]; then
echo "'$DOMAIN' is not a issued domain"
 
# renew
elif [ $(cat $responseFile | grep "Skip, Next renewal time is: " -c) -ne 0 ]; then
nextRenewal=$(cat $responseFile | grep 'Skip, Next renewal time is: ' | sed 's/.*Skip, Next renewal time is: \(.*\)/\1/')
echo "Skip, Next renewal time is: $nextRenewal"
echo "Add '--force' to force to renew."
elif [ $(cat $responseFile | grep "$DOMAIN:Verify error:Correct value not found for DNS challenge" -c) -ne 0 ]; then
echo "Correct value not found for DNS challenge"
elif [ $(cat $responseFile | grep "Unable to update challenge :: The challenge is not pending." -c) -ne 0 ]; then
echo "The challenge is not pending. You need to issue."
else
return 2
fi
return 0
}
 
################################################################################
# INSTALL CERTIFICATE #
################################################################################
install_cert() {
echo "Importing certificate to ALCASAR..."
LE_cert_folder="$( echo "$ACMESH_HOME/certs/$DOMAIN"*"")"
if [ ! -f $LE_cert_folder"/"$DOMAIN.cer ]; then
echo "Certificate not found."
return 1
fi
/usr/local/bin/alcasar-importcert.sh \
-i $LE_cert_folder"/"$DOMAIN.cer \
-k $LE_cert_folder"/"$DOMAIN.key \
-c $LE_cert_folder/fullchain.cer \
> /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "Error."
return 1
fi
}
 
################################################################################
# MAIN #
################################################################################
 
if [ $# -eq 0 ]; then
echo "$usage"
exit 1
fi
cmd=""
while [ $# -gt 0 ]; do
case $1 in
-\? | -h | --help)
echo "$usage"
exit 0
;;
--issue)
cmd="issue"
shift 1
;;
--renew)
cmd="renew"
shift 1
;;
--cron)
cmd="cron"
shift 1
;;
--install-cert)
cmd="install-cert"
shift 1
;;
--email)
ACCOUNT_EMAIL="$2"
shift 2
;;
--domain | -d)
DOMAIN="$2"
shift 2
;;
--dns-api)
DNS_API="$2"
shift 2
;;
--force)
FORCE="--force"
shift 1
;;
--staging)
STAGING_SERVER="--staging"
shift 1
;;
--debug)
DEBUG=true
shift 1
;;
*)
found=false
for param in "--dnssleep"; do
if [ $1 == $param ]; then
OPT_PARAMS="$OPT_PARAMS $1 $2"
shift 2
found=true
break
fi
done
if ! $found; then
echo "Unknown argument: $1"
echo "$usage"
exit 1
fi
;;
esac
done
 
if [ -z $DOMAIN ]; then
if [ $(grep '^domainRequest=' $CONF_FILE | cut -d'=' -f2 | wc --chars) -gt 1 ]; then
DOMAIN="$(grep '^domainRequest=' $CONF_FILE | cut -d'=' -f2)"
else
DOMAIN="$(grep '^HOSTNAME=' /usr/local/etc/alcasar.conf | cut -d'=' -f2).$(grep '^DOMAIN=' /usr/local/etc/alcasar.conf | cut -d'=' -f2)"
fi
fi
 
case $cmd in
issue)
issue
;;
renew)
renew
;;
cron)
cron_task
;;
install-cert)
install_cert
;;
*) exit 1 ;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
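--- a/scripts/alcasar-certificates.sh
+++ b/scripts/alcasar-certificates.sh
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+# Id: $Id$
+
+# alcasar-certificates.sh
+# by Franck BOUIJOUX and REXY
+# This script is distributed under the Gnu General Public License (GPL)
+
+# Script permettant
+# - d'exporter les certificats d'un serveur pour les transposer sur un autre.
+
+# This script allows
+# - export certificates server to move them.
+
+
+DIR_EXPORT="/root/Certificats"
+DIR_PKI="/etc/pki"
+DIR_SAVE="/root/PKI_SAVE"
+DIR_IMPORT="/root/Certificats"
+
+
+usage="Usage: alcasar-certificates.sh {--export or -x} | {--import or -i <FileOfCertificate.tar.gz>} "
+
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+nb_args=1
+args="-h"
+fi
+
+
+NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment
+FILE="certificates-$NOW"
+DIR_SAVE=$DIR_SAVE-$NOW
+
+# Function of export
+function certs_export() {
+# Export of CA Certificate
+cd /root
+tar cvf $FILE.tar $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
+
+# Export of server Certificate
+tar rvf $FILE.tar $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,certs/server-chain.pem}
+gzip $FILE.tar
+echo "Le fichier des certificats exportés est : $FILE.tar.gz"
+} # end function export
+
+
+function archive() {
+# Sauvegarde de la pki actuelle
+[ -d $DIR_SAVE ] || mkdir $DIR_SAVE
+
+# Save of CA Certificate
+cd $DIR_PKI/CA/
+cp alcasar-ca.crt $DIR_SAVE/.
+cp private/alcasar-ca.key $DIR_SAVE/.
+
+# Save of server Certificate
+cd $DIR_PKI/tls
+cp certs/alcasar.crt $DIR_SAVE/.
+cp private/alcasar.key $DIR_SAVE/.
+cp certs/server-chain.pem $DIR_SAVE/.
+} # end function archive
+
+function import() {
+echo "Would you like to Import New Certificates in ALCASAR ?"
+read response
+if [ $response = "y" ] || [ $response = "o" ] || [ $response = "Y" ] || [ $response = "O" ]
+then
+[ -d $DIR_IMPORT ] || mkdir $DIR_IMPORT
+rm -rf $DIR_IMPORT/*
+
+# Import of CA Certificate
+tar xzvf $1 --directory=$DIR_IMPORT
+
+(cat $DIR_PKI/tls/private/alcasar.key; echo; cat $DIR_PKI/tls/certs/alcasar.crt) > $DIR_PKI/tls/private/alcasar.pem
+
+echo "Import new certificates in ALCASAR !!!"
+cp -r $DIR_IMPORT/* /.
+chown root:apache $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
+chown root:apache $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.pem}
+
+chmod 750 $DIR_PKI/CA/{alcasar-ca.crt,private/alcasar-ca.key}
+chmod 750 $DIR_PKI/tls/{certs/alcasar.crt,private/alcasar.key,private/alcasar.pem,certs/server-chain.pem}
+
+service lighttpd restart
+else
+echo "You are not import new certificates !!!"
+exit 0
+fi
+} # end import
+
+# Core script
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--export | -x)
+archive
+certs_export
+;;
+--import | -i)
+nb_args=$#
+if [ $nb_args -eq 1 ]
+then
+echo "Il faut passer un fichier de certificat en paramètre !!!"
+exit 0
+fi
+import $2
+;;
+*)
+echo "Unknown argument :$1";
+echo "$usage"
+exit 1
+;;
+esac
+exit 0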
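Review bot: The combined PEM is rebuilt on the line `(cat $DIR_PKI/tls/private/alcasar.key; echo; cat $DIR_PKI/tls/certs/alcasar.crt) > $DIR_PKI/tls/private/alcasar.pem` before `cp -r $DIR_IMPORT/* /.` installs the imported key and certificate, and `certs_export` never packs a pem, so after an import `alcasar.pem` still holds the previous key/cert pair while `alcasar.key`/`alcasar.crt` hold the new ones (if lighttpd is what reads the pem, the restart keeps serving the old certificate); move that line after the `cp`. The import also copies whatever the archive contains onto `/` as root without looking at its member list, so restricting the extraction to the five expected paths — e.g. `tar xzvf "$1" --directory="$DIR_IMPORT" etc/pki/CA/alcasar-ca.crt etc/pki/CA/private/alcasar-ca.key etc/pki/tls/certs/alcasar.crt etc/pki/tls/private/alcasar.key etc/pki/tls/certs/server-chain.pem` (member names presumably lose their leading `/` at creation; verify against an exported archive) — bounds what an import can overwrite. The exported tarball holds the CA and server private keys yet is created under the default umask; a `umask 077` at the start of `certs_export` keeps it readable by root only. The script declares `#!/bin/sh` but relies on the `function` keyword and bash brace expansion in every `tar`/`chown`/`chmod` call, so it only works where `/bin/sh` is bash; `#!/bin/bash` states the real requirement.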
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
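--- a/scripts/alcasar-ssh.sh
+++ b/scripts/alcasar-ssh.sh
@@ -0,0 +1,168 @@
+
+#!/bin/bash
+
+# alcasar-ssh.sh
+# by Alexandre Vezin
+
+# enable/disable SSH on external card
+# activation/désactivation de SSH sur la carte réseau externe
+
+SED="/bin/sed -i"
+CAT="/bin/cat"
+GREP="/bin/grep"
+SYSTEMCTL="/bin/systemctl"
+ALCASAR_CONF="/usr/local/etc/alcasar.conf"
+SSH_CONF="/etc/ssh/sshd_config"
+
+usage="Usage: alcasar-ssh.sh {--off | -off} | {--on | -on} [-p port] [-i allowed ip] {-l lan} | {-w wan}" # | {--all | -all} à add pour off all?
+
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+echo "$usage"
+exit 1
+fi
+
+while getopts ":p:i:wl" portarg; do
+case "${portarg}" in
+p)
+SSH_PORT=${OPTARG}
+NUM_REGEX='^[0-9]+$'
+if ! [[ $SSH_PORT =~ $NUM_REGEX ]];
+then
+echo "The port $SSH_PORT is invalid"
+exit 1
+fi
+if [ $SSH_PORT -lt 0 ] || [ $SSH_PORT -gt 65535 ]
+then
+echo "The port $SSH_PORT is invalid"
+exit 1
+fi
+;;
+i)
+IP_FROM=${OPTARG}
+ipcalc -c $IP_FROM
+if [ $? -ne 0 ]
+then
+exit 1;
+fi
+;;
+w)
+NETWORK="wan"
+;;
+l)
+NETWORK="lan"
+;;
+esac
+done
+
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--off | -off)
+NETWORK=${NETWORK:="none"}
+if [ $NETWORK == "wan" ]
+then
+# Editing Alcasar configuration - Deleting the port
+$SED "s/^SSH_WAN=.*/SSH_WAN=0/g" $ALCASAR_CONF
+# Editing SSH configuration - Deleting any port other than 22
+$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF
+# Applying iptables
+/usr/local/bin/alcasar-iptables.sh
+elif [ $NETWORK == "lan" ]
+then
+# Editing Alcasar configuration
+$SED "s/^SSH_LAN=.*/SSH_LAN=0/g" $ALCASAR_CONF
+# Applying iptables
+/usr/local/bin/alcasar-iptables.sh
+else
+echo "$usage"
+exit 0
+fi
+$SYSTEMCTL restart sshd
+exit 0
+;;
+--on | -on)
+NETWORK=${NETWORK:="none"}
+if [ $NETWORK == "wan" ]
+then
+# Getting LAN IP
+LAN_IP=`$GREP "^SSH_ADMIN_FROM=" $ALCASAR_CONF |cut -d"=" -f2|cut -d"/" -f1`
+# Setting accepted IP in Alcasar configuration
+IP_FROM=${IP_FROM:="0.0.0.0"}
+$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$LAN_IP/$IP_FROM g" $ALCASAR_CONF
+# Setting SSH port in Alcasar configuration
+SSH_PORT=${SSH_PORT:=22}
+$SED "s/^SSH_WAN=.*/SSH_WAN=$SSH_PORT/g" $ALCASAR_CONF
+LAN_PORT=`$GREP "^SSH_LAN=" $ALCASAR_CONF | cut -d"=" -f2`
+LAN_PORT=${LAN_PORT:=0}
+# Checking if there is already a port other than the LAN port set
+if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s$LAN_PORT$"` -gt 0 ]
+then
+if [ $SSH_PORT -ne $LAN_PORT ]
+then
+# Editing SSH configuration - Changing any port other than the LAN port
+$SED "/\s$LAN_PORT$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF
+else
+# Editing SSH configuration - Deleting any port other than the LAN port
+$SED "/^.*Port\s[0-9]*/{/\s$LAN_PORT$/!d}" $SSH_CONF
+fi
+else
+if [ $SSH_PORT -ne $LAN_PORT ]
+then
+# Adding the new SSH port in the config
+echo "Port $SSH_PORT" >> $SSH_CONF
+fi
+fi
+# Applying iptables
+/usr/local/bin/alcasar-iptables.sh
+elif [ $NETWORK == "lan" ]
+then
+# Getting WAN IP
+WAN_IP=`$GREP "^SSH_ADMIN_FROM=" $ALCASAR_CONF |cut -d"=" -f2|cut -d"/" -f2`
+# Setting accepted IP in Alcasar configuration
+IP_FROM=${IP_FROM:="0.0.0.0"}
+$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$IP_FROM/$WAN_IP g" $ALCASAR_CONF
+# Editing Alcasar configuration
+$SED "s/^SSH_LAN=.*/SSH_LAN=$SSH_PORT/g" $ALCASAR_CONF
+# Setting SSH port in Alcasar configuration
+SSH_PORT=${SSH_PORT:=22}
+$SED "s/^SSH_LAN=.*/SSH_LAN=$SSH_PORT/g" $ALCASAR_CONF
+WAN_PORT=`$GREP "^SSH_WAN=" $ALCASAR_CONF | cut -d"=" -f2`
+WAN_PORT=${WAN_PORT:=0}
+# Checking if there is already a port other than the WAN port set
+if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s$WAN_PORT$"` -gt 0 ]
+then
+if [ $SSH_PORT -ne $WAN_PORT ]
+then
+# Editing SSH configuration - Changing any port other than the WAN port
+$SED "/\s$WAN_PORT$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF
+else
+# Editing SSH configuration - Deleting any port other than the WAN port
+$SED "/^.*Port\s[0-9]*/{/\s$WAN_PORT$/!d}" $SSH_CONF
+fi
+else
+if [ $SSH_PORT -ne $WAN_PORT ]
+then
+# Adding the new SSH port in the config
+echo "Port $SSH_PORT" >> $SSH_CONF
+fi
+fi
+# Applying iptables
+/usr/local/bin/alcasar-iptables.sh
+else
+echo "$usage"
+exit 0
+fi
+$SYSTEMCTL restart sshd
+exit 0
+;;
+*)
+echo "Argument inconnu : $1"
+echo "$usage"
+exit 1
+;;
+esac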
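Review bot: The `#!/bin/bash` line is the second line of the file (the first is empty), so the kernel never sees a shebang and the script runs under whichever shell launched it, while `if ! [[ $SSH_PORT =~ $NUM_REGEX ]];` requires bash; drop the leading blank line. Every sshd_config edit keys on `^.*Port\s[0-9]*`, and because `^.*` also swallows a leading `#` (and `[0-9]*` matches nothing), commented lines such as `#Port 22` or any comment containing `Port ` match too, so the `--on` substitution can turn a comment into a live `Port N` directive or add several of them and the `--off` deletion can strip comments; anchor at line start (`^Port\s` instead of `^.*Port\s`) in the seven `sed`/`grep` calls, e.g. `$SED "/\s$LAN_PORT$/! s/^Port\s[0-9]*$/Port $SSH_PORT/" $SSH_CONF`. The range check `[ $SSH_PORT -lt 0 ]` admits port 0; use `-lt 1`. Because the script rewrites sshd_config and then restarts sshd, a bad edit locks the operator out, so running `sshd -t` before `$SYSTEMCTL restart sshd` and aborting on failure is a cheap guard. Note that `--on -w` without `-i` stores `0.0.0.0` in `SSH_ADMIN_FROM`, which alcasar-iptables.sh presumably treats as any source host; the usage text should say that WAN SSH is opened to the world unless `-i` is given.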
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
/scripts/alcasar-activity_report.sh
0,0 → 1,715
#!/bin/bash
# $Id$
#
# Create an activity report for ALCASAR every week (sunday at 5.35 pm --> see cron.d).
# We read configuration files and logs to create cool charts.
# Written by Raphaël PION, Rexy & Tom HOUDAYER
 
CONF_FILE='/usr/local/etc/alcasar.conf'
# files
DIR_TMP="/var/tmp"
TMP_AV="$DIR_TMP/av_count.txt"
TMP_BL="$DIR_TMP/bl_count.txt"
TMP_BL_WEEK="$DIR_TMP/bl_count_week.txt"
TMP_BL_WEEK_CAT="$DIR_TMP/bl_count_week_cat.txt"
 
# Model loaded to create charts
DIR_BUILD="/var/www/html/acc/manager/activity_report/"
MODEL_CHARTJS="$DIR_BUILD/models/Chart.report.js"
MODEL_TABINFO="$DIR_BUILD/models/tabinfo.html"
 
# Where the report will be created.
HTML_REPORT="$DIR_BUILD/alcasar-report-$(date +%F).html"
 
# TIME VALUE
C_TS=$(date +"%s") #current timestamp
MAX_DAY_AGO=7
SECS_AGO=$(date --date="$MAX_DAY_AGO days ago" +"%s") #timestamp ago
STEP_TS=$((C_TS-$SECS_AGO)) #timestamp between current timestamp and SECS_AGO
 
# PRIVATE IP OF ALCASAR
PRIVATE_IP=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2 | cut -d'/' -f1)
 
# COLOR for charts
COLOR="'#ff0000','#3333cc','#009933','#993300','#1720EE','#D30229','#8D726D','#41C4E4','#8574F4','#A0BC1A','#BFDC1F','#5ADDC3','#B05744','#CD9319','#8CA39B','#D4AA1C','#A76752','#B03088','#445E87','#70424D','#D118C3','#46ABEF','#E9F197','#AEC0D4','#755C79','#94BBD7','#E2E9DC','#8B68D0','#F7EC7C','#1F16B8','#F4DA0A','#2EC17A','#E06483','#48B342','#F510CD','#9B2662','#180E98','#988FC1','#209E4E','#034240','#FDB142','#36B445','#CDD5C9','#6FA0DE','#EE2206','#204E19','#15FC93','#161ECE','#83D33B','#11A44A','#B7BF6C','#87274C','#B52C4F','#AD2805','#427E6C','#91341A','#191315','#FCB290','#13D3CD','#90F0E6','#C870C9','#AD2C14','#201D2A','#E4DB79','#90A919','#FE17FE','#09B35C','#88D950','#3440FC','#A9D42F','#E2DFAC','#DA69EC','#67430A','#43E94E','#5F7349','#22CF16','#CF038F','#0F6427','#F7AD0F','#C5E382','#DB49B6','#F760BF','#0BE701','#EF88D8','#79E6D7','#8A2D3D','#435A30','#A3C8AC','#99B118','#A929FF','#08A36D','#0A1654','#6F8283','#E1CA3E','#3E8577','#580FB6','#DB0E16','#386CBE','#FA0C43','#B713C9'"
 
# Values to create new htdigest user to consult statistique of ACC
DIR_KEY="/usr/local/etc/digest"
tmp_account="tmp_activityreport"
realm="ALCASAR Control Center (ACC)"
password=$(openssl rand -base64 32) #random password (length : 32)
SED="/usr/bin/sed -i "
TMP_STATS="$DIR_TMP/stats.html"
TMP_STATS_2="$DIR_TMP/stats2.html"
 
# if empty logs, replace charts by text.
ENABLE_BL=0
ENABLE_BL_WEEK=0
ENABLE_AV=0
 
if [ -e $TMP_AV ]
then
rm $TMP_AV
fi
 
if [ -e $TMP_BL ]
then
rm $TMP_BL
fi
 
if [ -e $TMP_BL_WEEK ]
then
rm $TMP_BL_WEEK
fi
 
if [ -e $TMP_BL_WEEK_CAT ]
then
rm $TMP_BL_WEEK_CAT
fi
 
if [ -e $HTML_REPORT ]
then
rm $HTML_REPORT
fi
 
echo "<!doctype html>" >> $HTML_REPORT
echo "<html>" >> $HTML_REPORT
echo "<head>" >> $HTML_REPORT
echo "<meta charset=\"utf-8\">" >> $HTML_REPORT
echo "<title>ALCASAR report</title>" >> $HTML_REPORT
echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"../../../css/bootstrap.min.css\">" >> $HTML_REPORT
echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"../../../css/report.css\">" >> $HTML_REPORT
echo "<script src=\"../../../js/Chart.bundle.min.js\"></script>" >> $HTML_REPORT
echo "<script src=\"../../../js/jquery.min.js\"></script>" >> $HTML_REPORT
echo "</head>" >> $HTML_REPORT
echo "<body>" >> $HTML_REPORT
echo "<h1><center>Rapport d'activité de l'ALCASAR-$(grep ^ORGANISM= $CONF_FILE | cut -d'=' -f2-)</center></h1>" >> $HTML_REPORT
echo "<i><p style=\"text-align: right;\">Date de création $(date +%F)</p></i>" >> $HTML_REPORT
echo "<font size=\"1\">" >> $HTML_REPORT
 
######################TABINFO######################
echo "Create information about system and ALCASAR"
#contain every information about ALCASAR configuration, system and last update
 
cat $MODEL_TABINFO | while read LINE_HTML
do
if [ "$(echo $LINE_HTML | grep 'XXORGXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^ORGANISM= $CONF_FILE | cut -d'=' -f2-)
echo ${LINE_HTML/XXORGXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXINSTALLXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^INSTALL_DATE= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXINSTALLXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXAVERSIONXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^VERSION= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXAVERSIONXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXIP_PUBLICXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^PUBLIC_IP= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXIP_PUBLICXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXIP_PRIVEXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXIP_PRIVEXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXGWXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^GW= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXGWXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXDNS1XX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^DNS1= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXDNS1XX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXDNS2XX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^DNS2= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXDNS2XX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXHOSTXX' | wc -l)" -eq 1 ]
then
VALUE=$(hostname)
echo ${LINE_HTML/XXHOSTXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXOS_VERSIONXX' | wc -l)" -eq 1 ]
then
VALUE=$(echo "$(uname -r) [ $(uname -m) ]")
echo ${LINE_HTML/XXOS_VERSIONXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXREBOOTXX' | wc -l)" -eq 1 ]
then
VALUE=$(who -b | cut -d' ' -f12-)
echo ${LINE_HTML/XXREBOOTXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXMAJCLAMAVXX' | wc -l)" -eq 1 ]
then
VALUE=$(date -d "@$(rpm -qa --queryformat "%{installtime} %{name}\n" | grep -E "clamav-db" | cut -d' ' -f1 )" "+%Y-%m-%d %H:%M:%S")
echo ${LINE_HTML/XXMAJCLAMAVXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXMAJBLXX' | wc -l)" -eq 1 ]
then
VALUE=$(cat /etc/e2guardian/lists/blacklists/README | grep 'Last version' | cut -d' ' -f4-6)
echo ${LINE_HTML/XXMAJBLXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXRPMXX' | wc -l)" -eq 1 ]
then
#show every ALCASAR RPM updated since X day ago
#get timestamp of X day ago. Then we get every packets chich have been updated since this date.
if [ "$(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l)" -gt 1 ]
then
PACKAGE='php|lighttpd|iptables|unbound|radius|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|ipt-netflow|wget|mariadb|gnupg|openssl'
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR
do
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1)
RPM_DATE=$(date -d "@$(echo $RPM_TIMESTAMP)" "+%Y-%m-%d %H:%M:%S")
RPM_NAME=$(echo $RPM_ALCASAR | cut -d' ' -f2)
RPM_VERSION=$(echo $RPM_ALCASAR | cut -d' ' -f3)
 
echo "<tr>" >> $HTML_REPORT
echo "<td>$RPM_NAME</td>" >> $HTML_REPORT
echo "<td>$RPM_DATE</td>" >> $HTML_REPORT
echo "<td>$RPM_VERSION</td>" >> $HTML_REPORT
echo "</tr>" >> $HTML_REPORT
done
else
echo "<tr><td colspan=\"3\">Pas de RPM mis à jour cette semaine</td></tr>" >> $HTML_REPORT
fi
else
echo $LINE_HTML >> $HTML_REPORT
fi
done
 
######################BL WEBSITE SINCE INSTALLATION######################
echo "Create BL website since the installation of ALCASAR"
#find data
 
#decompress every logs
if [ "$(ls -1 /var/log/unbound/unbound-blacklist.log.*.gz 2>/dev/null | wc -l)" -ge 1 ]
then
gunzip -d unbound-blacklist.log.*.gz
fi
 
#convert logs date in timestamp and find categories of blacklisted website
tmp_log=$(mktemp)
for FILE in /var/log/unbound/unbound-blacklist.log*
do
grep -E "info: [^ ]+ typetransparent $PRIVATE_IP" /var/log/unbound/unbound-blacklist.log > $tmp_log
while read LOG_BL
do
# find the current blacklisted category
website_bl=$(echo $LOG_BL | cut -d' ' -f4)
website_bl=${website_bl%?} # remove the last character
 
#we convert www.test.co.uk => test.co.uk to find the category of this website
if [ "$(grep -o '\.' <<< "$website_bl" | wc -l)" -ge "2" ]
then
website_bl=$(echo $website_bl | cut -d'.' -f2-)
fi
 
#get BL category
categorie_bl=$(grep -Rl "$website_bl" /usr/local/share/unbound-bl-enabled/ | cut -d'/' -f6 | head -1)
 
CURRENT_TS=$(echo $LOG_BL | cut -d '[' -f2 | cut -d ']' -f1)
echo "$CURRENT_TS:$categorie_bl:" >> $TMP_BL
done < $tmp_log
done
rm $tmp_log
 
#if data exists, create this section in html document
if [ -e $TMP_BL ]
then
ENABLE_BL=1
#count every BL website consulted since installation (maximum 1 year)
DATE_END=$(cat $TMP_BL | cut -d':' -f1 | sort -n | head -1 )
 
 
for TS in $(seq $C_TS -$STEP_TS $DATE_END)
do
DATE_1=$TS
DATE_2=$((TS-$STEP_TS))
COUNT_BL_INSTALLATION=0
 
for LINE in $(cat $TMP_BL)
do
TS_FILE=$(echo $LINE | cut -d':' -f1)
 
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ]
then
COUNT_BL_INSTALLATION=$((COUNT_BL_INSTALLATION+1))
fi
done
 
VALUE_BL_INSTALLATION_LABEL="'$(date -d @$DATE_2 "+%Y-%m-%d" )', $VALUE_BL_INSTALLATION_LABEL"
VALUE_BL_INSTALLATION_DATA="$COUNT_BL_INSTALLATION, $VALUE_BL_INSTALLATION_DATA"
done
 
#create Antivirus section in html document
NAME_BL_INSTALLATION='chart_bl_installation'
CONF_BL_INSTALLATION='config_bl_installation'
echo "<center>" >> $HTML_REPORT
echo "<canvas id='$NAME_BL_INSTALLATION' width='450' height='450'></canvas>" >> $HTML_REPORT
echo "</center>" >> $HTML_REPORT
 
#create chart bar in html file with javascript (chartjs.com)
echo "<script>" >> $HTML_REPORT
cat $MODEL_CHARTJS | while read LINE_JS
do
#name of variable
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCONFXX/$CONF_BL_INSTALLATION} >> $HTML_REPORT
#chart type
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT
#chart title
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTITLEXX/"Sites bloqués au total"} >> $HTML_REPORT
#chart data
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXDATAXX/$VALUE_BL_INSTALLATION_DATA} >> $HTML_REPORT
#color
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT
#labels
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_INSTALLATION_LABEL} >> $HTML_REPORT
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
elif [ "$(echo $LINE_JS | grep 'XXYLABELXX' | wc -l)" -eq 1 ]
then
echo "\"Nombre de site bloqué par la blacklist\"" >> $HTML_REPORT
else
echo $LINE_JS >> $HTML_REPORT
fi
done
echo "</script>" >> $HTML_REPORT
else
echo "<h2>Aucune activité de la Blacklist depuis l'installation.</h2>" >> $HTML_REPORT
fi
 
 
 
######################Unbound BLACKLIST######################
echo "Create BL website since $MAX_DAY_AGO days"
 
#if data exists, create BL section in html document
if [ -e $TMP_BL ]
then
ENABLE_BL_WEEK=1
#find data
#count every BL website consulted since DAYS_AGO
DATE_1=$C_TS
DATE_2=$((DATE_1-$STEP_TS))
 
touch $TMP_BL_WEEK
 
for LINE in $(cat $TMP_BL)
do
TS_FILE=$(echo $LINE | cut -d':' -f1)
#select only elements between DATE_1 and DATE_2
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ]
then
echo $LINE >> $TMP_BL_WEEK
fi
done
 
#then we count every occurence for each category in TMP_BL_WEEK
for CAT in $(ls /usr/local/share/unbound-bl/ -1 | cut -d'.' -f1)
do
echo "$CAT:$(grep -o ":$CAT:" <<< "$(cat $TMP_BL_WEEK)" | wc -l):" >> $TMP_BL_WEEK_CAT
done
 
#we sort by number of occurence and we take the top 10 BL categories
for LINE in $(sort -t':' -k2 -rn $TMP_BL_WEEK_CAT | head -n 10)
do
 
DATA=$(echo $LINE | cut -d':' -f2)
LABEL=$(echo $LINE | cut -d':' -f1)
if [ $DATA -ne 0 ]
then
VALUE_BL_DATA="$VALUE_BL_DATA $DATA, "
VALUE_BL_LABEL="$VALUE_BL_LABEL '$LABEL ($DATA)',"
fi
done
 
#get other categories (sum them all)
if [ "$(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)" -gt 0 ]
then
VALUE_BL_DATA="$VALUE_BL_DATA $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)"
VALUE_BL_LABEL="$VALUE_BL_LABEL 'autre ($(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc))'"
fi
 
#create chart pie in html file with javascript (chartjs.com)
NAME_BL='chart_bl'
CONF_BL='config_bl'
echo "<center>" >> $HTML_REPORT
echo "<canvas id='$NAME_BL' width='450' height='450' ></canvas>" >> $HTML_REPORT
echo "</center>" >> $HTML_REPORT
echo "<script>" >> $HTML_REPORT
 
cat $MODEL_CHARTJS | while read LINE_JS
do
#variable name
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCONFXX/$CONF_BL} >> $HTML_REPORT
#chart type
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTYPEXX/pie} >> $HTML_REPORT
#graph title
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTITLEXX/"Sites bloqués cette semaine"} >> $HTML_REPORT
#chart data
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXDATAXX/$VALUE_BL_DATA} >> $HTML_REPORT
#color
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT
#labels
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_LABEL} >> $HTML_REPORT
#display legend, only useful for chart pie
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLEGENDXX/true} >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ]
then
echo "/*" >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ]
then
echo "*/" >> $HTML_REPORT
else
echo $LINE_JS >> $HTML_REPORT
fi
done
echo "</script>" >> $HTML_REPORT
else
echo "<h2>Aucune activité de la Blacklist cette semaine.</h2>" >> $HTML_REPORT
fi
 
######################VIRUS THREAT######################
echo "Create AV logs since the installation of ALCASAR"
 
#decompress every logs, if they exist
if [ "$(ls -1 /var/log/clamav/clamd.log.*.gz 2>/dev/null | wc -l)" -ge 1 ]
then
gunzip -d clamd.log.*.gz
fi
 
for FILE in /var/log/clamav/clamd.log*
do
while read LINE_AV
do
if [ "`echo $LINE_AV|grep -c FOUND`" == 1 ]
then
Y=$(echo $LINE_AV | cut -d' ' -f5)
M=$(echo $LINE_AV | cut -d' ' -f2)
D=$(echo $LINE_AV | cut -d' ' -f3)
H=$(echo $LINE_AV | cut -d' ' -f4)
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s")
echo $CURRENT_TS >> $TMP_AV
fi
done < $FILE
done
 
if [ -e $TMP_AV ]
then
ENABLE_AV=1
DATE_END=$(cat $TMP_AV | sort -n | head -1)
for TS in $(seq $C_TS -$STEP_TS $DATE_END)
do
DATE_1=$TS
DATE_2=$((TS-$STEP_TS))
COUNT_AV=0
 
for TS_FILE in $(cat $TMP_AV)
do
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ]
then
COUNT_AV=$((COUNT_AV+1))
fi
done
 
VALUE_AV_LABEL="'$(date -d @$DATE_2 "+%Y-%m-%d" )', $VALUE_AV_LABEL"
VALUE_AV_DATA="$COUNT_AV, $VALUE_AV_DATA"
done
 
#create Antivirus section in html document
NAME_AV='chart_av'
CONF_AV='config_av'
echo "<center>" >> $HTML_REPORT
echo "<canvas id='$NAME_AV' width='450' height='450' ></canvas>" >> $HTML_REPORT
echo "</center>" >> $HTML_REPORT
 
 
#create chart bar in html file with javascript (chartjs.com)
echo "<script>" >> $HTML_REPORT
cat $MODEL_CHARTJS | while read LINE_JS
do
#name of variable
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCONFXX/$CONF_AV} >> $HTML_REPORT
#chart type
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT
#graph title
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTITLEXX/"Menaces bloqués par l\'antivirus"} >> $HTML_REPORT
#chart data
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXDATAXX/$VALUE_AV_DATA} >> $HTML_REPORT
#color
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT
#labels
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLABELSXX/$VALUE_AV_LABEL} >> $HTML_REPORT
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
elif [ "$(echo $LINE_JS | grep 'XXYLABELXX' | wc -l)" -eq 1 ]
then
echo "\"Nombre de menaces virales bloqués par l'antivirus\"" >> $HTML_REPORT
else
echo $LINE_JS >> $HTML_REPORT
fi
done
echo "</script>" >> $HTML_REPORT
else
echo "<h2>Aucune menace virale.</h2>" >> $HTML_REPORT
fi
 
 
######################ALCASAR : DAILY USE######################
echo "Get daily use connection of the week"
#create html document
echo "<h2>Statistiques volumétrie connexions</h2>" >> $HTML_REPORT
 
#create new htdigest user to consult statistique of ACC
#if user does not exist, we create him
if [ "$(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l)" -lt 1 ]
then
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_only_manager
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_manager
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_all
chown -R root:apache $DIR_KEY
chmod 640 $DIR_KEY/key_*
fi
 
#get stats.php from ACC
wget -q -nv --user $tmp_account --password $password https://alcasar/acc/manager/htdocs/stats.php -O $TMP_STATS --no-check-certificate
 
#clean this file to include it in html report.
DELIM_1="<td colspan=10 height=20><img src=\"images\/pixel.gif\"><\/td>"
DELIM_2="<\/td><\/tr> <\/table> <\/td><\/tr> <\/table> <\/td><\/tr> <\/table> <p>"
cat $TMP_STATS | sed -n "/$DELIM_1/,/$DELIM_2/p" | tail -n+3 | head -n-2 >> $TMP_STATS_2
cat $TMP_STATS_2 | sed -e 's:images/pixel.gif:../../manager/htdocs/images/pixel.gif:g' >> $HTML_REPORT
 
#we delete our user if he still exists
if [ "$(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l)" -ge 1 ]
then
$SED "/^$tmp_account:/d" $DIR_KEY/key_only_manager
$SED "/^$tmp_account:/d" $DIR_KEY/key_manager
$SED "/^$tmp_account:/d" $DIR_KEY/key_all
fi
 
 
###################### ALCASAR : LOG ACCESS ######################
echo "Get ACC log access of the week"
 
ROWS=""
while read -r access ; do
access_datas=(${access//|/ })
 
accces_date_intl=$(echo "${access_datas[0]} ${access_datas[1]}" | sed -E 's@^([0-9]{2})+/+([0-9]{2})+/+([0-9]{4})+@\3-\2-\1@') # Convert date format DD/MM/YYYY to YYYY-MM-DD
access_date=$(date -d "$accces_date_intl" +%s)
access_user=${access_datas[2]}
access_ip=${access_datas[3]}
access_agent=$(echo "$access" | cut -d'|' -f4)
if [ $access_date -lt $SECS_AGO ]; then
break
fi
 
access_date_formatted=$(date -d @$access_date +"%x %X")
 
ROWS="$ROWS<tr><td>$access_date_formatted</td><td>$access_user</td><td>$access_ip</td><td>$access_agent</td></tr>"
done < <(cat /var/Save/security/acc_access.log | sort -r)
# TODO: Read archives if necessary
 
if [ -z "$ROWS" ]; then
ROWS="<tr><td colspan=\"4\" style=\"text-align: center;\">Aucune connexion</td></tr>"
fi
 
# Create HTML document
echo "<h2>Connexion à l'ALCASAR Control Center (ACC)</h2>" >> $HTML_REPORT
echo "<table class=\"table table-striped\">" >> $HTML_REPORT
echo "<thead><tr><th>Date</th><th>Utilisateur</th><th>Adresse IP</th><th>Agent</th></tr></thead><tbody>" >> $HTML_REPORT
echo "$ROWS" >> $HTML_REPORT
echo "</tbody></table>" >> $HTML_REPORT
 
 
###################### ALCASAR : GLOBAL TRAFFIC ######################
echo "Get Global traffic of the last 30 days"
 
ROWS=""
EXTIF=$(grep ^EXTIF= $CONF_FILE | cut -d'=' -f2)
for day in $(vnstat --exportdb -i $EXTIF | grep '^d;' | sort -t";" -k3 -r); do
day_datas=(${day//;/ })
day_date=${day_datas[2]}
day_rxMio=${day_datas[3]}
day_txMio=${day_datas[4]}
day_rxKio=${day_datas[5]}
day_txKio=${day_datas[6]}
day_act=${day_datas[7]}
 
if [ $day_act -ne 1 ]; then
continue
fi
 
if [ $day_date -lt $SECS_AGO ]; then
break
fi
 
day_date_formatted=$(date -d @$day_date +%x)
day_rx=$(($day_rxMio * 1048576 + $day_rxKio * 1024))
day_tx=$(($day_txMio * 1048576 + $day_txKio * 1024))
day_total=$(($day_rx + $day_tx))
day_rx_formatted=$(numfmt --from=iec --to=iec --suffix=B $day_rx)
day_tx_formatted=$(numfmt --from=iec --to=iec --suffix=B $day_tx)
day_total_formatted=$(numfmt --from=iec --to=iec --suffix=B $day_total)
 
ROWS="$ROWS<tr><td>$day_date_formatted</td><td>$day_rx_formatted</td><td>$day_tx_formatted</td><td>$day_total_formatted</td></tr>"
done
 
if [ -z "$ROWS" ]; then
ROWS="<tr><td colspan=\"4\" style=\"text-align: center;\">Aucun jour capturé</td></tr>"
fi
 
# Create html document
echo "<h2>Trafic global</h2>" >> $HTML_REPORT
echo "<table class=\"table table-striped\">" >> $HTML_REPORT
echo "<thead><tr><th>Date</th><th>Entrant</th><th>Sortant</th><th>Total</th></tr></thead><tbody>" >> $HTML_REPORT
echo "$ROWS" >> $HTML_REPORT
echo "</tbody></table>" >> $HTML_REPORT
 
 
###################### ALCASAR : FAIL2BAN ######################
echo "Get fail2ban log of the week"
 
ROWS=""
dateDaysAgo_formatted=$(date --date="$MAX_DAY_AGO days ago" +'%Y-%m-%d %H:%M:%S,%N' | rev | cut -c 7- | rev)
while read -r log ; do
log_datas=($log)
log_date="${log_datas[0]} ${log_datas[1]}"
log_type=${log_datas[4]:1:-1}
log_ip=${log_datas[6]}
log_date_formatted=$(date -d "$log_date" +"%x %X")
 
ROWS="$ROWS<tr><td>$log_date_formatted</td><td>$log_ip</td><td>$log_type</td></tr>"
done < <(grep " Ban " /var/log/fail2ban.log | sort -r | awk -v dateDaysAgo="$dateDaysAgo_formatted" '($1 " " $2) >= dateDaysAgo')
 
if [ -z "$ROWS" ]; then
ROWS="<tr><td colspan=\"3\" style=\"text-align: center;\">Aucune adresse IP bloquée</td></tr>"
fi
 
# Create html document
echo "<h2>Adresse(s) IP bloquée(s) (Fail2Ban)</h2>" >> $HTML_REPORT
echo "<table class=\"table table-striped\">" >> $HTML_REPORT
echo "<thead><tr><th>Date</th><th>Adresse IP</th><th>Règle</th></tr></thead><tbody>" >> $HTML_REPORT
echo $ROWS >> $HTML_REPORT
echo "</tbody></table>" >> $HTML_REPORT
 
 
######################FIN HTML######################
 
#Execute our javascript function to print charts
echo "<script>window.onload = function() {" >> $HTML_REPORT
#BL SINCE INSTALLATION
if [ $ENABLE_BL -eq "1" ]
then
echo "var ctx_$NAME_BL_INSTALLATION = document.getElementById('$NAME_BL_INSTALLATION').getContext('2d');" >> $HTML_REPORT
echo "var $NAME_BL_INSTALLATION = new Chart(ctx_$NAME_BL_INSTALLATION, $CONF_BL_INSTALLATION);" >> $HTML_REPORT
fi
#BL WEEK
if [ $ENABLE_BL_WEEK -eq "1" ]
then
echo "var ctx_$NAME_BL = document.getElementById('$NAME_BL').getContext('2d');" >> $HTML_REPORT
echo "var $NAME_BL = new Chart(ctx_$NAME_BL, $CONF_BL);" >> $HTML_REPORT
fi
#VIRUS THREAT
if [ $ENABLE_AV -eq "1" ]
then
echo "var ctx_$NAME_AV = document.getElementById('$NAME_AV').getContext('2d');" >> $HTML_REPORT
echo "var $NAME_AV = new Chart(ctx_$NAME_AV, $CONF_AV);" >> $HTML_REPORT
fi
echo "};</script>" >> $HTML_REPORT
echo "</body>" >> $HTML_REPORT
echo "</html>" >> $HTML_REPORT
 
#convert html document to PDF
/usr/bin/wkhtmltopdf $HTML_REPORT "$(echo $HTML_REPORT | cut -d'.' -f1).pdf"
chown apache:apache "$(echo $HTML_REPORT | cut -d'.' -f1).pdf"
chmod 644 "$(echo $HTML_REPORT | cut -d'.' -f1).pdf"
mv "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" /var/Save/activity_report/
 
#compress every logs, if they exist
if [ "$(ls -1 /var/log/clamav/clamd.log.* 2>/dev/null | wc -l)" -ge 1 ]
then
gzip /var/log/clamav/clamd.log.*
fi
 
#compress every logs
if [ "$(ls -1 /var/log/unbound/unbound-blacklist.log.* 2>/dev/null | wc -l)" -ge 1 ]
then
gzip /var/log/unbound/unbound-blacklist.log.*
fi
 
#remove our files
rm -f $TMP_BL
rm -f $TMP_BL_WEEK
rm -f $TMP_BL_WEEK_CAT
rm -f $TMP_STATS
rm -f $TMP_STATS_2
rm -f $HTML_REPORT
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
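--- a/scripts/alcasar-dns-local.sh
+++ b/scripts/alcasar-dns-local.sh
@@ -0,0 +1,141 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-dns-local.sh
+# by Rexy - 3abtux
+# This script is distributed under the Gnu General Public License (GPL)
+
+# active ou desactive la redirection du service DNS sur le réseau de consultation
+# enable or disable the redirector of internal DNS service on consultation LAN
+
+SED="/bin/sed -i"
+
+ALCASAR_CONF_FILE="/usr/local/etc/alcasar.conf"
+LOCAL_DOMAIN_CONF_FILE="/etc/unbound/conf.d/common/local-forward/dns-redirector.conf"
+LOCAL_HOSTNAME_FILE="/etc/hosts"
+
+# define DNS parameters (LAN side)
+INT_DNS_DOMAIN=`grep ^DOMAIN $ALCASAR_CONF_FILE|cut -d"=" -f2`
+INT_DNS_HOST=`grep ^HOSTNAME $ALCASAR_CONF_FILE|cut -d"=" -f2`
+INT_DNS_IP_MASK=`grep ^PRIVATE_IP $ALCASAR_CONF_FILE|cut -d"=" -f2`
+INT_DNS_IP=`grep ^PRIVATE_IP $ALCASAR_CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
+INTIF=`grep ^INTIF $ALCASAR_CONF_FILE|cut -d"=" -f2`
+INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $ALCASAR_CONF_FILE|cut -d"=" -f2`
+LOCAL_DNS_FILE="/etc/unbound/conf.d/common/local-dns/$INTIF.conf"
+
+usage="Usage: alcasar-dns-local.sh {--on | -on} | {--off | -off} | {--add | -add} ip domain | {--del | -del} ip domain | {--reload | -reload}"
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+echo "$usage"
+exit 1
+fi
+
+function restart_dns(){
+for dns in unbound unbound-blacklist unbound-whitelist unbound-blackhole
+do
+echo "Restarting $dns. Please wait..."
+systemctl restart $dns
+done
+}
+
+function hosts_to_unbound(){ # configure the unbound conf file with local host names resolution
+cat << EOF > $LOCAL_DNS_FILE
+server:
+local-data: "$INT_DNS_HOST.$INT_DNS_DOMAIN IN A $INT_DNS_IP"
+local-data-ptr: "$INT_DNS_IP $INT_DNS_HOST.$INT_DNS_DOMAIN"
+EOF
+while read -r line
+do
+ip_address=$(echo $line | awk '{ print $1 }')
+domain=$(echo $line | awk '{ print $2 }')
+if ! echo $line | grep -E -q "^([0-9\.\t ]+alcasar( |$)|127\.0\.0)"
+then
+echo -e "\tlocal-data: \"$domain.$INT_DNS_DOMAIN IN A $ip_address\"" >> $LOCAL_DNS_FILE
+echo -e "\tlocal-data-ptr: \"$ip_address $domain.$INT_DNS_DOMAIN\"" >> $LOCAL_DNS_FILE
+fi
+done < $LOCAL_HOSTNAME_FILE
+if [ $INT_DNS_DOMAIN == "localdomain" ]
+then
+echo -e "\tlocal-zone: \"$INT_DNS_DOMAIN\" static" >> $LOCAL_DNS_FILE # Don't forward this local zone
+fi
+}
+
+case $args in
+-\? | -h | --h)
+echo "$usage"
+exit 0
+;;
+--add|-add) # add a local host resolution
+if [ $nb_args -ne 3 ]
+then
+echo "$usage"
+exit 1
+else
+# removing if already exists
+$SED "/^$2[ \t]*$3/d" $LOCAL_HOSTNAME_FILE
+# adding to the hosts file
+echo -e "$2\t$3" >> $LOCAL_HOSTNAME_FILE
+hosts_to_unbound
+restart_dns
+fi
+;;
+--del|-del) # remove a local host resolution
+if [ $nb_args -ne 3 ]
+then
+echo "$usage"
+exit 1
+else
+$SED "/^$2[ \t]*$3/d" $LOCAL_HOSTNAME_FILE
+hosts_to_unbound
+restart_dns
+fi
+;;
+--reload|-reload)
+hosts_to_unbound
+restart_dns
+;;
+--hosts_to_unbound|-hosts_to_unbound)
+hosts_to_unbound
+;;
+--off|-off) # disable DNS redirector
+rm -f $LOCAL_DOMAIN_CONF_FILE
+$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=off?g" $ALCASAR_CONF_FILE
+restart_dns
+/usr/local/bin/alcasar-iptables.sh
+;;
+--off-without-restart|-off-without-restart) # disable DNS redirector
+rm -f $LOCAL_DOMAIN_CONF_FILE
+$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=off?g" $ALCASAR_CONF_FILE
+/usr/local/bin/alcasar-iptables.sh
+;;
+--on|-on) # enable DNS redirector
+cat > $LOCAL_DOMAIN_CONF_FILE << EOF
+server:
+local-zone: "$INT_DNS_DOMAIN." transparent
+forward-zone:
+name: "$INT_DNS_DOMAIN."
+forward-addr: $INT_DNS_IP
+EOF
+$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=on?g" $ALCASAR_CONF_FILE
+restart_dns
+/usr/local/bin/alcasar-iptables.sh
+;;
+--on-without-restart|-on-without-restart) # enable DNS redirector
+cat > $LOCAL_DOMAIN_CONF_FILE << EOF
+server:
+local-zone: "$INT_DNS_DOMAIN." transparent
+forward-zone:
+name: "$INT_DNS_DOMAIN."
+forward-addr: $INT_DNS_IP
+EOF
+$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=on?g" $ALCASAR_CONF_FILE
+/usr/local/bin/alcasar-iptables.sh
+;;
+*)
+echo "Argument inconnu : $1";
+echo "$usage"
+exit 1
+;;
+esac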
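Review bot: The `--add`/`--del` arms interpolate the caller-supplied `$2` (ip) and `$3` (domain) straight into a sed address (`$SED "/^$2[ \t]*$3/d" $LOCAL_HOSTNAME_FILE`) and then into /etc/hosts and the unbound local-data file that hosts_to_unbound writes, with no check that they are an address and a host name. A value containing `/` or other regex metacharacters can make the delete match unrelated /etc/hosts lines or break the sed expression, and an arbitrary value ends up inside a `local-data:` directive. Validating both arguments before either arm uses them, e.g. `[[ "$2" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "$usage"; exit 1; }` and `[[ "$3" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$ ]] || { echo "$usage"; exit 1; }`, closes this for both; whether the ACC front end already filters these values is not visible here. The unquoted test `[ $INT_DNS_DOMAIN == "localdomain" ]` in hosts_to_unbound also fails with a syntax error if DOMAIN is empty in alcasar.conf, so `[[ "$INT_DNS_DOMAIN" == "localdomain" ]]` is the safer form.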
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
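--- a/scripts/alcasar-sms.sh
+++ b/scripts/alcasar-sms.sh
@@ -0,0 +1,498 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-sms.sh
+# by Nicolas Aubry & Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# This script manages the 'gammu-smsd' service when a GSM adapter is detected
+# Ce script gère le service 'gammu-smsd' quand un adaptateur GSM est détecté
+
+CONF_FILE='/usr/local/etc/alcasar.conf'
+
+####### VARIABLES ########
+nb_essais=3
+time_account=1
+time_ban=2
+####### IDs DB ##########################
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+u_db=$(grep '^db_user=' $PASSWD_FILE | cut -d'=' -f2-)
+p_db=$(grep '^db_password=' $PASSWD_FILE | cut -d'=' -f2-)
+#########################################
+
+rad="radcheck"
+radgp="radusergroup"
+radgpck="radgroupcheck"
+radinf="userinfo"
+sms_p="SMS_ban_perm"
+sms_t="SMS_ban_temp"
+inb="inbox"
+SMS_c="SMS_country"
+config="/etc/gammu_smsd_conf"
+config2="/etc/gammurc"
+logfile="/var/log/gammu-smsd/gammu-smsd.log"
+script="/usr/local/bin/alcasar-sms.sh"
+separator="########## START ##########"
+end="%%%%%%%%%% STOP %%%%%%%%%%"
+
+usage="Usage: alcasar-gammu.sh
+Start Gammu-smsd : --start
+Stop Gammu-smsd : --stop
+Process on new sms : --new_sms"
+
+nb_args=$#
+args=$1
+
+# Functions
+function mode_huawei() {
+couple=$(lsusb | grep -i huawei | cut -d ' ' -f6)
+vendor=$(echo $couple | cut -d ':' -f1)
+product=$(echo $couple | cut -d ':' -f2)
+echo "******** Modeswitch *************" >> $logfile
+echo $vendor >> $logfile
+echo $product >> $logfile
+/usr/sbin/usb_modeswitch -I -H -v 0x$vendor -p 0x$product -V 0x$vendor -P 0x$product -W -n >> $logfile
+} # end function mode_huawei
+
+function start_gammu() {
+# Truncate phones table (informations signal/IMEI/battery/sent et reveived sms)
+mysql --user=$u_db --password=$p_db --database=gammu -Bs -e 'TRUNCATE phones;'
+# Verify the sms group is created
+if [ $(mysql --user=$u_db --password=$p_db --database=radius -Bs -e "SELECT COUNT(*) FROM $radgp WHERE username='sms' AND groupname='sms';") -eq 0 ]; then
+sql_add_gp="INSERT INTO $radgp (username,groupname) VALUES ('sms','sms'); INSERT INTO $radgpck (groupname,attribute,op,value) VALUES ('sms','Simultaneous-Use',':=',1);"
+mysql --user=$u_db --password=$p_db --database=radius -Bs -e "$sql_add_gp"
+fi
+# Start gammu
+echo $separator >> $logfile
+/usr/bin/systemctl -q start gammu-smsd.service
+/usr/bin/systemctl -q enable gammu-smsd.service
+} # end function start_gammu
+
+function stop_gammu() {
+/usr/bin/systemctl -q stop gammu-smsd.service
+/usr/bin/systemctl -q disable gammu-smsd.service
+echo $end >> $logfile
+} # end function stop_gammu
+
+function unlock() {
+# Remove phone number in SMS_ban_perm table
+sql_remove_ban_perm="connect gammu; DELETE FROM $sms_p"
+mysql --user=$u_db --password=$p_db -B -se "$sql_remove_ban_perm WHERE SenderNumber=$1;"
+# Add sms group
+sql_remove_gp="connect radius; DELETE FROM $radgp WHERE username='$1';"
+mysql --user=$u_db --password=$p_db -B -se "$sql_remove_gp"
+# Remove account in Radcheck table
+sql_remove_compte="connect radius; DELETE FROM $rad WHERE username='$1';"
+mysql --user=$u_db --password=$p_db -B -se "$sql_remove_compte"
+} # end function unlock
+
+function change_country() {
+sql_status_country="connect gammu; SELECT status FROM SMS_country WHERE name='$1'"
+stat=$(mysql --user=$u_db --password=$p_db -B -se "$sql_status_country")
+if [ $stat -eq 0 ]
+then
+sql_change_country="connect gammu; UPDATE $SMS_c SET status=1 WHERE name='$1'"
+mysql --user=$u_db --password=$p_db -B -se "$sql_change_country"
+else
+sql_change_country="connect gammu; UPDATE $SMS_c SET status=0 WHERE name='$1'"
+mysql --user=$u_db --password=$p_db -B -se "$sql_change_country"
+fi
+} # end change_country
+
+function supp_acc_rad() {
+# Remove account in Radcheck table
+sql_del_compte="connect radius; DELETE FROM $rad WHERE username='$1';"
+mysql --user=$u_db --password=$p_db -B -se "$sql_del_compte"
+} # end function supp_acc_rad()
+
+function add_acc_rad() {
+# Add accoubt in RadCheck table
+sql_add_pass="connect radius; INSERT INTO $rad (username,attribute,op,value) VALUES ('$1','Crypt-Password',':=','$2');"
+sql_add_expe="connect radius; INSERT INTO $rad (username,attribute,op,value) VALUES ('$1','Expiration',':=','$3');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_pass"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_expe"
+# Add this account to sms group
+sql_add_gp="connect radius; INSERT INTO $radgp (username,groupname) VALUES ('$1','sms');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_gp"
+} # end function add_acc_rad()
+
+function supp_num_temp() {
+# Remove phone number in SMS_ban_temp table
+sql_remove_ban_temp="connect gammu; DELETE FROM $sms_t"
+mysql --user=$u_db --password=$p_db -B -se "$sql_remove_ban_temp WHERE SenderNumber=$1;"
+} # end function supp_num_temp()
+
+function add_num_perm() {
+# Add phone number in SMS_ban_perm table
+sql_add_ban_perm="connect gammu; INSERT INTO $sms_p (SenderNumber,Perm,Expiration) VALUES ('$1',0,'$2');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_ban_perm"
+} # end function add_num_perm()
+
+function supp_num_perm() {
+# Remove phone number in SMS_ban_perm table
+sql_remove_ban_perm="connect gammu; DELETE FROM $sms_p"
+mysql --user=$u_db --password=$p_db -B -se "$sql_remove_ban_perm WHERE SenderNumber=$1;"
+} # end function add_num_perm()
+
+function new_sms() {
+# Check Inbox table, manage Ban temp and perm, create account
+export salt='$5$passwd$'
+sql_select_inbox="connect gammu; SELECT ID, SenderNumber, TextDecoded FROM $inb;"
+sql_delete_inbox="connect gammu; DELETE FROM $inb"
+mysql --user=$u_db --password=$p_db -B -se "$sql_select_inbox" | while read result;
+do
+# Retrieve the number of words (result)
+nb=$(echo $result | wc -w)
+# Retrive the ID
+id=$(echo $result | cut -d ' ' -f1)
+numero=$(echo $result | cut -d ' ' -f2)
+if [[ $numero =~ ^\+ ]]
+then
+# Check if country is blocked
+sql_select_countries="connect gammu; SELECT id FROM $SMS_c WHERE status=1"
+mysql --user=$u_db --password=$p_db -B -se "$sql_select_countries" | while read result_c;
+do
+if [[ $numero =~ ^"$result_c" ]]
+then
+numero=$(echo $numero | cut -d '+' -f2)
+# Check if GSM number is nabbed
+sql_ban_perm="connect gammu; SELECT * FROM $sms_p WHERE SenderNumber=$numero"
+result_bp=$(mysql --user=$u_db --password=$p_db -B -se "$sql_ban_perm")
+if test -z "$result_bp"
+then
+# Test the number of word (result)
+if [ $nb -eq 2 ] # if only 2 words : lack of password
+then
+# Add "1" in bans_temp table // NO PASSWORD
+sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp"
+elif [ $nb -eq 3 ] # if 3 words (id + password + phone numbere)
+then
+export pass=$(echo $result | cut -d ' ' -f3)
+pass_salt=$(perl -e'print crypt($ARGV[0],$ARGV[1])' $pass $salt)
+export LC_TIME="en_US.UTF-8"
+expir=$(date '+%d %B %Y' -d "$time_account days")
+supp_acc_rad "$numero"
+add_acc_rad "$numero" "$pass_salt" "$expir"
+supp_num_temp "$numero"
+add_num_perm "$numero" "$expir"
+else # more then 3 words --> Add "1" in ban_temp table
+sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp"
+fi
+# manage ban perm
+sql_select_temp="connect gammu; SELECT ID FROM $sms_t WHERE SenderNumber='$numero'"
+r_select_temp=$(mysql --user=$u_db --password=$p_db -B -se "$sql_select_temp")
+nb_ban_t=$(echo $r_select_temp| wc -w)
+if [ $nb_ban_t -ge $nb_essais ]
+then
+supp_num_temp "$numero"
+export LC_TIME="en_US.UTF-8"
+expir_f=$(date '+%d %B %Y' -d "$time_ban days")
+# Add "1" in SMS_ban_perm table : flood
+sql_add_ban_perm="connect gammu; INSERT INTO $sms_p (SenderNumber,Perm,Expiration) VALUES ('$numero',1,'$expir_f');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_ban_perm"
+fi
+else
+date_expiration=$(echo $result_bp | cut -d ' ' -f2,3,4)
+perm=$(echo $result_bp | cut -d ' ' -f5)
+export LC_TIME="en_US.UTF-8"
+date_script=$(date '+%d %B %Y' -d "now")
+# convert in seconds in order to be able to compare
+d_exp=$(date --date "$date_expiration" +%s)
+d_scr=$(date --date "$date_script" +%s)
+if test $d_scr -ge $d_exp # Si le ban à expiré
+then
+# Test the number of words (result)
+if [ $nb -eq 2 ] # Si 2 mots : le mot de passe est manquant
+then
+# Add "1" in ban temp table
+sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp"
+elif [ $nb -eq 3 ] # Si 3 mots : id + mot de passe + numero
+then
+date_expiration=$(echo $result_bp | cut -d ' ' -f2,3,4)
+perm=$(echo $result_bp | cut -d ' ' -f5)
+date_script=$(date '+%d %B %Y' -d "now")
+# convert in seconds in order to be able to compare
+d_exp=$(date --date "$date_expiration" +%s)
+d_scr=$(date --date "$date_script" +%s)
+export pass=$(echo $result | cut -d ' ' -f3)
+pass_salt=$(perl -e'print crypt($ARGV[0],$ARGV[1])' $pass $salt)
+export LC_TIME="en_US.UTF-8"
+expir=$(date '+%d %B %Y' -d "$time_account days")
+supp_acc_rad "$numero"
+add_acc_rad "$numero" "$pass_salt" "$expir"
+supp_num_temp "$numero"
+supp_num_perm "$numero"
+add_num_perm "$numero" "$expir"
+else
+# number of words to big (> 3)
+# Add "1" in bans temp table
+sql_add_temp="connect gammu; INSERT INTO $sms_t(SenderNumber) VALUES ('$numero');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_temp"
+echo "Mot de passe incorrect, ajout du numero en ban temporaire"
+fi
+# manage bans_temp & ban_perm
+sql_select_temp="connect gammu; SELECT ID FROM $sms_t WHERE SenderNumber='$numero'"
+r_select_temp=$(mysql --user=$u_db --password=$p_db -B -se "$sql_select_temp")
+nb_ban_t=$(echo $r_select_temp| wc -w)
+if [ $nb_ban_t -ge $nb_essais ]
+then
+supp_num_perm "$numero"
+supp_num_temp "$numero"
+export LC_TIME="en_US.UTF-8"
+expir_f=$(date '+%d %B %Y' -d "$time_ban days")
+# Add phne number in ban_perm : flood
+sql_add_ban_perm="connect gammu; INSERT INTO $sms_p (SenderNumber,Perm,Expiration) VALUES ('$numero',1,'$expir_f');"
+mysql --user=$u_db --password=$p_db -B -se "$sql_add_ban_perm"
+fi
+else
+echo "Le ban de $numero est encore valide"
+fi
+break
+fi
+#else
+#echo "Pays bloqué"
+fi
+done
+else
+echo "Numero non autorisé (ex: 36665)"
+fi
+# On supprime la ligne d'ID=$id dans inbox
+mysql --user=$u_db --password=$p_db -B -e "$sql_delete_inbox WHERE ID=$id;"
+done
+} # end function new_sms
+
+
+# CORE
+case $args in
+-h | --help)
+echo "$usage"
+exit 0
+;;
+--start)
+failed="0"
+comports=`ls -l /dev/ttyUSB* 2>/dev/null | wc -l`
+if [ $comports == "0" ]
+then
+echo "No GSM modem found."
+failed="1"
+fi
+if [ -z "$(grep '^SMS_NUM=' $CONF_FILE | cut -d'=' -f2-)" ]; then
+echo 'The phone number is not set.'
+failed="1"
+fi
+if [ $failed == "1" ]
+then
+sed -i "s/^SMS=.*/SMS=off/" $CONF_FILE
+exit 0
+fi
+gammu_pid=`/usr/bin/pidof gammu-smsd|wc -l`
+if [ $gammu_pid != "0" ]
+then
+echo "Gammu is already started"
+else
+start_gammu
+sleep 1
+is_active=`systemctl is-active gammu-smsd`
+if [ $is_active == "active" ]
+then
+sed -i "s/^SMS=.*/SMS=on/" $CONF_FILE
+else
+sed -i "s/^SMS=.*/SMS=off/" $CONF_FILE
+fi
+fi
+exit 0
+;;
+--stop)
+gammu_pid=`/usr/bin/pidof gammu-smsd|wc -l`
+if [ $gammu_pid != "0" ]
+then
+stop_gammu
+else
+echo "Gammu is already stopped"
+fi
+sed -i "s/^SMS=.*/SMS=off/" $CONF_FILE
+exit 0
+;;
+--pidof)
+/usr/bin/pidof gammu-smsd
+;;
+--last_nosim)
+# Récupère la dernière ligne où NOSIM est présent (error)
+cat $logfile | grep -n "NOSIM" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_start)
+# Récupère la dernière ligne où ########## est présent (séparateur)
+cat $logfile | grep -n "##########" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_stop)
+# Récupère la dernière ligne où %%%%%%%%%% est présent (séparateur)
+cat $logfile | grep -n "%%%%%%%%%%" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_writeerror)
+#Récupère la dernière ligne où DEVICEWRITEERROR est présent (error)
+cat $logfile | grep -n "DEVICEWRITEERROR" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_timeout)
+# Récupère la dernière ligne où TIMEOUT est présent (error)
+cat $logfile | grep -n "TIMEOUT" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_secu)
+# Récupère la dernière ligne où SECURITYERROR est présent (error)
+cat $logfile | grep -n "SECURITYERROR" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+--last_puk)
+# Récupère la dernière ligne où PUK est présent (error)
+cat $logfile | grep -n "UNKNOWN" | cut -d ':' -f1 | tail -n 1
+exit 0
+;;
+#--log)
+# # Récupère le nom du fichier de log
+# cat $config | grep logfile | cut -d ' ' -f3
+# exit 0
+# ;;
+--connect)
+# display the com port speed
+cat $config | grep connection | cut -d ' ' -f3
+exit 0
+;;
+--replace_port)
+# modify the com port
+echo $2
+sed -i "s?^port = .*?port = $2?g" $config
+sed -i "0,/^device =/ s?device =.*?device = $2?" $config2
+exit 0
+;;
+--replace_speed)
+# modufy the com port speed
+sed -i "s/^connection = at.*/connection = at$2/g" $config
+sed -i "0,/^connection =/ s/connection =.*/connection = $2/" $config2
+exit 0
+;;
+--pin)
+# Récupère le code PIN (file de conf)
+cat $config | grep PIN | cut -d ' ' -f3
+exit 0
+;;
+--replace_pin)
+# Edition du code PIN
+sed -i "s/^PIN =.*/PIN = $2/g" $config
+exit 0
+;;
+--try_ban)
+# Récupère le nombre d'essais avant le ban perm
+grep nb_essais= $script | head -n 1 | cut -d '=' -f2
+exit 0
+;;
+--replace_try_ban)
+# Edition le nombre d'essais avant le ban perm
+sed -i "s/^nb_essais=.*/nb_essais=$2/g" $script
+exit 0
+;;
+--time_account)
+# Récupère la durée en jours de la session créée
+grep time_account= $script | head -n 1 | cut -d '=' -f2
+exit 0
+;;
+--replace_time_account)
+# Edition de la durée de la session créée
+sed -i "s/^time_account=.*/time_account=$2/g" $script
+exit 0
+;;
+--time_perm)
+# Récupère la durée un jours d'un ban perm (après flood par exemple)
+grep time_ban= $script | head -n 1 | cut -d '=' -f2
+exit 0
+;;
+--replace_time_perm)
+# Edition de la durée d'un ban perm
+sed -i "s/^time_ban=.*/time_ban=$2/g" $script
+exit 0
+;;
+--unlock_num)
+# Appel de la fonction unlock : deban un numero $2
+unlock "$2"
+exit 0
+;;
+--change_country)
+# Permet de changer l'état de blocage d'un pays
+a=""
+for i in "$@"
+do
+a=$(echo "$a $i")
+done
+a=$(echo $a | cut -d ' ' -f2-$#)
+change_country "$a"
+exit
+;;
+--change_country_ena_all)
+# Active l'ensemble des pays
+sql_change_country="connect gammu; UPDATE $SMS_c SET status=1"
+mysql --user=$u_db --password=$p_db -B -se "$sql_change_country"
+exit
+;;
+--change_country_dis_all)
+# Desactive l'ensemble des pays
+sql_change_country="connect gammu; UPDATE $SMS_c SET status=0"
+mysql --user=$u_db --password=$p_db -B -se "$sql_change_country"
+exit
+;;
+--change_country_filter)
+# Change la valeur du filtrage (FR, UE, all, perso)
+sql_change_country="connect gammu; UPDATE $SMS_c SET id='$2' WHERE name='FILTRAGE'"
+mysql --user=$u_db --password=$p_db -B -se "$sql_change_country"
+break
+;;
+--new_sms)
+# Appel de la fonction new_sms : filtrage du password, creation du compte et ban
+new_sms
+exit 0
+;;
+--imei_device)
+# Recuperation de l'imei du device
+sql_imei_phones="connect gammu; SELECT \`IMEI\` FROM phones;"
+mysql --user=$u_db --password=$p_db -B -se "$sql_imei_phones"
+exit 0
+;;
+--signal_device)
+# Recuperation du signal du device
+sql_signal_phones="connect gammu; SELECT \`Signal\` FROM phones;"
+mysql --user=$u_db --password=$p_db -B -se "$sql_signal_phones"
+exit 0
+;;
+--sms_received)
+# Recuperation du nombre de sms reçu. Depuis la dernière activation.
+sql_sms_received="connect gammu; SELECT \`Received\` FROM phones;"
+mysql --user=$u_db --password=$p_db -B -se "$sql_sms_received"
+exit 0
+;;
+--numero_alcasar)
+# Récupère le numero de la clé 3g (téléphone)
+grep '^SMS_NUM=' $CONF_FILE | cut -d'=' -f2-
+exit 0
+;;
+--replace_numero_alcasar)
+# Edition du numero de la clé 3g (téléphone)
+sed -i "s/^SMS_NUM=.*/SMS_NUM=$2/" $CONF_FILE
+exit 0
+;;
+--mode)
+# Mode huawei
+mode_huawei
+exit 0
+;;
+*)
+# Default
+echo "$usage"
+exit 0
+;;
+esac
+exit 0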
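Review bot: In new_sms the sender number read from the inbox row is only checked for a leading `+` (`if [[ $numero =~ ^\+ ]]`) before being spliced unquoted into SQL — `WHERE SenderNumber=$numero` in the ban_perm lookup, and the `WHERE SenderNumber=$1;` clauses of unlock, supp_num_temp and supp_num_perm — even though it originates from the GSM network and is not under the operator's control. Tightening the guard to `if [[ $numero =~ ^\+[0-9]{6,15}$ ]]` makes every later interpolation digit-only, and the three helpers could quote the value (`WHERE SenderNumber='$1';`) to match the INSERT statements that already do. Separately, the `--change_country_filter` arm ends with `break` rather than `exit`, which is not inside a loop and only prints a bash warning, so control falls through to the trailing `exit 0` by accident. Passing `--password=$p_db` on every mysql command line also exposes the DB password to `ps` on the host; reading it through a `--defaults-extra-file` or the `MYSQL_PWD` environment variable keeps it out of the process list.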
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
/scripts/alcasar-mail-install.sh
0,0 → 1,202
#!/bin/bash
 
###########################################################################################
## ALCASAR MAIL SERVICE CONFIGURATION
##
## Script by K@M3L & T3RRY (LaPlateforme.io), joss_p & Rexy
## This script configure PostFix
## 0 : no email autoregistration
## 1 : PostFix is the SMTP server
## 2 : PostFix relay to an other SMTP server
## 3 : PostFix use an external email address (with Cyrus-SASL)
###########################################################################################
 
######################################################
## Email configuration examples (mode = 3)
## common parameters : smtp_use_tls = yes, smtp_tls_security_level = encrypt, smtp_sasl_auth_enable = yes
## common rules : 'myhostname' parameter should be the domain name of the sasl_email account
########## smtp.free.fr:465 (expose mechanisms : PLAIN LOGIN CRAM-MD5 DIGEST-MD5)
## smtp_sasl_security_option = noanonymous, relayhost = [smtp.free.fr]:465, smtp_tls_wrappermode = yes
########## smtp.free.fr:587 (expose mechanismes
## smtp_sasl_security_option = noanonymous, relayhost = [smtp.free.fr]:587, smtp_tls_wrappermode = no, smtputf8_enable = no
########## smtp.orange.fr:465 (expose mechanisms : LOGIN PLAIN)
## smtp_sasl_security_option = noanonymous, relayhost = [smtp.orange.fr]:465, smtp_tls_wrappermode = yes, smtputf8_enable = no
########## smtp.sfr.fr:465 (expose mechanisms : LOGIN PLAIN)
## smtp_sasl_security_option = noanonymous, relayhost = [smtp.sfr.fr]:465, smtp_tls_wrappermode = yes
########## smtp.laposte.net:465 (expose mechanisms : LOGIN PLAIN)
## smtp_sasl_security_option = noanonymous, relayhost = [laposte.net]:465, smtp_tls_wrappermode = yes
########## smtp.bbox.net:465 (expose mechanisms : LOGIN PLAIN)
## smtp_sasl_security_option = noanonymous, relayhost = [laposte.net]:465, smtp_tls_wrappermode = yes
########## smtp.gmail.com:587 (expose mechanisms : LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH)
## smtp_sasl_security_option = noanonymous, relayhost = [gmail.com]:587, smtp_tls_wrappermode = no
## In this case (gmail) the password must be an "application password" created via the gmail account manager (security tab)
 
# ****** Paths *******
SED="/bin/sed -i"
CONF_FILE="/usr/local/etc/alcasar.conf"
POSTFIX_CONF_FILE="/etc/postfix/main.cf"
LOCAL_IPTABLE_FILE="/usr/local/etc/alcasar-iptables-local.sh"
SASLPATH="/etc/postfix/sasl"
smtpIP="0.0.0.0/0"
hostName=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
domainName=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
usage="Usage: alcasar-mail_install.sh -h|-0|-1|-2|-3"
 
nb_args=$#
if [ $nb_args -eq 0 ]; then # apply alcasar.conf
mail=`grep ^MAIL= $CONF_FILE|cut -d"=" -f2`
if [ "$mail" = "off" ]; then
TYPE_MAIL=0
else
TYPE_MAIL=`grep ^MAIL_TYPE= $CONF_FILE|cut -d"=" -f2`
smtpPort=`grep ^MAIL_SMTP_PORT= $CONF_FILE|cut -d"=" -f2`
smtpIP=`grep ^MAIL_SMTP_IP= $CONF_FILE|cut -d"=" -f2`
mailAddr=`grep ^MAIL_ADDR= $CONF_FILE|cut -d"=" -f2`
[ -e ${SASLPATH}/sasl_passwd ] && mailMdp=`cat $SASLPATH/sasl_passwd|cut -d":" -f3`
adminMail=`grep ^MAIL_ADMIN= $CONF_FILE|cut -d"=" -f2`
whiteDomain=`grep ^MAIL_WHITEDOMAIN= $CONF_FILE|cut -d"=" -f2`
fi
else # apply args
if [ "$1" = "-h" ] || [ "$1" = "--h" ]; then
echo $usage
exit 0
fi
while getopts ":h:s:p:m:o:a:w:0123" option
do
case $option in
0)
TYPE_MAIL=0
;;
1)
TYPE_MAIL=1
;;
2)
TYPE_MAIL=2
;;
3)
TYPE_MAIL=3
;;
p)
smtpPort=$OPTARG
;;
s)
smtpIP=$OPTARG
;;
m)
mailAddr=$OPTARG
;;
o)
mailMdp=$OPTARG
;;
a)
adminMail=$OPTARG
;;
w)
whiteDomain=$OPTARG
;;
:)
echo "L'option $OPTARG requiert un argument"
exit 1
;;
\?)
echo "$OPTARG : option invalide"
exit 1
;;
esac
done
fi
if [[ $TYPE_MAIL -eq 0 ]]; then # disable mail service
$SED "s/^MAIL=.*/MAIL=off/" $CONF_FILE
$SED "s/^MAIL_TYPE=.*/MAIL_TYPE=/" $CONF_FILE
$SED "s/^MAIL_SMTP_IP=.*/MAIL_SMTP_IP=/" $CONF_FILE
$SED "s/^MAIL_SMTP_PORT=.*/MAIL_SMTP_PORT=/" $CONF_FILE
$SED "s/^MAIL_ADDR=.*/MAIL_ADDR=/" $CONF_FILE
$SED "s/^MAIL_WHITEDOMAIN=.*/MAIL_WHITEDOMAIN=/" $CONF_FILE
$SED "s/^MAIL_ADMIN=.*/MAIL_ADMIN=/" $CONF_FILE
$SED "/^SMTP_IP=/ s/^/#/" $LOCAL_IPTABLE_FILE
$SED "/^SMTP_PORT=/ s/^/#/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/#\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -d \$SMTP_IP -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/#\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -s \$SMTP_IP -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^relayhost =.*/relayhost =/" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_security_level =.*/smtp_tls_security_level = may/g" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_wrappermode =.*/smtp_tls_wrappermode = no/g" $POSTFIX_CONF_FILE
$SED "s/^myhostname =.*/myhostname = $hostName.$domainName/g" $POSTFIX_CONF_FILE
[ -e ${SASLPATH}/sasl_passwd ] && rm -f ${SASLPATH}/*
elif [[ $TYPE_MAIL -eq 1 ]]; then # Enable mail service (act as smtp server)
$SED "s/^MAIL=.*/MAIL=on/" $CONF_FILE
$SED "s/^MAIL_TYPE=.*/MAIL_TYPE=1/" $CONF_FILE
$SED "s/^MAIL_SMTP_IP=.*/MAIL_SMTP_IP=/" $CONF_FILE
$SED "s/^MAIL_SMTP_PORT=.*/MAIL_SMTP_PORT=$smtpPort/" $CONF_FILE
$SED "s/^MAIL_ADDR=.*/MAIL_ADDR=/" $CONF_FILE
$SED "s/^MAIL_WHITEDOMAIN=.*/MAIL_WHITEDOMAIN=$whiteDomain/" $CONF_FILE
$SED "s/^MAIL_ADMIN=.*/MAIL_ADMIN=$adminMail/" $CONF_FILE
$SED "/^SMTP_IP=/ s/^/#/" $LOCAL_IPTABLE_FILE
$SED "s/^SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^relayhost =.*/relayhost =/" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_security_level =.*/smtp_tls_security_level = may/g" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_wrappermode =.*/smtp_tls_wrappermode = no/g" $POSTFIX_CONF_FILE
$SED "s/^myhostname =.*/myhostname = $hostName.$domainName/g" $POSTFIX_CONF_FILE
[ -e ${SASLPATH}/sasl_passwd ] && rm -f ${SASLPATH}/*
elif [[ $TYPE_MAIL -eq 2 ]]; then # Enable mail service (relaying to an extern mail server)
$SED "s/^MAIL=.*/MAIL=on/" $CONF_FILE
$SED "s/^MAIL_TYPE=.*/MAIL_TYPE=2/" $CONF_FILE
$SED "s/^MAIL_SMTP_IP=.*/MAIL_SMTP_IP=$smtpIP/" $CONF_FILE
$SED "s/^MAIL_SMTP_PORT=.*/MAIL_SMTP_PORT=$smtpPort/" $CONF_FILE
$SED "s/^MAIL_ADDR=.*/MAIL_ADDR=/" $CONF_FILE
$SED "s/^MAIL_WHITEDOMAIN=.*/MAIL_WHITEDOMAIN=$whiteDomain/" $CONF_FILE
$SED "s/^MAIL_ADMIN=.*/MAIL_ADMIN=$adminMail/" $CONF_FILE
$SED "s/^SMTP_IP=.*/SMTP_IP=$smtpIP/" $LOCAL_IPTABLE_FILE
$SED "s/^SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -d \$SMTP_IP -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -s \$SMTP_IP -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#SMTP_IP=.*/SMTP_IP=$smtpIP/" $LOCAL_IPTABLE_FILE
$SED "s/^#SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -d \$SMTP_IP -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -s \$SMTP_IP -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^relayhost =.*/relayhost = [$smtpIP]:$smtpPort/g" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_security_level =.*/smtp_tls_security_level = may/g" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_wrappermode =.*/smtp_tls_wrappermode = no/g" $POSTFIX_CONF_FILE
$SED "s/^myhostname =.*/myhostname = $hostName.$domainName/g" $POSTFIX_CONF_FILE
[ -e ${SASLPATH}/sasl_passwd ] && rm -f ${SASLPATH}/*
elif [[ $TYPE_MAIL -eq 3 ]]; then # Enable mail service (using an email address)
$SED "s/^MAIL=.*/MAIL=on/" $CONF_FILE
$SED "s/^MAIL_TYPE=.*/MAIL_TYPE=3/" $CONF_FILE
$SED "s/^MAIL_SMTP_IP=.*/MAIL_SMTP_IP=$smtpIP/" $CONF_FILE
$SED "s/^MAIL_SMTP_PORT=.*/MAIL_SMTP_PORT=$smtpPort/" $CONF_FILE
$SED "s/^MAIL_ADDR=.*/MAIL_ADDR=$mailAddr/" $CONF_FILE
$SED "s/^MAIL_WHITEDOMAIN=.*/MAIL_WHITEDOMAIN=$whiteDomain/" $CONF_FILE
$SED "s/^MAIL_ADMIN=.*/MAIL_ADMIN=$adminMail/" $CONF_FILE
$SED "s/^SMTP_IP=.*/SMTP_IP=$smtpIP/" $LOCAL_IPTABLE_FILE
$SED "s/^SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#SMTP_IP=.*/SMTP_IP=$smtpIP/" $LOCAL_IPTABLE_FILE
$SED "s/^#SMTP_PORT=.*/SMTP_PORT=$smtpPort/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT.*/\$IPTABLES -A OUTPUT -p tcp --dport \$SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^#\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT.*/\$IPTABLES -A INPUT -p tcp --sport \$SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT/" $LOCAL_IPTABLE_FILE
$SED "s/^relayhost =.*/relayhost = [$smtpIP]:$smtpPort/g" $POSTFIX_CONF_FILE
$SED "s/^smtp_tls_security_level =.*/smtp_tls_security_level = encrypt/g" $POSTFIX_CONF_FILE
if [ "$smtpPort" = "465" ]; then # wrappermode is madatory only if port = 465
$SED "s/^smtp_tls_wrappermode =.*/smtp_tls_wrappermode = yes/g" $POSTFIX_CONF_FILE
else
$SED "s/^smtp_tls_wrappermode =.*/smtp_tls_wrappermode = no/g" $POSTFIX_CONF_FILE
fi
$SED "s/^myhostname =.*/myhostname = alcasar.net/g" $POSTFIX_CONF_FILE # use the alcasar domain name to avoid extern smtp servers reject
[ -d ${SASLPATH} ] || mkdir ${SASLPATH}
echo "[${smtpIP}]:${smtpPort} ${mailAddr}:${mailMdp}" > ${SASLPATH}/sasl_passwd
postmap ${SASLPATH}/sasl_passwd
chmod -R 644 ${SASLPATH}
chown root:root ${SASLPATH}/sasl_passwd*
chmod 0600 ${SASLPATH}/sasl_passwd*
else
echo "Erreur ! Aucun type de messagerie sélectionné !"
exit 0
fi
/usr/local/bin/alcasar-iptables.sh
systemctl restart postfix.service
exit 0
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
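--- a/scripts/test-create-delete-multiple_MAC-sh
+++ b/scripts/test-create-delete-multiple_MAC-sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+USER_NAME="test"
+DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
+DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
+MAC_ADDRESSES="00:11:22:33:44:50 00:11:22:33:44:51 00:11:22:33:44:52" # write here @MAC or user_names (delimiter=space)
+
+for MAC in $MAC_ADDRESSES
+do
+salt=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
+export algo_salt='$5$'$salt
+export pass='PASSWORD'
+pass_salt=$(perl -e'print crypt($ARGV[0],$ARGV[1])' $pass $algo_salt)
+db_query1="INSERT INTO radcheck (username,attribute,op,value) VALUES ('$MAC', 'Crypt-Password', ':=', '$pass_salt'); INSERT INTO userinfo (username) VALUES ('$MAC');"
+db_query2="DELETE FROM radcheck WHERE username = '$MAC'; DELETE FROM userinfo WHERE username = '$MAC';"
+db_radcheck_insert_res=$(mysql -u $DB_USER -p$DB_PASSWORD -D radius -e "$db_query2" -Ns) # choose here db_query1 or 2
+echo -n "$MAC "
+done
+echo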
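Review bot: `-p$DB_PASSWORD` on the mysql line puts the radius database password on the process command line, where any local user can read it through `ps` or `/proc/<pid>/cmdline` for as long as the query runs; read it from a root-only option file instead, e.g. `mysql --defaults-extra-file="$OPTS_FILE" -D radius -e "$db_query2" -Ns` where `$OPTS_FILE` is a placeholder for a 0600 file holding a `[client]` user/password section. The same argv pattern appears in test-retrieve-users-attributes-sh, alcasar-condown.sh and alcasar-conup.sh in this revision. The value captured in `db_radcheck_insert_res` is never read, so the assignment can be dropped.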
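--- a/scripts/alcasar-network.sh
+++ b/scripts/alcasar-network.sh
@@ -0,0 +1,131 @@
+#!/bin/bash
+
+# alcasar-network.sh
+# by Pierre RIVAULT and Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# Met à jour la configuration réseau conformément au fichier de configuration (alcasar.conf)
+# update network configuration according to alcasar.conf
+
+CONF_FILE="/usr/local/etc/alcasar.conf"
+TMP_ip_gw_save="/tmp/ipset_ip_gw_save"
+EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`
+PUBLIC_IP=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`
+if [ $PUBLIC_IP != "dhcp" ]; then
+GW1=`grep ^GW= $CONF_FILE|cut -d"=" -f2`
+MTU=`grep ^PUBLIC_MTU= $CONF_FILE|cut -d"=" -f2`
+MULTIWAN=`grep ^MULTIWAN= $CONF_FILE|cut -d"=" -f2`
+MULTIWAN=${MULTIWAN:=off}
+NET="`ipcalc -n $PUBLIC_IP | cut -d"=" -f2`/`ipcalc -p $PUBLIC_IP | cut -d"=" -f2`"
+IP=`echo $PUBLIC_IP | cut -d"/" -f1`
+PRIVATE_IP_MASK=`grep ^PRIVATE_IP $CONF_FILE | cut -d"=" -f2`
+PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
+PRIVATE_NETMASK=`echo $PRIVATE_IP_MASK | cut -d"/" -f2`
+PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24)
+PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0)
+PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24)
+nb_gw=`grep ^WAN $CONF_FILE | wc -l`
+fi
+routecmd="ip route replace default scope global"
+
+if [ $(whoami) != "root" ]; then
+echo "You must be root to run this!" ; echo ; exit 1
+fi
+
+if [ $# -eq 0 ]; then
+args="--apply"
+else
+args=$1
+fi
+
+case $args in
+--save) # save all the IP before changing the configuration
+rm -f $TMP_ip_gw_save
+gw_list="gw0" # ipset name list for load_balancing
+for ((i=1 ; i<=$nb_gw ; i++)); do
+gw_list="${gw_list} gw$i"
+done
+# Saving all of the already connected IP in order to put them back in the load balancing after
+for i in $gw_list;do
+ipset list $i 1>/dev/null 2>&1
+if [ $? -eq 0 ]
+then
+# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines except the members
+ipset list $i | grep -v ":" >> $TMP_ip_gw_save
+fi
+done
+exit 0
+;;
+--apply)
+[ -e /etc/sysconfig/network-scripts/ifcfg-$EXTIF ] && ifdown $EXTIF
+# set the new configuration for EXTIF
+if [ $PUBLIC_IP == "dhcp" ]; then
+cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
+DEVICE=$EXTIF
+BOOTPROTO=dhcp
+DNS1=127.0.0.1
+PEERDNS=no
+RESOLV_MODS=yes
+ONBOOT=yes
+NOZEROCONF=yes
+METRIC=10
+MII_NOT_SUPPORTED=yes
+IPV6INIT=no
+IPV6TO4INIT=no
+ACCOUNTING=no
+USERCTL=no
+MTU=$MTU
+EOF
+ifup $EXTIF
+else
+cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
+DEVICE=$EXTIF
+BOOTPROTO=static
+IPADDR=$IP
+NETMASK=`ipcalc -m $PUBLIC_IP | cut -d= -f2`
+NETWORK=`ipcalc -n $PUBLIC_IP | cut -d= -f2`
+GATEWAY=$GW1
+DNS1=127.0.0.1
+RESOLV_MODS=yes
+ONBOOT=yes
+METRIC=10
+MII_NOT_SUPPORTED=yes
+IPV6INIT=no
+IPV6TO4INIT=no
+ACCOUNTING=no
+USERCTL=no
+MTU=$MTU
+NOZEROCONF=yes
+EOF
+ifup $EXTIF
+ip route flush ${NET} # Remove the previous route for the network of EXTIF
+ip route delete default scope global # Remove the previous default route
+ip route add ${NET} dev ${EXTIF} src ${IP} # Set the new route for EXTIF network
+ip route add ${NET} dev ${EXTIF} src ${IP} table 200 # Set the new default route. If no multiwan, these lines are equivalent to `ip route add default via ${GW1}`
+ip route add default via ${GW1} table 200
+routecmd="${routecmd} nexthop via ${GW1} dev ${EXTIF}"
+ip rule flush # Remove the previous routing rules
+ip rule add from all lookup main pref 32766 # Set back the main rules
+ip rule add from all lookup default pref 32767 # Set back the default rules
+ip rule add from ${PRIVATE_NETWORK_MASK} fwmark 200 lookup 200 # Add the rule for the first gateway
+if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
+nb_gw_supp=`grep ^WAN $CONF_FILE|wc -l`
+for ((i=0 ; $i < $nb_gw_supp ; i++)); do
+table=$(($i + 201)) # This number is used to mark the paquets in order to route them to the choosen GW
+GW=`grep ^WAN$(($i + 1))= $CONF_FILE|awk -F'"' '{ print $2 }' | awk -F, '{print $1}'`
+ip route add ${NET} dev ${EXTIF} src ${IP} table $table # Add the others route in their respective tables
+ip route add default via ${GW} table $table
+ip rule add from ${PRIVATE_NETWORK_MASK} fwmark $table lookup $table # Add the rule for each rule depending of the mark set by the firewall
+routecmd="${routecmd} nexthop via ${GW} dev ${EXTIF}" # add the added gateway into the default gateway
+done
+fi
+${routecmd} # define the default gateway for outgoing traffic
+ip route flush cache
+fi
+/usr/local/bin/alcasar-iptables.sh
+exit 0
+;;
+*)
+exit 1
+;;
+esac
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property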
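Review bot: `nb_gw` and `MTU` are assigned only inside the `if [ $PUBLIC_IP != "dhcp" ]` block, so with a DHCP WAN the `--save` loop `for ((i=1 ; i<=$nb_gw ; i++))` aborts with an arithmetic syntax error on the empty operand and the dhcp heredoc writes an empty `MTU=` into the ifcfg file; move `nb_gw=$(grep -c '^WAN' "$CONF_FILE")` and the `MTU=` read above the `if`. Both `[ $PUBLIC_IP != "dhcp" ]` and `[ $PUBLIC_IP == "dhcp" ]` also need `"$PUBLIC_IP"` quoted, otherwise a missing PUBLIC_IP line in alcasar.conf produces a `[: unary operator expected` error instead of a clear failure. The comment above the `grep -v ":"` line still describes an earlier `cut -d":" -f5` and should read `# grep -v ":" drops the header lines, leaving only the set members`.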
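--- a/scripts/alcasar-list-ip_gw.sh
+++ b/scripts/alcasar-list-ip_gw.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# alcasar-list-ip_gw.sh
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# This script displays authenticated systems (users & @MAC) with their gw
+# Ce script affiche les systèmes authentifiés (utilisateurs et @MAC) avec leur routeur
+
+CONF_FILE="/usr/local/etc/alcasar.conf"
+
+nb_gw=`grep ^WAN $CONF_FILE | wc -l`
+for (( i = 0 ; i <= $nb_gw ; i++ ));do
+gw="gw$i"; gw_order=`expr $i + 1`
+ip_list=`ipset l $gw|grep -v :`
+for ip in $ip_list;do
+echo "$ip $gw_order"
+done
+done
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property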
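Review bot: The shebang is `#!/bin/sh` but `for (( i = 0 ; i <= $nb_gw ; i++ ))` is bash-only syntax, so the script parses only where sh happens to be bash; either switch to `#!/bin/bash` or use a POSIX loop, `i=0; while [ "$i" -le "$nb_gw" ]; do ... i=$((i + 1)); done`. The `expr` call computing `gw_order` can become `gw_order=$((i + 1))` in either case. Quoting `"$CONF_FILE"` and `"$gw"` is free and keeps shellcheck quiet.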
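--- a/scripts/test-retrieve-users-attributes-sh
+++ b/scripts/test-retrieve-users-attributes-sh
@@ -0,0 +1,69 @@
+#! /bin/bash
+# script test&debug.sh
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# This script tests the following behaviour :
+# - Retreive 3 special attributes of a user ('test' by default). It Retrieves theses attributes from default group, then from user's group, then from its account
+# - test if the attribute "Alcasar-Status-Page-Must-Stay-Open" is set to "2", then retrieve the "expiration" attribute
+# - (todo) if the "expiration" attribute exists then create a new user (login = user's @MAC) and duplicates all user's attributes
+
+
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+USER_NAME="test"
+DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
+DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
+
+# Retrieve 3 ALCASAR special radius attributes (search order : default group, then user's group, then user)
+db_query="SELECT attribute, value FROM ( \
+( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) UNION \
+( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ORDER BY ug.priority ) UNION \
+( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) \
+) attrs GROUP BY attribute;"
+db_radreply_res=$(mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns)
+
+filter=$(echo "$db_radreply_res" | awk '$1 == "Alcasar-Filter" { print $2 }')
+filterProto=$(echo "$db_radreply_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }')
+statusOpenRequired=$(echo "$db_radreply_res" | awk '$1 == "Alcasar-Status-Page-Must-Stay-Open" { print $2 }')
+echo "USER_NAME = $USER_NAME; filter = $filter; filterproto = $filterProto; statusOpenRequired = $statusOpenRequired";
+
+# If status page isn't required :
+if [ "$statusOpenRequired" == '2' ]; then # Status page is not required
+echo ""
+# Retrieve "expiration" attribute from radcheck
+db_query="SELECT attribute, value FROM ( \
+( SELECT attribute, value FROM radcheck WHERE username = '$USER_NAME' AND attribute = 'Expiration' ) UNION \
+( SELECT attribute, value FROM radgroupcheck gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND attribute = 'Expiration' ORDER BY ug.priority ) UNION \
+( SELECT attribute, value FROM radgroupcheck WHERE groupname = 'default' AND attribute = 'Expiration' ) \
+) attrs GROUP BY attribute;"
+db_radcheck_expiration_res=$(mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns)
+# if a expiration date exists we retrieve all radreply attributes
+if [ `echo $db_radcheck_expiration_res|wc -l` == '1' ]; then
+echo "###########################"
+echo "## Radreply attributes"
+db_query="SELECT attribute, value FROM ( \
+( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' ) UNION \
+( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' ORDER BY ug.priority ) UNION \
+( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' ) \
+) attrs GROUP BY attribute;"
+mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns | while IFS= read -r loop
+do
+attr=`echo $loop|cut -d" " -f1`
+attr_value=`echo $loop|cut -d" " -f2-`
+echo "$attr = $attr_value"
+done
+# if a expiration date exists we retrieve all radcheck attributes
+echo "## Radcheck attributes"
+db_query="SELECT attribute, value FROM ( \
+( SELECT attribute, value FROM radcheck WHERE username = '$USER_NAME' ) UNION \
+( SELECT attribute, value FROM radgroupcheck gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' ORDER BY ug.priority ) UNION \
+( SELECT attribute, value FROM radgroupcheck WHERE groupname = 'default' ) \
+) attrs GROUP BY attribute;"
+mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns | while IFS= read -r loop
+do
+attr=`echo $loop|cut -d" " -f1`
+attr_value=`echo $loop|cut -d" " -f2-`
+echo "$attr = $attr_value"
+done
+fi
+fi
Property changes:
Added: svn:executable
+*
\ No newline at end of property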
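Review bot: The expiration check that compares the `wc -l` count of the echoed `db_radcheck_expiration_res` with `'1'` is always true: `echo` of an empty result still emits one newline, so `wc -l` prints 1 even when no row came back, and the unquoted expansion folds a multi-row result onto a single line as well. `if [ -n "$db_radcheck_expiration_res" ]; then` expresses the intended "a row exists" test and drops the subshell. The two comments `# if a expiration date exists ...` should read `# if an expiration date exists ...`.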
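--- a/scripts/alcasar-condown.sh
+++ b/scripts/alcasar-condown.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+#
+# $Id$
+#
+# alcasar-condown.sh
+# by Rexy & Pierre RIVAULT
+# This script is distributed under the Gnu General Public License (GPL)
+
+# This script is started by coova after each logout
+# Ce script est lancé par coova à chaque déconnexion d'usager
+
+CONF_FILE="/usr/local/etc/alcasar.conf"
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
+DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
+
+if [ -z $FRAMED_IP_ADDRESS ]; then
+exit 1
+fi
+
+# Retrieve 2 alcasar special radius attributes (search order : default group, then user's group, then user)
+db_query="SELECT attribute, value FROM ( \
+( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ) UNION \
+( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ORDER BY ug.priority ) UNION \
+( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter')) ) \
+) attrs GROUP BY attribute;"
+db_res=$(mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns)
+
+filter=$(echo "$db_res" | awk '$1 == "Alcasar-Filter" { print $2 }')
+filterProto=$(echo "$db_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }')
+
+if [ "$filter" == '4' ]; then # AV_WL
+set_filter="av_wl"
+elif [ "$filter" == '3' ]; then # AV_BL
+set_filter="av_bl"
+elif [ "$filter" == '2' ]; then # AV
+set_filter="av"
+else # NOT_FILTERED
+set_filter="not_filtered"
+fi
+
+if [ "$filterProto" == '4' ]; then # PROFILE 3 (Custom)
+set_filterProto="proto_3";
+elif [ "$filterProto" == '3' ]; then # PROFILE 2 (WEB + Mail + Remote access)
+set_filterProto="proto_2";
+elif [ "$filterProto" == '2' ]; then # PROFILE 1 (WEB)
+set_filterProto="proto_1";
+else # PROFILE 0 (Not filtered)
+set_filterProto="proto_0";
+fi
+
+# Remove user from his IPSET
+ipset del $set_filter $FRAMED_IP_ADDRESS
+ipset del $set_filterProto $FRAMED_IP_ADDRESS
+
+# Remove IP address from active users list
+current_users_file="/tmp/current_users.txt"
+[ -e $current_users_file ] && sed -i "/^$FRAMED_IP_ADDRESS:/d" $current_users_file
+
+# Remove user_IP from ipset of load balancing
+nb_gw=`grep ^WAN $CONF_FILE | wc -l`
+for (( i = 0 ; i <= $nb_gw ; i++ ));do
+gw="gw$i"
+ipset test $gw $FRAMED_IP_ADDRESS 1>/dev/null 2>&1
+if [ $? -eq 0 ];then
+ipset del $gw $FRAMED_IP_ADDRESS
+break
+fi
+done
+
+#############################
+## Debug : show all the coova parse variables (+ ALCASAR-Filter + ALCASAR-Protocols-Filter).
+## see "/src/chilli.c" for the complete list of parse variables
+#debug_file="/tmp/debug-condown.txt"
+#echo "-----------------------------------------------" >> $debug_file
+#echo `date` >> $debug_file
+#for i in DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN COOVACHILLI_MAX_INPUT_OCTETS COOVACHILLI_MAX_OUTPUT_OCTETS COOVACHILLI_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS INPUT_PACKETS OUTPUT_PACKETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
+#do
+# echo -n "$i=" >> $debug_file
+# if [[ -v $i ]];
+# then
+# echo -n "${!i}; " >> $debug_file
+# else
+# echo -n "not defined; " >> $debug_file
+# fi
+#done
+#echo >> $debug_file
+#echo "ALCASAR-Filter : $set_filter" >> $debug_file
+#echo "ALCASAR-Protocols-Filter : $set_filterProto" >> $debug_file
+## END Debug
+#################################
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property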
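Review bot: `$USER_NAME`, which coova hands to this script from the session that just ended, is spliced unescaped into the SQL text of `db_query`; a login containing a single quote breaks the statement and, at worst, changes what `mysql -e` executes, so the lookup should refuse any name outside the alphabet the portal accepts for logins before the query is built, e.g. `case "$USER_NAME" in ''|*[!A-Za-z0-9@._:-]*) exit 1 ;; esac` (widen the class to whatever characters logins may really contain). alcasar-conup.sh builds the same query from the same variable and needs the same guard. Separately, `[ "$filter" == '4' ]` and `for (( i = 0 ; ... ))` are bash syntax under a `#!/bin/sh` shebang; `#!/bin/bash` would match what the script actually relies on.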
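--- a/scripts/alcasar-conup.sh
+++ b/scripts/alcasar-conup.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# $Id$
+#
+# alcasar-conup.sh
+# by Rexy & Pierre RIVAULT
+# This script is distributed under the Gnu General Public License (GPL)
+
+# This script is started by coova after each successfull login
+# Ce script est démarré par coova à chaque connexion d'usager (authentification réussi)
+
+CONF_FILE="/usr/local/etc/alcasar.conf"
+PASSWD_FILE="/root/ALCASAR-passwords.txt"
+DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
+DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
+
+if [ -z $FRAMED_IP_ADDRESS ]; then
+exit 1
+fi
+
+# Retrieve 3 alcasar special radius attributes (search order : default group, then user's group, then user)
+db_query="SELECT attribute, value FROM ( \
+( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) UNION \
+( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ORDER BY ug.priority ) UNION \
+( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute IN ('Alcasar-Filter', 'Alcasar-Protocols-Filter', 'Alcasar-Status-Page-Must-Stay-Open')) ) \
+) attrs GROUP BY attribute;"
+db_res=$(mysql -u$DB_USER -p$DB_PASSWORD -D radius -e "$db_query" -Ns)
+
+filter=$(echo "$db_res" | awk '$1 == "Alcasar-Filter" { print $2 }')
+filterProto=$(echo "$db_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }')
+statusPageRequired=$(echo "$db_res" | awk '$1 == "Alcasar-Status-Page-Must-Stay-Open" { print $2 }')
+
+
+# Add user to his IPSET
+if [ "$filter" == '4' ]; then # AV_WL
+set_filter="av_wl"
+elif [ "$filter" == '3' ]; then # AV_BL
+set_filter="av_bl"
+elif [ "$filter" == '2' ]; then # AV
+set_filter="av"
+else # NOT_FILTERED
+set_filter="not_filtered"
+fi
+
+if [ "$filterProto" == '4' ]; then # PROFILE 3 (Custom)
+set_filterProto="proto_3";
+elif [ "$filterProto" == '3' ]; then # PROFILE 2 (WEB + Mail + Remote access)
+set_filterProto="proto_2";
+elif [ "$filterProto" == '2' ]; then # PROFILE 1 (WEB)
+set_filterProto="proto_1";
+else # PROFILE 0 (Not filtered)
+set_filterProto="proto_0";
+fi
+
+# Add user to his IPSET
+ipset add $set_filter $FRAMED_IP_ADDRESS
+ipset add $set_filterProto $FRAMED_IP_ADDRESS
+
+# If status page isn't required :
+# -add user_IP with flag PERM in /tmp/current_users.txt (watchdog remove these @IP at midnight)
+# if the user has the "Expiration" attribute, add its @MAC as an authenticated user (with the same user's attributes)
+if [ "$statusPageRequired" == '2' ]; then # Status page is not required
+current_users_file="/tmp/current_users.txt"
+if [ ! -e $current_users_file ]; then
+touch $current_users_file && chown root:apache $current_users_file && chmod 660 $current_users_file
+fi
+echo "$FRAMED_IP_ADDRESS:PERM" >> $current_users_file
+fi
+
+# set the user_ip to an gw_ipset for load-balancing
+gw_min="gw0"
+weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2`
+already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2`
+#The *1000 is here to avoid working on floats in bash
+gw_min_value=$((1000 * $already / $weight))
+
+nb_gw=`grep ^WAN $CONF_FILE | wc -l`
+for (( i = 1 ; i <= $nb_gw ; i++ ));do
+gw="gw${i}"
+weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'`
+already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2`
+value=$((1000 * $already / $weight))
+if [ $value -lt $gw_min_value ]
+then
+gw_min_value=$value
+gw_min=$gw
+fi
+done
+ipset add $gw_min $FRAMED_IP_ADDRESS
+
+#############################
+## Debug : show all the coova parse variables (+ ALCASAR-Filter + ALCASAR-Protocols-Filter + Alcasar-Status-Page-Must-Stay-Open).
+## see "/src/chilli.c" for the complete list of parse variables
+#debug_file="/tmp/debug-conup.txt"
+#echo "-----------------------------------------------" >> $debug_file
+#echo `date` >> $debug_file
+#for i in DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN COOVACHILLI_MAX_INPUT_OCTETS COOVACHILLI_MAX_OUTPUT_OCTETS COOVACHILLI_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS INPUT_PACKETS OUTPUT_PACKETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
+#do
+# echo -n "$i=" >> $debug_file
+# if [[ -v $i ]];
+# then
+# echo -n "${!i}; " >> $debug_file
+# else
+# echo -n "not defined; " >> $debug_file
+# fi
+#done
+#echo >> $debug_file
+#echo "ALCASAR-Filter : $set_filter" >> $debug_file
+#echo "ALCASAR-Protocols-Filter : $set_filterProto" >> $debug_file
+#echo "Alcasar-Status-Page-Must-Stay-Open : $statusPageRequired" >> $debug_file
+## END DEBUG
+#################################
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property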
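Review bot: `gw_min_value=$((1000 * $already / $weight))` aborts the script when `PUBLIC_WEIGHT=` is missing or empty in alcasar.conf (empty operand, arithmetic syntax error) or is 0 (division by zero), and the per-WAN `value=$((1000 * $already / $weight))` and an empty `already` (ipset not present) fail the same way; since the filter ipset adds have already run at that point, the user ends up in no gw set and the failure is silent apart from coova's log. A guard before each division, `[ -n "$weight" ] && [ "$weight" -gt 0 ] || weight=1` together with `already=${already:-0}`, keeps the load-balancing step alive; whether a zero weight should instead mean "never pick this gateway" is a product decision I cannot tell from here. `weight` is also reused across the `gw0` computation and the loop, so a missing `WAN<i>` weight silently inherits the previous gateway's value.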
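--- a/scripts/alcasar-wifi4eu.sh
+++ b/scripts/alcasar-wifi4eu.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# alcasar-wifi4eu.sh
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# active ou désactive l'affichage du logo WIFI4EU (+ intégration de leur échantillon de code)
+# enable or disable the display of WIFI4EU logo (+ integration of their snippet)
+
+SED="/bin/sed -i"
+CONF_FILE="/usr/local/etc/alcasar.conf"
+TRUST_SITES_FILE='/usr/local/etc/alcasar-uamdomain'
+TRUST_DOMAIN='collection.wifi4eu.ec.europa.eu' # the web site where the snippet connects to
+HOSTNAME=$(grep ^HOSTNAME= $CONF_FILE | cut -d'=' -f2)
+DOMAIN=$(grep ^DOMAIN= $CONF_FILE | cut -d'=' -f2)
+
+usage="Usage: alcasar-wifi4eu.sh {--on | -on} | {--off | -off}"
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+echo "$usage"
+exit 1
+fi
+
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--off | -off)
+$SED "s?^WIFI4EU=.*?WIFI4EU=off?" $CONF_FILE
+$SED "/$TRUST_DOMAIN/d" $TRUST_SITES_FILE
+/usr/local/bin/alcasar-file-clean.sh # Clean & sort conf files.
+/usr/bin/systemctl restart chilli
+;;
+--on | -on)
+$SED "s?^WIFI4EU=.*?WIFI4EU=on?" $CONF_FILE
+echo "uamdomain=\"$TRUST_DOMAIN\"" >> $TRUST_SITES_FILE
+/usr/local/bin/alcasar-file-clean.sh # Clean & sort conf files.
+/usr/bin/systemctl restart chilli
+;;
+*)
+echo "Argument inconnu : $1"
+echo "$usage"
+exit 1
+;;
+esac
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property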
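Review bot: `$SED "/$TRUST_DOMAIN/d" $TRUST_SITES_FILE` in the `--off` branch uses the domain as an unanchored regex with unescaped dots, so it also deletes any uamdomain line that merely matches that pattern with other characters in the dot positions; match exactly the line `--on` wrote: `$SED "/^uamdomain=\"${TRUST_DOMAIN//./\\.}\"$/d" $TRUST_SITES_FILE`. The `--on` branch appends the entry unconditionally; the alcasar-file-clean.sh call that follows presumably de-duplicates, but `grep -qF "uamdomain=\"$TRUST_DOMAIN\"" $TRUST_SITES_FILE || echo "uamdomain=\"$TRUST_DOMAIN\"" >> $TRUST_SITES_FILE` makes this script correct on its own. `HOSTNAME` and `DOMAIN` are read from the conf file but never used here.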
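--- a/scripts/alcasar-https.sh
+++ b/scripts/alcasar-https.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+# $Id$
+
+# alcasar-dhcp.sh
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# active ou désactive le chiffrement sur les flux d'authentification
+# enable or disable encryption on authentication flows
+
+SED="/bin/sed -i"
+CONF_FILE="/usr/local/etc/alcasar.conf"
+CHILLI_CONF_FILE="/etc/chilli.conf"
+HOSTNAME=$(grep ^HOSTNAME= $CONF_FILE | cut -d'=' -f2)
+DOMAIN=$(grep ^DOMAIN= $CONF_FILE | cut -d'=' -f2)
+
+usage="Usage: alcasar-https.sh {--on | -on} | {--off | -off}"
+nb_args=$#
+args=$1
+if [ $nb_args -eq 0 ]
+then
+echo "$usage"
+exit 1
+fi
+
+case $args in
+-\? | -h* | --h*)
+echo "$usage"
+exit 0
+;;
+--off | -off) # Chilli : disable HTTPS (it will listen only on 3990 port) + lighttpd : switch with an HTTP conf file
+$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=off?" $CONF_FILE
+$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=off?" $CONF_FILE
+$SED "s?^uamserver.*?uamserver\thttp://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
+$SED "s?^redirssl.*?#&?" $CHILLI_CONF_FILE
+$SED "s?^uamuissl.*?#&?" $CHILLI_CONF_FILE
+/usr/bin/systemctl restart chilli
+rm -f /etc/lighttpd/vhosts.d/alcasar.conf
+ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
+/usr/bin/systemctl restart lighttpd
+;;
+--on | -on) # Chilli : enable HTTPS (it will listen on ports 3990 (http) and 3991 (https) + lighttpd : switch with an HTTPS conf file
+$SED "s?^HTTPS_LOGIN=.*?HTTPS_LOGIN=on?" $CONF_FILE
+$SED "s?^HTTPS_CHILLI=.*?HTTPS_CHILLI=on?" $CONF_FILE
+$SED "s?^uamserver.*?uamserver\thttps://$HOSTNAME.$DOMAIN/intercept.php?" $CHILLI_CONF_FILE
+$SED "s?^#redirssl.*?redirssl?" $CHILLI_CONF_FILE
+$SED "s?^#uamuissl.*?uamuissl?" $CHILLI_CONF_FILE
+/usr/bin/systemctl restart chilli
+rm -f /etc/lighttpd/vhosts.d/alcasar.conf
+ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
+/usr/bin/systemctl restart lighttpd
+;;
+*)
+echo "Argument inconnu : $1"
+echo "$usage"
+exit 1
+;;
+esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property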
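Review bot: The header comment `# alcasar-dhcp.sh` names the wrong script; it should read `# alcasar-https.sh`. In both branches the vhost switch is done as `rm -f` followed by `ln -s`, which leaves lighttpd with no `/etc/lighttpd/vhosts.d/alcasar.conf` at all if the script is interrupted between the two commands; `ln -sfn /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf` (and the `alcasar-with-ssl.conf` counterpart in `--on`) replaces the link in a single step. Quoting `"$CONF_FILE"` and `"$CHILLI_CONF_FILE"` on the sed lines would also keep shellcheck clean.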
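--- a/scripts/alcasar-iot_capture.sh
+++ b/scripts/alcasar-iot_capture.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# alcasar-iot_capture.sh
+# by Guillaume Gellusseau, Dorian Lemoine & REXY
+# This script is distributed under the Gnu General Public License (GPL)
+
+# Ce script lance une capture de flux réseau en fonction d'une adresse IP source ($1)
+# This script performs a network flow capture based on source ip address ($1)
+
+CONF_FILE="/usr/local/etc/alcasar.conf"
+INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`
+PRIVATE_IP=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2 | cut -d'/' -f1)
+
+function info
+{
+_PID=$(ps -ef | grep tcpdump | grep $1 | awk {'print $2'})
+if [[ -n $_PID ]]
+then
+echo "CaptureON"
+else
+echo "CaptureOFF"
+fi
+}
+
+function kill
+{
+_PID=$(ps -ef | grep tcpdump | grep $1 | awk {'print $2'})
+sudo kill -2 $_PID
+}
+
+function launch
+{
+# capture only one @MAC, on $INTIF, max filesize=10M, without flows to PRIVATE_IP except DNS
+sudo tcpdump "ether host $1 and (host not $PRIVATE_IP or port 53)" -i $INTIF -n -C 10 -W 1 -w /var/Save/iot_captures/$1.pcap
+}
+
+function flush
+{
+sudo rm /var/Save/iot_captures/$1.pcap -f
+}
+
+
+while getopts "l k i f" option; do
+
+case "${option}" in
+
+l)
+launch $2
+;;
+k)
+kill $2
+;;
+i)
+info $2
+;;
+f)
+flush $2
+;;
+esac
+done
+
+#End
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property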
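Review bot: The address in `$2` is used without validation as a tcpdump filter expression, as a `grep` pattern, and as a path component under `/var/Save/iot_captures/` in the `sudo tcpdump` and `sudo rm` commands, and it is unquoted throughout; anything that is not a well-formed MAC should be rejected before the `case` dispatches, e.g. `[[ "$2" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]] || { echo "invalid MAC address" >&2; exit 1; }` placed just inside the `while getopts` loop. `function kill` shadows the shell builtin of that name for the rest of the script (its body avoids recursion only because `sudo` runs the external `kill`); a name such as `stop_capture` removes the surprise. The `ps -ef | grep tcpdump | grep $1 | awk` chain in `info` and `kill` matches any process whose command line contains both strings; `pgrep -f "tcpdump.*$1"` is the simpler lookup once `$1` has been validated. The header comment says the capture is keyed on a source IP address, while the filter and file name use `ether host`, i.e. a MAC; the comment should say `MAC address ($1)`.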
/scripts/alcasar-importcert.sh
0,0 → 1,173
#!/bin/bash
#
# $Id$
#
# alcasar-importcert.sh
# by Raphaël, Hugo, Clément, Bettyna & rexy
#
# This script is distributed under the Gnu General Public License (GPL)
#
# Script permettant
# - d'importer des certificats sur Alcasar
# - de revenir au certificat par default
#
# This script allows
# - to import a certificate in Alcasar
# - to go back to the default certificate
 
SED="/bin/sed -ri"
DIR_CERT="/etc/pki/tls"
CONF_FILE="/usr/local/etc/alcasar.conf"
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
 
usage="Usage: alcasar-importcert.sh -i /path/to/certificate.crt -k /path/to/privatekey.key [-c /path/to/serverchain.crt]\n alcasar-importcert.sh -d (restore default certificate)"
nb_args=$#
arg1=$1
 
function defaultCert()
{
mv -f $DIR_CERT/certs/alcasar.crt.old $DIR_CERT/certs/alcasar.crt
mv -f $DIR_CERT/private/alcasar.key.old $DIR_CERT/private/alcasar.key
if [ -f $DIR_CERT/certs/server-chain.pem.old ]
then
mv $DIR_CERT/certs/server-chain.pem.old $DIR_CERT/certs/server-chain.pem
fi
(cat $DIR_CERT/private/alcasar.key; echo; cat $DIR_CERT/certs/alcasar.crt) > $DIR_CERT/private/alcasar.pem
chown root:apache $DIR_CERT/private/alcasar.pem
chmod 750 $DIR_CERT/private/alcasar.pem
}
 
function domainName() # change the domain name in the conf files
{
fqdn=$(openssl x509 -noout -subject -nameopt multiline -in $DIR_CERT/certs/alcasar.crt | grep commonName|cut -d"=" -f2|tr -d ' ')
#check if there is a wildcard in $fqdn
if [[ $fqdn == *"*"* ]];
then
hostname="alcasar"
fqdn=${fqdn/"*"/$hostname}
else
hostname=$(echo $fqdn | cut -d'.' -f1)
fi
domain=$(echo $fqdn | cut -d'.' -f2-)
echo "fqdn=$fqdn hostname=$hostname domain=$domain"
#check fqdn format
if [[ "$fqdn" != "" && "$domain" != "" ]]; then
$SED "s/^HOSTNAME=.*/HOSTNAME=$hostname/g" /usr/local/etc/alcasar.conf
$SED "s/^DOMAIN=.*/DOMAIN=$domain/g" /usr/local/etc/alcasar.conf
/usr/local/bin/alcasar-conf.sh --apply
fi
}
 
function certImport()
{
if [ ! -f "$DIR_CERT/certs/alcasar.crt.old" ]
then
echo "Backup of old cert (alcasar.crt)"
mv $DIR_CERT/certs/alcasar.crt $DIR_CERT/certs/alcasar.crt.old
fi
if [ ! -f "$DIR_CERT/private/alcasar.key.old" ]
then
echo "Backup of old private key (alcasar.key)"
mv $DIR_CERT/private/alcasar.key $DIR_CERT/private/alcasar.key.old
fi
cp $cert $DIR_CERT/certs/alcasar.crt
cp $key $DIR_CERT/private/alcasar.key
(cat $DIR_CERT/private/alcasar.key; echo; cat $DIR_CERT/certs/alcasar.crt) > $DIR_CERT/private/alcasar.pem
chown root:apache $DIR_CERT/certs/alcasar.crt
chown root:apache $DIR_CERT/private/alcasar.key
chown root:apache $DIR_CERT/private/alcasar.pem
chmod 750 $DIR_CERT/certs/alcasar.crt
chmod 750 $DIR_CERT/private/alcasar.key
chmod 750 $DIR_CERT/private/alcasar.pem
if [ "$sc" != "" ]
then
echo "cert-chain exists"
if [ ! -f "$DIR_CERT/certs/server-chain.pem.old" ]
then
echo "Backup of old cert-chain (server-chain.pem)"
mv $DIR_CERT/certs/server-chain.pem $DIR_CERT/certs/server-chain.pem.old
fi
cp $sc $DIR_CERT/certs/server-chain.pem
chown root:apache $DIR_CERT/certs/server-chain.pem
chmod 750 $DIR_CERT/certs/server-chain.pem
fi
}
 
 
if [ $nb_args -eq 0 ]
then
echo -e "$usage"
exit 1
fi
 
case $arg1 in
-\? | -h* | --h*)
echo -e "$usage"
exit 0
;;
-i)
arg3=$3
arg5=$5
cert=$2
key=$4
sc=$6
 
if [ "$cert" == "" ] || [ "$key" == "" ]
then
echo -e "$usage"
exit 1
fi
 
if [ ! -f "$cert" ] || [ ! -f "$key" ]
then
echo "Certificate and/or private key not found"
exit 1
fi
 
if [ ${cert: -4} != ".crt" ] && [ ${cert: -4} != ".cer" ]
then
echo "Invalid certificate file"
exit 1
fi
 
if [ ${key: -4} != ".key" ]
then
echo "Invalid private key"
exit 1
fi
 
if [ "$arg5" != "-c" ] || [ -z "$sc" ]
then
echo "No server-chain given"
echo "Importing certificate $cert with private key $key"
sc=""
else
if [ ! -f "$sc" ]
then
echo "Server-chain certificate not found"
exit 1
fi
if [ ${sc: -4} != ".crt" ] && [ ${sc: -4} != ".cer" ] && [ ${sc: -4} != ".pem" ]
then
echo "Invalid server-chain certificate file"
exit 1
fi
echo "Importing certificate $cert with private key $key and server-chain $sc"
fi
certImport
domainName
;;
-d)
if [ -f "/etc/pki/tls/certs/alcasar.crt.old" -a -f "/etc/pki/tls/private/alcasar.key.old" ]
then
echo "Restoring default certificate"
defaultCert
domainName
else echo "No default cert found"
fi
;;
*)
echo -e "$usage"
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
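Review bot: certImport overwrites the live certificate and key at L6865–L6866 after checking nothing but the file extension (L6919, L6925), and because the `.old` backups are only taken when absent (L6855, L6860) a second bad import leaves no copy of the previously working imported pair (`-d` only restores the original default). A mismatched or unparsable pair takes the portal's HTTPS down, so parse both files with openssl and compare their public keys before calling certImport at L6949 (rewritten lines below). domainName (L6834–L6848) also splices the hostname and domain taken from the certificate CN into `sed -ri` expressions unescaped, so a CN containing `/` or `&` corrupts alcasar.conf; `[[ "$fqdn" =~ ^[A-Za-z0-9.*-]+$ ]] || return 1` before the substitutions, and quoting `"$cert"`/`"$key"` in the `cp` calls at L6865–L6866, keep that out.
```shell
# … unchanged: -i option parsing and the extension checks …
# Refuse to replace the live pair unless both files parse and the key matches the certificate.
if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
  echo "Invalid certificate file"
  exit 1
fi
if ! openssl pkey -noout -in "$key" >/dev/null 2>&1; then
  echo "Invalid private key"
  exit 1
fi
if [ "$(openssl x509 -noout -pubkey -in "$cert")" != "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ]; then
  echo "Private key does not match the certificate"
  exit 1
fi
certImport
domainName
```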
/scripts/alcasar-flush_ipset_wl.sh
0,0 → 1,11
#!/bin/sh
#by Raphaël Pion
#Permet de vider l'ipset wl_ip_allowed lorsque tous les utilisateurs de la whitelist sont déconnectés
#Clean wl_ip_allowed ipset when WL users are gone.
 
PTN="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
NB_USERS=$(ipset list av_wl | grep -E $PTN | wc -l)
if [ $NB_USERS -eq '0' ]
then
/sbin/ipset flush wl_ip_allowed
fi
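Review bot: `$PTN` is unquoted in `grep -E $PTN` at L6983, and because the pattern contains `?` and `[...]` it goes through pathname expansion before grep sees it, so a matching filename in the working directory would silently replace the regex. Quote it and let grep do the counting: `NB_USERS=$(ipset list av_wl | grep -cE "$PTN")`. I would also note, without being able to see the set type from here, that any dotted quad in the `ipset list` header (a bitmap range, for instance) is counted as a user by this pipeline; restricting the count to the lines after the `Members:` header would be stricter.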
/scripts/alcasar-ldap.sh
0,0 → 1,139
#!/bin/bash
 
# $Id$
 
# alcasar-ldap.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe
# enable / disable authentication of users via an extern LDAP server
 
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off} | --import-cert {certificatePath} | --test [-d]"
SED="/bin/sed -i"
CONF_FILE="/usr/local/etc/alcasar.conf"
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
OPENLDAP_CONF='/etc/openldap/ldap.conf'
LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'
LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE | cut -d"=" -f2) # hostname/IP address of the LDAP server
LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE | cut -d"=" -f2-) # LDAP username used by ALCASAR to read the remote directory
LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE | cut -d"=" -f2-) # its password
LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE | cut -d"=" -f2-) # Where to find the users (cn=**,dc=**,dc=**)
LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE | cut -d"=" -f2) # 'samaccountname' for A.D. - 'UID' for LDAP
LDAP_FILTER=$(grep '^LDAP_FILTER=' $CONF_FILE | cut -d"=" -f2-) # LDAP filter
LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL status
LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL certificate verifying
 
add_ldap_server_to_static_dhcp() {
if [[ "$LDAP_SERVER" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
ldap_server_ip="$LDAP_SERVER"
else
ldap_server_ip=$(dig +short $LDAP_SERVER)
[ -z "$ldap_server_ip" ] && return 1
fi
 
if [ -z "$(cat /usr/local/etc/alcasar-ethers | awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip)')" ]; then
ldap_server_mac=$(chilli_query list | awk -v ldap_server_ip="$ldap_server_ip" '($2==ldap_server_ip) {print $1}')
[ -z "$ldap_server_mac" ] && return 1
 
echo "$ldap_server_mac $ldap_server_ip" >> /usr/local/etc/alcasar-ethers
echo "$ldap_server_mac $ldap_server_ip #LDAP Server" >> /usr/local/etc/alcasar-ethers-info
fi
}
 
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]; then
nb_args=1
args="-h"
fi
 
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
--on | -on)
$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
if [ "$LDAP_SSL" == 'on' ]; then
$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
echo "TLS_REQCERT $require_cert" > $OPENLDAP_CONF
[ -f "$LDAPS_CERT_LOC" ] && echo "TLS_CACERT $LDAPS_CERT_LOC" >> $OPENLDAP_CONF
else
$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE
echo '' > $OPENLDAP_CONF
fi
$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
$SED "s/^\t\tfilter =.*/\t\tfilter = \"(\&(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})(${filter//&/\\&}))\"/g" $LDAP_MODULE
if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
fi
[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
add_ldap_server_to_static_dhcp
/usr/bin/systemctl restart radiusd.service
;;
--off | -off)
$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
rm -f /etc/raddb/mods-enabled/ldap
[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
/usr/bin/systemctl restart radiusd.service
;;
--import-cert)
cert=$2
[ -z "$cert" ] && echo "$usage" && exit 1
 
[ ! -f "$cert" ] && { echo >&2 "ERR: certificate file \"$cert\" not found" ; exit 1; }
 
# TODO : convert DER format to PEM ?
cp -f "$cert" $LDAPS_CERT_LOC
chown root:radius $LDAPS_CERT_LOC
chmod 644 $LDAPS_CERT_LOC
 
if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then
domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC | cut -d' ' -f2- | sed 's@/[A-Za-z]\+=@\n@g' | tac | tr '\n' '.' | sed 's@\.\+$@@')
if [ "$domainName" != "$LDAP_SERVER" ]; then
echo 'WARN: the common name of the certificate is different from the server domain name'
fi
fi
 
$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE
$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE
[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
/usr/bin/systemctl restart radiusd.service
;;
--delete-cert)
[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC
;;
--test)
[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'
command -v ldapsearch &>/dev/null || { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }
if [ "$LDAP_SSL" == 'on' ]; then
protocol='ldaps'
[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
export LDAPTLS_REQCERT="$require_cert"
[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"
else
protocol='ldap'
fi
[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "(&($LDAP_UID=*)($filter))" 1.1
;;
*)
echo "Argument inconnu : $1";
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
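Review bot: The `--test` branch passes the bind password on the command line with `-w "$LDAP_PASSWORD"` at L7121, so it is readable in `ps`/`/proc/*/cmdline` by every local account for as long as ldapsearch runs. ldapsearch accepts `-y file`, so write the password to a temporary file instead: `pwfile=$(mktemp) && printf '%s' "$LDAP_PASSWORD" > "$pwfile"`, `trap 'rm -f "$pwfile"' EXIT`, then replace `-w "$LDAP_PASSWORD"` with `-y "$pwfile"`. Separately, the `--on` substitutions at L7048–L7063 only escape `"` in the configuration values, so a `/`, `&` or `\` in LDAP_PASSWORD or LDAP_BASE either breaks the `s///` expression or is interpreted by sed; escape those too or reject them before editing the module. At L7020 `dig +short` can return several lines (a CNAME followed by the address), in which case the awk comparison at L7024 never matches and L7028 appends a multi-line entry to alcasar-ethers; `dig +short "$LDAP_SERVER" A | grep -m1 -E '^[0-9.]+$'` keeps only the first address.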
/scripts/alcasar-generate_log.sh
0,0 → 1,166
#!/bin/bash
#
# $Id$
#
#Corrélation et Generation des logs d'imputabilité au format PDF.
#Ce script permet de générer un fichier HTML qui sera converti en PDF a l'aide du RPM wkhtmltopdf.
#Ce PDF sera placé dans une archive protégé par un mot de passe.
#Pour extraire ce fichier PDF, il faudra installer le paquet p7zip.
#La génération de ce document préviendra les utilisateurs lors de leur prochaine connection. (utilisateur flagué dans le 4ème 'bit' de l'attribut FilterID de la BDD radius.
#
#Il est possible de demander les logs d'imputabilité :
#-depuis le début (pas d'argument)
#-à partir d'une date (un seul argument)
#-en spécifiant un intervale (deux arguments correspondant aux bornes respectives)
#Par Raphaël Pion
 
 
 
usage="Usage: alcasar-generate_log.sh PASSWORD && ({ '' } | { 'YYYY-MM-DD HH:MM:SS' } | { 'YYYY-MM-DD HH:MM:SS' 'YYYY-MM-DD HH:MM:SS' })"
nb_args=$#
DIR='/var/www/html/acc/backup/'
TMP_SQL="/tmp/log_sql.csv"
TMP_USERS="/tmp/log_users"
TMP_HTML="$DIR/log_nf.html"
TMP_PDF="$DIR/imputabilities_logs-$(date +%F).pdf"
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_ROOT_PW=$(grep '^db_root=' $PASSWD_FILE | cut -d'=' -f 2-)
ARCHIVE_LOCATION="$DIR/imputabilities_logs.zip"
 
 
if [ $nb_args -eq 1 ]
then
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct ORDER BY acctstarttime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';"
SECTION_LOG="Extraction de tous les journaux"
fi
 
if [ $nb_args -eq 2 ]
then
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct WHERE acctstarttime >= '$2' ORDER BY acctstarttime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';"
SECTION_LOG="Extraction des journaux à partir du $2"
fi
 
if [ $nb_args -eq 3 ]
then
QUERY="SELECT username,callingstationid,framedipaddress,acctstarttime,acctstoptime,acctinputoctets,acctoutputoctets,acctterminatecause FROM radacct WHERE acctstarttime >= '$2' AND acctstarttime <= '$3' ORDER BY acctstoptime INTO OUTFILE '$TMP_SQL' FIELDS TERMINATED BY ',' ENCLOSED BY '' LINES TERMINATED BY '\n';"
SECTION_LOG="Extraction des journaux entre $2 et $3"
fi
 
if [ $nb_args -eq 0 ]
then
echo $usage
exit
fi
 
 
if [ $nb_args -gt 3 ]
then
echo $usage
exit
fi
 
if [ -e $TMP_SQL ]
then
rm $TMP_SQL
fi
 
if [ -e $TMP_PDF ]
then
rm $TMP_PDF
fi
 
if [ -e $ARCHIVE_LOCATION ]
then
rm $ARCHIVE_LOCATION
fi
 
 
#get log information for each users
mysql -u root -p"$DB_ROOT_PW" -D radius -e "$QUERY"
 
#Create HTML document which contains every informations about users
echo "<!DOCTYPE html>" > $TMP_HTML
echo "<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>" >> $TMP_HTML
echo "<TITLE>ALCASAR Report</TITLE>" >> $TMP_HTML
echo "<link rel='stylesheet' type='text/css' href='../../css/bootstrap.min.css'>" >> $TMP_HTML
echo "<link rel='stylesheet' type='text/css' href='../../css/report.css'>" >> $TMP_HTML
echo "</HEAD>" >> $TMP_HTML
echo "<body>" >> $TMP_HTML
echo "<h1>$SECTION_LOG</h1>" >> $TMP_HTML
 
echo "<i><p style='text-align: right;'>Date de création $(date +%F)</p></i>" >> $TMP_HTML
echo "<font size='1'>" >> $TMP_HTML
cat $TMP_SQL | while read LIGNE_SQL
do
LOG_IP=$(echo $LIGNE_SQL | cut -d',' -f3)
LOG_DATE1=$(echo $LIGNE_SQL | cut -d',' -f4)
LOG_DATE2=$(echo $LIGNE_SQL | cut -d',' -f5)
 
LOG_Y1=$(echo $LOG_DATE1 | cut -d'-' -f1)
LOG_M1=$(echo $LOG_DATE1 | cut -d'-' -f2)
LOG_D1=$(echo $LOG_DATE1 | cut -d'-' -f3 | cut -d' ' -f1)
LOG_H1=$(echo $LOG_DATE1 | cut -d'-' -f3 | cut -d' ' -f2)
LOG_Y2=$(echo $LOG_DATE2 | cut -d'-' -f1)
LOG_M2=$(echo $LOG_DATE2 | cut -d'-' -f2)
LOG_D2=$(echo $LOG_DATE2 | cut -d'-' -f3 | cut -d' ' -f1)
LOG_H2=$(echo $LOG_DATE2 | cut -d'-' -f3 | cut -d' ' -f2)
DUMP=$(nfdump -q -R /var/log/nfsen/profiles-data/live/alcasar_netflow/ -t $LOG_Y1/$LOG_M1/$LOG_D1.$LOG_H1-$LOG_Y2/$LOG_M2/$LOG_D2.$LOG_H2 -O tstart -o "fmt:<tr><td class='numberLine'></td><td>%sa</td><td>%sp</td><td>%da</td><td>%dp</td><td>%ts</td></tr>" "ip $LOG_IP")
if [ ! -z "$DUMP" ]
then
echo "<div class='container'> " >> $TMP_HTML
echo "<table class='table table-striped'>" >> $TMP_HTML
echo "<thead>" >> $TMP_HTML
echo "<tr>" >> $TMP_HTML
echo "<th>Username</th>" >> $TMP_HTML
echo "<th>Client @MAC</th>" >> $TMP_HTML
echo "<th>Client @IP</th>" >> $TMP_HTML
echo "<th>Login Time</th>" >> $TMP_HTML
echo "<th>Logout Time</th>" >> $TMP_HTML
echo "<th>Upload</th>" >> $TMP_HTML
echo "<th>Download</th>" >> $TMP_HTML
echo "<th>Cause</th>" >> $TMP_HTML
echo "</tr></thead><tbody><tr>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f1) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f2) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f3) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f4) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f5) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f7) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f6) "</td>" >> $TMP_HTML
echo "<td>" $(echo $LIGNE_SQL | cut -d',' -f8) "</td>" >> $TMP_HTML
echo "</tr></tbody></table></div>" >> $TMP_HTML
echo "<div class='container mySpace'> " >> $TMP_HTML
echo "<table class='table table-striped'>" >> $TMP_HTML
echo "<thead>" >> $TMP_HTML
echo "<tr>" >> $TMP_HTML
echo "<th>N°</th>" >> $TMP_HTML
echo "<th>@IP src</th>" >> $TMP_HTML
echo "<th>Port src</th>" >> $TMP_HTML
echo "<th>@IP dst</th>" >> $TMP_HTML
echo "<th>Port dst</th>" >> $TMP_HTML
echo "<th>Date</th>" >> $TMP_HTML
echo "</tr></thead><tbody>" >> $TMP_HTML
echo $DUMP >> $TMP_HTML
echo "</tbody></table></div>" >> $TMP_HTML
fi
done
echo "</font>" >> $TMP_HTML
echo "</body>" >> $TMP_HTML
echo "</HTML>" >> $TMP_HTML
 
# inform users about that by setting the Alcasar-Imputability-Warning attribute
QUERY="INSERT INTO radreply (username, attribute, value, op) SELECT ui.username, 'Alcasar-Imputability-Warning', '1' , '=' FROM userinfo ui LEFT JOIN radreply rr ON rr.username = ui.username AND rr.attribute = 'Alcasar-Imputability-Warning' WHERE rr.username IS NULL;"
mysql -u root -p"$DB_ROOT_PW" -D radius -e "$QUERY"
 
/usr/bin/wkhtmltopdf $TMP_HTML $TMP_PDF
 
 
/usr/bin/7za a -tzip -p"$1" -mem=AES256 $ARCHIVE_LOCATION $TMP_PDF
chown apache:apache $ARCHIVE_LOCATION
 
 
rm $TMP_HTML
rm $TMP_SQL
rm $TMP_PDF
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
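Review bot: The date bounds `$2` and `$3` are spliced straight into the SQL text at L7179 and L7185, and the statement runs as the database root user with `INTO OUTFILE`, so whoever can choose those arguments controls the query; the page does not show the caller, but the usage string suggests the ACC invokes this. Validate the format before building QUERY, e.g. `for d in "${@:2}"; do [[ "$d" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}\ [0-9]{2}:[0-9]{2}:[0-9]{2}$ ]] || { echo "$usage"; exit 1; }; done`. The fixed path `/tmp/log_sql.csv` (L7162) is a predictable name in a world-writable directory: the script removes it at L7204, but a file recreated by another local user between that `rm` and the `INTO OUTFILE` makes the export fail (MySQL refuses to overwrite an existing file) and every later step then works on missing data, so a root-only spool directory that mysqld can write to is the safer location. The archive password `$1` is also exposed on the 7za command line at L7298 while the archive is built.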
/scripts/alcasar-macup.sh
0,0 → 1,60
#!/bin/sh
#
# $Id$
#
# alcasar-macup.sh
#
# This script is distributed under the Gnu General Public License (GPL)
 
PASSWD_FILE="/root/ALCASAR-passwords.txt"
 
if [ -z "$CALLING_STATION_ID" ]; then
exit 1
fi
 
dbRootPass=$(grep ^db_root= $PASSWD_FILE | cut -d'=' -f2-)
 
chilli_query_res=$(chilli_query list mac $CALLING_STATION_ID)
[ -z "$chilli_query_res" ] && exit
 
is_connected=$(echo "$chilli_query_res" | awk '{ print $5 }')
current_mac=$CALLING_STATION_ID
 
if [ $is_connected == '0' ]; then
db_query="SELECT username, IFNULL((UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(acctstoptime)), 0) AS timeout, acctterminatecause FROM radacct WHERE callingstationid='$current_mac' ORDER BY acctstarttime DESC LIMIT 1;"
db_res=$(mysql -u root -p"$dbRootPass" -D radius -e "$db_query" -Bs)
 
if [ -n "$db_res" ]; then
username=$(echo "$db_res" | cut -f1)
timeout=$(echo "$db_res" | cut -f2)
acctterminatecause=$(echo "$db_res" | cut -f3)
 
if [ "$acctterminatecause" != "User-Request" ]; then
db_query_additionalGroups=''
[ -n "$FILTER_ID" ] && db_query_additionalGroups="( SELECT attribute, value FROM radgroupreply WHERE groupname = '$FILTER_ID' AND (attribute='Alcasar-Reconnect-Timeout') ) UNION "
db_query="SELECT attribute, value FROM ( \
( SELECT attribute, value FROM radreply WHERE username = '$USER_NAME' AND (attribute='Alcasar-Reconnect-Timeout') ) UNION \
( SELECT attribute, value FROM radgroupreply gr LEFT JOIN radusergroup ug ON gr.groupname = ug.groupname WHERE username = '$USER_NAME' AND (attribute='Alcasar-Reconnect-Timeout') ORDER BY ug.priority ) UNION \
$db_query_additionalGroups \
( SELECT attribute, value FROM radgroupreply WHERE groupname = 'default' AND (attribute='Alcasar-Reconnect-Timeout') ) \
) attrs GROUP BY attribute;"
db_res=$(mysql -u root -p"$dbRootPass" -D radius -e "$db_query" -Bs)
 
reconnectTimeout=$(echo "$db_res" | awk '$1 == "Alcasar-Reconnect-Timeout" { print $2 }')
 
if [ -n "$reconnectTimeout" ] && [ $timeout -le $reconnectTimeout ]; then
for i in {1..10}; do
sleep 1
chilli_query authorize mac $current_mac username "$username"
chilli_query_res=$(chilli_query list mac $current_mac)
isPassing=$(echo "$chilli_query_res" | awk '{ print $3 }')
is_connected=$(echo "$chilli_query_res" | awk '{ print $5 }')
if [ "$is_connected" == '1' ] && [ "$isPassing" == 'pass' ]; then
logger -t alcasar-macup "The MAC address \"$current_mac\" is reconnected with user \"$username\"."
break
fi
done
fi
fi
fi
fi
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
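Review bot: `$CALLING_STATION_ID`, `$USER_NAME` and `$FILTER_ID` come from the environment and are interpolated unescaped into the SQL at L7340, L7350 and L7352–L7353; if the captive-portal daemon exports them from the session (USER_NAME in particular looks like whatever the client typed at login), a value containing `'` rewrites a query executed as the database root user. Reject unexpected characters before the first query, e.g. `case $current_mac in *[!0-9A-Fa-f:-]*|'') exit 1;; esac` and `case "$USER_NAME$FILTER_ID" in *\'*|*\\*) exit 1;; esac`, or escape `'` as `''`. The file is `#!/bin/sh` (L7317) but uses `==` inside `[` (L7339, L7368) and `{1..10}` (L7362); on a POSIX sh such as dash the first is a syntax error and the loop runs once over the literal string, so either switch the shebang to bash or use `=` and `i=1; while [ $i -le 10 ]`. `$is_connected` is also unquoted at L7339, so an empty awk result would leave `[ == '0' ]`, although the guard at L7334 makes that unlikely.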
/scripts/alcasar-dhcp.sh
0,0 → 1,76
#!/bin/bash
# $Id$
 
# alcasar-dhcp.sh
 
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# active ou desactive le service DHCP sur le réseau de consultation
# enable or disable the DHCP service on consultation LAN
 
SED="/bin/sed -i"
CHILLI_CONF_FILE="/etc/chilli.conf"
ALCASAR_CONF_FILE="/usr/local/etc/alcasar.conf"
 
# define DHCP parameters (LAN side)
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $ALCASAR_CONF_FILE|cut -d"=" -f2`
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2`
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2`
PRIVATE_NETWORK_MASK="$PRIVATE_NETWORK/$PRIVATE_PREFIX" # ie.: 192.168.182.0/24
EXT_DHCP_IP=`grep ^EXT_DHCP_IP= $ALCASAR_CONF_FILE|cut -d"=" -f2` # Adresse du serveur DHCP externe
RELAY_DHCP_IP=`grep ^RELAY_DHCP_IP= $ALCASAR_CONF_FILE|cut -d"=" -f2` # Adresse de l'agent Relay : IP interne (défaut 192.168.182.1) dans le cas de DHCP dans le LAN de consultation
RELAY_DHCP_IP=${RELAY_DHCP_IP:=$PRIVATE_IP} # IP externe (défaut x.y.z.t) dans le cas de DHCP du côté WAN
RELAY_DHCP_PORT=`grep ^RELAY_DHCP_PORT= $ALCASAR_CONF_FILE|cut -d"=" -f2` # Port de redirection vers le relay DHCP : 67 par défaut
RELAY_DHCP_PORT=${RELAY_DHCP_PORT:=67}
 
usage="Usage: alcasar-dhcp.sh {--on | -on} | {--off | -off} "
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
echo "$usage"
exit 1
fi
case $args in
-\? | -h | --h)
echo "$usage"
exit 0
;;
--off|-off) # disable DHCP service
$SED "s?^DHCP=.*?DHCP=off?g" $ALCASAR_CONF_FILE
$SED "s?.*statip.*?statip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE
$SED "s?^#nodynip.*?nodynip?g" $CHILLI_CONF_FILE
$SED "s@^#\?dynip.*@#dynip@g" $CHILLI_CONF_FILE
if [ -n "$EXT_DHCP_IP" ] && [ "$EXT_DHCP_IP" != "none" ]
then
$SED "s?.*dhcpgateway\s.*?dhcpgateway\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?.*dhcprelayagent.*?dhcprelayagent\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?.*dhcpgatewayport.*?dhcpgatewayport\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
else
$SED "s?.*dhcpgateway\s.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?.*dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?.*dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
fi
/usr/bin/systemctl restart chilli
;;
--on|-on) # enable DHCP service on all range of IP addresses
$SED "s?^DHCP=.*?DHCP=on?g" $ALCASAR_CONF_FILE
$SED "s?^RELAY_DHCP_IP=.*?RELAY_DHCP_IP=$RELAY_DHCP_IP?g" $ALCASAR_CONF_FILE
$SED "s?^RELAY_DHCP_PORT=.*?RELAY_DHCP_PORT=$RELAY_DHCP_PORT?g" $ALCASAR_CONF_FILE
$SED "s?^.*statip.*?#statip?g" $CHILLI_CONF_FILE
$SED "s?^nodynip.*?#nodynip?g" $CHILLI_CONF_FILE
$SED "s@^#\?dynip.*@dynip\t\t$PRIVATE_NETWORK_MASK@g" $CHILLI_CONF_FILE
$SED "s?^dhcpgateway\s.*?#dhcpgateway\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
/usr/bin/systemctl restart chilli
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
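Review bot: `$EXT_DHCP_IP`, `$RELAY_DHCP_IP` and `$RELAY_DHCP_PORT`, read from alcasar.conf at L7411–L7415, are written into chilli.conf through sed with `?` as the delimiter (L7437–L7443, L7454–L7456) without any validation, so a value containing `?` or `&` silently corrupts the dhcpgateway/dhcprelayagent lines instead of failing. alcasar-ldap.sh in this same commit already checks its server value against a dotted-quad regex in `add_ldap_server_to_static_dhcp`, and the same check fits here before the `case`: `[[ -z "$EXT_DHCP_IP" || "$EXT_DHCP_IP" == "none" || "$EXT_DHCP_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "invalid EXT_DHCP_IP" >&2; exit 1; }` and `[[ "$RELAY_DHCP_PORT" =~ ^[0-9]{1,5}$ ]] || { echo "invalid RELAY_DHCP_PORT" >&2; exit 1; }`. Minor style: the backtick substitutions at L7405–L7414 and the unquoted `$args`/`$nb_args` tests are the older idiom; `$(...)` and quoted expansions match alcasar-ldap.sh in this commit.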
/scripts/alcasar-bypass.sh
0,0 → 1,62
#!/bin/bash
# $Id$
 
# alcasar-bypass.sh
# by 3abtux and Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# activation / désactivation du contournement de l'authentification et du filtrage WEB
# enable / disable the bypass of authentication process and WEB filtering
 
usage="Usage: alcasar-bypass.sh {--on or -on } | {--off or -off}"
CONF_FILE="/usr/local/etc/alcasar.conf"
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
 
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
--on | -on)
/usr/local/bin/alcasar-logout.sh all
/usr/bin/systemctl stop chilli
cp -f /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF
ifup $INTIF
sh /usr/local/bin/alcasar-iptables-bypass.sh
DHCP=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
if [ $DHCP != off ]
then
/usr/bin/systemctl start dhcpd
fi
 
rm -f /etc/cron.d/alcasar-daemon-watchdog # don't restart daemons (specially coova)
echo "ALCASAR est en mode 'bypass'"
echo "ALCASAR is in 'bypass' mode"
;;
--off | -off)
cp -f /etc/sysconfig/network-scripts/default-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF
ifup $INTIF
/usr/bin/systemctl stop dhcpd
/usr/bin/systemctl start chilli
sh /usr/local/bin/alcasar-iptables.sh
# activation of the "daemon-watchdog" every 18'
cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
*/18 * * * * root /usr/local/bin/alcasar-daemon.sh > /dev/null 2>&1
EOF
echo "L'authentification et le filtrage sont actifs"
echo "Authentication and filtering system are enabled"
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
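Review bot: `if [ $DHCP != off ]` at L7510 is unquoted, so when no `DHCP=` line exists in alcasar.conf the test becomes `[ != off ]`, `[` prints a syntax error and, with no `set -e`, the branch is silently skipped; write it `if [ "$DHCP" != "off" ]`. This mode disables authentication and web filtering and removes the daemon watchdog (L7515), yet nothing is written to syslog when it is entered or left, so the switch never appears in the logs an auditor reviews — alcasar-macup.sh in this commit already uses `logger -t`, and `logger -t alcasar-bypass "bypass mode enabled by $(id -un)"` next to L7516 with a matching "disabled" line next to L7530 would cover it. `sh /usr/local/bin/alcasar-iptables-bypass.sh` (L7508) and `sh /usr/local/bin/alcasar-iptables.sh` (L7524) run the targets under `sh` rather than their own shebang; if those scripts use bash syntax this breaks on a POSIX `/bin/sh`, so invoking them directly is safer.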
/scripts/alcasar-file-clean.sh
0,0 → 1,31
#!/bin/bash
 
# alcasar-file-clean.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# clean alcasar conf files (remove empty lines, sort and control)
# nettoie les fichiers de conf d'alcasar (suppression des lignes vides, tri et contrôle)
 
SED="/bin/sed -i"
DIR_CONF="/usr/local/etc"
ALCASAR_SERVICES="$DIR_CONF/alcasar-services"
ALCASAR_IP_BLOCKED="$DIR_CONF/alcasar-ip-blocked"
ALCASAR_UAMDOMAIN="$DIR_CONF/alcasar-uamdomain"
ALCASAR_UAMALLOWED="$DIR_CONF/alcasar-uamallowed"
ALCASAR_CONF="$DIR_CONF/alcasar.conf"
 
# sort file content
for file in $ALCASAR_SERVICES $ALCASAR_IP_BLOCKED $ALCASAR_UAMDOMAIN $ALCASAR_UAMALLOWED
do
sort -k2n $file > /tmp/alcasar-tmp-sort
mv -f /tmp/alcasar-tmp-sort $file
done
 
# remove empty lines and put rights
for file in $ALCASAR_SERVICES $ALCASAR_IP_BLOCKED $ALCASAR_CONF $ALCASAR_UAMDOMAIN $ALCASAR_UAMALLOWED
do
$SED "/^$/d" $file
chown root:apache $file
chmod 660 $file
done
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
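Review bot: The sort at L7571 writes to the fixed path `/tmp/alcasar-tmp-sort` and then `mv -f`s it over a file in `/usr/local/etc` (L7572); a fixed name in a world-writable directory is the classic pre-creation/symlink hazard for a root script, and it also means two concurrent runs clobber each other's output. GNU sort can rewrite the file in place, which removes the temporary file altogether: `sort -k2n -o "$file" -- "$file"` replacing both lines. `$file` is unquoted throughout both loops; harmless for these fixed paths, but quoting it (`"$file"`) costs nothing and keeps ShellCheck quiet.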
/scripts/alcasar-url_filter_wl.sh
0,0 → 1,103
#!/bin/bash
 
# Id: $Id$
 
# alcasar-url_filter.sh
# by REXY
# This script is distributed under the Gnu General Public License (GPL)
 
# Active / désactive : safesearch des moteurs de recherche
# Enable / disable : search engines safesearch
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine
# Enable / disable : filter of urls containing ip address instead of domain name
 
CONF_FILE="/usr/local/etc/alcasar.conf"
UNBOUND_WL_DOMAIN_FILTER_CONF="/etc/unbound/conf.d/whitelist/domainfilter.conf"
IP_WL="/usr/local/share/iptables-wl-enabled/ossi-ip-safesearch"
SED="/bin/sed -i"
safesearch="Off"
usage="Usage: alcasar-url_filter_wl.sh { -safesearch_on or -safesearch_off }"
 
nb_args=$#
 
googledomains="google.com. google.ad. google.ae. google.com.af. google.com.ag. google.com.ai. google.al. google.am. google.co.ao. google.com.ar. google.as. google.at. google.com.au. google.az. google.ba. google.com.bd. google.be. google.bf. google.bg. google.com.bh. google.bi. google.bj. google.com.bn. google.com.bo. google.com.br. google.bs. google.bt. google.co.bw. google.by. google.com.bz. google.ca. google.cd. google.cf. google.cg. google.ch. google.ci. google.co.ck. google.cl. google.cm. google.cn. google.com.co. google.co.cr. google.com.cu. google.cv. google.com.cy. google.cz. google.de. google.dj. google.dk. google.dm. google.com.do. google.dz. google.com.ec. google.ee. google.com.eg. google.es. google.com.et. google.fi. google.com.fj. google.fm. google.fr. google.ga. google.ge. google.gg. google.com.gh. google.com.gi. google.gl. google.gm. google.gp. google.gr. google.com.gt. google.gy. google.com.hk. google.hn. google.hr. google.ht. google.hu. google.co.id. google.ie. google.co.il. google.im. google.co.in. google.iq. google.is. google.it. google.je. google.com.jm. google.jo. google.co.jp. google.co.ke. google.com.kh. google.ki. google.kg. google.co.kr. google.com.kw. google.kz. google.la. google.com.lb. google.li. google.lk. google.co.ls. google.lt. google.lu. google.lv. google.com.ly. google.co.ma. google.md. google.me. google.mg. google.mk. google.ml. google.com.mm. google.mn. google.ms. google.com.mt. google.mu. google.mv. google.mw. google.com.mx. google.com.my. google.co.mz. google.com.na. google.com.nf. google.com.ng. google.com.ni. google.ne. google.nl. google.no. google.com.np. google.nr. google.nu. google.co.nz. google.com.om. google.com.pa. google.com.pe. google.com.pg. google.com.ph. google.com.pk. google.pl. google.pn. google.com.pr. google.ps. google.pt. google.com.py. google.com.qa. google.ro. google.ru. google.rw. google.com.sa. google.com.sb. google.sc. google.se. google.com.sg. google.sh. google.si. google.sk. google.com.sl. google.sn. 
google.so. google.sm. google.sr. google.st. google.com.sv. google.td. google.tg. google.co.th. google.com.tj. google.tk. google.tl. google.tm. google.tn. google.to. google.com.tr. google.tt. google.com.tw. google.co.tz. google.com.ua. google.co.ug. google.co.uk. google.com.uy. google.co.uz. google.com.vc. google.co.ve. google.vg. google.co.vi. google.com.vn. google.vu. google.ws. google.rs. google.co.za. google.co.zm. google.co.zw. google.cat."
 
youtubedomains="www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com"
 
if [ $nb_args -le 0 ]
then
echo "$usage"
exit 1
fi
 
while [ $nb_args -ge 1 ]
do
arg=${!nb_args}
case $arg in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Safe search activation
-safesearch_on | --safesearch_on)
safesearch="On"
;;
# Safe search desactivation
-safesearch_off | --safesearch_off)
safesearch="Off"
;;
*)
echo "Argument inconnu : $arg";
echo "$usage"
exit 1
;;
esac
nb_args=$(expr $nb_args - 1)
done
 
if [ $safesearch == "On" ]
then
[ -e $IP_WL ] && rm -f $IP_WL
 
# add 'SafeSearch' redirection for google searching
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip
 
# config file header
echo "server:" > $UNBOUND_WL_DOMAIN_FILTER_CONF
 
for domain in $googledomains
do
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $google_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
done
echo "add wl_ip_allowed $google_safe_server" >> $IP_WL
 
# add 'SafeSearch' redirection for youtube searching
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip
for domain in $youtubedomains
do
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $youtube_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
done
echo "add wl_ip_allowed $youtube_safe_server" >> $IP_WL
 
# add 'SafeSearch' redirection for bing searching
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip
echo -e "\tlocal-zone: \"www.bing.com\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"www.bing.com A $bing_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo "add wl_ip_allowed $bing_safe_server" >> $IP_WL
 
# add 'SafeSearch' redirection for qwant searching
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip
echo -e "\tlocal-zone: \"api.qwant.com\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"api.qwant.com A $qwant_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo "add wl_ip_allowed $qwant_safe_server" >> $IP_WL
 
$SED 's/^WL_SAFESEARCH=.*/WL_SAFESEARCH=on/g' $CONF_FILE
else
[ -e $UNBOUND_WL_DOMAIN_FILTER_CONF ] && rm -f $UNBOUND_WL_DOMAIN_FILTER_CONF
[ -e $IP_WL ] && rm -f $IP_WL
 
$SED 's/^WL_SAFESEARCH=.*/WL_SAFESEARCH=off/g' $CONF_FILE
fi
systemctl restart unbound-whitelist
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id
\ No newline at end of property
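Review bot: The four `host -ta … | grep "address" | cut -d" " -f4` lookups at L7657, L7670, L7679 and L7685 are never checked; if a lookup fails or the resolver is unreachable the variable is empty and the script still writes `local-data: "google.com. A "` (L7665) and `add wl_ip_allowed ` (L7667) lines, leaving unbound-whitelist with an unparsable config at the `systemctl restart` on L7697. If `host` returns several A records the value is multi-line and the same breakage follows. Validate each address before use, e.g. a helper `safe_ip() { host -ta "$1" | awk '/has address/ {print $4; exit}'; }` plus `[[ "$google_safe_server" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "lookup of forcesafesearch.google.com failed" >&2; exit 1; }` after each assignment. Since these answers come from DNS at run time and are then pinned into the redirect zones and the ipset whitelist until the next run, logging the resolved addresses with `logger -t alcasar-url_filter` gives something to check against later.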
/scripts/alcasar-profil.sh
0,0 → 1,245
#!/bin/bash
# $Id$
 
# alcasar-profil.sh
# by Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 
# Gestion des comptes liés aux profiles
# Manage the profil logins
 
DIR_BIN="/usr/local/bin" # scripts directory
ADM_PROFIL="admin"
PROFILS="backup manager"
ALL_PROFILS=`echo $ADM_PROFIL $PROFILS`
DIR_KEY="/usr/local/etc/digest"
SED="/bin/sed -i"
Lang=`echo $LANG|cut -c 1-2`
REALM="ALCASAR Control Center (ACC)"
 
# génère le htdigest
function htdigest () {
passwdfile="$1"
username="$2"
 
[ -f "$passwdfile" ] || touch "$passwdfile"
 
grep -q "${username}:${REALM}:" "$passwdfile" && existing_user=1 || existing_user=0
 
if [ $existing_user -eq 1 ]; then
echo "Changing password for user $username in realm $REALM"
else
echo "Adding user $username in realm $REALM"
fi
 
equal=0
while [ $equal -eq 0 ]; do
echo -n "New password: "
read -s pass_1
echo
echo -n "Confirm the new password: "
read -s pass_2
echo
 
if [ -n "$pass_1" ] && [ "$pass_1" != "$pass_2" ]; then
echo -e "\nThe passwords don't match.\n"
else
equal=1
fi
done
 
digest="${username}:${REALM}:"
digest+=$(echo -n "${username}:${REALM}:${pass_1}" | md5sum | cut -d" " -f1)
 
if [ $existing_user -eq 0 ]; then
echo "$digest" >> "$passwdfile"
else
sed -i "s/${username}:${REALM}:.*/${digest}/" "$passwdfile"
fi
}
 
# liste les comptes de chaque profile
function list () {
for i in $ALL_PROFILS
do
if [ $Lang == "fr" ]
then
echo -n "Comptes liés au profil '$i' : "
 
else
echo -n "accounts linked with profile '$i' : "
fi
account_list=`cat $DIR_KEY/key_only_$i | cut -d':' -f1|sort`
for account in $account_list
do
echo -n "$account "
done
echo
done
}
# ajoute les comptes du profil "admin" aux autres profils
# crée le fichier de clés contenant tous les compte (pour l'accès au centre de gestion)
function concat () {
> $DIR_KEY/key_all
for i in $PROFILS
do
cp -f $DIR_KEY/key_only_$ADM_PROFIL $DIR_KEY/key_$i
cat $DIR_KEY/key_only_$i >> $DIR_KEY/key_$i
cat $DIR_KEY/key_only_$i >> $DIR_KEY/key_all
done
cp -f $DIR_KEY/key_only_$ADM_PROFIL $DIR_KEY/key_$ADM_PROFIL
cat $DIR_KEY/key_only_$ADM_PROFIL >> $DIR_KEY/key_all
chown -R root:apache $DIR_KEY
chmod 640 $DIR_KEY/key_*
}
 
usage="Usage: alcasar-profil.sh [-l|--list] [-a|--add [profil]] [-d|--del] [-p|--pass]"
nb_args=$#
arg1=$1
arg2=$2
 
# on met en place la structure minimale
if [ ! -e $DIR_KEY/key_$ADM_PROFIL ]
then
touch $DIR_KEY/key_$ADM_PROFIL
fi
cp -f $DIR_KEY/key_$ADM_PROFIL $DIR_KEY/key_only_$ADM_PROFIL
for i in $PROFILS
do
if [ ! -e $DIR_KEY/key_only_$i ]
then
touch $DIR_KEY/key_only_$i
fi
done
concat
if [ $nb_args -eq 0 ]
then
echo $usage
exit 0
fi
case $arg1 in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
--add|-a)
if [ $nb_args -eq 1 ]
then
# ajout d'un compte
list
if [ $Lang == "fr" ]
then
echo -n "Choisissez un profil ($ALL_PROFILS) : "
else
echo -n "Select a profile ($ALL_PROFILS) : "
fi
profil=''
while [ -z "$profil" ]; do
read profil
done
else
profil="$2"
fi
 
if ! echo $ALL_PROFILS | grep -qw $profil
then
if [ $Lang == "fr" ]
then
echo "Le profil indiqué n'existe pas"
else
echo "The given profile doesn't exist"
fi
exit 1
fi
 
if [ $Lang == "fr" ]
then
echo -n "Entrez le nom du compte à créer (profil '$profil') : "
else
echo "Enter the name of the account to create (profile '$profil') : "
fi
account=''
while [ -z "$account" ]; do
read account
done
# TODO : add check
# on teste s'il n'existe pas déjà
for i in $ALL_PROFILS
do
tmp_account=`cat $DIR_KEY/key_only_$i | cut -d':' -f1`
for j in $tmp_account
do
if [ "$j" = "$account" ]
then if [ $Lang == "fr" ]
then
echo "Ce compte existe déjà"
else
echo "This account already exists"
fi
exit 1
fi
done
done
htdigest $DIR_KEY/key_only_$profil "$account"
concat
list
;;
--del|-d)
# suppression d'un compte
list
if [ $Lang == "fr" ]
then
echo -n "entrez le nom du compte à supprimer : "
else
echo -n "enter the name of the account to remove : "
fi
account=''
while [ -z "$account" ]; do
read account
done
for i in $ALL_PROFILS; do
$SED "/^$account:/d" $DIR_KEY/key_only_$i
done
concat
list
;;
--pass|-p)
# changement du mot de passe d'un compte
list
if [ $Lang == "fr" ]
then
echo "Changement de mot de passe"
echo -n "Entrez le nom du compte : "
else
echo "Password change"
echo -n "Enter the name of the account : "
fi
read account
for i in $ALL_PROFILS
do
tmp_account=`cat $DIR_KEY/key_only_$i | cut -d':' -f1`
for j in $tmp_account
do
if [ "$j" = "$account" ]
then
htdigest $DIR_KEY/key_only_$i "$account"
fi
done
done
concat
;;
--list|-l)
# liste des comptes par profil
list
;;
*)
if [ $Lang == "fr" ]
then
echo "Argument inconnu :$1";
else
echo "Unknown argument : $i";
fi
echo "$usage"
exit 1
;;
esac
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
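Review bot: The password loop in htdigest accepts an empty password: the mismatch test `if [ -n "$pass_1" ] && [ "$pass_1" != "$pass_2" ]` sets equal=1 whenever pass_1 is empty, whatever pass_2 holds, so an ACC account can be created with an empty password; the condition should be `if [ -z "$pass_1" ] || [ "$pass_1" != "$pass_2" ]; then`. The account name read from stdin is also spliced unescaped into sed expressions (`sed -i "s/${username}:${REALM}:.*/${digest}/"` in htdigest and `$SED "/^$account:/d"` in the `--del` branch), so a name containing `/` or a regex metacharacter corrupts the key files; validate it once after each `read` with `[[ "$account" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1`, and anchor the existence test as `grep -q "^${username}:${REALM}:"` so one account name cannot match the tail of another. In the `*)` branch the English message prints `$i` where the French one prints `$1`. The `read` calls should be `read -r` so backslashes in names are taken literally.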
/scripts/alcasar-watchdog-hl.sh
0,0 → 1,29
#!/bin/bash
# $Id: alcasar-watchdog-hl/sh 2113 2017-01-08 22:43:26Z richard $
 
# alcasar-watchdog-hl.sh
# by 3abtux
# This script is distributed under the Gnu General Public License (GPL)
# - Ce script déconnecte les équipements réseau qui sont identifiés en 0.0.0.0 (lancé optionnellement par cron dans /etc/cron.d/alcasar-watchdog)
# - This script disconnects the network equipments which are identified in 0.0.0.0 (optionally run by cron in /etc/cron.d/alcasar-watchdog)
 
OLDIFS=$IFS
IFS=$'\n'
 
usage="Usage: alcasar-watchdog-hl.sh "
case $1 in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
*)
# searching for 0.0.0.0 IP
for system in `/usr/sbin/chilli_query list |grep "0\.0\.0\.0 dnat"`
do
active_mac=`echo $system | cut -d" " -f1`
echo "$(date "+[%x-%X] : ")alcasar-watchdog-hl : $active_mac has 0.0.0.0 IP address. Alcasar release the equipment." >> /var/Save/security/watchdog-hl.log
/usr/sbin/chilli_query dhcp-release $active_mac
done
;;
esac
IFS=$OLDIFS
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
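Review bot: The entry appended to /var/Save/security/watchdog-hl.log uses `date "+[%x-%X] : "`, and `%x`/`%X` depend on the locale of whatever started the script, so cron runs and interactive runs produce differently formatted timestamps that are hard to correlate with other logs; an unambiguous stamp such as `date "+[%F %T] : "` avoids that. The result of `/usr/sbin/chilli_query dhcp-release $active_mac` is never checked, so a failed release is logged as if the equipment had been released; write the log line after the call, e.g. `if /usr/sbin/chilli_query dhcp-release "$active_mac"; then ...released...; else ...release failed...; fi`, so the log reflects what happened.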
/scripts/alcasar-archive.sh
0,0 → 1,142
#!/bin/bash
# $Id$
 
# alcasar-archive.sh
# by Franck BOUIJOUX and REXY
# This script is distributed under the Gnu General Public License (GPL)
 
# Script permettant
# - d'exporter dans un seul fichier les logs de traçabilités et la base des usagers (à des fins d'archivages).
# - Une fonction de chiffrement des logs a été implémentée dans ce script. Lisez la documentation d'exploitation pour l'activer.
# - nettoyage des archives supérieures à 1 an (365 jours)
 
# This script allows
# - export in one file the log files and user's base (in order to archive them).
# - a cypher fonction allows to protect these files. Read the exploitation documentation to enable it.
# - delete backup files older than one year (365 days)
 
DIR_SAVE="/var/Save" # répertoire accessible par webs
DIR_LOG="/var/log" # répertoire local des log
 
#DIR_SERVICE="squid lighttpd firewall" # répertoires contenant des logs utiles à exporter
DIR_BASE="$DIR_SAVE/base" # répertoire de sauvegarde de la base de données usagers
DIR_ARCHIVE="$DIR_SAVE/archive" # répertoire de sauvegarde des archives de log
NOW="$(date +%G%m%d-%Hh%M)" # date et heure du moment
DIR_TMP="/tmp/traceability-$NOW" # Répertoire temporaire d'export
FILE="traceability-$NOW.tar.gz" # Nom du fichier de l'archive
EXPIRE_DAY=365 # Nbre de jour avant suppression des fichiers journaux
CRYPT="0" # chiffrement des logs ( 0=non / 1=oui) --> Si oui alors la signature est automatiquement activée
# log files encryption ( 0=no / 1=yes) --> if yes, the signature is automaticly enabled
SIGN="0" # Signature/empreinte des logs ( 0=non / 1=oui ) ATTENTION : nécessite la clé privée !!!
# Signature of log files ( 0=no / 1=yes ) ATTENTION : need the private key !!!
GPG_USER="" # utilisateur autorisé à déchiffrer les logs. Sa clé publique doit être connu dans le portefeuille gnupg de root (/root/.gnupg)
# user allowed to decrypt the log files. Its public key must be known in the root keyring (/root/.gnupg)
 
usage="Usage: alcasar-archive.sh {--live or -l} | {--now or -n} | {--clean or -c}"
 
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
 
 
function cleanup() {
# Nettoyage des fichiers archives
cd $DIR_SAVE
find . \( -mtime +$EXPIRE_DAY \) -a \( -name '*.gz' -o -name '*.sql' -o -name '' -o -name 'gpg' \) -exec rm -f {} \;
} # end function cleanup
 
 
function crypt() {
# Chiffrement des logs dans /var/Save/
find . \( -mtime -7 -o -ctime 0 \) -a \( -name '*log-*.gz' \) -exec gpg --output $DIR_ARCHIVE/$file/{}.gpg --encrypt --recipient $GPG_USER {} \;
} # end function crypt
 
function archive() {
mkdir -p $DIR_ARCHIVE
mkdir -p $DIR_TMP
nb_files=`ls $DIR_LOG/firewall/traceability.log*.gz 2>/dev/null | wc -w`
if [ $nb_files -ne 0 ]; then
mv $(echo $(ls -rt $DIR_LOG/firewall/traceability.log*.gz | tail -n 1 -)) $DIR_TMP/traceability-HTTP-$NOW.gz
fi
nb_files=`ls $DIR_BASE/alcasar-users-database-*.sql.gz 2>/dev/null | wc -w`
if [ $nb_files -ne 0 ]; then
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) $DIR_TMP/
fi
cd /var/log/nfsen/profiles-data/live/alcasar_netflow
nb_files=`find . -mtime -7 -name 'nfcapd.[0-9]*' | wc -l`
if [ $nb_files -ne 0 ]; then
find . -mtime -7 -name 'nfcapd.[0-9]*' | xargs tar -cf $DIR_TMP/traceability-ALL-$NOW.tar;
fi
cd /tmp/
nb_files=`ls traceability-$NOW/* 2>/dev/null | wc -w`
if [ $nb_files -ne 0 ]; then
tar cvzf /tmp/$FILE traceability-$NOW/*
else echo "no file to archive"
fi
} # end archive
 
# Core script
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
--clean | -c)
# Cleanup of files older than 365 days
cleanup
;;
--now | -n)
# Cleanup of files older than 365 days
cleanup
# make an archive
archive
# Saving of the database
/usr/local/bin/alcasar-mysql.sh --dump
# Encryption of the archive
if [ -e /tmp/$FILE ]; then
if [ $CRYPT -eq "1" ]; then
{
# 1 ) chiffrement/signature =1 ==> gpg --encrypt avec test de la clé présente
gpg --output $DIR_ARCHIVE/$FILE-crypt.gpg --armor --encrypt --recipient $GPG_USER /tmp/$FILE
}
elif [ $SIGN -eq "1" ]; then
{
# 2) signature = 1 Chiffrement = 0 --> gpg --encrypt idem test de la clé présente
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER /tmp/$FILE
gpg --output $DIR_ARCHIVE/$FILE-sign.gpg --sign --recipient $GPG_USER --detach-sign /tmp/$FILE
}
else
{
# 3) chiffrement/signature = 0 --> cp simple avec suppression des droits d'écriture
cp /tmp/$FILE $DIR_ARCHIVE/.
}
fi
fi
rm -rf /tmp/traceability-*
chown root:apache $DIR_ARCHIVE/*
;;
--live | -l)
mkdir -p $DIR_ARCHIVE
mkdir -p /tmp/live
gap=7
cd /var/log/nfsen/profiles-data/live/alcasar_netflow
find . -mtime -$gap -name 'nfcapd.[0-9]*' | xargs tar -cf /tmp/live/traceability-ALL-$NOW.tar;
# Saving of the database
/usr/local/bin/alcasar-mysql.sh --dump
mv $(echo $(ls -rt $DIR_BASE/alcasar-users-database-*.sql.gz | tail -n 1 -)) /tmp/live/
cp /var/log/firewall/traceability.log /tmp/live/traceability-HTTP-$NOW.log
tar -czf $DIR_ARCHIVE/traceability-$NOW.tar.gz /tmp/live/*
rm -rf /tmp/live
;;
*)
echo "Unknown argument :$1";
echo "$usage"
exit 1
;;
esac
exit 0
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
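Review bot: In the `--now` branch a failed `gpg --encrypt` (for example with the default empty GPG_USER) leaves nothing in $DIR_ARCHIVE, yet `rm -rf /tmp/traceability-*` then runs unconditionally and discards the traceability log that `archive` had already moved out of $DIR_LOG, so the evidence is lost rather than kept for a retry; check the status first, e.g. `gpg ... /tmp/$FILE || { echo "encryption failed, archive left in /tmp/$FILE" >&2; exit 1; }`. In `cleanup`, `-name ''` matches nothing and `-name 'gpg'` only matches a file literally named gpg, so encrypted archives are never expired; it should be `-name '*.gpg'`, and `cd $DIR_SAVE` needs `|| exit 1`, otherwise the following `find . ... -exec rm -f` runs in whatever the current directory happens to be. DIR_TMP is a predictable name under /tmp created with `mkdir -p`; `mktemp -d` plus a `trap` for removal is the usual safer shape and would also replace the broad `rm -rf /tmp/traceability-*`. The unused `crypt` function references an undefined `$file` and should be fixed or dropped.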
/scripts/alcasar-version.sh
0,0 → 1,58
#!/bin/bash
# $Id$
 
# alcasar-version-list.sh
# by Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 
# récupère les versions d'ALCASAR (stable et développement)
# download the ALCASAR versions (stable / dev)
 
SITE_VERSION="version.alcasar.net"
MAJ="False"
DNS_VERSION_L=`dig $SITE_VERSION txt | grep ^$SITE_VERSION | cut -d"\"" -f2`
DNS_VERSION=`echo $DNS_VERSION_L|cut -d" " -f1`
MAJ_DNS_VERSION=`echo $DNS_VERSION|cut -d"." -f1`
MIN_DNS_VERSION=`echo $DNS_VERSION|cut -d"." -f2`
UPD_DNS_VERSION=`echo $DNS_VERSION|cut -d"." -f3`
RUNNING_VERSION=`grep ^VERSION= /usr/local/etc/alcasar.conf|cut -d'=' -f2`
MAJ_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f1`
MIN_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f2|cut -c1`
UPD_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f3`
 
#compare major number
if [ $MAJ_RUNNING_VERSION -lt $MAJ_DNS_VERSION ]
then
MAJ="True"
fi
#compare minor number
if [ $MAJ_RUNNING_VERSION -eq $MAJ_DNS_VERSION ]
then
if [ $MIN_RUNNING_VERSION -lt $MIN_DNS_VERSION ]
then
MAJ="True"
fi
#compare update number
if [ $MIN_DNS_VERSION -eq $MIN_RUNNING_VERSION ]
then
if [ -n "$UPD_DNS_VERSION" ]
then
if [ -z "$UPD_RUNNING_VERSION" ]
then
MAJ="True"
else
if [ $UPD_RUNNING_VERSION -lt $UPD_DNS_VERSION ]
then
MAJ="True"
fi
fi
fi
fi
fi
 
if [ $MAJ = "True" ]
then
echo "An updated version is available ($DNS_VERSION)"
else
echo "The Running version ($RUNNING_VERSION) is up to date"
fi
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
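Review bot: `MIN_RUNNING_VERSION` is truncated with `cut -c1`, so a running minor version of 10 or more compares as 1 and the script reports a spurious update or misses one; drop the `|cut -c1`. The version string is taken from a DNS TXT answer and fed straight into `[ ... -lt ... ]` with no validation, so an empty or non-numeric answer (lookup failure, unexpected record) produces `[: integer expression expected` errors instead of a clear result; check it once after the lookup with `[[ "$DNS_VERSION" =~ ^[0-9]+\.[0-9]+(\.[0-9]+)?$ ]] || { echo "cannot read a version from $SITE_VERSION" >&2; exit 1; }`. Since the answer is not authenticated by this script, the header comment should say the result is informational only, which matches what the script does (it only prints a message). The header also names the file `alcasar-version-list.sh` while the file is alcasar-version.sh.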
/scripts/alcasar-logout.sh
0,0 → 1,55
#!/bin/bash
# $Id$
 
# alcasar-logout.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# Déconnexion d'un ou de tous les usagers
# Logout one user (or all users)
 
PASSWD_FILE="/root/ALCASAR-passwords.txt"
RADIUS_SECRET=$(grep '^secret_radius=' $PASSWD_FILE | cut -d'=' -f 2-)
OLDIFS=$IFS
IFS=$'\n'
 
usage="Usage: alcasar-logout.sh {user_name} | {all}"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
nb_args=1
args="-h"
fi
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
all)
# Compute each equipments known by chilli
for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
do
logout_users=""
active_session=`echo $system |cut -d" " -f5`
active_user=`echo $system|cut -d" " -f6`
active_mac=`echo $system | cut -d" " -f1`
# Logout only authenticated users
if [[ $(expr $active_session) -eq 1 ]]
then
# Don't logout MAC authenticated
if [ "$active_mac" != "$active_user" ]
then
logout_users=$logout_users" $active_user"
/usr/sbin/chilli_query logout $active_mac
fi
fi
done
echo "All users are now logout : ($logout_users)"
;;
*)
echo "User-Name = $args" | /usr/bin/radclient 127.0.0.1:3799 40 $RADIUS_SECRET
;;
esac
IFS=$OLDIFS
 
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property
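Review bot: The RADIUS shared secret read from $PASSWD_FILE is passed on the command line in `/usr/bin/radclient 127.0.0.1:3799 40 $RADIUS_SECRET`, where it is visible to every local user in the process list and in any `set -x` trace; radclient accepts `-S <file>` to read the secret from a file, so point it at a mode-0600 file holding just the secret instead. The user name from argv is interpolated unquoted into the attribute line `User-Name = $args`; writing it as `User-Name = \"$args\"` keeps a name with spaces or special characters as a single value. `[[ $(expr $active_session) -eq 1 ]]` can simply be `[[ "$active_session" -eq 1 ]]`.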
/scripts/alcasar-ticket-clean.sh
0,0 → 1,14
#!/bin/bash
 
# alcasar-ticket-clean.sh
# by Franck BOUIJOUX & Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# nettoyage des fichiers de mots de passe générés après l'import d'une liste de noms.
# nettoyage des ticket PDF généré lors de la création d'usager
# delete password files generated during the importation of a list of names
# delete PDF ticket generated when creating new account
 
find /tmp -name '*.pwd' -exec rm -f {} \;
find /var/www/html/acc/manager/htdocs -name '*.pdf' -exec rm -f {} \;
exit 0
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
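Review bot: Both `find` calls spawn one `rm` per match with `-exec rm -f {} \;`; `find ... -type f -delete` is the simpler form and additionally restricts the removal to regular files, which is what these password files and PDF tickets are. Searching the whole of /tmp for `*.pwd` also removes any file with that suffix left there by other users or tools; if the import routine writes into a known subdirectory, narrow the search to that directory.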
/scripts/alcasar-clean_radacct
0,0 → 1,52
#!/usr/bin/perl
#
# Clean stale open sessions from the radacct table.
# we only clean up sessions which are older than $back_days
# Works with mysql and postgresql
#
use POSIX;
use File::Temp qw(tempfile tempdir);
 
$conf=shift||'/etc/freeradius-web/admin.conf';
$back_days = 30;
 
 
open CONF, "<$conf"
or die "Could not open configuration file\n";
while(<CONF>){
chomp;
($key,$val)=(split /:\s*/,$_);
$sql_type = $val if ($key eq 'sql_type');
$sql_server = $val if ($key eq 'sql_server');
$sql_username = $val if ($key eq 'sql_username');
$sql_password = $val if ($key eq 'sql_password');
$sql_database = $val if ($key eq 'sql_database');
$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
$sqlcmd = $val if ($key eq 'sql_command');
}
close CONF;
 
die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
die "sql command '$sqlcmd' not found or does not seem to be executable\n" if (! -x $sqlcmd);
 
if ($sql_type eq 'mysql'){
$sql_password = (!$sql_password) ? '' : "-p$sql_password";
}
$sql_password =~ s/(\W)/\\$1/g;
 
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
$date = POSIX::strftime("%Y-%m-%d %T",$sec,$min,$hour,($mday - $back_days),$mon,$year,$wday,$yday,$isdst);
print "$date\n";
if (POSIX::strftime("%Y-%m-%d %T",localtime) eq $date){
die "Could not set correct back date.\n";
}
 
$query = "DELETE FROM $sql_accounting_table WHERE AcctStopTime IS NULL AND AcctStartTime < '$date';";
print "$query\n";
my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
print $fh $query;
close $fh;
$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
`$command`;
Property changes:
Added: svn:executable
+*
\ No newline at end of property
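Review bot: The database password is turned into a `-p$sql_password` argument and interpolated into the backtick command, so it is exposed on the mysql command line to every local user via the process list; pass it through a `--defaults-extra-file=` pointing at a mode-0600 temporary file (or via `MYSQL_PWD` in the environment) instead. The final `` `$command` `` never checks the exit status, and `$command` stays undefined for an unknown sql_type so an empty command runs silently; use `system($command) == 0 or die "sql command failed: $?\n"` and `die` when no branch matched. The temporary file from `tempfile()` is never unlinked, leaving the query on disk; `tempfile(UNLINK => 1)` or an explicit `unlink` fixes that. The same three points apply unchanged to alcasar-monthly_tot_stats, alcasar-tot_stats and alcasar-truncate_radacct below.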
/scripts/alcasar-monthly_tot_stats
0,0 → 1,64
#!/usr/bin/perl
use POSIX;
use File::Temp qw(tempfile tempdir);
 
# Log in the mtotacct table aggregated accounting information for
# each user spaning in one month period.
# If the current month has not ended it will log information up to
# the current month day
# Works only with mysql and postgresql
#
 
$conf=shift||'/etc/freeradius-web/admin.conf';
 
 
open CONF, "<$conf"
or die "Could not open configuration file\n";
while(<CONF>){
chomp;
($key,$val)=(split /:\s*/,$_);
$sql_type = $val if ($key eq 'sql_type');
$sql_server = $val if ($key eq 'sql_server');
$sql_username = $val if ($key eq 'sql_username');
$sql_password = $val if ($key eq 'sql_password');
$sql_database = $val if ($key eq 'sql_database');
$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
$sqlcmd = $val if ($key eq 'sql_command');
}
close CONF;
 
die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
die "sql command '$sqlcmd' not found or does not seem to be executable\n" if (! -x $sqlcmd);
 
if ($sql_type eq 'mysql'){
$sql_password = (!$sql_password) ? '' : "-p$sql_password";
}
$sql_password =~ s/(\W)/\\$1/g;
 
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
if ($mday == 1){
$mon--;
}
$date_start = POSIX::strftime("%Y-%m-%d",0,0,0,1,$mon,$year,$wday,$yday,$isdst);
$date_end = POSIX::strftime("%Y-%m-%d",0,0,0,$mday,$mon,$year,$wday,$yday,$isdst);
 
$query1 = "DELETE FROM mtotacct WHERE AcctDate = '$date_start';";
$query2 = "INSERT INTO mtotacct (UserName,AcctDate,ConnNum,ConnTotDuration,
ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
SELECT UserName,'$date_start',SUM(ConnNum),SUM(ConnTotDuration),
MAX(ConnMaxDuration),MIN(ConnMinDuration),SUM(InputOctets),
SUM(OutputOctets),NASIPAddress FROM totacct
WHERE AcctDate >= '$date_start' AND
AcctDate <= '$date_end' GROUP BY UserName,NASIPAddress;";
print "$query1\n";
print "$query2\n";
my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
print $fh $query1;
print $fh $query2;
close $fh;
$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
$command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
`$command`;
Property changes:
Added: svn:executable
+*
\ No newline at end of property
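Review bot: When run on the 1st of a month the script decrements `$mon` but keeps `$mday` at 1, so `$date_start` and `$date_end` both become the first day of the previous month and the aggregation window covers a single day instead of closing the whole previous month; `$date_end` should in that case be the last day of that month, e.g. `$date_end = POSIX::strftime("%Y-%m-%d",0,0,0,0,$mon+1,$year,$wday,$yday,$isdst);` relying on the same day-0 normalisation that `($mday - $back_days)` already relies on in alcasar-clean_radacct (worth confirming on this Perl build). The oracle branch builds its command from `$pass`, `$tmpfile` and `$server`, none of which is assigned anywhere in this script (the config values are `$sql_password`, `$tmp_filename` and `$sql_server`), and the sqlrelay branch uses `$sql_port`, which is never read from admin.conf; either wire them to the real variables or drop the branches the header already declares unsupported ("Works only with mysql and postgresql"). `use strict; use warnings;` would surface both at the cost of declaring the globals with `my`. The same undefined-variable oracle line appears in alcasar-tot_stats and alcasar-truncate_radacct.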
/scripts/alcasar-tot_stats
0,0 → 1,61
#!/usr/bin/perl
use POSIX;
use File::Temp qw(tempfile tempdir);
 
# Log in the totacct table aggregated daily accounting information for
# each user.
# We keep a row per user for each day.
# Works with mysql and postgresql
#
 
$conf=shift||'/etc/freeradius-web/admin.conf';
 
 
open CONF, "<$conf"
or die "Could not open configuration file\n";
while(<CONF>){
chomp;
($key,$val)=(split /:\s*/,$_);
$sql_type = $val if ($key eq 'sql_type');
$sql_server = $val if ($key eq 'sql_server');
$sql_username = $val if ($key eq 'sql_username');
$sql_password = $val if ($key eq 'sql_password');
$sql_database = $val if ($key eq 'sql_database');
$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
$sqlcmd = $val if ($key eq 'sql_command');
}
close CONF;
 
die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
die "sql command '$sqlcmd' not found or does not seem to be executable\n" if (! -x $sqlcmd);
 
if ($sql_type eq 'mysql'){
$sql_password = (!$sql_password) ? '' : "-p$sql_password";
}
$sql_password =~ s/(\W)/\\$1/g;
 
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
$date_start = POSIX::strftime("%Y-%m-%d %T",0,0,0,($mday - 1),$mon,$year,$wday,$yday,$isdst);
$date_small_start = POSIX::strftime("%Y-%m-%d",0,0,0,($mday - 1),$mon,$year,$wday,$yday,$isdst);
$date_end = POSIX::strftime("%Y-%m-%d %T",0,0,0,$mday,$mon,$year,$wday,$yday,$isdst);
 
$query1 = "DELETE FROM totacct WHERE AcctDate = '$date_start';";
$query2 = "INSERT INTO totacct (UserName,AcctDate,ConnNum,ConnTotDuration,
ConnMaxDuration,ConnMinDuration,InputOctets,OutputOctets,NASIPAddress)
SELECT UserName,'$date_small_start',COUNT(*),SUM(AcctSessionTime),
MAX(AcctSessionTime),MIN(AcctSessionTime),SUM(AcctInputOctets),
SUM(AcctOutputOctets),NASIPAddress FROM radacct
WHERE AcctStopTime >= '$date_start' AND
AcctStopTime < '$date_end' GROUP BY UserName,NASIPAddress;";
print "$query1\n";
print "$query2\n";
my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
print $fh $query1;
print $fh $query2;
close $fh;
$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
$command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
`$command`;
Property changes:
Added: svn:executable
+*
\ No newline at end of property
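Review bot: The DELETE compares `AcctDate = '$date_start'`, which carries a `%T` time part, while the INSERT stores `'$date_small_start'` (date only) into the same column, so whether a re-run deletes the rows the previous run inserted depends on the column type and the driver's coercion; using `$date_small_start` in `$query1` as well makes the re-run idempotent regardless of schema. If the stored value is meant to be a date only, the `%T` in `$date_start`/`$date_end` is then needed only for the `AcctStopTime` window, which a one-line comment above those three strftime calls should say.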
/scripts/alcasar-truncate_radacct
0,0 → 1,55
#!/usr/bin/perl
#
# Delete sessions from the radacct table which are older than $back_days
# Works with mysql and postgresql
#
use POSIX;
use File::Temp qw(tempfile tempdir);
 
$conf=shift||'/etc/freeradius-web/admin.conf';
$back_days = 365;
 
 
open CONF, "<$conf"
or die "Could not open configuration file\n";
while(<CONF>){
chomp;
($key,$val)=(split /:\s*/,$_);
$sql_type = $val if ($key eq 'sql_type');
$sql_server = $val if ($key eq 'sql_server');
$sql_username = $val if ($key eq 'sql_username');
$sql_password = $val if ($key eq 'sql_password');
$sql_database = $val if ($key eq 'sql_database');
$sql_accounting_table = $val if ($key eq 'sql_accounting_table');
$sqlcmd = $val if ($key eq 'sql_command');
}
close CONF;
 
die "sql_command directive is not set in admin.conf\n" if ($sqlcmd eq '');
die "sql command '$sqlcmd' not found or does not seem to be executable\n" if (! -x $sqlcmd);
 
if ($sql_type eq 'mysql'){
$sql_password = (!$sql_password) ? '' : "-p$sql_password";
}
$sql_password =~ s/(\W)/\\$1/g;
 
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime;
$date = POSIX::strftime("%Y-%m-%d %T",$sec,$min,$hour,($mday - $back_days),$mon,$year,$wday,$yday,$isdst);
print "$date\n";
if (POSIX::strftime("%Y-%m-%d %T",localtime) eq $date){
die "Could not set correct back date.\n";
}
$query = "";
$query = "LOCK TABLES $sql_accounting_table WRITE;" if ($sql_type eq 'mysql');
$query .= "DELETE FROM $sql_accounting_table WHERE AcctStopTime < '$date' AND AcctStopTime IS NOT NULL ;";
$query .= "UNLOCK TABLES;" if ($sql_type eq 'mysql');
print "$query\n";
my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
print $fh $query;
close $fh;
$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
$command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
`$command`;
Property changes:
Added: svn:executable
+*
\ No newline at end of property