WebSVN – ALCASAR – Diff – /scripts/alcasar-watchdog.sh


#!/bin/bash
# $Id: alcasar-watchdog.sh 3219 2024-07-05 14:54:19Z rexy $
 
# alcasar-watchdog.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
# - Ce script prévient les usagers de l'indisponibilité de l'accès Internet
# - Il déconnecte les usagers dont les équipements réseau ne répondent plus (leur onglet 'status.php' a été fermé)
# - Il deconnecte les usagers dont les adresses MAC sont usurpées
#
# - This script tells users that Internet access is down
# - It logs out users whose PCs are quiet (their status tab is closed)
# - It logs out users whose MAC address is used by other systems (usurped)
 
export LC_ALL=C
CONF_FILE="/usr/local/etc/alcasar.conf"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`			# EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`			# INTernal InterFace
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask |cut -d"/" -f1`
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}
MULTIWAN=`grep ^MULTIWAN= $CONF_FILE|cut -d"=" -f2`
current_users_file="/tmp/current_users.txt"		# file containing active users with their "status.php" tab open
DIR_WEB="/var/www/html"
Index_Page="$DIR_WEB/index.php"
IPTABLES="/sbin/iptables"
TUNIF="tun0"							# listen device for chilli daemon
OLDIFS=$IFS
IFS=$'\n'
 
function lan_down_alert ()
# users are redirected on ALCASAR IP address if a LAN problem is detected
{
	case $LAN_DOWN in
	"1")
		logger -t alcasar-watchdog "$EXTIF (WAN card) link down"
		echo "$EXTIF (WAN card) link down"
		/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page
		;;
	"2")
		logger -t alcasar-watchdog "can't contact the default router"
		echo "can't contact the default router"
		/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page
		;;
	"3")
		logger -t alcasar-watchdog "can't resolv DNS queries"
		echo "can't resolv DNS queries"
		/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't resolv DNS queries\";?g" $Index_Page
		;;
	esac
	net_pb=`grep "network_pb = true;" $Index_Page|wc -l`
	if [ $net_pb = "0" ] # if previously up
		then
		/bin/sed -i "s?^\$network_pb.*?\$network_pb = true;?g" $Index_Page
		$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56
	fi
}
 
function lan_test ()
# LAN connectiivity testing
{
	watchdog_process=`ps -C alcasar-watchdog.sh|wc -l`
	if [[ $(expr $watchdog_process) -gt 3 ]]
		then
		echo "ALCASAR watchdog is already running"
		exit 0
	fi
	# EXTIF testing
	LAN_DOWN="0"
	if [ `/sbin/ip link | grep $EXTIF|grep "NO-CARRIER" | wc -l` -eq "1" ]
		then
		LAN_DOWN="1"
	fi
	# Default GW testing
	if [ $LAN_DOWN -eq "0" ]
		then
		GW_EXIST=`/sbin/ip route list|grep ^default|wc -l`
		if [ $GW_EXIST -eq "0" ] # no GW defined !
			then
			systemctl restart network
		else
			if [ "$MULTIWAN" == "off" ] || [ "$MULTIWAN" == "Off" ]
				then
				IP_GW=`/sbin/ip route list|grep ^default|cut -d" " -f3`
				arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW|grep response|cut -d" " -f2`
				if [ $arp_reply -eq "0" ]
					then
					LAN_DOWN="2"
				fi
			fi
		fi
	fi
	# DNS request testing (twice)
	if [ $LAN_DOWN -eq "0" ]
		then
			dns_reply=`/usr/bin/host -W1 www.free.fr|grep SERVFAIL|wc -l`
			if [ $dns_reply -eq "1" ]
				then
				dns_reply=`/usr/bin/host -W1 www.startpage.com|grep SERVFAIL|wc -l`
				if [ $dns_reply -eq "1" ]
					then LAN_DOWN="3"
				fi
			fi
	fi
	# if LAN pb detected, users are warned
	if [ $LAN_DOWN != "0" ]
		then
			lan_down_alert
	# else switch in normal mode
	else
		echo "Internet access is OK for now"
		net_pb=`grep "network_pb = true;" $Index_Page|wc -l`
		if [ $net_pb != "0" ] # if already down
			then
			/bin/sed -i "s?^\$network_pb.*?\$network_pb = false;?g" $Index_Page
			$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56
		fi
	fi
}
 
usage="Usage: alcasar-watchdog.sh {-lt --lan_test | --disconnect-permanent-users}"
case $1 in
	-\? | -h* | --h*)
		echo "$usage"
		exit 0
	;;
	-lt | --lan_test)
		lan_test
		exit 0
	;;
	--disconnect-permanent-users)
		/bin/sed -i '/PERM/d' $current_users_file
		exit 0
	;;
	*)
		lan_test
		# We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)
		# process each equipment known by chilli
		for system in `/usr/sbin/chilli_query list | grep -v "0\.0\.0\.0"`
		do
			active_ip=`echo $system |cut -d" " -f2`
			active_session=`echo $system |cut -d" " -f5`
			active_mac=`echo $system | cut -d" " -f1`
			active_user=`echo $system |cut -d" " -f6`
			# We check if the user isn't an auth @MAC and if he is still connected
			if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then
				if [ -e $current_users_file ]; then
					# We check if user @IP is in 'current_users.txt'
					cmp_user_ok=$(cat $current_users_file | awk -F':' "\$1 == \"$active_ip\" {print \$2}")
					# If not we disconnect this user.
					if [ -z "$cmp_user_ok" ]; then
						logger -t alcasar-watchdog "$active_ip ($active_mac) doesn't contact ALCASAR any more. We disconnects the user ($active_user)."
						/usr/sbin/chilli_query logout $active_mac
					elif [ "$cmp_user_ok" == "TEMP" ]; then
						# Remove the user's IP from 'current_users.txt'. Every user status page need to insert their @IP everytime to prove their connectivity.
						# We don't disconnect when $cmp_user_ok == "PERM" (status page not needed)
						sed -i "/^$active_ip:$cmp_user_ok\$/d" $current_users_file
					fi
				else # "current_user.txt" does not exists. We disconnect every users.
					logger -t alcasar-watchdog "The file /tmp/current_users.txt doesn't' exist. We disconnects the user $active_user"
					/usr/sbin/chilli_query logout $active_mac
				fi
			fi
			# IP usurpation test : process only equipment with an authenticated user
			if [[ $(expr $active_session) -eq 1 ]]
			then
				arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $active_ip|grep -c "Unicast reply"`
				# disconnect users whose equipement is usurped. For example, if there are 2 same @MAC it will make 2 lines in output.
				if [[ $(expr $arp_reply) -gt 1 ]]
					then 
					echo "[$(date +"%Y-%m-%d %H:%M:%S")] : alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log
					logger -t alcasar-watchdog "$active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."
					/usr/sbin/chilli_query logout $active_mac
					chmod 644 /var/Save/security/watchdog.log
				fi
			fi
		done
	;;
esac
IFS=$OLDIFS
 

Rev 3214	Rev 3219
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-watchdog.sh 3214 2024-07-01 17:32:18Z rexy $`	2	`# $Id: alcasar-watchdog.sh 3219 2024-07-05 14:54:19Z rexy $`
3		3
4	`# alcasar-watchdog.sh`	4	`# alcasar-watchdog.sh`
5	`# by Rexy`	5	`# by Rexy`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`# - Ce script prévient les usagers de l'indisponibilité de l'accès Internet`	7	`# - Ce script prévient les usagers de l'indisponibilité de l'accès Internet`
8	`# - Il déconnecte les usagers dont les équipements réseau ne répondent plus (leur onglet 'status.php' a été fermé)`	8	`# - Il déconnecte les usagers dont les équipements réseau ne répondent plus (leur onglet 'status.php' a été fermé)`
9	`# - Il deconnecte les usagers dont les adresses MAC sont usurpées`	9	`# - Il deconnecte les usagers dont les adresses MAC sont usurpées`
10	`#`	10	`#`
11	`# - This script tells users that Internet access is down`	11	`# - This script tells users that Internet access is down`
12	`# - It logs out users whose PCs are quiet (their status tab is closed)`	12	`# - It logs out users whose PCs are quiet (their status tab is closed)`
13	`# - It logs out users whose MAC address is used by other systems (usurped)`	13	`# - It logs out users whose MAC address is used by other systems (usurped)`
14		14
15	`export LC_ALL=C.UTF-8`	15	`export LC_ALL=C`
16	`CONF_FILE="/usr/local/etc/alcasar.conf"`	16	`CONF_FILE="/usr/local/etc/alcasar.conf"`
17	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace	17	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace
18	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace	18	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace
19	private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`	19	private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`
20	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`	20	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`
21	PRIVATE_IP=`echo $private_ip_mask \|cut -d"/" -f1`	21	PRIVATE_IP=`echo $private_ip_mask \|cut -d"/" -f1`
22	`PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}`	22	`PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}`
23	MULTIWAN=`grep ^MULTIWAN= $CONF_FILE\|cut -d"=" -f2`	23	MULTIWAN=`grep ^MULTIWAN= $CONF_FILE\|cut -d"=" -f2`
24	`current_users_file="/tmp/current_users.txt" # file containing active users with their "status.php" tab open`	24	`current_users_file="/tmp/current_users.txt" # file containing active users with their "status.php" tab open`
25	`DIR_WEB="/var/www/html"`	25	`DIR_WEB="/var/www/html"`
26	`Index_Page="$DIR_WEB/index.php"`	26	`Index_Page="$DIR_WEB/index.php"`
27	`IPTABLES="/sbin/iptables"`	27	`IPTABLES="/sbin/iptables"`
28	`TUNIF="tun0" # listen device for chilli daemon`	28	`TUNIF="tun0" # listen device for chilli daemon`
29	`OLDIFS=$IFS`	29	`OLDIFS=$IFS`
30	`IFS=$'\n'`	30	`IFS=$'\n'`
31		31
32	`function lan_down_alert ()`	32	`function lan_down_alert ()`
33	`# users are redirected on ALCASAR IP address if a LAN problem is detected`	33	`# users are redirected on ALCASAR IP address if a LAN problem is detected`
34	`{`	34	`{`
35	`case $LAN_DOWN in`	35	`case $LAN_DOWN in`
36	`"1")`	36	`"1")`
37	`logger -t alcasar-watchdog "$EXTIF (WAN card) link down"`	37	`logger -t alcasar-watchdog "$EXTIF (WAN card) link down"`
38	`echo "$EXTIF (WAN card) link down"`	38	`echo "$EXTIF (WAN card) link down"`
39	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page`	39	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page`
40	`;;`	40	`;;`
41	`"2")`	41	`"2")`
42	`logger -t alcasar-watchdog "can't contact the default router"`	42	`logger -t alcasar-watchdog "can't contact the default router"`
43	`echo "can't contact the default router"`	43	`echo "can't contact the default router"`
44	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page`	44	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page`
45	`;;`	45	`;;`
46	`"3")`	46	`"3")`
47	`logger -t alcasar-watchdog "can't resolv DNS queries"`	47	`logger -t alcasar-watchdog "can't resolv DNS queries"`
48	`echo "can't resolv DNS queries"`	48	`echo "can't resolv DNS queries"`
49	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't resolv DNS queries\";?g" $Index_Page`	49	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't resolv DNS queries\";?g" $Index_Page`
50	`;;`	50	`;;`
51	`esac`	51	`esac`
52	net_pb=`grep "network_pb = true;" $Index_Page\|wc -l`	52	net_pb=`grep "network_pb = true;" $Index_Page\|wc -l`
53	`if [ $net_pb = "0" ] # if previously up`	53	`if [ $net_pb = "0" ] # if previously up`
54	`then`	54	`then`
55	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = true;?g" $Index_Page`	55	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = true;?g" $Index_Page`
56	`$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`	56	`$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`
57	`fi`	57	`fi`
58	`}`	58	`}`
59		59
60	`function lan_test ()`	60	`function lan_test ()`
61	`# LAN connectiivity testing`	61	`# LAN connectiivity testing`
62	`{`	62	`{`
63	watchdog_process=`ps -C alcasar-watchdog.sh\|wc -l`	63	watchdog_process=`ps -C alcasar-watchdog.sh\|wc -l`
64	`if [[ $(expr $watchdog_process) -gt 3 ]]`	64	`if [[ $(expr $watchdog_process) -gt 3 ]]`
65	`then`	65	`then`
66	`echo "ALCASAR watchdog is already running"`	66	`echo "ALCASAR watchdog is already running"`
67	`exit 0`	67	`exit 0`
68	`fi`	68	`fi`
69	`# EXTIF testing`	69	`# EXTIF testing`
70	`LAN_DOWN="0"`	70	`LAN_DOWN="0"`
71	if [ `/sbin/ip link \| grep $EXTIF\|grep "NO-CARRIER" \| wc -l` -eq "1" ]	71	if [ `/sbin/ip link \| grep $EXTIF\|grep "NO-CARRIER" \| wc -l` -eq "1" ]
72	`then`	72	`then`
73	`LAN_DOWN="1"`	73	`LAN_DOWN="1"`
74	`fi`	74	`fi`
75	`# Default GW testing`	75	`# Default GW testing`
76	`if [ $LAN_DOWN -eq "0" ]`	76	`if [ $LAN_DOWN -eq "0" ]`
77	`then`	77	`then`
78	GW_EXIST=`/sbin/ip route list\|grep ^default\|wc -l`	78	GW_EXIST=`/sbin/ip route list\|grep ^default\|wc -l`
79	`if [ $GW_EXIST -eq "0" ] # no GW defined !`	79	`if [ $GW_EXIST -eq "0" ] # no GW defined !`
80	`then`	80	`then`
81	`systemctl restart network`	81	`systemctl restart network`
82	`else`	82	`else`
83	`if [ "$MULTIWAN" == "off" ] \|\| [ "$MULTIWAN" == "Off" ]`	83	`if [ "$MULTIWAN" == "off" ] \|\| [ "$MULTIWAN" == "Off" ]`
84	`then`	84	`then`
85	IP_GW=`/sbin/ip route list\|grep ^default\|cut -d" " -f3`	85	IP_GW=`/sbin/ip route list\|grep ^default\|cut -d" " -f3`
86	arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW\|grep response\|cut -d" " -f2`	86	arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW\|grep response\|cut -d" " -f2`
87	`if [ $arp_reply -eq "0" ]`	87	`if [ $arp_reply -eq "0" ]`
88	`then`	88	`then`
89	`LAN_DOWN="2"`	89	`LAN_DOWN="2"`
90	`fi`	90	`fi`
91	`fi`	91	`fi`
92	`fi`	92	`fi`
93	`fi`	93	`fi`
94	`# DNS request testing (twice)`	94	`# DNS request testing (twice)`
95	`if [ $LAN_DOWN -eq "0" ]`	95	`if [ $LAN_DOWN -eq "0" ]`
96	`then`	96	`then`
97	dns_reply=`/usr/bin/host -W1 www.free.fr\|grep SERVFAIL\|wc -l`	97	dns_reply=`/usr/bin/host -W1 www.free.fr\|grep SERVFAIL\|wc -l`
98	`if [ $dns_reply -eq "1" ]`	98	`if [ $dns_reply -eq "1" ]`
99	`then`	99	`then`
100	dns_reply=`/usr/bin/host -W1 www.startpage.com\|grep SERVFAIL\|wc -l`	100	dns_reply=`/usr/bin/host -W1 www.startpage.com\|grep SERVFAIL\|wc -l`
101	`if [ $dns_reply -eq "1" ]`	101	`if [ $dns_reply -eq "1" ]`
102	`then LAN_DOWN="3"`	102	`then LAN_DOWN="3"`
103	`fi`	103	`fi`
104	`fi`	104	`fi`
105	`fi`	105	`fi`
106	`# if LAN pb detected, users are warned`	106	`# if LAN pb detected, users are warned`
107	`if [ $LAN_DOWN != "0" ]`	107	`if [ $LAN_DOWN != "0" ]`
108	`then`	108	`then`
109	`lan_down_alert`	109	`lan_down_alert`
110	`# else switch in normal mode`	110	`# else switch in normal mode`
111	`else`	111	`else`
112	`echo "Internet access is OK for now"`	112	`echo "Internet access is OK for now"`
113	net_pb=`grep "network_pb = true;" $Index_Page\|wc -l`	113	net_pb=`grep "network_pb = true;" $Index_Page\|wc -l`
114	`if [ $net_pb != "0" ] # if already down`	114	`if [ $net_pb != "0" ] # if already down`
115	`then`	115	`then`
116	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = false;?g" $Index_Page`	116	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = false;?g" $Index_Page`
117	`$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`	117	`$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`
118	`fi`	118	`fi`
119	`fi`	119	`fi`
120	`}`	120	`}`
121		121
122	`usage="Usage: alcasar-watchdog.sh {-lt --lan_test \| --disconnect-permanent-users}"`	122	`usage="Usage: alcasar-watchdog.sh {-lt --lan_test \| --disconnect-permanent-users}"`
123	`case $1 in`	123	`case $1 in`
124	`-\? \| -h* \| --h*)`	124	`-\? \| -h* \| --h*)`
125	`echo "$usage"`	125	`echo "$usage"`
126	`exit 0`	126	`exit 0`
127	`;;`	127	`;;`
128	`-lt \| --lan_test)`	128	`-lt \| --lan_test)`
129	`lan_test`	129	`lan_test`
130	`exit 0`	130	`exit 0`
131	`;;`	131	`;;`
132	`--disconnect-permanent-users)`	132	`--disconnect-permanent-users)`
133	`/bin/sed -i '/PERM/d' $current_users_file`	133	`/bin/sed -i '/PERM/d' $current_users_file`
134	`exit 0`	134	`exit 0`
135	`;;`	135	`;;`
136	`*)`	136	`*)`
137	`lan_test`	137	`lan_test`
138	`# We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)`	138	`# We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)`
139	`# process each equipment known by chilli`	139	`# process each equipment known by chilli`
140	for system in `/usr/sbin/chilli_query list \| grep -v "0\.0\.0\.0"`	140	for system in `/usr/sbin/chilli_query list \| grep -v "0\.0\.0\.0"`
141	`do`	141	`do`
142	active_ip=`echo $system \|cut -d" " -f2`	142	active_ip=`echo $system \|cut -d" " -f2`
143	active_session=`echo $system \|cut -d" " -f5`	143	active_session=`echo $system \|cut -d" " -f5`
144	active_mac=`echo $system \| cut -d" " -f1`	144	active_mac=`echo $system \| cut -d" " -f1`
145	active_user=`echo $system \|cut -d" " -f6`	145	active_user=`echo $system \|cut -d" " -f6`
146	`# We check if the user isn't an auth @MAC and if he is still connected`	146	`# We check if the user isn't an auth @MAC and if he is still connected`
147	`if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then`	147	`if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then`
148	`if [ -e $current_users_file ]; then`	148	`if [ -e $current_users_file ]; then`
149	`# We check if user @IP is in 'current_users.txt'`	149	`# We check if user @IP is in 'current_users.txt'`
150	`cmp_user_ok=$(cat $current_users_file \| awk -F':' "\$1 == \"$active_ip\" {print \$2}")`	150	`cmp_user_ok=$(cat $current_users_file \| awk -F':' "\$1 == \"$active_ip\" {print \$2}")`
151	`# If not we disconnect this user.`	151	`# If not we disconnect this user.`
152	`if [ -z "$cmp_user_ok" ]; then`	152	`if [ -z "$cmp_user_ok" ]; then`
153	`logger -t alcasar-watchdog "$active_ip ($active_mac) doesn't contact ALCASAR any more. We disconnects the user ($active_user)."`	153	`logger -t alcasar-watchdog "$active_ip ($active_mac) doesn't contact ALCASAR any more. We disconnects the user ($active_user)."`
154	`/usr/sbin/chilli_query logout $active_mac`	154	`/usr/sbin/chilli_query logout $active_mac`
155	`elif [ "$cmp_user_ok" == "TEMP" ]; then`	155	`elif [ "$cmp_user_ok" == "TEMP" ]; then`
156	`# Remove the user's IP from 'current_users.txt'. Every user status page need to insert their @IP everytime to prove their connectivity.`	156	`# Remove the user's IP from 'current_users.txt'. Every user status page need to insert their @IP everytime to prove their connectivity.`
157	`# We don't disconnect when $cmp_user_ok == "PERM" (status page not needed)`	157	`# We don't disconnect when $cmp_user_ok == "PERM" (status page not needed)`
158	`sed -i "/^$active_ip:$cmp_user_ok\$/d" $current_users_file`	158	`sed -i "/^$active_ip:$cmp_user_ok\$/d" $current_users_file`
159	`fi`	159	`fi`
160	`else # "current_user.txt" does not exists. We disconnect every users.`	160	`else # "current_user.txt" does not exists. We disconnect every users.`
161	`logger -t alcasar-watchdog "The file /tmp/current_users.txt doesn't' exist. We disconnects the user $active_user"`	161	`logger -t alcasar-watchdog "The file /tmp/current_users.txt doesn't' exist. We disconnects the user $active_user"`
162	`/usr/sbin/chilli_query logout $active_mac`	162	`/usr/sbin/chilli_query logout $active_mac`
163	`fi`	163	`fi`
164	`fi`	164	`fi`
165	`# IP usurpation test : process only equipment with an authenticated user`	165	`# IP usurpation test : process only equipment with an authenticated user`
166	`if [[ $(expr $active_session) -eq 1 ]]`	166	`if [[ $(expr $active_session) -eq 1 ]]`
167	`then`	167	`then`
168	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $active_ip\|grep -c "Unicast reply"`	168	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $active_ip\|grep -c "Unicast reply"`
169	`# disconnect users whose equipement is usurped. For example, if there are 2 same @MAC it will make 2 lines in output.`	169	`# disconnect users whose equipement is usurped. For example, if there are 2 same @MAC it will make 2 lines in output.`
170	`if [[ $(expr $arp_reply) -gt 1 ]]`	170	`if [[ $(expr $arp_reply) -gt 1 ]]`
171	`then`	171	`then`
172	`echo "[$(date +"%Y-%m-%d %H:%M:%S")] : alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log`	172	`echo "[$(date +"%Y-%m-%d %H:%M:%S")] : alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log`
173	`logger -t alcasar-watchdog "$active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."`	173	`logger -t alcasar-watchdog "$active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."`
174	`/usr/sbin/chilli_query logout $active_mac`	174	`/usr/sbin/chilli_query logout $active_mac`
175	`chmod 644 /var/Save/security/watchdog.log`	175	`chmod 644 /var/Save/security/watchdog.log`
176	`fi`	176	`fi`
177	`fi`	177	`fi`
178	`done`	178	`done`
179	`;;`	179	`;;`
180	`esac`	180	`esac`
181	`IFS=$OLDIFS`	181	`IFS=$OLDIFS`
182		182

Subversion Repositories ALCASAR

(root)/scripts/alcasar-watchdog.sh @ 2261 – Rev 3214 → 3219