| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-watchdog.sh 1154 2013-07-15 14:27:10Z crox53 $
|
2 |
# $Id: alcasar-watchdog.sh 1157 2013-07-16 10:48:11Z stephane $
|
| 3 |
|
3 |
|
| 4 |
# alcasar-watchdog.sh
|
4 |
# alcasar-watchdog.sh
|
| 5 |
# by Rexy
|
5 |
# by Rexy
|
| 6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
| 7 |
|
- |
|
| 8 |
# Ce script prévient les usagers de l'indisponibilité de l'accès Internet
|
7 |
# Ce script prévient les usagers de l'indisponibilité de l'accès Internet
|
| 9 |
# il déconnecte les usagers dont
|
8 |
# il déconnecte les usagers dont
|
| 10 |
# - les équipements réseau ne répondent plus
|
9 |
# - les équipements réseau ne répondent plus
|
| 11 |
# - les adresses MAC sont usurpées
|
10 |
# - les adresses MAC sont usurpées
|
| 12 |
# This script tells users that Internet access is down
|
11 |
# This script tells users that Internet access is down
|
| 13 |
# it logs out users whose
|
12 |
# it logs out users whose
|
| 14 |
# - PCs are quiet
|
13 |
# - PCs are quiet
|
| 15 |
# - MAC address are in used by other systems (usurped)
|
14 |
# - MAC address is used by other systems (usurped)
|
| 16 |
|
15 |
|
| 17 |
EXTIF="eth0"
|
16 |
EXTIF="eth0"
|
| 18 |
INTIF="eth1"
|
17 |
INTIF="eth1"
|
| 19 |
conf_file="/usr/local/etc/alcasar.conf"
|
18 |
conf_file="/usr/local/etc/alcasar.conf"
|
| 20 |
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
|
19 |
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
|
| 21 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
20 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
| 22 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
21 |
PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1` # @ip du portail (côté LAN)
|
| - |
|
22 |
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}
|
| 23 |
tmp_file="/tmp/watchdog.txt"
|
23 |
tmp_file="/tmp/watchdog.txt"
|
| 24 |
DIR_WEB="/var/www/html"
|
24 |
DIR_WEB="/var/www/html"
|
| 25 |
Index_Page="$DIR_WEB/index.php"
|
25 |
Index_Page="$DIR_WEB/index.php"
|
| 26 |
OLDIFS=$IFS
|
26 |
OLDIFS=$IFS
|
| 27 |
IFS=$'\n'
|
27 |
IFS=$'\n'
|
| 28 |
|
28 |
|
| 29 |
function lan_down_alert ()
|
29 |
function lan_down_alert ()
|
| 30 |
# users are redirected on ALCASAR IP address if LAN Pb detected
|
30 |
# users are redirected on ALCASAR IP address if a LAN problem is detected
|
| 31 |
{
|
31 |
{
|
| 32 |
case $LAN_DOWN in
|
32 |
case $LAN_DOWN in
|
| 33 |
"1")
|
33 |
"1")
|
| 34 |
logger "eth0 link down"
|
34 |
logger "eth0 link down"
|
| 35 |
echo "eth0 is down"
|
35 |
echo "eth0 is down"
|
| Line 40... |
Line 40... |
| 40 |
echo "can't contact the default router"
|
40 |
echo "can't contact the default router"
|
| 41 |
/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page
|
41 |
/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page
|
| 42 |
;;
|
42 |
;;
|
| 43 |
esac
|
43 |
esac
|
| 44 |
net_pb=`cat /etc/dnsmasq.conf|grep "address=/#/"|wc -l`
|
44 |
net_pb=`cat /etc/dnsmasq.conf|grep "address=/#/"|wc -l`
|
| 45 |
if [ $net_pb = "0" ] # on alerte les usagers (si ce n'est pas déjà le cas).
|
45 |
if [ $net_pb = "0" ] # user alert
|
| 46 |
then
|
46 |
then
|
| 47 |
/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page
|
47 |
/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page
|
| 48 |
/bin/sed -i "s?^conf-dir=.*?address=\/#\/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf
|
48 |
/bin/sed -i "s?^conf-dir=.*?address=\/#\/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf
|
| 49 |
/bin/sed -i "1i\address=\/#\/$PRIVATE_IP" /etc/dnsmasq.conf
|
49 |
/bin/sed -i "1i\address=\/#\/$PRIVATE_IP" /etc/dnsmasq.conf
|
| 50 |
/etc/init.d/dnsmasq restart
|
50 |
/etc/init.d/dnsmasq restart
|
| Line 121... |
Line 121... |
| 121 |
/usr/sbin/chilli_query dhcp-release $noresponse_mac # release dhcp for mac_auth equipment
|
121 |
/usr/sbin/chilli_query dhcp-release $noresponse_mac # release dhcp for mac_auth equipment
|
| 122 |
fi
|
122 |
fi
|
| 123 |
done
|
123 |
done
|
| 124 |
rm $tmp_file
|
124 |
rm $tmp_file
|
| 125 |
fi
|
125 |
fi
|
| 126 |
# on traite chaque équipements connus de chilli
|
126 |
# process each equipment known by chilli
|
| 127 |
for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
|
127 |
for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
|
| 128 |
do
|
128 |
do
|
| 129 |
active_ip=`echo $system |cut -d" " -f2`
|
129 |
active_ip=`echo $system |cut -d" " -f2`
|
| 130 |
active_session=`echo $system |cut -d" " -f5`
|
130 |
active_session=`echo $system |cut -d" " -f5`
|
| 131 |
active_mac=`echo $system | cut -d" " -f1`
|
131 |
active_mac=`echo $system | cut -d" " -f1`
|
| 132 |
active_user=`echo $system |cut -d" " -f6`
|
132 |
active_user=`echo $system |cut -d" " -f6`
|
| 133 |
# on ne traite que les équipements exploitées par un usager authentifié (test de 2 réponses en 4 secondes)
|
133 |
# process only equipment with an authenticated user
|
| 134 |
if [[ $(expr $active_session) -eq 1 ]]
|
134 |
if [[ $(expr $active_session) -eq 1 ]]
|
| 135 |
then
|
135 |
then
|
| 136 |
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l`
|
136 |
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l`
|
| 137 |
# on stocke les adresses IP des stations muettes
|
137 |
# store @IP of quiet equipments
|
| 138 |
if [[ $(expr $arp_reply) -eq 0 ]]
|
138 |
if [[ $(expr $arp_reply) -eq 0 ]]
|
| 139 |
then
|
139 |
then
|
| - |
|
140 |
PTN='^[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]$'
|
| - |
|
141 |
if [[ $(expr $active_user : $PTN) -eq 0 ]] # don't process @mac auth equipments
|
| - |
|
142 |
then
|
| 140 |
echo "$active_ip $active_mac $active_user" >> $tmp_file
|
143 |
echo "$active_ip $active_mac $active_user" >> $tmp_file
|
| - |
|
144 |
fi
|
| 141 |
fi
|
145 |
fi
|
| 142 |
# on deconnecte l'usager d'une stations usurpée (@MAC)
|
146 |
# disconnect users whose equipement is usurped (@MAC)
|
| 143 |
if [[ $(expr $arp_reply) -gt 2 ]]
|
147 |
if [[ $(expr $arp_reply) -gt 2 ]]
|
| 144 |
then
|
148 |
then
|
| 145 |
echo "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/logs/security/watchdog.log
|
149 |
echo "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/logs/security/watchdog.log
|
| 146 |
logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."
|
150 |
logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."
|
| 147 |
/usr/sbin/chilli_query logout $active_mac
|
151 |
/usr/sbin/chilli_query logout $active_mac
|