Subversion Repositories ALCASAR

#!/bin/bash

# $Id: alcasar-watchdog.sh 2376 2017-08-16 18:46:50Z tom.houdayer $

# alcasar-watchdog.sh

# by Rexy

# This script is distributed under the Gnu General Public License (GPL)

# - Ce script prévient les usagers de l'indisponibilité de l'accès Internet

# - Il déconnecte les usagers dont les équipements réseau ne répondent plus (leur onglet 'status.php' a été fermé)

# - Il deconnecte les usagers dont les adresses MAC sont usurpées

#

# - This script tells users that Internet access is down

# - It logs out users whose PCs are quiet (their status tab is closed)

# - It logs out users whose MAC address is used by other systems (usurped)

CONF_FILE="/usr/local/etc/alcasar.conf"

EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`                   # EXTernal InterFace

INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`                   # INTernal InterFace

private_ip_mask=`grep PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`

private_ip_mask=${private_ip_mask:=192.168.182.1/24}

PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1`             # @ip du portail (côté LAN)

PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}

current_users_file="/var/tmp/havp/current_users.txt"            # file containing active users with their "status.php" tab open

DIR_WEB="/var/www/html"

Index_Page="$DIR_WEB/index.php"

IPTABLES="/sbin/iptables"

TUNIF="tun0"                                                    # listen device for chilli daemon

OLDIFS=$IFS

IFS=$'\n'

function lan_down_alert ()

# users are redirected on ALCASAR IP address if a LAN problem is detected

{

        case $LAN_DOWN in

        "1")

                logger "$EXTIF (WAN card) link down"

                echo "$EXTIF (WAN card) link down"

                /bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page

                ;;

        "2")

                logger "can't contact the default router"

                echo "can't contact the default router"

                /bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page

                ;;

        esac

        net_pb=`grep "network_pb = true;" $Index_Page|wc -l`

        if [ $net_pb = "0" ] # user alert (only the first time) 

                then

                /bin/sed -i "s?^\$network_pb.*?\$network_pb = true;?g" $Index_Page

                $IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56

        fi

}

function lan_test ()

# LAN connectiivity testing

{

        watchdog_process=`ps -C alcasar-watchdog.sh|wc -l`

        if [[ $(expr $watchdog_process) -gt 3 ]]

                then

                echo "ALCASAR watchdog is already running"

                exit 0

        fi

        # EXTIF testing

        LAN_DOWN="0"

        if [ `/sbin/ip link | grep $EXTIF|grep "NO-CARRIER" | wc -l` -eq "1" ]

                then

                LAN_DOWN="1"

        fi

        # Default GW testing

        if [ $LAN_DOWN -eq "0" ]

                then

                IP_GW=`/sbin/ip route list|grep ^default|cut -d" " -f3`

                arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW|grep response|cut -d" " -f2`

                if [ $arp_reply -eq "0" ]

                        then

                        LAN_DOWN="2"

                fi

        fi

        # if LAN pb detected, users are warned

        if [ $LAN_DOWN != "0" ]

                then

                        lan_down_alert

        # else switch in normal mode

        else

                echo "Internet access is OK for now"

                net_pb=`grep "network_pb = true;" $Index_Page|wc -l`

                if [ $net_pb != "0" ]

                        then

                        /bin/sed -i "s?^\$network_pb.*?\$network_pb = false;?g" $Index_Page

                        $IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56

                fi

        fi

}

usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"

case $1 in

        -\? | -h* | --h*)

                echo "$usage"

                exit 0

                ;;

        -lt | --lan_test)

                lan_test

                exit 0

                ;;

        *)

                lan_test

                # We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)

                # process each equipment known by chilli to check if IP address is usurped (with arping)

                for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`

                do

                        active_ip=`echo $system |cut -d" " -f2`

                        active_session=`echo $system |cut -d" " -f5`

                        active_mac=`echo $system | cut -d" " -f1`

                        active_user=`echo $system |cut -d" " -f6`

                        #We disconnect inactive user here :

                        #We check if this is not an auth @MAC and if he is still connected

                        if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then

                                if [ -e $current_users_file ]; then

                                        # We check if user @IP is in 'current_users.txt'

                                        cmp_user_ok=$(cat $current_users_file | grep "^$active_ip\$" -c)

                                        # If not we disconnect this user.

                                        if [ $cmp_user_ok -eq 0 ]; then

                                                logger "alcasar-watchdog : $active_ip ($active_mac) can't be contact. We disconnects the user ($active_user)."

                                                /usr/sbin/chilli_query logout $active_mac

                                        else

                                                # Remove the user's IP from 'current_users.txt'. Every user need to insert their @IP everytime to prove their connectivity.

                                                sed -i "/^$active_ip\$/d" $current_users_file

                                        fi

                                else # "current_user.txt" does not exists. We disconnect every users.

                                        logger "alcasar-watchdog : The file /var/tmp/havp/current_users.txt doen't' exist. We disconnects the user $active_user"

                                        /usr/sbin/chilli_query logout $active_mac

                                fi

                        fi

                        # IP usurpation test : process only equipment with an authenticated user

                        if [[ $(expr $active_session) -eq 1 ]]

                        then

                                arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $active_ip|grep -c "Unicast reply"`

                                # disconnect users whose equipement is usurped. For example, if there are 2 same @MAC it will make 2 lines in output.

                                if [[ $(expr $arp_reply) -gt 1 ]]

                                        then

                                        echo "$(date "+[%x-%X] : ")alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log

                                        logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."

                                        /usr/sbin/chilli_query logout $active_mac

                                        chmod 644 /var/Save/security/watchdog.log

                                fi

                        fi

                done

                ;;

esac   

IFS=$OLDIFS