/scripts/alcasar-activity_report.sh |
93,98 → 93,97 |
cat $MODEL_TABINFO | while read LINE_HTML |
do |
if [ "$(echo $LINE_HTML | grep 'XXORGXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^ORGANISM= $CONF_FILE | cut -d'=' -f2-) |
echo ${LINE_HTML/XXORGXX/$VALUE} >> $HTML_REPORT |
if [ $(echo $LINE_HTML | grep 'XXORGXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^ORGANISM= $CONF_FILE | cut -d'=' -f2-) |
echo ${LINE_HTML/XXORGXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXINSTALLXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^INSTALL_DATE= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXINSTALLXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXAVERSIONXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^VERSION= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXAVERSIONXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXIP_PUBLICXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^PUBLIC_IP= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXIP_PUBLICXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXIP_PRIVEXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXIP_PRIVEXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXGWXX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^GW= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXGWXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXDNS1XX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^DNS1= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXDNS1XX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXDNS2XX' | wc -l) -eq 1 ] |
then |
VALUE=$(grep ^DNS2= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXDNS2XX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXHOSTXX' | wc -l) -eq 1 ] |
then |
VALUE=$(hostname) |
echo ${LINE_HTML/XXHOSTXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXOS_VERSIONXX' | wc -l) -eq 1 ] |
then |
VALUE=$( echo $(uname -r) [ $(uname -m) ] ) |
echo ${LINE_HTML/XXOS_VERSIONXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXREBOOTXX' | wc -l) -eq 1 ] |
then |
VALUE=$(echo $(who -b | cut -d' ' -f12-)) |
echo ${LINE_HTML/XXREBOOTXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXMAJCLAMAVXX' | wc -l) -eq 1 ] |
then |
VALUE=$(date -d @$(rpm -qa --queryformat "%{installtime} %{name}\n" | grep -E "clamav-db" | cut -d' ' -f1 ) "+%Y-%m-%d %H:%M:%S") |
echo ${LINE_HTML/XXMAJCLAMAVXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXMAJBLXX' | wc -l) -eq 1 ] |
then |
VALUE=$(cat /etc/e2guardian/lists/blacklists/README | grep 'Last version' | cut -d' ' -f4-6) |
echo ${LINE_HTML/XXMAJBLXX/$VALUE} >> $HTML_REPORT |
elif [ $(echo $LINE_HTML | grep 'XXRPMXX' | wc -l) -eq 1 ] |
then |
#show every ALCASAR RPM updated since X day ago |
#get timestamp of X day ago. Then we get every packets chich have been updated since this date. |
if [ $(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l) -gt 1 ] |
elif [ "$(echo $LINE_HTML | grep 'XXINSTALLXX' | wc -l)" -eq 1 ] |
then |
PACKAGE='php|lighttpd|iptables|dnsmasq|radius|tinyproxy|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget' |
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR |
do |
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1) |
RPM_DATE=$(date -d @$(echo $RPM_TIMESTAMP) "+%Y-%m-%d %H:%M:%S") |
RPM_NAME=$(echo $RPM_ALCASAR | cut -d' ' -f2) |
RPM_VERSION=$(echo $RPM_ALCASAR | cut -d' ' -f3) |
VALUE=$(grep ^INSTALL_DATE= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXINSTALLXX/$VALUE} >> $HTML_REPORT |
echo "<tr>" >> $HTML_REPORT |
echo "<td>$RPM_NAME</td>" >> $HTML_REPORT |
echo "<td>$RPM_DATE</td>" >> $HTML_REPORT |
echo "<td>$RPM_VERSION</td>" >> $HTML_REPORT |
echo "</tr>" >> $HTML_REPORT |
done |
elif [ "$(echo $LINE_HTML | grep 'XXAVERSIONXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^VERSION= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXAVERSIONXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXIP_PUBLICXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^PUBLIC_IP= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXIP_PUBLICXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXIP_PRIVEXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXIP_PRIVEXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXGWXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^GW= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXGWXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXDNS1XX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^DNS1= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXDNS1XX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXDNS2XX' | wc -l)" -eq 1 ] |
then |
VALUE=$(grep ^DNS2= $CONF_FILE | cut -d'=' -f2) |
echo ${LINE_HTML/XXDNS2XX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXHOSTXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(hostname) |
echo ${LINE_HTML/XXHOSTXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXOS_VERSIONXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(echo "$(uname -r) [ $(uname -m) ]") |
echo ${LINE_HTML/XXOS_VERSIONXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXREBOOTXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(who -b | cut -d' ' -f12-) |
echo ${LINE_HTML/XXREBOOTXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXMAJCLAMAVXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(date -d "@$(rpm -qa --queryformat "%{installtime} %{name}\n" | grep -E "clamav-db" | cut -d' ' -f1 )" "+%Y-%m-%d %H:%M:%S") |
echo ${LINE_HTML/XXMAJCLAMAVXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXMAJBLXX' | wc -l)" -eq 1 ] |
then |
VALUE=$(cat /etc/e2guardian/lists/blacklists/README | grep 'Last version' | cut -d' ' -f4-6) |
echo ${LINE_HTML/XXMAJBLXX/$VALUE} >> $HTML_REPORT |
elif [ "$(echo $LINE_HTML | grep 'XXRPMXX' | wc -l)" -eq 1 ] |
then |
#show every ALCASAR RPM updated since X day ago |
#get timestamp of X day ago. Then we get every packets chich have been updated since this date. |
if [ "$(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l)" -gt 1 ] |
then |
PACKAGE='php|lighttpd|iptables|dnsmasq|unbound|radius|tinyproxy|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget' |
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR |
do |
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1) |
RPM_DATE=$(date -d "@$(echo $RPM_TIMESTAMP)" "+%Y-%m-%d %H:%M:%S") |
RPM_NAME=$(echo $RPM_ALCASAR | cut -d' ' -f2) |
RPM_VERSION=$(echo $RPM_ALCASAR | cut -d' ' -f3) |
echo "<tr>" >> $HTML_REPORT |
echo "<td>$RPM_NAME</td>" >> $HTML_REPORT |
echo "<td>$RPM_DATE</td>" >> $HTML_REPORT |
echo "<td>$RPM_VERSION</td>" >> $HTML_REPORT |
echo "</tr>" >> $HTML_REPORT |
done |
else |
echo "<tr><td colspan=\"3\">Pas de RPM mis à jour cette semaine</td></tr>" >> $HTML_REPORT |
fi |
else |
echo "<tr><td colspan=\"3\">Pas de RPM mis à jour cette semaine</td></tr>" >> $HTML_REPORT |
echo $LINE_HTML >> $HTML_REPORT |
fi |
else |
echo $LINE_HTML >> $HTML_REPORT |
fi |
done |
######################BL WEBSITE SINCE INSTALLATION###################### |
192,45 → 191,36 |
#find data |
#decompress every logs |
if [ $(ls -1 /var/log/dnsmasq/dnsmasq-blacklist.log.*.gz 2>/dev/null | wc -l) -ge 1 ] |
if [ "$(ls -1 /var/log/unbound/unbound-blacklist.log.*.gz 2>/dev/null | wc -l)" -ge 1 ] |
then |
gunzip -d dnsmasq-blacklist.log.*.gz |
gunzip -d unbound-blacklist.log.*.gz |
fi |
#convert logs date in timestamp and find categories of blacklisted website |
for FILE in $(ls -1 /var/log/dnsmasq/ | grep 'dnsmasq-blacklist.log') |
tmp_log=$(mktemp) |
for FILE in /var/log/unbound/unbound-blacklist.log* |
do |
grep -E "info: [^ ]+ typetransparent $PRIVATE_IP" /var/log/unbound/unbound-blacklist.log > $tmp_log |
while read LOG_BL |
do |
if [ $(echo $LOG_BL | grep config | grep $PRIVATE_IP | wc -c) -ge 1 ] |
# find the current blacklisted category |
website_bl=$(echo $LOG_BL | cut -d' ' -f4) |
website_bl=${website_bl%?} # remove the last character |
#we convert www.test.co.uk => test.co.uk to find the category of this website |
if [ "$(grep -o '\.' <<< "$website_bl" | wc -l)" -ge "2" ] |
then |
#find the current blacklisted category |
website_bl=$(echo $LOG_BL | cut -d' ' -f6) |
#we convert www.test.co.uk => test.co.uk to find the category of this website |
if [ $(grep -o '\.' <<< "$website_bl" | wc -l) -ge "2" ] |
then |
website_bl=$(echo $website_bl | cut -d'.' -f2-) |
fi |
website_bl=$(echo $website_bl | cut -d'.' -f2-) |
fi |
#get BL category |
categorie_bl=$(grep -R "$website_bl/" /usr/local/share/dnsmasq-bl-enabled/ | cut -d':' -f1 | cut -d'/' -f6 | cut -d' ' -f1) |
if [ $(echo $categorie_bl | wc -w) -gt 1 ] |
then |
categorie_bl=$(grep -R "/$website_bl/" /usr/local/share/dnsmasq-bl-enabled/ | cut -d':' -f1 | cut -d'/' -f6 | cut -d' ' -f1 | head -1) |
fi |
#Calculate its timestamp |
Y=$(date -R | cut -d' ' -f4) |
M=$(echo $LOG_BL | cut -d' ' -f1) |
D=$(echo $LOG_BL | cut -d' ' -f2) |
H=$(echo $LOG_BL | cut -d' ' -f3) |
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s") |
echo "$CURRENT_TS:$categorie_bl:" >> $TMP_BL |
fi |
done < /var/log/dnsmasq/$FILE |
#get BL category |
categorie_bl=$(grep -Rl "$website_bl" /usr/local/share/unbound-bl-enabled/ | cut -d'/' -f6 | head -1) |
CURRENT_TS=$(echo $LOG_BL | cut -d '[' -f2 | cut -d ']' -f1) |
echo "$CURRENT_TS:$categorie_bl:" >> $TMP_BL |
done < $tmp_log |
done |
rm $tmp_log |
#if data exists, create this section in html document |
if [ -e $TMP_BL ] |
244,19 → 234,18 |
do |
DATE_1=$TS |
DATE_2=$((TS-$STEP_TS)) |
COUNT_BL_INSTALLATION=0 |
COUNT_BL_INSTALLATION=0 |
for LINE in $(cat $TMP_BL) |
do |
TS_FILE=$(echo $LINE | cut -d':' -f1) |
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ] |
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ] |
then |
COUNT_BL_INSTALLATION=$((COUNT_BL_INSTALLATION+1)) |
fi |
done |
VALUE_BL_INSTALLATION_LABEL="'$(date -d @$DATE_2 "+%Y-%m-%d" )', $VALUE_BL_INSTALLATION_LABEL" |
VALUE_BL_INSTALLATION_DATA="$COUNT_BL_INSTALLATION, $VALUE_BL_INSTALLATION_DATA" |
done |
273,41 → 262,41 |
cat $MODEL_CHARTJS | while read LINE_JS |
do |
#name of variable |
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ] |
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCONFXX/$CONF_BL_INSTALLATION} >> $HTML_REPORT |
#chart type |
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT |
#chart title |
elif [ $(echo $LINE_JS | grep 'XXTITLEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTITLEXX/"Sites bloqués au total"} >> $HTML_REPORT |
#chart data |
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXDATAXX/$VALUE_BL_INSTALLATION_DATA} >> $HTML_REPORT |
#color |
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT |
#labels |
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_INSTALLATION_LABEL} >> $HTML_REPORT |
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ] |
then |
echo "" >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ] |
then |
echo "" >> $HTML_REPORT |
elif [ $(echo $LINE_JS | grep 'XXYLABELXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXYLABELXX' | wc -l)" -eq 1 ] |
then |
echo "\"Nombre de site bloqué par la blacklist\"" >> $HTML_REPORT |
else |
321,7 → 310,7 |
######################DNSMASQ BLACKLIST###################### |
######################Unbound BLACKLIST###################### |
echo "Create BL website since $MAX_DAY_AGO days" |
#if data exists, create BL section in html document |
339,7 → 328,7 |
do |
TS_FILE=$(echo $LINE | cut -d':' -f1) |
#select only elements between DATE_1 and DATE_2 |
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ] |
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ] |
then |
echo $LINE >> $TMP_BL_WEEK |
fi |
346,7 → 335,7 |
done |
#then we count every occurence for each category in TMP_BL_WEEK |
for CAT in $(ls /usr/local/share/dnsmasq-bl/ -1 | cut -d'.' -f1) |
for CAT in $(ls /usr/local/share/unbound-bl/ -1 | cut -d'.' -f1) |
do |
echo "$CAT:$(grep -o ":$CAT:" <<< "$(cat $TMP_BL_WEEK)" | wc -l):" >> $TMP_BL_WEEK_CAT |
done |
354,7 → 343,7 |
#we sort by number of occurence and we take the top 10 BL categories |
for LINE in $(sort -t':' -k2 -rn $TMP_BL_WEEK_CAT | head -n 10) |
do |
DATA=$(echo $LINE | cut -d':' -f2) |
LABEL=$(echo $LINE | cut -d':' -f1) |
if [ $DATA -ne 0 ] |
365,7 → 354,7 |
done |
#get other categories (sum them all) |
if [ $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc) -gt 0 ] |
if [ "$(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)" -gt 0 ] |
then |
VALUE_BL_DATA="$VALUE_BL_DATA $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)" |
VALUE_BL_LABEL="$VALUE_BL_LABEL 'autre ($(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc))'" |
382,39 → 371,39 |
cat $MODEL_CHARTJS | while read LINE_JS |
do |
#variable name |
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ] |
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCONFXX/$CONF_BL} >> $HTML_REPORT |
#chart type |
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTYPEXX/pie} >> $HTML_REPORT |
#graph title |
elif [ $(echo $LINE_JS | grep 'XXTITLEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTITLEXX/"Sites bloqués cette semaine"} >> $HTML_REPORT |
#chart data |
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXDATAXX/$VALUE_BL_DATA} >> $HTML_REPORT |
#color |
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT |
#labels |
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_LABEL} >> $HTML_REPORT |
#display legend, only useful for chart pie |
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLEGENDXX/true} >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ] |
then |
echo "/*" >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ] |
then |
echo "*/" >> $HTML_REPORT |
else |
430,12 → 419,12 |
echo "Create AV logs since the installation of ALCASAR" |
#decompress every logs, if they exist |
if [ $(ls -1 /var/log/havp/access.log.*.gz 2>/dev/null | wc -l) -ge 1 ] |
if [ "$(ls -1 /var/log/havp/access.log.*.gz 2>/dev/null | wc -l)" -ge 1 ] |
then |
gunzip -d access.log.*.gz |
fi |
for FILE in $(ls -1 /var/log/havp/ | grep 'access.log') |
for FILE in /var/log/havp/access.log* |
do |
while read LINE_AV |
do |
445,8 → 434,7 |
H=$(echo $LINE_AV | cut -d' ' -f4) |
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s") |
echo $CURRENT_TS >> $TMP_AV |
done < /var/log/havp/$FILE |
done < $FILE |
done |
if [ -e $TMP_AV ] |
461,7 → 449,7 |
for TS_FILE in $(cat $TMP_AV) |
do |
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ] |
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ] |
then |
COUNT_AV=$((COUNT_AV+1)) |
fi |
470,7 → 458,7 |
VALUE_AV_LABEL="'$(date -d @$DATE_2 "+%Y-%m-%d" )', $VALUE_AV_LABEL" |
VALUE_AV_DATA="$COUNT_AV, $VALUE_AV_DATA" |
done |
#create Antivirus section in html document |
NAME_AV='chart_av' |
CONF_AV='config_av' |
484,41 → 472,41 |
cat $MODEL_CHARTJS | while read LINE_JS |
do |
#name of variable |
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ] |
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCONFXX/$CONF_AV} >> $HTML_REPORT |
#chart type |
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT |
#graph title |
elif [ $(echo $LINE_JS | grep 'XXTITLEXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXTITLEXX/"Menaces bloqués par l\'antivirus"} >> $HTML_REPORT |
#chart data |
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXDATAXX/$VALUE_AV_DATA} >> $HTML_REPORT |
#color |
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT |
#labels |
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLABELSXX/$VALUE_AV_LABEL} >> $HTML_REPORT |
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ] |
then |
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ] |
then |
echo "" >> $HTML_REPORT |
#display value of Y axis, only useful for chart bar |
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ] |
then |
echo "" >> $HTML_REPORT |
elif [ $(echo $LINE_JS | grep 'XXYLABELXX' | wc -l) -eq 1 ] |
elif [ "$(echo $LINE_JS | grep 'XXYLABELXX' | wc -l)" -eq 1 ] |
then |
echo "\"Nombre de menaces virales bloqués par l'antivirus\"" >> $HTML_REPORT |
else |
538,7 → 526,7 |
#create new htdigest user to consult statistique of ACC |
#if user does not exist, we create him |
if [ $(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l) -lt 1 ] |
if [ "$(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l)" -lt 1 ] |
then |
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_only_manager |
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_manager |
557,7 → 545,7 |
cat $TMP_STATS_2 | sed -e 's:images/pixel.gif:../../manager/htdocs/images/pixel.gif:g' >> $HTML_REPORT |
#we delete our user if he still exists |
if [ $(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l) -ge 1 ] |
if [ "$(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l)" -ge 1 ] |
then |
$SED "/^$tmp_account:/d" $DIR_KEY/key_only_manager |
$SED "/^$tmp_account:/d" $DIR_KEY/key_manager |
595,7 → 583,7 |
echo "<h2>Connexion à l'ALCASAR Control Center (ACC)</h2>" >> $HTML_REPORT |
echo "<table class=\"table table-striped\">" >> $HTML_REPORT |
echo "<thead><tr><th>Date</th><th>Utilisateur</th><th>Adresse IP</th><th>Agent</th></tr></thead><tbody>" >> $HTML_REPORT |
echo $ROWS >> $HTML_REPORT |
echo "$ROWS" >> $HTML_REPORT |
echo "</tbody></table>" >> $HTML_REPORT |
640,7 → 628,7 |
echo "<h2>Trafic global</h2>" >> $HTML_REPORT |
echo "<table class=\"table table-striped\">" >> $HTML_REPORT |
echo "<thead><tr><th>Date</th><th>Entrant</th><th>Sortant</th><th>Total</th></tr></thead><tbody>" >> $HTML_REPORT |
echo $ROWS >> $HTML_REPORT |
echo "$ROWS" >> $HTML_REPORT |
echo "</tbody></table>" >> $HTML_REPORT |
698,21 → 686,21 |
echo "</html>" >> $HTML_REPORT |
#convert html document to PDF |
/usr/bin/wkhtmltopdf $HTML_REPORT $(echo $HTML_REPORT | cut -d'.' -f1).pdf |
chown apache:apache $(echo $HTML_REPORT | cut -d'.' -f1).pdf |
chmod 644 $(echo $HTML_REPORT | cut -d'.' -f1).pdf |
mv $(echo $HTML_REPORT | cut -d'.' -f1).pdf /var/Save/activity_report/ |
/usr/bin/wkhtmltopdf $HTML_REPORT "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" |
chown apache:apache "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" |
chmod 644 "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" |
mv "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" /var/Save/activity_report/ |
#compress every logs, if they exist |
if [ $(ls -1 /var/log/havp/access.log.* 2>/dev/null | wc -l) -ge 1 ] |
if [ "$(ls -1 /var/log/havp/access.log.* 2>/dev/null | wc -l)" -ge 1 ] |
then |
gzip /var/log/havp/access.log.* |
fi |
#compress every logs |
if [ $(ls -1 /var/log/dnsmasq/dnsmasq-blacklist.log.* 2>/dev/null | wc -l) -ge 1 ] |
if [ "$(ls -1 /var/log/unbound/unbound-blacklist.log.* 2>/dev/null | wc -l)" -ge 1 ] |
then |
gzip /var/log/dnsmasq/dnsmasq-blacklist.log.* |
gzip /var/log/unbound/unbound-blacklist.log.* |
fi |
#remove our files |
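Review bot: In the 192 hunk the rewritten log loop never reads the file it iterates over — `for FILE in /var/log/unbound/unbound-blacklist.log*` is followed by `grep -E "info: [^ ]+ typetransparent $PRIVATE_IP" /var/log/unbound/unbound-blacklist.log > $tmp_log`, so the live log is scanned once per rotated file and the rotated logs that were just gunzipped are never counted. The grep should read the loop variable: `grep -E "info: [^ ]+ typetransparent $PRIVATE_IP" "$FILE" > "$tmp_log"`. In the 93 hunk the test `grep -E "$PACKAGE" | wc -l` runs before `PACKAGE=...` is assigned inside the `then` branch, so unless PACKAGE is set earlier in the script (not visible here) the condition counts every package updated since `$SECS_AGO` rather than the ALCASAR ones, and `-gt 1` also hides the case of exactly one updated package; moving the assignment above the `if` and using `-ge 1` fixes both. The `while read LINE_HTML` loop and the log-processing block both continue outside their hunks.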
/scripts/alcasar-bl.sh |
6,16 → 6,14 |
# by Franck BOUIJOUX and Richard REY |
# This script is distributed under the Gnu General Public License (GPL) |
# Gestion de la BL pour le filtrage de domaine (via dnsmasq) et d'URL (via E2guardian) |
# Manage the BL for DnsBlackHole (dnsmasq) and URL filtering (E2guardian) |
# Gestion de la BL pour le filtrage de domaine (via unbound) et d'URL (via E2guardian) |
# Manage the BL for DnsBlackHole (unbound) and URL filtering (E2guardian) |
DIR_CONF="/usr/local/etc" |
CONF_FILE="$DIR_CONF/alcasar.conf" |
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2` |
private_ip_mask=${private_ip_mask:=192.168.182.1/24} |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DIR_tmp="/tmp/blacklists" |
DIR_WL_tmp="/tmp/whitelists" |
FILE_tmp="/tmp/filesfilter.txt" |
FILE_ip_tmp="/tmp/filesipfilter.txt" |
DIR_DG="/etc/e2guardian/lists" |
26,15 → 24,15 |
BL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-bl-categories-enabled" # ' ' BL enabled categories |
WL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-wl-categories-enabled" # ' ' WL enabled categories |
DIR_SHARE="/usr/local/share" |
DIR_DNS_BL="$DIR_SHARE/dnsmasq-bl" # all the BL in the DNSMASQ format |
DIR_DNS_WL="$DIR_SHARE/dnsmasq-wl" # all the WL ' ' ' |
DIR_DNS_BL="$DIR_SHARE/unbound-bl" # all the BL in the Unbound format |
DIR_DNS_WL="$DIR_SHARE/unbound-wl" # all the WL ' ' ' |
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL |
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL |
DIR_DNS_BL_ENABLED="$DIR_SHARE/dnsmasq-bl-enabled" # symbolic link to the domains BL (only enabled categories) |
DIR_DNS_WL_ENABLED="$DIR_SHARE/dnsmasq-wl-enabled" # ' ' ' WL ' ' |
DIR_DNS_BL_ENABLED="$DIR_SHARE/unbound-bl-enabled" # symbolic link to the domains BL (only enabled categories) |
DIR_DNS_WL_ENABLED="$DIR_SHARE/unbound-wl-enabled" # ' ' ' WL ' ' |
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories) |
DIR_IP_WL_ENABLED="$DIR_SHARE/iptables-wl-enabled" # ' ' ip WL (ossi and ossi-* imported from ACC) |
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2-` # server DNS1 (for WL domain names) |
REHABILITATED_DNS_FILE="/etc/unbound/conf.d/blacklist/rehabilitated.conf" |
BL_SERVER="dsi.ut-capitole.fr" |
SED="/bin/sed -i" |
47,7 → 45,7 |
then |
mkdir $LIST |
else |
rm -rf $LIST/* |
rm -rf ${LIST:?}/* |
fi |
chown root:apache $LIST |
chmod 770 $LIST |
69,7 → 67,7 |
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $BL_CATEGORIES |
ln -sf $DIR_DNS_BL/$ENABLE_CATEGORIE.conf $DIR_DNS_BL_ENABLED/$ENABLE_CATEGORIE |
ln -sf $DIR_IP_BL/$ENABLE_CATEGORIE $DIR_IP_BL_ENABLED/$ENABLE_CATEGORIE |
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG/bannedsitelist # Blacklisted domains are managed by dnsmasq |
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG/bannedsitelist # Blacklisted domains are managed by unbound |
echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/urls>" >> $DIR_DG/bannedurllist |
done |
sort +0.0 -0.2 $BL_CATEGORIES -o $FILE_tmp |
101,7 → 99,7 |
$SED '/[äâëêïîöôüû@,]/d' $FILE_tmp # remove line with "chelou" characters |
# extract ip addresses for iptables. |
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add bl_ip_blocked " $0}' $FILE_tmp > $FILE_ip_tmp |
# extract domain names for dnsmasq. |
# extract domain names for unbound. |
$SED -n '/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/!p' $FILE_tmp |
# Retrieve max Top Level Domain for domain name synthax |
#MAX_TLD=$(curl http://data.iana.org/TLD/tlds-alpha-by-domain.txt | grep -v '-' | grep -v '#' | wc -L) |
142,7 → 140,7 |
-cat_choice | --cat_choice) |
cat_choice |
;; |
# Adapt Toulouse University BL to ALCASAR architecture (dnsmasq + DG + iptables) |
# Adapt Toulouse University BL to ALCASAR architecture (unbound + DG + iptables) |
-adapt | --adapt) |
echo -n "Adaptation process of Toulouse University blackList. Please wait : " |
if [ -f $DIR_tmp/blacklists.tar.gz ] # when downloading the last version of the BL |
231,7 → 229,8 |
$SED "/^$ENABLE_CATEGORIE$/d" $WL_CATEGORIES_ENABLED |
fi |
done |
# Creation of DNSMASQ and Iptables BL and WL |
# Creation of Unbound and Iptables BL and WL |
for LIST in $BL_CATEGORIES $WL_CATEGORIES # for each list (bl and wl) |
do |
for PATH_FILE in `cat $LIST` # for each category |
244,16 → 243,16 |
chown e2guardian:apache $PATH_FILE/urls |
fi |
cp $PATH_FILE/domains $FILE_tmp |
clean_split # clean ossi custom files & split them for dnsmasq and for iptables |
clean_split # clean ossi custom files & split them for unbound and for iptables |
if [ "$LIST" == "$BL_CATEGORIES" ] |
then |
# adapt to the dnsmasq syntax for the blacklist |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
# adapt to the unbound syntax for the blacklist |
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN |
else |
# adapt to the dnsmasq syntax for the whitelist |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
# adapt to the unbound syntax for the whitelist |
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf |
fi |
done |
276,27 → 275,28 |
URL=$(echo $LIGNE_RSYNC | cut -d' ' -f2) |
PATH_FILE=$(find $DIR_DG_BL/ -type d -name $CATEGORIE) # retrieve directory name of the category |
rsync -rv $URL $(dirname $PATH_FILE ) #rsync inside of the blacklist directory |
# Creation of DNSMASQ and Iptables BL and WL |
# Creation of unbound and Iptables BL and WL |
DOMAIN=$(basename $PATH_FILE) |
cp $PATH_FILE/domains $FILE_tmp |
clean_split # clean ossi custom files & split them for dnsmasq and for iptables |
clean_split # clean ossi custom files & split them for unbound and for iptables |
black=`grep black $PATH_FILE/usage |wc -l` |
if [ $black == "1" ] |
then |
# adapt to the dnsmasq syntax for the blacklist |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
# adapt to the unbound syntax for the blacklist |
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN |
else |
# adapt to the dnsmasq syntax for the whitelist |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
# adapt to the unbound syntax for the whitelist |
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_WL/$DOMAIN |
fi |
rm -f $FILE_tmp $FILE_ip_tmp |
done |
/usr/bin/systemctl restart unbound-whitelist |
/usr/bin/systemctl restart dnsmasq-whitelist |
/usr/bin/systemctl restart dnsmasq-blacklist |
/usr/bin/systemctl restart unbound-blacklist |
/usr/bin/systemctl restart e2guardian |
/usr/local/bin/alcasar-iptables.sh |
else |
308,17 → 308,16 |
-reload | --reload) |
# for DG |
cat_choice |
# for dnsmasq (rehabited domain names) |
if [ `wc -w $DIR_DG/exceptionsitelist|cut -d " " -f1` != "0" ] |
# for unbound (rehabilitated domain names) |
rm -f $REHABILITATED_DNS_FILE |
if [ "$(wc -w $DIR_DG/exceptionsitelist | cut -d " " -f1)" != "0" ] |
then |
rm -f $DIR_DNS_BL_ENABLED/authorized-ossi-bl $DIR_DNS_BL/authorized-ossi-bl.conf |
touch $DIR_DNS_BL/authorized-ossi-bl.conf |
for i in `cat $DIR_DG/exceptionsitelist` |
do |
$SED "/$i/d" $DIR_DNS_BL/* |
echo "server=/$i/#" >> $DIR_DNS_BL/authorized-ossi-bl.conf |
done |
ln -s $DIR_DNS_BL/authorized-ossi-bl.conf $DIR_DNS_BL_ENABLED/authorized-ossi-bl |
touch $REHABILITATED_DNS_FILE |
while read -r domain; do |
[ -z "$domain" ] && continue |
echo "local-zone: $domain typetransparent" >> $REHABILITATED_DNS_FILE |
echo "local-zone-tag: $domain \"\"" >> $REHABILITATED_DNS_FILE |
done < $DIR_DG/exceptionsitelist |
fi |
# adapt OSSI BL & WL custom files |
for dir in $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL |
341,12 → 340,12 |
fi |
$SED "s/\r//" $ossi_custom_dir/domains $ossi_custom_dir/urls # remove Windows <CR> from custom file |
cp $ossi_custom_dir/domains $FILE_tmp |
clean_split # clean ossi custom files & split them for dnsmasq and for iptables |
clean_split # clean ossi custom files & split them for unbound and for iptables |
if [ $categorie_type == "white" ] |
then |
# adapt the file to the dnsmasq syntax and enable it if needed |
# adapt the file to the unbound syntax and enable it if needed |
# for the WL |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$ossi_categorie.conf |
mv $FILE_ip_tmp $DIR_IP_WL/$ossi_categorie |
enabled=`grep ^$ossi_categorie$ $WL_CATEGORIES_ENABLED | wc -l` |
359,7 → 358,7 |
fi |
else |
# for the BL |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$ossi_categorie.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$ossi_categorie |
enabled=`grep ^$ossi_categorie$ $BL_CATEGORIES_ENABLED | wc -l` |
383,7 → 382,8 |
chmod 660 $DIR_DNS_BL/* $DIR_DNS_WL/* $DIR_IP_BL/* $DIR_IP_WL/* |
if [ "$PARENT_SCRIPT" != "alcasar-conf.sh" ] # don't launch on install stage |
then |
/usr/bin/systemctl restart dnsmasq-blacklist |
/usr/bin/systemctl restart unbound-blacklist |
/usr/bin/systemctl restart unbound-whitelist |
/usr/bin/systemctl restart dnsmasq-whitelist |
/usr/bin/systemctl restart e2guardian |
/usr/local/bin/alcasar-iptables.sh |
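Review bot: In the 308 hunk each line of `$DIR_DG/exceptionsitelist` is written verbatim into the unbound config (`echo "local-zone: $domain typetransparent"`), so a line containing whitespace, quotes or a stray `\r` (the script strips CRs from the ossi custom files in the 341 hunk but not from this list) yields a malformed or extra directive in `$REHABILITATED_DNS_FILE`; a character check after the empty-line guard, `case "$domain" in *[!A-Za-z0-9.-]*) continue ;; esac`, keeps the generated file well-formed. Separately, `rm -f $REHABILITATED_DNS_FILE` runs unconditionally while `touch` runs only when the list is non-empty, so the file is absent after a reload with an empty exception list — if unbound's configuration includes it unconditionally (not visible here) the `unbound-blacklist` restart later in the reload path would fail, and moving `touch $REHABILITATED_DNS_FILE` above the `if` avoids the question. The old `$SED "/$i/d" $DIR_DNS_BL/*` removal is gone, so a rehabilitated entry now coexists with the blacklist `local-zone:` for the same name; whether unbound accepts that duplicate zone definition should be confirmed against the unbound-blacklist configuration. The `-reload` case continues outside the hunk.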
/scripts/alcasar-bypass.sh |
9,7 → 9,6 |
# enable / disable the bypass of authentication process and WEB filtering |
usage="Usage: alcasar-bypass.sh {--on or -on } | {--off or -off}" |
SED="/bin/sed -i" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace |
25,7 → 24,7 |
echo "$usage" |
exit 0 |
;; |
--on | -on) |
--on | -on) |
/usr/local/bin/alcasar-logout.sh all |
/usr/bin/systemctl stop chilli |
cp -f /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF |
34,11 → 33,7 |
DHCP=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2` |
if [ $DHCP != off ] |
then |
$SED "/^#dhcp-range=/s/^#//" /etc/dnsmasq.conf # dnsmasq become the DHCP server |
$SED "/^#dhcp-option=/s/^#//" /etc/dnsmasq.conf |
$SED "/^#domain=/s/^#//" /etc/dnsmasq.conf |
$SED "s?^no-dhcp-interface.*?#&?g" /etc/dnsmasq.conf |
/usr/bin/systemctl restart dnsmasq |
/usr/bin/systemctl start dhcpd |
fi |
rm -f /etc/cron.d/alcasar-daemon-watchdog # don't restart daemons (specially coova) |
48,11 → 43,7 |
--off | -off) |
cp -f /etc/sysconfig/network-scripts/default-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF |
ifup $INTIF |
$SED "s?^dhcp-range=.*?#&?g" /etc/dnsmasq.conf # dnsmasq is no more the DHCP server (it's coova) |
$SED "s?^dhcp-option=.*?#&?g" /etc/dnsmasq.conf |
$SED "s?^domain=.*?#&?g" /etc/dnsmasq.conf |
$SED "/^#no-dhcp-interface/s/^#//" /etc/dnsmasq.conf |
/usr/bin/systemctl restart dnsmasq |
/usr/bin/systemctl stop dhcpd |
/usr/bin/systemctl start chilli |
sh /usr/local/bin/alcasar-iptables.sh |
# activation of the "daemon-watchdog" every 18' |
/scripts/alcasar-conf.sh |
---|
14,14 → 14,12 |
# - load the backup of configuration files during the update process (alcasar-conf -load). If needed, it's here we update files between versions |
# - apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf" when hot modification are needed (alcasar-conf -apply) |
new="$(date +%G%m%d-%Hh%M)" # date et heure des fichiers |
fichier="alcasar-conf-$new.tar.gz" # nom du fichier de sauvegarde |
DIR_UPDATE="/var/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour |
DIR_WEB="/var/www/html" # répertoire du centre de gestion |
DIR_BIN="/usr/local/bin" # scripts directory |
DIR_ETC="/usr/local/etc" # conf directory |
DIR_SHARE="/usr/local/share" # data directory |
DIR_BLACKLIST="/etc/e2guardian/lists/blacklists" # Toulouse BL directory |
DIR_E2G="/etc/e2guardian/lists" # Toulouse BL directory |
DIR_BLACKLIST="$DIR_E2G/blacklists" # Toulouse BL directory |
CONF_FILE="$DIR_ETC/alcasar.conf" # main alcasar conf file |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace |
34,7 → 32,6 |
SED="/bin/sed -i" |
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2` # server DNS1 (for WL domain names) |
DOMAIN=${DOMAIN:=localdomain} |
DATE=`date '+%d %B %Y - %Hh%M'` |
private_network_calc () |
{ |
41,13 → 38,11 |
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24) |
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0) |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24) |
classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # classes de réseau (ex.: 2=classe B, 3=classe C) |
classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; # classes de réseau (ex.: 2=classe B, 3=classe C) |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.) |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255) |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # last octet of LAN address |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # last octet of LAN broadcast |
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address |
PRIVATE_FIRST_IP=$PRIVATE_IP # First network address (ex.: 192.168.182.1) |
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2) |
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254) |
PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF |
66,12 → 61,12 |
echo "$usage" |
exit 0 |
;; |
--create|-create) |
--create|-create) |
[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE |
mkdir $DIR_UPDATE |
# backup the users database (test to delete in future version) |
$DIR_BIN/alcasar-mysql.sh --dump |
cp /var/Save/base/`ls -1t /var/Save/base|head -1` $DIR_UPDATE |
cp /var/Save/base/"$(ls -1t /var/Save/base|head -1)" $DIR_UPDATE |
# backup the logo |
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE |
# backup BL/WL custom files |
82,7 → 77,7 |
cp /etc/dansguardian/lists/$i $DIR_UPDATE/custom_bl/ # before V3.3 |
cp -rf /etc/dansguardian/lists/blacklists/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null |
else |
cp /etc/e2guardian/lists/$i $DIR_UPDATE/custom_bl/ # since V3.3 |
cp $DIR_E2G/$i $DIR_UPDATE/custom_bl/ # since V3.3 |
cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null |
fi |
done |
101,8 → 96,35 |
else |
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.crt |
fi |
# pureip & safesearch status |
[ -d /etc/dansguardian ] && dg_path=/etc/dansguardian || dg_path=/etc/e2guardian |
if ! grep -Eq '^WL_SAFESEARCH=' $DIR_UPDATE/etc/alcasar.conf; then |
if [ -f /etc/dnsmasq-whitelist.conf ] && grep -iq "SafeSearch" /etc/dnsmasq-whitelist.conf; then |
echo 'WL_SAFESEARCH=on' >> $DIR_UPDATE/etc/alcasar.conf |
else |
echo 'WL_SAFESEARCH=off' >> $DIR_UPDATE/etc/alcasar.conf |
fi |
fi |
if ! grep -Eq '^BL_SAFESEARCH=' $DIR_UPDATE/etc/alcasar.conf; then |
if [ -f /etc/dnsmasq-blacklist.conf ] && grep -iq "SafeSearch" /etc/dnsmasq-blacklist.conf; then |
echo 'BL_SAFESEARCH=on' >> $DIR_UPDATE/etc/alcasar.conf |
else |
echo 'BL_SAFESEARCH=off' >> $DIR_UPDATE/etc/alcasar.conf |
fi |
fi |
if ! grep -Eq '^BL_PUREIP=' $DIR_UPDATE/etc/alcasar.conf; then |
if grep -Eq "^\*ip" $dg_path/lists/bannedsitelist; then |
echo 'BL_PUREIP=on' >> $DIR_UPDATE/etc/alcasar.conf |
else |
echo 'BL_PUREIP=off' >> $DIR_UPDATE/etc/alcasar.conf |
fi |
fi |
# archive file creation |
cd /var/tmp |
cd /var/tmp || { echo "Unable to find /var/tmp directory"; } |
tar -cf alcasar-conf.tar conf/ |
gzip -f alcasar-conf.tar |
rm -rf $DIR_UPDATE |
109,7 → 131,7 |
;; |
--load|-load) |
cd /var/tmp |
cd /var/tmp || { echo "Unable to find /var/tmp directory"; } |
tar -xf alcasar-conf*.tar.gz |
######################### modifications between versions ####################### |
# Retrieve the previous version |
123,7 → 145,7 |
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2-` |
domainNames="$HOSTNAME $HOSTNAME.$DOMAIN" |
[ "$HOSTNAME" != 'alcasar' ] && domainNames="alcasar $domainNames" |
if [ $(grep -c "$PRIVATE_IP\s$domainNames" $DIR_UPDATE/etc/hosts ) -eq 0 ]; then |
if [ "$(grep -c "$PRIVATE_IP\s$domainNames" $DIR_UPDATE/etc/hosts )" -eq 0 ]; then |
cat << EOF > $DIR_UPDATE/etc/hosts |
127.0.0.1 localhost |
$PRIVATE_IP $domainNames |
130,7 → 152,7 |
EOF |
fi |
## apache & dansguardian are replaced with lighttpd & E²guardian |
if [ $(rpm -qa | grep '^\(apache\|apache-mod_php\|apache-mod_ssl\|dansguardian\)-' | wc -l) -ne 0 ]; then |
if [ "$(rpm -qa | grep '^\(apache\|apache-mod_php\|apache-mod_ssl\|dansguardian\)-' | wc -l)" -ne 0 ]; then |
rm_rpm="apache apache-mod_php apache-mod_ssl dansguardian" |
/usr/sbin/urpme --auto -a $rm_rpm 2>/dev/null |
/usr/sbin/urpme --auto --auto-orphans |
140,12 → 162,17 |
[ ! -f $DIR_UPDATE/alcasar.pem ] && (cat $DIR_UPDATE/alcasar.key; echo; cat $DIR_UPDATE/alcasar.crt) > $DIR_UPDATE/alcasar.pem |
## From 3.3.0 ## |
# add "SMS=off" in conf file |
if [ $(grep -c '^SMS=' $DIR_UPDATE/etc/alcasar.conf) -eq 0 ]; then |
if [ "$(grep -c '^SMS=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then |
echo "SMS=off" >> $DIR_UPDATE/etc/alcasar.conf |
fi |
if [ $(grep -c '^SMS_NUM=' $DIR_UPDATE/etc/alcasar.conf) -eq 0 ]; then |
if [ "$(grep -c '^SMS_NUM=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then |
echo "SMS_NUM=" >> $DIR_UPDATE/etc/alcasar.conf |
fi |
## From 3.4.0 ## |
# Fix subdomain dot position (.domain.org to domain.org.) for Unbound |
for file in $DIR_E2G/exceptionsitelist $DIR_BLACKLIST/ossi-bl*/domains $DIR_BLACKLIST/ossi-wl*/domains; do |
[ -f $file ] && $SED "s/^\.\(.*\)$/\1./g" $file |
done |
###################### End of modifications between versions ####################### |
# Retrieve the logo |
[ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/ |
155,26 → 182,26 |
cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/ |
cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/ |
cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/ |
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/ |
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/ |
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt* /etc/pki/tls/certs/ # autosigned and official if exist |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
# Import of the users database |
$DIR_BIN/alcasar-mysql.sh --import `ls $DIR_UPDATE/alcasar-users-database*` |
$DIR_BIN/alcasar-mysql.sh --import "$(ls $DIR_UPDATE/alcasar-users-database*)" |
# Retrieve local parameters |
cp -rf $DIR_UPDATE/etc/* $DIR_ETC/ |
mv -f $DIR_UPDATE/etc/hosts /etc/hosts |
chmod 755 /etc/hosts |
# Retrieve BL/WL custom files |
cp -f $DIR_UPDATE/custom_bl/exceptioniplist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/urlregexplist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/bannedsitelist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/exceptionurllist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/bannedurllist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/bannedsitelist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/exceptionurllist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/ |
cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null |
chown -R e2guardian:apache /etc/e2guardian/lists |
chmod -R g+rw /etc/e2guardian/lists |
chown -R e2guardian:apache $DIR_E2G |
chmod -R g+rw $DIR_E2G |
# Adapt DNS/URL filtering |
PARENT_SCRIPT=`basename $0` |
export PARENT_SCRIPT |
197,9 → 224,8 |
--apply|-apply) |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b" |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2` |
check=$(echo $PRIVATE_IP_MASK | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
if ! echo $PRIVATE_IP_MASK | egrep -q $PTN |
then |
echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)" |
exit 0 |
fi |
210,9 → 236,8 |
PUBLIC_GATEWAY="dhcp" |
else |
check=$(echo $PUBLIC_IP_MASK | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
if ! echo $PUBLIC_IP_MASK | egrep -q $PTN |
then |
echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)" |
exit 0 |
fi |
219,24 → 244,21 |
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1` |
PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2` |
PUBLIC_GATEWAY=`grep ^GW= $CONF_FILE|cut -d"=" -f2` |
check=$(echo $PUBLIC_GATEWAY | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
if ! echo $PUBLIC_GATEWAY | egrep -q $PTN |
then |
echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)" |
exit 0 |
fi |
fi |
DNS1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2` |
check=$(echo $DNS1 | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
if ! echo $DNS1 | egrep -q $PTN |
then |
echo "Syntax error for the IP address of the first DNS server ($DNS1)" |
exit 0 |
fi |
DNS2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2` |
check=$(echo $DNS2 | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
if ! echo $DNS2 | egrep -q $PTN |
then |
echo "Syntax error for the IP address of the second DNS server ($DNS2)" |
exit 0 |
fi |
245,10 → 267,13 |
private_network_calc |
INSTALL_DATE=`grep ^INSTALL_DATE= $CONF_FILE|cut -d"=" -f2` |
ORGANISME=`grep ^ORGANISM= $CONF_FILE|cut -d"=" -f2-` |
BL_SAFESEARCH=`grep ^BL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2` |
WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2` |
BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE|cut -d"=" -f2` |
DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2` |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
then |
if [ $DHCP_mode = "off" ] || [ $DHCP_mode = "Off" ] || [ $DHCP_mode = "OFF" ] |
if [ "$DHCP_mode" = "off" ] || [ "$DHCP_mode" = "Off" ] || [ "$DHCP_mode" = "OFF" ] |
then |
$DIR_BIN/alcasar-dhcp.sh --off |
else |
256,7 → 281,7 |
fi |
# Set the local DNS (or not) |
if [ $INT_DNS_mode = "on" ] || [ $INT_DNS_mode = "On" ] || [ $INT_DNS_mode = "ON" ] |
if [ "$INT_DNS_mode" = "on" ] || [ "$INT_DNS_mode" = "On" ] || [ "$INT_DNS_mode" = "ON" ] |
then |
$DIR_BIN/alcasar-dns-local.sh --on |
else |
263,11 → 288,40 |
$DIR_BIN/alcasar-dns-local.sh --off |
fi |
# Set the pure ip option (or not) |
if [ "$BL_PUREIP" = "off" ] || [ "$BL_PUREIP" = "Off" ] || [ "$BL_PUREIP" = "OFF" ] |
then |
bl_filter_param+="--pureip_off" |
else |
bl_filter_param+="--pureip_on" |
fi |
# Set the safesearch options (or not) |
bl_filter_param="" |
if [ "$BL_SAFESEARCH" = "on" ] || [ "$BL_SAFESEARCH" = "On" ] || [ "$BL_SAFESEARCH" = "ON" ] |
then |
bl_filter_param+="--safesearch_on " |
else |
bl_filter_param+="--safesearch_off " |
fi |
$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param |
if [ "$WL_SAFESEARCH" = "on" ] || [ "$WL_SAFESEARCH" = "On" ] || [ "$WL_SAFESEARCH" = "ON" ] |
then |
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on |
else |
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off |
fi |
# Reload the local dns configuration |
$DIR_BIN/alcasar-dns-local.sh --reload |
# Logout everybody |
$DIR_BIN/alcasar-logout.sh all |
$DIR_BIN/alcasar-logout.sh all |
# Services stop |
echo -n "Stop services : " |
for i in ntpd tinyproxy e2guardian dnsmasq dnsmasq-whitelist dnsmasq-blacklist dnsmasq-blackhole chilli network lighttpd |
for i in ntpd tinyproxy e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd |
do |
/usr/bin/systemctl stop $i && echo -n "$i, " |
done |
292,7 → 346,7 |
MTU=$MTU |
NOZEROCONF=yes |
EOF |
else |
else |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
DEVICE=$EXTIF |
BOOTPROTO=static |
317,7 → 371,7 |
$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF |
# NTP server |
$SED "/127.0.0.1/!s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap?g" /etc/ntp.conf |
# host.allow |
# host.allow |
cat <<EOF > /etc/hosts.allow |
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP |
sshd: ALL |
335,9 → 389,9 |
# MOTD |
$SED "s@'https://\(.\+\)/acc'@'https://$HOSTNAME.$DOMAIN/acc'@" /etc/mageia-release |
# Lighttpd |
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar.conf |
# FreeRADIUS Web |
$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf |
$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf |
344,7 → 398,7 |
# coova |
$SED "s/^uamallowed.*/uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
[ `grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2` == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http" |
[ "`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http" |
$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf |
$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
$SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf |
353,31 → 407,115 |
$SED "s?^uamlisten.*?uamlisten\t$PRIVATE_IP?g" /etc/chilli.conf |
# modify the DHCP static ip file. Reserve the second IP address for INTIF (the first one is for tun0). Keep previous entries |
$SED "s?^$PRIVATE_MAC.*?$PRIVATE_MAC $PRIVATE_SECOND_IP?" $DIR_ETC/alcasar-ethers $DIR_ETC/alcasar-ethers-info |
# dnsmasq |
$SED "/127.0.0.1/!s?^listen-address=.*?listen-address=$PRIVATE_IP?g" /etc/dnsmasq.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf /etc/dnsmasq-blackhole.conf |
for i in /etc/dnsmasq.conf /etc/dnsmasq-blacklist.conf |
do |
$SED "/^server=/d" $i |
echo "server=$DNS1" >> $i |
echo "server=$DNS2" >> $i |
done |
$SED "s?^address=.*?address=/#/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf |
for i in `ls $DIR_SHARE/dnsmasq-wl` |
do |
cat $DIR_SHARE/dnsmasq-wl/$i|cut -d"/" -f1,2 > /tmp/tmp_file |
$SED "s/$/\/$DNS1/" /tmp/tmp_file |
mv -f /tmp/tmp_file $DIR_SHARE/dnsmasq-wl/$i |
done |
chown root:apache $DIR_SHARE/dnsmasq-wl/* |
chmod 660 $DIR_SHARE/dnsmasq-wl/* |
$SED "s@^\([#]\?\)dhcp-range=.*@\1dhcp-range=$PRIVATE_SECOND_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h@" /etc/dnsmasq.conf |
$SED "s@^\([#]\?\)dhcp-option=option:router.*@\1dhcp-option=option:router,$PRIVATE_IP@" /etc/dnsmasq.conf |
$SED "s@^\([#]\?\)dhcp-option=option:ntp-server.*@\1dhcp-option=option:ntp-server,$PRIVATE_IP@" /etc/dnsmasq.conf |
networkDomain='localdomain' |
# networkDomain="$DOMAIN" (/!\ this domain (and its subdomains) will not be resolved by the external DNS servers) |
$SED "s?^local=.*?local=/$networkDomain/?g" $DIR_ETC/alcasar-dns-name |
$SED "s?^domain=.*?domain=$networkDomain?g" $DIR_ETC/alcasar-dns-name |
# tinyproxy |
# dnsmasq-whitelist |
$SED "/^server=/d" /etc/dnsmasq-whitelist.conf |
echo "server=$DNS1" >> /etc/dnsmasq-whitelist.conf |
echo "server=$DNS2" >> /etc/dnsmasq-whitelist.conf |
# unbound |
# removing unbound configuration files |
rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.* |
rm -f /etc/unbound/conf.d/common/forward-zone.conf |
find /etc/unbound/conf.d/common/local-dns/ ! -name "global.conf" -type f -delete |
# Configuration file for the dns servers forward-zone |
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf |
forward-zone: |
name: "." |
forward-addr: $DNS1 |
forward-addr: $DNS2 |
EOF |
# Configuration file of ALCASAR main domains for $INTIF |
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
server: |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A $PRIVATE_IP" |
EOF |
# Configuration file for lo of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf |
server: |
interface: 127.0.0.1@53 |
access-control-view: 127.0.0.1/8 lo |
view: |
name: "lo" |
view-first: yes |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A 127.0.0.1" |
local-zone: "$DOMAIN." static |
local-data: "$DOMAIN. A" |
EOF |
if [ "$HOSTNAME" != 'alcasar' ] |
then |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf |
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf |
fi |
# Configuration file for $INTIF of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@53 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
view: |
name: "$INTIF" |
view-first: yes |
EOF |
# Configuration file for $INTIF of blacklist unbound |
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@54 |
access-control: $PRIVATE_IP_MASK allow |
access-control-tag: $PRIVATE_IP_MASK "blacklist" |
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP" |
EOF |
# Configuration file for $INTIF of whitelist unbound |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@55 |
access-control: $PRIVATE_IP_MASK allow |
access-control-tag: $PRIVATE_IP_MASK "whitelist" |
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP" |
EOF |
# Configuration file for $INTIF of blackhole unbound |
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@56 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
view: |
name: "$INTIF" |
local-zone: "." redirect |
local-data: ". A $PRIVATE_IP" |
EOF |
# dhcpd |
cat <<EOF > /etc/dhcpd.conf |
ddns-update-style none; |
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK { |
option routers $PRIVATE_IP; |
option subnet-mask $PRIVATE_NETMASK; |
option domain-name-servers $PRIVATE_IP; |
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP; |
default-lease-time 21600; |
max-lease-time 43200; |
} |
EOF |
# tinyproxy |
$SED "s?^Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf |
# DG + BL |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf |
392,12 → 530,12 |
# Services start |
/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1 |
$DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli |
for i in dnsmasq dnsmasq-blackhole tinyproxy ntpd |
for i in unbound unbound-blackhole tinyproxy ntpd |
do |
sleep 1 |
/usr/bin/systemctl start $i && echo -n ", $i" |
done |
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", dnsmasq-blacklist, dnsmasq-whitelist, e2guardian, iptables" |
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", unbound-blacklist, unbound-whitelist, dnsmasq-whitelist, e2guardian, iptables" |
/usr/bin/systemctl restart lighttpd && echo -n ", lighttpd" |
fi |
# Start / Stop SSH Daemon |
417,7 → 555,7 |
fi |
fi |
# Start / Stop LDAP authentification |
if [ LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ] |
if [ $LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ] |
then |
$DIR_BIN/alcasar-ldap.sh |
fi |
424,7 → 562,7 |
echo |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "Argument inconnu : $1"; |
echo "$usage" |
exit 1 |
;; |
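Review bot: In the `--apply` branch the pure-ip flag never reaches `alcasar-url_filter_bl.sh`: `bl_filter_param+="--pureip_off"` / `--pureip_on` is appended first, and then `bl_filter_param=""` under `# Set the safesearch options (or not)` wipes it before the safesearch flag is appended and the script is invoked, so `BL_PUREIP` is read from the conf file but silently ignored. Moving the `bl_filter_param=""` reset above the `# Set the pure ip option (or not)` comment fixes the ordering, and the two pure-ip values need the same trailing space as the safesearch ones (`bl_filter_param+="--pureip_off "`, `bl_filter_param+="--pureip_on "`), otherwise the unquoted expansion at `$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param` passes `--pureip_on--safesearch_on` as a single word. This assumes the filter script takes the two options as separate arguments, which the `+=` with trailing spaces strongly suggests. The `--apply` case continues outside this section's hunks.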
/scripts/alcasar-daemon.sh |
---|
16,7 → 16,7 |
LDAP=${LDAP:=off} |
INTIF=`grep ^INTIF= $conf_file|cut -d"=" -f2` # INTIF name |
EXTIF=`grep ^EXTIF= $conf_file|cut -d"=" -f2` # EXTIF name |
SERVICES="mysqld lighttpd php-fpm ntpd havp dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd tinyproxy nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd" |
SERVICES="mysqld lighttpd php-fpm ntpd havp unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd tinyproxy nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd" |
nb_available_srv=`echo $SERVICES|wc -w` |
function ServiceTest () { |
/scripts/alcasar-dhcp.sh |
---|
12,7 → 12,6 |
SED="/bin/sed -i" |
CHILLI_CONF_FILE="/etc/chilli.conf" |
ALCASAR_CONF_FILE="/usr/local/etc/alcasar.conf" |
DNSMASQ_CONF_FILE="/etc/dnsmasq.conf" |
# define DHCP parameters (LAN side) |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $ALCASAR_CONF_FILE|cut -d"=" -f2` |
72,7 → 71,6 |
$SED "s?^DHCP.*?DHCP=on?g" $ALCASAR_CONF_FILE |
$SED "s?^dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE |
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE |
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE |
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
87,4 → 85,3 |
exit 1 |
;; |
esac |
/scripts/alcasar-dns-local.sh |
---|
1,7 → 1,7 |
#!/bin/bash |
# $Id$ |
# alcasar-dns-interne.sh |
# alcasar-dns-local.sh |
# by Rexy - 3abtux |
# This script is distributed under the Gnu General Public License (GPL) |
11,17 → 11,17 |
SED="/bin/sed -i" |
ALCASAR_CONF_FILE="/usr/local/etc/alcasar.conf" |
DNSMASQ_CONF_FILE="/etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf" |
LOCAL_DOMAIN_CONF_FILE="/usr/local/etc/alcasar-dns-name" |
LOCAL_DOMAIN_CONF_FILE="/etc/unbound/conf.d/common/local-forward/dns-redirector.conf" |
LOCAL_HOSTNAME_FILE="/etc/hosts" |
LOCAL_DNS_FILE="/etc/unbound/conf.d/common/local-dns/global.conf" |
# define DNS parameters (LAN side) |
INT_DNS_DOMAIN=`grep INT_DNS_DOMAIN $ALCASAR_CONF_FILE|cut -d"=" -f2` # Nom du domaine DNS interne |
INT_DNS_DOMAIN=`grep INT_DNS_DOMAIN $ALCASAR_CONF_FILE|cut -d"=" -f2` # Nom du domaine DNS interne |
INT_DNS_IP=`grep INT_DNS_IP $ALCASAR_CONF_FILE|cut -d"=" -f2` # Adresse du serveur DNS interne |
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $ALCASAR_CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne |
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $ALCASAR_CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne |
usage="Usage: alcasar-dns-interne.sh {--on | -on} | {--off | -off} | {--add | -add}" |
usage="Usage: alcasar-dns-local.sh {--on | -on} | {--off | -off} | {--add | -add} ip domain | {--del | -del} ip domain | {--reload | -reload}" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
29,13 → 29,31 |
echo "$usage" |
exit 1 |
fi |
function restart_dns(){ |
for dns in dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole |
for dns in unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole |
do |
systemctl restart $dns |
done |
} |
function hosts_to_unbound(){ |
# Empty the local DNS file |
echo "server:" > $LOCAL_DNS_FILE |
while read -r line |
do |
ip_address=$(echo $line | awk '{ print $1 }') |
domain=$(echo $line | awk '{ print $2 }') |
if ! echo $line | grep -E -q "^([0-9\.\t ]+alcasar( |$)|127\.0\.0)" |
then |
echo -e "\tlocal-zone: \"$domain\" redirect" >> $LOCAL_DNS_FILE |
echo -e "\tlocal-data: \"$domain A $ip_address\"" >> $LOCAL_DNS_FILE |
fi |
done < $LOCAL_HOSTNAME_FILE |
} |
case $args in |
-\? | -h | --h) |
echo "$usage" |
47,7 → 65,12 |
echo "$usage" |
exit 1 |
else |
# removing if already exists |
$SED "/^$2\t$3/d" $LOCAL_HOSTNAME_FILE |
# adding to the hosts file |
echo -e "$2\t$3" >> $LOCAL_HOSTNAME_FILE |
hosts_to_unbound |
restart_dns |
fi |
;; |
57,26 → 80,41 |
echo "$usage" |
exit 1 |
else |
$SED "/^$2\t$3/d" SLOCAL_HOSTNAME_FILE |
$SED "/^$2\t$3/d" $LOCAL_HOSTNAME_FILE |
hosts_to_unbound |
restart_dns |
fi |
;; |
--reload|-reload) |
hosts_to_unbound |
restart_dns |
;; |
--off|-off) # disable DNS redirector |
$SED "s?^#filterwin2k.*?filterwin2k?g" $DNSMASQ_CONF_FILE |
$SED "s?^server.*?#&?g" $LOCAL_DOMAIN_CONF_FILE |
#$SED "s?^#filterwin2k.*?filterwin2k?g" $DNSMASQ_CONF_FILE |
rm -f $LOCAL_DOMAIN_CONF_FILE |
$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=off?g" $ALCASAR_CONF_FILE |
restart_dns |
# Reload firewall |
/usr/local/bin/alcasar-iptables.sh |
;; |
--on|-on) # enable DHCP service on all range of IP addresses |
$SED "s?^filterwin2k.*?#filterwin2k?g" $DNSMASQ_CONF_FILE |
$SED "s?^server=/.*?server=/$INT_DNS_DOMAIN/$INT_DNS_IP?g" $LOCAL_DOMAIN_CONF_FILE |
$SED "s?^#server=/.*?server=/$INT_DNS_DOMAIN/$INT_DNS_IP?g" $LOCAL_DOMAIN_CONF_FILE |
--on|-on) # enable DNS redirector |
#$SED "s?^filterwin2k.*?#filterwin2k?g" $DNSMASQ_CONF_FILE |
cat > $LOCAL_DOMAIN_CONF_FILE << EOF |
server: |
local-zone: "$INT_DNS_DOMAIN." transparent |
forward-zone: |
name: "$INT_DNS_DOMAIN." |
forward-addr: $INT_DNS_IP |
EOF |
$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=on?g" $ALCASAR_CONF_FILE |
restart_dns |
# Reload firewall |
/usr/local/bin/alcasar-iptables.sh |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "Argument inconnu : $1"; |
echo "$usage" |
exit 1 |
;; |
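Review bot: `hosts_to_unbound` writes a `local-zone`/`local-data` pair for every `/etc/hosts` line that the grep does not exclude, including blank and `#` comment lines, for which `domain` and `ip_address` are empty; that produces `local-zone: "" redirect` and `local-data: " A "` in `global.conf`, which unbound is unlikely to accept, and because `restart_dns` runs immediately afterwards a single stray line in the hosts file can take every resolver down. A guard at the top of the loop body such as `case "$line" in ''|\#*) continue ;; esac` followed by `[ -z "$domain" ] && continue` keeps the generated file to well-formed entries. Note also that only the second field is taken, so any further aliases on a hosts line are dropped without warning — worth a comment if that is intentional.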
/scripts/alcasar-file-clean.sh |
---|
29,17 → 29,3 |
chown root:apache $file |
chmod 660 $file |
done |
#update dnsmasq-blackhole with uamallowed domains ($ALCASAR_UAMDOMAIN) |
#remove old configuration |
sed -i '/^server=/d' /etc/dnsmasq-blackhole.conf |
for domain in $(cat $ALCASAR_UAMDOMAIN | cut -d' ' -f1) |
do |
domain_exception="server=/$(echo $domain | cut -d'"' -f2)/#" |
sed -i "/conf-file/a$domain_exception" /etc/dnsmasq-blackhole.conf |
done |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't restart on install stage |
then |
systemctl restart dnsmasq-blackhole |
fi |
/scripts/alcasar-importcert.sh |
173,7 → 173,7 |
fi |
domainName $cert |
certImport $cert $key $sc |
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist lighttpd |
for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd |
do |
echo "restarting $services"; systemctl restart $services; sleep 1 |
done |
184,7 → 184,7 |
echo "Restoring default certificate" |
defaultCert |
defaultNdd |
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist lighttpd |
for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd |
do |
echo "restarting $services"; systemctl restart $services; sleep 1 |
done |
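Review bot: The restart loop on the new `for services in chilli unbound …` line still runs `systemctl restart $services; sleep 1` without checking the status, so a unit that fails to come back with the imported certificate (or a unit name that no longer exists) is only visible in the journal; `systemctl restart "$services" || echo "restart of $services failed" >&2` would surface it at the point of use. The same loop appears in the second hunk of this file. `dnsmasq-whitelist` stays in the list beside `unbound-whitelist`, which may well be intentional, but a short comment on the line would save the next reader the question.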
/scripts/alcasar-iptables.sh |
33,6 → 33,8 |
dns1=${dns1:=208.67.220.220} |
dns2=${dns2:=208.67.222.222} |
DNSSERVERS="$dns1,$dns2" # first and second public DNS servers |
INT_DNS_IP=`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2` # Adresse du serveur DNS interne |
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
45,6 → 47,12 |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # Site Direct (no havp and no filtrage) for user BL |
# Allow requests to internal DNS if activated |
if [ "$INT_DNS_ACTIVE" = "on" ] |
then |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP" |
fi |
# Sauvegarde des SET des utilisateurs connectés si ils existent |
# Saving SET of connected users if it exists |
ipset list not_filtered 1>/dev/null 2>&1 |
111,7 → 119,7 |
# Suppression des ip réhabilitées / Removing of rehabilitated ip |
for ip in $(cat $IP_REHABILITEES) |
do |
ipset del bl_ip_blocked $ip |
ipset -q del bl_ip_blocked $ip |
done |
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés |
118,11 → 126,11 |
ipset create site_direct hash:net hashsize 1024 |
for site in $(cat $SITE_DIRECT) |
do |
ipset add site_direct $site |
ipset add site_direct $site |
done |
###### WL set ########### |
# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading |
# taille fixe, car peuplé par dnsmasq / fixe length due to dnsmasq dynamic loading |
wl_set_length=65536 |
# Chargement Loading |
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save |
285,18 → 293,18 |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset |
# autorisation des connexion légitime à DNSMASQ (avec blacklist) |
# Allow connections for DNSMASQ (with blacklist) |
# autorisation des connexion légitime à Unbound (avec blacklist) |
# Allow connections for Unbound (with blacklist) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT |
# autorisation des connexion légitime à DNSMASQ (avec whitelist) |
# Allow connections for DNSMASQ (with whitelist) |
# autorisation des connexion légitime à Unbound (avec whitelist) |
# Allow connections for Unbound (with whitelist) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT |
# autorisation des connexion légitime à DNSMASQ (mode blackhole) |
# Allow connections for DNSMASQ (blackhole mode) |
# autorisation des connexion légitime à Unbound (mode blackhole) |
# Allow connections for Unbound (blackhole mode) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT |
386,7 → 394,7 |
do |
svc_on=`echo $svc_line|cut -b1` |
if [ $svc_on != "#" ] |
then |
then |
svc_name=`echo $svc_line|cut -d" " -f1` |
svc_port=`echo $svc_line|cut -d" " -f2` |
if [ $svc_name = "icmp" ] |
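Review bot: The new `if [ "$INT_DNS_ACTIVE" = "on" ]` block appends `$INT_DNS_IP` to DNSSERVERS without checking that it is non-empty, so a configuration with the flag on and no address yields `DNSSERVERS="$dns1,$dns2,"`, and the trailing comma will be rejected wherever that list is placed in an iptables rule (the use is outside this hunk). `if [ "$INT_DNS_ACTIVE" = "on" ] && [ -n "$INT_DNS_IP" ]` avoids it. The two new `grep INT_DNS_… $CONF_FILE|cut` reads are unanchored and unquoted, so a commented-out or duplicated key in the file would return several lines and the value would then be spliced into firewall rules; `grep '^INT_DNS_IP=' "$CONF_FILE" | cut -d= -f2` pins each read to the intended key, and a check that the result looks like a single IPv4 literal before it reaches iptables would be the defensive complement.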
/scripts/alcasar-rpm-download.sh |
13,7 → 13,7 |
# The kernel version we compile netflow for |
KERNEL="kernel-server-4.14.89-1.mga6-1-1.mga6" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq netcat-traditional" |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq dhcp-server netcat-traditional" |
rpm_repository_sync () |
{ |
147,4 → 147,3 |
cd |
echo "Your RPM archive file is /root/rpms-$ARCH.tar.gz" |
exit 0 |
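Review bot: `unbound` does not appear in the new PACKAGES line even though the rest of this change configures and restarts unbound services; if the package is not pulled in by another step (none is visible here), a fresh install will lack the resolver while `dnsmasq` is still listed. The alcasar-urpmi.sh list at the end of the page has the same content. Either adding `unbound` to the list or a comment on the line saying where it comes from would settle it.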
/scripts/alcasar-uninstall.sh |
155,25 → 155,26 |
dnsmasq () |
{ |
echo -en "(6 if update ; 8 if uninstall) : " |
i=0 |
for list in blacklist whitelist blackhole |
do |
i=`expr $i + 1` |
[ -e /etc/dnsmasq-$list.conf ] && rm /etc/dnsmasq-$list.conf && echo -n "$i, " |
i=`expr $i + 1` |
[ -e /lib/systemd/system/dnsmasq-$list.service ] && rm /lib/systemd/system/dnsmasq-$list.service && echo -n "$i, " |
done |
echo -en "(2 if update ; 4 if uninstall) : " |
[ -e /etc/dnsmasq-whitelist.conf ] && rm /etc/dnsmasq-whitelist.conf && echo -n "1, " |
[ -e /lib/systemd/system/dnsmasq-whitelist.service ] && rm /lib/systemd/system/dnsmasq-whitelist.service && echo -n "2, " |
if [ $mode == "full" ] # don't remove dnsmasq in update mode (DHCP + DNS !) |
then |
if [ -e /lib/systemd/system/dnsmasq.service ] |
then |
[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "7, " |
[ -e /lib/systemd/system/dnsmasq.service.default ] && mv /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq.service && echo -n "8" |
fi |
[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "3, " |
[ -e /lib/systemd/system/dnsmasq.service.default ] && mv /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq.service && echo -n "4" |
fi |
} |
unbound () |
{ |
echo -en "(5) : " |
[ -e /etc/unbound/unbound.conf.default ] && mv /etc/unbound/unbound.conf.default /etc/unbound/unbound.conf && echo -n "1, " |
[ -e /etc/unbound/unbound-blacklist.conf ] && rm -f /etc/unbound/unbound-blacklist.conf && echo -n "2, " |
[ -e /etc/unbound/unbound-whitelist.conf ] && rm -f /etc/unbound/unbound-whitelist.conf && echo -n "3, " |
[ -e /etc/unbound/unbound-blackhole.conf ] && rm -f /etc/unbound/unbound-blackhole.conf && echo -n "4, " |
[ -e /etc/unbound/conf.d ] && rm -rf /etc/unbound/conf.d && echo -n "5" |
} |
cron () |
{ |
echo -en "(11) : " |
275,7 → 276,7 |
echo "----------------------------------------------------------------------------" |
echo "** Uninstall/Désinstallation d'ALCASAR **" |
echo "----------------------------------------------------------------------------" |
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy nfsen fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian dnsmasq sshd chilli" |
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfsen fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian dnsmasq sshd chilli" |
/usr/local/bin/alcasar-logout.sh all # logout everybody |
else |
echo "--------------------------------------------------------------------------" |
282,7 → 283,7 |
echo "** update/mise à jour d'ALCASAR **" |
echo "--------------------------------------------------------------------------" |
# dnsmasq & sshd should stay on to allow remote update |
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy nfsen fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli" |
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfsen fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli" |
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update |
fi |
316,7 → 317,7 |
/usr/bin/systemctl reload sshd |
fi |
echo "Reset ALCASAR main functions : " |
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat unbound dnsmasq cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
echo -en "\n- $func " |
$func |
376,4 → 377,3 |
done |
fi |
echo |
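Review bot: In update mode the new `services="… unbound unbound-blacklist …"` line (second hunk) now stops `unbound`, while the comment just above it still says that dnsmasq and sshd must stay up to allow a remote update; if unbound is now the resolver the update relies on, stopping it may break name resolution mid-update, so either drop `unbound` from this list or update the comment to say why it is safe. `dnsmasq-whitelist` remains in both lists next to `unbound-whitelist`, which reads as deliberate but deserves a one-line comment. In the new `unbound()` function the `[ -e … ] && … && echo -n` chains make the function's return status depend on whether the last file existed; the caller loop ignores it, but an explicit `return 0` at the end would document that the status carries no meaning.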
/scripts/alcasar-url_filter_bl.sh |
11,104 → 11,116 |
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine |
# Enable / disable : filter of urls containing ip address instead of domain name |
CONF_FILE="/usr/local/etc/alcasar.conf" |
DIR_DG="/etc/e2guardian/lists" |
DNSMASQ_BL_CONF="/etc/dnsmasq-blacklist.conf" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
UNBOUND_BL_DOMAIN_FILTER_CONF="/etc/unbound/conf.d/blacklist/domainfilter.conf" |
SED="/bin/sed -i" |
safesearch="Off" |
pureip="Off" |
usage="Usage: alcasar-url_filter_bl.sh { -safesearch_on or -safesearch_off } & { -pureip_on or --pureip_off }" |
usage="Usage: alcasar-url_filter_bl.sh { -safesearch_on or -safesearch_off } & { -pureip_on or -pureip_off }" |
nb_args=$# |
googledomains="google.com. google.ad. google.ae. google.com.af. google.com.ag. google.com.ai. google.al. google.am. google.co.ao. google.com.ar. google.as. google.at. google.com.au. google.az. google.ba. google.com.bd. google.be. google.bf. google.bg. google.com.bh. google.bi. google.bj. google.com.bn. google.com.bo. google.com.br. google.bs. google.bt. google.co.bw. google.by. google.com.bz. google.ca. google.cd. google.cf. google.cg. google.ch. google.ci. google.co.ck. google.cl. google.cm. google.cn. google.com.co. google.co.cr. google.com.cu. google.cv. google.com.cy. google.cz. google.de. google.dj. google.dk. google.dm. google.com.do. google.dz. google.com.ec. google.ee. google.com.eg. google.es. google.com.et. google.fi. google.com.fj. google.fm. google.fr. google.ga. google.ge. google.gg. google.com.gh. google.com.gi. google.gl. google.gm. google.gp. google.gr. google.com.gt. google.gy. google.com.hk. google.hn. google.hr. google.ht. google.hu. google.co.id. google.ie. google.co.il. google.im. google.co.in. google.iq. google.is. google.it. google.je. google.com.jm. google.jo. google.co.jp. google.co.ke. google.com.kh. google.ki. google.kg. google.co.kr. google.com.kw. google.kz. google.la. google.com.lb. google.li. google.lk. google.co.ls. google.lt. google.lu. google.lv. google.com.ly. google.co.ma. google.md. google.me. google.mg. google.mk. google.ml. google.com.mm. google.mn. google.ms. google.com.mt. google.mu. google.mv. google.mw. google.com.mx. google.com.my. google.co.mz. google.com.na. google.com.nf. google.com.ng. google.com.ni. google.ne. google.nl. google.no. google.com.np. google.nr. google.nu. google.co.nz. google.com.om. google.com.pa. google.com.pe. google.com.pg. google.com.ph. google.com.pk. google.pl. google.pn. google.com.pr. google.ps. google.pt. google.com.py. google.com.qa. google.ro. google.ru. google.rw. google.com.sa. google.com.sb. google.sc. google.se. google.com.sg. google.sh. google.si. google.sk. google.com.sl. google.sn. 
google.so. google.sm. google.sr. google.st. google.com.sv. google.td. google.tg. google.co.th. google.com.tj. google.tk. google.tl. google.tm. google.tn. google.to. google.com.tr. google.tt. google.com.tw. google.co.tz. google.com.ua. google.co.ug. google.co.uk. google.com.uy. google.co.uz. google.com.vc. google.co.ve. google.vg. google.co.vi. google.com.vn. google.vu. google.ws. google.rs. google.co.za. google.co.zm. google.co.zw. google.cat." |
youtubedomains="www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com" |
nb_args=$# |
if [ $nb_args -le 1 ] |
safesearch="" |
pureip="" |
if [ $nb_args -lt 1 ] |
then |
echo "$usage" |
nb_args=0 |
else |
while [ $nb_args -ge 1 ] |
exit 1 |
fi |
while [ $nb_args -ge 1 ] |
do |
arg=${!nb_args} |
case $arg in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
# Safe search activation |
-safesearch_on | --safesearch_on) |
safesearch="On" |
;; |
# Safe search deactivation |
-safesearch_off | --safesearch_off) |
safesearch="Off" |
;; |
# pure_ip activation |
-pureip_on | --pureip_on) |
pureip="On" |
;; |
# pureip deactivation |
-pureip_off | --pureip_off) |
pureip="Off" |
;; |
*) |
echo "Argument inconnu :$arg"; |
echo "$usage" |
exit 1 |
;; |
esac |
nb_args=$(expr $nb_args - 1) |
done |
if [ "$safesearch" == "On" ] |
then |
$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist # on décommente les lignes de regles |
# add 'SafeSearch' redirection for google searching |
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip |
# config file header |
echo "server:" > $UNBOUND_BL_DOMAIN_FILTER_CONF |
for domain in $googledomains |
do |
arg=${!nb_args} |
case $arg in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
# Safe search activation |
-safesearch_on | --safesearch_on) |
safesearch="On" |
;; |
# Safe search desactivation |
-safesearch_off | --safesearch_off) |
safesearch="Off" |
;; |
# pure_ip activation |
-pureip_on | --pureip_on) |
pureip="On" |
;; |
# pureip desactivation |
-pureip_off | --pureip_off) |
pureip="Off" |
;; |
*) |
echo "Argument inconnu :$arg"; |
echo "$usage" |
exit 1 |
;; |
esac |
nb_args=$(expr $nb_args - 1) |
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"$domain A $google_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
done |
if [ $safesearch == "On" ] |
then |
$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist # on décommente les lignes de regles |
# add 'SafeSearch' redirection for google searching |
$SED "/google/d" $DNSMASQ_BL_CONF # remove old google declaration |
google_safe_server=`host -ta forcesafesearch.google.com|cut -d" " -f4` # retrieve google forcesafesearch ip |
echo "# SafeSearch redirect server for google" >> $DNSMASQ_BL_CONF |
for gg_dnsname in $googledomains |
do |
echo "address=/$gg_dnsname/$google_safe_server" >> $DNSMASQ_BL_CONF |
done |
# add 'SafeSearch' redirection for youtube searching |
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip |
for domain in $youtubedomains |
do |
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"$domain A $youtube_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
done |
# add 'SafeSearch' redirection for bing searching |
$SED "/bing/d" $DNSMASQ_BL_CONF # remove old bing declaration |
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip |
echo "# SafeSearch redirect server for bing" >> $DNSMASQ_BL_CONF |
echo "address=/www.bing.com/$bing_safe_server" >> $DNSMASQ_BL_CONF |
# add 'SafeSearch' redirection for bing searching |
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip |
echo -e "\tlocal-zone: \"www.bing.com\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"www.bing.com A $bing_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
# add 'SafeSearch' redirection for youtube searching |
$SED "/youtube/d" $DNSMASQ_BL_CONF # remove old youtube declaration |
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip |
echo "# SafeSearch redirect server for youtube" >> $DNSMASQ_BL_CONF |
for yt_dnsname in $youtubedomains |
do |
echo "address=/$yt_dnsname/$youtube_safe_server" >> $DNSMASQ_BL_CONF |
done |
# add 'SafeSearch' redirection for qwant searching |
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip |
echo -e "\tlocal-zone: \"api.qwant.com\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"api.qwant.com A $qwant_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF |
# add 'SafeSearch' redirection for qwant searching |
$SED "/qwant/d" $DNSMASQ_BL_CONF # remove old qwant declaration |
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip |
echo "# SafeSearch redirect server for qwant" >> $DNSMASQ_BL_CONF |
echo "address=/api.qwant.com/$qwant_safe_server" >> $DNSMASQ_BL_CONF |
else |
$SED "s?^[^#]?#&?g" $DIR_DG/urlregexplist |
$SED "/google/d" $DNSMASQ_BL_CONF |
$SED "/bing/d" $DNSMASQ_BL_CONF |
$SED "/youtube/d" $DNSMASQ_BL_CONF |
$SED "/qwant/d" $DNSMASQ_BL_CONF |
fi |
if [ $pureip == "On" ] |
then |
$SED "s/^\#\*ip$/*ip/g" $DIR_DG/bannedsitelist |
$SED "s/^\#\*ips$/*ips/g" $DIR_DG/bannedsitelist |
else |
$SED "s/^\*ip$/#*ip/g" $DIR_DG/bannedsitelist |
$SED "s/^\*ips$/#*ips/g" $DIR_DG/bannedsitelist |
fi |
$SED 's/^BL_SAFESEARCH=.*/BL_SAFESEARCH=on/g' $CONF_FILE |
elif [ "$safesearch" == "Off" ] |
then |
$SED "s?^[^#]?#&?g" $DIR_DG/urlregexplist |
[ -e $UNBOUND_BL_DOMAIN_FILTER_CONF ] && rm -f $UNBOUND_BL_DOMAIN_FILTER_CONF |
$SED 's/^BL_SAFESEARCH=.*/BL_SAFESEARCH=off/g' $CONF_FILE |
fi |
if [ "$pureip" == "On" ] |
then |
$SED "s/^\#\*ip$/*ip/g" $DIR_DG/bannedsitelist |
$SED "s/^\#\*ips$/*ips/g" $DIR_DG/bannedsitelist |
$SED 's/^BL_PUREIP=.*/BL_PUREIP=on/g' $CONF_FILE |
elif [ "$pureip" == "Off" ] |
then |
$SED "s/^\*ip$/#*ip/g" $DIR_DG/bannedsitelist |
$SED "s/^\*ips$/#*ips/g" $DIR_DG/bannedsitelist |
$SED 's/^BL_PUREIP=.*/BL_PUREIP=off/g' $CONF_FILE |
fi |
systemctl restart e2guardian |
systemctl restart dnsmasq-blacklist |
fi |
systemctl restart unbound-blacklist |
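Review bot: The four `host -ta … | grep "address" | cut -d" " -f4` lookups in the `safesearch == "On"` branch are written straight into `local-data` records without checking the result, so a failed lookup produces a record like `local-data: "google.com. A "` and a multi-answer lookup embeds a newline in it; unbound-blacklist then refuses the file on the restart at the end of the script, which leaves filtered users without a working resolver. The same pattern is in alcasar-url_filter_wl.sh, where an empty value additionally yields a bare `add wl_ip_allowed ` line in the ipset file. I would resolve through a small helper that keeps only the first IPv4 answer and aborts before touching the config when nothing comes back, as below.
```shell
# Resolve NAME to its first IPv4 address; fail rather than write an empty record
resolve_a() {
	local addr
	addr=$(host -t a "$1" | awk '/has address/ && $4 ~ /^[0-9.]+$/ { print $4; exit }')
	[ -n "$addr" ] || { echo "Cannot resolve $1 - SafeSearch configuration not changed" >&2; return 1; }
	printf '%s\n' "$addr"
}
# … unchanged: argument parsing …
if [ "$safesearch" == "On" ]
then
	google_safe_server=$(resolve_a forcesafesearch.google.com) || exit 1
	youtube_safe_server=$(resolve_a restrict.youtube.com) || exit 1
	bing_safe_server=$(resolve_a strict.bing.com) || exit 1
	qwant_safe_server=$(resolve_a safeapi.qwant.com) || exit 1
	$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist
	echo "server:" > $UNBOUND_BL_DOMAIN_FILTER_CONF
	# … unchanged: local-zone / local-data generation using the four variables …
```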
/scripts/alcasar-url_filter_wl.sh |
11,93 → 11,93 |
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine |
# Enable / disable : filter of urls containing ip address instead of domain name |
TINY_CONF="/etc/tinyproxy/tinyproxy.conf" |
DNSMASQ_WL_CONF="/etc/dnsmasq-whitelist.conf" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
UNBOUND_WL_DOMAIN_FILTER_CONF="/etc/unbound/conf.d/whitelist/domainfilter.conf" |
IP_WL="/usr/local/share/iptables-wl-enabled/ossi-ip-safesearch" |
CONF_FILE="/usr/local/etc/alcasar.conf" |
SED="/bin/sed -i" |
safesearch="Off" |
usage="Usage: alcasar-url_filter_wl.sh { -safesearch_on or -safesearch_off }" |
nb_args=$# |
googledomains="google.com. google.ad. google.ae. google.com.af. google.com.ag. google.com.ai. google.al. google.am. google.co.ao. google.com.ar. google.as. google.at. google.com.au. google.az. google.ba. google.com.bd. google.be. google.bf. google.bg. google.com.bh. google.bi. google.bj. google.com.bn. google.com.bo. google.com.br. google.bs. google.bt. google.co.bw. google.by. google.com.bz. google.ca. google.cd. google.cf. google.cg. google.ch. google.ci. google.co.ck. google.cl. google.cm. google.cn. google.com.co. google.co.cr. google.com.cu. google.cv. google.com.cy. google.cz. google.de. google.dj. google.dk. google.dm. google.com.do. google.dz. google.com.ec. google.ee. google.com.eg. google.es. google.com.et. google.fi. google.com.fj. google.fm. google.fr. google.ga. google.ge. google.gg. google.com.gh. google.com.gi. google.gl. google.gm. google.gp. google.gr. google.com.gt. google.gy. google.com.hk. google.hn. google.hr. google.ht. google.hu. google.co.id. google.ie. google.co.il. google.im. google.co.in. google.iq. google.is. google.it. google.je. google.com.jm. google.jo. google.co.jp. google.co.ke. google.com.kh. google.ki. google.kg. google.co.kr. google.com.kw. google.kz. google.la. google.com.lb. google.li. google.lk. google.co.ls. google.lt. google.lu. google.lv. google.com.ly. google.co.ma. google.md. google.me. google.mg. google.mk. google.ml. google.com.mm. google.mn. google.ms. google.com.mt. google.mu. google.mv. google.mw. google.com.mx. google.com.my. google.co.mz. google.com.na. google.com.nf. google.com.ng. google.com.ni. google.ne. google.nl. google.no. google.com.np. google.nr. google.nu. google.co.nz. google.com.om. google.com.pa. google.com.pe. google.com.pg. google.com.ph. google.com.pk. google.pl. google.pn. google.com.pr. google.ps. google.pt. google.com.py. google.com.qa. google.ro. google.ru. google.rw. google.com.sa. google.com.sb. google.sc. google.se. google.com.sg. google.sh. google.si. google.sk. google.com.sl. google.sn. 
google.so. google.sm. google.sr. google.st. google.com.sv. google.td. google.tg. google.co.th. google.com.tj. google.tk. google.tl. google.tm. google.tn. google.to. google.com.tr. google.tt. google.com.tw. google.co.tz. google.com.ua. google.co.ug. google.co.uk. google.com.uy. google.co.uz. google.com.vc. google.co.ve. google.vg. google.co.vi. google.com.vn. google.vu. google.ws. google.rs. google.co.za. google.co.zm. google.co.zw. google.cat." |
youtubedomains="www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com" |
nb_args=$# |
if [ $nb_args -le 0 ] |
then |
echo "$usage" |
nb_args=0 |
else |
while [ $nb_args -ge 1 ] |
exit 1 |
fi |
while [ $nb_args -ge 1 ] |
do |
arg=${!nb_args} |
case $arg in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
# Safe search activation |
-safesearch_on | --safesearch_on) |
safesearch="On" |
;; |
# Safe search desactivation |
-safesearch_off | --safesearch_off) |
safesearch="Off" |
;; |
*) |
echo "Argument inconnu : $arg"; |
echo "$usage" |
exit 1 |
;; |
esac |
nb_args=$(expr $nb_args - 1) |
done |
if [ $safesearch == "On" ] |
then |
[ -e $IP_WL ] && rm -f $IP_WL |
# add 'SafeSearch' redirection for google searching |
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip |
# config file header |
echo "server:" > $UNBOUND_WL_DOMAIN_FILTER_CONF |
for domain in $googledomains |
do |
arg=${!nb_args} |
case $arg in |
-\? | -h* | --h*) |
echo "$usage" |
exit 0 |
;; |
# Safe search activation |
-safesearch_on | --safesearch_on) |
safesearch="On" |
;; |
# Safe search desactivation |
-safesearch_off | --safesearch_off) |
safesearch="Off" |
;; |
*) |
echo "Argument inconnu :$arg"; |
echo "$usage" |
exit 1 |
;; |
esac |
nb_args=$(expr $nb_args - 1) |
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"$domain A $google_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
done |
if [ $safesearch == "On" ] |
then |
if [ -e $IP_WL ] |
then |
rm $IP_WL # remove old google declaration |
fi |
echo "add wl_ip_allowed $google_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for google searching |
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip |
$SED "/google/d" $DNSMASQ_WL_CONF # remove old google declaration |
echo "# SafeSearch redirect server for google" >> $DNSMASQ_WL_CONF |
for bing_dnsname in $googledomains |
do |
echo "address=/$bing_dnsname/$google_safe_server" >> $DNSMASQ_WL_CONF |
done |
echo "add wl_ip_allowed $google_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for youtube searching |
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip |
for domain in $youtubedomains |
do |
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"$domain A $youtube_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
done |
echo "add wl_ip_allowed $youtube_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for bing searching |
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip |
$SED "/bing/d" $DNSMASQ_WL_CONF # remove old bing declaration |
echo "# SafeSearch redirect server for bing" >> $DNSMASQ_WL_CONF |
echo "address=/www.bing.com/$bing_safe_server" >> $DNSMASQ_WL_CONF |
echo "add wl_ip_allowed $bing_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for bing searching |
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip |
echo -e "\tlocal-zone: \"www.bing.com\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"www.bing.com A $bing_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo "add wl_ip_allowed $bing_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for youtube searching |
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip |
$SED "/youtube/d" $DNSMASQ_WL_CONF # remove old youtube declaration |
echo "# SafeSearch redirect server for youtube" >> $DNSMASQ_WL_CONF |
for yt_dnsname in $youtubedomains |
do |
echo "address=/$yt_dnsname/$youtube_safe_server" >> $DNSMASQ_WL_CONF |
done |
echo "add wl_ip_allowed $youtube_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for qwant searching |
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip |
echo -e "\tlocal-zone: \"api.qwant.com\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo -e "\tlocal-data: \"api.qwant.com A $qwant_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF |
echo "add wl_ip_allowed $qwant_safe_server" >> $IP_WL |
# add 'SafeSearch' redirection for qwant searching |
$SED "/qwant/d" $DNSMASQ_WL_CONF # remove old qwant declaration |
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip |
echo "# SafeSearch redirect server for qwant" >> $DNSMASQ_WL_CONF |
echo "address=/api.qwant.com/$qwant_safe_server" >> $DNSMASQ_WL_CONF |
else |
$SED "/google/d" $DNSMASQ_WL_CONF |
$SED "/bing/d" $DNSMASQ_WL_CONF |
$SED "/youtube/d" $DNSMASQ_WL_CONF |
$SED "/qwant/d" $DNSMASQ_WL_CONF |
rm $IP_WL |
fi |
systemctl restart dnsmasq-whitelist |
$SED 's/^WL_SAFESEARCH=.*/WL_SAFESEARCH=on/g' $CONF_FILE |
else |
[ -e $UNBOUND_WL_DOMAIN_FILTER_CONF ] && rm -f $UNBOUND_WL_DOMAIN_FILTER_CONF |
[ -e $IP_WL ] && rm -f $IP_WL |
$SED 's/^WL_SAFESEARCH=.*/WL_SAFESEARCH=off/g' $CONF_FILE |
fi |
systemctl restart unbound-whitelist |
/scripts/alcasar-urpmi.sh |
14,7 → 14,7 |
# The kernel version we compile netflow for |
KERNEL="kernel-server-4.14.89-1.mga6-1-1.mga6" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq netcat-traditional" |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq dhcp-server netcat-traditional" |
rpm_repository_sync () |
{ |