
Ignore whitespace Rev 2687 → Rev 2688

/CHANGELOG
1,6 → 1,17
# $Id$
 
********** ALCASAR CHANGELOG **********
-------------------- 3.4.0 --------------------
NEWS
- Replace DNSmasq server with Unbound
 
BUGS
- Fix listening address for nfcapd (was 0.0.0.0 instead of 127.0.0.1)
- Fix some typo
 
CHANGES
- Improve script syntax
 
-------------------- 3.3.3 --------------------
NEWS
- Linux Kernel 4.14.89
/alcasar.sh
18,7 → 18,7
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
 
# Options :
# -i or --install
39,9 → 39,10
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
# ulogd : log system in userland (match NFLOG target of iptables)
# nfsen : Configuration of Nfsen Netflow grapher
# dnsmasq : Name server configuration
# unbound : Name server configuration
# dnsmasq : Name server configuration (for whitelist ipset support)
# vnstat : little network stat daemon
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
# cron : Logs export + watchdog + connexion statistics
# fail2ban : Fail2ban IDS installation and configuration
# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
65,7 → 66,7
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (unbound for instance)
CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
# ******* DBMS parameters - paramètres SGBD ********
132,7 → 133,7
old="$IFS"
IFS=","
set $fic
for i in $*
for i in "$@"
do
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
then
160,7 → 161,7
fi
IFS="$old"
if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
then
then
if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
then
echo
187,7 → 188,7
then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
else echo "The OS must be replaced (Mageia6-64bits)"
fi
exit 0
exit 1
fi
 
# Test if ALCASAR is already installed
215,8 → 216,8
# Retrieve former NICname
EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-` # EXTernal InterFace
INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-` # INTernal InterFace
[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
# Create the current conf file
$DIR_SCRIPTS/alcasar-conf.sh --create
mode="update"
225,7 → 226,7
# Test free space on /var
if [ ! -d /var/log/netflow/porttracker ]
then
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
if [ $free_space -lt 10 ]
then
if [ $Lang == "fr" ]
283,7 → 284,7
[ -z "$response" ] && response="$interfacePreferred"
 
# Check if interface exist
if [ $(echo "$interfacesList" | grep -c "^$response\$") -eq 1 ]; then
if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
INTIF="$response"
break
else
305,11 → 306,11
else echo -n "Network parameters tests: "
fi
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
cd /etc/sysconfig/network-scripts/
cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
for i in $IF_INTERFACES
do
if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
rm -f ifcfg-$i
 
if [ $Lang == "fr" ]
318,7 → 319,7
fi
fi
done
cd $DIR_INSTALL
cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
echo -n "."
# Test Ethernet NIC links state
interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
342,7 → 343,7
PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
then
if [ $Lang == "fr" ]
then
367,7 → 368,7
fi
echo -n "."
# Test if default GW is set on EXTIF (router or ISP provider equipment)
if [ `/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default '` -ne 1 ] ; then
if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
if [ $Lang == "fr" ]
then
echo -e "\nÉchec"
383,7 → 384,7
echo -n "."
# Test if default GW is alive
arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
if [ $(expr $arp_reply) -eq 0 ]
if [ "$(expr $arp_reply)" -eq 0 ]
then
if [ $Lang == "fr" ]
then
438,7 → 439,7
fi
read ORGANISME
if [ "$ORGANISME" == "" ]
then
then
ORGANISME=!
fi
done
447,7 → 448,7
# We create random passwords and shared secrets
rm -f $PASSWD_FILE
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
grep -v '[eE]nter password:' | \
459,17 → 460,17
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
echo "GRUB2_user=root" >> $PASSWD_FILE
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
echo "db_root=$mysqlpwd" >> $PASSWD_FILE
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
echo "db_user=$DB_USER" >> $PASSWD_FILE
echo "db_password=$radiuspwd" >> $PASSWD_FILE
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
echo "secret_uam=$secretuam" >> $PASSWD_FILE
secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
echo "secret_radius=$secretradius" >> $PASSWD_FILE
chmod 640 $PASSWD_FILE
535,7 → 536,7
read PRIVATE_IP_MASK
done
else
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
fi
else
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
549,7 → 550,7
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2` # network prefix (ie. 24)
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
then
then
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
fi
558,10 → 559,6
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4` # last octet of LAN broadcast
PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF
# Define Internet parameters
if [ "$mode" != "update" ]
611,7 → 608,7
#########################################################################################################
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
if [ $IP_SETTING == "dhcp" ]
then
then
echo "PUBLIC_IP=dhcp" >> $CONF_FILE
echo "GW=dhcp" >> $CONF_FILE
else
644,7 → 641,7
# write EXTIF (Internet) config
[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
if [ $IP_SETTING == "dhcp" ]
then
then
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=dhcp
661,7 → 658,7
USERCTL=no
MTU=$MTU
EOF
else
else
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=static
758,10 → 755,10
# load ipt_NETFLOW module
echo "ipt_NETFLOW" >> /etc/modprobe.preload
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
#
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
} # End of network ()
823,8 → 820,8
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
 
845,15 → 842,16
 
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
 
[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
 
chown -R apache:apache /var/log/lighttpd
/usr/bin/systemctl start lighttpd
/usr/bin/systemctl start php-fpm
860,16 → 858,16
 
# Creation of the first account (in 'admin' profile)
if [ "$mode" = "install" ]
then
header_install
then
header_install
# Creation of keys file for the admin account ("admin")
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
mkdir -p $DIR_DEST_ETC/digest
chmod 755 $DIR_DEST_ETC/digest
until [ -s $DIR_DEST_ETC/digest/key_admin ]
do
$DIR_DEST_BIN/alcasar-profil.sh --add admin
done
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
mkdir -p $DIR_DEST_ETC/digest
chmod 755 $DIR_DEST_ETC/digest
until [ -s $DIR_DEST_ETC/digest/key_admin ]
do
$DIR_DEST_BIN/alcasar-profil.sh --add admin
done
fi
 
# Run after coova (in order to wait tun0 to be up)
919,7 → 917,7
EOF
chown -R ntp:ntp /var/lib/ntp
# Synchronize now
ntpd -q -g &
ntpd -4 -q -g &
} # End of time_server ()
 
#####################################################################
932,7 → 930,7
#####################################################################
init_db ()
{
if [ `systemctl is-active mysqld` == "active" ]
if [ "`systemctl is-active mysqld`" == "active" ]
then
systemctl stop mysqld
fi
957,16 → 955,16
echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
exit
fi
MYSQL="/usr/bin/mysql --execute"
# Secure the server
$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
 
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
# Create 'radius' database
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
# Add an empty radius database structure
mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
# modify the start script in order to close accounting connexion when the system is comming down or up
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
1051,7 → 1049,6
/usr/bin/systemctl daemon-reload
# Allow apache to change some conf files (ie : ldap on/off)
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
 
} # End freeradius ()
 
#############################################################################
1186,7 → 1183,7
#
#Code : 42 => 2a
#Len : 4 => 04
PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
cat <<EOF > /etc/chilli.conf
# coova config for ALCASAR
cmdsocket /var/run/chilli.sock
1468,7 → 1465,7
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
DirTmp=$(pwd)
cd /tmp/nfsen-*/
cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
/usr/bin/perl install.pl etc/nfsen.conf
/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
# Create RRD DB for porttracker (only in it still doesn't exist)
1505,7 → 1502,7
WantedBy=multi-user.target
EOF
# Add the listen port to collect netflow packet (nfcapd)
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
# expire delay for the profile "live"
/usr/bin/systemctl start nfsen
/bin/nfsen -m live -e 62d 2>/dev/null
1515,11 → 1512,11
# cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
# tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
# cd /tmp/
# /usr/bin/sh SURFmap/install.sh
# /usr/bin/sh SURFmap/install.sh
# clear the installation
# rm -rf /tmp/SURFmap*
rm -rf /tmp/nfsen-*
cd $DirTmp
cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
} # End of nfsen ()
 
1531,7 → 1528,7
{
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1546,67 → 1543,14
dnsmasq ()
{
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
cat << EOF > /etc/dnsmasq.conf
# Configuration file for "dnsmasq in forward mode"
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
listen-address=$PRIVATE_IP
pid-file=/var/run/dnsmasq.pid
listen-address=127.0.0.1
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=2048
domain-needed
expand-hosts
bogus-priv
filterwin2k
server=$DNS1
server=$DNS2
# DHCP service is configured. It will be enabled in "bypass" mode
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
#dhcp-option=option:router,$PRIVATE_IP
#dhcp-option=option:ntp-server,$PRIVATE_IP
 
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
EOF
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
cat << EOF > /etc/dnsmasq-blacklist.conf
# Configuration file for "dnsmasq with blacklist"
# Add Toulouse University blacklist domains
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
pid-file=/var/run/dnsmasq-blacklist.pid
listen-address=$PRIVATE_IP
port=54
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=2048
domain-needed
expand-hosts
bogus-priv
filterwin2k
log-queries
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
server=$DNS1
server=$DNS2
EOF
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
cat << EOF > /etc/dnsmasq-whitelist.conf
# Configuration file for "dnsmasq with whitelist"
# ADD Toulouse university whitelist domains
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
pid-file=/var/run/dnsmasq-whitelist.pid
listen-address=$PRIVATE_IP
listen-address=127.0.0.1
port=55
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=1024
1614,60 → 1558,228
expand-hosts
bogus-priv
filterwin2k
ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
server=$DNS1
server=$DNS2
EOF
# 4th dnsmasq listen on udp 56 ("blackhole")
cat << EOF > /etc/dnsmasq-blackhole.conf
# Configuration file for "dnsmasq as a blackhole"
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
pid-file=/var/run/dnsmasq-blackhole.pid
listen-address=$PRIVATE_IP
port=56
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=256
domain-needed
expand-hosts
bogus-priv
filterwin2k
 
# Create dnsmasq-whitelist unit
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
} # End dnsmasq
 
##################################################
## Function "unbound" ##
##################################################
unbound ()
{
[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
 
# Local static DNS configuration
[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
 
# Forward zone configuration file for all unbound dns servers
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
forward-zone:
name: "."
forward-addr: $DNS1
forward-addr: $DNS2
EOF
# file managing domain name resolution (local & remote)
cat << EOF > $DIR_DEST_ETC/alcasar-dns-name
# Vous pouvez définir ici votre nom de domain local ('localdomain' par défaut)
# Here you can define your local domain name ('localdomain' by default)
local=/localdomain/
domain=localdomain
 
## Ajouter une ligne pour chaque nom de domaine géré par un autre seveur DNS
## Add one line for each domain name managed by an other DNS server
## server=/<your_domain>/<@IP_domain_server>
## Exemple for an A.D. domain : server=/Your.Domain.AD/110.120.100.100
## Exemple for an other domain : server=/an_other_domain/10.20.30.40
 
# Custom configuration file for manual DNS configuration
cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
## Add one block for each domain name managed by an other DNS server
##
## Example:
##
## server:
## local-zone: "<your_domain>." transparent
## forward-zone:
## name: "<your_domain>."
## forward-addr: <@IP_domain_server>
##
## INFO : local hostnames are resolved in /etc/hosts file
EOF
 
# the main instance should start after network and chilli (which create tun0)
[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
for list in blacklist whitelist blackhole
# Configuration file of ALCASAR main domains for $INTIF
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
server:
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A $PRIVATE_IP"
local-zone: "$DOMAIN." static
local-data: "$DOMAIN. A"
EOF
 
# Configuration file for lo of forward unbound
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
server:
interface: 127.0.0.1@53
access-control-view: 127.0.0.1/8 lo
 
view:
name: "lo"
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A 127.0.0.1"
local-zone: "$DOMAIN." static
local-data: "$DOMAIN. A"
view-first: yes
EOF
 
# Configuration file for $INTIF of forward unbound
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@53
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
 
view:
name: "$INTIF"
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A $PRIVATE_IP"
view-first: yes
EOF
 
# Configuration file for forward unbound
cat << EOF > /etc/unbound/unbound.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
 
include: /etc/unbound/conf.d/common/forward-zone.conf
include: /etc/unbound/conf.d/common/local-forward/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/forward/*
EOF
 
# Configuration file for $INTIF of blacklist unbound
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@54
access-control: $PRIVATE_IP_MASK allow
access-control-tag: $PRIVATE_IP_MASK "blacklist"
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
EOF
 
# Configuration file for blacklist unbound
cat << EOF > /etc/unbound/unbound-blacklist.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
logfile: "/var/log/unbound/unbound-blacklist.log"
chroot: ""
define-tag: "blacklist"
log-local-actions: yes
 
include: /etc/unbound/conf.d/common/forward-zone.conf
include: /etc/unbound/conf.d/common/local-forward/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/blacklist/*
 
include: /usr/local/share/unbound-bl-enabled/*
EOF
 
# Configuration file for $INTIF of whitelist unbound
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@55
access-control: $PRIVATE_IP_MASK allow
access-control-tag: $PRIVATE_IP_MASK "whitelist"
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
EOF
 
# Configuration file for whitelist unbound
cat << EOF > /etc/unbound/unbound-whitelist.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
do-not-query-localhost: no
define-tag: "whitelist"
 
local-zone: "." transparent
local-zone-tag: "." "whitelist"
 
include: /usr/local/share/unbound-wl-enabled/*
include: /etc/unbound/conf.d/whitelist/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/common/local-forward/*
 
forward-zone:
name: "."
forward-addr: 127.0.0.1@55
EOF
 
# Configuration file for $INTIF of blackhole unbound
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@56
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
 
view:
name: "$INTIF"
local-zone: "." redirect
local-data: ". A $PRIVATE_IP"
EOF
 
# Configuration file for blackhole unbound
cat << EOF > /etc/unbound/unbound-blackhole.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
 
include: /etc/unbound/conf.d/blackhole/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/common/local-forward/*
EOF
 
if [ ! -e /lib/systemd/system/unbound.service.default ]
then
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
fi
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
 
for list in blacklist blackhole whitelist
do
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
done
} # End dnsmasq
 
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
} # End unbound
 
##########################################################
## Function "BL" ##
## - copy Toulouse BL ##
## - adapt this BL to ALCASAR architecture ##
## - domain names for dnsmasq-bl & dnasmasq-wl ##
## - domain names for unbound-bl & unbound-wl ##
## - URLs for E²guardian ##
## - IPs for NetFilter ##
##########################################################
1845,9 → 1957,9
 
# Create 'gammu' database
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
# Add a gammu database structure
mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
 
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
cat << EOF > /etc/gammurc
1972,7 → 2084,7
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
 
pwdInstall=$(pwd)
cd /tmp/acme.sh-*
cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
 
acmesh_installDir="/opt/acme.sh"
acmesh_confDir="/usr/local/etc/letsencrypt"
2004,7 → 2116,7
dateNextRenewal=
EOF
 
cd $pwdInstall
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
rm -rf /tmp/acme.sh-*
 
} # END letsencrypt()
2027,7 → 2139,7
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
# postfix banner anonymisation
$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
chown -R postfix:postfix /var/lib/postfix
# sshd liste on EXTIF & INTIF
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2052,6 → 2164,9
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
echo "BL_PUREIP=on" >> $CONF_FILE
echo "BL_SAFESEARCH=off" >> $CONF_FILE
echo "WL_SAFESEARCH=off" >> $CONF_FILE
# Prompt customisation (colors)
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2068,7 → 2183,7
# actualisation des fichiers logs compressés
for dir in firewall e2guardian lighttpd
do
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
done
# create the alcasar-load_balancing unit
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2097,13 → 2212,13
EOF
/usr/bin/systemctl daemon-reload
# processes launched at boot time (Systemctl)
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
do
/usr/bin/systemctl -q enable $i.service
done
 
# disable processes at boot time (Systemctl)
for i in ulogd gpm
for i in ulogd gpm dhcpd
do
/usr/bin/systemctl -q disable $i.service
done
2152,10 → 2267,10
if [ $Lang == "fr" ]
then
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
else
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
fi
/usr/bin/update-grub2
# Load and apply the previous conf file
2174,7 → 2289,7
chown -R root:apache $DIR_DEST_ETC/*
chmod -R 660 $DIR_DEST_ETC/*
chmod ug+x $DIR_DEST_ETC/digest
cd $DIR_INSTALL
cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
echo ""
echo "#############################################################################"
if [ $Lang == "fr" ]
2190,7 → 2305,7
echo
echo "- Lisez attentivement la documentation d'exploitation"
echo
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
echo
echo " Appuyez sur 'Entrée' pour continuer"
else
2205,7 → 2320,7
echo
echo "- Read the exploitation documentation"
echo
echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
echo
echo " Hit 'Enter' to continue"
fi
2212,7 → 2327,7
sleep 2
if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
then
read a
read
fi
clear
reboot
2228,10 → 2343,10
echo "Launch this program from the ALCASAR archive directory"
exit 0
fi
if [[ $EUID > 0 ]]
if [ $EUID -gt 0 ]
then
echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
echo "You must be "root" to install ALCASAR ('su' command)"
echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
echo "You must be \"root\" to install ALCASAR ('su' command)"
exit 0
fi
VERSION=`cat $DIR_INSTALL/VERSION`
2273,7 → 2388,7
if [ $DEBUG_ALCASAR == "on" ]
then
echo "*** 'debug' : end of cleaning ***"
read a
read
fi
# Test if manual update
if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2313,13 → 2428,13
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
mode="update"
fi
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound BL cron fail2ban gammu_smsd msec letsencrypt post_install
do
$func
if [ $DEBUG_ALCASAR == "on" ]
then
then
echo "*** 'debug' : end of install '$func' ***"
read a
read
fi
done
;;
2359,4 → 2474,3
;;
esac
# end of script
 
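--- a/conf/logrotate.d/unbound-blacklist
+++ b/conf/logrotate.d/unbound-blacklist
@@ -0,0 +1,11 @@
+/var/log/unbound/unbound-blacklist.log {
+missingok
+notifempty
+rotate 52
+weekly
+dateext
+sharedscripts
+postrotate
+/usr/bin/systemctl restart unbound-blacklist
+endscript
+}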
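Review bot: The postrotate action restarts the unbound-blacklist instance every time the log rotates, which drops its cache and interrupts blacklist resolution for clients for the duration of the restart, a heavier action than log housekeeping needs. If this instance writes its log through unbound's `logfile:` setting, `copytruncate` lets logrotate rotate without touching the daemon, e.g. replace the `sharedscripts`/`postrotate`/`endscript` block with `copytruncate`, at the cost of possibly losing a few lines written during the copy; `unbound-control log_reopen` is the loss-free alternative if remote control is enabled for this instance, which I cannot confirm from here. Note also that `compress` is absent, so rotated files stay uncompressed unless another job gzips them (the activity-report script in this revision does, so that may be intentional and worth a comment here).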
/rpms/x86_64/lib64unbound8-1.8.3-2.mga6.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/x-rpm
Property changes:
Added: svn:mime-type
+application/x-rpm
\ No newline at end of property
/rpms/x86_64/unbound-1.8.3-2.mga6.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/x-rpm
Property changes:
Added: svn:mime-type
+application/x-rpm
\ No newline at end of property
/scripts/alcasar-activity_report.sh
93,98 → 93,97
 
cat $MODEL_TABINFO | while read LINE_HTML
do
if [ "$(echo $LINE_HTML | grep 'XXORGXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^ORGANISM= $CONF_FILE | cut -d'=' -f2-)
echo ${LINE_HTML/XXORGXX/$VALUE} >> $HTML_REPORT
 
if [ $(echo $LINE_HTML | grep 'XXORGXX' | wc -l) -eq 1 ]
then
VALUE=$(grep ^ORGANISM= $CONF_FILE | cut -d'=' -f2-)
echo ${LINE_HTML/XXORGXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXINSTALLXX' | wc -l) -eq 1 ]
then
VALUE=$(grep ^INSTALL_DATE= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXINSTALLXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXAVERSIONXX' | wc -l) -eq 1 ]
then
VALUE=$(grep ^VERSION= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXAVERSIONXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXIP_PUBLICXX' | wc -l) -eq 1 ]
then
VALUE=$(grep ^PUBLIC_IP= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXIP_PUBLICXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXIP_PRIVEXX' | wc -l) -eq 1 ]
then
VALUE=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXIP_PRIVEXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXGWXX' | wc -l) -eq 1 ]
then
VALUE=$(grep ^GW= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXGWXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXDNS1XX' | wc -l) -eq 1 ]
then
VALUE=$(grep ^DNS1= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXDNS1XX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXDNS2XX' | wc -l) -eq 1 ]
then
VALUE=$(grep ^DNS2= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXDNS2XX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXHOSTXX' | wc -l) -eq 1 ]
then
VALUE=$(hostname)
echo ${LINE_HTML/XXHOSTXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXOS_VERSIONXX' | wc -l) -eq 1 ]
then
VALUE=$( echo $(uname -r) [ $(uname -m) ] )
echo ${LINE_HTML/XXOS_VERSIONXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXREBOOTXX' | wc -l) -eq 1 ]
then
VALUE=$(echo $(who -b | cut -d' ' -f12-))
echo ${LINE_HTML/XXREBOOTXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXMAJCLAMAVXX' | wc -l) -eq 1 ]
then
VALUE=$(date -d @$(rpm -qa --queryformat "%{installtime} %{name}\n" | grep -E "clamav-db" | cut -d' ' -f1 ) "+%Y-%m-%d %H:%M:%S")
echo ${LINE_HTML/XXMAJCLAMAVXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXMAJBLXX' | wc -l) -eq 1 ]
then
VALUE=$(cat /etc/e2guardian/lists/blacklists/README | grep 'Last version' | cut -d' ' -f4-6)
echo ${LINE_HTML/XXMAJBLXX/$VALUE} >> $HTML_REPORT
elif [ $(echo $LINE_HTML | grep 'XXRPMXX' | wc -l) -eq 1 ]
then
#show every ALCASAR RPM updated since X day ago
#get timestamp of X day ago. Then we get every packets chich have been updated since this date.
if [ $(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l) -gt 1 ]
elif [ "$(echo $LINE_HTML | grep 'XXINSTALLXX' | wc -l)" -eq 1 ]
then
PACKAGE='php|lighttpd|iptables|dnsmasq|radius|tinyproxy|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget'
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR
do
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1)
RPM_DATE=$(date -d @$(echo $RPM_TIMESTAMP) "+%Y-%m-%d %H:%M:%S")
RPM_NAME=$(echo $RPM_ALCASAR | cut -d' ' -f2)
RPM_VERSION=$(echo $RPM_ALCASAR | cut -d' ' -f3)
VALUE=$(grep ^INSTALL_DATE= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXINSTALLXX/$VALUE} >> $HTML_REPORT
 
echo "<tr>" >> $HTML_REPORT
echo "<td>$RPM_NAME</td>" >> $HTML_REPORT
echo "<td>$RPM_DATE</td>" >> $HTML_REPORT
echo "<td>$RPM_VERSION</td>" >> $HTML_REPORT
echo "</tr>" >> $HTML_REPORT
done
elif [ "$(echo $LINE_HTML | grep 'XXAVERSIONXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^VERSION= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXAVERSIONXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXIP_PUBLICXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^PUBLIC_IP= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXIP_PUBLICXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXIP_PRIVEXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^PRIVATE_IP= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXIP_PRIVEXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXGWXX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^GW= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXGWXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXDNS1XX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^DNS1= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXDNS1XX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXDNS2XX' | wc -l)" -eq 1 ]
then
VALUE=$(grep ^DNS2= $CONF_FILE | cut -d'=' -f2)
echo ${LINE_HTML/XXDNS2XX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXHOSTXX' | wc -l)" -eq 1 ]
then
VALUE=$(hostname)
echo ${LINE_HTML/XXHOSTXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXOS_VERSIONXX' | wc -l)" -eq 1 ]
then
VALUE=$(echo "$(uname -r) [ $(uname -m) ]")
echo ${LINE_HTML/XXOS_VERSIONXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXREBOOTXX' | wc -l)" -eq 1 ]
then
VALUE=$(who -b | cut -d' ' -f12-)
echo ${LINE_HTML/XXREBOOTXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXMAJCLAMAVXX' | wc -l)" -eq 1 ]
then
VALUE=$(date -d "@$(rpm -qa --queryformat "%{installtime} %{name}\n" | grep -E "clamav-db" | cut -d' ' -f1 )" "+%Y-%m-%d %H:%M:%S")
echo ${LINE_HTML/XXMAJCLAMAVXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXMAJBLXX' | wc -l)" -eq 1 ]
then
VALUE=$(cat /etc/e2guardian/lists/blacklists/README | grep 'Last version' | cut -d' ' -f4-6)
echo ${LINE_HTML/XXMAJBLXX/$VALUE} >> $HTML_REPORT
 
elif [ "$(echo $LINE_HTML | grep 'XXRPMXX' | wc -l)" -eq 1 ]
then
#show every ALCASAR RPM updated since X day ago
#get timestamp of X day ago. Then we get every packets chich have been updated since this date.
if [ "$(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l)" -gt 1 ]
then
PACKAGE='php|lighttpd|iptables|dnsmasq|unbound|radius|tinyproxy|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget'
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR
do
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1)
RPM_DATE=$(date -d "@$(echo $RPM_TIMESTAMP)" "+%Y-%m-%d %H:%M:%S")
RPM_NAME=$(echo $RPM_ALCASAR | cut -d' ' -f2)
RPM_VERSION=$(echo $RPM_ALCASAR | cut -d' ' -f3)
 
echo "<tr>" >> $HTML_REPORT
echo "<td>$RPM_NAME</td>" >> $HTML_REPORT
echo "<td>$RPM_DATE</td>" >> $HTML_REPORT
echo "<td>$RPM_VERSION</td>" >> $HTML_REPORT
echo "</tr>" >> $HTML_REPORT
done
else
echo "<tr><td colspan=\"3\">Pas de RPM mis à jour cette semaine</td></tr>" >> $HTML_REPORT
fi
else
echo "<tr><td colspan=\"3\">Pas de RPM mis à jour cette semaine</td></tr>" >> $HTML_REPORT
echo $LINE_HTML >> $HTML_REPORT
fi
else
echo $LINE_HTML >> $HTML_REPORT
fi
done
 
######################BL WEBSITE SINCE INSTALLATION######################
192,45 → 191,36
#find data
 
#decompress every logs
if [ $(ls -1 /var/log/dnsmasq/dnsmasq-blacklist.log.*.gz 2>/dev/null | wc -l) -ge 1 ]
if [ "$(ls -1 /var/log/unbound/unbound-blacklist.log.*.gz 2>/dev/null | wc -l)" -ge 1 ]
then
gunzip -d dnsmasq-blacklist.log.*.gz
gunzip -d unbound-blacklist.log.*.gz
fi
 
#convert logs date in timestamp and find categories of blacklisted website
for FILE in $(ls -1 /var/log/dnsmasq/ | grep 'dnsmasq-blacklist.log')
tmp_log=$(mktemp)
for FILE in /var/log/unbound/unbound-blacklist.log*
do
grep -E "info: [^ ]+ typetransparent $PRIVATE_IP" /var/log/unbound/unbound-blacklist.log > $tmp_log
while read LOG_BL
do
if [ $(echo $LOG_BL | grep config | grep $PRIVATE_IP | wc -c) -ge 1 ]
# find the current blacklisted category
website_bl=$(echo $LOG_BL | cut -d' ' -f4)
website_bl=${website_bl%?} # remove the last character
 
#we convert www.test.co.uk => test.co.uk to find the category of this website
if [ "$(grep -o '\.' <<< "$website_bl" | wc -l)" -ge "2" ]
then
#find the current blacklisted category
website_bl=$(echo $LOG_BL | cut -d' ' -f6)
#we convert www.test.co.uk => test.co.uk to find the category of this website
if [ $(grep -o '\.' <<< "$website_bl" | wc -l) -ge "2" ]
then
website_bl=$(echo $website_bl | cut -d'.' -f2-)
fi
website_bl=$(echo $website_bl | cut -d'.' -f2-)
fi
 
#get BL category
categorie_bl=$(grep -R "$website_bl/" /usr/local/share/dnsmasq-bl-enabled/ | cut -d':' -f1 | cut -d'/' -f6 | cut -d' ' -f1)
if [ $(echo $categorie_bl | wc -w) -gt 1 ]
then
categorie_bl=$(grep -R "/$website_bl/" /usr/local/share/dnsmasq-bl-enabled/ | cut -d':' -f1 | cut -d'/' -f6 | cut -d' ' -f1 | head -1)
fi
#Calculate its timestamp
Y=$(date -R | cut -d' ' -f4)
M=$(echo $LOG_BL | cut -d' ' -f1)
D=$(echo $LOG_BL | cut -d' ' -f2)
H=$(echo $LOG_BL | cut -d' ' -f3)
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s")
echo "$CURRENT_TS:$categorie_bl:" >> $TMP_BL
fi
done < /var/log/dnsmasq/$FILE
#get BL category
categorie_bl=$(grep -Rl "$website_bl" /usr/local/share/unbound-bl-enabled/ | cut -d'/' -f6 | head -1)
 
CURRENT_TS=$(echo $LOG_BL | cut -d '[' -f2 | cut -d ']' -f1)
echo "$CURRENT_TS:$categorie_bl:" >> $TMP_BL
done < $tmp_log
done
rm $tmp_log
 
#if data exists, create this section in html document
if [ -e $TMP_BL ]
244,19 → 234,18
do
DATE_1=$TS
DATE_2=$((TS-$STEP_TS))
COUNT_BL_INSTALLATION=0
COUNT_BL_INSTALLATION=0
 
for LINE in $(cat $TMP_BL)
do
TS_FILE=$(echo $LINE | cut -d':' -f1)
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ]
 
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ]
then
COUNT_BL_INSTALLATION=$((COUNT_BL_INSTALLATION+1))
 
fi
done
 
VALUE_BL_INSTALLATION_LABEL="'$(date -d @$DATE_2 "+%Y-%m-%d" )', $VALUE_BL_INSTALLATION_LABEL"
VALUE_BL_INSTALLATION_DATA="$COUNT_BL_INSTALLATION, $VALUE_BL_INSTALLATION_DATA"
done
273,41 → 262,41
cat $MODEL_CHARTJS | while read LINE_JS
do
#name of variable
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ]
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCONFXX/$CONF_BL_INSTALLATION} >> $HTML_REPORT
#chart type
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT
#chart title
elif [ $(echo $LINE_JS | grep 'XXTITLEXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTITLEXX/"Sites bloqués au total"} >> $HTML_REPORT
#chart data
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXDATAXX/$VALUE_BL_INSTALLATION_DATA} >> $HTML_REPORT
#color
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT
#labels
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_INSTALLATION_LABEL} >> $HTML_REPORT
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
elif [ $(echo $LINE_JS | grep 'XXYLABELXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXYLABELXX' | wc -l)" -eq 1 ]
then
echo "\"Nombre de site bloqué par la blacklist\"" >> $HTML_REPORT
else
321,7 → 310,7
 
 
 
######################DNSMASQ BLACKLIST######################
######################Unbound BLACKLIST######################
echo "Create BL website since $MAX_DAY_AGO days"
 
#if data exists, create BL section in html document
339,7 → 328,7
do
TS_FILE=$(echo $LINE | cut -d':' -f1)
#select only elements between DATE_1 and DATE_2
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ]
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ]
then
echo $LINE >> $TMP_BL_WEEK
fi
346,7 → 335,7
done
 
#then we count every occurence for each category in TMP_BL_WEEK
for CAT in $(ls /usr/local/share/dnsmasq-bl/ -1 | cut -d'.' -f1)
for CAT in $(ls /usr/local/share/unbound-bl/ -1 | cut -d'.' -f1)
do
echo "$CAT:$(grep -o ":$CAT:" <<< "$(cat $TMP_BL_WEEK)" | wc -l):" >> $TMP_BL_WEEK_CAT
done
354,7 → 343,7
#we sort by number of occurence and we take the top 10 BL categories
for LINE in $(sort -t':' -k2 -rn $TMP_BL_WEEK_CAT | head -n 10)
do
 
DATA=$(echo $LINE | cut -d':' -f2)
LABEL=$(echo $LINE | cut -d':' -f1)
if [ $DATA -ne 0 ]
365,7 → 354,7
done
 
#get other categories (sum them all)
if [ $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc) -gt 0 ]
if [ "$(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)" -gt 0 ]
then
VALUE_BL_DATA="$VALUE_BL_DATA $(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc)"
VALUE_BL_LABEL="$VALUE_BL_LABEL 'autre ($(cat $TMP_BL_WEEK_CAT | cut -d':' -f2 | sort -k1 -rn | tail -n+$(($(echo $VALUE_BL_DATA | wc -w)+1)) | paste -sd+ | bc))'"
382,39 → 371,39
cat $MODEL_CHARTJS | while read LINE_JS
do
#variable name
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ]
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCONFXX/$CONF_BL} >> $HTML_REPORT
#chart type
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTYPEXX/pie} >> $HTML_REPORT
#graph title
elif [ $(echo $LINE_JS | grep 'XXTITLEXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTITLEXX/"Sites bloqués cette semaine"} >> $HTML_REPORT
#chart data
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXDATAXX/$VALUE_BL_DATA} >> $HTML_REPORT
#color
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT
#labels
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLABELSXX/$VALUE_BL_LABEL} >> $HTML_REPORT
#display legend, only useful for chart pie
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLEGENDXX/true} >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ]
then
echo "/*" >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ]
then
echo "*/" >> $HTML_REPORT
else
430,12 → 419,12
echo "Create AV logs since the installation of ALCASAR"
 
#decompress every logs, if they exist
if [ $(ls -1 /var/log/havp/access.log.*.gz 2>/dev/null | wc -l) -ge 1 ]
if [ "$(ls -1 /var/log/havp/access.log.*.gz 2>/dev/null | wc -l)" -ge 1 ]
then
gunzip -d access.log.*.gz
fi
 
for FILE in $(ls -1 /var/log/havp/ | grep 'access.log')
for FILE in /var/log/havp/access.log*
do
while read LINE_AV
do
445,8 → 434,7
H=$(echo $LINE_AV | cut -d' ' -f4)
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s")
echo $CURRENT_TS >> $TMP_AV
done < /var/log/havp/$FILE
done < $FILE
done
 
if [ -e $TMP_AV ]
461,7 → 449,7
 
for TS_FILE in $(cat $TMP_AV)
do
if [ "$TS_FILE" -le "$DATE_1" -a "$TS_FILE" -ge "$DATE_2" ]
if [ "$TS_FILE" -le "$DATE_1" ] && [ "$TS_FILE" -ge "$DATE_2" ]
then
COUNT_AV=$((COUNT_AV+1))
fi
470,7 → 458,7
VALUE_AV_LABEL="'$(date -d @$DATE_2 "+%Y-%m-%d" )', $VALUE_AV_LABEL"
VALUE_AV_DATA="$COUNT_AV, $VALUE_AV_DATA"
done
 
#create Antivirus section in html document
NAME_AV='chart_av'
CONF_AV='config_av'
484,41 → 472,41
cat $MODEL_CHARTJS | while read LINE_JS
do
#name of variable
if [ $(echo $LINE_JS | grep 'XXCONFXX' | wc -l) -eq 1 ]
if [ "$(echo $LINE_JS | grep 'XXCONFXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCONFXX/$CONF_AV} >> $HTML_REPORT
#chart type
elif [ $(echo $LINE_JS | grep 'XXTYPEXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXTYPEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTYPEXX/bar} >> $HTML_REPORT
#graph title
elif [ $(echo $LINE_JS | grep 'XXTITLEXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXTITLEXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXTITLEXX/"Menaces bloqués par l\'antivirus"} >> $HTML_REPORT
#chart data
elif [ $(echo $LINE_JS | grep 'XXDATAXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXDATAXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXDATAXX/$VALUE_AV_DATA} >> $HTML_REPORT
#color
elif [ $(echo $LINE_JS | grep 'XXCOLORXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXCOLORXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXCOLORXX/$COLOR} >> $HTML_REPORT
#labels
elif [ $(echo $LINE_JS | grep 'XXLABELSXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXLABELSXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLABELSXX/$VALUE_AV_LABEL} >> $HTML_REPORT
elif [ $(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXLEGENDXX' | wc -l)" -eq 1 ]
then
echo ${LINE_JS/XXLEGENDXX/false} >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-BEGINXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
#display value of Y axis, only useful for chart bar
elif [ $(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXCOMMENT-ENDXX' | wc -l)" -eq 1 ]
then
echo "" >> $HTML_REPORT
elif [ $(echo $LINE_JS | grep 'XXYLABELXX' | wc -l) -eq 1 ]
elif [ "$(echo $LINE_JS | grep 'XXYLABELXX' | wc -l)" -eq 1 ]
then
echo "\"Nombre de menaces virales bloqués par l'antivirus\"" >> $HTML_REPORT
else
538,7 → 526,7
 
#create new htdigest user to consult statistique of ACC
#if user does not exist, we create him
if [ $(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l) -lt 1 ]
if [ "$(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l)" -lt 1 ]
then
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_only_manager
(echo -n "$tmp_account:$realm:" && echo -n "$tmp_account:$realm:$password" | md5sum | awk '{print $1}' ) >> $DIR_KEY/key_manager
557,7 → 545,7
cat $TMP_STATS_2 | sed -e 's:images/pixel.gif:../../manager/htdocs/images/pixel.gif:g' >> $HTML_REPORT
 
#we delete our user if he still exists
if [ $(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l) -ge 1 ]
if [ "$(grep "$tmp_account:" $DIR_KEY/key_only_manager | wc -l)" -ge 1 ]
then
$SED "/^$tmp_account:/d" $DIR_KEY/key_only_manager
$SED "/^$tmp_account:/d" $DIR_KEY/key_manager
595,7 → 583,7
echo "<h2>Connexion à l'ALCASAR Control Center (ACC)</h2>" >> $HTML_REPORT
echo "<table class=\"table table-striped\">" >> $HTML_REPORT
echo "<thead><tr><th>Date</th><th>Utilisateur</th><th>Adresse IP</th><th>Agent</th></tr></thead><tbody>" >> $HTML_REPORT
echo $ROWS >> $HTML_REPORT
echo "$ROWS" >> $HTML_REPORT
echo "</tbody></table>" >> $HTML_REPORT
 
 
640,7 → 628,7
echo "<h2>Trafic global</h2>" >> $HTML_REPORT
echo "<table class=\"table table-striped\">" >> $HTML_REPORT
echo "<thead><tr><th>Date</th><th>Entrant</th><th>Sortant</th><th>Total</th></tr></thead><tbody>" >> $HTML_REPORT
echo $ROWS >> $HTML_REPORT
echo "$ROWS" >> $HTML_REPORT
echo "</tbody></table>" >> $HTML_REPORT
 
 
698,21 → 686,21
echo "</html>" >> $HTML_REPORT
 
#convert html document to PDF
/usr/bin/wkhtmltopdf $HTML_REPORT $(echo $HTML_REPORT | cut -d'.' -f1).pdf
chown apache:apache $(echo $HTML_REPORT | cut -d'.' -f1).pdf
chmod 644 $(echo $HTML_REPORT | cut -d'.' -f1).pdf
mv $(echo $HTML_REPORT | cut -d'.' -f1).pdf /var/Save/activity_report/
/usr/bin/wkhtmltopdf $HTML_REPORT "$(echo $HTML_REPORT | cut -d'.' -f1).pdf"
chown apache:apache "$(echo $HTML_REPORT | cut -d'.' -f1).pdf"
chmod 644 "$(echo $HTML_REPORT | cut -d'.' -f1).pdf"
mv "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" /var/Save/activity_report/
 
#compress every logs, if they exist
if [ $(ls -1 /var/log/havp/access.log.* 2>/dev/null | wc -l) -ge 1 ]
if [ "$(ls -1 /var/log/havp/access.log.* 2>/dev/null | wc -l)" -ge 1 ]
then
gzip /var/log/havp/access.log.*
fi
 
#compress every logs
if [ $(ls -1 /var/log/dnsmasq/dnsmasq-blacklist.log.* 2>/dev/null | wc -l) -ge 1 ]
if [ "$(ls -1 /var/log/unbound/unbound-blacklist.log.* 2>/dev/null | wc -l)" -ge 1 ]
then
gzip /var/log/dnsmasq/dnsmasq-blacklist.log.*
gzip /var/log/unbound/unbound-blacklist.log.*
fi
 
#remove our files
/scripts/alcasar-bl.sh
6,16 → 6,14
# by Franck BOUIJOUX and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 
# Gestion de la BL pour le filtrage de domaine (via dnsmasq) et d'URL (via E2guardian)
# Manage the BL for DnsBlackHole (dnsmasq) and URL filtering (E2guardian)
# Gestion de la BL pour le filtrage de domaine (via unbound) et d'URL (via E2guardian)
# Manage the BL for DnsBlackHole (unbound) and URL filtering (E2guardian)
 
DIR_CONF="/usr/local/etc"
CONF_FILE="$DIR_CONF/alcasar.conf"
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
DIR_tmp="/tmp/blacklists"
DIR_WL_tmp="/tmp/whitelists"
FILE_tmp="/tmp/filesfilter.txt"
FILE_ip_tmp="/tmp/filesipfilter.txt"
DIR_DG="/etc/e2guardian/lists"
26,15 → 24,15
BL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-bl-categories-enabled" # ' ' BL enabled categories
WL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-wl-categories-enabled" # ' ' WL enabled categories
DIR_SHARE="/usr/local/share"
DIR_DNS_BL="$DIR_SHARE/dnsmasq-bl" # all the BL in the DNSMASQ format
DIR_DNS_WL="$DIR_SHARE/dnsmasq-wl" # all the WL ' ' '
DIR_DNS_BL="$DIR_SHARE/unbound-bl" # all the BL in the Unbound format
DIR_DNS_WL="$DIR_SHARE/unbound-wl" # all the WL ' ' '
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL
DIR_DNS_BL_ENABLED="$DIR_SHARE/dnsmasq-bl-enabled" # symbolic link to the domains BL (only enabled categories)
DIR_DNS_WL_ENABLED="$DIR_SHARE/dnsmasq-wl-enabled" # ' ' ' WL ' '
DIR_DNS_BL_ENABLED="$DIR_SHARE/unbound-bl-enabled" # symbolic link to the domains BL (only enabled categories)
DIR_DNS_WL_ENABLED="$DIR_SHARE/unbound-wl-enabled" # ' ' ' WL ' '
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories)
DIR_IP_WL_ENABLED="$DIR_SHARE/iptables-wl-enabled" # ' ' ip WL (ossi and ossi-* imported from ACC)
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2-` # server DNS1 (for WL domain names)
REHABILITATED_DNS_FILE="/etc/unbound/conf.d/blacklist/rehabilitated.conf"
BL_SERVER="dsi.ut-capitole.fr"
SED="/bin/sed -i"
 
47,7 → 45,7
then
mkdir $LIST
else
rm -rf $LIST/*
rm -rf ${LIST:?}/*
fi
chown root:apache $LIST
chmod 770 $LIST
69,7 → 67,7
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $BL_CATEGORIES
ln -sf $DIR_DNS_BL/$ENABLE_CATEGORIE.conf $DIR_DNS_BL_ENABLED/$ENABLE_CATEGORIE
ln -sf $DIR_IP_BL/$ENABLE_CATEGORIE $DIR_IP_BL_ENABLED/$ENABLE_CATEGORIE
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG/bannedsitelist # Blacklisted domains are managed by dnsmasq
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG/bannedsitelist # Blacklisted domains are managed by unbound
echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/urls>" >> $DIR_DG/bannedurllist
done
sort +0.0 -0.2 $BL_CATEGORIES -o $FILE_tmp
101,7 → 99,7
$SED '/[äâëêïîöôüû@,]/d' $FILE_tmp # remove line with "chelou" characters
# extract ip addresses for iptables.
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add bl_ip_blocked " $0}' $FILE_tmp > $FILE_ip_tmp
# extract domain names for dnsmasq.
# extract domain names for unbound.
$SED -n '/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/!p' $FILE_tmp
# Retrieve max Top Level Domain for domain name synthax
#MAX_TLD=$(curl http://data.iana.org/TLD/tlds-alpha-by-domain.txt | grep -v '-' | grep -v '#' | wc -L)
142,7 → 140,7
-cat_choice | --cat_choice)
cat_choice
;;
# Adapt Toulouse University BL to ALCASAR architecture (dnsmasq + DG + iptables)
# Adapt Toulouse University BL to ALCASAR architecture (unbound + DG + iptables)
-adapt | --adapt)
echo -n "Adaptation process of Toulouse University blackList. Please wait : "
if [ -f $DIR_tmp/blacklists.tar.gz ] # when downloading the last version of the BL
231,7 → 229,8
$SED "/^$ENABLE_CATEGORIE$/d" $WL_CATEGORIES_ENABLED
fi
done
# Creation of DNSMASQ and Iptables BL and WL
 
# Creation of Unbound and Iptables BL and WL
for LIST in $BL_CATEGORIES $WL_CATEGORIES # for each list (bl and wl)
do
for PATH_FILE in `cat $LIST` # for each category
244,16 → 243,16
chown e2guardian:apache $PATH_FILE/urls
fi
cp $PATH_FILE/domains $FILE_tmp
clean_split # clean ossi custom files & split them for dnsmasq and for iptables
clean_split # clean ossi custom files & split them for unbound and for iptables
if [ "$LIST" == "$BL_CATEGORIES" ]
then
# adapt to the dnsmasq syntax for the blacklist
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp
# adapt to the unbound syntax for the blacklist
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN
else
# adapt to the dnsmasq syntax for the whitelist
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp
# adapt to the unbound syntax for the whitelist
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf
fi
done
276,27 → 275,28
URL=$(echo $LIGNE_RSYNC | cut -d' ' -f2)
PATH_FILE=$(find $DIR_DG_BL/ -type d -name $CATEGORIE) # retrieve directory name of the category
rsync -rv $URL $(dirname $PATH_FILE ) #rsync inside of the blacklist directory
# Creation of DNSMASQ and Iptables BL and WL
# Creation of unbound and Iptables BL and WL
DOMAIN=$(basename $PATH_FILE)
cp $PATH_FILE/domains $FILE_tmp
clean_split # clean ossi custom files & split them for dnsmasq and for iptables
clean_split # clean ossi custom files & split them for unbound and for iptables
black=`grep black $PATH_FILE/usage |wc -l`
if [ $black == "1" ]
then
# adapt to the dnsmasq syntax for the blacklist
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp
# adapt to the unbound syntax for the blacklist
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN
else
# adapt to the dnsmasq syntax for the whitelist
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp
# adapt to the unbound syntax for the whitelist
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf
mv $FILE_ip_tmp $DIR_IP_WL/$DOMAIN
fi
rm -f $FILE_tmp $FILE_ip_tmp
done
/usr/bin/systemctl restart unbound-whitelist
/usr/bin/systemctl restart dnsmasq-whitelist
/usr/bin/systemctl restart dnsmasq-blacklist
/usr/bin/systemctl restart unbound-blacklist
/usr/bin/systemctl restart e2guardian
/usr/local/bin/alcasar-iptables.sh
else
308,17 → 308,16
-reload | --reload)
# for DG
cat_choice
# for dnsmasq (rehabited domain names)
if [ `wc -w $DIR_DG/exceptionsitelist|cut -d " " -f1` != "0" ]
# for unbound (rehabilitated domain names)
rm -f $REHABILITATED_DNS_FILE
if [ "$(wc -w $DIR_DG/exceptionsitelist | cut -d " " -f1)" != "0" ]
then
rm -f $DIR_DNS_BL_ENABLED/authorized-ossi-bl $DIR_DNS_BL/authorized-ossi-bl.conf
touch $DIR_DNS_BL/authorized-ossi-bl.conf
for i in `cat $DIR_DG/exceptionsitelist`
do
$SED "/$i/d" $DIR_DNS_BL/*
echo "server=/$i/#" >> $DIR_DNS_BL/authorized-ossi-bl.conf
done
ln -s $DIR_DNS_BL/authorized-ossi-bl.conf $DIR_DNS_BL_ENABLED/authorized-ossi-bl
touch $REHABILITATED_DNS_FILE
while read -r domain; do
[ -z "$domain" ] && continue
echo "local-zone: $domain typetransparent" >> $REHABILITATED_DNS_FILE
echo "local-zone-tag: $domain \"\"" >> $REHABILITATED_DNS_FILE
done < $DIR_DG/exceptionsitelist
fi
# adapt OSSI BL & WL custom files
for dir in $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL
341,12 → 340,12
fi
$SED "s/\r//" $ossi_custom_dir/domains $ossi_custom_dir/urls # remove Windows <CR> from custom file
cp $ossi_custom_dir/domains $FILE_tmp
clean_split # clean ossi custom files & split them for dnsmasq and for iptables
clean_split # clean ossi custom files & split them for unbound and for iptables
if [ $categorie_type == "white" ]
then
# adapt the file to the dnsmasq syntax and enable it if needed
# adapt the file to the unbound syntax and enable it if needed
# for the WL
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_WL/$ossi_categorie.conf
mv $FILE_ip_tmp $DIR_IP_WL/$ossi_categorie
enabled=`grep ^$ossi_categorie$ $WL_CATEGORIES_ENABLED | wc -l`
359,7 → 358,7
fi
else
# for the BL
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_BL/$ossi_categorie.conf
mv $FILE_ip_tmp $DIR_IP_BL/$ossi_categorie
enabled=`grep ^$ossi_categorie$ $BL_CATEGORIES_ENABLED | wc -l`
383,7 → 382,8
chmod 660 $DIR_DNS_BL/* $DIR_DNS_WL/* $DIR_IP_BL/* $DIR_IP_WL/*
if [ "$PARENT_SCRIPT" != "alcasar-conf.sh" ] # don't launch on install stage
then
/usr/bin/systemctl restart dnsmasq-blacklist
/usr/bin/systemctl restart unbound-blacklist
/usr/bin/systemctl restart unbound-whitelist
/usr/bin/systemctl restart dnsmasq-whitelist
/usr/bin/systemctl restart e2guardian
/usr/local/bin/alcasar-iptables.sh
/scripts/alcasar-bypass.sh
9,7 → 9,6
# enable / disable the bypass of authentication process and WEB filtering
 
usage="Usage: alcasar-bypass.sh {--on or -on } | {--off or -off}"
SED="/bin/sed -i"
CONF_FILE="/usr/local/etc/alcasar.conf"
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
 
25,7 → 24,7
echo "$usage"
exit 0
;;
--on | -on)
--on | -on)
/usr/local/bin/alcasar-logout.sh all
/usr/bin/systemctl stop chilli
cp -f /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF
34,11 → 33,7
DHCP=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
if [ $DHCP != off ]
then
$SED "/^#dhcp-range=/s/^#//" /etc/dnsmasq.conf # dnsmasq become the DHCP server
$SED "/^#dhcp-option=/s/^#//" /etc/dnsmasq.conf
$SED "/^#domain=/s/^#//" /etc/dnsmasq.conf
$SED "s?^no-dhcp-interface.*?#&?g" /etc/dnsmasq.conf
/usr/bin/systemctl restart dnsmasq
/usr/bin/systemctl start dhcpd
fi
 
rm -f /etc/cron.d/alcasar-daemon-watchdog # don't restart daemons (specially coova)
48,11 → 43,7
--off | -off)
cp -f /etc/sysconfig/network-scripts/default-ifcfg-$INTIF /etc/sysconfig/network-scripts/ifcfg-$INTIF
ifup $INTIF
$SED "s?^dhcp-range=.*?#&?g" /etc/dnsmasq.conf # dnsmasq is no more the DHCP server (it's coova)
$SED "s?^dhcp-option=.*?#&?g" /etc/dnsmasq.conf
$SED "s?^domain=.*?#&?g" /etc/dnsmasq.conf
$SED "/^#no-dhcp-interface/s/^#//" /etc/dnsmasq.conf
/usr/bin/systemctl restart dnsmasq
/usr/bin/systemctl stop dhcpd
/usr/bin/systemctl start chilli
sh /usr/local/bin/alcasar-iptables.sh
# activation of the "daemon-watchdog" every 18'
/scripts/alcasar-conf.sh
14,14 → 14,12
# - load the backup of configuration files during the update process (alcasar-conf -load). If needed, it's here we update files between versions
# - apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf" when hot modification are needed (alcasar-conf -apply)
 
new="$(date +%G%m%d-%Hh%M)" # date et heure des fichiers
fichier="alcasar-conf-$new.tar.gz" # nom du fichier de sauvegarde
DIR_UPDATE="/var/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour
DIR_WEB="/var/www/html" # répertoire du centre de gestion
DIR_BIN="/usr/local/bin" # scripts directory
DIR_ETC="/usr/local/etc" # conf directory
DIR_SHARE="/usr/local/share" # data directory
DIR_BLACKLIST="/etc/e2guardian/lists/blacklists" # Toulouse BL directory
DIR_E2G="/etc/e2guardian/lists" # Toulouse BL directory
DIR_BLACKLIST="$DIR_E2G/blacklists" # Toulouse BL directory
CONF_FILE="$DIR_ETC/alcasar.conf" # main alcasar conf file
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
34,7 → 32,6
SED="/bin/sed -i"
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2` # server DNS1 (for WL domain names)
DOMAIN=${DOMAIN:=localdomain}
DATE=`date '+%d %B %Y - %Hh%M'`
 
private_network_calc ()
{
41,13 → 38,11
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24)
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0)
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24)
classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # classes de réseau (ex.: 2=classe B, 3=classe C)
classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; # classes de réseau (ex.: 2=classe B, 3=classe C)
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.)
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # last octet of LAN address
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # last octet of LAN broadcast
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address
PRIVATE_FIRST_IP=$PRIVATE_IP # First network address (ex.: 192.168.182.1)
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF
66,12 → 61,12
echo "$usage"
exit 0
;;
--create|-create)
--create|-create)
[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE
mkdir $DIR_UPDATE
# backup the users database (test to delete in future version)
$DIR_BIN/alcasar-mysql.sh --dump
cp /var/Save/base/`ls -1t /var/Save/base|head -1` $DIR_UPDATE
cp /var/Save/base/"$(ls -1t /var/Save/base|head -1)" $DIR_UPDATE
# backup the logo
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE
# backup BL/WL custom files
82,7 → 77,7
cp /etc/dansguardian/lists/$i $DIR_UPDATE/custom_bl/ # before V3.3
cp -rf /etc/dansguardian/lists/blacklists/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null
else
cp /etc/e2guardian/lists/$i $DIR_UPDATE/custom_bl/ # since V3.3
cp $DIR_E2G/$i $DIR_UPDATE/custom_bl/ # since V3.3
cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null
fi
done
101,8 → 96,35
else
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.crt
fi
# pureip & safesearch status
[ -d /etc/dansguardian ] && dg_path=/etc/dansguardian || dg_path=/etc/e2guardian
 
if ! grep -Eq '^WL_SAFESEARCH=' $DIR_UPDATE/etc/alcasar.conf; then
if [ -f /etc/dnsmasq-whitelist.conf ] && grep -iq "SafeSearch" /etc/dnsmasq-whitelist.conf; then
echo 'WL_SAFESEARCH=on' >> $DIR_UPDATE/etc/alcasar.conf
else
echo 'WL_SAFESEARCH=off' >> $DIR_UPDATE/etc/alcasar.conf
fi
fi
 
if ! grep -Eq '^BL_SAFESEARCH=' $DIR_UPDATE/etc/alcasar.conf; then
if [ -f /etc/dnsmasq-blacklist.conf ] && grep -iq "SafeSearch" /etc/dnsmasq-blacklist.conf; then
echo 'BL_SAFESEARCH=on' >> $DIR_UPDATE/etc/alcasar.conf
else
echo 'BL_SAFESEARCH=off' >> $DIR_UPDATE/etc/alcasar.conf
fi
fi
 
if ! grep -Eq '^BL_PUREIP=' $DIR_UPDATE/etc/alcasar.conf; then
if grep -Eq "^\*ip" $dg_path/lists/bannedsitelist; then
echo 'BL_PUREIP=on' >> $DIR_UPDATE/etc/alcasar.conf
else
echo 'BL_PUREIP=off' >> $DIR_UPDATE/etc/alcasar.conf
fi
fi
 
# archive file creation
cd /var/tmp
cd /var/tmp || { echo "Unable to find /var/tmp directory"; }
tar -cf alcasar-conf.tar conf/
gzip -f alcasar-conf.tar
rm -rf $DIR_UPDATE
109,7 → 131,7
;;
 
--load|-load)
cd /var/tmp
cd /var/tmp || { echo "Unable to find /var/tmp directory"; }
tar -xf alcasar-conf*.tar.gz
######################### modifications between versions #######################
# Retrieve the previous version
123,7 → 145,7
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2-`
domainNames="$HOSTNAME $HOSTNAME.$DOMAIN"
[ "$HOSTNAME" != 'alcasar' ] && domainNames="alcasar $domainNames"
if [ $(grep -c "$PRIVATE_IP\s$domainNames" $DIR_UPDATE/etc/hosts ) -eq 0 ]; then
if [ "$(grep -c "$PRIVATE_IP\s$domainNames" $DIR_UPDATE/etc/hosts )" -eq 0 ]; then
cat << EOF > $DIR_UPDATE/etc/hosts
127.0.0.1 localhost
$PRIVATE_IP $domainNames
130,7 → 152,7
EOF
fi
## apache & dansguardian are replaced with lighttpd & E²guardian
if [ $(rpm -qa | grep '^\(apache\|apache-mod_php\|apache-mod_ssl\|dansguardian\)-' | wc -l) -ne 0 ]; then
if [ "$(rpm -qa | grep '^\(apache\|apache-mod_php\|apache-mod_ssl\|dansguardian\)-' | wc -l)" -ne 0 ]; then
rm_rpm="apache apache-mod_php apache-mod_ssl dansguardian"
/usr/sbin/urpme --auto -a $rm_rpm 2>/dev/null
/usr/sbin/urpme --auto --auto-orphans
140,12 → 162,17
[ ! -f $DIR_UPDATE/alcasar.pem ] && (cat $DIR_UPDATE/alcasar.key; echo; cat $DIR_UPDATE/alcasar.crt) > $DIR_UPDATE/alcasar.pem
## From 3.3.0 ##
# add "SMS=off" in conf file
if [ $(grep -c '^SMS=' $DIR_UPDATE/etc/alcasar.conf) -eq 0 ]; then
if [ "$(grep -c '^SMS=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then
echo "SMS=off" >> $DIR_UPDATE/etc/alcasar.conf
fi
if [ $(grep -c '^SMS_NUM=' $DIR_UPDATE/etc/alcasar.conf) -eq 0 ]; then
if [ "$(grep -c '^SMS_NUM=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then
echo "SMS_NUM=" >> $DIR_UPDATE/etc/alcasar.conf
fi
## From 3.4.0 ##
# Fix subdomain dot position (.domain.org to domain.org.) for Unbound
for file in $DIR_E2G/exceptionsitelist $DIR_BLACKLIST/ossi-bl*/domains $DIR_BLACKLIST/ossi-wl*/domains; do
[ -f $file ] && $SED "s/^\.\(.*\)$/\1./g" $file
done
###################### End of modifications between versions #######################
# Retrieve the logo
[ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/
155,26 → 182,26
cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/
cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/
cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt* /etc/pki/tls/certs/ # autosigned and official if exist
chown -R root:apache /etc/pki
chmod -R 750 /etc/pki
# Import of the users database
$DIR_BIN/alcasar-mysql.sh --import `ls $DIR_UPDATE/alcasar-users-database*`
$DIR_BIN/alcasar-mysql.sh --import "$(ls $DIR_UPDATE/alcasar-users-database*)"
# Retrieve local parameters
cp -rf $DIR_UPDATE/etc/* $DIR_ETC/
mv -f $DIR_UPDATE/etc/hosts /etc/hosts
chmod 755 /etc/hosts
# Retrieve BL/WL custom files
cp -f $DIR_UPDATE/custom_bl/exceptioniplist /etc/e2guardian/lists/
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist /etc/e2guardian/lists/
cp -f $DIR_UPDATE/custom_bl/urlregexplist /etc/e2guardian/lists/
cp -f $DIR_UPDATE/custom_bl/bannedsitelist /etc/e2guardian/lists/
cp -f $DIR_UPDATE/custom_bl/exceptionurllist /etc/e2guardian/lists/
cp -f $DIR_UPDATE/custom_bl/bannedurllist /etc/e2guardian/lists/
cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/
cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/
cp -f $DIR_UPDATE/custom_bl/bannedsitelist $DIR_E2G/
cp -f $DIR_UPDATE/custom_bl/exceptionurllist $DIR_E2G/
cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/
cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null
chown -R e2guardian:apache /etc/e2guardian/lists
chmod -R g+rw /etc/e2guardian/lists
chown -R e2guardian:apache $DIR_E2G
chmod -R g+rw $DIR_E2G
# Adapt DNS/URL filtering
PARENT_SCRIPT=`basename $0`
export PARENT_SCRIPT
197,9 → 224,8
--apply|-apply)
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
check=$(echo $PRIVATE_IP_MASK | egrep $PTN)
if [[ "$?" -ne 0 ]]
then
if ! echo $PRIVATE_IP_MASK | egrep -q $PTN
then
echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)"
exit 0
fi
210,9 → 236,8
PUBLIC_GATEWAY="dhcp"
 
else
check=$(echo $PUBLIC_IP_MASK | egrep $PTN)
if [[ "$?" -ne 0 ]]
then
if ! echo $PUBLIC_IP_MASK | egrep -q $PTN
then
echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)"
exit 0
fi
219,24 → 244,21
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
PUBLIC_GATEWAY=`grep ^GW= $CONF_FILE|cut -d"=" -f2`
check=$(echo $PUBLIC_GATEWAY | egrep $PTN)
if [[ "$?" -ne 0 ]]
then
if ! echo $PUBLIC_GATEWAY | egrep -q $PTN
then
echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)"
exit 0
fi
fi
DNS1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
check=$(echo $DNS1 | egrep $PTN)
if [[ "$?" -ne 0 ]]
then
if ! echo $DNS1 | egrep -q $PTN
then
echo "Syntax error for the IP address of the first DNS server ($DNS1)"
exit 0
fi
DNS2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
check=$(echo $DNS2 | egrep $PTN)
if [[ "$?" -ne 0 ]]
then
if ! echo $DNS2 | egrep -q $PTN
then
echo "Syntax error for the IP address of the second DNS server ($DNS2)"
exit 0
fi
245,10 → 267,13
private_network_calc
INSTALL_DATE=`grep ^INSTALL_DATE= $CONF_FILE|cut -d"=" -f2`
ORGANISME=`grep ^ORGANISM= $CONF_FILE|cut -d"=" -f2-`
BL_SAFESEARCH=`grep ^BL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2`
WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2`
BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE|cut -d"=" -f2`
DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2`
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
if [ $DHCP_mode = "off" ] || [ $DHCP_mode = "Off" ] || [ $DHCP_mode = "OFF" ]
if [ "$DHCP_mode" = "off" ] || [ "$DHCP_mode" = "Off" ] || [ "$DHCP_mode" = "OFF" ]
then
$DIR_BIN/alcasar-dhcp.sh --off
else
256,7 → 281,7
fi
 
# Set the local DNS (or not)
if [ $INT_DNS_mode = "on" ] || [ $INT_DNS_mode = "On" ] || [ $INT_DNS_mode = "ON" ]
if [ "$INT_DNS_mode" = "on" ] || [ "$INT_DNS_mode" = "On" ] || [ "$INT_DNS_mode" = "ON" ]
then
$DIR_BIN/alcasar-dns-local.sh --on
else
263,11 → 288,40
$DIR_BIN/alcasar-dns-local.sh --off
fi
 
# Set the pure ip option (or not)
if [ "$BL_PUREIP" = "off" ] || [ "$BL_PUREIP" = "Off" ] || [ "$BL_PUREIP" = "OFF" ]
then
bl_filter_param+="--pureip_off"
else
bl_filter_param+="--pureip_on"
fi
 
# Set the safesearch options (or not)
bl_filter_param=""
if [ "$BL_SAFESEARCH" = "on" ] || [ "$BL_SAFESEARCH" = "On" ] || [ "$BL_SAFESEARCH" = "ON" ]
then
bl_filter_param+="--safesearch_on "
else
bl_filter_param+="--safesearch_off "
fi
 
$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param
 
if [ "$WL_SAFESEARCH" = "on" ] || [ "$WL_SAFESEARCH" = "On" ] || [ "$WL_SAFESEARCH" = "ON" ]
then
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on
else
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off
fi
 
# Reload the local dns configuration
$DIR_BIN/alcasar-dns-local.sh --reload
 
# Logout everybody
$DIR_BIN/alcasar-logout.sh all
$DIR_BIN/alcasar-logout.sh all
# Services stop
echo -n "Stop services : "
for i in ntpd tinyproxy e2guardian dnsmasq dnsmasq-whitelist dnsmasq-blacklist dnsmasq-blackhole chilli network lighttpd
for i in ntpd tinyproxy e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd
do
/usr/bin/systemctl stop $i && echo -n "$i, "
done
292,7 → 346,7
MTU=$MTU
NOZEROCONF=yes
EOF
else
else
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=static
317,7 → 371,7
$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
# NTP server
$SED "/127.0.0.1/!s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap?g" /etc/ntp.conf
# host.allow
# host.allow
cat <<EOF > /etc/hosts.allow
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
sshd: ALL
335,9 → 389,9
# MOTD
$SED "s@'https://\(.\+\)/acc'@'https://$HOSTNAME.$DOMAIN/acc'@" /etc/mageia-release
# Lighttpd
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
# FreeRADIUS Web
$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf
$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf
344,7 → 398,7
# coova
$SED "s/^uamallowed.*/uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
[ `grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2` == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http"
[ "`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http"
$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf
$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf
$SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf
353,31 → 407,115
$SED "s?^uamlisten.*?uamlisten\t$PRIVATE_IP?g" /etc/chilli.conf
# modify the DHCP static ip file. Reserve the second IP address for INTIF (the first one is for tun0). Keep previous entries
$SED "s?^$PRIVATE_MAC.*?$PRIVATE_MAC $PRIVATE_SECOND_IP?" $DIR_ETC/alcasar-ethers $DIR_ETC/alcasar-ethers-info
# dnsmasq
$SED "/127.0.0.1/!s?^listen-address=.*?listen-address=$PRIVATE_IP?g" /etc/dnsmasq.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf /etc/dnsmasq-blackhole.conf
for i in /etc/dnsmasq.conf /etc/dnsmasq-blacklist.conf
do
$SED "/^server=/d" $i
echo "server=$DNS1" >> $i
echo "server=$DNS2" >> $i
done
$SED "s?^address=.*?address=/#/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf
for i in `ls $DIR_SHARE/dnsmasq-wl`
do
cat $DIR_SHARE/dnsmasq-wl/$i|cut -d"/" -f1,2 > /tmp/tmp_file
$SED "s/$/\/$DNS1/" /tmp/tmp_file
mv -f /tmp/tmp_file $DIR_SHARE/dnsmasq-wl/$i
done
chown root:apache $DIR_SHARE/dnsmasq-wl/*
chmod 660 $DIR_SHARE/dnsmasq-wl/*
$SED "s@^\([#]\?\)dhcp-range=.*@\1dhcp-range=$PRIVATE_SECOND_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h@" /etc/dnsmasq.conf
$SED "s@^\([#]\?\)dhcp-option=option:router.*@\1dhcp-option=option:router,$PRIVATE_IP@" /etc/dnsmasq.conf
$SED "s@^\([#]\?\)dhcp-option=option:ntp-server.*@\1dhcp-option=option:ntp-server,$PRIVATE_IP@" /etc/dnsmasq.conf
networkDomain='localdomain'
# networkDomain="$DOMAIN" (/!\ this domain (and its subdomains) will not be resolved by the external DNS servers)
$SED "s?^local=.*?local=/$networkDomain/?g" $DIR_ETC/alcasar-dns-name
$SED "s?^domain=.*?domain=$networkDomain?g" $DIR_ETC/alcasar-dns-name
# tinyproxy
# dnsmasq-whitelist
$SED "/^server=/d" /etc/dnsmasq-whitelist.conf
echo "server=$DNS1" >> /etc/dnsmasq-whitelist.conf
echo "server=$DNS2" >> /etc/dnsmasq-whitelist.conf
# unbound
# removing unbound configuration files
rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.*
rm -f /etc/unbound/conf.d/common/forward-zone.conf
find /etc/unbound/conf.d/common/local-dns/ ! -name "global.conf" -type f -delete
 
# Configuration file for the dns servers forward-zone
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
forward-zone:
name: "."
forward-addr: $DNS1
forward-addr: $DNS2
EOF
 
# Configuration file of ALCASAR main domains for $INTIF
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
server:
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A $PRIVATE_IP"
EOF
 
# Configuration file for lo of forward unbound
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
server:
interface: 127.0.0.1@53
access-control-view: 127.0.0.1/8 lo
 
view:
name: "lo"
view-first: yes
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A 127.0.0.1"
local-zone: "$DOMAIN." static
local-data: "$DOMAIN. A"
EOF
 
if [ "$HOSTNAME" != 'alcasar' ]
then
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf
fi
 
# Configuration file for $INTIF of forward unbound
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@53
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
 
view:
name: "$INTIF"
view-first: yes
EOF
 
# Configuration file for $INTIF of blacklist unbound
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@54
access-control: $PRIVATE_IP_MASK allow
access-control-tag: $PRIVATE_IP_MASK "blacklist"
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
EOF
 
# Configuration file for $INTIF of whitelist unbound
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@55
access-control: $PRIVATE_IP_MASK allow
access-control-tag: $PRIVATE_IP_MASK "whitelist"
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
EOF
 
# Configuration file for $INTIF of blackhole unbound
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@56
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
 
view:
name: "$INTIF"
local-zone: "." redirect
local-data: ". A $PRIVATE_IP"
EOF
 
# dhcpd
cat <<EOF > /etc/dhcpd.conf
ddns-update-style none;
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
option routers $PRIVATE_IP;
option subnet-mask $PRIVATE_NETMASK;
option domain-name-servers $PRIVATE_IP;
 
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
default-lease-time 21600;
max-lease-time 43200;
}
EOF
# tinyproxy
$SED "s?^Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf
# DG + BL
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf
392,12 → 530,12
# Services start
/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1
$DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli
for i in dnsmasq dnsmasq-blackhole tinyproxy ntpd
for i in unbound unbound-blackhole tinyproxy ntpd
do
sleep 1
/usr/bin/systemctl start $i && echo -n ", $i"
done
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", dnsmasq-blacklist, dnsmasq-whitelist, e2guardian, iptables"
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", unbound-blacklist, unbound-whitelist, dnsmasq-whitelist, e2guardian, iptables"
/usr/bin/systemctl restart lighttpd && echo -n ", lighttpd"
fi
# Start / Stop SSH Daemon
417,7 → 555,7
fi
fi
# Start / Stop LDAP authentification
if [ LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ]
if [ $LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ]
then
$DIR_BIN/alcasar-ldap.sh
fi
424,7 → 562,7
echo
;;
*)
echo "Argument inconnu :$1";
echo "Argument inconnu : $1";
echo "$usage"
exit 1
;;
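Review bot: In the `--apply` branch the reset `bl_filter_param=""` (under "# Set the safesearch options") runs after the pure-ip block has already appended `--pureip_off`/`--pureip_on` to that same variable, so the pure-ip choice is silently discarded and `alcasar-url_filter_bl.sh` only ever receives the safesearch flag; move the reset above "# Set the pure ip option (or not)" and give the pure-ip values a trailing separator: `bl_filter_param=""`, then `bl_filter_param+="--pureip_off "` / `bl_filter_param+="--pureip_on "`. The new guard `cd /var/tmp || { echo "Unable to find /var/tmp directory"; }` in both `--create` and `--load` only prints and then falls through, so `tar`, `gzip` and `rm -rf $DIR_UPDATE` run in whatever directory the script was started from; it should be `cd /var/tmp || { echo "Unable to find /var/tmp directory" >&2; exit 1; }`. In the `[ "$HOSTNAME" != 'alcasar' ]` block, the second and fourth `echo -e` lines write `local-zone: "alcasar A $PRIVATE_IP"` and `local-zone: "alcasar A 127.0.0.1"`, whereas every heredoc above pairs `local-zone: … static` with a `local-data: "… A …"` record, so these look like they should be `local-data:` lines or unbound gets no A record for the `alcasar` alias. The `forward-zone.conf` heredoc also emits `forward-addr: $DNS2` unconditionally; if DNS2 may be empty in alcasar.conf that line is malformed, so it is probably worth guarding with a `[ -n "$DNS2" ]` test.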
/scripts/alcasar-daemon.sh
16,7 → 16,7
LDAP=${LDAP:=off}
INTIF=`grep ^INTIF= $conf_file|cut -d"=" -f2` # INTIF name
EXTIF=`grep ^EXTIF= $conf_file|cut -d"=" -f2` # EXTIF name
SERVICES="mysqld lighttpd php-fpm ntpd havp dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd tinyproxy nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd"
SERVICES="mysqld lighttpd php-fpm ntpd havp unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd tinyproxy nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd"
nb_available_srv=`echo $SERVICES|wc -w`
 
function ServiceTest () {
/scripts/alcasar-dhcp.sh
12,7 → 12,6
SED="/bin/sed -i"
CHILLI_CONF_FILE="/etc/chilli.conf"
ALCASAR_CONF_FILE="/usr/local/etc/alcasar.conf"
DNSMASQ_CONF_FILE="/etc/dnsmasq.conf"
 
# define DHCP parameters (LAN side)
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $ALCASAR_CONF_FILE|cut -d"=" -f2`
72,7 → 71,6
$SED "s?^DHCP.*?DHCP=on?g" $ALCASAR_CONF_FILE
$SED "s?^dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
87,4 → 85,3
exit 1
;;
esac
 
/scripts/alcasar-dns-local.sh
1,7 → 1,7
#!/bin/bash
# $Id$
 
# alcasar-dns-interne.sh
# alcasar-dns-local.sh
# by Rexy - 3abtux
# This script is distributed under the Gnu General Public License (GPL)
 
11,17 → 11,17
SED="/bin/sed -i"
 
ALCASAR_CONF_FILE="/usr/local/etc/alcasar.conf"
DNSMASQ_CONF_FILE="/etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf"
LOCAL_DOMAIN_CONF_FILE="/usr/local/etc/alcasar-dns-name"
LOCAL_DOMAIN_CONF_FILE="/etc/unbound/conf.d/common/local-forward/dns-redirector.conf"
LOCAL_HOSTNAME_FILE="/etc/hosts"
LOCAL_DNS_FILE="/etc/unbound/conf.d/common/local-dns/global.conf"
 
# define DNS parameters (LAN side)
 
INT_DNS_DOMAIN=`grep INT_DNS_DOMAIN $ALCASAR_CONF_FILE|cut -d"=" -f2` # Nom du domaine DNS interne
INT_DNS_DOMAIN=`grep INT_DNS_DOMAIN $ALCASAR_CONF_FILE|cut -d"=" -f2` # Nom du domaine DNS interne
INT_DNS_IP=`grep INT_DNS_IP $ALCASAR_CONF_FILE|cut -d"=" -f2` # Adresse du serveur DNS interne
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $ALCASAR_CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $ALCASAR_CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne
 
usage="Usage: alcasar-dns-interne.sh {--on | -on} | {--off | -off} | {--add | -add}"
usage="Usage: alcasar-dns-local.sh {--on | -on} | {--off | -off} | {--add | -add} ip domain | {--del | -del} ip domain | {--reload | -reload}"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
29,13 → 29,31
echo "$usage"
exit 1
fi
 
function restart_dns(){
for dns in dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole
for dns in unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole
do
systemctl restart $dns
done
}
 
function hosts_to_unbound(){
# Empty the local DNS file
echo "server:" > $LOCAL_DNS_FILE
 
while read -r line
do
ip_address=$(echo $line | awk '{ print $1 }')
domain=$(echo $line | awk '{ print $2 }')
 
if ! echo $line | grep -E -q "^([0-9\.\t ]+alcasar( |$)|127\.0\.0)"
then
echo -e "\tlocal-zone: \"$domain\" redirect" >> $LOCAL_DNS_FILE
echo -e "\tlocal-data: \"$domain A $ip_address\"" >> $LOCAL_DNS_FILE
fi
done < $LOCAL_HOSTNAME_FILE
}
 
case $args in
-\? | -h | --h)
echo "$usage"
47,7 → 65,12
echo "$usage"
exit 1
else
# removing if already exists
$SED "/^$2\t$3/d" $LOCAL_HOSTNAME_FILE
 
# adding to the hosts file
echo -e "$2\t$3" >> $LOCAL_HOSTNAME_FILE
hosts_to_unbound
restart_dns
fi
;;
57,26 → 80,41
echo "$usage"
exit 1
else
$SED "/^$2\t$3/d" SLOCAL_HOSTNAME_FILE
$SED "/^$2\t$3/d" $LOCAL_HOSTNAME_FILE
hosts_to_unbound
restart_dns
fi
;;
 
--reload|-reload)
hosts_to_unbound
restart_dns
;;
--off|-off) # disable DNS redirector
$SED "s?^#filterwin2k.*?filterwin2k?g" $DNSMASQ_CONF_FILE
$SED "s?^server.*?#&?g" $LOCAL_DOMAIN_CONF_FILE
#$SED "s?^#filterwin2k.*?filterwin2k?g" $DNSMASQ_CONF_FILE
rm -f $LOCAL_DOMAIN_CONF_FILE
$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=off?g" $ALCASAR_CONF_FILE
restart_dns
 
# Reload firewall
/usr/local/bin/alcasar-iptables.sh
;;
--on|-on) # enable DHCP service on all range of IP addresses
$SED "s?^filterwin2k.*?#filterwin2k?g" $DNSMASQ_CONF_FILE
$SED "s?^server=/.*?server=/$INT_DNS_DOMAIN/$INT_DNS_IP?g" $LOCAL_DOMAIN_CONF_FILE
$SED "s?^#server=/.*?server=/$INT_DNS_DOMAIN/$INT_DNS_IP?g" $LOCAL_DOMAIN_CONF_FILE
--on|-on) # enable DNS redirector
#$SED "s?^filterwin2k.*?#filterwin2k?g" $DNSMASQ_CONF_FILE
cat > $LOCAL_DOMAIN_CONF_FILE << EOF
server:
local-zone: "$INT_DNS_DOMAIN." transparent
forward-zone:
name: "$INT_DNS_DOMAIN."
forward-addr: $INT_DNS_IP
EOF
$SED "s?^INT_DNS_ACTIVE.*?INT_DNS_ACTIVE=on?g" $ALCASAR_CONF_FILE
restart_dns
 
# Reload firewall
/usr/local/bin/alcasar-iptables.sh
;;
*)
echo "Argument inconnu :$1";
echo "Argument inconnu : $1";
echo "$usage"
exit 1
;;
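Review bot: hosts_to_unbound (hunk `29,13 → 29,31`) emits a local-zone/local-data pair for every /etc/hosts line that does not match the alcasar/127.0.0 regex, so blank lines, comment lines and the usual `::1 localhost` entry become lines such as `local-zone: "" redirect` or `local-data: "localhost A ::1"`, which unbound will most likely reject when global.conf is loaded. A guard at the top of the loop body, `case "$line" in ''|\#*|::*) continue ;; esac`, before the two awk calls would keep only candidate IPv4 entries. The `--add` branch also writes `$2` and `$3` straight into the hosts file and, through hosts_to_unbound, into the unbound configuration without checking that they look like an IPv4 address and a hostname, so a malformed argument from the caller ends up in the resolver's config and can take the whole redirect file down; a simple format check before the sed/echo pair would contain that. The restart_dns list still holds dnsmasq-whitelist next to the unbound units, which appears intentional given the alcasar.sh comment about ipset support.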
/scripts/alcasar-file-clean.sh
29,17 → 29,3
chown root:apache $file
chmod 660 $file
done
 
#update dnsmasq-blackhole with uamallowed domains ($ALCASAR_UAMDOMAIN)
#remove old configuration
sed -i '/^server=/d' /etc/dnsmasq-blackhole.conf
 
for domain in $(cat $ALCASAR_UAMDOMAIN | cut -d' ' -f1)
do
domain_exception="server=/$(echo $domain | cut -d'"' -f2)/#"
sed -i "/conf-file/a$domain_exception" /etc/dnsmasq-blackhole.conf
done
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't restart on install stage
then
systemctl restart dnsmasq-blackhole
fi
/scripts/alcasar-importcert.sh
173,7 → 173,7
fi
domainName $cert
certImport $cert $key $sc
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist lighttpd
for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd
do
echo "restarting $services"; systemctl restart $services; sleep 1
done
184,7 → 184,7
echo "Restoring default certificate"
defaultCert
defaultNdd
for services in chilli dnsmasq dnsmasq-blackhole dnsmasq-blacklist dnsmasq-whitelist lighttpd
for services in chilli unbound unbound-blackhole unbound-blacklist unbound-whitelist dnsmasq-whitelist lighttpd
do
echo "restarting $services"; systemctl restart $services; sleep 1
done
/scripts/alcasar-iptables.sh
33,6 → 33,8
dns1=${dns1:=208.67.220.220}
dns2=${dns2:=208.67.222.222}
DNSSERVERS="$dns1,$dns2" # first and second public DNS servers
INT_DNS_IP=`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2` # Adresse du serveur DNS interne
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
45,6 → 47,12
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # Site Direct (no havp and no filtrage) for user BL
 
# Allow requests to internal DNS if activated
if [ "$INT_DNS_ACTIVE" = "on" ]
then
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
fi
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
ipset list not_filtered 1>/dev/null 2>&1
111,7 → 119,7
# Suppression des ip réhabilitées / Removing of rehabilitated ip
for ip in $(cat $IP_REHABILITEES)
do
ipset del bl_ip_blocked $ip
ipset -q del bl_ip_blocked $ip
done
 
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés
118,11 → 126,11
ipset create site_direct hash:net hashsize 1024
for site in $(cat $SITE_DIRECT)
do
ipset add site_direct $site
ipset add site_direct $site
done
 
###### WL set ###########
# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading
# taille fixe, car peuplé par dnsmasq / fixe length due to dnsmasq dynamic loading
wl_set_length=65536
# Chargement Loading
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
285,18 → 293,18
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset
 
# autorisation des connexion légitime à DNSMASQ (avec blacklist)
# Allow connections for DNSMASQ (with blacklist)
# autorisation des connexion légitime à Unbound (avec blacklist)
# Allow connections for Unbound (with blacklist)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
 
# autorisation des connexion légitime à DNSMASQ (avec whitelist)
# Allow connections for DNSMASQ (with whitelist)
# autorisation des connexion légitime à Unbound (avec whitelist)
# Allow connections for Unbound (with whitelist)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
 
# autorisation des connexion légitime à DNSMASQ (mode blackhole)
# Allow connections for DNSMASQ (blackhole mode)
# autorisation des connexion légitime à Unbound (mode blackhole)
# Allow connections for Unbound (blackhole mode)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
 
386,7 → 394,7
do
svc_on=`echo $svc_line|cut -b1`
if [ $svc_on != "#" ]
then
then
svc_name=`echo $svc_line|cut -d" " -f1`
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
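Review bot: The new guard `if [ "$INT_DNS_ACTIVE" = "on" ]` (hunk `45,6 → 47,12`) appends INT_DNS_IP to DNSSERVERS without checking that the value is non-empty, so an `on` flag with a blank INT_DNS_IP in alcasar.conf yields `DNSSERVERS="$dns1,$dns2,"` and every rule built from that list will fail to load. Tighten it to `if [ "$INT_DNS_ACTIVE" = "on" ] && [ -n "$INT_DNS_IP" ]`. The two new reads use a bare `grep INT_DNS_IP $CONF_FILE` / `grep INT_DNS_ACTIVE $CONF_FILE` like the surrounding lines, which would also match any later key that merely contains those names; anchoring as `grep "^INT_DNS_IP=" $CONF_FILE` is cheap and makes the intent explicit.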
/scripts/alcasar-rpm-download.sh
13,7 → 13,7
# The kernel version we compile netflow for
KERNEL="kernel-server-4.14.89-1.mga6-1-1.mga6"
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq netcat-traditional"
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq dhcp-server netcat-traditional"
 
rpm_repository_sync ()
{
147,4 → 147,3
cd
echo "Your RPM archive file is /root/rpms-$ARCH.tar.gz"
exit 0
 
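Review bot: PACKAGES in the `13,7 → 13,7` hunk gains dhcp-server but not unbound, even though the rest of this commit enables and restarts the unbound, unbound-blacklist, unbound-whitelist and unbound-blackhole units; unless unbound is pulled in as a dependency or installed elsewhere, a fresh install will lack the resolver. The same list in /scripts/alcasar-urpmi.sh (hunk `14,7 → 14,7`) has the identical omission. Adding `unbound` next to `dnsmasq dhcp-server` in both strings would make the package set match the changelog entry.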
/scripts/alcasar-uninstall.sh
155,25 → 155,26
 
dnsmasq ()
{
echo -en "(6 if update ; 8 if uninstall) : "
i=0
for list in blacklist whitelist blackhole
do
i=`expr $i + 1`
[ -e /etc/dnsmasq-$list.conf ] && rm /etc/dnsmasq-$list.conf && echo -n "$i, "
i=`expr $i + 1`
[ -e /lib/systemd/system/dnsmasq-$list.service ] && rm /lib/systemd/system/dnsmasq-$list.service && echo -n "$i, "
done
echo -en "(2 if update ; 4 if uninstall) : "
[ -e /etc/dnsmasq-whitelist.conf ] && rm /etc/dnsmasq-whitelist.conf && echo -n "1, "
[ -e /lib/systemd/system/dnsmasq-whitelist.service ] && rm /lib/systemd/system/dnsmasq-whitelist.service && echo -n "2, "
if [ $mode == "full" ] # don't remove dnsmasq in update mode (DHCP + DNS !)
then
if [ -e /lib/systemd/system/dnsmasq.service ]
then
[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "7, "
[ -e /lib/systemd/system/dnsmasq.service.default ] && mv /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq.service && echo -n "8"
fi
[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "3, "
[ -e /lib/systemd/system/dnsmasq.service.default ] && mv /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq.service && echo -n "4"
fi
}
 
unbound ()
{
echo -en "(5) : "
[ -e /etc/unbound/unbound.conf.default ] && mv /etc/unbound/unbound.conf.default /etc/unbound/unbound.conf && echo -n "1, "
[ -e /etc/unbound/unbound-blacklist.conf ] && rm -f /etc/unbound/unbound-blacklist.conf && echo -n "2, "
[ -e /etc/unbound/unbound-whitelist.conf ] && rm -f /etc/unbound/unbound-whitelist.conf && echo -n "3, "
[ -e /etc/unbound/unbound-blackhole.conf ] && rm -f /etc/unbound/unbound-blackhole.conf && echo -n "4, "
[ -e /etc/unbound/conf.d ] && rm -rf /etc/unbound/conf.d && echo -n "5"
}
 
cron ()
{
echo -en "(11) : "
275,7 → 276,7
echo "----------------------------------------------------------------------------"
echo "** Uninstall/Désinstallation d'ALCASAR **"
echo "----------------------------------------------------------------------------"
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy nfsen fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian dnsmasq sshd chilli"
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfsen fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian dnsmasq sshd chilli"
/usr/local/bin/alcasar-logout.sh all # logout everybody
else
echo "--------------------------------------------------------------------------"
282,7 → 283,7
echo "** update/mise à jour d'ALCASAR **"
echo "--------------------------------------------------------------------------"
# dnsmasq & sshd should stay on to allow remote update
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole tinyproxy nfsen fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli"
services="alcasar-load_balancing vnstat havp freshclam ntpd lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfsen fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli"
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update
fi
 
316,7 → 317,7
/usr/bin/systemctl reload sshd
fi
echo "Reset ALCASAR main functions : "
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat unbound dnsmasq cron fail2ban gammu_smsd msec letsencrypt post_install
do
echo -en "\n- $func "
$func
376,4 → 377,3
done
fi
echo
 
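Review bot: The new unbound() function removes /etc/unbound/conf.d and restores unbound.conf.default unconditionally, whereas the neighbouring dnsmasq() keeps its `if [ $mode == "full" ]` guard so that update mode does not tear down the running DNS; since both are called from the same `for func in ...` loop (hunk `316,7 → 317,7`), an update will also delete the generated local-dns and local-forward files. If the installer regenerates them afterwards this is fine, but the function should then say so, e.g. `# conf.d is rebuilt by alcasar.sh on (re)install`; otherwise the `rm -rf /etc/unbound/conf.d` belongs inside the same mode check. The progress label `(5) : ` also no longer mirrors the `(2 if update ; 4 if uninstall)` form used by dnsmasq(), which only matters if the counts are meant to be compared.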
/scripts/alcasar-url_filter_bl.sh
11,104 → 11,116
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine
# Enable / disable : filter of urls containing ip address instead of domain name
 
CONF_FILE="/usr/local/etc/alcasar.conf"
DIR_DG="/etc/e2guardian/lists"
DNSMASQ_BL_CONF="/etc/dnsmasq-blacklist.conf"
CONF_FILE="/usr/local/etc/alcasar.conf"
UNBOUND_BL_DOMAIN_FILTER_CONF="/etc/unbound/conf.d/blacklist/domainfilter.conf"
SED="/bin/sed -i"
safesearch="Off"
pureip="Off"
usage="Usage: alcasar-url_filter_bl.sh { -safesearch_on or -safesearch_off } & { -pureip_on or --pureip_off }"
usage="Usage: alcasar-url_filter_bl.sh { -safesearch_on or -safesearch_off } & { -pureip_on or -pureip_off }"
 
nb_args=$#
 
googledomains="google.com. google.ad. google.ae. google.com.af. google.com.ag. google.com.ai. google.al. google.am. google.co.ao. google.com.ar. google.as. google.at. google.com.au. google.az. google.ba. google.com.bd. google.be. google.bf. google.bg. google.com.bh. google.bi. google.bj. google.com.bn. google.com.bo. google.com.br. google.bs. google.bt. google.co.bw. google.by. google.com.bz. google.ca. google.cd. google.cf. google.cg. google.ch. google.ci. google.co.ck. google.cl. google.cm. google.cn. google.com.co. google.co.cr. google.com.cu. google.cv. google.com.cy. google.cz. google.de. google.dj. google.dk. google.dm. google.com.do. google.dz. google.com.ec. google.ee. google.com.eg. google.es. google.com.et. google.fi. google.com.fj. google.fm. google.fr. google.ga. google.ge. google.gg. google.com.gh. google.com.gi. google.gl. google.gm. google.gp. google.gr. google.com.gt. google.gy. google.com.hk. google.hn. google.hr. google.ht. google.hu. google.co.id. google.ie. google.co.il. google.im. google.co.in. google.iq. google.is. google.it. google.je. google.com.jm. google.jo. google.co.jp. google.co.ke. google.com.kh. google.ki. google.kg. google.co.kr. google.com.kw. google.kz. google.la. google.com.lb. google.li. google.lk. google.co.ls. google.lt. google.lu. google.lv. google.com.ly. google.co.ma. google.md. google.me. google.mg. google.mk. google.ml. google.com.mm. google.mn. google.ms. google.com.mt. google.mu. google.mv. google.mw. google.com.mx. google.com.my. google.co.mz. google.com.na. google.com.nf. google.com.ng. google.com.ni. google.ne. google.nl. google.no. google.com.np. google.nr. google.nu. google.co.nz. google.com.om. google.com.pa. google.com.pe. google.com.pg. google.com.ph. google.com.pk. google.pl. google.pn. google.com.pr. google.ps. google.pt. google.com.py. google.com.qa. google.ro. google.ru. google.rw. google.com.sa. google.com.sb. google.sc. google.se. google.com.sg. google.sh. google.si. google.sk. google.com.sl. google.sn. 
google.so. google.sm. google.sr. google.st. google.com.sv. google.td. google.tg. google.co.th. google.com.tj. google.tk. google.tl. google.tm. google.tn. google.to. google.com.tr. google.tt. google.com.tw. google.co.tz. google.com.ua. google.co.ug. google.co.uk. google.com.uy. google.co.uz. google.com.vc. google.co.ve. google.vg. google.co.vi. google.com.vn. google.vu. google.ws. google.rs. google.co.za. google.co.zm. google.co.zw. google.cat."
 
youtubedomains="www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com"
 
nb_args=$#
if [ $nb_args -le 1 ]
safesearch=""
pureip=""
 
if [ $nb_args -lt 1 ]
then
echo "$usage"
nb_args=0
else
while [ $nb_args -ge 1 ]
exit 1
fi
 
while [ $nb_args -ge 1 ]
do
arg=${!nb_args}
case $arg in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Safe search activation
-safesearch_on | --safesearch_on)
safesearch="On"
;;
# Safe search deactivation
-safesearch_off | --safesearch_off)
safesearch="Off"
;;
# pure_ip activation
-pureip_on | --pureip_on)
pureip="On"
;;
# pureip deactivation
-pureip_off | --pureip_off)
pureip="Off"
;;
*)
echo "Argument inconnu :$arg";
echo "$usage"
exit 1
;;
esac
nb_args=$(expr $nb_args - 1)
done
 
if [ "$safesearch" == "On" ]
then
$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist # on décommente les lignes de regles
# add 'SafeSearch' redirection for google searching
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip
 
# config file header
echo "server:" > $UNBOUND_BL_DOMAIN_FILTER_CONF
 
for domain in $googledomains
do
arg=${!nb_args}
case $arg in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Safe search activation
-safesearch_on | --safesearch_on)
safesearch="On"
;;
# Safe search desactivation
-safesearch_off | --safesearch_off)
safesearch="Off"
;;
# pure_ip activation
-pureip_on | --pureip_on)
pureip="On"
;;
# pureip desactivation
-pureip_off | --pureip_off)
pureip="Off"
;;
*)
echo "Argument inconnu :$arg";
echo "$usage"
exit 1
;;
esac
nb_args=$(expr $nb_args - 1)
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $google_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
done
if [ $safesearch == "On" ]
then
$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist # on décommente les lignes de regles
 
# add 'SafeSearch' redirection for google searching
$SED "/google/d" $DNSMASQ_BL_CONF # remove old google declaration
google_safe_server=`host -ta forcesafesearch.google.com|cut -d" " -f4` # retrieve google forcesafesearch ip
echo "# SafeSearch redirect server for google" >> $DNSMASQ_BL_CONF
for gg_dnsname in $googledomains
do
echo "address=/$gg_dnsname/$google_safe_server" >> $DNSMASQ_BL_CONF
done
# add 'SafeSearch' redirection for youtube searching
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip
for domain in $youtubedomains
do
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $youtube_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
done
 
# add 'SafeSearch' redirection for bing searching
$SED "/bing/d" $DNSMASQ_BL_CONF # remove old bing declaration
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip
echo "# SafeSearch redirect server for bing" >> $DNSMASQ_BL_CONF
echo "address=/www.bing.com/$bing_safe_server" >> $DNSMASQ_BL_CONF
# add 'SafeSearch' redirection for bing searching
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip
echo -e "\tlocal-zone: \"www.bing.com\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"www.bing.com A $bing_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
 
# add 'SafeSearch' redirection for youtube searching
$SED "/youtube/d" $DNSMASQ_BL_CONF # remove old youtube declaration
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip
echo "# SafeSearch redirect server for youtube" >> $DNSMASQ_BL_CONF
for yt_dnsname in $youtubedomains
do
echo "address=/$yt_dnsname/$youtube_safe_server" >> $DNSMASQ_BL_CONF
done
# add 'SafeSearch' redirection for qwant searching
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip
echo -e "\tlocal-zone: \"api.qwant.com\" redirect" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"api.qwant.com A $qwant_safe_server\"" >> $UNBOUND_BL_DOMAIN_FILTER_CONF
 
# add 'SafeSearch' redirection for qwant searching
$SED "/qwant/d" $DNSMASQ_BL_CONF # remove old qwant declaration
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip
echo "# SafeSearch redirect server for qwant" >> $DNSMASQ_BL_CONF
echo "address=/api.qwant.com/$qwant_safe_server" >> $DNSMASQ_BL_CONF
else
$SED "s?^[^#]?#&?g" $DIR_DG/urlregexplist
$SED "/google/d" $DNSMASQ_BL_CONF
$SED "/bing/d" $DNSMASQ_BL_CONF
$SED "/youtube/d" $DNSMASQ_BL_CONF
$SED "/qwant/d" $DNSMASQ_BL_CONF
fi
if [ $pureip == "On" ]
then
$SED "s/^\#\*ip$/*ip/g" $DIR_DG/bannedsitelist
$SED "s/^\#\*ips$/*ips/g" $DIR_DG/bannedsitelist
else
$SED "s/^\*ip$/#*ip/g" $DIR_DG/bannedsitelist
$SED "s/^\*ips$/#*ips/g" $DIR_DG/bannedsitelist
fi
$SED 's/^BL_SAFESEARCH=.*/BL_SAFESEARCH=on/g' $CONF_FILE
elif [ "$safesearch" == "Off" ]
then
$SED "s?^[^#]?#&?g" $DIR_DG/urlregexplist
[ -e $UNBOUND_BL_DOMAIN_FILTER_CONF ] && rm -f $UNBOUND_BL_DOMAIN_FILTER_CONF
 
$SED 's/^BL_SAFESEARCH=.*/BL_SAFESEARCH=off/g' $CONF_FILE
fi
 
if [ "$pureip" == "On" ]
then
$SED "s/^\#\*ip$/*ip/g" $DIR_DG/bannedsitelist
$SED "s/^\#\*ips$/*ips/g" $DIR_DG/bannedsitelist
 
$SED 's/^BL_PUREIP=.*/BL_PUREIP=on/g' $CONF_FILE
elif [ "$pureip" == "Off" ]
then
$SED "s/^\*ip$/#*ip/g" $DIR_DG/bannedsitelist
$SED "s/^\*ips$/#*ips/g" $DIR_DG/bannedsitelist
 
$SED 's/^BL_PUREIP=.*/BL_PUREIP=off/g' $CONF_FILE
fi
systemctl restart e2guardian
systemctl restart dnsmasq-blacklist
fi
systemctl restart unbound-blacklist
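Review bot: Each `*_safe_server` lookup in the safesearch branch (for example `google_safe_server=\`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4\``) is used unchecked, so a failed or multi-answer resolution writes lines such as `local-data: "google.com. A "` into domainfilter.conf and the final `systemctl restart unbound-blacklist` then restarts the resolver on an unparsable file. Guard each lookup, e.g. `[ -n "$google_safe_server" ] || { echo "cannot resolve forcesafesearch.google.com" >&2; exit 1; }`, and append `| head -n1` after the cut so that a multi-address answer cannot split one local-data line in two. /scripts/alcasar-url_filter_wl.sh has the same four unchecked lookups, where an empty value additionally produces a bare `add wl_ip_allowed ` line in the ipset file. Writing the new configuration to a temporary file and moving it into place only when every lookup succeeded would keep the previous working filter if the network is down at the time.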
/scripts/alcasar-url_filter_wl.sh
11,93 → 11,93
# Active / désactive : le filtrage des url contenant une adresse ip à la place d'un nom de domaine
# Enable / disable : filter of urls containing ip address instead of domain name
 
TINY_CONF="/etc/tinyproxy/tinyproxy.conf"
DNSMASQ_WL_CONF="/etc/dnsmasq-whitelist.conf"
CONF_FILE="/usr/local/etc/alcasar.conf"
UNBOUND_WL_DOMAIN_FILTER_CONF="/etc/unbound/conf.d/whitelist/domainfilter.conf"
IP_WL="/usr/local/share/iptables-wl-enabled/ossi-ip-safesearch"
CONF_FILE="/usr/local/etc/alcasar.conf"
SED="/bin/sed -i"
safesearch="Off"
usage="Usage: alcasar-url_filter_wl.sh { -safesearch_on or -safesearch_off }"
 
nb_args=$#
 
googledomains="google.com. google.ad. google.ae. google.com.af. google.com.ag. google.com.ai. google.al. google.am. google.co.ao. google.com.ar. google.as. google.at. google.com.au. google.az. google.ba. google.com.bd. google.be. google.bf. google.bg. google.com.bh. google.bi. google.bj. google.com.bn. google.com.bo. google.com.br. google.bs. google.bt. google.co.bw. google.by. google.com.bz. google.ca. google.cd. google.cf. google.cg. google.ch. google.ci. google.co.ck. google.cl. google.cm. google.cn. google.com.co. google.co.cr. google.com.cu. google.cv. google.com.cy. google.cz. google.de. google.dj. google.dk. google.dm. google.com.do. google.dz. google.com.ec. google.ee. google.com.eg. google.es. google.com.et. google.fi. google.com.fj. google.fm. google.fr. google.ga. google.ge. google.gg. google.com.gh. google.com.gi. google.gl. google.gm. google.gp. google.gr. google.com.gt. google.gy. google.com.hk. google.hn. google.hr. google.ht. google.hu. google.co.id. google.ie. google.co.il. google.im. google.co.in. google.iq. google.is. google.it. google.je. google.com.jm. google.jo. google.co.jp. google.co.ke. google.com.kh. google.ki. google.kg. google.co.kr. google.com.kw. google.kz. google.la. google.com.lb. google.li. google.lk. google.co.ls. google.lt. google.lu. google.lv. google.com.ly. google.co.ma. google.md. google.me. google.mg. google.mk. google.ml. google.com.mm. google.mn. google.ms. google.com.mt. google.mu. google.mv. google.mw. google.com.mx. google.com.my. google.co.mz. google.com.na. google.com.nf. google.com.ng. google.com.ni. google.ne. google.nl. google.no. google.com.np. google.nr. google.nu. google.co.nz. google.com.om. google.com.pa. google.com.pe. google.com.pg. google.com.ph. google.com.pk. google.pl. google.pn. google.com.pr. google.ps. google.pt. google.com.py. google.com.qa. google.ro. google.ru. google.rw. google.com.sa. google.com.sb. google.sc. google.se. google.com.sg. google.sh. google.si. google.sk. google.com.sl. google.sn. 
google.so. google.sm. google.sr. google.st. google.com.sv. google.td. google.tg. google.co.th. google.com.tj. google.tk. google.tl. google.tm. google.tn. google.to. google.com.tr. google.tt. google.com.tw. google.co.tz. google.com.ua. google.co.ug. google.co.uk. google.com.uy. google.co.uz. google.com.vc. google.co.ve. google.vg. google.co.vi. google.com.vn. google.vu. google.ws. google.rs. google.co.za. google.co.zm. google.co.zw. google.cat."
 
youtubedomains="www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com"
 
nb_args=$#
if [ $nb_args -le 0 ]
then
echo "$usage"
nb_args=0
else
while [ $nb_args -ge 1 ]
exit 1
fi
 
while [ $nb_args -ge 1 ]
do
arg=${!nb_args}
case $arg in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Safe search activation
-safesearch_on | --safesearch_on)
safesearch="On"
;;
# Safe search desactivation
-safesearch_off | --safesearch_off)
safesearch="Off"
;;
*)
echo "Argument inconnu : $arg";
echo "$usage"
exit 1
;;
esac
nb_args=$(expr $nb_args - 1)
done
 
if [ $safesearch == "On" ]
then
[ -e $IP_WL ] && rm -f $IP_WL
 
# add 'SafeSearch' redirection for google searching
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip
 
# config file header
echo "server:" > $UNBOUND_WL_DOMAIN_FILTER_CONF
 
for domain in $googledomains
do
arg=${!nb_args}
case $arg in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
# Safe search activation
-safesearch_on | --safesearch_on)
safesearch="On"
;;
# Safe search desactivation
-safesearch_off | --safesearch_off)
safesearch="Off"
;;
*)
echo "Argument inconnu :$arg";
echo "$usage"
exit 1
;;
esac
nb_args=$(expr $nb_args - 1)
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $google_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
done
if [ $safesearch == "On" ]
then
if [ -e $IP_WL ]
then
rm $IP_WL # remove old google declaration
fi
echo "add wl_ip_allowed $google_safe_server" >> $IP_WL
 
# add 'SafeSearch' redirection for google searching
google_safe_server=`host -ta forcesafesearch.google.com | grep "address" | cut -d" " -f4` # retrieve google forcesafesearch ip
$SED "/google/d" $DNSMASQ_WL_CONF # remove old google declaration
echo "# SafeSearch redirect server for google" >> $DNSMASQ_WL_CONF
for bing_dnsname in $googledomains
do
echo "address=/$bing_dnsname/$google_safe_server" >> $DNSMASQ_WL_CONF
done
echo "add wl_ip_allowed $google_safe_server" >> $IP_WL
# add 'SafeSearch' redirection for youtube searching
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip
for domain in $youtubedomains
do
echo -e "\tlocal-zone: \"$domain\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"$domain A $youtube_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
done
echo "add wl_ip_allowed $youtube_safe_server" >> $IP_WL
 
# add 'SafeSearch' redirection for bing searching
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip
$SED "/bing/d" $DNSMASQ_WL_CONF # remove old bing declaration
echo "# SafeSearch redirect server for bing" >> $DNSMASQ_WL_CONF
echo "address=/www.bing.com/$bing_safe_server" >> $DNSMASQ_WL_CONF
echo "add wl_ip_allowed $bing_safe_server" >> $IP_WL
# add 'SafeSearch' redirection for bing searching
bing_safe_server=`host -ta strict.bing.com | grep "address" | cut -d" " -f4` # retrieve bing strict ip
echo -e "\tlocal-zone: \"www.bing.com\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"www.bing.com A $bing_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo "add wl_ip_allowed $bing_safe_server" >> $IP_WL
 
# add 'SafeSearch' redirection for youtube searching
youtube_safe_server=`host -ta restrict.youtube.com | grep "address" | cut -d" " -f4` # retrieve youtube restrict ip
$SED "/youtube/d" $DNSMASQ_WL_CONF # remove old youtube declaration
echo "# SafeSearch redirect server for youtube" >> $DNSMASQ_WL_CONF
for yt_dnsname in $youtubedomains
do
echo "address=/$yt_dnsname/$youtube_safe_server" >> $DNSMASQ_WL_CONF
done
echo "add wl_ip_allowed $youtube_safe_server" >> $IP_WL
# add 'SafeSearch' redirection for qwant searching
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip
echo -e "\tlocal-zone: \"api.qwant.com\" redirect" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo -e "\tlocal-data: \"api.qwant.com A $qwant_safe_server\"" >> $UNBOUND_WL_DOMAIN_FILTER_CONF
echo "add wl_ip_allowed $qwant_safe_server" >> $IP_WL
 
# add 'SafeSearch' redirection for qwant searching
$SED "/qwant/d" $DNSMASQ_WL_CONF # remove old qwant declaration
qwant_safe_server=`host -ta safeapi.qwant.com | grep "address" | cut -d" " -f4` # retrieve qwant strict ip
echo "# SafeSearch redirect server for qwant" >> $DNSMASQ_WL_CONF
echo "address=/api.qwant.com/$qwant_safe_server" >> $DNSMASQ_WL_CONF
else
$SED "/google/d" $DNSMASQ_WL_CONF
$SED "/bing/d" $DNSMASQ_WL_CONF
$SED "/youtube/d" $DNSMASQ_WL_CONF
$SED "/qwant/d" $DNSMASQ_WL_CONF
rm $IP_WL
fi
systemctl restart dnsmasq-whitelist
$SED 's/^WL_SAFESEARCH=.*/WL_SAFESEARCH=on/g' $CONF_FILE
else
[ -e $UNBOUND_WL_DOMAIN_FILTER_CONF ] && rm -f $UNBOUND_WL_DOMAIN_FILTER_CONF
[ -e $IP_WL ] && rm -f $IP_WL
 
$SED 's/^WL_SAFESEARCH=.*/WL_SAFESEARCH=off/g' $CONF_FILE
fi
systemctl restart unbound-whitelist
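Review bot: After rewriting $IP_WL with the new `add wl_ip_allowed ...` lines the script only restarts unbound-whitelist; nothing in this hunk re-runs alcasar-iptables.sh or applies the file with `ipset restore`, so the safe-search addresses presumably do not enter the wl_ip_allowed set until the firewall script next runs (the previous dnsmasq version had the same gap, so this may be by design). If the ACC triggers the firewall reload separately, a one-line comment next to the restart, `# wl_ip_allowed is refreshed by alcasar-iptables.sh`, would make that dependency explicit for the next reader. The safesearch branch also removes $IP_WL before any lookup has succeeded, so a transient resolution failure leaves the whitelist without the previously working addresses; deleting it only once the new file is complete would avoid that.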
/scripts/alcasar-urpmi.sh
14,7 → 14,7
# The kernel version we compile netflow for
KERNEL="kernel-server-4.14.89-1.mga6-1-1.mga6"
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq netcat-traditional"
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers dnsmasq dhcp-server netcat-traditional"
 
rpm_repository_sync ()
{
/web/acc/admin/bl_categories_help.php
6,8 → 6,8
$bl_dir="/etc/e2guardian/lists/blacklists/";
$bl_iptables_dir="/usr/local/share/iptables-bl/";
$wl_iptables_dir="/usr/local/share/iptables-wl/";
$bl_dnsmasq_dir="/usr/local/share/dnsmasq-bl/";
$wl_dnsmasq_dir="/usr/local/share/dnsmasq-wl/";
$bl_unbound_dir="/usr/local/share/unbound-bl/";
$wl_unbound_dir="/usr/local/share/unbound-wl/";
# Choice of language
$Language = 'en';
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE']))
42,12 → 42,11
$l_example="Example(s) : ";
$l_error_cat = "Error category";
$l_error_list = "Error listing";
 
}
if(isset($_GET['cat']))
{
$categorie = $_GET['cat'];
}
}
else
{
$categorie = $l_error_cat;
61,48 → 60,73
$liste = $l_error_list;
}
if($liste == "bl")
{
$bl_categorie_domain_file = $bl_dnsmasq_dir.$categorie.".conf";
{
$bl_categorie_domain_file = $bl_unbound_dir.$categorie.".conf";
$bl_categorie_url_file = $bl_dir.$categorie."/urls";
$bl_categorie_ip_file = $bl_iptables_dir.$categorie;
//don't calc again on reload (click on the number of domain/urls/ip)
if (isset ($_GET['nb_domains']) && isset($_GET['nb_urls']) && isset($_GET['nb_ip']))
{
{
$nb_domains = $_GET['nb_domains'];
$nb_urls = $_GET['nb_urls'];
$nb_ip = $_GET['nb_ip'];
}
}
else
{
if (file_exists($bl_categorie_domain_file))
{
if (file_exists($bl_categorie_domain_file))
$nb_domains = exec("wc -l $bl_categorie_domain_file | cut -d ' ' -f1");
# two lines per domain
$nb_domains = exec("wc -l $bl_categorie_domain_file | cut -d ' ' -f1") / 2;
}
else
{
$nb_domains = $l_error_open_file." ".$bl_categorie_domain_file;
}
 
if (file_exists($bl_categorie_url_file))
{
$nb_urls = exec ("wc -l $bl_categorie_url_file | cut -d ' ' -f1");
}
else
{
$nb_urls = $l_error_open_file." ".$bl_categorie_url_file;
}
 
if(file_exists($bl_categorie_ip_file))
{
$nb_ip = exec("wc -l $bl_categorie_ip_file | cut -d ' ' -f1");
}
else
{
$nb_ip = $l_error_open_file." ".$bl_categorie_ip_file;
}
}
}
else
{
$wl_categorie_domain_file = $wl_dnsmasq_dir.$categorie.".conf";
{
$wl_categorie_domain_file = $wl_unbound_dir.$categorie.".conf";
$wl_categorie_ip_file = $wl_iptables_dir.$categorie;
if (file_exists($wl_categorie_domain_file))
{
$nb_domains = exec("wc -l $wl_categorie_domain_file | cut -d ' ' -f1");
}
else
{
$nb_domains = $l_error_open_file." ".$wl_categorie_domain_file;
}
 
if (file_exists($wl_categorie_ip_file))
{
$nb_ip = exec("wc -l $wl_categorie_ip_file | cut -d ' ' -f1");
}
else
{
$nb_ip = 0;
//$nb_ip = $l_error_open_file." ".$wl_categorie_ip_file;
}
 
$nb_urls = 0; //no urls in WL
}
}
$global_usage = file($bl_dir."global_usage");
$langue = strtoupper($Language);
if(isset($categorie))
111,9 → 135,13
foreach($global_usage as $line)
{
if(preg_match("#^NAME:.$categorie$#", $line) == 1)
{
$fin1 = 1;
}
if($fin1 && preg_match("#^DESC.$langue:.#", $line) == 1)
{
$l_description_cat = preg_replace("#^DESC.$langue:.#", "", $line);
}
if($fin1 && preg_match("#^NAME.$langue:.#", $line) == 1)
{
$l_name_cat = preg_replace("#^NAME.$langue:.#", "", $line);
178,7 → 206,7
{
 
$filtre = $liste == "bl" ? $bl_categorie_domain_file : $wl_categorie_domain_file;
exec("head -n 15 ".escapeshellarg($filtre)." | cut -d '/' -f2", $resultat);
exec("head -n 15 ".escapeshellarg($filtre)." | grep 'transparent' | awk '{ print $2 }'", $resultat);
}
elseif($titre == "ip")
{
190,7 → 218,9
exec("head -n 15 ".escapeshellarg($filtre), $resultat);
}
for($i=0; $i<count($resultat); $i++)
{
echo $resultat[$i]."<br/>";
}
?>
</td></tr>
</TABLE>
197,4 → 227,3
<center><a href="javascript:window.close();"><b><?php echo "$l_close"; ?></b></a></center>
</BODY>
</HTML>
 
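Review bot: The new line `$nb_domains = exec("wc -l $bl_categorie_domain_file | cut -d ' ' -f1") / 2;` still interpolates a path derived from `$_GET['cat']` (assigned near the top of this file) into the shell command without quoting, while the other new line in this section, `exec("head -n 15 ".escapeshellarg($filtre)." | grep 'transparent' | awk '{ print $2 }'", $resultat);`, already wraps its argument in escapeshellarg(); the preceding file_exists() check narrows what reaches the shell but is not a substitute for quoting. Apply the same treatment here and to the four sibling `wc -l` calls for the url, ip and whitelist files: `exec("wc -l ".escapeshellarg($bl_categorie_domain_file)." | cut -d ' ' -f1")`. The `/ 2` is applied to exec()'s string return value, so an odd count yields a non-integer and an empty result (command failure) raises a warning on PHP 7 and a TypeError on PHP 8; `intdiv((int) exec("wc -l ".escapeshellarg($bl_categorie_domain_file)." | cut -d ' ' -f1"), 2)` keeps the result integral and tolerant of failure.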
/web/acc/admin/bl_filter.php
37,22 → 37,22
}
}
function echo_file ($filename)
{
if (file_exists($filename))
{
if (file_exists($filename))
if (filesize($filename) != 0)
{
if (filesize($filename) != 0)
{
$pointeur=fopen($filename,"r");
$tampon = fread($pointeur, filesize($filename));
fclose($pointeur);
echo $tampon;
}
}
}
else
{
{
echo "$filename doesn't exist";
}
}
}
function echo_ip_file ($filename)
{
$filename = escapeshellarg($filename);
68,7 → 68,7
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$Language = strtolower(substr(chop($Langue[0]),0,2));
}
}
if($Language == 'fr'){
$l_bl="Liste noire générale";
$l_load="Chargement...";
89,7 → 89,7
$l_rehabilitated_ip_explain="Entrez ici des IP bloquées par la liste noire <BR> que vous souhaitez réhabiliter.";
$l_one_dns="Entrez une adresse DNS par ligne (exemple : www.domaine.com)";
$l_one_ip="Entrez une IP par ligne (exemple : 123.123.123.123)";
$l_one_dns_ip="Entrez un nom de domaine ou une adresse IP ou une adresse de réseau par ligne<br>exemple (domaine) : .domaine.org - exemple (ip) : 61.54.52.56 - exemple (réseau) : 172.16.0.0/16";
$l_one_dns_ip="Entrez un nom de domaine ou une adresse IP ou une adresse de réseau par ligne<br>exemple (domaine) : domaine.org. - exemple (ip) : 61.54.52.56 - exemple (réseau) : 172.16.0.0/16";
$l_record="Enregistrer les modifications";
$l_wait="Une fois validées, 10 secondes sont nécessaires pour traiter vos modifications";
$l_ip_filtering="Filtrer les URLs contenant une adresse IP au lieu d'un nom de domaine (ex: http://25.56.58.59/index.htm)";
133,9 → 133,9
$l_add_to_bl="Domain names or IP addresses to add to the blacklist";
$l_rehabilitated_ip="IP addresses to rehabilitated";
$l_rehabilitated_ip_explain="Enter here IP that are blocked by the blacklist <BR> and you want to rehabilitate.";
$l_one_dns="Enter one DNS per row (example : www.domaine.com)";
$l_one_dns="Enter one DNS per row (example : www.domain.com)";
$l_one_ip="Enter one IP per row (example : 123.123.123.123)";
$l_one_dns_ip="Enter one domain name or one IP address or one network address per row <br>example (domain): .domain.org - example (ip): 61.54.56.52 - example (network) : 172.16.0.0/16";
$l_one_dns_ip="Enter one domain name or one IP address or one network address per row <br>example (domain): domain.org. - example (ip): 61.54.56.52 - example (network) : 172.16.0.0/16";
$l_record="Save changes";
$l_wait="Once validated, 10 seconds are necessary to compute your modifications";
$l_ip_filtering="Filtering URLs that contain an IP address instead of a domain name (ie: http://25.56.58.59/index.htm)";
165,142 → 165,158
$dir_blacklist=$dir_dg."blacklists/";
$dir_bl_ip="/usr/local/share/iptables-bl/";
$dir_bl_ip_enabled="/usr/local/share/iptables-bl-enabled/";
$dir_bl_domain_names="/usr/local/share/dnsmasq-bl/";
$dir_bl_domain_names_enabled="/usr/local/share/dnsmasq-bl-enabled/";
$dir_bl_domain_names="/usr/local/share/unbound-bl/";
$dir_bl_domain_names_enabled="/usr/local/share/unbound-bl-enabled/";
$bl_categories=$dir_etc."alcasar-bl-categories";
$bl_categories_enabled=$dir_etc."alcasar-bl-categories-enabled";
$conf_file=$dir_etc."alcasar.conf";
$urlregex_file=$dir_dg."urlregexplist";
$domainfilter_file="/etc/unbound/conf.d/blacklist/domainfilter.conf";
$bannedsite_file=$dir_dg."bannedsitelist";
$dir_tmp="/tmp/blacklists";
$update_file_cat="/usr/local/etc/update_cat.conf";
 
$bl_safesearch="off";
$bl_pureip="off";
 
# default values
if (is_file ($conf_file))
{
{
$tab=file($conf_file);
if ($tab)
{
foreach ($tab as $line)
{
foreach ($tab as $line)
{
$field=explode("=", $line);
if ($field[0] == "PRIVATE_IP")
{
$PRIVATE_IP_MASK=trim($field[1]);
$tmp = explode("/",$PRIVATE_IP_MASK);
$PRIVATE_IP=$tmp[0];
}
switch ($field[0]) {
case 'PRIVATE_IP':
$PRIVATE_IP_MASK=trim($field[1]);
$tmp = explode("/",$PRIVATE_IP_MASK);
$PRIVATE_IP=$tmp[0];
break;
 
case 'BL_SAFESEARCH':
if (strtolower(trim($field[1])) == 'on') {
$bl_safesearch='on';
}
break;
 
case 'BL_PUREIP':
if (strtolower(trim($field[1])) == 'on') {
$bl_pureip='on';
}
break;
}
}
}
}
else { echo "$l_error_open_file $conf_file";}
if (isset($_POST['choix'])){ $choix=$_POST['choix']; } else { $choix=""; }
switch ($choix)
{
case 'Download_list' :
exec ("sudo /usr/local/bin/alcasar-bl.sh --download");
break;
case 'Active_list' :
exec ("sudo /usr/local/bin/alcasar-bl.sh --adapt");
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload");
break;
case 'Reject_list' :
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum");
break;
case 'MAJ_cat_bl' :
if (file_exists($bl_categories_enabled))
{
exec("/bin/sed -i \"/^ossi-/!d\" $bl_categories_enabled"); // keep ossi custom categories
$pointeur=fopen($bl_categories_enabled, "a+");
$fichier=fopen($update_file_cat,"w+");
foreach ($_POST as $key => $value)
case 'Download_list' :
exec ("sudo /usr/local/bin/alcasar-bl.sh --download");
break;
case 'Active_list' :
exec ("sudo /usr/local/bin/alcasar-bl.sh --adapt");
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload");
break;
case 'Reject_list' :
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum");
break;
case 'MAJ_cat_bl' :
if (file_exists($bl_categories_enabled))
{
if (strstr($key,'chk-'))
exec("/bin/sed -i \"/^ossi-/!d\" $bl_categories_enabled"); // keep ossi custom categories
$pointeur=fopen($bl_categories_enabled, "a+");
$fichier=fopen($update_file_cat,"w+");
foreach ($_POST as $key => $value)
{
$line=str_replace('chk-','',$key)."\n";
fwrite($pointeur,$line);
if(trim($line) == 'malware' && $_POST['update_cat'] == 1) //auto-update of malware
if (strstr($key,'chk-'))
{
fputs($fichier, "malware rsync://ftp.ut-capitole.fr/blacklist/dest/malware\n");
$line=str_replace('chk-','',$key)."\n";
fwrite($pointeur,$line);
if(trim($line) == 'malware' && $_POST['update_cat'] == 1) //auto-update of malware
{
fputs($fichier, "malware rsync://ftp.ut-capitole.fr/blacklist/dest/malware\n");
}
}
}
fclose($pointeur);
fclose($fichier);
}
fclose($pointeur);
else {echo "$l_error_open_file $bl_categories_enabled";}
$fichier=fopen($dir_blacklist."ossi-bl/domains","w+");
fputs($fichier, form_filter($_POST['OSSI_bl']));
fclose($fichier);
}
else {echo "$l_error_open_file $bl_categories_enabled";}
$fichier=fopen($dir_blacklist."ossi-bl/domains","w+");
fputs($fichier, form_filter($_POST['OSSI_bl']));
fclose($fichier);
unset($_POST['OSSI_bl']);
$fichier=fopen($dir_dg."exceptionsitelist","w+");
fputs($fichier, form_filter($_POST['BL_rehabilited_domains']));
fclose($fichier);
unset($_POST['BL_rehabilited_domains']);
$fichier=fopen($dir_dg."exceptioniplist","w+");
fputs($fichier, form_filter($_POST['BL_rehabilited_ip']));
fclose($fichier);
unset($_POST['BL_rehabilited_ip']);
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload");
break;
case 'Specific_filtering' :
$pureip="-pureip_off"; $safesearch="-safesearch_off"; ;
foreach ($_POST as $key => $value)
{
if (strstr($key,'chk-ip')) $pureip="-pureip_on";
if (strstr($key,'chk-safesearch')) $safesearch="-safesearch_on";
}
exec ("sudo /usr/local/bin/alcasar-url_filter_bl.sh $safesearch $pureip");
break;
case 'MAJ_ossi_file' :
foreach($_POST as $fichier => $value)
{
if($fichier != "choix")
unset($_POST['OSSI_bl']);
$fichier=fopen($dir_dg."exceptionsitelist","w+");
fputs($fichier, form_filter($_POST['BL_rehabilited_domains']));
fclose($fichier);
unset($_POST['BL_rehabilited_domains']);
$fichier=fopen($dir_dg."exceptioniplist","w+");
fputs($fichier, form_filter($_POST['BL_rehabilited_ip']));
fclose($fichier);
unset($_POST['BL_rehabilited_ip']);
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload");
break;
case 'Specific_filtering':
$bl_pureip='off';
$bl_safesearch='off';
foreach ($_POST as $key => $value)
{
$action=$_POST[$fichier];
if($action == $l_remove) //delete
if (strstr($key,'chk-ip')) $bl_pureip="on";
if (strstr($key,'chk-safesearch')) $bl_safesearch="on";
}
exec ("sudo /usr/local/bin/alcasar-url_filter_bl.sh -safesearch_$bl_safesearch -pureip_$bl_pureip");
break;
case 'MAJ_ossi_file' :
foreach($_POST as $fichier => $value)
{
if($fichier != "choix")
{
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $bl_categories_enabled");
exec("/bin/sed -i ".escapeshellarg("/$fichier\$/d")." $bl_categories");
exec("rm -rf $dir_blacklist".escapeshellarg($fichier));
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
$action=$_POST[$fichier];
if($action == $l_remove) //delete
{
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $bl_categories_enabled");
exec("/bin/sed -i ".escapeshellarg("/$fichier\$/d")." $bl_categories");
exec("rm -rf $dir_blacklist".escapeshellarg($fichier));
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
}
if($action == $l_disable) //disable
{
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $bl_categories_enabled");
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
}
if($action == $l_enable) //enable
{
file_put_contents ($bl_categories_enabled, $fichier."\n", FILE_APPEND);
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
}
}
if($action == $l_disable) //disable
}
break;
case 'MAJ_ossi_file_upload' :
$file_name = str_replace (".", "_",basename($_FILES['fichier_ip']['name']));
$dest_dir = $dir_blacklist."ossi-bl-".$file_name; # /etc/e2guardian/list/blacklist/ossi-bl-XXXXXXXX
if((!empty($file_name)) && (!file_exists($dest_dir)))
{
exec("mkdir ".escapeshellarg($dest_dir));
$file=$_FILES['fichier_ip']['tmp_name'];
exec('/usr/bin/dos2unix '.escapeshellarg($file));
if(move_uploaded_file($_FILES['fichier_ip']['tmp_name'], $dest_dir."/domains")) // copy in the file "domains" (containing @ip & domain names (like over Toulouse categories))
{
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $bl_categories_enabled");
touch ($dest_dir."/urls"); // create the URL file even if it isn't used
file_put_contents ($bl_categories, $dest_dir."\n", FILE_APPEND); # add to the categories list
file_put_contents ($bl_categories_enabled, "ossi-bl-".$file_name."\n", FILE_APPEND); //Enabled by default
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
}
if($action == $l_enable) //enable
else
{
file_put_contents ($bl_categories_enabled, $fichier."\n", FILE_APPEND);
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
exec("rm -rf ".escapeshellarg($dest_dir));
echo $l_error_upload;
}
}
}
break;
case 'MAJ_ossi_file_upload' :
$file_name = str_replace (".", "_",basename($_FILES['fichier_ip']['name']));
$dest_dir = $dir_blacklist."ossi-bl-".$file_name; # /etc/e2guardian/list/blacklist/ossi-bl-XXXXXXXX
if((!empty($file_name)) && (!file_exists($dest_dir)))
{
exec("mkdir ".escapeshellarg($dest_dir));
$file=$_FILES['fichier_ip']['tmp_name'];
exec('/usr/bin/dos2unix '.escapeshellarg($file));
if(move_uploaded_file($_FILES['fichier_ip']['tmp_name'], $dest_dir."/domains")) // copy in the file "domains" (containing @ip & domain names (like over Toulouse categories))
{
touch ($dest_dir."/urls"); // create the URL file even if it isn't used
file_put_contents ($bl_categories, $dest_dir."\n", FILE_APPEND); # add to the categories list
file_put_contents ($bl_categories_enabled, "ossi-bl-".$file_name."\n", FILE_APPEND); //Enabled by default
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
}
else
{
exec("rm -rf ".escapeshellarg($dest_dir));
echo $l_error_upload;
}
}
break;
break;
}
?>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
314,7 → 330,7
<FORM action='bl_filter.php' method=POST>
<?php
if ((file_exists("$dir_tmp/blacklists.tar.gz")) && (file_exists("$dir_tmp/md5sum")))
{
{
echo "$l_fingerprint"; echo_file ("$dir_tmp/md5sum");
echo "<br>$l_fingerprint2<a href='http://dsi.ut-capitole.fr/blacklists/download/MD5SUM.LST' target='cat_help' onclick=\"window.open('http://dsi.ut-capitole.fr/blacklists/download/MD5SUM.LST','cat_help','width=600,height=150,toolbar=no,scrollbars=yes,resizable=yes')\" title='verify fingerprint'>dsi.ut-capitole.fr/blacklists/download/MD5SUM.LST</a><br>";
echo "<input type='hidden' name='choix' value='Active_list'>";
322,12 → 338,12
echo "<FORM action='bl_filter.php' method=POST>";
echo "<input type='hidden' name='choix' value='Reject_list'>";
echo "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_reject_bl'></form>";
}
}
else
{
{
echo "<input type='hidden' name='choix' value='Download_list'>";
echo "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_download_bl'> ($l_warning)</form>";
}
}
?>
</td></tr>
</table><br>
342,7 → 358,7
<?php
echo "<center>";
// total number of IP, DNS & URLs
$nbDomainNames = exec("wc -l /usr/local/share/dnsmasq-bl/* | tail -n 1 | awk '{print $1}'");
$nbDomainNames = exec("wc -l /usr/local/share/unbound-bl/* | tail -n 1 | awk '{print $1}'") / 2;
$nbUrl = exec("for file in `find /etc/e2guardian/lists/blacklists/ -name 'urls'`; do nb=$((nb+$(wc -l \$file | awk '{print $1}'))); done; echo \$nb");
$nbIp = exec("wc -l /usr/local/share/iptables-bl/* | tail -n 1 | awk '{print $1}'");
echo "<b>$l_nbDomainNames</b> $nbDomainNames, <b>$l_nbUrl</b> $nbUrl, <b>$l_nbIp</b> $nbIp<br/>";
350,11 → 366,11
//read & display all BL categories (checked or not)
$cols=1;
if (file_exists($bl_categories))
{
{
$bl_files = file($bl_categories);
$bl_files = preg_grep("/ossi-/", $bl_files, 1); // don't display ossi custom categories
foreach($bl_files as $fichier => $value)
{
{
if ($cols == 1) { echo "<tr>";}
$categorie=trim(basename($value));
echo "<td><a href='bl_categories_help.php?liste=bl&cat=$categorie' target='cat_help' onclick=\"window.open('bl_categories_help.php','cat_help','width=600,height=450,toolbar=no,scrollbars=yes,resizable=yes')\" title='categories help page'>$categorie</a><br>";
366,10 → 382,11
$cols++;
if ($cols > 10) {
echo "</tr>\n";
$cols=1; }
$cols=1;
}
}
else {
}
else {
echo "$l_error_open_file $bl_categories";
}
 
451,59 → 468,14
<input type='hidden' name='choix' value='Specific_filtering'>
<table width="100%" border=1 cellspacing=0 cellpadding=1>
<tr><td>
<input type='checkbox' name='chk-ip'
<?php
// verify "pureip" filtering state
if (file_exists($bannedsite_file))
{
$pointeur=fopen($bannedsite_file,"r");
while (!feof ($pointeur))
{
$ligne=fgets($pointeur, 4096);
if ($ligne)
{
if (preg_match('/^\*ip$/',$ligne, $r))
{
echo " checked";
break;
}
}
}
fclose($pointeur);
}
else {
echo "$l_error_open_file $bannedsite_file";
}
echo "> $l_ip_filtering";
?>
<input type='checkbox' name='chk-ip' <?= $bl_pureip == 'on' ? 'checked' : ''; ?>><?= $l_ip_filtering; ?>
</td></tr>
<tr><td>
<input type='checkbox' name='chk-safesearch'
<?php
// verify "safesearch" filtering state
if (file_exists($urlregex_file))
{
$pointeur=fopen($urlregex_file,"r");
while (!feof ($pointeur))
{
$ligne=fgets($pointeur, 4096);
if ($ligne)
{
if (preg_match('/^\"\(\^http\:\/\/\[0\-9a\-z\]\+\\\.google/',$ligne, $r))
{
echo " checked";
break;
}
}
}
fclose($pointeur);
}
else {
echo "$l_error_open_file $urlregex_file";
}
echo "> $l_safe_searching<tr><td>";
echo "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_record'></td></tr>";
?>
<input type='checkbox' name='chk-safesearch' <?= $bl_safesearch == 'on' ? 'checked' : ''; ?>><?= $l_safe_searching; ?>
</tr></td>
<tr><td>
<?= "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_record'>"; ?>
</td></tr>
</table>
</form>
</BODY>
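Review bot: The new markup at the end of the specific-filtering form closes the cell and the row in the wrong order: `</tr></td>` follows the chk-safesearch checkbox where the replaced code had `</td></tr>`, and the same inversion appears in the corresponding wl_filter.php hunk further down the page. Further up, `$nbDomainNames = exec("wc -l /usr/local/share/unbound-bl/* | tail -n 1 | awk '{print $1}'") / 2;` divides exec()'s string return value, so an empty result (nothing matching the glob) raises a warning on PHP 7 and a TypeError on PHP 8, and the literal path duplicates `$dir_bl_domain_names` defined at the top of this hunk while the wl_filter.php counterpart already uses its `$dir_wl_domain_names` variable; `$nbDomainNames = intdiv((int) exec("wc -l $dir_bl_domain_names* | tail -n 1 | awk '{print $1}'"), 2);` addresses both. The newly added `$domainfilter_file`, and `$urlregex_file`/`$bannedsite_file` now that the checkbox state is read from alcasar.conf instead of the filter files, have no remaining use in the visible hunks; if nothing else in the file reads them they can be dropped.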
/web/acc/admin/network.php
226,10 → 226,6
$field = preg_split("/\s+/",$line);
$ip_addr = $field[0];
$host_name = trim($field[1]);
if (strcmp($add_ip, $ip_addr) === 0) {
$insert = false;
break;
}
if (strcasecmp($add_host, $host_name) === 0) {
$insert = false;
break;
237,7 → 233,7
}
}
if ($insert) {
exec("sudo /usr/local/bin/alcasar-dns-local.sh -add $add_ip $add_host");
exec("sudo /usr/local/bin/alcasar-dns-local.sh --add $add_ip $add_host");
}
}
}
272,8 → 268,8
move_uploaded_file($_FILES['key']['tmp_name'], $keypath);
move_uploaded_file($_FILES['crt']['tmp_name'], $crtpath);
exec("sudo alcasar-importcert.sh -i $crtpath -k $keypath -c $scpath");
if (file_exists($crtpath)) unlink($crtpath);
if (file_exists($keypath)) unlink($keypath);
if (file_exists($crtpath)) unlink($crtpath);
if (file_exists($keypath)) unlink($keypath);
if (file_exists($scpath)) unlink($scpath);
}
}
342,7 → 338,7
$domainName = $_POST['domainname'];
 
exec('sudo /usr/local/bin/alcasar-letsencrypt.sh --issue --email '.escapeshellarg($email).' --domain '.escapeshellarg($domainName), $output, $exitCode);
 
$cmdResponse = implode("<br>\n", $output);
}
if ($choix === 'le_renewCert') {
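Review bot: The renamed call `exec("sudo /usr/local/bin/alcasar-dns-local.sh --add $add_ip $add_host");` still interpolates `$add_ip` and `$add_host` into the command line unquoted; the enclosing block starts before this hunk, so whatever validation those values receive is not visible here, but the `alcasar-letsencrypt.sh` call in the last hunk of this section already wraps its arguments in escapeshellarg() and this one should match: `exec("sudo /usr/local/bin/alcasar-dns-local.sh --add ".escapeshellarg($add_ip)." ".escapeshellarg($add_host));`. The first hunk removes the `strcmp($add_ip, $ip_addr)` duplicate check, so several host names may now map to one address; if that is intentional, a one-line comment next to the remaining strcasecmp() check, e.g. `// several host names may share one IP; only duplicate names are rejected`, would stop a future reader from restoring it.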
/web/acc/admin/services.php
1,5 → 1,5
<?php
/* written by steweb57 & Rexy */
/* written by steweb57 & Rexy */
# Choice of language
$Language = 'en';
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){
31,10 → 31,11
$l_vnstat = "Grapheur de flux réseau";
$l_havp = "Proxy Antivirus";
$l_tinyproxy = "Proxy HTTP léger";
$l_dnsmasq = "Serveur DNS principal";
$l_dnsmasq_blacklist = "Serveur DNS pour la Blacklist";
$l_dnsmasq_whitelist = "Serveur DNS pour la Whitelist";
$l_dnsmasq_blackhole = "Serveur DNS 'trou noir'";
$l_unbound = "Serveur DNS principal";
$l_unbound_blacklist = "Serveur DNS pour la Blacklist";
$l_unbound_whitelist = "Serveur DNS pour la Whitelist";
$l_dnsmasq_whitelist = "Serveur DNS pour la Whitelist (IPSET)";
$l_unbound_blackhole = "Serveur DNS 'trou noir'";
$l_ulogd_ssh = "journalisation des accès par SSH";
$l_ulogd_ext_access = "journalisation des tentatives d'accès externes";
$l_ulogd_traceability = "journalisation des connexions WEB filtrés";
42,7 → 43,7
$l_stop_restart = "Arret et redémarrage du système";
$l_halt = "Arréter le système";
$l_reboot = "Relancer le système";
 
} else {
$l_services_title = "Services configuration";
$l_main_services = "Main services";
69,10 → 70,11
$l_vnstat = "Network grapher";
$l_havp = "Antivirus Proxy";
$l_tinyproxy = "Light HTTP Proxy";
$l_dnsmasq = "Main DNS server";
$l_dnsmasq_blacklist = "Blacklist DNS server";
$l_dnsmasq_whitelist = "Whitelist DNS server";
$l_dnsmasq_blackhole = "Blackhole DNS server";
$l_unbound = "Main DNS server";
$l_unbound_blacklist = "Blacklist DNS server";
$l_unbound_whitelist = "Whitelist DNS server";
$l_dnsmasq_whitelist = "Whitelist DNS server (IPSET)";
$l_unbound_blackhole = "Blackhole DNS server";
$l_ulogd_ssh = "SSH access logging process";
$l_ulogd_ext_access = "Extern access attempts logging process";
$l_ulogd_traceability = "Filtering WEB access logging process";
102,7 → 104,7
if (($action == "start")||($action == "stop")||($action == "restart")){
exec("sudo /usr/bin/systemctl $action ".escapeshellarg($service), $retval, $retstatus);
if ($service == "sshd"){ // in order to keep that conf for SSH at next reboot
if ($action == "start"){
if ($action == "start"){
exec("sudo /usr/bin/systemctl enable ".escapeshellarg($service));
file_put_contents(CONF_FILE, str_replace('SSH=off', 'SSH=on', file_get_contents(CONF_FILE)));
exec("sudo /usr/local/bin/alcasar-iptables.sh");
135,7 → 137,7
//-------------------------------
// Actions on services
//-------------------------------
$autorizeService = array("radiusd","chilli","mysqld","lighttpd","dnsmasq","ulogd-ssh","ulogd-ext-access","ulogd-traceability","dnsmasq-blacklist","dnsmasq-whitelist","dnsmasq-blackhole","e2guardian","havp","tinyproxy","freshclam","sshd","ntpd","fail2ban","nfsen","vnstat");
$autorizeService = array("radiusd","chilli","mysqld","lighttpd","unbound-forward","ulogd-ssh","ulogd-ext-access","ulogd-traceability","unbound-blacklist","unbound-whitelist","dnsmasq-whitelist","unbound-blackhole","e2guardian","havp","tinyproxy","freshclam","sshd","ntpd","fail2ban","nfsen","vnstat");
$autorizeAction = array("start","stop","restart");
 
if (isset($_GET['service'])&&(in_array($_GET['service'], $autorizeService))) {
168,15 → 170,16
$MainServiceStatus['radiusd'] = checkServiceStatus("radiusd");
$MainServiceStatus['mysqld'] = checkServiceStatus("mysqld");
$MainServiceStatus['lighttpd'] = checkServiceStatus("lighttpd");
$MainServiceStatus['dnsmasq'] = checkServiceStatus("dnsmasq");
$MainServiceStatus['unbound'] = checkServiceStatus("unbound-forward");
$MainServiceStatus['ulogd_ssh'] = checkServiceStatus("ulogd-ssh");
$MainServiceStatus['ulogd_ext_access'] = checkServiceStatus("ulogd-ext-access");
$MainServiceStatus['ulogd_traceability'] = checkServiceStatus("ulogd-traceability");
 
$FilterServiceStatus = array();
$FilterServiceStatus['dnsmasq_blacklist'] = checkServiceStatus("dnsmasq-blacklist");
$FilterServiceStatus['unbound_blacklist'] = checkServiceStatus("unbound-blacklist");
$FilterServiceStatus['unbound_whitelist'] = checkServiceStatus("unbound-whitelist");
$FilterServiceStatus['dnsmasq_whitelist'] = checkServiceStatus("dnsmasq-whitelist");
$FilterServiceStatus['dnsmasq_blackhole'] = checkServiceStatus("dnsmasq-blackhole");
$FilterServiceStatus['unbound_blackhole'] = checkServiceStatus("unbound-blackhole");
$FilterServiceStatus['e2guardian'] = checkServiceStatus("e2guardian");
$FilterServiceStatus['havp'] = checkServiceStatus("havp");
$FilterServiceStatus['tinyproxy'] = checkServiceStatus("tinyproxy");
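Review bot: The updated `$autorizeService` array is the allow-list that gates which unit names reach `systemctl` through the in_array() check a few lines below it, and it now mixes the unbound-* units with the retained dnsmasq-whitelist unit without any comment; a line such as `// allow-list of systemd unit names accepted by the start/stop/restart handler below` above it would make its security role explicit to the next maintainer. The status block also maps the key `'unbound'` to the unit `unbound-forward` while every other key matches its unit name; a short comment (`// the main resolver runs as the unbound-forward unit`) or renaming the key would remove the surprise. The label variables were renamed from `$l_dnsmasq*` to `$l_unbound*` in both language blocks, but the code that displays them lies outside these hunks, so every reference should be checked against the new names.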
/web/acc/admin/wl_filter.php
9,7 → 9,7
<?
function form_filter ($form_content)
{
// réencodage iso + format unix + rc fin de ligne (ouf...)
// réencodage iso + format unix + rc fin de ligne (ouf...)
$list = str_replace("\r\n", "\n", utf8_decode($form_content));
if (strlen($list) != 0){
if ($list[strlen($list)-1] != "\n") { $list[strlen($list)]="\n";} ;} ;
37,22 → 37,22
}
}
function echo_file ($filename)
{
if (file_exists($filename))
{
if (file_exists($filename))
if (filesize($filename) != 0)
{
if (filesize($filename) != 0)
{
$pointeur=fopen($filename,"r");
$tampon = fread($pointeur, filesize($filename));
fclose($pointeur);
echo $tampon;
}
}
}
else
{
{
echo "$filename doesn't exist";
}
}
}
function echo_ip_file ($filename)
{
$filename = escapeshellarg($filename);
68,7 → 68,7
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$Language = strtolower(substr(chop($Langue[0]),0,2));
}
}
if($Language == 'fr'){
$l_wl="Liste blanche générale";
$l_load="Chargement...";
76,7 → 76,7
$l_wl_categories="Sélectionnez les catégories à autoriser";
$l_specific_filtering="Filtrage special";
$l_add_to_wl="Noms de domaine ou adresses IP à ajouter à la liste blanche";
$l_one_dns_ip="Entrez un nom de domaine ou une adresse IP ou une adresse de réseau par ligne<br>exemple (domaine) : .domaine.org - exemple (ip) : 61.54.52.56 - exemple (réseau) : 172.16.0.0/16";
$l_one_dns_ip="Entrez un nom de domaine ou une adresse IP ou une adresse de réseau par ligne<br>exemple (domaine) : domaine.org. - exemple (ip) : 61.54.52.56 - exemple (réseau) : 172.16.0.0/16";
$l_record="Enregistrer les modifications";
$l_wait="Une fois validées, 10 secondes sont nécessaires pour traiter vos modifications";
$l_safe_searching="Activer le contrôle scolaire/parental pour 'YouTube' et pour les moteurs de recherche 'Google', 'Bing' et 'Qwant'.";
107,7 → 107,7
$l_specific_filtering="Specific filtering";
$l_allowed_dns="Allowed domain names";
$l_add_to_wl="Domain names or IP addresses to add to the whitelist";
$l_one_dns_ip="Enter one domain name or one IP address or one network address per row <br>example (domain): .domain.org - example (ip): 61.54.56.52 - example (network) : 172.16.0.0/16";
$l_one_dns_ip="Enter one domain name or one IP address or one network address per row <br>example (domain): domain.org. - example (ip): 61.54.56.52 - example (network) : 172.16.0.0/16";
$l_record="Save changes";
$l_wait="Once validated, 10 seconds are necessary to compute your modifications";
$l_safe_searching="Enabling school/parental control for 'YouTube' and for the search engines 'Google', 'Bing' and 'Qwant'";
135,127 → 135,137
$dir_blacklist=$dir_dg."blacklists/";
$dir_wl_ip="/usr/local/share/iptables-wl/";
$dir_wl_ip_enabled= "/usr/local/share/iptables-wl-enabled/";
$dir_wl_domain_names= "/usr/local/share/dnsmasq-wl/";
$dir_wl_domain_names_enabled= "/usr/local/share/dnsmasq-wl-enabled/";
$dir_wl_domain_names= "/usr/local/share/unbound-wl/";
$dir_wl_domain_names_enabled= "/usr/local/share/unbound-wl-enabled/";
$wl_categories=$dir_etc."alcasar-wl-categories";
$wl_categories_enabled=$dir_etc."alcasar-wl-categories-enabled";
$conf_file=$dir_etc."alcasar.conf";
$iptables_safesearch_file=$dir_wl_ip_enabled."ossi-ip-safesearch";
$domainfilter_file="/etc/unbound/conf.d/whitelist/domainfilter.conf";
$bannedsite_file=$dir_dg."bannedsitelist";
$dir_tmp="/tmp/blacklists";
 
$wl_safesearch="off";
 
# default values
if (is_file ($conf_file))
{
{
$tab=file($conf_file);
if ($tab)
{
foreach ($tab as $line)
{
foreach ($tab as $line)
{
$field=explode("=", $line);
if ($field[0] == "PRIVATE_IP")
{
$PRIVATE_IP_MASK=trim($field[1]);
$tmp = explode("/",$PRIVATE_IP_MASK);
$PRIVATE_IP=$tmp[0];
}
switch ($field[0]) {
case 'PRIVATE_IP':
$PRIVATE_IP_MASK=trim($field[1]);
$tmp = explode("/",$PRIVATE_IP_MASK);
$PRIVATE_IP=$tmp[0];
break;
 
case 'WL_SAFESEARCH':
if (strtolower(trim($field[1])) == 'on') {
$wl_safesearch='on';
}
break;
}
}
}
}
else { echo "$l_error_open_file $conf_file";}
if (isset($_POST['choix'])){ $choix=$_POST['choix']; } else { $choix=""; }
switch ($choix)
{
case 'Download_list' :
exec ("sudo /usr/local/bin/alcasar-bl.sh --download");
break;
case 'Active_list' :
exec ("sudo /usr/local/bin/alcasar-bl.sh --adapt");
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload");
break;
case 'Reject_list' :
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum");
break;
case 'MAJ_cat_wl' :
if (file_exists($wl_categories_enabled))
{
exec("/bin/sed -i \"/^ossi-/!d\" $wl_categories_enabled"); // keep ossi custom categories
$pointeur=fopen($wl_categories_enabled, "a+");
foreach ($_POST as $key => $value)
case 'Download_list' :
exec ("sudo /usr/local/bin/alcasar-bl.sh --download");
break;
case 'Active_list' :
exec ("sudo /usr/local/bin/alcasar-bl.sh --adapt");
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload");
break;
case 'Reject_list' :
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum");
break;
case 'MAJ_cat_wl' :
if (file_exists($wl_categories_enabled))
{
if (strstr($key,'chk-'))
exec("/bin/sed -i \"/^ossi-/!d\" $wl_categories_enabled"); // keep ossi custom categories
$pointeur=fopen($wl_categories_enabled, "a+");
foreach ($_POST as $key => $value)
{
$line=str_replace('chk-','',$key)."\n";
fwrite($pointeur,$line);
if (strstr($key,'chk-'))
{
$line=str_replace('chk-','',$key)."\n";
fwrite($pointeur,$line);
}
}
 
fclose($pointeur);
}
 
fclose($pointeur);
}
else {echo "$l_error_open_file $wl_categories_enabled";}
$fichier=fopen($dir_blacklist."ossi-wl/domains","w+");
fputs($fichier, form_filter($_POST['OSSI_wl']));
fclose($fichier);
unset($_POST['OSSI_wl']);
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload");
break;
case 'Specific_filtering' :
$safesearch="-safesearch_off"; ;
foreach ($_POST as $key => $value)
{
if (strstr($key,'chk-safesearch')) $safesearch="-safesearch_on";
}
exec ("sudo /usr/local/bin/alcasar-url_filter_wl.sh $safesearch");
break;
case 'MAJ_ossi_file' :
foreach($_POST as $fichier => $value)
{
if($fichier != "choix")
else {echo "$l_error_open_file $wl_categories_enabled";}
$fichier=fopen($dir_blacklist."ossi-wl/domains","w+");
fputs($fichier, form_filter($_POST['OSSI_wl']));
fclose($fichier);
unset($_POST['OSSI_wl']);
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload");
break;
case 'Specific_filtering' :
$wl_safesearch='off';
foreach ($_POST as $key => $value)
{
$action=$_POST[$fichier];
if($action == $l_remove) //delete
if (strstr($key,'chk-safesearch')) {
$wl_safesearch='on';
}
}
exec ("sudo /usr/local/bin/alcasar-url_filter_wl.sh -safesearch_$wl_safesearch");
break;
case 'MAJ_ossi_file' :
foreach($_POST as $fichier => $value)
{
if($fichier != "choix")
{
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories_enabled");
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories");
exec("rm -rf ".escapeshellarg("$dir_blacklist$fichier"));
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
$action=$_POST[$fichier];
if($action == $l_remove) //delete
{
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories_enabled");
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories");
exec("rm -rf ".escapeshellarg("$dir_blacklist$fichier"));
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
}
if($action == $l_disable) //disable
{
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories_enabled");
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
}
if($action == $l_enable) //enable
{
file_put_contents($wl_categories_enabled, $fichier."\n", FILE_APPEND);
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
}
}
if($action == $l_disable) //disable
}
break;
case 'MAJ_ossi_file_upload' :
$file_name = str_replace (".", "_",basename($_FILES['fichier_ip']['name']));
if(!empty($file_name))
{
$dest_dir = $dir_blacklist."ossi-wl-".$file_name;
exec("mkdir ".escapeshellarg($dest_dir));
$file=$_FILES['fichier_ip']['tmp_name'];
exec('/usr/bin/dos2unix '.escapeshellarg($file));
if(move_uploaded_file($_FILES['fichier_ip']['tmp_name'], $dest_dir."/domains"))
{
exec("/bin/sed -i ".escapeshellarg("/^$fichier\$/d")." $wl_categories_enabled");
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
touch ($dest_dir."/urls"); // create the URL file even if it isn't used
file_put_contents ($wl_categories, $dest_dir."\n", FILE_APPEND);
file_put_contents ($wl_categories_enabled, "ossi-wl-".$file_name."\n", FILE_APPEND); //Enabled by default
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload");
}
if($action == $l_enable) //enable
else
{
file_put_contents($wl_categories_enabled, $fichier."\n", FILE_APPEND);
exec("sudo /usr/local/bin/alcasar-bl.sh --reload");
exec("rm -rf ".escapeshellarg($dest_dir));
echo $l_error_upload;
}
}
}
break;
case 'MAJ_ossi_file_upload' :
$file_name = str_replace (".", "_",basename($_FILES['fichier_ip']['name']));
if(!empty($file_name))
{
$dest_dir = $dir_blacklist."ossi-wl-".$file_name;
exec("mkdir ".escapeshellarg($dest_dir));
$file=$_FILES['fichier_ip']['tmp_name'];
exec('/usr/bin/dos2unix '.escapeshellarg($file));
if(move_uploaded_file($_FILES['fichier_ip']['tmp_name'], $dest_dir."/domains"))
{
touch ($dest_dir."/urls"); // create the URL file even if it isn't used
file_put_contents ($wl_categories, $dest_dir."\n", FILE_APPEND);
file_put_contents ($wl_categories_enabled, "ossi-wl-".$file_name."\n", FILE_APPEND); //Enabled by default
exec ("sudo /usr/local/bin/alcasar-bl.sh --reload");
}
else
{
exec("rm -rf ".escapeshellarg($dest_dir));
echo $l_error_upload;
}
}
break;
break;
}
?>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
269,19 → 279,19
<?php
echo "<center>";
// total number of IP, DNS & URLs
$nbDomainNames = exec("wc -l /usr/local/share/dnsmasq-wl/* | tail -n 1 | awk '{print $1}'");
$nbDomainNames = exec("wc -l $dir_wl_domain_names* | tail -n 1 | awk '{print $1}'");
$nbUrl = "0";
$nbIp = exec("wc -l /usr/local/share/iptables-wl/* | tail -n 1 | awk '{print $1}'");
$nbIp = exec("wc -l $dir_wl_ip* | tail -n 1 | awk '{print $1}'");
echo "<b>$l_nbDomainNames</b> $nbDomainNames, <b>$l_nbUrl</b> $nbUrl, <b>$l_nbIp</b> $nbIp<br/>";
echo "$l_wl_categories</center></td></tr>";
//read & display all WL categories (checked or not)
$cols=1;
if (file_exists($wl_categories))
{
{
$wl_files = file($wl_categories);
$wl_files = preg_grep("/ossi-/", $wl_files, 1); // don't display ossi custom categories
foreach($wl_files as $fichier => $value)
{
{
if ($cols == 1) { echo "<tr>";}
$categorie=trim(basename($value));
echo "<td><a href='bl_categories_help.php?liste=wl&cat=$categorie' target='cat_help' onclick=window.open('bl_categories_help.php','cat_help','width=600,height=450,toolbar=no,scrollbars=yes,resizable=yes') title='categories help page'>$categorie</a><br>";
293,10 → 303,11
$cols++;
if ($cols > 10) {
echo "</tr>";
$cols=1; }
$cols=1;
}
}
else {
}
else {
echo "$l_error_open_file $wl_categories";
}
echo "<tr><td valign='middle' align='left' colspan=10>";
350,17 → 361,11
<FORM action='wl_filter.php' method='POST'>
<input type='hidden' name='choix' value='Specific_filtering'>
<tr><td>
<input type='checkbox' name='chk-safesearch'
<?php
// verify "safesearch" filtering state
if (file_exists($iptables_safesearch_file))
{
echo " checked";
}
echo "> $l_safe_searching<tr><td>";
echo "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_record'></td></tr>";
?>
</FORM>
<input type='checkbox' name='chk-safesearch' <?= $wl_safesearch == 'on' ? 'checked' : ''; ?>><?= $l_safe_searching; ?>
</tr></td>
<tr><td>
<?= "<input type='submit' onClick=\"this.disabled=true; this.value='$l_load';submit();\" value='$l_record'>"; ?>
</td></tr></FORM>
</TABLE>
</BODY>
</HTML>
/web/acc/phpsysinfo/includes/lang/en.php
45,13 → 45,13
$text['scsi'] = 'SCSI Devices';
 
//
$text['portail'] = 'General Informations about ALCASAR portal';
$text['portail'] = 'General information about ALCASAR portal';
$text['portail-version']= 'Installed version';
$text['portail-disp'] = 'Available versions';
$text['utilisateur'] = 'logged user(s) / tot.';
$text['groupe'] = 'Number of group(s)';
$text['bl-version'] = 'Updated \'Blacklist\'';
$text['internet_link'] = "Internet connexion";
$text['internet_link'] = "Internet connection";
$text['enable'] = "enable";
$text['disable'] = "disable";
$text['web_antivirus'] = "WEB antivirus";
85,7 → 85,7
 
$text['none'] = 'none';
 
$text['capacity'] = 'Capacity';
$text['capacity'] = 'Capacity';
 
$text['template'] = 'Template';
$text['language'] = 'Language';
/web/index.php
80,12 → 80,12
];
}
 
// Test if it's a direct connexion to ALCASAR
// Test if it's a direct connection to ALCASAR
if (isset($_SERVER['HTTP_HOST']) && (($_SERVER['HTTP_HOST'] === $_SERVER['SERVER_ADDR']) || ($_SERVER['HTTP_HOST'] === 'alcasar') || ($_SERVER['HTTP_HOST'] === $hostname) || ($_SERVER['HTTP_HOST'] === $organisme))) {
$direct_access = true;
}
 
// Function to adapt time connexion in seconds to H,M,S
// Function to adapt time connection in seconds to H,M,S
function secondsToDuration($seconds = null){
if ($seconds == null) return "";
$temp = $seconds % 3600;
132,7 → 132,7
if (isset($_GET['url'])) { // it's the second stage (when user has clicked on the button "open a connection")
$redir = 'http://'.$_GET['url'];
header("Location: $redir", true, 307);
exit();
exit();
}
}
 
224,7 → 224,7
$l_service_sms = "SMS service enable";
$l_service_sms_n = "SMS service disable";
$l_acc_sms = "Auto registration by SMS";
$l_explain_warn = "El administrador ha creado un archivo que contiene los periódicos de inicio de sesión como parte de un proceso judicial.";
$l_explain_warn = "El administrador ha creado un archivo que contiene los periódicos de inicio de sesión como parte de un proceso judicial.";
if (isset($_GET['url'])) {
$l_continue_link = "<a href=\"index.php?redirect=1&url=".urlencode($_GET['url'])."\" class=\"button\">Lo comprendo y deseo continuar mi navegación.</a>";
} else {
360,22 → 360,22
$l_explain_access_deny = "You try to connect to a resource whose content is deemed to contain inappropriate information.";
$l_explain_net_pb = "Your portal has just detected that the Internet access is down";
$l_contact_access_deny = "Contact your security system manager if you think this filtering is abusive.";
$l_contact_net_pb = "Contact your network responsive or your Internet provider for more information";
$l_contact_net_pb = "Contact your network responsive or your Internet provider for further information.";
$l_sms_access = "<a href=\"//$hostname/autoregistrationinfo.php\">Auto Registration by SMS</a>";
$l_install_certif = "Install ALCASAR AC Certificate";
$l_install_certif_more = "Install ALCASAR AC Certificate";
$l_certif_explain = "Allow secure data exchange between your computer and ALCASAR portal.<BR>If this certificate isn't incorporated in your computer, some security alerts should appear in your browser.<br><br>";
$l_certif_explain_help = "<a href=\"alcasar-certificat.pdf\" target=\"_blank\">Complementary help</a>";
$l_category = "category :";
$l_category = "category:";
if (!$user->connected) {
$l_logout_explain = "No Internet consultation session is actualy open on your system";
$l_logout_explain = "No Internet consultation session is currently open on your system";
$l_logout = "<a href=\"//$hostname/index.php?url=$redirect_link\">Open an Internet session</a>";
} else {
if ($user->username != $user->mac) { // authentication exception or not
$l_logout_explain = "Close the session of the user currently connected.<br> User logged-on : <a href=\"$logout_link\" title=\"Disconnect user $user->username\"><b>$user->username</b></a><br><br>$nb_connection_history last connections :$connection_history";
$l_logout = "<a href=\"$logout_link\">Logoff from internet</a>";
$l_logout_explain = "Close the session of the currently logged-in user.<br> User logged-on: <a href=\"$logout_link\" title=\"Disconnect user $user->username\"><b>$user->username</b></a><br><br>$nb_connection_history last connections:$connection_history";
$l_logout = "<a href=\"$logout_link\">Logoff from the internet</a>";
} else {
$l_logout_explain = "Your system ($user->username) is in exception of authentication.<br><br>$nb_connection_history Last logins :$connection_history";
$l_logout_explain = "Your system ($user->username) is in exception of authentication.<br><br>$nb_connection_history Last logins:$connection_history";
$l_logout = "Connections information";
}
}
394,10 → 394,10
}
$l_title_warn="Dear user,";
$l_explain_warn_name="Someone called ";
$l_explain_warn_ip="with this IP : ";
$l_explain_warn_date="has read your connexion logs at ";
$l_explain_warn_reason="For this reason : ";
$l_uam_domain = "Authorized websites : ";
$l_explain_warn_ip="with this IP: ";
$l_explain_warn_date="has read your connection logs at ";
$l_explain_warn_reason="For this reason: ";
$l_uam_domain = "Authorized websites: ";
}
 
$l_title = ($direct_access ? $l_access_welcome : ($network_pb ? $l_access_unavailable : $l_access_denied));
461,16 → 461,12
// Search blacklist categories
if ((!$direct_access) && (!$network_pb) && (!isset($_GET['warn']))) {
$pattern = str_replace('www.', '', $_SERVER['HTTP_HOST']);
$output = [];
exec('grep -Re ' . escapeshellarg('^'.$pattern.'$') . " /etc/e2guardian/lists/blacklists/*/domains | cut -d'/' -f6", $output);
$lists = [];
foreach ($output as $line) {
$lists[] = $line;
}
$categories = [];
exec('grep -Re ' . escapeshellarg('^'.$pattern.'$') . " /etc/e2guardian/lists/blacklists/*/domains | cut -d'/' -f6", $categories);
 
$filteredUrlHtml = $l_required_domain.' : '.htmlspecialchars($_SERVER['HTTP_HOST']);
if (!empty($lists)) {
$filteredUrlHtml .= "<br>$l_category ".implode(', ', $lists);
if (!empty($categories)) {
$filteredUrlHtml .= "<br>$l_category ".implode(', ', $categories);
}
}
 
564,7 → 560,7
<div class="div-cache" id="text_certif">
<h2><a href="<?= $certCa_link ?>"><?= $l_install_certif_more ?></a></h2>
<p><?= "$l_certif_explain $l_certif_explain_help" ?></p>
<img src="<?= $img_rep.$img_certificate ?>">
<img src="<?= $img_rep.$img_certificate ?>">
</div>
 
<div class="div-cache" id="text_mdp">
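Review bot: The rewritten lookup `exec('grep -Re ' . escapeshellarg('^'.$pattern.'$') . " /etc/e2guardian/lists/blacklists/*/domains | cut -d'/' -f6", $categories);` still hands the client-supplied Host header to grep as a regular expression, so escapeshellarg only protects the shell: each dot in the hostname matches any character and any other regex metacharacter in Host reaches the matcher. Since the intent is an exact whole-line match against the domains files, fixed-string whole-line matching expresses that without regex interpretation and makes the `^`/`$` anchoring unnecessary: `exec('grep -RFx -- ' . escapeshellarg($pattern) . " /etc/e2guardian/lists/blacklists/*/domains | cut -d'/' -f6", $categories);`. Note also that `str_replace('www.', '', $_SERVER['HTTP_HOST'])` removes every occurrence rather than only a leading prefix, and a Host value carrying a port (`host:port`) would presumably never match a domains entry, which is worth checking against how redirected requests reach this page. Separately, the rewritten `$l_contact_net_pb` string still reads "network responsive", which looks like a typo for "network manager".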
/web/language/alcasar-fr.txt
369,7 → 369,7
$l_e2guardian = "Filtre d'URL et de contenu WEB";
$l_mysqld = "Serveur de la base de données usager";
$l_squid = "Serveur de cache WEB";
$l_dnsmasq = "Serveur DNS et filtre de domaine";
$l_unbound = "Serveur DNS et filtre de domaine";
$l_httpd = "Serveur WEB (Centre de Gestion d'ALCASAR)";
$l_havp = "Filtre antivirus WEB";
$l_sshd = "Accès sécurisée à distance";