/CHANGELOG |
4,6 → 4,7 |
-------------------- 3.5.0 -------------------- |
NEWS |
- Mageia7.1 and Linux Kernel 5.6.14 |
- Remove HAVP & Tinyproxy (replaced by E2guardian & clamd) |
- All user pages are now responsive. Thanks to Clément GELINEAU |
- Add an additional BL : Malwares Command & Control servers (C&C) from "osint.bambenekconsulting.com/feeds/". Thanks to Sven RATH |
- Add IoT live capture (to detect private data leakage). Thanks to Dorian LEMOINE & Guillaume GELLUSSEAU |
/alcasar.sh |
18,7 → 18,7 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump |
# Options : |
# -i or --install |
35,8 → 35,7 |
# freeradius : FreeRadius initialisation |
# chilli : coovachilli initialisation (+authentication page) |
# e2guardian : E2Guardian filtering HTTP proxy configuration |
# antivirus : HAVP + libclamav configuration |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
# antivirus : clamav & freshclam configuration |
# ulogd : log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd) |
# unbound : Name server configuration |
1271,29 → 1270,42 |
# Adapt the main conf file |
# French deny HTML page |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf |
# Listen only on LAN side |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
# E2guardian listens on 8080 (HTTP) |
# 2 filtergroups (8080 & 8090) |
$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf |
# Listen on 8080 (HTTP for BL users) only on LAN side |
$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf |
# Listen on 8090 (HTTP for WL/AV users) only on LAN side |
$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf |
$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf |
# E2guardian listens transparently on 8443 (HTTPS) |
$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf |
# DG send its flow to HAVP (127.0.0.1:8090) |
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf |
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf |
# Don't log |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf |
# Disable HTML content control (weighted & banned) |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
# Enable authport plugin |
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf |
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf |
# Enable clamd scanner |
$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf |
# RAZ bannedphraselist |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not) |
# Disable URL control with regex |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not) |
# Adapt the first group file (only one for instance) |
# Adapt the first group conf file |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
# Reporting (deny page) in HTML |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
# Copy the fist group conf file to the second |
cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf2.conf |
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... |
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default |
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
1349,47 → 1361,16 |
################################################################## |
## Function "antivirus" ## |
## - Set the parameters of havp, libclamav and freshclam ## |
## - Set the parameters of clamav and freshclam ## |
################################################################## |
antivirus() |
{ |
# create 'havp' user |
havp_exist=`grep -c ^havp: /etc/passwd` |
if [ "$havp_exist" == "1" ] |
then |
userdel -r havp 2>/dev/null |
groupdel havp 2>/dev/null |
fi |
groupadd -f havp |
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp |
mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav |
chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp |
chown -R clamav:clamav /var/log/clamav /var/lib/clamav |
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default |
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config |
$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config # pidfile |
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode |
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback |
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback) |
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format |
$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV |
$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches |
$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously |
$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files |
$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files |
$SED "s?^# SCANTEMPFILE.*?SCANTEMPFILE /var/tmp/havp/havp-XXXXXX?g" /etc/havp/havp.config # Use our special tmp FS (memfs) |
$SED "s?^# TEMPDIR.*?TEMPDIR /var/tmp/havp?g" /etc/havp/havp.config # Use our special tmp FS (memfs) |
# skip checking of youtube flow (too heavy load / risk too low) |
[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default |
echo "# Whitelist youtube flow" >> /etc/havp/whitelist |
echo "*.youtube.com/*" >> /etc/havp/whitelist |
# adapt init script and systemd unit |
[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default |
cp -f $DIR_CONF/havp-init /etc/init.d/havp |
cp -f $DIR_CONF/havp.service /lib/systemd/system/ |
# replace of the intercept page (template) |
cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html |
cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html |
# Clamd adaptation to e2guardian |
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default |
$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf |
chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav |
chmod 775 /var/log/clamav /var/lib/clamav |
chmod 664 /var/log/clamav/* |
# update virus database every 4 hours (24h/6) |
[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default |
$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf |
1396,65 → 1377,12 |
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf |
$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf |
$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf |
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam |
# update now |
/usr/bin/freshclam --no-warnings --quiet |
} # End of antivirus() |
################################################################################ |
## Function "tinyproxy" ## |
## - Set the parameters of tinyproxy (proxy between filtered users and havp) ## |
################################################################################ |
tinyproxy() |
{ |
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd` |
if [ "$tinyproxy_exist" == "1" ] |
then |
userdel -r tinyproxy 2>/dev/null |
groupdel tinyproxy 2>/dev/null |
fi |
groupadd -f tinyproxy |
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy |
mkdir -p /run/tinyproxy /var/log/tinyproxy |
chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy |
[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default |
$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port |
$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif) |
$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged |
$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP |
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode |
$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN |
# Create the systemd unit |
cat << EOF > /lib/systemd/system/tinyproxy.service |
# This file is part of systemd. |
# |
# systemd is free software; you can redistribute it and/or modify it |
# under the terms of the GNU General Public License as published by |
# the Free Software Foundation; either version 2 of the License, or |
# (at your option) any later version. |
# This unit launches tinyproxy (a very light proxy). |
# The "sleep 2" is needed because the pid file isn't ready for systemd |
[Unit] |
Description=Tinyproxy Web Proxy Server |
After=network-online.target iptables.service |
[Service] |
Type=forking |
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy |
ExecStartPre=/bin/sleep 2 |
PIDFile=/run/tinyproxy/tinyproxy.pid |
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf |
ExecStop=/usr/bin/killall -9 tinyproxy |
[Install] |
WantedBy=multi-user.target |
EOF |
} # end of tinyproxy() |
############################################################## |
## function "ulogd" ## |
## - Ulog config for multi-log files ## |
1907,7 → 1835,7 |
fail2ban() |
{ |
/usr/bin/sh $DIR_CONF/fail2ban.sh |
# allow reading of 2 log files (fail2ban & watchdog). HAVP is treated in its section |
# allow reading of 2 log files (fail2ban & watchdog). |
[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log |
[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log |
chmod 644 /var/log/fail2ban.log |
2112,7 → 2040,7 |
################################################################## |
post_install() |
{ |
# change the SSH banner |
# change the SSHD options |
cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh |
echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh |
chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh |
2119,13 → 2047,15 |
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
# sshd listens on EXTIF & INTIF |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config |
# sshd authorized certificate for root login |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config |
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config |
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
# sshd liste on EXTIF & INTIF |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config |
# sshd authorized certificate for root login |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config |
# ALCASAR conf file |
echo "HTTPS_LOGIN=off" >> $CONF_FILE |
echo "HTTPS_CHILLI=off" >> $CONF_FILE |
2196,7 → 2126,7 |
EOF |
/usr/bin/systemctl daemon-reload |
# processes launched at boot time (Systemctl) |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd |
do |
/usr/bin/systemctl -q enable $i.service |
done |
2241,7 → 2171,7 |
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub |
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx|vbox"` # test if in VM |
if [ $vm_vga == 0 ] # is not a VM |
then |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art |
2425,7 → 2355,7 |
fi |
mode="update" |
fi |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |
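Review bot: In antivirus(), the new `$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam` targets `/etc/freshclam` instead of `/etc/freshclam.conf`, so the option is never applied and freshclam keeps its default database owner while `/var/lib/clamav` is now chowned to e2guardian; the line should read `$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf`. With `clamav-daemon` now enabled at boot, the surviving `# NotifyClamd /etc/clamd.conf` substitution in the same function also looks stale: it appears to date from the libclamav setup, and without it clamd is not told about refreshed signatures, so `NotifyClamd /etc/clamd.conf` is probably what is wanted now. In the e2guardian() hunk, if the `proxyip = 127.0.0.1` / `proxyport = 8090` substitutions (commented "DG send its flow to HAVP") survive on the new side, E2guardian would chain to its own second listen port 8090 now that HAVP is gone; please confirm they are removed. The e2guardian() function itself starts and ends outside its hunk.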
/conf/havp.service |
File deleted |
/conf/havp-init |
File deleted |
Property changes: |
Deleted: svn:executable |
-* |
\ No newline at end of property |
Deleted: svn:keywords |
-Id Date Author |
\ No newline at end of property |
/conf/havp-tmpfs-example |
0,0 → 1,45 |
havp_loopback=tmpfs |
havp_mountpoint=/var/tmp/havp |
#set -e |
# Return values acc. to LSB for all commands but status: |
# 1 generic or unspecified error (current practice) |
# 2 invalid or excess argument(s) |
# 3 unimplemented feature (for example, "reload") |
# 4 user had insufficient privilege |
# 5 program is not installed |
# 6 program is not configured |
# 7 program is not running |
# 8-99 reserved for future LSB use |
# 100-149 reserved for distribution use |
# 150-199 reserved for application use |
# 200-254 reserved |
# Note that starting an already running service, stopping |
# or restarting a not-running service as well as the restart |
# with force-reload (in case signaling is not supported) are |
# considered a success. |
start) |
if ! [ "`mount | grep $havp_mountpoint`" ]; then |
echo -n "Mounting $havp_loopback under $havp_mountpoint ..." |
mount -t tmpfs -o mand,noatime,size=50m,nosuid,noexec $havp_loopback $havp_mountpoint |
chown -R havp:havp $havp_mountpoint |
echo "done" |
fi |
if [ "`mount | grep $havp_mountpoint`" ]; then |
echo -n "Cleaning up $havp_mountpoint"... |
find $havp_mountpoint/ -type f -delete |
echo " done" |
echo -n "Starting $DESC: " |
if [ ! -f $HAVP_BIN ]; then |
echo "Error: $HAVP_BIN not found" |
exit 5 |
fi |
$HAVP_BIN -c $HAVP_CONFIG |
else |
echo "Error: mount tmpfs point failed" |
fi |
chmod 644 /var/log/havp/access.log |
exit $? |
;; |
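Review bot: The trailing `exit $?` reports the status of the preceding `chmod 644 /var/log/havp/access.log`, not of `$HAVP_BIN -c $HAVP_CONFIG`, so a failed proxy start (and the `Error: mount tmpfs point failed` branch) exits 0; capture the status right after the launch, `$HAVP_BIN -c $HAVP_CONFIG` followed by `rc=$?`, and finish with `exit $rc`. `$DESC`, `$HAVP_BIN` and `$HAVP_CONFIG` are used but never set in the file as shown, and the file opens at `start)` without an enclosing `case`, so it reads as a fragment rather than a runnable script. Since this commit removes HAVP everywhere else, it is worth confirming the example is meant to be added at all; if it is, a one-line header comment stating that it is a reference snippet for a tmpfs-backed scan directory (mounted `nosuid,noexec`) would make its purpose clear.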
/rpms/havp-0.92a-1.1.spec |
File deleted |
/rpms/x86_64/havp-0.93-1.mga7.x86_64.rpm |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/scripts/alcasar-activity_report.sh |
164,7 → 164,7 |
#get timestamp of X day ago. Then we get every packets chich have been updated since this date. |
if [ "$(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l)" -gt 1 ] |
then |
PACKAGE='php|lighttpd|iptables|dnsmasq|unbound|radius|tinyproxy|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget' |
PACKAGE='php|lighttpd|iptables|dnsmasq|unbound|radius|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|ipt-netflow|wget|mariadb|gnupg|openssl' |
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR |
do |
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1) |
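Review bot: The widened `PACKAGE` alternation is applied with an unanchored `grep -E "$PACKAGE"` over the whole `installtime name version` line, so the new `openssl`, `gnupg` and `mariadb` entries will also match any library or sub-package whose name merely contains those strings (lib*openssl* style packages, for instance), inflating the update report. Anchoring on the name field is safer, e.g. replacing `grep -E "$PACKAGE"` with `awk -v pkg="^($PACKAGE)" '$2 ~ pkg'` in both pipelines, or prefixing the terms in `PACKAGE` with a name-field anchor. Note also that the `if` line above references `$PACKAGE` before the assignment shown here, so unless it is set earlier in the script the condition greps with an empty pattern and counts every recently updated package. The enclosing block starts outside the hunk.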
/scripts/alcasar-conf.sh |
275,7 → 275,7 |
$DIR_BIN/alcasar-logout.sh all |
# Services stop |
echo -n "Stop services : " |
for i in ntpd tinyproxy e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd |
for i in ntpd e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd |
do |
/usr/bin/systemctl stop $i && echo -n "$i, " |
done |
433,8 → 433,6 |
} |
EOF |
$DIR_BIN/alcasar-dns-local.sh -hosts_to_unbound # add local name resolution to unbound (forward & blackhole) |
# tinyproxy |
$SED "s?^Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf |
# DG + BL |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf |
# Watchdog |
448,7 → 446,7 |
# Services start |
/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1 |
$DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli |
for i in unbound unbound-blackhole tinyproxy ntpd |
for i in unbound unbound-blackhole ntpd |
do |
sleep 1 |
/usr/bin/systemctl start $i && echo -n ", $i" |
/scripts/alcasar-daemon.sh |
16,7 → 16,7 |
LDAP=${LDAP:=off} |
INTIF=`grep ^INTIF= $conf_file|cut -d"=" -f2` # INTIF name |
EXTIF=`grep ^EXTIF= $conf_file|cut -d"=" -f2` # EXTIF name |
SERVICES="mysqld lighttpd php-fpm ntpd havp unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd tinyproxy nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd" |
SERVICES="mysqld lighttpd php-fpm ntpd unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd" |
nb_available_srv=`echo $SERVICES|wc -w` |
function ServiceTest () { |
/scripts/alcasar-iptables.sh |
164,46 → 164,56 |
# PREROUTING # |
############################# |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (E2Guardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to TCP port 8090 (e2guardian) in order to REJECT them in INPUT rules |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules |
# 8080 = ipset havp_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to TCP port 8090 (tinyproxy) in order to REJECT them in INPUT rules |
# 8090 = ipset havp_wl + havp |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2 |
# 8443 = tranparent HTTPS for ipsets havp_bl + havp_wl + havp |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6 |
# Marquage des paquets qui tentent d'accéder directement au port 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT |
# Mark the direct attempts to port 54 (DNS-blacklist) in order to REJECT them in INPUT rules |
# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT |
# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules |
# 54 = ipset havp_bl |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3 |
# Marquage des paquets qui tentent d'accéder directement au port 55 (DNS-Whitelist) pour pouvoir les rejeter en INPUT |
# Mark the direct attempts to port 55 (DNS-whitelist) in order to REJECT them in INPUT rules |
# 55 = ipset havp_wl |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4 |
# Marquage des paquets qui tentent d'accéder directement au port 56 (DNS-Blackhole) pour pouvoir les rejeter en INPUT |
# Mark the direct attempts to port 56 (DNS-blackhole) in order to REJECT them in INPUT rules |
# 56 = blackall |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 56 -j MARK --set-mark 5 |
# redirection DNS des usagers 'havp_bl' vers le port local 54 (en évitant le contournement) |
# redirect DNS of 'havp_bl' users to the local port 54 (avoiding bypass) |
# redirection DNS des usagers |
# users DNS redirection |
# 54 = ipset havp_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p udp --dport domain -j REDIRECT --to-port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p tcp --dport domain -j REDIRECT --to-port 54 |
# redirection DNS des usagers 'havp_wl' vers le port local 55 (en évitant le contournement) |
# redirect DNS of 'havp_wl' users to the local port 55 (avoiding bypass) |
# 55 = ipset havp_wl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p udp --dport domain -j REDIRECT --to-port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p tcp --dport domain -j REDIRECT --to-port 55 |
# redirection des requêtes DNS de contournement vers le port local 53 |
# redirect of bypass DNS requests to the local port 53 |
# 53 = all other users |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53 |
# Redirection des requêtes HTTP des usagers vers E2guardian |
# Redirect outbound users HTTP requests to E2guardian |
# 8080 = ipset havp_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# 8090 = ipset havp_wl & havp |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
# Redirection des requêtes HTTPS sortantes des usagers havp_bl + havp_wl + havp vers E2Guardian |
# Redirect outbound HTTPS requests of havp_bl + havp_wl + havp users to E2Guardian |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT " |
216,15 → 226,6 |
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers E2Guardian |
# Redirect outbound HTTP requests of "BL" users to E2Guardian (transparent proxy) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy |
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
# Redirection des requêtes NTP vers le serveur NTP local |
# Redirect NTP request in local NTP server |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123 |
262,53 → 263,40 |
# Conntrack on INPUT |
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
# On interdit les connexions directes au port utilisé par E2Guardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on E2Guardian port (8080). The concerned paquets have been marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset |
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # havp_bl |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # havp_wl+havp |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # havp_bl+havp_wl+havp |
# Autorisation des connexions légitimes à E2Guardian |
# Allow connections for E2Guardian |
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian |
# Allow HTTP connections to E2Guardian |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT |
# On interdit les connexions directes au port utilisé par tinyproxy (8090). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on tinyproxy port (8090). The concerned paquets have been marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset |
# Autorisation des connexions légitimes vers tinyproxy |
# Allow connections to tinyproxy |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m conntrack --ctstate NEW --syn -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT |
# On interdit les connexions directes au port 54 (DNS-blacklist). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on port 54 (DNS-blacklist). The concerned paquets are marked in mangle table (PREROUTING) |
# On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections to DNS ports (UNBOUND). The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 3 -j REJECT --reject-with tcp-reset |
# On interdit les connexions directes au port 55 (DNS-whitelist). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on port 55 (DNS-whitelist). The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 55 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 3 -j REJECT --reject-with tcp-reset |
# On interdit les connexions directes au port 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on port 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 4 -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 5 -j REJECT --reject-with tcp-reset |
# autorisation des connexion légitime à Unbound (avec blacklist) |
# Allow connections for Unbound (with blacklist) |
# On autorise les connexion DNS légitime |
# Allow DNS connections |
# ipset = havp_bl |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT |
# autorisation des connexion légitime à Unbound (avec whitelist) |
# Allow connections for Unbound (with whitelist) |
# ipset = havp_wl |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT |
# autorisation des connexion légitime à Unbound (mode blackhole) |
# Allow connections for Unbound (blackhole mode) |
# blackall |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT |
# Accès direct aux services internes |
# On accepte l'accès aux services internes |
# Internal services access |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS |
501,7 → 489,6 |
# Dynamic NAT on EXTIF |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE |
############################# |
# FAIL2BAN # |
############################# |
/scripts/alcasar-rpm-download.sh |
13,7 → 13,7 |
# The kernel version we compile netflow for |
KERNEL="kernel-server-5.3.7-4.mga7-1-1.mga7" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server netcat-traditional" |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamd perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server netcat-traditional" |
rpm_repository_sync () |
{ |
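Review bot: The `PACKAGES` line swaps `clamav` for `clamd`, while the rest of the commit still depends on freshclam (the `clamav-freshclam` service and `/etc/freshclam.conf` handled in alcasar-uninstall.sh); if the Mageia `clamd` RPM does not pull in the package that provides freshclam and its config, signature updates would silently stop on fresh installs. Either confirm that dependency or list both packages explicitly, e.g. `... rsync clamav clamd perl-rrdtool ...`. The same substitution is made in /scripts/alcasar-urpmi.sh and this remark applies there as well. The `tinyproxy` removal itself is consistent with the changelog entry.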
/scripts/alcasar-uninstall.sh |
96,7 → 96,7 |
e2guardian () |
{ |
echo -en "(14) : " |
echo -en "(15) : " |
[ -d /var/e2guardian ] && rm -rf /var/e2guardian |
[ -d /var/dansguardian ] && rm -rf /var/dansguardian |
[ -e /lib/systemd/system/e2guardian.service.default ] && mv /lib/systemd/system/e2guardian.service.default /lib/systemd/system/e2guardian.service && echo -n "1, " |
103,45 → 103,26 |
[ -e /etc/e2guardian/e2guardian.conf.default ] && mv /etc/e2guardian/e2guardian.conf.default /etc/e2guardian/e2guardian.conf && echo -n "2, " |
[ -e /etc/e2guardian/lists/bannedphraselist.default ] && mv /etc/e2guardian/lists/bannedphraselist.default /etc/e2guardian/lists/bannedphraselist && echo -n "3, " |
[ -e /etc/e2guardian/e2guardianf1.conf.default ] && mv /etc/e2guardian/e2guardianf1.conf.default /etc/e2guardian/e2guardianf1.conf && echo -n "4, " |
[ -e /usr/share/e2guardian/languages/french/template.html.default ] && mv /usr/share/e2guardian/languages/french/template.html.default /usr/share/e2guardian/languages/french/template.html && echo -n "5, " |
[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] && mv /usr/share/e2guardian/languages/ukenglish/template.html.default /usr/share/e2guardian/languages/ukenglish/template.html && echo -n "6, " |
[ -e /etc/e2guardian/lists/bannedextensionlist.default ] && mv /etc/e2guardian/lists/bannedextensionlist.default /etc/e2guardian/lists/bannedextensionlist && echo -n "7, " |
[ -e /etc/e2guardian/lists/bannedmimetypelist.default ] && mv /etc/e2guardian/lists/bannedmimetypelist.default /etc/e2guardian/lists/bannedmimetypelist && echo -n "8, " |
[ -e /etc/e2guardian/lists/exceptioniplist.default ] && mv /etc/e2guardian/lists/exceptioniplist.default /etc/e2guardian/lists/exceptioniplist && echo -n "9, " |
[ -e /etc/e2guardian/lists/bannedsitelist.default ] && mv /etc/e2guardian/lists/bannedsitelist.default /etc/e2guardian/lists/bannedsitelist && echo -n "10, " |
[ -e /etc/e2guardian/lists/bannedurllist.default ] && mv /etc/e2guardian/lists/bannedurllist.default /etc/e2guardian/lists/bannedurllist && echo -n "11, " |
[ -e /etc/e2guardian/lists/exceptionsitelist.default ] && mv /etc/e2guardian/lists/exceptionsitelist.default /etc/e2guardian/lists/exceptionsitelist && echo -n "12, " |
[ -e /etc/e2guardian/lists/exceptionurllist.default ] && mv /etc/e2guardian/lists/exceptionurllist.default /etc/e2guardian/lists/exceptionurllist && echo -n "13, " |
[ -e /etc/e2guardian/lists/urlregexplist.default ] && mv /etc/e2guardian/lists/urlregexplist.default /etc/e2guardian/lists/urlregexplist && echo -n "14" |
[ -e /etc/e2guardian/e2guardianf2.conf ] && rm -f /etc/e2guardian/e2guardianf2.conf && echo -n "5, " |
[ -e /usr/share/e2guardian/languages/french/template.html.default ] && mv /usr/share/e2guardian/languages/french/template.html.default /usr/share/e2guardian/languages/french/template.html && echo -n "6, " |
[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] && mv /usr/share/e2guardian/languages/ukenglish/template.html.default /usr/share/e2guardian/languages/ukenglish/template.html && echo -n "7, " |
[ -e /etc/e2guardian/lists/bannedextensionlist.default ] && mv /etc/e2guardian/lists/bannedextensionlist.default /etc/e2guardian/lists/bannedextensionlist && echo -n "8, " |
[ -e /etc/e2guardian/lists/bannedmimetypelist.default ] && mv /etc/e2guardian/lists/bannedmimetypelist.default /etc/e2guardian/lists/bannedmimetypelist && echo -n "9, " |
[ -e /etc/e2guardian/lists/exceptioniplist.default ] && mv /etc/e2guardian/lists/exceptioniplist.default /etc/e2guardian/lists/exceptioniplist && echo -n "10, " |
[ -e /etc/e2guardian/lists/bannedsitelist.default ] && mv /etc/e2guardian/lists/bannedsitelist.default /etc/e2guardian/lists/bannedsitelist && echo -n "11, " |
[ -e /etc/e2guardian/lists/bannedurllist.default ] && mv /etc/e2guardian/lists/bannedurllist.default /etc/e2guardian/lists/bannedurllist && echo -n "12, " |
[ -e /etc/e2guardian/lists/exceptionsitelist.default ] && mv /etc/e2guardian/lists/exceptionsitelist.default /etc/e2guardian/lists/exceptionsitelist && echo -n "13, " |
[ -e /etc/e2guardian/lists/exceptionurllist.default ] && mv /etc/e2guardian/lists/exceptionurllist.default /etc/e2guardian/lists/exceptionurllist && echo -n "14, " |
[ -e /etc/e2guardian/lists/urlregexplist.default ] && mv /etc/e2guardian/lists/urlregexplist.default /etc/e2guardian/lists/urlregexplist && echo -n "15" |
} |
antivirus () |
{ |
echo -en "(6) : " |
if [ -e /etc/init.d/havp ] |
then |
[ -e /etc/havp/havp.config.default ] && mv /etc/havp/havp.config.default /etc/havp/havp.config && echo -n "1, " |
[ -d /run/havp ] && rm -rf /run/havp && echo -n "2, " |
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "3, " |
[ -e /lib/systemd/system/havp.service ] && rm /lib/systemd/system/havp.service && echo -n "4, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "5, " |
userdel -r havp 2>/dev/null ; echo -n "6" |
else echo -n "already uninstalled" |
fi |
echo -en "(2) : " |
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "1, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "2" |
} |
tinyproxy () |
{ |
echo -en "(3) : " |
if [ -e /etc/init.d/tinyproxy ] |
then |
[ -e /etc/tinyproxy/tinyproxy.conf.default ] && mv /etc/tinyproxy/tinyproxy.conf.default /etc/tinyproxy/tinyproxy.conf && echo -n "1, " |
[ -d /run/tinyproxy ] && rm -rf /run/tinyproxy && echo -n "2, " |
userdel -r tinyproxy 2>/dev/null && echo -n "3" |
else echo -n "already uninstalled" |
fi |
} |
ulogd () |
{ |
echo -en "(6) : " |
294,7 → 275,7 |
echo "----------------------------------------------------------------------------" |
echo "** Uninstall/Désinstallation d'ALCASAR **" |
echo "----------------------------------------------------------------------------" |
services="alcasar-load_balancing vnstat havp clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli" |
services="alcasar-load_balancing vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli" |
/usr/local/bin/alcasar-logout.sh all # logout everybody |
else |
echo "--------------------------------------------------------------------------" |
301,7 → 282,7 |
echo "** update/mise à jour d'ALCASAR **" |
echo "--------------------------------------------------------------------------" |
# unbound, iptables & sshd should stay on to allow remote update |
services="alcasar-load_balancing vnstat havp clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli" |
services="alcasar-load_balancing vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli" |
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update |
fi |
335,7 → 316,7 |
/usr/bin/systemctl reload sshd |
fi |
echo "Reset ALCASAR main functions : " |
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat unbound dnsmasq dhcpd cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat unbound dnsmasq dhcpd cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
echo -en "\n- $func " |
$func |
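Review bot: Removing `tinyproxy()` and the HAVP branch of `antivirus()` means an update from a release that still shipped HAVP and Tinyproxy is no longer cleaned up: `havp` and `tinyproxy` have been dropped from both `services` lists, so they are not stopped before the update, and the reset loop no longer runs anything that removes `havp.service`, the `havp`/`tinyproxy` accounts or their configs, which presumably leaves a still-enabled proxy service listening on upgraded systems. If the update path goes through this script, consider keeping a one-off cleanup guarded by the existence checks the old code already had, e.g. `[ -e /lib/systemd/system/havp.service ] && rm /lib/systemd/system/havp.service` and `userdel -r tinyproxy 2>/dev/null`, possibly in `antivirus()` or a dedicated legacy step. The update/uninstall branch that sets `services` starts outside the hunks shown.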
/scripts/alcasar-urpmi.sh |
17,7 → 17,7 |
# (old) perl-Socket6 : needed by nfsen |
# "fonts-dejavu-common" & "fonts-ttf-dejavu" : fonts needed by wkhtmltopdf |
# "lsscsi" & nvme-cli" : needed by phpsysinfo |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamav fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch tinyproxy vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli" |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli" |
rpm_repository_sync () |
{ |
/web/acc/admin/services.php |
25,12 → 25,11 |
$l_lighttpd = "Serveur WEB (Alcasar Control Center)"; |
$l_sshd = "Accès sécurisée distant"; |
$l_clamav_freshclam = "Mise à jour de l'antivirus (toutes les 4 heures)"; |
$l_clamav_daemon = "Antimalware"; |
$l_ntpd = "Service de mise à l'heure réseau"; |
$l_fail2ban = "Détecteur d'intrusion"; |
$l_nfcapd = "Collecteur de flux NetFlow"; |
$l_vnstat = "Grapheur de flux réseau"; |
$l_havp = "Proxy Antivirus"; |
$l_tinyproxy = "Proxy HTTP léger"; |
$l_unbound = "Serveur DNS principal"; |
$l_unbound_blacklist = "Serveur DNS pour la Blacklist"; |
$l_unbound_whitelist = "Serveur DNS pour la Whitelist"; |
64,12 → 63,11 |
$l_lighttpd = "WEB server (ALCASAR Control Center)"; |
$l_sshd = "Secure remote access"; |
$l_clamav_freshclam = "Antivirus update process (every 4 hours)"; |
$l_clamav_daemon= "Antimalware"; |
$l_ntpd = "Network time server"; |
$l_fail2ban = "Intrusion Dectection System"; |
$l_nfcapd = "Netflow collector"; |
$l_vnstat = "Network grapher"; |
$l_havp = "Antivirus Proxy"; |
$l_tinyproxy = "Light HTTP Proxy"; |
$l_unbound = "Main DNS server"; |
$l_unbound_blacklist = "Blacklist DNS server"; |
$l_unbound_whitelist = "Whitelist DNS server"; |
137,7 → 135,7 |
//------------------------------- |
// Actions on services |
//------------------------------- |
$autorizeService = array("radiusd","chilli","mysqld","lighttpd","unbound-forward","ulogd-ssh","ulogd-ext-access","ulogd-traceability","unbound-blacklist","unbound-whitelist","dnsmasq-whitelist","unbound-blackhole","e2guardian","havp","tinyproxy","clamav-freshclam","sshd","ntpd","fail2ban","nfcapd","vnstat"); |
$autorizeService = array("radiusd","chilli","mysqld","lighttpd","unbound-forward","ulogd-ssh","ulogd-ext-access","ulogd-traceability","unbound-blacklist","unbound-whitelist","dnsmasq-whitelist","unbound-blackhole","e2guardian","clamav-daemon","clamav-freshclam","sshd","ntpd","fail2ban","nfcapd","vnstat"); |
$autorizeAction = array("start","stop","restart"); |
if (isset($_GET['service'])&&(in_array($_GET['service'], $autorizeService))) { |
182,8 → 180,7 |
$FilterServiceStatus['dnsmasq_whitelist'] = checkServiceStatus("dnsmasq-whitelist"); |
$FilterServiceStatus['unbound_blackhole'] = checkServiceStatus("unbound-blackhole"); |
$FilterServiceStatus['e2guardian'] = checkServiceStatus("e2guardian"); |
$FilterServiceStatus['havp'] = checkServiceStatus("havp"); |
$FilterServiceStatus['tinyproxy'] = checkServiceStatus("tinyproxy"); |
$FilterServiceStatus['clamav_daemon'] = checkServiceStatus("clamav-daemon"); |
$FilterServiceStatus['clamav_freshclam'] = checkServiceStatus("clamav-freshclam"); |
$OptServiceStatus = array(); |