Ignore whitespace Rev 785 → Rev 786

/alcasar.sh
1143,7 → 1143,7
$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq
$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq
# Optionnellement on active les logs DNS des clients --> traiter les uninstall et update
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.conf.default
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
$SED "s?^OPTIONS=.*?OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
} # End dnsmasq
 
1189,8 → 1189,7
chown -R root:apache $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
# On fait pointer le black-hole sur une page interne
$SED "s?^IP_RETOUR=.*?IP_RETOUR=\"$PRIVATE_IP\"?g" $DIR_DEST_SBIN/alcasar-bl.sh
# On récupère la dernière version de la BL Toulouse et on l'adapte à notre structure
$DIR_DEST_SBIN/alcasar-bl.sh --download
# On adapte la BL de Toulouse à notre structure
if [ "$mode" != "update" ]; then
$DIR_DEST_SBIN/alcasar-bl.sh --adapt
fi
1312,7 → 1311,7
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
echo "QOS=off" >> $CONF_FILE
echo "LDAP=off" >> $CONF_FILE
echo "LDAP_IP=0.0.0.0" >> $CONF_FILE
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
echo "DNS_FILTERING=off" >> $CONF_FILE
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
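Review bot: In the 1189 hunk, dropping `alcasar-bl.sh --download` means `--adapt` now works from whatever blacklist ships with the installer, which in this same revision appears to be the newly added /conf/blacklists.tar.gz, yet nothing here verifies that archive before it is unpacked even though /conf/blacklist-MD5SUM.lst is added beside it. A sum list that travels in the same tree as the tarball only catches accidental corruption, not substitution, and MD5 is not a credible integrity primitive where an attacker can choose the file; pinning a SHA-256 (or a signature) of the bundled archive in the install script would be the stronger check. Also note that in `update` mode neither download nor adapt runs, so an updated box keeps its existing blacklist until someone refreshes it by hand — if that is intended, say so: `# update mode: keep the installed blacklist; refresh it later with alcasar-bl.sh --download`. The installer function containing these lines starts and ends outside the hunk.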
/conf/blacklist-MD5SUM.lst
0,0 → 1,50
a3e1cac5fdf8e96e1e727a8ff494b10b adult.tar.gz
b8fc5d6dadfa5caeb6ec174016ee4594 agressif.tar.gz
33d0e6808086dc7704356023b18f3367 arjel.tar.gz
ac90cd0faf4b85b2d43b4cedb612c40e astrology.tar.gz
1c6baad8fc2bfbbcd7408c9d7af29fb9 audio-video.tar.gz
3c33a9d64d4e1352ffa59e67ed818f43 bank.tar.gz
7f362c9150c0054088fd1f0a60460c65 blacklists.tar.gz
111d6378f4af57661efdc9c2ae0cc5a1 blog.tar.gz
d1984e28be5bef9202221f7a346f2d50 celebrity.tar.gz
fb236c17a727c5571f76f42d4ce436da chat.tar.gz
3cfaf51762fd333099ab51a4ab9bc63f child.tar.gz
7aa5132bcf853810a50366ce2a4d0b5e cleaning.tar.gz
67adb3d6053b52120526bd3da73b89f3 cooking.tar.gz
b88a31674ef2390ea4e608ee6f63e6bd dangerous_material.tar.gz
12dab5d97086862fc7c2a71b69f3ba40 dating.tar.gz
7876aaf053dfdff2f1bc8d3330402d46 domains.tar.gz
70c218cc7b25f6ed5e75aefd02312583 drogue.tar.gz
a6bea4d1257ae9519195927fc4353361 filehosting.tar.gz
afc57c7a188ad2979509bacdbd6e94f8 financial.tar.gz
6aeb2264718c862935371bdabf380c5f forums.tar.gz
66f10dd65eb1b6137f973aea8de1024d gambling.tar.gz
31d7a8b28f96a2811cb497b349d34492 games.tar.gz
6b3da621eff0329fe0dee00a5db78d6a global_usage
0f3176be383b9af2d5c66ae93130b32f hacking.tar.gz
88d8268285045e5e08f064adffaa6009 jobsearch.tar.gz
225c711ac1696f88664fee7d2d503a2e liste_bu.tar.gz
8e2a3448f439101a601c9aabe88fdaef malware.tar.gz
f1dcceb4525efd80420cadcc231f8603 manga.tar.gz
5124297ba90edd10bfb5bccfdfc73e02 marketingware.tar.gz
b92db4dea1d10e060e2d047cb389489a mixed_adult.tar.gz
920eaf2c2efa621595b01e429aec9eb8 mobile-phone.tar.gz
99e7f5b654c08391769e836cafc0471a phishing.tar.gz
a27ce2cdaa2180da6f077753aa0c028a press.tar.gz
8077e32c096d53c890359c99b2d35040 publicite.tar.gz
6b5961a9a8a9f2ee8e2d374a38e49068 radio.tar.gz
c3892926db5da37da1450cdf4a3a2662 README
58ecdb9423af4412fb929996b7e83ae0 reaffected.tar.gz
25d07e4ebe1cd37f8c48efc6522c1d30 redirector.tar.gz
106f04531e03bd7084c8d8be6e5edcbe remote-control.tar.gz
fdf43aea4dc34c27165a5bed4617184f sect.tar.gz
5f8a8f141fb132dffe952987bc799613 sexual_education.tar.gz
991c54cadeaaa29bd14af19f19b0c177 shopping.tar.gz
6cfef22b0af602e7c1b19ef2a42918c0 social_networks.tar.gz
5518d699f40f45d89f46508ac2b298ce sports.tar.gz
11e24ae876cd606c9aab11f5b108145c strict_redirector.tar.gz
f179ee926aedb1064a916d4b079e1c56 strong_redirector.tar.gz
16b2504f88866f07f905a6afe5d65b4f tricheur.tar.gz
351bc756bd5e9d871299eabf43021cb1 verisign.tar.gz
3d3bbae06d7b76eb8a413a1dc15ba2a5 warez.tar.gz
a3d546dcebdb44320bc412b297c740ac webmail.tar.gz
/conf/blacklists.tar.gz
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
/CHANGELOG
2,6 → 2,7
 
************ CHANGELOG ***********
---- svn ----
- Bug : watchdog release the ip address of macallowed equipment (insteed of logout the user)
- Bug : reading of alcasar.conf file parameters more securely
- Bug : don't download RPMs twice
- Bug : allow connexion to an LDAP server on WAN side
13,7 → 14,9
- Core : Authenticate user on Mysql when LDAP server is down
- Core : import users via text file with or without password
- Security : The 8080 (TCP) and 53 (UDP) ports are now hidden on Lan side
- Install : control eth0 config on startup
- Install : control eth0 config on startup (no dhcp)
- Install : don't dowload the last BL version
 
---- 2.4 ----
- Bug : some minor bugs (log rotate, intercept page, squid, ...)
- Bug : ACC - correction of the Internet connectivity test flag
/scripts/alcasar-iptables.sh
146,13 → 146,13
 
# Accès direct aux services internes
# Internal services access
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blackhole
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT # Requête ping # ping request
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Réponse ping # ping reply
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blackhole
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
 
# SSHD rules if activate
if [ $SSH = on ]
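Review bot: The two ICMP comments on the new side are swapped: the rule for `--icmp-type 8` is labelled "Réponse ping # ping responce" and the rule for `--icmp-type 0` "Requête ping # ping request", while type 8 is the echo request and type 0 the echo reply, exactly as the removed lines had it. Because the type-8 rule is the one newly enabled to let LAN hosts ping `$PRIVATE_IP`, a wrong label will mislead whoever next audits what the gateway answers on the tunnel interface. Suggested lines: `... -p icmp --icmp-type 8 -j ACCEPT # Requête ping # ping request` and `... -p icmp --icmp-type 0 -j ACCEPT # Réponse ping # ping reply`. Adding `-d $PRIVATE_IP` to the request rule is an improvement over the commented-out original; the `if [ $SSH = on ]` block at the end continues outside the hunk.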
/scripts/alcasar-watchdog.sh
16,7 → 16,11
 
EXTIF="eth0"
INTIF="eth1"
PRIVATE_IP="192.168.182.1"
macallowed_file="/usr/local/etc/alcasar-macallowed"
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
tmp_file="/tmp/watchdog.txt"
DIR_WEB="/var/www/html"
Index_Page="$DIR_WEB/index.php"
109,8 → 113,15
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip|grep response|cut -d" " -f2`
if [[ $(expr $arp_reply) -eq 0 ]]
then
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user."
/usr/sbin/chilli_query logout $noresponse_mac
mac_allowed=`cat $macallowed_file |grep $noresponse_mac | wc -l`
if [ $mac_allowed -eq 0 ]
then
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user."
/usr/sbin/chilli_query logout $noresponse_mac
else
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac - macallowed) can't be contact. Alcasar release the IP address"
/usr/sbin/chilli_query dhcp-release $noresponse_mac
fi
fi
done
rm $tmp_file
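Review bot: In the second hunk, `mac_allowed=`cat $macallowed_file |grep $noresponse_mac | wc -l`` uses `$noresponse_mac` unquoted as a regex; if it is ever empty (the parsing that fills it is outside the hunk), `grep ''` matches every line, `mac_allowed` is non-zero, and the watchdog takes the permissive branch — releasing the lease instead of logging the user out. Substring matching also means any line merely containing the address counts, and a case difference between what chilli_query reports and what is written in `alcasar-macallowed` would be missed; worth confirming which case each side uses. A quoted fixed-string test is safer and drops the `cat | grep | wc` pipeline: `if [[ -n "$noresponse_mac" ]] && grep -qF -- "$noresponse_mac" "$macallowed_file"; then` (add `-i` only if the two sources can differ in case). The loop this sits in starts before the hunk; only its `done` is visible.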