6,11 → 6,11 |
# This script is distributed under the Gnu General Public License (GPL) |
# Ce script prévient les usagers de l'indisponibilité de l'accès Internet |
# il déconnecte les usagers dont |
# - les équipements réseau ne répondent plus |
# - les équipements réseau ne répondent plus ( si la fenetre status.php a été fermé. Les autorisations par adresse mac sont laissé de côté) |
# - les adresses MAC sont usurpées |
# This script tells users that Internet access is down |
# it logs out users whose |
# - PCs are quiet |
# - PCs are quiet (it means that status.php has been closed. We put aside @MAC Authorization ) |
# - MAC address is used by other systems (usurped) |
|
CONF_FILE="/usr/local/etc/alcasar.conf" |
21,6 → 21,7 |
PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1` # @ip du portail (côté LAN) |
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1} |
tmp_file="/tmp/watchdog.txt" |
tmp_users_file="/tmp/current_users.txt" |
DIR_WEB="/var/www/html" |
Index_Page="$DIR_WEB/index.php" |
IPTABLES="/sbin/iptables" |
104,7 → 105,7 |
;; |
*) |
lan_test |
# read file that contains IP address of quiet equipments |
# read file that contains IP address of user who are not in $tmp_users_file (its means that status.php has been closed) |
if [ -e $tmp_file ]; then |
cat $tmp_file | while read noresponse |
do |
111,21 → 112,59 |
noresponse_ip=`echo $noresponse | cut -d" " -f1` |
noresponse_mac=`echo $noresponse | cut -d" " -f2` |
noresponse_user=`echo $noresponse | cut -d" " -f3` |
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip|grep "Unicast reply"|wc -l` |
if [[ $(expr $arp_reply) -eq 0 ]] |
then |
#on vide les ip inactifs de l'ipset not_auth_yet |
ipset del not_auth_yet $noresponse_ip |
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)." |
/usr/sbin/chilli_query logout $noresponse_mac |
if [[ $noresponse_user == $noresponse_mac ]] # for @mac auth equipments, we must remove the arp entry |
then /usr/sbin/chilli_query dhcp-release $noresponse_mac |
data_user=$(/usr/sbin/chilli_query list | grep -v "\.0\.0\.0" | awk '$5 == 1' | grep $noresponse_ip) |
if [ $(echo $data_users | wc -l) -eq 1 ] #if it still connected ... |
then |
if [[ $noresponse_user == $noresponse_mac ]] #we let @mac auth equipments connected |
then |
#/usr/sbin/chilli_query dhcp-release $noresponse_mac # for @mac auth equipments, we must remove the arp entry |
echo "MAC authentification : $noresponse_mac (keep on connection)" |
else #we disconnect user because status.php has been closed |
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)." |
echo "Disconnect : $noresponse_ip $noresponse_mac $noresponse_user" |
/usr/sbin/chilli_query logout $noresponse_mac |
fi |
fi |
|
done |
rm $tmp_file |
if [ -e $tmp_users_file ]; then |
rm $tmp_users_file |
fi |
|
fi |
# process each equipment known by chilli |
|
#this temporary file contains every 'user IP address' which are connected to ALCASAR (status.php still open) |
if [ -e $tmp_users_file ]; then |
|
for ip_user in $(cat $tmp_users_file) |
do |
#Check if user is still connected |
data_user=$(/usr/sbin/chilli_query list | grep -v "\.0\.0\.0" | awk '$5 == 1' | grep $ip_user) |
if [ $(echo $data_users | wc -l) -eq 0 ] #if user not in the file $tmp_users_file (it means that status.php has been closed) |
then |
#save info in tmp_file |
active_ip=`echo $data_user |cut -d" " -f2` |
active_mac=`echo $data_user | cut -d" " -f1` |
active_user=`echo $data_user |cut -d" " -f6` |
|
echo "$active_ip $active_mac $active_user" >> $tmp_file #save info for next time, user will be disconnected. |
fi |
done |
rm $tmp_users_file |
else |
for system in $(/usr/sbin/chilli_query list |grep -v "\.0\.0\.0" | awk '$5 == 1') |
do |
#disconnect all users |
active_ip=`echo $system |cut -d" " -f2` |
active_mac=`echo $system | cut -d" " -f1` |
active_user=`echo $system |cut -d" " -f6` |
echo "$active_ip $active_mac $active_user" >> $tmp_file |
done |
fi |
|
|
# process each equipment known by chilli to check if any equipment is usurped (@MAC) |
for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"` |
do |
active_ip=`echo $system |cut -d" " -f2` |
132,17 → 171,11 |
active_session=`echo $system |cut -d" " -f5` |
active_mac=`echo $system | cut -d" " -f1` |
active_user=`echo $system |cut -d" " -f6` |
# process only equipment with an authenticated user |
# process only equipment with an authenticated user |
if [[ $(expr $active_session) -eq 1 ]] |
then |
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l` |
# store @IP of quiet equipments |
if [[ $(expr $arp_reply) -eq 0 ]] |
then |
echo "$active_ip $active_mac $active_user" >> $tmp_file |
|
fi |
# disconnect users whose equipement is usurped (@MAC) |
# disconnect users whose equipement is usurped (@MAC). For example, if there are 2 same @MAC it will make 3 lines in output. |
if [[ $(expr $arp_reply) -gt 2 ]] |
then |
echo "$(date "+[%x-%X] : ")alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log |