Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1154 → Rev 1157

/scripts/sbin/alcasar-uninstall.sh
15,7 → 15,7
echo "-----------------------------------------------------------------------------"
echo
#services_stop
for i in squid ntpd iptables ulogd dansguardian chilli httpd radiusd freshclam havp dnsmasq mysqld named dhcpd nfsen
for i in squid ntpd iptables ulogd dansguardian chilli httpd radiusd freshclam havp dnsmasq mysqld named dhcpd
do
[ -e /etc/init.d/$i ] && /sbin/chkconfig --del $i && /etc/init.d/$i stop && killall $i 2>/dev/null
done
132,6 → 132,11
fi
sleep 1
 
#awstats
echo -en "\n- awstats(1) : "
[ -e /etc/awstats/awstats.conf.default ] && mv /etc/awstats/awstats.conf.default /etc/awstats/awstats.conf && echo -n "1"
sleep 1
 
#DnsMasq
echo -en "\n- dnsmasq(4) : "
if [ -e /etc/init.d/dnsmasq ]
172,6 → 177,7
[ -e /etc/cron.d/alcasar-clean_log ] && rm -f /etc/cron.d/alcasar-clean_log && echo -n "5, "
[ -e /etc/cron.d/alcasar-clean_import ] && rm -f /etc/cron.d/alcasar-clean_import && echo -n "6, "
[ -e /etc/cron.d/alcasar-distrib-updates ] && rm -f /etc/cron.d/alcasar-distrib-updates && echo -n "7, "
[ -e /etc/cron.d/awstats ] && rm -f /etc/cron.d/awstats && echo -n "8, "
[ -e /etc/cron.d/freeradius-web ] && rm -f /etc/cron.d/freeradius-web && echo -n "9, "
[ -e /etc/cron.d/alcasar-watchdog ] && rm -f /etc/cron.d/alcasar-watchdog && echo -n "10"
rm -f /etc/cron.d/coova /etc/cron.d/alcasar-bl_download
219,4 → 225,4
echo
 
# suppression des exceptions de mises à jours ( coova-chilli et freeradius)
sed -i '/coova.*/d' /etc/urpmi/skip.list
sed -i '/coova.*/d' /etc/urpmi/skip.list
/scripts/sbin/alcasar-dhcp.sh
67,7 → 67,7
$SED "s?^DHCP.*?DHCP=off?g" $ALCASAR_CONF_FILE
if [ "$EXT_DHCP_IP" != "none" ]
then
$SED "s?.*dhcpgateway\t.*?dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?.*dhcpgateway\t.*?dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?.*dhcprelayagent.*?dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?.*dhcpgatewayport.*?dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
else
84,7 → 84,7
$SED "s?^dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
$SED "s?^EXT_DHCP_IP.*?EXT_DHCP_IP=none?g" $ALCASAR_CONF_FILE
99,7 → 99,7
$SED "s?^dynip.*?dynip\t\t$PRIVATE_DYN_IP?g" $CHILLI_CONF_FILE
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_DYN_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcpgateway\t.*?#dhcpgateway\t\t $EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
$SED "s?^EXT_DHCP_IP.*?EXT_DHCP_IP=none?g" $ALCASAR_CONF_FILE
/scripts/alcasar-watchdog.sh
4,7 → 4,6
# alcasar-watchdog.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# Ce script prévient les usagers de l'indisponibilité de l'accès Internet
# il déconnecte les usagers dont
# - les équipements réseau ne répondent plus
12,7 → 11,7
# This script tells users that Internet access is down
# it logs out users whose
# - PCs are quiet
# - MAC address are in used by other systems (usurped)
# - MAC address is used by other systems (usurped)
 
EXTIF="eth0"
INTIF="eth1"
19,7 → 18,8
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1` # @ip du portail (côté LAN)
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}
tmp_file="/tmp/watchdog.txt"
DIR_WEB="/var/www/html"
Index_Page="$DIR_WEB/index.php"
27,7 → 27,7
IFS=$'\n'
 
function lan_down_alert ()
# users are redirected on ALCASAR IP address if LAN Pb detected
# users are redirected on ALCASAR IP address if a LAN problem is detected
{
case $LAN_DOWN in
"1")
42,7 → 42,7
;;
esac
net_pb=`cat /etc/dnsmasq.conf|grep "address=/#/"|wc -l`
if [ $net_pb = "0" ] # on alerte les usagers (si ce n'est pas déjà le cas).
if [ $net_pb = "0" ] # user alert
then
/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page
/bin/sed -i "s?^conf-dir=.*?address=\/#\/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf
123,7 → 123,7
done
rm $tmp_file
fi
# on traite chaque équipements connus de chilli
# process each equipment known by chilli
for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
do
active_ip=`echo $system |cut -d" " -f2`
130,16 → 130,20
active_session=`echo $system |cut -d" " -f5`
active_mac=`echo $system | cut -d" " -f1`
active_user=`echo $system |cut -d" " -f6`
# on ne traite que les équipements exploitées par un usager authentifié (test de 2 réponses en 4 secondes)
# process only equipment with an authenticated user
if [[ $(expr $active_session) -eq 1 ]]
then
then
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l`
# on stocke les adresses IP des stations muettes
# store @IP of quiet equipments
if [[ $(expr $arp_reply) -eq 0 ]]
then
echo "$active_ip $active_mac $active_user" >> $tmp_file
PTN='^[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]]$'
if [[ $(expr $active_user : $PTN) -eq 0 ]] # don't process @mac auth equipments
then
echo "$active_ip $active_mac $active_user" >> $tmp_file
fi
fi
# on deconnecte l'usager d'une stations usurpée (@MAC)
# disconnect users whose equipement is usurped (@MAC)
if [[ $(expr $arp_reply) -gt 2 ]]
then
echo "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/logs/security/watchdog.log
/scripts/alcasar-archive.sh
6,12 → 6,12
# This script is distributed under the Gnu General Public License (GPL)
 
# Script permettant
# - d'exporter les logs de traçabilités et la base des usagers à des fins d'archivages.
# - d'exporter dans un seul fichier les logs de traçabilités et la base des usagers (à des fins d'archivages).
# - Une fonction de chiffrement des logs a été implémentée dans ce script. Lisez la documentation d'exploitation pour l'activer.
# - nettoyage des archives supérieures à 1 an (365 jours)
 
# This script allows
# - export log files and user's base in order to archive them.
# - export in one file the log files and user's base (in order to archive them).
# - a cypher fonction allows to protect these files. Read the exploit documentation to enable it.
# - delete backup files older than one year (365 days)
 
27,7 → 27,7
EXPIRE_DAY=365 # Nbre de jour avant suppression des fichiers journaux
CRYPT="0" # chiffrement des logs ( 0=non / 1=oui --> Signature = 1(implicite))
SIGN="0" # Signature/empreinte des logs ( 0=non / 1=oui ) ATTENTION : nécessite la clé privée !!!
GPG_USER="OSSI-CIRISI-Lyon" # utilisateur autorisé à déchiffrer les logs. Sa clé publique doit être connu dans le portefeuille gnupg de root (/root/.gnupg)
GPG_USER="" # utilisateur autorisé à déchiffrer les logs. Sa clé publique doit être connu dans le portefeuille gnupg de root (/root/.gnupg)
 
usage="Usage: alcasar-archive.sh {--clean or -c} | {--now or -n}"
 
90,15 → 90,12
}
fi
rm -rf /tmp/archive-*
chown apache:apache $TO_SAVE/
chown root:apache $DIR_ARCHIVE/*
;;
--update | -u)
# Mise à niveau de l'architecture d'export/archivage
[ -d /tmp/save ] || mkdir -p /tmp/save
[ -d $DIR_ARCHIVE/ ] || mkdir -p $DIR_ARCHIVE/ # utile une seule fois mais crée le répertoire si nécessaire
# copie de l'archive au cas où ...
rm -f $(ls *[0-9]) # effacer les fichiers n'ayant pas été compressés
mv $TO_SAVE/firewall/tracabilite-* $DIR_ARCHIVE/.
;;
*)
echo "Unknown argument :$1";
/scripts/alcasar-iptables-bypass.sh
72,10 → 72,9
if [ $SSH = on ]
then
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
fi
 
# Insertion de règles locales
/scripts/alcasar-iptables.sh
45,9 → 45,6
TUNIF="tun0" # listen device for chilli daemon
IPTABLES="/sbin/iptables"
 
#lancement du module kernel ipt_NETFLOW (module iptables)
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 
# Effacement des règles existantes
# Flush all existing rules
$IPTABLES -F
135,7 → 132,6
 
# On autorise les retours de connexions légitimes par INPUT
# Conntrack on INPUT
#$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j NETFLOW
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
158,8 → 154,6
fi
# Autorisation des connexions légitimes à DansGuardian
# Allow connections for DansGuardian
#Flux netflow des requêtes HTTP à destination de DansGuardian
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -j NETFLOW
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
 
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
255,6 → 249,7
#fi
 
# Autorisation des retours de connexions légitimes
# Allow conntrack
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# If protocols filter is activate
266,7 → 261,6
while read ip_exception
do
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
done < /usr/local/etc/alcasar-filter-exceptions
fi
278,7 → 272,6
do
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
done < /usr/local/etc/alcasar-uamallowed
fi
293,15 → 286,11
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
then
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
else
 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
fi
fi
322,19 → 311,18
# Autorisation des connections sortant du LAN
# Allow forward connections with log
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 
#############################
# OUTPUT #
#############################
# SSHD rules if activate
if [ $SSH = on ]
then
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
fi
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
# Everything is allowed but traffic through outside network interface
 
# On autorise les retours de connexions légitimes par OUTPUT
# Conntrack on OUTPUT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# On laisse tout sortir sur INTIF
# Everything is allowed only on INTIF
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 
# On autorise les requêtes DNS vers les serveurs DNS identifiés
343,7 → 331,6
 
# On autorise les requêtes HTTP sortantes
# HTTP requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
 
# On autorise les requêtes FTP
350,7 → 337,6
# FTP requests are allowed
modprobe ip_conntrack_ftp
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# On autorise les requêtes NTP
# NTP requests are allowed
370,7 → 356,6
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
fi
 
 
#############################
# POSTROUTING #
#############################
/scripts/alcasar-conf.sh
386,6 → 386,8
$SED "s?^\$organisme = .*?\$organisme = \"$ORGANISME\";?g" /var/www/html/intercept.php /var/www/html/status.php
# dhcp (coova + dnsmasq)
$DIR_SBIN/alcasar-dhcp.sh -$DHCP_mode
# awstat
$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf
# dnsmasq
$SED "/127.0.0.1/!s?^listen-address=.*?listen-address=$PRIVATE_IP?g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf
for i in /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf
/scripts/alcasar-urpmi.sh
12,7 → 12,8
VERSION="2"
ARCH="i586"
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
PACKAGES="sudo freeradius freeradius-mysql freeradius-ldap freeradius-web apache-mpm-prefork apache-mod_ssl apache-mod_php iptables squid dansguardian postfix mariadb logwatch ntp bind-utils openssh-server php-xml php-ldap php-mysql pam_ccreds rng-utils dnsmasq syslinux rsync cronie-anacron clamav pm-fallback-policy php-mbstring perl-rrdtool perl-MailTools perl-Socket6 php-sockets kernel-desktop-3.4.45-1.mga2-1-1.mga2"
PACKAGES="sudo freeradius freeradius-mysql freeradius-ldap freeradius-web apache-mpm-prefork apache-mod_ssl apache-mod_php iptables squid dansguardian postfix mariadb logwatch ntp awstats bind-utils openssh-server php-xml php-ldap php-mysql pam_ccreds rng-utils dnsmasq syslinux rsync cronie-anacron clamav pm-fallback-policy php-mbstring"
 
rpm_repository_sync ()
{
cat <<EOF > /etc/urpmi/urpmi.cfg
227,20 → 228,4
[ -e /tmp/chilli.conf ] && mv /tmp/chilli.conf /etc/
# Clean the RPM cache
urpmi --clean
 
#Keep only kernel-desktop-3.4.45-1.mga2-1-1.mga2 version, and remove all others
kernelVersion=$(rpm -qa | grep "kernel-desktop")
for i in $kernelVersion
do
if [ ! $i = "kernel-desktop-3.4.45-1.mga2-1-1.mga2" ];then
urpme $i
fi
done
 
#Fix the kernel version to : kernel-desktop-3.4.45-1.mga2-1-1.mga2
echo "/^kernel-desktop/" > /etc/urpmi/skip.list
 
#update tht kernel modules list
depmod -a
 
exit 0