| /scripts/alcasar-daemon.sh |
|---|
| 10,7 → 10,7 |
| conf_file="/usr/local/etc/alcasar.conf" |
| SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
| SSH=${SSH:=off} |
| SERVICE="sshd dnsmasq httpd chilli radiusd mysqld dansguardian dnsmasq havp freshclam ntpd squid master squid" |
| SERVICE="sshd dnsmasq httpd chilli radiusd mysqld dansguardian dnsmasq havp havp2 freshclam ntpd squid master squid" |
| function ServiceTest () { |
| CMD=`pidof $s` |
| /scripts/alcasar-iptables.sh |
|---|
| 30,6 → 30,7 |
| BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
| BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty |
| WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist |
| DNSMASQ_WL_ENABLED="/usr/local/share/dnsmasq-wl-enabled" # enabled domain names for the Whitelist |
| TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
| TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
| QOS=`grep ^QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
| 92,13 → 93,12 |
| # Calcul de la taille du set de la blacklist |
| # Compute the blacklist set length |
| cd $BL_IP_CAT |
| set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
| bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
| # Création du fichier set temporaire, remplissage, chargement et suppression |
| # Creating the temporary set file, filling, loading and deleting |
| echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save |
| for category in `ls -1 | cut -d '@' -f1` |
| echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save |
| for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1` |
| do |
| cat $BL_IP_CAT/$category >> $TMP_set_save |
| done |
| 113,9 → 113,13 |
| ipset del blacklist_ip_blocked $ip |
| done |
| # Calcul de la taille du set de la whitelist |
| # Compute the whitelist set length |
| wl_set_length=$(($(wc -l $DNSMASQ_WL_ENABLED/* | awk '{print $1}' | tail -n 1)*3)) |
| # Création du fichier set temporaire, remplissage, chargement et suppression |
| # Creating the temporary set file, filling, loading and deleting |
| echo "create whitelist_ip_allowed hash:net family inet hashsize 1024" > $TMP_set_save |
| echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save |
| cat $WL_IP_OSSI >> $TMP_set_save |
| ipset -! restore < $TMP_set_save |
| rm -f $TMP_set_save |
| 158,18 → 162,22 |
| # Mark (and log) the 8091 direct attempts to REJECT them in INPUT rules |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 5 |
| # Aiguillage des flux DNS |
| # Switching DNS streams |
| # havp_bl_set --> redirection vers le port 54 |
| # havp_bl_set --> redirect to port 54 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
| # havp_wl_set --> redirection vers le port 55 |
| # havp_wl_set --> redirect to port 55 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55 |
| # Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set |
| # Redirect outbound HTTP requests from blacklist IP to ALCASAR ('access denied' page) for the set havp_bl_set |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
| # Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set |
| # Redirect outbound HTTP requests from IP which are not in the whitelist to ALCASAR ('access denied' page) for the set havp_wl_set |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
| # Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
| ## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
| 286,7 → 294,7 |
| $IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
| $IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
| # interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
| # Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
| # Reject INTIF access (only when chilli is down) |
| $IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT " |
| $IPTABLES -A INPUT -i $INTIF -j REJECT |
| /scripts/sbin/alcasar-havp.sh |
|---|
| File deleted |
| Property changes: |
| Deleted: svn:eol-style |
| -LF |
| \ No newline at end of property |
| Deleted: svn:executable |
| -* |
| \ No newline at end of property |
| Deleted: svn:keywords |
| -Id Author Date |
| \ No newline at end of property |
| /scripts/sbin/alcasar-bl.sh |
|---|
| 38,18 → 38,23 |
| # enable/disable the BL & WL categories |
| function cat_choice (){ |
| # saving ip files and ossi category |
| # saving ossi category |
| mkdir $DIR_tmp |
| if [ $(find $DIR_IP_BL_ENABLED -name "ossi-*" | wc -l) -ne 0 ] |
| cp $DIR_IP_BL/ossi $DIR_tmp |
| if [ -d $DIR_IP_BL_ENABLED ] |
| then |
| cp $DIR_IP_BL_ENABLED/ossi-* $DIR_tmp |
| for file in `ls -1 $DIR_IP_BL_ENABLED | grep -v "^ossi-*"` |
| do |
| rm -f $DIR_IP_BL_ENABLED/$file |
| done |
| else |
| mkdir $DIR_IP_BL_ENABLED |
| chown apache $DIR_IP_BL_ENABLED |
| fi |
| cp $DIR_IP_BL/ossi $DIR_tmp |
| rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED # cleaning for dnsmasq and iptables |
| rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED # cleaning for dnsmasq and iptables |
| $SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG |
| $SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines) |
| mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED |
| chown apache $DIR_IP_BL_ENABLED |
| mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED |
| # process the file $BL_CATEGORIES with the choice of categories |
| for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED` |
| do |
| 74,10 → 79,6 |
| # restoring ip files and ossi category |
| mv $DIR_tmp/ossi $DIR_IP_BL |
| chown apache $DIR_IP_BL/ossi |
| if [ $(find $DIR_tmp -name "ossi-*" | wc -l) -ne 0 ] |
| then |
| mv $DIR_tmp/ossi-* $DIR_IP_BL_ENABLED |
| fi |
| rm -rf $DIR_tmp |
| } |
| function bl_enable (){ |
| /scripts/sbin/alcasar-uninstall.sh |
|---|
| 107,14 → 107,16 |
| sleep 1 |
| #antivirus |
| echo -en "\n- antivirus(4) : " |
| echo -en "\n- antivirus(6) : " |
| if [ -e /etc/init.d/havp ] |
| then |
| [ -e /etc/havp/havp.config.default ] && mv /etc/havp/havp.config.default /etc/havp/havp.config && echo -n "1, " |
| userdel -r havp 2>/dev/null && echo -n "2, " |
| [ -e /etc/havp/havp2.config ] && rm -f /etc/havp/havp2.config && echo -n "2, " |
| userdel -r havp 2>/dev/null && echo -n "3, " |
| [ `grep havp /etc/fstab|wc -l` -ne "0" ] && $SED "/havp/d" /etc/fstab # anciennes versions (mémoire tampon sur disque) |
| [ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "3, " |
| [ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "4" |
| [ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "4, " |
| [ -e /etc/init.d/havp2 ] && rm -f /etc/init.d/havp2 && echo -n "5, " |
| [ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "6" |
| else echo -n "uninstalled" |
| fi |
| sleep 1 |
| 127,7 → 129,7 |
| i=`expr $i + 1` |
| [ -e /etc/ulogd-$log_type.conf ] && rm -f /etc/ulogd-$log_type.conf && echo -n "$i, " |
| i=`expr $i + 1` |
| [ -e /lib/systemd/system/ulogd-$log_type.service ] && rm -f /lib/systemd/system/ulogd-$log_type.service && echo -n "$i" |
| [ -e /lib/systemd/system/ulogd-$log_type.service ] && rm -f /lib/systemd/system/ulogd-$log_type.service && echo -n "$i, " |
| done |
| sleep 1 |
| 144,7 → 146,7 |
| echo -en "\n- dnsmasq(6) : " |
| if [ -e /lib/systemd/system/dnsmasq.service ] |
| then |
| [ -e /etc/sysconfig/dnsmasq.default ] && mv /etc/sysconfig/dnsmasq.default /etc/sysconfig/dnsmasq && echo -n "1 ," |
| [ -e /etc/sysconfig/dnsmasq.default ] && mv /etc/sysconfig/dnsmasq.default /etc/sysconfig/dnsmasq && echo -n "1, " |
| [ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "2, " |
| [ -e /etc/dnsmasq-blacklist.conf ] && rm /etc/dnsmasq-blacklist.conf && echo -n "3, " |
| [ -e /etc/dnsmasq-whitelist.conf ] && rm /etc/dnsmasq-whitelist.conf && echo -n "4, " |
| 157,7 → 159,7 |
| #BL |
| echo -en "\n- BL(1) : " |
| [ -e /lib/systemd/system/iptables.service.default ] && mv /lib/systemd/system/iptables.service.default /lib/systemd/system/iptables.service && echo "1" |
| [ -e /lib/systemd/system/iptables.service.default ] && mv /lib/systemd/system/iptables.service.default /lib/systemd/system/iptables.service && echo -n "1" |
| sleep 1 |
| #dhcpd |
| 170,10 → 172,10 |
| sleep 1 |
| #fail2ban |
| echo -en "\n- fail2ban(7) :" |
| echo -en "\n- fail2ban(7) : " |
| [ -e /etc/fail2ban/fail2ban.conf.default ] && mv /etc/fail2ban/fail2ban.conf.default /etc/fail2ban/fail2ban.conf && echo -n "1, " |
| [ -e /etc/fail2ban/jail.conf.default ] && mv /etc/fail2ban/jail.conf.default /etc/fail2ban/jail.conf && echo -n "2, " |
| [ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf && echo -n " 3, " |
| [ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf && echo -n "3, " |
| [ -e /etc/fail2ban/filter.d/alcasar_mod-evasive.conf ] && rm /etc/fail2ban/filter.d/alcasar_mod-evasive.conf && echo -n "4, " |
| [ -e /etc/fail2ban/filter.d/alcasar_htdigest.conf ] && rm /etc/fail2ban/filter.d/alcasar_htdigest.conf && echo -n "5, " |
| [ -e /etc/fail2ban/filter.d/alcasar_intercept.conf ] && rm /etc/fail2ban/filter.d/alcasar_intercept.conf && echo -n "6, " |
| 196,7 → 198,7 |
| sleep 1 |
| #gammu-smsd |
| echo -en "\n- gammu-smsd(3) :" |
| echo -en "\n- gammu-smsd(3) : " |
| [ -e /etc/gammu_smsd_conf ] && rm -f /etc/gammu_smsd_conf && echo -n "1, " |
| [ -e /etc/udev/rules.d/66-huawei.rules ] && rm -f /etc/udev/rules.d/66-huawei.rules && echo -n "2, " |
| [ -e /var/log/gammu-smsd ] && rm -rf /var/log/gammu-smsd && echo -n "3" |
| 222,7 → 224,6 |
| [ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "8, " |
| [ -e /etc/modprobe.preload.default ] && mv /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "9" |
| echo |
| /sbin/ifup $EXTIF |
| sleep 1 |