/scripts/alcasar-daemon.sh |
---|
10,7 → 10,7 |
conf_file="/usr/local/etc/alcasar.conf" |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
SERVICE="sshd dnsmasq httpd chilli radiusd mysqld dansguardian dnsmasq havp freshclam ntpd squid master squid" |
SERVICE="sshd dnsmasq httpd chilli radiusd mysqld dansguardian dnsmasq havp havp2 freshclam ntpd squid master squid" |
function ServiceTest () { |
CMD=`pidof $s` |
/scripts/alcasar-iptables.sh |
---|
30,6 → 30,7 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty |
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist |
DNSMASQ_WL_ENABLED="/usr/local/share/dnsmasq-wl-enabled" # enabled domain names for the Whitelist |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
QOS=`grep ^QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
92,13 → 93,12 |
# Calcul de la taille du set de la blacklist |
# Compute the blacklist set length |
cd $BL_IP_CAT |
set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
# Création du fichier set temporaire, remplissage, chargement et suppression |
# Creating the temporary set file, filling, loading and deleting |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save |
for category in `ls -1 | cut -d '@' -f1` |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save |
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1` |
do |
cat $BL_IP_CAT/$category >> $TMP_set_save |
done |
113,9 → 113,13 |
ipset del blacklist_ip_blocked $ip |
done |
# Calcul de la taille du set de la whitelist |
# Compute the whitelist set length |
wl_set_length=$(($(wc -l $DNSMASQ_WL_ENABLED/* | awk '{print $1}' | tail -n 1)*3)) |
# Création du fichier set temporaire, remplissage, chargement et suppression |
# Creating the temporary set file, filling, loading and deleting |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024" > $TMP_set_save |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save |
cat $WL_IP_OSSI >> $TMP_set_save |
ipset -! restore < $TMP_set_save |
rm -f $TMP_set_save |
158,18 → 162,22 |
# Mark (and log) the 8091 direct attempts to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 5 |
# Aiguillage des flux DNS |
# Switching DNS streams |
# havp_bl_set --> redirection vers le port 54 |
# havp_bl_set --> redirect to port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
# havp_wl_set --> redirection vers le port 55 |
# havp_wl_set --> redirect to port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set |
# Redirect outbound HTTP requests from blacklist IP to ALCASAR ('access denied' page) for the set havp_bl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set |
# Redirect outbound HTTP requests from IP which are not in the whitelist to ALCASAR ('access denied' page) for the set havp_wl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
286,7 → 294,7 |
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
# interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
# Reject INTIF access (only when chilli is down) |
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT " |
$IPTABLES -A INPUT -i $INTIF -j REJECT |
/scripts/sbin/alcasar-havp.sh |
---|
File deleted |
Property changes: |
Deleted: svn:eol-style |
-LF |
\ No newline at end of property |
Deleted: svn:executable |
-* |
\ No newline at end of property |
Deleted: svn:keywords |
-Id Author Date |
\ No newline at end of property |
/scripts/sbin/alcasar-bl.sh |
---|
38,18 → 38,23 |
# enable/disable the BL & WL categories |
function cat_choice (){ |
# saving ip files and ossi category |
# saving ossi category |
mkdir $DIR_tmp |
if [ $(find $DIR_IP_BL_ENABLED -name "ossi-*" | wc -l) -ne 0 ] |
cp $DIR_IP_BL/ossi $DIR_tmp |
if [ -d $DIR_IP_BL_ENABLED ] |
then |
cp $DIR_IP_BL_ENABLED/ossi-* $DIR_tmp |
for file in `ls -1 $DIR_IP_BL_ENABLED | grep -v "^ossi-*"` |
do |
rm -f $DIR_IP_BL_ENABLED/$file |
done |
else |
mkdir $DIR_IP_BL_ENABLED |
chown apache $DIR_IP_BL_ENABLED |
fi |
cp $DIR_IP_BL/ossi $DIR_tmp |
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED # cleaning for dnsmasq and iptables |
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED # cleaning for dnsmasq and iptables |
$SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG |
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines) |
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED |
chown apache $DIR_IP_BL_ENABLED |
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED |
# process the file $BL_CATEGORIES with the choice of categories |
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED` |
do |
74,10 → 79,6 |
# restoring ip files and ossi category |
mv $DIR_tmp/ossi $DIR_IP_BL |
chown apache $DIR_IP_BL/ossi |
if [ $(find $DIR_tmp -name "ossi-*" | wc -l) -ne 0 ] |
then |
mv $DIR_tmp/ossi-* $DIR_IP_BL_ENABLED |
fi |
rm -rf $DIR_tmp |
} |
function bl_enable (){ |
/scripts/sbin/alcasar-uninstall.sh |
---|
107,14 → 107,16 |
sleep 1 |
#antivirus |
echo -en "\n- antivirus(4) : " |
echo -en "\n- antivirus(6) : " |
if [ -e /etc/init.d/havp ] |
then |
[ -e /etc/havp/havp.config.default ] && mv /etc/havp/havp.config.default /etc/havp/havp.config && echo -n "1, " |
userdel -r havp 2>/dev/null && echo -n "2, " |
[ -e /etc/havp/havp2.config ] && rm -f /etc/havp/havp2.config && echo -n "2, " |
userdel -r havp 2>/dev/null && echo -n "3, " |
[ `grep havp /etc/fstab|wc -l` -ne "0" ] && $SED "/havp/d" /etc/fstab # anciennes versions (mémoire tampon sur disque) |
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "3, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "4" |
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "4, " |
[ -e /etc/init.d/havp2 ] && rm -f /etc/init.d/havp2 && echo -n "5, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "6" |
else echo -n "uninstalled" |
fi |
sleep 1 |
127,7 → 129,7 |
i=`expr $i + 1` |
[ -e /etc/ulogd-$log_type.conf ] && rm -f /etc/ulogd-$log_type.conf && echo -n "$i, " |
i=`expr $i + 1` |
[ -e /lib/systemd/system/ulogd-$log_type.service ] && rm -f /lib/systemd/system/ulogd-$log_type.service && echo -n "$i" |
[ -e /lib/systemd/system/ulogd-$log_type.service ] && rm -f /lib/systemd/system/ulogd-$log_type.service && echo -n "$i, " |
done |
sleep 1 |
144,7 → 146,7 |
echo -en "\n- dnsmasq(6) : " |
if [ -e /lib/systemd/system/dnsmasq.service ] |
then |
[ -e /etc/sysconfig/dnsmasq.default ] && mv /etc/sysconfig/dnsmasq.default /etc/sysconfig/dnsmasq && echo -n "1 ," |
[ -e /etc/sysconfig/dnsmasq.default ] && mv /etc/sysconfig/dnsmasq.default /etc/sysconfig/dnsmasq && echo -n "1, " |
[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "2, " |
[ -e /etc/dnsmasq-blacklist.conf ] && rm /etc/dnsmasq-blacklist.conf && echo -n "3, " |
[ -e /etc/dnsmasq-whitelist.conf ] && rm /etc/dnsmasq-whitelist.conf && echo -n "4, " |
157,7 → 159,7 |
#BL |
echo -en "\n- BL(1) : " |
[ -e /lib/systemd/system/iptables.service.default ] && mv /lib/systemd/system/iptables.service.default /lib/systemd/system/iptables.service && echo "1" |
[ -e /lib/systemd/system/iptables.service.default ] && mv /lib/systemd/system/iptables.service.default /lib/systemd/system/iptables.service && echo -n "1" |
sleep 1 |
#dhcpd |
170,10 → 172,10 |
sleep 1 |
#fail2ban |
echo -en "\n- fail2ban(7) :" |
echo -en "\n- fail2ban(7) : " |
[ -e /etc/fail2ban/fail2ban.conf.default ] && mv /etc/fail2ban/fail2ban.conf.default /etc/fail2ban/fail2ban.conf && echo -n "1, " |
[ -e /etc/fail2ban/jail.conf.default ] && mv /etc/fail2ban/jail.conf.default /etc/fail2ban/jail.conf && echo -n "2, " |
[ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf && echo -n " 3, " |
[ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf && echo -n "3, " |
[ -e /etc/fail2ban/filter.d/alcasar_mod-evasive.conf ] && rm /etc/fail2ban/filter.d/alcasar_mod-evasive.conf && echo -n "4, " |
[ -e /etc/fail2ban/filter.d/alcasar_htdigest.conf ] && rm /etc/fail2ban/filter.d/alcasar_htdigest.conf && echo -n "5, " |
[ -e /etc/fail2ban/filter.d/alcasar_intercept.conf ] && rm /etc/fail2ban/filter.d/alcasar_intercept.conf && echo -n "6, " |
196,7 → 198,7 |
sleep 1 |
#gammu-smsd |
echo -en "\n- gammu-smsd(3) :" |
echo -en "\n- gammu-smsd(3) : " |
[ -e /etc/gammu_smsd_conf ] && rm -f /etc/gammu_smsd_conf && echo -n "1, " |
[ -e /etc/udev/rules.d/66-huawei.rules ] && rm -f /etc/udev/rules.d/66-huawei.rules && echo -n "2, " |
[ -e /var/log/gammu-smsd ] && rm -rf /var/log/gammu-smsd && echo -n "3" |
222,7 → 224,6 |
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "8, " |
[ -e /etc/modprobe.preload.default ] && mv /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "9" |
echo |
/sbin/ifup $EXTIF |
sleep 1 |