


Ignore whitespace Rev 2839 → Rev 2840

/CHANGELOG
4,6 → 4,7
-------------------- 3.5.0 --------------------
NEWS
- Mageia7.1 and Linux Kernel 5.6.14
- Remove HAVP & Tinyproxy (replaced by E2guardian & clamd)
- All user pages are now responsive. Thanks to Clément GELINEAU
- Add an additional BL : Malwares Command & Control servers (C&C) from "osint.bambenekconsulting.com/feeds/". Thanks to Sven RATH
- Add IoT live capture (to detect private data leakage). Thanks to Dorian LEMOINE & Guillaume GELLUSSEAU
/alcasar.sh
18,7 → 18,7
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
 
# Options :
# -i or --install
35,8 → 35,7
# freeradius : FreeRadius initialisation
# chilli : coovachilli initialisation (+authentication page)
# e2guardian : E2Guardian filtering HTTP proxy configuration
# antivirus : HAVP + libclamav configuration
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
# antivirus : clamav & freshclam configuration
# ulogd : log system in userland (match NFLOG target of iptables)
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
# unbound : Name server configuration
1271,29 → 1270,42
# Adapt the main conf file
# French deny HTML page
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
# Listen only on LAN side
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
# E2guardian listens on 8080 (HTTP)
# 2 filtergroups (8080 & 8090)
$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
# Listen on 8080 (HTTP for BL users) only on LAN side
$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
# E2guardian listens transparently on 8443 (HTTPS)
$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
# DG send its flow to HAVP (127.0.0.1:8090)
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
# Don't log
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
# Disable HTML content control (weighted & banned)
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
# Enable authport plugin
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
# Enable clamd scanner
$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
 
# RAZ bannedphraselist
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
 
# Disable URL control with regex
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
# Adapt the first group file (only one for instance)
 
# Adapt the first group conf file
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
# Reporting (deny page) in HTML
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
 
# Copy the fist group conf file to the second
cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf2.conf
 
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash...
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1349,47 → 1361,16
 
##################################################################
## Function "antivirus" ##
## - Set the parameters of havp, libclamav and freshclam ##
## - Set the parameters of clamav and freshclam ##
##################################################################
antivirus()
{
# create 'havp' user
havp_exist=`grep -c ^havp: /etc/passwd`
if [ "$havp_exist" == "1" ]
then
userdel -r havp 2>/dev/null
groupdel havp 2>/dev/null
fi
groupadd -f havp
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav
chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp
chown -R clamav:clamav /var/log/clamav /var/lib/clamav
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
$SED "s?^# SCANTEMPFILE.*?SCANTEMPFILE /var/tmp/havp/havp-XXXXXX?g" /etc/havp/havp.config # Use our special tmp FS (memfs)
$SED "s?^# TEMPDIR.*?TEMPDIR /var/tmp/havp?g" /etc/havp/havp.config # Use our special tmp FS (memfs)
# skip checking of youtube flow (too heavy load / risk too low)
[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
echo "# Whitelist youtube flow" >> /etc/havp/whitelist
echo "*.youtube.com/*" >> /etc/havp/whitelist
# adapt init script and systemd unit
[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
cp -f $DIR_CONF/havp-init /etc/init.d/havp
cp -f $DIR_CONF/havp.service /lib/systemd/system/
# replace of the intercept page (template)
cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
# Clamd adaptation to e2guardian
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
chmod 775 /var/log/clamav /var/lib/clamav
chmod 664 /var/log/clamav/*
# update virus database every 4 hours (24h/6)
[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1396,65 → 1377,12
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam
# update now
/usr/bin/freshclam --no-warnings --quiet
} # End of antivirus()
 
################################################################################
## Function "tinyproxy" ##
## - Set the parameters of tinyproxy (proxy between filtered users and havp) ##
################################################################################
tinyproxy()
{
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
if [ "$tinyproxy_exist" == "1" ]
then
userdel -r tinyproxy 2>/dev/null
groupdel tinyproxy 2>/dev/null
fi
groupadd -f tinyproxy
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
mkdir -p /run/tinyproxy /var/log/tinyproxy
chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
# Create the systemd unit
cat << EOF > /lib/systemd/system/tinyproxy.service
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
 
# This unit launches tinyproxy (a very light proxy).
# The "sleep 2" is needed because the pid file isn't ready for systemd
[Unit]
Description=Tinyproxy Web Proxy Server
After=network-online.target iptables.service
 
[Service]
Type=forking
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
ExecStartPre=/bin/sleep 2
PIDFile=/run/tinyproxy/tinyproxy.pid
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
ExecStop=/usr/bin/killall -9 tinyproxy
[Install]
WantedBy=multi-user.target
EOF
 
} # end of tinyproxy()
 
##############################################################
## function "ulogd" ##
## - Ulog config for multi-log files ##
1907,7 → 1835,7
fail2ban()
{
/usr/bin/sh $DIR_CONF/fail2ban.sh
# allow reading of 2 log files (fail2ban & watchdog). HAVP is treated in its section
# allow reading of 2 log files (fail2ban & watchdog).
[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
chmod 644 /var/log/fail2ban.log
2112,7 → 2040,7
##################################################################
post_install()
{
# change the SSH banner
# change the SSHD options
cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2119,13 → 2047,15
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
# sshd listens on EXTIF & INTIF
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
# sshd authorized certificate for root login
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
 
# postfix banner anonymisation
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
chown -R postfix:postfix /var/lib/postfix
# sshd liste on EXTIF & INTIF
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
# sshd authorized certificate for root login
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
# ALCASAR conf file
echo "HTTPS_LOGIN=off" >> $CONF_FILE
echo "HTTPS_CHILLI=off" >> $CONF_FILE
2196,7 → 2126,7
EOF
/usr/bin/systemctl daemon-reload
# processes launched at boot time (Systemctl)
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
do
/usr/bin/systemctl -q enable $i.service
done
2241,7 → 2171,7
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
vm_vga=`lsmod | egrep -c "virtio|vmwgfx|vbox"` # test if in VM
if [ $vm_vga == 0 ] # is not a VM
then
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2425,7 → 2355,7
fi
mode="update"
fi
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
do
$func
if [ $DEBUG_ALCASAR == "on" ]
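Review bot: In hunk 1396,65 → 1377,12 the line `$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam` targets `/etc/freshclam` instead of `/etc/freshclam.conf`, the file every neighbouring line edits; unless that path exists, the substitution never lands and DatabaseOwner keeps its default while hunk 1349 has just chowned /var/lib/clamav to e2guardian:e2guardian, so freshclam would presumably be unable to write the signature database. The fix is `$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf`. The same hunk comments out `NotifyClamd`, so a running clamd is no longer told to reload a freshly downloaded database; please confirm another reload path exists, and that `db.fr.clamav.net` is still a valid mirror for the ClamAV version shipped. antivirus() starts in hunk 1349 and its body is split across the two hunks.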
/conf/havp.service
File deleted
/conf/havp-init
File deleted
Property changes:
Deleted: svn:executable
-*
\ No newline at end of property
Deleted: svn:keywords
-Id Date Author
\ No newline at end of property
/conf/havp-tmpfs-example
0,0 → 1,45
havp_loopback=tmpfs
havp_mountpoint=/var/tmp/havp
 
#set -e
 
# Return values acc. to LSB for all commands but status:
# 1 generic or unspecified error (current practice)
# 2 invalid or excess argument(s)
# 3 unimplemented feature (for example, "reload")
# 4 user had insufficient privilege
# 5 program is not installed
# 6 program is not configured
# 7 program is not running
# 8-99 reserved for future LSB use
# 100-149 reserved for distribution use
# 150-199 reserved for application use
# 200-254 reserved
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.
 
start)
if ! [ "`mount | grep $havp_mountpoint`" ]; then
echo -n "Mounting $havp_loopback under $havp_mountpoint ..."
mount -t tmpfs -o mand,noatime,size=50m,nosuid,noexec $havp_loopback $havp_mountpoint
chown -R havp:havp $havp_mountpoint
echo "done"
fi
if [ "`mount | grep $havp_mountpoint`" ]; then
echo -n "Cleaning up $havp_mountpoint"...
find $havp_mountpoint/ -type f -delete
echo " done"
echo -n "Starting $DESC: "
if [ ! -f $HAVP_BIN ]; then
echo "Error: $HAVP_BIN not found"
exit 5
fi
$HAVP_BIN -c $HAVP_CONFIG
else
echo "Error: mount tmpfs point failed"
fi
chmod 644 /var/log/havp/access.log
exit $?
;;
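Review bot: This new file reintroduces an HAVP tmpfs mount helper in the same revision that removes HAVP (the CHANGELOG entry, the deleted conf/havp-init and conf/havp.service), so it looks like a leftover that should either be dropped or carry a header comment such as `# Reference only: ALCASAR no longer ships HAVP; not used by alcasar.sh`. If it is kept, `exit $?` at the end of the start arm reports the status of the preceding `chmod`, not of `$HAVP_BIN`, and `$havp_mountpoint` is interpolated unquoted into the two `mount | grep` tests. The `start)` arm has no enclosing `case`, and `$DESC`, `$HAVP_BIN` and `$HAVP_CONFIG` are not defined anywhere in the file.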
/rpms/havp-0.92a-1.1.spec
File deleted
/rpms/x86_64/havp-0.93-1.mga7.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/scripts/alcasar-activity_report.sh
164,7 → 164,7
#get timestamp of X day ago. Then we get every packets chich have been updated since this date.
if [ "$(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l)" -gt 1 ]
then
PACKAGE='php|lighttpd|iptables|dnsmasq|unbound|radius|tinyproxy|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget'
PACKAGE='php|lighttpd|iptables|dnsmasq|unbound|radius|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|ipt-netflow|wget|mariadb|gnupg|openssl'
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR
do
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1)
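Review bot: The `if` test above the new PACKAGE value greps with `"$PACKAGE"` before PACKAGE is assigned inside the `then` branch; if nothing earlier in the script sets it, `grep -E ""` matches every updated package and the `-gt 1` gate passes regardless of the list, with the filter only applied to the second pipeline. Moving the assignment `PACKAGE='php|lighttpd|...|openssl'` above the `if` would make both pipelines filter on the same list. The enclosing block starts and ends outside the hunk.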
/scripts/alcasar-conf.sh
275,7 → 275,7
$DIR_BIN/alcasar-logout.sh all
# Services stop
echo -n "Stop services : "
for i in ntpd tinyproxy e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd
for i in ntpd e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd
do
/usr/bin/systemctl stop $i && echo -n "$i, "
done
433,8 → 433,6
}
EOF
$DIR_BIN/alcasar-dns-local.sh -hosts_to_unbound # add local name resolution to unbound (forward & blackhole)
# tinyproxy
$SED "s?^Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf
# DG + BL
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf
# Watchdog
448,7 → 446,7
# Services start
/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1
$DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli
for i in unbound unbound-blackhole tinyproxy ntpd
for i in unbound unbound-blackhole ntpd
do
sleep 1
/usr/bin/systemctl start $i && echo -n ", $i"
/scripts/alcasar-daemon.sh
16,7 → 16,7
LDAP=${LDAP:=off}
INTIF=`grep ^INTIF= $conf_file|cut -d"=" -f2` # INTIF name
EXTIF=`grep ^EXTIF= $conf_file|cut -d"=" -f2` # EXTIF name
SERVICES="mysqld lighttpd php-fpm ntpd havp unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd tinyproxy nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd"
SERVICES="mysqld lighttpd php-fpm ntpd unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd"
nb_available_srv=`echo $SERVICES|wc -w`
 
function ServiceTest () {
/scripts/alcasar-iptables.sh
164,46 → 164,56
# PREROUTING #
#############################
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to TCP port 8090 (e2guardian) in order to REJECT them in INPUT rules
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
# 8080 = ipset havp_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to TCP port 8090 (tinyproxy) in order to REJECT them in INPUT rules
# 8090 = ipset havp_wl + havp
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
# 8443 = tranparent HTTPS for ipsets havp_bl + havp_wl + havp
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6
 
# Marquage des paquets qui tentent d'accéder directement au port 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT
# Mark the direct attempts to port 54 (DNS-blacklist) in order to REJECT them in INPUT rules
# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT
# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules
# 54 = ipset havp_bl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3
 
# Marquage des paquets qui tentent d'accéder directement au port 55 (DNS-Whitelist) pour pouvoir les rejeter en INPUT
# Mark the direct attempts to port 55 (DNS-whitelist) in order to REJECT them in INPUT rules
# 55 = ipset havp_wl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4
 
# Marquage des paquets qui tentent d'accéder directement au port 56 (DNS-Blackhole) pour pouvoir les rejeter en INPUT
# Mark the direct attempts to port 56 (DNS-blackhole) in order to REJECT them in INPUT rules
# 56 = blackall
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 56 -j MARK --set-mark 5
 
# redirection DNS des usagers 'havp_bl' vers le port local 54 (en évitant le contournement)
# redirect DNS of 'havp_bl' users to the local port 54 (avoiding bypass)
# redirection DNS des usagers
# users DNS redirection
# 54 = ipset havp_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p udp --dport domain -j REDIRECT --to-port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p tcp --dport domain -j REDIRECT --to-port 54
 
# redirection DNS des usagers 'havp_wl' vers le port local 55 (en évitant le contournement)
# redirect DNS of 'havp_wl' users to the local port 55 (avoiding bypass)
# 55 = ipset havp_wl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p udp --dport domain -j REDIRECT --to-port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p tcp --dport domain -j REDIRECT --to-port 55
 
# redirection des requêtes DNS de contournement vers le port local 53
# redirect of bypass DNS requests to the local port 53
# 53 = all other users
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
 
# Redirection des requêtes HTTP des usagers vers E2guardian
# Redirect outbound users HTTP requests to E2guardian
# 8080 = ipset havp_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# 8090 = ipset havp_wl & havp
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
 
# Redirection des requêtes HTTPS sortantes des usagers havp_bl + havp_wl + havp vers E2Guardian
# Redirect outbound HTTPS requests of havp_bl + havp_wl + havp users to E2Guardian
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
 
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
216,15 → 226,6
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers E2Guardian
# Redirect outbound HTTP requests of "BL" users to E2Guardian (transparent proxy)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
 
# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
 
# Redirection des requêtes NTP vers le serveur NTP local
# Redirect NTP request in local NTP server
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
262,53 → 263,40
# Conntrack on INPUT
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
# On interdit les connexions directes au port utilisé par E2Guardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on E2Guardian port (8080). The concerned paquets have been marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # havp_bl
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # havp_wl+havp
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # havp_bl+havp_wl+havp
 
# Autorisation des connexions légitimes à E2Guardian
# Allow connections for E2Guardian
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian
# Allow HTTP connections to E2Guardian
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT
 
# On interdit les connexions directes au port utilisé par tinyproxy (8090). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on tinyproxy port (8090). The concerned paquets have been marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset
 
# Autorisation des connexions légitimes vers tinyproxy
# Allow connections to tinyproxy
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m conntrack --ctstate NEW --syn -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT
 
# On interdit les connexions directes au port 54 (DNS-blacklist). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on port 54 (DNS-blacklist). The concerned paquets are marked in mangle table (PREROUTING)
# On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections to DNS ports (UNBOUND). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 3 -j REJECT --reject-with tcp-reset
 
# On interdit les connexions directes au port 55 (DNS-whitelist). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on port 55 (DNS-whitelist). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 55 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 3 -j REJECT --reject-with tcp-reset
 
# On interdit les connexions directes au port 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on port 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 4 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 5 -j REJECT --reject-with tcp-reset
 
# autorisation des connexion légitime à Unbound (avec blacklist)
# Allow connections for Unbound (with blacklist)
# On autorise les connexion DNS légitime
# Allow DNS connections
# ipset = havp_bl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
 
# autorisation des connexion légitime à Unbound (avec whitelist)
# Allow connections for Unbound (with whitelist)
# ipset = havp_wl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
 
# autorisation des connexion légitime à Unbound (mode blackhole)
# Allow connections for Unbound (blackhole mode)
# blackall
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
 
# Accès direct aux services internes
# On accepte l'accès aux services internes
# Internal services access
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS
501,7 → 489,6
# Dynamic NAT on EXTIF
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
 
#############################
# FAIL2BAN #
#############################
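Review bot: In the PREROUTING hunk (164,46 → 164,56) the three HTTP REDIRECT rules for havp_bl, havp_wl and havp now come before the `RULE F_http -- ACCEPT` NFLOG rule and before the havp_wl "not in wl_ip_allowed → port 80" rule that the next hunk keeps; REDIRECT is a terminating nat target, so packets matching the new redirects never reach those later rules, which would silence the HTTP traceability log for BL users (except for site_direct destinations) and leave the WL access-denied redirect unreachable. The previous revision placed the redirects after both rules (the block removed in 216,15 → 226,6), so the NFLOG rule and the wl_ip_allowed redirect should be moved above the three HTTP REDIRECT lines, or the REDIRECT block moved back below them. Separately, the havp_wl/havp HTTP redirects to 8090 lack the `-m set ! --match-set site_direct dst` exclusion that the havp_bl HTTP rule and all three HTTPS rules carry; worth confirming that is intentional. The new INPUT comment reads `d'écoupe` where `d'écoute` is meant.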
/scripts/alcasar-rpm-download.sh
13,7 → 13,7
# The kernel version we compile netflow for
KERNEL="kernel-server-5.3.7-4.mga7-1-1.mga7"
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server netcat-traditional"
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamd perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server netcat-traditional"
 
rpm_repository_sync ()
{
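Review bot: The new PACKAGES line replaces `clamav` with `clamd` while the rest of this commit still manages a `clamav-freshclam` service (the stop lists in /scripts/alcasar-uninstall.sh), so the signature updater and the scanner database are now installed only if the distribution's `clamd` package depends on the package that ships them; this is worth confirming against the repository, or the freshclam-providing package should be named explicitly in the list. The same applies to the PACKAGES line in /scripts/alcasar-urpmi.sh, which makes the identical substitution. A short comment above the assignment, `# clamd replaces clamav; freshclam must still be provided for the clamav-freshclam service`, would record the dependency for the next package-list edit.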
/scripts/alcasar-uninstall.sh
96,7 → 96,7
 
e2guardian ()
{
echo -en "(14) : "
echo -en "(15) : "
[ -d /var/e2guardian ] && rm -rf /var/e2guardian
[ -d /var/dansguardian ] && rm -rf /var/dansguardian
[ -e /lib/systemd/system/e2guardian.service.default ] && mv /lib/systemd/system/e2guardian.service.default /lib/systemd/system/e2guardian.service && echo -n "1, "
103,45 → 103,26
[ -e /etc/e2guardian/e2guardian.conf.default ] && mv /etc/e2guardian/e2guardian.conf.default /etc/e2guardian/e2guardian.conf && echo -n "2, "
[ -e /etc/e2guardian/lists/bannedphraselist.default ] && mv /etc/e2guardian/lists/bannedphraselist.default /etc/e2guardian/lists/bannedphraselist && echo -n "3, "
[ -e /etc/e2guardian/e2guardianf1.conf.default ] && mv /etc/e2guardian/e2guardianf1.conf.default /etc/e2guardian/e2guardianf1.conf && echo -n "4, "
[ -e /usr/share/e2guardian/languages/french/template.html.default ] && mv /usr/share/e2guardian/languages/french/template.html.default /usr/share/e2guardian/languages/french/template.html && echo -n "5, "
[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] && mv /usr/share/e2guardian/languages/ukenglish/template.html.default /usr/share/e2guardian/languages/ukenglish/template.html && echo -n "6, "
[ -e /etc/e2guardian/lists/bannedextensionlist.default ] && mv /etc/e2guardian/lists/bannedextensionlist.default /etc/e2guardian/lists/bannedextensionlist && echo -n "7, "
[ -e /etc/e2guardian/lists/bannedmimetypelist.default ] && mv /etc/e2guardian/lists/bannedmimetypelist.default /etc/e2guardian/lists/bannedmimetypelist && echo -n "8, "
[ -e /etc/e2guardian/lists/exceptioniplist.default ] && mv /etc/e2guardian/lists/exceptioniplist.default /etc/e2guardian/lists/exceptioniplist && echo -n "9, "
[ -e /etc/e2guardian/lists/bannedsitelist.default ] && mv /etc/e2guardian/lists/bannedsitelist.default /etc/e2guardian/lists/bannedsitelist && echo -n "10, "
[ -e /etc/e2guardian/lists/bannedurllist.default ] && mv /etc/e2guardian/lists/bannedurllist.default /etc/e2guardian/lists/bannedurllist && echo -n "11, "
[ -e /etc/e2guardian/lists/exceptionsitelist.default ] && mv /etc/e2guardian/lists/exceptionsitelist.default /etc/e2guardian/lists/exceptionsitelist && echo -n "12, "
[ -e /etc/e2guardian/lists/exceptionurllist.default ] && mv /etc/e2guardian/lists/exceptionurllist.default /etc/e2guardian/lists/exceptionurllist && echo -n "13, "
[ -e /etc/e2guardian/lists/urlregexplist.default ] && mv /etc/e2guardian/lists/urlregexplist.default /etc/e2guardian/lists/urlregexplist && echo -n "14"
[ -e /etc/e2guardian/e2guardianf2.conf ] && rm -f /etc/e2guardian/e2guardianf2.conf && echo -n "5, "
[ -e /usr/share/e2guardian/languages/french/template.html.default ] && mv /usr/share/e2guardian/languages/french/template.html.default /usr/share/e2guardian/languages/french/template.html && echo -n "6, "
[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] && mv /usr/share/e2guardian/languages/ukenglish/template.html.default /usr/share/e2guardian/languages/ukenglish/template.html && echo -n "7, "
[ -e /etc/e2guardian/lists/bannedextensionlist.default ] && mv /etc/e2guardian/lists/bannedextensionlist.default /etc/e2guardian/lists/bannedextensionlist && echo -n "8, "
[ -e /etc/e2guardian/lists/bannedmimetypelist.default ] && mv /etc/e2guardian/lists/bannedmimetypelist.default /etc/e2guardian/lists/bannedmimetypelist && echo -n "9, "
[ -e /etc/e2guardian/lists/exceptioniplist.default ] && mv /etc/e2guardian/lists/exceptioniplist.default /etc/e2guardian/lists/exceptioniplist && echo -n "10, "
[ -e /etc/e2guardian/lists/bannedsitelist.default ] && mv /etc/e2guardian/lists/bannedsitelist.default /etc/e2guardian/lists/bannedsitelist && echo -n "11, "
[ -e /etc/e2guardian/lists/bannedurllist.default ] && mv /etc/e2guardian/lists/bannedurllist.default /etc/e2guardian/lists/bannedurllist && echo -n "12, "
[ -e /etc/e2guardian/lists/exceptionsitelist.default ] && mv /etc/e2guardian/lists/exceptionsitelist.default /etc/e2guardian/lists/exceptionsitelist && echo -n "13, "
[ -e /etc/e2guardian/lists/exceptionurllist.default ] && mv /etc/e2guardian/lists/exceptionurllist.default /etc/e2guardian/lists/exceptionurllist && echo -n "14, "
[ -e /etc/e2guardian/lists/urlregexplist.default ] && mv /etc/e2guardian/lists/urlregexplist.default /etc/e2guardian/lists/urlregexplist && echo -n "15"
}
 
antivirus ()
{
echo -en "(6) : "
if [ -e /etc/init.d/havp ]
then
[ -e /etc/havp/havp.config.default ] && mv /etc/havp/havp.config.default /etc/havp/havp.config && echo -n "1, "
[ -d /run/havp ] && rm -rf /run/havp && echo -n "2, "
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "3, "
[ -e /lib/systemd/system/havp.service ] && rm /lib/systemd/system/havp.service && echo -n "4, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "5, "
userdel -r havp 2>/dev/null ; echo -n "6"
else echo -n "already uninstalled"
fi
echo -en "(2) : "
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "1, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "2"
}
 
tinyproxy ()
{
echo -en "(3) : "
if [ -e /etc/init.d/tinyproxy ]
then
[ -e /etc/tinyproxy/tinyproxy.conf.default ] && mv /etc/tinyproxy/tinyproxy.conf.default /etc/tinyproxy/tinyproxy.conf && echo -n "1, "
[ -d /run/tinyproxy ] && rm -rf /run/tinyproxy && echo -n "2, "
userdel -r tinyproxy 2>/dev/null && echo -n "3"
else echo -n "already uninstalled"
fi
}
 
ulogd ()
{
echo -en "(6) : "
294,7 → 275,7
echo "----------------------------------------------------------------------------"
echo "** Uninstall/Désinstallation d'ALCASAR **"
echo "----------------------------------------------------------------------------"
services="alcasar-load_balancing vnstat havp clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli"
services="alcasar-load_balancing vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli"
/usr/local/bin/alcasar-logout.sh all # logout everybody
else
echo "--------------------------------------------------------------------------"
301,7 → 282,7
echo "** update/mise à jour d'ALCASAR **"
echo "--------------------------------------------------------------------------"
# unbound, iptables & sshd should stay on to allow remote update
services="alcasar-load_balancing vnstat havp clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli"
services="alcasar-load_balancing vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli"
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update
fi
 
335,7 → 316,7
/usr/bin/systemctl reload sshd
fi
echo "Reset ALCASAR main functions : "
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat unbound dnsmasq dhcpd cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat unbound dnsmasq dhcpd cron fail2ban gammu_smsd msec letsencrypt post_install
do
echo -en "\n- $func "
$func
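Review bot: The new `antivirus` body only restores clamd.conf and freshclam.conf, yet the reset loop in the last hunk (`for func in ... antivirus ...`) also runs in update mode, so an instance updated in place from a release that shipped HAVP and tinyproxy keeps their unit files and the `havp`/`tinyproxy` service accounts, and neither daemon is in the update-mode `services=` stop list any more. If in-place updates from those releases are supported, a one-time cleanup such as `[ -e /lib/systemd/system/havp.service ] && rm -f /lib/systemd/system/havp.service`, `userdel -r havp 2>/dev/null` and `userdel -r tinyproxy 2>/dev/null` — or a comment stating that such hosts must be reinstalled — would keep the removed components from lingering as dormant services and accounts. The `for` loop continues past the end of the hunk.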
/scripts/alcasar-urpmi.sh
17,7 → 17,7
# (old) perl-Socket6 : needed by nfsen
# "fonts-dejavu-common" & "fonts-ttf-dejavu" : fonts needed by wkhtmltopdf
# "lsscsi" & nvme-cli" : needed by phpsysinfo
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamav fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch tinyproxy vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli"
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli"
 
rpm_repository_sync ()
{
/web/acc/admin/services.php
25,12 → 25,11
$l_lighttpd = "Serveur WEB (Alcasar Control Center)";
$l_sshd = "Accès sécurisée distant";
$l_clamav_freshclam = "Mise à jour de l'antivirus (toutes les 4 heures)";
$l_clamav_daemon = "Antimalware";
$l_ntpd = "Service de mise à l'heure réseau";
$l_fail2ban = "Détecteur d'intrusion";
$l_nfcapd = "Collecteur de flux NetFlow";
$l_vnstat = "Grapheur de flux réseau";
$l_havp = "Proxy Antivirus";
$l_tinyproxy = "Proxy HTTP léger";
$l_unbound = "Serveur DNS principal";
$l_unbound_blacklist = "Serveur DNS pour la Blacklist";
$l_unbound_whitelist = "Serveur DNS pour la Whitelist";
64,12 → 63,11
$l_lighttpd = "WEB server (ALCASAR Control Center)";
$l_sshd = "Secure remote access";
$l_clamav_freshclam = "Antivirus update process (every 4 hours)";
$l_clamav_daemon= "Antimalware";
$l_ntpd = "Network time server";
$l_fail2ban = "Intrusion Dectection System";
$l_nfcapd = "Netflow collector";
$l_vnstat = "Network grapher";
$l_havp = "Antivirus Proxy";
$l_tinyproxy = "Light HTTP Proxy";
$l_unbound = "Main DNS server";
$l_unbound_blacklist = "Blacklist DNS server";
$l_unbound_whitelist = "Whitelist DNS server";
137,7 → 135,7
//-------------------------------
// Actions on services
//-------------------------------
$autorizeService = array("radiusd","chilli","mysqld","lighttpd","unbound-forward","ulogd-ssh","ulogd-ext-access","ulogd-traceability","unbound-blacklist","unbound-whitelist","dnsmasq-whitelist","unbound-blackhole","e2guardian","havp","tinyproxy","clamav-freshclam","sshd","ntpd","fail2ban","nfcapd","vnstat");
$autorizeService = array("radiusd","chilli","mysqld","lighttpd","unbound-forward","ulogd-ssh","ulogd-ext-access","ulogd-traceability","unbound-blacklist","unbound-whitelist","dnsmasq-whitelist","unbound-blackhole","e2guardian","clamav-daemon","clamav-freshclam","sshd","ntpd","fail2ban","nfcapd","vnstat");
$autorizeAction = array("start","stop","restart");
 
if (isset($_GET['service'])&&(in_array($_GET['service'], $autorizeService))) {
182,8 → 180,7
$FilterServiceStatus['dnsmasq_whitelist'] = checkServiceStatus("dnsmasq-whitelist");
$FilterServiceStatus['unbound_blackhole'] = checkServiceStatus("unbound-blackhole");
$FilterServiceStatus['e2guardian'] = checkServiceStatus("e2guardian");
$FilterServiceStatus['havp'] = checkServiceStatus("havp");
$FilterServiceStatus['tinyproxy'] = checkServiceStatus("tinyproxy");
$FilterServiceStatus['clamav_daemon'] = checkServiceStatus("clamav-daemon");
$FilterServiceStatus['clamav_freshclam'] = checkServiceStatus("clamav-freshclam");
 
$OptServiceStatus = array();