
Ignore whitespace Rev 2840 → Rev 2841

/alcasar.sh
1290,22 → 1290,19
# Enable clamd scanner
$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
 
# Adapt the first group conf file
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
# Reporting (deny page) in HTML
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
 
###### ALCASAR special filtering ####
# RAZ bannedphraselist
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
 
# Disable URL control with regex
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
 
# Adapt the first group conf file
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
# Reporting (deny page) in HTML
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
 
# Copy the fist group conf file to the second
cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf2.conf
 
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash...
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1320,12 → 1317,10
[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
touch $DIR_DG/lists/exceptioniplist
# Creation of ALCASAR banned site list
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
cat <<EOF > $DIR_DG/lists/bannedsitelist
[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
cat <<EOF > $DIR_DG/lists/greysitelist
# E2guardian filter config for ALCASAR
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
#**
# block all SSL and CONNECT tunnels
**s
# block all SSL and CONNECT tunnels specified only as an IP
1354,6 → 1349,13
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
# change the google safesearch ("safe=strict" instead of "safe=vss")
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
 
# Create & adapt the second group conf file (av + av_wl)
cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
$SED "s/^groupname =.*/groupname = 'antimalware & whitelested users'/g" $DIR_DG/e2guardianf2.conf
$SED "s/\/lists\/bannedurllist'/urllist = 'name=banned,messageno=501,path=\/etc\/e2guardian\/lists\/bannedurllist.default'/g" $DIR_DG/e2guardianf2.conf # no banned urls
 
# create log folder
mkdir -p /var/log/e2guardian
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
1366,8 → 1368,15
antivirus()
{
# Clamd adaptation to e2guardian
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
chmod 775 /var/log/clamav /var/lib/clamav
chmod 664 /var/log/clamav/*
1376,9 → 1385,8
$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam
$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
# update now
/usr/bin/freshclam --no-warnings --quiet
} # End of antivirus()
2171,7 → 2179,7
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default
vm_vga=`lsmod | egrep -c "virtio|vmwgfx|vbox"` # test if in VM
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
if [ $vm_vga == 0 ] # is not a VM
then
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
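Review bot: In the antivirus() hunk (1366,8 → 1368,15) the sed address `/^[Service]/` at L74 and L75 is a bracket expression, not the literal `[Service]` header: it matches any line that begins with one of the letters S, e, r, v, i or c, so the two ExecStartPre= lines are appended after every such line of clamav-daemon.service (`ExecStart=`, `Restart=`, …) and never directly after the section header. Escape the brackets, e.g. `$SED "/^\[Service\]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service` (and likewise for the chown line), and guard each with a `grep -q` on the ExecStartPre text so a re-run of alcasar.sh does not append a second pair. Separately, the runtime groupname string at L63 reads `antimalware & whitelested users` — presumably `whitelisted` was intended.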
/scripts/alcasar-activity_report.sh
419,21 → 419,24
echo "Create AV logs since the installation of ALCASAR"
 
#decompress every logs, if they exist
if [ "$(ls -1 /var/log/havp/access.log.*.gz 2>/dev/null | wc -l)" -ge 1 ]
if [ "$(ls -1 /var/log/clamav/clamd.log.*.gz 2>/dev/null | wc -l)" -ge 1 ]
then
gunzip -d access.log.*.gz
gunzip -d clamd.log.*.gz
fi
 
for FILE in /var/log/havp/access.log*
for FILE in /var/log/clamav/clamd.log*
do
while read LINE_AV
do
Y=$(echo $LINE_AV | cut -d' ' -f1)
M=$(echo $LINE_AV | cut -d' ' -f2)
D=$(echo $LINE_AV | cut -d' ' -f3)
H=$(echo $LINE_AV | cut -d' ' -f4)
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s")
echo $CURRENT_TS >> $TMP_AV
if [ "`echo $LINE_AV|grep -c FOUND`" == 1 ]
then
Y=$(echo $LINE_AV | cut -d' ' -f5)
M=$(echo $LINE_AV | cut -d' ' -f2)
D=$(echo $LINE_AV | cut -d' ' -f3)
H=$(echo $LINE_AV | cut -d' ' -f4)
CURRENT_TS=$(date -d "$M $D $Y $H" +"%s")
echo $CURRENT_TS >> $TMP_AV
fi
done < $FILE
done
 
692,9 → 695,9
mv "$(echo $HTML_REPORT | cut -d'.' -f1).pdf" /var/Save/activity_report/
 
#compress every logs, if they exist
if [ "$(ls -1 /var/log/havp/access.log.* 2>/dev/null | wc -l)" -ge 1 ]
if [ "$(ls -1 /var/log/clamav/clamd.log.* 2>/dev/null | wc -l)" -ge 1 ]
then
gzip /var/log/havp/access.log.*
gzip /var/log/clamav/clamd.log.*
fi
 
#compress every logs
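Review bot: `gunzip -d clamd.log.*.gz` at L114 uses a relative glob while the test at L111 checks `/var/log/clamav/clamd.log.*.gz`, so unless the script changed directory to /var/log/clamav earlier (not visible here) the rotated logs are never decompressed and the `for FILE` loop silently skips them; `gunzip -d /var/log/clamav/clamd.log.*.gz` would match the second hunk, which gzips with the absolute path. In the new FOUND branch at L128–L136 each log line costs one `grep` and four `echo | cut` subshells, `read` lacks `-r`, and the unquoted `echo $LINE_AV` glob-expands the scanned file names that clamd writes into the log (the same word-splitting is what lets `cut -d' '` cope with clamd's two-space single-digit days, so the expansion should be replaced rather than merely quoted). One `awk` per file that selects FOUND lines and prints month, day, year and time yields the same timestamps without those hazards.
```shell
for FILE in /var/log/clamav/clamd.log*
do
  # clamd's LogTime lines read "Day Mon DD HH:MM:SS YYYY -> message"; only detections are counted
  awk '/FOUND/ { print $2, $3, $5, $4 }' "$FILE" | while read -r M D Y H
  do
    date -d "$M $D $Y $H" +"%s" >> "$TMP_AV"
  done
done
```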
/scripts/alcasar-condown.sh
29,12 → 29,12
filter=$(echo "$db_res" | awk '$1 == "Alcasar-Filter" { print $2 }')
filterProto=$(echo "$db_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }')
 
if [ "$filter" == '4' ]; then # HAVP_WL
set_filter="havp_wl"
elif [ "$filter" == '3' ]; then # HAVP_BL
set_filter="havp_bl"
elif [ "$filter" == '2' ]; then # HAVP
set_filter="havp"
if [ "$filter" == '4' ]; then # AV_WL
set_filter="av_wl"
elif [ "$filter" == '3' ]; then # AV_BL
set_filter="av_bl"
elif [ "$filter" == '2' ]; then # AV
set_filter="av"
else # NOT_FILTERED
set_filter="not_filtered"
fi
53,7 → 53,7
ipset del $set_filterProto $FRAMED_IP_ADDRESS
 
# Remove IP address from active users
current_users_file="/var/tmp/havp/current_users.txt"
current_users_file="/tmp/current_users.txt"
[ -e $current_users_file ] && sed -i "/^$FRAMED_IP_ADDRESS:/d" $current_users_file
 
# Debug : show all the coova parse variables (+ $set_filter + $set_filterProto).
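Review bot: The new `current_users_file="/tmp/current_users.txt"` at L177 moves a file that drives user disconnection (the watchdog reads it) from a dedicated directory into the shared, world-writable /tmp under a fixed name; any local account can pre-create that path, or a symlink, before alcasar-conup.sh's `[ ! -e … ] && touch … && chown apache:apache …` runs, and the hooks — presumably running as root — then `sed -i` and `>>` whatever is there. A second, functional concern: if httpd runs with systemd `PrivateTmp=` while the coova-chilli hooks and the watchdog do not (not visible in this commit), still_connected.php and this script see different /tmp directories and the file is never shared. A directory created for this purpose at install time (for example under /run or /var/lib, owned by apache with mode 0750) avoids both; the same path is set in alcasar-conup.sh (55,7 → 55,7), alcasar-watchdog.sh (19,7 → 19,7), web/status.php (315,7 → 315,7) and web/still_connected.php (1,7 → 1,7).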
/scripts/alcasar-conup.sh
31,12 → 31,12
filterProto=$(echo "$db_res" | awk '$1 == "Alcasar-Protocols-Filter" { print $2 }')
statusOpenRequired=$(echo "$db_res" | awk '$1 == "Alcasar-Status-Page-Must-Stay-Open" { print $2 }')
 
if [ "$filter" == '4' ]; then # HAVP_WL
set_filter="havp_wl"
elif [ "$filter" == '3' ]; then # HAVP_BL
set_filter="havp_bl"
elif [ "$filter" == '2' ]; then # HAVP
set_filter="havp"
if [ "$filter" == '4' ]; then # AV_WL
set_filter="av_wl"
elif [ "$filter" == '3' ]; then # AV_BL
set_filter="av_bl"
elif [ "$filter" == '2' ]; then # AV
set_filter="av"
else # NOT_FILTERED
set_filter="not_filtered"
fi
55,7 → 55,7
ipset add $set_filterProto $FRAMED_IP_ADDRESS
 
# Add user IP permanently to current_users.txt if no status_open_required
current_users_file="/var/tmp/havp/current_users.txt"
current_users_file="/tmp/current_users.txt"
[ ! -e $current_users_file ] && touch $current_users_file && chown apache:apache $current_users_file
if [ "$statusOpenRequired" == '2' ]; then # no status_open_required
echo "$FRAMED_IP_ADDRESS:PERM" >> $current_users_file
/scripts/alcasar-flush_ipset_wl.sh
4,7 → 4,7
#Clean wl_ip_allowed ipset when WL users are gone.
 
PTN="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
NB_USERS=$(ipset list havp_wl | grep -E $PTN | wc -l)
NB_USERS=$(ipset list av_wl | grep -E $PTN | wc -l)
if [ $NB_USERS -eq '0' ]
then
/sbin/ipset flush wl_ip_allowed
/scripts/alcasar-iptables.sh
45,7 → 45,7
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
IPTABLES="/sbin/iptables"
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # Site Direct (no havp and no filtrage) for user BL
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
 
# Allow requests to internal DNS if activated
if [ "$INT_DNS_ACTIVE" = "on" ]
59,9 → 59,9
if [ $? -eq 0 ];
then
ipset save not_filtered > $TMP_users_set_save
ipset save havp >> $TMP_users_set_save
ipset save havp_bl >> $TMP_users_set_save
ipset save havp_wl >> $TMP_users_set_save
ipset save av >> $TMP_users_set_save
ipset save av_bl >> $TMP_users_set_save
ipset save av_wl >> $TMP_users_set_save
ipset save proto_0 >> $TMP_users_set_save
ipset save proto_1 >> $TMP_users_set_save
ipset save proto_2 >> $TMP_users_set_save
122,7 → 122,7
ipset -q del bl_ip_blocked $ip
done
 
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés
# ipset for exception web sites (usefull for filtered users = av_bl)
ipset create site_direct hash:net hashsize 1024
for site in $(cat $SITE_DIRECT)
do
150,9 → 150,9
rm -f $TMP_users_set_save
else
ipset create not_filtered hash:ip hashsize 1024
ipset create havp hash:ip hashsize 1024
ipset create havp_bl hash:ip hashsize 1024
ipset create havp_wl hash:ip hashsize 1024
ipset create av hash:ip hashsize 1024
ipset create av_bl hash:ip hashsize 1024
ipset create av_wl hash:ip hashsize 1024
# pour les filtrages de protocole par utilisateur / For network protocols filtering by user
ipset create proto_0 hash:ip hashsize 1024
ipset create proto_1 hash:ip hashsize 1024
166,22 → 166,22
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
# 8080 = ipset havp_bl
# 8080 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
# 8090 = ipset havp_wl + havp
# 8090 = ipset av_wl + av
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
# 8443 = tranparent HTTPS for ipsets havp_bl + havp_wl + havp
# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6
 
# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT
# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules
# 54 = ipset havp_bl
# 54 = ipset av_bl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3
# 55 = ipset havp_wl
# 55 = ipset av_wl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4
# 56 = blackall
190,12 → 190,12
 
# redirection DNS des usagers
# users DNS redirection
# 54 = ipset havp_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p udp --dport domain -j REDIRECT --to-port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p tcp --dport domain -j REDIRECT --to-port 54
# 55 = ipset havp_wl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p udp --dport domain -j REDIRECT --to-port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p tcp --dport domain -j REDIRECT --to-port 55
# 54 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54
# 55 = ipset av_wl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
# 53 = all other users
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
202,29 → 202,29
 
# Redirection des requêtes HTTP des usagers vers E2guardian
# Redirect outbound users HTTP requests to E2guardian
# 8080 = ipset havp_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# 8090 = ipset havp_wl & havp
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
# 8080 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# 8090 = ipset av_wl & av
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
 
# Redirection des requêtes HTTPS sortantes des usagers havp_bl + havp_wl + havp vers E2Guardian
# Redirect outbound HTTPS requests of havp_bl + havp_wl + havp users to E2Guardian
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
 
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
# Journalisation HTTP_Internet des usagers 'av_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
# Log Internet HTTP of 'av_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
 
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
# Redirection HTTP des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'av_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection des requêtes NTP vers le serveur NTP local
# Redirect NTP request in local NTP server
265,9 → 265,9
 
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # havp_bl
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # havp_wl+havp
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # havp_bl+havp_wl+havp
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av
 
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian
# Allow HTTP connections to E2Guardian
286,10 → 286,10
 
# On autorise les connexion DNS légitime
# Allow DNS connections
# ipset = havp_bl
# ipset = av_bl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
# ipset = havp_wl
# ipset = av_wl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
# blackall
342,11 → 342,11
# FORWARD #
#############################
 
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl
# Deny IPs of the SET bl_ip_blocked for the set havp_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
# Deny IPs of the SET bl_ip_blocked for the set av_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
# Active le suivi de session
# Allow Conntrack
420,9 → 420,9
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
fi
 
# Blocage des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL
# Block 'havp_wl' users who want IP not in the WL
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -j DROP
# Blocage des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL
# Block 'av_wl' users who want IP not in the WL
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -j DROP
 
# journalisation et autorisation des connections sortant du LAN
# Allow forward connections with log
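Review bot: Renaming the user sets from `havp*` to `av*` in the save/restore block (59,9 → 59,9) leaves the first run on an already-installed system without a migration: if the test at L231 (its command is outside the hunk) still succeeds because `not_filtered` exists, `ipset save av` at L237–L239 fails for sets that do not exist yet, the else branch at L255–L261 that would create them is skipped, and the `--match-set av_bl` rules further down are then loaded against missing sets. Creating the sets when absent before the save (`ipset create -exist av hash:ip hashsize 1024`, and the same for `av_bl` and `av_wl`) or a one-time rename in the upgrade path would cover this — worth confirming against alcasar-upgrade, which is not part of this commit.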
/scripts/alcasar-uninstall.sh
109,7 → 109,7
[ -e /etc/e2guardian/lists/bannedextensionlist.default ] && mv /etc/e2guardian/lists/bannedextensionlist.default /etc/e2guardian/lists/bannedextensionlist && echo -n "8, "
[ -e /etc/e2guardian/lists/bannedmimetypelist.default ] && mv /etc/e2guardian/lists/bannedmimetypelist.default /etc/e2guardian/lists/bannedmimetypelist && echo -n "9, "
[ -e /etc/e2guardian/lists/exceptioniplist.default ] && mv /etc/e2guardian/lists/exceptioniplist.default /etc/e2guardian/lists/exceptioniplist && echo -n "10, "
[ -e /etc/e2guardian/lists/bannedsitelist.default ] && mv /etc/e2guardian/lists/bannedsitelist.default /etc/e2guardian/lists/bannedsitelist && echo -n "11, "
[ -e /etc/e2guardian/lists/greysitelist.default ] && mv /etc/e2guardian/lists/greysitelist.default /etc/e2guardian/lists/greysitelist && echo -n "11, "
[ -e /etc/e2guardian/lists/bannedurllist.default ] && mv /etc/e2guardian/lists/bannedurllist.default /etc/e2guardian/lists/bannedurllist && echo -n "12, "
[ -e /etc/e2guardian/lists/exceptionsitelist.default ] && mv /etc/e2guardian/lists/exceptionsitelist.default /etc/e2guardian/lists/exceptionsitelist && echo -n "13, "
[ -e /etc/e2guardian/lists/exceptionurllist.default ] && mv /etc/e2guardian/lists/exceptionurllist.default /etc/e2guardian/lists/exceptionurllist && echo -n "14, "
118,9 → 118,10
 
antivirus ()
{
echo -en "(2) : "
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "1, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "2"
echo -en "(3) : "
[ -e /lib/systemd/system/clamav-daemon.service.default ] && mv /lib/systemd/system/clamav-daemon.service.default /lib/systemd/system/clamav-daemon.service && echo -n "1, "
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "2, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "3"
}
 
ulogd ()
/scripts/alcasar-watchdog.sh
19,7 → 19,7
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1` # @ip du portail (côté LAN)
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}
current_users_file="/var/tmp/havp/current_users.txt" # file containing active users with their "status.php" tab open
current_users_file="/tmp/current_users.txt" # file containing active users with their "status.php" tab open
DIR_WEB="/var/www/html"
Index_Page="$DIR_WEB/index.php"
IPTABLES="/sbin/iptables"
132,7 → 132,7
sed -i "/^$active_ip:$cmp_user_ok\$/d" $current_users_file
fi
else # "current_user.txt" does not exists. We disconnect every users.
logger -t alcasar-watchdog "The file /var/tmp/havp/current_users.txt doen't' exist. We disconnects the user $active_user"
logger -t alcasar-watchdog "The file /tmp/current_users.txt doesn't' exist. We disconnects the user $active_user"
/usr/sbin/chilli_query logout $active_mac
fi
fi
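Review bot: The new logger message at L456 carries a stray apostrophe (`doesn't'`) and a grammatical slip (`We disconnects`), and it hard-codes the path that L447 already stores in `$current_users_file`, so the two can drift apart on the next move. Suggested line: `logger -t alcasar-watchdog "The file $current_users_file doesn't exist. Disconnecting user $active_user"`.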
/web/acc/about.htm
87,7 → 87,7
<TD align="center"><A HREF="javascript:ouvrir('https://sourceforge.net/projects/ipt-netflow')"><img border="0" src="/images/footer_netflow.png"></A></TD>
<TD align="center"><A HREF="javascript:ouvrir('https://www.clamav.net')"><img border="0" src="/images/footer_clamav.png"></A></TD>
<TD align="center"><A HREF="javascript:ouvrir('http://www.netfilter.org')"><img border="0" src="/images/footer_netfilter.png"></A></TD>
<TD align="center"><A HREF="javascript:ouvrir('http://www.havp.org')"><img border="0" src="/images/footer_havp.png"></A></TD>
<TD align="center"><A HREF="javascript:ouvrir('http://www.wammu.eu')"><img border="0" src="/images/footer_gammu.png"></A></TD>
<TD align="center"><A HREF="javascript:ouvrir('http://e2guardian.org')"><img border="0" src="/images/footer_e2guardian.png"></A></TD>
<TD align="center"><A HREF="javascript:ouvrir('http://thekelleys.org.uk/dnsmasq/doc.html')"><img border="0" src="/images/footer_dnsmasq.png"></A></TD>
</TR>
/web/acc/manager/htdocs/group_new.php
459,9 → 459,9
echo "<select name=\"$name\">";
echo "<option value=\"\"></option>";
echo "<option value=\"1\">$l_filtering_none</option>";
echo "<option value=\"2\">$l_filtering_havp</option>";
echo "<option value=\"3\">$l_filtering_havp_bl</option>";
echo "<option value=\"4\">$l_filtering_havp_wl</option>";
echo "<option value=\"2\">$l_filtering_av</option>";
echo "<option value=\"3\">$l_filtering_av_bl</option>";
echo "<option value=\"4\">$l_filtering_av_wl</option>";
echo "</select>";
break;
case 'Alcasar-Protocols-Filter' :
/web/acc/manager/htdocs/security.php
9,7 → 9,7
if ($language === 'fr') {
$l_title = 'Sécurité';
$l_spoofing = "Adresse(s) MAC usurpée(s) (Watchdog)";
$l_virus = "Virus bloqué(s) (HAVP)";
$l_virus = "Virus bloqué(s) (CLAMAV)";
$l_fail2ban = "Adresse(s) IP bloquée(s) (Fail2Ban)";
$l_ipAddress="Adresse IP";
$l_user = "L'utilisateur";
18,7 → 18,7
} else {
$l_title = 'Security';
$l_spoofing = "MAC address spoofed (Watchdog)";
$l_virus = "Virus blocked (HAVP)";
$l_virus = "Virus blocked (CLAMAV)";
$l_fail2ban = "IP address blocked (Fail2Ban)";
$l_ipAddress="IP address";
$l_user = "User";
101,7 → 101,7
</div>
<?php
} else if ($tab === 2) {
$filePath = '/var/log/havp/access.log';
$filePath = '/var/log/clamav/clamd.log';
$lines = file($filePath);
if ($lines === false) {
exit("Cannot open '$filePath'.");
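Review bot: Switching `$filePath` to `/var/log/clamav/clamd.log` at L508 changes the line format that the rest of this branch parses (outside the hunk): havp's access.log and clamd.log lay out the timestamp and the detection differently (clamd's LogTime lines read `Day Mon DD HH:MM:SS YYYY -> … FOUND`), so please confirm the parsing after L509 was adapted to the new format and to the fact that most clamd.log lines are not detections. `file($filePath)` also loads the whole log into memory on every page view; reading only the last N lines, or streaming with `SplFileObject`, would keep the page bounded as the log grows between rotations.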
/web/acc/manager/htdocs/user_edit.php
311,11 → 311,11
break;
case 'Alcasar-Filter' :
if ($val === '4') {
$grp_filter = $l_filtering_havp_wl;
$grp_filter = $l_filtering_av_wl;
} else if ($val === '3') {
$grp_filter = $l_filtering_havp_bl;
$grp_filter = $l_filtering_av_bl;
} else if ($val === '2') {
$grp_filter = $l_filtering_havp;
$grp_filter = $l_filtering_av;
} else if ($val === '1') {
$grp_filter = $l_filtering_none;
} else {
780,9 → 780,9
echo "<select name=\"$name1\">";
echo "<option value=\"\"".(($val === '') ? ' selected' : '')."></option>";
echo "<option value=\"1\"".(($val === '1') ? ' selected' : '').">$l_filtering_none</option>";
echo "<option value=\"2\"".(($val === '2') ? ' selected' : '').">$l_filtering_havp</option>";
echo "<option value=\"3\"".(($val === '3') ? ' selected' : '').">$l_filtering_havp_bl</option>";
echo "<option value=\"4\"".(($val === '4') ? ' selected' : '').">$l_filtering_havp_wl</option>";
echo "<option value=\"2\"".(($val === '2') ? ' selected' : '').">$l_filtering_av</option>";
echo "<option value=\"3\"".(($val === '3') ? ' selected' : '').">$l_filtering_av_bl</option>";
echo "<option value=\"4\"".(($val === '4') ? ' selected' : '').">$l_filtering_av_wl</option>";
echo "</select>";
break;
case 'Alcasar-Protocols-Filter' :
/web/acc/manager/htdocs/user_new.php
463,9 → 463,9
echo "<select name=\"$name\">";
echo "<option value=\"\"></option>";
echo "<option value=\"1\">$l_filtering_none</option>";
echo "<option value=\"2\">$l_filtering_havp</option>";
echo "<option value=\"3\">$l_filtering_havp_bl</option>";
echo "<option value=\"4\">$l_filtering_havp_wl</option>";
echo "<option value=\"2\">$l_filtering_av</option>";
echo "<option value=\"3\">$l_filtering_av_bl</option>";
echo "<option value=\"4\">$l_filtering_av_wl</option>";
echo "</select>";
break;
case 'Alcasar-Protocols-Filter' :
/web/acc/manager/lib/langues.php
114,9 → 114,9
$l_createTicketsMSG = "Saisissez le nombre d\'utilisateurs à créer";
$l_filtering = "Filtrage de domaines et antiviral ";
$l_filtering_none = "Aucun";
$l_filtering_havp = "Antivirus web";
$l_filtering_havp_bl = "Antivirus web + Blacklist";
$l_filtering_havp_wl = "Antivirus web + Whitelist";
$l_filtering_av = "Antivirus web";
$l_filtering_av_bl = "Antivirus web + Blacklist";
$l_filtering_av_wl = "Antivirus web + Whitelist";
$l_user_exists = "existe déjà !";
$l_created = "a été correctement créé";
$l_removed = "a été supprimé";
240,9 → 240,9
$l_createTicketsMSG = "Enter the number of users to create";
$l_filtering = "Antivirus & domain Filtering";
$l_filtering_none = "None";
$l_filtering_havp = "WEB Antivirus";
$l_filtering_havp_bl = "Blacklist + WEB antivirus";
$l_filtering_havp_wl = "Whitelist + WEB antivirus";
$l_filtering_av = "WEB Antivirus";
$l_filtering_av_bl = "Blacklist + WEB antivirus";
$l_filtering_av_wl = "Whitelist + WEB antivirus";
$l_user_exists = "already exists !";
$l_created = "has been correctly created";
$l_removed = "has been removed";
/web/acc/phpsysinfo/phpsysinfo.ini
296,7 → 296,7
; Hide mounts
; Example : HIDE_MOUNTS="/home,/usr"
;
; HIDE_MOUNTS="/dev,/dev/shm,/run,/run/user/0,/var/tmp/havp,/sys/fs/cgroup"
; HIDE_MOUNTS="/dev,/dev/shm,/run,/run/user/0,/sys/fs/cgroup"
HIDE_MOUNTS=""
 
 
/web/images/footer_havp.png
Cannot display: file marked as a binary type.
svn:mime-type = image/png
Property changes:
Deleted: svn:mime-type
-image/png
\ No newline at end of property
/web/images/footer_gammu.png
Cannot display: file marked as a binary type.
svn:mime-type = image/png
Property changes:
Added: svn:mime-type
+image/png
\ No newline at end of property
/web/status.php
315,7 → 315,7
}
}
 
$filename = '/var/tmp/havp/current_users.txt';
$filename = '/tmp/current_users.txt';
$user_needKeepOpen = (preg_match("/^$remote_ip:PERM/m", file_get_contents($filename)) === 0);
}
 
/web/still_connected.php
1,7 → 1,7
<?php
 
// store user @IP who can join this page (still have their status.php tab open) in a file.
$filename = '/var/tmp/havp/current_users.txt';
$filename = '/tmp/current_users.txt';
$user_ip = $_SERVER['REMOTE_ADDR'];
 
$isConnected = exec('sudo /usr/sbin/chilli_query list | awk '.escapeshellarg('($2 == "'.$user_ip.'") {print $5}'));