WebSVN – ALCASAR – Diff – /scripts/alcasar-watchdog.sh


#!/bin/bash
# $Id: alcasar-watchdog.sh 2108 2017-01-06 08:50:25Z richard $
 
# alcasar-watchdog.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
# - Ce script prévient les usagers de l'indisponibilité de l'accès Internet
 
# - Il déconnecte les usagers dont les équipements réseau ne répondent plus (leur onglet 'status.php' a été fermé)
# - Il deconnecte les usagers dont les adresses MAC sont usurpées
#
# - This script tells users that Internet access is down
 
# - It logs out users whose PCs are quiet (their status tab is closed)
# - It logs out users whose MAC address is used by other systems (usurped)
 
CONF_FILE="/usr/local/etc/alcasar.conf"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`			# EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`			# INTernal InterFace
private_ip_mask=`grep PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1`      # @ip du portail (côté LAN)
PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}
 
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users with their "status.php" tab open
DIR_WEB="/var/www/html"
Index_Page="$DIR_WEB/index.php"
IPTABLES="/sbin/iptables"
TUNIF="tun0"						# listen device for chilli daemon
OLDIFS=$IFS
IFS=$'\n'
 
function lan_down_alert ()
# users are redirected on ALCASAR IP address if a LAN problem is detected
{
	case $LAN_DOWN in
	"1")
		logger "$EXTIF (WAN card) link down"
		echo "$EXTIF (WAN card) link down"
		/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page
		;;
	"2")
		logger "can't contact the default router"
		echo "can't contact the default router"
		/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page
		;;
	esac
	net_pb=`grep "network_pb = True;" $Index_Page|wc -l`
	if [ $net_pb = "0" ] # user alert (only the first time)	
		then
		/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page
		$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56
	fi
}
 
function lan_test ()
# LAN connectiivity testing
{
	watchdog_process=`ps -C alcasar-watchdog.sh|wc -l`
	if [[ $(expr $watchdog_process) -gt 3 ]]
		then
		echo "ALCASAR watchdog is already running"
		exit 0
	fi
	# EXTIF testing
	LAN_DOWN="0"
	if [ `/sbin/ip link | grep $EXTIF|grep "NO-CARRIER" | wc -l` -eq "1" ]
		then
		LAN_DOWN="1"
	fi
	# Default GW testing
	if [ $LAN_DOWN -eq "0" ]
		then
		IP_GW=`/sbin/ip route list|grep ^default|cut -d" " -f3`
		arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW|grep response|cut -d" " -f2`
		if [ $arp_reply -eq "0" ]
	       		then
			LAN_DOWN="2"
		fi
	fi
	# if LAN pb detected, users are warned
	if [ $LAN_DOWN != "0" ]
		then
			lan_down_alert
	# else switch in normal mode
	else
		echo "Internet access is OK for now"
		net_pb=`grep "network_pb = True;" $Index_Page|wc -l`
		if [ $net_pb != "0" ]
			then
			/bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page
			$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56
		fi
	fi
}
 
usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"
case $1 in
	-\? | -h* | --h*)
		echo "$usage"
		exit 0
		;;
	-lt | --lan_test)
		lan_test
		exit 0
		;;
	*)
		lan_test
 
		# We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)
 
		# process each equipment known by chilli to check if IP address is usurped (with arping)
		for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
		do
			active_ip=`echo $system |cut -d" " -f2`
			active_session=`echo $system |cut -d" " -f5`
			active_mac=`echo $system | cut -d" " -f1`
			active_user=`echo $system |cut -d" " -f6`
 
			#We disconnect inactive user here :
			#We check if this is not an auth @MAC and if he is still connected
			if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then
				# If /tmp/current_user.txt exists ...
				if [ -e $current_users_file ]; then
					# We check if user @IP is in 'current_users.txt'
					cmp_user_ok=$(cat $current_users_file | grep $active_ip | wc -w)
					# If not we disconnect this user.
					if [ $cmp_user_ok -eq 0 ]; then
						logger "alcasar-watchdog $active_ip ($active_mac) can't be contact. Alcasar disconnects the user ($active_user)."
 
						/usr/sbin/chilli_query logout $active_mac
					fi
					# Remove the user's IP from 'current_users.txt'. Every user need to insert their @IP everytime to prove their connectivity.
					sed -i "/^$active_ip/d" $current_users_file
				else # "/tmp/current_user.txt" does not exists. We disconnect every users.
					logger "Le fichier /tmp/current_users.txt n'existe pas."
					logger "alcasar-watchdog $active_ip ($active_mac) can't be contact. Alcasar disconnects the user ($active_user)."
 
					/usr/sbin/chilli_query logout $active_mac
				fi
			fi
 
 
 
			# IP usurpation test : process only equipment with an authenticated user
			if [[ $(expr $active_session) -eq 1 ]]
			then
				arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l`
				# disconnect users whose equipement is usurped. For example, if there are 2 same @MAC it will make 3 lines in output.
				if [[ $(expr $arp_reply) -gt 2 ]]
	       				then 
					echo "$(date "+[%x-%X] : ")alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log
					logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."
					/usr/sbin/chilli_query logout $active_mac
					chmod 644 /var/Save/security/watchdog.log
				fi
			fi
		done
		;;
esac	
IFS=$OLDIFS
 
 

Rev 2107	Rev 2108
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-watchdog.sh 2107 2017-01-05 22:23:35Z raphael.pion $`	2	`# $Id: alcasar-watchdog.sh 2108 2017-01-06 08:50:25Z richard $`
3		3
4	`# alcasar-watchdog.sh`	4	`# alcasar-watchdog.sh`
5	`# by Rexy`	5	`# by Rexy`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`# Ce script prévient les usagers de l'indisponibilité de l'accès Internet`	7	`# - Ce script prévient les usagers de l'indisponibilité de l'accès Internet`
8	`# il déconnecte les usagers dont`	-
9	`# - les équipements réseau ne répondent plus ( si la fenetre status.php a été fermé. Les autorisations par adresse mac sont laissé de côté)`	8	`# - Il déconnecte les usagers dont les équipements réseau ne répondent plus (leur onglet 'status.php' a été fermé)`
10	`# - les adresses MAC sont usurpées`	9	`# - Il deconnecte les usagers dont les adresses MAC sont usurpées`
-		10	`#`
11	`# This script tells users that Internet access is down`	11	`# - This script tells users that Internet access is down`
12	`# it logs out users whose`	-
13	`# - PCs are quiet (it means that status.php has been closed. We put aside @MAC Authorization )`	12	`# - It logs out users whose PCs are quiet (their status tab is closed)`
14	`# - MAC address is used by other systems (usurped)`	13	`# - It logs out users whose MAC address is used by other systems (usurped)`
15		14
16	`CONF_FILE="/usr/local/etc/alcasar.conf"`	15	`CONF_FILE="/usr/local/etc/alcasar.conf"`
17	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace	16	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace
18	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace	17	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace
19	private_ip_mask=`grep PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`	18	private_ip_mask=`grep PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`
20	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`	19	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`
21	PRIVATE_IP=`echo "$private_ip_mask" \|cut -d"/" -f1` # @ip du portail (côté LAN)	20	PRIVATE_IP=`echo "$private_ip_mask" \|cut -d"/" -f1` # @ip du portail (côté LAN)
22	`PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}`	21	`PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}`
23	`tmp_file="/tmp/watchdog.txt"`	-
24	`current_users_file="/tmp/current_users.txt"`	22	`current_users_file="/var/tmp/havp/current_users.txt" # file containing active users with their "status.php" tab open`
25	`DIR_WEB="/var/www/html"`	23	`DIR_WEB="/var/www/html"`
26	`Index_Page="$DIR_WEB/index.php"`	24	`Index_Page="$DIR_WEB/index.php"`
27	`IPTABLES="/sbin/iptables"`	25	`IPTABLES="/sbin/iptables"`
28	`TUNIF="tun0" # listen device for chilli daemon`	26	`TUNIF="tun0" # listen device for chilli daemon`
29	`OLDIFS=$IFS`	27	`OLDIFS=$IFS`
30	`IFS=$'\n'`	28	`IFS=$'\n'`
31		29
32	`function lan_down_alert ()`	30	`function lan_down_alert ()`
33	`# users are redirected on ALCASAR IP address if a LAN problem is detected`	31	`# users are redirected on ALCASAR IP address if a LAN problem is detected`
34	`{`	32	`{`
35	`case $LAN_DOWN in`	33	`case $LAN_DOWN in`
36	`"1")`	34	`"1")`
37	`logger "$EXTIF (WAN card) link down"`	35	`logger "$EXTIF (WAN card) link down"`
38	`echo "$EXTIF (WAN card) link down"`	36	`echo "$EXTIF (WAN card) link down"`
39	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page`	37	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"$EXTIF (WAN card) link down\";?g" $Index_Page`
40	`;;`	38	`;;`
41	`"2")`	39	`"2")`
42	`logger "can't contact the default router"`	40	`logger "can't contact the default router"`
43	`echo "can't contact the default router"`	41	`echo "can't contact the default router"`
44	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page`	42	`/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page`
45	`;;`	43	`;;`
46	`esac`	44	`esac`
47	net_pb=`grep "network_pb = True;" $Index_Page\|wc -l`	45	net_pb=`grep "network_pb = True;" $Index_Page\|wc -l`
48	`if [ $net_pb = "0" ] # user alert (only the first time)`	46	`if [ $net_pb = "0" ] # user alert (only the first time)`
49	`then`	47	`then`
50	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page`	48	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page`
51	`$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`	49	`$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`
52	`fi`	50	`fi`
53	`}`	51	`}`
54		52
55	`function lan_test ()`	53	`function lan_test ()`
56	`# LAN connectiivity testing`	54	`# LAN connectiivity testing`
57	`{`	55	`{`
58	watchdog_process=`ps -C alcasar-watchdog.sh\|wc -l`	56	watchdog_process=`ps -C alcasar-watchdog.sh\|wc -l`
59	`if [[ $(expr $watchdog_process) -gt 3 ]]`	57	`if [[ $(expr $watchdog_process) -gt 3 ]]`
60	`then`	58	`then`
61	`echo "ALCASAR watchdog is already running"`	59	`echo "ALCASAR watchdog is already running"`
62	`exit 0`	60	`exit 0`
63	`fi`	61	`fi`
64	`# EXTIF testing`	62	`# EXTIF testing`
65	`LAN_DOWN="0"`	63	`LAN_DOWN="0"`
66	if [ `/sbin/ip link \| grep $EXTIF\|grep "NO-CARRIER" \| wc -l` -eq "1" ]	64	if [ `/sbin/ip link \| grep $EXTIF\|grep "NO-CARRIER" \| wc -l` -eq "1" ]
67	`then`	65	`then`
68	`LAN_DOWN="1"`	66	`LAN_DOWN="1"`
69	`fi`	67	`fi`
70	`# Default GW testing`	68	`# Default GW testing`
71	`if [ $LAN_DOWN -eq "0" ]`	69	`if [ $LAN_DOWN -eq "0" ]`
72	`then`	70	`then`
73	IP_GW=`/sbin/ip route list\|grep ^default\|cut -d" " -f3`	71	IP_GW=`/sbin/ip route list\|grep ^default\|cut -d" " -f3`
74	arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW\|grep response\|cut -d" " -f2`	72	arp_reply=`/usr/sbin/arping -I$EXTIF -c1 $IP_GW\|grep response\|cut -d" " -f2`
75	`if [ $arp_reply -eq "0" ]`	73	`if [ $arp_reply -eq "0" ]`
76	`then`	74	`then`
77	`LAN_DOWN="2"`	75	`LAN_DOWN="2"`
78	`fi`	76	`fi`
79	`fi`	77	`fi`
80	`# if LAN pb detected, users are warned`	78	`# if LAN pb detected, users are warned`
81	`if [ $LAN_DOWN != "0" ]`	79	`if [ $LAN_DOWN != "0" ]`
82	`then`	80	`then`
83	`lan_down_alert`	81	`lan_down_alert`
84	`# else switch in normal mode`	82	`# else switch in normal mode`
85	`else`	83	`else`
86	`echo "Internet access is OK for now"`	84	`echo "Internet access is OK for now"`
87	net_pb=`grep "network_pb = True;" $Index_Page\|wc -l`	85	net_pb=`grep "network_pb = True;" $Index_Page\|wc -l`
88	`if [ $net_pb != "0" ]`	86	`if [ $net_pb != "0" ]`
89	`then`	87	`then`
90	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page`	88	`/bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page`
91	`$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`	89	`$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`
92	`fi`	90	`fi`
93	`fi`	91	`fi`
94	`}`	92	`}`
95		93
96	`usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"`	94	`usage="Usage: alcasar-watchdog.sh {-lt --lan_test}"`
97	`case $1 in`	95	`case $1 in`
98	`-\? \| -h* \| --h*)`	96	`-\? \| -h* \| --h*)`
99	`echo "$usage"`	97	`echo "$usage"`
100	`exit 0`	98	`exit 0`
101	`;;`	99	`;;`
102	`-lt \| --lan_test)`	100	`-lt \| --lan_test)`
103	`lan_test`	101	`lan_test`
104	`exit 0`	102	`exit 0`
105	`;;`	103	`;;`
106	`*)`	104	`*)`
107	`lan_test`	105	`lan_test`
108		-
109	`# We disconnect inactive users (its means that status.php has been closed)`	106	`# We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)`
110	`# Each user inform about his connectivity by filling in /tmp/current_users.txt his own @IP`	-
111	`# process each equipment known by chilli to check if any equipment is usurped (@MAC)`	107	`# process each equipment known by chilli to check if IP address is usurped (with arping)`
112	for system in `/usr/sbin/chilli_query list \|grep -v "\.0\.0\.0"`	108	for system in `/usr/sbin/chilli_query list \|grep -v "\.0\.0\.0"`
113	`do`	109	`do`
114	active_ip=`echo $system \|cut -d" " -f2`	110	active_ip=`echo $system \|cut -d" " -f2`
115	active_session=`echo $system \|cut -d" " -f5`	111	active_session=`echo $system \|cut -d" " -f5`
116	active_mac=`echo $system \| cut -d" " -f1`	112	active_mac=`echo $system \| cut -d" " -f1`
117	active_user=`echo $system \|cut -d" " -f6`	113	active_user=`echo $system \|cut -d" " -f6`
118		-
119	`#We disconnect inactive user here :`	114	`#We disconnect inactive user here :`
120	`#We check if this is not an auth @MAC and if he is still connected`	115	`#We check if this is not an auth @MAC and if he is still connected`
121	`if [ "$active_user" != "$active_mac" ] && [ $(echo $system \| awk '$5 == 1' \| wc -c) -gt 1 ]; then`	116	`if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then`
122	`# If /tmp/current_user.txt exists ...`	117	`# If /tmp/current_user.txt exists ...`
123	`if [ -e $current_users_file ]; then`	118	`if [ -e $current_users_file ]; then`
124	`# We check if user @IP is in 'current_users.txt'`	119	`# We check if user @IP is in 'current_users.txt'`
125	`cmp_user_ok=$(cat $current_users_file \| grep $active_ip \| wc -w)`	120	`cmp_user_ok=$(cat $current_users_file \| grep $active_ip \| wc -w)`
126	`# If this @IP is not in this file, we disconnect this user.`	121	`# If not we disconnect this user.`
127	`if [ $cmp_user_ok -eq 0 ]; then`	122	`if [ $cmp_user_ok -eq 0 ]; then`
128	`logger "alcasar-watchdog $active_ip ($active_mac) can't be contact. Alcasar disconnects the user ($active_user)."`	123	`logger "alcasar-watchdog $active_ip ($active_mac) can't be contact. Alcasar disconnects the user ($active_user)."`
129	`echo "Disconnect : $active_ip $active_mac $active_user"`	-
130	`/usr/sbin/chilli_query logout $active_mac`	124	`/usr/sbin/chilli_query logout $active_mac`
131	`fi`	125	`fi`
132	`# We clean 'current_users.txt'. Every user need to inform their @IP everytime to prove thier connectivity.`	126	`# Remove the user's IP from 'current_users.txt'. Every user need to insert their @IP everytime to prove their connectivity.`
133	`sed -i 'd' $current_users_file`	127	`sed -i "/^$active_ip/d" $current_users_file`
134	`else # If /tmp/current_user.txt does not exists we disconnect every users.`	128	`else # "/tmp/current_user.txt" does not exists. We disconnect every users.`
135	`logger "Le fichier /tmp/current_users.txt n'existe pas."`	129	`logger "Le fichier /tmp/current_users.txt n'existe pas."`
136	`logger "alcasar-watchdog $active_ip ($active_mac) can't be contact. Alcasar disconnects the user ($active_user)."`	130	`logger "alcasar-watchdog $active_ip ($active_mac) can't be contact. Alcasar disconnects the user ($active_user)."`
137	`echo "Disconnect : $active_ip $active_mac $active_user"`	-
138	`/usr/sbin/chilli_query logout $active_mac`	131	`/usr/sbin/chilli_query logout $active_mac`
139	`fi`	132	`fi`
140	`fi`	133	`fi`
141		-
142		-
143		-
144	`# process only equipment with an authenticated user`	134	`# IP usurpation test : process only equipment with an authenticated user`
145	`if [[ $(expr $active_session) -eq 1 ]]`	135	`if [[ $(expr $active_session) -eq 1 ]]`
146	`then`	136	`then`
147	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip\|grep "Unicast reply"\|wc -l`	137	arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip\|grep "Unicast reply"\|wc -l`
148	`# disconnect users whose equipement is usurped (@MAC). For example, if there are 2 same @MAC it will make 3 lines in output.`	138	`# disconnect users whose equipement is usurped. For example, if there are 2 same @MAC it will make 3 lines in output.`
149	`if [[ $(expr $arp_reply) -gt 2 ]]`	139	`if [[ $(expr $arp_reply) -gt 2 ]]`
150	`then`	140	`then`
151	`echo "$(date "+[%x-%X] : ")alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log`	141	`echo "$(date "+[%x-%X] : ")alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log`
152	`logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."`	142	`logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."`
153	`/usr/sbin/chilli_query logout $active_mac`	143	`/usr/sbin/chilli_query logout $active_mac`
154	`chmod 644 /var/Save/security/watchdog.log`	144	`chmod 644 /var/Save/security/watchdog.log`
155	`fi`	145	`fi`
156	`fi`	146	`fi`
157	`done`	147	`done`
158	`;;`	148	`;;`
159	`esac`	149	`esac`
160	`IFS=$OLDIFS`	150	`IFS=$OLDIFS`
161		-
162		151

Subversion Repositories ALCASAR

(root)/scripts/alcasar-watchdog.sh – Rev 2107 → 2108