WebSVN – ALCASAR – Diff – /scripts/alcasar-watchdog.sh

 #!/bin/bash
-# $Id: alcasar-watchdog.sh 2107 2017-01-05 22:23:35Z raphael.pion $
+# $Id: alcasar-watchdog.sh 2108 2017-01-06 08:50:25Z richard $
 # alcasar-watchdog.sh
 # by Rexy
 # This script is distributed under the Gnu General Public License (GPL)
-# Ce script prévient les usagers de l'indisponibilité de l'accès Internet
+# - Ce script prévient les usagers de l'indisponibilité de l'accès Internet
-# il déconnecte les usagers dont
-# - les équipements réseau ne répondent plus ( si la fenetre status.php a été fermé. Les autorisations par adresse mac sont laissé de côté)
+# - Il déconnecte les usagers dont les équipements réseau ne répondent plus (leur onglet 'status.php' a été fermé)
-# - les adresses MAC sont usurpées
+# - Il deconnecte les usagers dont les adresses MAC sont usurpées
+#
-# This script tells users that Internet access is down
+# - This script tells users that Internet access is down
-# it logs out users whose
-# - PCs are quiet (it means that status.php has been closed. We put aside @MAC Authorization )
+# - It logs out users whose PCs are quiet (their status tab is closed)
-# - MAC address is used by other systems (usurped)
+# - It logs out users whose MAC address is used by other systems (usurped)
 CONF_FILE="/usr/local/etc/alcasar.conf"
 EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`			# EXTernal InterFace
 INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`			# INTernal InterFace
 private_ip_mask=`grep PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
 private_ip_mask=${private_ip_mask:=192.168.182.1/24}
 PRIVATE_IP=`echo "$private_ip_mask" |cut -d"/" -f1`      # @ip du portail (côté LAN)
 PRIVATE_IP=${PRIVATE_IP:=192.168.182.1}
-tmp_file="/tmp/watchdog.txt"
-current_users_file="/tmp/current_users.txt"
+current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users with their "status.php" tab open
 DIR_WEB="/var/www/html"
 Index_Page="$DIR_WEB/index.php"
 IPTABLES="/sbin/iptables"
 TUNIF="tun0"						# listen device for chilli daemon
 OLDIFS=$IFS
 		lan_test
 		exit 0
 		;;
 	*)
 		lan_test
-		# We disconnect inactive users (its means that status.php has been closed)
+		# We disconnect inactive users (its means that their 'status.php' tab has been closed --> their ip address isn't in $current_users_file)
-		# Each user inform about his connectivity by filling in /tmp/current_users.txt his own @IP
-		# process each equipment known by chilli to check if any equipment is usurped (@MAC)
+		# process each equipment known by chilli to check if IP address is usurped (with arping)
 		for system in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
 		do
 			active_ip=`echo $system |cut -d" " -f2`
 			active_session=`echo $system |cut -d" " -f5`
 			active_mac=`echo $system | cut -d" " -f1`
 			active_user=`echo $system |cut -d" " -f6`
 			#We disconnect inactive user here :
 			#We check if this is not an auth @MAC and if he is still connected
-			if [ "$active_user" != "$active_mac" ] && [ $(echo $system | awk '$5 == 1' | wc -c) -gt 1 ]; then
+			if [ "$active_user" != "$active_mac" ] && [ $(expr $active_session) -eq 1 ]; then
 				# If /tmp/current_user.txt exists ...
 				if [ -e $current_users_file ]; then
 					# We check if user @IP is in 'current_users.txt'
 					cmp_user_ok=$(cat $current_users_file | grep $active_ip | wc -w)
-					# If this @IP is not in this file, we disconnect this user.
+					# If not we disconnect this user.
 					if [ $cmp_user_ok -eq 0 ]; then
 						logger "alcasar-watchdog $active_ip ($active_mac) can't be contact. Alcasar disconnects the user ($active_user)."
-						echo "Disconnect : $active_ip $active_mac $active_user"
 						/usr/sbin/chilli_query logout $active_mac
 					fi
-					# We clean 'current_users.txt'. Every user need to inform their @IP everytime to prove thier connectivity.
+					# Remove the user's IP from 'current_users.txt'. Every user need to insert their @IP everytime to prove their connectivity.
-					sed -i 'd' $current_users_file
+					sed -i "/^$active_ip/d" $current_users_file
-				else # If /tmp/current_user.txt does not exists we disconnect every users.
+				else # "/tmp/current_user.txt" does not exists. We disconnect every users.
 					logger "Le fichier /tmp/current_users.txt n'existe pas."
 					logger "alcasar-watchdog $active_ip ($active_mac) can't be contact. Alcasar disconnects the user ($active_user)."
-					echo "Disconnect : $active_ip $active_mac $active_user"
 					/usr/sbin/chilli_query logout $active_mac
 				fi
 			fi
-			# process only equipment with an authenticated user
+			# IP usurpation test : process only equipment with an authenticated user
 			if [[ $(expr $active_session) -eq 1 ]]
 			then
 				arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l`
-				# disconnect users whose equipement is usurped (@MAC). For example, if there are 2 same @MAC it will make 3 lines in output.
+				# disconnect users whose equipement is usurped. For example, if there are 2 same @MAC it will make 3 lines in output.
 				if [[ $(expr $arp_reply) -gt 2 ]]
 	       				then
 					echo "$(date "+[%x-%X] : ")alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)." >> /var/Save/security/watchdog.log
 					logger "alcasar-watchdog : $active_ip is usurped ($active_mac). Alcasar disconnect the user ($active_user)."
 					/usr/sbin/chilli_query logout $active_mac
 			fi
 		done
 		;;
 esac
 IFS=$OLDIFS

Subversion Repositories ALCASAR

(root)/scripts/alcasar-watchdog.sh @ 2864 – Rev 2107 → 2108