
Exploitation (operations) documentation - FusionForge de l'ADULLACT


Contents

1. [User manual ALCASAR 2.9, p. 10/37] 3.6 Importing users (ACC menu AUTHENTICATION > Import).
a) From a user database backup: imports a previously saved users database file (SQL format). When you import a database backup, the current database is emptied. Because the current database must be available in case of an inquiry, a backup of it is made automatically before the import (see §7 for how to retrieve that backup).
b) From a text file (.txt): adds users to the current database. The file must contain one user login per line, optionally followed by a password separated by a space. Without a password, ALCASAR generates one randomly. The file can be produced with a spreadsheet: from the Microsoft Office suite, save it in "Text (DOS) (*.txt)" format; from the LibreOffice suite, save it in "Text CSV (*.csv)" format and remove the separators (option "Edit filter settings"). Once the file is imported, ALCASAR creates each new account; if a login already exists, only its password is changed. Two files (.txt and .pdf) listing the login names and passwords are created in the directory /tmp and kept for 24 hours; they can be downloaded from the ACC. [Screenshot: "Import from a text file (.txt)": in this file you must write only the user login, one below the oth…]
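A pre-flight check for such an import file, as an added example (not part of the ALCASAR manual or project code). It models the rules stated above: one login per line, an optional password after a space, a random password for logins given without one, and the fact that an existing login only gets its password replaced, which is worth knowing before uploading. The function name check_import_file(), the password length and the sample lines are assumptions made for this example.

```python
"""Pre-flight check for an ALCASAR "import from a text file" user list.

Added example, not ALCASAR code. It applies the format rules the manual
describes and reports what the import would do before you upload the file.
"""
import secrets
import string

PASSWORD_ALPHABET = string.ascii_letters + string.digits


def random_password(length=8):
    """Random password for a login given without one (length is an assumption)."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def check_import_file(text, existing_logins=frozenset()):
    """Parse the import text and report what the import would do.

    Returns a dict with:
      'accounts'   : list of (login, password) that would be created or updated
      'overwritten': logins that already exist (only their password is replaced)
      'errors'     : (line number, message) for lines the format does not allow
    """
    accounts, overwritten, errors, seen = [], [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                                # blank lines carry nothing
        fields = line.split()
        if len(fields) > 2:
            errors.append((lineno, "more than one space-separated field after the login"))
            continue
        login = fields[0]
        if login in seen:
            errors.append((lineno, "duplicate login %r in the file" % login))
            continue
        seen.add(login)
        password = fields[1] if len(fields) == 2 else random_password()
        if login in existing_logins:
            overwritten.append(login)               # existing account: password replaced
        accounts.append((login, password))
    return {"accounts": accounts, "overwritten": overwritten, "errors": errors}


# Constructed sample: what a spreadsheet exported as "Text (DOS)" might contain.
SAMPLE = "alice s3cretPw\nbob\n\ncarol pw extra\nalice other\n"

if __name__ == "__main__":
    report = check_import_file(SAMPLE, existing_logins={"bob"})
    for login, password in report["accounts"]:
        print(login, password)
    print("password replaced for:", report["overwritten"])
    print("rejected lines:", report["errors"])
```

Run it against the real export with the current login list (from the ACC user search) passed as existing_logins; a non-empty "overwritten" list is the set of accounts whose users will be locked out until they are told their new password.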
2. [Screenshot: AUTHENTICATION menu: Create a user, Edit a user, Create a group, Edit a group, Import, Empty, Exceptions. 3G key panel: "No device detected" / "Your 3G key is connected"; connection at 115200; configuration; signal strength; phone number of the 3G key; PIN password; time for a new session; max number of tries before a permanent ban; duration of a ban; table of banned phone numbers (Phone number, Reason, Expiration date, Action): "No matching records found".]
The phone number must be written in the international pattern xxYYYYYYYYY (xx: country code; YYYYYYYYY: the 9-digit phone number). This number is printed on the user information page (see §8). Be careful: if the PIN code is wrong, the SIM card will be locked; in that case follow the instructions of the technical documentation (alcasar-2.9-technique.odt, §8.2 "Auto-inscription par SMS") to unlock it. A further field gives, in days, how long an account created this way stays valid. An anti-spam policy is implemented: it limits the number of tries allowed per phone number when ALCASAR receives an invalid password (the SMS content must be a single word). If the number of tries is exceeded, the phone n…
3. [p. 24/37] (a) Installing an official certificate, continued.) 4. If your CA uses an intermediate authority certificate: cp root-HACert-bundle.crt certs/server-chain.crt; otherwise: cp certs/alcasar.crt certs/server-chain.crt. 5. Restart the Apache web server with the command service httpd restart. If you have problems, either reverse the instructions of the second line, or regenerate new local certificates with the command alcasar-CA.sh, then restart the Apache web server (service httpd restart).
b) Copying a certificate to several ALCASAR servers. If you run several ALCASAR servers, it can be useful to copy the server certificate from a reference ALCASAR to the others. If you installed an official certificate, run steps 1 to 5 of the previous section on each of the other ALCASAR servers. If the certificate was created during installation, copy the following five files from the reference ALCASAR to the other servers: for the certification authority, /etc/pki/CA/alcasar-ca.crt and /etc/pki/CA/private/alcasar-ca.key; for the server certificate, /etc/pki/tls/certs/alcasar.crt, /etc/pki/tls/certs/server-chain.crt and /etc/pki/tls/private/alcasar.key. Restart the Apache web server on each of them (service httpd restart). The two .key files are private keys: copy them over an authenticated channel (scp over the SSH access described in §7) and keep their owner and mode (root, readable by root only) on the destination.
7.5 Use of an external directory server (LDAP or AD). ALCASAR contains a module able to query an external directory server (LDAP or AD) located e…
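A consistency check of those five files before the Apache restart, as an added example (not ALCASAR project code). It verifies what the copy steps assume: alcasar-ca.crt and alcasar.crt each hold exactly one certificate, server-chain.crt holds only certificates (a private key pasted into the chain would be served to every client), and the two .key files hold a private key and are readable by root only. The paths are those listed above; check_cert_files(), write_sample_set() and the dummy PEM bodies it writes are assumptions made for this example.

```python
"""Consistency check of the ALCASAR certificate files before restarting Apache.

Added example, not part of the ALCASAR manual or project. Paths come from
the manual; the sample PEM files are constructed dummies, not real keys.
"""
import os
import re
import stat
import tempfile

CERT_FILES = {
    "ca_crt": "/etc/pki/CA/alcasar-ca.crt",
    "ca_key": "/etc/pki/CA/private/alcasar-ca.key",
    "srv_crt": "/etc/pki/tls/certs/alcasar.crt",
    "chain": "/etc/pki/tls/certs/server-chain.crt",
    "srv_key": "/etc/pki/tls/private/alcasar.key",
}

# One PEM block: the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(path):
    """Labels of the PEM blocks in a file, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]


def readable_by_others(path):
    """True if group or world have read permission on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def check_cert_files(paths=CERT_FILES):
    """Return the list of problems found; an empty list means the set is consistent."""
    problems = []
    for name in ("ca_crt", "srv_crt"):
        if pem_labels(paths[name]) != ["CERTIFICATE"]:
            problems.append("%s must hold exactly one CERTIFICATE block" % name)
    chain = pem_labels(paths["chain"])
    if not chain or any(label != "CERTIFICATE" for label in chain):
        problems.append("chain must hold only CERTIFICATE blocks")
    for name in ("ca_key", "srv_key"):
        if not any("PRIVATE KEY" in label for label in pem_labels(paths[name])):
            problems.append("%s does not contain a private key" % name)
        if readable_by_others(paths[name]):
            problems.append("%s is readable by group/others" % name)
    return problems


def write_sample_set(directory, bad_chain=False, loose_key=False):
    """Write a constructed file set (dummy PEM bodies, not real keys) for a demo."""
    cert = "-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEdummy\n-----END RSA PRIVATE KEY-----\n"
    contents = {
        "ca_crt": cert,
        "ca_key": key,
        "srv_crt": cert,
        "chain": cert + (key if bad_chain else cert),   # a key in the chain is an error
        "srv_key": key,
    }
    paths = {}
    for name, body in contents.items():
        paths[name] = os.path.join(directory, name + ".pem")
        with open(paths[name], "w") as fh:
            fh.write(body)
        private = name.endswith("_key") and not loose_key
        os.chmod(paths[name], 0o600 if private else 0o644)
    return paths


def demo(**kwargs):
    """Run the check against a throw-away sample set; returns the problem list."""
    with tempfile.TemporaryDirectory() as directory:
        return check_cert_files(write_sample_set(directory, **kwargs))


if __name__ == "__main__":
    print("clean set :", demo())
    print("broken set:", demo(bad_chain=True, loose_key=True))
```

On a real server call check_cert_files() with the default paths as root, on both the reference ALCASAR and each destination, before running service httpd restart.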
4. (8.3 Minor update.) When the installation script is started (sh alcasar.sh --install), it detects your current version and offers to update ALCASAR automatically to the latest available version. Only minor updates can be done this way; if it is impossible, the script asks you to perform a reinstallation. During a minor update the following settings are preserved: the network configuration; the name and logo of the organization; the logins and passwords of the portal's administrative accounts; the users and groups database; the main and secondary blacklists; the trusted sites and MAC address lists; the network filtering configuration; the Certification Authority (CA) certificates and the server certificate.
8.4 ALCASAR major update or reinstallation. Via the ACC, create a backup of the current users database (see §6.2); save this backup file on an external system; install the new operating system and the new version of ALCASAR (see the installation documentation); via the ACC, import the users database (see §3.6a).
[p. 29/37] 9 Troubleshooting. If you have a problem with ALCASAR, this chapter sets out several troubleshooting steps that may indicate the cause. All commands (italic text on a yellow background in the original) must be run in a console as root. 9.1 Network connectivity: retrieve the network information from the file /usr/local/etc/alcasar.conf. Check the network card status: run ip link to know t…
5. (SSH key authentication, continued.) Check the file (cat .ssh/authorized_keys) and log out (exit). Connection test from a Linux host: ssh sysadmin@w.x.y.z. Connection test from a Windows host: load the previously saved PuTTY session; on the left side select Connection > SSH > Auth; click Browse to select the key file; on the left side select Session; click Save, then Open; enter the user sysadmin; the key is recognized and only the passphrase remains to be entered. [Screenshot: PuTTY "Options controlling SSH authentication"; login banner "Bienvenue sur alcasar-rexy-74".]
If you now want to forbid password logins altogether, configure the sshd server: become root (su -) and set the following options in the file /etc/ssh/sshd_config: ChallengeResponseAuthentication no; PasswordAuthentication no; UsePAM no. Restart the sshd server (service sshd restart) and close the SSH session (exit).
[p. 23/37] 7.3 How to display your logo. Click on the logo in the upper right corner of the ACC. Your logo will be inserted in the authentication page and at the top of the pages of your management interface. It must be in PNG format and must not exceed 100 KB. Refresh the page to see the change.
7.4 Server certificate. Data is encrypted between…
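A check that the three sshd_config settings above are actually in force, as an added example (not part of the ALCASAR manual). The detail that matters: sshd keeps the first value it reads for each keyword and ignores later duplicates, so appending "PasswordAuthentication no" at the end of a file that already contains "PasswordAuthentication yes" changes nothing; this check mirrors that rule. Keywords inside a "Match" block apply only to matching connections and are left out of the global result. The two sample configurations and the function names are assumptions made for this example.

```python
"""Check that an sshd_config really disables password logins.

Added example, not ALCASAR code. Mirrors sshd's first-value-wins rule and
ignores everything from the first Match block onwards.
"""

# The three settings the manual tells you to set, with the value expected.
WANTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "usepam": "no",
}


def effective_global_options(config_text):
    """Map lowercase keyword -> first value seen before any Match block."""
    options = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if keyword == "match":
            break                                       # conditional section starts
        options.setdefault(keyword, value)              # first occurrence wins
    return options


def audit_password_login(config_text, wanted=WANTED):
    """Return {keyword: (effective value, ok)} for each setting in `wanted`.

    A keyword that never appears is reported as '<default>' and not ok: the
    manual expects all three to be set explicitly, and the upstream defaults
    for the first two allow password logins.
    """
    options = effective_global_options(config_text)
    report = {}
    for keyword, expected in wanted.items():
        effective = options.get(keyword, "<default>")
        report[keyword] = (effective, effective == expected)
    return report


# Constructed: an admin appended the manual's three lines without noticing the
# earlier "yes", so password logins stay enabled.
SAMPLE_BAD = """\
Port 52222
PasswordAuthentication yes
# --- appended later, per the manual ---
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
"""

# Constructed: the earlier line was edited in place instead; the Match block
# re-enables passwords for one account only and does not affect the global result.
SAMPLE_GOOD = """\
Port 52222
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, audit_password_login(text))
```

On the server itself, sshd -T (run as root) prints the effective configuration and is the authoritative check; this script is for reviewing a copy of the file before it is deployed.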
6. [p. 33/37] (10 Security, physical measures, continued.) ...padlocks, etc.; configure the BIOS so that only the internal hard disk drive is bootable; set a password to access the BIOS setup.
If you set up free-access computers, it may be worth installing products that protect both the privacy of the users and the security of these computers (as on cybercafe computers). These products confine the user in a sealed environment; at the end of the session the user environment is completely cleaned. On Linux you can install xguest, provided natively by the Mageia, Mandriva, Fedora, RedHat and CentOS distributions. [Screenshot: Mageia package installer, package xguest: "Creates xguest user as a locked down user. Installing this package sets up the xguest user to be used as a temporary account to switch to or as a kiosk user account. The user is only allowed to log in via gdm. The home and temporary directories of the user will be polyinstantiated and mounted on tmpfs."] On Windows you can choose one of these non-free products: OpenKiosk, DeepFreeze, SmartShield and Reboot Restore Rx; they snapshot the whole computer and restore it after each reboot. Microsoft used to provide the free "SteadyState" software for XP and Vista; it is no longer supported.
On WiFi access points (AP): enable…
7. (7.7 Encryption of log files, procedure continued.) [Screen: gpg key type prompt: "(1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection?"] Generate the key pair (public key / private key) with gpg --gen-key: choose the algorithm, the size and the lifetime of the keys (no expiration), then a user name and a passphrase. Info: the user name must not contain spaces; it is referred to as <username> in the rest of this procedure.
Stop the entropy generator: killall rngd.
Export the private key: gpg --armor --export-secret-key <username> > alcasar_key.priv. [Screen: ls -al alcasar_key.priv → -rw-r--r-- 1 root root 1858 2009-12-21 00:56 alcasar_key.priv] Copy this file to an external medium and hand it over, together with its passphrase and the user name, to an official of your organization (private key escrow). Info: see the installation documentation for the management of USB media. Note that the mode shown in the listing (-rw-r--r--) makes the exported key readable by every local account; restrict it (chmod 600 alcasar_key.priv) until it has been deleted.
Delete the exported file and remove the private key from the GPG keyring: rm -f alcasar_key.priv; gpg --delete-secret-key <username>. [Screen: gpg (GnuPG) 1.4.9 asks "Remove this key from the keyring? (y/N)" and "This is a secret key! Really delete? (y/N)".] Delete the previously generated keys: rm -f alcasar_key.priv; gpg --d…
8. [Screenshot: result table of search No 1 (client IP address, data volume, login time, logout time, duration), e.g. 192.168.182.10, 400.14 KB, 2009-06-04 13:41:29 → 13:43:45, 2 minutes 16 seconds; 192.168.182.10, 327.07 KB, 2009-06-04 14:50:24 → 15:22:37, 32 minutes 13 seconds; 192.168.182.129, 10.33 MB, 2009-06-04 16:29:46 → 19:15:48, 2 hours 46 minutes 2 seconds; "Max number of results returned", "Send".]
[p. 17/37] Example of search No 2: display the 5 shortest connections during July 2009 for the IP address 192.168.182.129. The display criteria include the cause of disconnection but not the volume of data exchanged. [Screenshot: selection criteria Login-Time ≥ 2009-07-01 and Login-Time < 2009-07-31, Client-IP-Address 192.168.182.147; results, e.g. 192.168.182.147, 2009-07-01 14:07:28 → 14:08:30, 1 minute 2 seconds, User-Request; 192.168.182.147, 2009-07-21 10:57:19 → 10:58:26, 1 minute 7 seconds, Admin-Reset; 192.168.182.147, 2009-07-01 16:21:43 → 16:23:00, 1 minu…]
9. (7.4 Server certificate, continued.) ...between ALCASAR and the devices on the ALCASAR network in the following cases: for users, the authentication request and password changes; for administrators, access to the ACC (ALCASAR Control Center). [Screenshot: ACC "System" panel: canonical hostname alcasar; certificate expiration date May 30 23:59:59 2012 GMT; kernel version 2.6.33.7-desktop586-2mnb SMP; system load 0.00 0.00 0.00.] Encryption uses the TLS protocol with a server certificate and a local Certification Authority (CA) created during the installation. This server certificate is valid for four years; you can check its expiry date on the home page of the ACC. If the server certificate has expired, regenerate it with the command alcasar-CA.sh. The old certificate must be removed from the browsers before the new one is installed.
a) Installing an official certificate. From version 2.0 on, it is possible to install an official intranet certificate issued by a certification authority (CA). Such a certificate avoids the security warning dialog in browsers that have not installed the ALCASAR root certificate (cf. §2.2c). Unlike Internet certificates, which certify a domain name registered at a registrar, an intranet certificate certifies a private IP address or a simple server name (hostname); this is the case of ALCASAR, whose hostname is always "alcasar". Note that public CAs have not issued certificates for internal names or private IP addresses since 2015 (CA/Browser Forum baseline requirements); such a certificate now has to come from your organization's own enterprise CA, whose root the client browsers already trust. To obtain your certificate, follow the instructions given on the site of the cer…
10. (9 Troubleshooting, client side, continued.) ...Thus, even if they change WiFi network, they will try to connect with the parameters of the previous hotspot. This problem is acknowledged by Microsoft, which offers the following solution: manually force the renewal of the IP address with the command ipconfig /renew.
d) Windows clients with static addressing: you must add the DNS suffix "localdomain" (Network configuration > Advanced > DNS).
e) No Internet browsing, but the browser reaches the ALCASAR home page (http://alcasar). This can occur after a complete reinstallation of the portal or after an update that changed the server certificate. Browsers then display the following pages when a website is requested: [Screenshots, translated: Firefox: "Secure connection failed. An error occurred during a connection to 192.168.182.1. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certifica…"; Internet Explorer: "Internet Explorer cannot display this web page. The page you are looking for is currently unavailable. The web site might be experiencing technical difficulties, or you may need to adjust your browser settings. Try the following…"]
11. [Screenshot residue: NfSen graphs of UDP/TCP flows and packets, Tue Dec 17 15:55:00 2013, ports 65533 and 65532, log type, stacked/line display.] SURFmap is a plugin that gives a visual representation of all flows (not only HTTP). Different filters are available in the menu: number of flows, begin and end dates, or only the flows of one IP address (e.g. "src host 123.123.123.123"). Do not enter a huge number of flows: the higher this value, the longer the processing time. The "Auto refresh" checkbox reloads the page every 5 minutes.
5.5 Security report. This page displays three kinds of security information identified by ALCASAR: the list of users disconnected because the MAC address of their device was spoofed; the list of malware intercepted by the integrated antivirus; the list of IP addresses banned for 5′ by the intrusion detection system. The reasons for a ban can be: 3 successive SSH connection failures; 5 successive connection failures on the ACC; 5 successive login failures for a user; 5 successive password-change attempts in less than one minute. [Screenshot: "MAC addresses" alerts: alcasar-watchdog: 172.16.0.10 is usurped (54:04:A6:1E:F7:DB). Alcasar disconnect the user.]
12. [Screenshots (French dialogs, translated): installing the ALCASAR root certificate in Internet Explorer: file download "certificat_alcasar_ca.cer" (security certificate, 1.41 KB; "This program will be opened outside Internet Explorer protected mode"; "Files downloaded from the Internet can be useful, but this file type can potentially harm your computer"; Open / Save / Cancel); certificate properties: issued by ALCASAR-local-CA, valid from 20/03/2011 to 19/03/2015, "This CA root certificate is not trusted"; certificate import wizard: "Windows can automatically select a certificate store, or you can specify a location for the certificate" / "Place all certificates in the following store": Trusted Root Certification Authorities.] Steps: 1. click Open; 2. click Authorize; 3. click Install certificate; 4. choose the store "Trusted Root Certification Authorities".
13. [Screenshots of user management (French UI, translated): user list (dupont / DUPONT, Loïc, paul, paulette, paulo); user attributes: monthly time limit, weekly period Wk0800-1700, expiration date 20 June 2009, "the group the user belongs to is highlighted"; "Delete user paulette: are you sure you want to delete user paulette?"; "Connection status for paulo"; "Close open sessions for user dupont: the user has been online since 2009-01-06 22:58:30; user dupont has 1 open session (00:01:26) on alcasar-rexy (192.168.182.1), client MAC address 08:00:27:E7:EA:89; the user can log in for unlimited sessions"; full user description; accounting table with columns logged in / session time / upload / download / server / terminate cause / caller id, e.g. 2007-12-26 14:11:02, 17 minutes 13 seconds, 0.65 MB, 7.65 MB, Check-Password, 00:0D:56:85:25:0F; 2007-12-03 15:07:29, 10 minutes 31 seconds, 457.71 KB, 2.93 MB, 00:0D:56:D9:B5:9B; 2007-12-03 13:55:50, 23 minutes 20 seconds, 1.31 MB, 7.63 MB, User-Request, 00:0D:56:D9:B5:9B; totals for the period 2007-12-03 to 2008-05-11.]
14. ...more explanations of the blacklist/whitelist and antivirus filtering system. [Help pop-up, French and English: "This attribute defines the maximum number of simultaneous sessions a user can open (empty = unlimited)." / "This attribute defines the maximum number of concurrent logins for a user. It is independent from the number of ports the user is allowed to open in a multilink session. Close window. For assistance click on the attribute's name."]
[p. 8/37] 3.3 Editing and removing a group. [Screenshot: group "classroom"; "Remove all members of this group"; "Are you sure to remove classroom? Yes, remove"; "Members to add (separate the members with a space or a carriage return)".]
3.4 Creating users. [Screenshot: creation form: username and password, group (the group list is empty), surname and name, e-mail address, filtering: none, voucher language: Français.] When an attribute is defined both for a user and for his group (for example the maximum time for a session), the user attribute takes precedence over the group attribute. When a user is a member of several groups, you can set his primary group in the user attributes window (see next). When an attribute prevents a user from logging in, a message is displayed in his login window (see the user sheet at the end of this manual). The surname, name and e-mail address fields are not used. [Screenshot: "TICKET D'ACCÈS INT…" (Internet access voucher)]
15. (10 Security, open networks, continued.) ...the client isolation option (also called wireless isolation). It prevents a user connected to an access point from communicating with another user connected to the same access point: they can only reach the Internet through ALCASAR. [Screenshot: access point configuration: region Europe; 2.4 GHz wireless network; enable isolation; enable SSID broadcast; SSID "IUT Nantes"; channel automatic; security options: WPA2-PSK [AES].] Enable WPA2 Personal encryption (also known as WPA2-PSK). It stops anyone who does not hold the key from listening to the WiFi traffic; note, however, that a user who knows the shared key and captures another client's association handshake can decrypt that client's traffic, so a shared key does not isolate users from each other (that is what client isolation and ALCASAR's own TLS are for). You can choose a simple WPA2 key, such as your organization's name. On the switches of wired Ethernet networks, enable DHCP snooping on the ALCASAR port and on the inter-switch ports; this prevents rogue (fake) DHCP servers.
b) Controlled networks. On these networks, the stations must be protected by physical measures ensuring their integrity, and physical access to the consultation network must be secured as follows: disconnect unused network jacks; on WiFi hotspots, hide the network name (SSID; this only removes it from beacons, it remains visible in probe and association frames) and enable WPA2 Personal encryption with a strong key; on Ethernet switches, enable the port lock function ("Port Security") to bind the MAC addresses of the devices to the physical ports of the switches, and enable DHCP snooping on the port used by ALCASAR and on the inter-switch ports to prevent fake DHC…
16. (4.1 a) Updating the list, continued.) ...updating the blacklist downloads the latest version of the University of Toulouse (France) list and installs it. Once the file is downloaded, ALCASAR computes and displays its fingerprint. Compare this fingerprint with the one published on the university's website (dsi.ut-capitole.fr/blacklists/download/MD5SUM.LST); if the two are identical, confirm the update, otherwise discard it. [Screenshot: "List version: January 05 2013"; "Download the latest version (estimated time: one minute)"; "The digital fingerprint of the downloaded blacklist is 498704ed81…7e4c40f20888a96a18371. Verify it with this link: blacklists.tar.gz / MD5SUM.LST"; "Activate the new version (estimated time: one minute)".] The fingerprint is an MD5 sum published on the same site as the archive: it catches a corrupted or truncated download, but it does not authenticate the publisher.
b) Editing the blacklist. [Screenshot: some redirector sites, which are used to circumvent filtering; number of filtered domain names 84482; BlackList: domain names 1248186, URLs 54296, IPs 214557.] You can choose the categories to filter, and rehabilitate or add sites in the blacklist. By clicking on a category name you display its definition and the number of domain names, URLs and IP addresses it contains; by clicking on one of these numbers you display the first 10 entries. You can rehabilitate domain names or IP addresses. You can add domain names or IP addresses directly in the ACC or by importing a text file (one…
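The fingerprint comparison done by hand, as an added example (not ALCASAR code): it streams the archive through MD5, picks the digest for blacklists.tar.gz out of an md5sum-style MD5SUM.LST and compares the two in constant time. The archive bytes and the MD5SUM.LST line are constructed here; the function names are assumptions made for this example. As the text notes, a matching MD5 shows the download is the file the site published, not who published it.

```python
"""Verify the fingerprint of a downloaded blacklist archive.

Added example, not ALCASAR code. Compares a local archive with the digest
listed in an md5sum-style MD5SUM.LST; both inputs here are constructed.
"""
import hashlib
import hmac
import io
import tarfile


def md5_of_stream(fileobj, chunk_size=1 << 20):
    """Streamed MD5 hex digest, so a multi-megabyte archive is not read at once."""
    digest = hashlib.md5()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def published_md5(md5sum_lst_text, filename):
    """Digest listed for `filename` in md5sum-style text ("<hex>  <name>")."""
    for line in md5sum_lst_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:   # "*name" = binary mode
            return parts[0].lower()
    raise KeyError("%s not listed in MD5SUM.LST" % filename)


def fingerprint_matches(fileobj, md5sum_lst_text, filename="blacklists.tar.gz"):
    """True when the archive's MD5 equals the published one (constant-time compare)."""
    return hmac.compare_digest(md5_of_stream(fileobj),
                               published_md5(md5sum_lst_text, filename))


def build_sample_archive():
    """Constructed stand-in for blacklists.tar.gz: one category, two entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"www.example-redirector.test\n203.0.113.9\n"
        info = tarfile.TarInfo("blacklists/redirector/domains")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo(tamper=False):
    """Build the sample archive and its MD5SUM.LST line; optionally flip one byte."""
    archive = build_sample_archive()
    md5sum_lst = "%s  blacklists.tar.gz\n" % hashlib.md5(archive).hexdigest()
    if tamper:
        archive = archive[:-1] + bytes([archive[-1] ^ 0x01])
    return fingerprint_matches(io.BytesIO(archive), md5sum_lst)


if __name__ == "__main__":
    print("intact download :", demo())             # True
    print("altered download:", demo(tamper=True))  # False
```

With the real files: open the downloaded blacklists.tar.gz in binary mode and pass the text of MD5SUM.LST fetched from the university site to fingerprint_matches().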
17. (4 Filtering, continued.) ...viruses, worms, phishing, etc. The antivirus filter can be combined with the previous one; it is enabled per user, and its signatures are updated every 4 hours. [Screenshot: filtering selector: Blacklist / Antivirus.] Domain names, URLs and IP addresses are referenced in two lists. Either you operate a whitelist: the filtered users of that list can only access the sites and IP addresses of the whitelist. Or you operate a blacklist: the filtered users of that list can access all sites and IP addresses except those of the blacklist. On ALCASAR this filter applies to all network protocols: for example, if the domain name warez.com is blocked, it is blocked for every protocol (HTTP, HTTPS, FTP, etc.). ALCASAR uses the excellent black/white list drawn up by the University of Toulouse (France). This list was chosen because it is distributed under a free license (Creative Commons) and its content is relevant to France. In that list, domain names (e.g. www.domaine.org), URLs (e.g. www.domaine.org/rubrique1/page2.html) and IP addresses (e.g. 67.251.111.10) are classified by category (games, astrology, violence, sects, etc.). The ACC allows you to: update that list and define the categories of sites to block or allow; rehabilitate a blocked site (e.g. a banned site that was closed and bought by new owners); add sites, URLs or IP addresses that are not in the list (CERT alerts, local directives, etc.).
4.1 Blacklist and whitelist. a) Updating the list. The…
18. (IDS, continued.) [Log excerpt: 2013-09-25 11:52:51,640 fail2ban.actions: WARNING [ssh-iptables] Ban 172.16.0.12 / 2013-09-25 12:02:52,370 fail2ban.actions: WARNING [ssh-iptables] Unban 172.16.0.12] To unban an IP address blocked by the IDS: iptables -D fail2ban-SSH -s 172.16.0.12 -j ULOG --ulog-prefix "Fail2Ban DROP".
6 Backup. 6.1 Connection logs. The Backup menu of the ACC displays, in the first column, the list of traceability files containing the users' activity logs. [Screenshot: archive-20140103-18h59.tar.gz (1.82 MB), archive-20131216-05h35.tar.gz (572.83 KB), archive-20131209-05h35.tar.gz (1572.07 KB), archive-20131202-05h35.tar.gz (761.29 KB), archive-20131125-05h35.tar.gz (931.33 KB), archive-20131118-05h35.tar.gz (732.16 KB), archive-20131111-05h35.tar.gz (1.36 MB), archive-20131104-05h35.tar.gz (787.9 KB), archive-20131028-05h35.tar.gz (848.86 KB), archive-20131021-05h35.tar.gz (938.89 KB), archive-20131014-05h35.tar.gz (643.25 KB), archive-20131007-05h35.tar.gz (588.05 KB).] To save one of them on another medium, right-click on the file name and choose "Save target as". These files are generated automatically once a week in the directory /var/Save/archive; files older than one year are deleted. In case of a legal inquiry: law enforcement officials may ask for the connection logs of your users. Give them the activity file of the week of the offence. If they ask for the files of the current week, create this file via t…
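The security report of §5.5 (item 11) rebuilt from raw log lines, as an added example (not ALCASAR code) that serves both that section and the fail2ban excerpt above. It reads fail2ban "Ban"/"Unban" actions, to list the addresses currently banned by the IDS and how long each ban lasted, and alcasar-watchdog "is usurped" alerts, to list the devices disconnected for MAC address spoofing. The sample lines are constructed after those reproduced in the manual; the jail name "alcasar-acc" and the exact punctuation around the MAC address are assumptions, and other ALCASAR versions may log in a different format.

```python
"""Rebuild the ALCASAR security report from raw log lines.

Added example, not ALCASAR code. Sample lines are constructed after the
manual's excerpts; the jail name "alcasar-acc" is an assumption.
"""
import re
from datetime import datetime

FAIL2BAN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions:\s+WARNING\s+"
    r"\[(?P<jail>[\w-]+)\]\s+(?P<action>Ban|Unban)\s+(?P<ip>\d+(?:\.\d+){3})"
)
# Tolerates whatever punctuation surrounds the MAC after "is usurped".
WATCHDOG = re.compile(
    r"alcasar-watchdog:\s+(?P<ip>\d+(?:\.\d+){3}) is usurped\D*?"
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
)


def parse_security_events(lines):
    """Return (bans, spoofs).

    bans  : dict ip -> {'jail', 'banned_at', 'unbanned_at' (None while banned)}
    spoofs: list of (ip, mac) for each watchdog alert, in log order
    """
    bans, spoofs = {}, []
    for line in lines:
        m = FAIL2BAN.search(line)
        if m:
            when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            ip = m.group("ip")
            if m.group("action") == "Ban":
                bans[ip] = {"jail": m.group("jail"), "banned_at": when, "unbanned_at": None}
            elif ip in bans:
                bans[ip]["unbanned_at"] = when
            continue
        m = WATCHDOG.search(line)
        if m:
            spoofs.append((m.group("ip"), m.group("mac").upper()))
    return bans, spoofs


def currently_banned(bans):
    """Addresses whose last Ban has no matching Unban yet, sorted."""
    return sorted(ip for ip, ban in bans.items() if ban["unbanned_at"] is None)


def ban_duration_seconds(bans, ip):
    """Seconds between Ban and Unban, or None if the address is still banned."""
    ban = bans[ip]
    if ban["unbanned_at"] is None:
        return None
    return int((ban["unbanned_at"] - ban["banned_at"]).total_seconds())


# Constructed sample, modelled on the lines reproduced in the manual.
SAMPLE_LOG = [
    "2013-09-25 11:52:51,640 fail2ban.actions: WARNING [ssh-iptables] Ban 172.16.0.12",
    "Sep 25 11:58:02 alcasar alcasar-watchdog: 172.16.0.10 is usurped (54:04:A6:1E:F7:DB). Alcasar disconnect the user",
    "2013-09-25 12:02:52,370 fail2ban.actions: WARNING [ssh-iptables] Unban 172.16.0.12",
    "2013-09-25 12:10:03,001 fail2ban.actions: WARNING [alcasar-acc] Ban 172.16.0.20",
    "Sep 25 12:11:40 alcasar kernel: unrelated line that must be ignored",
]

if __name__ == "__main__":
    bans, spoofs = parse_security_events(SAMPLE_LOG)
    print("still banned :", currently_banned(bans))
    print("ban of 172.16.0.12 lasted", ban_duration_seconds(bans, "172.16.0.12"), "s")
    print("MAC spoofing :", spoofs)
```

The measured ban length (here 601 s) is worth comparing with the ban time the page announces for the IDS; a mismatch means fail2ban's jail configuration, not the manual, is what to trust.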
19. [Screenshot residue: NfSen "Details" graphs (flows per protocol, Mon Dec 16 09:45:00 2013, profile "live", source ipt_netflow).] The Details menu allows you to zoom in on a particular time slot. For HTTP flows, the network IP addresses are hidden and replaced with the IP address of ALCASAR. The Plugins menu shows the network traffic by protocol and port (PortTracker): you can see the protocols currently in use, or all protocols used during the last 24 hours. [Screenshot: "Netflow processing": source filter "All sources", command nfdump -M /var/log/nfsen/profiles-data/live/ipt_netflow -T …, Top 10 destination ports ordered by bytes, flows starting 2013-12-16 between 09:44 and 10:39.]
20. [Screenshot residue: Access Server user list, sorted by connection number, ascending.]
5.2 Connection status of users. This page lists the login and logout events of the portal. An input box lets you specify search and display criteria; with no search criteria, the chronological list of connections since the installation of the portal is displayed. Please note that the volume of data exchanged is counted from ALCASAR's point of view: "upload" is what ALCASAR sent to the user and "download" is what it received from the user. [Screenshot: display attributes (Accounting Stop Delay, AcctAuthentic, CalledStationId, Caller Id, Client IP Address, …); sort by Accounting Id; max number of results returned: 40; Send.] Example of search No 1: display, in chronological order, the connections established between June 1 and June 15, 2009, with the default display criteria (selection: Login-Time > 2009-06-01, Login-Time < 2009-06-15). [Screenshot: connection log results, e.g. 192.168.182.10, 443.61 KB, 2009-05-29 11:19:54 → 11:32:34, 12 minutes 40 seconds; 192.168.182.22, 1.66 MB, 2009-06-03 18:24:20 → 18:44:20, 20 minutes; 192.168.182.129, 46.12 MB, 2009-06-03 18:58:23 → 2009-06-04 09:39:01, 14 hours 40 minutes 38 seconds; 192.168.182.10, 381.81 KB, 2009-06-04 12:58:10 → …]
21. [Screenshot residue: nfdump output for 2013-12-16 (nfcapd.201312160945): summary total flows 58436, total bytes 61.8 M, total packets 739076, time window from 2013-12-16 09:44:48; Top 10 destination ports ordered by bytes: port 80 (50589 flows, 86.6 %; 730755 packets, 98.9 %; 61.3 M bytes, 99.2 %), port 443 (5180 flows, 8.9 %; 5217 packets, 0.7 %; 322601 bytes, 0.5 %), then ports 21592, 1030, 27019, 60225, 27017, 27018, 993 and 21 with under 0.1 % of bytes each; processing statistics: total flows processed 58436, blocks skipped 0, bytes read 3049352; PortTracker graphs of TCP packets, bytes and flows over 2 days (Sun Dec 15 15:55:00 2013), linear Y axis, top 5 ports 80, 443 and 9418.]
22. (2 Network configuration, client parameters, continued.) ...192.168.182.1 (ALCASAR IP address); DNS suffix: localdomain (this suffix must be set in the static address settings of the client device); default gateway IP address: 192.168.182.1 (ALCASAR IP address); network mask: 255.255.255.0.
[p. 4/37] 2.1 ALCASAR settings. You can change the ALCASAR network settings in the System > Network menu. a) IP configuration. [Screenshot: eth0, Internet-connected interface: public IP address 192.168.0.1/24, gateway 192.168.0.254, DNS1, DNS2; eth1, private network: IP address 192.168.182.1/24.] Currently these parameters cannot be modified directly in the ACC. Nevertheless you can change them in a text console by editing the file /usr/local/etc/alcasar.conf; once the modifications are made, apply them with the command line alcas… [Screenshot: DHCP service, current mode: enabled; "Apply changes"; "Before disabling the DHCP server you must write the external DHCP parameters in the config file (see documentation)"; static IP address reservation: MAC address (example 12:2f:36:a4:df:43), IP address (example 192.168.182.10), delete from list.] The DHCP (Dynamic Host Configuration Protocol) server provides IP settings to the client devices connected to the network. You can reserve IP addresses for devices that need a fixed address (servers, printers, WiFi access poin…
23. (Network parameters for devices, continued.) ...192.168.182.1; the DNS suffix: localdomain; the IP address of the DNS server: the internal IP address of ALCASAR (default 192.168.182.1); the IP address of the time server (NTP): the internal IP address of ALCASAR (default 192.168.182.1) or the domain controller. To avoid time drift, synchronize the server clock with a trusted NTP server on the Internet or with the ALCASAR server.
[p. 26/37] 7.7 Encryption of log files. ALCASAR can automatically encrypt the weekly log files (cf. §7.1). For this it uses GPG asymmetric encryption (public key / private key). By handing the private key to an official of your organization, you prevent the administrators from being accused of modifying the log files; in case of an inquiry, simply provide the log files and the private key for decryption. The procedure for activating the encryption is the following (the original presents it as a table: screenshot / comments / to do).
Log on as root. [Screen: "Bienvenue sur alcasar-rexy; Kernel 2.6.27-37-desktop-1mnb on an i686 / tty1; alcasar-rexy login: root; Password; Last login: Sun Dec 28 19:12:49 on tty1".] Start the entropy generator: rngd -r /dev/urandom. (Feeding rngd from /dev/urandom only keeps gpg from blocking while it waits for entropy; it adds no real randomness to the kernel pool. On a machine with a hardware random source, point rngd at that device instead.) Run gpg --gen-key. [Screen: "gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) DSA and Elgamal…"]
24. [p. 21/37] b) Administration of ALCASAR in text mode. You can log in remotely to ALCASAR with the Linux "sysadmin" account created during the installation of the system. Once logged in, you can use the ALCASAR administration commands (see §11.1); use the su command to become root. On Linux, install openssh-client (you can also install PuTTY) and run ssh -p 52222 sysadmin@w.x.y.z, replacing w.x.y.z with the public IP address of the broadband modem/router and the port (52222 in our example) with the external port on which the modem/router listens. You can add the -C option to enable compression. On Windows, install PuTTY (or PuTTY portable, or KiTTY) and create a new session. [Screenshot: PuTTY configuration, Session category: host name 85.85.35.85, port 52222, connection type SSH, saved session "acces portail captif"; Load / Save / Delete; "Close window on exit: only on clean exit".]
25. [Screenshots (French, translated) of client network configuration on Windows ("Internet Protocol Version 4 (TCP/IPv4)" properties) and on Linux (network centre dialog): obtain an IP address automatically (DHCP), or manual configuration: IP address 192.168.182.10, subnet mask 255.255.255.0, default gateway 192.168.182.1, preferred DNS server 192.168.182.1, DNS suffix for this connection: localdomain; Linux-side options: get DNS servers / YP servers / NTPD servers from the DHCP server, DHCP timeout in seconds, DHCP host name, start the connection at boot, allow users to manage the connection, enable network statistics, MTU, IPv6-over-IPv4 tunnel, network hotplugging.]
[Screenshot: creation of a user "Alex" with a randomly generated password, total allowed duration 1H, unlimited session duration, unlimited daily duration and expiration date 04/07/2012; the same form has a field "Enter the number of users to create"]

If an expiration date is enabled, the user is automatically deleted one week after this date. When a user is deleted from the database, his connection logs are kept so that his connections can still be imputed to him.

3.5 Searching and editing users

You can search users with several criteria (login name, attributes, etc.). If you leave the criteria field blank, all users are listed. The attributes available in the search filter are:

- Expiration date
- Maximum time of connection, in seconds
- Maximum time for a session, in seconds
- Maximum time of connection per day, in seconds
- Maximum time of connection per month, in seconds
- Number of concurrent logins
- Weekly period
- Maximum data uploaded, in bytes
- Maximum data downloaded, in bytes
- Maximum data exchanged, in bytes
- Maximum upload bandwidth, in kbit/s
- Maximum download bandwidth, in kbit/s
- Redirection URL

The result is a list of the users matching your search criteria. Each user's toolbar includes the following functions: personal information page, preferences, ...
[...] Internet Explorer 8 and Safari.

Google Chrome: Google Chrome saves the certificate locally (certificat_alcasar_ca.crt). Select "Preferences" in the configuration menu, then "Advanced options", then "Manage certificates", and then "Import" in the "Authorities" tab.

You can avoid this manipulation either by buying and installing in ALCASAR an official certificate known by all web browsers (see §8.4), or by disabling the encryption of the authentication flow with the script alcasar-https.sh {on|off}. Disable the encryption only if you fully control your ALCASAR network (see §11): without it, user credentials cross the consultation network in clear text (see §10).

d) Network configuration in static mode

For devices configured with a static address (servers, printers, WIFI access points, etc.), the required parameters are the following:

- default gateway: IP address of the eth1 network interface of ALCASAR
- DNS server: IP address of the eth1 network interface of ALCASAR
- DNS suffix: localdomain

[Screenshot: Windows "Internet Protocol version 4 (TCP/IPv4) properties" dialog and Linux network settings for an Intel 82540EM Gigabit Ethernet adapter, both with manual IP assignment]
d) Whitelist

[Screenshot: whitelist page showing 9087 domain names, 0 URLs and 0 IP addresses; a list of categories to allow (e.g. sexual education); fields to add allowed IP addresses (one per row, e.g. 123.123.123.123, or a network address such as 123.123.0.0/16) and allowed domain names (one per row, e.g. domain.org); a "Save changes" button]

As for the blacklist, you can select categories and add your own domain names and IP addresses.

Note: liste_bu is a category used by French students (BU = bibliothèque universitaire, university library). This category contains a lot of useful websites validated by teachers and learning teams.

4.2 Protocol filtering

When this filter is not enabled, a logged-in user can use any protocol: Internet access is unrestricted. All the actions of logged-in users are traced and recorded regardless of the protocol used.

When the filter module is enabled, only the HTTP protocol (port 80) is allowed by default; all other protocols are blocked. Note that this default does not include HTTPS (port 443): add it if your users need it. From this restrictive mode you can enable, one by one, the network protocols you want to allow. A list of standard protocols is presented by default; you can enrich it. ICMP, for example, is used by the ping command.

[Screenshot: "The network protocol filter is currently enabled. Except for the WEB port (80), all protocols are blocked. Choose in the list below the protocols you ..."]
[...] servers.

Devices should incorporate several security features such as locking the BIOS setup, locking the desktop configuration, an antivirus, automatic update of security patches, etc. To facilitate the downloading of security patches or antivirus updates (cf. §4.7), ALCASAR can authorize devices to connect automatically, without authentication, to specifically identified sites. Make your users aware of these two security rules:

- the password must be changed;
- credentials must remain confidential: each user is responsible for any session opened with his credentials, even by a friend.

11 Annexes

11.1 Useful commands and files

The administration of ALCASAR can be done from a command-line interface as root. All these commands (shell scripts) begin with "alcasar-" and are located in the directories /usr/local/bin and /usr/local/sbin. Some of them rely on the central configuration file of ALCASAR, /usr/local/etc/alcasar.conf. The -h argument lists the available command-line arguments of each script.

- alcasar-bl.sh {on|off}: enables/disables the domain name and URL filtering
  - download: downloads and applies the latest version of the BlackList (BL)
  - adapt: adapts the BL to the ALCASAR architecture
  - reload: activates the freshly downloaded BL
- alcasar-bypass.sh {on|off}: enables/disables the BYPASS mode
- alcasar-CA.sh: creates a local CA and server certificate. Requires restarting
Security of Information and Communication Systems

USER MANUAL

This document describes how to administer ALCASAR with the ALCASAR Control Center (ACC) or by using Linux command lines.

Project: ALCASAR
Authors: Rexy and 3abtux, with the support of the ALCASAR team
Thanks to the main translator: Clément
Object: User manual
Version: 2.9
Keywords: captive portal, access control, accountability, traceability, authentication
Date: March 2015

Table of contents [entries not legible in this copy]
[Screenshot: PuTTYgen, "Save the generated key" (Save public key / Save private key); parameters: type of key to generate SSH-2 RSA, number of bits in a generated key 2048]

- On Linux, with ssh-keygen: in your home directory, create the directory .ssh if it does not exist. From this directory, generate your public/private key pair (choose a passphrase when prompted): ssh-keygen -t rsa -b 2048 -f id_rsa. The command cat id_rsa.pub displays your public key and allows you to copy it:

cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2E... (your public key, one long line ending with a comment)

- Copy the public key to the remote server:
  - run the following command to copy your public key directly to the remote server: ssh-copy-id -i .ssh/id_rsa.pub sysadmin@<IP_interne_consultation>. Enter your password: your public key is copied into ~sysadmin/.ssh/authorized_keys automatically, with the correct permissions. If you go through broadband modem/router 2 on the external port, add -p 52222 to this command.
  - Another method: log on through SSH to the remote ALCASAR as sysadmin and execute the following commands: mkdir .ssh, then cat > .ssh/authorized_keys, paste the contents of the public key (Ctrl+V on Windows, middle mouse button on Linux), type Enter then Ctrl+D; finally protect the directory (chmod 700 .ssh) and the key file (chmod 600 .ssh/authorized_keys).
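The "another method" above ends with two chmod commands that are easy to forget, and running it twice appends the same key twice. The following script is an added example, not part of the ALCASAR manual: it performs the same installation idempotently and returns the resulting permissions so they can be checked. The public key line is a constructed placeholder and the home directory is a temporary one, so the script runs anywhere.

```sh
#!/bin/sh
# Added example (not from the ALCASAR manual): install a public key into a
# sysadmin-style ~/.ssh/authorized_keys without duplicates and with the
# permissions sshd expects (700 on .ssh, 600 on authorized_keys).
# SAMPLE_PUBKEY is constructed placeholder material, not a real key.

SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example0key0material0only== admin@workstation'

# perm_of PATH -> octal permission bits (GNU stat, BSD stat as fallback)
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey HOMEDIR PUBKEY_LINE
# Appends PUBKEY_LINE to HOMEDIR/.ssh/authorized_keys unless it is already
# there, then (re)applies the permissions. Returns 0 on success.
install_pubkey() {
  home=$1; key=$2
  sshdir="$home/.ssh"; akf="$sshdir/authorized_keys"
  mkdir -p "$sshdir" || return 1
  touch "$akf" || return 1
  # -x: whole-line match, -F: literal (key material contains '+' and '/')
  if ! grep -qxF -- "$key" "$akf"; then
    printf '%s\n' "$key" >> "$akf"
  fi
  chmod 700 "$sshdir" && chmod 600 "$akf"
}

# key_count HOMEDIR PUBKEY_LINE -> number of times the key is present
key_count() {
  grep -cxF -- "$2" "$1/.ssh/authorized_keys"
}

# Demo in a throwaway directory: the second run must not add a second line.
demo_home=$(mktemp -d)
install_pubkey "$demo_home" "$SAMPLE_PUBKEY"
install_pubkey "$demo_home" "$SAMPLE_PUBKEY"
echo "keys: $(key_count "$demo_home" "$SAMPLE_PUBKEY"), .ssh=$(perm_of "$demo_home/.ssh"), authorized_keys=$(perm_of "$demo_home/.ssh/authorized_keys")"
```

The whole-line literal match is what keeps the file clean when an administrator re-runs the script from several workstations; a partial match on the key comment would not be enough, since two different keys can carry the same comment.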
[Screenshot: the "user info" menu, in which information such as the MAC address of a device can be recorded]

To have more information on a MAC address, you can add user information in the "user info" menu, as in the screenshot. To be taken into account immediately, the chilli service must be restarted (see §9.3).

3.9 Auto-registration via SMS

a) Purpose, principle and prerequisites

The objective of this module is to offer users a self-registration while respecting the legal requirements. To work, this module requires a GSM modem (also called a "3g key") and a subscription with a mobile operator.

How does it work? A user who wants an ALCASAR account in order to access the Internet sends a simple SMS to the number of the ALCASAR 3g key. The content of the SMS is the password, and the phone number of the user is the login. When the SMS is received by ALCASAR, the account is created.

During our tests, the following 3g keys were used:

- Huawei E180: about 30 €, USB connectivity, USB powered, small issue with the Huawei firmware, configuration at19200
- Wavecom Fastrack Supreme 10: about 60 €, RS-232 connectivity (with an RS-232/USB adapter), mains powered, no issues, configuration at115200
- Wavecom Q2303A Module USB: USB connectivity, USB powered, no issues, configuration at9600

b) Enable the service
- protection against credential theft: the authentication flow between user devices and ALCASAR is encrypted. Passwords are stored encrypted in the database.
- protection against forgetting to log out: the "time limit of one session" attribute (cf. §4.1) allows a user to be disconnected automatically after a preset time.
- protection against failures (network or user devices): devices that do not respond for 6 minutes are automatically disconnected.
- protection against session hijacking by spoofing network settings: this spoofing technique exploits weaknesses of the Ethernet and WIFI protocols. To reduce this risk, ALCASAR incorporates an auto-protection process which runs every 3 minutes (alcasar-watchdog.sh); a hijacked session can therefore survive for up to 3 minutes before it is cut.
- protection of the bootloader (GRUB) of the portal with a password. This password is stored in the file /root/ALCASAR-passwords.txt.

The mere presence of ALCASAR does not guarantee absolute security against all threats, including the internal threat (a hacker on the ALCASAR network). In most cases this threat remains very low. Without being paranoid, if you really need high security, the following measures can improve the overall security of your system.

10.1 On ALCASAR

- Choose a strong root password (you can change it by running the command passwd).
- Protect your ALCASAR server and the ISP's equipment to prevent unauthorized access, theft, or the installation of equipment between the modem and ALCASAR (locked premises).
[...] domain, or one address per line.

Info: if you want to test site filtering or site restoring, remember to clear the cache memory of the browsers.

c) Special blacklist filtering

The blacklist has two special filters available for the HTTP protocol.

[Screenshot: checkboxes "Block URLs containing an IP address instead of a domain name (e.g. http://<IP address>/index.htm)" and "Enable school/parental control for the search engines Google, Yahoo, Bing and Metacrawler, and for YouTube (enter your YouTube ID here)"]

The first one blocks URLs containing an IP address instead of a domain name.

The second one excludes from search engine results those that may not be suitable for minors ("safe search" function). This second filter is compatible with Google, Yahoo, Bing and Metacrawler. It works only on HTTP requests, so a search made over HTTPS is not affected by it. It works with YouTube only if you get a YouTube ID. For that, visit http://www.youtube.com/education_signup; once your YouTube account is created, copy the ID into the ACC and save the changes.

[Screenshot: YouTube instructions, "Option A: add a new HTTP header rule. Modify your hardware filter or proxy server settings so that all outgoing traffic to youtube.com contains the following custom HTTP header. The ID to use in the HTTP header configuration below is specific to your school's network; if your school is filtered at district level, the ID is specific to the district's network."]
[Screenshot caption: Windows Seven / Mandriva & Mageia Linux]

- Time synchronization: ALCASAR includes a network time server (NTP) allowing you to synchronize the devices connected to the ALCASAR network. On Windows or on Linux, you can define the ALCASAR server as the time server by right-clicking on the desktop clock. Enter "alcasar" on Linux and "alcasar.localdomain" on Windows.

[Screenshot: NTP settings dialogs ("Network Time Protocol: your computer can synchronize its clock with a remote server via NTP", server alcasar.localdomain, time zone Europe/Paris; "The clock was synchronized with alcasar.localdomain on 28/09/2011 at 13:21")]

Note: all NTP flows from the consultation network are redirected to ALCASAR.

3 Managing users and their devices

The user management interface is available in the menu AUTHENTICATION. You can:

- create, search, modify and remove a user or a user group;
- import user names from a text file or from a user database backup;
- empty the user database;
- display the network activity and disconnect a user;
- define ...
[...] failure, or ISP network failure. The following pages are displayed:

- ACCESS DENIED: "Access to the page has been denied. Requested web site: www.warez.com, category: warez. You are trying to connect to a resource whose content is deemed to contain inappropriate information."
- ACCESS UNAVAILABLE: "Requested web site: www.google.fr, category: liste_bu. Your portal has just detected that the Internet access is down."
- Antivirus block page: "... because the following virus was detected: ClamAV Eicar-Test-Signature."
[...] server srv.ad.brock.net. Restart the dnsmasq service to take your changes into account: service dnsmasq restart (or systemctl restart dnsmasq).

Reminder: the DNS suffix "localdomain" of static IP devices is mandatory. So computers integrated into a Windows domain, whether in static IP address mode or in DHCP mode, must have their primary DNS suffix configured with the Windows domain name and, in addition, with the suffix "localdomain".

b) Using an external DHCP server

With an external DHCP server, ALCASAR must no longer assign network settings: this task is carried out by the external DHCP server. To do this, ALCASAR acts as a relay agent so that IP addresses can be assigned by that server. It is necessary to stop the ALCASAR DHCP server in the ACC (System > Network, "No DHCP" mode) and to set the following variables of the configuration file /usr/local/etc/alcasar.conf to describe the external server:

EXT_DHCP_IP=<IP_srv_external>
RELAY_DHCP_IP=<IP_internal_ALCASAR>
RELAY_DHCP_PORT=<relay port to the external DHCP server> (default: 67)

The external DHCP server must be configured to provide devices with a range of IP addresses corresponding to the range allowed by ALCASAR (by default 192.168.182.3 to 192.168.182.254, /24). Warning: ALCASAR keeps the addresses 192.168.182.1 and 192.168.182.2 for its internal interface; the gateway address handed out must be the internal IP address of ALCASAR (by default 192.168.182.1).
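Before pointing the external DHCP server at the consultation network, it is worth checking the pool it will hand out against the constraints just listed. The following script is an added example, not part of the ALCASAR manual: it assumes the default 192.168.182.0/24 consultation network (other masks are out of scope) and checks that a proposed first/last address pair stays inside that network, starts above the two addresses reserved for ALCASAR and stops below the broadcast address.

```sh
#!/bin/sh
# Added example (not from the ALCASAR manual): sanity-check the address pool
# an external DHCP server will serve on ALCASAR's consultation network.
# Assumes the manual's default /24; the constants below encode its limits.

ALCASAR_NET_PREFIX=192.168.182   # first three octets of the consultation /24
RESERVED_MAX=2                    # .1 and .2 are kept by ALCASAR itself
HOST_MAX=254                      # .255 is the broadcast address

# split4 ADDR -> sets o1 o2 o3 o4; returns 1 if ADDR is not a dotted quad
split4() {
  case "$1" in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
  old=$IFS; IFS=.; set -- $1; IFS=$old
  [ $# -eq 4 ] || return 1
  o1=$1; o2=$2; o3=$3; o4=$4
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# dhcp_pool_ok FIRST LAST -> 0 if [FIRST,LAST] is a valid pool for ALCASAR,
# 1 otherwise (the reason is written to stderr)
dhcp_pool_ok() {
  split4 "$1" || { echo "bad address: $1" >&2; return 1; }
  f_prefix="$o1.$o2.$o3"; f_host=$o4
  split4 "$2" || { echo "bad address: $2" >&2; return 1; }
  l_prefix="$o1.$o2.$o3"; l_host=$o4
  [ "$f_prefix" = "$ALCASAR_NET_PREFIX" ] && [ "$l_prefix" = "$ALCASAR_NET_PREFIX" ] \
    || { echo "pool must lie in $ALCASAR_NET_PREFIX.0/24" >&2; return 1; }
  [ "$f_host" -le "$l_host" ] || { echo "first address is above last address" >&2; return 1; }
  [ "$f_host" -gt "$RESERVED_MAX" ] || { echo ".1 and .2 are reserved for ALCASAR" >&2; return 1; }
  [ "$l_host" -le "$HOST_MAX" ] || { echo ".255 is the broadcast address" >&2; return 1; }
  return 0
}

# Demo: the manual's default pool is accepted, a pool starting at .1 is not.
for pool in "192.168.182.3 192.168.182.254" "192.168.182.1 192.168.182.254"; do
  set -- $pool
  if dhcp_pool_ok "$1" "$2"; then echo "$pool: OK"; else echo "$pool: rejected"; fi
done
```

Run it with the first and last address of the pool you intend to configure on the external server; a rejection names the constraint that was violated.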
[...] --delete-secret-key <username>

Enable encryption by changing the variables CRYPT and gpg_user in the file /usr/local/bin/alcasar-archive.sh (vi /usr/local/bin/alcasar-log-export.sh). Info: assign the user name to the variable gpg_user.

- ALCASAR uses the root keyring, in the directory /root/.gnupg.
- gpg --list-keys lists all the key pairs contained in this keyring.
- gpg --delete-key <user_name> deletes a public key from the keyring; gpg --delete-secret-key <user_name> deletes a private key from the keyring.

You can copy the directory /root/.gnupg to another ALCASAR server, so that you can use the same key and the same <username> there. Keep in mind that a private key left in /root/.gnupg protects the archives only once they have left the portal: anyone who is root on ALCASAR can decrypt them. To decrypt an encrypted archive: gpg --decrypt-files <filename_crypt_archive>.

7.8 Managing multiple Internet connections (load balancing)

ALCASAR has a script to distribute requests over several gateways to the Internet: alcasar-load_balancing.sh {start|stop|status}. The parameters are not included in the ACC: it is necessary to modify the global configuration file alcasar.conf located under /usr/local/etc. The associated parameters (virtual network cards, weights, gateway IP addresses, etc.) must be defined in the following format:

WANx = active (1|0), IPx/mask, GWx, weight, MTUx

The script creates the interfaces on the fly. To make it active ...
[Screenshot: list of generated login/password files in txt and pdf format, dated 20150127, for the groups "eleves" and "enseignants"; import form "File (.txt): Browse / Send"]

3.7 Emptying the user database

This function allows you to delete all the users in one click. A backup of this database is automatically done (see §7 to retrieve the backup, and the previous chapter to re-inject it).

[Screenshot: "Reset the users database. In order to impute the last connections, the current users database will be automatically saved."]

3.8 Authentication exceptions

By default, ALCASAR is configured to stop the network flow of a user who is not logged in. Nevertheless, you can define some exceptions:

- to allow the auto-update of antivirus software and operating systems (see §11.2);
- on Windows, to keep the Internet access icon on even if nobody is connected;
- to access a server or a security zone (DMZ) located behind ALCASAR;
- to allow some devices not to be intercepted.

Keep this list short: traffic that goes through an exception is not tied to an authenticated user.

a) To trusted sites or trusted domain names

In this window you can enter trusted site names, or manage the Internet domain names that can be reached without authentication (trusted domain names). In the case of a domain name ...
Click Open, accept the server key and log in as sysadmin. Before accepting, compare the fingerprint PuTTY displays with that of the ALCASAR host key (on the ALCASAR console: ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub): a fingerprint that does not match means you are not talking to your portal.

c) Administration of ALCASAR in GUI mode

The goal is now to redirect the data flow from the workstation's browser to ALCASAR through an SSH tunnel. To create this tunnel:

- On Linux, run the command: ssh -L 10000:IP_eth1_alcasar:443 -p 52222 sysadmin@w.x.y.z
- On Windows, configure PuTTY as follows: in Connection > SSH > Tunnels, set "Source port" to 10000 and "Destination" to IP_eth1_alcasar:443 (192.168.0.1:443 in the screenshot), keep "Local" selected and click "Add".

[Screenshot: PuTTY port forwarding with the forwarded port L10000 -> 192.168.0.1:443]

Start your browser and go to https://localhost:10000/acc ("/acc" at the end of the URL is important).

[Screenshot: the ALCASAR Control Center opened in a browser at https://127.0.0.1:10000]

d) Managing devices on the ALCASAR network

Following the same logic, it is possible to manage ...
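The tunnel above is only as trustworthy as the host key you accepted on first connection. The following script is an added example, not part of the ALCASAR manual: it records the host key read on the ALCASAR console in a dedicated known_hosts file, using the "[host]:port" form OpenSSH expects for a non-default port, then builds the ACC tunnel command so that ssh uses only that file, refuses any other key and exits if the local port cannot be bound. The public address, the eth1 address and the key material are constructed placeholders; the ports are the manual's.

```sh
#!/bin/sh
# Added example (not from the ALCASAR manual): pin the ALCASAR host key and
# build the SSH command that forwards local port 10000 to the ACC (port 443 on
# ALCASAR's eth1) through broadband modem/router 2.

PUBLIC_IP=203.0.113.10     # placeholder for the public address of modem/router 2
EXT_PORT=52222             # port modem/router 2 forwards to ALCASAR's sshd
ETH1_IP=192.168.182.1      # ALCASAR's consultation-side interface (manual default)
LOCAL_PORT=10000           # local end of the tunnel
# Public host key as read on the ALCASAR console (placeholder material):
#   ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
HOST_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholderHostKeyMaterialOnly=='

# is_port PORT -> 0 if PORT is an integer in 1..65535
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# pin_host_key KNOWN_HOSTS HOST PORT KEY
# Writes the "[host]:port key" line OpenSSH uses for a non-default port,
# unless an identical line is already present.
pin_host_key() {
  line="[$2]:$3 $4"
  touch "$1" && chmod 600 "$1" || return 1
  grep -qxF -- "$line" "$1" || printf '%s\n' "$line" >> "$1"
}

# acc_tunnel_cmd KNOWN_HOSTS -> prints the ssh command for the ACC tunnel,
# returns 1 if a port is invalid
acc_tunnel_cmd() {
  is_port "$EXT_PORT" && is_port "$LOCAL_PORT" || return 1
  # -N: no remote shell; StrictHostKeyChecking=yes: never accept a new or
  # changed key; ExitOnForwardFailure=yes: do not stay up silently when
  # port 10000 is already taken on the workstation.
  printf 'ssh -N -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -L %s:%s:443 -p %s sysadmin@%s\n' \
    "$1" "$LOCAL_PORT" "$ETH1_IP" "$EXT_PORT" "$PUBLIC_IP"
}

kh=$(mktemp)
pin_host_key "$kh" "$PUBLIC_IP" "$EXT_PORT" "$HOST_KEY"
pin_host_key "$kh" "$PUBLIC_IP" "$EXT_PORT" "$HOST_KEY"   # second call adds nothing
echo "known_hosts entries: $(grep -c . "$kh")"
acc_tunnel_cmd "$kh"
# Then browse to https://localhost:10000/acc (the /acc suffix matters).
```

With StrictHostKeyChecking=yes, ssh refuses to connect if the key presented by the far end is not the one pinned; a refusal after a legitimate reinstallation of ALCASAR (see §8.4) simply means the new host key has to be read on the console and pinned again.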
[Screenshot: "Access Control > User Authentication > Auto registration" page listing the SMS accounts created, page 1 of 3]

This link gives some information about the SMS accounts already created. Moreover, each user can get information on the status of his phone number.

d) Accounts management (administration)

Each account created by the auto-registration module has just one attribute: the expiration date. These accounts belong to the users group "sms", so if you want to set an attribute, edit this user group (see §3.2). These accounts are not displayed in the standard user management section of the ACC.

[Screenshot: table of phone numbers with their state, e.g. "An account was created on ..."]

This table gives the state of the phone numbers which have sent one or more SMS. If you click on "delete", the account (if it already exists) is deleted and the user can create an account again.

e) Country filtering

By default, the SMS auto-registration module allows only French numbers (country code 33). A web interface is available to change the level of filtering: only French numbers, only European numbers, allow every number, or a personal configuration in which the administrator authorizes his own list of countries.

[Screenshot: "Country filtering" page showing the current filtering ("Authorize the French numbers") and the advanced country list]
the Apache web server (service httpd restart).
- alcasar-conf.sh apply: applies the network settings according to the configuration file
- alcasar-dg-pureip.sh {on|off}: enables/disables the filtering of URLs containing IP addresses instead of a domain name
- alcasar-havp.sh {on|off}: enables/disables the antivirus filtering of WEB flows
  - update: updates the antivirus database (ClamAV)
- alcasar-https.sh {on|off}: enables/disables the encryption of authentication flows
- alcasar-load_balancing.sh {start|stop|status}: aggregates several Internet connections. The IP addresses, bandwidth and MTU of the available modems/routers must be configured in the file /usr/local/etc/alcasar.conf for it to work properly. Remember that the script is automatically launched at system start-up only if the MULTIWAN parameter is set in /usr/local/etc/alcasar.conf. To check that the script is running properly, execute the command ip route.
- alcasar-logout.sh <username>: logs off user <username> from all his sessions
  - all: logs off all the logged-in users
- alcasar-mysql.sh
  - import <fichier_sql.sql>: imports a user database, overwriting the existing one
  - raz: resets the user database
  - dump: creates an archive file of the current user database in /var/Save/base
  - acct_stop: stops the open accounting sessions
- alcasar-nf.sh {on|off}: enables/disables ...
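Because the WANx parameters of §7.8 are edited by hand in alcasar.conf and only checked when the script runs at start-up, a mistake there is found late. The following script is an added example, not part of the ALCASAR manual: it parses WANx lines in the field order the manual lists (active flag, IP/mask, gateway, weight, MTU), rejects malformed ones, and prints the share of connections each active link would get if the weights were applied proportionally. The comma separator, the quoting and the sample configuration are assumptions, not the project's exact file format.

```sh
#!/bin/sh
# Added example (not from the ALCASAR manual): validate WANx lines and show
# the weight each active Internet link carries. Field order follows the
# manual; the comma separator and quoting are an assumption.

SAMPLE_CONF=$(mktemp)    # constructed alcasar.conf excerpt
cat > "$SAMPLE_CONF" <<'EOF'
MULTIWAN=on
WAN1="1,192.168.1.10/24,192.168.1.1,3,1500"
WAN2="1,10.0.0.10/24,10.0.0.1,1,1492"
WAN3="0,172.16.0.10/24,172.16.0.1,5,1500"
EOF

# wan_line_ok ACTIVE IP/MASK GW WEIGHT MTU -> 0 if the five fields are sane
wan_line_ok() {
  case "$1" in 0|1) ;; *) return 1 ;; esac
  case "$2" in */*) ;; *) return 1 ;; esac          # address must carry a mask
  mask=${2#*/}
  case "$mask" in ''|*[!0-9]*) return 1 ;; esac
  [ "$mask" -le 32 ] || return 1
  case "$4" in ''|0|*[!0-9]*) return 1 ;; esac      # weight: positive integer
  case "$5" in ''|*[!0-9]*) return 1 ;; esac
  [ "$5" -ge 68 ] && [ "$5" -le 1500 ]              # IPv4 minimum .. Ethernet maximum
}

# wan_shares CONF -> prints "WANx via GW: N%" for each active, well-formed
# link; returns 1 if any WAN line is malformed or no link is active
wan_shares() {
  conf=$1; total=0; status=0; links=''
  while IFS= read -r raw; do
    case "$raw" in WAN[0-9]*=*) ;; *) continue ;; esac
    name=${raw%%=*}; value=${raw#*=}; value=${value#\"}; value=${value%\"}
    old=$IFS; IFS=,; set -- $value; IFS=$old
    if [ $# -ne 5 ] || ! wan_line_ok "$@"; then
      echo "$name: malformed line" >&2; status=1; continue
    fi
    [ "$1" = 1 ] || continue                        # inactive links carry nothing
    total=$((total + $4)); links="$links$name $3 $4
"
  done < "$conf"
  [ "$total" -gt 0 ] || { echo "no active WAN link" >&2; return 1; }
  printf '%s' "$links" | while read -r name gw weight; do
    echo "$name via $gw: $((100 * weight / total))%"
  done
  return $status
}

wan_shares "$SAMPLE_CONF"
```

After the script has started the links, the same information should be visible in the output of ip route as a multipath default route with one nexthop per active link; a link that is missing there is the first thing to look at.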
[...] the menu "Create the traceability file of the current week" (Execute).

6.2 The users database

The "Backups" menu of the ACC displays, in its second column, backup files of the users database in compressed SQL format. They can be generated at any time by clicking "Create the current users database file" in that menu. These files can be imported into ALCASAR (cf. §3.6.a). You can also use them when reinstalling the portal (see §8.4).

7 Advanced features

7.1 Administration accounts management

The ALCASAR server has two system (Linux) accounts that were created during the installation of the operating system:

- root: this is the account used for system administration;
- sysadmin: this account allows you to take secure remote control of your system (see next §).

Along with these two system accounts, management accounts have been defined to control some functions through the graphical ALCASAR Control Center (ACC). These management accounts can belong to one of the three following profiles:

- admin: this profile gives access to all the functions of the ACC. A first admin account was created during the installation of ALCASAR (see the installation documentation);
- manager: this profile only gives access to the users and groups management functions (see §3);
- backup:
[...] the names of your two network cards. In this document we use the following names: INTIF for the card connected to the consultation network and EXTIF for the card connected to the Internet.

- Network card status: run ethtool INTIF and ethtool EXTIF to check the status of both cards (fields "Link detected" and "Speed", for example).
- Gateway/router connection test: run the command route -n to display the IP address of the broadband modem/router (Internet router), then ping it. If an error occurs, check the cable connections and the status of the gateway/router.
- External DNS servers connection test: ping the DNS servers. If an error occurs, try another server.
- Internal DNS server connection test (dnsmasq): send a name resolution request, e.g. nslookup www.google.fr. If an error occurs, check the state of the dnsmasq service; you can restart it with systemctl restart dnsmasq.
- Internet connection test: run the command wget www.google.fr. In case of success, the Google page is downloaded and saved locally (index.html). The result of this test is displayed in the "System > Services" menu of the ACC ("Internet link active").
- Device connection test: run the command arping -I INTIF ip_equipment to know whether a device is connected to the ALCASAR network. To discover all the devices, install the arp-scan package (urpmi arp-scan) and run the command arp-scan ...
Sites (IP addresses or URLs) can be configured in the ACC or in the following file: /usr/local/etc/alcasar-uamallowed

uamallowed activation.sls.microsoft.com
uamallowed www.msftncsi.com
uamallowed crl.microsoft.com
uamallowed download.microsoft.com
uamallowed download.windowsupdate.com
uamallowed go.microsoft.com
uamallowed ntservicepack.microsoft.com
uamallowed stats.update.microsoft.com
uamallowed update.microsoft.com
uamallowed update.microsoft.com.nsatc.net
uamallowed pccreg.trendmicro.de
uamallowed pmac.trendmicro.com
uamallowed tis16-emea-p.activeupdate.trendmicro.com
uamallowed update.nai.com
uamallowed download.mozilla.org

Domains can also be configured in the ACC or in the file /usr/local/etc/alcasar-uamdomain:

uamdomain download.microsoft.com
uamdomain download.windowsupdate.com
uamdomain ds.download.windowsupdate.com
uamdomain microsoft.com
uamdomain update.microsoft.com
uamdomain update.microsoft.com.nsatc.net
uamdomain windowsupdate.com
uamdomain windowsupdate.microsoft.com
uamdomain trendmicro.com
uamdomain activeupdate.trendmicro.com
uamdomain akamaiedge.net
uamdomain akamaitechnologies.com
uamdomain clamav.net

It is necessary to restart the chilli service if these files are changed directly. A domain entry opens every name under that domain without authentication; akamaiedge.net and akamaitechnologies.com, for instance, serve many unrelated sites, so review such entries against what you actually need.

11.3 User sheet

[Screenshot: user sheet for "rexy", "Access Co..."]
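To see which requests the two files above let through before a user has logged in, the following script is an added example, not part of the ALCASAR manual: it loads a constructed subset of the two lists into temporary files and answers, for a given host name, whether it is reachable without authentication. The matching rule it applies (exact host for uamallowed, the domain itself or any name under it for uamdomain) is an assumption about how the captive portal (chilli) uses the two files; the lists and the queries are constructed.

```sh
#!/bin/sh
# Added example (not from the ALCASAR manual): decide whether a host name is
# covered by the uamallowed (exact hosts) or uamdomain (domain suffix) lists.

UAMALLOWED=$(mktemp); UAMDOMAIN=$(mktemp)      # constructed subsets
cat > "$UAMALLOWED" <<'EOF'
uamallowed activation.sls.microsoft.com
uamallowed www.msftncsi.com
uamallowed download.mozilla.org
EOF
cat > "$UAMDOMAIN" <<'EOF'
uamdomain windowsupdate.com
uamdomain clamav.net
EOF

# uam_allowed HOST -> 0 if HOST may be reached without logging in, 1 otherwise
uam_allowed() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
  # exact match against uamallowed entries
  while read -r key value; do
    [ "$key" = uamallowed ] && [ "$value" = "$host" ] && return 0
  done < "$UAMALLOWED"
  # domain match: the domain itself, or any name ending in ".<domain>"
  while read -r key value; do
    [ "$key" = uamdomain ] || continue
    [ "$value" = "$host" ] && return 0
    case "$host" in *".$value") return 0 ;; esac
  done < "$UAMDOMAIN"
  return 1
}

# uam_check HOST -> prints the verdict (used by the demo below)
uam_check() {
  if uam_allowed "$1"; then echo "$1: reachable without login"; else echo "$1: login required"; fi
}

uam_check www.msftncsi.com               # exact uamallowed entry
uam_check ds.download.windowsupdate.com  # under uamdomain windowsupdate.com
uam_check evilwindowsupdate.com          # same ending but no dot: not a subdomain
uam_check www.google.fr
```

The third query is the case to keep in mind when writing domain entries: the match must require the dot before the domain, otherwise any name that merely ends with the same letters would be let through.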
this account only gives access to the backup and archiving of log files (see previous chapter).

You can create as many management accounts as you want in each profile. To manage these management accounts, use the alcasar-profil.sh command as root:

- alcasar-profil.sh list: lists all the accounts of each profile
- alcasar-profil.sh add: adds an account to a profile
- alcasar-profil.sh del: deletes an account
- alcasar-profil.sh pass: changes the password of an existing account

7.2 Secure administration across the Internet

It is possible to establish a secure remote connection to an ALCASAR portal using an encrypted data flow (SSH, Secure SHell). Let's take the example of an administrator who seeks to administer, through the Internet, an ALCASAR portal or devices on the consultation network.

[Figure: administrator workstation -> Internet -> broadband modem/router 2 -> ALCASAR (SSH, port 22) -> consultation network]

Firstly, you need to enable the SSH service on ALCASAR (menu System > Services). You must know the IP address of broadband modem/router 2.

a) Broadband modem/router configuration

It is necessary to configure broadband modem/router 2 so that it does not block the SSH protocol. To reduce the exposure of the SSH service to automated scans on the Internet, the default port 22 is replaced by another one, 52222 (changing the port does not hide or anonymize the flow, it only cuts the noise). If you want, you can still use port 22. Refer to your broadband modem/router documentation before performing this operation.
[...] either on the LAN side or on the WAN side. When this module is enabled, ALCASAR uses the external directory to authenticate a user, but if an error occurs the local database is used. In all cases, user event logs are recorded in the local database of ALCASAR. Here is the management GUI of this module:

[Screenshot: LDAP/AD configuration form with the fields "LDAP server name", "Base DN" (e.g. dc=etrs,dc=localdomain), "Key used to search for a login identifier (e.g. uid, sn, etc.)", "LDAP user filter" (e.g. combining uid and objectClass), "LDAP user" (e.g. cn=alcasar,ou=radius,dc=etrs,dc=localdomain; leave empty for guest access, required for Active Directory servers) and "LDAP password" (leave empty for guest access)]

Remarks:

- attributes of users from the external directory can't be modified with the ACC;
- use of the secure protocol ldaps is not available for now: the bind password and the user credentials therefore cross the link to the directory unencrypted, so the network segment between ALCASAR and the directory server must be under your control (cf. §10);
- external directories are not case-sensitive, unlike the local database of ALCASAR.
[...] organizations who have faced problems and have solved them.

a) On some sites, pictures are not displayed

When the domain names and URL filtering is enabled, by default ALCASAR filters links without a domain name (links containing IP addresses). Thus pages containing this kind of links are only partially displayed. To prevent this problem, two solutions: uncheck the "IP" box of the blacklist (cf. §5.1.c), or save the IP addresses contained in these links as "rehabilitated domain names" (cf. §5.1.c). For example, the site leboncoin.fr hosts its pictures on the following IP addresses: 193.164.196.30, .40, .50 and .60, and 193.164.197.30, .40 and .50.

b) Navigation impossible with some antivirus software

Disable the web proxy function integrated in some antivirus software. In Trend Micro antivirus, for example, this function relies on a whitelist/blacklist downloaded from the servers of Trend Micro (backup30.trendmicro.com, etc.) that analyses and validates each request to a website. A user with limited rights can enable it. To avoid all the inconveniences of this function, which is incompatible with ALCASAR, it is better to stop the service "Proxy Trend service" and to restart the computer.

c) Windows stations previously connected to a public hotspot

When a system connects to a public hotspot, the hotspot provides network parameters and a lease time which determines the validity period of these parameters. Windows XP stations do not reset these settings during a reboot ...
[...] by running the script alcasar-bypass.sh on. To stop it, run the script alcasar-bypass.sh off. Please note: the bypass mode is no longer active after a restart of the server.

8 Shutdown, restart, update and reinstallation

8.1 Shutdown and restart

There are three possibilities to stop or restart the system properly:

- via the ACC;
- by briefly pressing the power button of the PC;
- by connecting to the console as root and running the command init 0.

When the ALCASAR portal restarts, a procedure deletes all the connections that were not closed because of an unplanned shutdown (failure, power failure, etc.).

8.2 Operating system update

Mageia Linux provides an excellent mechanism to apply security patches to the system and its components. ALCASAR has been developed to be fully compatible with this mechanism, so every night at 3:30 the security updates are downloaded, checked and applied. As root, you can manually update the system with the command: urpmi --auto --auto-update. Once the update is complete, a message may warn you that a system reboot is required. This message appears only if a new kernel or a major library was updated.

8.3 ALCASAR minor updates

You can see whether an update is available on the ALCASAR web page, on the cover page of the ACC, or by executing the following command: alcasar-version.sh. Download and extract the archive of the latest version, like for a normal installation ...
[...] chilli restart

9 Operating system and memory overload

The Linux system always attempts to use the maximum amount of memory (RAM) available. On the home page of the ACC, the bar graph indicating memory usage can regularly be beyond 80 percent and turn red: this is normal. If the system needs more memory, it will use the swap. This swap is an area of the hard disk used when the computer runs out of RAM, but it is approximately 1000 times slower than RAM. If you notice that the system uses swap space (> 1%), you can consider increasing the RAM to significantly improve system responsiveness, especially when the domain names and URL filtering is enabled.

You can display the system load on the home page of the ACC (System > Load system) or in a console with the commands top or uptime. The 3 values shown are the average system load over the last minute, the last 5 minutes and the last 15 minutes. The load average is the number of processes waiting for the CPU; on a single-processor server these values are normally below 1 (on a server with N processor cores, compare them with N rather than with 1).

- A value greater than 1.00 on a single core results from an under-sized server, especially if it affects the three values (long-term overload). Search for the process which represents a high proportion of the load (command top).

10 Security

On the consultation network, ALCASAR is the Internet access controller. It also helps to protect the network from external or internal threats. To this end, it includes ...
m_de_fichier> saves the file under the name <nom_de_fichier>

Summary of useful vi commands (translated):
Save a file / quit vi
- :w  saves the file (write)
- :wq  saves the file and quits vi (write and quit); equivalent: :x
- :q  quits vi
- :q!  quits vi without saving the changes (quit); quits immediately without doing anything else
- :w <filename>  saves the file under the name <filename>
Copy / paste
- Y  copies a line into a buffer so that it can be pasted afterwards (yank)
- nY  copies n lines
- p  pastes the lines after the cursor (paste)
Delete text
- x  deletes a character
- dd  deletes a line
- ndd  deletes n lines
Undo or repeat changes
- u  undoes the last change (undo)
- .  repeats the last changes
Search and replace
- /pattern  searches for pattern towards the end of the document
- n  repeats the last search (next)
- N  returns to the result of the previous search
- :s/pattern/pattern2/g  searches for pattern and replaces it with pattern2

11.2 Helpful authentication exceptions
The following values allow client devices to access the Internet (web sites) without authentication in order to connect to the following services: perform an Internet connection test; Microsoft system update; TrendMicro and Clamav antivirus update; c
me. Members of group: (list).
[Screenshot: group creation form. Recoverable field help:]
- Expiry date: after this date, users of this group can no longer log in; one week after this date, users are automatically deleted. Click on the field to display a calendar. Separate several values by a space or a carriage return.
- Maximum time of connection: this time is independent of the number of sessions, so the user can spend it as he wants, in one or more sessions. Limit of time: when one of these limits is reached, the user is logged out.
- Number of concurrent sessions per user: examples: 1 = only one session at a time; empty = no limit; X = X authorized concurrent sessions; 0 = account locked. Note: this is a good way to temporarily lock or unlock a user account.
- Authorized periods in a week: example for a period from Monday at 7 am to Friday at 6 pm: Mo-Fr0700-1800.
- Quality of service parameters (QOS): you can set limitations. The data volume limit is set for one session; when the limit value is reached, the user is logged out.
- Redirection URL: once authenticated, the user is redirected to this URL. The URL must contain the protocol name, for example http://www.site.org.
- Filtering (blacklist + antivirus, whitelist + antivirus): choose the filtering policy (see 4) for
minal. It can be useful with a keyboardless and screenless server. The tutorial below explains how to connect a serial terminal (thank you Igor Popowski).

File /etc/inittab:
- save the original: cp /etc/inittab /etc/inittab.save
- edit the file: vi /etc/inittab
- before the line "# Single user mode", add the following line (serial terminal connection):
  s0:2345:respawn:/sbin/agetty -L 9600 ttyS0 vt100
- save (Esc, then :wq)
- run the command init q so that this change is taken into account

File /etc/securetty:
- save the original: cp /etc/securetty /etc/securetty.save
- edit the file: vi /etc/securetty
- add one of the two following lines at the end of the file: ttyS0 if using a 9-pin serial port, or ttyUSB0 if using a serial-USB adapter
- then save (Esc, then :wq)

To display the boot output, edit the GRUB file /boot/grub/menu.lst:
- save the original: cp /boot/grub/menu.lst /boot/grub/menu.lst.save
- in the section "title linux", after vga=791, add at the end of the line: console=tty0 console=ttyS0,9600n8 for the standard serial port, or console=tty0 console=ttyUSB0,9600n8 for the USB port

Connect your management station to ALCASAR with a null modem cable on the serial port (COM1) or through a serial-USB adapter. Configure PuTTY to use this COM1 serial connection in vt100 mode.

9.6 Problems experienced
This chapter presents feedback from organ
nage any device connected to the consultation network (WIFI access points, switches, LDAP/AD, etc.). On Linux, run the command:
ssh -L 10000:IP_equipment:Num_Port -p 52222 sysadmin@w.x.y.z
IP_equipment is the IP address of the device to manage; Num_Port is the administration port of this equipment (22, 80, 443, etc.). On Windows, enter the IP address and the port of the device in the "Destination" field of PuTTY. Run the command ssh login@localhost -p 10000 to use SSH for secure remote administration. To connect to the web-based interface, go to http(s)://localhost:10000.

- Use of an SSH tunnel with a public/private key pair
This paragraph, although not essential, adds an additional layer of security by using private key authentication.
- generate a key pair (public key / private key). On Windows, with puttygen:
[Screenshot: PuTTY Key Generator window (menu File, Key, Conversions, Help). Key comment: "cle portail captif". Actions: "Generate a public/private key pair" (Generate), "Load an existing private key file" (Lo
ne trusted client devices allowed to connect to the Internet without authentication (exceptions). b) Exceptions. Auto-registration (SMS).

3.1 Network activity
[Screenshot: ACC page "Activité sur le réseau de consultation" (activity on the consultation network), refreshed every 30 seconds. Columns: IP address, MAC address, user, action ("Déconnecter" = disconnect, "MAC autorisée" = authorized MAC, "Dissocier" = dissociate).]

3.2 Creating groups
Generally, to minimize the administration load, it is worth managing user groups rather than each user. The first thing to do is to define the list of user groups to create. When you create a user group, you can define the attributes of all the users of this group. These attributes are taken into account only if they are not empty, so leave an attribute empty if you don't want to use it. For assistance, click on the attribute name.
Create a group: the name is case sensitive (group1 and Group1 are two different names) and cannot contain accents or special characters. Already created group(s): the group list is empty. Group na
ntrol. ALCASAR is now deployed in your organization. ALCASAR is a network access controller: when you go on the Internet, the following login window is displayed. Both fields are case sensitive (smith and Smith are two different users).
Successful authentication: when login is successful, this popup window appears. It allows you to log out from ALCASAR and provides information on your account (permissions, lease time, download limits, connection history, etc.). Closing connection: if this window is closed, just type logout in your browser address bar when you want to log out.
Authentication failed: if login fails, a message gives you more information (expired account, maximum download volume reached, attempt to log in outside the allocated time slots, etc.).
Welcome on ALCASAR: your captive portal main page. You can access your account details (login, logout, change your password, installation of the certificate in your browser, ALCASAR Control Center) by entering ALCASAR in your browser address bar. [Screenshot: ALCASAR home page with the links "Open an Internet session", "Install ALCASAR AC Certificate", "Change your password" and "ALCASAR Control Center".] The portal embeds a WEB flow antimalware and website filtering to prevent unauthorized web browsing. It also helps to know whether there is a problem with the Internet connection (hardwar
ou [Table of contents, partially readable:] 8.4 ALCASAR major update or reinstallation 29; 9.2 Available disk space 30; 9.3 ALCASAR server services 30; 9.4 Client devices connection 30; 9.5 Connection to ALCASAR with a serial terminal 31; 11.2 Helpful authentication exceptions 36.

1 Introduction
ALCASAR is a free and open source Network Access Controller (NAC). This paper describes how to use it and how to administer it. The following screenshot is displayed to users attempting to access an HTTP website. This page is available in English, Spanish, German, Dutch, French and Portuguese depending on the browser's settings. As long as the user is not logged in, no traffic passes through ALCASAR. [Screenshot: login page "Network Access Control / Contrôle d'accès au réseau", with the fields "Identifiant" (User) and "Mot de passe" (Password).] A
passe de connexion (login password): required for servers with an Active Directory. [Screenshot: LDAP/AD configuration form ("Enregistrer" = save, "Annuler" = cancel) and the "Utilisateurs et ordinateurs Active Directory" (Active Directory Users and Computers) window.]
Example: this screenshot shows the AD directory tree organized as follows. Standard users are put into the Organizational Unit (O.U.) "User". The account used by ALCASAR to query the directory is the account "rldap" in the OU "Admin"; this account is a standard account that does not need special rights. Both O.U. "Admin" and "User" are themselves located in the OU "Utilisateur".
- DN of the database: ou=User,ou=Utilisateur,ou=site_i2sc,dc=i2sc,dc=local. This is the search base of the users; this root is to be adapted to the organization of the directory tree.
- LDAP ID: sAMAccountName for AD; uid in general for other LDAP servers.
- Filter: leave this field empty unless you want to select only specific users.
- LDAP user: cn=rldap,ou=Admin,ou=site_i2sc,dc=i2sc,dc=local. Please note that this field and the field "Password" can be left blank if the directory server accepts requests in anonymous mode.
- Password: password of the user rldap.

From an external directory server (LDAP or AD), in order to provide users with some attribute
pscan -I INTIF --localnet
[Screenshot: arp-scan output listing the MAC addresses and IP addresses found on the 192.168.182.0/24 network.]

9.2 Available disk space
If the available disk space is not enough, some modules may not run properly anymore. You can check the available disk space, especially the /var partition, in GUI mode via the home page of the ACC, or in text mode with the command df. If this space shrinks excessively, delete old log files after they have been archived (directory /var/Save).

9.3 ALCASAR server services
To carry out these tasks, ALCASAR uses several server services. The status of these services is displayed in the ACC (System > Services), and you can stop or restart them. If one of these services cannot be restarted, you can diagnose the error: connect to the ALCASAR console directly or with SSH, control the services with the command systemctl start|stop|restart service_name and, at the same time, display the log file with the command journalctl -f.

9.4 Client devices connection
In the ACC (menu System > Activity), make sure that all your clients' network settings are correct (MAC address, IP address). If not, delete the old settings set by ALCASAR and save the new, correct
re. Normally, when you try to connect securely, sites present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. What should I do? If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue. Get me out of here! Technical details / I understand the risks.
[Screenshots: the untrusted-certificate warnings of Mozilla Firefox, Microsoft IE ("Le certificat de sécurité présenté par ce site Web n'a pas été émis par une autorité de certification approuvée" = the security certificate presented by this site was not issued by a trusted certification authority; "Les problèmes de certificat de sécurité peuvent indiquer une tentative de duperie ou d'interception des données que vous envoyez sur le serveur" = certificate problems may indicate an attempt to deceive you or to intercept the data you send to the server; "Nous vous recommandons de fermer cette page Web" = we recommend closing this web page; "Poursuivre avec ce site Web (non recommandé)" = continue to this website (not recommended)) and Google Chrome.]
Although it is possible to continue browsing, it is recommended to install the security certificate of this C.A. in the browsers so that they do not display these pages anymore. To do that, click the zone "Install ALCASAR AC
s English and French, via an encrypted flow (HTTPS). An authentication is required with a login name in one of the three following profiles (cf. §7.1):
- profile "admin" can use all the administration functions;
- profile "manager" is limited to the user management functions;
- profile "backup" is limited to the backup of the log files function.
[Screenshot: browser authentication prompt for https://alcasar ("Le site https://alcasar demande un nom d'utilisateur et un mot de passe" = the site asks for a user name and a password), and the ACC home page. Visible items: menus SYSTEM, AUTHENTICATION, BACKUPS; Internet connection: enabled; Hostname: localhost; Installed version: 2.7; Certificate expiration date: Jan 19 20:32:17 2017 GMT; Available versions: 2.6.1 (stable), trunk (devel); Kernel version: 3.4.24-desktop-3.mga2 SMP; Distro name: Mageia 2; Uptime: 2 minutes; Load averages: 0.03 0.06 0.03; Network protocols filter: disabled; WEB antivirus: enabled; Domain and URL filter: disabled; Updated blacklist: January 05, 2013; physical memory gauge (58% used, 436.73 MB of 495.04 MB).]
Warning: the intrusion detection system of ALCASAR will forbid new connection attempt
s specific to ALCASAR (bandwidth, concurrent sessions, etc.), it is possible to create a group named "ldap" (respect the lower-case letters) for which you set the desired attributes. It is also possible to assign attributes to a particular account authenticated on an external directory: to do this, create a user in the ACC with the same name (identifier) as the one in the directory.

Integration in a complex architecture (AD, external DHCP, LDAP)
ALCASAR can be installed in an existing network with a Windows domain, a DHCP server and an external directory for the authentication process (LDAP or AD, see previous §).
a) Managing Windows DNS
If your existing environment already has Active Directory enabled, the Windows computers of your domain must query the DNS of the domain controller for the resolutions specific to the domain, and they must query ALCASAR for Internet access. One solution is to configure the ALCASAR DNS so that it redirects to the domain controller the DNS queries concerning the resolution of the domain; in this way, devices are configured with a single DNS (ALCASAR). On ALCASAR, the only change to make is to add the following line to the file /usr/local/etc/alcasar-dns-name:
server=/<your.domain>/<IP_SRV-AD-DNS>
Example: the domain brock.net is managed by the AD DNS server 192.168.182.10. The line to add is:
server=/brock.net/192.168.182.10
Please note that it is the domain name and not the name of th
s during 3 1 it [Screenshot: ACC home page gauges (continued): Disk swap 822.07 MB total, 0.00 KB used; mount table of the ext4 partitions /dev/sda1 (/), /dev/sda6 (/tmp), /dev/sda7 (/home) and /dev/sda8 (/var) with their percent, free, used and total sizes.] detects three connection failures on

2 Network settings
[Figure: network architecture. An optional multi-WAN switch or router balances the network load on several ISP broadband modems/routers (load balancing); ALCASAR sits between the Internet and the consultation network.]
On the ALCASAR network, devices can be connected with multiple technologies (wired Ethernet, WiFi, PLC, etc.). For all these devices, ALCASAR is the DNS server, the time server and the default gateway. CAUTION: on the consultation network, no other gateway should be present (verify the PLC and WIFI access point settings). The IP address settings of the network are defined during the installation process of the portal. For example, with a class C network (default configuration):
- Network IP address: 192.168.182.0/24 (subnet mask 255.255.255.0)
- Max number of devices: 253
- ALCASAR eth1 IP address: 192.168.182.1/24
- Parameters of connected devices:
  - available IP addresses: between 192.168.182.3 and 192.168.182.254 (static or dynamic)
  - DNS server address: 192.16
s8sem certificate of the ALCASAR home page. For each browser, follow the following steps:
[Screenshots: the "Install ALCASAR AC Certificate" link on the ALCASAR home page ("Allow secure data exchange between your..."); the Mozilla Firefox "Downloading Certificate" dialog ("You have been asked to trust a new Certificate Authority (CA). Do you want to trust ALCASAR local CA for the following purposes? Trust this CA to identify websites / email users / software developers. Before trusting this CA for any purpose, you should examine its certificate and its policy and procedures (if available). View / Examine CA certificate, Cancel, OK"); the Konqueror open/save dialog for the file certificat_alcasar_ca.crt (type: X.509 certificate, DER/PEM/Netscape); the Internet Explorer security warning ("Voulez-vous ouvrir ou enregistrer ce fichier ?" = do you want to open or save this file?) and the "Assistant Importation de certificat" (certificate import wizard) with the certificate store selection.]
settings. On the client devices, check the network settings (run ipconfig /all on Windows, /sbin/ifconfig on Linux); if they are not correct, update them. For devices that use dynamic IP addresses, send a DHCP request again (ipconfig /renew on Windows, dhclient eth0 on Linux). If the interface is not configured, check the cable connections and make sure that the DHCP frames of your client pass on the network (use a network analyser, Wireshark for example). On ALCASAR, you can see incoming DHCP requests by running the command journalctl -f or by displaying terminal 12 (<Alt>F12):
[Screenshot: journal output of Dec 29 22:31:27 showing a coova-chilli[4299] line "chilli.c: 2694: New DHCP request from MAC=..." followed by a line "chilli.c: 2661: Client MAC=... assigned IP ..." for the same MAC address.]
- Connection test to the portal: send a ping request to the IP address of ALCASAR. If an error occurs, check the cable connections and the network settings.
- Name resolution test: on Windows and on Linux, run nslookup alcasar. The result should be the IP address of ALCASAR. If not, check that ALCASAR is the DNS server of the client.
- The ACC: on a client with a browser, try to connect to ALCASAR (http://alcasar).
- Internet connection test: try to visit a site on the Internet. ALCASAR must intercept your request and display the login window.

9.5 Connection to ALCASAR with a serial ter
t. Be sure that no other DHCP server is connected on your network, or be sure you know how to manage a multi-DHCP service (cf. §8.5a to manage the cohabitation with an A.D. server).

2.2 Client devices settings
a) Client device setting
A user sheet is available at the end of this manual. Users only need a system in DHCP mode and a browser supporting JavaScript and pop-up windows. To be intercepted by ALCASAR, browsers must try to access an HTTP (and only HTTP) website. The proxy server settings must be disabled.
b) Adding a bookmark
On browsers, it can be useful to add the ALCASAR home page (http://alcasar) to the bookmarks so that users can change their password, log out or install the ALCASAR security certificate.
c) Installing the ALCASAR security certificate
Some communications between client devices and ALCASAR are encrypted with the SSL (Secure Socket Layer) protocol. This protocol needs two certificates created during the installation: the ALCASAR certificate and the local Certification Authority (C.A.) certificate. By default, browsers don't know this certification authority, so one of the following pages is displayed when they connect to the portal for the first time. [Screenshot: Firefox "This Connection is Untrusted" page and IE "Le certificat de sécurité de ce site Web présente un problème" (the security certificate of this website has a problem).] You have asked Firefox to connect securely to alcasar, but we can't confirm that your connection is secu
t avec un numéro de série unique (with a unique serial number). [Screenshots: certificate error pages. Firefox: "Code d'erreur : sec_error_reused_issuer_and_serial" (error code), "Cliquez sur le bouton Actualiser ou recommencez ultérieurement" (click Reload or try again later). Internet Explorer: "La page que vous essayez de consulter ne peut pas être affichée car l'authenticité des données reçues ne peut être vérifiée" (the page cannot be displayed because the authenticity of the received data cannot be verified), "Veuillez contacter les propriétaires du site Web pour les en informer" (please contact the website owners to inform them). Shown with IE6, with IE 7, 8 and 9, and with Mozilla.]
This is because browsers try to authenticate the ALCASAR portal using an old certificate. The old certificate must be deleted in the clients' browsers (Tools > Internet options > tab Content > button Certificates > tab Root Certification Authorities) and replaced by the new one, as described in chapter 2.2c.

f) No Internet browsing, but the "Trusted sites" section is filled in
ALCASAR verifies the validity of the domain names entered in this section (cf. §4.7a). If a domain name is not valid, the chilli service can no longer start. Then correct the invalid domain name and restart the chilli service with the command service chi
tercept page list page p 1 [Screenshot: "Trusted sites" form. Examples: mydomain.com allows www.mydomain.com, ftp.mydomain.com, etc.; free.fr allows ftp.free.fr, www.free.fr, etc. You can display a web link to a trusted site on the ALCASAR home page ("Leave empty to not display the link"; "all the linked sites are allowed"). Add to list.]

b) Trusted IP addresses or trusted network IP addresses
[Screenshot: "Trusted IP addresses" form: manage the IP addresses of systems or networks that can be reached without authentication. Examples: 170.25.23.10 (my web server), 15.20.20.0/16 (my DMZ). Add to list / Apply changes.]
In this window you can manage trusted IP addresses or trusted network IP addresses (a DMZ for example). The network protocol filtering, if enabled (see 4.2c), has no effect on the addresses mentioned here.

c) Allowing trusted client devices
It is possible to allow some client devices to go through ALCASAR without being intercepted. To do that, create a user whose name is the MAC address of the device (example: 08:00:27:F3:DF:68) and whose password is "password". It should be borne in mind that in this case the traces of connection to the Internet are charged to the device, not to the user. [Screenshot: list of trusted devices with their MAC address, description and actions.]
tes 17 seconds [Screenshot: session search results (user, IP address 192.168.182.147, start time, stop time, duration, "UserRequest" termination cause) with the fields "Nbr max de résultats" (max number of results), "Envoyer" (send) and "Classé par Session Time" (sorted by session time).]

5.3 Daily use
This page allows you to know the load of the portal per user over a period. [Screenshot: "Statistiques d'utilisation journalière" (daily usage statistics) for all users over the period 2009-11-23 to 2009-11-30: per day, the number of sessions, the total usage time and the uploads, plus a daily summary (maximum, average, total).]

5.4 Global and detailed traffic
Global traffic: [Screenshot: traffic data for the Internet outbound interface enp1s0, summary graph of bytes in / bytes out over the last 24 hours.] This graph allows
the filtering of network protocols.
- alcasar-rpm-download.sh: downloads and creates an archive file of all the packages necessary to install ALCASAR.
- alcasar-safesearch.sh [on|off]: enables or disables the SafeSearch filter of the major search engines (blocks inappropriate or explicit content for young people).
- alcasar-version.sh: compares the current ALCASAR version with the latest one available on the Internet.
Each service provided by the server is supported by a daemon, which is managed automatically at start:
- view the status of a particular daemon (works for most daemons): /etc/init.d/<service name> status
- restart or stop a daemon: /etc/init.d/<service name> start|stop|restart|reload
Info: a super daemon checks the service status every 10 minutes (alcasar-daemon.sh).
If you need to edit a file, you will probably need to know some basic features of the text editor vi. To help you, you can consult a summary of useful commands at http://www.computerhope.com/unix/uvi.htm:
Save a file / quit vi (translated): :w saves the file (write); :wq saves the file and quits vi (write and quit, equivalent to :x); :q! quits immediately without doing anything else.
Copy / paste: Y copies a line (puts it in a buffer so that it can be pasted afterwards, yank); p pastes the lines after the cursor (paste).
Delete text: x deletes a character; :w <no
the parameter MULTIWAN must include the value "on" or "On"; otherwise insert the value "Off" to enable the single gateway mode. The connection test frequency is set by default to 30 s. Please note: the parameter FAILOVER=0 enables the MULTIWAN mode with no connection test to the gateways (no gateway failure detection).

7.9 Creating an ALCASAR dedicated PC
This chapter presents an example of a dedicated PC (ALCASAR appliance) whose constraints are: miniature (mini-ITX), low noise, low cost and low energy consumption. The configuration is the following: case mini-ITX (12 V powerline); motherboard GigaByte GA-J1900N-D3V (two network cards and an Intel 4-core Celeron); 4 GB of DDR3 SODIMM memory; HDD 2.5" 200 GB SATA (SSD). The cost of this configuration is around 250 (shipping included). The consumption of this mini PC is not more than 30 W; the cost of the annual electricity consumption in France is about 30 (30 × 24 × 365 / 1000 × 0.1329). ALCASAR is installed via a USB drive as usual. Once deployed, the unit requires no keyboard, no mouse and no screen.

7.10 Bypassing the portal
For maintenance or emergency reasons, a portal bypass procedure was created. It disables user authentication and filtering. Network event logging remains active, but ALCASAR does not trace Internet connections anymore. Bypass the porta
the user [Log excerpt: repeated alcasar-watchdog messages of the form "172.16.0.10 is usurped (<MAC address>). Alcasar disconnect the user", reporting that the IP address 172.16.0.10 is claimed by another MAC address and that the user is disconnected.]
Virus blocked (HAVP): [Log excerpt: HAVP lines of the form "<date> <time> 127.0.0.1 GET 200 <URL> <size> VIRUS ClamAV <signature>", for example the Eicar-Test-Signature detected on an eicar.zip download, followed by several trojan and PHP webshell signatures.]
Blocked IP address(es) (Fail2Ban): 2
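The "New DHCP request" / "assigned IP" lines that the troubleshooting section reads from journalctl -f and the alcasar-watchdog "is usurped" messages above can be correlated to see which lease each IP address belonged to before another MAC claimed it. The following is an added example, not ALCASAR's own code; the exact line formats are an assumption reconstructed from the manual's screenshots, and the sample journal lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample journal lines (not a real capture). The formats are an
# assumption reconstructed from the manual's screenshots of journalctl output;
# check them against `journalctl -f` on a real portal before relying on them.
SAMPLE_JOURNAL = """\
Dec 29 22:31:27 alcasar coova-chilli[4299]: chilli.c: 2694: New DHCP request from MAC=08:00:27:E1:EA:89
Dec 29 22:31:27 alcasar coova-chilli[4299]: chilli.c: 2661: Client MAC=08:00:27:E1:EA:89 assigned IP 192.168.182.129
Dec 29 22:32:02 alcasar coova-chilli[4299]: chilli.c: 2694: New DHCP request from MAC=54:04:A6:1E:F7:DB
Dec 29 22:32:02 alcasar coova-chilli[4299]: chilli.c: 2661: Client MAC=54:04:A6:1E:F7:DB assigned IP 192.168.182.130
Dec 29 22:33:10 alcasar coova-chilli[4299]: chilli.c: 2694: New DHCP request from MAC=00:16:EA:58:9B:04
Dec 29 22:40:11 alcasar alcasar-watchdog: 192.168.182.129 is usurped (00:24:81:12:52:01). Alcasar disconnect the user
Dec 29 22:40:41 alcasar alcasar-watchdog: 192.168.182.129 is usurped (00:24:81:12:52:01). Alcasar disconnect the user
Dec 29 22:45:00 alcasar alcasar-watchdog: 192.168.182.199 is usurped (00:24:81:12:52:02). Alcasar disconnect the user
"""

MAC = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
DHCP_REQUEST_RE = re.compile(r"coova-chilli\[\d+\]: .*New DHCP request from MAC=" + MAC)
DHCP_ASSIGN_RE = re.compile(r"coova-chilli\[\d+\]: .*Client MAC=" + MAC + r" assigned IP " + IP)
USURPED_RE = re.compile(r"alcasar-watchdog: " + IP + r" is usurped \(" + MAC + r"\)")


def dhcp_leases(lines: List[str]) -> Dict[str, str]:
    """Map each IP address to the MAC that chilli last assigned it to (later lines win)."""
    leases: Dict[str, str] = {}
    for line in lines:
        m = DHCP_ASSIGN_RE.search(line)
        if m:
            leases[m.group(2)] = m.group(1).upper()
    return leases


def requests_without_lease(lines: List[str]) -> List[str]:
    """MACs that sent a DHCP request but never got an 'assigned IP' line.

    This is the troubleshooting signal of section 9.4: the request reached
    ALCASAR (so cabling is fine) but no address was handed out.
    """
    assigned = set(dhcp_leases(lines).values())
    seen: List[str] = []
    for line in lines:
        m = DHCP_REQUEST_RE.search(line)
        if m:
            mac = m.group(1).upper()
            if mac not in assigned and mac not in seen:
                seen.append(mac)
    return seen


def usurpation_report(lines: List[str]) -> List[dict]:
    """Group watchdog 'is usurped' events per (IP, claiming MAC) and attach the lease holder.

    lease_mac is None when the usurped IP never appeared in a chilli lease,
    which points at a statically configured or unknown device.
    """
    leases = dhcp_leases(lines)
    grouped: Dict[Tuple[str, str], int] = {}
    for line in lines:
        m = USURPED_RE.search(line)
        if m:
            key = (m.group(1), m.group(2).upper())
            grouped[key] = grouped.get(key, 0) + 1
    return [
        {"ip": ip, "lease_mac": leases.get(ip), "spoofing_mac": mac, "count": n}
        for (ip, mac), n in grouped.items()
    ]


if __name__ == "__main__":
    journal = SAMPLE_JOURNAL.splitlines()
    print("leases:", dhcp_leases(journal))
    print("requests without lease:", requests_without_lease(journal))
    for event in usurpation_report(journal):
        print("usurped:", event)
```

Pipe `journalctl -f` output into these functions on a real portal to spot a MAC that keeps asking without receiving a lease, or an IP repeatedly claimed by a MAC other than its lease holder.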
tificate authority. Please note that the web server used by ALCASAR is an APACHE server with an SSL module. The following example presents the installation of an intranet certificate generated by the certificate authority (CA) Digitalix. First, execute the following command on ALCASAR as root:
openssl req -newkey rsa:2048 -new -nodes -keyout alcasar.key -out alcasar.csr
This command creates two files: the private key (alcasar.key) and the certificate signing request (alcasar.csr). Copy the certificate signing request on a USB flash drive to paste its contents on the site of the certificate authority. The CA must provide you with a file containing your official server certificate (alcasar.crt). If needed, you also have to download the intermediate authority certificate of your CA (for Digitalix it is available here: http://www.digitalix.fr/certs/HACert-bundle.crt). As root, copy the three files alcasar.key, alcasar.crt and HACert-bundle.crt into your directory /root. Then execute the following commands:
1. cd /etc/pki/tls (moves into the certificate directory)
2. mv certs/alcasar.crt certs/alcasar.crt.old, then mv certs/server-chain.crt certs/server-chain.crt.old, and finally mv private/alcasar.key private/alcasar.key.old (backup of the old certificates)
3. cp /root/alcasar.crt certs/ and cp /root/alcasar.key private/ (copy of the official certificate and of its private
to show network statistics by hour, day and month.
[Screenshot: hourly traffic table (In / Out / Total): 11pm-12am 239.00 KB / 160.00 KB / 399.00 KB; 10pm-11pm 4.84 MB / 1.45 MB / 6.29 MB; 9pm-10pm 73.67 MB / 4.96 MB / 78.63 MB; 8pm-9pm 146.27 MB / 5.53 MB / 151.80 MB; 7pm-8pm 45.87 MB / 3.81 MB / 49.69 MB; 6pm-7pm 5.92 MB / 926.00 KB / 6.83 MB; 5pm-6pm 13.75 MB / 1.62 MB / 15.37 MB; 4pm-5pm 19.90 MB / 2.70 MB / 22.59 MB.]
Detailed traffic: [Screenshot: "Detailed traffic" page with the tabs Home, Graphs, Details, Alerts, Stats, Plugins, live (profile "live", group "nogroup"); graphs of packets per second and bits per second over the previous days.] This page shows the statistics for outbound network traffic by day, by week and by month. The data are updated every 5
[Table of contents, partially readable:] 5.4 Global and detailed traffic 18; 7.1 Administration accounts management 21; 7.2 Secure administration across the Internet 21; 7.3 How to display your logo 24; 7.5 Use of an external directory server (LDAP or AD) 25; 7.6 Integration in a complex architecture (AD, external DHCP, LDAP) 26; 7.8 Managing multiple Internet connections (load balancing) 28; 7.9 Creating an ALCASAR dedicated PC 28; 8 Shutdown, restart, update and reinstallation 29; 8.1 Shutdown and restart 29; 8.2 Operating system update
umber of this user will be banned for a time (in days). Each banned phone number will then be ignored by ALCASAR.

Each 3g key has a different baud rate (transfer speed). See the previous chapter to find the rate for the 3g keys we have tested. A bigger list of configurations can be found on http://wammu.eu/phones. If everything is set correctly, you can start the module with the "start" button. This table shows the status of the service, the signal strength, the IMEI number and the number of SMS received (reset when the service is stopped).

c) User interface

Once the service is started, the interception page provides an additional link "Auto registration".

[Screenshot: self-registration page (French UI). A search field lets users look up their number by its last 5 digits; the table lists each phone number with its status ("Numéro bloqué, nombre d'essai dépassé": number blocked, number of tries exceeded; "Compte actif": active account) and the expiration date of the block.]
user (upload) and what it received from the user (download).

Date        Server              Connections  Connection time                Upload     Download
2007-06-04  chillispot.lyon.fr  3            34 minutes 58 seconds          1.51 MB    52.37 MB
2007-06-04  chillispot.lyon.fr  3            17 minutes 38 seconds          0.78 MB    3.15 MB
2007-06-04  chillispot.lyon.fr  3            32 minutes 4 seconds           1.84 MB    12.61 MB
2007-05-30  chillispot.lyon.fr  4            3 hours 50 minutes 26 seconds  3.25 MB    17.91 MB
2007-06-01  chillispot.lyon.fr  4            57 minutes 16 seconds          4.04 MB    23.44 MB
2007-05-31  chillispot.lyon.fr  4            1 hours 20 minutes 26 seconds  6.80 MB    26.79 MB
2007-05-30  chillispot.lyon.fr  4            50 minutes 32 seconds          4.03 MB    29.53 MB
2007-05-30  chillispot.lyon.fr  4            32 minutes 49 seconds          1.79 MB    11.75 MB
2007-06-05  chillispot.lyon.fr  5            21 minutes 22 seconds          1.97 MB    71.12 MB
2007-05-31  chillispot.lyon.fr  5            1 hours 12 minutes 26 seconds  0.88 MB    4.71 MB
2007-06-01  chillispot.lyon.fr  5            1 hours 3 minutes 25 seconds   1.41 MB    59.74 MB
2007-05-30  chillispot.lyon.fr  6            25 minutes 10 seconds          1.86 MB    61.05 MB
2007-06-04  chillispot.lyon.fr  6            1 hours 11 minutes 4 seconds   6.33 MB    39.43 MB
2007-06-05  chillispot.lyon.fr  7            33 minutes 45 seconds          1.40 MB    9.79 MB
2007-05-31  chillispot.lyon.fr  8            1 hours 2 seconds              0.83 MB    32.22 MB
2007-05-30  chillispot.lyon.fr  10           3 hours                        17.60 MB   39.65 MB
2007-05-31  chillispot.lyon.fr  14           3 hours 51 minutes 40 seconds  2.63 MB    15.65 MB

Filter fields: start time, stop time, page size, sort by, order.
[Screenshot: the interception page, in French and English. Fields: Authentication, Password. Text: "Information System Security. This portal was set up in accordance with regulations to ensure traceability, accountability and non-repudiation of connections. Logged data can be used by a judicial authority in the course of an inquiry. Activity on the network is registered in accordance with respect for privacy. These data will be automatically deleted after one year. Click here to change your password or to integrate the security certificate in your browser."]

Welcome to ALCASAR

The homepage of the portal is available for any browser connected on the network. The URL is http://alcasar or http://alcasar.localdomain. From there, users can log on, log out, change their password and install the security certificate into their web browsers. Administrators can access the graphical ALCASAR Control Center (ACC) by clicking the little notched wheel at the bottom right of the page, or via https://alcasar.localdomain/acc.

[Your captive portal main page]

This ACC is available in two languages
want to authorize:
- SSH (Secure SHell): to allow secure remote connections
- SMTP (Simple Mail Transport Protocol): to allow emails to be sent from a thick client (outlook, thunderbird, etc.)
- POP (Post Office Protocol): to allow thick clients to download emails
- HTTPS (HTTP secure): to allow secure web surfing

[Screenshot: protocol filter form (Switch the filter off, Port number, Remove from list)]

Note: when enabled, this filter is active for all users. In future, ALCASAR will be able to associate it or not with each user, as for the blacklist/whitelist and anti-malware filters.

5. Access to Statistics

Statistics are available in the ACC (menu "statistics") after logging in. This menu provides access to the following information:
- connections: number of connections per user per day (updated every night at midnight)
- daily use: connection status of users (updated in real time)
- global traffic: daily load of the portal (updated every night at midnight)
- detailed traffic: global & detailed network traffic (updated every 5 minutes)
- security: security reports (updated in real time)

5.1 Number of connections per user per day

This page displays, per day and per user, the number of connections, the connection time and the volumes of data exchanged. Please note: the volume of data exchanged is what ALCASAR sent to the
[Screenshot: country authorization table (Authorize european numbers / Authorize all countries; search by code or state, e.g. Angola, Anguilla, Antigua and Barbuda).]

f) Error messages

- Can not listen the ttyUSB0 port. Your 3g key is maybe used by another program.
- Timeout. Can not connect to modem. The 3g key has been disconnected.
- An issue with your Sim card was detected. Is it in the key? The Sim card is not in the 3g key.
- Warning: during the last startup the PIN code was wrong. The Sim card must be blocked. Please read the documentation.
- The PIN password is invalid. The SIM card is maybe blocked. Please follow the instructions in the technical documentation of ALCASAR (§8.2 Auto inscription par SMS).

4. Filtering

ALCASAR has several optional filters:
- a blacklist and a whitelist of domain names, URLs and IP addresses
- an anti-malware on the WEB flow
- a filter for network protocols

The first filter was developed at the request of organizations likely to welcome young people (schools, secondary schools, recreation centers, etc.). This filter can be compared to a parental or school control system. You can enable or disable it for each user or group of users by modifying the users' or groups' attributes (see §3). The anti-malware can detect a lot of types of files
