Install CentOS 7.6 and Configure it as a Firewall Gateway Router

From a networker’s perspective there is so much you can do with Linux, so many servers and free tools to play with. Linux can be a server, a gateway router, a proxy, a transparent bridge, you name it, and using virtualization I have the flexibility to test things from my laptop workstation.

The idea for this lab was taken from my Winter 2015 Final Exam; it is a great project that I know you will love. I have updated it to work with CentOS7.

Lab Instructions:

//*******************************************\\
    CentOS7 Linux Router and Server 
\\*******************************************//
====================
 Install Linux       – 2pts
====================
A. Use the CentOS7 minimal install x86_64 iso image file. You can download it here: http://centos.org/

B. Using Virtualbox create a new virtual machine: Choose “I will install the operating system later.”
      – Settings: Linux, RedHat 64 bit, Disk Size minimum 12Gb, Memory 1 to 2Gb 
      – Choose Settings: set the CD-ROM to boot directly from the CentOS-7 iso image file, 
      – Choose Settings: set the network adapter to bridged mode

C. Click finish and then Start which will boot the virtual machine to the iso image file. Install CentOS-7.5 (the latest version)

D. Important settings:

   – Name your Centos localhost hostname <centos.yourname.local>
   – set the root password <yourchoice>
   – create a user account and password
   – set the location timezone
   – accept all other default settings  

E. Login to CentOS7 as root and take a screenshot logged into your CentOS7 Virtual Machine (save screenshot)

======================================
 Add and Configure 2 Network Adapters  – 2pts
======================================

1. Starting with CentOS-7 minimal install and virtual machine network interface in bridged mode

2. # ip addr    //have you picked up an ip address from the network DHCP server? If not, try:

   # ifdown enp0s3
   # ifup enp0s3
   
3. Next, you will manually edit/configure the ifcfg-enp0s3 network adapter configuration file: 

   # cd /etc/sysconfig/network-scripts
   # ls
   # vi ifcfg-enp0s3

     – using vi press “i” for insert mode
     – to save press “esc”, then type a “:”, then “wq” to write quit
     – make sure the configuration has the following items you do not need to delete any other items:

    DEVICE=enp0s3
    HWADDR=<mac-address>  //adding this is optional, see network adapter advanced settings in Virtualbox for the virtual NIC mac address
    TYPE=Ethernet
    ONBOOT=yes
    NM_CONTROLLED=no  //**this is the only line we need to add
    BOOTPROTO=dhcp   

   # ifup enp0s3
        
   – if needed
   # ifdown enp0s3
   # service network restart

4. Once you are online install the following tools:

   # yum install nano
   # yum install vim
   # yum install wget
   # yum install openssh
   # yum install iptables-services
   # yum install net-tools
   # yum install bridge-utils

5. Now that enp0s3 is working and you are connected online it is time to shut down your system
   and install a second network interface card.

   # shutdown -h now

   – edit your virtual machine’s Settings: 
   – Settings: select Network > select Adapter 2: 
     – Activate Network Adapter: checkmarked,
     – Attached to: Internal Network, 
     – Name: vlan
     – Advanced > Promiscuous Mode: Allow all
     – Advanced > Cable Connected: checkmarked

6. Start Centos7 and check to see if CentOS7 recognizes the new network adapter:

   # ifconfig -a |less
 
   – if enp0s8 shows up, then go to step 7.
   – if enp0s8 doesn’t show up, then shutdown CentOS, go back to virtual machine settings
   – deactivate the network adapter 2 and then re-enable it.
   – if enp0s8 still doesn’t show up, then go to step 7 anyway and try and force it to see it.

7. Copy ifcfg-enp0s3 to ifcfg-enp0s8 to create a configuration file for enp0s8:

   # cp /etc/sysconfig/network-scripts/ifcfg-enp0s3 /etc/sysconfig/network-scripts/ifcfg-enp0s8

8. Edit ifcfg-enp0s8

   # nano /etc/sysconfig/network-scripts/ifcfg-enp0s8

    DEVICE=enp0s8
    HWADDR=<mac-address>  //see network adapter advanced settings
    TYPE=Ethernet
    IPADDR=172.16.1.1
    NETMASK=255.255.255.0
    ONBOOT=yes
    NM_CONTROLLED=no
    BOOTPROTO=none   

   # ifup enp0s8
    
   – if needed
   # ifdown enp0s8
   # service network restart
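Before you run ifup it is worth checking both ifcfg files for the mistakes that make network.service silently ignore them. The shell function below is an added example, not part of the original lab: it reads an ifcfg file and reports a DEVICE= that does not match the file name, a missing ONBOOT=yes or NM_CONTROLLED=no, and a static (BOOTPROTO=none) interface without IPADDR/NETMASK. The file paths in the trailing loop are the lab's own; the checks themselves are this example's assumptions about what a working file needs.

```shell
# Added example for the two ifcfg files above; not part of the lab.
# Usage: ifcfg_check /etc/sysconfig/network-scripts/ifcfg-enp0s8

ifcfg_get() {
    # Print the value of KEY ($2) from FILE ($1); strips surrounding double quotes
    # and trailing whitespace, prints nothing when the key is absent.
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

ifcfg_check() {
    file=$1
    rc=0
    dev=$(ifcfg_get "$file" DEVICE)
    # network.service pairs ifcfg-<name> with DEVICE=<name>; a mismatch is ignored silently.
    if [ "ifcfg-$dev" != "$(basename "$file")" ]; then
        echo "$file: DEVICE=$dev does not match the file name"; rc=1
    fi
    if [ "$(ifcfg_get "$file" ONBOOT)" != "yes" ]; then
        echo "$file: ONBOOT=yes is needed for the interface to come up at boot"; rc=1
    fi
    # The lab hands the interface to the legacy network scripts, so NetworkManager must release it.
    if [ "$(ifcfg_get "$file" NM_CONTROLLED)" != "no" ]; then
        echo "$file: NM_CONTROLLED=no is missing"; rc=1
    fi
    case $(ifcfg_get "$file" BOOTPROTO) in
        dhcp) ;;
        none|static)
            # A static interface without address and mask comes up with no IP at all.
            for key in IPADDR NETMASK; do
                if [ -z "$(ifcfg_get "$file" "$key")" ]; then
                    echo "$file: $key is required when BOOTPROTO=none"; rc=1
                fi
            done ;;
        *) echo "$file: BOOTPROTO must be dhcp or none"; rc=1 ;;
    esac
    return $rc
}

# Check the two files the lab creates, if they exist on this machine.
for f in /etc/sysconfig/network-scripts/ifcfg-enp0s3 /etc/sysconfig/network-scripts/ifcfg-enp0s8; do
    [ -f "$f" ] && ifcfg_check "$f" && echo "$f: ok"
done
```

Run it after editing each file and before ifup; a clean file prints "ok", anything else prints one line per problem and exits non-zero.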

9. Take a screenshot showing your active enp0s3 and enp0s8 interfaces. 

   # ifconfig -a |less     //take screenshot

=========================================================
 Install Apache Webserver and reach it from your Windows computer  – 2pts
=========================================================

1. # yum install httpd        //install apache web server
    # systemctl start httpd    //start the apache web server
    # systemctl enable httpd    //set it to run on startup

   # nano /var/www/html/index.html    //create and edit a simple index.html homepage 
    
    <html>
    <head><title>Welcome to my “Your Name” Homepage Final</title>
    </head>
    <body> 
         Hello this is my webserver homepage!
    </body>
    </html>

2. In this lab we will use the older iptables instead of the newer firewalld (the default CentOS7 firewall front end). You will need to shut down firewalld in order to reach the Apache webserver

   # systemctl stop firewalld
   # systemctl disable firewalld

3. Using your host computer (not CentOS7) open a web browser and browse to your CentOS7 web server’s enp0s3 ip address

4. Take a screenshot of your Apache web server homepage from the Web Browser


=====================================
Install and configure a DHCP server  – 2pts
=====================================

1. # yum install dhcp    //install dhcp server
   # systemctl start dhcpd     //the dhcpd service should fail because it has not been configured yet
   # systemctl enable dhcpd    //set it to run on startup

3. Configure the dhcp server

   # cd /etc/dhcp/
   # ls
   # nano /etc/dhcp/dhcpd.conf

    subnet 172.16.1.0 netmask 255.255.255.0 {
        range 172.16.1.100 172.16.1.150;
        option domain-name-servers 8.8.4.4, 4.4.2.2;
        option routers 172.16.1.1;
        option broadcast-address 172.16.1.255;
    }

4. # service dhcpd restart 
    
    Note: if it fails the dhcpd.conf file has errors that need to be fixed, 
          or your enp0s8 interface is not enabled with the correct ip address 
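dhcpd refuses to start when the subnet declaration is inconsistent, and its error message is not always obvious. As an added example (not part of the lab), the function below takes the five values from the subnet block above and checks them with plain shell arithmetic: the range and the router must lie inside the subnet, the range must exclude the network and broadcast addresses, and the router must not sit inside the lease pool, where the gateway's own address could be offered to a client.

```shell
# Added example; not part of the lab. Checks the values of a dhcpd.conf subnet block.
# Usage: dhcp_subnet_check SUBNET NETMASK RANGE_START RANGE_END ROUTER

ip2int() {
    # Dotted quad to integer with shell arithmetic only (a subshell keeps the IFS change local).
    (
        IFS=.
        set -- $1
        echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
    )
}

dhcp_subnet_check() {
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    lo=$(ip2int "$3");  hi=$(ip2int "$4"); gw=$(ip2int "$5")
    bcast=$(( net | (4294967295 - mask) ))   # broadcast = network with all host bits set
    rc=0
    [ $(( net & mask )) -eq "$net" ] || { echo "$1 is not the network address for mask $2"; rc=1; }
    [ $(( lo & mask )) -eq "$net" ] || { echo "range start $3 is outside $1/$2"; rc=1; }
    [ $(( hi & mask )) -eq "$net" ] || { echo "range end $4 is outside $1/$2"; rc=1; }
    [ "$lo" -le "$hi" ] || { echo "range start $3 is above range end $4"; rc=1; }
    # The network and broadcast addresses are never valid leases.
    if [ "$lo" -le "$net" ] || [ "$hi" -ge "$bcast" ]; then
        echo "range $3-$4 must exclude the network and broadcast addresses"; rc=1
    fi
    [ $(( gw & mask )) -eq "$net" ] || { echo "router $5 is not on $1/$2"; rc=1; }
    # The gateway's own address inside the pool could be handed to a client.
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
        echo "router $5 lies inside the lease range"; rc=1
    fi
    return $rc
}

# The values from the dhcpd.conf block in this lab:
dhcp_subnet_check 172.16.1.0 255.255.255.0 172.16.1.100 172.16.1.150 172.16.1.1 \
    && echo "subnet block is consistent"
```

If the block is consistent but dhcpd still fails, the remaining suspect is the note above: enp0s8 must be up with 172.16.1.1 so that dhcpd has an interface on that subnet to bind to.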

5. From another virtual machine (Linux Mint VM) with the virtual network adapter set to Internal Network (name: vlan) try picking up an ip address from the CentOS7 DHCP server by setting the local area connection to automatically pick up an IP address (DHCP client)

6. Take a screenshot showing a successful dhcp address lease on a virtual machine using the same Internal Network as the CentOS7 Server. Open a command prompt and issue an ipconfig, or from the Centos Server use the following command to check for dhcp leases:

   # cat /var/lib/dhcpd/dhcpd.leases 


=================================================
 SSH into your server from Windows using PuTTY  – 2pts
=================================================

1. Install the Windows PuTTY client to your Windows computer

2. In Centos check to see if sshd is already started; if not, start it
    
   # service sshd status
   # service sshd start

3. If you did not create a user account when you installed CentOS7 then you will want one:

   # adduser <username>
   # passwd <username>
    <enter a password of your choice>
    <re-enter the password>

4. In Windows open PuTTY, put the ip address of CentOS (enp0s3), click Open and enter your name and password.

5. Take a screenshot of your successful SSH connection.


===============================
 IP Forwarding and Iptables     – 2pts 
===============================

1. Turn on routing in the kernel by setting net.ipv4.ip_forward = 1 

   # sysctl -w net.ipv4.ip_forward=1

   – to make the setting survive a reboot add the setting to the sysctl.conf file

   # nano /etc/sysctl.conf 
   
   –  add the following line, save and quit
   net.ipv4.ip_forward = 1         
      
2. Load the new sysctl settings

   # sysctl -p

3. Configure iptables firewall rules and nat by creating a firewall script to load the configuration commands

   # cd /usr/local/bin
   # touch firewall_script
   # chmod 700 firewall_script
   # nano firewall_script

4. Below is the firewall_script line by line:

#!/bin/bash
# Basic firewall script

# Define variables
ipt="/sbin/iptables"
int_intf=enp0s8
ext_intf=enp0s3

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X

# Set default policies
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

# This line is necessary for the loopback interface
# and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT

# Enable IP masquerading (NAT)
$ipt -t nat -A POSTROUTING -o $ext_intf -j MASQUERADE

# Allow outside connections to servers
$ipt -A INPUT -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

# Enable unrestricted outgoing traffic, incoming traffic
# is restricted to locally-initiated sessions only
$ipt -A INPUT -i $ext_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -i $int_intf -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $ext_intf -o $int_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $int_intf -o $ext_intf -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request  -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

# Reject connection attempts not initiated from inside the LAN
# Note: only new TCP connections are dropped here; because the INPUT policy
# above is ACCEPT, UDP and other protocols arriving on the outside interface
# are still admitted
$ipt -A INPUT -p tcp --syn -j DROP

# Send LAN web requests to Squid,
# the line below is commented out at first until Squid is installed and configured
#$ipt -t nat -A PREROUTING -i $int_intf -p tcp --dport 80 -j DNAT --to 172.16.1.1:3128

5. Start iptables then run your script to configure iptables 

   # service iptables start
   # ./firewall_script        //if errors exist fix script, save, and run script again        
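The most common reason this script fails on its first run is not logic but copy and paste: web pages and word processors turn -- into an en dash and straight quotes into curly ones, and iptables then rejects “–dport” as an unrecognized option. The two functions below are an added example, not the lab's script: the first lists any such characters with line numbers, the second writes an ASCII-clean copy for you to review. They assume the usual substitutions (a single en or em dash standing for --) and need only a POSIX shell with grep and sed.

```shell
# Added example; not the lab's script. Finds and repairs the curly quotes and dashes
# that web pages substitute for ASCII " ' and -- when a script is copied and pasted.
# Assumes the usual word-processor substitutions: one en or em dash stands for "--".

# UTF-8 bytes E2 80 93/94 (en/em dash) and E2 80 98/99/9C/9D (curly single/double quotes)
typo_pat=$(printf '\342\200[\223\224\230\231\234\235]')

paste_artifact_check() {
    # Print each offending line of FILE ($1) with its line number; return 1 if any were found.
    hits=$(LC_ALL=C grep -n "$typo_pat" "$1" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

paste_artifact_fix() {
    # Write an ASCII-clean copy of INFILE ($1) to OUTFILE ($2).
    en=$(printf '\342\200\223');  em=$(printf '\342\200\224')
    lsq=$(printf '\342\200\230'); rsq=$(printf '\342\200\231')
    ldq=$(printf '\342\200\234'); rdq=$(printf '\342\200\235')
    LC_ALL=C sed -e "s/$en/--/g" -e "s/$em/--/g" \
                 -e "s/$lsq/'/g" -e "s/$rsq/'/g" \
                 -e "s/$ldq/\"/g" -e "s/$rdq/\"/g" "$1" > "$2"
}

# Typical use on the lab's script: report, and if anything was found write a clean copy
# next to it so the two can be compared with diff before the clean one replaces the original.
if [ -f /usr/local/bin/firewall_script ]; then
    paste_artifact_check /usr/local/bin/firewall_script \
        || paste_artifact_fix /usr/local/bin/firewall_script /usr/local/bin/firewall_script.clean
fi
```

The check runs grep in the C locale so the three-byte UTF-8 sequences are matched byte for byte regardless of the terminal's own locale.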

6. Take a screenshot of your firewall script and another of your firewall running successfully    

   # service iptables status


===============================
 Install and configure Squid    – 2pts
===============================

1. Install Squid 

   # yum install squid
   # systemctl start squid
   # systemctl enable squid

   # nano /etc/squid/squid.conf

    //since this is now a transparent proxy, on line 62 edit the following line to read
    http_port 3128 intercept

   # systemctl restart squid   //or reload

2. Open up your WindowsXP Pro client, behind your Centos Server (LAN Segment VLAN10) and open a browser to test to see if Squid is intercepting web requests

   # tail -f /var/log/squid/access.log

3. Take a screenshot of the Squid access log 


==========================================
 Install and configure squidGuard    – extra credit 2pts
==========================================

1. Install squidGuard, you need the epel repositories
    
   # yum install epel-release
   # yum install squidGuard

2. Configure Squid to use squidGuard:

   # nano -c /etc/squid/squid.conf

   // add the following line around line 26:
   url_rewrite_program /usr/bin/squidGuard

   # systemctl restart squid

3. Make a blacklists directory in squidGuard

   # mkdir /var/squidGuard/blacklists

   //download a publicly available blacklist file to /usr/local/bin using wget or you could do a testdomains page instead of a full blacklist
   
   # cd /usr/local/bin
   # wget http://www.shallalist.de/Downloads/shallalist.tar.gz
    
   //extract the compressed blacklist file, then copy the folder named “gamble” to the blacklists folder
   //the file extracts into a folder named “BL” and within that folder are the blacklist categories

   # tar -xvf shallalist.tar.gz
   # ls
   # cd BL
   # cp -R gamble /var/squidGuard/blacklists     

4. Configure squidGuard:

   # nano -c /etc/squid/squidGuard.conf
    
//edit the squidGuard.conf file starting at line 33 with the following changes
//(the // notes below are annotations for you, not part of the file):
//comment out the user line shown below in the “src admin” block with a “#”
//comment out all the lines in the “dest adult” block with a “#” in front of each line

src admin {
        ip              1.2.3.4 1.2.3.5
#       user            root foo bar     //don’t forget to comment this out
        within          workhours
}

#dest adult {
#   domainlist blacklists/…
#   urllist blacklists/…
#   expressionlist blacklists/…
#   redirect        http://admin…
#}

dest gamble {                     //add this dest gamble block
    domainlist    gamble/domains        //…add
    urllist       gamble/urls           //…add
}                                 //…add

acl {
    admin {
        pass any
    }

    foo-clients within workhours {
#        pass good !in-addr !adult any    //comment out this line with a “#”
    } else {
        pass any
    }

    bar-clients {
        pass local none
    }

    default {
        pass !gamble any            //change the pass line to “pass !gamble any” so the dest gamble block above is applied
        rewrite dmz
        redirect http://172.16.1.1/blocked.html    //change to redirect to your own blocked webpage
    }
}

5. Add draftkings.com to your gambling blacklist (or any other domains you want to block) 

   # nano -c /var/squidGuard/blacklists/gamble/domains
 
   // add a line at the top of domains for draftkings.com (you can add more test domains to block also)

6. Compile the squidGuard database files, then chown the entire blacklists folder and files

   # squidGuard -b -d -C all
   # chown squid:squid -R /var/squidGuard/blacklists

7. Reload Squid

   # systemctl restart squid

8. Go to the Linux Mint or Windows virtual machine on the internal network vlan10
   and open a browser to test whether Squid is using squidGuard to block unsavory websites.
   If you cannot browse to a gambling domain listed in the gamble/domains file, then squidGuard is working.

   // while you browse from the LAN segment host, watch the access log on the CentOS server with an ongoing tail:
   # tail -f /var/log/squid/access.log

9. Create a blocked.html file by copying your index.html file

   # cp /var/www/html/index.html /var/www/html/blocked.html

10. Edit the blocked.html file content to read, “You are blocked!”

   # nano /var/www/html/blocked.html

   //you should now see your blocked.html page every time squidGuard blocks a web site or domain

11. Take a screenshot of a successful blocked page result from the virtual machine client (Mint or Win) on the internal network (vlan)

Video Walkthrough


Install and Configure Squid in Ubuntu

Squid in Ubuntu Overview

A proxy server is a very useful tool for a network. It is commonly used in computer networks to protect the network from attack, to filter nefarious web content and pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested web pages, documents, and media. Proxy servers are typically implemented on private, local area networks, to filter, protect and cache content requested by users on that network, this is called “proxy” or “transparent proxy.” Proxy servers can also be implemented on the remote side “in-front-of” destination webservers in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files, this is called “reverse proxy.”

Types of Proxy Servers

– Proxy Server: The web browser on the client is configured to point to the proxy server’s IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.
– Transparent Proxy Server: The router sends all traffic on defined ports to the transparent proxy server; this way clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.
– Reverse Proxy Server (Caching): The reverse proxy server or cache server is placed in front of the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.

diagram of proxy server scenarios

Squid is one of the most popular and most used proxy servers in the world. It is free to download, easy to install and it can be implemented on any distribution of Linux. Here are the steps to install and configure Squid on an Ubuntu distribution of Linux.

Steps to install and configure Squid

Open a terminal, and type in the following commands to install Squid

sudo apt-get update
sudo apt-get install squid squid-common

Ways to start and stop Squid

sudo service squid start (stop|restart|status)
sudo /usr/sbin/squid (launch program directly)
sudo pkill -9 squid

Navigate to the Squid folder to find the squid.conf configuration file

cd /etc/squid
ls (you should see the squid.conf file)

Create a backup of the squid.conf file

sudo cp squid.conf squid.conf.bak

For testing purposes open Firefox and set it to send web requests to the Squid Proxy Server (You will need to know your ip address)

ifconfig (write down your inet address e.g. 192.168.1.100)
 

Open Firefox

Edit > Preferences, Advanced > Network Tab > Connection-Settings:

Manual Proxy Configuration:

HTTP Proxy: your IP address or loopback address 127.0.0.1,    Port: 3128
   Click Ok and Close

Now if you try and go to a website like google you should see an ERROR – Access Denied message from Squid (see bottom line). This means that Squid is working by actively denying the traffic.

Now we need to configure Squid to allow web traffic through the proxy server. Open squid.conf in your favorite text editor like gedit, nano, or vi

sudo nano squid.conf

or

sudo gedit squid.conf & (If gedit does not open from the terminal you can open it as root user)
sudo su
gedit squid.conf &

To switch out of root user

su your-username (if you are root user the prompt is a "#" switch back to your user account privilege)

If you chose to open with squid.conf with gedit, then turn on line numbering (Edit > Preferences > View >Display Line Numbers)

Change the name of your Squid Proxy Server, around line 3399, change:

#    TAG: visible_hostname

to

 visible_hostname YourNameProxyServer  

You can configure access rules for your Squid proxy server (lines 331 to 831 are for Access Control). Notice that on lines 606 to 630 the local networks and usable ports (services) are defined. Active configuration lines are the lines that are not commented out, i.e. they do not start with a # sign.

To re-enable web access uncomment line 676

#http_access allow localnet

to

http_access allow localnet

To verify the Web is now working, save your changes to the squid.conf file and restart your Squid server.

sudo service squid restart

Now refresh your Firefox web browser and your homepage should be visible.

Now we can practice writing a custom ACL (access list) in the squid.conf file to block specific domains and websites. We can write our custom ACL at the end of the acl lines around line 631. From an empty line write the following lines to test domain blocking.

acl blocked_websites dstdomain .msn.com .yahoo.com
http_access deny blocked_websites

Now restart your Squid server, and test to see if Squid denies access to your blocked domains/websites in Firefox.
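To see why the order of those two lines matters, here is an added example (not from the tutorial) that reproduces Squid's dstdomain matching in the shell: an entry with a leading dot covers the domain and all of its subdomains, an entry without the dot matches that one host only, names are compared case-insensitively, and http_access lines are evaluated top down with the first match deciding. The rule order mirrors the tutorial, the deny line for blocked_websites sitting above the allow localnet line.

```shell
# Added example; not part of the tutorial. Simulates Squid's dstdomain ACL matching
# and the first-match evaluation of http_access lines for the two rules above.

blocked_websites=".msn.com .yahoo.com"   # the acl line from the tutorial

dstdomain_match() {
    # Usage: dstdomain_match HOST ENTRY...   returns 0 when HOST matches any ENTRY.
    # ".msn.com" matches msn.com and every subdomain; "msn.com" matches only msn.com.
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    for entry in "$@"; do
        case $entry in
            .*) [ "$host" = "${entry#.}" ] && return 0
                case $host in *"$entry") return 0 ;; esac ;;
            *)  [ "$host" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

http_access_decide() {
    # Mirrors the order of the http_access lines the tutorial ends up with:
    #   http_access deny blocked_websites   (the custom ACL, added near line 631)
    #   http_access allow localnet          (re-enabled earlier, line 676)
    # The first line that matches decides, so the deny must come before the allow.
    if dstdomain_match "$1" $blocked_websites; then
        echo deny
    else
        echo allow
    fi
}

for h in www.msn.com MSN.COM news.yahoo.com notmsn.com msn.com.example.org; do
    printf '%-22s %s\n' "$h" "$(http_access_decide "$h")"
done
```

The last two hosts in the loop show the two edges worth remembering: notmsn.com is not a subdomain of .msn.com because the dot is part of the match, and msn.com.example.org is allowed because the suffix comparison runs from the right.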

Video Tutorials

In this series of videos, I go through the same process outlined above, to install and configure a Squid proxy server in Ubuntu .

In part 1, I install Squid in Ubuntu, start and stop it, backup the configuration
file, and configure Firefox to use Squid as a proxy server

In part 2, I discuss editing the configuration file

In part 3, I write a custom ACL in the squid.conf file

Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard

Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard Overview

Most routers for the home don’t do a very good job at filtering objectionable web content. One possible solution is to turn a Raspberry Pi into a proxy web filter that can protect users on your home network. In this lab, I turn a Raspberry Pi running the Raspbian Linux operating system into a robust web proxy that filters objectionable web sites. In order to turn the Raspberry Pi into a web proxy I install and configure Squid and SquidGuard, and then I download and configure a blacklist file which is available for personal use through a creative commons license. This lab focuses on turning the Raspberry Pi into a standalone proxy server that can be reached by changing the network clients web browser proxy settings, or by configuring the router to direct web traffic to the proxy server. In a follow up lab, you could configure the Raspberry Pi as a transparent inline proxy server.

Step-by-step instructions

First, I recommend updating your repositories and then installing the program locate and updating the index/database of file locations. This will help you if you need search for the file paths to the Squid and SquidGuard configuration files. After installing Squid and SquidGuard you will want to run the sudo updatedb command again in order to make the newly installed files indexed and searchable with locate.

$ sudo apt-get update
$ sudo apt-get install locate
$ sudo updatedb

1. Install Squid, start it, and set it to start on boot

$ sudo apt-get install squid3
$ sudo update-rc.d squid3 enable

Use netstat to check whether Squid is listening on port 3128; also, using ps, notice that the Squid worker process runs as user and group proxy:proxy

$ sudo netstat -antp |grep squid
$ sudo ps -aux |grep squid

2. Edit the Squid configuration file and then reload Squid. Notice, that I run updatedb and then use locate to find the location of the squid.conf file

$ sudo updatedb
$ sudo locate squid.conf
$ sudo nano -c /etc/squid3/squid.conf

on lines 1038 to 1040 uncomment the lines that start with #acl localnet src …  (In nano use the Ctrl+w keys to search for, and jump to, specific lines in the configuration file)

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

on line 1209 uncomment the line #http_access allow localnet

http_access allow localnet

on line 1613 make sure http_port 3128 is uncommented:

http_port 3128

save and quit.

$ sudo service squid3 reload

or

$ sudo service squid3 restart

3. Now that Squid is running you can test it from another computer on the network by going to another computer and changing the settings in Firefox or Chrome to point to the Squid web proxy on the Raspberry Pi. Open Firefox and go to File > Options > advanced > network tab > connection settings > manual proxy configuration

and set it to: <the ip address of the computer/RPi running squid>:3128

*Note: In order to test the Squid proxy server from another computer you will need to make sure that the proxy server’s firewall is not blocking outside requests. Depending on your distribution the Linux firewalld or iptables firewall can be actively blocking outside requests. You will need to add a rule to allow requests on port 3128. On the Raspbian operating system by default there should be no firewall activated, but just in case, you can turn off the iptables firewall using the following command:

$ sudo service iptables stop

4. You can monitor the access log to see it working

$ sudo tail -f /var/log/squid3/access.log

Now browse the web in Firefox, or the web browser of your choice to see if you are able to receive webpages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look to the output of Squid’s access.log file to see the requests reaching Squid (issue the tail command shown above)

5. With Squid working you can now install SquidGuard

$ sudo apt-get install squidGuard

6. Now that SquidGuard is installed, you will want to download a blacklist of websites and domains that you can block with SquidGuard. You can find more information at http://squidguard.org on SquidGuard and where to find blacklists. A great resource is located at http://dsi.ut-capitole.fr/blacklists/ which has an extensive blacklists.tar.gz file under a “creative commons” license. The website http://www.shallalist.de has a similar downloadable blacklist with similar license terms. You will find links to other commercial blacklist sites as well. For this lab, I recommend downloading the shallalist.tar.gz file from http://www.shallalist.de. You can download it from the command line using wget or from the GUI using a web browser. Download the blacklist file to your Downloads or home folder, but before you install a full blacklist let’s create a testdomains file with test domains for SquidGuard to practice blocking

$ cd /var/lib/squidguard/db
$ sudo nano testdomains

type in three lines of text to add some test-domains to block:

yahoo.com
msn.com
whatever-you-want-to-block.com

save and exit.
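squidGuard reads a domainlist as bare, lower-case domain names, one per line, where each entry also covers its subdomains; an entry pasted as https://Yahoo.com/news or left with a Windows line ending never matches anything. The functions below are an added example, not part of this lab or of the CentOS squidGuard lab above (whose gamble/domains file gets the same treatment): the first prints a cleaned, de-duplicated copy of a domains file, the second lists entries that still do not look like domain names. A leading www. is deliberately kept, because removing it widens the entry to the whole domain, which is a decision for the administrator.

```shell
# Added example; not part of this lab or the CentOS squidGuard lab above.
# Usage: domainlist_clean /var/lib/squidguard/db/testdomains > testdomains.clean

domainlist_clean() {
    # 1. drop CR (Windows line endings), comments and surrounding whitespace
    # 2. strip a scheme, anything from the first slash on, a :port and a trailing dot
    # 3. lower-case, drop empty lines, sort and de-duplicate (C locale for a stable order)
    tr -d '\r' < "$1" \
      | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's,^[A-Za-z][A-Za-z0-9+.-]*://,,' -e 's,/.*$,,' \
            -e 's/:[0-9]*$//' -e 's/\.$//' \
      | tr 'A-Z' 'a-z' \
      | grep -v '^$' \
      | LC_ALL=C sort -u
}

domainlist_invalid() {
    # Cleaned entries that are still not domain names: a label is [a-z0-9] with
    # optional inner hyphens, and at least two labels joined by dots are required.
    domainlist_clean "$1" \
      | grep -v '^[a-z0-9]\([a-z0-9-]*[a-z0-9]\)\{0,1\}\(\.[a-z0-9]\([a-z0-9-]*[a-z0-9]\)\{0,1\}\)\{1,\}$' \
      || true
}

# Typical use: review the cleaned list, then replace the original and recompile (squidGuard -C all).
if [ -f /var/lib/squidguard/db/testdomains ]; then
    domainlist_invalid /var/lib/squidguard/db/testdomains
    domainlist_clean /var/lib/squidguard/db/testdomains
fi
```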

7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.

$ cd /etc/squidguard
$ sudo cp squidGuard.conf squidGuard.conf.bak
$ sudo nano -c /etc/squidguard/squidGuard.conf

In the config file, add the following text elements (shown in red on the original page: the dest test block and the pass and redirect lines of the default acl). Be careful in your edits; incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.

#dest adult {
#   domainlist        BL/porn/domains
#   urllist        BL/porn/urls
#   expressionlist    BL/adult/expressions
#   redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
domainlist testdomains
}

acl {
admin {
pass any
}

foo-clients within workhours {
#           pass good !in-addr !adult any
} else {
pass any
}

bar-clients {
pass local none
}

default {
pass !test any
redirect http://127.0.0.1/blocked.html
}
}

Save and exit

8. Now install the Apache2 webserver and create a blocked.html page using nano

$ sudo apt-get install apache2
$ cd /var/www/html
$ sudo nano blocked.html

<html>
<head>
<title>Blocked!</title>
</head>
<body>
<h1>You have been blocked by Raspberry Pi administrator!</h1>
</body>
</html>

Save and exit

9. Now you need to compile the SquidGuard blacklists.

$ sudo squidGuard -C all

10. Now give Squid3 ownership or access to some of the squidguard files and directories:

$ sudo chown -R proxy:proxy /var/lib/squidguard/db
$ sudo chown -R proxy:proxy /var/log/squidguard
$ sudo chown -R proxy:proxy /usr/bin/squidGuard

11. Edit the squid.conf file and then reload Squid

$ sudo nano -c /etc/squid3/squid.conf

Add the following line to the squid.conf file around line 4168:

url_rewrite_program /usr/bin/squidGuard

$ sudo service squid3 reload

12. Now open the Firefox browser from another computer and test to see if the domains listed in the testdomains file in step 6 are successfully blocked. Domains not listed in the testdomains file should be allowed. In other words, from another computer with the web browser configured with the proxy settings of the Raspberry Pi’s ip address and port number 3128, try browsing to msn.com or one of the domains listed in the testdomains file that you created in step 6

13. If you were successful at blocking the testdomains then it’s time to extract and decompress the shallalist.tar.gz file that you downloaded in Step 6. When you extract shallalist.tar.gz it will extract into a folder titled BL. You will then copy BL to the squidguard db folder

$ cd ~/Downloads
$ tar -xzf shallalist.tar.gz
$ ls
$ sudo cp -R BL /var/lib/squidguard/db
$ cd /var/lib/squidguard/db

Now recursively change permissions on the BL blacklists folder so you can list through the various blacklist categories that you may wish to activate. You will need to know the name paths of the categories, folders and files that you will want to compile to work with SquidGuard

$ sudo chmod -R 755 /var/lib/squidguard/db/BL
$ sudo chown -R proxy:proxy /var/lib/squidguard/db/BL
$ ls /var/lib/squidguard/db/BL

14. Now you can edit the squidGuard.conf file to configure it to begin blocking undesirable content

$ sudo nano -c /etc/squidguard/squidGuard.conf

In the config file, change the following lines (shown in red on the original page: the new dest gamble block and the pass line of the default acl). Be careful in your edits; incorrect syntax will cause squidGuard to fail. You will need to add a dest gamble block as well as changing the paths to the content you intend to block. Notice under dest gamble that I change the paths under domainlist and urllist to match the content and paths in the BL folder

<… previous lines in the squidGuard configuration file are omitted>
#dest adult {
#   domainlist        BL/porn/domains
#   urllist        BL/porn/urls
#   expressionlist    BL/adult/expressions
#   redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
domainlist testdomains
}

dest gamble {
domainlist     BL/gamble/domains
urllist             BL/gamble/urls
}

acl {
admin {
pass any
}

foo-clients within workhours {
#          pass good !in-addr !adult any
} else {
pass any
}

bar-clients {
pass local none
}

default {
pass !gamble !test any
redirect http://127.0.0.1/blocked.html
}
}

Save and exit

15. Now you need to recompile the SquidGuard blacklists which will create new squidGuard blacklist database files. Then change ownership of the files in the db folder to proxy

$ sudo squidGuard -C all
$ sudo chown -R proxy:proxy /var/lib/squidguard/db

16. Reload Squid and then use Firefox from another computer to test to see if Squid and SquidGuard are blocking websites with known adult content. You may want to execute this test privately or with the majority of the web browser dragged off screen … just in case it doesn’t work!

$ sudo service squid3 reload
$ sudo service squid3 status

Install OpenVPN in a Centos 7 Virtual Machine -Page 2

OpenVPN Lab continued from Page 1

Install the EPEL Repositories
========================

To install OpenVPN you will need the EPEL repositories

13. Using yum install EPEL

yum install epel-release

Disable firewalld and use iptables
===========================

14. Centos 7 has the new firewalld dynamic firewall daemon installed by default. Firewalld has many updated and advanced features that you would want in a firewall; however, if you are more familiar with the iptables firewall service you can disable firewalld and use iptables. The following commands assume root access through su.

   systemctl stop firewalld
   systemctl disable firewalld

   yum install iptables-services   //iptables should already be installed, if not then type y to install.

   systemctl enable iptables
   systemctl start iptables
   systemctl status iptables
   systemctl stop iptables

Stop iptables with the intention of configuring it later in the lab.

Install and Configure the OpenVPN Server
===================================

15. Install OpenVPN server

yum install openvpn

16. Copy the sample OpenVPN server configuration file to the /etc/openvpn folder

   cd /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/
   ls
   cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn

17. Edit the OpenVPN server.conf file

   cd /etc/openvpn
   nano server.conf

edit -> uncomment the following lines and change the DNS server addresses
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody

Install Easy-RSA to create a certificate authority, server certificates, and keys
================================================================

18. Install easy-rsa to handle encryption, certificates, and keys

yum install easy-rsa
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

19. Change the variables file in the easy-rsa folder

nano /etc/openvpn/easy-rsa/vars

edit -> change the following lines (the following settings are just my example settings):
export KEY_COUNTRY="US"
export KEY_PROVINCE="OR"
export KEY_CITY="Portland"
export KEY_ORG="danscourses"
export KEY_EMAIL="webadmin@danscentos-s2.danscourses.com"
export KEY_OU="danscourses"

20. Build your server's security certificates and keys. You can accept the default settings.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server $( hostname )
./build-dh

21. Copy your server certificates and keys to the openvpn folder

cd /etc/openvpn/easy-rsa/keys
cp ca.crt danscentos-s2.crt danscentos-s2.key dh2048.pem /etc/openvpn

Start the OpenVPN Server
=====================

22. Restore the SELinux security context and create a symbolic link for systemd

restorecon -Rv /etc/openvpn
ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service

23. Edit the OpenVPN server.conf file and change the names of the server certificate and server key, to match the certificates and keys that you created. Save the file and exit.

cd /etc/openvpn
nano server.conf

in server.conf change the following lines:
cert server.crt
key server.key    # This file should be kept secret

replace the word “server” with your server’s hostname which should be the name of your server certificate and key files:
cert danscentos-s2.crt
key danscentos-s2.key    # This file should be kept secret

24. Start the OpenVPN server

systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service


Install OpenVPN in a Centos 7 Virtual Machine - Page 3

OpenVPN Lab continued from Page 2

Build the client keys using easy-rsa
=============================

You can build separate client keys for each client you wish to allow to connect to your server.

25. Navigate to the easy-rsa directory and build your client keys.

cd /etc/openvpn/easy-rsa
source ./vars
./build-key myclient

Copy the client keys to the client’s computer
=====================================

26. Change directories to the keys folder and verify your client keys. You should see files named myclient.crt and myclient.key.

cd /etc/openvpn/easy-rsa/keys
ls

27. Copy the files ca.crt, myclient.crt, and myclient.key to the remote client computer using a flash drive, emailing the files, or using an SSH/SCP client like Filezilla. To copy the files using Filezilla you may first need to copy the files to a folder like Documents that does not require root access and then change the file permissions on myclient.key so that group and public have read access. The client computer used to connect to the OpenVPN server can be a computer running Windows, Linux, or OSX.

cp ca.crt myclient.crt myclient.key /home/student/Documents
cd /home/student/Documents
ls -l
chmod 644 myclient.key

Now from a remote computer you can use a program like Filezilla to copy the files from the server. Once the copy is done, tighten the permissions on myclient.key again (and remove the copies left in Documents), since a private key that stays readable by every user on the server defeats the purpose of per-client keys.

Create the client OpenVPN configuration file used to connect to the server
=============================================================

28. Using a text editor like nano in Linux or notepad in Windows create the text file myclient.ovpn and place it in the same directory as the ca.crt, myclient.crt, and myclient.key files that you copied from the Centos 7 server.

nano myclient.ovpn

add the following lines:

client
dev tun
proto udp
remote <centos server ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert myclient.crt
key myclient.key

auth-user-pass

On the server, enable Centos 7 to forward packets through its network interfaces
==================================================================

29. Use sysctl to allow IP packet forwarding. Add the following line to the sysctl.conf file

nano /etc/sysctl.conf
edit -> net.ipv4.ip_forward = 1

sysctl -p

Enable the OpenVPN pam authentication module to add user authentication
==============================================================

30. Using the OpenVPN auth-pam plugin, the OpenVPN server can authenticate clients against the Linux system user accounts. To do this you will need to create a PAM service file:

touch /etc/pam.d/openvpn
nano /etc/pam.d/openvpn

then add the following two lines:
auth    required    pam_unix.so    shadow    nodelay
account required    pam_unix.so

31. Add the following line to the end of the OpenVPN server.conf file

nano /etc/openvpn/server.conf

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

On the server, add and uncomment two lines in the OpenVPN server.conf file
=============================================================== 

32. In server.conf, add a line to push a route to the server's inside LAN network and uncomment a line to allow client-to-client communication between tunneled users.

cd /etc/openvpn
nano server.conf

add/uncomment the following two lines:

push "route 192.168.10.0 255.255.255.0"
client-to-client

Ctrl+x, type y and press enter to save.

33. Now restart the OpenVPN server

systemctl stop openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service

Connect to the OpenVPN Server from a client computer
===============================================

34. With root access, use the following command to connect to the server from a Linux host. Notice that in the example command below the myclient.ovpn file is in the current directory; if the ovpn config file is in a different directory you will need to provide the path. You may need to install openvpn and easy-rsa if openvpn is not already installed on your Linux client.

openvpn myclient.ovpn

OpenVPN is now running in that terminal window. To close the OpenVPN connection press Ctrl+c; to continue working you will need to open a new terminal window. You can also close OpenVPN and the tunnel connection using the pkill program.

pkill openvpn

35. In a new terminal window examine your tunnel interface using ifconfig. You should see a tun0 interface with a 10.8.0.0 range IP address.

ifconfig

36. Test to see if you can ping the router's tunnel interface at 10.8.0.1, as well as communicate with the inside LAN network at 192.168.10.1

ping 10.8.0.1
ping 192.168.10.1

37. To connect to the OpenVPN server from a Windows client computer you will need to download and install the OpenVPN client program from http://openvpn.net. You will find the Windows client installer at the website under community downloads. After installing the OpenVPN client for Windows you will need to copy the ca.crt, myclient.crt, myclient.key, and myclient.ovpn files to the C:\Program Files (x86)\OpenVPN\config\ folder, or if you installed the 64bit version of the OpenVPN client the location will be C:\Program Files\OpenVPN\config\.

38. Now start the Windows OpenVPN client. It will launch into the System Tray. Right click the OpenVPN icon in the System Tray, choose the config file and select Connect.

Start > Programs > OpenVPN GUI
Right click the OpenVPN icon in the system tray, and select Connect.

Configure the iptables firewall to allow OpenVPN connections
===================================================

Earlier in the lab, I shut down the iptables firewall with the intention of turning it back on after configuring it to allow OpenVPN connections.

39. to be posted soon…
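Step 39 was never posted. As an added example that is not the lab author's rule set, here is a shell script that prints, or with the argument apply applies, an iptables rule set for the topology used throughout this lab: eth0 as the bridged outside interface, eth1 as the 192.168.10.0/24 LAN, tun0 as the 10.8.0.0/24 tunnel and OpenVPN on UDP 1194 (all values from earlier steps); allowing SSH only from the LAN and from tunnel clients is an assumption beyond the page.

```shell
#!/bin/sh
# Added example for the unposted step 39 (not the lab author's rule set).
# Topology from the lab: eth0 = bridged/outside interface, eth1 = inside LAN
# 192.168.10.0/24, tun0 = OpenVPN tunnel handing out 10.8.0.0/24, UDP 1194.
# SSH from the LAN and from tunnel clients is an assumption beyond the page.

OUT_IF="${OUT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"

# Print the rule set as one iptables command per line without touching the
# kernel, so it can be reviewed (or diffed) before it is applied.
openvpn_rules() {
    cat <<EOF
# start from empty filter and nat tables
iptables -F
iptables -t nat -F
# local traffic and replies to connections this host started
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the OpenVPN listener is the only service exposed on the outside interface
iptables -A INPUT -i $OUT_IF -p udp --dport $VPN_PORT -j ACCEPT
# management (SSH, ping) only from the inside LAN and from tunnel clients
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $VPN_IF -s $VPN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p icmp -j ACCEPT
iptables -A INPUT -i $VPN_IF -s $VPN_NET -p icmp -j ACCEPT
# forwarding: tunnel clients reach the LAN (pushed route) and the internet
# (redirect-gateway); LAN hosts use this box as their gateway
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -s $VPN_NET -o $LAN_IF -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -s $VPN_NET -o $OUT_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $OUT_IF -j ACCEPT
# source NAT for everything leaving through the bridged interface
iptables -t nat -A POSTROUTING -s $VPN_NET -o $OUT_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -s $LAN_NET -o $OUT_IF -j MASQUERADE
# default-deny policies go last so an existing admin session is not cut off
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Apply the printed rules in order (needs root), then persist them to
# /etc/sysconfig/iptables for the iptables-services unit enabled in step 14.
apply_openvpn_rules() {
    openvpn_rules | sh -e && service iptables save
}

case "${1:-show}" in
    apply) apply_openvpn_rules ;;
    *) openvpn_rules ;;
esac
```

Review the printed rules first; running the script with apply also saves them with service iptables save so they are loaded again when the iptables service is started.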

 


Install OpenVPN in a Centos 7 Virtual Machine - Page 1

Install OpenVPN Overview

OpenVPN is an incredible tool for creating securely encrypted, remote network-to-network and client-to-network tunneled connections. You can think of it like this: if you have an OpenVPN connection to a network, then you have a secure connection to that network and all the resources on that network, like printers, file servers, other host computers, etc. To set it up, you need to install an OpenVPN access server on one computer, and then on a separate computer, install an OpenVPN client for connecting to the server remotely. The goal of the lab is to install and configure an OpenVPN server, and then from a second computer, open a tunnel to the server using an OpenVPN client. To do this, you will first need to install Centos 7 (64bit) in a VMware Player virtual machine. Since this is a test case scenario, during the Centos 7 installation, I recommend installing the Gnome Desktop instead of the default, minimal install. When creating the virtual machine with VMware Player you will need to add an additional virtual network interface (NIC) to your virtual machine. After creating the virtual machine, edit the virtual machine settings, add a second network adapter, then change it from Bridged mode to LAN Segment mode. You will need to create/add a LAN Segment, name it VLAN10, and then configure the network adapter to the LAN Segment (VLAN10) setting. The virtual machine will have two network adapters, the first in Bridged mode, and the second in LAN Segment mode (VLAN10).

Install Centos in a VM

Start up your VMware Centos 7 virtual machine, run through the installation, install the Gnome desktop environment, and create a student account as well as a root password. After the install, start Centos and log in. At the desktop, go to Applications and open a terminal window. In the terminal issue an ifconfig command to verify the presence of the two network adapters; they will probably show up as eno16777736 and eno33554960. If the second network adapter did not appear after issuing the ifconfig command, then shut down Centos, edit the virtual machine settings in VMware Player, and remove and then re-add the second network adapter, until the second network adapter registers as present from within Centos.

The diagram below represents a network hosted from a single computer using virtual machines. The single physical host computer is the laptop represented by the laptop icon and the black rectangular outline. The virtual machines are running inside the laptop using VMware Player, VMware Workstation, or Virtualbox. Notice the Centos 7 Server has two Ethernet network adapters. The bridged mode network adapter places the Centos 7 eth0 interface on the network just like any other physical computer. Notice that by configuring eth0 with a DHCP client it will obtain an IP address just like the laptop. The eth1 network adapter is in LAN Segment mode, which will allow it to communicate with any other virtual machines that are similarly configured with an identical LAN Segment network adapter. In this scenario, if the Interior Client virtual machine wishes to connect to the internet, it will need to go through the Centos 7 Server, making the Centos 7 Server a transparent proxy or gateway for any virtual machines on the LAN Segment. With 8Gb of RAM and a quad core processor on the host computer it is possible to run two virtual machines simultaneously.

Lab Steps

Change the server’s hostname
=========================

1. Get root super-user access using su. Everything in this exercise is done with root access.

su

2. Change localhost.localdomain to a server name of your choice (e.g. danscentos-s2)

nano /etc/hostname

3. Add your new hostname to the file (e.g. 127.0.0.1 danscentos-s2 localhost localhost.localdomain …)

nano /etc/hosts

Change the Network Interfaces to eth0 and eth1
=======================================

For some strange reason the network interfaces show up as: eno16777736 and eno33554960. Thanks to some great websites, I was able to find a fix.

4. In the following file search for the line "GRUB_CMDLINE_LINUX" and append the following to it: net.ifnames=0 biosdevname=0
note: make sure to append the text inside the closing quotation mark, so the line ends like this: net.ifnames=0 biosdevname=0"

nano /etc/default/grub

grub2-mkconfig -o /boot/grub2/grub.cfg

reboot

5. After rebooting, use su for root access. Enter the hostname command to verify your new hostname. Do an ifconfig and you should see the following network interfaces: eth0, eth1, and lo. If not, go back to step 4 and try again.

Configure the Network Interfaces
===========================

6. To configure the network interfaces we need the network-scripts directory

cd /etc/sysconfig/network-scripts/

7. Rename the ifcfg-eno16777736 file to ifcfg-eth0, then do an ls command to verify

mv /etc/sysconfig/network-scripts/ifcfg-eno16777736 /etc/sysconfig/network-scripts/ifcfg-eth0

8. Copy the ifcfg-eth0 file to ifcfg-eth1 so now you have a config file for each network interface. Do an ls command to verify

cp /etc/sysconfig/network-scripts/ifcfg-eth0 ifcfg-eth1

9. Edit the ifcfg-eth1 file

nano ifcfg-eth1

//change the contents of ifcfg-eth1 to the following, exit and save:

TYPE="Ethernet"
DEVICE="eth1"
BOOTPROTO="static"
IPADDR="192.168.10.1"
NETMASK="255.255.255.0"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
NAME="eth1"
ONBOOT="yes"

10. Edit the ifcfg-eth0 file

nano ifcfg-eth0

//change the contents of ifcfg-eth0 to the following, exit and save:

TYPE="Ethernet"
DEVICE="eth0"
BOOTPROTO="dhcp"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
NAME="eth0"
ONBOOT="yes"

Remove the Network Manager
=========================

11. Since this is a server, I recommend removing the Network Manager and relying on manual network configuration instead.

systemctl stop NetworkManager
systemctl disable NetworkManager
service network restart

12. Reboot, then login and verify network connectivity and internet access. You should see that eth0 received an IP address through DHCP and that eth1 has the IP address 192.168.10.1. If not, then re-edit your ifcfg-eth0 and ifcfg-eth1 configuration files.

reboot
ifconfig
ping yahoo.com

Note: you can manually bring a network interface up or down with the following commands

ifconfig eth0 down
ifconfig eth0 up
ifconfig eth1 down
ifconfig eth1 up


How to Install Squid & SquidGuard in CentOS

How to Install Squid and SquidGuard in CentOS Overview

A proxy server is a very useful tool for a computer network. Proxy servers are commonly used in computer networks to protect the network from attack, to filter undesirable web content and web pages requested by local users, and to speed up the delivery of web pages and web content by caching (storing) commonly requested web pages, documents, and media. Proxy servers are typically implemented on private local area networks to filter, protect and cache content requested by users on that network; this is called a “proxy” or “transparent proxy.” Proxy servers can also be implemented on the remote side, “in front of” destination web servers, in order to protect those servers by filtering requests, speeding up web page delivery, and caching frequently requested files; this is called a “reverse proxy.”

Squid is one of the most popular and most used proxy servers in the world. It is free to download, easy to install and it can be implemented on any distribution of Linux. Here are the steps to install and configure Squid and SquidGuard on a CentOS distribution of Linux.

Types of Proxy Servers

Proxy Server: The web browser on the client is configured to point to the proxy server’s IP address. The client can bypass the proxy server by removing or altering the proxy address configuration. An administrator could prevent this by creating a GPO in Active Directory that blocks access to the web browser settings. A proxy server can also function as a caching server.
Transparent Proxy Server: The router sends all traffic on defined ports to the transparent proxy server; this way clients cannot bypass the proxy server. A transparent proxy server can also function as a caching server.
Reverse Proxy Server (Cache): The reverse proxy server or cache server is placed in front of, or prior to, the web server in order to speed up delivery of frequently requested pages and to protect the web server by creating a layer of separation and redundancy.

Step-by-step instructions

1. Install Squid, start it, and set it to start on boot.

$ su -
# yum install squid
# service squid start
# chkconfig squid on

Check to see if it is listening on port 3128.

# netstat -antp |grep squid
# ps -aux |grep squid

2. Edit the Squid configuration file to change Squid from IPv6 to IPv4. Reload Squid.

# vim /etc/squid/squid.conf

on line 62 change http_port :::3128 to  http_port 0.0.0.0:3128
save and quit.

# service squid reload
or
# service squid restart

3. Now that squid is running you can test it out directly from your CentOS Linux machine by setting Firefox to use the Squid web proxy. Open Firefox and go to File > Options > advanced > network tab > connection settings > manual proxy configuration.

set it to: 127.0.0.1:3128

Now request a web page from Firefox. The request will be forwarded to Squid, running on the local system at the loopback address and port, 127.0.0.1:3128. You can also test Squid from a different computer on the network by adjusting that computer’s web browser settings to use a proxy. In Internet Explorer go to Tools > Internet options > Connections (tab) > LAN settings > Proxy server and set the address to the IP address of the proxy server and the port number to 3128. In Firefox, go to File > Options > advanced > network tab > connection settings > manual proxy configuration, and set the address and port number to the proxy server’s IP address and port number 3128.

*Note: In order to test the Squid proxy server from another computer you will need to make sure that the proxy server’s firewall is not blocking outside requests. Depending on the release and type of CentOS Linux distribution, the iptables firewall can be actively blocking outside requests. You will need to add a rule to allow requests on port 3128. In the meantime, for testing purposes just turn off the iptables firewall.

# service iptables stop

4. You can monitor the access log to see it working.

# tail -f /var/log/squid/access.log 

Now browse the web in Firefox, or the web browser of your choice to see if you are able to receive webpages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look to the output of Squid’s access.log file to see the requests reaching Squid (issue the tail command shown above).

5. With Squid working you can now go about installing SquidGuard.

If you do not already have the EPEL repositories, you will need to install additional repositories in CentOS in order to access necessary software packages that are not available in the default repositories. Install the Extra Packages for Enterprise Linux (EPEL) release package, the epel-release for the current version of Enterprise Linux (EL6). You can find it at the following website: http://fedoraproject.org/wiki/EPEL. A direct link to the RPM is in the command below. Eventually the link will be outdated and need to be replaced. For 64 bit systems you can change /i386/ to /x86_64/ in the command below.

# yum install http://ftp.osuosl.org/pub/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

Now install SquidGuard.

# yum install squidGuard

6. Now that SquidGuard is installed, open Firefox and go to the SquidGuard website: http://squidguard.org . The SquidGuard website has links to configuration documentation and websites to download blacklists. You need to download a blacklists file. You can go to http://dsi.ut-capitole.fr/blacklists/ and get the link for the blacklists.tar.gz file, then you can use wget to download blacklists.tar.gz by copying and pasting the link, or you can download it through the Firefox web browser. Squidguard has its own blacklists.tar.gz file, and you will eventually want to replace it with the newer blacklists.tar.gz file that you downloaded. Before you do that, you can create a test blacklists file for SquidGuard to block. To do that you need to create a blacklists directory in the /var/squidGuard/ directory. Now, in the new blacklists directory, use vim to create and edit a text file named testdomains.

# cd /var/squidGuard
# mkdir blacklists
# cd blacklists
# vim testdomains

type in three lines of text to add some test-domains to block:
yahoo.com
msn.com
whatever-you-want-to-block.com

save and exit.

7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.

# cp /etc/squid/squidGuard.conf /etc/squid/squidGuard.conf.BAK
# vim /etc/squid/squidGuard.conf

In the config file, add the following text elements (the original page highlighted the additions in red; that highlighting is lost here, so note that the additions are the dest test block and the changed pass and redirect lines in the default acl, while the rest is the stock file). Be careful in your edits: incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.

#dest adult {
#   domainlist blacklists/porn/domains
#   urllist blacklists/porn/urls
#   expressionlist blacklists/porn/expressions
#   redirect        http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
    domainlist testdomains
    redirect http://www.google.com
}

acl {
    admin {
        pass any
    }

    foo-clients within workhours {
        #   pass good !in-addr !adult any
    } else {
        pass any
    }

    bar-clients {
        pass local none
    }

    default {
        pass !test any
        rewrite dmz
        redirect http://www.google.com
    }
}

8. Now compile the SquidGuard blacklists and chown the blacklists to be accessible by Squid.

# squidGuard -b -d -C all
# chown -R squid /var/squidGuard/blacklists 

9. Edit the squid.conf file and then reload Squid.

# vim /etc/squid/squid.conf

add the following line to the squid.conf file around line 28:

url_rewrite_program /usr/bin/squidGuard

# service squid reload
or
# service squid restart

10. Now open the Firefox browser and test to see if your testdomains are successfully blocked, while every other domain is allowed.

11. If you were successful at blocking the test domains then you can extract and decompress the blacklists.tar.gz file that you downloaded in Step 6. Copy some of the extracted blacklist folders to your /var/squidGuard/blacklists/ directory. Now you will need to edit your squidGuard.conf file to account for the new blacklists areas beyond testdomains, recompile the squidGuard database (if there are errors creating the database file/s then you will need to troubleshoot by editing the squidGuard.conf file), chown the blacklists directory recursively, restart Squid and you should be filtering tons of undesirable domains, urls, keywords, etc.

How to Install the OSSEC HIDS in Linux

OSSEC HIDS Overview

OSSEC is a host-based intrusion detection and prevention system (HIDS/HIPS). A host-based intrusion detection system or host-based intrusion prevention system serves a similar function to antivirus software. A HIDS can warn you if it discovers that your system has an intrusion or virus, and a HIPS can warn you in real time if an intrusion is currently being attempted, and block it. This can greatly increase the security of your system, especially if you are running servers like a web server. OSSEC is supported by the TrendMicro security company.

OSSEC Installation and Configuration

1. Elevate to root user. Download OSSEC, extract it, change directories and list the directory contents to look for the installation script. Before you can run the installation script you will need to install the GCC compiler.

$ su -
# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz
# tar -xf ossec-hids-2.7.tar.gz
# cd ossec-hids-2.7
# ls
# yum -y install gcc

2. Run the installation script and choose hybrid install. Answer yes to everything else, but no to the active response, you can change that later. For the IP address or hostname of the OSSEC server type in localhost and press enter.

# ./install.sh

3. Run the service status and the service start commands. When you try to start the program, you will get an error that it is missing the client.keys file.

# service ossec status
# service ossec start

4. Run the ./ossec-control program to see the program options, then run ./ossec-control enable client-syslog. When you try to start the program with ./ossec-control start, you will get an error that it is missing the client.keys file. Create an empty client.keys file using the touch command, then start ossec-control again.

# cd /var/ossec/bin/
# ls
# ./ossec-control
# ./ossec-control enable
# ./ossec-control enable client-syslog
# ./ossec-control start
# touch /var/ossec/ossec-agent/etc/client.keys
# ./ossec-control start

5. Using the cd command return to your home directory then download the web user interface using wget. Verify the checksum, extract the tar.gz file and move the contents of the directory to a new directory at /var/www/html/ossec.

# cd
# wget http://www.ossec.net/files/ossec-wui-0.3.tar.gz
# wget http://www.ossec.net/files/ossec-wui-0.3-checksum.txt

# cat ossec-wui-0.3-checksum.txt
# sha1sum ossec-wui-0.3.tar.gz

# tar -xf ossec-wui-0.3.tar.gz
# mv ossec-wui-0.3 /var/www/html/ossec
# cd /var/www/html/ossec/
# ls
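Step 5 compares the checksum file with the sha1sum output by eye. The following added example, which is not part of the OSSEC tutorial, does that comparison in a shell function that fails on a mismatch so a tampered or truncated download is never extracted; it does not assume the exact layout of the checksum file (any 40-hex-digit token in it is treated as a candidate SHA-1), and with no arguments it runs on a constructed file so it needs no download.

```shell
#!/bin/sh
# Added example, not from the OSSEC tutorial: verify a downloaded archive
# against its checksum file automatically instead of comparing by eye.

# Print the SHA-1 of a file: sha1sum on Linux, shasum on BSD/macOS.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_sha1 FILE CHECKSUM_FILE
# The layout of the checksum file is not assumed (it may carry MD5 and SHA-1
# lines in any style); every 40-hex-digit token in it is a candidate SHA-1.
# Returns 0 on a match, 1 on a mismatch, 2 if an input cannot be read.
verify_sha1() {
    file="$1"; sums="$2"
    if [ ! -r "$file" ] || [ ! -r "$sums" ]; then
        echo "verify_sha1: cannot read $file or $sums" >&2
        return 2
    fi
    actual=$(sha1_of "$file")
    if grep -oE '[0-9a-fA-F]{40}' "$sums" | tr 'A-F' 'a-f' | grep -qx "$actual"; then
        echo "OK   $file  sha1=$actual"
        return 0
    fi
    echo "FAIL $file  sha1=$actual is not listed in $sums; do not extract it" >&2
    return 1
}

# Self-contained demonstration on a constructed file: the untouched file
# must pass and a modified copy must fail. Returns 0 only if both hold.
demo_verify() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for ossec-wui-0.3.tar.gz\n' > "$tmp/archive.tar.gz"
    # Constructed checksum file, written in the "ALGO(file)= hex" style.
    printf 'SHA1(archive.tar.gz)= %s\n' "$(sha1_of "$tmp/archive.tar.gz")" > "$tmp/checksum.txt"
    if verify_sha1 "$tmp/archive.tar.gz" "$tmp/checksum.txt"; then ok=0; else ok=1; fi
    printf 'one appended line changes the digest\n' >> "$tmp/archive.tar.gz"
    if verify_sha1 "$tmp/archive.tar.gz" "$tmp/checksum.txt" 2>/dev/null; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

# Usage (script name is hypothetical):
#   sh verify.sh ossec-wui-0.3.tar.gz ossec-wui-0.3-checksum.txt
# With no arguments the constructed demonstration runs instead.
if [ "$#" -eq 2 ]; then
    verify_sha1 "$1" "$2"
else
    demo_verify
fi
```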

6. Run the setup script; you will be prompted to create a username and password.

# ./setup.sh

7. Recursively change the ossec folder owner and group to apache:apache.

# cd ..
# chown apache:apache -R ossec/

8. Now using Firefox go to the webpage for OSSEC at http://localhost/ossec and you will get a 403 forbidden error message. By examining the httpd error log you can find information related to the error. SELinux may be a potential cause of the problem.

# cat /var/log/httpd/error_log

9. Edit the group file with Vim or Nano. Arrow down to the bottom of the group file and add apache to the ossec group. In Vim you will need to press the i key in order to get into insert mode to edit the text, then press the escape key and type :wq in order to save the file.

# vim /etc/group

10. Check to see if SELinux is enforcing. A 1 means that it is enforcing.

# cat /selinux/enforce

11. Since OSSEC was downloaded and extracted from a tar.gz file there was no security context associated with the files. This can be fixed by using the restorecon program to restore the security context.

# restorecon -R /var/www/html/ossec/

12. Now change the security context for the OSSEC alerts.log and syscheck files so they can be read by the Apache server.

# chcon -t httpd_sys_content_t /var/ossec/logs/alerts/alerts.log
# chcon -t httpd_sys_content_t /var/ossec/queue/syscheck/syscheck

13. Restart the Apache and OSSEC services.

# service httpd restart
# service ossec restart

14. Now go to the OSSEC homepage at http://localhost/ossec to see the latest events in your host based intrusion detection system.