Posts Tagged ‘Networking’

Configuring vsftpd in Ubuntu : Example #1

August 2, 2010

vsftpd is a Linux package for running an FTP server. In this article, I give a simple example of configuring vsftpd in Ubuntu. The FTP server built here uses the real usernames of the Linux system and is not encrypted.

Please follow the steps below.

  1. Information schema.
       [eth1]                            [eth0]
         ||                                ||
     [Internet]--------[vsftpd]--------[Intranet]
                          ||
                    [tcp_wrappers]
  2. Installing vsftpd for the first time.

    ~# apt-get install vsftpd

  3. Make sure the configuration file “/etc/vsftpd.conf” contains at least the following lines.

    listen=YES
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_file=/var/log/vsftpd.log
    xferlog_std_format=YES
    idle_session_timeout=600
    data_connection_timeout=120
    ftpd_banner=BLAH-FTP
    chroot_local_user=YES
    secure_chroot_dir=/var/run/vsftpd
    pam_service_name=vsftpd
    local_root=/home
    hide_ids=YES
    syslog_enable=YES
    max_clients=20
    max_per_ip=5
    pasv_min_port=5000
    pasv_max_port=5999
    tcp_wrappers=YES
    # Optional
    # deny_file={*.iso,*.lnk,*.3gp,*.3gpp}
    # cmds_allowed=PASV,RETR,QUIT

  4. Add the following rules in IPTables.

    ~# iptables -A INPUT -j ACCEPT -p tcp --dport 20:21 -m state --state NEW,RELATED,ESTABLISHED
    ~# iptables -A OUTPUT -j ACCEPT -p tcp

  5. Prevent users from logging in to the Linux shell.

    ~# echo "/usr/sbin/nologin" >> /etc/shells

    To add a user, or to change the shell of an existing user, do the following.

    ~# useradd -g ftp -s /usr/sbin/nologin -m johnson
    – or –
    ~# chsh -s /usr/sbin/nologin johndoe

  6. Prevent certain users from using the FTP server.

    ~# echo "sysadmin" >> /etc/ftpusers

  7. Here are simple steps for securing your FTP server using “tcp_wrappers”.

    7.1. Make sure the file “/etc/hosts.deny” contains only the following.

    ALL: ALL

    7.2. Create the file “/etc/hosts.sandbox” to hold the IP or network addresses that will be blocked.

    ~# echo "224." >> /etc/hosts.sandbox
    ~# echo "240." >> /etc/hosts.sandbox
    ~# echo "248." >> /etc/hosts.sandbox

    7.3. Add the following line to the file “/etc/hosts.allow”.

    vsftpd: ALL EXCEPT /etc/hosts.sandbox

  8. To test whether “tcp_wrappers” is working, you can add a workstation's IP address to the file “/etc/hosts.sandbox”.

    If you use the shell command “tcpdchk -v” to check the “tcp_wrappers” configuration, an error message “no such process name in /etc/inetd.conf” appears.

    Please add the following line to the file “/etc/inetd.conf”.

    ~# echo "ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vsftpd" >> /etc/inetd.conf

    This is not mandatory, because even without adding this line, “tcp_wrappers” keeps working well.

    Information about the file “/etc/inetd.conf”, which was removed by Ubuntu, can be read here.

  9. Finish.
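
Step 3 sets a passive port range (pasv_min_port/pasv_max_port), while the INPUT rule in step 4 accepts only destination ports 20:21, so under a restrictive INPUT policy passive-mode data connections would not match it. The script below is an added example, not part of the original article, that cross-checks the two; it inspects only explicit `--dport` ranges on ACCEPT rules. The sample inputs are constructed from the page's lines, and the extra rule in `FIXED_RULES` and the helper names `conf_value` and `pasv_coverage` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: does any INPUT ACCEPT rule cover vsftpd's passive port range?
# Constructed copies of the page's lines; on a real host read
# /etc/vsftpd.conf and the output of `iptables -S INPUT` instead.
VSFTPD_CONF='pasv_min_port=5000
pasv_max_port=5999'
INPUT_RULES='-A INPUT -j ACCEPT -p tcp --dport 20:21 -m state --state NEW,RELATED,ESTABLISHED'

# Assumed correction (not from the article): open the passive range as well.
FIXED_RULES="$INPUT_RULES
-A INPUT -j ACCEPT -p tcp --dport 5000:5999 -m state --state NEW,ESTABLISHED"

# Print the value of key $2 from config text $1 (last occurrence in the text).
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Print "covered" when one ACCEPT rule's --dport range contains the whole
# pasv_min_port..pasv_max_port range, otherwise "not-covered".
pasv_coverage() {
    lo=$(conf_value "$1" pasv_min_port)
    hi=$(conf_value "$1" pasv_max_port)
    printf '%s\n' "$2" | awk -v lo="$lo" -v hi="$hi" '
        /-j ACCEPT/ {
            for (i = 1; i < NF; i++) {
                if ($i != "--dport") continue
                n = split($(i + 1), r, ":")      # "20:21" or a single port
                first = r[1] + 0
                last = (n > 1 ? r[2] : r[1]) + 0
                if (first <= lo + 0 && hi + 0 <= last) ok = 1
            }
        }
        END { print (ok ? "covered" : "not-covered") }'
}

echo "rules from step 4:       $(pasv_coverage "$VSFTPD_CONF" "$INPUT_RULES")"
echo "with passive range open: $(pasv_coverage "$VSFTPD_CONF" "$FIXED_RULES")"
```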

Again, this is a simple example, and you can customize it to your own tastes.
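
How the three files from step 7 combine for a given client address, shown as an added example that is not part of the original article: hosts.allow is read first, and a client excluded there through /etc/hosts.sandbox falls through to the “ALL: ALL” line in hosts.deny. The function names and the sample client addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: models the access decision tcp_wrappers makes for vsftpd
# with the files from steps 7.1 to 7.3.
# Constructed copy of /etc/hosts.sandbox from step 7.2, one pattern per line.
SANDBOX_PATTERNS='224.
240.
248.'

# hosts_access(5): a pattern ending in "." matches when the address begins
# with that string; any other pattern is compared here as an exact address.
in_sandbox() {
    addr=$1
    for pat in $SANDBOX_PATTERNS; do
        case $pat in
            *.) case $addr in "$pat"*) return 0 ;; esac ;;
            *)  if [ "$addr" = "$pat" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# hosts.allow: "vsftpd: ALL EXCEPT /etc/hosts.sandbox" is consulted first.
# A client not matched there reaches hosts.deny, where "ALL: ALL" denies it.
vsftpd_access() {
    if in_sandbox "$1"; then
        echo deny     # excluded in hosts.allow, then caught by hosts.deny
    else
        echo allow    # matched in hosts.allow, hosts.deny is not consulted
    fi
}

# Constructed client addresses; "24." and "22.4." must not match "224.".
for ip in 192.168.0.10 224.0.0.5 24.0.0.5 22.4.0.1 248.1.2.3; do
    printf '%-14s %s\n' "$ip" "$(vsftpd_access "$ip")"
done
```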

Configuring Polipo & HAVP + ClamAV in Ubuntu

April 27, 2010

Polipo works very effectively as a web proxy in a small network (SOHO). Its ease, simplicity and speed make it an option to replace Squid as a web proxy. Even so, a virus scanner that acts proactively is still necessary to prevent viruses from entering while surfing the internet. In this article, I only give an example of how to configure Polipo as a web proxy that works together with HAVP & ClamAV as a virus scanner.

Please follow the steps below.

  1. Information Schema.
                   192.168.0.253:8123
                          ||                      [eth1]
                          ||                        ||
     [Intranet]--------[Polipo]-+-[HAVP]--------[Internet]
         ||                         ||
       [eth0]                   Parent Proxy
    192.168.0.0/24             127.0.0.1:8080
                                    ||
                                    ||
                                 [ClamAV]
  2. Installing Polipo for the first time.

    ~# apt-get install polipo

  3. Installing HAVP and ClamAV, and updating the ClamAV virus databases for the first time.

    ~# apt-get install havp clamav
    ~# freshclam

  4. Make sure the configuration file “/etc/polipo/config” contains at least the following lines.

    daemonise = true
    proxyAddress = "192.168.0.253"
    allowedClients = 127.0.0.1, 192.168.0.0/24
    proxyName = "kokikode.wordpress.com"
    parentProxy = 127.0.0.1:8080 # HAVP as parent proxy.
    forbiddenFile = /etc/polipo/forbidden # Commonly used to block ads.
    chunkHighMark = 819200 # If you've got plenty of memory, set the value to 50331648.
    objectHighMark = 128 # If you've got plenty of memory, set the value to 16384.
    diskCacheFilePermissions = 0600
    diskCacheDirectoryPermissions = 0700
    diskCacheRoot = /cache1/polipo
    disableLocalInterface = true
    localDocumentRoot = ""
    dnsQueryIPv6 = no
    dnsUseGethostbyname = reluctantly
    censoredHeaders = from, accept-language
    censorReferer = maybe
    dontCacheRedirects = false
    allowedPorts = 1-65535
    tunnelAllowedPorts = 1-65535

  5. Make sure the configuration file “/etc/havp/havp.config” contains at least the following lines.

    USER havp
    GROUP havp
    DAEMON true
    PIDFILE /var/run/havp/havp.pid
    SERVERNUMBER 20
    MAXSERVERS 100
    ACCESSLOG /var/log/havp/access.log
    ERRORLOG /var/log/havp/havp.log
    USESYSLOG false
    SYSLOGNAME havp
    SYSLOGFACILITY daemon
    SYSLOGLEVEL info
    LOG_OKS true
    LOGLEVEL 1
    SCANTEMPFILE /var/spool/havp/havp-XXXXXX
    TEMPDIR /var/tmp
    DBRELOAD 60
    TRANSPARENT false
    FORWARDED_IP true
    PORT 8080
    BIND_ADDRESS 127.0.0.1
    TEMPLATEPATH /etc/havp/templates/en
    ENABLECLAMLIB true
    CLAMDBDIR /var/lib/clamav
    ENABLECLAMD false
    ENABLEFPROT false
    ENABLEAVG false
    ENABLEAVESERVER false
    ENABLESOPHIE false
    ENABLETROPHIE false
    ENABLENOD32 false
    ENABLEAVAST false
    ENABLEARCAVIR false
    ENABLEDRWEB false

  6. Make sure the IPTables rules for this case include at least the following lines.

    ~# iptables -A INPUT -j ACCEPT -p tcp -i eth0 -s 192.168.0.0/24 --dport 8123

    *) Polipo's default port is 8123.

  7. Restart Polipo and HAVP service.

    ~# /etc/init.d/polipo force-reload
    ~# /etc/init.d/havp force-reload

  8. Please configure your internet browser manually, because Polipo is a non-transparent proxy.

    HTTP Proxy: 192.168.0.253 – Port: 8123
    HTTPS/SSL Proxy: 192.168.0.253 – Port: 8123

  9. Finish.

The sample configuration above should be adapted and adjusted to suit your needs. In this article, I use Ubuntu Server 8.04 LTS, Polipo 1.0.4, HAVP 0.89, and ClamAV 0.95.3.

Configuring Squid & HAVP(ClamAV) in Ubuntu : Reviews

March 14, 2010

In this article, I will review the previous articles, entitled

Similarities in the results of the configurations in both articles.

  • A downloaded file or a site that contains a virus is detected immediately, so it is not forwarded to the local workstation.

Differences in the results of the configurations in both articles.

  • Configuring Squid + HAVP(ClamAV) in Ubuntu : Example #1
    • Files in the Squid cache have passed through scanning.
    • If the Squid configuration implements delay-pool & content filtering based on the IP/MAC address of the local workstation, it will continue to function properly.
    Because Squid still receives the actual IP/MAC address of the local workstation.
  • Configuring Squid + HAVP(ClamAV) in Ubuntu : Example #2
    • Files in the Squid cache have not passed through scanning.
    • If the Squid configuration implements delay-pool & content filtering based on the IP/MAC address of the local workstation, it will not work.
    Because Squid serves as a “parent-proxy” and only accepts requests from HAVP as the “transparent-proxy”.
    So the IP address received by Squid is localhost (e.g. 127.0.0.1), and this configuration is more suitable for delay-pool & content filtering applied in general.

Is HAVP + ClamAV working well in both configuration examples?

To test whether the configuration is working properly, please download the following test file.

http://www.eicar.org/download/eicarcom2.zip

The Internet browser will then display a message like the following.

At the time this article was written, ClamAV version 0.94.2 had already been upgraded to 0.95.3.
For more information, please visit the website at http://www.server-side.de.

Configuring Squid & HAVP(ClamAV) in Ubuntu : Example #2

March 7, 2010

In this article, it is assumed that Squid has been installed and is running well, because this article does not discuss the installation of Squid. The following is just an example of the steps in configuring Squid as a parent proxy (not transparent proxy) and HAVP (in collaboration with ClamAV) as a virus scanner (transparent proxy).

1. Information schema.

                  [ClamAV]
                     ||
                     || 
               Transparent Proxy*
               192.168.0.253:8080
                     ||                     [eth1]
                     ||                       ||
 [Intranet]--------[HAVP]-+-[Squid]--------[Internet]
     ||                        ||
   [eth0]                  Parent Proxy
192.168.0.0/24            127.0.0.1:3128

2. Installing HAVP and ClamAV, and updating the ClamAV virus databases for the first time.

~# apt-get install havp clamav
~# freshclam

3. Add the following line to the file “/etc/squid/squid.conf”. If the existing configuration has a line like “http_port 192.168.0.253:3128 transparent”, please change it to the following line.

http_port 127.0.0.1:3128

4. Make sure the configuration file “/etc/havp/havp.config” contains at least the following lines.

USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 20 # please adjust as needed
MAXSERVERS 100 # please adjust as needed
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
USESYSLOG false
SYSLOGNAME havp
SYSLOGFACILITY daemon
SYSLOGLEVEL info
LOG_OKS true
LOGLEVEL 1
SCANTEMPFILE /var/spool/havp/havp-XXXXXX
TEMPDIR /var/tmp
DBRELOAD 60
TRANSPARENT true
FORWARDED_IP true
PARENTPROXY 127.0.0.1
PARENTPORT 3128
PORT 8080
BIND_ADDRESS 192.168.0.253
TEMPLATEPATH /etc/havp/templates/en
ENABLECLAMLIB true
CLAMDBDIR /var/lib/clamav
ENABLECLAMD false
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false
ENABLEARCAVIR false
ENABLEDRWEB false

5. Make sure the IPTables NAT rules for the schema in step 1 include at least the following lines. If the IPTables NAT rule previously redirected the port to 3128, please change it to 8080.

~# iptables -t nat -A PREROUTING -j REDIRECT -p tcp -i eth0 -s 192.168.0.0/24 --dport 80 --to-ports 8080
~# iptables -t nat -A POSTROUTING -j MASQUERADE -p tcp -s 192.168.0.0/24 -o eth1

6. Restart Squid and HAVP service.

~# squid -k reconfigure
~# /etc/init.d/havp force-reload
– or –
~# /etc/init.d/squid restart
~# /etc/init.d/havp restart

7. Finish.

*) Don’t forget to open tcp ports 80 & 8080.

In this article, I use Ubuntu Server 8.04 LTS, Squid 2.6, HAVP 0.89, and ClamAV 0.94.2.
For more information, please visit the website at http://www.server-side.de.

Configuring Squid & HAVP(ClamAV) in Ubuntu : Example #1

March 4, 2010

In this article, it is assumed that Squid has been installed and is running well, because this article does not discuss the installation of Squid. The following is just an example of the steps in configuring Squid as a transparent proxy and HAVP (in collaboration with ClamAV) as a virus scanner (parent proxy).

1. Information schema.

               Transparent Proxy*
               192.168.0.253:3128
                      ||                    [eth1]
                      ||                      ||
 [Intranet]--------[Squid]-+-[HAVP]--------[Internet]
     ||                        ||
   [eth0]                  Parent Proxy
192.168.0.0/24            127.0.0.1:8080
                               ||
                               ||
                            [ClamAV]

2. Installing HAVP and ClamAV, and updating the ClamAV virus databases for the first time.

~# apt-get install havp clamav
~# freshclam

3. Add the following line to the file “/etc/squid/squid.conf”.

cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default

4. Make sure the configuration file “/etc/havp/havp.config” contains at least the following lines.

USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 20 # please adjust as needed
MAXSERVERS 100 # please adjust as needed
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
USESYSLOG false
SYSLOGNAME havp
SYSLOGFACILITY daemon
SYSLOGLEVEL info
LOG_OKS true
LOGLEVEL 1
SCANTEMPFILE /var/spool/havp/havp-XXXXXX
TEMPDIR /var/tmp
DBRELOAD 60
TRANSPARENT false
FORWARDED_IP true
PORT 8080
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/en
ENABLECLAMLIB true
CLAMDBDIR /var/lib/clamav
ENABLECLAMD false
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false
ENABLEARCAVIR false
ENABLEDRWEB false

5. Make sure the IPTables NAT rules for the schema in step 1 include at least the following lines.

~# iptables -t nat -A PREROUTING -j REDIRECT -p tcp -i eth0 -s 192.168.0.0/24 --dport 80 --to-ports 3128
~# iptables -t nat -A POSTROUTING -j MASQUERADE -p tcp -s 192.168.0.0/24 -o eth1

6. Restart Squid and HAVP service.

~# squid -k reconfigure
~# /etc/init.d/havp force-reload
– or –
~# /etc/init.d/squid restart
~# /etc/init.d/havp restart

7. Finish.

*) Don’t forget to open tcp ports 80 & 3128.

In this article, I use Ubuntu Server 8.04 LTS, Squid 2.6, HAVP 0.89, and ClamAV 0.94.2.
For more information, please visit the website at http://www.server-side.de.