Thursday, November 5, 2009

Enable root log in and Login as root user on Linux Fedora


1. Log in as a normal user: press Ctrl+Alt+F2 to get a text terminal, then key in your normal user login name and password (the user you created during the installation configuration process).

Log in to Fedora core using root user

Fedora release 10 (Cambridge)

Kernel 2.6.27.5-117.fc10.i686 on an i686 (tty2)

fedora10 login: fedora10

Password:

Last login: Fri Dec 5 06:23:09 on tty4

[fedora10@fedora10 ~]$

2. Switch to the root user. To execute commands or edit configuration files you need root privileges. The example below uses the su command to change from the normal user to root in order to edit the gdm configuration file.

Change to root user on Fedora 10

[fedora10@fedora10 ~]$ su -

Password:

[root@fedora10 ~]#

3. The gdm configuration file contains the setting that disables root login on Fedora 10. To view the contents of the gdm configuration file, the cat command is used in this example.

The gdm configuration file contains the setting that disables root login on Fedora 10

[root@fedora10 ~]# cat /etc/pam.d/gdm

#%PAM-1.0

auth [success=done ignore=ignore default=bad] pam_selinux_permit.so

auth required pam_succeed_if.so user != root quiet

auth required pam_env.so

auth substack system-auth

auth optional pam_gnome_keyring.so

account required pam_nologin.so

account include system-auth

password include system-auth

session required pam_selinux.so close

session required pam_loginuid.so

session optional pam_console.so

session required pam_selinux.so open

session optional pam_keyinit.so force revoke

session required pam_namespace.so

session optional pam_gnome_keyring.so auto_start

session include system-auth

[root@fedora10 ~]#

4. Before editing the gdm configuration file to enable root login on Fedora 10, make a backup of it. The example below uses the cp command to create the backup file.

Before editing the gdm configuration file to enable root login on Fedora 10, make a backup of it

Copy file to make backup

[root@fedora10 ~]# cp -pr /etc/pam.d/gdm /etc/pam.d/gdm.bak

[root@fedora10 ~]#

Verify that the backup file exists

[root@fedora10 ~]# ls /etc/pam.d/gdm.bak

/etc/pam.d/gdm.bak

[root@fedora10 ~]#

5. To allow the root user to log in on Fedora 10, the "user != root quiet" condition needs to be removed from the gdm configuration file. The steps below show how to edit the file with the vi editor and remove "user != root quiet".

Open vi editor : [root@fedora10 ~]# vi /etc/pam.d/gdm

and move the cursor to user != root quiet (as shown in the figure below): use the keyboard keys h = move cursor left, j = move cursor down, k = move cursor up, l = move cursor right.

Open and edit the file using the vi editor. To allow root login on Fedora 10, (user != root quiet) must be removed from the gdm configuration file.

Press the 'x' key to delete the characters of user != root quiet.

After deleting user != root quiet, save the gdm configuration file and exit the vi editor with :wq, as shown in the figure below.

Verify by displaying the gdm configuration file contents with the cat command, as shown in the example below.

[root@fedora10 ~]# cat /etc/pam.d/gdm

#%PAM-1.0

auth [success=done ignore=ignore default=bad] pam_selinux_permit.so

auth required pam_succeed_if.so

auth required pam_env.so

auth substack system-auth

auth optional pam_gnome_keyring.so

account required pam_nologin.so

account include system-auth

password include system-auth

session required pam_selinux.so close

session required pam_loginuid.so

session optional pam_console.so

session required pam_selinux.so open

session optional pam_keyinit.so force revoke

session required pam_namespace.so

session optional pam_gnome_keyring.so auto_start

session include system-auth

[root@fedora10 ~]#

Now reboot the system and log in as the root user on Fedora.
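A check for the edit above, added here as an example and not part of the original post: it parses a PAM stack such as /etc/pam.d/gdm and reports whether the rule that rejects root at the graphical login is still present. The two stacks embedded in it are constructed from the file shown in this post, before and after the edit.

```python
import re

# Added example (not from the original post): audit a PAM stack for the
# pam_succeed_if rule that keeps root out of gdm. The samples below are
# constructed from the stock Fedora 10 /etc/pam.d/gdm shown in the post and
# from the same file after 'user != root quiet' has been deleted.

GDM_STOCK = """#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
"""

GDM_EDITED = GDM_STOCK.replace(
    "auth required pam_succeed_if.so user != root quiet",
    "auth required pam_succeed_if.so")

# type, control (keyword or bracketed [key=action ...] list), module, args
_LINE = re.compile(r'^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')


def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            ptype, control, module, args = m.groups()
            entries.append((ptype, control, module, args.split()))
    return entries


def root_blocked(text):
    """True if an auth rule under a blocking keyword control (required or
    requisite) carries the pam_succeed_if condition 'user != root'.
    Bracketed controls are not interpreted and are treated as non-blocking."""
    for ptype, control, module, args in parse_pam(text):
        if ptype != "auth" or module != "pam_succeed_if.so":
            continue
        if control not in ("required", "requisite"):
            continue
        conds = [a for a in args if a not in ("quiet", "quiet_fail", "quiet_success")]
        for i in range(len(conds) - 2):
            if conds[i:i + 3] == ["user", "!=", "root"]:
                return True
    return False


def dangling_succeed_if(text):
    """Rules that load pam_succeed_if.so with no condition at all: they check
    nothing any more, so the line can be deleted instead of left behind."""
    return [" ".join([t, c, m]) for t, c, m, a in parse_pam(text)
            if m == "pam_succeed_if.so" and not a]


def audit(files):
    """files: {label: contents}. Returns {label: (root_blocked, dangling_rules)}."""
    return {name: (root_blocked(body), dangling_succeed_if(body))
            for name, body in files.items()}


if __name__ == "__main__":
    for name, (blocked, dangling) in audit(
            {"gdm.bak": GDM_STOCK, "gdm": GDM_EDITED}).items():
        print(f"{name}: root login at gdm is {'BLOCKED' if blocked else 'ALLOWED'}")
        for rule in dangling:
            print(f"  note: no-op rule left behind -> {rule}")
```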

Squid Web Filtering

Web Filtering

The HTTP caching reviewed here uses Squid Cache. For filtering, we will similarly look at configuration details and at the modules to be used with Squid.

* url_regex
* Squid Guard


url_regex

This is integral to Squid: it reads URL patterns from a specified file and, when a request matches one, Squid either allows or denies it depending on the configuration. Here is a segment from the example squid configuration file; the banned file it refers to is a plain list of patterns, one per line.

acl filter url_regex "/etc/squid/banned"
http_access deny filter

Here we have an ACL called filter, of type url_regex, that uses the file /etc/squid/banned.
The http_access line denies a request on match; in the example file this is used to block advertising sites and other rubbish. New sites are blocked simply by adding another domain to the list.

After a new entry has been added, Squid needs to be told to reload its configuration with the following command:
squid -k reconfigure

To restart the http cache, you can run the following command:
service squid restart

Squid Guard

Squid Guard has to be downloaded and compiled. This is easier than it sounds; it depends on the gcc package being installed.

It runs as follows:

tar zxvf squidguard-xxxx.tar.gz

cd squidGuard-xxx

./configure

make

The install has to be done as root.
make install

Have a read of the documentation and any other information on the site. You will also have to download and install the blocklists. A large number of different blacklists are available, covering categories from porn to violence; they are updated regularly and contain tens of thousands of sites and IPs. They are normally located in /var/spool/squidguard/

The Access Control Lists work very similarly to those in the squid configuration file.

Read what documentation you can. Once you have it up and working, it is launched from Squid through the redirector configuration option; have a look at the sample file for details.

Once you have downloaded or changed any of the files, you can rebuild the database files using the command:

squidGuard -C all

You will note that there are blockfiles such as:
drwxr-xr-x 2 squid squid 4096 Mar 3 01:23 ads
drwxr-xr-x 2 squid squid 4096 Feb 11 19:12 aggressive
drwxr-xr-x 2 squid squid 4096 Feb 11 19:12 audio-video
drwxr-xr-x 2 squid squid 4096 Feb 11 19:12 drugs
drwxr-xr-x 2 squid squid 4096 Feb 11 19:12 gambling
drwxr-xr-x 2 squid squid 4096 Feb 11 19:12 hacking
drwxr-xr-x 2 squid squid 4096 Feb 12 18:26 mail

Within these directories you will find files such as:
ls -l /var/spool/squidguard/blacklists/ads
total 184
-rw-r----- 1 squid squid 44500 Mar 3 01:23 domains
-rw-r--r-- 1 squid squid 122880 Mar 3 01:24 domains.db
-rw-r--r-- 1 squid squid 27 Feb 25 13:18 expressions
-rw-r----- 1 squid squid 3147 Feb 7 23:55 urls
-rw-r--r-- 1 squid squid 8192 Mar 3 01:24 urls.db

Note that you have domains and urls alongside domains.db and urls.db; the .db files are the database files built by the command above.

The blocklists also provide a good list. If you build your ACLs as good then !bad, a URL found in the good list is accepted even if it also appears in any of the blacklists.

Squid Configuration with MAC Authentication

#squid.conf
#Every option in this file is very well documented in the original squid.conf file
#

#
#The ports our Squid will listen on.
http_port 8080
icp_port 3130
#cgi-bins will not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#Memory the Squid will use. Well, Squid will use far more than that.
cache_mem 8 MB
#The third value is the disk space Squid will use, in megabytes (17072 MB here).
cache_dir ufs /var/spool/squid 17072 16 256

#Places where Squid's logs will go to.
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log
#How many times to rotate the logs before deleting them.
#See the FAQ for more info.
logfile_rotate 10

dns_nameservers 200.32.73.6 200.32.73.4 200.31.30.47
redirect_rewrites_host_header off
cache_replacement_policy GDSF
acl porn url_regex "/etc/squid/pornoweb.txt"
acl localnet src "/etc/squid/permitidos"
acl lab1 arp "/etc/squid/lab1_mac"
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 20 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access deny porn
http_access allow localnet
http_access allow lab1
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
maximum_object_size 60096 KB
store_avg_object_size 50 KB

#Set these if you want your proxy to work in a transparent way.
#Transparent proxy means you generally don't have to configure all
#your client's browsers, but hase some drawbacks too.
#Leaving these uncommented won't do any harm.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#all our LAN users will be seen by external web servers
#as if they all used Mozilla on Linux. :)
#anonymize_headers deny User-Agent
#fake_user_agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6+) Gecko/20011122

#To make our connection even faster, we put two lines similar
#to the ones below. They will point a parent proxy server our own Squid
#will use. Don't forget to change the server to the one that will
#be fastest for you!
#Measure pings, traceroutes and so on.
#Make sure that http and icp ports are correct.

#Uncomment lines beginning with "cache_peer" if necessary.
#This is the proxy you are going to use for all connections...
#cache_peer w3cache.icm.edu.pl parent 8080 3130 no-digest default

#...except for the connections to addresses and IPs beginning with "!".
#It's a good idea not to use a higher
#cache_peer_domain w3cache.icm.edu.pl !.pl !7thguard.net !192.168.1.1

#This is useful when we want to use the Cache Manager.
#Copy cachemgr.cgi to cgi-bin of your www server.
#You can reach it then via a web browser typing
#the address http://your-web-server/cgi-bin/cachemgr.cgi
cache_mgr soporte@techsoftnet.net
cachemgr_passwd gicserver! all

#This is a name of a user our Squid will work as.
cache_effective_user squid
cache_effective_group squid
visible_hostname techsoftnet.net
log_icp_queries off
buffered_logs on

#####DELAY POOLS
#This is the most important part for shaping incoming traffic with Squid
#For detailed description see squid.conf file or docs at http://www.squid-cache.org

#We don't want to limit downloads on our local network.
acl magic_words1 url_regex -i 192.100.100

#We want to limit downloads of these type of files
#Put this all in one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
#We don't block .html, .gif, .jpg and similar files, because they
#generally don't consume much bandwidth

#We want to limit bandwidth during the day, and allow
#full bandwidth during the night
#Caution! with the acl below your downloads are likely to break
#at 23:59. Read the Squid FAQ on delay pools if you want to avoid it.
#acl day time 09:00-23:59

#We have two different delay_pools
#View Squid documentation to get familiar
#with delay_pools and delay_class.
delay_pools 2

#First delay pool
#We don't want to delay our local traffic.
#There are three pool classes; here we will deal only with the second.
#First delay class (1) of second type (2).
delay_class 1 2

#-1/-1 mean that there are no limits.
delay_parameters 1 -1/-1 -1/-1

#magic_words1: the 192.100.100 pattern we have set before
delay_access 1 allow magic_words1

#Second delay pool.
#we want to delay downloading files mentioned in magic_words2.
#Second delay class (2) of second type (2).
delay_class 2 2

#The numbers here are values in bytes;
#we must remember that Squid doesn't consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s

delay_parameters 2 5000/150000 5000/120000
#We have set day to 09:00-23:59 before.
#delay_access 2 allow day
#delay_access 2 deny !day
delay_access 2 allow magic_words2

#EOF

Installing, Running and configuring a Squid proxy server

The following tutorial illustrates how to install and run a Squid proxy server.

First off, a little info about Squid: Squid is a fully-featured HTTP/1.0 proxy which is almost (work in progress) HTTP/1.1 compliant. Squid offers a rich access control, authorization and logging environment for developing web proxy and content-serving applications.

You will need the following programs installed: openssl, pam, perl and a cron daemon (preferably dcron). A recent gcc version is also needed.

Installing Squid:

First, download the Squid 2.6.STABLE14 source tarball.
Open a terminal window and cd to the folder where you downloaded the file, then run:
tar -jxvf squid-2.6.STABLE14.tar.bz2 && cd squid-2.6.STABLE14

The next step is to run the configure script.

./configure --prefix=/usr --datadir=/usr/share/squid \
--sysconfdir=/etc/squid --libexecdir=/usr/lib/squid \
--localstatedir=/var --enable-auth="basic,digest,ntlm" \
--enable-removal-policies="lru,heap" \
--enable-digest-auth-helpers="password" \
--enable-storeio="aufs,ufs,diskd,coss,null" \
--enable-basic-auth-helpers="getpwnam,YP,NCSA,SMB,MSNT,PAM,multi-domain-NTLM" \
--enable-external-acl-helpers="ip_user,unix_group,wbinfo_group" \
--enable-ntlm-auth-helpers="SMB,fakeauth,no_check" \
--enable-delay-pools --enable-arp-acl --enable-ssl \
--enable-linux-netfilter --enable-ident-lookups \
--enable-useragent-log --enable-cache-digests --enable-referer-log \
--enable-async-io --enable-truncate \
--enable-htcp --enable-carp --enable-poll --with-maxfd=4096
Then run make and hope for the best.
After it is done compiling, type su, enter your root password and run make install.

Configuring Squid:

I have an incoming Internet connection through ppp0 and I am hooked to the other computers on my network through the interface eth0. My IP on eth0 is 10.0.2.1 and the addresses of the clients range from 10.0.2.2 to 10.0.2.254.

Open a terminal and type su. Then type vi /etc/squid/squid.conf

Add the following information. Note that lines starting with ## are comments to help you understand the syntax of the file.

http_port 10.0.2.1:3128
acl QUERY urlpath_regex cgi-bin \?

cache deny QUERY
acl apache rep_header Server ^Apache

broken_vary_encoding allow apache

## This is the maximum size of a single file that the cache can hold.
## You may change this
maximum_object_size 100096 KB
minimum_object_size 0 KB

cache_replacement_policy heap LFUDA

## This is where squid's cache will be placed. You may change its location and
## size.
cache_dir ufs /var/cache/squid 1000 16 256

## location of log file.
access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern . 0 20% 4320

## my_network is the codename for my network, you may change this to anything you want
acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

acl my_network src 10.0.2.0-10.0.2.254

# Only allow cachemgr access from localhost

http_access allow manager localhost

http_access deny manager

# Deny requests to unknown ports

http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports

http_access deny CONNECT !SSL_ports

# And finally deny all other access to this proxy

http_access allow my_network

http_access deny all

http_reply_access allow all

#Allow ICP queries from everyone

icp_access allow all

Starting Squid:

as root, run:
/usr/sbin/squid -z
This will create the initial cache directory.

You can start the server by running
/usr/sbin/squid -D

Your clients can now connect to your proxy server if they are using IP addresses from 10.0.2.2 to 10.0.2.254.

They should add 10.0.2.1 as proxy and 3128 as port in their internet programs.

The final step is to secure your server (the rules below assume it runs no other services).
Run vi /etc/iptables/iptables.rules and insert the following lines:

*nat

:PREROUTING ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A POSTROUTING -o ppp0 -j MASQUERADE

COMMIT

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [0:0]

-N SCANDROP

-A SCANDROP -m limit --limit 4/minute -j LOG --log-prefix scan

-A SCANDROP -j DROP

-N LOGDROP

-A LOGDROP -m limit --limit 4/minute -j LOG

-A LOGDROP -j DROP

-A INPUT -i lo -j ACCEPT

-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request -j DROP

-A INPUT -i eth0 -p tcp -s 10.0.2.0/24 -d 10.0.2.1 --destination-port 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

-A INPUT -i ppp0 -p icmp -m icmp --icmp-type echo-request -j DROP

-A INPUT -i ppp0 -s 127.0.0.1 -j LOGDROP

-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j SCANDROP

-A INPUT -i ppp0 -p udp --sport 67 -d 255.255.255.255/32 --dport 68 -j ACCEPT

-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i ppp0 -m state --state NEW -j LOGDROP

-A INPUT -j LOGDROP

COMMIT

Note that we are closing everything on eth0 but connection from “10.0.2.0/24” on port 3128. This means clients can’t even ping the server. You may add other lines if your server offers other services.

To start your firewall, run the following as root.
/usr/sbin/iptables-restore /etc/iptables/iptables.rules

That’s it. You should now have a running proxy server!

Installing Squid with the delay pools feature

Configuring Squid to use the delay pools feature

1. Configure our squid.conf file (located under /opt/squid/etc/squid.conf):

#squid.conf
#Every option in this file is very well documented in the original squid.conf file
#and on http://www.visolve.com/squidman/Configuration%20Guide.html
#
#The ports our Squid will listen on.
http_port 8080
icp_port 3130
#cgi-bins will not be cached.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
#Memory the Squid will use. Well, Squid will use far more than that.
cache_mem 16 MB
#250 means that Squid will use 250 megabytes of disk space.
cache_dir ufs /cache 250 16 256

#Places where Squid's logs will go to.
cache_log /var/log/squid/cache.log
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_swap_log /var/log/squid/swap.log
#How many times to rotate the logs before deleting them.
#See the FAQ for more info.
logfile_rotate 10

redirect_rewrites_host_header off
cache_replacement_policy GDSF
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 20 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
maximum_object_size 3000 KB
store_avg_object_size 50 KB

#Set these if you want your proxy to work in a transparent way.
#Transparent proxy means you generally don't have to configure all
#your client's browsers, but has some drawbacks too.
#Leaving these uncommented won't do any harm.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#all our LAN users will be seen by external web servers
#as if they all used Mozilla on Linux. :)
anonymize_headers deny User-Agent
fake_user_agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6+) Gecko/20011122

#To make our connection even faster, we put two lines similar
#to the ones below. They will point a parent proxy server our own Squid
#will use. Don't forget to change the server to the one that will
#be fastest for you!
#Measure pings, traceroutes and so on.
#Make sure that http and icp ports are correct.

#Uncomment lines beginning with "cache_peer" if necessary.
#This is the proxy you are going to use for all connections...
#cache_peer w3cache.icm.edu.pl parent 8080 3130 no-digest default

#...except for the connections to addresses and IPs beginning with "!".
#It's a good idea not to use a higher
#cache_peer_domain w3cache.icm.edu.pl !.pl !7thguard.net !192.168.1.1

#This is useful when we want to use the Cache Manager.
#Copy cachemgr.cgi to cgi-bin of your www server.
#You can reach it then via a web browser typing
#the address http://your-web-server/cgi-bin/cachemgr.cgi
cache_mgr your@email
cachemgr_passwd secret_password all

#This is a name of a user our Squid will work as.
cache_effective_user squid
cache_effective_group squid

log_icp_queries off
buffered_logs on

#This is the most important part for shaping incoming traffic with Squid
#For detailed description see squid.conf file or docs at http://www.squid-cache.org

#We don't want to limit downloads on our local network.
acl magic_words1 url_regex -i 192.168

#We want to limit downloads of these type of files
#Put this all in one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov
#We don't block .html, .gif, .jpg and similar files, because they
#generally don't consume much bandwidth

#We want to limit bandwidth during the day, and allow
#full bandwidth during the night
#Caution! with the acl below your downloads are likely to break
#at 23:59. Read the Squid FAQ on delay pools if you want to avoid it.
acl day time 09:00-23:59

#We have two different delay_pools
#View Squid documentation to get familiar
#with delay_pools and delay_class.
delay_pools 2

#First delay pool
#We don't want to delay our local traffic.
#There are three pool classes; here we will deal only with the second.
#First delay class (1) of second type (2).
delay_class 1 2

#-1/-1 mean that there are no limits.
delay_parameters 1 -1/-1 -1/-1

#magic_words1: 192.168 we have set before
delay_access 1 allow magic_words1

#Second delay pool.
#we want to delay downloading files mentioned in magic_words2.
#Second delay class (2) of second type (2).
delay_class 2 2

#The numbers here are values in bytes;
#we must remember that Squid doesn't consider start/stop bits
#5000/150000 are values for the whole network
#5000/120000 are values for the single IP
#after downloaded files exceed about 150000 bytes,
#(or even twice or three times as much)
#they will continue to download at about 5000 bytes/s

delay_parameters 2 5000/150000 5000/120000
#We have set day to 09:00-23:59 before.
delay_access 2 allow day
delay_access 2 deny !day
delay_access 2 allow magic_words2

#EOF

Here in delay_parameters 2 5000/150000 5000/120000 we can change the numbers according to our requirements. For example, if we want to give our LAN users a download speed of 20 KB/s with a bucket size of 12 MB, and the whole network a download speed of 25 KB/s with a bucket size of 25 MB, change this line to delay_parameters 2 25000/250000 20000/120000
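To see what those restore/max pairs mean in practice, here is a simplified token-bucket model of a class 2 pool, written for this page (not Squid's code) and covering the delay_parameters lines both here and in the MAC-authentication configuration earlier on the page. It assumes buckets start full and serves clients in turn within one-second ticks, so its timings show the shape of the limit rather than Squid's exact scheduling.

```python
import math
from dataclasses import dataclass

# Added example, not Squid's code: a simplified token-bucket model of a class 2
# delay pool. 'delay_parameters 2 5000/150000 5000/120000' means restore/max in
# bytes: one aggregate bucket for the whole network and one bucket per client
# IP. A value of -1 means unlimited. Assumptions: buckets start full, one-second
# ticks, clients served in dictionary order within a tick.


@dataclass
class Bucket:
    restore: float   # bytes credited per second
    maximum: float   # capacity in bytes
    level: float = -1.0

    def __post_init__(self):
        if self.maximum < 0:                 # -1/-1 in squid.conf: no limit
            self.restore = self.maximum = math.inf
        if self.level < 0:
            self.level = self.maximum        # assumption: bucket starts full

    def refill(self):
        self.level = min(self.maximum, self.level + self.restore)


def parse_delay_parameters(line):
    """'delay_parameters 2 5000/150000 5000/120000'
    -> (2, (5000, 150000), (5000, 120000))"""
    parts = line.split()
    agg, ind = (tuple(int(x) for x in p.split("/")) for p in parts[2:4])
    return int(parts[1]), agg, ind


class ClassTwoPool:
    def __init__(self, aggregate, individual):
        self.aggregate = Bucket(*aggregate)
        self.individual = individual
        self.clients = {}

    def bucket_for(self, ip):
        if ip not in self.clients:
            self.clients[ip] = Bucket(*self.individual)
        return self.clients[ip]

    def simulate(self, downloads, max_seconds=3600):
        """downloads: {ip: bytes}. Each tick serves every active client, bounded
        by both its own bucket and the shared one, then refills all buckets.
        Returns {ip: second in which that download completed}."""
        remaining = dict(downloads)
        finished = {}
        for second in range(1, max_seconds + 1):
            for ip in list(remaining):
                own = self.bucket_for(ip)
                served = min(remaining[ip], own.level, self.aggregate.level)
                own.level -= served
                self.aggregate.level -= served
                remaining[ip] -= served
                if remaining[ip] == 0:
                    finished[ip] = second
                    del remaining[ip]
            if not remaining:
                break
            self.aggregate.refill()
            for bucket in self.clients.values():
                bucket.refill()
        return finished


def time_to_download(params_line, downloads):
    _, agg, ind = parse_delay_parameters(params_line)
    return ClassTwoPool(agg, ind).simulate(downloads)


if __name__ == "__main__":
    line = "delay_parameters 2 5000/150000 5000/120000"
    # one client: the first 120000 bytes pass at once, the rest trickles at 5000 B/s
    print(time_to_download(line, {"192.168.1.10": 300000}))
    # two clients: the shared 150000-byte bucket caps what the second one gets
    print(time_to_download(line, {"192.168.1.10": 120000, "192.168.1.11": 120000}))
```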

OK, when we have configured everything, we must make sure everything under /opt/squid and /cache directories belongs to user 'squid'.

# mkdir /var/log/squid/
# chown squid:squid /var/log/squid/
# chmod 770 /var/log/squid/
# chown -R squid:squid /opt/squid/
# chown -R squid:squid /cache/

Now everything is ready to run Squid. When we do it for the first time, we have to create its cache directories:

# /opt/squid/bin/squid -z 

We run Squid and check if everything is working. A good tool to do that is IPTraf; you can find it on http://freshmeat.net. Make sure you have set the appropriate proxy in your web browsers (192.168.1.1, port 8080 in our example):

  # /opt/squid/bin/squid 

If everything is working, we add the /opt/squid/bin/squid line to the end of our initialisation scripts; usually this is /etc/rc.d/rc.local.

Other helpful options in Squid may be:

# /opt/squid/bin/squid -k reconfigure   (it reconfigures Squid if we made any changes in its squid.conf file)
# /opt/squid/bin/squid -help   :) self-explanatory

You can also copy cachemgr.cgi to the cgi-bin directory of your WWW server, to make use of a useful Cache Manager.

How to block websites and file extensions

How to block a few users and allow some for a particular website

First we will create the lists, then allow or deny at the end.

Code:
# vi /etc/squid/squid.conf

[go to the acl section and add/modify according to your needs]

Code:


acl GoodIP src 192.168.0.1
acl GoodIP src 192.168.0.15

acl BlockedIP src 192.168.0.2
acl BlockedIP src 192.168.0.3


acl LimitedURL url_regex -i bbc.com
acl LimitedURL url_regex -i abc.com


acl GoodURL url_regex -i 123abc.com
acl GoodURL url_regex -i abc123.com


acl badURL url_regex -i xyz.com
acl badURL url_regex -i games
acl badURL url_regex -i chat


acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$


acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$




http_access allow GoodIP all


http_access deny BlockedIP LimitedURL


http_access deny badURL


http_access deny x-type all
http_reply_access deny x-type all
http_access deny x-type2 all
http_reply_access deny x-type2 all



acl extndeny url_regex -i "/etc/squid/extndeny"


acl download method GET


http_access deny extndeny download
http_access deny extndeny

save and close

Now let's create the extndeny file. This is the list of file extensions which we are blocking in Squid. Make a file and add these file extensions: vi /etc/squid/extndeny
Code:
\.ez$
\.hqx$
\.cpt$
\.dot$
\.wrd$
\.bin$
\.dms$
\.lha$
\.lzh$
\.ace$
\.r00$
\.r01$
\.exe$
\.wp5$
\.wk$
\.wz$
\.vcd$
\.bz2$
\.deb$
\.dvi$
\.tar$
\.gtar$
\.tgz$
\.gz$
\.bat$
\.rpm$
\.spm$
\.zip$
\.mid$
\.midi$
\.kar$
\.mpga$
\.mp2$
\.mp3$
\.ra$
\.dl$
\.fli$
\.gl$
\.mpe$
\.mpeg$
\.mpg$
\.qt$
\.mov$
\.avi$
\.movie$
\.wav$
\.au$
\.asf$
\.af$
\.bin$
\.gz$
\.bz2$
\.asx$
\.afx$
\.asf$
\.asx$
\.au$
\.avi$
\.divx$
\.m3u$
\.mov$
\.mp2$
\.mp3$
\.mpeg$
\.mpg$
\.qt$
\.ra$
\.ram$
\.rm$
\.viv$
\.vivo$
\.vob$
\.vqf$
\.wav$
\.wma$
\.wmv$
\.vbs$
\.shs$
\.pif$
\.wpm$
\.wvx$


Now restart squid
Code:
# service squid restart


Always look in the log files for errors
Code:
/var/log/squid/access.log # list of websites visited by all users
/var/log/squid/cache.log # log of the squid daemon / process
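The rules above, and the url_regex deny rule in the Web Filtering section, all depend on how Squid walks its http_access list. The evaluator below is an added example, not Squid's own code: it loads the ACLs and rules from this section (with three patterns from the extension list standing in for the extndeny file) and shows which line decides a given request, including the implicit default that applies when no line matches.

```python
import ipaddress
import re

# Added example, not Squid's own code. Squid reads http_access lines in order;
# every ACL on a line must match ('!' negates one), the first matching line
# decides, and when no line matches the result is the opposite of the last
# line's action. Only the acl types used above (src, url_regex, method) are
# modelled; the extndeny file is replaced by three inline patterns from the post.

CONFIG = r"""
acl GoodIP src 192.168.0.1
acl GoodIP src 192.168.0.15
acl BlockedIP src 192.168.0.2
acl BlockedIP src 192.168.0.3
acl LimitedURL url_regex -i bbc.com
acl LimitedURL url_regex -i abc.com
acl badURL url_regex -i xyz.com
acl badURL url_regex -i games
acl badURL url_regex -i chat
acl extndeny url_regex -i \.exe$ \.mp3$ \.avi$
acl download method GET
acl all src 0.0.0.0/0.0.0.0
http_access allow GoodIP all
http_access deny BlockedIP LimitedURL
http_access deny badURL
http_access deny extndeny download
http_access deny extndeny
"""


def _src_matcher(value):
    """src values: one IP, CIDR or dotted netmask (0.0.0.0/0.0.0.0), or a lo-hi range."""
    if "-" in value:
        lo, hi = (int(ipaddress.ip_address(p)) for p in value.split("-"))
        return lambda ip: lo <= int(ip) <= hi
    net = ipaddress.ip_network(value, strict=False)
    return lambda ip: ip in net


def load_config(text):
    """Return (acls, rules): acls maps name -> (type, values), with repeated
    'acl NAME' lines accumulated; rules is the ordered (action, names) list."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, atype, values = parts[1], parts[2], parts[3:]
            flags = 0
            if values and values[0] == "-i":          # case-insensitive regex
                flags, values = re.IGNORECASE, values[1:]
            known, items = acls.setdefault(name, (atype, []))
            if known != atype:
                raise ValueError(f"acl {name} mixes types {known} and {atype}")
            if atype == "src":
                items.extend(_src_matcher(v) for v in values)
            elif atype == "url_regex":
                items.extend(re.compile(v, flags) for v in values)
            elif atype == "method":
                items.extend(v.upper() for v in values)
            else:
                raise ValueError(f"acl type {atype} not modelled here")
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, ip, url, method):
    atype, items = acls[name]
    if atype == "src":
        addr = ipaddress.ip_address(ip)
        return any(match(addr) for match in items)
    if atype == "url_regex":
        return any(rx.search(url) for rx in items)
    return method.upper() in items


def default_action(rules):
    """What Squid does when no http_access line matched."""
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(acls, rules, ip, url, method="GET"):
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), ip, url, method) != n.startswith("!")
               for n in names):
            return action
    return default_action(rules)


ACLS, RULES = load_config(CONFIG)


def check(ip, url, method="GET"):
    return decide(ACLS, RULES, ip, url, method)


if __name__ == "__main__":
    for ip, url in [("192.168.0.15", "http://chat.example.net/"),   # GoodIP line wins first
                    ("192.168.0.2", "http://news.bbc.com/"),        # BlockedIP and LimitedURL
                    ("192.168.0.50", "http://news.bbc.com/")]:      # no line matches
        print(f"{ip:13} {check(ip, url):5} {url}")
    # The list ends with a deny, so unmatched clients fall through to allow;
    # a closing 'http_access deny all' makes the intended default explicit.
    print("default when nothing matches:", default_action(RULES))
```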

Step by step Setup and Configure Squid Proxy Server on Fedora Core.


The article below shows step by step how to set up and configure a SQUID proxy server on Fedora Core, with screenshots and a SQUID configuration example.

Network configuration scenario:

Step 1:

To backup the Squid configuration directory:

[root@cempakasari ~]# cp -pr /etc/squid/ /etc/squid.bak
[root@cempakasari ~]#

Backup the squid.conf file:

[root@cempakasari ~]# cp -pr /etc/squid/squid.conf /etc/squid/squid.conf.bak
[root@cempakasari ~]#

Step 2:

Edit the squid.conf, the Squid Cache Proxy configuration file.

1. Open the squid config file (squid.conf), located in the /etc/squid directory, with your text editor of choice.

[root@linux fedora]# vi /etc/squid/squid.conf

or you can use the gedit program...

[root@linux fedora]# gedit /etc/squid/squid.conf

In this project we configure our Squid proxy to bind to the internal Ethernet card, which uses the internal IP 10.2.0.5, and to listen on port 8080 on that internal IP address. With this configuration Squid is visible and listening on our internal address only.
Change the address to fit your network layout.

# NETWORK OPTIONS
........................
#Default:
# http_port 3128
http_port 10.2.0.5:8080

Step 3:

Scroll down the page and find # TAG: cache_mem (bytes). To increase the Squid cache memory capacity, edit the default setting and put in an appropriate memory size based on your system's capabilities. The example below shows the Squid cache memory setting increased to 256 MB. Before you change this setting, make sure your hardware can support the size of memory you specify here.

# OPTIONS WHICH AFFECT THE CACHE SIZE
# -----------------------------------
# TAG: cache_mem (bytes)
# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
# 'cache_mem' specifies the ideal amount of memory to be used
# for:
# * In-Transit objects
# * Hot Objects
# * Negative-Cached objects
........................
#Default:
# cache_mem 8 MB
cache_mem 256 MB

4. Then find # TAG: cache_dir and increase the size of the cache directory to 2000 MB; also make sure that you have enough disk space before you change the size value.
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------

# TAG: cache_dir
# Usage:
#
# cache_dir Type Directory-Name Fs-specific-data [options]
#
........................
#
#Default:
# cache_dir ufs /var/spool/squid 100 16 256
cache_dir ufs /var/spool/squid 2000 16 256

Step 4:

Adjust the list of DNS name servers. The Squid cache proxy uses this list of DNS servers to resolve domain names.

# TAG: dns_nameservers
# Use this if you want to specify a list of DNS name servers
# (IP addresses) to use instead of those given in your
# /etc/resolv.conf file.
# On Windows platforms, if no value is specified here or in
# the /etc/resolv.conf file, the list of DNS name servers are
# taken from the Windows registry, both static and dynamic DHCP
# configurations are supported.
#
# Example: dns_nameservers 10.0.0.1 192.172.0.4
#
#Default:
# none
dns_nameservers 203.106.93.91 161.142.227.17 192.228.128.16 201.188.0.16

Step 5:

Add the required port to the "Access Control List". This example shows port number 2083 added to the SSL_ports and Safe_ports lists.

# ACCESS CONTROLS
# ---------------------------
........................
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 2083 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 2083 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

You can enter your own rules:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl our_networks src 172.16.160.0/24 172.16.161.0/24 172.16.162.0/24 172.16.163.0/24 172.16.164.0/24 172.16.165.0/24 172.16.166.0/24 172.16.167.0/24 172.16.168.0/24 172.16.169.0/24 172.16.170.0/24
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
# http_access is evaluated top to bottom and the first match wins, so the
# deny must come before the allow or it is never reached for our clients.
http_access deny bad_url
http_access allow our_networks

To allow FTP requests from clients:

# TAG: always_direct
# Usage: always_direct allowdeny [!]aclname ...
#
# Here you can use ACL elements to specify requests which should
# ALWAYS be forwarded by Squid to the origin servers without using
# any peers. For example, to always directly forward requests for
# local servers ignoring any parents or siblings you may have use
# something like:
#
# acl local-servers dstdomain my.domain.net
# always_direct allow local-servers
#
# To always forward FTP requests directly, use
#
# acl FTP proto FTP
# always_direct allow FTP
........................
#
#Default:
# none
acl FTP proto FTP
always_direct allow FTP

To make sure that the configuration is right and your Squid proxy server runs smoothly, start Squid in debugging mode first. The commands below show step by step how to create the Squid cache directory and then run the Squid proxy server in debugging mode.

1. Create squid cache directory by issuing this command:

[root@linux fedora]# /usr/sbin/squid -z
2006/03/16 10:33:00 Creating Swap Directories

2. Then test-run your Squid cache proxy by running Squid in debug mode

[root@linux fedora]# /usr/sbin/squid -NCd1
Ctrl + C to stop.
Output
2006/03/16 10:43:22 Preparing for shutdown after 39 requests
2006/03/16 10:43:22 Waiting 0 seconds for active connections to finish
2006/03/16 10:43:22 FD 11 Closing HTTP connection
2006/03/16 10:43:22 FD 12 Closing HTTP connection
2006/03/16 10:43:24 Shutting down...
2006/03/16 10:43:24 FD 13 Closing ICP connection
2006/03/16 10:43:24 Closing unlinkd pipe on FD 9
2006/03/16 10:43:24 storeDirWriteCleanLogs: Starting...
2006/03/16 10:43:25 Finished. Wrote 7796 entries.
2006/03/16 10:43:25 Took 0.1 seconds (89056.4 entries/sec).

Use the following command to start and stop Squid.

[root@linux fedora]# /sbin/service squid start
[root@linux fedora]# /sbin/service squid stop

To make sure Squid starts automatically after a system reboot, use the chkconfig command to turn Squid on for runlevels 3 and 5. (Setting automatic start on runlevels 3 and 5)

[root@linux fedora]# /sbin/chkconfig --level 35 squid on

(Confirmation of automatic start)

[root@linux fedora]# /sbin/chkconfig --list squid
squid 0:off 1: off 2: off 3: on 4: off 5:on 6: off