Saturday, April 28, 2012

Optimizing and Security Hotspot YFI (part 2)


Squid
·         get the latest version of Squid from http://www.squid-cache.org and install it
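#!/usr/bin/env bash
# Fetch, build and install Squid 3.1.19 from source under /usr, with the
# build options this recipe relies on later (transparent interception via
# linux-netfilter, ZPH QoS marking, http-violations for the refresh_pattern
# options, aufs cache_dir, SNMP).
set -euo pipefail

cd /usr/local
# NOTE(review): the tarball is fetched over plain HTTP and nothing checks it.
# Compare it against a checksum or signature obtained from a trusted channel
# before building (no hash is given on this page).
wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.19.tar.bz2
tar jxvf squid-3.1.19.tar.bz2
cd squid-3.1.19
# Every continuation backslash must be the LAST character on its line; a
# trailing space after it ends the command early and the remaining options
# are run as separate (failing) commands.
./configure --prefix=/usr   --exec-prefix=/usr   --bindir=/usr/sbin  \
 --sbindir=/usr/sbin   --sysconfdir=/etc/squid   --datadir=/usr/share/squid  \
 --includedir=/usr/include   --libdir=/usr/lib   --libexecdir=/usr/lib/squid  \
 --localstatedir=/var   --sharedstatedir=/usr/com   --mandir=/usr/share/man  \
 --infodir=/usr/share/info   --x-includes=/usr/include   \
 --x-libraries=/usr/lib   --enable-shared=yes   --enable-static=no  \
 --enable-xmalloc-statistics   --enable-carp    \
 --enable-storeio=aufs,diskd,ufs   --enable-removal-policies=heap,lru   \
 --enable-icmp   --disable-delay-pools   --disable-esi   --enable-icap-client \
 --enable-useragent-log   --enable-referer-log   --disable-wccp   \
 --enable-wccpv2   --disable-kill-parent-hack   --enable-snmp  \
 --enable-cachemgr-hostname=localhost   --enable-arp-acl   --disable-htcp \
 --enable-forw-via-db   --enable-follow-x-forwarded-for  \
 --enable-cache-digests    --disable-poll   --enable-epoll  \
 --enable-linux-netfilter   --disable-ident-lookups  \
 --enable-default-hostsfile=/etc/hosts    --with-default-user=squid  \
 --with-large-files  --enable-mit=/usr   --with-logdir=/var/log/squid  \
 --enable-http-violations   --enable-zph-qos   --with-filedescriptors=65536  \
 --enable-gnuregex --enable-async-io=64 --with-aufs-threads=64 \
 --with-pthreads --with-aio  --enable-default-err-languages=English \
 --enable-err-languages=English --disable-hostname-checks \
 --enable-underscores
# "&&" instead of ";" so a failed build never falls through to "make install".
make && make install
# NOTE(review): this publishes the cache manager CGI through Apache's cgi-bin.
# squid.conf only restricts the squid side ("allow manager localhost"); if
# Apache runs on this host the CGI's connection comes from localhost, so the
# CGI itself needs an Apache access restriction like the one used for the
# portal directory.
cp /usr/lib/squid/cachemgr.cgi /var/www/cgi-bin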
·          
Now continue with the configuration. Edit the file /etc/squid/squid.conf:
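#       WELCOME TO SQUID 3.1.STABLE19
#       ----------------------------
# Transparent proxy for the hotspot LAN (acl "bamboe"). http_access lines are
# evaluated top-down and the first match wins, so keep their order.
#ACCESS CONTROLS
# "public" is the default community string; snmp_access below limits readers
# to the LAN, but every LAN host can then read the counters. Use a non-default
# community if the LAN is not fully trusted.
acl snmppublic snmp_community public
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl bamboe src 10.1.0.0/24
# Case-insensitive URL regexes, one per line, that clients must not reach.
acl noway url_regex -i "/etc/squid/noway"
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny noway
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Added: the to_localhost acl was defined but never applied. This keeps
# clients from using the proxy to reach services bound to this host's
# loopback address.
http_access deny to_localhost
http_access allow bamboe
http_access allow localhost
# Added: explicit final deny. Without it Squid applies the opposite of the
# last http_access line, which is easy to flip by accident when a rule is
# appended later.
http_access deny all
htcp_access deny all
miss_access allow all

# NETWORK OPTIONS
# Interception mode: the Shorewall rules REDIRECT loc tcp/www to this port.
# No bind address is given, so it listens on every interface; binding it to
# the loc-facing address (not shown on this page) would keep it off the net
# side.
http_port 3128 transparent
# Never forward these to a parent/sibling; serve them directly.
hierarchy_stoplist cgi-bin ? .js .jsp mivo.tv 192.168.10.30 192.168.10.29 youtube.com
acl QUERY urlpath_regex cgi-bin \? .js .jsp 192.168.10.29 192.168.10.30
# Do not cache dynamic content. "no_cache" is the pre-2.6 spelling of the
# "cache" directive; presumably still accepted by 3.1, check cache.log for a
# deprecation warning.
no_cache deny QUERY
#  MEMORY CACHE OPTIONS
cache_mem 8 MB
maximum_object_size_in_memory 16 KB
memory_replacement_policy heap GDSF
# DISK CACHE OPTIONS
cache_replacement_policy heap LFUDA
# aufs store in /cache: 10000 MB, 32 first-level and 256 second-level dirs.
# Created by "squid -z"; must be owned by cache_effective_user.
cache_dir aufs /cache 10000 32 256
store_dir_select_algorithm least-load
minimum_object_size 0 KB
maximum_object_size 32 MB
cache_swap_low 97
cache_swap_high 99
#LOGFILE OPTIONS
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
# swap.state lives under /etc here; that directory must exist and be
# writable by cache_effective_user (see the chown step that follows).
cache_swap_log /etc/squid/swap/swap.state
logfile_rotate 5
log_fqdn off
log_icp_queries off
buffered_logs off
emulate_httpd_log off

#OPTIONS FOR TUNING THE CACHE
# override-lastmod / reload-into-ims bend the HTTP caching rules; the build
# above enables http-violations for this.
refresh_pattern ^ftp:           1440    90%     100800  override-lastmod reload-into-ims
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       90%     43200   override-lastmod reload-into-ims
# Give up on transfers the client aborted rather than finishing them.
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95
shutdown_lifetime 10 seconds
half_closed_clients off
cache_effective_user squid
cache_effective_group squid
#SNMP OPTIONS
snmp_port 3401
snmp_access allow snmppublic bamboe
snmp_access deny all
dns_nameservers 8.8.8.8 61.94.192.12 202.134.1.10 8.8.4.4
ipcache_size 2048
ipcache_low 90
ipcache_high 95
#another optimizing
memory_pools off
client_db off
coredump_dir /cache
reload_into_ims on
balance_on_multiple_ip on
vary_ignore_expire on
pipeline_prefetch on
#MARKING ZPH for squid 3.1
# Mark replies served from the local cache with TOS 0x30 (build option
# --enable-zph-qos) so the firewall/shaper can tell hits from misses.
qos_flows local-hit=0x30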
·         change the owner of some files, depending on squid.conf
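# Hand the log, cache and swap-state directories to the cache_effective_user
# from squid.conf, then let squid build the cache_dir structure.
set -e
# Create the paths first: squid.conf points cache_dir at /cache and
# cache_swap_log at /etc/squid/swap/swap.state, and chown cannot fix up a
# directory that does not exist yet.
mkdir -p -- /var/log/squid /cache /etc/squid/swap
# No -f: a chown that fails should be visible, not silently skipped.
chown -R squid:squid /var/log/squid
chown -R squid:squid /cache
chown -R squid:squid /etc/squid/swap/
# Create the swap directories under cache_dir; run once before the first start.
squid -z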
·         Start-up file: copy the file to /etc/init.d/squid from the other article, http://myconfigure.blogspot.com/2012/03/missing-file-startup-squid.html
·         Remember to allow execution of the script and add it to the startup scripts:
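# The init script comes from a separate article, so make sure it is actually
# in place before enabling a service that would otherwise not exist.
[ -f /etc/init.d/squid ] || { printf 'missing /etc/init.d/squid\n' >&2; exit 1; }
chmod 755 /etc/init.d/squid
update-rc.d squid defaults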
·         run
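# Start squid and say so if it does not come up; cache.log (path from
# squid.conf) holds the reason.
/etc/init.d/squid start || { printf 'squid did not start; see /var/log/squid/cache.log\n' >&2; exit 1; }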

Shorewall.
·         get the latest version of Shorewall from www.shorewall.net.
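#!/usr/bin/env bash
# Fetch and install Shorewall 4.5.1.1: shorewall-core first, then the main
# package, each from its own unpacked directory.
set -euo pipefail

cd /usr/local
base=http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_4.5/shorewall-4.5.1
# NOTE(review): plain-HTTP downloads with no verification; check both archives
# against a checksum or signature from a trusted channel before running
# their install.sh as root (no hash is given on this page).
wget "$base/shorewall-core-4.5.1.1.tgz"
wget "$base/shorewall-4.5.1.1.tgz"
tar zxvf shorewall-core-4.5.1.1.tgz
# Both archives must be unpacked: the second install step runs from the
# shorewall-4.5.1.1 directory, which the original recipe never extracted.
tar zxvf shorewall-4.5.1.1.tgz
# Subshells so each install runs from its own directory without leaving the
# caller somewhere unexpected.
(cd shorewall-core-4.5.1.1 && ./install.sh)
(cd shorewall-4.5.1.1 && ./install.sh)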
·         If you get the error
Can't locate Digest/SHA1.pm in @INC 
(@INC contains: /usr/local/shorewall-4.5.1.1/Perl /etc/perl 
/usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 
/usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 
/usr/share/perl/5.10 /usr/local/lib/site_perl .) at 
/usr/local/shorewall-4.5.1.1/Perl/Shorewall/Chains.pm line 31.
·         Remove line 31.
# NOTE(review): commenting out the import only helps if nothing on the code
# paths you use calls sha1(); installing the Digest::SHA1 Perl module is the
# safer fix, since a later call to it would then fail at runtime.
#use Digest::SHA1 qw(sha1);
And try to install again.
·         To configure Shorewall, create some files in the directory /etc/shorewall. First, create the file zones:
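# -p is a no-op if install.sh already created /etc/shorewall; otherwise touch
# would fail on the missing directory.
mkdir -p /etc/shorewall
touch /etc/shorewall/zones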
·         add the lines below and don't forget to save
# ZONE    TYPE
# net is presumably the upstream/Internet side (eth0), loc the hotspot
# clients (tun0); fw is this host itself.
net     ipv4
loc     ipv4
fw      firewall
·         create the file interfaces
# Create the (empty) interfaces file; "--" guards against option parsing.
touch -- "/etc/shorewall/interfaces"
·         add the lines below
# ZONE    INTERFACE    BROADCAST
# tun0 is presumably the captive-portal tunnel the hotspot clients sit on;
# eth0 the upstream link -- confirm against the portal configuration.
loc     tun0    detect
net     eth0    detect
·         create the file policy
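# The lines that follow (net fw ACCEPT ...) belong to the policy file; the
# original recipe touched interfaces a second time here by mistake.
touch /etc/shorewall/policy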
·         add the lines below
# SOURCE  DEST    POLICY  LOG LEVEL
# Policies are matched top-down; the first matching source/dest pair wins.
# NOTE(review): "net fw ACCEPT" lets every inbound connection from the net
# zone reach this host, which does not match the stated goal of allowing only
# the needed ports and rejecting the rest. The conventional shape is a DROP
# (or REJECT) policy for net->fw here plus explicit ACCEPT rules in the rules
# file for each service that must be reachable from the net side; add those
# rules (remote administration included) before tightening this line, or
# the change locks you out.
net     fw      ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

·         create the file rules
# Create the (empty) rules file; "--" guards against option parsing.
touch -- "/etc/shorewall/rules"
·         add the lines below
# ACTION          SOURCE  DEST    PROTO   DEST PORT(S)
# DNS and HTTP from clients to this host; 1812/1813 are the standard RADIUS
# auth/acct ports, 3990/3799/5353/1814 are presumably the captive portal's
# own ports -- confirm against the portal configuration.
ACCEPT          loc     fw      tcp     53,80,3990
ACCEPT          loc     fw      udp     53,5353,3799,1812,1813,1814
# For REDIRECT the DEST column is the local port: client tcp/www from loc is
# handed to squid's "http_port 3128 transparent".
REDIRECT        loc     3128    tcp     www     -
# Everything else from clients to the net is passed through unfiltered.
ACCEPT          loc     net     -       -
·         Make sure that in /etc/default/shorewall the value of startup is 1. Now run:
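# The command is lowercase; "Shorewall" is not found on a case-sensitive
# filesystem. Fail loudly if the ruleset does not compile/load.
shorewall start || { printf 'shorewall failed to start\n' >&2; exit 1; }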


Security
To avoid attacks from crackers/hackers, here are some of the things I have done on my hotspot server.
1. Using Shorewall, with the configuration above. In that configuration I allow the ports that are needed, while the other ports I deny/reject.
2. Using Squid ACLs: access to the hotspot login page manager is allowed only from certain IPs, and requests from clients to the manager login page are refused.

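# Operator exemption for the "noway" URL list. Every acl line needs a type
# (src, url_regex, ...) after its name; the original lines omitted "src",
# which Squid rejects as an invalid ACL type. Spelled lowercase like the
# other acl lines in squid.conf.
acl op src 192.168.10.20
# NOTE(review): 10.0.1.0/24 differs from the 10.1.0.0/24 LAN used everywhere
# else on this page -- presumably a typo, verify before relying on it.
acl user src 10.0.1.0/24
acl noway url_regex -i "/etc/squid/noway"
# ... (other directives omitted) ...
# Order matters: the operator allow must come before the deny, otherwise the
# deny matches first and the exemption never applies.
http_access allow op noway
http_access deny noway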
The contents of the file noway are as below.
192.168.10.29
10.1.0.1/yfi

3. Also use allow and deny in Apache, in the file /etc/apache2/sites-available/default:
# Restrict the portal's JSON directory to the hotspot LAN and one operator
# host (192.168.10.29 also appears in squid's noway list).
<Directory /var/www/coova_json/>
                # "Indexes" turns on directory listings for this path; drop it
                # unless the portal relies on browsing the directory.
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                # Order allow,deny: a request matching no Allow line is refused,
                # so no explicit Deny is needed. Do not add "Deny from all" under
                # this order -- Deny is evaluated last and would then block the
                # allowed hosts as well.
                Order allow,deny
                allow from 10.1.0.0/255.255.255.0
                allow from 192.168.10.29/255.255.255.255
 </Directory>

The three combined are Shorewall, Squid and Apache; I think this is strong enough to block an attack. Combining them needs accuracy, perseverance and patience: if one of them is wrong, users cannot even log in. So be careful ... and do not forget to make a backup first!!!
