Linux server configuration guide: Ubuntu 14.04
UBUNTU 14 CONFIGURATION MANUAL
Install Squid and configure a proxy server. [1] These are common forward proxy settings.
root@prox:~# aptitude -y install squid3
root@prox:~# vi /etc/squid3/squid.conf
acl CONNECT method CONNECT
# line 919: add (define ACL for internal)
acl lan src 10.0.0.0/24
http_access allow localhost
# line 1058: add (set ACL for internal)
http_access allow lan
# line 1460: change
http_port 8080 transparent
# line 4445: add follows
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
# line 4761: add (define hostname)
visible_hostname prox.server.world
# forwarded_for on
# line 6869: add (hide IP address)
forwarded_for off
root@prox:~# initctl restart squid3
squid3 start/running, process 1462
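A small checker for the forward-proxy hardening above, added here as an example and not part of the manual: it parses squid.conf-style text (a constructed sample that mirrors the settings above) and reports missing or mis-ordered directives. It assumes the stock squid.conf's closing "http_access deny all" rule is still present after editing and that Squid 3's predefined ACLs (all, localhost, manager, to_localhost) exist.

```python
# Added example, not from the manual: checks the forward-proxy hardening above.
# Parses squid.conf-style text; SAMPLE_CONF is constructed from the manual's
# settings plus the stock squid.conf's closing "http_access deny all" rule.
SAMPLE_CONF = """\
acl CONNECT method CONNECT
acl lan src 10.0.0.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_port 8080 transparent
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
visible_hostname prox.server.world
forwarded_for off
"""
PRIVACY_HEADERS = {"Referer", "X-Forwarded-For", "Via", "Cache-Control"}
BUILTIN_ACLS = {"all", "localhost", "manager", "to_localhost"}  # predefined by Squid 3

def parse(conf):
    """Return (directive, args) pairs, dropping comments and blank lines."""
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def check(conf):
    """Return sorted findings; an empty list means every check passed."""
    d = parse(conf)
    findings = []
    acls = BUILTIN_ACLS | {a[0] for k, a in d if k == "acl" and a}
    access = [a for k, a in d if k == "http_access"]
    for a in access:                      # every rule must name defined ACLs only
        for name in a[1:]:
            if name.lstrip("!") not in acls:
                findings.append(f"http_access references undefined acl '{name}'")
    if not access or access[-1][:2] != ["deny", "all"]:
        findings.append("last http_access rule is not 'deny all'")
    if ["allow", "all"] in access:
        findings.append("'http_access allow all' turns a forward proxy into an open proxy")
    denied = {a[0] for k, a in d if k == "request_header_access" and a[1:3] == ["deny", "all"]}
    for h in sorted(PRIVACY_HEADERS - denied):
        findings.append(f"request_header_access {h} deny all is missing")
    if ["off"] not in [a for k, a in d if k == "forwarded_for"]:
        findings.append("forwarded_for is not off (client IPs leak to origin servers)")
    return sorted(findings)
```

Run check() against the real file contents before restarting squid3; the reverse-proxy configuration in the next section intentionally uses "http_access allow all", so apply this checker to forward-proxy configs only.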
Configure Squid as a Reverse Proxy server
root@prox:~# vi /etc/squid3/squid.conf
# near line 1058: add (allow all http access)
http_access allow all
# line 1460: specify http server's IP for backend
http_port 80 accel defaultsite=www.server.world
# line 2596: add
cache_peer 10.0.0.31 parent 80 0 no-query originserver
# line 2736: add (memory cache size)
cache_mem 256 MB
# line 3001: add
# number means [disk cache size] [number of directories on top level] [number of directories on 2nd level]
cache_dir ufs /var/spool/squid3 256 16 256
# line 4761: add (define hostname)
visible_hostname prox.server.world
root@prox:~# initctl restart squid3
squid3 start/running, process 2708
[2] Change the DNS or router settings if needed so that HTTP requests reach the Squid server. It is fine if the backend HTTP server responds as follows.
Install SquidClamav and configure the proxy server to scan downloaded files for viruses. Install ClamAV first.
[1] Install Clamd
root@prox:~# aptitude -y install clamav-daemon
[2] Download the latest version of Squidclamav from the link below. http://sourceforge.net/projects/squidclamav/files/squidclamav/
# install some required packages first
root@prox:~# aptitude -y install gcc make curl libcurl4-gnutls-dev c-icap libicapapi-dev
root@prox:~# wget http://ftp.jaist.ac.jp/pub/sourceforge/s/project/sq/squidclamav/squidclamav/6.11/squidclamav-6.11.tar.gz
root@prox:~# tar zxvf squidclamav-6.11.tar.gz
root@prox:~# cd squidclamav-6.11
root@prox:~/squidclamav-6.11# ./configure --with-c-icap
root@prox:~/squidclamav-6.11# make
root@prox:~/squidclamav-6.11# make install
root@prox:~/squidclamav-6.11# cd
root@prox:~# ln -s /etc/c-icap/squidclamav.conf /etc/squidclamav.conf
root@prox:~# vi /etc/squidclamav.conf
# line 17: change (the error page that blocked requests are redirected to)
redirect http://www.server.world/error.html
[3] Configure c-icap and Squid
root@prox:~# vi /etc/default/c-icap
# line 6: change
START=yes
root@prox:~# vi /etc/c-icap/c-icap.conf
# line 142: change to the admin email
ServerAdmin [email protected]
# line 151: change to the hostname
ServerName prox.server.world
# line 502: add
Service squidclamav squidclamav.so
root@prox:~# /etc/init.d/c-icap start
Starting c-icap: c-icap.
root@prox:~# vi /etc/squid3/squid.conf
# line 6078: add
icap_enable on
# line 6199: add
adaptation_send_client_ip on
# line 6209: add
adaptation_send_username on
# line 6214: add
icap_client_username_header X-Authenticated-User
# line 6310: add follows
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
root@prox:~# initctl restart squid3
squid3 start/running, process 12010
[4] Try to access the page below, which hosts a test virus. http://downloadcenter.trendmicro.com/index.php?regs=jp&prodid=1424 Click 'eicar.com' and try to download it. The virus is detected and the request is redirected to the error page you set.
In addition to configuring SquidClamav, configure SquidGuard, a URL redirector that uses blacklists.
[1] Install SquidGuard
root@prox:~# aptitude -y install squidguard
root@prox:~# mv /etc/squidguard/squidGuard.conf /etc/squidguard/squidGuard.conf.bk
root@prox:~# vi /etc/squidguard/squidGuard.conf
# create new (simple settings as an example)
dbhome /var/lib/squidguard/db
logdir /var/log/squid
dest deny {
    # define 'deny' category for prohibited domains
    domainlist deny/domains
    # define 'deny' category for prohibited URLs
    urllist deny/urls
}
acl {
    default {
        # permit all except the 'deny' category
        pass !deny all
        # the redirect URL if a request matches 'deny'
        redirect http://www.server.world/error.html
    }
}
root@prox:~# mkdir /var/lib/squidguard/db/deny
root@prox:~# vi /var/lib/squidguard/db/deny/domains
# write the domains you'd like to prohibit access to
yahoo.co.jp
example.com
root@prox:~# vi /var/lib/squidguard/db/deny/urls
# write the URLs you'd like to prohibit access to
www.yahoo.co.jp/deny/
www.example.com/
root@prox:~# squidGuard -C all
2014-06-08 13:25:35 [14132] INFO: squidGuard 1.5 started (1402287935.664)
2014-06-08 13:25:35 [14132] INFO: db update done
2014-06-08 13:25:35 [14132] INFO: squidGuard stopped (1402287936.001)
root@prox:~# chown -R c-icap:proxy /var/lib/squidguard
root@prox:~# chown -R c-icap:proxy /var/log/squidguard
root@prox:~# vi /etc/squidclamav.conf
# line 21: uncomment and change
squidguard /usr/bin/squidGuard
root@prox:~# /etc/init.d/c-icap restart
 * Restarting c-icap Server c-icap
   ...done.
[2] Try to access a URL under one of the domains you set as prohibited in [1].
Install/Configure Postfix
Install Postfix to configure an SMTP server. SMTP uses 25/TCP. [1] This example configures SMTP-Auth using Dovecot's SASL function.
root@mail:~# aptitude -y install postfix sasl2-bin
# Enter
+------------------------+ Postfix Configuration +------------------------+
|
|
| Please select the mail server configuration type that best meets your
| needs.
|
| No configuration:
| Should be chosen to leave the current configuration unchanged.
| Internet site:
| Mail is sent and received directly using SMTP.
| Internet with smarthost:
| Mail is received directly using SMTP or by running a utility such
| as fetchmail. Outgoing mail is sent using a smarthost.
| Satellite system:
| All mail is sent to another machine, called a 'smarthost', for
| delivery.
| Local only:
|
|
|
|
+-------------------------------------------------------------------------+
# select 'No Configuration' (configure manually)
+------+ Postfix Configuration +-------+
| General type of mail configuration: |
| |
| No configuration |
| Internet Site |
| Internet with smarthost |
| Satellite system |
| Local only |
| |
| |
| |
| |
+--------------------------------------+
root@mail:~# cp /usr/lib/postfix/main.cf /etc/postfix/main.cf
root@mail:~# vi /etc/postfix/main.cf
# line 59: uncomment
mail_owner = postfix
# line 76: uncomment and specify hostname
myhostname = mail.server.world
# line 83: uncomment and specify domain name
mydomain = server.world
# line 104: uncomment
myorigin = $mydomain
# line 118: uncomment
inet_interfaces = all
# line 166: uncomment
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# line 209: uncomment
local_recipient_maps = unix:passwd.byname $alias_maps
# line 268: uncomment and specify your LAN
mynetworks = 127.0.0.0/8, 10.0.0.0/24
# line 388: uncomment
alias_maps = hash:/etc/aliases
# line 399: uncomment
alias_database = hash:/etc/aliases
# line 421: uncomment (use Maildir)
home_mailbox = Maildir/
# line 557: comment out and add below
# smtpd_banner = $myhostname ESMTP $mail_name (@@DISTRO@@)
smtpd_banner = $myhostname ESMTP
# line 631: add
sendmail_path = /usr/sbin/postfix
# line 636: add
newaliases_path = /usr/bin/newaliases
# line 641: add
mailq_path = /usr/bin/mailq
# line 647: add
setgid_group = postdrop
# line 651: comment out
#html_directory =
# line 655: comment out
#manpage_directory =
# line 660: comment out
#sample_directory =
# line 664: comment out
#readme_directory =
# add at the last line: limit email size to 10M
message_size_limit = 10485760
# limit mailbox to 1G
mailbox_size_limit = 1073741824
# for SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject
root@mail:~# newaliases
root@mail:~# /etc/init.d/postfix restart
 * Stopping Postfix Mail Transport Agent postfix
   ...done.
 * Starting Postfix Mail Transport Agent postfix
   ...done.
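The smtpd_recipient_restrictions list above, replayed for a few constructed client scenarios as an added example (not the manual's code), to show why the closing reject is what stops unauthenticated relaying. It uses the manual's mynetworks and mydestination values, models permit_auth_destination as a plain mydestination lookup, and uses the documentation address 203.0.113.7 for an outside client.

```python
# Added example, not from the manual: replays the smtpd_recipient_restrictions
# list above in Postfix order (first matching restriction decides) for a few
# constructed clients. permit_auth_destination is simplified to a mydestination
# lookup; mynetworks and mydestination are the manual's values.
import ipaddress

RESTRICTIONS = ["permit_mynetworks", "permit_auth_destination",
                "permit_sasl_authenticated", "reject"]
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/24")]
# mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
MYDESTINATION = {"mail.server.world", "localhost.server.world", "localhost", "server.world"}

def evaluate(restrictions, client_ip, rcpt, sasl_authenticated):
    """Return ('permit'|'reject', deciding restriction) for one RCPT TO."""
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    for r in restrictions:
        if r == "permit_mynetworks" and any(ip in n for n in MYNETWORKS):
            return "permit", r
        if r == "permit_auth_destination" and rcpt_domain in MYDESTINATION:
            return "permit", r        # we are the final destination, not relaying
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit", r
        if r == "reject":
            return "reject", r
    return "permit", "end-of-list"    # Postfix permits when the list runs out

def relay_matrix(restrictions):
    """Decision for each constructed scenario (203.0.113.7 is a documentation IP)."""
    cases = {
        "lan_client_relay":        ("10.0.0.50",   "someone@example.com", False),
        "inbound_to_us":           ("203.0.113.7", "user@server.world",   False),
        "roaming_authenticated":   ("203.0.113.7", "someone@example.com", True),
        "roaming_unauthenticated": ("203.0.113.7", "someone@example.com", False),
    }
    return {name: evaluate(restrictions, *args)[0] for name, args in cases.items()}

if __name__ == "__main__":
    for name, decision in relay_matrix(RESTRICTIONS).items():
        print(f"{name:26} {decision}")
```

Dropping the final reject (RESTRICTIONS[:-1]) makes the unauthenticated roaming case fall through to Postfix's end-of-list permit, i.e. an open relay.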
Install Dovecot to configure a POP/IMAP server. POP uses 110/TCP, IMAP uses 143/TCP.
[1] This example configures Dovecot to provide the SASL function to Postfix.
root@mail:~# aptitude -y install dovecot-core dovecot-pop3d dovecot-imapd
# select "No"; configure it later if needed
+-----------------------+ Configuring dovecot-core +------------------------+
| |
| An SSL certificate is needed in order to use IMAP or POP3 over SSL/TLS. |
| No such certificate was found. |
| |
| Please choose whether you want to create one now. This will then be a |
| self-signed certificate. |
| |
| If you choose not to create a certificate, please adapt Dovecot's |
| configuration file (/etc/dovecot/conf.d/10-ssl.conf). |
| |
| Create a self-signed SSL certificate? |
| |
| |
| |
+---------------------------------------------------------------------------+
root@mail:~# vi /etc/dovecot/dovecot.conf
# line 30: change (if you do not listen on IPv6)
listen = *
root@mail:~# vi /etc/dovecot/conf.d/10-auth.conf
# line 10: uncomment and change (allow plain text auth)
disable_plaintext_auth = no
# line 100: add
auth_mechanisms = plain login
root@mail:~# vi /etc/dovecot/conf.d/10-mail.conf
# line 30: change to Maildir
mail_location = maildir:~/Maildir
root@mail:~# vi /etc/dovecot/conf.d/10-master.conf
# line 96-98: uncomment and add
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
root@mail:~# vi /etc/dovecot/conf.d/10-ssl.conf
# line 6: uncomment and change (no SSL)
ssl = no
# line 12,13: comment out
#ssl_cert =
Configure Postfix and Dovecot for SSL.
root@mail:~# vi /etc/postfix/main.cf
# add at the last line
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
root@mail:~# vi /etc/postfix/master.cf
# line 28-30: uncomment
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
root@mail:~# vi /etc/dovecot/conf.d/10-ssl.conf
# line 6: uncomment
ssl = yes
# line 12,13: uncomment and specify certificate
ssl_cert =
Create your server's own SSL certificate. If you use the server for business, it is better to buy and use a certificate from a commercial CA such as Verisign.
root@www:~# cd /etc/ssl/private
root@www:/etc/ssl/private# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for server.key: # set passphrase
Verifying - Enter pass phrase for server.key: # confirm
# remove passphrase from private key
root@www:/etc/ssl/private# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: # passphrase
writing RSA key
root@www:/etc/ssl/private# openssl req -new -days 3650 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: JP # country
State or Province Name (full name) [Some-State]: Hiroshima # state
Locality Name (eg, city) []: Hiroshima # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: GTS # company
Organizational Unit Name (eg, section) []: Server World # department
Common Name (e.g. server FQDN or YOUR name) []: www.server.world # server's FQDN
Email Address []: [email protected] # email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@www:/etc/ssl/private# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.server.world/[email protected]
Getting Private key
root@www:/etc/ssl/private# chmod 400 server.*
APACHE2
root@www:~# vi /etc/apache2/conf-enabled/security.conf
# line 26: change
ServerTokens Prod
# line 37: change
ServerSignature Off
root@www:~# vi /etc/apache2/mods-enabled/dir.conf
# line 2: add the file names served when a request names only a directory
DirectoryIndex index.html index.htm
root@www:~# vi /etc/apache2/apache2.conf
# line 70: add to specify server name
ServerName www.server.world
root@www:~# vi /etc/apache2/sites-enabled/000-default.conf
# line 11: change to webmaster's email
ServerAdmin [email protected]
root@www:~# /etc/init.d/apache2 restart
* Restarting web server apache2
...done.