This document provides instructions for installing and configuring a Squid proxy cache with additional security features like ClamAV antivirus and DansGuardian web filtering on a CentOS server. It is an 8 step process that involves installing and configuring Squid, ClamAV, c-ICAP, SquidClamAV, DansGuardian, and LightSquid for reporting. The final configuration would allow proxying and filtering of internet access from the LAN and DMZ subnets while scanning files for viruses.
This document provides instructions for installing and configuring a Squid proxy cache with additional security features like ClamAV antivirus and DansGuardian web filtering on a CentOS server. It is an 8 step process that involves installing and configuring Squid, ClamAV, c-ICAP, SquidClamAV, DansGuardian, and LightSquid for reporting. The final configuration would allow proxying and filtering of internet access from the LAN and DMZ subnets while scanning files for viruses.
This document provides instructions for installing and configuring a Squid proxy cache with additional security features like ClamAV antivirus and DansGuardian web filtering on a CentOS server. It is an 8 step process that involves installing and configuring Squid, ClamAV, c-ICAP, SquidClamAV, DansGuardian, and LightSquid for reporting. The final configuration would allow proxying and filtering of internet access from the LAN and DMZ subnets while scanning files for viruses.
This document provides instructions for installing and configuring a Squid proxy cache with additional security features like ClamAV antivirus and DansGuardian web filtering on a CentOS server. It is an 8 step process that involves installing and configuring Squid, ClamAV, c-ICAP, SquidClamAV, DansGuardian, and LightSquid for reporting. The final configuration would allow proxying and filtering of internet access from the LAN and DMZ subnets while scanning files for viruses.
Instalacin y configuracin del Squid Proxy-Cache en CentOS
Paso 1: Limpiar las IPTables
iptables -F iptables -t nat -F iptables --delete-chain iptables -t nat --delete-chain Paso 2: Modificar IPTables, Squid se har cargo del FORWARD # iptables -A INPUT -i eth1 -j ACCEPT # iptables -A INPUT -i eth2 -j ACCEPT # iptables -A OUTPUT o eth1 -j ACCEPT # iptables -A OUTPUT o eth2 -j ACCEPT # iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE # service iptables save Paso 3: Instalar repositorios adicionales # yum -y install epel-release # yum -y install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.31.el6.rf.x86_64.rpm Paso 4: Instalar el Squid Proxy-Cache # yum -y install squid Configuracin del Squid # nano -c /etc/squid/squid.conf lnea 29: agregar acl LAN src 192.168.10.0/24 acl DMZ src 192.168.32.0/24 lnea 58: agregar http_access allow LAN http_access allow DMZ lnea 64: Debe de quedar as http_port 192.168.10.1:3128 http_port 192.168.32.1:3128 http_port 127.0.0.1:3128 final del archivo: agregar request_header_access Referer deny all request_header_access X-Forwarded-For deny all request_header_access Via deny all request_header_access Cache-Control deny all visible_hostname proxy.nombre.local forwarded_for off # service squid start # chkconfig squid on
Paso 5: Pruebas Asigne el proxy a el servidor y al cliente de Ubuntu LAN IP: 192.168.10.1 Puerto: 3128 DMZ IP: 192.168.32.1 Puerto: 3128 Navegue por internet Paso 6: Integrar el Clamd AntiVirus al Squid Proxy-Cache # yum -y install clamav wget curl # freshclam # yum -y groupinstall Development Tools # curl -L -O http://ufpr.dl.sourceforge.net/project/c-icap/c-icap/0.4.x/c_icap-0.4.3.tar.gz # tar zxvf c_icap-0.4.3.tar.gz # cd c_icap-0.4.3 # ./configure && make && make install && cd # cp /usr/local/etc/c-icap.conf /etc Configuracin del AntiVirus # nano -c /etc/c-icap.conf Lnea 161: defina el correo del administrador ServerAdmin [email protected] Lnea 170: ponga el nombre que se asign el Squid ServerName proxy.nombre.local Lnea 568: agregar Service squidclamav squidclamav.so Cree el siguiente Script de arranque del servicio: #nano /etc/rc.d/init.d/c-icap #!/bin/bash # c-icap: Start/Stop c-icap # chkconfig: - 70 30 # description: c-icap is an implementation of an ICAP server. # processname: c-icap # pidfile: /var/run/c-icap/c-icap.pid . /etc/rc.d/init.d/functions . /etc/sysconfig/network CONFIG_FILE=/etc/c-icap.conf PID_DIR=/var/run/c-icap
# cd squidclamav-6.15 # ./configure --with-c-icap && make && make install && cd # ln -s /usr/local/etc/squidclamav.conf /etc/squidclamav.conf Configuracin del SquidClamAV # nano -c /etc/squidclamav.conf Lnea 18: Defina la URL donde se reenviaran las pginas infectadas redirect http://www.ina.ac.cr/
Lnea 27: Defina el socket de escucha (mismo que el clamd)
clamd_local /var/run/clamav/clamd.sock # service c-icap start # chkconfig --add c-icap # chkconfig c-icap on Integrar el AntiVirus con el Squid # nano /etc/squid/squid.conf Final del fichero: agregar icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_header X-Authenticated-User icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
# squid -k reconfigure # service squid restart Paso 7: Instalar el Web Filter DansGuardian # yum -y install dansguardian Configuracin del DansGuardian # nano -c /etc/dansguardian/dansguardian.conf Lnea 26: Cambiar idioma languaje = spanish Lnea 88: Definir el puerto de escucha del DandsGuardian filterport = 8080 Lnea 94: Definir el puerto de escucha del Squid proxyport = 3128 Iniciar el servicio # service dansguardian start # chkconfig dansguardian on Paso 8: Crear listas negras para el Web Filter # nano /etc/dansguardian/lists/bannedsitelist Agregar al fichero: yahoo.com
google.com opendns.com cisco.com babosas.com Reiniciar el servicio # service dansguardian restart Pruebas: Cambie en los clientes el puerto proxy por el 8080 y navegue por los sitios agregados al fichero. Paso 9: Instalar el reporteador LightSquid # yum -y groupinstall Web Server # yum -y install lightsquid lightsquid-apache perl perl-CGI Habilitar soporte para CGI Scripting en el servidor web # nano /etc/httpd/conf/httpd.conf Lnea 576: Defina la ubicacin del CGI Scripting ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" Lnea 331: La lnea debe quedar as Options FollowSymLinks ExecCGI Lnea 769: descomente la lnea y agregue el soporte de perl AddHandler cgi-script .cgi .pl Iniciar el servicio # service httpd start # chkconfig httpd on Configuracin del LightSquid # nano /etc/httpd/conf.d/lightsquid.conf Modifique el fichero para que se vea as: SOLO desde DMZ se tendr Acceso. <Directory /usr/share/lightsquid/cgi> DirectoryIndex index.cgi Options ExecCGI AddHandler cgi-script .cgi AllowOverride None Order Deny,Allow Deny from all Allow from 127.0.0.1 192.168.32.0/24 </Directory> Reinicie el Servicio Web
# service httpd restart
Generar el reporte (se ejecuta cada que quiera un nuevo reporte) # /usr/sbin/lightparser.pl Pruebas: Desde el servidor ingrese a http://192.168.32.1/lightsquid/
