Configura Ubuntu-Server 6.06 LTS come firewall/gateway per il tuo ambiente di piccole imprese
Include:Shorewall, NAT, Caching NameServer, Server DHCP, Server VPN, Webmin, Munin, Apache (abilitazione SSL), Squirrelmail, Configurazione Postfix con domini virtuali, Courier imap imaps pop3 pop3s, autenticazione sasl per road warriors, MailScanner as un wrapper per SpamAssassin, Razor, ClamAV, ecc. Samba installato, non configurato.
Richiede pochissima manutenzione ed è estensibile oltre la tua più sfrenata immaginazione. Tutto a seconda dell'hardware utilizzato, ovviamente.
Questo è solo un manuale COPIA&INCOLLA. Per maggiori info usa la rete. L'ho fatto... Comunque, contributi e suggerimenti sono sempre i benvenuti! So che questo può essere fatto meglio, quindi sentiti libero.
Avrei dovuto basare questo tutorial su 6.06 LTS subito, a causa dell'LTS. Scusa per quello. A causa di alcune modifiche minori ma importanti necessarie per farlo funzionare con Ubuntu 6.06 LTS, l'ho scritto di nuovo.
Se qualcuno di voi riesce a trovare il tempo per aggiungere una buona installazione e configurazione per snort AND snortsam, incluso un pannello di controllo completo, gliene sarei grato.
Ambito:creazione di un firewall/gateway (postale) per una piccola rete (diciamo da 10 a 15 utenti circa su una RAM PIII da 450 MHz, 512 MB e due schede di interfaccia di rete identiche, connessione a banda larga, con funzionalità complete, per un ambiente aziendale. Specifiche migliori del tuo hardware (in particolare la quantità di ram) migliorerà significativamente le prestazioni del tuo server.Le specifiche menzionate sono un minimo indispensabile per i clienti non così esigenti, solo per indicare che se lo desideri davvero, può essere fatto davvero (necessario qualche ritocco in seguito però).
Pubblico previsto:(inizio) sysop.
Questo tutorial porta verso un solido sistema 'pronto all'uso'. La parte divertente, credo, (modifica, messa a punto, ecc.) inizia quando hai finito. Potresti voler ispezionare i tuoi registri per trovare indizi su dove dovrebbe iniziare la messa a punto. Anche Munin potrebbe dirti molto.Buon divertimento!
Innanzitutto, esegui un'installazione pulita utilizzando Ubuntu-Server 6.06 LTS. Durante l'installazione, le impostazioni corrette per eth0 verranno rilevate automaticamente. Se non riesce, cambia i cavi di rete e riprova. C'è una possibilità molto piccola che il tuo ISP non esegua un server DHCP (mai visto che è successo), o semplicemente potrebbe essere inattivo (visto che parecchie volte, inoltre possono rovinare il loro DNS ogni tanto), in nel qual caso sei sul tuo, meglio aspettare che abbiano finito di ripararlo. Quindi iniziamo con un indirizzo assegnato da DHCP per eth0. Questo è solo un modo semplice per capire quale NIC è effettivamente eth0. Se sai già quale è meglio iniziare con un indirizzo statico per eth0. Se il tuo ISP non è scadente, hai le impostazioni corrette per questo.
Ora procedi e accetta tutte le impostazioni predefinite (ma potresti voler fare il tuo partizionamento), non installare LAMP.
Ora accedi come nuovo utente che hai appena creato e fai:
sudo passwd
Ora inserisci di nuovo la tua password. Quindi inserisci la nuova password per l'utente "root" e conferma. Quindi abbiamo abbandonato la brutta esperienza sudo (un po' strano su un server, vero?) Ora disconnetti e accedi di nuovo come root con la nuova password di root.
Usando vim (o il tuo editor preferito) modifica /etc/apt/sources.list. Commenta il repository cd. Successivamente aggiungi "universe" (senza virgolette) a tutte le righe che non sono commentate e decommenta i repository backport. Salva il file.
Modifica /etc/network/interfaces e aggiungi quanto segue in fondo:
auto eth1 iface eth1 inet static address 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 network 192.168.1.0
Nota che il resto di questo tutorial presuppone che tu abbia effettivamente effettuato le impostazioni per eth1 come mostrato.
Il mio completo/etc/network/interfaces è simile a questo:
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet dhcp auto eth1 iface eth1 inet static address 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 network 192.168.1.0
Come puoi vedere, il mio eth0 ottiene le sue impostazioni usando DHCP.
Salva il file. Avanti:
apt-get update
apt-get install openssh-server
apt-get upgrade
Durante il processo di aggiornamento viene installata una nuova immagine del kernel. Quindi fai il prossimo:
reboot
Il resto puoi farlo dalla tua workstation, Linux o l'altra (deve avere stucco), quindi puoi effettivamente copiare e incollare. Accedi a 192.168.1.1 come root e vai avanti.
Assicurati che le impostazioni di rete della tua workstation corrispondano alle impostazioni di eth1
del tuo serverSe sei confuso qui, prima configura e avvia il tuo server DHCP come mostrato in questo articolo e lascia che la tua workstation rilevi automaticamente le impostazioni corrette.
Configura Ubuntu-Server 6.06 LTS come firewall/gateway per il tuo ambiente di piccole imprese - Pagina 2
Ora fai:
apt-get install libmd5-perl libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq openssl
wget http://surfnet.dl.sourceforge.net/sourceforge/webadmin/webmin_1.390_all.deb
"surfnet" è il server olandese. Cambialo in "heanet" (per l'Irlanda), "belnet" (per il Belgio), "mesh" (per la Germania) e così via.
dpkg -i webmin_1.390_all.deb
cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/
cd /etc/shorewall
gunzip interfaces.gz masq.gz rules.gz
Ora apri il tuo browser e accedi a webmin all'indirizzo https://192.168.1.1:10000 come root con la tua password di root e, usando il modulo Shorewall di webmin, cambia le policy e le regole del tuo firewall secondo necessità (per ora, ho solo impostato le regole file nell'esempio come mostrato, puoi copiare e incollare il mio file delle regole per cominciare, se non ti piace webmin).
Impostare anche in /etc/shorewall/shorewall.conf la riga "IP_FORWARDING=Keep" su "IP_FORWARDING=On" (senza virgolette)
e abilitare il firewall in /etc/default/shorewall.
Il mio /etc/shorewall/rules ora appare così:
#############################################################################################################Quindi fai:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT $FW net
ACCEPT $FW net all
ACCEPT $FW loc all
ACCEPT loc $FW all
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
rm /etc/shorewall/README.txt Makefile
/etc/init.d/shorewall start
Ora dovresti essere in grado di navigare in rete.
NON PROCEDERE FINO A CHE NON RIUSCITI A NAVIGARE IN RETE. VISTO CHE QUESTO È IL TUO QUADRO. DEVE ESSERE OK.
Configura Ubuntu-Server 6.06 LTS come firewall/gateway per il tuo ambiente di piccole imprese - Pagina 3
Quindi ora abbiamo bisogno di alcuni pacchetti. Fai (tutto in una riga!):
apt-get install clamav-daemon xfsdump razor pyzor mailscanner spamc spamassassin postfix courier-authmysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-modules-sql sasl2-bin libpam-mysql build-essential dpkg-dev fakeroot debhelper libdb4.2-dev libgdbm-dev libldap2-dev libpcre3-dev libmysqlclient12-dev libssl-dev libsasl2-dev postgresql-dev po-debconf dpatch zoo unzip arj rdate fetchmail zip ncftp zlib1g-dev libpopt-dev nmap lynx fileutils curl imagemagick squirrelmail squirrelmail-locales munin munin-node ntp nfs-kernel-server samba unzoo mysql-server mysql-client libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl php-pear mailx libzzip-dev libgmp3c2 libgmp3-dev dhcp3-server pptpd
Accetta tutte le impostazioni predefinite.
Ora fai:
mysqladmin -u root password yourrootsqlpassword
USA QUI UNA PASSWORD REALE!
Ora configura Apache e Squirrelmail.
/usr/sbin/squirrelmail-configure
Impostalo su corriere (opzione D) e imposta ik altrimenti come preferisci.
Non dimenticare di abilitare alcuni plugin e di impostare una lingua predefinita, se lo desideri. Inoltre suggerisco di impostare questo:
$show_contain_subfolders_option = true;
My/etc/squirrelmail/config.php ora appare così:(Solo la mia configurazione attuale. Non copiarla, usala come riferimento.)
<?php
/**
* SquirrelMail Configuration File
* Created using the configure script, conf.pl
*/
global $version;
$config_version = '1.4.0';
$config_use_color = 2;
$org_name = "Lürsen";
$org_logo = SM_PATH . 'images/sm_logo.png';
$org_logo_width = '564';
$org_logo_height = '261';
$org_title = "Lürsen";
$signout_page = 'https://lursen.net/webmail';
$frame_top = '_top';
$provider_uri = 'http://www.squirrelmail.org/';
$provider_name = 'SquirrelMail';
$motd = "";
$squirrelmail_default_language = 'nl_NL';
$default_charset = 'iso-8859-1';
$lossy_encoding = false;
$domain = 'lursen.net';
$imapServerAddress = 'localhost';
$imapPort = 143;
$useSendmail = false;
$smtpServerAddress = 'localhost';
$smtpPort = 25;
$sendmail_path = '/usr/sbin/sendmail';
$sendmail_args = '-i -t';
$pop_before_smtp = false;
$imap_server_type = 'courier';
$invert_time = false;
$optional_delimiter = '.';
$encode_header_key = '';
$default_folder_prefix = 'INBOX.';
$trash_folder = 'Trash';
$sent_folder = 'Sent';
$draft_folder = 'Drafts';
$default_move_to_trash = true;
$default_move_to_sent = true;
$default_save_as_draft = true;
$show_prefix_option = false;
$list_special_folders_first = true;
$use_special_folder_color = true;
$auto_expunge = true;
$default_sub_of_inbox = false;
$show_contain_subfolders_option = true;
$default_unseen_notify = 2;
$default_unseen_type = 1;
$auto_create_special = true;
$delete_folder = true;
$noselect_fix_enable = false;
$data_dir = '/var/lib/squirrelmail/ data/';
$attachment_dir = '/var/spool/squirrelmail/attach/';
$dir_hash_level = 0;
$default_left_size = '150';
$force_username_lowercase = false;
$default_use_priority = true;
$hide_sm_attributions = false;
$default_use_mdn = true;
$edit_identity = true;
$edit_name = true;
$hide_auth_header = false;
$allow_thread_sort = false;
$allow_server_sort = false;
$allow_charset_search = true;
$uid_support = true;
$plugins[0] = 'abook_take';
$plugins[1] = 'delete_move_next';
$plugins[2] = 'calendar';
$plugins[3] = 'filters';
$plugins[4] = 'message_details';
$plugins[5] = 'mail_fetch';
$plugins[6] = 'newmail';
$theme_css = '';
$theme_default = 0;
$theme[0]['PATH'] = SM_PATH . 'themes/default_theme.php';
$theme[0]['NAME'] = 'Default';
$theme[1]['PATH'] = SM_PATH . 'themes/plain_blue_theme.php';
$theme[1]['NAME'] = 'Plain Blue';
$theme[2]['PATH'] = SM_PATH . 'themes/sandstorm_theme.php';
$theme[2]['NAME'] = 'Sand Storm';
$theme[3]['PATH'] = SM_PATH . 'themes/deepocean_theme.php';
$theme[3]['NAME'] = 'Deep Ocean';
$theme[4]['PATH'] = SM_PATH . 'themes/slashdot_theme.php';
$theme[4]['NAME'] = 'Slashdot';
$theme[5]['PATH'] = SM_PATH . 'themes/purple_theme.php';
$theme[5]['NAME'] = 'Purple';
$theme[6]['PATH'] = SM_PATH . 'themes/forest_theme.php';
$theme[6]['NAME'] = 'Forest';
$theme[7]['PATH'] = SM_PATH . 'themes/ice_theme.php';
$theme[7]['NAME'] = 'Ice';
$theme[8]['PATH'] = SM_PATH . 'themes/seaspray_theme.php';
$theme[8]['NAME'] = 'Sea Spray';
$theme[9]['PATH'] = SM_PATH . 'themes/bluesteel_theme.php';
$theme[9]['NAME'] = 'Blue Steel';
$theme[10]['PATH'] = SM_PATH . 'themes/dark_grey_theme.php';
$theme[10]['NAME'] = 'Dark Grey';
$theme[11]['PATH'] = SM_PATH . 'themes/high_contrast_theme.php';
$theme[11]['NAME'] = 'High Contrast';
$theme[12]['PATH'] = SM_PATH . 'themes/bla ck_bean_burrito_theme.php';
$theme[12]['NAME'] = 'Black Bean Burrito';
$theme[13]['PATH'] = SM_PATH . 'themes/servery_theme.php';
$theme[13]['NAME'] = 'Servery';
$theme[14]['PATH'] = SM_PATH . 'themes/maize_theme.php';
$theme[14]['NAME'] = 'Maize';
$theme[15]['PATH'] = SM_PATH . 'themes/bluesnews_theme.php';
$theme[15]['NAME'] = 'BluesNews';
$theme[16]['PATH'] = SM_PATH . 'themes/deepocean2_theme.php';
$theme[16]['NAME'] = 'Deep Ocean 2';
$theme[17]['PATH'] = SM_PATH . 'themes/blue_grey_theme.php';
$theme[17]['NAME'] = 'Blue Grey';
$theme[18]['PATH'] = SM_PATH . 'themes/dompie_theme.php';
$theme[18]['NAME'] = 'Dompie';
$theme[19]['PATH'] = SM_PATH . 'themes/methodical_theme.php';
$theme[19]['NAME'] = 'Methodical';
$theme[20]['PATH'] = SM_PATH . 'themes/greenhouse_effect.php';
$theme[20]['NAME'] = 'Greenhouse Effect (Changes)';
$theme[21]['PATH'] = SM_PATH . 'themes/in_the_pink.php';
$theme[21]['NAME'] = 'In The Pink (Changes)';
$theme[22]['PATH'] = SM_PATH . 'themes/kind_of_blue.php';
$theme[22]['NAME'] = 'Kind of Blue (Changes)';
$theme[23]['PATH'] = SM_PATH . 'themes/monostochastic.php';
$theme[23]['NAME'] = 'Monostochastic (Changes)';
$theme[24]['PATH'] = SM_PATH . 'themes/shades_of_grey.php';
$theme[24]['NAME'] = 'Shades of Grey (Changes)';
$theme[25]['PATH'] = SM_PATH . 'themes/spice_of_life.php';
$theme[25]['NAME'] = 'Spice of Life (Changes)';
$theme[26]['PATH'] = SM_PATH . 'themes/spice_of_life_lite.php';
$theme[26]['NAME'] = 'Spice of Life - Lite (Changes)';
$theme[27]['PATH'] = SM_PATH . 'themes/spice_of_life_dark.php';
$theme[27]['NAME'] = 'Spice of Life - Dark (Changes)';
$theme[28]['PATH'] = SM_PATH . 'themes/christmas.php';
$theme[28]['NAME'] = 'Holiday - Christmas';
$theme[29]['PATH'] = SM_PATH . 'themes/darkness.php';
$theme[29]['NAME'] = 'Darkness (Changes)';
$theme[30]['PATH'] = SM_PATH . 'themes/random.php';
$theme[30]['NAME'] = 'Random (Changes every login)';
$theme[31]['PATH'] = SM _PATH . 'themes/midnight.php';
$theme[31]['NAME'] = 'Midnight';
$theme[32]['PATH'] = SM_PATH . 'themes/alien_glow.php';
$theme[32]['NAME'] = 'Alien Glow';
$theme[33]['PATH'] = SM_PATH . 'themes/dark_green.php';
$theme[33]['NAME'] = 'Dark Green';
$theme[34]['PATH'] = SM_PATH . 'themes/penguin.php';
$theme[34]['NAME'] = 'Penguin';
$theme[35]['PATH'] = SM_PATH . 'themes/minimal_bw.php';
$theme[35]['NAME'] = 'Minimal BW';
$theme[36]['PATH'] = SM_PATH . 'themes/redmond.php';
$theme[36]['NAME'] = 'Redmond';
$theme[37]['PATH'] = SM_PATH . 'themes/netstyle_theme.php';
$theme[37]['NAME'] = 'Net Style';
$theme[38]['PATH'] = SM_PATH . 'themes/silver_steel_theme.php';
$theme[38]['NAME'] = 'Silver Steel';
$theme[39]['PATH'] = SM_PATH . 'themes/simple_green_theme.php';
$theme[39]['NAME'] = 'Simple Green';
$theme[40]['PATH'] = SM_PATH . 'themes/wood_theme.php';
$theme[40]['NAME'] = 'Wood';
$theme[41]['PATH'] = SM_PATH . 'themes/bluesome.php';
$theme[41]['NAME'] = 'Bluesome';
$theme[42]['PATH'] = SM_PATH . 'themes/simple_green2.php';
$theme[42]['NAME'] = 'Simple Green 2';
$theme[43]['PATH'] = SM_PATH . 'themes/simple_purple.php';
$theme[43]['NAME'] = 'Simple Purple';
$theme[44]['PATH'] = SM_PATH . 'themes/autumn.php';
$theme[44]['NAME'] = 'Autumn';
$theme[45]['PATH'] = SM_PATH . 'themes/autumn2.php';
$theme[45]['NAME'] = 'Autumn 2';
$theme[46]['PATH'] = SM_PATH . 'themes/blue_on_blue.php';
$theme[46]['NAME'] = 'Blue on Blue';
$theme[47]['PATH'] = SM_PATH . 'themes/classic_blue.php';
$theme[47]['NAME'] = 'Classic Blue';
$theme[48]['PATH'] = SM_PATH . 'themes/classic_blue2.php';
$theme[48]['NAME'] = 'Classic Blue 2';
$theme[49]['PATH'] = SM_PATH . 'themes/powder_blue.php';
$theme[49]['NAME'] = 'Powder Blue';
$theme[50]['PATH'] = SM_PATH . 'themes/techno_blue.php';
$theme[50]['NAME'] = 'Techno Blue';
$theme[51]['PATH'] = SM_PATH . 'themes/turquoise.php';
$theme[51]['NAME'] = 'Turquoise';
$default_use_jav ascript_addr_book = false;
$abook_global_file = '';
$abook_global_file_writeable = false;
$addrbook_dsn = '';
$addrbook_table = 'address';
$prefs_dsn = '';
$prefs_table = 'userprefs';
$prefs_user_field = 'user';
$prefs_key_field = 'prefkey';
$prefs_val_field = 'prefval';
$addrbook_global_dsn = '';
$addrbook_global_table = 'global_abook';
$addrbook_global_writeable = false;
$addrbook_global_listing = false;
$no_list_for_subscribe = false;
$smtp_auth_mech = 'none';
$imap_auth_mech = 'login';
$use_imap_tls = false;
$use_smtp_tls = false;
$session_name = 'SQMSESSID';
$config_location_base = '';
@include SM_PATH . 'config/config_local.php';
/**
* Make sure there are no characters after the PHP closing
* tag below (including newline characters and whitespace).
* Otherwise, that character will cause the headers to be
* sent and regular output to begin, which will majorly screw
* things up when we try to send more headers later.
*/
?>
Prossimo:
apache2-ssl-certificate -days 3650
Inserisci il nome del server corretto!!!
Cioè:l'indirizzo su cui prevedi di dare ai tuoi utenti l'accesso a Squirrelmail o qualsiasi altro servizio tramite apache sulla porta 443. Solo il dominio farà (DEVE ESISTERE IN DNS). Non dominio/webmail.
Se qualcosa è andato storto, elimina il certificato e ripeti questo passaggio.
Ora inserisci:
a2enmod ssl
a2enmod rewrite
a2enmod include
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/https
ln -s /etc/apache2/sites-available/https /etc/apache2/sites-enabled/https
ln -s /etc/squirrelmail/apache.conf /etc/apache2/sites-enabled/squirrelmail
Configura Ubuntu-Server 6.06 LTS come firewall/gateway per il tuo ambiente di piccole imprese - Pagina 4
Quindi modifica /etc/courier/imapd-ssl e cambia quanto segue:
TLS_CERTFILE=/etc/apache2/ssl/apache.pem
Ora fai lo stesso con il tuo /etc/courier/pop3d-ssl.
Ora modifica /etc/apache2/sites-available/default. La parte superiore deve essere modificata in modo che si legga:
NameVirtualHost *:80
<VirtualHost *:80>
Modifica anche /etc/apache2/sites-available/https, la parte superiore del file dovrebbe leggere:
NameVirtualHost *:443Modifica /etc/squirrelmail/apache.conf Dovrebbe apparire così:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
php_flag register_globals off
Options Indexes FollowSymLinks
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>
# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
# users will prefer a simple URL like http://webmail.example.com
#<VirtualHost 1.2.3.4>
# DocumentRoot /usr/share/squirrelmail
# ServerName webmail.example.com
#</VirtualHost>
# redirect to https when available (thanks [email protected])
#
# Note: There are multiple ways to do this, and which one is suitable for
# your site's configuration depends. Consult the apache documentation if
# you're unsure, as this example might not work everywhere.
#
<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
<Location /webmail>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</Location>
</IfModule>
</IfModule>
Ora assicurati che la riga DirectoryIndex in /etc/apache2/apache2.conf legga:
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml
Modifica /etc/apache2/ports.conf e aggiungi Listen 443:
Listen 80 Listen 443
Configura Ubuntu-Server 6.06 LTS come firewall/gateway per l'ambiente delle piccole imprese - Pagina 5
Ora fai in modo che squirrelmail parli la tua lingua. Se usi solo l'inglese puoi saltare l'ultima riga del file ovviamente.
Modifica /var/lib/locales/supported.d/local.
Dovrebbe assomigliare a questo:(se sei olandese, altrimenti regola come desideri). La cosa principale è abilitare la tua locale con il set di caratteri ISO-8859-1.
en_US.UTF-8 UTF-8 en_US.ISO-8859-1 ISO-8859-1 nl_NL.ISO-8859-1 ISO-8859-1
dpkg-reconfigure locales
Ora configuriamo postfix.
postconf -e 'mynetworks = 127.0.0.0/8, 192.168.1.0/24'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions =permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/apache2/ssl/apache.pem'
postconf -e 'smtpd_tls_cert_file = /etc/apache2/ssl/apache.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
postconf -e 'header_checks = regexp:/etc/postfix/header_checks'
postconf -e 'relayhost ='
postconf -e 'virtual_alias_domains = hash:/etc/postfix/virtual'
postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'
postconf -e 'smtp_never_send_ehlo = yes'
touch /etc/postfix/header_checks
touch /etc/postfix/virtual
Configura Ubuntu-Server 6.06 LTS come firewall/gateway per il tuo ambiente di piccole imprese - Pagina 6
Ora modifica etc/postfix/header_checks.
Dovrebbe assomigliare a questo:
/^Received:/ HOLD
cd /rootOra configura MailScanner.
chown postfix.postfix /var/spool/MailScanner/incoming
chown postfix.postfix /var/spool/MailScanner/quarantine
mkdir /var/spool/MailScanner/spamassassin
ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/spamassassin/mailscanner.cf
chown postfix.postfix /var/spool/MailScanner/spamassassin
Ora modifica /etc/MailScanner/MailScanner.conf e imposta le seguenti righe come mostrato:
Run As User = postfixDecommenta la riga # run_mailscanner=1 nel tuo /etc/default/mailscanner.
Run As Group = postfix
Queue Scan Interval = 120
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Virus Scanners = clamav
Always Include SpamAssassin Report = yes
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
Ora crea un cron job di /usr/sbin/check_mailscanner ed eseguilo ogni 20 minuti.
Ora inganneremo lo script di avvio di MailScanner. Questo è necessario perché MailScanner si rifiuta di iniziare, a causa di uno script mirato a exim, sospetto (non ho mai usato Exim, quindi non ne sono sicuro). Non voglio modificare lo script stesso, poiché potrebbe essere sostituito con un altro aggiornamento "non avviato" in futuro. Solo per sicurezza.
touch /etc/init.d/mailscanner_pre
Modifica /etc/init.d/mailscanner_pre. Dovrebbe assomigliare a questo:
#!/bin/sh
mkdir /var/lock/subsys
mkdir /var/lock/subsys/MailScanner
mkdir /var/run/MailScanner
chown postfix.postfix /var/run/MailScanner
chown postfix.postfix /var/lock/subsys/MailScanner
chmod 755 /etc/init.d/mailscanner_pre
mv /etc/rc2.d/S20mailscanner /etc/rc2.d/S99mailscanner
mv /etc/rc3.d/S20mailscanner /etc/rc3.d/S99mailscanner
mv /etc/rc4.d/S20mailscanner /etc/rc4.d/S99mailscanner
mv /etc/rc5.d/S20mailscanner /etc/rc5.d/S99mailscanner
ln -s /etc/init.d/mailscanner_pre /etc/rc2.d/S20mailscanner_pre
chown postfix.postfix /var/spool/MailScanner
chown postfix.postfix /var/lib/MailScanner
Questo dovrebbe fare il trucco ora, non sei d'accordo?
Configura Ubuntu-Server 6.06 LTS come firewall/gateway per il tuo ambiente di piccole imprese - Pagina 7
Ora configura l'autenticazione sasl.
mkdir -p /var/spool/postfix/var/run/saslauthd
Ora dobbiamo modificare /etc/default/saslauthd. Dovrebbe assomigliare a questo:
# This needs to be uncommented before saslauthd will be run automatically START=yes PARAMS="-m /var/spool/postfix/var/run/saslauthd -r" # You must specify the authentication mechanisms you wish to use. # This defaults to "pam" for PAM support, but may also include # "shadow" or "sasldb", like this: # MECHANISMS="pam shadow" MECHANISMS="pam"Quindi modifica /etc/init.d/saslauthd e cambia la posizione del file PID di saslauthd. Cambia il valore di PIDFILE in /var/spool/postfix/var/run/${NAME}/saslauthd.pid, in modo che legga:
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid" Ora popola il tuo sistema con utenti reali. Imposta la shell degli utenti su /bin/false per evitare falle di sicurezza.
Quindi riempi /etc/postfix/virtual come preferisci. Amo Webmin per questo. Ovviamente puoi anche modificarlo direttamente. Tuttavia, webmin fa un ottimo lavoro.
Gotcha!:"some.domain" ecc. non può essere uguale a nulla menzionato nella riga "mydestination" in
/etc/postfix/main.cf
Il mio /etc/postfix/virtual ha la seguente struttura:
some.domain virtual domain some.other.domain virtual domain some.really.other.domain virtual domain [email protected] user [email protected] otheruser [email protected] user [email protected] otheruser [email protected] user [email protected] someoneidontlike [email protected] someoneidontlike [email protected] [email protected] differentuser [email protected] someoneidontlike @some.really.other.domain someonidontlike [email protected]e così via. Quindi devo solo impostare un alias per root e postmaster in /etc/aliasesTutti gli altri alias dovrebbero essere in questo file. Anche l'inoltro e la consegna della posta a più indirizzi e quindi fort può (e dovrebbe, credo) essere impostato in questo file.
Nota che in questo tipo di configurazione i tuoi utenti possono avere tutti gli alias che vogliono (fino a quando non ti stanchi di loro), ma per ogni utente devi comunque aggiungere un utente reale, con una home directory.
Non dimenticare di fare
postmap /etc/postfix/virtual
quando hai finito.
Ora vogliamo alcune regole per spamassassin per fare un lavoro migliore.
Prima modifica /etc/MailScanner/spam.assassin.prefs.conf.
Commenta dcc_path /usr/bin/dccproc. Commenta anche razor_timeout 10 e
segna RCVD_IN_RSL 0.
Avanti:
cd ..
wget http://www.fsl.com/support/Rules_Du_Jour.tar.gz
tar -zxvf Rules_Du_Jour.tar.gz
cd rules_du_jour
mkdir /etc/rulesdujour
cp config /etc/rulesdujour/config
cp rules_du_jour /usr/bin
cp rules_du_jour_wrapper /etc/cron.daily
/etc/cron.daily/rules_du_jour_wrapper
Quindi configuriamo il server DHCP.
Modifica /etc/dhcp3/dhcpd.conf. Il mio ora si presenta così:
# Local Network
subnet 192.168.1.0 netmask 255.255.255.0 {
option netbios-name-servers 192.168.1.1;
option domain-name-servers 192.168.1.1;
option domain-name "your.domain.here";
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
range 192.168.1.100 192.168.1.130;
} Modifica /etc/default/dhcp3-server. Dovrebbe leggere
INTERFACES=eth1
Avanti:
/etc/init.d/dhcp3-server start
Quindi installa dcc dal sorgente
cd /root
wget http://www.dcc-servers.net/dcc/source/dcc.tar.Z
gunzip dcc.tar.Z
tar -xvf dcc.tar
cd dcc*
./configure
make
make install
shutdown -r now
e aspetta che sia di nuovo attivo.
Configura Ubuntu-Server 6.06 LTS come firewall/gateway per il tuo ambiente di piccole imprese - Pagina 8
Ora devi inviare a ciascun utente reale un messaggio di benvenuto, creando così le strutture di Maildir iniziali nelle loro home directory necessarie per poter accedere ai propri account. Puoi usare il modulo postfix di webmin per questo. Non c'è bisogno di inviare nulla ai loro alias. Potresti voler utilizzare un account e-mail esterno per inviare quei messaggi di benvenuto, tuttavia, dovrai prima aprire la porta 25 nel tuo firewall per farlo, come mostrato in questa pagina del tutorial.
Nota che dovrai inviare un messaggio anche a ogni nuovo utente aggiunto dopo questa configurazione iniziale, ovviamente.
Il tuo Webmail Server si trova su https://tuo.dominio/webmail (invia prima quei messaggi!)
Munin è su http://tuo.dominio/munin
Webmin è su https://tuo.dominio:10000
Se non hai impostato alcun dominio, usa https://192.168.1.1/webmail ecc.
Check that you can log in to your webmail and actually send and receive mail within your local network. If you're satisfied, open port 25 on your firewall for incoming tcp traffic (postfix) and port 6277 for incoming udp traffic (dcc). You may wish to make your webmail server availableto your users from the outside world. Open port 443 for incoming tcp traffic as well (apache ssl). Opening port 993 is also a good idea for incoming tcp connections, as it facilitates imaps.
My /etc/shorewall/rules now looks like this:(just to begin with, all firewall settings shown in this article are just ment to get you up and running, you might want to adjust these settings once you are done!)
#############################################################################################################Restart the firewall:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 993
ACCEPT net $FW udp 6277
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT $FW net
ACCEPT $FW net all
ACCEPT $FW loc all
ACCEPT loc $FW all
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/init.d/shorewall restart
Next do:
/var/dcc/libexec/updatedcc
Now we configure your VPN Server.
Edit /etc/pptpd.conf. It should look like this now:
###############################################################################
# $Id: pptpd.conf 4255 2004-10-03 18:44:00Z rene $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
###############################################################################
# TAG: ppp
# Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd
# TAG: option
# Specifies the location of the PPP options file.
# By default PPP looks in '/etc/ppp/options'
#
option /etc/ppp/pptpd-options
# TAG: debug
# Turns on (more) debugging to syslog
#
#debug
# TAG: stimeout
# Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10
# TAG: noipparam
# Suppress the passing of the client's IP address to PPP, which is
# done by default otherwise.
#
#noipparam
# TAG: logwtmp
# Use wtmp(5) to record client connections and disconnections.
#
logwtmp
# TAG: bcrelay <if>
# Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1
# TAG: localip
# TAG: remoteip
# Specifies the local and remote IP address ranges.
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses seperated by commas or you can
# specify ranges, or both. For example:
#
# 192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than MAX_CONNECTIONS, it will
# start at the beginning of the list and go until it gets
# MAX_CONNECTIONS IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
# you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
# be set to the given one. You MUST still give at least one remote
# IP for each simultaneous client.
#
# (Recommended)
localip 192.168.1.1
remoteip 192.168.1.10-30
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
Next edit /etc/ppp/options.It should look like this:
asyncmap 0
noauth
lock
hide-password
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx
Edit /etc/ppp/pptpd-options. It should look like this:
###############################################################################
# $Id: pptpd-options 4643 2006-11-06 18:42:43Z rene $
#
# Sample Poptop PPP options file /etc/ppp/pptpd-options
# Options used by PPP when a connection arrives from a client.
# This file is pointed to by /etc/pptpd.conf option keyword.
# Changes are effective on the next connection. See "man pppd".
#
# You are expected to change this file to suit your system. As
# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
###############################################################################
# Authentication
# Name of the local system for authentication purposes
# (must match the second field in /etc/ppp/chap-secrets entries)
name pptp-vpn
# Optional: domain name to use for authentication
# domain mydomain.net
# Strip the domain prefix from the username before authentication.
# (applies if you use pppd with chapms-strip-domain patch)
#chapms-strip-domain
# Encryption
# Debian: on systems with a kernel built with the package
# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
# Network and Routing
# If pppd is acting as a server for Microsoft Windows clients, this
# option allows pppd to supply one or two DNS (Domain Name Server)
# addresses to the clients. The first instance of this option
# specifies the primary DNS address; the second instance (if given)
# specifies the secondary DNS address.
# Attention! This information may not be taken into account by a Windows
# client. See KB311218 in Microsoft's knowledge base for more information.
#ms-dns 10.0.0.1
ms-dns 192.168.0.1
# If pppd is acting as a server for Microsoft Windows or "Samba"
# clients, this option allows pppd to supply one or two WINS (Windows
# Internet Name Services) server addresses to the clients. The first
# instance of this option specifies the primary WINS address; the
# second instance (if given) specifies the secondary WINS address.
#ms-wins 10.0.0.3
ms-wins 192.168.0.1
# Add an entry to this system's ARP [Address Resolution Protocol]
# table with the IP address of the peer and the Ethernet address of this
# system. This will have the effect of making the peer appear to other
# systems to be on the local ethernet.
# (you do not need this if your PPTP server is responsible for routing
# packets to the clients -- James Cameron)
proxyarp
# Debian: do not replace the default route
nodefaultroute
# Logging
# Enable connection debugging facilities.
# (see your syslog configuration for where pppd sends to)
#debug
# Print out all the option values which have been set.
# (often requested by mailing list to verify options)
#dump
# Miscellaneous
# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
# access.
lock
# Disable BSD-Compress compression
nobsdcomp
auth
Next, edit /etc/ppp/chap-secrets. It should look like this:
# Secrets for authentication using CHAP # client server secret IP addresses user pptp-vpn abcdefg "*"Now do:
/etc/init.d/pptpd restart
You must be able now to setup a vpn connection to your new server from the inside of your firewall as "user" with password "abcdefg" (without the quotes) Change this initial username and password and add some users, if you like. Maybe you'll have to reboot some machines to make it work.
Now open your firewall for incoming vpn connections. To do this, set your /etc/shorewall/rules as shown.
My /etc/shorewall/rules at this time:
#############################################################################################################To complete this step, do:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net $FW tcp 25
ACCEPT net $FW tcp 443
ACCEPT net $FW tcp 993
ACCEPT net $FW udp 6277
DNAT net fw:192.168.1.1 tcp 1723
DNAT net fw:192.168.1.1 47
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT $FW net
ACCEPT $FW net all
ACCEPT $FW loc all
ACCEPT loc $FW all
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/init.d/shorewall restart
So now your customers will be able to do their (computer network related) job at home as well.
Note, that this only makes sense when your server has a reliable broadband connection to the internet, which in The Netherlands is the defacto standard, even for very tiny offices and most home addresses. In this respect we are way ahead of the rest of the world.
Now edit your /etc/MailScanner/spam.assassin.prefs.conf and add the following lines at the bottom:
score RCVD_IN_SORBS_WEB 10
score RCVD_IN_WHOIS_INVALID 10
score RCVD_IN_WHOIS_BOGONS 10
score RCVD_IN_NJABL_PROXY 10
score RCVD_IN_DSBL 10
score RCVD_IN_XBL 10
score RCVD_IN_BL_SPAMCOP_NET 10
score RCVD_IN_SORBS_DUL 10
score SARE_LWSYMFMT 3
score SARE_MLB_Stock4 3
score SARE_BAYES_5x8 3
score SARE_BAYES_6x8 3
score URIBL_SC_SURBL 10
score URIBL_WS_SURBL 10
score URIBL_PH_SURBL 10
score URIBL_OB_SURBL 10
score URIBL_AB_SURBL 10
score URIBL_JP_SURBL 10
score URIBL_SBL 10
score ALL_TRUSTED 0
Now clean your /root directory. That's where all the downloads went.
Samba is installed. As every setup of Samba is unique, I can't help you out here. Don't know how to do it? This is a good starting point.
To complete all of this, do:
/etc/init.d/mailscanner restart
Now watch the spam reports in the headers of incoming mail (but make sure your users agree to this, as you will be violating some postal and maybe other laws) to adjust the last edit (and add some) to make it work as you like. Especially false negatives and even more false positives should draw your attention. When you are done you may wish to send most spam, if not all, to /dev/null.
Make this spy yob easy:Create a special account to which you send a copy of all mail handled by your server. Let's assume you create this user and call it "spy" (without quotes) and you have given spy a line in /etc/postfix/virtual, (like "[email protected] spy", without quotes). Next do:
postmap /etc/postfix/virtual
Now send spy a welcome message, as a rule of thumb, and check that spy's account is fully operational. Next do:
postconf -e 'always_bcc = spy'
DONE!