SQUID/SQUIDGUARD with NTLM/LDAP authentication
and log analysis with SARG

Written: 12/2007
Last update: 12/2007


- Scenario
- Packages used
- Network & system configuration
- Time synchronisation
- Kerberos configuration
- Samba/winbind configuration
- Common errors
- winbind test
- Kerberos test
- NTLM test
- Squid configuration
- Log configuration
- squidGuard filtering configuration

-------------------------------------------------


Scenario:
---------

in1.isec.lan => PC running Windows 2003 Server as the domain controller
vsrv1.isec.lan => PC running CentOS 5 with Squid

Packages used here:
-------------------

NTP: ntp-4.2.2p1-7.el5
SAMBA: samba-3.0.23c-2.el5.2.0.2
KERBEROS: Kerberos client


[root@vsrv1 samba]# smbpasswd -j ISEC -r srvwin1 -U Administrateur

Network & system configuration:
-------------------------------


resolv.conf file:
-----------------

search isec.lan
nameserver 192.168.2.209


hosts file:
-----------

127.0.0.1       localhost
192.168.2.210   vsrv1.isec.lan  vsrv1

Check:
------

[root@vsrv1 samba]# ping srvwin1.isec.lan
[root@vsrv1 samba]# ping isec.lan
PING isec.lan (192.168.2.209) 56(84) bytes of data.
64 bytes from srvwin1 (192.168.2.209): icmp_seq=1 ttl=128 time=1.66 ms
64 bytes from srvwin1 (192.168.2.209): icmp_seq=2 ttl=128 time=0.946 ms

Time synchronisation:
---------------------


The server must have the same time as the domain controller, otherwise the join will not work. Install ntp if it is not already there:
[root@vsrv1 samba]# yum install ntp
[root@vsrv1 samba]# ntpdate ntp.free.fr
[root@vsrv1 samba]# hwclock -w
[root@vsrv1 samba]# clock

Kerberos configuration:
-----------------------

/etc/krb5.conf
[libdefaults]
        default_realm = ISEC.LAN
        clock_skew = 300
        ticket_lifetime = 24000
        forwardable = yes

        default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
        default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
        preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        ISEC.LAN = {
                kdc = srvwin1.isec.lan
                admin_server = srvwin1.isec.lan:749
                default_domain = ISEC.LAN
                }
[domain_realm]
        .isec.lan = ISEC.LAN
        isec.lan = ISEC.LAN

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Samba/winbind configuration:
----------------------------

[root@vsrv1 ~]# vim /etc/samba/smb.conf

[global]
workgroup=ISEC
realm = ISEC.LAN


netbios name=VSRV1
security = ADS
log file = /var/log/samba/%m.log
max log size = 50

password server = srvwin1.isec.lan
encrypt passwords = yes

domain master = no
domain logons = no
dns proxy = no

os level = 17

idmap uid = 10000-20000
idmap gid = 10000-20000

winbind use default domain = yes
winbind separator = /
winbind enum users = yes
winbind enum groups = yes

Common errors:
--------------

- Clock skew between the local time and the domain controller's:
[root@vsrv1 samba]# net ads join -U Administrateur
Administrateur's password:
[2007/11/30 05:02:24, 0] libsmb/cliconnect.c:cli_session_setup_spnego(776)
  Kinit failed: Clock skew too great
Failed to join domain!

- No DNS resolution in Kerberos:

[root@vsrv1 samba]# net ads join -U Administrateur
Administrateur's password:
[2007/11/30 05:01:48, 0] libads/kerberos.c:ads_kinit_password(208)
  kerberos_kinit_password Administrateur@ISEC.LAN failed: Cannot find KDC for requested realm
[2007/11/30 05:01:48, 0] utils/net_ads.c:ads_startup(281)
  ads_connect: Cannot find KDC for requested realm

- Wait a few seconds or retry the net ads join command:

 Client not found in Kerberos database

- Problem with winbind:

/usr/lib/squid/wb_group test
/wb_group[11672](wb_check_group.c:308): Can't contact winbindd. Dying
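The three failures above can be caught before running net ads join. The script below is an added example (not from the original page): it reads the kdc from /etc/krb5.conf, compares the clock offset to that host against the clock_skew of 300 seconds set in krb5.conf, checks that the KDC name resolves, and pings winbindd. It assumes the domain controller answers NTP queries (a Windows DC does, through W32Time) and that ntpdate, getent and wbinfo are installed.

```sh
#!/bin/sh
# Pre-join checks for the errors listed above (added example, not from the page).
MAX_SKEW=300    # seconds; must match clock_skew in /etc/krb5.conf

# Print the first "kdc = host" value from krb5.conf text read on stdin.
kdc_from_krb5conf() {
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# $1 = output of "ntpdate -q <server>"; print the offset in seconds from its
# "server ..., stratum N, offset X, delay Y" line (empty if no such line).
ntp_offset() {
    printf '%s\n' "$1" | sed -n 's/^server .*offset \([-0-9.]*\),.*/\1/p' | head -n 1
}

# $1 = offset in seconds (may be negative or empty), $2 = allowed maximum.
# Succeeds only when the offset is known and |offset| <= maximum.
skew_ok() {
    [ -n "$1" ] || return 1
    awk -v o="$1" -v m="$2" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

# Run the live checks in the order the join would hit the errors.
prejoin_checks() {
    kdc=$(kdc_from_krb5conf < /etc/krb5.conf)
    [ -n "$kdc" ] || { echo "no kdc = ... line in /etc/krb5.conf"; return 1; }
    getent hosts "$kdc" > /dev/null || {
        echo "KDC $kdc does not resolve: check /etc/resolv.conf"; return 1; }
    off=$(ntp_offset "$(ntpdate -q "$kdc" 2>&1)")
    skew_ok "$off" "$MAX_SKEW" || {
        echo "clock offset '${off:-unknown}' s to $kdc exceeds ${MAX_SKEW} s: run ntpdate first"; return 1; }
    wbinfo -p > /dev/null 2>&1 || {
        echo "winbindd not reachable: service winbind start"; return 1; }
    echo "time, KDC resolution and winbindd OK: ready for net ads join"
}

# Only run the live checks when invoked as "sh prejoin.sh --check".
if [ "${1:-}" = "--check" ]; then
    prejoin_checks
fi
```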


Kerberos test:
--------------

[root@vsrv1 samba]# kinit Administrateur@ISEC.LAN -V
Password for Administrateur@ISEC.LAN:
Authenticated to Kerberos v5
[root@vsrv1 samba]#

[root@vsrv1 samba]# kinit bba
Password for bba@ISEC.LAN:
[root@vsrv1 samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bba@ISEC.LAN

Valid starting     Expires            Service principal
12/04/07 15:16:17  12/04/07 21:56:17  krbtgt/ISEC.LAN@ISEC.LAN

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@vsrv1 samba]#

winbind test:
-------------


wbinfo -g
wbinfo -u
wbinfo -p

Ping to winbindd succeeded on fd 4

wbinfo -t
checking the trust secret via RPC calls succeeded


LINK:

http://wiki.squid-cache.org

[root@vsrv1 ~]# net ads join -U Administrateur
Administrateur's password:
Using short domain name -- ISEC
Joined 'VSRV1' to realm 'ISEC.LAN'
[root@vsrv1 ~]#



Unable to join the domain:
--------------------------

https://bugzilla.samba.org/show_bug.cgi?id=4497

[root@vsrv1 ~]# net ads join -U Administrateur
Administrateur's password:
Using short domain name -- ISEC
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'VSRV1' in realm 'ISEC.LAN'
[root@vsrv1 ~]#

NTLM test:
----------


[root@vsrv1 ~]# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
usertest password2007
OK

Squid configuration:
--------------------


/etc/squid/squid.conf

visible_hostname myproxy
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

##################################################################
#Squid guard :
##################################################################
redirect_rewrites_host_header on
redirect_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
redirect_children 10

##################################################################
#Proxy authentication setup with NTLM
##################################################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 5 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 30
auth_param basic credentialsttl 4 hours
# one realm line only: Squid keeps the last one it reads
auth_param basic realm WebProxy-ISEC
auth_param basic casesensitive off

authenticate_ttl        1 hour
authenticate_ip_ttl 60 seconds

external_acl_type NT_global_group %LOGIN /usr/lib/squid/wbinfo_group.pl

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

##################################################################
#Proxy ACLs
##################################################################
acl groupe_low external NT_global_group GRPaccesInternet
acl NTLMUsers proxy_auth REQUIRED

acl all src 0.0.0.0/0.0.0.0
acl ftp_proto port 21

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

#acl intranet src 192.168.2.0/255.255.255.0

acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

##################################################################
#Give HTTP Access
##################################################################
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# the external ACL is named groupe_low; GRPaccesInternet is its argument, not an ACL name
http_access allow groupe_low
http_access deny !NTLMUsers
#http_access allow intranet
http_access deny all

http_reply_access allow all

coredump_dir /var/spool/squid
cache_effective_user squid
cache_effective_group squid

logfile_rotate 1
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none

maximum_object_size 8192 KB
minimum_object_size 0 KB
cache_dir diskd /var/cache/squid 4096 16 256

log_fqdn on

cache_mem 8 MB
memory_pools off
buffered_logs on
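What the helper on the external_acl_type line does, as an added example (this is not the page's wbinfo_group.pl): for each lookup Squid writes one line, the %LOGIN of the user followed by the group names given on the acl line (here GRPaccesInternet), and expects OK or ERR back. The user_groups table is constructed for the example; a real helper replaces it with a winbind lookup, for instance id -Gn on a host whose nsswitch uses winbind.

```sh
#!/bin/sh
# Squid external ACL helper, same protocol as wbinfo_group.pl (added example).
# Input line from Squid:  <login> <group> [<group> ...]   (%LOGIN + acl arguments)
# Reply to Squid:         OK if the login belongs to any listed group, else ERR

# Groups of a login, one per line. CONSTRUCTED table for this example; a real
# helper would run a winbind lookup here, e.g.  id -Gn "$u" | tr ' ' '\n'
user_groups() {
    u=${1#*/}            # "ISEC/bba" -> "bba": winbind separator = / in smb.conf
    case "$u" in
        bba)      printf '%s\n' "domain users" "GRPaccesInternet" ;;
        usertest) printf '%s\n' "domain users" ;;
        *)        return 1 ;;                  # unknown login
    esac
}

# $1 = login as passed by Squid, $2.. = group names from the acl line.
# Prints OK or ERR; group names are compared case-insensitively, as AD does.
check_membership() {
    login=$1; shift
    memberof=$(user_groups "$login") || { echo ERR; return 0; }
    for g in "$@"; do
        if printf '%s\n' "$memberof" | grep -Fxqi -- "$g"; then
            echo OK; return 0
        fi
    done
    echo ERR
}

# Helper main loop: one request per line on stdin, one reply per line on stdout.
helper_loop() {
    while read -r login rest; do
        # $rest is deliberately unquoted so it splits into the group names
        check_membership "$login" $rest
    done
}

# Serve Squid only when started with --serve, so the file can also be sourced.
if [ "${1:-}" = "--serve" ]; then
    helper_loop
fi
```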

Squid tuning:
-------------


maximum_object_size 25 MB
cache_dir ufs /var/cache/squid 4096 16 256
authenticate_ttl 6 hour
buffered_logs on
memory_pools off
cache_mem 100 MB


SQUID configuration for LDAP
----------------------------


SQUID can be used with LDAP rather than NTLM.
- This can cause problems, notably for authentication, because LDAP mode prompts for credentials for each browser instance.
- First, work out the correct LDAP queries so that the SQUID server can be configured with the ldap commands.


ldapsearch -x -D "cn=vsrv1,cn=Users,dc=mon,dc=domaine,dc=fr" -W -LLL -b "dc=mon,dc=domaine,dc=fr" -h srvwin1.isec.lan

- Once queries against the AD LDAP directory work, the script SQUID uses for authentication can be tested, for example:
# /usr/lib/squid/squid_ldap_auth \
-b "cn=users,dc=mon,dc=domaine,dc=fr" \
-D "cn=Administrateur,cn=Users,dc=mon,dc=domaine,dc=fr" \
-w "motdepasse" \
-f "(&(sAMAccountName=%s)(objectClass=person))" srvwin1.isec.lan

usertest password2007
OK


On the squid.conf side:
-----------------------


Just replace the following lines (the helper is squid_ldap_auth on CentOS, as used above; the trailing backslashes continue the line):

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=mon,dc=domaine,dc=fr" \
  -D "cn=Administrateur,cn=Users,dc=mon,dc=domaine,dc=fr" -w "motdepasseadmin" \
  -f sAMAccountName=%s -h adresse-ip-du-serveur-ad


external_acl_type InetGroup ttl=10 %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=mon,dc=domaine,dc=fr" \
  -D "cn=Administrateur,cn=Users,dc=mon,dc=domaine,dc=fr" -w "motdepasseadmin" \
  -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Users,dc=mon,dc=domaine,dc=fr))" -h adresse-ip-du-serveur-ad


acl InetAccess external InetGroup internet


Log configuration:
------------------


Edit the file and adapt it to your logging policy:
#  /etc/logrotate.d/squid

/var/log/squid/access.log {
    weekly
    dateext
    rotate 365
    size=30M
    copytruncate
    compress
    notifempty
    missingok
}
/var/log/squid/cache.log {
    weekly
    rotate 99
    copytruncate
    compress
    notifempty
    missingok
}
/var/log/squid/store.log {
    weekly
    rotate 99
    copytruncate
    compress
    notifempty
    missingok
# This script asks squid to rotate its logs on its own.
# Restarting squid is a long process and it is not worth
# doing it just to rotate logs
    postrotate
      /usr/sbin/squid -k rotate
    endscript
}


squidGuard filtering configuration
----------------------------------
This part is optional; it filters the web traffic going through the proxy, so certain sites can be blocked by category.
The filter databases are provided by the University of Toulouse.


- squidGuard is configured through: /etc/squid/squidguard.conf

- Before using squidGuard, the databases must be compiled with the executable's -C option.


#
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /etc/squid/blacklists
logdir /var/log/squidguard
source LAN {
        ip  192.168.2.0/24
}
destination adult {
        urllist         adult/urls
        domainlist      adult/domains
}
destination agressif {
        urllist         agressif/urls
        domainlist      agressif/domains
}
destination astrology {
        urllist         astrology/urls
        domainlist      astrology/domains
}
#destination audio-video {
#       urllist         audio-video/urls
#       domainlist      audio-video/domains
#}
#destination blog {
#       urllist         blog/urls
#       domainlist      blog/domains
#}
destination cleaning {
        urllist         cleaning/urls
        domainlist      cleaning/domains
}
destination dangerous_material {
        urllist         dangerous_material/urls
        domainlist      dangerous_material/domains
}
destination dating {
        urllist         dating/urls
        domainlist      dating/domains
}
destination drogue {
        urllist         drogue/urls
        domainlist      drogue/domains
}
destination filehosting {
        urllist         filehosting/urls
        domainlist      filehosting/domains
}
destination forums {
        urllist         forums/urls
        domainlist      forums/domains
}
destination liste_bu {
        urllist         liste_bu/urls
        domainlist      liste_bu/domains
}
destination marketingware {
        urllist         marketingware/urls
        domainlist      marketingware/domains
}
destination mixed_adult {
        urllist         mixed_adult/urls
        domainlist      mixed_adult/domains
}
destination mobile-phone {
        urllist         mobile-phone/urls
        domainlist      mobile-phone/domains
}
destination phishing {
        urllist         phishing/urls
        domainlist      phishing/domains
}
destination publicite {
        urllist         publicite/urls
        domainlist      publicite/domains
}
destination radio {
        urllist         radio/urls
        domainlist      radio/domains
}
destination reaffected {
        urllist         reaffected/urls
        domainlist      reaffected/domains
}
destination redirector {
        urllist         redirector/urls
        domainlist      redirector/domains
}
destination sexual_education {
        urllist         sexual_education/urls
        domainlist      sexual_education/domains
}
destination shopping {
        urllist         shopping/urls
        domainlist      shopping/domains
}
destination strict_redirector {
        urllist         strict_redirector/urls
        domainlist      strict_redirector/domains
}
destination strong_redirector {
        urllist         strong_redirector/urls
        domainlist      strong_redirector/domains
}
destination tricheur {
        urllist         tricheur/urls
        domainlist      tricheur/domains
}
destination warez {
        urllist         warez/urls
        domainlist      warez/domains
}
destination webmail {
        urllist         webmail/urls
        domainlist      webmail/domains
}
destination games {
        urllist         games/urls
        domainlist      games/domains
}
destination gambling {
        urllist         gambling/urls
        domainlist      gambling/domains
}
destination hacking {
        urllist         hacking/urls
        domainlist      hacking/domains
}
acl {

        default {
                pass !adult !agressif !drogue !forums !hacking !mixed_adult !publicite !warez all
                #redirect http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
                redirect http://srvcnx/indispo
        }
        #default {
                #redirect http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
        #       redirect http://srvcnx/indispo
        #       pass none
        #}
}
#End of squidguard.conf


------------------------------------
squidguard_update_db.sh
------------------------------------


To work, SquidGuard needs filter databases; the following script downloads them over FTP and compiles them for squidGuard.
The script can be put in the crontab and run every month, for example.


#!/bin/sh
TMP_PATH_DOWNLOAD_BLACKLIST='/tmp/'
#URL_BLACKLIST_FILE='http://192.168.2.242/blacklists.tar.gz'
URL_BLACKLIST_FILE='ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz'
BLACKLIST_PATH='/etc/squid/'

#Stop squid service :
echo "Start squidguard db update, try to stop squid service ..."
service squid stop > /dev/null

#Go to download directory :
cd $TMP_PATH_DOWNLOAD_BLACKLIST
#If tmp tgz file exists delete it :
if [ -f $TMP_PATH_DOWNLOAD_BLACKLIST'blacklists.tar.gz' ] ; then
        rm $TMP_PATH_DOWNLOAD_BLACKLIST'blacklists.tar.gz'
fi

#Download it :
echo "Download and extract squidGuard db ..."
wget -q $URL_BLACKLIST_FILE > /dev/null
#Delete old entries from tmp folder :
rm -rf $TMP_PATH_DOWNLOAD_BLACKLIST'blacklists'
#Uncompress in tmp dir, it'll create a new /tmp/blacklists.
#The live blacklists are only replaced when the download AND the extraction
#succeeded; otherwise the previous ones are kept and squid restarts with them.
if [ -f $TMP_PATH_DOWNLOAD_BLACKLIST'blacklists.tar.gz' ] && tar xzf blacklists.tar.gz ; then

        #Go to squidguard db directory and clean old blacklists :
        cd $BLACKLIST_PATH
        rm -rf $BLACKLIST_PATH'blacklists'

        #Move folder blacklists to squid folder :
        cd $TMP_PATH_DOWNLOAD_BLACKLIST
        mv blacklists $BLACKLIST_PATH

        #Create squidGuard db files :
        echo "Start squidGuard db generation it can take few minutes ..."
        cd $BLACKLIST_PATH
        squidGuard -C all

        #Set directory rights (squid runs the redirector as cache_effective_user squid) :
        chown -R squid blacklists/
        chmod -R 760 blacklists/
        echo "Generation is finished, start squid service !"
else
        echo "Download or extraction failed, keeping the previous blacklists."
fi
#Start squid service :
service squid start > /dev/null
© Bastien Barbe 2008