Conheotiensinh

Setting Up A High-Availability Load Balancer With HAProxy/Pfsense 2.0.1

2011-12-26T10:11:00.019+07:00

I/Overview

II/Intro

As lastest document.I give you how to config haproxy on Pfsense 2.0.1.Now I will intro to you how to Setting Up A High-Availability Load Balancer With HAProxy/Pfsense 2.0.1

III/Setting

1/Install haproxy on pfsense as http://conheotiensinh.blogspot.com/2011/12/config-haproxy-with-pfsense-version-201.html
2/Configuring CARP firewall failover

2.1/On both machines, add a firewall to allow all traffic on the SYNC interface:

a. Browse to Firewall | Rules.
b. Click the SYNC Interface tab.
c. Click the "plus" button to add a new firewall rule.
d. Set Protocol to any.

e. Save the changes.
f. Apply changes, if necessary.

2.2/On the backup-pfsense machine, we need to enable CARP synchronization and
configure it as a backup only:

a. Browse to Firewall | Virtual IPs .
b. Click the CARP Settings tab.
c. Check Synchronize Enabled.
d. Set Synchronize Interface to SYNC.

e. Save the changes.
f. We have now finished configuring the backup firewall.

2.3/On the primary-pfsense machine, we need to enable CARP synchronization and
configure it to act as the primary firewall:

a. Br owse to Firewall | Virtual IPs .
b. Click the CARP Settings tab.
c. Check Synchronize Enabled.
d. Set Synchronize Interface to SYNC.

e. Check Synchronize rules
f. Check Synchronize nat
g. Check Synchronize Virtual IPs
h. Set Synchronize to IP to the IP address of backup-pfsense
i. Set Remote System Password to the password of backup-pfsense
j Save the changes

2.4/We must now configure a virtual IP address for the WAN interface on the primary-pfsense machine:

a. Browse to Firewall | Virtual IPs .
b. Click the Virtual IPs tab.
c. Click the "plus" button to add a new virtual IP.
d. Set the Type to CARP.
e. Set the Interface to WAN.
f. Set the IP Address to the single WAN address that will be used throughout
your systems, regardless of whether the primary or backup firewall is in
effect.
g. Create a Virtual IP Password.
h. Leave the VHID Group set to 1.
i. Leave the Advertising Frequency at 0.
j. Add a Description

k.Save the changes
l.Apply changes, if necessary

3/config Sync HAProxy configuration

3.1/On the backup-pfsense machine we need check Sync HAProxy configuration to backup CARP members via XMLRPC.

3.2/On the primary-pfsense machine,we need check Sync HAProxy configuration to backup CARP members via XMLRPC and setting for sync config HaProxy

Now we can config haproxy in primary-Pfsense and it auto sync to backup -Pfsense

Thanks and Best Regards

quan.hoa@conheotiensinh.co.cc

Config HAPROXY with PFSENSE version 2.0.1

2011-12-23T11:02:00.028+07:00

Merry Christmas and Happy New Year

I/Intro

As the previous Document about Haproxy , I have explained how to configure a command line .Now with version 2.0.1 pfsense support config haproxy lastest version(1.4.8) via web interface( config easier).although it can not configure advanced features of haproxy through the web interface.

II/Install

1/Install pfsense 2.0.1

2/Install haproxy (The package is available to install from System -> Packages)

3/After Install done We configure Haproxy(Services -> Haproxy)click tab Setting and configure as image

4/Config with ip info:192.168.44.150(Haproxy),192.168.44.130(apache),192.168.44.131(nginx)

III/Config Haproxy

1/config Frontend for haproxy

2/Config Backend for haproxy

a/config server A

b/config server B

3/Check status HAPROXY with URL:http://192.168.44.150/haproxy?stats

NOTE: You must add a firewall rule permitting access to frontend!

Thanks and Best Regards

quan.hoa@conheotiensinh.co.cc

Query Recipient Windows Active Directory directly

2010-08-23T09:14:00.005+07:00

I/Intro

As Document http://conheotiensinh.blogspot.com/2010/08/config-iredmail-as-mail-gatewayanti.html.I intro to you how to query recipients use Perl and after discusses with Zhang Huangbin and I promise with him.So today I will intro to you How to query recipient(real-time) Windows Active Directory directly.

II/Config

Step 1:Create /etc/postfix/ldap_user.cf with info:

server_host = 192.168.22.233 ##with 192.168.22.233 As Active Directory

search_base = dc=test, dc=vn

version = 3

query_filter = (&(objectclass=person)(mail=%s))

result_attribute = samaccountname

bind = yes

bind_dn = test\admin # Account use query Recipient.

bind_pw = 123 #pass use query Recipient

Step 2: change config in /etc/postfix/main.cf

relay_recipient_maps = hash:/etc/postfix/relay_recipients

relay_recipient_maps = ldap:/etc/postfix/ldap_user.cf

Step 3:restart Postfix

/etc/init.d/postfix restart

Thanks Zhang Huangbin for suggest and Contribute

Please let me know if you have question

quan.hoa@conheotiensinh.co.cc

Config Mail Gateway LINUX less than 5 minutes (Anti-spam, Mail Anti-virus,Greylisting).

2010-08-20T14:06:00.013+07:00

I/Intro

As previous document I intro to you Iredmail as mail server in linux with full-featured (/Postfix/Dovecot/Amavisd/ClamAV/SpamAssassin/RoundCube/iRedAdmin/

postfixadmin).But With this document I will intro iredmail as mail gateway(because By default iredmail config /Amavisd/ClamAV/SpamAssassin/greylisting for anti spam and mail anti-virus).

II/Install Iredmail

Install iredmail as normal But only choose phpmyadmin(for managed greylisting easier) and Awstats

III/Remove some services not use

Because we setup iredmail as Mail gateway so We not use some services:dovecot,pysieved

IV/Change some config

1/Edit /etc/postfix/main.cf

mydestination =

local_recipient_maps =

local_transport =error:local mail delivery disabled

relay_recipient_maps = hash:/etc/postfix/relay_recipients

relay_domains = test.vn

transport_maps = hash:/etc/postfix/transport

comments all line with mysql_* or ldap_*

2/ edit /etc/postfix/master.cf

comment line

#local unix - n n - - local

3/edit /etc/postfix/transport

test.vn smtp:192.168.22.233 #with 192.168.22.233(IP mail server backend as exchange...)

4/create /etc/postfix/relay_recipients

u1@test.vn OK

u2@test.vn OK

ug@test.vn OK

u3@test.vn OK

u4@test.vn OK

5/hashing Databases

postmap /etc/postfix/transport

postmap /etc/postfix/relay_recipients

V/Populating relay_recipients from Active Directory

Note that this script requires perl and Net::LDAP(you need install perl-ldap by yum). However, this does NOT have to be on your email gateway.

Download http://www-personal.umich.edu/~malth/gaptuning/postfix/getadsmtp.pl

Edit the script so that values below are correct:

$VALID = "/etc/postfix/relay_recipients";

$dc1="dc1.test.vn";

$dc2="dc2.test.vn";

$hqbase="cn=Users,dc=test,dc=vn";

$user="cn=user,cn=Users,dc=test,dc=vn";

$passwd="password";

If You have any problem script perl please send mail to quan.hoa@conheotiensinh.co.cc.I will edit for you

VI/Create Bash shell automatic update relay_recipients from Active directory

create bash shell /opt/ad.sh with info:

cd /etc/postfix ; ./getadsmtp.pl && /usr/sbin/postmap relay_recipients

/usr/sbin/postfix reload

use crontab run as your schedule

Beside you can use iredmail for multi domain(can get relay_recipients from Multi Active directory).

Thanks

quan.hoa@conheotiensinh.co.cc

Config cluster Load balancer layer 7 support SSL with Heatbeat,Nginx and Haproxy

2010-08-13T10:10:00.019+07:00

I/INTRO

As Document http://conheotiensinh.blogspot.com/2010/06/setting-up-high-availability-load.html.I config Haproxy load balance HTTPS with stunnel(It very easy for config and deploy).But with stunnel you can't detech IP source access to haproxy and Performance can't same as Nginx.So I will intro to you 1 solution resove this problem with Nginx as SSL Reverse Proxy,Heartbeat as cluster and haproxy load balance.

Nginx [engine x] is a HTTP and reverse proxy server, as well as a mail proxy server written by Igor Sysoev. It has been running for more than five years on many heavily loaded Russian sites including Rambler (RamblerMedia.com). According to Netcraft nginx served or proxied 4.70% busiest sites in April 2010. Here are some of success stories: FastMail.FM, Wordpress.com,sourceforge.net....

II/INSTALL

Step 1:config IP As image

Step 2:install haproxy by rpm packet(if you need install haproxy with last version 1.4.8.Please contact me with email:quan.hoa@conheotiensinh.co.cc,I will give it to you) or you can download Haproxy from http://rpm.pbone.net/

Step 3:install heartbeat as Document :http://conheotiensinh.blogspot.com/2010/04/deploy-cluster-iptables-usefwbuider-and.html

Step 4:Install Nginx by rpm packet(if you need install nginx with last version 0.7.67.Please contact me with email:quan.hoa@conheotiensinh.co.cc,I will give it to you) or you can download Nginx from http://rpm.pbone.net/

III/CONFIG

Step 1:config haproxy on both Server .You config as image

Step 2:Config heartbeat on both server as document http://conheotiensinh.blogspot.com/2010/04/deploy-cluster-iptables-usefwbuider-and.html

Step 3:config Nginx on both serve as image

Step 4:access haproxy status pages with url https://192.168.129.133/haproxy?stats

Step 5:stop Server 1 and access haproxy status page:

if you have question.Please contact me with email quan.hoa@conheotiensinh.co.cc

Thanks

quan.hoa@conheotiensinh.co.cc

LOADBALANCE WITH MULTI PPPoE INTERFACE IN PFSENSE 2.0

2010-08-06T10:34:00.017+07:00

I/Intro

Now pfsense release version 1.2.3 .It only support 1 interface use PPPoE.But with pfsense 2.0(Beta 4)you can use multi interface use PPPoE and Version 2.0 change config load balance outbound.So I will intro to you config multi interface use PPPoE.

II/Install Pfsense as previous Document

III/Config multi interface use PPPoE config as images

Note:you can create PPPoE Server for test this document with pfsense

IV/config load balance with pfsense

As previous version (1.2.3) you can config as http://conheotiensinh.blogspot.com/2009/10/multi-wan-load-balancing-outbound-use.html.But with pfsense version 2.0 load balance outbound change config.

step1:config gateway (system ->routing) config 2 gateway as images with 192.168.127.128 and 192.168.128.129 IP of PPPoe server (it will auto detect when connect via PPPoE)

step 2:config groups(system ->routing) change to Groups tab and create group as image

Step 3:view status of Gateway and Groups when 2 line connect

Step 4:Test disconnect 1 interface and view status

Step 5:create rule as image

Thanks

Conheotiensinh(quan.hoa@conheotiensinh.co.cc)

Setting Up A High-Availability Load Balancer HTTPS(With Failover and Session Support) With HAProxy/Keepalived/Stunnel

2010-06-01T09:28:00.010+07:00

I/INTRO

As this document http://conheotiensinh.blogspot.com/2010/05/setting-up-high-availability-load_14.html.I setup load balancer for HTTP in Haproxy.But Haproxy not support SSL(HTTPS) directly So I will intro config haproxy support SSL use stunnel(As haproxy site require need install Stunnel for support SSL(HTTPS...))

II/INSTALL

1/Install haproxy and keepalived as document:http://conheotiensinh.blogspot.com/2010/05/setting-up-high-availability-load_14.html

2/Install Stunnel

you need insert patch of haproxy to Stunnel packet(I build rpm packet with insert patch of haproxy.If you need it for install easy Please contact me with email:quan.hoa@conheotiensinh.co.cc)

3/Config Keepalived as document:

http://conheotiensinh.blogspot.com/2010/05/setting-up-high-availability-load_14.html

4/config Haproxy in both loadbalance

Edit /etc/haproxy/haproxy.cfg

stats enable

stats auth test:123

listen domain_cluster_https 192.168.236.130:80

mode http

balance roundrobin

cookie SERVERID insert nocache

option forwardfor except 192.168.236.130

option httpchk HEAD /check.txt HTTP/1.0

server server1 192.168.127.131:80 cookie A check

server server2 192.168.127.132:80 cookie B check

5/config Stunnel

Edit /etc/stunnel/stunnel.conf

cert = /etc/stunnel/monit.pem # you need install cert

;key = /etc/stunnel/mail.key

; Some security enhancements for UNIX systems - comment them out on Win32

;chroot = /var/run/stunnel/

setuid = root

setgid = root

; PID is created inside chroot jail

;pid = /stunnel.pid

pid = /etc/stunnel/stunnel.pid

;debug = 3

;output = /etc/stunnel/stunnel.log

; Some performance tunings

socket = l:TCP_NODELAY=1

socket = r:TCP_NODELAY=1

[https]

accept=192.168.236.130:443

connect=192.168.236.130:80

6/Test You can access web mail with URL:

https://192.168.236.130/mail

Check status HAPROXY with URL:https://192.168.236.130/haproxy?stats

Beside You can use another solution for this problem:

Use Pound for Reverse Proxy( SSL )and Haproxy for load balancer

Thanks

Setting Up A High-Availability Load Balancer(With Failover and Session Support) With HAProxy/Keepalived

2010-05-14T15:47:00.013+07:00

I/INTRO

As you know,We any solution for load load blancer in Linux as:

Pfsense:http://conheotiensinh.blogspot.com/2009/09/load-balance-and-cluster-failover.htmlOnly support layer 4(can't deploy with system need Login)

PEN:http://conheotiensinh.blogspot.com/2009/09/load-balance-web-server-use-pen.html

Pen is a very simple load balancer for TCP protocols. It supports source IP-based persistence for up to 2048 clients. Supports IP-based ACLs. Uses select() and supports higher loads than Pound but will not scale very well to thousands of simultaneous connections.

POUND:http://conheotiensinh.blogspot.com/2009/08/load-balance-web-server-using-pound.html

Pound can be seen as a complement to HAProxy. It supports SSL, and can direct traffic according to the requested URL. Its code is very small and will stay small for easy auditing. Its configuration file is very small too. However, it does not support persistence, and the performance associated to its multi-threaded model limits its usage to medium sites only.

Beside We can use Linux Virtual Servers (LVS),Pure Load Balancer (PLB)But with load balance support layer 7 But with me HAproxy best choice.HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer 7 processing. Supporting tens of thousands of connections is clearly realistic with todays hardware. Its mode of operation makes its integration into existing architectures very easy and riskless, while still offering the possibility not to expose fragile web servers to the Net.

II/INSTALL

For this howto I set up four Centos systems (minimal installation without gui etc.) with the following configuration:

Load Balancer 1

IP: 192.168.236.128(eth0) and 192.168.127.128(eth1) Shared IP: 192.168.236.130

Load Balancer 2

IP: 192.168.236.129 192.168.127.129(eth1) Shared IP: 192.168.236.130

Web Server 1

IP: 192.168.127.130

Web Server 2

IP: 192.168.127.132

1/Intall Haproxy and keepalived

You can install from source but for easier you need install rpm packet(if you need lastest rpm packet of HAPROXY(version 1.4.5) and Keepalived(version 1.1.20) .Please contact me with email:quan.hoa@conheotiensinh.co.cc.I will give it to you

2/Edit /etc/haproxy/haproxy.cfg in both load balancer server as following:

global

log 127.0.0.1 local2

chroot /var/lib/haproxy

pidfile /var/run/haproxy.pid

maxconn 4000

user haproxy

group haproxy

daemon

defaults

mode http

log global

option dontlognull

option httpclose

option httplog

option forwardfor

option redispatch

timeout connect 10000 # default 10 second time out if a backend is not found

timeout client 300000

timeout server 300000

maxconn 60000

retries 3

listen webfarm 192.168.236.130:80

mode http

stats enable

stats auth test:123

#balance roundrobin

balance source

cookie JSESSIONID prefix

#balance source

#cookie SERVERID insert indirect

option httpclose

option forwardfor

option httpchk HEAD /check.txt HTTP/1.0

server web1 192.168.127.130:80 cookie A check

server web2 192.168.127.132:80 cookie B check

3/Configure Keepalived

As this Document I use keepalived for HA(beside you can use heartbeat and VRRP for cluster)

edit /etc/keepalived/keepalived.conf in both load balance(only change priority 101 on master, 100 on backup)

vrrp_script chk_haproxy { # Requires keepalived-1.1.13

script "killall -0 haproxy" # cheaper than pidof

interval 2 # check every 2 seconds

weight 2 # add 2 points of prio if OK

}

vrrp_instance VI_1 {

interface eth0

state MASTER

virtual_router_id 51

priority 101 # 101 on master, 100 on backup

virtual_ipaddress {

192.168.236.130

}

track_script {

chk_haproxy

}

4/Edit /etc/sysctl.conf in both load balance

# Allow HAProxy shared IP

net.ipv4.ip_nonlocal_bind = 1

5/Test

I setup 2 webmail roundcube for test this haproxy

a/Login webmail and check log

b/Stop LB1 and check log in Load balance 2

c/Check status HAPROXY with URL:http://192.168.236.130/haproxy?stats

Thanks

Deploy iptables Cluster using Fwbuilder and Heartbeat

2010-04-06T13:24:00.023+07:00

I/Intro

As We know fwbuilder is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers extended access lists. Both professional network administrators and hobbyists managing firewalls with policies more complex that is allowed by simple web based UI can simplify management tasks with the application. The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls.

Firewall Builder is packaged with most Linux distributions. If the package is not available in the base distribution, it usually can be found in "extras". You need to install package that has supporting API library libfwbuilder and package fwbuilder that contains Firewall Builder GUI and policy compilers. You can use your favorite package management tool sucn as yum, apt-get or aptitude to find and install them. On FreeBSD and OpenBSD Firewall Builder is part of ports, you can find it in /usr/ports/security/fwbuilder. Now The new version comes with support for high availability firewall configurations, including heartbeat, vrrpd, keepalived, conntrackd on Linux, CARP and pfsync on OpenBSD and PIX failover configuration. It can generate configuration scripts to manage ip addresses, VLAN, bridge and bonding interfaces on the firewall. Drop-in support for OpenWRT firewall script is now available, as well as experimental integration with IPCOP firewall appliances. The GUI has supports undo/redo of unlimited depth and was generally streamlined and has many other improvements.you can prefer:http://www.fwbuilder.org/

2/Install

Step 1:config IP for 2 firewall as image

Step 2:install heartbeat

yum -y install heartbeat

yum -y install heartbeat# run again becaus of errors

Step 3:copy file configure default.It's necessary to do this on both systems

cp /usr/share/doc/heartbeat-2.1.3/authkeys /etc/ha.d/authkeys

cp /usr/share/doc/heartbeat-2.1.3/ ha.cf etc/ha.d/ha.cf

cp /usr/share/doc/heartbeat-2.1.3/haresources etc/ha.d/haresources

Step 4 :Edit /etc/ha.d/authkeys It's necessary to do this on both systems

auth 3

3 md5 123

Step 5:edit etc/ha.d/ha.cf.It's necessary to do this on both systems

keepalive 2 #line 52

deadtime 10 # line 60

mcast eth0 225.0.0.1 694 1 0 #line 117

mcast eth1 225.0.0.1 694 1 0 #line 118

node fw1.test.vn #add it in BOTTOM

node fw2.test.vn #add it in BOTTOM

step 6:edit etc/ha.d/haresources

fw1.test.vn IPaddr::192.168.10.145/24/eth0/192.168.10.255

fw1.test.vn IPaddr::172.16.1.3/16/eth1/172.16.255.255

Step 7:

authkeys should have permissions "0600", other files can have permissions "0644"

Step 8:

/etc/init.d/heartbeat start

Step 9:Install fwbuilder

#rpm -Uvh libfwbuilder*

#rpm -Uvh fwbuilder*

Step 10:

Create 2 fw as image in Fwbuilder

Step 11:

Step 12:

we can open udp port 694 and udp port 3780 in both fw

Step 13:

Create Nat and Policy for cluster (it created as fwbuilder stand alone)

Step 14:Test

shutdown fw1 test again

start fw1 test again

beside you can use vrrp,carp.... for cluster.

if you need file template for config .Please send mail to quan.hoa@conheotiensinh.co.cc.I Will send it to you

Thanks

http://conheotiensinh.blogspot.com/

INSTALL IPS(SNORT) WITH EasyIDS and Guardian

2009-12-31T13:34:00.007+07:00

I/Intro

An Intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks . When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology

II/INSTALL

Step 1:Install IDS as http://conheotiensinh.blogspot.com/2009/12/install-ids-in-centos-with-5-minutes.html

Step 2:IPS – Guardian

Guardian is a security program which works in conjunction with Snort to automaticly update firewall rules based on alerts generated by Snort.
The updated firewall rules block all incoming data from the IP address of the attacking machine (the machine which caused Snort to generate an alert.
There is also logic in place which pervents blocking important machines, such as DNS servers, gateways, and whatever else you want.

Step 3:

Go to http://www.chaotic.org/guardian/ to download Guardian. The current version as at this writing is version 1.7.
#wget http://www.chaotic.org/guardian/guardian-1.7.tar.gz
#

tar -xzvf guardian-1.7.tar.gz
#

cd guardian-1.7
#cp guardian.pl /usr/local/bin/
#cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
#cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
#cp guardian.conf /etc/snort/
#touch /etc/snort/guardian.ignore
#touch /etc/snort/guardian.target
#touch /var/log/snort/guardian.log

Step 4:

edit /etc/snort/guardian.conf change some variables

HostIpAddr xxx.xxx.xxx.xxx (IP snort monitor)
Interface ETH01 (interface snort monitor)
HostGatewayByte   75
Logfile /var/log/snort/guardian.log
AlertFile /var/log/messages
IgnoreFile /etc/snort/guardian.ignore
TargetFile /etc/snort/guardian.target
TimeLimit 86400

Step 5:

Edit /usr/local/bin/guardian_block.sh change some variables(this shell will block ip attacker and alert mail to test@conheotiensinh.co.cc )

source=$1
interface=$2

/sbin/iptables -I INPUT -s $source -i $interface -j DROP
/sbin/iptables -I FORWARD -s $source -i $interface -j DROP

echo "$source is blocked!" | mail -s "Snort alert is blocked" test@conheotiensinh.co.cc

Step 6:

Edit /usr/local/bin/guardian_unblock.sh change some variables(this shell will delete ip attaker from block ip and alert mail to test@conheotiensinh.co.cc)

source=$1
interface=$2

/sbin/iptables -D INPUT -s $source -i $interface -j DROP
/sbin/iptables -D FORWARD -s $source -i $interface -j DROP

echo "$source is blocked for 24 hours! It is released!" | mail -s "Snort alert is released" test@conheotiensinh.co.cc

Step 7:

Edit /etc/snort/guardian.target

add ip (snort monitor)

Step 8:


Edit /etc/snort/guardian.ignore

add ip 127.0.0.1

Step 9:



Edit /etc/snort/snort.conf

uncomment “output alert_syslog: LOG_AUTH LOG_ALERT”

service snort restart

Step 10:create file shell guardian.sh

#————— CUT HERE —————–#

#!/bin/bash

start() { export PATH=$PATH:/usr/local/bin /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf }

stop() { ps aux | grep 'guardian.pl *-c' 2>&1 > /dev/null if [ $? -eq 0 ]; then kill `ps aux | grep 'guardian.pl *-c' | awk '{print $2}'` else echo "Guardian is not running ....." fi }

status() { ps aux | grep 'guardian.pl *-c' 2>&1 > /dev/null if [ $? -eq 0 ]; then echo "Guardian is Running ....." else echo "Guardian is not Running ...." fi }

case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
status)
status;;
*)
echo $"Usage: $0 {start|stop|restart|status}"
esac

Step 11:

chmod +x guardian.sh
cp guardian.sh /usr/local/bin/guardian.sh

/usr/local/bin/guardian.sh start

Step 12:test

use nmap test

#nmap -v -sS xxx.xxx.xxx.xxx

Beside you can use Easy IDS as IPS with other Firewall:FreeBSD using IPFW,Checkpoint, PIX....use SSH copy rule to firewall

Please prefer:http://www.chaotic.org/guardian/

Install IDS in Centos with 5 minutes

2009-12-29T10:40:00.007+07:00

I/Intro

An Intrusion detection system (IDS) is a device (or application) that monitors network and/or system activities for malicious activities or policy violation.IDS install very hard (you need install Snort,HTTP,MYSQL and ......). But With EasyIDS you install IDS easier

II/Install

Step 1:you download ISO EasyIDS from http://sourceforge.net/projects/easyids/files/

Step 2:install It as install Centos OS (EasyIDS 4.0 run with Centos 5.4)

Step3:config Ip for Nic Card

Setp 4: To access the EasyIDS GUI browse to https://IPADDRESS from another computer and login with the username admin and the password password.

Step 5:atttack Easy IDS and check Status in Easy IDS

Beside you can use Easey IDS as IPS(Intrusion Prevention System) with iptables and Guardian.I will intro later

Thanks

INSTALL Monit for Monitor System

2009-12-04T11:20:00.004+07:00

I/INTRO

Monit is a free open source utility for managing and monitoring, processes, files, directories and filesystems on a UNIX system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.

II/INSTALL

Step 1:Install monit

#wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
#rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
#yum install monit
#chkconfig --levels 235 monit on

Step 2:Config Monit

edit /etc/moni.d/monitrc

set daemon  60
set logfile syslog facility log_daemon
set mailserver localhost #mail server
set mail-format { from: monit@server1.example.com }
set alert root@localhost #alert to admin with email adrress root@localhost
set httpd port 2812 and
  SSL ENABLE
  PEMFILE  /var/certs/monit.pem
  allow admin:test

some features example of monit

*check host CUIBAP with address 19.16.12.32
if failed icmp type echo with timeout 20 seconds then alert
(check host if over 20 second it will alert mail to admin)

*check host CONHEO with address 132.163.193.3
if failed port 25 with timeout 30 seconds then alert
(check Service SMTP if over 30 second it will alert mail to admin)

*check process sshd with pidfile /var/run/sshd.pid
start program "/etc/init.d/sshd start"
stop program "/etc/init.d/sshd stop"
if failed port 22 protocol ssh then restart
if failed port 22 protocol ssh then alert
if 5 restarts within 5 cycles then timeout
(check Service SSH if it down monit auto start only run in localhost)

Step 3:access monit via web mail port 2812

Install Iredmail use LDAP and Groupware Server use SOGO

2009-12-03T16:22:00.027+07:00

I/INTRO

As document previous I intro to you how to install iredmail use Mysql as backend http://conheotiensinh.blogspot.com/2009/08/install-linux-mail-server-with-5.html.Today I Will intro to you how to install iredmail use LDAP as backend(config iredadmin for admin mailbox .If you use Mysql as backend(postfixadmin)).Beside I will intro install and config Groupware Server use SOGO

*SOGo is groupware server with a focus on scalability and open standards.

*SOGo provides a rich AJAX-based Web interface and supports multiple native clients through the use of standard protocols such as CalDAV, CardDAV and GroupDAV.

*SOGo is the missing component of your infrastructure; it sits in the middle of your servers to offer your users an uniform and complete interface to access their information. It has been deployed in production environments where thousands of users are involved.

II/INSTALL

1/Install iredmail as normal but attention ! you choose ldap as backend password of account postmaster

2/Install and config Iredadmin

Default after install finish you can use phpldapadmin for admin mailbox but It very hard for config

Step 1:install package need for install iredadmin

#yum install python-setuptools.noarch MySQL-python.i386 \
gcc.i386 gcc-c++.i386 openssl-devel.i386 python-devel.i386 \
openldap-devel.i386
#easy_install web.py Jinja2 python-ldap==2.3.8 netifaces
#rpm -ivh http://www.iredmail.org/yum/rpms/5/mod_wsgi-2.5-2.ired.i386.rpm

Step 2:download Iredadmin(you need buy liscense because open source version only fearture create mailbox not create maillist but you can use phpldapadmin create mailist ) from http://iredmail.googlecode.com/files/iRedAdmin-0.1.1.tar.bz2
Step 3:Copy iRedAdmin to /var/www/, set correct file permissions
Step 4:

$ tar xjf iRedAdmin-0.1.1.tar.bz2 -C /var/www/ 
$ cd /var/www/
$ chown -R root:root iRedAdmin-0.1.1 
$ chmod -R 0755 iRedAdmin-0.1.1
$ ln -s iRedAdmin-0.1.1 iredadmin

Step 5:Add apache configure file: /etc/httpd/conf.d/iredadmin.conf.

AddType text/html .py Order deny,allow Allow from all

Step 6:Edit /etc/httpd/conf.d/ssl.conf, make iredadmin accessable via HTTPS. Add below lines before :

WSGIScriptAlias /iredadmin /var/www/iredadmin/iredadmin.py/ Alias /iredadmin/static /var/www/iredadmin/static/

Step 7:restart apache

/etc/init.d/httpd restart

Step 8:Create MySQL database: iredadmin and grant privileges

$ mysql -uroot -p
mysql> CREATE DATABASE iredadmin DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
mysql> USE iredadmin;
mysql> SOURCE /var/www/iredadmin/docs/samples/iredadmin.sql;
GRANT SELECT,INSERT,UPDATE,DELETE ON iredadmin.* TO
iredadmin@localhost IDENTIFIED BY '123' ;
FLUSH PRIVILEGES;

Step 9:Configure iRedAdmin

$ cd /var/www/iredadmin/ $ cp settings.ini.sample settings.ini

Edit settings.ini and set several variables

$ chmod -w settings.ini

Step 10:access iredamin:https://your_server_ip_address/iredadmin/

3/Install and config SOGO

Step 1:create repo for install SOGO by yum
create file /etc/yum.repos.d/inverse.repo with info

[RHEL5] name=Inverse SOGo Repository baseurl=http://inverse.ca/downloads/SOGo/RHEL5/$basearch gpgcheck=0

Step 2:install sogo

#yum install sogo
#yum install sope49-gdl1-postgresql(you can use mysql or oracle)

Step 3:Because SOGo requires a relational database system in order to store appointments, tasks and contacts information. It also uses the database system to store personal preferences of SOGo users.You need create DB and Grand permission

Step 4:Edit /home/sogo/GNUstep/Defaults/.GNUstepDefaults as image

Step 5:you need install add-on for thurderbird

http://www.sogo.nu/fr/downloads/frontends.html

Step 6:config thunderbird

If you only use the SOGo Connector plug in, you can still easily access your data.
To access your personal address book:
Choose Go > Address Book. Choose File > New > Remote Address Book.
Enter a signifcant name for your calendar in the Name feld.
Type the following URL in the URL feld: http://localhost/SOGo/dav/u1/Contacts/personal/ Click on OK.
To access your personal calendar: Choose Go > Calendar.
Choose Calendar > New Calendar. Select On the Network and click on Continue. Select CalDAV.
Type the following URL in the URL feld: http://localhost/SOGo/dav/u1/Calendar/personal/ Click on Continue.

STep 7:Test create 1 calendar in web it will auto sync to thunderbird

Monitor bandwidth with Netflow and PRTG(PFSENSE)

2009-12-02T13:40:00.008+07:00

I/Intro

*NetFlow Analyzer is a, web based (no hardware probes), bandwidth monitoring, network forensics and network traffic analysis tool that has been optimizing thousands of networks across varied industries for peak performance and helping them to put their bandwidth for a better use. NetFlow Analyzer is a NetFlow, sFlow, JFLow (and more) collector, analyzer and reporting engine integrated together. With close to 4000 enterprises using NetFlow Analyzer for an in-depth visibility into their network traffic and its patterns, NetFlow Analyzer continues to earn trust of more users by giving business knowledge of real-time network behavior and how traffic impacts the network's overall health.

*PRTG Traffic Grapher is an easy to use Windows software for monitoring and classifying bandwidth traffic usage. It provides system administrators with live readings and long-term usage trends for their network devices. The most common usage is bandwidth management, but you can also monitor many other aspects of your network like memory and CPU utilizations.

II/Install

Step 1:install pfsense as normal

Step 2:install Service pfflowd(system->Packages chose pffflow click icon "+")

Step 3:Config Service pfflowd in pfsense (services -> pfflowd) and config as image with Host(address of machine install netflow) and click save

Step 4:config Service SNMP for PRTG(Services -> SNMP check enable as image )

Step 5 :install PRTG and Netflow .

Download PRTG:http://www.paessler.com/prtg6/download
Netflow:http://www.manageengine.com/products/netflow/download.html

install PRTG and Netflow auto

Step 6:restart pfsense

Step 7:Test
from 172.16.1.3 download check status prtg and netflow

INSTALL MOD SECURITY ModSecurity (Web Application Firewall)

2009-11-26T13:49:00.004+07:00

I/INTRO

ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella – shielding applications from attacks. ModSecurity supports both branches of the Apache web server.

The module filters, and optionally rejects, incoming requests based on a number of different criteria like CGI variables, HTTP headers, environment variables, and even individual script parameters. mod_security can also create an audit log, storing full request details in a separate file, including POST payloads (the audit feature can be turned on or off on a per-server or per-directory basis).

II/INSTALL

Step 1:You need install Microsoft Visual C++ 2008 Redistributable Package (x86) (if you use Apache in window).

If you use LINUX.you can install from source as:

#wget http://www.modsecurity.org/download/modsecurity-apache_2.5.11.tar.gz

#tar -xvzf modsecurity-apache_2.5.11.tar.gz

#cd modsecurity-apache_2.5.11

#./configure;make;make install

you can install It by yum if you use RHEL or CENTOS

prefer:http://www.jasonlitka.com/yum-repository/

Step 2:Configure

copy libxml2.dll to folder bin in folder Apache(/etc/httpd/)if you use window

Step 3:edit file httpd.conf

uncommend

  LoadModule unique_id_module modules/mod_unique_id.so

Add this line at the bottom of Load Modules section:
LoadModule security2_module modules/mod_security2.so

Step 4:Test you change signature"SecServerSignature "IIS/7.5" " of webserver to IIS/7.5 and access to apache

INSTALL hMailServer

2009-11-19T14:55:00.012+07:00

I/INTRO

hMailServer is a free e-mail server for Microsoft Windows. It's used by Internet service providers, companies, governments, schools and enthusiasts in all parts of the world.

It supports the common e-mail protocols (IMAP, SMTP and POP3) and can easily be integrated with many existing web mail systems. It has flexible score-based spam protection and can attach to your virus scanner to scan all incoming and outgoing email.

prefer:http://www.hmailserver.com/

II/Functionality

1/Services(POP3,STMP,IMAP)
2/database support(Microsoft SQL Server, PostgreSQL and MySQL)
3/webmail(you can use Roundcube,SquirrelMail ,AfterLogic WebMail Pro)
4/Security(hMailServer is pre-configured to have high security when it comes to relaying and authentication so that no one can use your server to send spam messages. It also supports the very popular open source virus scanner ClamAV. Configuring hMailServer to use ClamAV only takes a single click! The server also supports black list servers and other spam-stopping mechanisms such as SPF and MX lookups).
5/feature
* POP3, SMTP, IMAP
* Virtual domains
* Built-in backup
* SSL encryption
* Anti-spam
* Anti-virus
* Scripting
* Server-side rules
* Multilingual
* Routing
* MX backup
* Multihoming
* SQL backend
* Web administration
* ClamWin
* SpamAssassin
6/other(hMailServer can use account of Active directory)

III/INSTALL

Step 1:download hmail server from

http://www.hmailserver.com/index.php?page=download

Step 2:Install hmail server (it auto install)

Step 3: After install add domain(conheotiensinh.co.cc)

Step 4:Add Account you can use account of AD

Step 5:install web admin and Web mail

For easier install you can use xampp(http://www.apachefriends.org/en/xampp.html)

1/Web admin
- Copy folder PHPWebAdmin from in folder install hmailServer to folder htdocs of xampp
-Set the value of rooturl to the URL where the WebAdmin will be accessed.

Example:
$hmail_config['rooturl'] = "http://localhost/PHWebAdmin/";

2/Webmail
a/use SquirrelMail
Download It from (http://www.squirrelmail.org/download.php).In your mail folder, you will found a config folder with a file named config_default.php. Rename the config_default.php to config.php.Edit it

$domain = "localhost"; $smtpServerAddress = "localhost"; // your hMailServer address $imapServerAddress = "localhost"; // your hMailServer address $imap_server_type = "hmailserver";
$data_dir = "C:/xampp/htdocs/mail/data/";
$attachment_dir = "C:/xampp/htdocs/mail/attach/"

b/Use roundcube(recommend)
-Download from http://roundcube.net/
-Create database roundcubemail from phpmyadmin
-Rename your “db.inc.php.dist” to “db.inc.php” and “main.inc.php.dist” to “main.inc.php” in folder config of roundcube
-Edit your “db.inc.php” and change this line “$rcmail_config['db_dsnw'] = ‘mysql://roundcube:pass@localhost/roundcubemail’;” with this “$rcmail_config['db_dsnw'] = ‘mysql://root:@localhost/roundcubemail’;”
-access http://localhost/roundcubemail/installer and configure it

c/use AfterLogic WebMail Pro(not recommend Buy Liscense)

- Download from http://www.afterlogic.com/

-Access http://your_webmail_web_address/adminpanel/install.htm you will install it auto

VPN IPSEC SITE TO SITE WITH PFSENSE

2009-11-13T15:20:00.005+07:00

I/INSTALL

you need install pfsense with info:

Site 1: Outside IP: 192.168.20.203/24
Outside Gateway: 192.168.20.254
Inside IP: 172.16.1.0/16

Site 2: Outside IP: 192.168.20.83/24
Outside Gateway: 192.168.20.254
Inside IP: 172.16.10.0/24

Step 1: Install pfsense and set local IP’s on both firewalls.

Step 2: Logon to the web interface for pfsense on each box and assign the WAN addresses.

Step 3: Enable IPSEC (VPN->IPSEC->Enable IPSec). Do this on both firewalls.

Step 4: Add a tunnel on Site 1’s firewall to Site 2 by adding a tunnel and changing only the following items:
* Remote Subnet: 172.16.10.0/24
* Remote Gateway: 192.168.20.83
* Phase 1 Lifetime: 28800
* PreShared Key: conheotiensinh
* PFS Key Group: 2
* Phase 2 Lifetime: 3600

Step 5: Add a tunnel on Site 2’s firewall to Site 1 by adding a tunnel and changing only the following items:
* Remote Subnet: 172.16.1.0/16
* Remote Gateway: 192.168.20.203
* Phase 1 Lifetime: 28800
* PreShared Key: conheotiensinh
* PFS Key Group: 2
* Phase 2 Lifetime: 3600

Step 6: "Apply Changes”

Step 7: Allow Authenticated Headers (TCP/51) and ISAKMP (UPD/500) with Firewall rules so that IPSEC can pass. Firewall->Rules: WAN Tab.
Rule 1
* Source IP: Any
* Destination IP: WAN Address
* Protocol: TCP
* Port: 51

Rule 2
* Source IP: Any
* Destination IP: WAN Address
* Protocol: UDP
* Port:500

Do this on both firewalls and Apply Changes when prompted

Step 8: Allow all traffic to pass through the IPSEC tunnel. Firewall->Rules : IPSEC Tab
Rule
* Source IP: Any
* Destination IP: Any
* Protocol: Any
* Port Range: Any

II/TEST

ping test connection from local in site 1 to site 2 and site 2 to site 1

SETUP VPN(PPTP SERVER) WITH PFSENSE

2009-11-10T11:22:00.008+07:00

I/INTRO

PPTP works by sending a regular PPP session to the peer with the Generic Routing Encapsulation (GRE) protocol. A second session on TCP port 1723 is used to initiate and manage the GRE session. PPTP is difficult to forward past a network firewall because it requires two network sessions. As such, firewalls are unable to let pass this traffic flawlessly, resulting in an inability to connect.

II/ INSTALL

We need install pfsense with 2 interface

Wan interface:192.168.20.203
Lan interface:172.16.1.1

Step 1: Enable PPTP Server (VPN > PPTP).Setup as Image

*Redirect incoming PPTP connections to:If check you will redirect to other PPTP Server(Example Window PPTP)
*Use a RADIUS server for authentication:used Account of Radius(AD,FreeRadius...)

Step 2: create Account for access VPN (click tab users)

Step 3:create Rule for VPN Zone access internet

Step 4: connect to PPTP with ip:192.168.20.203 and test connection

INSTALL IPS(SNORT) WITH PFSENSE

2009-11-09T15:21:00.010+07:00

I/INTRO

Pfsense use snort as IPS( Snort Used by fortune 500 companies and goverments Snort is the most widely deployed IDS/IPS technology worldwide. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. )

II/INSTALL

In This lab we need setup network with info:

Wan Interface:192.168.20.203
Lan Interface:172.16.1.1

STEP 1:Install pfsense as ip
STEP 2:Install snort(The package is available to install from System > Packages and you must only install SNORT or SNORT_DEV never both. It is strongly suggested you get a paid subscription form www.snort.org in order for you to download the latest rules. )
STEP 3:After Install done We configure snort(Services > Snort)click tab Setting and configure as image

Notes:

Block offenders:Pfsense will automatically block hosts that generate a snort alert
Remove blocked hosts every: It Will auto remove hosts from tab blocked
Oinkmaster code:you need register 1 Account in Snort or buy (http://www.snort.org/vrt/buy-a-subscription/ will get the the latest rule updates 30 days faster than registered users)

Step 4:click tab update rules(please waith about 4-10 minutes)

Step 5:Test before attack(ping external ip)

Step 6:user super scan tool scan ip external and check tab blocked

Step 7 :access agian ip external

Step 8:Delete ip attacker in tab blocked and test again

Beside You can use Blocking Skype ,Yahoo ,P2P.... with pfSense and Snort.I will intro later

Install Firewall Cluster Failover(HA) With 5 minutes

2009-10-13T16:57:00.010+07:00

I/ Intro

Setup Firewall Cluster Failover(HA) with 5 minutes

II/INSTALL

Step 1:You setup 2 firewall with info

firewall 1(MASTER): LAN:172.16.1.1 SYNC:192.168.188.1(cable Cross) WAN

firewall 2(SLAVE): LAN:172.16.1.2 SYNC:192.168.188.2(Cable Cross) WAN

Step 2 :Create virtual IP in fw1 and fw 2(Firewall > Virtual IP)

Step 3: config sync for fw (rule,Nat ......)

In Master (Firewall > Virtual IP go to tab CARP Settings)

+check all box
+Synchronize Interface:SYNC
+Synchronize to IP:192.168.188.2
+Remote System Password:your password access admin pfsense

In SLAVE(Firewall > Virtual IP go to tab CARP Settings)

+only check Synchronize Enabled
+Synchronize Interface:SYNC

Step 4: don't forget add rule in interface SYNC for master connect to SLAVE and SLAVE connect to MASTER

Step 5 :Check status In MASTER and SLAVE

Step 6:Test create rule in MASTER it Auto update to SLAVE

Step 7 :Test Connection shutdown MASTER.SLAVE to MASTER (it will delay 1 ms)

Multi WAN / Load Balancing OUTBOUND Use PFSENSE

2009-10-13T10:30:00.016+07:00

1/Overview

This setup enables pfSense to load balance traffic from your LAN to multiple internet connections (WANs). Traffic from the LAN is shared out on a round robin basis across the available WANs. pfSense monitors each WAN connection, using an IP address you provide, and if the monitor fails, a failover configuration is used, this typically just feeds all traffic down the other connection(s). This example sets up 2 WANs, but 3 or more can be used.

2/Intro

You can use other device load balance but it very expensive for your Company (Include My company).Pfsense can deploy all company from small -> big company( <500users)

3/Install

you can Setup pfsense with 3 interface

Lan:172.16.1.1

Wan1: 192.168.20.204

Wan2:172.16.10.1

Step 1: Create App pool wan1&wan2(services>load balancer)

Step 2:Create rule for Local access internet via pool wan1&wan2

Step 3:Check status pool (Status > Load Balancer)

Step 4:Disconnect line 1 check internet va status pool

Step 4:Connect Line 1 Disconnect line 2 check internet va status pool
other you can setup Pfsense cluster failover .I will intro later

SMTP Gateway for Multiple Domain Email Gateway with Postfix

2009-10-07T16:21:00.000+07:00

Scope / Purpose

This article walks through the setup for a email gateway for multiple domains, rejects unknown email addresses, and uses a script to query valid email addresses via Active Directory.

Overview

This article describes the rationale and the setup of an external email firewall/gateway server with Postfix, a secure, high performance, and easily configurable alternative SMTP server to Sendmail.

The most common reason for this is to improve security (this applies even if you're not running Exchange). Since the email gateway theoretically only exposes its SMTP port, and will not store any emails, so even in the (ideally unlikely) event that it is compromised, any sensitive or valuable data is held elsewhere. The worst that could happen is that the attacker obtains a list of vaild email addresses for your domain(s). It can also be used for offloading services from your main email server, tasks like rejecting and filtering spam, greylisting, scanning viruses, avoiding unnecessary bandwidth, etc.

There are "articles" on the Internet that make references to simplying using the "relayhost = internalsmtp.test.vn" directive. The problem with this setup is that since the external email gateway knows nothing about the internal addresses (even when configured to only accept email to @test.vn), that it has to accept and forward everything and depend on the internal host to handle rejecting and bouncing messages. This might be acceptable, except if/when your domain becomes the target of a flood of spam or viruses to invalid/generated email addresses. Especially since the source and reply-to addresses of these emails are typically spoofed, each message ends up being accepted at the email gateway, forwarded to your internal server, rejected and relayed back to your email gateway, queued by the email gateway for delivery, retried repeatedly until it exceeds the nominal timeout, then bounced back to the email admin account on your internal email server. Lather, rinse and repeat that for every single message and it should be clear why you should never just use the "relayhost" directive to do this.

The "correct(tm)" way to do this, is to set up the email gateway so that it has knowledge of valid email addresses. That way, any address that doesn't exist is immediately rejected before the email gateway even gets to accept the data. This is important enough to worth being redudant. Rejecting unknown addresses not only avoids the whole loop described above, but avoids tying up your bandwidth receiving whatever data that would have been sent.

References / Links

Basically, this article is a restatement of Postfix email firewall/gateway found on Postfix.org's online configuration examples

Configuration

This article will not cover the compiling or installation of Postfix as it's generally available or easily installed for most distributions.

/etc/postfix/main.cf

As the name implies, this is the main configuration file for Postfix. One main attribute with Postfix is that the defaults generally default to something sensible, so that for the most part, outside of the parameters that need to be customized to your setup, they can be completely omitted in main.cf.

Hint: The command below will show the configuration directives that have been altered from default.

 postconf -n

Since this is an email gateway only meant to forward email, disable local mail delivery by (Note: setting a configuration directive to empty disables it):

 mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

Normally, emails that originate from a host will have a from address in the form of username@hostname.test.vn. However, since the email gateway cannot receive mail for local users (as disabled above), you need to set the originating domain to something sensible:

 myorigin = test.vn

mynetworks = define which networks are allowed to relay mail through this host. Although it's meant for internal networks to be able to relay mail without having to authenticate, it can be used (abused) to include external IP addresses or networks. However, the proper solution is to set up your Postfix installation to do SASL authentication:

 mynetworks =
127.0.0.0/8,
192.168.20.0/24

This section below prevents addresses such as usernexame@subdomain.test.vn to match. Explicitly define domains you wish to accept using relay_domains below.

 parent_domain_matches_subdomains =
debug_peer_list,
smtpd_access_maps

relay_domains = define domains for which the email gateway will accept emails.

 relay_domains =
test1.vn,
test2.vn,
subdomain.test.vn

smtpd_recipient_restrictions = controls what the Postfix server will accept during the RCPT TO command.

 smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination

transport_maps = holds the mappings between domains and the SMTP server where the mail gets forwarded. See /etc/postfix/transport for details.

 transport_maps = hash:/etc/postfix/transport

relay_recipient_maps = points to a file that lists all of the email addresses for which the email gateway will accept mail. See /etc/postfix/relay_recipients.

 relay_recipient_maps = hash:/etc/postfix/relay_recipients

show_user_unknown_table_name = controls whether Postfix returns "User unknown in relay recipient table" (default - useful for debugging only) or "User unknown" (when set to no). This configuration directive is only used in conjunction with relay_recipient_maps.

 show_user_unknown_table_name = no

ven though local mail delivery is disabled, the email gateway is still supposed to accept emails to postmaster and abuse. To do so, define a virtual alias map (we'll populate the values later). See /etc/postfix/virtual for details.

 virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/master.cf

This file basically defines services that Postfix will provide. To completely disable local mail delivery, edit /etc/postfix/master.cf and insert a # symbol in front of the local service definition:

 #local     unix  -       n       n       -       -       local

/etc/postfix/virtual

In a typical setup, /etc/aliases is used to forward mail to other account or external addresses. However, since local mail delivery is disabled, modifying /etc/aliases has no effect. This file holds the alias mappings between local addresses and actual email addresses. Note: this is only necessary because there is no local mail delivery, and that some "local" addresses ought to exist for technical correctness.

 postmaster      postmaster@test.vn
abuse           abuse@test.vn
root  guru@test.vn

Actually, you can use this file for more than local addresses. You can forward emails from ex-users to their new emails addresses, create simple distribution lists, or copy an email to another user, etc.

 virtualuser@test.vn     actualuser@test1.vn
distribution@test.vn    user1@test.vn,user2@test.vn,user3@test.vn
ex_user@test2.vn         forwarding_address@dom.ain
user@test.vn             user@test.vn,spy@test.vn

/etc/postfix/transport

This file defines the relationship between domains and the server(s) where mail is forwarded.

 test1.vn              smtp:insidesmtp.test.vn
test2.vn              smtp:insidesmtp.test.vn
subdomain.test.vn    smtp:insidesmtp.test.vn

/etc/postfix/relay_recipients

This file folds a complete list of email address for which the email gateway will accept mail. Even though you have to enter the values as a pair (key & value), the second part (the value) doesn't actually matter as long as the email addresses are correct.

 user1@test1.vn OK
user2@test1.vn OK
user1@test2.vn OK
user2@test2.vn OK
user1@subdomain.test.vn OK
user2@subdomain.test.vn OK

Populating relay_recipients from Active Directory

Note that this script requires perl and Net::LDAP(you need install perl-ldap by yum). However, this does NOT have to be on your email gateway.

Download http://www-personal.umich.edu/~malth/gaptuning/postfix/getadsmtp.pl
Edit the script so that values below are correct:

$VALID = "/etc/postfix/relay_recipients";
$dc1="dc1.test.vn";
$dc2="dc2.test.vn";
$hqbase="cn=Users,dc=test,dc=vn";
$user="cn=user,cn=Users,dc=test,dc=vn";
$passwd="password";

Note that if you have email distribution lists that need to be externally accesible, that you will also need the contents of:

$hqbase="ou=Exchange Distribution Lists,dc=test,dc=vn";

Hashing Databases

Postfix uses the db hash format by default. For this setup, we need to create the hashed db files by executing:

postmap hash:/etc/postfix/virtual
postmap hash:/etc/postfix/transport
postmap hash:/etc/postfix/relay_recipients

Note: remember to rerun the above commands every time the contents of those files change.

Restarting Postfix

The preferred way of getting Postfix to reload its configuration files is simply execute:

postfix reload

You can create script run every hours

#!/bin/sh

cd /etc/postfix ; ./getadsmtp.pl && postmap relay_recipients


If You have any problem script perl please send mail to:
conheotiensinh@yahoo.com.

INSTALL SHOREWALL(Configure Iptables easier )

2009-09-29T16:30:00.001+07:00

I/INTRO

Shorewall (more appropriately the Shoreline Firewall) is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes.

Using an analogy understandable to programmers: Shorewall is to iptables, what C is to assembly language. It provides a higher level of abstraction for describing rules using text files.

II/INSTALL

1/ download all packages *.rpm of shorewall(http://rpm.pbone.net/ if You use Fedora can use yum ) and install with command rpm -ivh *.rpm

2/Configure Shorewall

I Configure shorewall with 3 interface and 3 zone:net,DMZ,Local

2.1/in file /etc/shorewall/zone add all lines

fw firewall

net ipv4 #

loc ipv4 #

dmz ipv4 #

2.2/ In file /etc/shorewall/interfaces add all lines

net eth1 #interface of zone net

loc eth0 # interface of Zone loc

dmz eth2 #interface of Zone dmz
2.3/In File /etc/shorewall/masq add all lines (This file use for NAT outbound)

eth1 192.168.100.0/24 172.21.1.16
eth1 192.168.111.0/24 172.21.1.16

192.168.100.0/24 subnet zone local.
192.168.111.0/24 subnet zone DMZ and ip:172.21.1.16 external address of firewall

2.4/In file etc/shorewall/policy add all lines

loc net REJECT info

net all DROP info

all all REJECT info

$FW net REJECT info

dmz net REJECT info

dmz loc REJECT info

loc dmz REJECT info

2.5/In file /etc/shorewall/rule add all lines

ACCEPT loc net tcp 80,443,25,110,53//(Permit access local->internet with protocol HTTP,HTTPS,SMTP,POP3,DNS)

ACCEPT loc net udp 53

ACCEPT loc net icmp echo-request //(Permit ping local->internet)

ACCEPT loc fw tcp 2822 //(permit access SSH to firewall for Security I change port of SSH)

DNAT net dmz:192.168.111.2 tcp 80,443,110,25,995,465//(Nat INBOUND from internet can access protocols: HTTP,HTTPS,POP3,SMTP,POP3S,SMTPS)

Change

STARTUP_ENABLED=No -> STARTUP_ENABLED=Yes trong /etc/shorewall/shorewall.conf

start shorewall by command :shorewall start

For configure easier you can use webmin for configure shorewall with web interface.

Active Directory/LDAP Virtual Users for RHEL/CentOS 5

2009-09-17T15:27:00.000+07:00

This guide will show you how to integrate Active Directory/LDAP into Postfix and Dovecot. In this page, you will learn how to enable Postfix to lookup email addresses in LDAP and how to enable Dovecot to authenticate to an LDAP server.

We will be using the following attributes

samaccountname or uid – User Name for Active Directory or OpenLDAP respectively.
mail – Email Address. For Active Directory users, you need to fill-up the E-mail field of the User.
othermailbox – For Active Directory only. We will use this field to store email aliases. Use ADSI Edit to update this field.

Create the Virtual Mail User Account

Since the Active Directory/OpenLDAP user names are not part of the Linux system, we will have to create a user that will be the owner for all the files belonging to the LDAP user names.

1. Create a new user, we will call it vmail. Change the Login Shell to /sbin/nologin, this user account should not be used for logging in.

2. Take note of the User ID and Home Directory of vmail(example 502).

3. Now note down the Group ID of vmail. We’ll be needing all of them later.

Postfix Active Directory/LDAP Integration

1. Create the file /etc/postfix/ldap-users.cf containing the lines below

server_host = dc.test.vn
search_base = dc=test,dc=vn
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname #Account from DC
result_format = %s/Maildir/

If you are connecting to an Active Directory server and would like to have email alias capability, change the query filter to (&(objectclass=person)(|(mail=%s)(othermailbox=%s))) to include the othermailbox field in the search.

Change samaccountname to uid if you will be connecting to an Active Directory server. If your server requires authentication, add the lines below

bind = yes
bind_dn = cn=mailuser,dc=test,dc=vn
bind_dn = mailuser@test.vn

2. Test your postfix configuration file by typing in the command

postmap -q cuibap@test.vn ldap:/etc/postfix/ldap-users.cf


If you are querying a Windows 2003 Server and postmap does
not seem to work,try
enabling the Windows 2003 Active Directory.

3. Edit the postfix configuration file /etc/postfix/main.cf and edit the line below

mydestination = $myhostname, localhost.$mydomain, localhost

and add the lines below

virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /home/vmail/
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:502
virtual_gid_maps = static:502

virtual_mailbox_base, virtual_uid_maps and virtual_gid_maps should contain the home directory, user id and group id of vmail respectively.

Make sure $mydomain in mydestination has been removed, otherwise the lookup will not work and you will get a “User unknown in local recipient table” error.

4. Restart the Postfix

5. You should now be able to send email to addresses found in your LDAP server. sing LDAP email addresses instead of the system user names.

Dovecot Active Directory/LDAP Integration

1. Create the file /etc/dovecot-ldap.conf containing the lines below

server_host = dc.test.vn
search_base = dc=test,dc=vn
ldap_version = 3
auth_bind_userdn = test\%u

2. Edit the file /etc/dovecot.conf and change the value of the following keys below

auth_username_format = %Lu

passdb ldap {
  args = /etc/dovecot-ldap.conf
}

userdb static {
  args = uid=502 gid=502 home=/home/vmail/%u
}

uid, gid and home should contain the user id, group id and home directory respectively of the vmail user account.

3. Restart the dovecot service

LOAD BALANCE AND CLUSTER FAILOVER WEBSERVER(INBOUND)USE PFSENSE

2009-09-11T16:06:00.003+07:00

I/Intro

pfSense is a FreeBSD-based firewall tailored for use as a firewall and router. The project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall.

Common Deployments

Although mainly deployed as a perimeter firewall, pfSense is versatile enough to fill many types of deployments. Here is a short list of common deployments:

Perimeter Firewall - As discused earlier, this is by far the most common deployment for pfSense.
Router - Due to the ability to load balance connections and provide failover capabilities, pfSense makes for an ideal choice for a DIY Router for the SMB market.
Wireless Access Point - With the ability of Captive Portal within it, pfSense can easily be deployed as a wireless hotspot solution.
Special purpose appliance - Some users have decided to utilize pfSense in a unique way to helpfulfill their unique needs.
- VPN Appliance
- Sniffer Appliance
- Dedicated DHCP server
- Dedicated DNS server

Features

pfSense includes almost all the features in expensive commercial firewalls, and more in many cases. Here is a list of features taken from the pfSense Features page.

Firewall
State Table
NAT
Redundancy
- CARP- CARP from OpenBSD allows for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. pfSense also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.
- pfsync - pfsync ensures the firewall's state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
Outbound and Inbound load balancing
VPN - IPsec, OpenVPN, PPTP
PPPoE Server
RRD Graphs Reporting
Real Time Information - Using AJAX
Dynamic DNS
Captive portal
DHCP Server and Relay
Live CD Version Available

II/INSTALL

Step 1:Install Pfsense from CD

Step 2:enable vlan or no(I choose "no")

Step 3:enter the lan interface name

Step 4:enter the wan interface name

Step 5: enter

Step 6 type "y"

Step 7: setup ip adrress as Diagram
III/LOAD BALANCE WEB

Step 8:Set up Load Balancing Pool

The first thing to do is create a pool (Services > Load Balancer > Add).

Step 9:Set up virtual server

Adding a new Virtual Server (Services > Load balancer > Virtual Servers > Add )

Step 10: Set up virtual ip address

Adding a new Virtual IP (Firewall > Virtual IPs > Add )

Step 11:Create Nat(Firewall > Nat > Add)

Note: open port 80 from Internet access to 192.168.0.5 and 192.168.0.6

Step 12:Access to http://192.168.20.204/ and check status load balance

Step 13:Disconnect 192.168.0.5 Access to http://192.168.20.204/ and check status load balance

IV/CLUSTER FAILOVER

As LOAD balance but choose Failover

Besides pfsense can create cluster fail over firewall and load balance outbound

Redundant Load Balancers Using VRRP

2009-09-10T17:44:00.001+07:00

I/INTRO

Pen offers fault tolerance by automatically rerouting traffic from servers that are offline. But what if the load balancer goes down? Using VRRP, it is possible to run two load balancers in an active-passive failover configuration

II/INSTALL VRRP

[root@ ~]wget http://downloads.sourceforge.net/project/vrrpd/vrrpd/1.0/vrrpd-1.0.tar.gz?use_mirror=biznetnetworks

1. uncompress the source
2. cd in the directory
3. type 'make'(Please install gcc* before type make by "yum -y install gcc*")
[root@ ~] cp vrrpd /usr/sbin/vrrpd

Install pen and vrrpd on the two load balancer hosts. Start pen on both load balancers and check that both work by surfing to http://102.168.0.1/ and http://102.168.0.2/.

Now start vrrpd like this on both load balancers:

[root@ ~]vrrpd -i eth1 -v 1 192.168.0.3

Now try surfing to http://192.168.0.3/. One of the load balancers will be active and respond at that address

Disconnect "MASTER" .Now "SLAVE" restoring functionality.

Connect "MASTER" .Disconnect "SLAVE" ,"MASTER" restoring functionality

LOAD BALANCE WEB SERVER USE PEN

2009-09-08T16:52:00.001+07:00

I/Intro

This is pen, a load balancer for "simple" tcp based protocols such as http or smtp. It allows several servers to appear as one to the outside and automatically detects servers that are down and distributes clients among the available servers. This gives high availability and scalable performance.

The load balancing algorithm keeps track of clients and will try to send them back to the server they visited the last time. The client table has a number of slots (default 2048, settable through command-line arguments). When the table is full, the least recently used one will be thrown out to make room for the new one.

This is superior to a simple round-robin algorithm, which sends a client that connects repeatedly to different servers. Doing so breaks applications that maintain state between connections in the server, including most modern web applications.

When pen detects that a server is unavailable, it scans for another starting with the server after the most recently used one. That way we get load balancing and "fair" failover for free.

Correctly configured, pen can ensure that a server farm is always available, even when individual servers are brought down for maintenance or reconfiguration. The final single point of failure, pen itself, can be eliminated by running pen on several servers, using vrrp to decide which is active.

Refer:

http://siag.nu/pen/

II/Install

This example is based on follwing environmet.

(1) cluster.test.vn [192.168.20.101] Pen Server
(2) www1.test.vn [192.168.20.203] Web Server #1
(3) www2.test.vn [192.168.20.83] Web Server #2

1/Install and configure Pen
[root@ ~]# wget http://dag.wieers.com/rpm/packages/pen/pen-0.17.2-1.el5.rf.i386.rpm
[root@ ~]#rpm -Uvh pen-0.17.2-1.el5.rf.i386.rpm
[root@ ~]#vim /etc/rc.d/init.d/pen

# make scripts

# an example

#!/bin/bash
#
# Pen: Starting Pen
#
# chkconfig: 345 93 92
# description:Simple load-balancer
# processname: pen

. /etc/rc.d/init.d/functions

pen="/usr/local/bin/pen"
lockfile="/var/lock/subsys/pen"
prog="pen"
RETVAL=0

# PID file

PID=/var/run/pen.pid-80

# log file

LOGFILE=/var/log/pen.log

# control port

CONTROL=localhost:10080

# max connections

MAX_CONNECTIONS=500

# port

PORT=80

# number of servers

SERVERS=2

# IP of a server #1

SERVER1=192.168.20.203:80

# IP of a server #2

SERVER2=192.168.20.83:80

start() {
echo -n $"Starting $prog: "
daemon $pen -x $MAX_CONNECTIONS -S $SERVERS -p $PID -l $LOGFILE -C $CONTROL -r $PORT $SERVER1 $SERVER2
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch $lockfile
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
killproc $pen
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f $lockfile
return $RETVAL
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
status)
status $pen
;;
*)
echo "Usage: $prog {start|stop|restart|status}"
exit 1
esac

exit $?

[root@lan ~]#vi /etc/logrotate.d/pen

# an example

/var/log/pen.log { daily copytruncate compress notifempty missingok postrotate /etc/rc.d/init.d/pen restart 2>&1 > /dev/null || true endscript }

[root@lan ~]#chmod 755 /etc/rc.d/init.d/pen
[root@lan ~]#/etc/rc.d/init.d/pen startStarting pen: [ OK ]
[root@lan ~]#chkconfig --add pen
[root@lan ~]#chkconfig pen on

2/Configure a tool that shows status of Pen from web browser.

[root@lan ~]#vi /etc/rc.d/init.d/pen

# line 16: specify html file

WEBFILE=/var/www/html/pen/index.html

PID=/var/run/pen.pid-80 LOGFILE=/var/log/pen.log

# add options

daemon $pen -w $WEBFILE -x $MAX_CONNECTIONS -S $SERVERS -p $PID -l $LOGFILE -C $CONTROL -r $PORT $SERVER1 $SERVER2

[root@lan ~]#cp /usr/local/doc/pen/penstats /usr/local/bin/
[root@lan ~]#vi /usr/local/bin/penstats
#!/bin/sh PENHOME=/home/ulric/Projekt/pen PIDFILE=/var/run/pen.pid-80

# change

WEBFILE=/var/www/html/pen/index.html

# change

# This will make pen save its stats kill -USR1 `cat $PIDFILE` # We don't know how long it will take; wait a few seconds sleep 2 # And display the results echo "Content-type: text/html" echo cat $WEBFILE

[root@lan ~]#/etc/rc.d/init.d/pen restart
Stopping pen:[ OK ]
Starting pen:[ OK ]
[root@lan ~]#chmod 755 /usr/local/bin/penstats
[root@lan ~]#/usr/local/bin/penstats# run
[root@lan ~]#crontab -e

*/1 * * * * /usr/local/bin/penstats

3/Access to Pen server with web browser. A backend server answers normally like below.

a/First Request

b/Second request

4/ Stop httpd on a server now and access to pen server again. Another backend server answers normally like below.

a/ Stop http in 192.168.20.203

b/ Stop http in 192.168.20.83

Note:you need configure Apache listen port 81:

change listen port 80 to 81
Besides Pen can loadbalance other service (FTP,HTTPS,SMTP,POP3...)

pen -l pen443.log -p pen443.pid 192.168.20.101:443
192.168.20.203:443 192.168.20.83:443
(LOAD BALANCE HHTPS)

pen -l pen110.log -p pen110.pid 192.168.20.101:110
192.168.20.203:110 192.168.20.83:110
(LOAD BALANCE POP3)

pen -l pen25.log -p pen25.pid 192.168.20.101:25
192.168.20.203:25 192.168.20.83:25
(LOAD BALANCE SMTP)

pen -l pen21.log -p pen21.pid 192.168.20.101:21
192.168.20.203:21 192.168.20.83:21
(LOAD BALANCE FTP)

Install ClamAV

2009-09-04T17:49:00.000+07:00

[root@lan ~]#yum -y install clamav // (or download clamav and clam-db for install manual)
[root@lan ~]#vim /etc/freshclam.conf

#NotifyClamd /etc/clamd.conf

[root@lan ~]#freshclam // update policy file

[root@lan ~]#clamscan --infected --remove --recursive /home

[root@lan ~]#wget http://www.eicar.org/download/eicar.com

[root@lan ~]#clamscan --infected --remove --recursive .

You will detect and delete virus

INSTALL PROXY WITH ANTIVIRUS AND DB BLACKLIST

2009-09-04T17:02:00.000+07:00

I/INSTAL SQUID PROXY
1/Install and configure squid

[root@lan ~]#yum -y install squid
[root@lan ~]#vi /etc/squid/squid.conf

http_port 8080 acl CONNECT method CONNECT

acl lan src 192.168.0.0/255.255.255.0

// (permit only LAN)

http_access allow localhost

http_access allow lan

// add (permit only LAN)

http_access deny all

visible_hostname test.vn

// add (specify hostname)

# forwarded_for on

forwarded_for off

// add (hide IP address)

header_access Referer deny all

// add

header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all

[root@lan ~]#/etc/rc.d/init.d/squid start
init_cache_dir /var/spool/squid... Starting squid:[ OK ]
[root@lan ~]#chkconfig squid on
II/PROXY WITH ANTI VIRUS

Configure Proxy in order to scan download files to protect from virus. Install clamav first

1/Install clamd

[root@lan ~]#yum -y install clamd ( Or download from http://rpm.pbone.net/)
[root@lan ~]#vim /etc/clamd.conf

LocalSocket /var/run/clamav/clamd.sock //change

[2] Install squidclamav

[root@lan ~]# wget http://www.darold.net/projects/squidclamav/squidclamav-4.0.tar.gz
root@lan ~]#tar zxvf squidclamav-4.0.tar.gz
[root@lan ~]#cd squidclamav-4.0
[root@lan squidclamav-4.0]#./configure
[root@lan squidclamav-4.0]#make
[root@lan squidclamav-4.0]#make install
[root@lan squidclamav-4.0]#cp squidclamav.conf.dist /etc/squidclamav.conf
[root@lan squidclamav-4.0]#cd
[root@lan ~]#vim /etc/squidclamav.conf

proxy http://127.0.0.1:8080/// change ( proxy address )
logfile /var/log/squid/squidclamav.log// change ( log file )
redirect http://www.yahoo.com/// change ( redirect URL )
# squidguard /usr/local/squidGuard/bin/squidGuard
debug 0
force 1
stat 1
clamd_local /var/run/clamav/clamd.sock// change
clamd_ip 127.0.0.1
clamd_port 3310
timeout 60
abort ^.*\.gz$
abort ^.*\.bz2$
abort ^.*\.pdf$
abort ^.*\.js$
abort ^.*\.html$
abort ^.*\.css$
abort ^.*\.xml$
abort ^.*\.xsl$
abort ^.*\.js$
abort ^.*\.ico$
aborti ^.*\.gif$
aborti ^.*\.png$
aborti ^.*\.jpg$
aborti ^.*\.swf$
content ^.*application\/.*$
whitelist .*yahoo\.com

[3] Configurarion of squid

[root@lan ~]#vim /etc/squid/squid.conf

add these 3 lines at the bottom

url_rewrite_access deny localhost
redirect_program /usr/local/bin/squidclamav
redirect_children 15

[root@lan ~]#touch /var/log/squid/squidclamav.log
[root@lan ~]#chown squid. /var/log/squid/squidclamav.log
[root@lan ~]#vim /etc/logrotate.d/squid

add at the bottom

/var/log/squid/squidclamav.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
}

[root@lan ~]#/etc/rc.d/init.d/squid restart
Stopping squid: .............[ OK ]
Starting squid: .[ OK ]

III/PROXY WITH SQUIDGRARD

[1] Install squidguard

[root@lan ~]#yum -y install squidguard [root@lan ~]#mv /etc/squid/squidguard.conf /etc/squid/squidguard.conf.bk
[root@lan ~]#vi /etc/squid/squidguard.conf

// configure like following example

#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/lib/squidguard
logdir /var/log/squidguard

dest dame {

domainlist dame/domains

urllist dame/urls

}
acl {

default {

pass !dame all

redirect http://www.yahoo.com/

}

}

[root@lan ~]#mkdir /var/lib/squidguard/dame
[root@lan ~]#vi /var/lib/squidguard/dame/domains

// write domains you'd like to prohibit to access

yahoo.com
conheotiensinh.blogspot.com

[root@lan ~]#vi /var/lib/squidguard/dame/urls

// writeURLs you'd like to prohibit to access

www.yahoo.com/deny/
conheotiensinh.blogspot.com /

[root@lan ~]#squidGuard -C all// create DB
[root@lan ~]#chown -R squid. /var/lib/squidguard/dame

[root@lan ~]#vim /etc/squidclamav.conf

squidguard /usr/bin/squidguard

// line 42: make valid and change PASS

[root@lan ~]#/etc/rc.d/init.d/squid restart
Stopping squid: .............[ OK ]
Starting squid: .[ OK ]

2/Try to access to Yahoo set as prohibited domain in . Anyway, this redirect setting is an example to show action of this squidGuard, but please make your own original redirect page because it's meaningless to redirect to google like this example.

Cluster Linux Mail Server

2009-09-01T16:54:00.007+07:00

1/Install heart beart for Cluster

Please refer:

http://conheotiensinh.blogspot.com/2009/08/high-availability-http-use-heartbeat.html

http://www.linux-ha.org/

USE Pfsense for load balance or Cluster FailOver(http://conheotiensinh.blogspot.com/2009/09/load-balance-and-cluster-failover.html)

Use Pen for Loadbalance(http://conheotiensinh.blogspot.com/2009/09/load-balance-web-server-use-pen.html)

2/Master-Master Replication With MySQL

1.1 System 1

Hostname: mail.test.vn
IP: 192.168.20.203

1.2 System 2

Hostname: mail1.test.vn
IP: 192.168.20.83

Step 1: MySQL Root Password

Both Systems

Set a password for the MySQL root-user on localhost.

mysqladmin -u root password 123

System 1

Set a password for the MySQL root-user on mail.test.vn.

mysqladmin -u root -h 192.168.20.203 password 123

System 2

Set a password for the MySQL root-user on mail1.test.vn.

mysqladmin -u root -h 192.168.20.83 password 123

Step2:MySQL Replication User

System 1

Create the replication user that System 2 will use to access the MySQL database on System 1.

mysql -u root -p

GRANT REPLICATION SLAVE ON *.* TO 'system'@'%' IDENTIFIED BY '123';
FLUSH PRIVILEGES;
quit;

System 2

Create the replication user that System 1 will use to access the MySQL database on System 2.

mysql -u root -p

GRANT REPLICATION SLAVE ON *.* TO 'system'@'%' IDENTIFIED BY '123';
FLUSH PRIVILEGES;
quit;

Step 3: Open port 3306 for connect

Step 4:MySQL Configuration

In the next two steps we adjust the MySQL configuration on both systems for master-master replication.

System 1

vi /etc/my.cnf

Add the following lines to the section [mysqld]:

server-id = 1
replicate-same-server-id = 0
auto-increment-increment = 2
auto-increment-offset = 1

master-host = 192.168.20.83
master-user = system
master-password = 123
master-connect-retry = 60
replicate-do-db =vmail

log-bin = /var/log/mysql/mysql-bin.log
binlog-do-db = vmail

relay-log = /var/lib/mysql/slave-relay.log
relay-log-index = /var/lib/mysql/slave-relay-log.index

expire_logs_days = 10
max_binlog_size = 500M

Afterwards restart the MySQL server.

/etc/init.d/mysqld restart

System 2

vi /etc/my.cnf

Add the following lines to the section [mysqld]:

server-id = 2
replicate-same-server-id = 0
auto-increment-increment = 2
auto-increment-offset = 2

master-host = 192.168.20.203
master-user = system
master-password = 123
master-connect-retry = 60
replicate-do-db =vmail

log-bin= /var/log/mysql/mysql-bin.log
binlog-do-db =vmail

relay-log = /var/lib/mysql/slave-relay.log
relay-log-index = /var/lib/mysql/slave-relay-log.index

expire_logs_days = 10
max_binlog_size = 500M

Afterwards restart the MySQL server.

/etc/init.d/mysqld restart

Step 5:Export MySQL Dump On System 1

Now we create a dump of the existing database and transfer it to system 2.

mysql -u root -p

Open a second terminal for system 1, create the dump and transfer it to system 2. Don't leave the MySQL-shell at this point - otherwise you'll loose the read-lock.

cd /tmp/
mysqldump -u root -p123 --opt vmail > sqldump.sql
scp sqldump.sql root@192.168.20.83:/tmp/

Afterwards close the second terminal and switch back to the first. Remove the read-lock and leave the MySQL-shell.

UNLOCK TABLES;
quit;

Step 6: Import MySQL Dump On System 2

Time to import the database dump on system 2.

mysqladmin --user=root --password=123 stop-slave
cd /tmp/
mysql -u root -p123 vmail <>

Step 7:System 2 As Master

Now we need information about the master status on system 2.

mysql -u root -p
USE vmail;
FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;

The output should look like this. Note down the file and the position - you'll need both later.

Afterwards remove the read-lock.

UNLOCK TABLES;

At this point we're ready to become the master for system 1. Replace %mysql_slaveuser_password% with the password you choose and be sure that you replace the values for MASTER_LOG_FILE and MASTER_LOG_POS with the values that you noted down at step 5!

CHANGE MASTER TO MASTER_HOST='192.168.20.203', MASTER_USER='system', MASTER_PASSWORD='123', MASTER_LOG_FILE='mysql-bin.000007', MASTER_LOG_POS=30330;

Now start the slave ...

START SLAVE;

quit;

Step 8:System 1 As Master

Open a MySQL-shell on system 1 ...

mysql -u root -p

... and stop the slave.

STOP SLAVE;

At this point we're ready to become the master for system 2. Replace %mysql_slaveuser_password% with the password you choose and be sure that you replace the values for MASTER_LOG_FILE and MASTER_LOG_POS with the values that you noted down at step 7!

CHANGE MASTER TO MASTER_HOST='192.168.20.83', MASTER_USER='system', MASTER_PASSWORD='123', MASTER_LOG_FILE='mysql-bin.000009', MASTER_LOG_POS=28816;

Now start the slave ...

START SLAVE;

quit;

Step 10:Test

create mailbox Test1@test.vn and add in mailist ug@test.vn in system1:192.168.20.203

Check in system 2:192.168.20.83

create mailbox Test2@test.vn and add in mailist ug@test.vn in system2:192.168.20.83

Check in system 1:192.168.20.203

Now i can login 2 Accounts in system1 and system 2

Beside you need replicate other DB:mysql ,policyd, roundcubemail.

Install Linux Mail Server with 5 minutes

2009-08-31T10:01:00.000+07:00

iRedMail is a shell script that lets you quickly deploy a full-featured mail solution in less than 5 minutes on CentOS 5.x and Debian (Lenny) 5.0.1 and Ubuntu (it supports both i386 and x86_64). Its object is to make a Linux mail server installation and configuration simple and easy to use. iRedMail supports both OpenLDAP and MySQL as backends for storing virtual domains and users.This tutorial shows how to use the MYSQL as the backend.

The mail server components: http://code.google.com/p/iredmail/wiki/Main_Components

The discussion forum: http://www.iredmail.org/forum/

1/Preliminary Note

In this tutorial

I use: Hostname mail.test.vn

admin account: Postmaster@test.vn
Mail domain: test.vn
Mail delivery (mailboxes) path: /home/vmail/domains

These settings might differ for you, so you have to replace them where appropriate.

Requirements

Install CentOS 5.x, I suggest to use the minimum install, make sure you don't install Apache, PHP and MySQL. You can remove them with yum if they are installed.Yum is working, because the installation needs to use CentOS source packages.

Installation

Download the iRedMail script:

wget http://iredmail.googlecode.com/files/iRedMail-0.4.0.tar.bz2

tar xjf iRedMail-0.4.0.tar.bz2

Run the script to download all mail server related rpm packages:

Only download packages not shipped within RHEL/CentOS iso files.

cd iRedMail-0.4.0/pkgs/
sh get_all.sh

Run the script to install:

cd ..
sh iRedMail.sh

Step1:welcome page

Step2:Mail delivery (mailboxes) path, all emails should be stored in this directory.

Step3:Choose backend to store virtual domains and virtual users.Note: Please choose the one you are familiar. Here we use MySQL for example.

Step4:Set MySQL account 'root' password.

Step5:Set MySQL account 'vmailadmin' password.Note: vmailadmin is used for manage all virtual domains & users, so that you don't need MySQL root privileges

Step6:Set first virtual domain. e.g. test.vn, botay.com, etc.

Step7:Set admin user for first virtual domain you set above. e.g. postmaster.

Step8:Set password for admin user you set above.

Step9:Set first normal user. e.g. www.
Step10:Set password for normal user you set above.

Step11:Enable SPF Validation, DKIM signing/verification or not.

Step12:Enable managesieve service or not

Step13:Enable POP3, POP3S, IMAP, IMAPS services or not

Step14:Choose your prefer webmail programs

Step15:Choose optional components. It's recommended you choose all.

Step16:If you choose PostfixAdmin above, you need to set a global admin user. It can manage all virtual domains and users.
Step17:If you choose Awstats as log analyzer, you will be prompted to set a username and password

Step18:Set mail alias address for root user in operation system

Step19:drink coffee :D and wait few minutes

Step20:reboot and enjoy

Step21:After reboot .Create Mailbox by postfixadmin

https://mail.test.vn/postfixadmin

After login,I choose Virtual list-> Add Mailbox

Step 22:Create Maillist

I choose Virtual list-> Add Alias

Step23: Test configure and Account

Configure Account use outlook Express check mail

You can use webmail for check mail :https://mail.test.vn/mail/

Other you can create cluster mail server with replication mysql and can configure manual from http://www.postfix.org/

SYNC DATA USE RSYNC

2009-08-28T17:10:00.000+07:00

Configure Rsync to copy files.

Following example based on a environment HostA is [192.168.0.19], HostB is [192.168.0.20].

[1] Install xinetd first. It's necessary on HostA.

[root@www ~]#yum -y install xinetd

[root@www ~]#vi /etc/xinetd.d/rsync

# default: off
# description: The rsync server is a good addition to an ftp server, as it \
# allows crc checksumming etc.
service rsync
{

disable = no// change

socket_type = stream

wait = no

user = root

server = /usr/bin/rsync

server_args = --daemon

log_on_failure += USERID

}

[root@www ~]#/etc/rc.d/init.d/xinetd start
Starting xinetd:[ OK ]
[root@www ~]#chkconfig xinetd on

[2] Config for HostA. This example based on a configuration to copy files under /var/www/html to HostB.

[root@www ~]#vi /etc/rsyncd.conf

[site] // name
path = /var/www/html // copied directory
hosts allow = 192.168.0.20
hosts deny = *
list = true
uid = root
gid = root

[3] Config for HostB.
[root@lan ~]#vi /etc/rsync_exclude.lst

// Write directory or files you don't want to copy.

test
test.txt

[4] Run Rsync.

[root@lan ~]#rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst 192.168.0.19::site /home/backup

// add in cron if you'd like to run rsync.

[root@lan ~]#crontab -e

00 06 * * * rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst 192.168.0.19::site /home/backup

LOAD BALANCE WEB SERVER USE POUND

2009-08-28T15:26:00.001+07:00

This example is based on the environment below.

(1) cluster.test.vn [192.168.0.17] Pound server
(2) www.test.vn [192.168.0.18] Web server #1
(3) www2.test.vn [192.168.0.21] Web server #2

In this example, Pound server listens HTTP requests, and if requests to jpg or gif files come, they are forwarded to (2)'s server, and if requests to files except jpg or gif, they are forwarded to (3)'s server. It's also necessary to set gateway router that HTTP requests are forwared to pound server first.

[1] Install and configure Pound

[root@cluster ~]# yum -y install pound #or you download pound rpm from http://rpm.pbone.net
[root@cluster ~]#useradd -s /sbin/nologin -d /root pound
[root@cluster ~]#vi /etc/pound.cfg

# an example
# see "man pound" if you'd like to know more

#Global settings

# specify user

User "pound"

# specify group

Group "pound"

# log level (max = 5)

LogLevel 1

# send heartbeat ?/per second

Alive 30

# run as a daemon

Daemon 1

# Pound server settings
ListenHTTP

# IP of Pound server

Address 192.168.0.17

# Listen Port

Port 80

End

# Config for backend server #1

# Backend server settings
Service

# listen requests to jpg,gif

URL ".*.(jpg|gif)"

BackEnd

# server's IP

Address 192.168.0.18

# Listen Port

Port 80

End

# Config for backend server #2

Service

# listen requests except the one specified on #1's server

URL ".*"

BackEnd

# server's IP

Address 192.168.0.21

# Listen Port

Port 80

End

[root@cluster ~]#vim /etc/init.d/pound

# an example

#!/bin/bash
#
# pound: Starting Pound
#
# chkconfig: 345 98 91
# description:
HTTP/HTTPS reverse-proxy and load-balancer

# processname: pound

. /etc/rc.d/init.d/functions

pound="/usr/sbin/pound"
lockfile="/var/lock/subsys/pound"
prog="pound"
RETVAL=0

start() {

echo -n $"Starting $prog: "

daemon $pound

RETVAL=$?

echo

[ $RETVAL = 0 ] && touch $lockfile

return $RETVAL

}
stop() {

echo -n $"Stopping $prog: "

killproc $pound

RETVAL=$?

echo

[ $RETVAL = 0 ] && rm -f $lockfile

return $RETVAL

}
case "$1" in

start)

start

;;

stop)

stop

;;

restart)

stop

start

;;

status)

status $pound

;;

*)

echo "Usage: $prog {start|stop|restart|status}"

exit 1

esac

exit $?

[root@cluster ~]#chmod 755 /etc/init.d/pound
[root@cluster ~]#/etc/init.d/pound start
Starting pound: starting...[ OK ]
[root@cluster ~]#chkconfig --add pound
[root@cluster ~]#chkconfig pound on

[2] Verify load baranced or not. Upload jpg or gif file on Web Server #1 and create a html file on webserver #2 that shows a file on Web server #1 .

[root@www ~]#vim /var/www/html/index.html

[3] Access with web browser. Pound works normally.

High Availability HTTP use HeartBeat

2009-08-27T16:01:00.000+07:00

I/ Install heartBeat

I set 2 systems as cluster servers on this example. The environment of 2 systems are like below. They have 2 NICs.

(1) www1.test.vn [eth0:192.168.0.21] [eth1:10.0.0.21]
(2) www2.test.vn [eth0:192.168.0.22] [eth1:10.0.0.22]

[1] Install HeartBeat first. It's necessary to do this on both systems.

[root@www1 ~]# yum -y install heartbeat #install heartbeat by yum
[root@www1 ~]# vi /etc/ha.d/authkey # create certificates

auth 1
1 crc

[root@www1 ~]# chmod 600 /etc/ha.d/authkeys

[2] Config for a server of (1).

[root@www1 ~]# vi /etc/ha.d/ha.cf

crm on

# debug log

debugfile /var/log/ha-debug

# log file

logfile /var/log/ha-log

# the way of output to syslog

logfacility local0

# keepalive

keepalive 2

# deadtime

deadtime 30

# deadping

deadping 40

# warntime

warntime 10

# initdead

initdead 60

# port

udpport 694

# interface and IP address of another Host

ucast eth1 10.0.0.22

# auto failback

auto_failback on

# node name (the name of "uname -n")

node www1.test.vn node www2.test.vn respawn root /usr/lib/heartbeat/pingd -m 100 -d 5s -a default_ping_set

[3] Config for a server of (2). The different point is only the section of ucast.

[root@www1 ~]#vi /etc/ha.d/ha.cf

crm on
debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility local0
keepalive 2
deadtime 30
deadping 40
warntime 10
initdead 60
udpport 694

# interface and IP address of another Host

ucast eth1 10.0.0.21
auto_failback on
node www1.test.vn
node www2.test.vn
respawn root /usr/lib/heartbeat/pingd -m 100 -d 5s -a default_ping_set

[4] Start HeartBeat on both server.

[root@www1 ~]#/etc/rc.d/init.d/heartbeat start
Starting High-Availability services: [ OK ]
[root@www1 ~]# chkconfig heartbeat on

[5] Run crm_mon on both server, then if following result is shown, it's OK, heartbeat running normally. These are Basical configuration of HeartBeat.

[root@www1 ~]# crm_mon -i 3
Defaulting to one-shot mode You need to have curses available at compile time to enable console mode ============ Last updated: Sun Jun 15 05:04:34 2008 Current DC: www2.test.vn (f8719a77-70b4-4e5f-851b-dafa7d65e2d3a2) 2 Nodes configured. 0 Resources configured. ============ Node: www2.test.vn (f8719a77-70b4-4e5f-851b-dafa7d65e2d3a2): online Node: www1.test.vn (2bbd6408-ec01-4b8c-bb8e-20723ee7af3a99): online

II/Configure 2 web servers for cluster. httpd is also needed.

The environment of 2 web servers are like below. And more, I set virual IP address [192.168.0.100].

(1) www1.test.vn eth0:192.168.0.21] [eth1:10.0.0.21]
(2) www2.test.vn eth0:192.168.0.22] [eth1:10.0.0.22]
(3) cluster.test.vn Virtual IP:192.168.0.100]
[1] Configure like below on both Host. if httpd is running, stop it because they are controled by HeartBeat.
[root@www1 ~]#/etc/rc.d/init.d/heartbeat stop
Stopping High-Availability services:[ OK ]
[root@www1 ~]# cd /var/lib/heartbeat/crm
[root@www1 crm]#rm -f cib.xml.*
[root@www1 crm]#vi cib.xml

[root@www1 crm]# cd
[root@www1 ~]# vi /etc/httpd/conf/httpd.conf

[root@www1 ~]# /etc/rc.d/init.d/heartbeat start
Starting High-Availability services: [ OK ]

[2] Run crm_mon after some time passed, then following result is shown, it's OK. httpd is running on primary server.

[root@www1 ~]#crm_mon -i 3
Defaulting to one-shot mode You need to have curses available at compile time to enable console mode ============ Last updated: Sun Jun 15 05:58:18 2008 Current DC: www2.test.vn (f8719a77-70b4-4e5f-851b-dafa7d65e2d3a2) 2 Nodes configured. 1 Resources configured. ============ Node: www1.test.vn (2bbd6408-ec01-4b8c-bb8e-20723ee7af3a99): online Node: www2.test.vn (f8719a77-70b4-4e5f-851b-dafa7d65e2d3a2): online Resource Group: group_apache

ipaddr (heartbeat::ocf:IPaddr): Started www1.test.vn

apache (heartbeat::ocf:apache): Started www1.test.vn

[3] Make test page on both servers and access to virtual IP. Primary server replys normally like below.

[4] Shutdown HeartBeat on primary server and verify if HeartBeat works or not.

[root@www1 ~]# /etc/rc.d/init.d/heartbeat stop
Stopping High-Availability services:[ OK ]

Access to virtual IP address you set, then running server is switched normally like below

[5] Start HeartBeat again on primary server and verify if HeartBeat
works or not.

[root@www1 ~]#/etc/rc.d/init.d/heartbeat start
Starting High-Availability services:[ OK ]

Other we can create cluster for FTP and another service by heartbeat.

Conheotiensinh

Setting Up A High-Availability Load Balancer With HAProxy/Pfsense 2.0.1

Config HAPROXY with PFSENSE version 2.0.1

Query Recipient Windows Active Directory directly

Config Mail Gateway LINUX less than 5 minutes (Anti-spam, Mail Anti-virus,Greylisting).

Config cluster Load balancer layer 7 support SSL with Heatbeat,Nginx and Haproxy

LOADBALANCE WITH MULTI PPPoE INTERFACE IN PFSENSE 2.0

Setting Up A High-Availability Load Balancer HTTPS(With Failover and Session Support) With HAProxy/Keepalived/Stunnel

Setting Up A High-Availability Load Balancer(With Failover and Session Support) With HAProxy/Keepalived

For this howto I set up four Centos systems (minimal installation without gui etc.) with the following configuration:

Load Balancer 2

Web Server 1

Web Server 2

Deploy iptables Cluster using Fwbuilder and Heartbeat

INSTALL IPS(SNORT) WITH EasyIDS and Guardian

Install IDS in Centos with 5 minutes

INSTALL Monit for Monitor System

Install Iredmail use LDAP and Groupware Server use SOGO

Monitor bandwidth with Netflow and PRTG(PFSENSE)

INSTALL MOD SECURITY ModSecurity (Web Application Firewall)

INSTALL hMailServer

VPN IPSEC SITE TO SITE WITH PFSENSE

SETUP VPN(PPTP SERVER) WITH PFSENSE

INSTALL IPS(SNORT) WITH PFSENSE

Install Firewall Cluster Failover(HA) With 5 minutes

Multi WAN / Load Balancing OUTBOUND Use PFSENSE

1/Overview

SMTP Gateway for Multiple Domain Email Gateway with Postfix

Contents

Scope / Purpose

Overview

References / Links

Configuration

/etc/postfix/main.cf

/etc/postfix/master.cf

/etc/postfix/virtual

/etc/postfix/transport

/etc/postfix/relay_recipients

Populating relay_recipients from Active Directory

Hashing Databases

Restarting Postfix

INSTALL SHOREWALL(Configure Iptables easier )

Active Directory/LDAP Virtual Users for RHEL/CentOS 5

Create the Virtual Mail User Account

Postfix Active Directory/LDAP Integration

Dovecot Active Directory/LDAP Integration

LOAD BALANCE AND CLUSTER FAILOVER WEBSERVER(INBOUND)USE PFSENSE

Common Deployments

Features

Redundant Load Balancers Using VRRP

LOAD BALANCE WEB SERVER USE PEN

Install ClamAV

INSTALL PROXY WITH ANTIVIRUS AND DB BLACKLIST

Cluster Linux Mail Server

Please refer:

http://conheotiensinh.blogspot.com/2009/08/high-availability-http-use-heartbeat.html

2/Master-Master Replication With MySQL

1.1 System 1

Step 1: MySQL Root Password

Both Systems

System 1

System 2

System 1

System 2

Step 4:MySQL Configuration

System 1

System 2

Step 5:Export MySQL Dump On System 1

Step 6: Import MySQL Dump On System 2

Step 7:System 2 As Master

Step 8:System 1 As Master

Install Linux Mail Server with 5 minutes

1/Preliminary Note

Requirements

Installation

SYNC DATA USE RSYNC

LOAD BALANCE WEB SERVER USE POUND

High Availability HTTP use HeartBeat