Thursday, December 31, 2009

INSTALL IPS(SNORT) WITH EasyIDS and Guardian

I/Intro

An intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS, for example, operates in-line and inspects all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology.

II/INSTALL

Step 1: Install the IDS as described at http://conheotiensinh.blogspot.com/2009/12/install-ids-in-centos-with-5-minutes.html

Step 2: IPS – Guardian

Guardian is a security program which works in conjunction with Snort to automatically update firewall rules based on alerts generated by Snort.
The updated firewall rules block all incoming data from the IP address of the attacking machine (the machine which caused Snort to generate an alert).
There is also logic in place which prevents blocking important machines, such as DNS servers, gateways, and whatever else you want.

Step 3:

Go to http://www.chaotic.org/guardian/ to download Guardian. The current version as of this writing is version 1.7.
#wget http://www.chaotic.org/guardian/guardian-1.7.tar.gz
#tar -xzvf guardian-1.7.tar.gz
#cd guardian-1.7
#cp guardian.pl /usr/local/bin/
#cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
#cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
#cp guardian.conf /etc/snort/
#touch /etc/snort/guardian.ignore
#touch /etc/snort/guardian.target
#touch /var/log/snort/guardian.log


Step 4:

Edit /etc/snort/guardian.conf and change these variables:

HostIpAddr xxx.xxx.xxx.xxx (the IP address of the Snort host)
Interface ETH01 (the interface Snort monitors)
HostGatewayByte 75 (the last octet of the gateway's address)
Logfile /var/log/snort/guardian.log
AlertFile /var/log/messages
IgnoreFile /etc/snort/guardian.ignore
TargetFile /etc/snort/guardian.target
TimeLimit 86400 (seconds an address stays blocked; 86400 = 24 hours)

Step 5:
Edit /usr/local/bin/guardian_block.sh and change the variables (this script blocks the attacker's IP address and sends an alert mail to test@conheotiensinh.co.cc):


#!/bin/sh
# Called by Guardian as: guardian_block.sh <source-ip> <interface>
source=$1
interface=$2

# Drop everything from the attacking address, both traffic to this host and forwarded traffic
/sbin/iptables -I INPUT -s "$source" -i "$interface" -j DROP
/sbin/iptables -I FORWARD -s "$source" -i "$interface" -j DROP
echo "$source is blocked!" | mail -s "Snort alert is blocked" test@conheotiensinh.co.cc

Step 6:

Edit /usr/local/bin/guardian_unblock.sh and change the variables (this script removes the attacker's IP address from the block rules after the time limit and sends an alert mail to test@conheotiensinh.co.cc):


#!/bin/sh
# Called by Guardian as: guardian_unblock.sh <source-ip> <interface>
source=$1
interface=$2

# Delete exactly the rules guardian_block.sh inserted
/sbin/iptables -D INPUT -s "$source" -i "$interface" -j DROP
/sbin/iptables -D FORWARD -s "$source" -i "$interface" -j DROP

echo "$source was blocked for 24 hours and has now been released" | mail -s "Snort alert is released" test@conheotiensinh.co.cc
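Guardian runs the block script with whatever address it parsed from the alert, so the script itself is the last place to enforce the guardian.ignore protection for DNS servers and gateways mentioned in Step 2. The script below is an added example, not Guardian's own iptables_block.sh: it validates that the first argument is really an IPv4 address, refuses to block loopback or anything listed in guardian.ignore, and only then inserts the DROP rules and sends the alert mail. It expects the same two arguments Guardian passes to guardian_block.sh (source IP, interface); the environment variable names GUARDIAN_IGNORE and GUARDIAN_MAIL and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Guardian's own iptables_block.sh: a block script that
# checks the address Guardian hands it before touching iptables.
# Guardian calls it as: guardian_block.sh <source-ip> <interface>
# GUARDIAN_IGNORE and GUARDIAN_MAIL are names assumed by this example.

IGNORE_FILE=${GUARDIAN_IGNORE:-/etc/snort/guardian.ignore}
ALERT_MAIL=${GUARDIAN_MAIL:-test@conheotiensinh.co.cc}

# valid_ipv4 ADDR: succeeds only for a dotted quad with every octet in 0..255
# (an alert field that is not an address must never reach iptables).
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# in_ignore_list ADDR FILE: succeeds when ADDR is a whole line of FILE.
in_ignore_list() {
    if [ -r "$2" ] && grep -qxF -- "$1" "$2"; then
        return 0
    fi
    return 1
}

# block_rules ADDR IFACE: prints the iptables commands to apply, or prints
# nothing and returns 2 (malformed address) / 3 (protected address).
block_rules() {
    valid_ipv4 "$1" || return 2
    if [ "$1" = 127.0.0.1 ] || in_ignore_list "$1" "$IGNORE_FILE"; then
        return 3
    fi
    printf '/sbin/iptables -I INPUT -s %s -i %s -j DROP\n' "$1" "$2"
    printf '/sbin/iptables -I FORWARD -s %s -i %s -j DROP\n' "$1" "$2"
}

# Real invocation by Guardian: apply the rules, then send the alert mail.
if [ $# -eq 2 ]; then
    if rules=$(block_rules "$1" "$2"); then
        printf '%s\n' "$rules" | sh -e
        echo "$1 is blocked!" | mail -s "Snort alert is blocked" "$ALERT_MAIL"
    else
        logger -t guardian_block "refused to block '$1' on '$2'"
        exit 1
    fi
fi
```

Before wiring it into guardian.conf, run it by hand with an address from guardian.ignore and with something that is not an address (for example 999.1.1.1); both runs must exit 1 and leave iptables -L INPUT -n unchanged, and the refusal shows up in syslog via logger.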

Step 7:

Edit /etc/snort/guardian.target

Add the IP address of the Snort host.

Step 8:
Edit /etc/snort/guardian.ignore


Add 127.0.0.1 (addresses listed in this file are never blocked).

Step 9:

Edit /etc/snort/snort.conf

Uncomment "output alert_syslog: LOG_AUTH LOG_ALERT" so that alerts are written to syslog (/var/log/messages, the AlertFile that Guardian reads), then restart Snort:

service snort restart

Step 10: create the shell script guardian.sh

#————— CUT HERE —————–#

#!/bin/bash
# Start/stop wrapper for Guardian. The grep pattern 'guardian.pl *-c'
# matches the running guardian.pl but not the grep process itself.

start()
{
    export PATH=$PATH:/usr/local/bin
    /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
}

stop()
{
    if ps aux | grep 'guardian.pl *-c' > /dev/null 2>&1; then
        kill $(ps aux | grep 'guardian.pl *-c' | awk '{print $2}')
    else
        echo "Guardian is not running ....."
    fi
}

status()
{
    if ps aux | grep 'guardian.pl *-c' > /dev/null 2>&1; then
        echo "Guardian is running ....."
    else
        echo "Guardian is not running ...."
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        ;;
esac


Step 11:

chmod +x guardian.sh
cp guardian.sh /usr/local/bin/guardian.sh

/usr/local/bin/guardian.sh start

Step 12: test

Scan the Snort host with nmap from another machine and check that the scanning machine gets blocked (see /var/log/snort/guardian.log and the alert mail):

#nmap -v -sS xxx.xxx.xxx.xxx


Besides iptables, you can use EasyIDS as an IPS with other firewalls (FreeBSD with IPFW, Check Point, PIX, ...) by copying the block rules to the firewall over SSH.


Reference: http://www.chaotic.org/guardian/



Tuesday, December 29, 2009

Install IDS in Centos with 5 minutes



I/Intro

An intrusion detection system (IDS) is a device (or application) that monitors network and/or system activities for malicious activities or policy violations. Installing an IDS by hand is laborious (you need to install Snort, an HTTP server, MySQL and so on), but with EasyIDS the installation is much easier.

II/Install

Step 1: download the EasyIDS ISO from http://sourceforge.net/projects/easyids/files/

Step 2: install it like a CentOS installation (EasyIDS 4.0 runs on CentOS 5.4)

Step 3: configure the IP address of the network card

Step 4: To access the EasyIDS GUI, browse to https://IPADDRESS from another computer and log in with the username admin and the password password.

Step 5: run a test attack against EasyIDS and check the status in the EasyIDS GUI

Besides that, you can use EasyIDS as an IPS (Intrusion Prevention System) with iptables and Guardian. I will cover that later


Thanks

Friday, December 4, 2009

INSTALL Monit for Monitor System

I/INTRO

Monit is a free open source utility for managing and monitoring processes, files, directories and filesystems on a UNIX system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.

II/INSTALL

Step 1:Install monit

#wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
#rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
#yum install monit
#chkconfig --levels 235 monit on

Step 2: configure Monit

Edit /etc/monit.d/monitrc:
set daemon 60
set logfile syslog facility log_daemon
set mailserver localhost                            # mail server
set mail-format { from: monit@server1.example.com }
set alert root@localhost                            # alert the admin at root@localhost
set httpd port 2812 and
    SSL ENABLE
    PEMFILE /var/certs/monit.pem
    allow admin:test

Some example monit checks:

*check host CUIBAP with address 19.16.12.32
if failed icmp type echo with timeout 20 seconds then alert
(host check: if the host does not answer an ICMP echo within 20 seconds, monit mails an alert to the admin)

*check host CONHEO with address 132.163.193.3
if failed port 25 with timeout 30 seconds then alert
(SMTP service check: if port 25 does not respond within 30 seconds, monit mails an alert to the admin)

*check process sshd with pidfile /var/run/sshd.pid
start program "/etc/init.d/sshd start"
stop program "/etc/init.d/sshd stop"
if failed port 22 protocol ssh then restart
if failed port 22 protocol ssh then alert
if 5 restarts within 5 cycles then timeout
(SSH service check: if it is down, monit restarts it automatically; process checks like this only work for services on the local host)

Step 3: access the monit web interface on port 2812 (user admin, password test, as configured above)


Thursday, December 3, 2009

Install Iredmail use LDAP and Groupware Server use SOGO

I/INTRO

In a previous post I showed you how to install iRedMail with MySQL as the backend: http://conheotiensinh.blogspot.com/2009/08/install-linux-mail-server-with-5.html. Today I will show you how to install iRedMail with LDAP as the backend (and configure iRedAdmin for mailbox administration; if you use MySQL as the backend, use postfixadmin instead). Besides that, I will show how to install and configure the SOGo groupware server.

*SOGo is groupware server with a focus on scalability and open standards.

*SOGo provides a rich AJAX-based Web interface and supports multiple native clients through the use of standard protocols such as CalDAV, CardDAV and GroupDAV.

*SOGo is the missing component of your infrastructure; it sits in the middle of your servers to offer your users a uniform and complete interface to access their information. It has been deployed in production environments where thousands of users are involved.


II/INSTALL

1/Install iRedMail as normal, but attention! Choose LDAP as the backend and set the password of the postmaster account.


2/Install and config iRedAdmin

By default, after the install finishes you can use phpLDAPadmin to administer mailboxes, but it is very hard to configure.

Step 1: install the packages iRedAdmin needs

#yum install python-setuptools.noarch MySQL-python.i386 \
gcc.i386 gcc-c++.i386 openssl-devel.i386 python-devel.i386 \
openldap-devel.i386

#easy_install web.py Jinja2 python-ldap==2.3.8 netifaces
#rpm -ivh http://www.iredmail.org/yum/rpms/5/mod_wsgi-2.5-2.ired.i386.rpm



Step 2: download iRedAdmin from http://iredmail.googlecode.com/files/iRedAdmin-0.1.1.tar.bz2 (you need to buy a license for the full version, because the open source version can only create mailboxes, not mail lists; you can, however, create mail lists with phpLDAPadmin)
Step 3: copy iRedAdmin to /var/www/ and set the correct file permissions
Step 4:
$ tar xjf iRedAdmin-0.1.1.tar.bz2 -C /var/www/
$ cd /var/www/

$ chown -R root:root iRedAdmin-0.1.1
$ chmod -R 0755 iRedAdmin-0.1.1

$ ln -s iRedAdmin-0.1.1 iredadmin


Step 5: add the Apache configuration file /etc/httpd/conf.d/iredadmin.conf:

AddType text/html .py
Order deny,allow
Allow from all

Step 6:
Edit /etc/httpd/conf.d/ssl.conf to make iRedAdmin accessible via HTTPS. Add the lines below inside the SSL virtual host, before its closing tag:

WSGIScriptAlias /iredadmin /var/www/iredadmin/iredadmin.py/
Alias /iredadmin/static /var/www/iredadmin/static/

Step 7:restart apache

/etc/init.d/httpd restart

Step 8:
Create the MySQL database iredadmin and grant privileges

$ mysql -uroot -p
mysql> CREATE DATABASE iredadmin DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
mysql> USE iredadmin;
mysql> SOURCE /var/www/iredadmin/docs/samples/iredadmin.sql;
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON iredadmin.* TO iredadmin@localhost IDENTIFIED BY '123';
mysql> FLUSH PRIVILEGES;

Step 9: configure iRedAdmin

$ cd /var/www/iredadmin/
$ cp settings.ini.sample settings.ini


Edit settings.ini and set the variables for your setup


$ chmod -w settings.ini

Step 10: access iRedAdmin at https://your_server_ip_address/iredadmin/

3/Install and config SOGO

Step 1: create a yum repository for SOGo
Create the file /etc/yum.repos.d/inverse.repo with this content:

[RHEL5]
name=Inverse SOGo Repository
baseurl=http://inverse.ca/downloads/SOGo/RHEL5/$basearch
gpgcheck=0

Step 2: install SOGo

#yum install sogo
#yum install sope49-gdl1-postgresql
(you can use MySQL or Oracle instead of PostgreSQL)

Step 3: SOGo requires a relational database system to store appointments, tasks and contact information; it also uses the database to store the personal preferences of SOGo users. You need to create the database and grant permissions on it.

Step 4: edit /home/sogo/GNUstep/Defaults/.GNUstepDefaults as shown in the image

Step 5: install the add-ons for Thunderbird from
http://www.sogo.nu/fr/downloads/frontends.html


Step 6: configure Thunderbird


If you only use the SOGo Connector plug-in, you can still easily access your data.
To access your personal address book:
Choose Go > Address Book. Choose File > New > Remote Address Book.
Enter a meaningful name in the Name field.

Type the following URL in the URL field: http://localhost/SOGo/dav/u1/Contacts/personal/ and click OK.
To access your personal calendar:
Choose Go > Calendar.
Choose Calendar > New Calendar.
Select On the Network and click Continue. Select CalDAV.
Type the following URL in the URL field: http://localhost/SOGo/dav/u1/Calendar/personal/ and click Continue.

Step 7: test: create a calendar entry in the web interface; it is automatically synced to Thunderbird

Wednesday, December 2, 2009

Monitor bandwidth with Netflow and PRTG(PFSENSE)

I/Intro

*NetFlow Analyzer is a web-based (no hardware probes) bandwidth monitoring, network forensics and network traffic analysis tool that has been optimizing thousands of networks across varied industries for peak performance and helping them to put their bandwidth to better use. NetFlow Analyzer is a NetFlow, sFlow, J-Flow (and more) collector, analyzer and reporting engine integrated together. With close to 4000 enterprises using NetFlow Analyzer for in-depth visibility into their network traffic and its patterns, NetFlow Analyzer continues to earn the trust of more users by giving business knowledge of real-time network behavior and how traffic impacts the network's overall health.

*PRTG Traffic Grapher is an easy to use Windows software for monitoring and classifying bandwidth traffic usage. It provides system administrators with live readings and long-term usage trends for their network devices. The most common usage is bandwidth management, but you can also monitor many other aspects of your network like memory and CPU utilizations.

II/Install

Step 1: install pfSense as normal

Step 2: install the pfflowd service (System > Packages, choose pfflowd and click the "+" icon)

Step 3: configure the pfflowd service in pfSense (Services > pfflowd) as shown in the image, with Host set to the address of the machine where NetFlow Analyzer is installed, and click Save

Step 4: configure the SNMP service for PRTG (Services > SNMP, check Enable as shown in the image)

Step 5: install PRTG and NetFlow Analyzer.

Download PRTG: http://www.paessler.com/prtg6/download
NetFlow Analyzer: http://www.manageengine.com/products/netflow/download.html

Both installers run automatically.

Step 6: restart pfSense

Step 7: test
Download something from 172.16.1.3 and check the status in PRTG and NetFlow Analyzer

Thursday, November 26, 2009

INSTALL MOD SECURITY ModSecurity (Web Application Firewall)

I/INTRO

ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella – shielding applications from attacks. ModSecurity supports both branches of the Apache web server.

The module filters, and optionally rejects, incoming requests based on a number of different criteria like CGI variables, HTTP headers, environment variables, and even individual script parameters. mod_security can also create an audit log, storing full request details in a separate file, including POST payloads (the audit feature can be turned on or off on a per-server or per-directory basis).

II/INSTALL


Step 1: install the Microsoft Visual C++ 2008 Redistributable Package (x86) (if you use Apache on Windows).

If you use Linux, you can install from source as follows:

#wget http://www.modsecurity.org/download/modsecurity-apache_2.5.11.tar.gz

#tar -xvzf modsecurity-apache_2.5.11.tar.gz

#cd modsecurity-apache_2.5.11

#./configure;make;make install

You can install it with yum if you use RHEL or CentOS.

Reference: http://www.jasonlitka.com/yum-repository/


Step 2: configure

On Windows, copy libxml2.dll to the bin folder of the Apache installation (the Apache folder on Linux is /etc/httpd/).

Step 3: edit httpd.conf

Uncomment

  LoadModule unique_id_module modules/mod_unique_id.so

Add this line at the bottom of the LoadModule section:
LoadModule security2_module modules/mod_security2.so

Step 4: test by changing the web server's signature with SecServerSignature "IIS/7.5", restarting Apache and checking that the Server header Apache returns now reads IIS/7.5








Thursday, November 19, 2009

INSTALL hMailServer

I/INTRO

hMailServer is a free e-mail server for Microsoft Windows. It's used by Internet service providers, companies, governments, schools and enthusiasts in all parts of the world.

It supports the common e-mail protocols (IMAP, SMTP and POP3) and can easily be integrated with many existing web mail systems. It has flexible score-based spam protection and can attach to your virus scanner to scan all incoming and outgoing email.

Reference: http://www.hmailserver.com/

II/Functionality

1/Services (POP3, SMTP, IMAP)
2/Database support (Microsoft SQL Server, PostgreSQL and MySQL)
3/Webmail (you can use Roundcube, SquirrelMail or AfterLogic WebMail Pro)
4/Security (hMailServer is pre-configured to have high security when it comes to relaying and authentication, so that no one can use your server to send spam messages. It also supports the very popular open source virus scanner ClamAV. Configuring hMailServer to use ClamAV only takes a single click! The server also supports black list servers and other spam-stopping mechanisms such as SPF and MX lookups.)
5/Features
* POP3, SMTP, IMAP
* Virtual domains
* Built-in backup
* SSL encryption
* Anti-spam
* Anti-virus
* Scripting
* Server-side rules
* Multilingual
* Routing
* MX backup
* Multihoming
* SQL backend
* Web administration
* ClamWin
* SpamAssassin
6/Other (hMailServer can use Active Directory accounts)

III/INSTALL

Step 1: download hMailServer from

http://www.hmailserver.com/index.php?page=download

Step 2: install hMailServer (the installer runs automatically)

Step 3: after the install, add your domain (conheotiensinh.co.cc)


Step 4: add accounts; you can use accounts from AD

Step 5: install the web admin and webmail


For an easier install you can use XAMPP (http://www.apachefriends.org/en/xampp.html)


1/Web admin
- Copy the PHPWebAdmin folder from the hMailServer install folder to the htdocs folder of XAMPP
- Set the value of rooturl to the URL where the WebAdmin will be accessed.

Example:
$hmail_config['rooturl'] = "http://localhost/PHPWebAdmin/";



2/Webmail
a/Use SquirrelMail
Download it from http://www.squirrelmail.org/download.php. In your mail folder you will find a config folder with a file named config_default.php. Rename config_default.php to config.php and edit it:

$domain = "localhost";
$smtpServerAddress = "localhost"; // your hMailServer address
$imapServerAddress = "localhost"; // your hMailServer address
$imap_server_type = "hmailserver";
$data_dir = "C:/xampp/htdocs/mail/data/";
$attachment_dir = "C:/xampp/htdocs/mail/attach/";

b/Use Roundcube (recommended)
- Download from http://roundcube.net/
- Create the database roundcubemail from phpMyAdmin
- Rename "db.inc.php.dist" to "db.inc.php" and "main.inc.php.dist" to "main.inc.php" in the config folder of Roundcube
- Edit "db.inc.php" and change the line "$rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';" to "$rcmail_config['db_dsnw'] = 'mysql://root:@localhost/roundcubemail';"
- Access http://localhost/roundcubemail/installer and configure it


c/Use AfterLogic WebMail Pro (not recommended: you have to buy a license)

- Download from http://www.afterlogic.com/

- Access http://your_webmail_web_address/adminpanel/install.htm; the installer runs automatically

Friday, November 13, 2009

VPN IPSEC SITE TO SITE WITH PFSENSE

I/INSTALL


Install pfSense at both sites with the following addressing:


Site 1:
Outside IP: 192.168.20.203/24
Outside Gateway: 192.168.20.254
Inside network: 172.16.1.0/16

Site 2:
Outside IP: 192.168.20.83/24
Outside Gateway: 192.168.20.254
Inside network: 172.16.10.0/24



Step 1: Install pfSense and set the local IPs on both firewalls.

Step 2: Logon to the web interface for pfsense on each box and assign the WAN addresses.

Step 3: Enable IPSEC (VPN->IPSEC->Enable IPSec). Do this on both firewalls.

Step 4: Add a tunnel on Site 1’s firewall to Site 2 by adding a tunnel and changing only the following items:
* Remote Subnet: 172.16.10.0/24
* Remote Gateway: 192.168.20.83
* Phase 1 Lifetime: 28800
* PreShared Key: conheotiensinh
* PFS Key Group: 2
* Phase 2 Lifetime: 3600

Step 5: Add a tunnel on Site 2’s firewall to Site 1 by adding a tunnel and changing only the following items:
* Remote Subnet: 172.16.1.0/16
* Remote Gateway: 192.168.20.203
* Phase 1 Lifetime: 28800
* PreShared Key: conheotiensinh
* PFS Key Group: 2
* Phase 2 Lifetime: 3600

Step 6: "Apply Changes”

Step 7: Allow Authentication Header (TCP/51) and ISAKMP (UDP/500) with firewall rules so that IPsec can pass. Firewall->Rules: WAN tab.
Rule 1
* Source IP: Any
* Destination IP: WAN Address
* Protocol: TCP
* Port: 51

Rule 2
* Source IP: Any
* Destination IP: WAN Address
* Protocol: UDP
* Port:500

Do this on both firewalls and Apply Changes when prompted

Step 8: Allow all traffic to pass through the IPSEC tunnel. Firewall->Rules : IPSEC Tab
Rule
* Source IP: Any
* Destination IP: Any
* Protocol: Any
* Port Range: Any

II/TEST

Ping from a host in the site 1 LAN to a host in the site 2 LAN and from site 2 to site 1 to test the connection.

Tuesday, November 10, 2009

SETUP VPN(PPTP SERVER) WITH PFSENSE

I/INTRO


PPTP works by sending a regular PPP session to the peer with the Generic Routing Encapsulation (GRE) protocol. A second session on TCP port 1723 is used to initiate and manage the GRE session. PPTP is difficult to forward past a network firewall because it requires two network sessions. As such, firewalls are unable to let pass this traffic flawlessly, resulting in an inability to connect.

II/ INSTALL

Install pfSense with two interfaces:

WAN interface: 192.168.20.203
LAN interface: 172.16.1.1

Step 1: enable the PPTP server (VPN > PPTP) and set it up as shown in the image




*Redirect incoming PPTP connections to: if checked, incoming connections are redirected to another PPTP server (for example a Windows PPTP server)
*Use a RADIUS server for authentication: use accounts from RADIUS (AD, FreeRADIUS, ...)

Step 2: create accounts for VPN access (click the Users tab)

Step 3: create a rule allowing the PPTP VPN zone to access the Internet


Step 4: connect to PPTP at IP 192.168.20.203 and test the connection

Monday, November 9, 2009

INSTALL IPS(SNORT) WITH PFSENSE

I/INTRO

pfSense uses Snort as its IPS. (Used by Fortune 500 companies and governments, Snort is the most widely deployed IDS/IPS technology worldwide. It features rules-based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more.)

II/INSTALL

In this lab we set up the network as follows:

WAN interface: 192.168.20.203
LAN interface: 172.16.1.1



STEP 1: install pfSense with the addresses above
STEP 2: install Snort (the package is available from System > Packages; install only SNORT or SNORT_DEV, never both. It is strongly suggested you get a paid subscription from www.snort.org so that you can download the latest rules.)
STEP 3: after the install is done, configure Snort (Services > Snort): click the Settings tab and configure as shown in the image



Notes:

Block offenders: pfSense will automatically block hosts that generate a Snort alert
Remove blocked hosts every: blocked hosts are automatically removed from the Blocked tab after this interval
Oinkmaster code: you need to register an account at Snort.org or buy a subscription (http://www.snort.org/vrt/buy-a-subscription/; subscribers get the latest rule updates 30 days earlier than registered users)


Step 4: click the Update Rules tab (please wait about 4-10 minutes)

Step 5: test before the attack (ping the external IP)


Step 6: use the SuperScan tool to scan the external IP and check the Blocked tab


Step 7: access the external IP again

Step 8: delete the attacker's IP from the Blocked tab and test again


Besides this, you can block Skype, Yahoo, P2P and so on with pfSense and Snort. I will cover that later

Tuesday, October 13, 2009

Install Firewall Cluster Failover(HA) With 5 minutes

I/ Intro

Setup Firewall Cluster Failover(HA) with 5 minutes




II/INSTALL

Step 1: set up two firewalls with the following addressing:

firewall 1 (MASTER): LAN: 172.16.1.1, SYNC: 192.168.188.1 (crossover cable), WAN

firewall 2 (SLAVE): LAN: 172.16.1.2, SYNC: 192.168.188.2 (crossover cable), WAN


Step 2: create the virtual IP on fw1 and fw2 (Firewall > Virtual IP)

Step 3: configure synchronization between the firewalls (rules, NAT, ...)

On the MASTER (Firewall > Virtual IP, tab CARP Settings):

+check all boxes
+Synchronize Interface: SYNC
+Synchronize to IP: 192.168.188.2
+Remote System Password: the pfSense admin password of the system you synchronize to

On the SLAVE (Firewall > Virtual IP, tab CARP Settings):

+only check Synchronize Enabled
+Synchronize Interface: SYNC

Step 4: don't forget to add a rule on the SYNC interface so that the MASTER can connect to the SLAVE and the SLAVE to the MASTER

Step 5: check the status on MASTER and SLAVE



Step 6: test: create a rule on the MASTER; it is automatically copied to the SLAVE

Step 7: test failover: shut down the MASTER; the SLAVE takes over as MASTER (with a delay of about 1 ms)

Multi WAN / Load Balancing OUTBOUND Use PFSENSE

1/Overview

This setup enables pfSense to load balance traffic from your LAN to multiple internet connections (WANs). Traffic from the LAN is shared out on a round robin basis across the available WANs. pfSense monitors each WAN connection, using an IP address you provide, and if the monitor fails, a failover configuration is used, this typically just feeds all traffic down the other connection(s). This example sets up 2 WANs, but 3 or more can be used.

2/Intro

You can use other load-balancing devices, but they are very expensive for your company (including my company). pfSense can be deployed in companies of any size, from small to large (< 500 users).


3/Install

Set up pfSense with three interfaces:

LAN: 172.16.1.1

WAN1: 192.168.20.204

WAN2: 172.16.10.1




Step 1: create a pool containing wan1 and wan2 (Services > Load Balancer)




Step 2: create a rule for LAN access to the Internet via the pool wan1&wan2



Step 3: check the pool status (Status > Load Balancer)

Step 4: disconnect line 1, then check Internet access and the pool status

Step 5: reconnect line 1 and disconnect line 2, then check Internet access and the pool status
Alternatively you can set up a pfSense cluster failover. I will cover that later

Wednesday, October 7, 2009

SMTP Gateway for Multiple Domain Email Gateway with Postfix

Scope / Purpose

This article walks through the setup of an email gateway for multiple domains that rejects unknown email addresses and uses a script to query the valid email addresses from Active Directory.



Overview

This article describes the rationale and the setup of an external email firewall/gateway server with Postfix, a secure, high performance, and easily configurable alternative SMTP server to Sendmail.

The most common reason for this is to improve security (this applies even if you're not running Exchange). Since the email gateway theoretically only exposes its SMTP port and does not store any emails, even in the (ideally unlikely) event that it is compromised, any sensitive or valuable data is held elsewhere. The worst that could happen is that the attacker obtains a list of valid email addresses for your domain(s). It can also be used for offloading services from your main email server: tasks like rejecting and filtering spam, greylisting, scanning for viruses, avoiding unnecessary bandwidth use, etc.

There are "articles" on the Internet that make references to simply using the "relayhost = internalsmtp.test.vn" directive. The problem with this setup is that since the external email gateway knows nothing about the internal addresses (even when configured to only accept email to @test.vn), it has to accept and forward everything and depend on the internal host to handle rejecting and bouncing messages. This might be acceptable, except if/when your domain becomes the target of a flood of spam or viruses to invalid/generated email addresses. Especially since the source and reply-to addresses of these emails are typically spoofed, each message ends up being accepted at the email gateway, forwarded to your internal server, rejected and relayed back to your email gateway, queued by the email gateway for delivery, retried repeatedly until it exceeds the nominal timeout, then bounced back to the email admin account on your internal email server. Lather, rinse and repeat that for every single message and it should be clear why you should never just use the "relayhost" directive to do this.

The "correct(tm)" way to do this is to set up the email gateway so that it has knowledge of valid email addresses. That way, any address that doesn't exist is immediately rejected before the email gateway even gets to accept the data. This is important enough to be worth being redundant: rejecting unknown addresses not only avoids the whole loop described above, but also avoids tying up your bandwidth receiving whatever data would have been sent.

References / Links

Basically, this article is a restatement of the Postfix email firewall/gateway example found in Postfix.org's online configuration examples.


Configuration

This article will not cover the compiling or installation of Postfix as it's generally available or easily installed for most distributions.


/etc/postfix/main.cf

As the name implies, this is the main configuration file for Postfix. One main attribute with Postfix is that the defaults generally default to something sensible, so that for the most part, outside of the parameters that need to be customized to your setup, they can be completely omitted in main.cf.

Hint: The command below will show the configuration directives that have been altered from default.

 postconf -n

Since this is an email gateway only meant to forward email, disable local mail delivery with the following (note: setting a configuration directive to empty disables it):

mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

Normally, emails that originate from a host will have a from address in the form of username@hostname.test.vn. However, since the email gateway cannot receive mail for local users (as disabled above), you need to set the originating domain to something sensible:

myorigin = test.vn

mynetworks = define which networks are allowed to relay mail through this host. Although it's meant for internal networks to be able to relay mail without having to authenticate, it can be used (abused) to include external IP addresses or networks. However, the proper solution is to set up your Postfix installation to do SASL authentication:

mynetworks =
    127.0.0.0/8,
    192.168.20.0/24

The section below prevents addresses such as username@subdomain.test.vn from matching. Explicitly define the domains you wish to accept using relay_domains below.

parent_domain_matches_subdomains =
    debug_peer_list,
    smtpd_access_maps

relay_domains = define domains for which the email gateway will accept emails.

relay_domains =
    test1.vn,
    test2.vn,
    subdomain.test.vn

smtpd_recipient_restrictions = controls what the Postfix server will accept during the RCPT TO command.

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

transport_maps = holds the mappings between domains and the SMTP server where the mail gets forwarded. See /etc/postfix/transport for details.

transport_maps = hash:/etc/postfix/transport

relay_recipient_maps = points to a file that lists all of the email addresses for which the email gateway will accept mail. See /etc/postfix/relay_recipients.

relay_recipient_maps = hash:/etc/postfix/relay_recipients

show_user_unknown_table_name = controls whether Postfix returns "User unknown in relay recipient table" (default - useful for debugging only) or "User unknown" (when set to no). This configuration directive is only used in conjunction with relay_recipient_maps.

show_user_unknown_table_name = no

Even though local mail delivery is disabled, the email gateway is still supposed to accept emails to postmaster and abuse. To do so, define a virtual alias map (we'll populate the values later). See /etc/postfix/virtual for details.

virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/master.cf

This file basically defines services that Postfix will provide. To completely disable local mail delivery, edit /etc/postfix/master.cf and insert a # symbol in front of the local service definition:

#local     unix  -       n       n       -       -       local

/etc/postfix/virtual

In a typical setup, /etc/aliases is used to forward mail to other accounts or external addresses. However, since local mail delivery is disabled, modifying /etc/aliases has no effect. This file holds the alias mappings between local addresses and actual email addresses. Note: this is only necessary because there is no local mail delivery, and some "local" addresses ought to exist for technical correctness.

postmaster      postmaster@test.vn
abuse           abuse@test.vn
root            guru@test.vn

Actually, you can use this file for more than local addresses. You can forward emails from ex-users to their new email addresses, create simple distribution lists, copy an email to another user, etc.

virtualuser@test.vn     actualuser@test1.vn
distribution@test.vn    user1@test.vn,user2@test.vn,user3@test.vn
ex_user@test2.vn        forwarding_address@dom.ain
user@test.vn            user@test.vn,spy@test.vn

/etc/postfix/transport

This file defines the relationship between domains and the server(s) where mail is forwarded.

test1.vn              smtp:insidesmtp.test.vn
test2.vn              smtp:insidesmtp.test.vn
subdomain.test.vn     smtp:insidesmtp.test.vn

/etc/postfix/relay_recipients

This file folds a complete list of email address for which the email gateway will accept mail. Even though you have to enter the values as a pair (key & value), the second part (the value) doesn't actually matter as long as the email addresses are correct.

 user1@test1.vn OK
user2@test1.vn OK
user1@test2.vn OK
user2@test2.vn OK
user1@subdomain.test.vn OK
user2@subdomain.test.vn OK
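As an added check (example script, not from the original post): the gateway accepts mail only for addresses listed in relay_recipients and forwards it according to transport, so an address whose domain has no transport entry is accepted and then fails to route. The function below reports such entries; file paths are arguments, the sample data is constructed from the page's domains with the subdomain.test.vn transport entry deliberately left out, and only exact domain matches are considered.

```shell
#!/bin/sh
# Added example, not from the original post: make sure every address in
# relay_recipients belongs to a domain that has a transport entry, so the
# gateway never accepts mail it cannot forward (which would bounce later
# and generate backscatter). Exact-domain match only, as in the page's files.

# Print the domain column of a transport file, skipping blanks and comments.
transport_domains() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Usage: check_relay_recipients RELAY_FILE TRANSPORT_FILE
# Prints each address whose domain has no transport entry; exits 1 if any.
check_relay_recipients() {
    transport_domains "$2" | awk -v rr="$1" '
        { domains[$1] = 1 }                 # stdin: the transport domains
        END {
            bad = 0
            while ((getline line < rr) > 0) {
                sub(/^[ \t]+/, "", line)
                if (line ~ /^(#|$)/) continue
                split(line, f, /[ \t]+/)    # f[1] = address, f[2] = "OK"
                n = split(f[1], p, "@")
                if (n != 2 || !(p[2] in domains)) { print f[1]; bad++ }
            }
            exit (bad > 0)
        }'
}

# Constructed sample data (the page's domains), written to a temp directory.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'test1.vn smtp:insidesmtp.test.vn' \
                  'test2.vn smtp:insidesmtp.test.vn' > "$dir/transport"
    printf '%s\n' 'user1@test1.vn OK' 'user2@test2.vn OK' \
                  'user1@subdomain.test.vn OK' > "$dir/relay_recipients"
    if check_relay_recipients "$dir/relay_recipients" "$dir/transport"; then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$dir"
    return $rc
}

demo || echo "relay_recipients contains addresses with no transport entry"
```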

Populating relay_recipients from Active Directory

Note that this script requires Perl and Net::LDAP (install the perl-ldap package with yum). However, it does NOT have to run on the email gateway itself. The variables at the top of the script are:

$VALID = "/etc/postfix/relay_recipients";
$dc1="dc1.test.vn";
$dc2="dc2.test.vn";
$hqbase="cn=Users,dc=test,dc=vn";
$user="cn=user,cn=Users,dc=test,dc=vn";
$passwd="password";

  • Note that if you have email distribution lists that need to be externally accessible, you will also need the contents of:

$hqbase="ou=Exchange Distribution Lists,dc=test,dc=vn";

Hashing Databases

Postfix uses the db hash format by default. For this setup, we need to create the hashed db files by executing:

postmap hash:/etc/postfix/virtual
postmap hash:/etc/postfix/transport
postmap hash:/etc/postfix/relay_recipients

Note: remember to rerun the above commands every time the contents of those files change.


Restarting Postfix

The preferred way of getting Postfix to reload its configuration files is simply to execute:

postfix reload

You can also create a script that runs every hour (from cron) to refresh relay_recipients from Active Directory:

#!/bin/sh
# refresh relay_recipients from Active Directory, then rebuild the hash map
cd /etc/postfix && ./getadsmtp.pl && postmap relay_recipients


If you have any problem with the Perl script, please send mail to:
conheotiensinh@yahoo.com.

Tuesday, September 29, 2009

INSTALL SHOREWALL(Configure Iptables easier )

I/INTRO

Shorewall (more appropriately the Shoreline Firewall) is an open source firewall tool for Linux that builds upon the Netfilter (iptables/ipchains) system built into the Linux kernel, making it easier to manage more complex configuration schemes.

Using an analogy understandable to programmers: Shorewall is to iptables, what C is to assembly language. It provides a higher level of abstraction for describing rules using text files.


II/INSTALL

1/ Download all the Shorewall *.rpm packages (from http://rpm.pbone.net/; if you use Fedora you can use yum instead) and install them with the command rpm -ivh *.rpm

2/Configure Shorewall

I configure Shorewall with three interfaces and three zones: net, DMZ and local.

2.1/ In file /etc/shorewall/zones add all lines

fw firewall
net ipv4 #
loc ipv4 #
dmz ipv4 #
2.2/ In file /etc/shorewall/interfaces add all lines

net eth1 #interface of zone net
loc eth0 #interface of zone loc
dmz eth2 #interface of zone dmz

2.3/ In file /etc/shorewall/masq add all lines (this file is used for outbound NAT)

eth1 192.168.100.0/24 172.21.1.16
eth1 192.168.111.0/24 172.21.1.16

192.168.100.0/24 is the subnet of zone loc, 192.168.111.0/24 is the subnet of zone dmz, and 172.21.1.16 is the external address of the firewall.

2.4/ In file /etc/shorewall/policy add all lines

loc net REJECT info
net all DROP info
all all REJECT info
$FW net REJECT info
dmz net REJECT info
dmz loc REJECT info
loc dmz REJECT info
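Added example, not part of the original post: Shorewall applies policy entries in order and uses the first match, so any entry listed after a catch-all "all all" line can never take effect. The function below lists such shadowed entries, using the policy entries above as constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original post: report policy entries that are
# shadowed by an earlier catch-all "all all" entry in a Shorewall policy file.

# Usage: shadowed_policies POLICY_FILE
# Prints every entry after the first "all all" line; exits 1 if any exist.
shadowed_policies() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        seen_catchall  { print; n++; next }   # anything after the catch-all
        $1 == "all" && $2 == "all" { seen_catchall = 1 }
        END { exit (n > 0) }
    ' "$1"
}

# Constructed sample: the policy entries from the post, in the order given.
demo() {
    f=$(mktemp)
    printf '%s\n' 'loc net REJECT info' 'net all DROP info' \
        'all all REJECT info' '$FW net REJECT info' 'dmz net REJECT info' \
        'dmz loc REJECT info' 'loc dmz REJECT info' > "$f"
    if shadowed_policies "$f"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$f"
    return $rc
}

demo || echo "the entries above are shadowed; move the 'all all' policy last"
```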


2.5/ In file /etc/shorewall/rules add all lines

ACCEPT loc net tcp 80,443,25,110,53 #permit local -> internet for HTTP, HTTPS, SMTP, POP3, DNS
ACCEPT loc net udp 53
ACCEPT loc net icmp echo-request #permit ping local -> internet
ACCEPT loc fw tcp 2822 #permit SSH access to the firewall; for security I changed the SSH port
DNAT net dmz:192.168.111.2 tcp 80,443,110,25,995,465 #inbound NAT so the internet can reach HTTP, HTTPS, POP3, SMTP, POP3S, SMTPS


Change STARTUP_ENABLED=No to STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf

Start Shorewall with the command: shorewall start


For easier configuration you can use Webmin, which provides a web interface for configuring Shorewall.


Thursday, September 17, 2009

Active Directory/LDAP Virtual Users for RHEL/CentOS 5

This guide will show you how to integrate Active Directory/LDAP into Postfix and Dovecot. In this page, you will learn how to enable Postfix to lookup email addresses in LDAP and how to enable Dovecot to authenticate to an LDAP server.

We will be using the following attributes:

  • samaccountname or uid – user name for Active Directory or OpenLDAP respectively.
  • mail – email address. For Active Directory users, you need to fill in the E-mail field of the user.
  • othermailbox – for Active Directory only. We will use this field to store email aliases. Use ADSI Edit to update this field.

Create the Virtual Mail User Account

Since the Active Directory/OpenLDAP user names are not part of the Linux system, we have to create a user that will own all the files belonging to the LDAP user names.


1. Create a new user; we will call it vmail. Change the login shell to /sbin/nologin, since this user account should not be used for logging in.

2. Take note of the User ID and Home Directory of vmail (the examples below use UID 502).

3. Now note down the Group ID of vmail. We will be needing all of them later.

Postfix Active Directory/LDAP Integration


1. Create the file /etc/postfix/ldap-users.cf containing the lines below (Postfix does not support trailing comments on a configuration line, so the note is kept on its own line):

server_host = dc.test.vn
search_base = dc=test,dc=vn
version = 3
query_filter = (&(objectclass=person)(mail=%s))
# result_attribute: the account name from the DC
result_attribute = samaccountname
result_format = %s/Maildir/

If you are connecting to an Active Directory server and would like to have email alias capability, change the query filter to (&(objectclass=person)(|(mail=%s)(othermailbox=%s))) to include the othermailbox field in the search.

Change samaccountname to uid if you will be connecting to an OpenLDAP server instead of Active Directory. If your server requires authentication, add the lines below (the password is a placeholder to replace with the real one):

bind = yes
bind_dn = cn=mailuser,dc=test,dc=vn
bind_pw = <mailuser password>

Active Directory also accepts the UPN form for the bind DN: bind_dn = mailuser@test.vn

2. Test your postfix configuration file by typing in the command

postmap -q cuibap@test.vn ldap:/etc/postfix/ldap-users.cf


If you are querying a Windows 2003 Server and postmap does not seem to work, try enabling the Windows 2003 Active Directory.


3. Edit the Postfix configuration file /etc/postfix/main.cf so that the line below reads:

mydestination = $myhostname, localhost.$mydomain, localhost

and add the lines below

virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /home/vmail/
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:502
virtual_gid_maps = static:502

virtual_mailbox_base, virtual_uid_maps and virtual_gid_maps should contain the home directory, user id and group id of vmail respectively.

Make sure $mydomain in mydestination has been removed, otherwise the lookup will not work and you will get a “User unknown in local recipient table” error.

4. Restart Postfix.

5. You should now be able to send email to addresses found in your LDAP server, using LDAP email addresses instead of the system user names.

Dovecot Active Directory/LDAP Integration

1. Create the file /etc/dovecot-ldap.conf containing the lines below (Dovecot's parameter names are hosts and base, not the server_host and search_base used in the Postfix map, and auth_bind = yes is required for auth_bind_userdn to take effect):

hosts = dc.test.vn
base = dc=test,dc=vn
ldap_version = 3
auth_bind = yes
auth_bind_userdn = test\%u

2. Edit the file /etc/dovecot.conf and change the value of the following keys below

auth_username_format = %Lu

passdb ldap {
args = /etc/dovecot-ldap.conf
}

userdb static {
args = uid=502 gid=502 home=/home/vmail/%u
}

uid, gid and home should contain the user id, group id and home directory respectively of the vmail user account.

3. Restart the dovecot service.