Environment:
CentOS 5.5
Kernel 2.6.18-128.el5
Packages:
Postfix (SMTP)
Saslauthd (SMTP AUTH)
dovecot (POP3)
1.
Check whether sendmail is installed (and remove it)
[root@CentOS ~]# rpm -qa |grep sendmail
sendmail-cf-8.13.8-8.el5
sendmail-8.13.8-8.el5
[root@CentOS ~]# rpm -e sendmail
error: Failed dependencies:
/usr/sbin/sendmail is needed by (installed) redhat-lsb-3.1-12.3.EL.el5.centos.i386
smtpdaemon is needed by (installed) mdadm-2.6.9-3.el5.i386
smtpdaemon is needed by (installed) fetchmail-6.3.6-1.1.el5_3.1.i386
smtpdaemon is needed by (installed) mutt-1.4.2.2-3.0.2.el5.i386
[root@CentOS ~]#rpm -e --nodeps sendmail
2.
Install Postfix (yum)
[root@CentOS etc]# yum install postfix
.......
Configure /etc/postfix/main.cf
[root@CentOS etc]#vi /etc/postfix/main.cf
-------------------modified section------------------
# Postfix mail host name
myhostname = mail.XD.com
# domain name
mydomain = XD.com
# domain used as the origin of locally submitted mail
myorigin = $mydomain
inet_interfaces = all
# destinations this host accepts mail for (mail whose recipient domain matches is delivered locally)
mydestination = $mydomain
# clients allowed to relay
mynetworks = 127.0.0.0/8
-------------------------------------------------
Check whether SASL authentication is installed
[root@CentOS etc]# rpm -qa |grep sasl
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
If SASL is installed, continue with the Postfix main.cf
[root@CentOS etc]#vi /etc/postfix/main.cf
-------------------------added section-------------------------------
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
# Because permit_mynetworks only covers localhost, smtpd_sender_restrictions is used here to make internal senders go through SMTP authentication; smtpd_client_restrictions could achieve the same.
--------------------------------------------------------------------
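An added example (not part of the original post) that audits a main.cf for the three settings this section relies on to keep the server from relaying for strangers: reject_unauth_destination in smtpd_recipient_restrictions, no world-wide entry in mynetworks, and noanonymous in the SASL options. It runs on constructed copies of the post's settings and of a weakened variant; on a live host you would point audit_main_cf at /etc/postfix/main.cf (or at the output of postconf -n).

```shell
#!/bin/sh
# Constructed main.cf fragments (sample data, not the page's real server):
# GOOD_CF carries the settings from this post, BAD_CF a deliberately weak variant.
GOOD_CF=$(mktemp); BAD_CF=$(mktemp)
trap 'rm -f "$GOOD_CF" "$BAD_CF"' EXIT
cat > "$GOOD_CF" <<'EOF'
myhostname = mail.XD.com
mydomain = XD.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $mydomain
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
EOF
cat > "$BAD_CF" <<'EOF'
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
EOF

# cf_get FILE KEY: value of KEY; the last assignment wins, as it does in Postfix
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_main_cf FILE: print one finding per line, return 1 if anything was found
audit_main_cf() {
    cf=$1; rc=0
    # 1. relay gate: without reject_unauth_destination every client may relay.
    #    (The Postfix shipped with CentOS 5 predates smtpd_relay_restrictions, so
    #    smtpd_recipient_restrictions is the only gate on this host.)
    rr=$(cf_get "$cf" smtpd_recipient_restrictions | tr -d ' ')
    case ",$rr," in
        *,reject_unauth_destination,*|*,defer_unauth_destination,*) ;;
        *) echo "open relay risk: smtpd_recipient_restrictions lacks reject_unauth_destination"; rc=1 ;;
    esac
    # 2. mynetworks is trusted unconditionally, so a /0 entry relays for the whole world
    for net in $(cf_get "$cf" mynetworks | tr ',' ' '); do
        case "$net" in
            */0) echo "open relay risk: mynetworks trusts $net"; rc=1 ;;
        esac
    done
    # 3. with SASL on, noanonymous keeps the ANONYMOUS mechanism from counting as authenticated
    if [ "$(cf_get "$cf" smtpd_sasl_auth_enable)" = yes ]; then
        case "$(cf_get "$cf" smtpd_sasl_security_options)" in
            *noanonymous*) ;;
            *) echo "weak auth: smtpd_sasl_security_options does not include noanonymous"; rc=1 ;;
        esac
    fi
    return $rc
}

echo "== settings from this post =="
audit_main_cf "$GOOD_CF" && echo "no findings"
echo "== weakened copy =="
audit_main_cf "$BAD_CF" || echo "findings present"
```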
Check whether dovecot (POP3/IMAP) is installed
[root@CentOS sasl2]# rpm -qa |grep dovecot
dovecot-1.0.7-7.el5
If it is installed, edit the dovecot configuration file
[root@CentOS sasl2]#vi /etc/dovecot.conf
-------------------------------modified section-------------------------
protocols = imap imaps pop3 pop3s
(remove the leading # to uncomment this line)
--------------------------------------------------------------------
Start dovecot
[root@CentOS sasl2]# service dovecot start
Starting Dovecot Imap: [ OK ]
Start SASL authentication
[root@CentOS sasl2]# service saslauthd start
Starting saslauthd: [ OK ]
Start Postfix
[root@CentOS sasl2]# service postfix start
Starting postfix: [ OK ]
Reference:
http://www.spps.tp.edu.tw/documents/memo/postfix/postfix.htm
Thursday, September 16, 2010
Sunday, September 5, 2010
CentOS 5.5 + ChangePassword (lets SAMBA clients change their own password)
Environment:
CentOS 5.5
Kernel 2.6.18-128.el5
Packages:
ChangePassword
Official site: http://changepassword.sourceforge.net/
To use changepassword you will need to have:
- Apache Web Server with cgi-bin enabled (Version 1.3.20 or later)
- GNU GCC (Version 2.95.3 or later)
- glibc (Version 2.2.5 or later)
[root@CentOS ~]#cd /usr/src
[root@CentOS src]#wget http://prdownloads.sourceforge.net/changepassword/changepassword-0.9.tar.gz?download
[root@CentOS src]#tar -xzvf changepassword-0.9.tar.gz
.....
[root@CentOS src]#cd changepassword-0.9
[root@CentOS changepassword-0.9]# ./configure --enable-cgidir=/var/www/cgi-bin --enable-smbpasswd=/etc/samba/smbpasswd --disable-squidpasswd
.......
[root@CentOS changepassword-0.9]#make && make install
Wednesday, September 1, 2010
CentOS 5.5 + Kaspersky Security for Internet Gateway
Environment:
CentOS 5.5(final)
Kernel 2.6.30.5
Packages:
SQUID 3.1.7
(http://www.squid-cache.org/Versions/v3/3.1/)
Kaspersky Security for Internet Gateway 5.5.51
(http://www.t-techftp.com/Products/Kaspersky/Internet_gateway/For_ProxyServer/For_Linux/kav4proxy-5.5-51.i386.rpm)
Kaspersky Security for Internet Gateway 30-day trial key request page
(http://www.kaspersky.com/kaspersky_security_internet_gateway_trial_download)
1. Installing Squid
Download the file to /usr/src/
[root@CentOS src]#wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.7.tar.bz2
Extract squid-3.1.7.tar.bz2
[root@CentOS src]#tar xjf squid-3.1.7.tar.bz2
[root@CentOS src]#cd squid-3.1.7
[root@CentOS squid-3.1.7]#./configure --enable-icap-client --disable-loadable-modules --enable-icap-support
(Without --disable-loadable-modules, the make step below fails with "../libltdl/libltdl/lt_error.h:35:31: error: libltdl/lt_system.h: No such file or directory")
(Without --enable-icap-support, the Kaspersky ICAP server errors out on startup)
[root@CentOS squid-3.1.7]#make && make install
Initialize squid
[root@CentOS squid-3.1.7]#/usr/local/squid/sbin/squid -z
WARNING: Cannot write log file: /usr/local/squid/var/logs/cache.log
/usr/local/squid/var/logs/cache.log: Permission denied
messages will be sent to 'stderr'.
2010/08/30 15:33:17
Creating Swap Directories
Reset the permissions on /usr/local/squid/var/logs/ (chmod 777 is the quick fix used here; giving ownership of the directory to the user Squid runs as is the tighter one)
[root@CentOS squid-3.1.7]#chmod 777 /usr/local/squid/var/logs/
[root@CentOS squid-3.1.7]#/usr/local/squid/sbin/squid -z
[root@CentOS squid-3.1.7]#/usr/local/squid/sbin/squid -s
[root@CentOS ~]# netstat -tln | grep 3128
tcp 0 0 :::3128 :::* LISTEN
Squid's default port is 3128; LISTEN shows it is running
On the client, point IE at proxy IP:3128 and it is ready to use
2. Installing Kaspersky Security for Internet Gateway
Download the file to /usr/src/
[root@CentOS ~]#cd /usr/src
[root@CentOS src]#wget http://www.t-techftp.com/Products/Kaspersky/Internet_gateway/For_ProxyServer/For_Linux/kav4proxy-5.5-51.i386.rpm
[root@CentOS src]# rpm -ivh kav4proxy-5.5-51.i386.rpm
Preparing... ########################################### [100%]
1:kav4proxy ########################################### [100%]
Kaspersky Anti-Virus for Proxy Server has been installed
successfully but needs to be properly configured before using.
Unfortunately, RPM is not able to run scripts interactively, so
please run
/opt/kaspersky/kav4proxy/lib/bin/setup/postinstall.pl
script by yourself to configure it.
[root@CentOS src]#/opt/kaspersky/kav4proxy/lib/bin/setup/postinstall.pl
Configuring KeepUp2Date proxy settings.
If you use an http proxy server to access the Internet, you need
to tell the Kaspersky Anti-Virus for Proxy Server KeepUp2Date
component about it. Please enter the address of your http proxy
server in one of the following forms, http://proxyIP:port or
http://user:pass@proxyIP:port. If you don't have or need a proxy
server to access the Internet, enter 'no' here [no]:
no
Latest anti-virus bases are an essential part of your anti-virus
protection. Do you want to download the latest anti-virus bases
right now to insure your application is up to date? (If you
answer 'yes', make sure you are connected to the Internet):
[yes]:
yes
Kaspersky KeepUp2Date 5.5.50/RELEASE build #43
Copyright (C) Kaspersky Lab, 1997-2007.
Portions Copyright (C) Lan Crypto
Configuration file: /etc/opt/kaspersky/kav4proxy.conf
=== Update task started
Update source selected 'http://dnl-eu4.kaspersky-labs.com/'
Downloading file 'index/master.xml.klz'
.......
The Kaspersky anti-virus database update starts
Update 'Kaspersky Anti-Virus for Proxy Server' completed successfully
Do you want to activate regular updates? [y/N]:y
Default Webmin configuration file was not found. This means that
either Webmin is not installed at all, or is installed into a
non-default location.
Webmin (www.webmin.com) is a web-based interface for system
administration for various Unix components. If you install it,
you'll be able to configure and use Kaspersky Anti-Virus through
the web interface. If you want to use this functionality, but
haven't installed Webmin yet, you can skip this stage and
install this module later using Webmin's built-in installation
procedure.
If you have Webmin installed in a non-default path, please enter
the path to the location of the Webmin configuration file, or
leave blank to skip?
Setting up protection with Kaspersky Anti-Virus for Proxy
server.
The installation program can automatically configure your
ICAP-enabled Squid to be protected by Kaspersky Anti-Virus ICAP
server.
1) No integration
2) Configure to work with remote proxy
3) Configure Squid manually
4) Squid (/usr/local/squid/etc/squid.conf)
Please Choose 1-4
4
Configuring Squid to use Kaspersky Anti-Virus
ICAP-Server
Proxy server binary path: /usr/local/squid/sbin/squid
Proxy server configuration file: /usr/local/squid/etc/squid.conf
Please enter 'Y' to confirm that you want to protect this proxy
server with Kaspersky Anti-Virus. Enter 'N' if proxy server has
been detected incorrectly, or if you do not want to protect it.
[Y]:
Y
Stopping ICAP server: kavicapserver stopped
Starting ICAP server: kavicapserver started
Reconfigure Squid - 2010/08/30 17:15:02
WARNING: 'icap_class' is depricated. Use 'adaptation_service_set' instead
2010/08/30 17:15:02
WARNING: 'icap_class' is depricated. Use 'adaptation_service_set' instead
2010/08/30 17:15:02
WARNING: 'icap_access' is depricated. Use 'adaptation_access' instead
2010/08/30 17:15:02
WARNING: 'icap_access' is depricated. Use 'adaptation_access' instead
success
(These WARNINGs can be ignored; they do not affect the system. To get rid of them, edit squid.conf as follows)
Kaspersky Anti-Virus for Proxy Server is installed.
Configuration file was installed in
/etc/opt/kaspersky/kav4proxy.conf
Binaries were installed in /opt/kaspersky/kav4proxy/bin
[root@CentOS src]#vi /usr/local/squid/etc/squid.conf
.....................
# Added by Kaspersky Anti-Virus installer
icap_enable on
icap_send_client_ip on
icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
icap_class ic_kav_req is_kav_req
icap_class ic_kav_resp is_kav_resp
icap_access ic_kav_resp allow all
icap_access ic_kav_req allow all !acl_kav_GET
# /Added by Kaspersky Anti-Virus installer
......................
After modification:
# Added by Kaspersky Anti-Virus installer
icap_enable on
icap_send_client_ip on
icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
adaptation_service_set ic_kav_req is_kav_req
adaptation_service_set ic_kav_resp is_kav_resp
adaptation_access ic_kav_resp allow all
adaptation_access ic_kav_req allow all !acl_kav_GET
# /Added by Kaspersky Anti-Virus installer
......................
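An added example (not from the post, Squid or Kaspersky): a small shell tool that performs the icap_class/icap_access rewrite shown above on a copy of the installer fragment, then checks that every adaptation_service_set member is a declared icap_service and every adaptation_access names a declared set, since a mistyped rename is exactly what Squid refuses to start on. It works on temporary files; on the real host you would pass /usr/local/squid/etc/squid.conf.

```shell
#!/bin/sh
# Constructed copy of the fragment the installer appends to squid.conf (sample data),
# plus a deliberately broken variant with a dangling set reference.
CONF=$(mktemp); BROKEN=$(mktemp)
trap 'rm -f "$CONF" "$CONF.bak" "$BROKEN"' EXIT
cat > "$CONF" <<'EOF'
# Added by Kaspersky Anti-Virus installer
icap_enable on
icap_send_client_ip on
icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod
icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod
icap_class ic_kav_req is_kav_req
icap_class ic_kav_resp is_kav_resp
icap_access ic_kav_resp allow all
icap_access ic_kav_req allow all !acl_kav_GET
# /Added by Kaspersky Anti-Virus installer
EOF

# migrate_icap_directives FILE: rewrite the two deprecated directives in place (keeping FILE.bak).
# Anchored at line start, so icap_enable / icap_service / icap_send_client_ip are left untouched.
migrate_icap_directives() {
    cp "$1" "$1.bak"
    sed -e 's/^icap_class[[:space:]]/adaptation_service_set /' \
        -e 's/^icap_access[[:space:]]/adaptation_access /' "$1.bak" > "$1"
}

# count_deprecated FILE: number of icap_class/icap_access lines still present (0 = clean)
count_deprecated() {
    grep -c -E '^(icap_class|icap_access)[[:space:]]' "$1" || true
}

# icap_ref_findings FILE: report set members that are not declared icap_service entries,
# and adaptation_access lines that name an undeclared set (Squid rejects either at startup).
icap_ref_findings() {
    services=$(awk '$1=="icap_service"{print $2}' "$1")
    sets=$(awk '$1=="adaptation_service_set"{print $2}' "$1")
    awk '$1=="adaptation_service_set"{for(i=3;i<=NF;i++) print $2, $i}' "$1" |
    while read -r sname member; do
        echo "$services" | grep -qx "$member" || echo "set $sname uses undeclared service $member"
    done
    awk '$1=="adaptation_access"{print $2}' "$1" |
    while read -r sname; do
        echo "$sets" | grep -qx "$sname" || echo "adaptation_access names undeclared set $sname"
    done
}

migrate_icap_directives "$CONF"
echo "deprecated directives left: $(count_deprecated "$CONF")"
icap_ref_findings "$CONF"

# Broken variant: one access rule points at a set that was never defined
sed 's/^adaptation_access ic_kav_req /adaptation_access ic_kav_typo /' "$CONF" > "$BROKEN"
icap_ref_findings "$BROKEN"
```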
Start automatically at boot
[root@CentOS src]#vi /etc/rc.d/rc.local
-----------------
/usr/local/squid/sbin/squid -s
-----------------
Clam AntiVirus+HAVP
Clam AntiVirus
(http://sourceforge.net/projects/clamav/files/clamav/)
HAVP
(http://www.server-side.de/download/havp-0.92.tar.gz)
1. Installing Clam AntiVirus
[root@CentOS ~]#cd /usr/src
[root@CentOS src]#wget http://sourceforge.net/projects/clamav/files/clamav/0.96.2/clamav-0.96.2.tar.gz/download
.....
[root@CentOS src]#groupadd clamav && useradd -g clamav -M clamav
[root@CentOS src]#tar zxvf clamav-0.96.2.tar.gz
[root@CentOS src]# cd clamav-0.96.2
[root@CentOS clamav-0.96.2]#./configure
(install zlib and zlib-devel first)
....
[root@CentOS clamav-0.96.2]#make && make install
.....
[root@CentOS clamav-0.96.2]#mkdir /var/log/clamav
[root@CentOS clamav-0.96.2]#chown clamav:clamav /var/log/clamav
[root@CentOS clamav-0.96.2]#cp /usr/local/etc/clamd.conf /usr/local/etc/clamd.conf.bak
[root@CentOS clamav-0.96.2]#vi /usr/local/etc/clamd.conf
Modified section
===========================================
#Example
LogFile /var/log/clamav/clamav.log
LogVerbose yes
LogTime yes
PidFile /var/run/clamd.pid
DatabaseDirectory /usr/local/share/clamav
===========================================
[root@CentOS clamav-0.96.2]#vi /usr/local/etc/freshclam.conf
(configure freshclam.conf)
===========================================
#Example
DatabaseDirectory /usr/local/share/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog yes
LogVerbose yes
===========================================
[root@CentOS clamav-0.96.2]#/usr/local/bin/freshclam
(run freshclam to update the virus signatures)
2. Installing HAVP
[root@CentOS src]#wget http://www.server-side.de/download/havp-0.92.tar.gz
[root@CentOS src]#tar zxvf havp-0.92.tar.gz
....
[root@CentOS src]#cd havp-0.92
[root@CentOS havp-0.92]#./configure
(yum install gcc-c++)
[root@CentOS havp-0.92]#make && make install
[root@CentOS havp-0.92]#groupadd havp && useradd -g havp -M havp
[root@CentOS havp-0.92]#chown havp:havp /var/log/havp /var/run/havp
[root@CentOS havp-0.92]#vi /usr/local/etc/havp/havp.config
===========================================
#REMOVETHISLINE deletem
ENABLECLAMLIB true
CLAMDBDIR /usr/local/share/clamav
TEMPDIR /tmp
SCANIMAGES false
# (SCANIMAGES false: do not scan images)
# TRANSPARENT true
# (uncomment TRANSPARENT if HAVP is used on its own as the proxy)
# PARENTPROXY 127.0.0.1
# PARENTPORT 3128
# (uncomment these two if there is a parent proxy; use either TRANSPARENT or the parent-proxy pair, not both)
......
3. (create a virtual disk using 1 GB of disk space)
[root@CentOS havp-0.92]#dd if=/dev/zero of=/root/havp_tmp.img bs=1024K count=1 seek=1024
[root@CentOS havp-0.92]#mkfs.ext2 /root/havp_tmp.img
[root@CentOS havp-0.92]#mount -o loop,mand /root/havp_tmp.img /var/tmp/havp
[root@CentOS havp-0.92]#chown havp:havp /var/tmp/havp
[root@CentOS havp-0.92]#vi /etc/rc.d/rc.local
(mount the virtual disk at boot)
mount -o loop,mand /root/havp_tmp.img /var/tmp/havp
[root@CentOS havp-0.92]#vi /etc/ld.so.conf
/usr/local/lib
[root@CentOS havp-0.92]#ldconfig
(refresh the shared-library cache, needed for ClamAV)
[root@CentOS havp-0.92]#cp /usr/src/havp-0.92/etc/init.d/havp /etc/init.d
[root@CentOS havp-0.92]#/etc/init.d/havp start
[root@CentOS havp-0.92]#vi /etc/rc.d/rc.local
/etc/init.d/havp start
[root@CentOS havp-0.92]#iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 8080
Test page: http://www.eicar.org/anti_virus_test_file.htm
Still, this seems to be antivirus mostly for peace of mind: I tried looking online for a 2010 virus pack,
and sure enough it downloaded without any trouble....
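An added example, not from the post or ClamAV, for the gap the last paragraph exposes: the post runs freshclam once by hand, and a scanner that is never updated again quietly stops catching anything current. The functions check that daily signatures exist in DatabaseDirectory, that something there was refreshed within N days, and pull the last daily version out of a freshclam log; the directories, timestamps and log lines are constructed, and the "<date> -> <message>" log shape is assumed to be what freshclam 0.9x writes.

```shell
#!/bin/sh
# Constructed stand-in for DatabaseDirectory (the post uses /usr/local/share/clamav):
# DB has a 2010-dated main.cvd and a fresh daily.cvd; OLD has only the stale main.cvd.
DB=$(mktemp -d); OLD=$(mktemp -d)
trap 'rm -rf "$DB" "$OLD"' EXIT
touch -t 201001010000 "$DB/main.cvd"
touch "$DB/daily.cvd"
touch -t 201001010000 "$OLD/main.cvd"

# Constructed freshclam log excerpt (assumed "<date> -> <message>" shape of freshclam 0.9x)
LOG="$DB/freshclam.log"
cat > "$LOG" <<'EOF'
Sun Sep  5 10:00:01 2010 -> ClamAV update process started at Sun Sep  5 10:00:01 2010
Sun Sep  5 10:00:01 2010 -> main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Sun Sep  5 10:00:09 2010 -> daily.cld updated (version: 11864, sigs: 162133, f-level: 53, builder: ccordes)
Sun Sep  5 10:00:10 2010 -> Database updated (866860 signatures) from database.clamav.net (IP: 203.0.113.10)
EOF

# has_daily DIR: freshclam keeps the incremental signatures in daily.cvd or daily.cld;
# if neither exists the engine only has the base set that shipped with the tarball.
has_daily() {
    [ -f "$1/daily.cvd" ] || [ -f "$1/daily.cld" ]
}

# sigs_fresh DIR MAXDAYS: succeed if at least one signature file was written within MAXDAYS.
# main.cvd legitimately stays old for months, so the newest file is what matters, not each file.
sigs_fresh() {
    fresh=$(find "$1" -maxdepth 1 \( -name '*.cvd' -o -name '*.cld' \) -mtime -"$2" | head -n 1)
    [ -n "$fresh" ]
}

# last_daily_version LOG: version from the most recent daily.* "updated"/"up to date" line;
# a number that stops moving is the cheapest "updates have silently died" signal to alert on.
last_daily_version() {
    sed -n 's/.*daily\.c[lv]d .*(version: \([0-9]*\),.*/\1/p' "$1" | tail -n 1
}

for d in "$DB" "$OLD"; do
    has_daily "$d" && echo "$d: daily signatures present" || echo "$d: no daily signatures"
    sigs_fresh "$d" 7 && echo "$d: refreshed within 7 days" || echo "$d: stale, run freshclam"
done
echo "last daily version in log: $(last_daily_version "$LOG")"
```

Run sigs_fresh from cron against the real DatabaseDirectory so a broken update path is noticed, rather than discovered the way the paragraph above did.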
CentOS 5.5 (final) + L7-filter
Environment:
OS:CentOS5.5 release (Final)
Kernel:2.6.18-194.el5
iptables:iptables v1.3.5
Packages to install:
linux-2.6.30.5.tar.bz2
(http://ftp.isu.edu.tw/pub/Linux/kernel/v2.6/linux-2.6.30.5.tar.bz2)
netfilter-layer7-v2.22.tar.gz
(http://sourceforge.net/projects/l7-filter/files/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz/download)
l7-protocols-2009-05-28.tar.gz
(http://sourceforge.net/projects/l7-filter/files/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz/download)
iptables-1.4.6.tar.bz2
(http://www.netfilter.org/projects/iptables/files/iptables-1.4.6.tar.bz2)
Other:
L7-filter kernel compatibility table:
http://l7-filter.sourceforge.net/kernelcompat
Preparation:
Disable SELinux
[root@CentOS ~]# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
Change SELINUX=enforcing → SELINUX=disabled
1. Download all packages to /usr/src/
2. Compile the kernel
[root@CentOS src]# tar xf linux-2.6.30.5.tar.bz2
[root@CentOS src]# tar xzf netfilter-layer7-v2.22.tar.gz
Patch the kernel
[root@CentOS src]#cd linux-2.6.30.5
[root@CentOS linux-2.6.30.5]# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
.....
[root@CentOS linux-2.6.30.5]#cp /boot/config-`uname -r` .config
(copy the running kernel's configuration file)
[root@CentOS linux-2.6.30.5]#make menuconfig
(make menuconfig will not work unless gcc and ncurses-devel are installed)
.....
* "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options")
* "Network packet filtering framework" (Networking → Networking support → Networking Options)
* "Netfilter Xtables support" (on the same screen)
* "Netfilter connection tracking support" (... → Network packet filtering framework → Core Netfilter Configuration), select "Layer 3 Independent Connection tracking"
* "Connection tracking flow accounting" (on the same screen)
* And finally, "Layer 7 match support"
* Optional but highly recommended: Lots of other Netfilter options, notably "FTP support" and other matches. If you don't know what you're doing, go ahead and enable all of them.
* "layer7" match support (only appears once Netfilter connection tracking support is selected)
* IPv4 connection tracking support (required for NAT)
Reference for which options to select:
http://charlothuang.blogspot.com/2010/02/l7-filter-on-centos-54.html
http://sacs.twgg.org/content/l7-filter-centos-52
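An added example (not from the post or the l7-filter project): after make menuconfig, verify that the resulting .config really carries the options from the list above before spending an hour on make. The Kconfig symbols are the ones kernel 2.6.30 and the layer7 patch use (CONFIG_NETFILTER_XT_MATCH_LAYER7 is the match itself), and the .config excerpt is constructed.

```shell
#!/bin/sh
# Constructed .config excerpt (sample data, not a real kernel config): everything the
# menuconfig list asks for is on except the layer7 match itself.
CFG=$(mktemp)
trap 'rm -f "$CFG" "$CFG.tmp"' EXIT
cat > "$CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NETFILTER_XT_MATCH_LAYER7 is not set
EOF

# Kconfig symbols behind the menuconfig entries in the post: packet filtering framework,
# Xtables, connection tracking, flow accounting, IPv4 conntrack (for NAT) and the layer7 match.
REQUIRED="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_NF_CONNTRACK CONFIG_NF_CT_ACCT
CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XT_MATCH_LAYER7"

# missing_l7_options FILE: print each required symbol that is neither =y nor =m
missing_l7_options() {
    for sym in $REQUIRED; do
        grep -q -E '^'"$sym"'=(y|m)$' "$1" || echo "$sym"
    done
}

# enable_as_module FILE SYMBOL: turn "# SYMBOL is not set" into SYMBOL=m (what menuconfig
# writes when you press M); the file is left unchanged if the symbol is already set.
enable_as_module() {
    sed -e "s/^# $2 is not set\$/$2=m/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

echo "missing before: $(missing_l7_options "$CFG" | tr '\n' ' ')"
enable_as_module "$CFG" CONFIG_NETFILTER_XT_MATCH_LAYER7
echo "missing after:  $(missing_l7_options "$CFG" | tr '\n' ' ')"
```

On the real build tree, run missing_l7_options against /usr/src/linux-2.6.30.5/.config; an empty result means the menuconfig step above was completed.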
[root@CentOS linux-2.6.30.5]#make
....
[root@CentOS linux-2.6.30.5]#make modules_install
....
[root@CentOS linux-2.6.30.5]#make install
....
[root@CentOS linux-2.6.30.5]#vi /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
# initrd /initrd-version.img
#boot=/dev/hda
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.30.5 )
root (hd0,0)
kernel /vmlinuz-2.6.30.5 ro root=/dev/VolGroup00/LogVol00
initrd /initrd-2.6.30.5.img
title CentOS (2.6.18-194.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00
initrd /initrd-2.6.18-194.el5.img
Modified section
default=1 → default=0
title CentOS (2.6.30.5 ) → title CentOS (2.6.30.5 include l7-filter)
3. Installing iptables 1.4.6
[root@CentOS ~]#cp /etc/init.d/iptables /etc/init.d/iptables.bak
(back up the iptables init script)
[root@CentOS ~]#yum remove iptables
(remove the old iptables)
.....
[root@CentOS ~]# cd /usr/src
[root@CentOS src]# tar xjf iptables-1.4.6.tar.bz2
[root@CentOS src]#cp netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* iptables-1.4.6/extensions/
[root@CentOS src]#cd iptables-1.4.6/
[root@CentOS iptables-1.4.6]#./configure --with-ksource=/usr/src/linux-2.6.30.5
[root@CentOS iptables-1.4.6]#make
[root@CentOS iptables-1.4.6]#make install
[root@CentOS ~]#cp /etc/init.d/iptables.bak /etc/init.d/iptables
(restore the init script)
4. Installing the protocol definitions (pattern files)
[root@CentOS iptables-1.4.6]#cd ../
[root@CentOS src]#tar xzf l7-protocols-2009-05-28.tar.gz
[root@CentOS src]#cd l7-protocols-2009-05-28
[root@CentOS l7-protocols-2009-05-28]#make install
5. Configuring NAT
[root@CentOS ~]#vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
.....................
Modified section
net.ipv4.ip_forward = 0 → net.ipv4.ip_forward = 1
#[root@CentOS ~]#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
[root@CentOS ~]# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Aug 26 11:52:40 2010
*nat
:PREROUTING ACCEPT [10:1270]
:POSTROUTING ACCEPT [1:40]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# accept LAN traffic being forwarded out through eth0 (must come before the final REJECT)
-A RH-Firewall-1-INPUT -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
----------Rules above after modification (the added lines were shown in blue in the original)-----------
6. Testing Skype, MSN, HTTP and Yahoo Messenger
Supported applications: see http://l7-filter.sourceforge.net/protocols
(1) Before the rules are applied, the applications all work

(2)
Apply the following rules
iptables -t mangle -A PREROUTING -m layer7 --l7proto http -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto yahoo -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto skypeout -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto skypetoskype -j DROP
Note: iptables -t mangle -A PREROUTING -m layer7 --l7proto skypeout -j DROP
The skypeout rule slows the network down noticeably. The project does warn:
"This is slow, but not as bad as you might think", but in practice web pages loaded abnormally slowly and sometimes not at all (in testing, telnet and ftp could not connect either
OS:CentOS5.5 release (Final)
Kernel:2.6.18-194.el5
iptables:iptables v1.3.5
安裝套件:
linux-2.6.30.5.tar.bz2
(http://ftp.isu.edu.tw/pub/Linux/kernel/v2.6/linux-2.6.30.5.tar.bz2)
netfilter-layer7-v2.22.tar.gz
(http://sourceforge.net/projects/l7-filter/files/l7-filter%20kernel%20version/2.22/netfilter-layer7-v2.22.tar.gz/download)
l7-protocols-2009-05-28.tar.gz
(http://sourceforge.net/projects/l7-filter/files/Protocol%20definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz/download)
iptables-1.4.6.tar.bz2
(http://www.netfilter.org/projects/iptables/files/iptables-1.4.6.tar.bz2)
其他:
L7測試相容性表:
http://l7-filter.sourceforge.net/kernelcompat
作業前準備:
關閉SELinux
[root@CentOS ~]# vi /etc/sysconfig/selinux
# Ts file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
修改SELINUX=enforcing→SELINUX=disabled
一.將所有套件下載至/usr/src/
二.編譯核心
[root@CentOS src]# tar xf linux-2.6.30.5.tar.bz2
[root@CentOS src]# tar xzf netfilter-layer7-v2.22.tar.gz
patch kernel
[root@CentOS src]#cd linux-2.6.30.5
[root@CentOS linux-2.6.30.5]# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
.....
[root@CentOS linux-2.6.30.5]#cp /boot/config-`uname -r` .config
(複製現行核心設定檔 )
[root@CentOS linux-2.6.30.5]#make menuconfig
(make menuconfig fails unless gcc and ncurses-devel are installed)
.....
* "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options")
* "Network packet filtering framework" (Networking → Networking support → Networking Options)
* "Netfilter Xtables support" (on the same screen)
* "Netfilter connection tracking support" (... → Network packet filtering framework → Core Netfilter Configuration), select "Layer 3 Independent Connection tracking"
* "Connection tracking flow accounting" (on the same screen)
* And finally, "Layer 7 match support"
* Optional but highly recommended: Lots of other Netfilter options, notably "FTP support" and other matches. If you don't know what you're doing, go ahead and enable all of them.
* "layer7" match support (this entry only appears once Netfilter connection tracking support has been selected)
* IPv4 connection tracking support (required for NAT)
For the exact options to tick, see:
http://charlothuang.blogspot.com/2010/02/l7-filter-on-centos-54.html
http://sacs.twgg.org/content/l7-filter-centos-52
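Before starting the long kernel build it is worth confirming that the saved .config really contains the options selected above. The script below is an added example, not part of the original post: it assumes the 2.6.x Kconfig symbol names behind those menu entries (CONFIG_NETFILTER, CONFIG_NETFILTER_XTABLES, CONFIG_NF_CONNTRACK, CONFIG_NF_CT_ACCT, CONFIG_NF_CONNTRACK_IPV4, plus CONFIG_NETFILTER_XT_MATCH_LAYER7 from the l7-filter patch), and the .config fragment it checks in the demo is constructed.

```shell
#!/bin/sh
# Added example: confirm that .config enables every option the layer7 match
# needs before starting the (long) kernel build.  The CONFIG_* names are the
# 2.6.x Kconfig symbols behind the menuconfig entries listed above (assumed);
# CONFIG_NETFILTER_XT_MATCH_LAYER7 is the one added by the l7-filter patch.

# Each option must be built in (=y) or built as a module (=m).
L7_REQUIRED_OPTIONS="
CONFIG_NETFILTER
CONFIG_NETFILTER_XTABLES
CONFIG_NF_CONNTRACK
CONFIG_NF_CT_ACCT
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NETFILTER_XT_MATCH_LAYER7
"

# check_l7_config FILE
# Prints one line per option and returns the number of options that are
# absent or "not set", so an exit status of 0 means the config is ready.
check_l7_config() {
    cfg="$1"
    missing=0
    for opt in $L7_REQUIRED_OPTIONS; do
        if grep -Eq "^${opt}=(y|m)$" "$cfg"; then
            printf 'ok       %s\n' "$opt"
        else
            printf 'MISSING  %s\n' "$opt"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Demo on a constructed .config fragment (not a file from the post): the
# layer7 entry was never selected and flow accounting is explicitly off.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CT_ACCT is not set
CONFIG_NF_CONNTRACK_IPV4=m
EOF
if check_l7_config "$demo_cfg"; then
    echo "kernel config is ready for l7-filter"
else
    echo "go back to make menuconfig and enable the MISSING entries"
fi
rm -f "$demo_cfg"
```

Run it as `check_l7_config /usr/src/linux-2.6.30.5/.config` after saving from menuconfig; a non-zero exit status lists exactly which entries to go back for.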
[root@CentOS linux-2.6.30.5]#make
....
[root@CentOS linux-2.6.30.5]#make modules_install
....
[root@CentOS linux-2.6.30.5]#make install
....
[root@CentOS linux-2.6.30.5]#vi /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
# initrd /initrd-version.img
#boot=/dev/hda
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.30.5 )
root (hd0,0)
kernel /vmlinuz-2.6.30.5 ro root=/dev/VolGroup00/LogVol00
initrd /initrd-2.6.30.5.img
title CentOS (2.6.18-194.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-194.el5 ro root=/dev/VolGroup00/LogVol00
initrd /initrd-2.6.18-194.el5.img
Changes:
default=1→default=0
title CentOS (2.6.30.5 )→title CentOS (2.6.30.5 include l7-filter)
3. Install iptables 1.4.6
[root@CentOS ~]#cp /etc/init.d/iptables /etc/init.d/iptables.bak
(back up the iptables init script)
[root@CentOS ~]#yum remove iptables
(remove the old iptables package)
.....
[root@CentOS ~]# cd /usr/src
[root@CentOS src]#
[root@CentOS src]#patch -p1 < /netfilter-layer7-v2.21/iptables-1.3-for-kernel-pre2.6.20-layer7-2.21.patch
.....
[root@CentOS src]# tar xjf iptables-1.4.6.tar.bz2
[root@CentOS src]#cp netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* iptables-1.4.6/extensions/
[root@CentOS src]#cd iptables-1.4.6/
[root@CentOS iptables-1.4.6]#./configure --with-ksource=~/linux/linux-2.6.30.5
[root@CentOS iptables-1.4.6]#make
[root@CentOS iptables-1.4.6]#make install
[root@CentOS ~]#cp /etc/init.d/iptables.bak /etc/init.d/iptables
(restore the init script)
4. Install the protocol pattern definitions
[root@CentOS iptables-1.4.6]#cd ../
[root@CentOS src]#tar xzf l7-protocols-2009-05-28.tar.gz
[root@CentOS src]#cd l7-protocols-2009-05-28
[root@CentOS l7-protocols-2009-05-28]#make install
5. Configure NAT
[root@CentOS ~]#vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
.....................
Changes:
net.ipv4.ip_forward = 0→net.ipv4.ip_forward = 1
#[root@CentOS ~]#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
[root@CentOS ~]#vi /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Aug 26 11:52:40 2010
*nat
:PREROUTING ACCEPT [10:1270]
:POSTROUTING ACCEPT [1:40]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-OUTPUT -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
---------- Rules after the changes (the added lines were highlighted in blue in the original) ----------
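A consistency check for a ruleset file like the one above, added here as an example (it is not from the original post): it reads an iptables-save style file and reports any `-A CHAIN` or `-j TARGET` that names a chain not declared with a `:CHAIN` line in the same table, and any table block without a COMMIT. Run on the ruleset above it flags `-A RH-Firewall-1-OUTPUT`, because no `:RH-Firewall-1-OUTPUT` line declares that chain, which is the line iptables-restore would reject. The helper names and the built-in chain/target lists are the example's own; the sample file is the post's ruleset copied into a temporary file.

```shell
#!/bin/sh
# Added example: check an iptables-save style file (e.g. /etc/sysconfig/iptables)
# before iptables-restore reads it.  Every "-A CHAIN" and "-j TARGET" must name a
# built-in chain, a standard target, or a chain declared with ":CHAIN" in the
# same table, and every table block must end with COMMIT.  iptables-restore
# reports such mistakes only as "No chain/target/match by that name".

BUILTIN_CHAINS="PREROUTING INPUT FORWARD OUTPUT POSTROUTING"
BUILTIN_TARGETS="ACCEPT DROP REJECT RETURN MASQUERADE DNAT SNAT REDIRECT LOG MARK"

# word_in WORD LIST: true when WORD is one of the space-separated words in LIST
word_in() {
    for w in $2; do
        if [ "$w" = "$1" ]; then return 0; fi
    done
    return 1
}

# chain_known NAME DECLARED: built-in chain, or user chain declared in this table
chain_known() {
    word_in "$1" "$BUILTIN_CHAINS" || word_in "$1" "$2"
}

# validate_rules FILE: prints one line per problem, returns the problem count.
validate_rules() {
    file="$1"
    problems=0; table=""; declared=""; committed=1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*|'') ;;
            '*'*)   # new table; the previous one must have been committed
                if [ "$committed" -eq 0 ]; then
                    echo "table $table: missing COMMIT"; problems=$((problems + 1))
                fi
                table="${line#\*}"; declared=""; committed=0 ;;
            ':'*)   # chain declaration: ":NAME POLICY [pkts:bytes]"
                name="${line#:}"; declared="$declared ${name%% *}" ;;
            COMMIT) committed=1 ;;
            -A*)
                set -f; set -- $line; set +f      # split into words, no globbing
                chain="$2"; target=""
                while [ $# -gt 0 ]; do
                    if [ "$1" = "-j" ]; then target="$2"; fi
                    shift
                done
                if ! chain_known "$chain" "$declared"; then
                    echo "table $table: -A $chain appends to an undeclared chain"
                    problems=$((problems + 1))
                fi
                if [ -n "$target" ] && ! chain_known "$target" "$declared" \
                        && ! word_in "$target" "$BUILTIN_TARGETS"; then
                    echo "table $table: -j $target is neither a chain nor a known target"
                    problems=$((problems + 1))
                fi ;;
        esac
    done < "$file"
    if [ "$committed" -eq 0 ]; then
        echo "table $table: missing COMMIT"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo: the nat/filter ruleset from the post, written to a temporary file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*nat
:PREROUTING ACCEPT [10:1270]
:POSTROUTING ACCEPT [1:40]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-OUTPUT -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
if validate_rules "$sample"; then
    echo "ruleset is consistent"
else
    echo "fix the lines above before running iptables-restore"
fi
rm -f "$sample"
```

The check treats all five built-in chain names as valid in every table, which is looser than the kernel (the nat table has no INPUT or FORWARD on this kernel), so a clean result is necessary but not sufficient; `iptables-restore --test` on the real file is still the final word.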
6. Test Skype, MSN, HTTP and Yahoo Messenger
Supported protocols: see http://l7-filter.sourceforge.net/protocols
(1) Before the rules are applied, all of the applications can be used.

(2) Apply the following rules:
iptables -t mangle -A PREROUTING -m layer7 --l7proto http -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto msnmessenger -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto yahoo -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto skypeout -j DROP
iptables -t mangle -A PREROUTING -m layer7 --l7proto skypetoskype -j DROP
The skypeout rule makes the whole network noticeably slower. The l7-filter project's own pattern notes do warn:
"This is slow, but not as bad as you might think", but in practice web pages loaded extremely slowly and some connections failed outright (in testing, telnet and ftp could not connect at all).
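The same blocking rules as a small script, added here as an example (not from the original post). It first checks that each protocol's `.pat` file exists under the l7-protocols directory, so a misspelt protocol name is reported instead of iptables aborting the script halfway. Assumptions of this example: `make install` in step 4 put the patterns under /etc/l7-protocols (override with L7_DIR), the LAN is the 192.168.1.0/24 subnet from the NAT section, and the rules go in the FORWARD chain limited to that subnet rather than mangle PREROUTING, so only the clients' traffic is inspected by the (expensive) pattern matching; set IPT=echo for a dry run. The pattern directory used in the demo is constructed.

```shell
#!/bin/sh
# Added example: apply the layer7 blocking rules only for protocols whose
# pattern file actually exists.  The layer7 match looks for PROTO.pat under
# /etc/l7-protocols (assumed to be where "make install" above put them), and a
# misspelt protocol name makes iptables abort the script halfway.  Rules are
# placed in FORWARD and limited to the LAN so only client traffic is inspected
# (assumption of this example; the post uses mangle PREROUTING).
IPT="${IPT:-iptables}"              # IPT=echo for a dry run
L7_DIR="${L7_DIR:-/etc/l7-protocols}"
LAN="${LAN:-192.168.1.0/24}"        # LAN subnet from the NAT section

# l7_pattern_exists PROTO: true when PROTO.pat is found anywhere under L7_DIR
l7_pattern_exists() {
    find "$L7_DIR" -name "$1.pat" 2>/dev/null | grep -q .
}

# l7_block PROTO...: one DROP rule per protocol that has a pattern file.
# Returns the number of protocols skipped because no pattern was found.
l7_block() {
    skipped=0
    for proto in "$@"; do
        if l7_pattern_exists "$proto"; then
            $IPT -A FORWARD -s "$LAN" -m layer7 --l7proto "$proto" -j DROP
        else
            echo "skipping $proto: no $proto.pat under $L7_DIR" >&2
            skipped=$((skipped + 1))
        fi
    done
    return "$skipped"
}

# Dry run against a constructed pattern directory holding only two of the
# patterns, so "yahoo" and "skypetoskype" are reported and skipped.
demo=$(mktemp -d)
mkdir -p "$demo/protocols"
: > "$demo/protocols/http.pat"
: > "$demo/protocols/msnmessenger.pat"
IPT=echo
L7_DIR="$demo"
if l7_block http msnmessenger yahoo skypetoskype; then
    echo "all rules applied"
else
    echo "some protocols were skipped; check the names against $L7_DIR"
fi
rm -rf "$demo"
```

On the router itself, leave IPT unset and run `l7_block http msnmessenger yahoo skypetoskype` as root; leaving skypeout off the list avoids the slowdown described above, and `iptables -t filter -L FORWARD -v` afterwards shows the per-rule packet counters to confirm which protocols are actually being matched.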