I TESTED EVERYTHING IN THIS POST; EVERYTHING WORKS AND DOES NOT AFFECT ANY OTHER MODULE OR CODE IN THE UNTANGLE SYSTEM. MY SERVER IS IN PRODUCTION WITH MORE THAN 150 ACTIVE USERS EVERY DAY AND PERFORMANCE IS EXCELLENT. USE IT AT YOUR OWN RISK.
Changes:
-Ntop: now works fine and does not reboot every time.
-Webmin: it makes no sense to install Webmin; I never used it for anything, so it is not installed now.
-Phpsysinfo: easier setup thanks to the modules already installed in UT 7.3.
-Imspector: now depends on the phpsysinfo web interface, not on Webmin.
-Squid: improved security; only for the users you do not want to pass through the web filter, and on a non-standard port.
-Monit: already installed on 7.3, so I just configured it for our apps.
-Sqstat: replaced SRG and Sarg with SQstat.
Added:
-Start SSH every time.
-Log error messages from the boot screen.
-Rsyslog alerts by mail (credits to: bigdessert).
-Remote access to the UT database (credits to: Sky-Knight).
-Cleaning files for the database, files, and squid.
Previous post:
http://forums.untangle.com/hacks/964...test-rels.html
1. Start SSH (start SSH Service)
rm /etc/ssh/sshd_not_to_be_run && /etc/init.d/ssh start
2. Boot logs (logs all boot errors and information)
a. Edit /etc/default/bootlogd with: BOOTLOGD_ENABLE=Yes
b. Logs to: /var/log/boot.
3. Install NTOP
a) Increase the APT cache: edit /etc/apt/apt.conf (or /etc/apt/apt.conf.d/70debconf) and add the line:
APT::Cache-Limit "30000000";
b) Uncomment the lenny sources in /etc/apt/sources.list
c) Clean & update the APT cache
apt-get clean && apt-get update
d) Install ntop
apt-get install ntop
e) Set nTOP's admin password
ntop -A
f) Configure nTOP monitoring interfaces (printf is used so the newline is written on every shell, which echo does not guarantee)
printf 'USER="ntop"\nINTERFACES="eth0,eth1,eth2"\n' > /var/lib/ntop/init.cfg
g) Configure nTOP to use TCP port 4000
echo 'GETOPT="-w 4000"' >> /etc/default/ntop
h) Start nTOP
/etc/init.d/ntop start
i) Confirm nTOP is listening on TCP port 4000
lsof -i | grep ntop
j) Configure a packet filter for nTOP (Packet Filter)
Port: 4000 & Destination Local
k) Access NTOP
4. Install PHPSYSINFO
a) Edit the file /etc/apache2/sites-available/uvm to allow PHP and CGI files:
<Directory /var/www>
Options +ExecCGI
AddHandler cgi-script .cgi
AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php
FileETag Mtime Size
</Directory>
b) Install PhpSysInfo
apt-get install phpsysinfo
c) Access PhpSysInfo: http://untangleip/phpsysinfo
5. Install Imspector
a) Install dependencies
apt-get install make build-essential openssl libssl-dev
b) Install Imspector
cd /tmp
wget http://www.imspector.org/downloads/imspector-0.9.tar.gz
tar zxf imspector-0.9.tar.gz
cd imspector-0.9
make
make install
make install-cert
c) Create the folder
mkdir /etc/imspector
d) Create the dependency files
Create /etc/init.d/imspector with the following (the stop branch is there so that "/etc/init.d/imspector stop", as used by monit below, does not start a second instance):
#! /bin/sh
# IMspector startup/shutdown
PATH=/sbin:/bin:/usr/sbin:/usr/bin
case "$1" in
stop) echo "Stopping IMspector..."; pkill imspector ;;
*) echo "Starting IMspector..."; imspector -c /etc/imspector/imspector.conf ;;
esac
Then make it executable and add it to the startup sequence:
chmod 755 /etc/init.d/imspector
update-rc.d imspector defaults
mv /usr/etc/imspector/imspector.conf /etc/imspector/imspector.conf
mv /usr/etc/imspector/badwords.txt /etc/imspector/badwords.txt
mv /usr/etc/imspector/acl.txt /etc/imspector/acl.txt
/etc/init.d/imspector start
cp /tmp/imspector-0.9/contrib/imspector.cgi /usr/share/phpsysinfo/imspector.cgi
e) Restart Apache: /etc/init.d/apache2 restart
f) Access Imspector: http://untangleip/phpsysinfo/imspector.cgi
g) Rules in Port Forwarding to Imspector
Configure a port forward in UT for all users, or just the users you want to monitor:
Port: 10000 & Destination Local
Source: Any, or the IPs you want
Destination Port: 1863 (for MSN, Yahoo, Gmail, etc.)
Protocol: TCP
New Destination: UT internal eth1 IP
New Port: 16667
Configure a packet filter for squid (Packet Filter)
Port: 3128 & Destination Local
6. Install Squid (just for power users; it can't be filtered)
a) Install squid
apt-get install squid
b) Configure squid
Edit /etc/squid/squid.conf with:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# define the users who may use squid here
http_access allow all
acl_uses_indirect_client off
# uses a non-standard port so users can't find it
http_port 55555 transparent
cache_mem 32 MB
cache_dir ufs /var/spool/squid 5000 16 256
access_log /var/log/squid/access.log squid
cache_mgr admin@domain.com
httpd_suppress_version_string on
c) Restart squid: /etc/init.d/squid restart
d) Rules in Port Forwarding & Packet Filter to Squid
Configure a port forward in UT for all users, or just the users you want to pass through squid:
Source Address: any, or the IPs you want to pass through squid
Destination Port: 80
Protocol: TCP
New Address: INTERNALUTADDRESS
New Port: 55555
Configure a packet filter for squid (Packet Filter)
Port: 55555 & Destination Local
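With `http_access allow all`, every client that can reach port 55555 may use the proxy, whatever the port-forward source list says; Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides. This added example (not part of the original post) models that first-match evaluation for src ACLs and compares the post's lines with a constructed variant that names the power users explicitly; the power_users ACL and its addresses are assumptions.

```python
# Added example (not from the post): Squid first-match http_access evaluation for src ACLs.
# Other ACL types (proto, dst, ...) are treated as never matching; "!" negation is supported.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_squid_conf(text):
    """Return ({acl name: [networks]}, [(action, [acl tokens])]) from src ACL and http_access lines."""
    acls, rules = {"all": [ANY]}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            nets = [ANY if p == "all" else ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def http_access(conf, client_ip):
    """Return 'allow' or 'deny' for client_ip. The first http_access line whose ACLs all
    match wins; if none matches, Squid applies the opposite of the last line's action."""
    acls, rules = parse_squid_conf(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, tokens in rules:
        matched = True
        for tok in tokens:
            negate, name = tok.startswith("!"), tok.lstrip("!")
            hit = any(ip in net for net in acls.get(name, []))  # unknown/non-src ACL: no hit
            if hit == negate:
                matched = False
                break
        if matched:
            return action
    return ("deny" if rules[-1][0] == "allow" else "allow") if rules else "deny"

# The post's lines (constructed fragment): anyone reaching port 55555 may use the proxy
WEAK = """acl all src all
http_access allow all
http_port 55555 transparent"""

# Constructed alternative: only the listed power-user addresses (assumed values), then deny all
RESTRICTED = """acl all src all
acl localhost src 127.0.0.1/32
acl power_users src 192.168.80.10/32 192.168.80.11/32
http_access allow localhost
http_access allow power_users
http_access deny all
http_port 55555 transparent"""
```

Running `http_access(WEAK, ip)` and `http_access(RESTRICTED, ip)` for a listed and an unlisted LAN address shows the difference: the first allows both, the second allows only the listed one.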
7. Install Monit (just needs to be configured with our info; it's already installed on 7.3)
a) Add to the file /etc/untangle/monit.d/monit-base_all.conf:
set daemon 120
set logfile /var/log/uvm/monit.log
set mailserver mail.server.com port 587 username "admin@domain.com" password "adminpwd"
set alert mail1@domain.com only on { timeout, nonexist, connection }
set alert mail2@domain.com only on { timeout, nonexist, connection }
set httpd port 2812 and use address localhost
allow 192.168.80.0/24
allow user:password
allow localhost
#MONITOR APACHE
check process apache with pidfile /var/run/apache2.pid
start program = "/etc/init.d/apache2 start"
stop program = "/etc/init.d/apache2 stop"
if failed host 192.168.200.254 port 80 protocol http for 2 cycles then restart
if 5 restarts within 10 cycles then timeout
#MONITOR NTOP
check process ntop with pidfile /var/run/ntop.pid
start program = "/etc/init.d/ntop start"
stop program = "/etc/init.d/ntop stop"
if failed host 192.168.200.254 port 4000 then restart
# if 5 restarts within 5 cycles then timeout
#MONITOR SSHD
check process sshd with pidfile /var/run/sshd.pid
start program = "/etc/init.d/ssh start"
stop program = "/etc/init.d/ssh stop"
if failed port 22 protocol ssh for 2 cycles then restart
if 5 restarts within 10 cycles then timeout
#MONITOR SQUID
check process squid with pidfile /var/run/squid.pid
start program = "/etc/init.d/squid start"
stop program = "/etc/init.d/squid stop"
if failed host 192.168.200.254 port 3128 then restart
if 5 restarts within 10 cycles then timeout
#MONITOR IMSPECTOR
check process imspector with pidfile /var/run/imspector.pid
start program = "/etc/init.d/imspector start"
stop program = "/etc/init.d/imspector stop"
if failed host 192.168.200.254 port 16667 then restart
if 5 restarts within 10 cycles then timeout
b) Restart /etc/init.d/untangle-vm (this restarts monit)
8. Install TCPTRACK & DSNIFF
a) UT 7.3 already has iftop & jnettop
apt-get install tcptrack
apt-get install dsniff
9. Install Rsyslog alerts (just needs to be configured with our info; it's already installed on 7.3)
Credits to bigdessert
a) Edit /etc/rsyslog.conf
Under #### MODULES ####
Add: $ModLoad ommail
Under # provides UDP syslog reception, uncomment the following two lines:
#$ModLoad imudp
#$UDPServerRun 514
Under #### GLOBAL DIRECTIVES ####, add the following action
####ACTIONS####
##Note, smtp server must be able to relay mail!##
$ActionMailSMTPServer localhost
$ActionMailSMTPPort 25
$ActionMailFrom email@fromaddress.com
$ActionMailTo email@toaddress.com
$template mailSubject,"Untangle Alert On Server"
$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
if $syslogtag contains 'Intrusion_Prevention' then :ommail:;mailBody
b) Restart rsyslog: /etc/init.d/rsyslog restart
c) Change in admin panel, under monitoring tab, enable syslog to localhost and port 514.
10. Install Sqstat for Squid (live stats)
cd /tmp
wget http://samm.kiev.ua/sqstat/sqstat-1.20.tar.gz
tar xvzf sqstat-1.20.tar.gz
cp sqstat-1.20/config.inc.php.defaults sqstat-1.20/config.inc.php
Edit config.inc.php with Squid IP: 127.0.0.1 and Port: 55555
mv sqstat-1.20 /usr/share/phpsysinfo/sqstat
View the live stats at http://untangleip/phpsysinfo/sqstat/sqstat.php
11. Allow remote access to the UT database
Credits to Sky-Knight
b) Add a packet filter rule with this:
Description: Pass Postgres
Action: Pass
Source Interface: Internal
Destined Local
Protocol: TCP
Destination Port: 5432
c) Stop the postgres services:
/etc/init.d/untangle-vm stop
/etc/init.d/postgresql-8.3 stop
d) Edit the file /etc/postgresql/8.3/main/postgresql.conf with:
listen_addresses = '*'
e) Edit the file /etc/postgresql/8.3/main/pg_hba.conf with:
host all all 0.0.0.0/0 trust
f) Restart the services:
/etc/init.d/postgresql-8.3 start
/etc/init.d/untangle-vm start
g) Get a copy of pgAdmin from www.pgadmin.org and connect using the following:
Name: Untangle
Host: internal IP of your Untangle here
Port: 5432
SSL: allow
Maintenance DB: postgres
Username: postgres
Password: uvm
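PostgreSQL applies the METHOD of the first pg_hba.conf record whose type, database, user and address all match, and rejects the connection when no record matches. This added example (not part of the original post) runs that evaluation over the `host all all 0.0.0.0/0 trust` record above, which authenticates any role from any address without a password, and over a constructed alternative limited to one subnet, one role and password (md5) authentication; the 192.168.80.0/24 subnet (borrowed from the monit section) and the md5 method are assumptions.

```python
# Added example (not from the post): first-match evaluation of pg_hba.conf host records.
# Supports host/hostssl/hostnossl lines with CIDR or netmask addresses and the "all" keyword;
# keywords such as sameuser/samenet, "+group" roles and hostnames are not modelled.
import ipaddress

def parse_pg_hba(text):
    """Return [(type, database, user, network, method)] in file order."""
    records = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 5 or parts[0] not in ("host", "hostssl", "hostnossl"):
            continue
        conn_type, database, user, addr, method = parts[:5]
        if "/" not in addr and len(parts) >= 6:  # separate ADDRESS and NETMASK columns
            addr, method = addr + "/" + parts[4], parts[5]
        records.append((conn_type, database, user, ipaddress.ip_network(addr, strict=False), method))
    return records

def auth_method(hba_text, database, user, client_ip, ssl=False):
    """Return the METHOD PostgreSQL applies to this connection, or None when no record
    matches (the server then rejects the connection outright)."""
    ip = ipaddress.ip_address(client_ip)
    for conn_type, db, usr, net, method in parse_pg_hba(hba_text):
        if (conn_type == "hostssl" and not ssl) or (conn_type == "hostnossl" and ssl):
            continue
        if db not in ("all", database) or usr not in ("all", user):
            continue
        if ip in net:
            return method  # first matching record decides; later lines are never consulted
    return None

# The post's record (constructed fragment): any address, any role, no password required
WIDE_OPEN = "host all all 0.0.0.0/0 trust"

# Constructed alternative: only the assumed admin subnet, only as postgres, only with a
# password; everything else matches no record and is rejected
RESTRICTED = "host all postgres 192.168.80.0/24 md5"
```

`auth_method(WIDE_OPEN, "uvm", "postgres", "10.0.0.1")` returns "trust", while the same call against RESTRICTED returns None and only a client inside 192.168.80.0/24 connecting as postgres gets "md5".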