Secure Internet access with Squid, Openldap, Dansguardian and Clamav

Step 1. General informations

Objectives

• Authenticate users in LAN for Internet access
• Content filtering for Internet traffic:
  • URL filtering
  • Virus scanning
  • Advert blocking
  • Customized information of block reasons for users
• Content Caching

Not detailed

• Installations of programs
• QoS with Squid proxy server
• Controlling users max IP address with Squid proxy server
• Encrypted authentication with LDAP
• Customized information of block reasons for users with Dansguardian
• Graphical interfaces for programs
• Logging analysations (logging analysation Tools)
• General management tasks (Examples: Squid cache clear, backup, log archiving, virus database update with freshclam)
• Firewall setup on Squid server and on the Firewall itself.

Used components

The following table contains informations about the used applications and its main informations:

Application name	Version
Ubuntu – Hardy Heron	2.6.24-19-server
Squid	Version 2.6.STABLE18
Dansguardian	DansGuardian 2.8.0.6
ClamAV	ClamAV 0.92.1
Openldap	OpenLDAP: slapd 2.4.9

Process flow

The following picture shows the process of operation:

Work order of the Internet access

1. The client cannot reach Internet directly. Clients should communicate with proxy.
2. Client sends requests to Squid proxy server (to tcp port 3128) that at first request requests for authentication (username and password) from clients.
3. If client gives authentication data, Squid tries to authenticate with Ldap.
4. Ldap server checks user credentials and replies to Squid (if user is identified or not).
5. If authentication passed Squid forwards request to Dansguardian Content Filter.
6. Dansguardian Content Filter processes the request.
7. If Content is not blocked by the Dansguardian Content Filter (For example it is denied by URL or a Virus identified by ClamAV) than it forwards back to Squid.
8. Squid forwards Content back to client and caches it as well.*

* After the AV database update of ClamAV Antivirus system it is better to clear squid cache.

Step 2. Configuring Squid for LDAP Authentication and for Dansguardian Content Filter

There are 3 Schemes (In our example we use ‘basic’):
– negotiate: The client negotiate with squid what to use for authentication.
– basic: In this scheme the credentials are within a Base64 encoded string, but unencrypted. More info about base64 encoding: http://www.ietf.org/rfc/rfc2617.txt
– diggest: It is secured with using a ‘nonce’ generated by squid proxy server. More info about diggest: http://www.ietf.org/rfc/rfc2617.txt
– ntlm: Windows like authentication scheme. The original protocol was reverse-engineered. More info about NTLM: http://en.wikipedia.org/wiki/NTLM
There is a lot of authenticator helper programs that can we use, example RADIUS, LDAP, EDirectory, POP3, SMB, etc…

Here configure the LDAP authentication with ‘ldap_auth‘ authenticator helper program.
More information about this: http://www.digipedia.pl/man/squid_ldap_auth.8.html

We use the following parameters for ‘ldap_auth‘ program:
-b this means Basename as we specified in slapd.conf with ‘suffix’ attribute.
-f LDAP search filter to locate the user DN. *
-v Version. Her ewe use ldap version 3.

* Required if the users are in a hierarchy below the base DN, or if the login name is not what builds the user specific part of the users DN.
The search filter can contain up to 15 occurrences of %s which will be replaced by the username, as in “uid=%s” for RFC2037 directories. For a detailed description of LDAP search filter syntax see RFC2254.

These 4 lines required as a minimal authentication configuration:

auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b “dc=mydomain,dc=dyndns,dc=org” -f “uid=%s” auth_param basic children 5 auth_param basic realm Web-Proxy auth_param basic credentialsttl 1 minute

We need a new acl definition for authentication, that is in this example ‘ldap-auth‘:

(More info: http://www.visolve.com/squid/squid26/accesscontrols.php#proxy_auth)

acl ldap-auth proxy_auth REQUIRED

The default acl commands are the following:

acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443          # https acl SSL_ports port 563          # snews acl SSL_ports port 873          # rsync acl Safe_ports port 80          # http acl Safe_ports port 21          # ftp acl Safe_ports port 443         # https acl Safe_ports port 70          # gopher acl Safe_ports port 210         # wais acl Safe_ports port 1025-65535  # unregistered ports acl Safe_ports port 280         # http-mgmt acl Safe_ports port 488         # gss-http acl Safe_ports port 591         # filemaker acl Safe_ports port 777         # multiling http acl Safe_ports port 631         # cups acl Safe_ports port 873         # rsync acl Safe_ports port 901         # SWAT acl purge method PURGE acl CONNECT method CONNECT

Here we should refer to the ‘ldap-auth‘ acl to permit access for successful authentications:

http_access allow ldap-auth

The default http_access commands are the following:

http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny all icp_access allow all

Here can we specify what port should squid proxy use:

http_port 3128

Here we lead requests to a cache peer, that is the dansguardian in our example (in the requests we forward the usernames as well):

cache_peer 127.0.0.1 parent 8080 0 no-query login=*:nopassword

Here we specify whit regex what objects should not query from neighbour caches:

hierarchy_stoplist cgi-bin ?

The timestamp in the default log format is not exactly human readable, here we specify a readable date and time format for log entries:

logformat squid  %tl %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

Here we specify where to write log entries:

access_log /var/log/squid/access.log squid

Other default configurations (For more information see original squid.conf):

acl QUERY urlpath_regex cgi-bin \? cache deny QUERY refresh_pattern ^ftp:           1440    20%     10080 refresh_pattern ^gopher:        1440    0%      1440 refresh_pattern .               0       20%     4320 acl apache rep_header Server ^Apache broken_vary_encoding allow apache extension_methods REPORT MERGE MKACTIVITY CHECKOUT hosts_file /etc/hosts coredump_dir /var/spool/squid

Step 3. Configuring Openldap server

Before we configure ldap, we need to find out a DN for our Ldap server. We use in this example  dc=mydomain,dc=dyndns,dc=org
Here I describe only required and/or important directives. A detailed information of all directives can be found here: http://www.openldap.org/doc/admin24/slapdconfig.html
We allow LDAP Version 2 connections:

allow bind_v2

We specify with ‘include’ directive the schema specifications, we use in our example ‘inetorgperson.schema’ and ‘?’.

include         /etc/ldap/schema/core.schema include         /etc/ldap/schema/cosine.schema include         /etc/ldap/schema/nis.schema include         /etc/ldap/schema/inetorgperson.schema

Other default directives:

pidfile         /var/run/slapd/slapd.pid argsfile        /var/run/slapd/slapd.args loglevel        none modulepath      /usr/lib/ldap moduleload      back_bdb sizelimit 500 tool-threads 1

We use bdb (Berkeley DB transactional backend) as the database and backend db:

backend         bdb database        bdb

Here we specify what is our DN suffix belonging to this database:

suffix          “dc=mydomain,dc=dyndns,dc=org”

Here we specifies the DN that is not subject to access control or administrative limit restrictions for operations on this database:

rootdn          “cn=admin,dc=mydomain,dc=dyndns,dc=org”

Here we specify the password for the DN for the rootdn:

rootpw secret

Other default directives:

directory       /var/lib/ldap dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index           objectClass eq lastmod         on checkpoint      512 30

Here we specify access rights:

access to attrs=userPassword,shadowLastChange by dn=”cn=admin,dc=mydomain,dc=dyndns,dc=org” write by anonymous auth by self write by * auth access to dn.base=”” by * read access to * by dn=”cn=admin,dc=mydomain,dc=dyndns,dc=org” write by * read

Step 4. Creating users in Openldap server

We create an ldif file with the following content (in this example it is myldap_data4.ldif):

# Firstname1 Entry dn: cn=Firstname1 Familyname1,dc=mydomain,dc=dyndns,dc=org cn: Firstname1 Familyname1 objectClass: person objectClass: inetOrgPerson sn: Firstname1 uid: Firstname1 userPassword:1234

Then add the following command:

ldapadd -x -D “cn=admin,dc=mydomain,dc=dyndns,dc=org” -W -f myldap_data4.ldif

Step 5. Configuring Dansguardian Content Filter for Multiple groups

A good example for multigroup is a VIP access for management or their relatives J. For example they should reach more kind of content as general users.

Here we discuss the parameters used in dansguardian.conf file and the filtergroupslist file and dansguardianf1.conf and dansguardianf2.conf file.

Step 5.1. Configuring dansguardian.conf file

For detailed information see original dansguardian.conf or the website http://contentfilter.futuragts.com/wiki/doku.php

reportinglevel = 3 languagedir = ‘/etc/dansguardian/languages’ language = ‘ukenglish’ loglevel = 3 logexceptionhits = on logfileformat = 1 filterip =

Here we can specify what ports should be used by Dansguardian. This will be used in squid.conf for cache_peer:

filterport = 8080 proxyip = 127.0.0.1 proxyport = 3128 accessdeniedaddress = ‘http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl’ nonstandarddelimiter = on usecustombannedimage = 1 custombannedimagefile = ‘/etc/dansguardian/transparent1x1.gif’

We can different rules for different groups. Here we use 2 groups in this example:

filtergroups = 2

Here we specify the file that contains which user belongs to which group.

filtergroupslist = ‘/etc/dansguardian/filtergroupslist’

Here we specify the list that will be used for filtering and exeptions:

bannediplist = ‘/etc/dansguardian/bannediplist’ exceptioniplist = ‘/etc/dansguardian/exceptioniplist’ banneduserlist = ‘/etc/dansguardian/banneduserlist’ exceptionuserlist = ‘/etc/dansguardian/exceptionuserlist’

Other default configurations:

showweightedfound = on weightedphrasemode = 2 urlcachenumber = 3000 urlcacheage = 900 phrasefiltermode = 2 preservecase = 0 hexdecodecontent = 0 forcequicksearch = 0 reverseaddresslookups = off reverseclientiplookups = off createlistcachefiles = on maxuploadsize = -1 maxcontentfiltersize = 256

Here we specify that proxy authentication will beused for getting userids.

usernameidmethodproxyauth = on usernameidmethodntlm = off # **NOT IMPLEMENTED** usernameidmethodident = off preemptivebanning = on forwardedfor = off usexforwardedfor = off logconnectionhandlingerrors = on maxchildren = 120 minchildren = 8 minsparechildren = 4 preforkchildren = 6 maxsparechildren = 32 maxagechildren = 500 ipcfilename = ‘/tmp/.dguardianipc’ urlipcfilename = ‘/tmp/.dguardianurlipc’ nodaemon = off nologger = off softrestart = off

Dansguardian uses ClamAV as antivirus engine in this example.

virusscan = on virusengine = ‘clamav’ tricklelength = 32768 forkscanlength = 32768 firsttrickledelay = 10 followingtrickledelay = 10 maxcontentscansize = 41904304 virusscanexceptions = on urlcachecleanonly = on virusscannertimeout = 60 notify = 0 emaildomain = ‘your.domain.com’ postmaster = ‘postmaster@your.domain.com’ emailserver = ‘127.0.0.1:25’ downloaddir = ‘/tmp/dgvirus’ clmaxfiles = 1500 clmaxreclevel = 3 clmaxfilesize = 10485760 clblockencryptedarchives = off cldetectbroken = off clamdsocket = ‘/tmp/clamd’ avesocket = ‘/var/run/aveserver’ trophiesocket = ‘/var/run/trophie’ sophiesocket = ‘/var/run/sophie’ icapsocket = ‘localhost:1344’ icapservice = ‘icap://localhost/avscan’

Step 5.2. Configuring filtergroupslist file

Here is our example filtergroupslist file output (all users default to filter group 1):

# Filter Groups List file for DansGuardian # # Format is <user>=filter<1-99> where 1-99 are the groups # # Eg: # daniel=filter2 # # This file is only of use if you have more than 1 filter group # Firstname1=filter1 Firstname2=filter2

Step 5.3. Configuring dansguardianf1.conf file

Here we can see dansguardianf1.conf file output

bannedphraselist = ‘/etc/dansguardian/bannedphraselist’ weightedphraselist = ‘/etc/dansguardian/weightedphraselist’ exceptionphraselist = ‘/etc/dansguardian/exceptionphraselist’ bannedsitelist = ‘/etc/dansguardian/bannedsitelist’ greysitelist = ‘/etc/dansguardian/greysitelist’ exceptionsitelist = ‘/etc/dansguardian/exceptionsitelist’ bannedurllist = ‘/etc/dansguardian/bannedurllist’ greyurllist = ‘/etc/dansguardian/greyurllist’ exceptionurllist = ‘/etc/dansguardian/exceptionurllist’ bannedregexpurllist = ‘/etc/dansguardian/bannedregexpurllist’ bannedextensionlist = ‘/etc/dansguardian/bannedextensionlist’ bannedmimetypelist = ‘/etc/dansguardian/bannedmimetypelist’ picsfile = ‘/etc/dansguardian/pics’ contentregexplist = ‘/etc/dansguardian/contentregexplist’ naughtynesslimit = 50 bypass = 0 bypasskey = ” virusscan = on exceptionvirusextensionlist = ‘/etc/dansguardian/exceptionvirusextensionlist’ exceptionvirusmimetypelist = ‘/etc/dansguardian/exceptionvirusmimetypelist’ exceptionvirussitelist = ‘/etc/dansguardian/exceptionvirussitelist’ exceptionvirusurllist = ‘/etc/dansguardian/exceptionvirusurllist’ dlmgrextensionlist = ‘/etc/dansguardian/dlmgrextensionlist’

Step 5.4. Configuring dansguardianf2.conf file

Here we can see dansguardianf2.conf file output. In this example we specified as exceptionsitelist the exceptionsitelist2 file, this way we have a unique list for group 2 and for group 1.

bannedphraselist = ‘/etc/dansguardian/bannedphraselist’ weightedphraselist = ‘/etc/dansguardian/weightedphraselist’ exceptionphraselist = ‘/etc/dansguardian/exceptionphraselist’ bannedsitelist = ‘/etc/dansguardian/bannedsitelist’ greysitelist = ‘/etc/dansguardian/greysitelist’ exceptionsitelist = ‘/etc/dansguardian/exceptionsitelist2’ bannedurllist = ‘/etc/dansguardian/bannedurllist’ greyurllist = ‘/etc/dansguardian/greyurllist’ exceptionurllist = ‘/etc/dansguardian/exceptionurllist’ bannedregexpurllist = ‘/etc/dansguardian/bannedregexpurllist’ bannedextensionlist = ‘/etc/dansguardian/bannedextensionlist’ bannedmimetypelist = ‘/etc/dansguardian/bannedmimetypelist’ picsfile = ‘/etc/dansguardian/pics’ contentregexplist = ‘/etc/dansguardian/contentregexplist’ naughtynesslimit = 50 bypass = 0 bypasskey = ” virusscan = on exceptionvirusextensionlist = ‘/etc/dansguardian/exceptionvirusextensionlist’ exceptionvirusmimetypelist = ‘/etc/dansguardian/exceptionvirusmimetypelist’ exceptionvirussitelist = ‘/etc/dansguardian/exceptionvirussitelist’ exceptionvirusurllist = ‘/etc/dansguardian/exceptionvirusurllist’ dlmgrextensionlist = ‘/etc/dansguardian/dlmgrextensionlist’

Step 5.5. Configuring exceptionsitelist2 file

This file is referred in dansguardianf2.conf file with exceptionsitelist parameter.

In this example we configure that group 2, who uses exceptionsitelist2 file can reach playboy.com, but group 1 cannot (We not specify ‘playboy.com’ in exceptionsitelist file that is referred in dansguardianf1.conf with exceptionsitelist parameter).

#Sites in exception list #Don’t bother with the www. or #the http:// # #These are specifically domains and are not URLs. #For example ‘foo.bar/porn/’ is no good, you need #to just have ‘foo.bar’. # #You can also match IPs here too. # #As of DansGuardian 2.7.3 you can now include #.tld so for example you can match .gov for example dansguardian.org windowsupdate.microsoft.com playboy.com windowsupdate.com

That’s it! Just a short test and ready.