UBUNTU 14 CONFIGURATION MANUAL

Install Squid and configure Proxy server.

] This is common forward proxy settings.
root@prox:~# aptitude -y install squid3
root@prox:~# vi /etc/squid3/squid.conf
acl CONNECT method CONNECT
# line 919: add (define ACL for internal)
acl lan src 10.0.0.0/24
http_access allow localhost
# line 1058: add (set ACL for internal)
http_access allow lan
# line 1460: change
http_port 8080 transparent
# line 4445: add follows
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
# line 4761: add (define hostname)
visible_hostname prox.server.world
# forwarded_for on
# line 6869: add (hide IP address)
forwarded_for off
root@prox:~# initctl restart squid3
squid3 start/running, process 1462

UBUNTU 14 CONFIGURATION MANUAL

Configure Squid as a Reverse Proxy server

root@prox:~# vi /etc/squid3/squid.conf
# near line 1058: add ( allow all http access )
http_access allow all
# line 1460: specify http server's IP for backend
http_port 80 accel defaultsite=www.server.world
# line 2596: add
cache_peer 10.0.0.31 parent 80 0 no-query originserver
# line 2736: add (memory cache size)
cache_mem 256 MB
# line 3001: add
# number means [disk cache size] [number of directories on top level] [number of
directories on 2nd level]
cache_dir ufs /var/spool/squid3 256 16 256
# line 4761: add (define hostname)
visible_hostname prox.server.world
root@prox:~# initctl restart squid3
squid3 start/running, process 2708
[2]

Change DNS or Router's settings if need, and make it listen http requests on Squid
server. It's OK if backend http server responds like follows.

UBUNTU 14 CONFIGURATION MANUAL

Install SquidClamav and Configure Proxy Server to scan downloaded files to protect
from virus. Install Clamav first.
[1] Install Clamd
root@prox:~# aptitude -y install clamav-daemon
[2]

Download the latest version of Squidclamav from the link below.

http://sourceforge.net/projects/squidclamav/files/squidclamav/

# install some required packages first

root@prox:~# aptitude -y install gcc make curl libcurl4-gnutls-dev c-icap libicapapi-dev
root@prox:~# wget
http://ftp.jaist.ac.jp/pub/sourceforge/s/project/sq/squidclamav/squidclamav/6.11/squidclamav6.11.tar.gz
root@prox:~# tar zxvf squidclamav-6.11.tar.gz
root@prox:~# cd squidclamav-6.11
root@prox:~/squidclamav-6.11#
./configure --with-c-icap
root@prox:~/squidclamav-6.11# make
root@prox:~/squidclamav-6.11# make install
root@prox:~/squidclamav-6.11# cd
root@prox:~# ln -s /etc/c-icap/squidclamav.conf /etc/squidclamav.conf
root@prox:~# vi /etc/squidclamav.conf
# line 17: change ( create a error page that is redirected to )
redirect
http://www.server.world/error.html
[3] Configure c-icap and Squid
root@prox:~# vi /etc/default/c-icap
# line 6: change
START=
yes
root@prox:~# vi /etc/c-icap/c-icap.conf
# line 142: change to the admin email
ServerAdmin
root@server.world
# line 151: change to the hostname

UBUNTU 14 CONFIGURATION MANUAL

ServerName
prox.server.world
# line 502: add
Service squidclamav squidclamav.so
root@prox:~#
/etc/init.d/c-icap start
Starting c-icap: c-icap.
root@prox:~# vi /etc/squid3/squid.conf
# line 6078: add
icap_enable on
# line 6199: add
adaptation_send_client_ip o
# line 6209: add
adaptation_send_username on
# line 6214: add
icap_client_username_header X-Authenticated-User
# line 6310: add follows
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
root@prox:~#
initctl restart squid3
squid3 start/running, process 12010
Try to access to the page that has trial virus below.
http://downloadcenter.trendmicro.com/index.php?regs=jp&prodid=1424 Click 'eicar.com'
[4]
and try to download it. Then, Virus will be detected and accessing is redirected to the
page you set.

UBUNTU 14 CONFIGURATION MANUAL

UBUNTU 14 CONFIGURATION MANUAL

In addition to configure SquidClamav, Configure SquidGuard

which is the URL redirector to use blacklists.
[1] Install SquidGuard
root@prox:~# aptitude -y install squidguard
root@prox:~# mv /etc/squidguard/squidGuard.conf /etc/squidguard/squidGuard.conf.bk
root@prox:~# vi /etc/squidguard/squidGuard.conf
# create new ( simply settings as an example )
dbhome /var/lib/squidguard/db
logdir /var/log/squid
dest deny {
# define 'deny' category for prohibited domain
domainlist deny/domains
# define 'deny' category for prohibited URL
urllist deny/urls
}
acl {
default {
# permit all except 'deny' category
pass !deny all
# the redirected URL if matchs 'deny'
redirect http://www.server.world/error.html
}
}
root@prox:~# mkdir /var/lib/squidguard/db/deny
root@prox:~# vi /var/lib/squidguard/db/deny/domains
# write domains you'd like to prohibit to access
yahoo.co.jp
example.com
root@prox:~# vi /var/lib/squidguard/db/deny/urls
# write URLs you'd like to prohibit to access
www.yahoo.co.jp/deny/
www.example.com/

UBUNTU 14 CONFIGURATION MANUAL

root@prox:~# squidGuard -C all
2014-06-08 13:25:35 [14132] INFO: squidGuard 1.5 started (1402287935.664)
2014-06-08 13:25:35 [14132] INFO: db update done
2014-06-08 13:25:35 [14132] INFO: squidGuard stopped (1402287936.001)
root@prox:~# chown -R c-icap:proxy /var/lib/squidguard
root@prox:~# chown -R c-icap:proxy /var/log/squidguard
root@prox:~# vi /etc/squidclamav.conf
# line 21: uncomment and change
squidguard /usr/bin/squidGuard
root@prox:~# /etc/init.d/c-icap restart
* Restarting c-icap Server c-icap
...done.

[2] Try to access to the URL you set as prohibited domains in [1].

UBUNTU 14 CONFIGURATION MANUAL

Install/Configure Postfix
Install Postfix to configure SMTP server. SMTP uses 25/TCP.
[1] This example shows to configure SMTP-Auth to use Dovecot's SASL function.
root@mail:~# aptitude -y install postfix sasl2-bin
# Enter
+------------------------+ Postfix Configuration +-----------------------+
|
|
| Please select the mail server configuration type that best meets
your
| needs.
|
| No configuration:
|
Should be chosen to leave the current configuration unchanged.
| Internet site:
|
Mail is sent and received directly using SMTP.
| Internet with smarthost:
|
Mail is received directly using SMTP or by running a utility such
|
as fetchmail. Outgoing mail is sent using a smarthost.
| Satellite system:
|
All mail is sent to another machine, called a 'smarthost', for
| delivery.
| Local only:
|
|
<Ok>
|
|
+------------------------------------------------------------------------+

# select 'No Configuration' (configure manually)

+------+ Postfix Configuration +-------+
| General type of mail configuration: |
|
|
|
No configuration
|
|
Internet Site
|
|
Internet with smarthost
|
|
Satellite system
|
|
Local only
|
|
|
|
|
|
<Ok>
<Cancel>
|
|
|
+--------------------------------------+

root@mail:~# cp /usr/lib/postfix/main.cf /etc/postfix/main.cf

UBUNTU 14 CONFIGURATION MANUAL

root@mail:~# vi /etc/postfix/main.cf
# line 59: uncomment
mail_owner = postfix
# line 76: uncomment and specify hostname
myhostname = mail.server.world
# line 83: uncomment and specify domain name
mydomain = server.world
# line 104: uncomment
myorigin = $mydomain
# line 118: uncomment
inet_interfaces = all
# line 166: uncomment
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# line 209: uncomment
local_recipient_maps = unix:passwd.byname $alias_maps
# line 268: uncomment and specify your LAN
mynetworks = 127.0.0.0/8, 10.0.0.0/24
# line 388: uncomment
alias_maps = hash:/etc/aliases
# line 399: uncomment
alias_database = hash:/etc/aliases
# line 421: uncomment (use Maildir)
home_mailbox = Maildir/
# line 557: comment out and add below
#
smtpd_banner = $myhostname ESMTP $mail_name (@@DISTRO@@)
smtpd_banner = $myhostname ESMTP
# line 631: add
sendmail_path = /usr/sbin/postfix
# line 636: add
newaliases_path = /usr/bin/newaliases
# line 641: add
mailq_path = /usr/bin/mailq
# line 647: add

UBUNTU 14 CONFIGURATION MANUAL

setgid_group = postdrop
# line 651: comment out
#html_directory =
# line 655: comment out
#manpage_directory =
# line 660: comment out
#sample_directory =
# line 664: comment out
#readme_directory =
# add at the lasdt line: limit an email size 10M
message_size_limit = 10485760
# limit mailbox 1G
mailbox_size_limit = 1073741824
# for SMTP-Auth settings
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions =
permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject
root@mail:~# newaliases
root@mail:~# /etc/init.d/postfix restart
* Stopping Postfix Mail Transport Agent postfix
...done.
* Starting Postfix Mail Transport Agent postfix
...done.

UBUNTU 14 CONFIGURATION MANUAL

Install Dovecot to configure POP/IMAP server. POP uses 110/TCP, IMAP uses 143/TCP.
[1]

This example shows to configure to provide SASL function to Postfix.

root@mail:~#aptitude y install dovecot-core dovecot-pop3d dovecot-imapd

# select "No", configure later if it needs

+-----------------------+ Configuring dovecot-core +------------------------+

|

| An SSL certificate is needed in order to use IMAP or POP3 over SSL/TLS. |

| No such certificate was found.
|

|
|

| Please choose whether you want to create one now. This will then be a
| self-signed certificate.

| If you choose not to create a certificate, please adapt Dovecot's

| configuration file (/etc/dovecot/conf.d/10-ssl.conf).
|

| Create a self-signed SSL certificate?

|
|

|
|

<Yes>

<No>

|
|

+---------------------------------------------------------------------------+

root@mail:~#vi /etc/dovecot/dovecot.conf
# line 30: change ( if not listen IPv6 port )
listen =*

root@mail:~# vi /etc/dovecot/conf.d/10-auth.conf
# line 10: uncomment and change ( allow plain text auth )
disable_plaintext_auth =no

UBUNTU 14 CONFIGURATION MANUAL

# line 100: add
auth_mechanisms = plain login
root@mail:~#vi /etc/dovecot/conf.d/10-mail.conf
# line 30: change to Maildir
mail_location =maildir:~/Maildir
root@mail:~#vi /etc/dovecot/conf.d/10-master.conf
# line 96-98: uncomment and add
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
root@mail:~# vi /etc/dovecot/conf.d/10-ssl.conf
# line 6: uncomment and change (no SSL)
ssl = no
# line 12,13: comment out
#ssl_cert = </etc/dovecot/dovecot.pem
# ssl_key = </etc/dovecot/private/dovecot.pem
root@mail:~# initctl start dovecot
dovecot start/running, process 1337

UBUNTU 14 CONFIGURATION MANUAL

Configure Postfix and Dovecot for SSL.

root@mail:~# vi /etc/postfix/main.cf
# add at the last line
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
root@mail:~# vi /etc/postfix/master.cf
# line 28-30: uncomment
smtps inet n
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes

smtpd

root@mail:~# vi /etc/dovecot/conf.d/10-ssl.conf
# line 6: uncomment
ssl = yes
# line 12,13: uncomment and specify certificate
ssl_cert = </etc/ssl/private/server.crt
ssl_key = </etc/ssl/private/server.key

root@mail:~# /etc/init.d/postfix restart

* Stopping Postfix Mail Transport Agent postfix
...done.
* Starting Postfix Mail Transport Agent postfix
...done.

root@mail:~#
initctl restart dovecot
dovecot start/running, process 1280

UBUNTU 14 CONFIGURATION MANUAL

Create a your server's original SSL Certificate. If you use your server as a business, it
had better buy and use a Formal Certificate from Verisign and so on.
root@www:~# cd /etc/ssl/private
root@www:/etc/ssl/private# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for server.key: # set passphrase
Verifying - Enter pass phrase for server.key: # confirm
# remove passphrase from private key
root@www:/etc/ssl/private# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: # passphrase
writing RSA key
root@www:/etc/ssl/private# openssl req -new -days 3650 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----Country Name (2 letter code) [AU]: JP # country
State or Province Name (full name) [Some-State]: Hiroshima # state
Locality Name (eg, city) []: Hiroshima # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: GTS # company
Organizational Unit Name (eg, section) []: Server World # department
Common Name (e.g. server FQDN or YOUR name) []: www.server.world # server's FQDN
Email Address []: xxx@server.world # email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@www:/etc/ssl/private# openssl x509 -in server.csr -out server.crt -req -signkey
server.key -days 3650

UBUNTU 14 CONFIGURATION MANUAL

Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server
World/CN=www.server.world/emailAddress=xxx@server.world
Getting Private key
root@www:/etc/ssl/private# chmod 400 server.*

APACHE2
root@www:~# vi /etc/apache2/conf-enabled/security.conf
# line 26: change
ServerTokens Prod
# line 37: change
ServerSignature Off

root@www:~# vi /etc/apache2/mods-enabled/dir.conf
# line 2: add file name that it can access only with directory's name
DirectoryIndex index.html index.htm
root@www:~# vi /etc/apache2/apache2.conf
# line 70: add to specify server name
ServerName www.server.world
root@www:~# vi /etc/apache2/sites-enabled/000-default.conf
# line 11: change to webmaster's email
ServerAdmin webmaster@server.world
root@www:~# /etc/init.d/apache2 restart
* Restarting web server apache2
...done.