You are on page 1of 120

Setup Ubuntu 8.04.

1 Server (
  Lan)

Remark Network Card 2 ()

1. Insert Disk Ubuntu 8.04.1 Server Select English

2. Select Install Ubuntu Server


3. Select English

4. Select Other
5. (6 Select Thailand 89:;:9<= T 5 >;<
? @A>;<)

6. Select No
7. Select Thailand

8. DEA Thailand
9. Select Atl+Shift

10. Lan Card Select eth0


11. Select Configure network manually

12. ( IP address :;(L@


13. ( Netmask :;(L@

14. ( Gateway :;(L@


15. ( DNS :;(L@

16. ( Hostname :;(L@


17. ( Domain name :;(L@ (OP Continue QRE>;<))

18. Select Guided w use entire disk


19. Select All Partition

20. Select Yes For Begin Format


21. Begin Format & Install

22. ( Full Name New User


23. ( User Name

24. ( Password


25. ( Password Again

26. Enter W@QRE>;<)


27. Select LAMP Server & OpenSSH Server

28. ( Password Mysql == mysqlroot


29. ( Password Mysql Again

30. [\:;]9<?Q>;<)
31. R;P);DE=>;<) R CD : Select Continue R^_` Restart

32. 6E<a: Restart DE= Login 9= User Password [P`;= (
Lan 9DE=>;<))
33. 6E<a: Login 9= User Password [P`;=

User Password    root " # $%"&'( 


$  * '( +,#$,. root % .
 /

# sudo passwd root >>> 454  


[sudo] password for khoonin: >>> ?? *&$@ .
Enter new UNIX password: >>> ? root
Retype new UNIX password: >>> *G.*.? root
Passwd: password updated successfully >>> $ */ *+#

Setup Network [P`(L@@A>;<)

# nano /etc/network/interfaces

auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
# dns-* options are implemented by the resolvconf package, if
installed
dns-nameservers 192.168.0.1

auto eth1 >>> $45 

Save DE= Exit 9RE


34. [9E: Internet 9= >\<` ping www.yahoo.com
Remote Server 9= SSH
Login 9= SSH R;P);
Update Ubuntu Server

# apt-get update

Upgrade Ubuntu Server

# apt-get -y upgrade
D:c ip_forward
 
      Forward packet    

! /etc/sysctl.conf

# nano /etc/sysctl.conf

# Uncomment the next line to enable TCP/IP SYN cookies


# This disables TCP Window Scaling
(http://lkml.org/lkml/2008/2/5/167)
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4


#net.ipv4.ip_forward=1 >>> $  # ?. %

# Uncomment the next line to enable packet forwarding for IPv6


#net.ipv6.ip_forward=1

Save DE= Exit 9RE

<`[\@89 Restart

# echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

  /%#/ " 1


RQ9:;[\@ TUN/TAP device

# nano /etc/modules

# /etc/modules: kernel modules to load at boot time.


#
# This file contains the names of kernel modules that should be
loaded
# at boot time, one per line. Lines beginning with "#" are
ignored.

loop
lp
fuse
tun >>> $45 

Save DE= Exit 9RE


<`[\@89 Restart

# modprobe tun

Update =<@R=Ec Server (6[\@[g:>;<?[P`RQ9R>;_`

# nano /etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

/usr/sbin/ntpdate time.navy.mi.th >>> $45 

exit 0

Save DE= Exit 9RE

Thaicert Nectec ;=][D6L] g[:h; :[<^R;_


clock.thaicert.nectec.or.th time1.nimt.or.th time.navy.mi.th
time2.nimt.or.th time2.navy.mi.th
time3.nimt.or.th time3.navy.mi.th
Setup Chillispot

# apt-get -y install chillispot

IP address of radius server 1: == 127.0.0.1


Radius shared secret: == radiussecret

Ethernet interface for DHCP to listen: == eth1


URL of UAM server: == https://192.168.3.1/uam/hotspotlogin.php

URL of UAM homepage: == https://192.168.3.1/uam/index.php


Shared password between chillispot and webserver: == uamsecret

]9<? chillispot R;P);DE=>;<)


RQ9:;(L@ Chillispot

# nano /etc/default/chillispot

# /etc/default/chillispot
#
# Enable on system start?
# Change to 1 if you want it to be enabled.
# Please make sure you have configured chillispot first.
ENABLED=0 >>> +%?$,. ENABLED=1
#
# chillispot default configuration
CHILLICFG=/etc/chilli.conf
#
# daemon arguments
DAEMON_ARGS="--conf $CHILLICFG"

Save DE= Exit 9RE


D:c File Chilli.conf (89:;>@6)

# nano /etc/chilli.conf

#net 192.168.182.0/24 >>> +%?$,. net 192.168.3.0/24


radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
radiussecret radiussecret
dhcpif eth1
uamserver https://192.168.3.1/uam/hotspotlogin.php
uamhomepage https://192.168.3.1/uam/index.php
uamsecret uamsecret
#uamlisten 192.168.182.1 >>> +%?$,. uamlisten 192.168.3.1
#uamallowed www.chillispot.org,10.11.12.0/24 >>> +%?$,. uamallowed
www.????.com,192.168.3.0/24 (:R@k989]9)Ek:)

Save DE= Exit 9RE


]9<? Friewall

# cp /usr/share/doc/chillispot/firewall.iptables /etc/init.d/chilli.iptables
# chmod a+x /etc/init.d/chilli.iptables
# ln -s ../init.d/chilli.iptables /etc/rcS.d/S41chilli.iptables

<` Script firewall [\@

# /etc/init.d/chilli.iptables

<` Restart ChilliSpot

# /etc/init.d/chillispot restart
D:c File chilli.iptables R^_` SSH Rc[ eth1 9

# nano /etc/init.d/chilli.iptables

EXTIF="eth0"
INTIF="eth1"

$IPTABLES -P INPUT DROP


$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)


$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow releated, established and ssh on $EXTIF. Reject everything else.


$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

>>> $45  2 / "#. 


w /
#Allow releated, established and ssh on $INTIF.
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 22 --syn -j ACCEPT

#Allow related and established from $INTIF. Drop everything else.


$IPTABLES -A INPUT -i $INTIF -j DROP

Save DE= Exit 9RE


<` Script firewall [\@ Again

# /etc/init.d/chilli.iptables

<` Restart ChilliSpot Again

# /etc/init.d/chillispot restart
ChilliSpot Start R;P);DE=  Notebook :<) Network = etc1
9 IP Address a: Server DE=

Remote SSH Q[P` IP eth1 c Server


]9<? Radius Server

# apt-get -y install freeradius freeradius-mysql freeradius-dialupadmin


]9<? phpMyAdmin
D: Config phpMyAdmin
(L Edit Plus D:);;[<9[P` 73 (6RQ@ http

[9) phpMyAdmin http://192.168.3.1/phpMyAdmin-2.6.4/

Restart Apache

# /etc/init.d/apache2 restart
; Database freeradius

# mysql -u root –p >>> $. Mysql


Enter password: mysqlroot >>> password $w .5"w LAMP
mysql> CREATE DATABASE radius;
mysql> quit

( Freeradius database schema 9=>\<`9<@P?

# zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p


radius
Enter password: mysqlroot
D:c6 Freeradius ]9:<) Mysql 9

# nano /etc/freeradius/sql.conf

sql {
# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
driver = "rlm_sql_mysql"

# Connect info
server = "localhost"
login = "root"
password = "rootpass" >>> +%?$,. Password root  $
# Database table configuration
radius_db = "radius"

Save DE= Exit 9RE


D:c secret share c radius

# nano /etc/freeradius/clients.conf

# default, otherwise it's not a secret any more!


#
# The secret can be any string, up to 31 characters in length.
#
secret = testing123 >>> +%?$,. radiussecret
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.

Save DE= Exit 9RE


 Test Freeradius :<@@A>;<)D; User \6;)[9):@

# nano /etc/freeradius/users

#
#"John Doe" Cleartext-Password := "hello"
# Reply-Message = "Hello, %u"

>>> Copy 2 / "/.+%/


"John Doe" Auth-Type := Local, User-Password == "hello"
Reply-Message = "Hello, %u"

#
# Dial user back and telnet to the default host for that port
#

Save DE= Exit 9RE

Restart Server RE>;<)

# reboot

OR:]9Qo6;O Remote Server eth1 9= SSH 9(6 Repair


Network [P`R>;_` Notebook aA(69P Restart Notebook RE>;<)
:<@RE>;<) RLk> Config Freeradius  Stop Freeradius :@>;<)

# /etc/init.d/freeradius stop

# freeradius -XXX -A

);;[<9g9[cp?@c>= Info: Ready to process requests. D9= OK


DE=>;<) Crtl+C :RE>;<) (8= R)
<` Start Freeradius

# /etc/init.d/freeradius start

Test Authen radius (file)

# radtest "John Doe" hello 127.0.0.1 0 radiussecret

Sending Access-Request of id 153 to 127.0.0.1 port 1812


User-Name = "John Doe"
User-Password = "hello"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=153,
length=37
Reply-Message = "Hello, John Doe"

cp?@c>=);<)= rad_recv: Access-Accept D9= OK DE=>;<)


(8= R) P:r<:[P`
RQEP`@ Freeradius 6(L Database

# nano /etc/freeradius/radiusd.conf

>>> .?. 
w / See "Authorization Queries" in sql.conf

# Read the 'users' file


Files >>> +%?$,. # Files ( #)

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
# sql >>> +%?$,. sql (# $  %)

Save DE= Exit 9RE


Add user E(@ Mysql >;<) (Username == test, Password == secret)

# echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES


('test', 'Password', 'secret');" | mysql -u root -p radius
# Enter password: mysqlroot

<` Restart Freeradius

# /etc/init.d/freeradius restart

Test Authen radius (SQL)

# radtest test secret 127.0.0.1 0 radiussecret

Sending Access-Request of id 80 to 127.0.0.1 port 1812


User-Name = "test"
User-Password = "secret"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=80,
length=20
cp?@c>=);<)= rad_recv: Access-Accept D9= OK DE=>;<)
(8= R) uuu

D:c SQL Logging R^_`R=E(L@ ezradius

# nano /etc/freeradius/sql.conf

postauth_query = "INSERT into ${postauth_table} (user, pass, reply,


dat$

#
# Set to 'yes' to read radius clients from the database ('nas' table)
#readclients = yes >>> +%?$,. readclients = yes (# $  %)
}

Save DE= Exit 9RE


D:c File radius.conf RE>;<)

# nano /etc/freeradius/radiusd.conf

>>> .?. 
w / See "Accounting queries" in sql.conf

# Log traffic to an SQL database.


#
# See "Accounting queries" in sql.conf
# sql >>> +%?$,. sql (# $  %)

#
# Instead of sending the query to the SQL server,
# write it into a log file.

>>> .?. 
w / See "Authentication Logging Queries" in sql.conf

# After authenticating the user, do another SQL query.


#
# See "Authentication Logging Queries" in sql.conf
# sql >>> +%?$,. sql (# $  %)

#
# Instead of sending the query to the SQL server,
# write it into a log file.

Save DE= Exit 9RE


<` Restart Freeradius

# /etc/init.d/freeradius restart

Test Authen radius (SQL) Again

# radtest test secret 127.0.0.1 0 radiussecret

Sending Access-Request of id 80 to 127.0.0.1 port 1812


User-Name = "test"
User-Password = "secret"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=80,
length=20

cp?@c>=);<)= rad_recv: Access-Accept D9= OK DE=>;<)


]9<? SSL RQ@ Modules c Apache

# apt-get install -y libapache2-mod-auth-mysql

; Certificate

# apt-get -y install ssl-cert


; Folder R:k) Certificate

# mkdir /etc/apache2/ssl

; Certificate

# sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem


R;P);DE=>;<) RQ9(L@ SSL

# sudo a2enmod ssl

;<)> Config (6

# /etc/init.d/apache2 force-reload
; virtualhost = Link SSL

Upload File hotspot '% Folder File Config , /etc/apache2/sites-available/

D:c File hotspot

# nano /etc/apache2/sites-available/hotspot

NameVirtualHost 192.168.3.1:443 >>> +%?$,. IP eth1   Server


<VirtualHost 192.168.3.1:443> >>> +%?$,. IP eth1   Server
ServerAdmin webmaster@domain.org
DocumentRoot "/var/www/hotspot"
ServerName "192.168.3.1" >>> +%?$,. IP eth1   Server

Save DE= Exit 9RE


<`(6 virtualhost [\@

# sudo a2ensite hotspot

# /etc/init.d/apache2 reload
Open Port

Upload File ports.conf '% Folder file config , /etc/apache2/

D:c File ports.conf

# nano /etc/apache2/ports.conf

#Listen 80
#
#<IfModule mod_ssl.c>
# Listen 443
#</IfModule>
Listen 192.168.3.1:80 >>> +%?$,. IP eth1   Server
Listen 192.168.3.1:443 >>> +%?$,. IP eth1   Server

Save DE= Exit 9RE


D:c File default

# nano /etc/apache2/sites-available/default

NameVirtualHost * >>> +%?$,. NameVirtualHost *:80


<VirtualHost *> >>> +%?$,. <VirtualHost *:80>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None

Save DE= Exit 9RE


D:c File apache2.conf

# nano /etc/apache2/apache2.conf

# Do NOT add a slash at the end of the directory path.


#
ServerRoot "/etc/apache2"
ServerName 192.168.3.1 >>> $45 
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.

Save DE= Exit 9RE


D:c File apache2.conf

# nano /etc/hosts

127.0.0.1 localhost
192.168.0.100 THAIEN-HOTSPOT >>> +%?$,. 192.168.3.1 THAIEN-
HOTSPOT

# The following lines are desirable for IPv6 capable hosts


::1 ip6-localhost ip6-loopback

Save DE= Exit 9RE


Restart Apache

# /etc/init.d/apache2 restart

[\:; Upload Hotspot Login

1. $, /var/www/  Floder hotspot


2. Upload Floder uam '% …,+% .% \web\ ,
/var/www/hotspot/

3. +% File conStatus.php *& …,+% .% \web\uam\Connections


4. +# Upload , / $"5
5. +% File index.php *& …,+% .% \web\uam\
6. +# Upload , / $"5
7. " /?. login hotspot http://google.co.th
8. +%‡ˆ …"*% Upload File charset '% Folder File Config ,
/etc/apache2/conf.d/

Restart Apache

# /etc/init.d/apache2 restart

9. " /?. %
login hotspot http://google.co.th
10. " / % Internet …"* User Password $
(User == test Password == secret)
]9<? ezradius

Upload Floder manage '% …,+% .% \web\ , /var/www/

(L>\<`R^_`D:cRac8wER9;@A>;<) 89(L>\<` chown

# chown -R www-data:www-data /var/www/manage


Rc Web ezradius http://192.168.3.1/manage/

Config ezradius
% . .
G  (/‰Š. &#  radius %.% .
.(/…"*?#5‹% Tool > Config editor

+#? %+%&,$#*.(/ +# *#G save #(


:;a<9:;:<) group DEA user

:;R^]` group

% . $'( %$5 $45


group $4G +*%%.  user %$,.%#‰. $.
'* , .%$ *. $  &'%%/ Attribute   radius % .@Œ '( 
?.  .% /‰%.   (// $.(/ $'(",/+%
."$?( *$. ''( .‰? '* ?G ??..  %
download/upload %%.%$ *.?G Ž&.  , $ #($"&?* 
Attribute '(..%." %.(/

>=6c Attribute [P`@]@\(L@(@;A)) Chillispot

$5 .%%#‰.%.$#*.(/…"*, Manage > Add > New Group

?$#G %&,$#*.(/
Attribute : Simultaneous-Use G % login @ .%.. . $ .‰?%#‰. w
Logig @ .%..(/ "..
w ?
Perator : :=+#( Value : 1 (?% %@ .%."? Value : 0)
'%.w.$$45  Attribute ?%#‰  teacher %." %.(/

?#5‹% add new attributr +#?&,$#*.(/

$%. ‰%. (60 5. ) ?%.? diconnect 15 . (900 5. )

$# . w 5  … (18000 . ) ?#'% login ? redirect ,*$/
http://www.srp.ac.th

%?." download $ %/ 1024kbps %?." upload $ %/ 512kbps


$G %$45  Attribute +#?% (Ž5"4#"%'("&,

:;a<9:; user

$5 .%Ž&.%.$#*.(/ …"*, Manage > Add > New User

*#($ *" Ž& &,$#.(/ '%.w.% Add user +#.,."$#*


/
,#  knoonin %." %.(/'($,. * $ set Attribute ?G $,#
"# $," IE .(/

+" Certificatr ssl  $ .+#.(/ ?$#G % Continue to this


website $#*.(/
'($' ?. ?. index.php $ ‰% #  . 5 .(/@Œ $
+%?.. +w #$,.,(%’   ?.*.".(/ $.+'%
,(‰ ($4(*?% . 5 $ $.% $' ?.. %
w  .) '%.w.$#G % $&
(//

$*  "+#( ." 5  … $4( *&.%#‰  teacher +#* redirect


?.+% http://www.srp.ac.ch / ‰% *.(/
:;(L@=@ u c ezradius

User Online
?/"& “ ,''‰/. user (. *&/ …"*, View > Online users

'(""&,
****6R6g ezRadius ****

RQEP`@RQ@ Version 1.1.4 and above R^_`(6;OL Password MD5 9

R^]`/D:c user RE_: Cleartext password


Add Port 3779 R^_` Kick User (1)

# nano /etc/init.d/chillispot

DESC="Chillispot captive portal"


NAME=chillispot
DAEMON=/usr/sbin/chilli
DAEMON_ARGS="--conf /etc/chilli.conf" >>> +%?$,.
DAEMON_ARGS="--coaport3779 --conf /etc/chilli.conf"

PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

Save DE= Exit 9RE


Add Port 3779 R^_` Kick User (2)

# nano /etc/chilli.conf

# TAG: macsuffix
# Suffix to add to MAC address in order to form the username.
# Normally you do not need to uncomment this tag.
#macsuffix suffix

coaport 3779 >>> $45 

Save DE= Exit 9RE

Restart ChilliSpot (@@r<:6@)

# /etc/init.d/chillispot restart
9{:;(L@c User @6E<

$"&%.  User * .?#"…"*(/‰.  %"& ?G


G User  % ?G w. +#( user …"*. . w'(*% *"& user +#(.
…"*?$#G % Accounting > Per User and Date

G user . $5  +#(. .


5w ‰" &,

'("*#($ *" "&,


:;]9<? Transparent Proxy

$5 .5"w squid ?/ ?. $%/ cache +#( sarg *.%.Ž.
?.$/

# sudo apt-get -y install squid sarg

?#'%5"w+#?+% •#  squid …"* 

# nano /etc/squid/squid.conf

…"*?+%". w
http_port 3128
#cache_mem 8 MB
#cache_dir ufs /var/spool/squid 100 16 256
#acl our_networks src 192.168.2.0/24
#http_access allow our_networks
access.log /path/access.log squid
#emulate_httpd_log off

>>> +%$,. (…"*5–


.?)

http_port 3128 transparent


cache_mem 64 MB
cache_dir ufs /var/spool/squid 100 16 2000
acl our_networks src 192.168.3.0/24
http_access allow our_networks
access.log /path/access.log
emulate_httpd_log on
>>> / "‰" *
visible_hostname THAIEN-HOTSPOT >>>$45 

Save DE= Exit 9RE

<`;P;[ squid

# /etc/init.d/squid restart
'%.w. ? user $. proxy .(/…"*,+% •# chilli.iptables

# nano /etc/init.d/chilli.iptables

#Allow releated, established and ssh on $EXTIF. Reject everything else.


$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT
#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP
#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

>>> $45 $,


#Allow Tranparent proxy
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT

#Allow everything on loopback interface.


$IPTABLES -A INPUT -i lo -j ACCEPT

>>> $45 $,


#Allow Tranparent proxy
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 192.168.3.0/16 --dport 80 -j
RETURN
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports
3128
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 88 -j REDIRECT --to-ports
3128

Save DE= Exit 9RE


:;R^]` Port u(6 Redirect Q[P` Proxy (RL@ port 88)

# nano /etc/init.d/chilli.iptables

#Allow everything on loopback interface.


$IPTABLES -A INPUT -i lo -j ACCEPT

#Allow Tranparent proxy


$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 192.168.3.0/16 --dport 80 -j
RETURN
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports
3128
>>> $45 $,
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 88 -j REDIRECT --to-ports
3128

Save DE= Exit 9RE


:;R^]` port (6W@ Proxy 9 (RL@ port 88)

# nano /etc/squid/squid.conf

>>>.?. w acl to_localhost dst 127.0.0.0/8

#Recommended minimum configuration:


acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 88 # http cz >>>$4G / ". w
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais

Save DE= Exit 9RE

<`;P;[ squid

# /etc/init.d/squid restart
<`(6 transparent [\@

# /etc/init.d/chilli.iptables

9{ access.log c Squid

"# . internet Ž. gateway server

# tail /var/log/squid/access.log -f

Ctrl+c %
:;9{;@c SARG (Squid report)

 ? sarg ."$#*…"*

# sarg

'%.w.%$"&*.%$/"$#*/…"*"&'% IE "$#
…"*454 http://192.168.3.1/squid-reports

<?R=E(6 sarg [\@W@ crontab

# nano /etc/crontab

# m h dom mon dow user command


17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
#
#sarg squid report
0* * * * root /usr/bin/sarg
#Shut Down
05 20 * * * root shutdown -h now

Save DE= Exit 9RE


Logrotate

$,.%#% (//,˜5/% 5 # .%


‰ @ *#/ log file $%% %, +#•#
log Œw.? @Œ  Ž# ?•# log ?%$%5., …"*% log file ?.. w
'(,@w%/•#$"5 '( option %%*?$+% + 4 ‰, " 
". w

1. Weekly-daily-monthly ?*Œ ?%  rotate . ‰%  5*


(weekly) ?G ‰% . (daily) ?G $"G . (monthly)
2. rotate xx ?*Œ  ? % rotate xx w % .#/•#$% 5w,
3. compress ?*Œ  ? % zip •# &% rotate ,+#
4. delaycompress ?*Œ  ? %(# % zip , 1 w ?
% rotate w+%$,.%$,# *.G •#$4 * *$" * +#('(&% zip .
% rotate .w ,
5. notifemply-ifemply ?*Œ ? % rotate $G log file .. w 
6. postrotate $,.%%?."?% .  ?#'%  % rotate ,
+#
7. endscript $,.%'/   postrotate
8. mail(address) $,.% ?(// log file ?Ž&"+ & #(//  E-mail
9. prerotage/endscript $,.%%?."? %.  % . '( %
% rotate @Œ '($,.+// postrotate
D:c Logrotate squid

# nano /etc/logrotate.d/squid

/var/log/squid/access.log {
daily
compress
delaycompress
rotate 2
missingok
nocreate
sharedscripts
# prerotate
# test ! -x /usr/sbin/sarg-maint || /usr/sbin/sarg-maint
# endscript
# postrotate
# test ! -e /var/run/squid.pid || /usr/sbin/squid -k rotate
# endscript
}

>>> +%$,.

/var/log/squid/access.log /var/log/squid/store.log {
daily
compress
# delaycompress
rotate 1
missingok
nocreate
sharedscripts
# prerotate
# test ! -x /usr/sbin/sarg-maint || /usr/sbin/sarg-maint
# endscript
# postrotate
# test ! -e /var/run/squid.pid || /usr/sbin/squid -k rotate

# endscript
}
>>> $45 
/var/log/squid/cache.log {
weekly
compress
rotate 2
missingok
nocreate
sharedscripts
}

Save DE= Exit 9RE


QD:>[P`wE radiusd.conf

# nano /etc/freeradius/radiusd.conf

>>> .? detailfile

detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

>>> +%?$,.

detailfile = ${radacctdir}/%{Client-IP-Address}/details

Save DE= Exit 9RE

+%•# G  /etc/logrotate.d/freeradius $4G '"%%/•# "%#

# nano /etc/logrotate.d/freeradius

/var/log/freeradius/*.log {
weekly
rotate 52
compress
notifempty
}

>>> +%$,.

/var/log/freeradius/radacct/127.0.0.1/details {
daily
compress
rotate 1
missingok
notifempty
}

Save DE= Exit 9RE


<` freeradius Restart

# /etc/init.d/freeradius restart

[9E login Rc internet aAP file details cp?@ [P/


`
var/log/freeradius/radacct/127.0.0.1

<` logrotate [\@

# /etc/cron.daily/logrotate
(@[P`@P?W9; folder /home/LOG =DE=@A>;<) (>;[P`<;RQ@ :k
;@P?RE

# mkdir /home/LOG

; File changeaccess.sh R^_`RQEP@L_` File

# nano /home/changeaccess.sh

#!/bin/sh
timeaccess=`date +%Y-%m-%d`
cp /var/log/squid/access.log.1.gz /home/LOG/$timeaccess-access.log.gz
cp /var/log/squid/store.log.1.gz /home/LOG/$timeaccess-store.log.gz
cp /var/log/freeradius/radacct/127.0.0.1/details.1.gz
/home/LOG/$timeaccess-freeradius.log.gz

Save DE= Exit 9RE

chmod +x /home/changeaccess.sh ( R^_`(6 8Q;D:;;O


;<@ script @P` 9)

# chmod +x /home/changeaccess.sh
R=EaAR;P:(L

# cd /home
# ./changeaccess.sh

<?R=E(6 logrotate [\@W@ crontab

# nano /etc/crontab

# m h dom mon dow user command


17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
#
#sarg squid report
00 20 * * * root /usr/bin/sarg
#logrotate
05 20 * * * root /etc/cron.daily/logrotate
#change File name
15 20 * * * root sh /home/changeaccess.sh
#Shut Down
30 20 * * * root shutdown -h now

Save DE= Exit 9RE


TIP :@a)>;
+%,? session 
.'(., shell scrip  ?/("%.%.%".(/

# nano /home/clearlog.sh

rm /var/log/freeradius/radutmp
rm /var/log/freeradius/radwtmp
touch /var/log/freeradius/radutmp
touch /var/log/freeradius/radwtmp
chown freerad:freerad /var/log/freeradius/radutmp
chown freerad:freerad /var/log/freeradius/radwtmp

Save DE= Exit 9RE

+% permittion

# chmod 700 /home/clearlog.sh

$#.

# cd /home

# ./clearlog.sh

'%.w..,. /etc/rc.local .(/

9{O@Ac Lan card

# mii-tool

"&$.Gw $%/ Cache

# du –sh /var/spool/squid
]9<? bandwidthd D[@ sarg (@ ubuntu

# apt-get -y install bandwidthd

RE_: :;9 [P`:; (6D9WE


any ‰%%"
%" .
G %+#+   chilli % tun
$#G % IP Address tun0 (‡*.)  '.$'
D:c Config Apache

# nano /etc/apache2/apache2.conf

# The internationalized error documents require mod_alias, mod_include


# and mod_negotiation. To activate them, uncomment the following 30
lines.

>>> $45  5 / "".#. 


w /

Alias /bandwidthd "/var/lib/bandwidthd/htdocs"


<Directory "/var/lib/bandwidthd/htdocs">
Order Allow,Deny
Allow from All
</Directory>

# Alias /error/ "/usr/share/apache2/error/" >>> .?/ ". 


w /
#
# <Directory "/usr/share/apache2/error">
# AllowOverride None
# Options IncludesNoExec
# AddOutputFilter Includes html
# AddHandler type-map var

Save DE= Exit 9RE


Restart Apache

# /etc/init.d/apache2 restart

D: Config bandwidthd

# nano /etc/bandwidthd/bandwidthd.conf

. w$#G .,/ "#‰" $  # ?./ "‰" * %

#Set META REFRESH for static pages in seconds(default 150, use 0 to


disable).
#meta_refresh 150

meta_refresh 150

#Set the static html output directory


#htdocs_dir "/var/lib/bandwidthd/htdocs" >>> $  # %

Save DE= Exit 9RE


R;kaDE=<`(6[\@

# bandwidthd

DE= restart bandwidthd

# /etc/init.d/bandwidthd restart

9{WE6@R=)RE>;<) http://192.168.3.1/bandwidthd
<? crontab (6 bandwidthd <^R9[c{E[g:=<@@ R[P>_@ 5@[P

# nano /etc/crontab

#
#sarg squid report
00 * * * root /usr/bin/sarg
#bandwidthd
50 * * * root /usr/bin/bandwidt
#Shut Down
10 0 * * * root shutdown -h now

Save DE= Exit 9RE


]9<? syslog-ng

# apt-get -y install syslog-ng

9=@86E98Q;D:; php syslog viewer 9=>\<` =(@ /tmp/

# cd /tmp/

# wget http://downloads.sourceforge.net/phpsyslogviewer/phpsyslogviewer-7.2.1.tar.bz2
]9<?8Q;D:; bzip2 9=>\<` <{(@ /tmp/ @A>;<)

# apt-get install bzip2

D:wE phpsyslogviewer 9=>\<`

# tar xjvf phpsyslogviewer-7.2.1.tar.bz2


9=@86E98Q;D:; speedupd

@Œ $,.…,+%$$?$ .'5w., . &#&Š


 . &# mysql "* 

# wget
http://jaist.dl.sourceforge.net/sourceforge/phpsyslogviewer/speedupd-
7.3.2.tar.bz2

…•#$"  install   phpsyslogviewer '( 5, 5"w  ?%/


Š. &# $'(  %Š. &#$ *% . 5›(.w.'(4/%/ Ž5"4#"+#(
.5,"%#Ž."  .
w  .". w

1. $,# *."$%  ,*…•#$"  phpsyslogviwer-7.2.1

# cd phpsyslogviewer-7.2.1
2. $& mysql "* 
mysql -u root -p +#, .?Ž.  root

# mysql -u root -p

3. Š. &#G syslogng "* 

mysql>create database syslogng;


4. %'% mysql "*

mysql> exit;

5.  &#"*% script '%


•# install/phpsyslogviewer.sql "* 

# mysql -u root -p syslogng < install/phpsyslogviewer.sql

, . username +#( password $,.•# intall/newuser.sql.php "$.

# nano install/newuser.sql.php

// 02110-1301, USA.
// -------------------------------------------------------------------

$user = ""; // Your Username >>>  User


$pass = ""; // Your Password  Password

// -------------------------------------------------------------------
Save DE= Exit 9RE
*****User DEA Password r?\:<@

5"w…,+% php5-cli $4G ?.


   php Ž. command line "* 

# apt-get -y install php5-cli


.‡ˆ php-command line $4G insert  &# user +#( pass $&
 &# user  Š. &# syslogng "* ". w

# php install/newuser.sql.php

.‡ˆ php-command line "*  ,. w

# php install/newuser.sql.php | mysql -u root -p syslogng

'"%$/"$  $4G ?$ *%"& &#Ž.$//$@ " "*%$.


•# "* ". w

# cp -R htdocs /var/www/phpsyslogviewer
+%•# .•%G /var/www/phpsyslogviewer/config.php $4G %?."
$% *%/Š. &#". w

# nano /var/www/phpsyslogviewer/config.php

// USER DEFINED VARIABLES


// -------------------------------------------------------------------

$db_user = "syslog"; // Database Username


$db_pass = "syslog"; // Database Password
$db_host = "localhost"; // Database Hostname
$db_name = "syslog"; // Database Name

>>> +%$,.

$db_user = "root"; // Database Username


$db_pass = "mysqlroot"; // Database Password
$db_host = "localhost"; // Database Hostname
$db_name = "syslogng"; // Database Name

Save DE= Exit 9RE


;<@>\<`Q@P?

# chown root:www-data /var/www/phpsyslogviewer/config.php

# chmod 440 /var/www/phpsyslogviewer/config.php

Rc9{R=k)rc phpsyslogviewer [P` http://192.168.3.1/phpsyslogviewer


]9<?D^k>R:a speedupd-7.3.2
$4G $$?$ .'5w., . &#&Š. &# mysql . w  .. w '*‰*%.5"?. *
$4(  % 4#+4$%'"*$ ?  *w  .(/w. .
. w 5›(.w. $* phpsyslog-ng '(&@Œw Œ" "$,. * ?  
 ,. w

# cd .. >>> % /tmp/ % ./

# tar xjvf speedupd-7.3.2.tar.bz2

# cd speedupd-7.3.2 >>> $, / speedupd-7.3.2 / % ./


# apt-get –y install build-essential cmake libmysqlclient15-dev libdaemon-
dev libconfuse-dev

# apt-get -y install debhelper cmake libdaemon-dev libconfuse-dev


fakeroot
 ,?? ."& ''( 5"w libmysqlclient15-dev $45 $5"* 

# apt-get –y install libmysqlclient15-dev

# dpkg-buildpackage –rfakeroot
 .. w$'("+4$%'(%&# debian G  speedupd_7.3.0_i386.deb (?/ 64
bit OS '(G speedupd_7.3.0_amd64.deb) ?5"w+4$%'+#(%?."?%/
•# speedupd.conf". w

# cd ..

# ls

(?/$G  $,. 64 bit  dpkg -i speedupd_7.3.0_i386.deb)


(?/$G  $ ,. 64 bit  speedupd_7.3.0_amd64.deb)

# dpkg -i speedupd_7.3.0_i386.deb
D:c Config speedupd

# nano /etc/speedupd.conf

dbusername = syslog
dbpassword = syslog
dbhostname = localhost
dbdatabase = syslog

>>> +%$,.

dbusername = root
dbpassword = mysqlroot
dbhostname = localhost
dbdatabase = syslogng

Save DE= Exit 9RE


Start Speedupd

# /etc/init.d/speedupd start
QRQ@:;:\6@9> syslog-ng

?%/ syslog-ng %,$%/*Š. &# . w$#*/ *  Ž&$ *."


5– %$%/ &#%'' 45$ . G . % $4G ? $'"
*  / ?% •# .•$% *&+#%$45 $5$›4(.  %$%/ &#
.Š. &#"$#*/ …"*?+%.•# /etc/syslog-ng/syslog-ng.conf $,.
" ,. w @Œ .?. *&+#% .(/

# nano /etc/syslog-ng/syslog-ng.conf

***options
options {
recv_time_zone (+07:00);
send_time_zone (+07:00);
sync (0);
time_reopen (100);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
chain_hostnames(yes);
keep_hostname (yes);
};

***source
source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
udp(ip(0.0.0.0) port(514));
tcp(ip(0.0.0.0) port(514) keep-alive(yes));
};

***destination
destination d_mysql {pipe("/var/log/mysql.pipe" template("INSERT
INTO logs (host, facility, priority, level, tag, datetime, program, msg)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG',
'$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG'
);\n") template-escape(yes));
};

***filter
filter f_kernel { facility (kern); };
filter f_messages { level(info..emerg) and not (facility(mail) or
facility(authpriv) or facility(cron)); };

***log
log {source(s_sys); filter(f_messages); destination(d_mysql); };
log {source(s_sys); filter(f_kernel); destination(d_mysql); };

Save DE= Exit 9RE


;>;]QR^_`[\Q@\6;<)>;Pa:Q@{|@c{E @@P?
RQ@ bash >;]Q>;<) w9{=g@=D[\a;]:>;<) (6; script
file 9=>\<`Q@P?

# nano syslog2mysql.sh

>>>+# &# ,. w#,.•# +#/. Œ%•#

#!/bin/bash
if [ ! -e /var/log/mysql.pipe ]
then
mkfifo /var/log/mysql.pipe
fi
while [ -e /var/log/mysql.pipe ]
do
mysql -u root --password=radius syslogng < /var/log/mysql.pipe >/dev/null
done

Save DE= Exit 9RE

[\:;RQEP`@][}]wE DE=;<@>\<`Q@P?

# chmod +x syslog2mysql.sh

# ./syslog2mysql.sh &

# /etc/init.d/syslog-ng start

****6R6g****
a::;]9<? phpsyslogviewer DE= phpsyslogviewer PD log
Start,stop c Syslog-ng R[@<?@
:;>a: squid Q< syslog

# tail -F /var/log/squid/access.log | logger -t squid -p user.info

a:@<?@[\:;>a: radiusd Q< syslog 9<?@P?

# tail -F /var/log/radius/radacct/127.0.0.1/details | logger -t radiusd -p


user.info

?*$?‰   logger -t '(% ?."G  &#%'' 45$  . . w$'(


+ . &#%
'' 45$  '%$@  5" $. squid +#( radius $,.. +#( ?#G
 tail -F $4('($,.%
%?."? tail .•# . '( %•# ??G %
 
?/5– %+%,?•# ''(?$%5.,?/ &## %•#   radius
Server $
.%.%/

:;<?>(6c{E:;a;a;>^]=R; a: squid DEA radius 89(6


[\@[g:>;<?6E<RQ9R>;_`9<?@P?

# nano /etc/init.d/rc.capture

#!/bin/bash
tail -F /var/log/squid/access.log | logger -t squid -p user.info &
tail -F /var/log/freeradius/radacct/127.0.0.1/details | logger -t radiusd -p
user.info &

Save DE= Exit 9RE

a:@<?@<`(6;O;<@9DEA;E]> (6[\@[g:>;<?6E<RQ9R>;_`

# chmod a+x /etc/init.d/rc.capture

# ln -s /etc/init.d/rc.capture /etc/rcS.d/S88rccapture
<`(6 rc.capture [\@

# /etc/init.d/rc.capture

;=a) syslog

# tail -f /var/log/syslog

[9E(L@ Internet
]9<? webmin

# cd /var

# tar zxvf webmin-1.480.tar.gz

# cd webmin-1.480

# sh setup.sh
:;[\@c Samba aA[\@{)@ Port 137,138 DEA 139

* 137 Name Service : SMB '( port . w .%G $G  45$ "* %
/ package UDP (User Datagram Protocol) (…"*  IP $*)

* 138 Datagram Service : SMB '( port . w.% Browse ?G $G 

* 139 Session Service : SMB '( Port . w.%/ &#(?$G  "*


…,… # TCP @Œ +.. . %/ %  &#,Œ,#* +.. .
D:c File chilli.iptables R^_` webmin DEA samba Rc[ eth1 9

# nano /etc/init.d/chilli.iptables

#Allow releated, established and ssh on $EXTIF. Reject everything else.


$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow releated, established and ssh on $IXTIF.


$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 22 --syn -j ACCEPT
>>> $45  5 / "#. 
w /
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 137 --syn -j ACCEPT
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 138 --syn -j ACCEPT
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 139 --syn -j ACCEPT
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 445 --syn -j ACCEPT
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 10000 --syn -j ACCEPT

#Allow related and established from $INTIF. Drop everything else.


$IPTABLES -A INPUT -i $INTIF -j DROP

Save DE= Exit 9RE


[9)Rc webmin http://192.168.3.1:10000/

R:;Lg9@P`9c{E9>=;{a: http://www.linuxthai.org DEA Web


Linux uP::DEAc)>g~ >g~ chalee VDO3,VDO4

cD9>=@<)O_
=]g[}] :;AR:g