Squid + PAM Authentication in CentOS 7 - SME Networks

General index of the series: Computer Networks for SMEs: Introduction

Hello friends!

The title of the article should have been: «MATE + NTP + Dnsmasq + Gateway Service + Apache + Squid with PAM Authentication in CentOS 7 - SME Networks». For practical reasons we shortened it.

We continue with the authentication of local users on a Linux computer through PAM. This time we will see how to provide a Proxy service with Squid for a small network of computers, using the authentication credentials stored on the same computer on which the Squid server runs.

Although we know that it is very common practice nowadays to authenticate services against OpenLDAP, Red Hat's 389 Directory Server, Microsoft Active Directory, etc., we consider that we must first go through the simple and cheap solutions and only then face the more complex ones. We believe in going from the simple to the complex.


Scenario

It is a small organization, with very few financial resources, dedicated to supporting the use of Free Software, that chose the name DesdeLinux.Fan. They are several CentOS enthusiasts grouped in a single office. They bought a workstation, not a professional server, which they will dedicate to working as a "server".

The enthusiasts do not have extensive knowledge of how to implement an OpenLDAP server or a Samba 4 AD-DC, nor can they afford a Microsoft Active Directory license. However, for their daily work they need Internet access through a Proxy, to speed up browsing, and a space to store their most valuable documents and work files as backup copies.

They still mostly use legally acquired Microsoft operating systems, but want to change them to Linux-based operating systems, starting with their "Server".

They also aspire to have their own mail server, to become independent, at least at the origin, of services such as Gmail, Yahoo, HotMail, etc., which is what they currently use.

The Firewall and Routing rules towards the Internet will be set on the contracted ADSL Router.

They do not have a real domain name as they do not need to publish any service on the Internet.

CentOS 7 as a server without GUI

We start from a fresh installation of a server without a graphical interface; the only option we select during the process is «Infrastructure Server», as we saw in previous articles of the series.

Initial settings

[root@linuxbox ~]# cat /etc/hostname
linuxbox

[root@linuxbox ~]# cat /etc/hosts
127.0.0.1    localhost localhost.localdomain localhost4 localhost4.localdomain4
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.5 linuxbox.desdelinux.fan linuxbox

[root@linuxbox ~]# hostname
linuxbox

[root@linuxbox ~]# hostname -f
linuxbox.desdelinux.fan

[root@linuxbox ~]# ip addr list
[root@linuxbox ~]# ifconfig -a
[root@linuxbox ~]# ls /sys/class/net/
ens32  ens34  lo

We disable the Network Manager

[root@linuxbox ~]# systemctl stop NetworkManager

[root@linuxbox ~]# systemctl disable NetworkManager

[root@linuxbox ~]# systemctl status NetworkManager
● NetworkManager.service - Network Manager
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:NetworkManager(8)

[root@linuxbox ~]# ifconfig -a

We configure the network interfaces

ens32: LAN interface, connected to the internal network

[root@linuxbox ~]# nano /etc/sysconfig/network-scripts/ifcfg-ens32
DEVICE=ens32
ONBOOT=yes
BOOTPROTO=static
HWADDR=00:0c:29:da:a3:e7
NM_CONTROLLED=no
IPADDR=192.168.10.5
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
DOMAIN=desdelinux.fan
DNS1=127.0.0.1
ZONE=public

[root@linuxbox ~]# ifdown ens32 && ifup ens32

ens34: WAN interface, connected to the Internet

[root@linuxbox ~]# nano /etc/sysconfig/network-scripts/ifcfg-ens34
DEVICE=ens34
ONBOOT=yes
BOOTPROTO=static
HWADDR=00:0c:29:da:a3:e7
NM_CONTROLLED=no
IPADDR=172.16.10.10
NETMASK=255.255.255.0
# The ADSL router is connected to
# this interface with
# the following IP address
GATEWAY=172.16.10.1
DOMAIN=desdelinux.fan
DNS1=127.0.0.1
ZONE=external

[root@linuxbox ~]# ifdown ens34 && ifup ens34

Repositories configuration

[root@linuxbox ~]# cd /etc/yum.repos.d/
[root@linuxbox yum.repos.d]# mkdir original
[root@linuxbox yum.repos.d]# mv CentOS-* original/

[root@linuxbox yum.repos.d]# nano centos.repo
[Base-Repo]
name=CentOS-$releasever
baseurl=http://192.168.10.1/repos/centos/7/base/x86_64/
gpgcheck=0
enabled=1

[CentosPlus-Repo]
name=CentOS-$releasever
baseurl=http://192.168.10.1/repos/centos/7/centosplus/x86_64/
gpgcheck=0
enabled=1

[Epel-Repo]
name=CentOS-$releasever
baseurl=http://192.168.10.1/repos/centos/7/epel/x86_64/
gpgcheck=0
enabled=1

[Updates-Repo]
name=CentOS-$releasever
baseurl=http://192.168.10.1/repos/centos/7/updates/x86_64/
gpgcheck=0
enabled=1

[root@linuxbox yum.repos.d]# yum clean all
Loaded plugins: fastestmirror, langpacks
Cleaning repos: Base-Repo CentosPlus-Repo Epel-Repo Media-Repo Updates-Repo
Cleaning up everything
Cleaning up list of fastest mirrors
[root@linuxbox yum.repos.d]# yum update
Loaded plugins: fastestmirror, langpacks
Base-Repo                                   | 3.6 kB  00:00
CentosPlus-Repo                             | 3.4 kB  00:00
Epel-Repo                                   | 4.3 kB  00:00
Media-Repo                                  | 3.6 kB  00:00
Updates-Repo                                | 3.4 kB  00:00
(1/9): Base-Repo/group_gz                   | 155 kB  00:00
(2/9): Epel-Repo/group_gz                   | 170 kB  00:00
(3/9): Media-Repo/group_gz                  | 155 kB  00:00
(4/9): Epel-Repo/updateinfo                 | 734 kB  00:00
(5/9): Media-Repo/primary_db                | 5.3 MB  00:00
(6/9): CentosPlus-Repo/primary_db           | 1.1 MB  00:00
(7/9): Updates-Repo/primary_db              | 2.2 MB  00:00
(8/9): Epel-Repo/primary_db                 | 4.5 MB  00:01
(9/9): Base-Repo/primary_db                 | 5.6 MB  00:01
Determining fastest mirrors
No packages marked for update

The message «No packages marked for update» is shown because during installation we declared the same local repositories that we have at our disposal.

Centos 7 with the MATE desktop environment

To use the very good administration tools with a graphical interface that CentOS / Red Hat provide, and because we always miss GNOME2, we decided to install MATE as the desktop environment.

[root@linuxbox ~]# yum groupinstall "X Window system"
[root@linuxbox ~]# yum groupinstall "MATE Desktop"

To check that MATE loads properly, we execute the following command in a console, local or remote:

[root@linuxbox ~]# systemctl isolate graphical.target

and the desktop environment should load on the local machine without problems, showing lightdm as the graphical login. We type the name of the local user and its password, and we enter MATE.

To tell systemd that the default boot target is runlevel 5 (graphical environment), we create the following symbolic link:

[root@linuxbox ~]# ln -sf /lib/systemd/system/runlevel5.target /etc/systemd/system/default.target

We reboot the system and everything works fine.

We install the Time Service for Networks

[root@linuxbox ~]# yum install ntp

During installation we configured the local clock to synchronize with the time server sysadmin.desdelinux.fan, with IP 192.168.10.1. So we first save the original ntp.conf file:

[root@linuxbox ~]# cp /etc/ntp.conf /etc/ntp.conf.original

Now we create a new one with the following content:

[root@linuxbox ~]# nano /etc/ntp.conf
# Servers configured during installation:
server 192.168.10.1 iburst

# For more information, see the man pages of:
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Allow synchronization with the time source, but do not
# allow the source to query or modify this service
restrict default nomodify notrap nopeer noquery

# Allow all access to the loopback interface
restrict 127.0.0.1
restrict ::1

# Restrict a little less the computers on the local network.
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap

# Use the public servers of the pool.ntp.org project
# If you want to join the project visit
# (http://www.pool.ntp.org/join.html).

#broadcast 192.168.10.255 autokey        # broadcast server
broadcastclient                          # broadcast client
#broadcast 224.0.1.1 autokey             # multicast server
#multicastclient 224.0.1.1               # multicast client
#manycastserver 239.255.254.254          # manycast server
#manycastclient 239.255.254.254 autokey  # manycast client

broadcast 192.168.10.255

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers
# used when operating with symmetric key cryptography
keys /etc/ntp/keys

# Specify trusted key identifiers.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitor session to prevent amplification
# attacks using the ntpdc monlist command, when the default
# restriction does not include the noquery flag. Read CVE-2013-5211
# for more details.
# Note: Monitor is not disabled with the limited restriction flag.
disable monitor

We enable, start and check the NTP service

[root@linuxbox ~]# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

[root@linuxbox ~]# systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.

[root@linuxbox ~]# systemctl start ntpd
[root@linuxbox ~]# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-04-14 15:51:08 EDT; 1s ago
  Process: 1307 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 1308 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─1308 /usr/sbin/ntpd -u ntp:ntp -g

Ntp and the Firewall

[root@linuxbox ~]# firewall-cmd --get-active-zones
external
  interfaces: ens34
public
  interfaces: ens32

[root@linuxbox ~]# firewall-cmd --zone=public --add-port=123/udp --permanent
success
[root@linuxbox ~]# firewall-cmd --reload
success

We enable and configure the Dnsmasq

As we saw in the previous article of the Small Business Networks series, Dnsmasq is installed by default on a CentOS 7 Infrastructure Server.

[root@linuxbox ~]# systemctl status dnsmasq
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

[root@linuxbox ~]# systemctl enable dnsmasq
Created symlink from /etc/systemd/system/multi-user.target.wants/dnsmasq.service to /usr/lib/systemd/system/dnsmasq.service.

[root@linuxbox ~]# systemctl start dnsmasq
[root@linuxbox ~]# systemctl status dnsmasq
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-04-14 16:21:18 EDT; 4s ago
 Main PID: 33611 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─33611 /usr/sbin/dnsmasq -k

[root@linuxbox ~]# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.original

[root@linuxbox ~]# nano /etc/dnsmasq.conf
# -------------------------------------------------------------------
# GENERAL OPTIONS
# -------------------------------------------------------------------
domain-needed       # Do not forward names without the domain part
bogus-priv          # Do not forward addresses in the unrouted space
expand-hosts        # Automatically add the domain to the hosts
interface=ens32     # LAN interface
strict-order        # Order in which to query the /etc/resolv.conf file
conf-dir=/etc/dnsmasq.d
domain=desdelinux.fan          # Domain name
address=/time.windows.com/192.168.10.5

# Sends an empty WPAD option. Required for
# Windows 7 and later clients to behave properly. ;-)
dhcp-option=252,"\n"

# File where we declare the HOSTS that will be "banned"
addn-hosts=/etc/banner_add_hosts

local=/desdelinux.fan/

# -------------------------------------------------------------------
# CNAME, MX AND TXT RECORDS
# -------------------------------------------------------------------
# This type of record requires an entry
# in the /etc/hosts file
# e.g.: 192.168.10.5 linuxbox.desdelinux.fan linuxbox
# cname=ALIAS,REAL_NAME
cname=mail.desdelinux.fan,linuxbox.desdelinux.fan

# MX RECORDS
# Returns an MX record with the name "desdelinux.fan" destined
# for the mail.desdelinux.fan machine with a priority of 10
mx-host=desdelinux.fan,mail.desdelinux.fan,10

# The default destination for MX records created
# using the localmx option will be:
mx-target=mail.desdelinux.fan

# Returns an MX record pointing to the mx-target for ALL
# local machines
localmx

# TXT records. We can also declare an SPF record
txt-record=desdelinux.fan,"v=spf1 a -all"
txt-record=desdelinux.fan,"DesdeLinux, your Blog dedicated to Free Software"

# -------------------------------------------------------------------
# RANGE AND DHCP OPTIONS
# -------------------------------------------------------------------
# IPv4 range and lease time
# 1 to 29 are for Servers and other needs
dhcp-range=192.168.10.30,192.168.10.250,8h
dhcp-lease-max=222     # Maximum number of addresses to lease;
                       # by default it is 150
# IPv6 range
# dhcp-range=1234::,ra-only

# Options for the RANGE
dhcp-option=1,255.255.255.0     # NETMASK
dhcp-option=3,192.168.10.5      # ROUTER GATEWAY
dhcp-option=6,192.168.10.5      # DNS Servers
dhcp-option=15,desdelinux.fan   # DNS Domain Name
dhcp-option=19,1                # option ip-forwarding ON
dhcp-option=28,192.168.10.255   # BROADCAST
dhcp-option=42,192.168.10.5     # NTP
dhcp-authoritative              # Authoritative DHCP on the subnet

# -------------------------------------------------------------------
# If you want to store the log of the queries in /var/log/messages
# uncomment the line below
# -------------------------------------------------------------------
# log-queries

# END of file /etc/dnsmasq.conf
# -------------------------------------------------------------------

We create the file /etc/banner_add_hosts

[root@linuxbox ~]# nano /etc/banner_add_hosts
192.168.10.5 windowsupdate.com
192.168.10.5 ctldl.windowsupdate.com
192.168.10.5 ocsp.verisign.com
192.168.10.5 csc3-2010-crl.verisign.com
192.168.10.5 www.msftncsi.com
192.168.10.5 ipv6.msftncsi.com
192.168.10.5 teredo.ipv6.microsoft.com
192.168.10.5 ds.download.windowsupdate.com
192.168.10.5 download.microsoft.com
192.168.10.5 fe2.update.microsoft.com
192.168.10.5 crl.microsoft.com
192.168.10.5 www.download.windowsupdate.com
192.168.10.5 win8.ipv6.microsoft.com
192.168.10.5 spynet.microsoft.com
192.168.10.5 spynet1.microsoft.com
192.168.10.5 spynet2.microsoft.com
192.168.10.5 spynet3.microsoft.com
192.168.10.5 spynet4.microsoft.com
192.168.10.5 spynet5.microsoft.com
192.168.10.5 office15client.microsoft.com
192.168.10.5 addons.mozilla.org
192.168.10.5 crl.verisign.com

Fixed IP addresses

[root@linuxbox ~]# nano /etc/hosts
127.0.0.1    localhost localhost.localdomain localhost4 localhost4.localdomain4
::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.5 linuxbox.desdelinux.fan linuxbox
192.168.10.1 sysadmin.desdelinux.fan sysadmin

We configure the file /etc/resolv.conf

[root@linuxbox ~]# nano /etc/resolv.conf
search desdelinux.fan
nameserver 127.0.0.1
# For external DNS queries, or for names outside the desdelinux.fan domain
# local=/desdelinux.fan/
nameserver 8.8.8.8

We check the syntax of dnsmasq.conf, restart the service and check its status

[root@linuxbox ~]# dnsmasq --test
dnsmasq: syntax check OK.
[root@linuxbox ~]# systemctl restart dnsmasq
[root@linuxbox ~]# systemctl status dnsmasq

Dnsmasq and the Firewall

[root@linuxbox ~]# firewall-cmd --get-active-zones
external
  interfaces: ens34
public
  interfaces: ens32

Service domain, or Domain Name Server (dns), port 53. (Protocol number 53 is swipe, «IP with Encryption».)

[root@linuxbox ~]# firewall-cmd --zone=public --add-port=53/tcp --permanent
success
[root@linuxbox ~]# firewall-cmd --zone=public --add-port=53/udp --permanent
success

Dnsmasq queries to external DNS servers

[root@linuxbox ~]# firewall-cmd --zone=external --add-port=53/tcp --permanent
success
[root@linuxbox ~]# firewall-cmd --zone=external --add-port=53/udp --permanent
success

Service bootps, or BOOTP server (dhcp), port 67. (Protocol number 67 is ippc, «Internet Pluribus Packet Core».)

[root@linuxbox ~]# firewall-cmd --zone=public --add-port=67/tcp --permanent
success
[root@linuxbox ~]# firewall-cmd --zone=public --add-port=67/udp --permanent
success

[root@linuxbox ~]# firewall-cmd --reload
success

[root@linuxbox ~]# firewall-cmd --info-zone public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcp dns ntp ssh
  ports: 67/tcp 53/udp 123/udp 67/udp 53/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

[root@linuxbox ~]# firewall-cmd --info-zone external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens34
  sources:
  services: dns
  ports: 53/udp 53/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks: parameter-problem redirect router-advertisement router-solicitation source-quench
  rich rules:

If we want to use a graphical interface to configure the Firewall in CentOS 7, we look in the general menu (which submenu it appears in depends on the desktop environment) for the application «Firewall», run it and, after entering the root user's password, we get the program's own interface. In MATE it appears in the menu «System» -> «Administration» -> «Firewall».

We select the zone «public» and authorize the services we want published on the LAN, which so far are dhcp, dns, ntp and ssh. After selecting the services and verifying that everything works correctly, we must turn the Runtime changes into Permanent ones. To do this we go to the Options menu and select «Runtime to Permanent».

Then we select the zone «external» and check that the ports needed to communicate with the Internet are open. DO NOT publish services in this zone unless we know very well what we are doing!

Let's not forget to make the changes permanent through the option «Runtime to Permanent» and to reload the FirewallD daemon every time we use this powerful graphical tool.

NTP and Dnsmasq from a Windows 7 client

Synchronization with NTP

(screenshot of the Windows client's time synchronization; not reproduced here)

Leased IP address

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\buzz>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SEVEN
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : desdelinux.fan

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : desdelinux.fan
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-D6-14-36
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : (address lost in extraction) (Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, April 14, 2017 5:12:53 PM
   Lease Expires . . . . . . . . . . : Saturday, April 15, 2017 1:12:53 AM
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.5
   DNS Servers . . . . . . . . . . . : 192.168.10.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.desdelinux.fan:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : desdelinux.fan
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\buzz>

Tip:

An important value on Windows clients is the «Primary Dns Suffix» or «Main connection suffix». When a Microsoft Domain Controller is not used, the operating system does not assign it any value. If we face a case like the one described at the beginning of the article and want to declare that value explicitly, we proceed as shown in the following image, accept the changes and restart the client.


If we run CMD -> ipconfig /all again, we get the following:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\buzz>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SEVEN
   Primary Dns Suffix  . . . . . . . : desdelinux.fan
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : desdelinux.fan

The rest of the values remain unchanged.

DNS checks

buzz@sysadmin:~$ host spynet.microsoft.com
spynet.microsoft.com has address 127.0.0.1
Host spynet.microsoft.com not found: 5(REFUSED)
spynet.microsoft.com mail is handled by 1 mail.desdelinux.fan.

buzz@sysadmin:~$ host linuxbox
linuxbox.desdelinux.fan has address 192.168.10.5
linuxbox.desdelinux.fan mail is handled by 1 mail.desdelinux.fan.

buzz@sysadmin:~$ host sysadmin
sysadmin.desdelinux.fan has address 192.168.10.1
sysadmin.desdelinux.fan mail is handled by 1 mail.desdelinux.fan.

buzz@sysadmin:~$ host mail
mail.desdelinux.fan is an alias for linuxbox.desdelinux.fan.
linuxbox.desdelinux.fan has address 192.168.10.5
linuxbox.desdelinux.fan mail is handled by 1 mail.desdelinux.fan.

We install, for testing only, an authoritative DNS server (NSD) on sysadmin.desdelinux.fan, and we include the IP address 172.16.10.1 in the file /etc/resolv.conf of the machine linuxbox.desdelinux.fan, to verify that Dnsmasq performs its Forwarder function correctly. The test zones on the NSD server are favt.org and toujague.org. All IPs are fictitious or belong to private networks.

If we disable the WAN interface ens34 with the command ifdown ens34, Dnsmasq will not be able to query external DNS servers.

[buzz@linuxbox ~]$ sudo ifdown ens34
[buzz@linuxbox ~]$ host -t mx toujague.org
Host toujague.org not found: 3(NXDOMAIN)

[buzz@linuxbox ~]$ host pizzapie.favt.org
Host pizzapie.favt.org not found: 3(NXDOMAIN)

Let's enable the ens34 interface and check again:

[buzz@linuxbox ~]$ sudo ifup ens34
[buzz@linuxbox ~]$ host pizzapie.favt.org
pizzapie.favt.org is an alias for paisano.favt.org.
paisano.favt.org has address 172.16.10.4

[buzz@linuxbox ~]$ host pizzapie.toujague.org
Host pizzas.toujague.org not found: 3(NXDOMAIN)

[buzz@linuxbox ~]$ host poblacion.toujague.org
poblacion.toujague.org has address 169.18.10.18

[buzz@linuxbox ~]$ host -t NS favt.org
favt.org name server ns1.favt.org.
favt.org name server ns2.favt.org.

[buzz@linuxbox ~]$ host -t NS toujague.org
toujague.org name server ns1.toujague.org.
toujague.org name server ns2.toujague.org.

[buzz@linuxbox ~]$ host -t MX toujague.org
toujague.org mail is handled by 10 mail.toujague.org.

Let's query from sysadmin.desdelinux.fan:

buzz@sysadmin:~$ cat /etc/resolv.conf
search desdelinux.fan
nameserver 192.168.10.5

xeon@sysadmin:~$ host mail.toujague.org
mail.toujague.org has address 169.18.10.19

Dnsmasq is working correctly as a Forwarder.

Squid

In the PDF book «Linux Server Configuration», dated July 25, 2016, by the author Joel Barrios Dueñas (darkshram@gmail.com - http://www.alcancelibre.org/), a text I have referred to in previous articles, there is a whole chapter dedicated to the basic configuration options of Squid.

Due to the importance of the Web Proxy service, we reproduce the Introduction about Squid from the aforementioned book:

105.1. Introduction.

105.1.1. What is an Intermediary Server (Proxy)?

The English term "Proxy" has a very general and at the same time ambiguous meaning, although it is invariably considered a synonym of the concept of "Intermediary". In the strict sense it is usually translated as delegate or attorney (the one who has power over another).

An Intermediary Server is defined as a computer or device that offers a network service consisting of allowing clients to make indirect network connections to other network services. During the process the following occurs:

  • Client connects to a Proxy server.
  • Client requests a connection, file, or other resource available on a different server.
  • Intermediary Server provides the resource either by connecting to the specified server
    or serving it from a cache.
  • In some cases the Intermediary Server can alter the client's request or the
    server response for various purposes.

Proxy Servers are generally made to work simultaneously as a firewall operating at the Network level, acting as a packet filter, as in the case of iptables, or operating at the Application level, controlling various services, as is the case with TCP Wrapper. Depending on the context, the firewall is also known as BPD or Border Protection Device, or simply packet filter.

A common application of Proxy Servers is to work as a cache of network content (mainly HTTP), providing, close to the clients, a cache of pages and files available through the network on remote HTTP servers, allowing clients of the local network to access them faster and more reliably.

When a request for a network resource specified by a URL (Uniform Resource Locator) is received, the Intermediary Server looks for the result of the URL in its cache. If it is found, the Intermediary Server responds to the client by immediately providing the requested content. If the requested content is absent from the cache, the Intermediary Server fetches it from a remote server, delivers it to the client that requested it and keeps a copy in the cache. The content in the cache is later removed through an expiration algorithm according to the age, size and history of responses to requests (hits) (examples: LRU, LFUDA and GDSF).

Proxy Servers for network content (Web Proxies) can also act as filters of the served content, applying censorship policies according to arbitrary criteria.

The version of Squid we will install is 3.5.20-2.el7_3.2, from the updates repository.

Installation

[root@linuxbox ~]# yum install squid

[root@linuxbox ~]# ls /etc/squid/
cachemgr.conf          errorpage.css.default  squid.conf
cachemgr.conf.default  mime.conf              squid.conf.default
errorpage.css          mime.conf.default

[root@linuxbox ~]# systemctl enable squid

Important

  • The main objective of this article is to authorize local users to connect to Squid from other computers on the LAN, and in addition to implement the core of a server to which other services will be added. It is not an article dedicated to Squid as such.
  • To get an idea of Squid's configuration options, read the file /usr/share/doc/squid-3.5.20/squid.conf.documented, which has 7915 lines.

SELinux and Squid

[root@linuxbox ~]# getsebool -a | grep squid
squid_connect_any --> on
squid_use_tproxy --> off

[root@linuxbox ~]# setsebool -P squid_connect_any=on

Configuration

[root@linuxbox ~]# nano /etc/squid/squid.conf
# LAN
acl localnet src 192.168.10.0/24

acl SSL_ports port 443 21
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# We deny requests to non-secure ports
http_access deny !Safe_ports

# We deny the CONNECT method for non-secure ports
http_access deny CONNECT !SSL_ports

# Access to the Cache manager only from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# PAM authentication
auth_param basic program /usr/lib64/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm desdelinux.fan
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Authentication is required to access Squid
acl Enthusiasts proxy_auth REQUIRED

# We allow access only to users authenticated
# through PAM
http_access deny !Enthusiasts

# Access to FTP sites
acl ftp proto FTP
http_access allow ftp

http_access allow localnet
http_access allow localhost

# We deny any other access to the proxy
http_access deny all

# Squid normally listens on port 3128
http_port 3128

# We leave the "coredumps" in the first cache directory
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:             1440    20%     10080
refresh_pattern ^gopher:          1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
refresh_pattern .                 0       20%     4320

cache_mem 64 MB                 # Cache memory
memory_replacement_policy lru
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 4096 16 256
maximum_object_size 4 MB
cache_swap_low 85
cache_swap_high 90
cache_mgr buzz@desdelinux.fan
visible_hostname linuxbox.desdelinux.fan
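To see which of the http_access lines above decides a given request, the following added example (not part of the original article) replays Squid's first-match evaluation in Python over the article's ACLs. The client addresses, user name and destinations are constructed, and the built-in ACLs to_localhost and manager are simplified.

```python
import ipaddress

# ACL definitions taken from the article's squid.conf.
LOCALNET = ipaddress.ip_network("192.168.10.0/24")
SSL_PORTS = {443, 21}
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))

# The article's http_access lines, in order. Squid walks them top to
# bottom; every ACL on a line must match (AND) and the first matching
# line decides. A leading "!" negates an ACL.
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny",  ["manager"]),
    ("deny",  ["to_localhost"]),
    ("deny",  ["!Enthusiasts"]),          # acl Enthusiasts proxy_auth REQUIRED
    ("allow", ["ftp"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]


def make_request(src, scheme="http", port=80, method="GET",
                 user=None, host="example.com", manager=False):
    """A constructed, simplified view of one client request as Squid sees it.
    user=None means no valid PAM credentials were presented."""
    return {"src": src, "scheme": scheme, "port": port, "method": method,
            "user": user, "host": host, "manager": manager}


def acl_matches(name, req):
    """Evaluate one ACL name from the article's configuration."""
    src = ipaddress.ip_address(req["src"])
    if name == "localnet":
        return src in LOCALNET
    if name == "localhost":
        return src.is_loopback
    if name == "to_localhost":          # built-in; simplified: destination is loopback
        return req["host"] in ("localhost", "127.0.0.1", "::1")
    if name == "manager":               # built-in: cache-manager request
        return req["manager"]
    if name == "SSL_ports":
        return req["port"] in SSL_PORTS
    if name == "Safe_ports":
        return req["port"] in SAFE_PORTS
    if name == "CONNECT":
        return req["method"] == "CONNECT"
    if name == "Enthusiasts":           # proxy_auth REQUIRED: a valid login is present
        return req["user"] is not None
    if name == "ftp":
        return req["scheme"] == "ftp"
    if name == "all":
        return True
    raise KeyError(f"unknown acl {name}")


def decide(req):
    """Return (verdict, index of the deciding http_access line)."""
    for idx, (verdict, acls) in enumerate(HTTP_ACCESS):
        # acl_matches(...) != negated  <=>  the (possibly negated) ACL holds
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return verdict, idx
    # Squid's rule: if no line matches, the opposite of the last line applies.
    last = HTTP_ACCESS[-1][0]
    return ("allow" if last == "deny" else "deny"), None


# Constructed sample requests (hypothetical clients, not from the article).
SAMPLES = {
    "lan_no_auth":           make_request("192.168.10.40"),
    "lan_auth":              make_request("192.168.10.40", user="buzz"),
    "lan_auth_connect_443":  make_request("192.168.10.40", port=443, method="CONNECT", user="buzz"),
    "lan_auth_connect_8080": make_request("192.168.10.40", port=8080, method="CONNECT", user="buzz"),
    "lan_auth_smtp":         make_request("192.168.10.40", port=25, user="buzz"),
    "lan_auth_manager":      make_request("192.168.10.40", user="buzz", manager=True),
    "lan_auth_to_localhost": make_request("192.168.10.40", user="buzz", host="127.0.0.1"),
    "localhost_manager":     make_request("127.0.0.1", manager=True),
    "wan_auth_http":         make_request("172.16.10.50", user="buzz"),
    # "allow ftp" sits before "allow localnet", so an authenticated FTP
    # request is accepted from any source address, not only from the LAN.
    "wan_auth_ftp":          make_request("172.16.10.50", scheme="ftp", port=21, user="buzz"),
}


def audit(samples=SAMPLES):
    """Map each sample name to (verdict, deciding http_access line index)."""
    return {name: decide(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (verdict, idx) in audit().items():
        if idx is None:
            print(f"{name:24s} {verdict:5s} (default, no line matched)")
        else:
            line = HTTP_ACCESS[idx]
            print(f"{name:24s} {verdict:5s} by line {idx}: http_access {line[0]} {' '.join(line[1])}")
```

Running it shows that an unauthenticated LAN client is stopped by the "deny !Enthusiasts" line while an authenticated one falls through to "allow localnet", and that the position of "allow ftp" matters.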

We check the syntax of the file /etc/squid/squid.conf

[root@linuxbox ~]# squid -k parse
2017/04/16 15:45:10| Startup: Initializing Authentication Schemes ...
2017/04/16 15:45:10| Startup: Initialized Authentication Scheme 'basic'
2017/04/16 15:45:10| Startup: Initialized Authentication Scheme 'digest'
2017/04/16 15:45:10| Startup: Initialized Authentication Scheme 'negotiate'
2017/04/16 15:45:10| Startup: Initialized Authentication Scheme 'ntlm'
2017/04/16 15:45:10| Startup: Initialized Authentication.
2017/04/16 15:45:10| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2017/04/16 15:45:10| Processing: acl localnet src 192.168.10.0/24
2017/04/16 15:45:10| Processing: acl SSL_ports port 443 21
2017/04/16 15:45:10| Processing: acl Safe_ports port 80 # http
2017/04/16 15:45:10| Processing: acl Safe_ports port 21 # ftp
2017/04/16 15:45:10| Processing: acl Safe_ports port 443 # https
2017/04/16 15:45:10| Processing: acl Safe_ports port 70 # gopher
2017/04/16 15:45:10| Processing: acl Safe_ports port 210 # wais
2017/04/16 15:45:10| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/04/16 15:45:10| Processing: acl Safe_ports port 280 # http-mgmt
2017/04/16 15:45:10| Processing: acl Safe_ports port 488 # gss-http
2017/04/16 15:45:10| Processing: acl Safe_ports port 591 # filemaker
2017/04/16 15:45:10| Processing: acl Safe_ports port 777 # multiling http
2017/04/16 15:45:10| Processing: acl CONNECT method CONNECT
2017/04/16 15:45:10| Processing: http_access deny !Safe_ports
2017/04/16 15:45:10| Processing: http_access deny CONNECT !SSL_ports
2017/04/16 15:45:10| Processing: http_access allow localhost manager
2017/04/16 15:45:10| Processing: http_access deny manager
2017/04/16 15:45:10| Processing: http_access deny to_localhost
2017/04/16 15:45:10| Processing: auth_param basic program /usr/lib64/squid/basic_pam_auth
2017/04/16 15:45:10| Processing: auth_param basic children 5
2017/04/16 15:45:10| Processing: auth_param basic realm desdelinux.fan
2017/04/16 15:45:10| Processing: auth_param basic credentialsttl 2 hours
2017/04/16 15:45:10| Processing: auth_param basic casesensitive off
2017/04/16 15:45:10| Processing: acl Enthusiasts proxy_auth REQUIRED
2017/04/16 15:45:10| Processing: http_access deny !Enthusiasts
2017/04/16 15:45:10| Processing: acl ftp proto FTP
2017/04/16 15:45:10| Processing: http_access allow ftp
2017/04/16 15:45:10| Processing: http_access allow localnet
2017/04/16 15:45:10| Processing: http_access allow localhost
2017/04/16 15:45:10| Processing: http_access deny all
2017/04/16 15:45:10| Processing: http_port 3128
2017/04/16 15:45:10| Processing: coredump_dir /var/spool/squid
2017/04/16 15:45:10| Processing: refresh_pattern ^ftp: 1440 20% 10080
2017/04/16 15:45:10| Processing: refresh_pattern ^gopher: 1440 0% 1440
2017/04/16 15:45:10| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2017/04/16 15:45:10| Processing: refresh_pattern .

We adjust the permissions of /usr/lib64/squid/basic_pam_auth

[root@linuxbox ~]# chmod u+s /usr/lib64/squid/basic_pam_auth

We create the cache directory

# Just in case...
[root@linuxbox ~]# service squid stop
Redirecting to /bin/systemctl stop squid.service

[root@linuxbox ~]# squid -z
[root@linuxbox ~]# 2017/04/16 15:48:28 kid1| Set Current Directory to /var/spool/squid
2017/04/16 15:48:28 kid1| Creating missing swap directories
2017/04/16 15:48:28 kid1| /var/spool/squid exists
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/00
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/01
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/02
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/03
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/04
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/05
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/06
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/07
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/08
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/09
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/0A
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/0B
2017/04/16 15:48:28 kid1| Making directories in /var/spool/squid/0C
2017/04/16 15:48:29 kid1| Making directories in /var/spool/squid/0D
2017/04/16 15:48:29 kid1| Making directories in /var/spool/squid/0E
2017/04/16 15:48:29 kid1| Making directories in /var/spool/squid/0F

At this point, if it takes a while for the command prompt to come back (it never came back for me), press Enter.

[root@linuxbox ~]# service squid start
[root@linuxbox ~]# service squid restart
[root@linuxbox ~]# service squid status
Redirecting to /bin/systemctl status squid.service
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
   Active: active (running) since dom 2017-04-16 15:57:27 EDT; 1s ago
  Process: 2844 ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 2873 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 2868 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 2876 (squid)
   CGroup: /system.slice/squid.service
           └─2876 /usr/sbin/squid -f /etc/squid/squid.conf

Apr 16 15:57:27 linuxbox systemd[1]: Starting Squid caching proxy...
Apr 16 15:57:27 linuxbox systemd[1]: Started Squid caching proxy.
Apr 16 15:57:27 linuxbox squid[2876]: Squid Parent: will start 1 kids
Apr 16 15:57:27 linuxbox squid[2876]: Squid Parent: (squid-1) process 2878 ...ed
Apr 16 15:57:27 linuxbox squid[2876]: Squid Parent: (squid-1) process 2878 ...1
Hint: Some lines were ellipsized, use -l to show in full

[root@linuxbox ~]# cat /var/log/messages | grep squid

Firewall fixes

We must also open ports 80 (HTTP) and 443 (HTTPS) in the «external» zone so that Squid can communicate with the Internet.

[root@linuxbox ~]# firewall-cmd --zone=external --add-port=80/tcp --permanent
success
[root@linuxbox ~]# firewall-cmd --zone=external --add-port=443/tcp --permanent
success
[root@linuxbox ~]# firewall-cmd --reload
success
[root@linuxbox ~]# firewall-cmd --info-zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens34
  sources:
  services: dns
  ports: 443/tcp 53/udp 80/tcp 53/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks: parameter-problem redirect router-advertisement router-solicitation source-quench
  rich rules:

  • It is not idle to open the graphical application «Firewall Settings» and check that ports 443/tcp, 80/tcp, 53/tcp and 53/udp are open for the «external» zone, and that we have NOT published any service in it.
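
That visual check can be turned into something repeatable. What follows is an added example, not code from the article: a POSIX shell drift check that parses the text printed by firewall-cmd --info-zone=external and compares the published services and ports with what the listing above shows (the dns service plus 53/tcp, 53/udp, 80/tcp and 443/tcp). The sample listing embedded in the script is constructed from the output above, and the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original article): drift check for the
# «external» firewalld zone. Reads "firewall-cmd --info-zone=external"
# output and compares services and ports with an allowlist.

# Allowlist taken from the zone listing in the article.
EXPECTED_SERVICES="dns"
EXPECTED_PORTS="53/tcp 53/udp 80/tcp 443/tcp"

# Print the words of a space-separated list, sorted, on one line.
sorted_words() {
    printf '%s\n' $1 | sed '/^$/d' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Read info-zone output on stdin and print the sorted value of "KEY:".
# The ^ anchor and the literal key keep "ports:" from also matching
# "source-ports:" or "forward-ports:".
zone_field() {
    sorted_words "$(sed -n "s/^[[:space:]]*$1:[[:space:]]*//p")"
}

# audit_zone: info-zone output on stdin. Returns 0 when the published
# services and ports equal the allowlist, otherwise prints one line per
# deviation and returns 1.
audit_zone() {
    zone=$(cat)
    rc=0
    got_services=$(printf '%s\n' "$zone" | zone_field services)
    got_ports=$(printf '%s\n' "$zone" | zone_field ports)
    want_services=$(sorted_words "$EXPECTED_SERVICES")
    want_ports=$(sorted_words "$EXPECTED_PORTS")
    if [ "$got_services" != "$want_services" ]; then
        echo "services drift: have [$got_services], want [$want_services]"
        rc=1
    fi
    if [ "$got_ports" != "$want_ports" ]; then
        echo "ports drift: have [$got_ports], want [$want_ports]"
        rc=1
    fi
    return $rc
}

# Constructed sample, copied from the zone listing shown in the article.
sample_zone_output() {
    cat <<'EOF'
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens34
  sources:
  services: dns
  ports: 443/tcp 53/udp 80/tcp 53/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks: parameter-problem redirect router-advertisement router-solicitation source-quench
  rich rules:
EOF
}

# Real use on the server:  firewall-cmd --info-zone=external | audit_zone
if sample_zone_output | audit_zone; then
    echo "sample zone: matches the allowlist"
else
    echo "sample zone: drift detected"
fi
```

Run it from cron or after each firewall-cmd change; a non-zero exit status means a port or service was added to or removed from the zone that the article's configuration does not expect.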

Note on the basic_pam_auth helper program

If we consult the manual of this utility with man basic_pam_auth, we will read that the author himself strongly recommends moving the program to a directory where normal users do not have sufficient permissions to access the tool.

On the other hand, it is known that with this authentication scheme the credentials travel in plain text, so it is not safe for hostile environments, that is, open networks.

Jeff Yestrumskas dedicates the article «How-to: Setup a secure web proxy using SSL encryption, Squid Caching Proxy and PAM authentication» to the issue of increasing the security of this authentication scheme so that it can be used in potentially hostile open networks.
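
How the manual's recommendation can be carried out on this server, as an added example that is not part of the original article: a POSIX shell script that moves basic_pam_auth into a private directory traversable only by root and the squid group, keeps the setuid bit that the chmod u+s step gave it (the helper needs root when PAM authenticates against /etc/shadow through pam_unix), removes every permission for "other", and then verifies the result. The directory /usr/lib64/squid/private and the function names are assumptions; the helper path is the one used above.

```shell
#!/bin/sh
# Added example (not from the original article): apply the basic_pam_auth
# man page advice. The helper ends up in a directory only root and the
# squid group can enter, with mode 4750 (setuid root, no "other" access).
# /usr/lib64/squid/private is an assumed name.

# Return 0 if FILE has mode 4750: setuid, owner rwx, group rx, nothing for other.
helper_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "4750" ]
}

# Return 0 if DIR has mode 0750, so users outside the group cannot traverse it.
privdir_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "750" ]
}

# harden_helper HELPER PRIVDIR GROUP
# Moves HELPER into PRIVDIR (created if missing), assigns both to GROUP and
# sets the restrictive modes. Prints the helper's new path, which must then
# replace the old one in the "auth_param basic program" line of squid.conf.
# The package installs the helper owned by root and mkdir run as root yields
# a root-owned directory, so only the group and the modes are changed here.
harden_helper() {
    helper="$1"; privdir="$2"; group="$3"
    name=$(basename "$helper")

    mkdir -p "$privdir"
    chgrp "$group" "$privdir"
    chmod 0750 "$privdir"

    mv "$helper" "$privdir/$name"
    chgrp "$group" "$privdir/$name"
    chmod 4750 "$privdir/$name"      # same setuid bit as "chmod u+s", minus "other"

    helper_mode_ok "$privdir/$name" || return 1
    privdir_mode_ok "$privdir" || return 1
    printf '%s\n' "$privdir/$name"
}

# Real use on the server (as root), after which squid.conf should contain:
#   auth_param basic program /usr/lib64/squid/private/basic_pam_auth
# harden_helper /usr/lib64/squid/basic_pam_auth /usr/lib64/squid/private squid
```

Squid runs the helper as the squid user, which is why the group, not "other", gets execute permission. After editing the auth_param basic program line, squid -k parse followed by a service restart confirms that Squid still finds the helper.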

We install httpd

As a way to check the operation of Squid (and, incidentally, that of Dnsmasq) we will install the httpd service (the Apache web server), which is not strictly required. In the Dnsmasq file /etc/banner_add_hosts we declare the sites we want banned, and we explicitly assign them the same IP address as linuxbox. Thus, if we request any of these sites, the httpd home page is served instead.

[root@linuxbox ~]# yum install httpd
[root@linuxbox ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

[root@linuxbox ~]# systemctl start httpd

[root@linuxbox ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-04-16 16:41:35 EDT; 5s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 2275 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─2275 /usr/sbin/httpd -DFOREGROUND
           ├─2276 /usr/sbin/httpd -DFOREGROUND
           ├─2277 /usr/sbin/httpd -DFOREGROUND
           ├─2278 /usr/sbin/httpd -DFOREGROUND
           ├─2279 /usr/sbin/httpd -DFOREGROUND
           └─2280 /usr/sbin/httpd -DFOREGROUND

Apr 16 16:41:35 linuxbox systemd[1]: Starting The Apache HTTP Server...
Apr 16 16:41:35 linuxbox systemd[1]: Started The Apache HTTP Server.

SELinux and Apache

Apache has several SELinux booleans that control what the httpd domain is allowed to do.

[root@linuxbox ~]# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_connect_zabbix_workb_workb_workd_connect_workbconnect off_workbwork_
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi -> httpd_enable_offmirs -> httpd_enable_enable offpd_server_offmirs -> httpd_enablem offpd_server_enable_cgi -> offhpd_enablem off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_runcobshift offlimerfift_runco_stick> off httpd_runco offlimift offlimift_runco_stick> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

We will only configure the following:

Allow Apache to send email

[root@linuxbox ~]# setsebool -P httpd_can_sendmail 1

Allow Apache to read content located in the home directories of local users

[root@linuxbox ~]# setsebool -P httpd_read_user_content 1

Allow any directory managed by Apache to be administered via FTP or FTPS, or allow Apache to act as an FTP server listening for requests on the FTP port

[root@linuxbox ~]# setsebool -P httpd_enable_ftp_server 1

For more information, please read Linux Server Configuration.

We check the Authentication

It only remains to open a browser on a workstation and point it, for example, to http://windowsupdate.com. We will check that the request is correctly redirected to the Apache home page on linuxbox. In fact, any site name declared in the file /etc/banner_add_hosts will be redirected to that same page.

The images at the end of the article prove it.

Users Management

We do it with the graphical tool «User Management», which we reach through the menu System -> Administration -> User Management. Every time we add a new user, its /home/user folder is created automatically.

 

Backups

Linux clients

You only need the normal file browser: tell it to connect to, for example, ssh://buzz@linuxbox/home/buzz and, after entering the password, the home directory of the user buzz will be displayed.

Windows Clients

On Windows clients we use the WinSCP tool. Once installed, we use it in the following way:

 

 

Simple, right?

Summary

We have seen that it is possible to use PAM to authenticate services in a small network and in a controlled environment totally isolated from the hands of hackers. That is fundamentally because the authentication credentials travel in plain text, so it is not an authentication scheme to be used in open networks such as airports, public Wi-Fi networks, etc. However, it is a simple authentication mechanism, easy to implement and configure.

Sources consulted

PDF version

Download the PDF version here!

Until the next article!



  1.   NauTiluS said

    Tremendous post you have put together, Mr. Fico. Thanks for sharing your knowledge.

  2.   lizard said

    I know how difficult it is to put together an article with such a level of detail, with fairly clear tests and, above all, with concepts and strategies adapted to the standards. I just take my hat off to this jewel of a contribution; thank you very much, Fico, for such a good job.

    I have never combined Squid with PAM authentication, but I will do everything possible to try this practice in my laboratory... A big hug, and we keep going!!

  3.   federico said

    NauTiluS: Thank you very much for your comment and evaluation.
    Lizard: To you too, thank you very much for your comment and evaluation.

    The time and effort devoted to making articles like this one are only rewarded with the reading and comments of those who visit the FromLinux community. I hope it is useful to you in your daily work.
    We keep going!

  4.   Anonymous said

    Incredible contribution, citizen!!!! I read each of your articles and I can say that even a person without advanced knowledge of Free Software (like me) can follow this exquisite article step by step. Cheers!!!!

  5.   IWO said

    Thanks, Fico, for this other great article. As if all the posts already published were not enough, in this one we have a service not previously covered by the SME Series and one that is extremely important: the "SQUID", or Proxy, of a LAN. Nothing more than for us, the family of those who think we are "sysadmins", to have here more good material to study and deepen our knowledge.

  6.   federico said

    Thank you all for your comments. The next article will deal with the Prosody chat server with authentication against local credentials (PAM) via Cyrus-SASL, and that service will be implemented in this same server.

  7.   kenpachiRo17 said

    Good timing, countryman!!!! A great contribution, even for those like me who do not have great knowledge of Free Software but are passionate about learning with articles as exquisite as this one. I have been following your contributions and I would like to know which article you would recommend I start with in this series on SME Networks, since I have been reading it in a disorderly way and I think it has too much valuable content to miss any detail. Without further ado, greetings, and may shared knowledge, like the Software, remain Free!!

    1.    federico said

      Greetings, countryman!!! I recommend you start at the beginning; although it may seem like the long way, it is the shortest way to not get lost. In the index (which is not updated with the last two articles) https://blog.desdelinux.net/redes-computadoras-las-pymes-introduccion/, we established the recommended reading order of the Series, which begins with how to set up my Workstation, continues with several posts dedicated to Virtualization, follows with several on BIND, Isc-Dhcp-Server and Dnsmasq, and so on until we get to the service implementation part for the SME network, which is where we are now. I hope it helps you.

      1.    kenpachiRo17 said

        So it will be!!!! Right away I start the series from the beginning, and I look forward to new articles. Cheers!!!!