Orion is an application in which I have been developing various functions, all focused on Internet security.

I am writing this tutorial because it will be very useful for anyone who wants to develop their Linux knowledge.

Almost everything here I learned over the course of 4 years, during which I have been studying Linux a little, and every day I fall more in love with it, because it shows me another side of IT.

Well, let's get started.

The first thing to do is download the latest version of Debian, which can be found at this site.

http://www.debian.org/CD/netinst/

When this procedure was posted, the version was debian-503.

http://cdimage.debian.org/debian-cd/5.0.3/i386/iso-cd/debian-503-i386-netinst.iso

The Debian we will use is the basic Debian, and afterwards we will install applications as needed.


Required steps

Updating Debian
apt-get update
apt-get upgrade
apt-get dist-upgrade

Installing ssh
apt-get install ssh

Required basic applications
apt-get install aptitude vim tcpdump nmap libncurses5-dev iptraf dhcpcd lshw elinks mc most arping ntpdate

Enabling colors in VIM
echo "syntax enable" > ~/.vimrc

Colored shell
vim /root/.bashrc

Add the following lines:

####### ~/.bashrc: executed by bash(1) for non-login shells.
export PS1='\h:\w\$ '
umask 022

# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias l='ls $LS_OPTIONS -lA'

# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

export MANPAGER="/usr/bin/most -s"
export HISTTIMEFORMAT="%F %T "

alias grep='grep --color=auto'

Installing Squid
aptitude install squid

Create the arquivos directory inside /etc/squid

cd /etc/squid
mkdir arquivos
cd arquivos/

Create the files for the ACLs

touch audio
touch bancos
touch comando
touch compactadores
touch downloads
touch entretenimento
touch esporte
touch executável
touch governamental
touch imagem
touch messenger
touch pornografia
touch provedores
touch relacionamento
touch revistas
touch video
touch webmail

Backup of squid.conf

cd /etc/squid
mkdir backup
cp squid.conf /etc/squid/backup/squid.conf.default

Cleaning up squid.conf

cd /etc/squid
cp squid.conf squid.conf.original
egrep -v "^#|^$" squid.conf.original > squid.conf

 

Squid.conf configuration with authentication against AD (2003/2008)

########## AUTHENTICATION #####################

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds

###########################################

refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Package(.gz)*)$    0    20%    2880
refresh_pattern .        0    20%    4320

#### DEFAULT ACLs ############################

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 192.168.11.0/24

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

######## DEFAULT ACLs #########################

external_acl_type NT_global_group children=10 %LOGIN /usr/lib/squid/wbinfo_group.pl

# AD group allowed to authenticate through Squid
acl ProxyUsers external NT_global_group proxy_user

############### ACLs  #######################

acl diretoria proxy_auth "/etc/squid/arquivos/diretoria"
acl relacionamento url_regex "/etc/squid/arquivos/relacionamento"
acl sites_liberados url_regex "/etc/squid/arquivos/sites_liberados"
acl sites_bloqueados url_regex "/etc/squid/arquivos/sites_bloqueados"
acl palavras_negadas url_regex "/etc/squid/arquivos/palavras_negadas"
acl extensoes_liberadas url_regex "/etc/squid/arquivos/extensoes_liberadas"
acl extensoes_bloqueadas url_regex "/etc/squid/arquivos/extensoes_bloqueadas"
acl dominios_bloqueados dstdom_regex -i "/etc/squid/arquivos/dominios_bloqueados"
acl dominios_liberados dstdom_regex -i "/etc/squid/arquivos/dominios_liberados"
acl usuarios_bloqueados proxy_auth "/etc/squid/arquivos/usuarios_bloqueados"
acl porno url_regex "/etc/squid/arquivos/porno"

########### PROXY RESTRICTIONS ######################

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Refuse requests to ports outside Safe_ports and CONNECT tunnels to ports outside SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

http_access allow diretoria
http_access allow sites_liberados
http_access allow extensoes_liberadas
http_access allow dominios_liberados
http_access deny relacionamento
http_access deny sites_bloqueados
http_access deny palavras_negadas
http_access deny extensoes_bloqueadas
http_access deny dominios_bloqueados
http_access deny usuarios_bloqueados
http_access deny porno
# ACL for users authenticated in AD
http_access allow ProxyUsers
http_access deny all

icp_access allow localnet
icp_access deny all

###########################################################################

access_log /var/log/squid/access.log squid
logfile_rotate 10
error_directory /usr/share/squid/errors/Portuguese
hosts_file /etc/hosts
http_port 3128
coredump_dir /var/spool/squid
visible_hostname plserver02
cache_mgr suporte@contoso.com.br
# DNS server of the network
dns_nameservers 192.168.x.y
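
As an added example (not part of the original tutorial and not Squid code), the Python sketch below models how Squid walks http_access rules from top to bottom and stops at the first rule whose ACLs all match. It compares the stock port-guard rules (deny !Safe_ports, deny CONNECT !SSL_ports) with a permissive variant in which those two rules are written as allow rules. The ACL matcher, the request dictionaries and the ad_group_member flag are simplified assumptions; a real Squid would answer an unauthenticated client with an authentication challenge instead of silently falling through.

```python
import re

# Port ACLs as defined in the squid.conf on this page.
SSL_PORTS = {443, 563, 873}
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777, 631, 873, 901}

def acl_matches(name, req):
    """Simplified stand-in for Squid's ACL matching (assumption)."""
    port = req["port"]
    return {
        "all": True,
        "CONNECT": req["method"] == "CONNECT",
        "SSL_ports": port in SSL_PORTS,
        "Safe_ports": port in SAFE_PORTS or 1025 <= port <= 65535,
        "localhost": req["src"] == "127.0.0.1",
        # Replaces the wbinfo_group.pl lookup of the AD group.
        "ProxyUsers": req.get("ad_group_member", False),
    }[name]

def parse_http_access(conf):
    """Return [(action, [terms])] in file order, comments stripped."""
    rules = []
    for line in conf.splitlines():
        m = re.match(r"http_access\s+(allow|deny)\s+(.+)", line.split("#")[0].strip())
        if m:
            rules.append((m.group(1), m.group(2).split()))
    return rules

def decide(conf, req):
    """First rule whose terms all match wins; returns (action, rule_no)."""
    rules = parse_http_access(conf)
    for n, (action, terms) in enumerate(rules, 1):
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, n
    # Nothing matched: Squid applies the opposite of the last rule.
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0

TAIL = "http_access allow localhost\nhttp_access allow ProxyUsers\nhttp_access deny all\n"
PERMISSIVE = "http_access allow CONNECT\nhttp_access allow !SSL_ports !Safe_ports\n" + TAIL
STOCK = "http_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\n" + TAIL

# Constructed requests: an unauthenticated CONNECT to port 25 and an AD user's GET.
TUNNEL = {"method": "CONNECT", "port": 25, "src": "192.168.11.50"}
BROWSE = {"method": "GET", "port": 80, "src": "192.168.11.50", "ad_group_member": True}

if __name__ == "__main__":
    for label, conf in (("permissive", PERMISSIVE), ("stock", STOCK)):
        print(label, decide(conf, TUNNEL), decide(conf, BROWSE))
```

With the permissive rules the unauthenticated CONNECT is accepted by rule 1 before any authentication rule is reached; with the stock rules it is refused by rule 1, while the authenticated GET is allowed by the ProxyUsers rule in both cases.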

Installing SAMBA
aptitude install samba samba-common winbind smbclient

Configuring winbind

vim /etc/init.d/winbind
chgrp proxy /var/run/samba/winbindd_privileged/ || return 1

smb.conf configuration

#============== Global Settings =====================
[global] 
    workgroup = CONTOSO 
    realm = CONTOSO.LOCAL
    netbios name = orion
    server string = Servidor Proxy
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = ADS
    domain master = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes
    winbind separator = +
    usershare allow guests = yes

#=======Share Definitions============================
[homes]
    comment = Home Directories
    browseable = no
    writeable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    printable = yes

[Softwares]
    comment = Softwares Skylan
    writeable = yes
    create mode = 777
    path = /x/softwares
    directory mode = 777
    browseable = yes

Installing Kerberos

apt-get install krb5-user
apt-get install ldap-utils
apt-get install libldap-2.4-2

Enter the correct information.
Kerberos server for your realm: CONTOSO.LOCAL

Administrative server for your Kerberos realm: CONTOSOSERVER

krb5.conf settings (/etc/krb5.conf)

[libdefaults]
        default_realm = CONTOSO.LOCAL               
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24000

[realms]
        CONTOSO.LOCAL = {
                kdc = contososerver01.contoso.local
                admin_server = contososerver01.contoso.local
                default_domain = CONTOSO.LOCAL
        }

[domain_realm]
        .contoso.local = CONTOSO.LOCAL
        contoso.local = CONTOSO.LOCAL

[logging]
        default = FILE:/var/log/krb5.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log

nsswitch.conf settings (/etc/nsswitch.conf)

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

Synchronizing the clock

ntpdate ntp.usp.br

Joining the domain

kinit administrador@CONTOSO.LOCAL

net ads join -U administrador

net ads testjoin

wbinfo -t

net ads user

Installing APACHE
apt-get install apache2

Installing MYSQL
apt-get install mysql-server mysql-client

Installing PHP5
apt-get install php5 php5-sybase php5-symfony1.0 php5-tidy php5-uuid php5-xapian php5-xcache php5-xdebug php5-xmlrpc php5-xsl php5-mysql phpmyadmin

 

Create directories for downloads, firewall and backups

cd /
mkdir x
cd /x
mkdir downloads
mkdir softwares
mkdir backups
mkdir firewall
chmod 777 firewall/
cd downloads

 

Installing MYSAR

wget http://ufpr.dl.sourceforge.net/sourceforge/mysar/mysar-2.1.4.tar.gz
tar zxvf mysar-2.1.4.tar.gz -C /usr/local
cd  /usr/local/mysar

Add to /etc/apache2/apache2.conf

vim /etc/apache2/apache2.conf

Alias /mysar /usr/local/mysar/www

<Directory "/usr/local/mysar/www">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
</Directory>

/etc/init.d/mysql restart
/etc/init.d/apache2 restart

cd /usr/local/mysar/etc/
cp config.ini.example config.ini
rm -rf /usr/local/mysar/www/install
ln -s /usr/local/mysar/etc/mysar.cron /etc/cron.d/mysar

Configuring WEBMIN

Add to /etc/apt/sources.list
vim /etc/apt/sources.list
deb http://download.webmin.com/download/repository sarge contrib
cd /x/downloads/
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
apt-get update
apt-get install webmin
