Monday, May 28, 2012

Citadel Groupware Install

0 comments

Base install of the required packages:
sudo apt-get install clamav clamav-milter spamassassin citadel-suite amavisd-new
Enable and start SpamAssassin
sudo vim /etc/default/spamassassin
# Set to 1 to enable spamd
ENABLED=1
sudo /etc/init.d/spamassassin start
spamd is now listening on port 783, and only on the loopback address, which is what you want for a scanner that is only ever called locally:
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
Citadel Configuration
Make sure all of your processes are running.
ps -eaf | grep cit 
root      5167     1  0 13:47 ?        00:00:00 /usr/sbin/citserver -d -x3 -lmail -t/dev/null
citadel   5168  5167  0 13:47 ?        00:00:01 /usr/sbin/citserver -d -x3 -lmail -t/dev/null
root      6052     1  0 13:47 ?        00:00:00 /usr/sbin/webcit -D/var/run/webcit/webcit.pid.8504 -p8504 127.0.0.1 504 -i0.0.0.0 -f -t/var/log/webcit//access.8504.log
root      6053  6052  0 13:47 ?        00:00:06 /usr/sbin/webcit -D/var/run/webcit/webcit.pid.8504 -p8504 127.0.0.1 504 -i0.0.0.0 -f -t/var/log/webcit//access.8504.log
Check Network Ports
netstat -lnp 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:5666            0.0.0.0:*               LISTEN      5979/nrpe
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:2020            0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      8057/spamd.pid
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6510/apache2
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      6039/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5077/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5840/cupsd
tcp        0      0 0.0.0.0:8504            0.0.0.0:*               LISTEN      6053/webcit
tcp        0      0 0.0.0.0:504             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      5168/citserver
tcp6       0      0 :::22                   :::*                    LISTEN      5077/sshd
udp        0      0 0.0.0.0:35499           0.0.0.0:*                           5053/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           4444/dhclient3
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5053/avahi-daemon:
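A few things stand out in that listing. Every citserver service, plus vsftpd (21), Apache (80), NRPE (5666) and WebCit (8504), is bound to 0.0.0.0, and several of them (FTP, SMTP, HTTP, POP3 on 110, IMAP on 143, the Citadel client port 504 and WebCit) carry credentials in the clear unless the client negotiates TLS. As an added example, not part of the original post, here is a small shell audit that reads netstat -lnp output and reports what is exposed on all interfaces and which of it is cleartext; the port classifications are this example's own assumptions, and the sample input is the listing above.

```shell
#!/bin/sh
# Added example (not from the original post): audit "netstat -lnp" output for
# TCP services bound to every interface and flag the cleartext ones among them.
# Which ports count as Citadel's and as cleartext is this example's assumption.

CITADEL_PORTS="25 110 143 465 504 587 993 995 2020 5222"  # citserver's listeners in the post
CLEARTEXT_PORTS="21 25 80 110 143 504 8504"              # FTP SMTP HTTP POP3 IMAP Citadel-client WebCit

# sample_netstat: the listing from the post, copied here so the script runs offline
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:5666            0.0.0.0:*               LISTEN      5979/nrpe
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:2020            0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:5222            0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      8057/spamd.pid
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6510/apache2
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      6039/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5077/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5840/cupsd
tcp        0      0 0.0.0.0:8504            0.0.0.0:*               LISTEN      6053/webcit
tcp        0      0 0.0.0.0:504             0.0.0.0:*               LISTEN      5168/citserver
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      5168/citserver
tcp6       0      0 :::22                   :::*                    LISTEN      5077/sshd
udp        0      0 0.0.0.0:35499           0.0.0.0:*                           5053/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           4444/dhclient3
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           5053/avahi-daemon:
EOF
}

# exposed_listeners: read netstat -lnp output on stdin and print "PORT PROGRAM"
# for every TCP socket in LISTEN state bound to 0.0.0.0 or to :: (IPv6 any)
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
        n = split($4, a, ":"); port = a[n]
        split($7, p, "/"); prog = (p[2] == "") ? "-" : p[2]
        print port, prog
    }'
}

# classify: label each exposed listener citadel and/or cleartext, otherwise other
classify() {
    exposed_listeners | while read -r port prog; do
        label=""
        for p in $CITADEL_PORTS; do
            if [ "$p" = "$port" ]; then label="citadel"; fi
        done
        for p in $CLEARTEXT_PORTS; do
            if [ "$p" = "$port" ]; then label="${label:+$label,}cleartext"; fi
        done
        echo "$port $prog ${label:-other}"
    done
}

# count_cleartext: number of cleartext listeners reachable from any interface;
# the figure to drive to zero by binding them to 127.0.0.1 or the LAN address,
# firewalling them, or fronting them with TLS
count_cleartext() {
    classify | grep -c cleartext
}

# Run directly: classify the post's listing
sample_netstat | classify
```

On the live box, source the file and run sudo netstat -lnp | classify; each line tagged cleartext is a service whose logins cross the wire unencrypted for anyone who can reach the interface it is bound to.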
Once the server is installed, open the web interface (WebCit) at your server's IP address on port 8504, the default:
http://192.168.5.100:8504
Log in with the administrator user name and an empty password (none is set yet), and set a password as the first thing you do. Note from the port listing above that WebCit speaks plain HTTP and is bound to all interfaces (0.0.0.0:8504), so until it is restricted to the LAN or placed behind TLS that administrator login travels in clear text. Choose Administration and you can set up the server from this interface. You will have four categories to work with; start with Global Configuration and select "Edit site-wide configuration" for the basic settings.
The window that opens has a number of tabs. Under General, the one setting you must change is the Fully qualified domain name: it needs both a host name and a domain name, for example:
mail.example.com
The name of the system administrator is also listed here. You can change it, but make sure the new account has the matching access level.
The Access controls section defines how users get access and how many access levels you create. The defaults work, so there is no need to change this initially.
Network services defines the ports. SMTP on port 25 is how you talk to other mail servers and should stay at the standard value; port 587, also listening above, is the submission port for your own authenticated clients. IMAP is 143, or 993 over SSL; SMTP over SSL uses port 465. Be careful changing anything here, because other programs expect these standard ports.
Tuning sets timeouts and the maximum message size. The worker threads are the connections citserver can service concurrently; the defaults are a minimum of 5 and a maximum of 256. You can save resources by lowering the minimum to 2 or 3 if you have few users, or raise it to 7 to 10 if you constantly have that many connected.
The POP3 tab shows the default ports: 110 for plain connections and 995 for SSL.
Read more...

Sunday, May 27, 2012

HTTPS Traffic block in squid 2.6

3 comments

Here are the steps to configure a transparent proxy in Squid.

Steps for configuring a transparent proxy for the HTTPS protocol on port 443 in Squid 2.6
(steps tested on Squid 2.6 running on RHEL 5.0)

Configuring a transparent proxy on port 80 for HTTP is simple, but using a transparent proxy with HTTPS takes some extra configuration.

We need this because if we block a website, say www.facebook.com, users can no longer reach it over HTTP on port 80, but the same user can open https://www.facebook.com and the site loads: with NAT and IP forwarding enabled, port 443 traffic is simply routed past the proxy, so the block is bypassed.

If we just add port 443 to iptables the same way we did for port 80, redirecting it to the plain http_port, all HTTPS traffic breaks: the browser's TLS ClientHello arrives on a port that speaks plain HTTP, and the browser reports

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

Blocking all HTTPS traffic is not possible in an office environment, and a transparent proxy is the requirement, so follow the steps below to give HTTPS its own TLS-terminating port in Squid. Be clear about what this does: Squid ends the client's TLS session itself and presents its own certificate in place of every site's, i.e. it intercepts the encrypted traffic and can read it. Only do that on a network where this is permitted and the users know about it.

Create two iptables rules (the first one probably exists already from the HTTP setup; add the second):

#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

(Here eth0 is the NIC facing the local clients; adjust it to your topology.)

Certificate and private key generation

Install the crypto-utils rpm

#rpm -ivh crypto-utils-2.3
#genkey -days 365 squidserver.hostname.com
(Use your own host name here, e.g. #genkey -days 365 squidserver.corvit.com)
Hit Next.
Select the RSA key size. The default offered is 1024 bits; choose 2048 or larger, since 1024-bit RSA is no longer considered adequate. The tool then gathers random bits for the key.
Generate the certificate. This may take some time.
When asked whether to generate a CSR, select No.
Give the details of your certificate.
Hit Next.
Do nothing and hit Next.
Do not protect the key with a passphrase: Squid has to load it unattended at start-up, so the passphrase would have to be typed at every restart or stored in the clear next to the key anyway. Protect the key with file permissions instead (readable by root and the Squid user only). The passphrase is never something you share with anyone.

The certificate and key are stored at /etc/pki/tls/certs/ and /etc/pki/tls/private/

In squid.conf make necessary changes like this

http_port 3128 transparent

https_port 3130 transparent cert=/etc/pki/tls/certs/squidserver.hostname.com.cert key=/etc/pki/tls/private/squidserver.hostname.com.key

Restart the Squid service. Now when a client opens an HTTPS website, the browser reports that the secure connection failed: the certificate it receives is Squid's own, issued for squidserver.hostname.com, not one for the site it asked for. At the end of the message there is a link "Or you can add an exception"; click it, then Add Exception, Get Certificate and Confirm Security Exception. The site then opens if no rule stops it, or is blocked if a blocking ACL exists for it.

The exception is stored per site: a user adds it the first time they visit a given HTTPS site, and the second time that site opens normally without asking. Every new HTTPS site asks again, because each is a new host name that the proxy certificate does not match.

Buying a certificate from VeriSign or another CA the browser trusts does not remove these prompts: a public CA only issues a certificate for a name you control, and the browser checks the certificate against the host name it requested (www.facebook.com), not against squidserver.hostname.com. The only way to avoid the warnings is to run your own CA, have the proxy mint a certificate for each site signed by it, and install that CA as trusted on every managed client. That is Squid's SSL bump feature (Squid 3.1 and later), not the 2.6 setup shown here, and it makes the proxy able to read all of your users' HTTPS traffic.
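An added example, not part of the original post, that does the key and certificate step with openssl instead of genkey (2048-bit key, no passphrase, private key readable by its owner only) and then runs the same name check a browser does, using openssl x509 -checkhost: the certificate is valid for squidserver.hostname.com and for nothing else, which is why every intercepted site warns. The host name is the one used in the post; WORKDIR is an assumption (the real files belong in /etc/pki/tls/certs and /etc/pki/tls/private).

```shell
#!/bin/sh
# Added example (not from the original post): the key/certificate step done with
# openssl instead of genkey, plus the host-name check that explains the browser
# warnings. HOST is the name used in the post; WORKDIR is an assumption.

HOST="squidserver.hostname.com"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_cert: 2048-bit RSA key and a one-year self-signed certificate for $HOST.
# -nodes leaves the key without a passphrase (squid must load it unattended);
# umask 077 makes the key file 0600 instead, so only its owner can read it.
make_cert() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$HOST" \
          -keyout "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.cert" 2>/dev/null )
}

# key_mode FILE: the permission bits as ls shows them, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# cert_matches_host CERT NAME: 0 if the certificate is valid for NAME, 1 if not.
# This is the check a browser makes against the site name it requested.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# demo: build the pair and show why every intercepted site warns
demo() {
    make_cert || return 1
    echo "key mode: $(key_mode "$WORKDIR/$HOST.key")"
    for name in "$HOST" www.facebook.com mail.example.com; do
        if cert_matches_host "$WORKDIR/$HOST.cert" "$name"; then
            echo "$name: certificate matches, no browser warning"
        else
            echo "$name: certificate does NOT match, browser will warn"
        fi
    done
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Copy the two files into /etc/pki/tls/certs and /etc/pki/tls/private, keep the key owned by root with mode 0600 (or 0640 with the Squid user's group), and point the https_port line at them. The two "does NOT match" lines are the whole story of the browser prompts: no certificate for the proxy's own name can ever match the sites users ask for.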
Read more...

Friday, May 25, 2012

Linux Local Yum Installation / Configuration

0 comments

Step by Step:

Installing software on Linux by hand runs into dependency problems; yum is the tool that resolves them. Let's configure a local yum repository.

1. We need an FTP server to serve the repository; the same (local) server can act as the FTP server. The following is the local server configuration.

2. Start the vsftpd service; anonymous access must be allowed on this FTP server.

3. Copy the Red Hat DVD into the "/var/ftp/pub" directory.
#cp -r /media/RHEL* /var/ftp/pub

4. Create the repodata directory and its repomd.xml.

5. To create these files we need the createrepo package (it is on the DVD).
#rpm -ivh createrepo.rpm

6. Now run the following command to create repodata and repomd.xml:
#createrepo -v /var/ftp/pub

7. When that completes, define the repository. Appending to /etc/yum.conf works, but the conventional place is its own file under /etc/yum.repos.d/:
#vim /etc/yum.repos.d/local.repo

8. Put the following in it (replace the IP address with your machine's). The original recipe set gpgcheck=0; leave signature checking on instead. With gpgcheck=0 yum installs whatever sits on the FTP server unverified, and an anonymous FTP share is exactly the kind of place a tampered package would be planted. The Red Hat release key ships with the redhat-release package, so point gpgkey at it and import it once with rpm --import.
[local]
name=Local RHEL DVD
baseurl=ftp://192.168.0.254/pub
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

9. Write and quit. The local repository is ready, and yum now installs software normally, e.g.
#yum install httpd

It will resolve the dependencies and install the required software.

10. To check the yum logs:
#cat /var/log/yum.log
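An added example, not part of the original post: a small audit over yum repository definitions that prints every enabled section where signature checking is off (gpgcheck=0), or where gpgcheck is on but no gpgkey= is given so the key would have to be in the rpm database already. The sample repo file is constructed here and includes the [local] section as the post originally wrote it, with gpgcheck=0, beside a signed version.

```shell
#!/bin/sh
# Added example (not from the original post): list yum repository sections that
# would install unverified packages. Reads the same [section] key=value format
# yum uses; pass one or more files, or feed one on stdin. (A section with no
# gpgcheck line inherits it from [main]; that inheritance is not modelled.)

# unsigned_repos [FILE...]: print the id of every enabled section (other than
# [main]) that has gpgcheck=0, or gpgcheck on but no gpgkey= line
unsigned_repos() {
    awk '
        function flush() {
            if (id != "" && id != "main" && enabled != "0" && (gpgcheck == "0" || gpgkey == ""))
                print id
        }
        /^[ \t]*\[/ {                      # new section: report the previous one
            flush()
            id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*/, "", id)
            enabled = "1"; gpgcheck = ""; gpgkey = ""   # yum defaults: enabled, no key
            next
        }
        /^[ \t]*(#|;|$)/ { next }          # comments and blank lines
        {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
        }
        END { flush() }
    ' "$@"
}

# sample_repo: constructed sample, with the post's [local] section as written
sample_repo() {
    cat <<'EOF'
[main]
gpgcheck=1

# local DVD copy, as in the post: signature checking switched off
[local]
name=Local RHEL DVD
baseurl=ftp://192.168.0.254/pub
enabled=1
gpgcheck=0

# same repo, with the release key checked
[local-signed]
name=Local RHEL DVD (signed)
baseurl=ftp://192.168.0.254/pub
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

# gpgcheck on but no key given: yum will reject packages unless the key is already imported
[nokey]
name=Untrusted mirror
baseurl=http://mirror.example.com/pub
gpgcheck=1

[disabled]
name=Off
baseurl=http://mirror.example.com/old
enabled=0
gpgcheck=0
EOF
}

# Run directly: audit the sample
sample_repo | unsigned_repos
```

On a real system run unsigned_repos /etc/yum.conf /etc/yum.repos.d/*.repo; anything it prints is a repository from which yum will happily install packages nobody has signed.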
Read more...

Saturday, May 19, 2012

Public Share on Samba Server

1 comments

The goal of this tutorial is to show how to set up a public share on your Samba server that everyone on your network can use with full rights, so that anyone on a Windows machine can access it without a password. This obviously has security implications (anyone who can reach the server can read, write and delete everything in the share), but it is a good way to get something working. The next article will show how to create a share that only one user can access.

1. Install Samba
yum install samba samba-client samba-common
chkconfig --level 35 smb on
service smb start
2. Create a new smb.conf file
First, move the default smb.conf aside as a backup, then create a whole new one.
# cd /etc/samba
# mv smb.conf smb.conf.backup
# vim smb.conf
Here's the new smb.conf file.
The workgroup should be the workgroup your Windows machines use. Because map to guest = bad user turns every unknown user name into the guest account and the share is writable, limit who can reach the server at all: add hosts allow = 192.168.1. 127. (your own LAN) to [global], or at least make sure the firewall keeps ports 139 and 445 off any untrusted network.
[global]
netbios name = linuxserver
workgroup = WORKGROUP
server string = Public File Server
security = user
map to guest = bad user
guest account = smbguest
[public]
path = /public
guest ok = yes
read only = no
3. Test with testparm
This will help you determine if you have any major problems with the set up you placed in smb.conf.
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section “[public]”
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
server string = Public File Server
map to guest = Bad User
guest account = smbguest
[public]
path = /public
read only = No
guest ok = Yes
4. Create the guest user
Since the purpose is to map unknown users to a dedicated guest account, create that account. Create the group first, with a GID that is unused and above 500; 525 is used here:
groupadd -g 525 smbguest
Then create the user with the same UID, no home directory and no login shell. useradd keeps /etc/passwd and /etc/shadow consistent; if you prefer editing /etc/passwd by hand, do it with vipw.
useradd -M -u 525 -g 525 -c "Samba Guest Account" -d /dev/null -s /bin/false smbguest
This produces the following passwd entry:
smbguest:x:525:525:Samba Guest Account:/dev/null:/bin/false
Now change to the root of the file system and create the directory to share. It is owned by the guest account, so everyone coming in through Samba (all mapped to smbguest) can write to it, while the 755 mode leaves other local users read-only.
# cd /
# mkdir public
# chown -R smbguest:smbguest public
# ls -l
drwxr-xr-x 2 smbguest smbguest 184 2007-08-03 15:18 public
Check the result: smbclient -N -L localhost should list public without asking for a password.
Read more...

Thursday, May 17, 2012

MRTG on Linux

0 comments

The Multi Router Traffic Grapher (MRTG) is a network and resource monitoring tool used by system administrators around the world. It generates HTML pages containing PNG images that give a near-real-time visual representation of network traffic and system resources.

STEP 1: Install MRTG with required packages

# yum install mrtg net-snmp net-snmp-utils -y

STEP 2: Configure snmpd

If you need to monitor localhost, including the interfaces and other things such as CPU and memory, configure snmpd. Open /etc/snmp/snmpd.conf,

# vim /etc/snmp/snmpd.conf

and change it as follows so that only queries from localhost with this community are accepted. The community string works like a password: replace "public" (the well-known default every scanner tries first) with a name of your own and use the same one in the cfgmaker command below. Despite the "rw" group name, the access line grants read-only access (the write view is none), which is all MRTG needs:

com2sec   local      localhost       public

group      rwgroup    v1         local
group      rwgroup    v2c        local
group      rwgroup    usm        local

view      all        included       .1   80

access   rwgroup    ""  any   noauth    exact  all    all    none
syslocation BSNL, India
syscontact Root <web@linuxarticles.org>

Save and close the file. Restart snmpd:

# chkconfig snmpd on; service snmpd restart

Make sure you see interface IP, by running the following command:

# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

Sample Outputs:
IP-MIB::ipAdEntIfIndex.121.xx.yy.zzz = INTEGER: 2
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1

STEP 3: Configure MRTG,

Use the cfgmaker command to create the /etc/mrtg/mrtg.cfg file:
# cfgmaker --global 'WorkDir: /var/www/mrtg' --output /etc/mrtg/mrtg.cfg public@localhost

Options:
    • --global 'WorkDir: /var/www/mrtg' : the work directory where MRTG stores its graphs.
    • --output /etc/mrtg/mrtg.cfg : the configuration file to write.
    • public@localhost : public is the SNMP community of the device to build a configuration for; localhost is the DNS name or IP address of the SNMP-manageable device, i.e. our local server.
Finally, run indexmaker to create the web page that indexes the per-interface MRTG pages:

# indexmaker --output=/var/www/mrtg/index.html /etc/mrtg/mrtg.cfg

STEP 4: Verify Cron Job

# cat /etc/cron.d/mrtg

*/5 * * * * LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok

Now, restart crond service to make it live instantly.

# chkconfig crond on; service crond restart

STEP 5: View the graphs

You need the Apache web server to view the graphs; install httpd with:

# yum install httpd

# chkconfig httpd on ; service httpd start


Now open http://server1.linuxarticles.org/mrtg/ , using your own server name instead of server1.linuxarticles.org. The graphs reveal your traffic patterns and interface inventory, so do not leave /mrtg/ open to everyone who can reach port 80: if your mrtg package ships /etc/httpd/conf.d/mrtg.conf it normally limits access to 127.0.0.1, so widen it only to your admin network; otherwise add an equivalent Directory block that allows only your admin range.


Read more...

Tuesday, May 15, 2012

Configure or setup VNC server in linux rhel5 / centos5

0 comments

How to configure a VNC server in Linux?

#VNC Server configuration#
#yum -y install vnc*

Before using it we need to set a password for the server, with the vncpasswd command. Keep in mind what that password is worth: VNC passwords are cut to 8 characters and stored only obfuscated, and the VNC session itself is not encrypted, so the display ports (5900 plus the display number) should never face an untrusted network.
#Set the password#
#vncpasswd

#Start the service#
#service vncserver start

To start a VNC desktop we run the following command; on its first execution it creates the files under ~/.vnc.
#Run the server command#
#vncserver
or
#vncserver :13     (:13 is the display number; without it the first free display, usually :1, is used)

Better, bind the display to the loopback interface and reach it through an SSH tunnel, so neither the VNC traffic nor the password crosses the network in the clear:
#vncserver :13 -localhost
and on the client: ssh -L 5913:localhost:5913 user@server, then point the VNC viewer at localhost:13.

The xstartup file is generated by the command above. One small change is needed in it to get a full desktop session instead of the bare twm/xterm default:
# vi .vnc/xstartup
uncomment the following lines.
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

#service vncserver restart
Read more...

Blocking video files with rep_mime_type video/x-flv

0 comments

There are several video file formats. One of them is FLV, the format used by streaming video services such as YouTube, Metacafe, etc.

We are going to block these files. Note what this ACL can and cannot do: rep_mime_type inspects the Content-Type of the reply, so Squid still fetches the object from the origin before denying it; it only catches responses actually labelled video/x-flv (not MP4, and not video served as application/octet-stream); and it sees nothing inside HTTPS. The configuration file is:
acl LOCALHOST src 127.0.0.1
acl LOCALNET_A src 192.168.0.0/24
acl FORBIDDEN_DESTINATION dstdomain "/etc/squid3/restricteddomains.txt"
acl FORBIDDEN_VIDEO rep_mime_type video/x-flv

http_access deny FORBIDDEN_DESTINATION
http_reply_access deny FORBIDDEN_VIDEO

http_access allow LOCALHOST
http_access allow LOCALNET_A
# Without a final deny, requests from anywhere else fall back on Squid's
# "opposite of the last rule" default; make the decision explicit:
http_access deny all

http_port 3128

    Read more...

    How To Block/Deny Websites To Specific IP/Users/Time Using Squid Proxy

    9 comments

Assume you already have a working squid installation.

Requirements:
Some websites will only be blocked during office hours (8am to 12pm and 1:30pm to 6pm).
Websites will only be blocked for specific IPs.
Deny websites using keywords.
Edit /etc/squid/squid.conf

# vi /etc/squid/squid.conf

Find the line "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS" and add the following (the day letters are Squid's own: M T W H F for Monday to Friday). Note that url_regex takes the file directly, without a src keyword, and that -i makes the match case-insensitive; without it http://www.FACEBOOK.com/ walks straight past the list. The deny lines must stay above the allow for myNetwork, since Squid stops at the first matching http_access line.

acl morning_hours time M T W H F 8:00-12:00
acl evening_hours time M T W H F 13:30-18:00

acl deniedDomains url_regex -i "/etc/squid/deniedDomains"
acl blacklistIP src "/etc/squid/blacklistIP"

http_access deny deniedDomains morning_hours blacklistIP
http_access deny deniedDomains evening_hours blacklistIP

acl myNetwork src "/etc/squid/acl"
http_access allow myNetwork
http_access deny all


Create the list of patterns to be blocked, one per line. These are regular expressions searched anywhere in the URL, so "facebook" also matches any URL that merely mentions it; escape dots, as in videos\.google, where you mean a literal dot:

# vi /etc/squid/deniedDomains


friendster
metacafe
myspace
videos\.google
youtube
facebook
chatenabled\.mail\.google\.com


Create the list of client IPs whose access is restricted:

# vi /etc/squid/blacklistIP


192.168.0.254
192.168.1.221
192.168.1.236
172.16.70.0/24


Create the list of IPs allowed to use your squid proxy (note that 192.168.0.254 from the blacklist is in none of these ranges, so that client is refused by the final deny regardless of the time of day):

# vi /etc/squid/acl


192.168.1.0/24
172.16.70.0/24
213.44.2.126


Reload squid:

# /etc/init.d/squid reload
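An added example, not part of the original post: a dry run of this policy in the shell, so you can see what a given client, weekday, time and URL would get before reloading squid. It rebuilds the three list files from the contents above in a temporary directory (an assumption; squid reads them from /etc/squid) and mimics squid's evaluation: url_regex as a case-insensitive regex search over the whole URL (what url_regex -i gives; without -i the upper-case URL in the test would slip through), src as an IP/CIDR test, and time as a weekday plus HH:MM window (treating the end of the window as exclusive is an approximation). The final deny stands in for an explicit http_access deny all; if your squid.conf ends with the allow instead, Squid's default is the opposite of the last rule, so the result is the same.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run the blocking policy above.
# The three list files are rebuilt here from the post's contents into a
# temporary directory (an assumption; squid reads them from /etc/squid).

LISTS="${LISTS:-$(mktemp -d)}"
printf '%s\n' friendster metacafe myspace 'videos\.google' youtube facebook \
    'chatenabled\.mail\.google\.com' > "$LISTS/deniedDomains"
printf '%s\n' 192.168.0.254 192.168.1.221 192.168.1.236 172.16.70.0/24 > "$LISTS/blacklistIP"
printf '%s\n' 192.168.1.0/24 172.16.70.0/24 213.44.2.126 > "$LISTS/acl"

# url_denied URL: like "acl ... url_regex -i FILE", a case-insensitive regex
# search anywhere in the URL; returns 0 when any pattern matches
url_denied() {
    printf '%s\n' "$1" | grep -E -i -q -f "$LISTS/deniedDomains"
}

# ip_in_list FILE IP: like "acl ... src FILE"; entries are single IPs or CIDR
# blocks. Compares network parts as integers (no gawk-only bit operators).
ip_in_list() {
    awk -v ip="$2" '
        function toint(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        NF {
            split($1, e, "/"); bits = (e[2] == "") ? 32 : e[2] + 0
            div = 2 ^ (32 - bits)            # 1 for /32, 256 for /24, 2^32 for /0
            if (int(toint(ip) / div) == int(toint(e[1]) / div)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# in_office_hours DAY HH:MM: like the two time ACLs; DAY uses squid letters
# (S M T W H F A). The end of each window is treated as exclusive (approximation).
in_office_hours() {
    case "$1" in M|T|W|H|F) ;; *) return 1 ;; esac
    awk -v t="$2" 'BEGIN { split(t, a, ":"); m = a[1] * 60 + a[2]
        exit ((m >= 8 * 60 && m < 12 * 60) || (m >= 13 * 60 + 30 && m < 18 * 60)) ? 0 : 1 }'
}

# decide IP DAY HH:MM URL: prints "deny" or "allow", following the http_access
# lines in order: deny when all three ACLs of a deny line match, else allow for
# myNetwork, else deny (explicit deny all, or squid's default).
decide() {
    if ip_in_list "$LISTS/blacklistIP" "$1" && in_office_hours "$2" "$3" && url_denied "$4"; then
        echo deny
    elif ip_in_list "$LISTS/acl" "$1"; then
        echo allow
    else
        echo deny
    fi
}

# demo: a few cases; run this file directly to see them
demo() {
    for c in "192.168.1.221 M 09:30 http://www.facebook.com/" \
             "192.168.1.221 M 12:30 http://www.facebook.com/" \
             "192.168.1.221 A 09:30 http://www.facebook.com/" \
             "172.16.70.9 W 15:00 http://www.youtube.com/watch" \
             "192.168.1.50 W 15:00 http://www.youtube.com/" \
             "192.168.0.254 W 15:00 http://www.example.com/"; do
        set -- $c
        printf '%-14s %s %s %-36s %s\n' "$1" "$2" "$3" "$4" "$(decide "$1" "$2" "$3" "$4")"
    done
}
demo
```

Two of the demo lines are the ones worth looking at: the lunch-hour request from a blacklisted client is allowed, because neither time ACL matches between 12:00 and 13:30, and 192.168.0.254 is denied for an innocuous site at any time, because it appears in the blacklist but not in the proxy's allowed networks.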
    Read more...