30 Mar 2555 (B.E.)

Always the right time to do the right thing


It is always the right time if you want to do the right thing; it is never too late. Back then I studied it but did not like it. The teacher who taught it put it this way: a person's life is very strange, unlike running a business and unlike anything else, in that it can start over every day. You can start over today, or right now, either way.

http://203.155.220.217/pdd/magazine/07_50/07_04.htm

2 Mar 2555 (B.E.)

Install SARG for squid3 on Ubuntu 11.10

Sarg is a very good tool for analysing users' internet usage. After reviewing the results I use this data to shape bandwidth, but today we will just look at the reports first.
apt-get install sarg

Once it is installed, configure it:
cp /etc/sarg/sarg.conf /etc/sarg/sarg.conf.original
nano /etc/sarg/sarg.conf

Uncomment these lines:
access_log /var/log/squid3/access.log # location of the squid log
graphs yes
output_dir /var/www/squid-reports # change the location to whatever you like

Next, create the scripts that make Sarg generate the reports, and have cron run them at the scheduled times. Three scripts are needed: daily, weekly and monthly.
nano /usr/sbin/sarg-daily-report

#!/bin/sh
# Report on the last day of squid3 traffic, then rotate the squid3 log.
# Note: rotating here means the weekly and monthly runs below only see the
# log written since this rotation unless they are pointed at the rotated files too.
TODAY=$(date +%d/%m/%Y)
YESTERDAY=$(date --date "1 day ago" +%d/%m/%Y)
sarg /var/log/squid3/access.log -o /var/www/squid-reports/daily -z -d $YESTERDAY-$TODAY
/usr/sbin/squid3 -k rotate
exit 0

nano /usr/sbin/sarg-weekly-report

#!/bin/sh
# Report on the last seven days
TODAY=$(date +%d/%m/%Y)
LASTWEEK=$(date --date "7 days ago" +%d/%m/%Y)
sarg /var/log/squid3/access.log -o /var/www/squid-reports/weekly -z -d $LASTWEEK-$TODAY
exit 0

nano /usr/sbin/sarg-monthly-report

#!/bin/sh
# Report on the last month
TODAY=$(date +%d/%m/%Y)
LASTMONTH=$(date --date "1 month ago" +%d/%m/%Y)
sarg /var/log/squid3/access.log -o /var/www/squid-reports/monthly -z -d $LASTMONTH-$TODAY
exit 0

chmod 755 /usr/sbin/sarg-daily-report
chmod 755 /usr/sbin/sarg-weekly-report
chmod 755 /usr/sbin/sarg-monthly-report

Then schedule the report generation through cron:
crontab -e

00 00 * * * /usr/sbin/sarg-daily-report
00 01 * * 1 /usr/sbin/sarg-weekly-report
03 02 1 * * /usr/sbin/sarg-monthly-report

To test, run the scripts by hand:
/usr/sbin/sarg-daily-report
/usr/sbin/sarg-weekly-report
/usr/sbin/sarg-monthly-report

/etc/init.d/cron restart

Finally, to view the reports open:
http://ip_address_server/squid-reports
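The three report scripts differ only in the date offset and the output directory. The following is an added example, not from the original post, that folds them into one script taking daily, weekly or monthly as its argument; it assumes GNU date (as on Ubuntu), the log and report paths used above, and leaves log rotation to logrotate rather than rotating inside the report run.

```shell
#!/bin/sh
# Added example (not from the original post): one script in place of the three
# sarg-*-report files. Usage: sarg-report daily|weekly|monthly
# Assumes GNU date and the squid3/sarg paths used in the post above.
set -u
ACCESS_LOG=${ACCESS_LOG:-/var/log/squid3/access.log}
REPORT_ROOT=${REPORT_ROOT:-/var/www/squid-reports}

# Map a period name to the relative date string GNU date understands.
period_offset() {
    case $1 in
        daily)   echo "1 day ago" ;;
        weekly)  echo "7 days ago" ;;
        monthly) echo "1 month ago" ;;
        *)       echo "unknown period: $1" >&2; return 1 ;;
    esac
}

# Print the dd/mm/yyyy-dd/mm/yyyy range that "sarg -d" expects, ending at $2
# (defaults to today; passing a fixed date makes the output reproducible).
sarg_range() {
    offset=$(period_offset "$1") || return 1
    ref=${2:-$(date +%Y-%m-%d)}
    start=$(date --date "$ref $offset" +%d/%m/%Y)
    end=$(date --date "$ref" +%d/%m/%Y)
    echo "$start-$end"
}

# Generate the report for one period. Rotation is deliberately not done here:
# rotating in the daily run would leave the weekly and monthly runs with only
# one day of data, so let logrotate rotate and let -d pick the date range.
run_report() {
    range=$(sarg_range "$1") || return 1
    sarg "$ACCESS_LOG" -o "$REPORT_ROOT/$1" -d "$range"
}

# Run only when a period is given on the command line
case ${1:-} in
    daily|weekly|monthly) run_report "$1" ;;
esac
```

Install it as /usr/sbin/sarg-report and call it from cron as "sarg-report daily", "sarg-report weekly" and "sarg-report monthly" in place of the three entries above.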

1 Mar 2555 (B.E.)

How to set up a Transparent Proxy with Squid3 and dhcp3-server on Ubuntu Oneiric Ocelot

Squid is a very well known and widely used caching proxy server for the common web protocols such as HTTP, HTTPS, FTP and more. It caches frequently accessed web pages and thus reduces bandwidth use and response time. Squid is available for almost all platforms, including Windows. It is open source and available under the GNU GPL.

The advantage of setting up Squid as a transparent proxy is that you don't need to configure each machine on your LAN to use Squid manually. All web traffic is redirected to the Squid listening port automatically, and your Ubuntu box acts as the router.

Follow these steps to set up a transparent proxy server with Squid3 on Ubuntu 11.10 (Oneiric Ocelot):

1. Install Ubuntu Oneiric Ocelot Server or Desktop on your computer.

2. Change your network interfaces from DHCP to static:
nano /etc/network/interfaces

Delete all the text and paste this text in your interfaces file:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.0.12
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.3

auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255

Where 192.168.0.12 is the IP address of your WAN interface and 192.168.2.1 is the IP address of your LAN interface.
nano /etc/resolv.conf

Paste this text in the file that opens up:
nameserver 127.0.0.1

A nameserver entry of 127.0.0.1 means the box resolves names through a local, caching-only name server; that is the bind9 resolver set up in step 17, and until it is running, name resolution on the box itself will fail.

3. Install squid3:
sudo apt-get install squid3

4. Make a backup of your squid.conf for future reference. squid.conf lists nearly all the options, and it is worth reading through it to learn more about them.
cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original

5. Configure squid3:
nano /etc/squid3/squid.conf

Remove all the text and paste this text in your squid.conf file:
# Accept the connections iptables redirects here ("transparent" is the
# squid 3.1 keyword for intercept mode)
http_port 3128 transparent
acl LAN src 192.168.2.0/24
acl localnet src 127.0.0.1/255.255.255.255

# Limit file downloads to 250 MB
reply_body_max_size 250 MB
http_access allow LAN
http_access allow localnet
# Explicit default: deny everyone else (squid would deny by default here anyway)
http_access deny all
# Do not cache anything
no_cache deny all

Where 192.168.2.0/24 is the range of your LAN interface. Note that "no_cache deny all" switches caching off entirely, so this file defines no cache_dir; if you want caching, add a cache_dir line, whose first number is the cache size in MB (20000 for 20 GB).
Save and close this file.

6. Restart squid3:
/etc/init.d/squid3 restart

7. Edit /etc/sysctl.conf:
nano /etc/sysctl.conf

In this file, uncomment the line that enables packet forwarding for IPv4:
net.ipv4.ip_forward=1

Save and close this file.

8. Define iptables rules for NAT, port redirection and filtering.
nano /etc/fw.proxy

Paste this text in the file that opens up:
#!/bin/sh
# squid server IP (LAN side)
SQUID_SERVER="192.168.2.1"
# Interface connected to the Internet
INTERNET="eth0"
# Interface connected to the LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load iptables modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For Windows XP FTP clients
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Added hardening: forward nothing by default, so unsolicited connections
# arriving on the WAN side cannot be routed into the LAN
iptables -P FORWARD DROP
# Unlimited access to loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# On the WAN side accept only replies to connections this box opened
# (conntrack covers DNS replies and passive FTP data connections)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Set this system as a router for the rest of the LAN: masquerade outbound
# traffic, forward new connections from the LAN and only replies from the WAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
iptables --append FORWARD --in-interface $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Unlimited access from the LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid on $SQUID_PORT, aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# If it is the same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# Accept new TCP connections to port 53 (DNS) and port 82 on any interface
iptables -I INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 82 --syn -j ACCEPT

# Block torrent: drop forwarded packets whose payload contains these strings
# (Boyer-Moore search). This sees plaintext only, and short strings such as
# "torrent" and "announce" also match ordinary web pages containing those words.
iptables -I FORWARD -m string --algo bm --string "BitTorrent" -j DROP
iptables -I FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
iptables -I FORWARD -m string --algo bm --string "peer_id=" -j DROP
iptables -I FORWARD -m string --algo bm --string ".torrent" -j DROP
iptables -I FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP
iptables -I FORWARD -m string --algo bm --string "torrent" -j DROP
iptables -I FORWARD -m string --algo bm --string "announce" -j DROP

iptables -I FORWARD -m string --algo bm --string "tracker." -j DROP
iptables -I FORWARD -m string --algo bm --string "info_hash" -j DROP
iptables -I FORWARD -m string --algo bm --string "/default.ida?" -j DROP # Code Red worm
iptables -I FORWARD -m string --algo bm --string ".exe?/c+dir" -j DROP # Nimda worm
iptables -I FORWARD -m string --algo bm --string ".exe?/c_tftp" -j DROP # Nimda worm

# BitTorrent keywords (Knuth-Morris-Pratt search over the whole packet)
iptables -I FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "bittorrent-announce" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "announce.php?passkey=" --algo kmp --to 65535 -j DROP

# DHT keywords
iptables -I FORWARD -m string --string "info_hash" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "get_peers" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "announce" --algo kmp --to 65535 -j DROP
iptables -I FORWARD -m string --string "announce_peers" --algo kmp --to 65535 -j DROP

# The same strings on traffic addressed to this box itself
iptables -I INPUT -s 0.0.0.0/0 -m string --string "info_hash" --algo bm -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "announce" --algo bm -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "torrent" --algo bm -j DROP
iptables -I INPUT -s 0.0.0.0/0 -m string --string "sumotracker" --algo bm -j DROP

# Accept new TCP connections to port 22222 on either address of this box
iptables -I INPUT -p tcp -m tcp --dport 22222 --dst $SQUID_SERVER -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 22222 --dst 192.168.0.12 -j ACCEPT

# Log whatever reaches the end of each chain
iptables -A INPUT -j LOG --log-level info --log-prefix "INPUT "
iptables -A OUTPUT -j LOG --log-level info --log-prefix "OUTPUT "
iptables -A FORWARD -j LOG --log-level info --log-prefix "FORWARD "

# DROP everything else and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save and close this file.

Make it executable:
chmod +x /etc/fw.proxy
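The string-match rules in /etc/fw.proxy test the packet payload for a case-sensitive substring. This added example (not part of the original post) emulates that test on constructed payloads with grep -F, to show the collateral: a genuine BitTorrent handshake is dropped, but so is an ordinary HTTP request for a page path that happens to contain the word "announce". The sample payloads and the pattern subset are constructed here, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the original post): emulate "iptables -m string --algo bm"
# on constructed payloads. grep -F on the payload is the same case-sensitive
# substring test the kernel match performs (and, like it, sees plaintext only).
set -u

# A subset of the strings dropped by /etc/fw.proxy above, one per line
BT_PATTERNS='BitTorrent protocol
peer_id=
.torrent
announce.php?passkey=
torrent
announce
tracker.
info_hash
get_peers'

# Print the first pattern contained in the payload given as $1; return 1 if none.
first_match() {
    while IFS= read -r pat; do
        if printf '%s' "$1" | grep -qF -- "$pat"; then
            printf '%s\n' "$pat"
            return 0
        fi
    done <<EOF
$BT_PATTERNS
EOF
    return 1
}

# Constructed sample payloads (not captured traffic)
BT_HANDSHAKE=$(printf '\023BitTorrent protocol')   # prefix of a real client handshake
BENIGN_GET=$(printf 'GET /press/announcements/2012.html HTTP/1.1\r\nHost: www.example.com\r\n')
CLEAN_GET=$(printf 'GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n')

# When run directly, report what each sample would trigger
for sample in "$BT_HANDSHAKE" "$BENIGN_GET" "$CLEAN_GET"; do
    line=$(printf '%s' "$sample" | head -n 1 | tr -d '\r')
    if hit=$(first_match "$sample"); then
        echo "DROP (matched '$hit'): $line"
    else
        echo "PASS: $line"
    fi
done
```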

9. Edit /etc/rc.local:
nano /etc/rc.local

Paste this text at the end of the file that opens up but before "exit 0":
/etc/fw.proxy

Save and close this file.

10. Reboot your server.

If you don't want to go to each machine on your network and configure it with a static IP, you can use dhcp3-server to assign dynamic IPs to all the computers on your LAN and make them forward all their internet traffic to your squid box.

11. Install the DHCP server (on 11.10, dhcp3-server is a transitional package that installs isc-dhcp-server):
apt-get install dhcp3-server

12. Edit /etc/default/isc-dhcp-server:
nano /etc/default/isc-dhcp-server

Type eth1 between the quotes in this line, so the DHCP server listens only on the LAN interface:
INTERFACES=""

Save and close this file.

13. Make a backup of your original /etc/dhcp/dhcpd.conf:
cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.original

14. Edit /etc/dhcp/dhcpd.conf:
nano /etc/dhcp/dhcpd.conf

Delete all the text and paste this text in the file that opens up:
ddns-update-style none;
log-facility local7;

subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.100 192.168.2.200;
  option domain-name-servers 192.168.2.1;
  option routers 192.168.2.1;
  option broadcast-address 192.168.2.255;
  default-lease-time 600;
  max-lease-time 7200;
}

Clients are handed the proxy box itself (192.168.2.1) as their DNS server; it runs the bind9 caching resolver from step 17, which forwards to True (an ISP in Thailand) DNS in this example. You can point the clients at your own DNS server instead if you have configured one on your network.
Save and close this file.

Make sure all the cables on your network are plugged in and the devices are powered on.

15. Start the DHCP server (the service is named isc-dhcp-server on 11.10):
service isc-dhcp-server start

16. Reboot your server.

17. Install bind9 if it is not already installed (dnsutils provides the dig command for testing):
apt-get install bind9 dnsutils

Edit the bind9 options file to make it a caching, forwarding resolver:
nano /etc/bind/named.conf.options

Delete all the text and paste this text in the file that opens up:
options {
  directory "/var/cache/bind";
  // Upstream resolvers the cache forwards to (True DNS in this example)
  forwarders {
    203.144.207.29;
    203.144.207.49;
  };
  auth-nxdomain no;
  // Answer only the LAN and the box itself. "allow-query { any; }" would make
  // this an open resolver, and the firewall above accepts TCP 53 on every interface.
  allow-query { 127.0.0.1; 192.168.2.0/24; };
};