Global Open Versity, ICT Security Labs Step-By-Step Install Guide Squid Proxy Server with DG on Linux v1.1
Global Open Versity
IT Security & Network Defense Hands-on Labs Training Manual
Build & Deploy Secure Squid Proxy Server with DansGuardian
for Network Protection
Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org
Table of Contents
BUILD & DEPLOY SECURE SQUID PROXY SERVER WITH DANSGUARDIAN FOR NETWORK PROTECTION
Introduction
Part 1: Install CentOS 5 Server
Step 1: Install Required Packages
Step 2: Webmin installation and configuration
Part 3: Squid installation and configuration
Step 1: Install Squid Proxy Server
Step 2: Implement Access Control Lists (ACLs)
Step 2.1: Restricting Web Access By Time
Step 2.2: Restricting Web Access to Specific Websites
Step 3: Squid Proxy Server Mac Address based filtering
Step 4: How to test if your squid proxy is working correctly?
Step 4.1: Running Squid in a Logging mode
Step 4.2: Squid cache proxy by running Squid in debug-mode
Step 5: Manually Configuring Web Browsers to Use Your Squid Server
1. Setting Proxy Server on IE
2. Setting Proxy Server on Mozilla Firefox
Step 6: Integrating Squid Server with Firewall
Step 7: Test Squid with Port Redirection to port 3128
Part 4: Installing and configuring DansGuardian with antivirus plug-in
Step 1: Update Repositories - IMPORTANT!!!
1. RPMForge for CentOS5
2. EPEL repository configuration
Step 2: Install DansGuardian Web Filter
Step 3: Configure DansGuardian (DG) Web Content Filter
Step 4: Configuring the DG Web Filter
Step 5: Test Proxy Server
Step 6: Redirect traffic
Option 1: Using Shorewall Firewall
Option 2: Using Iptables
Step 7: Setup Client Machine
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
www.globalopenversity.org EBT107 – Secure Firewall System Administration Training
Step 8: Web Traffic Monitoring
Part 5: Adding BlackList
Part 6: Lockdown Squid Proxy Server against Malware
Step 1: Installing and configuring anti-virus software ClamAV
Part 7: Lock it Down with MailScanner Antivirus solution
Step 1: Install & Setup MailScanner on CentOS5/RHE5
Part 8: Need More Training on Linux
Secure Firewall Administration Training
Linux Administration Training
Part 9: Hands-on Lab Assignments
A GOV Open Access Technical Academic Publications
Enhancing education & empowering people worldwide through eLearning in the 21st Century
By Kefa Rabah, krabah@globalopenversity.org July 29, 2010 GTS Institute
Introduction
People quickly and easily access volumes of research on the Internet and correspond with a mouse click.
For more and more companies, content filtering is part of the larger battle against all kinds of online
threats, including hackers, worms, viruses and a plethora of malware, not to mention the ever-increasing
phishing activities of cybercriminals. Today schools and colleges are reeling from bandwidth hogging by
students who spend most of their time streaming multimedia. In comes the Squid proxy server.
Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web
server by caching frequently requested web pages; to caching web, DNS and other computer network
lookups for a group of people sharing network resources; to aiding security by filtering traffic. Squid has
extensive access controls and makes a great server accelerator. It also reduces bandwidth usage. Although
primarily used for HTTP and FTP, Squid includes support for several other protocols including TLS, SSL,
Internet Gopher and HTTPS. In 2010, work got under way to include IPv6 and ICAP support. The Squid web
site claims that, when working in front of a server application, it can improve performance by up to four times.
Squid is especially efficient in the case of (probably unexpected) high traffic to one or several particular
pages, since in this case nearly 100% caching can be achieved. It runs on most available operating systems,
including Windows, and is licensed under the GNU GPL.
Today, Linux content filtering allows administrators to configure and manage Internet access across the
entire network and to block unwanted Web content such as pornography, shopping Web sites, games and
gambling, or job searching on company time at a workplace. Combining it with antivirus software makes
it even more powerful and helps to protect our own systems against common threats. This hands-on
training manual contains all the necessary information for installing and understanding the architectural
layout of an implementation of the Squid proxy server, the DansGuardian Web filter and ClamAV on
Linux CentOS-5. It is assumed that students/trainees understand how to install an OS and other
programs, and have a basic understanding of Linux CentOS5/RHEL5 and firewall know-how.
This includes installing Linux CentOS/RHEL5 and RPM packages, editing files, making directories,
compiling software and understanding general UNIX commands. In this training session, I’ll explain how to
install and configure Squid, DansGuardian and ClamAV.
CentOS is a community-supported, free and open source operating system based on Red Hat Enterprise
Linux. It exists to provide a free enterprise-class computing platform and strives to maintain 100% binary
compatibility with its upstream distribution. CentOS stands for "Community ENTerprise Operating
System". CentOS is the perfect server for people who need the stability of an enterprise-class operating
system without the cost of certification and support, and without the pocket-burning baggage that comes
with proprietary software. And the beauty is that CentOS is free.
Solution:
In this lab session, you’ll learn how to set up a virtual network on VMware (you may also use any other
virtual machine software such as MS VirtualPC, Linux Xen, or VirtualBox from Sun). Next you will learn how
to install and configure Linux CentOS5 (VM1) with two NIC adapters. On the Linux VM1, I’ll show you how
to install & configure a DHCP server and the Shorewall firewall. You’ll also learn how to install & configure a
second Linux CentOS5 (VM2) machine to use for testing your firewalled network's connectivity to the public
network (Internet). Finally, you’ll have an opportunity to do the Hands-on Labs home assignments to
test what you have learned in this lesson. Once you’re done with this lab session you should have gained
the experience and capability to plan, design, implement and deploy a simple but secure
Home/SMB office network infrastructure.
Assumptions:
It’s assumed that you have a good understanding of the Linux operating system and its working environment.
It’s also assumed that you know how to install and configure Linux CentOS5; if not, go ahead and pop over
to scribd.com and check out a good training manual entitled “Install Guide Linux CentOS5 Server v1.1” to
get you started.
It’s also assumed that you have a good understanding of working with a Linux-based firewall, e.g., Shorewall,
and its configuration to lock down the network. It’s also assumed that you know how to install and
configure Shorewall on Linux CentOS5; if not, go ahead and pop over to scribd.com and check out a good
training manual entitled “Build & Deploy Secure Shorewall Firewall Protected Network v1.1” to get you
started.
Part 1: Install CentOS 5 Server
Step 1: Install Required Packages
It is now time to specify which programs you wish to install on your system. There are thousands of
packages available for Mandrake Linux, and to make them simpler to manage, the packages have been
placed into groups of similar applications. We just need a basic system. For that reason you should select
the following groups:
• Console Tools
• Development
• Gnome server (or KDE)
Additionally you need the following packages:
• Squid
• Webmin
• Shorewall (or use iptables) firewall
• Perl
Please use the CentOS software update to bring your system up to date: from the Terminal window,
issue the command "yum update". The system will connect to the nearest FTP server and fetch
security updates, bug fixes and normal updates.
Step 2: Webmin installation and configuration
It is time to get Webmin running. Webmin is a web-based interface for UNIX system administration.
Using any browser that supports tables and forms (and Java for the File Manager module), you can set up
user accounts, Apache, DNS, MySQL, file sharing and so on.
Webmin consists of a simple web server and a number of CGI programs which directly update system
files like "/etc/inetd.conf" and "/etc/passwd". The web server and all CGI programs are written
in Perl version 5, and use no non-standard Perl modules. Please get more information about Webmin
here.
Honestly, we do not really need Webmin to get everything running, but it is an excellent tool for a Linux
system administrator, and it will help us to configure Squid and DansGuardian and, of course, the Shorewall
firewall.
1. After the installation please check if Webmin is already running:
/etc/init.d/webmin status
2. If not, please start it like this:
/etc/init.d/webmin start
3. You can now use the Webmin interface with your favorite browser via one of the following URLs:
https://localhost:10000 or http://yourdomain:10000 or https://IP-address:10000
4. We’re done with this section.
Part 3: Squid installation and configuration
Step 1: Install Squid Proxy Server
Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP
data objects. The software is designed to operate on any modern UNIX system. The current stable
version is 2.6.
5. To install Squid using the yum command, do the following:
yum install squid -y