Installing LightSquid

LightSquid is a program that analyzes the browsing records of a Squid proxy server, giving administrators a better picture of how the proxy is being used.
LightSquid official website: http://lightsquid.sourceforge.net/
1. Download LightSquid
# wget --no-check-certificate https://downloads.sourceforge.net/project/lightsquid/lightsquid/1.8/lightsquid-1.8.tgz -P /var/www

2. Extract the archive
# tar xvzf /var/www/lightsquid-1.8.tgz -C /var/www

3. Move the directory
# mv /var/www/lightsquid-1.8 /var/www/lightsquid
4. Edit the configuration file /var/www/lightsquid/lightsquid.cfg
# sed -i 's@/var/www/html@/var/www@' /var/www/lightsquid/lightsquid.cfg

5. Check the configuration
# cd /var/www/lightsquid
# ./check-setup.pl
LightSquid Config Checker, (c) 2005-9 Sergey Erokhin GNU GPL

no: CGI.PM found, please install
no: GD.PM found, please install or set $graphreport=0 to disable

# yum install perl-CGI perl-GD

# ./check-setup.pl
LightSquid Config Checker, (c) 2005-9 Sergey Erokhin GNU GPL

LogPath   : /var/log/squid
reportpath: /var/www/lightsquid/report
Lang      : /var/www/lightsquid/lang/zh_tw
Template  : /var/www/lightsquid/tpl/base
Ip2Name   : /var/www/lightsquid/ip2name/ip2name.simple

all check passed, now try access to cgi part in browser

6. Set the SELinux context
# chcon -R system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/lightsquid

7. Create /etc/httpd/conf.d/lightsquid.conf
# vim /etc/httpd/conf.d/lightsquid.conf
Alias /lightsquid /var/www/lightsquid
ScriptAlias /lightsquid/ /var/www/lightsquid/
<Directory /var/www/lightsquid/>
DirectoryIndex index.cgi
Options ExecCGI
AddHandler cgi-script .cgi
</Directory>

8. Set the SELinux context
# chcon -R system_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d

9. Restart the web server
# systemctl restart httpd.service

10. Add the scheduled jobs
# crontab -e
0 1 * * * /usr/sbin/squid -k rotate > /dev/null 2>&1
30 1 * * * /var/www/lightsquid/lightparser.pl access.log.0 > /dev/null 2>&1

Squid Proxy Server SSL

Reference sites:
SQUID Transparent Proxy (HTTP+HTTPs)
Configuring Squid as an HTTP/HTTPS proxy server and enabling the ICAP client feature
Jedi Linuxer: Using the Squid proxy server to analyze the contents of HTTPS connections
Configure Squid as HTTP and HTTPS Transparent Proxy
Configure squid-3.3 in transparent mode on CentOS 7 with SSL bum – Notes Wiki

CentOS 7.x x64
NAT Client: 192.168.1.0/24
NAT Server: 192.168.1.254
1. Install the perl-Crypt-OpenSSL-X509 package
# yum install perl-Crypt-OpenSSL-X509 --enablerepo=epel

2. Initialize the Squid SSL DB
# /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
Initialization SSL db…
Done
3. Change the owner and group
# chown -R squid.squid /var/lib/ssl_db

4. If SELinux is enabled
# chcon -R -u system_u -t squid_conf_t /var/lib/ssl_db

5. Edit /etc/squid/squid.conf
    Only the lines that were specifically changed are listed
# vim /etc/squid/squid.conf
http_port 3130
http_port 3128 intercept
http_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid
shutdown_lifetime 1 second

6. Create the Squid certificate with OpenSSL
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.$(date +%F)
# vim /etc/pki/tls/openssl.cnf
default_days    = 1365                  # how long to certify for

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = TW
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Yilan

localityName                    = Locality Name (eg, city)
localityName_default            = TouCheng

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Elementary School

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Proxy Server

commonName                      = Common Name (eg, your name or your server's hostname)
commonName_default              = proxy.test.ilc.edu.tw
commonName_max                  = 64

emailAddress                    = test@gmail.com
emailAddress_max                = 64

7. Create the directory
# mkdir /etc/squid/ssl_cert

8. Change the owner and group of the directory
# chown -R squid.squid /etc/squid/ssl_cert

9. Change into the directory
# cd /etc/squid/ssl_cert

10. Create the server key; just press Enter at each prompt
# openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
Generating a 1024 bit RSA private key
………………………………………..++++++
………++++++
writing new private key to 'myca.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [Proxy Server]:
Common Name (eg, your name or your server's hostname) [proxy.test.ilc.edu.tw]:
test@gmail.com []:

11. Create the certificate file for Windows clients (DER format)
# openssl x509 -in myca.pem -outform DER -out myca.der

12. Change the firewall settings
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to 192.168.1.254:3128
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 443 -j DNAT --to 192.168.1.254:3129
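
The squid.conf in step 5 keeps sslproxy_cert_error and sslproxy_flags DONT_VERIFY_PEER commented out. The shell audit below is an added example, not part of the original post: it reports when those directives are active, because on a bumping proxy they switch off verification of the upstream server certificate for every client. The function names and the sample configuration are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the ssl-bump related directives of a squid.conf.
# Directive names are the Squid 3.x ones that appear in the post.

audit_squid_bump() {   # $1 = path to squid.conf; prints one finding per line
    awk '
        /^[ \t]*(#|$)/ { next }    # commented-out or blank lines are inactive
        $1 == "sslproxy_flags" && /DONT_VERIFY_PEER/ {
            print "HIGH upstream certificates are not verified: " $0 }
        $1 == "sslproxy_cert_error" && $2 == "allow" && $3 == "all" {
            print "HIGH every upstream certificate error is accepted: " $0 }
        $1 == "ssl_bump" && $2 != "none" && $NF == "all" {
            print "INFO all intercepted TLS traffic is decrypted: " $0 }
        $1 == "http_port" && /ssl-bump/ {
            cert = ""; key = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^cert=/) cert = substr($i, 6)
                if ($i ~ /^key=/)  key  = substr($i, 5)
            }
            if (cert != "" && cert == key)
                print "INFO CA key and certificate share " cert ", keep it readable by squid only"
        }
    ' "$1"
}

count_high() {         # number of HIGH findings in the file
    audit_squid_bump "$1" | awk '/^HIGH/ { n++ } END { print n + 0 }'
}

# Constructed sample: the post's settings with verification switched off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
http_port 3129 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
ssl_bump server-first all
#sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
EOF
audit_squid_bump "$sample"
echo "HIGH findings: $(count_high "$sample")"
rm -f "$sample"
```

Run it against /etc/squid/squid.conf after each change; the configuration as listed in step 5 produces only INFO lines.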

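Translating the Proxmox interface into Traditional Chinese

Although I am already used to the English interface, I had some spare time and went ahead and changed it myself!
1. Back up the original file
# cp /usr/share/pve-manager/ext6/pvemanagerlib.js /usr/share/pve-manager/ext6/pvemanagerlib.js.$(date +%F)

2. Change the label of the Simplified Chinese entry from Chinese to 簡體中文
# sed -i 's/Chinese/簡體中文/' /usr/share/pve-manager/ext6/pvemanagerlib.js

3. Add a new line below the 簡體中文 entry
# sed -i "/簡體中文/a zh_TW: '正體中文'," /usr/share/pve-manager/ext6/pvemanagerlib.js

4. Convert the Simplified Chinese language file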
# cd /usr/share/pve-manager/locale
# iconv pve-lang-zh_CN.js -f utf8 -t gb2312 | iconv -f gb2312 -t big5 | iconv -f big5 -t utf8 -o pve-lang-zh_TW.js
Or download it
# wget https://2blog.ilc.edu.tw/wp-content/uploads/sites/985/25793/25793-3787742.zip

5. Unzip it and set the owner and group
# apt-get install zip unzip
# unzip 25793-3787742.zip -d /usr/share/pve-manager/locale
# chown -R www-data:www-data /usr/share/pve-manager/locale/pve-lang-zh_TW.js

6. The result; I have revised it as much as I could

Firefox 53.0.2 and ESR 52.1.1

Download the latest version directly and install it
Windows
x86
http://ftp.mozilla.org/pub/firefox/releases/53.0.2/win32/zh-TW/Firefox%20Setup%2053.0.2.exe
ESR 52.1.1
http://ftp.mozilla.org/pub/firefox/releases/52.1.1esr/win32/zh-TW/Firefox%20Setup%2052.1.1esr.exe

x64
http://ftp.mozilla.org/pub/firefox/releases/53.0.2/win64/zh-TW/Firefox%20Setup%2053.0.2.exe
ESR 52.1.1
http://ftp.mozilla.org/pub/firefox/releases/52.1.1esr/win64/zh-TW/Firefox%20Setup%2052.1.1esr.exe

Mac
http://ftp.mozilla.org/pub/firefox/releases/53.0.2/mac/zh-TW/Firefox%2053.0.2.dmg
ESR 52.1.1
http://ftp.mozilla.org/pub/firefox/releases/52.1.1esr/mac/zh-TW/Firefox%2052.1.1esr.dmg

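Installing the Nessus vulnerability scanner on CentOS 7.x

Reference sites:
How to Install and Use Nessus Vulnerability Scanner | LinuxPitStop

Go to the official Nessus download site:
http://www.tenable.com/products/nessus/select-your-operating-system
1. Select the system to install on

2. Select the operating system version to download

3. Software license

4. Copy the downloaded file to the server and install it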
# rpm -ivh Nessus-6.10.2-es7.x86_64.rpm
nessusd (Nessus) 6.10.2 [build M20085] for Linux
Copyright (C) 1998 - 2016 Tenable Network Security, Inc

Processing the Nessus plugins...
[##################################################]

All plugins loaded (1sec)
 - You can start Nessus by typing /bin/systemctl start nessusd.service
 - Then go to https://test:8834/ to configure your scanner

# systemctl start nessusd.service
# systemctl status nessusd.service
● nessusd.service - The Nessus Vulnerability Scanner
   Loaded: loaded (/usr/lib/systemd/system/nessusd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-03-06 10:42:24 CST; 14s ago
 Main PID: 462 (nessus-service)
   CGroup: /system.slice/nessusd.service
           ├─462 /opt/nessus/sbin/nessus-service -q
           └─463 nessusd -q

Mar 06 10:42:24 test systemd[1]: Started The Nessus Vulnerability Scanner.
Mar 06 10:42:24 test systemd[1]: Starting The Nessus Vulnerability Scanner...

# netstat -antulp | grep nessusd
tcp        0      0 0.0.0.0:8834            0.0.0.0:*               LISTEN      463/nessusd
tcp6       0      0 :::8834                 :::*                    LISTEN      463/nessusd

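5. Request an activation code; it can only be used once

6. Choose Nessus Home Free and register

7. Enter the registration details

8. The activation code arrives by e-mail

9. Firewall settings
# firewall-cmd --zone=public --add-port=8834/tcp --permanent
# firewall-cmd --reload

# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 8834 -j ACCEPT

10. Open a browser (Opera is used here) and go to https://<Server IP>:8834

11. Configure

Enter the account name and password to set for the administrator

Enter the Activation Code

12. After a long wait, the login screen finally appears

The screen after logging in

Manual update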
# /opt/nessus/sbin/nessuscli update

----- Fetching the newest updates from nessus.org -----

Nessus Plugins: Complete

Nessus Core Components: Downloading (0%)
Nessus Core Components: Complete

 * Nessus Plugins are now up-to-date and the changes will be automatically processed by Nessus.
 * Nessus Core Components are now up-to-date and the changes will be automatically processed by Nessus.
[warn] An attempt was made to close an invalid database object.

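Fixing the error messages shown when running locale

OB2D-XFCE-Server-2017 originally displays its messages in Chinese, but out of personal habit I removed X-Window, and after logging in remotely with an SSH client the messages are displayed in Chinese, which I am not quite used to.
# cp /etc/default/locale /etc/default/locale.$(date +%F)
# sed -i 's/zh_TW/en_US/' /etc/default/locale
# sed -i 's/zh/en/' /etc/default/locale

# locale-gen en_US.UTF-8
Generating locales (this might take a while)...
  zh_TW.UTF-8... done
Generation complete.

However, running locale prints warning messages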
# locale
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
LANG=en_US.UTF-8
LANGUAGE=
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

Solution:
# dpkg-reconfigure locales

Now everything is normal!
# locale
LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

Integrating Microsoft .NET Framework 4.7 into Windows 7 SP1

Some commonly used software is integrated
Adobe Acrobat Reader DC

Microsoft Visual C++ 2005/2008/2010/2012/2013/2015 Redistributable

Microsoft .NET Framework 4.7

Installed software and updates

Updates remaining after integration

Add the following to SetupComplete.cmd
start "" /wait "NDP47\NDP47-KB3186497-x86-x64-AllOS-ENU.exe" /passive /norestart
start "" /wait "NDP47\NDP47-KB3186497-x86-x64-AllOS-CHT.exe" /q /norestart

Integration process