Wednesday, December 29, 2010

OpenFire 3.6.4, Centos Linux Server 5.5



GOAL:
Install the Openfire server on CentOS Linux and move the OpenFire user database from a Windows 2003 server to the Linux server




BENEFITS OF THE IMPLEMENTATION:

1. Simple migration procedure,
2. Fast and efficient backup and recovery procedure



NOTES
______________________________

1. CentOS Linux 5.5 and Windows Server 2003 were used,
2. OpenFire - current version.




PART I - INSTALLATION PROBLEM

_______________________________

1. Download the latest current version (Openfire 3.6.4) rpm package,

2. # rpm -ivh openfire-3.6.4-1.i386.rpm
3. Start the Openfire server: # /opt/openfire/bin/openfire.sh

4. Log in to the web interface: http://ime_servera:9090 (ime_servera is the server's host name)
5. Configure the default settings

    5.1. If the following problem appears, the configuration file located at /opt/openfire/conf/openfire.xml is not configured correctly.

    5.2. Edit the file /opt/openfire/conf/openfire.xml:
               # nano /opt/openfire/conf/openfire.xml

    5.3. If it is not there, the following content must be inserted near the end of the xml file so that it looks like this:



    5.4. Restart the openfire server - stop it, then start it again with the command: /opt/openfire/bin/openfire.sh

    5.5. Create a digital certificate for https access to the admin console:

    5.6. Restart the PSI http server:


6. As for migrating the database from the Windows server to Linux, simply copy the files from the embedded-db folder on Windows to Linux, and be sure to restart the server afterwards.


The command to start the psi server is: /opt/openfire/bin/openfire.sh


7. Configure automatic startup in Webmin. Go to:
        Webmin -> System -> Bootup and shutdown

    7.1. Create the Action Details tab as follows:

Name : OpenFire Server

Action Script :

#!/bin/sh
# chkconfig: 2345 99 00
# Webmin bootup action for Openfire: start the launcher at boot and keep a
# lock file under /var/lock/subsys so the init system treats it as running.

case "$1" in
'start')
    /opt/openfire/bin/openfire.sh
    touch /var/lock/subsys/OpenfireServer
    ;;
'stop')
    # only the lock file is removed here; the running Openfire process
    # is not stopped by this script
    rm -f /var/lock/subsys/OpenfireServer
    ;;
*)
    echo "Usage: $0 { start | stop }"
    ;;
esac
exit 0


Start at boot time?


Click the Save button.

                        

Friday, June 11, 2010

Migration of a Wildfire 2.6.2 Linux server to a Windows environment on an OpenFire server



GOAL: Migrate the Wildfire server from Linux to an OpenFire server on Windows 2003/Linux


BENEFITS OF THE IMPLEMENTATION:

1. Simple migration procedure,
2. Fast and efficient backup and recovery procedure


NOTES
______________________________

1. CentOS Linux and Windows Server 2003 were used,
2. Wildfire 2.6.2, and OpenFire - current version.




PART I - MIGRATION IN THE LINUX ENVIRONMENT

_______________________________

  1. Obtain the Wildfire 2.6.2 rpm (http://www.igniterealtime.org/builds/wildfire/wildfire_2_6_2.rpm),
  2. rpm -ivh wildfire_2_6_2.rpm,
  3. Open a browser and enter: http://localhost:9090,
  4. The wizard starts,
  5. Accept all the default options, and when choosing the database select the embedded database type,
  6. After the setup, locate the Wildfire installation, usually at /opt/wildfire,
  7. Then back up the contents of the /opt/wildfire/embedded-db folder,
  8. Copy the files from the Wildfire server backup into /opt/wildfire/embedded-db:

    • wildfire.log
    • wildfire.properties
    • wildfire.script

    Restart wildfire:

    • /opt/wildfire/bin/wildfire stop
    • /opt/wildfire/bin/wildfire start
  9. If wildfire cannot be started, check the permissions on the wildfire file:
    • [root@VirtualPROXY ~]# cd /opt/wildfire/bin/
    • [root@VirtualPROXY ~]# chmod 744 wildfire
    • ./wildfire start
  10. Configure automatic startup of the wildfire service on the server:
    • Start Webmin,
    • Select System -> Bootup and Shutdown
    • Then select the option (at the top): Create a new bootup and shutdown action
    • The settings section opens. Enter the following values:
    •     Name : Wildfire
    •     Description : can be skipped,
    •     Bootup commands : /opt/wildfire/bin/wildfire start
    •     Shutdown commands : can be skipped,
    •     Start at boot time? : Select Yes

PART II - MIGRATION TO THE WINDOWS ENVIRONMENT
_______________________________


  1. The goal of this part is to migrate the linux database of users and all other settings to a windows server that will run the OpenFire server with the user database from Wildfire,
  2. Install the current version of the OpenFire server on the Windows 2003 server,
  3. Open a browser and run the initial setup of the Openfire server,
  4. Choose the default setup, i.e. the embedded-db database,
  5. Then stop the Openfire server,
  6. The backup of the embedded-db database from the linux server, if we have already made the backup and saved all of it on the windows system, is in the folder: ~\wildfire\embedded-db\
  7. The list of files is the same as in point 8 of the first part of this article.
  8. Before copying the wildfire files into the windows directory of the Openfire server, back up the files from the windows server, which are usually in C:\Program Files\Openfire\embedded-db :
    • openfire.log
    • openfire.properties
    • openfire.script

    Now the original linux files from point 8 of the first part must be copied into the windows database location and renamed, so that every linux file whose name begins with wildfire.* is changed to openfire.*
    So:
    • wildfire.log                 ->  openfire.log
    • wildfire.properties    ->   openfire.properties
    • wildfire.script            ->   openfire.script

    Start the Openfire server on the Windows server and test it through the Psi client!
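The copy-and-rename step above, and the embedded-db copy in the December post (Windows to Linux), scripted as an added example that is not part of either post; it assumes only the three file names listed above, and the paths in the comments are constructed:

```shell
#!/bin/sh
# Added example (not from the original posts): copy an embedded-db directory
# from one install to another, taking a backup of the destination first.
# Handles both cases on this page: wildfire.* -> openfire.* (rename) and
# openfire.* -> openfire.* (same prefix). File names (<prefix>.log,
# .properties, .script) are those listed in the post; paths below are constructed.

# migrate_embedded_db SRC_DIR SRC_PREFIX DST_DIR DST_PREFIX
# Prints the path of the backup directory; returns 1 if a source file is
# missing or a copy fails. Stop the destination server before running this
# and restart it afterwards, as the post requires.
migrate_embedded_db() {
    src_dir=$1; src_prefix=$2; dst_dir=$3; dst_prefix=$4

    # 1. refuse to start unless the complete set of three files is present
    for ext in log properties script; do
        if [ ! -f "$src_dir/$src_prefix.$ext" ]; then
            echo "migrate_embedded_db: missing $src_dir/$src_prefix.$ext" >&2
            return 1
        fi
    done

    # 2. back up whatever the destination already holds (step 8 above)
    backup_dir="$dst_dir/embedded-db-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup_dir" || return 1
    for ext in log properties script; do
        if [ -f "$dst_dir/$dst_prefix.$ext" ]; then
            cp -p "$dst_dir/$dst_prefix.$ext" "$backup_dir/" || return 1
        fi
    done

    # 3. copy, renaming the prefix (wildfire.* becomes openfire.*); the
    #    HSQLDB .script file holds the whole user table, so keep it with
    #    the same ownership as the rest of the server install
    for ext in log properties script; do
        cp -p "$src_dir/$src_prefix.$ext" "$dst_dir/$dst_prefix.$ext" || return 1
    done

    echo "$backup_dir"
}

# Example call (constructed paths):
# migrate_embedded_db /mnt/backup/wildfire/embedded-db wildfire /opt/openfire/embedded-db openfire
```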


NOTES
______________________________

Tuesday, June 1, 2010

MANDRIVA LINUX – VNC SERVER

MANDRIVA LINUX 2010 – VNC SERVER


1. Install: x11vnc, vncserver
2. Edit the vncserver file: nano /etc/init.d/vncserver
3. Instead of the runuser -l command:

runuser -l ${USER} -c "cd ~${USER} && [ -r .vnc/passwd ] && vncserver :${DISP} ${VNCUSERARGS}"

   enter the su --login command:

su --login ${USER} -c "cd ~${USER} && [ -r .vnc/passwd ] && vncserver :${DISP} ${VNCUSERARGS}"

4. Edit the file: /etc/sysconfig/vncservers
   Copy the last two commented lines and set them so they look like this:

VNCSERVERS="1:dobri"
VNCSERVERARGS[1]="-geometry 1280x1024"

5. Set the password for the non-root user:

       [dobri@mandriva2 ~]$ vncpasswd
       Password:
       Verify:

6. As a regular user, run the following commands:

      echo "#! /bin/sh" > ~/.kde4/Autostart/x11vnc
      echo "x11vnc -rfbauth ~/.vnc/passwd -bg -forever" >> ~/.kde4/Autostart/x11vnc
      chmod 700 ~/.kde4/Autostart/x11vnc

7. Deactivate krfb: x11vnc -rfbauth ~/.vnc/passwd -bg -forever
8. Configure the firewall ports, 5900 through 5904, because in some cases the connection is made over the default port 5900 and in other cases over 5901
9. The connection from the client machine is made in the standard way:

or:
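Why step 8 sees connections on 5900 in some cases and 5901 in others: x11vnc shares the console display :0 on port 5900, while each VNCSERVERS entry from step 4 gets 5900 plus its display number. The added example below (not part of the original post) derives exactly those ports from the step 4 value and emits iptables rules that admit only the LAN instead of opening 5900-5904 to everyone; iptables as the firewall and the 192.168.1.0/24 range are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): derive the VNC ports the
# configuration in steps 4 and 6 actually uses, and generate firewall rules
# that admit only the LAN. Assumptions: VNCSERVERS uses the "display:user"
# form from step 4, x11vnc shares display :0 (port 5900), and iptables is
# the firewall; the LAN range passed in is a constructed placeholder.

# vnc_ports "1:dobri 2:marko": print 5900 (x11vnc) and 5900+display for each
# vncserver entry, one per line. Rejects entries whose display is not a number.
vnc_ports() {
    vncservers=$1
    echo 5900
    for entry in $vncservers; do
        disp=${entry%%:*}
        case $disp in
            ''|*[!0-9]*) echo "vnc_ports: bad display in '$entry'" >&2; return 1 ;;
        esac
        echo $((5900 + disp))
    done
}

# vnc_rules LAN_CIDR "VNCSERVERS value": print iptables commands that accept
# the needed ports from the LAN only and drop all other traffic to 5900-5904.
vnc_rules() {
    lan=$1; vncservers=$2
    ports=$(vnc_ports "$vncservers") || return 1
    for port in $ports; do
        echo "iptables -A INPUT -p tcp -s $lan --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 5900:5904 -j DROP"
}

# Demonstration with the value from step 4 (prints the rules, does not apply them):
vnc_rules 192.168.1.0/24 "1:dobri"
```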

Monday, May 31, 2010

MS WINDOWS - Redirecting printing in a large network environment


GOAL:
Redirecting printing to a free printer because of a failure of the existing printer.

ADDITIONAL CHALLENGE:

1. The failure of a network printer used by a large number of users,
2. The problem of configuring printing in dos programs (clipper/dbase applications),
3. The absence of an expert who can quickly solve the problem.

REQUIRED FUNCTIONALITY:

1. Solving the problem, if possible "with one click", by the user who is unable to print.
2. Working around the problem as quickly as possible to reduce the additional stress and pressure on ordinary users, who are usually already under a heavy workload,
3. After the broken printer is serviced, returning to the usual setup "with one click",
4. Automation through Active Directory.


TESTS:
Tests were carried out successfully with HP printers of the 4100,
4050, 1300, 5P/6P, 1150, 1100, 1300, 1010/1018/1020 series


BENEFITS OF THE IMPLEMENTATION:
1. Flexibility - the end user redirects printing to any printer from the group of defined printers,
2. Shifting the resolution of the problem to the end user's side, without additional intervention by IT experts.
3. Full automation using Active Directory


ADDITIONAL TOOLS USED:
1. The Defprint tool (http://www.aylott.com.au/software.htm)
2. Additional scripts.




PART I
_________________

  1. Install the defprint program on all computers that are critical in terms of printing: copy defprint.exe into the ~\System32 folder,
  2. Identify the printers that are shared on the network, through the share names.
  3. Identify the groups of users who use the existing printers.
  4. Identify any possible printing problem in "legacy" applications (dos/clipper-dbase)

    4.1. Resolve the potential LPT1/LPT2 problem: if the computer that prints from legacy applications is NOT the print server, and its LPT1 port is occupied, then the precondition is met for running the command: DEVCON DISABLE *PNP04*, under administrator credentials of course.
    4.2. If on this computer an ordinary computer user (domain user) is still unable to redirect printing with the command:
      NET USE LPT1/2
      then after the action from 4.1 the computer in question must be restarted.
    4.3. If on a computer that is not the print server we have pointed the LPT1 port to printing, then the EDIT program must be started from the shell (with admin access):

      4.3.1. Start EDIT,
      4.3.2. Go to Options, Settings,
      4.3.3. Select LPT1 or LPT2 depending on the setting in point 4.2.


PART II
____________


1. ORGANIZATION AND STRUCTURE OF THE PRINTERS AND THEIR SHARES
     1.1. The printers are defined by creating the batch file: Definicije.Print.Servera.bat
     1.2. Example:

@echo off
REM print server host names (dc, sb, m01, ...) and the share name on each;
REM the other scripts call this file to get these variables

set dc=KOMERC
set dcshare=HP4100

set dc2=TRINITY
set dc2share=HP4100T

set sb=SERVISBAR
set sbshare=HP6P

set m01=MAGACIN01
set m01share=HPLASERJ

set gar=GARANCIJE
set garshare=HP1150

set rd=REZDEL
set rdshare=HP1300Ljubo

set kd=KNJIGDELL
set kdshare=HP1150G

set bl=BLAGAJNA
set blshare=OLIVETTI

set rce2=RC2
set rce2share=HP5550


     1.3. The printer call is defined by creating the batch file: Print.Server.Pozivi.bat
     1.4. EXAMPLE:

REM #####################################################
REM #  If a computer whose printer breaks down, or which #
REM #  needs to attach to a spare print share, then that #
REM #  computer may reserve ONLY THE LPT2 PORT !!!       #
REM #  The exception is the BLAGAJNA (cash desk) PC.     #
REM #####################################################

REM #####################################################
REM #  Log every use of print redirection               #
REM #####################################################

@echo off

echo ______________________________________________________________ >> "G:\Logovi\preusmerenje.txt"
echo. >> "G:\Logovi\preusmerenje.txt"
echo Datum Preusmerenja: [%date%] >> "G:\Logovi\preusmerenje.txt"
echo Vreme Preusmerenja: [%time%] >> "G:\Logovi\preusmerenje.txt"
echo Racunar sa koga se Preusmerava: [%computername%] >> "G:\Logovi\preusmerenje.txt"
echo Osoba koja Preusmerava: [%username%] >> "G:\Logovi\preusmerenje.txt"
echo Stampac na koji se preusmerava stampa: [%printServer%] >> "G:\Logovi\preusmerenje.txt"
echo Print Share na koji se preusmerava : [%printServerShare%] >> "G:\Logovi\preusmerenje.txt"

echo Korisnik vraca na staro : [%PovratakNaStaro%] >> "G:\Logovi\preusmerenje.txt"


echo. >> "G:\Logovi\preusmerenje.txt"
echo ______________________________________________________________ >> "G:\Logovi\preusmerenje.txt"


REM BLAGAJNA: set the default printer, then fall through to the LPT1 mapping;
REM the target print server itself: only show the message;
REM the other print servers: map LPT2; every other computer: map LPT1
if %computername%==%bl% goto PrintServerBLAGAJNA_
if %computername%==%printServer% goto Poruka
if %computername%==%sb% goto PrintServeri_
if %computername%==%m01% goto PrintServeri_
if %computername%==%gar% goto PrintServeri_
if %computername%==%rd% goto PrintServeri_

goto Preskoci_

:PrintServerBLAGAJNA_
defprint /D %blshare%


:Preskoci_

net use LPT1 \\%printServer%\%printServerShare%
Call L:\PRINTBAR.lpt1.BAT
goto Poruka


:PrintServeri_
net use LPT2 \\%printServer%\%printServerShare%
Call L:\PRINTBAR.lpt2.BAT


set poruka1="U Plavim programima OBAVEZNO koristite podesavanje STAMPA-2"
net send %computername% %poruka1%

:Poruka

set poruka2="Stampanje preusmereno na stampac: "
net send %computername% %poruka2% %printServerShare%

:Kraj
Exit


     1.5. The call to a specific printer is defined by creating a batch file, e.g. prebaci.na.BLAGAJNU.bat
     1.6. EXAMPLE:

REM #####################################################
REM #  Print server definitions                         #
REM #####################################################

@echo off

set printServer=BLAGAJNA
set printServerShare=OLIVETTI


REM #############################################################
REM #  Definitions of the other print servers on the network    #
REM #############################################################

G:
call G:\SYS.SCRIPTS\startup.scripts\Sektori\Zajednicki\Stampaci\Skripts\Definicije.Print.Servera.bat



REM #####################################################
REM #  Start replacing the default printers             #
REM #####################################################

defprint /D %printServerShare%

net use lpt1 /delete
net use lpt2 /delete



REM #####################################################
REM #  Check which computer is calling the printer      #
REM #  change                                           #
REM #####################################################

call G:\SYS.SCRIPTS\startup.scripts\Sektori\Zajednicki\Stampaci\Skripts\Print.Server.Pozivi.bat
     1.7. The script for returning to the state from before the printer failure is defined as: Vrati.Na.Staro.bat
     1.8. EXAMPLE:

REM #############################################################
REM #  Return to the default printer from before the change    #
REM #  or the failure                                          #
REM #############################################################

@echo off

REM #############################################################
REM #  Enter the location with the script definitions          #
REM #############################################################

G:
cd "G:\SYS.SCRIPTS\startup.scripts\Sektori\Zajednicki\Stampaci"
set comp=%computername%
set PovratakNaStaro=true



REM #############################################################
REM #  Print server definitions and their shares               #
REM #############################################################

call G:\SYS.SCRIPTS\startup.scripts\Sektori\Zajednicki\Stampaci\Skripts\Definicije.Print.Servera.bat


REM #############################################################
REM #  All computers that use KOMERC as their print server     #
REM #  must be returned to the HP4100 share                    #
REM #############################################################

REM #############################################################
REM #  The print server itself does not occupy an LPT port     #
REM #############################################################

if %comp% == %dc% goto kraj

REM #############################################################
REM #  Print clients that use the print server KOMERC          #
REM #############################################################

if %comp% == PRIJEM1 goto dc_
if %comp% == PRIJEM2 goto dc_
if %comp% == PRIJEM3 goto dc_

if %comp% == JELENATASIC goto dc_

if %comp% == BLAGAJNA goto dc_
if %comp% == BLAGAJNA2 goto dc_

if %comp% == REZ1 goto dc_
if %comp% == MILJANPULT goto dc_



REM #############################################################
REM #  All computers that use SERVISBAR as their print server  #
REM #  must be returned to the HP6P share                      #
REM #############################################################

REM #############################################################
REM #  Print clients that use the print server SERVISBAR       #
REM #############################################################

if %comp% == %sb% goto sb_

if %comp% == ELSAUTOK goto sb_
if %comp% == MAJSTORI goto sb_



REM #############################################################
REM #  All computers that use MAGACIN01 as their print server  #
REM #  must be returned to the HPLASERJ share                  #
REM #############################################################

REM #############################################################
REM #  Print clients that use the print server MAGACIN01       #
REM #############################################################

if %comp% == %m01% goto m01_

if %comp% == MAGACIN02 goto m01_
if %comp% == MAGACIN03 goto m01_
if %comp% == MAGACIN04 goto m01_



REM #############################################################
REM #  All computers that use GARANCIJE as their print server  #
REM #  must be returned to the HP1150 share                    #
REM #############################################################

REM #############################################################
REM #  Print clients that use the print server GARANCIJE       #
REM #############################################################

if %comp% == %gar% goto gar_

if %comp% == PEVAC goto gar_
if %comp% == BARLIMAR goto gar_



REM #############################################################
REM #  All computers that use the printer in RACUNOVODSTVO     #
REM #  (accounting, KNJIGDELL) as their print server must be   #
REM #  returned to the HP1150G share                           #
REM #############################################################

REM #############################################################
REM #  Print clients that use the print server KNJIGDELL       #
REM #############################################################

if %comp% == %kd% goto kd_

if %comp% == FINANSIJE2 goto kd_
if %comp% == BUBA goto kd_
if %comp% == GOCAKNJIG goto kd_



REM #############################################################
REM #  All computers that use the BLAGAJNA (cash desk)         #
REM #  printer as their print server must be returned to the   #
REM #  OLIVETTI share                                          #
REM #############################################################

REM #############################################################
REM #  Print clients that use the print server BLAGAJNA        #
REM #############################################################

if %comp% == %bl% goto bl_

REM #############################################################
REM #  All computers that use REZDEL as their print server     #
REM #  must be returned to the HP1300ljubo share               #
REM #############################################################

REM #############################################################
REM #  Print clients that use the print server REZDEL          #
REM #############################################################

if %comp% == %rd% goto rd_


REM #############################################################
REM #  All computers that use RC2 as their print server        #
REM #  must be returned to the HP5550 share                    #
REM #############################################################

REM #############################################################
REM #  Print clients that use the print server RC2             #
REM #############################################################

if %comp% == %rce2% goto rce2_
if %comp% == RCDELL goto rce2_

goto kraj


REM #############################################################
REM #  Jump targets: each one runs the shortcut that switches  #
REM #  the computer back to its regular printer                #
REM #############################################################


:dc_

prebaci.na.PRIJEM.HP.4100.lnk

goto kraj


REM #############################################################


:sb_

prebaci.na.SERVISNI.Racunar.lnk

goto kraj


REM #############################################################


:m01_

prebaci.u.MAGACIN.lnk

goto kraj


REM #############################################################


:gar_

prebaci.u.GARANCIJE.lnk

goto kraj


REM #############################################################


:rd_
prebaci.kod.NJEGOVANOVICA.lnk

goto kraj


REM #############################################################


:kd_
prebaci.u.RACUNOVODSTVO.lnk

goto kraj


REM #############################################################

:rce2_
IT.Kolor.stampac.lnk

goto kraj


REM #############################################################


:bl_
BLAGAJNA.Matricni.lnk


REM #############################################################

:kraj


NOTES:


Sunday, May 30, 2010

CENTOS LINUX - WEBMIN INSTALLATION



1. nano /etc/yum.repos.d/webmin.repo
2. enter the repo:


[Webmin]

name=Webmin Distribution Neutral
baseurl=http://download.webmin.com/download/yum
enabled=1


3. yum install webmin


4. If it causes a problem because of gpg, enter:
yum install webmin --nogpgcheck
(this skips the package signature check altogether; importing the Webmin signing key into rpm keeps the check on)



CENTOS LINUX - SARG INSTALLATION


PART I

_________



http://www.rpmfind.net/linux/rpm2html/search.php?query=libpng.so.2
-> download the latest: libpng10-1.0.41-1.fc10.i386.rpm


http://www.wesmo.com/rpm2html/contributed/RPMS/gd-1.8.3-4.i386.html
-> download: gd-1.8.3-4.i386.rpm



rpm -ivh libpng10-1.0.41-1.fc10.i386.rpm
rpm -ivh gd-1.8.4-4.asp.i386.rpm

yum --enablerepo=dag -y install sarg

1. If the above does not help, go to Webmin -> Webmin Configuration -> Webmin Modules
2. In the section: www.webmin.com, click the link for webmin.com, and inside it enter sarg.
3. Install the sarg module.


PART II
_________



1. Enter webmin
2. Others -> Squid Report Generator
   -> Module Config
   2.1. Enter the SARG config location: /etc/sarg/sarg.conf
3. Refresh Modules



PART III
_________



1. Webmin -> Servers -> Apache Webserver
   Start Apache
2. Apache Webserver -> Existing virtual hosts
   -> Default Server -> Per-Directory Options
   -> Directory /var/www/sarg
   2.1. Access Control -> Restrict access:
        Set: Allow - All requests
        (the SARG reports list every user's browsing history, so in practice limit this to the admin network)
3. Save
4. Apply Changes



PART IV
_________


1. Webmin -> System -> Bootup and Shutdown
2. Click on httpd
3. Start at boot time? -> Yes
4. Save
Monday, May 24, 2010

CENTOS LINUX - Squid PROXY + ClamAV ANTIVIRUS - REAL-TIME PROTECTION



GOAL: First level of protection for users while browsing the Internet

TESTS:
CARRIED OUT SUCCESSFULLY IN A PRODUCTION ENVIRONMENT WITH 60 USERS ON THE FOLLOWING PLATFORMS:


1. Pentium 2 - 433MHz, 6GB HDD, 384MB RAM
2. Pentium 4 - 2.66GHz, 60GB HDD, 1GB RAM
3. VirtualBOX:
    Virtual host: Dell Poweredge 2900
    3.1. Virtual disk ~ 6GB
    3.2. Virtual processors ~ 1 to 4 CPUs
    3.3. Virtual memory ~ 512MB


BENEFITS OF THE IMPLEMENTATION:

1. Zero licence costs,
2. First level of protection while browsing,
3. The solution runs on all hardware platforms and even older machines can be used; joining them in a Heartbeat cluster adds reliability.
4. The ten-minute Clam Antivirus update provides solid protection.


INTRODUCTORY NOTES:

The existing configurations run on CentOS Linux 5.5 with the latest versions of Clam Antivirus, the SquidclamAV redirector and the Squid proxy, on VirtualBOX as described in point 3 of the section on the tests performed.

The configurations given below can be copied and pasted directly into the configuration files with minor changes (email addresses, whitelist sites, etc.)


PART I

______________________________

1. yum install curl-devel
2. yum install gcc

3. yum install nano
4. yum install squid


5. Install the DAG repository:
  wget http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

6. rpm --import RPM-GPG-KEY.dag.txt
7. rm -f RPM-GPG-KEY.dag.txt
8. nano /etc/yum.repos.d/dag.repo
9. enter:

  [dag]
  name=Dag RPM Repository for Red Hat Enterprise Linux
  baseurl=http://apt.sw.be/redhat/el5/en/$basearch/dag/
  gpgcheck=1
  enabled=0

10. yum --enablerepo=dag -y install clamd




PART II
______________________________

1. Install the current squidclamav from:
2. http://sourceforge.net/projects/squidclamav
3. Save it to the Desktop and unpack it:
4. chmod -R 777 squidclamav-5.3 (world-writable permissions are not needed for the build; the user running make only needs read access to the sources and write access to the directory)
5. cd Desktop/squidclamav-5.3
6. ./configure
7. make
8. make install
9. cp squidclamav.conf.dist /etc/squidclamav.conf

10. touch /var/log/squidclamav.log
11. chmod 644 /var/log/squidclamav.log
12. chown squid:squid /var/log/squidclamav.log

13. nano /etc/squidclamav.conf

        # squidclamav.conf.dist
        #
        # Lines have the form:
        #
        #     regex pattern
        #
        #     abort pattern
        #
        #    content pattern
        #
        #    abortcontent pattern
        #
        #    redirect cgi_redirect_url
        #
        #       logfile /path/to/log_file
        #
        #       proxy none
        #
        #       squid_ip 127.0.0.1
        #
        #       squid_port 3128
        #
        #       debug 0|1
        #
        #       timeout secondes
        #
        #       clamd_ip 127.0.0.1
        #
        #       clamd_port 3310
        #
        #       clamd_local /tmp/clamd
        #
        #    stat 0|1
        #
        #    maxredir 10
        #
        #    squidguard /usr/local/squidGuard/bin/squidGuard
        #
        #    whitelist this.trustdomain.com
        #    whitelist .*\.domain\.com
        #
        #    useragent String_to_modify_curl_user_agent
        #
        #    trust_cache 0|1
        #
        #    maxsize    2000000
        #
        # Note that the ordering of regex|abort|content|abortcontent|whitelist lines
        # in this file is critical. Some pattern can not be reached if a previous
        # pattern match.
        #
        #
        # Examples of valid lines:
        #


        #proxy http://127.0.0.1:8080/

        squid_ip 127.0.0.1
        squid_port 3128

        #logfile /var/log/squid/squidclamav.log

        logfile /var/log/squidclamav.log

        #maxsize 2000000


        redirect http://www.google.com/

        #squidguard /usr/bin/squidGuard


        debug 0
        force 1
        stat 0

        #stat 1
        #maxredir 10
        maxredir 10

        #clamd_local /tmp/clamd

        clamd_local /var/run/clamav/clamd.sock

        clamd_ip 127.0.0.1
        clamd_port 3310
        timeout 30

        #useragent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

        #trust_cache 0
        #trust_cache 1


        #abort ^.*\.js$
        #abort ^.*\.html$
        #abort ^.*\.jsp$
        #abort ^.*\.jsp\?.*$
        #abort ^.*servlet.*$
        #abort ^.*\.ico$

        #abortcontent ^.*application\/x-mms-framed.*$
        #abortcontent ^.*application\/x-javascript.*$
        #abortcontent ^video\/x-flv$
        #whitelist www.eicar.org

        whitelist .*\.auto-partner.net
        whitelist .*\.cpn.vwg
        whitelist .*\.autokomerc.rs
        whitelist .*\.nbs.rs

        # added by me
        #abort ^.*\.pdf$
        #abort ^.*\.css$
        #abort ^.*\.xml$
        #abort ^.*\.xsl$
        #abort ^.*\.swf$

        # Do not scan standard HTTP images
        abort ^.*\.(ico|gif|png|jpg|jpeg|bmp|tga|tif|tiff)$
        abortcontent ^image\/.*$

        # Do not scan streaming videos
        abortcontent ^video\/mp4$
        abortcontent ^video\/x-flv$

        # Do not scan sequence of framed Microsoft Media Server (MMS) data packets
        abortcontent ^.*application\/x-mms-framed.*$

        #content ^.zip$

        # Scan all files
        content ^.*\/.*$
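
The ordering warning in the file header is easiest to see by running the rules. The Python script below is an added example, not part of the original post and not squidclamav's own code: it models rule evaluation as first-match in file order (an assumption of this model), loads the active pattern directives from the file above, and shows that the commented-out `abort ^.*\.js$` rule is dead if it lands after the catch-all `content` line. The function names and the test URLs (intranet.nbs.rs, cdn.example.com) are made up for the example.

```python
import re

# Constructed rule list: the active (uncommented) pattern directives from the
# squidclamav.conf above, in file order. First match wins, so order matters.
PAGE_RULES = r"""
whitelist .*\.auto-partner.net
whitelist .*\.cpn.vwg
whitelist .*\.autokomerc.rs
whitelist .*\.nbs.rs
abort ^.*\.(ico|gif|png|jpg|jpeg|bmp|tga|tif|tiff)$
abortcontent ^image\/.*$
abortcontent ^video\/mp4$
abortcontent ^video\/x-flv$
abortcontent ^.*application\/x-mms-framed.*$
content ^.*\/.*$
"""

URL_RULES = ("whitelist", "abort")        # matched against the request URL
TYPE_RULES = ("abortcontent", "content")  # matched against the Content-Type

def parse_rules(text):
    """[(kind, compiled regex)] in file order; comments and other directives skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, pattern = line.partition(" ")
        if kind in URL_RULES + TYPE_RULES:
            rules.append((kind, re.compile(pattern.strip())))
    return rules

def decide(rules, url, content_type):
    """First-match model (this example's assumption, not squidclamav's own code):
    whitelist/abort/abortcontent hits pass the object through unscanned, a
    content hit sends it to clamd; with no hit at all the object is passed."""
    for kind, rx in rules:
        subject = url if kind in URL_RULES else content_type
        if rx.search(subject):
            return ("scan" if kind == "content" else "pass", kind)
    return ("pass", "no-match")

if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    print(decide(rules, "http://www.eicar.org/download/eicar.com.txt", "text/plain"))
    print(decide(rules, "http://intranet.nbs.rs/report.pdf", "application/pdf"))
    js = ("http://cdn.example.com/app.js", "application/x-javascript")
    # The commented-out "abort ^.*\.js$" from the file is dead if it is
    # appended after the catch-all content rule ...
    print(decide(parse_rules(PAGE_RULES + r"abort ^.*\.js$"), *js))
    # ... but takes effect when placed before it.
    print(decide(parse_rules(r"abort ^.*\.js$" + PAGE_RULES), *js))
```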

      14. nano /etc/clamd.conf

        ##
        ## Example config file for the Clam AV daemon
        ## Please read the clamd.conf(5) manual before editing this file.
        ##


        # Comment or remove the line below.
        #Example

        # Uncomment this option to enable logging.
        # LogFile must be writable for the user running daemon.
        # A full path is required.
        # Default: disabled
        LogFile /var/log/clamav/clamd.log

        # By default the log file is locked for writing - the lock protects against
        # running clamd multiple times (if want to run another clamd, please
        # copy the configuration file, change the LogFile variable, and run
        # the daemon with --config-file option).
        # This option disables log file locking.
        # Default: no
        #LogFileUnlock yes

        # Maximum size of the log file.
        # Value of 0 disables the limit.
        # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
        # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
        # in bytes just don't use modifiers.
        # Default: 1M
        LogFileMaxSize 0

        # Log time with each message.
        # Default: no
        LogTime yes

        # Also log clean files. Useful in debugging but drastically increases the
        # log size.
        # Default: no
        #LogClean yes

        # Use system logger (can work together with LogFile).
        # Default: no
        LogSyslog yes

        # Specify the type of syslog messages - please refer to 'man syslog'
        # for facility names.
        # Default: LOG_LOCAL6
        #LogFacility LOG_MAIL

        # Enable verbose logging.
        # Default: no
        #LogVerbose yes

        # This option allows you to save a process identifier of the listening
        # daemon (main thread).
        # Default: disabled
        PidFile /var/run/clamav/clamd.pid

        # Optional path to the global temporary directory.
        # Default: system specific (usually /tmp or /var/tmp).
        TemporaryDirectory /var/tmp

        # Path to the database directory.
        # Default: hardcoded (depends on installation options)
        DatabaseDirectory /var/clamav

        # The daemon can work in local mode, network mode or both.
        # For security reasons we recommend the local mode.

        # Path to a local socket file the daemon will listen on.
        # Default: disabled (must be specified by a user)
        LocalSocket /var/run/clamav/clamd.sock

        # Remove stale socket after unclean shutdown.
        # Default: yes
        FixStaleSocket yes

        # TCP port address.
        # Default: no
        TCPSocket 3310

        # TCP address.
        # By default we bind to INADDR_ANY, probably not wise.
        # Enable the following to provide some degree of protection
        # from the outside world.
        # Default: no
        TCPAddr 127.0.0.1

        # Maximum length the queue of pending connections may grow to.
        # Default: 15
        MaxConnectionQueueLength 30

        # Clamd uses an FTP-like protocol to receive data from remote clients.
        # If you are using clamav-milter to balance load between remote clamd daemons
        # on firewall servers you may need to tune the options below.

        # Close the connection when the data size limit is exceeded.
        # The value should match your MTA's limit for a maximum attachment size.
        # Default: 25M
        #StreamMaxLength 10M

        # Limit port range.
        # Default: 1024
        #StreamMinPort 30000
        # Default: 2048
        #StreamMaxPort 32000

        # Maximum number of threads running at the same time.
        # Default: 10

        # this was the active value before
        #MaxThreads 50
        MaxThreads 10

        # Waiting for data from a client socket will timeout after this time (seconds).
        # Value of 0 disables the timeout.
        # Default: 120
        ReadTimeout 300

        # This option specifies the time (in seconds) after which clamd should
        # timeout if a client doesn't provide any initial command after connecting.
        # Default: 5
        #CommandReadTimeout 5

        # This option specifies how long to wait (in milliseconds) if the send buffer is full.
        # Keep this value low to prevent clamd hanging
        #
        # Default: 500
        #SendBufTimeout 200

        # Maximum number of queued items (including those being processed by MaxThreads threads)
        # It is recommended to have this value at least twice MaxThreads if possible.
        # WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
        # the following condition should hold:
        # MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
        #
        # Default: 100
        #MaxQueue 200

        # Waiting for a new job will timeout after this time (seconds).
        # Default: 30
        #IdleTimeout 60

        # Don't scan files and directories matching regex
        # This directive can be used multiple times
        # Default: scan all
        #ExcludePath ^/proc/
        #ExcludePath ^/sys/

        # Maximum depth directories are scanned at.
        # Default: 15
        #MaxDirectoryRecursion 20

        # Follow directory symlinks.
        # Default: no
        #FollowDirectorySymlinks yes

        # Follow regular file symlinks.
        # Default: no
        #FollowFileSymlinks yes

        # Perform a database check.
        # Default: 600 (10 min)
        #SelfCheck 600

        # Execute a command when virus is found. In the command string %v will
        # be replaced with the virus name.
        # Default: no
        #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

        # I added this:

        VirusEvent /bin/mailx -s "Proxy - $HOSTNAME - ClamAV - VIRUS ALERT: %v" <> < /var/log/squidclamav.log

        # Run as another user (clamd must be started by root for this option to work)
        # Default: don't drop privileges
        User clamav

        # Initialize supplementary group access (clamd must be started by root).
        # Default: no
        AllowSupplementaryGroups yes

        # Stop daemon when libclamav reports out of memory condition.
        #ExitOnOOM yes

        # Don't fork into background.
        # Default: no
        #Foreground yes

        # Enable debug messages in libclamav.
        # Default: no
        #Debug yes

        # Do not remove temporary files (for debug purposes).
        # Default: no
        #LeaveTemporaryFiles yes

        # Detect Possibly Unwanted Applications.
        # Default: no
        #DetectPUA yes

        # Exclude a specific PUA category. This directive can be used multiple times.
        # See http://www.clamav.net/support/pua for the complete list of PUA
        # categories.
        # Default: Load all categories (if DetectPUA is activated)
        #ExcludePUA NetTool
        #ExcludePUA PWTool

        # Only include a specific PUA category. This directive can be used multiple
        # times.
        # Default: Load all categories (if DetectPUA is activated)
        #IncludePUA Spy
        #IncludePUA Scanner
        #IncludePUA RAT

        # In some cases (e.g. complex malware, exploits in graphic files, and others),
        # ClamAV uses special algorithms to provide accurate detection. This option
        # controls the algorithmic detection.
        # Default: yes
        #AlgorithmicDetection yes


        ##
        ## Executable files
        ##

        # PE stands for Portable Executable - it's an executable file format used
        # in all 32 and 64-bit versions of Windows operating systems. This option allows
        # ClamAV to perform a deeper analysis of executable files and it's also
        # required for decompression of popular executable packers such as UPX, FSG,
        # and Petite.
        # Default: yes
        ScanPE yes

        # Executable and Linking Format is a standard format for UN*X executables.
        # This option allows you to control the scanning of ELF files.
        # Default: yes
        ScanELF yes

        # With this option clamav will try to detect broken executables (both PE and
        # ELF) and mark them as Broken.Executable.
        # Default: no
        DetectBrokenExecutables yes


        ##
        ## Documents
        ##

        # This option enables scanning of OLE2 files, such as Microsoft Office
        # documents and .msi files.
        # Default: yes
        ScanOLE2 yes

        # This option enables scanning within PDF files.
        # Default: yes
        #ScanPDF yes


        ##
        ## Mail files
        ##

        # Enable internal e-mail scanner.
        # Default: yes
        ScanMail yes

        # If an email contains URLs ClamAV can download and scan them.
        # WARNING: This option may open your system to a DoS attack.
        #       Never use it on loaded servers.
        # Default: no
        #MailFollowURLs no

        # Scan RFC1341 messages split over many emails.
        # You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
        # WARNING: This option may open your system to a DoS attack.
        #       Never use it on loaded servers.
        # Default: no
        #ScanPartialMessages yes


        # With this option enabled ClamAV will try to detect phishing attempts by using
        # signatures.
        # Default: yes
        #PhishingSignatures yes

        # Scan URLs found in mails for phishing attempts using heuristics.
        # Default: yes
        #PhishingScanURLs yes

        # Always block SSL mismatches in URLs, even if the URL isn't in the database.
        # This can lead to false positives.
        #
        # Default: no
        #PhishingAlwaysBlockSSLMismatch no

        # Always block cloaked URLs, even if URL isn't in database.
        # This can lead to false positives.
        #
        # Default: no
        #PhishingAlwaysBlockCloak no

        # Allow heuristic match to take precedence.
        # When enabled, if a heuristic scan (such as phishingScan) detects
        # a possible virus/phish it will stop the scan immediately. Recommended, saves CPU
        # scan-time.
        # When disabled, a virus/phish detected by heuristic scans will be reported only at
        # the end of a scan. If an archive contains both a heuristically detected
        # virus/phish and real malware, the real malware will be reported.
        #
        # Keep this disabled if you intend to handle "*.Heuristics.*" viruses
        # differently from "real" malware.
        # If a non-heuristically-detected virus (signature-based) is found first,
        # the scan is interrupted immediately, regardless of this config option.
        #
        # Default: no
        #HeuristicScanPrecedence yes

        ##
        ## Data Loss Prevention (DLP)
        ##

        # Enable the DLP module
        # Default: No
        #StructuredDataDetection yes

        # This option sets the lowest number of Credit Card numbers found in a file
        # to generate a detection.
        # Default: 3
        #StructuredMinCreditCardCount 5

        # This option sets the lowest number of Social Security Numbers found
        # in a file to generate a detection.
        # Default: 3
        #StructuredMinSSNCount 5

        # With this option enabled the DLP module will search for valid
        # SSNs formatted as xxx-yy-zzzz
        # Default: yes
        #StructuredSSNFormatNormal yes

        # With this option enabled the DLP module will search for valid
        # SSNs formatted as xxxyyzzzz
        # Default: no
        #StructuredSSNFormatStripped yes


        ##
        ## HTML
        ##

        # Perform HTML normalisation and decryption of MS Script Encoder code.
        # Default: yes
        #ScanHTML yes


        ##
        ## Archives
        ##

        # ClamAV can scan within archives and compressed files.
        # Default: yes
        ScanArchive yes

        # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
        # Default: no
        ArchiveBlockEncrypted no


        ##
        ## Limits
        ##

        # The options below protect your system against Denial of Service attacks
        # using archive bombs.

        # This option sets the maximum amount of data to be scanned for each input file.
        # Archives and other containers are recursively extracted and scanned up to this
        # value.
        # Value of 0 disables the limit
        # Note: disabling this limit or setting it too high may result in severe damage
        # to the system.
        # Default: 100M
        #MaxScanSize 150M

        # Files larger than this limit won't be scanned. Affects the input file itself
        # as well as files contained inside it (when the input file is an archive, a
        # document or some other kind of container).
        # Value of 0 disables the limit.
        # Note: disabling this limit or setting it too high may result in severe damage
        # to the system.
        # Default: 25M
        #MaxFileSize 30M

        # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
        # file, all files within it will also be scanned. This option specifies how
        # deeply the process should be continued.
        # Note: disabling this limit or setting it too high may result in severe damage
        # to the system.
        # Value of 0 disables the limit.
        # Default: 16
        #MaxRecursion 10

        # Number of files to be scanned within an archive, a document, or any other
        # container file.
        # Value of 0 disables the limit.
        # Note: disabling this limit or setting it too high may result in severe damage
        # to the system.
        # Default: 10000
        #MaxFiles 15000


        ##
        ## Clamuko settings
        ## WARNING: This is experimental software. It is very likely it will hang
        ##        up your system!!!
        ##

        # Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
        # Default: no
        #ClamukoScanOnAccess yes

        # Set access mask for Clamuko.
        # Default: no
        #ClamukoScanOnOpen yes
        #ClamukoScanOnClose yes
        #ClamukoScanOnExec yes

        # Set the include paths (all files inside them will be scanned). You can have
        # multiple ClamukoIncludePath directives but each directory must be added
        # in a separate line.
        # Default: disabled
        #ClamukoIncludePath /home
        #ClamukoIncludePath /students

        # Set the exclude paths. All subdirectories are also excluded.
        # Default: disabled
        #ClamukoExcludePath /home/bofh

        # Don't scan files larger than ClamukoMaxFileSize
        # Value of 0 disables the limit.
        # Default: 5M
        #ClamukoMaxFileSize 10M

      15. Relevant parts for configuring ClamAV with Squid:

        nano /etc/squid/squid.conf


        #  TAG: location_rewrite_children
        #    The number of location rewriting processes to spawn. If you start
        #    too few Squid will have to wait for them to process a backlog of
        #    URLs, slowing it down. If you start too many they will use RAM
        #    and other system resources.

        :
        :


        ### I added this to start real-time scanning of HTTP traffic:

        url_rewrite_program /usr/local/bin/squidclamav
        url_rewrite_children 15


        :
        :


      16. It is very important to restart the Squid server every time after changes to the configuration of either Squid or ClamAV!!!
      17. Correct configuration can be verified by opening the Eicar test page: http://www.eicar.org/anti_virus_test_file.htm




      18. After opening the test virus page, the following output must appear:




      19. If e-mail notification is configured in clamd.conf, you will receive an e-mail notifying you that access to the page was blocked because the page is infected. The mail agent sends the entire squidclamav.log as an attachment, and the most recent events are at the end of squidclamav.log.

        Here are two examples:

        Mon May 31 09:39:18 2010 [10809] LOG Redirecting URL to: http://www.google.com/?url=http://www.eicar.org/download/eicar.com.txt&source=10.145.3.166/rcdell.akk_domain.com&user=-&virus=stream:+Eicar-Test-Signature+FOUND


        Sat May 29 07:57:31 2010 [18242] LOG Redirecting URL to: http://www.google.com/?url=http://penzosi.gradub.info/?attachment_id=831&source=10.145.3.153/magacin02.akk_domain.com&user=-&virus=stream:+JS.Crypt-1+FOUND
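
Reading those entries out of a mailed squidclamav.log by hand gets tedious after a few alerts. The Python parser below is an added example, not part of the original post or of squidclamav: it pulls the client IP and hostname, the blocked URL and the ClamAV signature out of each "Redirecting URL to:" line and counts detections per client. The sample input is the two lines quoted above plus one constructed non-redirect line; the line and query layout assumed by the regexes is inferred from those two lines only.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample: the two redirect entries quoted above plus one made-up
# non-redirect line (not a real squidclamav message), to show that only
# "Redirecting URL to:" events are picked up.
SAMPLE_LOG = """\
Mon May 31 09:39:18 2010 [10809] LOG Redirecting URL to: http://www.google.com/?url=http://www.eicar.org/download/eicar.com.txt&source=10.145.3.166/rcdell.akk_domain.com&user=-&virus=stream:+Eicar-Test-Signature+FOUND
Mon May 31 09:39:19 2010 [10809] LOG constructed filler line, not a redirect
Sat May 29 07:57:31 2010 [18242] LOG Redirecting URL to: http://www.google.com/?url=http://penzosi.gradub.info/?attachment_id=831&source=10.145.3.153/magacin02.akk_domain.com&user=-&virus=stream:+JS.Crypt-1+FOUND
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) "
                     r"\[(?P<pid>\d+)\] LOG Redirecting URL to: (?P<redirect>\S+)$")
# The blocked URL is appended to the redirect unencoded, so it may itself
# contain '?' and '&'; anchoring on the fixed key order (url, source, user,
# virus) keeps the split correct where a naive parse_qs would not.
QUERY_RE = re.compile(r"\?url=(?P<url>.*)&source=(?P<source>[^&]*)"
                      r"&user=(?P<user>[^&]*)&virus=(?P<virus>.*)$")

def parse_event(line):
    """Return a dict for one redirect line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    q = QUERY_RE.search(m.group("redirect")) if m else None
    if not q:
        return None
    client_ip, _, client_host = q.group("source").partition("/")
    # "stream:+Eicar-Test-Signature+FOUND" -> "Eicar-Test-Signature"
    signature = re.sub(r"^stream:\s*|\s*FOUND$", "", unquote_plus(q.group("virus")))
    return {"time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "pid": int(m.group("pid")), "url": q.group("url"),
            "client_ip": client_ip, "client_host": client_host,
            "user": q.group("user"), "signature": signature}

def parse_log(text):
    """All redirect events in a squidclamav.log body, in file order."""
    return [e for e in map(parse_event, text.splitlines()) if e]

def detections_per_client(events):
    """Blocked downloads per client IP: the first thing to check when triaging."""
    return Counter(e["client_ip"] for e in events)

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        print(e["time"], e["client_ip"], e["client_host"], e["signature"], e["url"])
    print(detections_per_client(found))
```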




        NOTES
        ______________________________

        The official ClamAV version that yum installs is 0.95, and with it freshclam cannot download new definitions until clamav is upgraded to 0.96, i.e. the latest current version.

        Since we installed clamd from the DAG repository, this problem is solved!