Topic: Logging Activity in "Allow Everything" setup

PureLoneWolf

Logging Activity in "Allow Everything" setup
« on: June 17, 2013, 11:45:57 am »
Hi all

I just downloaded and installed Zentyal Community Edition 64bit.  Core version is 3.0.21.

Everything is working great and allowing what I want (which is everything).  However, I need to be able to look through logs to find which user accessed a particular site, at a particular time.

We have 5 rooms, each of these rooms has a Wireless Router, which is wired through to the Zentyal box for its internet access.

Each user of the room signs an AUP, which gives them full responsibility for anything that they do online whilst they are using the room.  We change the wifi access keys each time a new user needs the room.  We do not want to restrict what the users are able to do, so there are no blocking rules in place.

Essentially, should we receive a "You have been very naughty with your internet" letter, we need to track down which room (router) caused it, which would allow us to pass on any legal costs.

How can I go about doing this?  Ideally, the user should just connect to their wifi router and be up and running, preferably without having further logins.  So I had initially thought about the Transparent Proxy, but obviously this only logs http traffic and the users could be running ftp/https etc etc.  I turned on firewall logging, but can't see where to enable anything other than drops.

Would anyone have any suggestions?

Many thanks

christian

Re: Logging Activity in "Allow Everything" setup
« Reply #1 on: June 17, 2013, 03:10:20 pm »
Would anyone have any suggestions?

non transparent (explicit) proxy ?  ;)

astana

Re: Logging Activity in "Allow Everything" setup
« Reply #2 on: June 17, 2013, 04:04:55 pm »
Without creating users you'll not get users listed on your proxy.
If your proxy is transparent then you can't log users.
You can log IP addresses and use something like SARG to generate reports, but the downside is they will be IP Addresses not users.
I'm not sure how captive portal works with transparent proxy as I've not implemented or played around with that.

The short answer is: if you need usernames then you'll need to add users to Zentyal. If you go down this route then you can't use a transparent proxy.

I'm guessing that the captive portal is just redirecting the ports once authorisation has been accorded and if it is then routed through a transparent proxy you will still have no user names.

TL;DR: Set up a non-transparent proxy and add them as users before they connect. Then use SARG to generate your reports.

PureLoneWolf

Re: Logging Activity in "Allow Everything" setup
« Reply #3 on: June 18, 2013, 10:20:57 am »
Thanks for the responses.

I am not looking for users, IP addresses are enough, as each room has a static IP.  We log who is in the room at what times, so as long as I can search for a destination (ftp/http/https etc) in the log, then that is perfectly acceptable.

I am looking at the explicit proxy at the moment.  I guess I need to disable the Any<>Any rules in the firewall for it to take over though..

Thanks

christian

Re: Logging Activity in "Allow Everything" setup
« Reply #4 on: June 18, 2013, 11:10:26 am »
indeed, if you stack proxy and any-to-any allowed, users will quickly move to "no proxy".

PureLoneWolf

Re: Logging Activity in "Allow Everything" setup
« Reply #5 on: June 18, 2013, 03:26:20 pm »
Ok

I have now moved to the Explicit Proxy option.

My setup is as follows

Wireless AP -> Switch -> Zentyal Box Internal (eth0) -> Zentyal Box External (eth1) -> DSL

I have a laptop connected through the Wireless AP.

With no proxy settings... the laptop gets nowhere, as expected.
With proxy settings input manually (Zentyal Server IP, Port 3128), the laptop can get to http sites.

Issue1:  The laptop can visit http sites without being prompted for a username/password
Issue2:  The laptop cannot visit https or FTP at all (error 111 tunnel connection failed).  The logs show that the connections are accepted though.

Shouldn't I be getting prompted for user logins and, without logging in, get no response from websites?
Presumably, if I were to manually add the proxy information into an application, such as Filezilla, I would be able to FTP?

Thanks again
« Last Edit: June 18, 2013, 03:33:05 pm by PureLoneWolf »

christian

Re: Logging Activity in "Allow Everything" setup
« Reply #6 on: June 18, 2013, 04:44:18 pm »
Aren't you mixing up the explicit proxy setup and the need for authentication?
You can't prompt for authentication without an explicit proxy, but if you want authentication, you have to configure the proxy this way (authenticate then filter).

What have you configured so far ?

PureLoneWolf

Re: Logging Activity in "Allow Everything" setup
« Reply #7 on: June 18, 2013, 05:02:04 pm »
So far, I have removed the Any Any rule from the firewall and unchecked the "Transparent Proxy" option.


I had thought that this would require users to authenticate to the proxy (nowhere else).  I don't see any options to "Authenticate then filter".


Essentially, I need all traffic to route through the proxy, so that it is logged.  I am not looking to impose any restrictions, simply the ability to log all activity.  It doesn't have to show users, the source IP will be enough. 


Once I have this, I will need to grab the logs on a regular basis and store them, in case they are required for legal reasons.
« Last Edit: June 18, 2013, 05:14:40 pm by PureLoneWolf »
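The requirement stated above (and in astana's answer: log per source IP, not per user) comes down to being able to search the proxy's access log for "which room reached this destination at this time". The script below is an added example, not code from the thread or from Zentyal. It parses Squid's native access.log format, which is what Zentyal's HTTP proxy writes, and answers that question over a constructed sample of log lines. The room-to-IP mapping, the sample lines and the `utc()` helper are all assumptions made for the example; CONNECT entries (HTTPS tunnels) log only `host:port`, so the destination host is extracted differently for them than for ordinary GET lines.

```python
"""Search a Squid native access.log for which room (source IP) reached a destination in a time window."""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not taken from the thread):
# epoch.ms  elapsed_ms  client_ip  action/status  bytes  method  url  user  hierarchy/peer  mime
SAMPLE_LOG = """\
1371553500.123    245 192.168.1.10 TCP_MISS/200 5432 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1371553620.500   1200 192.168.1.11 TCP_TUNNEL/200 8800 CONNECT secure.example.org:443 - DIRECT/203.0.113.5 -
1371553700.010    320 192.168.1.12 TCP_MISS/200 2100 GET ftp://ftp.example.net/pub/README - DIRECT/198.51.100.7 text/plain
1371557100.777   3000 192.168.1.11 TCP_TUNNEL/200 42000 CONNECT secure.example.org:443 - DIRECT/203.0.113.5 -
1371557200.000      0 192.168.1.10 TCP_DENIED/403 3200 CONNECT ftp.example.net:21 - HIER_NONE/- text/html
"""

# Assumed mapping of each room's static IP to a room name (constructed for the example).
ROOMS = {"192.168.1.10": "Room 1", "192.168.1.11": "Room 2", "192.168.1.12": "Room 3"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[^/\s]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)


def utc(year, month, day, hour=0, minute=0):
    """Helper for building timezone-aware UTC boundaries."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def dest_host(method, url):
    """CONNECT lines log 'host:port'; every other method logs a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Return one parsed record, or None for a line not in native format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    rec["status"] = int(rec["status"])
    rec["host"] = dest_host(rec["method"], rec["url"])
    rec["room"] = ROOMS.get(rec["client"], "unknown")
    return rec


def host_matches(host, wanted):
    """Exact host or a subdomain of it, so 'example.net' does not match 'notexample.net'."""
    wanted = wanted.lower()
    return host == wanted or host.endswith("." + wanted)


def who_accessed(log_text, wanted_host, start, end):
    """All requests to wanted_host (or a subdomain) with start <= time <= end, oldest first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and host_matches(rec["host"], wanted_host) and start <= rec["when"] <= end:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["when"])


def requests_per_room(log_text):
    """Request count per room, a quick sanity check that every room is actually being logged."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["room"]] = counts.get(rec["room"], 0) + 1
    return counts


if __name__ == "__main__":
    start, end = utc(2013, 6, 18, 11, 0), utc(2013, 6, 18, 13, 0)
    for r in who_accessed(SAMPLE_LOG, "example.net", start, end):
        print(r["when"].isoformat(), r["room"], r["client"], r["method"], r["url"], r["status"])
    print(requests_per_room(SAMPLE_LOG))
```

Two things worth noting when running this against a real file: the timestamps are epoch seconds, so the window you search must be built in the same timezone you record room occupancy in (the example uses UTC throughout), and a denied request (TCP_DENIED/403) is still a record of who tried to reach what, so the search does not filter on status.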

christian

Re: Logging Activity in "Allow Everything" setup
« Reply #8 on: June 18, 2013, 05:18:36 pm »
I don't have any 3.x interface available but can tell you how 2.2 works.
Even if the interface differs slightly in 3.x, the principle remains.

Once you have deactivated "transparent" proxy, you have to define policy. This is obvious and highly visible with 2.2:
- Always allow
- filter
- always deny
- authorize and allow
- authorize and filter
- authorize and deny

With 3.3, although logic should be the same, the way interface is organized differs.
If I remember well, you have to go to "access rules" and also define "filter profiles".

If your decision is to always allow all, there is neither filtering nor a prompt for authentication.

PureLoneWolf

Re: Logging Activity in "Allow Everything" setup
« Reply #9 on: June 18, 2013, 05:25:46 pm »
I don't have any 3.x interface available but can tell you how 2.2 works.
Even if the interface differs slightly in 3.x, the principle remains.

Once you have deactivated "transparent" proxy, you have to define policy. This is obvious and highly visible with 2.2:
- Always allow
- filter
- always deny
- authorize and allow
- authorize and filter
- authorize and deny

With 3.3, although logic should be the same, the way interface is organized differs.
If I remember well, you have to go to "access rules" and also define "filter profiles".

If your decision is to always allow all, there is neither filtering nor a prompt for authentication.


In Access Rules, I have the following:

    Time Period:  From/To/Days of the Week
    Source:  Any |  Network Object  |  Users Group
    Decision:  Allow All  |  Deny All  |  Apply Filter Profile


Nothing about Authentication.  When I create a test filter profile, there is nothing about authentication there either.


I am getting confused, to say the least.


Cheers

Dave

christian

Re: Logging Activity in "Allow Everything" setup
« Reply #10 on: June 18, 2013, 05:29:51 pm »
Let me start my 3.1 test bed and I'll have a look.
There is something about authentication in the very first interface, where you choose whether or not to enable Kerberos.
I hope Zentyal decision is not to support Kerberos "only"  :-X

PureLoneWolf

Re: Logging Activity in "Allow Everything" setup
« Reply #11 on: June 18, 2013, 05:33:20 pm »
Let me start my 3.1 test bed and I'll have a look.
There is something about authentication in the very first interface, where you choose whether or not to enable Kerberos.
I hope Zentyal decision is not to support Kerberos "only"  :-X


It does have a selectable option to "Enable Single Sign-On (Kerberos)".


Cheers

christian

Re: Logging Activity in "Allow Everything" setup
« Reply #12 on: June 18, 2013, 05:41:32 pm »
In "access rules", you define source as:
- any
- network object  ::)
- users groups

.... tada....  ;D
once you select source = users group, you can select either
- all users (authentication is required but no membership is checked)
- domain admins
- or one of the groups you previously created (in such case, prompt for authentication + group membership both apply)

Cool isn't it ?  8)

PureLoneWolf

Re: Logging Activity in "Allow Everything" setup
« Reply #13 on: June 18, 2013, 06:07:47 pm »
That's superb, thanks :)


That has cured the login problem... and the https problem (to default port 443)


FTP through a desktop application doesn't want to work though.  I have configured the proxy in the application, it says handshaking... then gives a server timeout.  No idea if that is a Zentyal timeout or a genuine server timeout.  Either way, if I visit the same ftp server in a browser, it works perfectly.




PureLoneWolf

Re: Logging Activity in "Allow Everything" setup
« Reply #14 on: June 18, 2013, 07:25:40 pm »
Additionally...I tried to follow http://doc.zentyal.org/en/develop.html#advanced-service-customisation to allow ports 20000 and 10000 (Virtualmin/Usermin), but it doesn't seem to work.


I created /etc/zentyal/stubs/squid, then copied /usr/share/zentyal/stubs/squid/squid.conf.mas into it.


Edited the file under /etc/zentyal/stubs/squid and added two new SSL_Ports lines (exactly the same as the existing two, but with the ports I want).  Saved the file, restarted http proxy module.


That didn't work, so I updated the http proxy configuration (changed cache size to 200, saved, then changed it back, saved) then restarted http proxy.  That didn't work either.


I then changed the file /usr/share/zentyal/stubs/squid/squid.conf.mas and then repeated the module update/restart module.


Still nothing working :(


Any ideas?  I haven't restarted the server yet, but I wouldn't have thought that would make any difference.


Cheers
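After editing the stub, the useful check is whether the squid.conf Zentyal actually rendered contains the new ports and whether Squid's port rules would now let a CONNECT to 10000 or 20000 through. The script below is an added example, not Zentyal's code and not the contents of squid.conf.mas (which is not on the page). It assumes the stock Squid rule shape, `acl SSL_ports port N` plus `http_access deny CONNECT !SSL_ports` and `http_access deny !Safe_ports`, and evaluates a CONNECT to a given port against those lines the way Squid does (first http_access line whose terms all match wins). The `BEFORE`/`AFTER` excerpts are constructed; run it instead on the rendered file to see which rule a tunnel to a given port would hit.

```python
"""Evaluate a Squid config's port-based http_access rules for a CONNECT to a given port."""

# Constructed squid.conf excerpt mirroring stock Squid SSL_ports/Safe_ports defaults
# (assumption: Zentyal's rendered file is not on the page; adjust to your own).
BEFORE = """\
acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""

# The same excerpt with the two extra SSL_ports lines described in the post (10000 and 20000).
AFTER = BEFORE.replace(
    "acl SSL_ports port 8443\n",
    "acl SSL_ports port 8443\nacl SSL_ports port 10000\nacl SSL_ports port 20000\n",
)


def port_acls(conf):
    """name -> list of (low, high) ranges collected from every 'acl NAME port ...' line."""
    acls = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "port":
            for spec in parts[3:]:
                lo, _, hi = spec.partition("-")  # single port or 'low-high' range
                acls.setdefault(parts[1], []).append((int(lo), int(hi or lo)))
    return acls


def term_matches(term, acls, port):
    """One http_access term for a CONNECT to `port`; None if the ACL type is not modelled.
    'CONNECT' is taken to be the usual 'acl CONNECT method CONNECT' (assumption)."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    if name == "CONNECT":
        hit = True  # we are evaluating a CONNECT request
    elif name in acls:
        hit = any(lo <= port <= hi for lo, hi in acls[name])
    else:
        return None
    return hit != negate


def connect_verdict(conf, port):
    """(allowed, rule) from the first http_access line whose terms all match, Squid-style.
    Lines using ACLs other than port/CONNECT are skipped, so only the port rules are judged;
    (True, None) means no port-based rule matched."""
    acls = port_acls(conf)
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        results = [term_matches(t, acls, port) for t in parts[2:]]
        if any(r is None for r in results):
            continue
        if all(results):
            return (parts[1] == "allow", line.strip())
    return (True, None)


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for port in (443, 10000, 20000, 21):
            allowed, rule = connect_verdict(conf, port)
            print(f"{label}: CONNECT to {port} -> {'allowed' if allowed else 'denied by ' + rule}")
```

Pointing `connect_verdict` at the rendered squid.conf (rather than the stub) separates the two failure modes in the post: if the file still lacks the ports, the stub was not picked up; if it has them and a tunnel still fails, the cause is somewhere other than the SSL_ports rule. The same check also shows what any port outside SSL_ports, 21 included, gets under these defaults.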