1
Other modules / Re: no forward-proxy ports error after updating squid
« on: July 09, 2022, 11:29:49 am »
After testing the solution given by the Zentyal team, nothing helps: the blacklist takes a long time to be validated, then an error message appears saying that the proxy cannot find a redirection port.
On the other hand, if the blacklist is removed, the services are available again, so I tested manually adding domains to be prohibited, and the proxy works normally.
Does the problem come from the recent update of squid? The squid stubs to review? A compatibility issue with the blacklist? I leave it to the Zentyal team to look into it.
I thank the team for their support and hope that they will find a solution to this unfortunate incident.
2
Directory and Authentication / Re: Working with LDAPS?
« on: June 27, 2022, 01:34:12 pm »
*edit*
CA and LDAPS certificates can be found here:
/var/lib/samba/private/tls
CA certificate can be found here:
Code: [Select]
/var/lib/zentyal/CA/private
For a trusted certificate you can follow the explanation at the Let's Encrypt link:
Let's encrypt
3
Other modules / Re: no forward-proxy ports error after updating squid
« on: June 26, 2022, 08:47:44 pm »
I found a lead while researching the documentation about the above error.
It is recommended to add the keyword "intercept" to the http_port line in the squid configuration file under "/usr/share/zentyal/stubs/squid/squid.conf.mas".
Before changing it, I stopped the service, changed the conf file and restarted the service; same issue.
4
Other modules / no forward-proxy ports error after updating squid
« on: June 24, 2022, 09:11:49 pm »
After a squid update the service no longer works.
When I clear the proxy configuration and restart, the service works again.
I consulted the squid log, which reports an "ERROR: no forward-proxy ports configured."
I tried to downgrade squid to version 4.10-1ubuntu1, but the error persists.
I need a working proxy to validate my training project.
What I find strange is that 2 virtual machines out of 3 are not impacted by this incident, and on the final server it is apparent even after redoing a clean installation.
I guess it's a package versioning issue?
zentyal.log
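A quick diagnostic for the error quoted in this post, added here as an example (it is not from the thread and not Zentyal's or Squid's own code). Squid logs "ERROR: no forward-proxy ports configured." when none of its http_port lines is a plain forward-proxy port. The check below reads a squid.conf and lists the http_port lines that carry no intercept, tproxy, transparent (old alias) or accel flag; treating accel (reverse-proxy) ports as non-forward is this example's reading of Squid's check, and the two sample configurations are constructed. On a Zentyal box the file to point it at is the one generated from the stub mentioned in the thread, assumed here to be /etc/squid/squid.conf.

```shell
#!/bin/sh
# Added example, not from the thread and not Zentyal's or Squid's code: a
# read-only check of a squid.conf for the condition behind
# "ERROR: no forward-proxy ports configured."
# Assumption: an http_port counts as a forward-proxy port only when it has
# none of the flags intercept, tproxy, transparent or accel.
# Needs only POSIX sh and awk.

# squid_forward_ports FILE: print every http_port line that is a plain
# forward-proxy port; exit status 1 when there is none.
squid_forward_ports() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip comments
        $1 == "http_port" {
            plain = 1
            for (i = 3; i <= NF; i++)                 # $2 is the port/address
                if ($i ~ /^(intercept|tproxy|transparent|accel)$/) plain = 0
            if (plain) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# write_sample FILE KIND: constructed configs used only to exercise the check.
#   intercept-only  -> every live port is intercepted (the error condition)
#   mixed           -> one plain port plus one intercept port
write_sample() {
    case $2 in
        intercept-only)
            printf '# http_port 3128 (commented out, so it does not count)\nhttp_port 3128 intercept\nhttp_port 3129 tproxy\n' > "$1" ;;
        mixed)
            printf 'http_port 3128\nhttp_port 3129 intercept\n' > "$1" ;;
        *)  echo "unknown sample kind: $2" >&2; return 2 ;;
    esac
}

# Demo on the constructed samples; on the server you would run
#   squid_forward_ports /etc/squid/squid.conf
tmp=$(mktemp -d)
for kind in intercept-only mixed; do
    write_sample "$tmp/$kind.conf" "$kind"
    if squid_forward_ports "$tmp/$kind.conf"; then
        echo "$kind: at least one forward-proxy port, OK"
    else
        echo "$kind: no forward-proxy port, Squid will log the error"
    fi
done
rm -rf "$tmp"
```

If the generated file has only intercept ports, the fix is on the Zentyal side (the stub or the proxy settings that produce it), not in squid.conf itself, since Zentyal rewrites that file from the stub.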
5
Contributions / Tips&Tricks / Features Requests / Re: Zentyal HTTPS repository
« on: June 22, 2022, 11:44:38 am »
Quote from Daniel Joven:
Hi,
We have issued a new certificate. Now you can use HTTPS in your repository configuration.
Thank you for your feedback.
Best regards, Daniel Joven.
Thank you for the reply, the https repo works.
6
Contributions / Tips&Tricks / Features Requests / XII. Xrdp REMOTE DESKTOP. (Part 12/12)
« on: June 03, 2022, 07:09:39 pm »
XII. Xrdp REMOTE DESKTOP.
We are going to install Xrdp, a remote desktop (RDP) server, so that the administrator workstation can take remote control of Zentyal for maintenance in a graphical user interface.
In a terminal window enter the following command line to install Xrdp:
Code: [Select]
sudo apt install xorgxrdp xrdp -y
Add the xrdp user (created by the package) to the ssl-cert group so that it can read the TLS key:
Code: [Select]
sudo adduser xrdp ssl-cert
Once installed, enable the service at every boot:
Code: [Select]
sudo systemctl enable xrdp
To check that the service is running:
Code: [Select]
sudo systemctl status xrdp
It may happen that the service refuses to start; in that case reboot the server and everything will be back to normal after the restart.
Once the service is active, let's go to the administration console to configure the service and the firewall.
Go to the Network tab, then Services:
Then add a new service and name it:
Then configure the newly created service:
Fill in the fields:
Once the new service is configured, don't forget to save the changes:
Then we go to the firewall to add a new rule.
Go to the Firewall tab, select Packet Filter and the rules from the internal networks to Zentyal:
Add and configure a new rule:
In my example, as a security measure, I only allow RDP access from the administrator workstation, matched by its MAC address. Keep in mind that a MAC match only works for hosts on the same layer-2 segment: traffic that arrives through a router carries the router's MAC address, so such a rule is no substitute for a source IP restriction and strong credentials on the RDP login.
The new filter rule is added:
Don't forget to save the changes.
To take effect, we have to restart the firewall service:
Code: [Select]
sudo zs firewall restart
After restarting the firewall service, go to the administrator workstation to initiate a remote desktop session.
In the Windows search bar enter "remote desktop" and select Remote Desktop Connection:
A window then opens; fill in the IP address of Zentyal:
In the second window, enter your Zentyal user and password:
And here we are on the Zentyal desktop via a remote desktop session:
Xrdp Source
7
Contributions / Tips&Tricks / Features Requests / Re: Zentyal HTTPS repository
« on: June 01, 2022, 08:28:24 am »
Quote:
Can't check this here (don't ask) but I guess for the website it is a Let's Encrypt cert with auto renew with certbot.
I'm more interested in the securing of your Zentyal configuration. Would you care to create a separate post and explain what you tried to improve and how?
Hi, you can find at this link my Securing Zentyal Project.
It's a good start and of course it is possible to add more layers of security, if required.
Wish you a good read.
8
Contributions / Tips&Tricks / Features Requests / XI. SECURING ZENTYAL. (Part 11/12)
« on: May 31, 2022, 05:41:17 pm »
XI. SECURING ZENTYAL
1. SECURE REPOSITORY.
Linux distributions usually come with repositories configured over plain http, so we will switch them to https wherever possible; some Zentyal repositories are not available over https.
To do this open a terminal window and enter the following command to add https transport support to apt (on current Ubuntu releases apt already supports https natively and this package is a transitional one, so the step is harmless):
Code: [Select]
sudo apt install apt-transport-https -y
From now on we can change http repositories to https.
In a terminal window:
Code: [Select]
sudo nano /etc/apt/sources.list
To change the sources, just add an "s" after http; in my example below I also unchecked the deb-src lines (see the archive types).
Save your changes with Ctrl+X, then Y, and finally hit Enter.
In addition, we can also replace the security http repositories with a mirror supporting https, chosen according to your geographical location to limit latency (see the archive mirrors).
In my example I chose the plusserver mirror:
Once the repositories have been changed, simply reload the sources with the following command:
Code: [Select]
sudo apt update
Edit: since 20 June the Zentyal HTTPS repository is available.
2. CERTIFICATE AUTHORITY.
We will add an x509 certificate issued by Zentyal's own certification authority, to serve the administration console over https.
Go to Certification Authority in the administration console:
Then create a new certificate:
Once created we can see it in the list of current certificates:
Now you have to apply the certificate to the web server: go to "Services Certificates" and tick the services you wish to certify:
To take effect, save your changes and then close the administration console. Upon reopening, and after accepting the risk (the certificate is issued by your own CA, which the browser does not trust yet), you will see https appear in the navigation bar.
3. LDAPS CONFIGURATION.
By default the directory listens on port 389, plain LDAP, which is not secure; we will serve it over LDAPS on port 636, restricted to TLS 1.2 and later (the tls priority line below disables TLS 1.0 and 1.1).
For this we need to extend the samba configuration stub found at "/usr/share/zentyal/stubs/samba/smb.conf.mas" with the TLS settings, pointing at the key and certificate under /var/lib/samba/private/tls. Zentyal regenerates smb.conf from this stub, so the change goes in the stub and not in smb.conf itself; keep a copy of the edit, since an update of the zentyal-samba package can replace files under /usr/share.
In a terminal window:
Code: [Select]
sudo nano /usr/share/zentyal/stubs/samba/smb.conf.mas
In the [global] section add these lines:
Code: [Select]
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
We will restrict the access rights to the private key; go to the certificates folder:
Code: [Select]
cd /var/lib/samba/private/tls
Code: [Select]
sudo chmod 600 key.pem
Finally we will restart the samba services:
Code: [Select]
sudo zs samba restart
4. FAIL2BAN CONFIGURATION.
A short presentation of fail2ban: it is an intrusion prevention system that bans source IP addresses which attempt, without your knowledge, to connect to certain services, such as ssh.
We are going to install fail2ban, in a terminal window:
Code: [Select]
sudo apt install fail2ban -y
Enable the service at every boot:
Code: [Select]
sudo systemctl enable fail2ban
Check the service status:
Code: [Select]
sudo systemctl status fail2ban
Let's move on to configuring the jails:
Code: [Select]
sudo nano /etc/fail2ban/jail.d/defaults-debian.conf
Add the jails to monitor as well as the ban time:
Code: [Select]
[sshd]
enabled = true
port = 22
[DEFAULT]
bantime = 86400
maxretry = 2
ignoreip = 127.0.0.1/8 server-ip admin-client-ip
[nginx-http-auth]
enabled = true
port = http,https
In the example the sshd and nginx-http-auth jails have been chosen, with a ban time of 24 hours expressed in seconds, and a maximum of 2 attempts.
Do not forget to add the IP addresses of your server and of the administrator workstation to the "ignoreip" list, at the risk of being blocked by fail2ban yourself.
Restart the service for the changes to take effect:
Code: [Select]
sudo systemctl restart fail2ban
Check the logs:
Code: [Select]
tail -f /var/log/fail2ban.log
5. PORTSENTRY CONFIGURATION.
portsentry is a port-scan detection and blocking program, ideal for hiding services that use specific ports.
Installing portsentry:
Code: [Select]
sudo apt install portsentry -y
Enable the service at every boot:
Code: [Select]
sudo systemctl enable portsentry
Check the service status:
Code: [Select]
sudo systemctl status portsentry
Configure the file with the IP addresses to ignore, those of the server and of the administrator workstation:
Code: [Select]
sudo nano /etc/portsentry/portsentry.ignore.static
By default portsentry does not block any IP; we will open its configuration file and modify it so that blocking is effective:
Code: [Select]
sudo nano /etc/portsentry/portsentry.conf
In the Ignore Options section, set BLOCK_UDP and BLOCK_TCP to "1" to enable blocking:
In the "Dropping Routes" section, check that the following line is uncommented:
Same for the "TCP Wrappers" section:
In the "External Command" section, add this long line and uncomment KILL_RUN_CMD_FIRST with a value of "1":
Code: [Select]
KILL_RUN_CMD="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level debug --log-prefix 'Portsentry: dropping: '"
In the "Scan trigger" section, change the value "0" to "1":
For automatic detection of the ports in use, simply open the file /etc/default/portsentry:
Code: [Select]
sudo nano /etc/default/portsentry
Switch to "atcp" and "audp" mode, then restart the service:
Code: [Select]
sudo systemctl restart portsentry
6. SSH CONFIGURATION.
To connect remotely to our server and maintain it, we need the ssh service, and of course to secure it to limit access.
First of all we will open port 22 on Zentyal, which is closed by default, so that ssh can be reached from the administrator workstation; open a terminal and enter the following command:
Code: [Select]
sudo nano /etc/ssh/sshd_config
Once in the configuration file, uncomment the "Port 22" line and restart the service:
Code: [Select]
sudo systemctl restart sshd
Let's go to the administrator workstation, where we will generate a new ssh key pair; for this open a command window and enter the following line:
Code: [Select]
ssh-keygen -t rsa -b 4096
This command creates an RSA key pair with a length of 4096 bits (an Ed25519 key is an equally good choice on current OpenSSH versions).
The next prompt asks where to store the key pair; keep the default location:
Enter a robust passphrase that respects the security policy, with the help of the KeePassXC password manager:
Once the key pair is generated, we can connect via ssh to the Zentyal server, using the main administration console user as login:
Code: [Select]
ssh user_console_adm@adresse_ip_zentyal
For this first connection, the administration console user's password will be needed:
And here we are on the server via remote access:
We will create a hidden folder in which we store the public key of the administrator computer, in an authorized keys file, in order to limit ssh access:
Code: [Select]
mkdir .ssh
Code: [Select]
cd .ssh
Code: [Select]
sudo nano authorized_keys
Paste the public key, retrieved via Notepad from the path "C:\Users\user_adm\.ssh\id_rsa.pub":
Once the key is registered, we will configure the ssh service to secure key-based access; open the ssh configuration file:
Code: [Select]
sudo nano /etc/ssh/sshd_config
Uncomment the HostKey lines:
Then uncomment "PermitRootLogin" and set it to "no", set "PubkeyAuthentication yes", and finally uncomment "AuthorizedKeysFile":
Uncomment "UseDNS" and change the value to "no":
At the "Subsystem" section, comment out the existing line, then add the line below to force the use of the internal SFTP server:
Code: [Select]
Subsystem sftp internal-sftp
And finally, let's limit access to the administration console user only, by adding at the bottom:
Code: [Select]
Allowusers user_console_adm
For the changes to take effect, simply restart the ssh service with the following command:
Code: [Select]
sudo systemctl restart sshd
Once the service has restarted, we can connect to the server via ssh by entering the user and the associated passphrase in the console:
And here we are on the Zentyal server:
From now on only the administration console user can log in over ssh, so we have limited remote access to the server.
HTTPS Repository Source
LDAPS Source
Certification Authority Source
Fail2ban Source
portsentry Source
SSH Source
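To check what the ssh hardening of section 6 actually enforces, here is an added example (written for this page; it is not part of the tutorial or of Zentyal) that resolves sshd_config the way sshd reads it. Two details matter: sshd keeps the first value it sees for a directive, and Ubuntu 20.04, on which Zentyal 7 is based, ships "Include /etc/ssh/sshd_config.d/*.conf" near the top of sshd_config, so an included file can quietly override a line appended at the bottom. The audit also flags PasswordAuthentication, which the tutorial leaves at its default of yes, meaning the key is optional rather than required. The configuration it audits, the include file and all paths are constructed for the demo; it assumes absolute paths in Include lines and needs only sh and awk.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of Zentyal: resolve the effective
# value of sshd_config directives the way sshd does (first value wins, Include
# files read in place, Match blocks apply per client) and audit the result.
# Assumptions: POSIX sh + awk, absolute paths in Include directives.

# sshd_flatten FILE: print FILE with every Include replaced by the files it
# names (globs allowed), in the order sshd reads them.
sshd_flatten() {
    local line f
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$(printf '%s\n' "$line" | awk '{print tolower($1)}')" = "include" ]; then
            for f in $(printf '%s\n' "$line" | awk '{$1=""; print}'); do   # unquoted: expand the glob
                [ -f "$f" ] && sshd_flatten "$f"
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$1"
}

# sshd_effective FILE DIRECTIVE: print the first value set in the global
# section (keywords are case-insensitive; "Key value" and "Key=value" forms).
sshd_effective() {
    local want
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    sshd_flatten "$1" | awk -v want="$want" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        { k = $1; sub(/=.*/, "", k); k = tolower(k) }
        k == "match" { inmatch = 1 }                    # conditional block...
        inmatch { next }                                # ...lasts to end of file
        k == want {
            v = $0
            sub(/^[[:space:]]*[^[:space:]=]+[[:space:]=]+/, "", v)
            sub(/[[:space:]]+$/, "", v)
            print v; exit                               # first value wins
        }'
}

# sshd_audit FILE: one line per finding; returns the number of findings.
# Each spec is directive|sshd default|expected; expectations follow section 6,
# plus PasswordAuthentication=no so the key becomes mandatory.
sshd_audit() {
    local file=$1 n=0 spec d rest dflt want v
    for spec in \
        "PermitRootLogin|prohibit-password|no" \
        "PubkeyAuthentication|yes|yes" \
        "PasswordAuthentication|yes|no" \
        "UseDNS|no|no"
    do
        d=${spec%%|*}; rest=${spec#*|}; dflt=${rest%%|*}; want=${rest#*|}
        v=$(sshd_effective "$file" "$d")
        v=$(printf '%s' "${v:-$dflt}" | tr '[:upper:]' '[:lower:]')
        if [ "$v" != "$want" ]; then
            printf 'FINDING %s is %s, expected %s\n' "$d" "$v" "$want"
            n=$((n + 1))
        fi
    done
    if [ -z "$(sshd_effective "$file" AllowUsers)" ]; then
        echo 'FINDING AllowUsers not set: every account with a shell may log in'
        n=$((n + 1))
    fi
    if sshd_flatten "$file" | grep -qiE '^[[:space:]]*Match[[:space:]]'; then
        echo 'NOTE Match blocks present; they override the global values for matching clients'
    fi
    return "$n"
}

# make_sample DIR: constructed config reproducing the Ubuntu layout (Include
# first, the tutorial's hardening lines appended last). Prints the main path.
make_sample() {
    mkdir -p "$1/sshd_config.d"
    echo 'PasswordAuthentication yes' > "$1/sshd_config.d/50-cloud-init.conf"
    cat > "$1/sshd_config" <<EOF
Include $1/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
Subsystem sftp internal-sftp
# appended as in section 6 of the tutorial
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
UseDNS no
AllowUsers user_console_adm
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
    echo "$1/sshd_config"
}

# Demo: the appended "PasswordAuthentication no" loses to the included file.
tmp=$(mktemp -d)
cfg=$(make_sample "$tmp")
n=0
sshd_audit "$cfg" || n=$?
echo "findings: $n"
rm -rf "$tmp"
```

On the server itself, `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin|allowusers'` prints the values sshd has actually resolved, and `sudo sshd -t` checks the syntax before the restart; keep your current session open while testing a new one so that a mistake does not lock you out.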
9
Contributions / Tips&Tricks / Features Requests / X. ZENTYAL UPDATE. (Part 10/12)
« on: May 23, 2022, 11:56:12 am »
X. ZENTYAL UPDATE.
Take particular care when updating certain packages: above all do not overwrite the configuration files present, on pain of serious malfunctions (take a snapshot before each update).
Update command:
Code: [Select]
sudo apt update && sudo apt full-upgrade -y
Text output when a package's configuration file is updated:
Absolutely keep the currently installed version and confirm:
10
Contributions / Tips&Tricks / Features Requests / IX. SHARED FOLDER CONFIGURATION. (Part 9/12)
« on: May 23, 2022, 11:48:51 am »
11
Contributions / Tips&Tricks / Features Requests / VIII. RSAT CONFIGURATION. (Part 8/12)
« on: May 23, 2022, 11:35:53 am »
RSAT CONFIGURATION.
Download the Windows 10 Remote Server Administration Tools:
Go to Apps & Features:
Select Optional Features:
Filter with RSAT:
Select the 20 modules:
Then join the domain.
Then go to System and Security then Administrative Tools:
Make desktop shortcuts:
Go to Active Directory Users and Computers:
12
Contributions / Tips&Tricks / Features Requests / VII. WINDOWS 10 CLIENT CONFIGURATION. (Part 7/12)
« on: May 23, 2022, 11:20:46 am »
VII. WINDOWS 10 CLIENT CONFIGURATION.
Go to "Rename your PC" to change the NetBIOS name:
Once restarted, go to "Rename your PC (advanced)" to join a domain:
Authenticate with an account authorized to join a domain:
Successful authentication:
Log out and then log in with another user:
Successful domain login:
Then go to Proxy, activate the option, enter the server IP and the port, and save (to be adapted to your infrastructure):
To test the proxy, open a browser window and enter the address of a site in a blocked (NSFW) category:
13
Contributions / Tips&Tricks / Features Requests / VI. PROXY CONFIGURATION. (Part 6/12)
« on: May 23, 2022, 10:59:21 am »
VI. PROXY CONFIGURATION.
Go to the HTTP Proxy tab:
In general settings check transparent proxy:
Go to https://dsi.ut-capitole.fr/blacklists/download/ and download the blacklist needed for the proxy; in a terminal, copy the line below:
Code: [Select]
wget https://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz
Go to the Categorized Lists tab and add the blacklist archive:
In Filter Profiles create a new blacklist profile:
Go to the blacklist profile configuration and edit the filters:
Finally go to Access rules to apply the filters:
14
Contributions / Tips&Tricks / Features Requests / V. LDAP CONFIGURATION. (Part 5/12)
« on: May 20, 2022, 04:29:11 pm »
15
Contributions / Tips&Tricks / Features Requests / IV. CERTIFICATION AUTHORITY CONFIGURATION. (Part 4/12)
« on: May 20, 2022, 04:17:58 pm »