

Topics - vandykmarsu

1
Other modules / no forward-proxy ports error after updating squid
« on: June 24, 2022, 09:11:49 pm »
After a squid update the service no longer works.

When I clear the proxy configuration and restart, the service works again.

I consulted the log of squid which informs me of an "ERROR: no forward-proxy ports configured."

I tried to downgrade squid to version 4.10-1ubuntu1, but the error persists.

I need a working proxy to validate my training project.

What I find strange is that 2 virtual machines out of 3 are not impacted by this incident, and on the final server it is apparent even after redoing a clean installation.


I guess it's a package versioning issue?

zentyal.log

2
XII. Xrdp REMOTE DESKTOP.



We are going to install a remote desktop (RDP) client for remote control of Zentyal from the administrator workstation, as part of maintenance in a graphical user interface.

In a terminal window, enter the following command to install Xrdp:

Code: [Select]
sudo apt install xorgxrdp xrdp -y

Create the xrdp user and add it to the ssl-cert group:

Code: [Select]
sudo adduser xrdp ssl-cert

Once installed, enable the service on every boot:

Code: [Select]
sudo systemctl enable xrdp

To check if the service is running:

Code: [Select]
sudo systemctl status xrdp

It may happen that the service refuses to start; in this case reboot the server, and everything will be back to normal after the restart.

Once the service is active, let's go to the administration console to configure the service and the firewall.

Go to the network tab then services:




Then add a new service and name it:






Then configure the newly created service:




Fill in the fields:




Once the new service is configured, don't forget to save the changes:




Then we go to the firewall to add a new rule.

Go to the firewall tab, select filter and zentyal internal network:




Add and configure a new rule:




In my example, as a security measure, I only allow RDP access from the administrator workstation via its MAC address.

The new filter rule is added:




Don't forget to save the changes.

For the changes to take effect, we have to restart the firewall service:

Code: [Select]
sudo zs firewall restart

After restarting the firewall service, go to the administrator workstation to initiate a remote desktop session.

In the Windows search bar, enter "desktop" and select Remote Desktop Connection:




A window then opens; fill in the IP address of Zentyal:




In the second window, enter your Zentyal user and password:




And here we are on the Zentyal desktop via a remote desktop session:






Xrdp Source








3
XI. SECURING ZENTYAL



1. SECURE REPOSITORY.


Linux distributions usually come with insecure repositories over http, so we will switch them to https as much as possible, because some Zentyal repositories are not available over https.

To do this, open a terminal window and enter the following command to add transport support for https repositories:


Code: [Select]
sudo apt install apt-transport-https -y

From now on we can change http repositories to https.

In a terminal window:

Code: [Select]
sudo nano /etc/apt/sources.list

To change the sources, just add an "s" at the end of http; in my example below I uncommented the deb-src lines (see "type of archives").






Save your changes with "ctrl+x" then "y" and finally hit enter.

In addition, we can also replace the security http repositories with a mirror supporting https, chosen according to your geographical location to limit latency (see "archive mirrors").

In my example I chose the plusserver mirror:






Once the repositories have been changed, simply reload the sources with the following command:


Code: [Select]
sudo apt update



Edit:

Since 20 June, Zentyal HTTPS repositories have been available.



2. CERTIFICATE AUTHORITY.



We will add a self-signed X.509 certificate to access the administration console over https, which by default is over http.

Go to Certification Authority in the administration console:




Then create a new certificate:




Once created we can see it in the list of current certificates:




Now you have to apply the certificate to the web server: go to "Services certificates" and tick the services you wish to certify:





For the changes to take effect, save them and then close the administration console. Upon reopening, and after accepting the risk, you will see https appear in the address bar.





3. LDAPS CONFIGURATION.



By default the directory uses port 389, which is not secure; we will force the use of the secure port 636.

To support this, it is necessary to extend the Samba configuration template found in "/usr/share/zentyal/stubs/samba/smb.conf.mas" by adding the location of the certificate created previously.

In a terminal window:

Code: [Select]
sudo nano /usr/share/zentyal/stubs/samba/smb.conf.mas

In the [global] section, add these lines:

Code: [Select]
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1




We will restrict the access rights on the certificate's private key; go to the certificates folder:


Code: [Select]
cd /var/lib/samba/private/tls
Code: [Select]
sudo chmod 600 key.pem



Finally, we will restart the Samba service:

Code: [Select]
sudo zs samba restart


4. FAIL2BAN CONFIGURATION.



A short presentation of fail2ban: it is an intrusion prevention system that lets you ban source IP addresses that attempt to connect to certain services, such as ssh, without your knowledge.

We are going to install fail2ban, in a terminal window:

Code: [Select]
sudo apt install fail2ban -y

Enable the service on every boot:

Code: [Select]
sudo systemctl enable fail2ban

Check the service status:

Code: [Select]
sudo systemctl status fail2ban

Let's move on to configuring the plugins:

Code: [Select]
sudo nano /etc/fail2ban/jail.d/defaults-debian.conf

Add the plugins to monitor as well as the ban time:



Code: [Select]
[sshd]
enabled = true
port = 22
[DEFAULT]
bantime = 86400
maxretry = 2
ignoreip = 127.0.0.1/8 server-ip admin-client-ip
[nginx-http-auth]
enabled = true
port = http,https

In the example the ssh and nginx plugins have been chosen, with a ban time of 24 hours expressed in seconds, and a maximum of 2 attempts.

Do not forget to add the IP addresses of your server and of the administrator workstation to the "ignoreip" list, or you risk being blocked by fail2ban.


Restart the service for the changes to take effect:

Code: [Select]
sudo systemctl restart fail2ban

Check the logs:

Code: [Select]
tail -f /var/log/fail2ban.log


5. PORTSENTRY CONFIGURATION.



portsentry is a port-scan detection and blocking program, ideal for hiding services that use specific ports.

Installing portsentry:

Code: [Select]
sudo apt install portsentry -y

Enable the service on every boot:

Code: [Select]
sudo systemctl enable portsentry

Check the service status:

Code: [Select]
sudo systemctl status portsentry

Configure the file with the IP addresses to ignore, those of the server and of the administrator workstation:

Code: [Select]
sudo nano /etc/portsentry/portsentry.ignore.static



By default portsentry does not block any IP; we will go to its configuration file and modify it so that blocking is effective:


Code: [Select]
sudo nano /etc/portsentry/portsentry.conf

In "Ignore Options", set BLOCK_UDP and BLOCK_TCP to "1" to enable blocking:




In the "Dropping Routes" section, check that the following line is uncommented:




Same for the "TCP Wrappers" section:




In the "External Command" section, add this long line and uncomment KILL_RUN_CMD_FIRST with a value of "1":


Code: [Select]
KILL_RUN_CMD="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level debug --log-prefix 'Portsentry: dropping: '"




In the "Scan trigger" section, change the value from "0" to "1":




For automatic detection of the ports in use, simply go to the file /etc/default/portsentry:


Code: [Select]
sudo nano /etc/default/portsentry

Switch to "atcp" and "audp" mode, then restart the service:



Code: [Select]
sudo systemctl restart portsentry


6. SSH CONFIGURATION.



To connect remotely to our server and maintain it, we need the ssh service, and of course we need to secure it to limit access.

First of all we will open port 22 on Zentyal, which by default is closed, to be able to access ssh from the administrator workstation; open a terminal and enter the following command:


Code: [Select]
sudo nano /etc/ssh/sshd_config

Once in the configuration file, uncomment "Port 22" and restart the service:



Code: [Select]
sudo systemctl restart sshd

Let's go to the administrator workstation, on which we will generate a new pair of ssh keys; for this open a command window and enter the following line:


Code: [Select]
ssh-keygen -t rsa -b 4096

This command creates an RSA key pair with a length of 4096 bits.




The following prompt asks where to store the key pair; leave the default location:





Fill in a robust passphrase respecting the security policy, with the help of the KeePassXC password manager:





Once the key pair is generated, we can connect via ssh to the Zentyal server, using the main admin console user as the login:


Code: [Select]
ssh user_console_adm@adresse_ip_zentyal



For this first connection, the administration console user's password will be needed to connect remotely:





And here we are on the server via remote access:




We will create a hidden folder in which we will store the public key of the administrator computer in an authorized keys file, in order to limit ssh access:


Code: [Select]
mkdir .ssh
Code: [Select]
cd .ssh
Code: [Select]
sudo nano authorized_keys







Paste the public key, retrieved with Notepad from the path "C:\Users\user_adm\.ssh\id_rsa.pub":





Once the key is registered, we will configure the ssh service to secure key-based access; go to the ssh configuration file:

Code: [Select]
sudo nano /etc/ssh/sshd_config



Uncomment the HostKey lines:




Then uncomment "PermitRootLogin" and set it to "no", set "PubkeyAuthentication yes", and finally uncomment "AuthorizedKeysFile":





Uncomment "UseDNS" and change the value to "no":




Once at the "Subsystem" line, comment it out and add the line below to force the use of SFTP:


Code: [Select]
Subsystem      sftp      internal-sftp

And finally, let's limit access to the administration console user only, by adding at the bottom:


Code: [Select]
AllowUsers user_console_adm



For the changes to take effect, simply restart the ssh service with the following command:


Code: [Select]
sudo systemctl restart sshd



Once the service has restarted, we can connect to the server via ssh by entering the user and the associated passphrase in the console:





And here we are on the Zentyal server:




From now on only the administrator workstation can connect to the server, so we have limited remote access to the server.



HTTPS Repository Source

LDAPS Source

Certification Authority Source

Fail2ban Source

portsentry Source

SSH Source
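
The checks below are an added example (not part of the original post) for sections 1 and 6 above: a sed rewrite that switches only the active "deb" lines of a sources.list to https, leaving commented lines alone, and an audit of an sshd_config for the settings section 6 asks for. The sample sources.list and sshd_config files are constructed here, not captured from a server. One check is the editor's addition: "PasswordAuthentication no" is not set in the post, and without it the console user's password still opens an ssh session, so the key pair alone does not restrict who can log in.

```shell
#!/bin/sh
# Added example (editor's code, not the post's): offline checks for the
# http->https rewrite of apt sources (section 1) and the sshd_config settings
# of section 6. Runs on constructed sample files; point the functions at
# /etc/apt/sources.list and /etc/ssh/sshd_config on a real system.

# Rewrite "http://" to "https://" on active "deb" lines only, so commented
# lines (like the deb-src entries) are untouched. Caveat: the mirror must
# really serve TLS or "apt update" fails; that cannot be checked offline.
https_sources() {
  # $1 = path to a sources.list-style file; rewritten file goes to stdout
  sed -E '/^[[:space:]]*deb[[:space:]]/ s#http://#https://#g' "$1"
}

# check REGEX LABEL FILE: report whether an uncommented line matches REGEX.
# sshd keywords are case-insensitive, so the grep is too (-i).
check() {
  if grep -Eiq "$1" "$3"; then
    echo "OK       $2"
  else
    echo "MISSING  $2"
    return 1
  fi
}

# Audit an sshd_config for the settings of section 6, plus
# "PasswordAuthentication no" (editor's addition, see lead-in).
# Returns non-zero if anything is missing.
audit_sshd() {
  cfg=$1
  fail=0
  check '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)'        'PermitRootLogin no'           "$cfg" || fail=1
  check '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes([[:space:]]|$)'  'PubkeyAuthentication yes'     "$cfg" || fail=1
  check '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' 'PasswordAuthentication no'    "$cfg" || fail=1
  check '^[[:space:]]*UseDNS[[:space:]]+no([[:space:]]|$)'                 'UseDNS no'                    "$cfg" || fail=1
  check '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp'  'Subsystem sftp internal-sftp' "$cfg" || fail=1
  check '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]#]'                 'AllowUsers <console user>'    "$cfg" || fail=1
  return $fail
}

# --- constructed sample inputs (hostnames and user names are assumptions) ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat >"$work/sources.list" <<'EOF'
deb http://archive.ubuntu.com/ubuntu focal main restricted universe
# deb-src http://archive.ubuntu.com/ubuntu focal main restricted universe
deb http://security.ubuntu.com/ubuntu focal-security main restricted universe
EOF

# Stock-looking sshd_config: everything still commented out, as before section 6.
cat >"$work/sshd_config.before" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
#UseDNS no
Subsystem	sftp	/usr/lib/openssh/sftp-server
EOF

# The same file after the edits of section 6 (plus PasswordAuthentication no).
cat >"$work/sshd_config.after" <<'EOF'
Port 22
PermitRootLogin no
PubKeyAuthentication yes
PasswordAuthentication no
AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
UseDNS no
#Subsystem	sftp	/usr/lib/openssh/sftp-server
Subsystem      sftp      internal-sftp
AllowUsers user_console_adm
EOF

echo "== rewritten sources.list =="
https_sources "$work/sources.list"
echo "== audit: before =="
audit_sshd "$work/sshd_config.before" || echo "-> not hardened yet"
echo "== audit: after =="
audit_sshd "$work/sshd_config.after" && echo "-> all required settings present"
```

Run the audit against the live file with `sudo audit_sshd /etc/ssh/sshd_config` after sourcing the script; a MISSING line tells you which setting in section 6 was skipped or left commented out, and `sshd -t` remains the authoritative syntax check before restarting the service.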

4
X. ZENTYAL UPDATE.



Take particular care when updating certain packages: above all, do not overwrite the existing configuration files, on pain of serious malfunctions. (Take a snapshot before each update.)



Update command:

Code: [Select]
sudo apt update && sudo apt full-upgrade -y

Text output when updating a package's configuration file:




Be sure to keep the currently installed version and confirm:




5
IX. SHARED FOLDER CONFIGURATION.



Go to the File Sharing tab:




Give a share name:




In the created share go to access control:




Choose the group or authorized users for this share:




On a client workstation, disconnect and reconnect:



6
VIII. RSAT CONFIGURATION.



Download the Windows 10 Remote Server Administration Tools:










Go to Apps & Features:





Select Optional Features:




Filter with RSAT:







Select the 20 modules:








Then join the domain.

Then go to System and Security then Administrative Tools:




Make desktop shortcuts:




Go to Active Directory Users and Computers:


7
VII. WINDOWS 10 CLIENT CONFIGURATION.



Go to "Rename your PC" to change the NetBIOS name:



Once restarted, go to "Rename your PC (advanced)" to join a domain:




Authenticate with an account authorized to join a domain:




Successful authentication:




Log out and then log in with another user:




Successful Domain Login:




Then go to Proxy, activate the option, enter the server IP as well as the port, and save: (to be adapted to the existing infrastructure)




To test the proxy, open a browser window and enter an NSFW site:




8
VI. PROXY CONFIGURATION.



Go to the HTTP Proxy tab:




In general settings check transparent proxy:




Go to https://dsi.ut-capitole.fr/blacklists/download/ and download the blacklist needed for the proxy; in a terminal, copy the line below:


Code: [Select]
wget https://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz

Go to the categorized lists tab and download the blacklist:




In Filter Profiles create a new blacklist profile:




Go to the blacklist profile configuration and edit the filters:






Finally go to Access rules to apply the filters:








9
V. LDAP CONFIGURATION.



Go to the Users and Computers tab:


 

Then in Groups add user groups:




Creation of the Administrator group:


 



Create users with a 10-character password:



Assign users to the right groups:




10
IV. CERTIFICATION AUTHORITY CONFIGURATION.



Go to the Certification Authority tab:




Create a new certification authority certificate: (to be adapted to the existing infrastructure)





List of certificates:






11
III. DHCP CONFIGURATION.



In the administration console, go to the DHCP tab:




Uncheck DHCP eth0:




In "Configuration" eth1: (don't forget to check dynamic dns)




Go to Ranges to assign a new range of internal IP addresses: (keep the internal addressing distinct from the external)





Add and save the new address range:




Go to the Module Status tab:




Check DHCP and save:










12
II. DNS CONFIGURATION.



In the administration console go to the DNS tab:




Activate the transparent DNS cache and add the gateway: (to be adapted to the existing infrastructure)





Save changes: (to be performed after each setting or change)






Test DNS by pinging the gateway:




13
Following on from the installation procedure, but with software RAID support.



I. SOFTWARE RAID CONFIGURATION.


Choose expert mode installation:




Once in the partition disks menu, select “Manual”:




Go to the free space of the “sda” disk:




Create a new partition:




Choose the maximum partition size:




Then select the type of partition, logical in our case:




Change partition characteristics for raid volume:






Validate the end of the configuration:




Do the same operations above for the “sdb” disk.

Once the two raid volumes have been created, let's go to the software raid configuration:




Apply changes to disks:




Then create a multi-disk device:




Select “Raid1”:




Check the number of active devices, 2 in our case:




Leave the spare device count at 0:




Overview of the active devices and their selection: (space bar to select)






Finish configuring volumes:




Finish partitioning and apply changes:




A new RAID1 device appears:




Select free space to apply partition characteristics:




Apply the filesystem type, journaled ext4 in our example:




Select the partition mount point, root “/” in our case:






Finish setting the raid partition:




Finish partitioning and apply changes:






After applying the changes to the disks, the installation of Zentyal continues with software RAID1 support.

Once the installation is complete, to verify the volumes, enter the command below
in a terminal:





We see a RAID1 volume md0 made up of partition sda5 of disk sda, and likewise sdb5.



II. RAID MAINTENANCE



To display the status of a raid1 volume enter the following command:

Code: [Select]
sudo mdadm -D /dev/md0

Output of the above command:



To remove a bad volume: (replace * with the partition number of the bad disk)

Code: [Select]
sudo mdadm --remove /dev/md0 /dev/sda*

To add a new volume:

Code: [Select]
sudo mdadm --add /dev/md0 /dev/sda*


Source
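
The script below is an added example (editor's code, not part of the original post) for the RAID maintenance section above: it reads an mdstat-format file and reports any array whose member map shows a missing member (`[U_]` rather than `[UU]`), then builds the mdadm steps of section II for a named partition instead of the `sda*` placeholder. One caveat the post does not mention: mdadm refuses to `--remove` a member that is still active, so the member is marked failed with `--fail` first (a disk that has already dropped out is already marked failed and the `--fail` step is a no-op). The two mdstat samples and the device names `/dev/sdb5` and `/dev/sdc5` are constructed assumptions; on a live system pass `/proc/mdstat`.

```shell
#!/bin/sh
# Added example (editor's code, not the post's): detect a degraded RAID1
# array from an mdstat file and emit the replacement steps of section II.
# The mdstat samples are constructed; use /proc/mdstat on a real server.

# Print "<array> <status>" for every md device whose status map contains "_"
# (a missing or failed member, e.g. [U_]); exit 1 if any array is degraded.
mdstat_degraded() {
  awk '
    /^md[0-9]+ :/ { name = $1; next }     # "md0 : active raid1 sdb5[1] sda5[0]"
    name != "" && /\[[U_]+\] *$/ {        # "... blocks super 1.2 [2/2] [UU]"
      status = $NF
      if (status ~ /_/) { print name " " status; bad++ }
      name = ""
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Emit the commands to swap a member. mdadm will not --remove an active
# member, so it is marked failed first. DRY_RUN=1 (the default here) only
# prints the commands; run with DRY_RUN=0 as root to apply them.
replace_member() {
  # $1 = array (e.g. /dev/md0), $2 = failed partition, $3 = replacement partition
  for step in \
    "mdadm --manage $1 --fail $2" \
    "mdadm --manage $1 --remove $2" \
    "mdadm --manage $1 --add $3"
  do
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$step"; else $step; fi
  done
}

# --- constructed mdstat samples (not captured from a real machine) ---
work2=$(mktemp -d)
trap 'rm -rf "$work2"' EXIT

cat >"$work2/mdstat.healthy" <<'EOF'
Personalities : [raid1]
md0 : active raid1 sdb5[1] sda5[0]
      20952064 blocks super 1.2 [2/2] [UU]

unused devices: <none>
EOF

cat >"$work2/mdstat.degraded" <<'EOF'
Personalities : [raid1]
md0 : active raid1 sda5[0]
      20952064 blocks super 1.2 [2/1] [U_]

unused devices: <none>
EOF

for f in healthy degraded; do
  echo "== $f =="
  if mdstat_degraded "$work2/mdstat.$f"; then
    echo "all arrays complete"
  else
    echo "degraded array, replacement steps (dry run):"
    replace_member /dev/md0 /dev/sdb5 /dev/sdc5
  fi
done
```

The detector is cheap enough to run from cron or a monitoring check; `mdadm --detail /dev/md0` (as in section II) then tells you which member is missing before you build the `replace_member` call with the real device names.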











14
I want to share with the community my work, done as part of my training; to avoid bleeding from the eyes, this will be done in several parts.

I wish you a good reading.


INSTALLATION AND CONFIGURATION PROCEDURE FOR ZENTYAL 7.0 DEVELOPMENT


I. INSTALLATION OF ZENTYAL 7.0 DEVELOPMENT.


Choice of language and installation screen: (expert mode for RAID configuration, see the software RAID configuration procedure)







Choice of language and keyboard type:








Choice of external network card:




Choice of the server's NetBIOS name:




Choice of username for the main account: (change it to another name)




Choice of a 12-character password and confirmation:






Choice of system clock:




End of system installation:




Installing Zentyal core packages:




A browser window then opens to log in to the console: (accept the warning, as the certificate is self-signed)




In the Zentyal administration console, fill in the user created previously and its 12-character password:





Choice of Zentyal components:








Confirmation and installation of components:






Configuration of network interfaces:






Choice of external network IP address: (to be adapted according to the existing infrastructure)




Choice of internal network IP address:




Domain controller type selection:







Source

Source

15
Other modules / IDS/IPS doesnt work
« on: March 25, 2022, 02:42:17 pm »
Hi Zentyal users, after a couple of installations under VirtualBox, the IDS/IPS module is installed, and once activated it crashes nginx every time. I tested with default IDS/IPS settings, same thing.

Any ideas where it could come from?






