Show Posts



Messages - vandykmarsu

1
Other modules / Re: no forward-proxy ports error after updating squid
« on: July 09, 2022, 11:29:49 am »
After testing the solution given by the Zentyal team, nothing helps: the blacklist takes a long time to be validated, then an error message appears saying that the proxy cannot find a redirection port.

On the other hand, if the blacklist is removed, the services are available again, so I tested manually adding domains to be prohibited, and the proxy works normally.

Does the problem come from the recent update of squid? The squid stubs to review? The blacklist having a compatibility issue? I leave it to the Zentyal team to look into it.

I thank the team for their support and hope that they will find a solution to this unfortunate incident.


2
Directory and Authentication / Re: Working with LDAPS?
« on: June 27, 2022, 01:34:12 pm »

*edit*

CA and LDAPS certificates can be found here:
/var/lib/samba/private/tls

CA certificate can be found here:

Code: [Select]
/var/lib/zentyal/CA/private
For a trusted certificate you can follow the explanation on the Let's Encrypt line:

Let's encrypt

3
Other modules / Re: no forward-proxy ports error after updating squid
« on: June 26, 2022, 08:47:44 pm »
I found a lead while researching, about the documentation revealing the above error.


It is recommended to add the mention "intercept" to the http_port line in the squid configuration file under "/usr/share/zentyal/stubs/squid/squid.conf.mas".

Before changing it, I stopped the service, changed the conf file, and restarted the service; same issue :(

4
Other modules / no forward-proxy ports error after updating squid
« on: June 24, 2022, 09:11:49 pm »
After a squid update the service no longer works.

When I clear the proxy configuration and after a restart the service works again.

I consulted the log of squid which informs me of an "ERROR: no forward-proxy ports configured."

I tried to downgrade squid to version 4.10-1ubuntu1, but the error persists.

I need a working proxy to validate my training project.

What I find strange is that 2 virtual machines out of 3 are not impacted by this incident, and on the final server it is apparent even after redoing a clean installation.


I guess it's a package versioning issue?

zentyal.log

5
Hi,

We have issued a new certificate. Now you can use HTTPS in your repository configuration.

Thank you for your feedback.

Best regards, Daniel Joven.

Thank you for the reply, the HTTPS repo works.

6
XII. Xrdp REMOTE DESKTOP.



We are going to install a remote desktop (RDP) client for remote control of the administrator workstation to Zentyal, as part of maintenance in a graphical user interface.

In a terminal window enter the following command to install Xrdp:

Code: [Select]
sudo apt install xorgxrdp xrdp -y

Create the xrdp user and add it to the ssl-cert group:

Code: [Select]
sudo adduser xrdp ssl-cert

Once installed, enable the service on every boot:

Code: [Select]
sudo systemctl enable xrdp

To check if the service is running:

Code: [Select]
sudo systemctl status xrdp

It may happen that the service refuses to start, in this case reboot the server, everything will be back to normal on restart.

Once the service is active, let's go to the administration console to configure the service and the firewall.

Go to the network tab then services:




Then add a new service and name it:






Then configure the newly created service:




Fill in the fields:




Once the new service is configured, don't forget to save the changes:




Then we go to the firewall to add a new rule.

Go to the firewall tab, select filter and zentyal internal network:




Add and configure a new rule:




In my example, as a security measure, I only allow RDP access from the administrator workstation via its MAC address.

The new filter rule is added:




Don't forget to save the changes.

To take effect, we have to restart the firewall services:

Code: [Select]
sudo zs firewall restart

After restarting the firewall service, go to the administrator workstation to initiate a remote desktop session.

In the Windows search bar enter "desktop" and select Remote Desktop Connection:




A window then opens; fill in the IP address of Zentyal:




In the second window, enter your Zentyal user and password:




And here we are on Zentyal desktop via remote desktop session:






Xrdp Source








7
Can't check this here (don't ask) but I guess for the website it is a Let's Encrypt cert with auto-renew via certbot.

I'm more interested with the securing of your Zentyal configuration. Would you care to create a separate post and explain what and how did you try to improve?

Hi, you can find my Securing Zentyal project at this link.

It's a good start and of course it is possible to add more layers of security, if required.


Wish you a good read :)


8
XI. SECURING ZENTYAL



1. SECURE REPOSITORY.


Linux distributions usually come with insecure repositories over http, so we will switch them to https as much as possible, because some Zentyal repositories are not available over https.

To do this, open a terminal window and enter the following command for socket support for https repositories:


Code: [Select]
sudo apt install apt-transport-https -y

From now on we can change http repositories to https.

In a terminal window:

Code: [Select]
sudo nano /etc/apt/sources.list

To change the sources, just add an "s" at the end of http; in my example below I unchecked the deb-src, see the type of archives.






Save your changes with "ctrl+x" then "y" and finally hit enter.

In addition, we can also change the security http repositories to a mirror supporting https, chosen according to your geographical location to limit latency, see archive mirrors.

In my example I chose the plusserver mirror:






Once the repositories have been changed, simply reload the sources with the following command:


Code: [Select]
sudo apt update



Edit:

Since 20 June, Zentyal HTTPS repositories have been available.



2. CERTIFICATE AUTHORITY.



We will add a self-signed X.509 certificate to access the administration console over https, which by default is over http.

Go to Certification Authority in the administration console:




Then create a new certificate:




Once created we can see it in the list of current certificates:




Now you have to apply the certificate to the web server: go to "Services certificates" and tick the services you wish to certify:





To take effect, save your changes and then close the administration console. Upon reopening, and after accepting the risk, you will see https appear in the navigation bar.





3. LDAPS CONFIGURATION.



By default the port used by the directory is 389, which is not safe; we will force the use of secure port 636.

For support it is necessary to enrich the samba configuration file found in "/usr/share/zentyal/stubs/samba/smb.conf.mas" by adding the location of the certificate created previously.

In a terminal window:

Code: [Select]
sudo nano /usr/share/zentyal/stubs/samba/smb.conf.mas

In the [global] section add these lines:

Code: [Select]
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1




We will restrict the access rights to the certificate key; go to the certificates folder:


Code: [Select]
cd /var/lib/samba/private/tls
Code: [Select]
sudo chmod 600 key.pem



Finally we will restart the samba services:

Code: [Select]
sudo zs samba restart


4. FAIL2BAN CONFIGURATION.



A short presentation of fail2ban: it is an intrusion prevention system that allows you to ban source IP addresses that attempt to connect without your knowledge to some services, such as ssh.

We are going to install fail2ban, in a terminal window:

Code: [Select]
sudo apt install fail2ban -y

Enable the service on every boot:

Code: [Select]
sudo systemctl enable fail2ban

Check the service status:

Code: [Select]
sudo systemctl status fail2ban

Let's move on to configuring the plugins:

Code: [Select]
sudo nano /etc/fail2ban/jail.d/defaults-debian.conf

Add the plugins to monitor as well as the ban time:



Code: [Select]
[DEFAULT]
# settings in this section apply to every jail below
bantime = 86400
maxretry = 2
# never ban the server itself or the admin workstation (replace the placeholders)
ignoreip = 127.0.0.1/8 server-ip admin-client-ip

[sshd]
enabled = true
port = 22

[nginx-http-auth]
enabled = true
port = http,https

In the example the ssh and nginx plugins have been chosen, with a ban time of 24 hours expressed in seconds, as well as a maximum of 2 attempts.

Do not forget to add to the "ignoreip" list the IP address of your server and the administrator workstation, at the risk of being blocked by fail2ban.


Restart the service for the changes to take effect:

Code: [Select]
sudo systemctl restart fail2ban

Check the logs:

Code: [Select]
tail -f /var/log/fail2ban.log


5. PORTSENTRY CONFIGURATION.



portsentry is a "portscan" detection and blocking program, ideal for hiding services using specific ports.

Installing portsentry:

Code: [Select]
sudo apt install portsentry -y

Enable the service on every boot:

Code: [Select]
sudo systemctl enable portsentry

Check the service status:

Code: [Select]
sudo systemctl status portsentry

Configure the file with the IP addresses to ignore, those of the server and the administrator workstation:

Code: [Select]
sudo nano /etc/portsentry/portsentry.ignore.static



By default portsentry does not block any IP; we will go to its configuration file and modify it so that blocking is effective:


Code: [Select]
sudo nano /etc/portsentry/portsentry.conf

In the Ignore Options, set BLOCK_UDP/BLOCK_TCP to "1" for blocking support:




“Dropping Routes” section, check that the following line is uncommented:




Same for the “TCP Wrappers” section:




In the "External Command" section, add this long line and uncomment KILL_RUN_CMD_FIRST with a value of "1":


Code: [Select]
KILL_RUN_CMD="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level debug --log-prefix 'Portsentry: dropping: '"




In the "Scan trigger" section, change the value "0" to "1":




For automatic detection of the ports used, simply go to the file /etc/default/portsentry:


Code: [Select]
sudo nano /etc/default/portsentry

Switch to "atcp" and "audp" mode, then restart the service:



Code: [Select]
sudo systemctl restart portsentry


6. SSH CONFIGURATION.



To connect remotely to our server and maintain it, we need the ssh service, and of course we must secure it to limit access.

First of all we will open port 22 on Zentyal, which by default is closed, so as to be able to access ssh from the administrator workstation; open a terminal and enter the following command:


Code: [Select]
sudo nano /etc/ssh/sshd_config

Once in the configuration file, uncomment port 22 and restart the service:



Code: [Select]
sudo systemctl restart sshd

Let's go to the administrator workstation, on which we will generate a new pair of ssh keys; for this open a command window and enter the following line:


Code: [Select]
ssh-keygen -t rsa -b 4096

This command creates an RSA key pair with a length of 4096 bits.




The following message asks where to store the key pair; keep the default location:





Fill in a robust passphrase respecting the security policy, with the help of the KeePassXC password manager:





Once the key pair is generated, we can connect via ssh to the Zentyal server, using the main admin console user as identifier:


Code: [Select]
ssh user_console_adm@zentyal_ip_address



For this first connection, the administration console user's password will be needed to connect remotely:





And here we are on the server via remote access:




We will create a hidden folder, where we will store the public key of the administrator computer in a key authorization file, in order to limit ssh access:


Code: [Select]
# create the key directory as the login user (no sudo, so it stays owned by that user)
mkdir -p ~/.ssh && chmod 700 ~/.ssh
# paste the workstation's public key into the authorized keys file
nano ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys







Enter the public key retrieved via Notepad from the path "C:\Users\user_adm\.ssh\id_rsa.pub":





Once the key is registered, we will configure the ssh service to secure key-based access; go to the ssh configuration file:

Code: [Select]
sudo nano /etc/ssh/sshd_config



Uncomment the HostKey lines:




Then uncomment "PermitRootLogin" and set it to "no", "PubkeyAuthentication yes", and finally "AuthorizedKeysFile":





Uncomment "UseDNS" and change the value to "no":




At the "Subsystem" section, comment it out, then add this line below to force the use of SFTP:


Code: [Select]
Subsystem      sftp      internal-sftp

And finally, let's limit access only to the user of the administration console, by adding at the bottom:


Code: [Select]
AllowUsers user_console_adm



For the changes to be taken into account, simply restart the ssh service with the following command:


Code: [Select]
sudo systemctl restart sshd



Once the service has restarted, we can connect to the server via ssh by filling in the user and the associated passphrase in the console:





And here we are on the Zentyal server:




From now on only the administrator workstation can connect to the server, so we have limited remote access to the server.



HTTPS Repository Source

LDAPS Source

Certification Authority Source

Fail2ban Source

portsentry Source

SSH Source
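The fail2ban jail from section 4, applied to constructed auth.log lines, as an added example (not code from the original post, and not fail2ban's own implementation). It uses the post's settings (maxretry = 2, bantime = 86400, ignoreip) and shows what they decide: a host failing twice inside the window is banned, the administrator workstation in ignoreip never is, and two failures far apart are not counted together. Assumptions: fail2ban's default findtime of 600 s (the post does not set it), the example addresses 192.168.1.1 and 192.168.1.50 standing in for the "server-ip" and "admin-client-ip" placeholders, and the log excerpt, which is constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Jail settings from the post (maxretry, bantime, ignoreip). findtime is
# fail2ban's default of 600 s; the post does not set it (assumption).
# 192.168.1.1 / 192.168.1.50 stand in for the "server-ip" / "admin-client-ip"
# placeholders of the post (assumption).
JAIL = {
    "maxretry": 2,
    "bantime": 86400,
    "findtime": 600,
    "ignoreip": ["127.0.0.1/8", "192.168.1.1", "192.168.1.50"],
}

# Constructed /var/log/auth.log excerpt; not from the original post.
SAMPLE_AUTH_LOG = """\
Jun 24 21:00:01 zentyal sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Jun 24 21:00:05 zentyal sshd[1202]: Failed password for root from 203.0.113.10 port 51236 ssh2
Jun 24 21:00:09 zentyal sshd[1203]: Failed password for root from 203.0.113.10 port 51238 ssh2
Jun 24 21:00:30 zentyal sshd[1204]: Failed password for user_console_adm from 192.168.1.50 port 60001 ssh2
Jun 24 21:00:35 zentyal sshd[1205]: Failed password for user_console_adm from 192.168.1.50 port 60002 ssh2
Jun 24 21:01:00 zentyal sshd[1206]: Accepted publickey for user_console_adm from 192.168.1.50 port 60003 ssh2: RSA SHA256:abc
Jun 24 21:05:00 zentyal sshd[1207]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jun 24 21:30:00 zentyal sshd[1208]: Failed password for root from 198.51.100.7 port 40001 ssh2
"""

# Approximation of fail2ban's sshd failregex for "Failed password" lines.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(ts: str) -> datetime:
    """Parse a syslog timestamp (no year; fine for computing differences)."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def is_ignored(ip: str, ignoreip: list[str]) -> bool:
    """True if ip falls inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def find_bans(log_text: str, jail: dict) -> dict[str, tuple[datetime, datetime]]:
    """Return {ip: (ban_start, ban_end)} that the jail would produce for log_text.

    An IP is banned on its maxretry-th failure inside a sliding findtime
    window; failures while already banned are not counted again.
    """
    recent: dict[str, list[datetime]] = {}
    bans: dict[str, tuple[datetime, datetime]] = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if is_ignored(ip, jail["ignoreip"]):
            continue
        if ip in bans and ts < bans[ip][1]:
            continue
        # keep only failures that are still inside the findtime window
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= jail["findtime"]]
        window.append(ts)
        recent[ip] = window
        if len(window) >= jail["maxretry"]:
            bans[ip] = (ts, ts + timedelta(seconds=jail["bantime"]))
            recent[ip] = []
    return bans


if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_AUTH_LOG, JAIL).items():
        print(f"ban {ip} from {start:%b %d %H:%M:%S} until {end:%b %d %H:%M:%S}")
```

Running it bans only 203.0.113.10: 192.168.1.50 fails twice as well but is covered by ignoreip, and 198.51.100.7's two failures are 25 minutes apart, outside the findtime window. Leaving the administrator workstation out of ignoreip would put it in the first group, which is the lock-out the post warns about.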

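The sshd_config hardening of section 6, checked by a small audit script, as an added example (not code from the original post and not an OpenSSH tool). It parses an sshd_config the way sshd reads it (first occurrence of a keyword wins, keywords are case-insensitive, whitespace or "=" separates key and value, the global section ends at the first Match line), compares the effective values with the post's settings, and runs the check over two constructed configs: a stock Ubuntu-style file and the post's hardened one. It goes one step beyond the post by also requiring PasswordAuthentication no, because with password login still enabled any host that knows the console user's password can still connect. Assumptions: the compiled-in defaults listed in DEFAULTS are those of OpenSSH 8.x as shipped with Ubuntu 20.04, which Zentyal 7 is based on; both config texts are constructed.

```python
import re

# Compiled-in defaults of OpenSSH 8.x for the keywords audited below
# (assumption: Ubuntu 20.04 / Zentyal 7). An absent keyword takes its default.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "usedns": "no",
}

# Values the post sets, plus PasswordAuthentication = no, which the post does
# not set but which is needed for "only the admin workstation" to hold.
REQUIRED = {
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "usedns": "no",
    "passwordauthentication": "no",
}

# Constructed stock-style config: everything still commented out (not from the post).
BEFORE = """\
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#PasswordAuthentication yes
#UseDNS no
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed config reflecting the settings the post uncomments and adds.
AFTER = """\
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
UseDNS no
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
AllowUsers user_console_adm
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return {keyword_lowercase: value} for the global section of an sshd_config."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0].lower() == "match":
            break  # settings after a Match line are conditional; stop here
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())  # first occurrence wins
    return settings


def audit_sshd_config(text: str, admin_user: str) -> list[str]:
    """Return findings against the hardening above; an empty list means compliant."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = cfg.get(key, DEFAULTS.get(key))
        if actual != wanted:
            findings.append(f"{key}: effective value {actual!r}, want {wanted!r}")
    if "authorizedkeysfile" not in cfg:
        findings.append("authorizedkeysfile: not set explicitly")
    if cfg.get("subsystem", "").split() != ["sftp", "internal-sftp"]:
        findings.append(f"subsystem: {cfg.get('subsystem')!r}, want 'sftp internal-sftp'")
    allowed = cfg.get("allowusers", "").split()
    if not allowed:
        findings.append("allowusers: not set, every local account may attempt ssh login")
    elif admin_user not in allowed:
        findings.append(f"allowusers: {admin_user!r} not in {allowed}")
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_sshd_config(text, "user_console_adm") or "OK")
```

The stock file produces five findings; the post's hardened file produces exactly one, the password-authentication default, and adding the line PasswordAuthentication no clears it. Run the function over the real /etc/ssh/sshd_config before restarting sshd to catch a missed uncomment.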
9
X. ZENTYAL UPDATE.



Take particular care when updating certain packages, especially not to overwrite the existing configuration files, on pain of serious malfunctions. (Take a snapshot before each update.)



Update command:

Code: [Select]
sudo apt update && sudo apt full-upgrade -y

Text output when updating a package's configuration file:




Absolutely keep the currently installed version and validate:




10
IX. SHARED FOLDER CONFIGURATION.



Go to the File Sharing tab:




Give a share name:




In the created share go to access control:




Choose the group or authorized users for this share:




On a client workstation disconnect/reconnect:



11
RSAT CONFIGURATION.



Download windows 10 remote server administration tools:










Go to Apps & Features:





Select Optional Features:




Filter with RSAT:







Select the 20 modules:








Then join the domain.

Then go to System and Security then Administrative Tools:




Make desktop shortcuts:




Go to Active Directory Users and Computers:


12
VII. WINDOWS 10 CLIENT CONFIGURATION.



Go to Rename your PC to change NetBios:



Once restarted, Rename your PC (advanced) to join a domain:




Authenticate with an account authorized to join a domain:




Successful authentication:




Log out and then log in with another user:




Successful Domain Login:




Then go to Proxy, activate the option, enter the server IP as well as the port and save (to be adapted according to the present infrastructure):




To test the proxy, open a browser window and enter an NSFW site:




13
VI. PROXY CONFIGURATION.



Go to the HTTP Proxy tab:




In general settings check transparent proxy:




Go to https://dsi.ut-capitole.fr/blacklists/download/ and download the blacklist needed for the proxy; in a terminal copy the line below:


Code: [Select]
wget https://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz

Go to the categorized lists tab and download the blacklist:




In Filter Profiles create a new blacklist profile:




Go to the blacklist profile configuration and edit the filters:






Finally go to Access rules to apply the filters:








14
V. LDAP CONFIGURATION.



Go to the Users and Computers tab:


 

Then in Groups add user groups:




Creation of the Administrator group:


 



Create users with a 10-character password:



Assign users to the right groups:




15
IV. CERTIFICATION AUTHORITY CONFIGURATION.



Go to the Certification Authority tab:




Create a new certification authority certificate (to be edited according to the present infrastructure):





List of certificates:





