Category: Tutorial

e2guardian on CentOS 7 with SSL MITM

Preparing the Environment

yum groupinstall 'Development Tools'
yum install zlib-devel pcre-devel openssl-devel git vim bash-completion wget xz-devel bzip2-devel openldap-devel gd gd-devel

Disabling the Firewall

systemctl disable firewalld
systemctl stop firewalld

Disabling SELinux

vim /etc/selinux/config
SELINUX=disabled

Downloading the Installer

git clone https://github.com/e2guardian/e2guardian.git
cd e2guardian

Compiling and Installing

./autogen.sh
./configure '--prefix=/usr' '--enable-clamd=yes' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--enable-pcre=yes' '--enable-sslmitm=yes' 'CPPFLAGS=-mno-sse2 -g -O2'

make

make install

Creating the systemd Services

cp /usr/share/e2guardian/scripts/e2guardian.service /etc/systemd/system/
cp /usr/share/e2guardian/scripts/e2guardian /etc/logrotate.d/

Create the Log File and Set Permissions

touch /var/log/e2guardian/access.log
useradd e2guardian
chown -R e2guardian:e2guardian /var/log/e2guardian/

Generating the SSL Certificate for MITM

Create the directory /etc/e2guardian/ssl/generatedcerts:

mkdir -p /etc/e2guardian/ssl/generatedcerts

Change the mode of the directory /etc/e2guardian/ssl/generatedcerts to 777:

chmod 777 /etc/e2guardian/ssl/generatedcerts

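Create the file /etc/e2guardian/sslgen.sh and run it:

#!/bin/bash
# Write the files where e2guardian.conf expects them
cd /etc/e2guardian/ssl || exit 1
openssl genrsa 4096 > ca.key                                 # CA private key
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem    # self-signed CA certificate
openssl x509 -in ca.pem -outform DER -out ca.der             # DER copy of the CA certificate
openssl genrsa 4096 > cert.key                               # key used by all generated certificates

Run

chmod +x sslgen.sh
./sslgen.sh

cp /etc/e2guardian/ssl/ca.pem /etc/e2guardian/ssl/ca.crt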

Copy ca.crt to the Windows machine
Import it into the trusted CA store

Edit the files:
/etc/e2guardian/e2guardian.conf:

# Enable SSL support
# This must be present to enable MITM and/or Cert checking
# default is off
enablessl = on

#SSL man in the middle
#CA certificate path
#Path to the CA certificate to use as a signing certificate for
#generated certificates.
# default is blank - required if ssl_mitm is enabled.
cacertificatepath = '/etc/e2guardian/ssl/ca.pem'

#CA private key path
#path to the private key that matches the public key in the CA certificate.
# default is blank - required if ssl_mitm is enabled.
caprivatekeypath = '/etc/e2guardian/ssl/ca.key'

#Cert private key path
#The public / private key pair used by all generated certificates
# default is blank - required if ssl_mitm is enabled.
certprivatekeypath = '/etc/e2guardian/ssl/cert.key'

#Generated cert path
#The location where generated certificates will be saved for future use.
#(must be writable by the dg user)
# default is blank - required if ssl_mitm is enabled.
generatedcertpath = '/etc/e2guardian/ssl/generatedcerts/'
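
Added example, not part of the original tutorial: a permission audit for the key material created above. It flags ca.key or cert.key readable by group or others (openssl genrsa with shell redirection follows the umask) and a world-writable generatedcerts directory; SSL_DIR and the function names are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original tutorial): permission audit for the
# MITM key material. SSL_DIR and the function names are assumptions.
SSL_DIR="${SSL_DIR:-/etc/e2guardian/ssl}"

# Octal permission bits of a path (GNU stat, as on CentOS 7).
mode_of() { stat -c '%a' "$1"; }

# True when a private key grants nothing to group or others.
key_is_private() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 077 )) -eq 0 ]
}

# True when a directory is not writable by "others".
dir_not_world_writable() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 002 )) -eq 0 ]
}

# Check one ssl directory; the return status is the number of findings.
audit_ssl_dir() {
    dir=$1
    findings=0
    for f in ca.key cert.key; do
        if [ -f "$dir/$f" ] && ! key_is_private "$dir/$f"; then
            echo "FINDING: $dir/$f is accessible to group/others (mode $(mode_of "$dir/$f"))"
            findings=$((findings + 1))
        fi
    done
    if [ -d "$dir/generatedcerts" ] && ! dir_not_world_writable "$dir/generatedcerts"; then
        echo "FINDING: $dir/generatedcerts is world-writable (mode $(mode_of "$dir/generatedcerts"))"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit the tutorial's directory and summarise.
audit_ssl_dir "$SSL_DIR" || echo "$? finding(s) under $SSL_DIR"
```

The configuration only requires generatedcertpath to be writable by the user the proxy runs as, so files owned by the e2guardian user with mode 600 on the keys and 700 on the directory clear both findings.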

Edit the file e2guardianf1.conf and enable:

sslmitm = on

Add a few sites for testing

/etc/e2guardian/lists/bannedsitelist:

#List other sites to block:
# badboys.com
xxxbucetas.net
bucetas.b-cdn.net
xvideos.blog

Enable and start the e2guardian.service service:

systemctl enable e2guardian.service
systemctl start e2guardian.service

Install a Blacklist (Optional)

cd ~
wget http://www.shallalist.de/Downloads/shallalist.tar.gz
tar -xvzf shallalist.tar.gz
mv BL/ /etc/e2guardian/lists/

chown -R e2guardian:e2guardian /etc/e2guardian/lists/

Install SARG (Optional)

wget https://sourceforge.net/projects/sarg/files/sarg/sarg-2.4.0/sarg-2.4.0.tar.gz
tar -xvzf sarg-2.4.0.tar.gz
cd sarg-2.4.0
./configure
make
make install

E2Guardian MITM: Creating Certificates


  1. Create the directory /etc/e2guardian/ssl/generatedcerts:
    mkdir -p /etc/e2guardian/ssl/generatedcerts
  2. Change the mode of the directory /etc/e2guardian/ssl/generatedcerts to 777:
    chmod 777 /etc/e2guardian/ssl/generatedcerts
  3. Create the file /etc/e2guardian/ssl/mkcert and run it:
    #!/bin/bash
    
    openssl genrsa 4096 > ca.key
    openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
    openssl x509 -in ca.pem -outform DER -out ca.der
    openssl genrsa 4096 > cert.key
  4. Edit the files:
    • /etc/e2guardian/e2guardian.conf:
      ...
      # Enable SSL support
      # This must be present to enable MITM and/or Cert checking
      # default is off
      enablessl = on
      ...
      #SSL man in the middle
      #CA certificate path
      #Path to the CA certificate to use as a signing certificate for
      #generated certificates.
      # default is blank - required if ssl_mitm is enabled.
      cacertificatepath = '/etc/e2guardian/ssl/ca.pem'
      
      #CA private key path
      #path to the private key that matches the public key in the CA certificate.
      # default is blank - required if ssl_mitm is enabled.
      caprivatekeypath = '/etc/e2guardian/ssl/ca.key'
      
      #Cert private key path
      #The public / private key pair used by all generated certificates
      # default is blank - required if ssl_mitm is enabled.
      certprivatekeypath = '/etc/e2guardian/ssl/cert.key'
      
      #Generated cert path
      #The location where generated certificates will be saved for future use.
      #(must be writable by the dg user)
      # default is blank - required if ssl_mitm is enabled.
      generatedcertpath = '/etc/e2guardian/ssl/generatedcerts/'
      ...
    • /etc/e2guardian/lists/bannedsitelist:
      ...
      #List other sites to block:
      
      # badboys.com
      xxxbucetas.net
      bucetas.b-cdn.net
      xvideos.blog
      ...
      # You will need to edit to add and remove categories you want
      .Include</etc/e2guardian/lists/BL/porn/domains>
      .Include</etc/e2guardian/lists/BL/aggressive/domains>
  5. Enable and start the e2guardian.service service:
    systemctl enable e2guardian.service
    systemctl start e2guardian.service

MikroTik Backup Script via E-mail

Script to back up a MikroTik router and send the backup by e-mail using Gmail

Create a Gmail account and allow access from less secure devices

Configure the NTP client

Configure an e-mail account

Schedule a task, in this case every 5 days.

Create a script

/system ntp client
set enabled=yes primary-ntp=200.160.0.8 secondary-ntp=200.189.40.8

/tool e-mail
set address=smtp.gmail.com from=cuidadodigitalgyn@gmail.com password=******** \
port=587 start-tls=yes user=cuidadodigitalgyn

/system scheduler
add interval=5d name=run_backup on-event=backup policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=oct/04/2019 start-time=18:00:00

/system script
add dont-require-permissions=no name=backup owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
export file=backup\r\
\n:log info message=\"Enviando backup por e-mail\"\r\
\n:delay 5s\r\
\n:global data [/system clock get date]\r\
\n:global hora [/system clock get time]\r\
\n:global nome [/system identity get name]\r\
\n/tool e-mail send to=\"contato@cuidadodigital.com.br\" subject=\"Backup_\
\$nome\" body=\"\" file=\"backup.rsc\""

Migrating E-mail Between Providers with ImapSync (Script)

The arduous task of migrating several mailboxes of the same domain between different providers comes up often. For this task we use ImapSync, which can be run one mailbox at a time or via a script, optimizing the work.

Tutorial: MongoDB in Docker on CentOS 7

Installation, configuration and fine-tuning of MongoDB in Docker on CentOS

SFTP Server over SSH with chroot Jail

Brief tutorial on how to configure SFTP with a chroot jail on CentOS

OpenSSH Server

Enabling the USB Port on the GVT Sagemcom F@st Power Modem

In this brief how-to we show how to enable the USB ports on GVT's ADSL Power Modem

Oracle Instant Client OCI8 on Debian Squeeze

Installation tutorial for Oracle Instant Client (OCI8) on Debian Squeeze