e2guardian on CentOS 7 with SSL MITM

Preparing the Environment

yum groupinstall 'Development Tools'
yum install zlib-devel pcre-devel openssl-devel git vim bash-completion wget xz-devel bzip2-devel openldap-devel gd gd-devel

Disabling the Firewall

systemctl disable firewalld
systemctl stop firewalld

Disabling SELinux

vim /etc/selinux/config
SELINUX=disabled

Downloading the Source

git clone https://github.com/e2guardian/e2guardian.git
cd e2guardian

Compiling and Installing

./autogen.sh
./configure '--prefix=/usr' '--enable-clamd=yes' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--enable-pcre=yes' '--enable-sslmitm=yes' 'CPPFLAGS=-mno-sse2 -g -O2'

make

make install

Creating the systemd Service

cp /usr/share/e2guardian/scripts/e2guardian.service /etc/systemd/system/
cp /usr/share/e2guardian/scripts/e2guardian /etc/logrotate.d/

Create the Log File and Set Permissions

touch /var/log/e2guardian/access.log
useradd e2guardian
chown -R e2guardian:e2guardian /var/log/e2guardian/

Generating the SSL Certificate for MITM

Create the directory /etc/e2guardian/ssl/generatedcerts:

mkdir -p /etc/e2guardian/ssl/generatedcerts

Change the mode of the directory /etc/e2guardian/ssl/generatedcerts to 777:

chmod 777 /etc/e2guardian/ssl/generatedcerts

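Create the file /etc/e2guardian/sslgen.sh:

#!/bin/bash
# Write the keys and certificates where e2guardian.conf expects them
cd /etc/e2guardian/ssl || exit 1
openssl genrsa 4096 > ca.key
# Self-signed CA certificate, valid for 10 years (prompts for the subject fields)
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
openssl x509 -in ca.pem -outform DER -out ca.der
# Private key shared by all generated certificates
openssl genrsa 4096 > cert.key

Make it executable and run it:

chmod +x /etc/e2guardian/sslgen.sh
/etc/e2guardian/sslgen.sh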

cp /etc/e2guardian/ssl/ca.pem /etc/e2guardian/ssl/ca.crt

Copy ca.crt to the Windows machine.
Import it into the trusted CA store. Only the certificate is distributed to clients; ca.key stays on the proxy.

Edit the files:
/etc/e2guardian/e2guardian.conf:

# Enable SSL support
# This must be present to enable MITM and/or Cert checking
# default is off
enablessl = on

#SSL man in the middle
#CA certificate path
#Path to the CA certificate to use as a signing certificate for
#generated certificates.
# default is blank - required if ssl_mitm is enabled.
cacertificatepath = '/etc/e2guardian/ssl/ca.pem'

#CA private key path
#path to the private key that matches the public key in the CA certificate.
# default is blank - required if ssl_mitm is enabled.
caprivatekeypath = '/etc/e2guardian/ssl/ca.key'

#Cert private key path
#The public / private key pair used by all generated certificates
# default is blank - required if ssl_mitm is enabled.
certprivatekeypath = '/etc/e2guardian/ssl/cert.key'

#Generated cert path
#The location where generated certificates will be saved for future use.
#(must be writable by the dg user)
# default is blank - required if ssl_mitm is enabled.
generatedcertpath = '/etc/e2guardian/ssl/generatedcerts/'

Edit the file e2guardianf1.conf and enable SSL MITM:

sslmitm = on
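
Before starting the service, the key material configured above can be audited. The script below is an added example, not part of the original guide or of e2guardian: it flags private keys that other users can access, a world-writable generatedcerts directory (such as the mode 777 set earlier), and a ca.pem that does not match ca.key. The function names and the suggested owner and mode values are assumptions, based on the proxy running as user and group e2guardian.

```sh
#!/bin/sh
# Added example (not from the original guide): audit the SSL MITM key material.
# File names and the default directory follow the guide; the remediation hints
# assume the proxy runs as user/group e2guardian, as configured above.
SSL_DIR="${SSL_DIR:-/etc/e2guardian/ssl}"

# Succeeds when "others" have no access bits on a private key file.
check_key_mode() {
    key_mode=$(stat -c '%a' "$1") || return 2      # GNU stat, as on CentOS 7
    [ $((0$key_mode & 007)) -eq 0 ] && return 0
    echo "WEAK: $1 is mode $key_mode; try: chown root:e2guardian $1 && chmod 640 $1"
    return 1
}

# Succeeds when the generated-certificate directory is not world-writable.
check_dir_mode() {
    dir_mode=$(stat -c '%a' "$1") || return 2
    [ $((0$dir_mode & 002)) -eq 0 ] && return 0
    echo "WEAK: $1 is mode $dir_mode; try: chown e2guardian:e2guardian $1 && chmod 750 $1"
    return 1
}

# Succeeds when the certificate's public key matches the private key.
check_keypair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ] && return 0
    echo "MISMATCH: public key in $1 does not match $2"
    return 1
}

# Run every check and return non-zero if any of them failed.
audit_mitm() {
    rc=0
    check_key_mode "$1/ca.key" || rc=1
    check_key_mode "$1/cert.key" || rc=1
    check_dir_mode "$1/generatedcerts" || rc=1
    check_keypair "$1/ca.pem" "$1/ca.key" || rc=1
    return $rc
}

# Only audit when the directory exists, so sourcing the file has no side effects.
if [ -d "$SSL_DIR" ]; then audit_mitm "$SSL_DIR"; fi
```

Run it as root; a non-zero exit status means at least one check failed, and each failure prints a suggested fix.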

Add some sites for testing

/etc/e2guardian/lists/bannedsitelist:

#List other sites to block:
# badboys.com
xxxbucetas.net
bucetas.b-cdn.net
xvideos.blog

Enable and start the e2guardian service:

systemctl enable e2guardian.service
systemctl start e2guardian.service

Install a Blacklist (Optional)

cd ~
wget http://www.shallalist.de/Downloads/shallalist.tar.gz
tar -xvzf shallalist.tar.gz
mv BL/ /etc/e2guardian/lists/

chown -R e2guardian:e2guardian /etc/e2guardian/lists/

Install SARG (Optional)

wget https://sourceforge.net/projects/sarg/files/sarg/sarg-2.4.0/sarg-2.4.0.tar.gz
tar -xvzf sarg-2.4.0.tar.gz
cd sarg-2.4.0
./configure
make
make install

About the Author

Diego Elcain