Tag archive: e2guardian

e2guardian tutorial with Squid Proxy authenticating against AD, with SSL MITM and a blacklist, on Debian 11

1 – Preparing the Environment

Add the contrib and non-free components to apt's sources.list.

vim /etc/apt/sources.list
deb http://debian.pop-sc.rnp.br/debian/ bullseye main contrib non-free
deb-src http://debian.pop-sc.rnp.br/debian/ bullseye main contrib non-free

2 – Installing and Testing Squid

apt install squid

Configure squid (/etc/squid/squid.conf) with the settings below. Two things to keep in mind: the LDAP bind password ends up in clear text inside squid.conf, so keep that file readable only by root and the proxy group, or move the password out of it with the helper's -W option (for example -W /etc/squid/ldap.pass, a path of your choosing); and both the bind to 192.168.200.3 on port 389 and the clients' Basic credentials to the proxy travel unencrypted, so on anything beyond a lab add -Z (StartTLS) or point the helper at an ldaps:// URI with -H instead of -h.

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "DC=minhaempresa,DC=local" -D "cn=e2guardian,cn=Users,dc=minhaempresa,dc=local" -w "Senha123" -f sAMAccountName=%s -h 192.168.200.3

auth_param basic children 20
auth_param basic realm Autentique-se no proxy para acessar a internet.
auth_param basic credentialsttl 360 minutes

### --> This is where squid hands the requests to e2guardian (the parent on 127.0.0.1:8080); login=*:password forwards the authenticated username to it

cache_peer 127.0.0.1 parent 8080 0 login=*:password
always_direct deny all
never_direct allow all

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.200.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 8080
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl password proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access allow password localnet

http_access deny localnet
http_access deny localhost
http_access deny all

http_port 3128
cache_mgr [email protected]
coredump_dir /var/spool/squid
access_log /var/log/squid/access.log
error_default_language pt-br
visible_hostname proxy.minhaempresa.local

Enable and start the service

systemctl enable squid

systemctl start squid

Run all the tests before moving on to e2guardian: at this point you should already be able to authenticate against AD and browse freely with username and password. If e2guardian is not installed yet, comment out the three lines in which squid calls e2guardian on port 8080 (cache_peer, always_direct and never_direct); with never_direct still active and no parent to send to, every request fails.

Test the AD lookup directly with the helper, using the same command line as in squid.conf:

/usr/lib/squid/basic_ldap_auth -R -b "DC=minhaempresa,DC=local" -D "cn=e2guardian,cn=Users,dc=minhaempresa,dc=local" -w "Senha123" -f sAMAccountName=%s -h 192.168.200.3

The helper reads one "username password" pair per line from stdin. Type a username, a space and the password, press Enter, and it must answer OK. ERR means the lookup was rejected; if every user gets ERR, check the -D account and -w password of the bind itself before blaming the users.
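A single browser test does not catch two silent failures that the configuration above is meant to prevent: requests being served without a username (an ACL ordering mistake) and requests going HIER_DIRECT instead of through the 127.0.0.1:8080 parent (a cache_peer line left commented out after testing). The script below is an added example, not part of the original post; it parses the native access.log format written by the access_log line above and runs against a constructed sample log embedded in the script (client addresses, usernames and URLs are made up).

```shell
#!/bin/sh
# Audit a Squid access.log (native format, as written by the access_log line in
# squid.conf above) for two things the configuration depends on:
#   1. every served request carries an authenticated user (field 8 != "-");
#   2. every request went to the e2guardian parent (field 9 is FIRSTUP_PARENT/...),
#      never HIER_DIRECT, which "never_direct allow all" is supposed to forbid.
# Native log fields: time elapsed client code/status bytes method URL user peer type

# Requests per authenticated user, one "user count" per line, sorted by user.
squid_users() {
    awk '$8 != "-" { n[$8]++ } END { for (u in n) print u, n[u] }' "$1" | sort
}

# Requests served or denied with no username, ignoring the 407 challenge that
# every browser receives before it sends credentials.
squid_unauth_count() {
    awk '$8 == "-" && $4 !~ /\/407$/ { c++ } END { print c + 0 }' "$1"
}

# Requests that bypassed the parent: HIER_DIRECT means squid fetched the object
# itself, so e2guardian never saw it (typically cache_peer is still commented out).
squid_direct_count() {
    awk '{ split($9, h, "/"); if (h[1] == "HIER_DIRECT") c++ } END { print c + 0 }' "$1"
}

# Constructed sample log (not real traffic): one 407 challenge, two requests
# correctly relayed to the parent, one that went direct, one denied without auth
# (port 22 is not a Safe_port, so it is refused before authentication).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
1700000001.100     12 192.168.200.50 TCP_DENIED/407 3945 GET http://example.com/ - HIER_NONE/- text/html
1700000001.300    245 192.168.200.50 TCP_MISS/200 5123 GET http://example.com/ jsilva FIRSTUP_PARENT/127.0.0.1 text/html
1700000002.000    180 192.168.200.51 TCP_TUNNEL/200 9120 CONNECT mail.example.com:443 msouza FIRSTUP_PARENT/127.0.0.1 -
1700000003.000     90 192.168.200.52 TCP_MISS/200 2210 GET http://example.org/ jsilva HIER_DIRECT/93.184.216.34 text/html
1700000004.000      5 192.168.200.53 TCP_DENIED/403 3600 GET http://example.net:22/ - HIER_NONE/- text/html
EOF

# Usage: sh audit_squid.sh [/var/log/squid/access.log]; defaults to the sample.
LOG=${1:-$SAMPLE}
echo "requests per user:"; squid_users "$LOG"
echo "unauthenticated: $(squid_unauth_count "$LOG")"   # anything above 0 needs explaining
echo "bypassed parent: $(squid_direct_count "$LOG")"   # must be 0 with never_direct allow all
```

On the real proxy pass /var/log/squid/access.log as the first argument. A non-zero "bypassed parent" count after e2guardian is in place means filtering is being skipped for those requests, which is the condition the always_direct/never_direct pair exists to rule out.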

3 – Installing and Configuring e2guardian

apt install e2guardian

Enable and start the service

systemctl enable e2guardian

systemctl start e2guardian

Create the directory for the generated certificates and set its permissions. It must be writable by the user the daemon runs as (daemonuser in e2guardian.conf, e2guardian on Debian); the owner and mode below give it that without the 777 that would let any local user plant or replace certificates there.

mkdir -p /etc/e2guardian/ssl/generatedcerts
chown e2guardian:e2guardian /etc/e2guardian/ssl/generatedcerts
chmod 750 /etc/e2guardian/ssl/generatedcerts

Create the file /etc/e2guardian/ssl/mkcert.sh and run it (it writes into the ssl directory). It only needs to be executable by root; 777 would let any local user rewrite a script that root runs.

touch /etc/e2guardian/ssl/mkcert.sh
chmod 700 /etc/e2guardian/ssl/mkcert.sh

Put the following script in it. The req command is interactive and asks for the CA subject; the CN you type is what users will see as the issuer of every HTTPS site. When it finishes, give the daemon read access to the keys and nobody else (chown root:e2guardian and chmod 640 on ca.key and cert.key): whoever can read ca.key can impersonate any site to every client that trusts this CA.

#!/bin/bash
cd /etc/e2guardian/ssl || exit 1   # the commands below write to the current directory
umask 077                          # private keys must not be created world-readable
openssl genrsa 4096 > ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
openssl x509 -in ca.pem -outform DER -out ca.der   # public certificate only, in the format Windows imports
openssl genrsa 4096 > cert.key

Edit e2guardian.conf and set the following directives.

enablessl = on
cacertificatepath = '/etc/e2guardian/ssl/ca.pem'
caprivatekeypath = '/etc/e2guardian/ssl/ca.key'
certprivatekeypath = '/etc/e2guardian/ssl/cert.key'
generatedcertpath = '/etc/e2guardian/ssl/generatedcerts/'

language = 'ptbrazilian'
logfileformat = 3

Edit e2guardianf1.conf (the configuration of filter group 1) and enable the directive below. From this point on e2guardian terminates the clients' TLS sessions and re-signs every site with the CA above, so ca.der must be imported as a trusted root on every client first; otherwise every HTTPS page shows a certificate error.

sslmitm = on

Download the blacklist, extract it and place it in /etc/e2guardian/lists/blacklists/ (the tarball unpacks to a directory named BL, so rename it or adjust the paths below). The Shalla list at this address is no longer maintained; if the download fails, any blacklist with the same layout (one domains file per category, such as the UT1 list from Université Toulouse 1 Capitole) works with the same .Include lines.

https://www.shallalist.de/Downloads/shallalist.tar.gz

/etc/e2guardian/lists/blacklists/

Edit the file bannedsitelist in /etc/e2guardian/lists/ and enable the categories you want

.Include</etc/e2guardian/lists/blacklists/downloads/domains>
.Include</etc/e2guardian/lists/blacklists/aggressive/domains>
.Include</etc/e2guardian/lists/blacklists/fortunetelling/domains>
.Include</etc/e2guardian/lists/blacklists/movies/domains>
.Include</etc/e2guardian/lists/blacklists/radiotv/domains>
.Include</etc/e2guardian/lists/blacklists/chat/domains>
.Include</etc/e2guardian/lists/blacklists/sex/lingerie/domains>
.Include</etc/e2guardian/lists/blacklists/spyware/domains>
.Include</etc/e2guardian/lists/blacklists/dating/domains>
.Include</etc/e2guardian/lists/blacklists/anonvpn/domains>
.Include</etc/e2guardian/lists/blacklists/drugs/domains>
.Include</etc/e2guardian/lists/blacklists/socialnet/domains>
.Include</etc/e2guardian/lists/blacklists/porn/domains>
.Include</etc/e2guardian/lists/blacklists/gamble/domains>
.Include</etc/e2guardian/lists/blacklists/hacking/domains>

Important note: if there is a typo or one of the domain lists is not found by the daemon, the service keeps running, but bannedsitelist as a whole stops being applied, which disables even the lists that are correct. Check every .Include path before reloading.
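Since one bad .Include path silently disables the whole bannedsitelist, the paths are worth checking before every reload. The function below is an added example, not part of the original post: it extracts every .Include<...> entry from a list file (commented lines are skipped), reports the ones that do not exist or are not readable, and returns non-zero so it can gate a restart. It does not recurse into the included files and assumes paths without spaces, which holds for the lists above. The demo at the bottom runs it against a constructed list in a temporary directory that stands in for /etc/e2guardian/lists.

```shell
#!/bin/sh
# Validate the .Include<path> entries of an e2guardian list file before a
# reload: a missing file makes the daemon drop the whole list, not just that line.

# Print the include paths of a list file; commented (#) and other lines ignored.
e2g_list_includes() {
    sed -n 's/^[[:space:]]*\.Include<\(.*\)>[[:space:]]*$/\1/p' "$1"
}

# Print the number of includes that are missing or unreadable, naming each on
# stderr; exit status 0 only when every include resolves.
e2g_check_includes() {
    list=$1; missing=0
    for f in $(e2g_list_includes "$list"); do
        if [ ! -r "$f" ]; then
            echo "MISSING: $f (included from $list)" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
    [ "$missing" -eq 0 ]
}

# Constructed demo tree (not a real installation): two categories exist, one
# include is commented out, and the spyware list is referenced but absent.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/blacklists/porn" "$DEMO/blacklists/hacking"
printf 'example.test\n' > "$DEMO/blacklists/porn/domains"
printf 'example.test\n' > "$DEMO/blacklists/hacking/domains"
cat > "$DEMO/bannedsitelist" <<EOF
#List other sites to block:
xxxbucetas.net
.Include<$DEMO/blacklists/porn/domains>
#.Include<$DEMO/blacklists/gamble/domains>
.Include<$DEMO/blacklists/hacking/domains>
.Include<$DEMO/blacklists/spyware/domains>
EOF

# Usage: sh check_lists.sh [/etc/e2guardian/lists/bannedsitelist]; defaults to the demo.
LIST=${1:-$DEMO/bannedsitelist}
if e2g_check_includes "$LIST" >/dev/null; then
    echo "$LIST: all includes present, safe to reload"
else
    echo "$LIST: fix the missing includes before restarting e2guardian" >&2
fi
```

Run it with the real bannedsitelist as the argument after every edit; a non-zero exit is the signal not to restart the service yet.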

 

e2guardian on CentOS 7 with SSL MITM

Preparing the Environment

yum groupinstall 'Development Tools'
yum install zlib-devel pcre-devel openssl-devel git vim bash-completion wget xz-devel bzip2-devel openldap-devel gd gd-devel

Disabling the firewall

systemctl disable firewalld
systemctl stop firewalld

Disabling SELinux

vim /etc/selinux/config
SELINUX=disabled

Both of these are lab shortcuts. On a real proxy keep firewalld and open only the port the clients use (3128 for squid; 8080 should stay reachable from localhost only, since squid talks to e2guardian on 127.0.0.1), and keep SELinux enforcing, generating a policy module from the audit log for the few denials a from-source install produces instead of switching it off.

Cloning the source

git clone https://github.com/e2guardian/e2guardian.git
cd e2guardian

Compiling and Installing

./autogen.sh
./configure '--prefix=/usr' '--enable-clamd=yes' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--enable-pcre=yes' '--enable-sslmitm=yes' 'CPPFLAGS=-mno-sse2 -g -O2'

make

make install

Creating the systemd service and logrotate entry

cp /usr/share/e2guardian/scripts/e2guardian.service /etc/systemd/system/
cp /usr/share/e2guardian/scripts/e2guardian /etc/logrotate.d/
systemctl daemon-reload

The daemon account (the --with-proxyuser name given to configure) and the log file must exist with the right ownership before the first start; a system account with no login shell is enough

useradd -r -s /sbin/nologin e2guardian
mkdir -p /var/log/e2guardian
touch /var/log/e2guardian/access.log
chown -R e2guardian:e2guardian /var/log/e2guardian/

Generating the SSL certificate for MITM

Create the directory /etc/e2guardian/ssl/generatedcerts:

mkdir -p /etc/e2guardian/ssl/generatedcerts

Make it writable by the daemon user (not 777, which lets any local user drop certificates in there):

chown e2guardian:e2guardian /etc/e2guardian/ssl/generatedcerts
chmod 750 /etc/e2guardian/ssl/generatedcerts

Create the file /etc/e2guardian/ssl/sslgen.sh (in the ssl directory, where the paths in e2guardian.conf below expect the output) with this content:

#!/bin/bash
cd /etc/e2guardian/ssl || exit 1   # the commands below write to the current directory
umask 077                          # private keys must not be created world-readable
openssl genrsa 4096 > ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
openssl x509 -in ca.pem -outform DER -out ca.der   # public certificate only
openssl genrsa 4096 > cert.key

Make it executable and run it, then give the daemon read access to the keys without exposing them to other users:

chmod 700 /etc/e2guardian/ssl/sslgen.sh
/etc/e2guardian/ssl/sslgen.sh
chown root:e2guardian /etc/e2guardian/ssl/ca.key /etc/e2guardian/ssl/cert.key
chmod 640 /etc/e2guardian/ssl/ca.key /etc/e2guardian/ssl/cert.key

cp /etc/e2guardian/ssl/ca.pem /etc/e2guardian/ssl/ca.crt

Copy ca.crt (or ca.der, the same certificate in the binary format Windows imports directly) to the Windows machine and import it into the Trusted Root Certification Authorities store. Only the certificate leaves the proxy; ca.key never does, because anyone holding it can sign a certificate for any site that every client will accept.

Edit the files:
/etc/e2guardian/e2guardian.conf:

# Enable SSL support
# This must be present to enable MITM and/or Cert checking
# default is off
enablessl = on

#SSL man in the middle
#CA certificate path
#Path to the CA certificate to use as a signing certificate for
#generated certificates.
# default is blank - required if ssl_mitm is enabled.
cacertificatepath = '/etc/e2guardian/ssl/ca.pem'

#CA private key path
#path to the private key that matches the public key in the CA certificate.
# default is blank - required if ssl_mitm is enabled.
caprivatekeypath = '/etc/e2guardian/ssl/ca.key'

#Cert private key path
#The public / private key pair used by all generated certificates
# default is blank - required if ssl_mitm is enabled.
certprivatekeypath = '/etc/e2guardian/ssl/cert.key'

#Generated cert path
#The location where generated certificates will be saved for future use.
#(must be writable by the dg user)
# default is blank - required if ssl_mitm is enabled.
generatedcertpath = '/etc/e2guardian/ssl/generatedcerts/'

Edit the file e2guardianf1.conf and enable

sslmitm = on

Add a few sites for testing in

/etc/e2guardian/lists/bannedsitelist:

#List other sites to block:
# badboys.com
xxxbucetas.net
bucetas.b-cdn.net
xvideos.blog

Enable and start e2guardian.service:

systemctl enable e2guardian.service
systemctl start e2guardian.service

Install a blacklist (optional)

cd ~
wget http://www.shallalist.de/Downloads/shallalist.tar.gz
tar -xvzf shallalist.tar.gz
mv BL/ /etc/e2guardian/lists/

chown -R root:e2guardian /etc/e2guardian/lists/
chmod -R g+rX,o-rwx /etc/e2guardian/lists/

The daemon only needs to read the lists; leaving them owned by e2guardian would let a compromised filter process rewrite its own policy. The tarball is fetched over plain HTTP here, and the Shalla list is no longer maintained, so treat it as untrusted input: it should contain nothing but text files under BL/. Any list with the same one-domains-file-per-category layout, such as UT1 from Université Toulouse 1 Capitole, can replace it with the same .Include lines.

Install SARG (optional)

wget https://sourceforge.net/projects/sarg/files/sarg/sarg-2.4.0/sarg-2.4.0.tar.gz
tar -xvzf sarg-2.4.0.tar.gz
cd sarg-2.4.0
./configure
make
make install

E2Guardian MITM: creating the certificates


  1. Create the directory /etc/e2guardian/ssl/generatedcerts:
    mkdir -p /etc/e2guardian/ssl/generatedcerts
  2. Make /etc/e2guardian/ssl/generatedcerts writable by the daemon user (777 also works, but lets any local user plant certificates there):
    chown e2guardian:e2guardian /etc/e2guardian/ssl/generatedcerts
    chmod 750 /etc/e2guardian/ssl/generatedcerts
  3. Create the file /etc/e2guardian/ssl/mkcert and run it from /etc/e2guardian/ssl (it writes to the current directory); afterwards chown root:e2guardian and chmod 640 ca.key and cert.key:
    #!/bin/bash
    
    umask 077   # private keys must not be created world-readable
    openssl genrsa 4096 > ca.key
    openssl req -new -x509 -days 3650 -key ca.key -out ca.pem
    openssl x509 -in ca.pem -outform DER -out ca.der
    openssl genrsa 4096 > cert.key
  4. Edit the files:

/etc/e2guardian/e2guardian.conf:

# Enable SSL support
# This must be present to enable MITM and/or Cert checking
# default is off
enablessl = on
...
#SSL man in the middle
#CA certificate path
#Path to the CA certificate to use as a signing certificate for
#generated certificates.
# default is blank - required if ssl_mitm is enabled.
cacertificatepath = '/etc/e2guardian/ssl/ca.pem'

#CA private key path
#path to the private key that matches the public key in the CA certificate.
# default is blank - required if ssl_mitm is enabled.
caprivatekeypath = '/etc/e2guardian/ssl/ca.key'

#Cert private key path
#The public / private key pair used by all generated certificates
# default is blank - required if ssl_mitm is enabled.
certprivatekeypath = '/etc/e2guardian/ssl/cert.key'

#Generated cert path
#The location where generated certificates will be saved for future use.
#(must be writable by the dg user)
# default is blank - required if ssl_mitm is enabled.
generatedcertpath = '/etc/e2guardian/ssl/generatedcerts/'

Edit the file e2guardianf1.conf

Find the line and turn SSLMITM on

sslmitm = on

/etc/e2guardian/lists/bannedsitelist:

...
#List other sites to block:

# badboys.com
xxxbucetas.net
bucetas.b-cdn.net
xvideos.blog
...
# You will need to edit to add and remove categories you want
.Include</etc/e2guardian/lists/BL/porn/domains>
.Include</etc/e2guardian/lists/BL/aggressive/domains>
  5. Enable and start e2guardian.service:
    systemctl enable e2guardian.service
    systemctl start e2guardian.service
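All three posts above (Debian 11, CentOS 7 and the numbered steps just before this) create the CA with the same four openssl commands, run interactively, with ca.key left at whatever root's umask gives and generatedcerts at 0777. The script below is an added example, not the blog's mkcert.sh/sslgen.sh: it does the same job non-interactively, keeps the private keys readable only by root and the daemon's group, and proves the CA works by signing and verifying a throw-away leaf certificate the way e2guardian will for each site once sslmitm = on. It assumes the daemon user is e2guardian (the Debian package default and the --with-proxyuser value used on CentOS), that the subject names are placeholders you replace, and reads the key size from E2G_KEYBITS (default 4096).

```shell
#!/bin/sh
# Hardened replacement for the mkcert.sh / sslgen.sh snippets (added example).
#  - non-interactive (-subj) so it can be re-run and scripted;
#  - private keys are written under umask 077 and end up 0640 root:<daemon user>:
#    whoever can read ca.key can mint a valid certificate for any HTTPS site,
#    accepted by every client that imported ca.der;
#  - generatedcerts is 0750 and owned by the daemon user instead of 0777;
#  - a throw-away leaf is signed with ca.key and verified against ca.pem before
#    anyone is asked to trust the CA.
# Assumptions: daemon user "e2guardian"; placeholder subject; E2G_KEYBITS (default 4096).
set -u

e2g_make_ca() {
    dir=$1; user=${2:-e2guardian}
    subj=${3:-"/C=BR/O=minhaempresa/CN=minhaempresa proxy CA"}
    bits=${E2G_KEYBITS:-4096}
    mkdir -p "$dir/generatedcerts" || return 1
    (
        set -e
        umask 077                      # files are private from the moment they exist
        cd "$dir"
        openssl genrsa -out ca.key "$bits" 2>/dev/null
        openssl req -new -x509 -days 3650 -key ca.key -out ca.pem -subj "$subj"
        openssl x509 -in ca.pem -outform DER -out ca.der   # public cert only: what clients import
        openssl genrsa -out cert.key "$bits" 2>/dev/null  # key reused by every generated leaf cert
    ) || return 1
    chmod 640 "$dir/ca.key" "$dir/cert.key"     # daemon reads them via its group, nobody else
    chmod 644 "$dir/ca.pem" "$dir/ca.der"
    chmod 750 "$dir/generatedcerts"
    # ownership only applies on the real host, as root, once the daemon account exists
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown root:"$user" "$dir/ca.key" "$dir/cert.key"
        chown "$user":"$user" "$dir/generatedcerts"   # the daemon writes per-site certs here
    fi
}

# The signer must carry basicConstraints CA:TRUE, or clients reject the
# per-site certificates e2guardian mints under it.
e2g_check_ca() {
    openssl x509 -in "$1/ca.pem" -noout -text | grep -q 'CA:TRUE'
}

# Mint a leaf for host $2 the way e2guardian will (cert.key as the leaf key,
# ca.key as the signer) and verify the chain; status 0 means the CA works.
e2g_test_sign() {
    dir=$1; host=$2; tmp=$(mktemp -d)
    openssl req -new -key "$dir/cert.key" -subj "/CN=$host" -out "$tmp/leaf.csr" &&
    openssl x509 -req -in "$tmp/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$tmp/leaf.pem" 2>/dev/null &&
    openssl verify -CAfile "$dir/ca.pem" "$tmp/leaf.pem" >/dev/null
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh mkca.sh /etc/e2guardian/ssl   (run as root on the proxy)
if [ $# -ge 1 ]; then
    e2g_make_ca "$1" && e2g_check_ca "$1" && e2g_test_sign "$1" www.example.com \
        && echo "CA in $1 is usable; import $1/ca.der on the clients" \
        || { echo "CA generation or verification failed" >&2; exit 1; }
fi
```

The paths it produces match the cacertificatepath, caprivatekeypath, certprivatekeypath and generatedcertpath directives above, so no configuration change is needed; only ca.der (or ca.pem copied to ca.crt) is distributed to clients.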