Dansguardian + Squid + Cntlm + Proxy Parent = Internet Access

Problem: The authentication on my parent proxy was upgraded from Basic to NTLM, and I don’t know how to configure Squid for NTLM authentication against the parent proxy.

Solution: Install Cntlm between Squid and the parent proxy.

Cntlm (http://sourceforge.net/projects/cntlm/) “is an NTLM / NTLMv2 authenticating HTTP/1.1 proxy”.

(Diagram: dg-squid-cntlm)

In front of my clients, on the proxy server, Dansguardian is installed for content filtering.

Squid then listens only for Dansguardian’s requests and forwards them to a parent proxy.

Because I don’t know whether it is possible to configure Squid to authenticate to the parent proxy with NTLM, I have instead placed cntlm between Squid and the parent proxy. Good idea, huh!

The basic configuration looks like this:

Client: points to Dansguardian.

Proxy: 192.168.5.7
Port: 8080

Dansguardian: listens on port 8080 and forwards to Squid.

filterip = 192.168.5.7
filterport = 8080
proxyip = 192.168.5.7
proxyport = 3128

Squid: listens on port 3128 and forwards to cntlm:

http_port 192.168.5.7:3128
cache_peer 192.168.5.7 parent 4040 0 default no-query proxy-only

Cntlm: listens on port 4040 and forwards to the parent proxy with the credentials:

Username    userofdomain
Domain      MYCOMPANY
Password    supersecretpassword
Proxy       10.0.0.10:8080
Listen      192.168.5.7:4040

Daemons: after configuring, restart every daemon:

# /etc/init.d/cntlm restart
# /etc/init.d/squid3 restart
# /etc/init.d/dansguardian restart

Well, to prevent clients from jumping directly to cntlm or Squid and evading the filter, some iptables rules:

Redirect traffic to port 3128 (Squid) to the filter on port 8080 (DansGuardian):
# iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0 --dport 3128 -j REDIRECT --to 8080

Redirect traffic to port 4040 (cntlm) to the filter on port 8080 (DansGuardian):
# iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0 --dport 4040 -j REDIRECT --to 8080

Ta-da!
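As an added check that is not part of the original post, this script inspects the nat table (as printed by iptables-save) to confirm that both bypass ports, 3128 and 4040, are redirected to DansGuardian on 8080; the nat dump embedded below is a constructed sample. The PREROUTING rules only see packets arriving from the network, so Squid’s own local hop to cntlm on port 4040 goes through the OUTPUT chain and is not redirected, which is what keeps the chain working.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the NAT redirects
# that stop clients from bypassing DansGuardian are actually in place.
# SAMPLE_NAT is a constructed "iptables-save -t nat" dump; on a real box use
# NAT_DUMP="$(iptables-save -t nat)" instead.

SAMPLE_NAT='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 4040 -j REDIRECT --to-ports 8080
COMMIT'

# has_redirect NATDUMP PORT FILTERPORT
# Succeeds when a PREROUTING rule redirects tcp/PORT to FILTERPORT.
has_redirect() {
    printf '%s\n' "$1" | grep -Eq -- "^-A PREROUTING .*--dport $2 .*-j REDIRECT --to-ports $3\$"
}

# check_bypass_protection NATDUMP
# Prints "ok" when both Squid (3128) and cntlm (4040) are redirected to the
# filter on 8080; otherwise prints the unprotected ports and returns 1.
check_bypass_protection() {
    missing=""
    for port in 3128 4040; do
        has_redirect "$1" "$port" 8080 || missing="$missing $port"
    done
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "unprotected:$missing"
    return 1
}

check_bypass_protection "$SAMPLE_NAT"
```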

Juniper Virtual LAB – Configuration notes

Hi folks.

Recently, while preparing for the JNCIS-ENT certification (exam JN0-343) from Juniper Networks, I took some notes on the installation of a virtual Juniper Networks lab using QEMU, Olive, and GNS3.

The document is not finished yet and has some issues.

But here it is: JuniperVirtualLABConfiguration

SAMBA exercise guide

Greetings.

Attached is a short exercise guide for sharing resources with SAMBA, written in 2008.

Juniper Networks EX Ethernet switches

The EX series Ethernet switch from Juniper Networks is certainly not the “cheapest” solution, but it is a high-end solution for the enterprise.

This post reviews the EX Series Ethernet switch portfolio from Juniper Networks.

Specifically, the EX2200, EX3200, EX4200 and EX8200 series.

The EX2200 Ethernet switch:

(Image: EX 2200 Ethernet Switch)

Single rack unit (1 RU) with 24 or 48 x 1Gbps ports.

Additionally, it has 4 x 1Gbps fixed ports to connect to the aggregation layer.

It’s available with or without 802.3af (PoE), ideal for IP phones, wireless access points, and IP CCTV cameras.

Ideal for the access layer in a branch office or medium-sized enterprise.

And of course, it runs the same JUNOS operating system (with some extensions for switches).

The EX3200 Ethernet switch:

(Image: EX 3200 Ethernet Switch)

Single rack unit with 24 or 48 x 1Gbps ports. Partial (8 ports) or full 802.3af (PoE) support on the ports.

Two optional modules with pluggable ports: 4 ports x 1Gbps or 2 ports x 10Gbps.

Another feature is the small display, which shows the status of the switch, environmental factors, the ports, etc.

Runs Junos.

The EX4200 Ethernet switch:

(Image: EX 4200 Ethernet Switch)

Designed for the access or aggregation layer, it offers 24 or 48 x 1Gbps ports, with full or partial PoE.

Two optional modules with pluggable ports: 4 ports x 1Gbps or 2 ports x 10Gbps.

It also has the display.

The big feature of this switch is called “Juniper’s Virtual Chassis Technology”: connect up to 10 switches over a 128Gbps backplane to create a single logical device with up to 480 x 1Gbps user ports and 20 x 10Gbps uplink ports.

The EX8200 Ethernet switch:

(Image: EX 8200 Ethernet Switch)

It is designed for high-density 10Gbps networks such as campus aggregation, data centers and core.

Two options are available: a 16 rack unit (16 RU) chassis with 8 slots, and a 21 rack unit (21 RU) chassis with 16 slots.

It has a “built-in migration path” to support 100Gbps in the future.

It supports “Virtual Chassis” of up to two switches, and runs Junos.

Well, these are the Juniper Networks switches that I want in my rack 😉

Pursuit of JNCIS-ENT

(Image: Juniper JNCIS logo)

This post announces the pursuit of the Juniper Networks Certified Internet Specialist – Enterprise (JNCIS-ENT).

In 2009 I passed the JNCIA-ER exam (JN0-342).

Now, in 2011, the certification expires, so I have decided to pursue the JNCIS-ENT (JN0-343).

The objectives for the exam are here, and they are:

  • Layer 2 Switching and VLANs
  • Spanning Tree
  • Layer 2 Security
  • Protocol Independent Routing
  • Open Shortest Path First (OSPF)
  • Intermediate System to Intermediate System (IS-IS)
  • Border Gateway Protocol (BGP)
  • Tunnels
  • High Availability

As far as possible, I’ll write a post for each specific topic of the JN0-343 exam.

WEP key map.

Using Google Maps to organize WEP keys.

Ubuntu PXE+TFTP+NFS installation document

Greetings.
Browsing the filesystem, I found an old but still useful document.

Network installation of Ubuntu using PXE + DHCP + TFTP + NFS.

Instalacion-de-ubuntu-7.04-mediante-PXE.pdf

Apache Reverse Proxy + ModSecurity.

ModSecurity is an open source web application firewall. It’s like an “Intrusion Detection/Prevention System for a web application”. It works as an Apache module.
It’s a powerful tool for securing web applications.

A complete reference is the ModSecurity Handbook, a good book for in-depth study of the tool.

ModSecurity can be deployed on an Apache reverse proxy in front of web applications, with support for both HTTP and HTTPS.

(Image: Apache as a Reverse Proxy with ModSecurity)

After reading some chapters of the ModSecurity Handbook and the Apache mod_proxy documentation, a basic configuration file looks like this one.

<VirtualHost *:443>
# ModSecurity configuration
Include /opt/modsecurity/etc/modsecurity.conf
SSLEngine on
RewriteEngine on
SSLProxyEngine on
# The public certificate and the private key
# for the client <--> reverse proxy
SSLCertificateFile /etc/apache2/ssl/reverse-cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/reverse-key.pem
# The Certification Authority (CA) file.
# Who signed the certificates from the remote webservers.
SSLProxyCACertificateFile /etc/apache2/ssl/webservers-CA.pem
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteRule ^/webserver1$ /webserver1/ [R]
RewriteRule ^/webserver2$ /webserver2/ [R]
RewriteRule ^/webserver3$ /webserver3/ [R]
<Location /webserver1/>
ProxyPass https://webserver1/
ProxyPassReverse https://webserver1/
</Location>
<Location /webserver2/>
ProxyPass https://webserver2:8443/
ProxyPassReverse https://webserver2:8443/
</Location>
<Location /webserver3/>
ProxyPass http://webserver3/
ProxyPassReverse http://webserver3/
</Location>
ErrorLog /var/log/apache2/reverse_proxy.log
LogLevel warn
CustomLog /var/log/apache2/reverse_proxy.log combined
ServerSignature Off
</VirtualHost>

Edit (25/10/2011):
The content of /opt/modsecurity/etc/modsecurity.conf:
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecUploadKeepFiles Off
SecDebugLog /opt/modsecurity/var/log/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHKZ
SecAuditLogType Concurrent
SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
SecAuditLogStorageDir /var/log/mlogc/data
SecRequestBodyLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyLimit 524288
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecRule ARGS MY_UNIQUE_TEST_STRING \
"phase:1,log,deny,status:503"
SecDefaultAction "phase:2,deny,log,status:500"

Apache as a Reverse Proxy

Recently, at my current job, I had to configure a reverse proxy for some web servers so that they share the same IP address and DNS name.

Almost all of the servers have SSL enabled for their web application.

For this configuration, Apache + mod_proxy will be used.

(Image: Apache as a reverse proxy configuration)

The reverse proxy is a Debian GNU/Linux 6.0 box. To install Apache (on Debian, mod_proxy and mod_ssl ship with the apache2 package, so no separate packages are needed):

apt-get install apache2

To enable mod_proxy and mod_ssl in Apache on Debian GNU/Linux:

a2enmod proxy ssl

Put the X.509 Certificate Authority (CA) file in a location for Apache; this certificate is the CA for the web servers to be proxied (if they are SSL-enabled).

/etc/apache2/ssl/ca.crt

Edit the VirtualHost file for the reverse proxy:
<VirtualHost *:80>
ProxyRequests Off
RewriteEngine on
SSLProxyEngine on
SSLProxyCACertificateFile /etc/apache2/ssl/ca.crt
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location /webserver1/>
ProxyPass https://ip.webserver1/
ProxyPassReverse https://ip.webserver1/
</Location>
<Location /webserver2/>
ProxyPass http://ip.webserver2/
ProxyPassReverse http://ip.webserver2/
</Location>
<Location /webserver3/>
ProxyPass https://ip.webserver3/
ProxyPassReverse https://ip.webserver3/
</Location>
</VirtualHost>

Restart the Apache web server:
/etc/init.d/apache2 restart

With this configuration, the internal web servers are accessible from the Internet:
http://reverse.proxy.domain/webserver1/
http://reverse.proxy.domain/webserver2/
http://reverse.proxy.domain/webserver3/

It’s also possible to configure the reverse proxy with SSL for HTTPS connections:
https://reverse.proxy.domain/

ORACLE notes: Backups with RMAN.

Greetings.
Some ORACLE notes on backups using RMAN.

1. CONFIGURING RMAN.

– Create a TABLESPACE.
– Create the RMAN user.
– Grant the RMAN user connect privileges.
– Grant quota on the TABLESPACE.
– Log in as RMAN.
– Create the CATALOG.
– Register the database in the catalog.

SQL> CREATE TABLESPACE RMAN DATAFILE '$ORACLE_BASE/oradata/orcl/rman01.dbf' SIZE 100m EXTENT MANAGEMENT LOCAL UNIFORM SIZE 128K;
SQL> CREATE USER RMAN IDENTIFIED BY RMAN DEFAULT TABLESPACE RMAN;
SQL> GRANT CONNECT TO RMAN;
SQL> ALTER USER RMAN DEFAULT TABLESPACE RMAN QUOTA UNLIMITED ON RMAN;
SQL> GRANT RECOVERY_CATALOG_OWNER TO RMAN;
$ rman CATALOG rman/rman@orcl target rman/rman@orcl
RMAN> CREATE CATALOG;
$ rman CATALOG rman/rman@orcl target rman/rman@orcl
RMAN> REPORT SCHEMA;
RMAN> REGISTER DATABASE;

2. RMAN OFFLINE FULL BACKUP.

$ rman CATALOG rman/rman@orcl TARGET rman/rman@orcl
RMAN> BACKUP DATABASE;

3. RMAN INCREMENTAL BACKUP.

$ sqlplus / AS SYSDBA
SQL> ALTER DATABASE ENABLE BLOCK CHANGE TRACKING USING FILE '$ORACLE_BASE/orcl_block_track.log';
$ rman TARGET rman/rman@orcl CATALOG rman/rman@orcl
RMAN> BACKUP INCREMENTAL LEVEL 0 DATABASE;
Data is written to $ORACLE_BASE/orcl/backupset/
$ sqlplus / AS SYSDBA
SQL> CREATE TABLE FOO (ID NUMBER);
SQL> CREATE TABLE BAR (ID NUMBER);
$ rman TARGET rman/rman@orcl CATALOG rman/rman@orcl
RMAN> BACKUP INCREMENTAL LEVEL 1 DATABASE;

4. RMAN ARCHIVELOG BACKUP.

$ rman TARGET rman/rman@orcl CATALOG rman/rman@orcl
RMAN> BACKUP ARCHIVELOG ALL DELETE ALL INPUT;

5. Loading an RMAN FULL BACKUP.

$ rman TARGET rman/rman@orcl NOCATALOG
RMAN> BACKUP DATABASE PLUS ARCHIVELOG DELETE INPUT;

SQL> SHUTDOWN IMMEDIATE;
$ rm $ORACLE_BASE/oradata/orcl/{rman,system,users}.dbf
SQL> STARTUP;
ERROR!!! NO DATAFILES!!!
$ rman TARGET rman/rman@orcl NOCATALOG
RMAN> RESTORE DATABASE;
RMAN> RECOVER DATABASE;
RMAN> ALTER DATABASE OPEN;

6. Loading an RMAN INCOMPLETE BACKUP.

SQL> ALTER SYSTEM SWITCH LOGFILE;
SQL> @ /home/logfiles.sql;
SQL> ALTER SYSTEM SWITCH LOGFILE;
SQL> SHUTDOWN ABORT;
SQL> STARTUP;
SQL> SHUTDOWN ABORT;
SQL> STARTUP;
ERROR!!!
$ rman TARGET rman/rman@orcl NOCATALOG
RMAN> RESTORE DATABASE;
RMAN> RECOVER DATABASE UNTIL SEQUENCE # thread 1;
RMAN> ALTER DATABASE OPEN RESETLOGS;
SQL> SHUTDOWN IMMEDIATE;
SQL> STARTUP MOUNT;
$ rman TARGET rman/rman@orcl NOCATALOG
RMAN> BACKUP DATABASE;
RMAN> ALTER DATABASE OPEN;
