公司需要对网络进行限制,简单记录
1 基础系统centos 4.6
2 使用samba的winbind将系统与AD域联系,方便用户管理
3 使用syslog-ng做日志服务器
4 使用squid作为用户代理,sarg做squid日志分析
squid.conf
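# squid.conf -- forward proxy on 3128. No bind address is given, so squid listens on every
# interface; the http_access rules further down are the only thing restricting who may use it.
http_port 3128
cache_mem 1024 MB
maximum_object_size 8192 KB
cache_dir ufs /usr/local/squid/cache 25000 16 256
# access.log is what sarg reads (same path in sarg.conf below). It is a per-user browsing
# history, so keep the logs directory readable only by the squid user and the report generator.
cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
# Originally /usr/local/squid/logs/store.log. The closing note on this page reports squid
# crashing once store.log passes 2 GB (logfile_rotate 1 did not prevent it) and suggests
# 'none', so the store log is disabled here instead of rotated.
cache_store_log none
emulate_httpd_log off
mime_table /usr/local/squid/etc/mime.conf
pid_filename /usr/local/squid/logs/squid.pid
debug_options ALL,1
log_fqdn off
# --- ACL definitions ---
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 21 443 563 8080 7080
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
acl Creative src 192.168.8.0/255.255.255.0
acl Engineer src 192.168.9.0/255.255.255.0
acl QUERY urlpath_regex cgi-bin \?
acl mmxfile urlpath_regex -i \.mp3$
acl localserver dst 192.168.0.0/24
# a.b.c.d is the author's placeholder for the office address; fill in the real one before use
acl office dst a.b.c.d
# --- what not to cache: dynamic URLs, mp3 files, and anything on the local networks ---
no_cache deny QUERY
no_cache deny mmxfile
no_cache deny localserver
no_cache deny office
# --- access rules: evaluated top to bottom, first match wins ---
# 1. refuse any destination port outside Safe_ports. The CONNECT acl above is defined but never
#    referenced by a rule, so CONNECT tunnels are limited only by this port list.
http_access deny !Safe_ports
# 2. the two office subnets are denied explicitly
http_access deny Engineer
http_access deny Creative
# 3. only the proxy host itself is allowed; every other source falls through to the final deny.
#    'manager' is also defined but not referenced here; cachemgr_passwd below disables every
#    cachemgr action anyway, so the manager interface stays closed.
http_access allow localhost
http_access deny all
cache_mgr lyou@test.com
# drop privileges to an unprivileged user/group after start-up
cache_effective_user squid
cache_effective_group squid
visible_hostname 11sha.TEST.COM
# dns_testnames appears with no value in the original note -- TODO confirm this was intended
# (it may not do what an explicit list or the -D option would)
dns_testnames
logfile_rotate 1
append_domain .TEST.COM
memory_pools on
memory_pools_limit 1500 MB
# 'disable' as the password turns off every cachemgr action
cachemgr_passwd disable all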
sarg.conf
language English
# sarg.conf -- builds HTML usage reports from squid's access.log (same path as cache_access_log
# in squid.conf above). The reports are a per-user browsing history; the Apache rules later on
# this page are what keep the output directory from being readable by everyone.
access_log /usr/local/squid/logs/access.log
graphs yes
graph_days_bytes_bar_color orange
title "Squid User Access Reports"
font_face Tahoma,Verdana,Arial
header_color darkblue
header_bgcolor blanchedalmond
font_size 11px
header_font_size 11px
title_font_size 13px
background_color white
text_color #000000
text_bgcolor lavender
title_color green
logo_image none
logo_text_color #000000
image_size 80 45
background_image none
# NOTE(review): intermediate report files are written to the shared /tmp; a directory private to
# the account that runs sarg would keep partial reports away from other local users -- confirm
# which account runs it here.
temporary_dir /tmp
# output lands under www_document_root below, i.e. it is served by Apache
output_dir /var/www/html/squid-reports
# leave client addresses as IPs (no reverse-DNS lookups at report time)
resolve_ip no
topuser_sort_field BYTES reverse
user_sort_field BYTES reverse
exclude_users none
exclude_hosts none
useragent_log none
date_format e
per_user_limit none
lastlog 0
remove_temp_files yes
index yes
index_tree file
overwrite_report no
# log lines with no authenticated user id are reported under the client IP rather than dropped
records_without_userid ip
use_comma no
topsites_num 100
topsites_sort_order CONNECT D
index_sort_order D
# the 'denied' and 'auth_failures' sections surface policy hits and failed logins -- worth a
# regular look
report_type topusers topsites sites_users users_sites date_time denied auth_failures site_user_time_date downloads
long_url no
charset UTF-8
show_successful_message yes
topuser_fields NUM DATE_TIME USERID CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE
user_report_fields CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE
topuser_num 10
www_document_root /var/www/html
download_suffix "zip,arj,bzip,gz,ace,doc,iso,adt,bin,cab,com,dot,drv$,lha,lzh,mdb,mso,ppt,rtf,src,shs,sys,exe,dll,mp3,avi,mpg,mpeg"
ulimit 20000
设置apache访问权限,只有域用户组Engineering才能查看
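/etc/pam.d/httpd
# PAM stack used by mod_auth_pam for the report directory: the AD account is tried first via
# winbind ('sufficient' -- success ends the stack), otherwise the local system-auth stack must
# pass. Only auth and account are needed for a web login; no password/session phases here.
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_stack.so service=system-auth
account sufficient /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth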
/etc/httpd/conf.d/access.conf
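# NOTE(review): these directives are only valid in directory context; presumably they sit inside
# a <Directory /var/www/html/squid-reports> (or <Location>) container that this note does not
# show -- confirm. The trailing comment that was on the 'order' line has been moved up here:
# Apache does not accept a comment on the same line as a directive.
# access control by client IP address
order deny,allow
deny from all
allow from 192.168.12.40
# authorization by AD group, needs mod_auth_pam
# Basic auth carries the domain password base64-encoded on every request and hands it to
# winbind through /etc/pam.d/httpd above. Serve this directory over HTTPS (not shown in this
# note) so AD credentials do not cross the LAN in the clear.
AuthPAM_Enabled on
AuthType Basic
AuthName "Engineer Repository"
# With Apache's default 'Satisfy all', both checks apply: the client must come from
# 192.168.12.40 AND authenticate as a member of the Engineering group.
Require group Engineering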
5 安装openfire取代QQ MSN SKYPE,作为内部用户的聊天工具。
此工具支持LDAP,可以直接将域用户添加,安装配置也十分简单方便。并且支持中文,跨平台,windows和linux都有相应版本。
客户端上既可使用自带的spark,也可以使用pidgin。确实简单好用。
6 iptables做部分过滤
7 安装XDMCP使用远程X终端,配合winbind,域用户可直接登录,方便管理(使用gnome)
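/etc/pam.d/gdm
# GDM login for the XDMCP terminals: domain accounts are accepted via winbind, local accounts via
# the system-auth stack.
# pam_env and pam_nologin are listed BEFORE the 'sufficient' winbind line on purpose: a
# successful 'sufficient' module ends the auth stack, so in the original order a domain login
# skipped both of them and /etc/nologin could not block domain users.
auth required pam_env.so
auth required pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required pam_stack.so service=system-auth
account sufficient /lib/security/pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
# records the login uid for auditing before the session starts
session required pam_loginuid.so
session optional pam_console.so
# first login of a domain user creates the home directory; umask=0077 keeps it private to that user
session required pam_mkhomedir.so skel=/etc/skel umask=0077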
经验证,当 store.log(即 cache_store_log /usr/local/squid/logs/store.log)文件超过2G时squid会crash,因此可以将其设为none。