Squid Proxy Server w/ SquidGuard, HAVP, ClamAV and IMSpector
April 25, 2010

Operating System	Application(s)
Platform

I. Abstract

This document describes the process of setting up a Squid Proxy Server with AMD64 (or i386) hardware, Slackware Linux 13.0, HAVP (HTTP Anti Virus Proxy (in parent-proxy mode), using ClamAV), SquidGuard (for content filtering), Webmin and IMSpector (Instant Messenger proxy with monitoring, blocking and content-filtering capabilities). We will be using a mix of packages and source for these applications.

Test Platform:

• Sun V20z
• 2x AMD Opteron 252 2.6Ghz CPUs / 4GB RAM
• Slackware Linux 13.0 (AMD64)

II. Setup the Operating Environment

First, the system I'm using only has a CD-ROM drive, not a DVD drive. The official distribution of Slackware64 only comes on DVD. So, to get around this, I went to Alien BOB's site and fetched the mini-ISO to use as a boot CD and selected FTP/HTTP as the source media. Next, enter the IP of a mirror from the Slackware site. Keep in mind it will expect an IP address, because this portion of setup doesn't ask about DNS. There are tricks for that, but I'd rather just ping the URL on another machine and enter the IP address.

I believe in an operating system configuration that is as minimal as possible. Because of this, I've created a set of "tagfiles" tailored specifically for this system's purpose. Download tagfiles.tar and extract the contents to a floppy or USB thumb drive... whichever your system can support. Now plug in the drive or insert the floppy into the target system.

After booting the installation media, you will be asked to login as root. After this, you need to mount the media that contains the tagfiles from that .tar file. If you're using a floppy, do this:

If you're using a USB drive, enter fdisk -l to find out the device name of your drive. For example, mine is /dev/sdb1:

Don't forget to setup your hard drive(s) using fdisk. I won't go into those details, just make sure /usr and /var have a decent amount of space in each. Also, because HAVP requires a partition mounted with mandatory locking, you need to create one and have the installer mount it as /havp. We'll talk more about that later, just make sure it big enough to suit your needs. I keep mine at a comfortable 8GB.

Now type setup and continue the normal installation process. When prompted for the PACKAGE SERIES SELECTION, choose the following:

When asked about the prompting mode, select tagpath and hist enter. Now enter the following path line:

/tagfiles

The automated installation should now begin. Go get a sandwich. When it finishes installing the file sets, pull the USB drive! I've noticed it messes up the LILO/MBR installation if left in for the rest of the installation.

When configuring the network, set one interface as your internal (LAN) NIC. We will configure the Internet facing interface later.

When asked which services to run at startup, select only what you need (sshd and syslog). When finished, reboot and continue.

III. Get and Apply Security Updates / Configure NTP and fstab

We want to stay current, with a stable and secure operating environment. The newer releases of Slackware make this simple. First, edit the /etc/slackpkg/mirrors file by un-commenting a mirror close to you (be careful to choose either the x86 or x64 sites, depending on your platform!). Then, do the following:

This command will hunt down updates applicable to your environment. A dialog should pop-up prompting you to select the desired packages for update. Keep them all selected and hit enter (OK).

Time accuracy is very important for any system. I do this in a simple way, by just adding the following script to the /etc/cron.daily directory (so it updates the time once per day):

I use the NIST server because it is close and always works for me. I recommend you check out the NTP Pool Project for the one best for you.

HAVP is designed to use mandatory locking. This feature provides continuous and non-blocking downloads during scanning. To utilize this function, we will add an option flag to the /etc/fstab entry for the /havp partition that we created during installation. For example, my entry for the /havp partition is:

/dev/sdb1     /havp     ext4     defaults,mand    1 2

Now that we are updated and the correct drive mount settings are complete, you should reboot.

IV. Install Squid, SquidGuard, HAVP, ClamAV, Webmin and IMSpector

To ease the pain of downloading and extracting by hand all these source files, I wrote a small script that will do it for you. Do this and your life will be a little simpler:

FYI, the versions used (current as of this writing) are:

CLAMAV=clamav-0.96
SQUID=squid-3.1.1
SQUIDGUARD=squidGuard-1.4
HAVP=havp-0.91
IMSPECTOR=imspector-0.9
SSLEAY=Net-SSLeay-1.36
WEBMIN=webmin-1.510

This shouldn't take too long, my mirror serving these files is rather quick.

Now, if you want to just get this done quickly, I also wrote a script that will perform most all of the steps below (within this section) to configure, make and install everything (along with adding users and groups). It will not perform configurations on the individual software's *.conf files, so definately pay attention (I will BOLD those parts here). You can do the following if you'd like to go that route, otherwise, please continue and learn as you go!

ClamAV

First, we'll install ClamAV. You can use other anti-virus engines, but for this guide we'll stick with the open source one!

Once ClamAV is installed, you'll want to keep it up to date. Preferably by automatic means. Edit the /etc/clamav/freshclam.conf and /etc/clamav/clamd.conf files to suit your environment. They're fairly self-documented, but I'd suggest going through the man pages first. It is safe to use most of the defaults, just know what you're doing. Just make sure to change the #DatabaseDirectory /var/lib/clamav to DatabaseDirectory /var/db/clamav.

For me, updating the virus database once a day is sufficient. To do this, I just add it to the daily system cron job like so:

Squid

SquidGuard

Berkeley DB is required for SquidGuard, and we have version 4.4 selected in our installation tagfiles.

I really like the blacklists offered by Shalla Secure Services (Shalla's Blacklists). They're up to date and very well organized. So, for this guide, we will use their latest collection.

The ./configure flags for SquidGuard are kinda wonky. We'll make up for this after install by moving some stuff around. These are just my preferences, so do as you will.

HAVP

IMSpector

IMSpector shuns standard GNU development practices. So, if you need to do anything special, you need to manually edit the Makefile. Luckily, since we're using Linux, we don't have to change anything.

Webmin (w/ SSLeay):

Normally I don't like GUIs... having been raised on CLI and terminals. But I've been really getting into Webmin lately, and it has some really useful modules (despite being Perl-based).

Because I like using HTTPS for Webmin, we need SSLeay installed:

Now for Webmin...

For the Webmin installation, you can use the defaults for almost everything except password. Also, answer "y" when asked to use SSL and "y" when asked to start at boot.

V. Configure Webmin and Squid

From a Web browser on your LAN, access the Webmin console using HTTPS, the server's IP (or name) and port 10000. Once you login with the password you setup during installation, you'll notice a lot of crap you don't need. If you're like me, you want a tidy system. You can go to Webmin -> Webmin Configuration -> Webmin Modules and click on the 'Delete' tab. Here you can highlight all the stuff that you either don't have or don't need to use, and delete them! Now that everything is cleaned up, let's have some fun.

The Squid module won't load because it thinks it isn't on the system. We'll fix that like so (you're settings may vary, these are just suggestions!):

1. Click on the "Un-used Modules" link on the left. Then click on "Squid Proxy Server"
2. Click on the "module configuration" link.
3. If you want pretty reports on proxy activity, Calamaris may be what you want. I don't, so I change it to no.
4. Change the following under "System configuration" to read like so:
   • Full path to squid config file: /etc/squid/squid.conf
   • Squid executable: /usr/local/sbin/squid
   • Full path to PID file: /var/run/squid.pid
   • Full path to squid cache directory: /var/squid/cache
   • Squid cachemgr.cgi executable: /usr/local/libexec/cachemgr.cgi
   • Full path to squid log directory: /var/squid/logs
5. Click "Save."

The next page should have at the top a message about initializing the Squid cache directory. The user listed should be squid. Before we initialize the cache, we need to configure it. Click on the "Cache Options" star icon. On this page, select the "Listed.." radio button. For Directory, enter /var/squid/cache, Type is UFS, Size (MB) is safe at 1000, 1st level dirs at 16 and 2nd level dirs at 256. Click save.

Click on the "Initialize Cache" button to do so. Once that finishes, you can edit the Squid settings. I won't go into these details, because the Webmin module for Squid is pretty dummy proof. Read and learn all you can before messing around (or at least during). Squid is a powerful application, with many features.

VI. Configure SquidGuard

As we installed it, the configuration file is here: /etc/squidGuard.conf. I recommend visiting the SquidGuard Documentation page for more details and examples to create your own perfect configuration. Some tips for you, though:

• Change references to dest/ to BL/
• Everytime you update your blacklists, you need to initialize them into DB format, like so (permissions are VERY important - it will not work if all blacklist files aren't owned by user squid!):
  • # squidGuard -c /etc/squidGuard.conf -C all
  • # chown -R squid /var/db/squidGuard
• Add the following line somewhere in /etc/squid/squid.conf:
  • url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidGuard.conf

VII. Configure HAVP

Read the INSTALL file included in the source tar file!

Now that you've read it, here are some suggestions on how to configure it. First, set the proper permissions and ownerships:

Next, if you're running a 64-bit machine, you need to hack up the ld.so.conf file so HAVP can see your ClamAV libraries:

Now we need to edit the /etc/havp/havp.config file. Read it carefully and know what you are doing. Most of the defaults are good. Some things needing changing are the following:

• Delete the line that says: REMOVETHISLINE deleteme
• Change ACCESSLOG to /var/havp/log/access.log and ERRORLOG to /var/havp/log/havp.log
• I don't require logging every request, so I uncomment and change LOG_OKS true to LOG_OKS false
• Uncomment and change SCANTEMPFILE to /havp/havp-XXXXXX
• Uncomment and change TEMPDIR to /var/havp/tmp
• Because I only update the ClamAV database once a day, I uncomment and change the DBRELOAD 60 line to DBRELOAD 240 (just in case, I don't actually make it wait 24 hours to check!)
• Uncomment and change FORWARDED_IP false to FORWARDED_IP true

Since we are using ClamAV as the virus scanning engine, we will need to do some editing in the ClamAV Library Scanner (libclamav) section.

• Change ENABLECLAMLIB false to ENABLECLAMLIB true
• Uncomment and change CLAMDBDIR /path/to/directory to CLAMDBDIR /var/db/clamav
• I always disable the MAX sizes... because I'm paranoid. You may want to plan according to your needs with slightly more foresight than this!

Now add the following to /etc/squid/squid.conf:

The following command will start HAVP, and it needs to be running to work! Also, it will fork into the background. If you set Squid to start at boot time, you should add this as well (also, make sure to run freshclam first!):

FYI, the following command will kill all HAVP processes:

VIII. Configure IMSpector

Edit the /etc/imspector/imspector.conf file to suit your environment. Some key variables to tweak are:

• Uncomment the user and group lines
• If you wish to tinker with the SSL MitM features, check out the IMSpector SSL page
• Turn off/on whichever protocols you wish to monitor (FYI, ICQ = AIM)

Now we need to configure the port routing so IMSpector can see the traffic. The Installation page at imspector.org has a nice, detailed overview of how to do this. For example, these are the iptables NAT entries I use for AOL Instant Messenger and Yahoo! Messenger:

Make sure your IM clients are set to use the proxy server's internal IP address and the regular port number for the service being used (i.e. 5190 for AIM, 5050 for YIM, etc.) and HTTP for the proxy protocol.

The following command will start IMSpector, and it needs to be running to work! Also, it will fork into the background.

IX. Test It!

Start your engines:

Set your browser(s) to use your new proxy server's internal IP address and port 3128 and try it out. You can test the antivirus features by going to the EICAR Anti-Virus Test page and clicking on one of the "infected" binaries. You should see the default HAVP block page with the virus name listed.

As for the IMSpector logging, check out the entries in /var/log/imspector. They should be organized by service, user name and date. You can also configure logging to database instead... check the documention for this.

Don't abuse your power! Make sure your users know your organization's Internet usage policy so they are informed as to their privacy expectations. Laws differ everywhere, so do your homework.