OPNsense – Transparent Caching Filtering Proxy with Virus Scanning – Step 1 Prerequisites

Posted on Posted in HowTo
Introduction: Basic Overview
Step 1 – Prerequisites
Step 2 – Install ClamAV
Step 3 – Configure OPNsense
Step 4 – Add Antivirus Scanning
Step 5 – Add Category Filtering
Step 6 – Make it Transparent
Step 7 – Add HTTPS Filtering
Step 8 – Optional – SSL Scanning
Step 9 – Optional – Deploy CA GPO
Step 10 – Final steps

This is a pretty long guide, even before I added images, so it is broken it into sections. I hope it is easy to follow; if you find any errors, please Contact us!

Step 1 – Prerequisites: Install CentOS, secure the SSH server, temporarily disable SElinux and firewall, Install Apache and PHP, and Setup the Antivirus Error Page

Please refer to this server guide for more information on these steps. That guide has many more procedures than you need for this, but it also covers some of the below in more detail.

  1. Preform a base install of CentOS 7 x64
    1. Select your language.
    2. “Software Selection”, select “Infrastructure Server” and click Done.
    3. Select “Installation Destination”, Select the disk partition, and click Done.
    4. Select Network & Hostname. Click the switch in the upper right to enable the adapter. Then click Configure.
    5. Set a Static IP. Click Save. Then Click Done.
    6. Start the install.
    7. Create your root password and click Done.
    8. Create a user login and click Done. Wait for the install to complete.
    9. Reboot and login after reboot.
  2. For security, modify SSH server using the command below to modify the config for the items listed below:
    nano /etc/ssh/sshd_config

    1. disable root login to SSH:
      PermitRootLogin no

    2. Set Max Auth tries to a number less than 10, perhaps 6:
      MaxAuthTries 6
    3. Set MaxSessions to a number, perhaps 10:
      MaxSessions 10
    4. Set SSH protocol version to 2:
      Protocol 2
    5. Set SSH port to something other than 22 (example 2222):
      Port 2222

    6. Set AllowedUsers to the user you created (example user1 and user2):
      AllowedUsers user1 user2
    7. Save and exit the sshd_config file
    8. Run the below command to restart the service and apply the new config:

      systemctl restart sshd
    9. Refer to this guide for more info.
  3. SSH using the user login you created and allowed to SSH, and run su to become root.
  4. Import the EPEL GPG Keys and Install from EPEL repro:
    rpm –import /etc/pki/rpm-gpg/RPM-GPG-KEY*
    yum -y install epel-release yum-priorities
  5. Edit the Epel repros using the command below and add the line “priority=10” to the [epel] section:
    nano /etc/yum.repos.d/epel.repo

    [epel]
    name=Extra Packages for Enterprise Linux 7 - $basearch
    #baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
    mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
    failovermethod=priority
    enabled=1
    priority=10
    gpgcheck=1
    [...]
  6. Save and close the epel.repo file.
  7. Update CentOS 7:
    yum -y update

  8. Install Software for building:
    yum -y groupinstall ‘Development Tools’
  9. For testing, lets disable the firewall. You can re-enable it once you get the proxy working:
    systemctl stop firewalld.service
    systemctl disable firewalld.service
  10. For testing, lets also disable SELinux. Again, you can re-enable it once you get the proxy working:
    nano /etc/selinux/config
    Change “SELINUX=enforcing” <TO> “SELINUX=disabled

  11. Save and exit the file.
  12. Reboot:
    shutdown -r now

  13. Install Apache and PHP stack for the Error page. You can skip this step if you will use a different web server for the Error page:
    yum -y install ntp httpd mod_ssl php
  14. Add the apache header rule at the end of the httpd.conf file to prevent HTTPOXY vulnerability:
    echo “RequestHeader unset Proxy early” >> /etc/httpd/conf/httpd.conf
  15. Restart the httpd service:
    service httpd restart
  16. Set httpd to start at boot:
    systemctl enable httpd
  17. Create your Error page for Antivirus from the default index page and modify it:
    cp /usr/share/httpd/noindex/index.html /var/www/html/error.php
    nano /var/www/html/error.php
    Replace the <body> to </body> section with this:
    <body>
    <?php
    function clean($str){
    return htmlentities($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    function getIP(){
    $ip = htmlspecialchars($_GET["source"]);
    if(filter_var($ip, FILTER_VALIDATE_IP) === false) { $ip=""; }
    return $ip;
    }
    function getURL(){
    $url = htmlspecialchars($_GET["url"]);
    if(filter_var($url, FILTER_VALIDATE_URL) === false) { $url=""; }
    return $url;
    }
    function getTxt(){
    return clean($_GET["virus"]);
    }
    ?>
    <div class="jumbotron text-center"><div class="container">
    <h1>ERROR... </h1>
    <p class="lead">This page has been blocked.</p></div></div>
    <div class="main"><div class="container"><div class="row"><div class="">
    <h2>The page you tried to load contains a virus!</h2>
    <p class="lead">The URL you attempted to visit is: <?php echo getURL(); ?>.</p>
    <p>The virus on the page is: <?php echo getTxt(); ?>.</p>
    <p>Your computer IP address is: <?php echo getIP(); ?>.</p>
    <p>This attempt has been logged. Please be more careful following random links.</p>
    </div></div></div></div>
    <div class="footer"><div class="container"><div class="row"><div class="">
    <h2>Powered by <a href="http://www.TCPTechs.com">TCPTechs</a></h2>
    <p class="lead">Technical Business Solutions </p>
    <p></p></div></div></div></div></div>
    </body>
  18. Save and Exit the file.
  19. Visit the URL to verify the page works: http://IPAddressofServer/error.php

This completes the Prerequisites.

 

Tagged with: , ,