====== **Hi people,** ======

Here you can find a solution for a common problem in any newly created company, and even in a big one: the bigger the business, the more employees it has, and the harder it becomes to standardize the control you have over them. Among the countless problems this creates, we will look at one: the security leak that public Instant Messaging (IM) software and uncontrolled web access can represent for a private company.

**The Problem:**

Facebook and Messenger are a big problem for employers: employees are easily distracted from work, playing or chatting on Facebook. Worse, they can transfer internal private information out of the company and severely damage the business. They can also bring in viruses or worms that damage the internal infrastructure, possibly causing data loss, not to mention the time and effort needed to fix the problem.

**The common solution**

You can pay for an expensive Microsoft Windows Server license in order to run expensive, and rather standard, proxy software from any vendor on the market, or pay even more for one that adjusts to your specific needs. You will also need to install licensed IM software such as Microsoft Communicator or Lotus Notes, and pay extra to be able to communicate from your internal IM network with other IM networks such as Messenger, Google, Facebook or Yahoo contacts.

**The Free Solution**

With this proposal you install a free Linux server and configure your own private proxy and your own private IM network, which can talk to other IM networks through a gateway. You spend money only on the hardware and on the man-hours to install and maintain it. Let's go through the steps needed to implement this solution.
**Minimum required hardware:** a computer with a single-core 1.5 GHz processor, 1 GB of RAM, 20 GB of hard disk and a NIC.

Let's get to the implementation then:

**How to install the IM private server: Openfire**

1) Download the package from the official site for this software: http://community.igniterealtime.org There you click on the download link and choose your operating system.

2) For Debian, choose the .deb package and save it to a location of your choice. Then install it with the command dpkg -i (lowercase i; an uppercase -I only prints information about the package). Done; you can configure its default settings at http://localhost:9090. Remember that the administrator username is admin. The password you choose in the setup wizard is the only thing protecting that console, so pick a strong one and let port 9090 be reached from administration hosts only.

3) Once you have configured it, install the plugin for the gateway. You can search the documentation on the site for "where to download kraken.jar?", or go directly to the download page: http://sourceforge.net/projects/kraken-gateway/files/ Save the file (latest version recommended) to a location of your choice. Then go to the admin interface of your Openfire server (localhost:9090 or IP:9090), select the Plugins tab, scroll to the bottom of the plugin section and choose "Select". Find your file and upload it. Done: you will now see a "Gateways" tab in the Server section, where you can configure it.

Some settings you may be interested in: if you want to limit which users in your company can access this service, and to disable the file transfer option, go to the Server tab and click on Server Settings:
- First click on Registration & Login, where you can choose whether your users can register themselves. Choose Disabled, then click on Save Settings at the end of the page. With self-registration off, only the accounts you create yourself can log in.
- Then go to File Transfer Settings and also choose Disabled. Click on Save Settings and there you go. Note that this disables the file transfer proxy that Openfire provides; two clients that can reach each other directly may still negotiate a direct transfer, so the proxy and firewall rules below remain the real control.

4) Once you have selected your preferred configuration, install the client on the computers of the employees who will use your service.
**Installing the client: Spark**

5) To install the client for this server, download the Spark package from the download page mentioned before. Choose the operating system the end user will be running; it can be installed on Windows, Mac or Linux. Let's download the tar.gz package for Linux.

6) Use the command tar -xzvf to uncompress the files, and just run the Spark file inside the folder that was created.

**Now for the Web Proxy Server:**

1) Just execute the following command: sudo apt-get install squid3
apt-get installs the runtime dependencies by itself. (apt-get build-dep squid3 installs the packages needed to compile Squid from source, which you do not need for the packaged binary.)

2) Now let's configure the Squid server; this is the interesting part:
- Some preliminary, basic configuration first: open the file squid.conf, located in /etc/squid3/ (you can use gedit), find the "visible_hostname" line, put the network name of your proxy server there, and save.
- __Then you can start or restart your squid service: sudo /etc/init.d/squid3 start__

Okay, let's say we want to:
- have 512 MB of cache on the hard disk.
- change the number of level 1 and level 2 directories.
- only allow browsing from Monday to Friday, from 16:40 to 22:50.
- only allow traffic coming from the network 172.16.0.0/255.255.0.0.
- filter access to 3 specific web pages.
- filter the port used by MSN messages.

Back in our squid.conf file, search for cache_dir. Find the example line and place the following after it:
cache_dir ufs /var/spool/squid3 512 8 64
That takes care of the cache size (512 MB) and the number of level 1 (8) and level 2 (64) directories respectively. After changing cache_dir, create the directory structure with sudo squid3 -z before restarting the service.

__Now for the ACL,__ search for TAG: ACL. The format is: acl aclname acltype argument ... Then, in the "Recommended minimum configuration:" section, let's add:
acl hora time MTWHF 16:40-22:50
acl equipos_permitidos src 172.16.0.0/255.255.0.0
acl elhacker dstdomain www.elhacker.net
acl escepticos dstdomain www.arp-sapc.org
acl elpais dstdomain www.elpais.com
acl msn port 1863

__Now the directives__ (this tells Squid how to apply the ACLs). The format is: http_access allow|deny [!]aclname ...
- Search for TAG: http_access, and in the section "INSERT YOUR OWN ..." add:
http_access deny !hora
http_access deny msn
http_access deny elhacker
http_access deny escepticos
http_access deny elpais
http_access allow equipos_permitidos

The ! denies the opposite of what the ACL specifies, so deny !hora blocks every request outside the allowed hours. Order matters: Squid applies the first http_access line whose ACLs match, so the deny lines must come before the allow line; if the allow came first, internal hosts would reach the filtered pages. The http_access deny all that already closes that section rejects everything else, including requests from outside 172.16.0.0/16. Note also that dstdomain www.elpais.com matches only that exact host name; write .elpais.com to cover the domain and all its subdomains. Denying port 1863 only stops Messenger when it is forced through the proxy: clients that can reach the Internet directly bypass it, so block direct outbound traffic on your firewall and let only the proxy out.

You could also make a single access list for the web pages, like this:
acl paginas dstdomain www.elhacker.net www.arp-sapc.org www.elpais.com

__To finish, let us restart our squid3 service.__

Now, to start using your newly installed web proxy, you need to configure the computers on your network to use it. Go to the browser's configuration page and add your proxy's IP address or hostname to its proxy settings (Squid listens on port 3128 by default).

===== Eduardo Navarro Alvarez =====
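The ordering of the http_access lines above is easy to get wrong, so here is an added example (not part of the original page, and not Squid's own code) that models the documented http_access semantics in Python: lines are tested in order, the first line whose ACLs all match decides, and a request that matches no line gets the opposite of the last line's action. The ACL table and rule list are constructed copies of this tutorial's squid.conf additions, the client requests are constructed, and the helper names (make_request, evaluate, render) are assumptions of this example.

```python
"""Toy evaluator for Squid http_access ordering (added example, not Squid code).

Models the semantics documented in squid.conf: http_access lines are tested in
order, the first line whose ACLs all match decides the request, and a request
that matches no line gets the opposite of the last line's action.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed ACL table: name -> (type, argument), copied from the tutorial.
ACLS = {
    "hora": ("time", "MTWHF 16:40-22:50"),
    "equipos_permitidos": ("src", "172.16.0.0/255.255.0.0"),
    "elhacker": ("dstdomain", "www.elhacker.net"),
    "escepticos": ("dstdomain", "www.arp-sapc.org"),
    "elpais": ("dstdomain", "www.elpais.com"),
    "msn": ("port", "1863"),
}

# http_access lines in the tutorial's order; the final "deny all" is the line
# the shipped squid.conf already ends with, so it applies after the added ones.
PAGE_RULES = [
    ("deny", "!hora"),
    ("deny", "msn"),
    ("deny", "elhacker"),
    ("deny", "escepticos"),
    ("deny", "elpais"),
    ("allow", "equipos_permitidos"),
    ("deny", "all"),
]

# The same lines with the allow moved to the top: a common mistake.
MISORDERED_RULES = [PAGE_RULES[5]] + PAGE_RULES[:5] + [PAGE_RULES[6]]

DAY_CODES = "MTWHFAS"  # Squid's one-letter day codes, Monday..Sunday


def make_request(src, host, port=80, when="2011-03-14 18:00"):
    """Constructed client request; the default time is a Monday at 18:00."""
    return {
        "src": ip_address(src),
        "host": host,
        "port": port,
        "when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
    }


def _time_matches(spec, when):
    days, span = spec.split()
    if DAY_CODES[when.weekday()] not in days:
        return False
    start, end = (tuple(map(int, t.split(":"))) for t in span.split("-"))
    return start <= (when.hour, when.minute) <= end


def _domain_matches(pattern, host):
    # A leading dot makes dstdomain match the domain and all its subdomains;
    # without it only the exact host name matches.
    host = host.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def acl_matches(name, req):
    if name == "all":          # Squid's built-in "match everything" ACL
        return True
    kind, arg = ACLS[name]
    if kind == "time":
        return _time_matches(arg, req["when"])
    if kind == "src":
        return req["src"] in ip_network(arg, strict=False)
    if kind == "dstdomain":
        return _domain_matches(arg, req["host"])
    if kind == "port":
        return req["port"] == int(arg)
    raise ValueError(f"unsupported acl type {kind}")


def evaluate(rules, req):
    """Return 'allow' or 'deny' for req under rules; first matching line wins."""
    for action, refs in rules:
        line_matches = True
        for ref in refs.split():  # several ACLs on one line are ANDed
            negated = ref.startswith("!")
            if acl_matches(ref.lstrip("!"), req) == negated:
                line_matches = False
                break
        if line_matches:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"


def render(rules):
    """Emit the rule list as the http_access lines it stands for."""
    return "\n".join(f"http_access {action} {refs}" for action, refs in rules)


if __name__ == "__main__":
    print(render(PAGE_RULES))
    inside = make_request("172.16.5.9", "www.elpais.com")
    print("tutorial order:", evaluate(PAGE_RULES, inside))      # deny
    print("allow first:", evaluate(MISORDERED_RULES, inside))   # allow
```

Running it shows the filtered site being denied under the tutorial's order and allowed once the allow line is moved first, and that m.elpais.com slips through the exact-host dstdomain entry; a request from outside 172.16.0.0/16 falls through to the closing deny all.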