Ubuntu8.04 Chilli Free Radius

Setup Ubuntu 8.04.
1 Server (
  Lan)
Remark Network Card 2 ()
1. Insert Disk Ubuntu 8.04.1 Server Select English
2. Select Install Ubuntu Server

3. Select English
4. Select Other
5. (6 Select Thailand 89:;:9<= T 5 >;<
? @A>;<)
6. Select No
7. Select Thailand
8. DEA Thailand
9. Select Atl+Shift
10. Lan Card Select eth0

11. Select Configure network manually
12. ( IP address :;(L@

13. ( Netmask :;(L@
14. ( Gateway :;(L@

15. ( DNS :;(L@
16. ( Hostname :;(L@

17. ( Domain name :;(L@ (OP Continue QRE>;<))
18. Select Guided w use entire disk

19. Select All Partition
20. Select Yes For Begin Format

21. Begin Format & Install
22. ( Full Name New User

23. ( User Name
24. ( Password

25. ( Password Again
26. Enter W@QRE>;<)

27. Select LAMP Server & OpenSSH Server
28. ( Password Mysql == mysqlroot

29. ( Password Mysql Again
30. [\:;]9<?Q>;<)
31. R;P);DE=>;<) R CD : Select Continue R^_` Restart
32. 6E<a: Restart DE= Login 9= User Password [P`;= (
Lan 9DE=>;<))
33. 6E<a: Login 9= User Password [P`;=
User Password   root " # $%"&'(

$  * '( +,#$,. root % .
 /
# sudo passwd root >>> 454

[sudo] password for khoonin: >>> ?? *&$@ .
Enter new UNIX password: >>> ? root
Retype new UNIX password: >>> *G.*.? root
Passwd: password updated successfully >>> $*/ *+#
Setup Network [P`(L@@A>;<)
# nano /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
# dns-* options are implemented by the resolvconf package, if
installed
dns-nameservers 192.168.0.1
auto eth1 >>> $45
Save DE= Exit 9RE

34. [9E: Internet 9= >\<` ping www.yahoo.com
Remote Server 9= SSH
Login 9= SSH R;P);
Update Ubuntu Server
# apt-get update
Upgrade Ubuntu Server
# apt-get -y upgrade
D:c ip_forward

Forward packet
! /etc/sysctl.conf
# nano /etc/sysctl.conf
# Uncomment the next line to enable TCP/IP SYN cookies

# This disables TCP Window Scaling
(http://lkml.org/lkml/2008/2/5/167)
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4

#net.ipv4.ip_forward=1 >>> $ # ?. %
# Uncomment the next line to enable packet forwarding for IPv6

#net.ipv6.ip_forward=1
<`[\@89 Restart
# echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
 /%#/ " 1

RQ9:;[\@ TUN/TAP device
# nano /etc/modules
# /etc/modules: kernel modules to load at boot time.

#
# This file contains the names of kernel modules that should be
loaded
# at boot time, one per line. Lines beginning with "#" are
ignored.
loop
lp
fuse
tun >>> $45

<`[\@89 Restart
# modprobe tun
Update =<@R=Ec Server (6[\@[g:>;<?[P`RQ9R>;_`
# nano /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
/usr/sbin/ntpdate time.navy.mi.th >>> $45
exit 0
Thaicert Nectec ;=][D6L] g[:h; :[<^R;_

clock.thaicert.nectec.or.th time1.nimt.or.th time.navy.mi.th
time2.nimt.or.th time2.navy.mi.th
time3.nimt.or.th time3.navy.mi.th
Setup Chillispot
# apt-get -y install chillispot
IP address of radius server 1: == 127.0.0.1

Radius shared secret: == radiussecret
Ethernet interface for DHCP to listen: == eth1

URL of UAM server: == https://192.168.3.1/uam/hotspotlogin.php
URL of UAM homepage: == https://192.168.3.1/uam/index.php

Shared password between chillispot and webserver: == uamsecret
]9<? chillispot R;P);DE=>;<)

RQ9:;(L@ Chillispot
# nano /etc/default/chillispot
# /etc/default/chillispot
#
# Enable on system start?
# Change to 1 if you want it to be enabled.
# Please make sure you have configured chillispot first.
ENABLED=0 >>> +%?$,. ENABLED=1
#
# chillispot default configuration
CHILLICFG=/etc/chilli.conf
#
# daemon arguments
DAEMON_ARGS="--conf $CHILLICFG"

D:c File Chilli.conf (89:;>@6)
# nano /etc/chilli.conf
#net 192.168.182.0/24 >>> +%?$,. net 192.168.3.0/24

radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
radiussecret radiussecret
dhcpif eth1
uamserver https://192.168.3.1/uam/hotspotlogin.php
uamhomepage https://192.168.3.1/uam/index.php
uamsecret uamsecret
#uamlisten 192.168.182.1 >>> +%?$,. uamlisten 192.168.3.1
#uamallowed www.chillispot.org,10.11.12.0/24 >>> +%?$,. uamallowed
www.????.com,192.168.3.0/24 (:R@k989]9)Ek:)

]9<? Friewall
# cp /usr/share/doc/chillispot/firewall.iptables /etc/init.d/chilli.iptables
# chmod a+x /etc/init.d/chilli.iptables
# ln -s ../init.d/chilli.iptables /etc/rcS.d/S41chilli.iptables
<` Script firewall [\@
# /etc/init.d/chilli.iptables
<` Restart ChilliSpot
# /etc/init.d/chillispot restart
D:c File chilli.iptables R^_` SSH Rc[ eth1 9
# nano /etc/init.d/chilli.iptables
EXTIF="eth0"
INTIF="eth1"
$IPTABLES -P INPUT DROP

$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#Allow related and established on all interfaces (input)

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow releated, established and ssh on $EXTIF. Reject everything else.

$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT
>>> $45 2 /"#.

w /
#Allow releated, established and ssh on $INTIF.
$IPTABLES -A INPUT -i tun0 -p tcp -m tcp --dport 22 --syn -j ACCEPT
#Allow related and established from $INTIF. Drop everything else.

$IPTABLES -A INPUT -i $INTIF -j DROP

<` Script firewall [\@ Again
<` Restart ChilliSpot Again
ChilliSpot Start R;P);DE=  Notebook :<) Network = etc1
9 IP Address a: Server DE=
Remote SSH Q[P` IP eth1 c Server

]9<? Radius Server
# apt-get -y install freeradius freeradius-mysql freeradius-dialupadmin

]9<? phpMyAdmin
D: Config phpMyAdmin
(L Edit Plus D:);;[<9[P` 73 (6RQ@ http
[9) phpMyAdmin http://192.168.3.1/phpMyAdmin-2.6.4/
Restart Apache
# /etc/init.d/apache2 restart
; Database freeradius
# mysql -u root –p >>> $. Mysql

Enter password: mysqlroot >>> password $w .5"w LAMP
mysql> CREATE DATABASE radius;
mysql> quit
( Freeradius database schema 9=>\<`9<@P?
# zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p

radius
Enter password: mysqlroot
D:c6 Freeradius ]9:<) Mysql 9
# nano /etc/freeradius/sql.conf
sql {
# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
driver = "rlm_sql_mysql"
# Connect info
server = "localhost"
login = "root"
password = "rootpass" >>> +%?$,. Password root $
# Database table configuration
radius_db = "radius"

D:c secret share c radius
# nano /etc/freeradius/clients.conf
# default, otherwise it's not a secret any more!

#
# The secret can be any string, up to 31 characters in length.
#
secret = testing123 >>> +%?$,. radiussecret
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.

Test Freeradius :<@@A>;<)D; User \6;)[9):@
# nano /etc/freeradius/users
#
#"John Doe" Cleartext-Password := "hello"
# Reply-Message = "Hello, %u"
>>> Copy 2 /"/.+%/

"John Doe" Auth-Type := Local, User-Password == "hello"
Reply-Message = "Hello, %u"
#
# Dial user back and telnet to the default host for that port
#
Restart Server RE>;<)
# reboot
OR:]9Qo6;O Remote Server eth1 9= SSH 9(6 Repair

Network [P`R>;_` Notebook aA(69P Restart Notebook RE>;<)
:<@RE>;<) RLk> Config Freeradius  Stop Freeradius :@>;<)
# /etc/init.d/freeradius stop
# freeradius -XXX -A
);;[<9g9[cp?@c>= Info: Ready to process requests. D9= OK

DE=>;<) Crtl+C :RE>;<) (8= R)
<` Start Freeradius
# /etc/init.d/freeradius start
Test Authen radius (file)
# radtest "John Doe" hello 127.0.0.1 0 radiussecret
Sending Access-Request of id 153 to 127.0.0.1 port 1812

User-Name = "John Doe"
User-Password = "hello"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=153,
length=37
Reply-Message = "Hello, John Doe"
cp?@c>=);<)= rad_recv: Access-Accept D9= OK DE=>;<)

(8= R) P:r<:[P`
RQEP`@ Freeradius 6(L Database
# nano /etc/freeradius/radiusd.conf
>>> .?.
w / See "Authorization Queries" in sql.conf
# Read the 'users' file

Files >>> +%?$,. # Files ( #)
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
# sql >>> +%?$,. sql (# $ %)

Add user E(@ Mysql >;<) (Username == test, Password == secret)
# echo "INSERT INTO radcheck (UserName, Attribute, Value) VALUES

('test', 'Password', 'secret');" | mysql -u root -p radius
# Enter password: mysqlroot
<` Restart Freeradius
# /etc/init.d/freeradius restart
Test Authen radius (SQL)
# radtest test secret 127.0.0.1 0 radiussecret

User-Name = "test"
User-Password = "secret"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
length=20
(8= R) uuu
D:c SQL Logging R^_`R=E(L@ ezradius
# nano /etc/freeradius/sql.conf
postauth_query = "INSERT into ${postauth_table} (user, pass, reply,

dat$
#
# Set to 'yes' to read radius clients from the database ('nas' table)
#readclients = yes >>> +%?$,. readclients = yes (# $ %)
}

D:c File radius.conf RE>;<)
>>> .?.
w / See "Accounting queries" in sql.conf
# Log traffic to an SQL database.

#
# See "Accounting queries" in sql.conf
# sql >>> +%?$,. sql (# $ %)
#
# Instead of sending the query to the SQL server,
# write it into a log file.
>>> .?.
w / See "Authentication Logging Queries" in sql.conf
# After authenticating the user, do another SQL query.

#
# See "Authentication Logging Queries" in sql.conf
# sql >>> +%?$,. sql (# $ %)
#
# Instead of sending the query to the SQL server,
# write it into a log file.

<` Restart Freeradius
Test Authen radius (SQL) Again
# radtest test secret 127.0.0.1 0 radiussecret

User-Name = "test"
User-Password = "secret"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
length=20

]9<? SSL RQ@ Modules c Apache
# apt-get install -y libapache2-mod-auth-mysql
; Certificate
# apt-get -y install ssl-cert

; Folder R:k) Certificate
# mkdir /etc/apache2/ssl
; Certificate
# sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

R;P);DE=>;<) RQ9(L@ SSL
# sudo a2enmod ssl
;<)> Config (6
# /etc/init.d/apache2 force-reload
; virtualhost = Link SSL
Upload File hotspot '% Folder File Config , /etc/apache2/sites-available/
D:c File hotspot
# nano /etc/apache2/sites-available/hotspot
NameVirtualHost 192.168.3.1:443 >>> +%?$,. IP eth1 Server

<VirtualHost 192.168.3.1:443> >>> +%?$,. IP eth1 Server
ServerAdmin webmaster@domain.org
DocumentRoot "/var/www/hotspot"
ServerName "192.168.3.1" >>> +%?$,. IP eth1 Server

<`(6 virtualhost [\@
# sudo a2ensite hotspot
# /etc/init.d/apache2 reload
Open Port
Upload File ports.conf '% Folder file config , /etc/apache2/
D:c File ports.conf
# nano /etc/apache2/ports.conf
#Listen 80
#
#<IfModule mod_ssl.c>
# Listen 443
#</IfModule>
Listen 192.168.3.1:80 >>> +%?$,. IP eth1 Server
Listen 192.168.3.1:443 >>> +%?$,. IP eth1 Server

D:c File default
# nano /etc/apache2/sites-available/default
NameVirtualHost * >>> +%?$,. NameVirtualHost *:80

<VirtualHost *> >>> +%?$,. <VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None

D:c File apache2.conf
# nano /etc/apache2/apache2.conf
# Do NOT add a slash at the end of the directory path.

#
ServerRoot "/etc/apache2"
ServerName 192.168.3.1 >>> $45
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.

D:c File apache2.conf
# nano /etc/hosts
127.0.0.1 localhost
192.168.0.100 THAIEN-HOTSPOT >>> +%?$,. 192.168.3.1 THAIEN-
HOTSPOT
# The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback

Restart Apache
[\:; Upload Hotspot Login
1. $, /var/www/  Floder hotspot

2. Upload Floder uam '% ,+% .%\web\ ,
/var/www/hotspot/
3. +% File conStatus.php *& ,+% .%\web\uam\Connections

4. +# Upload ,/ $"5
5. +% File index.php *& ,+% .%\web\uam\
6. +# Upload ,/ $"5
7. " /?. login hotspot http://google.co.th
8. +% "*% Upload File charset '% Folder File Config ,
/etc/apache2/conf.d/
Restart Apache
9. " /?. %
login hotspot http://google.co.th
10. " / % Internet "* User Password $
(User == test Password == secret)
]9<? ezradius
Upload Floder manage '% ,+% .%\web\ , /var/www/
(L>\<`R^_`D:cRac8wER9;@A>;<) 89(L>\<` chown
# chown -R www-data:www-data /var/www/manage

Rc Web ezradius http://192.168.3.1/manage/
Config ezradius
% . .
G  (/. &# radius %.% .
.(/"*?#5% Tool > Config editor
+#?%+%&,$#*.(/ +# *#G save #(

:;a<9:;:<) group DEA user
:;R^]` group
% . $'(%$5 $45

group $4G +*%%. user %$,.%#. $.
'* , .%$*. $ &'%%/ Attribute radius % .@ '(
?. .% /%. (// $.(/ $'(",/+%
."$?( *$. ''( .? '* ?G ??.. %
download/upload %%.%$*.?G &. , $ #($"&?*
Attribute '(..%."%.(/
>=6c Attribute [P`@]@\(L@(@;A)) Chillispot
$5 .%%#.%.$#*.(/"*, Manage > Add > New Group
?$#G %&,$#*.(/
Attribute : Simultaneous-Use G % login @ .%.. . $ .?%#.w
Logig @ .%..(/ "..
w ?
Perator : :=+#( Value : 1 (?% %@ .%."? Value : 0)
'%.w.$$45 Attribute ?%# teacher %."%.(/
?#5% add new attributr +#?&,$#*.(/
$%.%. (60 5.) ?%.? diconnect 15 .(900 5.)
$# . w 5 (18000 .) ?#'% login ? redirect ,*$/
http://www.srp.ac.th
%?." download $%/ 1024kbps %?." upload $%/ 512kbps

$G %$45 Attribute +#?% (5"4#"%'("&,
:;a<9:; user
$5 .%&.%.$#*.(/ "*, Manage > Add > New User
*#($ *" & &,$#.(/ '%.w.% Add user +#.,."$#*

/
,#  knoonin %."%.(/'($,. * $ set Attribute ?G $,#
"# $," IE .(/
+" Certificatr ssl $.+#.(/ ?$#G % Continue to this

website $#*.(/
'($' ?. ?. index.php $% # . 5 .(/@ $
+%?..+w #$,.,(% ?.*.".(/ $.+'%
,( ($4(*?% . 5 $ $.% $' ?..%
w  .) '%.w.$#G % $&
(//
$* "+#( ." 5 $4( *&.%# teacher +#* redirect

?.+% http://www.srp.ac.ch /% *.(/
:;(L@=@ u c ezradius
User Online
?/"& ,''/. user (. *&/ "*, View > Online users
'(""&,
****6R6g ezRadius ****
RQEP`@RQ@ Version 1.1.4 and above R^_`(6;OL Password MD5 9
R^]`/D:c user RE_: Cleartext password

Add Port 3779 R^_` Kick User (1)
# nano /etc/init.d/chillispot
DESC="Chillispot captive portal"

NAME=chillispot
DAEMON=/usr/sbin/chilli
DAEMON_ARGS="--conf /etc/chilli.conf" >>> +%?$,.
DAEMON_ARGS="--coaport3779 --conf /etc/chilli.conf"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

Add Port 3779 R^_` Kick User (2)
# nano /etc/chilli.conf
# TAG: macsuffix
# Suffix to add to MAC address in order to form the username.
# Normally you do not need to uncomment this tag.
#macsuffix suffix
coaport 3779 >>> $45
Restart ChilliSpot (@@r<:6@)
9{:;(L@c User @6E<
$"&%. User * .?#""*(/.  %"& ?G

G User  % ?G w. +#( user "*. .w'(*% *"& user +#(.
"*?$#G % Accounting > Per User and Date
G user . $5 +#(. .

5w " &,
'("*#($ *" "&,

:;]9<? Transparent Proxy
$5 .5"w squid ?/?. $%/ cache +#( sarg *.%..
?.$/
# sudo apt-get -y install squid sarg
?#'%5"w+#?+% # squid "*
# nano /etc/squid/squid.conf
"*?+%".w
http_port 3128
#cache_mem 8 MB
#cache_dir ufs /var/spool/squid 100 16 256
#acl our_networks src 192.168.2.0/24
#http_access allow our_networks
access.log /path/access.log squid
#emulate_httpd_log off
>>> +%$,. ("*5

.?)
http_port 3128 transparent

cache_mem 64 MB
cache_dir ufs /var/spool/squid 100 16 2000
acl our_networks src 192.168.3.0/24
http_access allow our_networks
access.log /path/access.log
emulate_httpd_log on
>>> /""*
visible_hostname THAIEN-HOTSPOT >>>$45
<`;P;[ squid
# /etc/init.d/squid restart
'%.w.? user $. proxy .(/"*,+% # chilli.iptables

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
#Allow 3990 on other interfaces (input).
>>> $45 $,

#Allow Tranparent proxy
#Allow everything on loopback interface.

$IPTABLES -A INPUT -i lo -j ACCEPT
>>> $45 $,

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 192.168.3.0/16 --dport 80 -j
RETURN
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports
3128
3128

:;R^]` Port u(6 Redirect Q[P` Proxy (RL@ port 88)
#Allow everything on loopback interface.

$IPTABLES -A INPUT -i lo -j ACCEPT

$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 3128 --syn -j DROP
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp -m tcp -d 192.168.3.0/16 --dport 80 -j
RETURN
3128
>>> $45 $,
3128

:;R^]` port (6W@ Proxy 9 (RL@ port 88)
# nano /etc/squid/squid.conf
>>>.?.w acl to_localhost dst 127.0.0.0/8
#Recommended minimum configuration:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 88 # http cz >>>$4G /".w
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
<`;P;[ squid
# /etc/init.d/squid restart
<`(6 transparent [\@
9{ access.log c Squid
"# . internet . gateway server
# tail /var/log/squid/access.log -f
Ctrl+c %
:;9{;@c SARG (Squid report)
? sarg ."$#*"*
# sarg
'%.w.%$"&*.%$/"$#*/"*"&'% IE "$#
"*454 http://192.168.3.1/squid-reports
<?R=E(6 sarg [\@W@ crontab
# nano /etc/crontab
# m h dom mon dow user command

17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
#
#sarg squid report
0* * * * root /usr/bin/sarg
#Shut Down
05 20 * * * root shutdown -h now

Logrotate
$,.%#% (//,5/% 5 #.%

@ *#/ log file $%% %, +##
log w.? @ #?# log ?%$%5., "*% log file ?.. w
'(,@w%/#$"5 '( option %%*?$+% + 4 , "
".w
1. Weekly-daily-monthly ?* ?% rotate . % 5*

(weekly) ?G % . (daily) ?G $"G . (monthly)
2. rotate xx ?* ?% rotate xx w % .#/#$%5w,
3. compress ?* ?% zip # &% rotate ,+#
4. delaycompress ?* ?%(# % zip , 1 w ?
% rotate w+%$,.%$,# *.G #$4* *$" * +#('(&% zip .
% rotate .w ,
5. notifemply-ifemply ?* ?% rotate $G log file .. w 
6. postrotate $,.%%?."?% . ?#'% % rotate ,
+#
7. endscript $,.%'/ postrotate
8. mail(address) $,.% ?(// log file ?&"+ & #(// E-mail
9. prerotage/endscript $,.%%?."?%. % . '(%
% rotate @ '($,.+// postrotate
D:c Logrotate squid
# nano /etc/logrotate.d/squid
/var/log/squid/access.log {
daily
compress
delaycompress
rotate 2
missingok
nocreate
sharedscripts
# prerotate
# test ! -x /usr/sbin/sarg-maint || /usr/sbin/sarg-maint
# endscript
# postrotate
# test ! -e /var/run/squid.pid || /usr/sbin/squid -k rotate
# endscript
}
>>> +%$,.
/var/log/squid/access.log /var/log/squid/store.log {
daily
compress
# delaycompress
rotate 1
missingok
nocreate
sharedscripts
# prerotate
# test ! -x /usr/sbin/sarg-maint || /usr/sbin/sarg-maint
# endscript
# postrotate
# test ! -e /var/run/squid.pid || /usr/sbin/squid -k rotate
# endscript
}
>>> $45
/var/log/squid/cache.log {
weekly
compress
rotate 2
missingok
nocreate
sharedscripts
}

QD:>[P`wE radiusd.conf
>>> .? detailfile
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>>> +%?$,.
detailfile = ${radacctdir}/%{Client-IP-Address}/details
+%# G  /etc/logrotate.d/freeradius $4G '"%%/# "%#
# nano /etc/logrotate.d/freeradius
/var/log/freeradius/*.log {
weekly
rotate 52
compress
notifempty
}
>>> +%$,.
/var/log/freeradius/radacct/127.0.0.1/details {
daily
compress
rotate 1
missingok
notifempty
}

<` freeradius Restart
[9E login Rc internet aAP file details cp?@ [P/

`
var/log/freeradius/radacct/127.0.0.1
<` logrotate [\@
# /etc/cron.daily/logrotate
(@[P`@P?W9; folder /home/LOG =DE=@A>;<) (>;[P`<;RQ@ :k
;@P?RE
# mkdir /home/LOG
; File changeaccess.sh R^_`RQEP@L_` File
# nano /home/changeaccess.sh
#!/bin/sh
timeaccess=`date +%Y-%m-%d`
cp /var/log/squid/access.log.1.gz /home/LOG/$timeaccess-access.log.gz
cp /var/log/squid/store.log.1.gz /home/LOG/$timeaccess-store.log.gz
cp /var/log/freeradius/radacct/127.0.0.1/details.1.gz
/home/LOG/$timeaccess-freeradius.log.gz
chmod +x /home/changeaccess.sh ( R^_`(6 8Q;D:;;O

;<@ script @P` 9)
# chmod +x /home/changeaccess.sh
R=EaAR;P:(L
# cd /home
# ./changeaccess.sh
<?R=E(6 logrotate [\@W@ crontab
# nano /etc/crontab
# m h dom mon dow user command

17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
#
#sarg squid report
00 20 * * * root /usr/bin/sarg
#logrotate
05 20 * * * root /etc/cron.daily/logrotate
#change File name
15 20 * * * root sh /home/changeaccess.sh
#Shut Down

TIP :@a)>;
+%,? session 
.'(., shell scrip  ?/("%.%.%".(/
# nano /home/clearlog.sh
rm /var/log/freeradius/radutmp
rm /var/log/freeradius/radwtmp
touch /var/log/freeradius/radutmp
touch /var/log/freeradius/radwtmp
chown freerad:freerad /var/log/freeradius/radutmp
chown freerad:freerad /var/log/freeradius/radwtmp
+% permittion
# chmod 700 /home/clearlog.sh
$#.
# cd /home
# ./clearlog.sh
'%.w..,. /etc/rc.local .(/
9{O@Ac Lan card
# mii-tool
"&$.Gw $%/ Cache
# du –sh /var/spool/squid
]9<? bandwidthd D[@ sarg (@ ubuntu
# apt-get -y install bandwidthd
RE_: :;9 [P`:; (6D9WE

any %%"
%" .
G %+#+  chilli % tun
$#G % IP Address tun0 (*.) '.$'
D:c Config Apache
# nano /etc/apache2/apache2.conf
# The internationalized error documents require mod_alias, mod_include

# and mod_negotiation. To activate them, uncomment the following 30
lines.
>>> $45 5 /"".#.

w /
Alias /bandwidthd "/var/lib/bandwidthd/htdocs"

<Directory "/var/lib/bandwidthd/htdocs">
Order Allow,Deny
Allow from All
</Directory>
# Alias /error/ "/usr/share/apache2/error/" >>> .?/".

w /
#
# <Directory "/usr/share/apache2/error">
# AllowOverride None
# Options IncludesNoExec
# AddOutputFilter Includes html
# AddHandler type-map var

Restart Apache
D: Config bandwidthd
# nano /etc/bandwidthd/bandwidthd.conf
.w$#G .,/"#" $ # ?./""* %
#Set META REFRESH for static pages in seconds(default 150, use 0 to

disable).
#meta_refresh 150
meta_refresh 150
#Set the static html output directory

#htdocs_dir "/var/lib/bandwidthd/htdocs" >>> $ # %

R;kaDE=<`(6[\@
# bandwidthd
DE= restart bandwidthd
# /etc/init.d/bandwidthd restart
9{WE6@R=)RE>;<) http://192.168.3.1/bandwidthd
<? crontab (6 bandwidthd <^R9[c{E[g:=<@@ R[P>_@ 5@[P
# nano /etc/crontab
#
#sarg squid report
00 * * * root /usr/bin/sarg
#bandwidthd
50 * * * root /usr/bin/bandwidt
#Shut Down

]9<? syslog-ng
# apt-get -y install syslog-ng
9=@86E98Q;D:; php syslog viewer 9=>\<` =(@ /tmp/
# cd /tmp/
# wget http://downloads.sourceforge.net/phpsyslogviewer/phpsyslogviewer-7.2.1.tar.bz2
]9<?8Q;D:; bzip2 9=>\<` <{(@ /tmp/ @A>;<)
# apt-get install bzip2
D:wE phpsyslogviewer 9=>\<`
# tar xjvf phpsyslogviewer-7.2.1.tar.bz2

9=@86E98Q;D:; speedupd
@ $,.,+%$$?$ .'5w., . &#&

 . &# mysql "*
# wget
http://jaist.dl.sourceforge.net/sourceforge/phpsyslogviewer/speedupd-
7.3.2.tar.bz2
#$"  install phpsyslogviewer '(5, 5"w ?%/

. &# $'( %. &#$*% . 5(.w.'(4/%/ 5"4#"+#(
.5,"%#." .
w .".w
1. $,# *."$% ,*#$"  phpsyslogviwer-7.2.1
# cd phpsyslogviewer-7.2.1
2. $& mysql "*
mysql -u root -p +#, .?. root
# mysql -u root -p
3. . &#G syslogng "*
mysql>create database syslogng;

4. %'% mysql "*
mysql> exit;
5.  &#"*% script '%

# install/phpsyslogviewer.sql "*
# mysql -u root -p syslogng < install/phpsyslogviewer.sql
, . username +#( password $,.# intall/newuser.sql.php "$.
# nano install/newuser.sql.php
// 02110-1301, USA.
// -------------------------------------------------------------------
$user = ""; // Your Username >>>  User

$pass = ""; // Your Password  Password
// -------------------------------------------------------------------
*****User DEA Password r?\:<@
5"w,+% php5-cli $4G ?.

php . command line "*
# apt-get -y install php5-cli

. php-command line $4G insert  &# user +#( pass $&
 &# user . &# syslogng "* ".w
# php install/newuser.sql.php
. php-command line "*  ,.w
# php install/newuser.sql.php | mysql -u root -p syslogng
'"%$/"$ $4G ?$*%"& &#.$//$@ " "*%$.

# "* ".w
# cp -R htdocs /var/www/phpsyslogviewer
+%# .%G /var/www/phpsyslogviewer/config.php $4G %?."
$% *%/. &#".w
# nano /var/www/phpsyslogviewer/config.php
// USER DEFINED VARIABLES

// -------------------------------------------------------------------
$db_user = "syslog"; // Database Username

$db_pass = "syslog"; // Database Password
$db_host = "localhost"; // Database Hostname
$db_name = "syslog"; // Database Name
>>> +%$,.
$db_user = "root"; // Database Username

$db_pass = "mysqlroot"; // Database Password
$db_host = "localhost"; // Database Hostname
$db_name = "syslogng"; // Database Name

;<@>\<`Q@P?
# chown root:www-data /var/www/phpsyslogviewer/config.php
# chmod 440 /var/www/phpsyslogviewer/config.php
Rc9{R=k)rc phpsyslogviewer [P` http://192.168.3.1/phpsyslogviewer

]9<?D^k>R:a speedupd-7.3.2
$4G $$?$ .'5w., . &#&. &# mysql . w ..w '**%.5"?. *
$4( % 4#+4$%'"*$ ? *w .(/w. .
.w 5(.w. $* phpsyslog-ng '(&@w " "$,. * ?
 ,.w
# cd .. >>> % /tmp/ % ./
# tar xjvf speedupd-7.3.2.tar.bz2
# cd speedupd-7.3.2 >>> $, / speedupd-7.3.2 / % ./

# apt-get –y install build-essential cmake libmysqlclient15-dev libdaemon-
dev libconfuse-dev
# apt-get -y install debhelper cmake libdaemon-dev libconfuse-dev

fakeroot
,?? ."& ''( 5"w libmysqlclient15-dev $45 $5"*
# apt-get –y install libmysqlclient15-dev
# dpkg-buildpackage –rfakeroot
..w$'("+4$%'(%&# debian G  speedupd_7.3.0_i386.deb (?/ 64
bit OS '(G speedupd_7.3.0_amd64.deb) ?5"w+4$%'+#(%?."?%/
# speedupd.conf".w
# cd ..
# ls
(?/$G $,. 64 bit  dpkg -i speedupd_7.3.0_i386.deb)

(?/$G $ ,. 64 bit  speedupd_7.3.0_amd64.deb)
# dpkg -i speedupd_7.3.0_i386.deb
D:c Config speedupd
# nano /etc/speedupd.conf
dbusername = syslog
dbpassword = syslog
dbhostname = localhost
dbdatabase = syslog
>>> +%$,.
dbusername = root
dbpassword = mysqlroot
dbhostname = localhost
dbdatabase = syslogng

Start Speedupd
# /etc/init.d/speedupd start
QRQ@:;:\6@9> syslog-ng
?%/ syslog-ng %,$%/*. &#.w$#*/ * &$*."

5%$%/ &#%'' 45$ . G . % $4G ?$'"
* / ?%# .$% *&+#%$45 $5$4(.  %$%/ &#
.. &#"$#*/ "*?+%.# /etc/syslog-ng/syslog-ng.conf $,.
" ,.w @ .?. *&+#% .(/
# nano /etc/syslog-ng/syslog-ng.conf
***options
options {
recv_time_zone (+07:00);
send_time_zone (+07:00);
sync (0);
time_reopen (100);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
chain_hostnames(yes);
keep_hostname (yes);
};
***source
source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
udp(ip(0.0.0.0) port(514));
tcp(ip(0.0.0.0) port(514) keep-alive(yes));
};
***destination
destination d_mysql {pipe("/var/log/mysql.pipe" template("INSERT
INTO logs (host, facility, priority, level, tag, datetime, program, msg)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG',
'$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG'
);\n") template-escape(yes));
};
***filter
filter f_kernel { facility (kern); };
filter f_messages { level(info..emerg) and not (facility(mail) or
facility(authpriv) or facility(cron)); };
***log
log {source(s_sys); filter(f_messages); destination(d_mysql); };
log {source(s_sys); filter(f_kernel); destination(d_mysql); };

;>;]QR^_`[\Q@\6;<)>;Pa:Q@{|@c{E @@P?
RQ@ bash >;]Q>;<) w9{=g@=D[\a;]:>;<) (6; script
file 9=>\<`Q@P?
# nano syslog2mysql.sh
>>>+# &# ,.w#,.# +#/.%#
#!/bin/bash
if [ ! -e /var/log/mysql.pipe ]
then
mkfifo /var/log/mysql.pipe
fi
while [ -e /var/log/mysql.pipe ]
do
mysql -u root --password=radius syslogng < /var/log/mysql.pipe >/dev/null
done
[\:;RQEP`@][}]wE DE=;<@>\<`Q@P?
# chmod +x syslog2mysql.sh
# ./syslog2mysql.sh &
# /etc/init.d/syslog-ng start
****6R6g****
a::;]9<? phpsyslogviewer DE= phpsyslogviewer PD log
Start,stop c Syslog-ng R[@<?@
:;>a: squid Q< syslog
# tail -F /var/log/squid/access.log | logger -t squid -p user.info
a:@<?@[\:;>a: radiusd Q< syslog 9<?@P?
# tail -F /var/log/radius/radacct/127.0.0.1/details | logger -t radiusd -p

user.info
?*$? logger -t '(% ?."G  &#%'' 45$  . .w$'(

+. &#%
'' 45$ '%$@  5" $. squid +#( radius $,.. +#( ?#G
 tail -F $4('($,.%
%?."? tail .# .'(%# ??G %

?/5%+%,?# ''(?$%5.,?/ &## %# radius
Server $
.%.%/
:;<?>(6c{E:;a;a;>^]=R; a: squid DEA radius 89(6

[\@[g:>;<?6E<RQ9R>;_`9<?@P?
# nano /etc/init.d/rc.capture
#!/bin/bash
tail -F /var/log/squid/access.log | logger -t squid -p user.info &
tail -F /var/log/freeradius/radacct/127.0.0.1/details | logger -t radiusd -p
user.info &
a:@<?@<`(6;O;<@9DEA;E]> (6[\@[g:>;<?6E<RQ9R>;_`
# chmod a+x /etc/init.d/rc.capture
# ln -s /etc/init.d/rc.capture /etc/rcS.d/S88rccapture
<`(6 rc.capture [\@
# /etc/init.d/rc.capture
;=a) syslog
# tail -f /var/log/syslog
[9E(L@ Internet
]9<? webmin
# cd /var
# tar zxvf webmin-1.480.tar.gz
# cd webmin-1.480
# sh setup.sh
:;[\@c Samba aA[\@{)@ Port 137,138 DEA 139
* 137 Name Service : SMB '( port .w .%G $G 45$ "* %
/ package UDP (User Datagram Protocol) ("*  IP $*)
* 138 Datagram Service : SMB '( port .w.% Browse ?G $G
* 139 Session Service : SMB '( Port .w.%/ &#(?$G "*

, # TCP @ +.. .%/ %  &#,,#*+.. .
D:c File chilli.iptables R^_` webmin DEA samba Rc[ eth1 9

#Allow releated, established and ssh on $IXTIF.

>>> $45 5 /"#.
w /


[9)Rc webmin http://192.168.3.1:10000/
R:;Lg9@P`9c{E9>=;{a: http://www.linuxthai.org DEA Web

Linux uP::DEAc)>g~ >g~ chalee VDO3,VDO4
cD9>=@<)O_
=]g[}] :;AR:g

Ubuntu8.04 Chilli Free Radius

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Ubuntu8.04 Chilli Free Radius

Hochgeladen von

Copyright:

Verfügbare Formate

Setup Ubuntu 8.04.

Remark Network Card 2 ()

1. Insert Disk Ubuntu 8.04.1 Server Select English

2. Select Install Ubuntu Server

10. Lan Card Select eth0

12. ( IP address :;(L@

14. ( Gateway :;(L@

16. ( Hostname :;(L@

18. Select Guided w use entire disk

20. Select Yes For Begin Format

22. ( Full Name New User

24. ( Password

26. Enter W@QRE>;<)

28. ( Password Mysql == mysqlroot

User Password    root " # $%"&'( 

# sudo passwd root >>> 454  

Setup Network [P`(L@@A>;<)

auto eth1 >>> $45 

Save DE= Exit 9RE

Upgrade Ubuntu Server

# Uncomment the next line to enable TCP/IP SYN cookies

# Uncomment the next line to enable packet forwarding for IPv4

# Uncomment the next line to enable packet forwarding for IPv6

Save DE= Exit 9RE

# echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

  /%#/ " 1

# /etc/modules: kernel modules to load at boot time.

Save DE= Exit 9RE

Update =<@R=Ec Server (6[\@[g:>;<?[P`RQ9R>;_`

/usr/sbin/ntpdate time.navy.mi.th >>> $45 

Save DE= Exit 9RE

Thaicert Nectec ;=][D6L] g[:h; :[<^R;_

# apt-get -y install chillispot

IP address of radius server 1: == 127.0.0.1

Ethernet interface for DHCP to listen: == eth1

URL of UAM homepage: == https://192.168.3.1/uam/index.php

]9<? chillispot R;P);DE=>;<)

Save DE= Exit 9RE

#net 192.168.182.0/24 >>> +%?$,. net 192.168.3.0/24

Save DE= Exit 9RE

<` Script firewall [\@

<` Restart ChilliSpot

$IPTABLES -P INPUT DROP

#Allow related and established on all interfaces (input)

#Allow releated, established and ssh on $EXTIF. Reject everything else.

>>> $45  2 / "#. 

#Allow related and established from $INTIF. Drop everything else.

Save DE= Exit 9RE

<` Restart ChilliSpot Again

Remote SSH Q[P` IP eth1 c Server

# apt-get -y install freeradius freeradius-mysql freeradius-dialupadmin

[9) phpMyAdmin http://192.168.3.1/phpMyAdmin-2.6.4/

# mysql -u root –p >>> $. Mysql

( Freeradius database schema 9=>\<`9<@P?

# zcat /usr/share/doc/freeradius/examples/mysql.sql.gz | mysql -u root -p

Save DE= Exit 9RE

# default, otherwise it's not a secret any more!

Save DE= Exit 9RE

>>> Copy 2 / "/.+%/

Save DE= Exit 9RE

Restart Server RE>;<)

OR:]9Qo6;O Remote Server eth1 9= SSH 9(6 Repair

);;[<9g9[cp?@c>= Info: Ready to process requests. D9= OK

Test Authen radius (file)

12. ( IP address :;(L@

14. ( Gateway :;(L@

16. ( Hostname :;(L@

22. ( Full Name New User

24. ( Password

26. Enter W@QRE>;<)

28. ( Password Mysql == mysqlroot

User Password   root " # $%"&'(

# sudo passwd root >>> 454

Setup Network [P`(L@@A>;<)

auto eth1 >>> $45

Save DE= Exit 9RE

Save DE= Exit 9RE

 /%#/ " 1

Save DE= Exit 9RE

Update =<@R=Ec Server (6[\@[g:>;<?[P`RQ9R>;_`

/usr/sbin/ntpdate time.navy.mi.th >>> $45

Save DE= Exit 9RE

Thaicert Nectec ;=][D6L] g[:h; :[<^R;_

]9<? chillispot R;P);DE=>;<)

Save DE= Exit 9RE

#net 192.168.182.0/24 >>> +%?$,. net 192.168.3.0/24

Save DE= Exit 9RE

<` Script firewall [\@

<` Restart ChilliSpot

>>> $45 2 /"#.

Save DE= Exit 9RE

<` Restart ChilliSpot Again

Remote SSH Q[P` IP eth1 c Server

[9) phpMyAdmin http://192.168.3.1/phpMyAdmin-2.6.4/

# mysql -u root –p >>> $. Mysql

( Freeradius database schema 9=>\<`9<@P?

Save DE= Exit 9RE

Save DE= Exit 9RE

>>> Copy 2 /"/.+%/

Save DE= Exit 9RE

Restart Server RE>;<)

OR:]9Qo6;O Remote Server eth1 9= SSH 9(6 Repair

);;[<9g9[cp?@c>= Info: Ready to process requests. D9= OK

cp?@c>=);<)= rad_recv: Access-Accept D9= OK DE=>;<)

Save DE= Exit 9RE

<` Restart Freeradius

D:c SQL Logging R^_`R=E(L@ ezradius

Save DE= Exit 9RE

Save DE= Exit 9RE

cp?@c>=);<)= rad_recv: Access-Accept D9= OK DE=>;<)

;<)> Config (6

Upload File hotspot '% Folder File Config , /etc/apache2/sites-available/

D:c File hotspot

NameVirtualHost 192.168.3.1:443 >>> +%?$,. IP eth1 Server

Save DE= Exit 9RE

Upload File ports.conf '% Folder file config , /etc/apache2/

D:c File ports.conf

Save DE= Exit 9RE

NameVirtualHost * >>> +%?$,. NameVirtualHost *:80

Save DE= Exit 9RE

Save DE= Exit 9RE

Save DE= Exit 9RE

[\:; Upload Hotspot Login

1. $, /var/www/  Floder hotspot

3. +% File conStatus.php *& ,+% .%\web\uam\Connections

Upload Floder manage '% ,+% .%\web\ , /var/www/

(L>\<`R^_`D:cRac8wER9;@A>;<) 89(L>\<` chown

+#?%+%&,$#.(/ +# #G save #(

% . $'(%$5 $45

>=6c Attribute [P`@]@\(L@(@;A)) Chillispot

$5 .%%#.%.$#.(/", Manage > Add > New Group

?#5% add new attributr +#?&,$#*.(/

$%.%. (60 5.) ?%.? diconnect 15 .(900 5.)

%?." download $%/ 1024kbps %?." upload $%/ 512kbps

$5 .%&.%.$#.(/ ", Manage > Add > New User

#($ " & &,$#.(/ '%.w.% Add user +#.,."$#*

+" Certificatr ssl $.+#.(/ ?$#G % Continue to this

$ "+#( ." 5 $4( &.%# teacher +#* redirect

RQEP`@RQ@ Version 1.1.4 and above R^_`(6;OL Password MD5 9

R^]`/D:c user RE_: Cleartext password

Save DE= Exit 9RE

coaport 3779 >>> $45

Save DE= Exit 9RE

Restart ChilliSpot (@@r<:6@)