====== Untangle as UTM box ======
Official Site: http://www.untangle.com/
**The following notes assume Untangle Version 7.1**
===== Post installation task =====
==== Enable SSH access ====
Using the console terminal, remove the file "''/etc/ssh/sshd_not_to_be_run''" and edit ''/etc/ssh/sshd_config'' to your needs. Set the SSH server port to something other than 22 for a little extra security.
Or, follow this wiki article for the latest information:
http://wiki.untangle.com/index.php/Enable_SSH
Then go to the packet filter and add a rule to allow traffic to the non-standard SSH port.
==== Access to internal database ====
===== Enhancement =====
==== Live view of traffic using iftop ====
Get the package at http://packages.debian.org/lenny/i386/iftop/download ,
and install it using the "''dpkg -i''" command.
Create a config file "''/etc/iftoprc''" to format the default output.
Example for a connection list:
<code>
hide-destination: no
line-display: one-line-both
port-display: yes
</code>
Example for per local IP bandwidth usage:
<code>
hide-destination: yes
line-display: one-line-both
</code>
And create a script to run it:
<code bash>
#!/bin/sh
# customizable settings:
LOCALNET="192.168.1.0/24"
IFACE="eth1"        # internal interface
CONF="/etc/iftoprc"
# -p promiscuous, -n/-N no host/port name lookups, -F filter on the local net
iftop -p -n -N -i $IFACE -F $LOCALNET -c $CONF
</code>
==== Per IP bandwidth usage statistic using bandwidthd ====
[[http://bandwidthd.sourceforge.net|bandwidthd project page]]
Get the package at http://packages.debian.org/lenny/i386/bandwidthd/download ,
the dependency package at http://packages.debian.org/lenny/i386/libgd2-noxpm/download ,
and install both using the ''dpkg -i'' command.
Create "''/etc/apache2/conf.d/bandwidthd.conf''" (the ''Order''/''Deny''/''Allow'' directives are only valid inside a ''<Directory>'' block, so the aliased htdocs path is wrapped in one):
<code apache>
Alias /bandwidthd /var/lib/bandwidthd/htdocs
<Directory /var/lib/bandwidthd/htdocs>
    Order deny,allow
    Deny from all
    # allow from these trusted hosts:
    Allow from 127.0.0.1
    Allow from ::1
    Allow from 10.0.0.0/8
    Allow from 172.16.0.0/12
    Allow from 192.168.0.0/16
</Directory>
</code>
Edit "''/etc/bandwidthd/bandwidthd.conf''" to suit your needs. Normally these need to be changed:
<code>
# Subnets to collect statistics on
subnet 192.168.1.0/24
# normally change dev to the internal interface, like:
dev "eth1"
promiscuous true
# Log data to cdf file htdocs/log.cdf
output_cdf true
# Read back the cdf file on startup
recover_cdf true
</code>
Reload apache and start bandwidthd. Access the statistics at:\\
''%%https:///bandwidthd/%%''
==== Installing ntop ====
ntop home page: http://www.ntop.org
Get the ntop package at http://packages.debian.org/lenny/i386/ntop/download ,
and the dependency package libgraphviz at http://packages.debian.org/lenny/i386/libgraphviz4/download
After installing, set the ntop admin password with:
<code bash>
/usr/sbin/ntop -A
</code>
Edit "''/etc/default/ntop''" and change the ntop web server listen port to avoid a conflict with Untangle, e.g. 4000:
<code>
GETOPT="-w 4000"
</code>
Edit "''/var/lib/ntop/init.cfg''" to your needs. Example, monitor the bridged interface:
<code>
INTERFACES="br.eth0"
</code>
Add a rule in the Packet Filter to allow remote access to port 4000.
==== 7x24 traffic capture and analysis ====
Get the latest tcpdump at http://packages.debian.org/sid/i386/tcpdump/download ,
dependency libpcap0.8 at http://packages.debian.org/sid/i386/libpcap0.8/download ,
dependency libssl0.9.8 at http://packages.debian.org/sid/i386/libssl0.9.8/download
The raw capture command:
<code bash>
# capture on interface br.eth0
# how many bytes to save per packet: 68
# save buffer to a new file every 300 seconds (-G rotates the output file)
# file naming format: pcap_%Y_%m%d_%H%M, e.g. pcap_2010_0120_1617
tcpdump -i br.eth0 -s 68 -G 300 -w "/capture-folder/pcap_%Y_%m%d_%H%M"
</code>
The more elegant way to do it is to use an [[tcpdump.init|init script]].
Clear outdated capture files using tmpwatch.
<code bash>
# You will probably run this from cron.
# Suppose you want to keep 30 days (= 720 hours) of traffic for analysis:
tmpwatch -m -f 720 /capture-folder/
</code>
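As an added example (not from this wiki page or the Untangle project), here is a small wrapper script that ties the rotating capture and the retention clean-up together. It keeps the page's values (''/capture-folder'', ''br.eth0'', snaplen 68, 300-second rotation, 720-hour retention) but uses ''find'' instead of tmpwatch for the pruning step, which is an assumption that your find supports ''-mmin'' and ''-delete'' (GNU and busybox do). The prune step only matches the ''pcap_'' prefix so other files in the folder are left alone.

```shell
#!/bin/sh
# Added example, not from the Untangle wiki page: a small wrapper around the
# rotating tcpdump capture and the retention clean-up described above.
# Capture directory, interface, snaplen and rotation interval are the page's
# values; the retention step uses find(1) instead of tmpwatch (assumption:
# find supports -mmin and -delete, true for GNU and busybox find).

CAPTURE_DIR="${CAPTURE_DIR:-/capture-folder}"
IFACE="${IFACE:-br.eth0}"
SNAPLEN=68          # bytes saved per packet
ROTATE_SECS=300     # tcpdump -G: start a new file every 5 minutes
KEEP_HOURS=720      # 30 days, the same window as the tmpwatch example

# Run the rotating capture in the foreground (replaces this shell).
start_capture() {
    exec tcpdump -i "$IFACE" -s "$SNAPLEN" -G "$ROTATE_SECS" \
        -w "$CAPTURE_DIR/pcap_%Y_%m%d_%H%M"
}

# Delete capture files in $1 older than $2 hours. Only names with the
# pcap_ prefix are matched, so notes or other files in the folder survive.
prune_old_captures() {
    dir="$1"; hours="$2"
    find "$dir" -maxdepth 1 -type f -name 'pcap_*' \
        -mmin "+$((hours * 60))" -print -delete
}

# Number of capture files currently in $1 (sanity check after pruning).
count_captures() {
    find "$1" -maxdepth 1 -type f -name 'pcap_*' | wc -l | tr -d ' '
}

# Usage: capture.sh start   (from the init script)
#        capture.sh prune   (from cron, e.g. once an hour)
case "${1:-}" in
    start) start_capture ;;
    prune) prune_old_captures "$CAPTURE_DIR" "$KEEP_HOURS" ;;
esac
```

Run ''capture.sh start'' from the init script and ''capture.sh prune'' from cron; the prune step prints each file it removes, which is handy for a cron mail trail.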
To analyze the capture files, if your Untangle box has enough horsepower, fire up the bundled wireshark program at the console or remotely at your workstation. You can consider [[http://www.straightrunning.com|Xming]] if your workstation is running Windows. Otherwise, copy them to another box for analysis.
==== Add extra blocklists for SPAM Blocker ====
Suppose you want to add barracudacentral RBL.
Create the file ''/etc/mail/spamassassin/99_barracuda_rbl.cf'':
<code>
header   RCVD_IN_BARRACUDACENTRAL_RBL eval:check_rbl('barracuda', 'b.barracudacentral.org.')
describe RCVD_IN_BARRACUDACENTRAL_RBL Received via a relay in BARRACUDACENTRAL Rbl blocklist
tflags   RCVD_IN_BARRACUDACENTRAL_RBL net
score    RCVD_IN_BARRACUDACENTRAL_RBL 3.0
</code>
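To see what the ''check_rbl'' rule above is doing, and to test a blocklist zone by hand before trusting a new rule, here is an added example script (not from the wiki page or SpamAssassin). A DNSBL is queried by reversing the octets of the relaying host's IP and appending the list zone; an A record in the answer means "listed". The zone is the one from the .cf above; the IP and the ''Received:'' header line are constructed RFC 5737 sample values, and the live lookup assumes ''dig'' is installed.

```shell
#!/bin/sh
# Added example, not from the Untangle page or SpamAssassin: shows the DNS
# lookup behind check_rbl. The list zone is the one used in the .cf above;
# the sample IP and Received: line below are constructed test data.

RBL_ZONE="b.barracudacentral.org."

# Turn 192.0.2.1 + zone into 1.2.0.192.b.barracudacentral.org.
rbl_query_name() {
    ip="$1"; zone="$2"
    echo "$ip" | awk -F. -v z="$zone" '{ print $4 "." $3 "." $2 "." $1 "." z }'
}

# Accept only a dotted-quad IPv4 address (what check_rbl gets from the
# Received: headers); returns non-zero on anything else.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Pull the relay address out of a Received: header line, i.e. the dotted
# quad in square brackets, e.g. "from mx (mx.example.net [192.0.2.1]) by ...".
received_ip() {
    echo "$1" | sed -n 's/.*\[\([0-9.]*\)\].*/\1/p'
}

# Live lookup: prints "listed <answer>" or "not listed". Needs dig(1) and
# network access, so it is not exercised by the offline checks.
rbl_lookup() {
    ip="$1"; zone="${2:-$RBL_ZONE}"
    is_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 2; }
    name=$(rbl_query_name "$ip" "$zone")
    answer=$(dig +short "$name" A 2>/dev/null)
    if [ -n "$answer" ]; then
        echo "listed $answer"
    else
        echo "not listed"
    fi
}

# Usage: rblcheck.sh 192.0.2.1 [zone]
if [ -n "${1:-}" ]; then
    rbl_lookup "$1" "${2:-$RBL_ZONE}"
fi
```

A listed answer is normally an address in 127.0.0.0/8 whose last octet encodes the reason the list gives; check the list operator's documentation before raising the score above the 3.0 used here.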
==== Custom Reports ====
[[Custom Reports]]
----