Showing posts with label tech.

Saturday, March 10, 2012

Install OpenVPN on Debian

First check whether your VPS exposes the TUN device, /dev/net/tun
  • # ls -al /dev/net/tun
  • You'll get a result like the following if the device exists
    # ls -al /dev/net/tun
    crw------- 1 root root 10, 200 Aug  1 14:12 /dev/net/tun
Then check whether the TUN device is enabled
  • # cat /dev/net/tun
  • You'll get the following error if it is enabled (this is the expected result, not a failure)
    # cat /dev/net/tun
    cat: /dev/net/tun: File descriptor in bad state
If you get a different error instead, such as "No such device", TUN is not enabled for your container and you need to ask the VPS provider to enable it.
Install OpenVPN
  • apt-get update to refresh the package lists
  • apt-get install openvpn
Install OpenSSL and set up easy-rsa
  • apt-get install openssl
  • mkdir /etc/openvpn/easy-rsa to make a new directory
  • cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa to copy the easy-rsa scripts to the new folder
  • cp -rp /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/sample to copy the sample server and client configs
Edit vars and change the variables
  • cd /etc/openvpn/easy-rsa/
  • vi vars to edit the file named "vars"
  • Recommended: change KEY_SIZE to 2048 (the default 1024-bit RSA keys are too short for new certificates)
Run vars to export the variables into your current shell
  • source ./vars (not "sh vars": that runs the script in a subshell, and the variables are lost as soon as it exits)
Make the certificate authority
  • ./clean-all to remove any previous keys
  • ./build-ca to build the certificate authority.
  • Press enter for each line it asks to confirm your details, but where it asks for "Common Name" change to your server name
Make server key
  • Type ./build-key-server <server hostname>
  • Press enter for fields to confirm and leave the "A challenge password" and "An optional company name" fields blank
Create VPN client .key and .crt
  • ./build-key <client hostname>
  • Press enter again for fields to confirm and leave the "A challenge password" and "An optional company name" fields blank. A different key is needed for each VPN client
  • ./build-dh generates the Diffie-Hellman parameters used for the key exchange (dh1024.pem, or dh2048.pem if KEY_SIZE is 2048); this takes a while
Now copy the relevant files into the folder OpenVPN reads
  • cd /etc/openvpn/easy-rsa/keys
  • cp <server hostname>.key /etc/openvpn/
  • cp <server hostname>.crt /etc/openvpn/
  • cp ca.crt /etc/openvpn/
  • cp dh1024.pem /etc/openvpn/  or dh2048.pem if you set KEY_SIZE to 2048
  • Do not copy ca.key anywhere: it is the CA's private key, it is only needed by build-key on this machine, and anyone holding it can issue certificates your server will trust
Create the OpenVPN server config and edit it
  • cd /etc/openvpn/sample
  • gunzip server.conf.gz
  • vi server.conf
  • Change server.crt to <server hostname>.crt
  • Change server.key to <server hostname>.key
  • Change "dh1024.pem" to "dh2048.pem" if you set KEY_SIZE to 2048
  • Uncomment max-clients 100
  • cp server.conf /etc/openvpn/ (the init script only starts configs found directly in /etc/openvpn, not in the sample folder)
Create the OpenVPN client config
  • cd /etc/openvpn/sample
  • vi client.conf
  • Change my-server-1 in the remote line to the public IP address of your VPS
  • Change "client.crt" to "<client hostname>.crt"
  • Change "client.key" to "<client hostname>.key" (the sample config refers to both files, so both names need changing)
Copy these 4 files to the client, into C:\Program Files (x86)\OpenVPN\config
  • /etc/openvpn/easy-rsa/keys/<client hostname>.key
  • /etc/openvpn/easy-rsa/keys/ca.crt
  • /etc/openvpn/easy-rsa/keys/<client hostname>.crt
  • /etc/openvpn/sample/client.conf (rename it to client.ovpn)
The .key file is the client's private key: transfer it over an encrypted channel (scp/sftp over the SSH connection you already have), never by plain FTP or e-mail, and give each client its own key as noted above.
Start OpenVPN as a service
  • service openvpn start
  • Check that it is running with ps aux | grep openvpn
  • Make it start on boot by editing /etc/default/openvpn and setting AUTOSTART="all"
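The four client files above can be bundled into one inline .ovpn so that a single file goes to the Windows box. The script below is an added example, not part of the original post or of OpenVPN's own tooling; it assumes the file names produced by the easy-rsa steps above (ca.crt, <client hostname>.crt, <client hostname>.key) and the edited client.conf, all passed as arguments, and it refuses to bundle a private key that other local users can read.

```shell
#!/bin/sh
# Added example (not from the original post): bundle the four client files
# from the steps above into a single inline .ovpn, so only one file has to be
# copied to the Windows machine. File names are whatever you pass in; the
# names client.conf, ca.crt, <client>.crt and <client>.key follow the steps.

# Usage: build_ovpn CLIENT_CONF CA_CRT CLIENT_CRT CLIENT_KEY > client.ovpn
build_ovpn() {
    conf="$1"; ca="$2"; crt="$3"; key="$4"
    for f in "$conf" "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    # The .key is the client's private key. Refuse to bundle it if any other
    # local user can read it (mode must be 0600 or tighter).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        *[1-7][0-7]|*[0-7][1-7])
            echo "build_ovpn: $key is group/world readable (mode $mode)" >&2
            return 2 ;;
    esac
    # Keep every directive except the file-based ca/cert/key ones, which the
    # inline <ca>/<cert>/<key> blocks below replace.
    grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$conf" || true
    # awk 1 copies the file and guarantees a trailing newline before the
    # closing tag, even if the PEM file lacks one.
    printf '<ca>\n';   awk 1 "$ca";  printf '</ca>\n'
    printf '<cert>\n'; awk 1 "$crt"; printf '</cert>\n'
    printf '<key>\n';  awk 1 "$key"; printf '</key>\n'
}

# Run directly: ./make_ovpn.sh client.conf ca.crt box.crt box.key > box.ovpn
[ $# -eq 4 ] && build_ovpn "$@"
```

OpenVPN accepts <ca>, <cert> and <key> blocks in place of the ca/cert/key file directives, so the output drops straight into C:\Program Files (x86)\OpenVPN\config as client.ovpn. The bundle still contains the private key, so the same transfer rule applies to it.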

Friday, November 25, 2011

Siemens Gigaset 5005

Siemens Gigaset 5005 documentation

Thursday, July 14, 2011

Power supply discussion


In this first segment I will be covering power supplies and the quality of units from different brands.
1) Why should you buy a quality power supply?
The reason is simple. Quality power supplies not only deliver their rated power, they deliver it in a cleaner and more stable manner.
This means you can get away with less voltage on the CPU when overclocking, and clean, unfluctuating power helps prolong the life of your hardware.
The power supply itself also lasts longer.
2) What makes a good power supply?
A good power supply has many things going for it.
Look for protection features like OCP (overcurrent protection), OVP/UVP (overvoltage/undervoltage protection), SCP (short-circuit protection) and PFC (power factor correction).
If you open up a quality power supply, chances are you'll find the following traits.
a) A fan with ball bearings from a reputable manufacturer (AVC, Nidec, Sanyo, ADDA, Globe, Delta, etc.).
b) Quality Japanese capacitors rated for the higher maximum operating temperature of 105 degrees Celsius (Nichicon, Nippon Chemi-Con, Hitachi, Rubycon).
c) Active PFC. This is evident from the absence of a voltage selector switch at the rear of the unit.
d) Sleeved cables. Not every PSU with sleeved cables is good, but it usually means some care went into the cabling. Thick wires are also a good indicator.

Monday, May 2, 2011

User management in Linux

User accounts in Linux work differently from the system in Windows.
Permissions are checked against numeric UIDs, which are unique to each account. The root account is UID 0. UIDs 0-999 are typically reserved for system accounts.

Although there is only one UID 0, it is possible to "create" another administrator account by giving a second login that UID. What this does is create a replica of root.
useradd -o -u 0 userid
where -o allows the creation of a user account with a duplicate (non-unique) UID, and -u 0 assigns it root's UID.

Having another root-level account on a system is undesirable for security governance and tracking: both logins share UID 0, so logs and file ownership cannot tell them apart. Use sudo instead of multiple administrator logins.

In CentOS,
# visudo
Find the user privilege section to grant the ID specific rights. For example, to grant the ID acme root access through sudo, add a line underneath root.

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
acme    ALL=(ALL)       ALL

Set a password
# passwd user
Set password ageing
# chage -M 90 user  where -M is the maximum number of days a password stays valid. -m sets the minimum number of days between changes (chage -m 0 user lets the user change it immediately), and chage -l user shows the current settings.

Saturday, April 30, 2011

Fixing Windows 7 boot problems

I was inspired to write this after spending an hour trying to get Windows to boot. The problem started when I removed an IDE disk from the PC. It turns out that when I installed Windows on the PC with a pair of IDE and SATA disks, Windows configured the IDE disk as the active partition even though I installed Windows on the SATA disk. Now that the IDE disk is gone, there is no active partition. In this situation, the repair function of the Windows boot CD will not work until an active partition is manually activated.

- Changing the active partition
Boot to repair mode from your Windows CD. In the command prompt, run diskpart
Look for the disk number with list disk
select disk x where x is the disk number from above
list partition and look for the Windows partition number
select partition x where x is the Windows partition
active to mark the selected partition as active
With the active partition set correctly, the repair function now has the correct partition to work on.

- Restoring the boot sector on the active partition
The command-line way to rebuild the boot code.
Under Windows Vista and above, boot to repair mode from your Windows CD and run
bootsect.exe /nt60 SYS /force where SYS refers to the system partition used to boot Windows. Replace SYS with ALL to update the boot code on all volumes that can be used as Windows boot volumes.

Sunday, April 24, 2011

Loading IPTables rules on reboot

IPTables rules are flushed after a reboot. I found out when I couldn't connect to a SOCKS5 proxy after the VPS provider rebooted my node without notice. Poor system uptime seems to be a problem with some budget VPS. Here's how to make the rules stick after a reboot.

- On Debian,
Save the rules to a file
# iptables-save > /etc/firewall.conf

Create a startup script so ifupdown loads these rules when an interface comes up:
# vi /etc/network/if-up.d/iptables
#!/bin/sh
iptables-restore < /etc/firewall.conf

# chmod +x /etc/network/if-up.d/iptables
Reboot, and check the rules with iptables -L -n
Note that if-up.d scripts run after the interface is already up, so there is a brief window with no rules; a "pre-up iptables-restore < /etc/firewall.conf" line on the interface in /etc/network/interfaces loads them before the interface comes up.

- On CentOS,

# /sbin/service iptables save
This runs the iptables init script, which calls /sbin/iptables-save and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is kept as /etc/sysconfig/iptables.save.

The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables using /sbin/iptables-restore.

You can also save the iptables rules to a separate file for distribution, backup or other purposes. To do so, type the following command as root:

[root@myserver ~]# iptables-save > <filename>
where <filename> is a user-defined name for your ruleset.

If you distribute the /etc/sysconfig/iptables file to other machines, run /sbin/service iptables restart on them for the new rules to take effect.

Note the difference between the iptables command (/sbin/iptables), which manipulates the tables and chains that make up the firewall, and the iptables service (/sbin/service iptables), which starts and stops the firewall as a whole.

To flush the existing iptables rules, put the following in a script, say stop.fw4

# vi stop.fw4
#!/bin/sh
echo "Stopping firewall and allowing everyone..."
# Reset the default policies to ACCEPT first so nothing is dropped while the
# chains are being emptied. After this script the host is wide open.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush the rules (-F) and delete user-defined chains (-X). The default table
# is "filter"; the "nat" and "mangle" tables must be named explicitly.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

Then make it executable and run it
# chmod +x stop.fw4
# ./stop.fw4

Configure NAT with iptables

- Initial set of firewall rules for a NAT VPS. The script only appends rules, so run stop.fw4 first; running it twice otherwise leaves duplicate rules.
vi start.fw4
#!/bin/bash
LOGLIMIT="5/m"
LOGLIMITBURST="10"
# forwarding between tun0 and venet0 needs the kernel to route packets;
# make it survive reboots with net.ipv4.ip_forward=1 in /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# change port 33322 to the configured SSH port
iptables -A INPUT -p tcp --dport 33322 -j ACCEPT
# open UDP 123 for NTP
iptables -A INPUT -p udp --sport 123 --dport 123 -j ACCEPT
# for openvpn access on UDP 1194
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# NAT the VPN clients behind the VPS public address (replace rem.ot.e.ip with it)
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to rem.ot.e.ip
# forward only between the VPN and the outside; with the default policy left
# at ACCEPT the two rules below would not restrict anything
iptables -P FORWARD DROP
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
# log (rate limited) and drop everything else arriving on INPUT
iptables -N LOGDROP
iptables -A INPUT -j LOGDROP
iptables -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "TCP LOGDROP: "
iptables -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "UDP LOGDROP: "
iptables -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "ICMP LOGDROP: "
iptables -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "FRAGMENT LOGDROP: "
iptables -A LOGDROP -j DROP

chmod +x start.fw4
./start.fw4
- To list the rules with packet counters and without reverse DNS lookups,
# iptables -L -n -v
To list masquerade and NAT rules,
# iptables -t nat -L -n -v
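The LOG rules in start.fw4 write one kernel log line per dropped packet (subject to the 5/m limit) with the TCP/UDP/ICMP/FRAGMENT LOGDROP prefixes. The script below is an added example, not part of the original post: it summarises those lines by source address, protocol and destination port so a scan or brute-force attempt against the old SSH port stands out. It expects the standard netfilter LOG format (SRC=, PROTO=, DPT= fields) on stdin; the log file paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what the LOGDROP
# chain in start.fw4 is dropping. Reads kernel log lines (for example from
# /var/log/kern.log or dmesg) on stdin and prints "count source proto dport",
# most frequent first. Only entries seen at least MIN_COUNT times are shown.
# Usage: summarize_logdrop [MIN_COUNT] < /var/log/kern.log

summarize_logdrop() {
    awk -v min="${1:-1}" '
        # only the lines produced by the LOG rules with a LOGDROP prefix
        / LOGDROP: / {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            # ICMP has no port, so dpt stays "-" for it
            if (src != "") count[src " " proto " " dpt]++
        }
        END {
            for (k in count) if (count[k] >= min) print count[k], k
        }' | sort -rn
}

# Run directly: ./logdrop_top.sh /var/log/kern.log 5
[ $# -eq 2 ] && summarize_logdrop "$2" < "$1"
```

Because of the limit match, the counts are a floor: once a protocol's burst of 10 is used up only 5 lines a minute are logged for it, so a heavy scan shows up as a steady trickle rather than at its real rate.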

Updating OS on VPS

Debian

# apt-get update
# apt-get upgrade

Centos

To list the packages that are going to be updated:
# yum list updates
To upgrade the box:
# yum update

Initial SSH setup

Create a user ID for normal use

  • On Debian, useradd is a low-level utility for adding users. Administrators should usually use adduser(8) instead.
  • On Fedora or CentOS systems, adduser is just a symbolic link to useradd
  • adduser <user>

Change the SSH port and deny root SSH login

  • vi /etc/ssh/sshd_config
  • Replace the default Port 22 with <random port>
  • Disable root login:   PermitRootLogin no
Allow the new SSH port in iptables before reloading sshd, or you lock yourself out
  • iptables -A INPUT -p tcp --dport <new SSH port> -j ACCEPT
  • If start.fw4 is already loaded, use -I INPUT instead of -A INPUT: -A appends the rule after the "-j LOGDROP" catch-all, where it is never reached

Reload the SSH service

  • service ssh reload
  • Keep the current session open, and confirm from a second terminal that you can log in as the new user on the new port before closing it
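As an added example (not from the original posts), the script below checks the three things the "User management in Linux" and "Initial SSH setup" notes above are about: duplicate UID 0 logins in /etc/passwd, users given full sudo in /etc/sudoers, and an sshd_config that still allows root on port 22. File paths are parameters so it can be run against copies; the --live flag and the assumption that PermitRootLogin defaults to yes (true for OpenSSH releases before 7.0) are mine.

```shell
#!/bin/sh
# Added example (not from the original posts): audit the account and sshd
# settings the notes above change. Each function takes a file path so it can
# be run against copies of the live files.

# uid0_accounts PASSWD_FILE: every account other than root whose UID is 0
# (what "useradd -o -u 0" leaves behind)
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# sudo_all_users SUDOERS_FILE: users (not %groups) granted "ALL=(ALL) ALL"
sudo_all_users() {
    awk '/^[[:space:]]*#/ { next }
         $1 !~ /^%/ && $2 == "ALL=(ALL)" && $3 == "ALL" { print $1 }' "$1"
}

# sshd_value SSHD_CONFIG KEYWORD: first effective value. sshd uses the first
# occurrence of a keyword, so a later duplicate does not override it.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# audit_sshd SSHD_CONFIG: returns 0 when root login is off and the port was
# moved; prints one line per finding and returns 1 otherwise
audit_sshd() {
    bad=0
    port=$(sshd_value "$1" Port)
    [ -n "$port" ] || port=22                # sshd default when unset
    root=$(sshd_value "$1" PermitRootLogin)
    [ -n "$root" ] || root=yes               # assumed default (OpenSSH before 7.0)
    if [ "$port" = 22 ]; then echo "sshd: still listening on port 22"; bad=1; fi
    if [ "$root" = yes ]; then echo "sshd: PermitRootLogin yes"; bad=1; fi
    return $bad
}

# Run directly against the live system: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "extra UID 0 accounts:";  uid0_accounts /etc/passwd
    echo "users with full sudo:";  sudo_all_users /etc/sudoers
    audit_sshd /etc/ssh/sshd_config && echo "sshd: ok"
fi
```

The sudoers check is deliberately strict (exact "ALL=(ALL) ALL" lines, no aliases or NOPASSWD variants), which matches the visudo line the notes above add; anything fancier is better reviewed by hand.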

Friday, April 22, 2011

DNS leaking with browsers

Following on this great DNS leakage test with Firefox, I ran my own simple browser privacy tests on the browsers I use frequently.

Setup used for the test

- Remote SSH host

- Opera 11.10 Build 2092

- Chrome 10.0.648.205 with Proxy Switchy! 1.6.3

- Firefox 4.0

- IE 9.0.8112.16421

- Plink 0.60.9149.0

- MyEN Tunnel v3.5.2 to build TCP SSH tunnels for SOCKS5 proxy. More stable and better speed(Hulu) than opening a dynamic proxy with Putty (putty shell@xx.xx.xx.xx -fND localhost:7777)

- DNS Randomness test . Great tool for testing DNS leakage.

- Client DNS: OpenDns , ISP DNS

- Remote DNS: Remote host DNS

Results:

Browser                                             DNS resolved by   Notes
Firefox                                             Client            Uses client DNS out of the box
Firefox with network.proxy.socks_remote_dns = true  Remote            Enable this in about:config. Tells Firefox to send hostnames to the SOCKS5 proxy for resolution
Chrome                                              Remote
IE                                                  Client
Opera                                               N/A               Not SOCKS compatible as of the tested version.

Conclusion: Chrome has the best result out of the box. It looks up URLs using the remote DNS once you point chrome to a SOCKS5 proxy. There is no need for additional configuration or socks server traversing application.

Firefox requires an additional tweak to force remote DNS lookup.

I could not find a native way of forcing remote DNS lookup in IE. One alternative is to disable client side DNS caching in windows, probably not what you want on a corporate network. Another is to “socksify” IE with sockscap or widecap.

Opera has no socks support. Boo. There is always widecap or sockscap, but why bother when you can use chrome?

Random discovery: Your company domain admin may have a AD group policy that enables corporate proxy on your browser, overriding your SOCKS5 proxy selection. This is annoying and recurring, the browser changing to corporate proxy when you think you are surfing on the SOCKS5 proxy.

To workaround this on Chrome with Proxy Switchy, with Socks proxy selected configure the following in Switchy configuration.

Auto apply last selected proxy profile on startup.
Monitor Proxy Changes
Revert proxy changes done by other apps.

With this, you know your Chrome traffic, DNS lookups included, is going through the SSH tunnel rather than the corporate proxy.

Saturday, February 26, 2011

BB test

advanced help alt rshift h



Tuesday, March 2, 2010

Symbols in batch files

'>' and '<' are special characters in the command prompt. They mean output and input redirection, so they can't be echoed directly; you need to escape them with '^'.

C:\>echo <
The syntax of the command is incorrect.

C:\>echo ^<
<

This is mentioned in http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/ntcmds_shelloverview.asp

The following characters are special and have to be escaped:
<, >, |, &, or ^,

via MSDN blog

Sunday, February 28, 2010

Simple text logging with a batch file

@echo off
cls
rem prompt for a task description, then append date|time|task to log.txt
set /p m=Task:
rem the pipes are escaped with ^ so cmd does not treat them as redirection
echo %DATE%^|%TIME%^|%m% >> log.txt

via enrri.blog

Lifehacker - xls quicklogger




Tuesday, February 16, 2010

Appending a date to files

7z.exe a "c:\temp\onenote_%date:/=%.zip" "C:\Users\\AppData\Local\Microsoft\OneNote\12.0\Backup\Personal Notebook"

A simple way of appending a date to a backup file name. It works by stripping the '/' characters out of %date% (the %var:str=% substitution with an empty replacement), which may not seem like much but always had me stumped. What remains depends on your regional date format, including the weekday name in US-English locales. I found a few date scripts on the web but those were just too complicated for me. This will be very useful for backups of OneNote; great program as it is, it could really use an export data function. The program backs up its data automatically to the hidden application data folder by default. How difficult would it be to add that option and let folks back up their data easily?

Another way would be to use Namedate, a program that appends dates to specified files.