
Saturday, March 10, 2012

Install OpenVPN on Debian

source
First check whether your server supports the device /dev/net/tun
  • # ls -al /dev/net/tun
  • You'll get results like the following if it is supported
    # ls -al /dev/net/tun
    crw------- 1 root root 10, 200 Aug  1 14:12 /dev/net/tun
Then check if the device /dev/net/tun is enabled
  • # cat /dev/net/tun
  • You'll get results like the following if it is enabled
    # cat /dev/net/tun
    cat: /dev/net/tun: File descriptor in bad state
If it is not enabled, you will need to contact the VPS provider and ask for TUN/TAP to be enabled for your container
Install OpenVPN
  • apt-get update to refresh the package lists
  • apt-get install openvpn
Install OpenSSL
  • apt-get install openssl
  • mkdir /etc/openvpn/easy-rsa to make new directory
  • cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa to copy the files to the new folder
  • cp -rp /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/sample
Edit vars and change variable
  • cd /etc/openvpn/easy-rsa/
  • vi vars to edit the file named "vars"
  • OPTIONAL: Change KEY_SIZE to 2048
Run vars to export the variables
  • sh vars
  • source ./vars to execute the vars script in the current shell. This is the step that actually exports KEY_SIZE and the other variables; sh vars runs the script in a subshell, so its exports do not survive
Make the certificate authority
  • ./clean-all to remove any previous keys
  • ./build-ca to build the certificate authority.
  • Press enter for each line it asks to confirm your details, but where it asks for "Common Name" change to your server name
Make server key
  • Type ./build-key-server <server hostname>
  • Press enter for fields to confirm and leave the "A challenge password" and "An optional company name" fields blank
Create VPN client .key and .crt
  • ./build-key <client hostname>
  • Press enter again for fields to confirm and leave the "A challenge password" and "An optional company name" fields blank. A different key is needed for each VPN client
  • ./build-dh to generate the Diffie-Hellman parameters (dh1024.pem, or dh2048.pem if KEY_SIZE is 2048) used for the key exchange with clients
Now copy relevant files and place in the correct folder
  • cd /etc/openvpn/easy-rsa/keys
  • cp <server hostname>.key /etc/openvpn/
  • cp <server hostname>.crt /etc/openvpn/
  • cp ca.crt /etc/openvpn/
  • cp dh1024.pem /etc/openvpn/  or dh2048.pem if KEY_SIZE was set to 2048
Create OpenVPN server config and edit
  • cd /etc/openvpn/sample
  • gunzip server.conf.gz
  • vi server.conf
  • Change server.crt to <server hostname>.crt
  • Change server.key to <server hostname>.key
  • Change "dh1024.pem" to "dh2048.pem" if KEY_SIZE was set to 2048
  • Uncomment max-clients 100
Create OpenVPN client config
  • cd /etc/openvpn/sample
  • vi client.conf
  • Change my-server-1 to the IP address of your VPS
  • Change "client.crt" to "<client hostname>.crt"
Export these 4 OpenVPN client config files to C:\Program Files (x86)\OpenVPN\config
  • /etc/openvpn/easy-rsa/keys/<client hostname>.key
  • /etc/openvpn/easy-rsa/keys/ca.crt
  • /etc/openvpn/easy-rsa/keys/<client hostname>.crt
  • /etc/openvpn/sample/client.conf (Rename to client.ovpn)
Start OpenVPN as a service
  • service openvpn start
  • Query the service with ps aux | grep openvpn or ps -wwwaux
  • Make the service start at boot via the init.d script by setting AUTOSTART="all" in /etc/default/openvpn
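As an added example, not part of the original post: the four files exported above can be merged into a single client.ovpn using OpenVPN's inline <ca>, <cert> and <key> blocks, so only one file (rather than a loose private key) travels to the client machine. The helper below is hypothetical (build_ovpn and inline_blocks are not OpenVPN tools; the 203.0.113.10 address and the file contents used when trying it out are constructed) and assumes the easy-rsa 2.0 layout from this post and the standard client.conf keywords (remote, ca, cert, key).

```shell
#!/bin/sh
# Added example, not from the original post. build_ovpn is a hypothetical helper
# that bundles client.conf and its three PEM files into one .ovpn file using
# OpenVPN's inline <ca>/<cert>/<key> blocks, and points "remote" at the VPS.
# usage: build_ovpn client.conf ca.crt client.crt client.key <vps ip> client.ovpn

build_ovpn() {
    conf=$1; ca=$2; crt=$3; key=$4; server=$5; out=$6
    for f in "$conf" "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    {
        # keep client.conf except the lines we replace: the file references
        # (ca/cert/key) and the placeholder "remote my-server-1 1194"
        grep -Ev '^[[:space:]]*(ca|cert|key|remote)[[:space:]]' "$conf" || true
        echo "remote $server 1194"
        printf '<ca>\n';   cat "$ca";  printf '</ca>\n'
        printf '<cert>\n'; cat "$crt"; printf '</cert>\n'
        printf '<key>\n';  cat "$key"; printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the bundle now contains the private key
}

# count the inline blocks a bundle carries; a complete bundle has 3
inline_blocks() {
    grep -Ec '^<(ca|cert|key)>$' "$1"
}

# when run directly with the six arguments, build the bundle
if [ "$#" -eq 6 ]; then
    build_ovpn "$@"
fi
```

On the Windows side the resulting client.ovpn is the only file that needs to go into C:\Program Files (x86)\OpenVPN\config; the separate .crt/.key copies are no longer needed there.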

Monday, May 2, 2011

User management in Linux

User accounts in Linux work differently from the system in Windows.
Access control is based on the system of UIDs, which are unique to each account. The root account is UID 0. UIDs 0-999 are typically reserved for system accounts.

Although there is only one UID 0 for the administrator login, it is possible to "create" another administrator account by pointing a second ID at UID 0. What we are doing is creating a replica of the root ID.
useradd -o -u 0 userid
where -o allows the creation of a user account with a duplicate (non-unique) UID, and -u 0 links the ID to the root UID.

Having another root level account on a system may not be desirable for user security governance and tracking. The use of sudo is recommended instead of having multiple administrator logins.

In CentOS,
# visudo
Search for the commands section to grant the ID specific access rights. For example, to grant the ID acme root access with sudo, add a line underneath root:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
acme    ALL=(ALL)       ALL

Set a password
# passwd user
Set password expiry
# chage -m 0 user  where -m is the minimum number of days before the password may be changed again (use -M <days> for the maximum age, i.e. when it expires)
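Because a second UID 0 login is exactly what an audit (or an attacker who has already been in) can leave behind, it is worth being able to spot one. The helpers below are an added example, not part of the original post: they read a passwd-format file given as an argument (so they can run against /etc/passwd or a copy) and report every account that resolves to UID 0 and every UID shared by more than one account. The function names and the sample passwd lines used when trying them are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers for the
# duplicate-UID situation described above. Argument: a passwd-format file.

# every account whose UID is 0, i.e. every login that is effectively root
uid0_accounts() {
    awk -F: 'NF >= 3 && $3 == 0 { print $1 }' "$1"
}

# every UID shared by more than one account, with the accounts that share it
duplicate_uids() {
    awk -F: 'NF >= 3 {
        count[$3]++
        names[$3] = (count[$3] > 1) ? names[$3] "," $1 : $1
    }
    END {
        for (uid in count)
            if (count[uid] > 1) print uid ": " names[uid]
    }' "$1" | sort -n
}

# exit 1 (and say which) if any account other than root carries UID 0
check_uid0() {
    extra=$(uid0_accounts "$1" | grep -vx root || true)
    if [ -n "$extra" ]; then
        echo "accounts other than root with UID 0: $(echo "$extra" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# run by hand: ./uidaudit.sh /etc/passwd
if [ -n "$1" ]; then
    echo "UID 0 accounts:"; uid0_accounts "$1"
    echo "shared UIDs:";    duplicate_uids "$1"
    check_uid0 "$1"
fi
```

This only looks at /etc/passwd; an account granted root through sudoers (as acme is above) does not show up here, which is the point of preferring sudo: the grant is in one auditable file instead of hidden in a UID.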

Sunday, April 24, 2011

Loading IPTables rules on reboot

IPTables rules are flushed after a reboot. I found out when I couldn't connect to a SOCKS5 proxy after the VPS provider rebooted my node without notice. Poor system uptime seems to be a problem with some budget VPS. Here's how to make the rules stick after a reboot.

- On Debian,
Save the rules to a file
# iptables-save > /etc/firewall.conf

Create a startup script so ifupdown loads these rules on boot:
vi /etc/network/if-up.d/iptables
#!/bin/sh
iptables-restore < /etc/firewall.conf

chmod +x /etc/network/if-up.d/iptables
Reboot, and check rules with iptables -L

- On CentOS,

/sbin/service iptables save
This executes the iptables init script, which runs the /sbin/iptables-save program and writes the current iptables configuration to /etc/sysconfig/iptables. The existing /etc/sysconfig/iptables file is saved as /etc/sysconfig/iptables.save.

The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables by using the /sbin/iptables-restore command.


You can also save the iptables rules to a separate file for distribution, backup or other purposes. To save your iptables rules, type the following command as root:

[root@myserver ~]# iptables-save > <filename>
where <filename> is a user-defined name for your ruleset.

If distributing the /etc/sysconfig/iptables file to other machines, type /sbin/service iptables restart for the new rules to take effect.

Note the difference between the iptables command (/sbin/iptables), which is used to manipulate the tables and chains that constitute the iptables functionality, and the iptables service (/sbin/service iptables), which is used to enable and disable the iptables service itself.

To flush existing iptables rules

# vi stop.fw4

#!/bin/sh
echo "Stopping firewall and allowing everyone..."
# Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
iptables -F
iptables -X
iptables --delete-chain
iptables -t nat -F
iptables -t nat -X
# Delete all chains that are not in default filter and nat table
iptables --table nat --delete-chain
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
chmod +x stop.fw4
./stop.fw4

Configure NAT with iptables

- Initial set of firewall rules for a NAT vps
vi start.fw4
#!/bin/bash
LOGLIMIT="5/m"
LOGLIMITBURST="10"
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#change port 33322 to configured SSH port
iptables -A INPUT -p tcp --dport 33322 -j ACCEPT
#open UDP 123 for NTP
iptables -A INPUT -p udp --sport 123 --dport 123 -j ACCEPT
#for openvpn access (pptp would additionally need tcp 1723 and GRE, which are not opened here)
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
#NAT traffic leaving on venet0 to the VPS public IP (replace rem.ot.e.ip with it)
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to rem.ot.e.ip
#forwarding between tun0 and venet0 also needs net.ipv4.ip_forward=1 (sysctl)
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
#block others
iptables -N LOGDROP
iptables -A INPUT -j LOGDROP
iptables -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "TCP LOGDROP: "
iptables -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "UDP LOGDROP: "
iptables -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "ICMP LOGDROP: "
iptables -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level 7 --log-prefix "FRAGMENT LOGDROP: "
iptables -A LOGDROP -j DROP

chmod +x start.fw4
./start.fw4
- To list rules,
# iptables -L
To list masquerade and NAT rules,
# iptables -t nat -L
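Both halves of this post (making the rules survive a reboot, and the start.fw4 ruleset) end with "check the rules". The helpers below are an added example, not part of the original post: they read a ruleset in iptables-save format (the file written by iptables-save > /etc/firewall.conf on Debian or /etc/sysconfig/iptables on CentOS) and answer three questions a practitioner wants answered after a reboot: is the saved file complete, what is the INPUT policy, and which ports does INPUT accept. The function names are hypothetical and the sample ruleset used when trying them is constructed to match start.fw4.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers for a ruleset in
# iptables-save format. Argument: the saved rules file.

# 0 if every "*table" section is closed by a COMMIT, 1 otherwise
# (a truncated file makes iptables-restore fail and leaves the box without rules)
dump_complete() {
    awk '/^\*/ { tables++ } /^COMMIT$/ { commits++ }
         END { exit (tables > 0 && tables == commits) ? 0 : 1 }' "$1"
}

# policy of the filter table's INPUT chain (ACCEPT or DROP)
input_policy() {
    awk '/^\*/ { table = substr($0, 2) }
         table == "filter" && $1 == ":INPUT" { print $2 }' "$1"
}

# "proto/port" for every INPUT rule in the filter table that accepts a --dport
accepted_input_ports() {
    awk '/^\*/ { table = substr($0, 2) }
         table == "filter" && $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
             proto = "any"; port = ""
             for (i = 3; i <= NF; i++) {
                 if ($i == "-p") proto = $(i + 1)
                 if ($i == "--dport") port = $(i + 1)
             }
             if (port != "") print proto "/" port
         }' "$1"
}

# run by hand: ./fwaudit.sh /etc/firewall.conf
if [ -n "$1" ]; then
    if dump_complete "$1"; then echo "ruleset complete"; else echo "ruleset INCOMPLETE"; fi
    echo "INPUT policy: $(input_policy "$1")"
    echo "INPUT accepts:"; accepted_input_ports "$1"
fi
```

Running dump_complete over the saved file before pointing iptables-restore at it (for instance from the if-up.d script above) catches the case where the save was interrupted and the box would otherwise come up with the filter table empty and the policy at ACCEPT.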

Updating OS on VPS

Debian

# apt-get update
# apt-get upgrade

Centos

To get a list of the packages that are going to be updated, enter:
# yum list updates
To upgrade your box, enter:
# yum update

Initial SSH setup

Create User ID for normal use

  • On Debian, useradd is a low level utility for adding users. Administrators should usually use adduser(8) instead.
  • On Fedora or CentOS systems, adduser is just a symbolic link to useradd
  • adduser <user>

Change SSH port and deny root SSH login

  • vi /etc/ssh/sshd_config
  • Replace the default Port 22 with <random port>
  • Disable root login:   PermitRootLogin no
Enable the new SSH port in iptables (do this before reloading sshd, or you can lock yourself out)
  • iptables -A INPUT -p tcp --dport <new SSH port> -j ACCEPT
  • If the INPUT chain already ends in a catch-all LOGDROP rule as in start.fw4 above, -A would append after it and never match; insert the rule near the top with -I INPUT instead

Restart SSH service

  • service ssh reload
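Before reloading, it is worth confirming that the two edits actually took effect in the file: sshd uses the first value it finds for a keyword, so a leftover "Port 22" or "PermitRootLogin yes" above the new line silently wins. The checker below is an added example, not part of the original post; sshd_effective and check_sshd are hypothetical names, the default values are assumptions noted in the comments, and the sample config used when trying it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify the sshd_config edits above.
# Argument: the config file (normally /etc/ssh/sshd_config).

# print the effective value of a keyword: the first uncommented match wins,
# settings inside Match blocks are conditional and are not considered,
# $3 is the default to report if the keyword is absent
sshd_effective() {
    key=$1; file=$2; default=$3
    val=$(awk -v k="$key" '
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }      # stop at the first Match block
        tolower($1) == tolower(k) && v == "" { v = $2 }  # first occurrence wins
        END { print v }' "$file")
    echo "${val:-$default}"
}

# 0 if the port was moved off 22 and root login is disabled, 1 otherwise
check_sshd() {
    file=$1; rc=0
    port=$(sshd_effective Port "$file" 22)
    # assumed default: older OpenSSH shipped PermitRootLogin yes;
    # 7.0 and later default to prohibit-password
    root=$(sshd_effective PermitRootLogin "$file" yes)
    [ "$port" != "22" ] || { echo "WARN: sshd still listens on port 22"; rc=1; }
    [ "$root" = "no" ] || { echo "WARN: PermitRootLogin is '$root', expected no"; rc=1; }
    return $rc
}

# run by hand: ./check_sshd.sh /etc/ssh/sshd_config
if [ -n "$1" ]; then
    check_sshd "$1" && echo "sshd_config OK"
fi
```

The parser only handles the "Keyword value" form; the rarely used "Keyword=value" spelling is not recognised.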