Awesome

OpenVPN and Ipsec L2tp server

Steps I take when setting up a VPN server on Digital Ocean

Table of Contents

• Create SSH keys on client computer
• Login after creating droplet
• Disable root login and change SSH port
• Enable UFW
• Install OpenVPN
• Install Libreswan
• Install Dnsmasq
• Install NTP
• Install send only SSMTP service
• Install Fail2ban
• Install Tripwire
• Enable Automatic upgrades
• Autostart OpenVPN on Debian client computer
• Allow multiple clients to connect with same ovpn file
• Maintenance commands

<a name="create-keys"></a>Create SSH keys on client computer

Check for existing SSH keys

ls -al ~/.ssh

Generate new SSH key

ssh-keygen -t rsa -b 4096 -C your_email@example.com

Public key is now located in /home/demo/.ssh/id_rsa.pub. Private key is now located in /home/demo/.ssh/id_rsa. While creating new droplet, add these keys.

<a name="new-login"></a>Login after creating droplet

Login as root

ssh root@server_ip_address

Upgrade system

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

Create new user

adduser demo

Give root privileges

gpasswd -a demo sudo

Add public key authentication for new user using client computer. Call new public key id_rsa_demo

ssh-keygen -t rsa -b 4096 -C your_email@example.com

Copy contents of public key by CTRL-C or (cat ~/.ssh/id_rsa_demo.pub)

Manually install public key on server

su - demo
mkdir .ssh
chmod 700 .ssh

Paste in public key while in nano

sudo nano .ssh/authorized_keys

chmod 600 .ssh/authorized_keys

Exit returns to root

exit

Login as new user

<a name="disable-root"></a>Disable root login and change SSH port

You can change the SSH port to any value that doesn't conflict with other active ports. Although Port 22 is used in the example below, you can choose a different port. Update the UFW rules to allow the new port and restart UFW before restarting SSH.

sudo nano /etc/ssh/sshd_config

Port 22
PermitRootLogin without-password
reload ssh
sudo restart ssh

<a name="enable-ufw"></a>Enable UFW

ufw limit 22
ufw allow 1194/udp
ufw allow 500/udp
ufw allow 4500/udp

Change from DROP to ACCEPT

sudo nano /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

Add these lines to the before.rules file

sudo nano /etc/ufw/before.rules

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

UFW rules should look similar to this

#Status: active
#Logging: on (low)
#Default: deny (incoming), allow (outgoing), allow (routed)
#New profiles: skip

#To                         Action      From
#--                         ------      ----
#22                         LIMIT IN    Anywhere
#1194/udp                   ALLOW IN    Anywhere
#500/udp                    ALLOW IN    Anywhere
#4500/udp                   ALLOW IN    Anywhere
#1194/udp (v6)              ALLOW IN    Anywhere (v6)
#22 (v6)                    LIMIT IN    Anywhere (v6)
#500/udp (v6)               ALLOW IN    Anywhere (v6)
#4500/udp (v6)              ALLOW IN    Anywhere (v6)

<a name="install-ovpn"></a>Install OpenVPN

#https://github.com/Nyr/openvpn-install

wget git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

Copy unified .ovpn to client computer

scp -P root@server_ip_address:client.ovpn Downloads/

<a name="install-libreswan"></a>Install Libreswan

Libreswan is an implementation of IPsec (Internet Protocol Security) and IKE (Internet Key Exchange) for Linux. It's used to create secure VPN connections.

#https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
#https://github.com/hwdsl2/setup-ipsec-vpn

wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh

sudo nano -w vpnsetup.sh

PSK:your_private_key
Username:your_username
Password:your_password

/bin/sh vpnsetup.sh

Run following commands if OpenVPN doesn't work after reboot

sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
sudo iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo service ufw stop
sudo service ufw start
sudo /etc/init.d/openvpn restart

sudo iptables-save > /etc/iptables.rules

sudo nano /etc/rc.local

iptables-restore < /etc/iptables.rules

<a name="dnsmasq"></a>Install Dnsmasq

Dnsmasq is a lightweight DNS (Domain Name System) forwarder and DHCP (Dynamic Host Configuration Protocol) server. It's used to resolve hostnames and manage IP addresses.

Check current nameserver configuration

cat /etc/resolv.conf

Install Dnsmasq

sudo apt-get install dnsmasq
cat /etc/resolv.conf

Take note of query time

dig duckduckgo.com @localhost

Check again after cached

dig duckduckgo.com @localhost

<a name="ntp"></a>Install NTP

sudo apt-get install ntp

sudo dpkg-reconfigure tzdata
sudo ntpdate pool.ntp.org
sudo service ntp start

<a name="ssmtp"></a>Install send only SSMTP service

SSMTP send-only command-line tool that allows sending emails from the Linux command line. SMTP stands for Simple Mail Transfer Protocol.

sudo apt-get install ssmtp

sudo nano /etc/ssmtp/ssmtp.conf

#root=postmaster
root=your_email@example.com
#mailhub=mail
mailhub=smtp.gmail.com:587
AuthUser=your_email@example.com
AuthPass=your_password
UseTLS=YES
UseSTARTTLS=YES
#rewriteDomain=
rewriteDomain=gmail.com
#hostname=your_hostname
hostname=your_email@example.com

Test ssmtp in terminal

ssmtp recipient_email@example.com

Format message as below

To: recipient_email@example.com
From: myemailaddress@gmail.com
Subject: test email

test email

Insert blank line after Subject:. This is the body of the email. Press CTRL-D to send message. Sometimes pressing CTRL-D a second time after about 10 seconds is needed if message is not sent.

<a name="fail2ban"></a>Install Fail2ban

Fail2ban is a log-parsing tool that protects against brute-force attacks. It monitors log files for failed login attempts and can ban IPs that show malicious signs.

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo nano /etc/fail2ban/jail.local

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Use space separator to add more than one IP
ignoreip = 127.0.0.⅛
bantime  = 600
maxretry = 3

destemail = your_email@example.com
sendername = Fail2Ban
mta = sendmail
#_mwl sends email with logs
action = %(action_mwl)s

Jails which can be initially set to true without any errors

#ssh
#dropbear
#pam-generic
#ssh-ddos
#postfix
#couriersmtp
#courierauth
#sasl
#dovecot

Restart Fail2ban

sudo service fail2ban stop
sudo service fail2ban start

Check list of banned IPs for Fail2ban

fail2ban-client status ssh
iptables --list -n | fgrep DROP

Full system backup using rsync.

Using the -aAX set of options, all attributes are preserved

rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} root@your_hostname:/ /home/demo/backup/

<a name="tripwire"></a>Install TripWire

Tripwire is an intrusion detection system that monitors file integrity. It checks for unauthorized changes to critical system files and can alert administrators.

#https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps

sudo apt-get install tripwire

Set the Site-Key and Local-Key passphrase

Create policy file

sudo twadmin --create-polfile /etc/tripwire/twpol.txt

Initialize database

sudo tripwire --init
sudo sh -c 'tripwire --check | grep Filename > /etc/tripwire/test_results'

Entries may look like this

less /etc/tripwire/test_results

     Filename: /etc/rc.boot
     Filename: /root/mail
     Filename: /root/Mail
     Filename: /root/.xsession-errors
     Filename: /root/.xauth
     Filename: /root/.tcshrc
     Filename: /root/.sawfish
     Filename: /root/.pinerc
     Filename: /root/.mc
     Filename: /root/.gnome_private
     Filename: /root/.gnome-desktop
     Filename: /root/.gnome
     Filename: /root/.esd_auth
     Filename: /root/.elm
     Filename: /root/.cshrc
     Filename: /root/.bash_profile
     Filename: /root/.bash_logout
     Filename: /root/.amandahosts
     Filename: /root/.addressbook.lu
     Filename: /root/.addressbook
     Filename: /root/.Xresources
     Filename: /root/.Xauthority
     Filename: /root/.ICEauthority
     Filename: /proc/30400/fd/3
     Filename: /proc/30400/fdinfo/3
     Filename: /proc/30400/task/30400/fd/3
     Filename: /proc/30400/task/30400/fdinfo/3

Edit text policy in editor

sudo nano /etc/tripwire/twpol.txt

Search for each of the files that were returned in the test_results file. Comment out lines that match.

    {
        /dev                    -> $(Device) ;
        /dev/pts                -> $(Device) ;
        #/proc                  -> $(Device) ;
        /proc/devices           -> $(Device) ;
        /proc/net               -> $(Device) ;
        /proc/tty               -> $(Device) ;
        . . .

Comment out /var/run and /var/lock lines

    (
  rulename = "System boot changes",
  severity = $(SIG_HI)
    )
    {
        #/var/lock              -> $(SEC_CONFIG) ;
        #/var/run               -> $(SEC_CONFIG) ; # daemon PIDs
        /var/log                -> $(SEC_CONFIG) ;
    }

Save and close

Re-create encrypted policy file

sudo twadmin -m P /etc/tripwire/twpol.txt

Re-initialize database

sudo tripwire --init

Warnings should be gone. If there are still warnings, continue editing /etc/tripwire/twpol.txt file until gone.

Check current status of warnings

sudo tripwire --check

Delete test_results file that was just created

sudo rm /etc/tripwire/test_results

Remove plain text configuration files

sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'

Move text version to backup location and recreate it

sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak
sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'

Remove plain text files

sudo rm /etc/tripwire/twpol.txt
sudo rm /etc/tripwire/twpol.txt.bak

Send an email notifications

sudo apt-get install mailutils

See if we can send email

sudo tripwire --check | mail -s "Tripwire report for `uname -n`" your_email@example.com

Check report that was sent with the email

sudo tripwire --check --interactive

Remove x from box if not ok with change. Re-run above command to reset warning after each email received

Automate Tripwire with Cron

Check if root already has crontab by issuing this command

sudo crontab -l

If crontab is present, pipe into file to back it up

sudo sh -c 'crontab -l > crontab.bad'

Edit crontab

sudo crontab -e

To have tripwire run at 3:30am every day, insert this line

30 3 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" your_email@example.com

<a name="upgrades"></a>Enable Automatic Upgrades

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Update the 10 periodic file. 1 means that it will upgrade every day

sudo nano /etc/apt/apt.conf.d/10periodic

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Unattended-Upgrade "1";

<a name="autostart"></a>Autostart OpenVPN on Debian client computer

sudo nano /etc/default/openvpn

Uncomment:

AUTOSTART=all

Copy client.ovpn to /etc/openvpn/client.conf by renaming file

gksu -w -u root gksu thunar

Reload openvpn configuration

/etc/init.d/openvpn reload /etc/openvpn/client.conf

Check for tun0 interface

ifconfig

<a name="multiple-clients"></a>Allow multiple clients to connect with same ovpn file

Note: While it's possible to allow multiple clients to connect with the same ovpn file, it's generally safer to create individual ovpn files for each client.

sudo nano /etc/openvpn/server.conf

Uncomment following line:

duplicate-n

Restart OpenVPN service

sudo service openvpn restart

<a name="misc"></a>Maintenance Commands

#Programs holding open network socket
lsof -i

#Show all running processes
ps -ef

#Who is logged on
who -u

#Kill the process that you want
kill "pid"

#Check SSH sessions
ps aux | egrep "sshd: [a-zA-Z]+@"

#Check SSHD
ps fax

#Check last logins
last

#Check ufw status
sudo ufw status verbose

#Delete ufw rules
sudo ufw delete deny "port"

#Check logs
grep -ir ssh /var/log/* 
grep -ir sshd /var/log/* 
grep -ir breakin /var/log/* 
grep -ir security /var/log/*

#Tree directory 
http://www.cyberciti.biz/faq/linux-show-directory-structure-command-line/

#See all files
tree -a

#List directories only
tree -d

#Colorized output
tree -C

#File management
https://www.digitalocean.com/community/tutorials/basic-linux-navigation-and-file-management
http://www.computerworld.com/article/2598082/linux/linux-linux-command-line-cheat-sheet.html
http://www.debian-tutorials.com/beginners-how-to-navigate-the-linux-filesystem

#LSOF Commands
https://stackoverflow.com/questions/106234/lsof-survival-guide

#How to kill zombie process
ps aux | grep 'Z'

#Find the parent PID of the zombie
pstree -p -s 93572

#Check IPTables traffic
sudo iptables -v -x -n -L

#Report file system disk space
df -Th

#Check trash size
sudo find / -type d -name '*Trash*' | sudo xargs du -h | sort

#Check size of packages in apt
du -h /var/cache/apt/

#Check size of log files
sudo du -h /var/log

#Check size of lost+found folder
sudo find / -name "lost+found" | sudo xargs du -h

#How to delete lots of text in nano
Scroll to top of text, press Alt+A, Ctrl-V to bottom of text, press Ctrl-K to cut the text, Ctrl-O to save, Ctrl-X to exit

#How to scan top 8000 ports using nmap
nmap -vv --top-ports 8000 your_hostname

#Delete ufw and iptable rules by line number. In this example we use number 666
sudo ufw status numbered
sudo ufw delete 666

sudo iptables -L --line-numbers
sudo iptables -D INPUT 666