Awesome
OpenVPN and Ipsec L2tp server
Steps I take when setting up a VPN server on Digital Ocean
Table of Contents
- Create SSH keys on client computer
- Login after creating droplet
- Disable root login and change SSH port
- Enable UFW
- Install OpenVPN
- Install Libreswan
- Install Dnsmasq
- Install NTP
- Install send only SSMTP service
- Install Fail2ban
- Install Tripwire
- Enable Automatic upgrades
- Autostart OpenVPN on Debian client computer
- Allow multiple clients to connect with same ovpn file
- Maintenance commands
<a name="create-keys"></a>Create SSH keys on client computer
Check for existing SSH keys
ls -al ~/.ssh
Generate new SSH key
ssh-keygen -t rsa -b 4096 -C your_email@example.com
Public key is now located in /home/demo/.ssh/id_rsa.pub
. Private key is now located in /home/demo/.ssh/id_rsa
. While creating new droplet, add these keys.
<a name="new-login"></a>Login after creating droplet
Login as root
ssh root@server_ip_address
Upgrade system
sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
Create new user
adduser demo
Give root privileges
gpasswd -a demo sudo
Add public key authentication for new user using client computer. Call new public key id_rsa_demo
ssh-keygen -t rsa -b 4096 -C your_email@example.com
Copy contents of public key by CTRL-C
or (cat ~/.ssh/id_rsa_demo.pub)
Manually install public key on server
su - demo
mkdir .ssh
chmod 700 .ssh
Paste in public key while in nano
sudo nano .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
Exit returns to root
exit
Login as new user
<a name="disable-root"></a>Disable root login and change SSH port
You can change the SSH port to any value that doesn't conflict with other active ports. Although Port 22 is used in the example below, you can choose a different port. Update the UFW rules to allow the new port and restart UFW before restarting SSH.
sudo nano /etc/ssh/sshd_config
Port 22
PermitRootLogin without-password
reload ssh
sudo restart ssh
<a name="enable-ufw"></a>Enable UFW
ufw limit 22
ufw allow 1194/udp
ufw allow 500/udp
ufw allow 4500/udp
Change from DROP to ACCEPT
sudo nano /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
Add these lines to the before.rules
file
sudo nano /etc/ufw/before.rules
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
UFW rules should look similar to this
#Status: active
#Logging: on (low)
#Default: deny (incoming), allow (outgoing), allow (routed)
#New profiles: skip
#To Action From
#-- ------ ----
#22 LIMIT IN Anywhere
#1194/udp ALLOW IN Anywhere
#500/udp ALLOW IN Anywhere
#4500/udp ALLOW IN Anywhere
#1194/udp (v6) ALLOW IN Anywhere (v6)
#22 (v6) LIMIT IN Anywhere (v6)
#500/udp (v6) ALLOW IN Anywhere (v6)
#4500/udp (v6) ALLOW IN Anywhere (v6)
<a name="install-ovpn"></a>Install OpenVPN
#https://github.com/Nyr/openvpn-install
wget git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
Copy unified .ovpn
to client computer
scp -P root@server_ip_address:client.ovpn Downloads/
<a name="install-libreswan"></a>Install Libreswan
Libreswan is an implementation of IPsec (Internet Protocol Security) and IKE (Internet Key Exchange) for Linux. It's used to create secure VPN connections.
#https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
#https://github.com/hwdsl2/setup-ipsec-vpn
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh
sudo nano -w vpnsetup.sh
PSK:your_private_key
Username:your_username
Password:your_password
/bin/sh vpnsetup.sh
Run following commands if OpenVPN doesn't work after reboot
sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
sudo iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo service ufw stop
sudo service ufw start
sudo /etc/init.d/openvpn restart
sudo iptables-save > /etc/iptables.rules
sudo nano /etc/rc.local
iptables-restore < /etc/iptables.rules
<a name="dnsmasq"></a>Install Dnsmasq
Dnsmasq is a lightweight DNS (Domain Name System) forwarder and DHCP (Dynamic Host Configuration Protocol) server. It's used to resolve hostnames and manage IP addresses.
Check current nameserver configuration
cat /etc/resolv.conf
Install Dnsmasq
sudo apt-get install dnsmasq
cat /etc/resolv.conf
Take note of query time
dig duckduckgo.com @localhost
Check again after cached
dig duckduckgo.com @localhost
<a name="ntp"></a>Install NTP
sudo apt-get install ntp
sudo dpkg-reconfigure tzdata
sudo ntpdate pool.ntp.org
sudo service ntp start
<a name="ssmtp"></a>Install send only SSMTP service
SSMTP send-only command-line tool that allows sending emails from the Linux command line. SMTP stands for Simple Mail Transfer Protocol.
sudo apt-get install ssmtp
sudo nano /etc/ssmtp/ssmtp.conf
#root=postmaster
root=your_email@example.com
#mailhub=mail
mailhub=smtp.gmail.com:587
AuthUser=your_email@example.com
AuthPass=your_password
UseTLS=YES
UseSTARTTLS=YES
#rewriteDomain=
rewriteDomain=gmail.com
#hostname=your_hostname
hostname=your_email@example.com
Test ssmtp in terminal
ssmtp recipient_email@example.com
Format message as below
To: recipient_email@example.com
From: myemailaddress@gmail.com
Subject: test email
test email
Insert blank line after Subject:
. This is the body of the email. Press CTRL-D
to send message. Sometimes pressing CTRL-D
a second time after about 10 seconds is needed if message is not sent.
<a name="fail2ban"></a>Install Fail2ban
Fail2ban is a log-parsing tool that protects against brute-force attacks. It monitors log files for failed login attempts and can ban IPs that show malicious signs.
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Use space separator to add more than one IP
ignoreip = 127.0.0.⅛
bantime = 600
maxretry = 3
destemail = your_email@example.com
sendername = Fail2Ban
mta = sendmail
#_mwl sends email with logs
action = %(action_mwl)s
Jails which can be initially set to true without any errors
#ssh
#dropbear
#pam-generic
#ssh-ddos
#postfix
#couriersmtp
#courierauth
#sasl
#dovecot
Restart Fail2ban
sudo service fail2ban stop
sudo service fail2ban start
Check list of banned IPs for Fail2ban
fail2ban-client status ssh
iptables --list -n | fgrep DROP
Full system backup using rsync.
Using the -aAX set of options, all attributes are preserved
rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} root@your_hostname:/ /home/demo/backup/
<a name="tripwire"></a>Install TripWire
Tripwire is an intrusion detection system that monitors file integrity. It checks for unauthorized changes to critical system files and can alert administrators.
#https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
sudo apt-get install tripwire
Set the Site-Key
and Local-Key
passphrase
Create policy file
sudo twadmin --create-polfile /etc/tripwire/twpol.txt
Initialize database
sudo tripwire --init
sudo sh -c 'tripwire --check | grep Filename > /etc/tripwire/test_results'
Entries may look like this
less /etc/tripwire/test_results
Filename: /etc/rc.boot
Filename: /root/mail
Filename: /root/Mail
Filename: /root/.xsession-errors
Filename: /root/.xauth
Filename: /root/.tcshrc
Filename: /root/.sawfish
Filename: /root/.pinerc
Filename: /root/.mc
Filename: /root/.gnome_private
Filename: /root/.gnome-desktop
Filename: /root/.gnome
Filename: /root/.esd_auth
Filename: /root/.elm
Filename: /root/.cshrc
Filename: /root/.bash_profile
Filename: /root/.bash_logout
Filename: /root/.amandahosts
Filename: /root/.addressbook.lu
Filename: /root/.addressbook
Filename: /root/.Xresources
Filename: /root/.Xauthority
Filename: /root/.ICEauthority
Filename: /proc/30400/fd/3
Filename: /proc/30400/fdinfo/3
Filename: /proc/30400/task/30400/fd/3
Filename: /proc/30400/task/30400/fdinfo/3
Edit text policy in editor
sudo nano /etc/tripwire/twpol.txt
Search for each of the files that were returned in the test_results
file. Comment out lines that match.
{
/dev -> $(Device) ;
/dev/pts -> $(Device) ;
#/proc -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
. . .
Comment out /var/run
and /var/lock
lines
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
#/var/lock -> $(SEC_CONFIG) ;
#/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;
}
Save and close
Re-create encrypted policy file
sudo twadmin -m P /etc/tripwire/twpol.txt
Re-initialize database
sudo tripwire --init
Warnings should be gone. If there are still warnings, continue editing /etc/tripwire/twpol.txt
file until gone.
Check current status of warnings
sudo tripwire --check
Delete test_results
file that was just created
sudo rm /etc/tripwire/test_results
Remove plain text configuration files
sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'
Move text version to backup location and recreate it
sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak
sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'
Remove plain text files
sudo rm /etc/tripwire/twpol.txt
sudo rm /etc/tripwire/twpol.txt.bak
Send an email notifications
sudo apt-get install mailutils
See if we can send email
sudo tripwire --check | mail -s "Tripwire report for `uname -n`" your_email@example.com
Check report that was sent with the email
sudo tripwire --check --interactive
Remove x
from box if not ok with change. Re-run above command to reset warning after each email received
Automate Tripwire with Cron
Check if root already has crontab by issuing this command
sudo crontab -l
If crontab is present, pipe into file to back it up
sudo sh -c 'crontab -l > crontab.bad'
Edit crontab
sudo crontab -e
To have tripwire run at 3:30am every day, insert this line
30 3 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" your_email@example.com
<a name="upgrades"></a>Enable Automatic Upgrades
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
Update the 10 periodic file. 1
means that it will upgrade every day
sudo nano /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Unattended-Upgrade "1";
<a name="autostart"></a>Autostart OpenVPN on Debian client computer
sudo nano /etc/default/openvpn
Uncomment:
AUTOSTART=all
Copy client.ovp
n to /etc/openvpn/client.conf
by renaming file
gksu -w -u root gksu thunar
Reload openvpn configuration
/etc/init.d/openvpn reload /etc/openvpn/client.conf
Check for tun0
interface
ifconfig
<a name="multiple-clients"></a>Allow multiple clients to connect with same ovpn file
Note: While it's possible to allow multiple clients to connect with the same ovpn file, it's generally safer to create individual ovpn files for each client.
sudo nano /etc/openvpn/server.conf
Uncomment following line:
duplicate-n
Restart OpenVPN service
sudo service openvpn restart
<a name="misc"></a>Maintenance Commands
#Programs holding open network socket
lsof -i
#Show all running processes
ps -ef
#Who is logged on
who -u
#Kill the process that you want
kill "pid"
#Check SSH sessions
ps aux | egrep "sshd: [a-zA-Z]+@"
#Check SSHD
ps fax
#Check last logins
last
#Check ufw status
sudo ufw status verbose
#Delete ufw rules
sudo ufw delete deny "port"
#Check logs
grep -ir ssh /var/log/*
grep -ir sshd /var/log/*
grep -ir breakin /var/log/*
grep -ir security /var/log/*
#Tree directory
http://www.cyberciti.biz/faq/linux-show-directory-structure-command-line/
#See all files
tree -a
#List directories only
tree -d
#Colorized output
tree -C
#File management
https://www.digitalocean.com/community/tutorials/basic-linux-navigation-and-file-management
http://www.computerworld.com/article/2598082/linux/linux-linux-command-line-cheat-sheet.html
http://www.debian-tutorials.com/beginners-how-to-navigate-the-linux-filesystem
#LSOF Commands
https://stackoverflow.com/questions/106234/lsof-survival-guide
#How to kill zombie process
ps aux | grep 'Z'
#Find the parent PID of the zombie
pstree -p -s 93572
#Check IPTables traffic
sudo iptables -v -x -n -L
#Report file system disk space
df -Th
#Check trash size
sudo find / -type d -name '*Trash*' | sudo xargs du -h | sort
#Check size of packages in apt
du -h /var/cache/apt/
#Check size of log files
sudo du -h /var/log
#Check size of lost+found folder
sudo find / -name "lost+found" | sudo xargs du -h
#How to delete lots of text in nano
Scroll to top of text, press Alt+A, Ctrl-V to bottom of text, press Ctrl-K to cut the text, Ctrl-O to save, Ctrl-X to exit
#How to scan top 8000 ports using nmap
nmap -vv --top-ports 8000 your_hostname
#Delete ufw and iptable rules by line number. In this example we use number 666
sudo ufw status numbered
sudo ufw delete 666
sudo iptables -L --line-numbers
sudo iptables -D INPUT 666