Debian/Ubuntu Tips and Tricks

Debuntu

Debian/Ubuntu Tips and Tricks

Archive for the 'Networking' Category

How Tos related to networking from accessing remote hosts, configuring a service or administration.

How-To: Prevent SPAM with Apache’s mod security

Posted by chantra on 6th November 2014

WordPress is a great piece of software to run a blog, it is flexible, has tons of plugins are developed for it and updates are really easy to do. To fight spam comments, there is already the Akismet plugin that does a really good job.
While Akismet catches the spam comments and put them in a separate location, making it easy to delete them, as the number of spam grows, WordPress can take long to empty the purge the flush comments and the best option becomes to use a manual SQL query to flush them.
In this article, we will see how we can use RBL to prevent spammer from posting to WordPress's comment page and at the same time, lift a bit of load from the server.
While the rules work for WordPress, with a bit of modifications, it will be easy to get this setup working for any kind of blog/website.

Read the rest of this entry »

Tags: , ,
Posted in Administration, HowTo, HTTP, Networking, System | 1 Comment »

How-To: Fight SPAM with Postfix RBL

Posted by chantra on 26th September 2013

Spam, spam everywhere! If you are hosting your own mail server, fighting spam can become tricky. Antispam solutions do catch a fair amount of them, but still many spam email can still make their way through.

RBL (Real-time Blackhole) is a database of known spammy IPs which is accessible over DNS. Depending on the response received from the DNS server, the IP is classified as spammy or not.

This tutorial will show you how to set up RBL with postfix.

Read the rest of this entry »

Tags: , , ,
Posted in Administration, HowTo, Networking, System | 1 Comment »

How-To: WiFi roaming with wpa-supplicant

Posted by chantra on 18th June 2013

wpa_supplicant can be used as a roaming daemon so you can get your system to automatically connect to different network as you are going from one location to another.

This come in pretty handy on headless machines where you rely on network connection to be up in order to be able to access the machine.

Read the rest of this entry »

Tags: ,
Posted in Administration, HowTo, Networking | No Comments »

How-To: find which program consumes your bandwidth with nethogs

Posted by chantra on 29th March 2013

Let's continue the network monitoring serie with yet another use case.... the "What program is using my bandwidth?" problem while not imposible to solve, still remains a pain. What if there were some kind of top for network?

NetHogs is a nifty tool that will do that for you and will help you finding what is hogging your connection.

Read the rest of this entry »

Tags: , , ,
Posted in Administration, HowTo, Networking | No Comments »

How-To: monitor network bandwidth usage with vnstat

Posted by chantra on 11th March 2013

There is many tools out there that help in monitoring network usage, collect statistics and generate graphs so we can view what happened at a given date/time. Anyhow, finding the bandwidth usage over an hour/day/week/month can be really tricky.

vnstat is a suite of daemon and client programs that monitor network bandwidth usage.

Read the rest of this entry »

Tags: , , ,
Posted in Administration, HowTo, Networking | No Comments »

How-To: OpenVPN on Debian Squeeze with Username/Password authentication

Posted by chantra on 16th January 2013

Client configuration

To get the client configuration set, you will need to provide the following file:

  • ta.key
  • ca.crt

# mkdir clientconfig
# cp /etc/openvpn/easy-rsa/2.0/keys/{ca.crt,ta.key} clientconfig/

And finally create the config file clientconfig/client.ovpn

client
dev tun
proto udp
# change to your vpn server
remote 172.16.132.5 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
ns-cert-type server
tls-auth ta.key 1
# in UDP mode, explicitely notify
# the server that we exit
# send up to 3 attempts
explicit-exit-notify 3
comp-lzo
verb 3
auth-user-pass

Finally, provide the clientconfig folder and its content to a client.

I would recommend using network-manager-openvpn package on Debian/Ubuntu. It is a easy as importing the configuration through network-manager wizard.

Another way to connect to your newly intalled openvpn server is to run the following command:

chantra@fb-ubu1210-64:~/clientconfig$ sudo openvpn ovpn.ovpn
Tue Jan 15 20:22:14 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct  8 2012
Enter Auth Username:chantra
Enter Auth Password:
Tue Jan 15 20:22:22 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jan 15 20:22:22 2013 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Jan 15 20:22:22 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 15 20:22:22 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 15 20:22:22 2013 LZO compression initialized
Tue Jan 15 20:22:22 2013 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jan 15 20:22:22 2013 Socket Buffers: R=[212992->131072] S=[212992->131072]
Tue Jan 15 20:22:22 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 15 20:22:22 2013 Local Options hash (VER=V4): '504e774e'
Tue Jan 15 20:22:22 2013 Expected Remote Options hash (VER=V4): '14168603'
Tue Jan 15 20:22:22 2013 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Jan 15 20:22:22 2013 UDPv4 link local: [undef]
Tue Jan 15 20:22:22 2013 UDPv4 link remote: [AF_INET]172.16.132.5:1194
Tue Jan 15 20:22:22 2013 TLS: Initial packet from [AF_INET]172.16.132.5:1194, sid=8c1e69ca 24d3f240
Tue Jan 15 20:22:22 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jan 15 20:22:22 2013 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston CA/emailAddress=me@myhost.mydomain
Tue Jan 15 20:22:22 2013 VERIFY OK: nsCertType=SERVER
Tue Jan 15 20:22:22 2013 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston CA/emailAddress=me@myhost.mydomain
Tue Jan 15 20:22:22 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan 15 20:22:22 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 15 20:22:22 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan 15 20:22:22 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 15 20:22:22 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jan 15 20:22:22 2013 [frd1h01] Peer Connection Initiated with [AF_INET]172.16.132.5:1194
Tue Jan 15 20:22:24 2013 SENT CONTROL [frd1h01]: 'PUSH_REQUEST' (status=1)
Tue Jan 15 20:22:24 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Tue Jan 15 20:22:24 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jan 15 20:22:24 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jan 15 20:22:24 2013 OPTIONS IMPORT: route options modified
Tue Jan 15 20:22:24 2013 OPTIONS IMPORT: route-related options modified
Tue Jan 15 20:22:24 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jan 15 20:22:24 2013 ROUTE default_gateway=172.16.132.2
Tue Jan 15 20:22:24 2013 TUN/TAP device tun0 opened
Tue Jan 15 20:22:24 2013 TUN/TAP TX queue length set to 100
Tue Jan 15 20:22:24 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jan 15 20:22:24 2013 /sbin/ifconfig tun0 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Tue Jan 15 20:22:24 2013 /sbin/route add -net 172.16.132.5 netmask 255.255.255.255 gw 172.16.132.2
Tue Jan 15 20:22:24 2013 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Tue Jan 15 20:22:24 2013 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Tue Jan 15 20:22:24 2013 GID set to nogroup
Tue Jan 15 20:22:24 2013 UID set to nobody
Tue Jan 15 20:22:24 2013 Initialization Sequence Completed

That's it, you should now be able to connect to your OpenVPN server and encrypt all the traffic between your workstation and your server!

Tags: , , , ,
Posted in Administration, HowTo, Networking, Softwares, System | No Comments »

How-To: Set up a L2TP over IPSec VPN using a Radius backend — page 3

Posted by chantra on 18th June 2010

This entry is part 3 of 3 in the series How-To: Set up a L2TP over IPSec VPN using a Radius backend

Using freeradius for authentication

Here I am going to consider that the freeradius server is set up correctly, meaning that you can already authenticate your users with freeradius using radtest utility.

In order to get ppp to use freeradius, we need to install libradius1:

# apt-get install libradius1

No we need to set up the server we use in /etc/radiusclient/servers. Here we use the default password on localhost:

localhost testing123

and finally, we tell ppp to use the radius plugin by adding at the end of /etc/xl2tpd/ppp-options.xl2tpd :

plugin radius.so

And that should be it!

Tags: , , , ,
Posted in Administration, HowTo, Networking, System | No Comments »

How-To: Set up a L2TP over IPSec VPN using a Radius backend — page 2

Posted by chantra on 18th June 2010

This entry is part 1 of 3 in the series How-To: Set up a L2TP over IPSec VPN using a Radius backend

XL2TP

Now, let's get on the next phase: XL2TP.

Packages Requirements

You can install xl2tp with the following command:

# apt-get install xl2tp

Configuration

The configuration of xl2tp happens in /etc/xl2tpd/xl2tpd.conf. We are going to provide IPs in the range 10.10.10.2-10.10.10.254, 10.10.10.1 being the endpoint IP of the VPN server.

So go ahead and open /etc/xl2tpd/xl2tpd.conf and make it look like:

[global]
ipsec saref = yes
listen-addr = your external IP address
port = 1701
[lns default]
ip range = 10.10.10.2-10.10.10.254
local ip = 10.10.10.1
refuse chap = yes
require pap = yes
require authentication = no
name = LinuxVPNserver
hostname = YourHostName
ppp debug = yes
length bit = yes
pppoptfile = /etc/xl2tpd/ppp-options.xl2tpd

Copy an example config from xl2tp doc:

sudo cp /usr/share/doc/xl2tpd/examples/ppp-options.xl2tpd /etc/xl2tpd/ppp-options.xl2tpd

Now go and edit etc/xl2tpd/ppp-options.xl2tpd and make it look like:

require-pap
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

Same here, change it with whatever mstches your settings (DNS...)

Finally test your configuration with:

sudo xl2tpd -D

Tags: , , , ,
Posted in Administration, HowTo, Networking, System | 1 Comment »

How-To: Set up a L2TP over IPSec VPN using a Radius backend

Posted by chantra on 18th June 2010

This entry is part 1 of 3 in the series How-To: Set up a L2TP over IPSec VPN using a Radius backend

Even though I pretty like OpenVPN, there is still some devices that might not support the TUN/TAP driver needed by OpenVPN.

Take IPhones, Android phones for instance, you need to root them in order to get that feature, assuming somebody has already cooked a ROM for your device.

L2TP is quite and old standard that allow setting up VPNs.

On the other end, it does not provide any kind of encryption mechanism, and as such, it is pretty common to get L2TP running over an IPSec link.

In this tutorial, we are going to set up this kind of VPN. First IPSec will create an encrypted link, then L2TP will create a VPN link.

We are going to use a Pre-Shared Key (or PSK) for IPsec.

L2TP will use PAP as an authentication mechanism.
Why PAP? Because that allow us to store encrypted password instead of plain text one. Some might say that the password will go over the wire unencrypted, but here we have IPSec taking care of not letting our password be seeing by others.

This tutorial was done on Debian Lenny and Windows XP SP3 connected to the service successfully. Android 2.2 client also connected successfully.

Windows mobiles would fail to authenticated as PAP is not supported on the client :s !

So let get started with IPSec.

IPSec

Packages requirements

We are going to use OpenSwan to handle IPSec. On Debian, you can install it with:

# apt-get install openswan

If you are asked questions, just answer the default.

IPSec Configuration

We are going to use the example from /etc/ipsec.d/examples/l2tp-psk.conf and copy the following below # Add connections here in /etc/ipsec.conf.

version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # If we consider that we have an internal interface on subnet 192.168.22.0/24,
        # we need to had here we had %v4:!192.168.22.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.22.0/24
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0
# Add connections here
conn L2TP-PSK-CLIENTS
  #
  # Configuration for one user with any type of IPsec/L2TP client
  # including the updated Windows 2000/XP (MS KB Q818043), but
  # excluding the non-updated Windows 2000/XP.
  #
  #
  # Use a Preshared Key. Disable Perfect Forward Secrecy.
  #
  # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
  # YourIPAddress  %any: "sharedsecret"
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  # we cannot rekey for %any, let client rekey
  rekey=no
  type=transport
  #
  left=%defaultroute
  leftnexthop=%defaultroute
  # or you can use: left=YourIPAddress
  # leftnexthop=YourGatewayIPAddress
  #
  # For updated Windows 2000/XP clients,
  # to support old clients as well, use leftprotoport=17/%any
  leftprotoport=17/1701
  #
  # The remote user.
  #
  right=%any
  rightsubnet=vhost:%priv,%no
  # Using the magic port of "0" means "any one single port". This is
  # a work around required for Apple OSX clients that use a randomly
  # high port, but propose "0" instead of their port.
  rightprotoport=17/%any
# sample VPN connections, see /etc/ipsec.d/examples/

Now we set our preshared key in /etc/ipsec.secrets with the format given in the configuration:

YourIPAddress  %any: PSK "sharedsecret"

And that should be it for the IPsec part. Now you can restart IPSec:

# /etc/init.d/ipsec restart

You might want to check the output of:

# ipsec auto --status

to troubleshoot potential issues.

Firewall

If you have a firewall set up, you can use those settings to allow ipsec:

-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT

Well, assuming IPsec part is fine, let go to the xl2tp part now.

Tags: , , , ,
Posted in Administration, HowTo, Networking, System | 1 Comment »

How-To: Network-Manager-OpenVPN overwrites default route

Posted by chantra on 2nd March 2010

I was trying network-manager-openvpn plugin today on Lucid, I could import my configuration, DNS was set up correctly upon connection/disconnection, route imported correctly (almost :)).

One issue though is that it was also changing the default route to the VPN tunnel while this should not happen.

Well, the solution was simple enough after some googling (or yahooing should I say).
It appears that there is an option to set. And was as easy as editing your connection and going through:
IPv4 Settings->Routes and checking "Use this connection only for resources on its network".

Tags: ,
Posted in HowTo, Networking | No Comments »