Network

Most Ethernet configuration is centralized in a single file, /etc/network/interfaces.

A sample /etc/network/interfaces file

 auto lo
 iface lo inet loopback

 # The primary network interface
 auto eth0
 iface eth0 inet static
         address 192.168.0.100
         netmask 255.255.255.0
         network 192.168.0.0
         broadcast 192.168.0.255
         gateway 192.168.0.1

 auto eth1
 iface eth1 inet dhcp

The /etc/hostname file holds the host name of the system.

To restart the network

 /etc/init.d/networking restart

To list all listening TCP ports and the programs behind them

 # netstat -tap

To bring an interface up or down using the configuration in the /etc/network/interfaces file

 ifup <interface>  /  ifdown <interface>

Change the hostname manually

01. Edit /etc/hostname file
02. Edit /etc/hosts file
03. Edit /etc/motd and /etc/printcap if required
04. Run hostname -F /etc/hostname

sftp in a chroot jail

 # apt-get update
 # apt-get install openssh-server
 # groupadd sftponly
 # useradd user1 -d /home/user1 -G sftponly -s /bin/false
 # chown root:sftponly /home/user1
 # mkdir /home/user1/upload /home/user1/download
 # chown user1:sftponly /home/user1/*

Note: Change the owner of /home/user1 to root. Otherwise, sshd may not allow the user to log in.

Modify the /etc/ssh/sshd_config file

The line

 Subsystem sftp /usr/lib/openssh/sftp-server

Needs to be replaced with

 Subsystem sftp internal-sftp

Now go to the end of the file. After "UsePAM yes" add the following lines to configure the permissions and settings for the sftponly group

 Match Group sftponly
 ChrootDirectory %h
 X11Forwarding no
 AllowTcpForwarding no
 ForceCommand internal-sftp

Restart the ssh daemon

 # service ssh restart
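The note above about making /home/user1 root-owned is one instance of a general sshd rule: every directory from / down to the ChrootDirectory must be owned by root and must not be group- or world-writable, or the login is refused. The following Python check, added here and not part of the original notes, walks that path and reports each violation; the function name and its `stop`/`want_uid` parameters are this example's own (they default to "/" and root).

```python
import os
import stat


def check_chroot_path(path, stop="/", want_uid=0):
    """Return a list of problems with the ChrootDirectory `path`.

    Walks from `path` up to `stop` (normally "/") and checks each component
    the way sshd does: must be a directory, owned by `want_uid` (root), and
    not writable by group or others.  An empty list means the jail is usable.
    """
    problems = []
    p = os.path.abspath(path)
    while True:
        st = os.stat(p)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{p}: not a directory")
        if st.st_uid != want_uid:
            problems.append(f"{p}: owned by uid {st.st_uid}, want uid {want_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = oct(stat.S_IMODE(st.st_mode))
            problems.append(f"{p}: group/world writable ({mode})")
        if p in (stop, "/"):
            break
        p = os.path.dirname(p)
    return problems


if __name__ == "__main__":
    # Check the jail set up in the procedure above (run as any user).
    for problem in check_chroot_path("/home/user1") or ["/home/user1: ok"]:
        print(problem)
```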

Configuring OpenVPN on Ubuntu

There are two types of OpenVPN implementation.

  1. Routed
  2. Bridged

The example below is for a routed VPN implementation.

01. Install Open VPN software

    apt-get install openvpn

02. Copy all the sample config files and key-generation scripts to the /etc/openvpn/easy-rsa directory

    mkdir -p /etc/openvpn/easy-rsa
    cp -R /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/easy-rsa/

03. Modify the /etc/openvpn/easy-rsa/vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="Santa Clara"
    export KEY_ORG="SYSADMIN"
    export KEY_EMAIL="admin@sys-admin.net"

04. Create the CA (Certificate Authority) certificate

    cd /etc/openvpn/easy-rsa
    . ./vars
    ./clean-all
    ./build-ca

05. Create the server certificate

    ./build-key-server server

06. Create certificates and keys for the clients (two clients here)

    ./build-key client1
    ./build-key client2

07. Generate Diffie-Hellman parameters

    ./build-dh

08. For extra security, create an "HMAC firewall" (the tls-auth key ta.key, generated in /etc/openvpn/easy-rsa)

    openvpn --genkey --secret ta.key

09. Sample server.conf file (/etc/openvpn/server.conf; the relative paths below are resolved from /etc/openvpn)

  local 192.168.123.51
  port 1194
  proto udp
  dev tun0
  ca easy-rsa/keys/ca.crt
  cert easy-rsa/keys/server.crt
  key easy-rsa/keys/server.key
  dh easy-rsa/keys/dh1024.pem
  tls-auth easy-rsa/ta.key 0   # key from step 08; the client side uses direction 1
  server 192.168.200.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  push "route 192.168.123.0 255.255.255.0"
  push "dhcp-option DNS 192.168.123.1"
  client-to-client
  keepalive 10 120
  cipher AES-128-CBC   # AES
  comp-lzo
  user nobody
  group nogroup        # Debian/Ubuntu have no "nobody" group; the unprivileged group is nogroup
  persist-key
  persist-tun
  status openvpn-status.log
  log openvpn.log
  verb 3
  tun-mtu 1500
  tun-mtu-extra 32
  mssfix 1450

Add a static route on the router for the 192.168.200.0 network, with the IP address of the VPN server as its gateway. In the above example, that is 192.168.123.51.

Client

1. Create the client certificate

    cd /etc/openvpn/easy-rsa
    ./build-key client_name

2. Copy the ca.crt, ta.key, client_name.crt and client_name.key files from the server

3. Create a config file client_name.ovpn with the following lines in it.

  client
  dev tun
  proto udp

  # change this to your server's address
  remote 64.244.77.35
  resolv-retry infinite
  nobind
  persist-key
  persist-tun

  # Point the key and crt files to
  # the ones for this user
  tls-client
  ca ca.crt
  cert client_name.crt
  key client_name.key

  # ensure that we are talking to a server
  ns-cert-type server

  # confirm we are talking to the correct server
  tls-auth ta.key 1

  # Select a cryptographic cipher.
  # If the cipher option is used on the server
  # then you must also specify it here.
  cipher AES-128-CBC

  # Enable compression on the VPN link.
  comp-lzo

  # fragment large packets
  # I found I needed this for some games but it is
  # not required
  #fragment 1400
  tun-mtu 1500
  tun-mtu-extra 32
  mssfix 1450

  route-method exe
  route-delay 2

Install the OpenVPN GUI and copy all the above files to its config directory
http://openvpn.se/download.html
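Several settings in the client file above must agree with server.conf (proto, cipher, comp-lzo, the port, and tls-auth with direction 0 on the server and 1 on the client) or the tunnel silently fails to come up. The following Python checker, added here as an example and not part of the original notes, parses both files and lists the mismatches; `parse_ovpn`, `check_pair` and the constructed SERVER/CLIENT excerpts are this example's own.

```python
import re


def parse_ovpn(text):
    """Parse OpenVPN config text into {directive: [args, ...]}.

    '#' and ';' comments are stripped; a directive that appears more than
    once (e.g. several push lines) keeps every occurrence in order.
    """
    conf = {}
    for line in text.splitlines():
        line = re.sub(r"\s*[#;].*$", "", line).strip()
        if line:
            words = line.split()
            conf.setdefault(words[0], []).append(words[1:])
    return conf


def check_pair(server_text, client_text):
    """Return the client/server mismatches that would break the tunnel."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    issues = []
    for d in ("proto", "cipher"):  # must be identical on both sides
        sv = " ".join(s.get(d, [[]])[0]) or "unset"
        cv = " ".join(c.get(d, [[]])[0]) or "unset"
        if sv != cv:
            issues.append(f"{d}: server {sv} vs client {cv}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        issues.append("comp-lzo set on only one side")
    st, ct = s.get("tls-auth"), c.get("tls-auth")  # the "HMAC firewall"
    if bool(st) != bool(ct):
        issues.append("tls-auth set on only one side")
    elif st and (st[0][1:] != ["0"] or ct[0][1:] != ["1"]):
        issues.append("tls-auth key direction must be 0 on server, 1 on client")
    sport = s.get("port", [["1194"]])[0][0]  # 1194 is OpenVPN's default
    remote = c.get("remote", [[]])[0]
    cport = remote[1] if len(remote) > 1 else "1194"
    if sport != cport:
        issues.append(f"port: server {sport} vs client remote port {cport}")
    return issues


# Constructed excerpts of the two configs on this page (not the full files).
SERVER = "port 1194\nproto udp\ntls-auth easy-rsa/ta.key 0\ncipher AES-128-CBC   # AES\ncomp-lzo\n"
CLIENT = "client\nproto udp\nremote 64.244.77.35\ntls-auth ta.key 1\ncipher AES-128-CBC\ncomp-lzo\n"

if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT) or "server and client configs agree")
```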

To revoke an OpenVPN certificate called client1

 cd /etc/openvpn/easy-rsa
 ./revoke-full client1
 Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
 Revoking Certificate 04.
 Data Base Updated
 Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
 client1.crt: /C=US/ST=CA/L=Santa Clara/O=SYS-ADMIN.NET/CN=client1/emailAddress=admin@sys-admin.net
 error 23 at 0 depth lookup:certificate revoked

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

    crl-verify easy-rsa/keys/crl.pem

  • When the crl-verify option is used in OpenVPN, the CRL file will be re-read any time a new client connects or an existing client renegotiates the SSL/TLS connection (by default once per hour). This means that you can update the CRL file while the OpenVPN server daemon is running, and have the new CRL take effect immediately for newly connecting clients. If the client whose certificate you are revoking is already connected, you can restart the server via a signal (SIGUSR1 or SIGHUP) and flush all clients, or you can telnet to the management interface and explicitly kill the specific client instance object on the server without disturbing other clients.
  • While the crl-verify directive can be used on both the OpenVPN server and clients, it is generally unnecessary to distribute a CRL file to clients unless a server certificate has been revoked. Clients don't need to know about other client certificates which have been revoked because clients shouldn't be accepting direct connections from other clients in the first place.
  • The CRL file is not secret, and should be made world-readable so that the OpenVPN daemon can read it after root privileges have been dropped.
  • If you are using the chroot directive, make sure to put a copy of the CRL file in the chroot directory, since unlike most other files which OpenVPN reads, the CRL file will be read after the chroot call is executed, not before.
  • A common reason why certificates need to be revoked is that the user encrypts their private key with a password, then forgets the password. By revoking the original certificate, it is possible to generate a new certificate/key pair with the user's original common name.

Note: I got an "undefined variable on line 282 MODULE_PATH = $ENV::PKCS11_MODULE_PATH" error and the certificate revocation failed. I commented out the following two lines in the /etc/openvpn/easy-rsa/openssl.cnf file to make it work.

 #MODULE_PATH = $ENV::PKCS11_MODULE_PATH
 #PIN = $ENV::PKCS11_PIN

Setting up bind9 in chroot environment