Networking – AKLWEB HOST LLC Support Center

Using StrongSwan for IPSec VPN on CentOS 7
Sat, 18 Jan 2020

StrongSwan is an open source IPsec-based VPN solution. It supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. This tutorial will show you how to use strongSwan to set up an IPSec VPN server on CentOS 7.

Install strongSwan

The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. We should enable EPEL first, then install strongSwan.

yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
yum install strongswan openssl

Generate certificates

Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, we download these two scripts into the folder /etc/strongswan/ipsec.d.

cd /etc/strongswan/ipsec.d
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_aklwebhost/server_key.sh
chmod a+x server_key.sh
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_aklwebhost/client_key.sh
chmod a+x client_key.sh

In these two .sh files, I have set the organization name as AKLWEB-HOST-VPS-CENTOS. If you want to change it, open the .sh files and replace O=AKLWEB-HOST-VPS-CENTOS with O=YOUR_ORGANIZATION_NAME.

Next, run server_key.sh with the IP address of your server to generate the certificate authority (CA) key and certificate for the server. Replace SERVER_IP with the IP address of your AKLWEB HOST VPS.

./server_key.sh SERVER_IP

Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user “john”.

./client_key.sh john john@gmail.com

Replace “john” and his email with yours before running the script.

After the certificates for client and server are generated, copy /etc/strongswan/ipsec.d/john.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your local computer.

Configure strongSwan

Open the strongSwan IPSec configuration file.

vi /etc/strongswan/ipsec.conf

Replace its content with the following text.

config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightsourceip=172.16.1.100/16

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add

conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add

Edit the strongSwan configuration file, strongswan.conf.

vi /etc/strongswan/strongswan.conf

Delete everything and replace it with the following.

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

Edit the IPsec secret file to add a user and password.

vi /etc/strongswan/ipsec.secrets

Add a user account “john” into it.

: RSA vpnHostKey.pem
: PSK "PSK_KEY"
john %any : EAP "John's Password"
john %any : XAUTH "John's Password"

Please note that there must be whitespace on both sides of the colon ‘:’.
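As an added example (not part of the tutorial or of strongSwan), the Python script below parses the ipsec.conf and ipsec.secrets formats shown above and flags what a reviewer would check before going live: the SHA-1 and MODP-1024 proposal in the IpsecIKEv2-EAP connection, secrets lines that lack the whitespace around the colon, and placeholder secrets (PSK_KEY, John's Password) that were never replaced. The sample files are constructed, abridged copies of the snippets above.

```python
"""Added example (not part of strongSwan or the tutorial): lint the two files
above. It parses ipsec.conf sections and ipsec.secrets lines, then flags weak
IKE/ESP proposals, colon spacing errors and placeholder secrets.
"""
import re

# Constructed samples, abridged from the tutorial's files.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=never

conn %default
    left=%defaultroute
    right=%any

conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rightauth=eap-mschapv2
"""

SAMPLE_IPSEC_SECRETS = """\
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
john %any : EAP "John's Password"
john %any: XAUTH "John's Password"
"""

# Algorithm tokens a reviewer would not accept in a new deployment.
WEAK_TOKENS = {"md5", "sha1", "3des", "modp768", "modp1024", "modp1536"}
# Values the tutorial uses as stand-ins that must be replaced before use.
PLACEHOLDER_SECRETS = {"PSK_KEY", "John's Password"}


def parse_ipsec_conf(text):
    """Return {"conn NAME": {key: value}} for every config/conn section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: section header
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def weak_proposals(sections):
    """List (section, option, proposal) for ike=/esp= proposals using weak tokens.
    The trailing '!' (strict proposal marker) is stripped before inspection."""
    findings = []
    for name, opts in sections.items():
        for option in ("ike", "esp"):
            for proposal in opts.get(option, "").rstrip("!").split(","):
                if proposal and set(proposal.lower().split("-")) & WEAK_TOKENS:
                    findings.append((name, option, proposal))
    return findings


def check_secrets(text):
    """Return (lineno, problem) pairs for ipsec.secrets.
    Selector-less lines (': RSA ...') are legal; otherwise the selector must be
    followed by whitespace, and whitespace must follow the colon."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if ":" not in line:
            problems.append((lineno, "no ':' separating selectors from secret"))
            continue
        left, _, right = line.partition(":")
        if left.strip() and not left.endswith((" ", "\t")):
            problems.append((lineno, "missing whitespace before ':'"))
        if not right.startswith((" ", "\t")):
            problems.append((lineno, "missing whitespace after ':'"))
        quoted = re.search(r'"([^"]*)"', right)
        if quoted and quoted.group(1) in PLACEHOLDER_SECRETS:
            problems.append((lineno, "placeholder secret still present"))
    return problems


if __name__ == "__main__":
    for finding in weak_proposals(parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print("weak proposal:", finding)
    for problem in check_secrets(SAMPLE_IPSEC_SECRETS):
        print("ipsec.secrets line %d: %s" % problem)
```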

Allow IPv4 forwarding

Edit /etc/sysctl.conf to allow forwarding in the Linux kernel.

vi /etc/sysctl.conf

Add the following line into the file.

net.ipv4.ip_forward=1

Save the file, then apply the change.

sysctl -p

Configure the firewall

Open the firewall for your VPN on the server.

firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

Start VPN

systemctl start strongswan
systemctl enable strongswan

StrongSwan is now running on your server. Install the strongswanCert.pem and .p12 certificate files on your client. You will now be able to join your private network.

Setting up Munin for Monitoring on CentOS 6 x64
Thu, 09 Jan 2020

Munin is a server monitoring and status application that provides two components:

  • munin – The server component to which munin-node reports. This program generates the HTML output.
  • munin-node – Installed on the machines to be monitored; its plugin-based architecture allows monitoring of almost any facet of an AKLWEB HOST VPS.

Munin can provide status and monitoring for any configuration from a single VPS to an entire datacenter of machines.

The following guide assumes you’re logged in as root and running CentOS 6 x64 on AKLWEB HOST. This guide should be applicable to CentOS 7 too.

You will require two servers.

  • Server A: Our monitoring server where the status will be visible. Referred to from now on as 192.168.10.1.
  • Server B: Our server that we want to monitor. Referred to as 192.168.10.2.

Note that you can also monitor Server A, if desired.

Install and setup Munin

Follow these steps on Server A.

First, install Apache to serve our Munin server status page, as well as Munin itself.

yum install httpd munin

Install nano if you’re not comfortable in vi.

yum install nano

It’s time to edit the Munin configuration to add monitoring of our additional servers, as by default Munin only monitors the local machine. Run the following.

nano /etc/munin/munin.conf

At the bottom, append the following where 192.168.10.2 is replaced with the IP address of Server B, and “serverb” is replaced with a descriptive hostname.

[serverb]
    address 192.168.10.2
    use_node_name yes

Additional servers to be monitored can be added in the same manner.

By default, Munin is not secured with a password. To setup a password, run the following:

nano /etc/munin/munin-htpasswd

… and enter a password to secure your Munin installation.

The username is munin.

Start Apache and Munin-node.

service httpd start
service munin-node start

You will now be able to login to http://[SERVER_A_IP]/munin with the username munin and the password you have just specified.

Continue below for setting up munin-node on additional machines and configuring munin-node plugins.

Setup munin-node

The following can be applied to Server A, Server B, and as many additional servers as needed.

Install munin-node if it is not already installed.

yum install munin-node

Edit the munin-node.conf file.

nano /etc/munin/munin-node.conf

Append a new line with the IP address of Server A. The address must be written as a regular expression. Replace “192.168.10.1” with the IP address of Server A.

allow ^192\.168\.10\.1$

At this point, you can start munin-node.

service munin-node restart

Server B’s status will be visible on your Munin status page at http://[SERVER_A_IP]/munin within a few minutes.
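Because munin-node interprets each allow value as a regular expression matched against the peer address, an unescaped or unanchored pattern admits more hosts than the one you meant. The Python script below is an added example, not part of Munin; it audits constructed allow lines against a few constructed addresses to show the difference.

```python
"""Added example (not part of Munin): audit munin-node 'allow' patterns.

munin-node matches each 'allow' value against the connecting address as an
unanchored regular expression, which is why the documented form escapes the
dots and anchors with ^ and $. This script shows what a sloppy pattern admits.
The config fragment and peer addresses are constructed.
"""
import re

SAMPLE_NODE_CONF = r"""
# constructed munin-node.conf fragment
allow ^127\.0\.0\.1$
allow ^192\.168\.10\.1$
allow 192.168.10.1
"""

# The intended master (Server A), two look-alikes, a dot-less look-alike and
# an unrelated host.
CANDIDATES = ["192.168.10.1", "192.168.10.100", "1192.168.10.1",
              "192x168x10x1", "10.0.0.5"]


def allow_patterns(conf_text):
    """Extract the pattern from every 'allow' line, ignoring comments."""
    patterns = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("allow "):
            patterns.append(line[len("allow "):].strip())
    return patterns


def admitted(pattern, addresses):
    """Addresses the pattern admits under unanchored (search) matching."""
    rx = re.compile(pattern)
    return [addr for addr in addresses if rx.search(addr)]


def audit(conf_text, addresses):
    """Return {pattern: [issues]} for patterns that are unanchored, contain an
    unescaped '.', or admit more than one of the sample addresses."""
    report = {}
    for pattern in allow_patterns(conf_text):
        issues = []
        if not (pattern.startswith("^") and pattern.endswith("$")):
            issues.append("not anchored with ^ and $")
        if re.search(r"(?<!\\)\.", pattern):
            issues.append("unescaped '.' matches any character")
        hits = admitted(pattern, addresses)
        if len(hits) > 1:
            issues.append("admits %d sample addresses: %s" % (len(hits), hits))
        if issues:
            report[pattern] = issues
    return report


if __name__ == "__main__":
    for pattern, issues in audit(SAMPLE_NODE_CONF, CANDIDATES).items():
        print("allow %s" % pattern)
        for issue in issues:
            print("  -", issue)
```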

Enabling munin-node plugins

munin-node comes packaged with a wide variety of plugins.

To browse the available plugins:

cd /usr/share/munin/plugins/
ls

Any plugin can be enabled by creating a symbolic link to it in the /etc/munin/plugins folder. For example, to enable the Apache status plugins, run the following commands:

ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/apache_accesses
ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/apache_processes
ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/apache_volume

… then restart munin-node.

service munin-node restart

Wait a few minutes and your status will be available on your master server.

Setup a PPTP VPN Server on Ubuntu
Thu, 09 Jan 2020

With a PPTP server, you can setup a VPN server easily. Having a virtual private network is beneficial to both individual users and businesses alike.

This tutorial explains how you can install a PPTP server on Ubuntu. The steps are generic and should apply to almost all versions of Ubuntu.

Please note that security vulnerabilities have been found in the PPTP protocol and it may be worth evaluating other VPN protocols before utilizing PPTP.

Installing the server

Step 1: Installing PPTPD

The first thing that we need to do is, naturally, install PPTPD.

apt-get install pptpd

Installing PPTPD is that easy! Now we need to actually setup the PPTP server.

Step 2: Adding users

We don’t want everyone to be able to access our VPN of course; because of this, you can create users so that only the users with the correct password will be able to access your VPN. To add users, edit the file:

/etc/ppp/chap-secrets

The format is:

[username] [service] [password] [ip]

Username and password are straightforward; service and IP are not. Service is usually pptpd: if you just want to set up a VPN, use pptpd for the service and it will work. If you want to restrict the IP that a user can log in from, you can enter that user's IP. If you want connections from that account to be accepted from all IPs, use *.
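An added example, not pppd's own code: a small Python parser for the chap-secrets format above that resolves the service and IP fields, including the * wildcard, and lists the accounts that may connect from any address. The sample file is constructed; pppd's subnet and negated-address forms of the IP field are not modelled.

```python
"""Added example (not pppd's own parser): read /etc/ppp/chap-secrets.

Each entry is '[username] [service] [password] [ip]'. The parser handles
double-quoted fields, '#' comments and the '*' wildcard, and reports which
accounts may connect from any address. pppd's subnet and '!' negation forms of
the ip field are not modelled. The sample file is constructed.
"""
import shlex

SAMPLE_CHAP_SECRETS = """\
# Secrets for authentication using CHAP (constructed sample)
# client        server  secret                  IP addresses
alice           pptpd   "correct horse"         203.0.113.7 203.0.113.8
bob             pptpd   hunter2                 *
carol           *       s3cret
"""


def parse_chap_secrets(text):
    """Return a list of {user, service, secret, ips} dicts."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if len(fields) < 3:           # blank, comment or malformed line
            continue
        user, service, secret = fields[:3]
        ips = fields[3:] or ["*"]     # an absent ip field means any address
        entries.append({"user": user, "service": service,
                        "secret": secret, "ips": ips})
    return entries


def may_connect(entries, user, service, peer_ip):
    """True if some entry authorises this user/service from peer_ip."""
    for entry in entries:
        if entry["user"] != user or entry["service"] not in ("*", service):
            continue
        if "*" in entry["ips"] or peer_ip in entry["ips"]:
            return True
    return False


def unrestricted_accounts(entries):
    """Usernames whose entries place no restriction on the client address."""
    return sorted({e["user"] for e in entries if "*" in e["ips"]})


if __name__ == "__main__":
    parsed = parse_chap_secrets(SAMPLE_CHAP_SECRETS)
    print("accounts allowed from any address:", unrestricted_accounts(parsed))
    print("alice from 198.51.100.2:", may_connect(parsed, "alice", "pptpd", "198.51.100.2"))
```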

Step 3: Edit the PPTPD settings

There are a few things that we need to edit. Start by editing the following file:

/etc/pptpd.conf

Look for the localip and remoteip settings. Remove the # (comment character) for both so that these settings will actually be recognized. Change localip to your server IP. If you don’t know your server IP, you may look in the AKLWEB HOST control panel.

The remoteip is basically the IP range that clients (computers that are connected to your VPN) will be assigned. For example, if you want the following IP range: 192.168.120.231-235, your VPN server will be able to assign 192.168.120.232, 192.168.120.233, 192.168.120.234, and 192.168.120.235 to clients. It’s up to you what you want to use for this field.

Step 4: Update sysctl.conf

Find the line net.ipv4.ip_forward in the sysctl.conf file. We need to uncomment this line, so open the following file:

/etc/sysctl.conf

Make sure that it says net.ipv4.ip_forward=1, and not net.ipv4.ip_forward=0.

Step 5: Restarting PPTPD

At this point, everything will work. Restart PPTPD.

service pptpd restart

Congratulations, you now have a PPTP server!

Using the VPN

Mac OS X

Using a VPN on Mac OS X is very easy.

Go to System Preferences -> Network. Click on the + icon and choose “VPN” as the interface. The name can be anything you want, for example “VPN”. The VPN type is “PPTP”. Click “Create”. You will now see some settings; the server address and username. These are the credentials you have entered in the /etc/ppp/chap-secrets file.

Now click on “Authentication Settings”. Choose “Password” and enter the password. Click “OK”, then click “Connect”.

Your computer will now connect to your VPN server. Internet traffic will be sent over the VPN server.

Windows 8

In Windows 8, setting up a VPN is pretty easy as well. The first thing you are going to do is go to the “Start menu” and type “VPN”. You should see “Set up a virtual private network (VPN) connection”. Click on that.

The internet address is your server IP. The destination name can be anything you would like, such as “VPN”. Click “Next”. Windows will now ask for your credentials; enter the username and password you have entered in the /etc/ppp/chap-secrets file. Click “Connect”.

Windows will now connect to your VPN server and start sending traffic over it.

Stop DHCP From Changing resolv.conf
Fri, 27 Dec 2019

For DHCP users, there may be times when you need to edit /etc/resolv.conf to use other nameservers. Then, after a period of time (or after a system reboot), you discover that your changes to /etc/resolv.conf have been reverted.

This tutorial shows three methods to stop DHCP from changing the /etc/resolv.conf on Debian or Ubuntu.

Method 1: Change interface settings to static

  • On a cloud vps, I do not suggest using this method.
  • If you use this method, you may find that the reboot processing (until you can login through ssh) takes longer.

First, we need to get the IP/netmask/gateway of the server. Run the following command.

ifconfig | grep "inet addr" | head -n 1 | awk '{print $2, $4}'

This provides the server IP and netmask. Looking at the example output…

addr:1.2.3.4 Mask:255.255.254.0

… the server IP address is 1.2.3.4 and mask is 255.255.254.0.

To get the gateway address, run the following command.

netstat -rn | grep '^0.0.0.0' | awk '{print $2}'

In this example, I will use the gateway address 1.2.3.1.

Now that we have the IP/netmask/gateway, edit /etc/network/interfaces.

vim /etc/network/interfaces

Make the following edits:

# Comment out this line
# iface eth0 inet dhcp

# Add these contents
iface eth0 inet static
address 1.2.3.4
netmask 255.255.254.0
gateway 1.2.3.1

Remember, you must replace these values with the appropriate IP/netmask/gateway of server.

Save and exit, then reboot.

Method 2: Write protect your nameservers

Change your nameservers by editing /etc/resolv.conf. Once you have made your edits, write protect that file.

chattr +i /etc/resolv.conf

The +i option (attribute) write protects the /etc/resolv.conf file on Linux so that no one can modify it – not even the root user.

If you need to remove the write protect attribute, use the following command.

chattr -i /etc/resolv.conf

Method 3: Use DHCP hooks

This is the method that I recommend using the most.

Edit /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate.

vim /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate

Make the following edits:

#!/bin/sh
make_resolv_conf(){
    :
}

Save and exit.

Update the permissions on the nodnsupdate file.

chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate

Reboot your server. You can now update nameservers by editing /etc/resolv.conf without worrying about rollback.
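To see why the empty make_resolv_conf in the hook works, the shell script below (an added example, not part of dhclient) simulates what dhclient-script does: it defines its own make_resolv_conf, then sources the enter hook before calling it, so the hook's definition replaces the built-in one. It runs entirely in a temporary directory with a constructed lease value.

```shell
#!/bin/sh
# Added example, not part of dhclient: simulate how dhclient-script's enter
# hooks override make_resolv_conf. Everything happens in a temp dir, not /etc.
set -e

demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
hook="$demo_root/nodnsupdate"
resolv="$demo_root/resolv.conf"

# Same hook body as the tutorial's nodnsupdate file: a no-op make_resolv_conf.
cat > "$hook" <<'EOF'
make_resolv_conf(){
    :
}
EOF

# Stand-in for dhclient-script's built-in make_resolv_conf, which rewrites
# resolv.conf with the nameservers carried in the lease.
make_resolv_conf() {
    printf 'nameserver %s\n' "$new_domain_name_servers" > "$resolv"
}

# Simulate one lease renewal. Pass "hooked" to source the enter hook first,
# which is what dhclient-script does before it calls make_resolv_conf.
# Runs in a subshell so the override does not leak between calls; prints the
# resulting resolv.conf.
run_lease() (
    printf 'nameserver 1.1.1.1\n' > "$resolv"      # the admin's manual edit
    new_domain_name_servers="192.0.2.53"           # constructed DHCP offer
    if [ "$1" = hooked ]; then
        . "$hook"
    fi
    make_resolv_conf
    cat "$resolv"
)

echo "without hook: $(run_lease default)"
echo "with hook:    $(run_lease hooked)"
```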

Setup Dynamic DNS For Windows Remote Desktop
Fri, 27 Dec 2019

This article will show you how to set up dynamic DNS for Remote Desktop so that you can avoid the hassle of setting up remote assistance again and again. We will be using the No-IP service to handle dynamic DNS and a Windows VPS on AKLWEB Host.

Installing Windows

  1. Install Windows while deploying a virtual private server on AKLWEB Host.
  2. If you are using the “Custom ISO” feature, then first make sure that you integrate VirtIO Drivers to your Windows ISO. You can follow the steps outlined in this article.

Installing and configuring No-IP Dynamic Update Client (DUC)

  1. In your web browser, create an account on NoIP.com.
  2. Add a “DUC hostname” using their members area. For example, type your “Hostname” then click “Add Host”.
  3. Install No-IP DUC on your Windows VPS.
  4. When the client launches, sign in, then click on “Edit Hosts”. Select the “DUC hostname” that you have created in the 2nd step.
  5. Enable DUC to auto start: File -> Preferences -> Start this application when user logs on.
  6. Allow remote connections on your VPS: WIN Key + R -> sysdm.cpl -> Remote -> Allow Remote Assistance (both).

Creating and restoring a snapshot

  1. After setting up DUC on your VPS, simply create a snapshot on the AKLWEB Host control panel. This is located on My Servers -> Manage -> Snapshots -> Take Snapshot. It will take a few moments to save a snapshot of your VPS.
  2. That’s it! Use that snapshot the next time you want to deploy that VPS.

After deploying a VPS snapshot you can simply use your “DUC hostname” in any Remote Desktop Client. This saves a lot of time when you deploy VPS multiple times – as you don’t have to use your RD credentials each time.

Setup OpenConnect VPN Server for Cisco AnyConnect on Ubuntu 14.04 x64
Fri, 27 Dec 2019

OpenConnect server, also known as ocserv, is a VPN server that communicates over SSL. By design, its goal is to become a secure, lightweight, and fast VPN server. OpenConnect server uses the OpenConnect SSL VPN protocol. At the time of writing, it also has experimental compatibility with clients that use the AnyConnect SSL VPN protocol.

This article will show you how to install and setup ocserv on Ubuntu 14.04 x64.

Installing ocserv

Since Ubuntu 14.04 does not ship with ocserv, we will have to download the source code and compile it. The latest stable version of ocserv is 0.9.2.

Download ocserv from the official site.

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.2.tar.xz
tar -xf ocserv-0.9.2.tar.xz
cd ocserv-0.9.2

Next, install the compile dependencies.

apt-get install build-essential pkg-config libgnutls28-dev libwrap0-dev libpam0g-dev libseccomp-dev libreadline-dev libnl-route-3-dev

Compile and install ocserv.

./configure
make
make install

Configuring ocserv

A sample config file is placed under the directory ocserv-0.9.2/doc. We will use this file as a template. First, we have to make our own CA cert and server cert.

cd ~
apt-get install gnutls-bin
mkdir certificates
cd certificates

Create a CA template file (ca.tmpl) with content similar to the following. You can set your own “cn” and “organization”.

cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

Then, generate a CA key and CA cert.

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

Next, create a local server certificate template file (server.tmpl) with the content below. Pay attention to the “cn” field: it must match the DNS name or IP address of your server.

cn = "your domain name or IP"
organization = "MyCompany"
expiration_days = 3650
signing_key
encryption_key
tls_www_server

Then, generate the server key and certificate.

certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Copy the key, certificate, and config file to the ocserv config directory.

mkdir /etc/ocserv
cp server-cert.pem server-key.pem /etc/ocserv
cd ~/ocserv-0.9.2/doc
cp sample.config /etc/ocserv/config
cd /etc/ocserv

Edit the config file under /etc/ocserv. Uncomment or modify the fields described below.

auth = "plain[/etc/ocserv/ocpasswd]"

try-mtu-discovery = true

server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

dns = 8.8.8.8

# comment out all route fields
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#no-route = 192.168.5.0/255.255.255.0

cisco-client-compat = true

Generate a user that will be used to login to ocserv.

ocpasswd -c /etc/ocserv/ocpasswd username

Enable NAT.

iptables -t nat -A POSTROUTING -j MASQUERADE

Enable IPv4 forwarding. Edit the file /etc/sysctl.conf.

net.ipv4.ip_forward=1

Apply this modification.

sysctl -p /etc/sysctl.conf

Start ocserv and connect using Cisco AnyConnect

First, start ocserv.

ocserv -c /etc/ocserv/config

Then, install Cisco AnyConnect on any of your devices, such as iPhone, iPad, or an Android device. Since we used a self-signed server key and certificate, we have to uncheck the option which prevents insecure servers. This option is located in the settings of AnyConnect. At this point, we can setup a new connection with the domain name or IP address of our ocserv and the username/password that we created.

Connect and enjoy!

Change Hostname on Ubuntu
Fri, 27 Dec 2019

In this tutorial, we will assume that the hostname you want is “pluto”.

For Ubuntu 12.04 (Precise Pangolin)

  1. On your SSH Terminal, type: hostname pluto
  2. Using nano, you can then type: nano /etc/hostname
  3. Type in pluto, then press Ctrl + X, then Y, then Enter.
  4. Now, again using nano, type nano /etc/hosts to edit the hosts file.
  5. Add another line on top, it should read: 127.0.0.1 pluto
  6. Confirm your changes by typing hostname.

For Ubuntu 14.04 (Trusty Tahr) / 14.10 (Utopic Unicorn)

  1. Newer Ubuntu versions make it even easier; you can just type: hostnamectl set-hostname pluto
  2. Confirm your changes by typing hostname.
ZNC Install and Setup on Ubuntu
Fri, 27 Dec 2019

ZNC is an advanced IRC network bouncer that is left connected all the time so that an IRC client can disconnect or reconnect without losing the chat session.

In this tutorial, we’ll compile ZNC with the web admin module installed.

Installation

Packages

First of all, and as always, we’ll update the package cache.

sudo apt-get update

Next, we’ll install some dependencies required to compile ZNC.

sudo apt-get install libssl-dev libperl-dev pkg-config build-essential

Compile and install ZNC

Download the latest release of ZNC:

cd /usr/local/src
sudo wget http://znc.in/releases/znc-latest.tar.gz

Extract ZNC from the tarball, and then enter the source directory:

sudo tar xf znc-latest.tar.gz
cd znc-*/

At this step, you can set ZNC’s installation directory by adding the --prefix=<yourdir> option. But for now, we’ll install it system wide:

./configure

We’ll compile ZNC and install it with the following commands. To speed up the process, you may add -j n to the first make command, where n is the number of cores / vCPUs on your server.

sudo make
sudo make install

This may take a few minutes, depending on your machine’s configuration.

Configuration

It is important not to run web-facing apps under root. So we’ll create a new user for ZNC.

adduser --disabled-password znc

Now switch to znc.

su - znc
cd ~

Create ZNC’s config file under znc:

/usr/local/bin/znc --makeconf

ZNC will ask us some questions in order to create the config file. The first one is important; note your input because you will connect to the ZNC daemon using that port.

We’ll enter 6697 now – that’s the default port for IRC with SSL / TLS.

[ ?? ] What port would you like ZNC to listen on? (1025 to 65535): 6697

It is strongly recommended to enable SSL listening instead of the plain-text (i.e. insecure) scheme.

[ ?? ] Would you like ZNC to listen using SSL? (yes/no) [no]: yes

The next question is regarding IPv6. That depends on your needs: if your home network is IPv6 enabled, it’s recommended to enable it. We’ll just leave the default option there.

[ ?? ] Would you like ZNC to listen using both IPv4 and IPv6? (yes/no) [yes]: <press Enter>

Now it’ll prompt us about two global modules, partyline and webadmin. They’re self-explanatory, and we’ll need to enable them.

[ ?? ] Load global module <partyline>? (yes/no) [no]: yes
[ ?? ] Load global module <webadmin>? (yes/no) [no]: yes

User creation. Enter your desired username and password for the user, then confirm it. Note that the password will not be echoed.

[ ?? ] Username (AlphaNumeric): Doe
[ ?? ] Enter Password: <password>
[ ?? ] Confirm Password: <password>

Grant the user admin permissions:

[ ?? ] Would you like this user to be an admin? (yes/no) [yes]: yes

Then, your IRC network options. Set it on your own. Here’s an example:

[ ?? ] Nick [Doe]: Doe
[ ?? ] Alt Nick [Doe_]: Doe_
[ ?? ] Ident [Doe]: DoeIdent
[ ?? ] Real Name [Got ZNC?]: Jane Doe
[ ?? ] Bind Host (optional): server.hostname
[ ?? ] Number of lines to buffer per channel [50]: 50
[ ?? ] Would you like to clear channel buffers after replay? (yes/no) [yes]: yes

Enable these modules:

[ ?? ] Load module <chansaver>? (yes/no) [no]: yes
[ ?? ] Load module <controlpanel>? (yes/no) [no]: yes
[ ?? ] Load module <perform>? (yes/no) [no]: yes
[ ?? ] Load module <webadmin>? (yes/no) [no]: yes

Now we may setup the IRC network that ZNC will connect to.

[ ?? ] Would you like to set up a network? (yes/no) [no]: yes

We’ll use #ubuntu on Freenode for example.

Network (e.g. 'freenode' or 'efnet'): freenode

Information about the network modules prompted for here can be found in ZNC’s module documentation.

[ ?? ] Load module <chansaver>? (yes/no) [no]: yes
[ ?? ] Load module <keepnick>? (yes/no) [no]: yes
[ ?? ] Load module <kickrejoin>? (yes/no) [no]: yes
[ ?? ] Load module <nickserv>? (yes/no) [no]: yes
[ ?? ] Load module <perform>? (yes/no) [no]: yes
[ ?? ] Load module <simple_away>? (yes/no) [no]: yes

Set the server we’ll connect to:

[ ?? ] IRC server (host only): irc.freenode.net
[ ?? ] [irc.freenode.net] Port (1 to 65535) [6667]: 6697
[ ?? ] [irc.freenode.net] Password (probably empty): 
[ ?? ] Does this server use SSL? (yes/no) [no]: yes
[ ** ] 
[ ?? ] Would you like to add another server for this IRC network? (yes/no) [no]: no

And the channel we’ll join:

[ ?? ] Would you like to add a channel for ZNC to automatically join? (yes/no) [yes]: yes
[ ?? ] Channel name: #ubuntu
[ ?? ] Would you like to add another channel? (yes/no) [no]: no

Finish the configuration and launch ZNC:

[ ?? ] Would you like to set up another user? (yes/no) [no]: no
[ .. ] Writing config [/home/znc/.znc/configs/znc.conf]...
[ >> ] ok
... ...
[ ?? ] Launch ZNC now? (yes/no) [yes]: yes

Yay. ZNC is up and running!

Introduction to Tcpdump
Fri, 27 Dec 2019

If you run a server, you will undoubtedly get to a point where you need to nail down some network-related problems. Of course it would be easy to just shoot a mail to the support department, but sometimes you need to get your hands dirty. In this case, tcpdump is the tool for that job. Tcpdump is a network packet analyzer that runs under the command line.

This article will be split into three parts:

  • Basic features.
  • Filtering based on certain traffic characteristics.
  • A short snippet of the more advanced features (such as logical expressions, filtering by TCP flags).

Since tcpdump is not included with most base systems, you will need to install it. However, nearly all Linux distributions have tcpdump in their core repositories. For Debian based distributions, the command to install tcpdump is:

apt-get install tcpdump

For CentOS/RedHat, use the following command:

yum install tcpdump

FreeBSD offers a pre-built package which can be installed by issuing:

pkg install tcpdump

There’s also a port available, net/tcpdump which can be installed via:

cd /usr/ports/net/tcpdump
make install clean

If you run tcpdump without any arguments, you’ll be battered with results. Running it on a freshly spun up instance here on AKLWEB Host for less than five seconds gives the following results:

2661 packets captured
2663 packets received by filter
0 packets dropped by kernel

Before going into more details on how to filter input, you should take a look at some parameters that can be passed to tcpdump:

  • -i – Specifies the interface you want to listen on, for example: tcpdump -i eth0.
  • -n – Do not resolve IP addresses to hostnames, for example: tcpdump -n (a second n, as in -nn, also disables port-name resolution; both spare you the DNS lookups tcpdump would otherwise generate while you capture).
  • -X – Print the content of each captured packet in hex and ASCII: tcpdump -X.
  • -c – Capture only x packets, x being an arbitrary number; for example tcpdump -c 10 stops after exactly 10 packets.
  • -v – Increase the amount of packet information shown; -vv and -vvv add further verbosity.

Any of these parameters can be combined. If you wanted to capture 100 packets on your VPN interface tun0 only, and dump their contents, the tcpdump command would look like this:

tcpdump -i tun0 -c 100 -X

There are dozens (if not hundreds) of options in addition to those few, but they are the most common ones. Feel free to read tcpdump’s manpage on your system.

Now that you have a basic understanding of tcpdump, it’s time to look at one of tcpdump’s most awesome features: expressions. Expressions will make your life a lot easier. They are also known as BPF or Berkeley Packet Filters. Using expressions allows you to selectively display (or ignore) packets based on certain characteristics – such as origin, destination, size, or even TCP sequence number.

So far you’ve managed to limit your search to a certain amount of packets on a certain interface, but let’s be honest here: that still leaves too much background noise to effectively work with the collected data. That’s where expressions come into play. The concept is pretty straightforward, so we’ll leave out the dry theory here and support the understanding with some practical examples.

The expressions that you’ll probably be using the most are:

  • host – Look for traffic based on hostnames or IP addresses.
  • src or dst – Look for traffic from or to a specific host.
  • proto – Look for traffic of a certain protocol. Works for tcp, udp, icmp, and others. Omitting the proto keyword is also possible.
  • net – Look for traffic to / from a certain range of IP addresses.
  • port – Look for traffic to / from a certain port.
  • greater or less – Look for packets that are at least, or at most, a certain number of bytes long.

While the manpage for tcpdump just contains a few examples, the manpage for pcap-filter has very detailed explanations on how each filter works and can be applied.

If you want to see how your communication with a certain server is going, then you can use the host keyword, for example (including some of the parameters from above):

tcpdump -i eth0 host aklwebhost.com

Sometimes there are hosts on the network that don’t honor the MTU or flood you with large packets, and they can be hard to pick out. Expressions let you select only packets of at least, or at most, a certain number of bytes:

tcpdump -i eth0 -nn greater 128
or
tcpdump -i eth0 -nn less 32

Maybe only a certain port is of interest to you. In that case, use the port expression:

tcpdump -i eth0 -X port 21

You can also look for port ranges:

tcpdump -i eth0 -X portrange 22-25

Since source ports are ephemeral (and rewritten by the NAT gateways that are so common), you may only want to match on the destination port:

tcpdump dst port 80

If you are watching traffic to your web server, you may only want to look at TCP traffic to port 80:

tcpdump tcp and dst port 80

You are probably asking yourself what the keyword and is doing there. Good question. That brings us to the last part of this article.

tcpdump offers basic support for logical expressions, more specifically:

  • and / && – Logical “and”.
  • or / || – Logical “or”.
  • not / ! – Logical “not”.

Together with the ability to group expressions, this allows you to build very precise searches for incoming and outgoing traffic. So let’s select only traffic coming from aklwebhost.com and destined for port 22 or 443:

tcpdump -i eth0 src host aklwebhost.com and (dst port 22 or 443)

Running this on the command line will give you the following error:

bash: syntax error near unexpected token `('

That’s because of a caveat: bash interprets ( and ) itself (as subshell grouping) before tcpdump ever sees them. To avoid the error, put single quotes around the whole expression so that it reaches tcpdump as a single argument:

tcpdump -i eth0 'src host aklwebhost.com and (dst port 22 or 443)'

Another useful example: when debugging SSH issues with one of your users, you may want to ignore everything that belongs to your own SSH session. Replace YOUR_IP_ADDRESS with the address you are connecting from:

tcpdump 'port 22 and not host YOUR_IP_ADDRESS'

Again, the use cases are endless, and you can specify in extreme depth what kind of traffic you want to see. The following command shows you only the SYN/ACK packets of TCP handshakes:

tcpdump -i eth0 'tcp[13]=18'

This works by reading the byte at offset 13 of the TCP header (counting from zero), which holds the TCP flags, and comparing it with 18. In hex, 18 is 0x12: SYN (0x02) plus ACK (0x10), with no other flag set. Because this is an exact comparison, a SYN/ACK that also carries the ECN bits (ECE, CWR) would not match; 'tcp[13] & 18 = 18' matches any packet with at least SYN and ACK set. Recent tcpdump versions also accept the symbolic form 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'.
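To make the offset arithmetic concrete, here is an added example (not code from the original article) that builds a minimal TCP header in Python, reads the flags byte at offset 13, and generates both the exact and the masked filter strings discussed above. The header fields and port numbers are constructed for illustration; nothing is captured from the network.

```python
"""Decode the TCP flags byte that the tcpdump filter 'tcp[13]' inspects.

Added example, not code from the original article. The TCP header below is
constructed by hand for illustration; nothing is captured from the network.
"""
import struct

# Bit values of the TCP flags byte at header offset 13 (RFC 793, ECN bits from RFC 3168).
TCP_FLAGS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}


def flags_value(*names):
    """Combine flag names into the byte value tcpdump compares against (SYN, ACK -> 18)."""
    return sum(TCP_FLAGS[name.upper()] for name in names)


def decode_flags(byte):
    """List the flag names set in a TCP flags byte, most significant bit first."""
    return [name for name, bit in TCP_FLAGS.items() if byte & bit]


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Construct a minimal 20-byte TCP header (no options) for illustration."""
    data_offset = 5 << 4  # header length in 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def tcp_flags_byte(tcp_header):
    """Offset 13 of the TCP header is the flags byte; offsets 0-11 hold ports, seq and ack."""
    return tcp_header[13]


def exact_filter(*names):
    """Filter matching packets whose flags are exactly these, e.g. tcp[13] = 18."""
    return f"tcp[13] = {flags_value(*names)}"


def mask_filter(*names):
    """Filter matching packets with at least these flags set, ignoring others such as ECE/CWR."""
    value = flags_value(*names)
    return f"tcp[13] & {value} = {value}"


# Constructed sample: the server side SYN/ACK of a handshake towards port 22.
SAMPLE_SYNACK = build_tcp_header(22, 51000, 1000, 2001, flags_value("SYN", "ACK"))

if __name__ == "__main__":
    byte = tcp_flags_byte(SAMPLE_SYNACK)
    print(f"tcp[13] = {byte} (0x{byte:02x}) -> {' '.join(decode_flags(byte))}")
    print(exact_filter("SYN", "ACK"))   # tcp[13] = 18
    print(mask_filter("SYN", "ACK"))    # tcp[13] & 18 = 18
```

Run it and compare the printed filter strings with the ones in the article; decode_flags(0x52) shows why a SYN/ACK with ECE set slips past the exact filter but not the masked one.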

If you made it all the way here, you are ready for most use cases that will arise. This article can barely touch the surface without going into too many details, so experiment with the different options and expressions a bit further; and as usual, reference the manpage when you get lost.

Last but not least, a quick look back. Remember the beginning of this article, with thousands of packets captured in a matter of seconds? A filter trims that down a whole lot:

tcpdump -i eth0 tcp port 22

The result is now:

81 packets captured
114 packets received by filter
0 packets dropped by kernel

This is much saner and easier to debug. Happy networking!

How to Configure DJBDNS on FreeBSD
https://support.aklwebhost.com/knowledgebase/how-to-configure-djbdns-on-freebsd/
Fri, 27 Dec 2019 06:52:32 +0000

This tutorial will show you how to configure a DNS service that is easy to maintain, easy to configure, and generally more secure than the classic BIND service. This article assumes that you are running a VPS with FreeBSD installed.

To begin, open your terminal and install this package:

<ceph>[~]# pkg install djbdns                                              
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 3 packages will be affected (of 0 checked):

New packages to be INSTALLED:
djbdns: 1.05_20,1
ucspi-tcp: 0.88_2
daemontools: 0.76_17

The process will require 1 MB more space.
251 KB to be downloaded.

Proceed with this action? [y/N]: y
Fetching djbdns-1.05_20,1.txz: 100%  139 KB 142.4k/s    00:01    
Fetching ucspi-tcp-0.88_2.txz: 100%   62 KB  63.1k/s    00:01    
Fetching daemontools-0.76_17.txz: 100%   51 KB  51.7k/s    00:01    
Checking integrity... done (0 conflicting)
[1/3] Installing ucspi-tcp-0.88_2...
[1/3] Extracting ucspi-tcp-0.88_2: 100%
[2/3] Installing daemontools-0.76_17...
[2/3] Extracting daemontools-0.76_17: 100%
[3/3] Installing djbdns-1.05_20,1...
[3/3] Extracting djbdns-1.05_20,1: 100%

pkg also pulls in two dependencies: daemontools (which provides svscan and supervise, used to run and restart tinydns) and ucspi-tcp (which provides tcpserver).

Create two unprivileged service accounts: gtinydns (tinydns runs as this user) and gdnslog (the logger runs as this one). Nobody ever logs in as either of them, so give them the nologin shell as shown below. Start with the first user:

<ceph>[~]# adduser         
Username: gtinydns
Full name: gtinydns
Uid (Leave empty for default): 
Login group [gtinydns]: 
Login group is gtinydns. Invite gtinydns into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh zsh rzsh nologin) [sh]: nologin
Home directory [/home/gtinydns]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: 
Use an empty password? (yes/no) [no]: 
Use a random password? (yes/no) [no]: yes
Lock out the account after creation? [no]: 
Username   : gtinydns
Password   : <random>
Full Name  : gtinydns
Uid        : 1002
Class      : 
Groups     : gtinydns 
Home       : /home/gtinydns
Home Mode  : 
Shell      : /usr/sbin/nologin
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gtinydns) to the user database.
adduser: INFO: Password for (gtinydns) is: rTsada2131sa1Mg
Add another user? (yes/no): no
Goodbye!

Now, add the second user:

<ceph>[~]# adduser
Username: gdnslog
Full name: gdnslog
Uid (Leave empty for default):  
Login group [gdnslog]: 
Login group is gdnslog. Invite gdnslog into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh zsh rzsh nologin) [sh]: nologin
Home directory [/home/gdnslog]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: 
Use an empty password? (yes/no) [no]: 
Use a random password? (yes/no) [no]: yes
Lock out the account after creation? [no]: 
Username   : gdnslog
Password   : <random>
Full Name  : gdnslog
Uid        : 1003
Class      : 
Groups     : gdnslog 
Home       : /home/gdnslog
Home Mode  : 
Shell      : /usr/sbin/nologin
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gdnslog) to the user database.
adduser: INFO: Password for (gdnslog) is: jWsdad33aasdaFa0
Add another user? (yes/no): no
Goodbye!

Run the following command. Replace the IP address with the address of your AKLWEB Host server.

<ceph>[~]# tinydns-conf gtinydns gdnslog /usr/local/etc/tinydns 108.61.100.100

This command will create directories, files, and other sub directories in /usr/local/etc/tinydns. It will also put the IP address of the VPS in /usr/local/etc/tinydns/env/IP.

Create the directory /service.

<ceph>[~]# mkdir /service

Edit your /etc/rc.conf file:

<ceph>[~]# ee /etc/rc.conf

… and add these lines:

svscan_enable="YES"
svscan_servicedir="/service"

Save the configuration and start the svscan service:

<ceph>[~]# /usr/local/etc/rc.d/svscan start
Starting svscan.

Next, go to this directory:

<ceph>[~]# cd /usr/local/etc/tinydns/root

Edit the data file:

<ceph>[root]# ee data

… and add some DNS data:

# domain1.com
Zdomain1.com:dns1.domain1.com.:ns.domain1.com.:2013101203:604800:86400:2419200:604800:3600
&domain1.com::dns1.domain1.com.:3600
&domain1.com::dns2.domain1.com.:3600

# MX
@domain1.com::mail1.domain1.com.:10:3600
@domain1.com::mail2.domain1.com.:30:3600

# IP's (A records)
=dns1.domain1.com:108.61.210.99:3600
=dns2.domain1.com:89.201.163.42:3600
=mail1.domain1.com:89.201.163.42:3600
=mail2.domain1.com:85.114.41.8:3600
=www.domain1.com:108.61.178.194:3600
=test1.domain1.com:193.198.184.100:3600
=test2.domain1.com:108.61.178.215:3600

# Aliases (additional A records, no PTR)
+domain1.com:108.61.178.194:3600
+smtp.domain1.com:89.201.163.42:3600
+imap.domain1.com:89.201.163.42:3600

Save the file and exit.

Run ls:

<ceph>[root]# ls
Makefile  add-alias  add-childns  add-host  add-mx  add-ns  data

Convert your text data to the database format:

<ceph>[root]# make
/usr/local/bin/tinydns-data

Run ls again:

<ceph>[root]# ls
Makefile  add-alias  add-childns  add-host  add-mx  add-ns  data  data.cdb

Notice the new data.cdb file, built by the make command. This is the file tinydns actually answers from; the text file data is never read at query time.

Finally, register the service with svscan by creating a symbolic link into /service (svscan picks it up within a few seconds and starts tinydns):

<ceph>[root]# ln -s /usr/local/etc/tinydns /service

Now test your new DNS server. Replace 108.61.178.110 with the IP address of your server.

<ceph>[root]# host www.domain1.com 108.61.178.110 
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases: 

www.domain1.com has address 108.61.178.194

Nameserver lookup:

<ceph>[root]# host -t ns domain1.com 108.61.178.110 
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases: 

domain1.com name server dns1.domain1.com.
domain1.com name server dns2.domain1.com.

Mailserver MX lookup:

<ceph>[root]# host -t mx domain1.com 108.61.178.110 
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases: 

domain1.com mail is handled by 10 mail1.domain1.com.
domain1.com mail is handled by 30 mail2.domain1.com.

One more time to be sure:

<ceph>[root]# host mail1.domain1.com 108.61.178.110 
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases: 

mail1.domain1.com has address 89.201.163.42

Congratulations! You have a working DNS server. Replace domain1.com with your domain. After every change to data, run make to build a new data.cdb; tinydns notices the new file and serves it without a restart.

Explanation of the data file:

Each line starts with a one-character record type. “A” records begin with an = sign, which also creates the matching reverse (PTR) record. A + sign creates an “A” record without the PTR entry, which is why it is used for the aliases above; a real CNAME record uses the C prefix instead. Mail servers (MX) begin with the @ sign and nameservers (NS) with the & sign. Lines starting with # are comments.

Example 1:

=test1.domain1.com:193.198.184.100:3600

= stands for an “A” record. test1.domain1.com is the DNS name, 193.198.184.100 is the address to which it resolves, and 3600 is the TTL (time to live) in seconds. Because the = form is used, tinydns also answers the reverse lookup for 193.198.184.100 with test1.domain1.com.

Example 2:

# MX
@domain1.com::mail1.domain1.com.:10:3600
@domain1.com::mail2.domain1.com.:30:3600

In this example, mail1 and mail2 are the mail servers for domain1.com; mail1 has priority 10 and mail2 has priority 30. The lower value is preferred, so sending mail servers will first try to deliver to mail1 and fall back to mail2 only if mail1 is unreachable.

The following line marks the beginning of the zone (the SOA record). It is required.

Zdomain1.com:dns1.domain1.com.:ns.domain1.com.:2013101203:604800:86400:2419200:604800:3600

The fields after the zone name are the primary nameserver, the zone contact written as a name (ns.domain1.com stands for the mailbox ns@domain1.com), the serial number, then the refresh, retry, expire and minimum values, followed by the record TTL. The serial number 2013101203 matters when a secondary DNS server at another provider copies your zone: when you change it to 2013101204, the secondary sees that the zone has changed and picks up the new data. tinydns itself does not answer zone transfers, so this only works if you also run djbdns’s axfrdns service; the alternative is to copy data.cdb between your DJBDNS servers with rsync after every make.
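As an added example (not part of the original article or of the djbdns distribution), the following Python expands tinydns data lines into the DNS records tinydns-data will produce, covering the record types explained above plus C for CNAME, and applying the default TTLs tinydns uses when a field is left empty. The sample zone is a constructed subset of the data file above, so you can check what a line turns into before running make.

```python
"""Expand tinydns 'data' lines into the DNS records tinydns-data will serve.

Added example, not part of the original article or of djbdns. Handles the
prefixes used above (Z, &, @, =, +) plus C for CNAME; the sample zone is a
constructed subset of the article's data file.
"""


def _name(s):
    """tinydns accepts a trailing dot on names; normalise to lowercase without it."""
    return s.rstrip(".").lower()


def _reverse_name(ip):
    """PTR owner name for an IPv4 address, e.g. 1.2.3.4 -> 4.3.2.1.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def expand_line(line):
    """Return the (name, type, value, ttl) records one data line produces."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    prefix, fields = line[0], line[1:].split(":")

    def get(i, default=""):
        # Empty or missing fields take tinydns' documented defaults.
        return fields[i] if i < len(fields) and fields[i] else default

    fqdn = _name(fields[0])
    recs = []
    if prefix == "Z":    # Zfqdn:mname:rname:ser:ref:ret:exp:min:ttl
        soa = [_name(get(1)), _name(get(2))] + [get(i, "0") for i in range(3, 8)]
        recs.append((fqdn, "SOA", " ".join(soa), int(get(8, "2560"))))
    elif prefix == "&":  # &fqdn:ip:x:ttl -> NS; x with a dot is the server name, else x.ns.fqdn
        x, ttl = get(2), int(get(3, "259200"))
        ns = _name(x) if "." in x else f"{x}.ns.{fqdn}"
        recs.append((fqdn, "NS", ns, ttl))
        if get(1):
            recs.append((ns, "A", get(1), ttl))
    elif prefix == "@":  # @fqdn:ip:x:dist:ttl -> MX; x with a dot is the server name, else x.mx.fqdn
        x, ttl = get(2), int(get(4, "86400"))
        mx = _name(x) if "." in x else f"{x}.mx.{fqdn}"
        recs.append((fqdn, "MX", f"{get(3, '0')} {mx}", ttl))
        if get(1):
            recs.append((mx, "A", get(1), ttl))
    elif prefix == "=":  # =fqdn:ip:ttl -> A plus the matching PTR
        ip, ttl = get(1), int(get(2, "86400"))
        recs.append((fqdn, "A", ip, ttl))
        recs.append((_reverse_name(ip), "PTR", fqdn, ttl))
    elif prefix == "+":  # +fqdn:ip:ttl -> A only, no PTR (the "alias" form used above)
        recs.append((fqdn, "A", get(1), int(get(2, "86400"))))
    elif prefix == "C":  # Cfqdn:p:ttl -> a real CNAME
        recs.append((fqdn, "CNAME", _name(get(1)), int(get(2, "86400"))))
    else:
        raise ValueError(f"unsupported tinydns prefix {prefix!r}: {line}")
    return recs


def expand_zone(text):
    """Expand a whole data file (or fragment) into a flat record list."""
    return [rec for line in text.splitlines() for rec in expand_line(line)]


def lookup(records, name, rtype):
    """Values of one record type for one name, as 'host -t <rtype> <name>' would show them."""
    return [v for n, t, v, _ in records if n == _name(name) and t == rtype]


# Constructed sample: a subset of the article's data file.
SAMPLE_DATA = """\
# domain1.com
Zdomain1.com:dns1.domain1.com.:ns.domain1.com.:2013101203:604800:86400:2419200:604800:3600
&domain1.com::dns1.domain1.com.:3600
&domain1.com::dns2.domain1.com.:3600
@domain1.com::mail1.domain1.com.:10:3600
@domain1.com::mail2.domain1.com.:30:3600
=dns1.domain1.com:108.61.210.99:3600
=mail1.domain1.com:89.201.163.42:3600
=www.domain1.com:108.61.178.194:3600
+domain1.com:108.61.178.194:3600
+smtp.domain1.com:89.201.163.42:3600
"""

if __name__ == "__main__":
    for name, rtype, value, ttl in expand_zone(SAMPLE_DATA):
        print(f"{name:<36} {ttl:>6} {rtype:<5} {value}")
```

The output mirrors what the host queries above return, and makes the = versus + difference visible: www.domain1.com gets a PTR record, the + alias for domain1.com pointing at the same address does not.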

If you run the PF firewall on your FreeBSD server, add this line to allow DNS queries over both UDP and TCP (tinydns itself only listens on UDP; the TCP half is for axfrdns if you run it). $me is a macro that must be defined earlier in pf.conf, for example me="108.61.178.110", and the flags S/SA part only applies to the TCP rule:

pass quick proto {tcp, udp} from any to $me port 53 flags S/SA keep state