The strongSwan packages are available in the Extra Packages for Enterprise Linux (EPEL) repository. We should enable EPEL first, then install strongSwan.
yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
yum install strongswan openssl
Both the VPN client and server need a certificate to identify and authenticate themselves. I have prepared two shell scripts to generate and sign the certificates. First, we download these two scripts into the folder /etc/strongswan/ipsec.d.
cd /etc/strongswan/ipsec.d
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_aklwebhost/server_key.sh
chmod a+x server_key.sh
wget https://raw.githubusercontent.com/michael-loo/strongswan_config/for_aklwebhost/client_key.sh
chmod a+x client_key.sh
In these two .sh files, I have set the organization name as AKLWEB-HOST-VPS-CENTOS. If you want to change it, open the .sh files and replace O=AKLWEB-HOST-VPS-CENTOS with O=YOUR_ORGANIZATION_NAME.
Next, use server_key.sh with the IP address of your server to generate the certificate authority (CA) key and certificate for the server. Replace SERVER_IP with the IP address of your AKLWEB HOST VPS.
./server_key.sh SERVER_IP
Generate the client key, certificate, and P12 file. Here, I will create the certificate and P12 file for the VPN user “john”.
./client_key.sh john john@gmail.com
Replace “john” and his email with yours before running the script.
After the certificates for client and server are generated, copy /etc/strongswan/ipsec.d/john.p12 and /etc/strongswan/ipsec.d/cacerts/strongswanCert.pem to your local computer.
Open the strongSwan IPSec configuration file.
vi /etc/strongswan/ipsec.conf
Replace its content with the following text.
config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightsourceip=172.16.1.100/16

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add

conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add

conn IpsecIKEv2-EAP
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
Edit the strongSwan configuration file, strongswan.conf.
vi /etc/strongswan/strongswan.conf
Delete everything and replace it with the following.
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}
include strongswan.d/*.conf
Edit the IPsec secret file to add a user and password.
vi /etc/strongswan/ipsec.secrets
Add a user account “john” into it.
: RSA vpnHostKey.pem
: PSK "PSK_KEY"
john %any : EAP "John's Password"
john %any : XAUTH "John's Password"
Please note that there must be whitespace on both sides of the colon ‘:’.
Edit /etc/sysctl.conf to allow forwarding in the Linux kernel.
vi /etc/sysctl.conf
Add the following line into the file.
net.ipv4.ip_forward=1
Save the file, then apply the change.
sysctl -p
Open the firewall for your VPN on the server.
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --permanent --add-port=4500/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
systemctl start strongswan
systemctl enable strongswan
strongSwan is now running on your server. Install the strongswanCert.pem and .p12 certificate files into your client. You will now be able to join your private network.
Munin can provide status and monitoring for any configuration from a single VPS to an entire datacenter of machines.
The following guide assumes you’re logged in as root and running CentOS 6 x64 on AKLWEB HOST. This guide should be applicable to CentOS 7 too.
You will require two servers.
Note that you can also monitor Server A, if desired.
Follow these steps on Server A.
First, install Apache to serve our Munin server status page, as well as Munin itself.
yum install httpd munin
Install nano if you’re not comfortable in vi.
yum install nano
It’s time to edit the Munin configuration to add monitoring of our additional servers, as by default Munin only monitors the local machine. Run the following.
nano /etc/munin/munin.conf
At the bottom, append the following where 192.168.10.2 is replaced with the IP address of Server B, and “serverb” is replaced with a descriptive hostname.
[serverb]
address 192.168.10.2
use_node_name yes
Additional servers to be monitored can be added in the same manner.
By default, Munin is not secured with a password. To set up a password, run the following:
nano /etc/munin/munin-htpasswd
… and enter a password to secure your Munin installation.
The username is munin.
Start Apache and Munin-node.
service httpd start
service munin-node start
You will now be able to log in to http://[SERVER_A_IP]/munin with the username munin and the password you have just specified.
Continue below for setting up munin-node on additional machines and configuring munin-node plugins.
The following can be applied to Server A, Server B, and as many additional servers as needed.
Install munin-node if it is not already installed.
yum install munin-node
Edit the munin-node.conf file.
nano /etc/munin/munin-node.conf
Append a new line with the IP address of Server A. The address must be in the format of a regular expression. Replace “192.168.10.1” with the IP address of Server A.
allow ^192\.168\.10\.1$
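The anchors and escaped dots in that allow line are what keep other addresses out. As an added example (mine, not the guide's or Munin's), the following POSIX sh derives the anchored pattern from a plain IPv4 address and counts how many look-alike addresses an unanchored pattern would accept; it assumes, as Munin documents, that munin-node applies the allow pattern as a regular expression to the connecting address.

```shell
# ip_to_allow_regex 192.168.10.1  ->  ^192\.168\.10\.1$
ip_to_allow_regex() {
    # Escape each dot so it matches a literal "." instead of any character,
    # then anchor both ends so only the whole address matches.
    printf '^%s$\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# allow_matches PATTERN IP  ->  succeeds if IP matches PATTERN as an extended
# regex, which is how munin-node evaluates its allow lines (assumption noted above).
allow_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# count_allowed PATTERN IP...  ->  number of the given addresses PATTERN accepts.
count_allowed() {
    pattern=$1; shift
    n=0
    for ip in "$@"; do
        if allow_matches "$pattern" "$ip"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample: Server A plus look-alike addresses that must stay blocked.
CANDIDATES='192.168.10.1 192.168.10.10 192.168.10.11 192.168.110.1 192x168x10x1'

demo() {
    anchored=$(ip_to_allow_regex 192.168.10.1)
    echo "anchored   $anchored : accepts $(count_allowed "$anchored" $CANDIDATES) of 5"
    echo "unanchored 192.168.10.1 : accepts $(count_allowed 192.168.10.1 $CANDIDATES) of 5"
}
demo
```

The unanchored form also passes 192.168.10.10 and 192.168.10.11 (prefix match) and 192x168x10x1 (unescaped dots match any character).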
At this point, you can start munin-node.
service munin-node restart
Server B’s status will be visible on your Munin status page at http://[SERVER_A_IP]/munin within a few minutes.
munin-node comes packaged with a wide variety of plugins.
To browse the available plugins:
cd /usr/share/munin/plugins/
ls
Any plugin can be enabled by creating a symbolic link to it in the /etc/munin/plugins folder. For example, to enable the Apache status plugins, run the following commands:
ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/apache_accesses
ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/apache_processes
ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/apache_volume
… then restart munin-node.
service munin-node restart
Wait a few minutes and your status will be available on your master server.
This tutorial explains how you can install a PPTP server on Ubuntu. The steps are generic; they should apply to almost all versions of Ubuntu.
Please note that security vulnerabilities have been found in the PPTP protocol and it may be worth evaluating other VPN protocols before utilizing PPTP.
The first thing that we need to do is, naturally, install PPTPD.
apt-get install pptpd
Installing PPTPD is that easy! Now we need to actually setup the PPTP server.
We don’t want everyone to be able to access our VPN of course; because of this, you can create users so that only the users with the correct password will be able to access your VPN. To add users, edit the file:
/etc/ppp/chap-secrets
The format is:
[username] [service] [password] [ip]
Username and password are pretty straightforward; service and IP are not though. Service is usually pptpd. If you just want to set up a VPN, use pptpd for the service – it will work. If you want to restrict the IP that a user can log in from, you can use his/her IP. If you want connections from that account to be accepted from all IPs, you can use *.
There are a few things that we need to edit. Start by editing the following file:
/etc/pptpd.conf
Look for the localip and remoteip settings. Remove the # (comment character) for both so that these settings will actually be recognized. Change localip to your server IP. If you don’t know your server IP, you may look in the AKLWEB HOST control panel.
The remoteip is basically the IP range that clients (computers that are connected to your VPN) will be assigned. For example, if you want the following IP range: 192.168.120.231-235, your VPN server will be able to assign 192.168.120.232, 192.168.120.233, 192.168.120.234, and 192.168.120.235 to clients. It’s up to you what you want to use for this field.
Find the line net.ipv4.ip_forward in the sysctl.conf file. We need to uncomment this line, so open the following file:
/etc/sysctl.conf
Make sure that it says net.ipv4.ip_forward=1, and not net.ipv4.ip_forward=0.
At this point, everything will work. Restart PPTPD.
service pptpd restart
Congratulations, you now have a PPTP server!
Using a VPN on Mac OS X is very easy.
Go to System Preferences -> Network. Click on the + icon and choose “VPN” as the interface. The name can be anything you want, for example “VPN”. The VPN type is “PPTP”. Click “Create”. You will now see some settings; the server address and username. These are the credentials you have entered in the /etc/ppp/chap-secrets file.
Now click on “Authentication Settings”. Choose “Password” and enter the password. Click “OK”, then click “Connect”.
Your computer will now connect to your VPN server. Internet traffic will be sent over the VPN server.
In Windows 8, setting up a VPN is pretty easy as well. The first thing you are going to do is go to the “Start menu” and type “VPN”. You should see “Set up a virtual private network (VPN) connection”. Click on that.
The internet address is your server IP. The destination name can be anything you would like, such as “VPN”. Click “Next”. Windows will now ask for your credentials; enter the username and password you have entered in the /etc/ppp/chap-secrets file. Click “Connect”.
Windows will now connect to your VPN server and start sending traffic over it.
/etc/resolv.conf to use other nameservers. Then, after a period of time (or after a system reboot), you discover that your changes to /etc/resolv.conf have been reverted.
This tutorial shows three methods to stop DHCP from changing /etc/resolv.conf on Debian or Ubuntu.
First, we need to get the IP/netmask/gateway of the server. Run the following command.
ifconfig | grep "inet addr" | head -n 1 | awk '{print $2, $4}'
This provides the server IP and netmask. Looking at the example output…
addr:1.2.3.4 Mask:255.255.254.0
… the server IP address is 1.2.3.4 and mask is 255.255.254.0.
To get the gateway address, run the following command.
netstat -rn | grep '^0.0.0.0' | awk '{print $2}'
In this example, I will use the gateway address 1.2.3.1.
Now that we have the IP/netmask/gateway, edit /etc/network/interfaces.
vim /etc/network/interfaces
Make the following edits:
# Comment out this line
# iface eth0 inet dhcp
# Add these contents
iface eth0 inet static
    address 1.2.3.4
    netmask 255.255.254.0
    gateway 1.2.3.1
Remember, you must replace these values with the appropriate IP/netmask/gateway of your server.
Save and exit, then reboot.
Change your nameservers by editing /etc/resolv.conf. Once you have made your edits, write protect that file.
chattr +i /etc/resolv.conf
The +i option (attribute) write protects the /etc/resolv.conf file on Linux so that no one can modify it – not even the root user.
If you need to remove the write protect attribute, use the following command.
chattr -i /etc/resolv.conf
This is the method that I recommend using the most.
Edit /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate.
vim /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
Make the following edits:
#!/bin/sh
# Redefine the dhclient-script function that rewrites /etc/resolv.conf as a
# no-op, so the nameservers from a DHCP lease are never written to the file.
make_resolv_conf(){
    :
}
Save and exit.
Update the permissions on the nodnsupdate file.
chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
Reboot your server. You can now update nameservers by editing /etc/resolv.conf without worrying about rollback.
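The hook works because dhclient-script sources every enter hook before it acts on a lease, so a hook can replace a function the script calls afterwards. As an added example (mine, not ISC dhclient's code or this guide's), the following POSIX sh models that sequence with a stand-in make_resolv_conf and temporary files instead of /etc; the real script does more, but the effect on resolv.conf is the same, and new_domain_name_servers is the variable dhclient actually sets from the lease.

```shell
WORK=$(mktemp -d)
RESOLV="$WORK/resolv.conf"      # stand-in for /etc/resolv.conf
HOOK="$WORK/nodnsupdate"        # stand-in for /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate

# Constructed sample: the nameservers an admin wrote by hand.
ADMIN_CONF='nameserver 1.1.1.1
nameserver 9.9.9.9'

# The hook exactly as the guide has it: it redefines make_resolv_conf as a no-op.
cat > "$HOOK" <<'EOF'
#!/bin/sh
make_resolv_conf(){
    :
}
EOF

# Stand-in for the default make_resolv_conf in dhclient-script (assumption: the
# real one does more, but the outcome is the same, the lease's servers replace
# the file).
make_resolv_conf() {
    : > "$RESOLV"
    for ns in $new_domain_name_servers; do
        printf 'nameserver %s\n' "$ns" >> "$RESOLV"
    done
}

# simulate_lease HOOK_PATH_OR_EMPTY "DNS SERVERS"  ->  prints resolv.conf after the run.
# The body is a subshell so the hook's redefinition does not leak between calls.
simulate_lease() (
    hook=$1
    new_domain_name_servers=$2
    printf '%s\n' "$ADMIN_CONF" > "$RESOLV"
    if [ -n "$hook" ]; then
        . "$hook"              # what dhclient-script does with every enter hook
    fi
    make_resolv_conf           # the call the hook has just neutralised
    cat "$RESOLV"
)

cleanup() { rm -rf "$WORK"; }

echo "--- without the hook, a lease offering 10.0.0.53 overwrites the file:"
simulate_lease "" "10.0.0.53 10.0.0.54"
echo "--- with the hook sourced, the same lease leaves the file alone:"
simulate_lease "$HOOK" "10.0.0.53 10.0.0.54"
```

Call cleanup when done to remove the temporary directory.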
File -> Preferences -> Start this application when user logs on
sysdm.cpl -> Remote -> Allow Remote Assistance (both)
My Servers -> Manage -> Snapshots -> Take Snapshot. It will take a few moments to save a snapshot of your VPS.
After deploying a VPS snapshot you can simply use your “DUC hostname” in any Remote Desktop Client. This saves a lot of time when you deploy VPS multiple times – as you don’t have to use your RD credentials each time.
This article will show you how to install and setup ocserv on Ubuntu 14.04 x64.
Since Ubuntu 14.04 does not ship with ocserv, we will have to download the source code and compile it. The latest stable version of ocserv is 0.9.2.
Download ocserv from the official site.
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.2.tar.xz
tar -xf ocserv-0.9.2.tar.xz
cd ocserv-0.9.2
Next, install the compile dependencies.
apt-get install build-essential pkg-config libgnutls28-dev libwrap0-dev libpam0g-dev libseccomp-dev libreadline-dev libnl-route-3-dev
Compile and install ocserv.
./configure
make
make install
A sample config file is placed under the directory ocserv-0.9.2/doc. We will use this file as a template. First, we have to make our own CA cert and server cert.
cd ~
apt-get install gnutls-bin
mkdir certificates
cd certificates
We create a CA template file (ca.tmpl) with content similar to the following. You can set your own “cn” and “organization”.
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
Then, generate a CA key and CA cert.
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Next, create a local server certificate template file (server.tmpl) with the content below. Please pay attention to the “cn” field; it must match the DNS name or IP address of your server.
cn = "your domain name or ip"
organization = "MyCompany"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
Then, generate the server key and certificate.
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
Copy the key, certificate, and config file to the ocserv config directory.
mkdir /etc/ocserv
cp server-cert.pem server-key.pem /etc/ocserv
cd ~/ocserv-0.9.2/doc
cp sample.config /etc/ocserv/config
cd /etc/ocserv
Edit the config file under /etc/ocserv. Uncomment or modify the fields described below.
auth = "plain[/etc/ocserv/ocpasswd]"
try-mtu-discovery = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
dns = 8.8.8.8
# comment out all route fields
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#no-route = 192.168.5.0/255.255.255.0
cisco-client-compat = true
Generate a user that will be used to login to ocserv.
ocpasswd -c /etc/ocserv/ocpasswd username
Enable NAT.
iptables -t nat -A POSTROUTING -j MASQUERADE
Enable IPv4 forwarding. Edit the file /etc/sysctl.conf.
net.ipv4.ip_forward=1
Apply this modification.
sysctl -p /etc/sysctl.conf
First, start ocserv.
ocserv -c /etc/ocserv/config
Then, install Cisco AnyConnect on any of your devices, such as iPhone, iPad, or an Android device. Since we used a self-signed server key and certificate, we have to uncheck the option which prevents insecure servers. This option is located in the settings of AnyConnect. At this point, we can setup a new connection with the domain name or IP address of our ocserv and the username/password that we created.
Connect and enjoy!
hostname pluto
nano, you can then type: nano /etc/hostname
pluto, then press Ctrl + X, then Y, then Enter.
nano, type nano /etc/hosts to edit the hosts file.
127.0.0.1 pluto
hostname
hostnamectl set-hostname pluto
hostname
In this tutorial, we’ll compile ZNC with the web admin module installed.
First of all, and as always, we’ll update the package cache.
sudo apt-get update
Next, we’ll install some dependencies required to compile ZNC.
sudo apt-get install libssl-dev libperl-dev pkg-config build-essential
Download the latest release of ZNC:
cd /usr/local/src
sudo wget http://znc.in/releases/znc-latest.tar.gz
Extract ZNC from the tarball, and then enter the source directory:
sudo tar xf znc-latest.tar.gz
cd znc-*/
At this step, you can set ZNC’s installation directory by adding the --prefix=<yourdir> option. But for now, we’ll install it system wide:
./configure
We’ll compile ZNC and install it with the following commands. To speed up the process, you may add -j n to the first make command, where n is the number of cores / vCPUs on your server.
sudo make
sudo make install
This may take a few minutes, depending on your machine’s configuration.
It is important not to run web-facing apps under root. So we’ll create a new user for ZNC.
adduser --disabled-password znc
Now switch to znc.
su - znc
cd ~
Create ZNC’s config file under znc:
/usr/local/bin/znc --makeconf
ZNC will ask us some questions in order to create the config file. The first one is important; note your input because you will connect to the ZNC daemon using that port.
We’ll enter 6697 now – that’s the default port for IRC with SSL / TLS.
[ ?? ] What port would you like ZNC to listen on? (1025 to 65535): 6697
It is strongly recommended to enable SSL listening instead of the plain-text (i.e. insecure) scheme.
Would you like ZNC to listen using SSL? (yes/no) [no]: yes
Next question is regarding IPv6. That actually depends on your needs. If your home network is IPv6 enabled, it’s recommended to enable. We’ll just leave the default option there.
[ ?? ] Would you like ZNC to listen using both IPv4 and IPv6? (yes/no) [yes]: <press Enter>
Now it’ll prompt us about two global modules, partyline
and webadmin
. They’re self-explanatory, and we’ll need to enable them.
[ ?? ] Load global module <partyline>? (yes/no) [no]: yes
[ ?? ] Load global module <webadmin>? (yes/no) [no]: yes
User creation. Enter your desired username and password for the user, then confirm it. Note that the password will not be echoed.
[ ?? ] Username (AlphaNumeric): Doe
[ ?? ] Enter Password: <password>
[ ?? ] Confirm Password: <password>
Grant the user admin permissions:
[ ?? ] Would you like this user to be an admin? (yes/no) [yes]: yes
Then, your IRC network options. Set it on your own. Here’s an example:
[ ?? ] Nick [Doe]: Doe
[ ?? ] Alt Nick [Doe_]: Doe_
[ ?? ] Ident [Doe]: DoeIdent
[ ?? ] Real Name [Got ZNC?]: Jane Doe
[ ?? ] Bind Host (optional): server.hostname
[ ?? ] Number of lines to buffer per channel [50]: 50
[ ?? ] Would you like to clear channel buffers after replay? (yes/no) [yes]: yes
Enable these modules:
[ ?? ] Load module <chansaver>? (yes/no) [no]: yes
[ ?? ] Load module <controlpanel>? (yes/no) [no]: yes
[ ?? ] Load module <perform>? (yes/no) [no]: yes
[ ?? ] Load module <webadmin>? (yes/no) [no]: yes
Now we may setup the IRC network that ZNC will connect to.
[ ?? ] Would you like to set up a network? (yes/no) [no]: yes
We’ll use #ubuntu on Freenode for example.
Network (e.g. 'freenode' or 'efnet'): freenode
Information about these network modules prompted are here.
[ ?? ] Load module <chansaver>? (yes/no) [no]: yes
[ ?? ] Load module <keepnick>? (yes/no) [no]: yes
[ ?? ] Load module <kickrejoin>? (yes/no) [no]: yes
[ ?? ] Load module <nickserv>? (yes/no) [no]: yes
[ ?? ] Load module <perform>? (yes/no) [no]: yes
[ ?? ] Load module <simple_away>? (yes/no) [no]: yes
Set the server we’ll connect to:
[ ?? ] IRC server (host only): irc.freenode.net
[ ?? ] [irc.freenode.net] Port (1 to 65535) [6667]: 6697
[ ?? ] [irc.freenode.net] Password (probably empty):
[ ?? ] Does this server use SSL? (yes/no) [no]: yes
[ ** ]
[ ?? ] Would you like to add another server for this IRC network? (yes/no) [no]: no
And the channel we’ll join:
[ ?? ] Would you like to add a channel for ZNC to automatically join? (yes/no) [yes]: yes
[ ?? ] Channel name: #ubuntu
[ ?? ] Would you like to add another channel? (yes/no) [no]: no
Finish the configuration and launch ZNC:
[ ?? ] Would you like to set up another user? (yes/no) [no]: no
[ .. ] Writing config [/home/znc/.znc/configs/znc.conf]...
[ >> ] ok
... ...
[ ?? ] Launch ZNC now? (yes/no) [yes]: yes
Yay. ZNC is up and running!
tcpdump is the tool for that job. Tcpdump is a network packet analyzer that runs under the command line.
This article will be split into three parts:
Since tcpdump is not included with most base systems, you will need to install it. However, nearly all Linux distributions have tcpdump in their core repositories. For Debian based distributions, the command to install tcpdump is:
apt-get install tcpdump
For CentOS/RedHat, use the following command:
yum install tcpdump
FreeBSD offers a pre-built package which can be installed by issuing:
pkg install tcpdump
There’s also a port available, net/tcpdump, which can be installed via:
cd /usr/ports/net/tcpdump
make install clean
If you run tcpdump without any arguments, you’ll be battered with results. Running it on a freshly spun up instance here on AKLWEB Host for less than five seconds gives the following results:
2661 packets captured
2663 packets received by filter
0 packets dropped by kernel
Before going into more details on how to filter input, you should take a look at some parameters that can be passed to tcpdump:
-i – Specifies the interface you want to listen on, for example: tcpdump -i eth0.
-n – Do not try to do reverse lookups on IP addresses, for example: tcpdump -n (if you add another n, tcpdump will show you port numbers instead of names).
-X – Show the content of the collected packets: tcpdump -X.
-c – Only capture x packets, x being an arbitrary number, for example tcpdump -c 10 captures exactly 10 packets.
-v – Increase the amount of packet information you are shown; more v’s add more verbosity.
Each of those parameters mentioned here can be combined together. If you wanted to capture 100 packets, but only on your VPN interface tun0, then the tcpdump command would look like this:
tcpdump -i tun0 -c 100 -X
There are dozens (if not hundreds) of options in addition to those few, but they are the most common ones. Feel free to read tcpdump’s manpage on your system.
Now that you have a basic understanding of tcpdump, it’s time to look at one of tcpdump’s most awesome features: expressions. Expressions will make your life a lot easier. They are also known as BPF or Berkeley Packet Filters. Using expressions allows you to selectively display (or ignore) packets based on certain characteristics – such as origin, destination, size, or even TCP sequence number.
So far you’ve managed to limit your search to a certain amount of packets on a certain interface, but let’s be honest here: that still leaves too much background noise to effectively work with the collected data. That’s where expressions come into play. The concept is pretty straightforward, so we’ll leave out the dry theory here and support the understanding with some practical examples.
The expressions that you’ll probably be using the most are:
host – Look for traffic based on hostnames or IP addresses.
src or dst – Look for traffic from or to a specific host.
proto – Look for traffic of a certain protocol. Works for tcp, udp, icmp, and others. Omitting the proto keyword is also possible.
net – Look for traffic to / from a certain range of IP addresses.
port – Look for traffic to / from a certain port.
greater or less – Look for traffic bigger or smaller than a certain amount of bytes.
While the manpage for tcpdump just contains a few examples, the manpage for pcap-filter has very detailed explanations on how each filter works and can be applied.
If you want to see how your communication with a certain server is going, then you can use the host keyword, for example (including some of the parameters from above):
tcpdump -i eth0 host aklwebhost.com
Sometimes there are computers on the network that don’t honor the MTU or spam you with large packets; filtering them out can be difficult. Expressions allow you to filter out packets that are bigger or smaller than a certain number of bytes:
tcpdump -i eth0 -nn greater 128
or
tcpdump -i eth0 -nn less 32
Maybe only a certain port is of interest to you. In this case, use the port expression:
tcpdump -i eth0 -X port 21
You can also look out for port ranges:
tcpdump -i eth0 -X portrange 22-25
Since NAT gateways are pretty common, you may only look for destination ports:
tcpdump dst port 80
If you are watching traffic to your web server, you may only want to look at TCP traffic to port 80:
tcpdump tcp and dst port 80
You are probably asking yourself what the keyword and is doing there. Good question. That brings us to the last part of this article.
tcpdump offers basic support for logical expressions, more specifically:
and / && – Logical “and”.
or / || – Logical “or”.
not / ! – Logical “not”.
Together with the ability to group expressions together, this allows you to create very powerful searches for incoming and outgoing traffic. So let’s filter out traffic coming from aklwebhost.com on port 22 or 443:
tcpdump -i eth0 src host aklwebhost.com and (dst port 22 or 443)
Running this on the command line will give you the following error:
bash: syntax error near unexpected token `('
That’s because there is a caveat: bash tries to evaluate every character it can. This includes the ( and ) characters. In order to avoid that error, you should use single quotes around the combined expression:
tcpdump -i eth0 'src host aklwebhost.com and (dst port 22 or 443)'
Another useful example: When debugging SSH issues with one of your users, you may want to ignore everything that’s related to your SSH session:
tcpdump "not host $youripaddress and port 22"
Again, the use cases are endless, and you can specify into extreme depths what kind of traffic that you want to see. The following command would show you only SYNACK packets of a TCP handshake:
tcpdump -i eth0 'tcp[13]=18'
This works by looking at offset 13 of the TCP header, the flags byte, and matching the value 18 in it.
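The value 18 is the flags byte with SYN (2) and ACK (16) set and nothing else. As an added example (mine, not the article's), the following POSIX sh decodes that byte, builds both the article's exact-match filter and a mask form that also passes SYN/ACKs carrying extra bits such as ECE, and checks which observed flag values each form would show; nothing here captures traffic.

```shell
# flag_bit NAME -> the bit for NAME in the TCP flags byte (offset 13 of the header)
flag_bit() {
    case $1 in
        FIN) echo 1 ;;   SYN) echo 2 ;;   RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;;  URG) echo 32 ;;  ECE) echo 64 ;;  CWR) echo 128 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# flags_value FLAG... -> decimal value of a flags byte with exactly those flags set
flags_value() {
    v=0
    for f in "$@"; do
        v=$(( v | $(flag_bit "$f") ))
    done
    echo "$v"
}

# flags_names VALUE -> names of the flags set in VALUE, in bit order
flags_names() {
    out=""
    for f in FIN SYN RST PSH ACK URG ECE CWR; do
        if [ $(( $1 & $(flag_bit "$f") )) -ne 0 ]; then
            out="$out${out:+ }$f"
        fi
    done
    echo "$out"
}

# exact_filter FLAG... -> the article's form: only packets whose byte equals this value
exact_filter() {
    echo "tcp[13]=$(flags_value "$@")"
}

# mask_filter FLAG... -> packets that have at least these flags, whatever else is set.
# pcap-filter(7) also accepts names for the same thing:
#   tcp[tcpflags] & (tcp-syn|tcp-ack) = (tcp-syn|tcp-ack)
mask_filter() {
    v=$(flags_value "$@")
    echo "tcp[13] & $v = $v"
}

# passes exact|mask WANTED OBSERVED -> succeeds if a packet whose flags byte is
# OBSERVED would be shown by the filter built for WANTED
passes() {
    case $1 in
        exact) [ "$3" -eq "$2" ] ;;
        mask)  [ $(( $3 & $2 )) -eq "$2" ] ;;
        *) return 2 ;;
    esac
}

demo() {
    synack=$(flags_value SYN ACK)
    echo "SYN+ACK = $synack ($(flags_names "$synack"))"
    echo "exact: $(exact_filter SYN ACK)"
    echo "mask:  $(mask_filter SYN ACK)"
    # Constructed sample: a plain SYN/ACK (18) and an ECN-capable one (SYN+ACK+ECE = 82).
    for observed in 18 82; do
        for mode in exact mask; do
            if passes $mode "$synack" "$observed"; then r=shown; else r=hidden; fi
            echo "flags byte $observed ($(flags_names "$observed")) under $mode filter: $r"
        done
    done
}
demo
```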
If you made it all the way here, then you are ready for most use cases that will arise. I can barely touch the surface without going into too many details. I highly recommend that you experiment with the different options and expressions a bit further; and as usual: reference the manpage when you get lost.
Last but not least – a quick look back. Remember the beginning of this article? With the thousands of packets captured in a matter of seconds? The power of tcpdump can trim that down a whole lot:
tcpdump -i eth0 tcp port 22
The result is now:
81 packets captured
114 packets received by filter
0 packets dropped by kernel
This is much saner and easier to debug. Happy networking!
To begin, open your terminal and install this package:
<ceph>[~]# pkg install djbdns
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 3 packages will be affected (of 0 checked):
New packages to be INSTALLED:
djbdns: 1.05_20,1
ucspi-tcp: 0.88_2
daemontools: 0.76_17
The process will require 1 MB more space.
251 KB to be downloaded.
Proceed with this action? [y/N]: y
Fetching djbdns-1.05_20,1.txz: 100% 139 KB 142.4k/s 00:01
Fetching ucspi-tcp-0.88_2.txz: 100% 62 KB 63.1k/s 00:01
Fetching daemontools-0.76_17.txz: 100% 51 KB 51.7k/s 00:01
Checking integrity... done (0 conflicting)
[1/3] Installing ucspi-tcp-0.88_2...
[1/3] Extracting ucspi-tcp-0.88_2: 100%
[2/3] Installing daemontools-0.76_17...
[2/3] Extracting daemontools-0.76_17: 100%
[3/3] Installing djbdns-1.05_20,1...
[3/3] Extracting djbdns-1.05_20,1: 100%
Installation will automatically install additional packages (daemontools and ucspi-tcp).
Create two users, gtinydns and gdnslog. Start with the first user:
<ceph>[~]# adduser
Username: gtinydns
Full name: gtinydns
Uid (Leave empty for default):
Login group [gtinydns]:
Login group is gtinydns. Invite gtinydns into other groups? []:
Login class [default]:
Shell (sh csh tcsh zsh rzsh nologin) [sh]: nologin
Home directory [/home/gtinydns]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]: yes
Lock out the account after creation? [no]:
Username : gtinydns
Password : <random>
Full Name : gtinydns
Uid : 1002
Class :
Groups : gtinydns
Home : /home/gtinydns
Home Mode :
Shell : /usr/sbin/nologin
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gtinydns) to the user database.
adduser: INFO: Password for (gtinydns) is: rTsada2131sa1Mg
Add another user? (yes/no): no
Goodbye!
Now, add the second user:
<ceph>[~]# adduser
Username: gdnslog
Full name: gdnslog
Uid (Leave empty for default):
Login group [gdnslog]:
Login group is gdnslog. Invite gdnslog into other groups? []:
Login class [default]:
Shell (sh csh tcsh zsh rzsh nologin) [sh]: nologin
Home directory [/home/gdnslog]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]: yes
Lock out the account after creation? [no]:
Username : gdnslog
Password : <random>
Full Name : gdnslog
Uid : 1003
Class :
Groups : gdnslog
Home : /home/gdnslog
Home Mode :
Shell : /usr/sbin/nologin
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gdnslog) to the user database.
adduser: INFO: Password for (gdnslog) is: jWsdad33aasdaFa0
Add another user? (yes/no): no
Goodbye!
Run the following command. Replace the IP address with the address of your AKLWEB Host server.
<ceph>[~]# tinydns-conf gtinydns gdnslog /usr/local/etc/tinydns 108.61.100.100
This command will create directories, files, and other sub directories in /usr/local/etc/tinydns. It will also put the IP address of the VPS in /usr/local/etc/tinydns/env/IP.
Create the directory /service.
<ceph>[~]# mkdir /service
Edit your /etc/rc.conf file:
<ceph>[~]# ee /etc/rc.conf
… and add these lines:
svscan_enable="YES"
svscan_servicedir="/service"
Save the configuration and start the svscan service:
<ceph>[~]# /usr/local/etc/rc.d/svscan start
Starting svscan.
Next, go to this directory:
<ceph>[~]# cd /usr/local/etc/tinydns/root
Edit the data file:
<ceph>[root]# ee data
… and add some DNS data:
# domain1.com
Zdomain1.com:dns1.domain1.com.:ns.domain1.com.:2013101203:604800:86400:2419200:604800:3600
&domain1.com::dns1.domain1.com.:3600
&domain1.com::dns2.domain1.com.:3600
# MX
@domain1.com::mail1.domain1.com.:10:3600
@domain1.com::mail2.domain1.com.:30:3600
# IP's (A records)
=dns1.domain1.com:108.61.210.99:3600
=dns2.domain1.com:89.201.163.42:3600
=mail1.domain1.com:89.201.163.42:3600
=mail2.domain1.com:85.114.41.8:3600
=www.domain1.com:108.61.178.194:3600
=test1.domain1.com:193.198.184.100:3600
=test2.domain1.com:108.61.178.215:3600
# Aliases
+domain1.com:108.61.178.194:3600
+smtp.domain1.com:89.201.163.42:3600
+imap.domain1.com:89.201.163.42:3600
Save the file and exit.
Run ls:
<ceph>[root]# ls
Makefile add-alias add-childns add-host add-mx add-ns data
Convert your text data to the database format:
<ceph>[root]# make
/usr/local/bin/tinydns-data
Run ls again:
<ceph>[root]# ls
Makefile add-alias add-childns add-host add-mx add-ns data data.cdb
Notice the data.cdb file. You have created it with the make command.
And one more thing, create a symbolic link:
<ceph>[root]# ln -s /usr/local/etc/tinydns /service
Now test your new DNS server. Replace 108.61.178.110 with the IP address of your server.
<ceph>[root]# host www.domain1.com 108.61.178.110
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases:
www.domain1.com has address 108.61.178.194
Nameserver lookup:
<ceph>[root]# host -t ns domain1.com 108.61.178.110
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases:
domain1.com name server dns1.domain1.com.
domain1.com name server dns2.domain1.com.
Mailserver MX lookup:
<ceph>[root]# host -t mx domain1.com 108.61.178.110
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases:
domain1.com mail is handled by 10 mail1.domain1.com.
domain1.com mail is handled by 30 mail2.domain1.com.
One more time to be sure:
<ceph>[root]# host mail1.domain1.com 108.61.178.110
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases:
mail1.domain1.com has address 89.201.163.42
Congratulations! You have a working DNS server. Replace domain1.com with your domain. After every change, run the make command to make a new data.cdb file.
Explanation of the data file:
“A” records begin with an = sign. Aliases or CNAME records with a + sign. Mail servers begin with the @ sign. Nameservers with the & sign.
Example 1:
=test1.domain1.com:193.198.184.100:3600
= stands for “A” record. test1.domain1.com is the DNS name, IP 193.198.184.100 is the address to which test1.domain1.com resolves, and 3600 is the TTL (time to live).
Example 2:
# MX
@domain1.com::mail1.domain1.com.:10:3600
@domain1.com::mail2.domain1.com.:30:3600
In this example, mail1 and mail2 are mail servers for domain1.com. mail1 has priority 10 and mail2 has priority 30. That means that mail servers will first try to deliver mail to mail1. If mail1 fails, then they will try mail2.
The following line marks the beginning of the zone info. It is required.
Zdomain1.com:dns1.domain1.com.:ns.domain1.com.:2013101203:604800:86400:2419200:604800:3600
The number 2013101203 is used when you have secondary DNS at some other provider. When you change the number to 2013101204, the secondary DNS will know that there are some changes in DNS and will pick up the changes. This is just for informative purposes (you would need the AXFR DNS transfer service). Alternatively, you can copy and paste your DNS changes between two DJBDNS servers with the rsync program.
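Because the data file is compiled by make with no feedback beyond a syntax check, it helps to review it first. As an added example (mine, not part of djbdns or this guide), the following awk-based POSIX sh reader turns the record types used above (Z, &, @, =, +) into readable zone lines, extracts the SOA serial, and lists hosts that NS, MX or SOA records point at without an address record in the same file; it treats + as an address-only record (an A without the reverse entry), which is what tinydns-data makes of it, and the sample data is constructed in the same layout as the file above.

```shell
# Constructed sample in the tinydns data layout used in this guide (not a real zone).
SAMPLE_DATA='# domain1.com
Zdomain1.com:dns1.domain1.com.:ns.domain1.com.:2013101203:604800:86400:2419200:604800:3600
&domain1.com::dns1.domain1.com.:3600
@domain1.com::mail1.domain1.com.:10:3600
=dns1.domain1.com:108.61.210.99:3600
=www.domain1.com:108.61.178.194:3600
+smtp.domain1.com:89.201.163.42:3600'

# tinydns_to_zone < data  ->  one readable "name ttl type value" line per record.
# Field layout assumed for the record types this guide uses:
#   Zfqdn:mname:rname:serial:refresh:retry:expire:min:ttl
#   &fqdn:ip:nameserver:ttl      @fqdn:ip:mailhost:dist:ttl
#   =fqdn:ip:ttl                 +fqdn:ip:ttl
tinydns_to_zone() {
    awk -F: '
        /^#/ || /^$/ { next }                       # skip comments and blank lines
        { type = substr($1, 1, 1); name = substr($1, 2) }
        type == "Z" { printf "%s %s SOA %s %s serial=%s\n", name, $9, $2, $3, $4; next }
        type == "&" { printf "%s %s NS %s\n", name, $4, $3; next }
        type == "@" { printf "%s %s MX %s %s\n", name, $5, $4, $3; next }
        type == "=" { printf "%s %s A %s (with PTR)\n", name, $3, $2; next }
        type == "+" { printf "%s %s A %s\n", name, $3, $2; next }
        { printf "UNKNOWN record type %s: %s\n", type, $0 }
    '
}

# unresolved_hosts < data  ->  names that Z / & / @ records point at but that have
# no = or + record in the same file, i.e. lookups for them would fail on this server.
unresolved_hosts() {
    awk -F: '
        /^#/ || /^$/ { next }
        { type = substr($1, 1, 1); name = substr($1, 2) }
        type == "Z"                { h = $2; sub(/\.$/, "", h); want[h] = 1 }
        type == "&" || type == "@" { h = $3; sub(/\.$/, "", h); want[h] = 1 }
        type == "=" || type == "+" { have[name] = 1 }
        END { for (h in want) if (!(h in have)) print h }
    ' | sort
}

# soa_serial < data  ->  the serial from the Z line, the value a secondary compares
# to decide whether the zone has changed.
soa_serial() {
    awk -F: 'substr($1, 1, 1) == "Z" { print $4; exit }'
}

printf '%s\n' "$SAMPLE_DATA" | tinydns_to_zone
echo "serial: $(printf '%s\n' "$SAMPLE_DATA" | soa_serial)"
echo "hosts without an address record: $(printf '%s\n' "$SAMPLE_DATA" | unresolved_hosts)"
```

Run the functions against /usr/local/etc/tinydns/root/data before make to see the records as they will be served and to catch a mail or name server that has no address in the file.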
If you have PF Firewall on your FreeBSD server, add this line to allow DNS queries:
pass quick proto {tcp, udp} from any to $me port 53 flags S/SA keep state