Thursday, November 13, 2014

How To Setup Your Own VPN With PPTP on Linux (CentOS, Ubuntu, Debian)

A virtual private network (VPN) is a network that extends a private network (i.e. a LAN) across a public network, such as the Internet. It enables communication between computers and devices across shared or public networks as if they were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network.
This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. Basically, if two computers are connected through a VPN, they can communicate directly, the same way as if they were in a local network. Although the two computers could be physically very distant, other computers on the internet are not able to intercept their communication.

Server side setup and configuration

The most popular VPN solutions are OpenVPN and PPTP. We will use PPTP. Before we proceed and set up our own VPN network, we need one computer that will be the VPN server. That computer will be responsible for assigning IP addresses to the clients, establishing the initial connection between clients or between a client and the server, handling the security protocols and authenticating users/clients. In order to install PPTP we execute the following command:
# apt-get install pptpd
Alternatively, if we are using CentOS we should execute:
# rpm -i http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
# yum -y install pptpd
The next step is to edit the default configuration file /etc/pptpd.conf using our favourite editor and add the following lines:
localip 172.16.0.1
remoteip 172.16.0.100-200
In this case, 172.16.0.1 is the IP that the VPN server will use inside the VPN, and an IP from the range 172.16.0.100-200 will be assigned to each client that authenticates.
Now we need to add new users. The file that contains the users and their passwords is /etc/ppp/chap-secrets. Each client is entered with the following information, in the following order:
# client        server  secret                  IP addresses
In order to create a new client called client1 that will be able to use the pptpd server from any location using the password password1, we add the following line; the asterisk means that any IP address can use that login information:
client1  pptpd    password1   *
The last thing we need to do before starting our VPN server is to add DNS servers. We can add the DNS servers provided by our internet provider, or use Google's DNS servers, and insert them in the file:
ms-dns 8.8.8.8
ms-dns 8.8.4.4
Now we can start the pptpd daemon using the command:
service pptpd start
To verify that it is running and listening for incoming connections, execute:
netstat -alpn | grep pptp
The output should look something like this:
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN      20934/pptpd
unix  2      [ ]         DGRAM                    5992346  20934/pptpd
In order for the VPN server to work properly and be able to forward requests, we should make sure that the following line exists in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
If it doesn't exist, add it and then apply the configuration with:
sysctl -p
If we want the clients to be able to communicate with each other inside the VPN network, we create the following iptables rules:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save
# iptables --table nat --append POSTROUTING --out-interface ppp0 -j 
# iptables -I INPUT -s 172.16.0.0/16 -i ppp0 -j ACCEPT
# iptables --append FORWARD --in-interface eth0 -j ACCEPT
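The server-side files above are short but easy to get subtly wrong (a reversed remoteip range, a secret with a space in it, a world-readable chap-secrets). The following shell script is an added example, not code from the original post: it writes the three pptpd server files into a configurable prefix and checks the result. One assumption the post does not state: the ms-dns lines belong in /etc/ppp/pptpd-options, the pppd options file a stock pptpd install points at. The script concerns the file mechanics only; PPTP's MS-CHAPv2 authentication and MPPE have been publicly broken since 2012 and would not be chosen for a new deployment.

```shell
#!/bin/sh
# Added example, not code from the original post: writes the three pptpd server
# files described above into $PREFIX (default /etc) and validates the result.
# Assumption not stated on the page: the ms-dns lines belong in
# ppp/pptpd-options, the pppd options file a stock pptpd install points at.
PREFIX="${PREFIX:-/etc}"

# write_pptpd_conf LOCALIP REMOTE_RANGE -> pptpd.conf with the two lines from the post
write_pptpd_conf() {
    printf 'localip %s\nremoteip %s\n' "$1" "$2" > "$PREFIX/pptpd.conf"
}

# check_pptpd_conf -> 0 when localip is set and remoteip uses the short
# "a.b.c.low-high" form used in the post, with low < high
check_pptpd_conf() {
    f="$PREFIX/pptpd.conf"
    grep -q '^localip ' "$f" || return 1
    range=$(awk '$1 == "remoteip" { print $2 }' "$f")
    [ -n "$range" ] || return 1
    low=${range##*.}; low=${low%-*}; high=${range##*-}
    [ "$low" -lt "$high" ] 2>/dev/null
}

# write_dns_options DNS [DNS...] -> one ms-dns line per resolver handed to clients
write_dns_options() {
    : > "$PREFIX/ppp/pptpd-options"
    for dns in "$@"; do
        printf 'ms-dns %s\n' "$dns" >> "$PREFIX/ppp/pptpd-options"
    done
}

# add_chap_client NAME SECRET [SOURCE] -> appends a chap-secrets row; SOURCE
# defaults to "*" as in the post. Whitespace in NAME or SECRET would shift the
# columns, so it is rejected, and the file is kept owner-readable only because
# the secrets are stored in clear text.
add_chap_client() {
    name="$1"; secret="$2"; source="${3:-*}"
    [ -n "$name" ] && [ -n "$secret" ] || { echo "add_chap_client: empty field" >&2; return 1; }
    case "$name$secret" in
        *[[:space:]]*) echo "add_chap_client: whitespace in name or secret" >&2; return 1 ;;
    esac
    printf '%-15s pptpd %-23s %s\n' "$name" "$secret" "$source" >> "$PREFIX/ppp/chap-secrets"
    chmod 600 "$PREFIX/ppp/chap-secrets"
}

# list_wildcard_clients -> names of clients allowed to log in from any address
list_wildcard_clients() {
    awk '$1 !~ /^#/ && NF >= 4 && $4 == "*" { print $1 }' "$PREFIX/ppp/chap-secrets"
}

# ip_forward_enabled -> 0 when the running kernel forwards IPv4 (net.ipv4.ip_forward = 1)
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Demo run against a scratch directory (set PREFIX=/etc and drop --demo to install for real)
if [ "${1:-}" = "--demo" ]; then
    PREFIX=$(mktemp -d); mkdir -p "$PREFIX/ppp"
    write_pptpd_conf 172.16.0.1 172.16.0.100-200
    write_dns_options 8.8.8.8 8.8.4.4
    add_chap_client client1 password1
    check_pptpd_conf && echo "pptpd.conf ok"
    echo "clients accepted from any source address: $(list_wildcard_clients)"
    ip_forward_enabled || echo "ip_forward is off: add net.ipv4.ip_forward = 1 to /etc/sysctl.conf and run sysctl -p"
fi
```

Run it with --demo to exercise the functions in a temporary directory; list_wildcard_clients is the check worth keeping around, since every "*" entry is a credential that can be used from anywhere on the internet.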

Client side setup and configuration

In order for a client computer to connect to our VPN server, we install the PPTP client using the following command (the first one is for CentOS, the second for Debian/Ubuntu):
# yum -y install pptp
# apt-get install pptp-linux
The VPN client requires the ppp_mppe kernel module, so we need to load it:
# modprobe ppp_mppe
Client configuration is created in the /etc/ppp/peers/ folder. To configure the parameters for the server we want to use, we create the configuration file with our favourite editor and set the following parameters (we are on client1 now):
pty "pptp  --nolaunchpppd"
name client1
password password1
remotename PPTP
require-mppe-128
If our config file in the example above was named /etc/ppp/peers/vpnserver, then to start the client and connect to the VPN server we execute:
# pppd call vpnserver
After starting the client, check the log files for errors or a successful connection message:
# cat /var/log/syslog | grep pptp
We should explicitly set proper routing for the VPN traffic on our clients:
ip route add 172.16.0.0/16 dev ppp0
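The client steps above end with "check the log"; what a practitioner actually wants is a yes/no answer to "did the tunnel come up, and with the 128-bit MPPE the config requires?". The following shell script is an added example, not code from the original post: it writes the peers file from the steps above (with the server host as a parameter, because the post's pty line leaves it out) and reads pppd's syslog lines back to classify the outcome. The log lines in the demo are constructed, modelled on pppd's usual messages.

```shell
#!/bin/sh
# Added example, not code from the original post: writes the client peers file
# from the steps above and reads pppd's syslog lines back to tell whether the
# tunnel came up with the 128-bit MPPE that require-mppe-128 demands. The
# server host is a parameter because the post's pty line leaves it out.
# The log lines in --demo are constructed, modelled on pppd's usual messages.

# write_peer NAME SERVER USER PASSWORD [PEERSDIR] -> PEERSDIR/NAME (default
# /etc/ppp/peers), created owner-readable only since it holds the password
write_peer() {
    dir="${5:-/etc/ppp/peers}"
    (umask 077; cat > "$dir/$1" <<EOF
pty "pptp $2 --nolaunchpppd"
name $3
password $4
remotename PPTP
require-mppe-128
EOF
    )
}

# vpn_status LOGFILE -> one of "up <local-ip>", "auth-failed", "mppe-failed",
# "down", judged from the pppd[...] lines in the order they were logged
vpn_status() {
    awk '
        !/pppd\[[0-9]+\]:/ { next }
        /CHAP authentication succeeded/ { fail = "" }
        /CHAP authentication failed/    { fail = "auth-failed" }
        /MPPE required but peer (refused|negotiation failed)/ { fail = "mppe-failed" }
        /MPPE 128-bit .*enabled/        { mppe = 1 }
        /local +IP address/             { ip = $NF }
        /Connection terminated/         { mppe = 0; ip = "" }
        END {
            if (fail != "")            print fail
            else if (mppe && ip != "") print "up " ip
            else                       print "down"
        }' "$1"
}

# Demo: write a peers file into a scratch directory and classify a constructed log
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_peer vpnserver vpn.example.net client1 password1 "$dir"
    cat "$dir/vpnserver"
    # constructed syslog excerpt for a successful connection (not a real capture)
    cat > "$dir/syslog" <<'EOF'
Nov 13 10:00:01 client1 pppd[2000]: Using interface ppp0
Nov 13 10:00:02 client1 pppd[2000]: CHAP authentication succeeded
Nov 13 10:00:02 client1 pppd[2000]: MPPE 128-bit stateless compression enabled
Nov 13 10:00:03 client1 pppd[2000]: local  IP address 172.16.0.100
Nov 13 10:00:03 client1 pppd[2000]: remote IP address 172.16.0.1
EOF
    vpn_status "$dir/syslog"
fi
```

On a real client, run vpn_status against /var/log/syslog after pppd call vpnserver; "mppe-failed" means the server did not offer 128-bit MPPE and the require-mppe-128 line correctly refused to bring up an unencrypted tunnel.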

Once this is done, we can repeat the procedure to add more clients, and they will all be able to communicate with each other inside the secured virtual private network. The computers can communicate using any protocol or service, such as HTTP, SMTP, telnet, MySQL, FTP etc. The PPTP server doesn't demand much CPU, but still, all traffic is 128-bit encrypted. This provides a decent level of security and protection for our sensitive data and information.


Link: http://vexxhost.com/blog/how-to-setup-your-own-vpn-with-pptp-on-linux-centos-ubuntu-debian/ 

Tuesday, February 22, 2011

Running VM inside ESXi inside ESXi


Under Options: Advanced -> General -> Configuration Parameters (button), I made the following changes:

(add) deploymentPlatform = "vmkernel"

(add) monitor_control.vt32 = "TRUE"

(add) monitor_control.restrict_backdoor = "TRUE"

Windows NTP best guide

http://robsilver.org/ad/demystifying-time-in-a-forest/ 


This section is missing from the linked document:

1. Start->Run cmd.exe
2. net stop w32time
3. w32tm /unregister [ignore error message]
4. w32tm /unregister
5. w32tm /register
6. net start w32time

Wednesday, November 17, 2010

Adding Ubuntu to the domain and then modifying sudoers to enable a group to gain access

I found this in a couple of different places and decided to put it together into one place. I did this for the linux servers I am managing so that I didn’t have to keep track of usernames and passwords and make sure everything was in sync and got changed when needed. Luckily I am running Ubuntu, which made this even easier:

Here is the process to add a Linux machine running Ubuntu to a domain:

sudo apt-get update
sudo apt-get install likewise-open
sudo domainjoin-cli join fqdn.of.your.domain Administrator
sudo update-rc.d likewise-open defaults
sudo /etc/init.d/likewise-open start

Now, to allow any user in a specified domain group to use sudo, do the following:

sudo visudo

Go down to:
#Members of the Admin group may gain root privileges and do the following:
%(domain)\\(group) ALL=(ALL) ALL

This will allow the members of that group to sudo any command on the system.

/etc/samba/lwiauthd.conf: add the line

winbind use default domain = yes

sudo /etc/init.d/likewise-open restart

Then you can log in as "USER" instead of "DOMAIN\USER".

Monday, November 15, 2010

Installing and Configuring Kerberos, Samba, and Winbind on Ubuntu Server 5

Steps
Step 1: Install the Required Packages
Note: Enter Y when asked if you want to install the additional packages
apt-get install krb5-user
apt-get install winbind samba
Step 2: Edit the /etc/krb5.conf File
[logging]
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.INTERNAL
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.INTERNAL = {
kdc = domainserver.domain.internal
admin_server = domainserver.domain.internal
default_domain = DOMAIN.INTERNAL
}
[domain_realm]
.domain.internal = DOMAIN.INTERNAL
domain.internal = DOMAIN.INTERNAL
Step 3: Edit /etc/samba/smb.conf
Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!!
1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.
[global]
security = ads
netbios name = CMHRG02
realm = DOMAIN.INTERNAL
password server = domainserver.domain.internal
workgroup = DOMAIN
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
2) Test the configuration with the testparm command
Step 4: Edit /etc/nsswitch.conf to look like the example below
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 5: Modify the PAM settings
1) /etc/pam.d/common-account should contain only the following lines
account sufficient pam_winbind.so
account required pam_unix.so
2) /etc/pam.d/common-auth should contain only the following lines
auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass
3) Modify the /etc/pam.d/common-password file, so the max parameter is set to 50, similar to the one shown below
password required pam_unix.so nullok obscure min=4 max=50 md5
4) Make sure the /etc/pam.d/common-session file contains the following line
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Step 6: Make a directory to hold domain user home directories
Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file
mkdir /home/DOMAIN
Step 7: Initialize Kerberos
1) kinit domain_admin_account@DOMAIN.INTERNAL
Next check to be sure you got a ticket from the domain controller
2) klist
Step 8: Join the system to the
net ads join -U domainadminuser@DOMAIN.INTERNAL
Step 9: Restart Samba-related Services (Or reboot the server)
Note: The order is important
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start
Step 10: Restart SSH and Test Connectivity
Note: If you rebooted the server in the previous step, just try and login.
/etc/init.d/ssh restart
ssh useraccount@server
If you can login using your active directory username and password then everything is working!
Step 11: Configure SUDO
1) First create a group in Active Directory called UnixAdmins and add the names of people whom you want to be able to use sudo to admin the server.
2) Next, add the UnixAdmins group to the /etc/sudoers so these users can use sudo
%UnixAdmins ALL=(ALL) ALL
HELPFUL COMMAND LINES
1) List the derived UNIX GID values for Active Directory groups
for gid in $(wbinfo -r <username>); do SID=$(wbinfo -G "$gid"); GROUP=$(wbinfo -s "$SID"); echo "$gid is $GROUP"; done
2) See the Active Directory SID for a particular named user
wbinfo -n <username>
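Both domain-join posts above (the likewise-open one and this Kerberos/Samba/Winbind one) fail in the same few places: the realm in krb5.conf and smb.conf disagree or are not upper-case, nsswitch.conf still lacks winbind, or the group line in sudoers is spelled for the wrong winbind separator (the likewise post needs %DOMAIN\\group, this post gets away with %UnixAdmins only because "winbind use default domain = yes"). The following shell script is an added example, not code from either post: it cross-checks constructed copies of those files and derives the sudoers spelling from the smb.conf settings. File paths are parameters, so it can be pointed at /etc or at scratch copies.

```shell
#!/bin/sh
# Added example, not code from either domain-join post above: cross-checks the
# files those walkthroughs edit (krb5.conf, smb.conf, nsswitch.conf) and derives
# the sudoers group spelling that matches the winbind settings, since a realm
# typo or the wrong separator is the usual reason "net ads join" or sudo fails.
# Paths are parameters, so it runs against /etc or against scratch copies.

# ini_value FILE KEY -> value of the first "key = value" line (key match is
# case-insensitive, whitespace trimmed); fits krb5.conf and smb.conf alike
ini_value() {
    awk -F= -v key="$2" '
        tolower($1) ~ "^[ \t]*" tolower(key) "[ \t]*$" {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# check_realms KRB5CONF SMBCONF -> 0 when krb5 default_realm equals smb.conf
# realm, is upper-case, and workgroup is the realm's first label
check_realms() {
    krb=$(ini_value "$1" default_realm)
    smb=$(ini_value "$2" realm)
    wg=$(ini_value "$2" workgroup)
    [ -n "$krb" ] && [ "$krb" = "$smb" ] ||
        { echo "realm mismatch: krb5='$krb' smb.conf='$smb'" >&2; return 1; }
    [ "$krb" = "$(printf %s "$krb" | tr a-z A-Z)" ] ||
        { echo "realm '$krb' must be upper-case" >&2; return 1; }
    [ "$wg" = "${krb%%.*}" ] ||
        { echo "workgroup '$wg' should be '${krb%%.*}'" >&2; return 1; }
}

# check_nsswitch NSSWITCH -> 0 when both passwd and group consult winbind
check_nsswitch() {
    awk '($1 == "passwd:" || $1 == "group:") { for (i = 2; i <= NF; i++) if ($i == "winbind") n++ }
         END { exit (n == 2 ? 0 : 1) }' "$1"
}

# sudoers_group_spec SMBCONF GROUP -> how the AD group is spelled in sudoers:
# bare "%GROUP" when "winbind use default domain = yes" (this post), otherwise
# "%DOMAIN<separator>GROUP" with a backslash separator doubled (the likewise post)
sudoers_group_spec() {
    wg=$(ini_value "$1" workgroup)
    sep=$(ini_value "$1" "winbind separator")
    [ -n "$sep" ] || sep='\'
    case $(ini_value "$1" "winbind use default domain" | tr A-Z a-z) in
        yes|true|1) printf '%%%s\n' "$2" ;;
        *) [ "$sep" = '\' ] && sep='\\'
           printf '%%%s%s%s\n' "$wg" "$sep" "$2" ;;
    esac
}

# Demo against the live files (all three checks print nothing when they pass)
if [ "${1:-}" = "--demo" ]; then
    check_realms /etc/krb5.conf /etc/samba/smb.conf && echo "realms agree"
    check_nsswitch /etc/nsswitch.conf && echo "nsswitch consults winbind"
    echo "sudoers line: $(sudoers_group_spec /etc/samba/smb.conf UnixAdmins) ALL=(ALL) ALL"
fi
```

The derived line can be checked with visudo -c after it is added; a group that does not resolve through wbinfo -n will silently grant nobody anything, which is the safe failure but a confusing one.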

Thursday, August 26, 2010

PFX to CRT on Apache Server


Move your PFX file to the Apache server. To convert the .pfx file into files that your Apache server will understand, run the following commands using OpenSSL:

1. To export the Private key file from the .pfx file
openssl pkcs12 -in filename.p12  -nocerts -out privatekey.key
2. To export the Certificate file from the .pfx file
openssl pkcs12 -in filename.p12 -clcerts -nokeys -out sslcert.crt

filename.p12 (your existing IIS PFX file)
privatekey.key (your newly exported private key file)
sslcert.crt (your newly exported Entrust SSL certificate)

3. You now need to copy the files to the locations described in httpd.conf.
4. To find out where the files should be copied to, run this on httpd.conf:

cat httpd.conf | grep SSLCertificateFile  (this will give you the location of where to copy the certificate file)
cat httpd.conf | grep SSLCertificateKeyFile (this will give you the location of where to copy the key file)

5. You will now need to restart apache
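The two pkcs12 commands above prompt for the import password and (for the key) an export passphrase, and nothing in the procedure confirms that the key and certificate you copied into httpd.conf's locations actually belong together, which is the usual cause of Apache refusing to start after a certificate swap. The following shell script is an added example, not code from the original post: it runs the same two extractions non-interactively and compares the RSA modulus of the exported key and certificate before anything is copied. The helper that builds a throwaway self-signed PKCS#12 stands in for the PFX exported from IIS and is constructed test input, not a real certificate.

```shell
#!/bin/sh
# Added example, not code from the original post: runs the two openssl pkcs12
# extractions above non-interactively, then checks that the exported key really
# belongs to the exported certificate before either is copied into the
# SSLCertificateFile / SSLCertificateKeyFile locations from httpd.conf.

# extract_from_pfx FILE.p12 PASSWORD OUTDIR -> OUTDIR/privatekey.key (unencrypted,
# -nodes, so Apache starts without a passphrase prompt) and OUTDIR/sslcert.crt
# (the end-entity certificate only, as -clcerts in the post)
extract_from_pfx() {
    p12="$1"; pass="$2"; out="$3"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$out/privatekey.key" 2>/dev/null || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out/sslcert.crt" 2>/dev/null || return 1
    chmod 600 "$out/privatekey.key"    # the key is now in clear text on disk
}

# keypair_matches KEYFILE CERTFILE -> 0 when the RSA modulus of both is identical
keypair_matches() {
    kmod=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null) || return 1
    cmod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# make_test_pfx OUTFILE PASSWORD -> constructed stand-in for the IIS export:
# a throwaway self-signed certificate and key packed as PKCS#12
make_test_pfx() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout "pass:$2" -out "$1" 2>/dev/null
}

# Demo: build the test PFX, extract it, and confirm the pair matches
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_pfx "$d/site.p12" secret
    extract_from_pfx "$d/site.p12" secret "$d"
    if keypair_matches "$d/privatekey.key" "$d/sslcert.crt"; then
        echo "key and certificate match; copy them to the httpd.conf locations"
    else
        echo "key/certificate mismatch; do not install" >&2
    fi
fi
```

For a real PFX, call extract_from_pfx with the password IIS export was given and a scratch OUTDIR, run keypair_matches, and only then copy into the paths that grep SSLCertificateFile and grep SSLCertificateKeyFile report.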

Saturday, August 14, 2010

Change AD UNIX shell

Dim oContainer
Set oContainer = GetObject("LDAP://CN=Users,DC=domain,DC=com")
ModifyUsers oContainer
' cleanup
Set oContainer = Nothing
WScript.Echo "Finished"

' Set the UNIX login shell attribute on every user object in the container
Sub ModifyUsers(oObject)
    Dim oUser
    oObject.Filter = Array("user")
    For Each oUser In oObject
        oUser.Put "LoginShell", "/bin/bash"
        oUser.SetInfo
    Next
End Sub