Steps I take when setting up a VPN server on Digital Ocean
##Table of Contents
- Create SSH keys on client computer
- Login after creating droplet
- Disable root login and change SSH port
- Enable UFW
- Install OpenVPN
- Install Libreswan
- Install Dnsmasq
- Install NTP
- Install send only SSMTP service
- Install Fail2ban
- Install Tripwire
- Enable Automatic upgrades
- Autostart OpenVPN on Debian client computer
- Allow multiple clients to connect with same ovpn file
- Maintenance commands
Check for existing SSH keys
ls -al ~/.sshGenerate new SSH key
ssh-keygen -t rsa -b 4096 -C [email protected]Public key is now located in /home/demo/.ssh/id_rsa.pub. Private key is now located in /home/demo/.ssh/id_rsa. While creating new droplet, add these keys.
Login as root
ssh root@server_ip_addressUpgrade system
sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgradeCreate new user
adduser demoGive root privileges
gpasswd -a demo sudoAdd public key authentication for new user using client computer. Call new public key id_rsa_demo
ssh-keygen -t rsa -b 4096 -C [email protected]Copy contents of public key by CTRL-C or (cat ~/.ssh/id_rsa_demo.pub)
Manually install public key on server
su - demo
mkdir .ssh
chmod 700 .sshPaste in public key while in nano
sudo nano .ssh/authorized_keys
chmod 600 .ssh/authorized_keysExit returns to root
exitLogin as new user
###Disable root login and change SSH port
It is possible to change SSH port to anything you like as long as it doesn't conflict with other active ports. Port 22 is written below, but any port can be used. Allow new port in ufw rules below and restart ufw before restarting ssh
sudo nano /etc/ssh/sshd_config
Port 22
PermitRootLogin without-password
reload ssh
sudo restart sshufw limit 22
ufw allow 1194/udp
ufw allow 500/udp
ufw allow 4500/udpChange from DROP to ACCEPT
sudo nano /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"Add these lines to the before.rules file
sudo nano /etc/ufw/before.rules
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULESUFW rules should look similar to this
#Status: active
#Logging: on (low)
#Default: deny (incoming), allow (outgoing), allow (routed)
#New profiles: skip
#To Action From
#-- ------ ----
#22 LIMIT IN Anywhere
#1194/udp ALLOW IN Anywhere
#500/udp ALLOW IN Anywhere
#4500/udp ALLOW IN Anywhere
#1194/udp (v6) ALLOW IN Anywhere (v6)
#22 (v6) LIMIT IN Anywhere (v6)
#500/udp (v6) ALLOW IN Anywhere (v6)
#4500/udp (v6) ALLOW IN Anywhere (v6)#https://github.com/Nyr/openvpn-installwget git.io/vpn -O openvpn-install.sh && bash openvpn-install.shCopy unified .ovpn to client computer
scp -P root@server_ip_address:client.ovpn Downloads/#https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
#https://github.com/hwdsl2/setup-ipsec-vpnwget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.shsudo nano -w vpnsetup.sh
PSK:your_private_key
Username:your_username
Password:your_password/bin/sh vpnsetup.shRun following commands if OpenVPN doesn't work after reboot
sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
sudo iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo service ufw stop
sudo service ufw start
sudo /etc/init.d/openvpn restart
sudo iptables-save > /etc/iptables.rulessudo nano /etc/rc.local
iptables-restore < /etc/iptables.rulesCheck current nameserver configuration
cat /etc/resolv.confInstall Dnsmasq
sudo apt-get install dnsmasq
cat /etc/resolv.confTake note of query time
dig duckduckgo.com @localhostCheck again after cached
dig duckduckgo.com @localhostsudo apt-get install ntpsudo dpkg-reconfigure tzdata
sudo ntpdate pool.ntp.org
sudo service ntp startsudo apt-get install ssmtpsudo nano /etc/ssmtp/ssmtp.conf
#root=postmaster
[email protected]
#mailhub=mail
mailhub=smtp.gmail.com:587
[email protected]
AuthPass=your_password
UseTLS=YES
UseSTARTTLS=YES
#rewriteDomain=
rewriteDomain=gmail.com
#hostname=your_hostname
[email protected]Test ssmtp in terminal
ssmtp [email protected]Format message as below
To: [email protected]
From: [email protected]
Subject: test email
test emailInsert blank line after Subject:. This is the body of the email. Press CTRL-D to send message. Sometimes pressing CTRL-D a second time after about 10 seconds is needed if message is not sent.
sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localsudo nano /etc/fail2ban/jail.local
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Use space separator to add more than one IP
ignoreip = 127.0.0.⅛
bantime = 600
maxretry = 3
destemail = [email protected]
sendername = Fail2Ban
mta = sendmail
#_mwl sends email with logs
action = %(action_mwl)sJails which can be initially set to true without any errors
#ssh
#dropbear
#pam-generic
#ssh-ddos
#postfix
#couriersmtp
#courierauth
#sasl
#dovecotRestart Fail2ban
sudo service fail2ban stop
sudo service fail2ban startCheck list of banned IPs for Fail2ban
fail2ban-client status ssh
iptables --list -n | fgrep DROP###Full system backup using rsync.
Using the -aAX set of options, all attributes are preserved
rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} root@your_hostname:/ /home/demo/backup/#https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vpssudo apt-get install tripwireSet the Site-Key and Local-Key passphrase
Create policy file
sudo twadmin --create-polfile /etc/tripwire/twpol.txtInitialize database
sudo tripwire --init
sudo sh -c 'tripwire --check | grep Filename > /etc/tripwire/test_results'Entries may look like this
less /etc/tripwire/test_results Filename: /etc/rc.boot
Filename: /root/mail
Filename: /root/Mail
Filename: /root/.xsession-errors
Filename: /root/.xauth
Filename: /root/.tcshrc
Filename: /root/.sawfish
Filename: /root/.pinerc
Filename: /root/.mc
Filename: /root/.gnome_private
Filename: /root/.gnome-desktop
Filename: /root/.gnome
Filename: /root/.esd_auth
Filename: /root/.elm
Filename: /root/.cshrc
Filename: /root/.bash_profile
Filename: /root/.bash_logout
Filename: /root/.amandahosts
Filename: /root/.addressbook.lu
Filename: /root/.addressbook
Filename: /root/.Xresources
Filename: /root/.Xauthority
Filename: /root/.ICEauthority
Filename: /proc/30400/fd/3
Filename: /proc/30400/fdinfo/3
Filename: /proc/30400/task/30400/fd/3
Filename: /proc/30400/task/30400/fdinfo/3Edit text policy in editor
sudo nano /etc/tripwire/twpol.txtSearch for each of the files that were returned in the test_results file. Comment out lines that match.
{
/dev -> $(Device) ;
/dev/pts -> $(Device) ;
#/proc -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
. . .Comment out /var/run and /var/lock lines
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
#/var/lock -> $(SEC_CONFIG) ;
#/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;
}Save and close
Re-create encrypted policy file
sudo twadmin -m P /etc/tripwire/twpol.txtRe-initialize database
sudo tripwire --initWarnings should be gone. If there are still warnings, continue editing /etc/tripwire/twpol.txt file until gone.
Check current status of warnings
sudo tripwire --checkDelete test_results file that was just created
sudo rm /etc/tripwire/test_resultsRemove plain text configuration files
sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'Move text version to backup location and recreate it
sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak
sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'Remove plain text files
sudo rm /etc/tripwire/twpol.txt
sudo rm /etc/tripwire/twpol.txt.bakSend an email notifications
sudo apt-get install mailutilsSee if we can send email
sudo tripwire --check | mail -s "Tripwire report for `uname -n`" [email protected]Check report that was sent with the email
sudo tripwire --check --interactiveRemove x from box if not ok with change. Re-run above command to reset warning after each email received
Automate Tripwire with Cron
Check if root already has crontab by issuing this command
sudo crontab -lIf crontab is present, pipe into file to back it up
sudo sh -c 'crontab -l > crontab.bad'Edit crontab
sudo crontab -eTo have tripwire run at 3:30am every day, insert this line
30 3 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" [email protected]sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgradesUpdate the 10 periodic file. 1 means that it will upgrade every day
sudo nano /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Unattended-Upgrade "1";sudo nano /etc/default/openvpnUncomment:
AUTOSTART=allCopy client.ovpn to /etc/openvpn/client.conf by renaming file
gksu -w -u root gksu thunarReload openvpn configuration
/etc/init.d/openvpn reload /etc/openvpn/client.confCheck for tun0 interface
ifconfigNote: It is safer to create multiple ovpn files
sudo nano /etc/openvpn/server.confUncomment following line:
duplicate-nRestart OpenVPN service
sudo service openvpn restart#Programs holding open network socket
lsof -i
#Show all running processes
ps -ef
#Who is logged on
who -u
#Kill the process that you want
kill "pid"
#Check SSH sessions
ps aux | egrep "sshd: [a-zA-Z]+@"
#Check SSHD
ps fax
#Check last logins
last
#Check ufw status
sudo ufw status verbose
#Delete ufw rules
sudo ufw delete deny "port"
#Check logs
grep -ir ssh /var/log/*
grep -ir sshd /var/log/*
grep -ir breakin /var/log/*
grep -ir security /var/log/*
#Tree directory
http://www.cyberciti.biz/faq/linux-show-directory-structure-command-line/
#See all files
tree -a
#List directories only
tree -d
#Colorized output
tree -C
#File management
https://www.digitalocean.com/community/tutorials/basic-linux-navigation-and-file-management
http://www.computerworld.com/article/2598082/linux/linux-linux-command-line-cheat-sheet.html
http://www.debian-tutorials.com/beginners-how-to-navigate-the-linux-filesystem
#LSOF Commands
https://stackoverflow.com/questions/106234/lsof-survival-guide
#How to kill zombie process
ps aux | grep 'Z'
#Find the parent PID of the zombie
pstree -p -s 93572
#Check IPTables traffic
sudo iptables -v -x -n -L
#Report file system disk space
df -Th
#Check trash size
sudo find / -type d -name '*Trash*' | sudo xargs du -h | sort
#Check size of packages in apt
du -h /var/cache/apt/
#Check size of log files
sudo du -h /var/log
#Check size of lost+found folder
sudo find / -name "lost+found" | sudo xargs du -h
#How to delete lots of text in nano
Scroll to top of text, press Alt+A, Ctrl-V to bottom of text, press Ctrl-K to cut the text, Ctrl-O to save, Ctrl-X to exit
#How to scan top 8000 ports using nmap
nmap -vv --top-ports 8000 your_hostname
#Delete ufw and iptable rules by line number. In this example we use number 666
sudo ufw status numbered
sudo ufw delete 666
sudo iptables -L --line-numbers
sudo iptables -D INPUT 666