POS/420
Joshua Margolin – April 2, 2013 (Week 4)
University of Phoenix Mililani Campus
Introduction to Unix
Agenda: Week 4
• Installations
• Week 4
• Virtual Private Server
  - Anonymous Proxy Server
  - Firewall
  - Open VPN (Time Permitting)
What is a Virtual Private Server?
• A VPS is a virtual machine provided by an internet hosting service.
• A VPS runs as software on the same physical computer as other customers' virtual machines.
• Can have multiple servers on one physical machine.
• Advantages
  - Cheap
  - Space
  - Easy to set up
Why is VPS important?
• Companies are moving towards "Cloud Computing."
• Amazon uses Virtual Private Servers on the backend.
• Many of Amazon's data centers rely on VPS technology.
• Get a job with Amazon and you could be configuring Linux on a VPS.
What is a Proxy?
• A proxy is a server that acts as an intermediary device between a client and a server. (Middleman)
• Intercepts and inspects data before sending it to the recipient.
• Makes the connection on behalf of the source.
• The machine that talks to the outside world, ensuring no outside computer has direct access to internal computers.
• Common Uses
  - Keep machines anonymous for security (Anonymous Proxy)
  - Packet scanning (Firewall Proxy)
  - Speed up access to resources via caching (Web Proxy)
What is a Proxy?
Proxy Installation
• root@yourdomain:/#
  - This is the root prompt
• root@yourdomain:~# cd ..
  - The cd .. command moves up one directory
• root@yourdomain:/# ls -a
  - The ls -a command displays folders and files horizontally
• root@yourdomain:/# cd /etc/apt
  - Changes to the apt directory
• Simply type:
• root@yourdomain:/etc/apt# apt-get update
Proxy Installation
• apt-get update
  - Updates the software on the VPS. This is necessary to make sure all software tools are installed on the VPS.
• root@yourdomain:/etc/apt# apt-get install wget
  - wget is a built-in program that retrieves content from web servers.
• root@yourdomain:/etc/apt# wget http://www.dorkatron.com/docs/POS420/proxy.sh
  - This is a script that will install apache (web server) and squid (proxy).
Proxy Installation
• root@yourdomain:/etc/apt# chmod a+x proxy.sh
  - chmod a+x changes the permissions so that the file proxy.sh becomes executable
  - (a) = all users/groups/others, (x) = executable
• root@yourdomain:/etc/apt# ./proxy.sh
  - Executes the commands contained in the script (listed on the next slide).
Proxy Installation
• proxy.sh contains the following commands (comments added):

```sh
apt-get update
apt-get install apache2            # apache2 pulls in htpasswd, used below
apt-get install squid3
touch /etc/squid3/squid_passwd
chmod +r /etc/squid3/squid_passwd  # readable by every user on the VPS, not only squid
/etc/init.d/apache2 stop           # the web server itself is not needed
update-rc.d -f apache2 remove      # and should not start at boot
cd /etc/squid3
htpasswd /etc/squid3/squid_passwd account1   # prompts for account1's password
htpasswd /etc/squid3/squid_passwd account2   # prompts for account2's password
rm squid.conf
wget http://www.dorkatron.com/docs/POS420/squid.conf
/etc/init.d/squid3 restart
```
Proxy Installation
• The script will execute. You will see the following:
  - Do you want to continue [Y/N]? (hit y and press enter)
  - New Password:
  - Re-type new Password:
• The passwords are for the user accounts. Repeat the process for the second user account.
• The vi file editor will open up squid.conf
  - squid.conf = config file for the proxy server
Proxy Installation
Proxy Installation
• Proxy Testing
  - Settings, Control Panel, Internet Options, Connections, LAN settings
  - Check "Use a proxy server"
  - Put in the address and port 3128
  - Run the browser and enter account1 and its password
  - Go to www.google.com and type in "what is my IP address"
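Before the proxy is left listening on 3128, it is worth checking what proxy.sh produced. The script below is an added example, not the course's code: it checks that squid_passwd has accounts and is not readable by other users (the slides' chmod +r makes it so; chmod 640 plus chgrp to squid's group, "proxy" on Debian, is the assumed fix), and that squid.conf requires authentication and has no allow-all rule (the downloaded squid.conf is not shown on the slides, so standard squid 3 directive names are assumed).

```shell
#!/bin/sh
# Added example (not the course's proxy.sh): sanity-check the squid3 basic-auth
# proxy the slides build, before opening port 3128 to the Internet.
# Usage: sh check_proxy.sh /etc/squid3/squid_passwd /etc/squid3/squid.conf

# Password file: must exist, hold at least one htpasswd entry, and not be
# readable by "others" (the slides' chmod +r makes it world-readable; chmod 640
# plus chgrp to squid's group, "proxy" on Debian, is assumed to be the fix).
check_passwd_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # e.g. 644
    others=${mode#${mode%?}}                                      # last digit
    case "$others" in
        [4-7]) echo "$f is world-readable (mode $mode): chmod 640 it"; return 1 ;;
    esac
    [ "$(grep -c ':' "$f")" -gt 0 ] || { echo "$f has no accounts"; return 1; }
    return 0
}

# squid.conf: listen on 3128, use the basic-auth helper, require proxy_auth,
# and never carry an "http_access allow all" line (that is an open proxy).
# Directive names are standard squid 3 ones; the course's squid.conf itself
# is not shown on the slides.
check_squid_conf() {
    c="$1"
    grep -Eq '^http_port[[:space:]]+3128' "$c" || { echo "http_port 3128 not set"; return 1; }
    grep -Eq '^auth_param[[:space:]]+basic[[:space:]]+program' "$c" || { echo "no basic auth helper"; return 1; }
    grep -Eq '^acl[[:space:]]+[A-Za-z_]+[[:space:]]+proxy_auth[[:space:]]+REQUIRED' "$c" || { echo "no proxy_auth acl"; return 1; }
    if grep -Eq '^http_access[[:space:]]+allow[[:space:]]+all' "$c"; then
        echo "http_access allow all: anyone can relay through this proxy"; return 1
    fi
    return 0
}

if [ "$#" -eq 2 ]; then
    check_passwd_file "$1" && check_squid_conf "$2" && echo "proxy setup looks sane"
fi
```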
Proxy Completion
• Congratulations Linux Guru. You have successfully completed this training module
What is a Firewall?
• Either software or hardware based
• Keeps networks secure
• Works based on predetermined rules
  - Port security
  - Stateful packet inspection
  - Records all connections and determines connection state
  - Connections must be initiated by the source/client and not by receivers.
What is a Firewall?
Firewall Installation
• root@yourdomain:~# wget http://www.configserver.com/free/csf.tgz
• root@yourdomain:~# tar -xzf csf.tgz
  - tar -xzf is the command to uncompress an archived file
  - x = extract, z = filter the archive through gzip, f = archive file name
• root@yourdomain:~# cd csf
• root@yourdomain:~/csf# sh install.sh
  - sh install.sh runs a script that configures the csf firewall for the OS the VPS is running.
Firewall Installation
• OOPS! Can't find a perl module. Google the error!
• Google "can't locate lwp/useragent.pm in @inc (@inc contains"
• It appears other people have had the same issue!
• An advantage of Linux is that since it's open source, someone is bound to have had the same problem. Google has the answers.
Firewall Installation
• root@yourdomain:~/csf# apt-get install libwww-perl
• root@yourdomain:~/csf# sh install.sh
• Next, test whether you have the required iptables modules:
• root@yourdomain:~/csf# perl /etc/csf/csftest.pl
  - RESULT: csf should function on this server
• root@yourdomain:~/csf# cd ..
• root@yourdomain:~# cd ..
• root@yourdomain:/# cd etc
• root@yourdomain:/etc/csf# vi csf.conf
Firewall Installation
• csf.conf
  - Edit the conf file by reading the instructions in it.
  - Change from testing mode to live mode.
  - Add the 3128 proxy port to TCP IN/OUT.
  - Save changes
  - Restart csf
• root@yourdomain:/etc/csf# csf -r
• root@yourdomain:/etc/csf# lfd -r
  - lfd (Login Failure Daemon) is logging software that logs failed logins and brute-force attacks.
Firewall Installation
• Check mail to see if you have any hacker attacks!
• root@yourdomain:/etc/csf# mail
  - N 2 [email protected] Sun Mar 17 02:01 23/926 lfd on yourdomain: Excessive resource usage: proxy (3204 (Parent PID:3201))
• Oops! This message will fill up the mailbox real quick. The message means that the logging server is flagging what it thinks is suspicious activity due to VPS memory limitations. We will disable this alert.
• Go back and edit csf.conf
  - Scroll down and set PT_USERPROC, PT_USERMEM, and PT_USERTIME = "0"
• Restart csf and lfd.
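The csf.conf edits from this slide and the previous one (leave testing mode, open 3128 in TCP_IN/TCP_OUT, zero the PT_USER* limits), as an added script that is not from the slides or from csf: it applies them with sed instead of vi so the edit can be re-run and checked. It assumes csf.conf's stock KEY = "value" line format.

```shell
#!/bin/sh
# Added example (not from the slides or csf): apply the csf.conf edits from the
# firewall slides with sed instead of vi, so they can be re-run and checked.
# csf.conf keeps settings as lines of the form  KEY = "value"  and ports as a
# comma-separated list, e.g.  TCP_IN = "20,21,22,25,53,80,110,143,443"
# Usage: sh edit_csf.sh /etc/csf/csf.conf   (then: csf -r && lfd -r)

# Print the current value of KEY in FILE.
csf_get() {
    sed -n "s|^$1 = \"\(.*\)\"|\1|p" "$2"
}

# Set KEY to VALUE in FILE, replacing the whole quoted value; fail if KEY is absent.
csf_set() {
    key="$1"; value="$2"; file="$3"
    grep -Eq "^$key = \"" "$file" || { echo "$key not found in $file"; return 1; }
    sed -i "s|^$key = \".*\"|$key = \"$value\"|" "$file"
}

# Append PORT to the list in KEY (TCP_IN or TCP_OUT) unless it is already there.
csf_add_port() {
    port="$1"; key="$2"; file="$3"
    list=$(csf_get "$key" "$file")
    case ",$list," in
        *",$port,"*) return 0 ;;                      # already allowed
    esac
    if [ -n "$list" ]; then list="$list,$port"; else list="$port"; fi
    csf_set "$key" "$list" "$file"
}

# The edits the slides make by hand: leave testing mode, open the squid port in
# both directions, and zero the process-tracking limits whose alerts flooded the
# mailbox. Returns non-zero if any edit failed.
harden_csf_conf() {
    file="$1"
    csf_set TESTING 0 "$file" &&
    csf_add_port 3128 TCP_IN "$file" &&
    csf_add_port 3128 TCP_OUT "$file" &&
    csf_set PT_USERPROC 0 "$file" &&
    csf_set PT_USERMEM 0 "$file" &&
    csf_set PT_USERTIME 0 "$file"
}

if [ "$#" -eq 1 ]; then
    harden_csf_conf "$1" && echo "edited $1; now run: csf -r && lfd -r"
fi
```

Zeroing the PT_USER* limits switches that process tracking off entirely, which the slides accept for a small class VPS.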
Firewall Installation
• No hacker attempts, so let's create one.
• Have the person next to you SSH to your VPS but enter the wrong password.
• Log into your VPS.
• Log in to mail.
• Investigate the mail message.
Firewall Completion
• Congratulations Linux Guru. You have successfully completed this training module.
What is a Virtual Private Network?
• A VPN is a virtual point-to-point connection between a client and a receiver through the use of dedicated connections and encryption.
• Protects the confidentiality of information.
• Common uses
  - A private and secure connection between your home computer and your online banking website. This is known as Secure Sockets Layer (SSL).
  - Governments use it for the protection of classified information in transit.
  - Corporations use it to communicate between regional offices.
What is a Virtual Private Network?
VPN Installation
• What is OpenVPN?
  - OpenVPN is an open source software application that implements a VPN.
  - Uses a custom security protocol that uses SSL/TLS for key exchange.
  - OpenVPN allows peers to authenticate to each other using pre-shared (secret) keys and certificates.
  - A secret key is called "symmetric encryption."
• Asymmetric encryption is used to encrypt (protect) the secret key during the key exchange.
• Symmetric encryption is used to encrypt and decrypt information once the key exchange has been established.
VPN Installation
• root@yourdomain:~# apt-get install openvpn
• Copy easy-rsa into the correct place
  - cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
• easy-rsa is the folder that will hold the certificates and secret keys.
• cp -R = command for copying directories recursively (will copy all files and directories)
VPN Installation
• Generate Keys
  - cd /etc/openvpn/easy-rsa/2.0
  - ./vars (./ = execute the file in the current directory)
  - Permission denied: chmod +x vars
  - ./clean-all
  - source the vars script first (i.e. "source ./vars")
  - source ./vars
  - ./clean-all
  - ./build-ca
  - ./build-key-server server
  - ./build-key client
  - ./build-dh (Use the Diffie-Hellman encryption algorithm)
VPN Installation
```
   ETHERNET2          +------------+                 +-------------+
 to ISP provider      |  Linux #1  |    ETHERNET1    |   Anybox    |
                      |            |                 |             |
 <--------- venet0    | IP Tables  |venet0 --------- NIC CARD      |
                      |   MASQ.    |                 |  Virtual    |
   198.147.X.X        |            |                 |  Tun/TAP    |
                      +------------+                 |  Card       |
                                                     |  10.8.X.X   |
                                                     +-------------+
```
In the above drawing, a Linux box with IP_MASQUERADING is installed as Linux #1 and is connected to the Internet via ETHERNET2. It has an assigned public IP address of 198.147.X.X. It also has another network interface (venet0) that accepts incoming network traffic from the ETHERNET1 connection.
The second system (which does not need to be Linux) connects into the Linux #1 box and starts its network traffic to the Internet. This second machine does NOT have a publicly assigned IP address from the Internet, so it uses say 10.8.X.X
With IP Masquerade and the routing configured properly, this second machine "Anybox" can interact with the Internet as if it was directly connected to the Internet with a few small exceptions [noted later].
I tell machine ANYBOX that the Linux box is its gateway.
When a packet comes into the Linux box from ANYBOX, it will assign the packet a new TCP/IP source port number and insert its own IP address inside the packet header, saving the originals. The MASQ server will then send the modified packet over the ETHERNET interface onto the Internet.
When a packet returns from the Internet into the Linux box, Linux examines whether the port number is one of those ports that was assigned above. If so, the MASQ server will take the original port and IP address, put them back in the returned packet header, and send the packet to ANYBOX. The host that sent the packet will never know the difference.
VPN Installation
• Create the VPS OpenVPN configuration file
• root@yourdomain:/etc/openvpn# wget http://www.dorkatron.com/docs/POS420/server.conf
• vi /etc/openvpn/server.conf

```
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
```
VPN Installation
• Start OpenVPN
• root@yourdomain:/etc/openvpn# openvpn server.conf
  - starts openvpn using the server.conf file
• Create the PC OpenVPN configuration file
• cd /etc/openvpn/easy-rsa/2.0/keys/
• wget http://www.dorkatron.com/docs/POS420/client.conf
VPN Installation
• client.conf (labelled Config.conf on the slide)

```
client
dev tun
proto tcp
remote 198.147.XX.XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
redirect-gateway
script-security 2
```
VPN Installation
• Reboot
• vi /etc/rc.local
• Write the following line above "exit 0":

```
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
```
VPN Installation
• Download Certs and Keys
  - Caution! Use secure means! Keys and certs are not encrypted. Use SFTP or SSH.
  - client.conf
  - ca.crt
  - client.crt
  - client.key
• Reboot VPS
• Install Wireshark
• Install the OpenVPN client on the desktop
• Move the certs and keys into the OpenVPN config folder
VPN Installation
• Configure the client.ovpn file
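Before starting openvpn with the server.conf above, the following added pre-flight script (not from the slides or from OpenVPN) reads the ca/cert/key/dh paths out of server.conf and checks that the files exist and that the private key is not readable by other users, checks that the "server" subnet matches the -s network in the rc.local MASQUERADE rule, and checks that IP forwarding is on, which the MASQUERADE rule needs and the slides do not mention (net.ipv4.ip_forward=1). File paths are arguments so the checks can be run against a sample directory.

```shell
#!/bin/sh
# Added example (not from the slides or OpenVPN): pre-flight checks to run before
# "openvpn server.conf". It reads the ca/cert/key/dh paths out of server.conf,
# checks the files exist and that the private key is not readable by others,
# checks the "server" subnet against the -s network in the rc.local MASQUERADE
# rule, and checks that forwarding is on, which that rule needs. File paths are
# arguments so the checks can be run against a sample directory.
# Usage: sh ovpn_preflight.sh /etc/openvpn/server.conf

# Print the argument of a one-word directive (ca, cert, key, dh, server, ...) in CONF.
ovpn_get() {
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Return 0 if every file server.conf points at exists and the key is mode x00.
check_ovpn_files() {
    conf="$1"; bad=0
    for name in ca cert key dh; do
        path=$(ovpn_get "$name" "$conf")
        [ -n "$path" ] || { echo "$name not set in $conf"; bad=1; continue; }
        [ -f "$path" ] || { echo "$name file missing: $path"; bad=1; }
    done
    keyfile=$(ovpn_get key "$conf")
    if [ -f "$keyfile" ]; then
        mode=$(stat -c '%a' "$keyfile")                 # e.g. 600
        [ "${mode#?}" = "00" ] || { echo "$keyfile is mode $mode: chmod 600 it"; bad=1; }
    fi
    return $bad
}

# Return 0 if the MASQUERADE rule's -s network is the "server" subnet, e.g.
# "server 10.8.0.0 255.255.255.0" against "... -s 10.8.0.0/24 ...".
check_masq_rule() {
    net=$(ovpn_get server "$1")
    case " $2 " in
        *" -s $net/"*) return 0 ;;
    esac
    echo "MASQUERADE rule source does not match server $net"; return 1
}

# Return 0 if forwarding is enabled in FILE (normally /proc/sys/net/ipv4/ip_forward).
check_ip_forward() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ] ||
        { echo "ip_forward is off: sysctl -w net.ipv4.ip_forward=1"; return 1; }
}

if [ "$#" -eq 1 ]; then
    check_ovpn_files "$1" &&
    check_masq_rule "$1" "$(cat /etc/rc.local 2>/dev/null)" &&
    check_ip_forward /proc/sys/net/ipv4/ip_forward && echo "ready to start openvpn"
fi
```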
VPN Completion
• Congratulations Linux Guru. You have successfully completed this training module.