Some things I have learned the hard way

... and don't want to figure out again

Some comments on tmux and my configuration

May 09, 2017

Tmux is the modern terminal multiplexer that should generally be used anywhere you used "screen" in the past. While screen still works well, it sees far less development than tmux and lacks many of tmux's features.

If looking and feeling like screen is important to you, tmux can be configured to accommodate that (the prefix key, for one, can be rebound from C-b to screen's C-a). But you might be better advised to just learn the natural tmux commands and gradually add personalization options as you learn it.

I suggest that you read every tmux.conf file you run across just to learn a thing or three that might work in your configuration. Here is a link to my current configuration file that you can read and use as you wish, in part or in total. I try to include lots of comments so I can remember why I did things. I hope you can benefit from it.

Tags: tmux

Learn and practice Linux commands

April 02, 2017

Here are some links that can help you learn Linux terminal commands and more:

http://www.ee.surrey.ac.uk/Teaching/Unix/

http://linuxcommand.org/

http://www.linuxtopia.org/online_books/linux_for_beginners_index.html

http://linuxcommand.org/lc3_learning_the_shell.php

https://koding.com/


Here are some neat virtual terminals and virtual machines you can use to practice what you have learned:

https://autellinux.wordpress.com/2013/09/04/online-simulator-in-linux-practice-linux-commands


Last, but certainly not least, you can search on your own:

https://duckduckgo.com/?q=learn+linux

and... https://duckduckgo.com/?q=learn+programming



Tags: Linux, Unix, command line

Irssi logging

March 26, 2017

Compressed and daily rotated irssi logs are as simple as:

1. Get the irssi script logcompress.pl ...

From your command line run:

  mkdir -p ~/.irssi/scripts/autorun
  cd ~/.irssi/scripts/autorun
  wget http://scripts.irssi.org/scripts/logcompress.pl

Read the script before you leave it there: anything in the autorun directory is loaded and runs with your privileges every time irssi starts, so fetch it over https if the site offers it and look it over first.

2. Then start irssi if not already running and ...

In irssi do:

  /set autolog ON
  /set autolog_path ~/irclogs/$tag/$0.%Y%m%d
  /load ~/.irssi/scripts/autorun/logcompress.pl

3. Now you can search the logs with bzgrep or read them with bzless.

4. Now have fun with irssi and IRC.

Tags: irssi, irc

A user management script for openvpn administrators

March 08, 2017

... in progress

What you get:

  • Your users will have only very limited access to your server:
    • using the vpn
    • changing their own password
  • You will have a convenient log of user additions and revocations with emails (if provided).
    • The log location is set in the variables section of the management script.
  • A very easy to use script for adding, revoking or listing users. The script has many checks and safeguards to help prevent mistakes.


Prerequisites:

  1. A working openvpn server with password authentication.
    • Refer to my openvpn server page.
  2. In order for the management script to send emails to clients you will need a functioning mutt configuration that is capable of sending from the command line.
    • If you can already send emails from your server then this is probably as simple as installing mutt and using the default configuration.
    • This can be tested by attempting to send a test message like this:
      run:

      echo "This is a test email" | mutt -s "Testing testing" <youremail.addr>


The following commands are done as root (or sudo the commands).

Add a new group for the vpn users. This is not strictly necessary, but it makes it easy to see who the vpn users are and to control what they may do on the server: the steps below grant this group only the limited access described above.
run:

addgroup vpnusers


Grab these 2 scripts and put them both in your /etc/openvpn/ directory (owned by root, executable, and not writable by anyone else, since vpnusershell becomes the login shell of every vpn user):

vpnusers
vpnusershell

Make sshd listen on the vpn gateway address (10.8.0.1 with the server.conf from my openvpn server page) on the port you want vpn clients to use for password changes (2222 in the example). An address that exists only inside the tunnel is reachable only through the tunnel (and from the server itself).
run:

vi /etc/ssh/sshd_config

Insert a line similar to this below all the other ListenAddress lines.
code:

  ListenAddress 10.8.0.1:2222

One caveat: sshd binds its listen addresses once, at startup. If it starts before openvpn has created tun0, the bind to 10.8.0.1 fails with "Cannot assign requested address" and sshd carries on without that listener until it is restarted. Either make sure openvpn starts before sshd, restart sshd after the tunnel is up, or set net.ipv4.ip_nonlocal_bind=1 in /etc/sysctl.conf so the bind succeeds regardless.


Edit the variables as necessary in the vpnusers script.
run:

vi /etc/openvpn/vpnusers

Now have some fun and learn how to use the script. Create a user, try it, then revoke it, etc. Play, learn.
run:

/etc/openvpn/vpnusers add testuser
/etc/openvpn/vpnusers list
/etc/openvpn/vpnusers revoke testuser
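The two scripts above are linked rather than shown. As an added example (my code, not the vpnusershell the page links to), here is what the restricted login shell half can look like in POSIX sh. It assumes, and these are my choices rather than anything the page states, that the only command a vpn user may run is a bare passwd, that refused requests are logged through logger(1), and that the file is installed as /etc/openvpn/vpnusershell, root-owned, mode 755, and set as each vpn user's login shell (for example useradd -g vpnusers -s /etc/openvpn/vpnusershell). sshd only requires that the shell file exists and is executable; chsh would additionally want it listed in /etc/shells.

```shell
#!/bin/sh
# vpnusershell: a restricted login shell for members of the vpnusers group.
# Added example, not the script linked from the page. Assumption: a vpn
# user may do exactly one thing over SSH, change their own password.
# Interactive logins run passwd and exit; "ssh host cmd", scp and sftp
# requests are refused and logged.

# Extract the requested command. sshd runs a login shell as
# "shell -c 'command'" for ssh/scp/sftp requests and with no arguments for
# an interactive login, which we represent as the empty string. Anything
# else is passed through verbatim so that allowed_request rejects it.
request_from_args() {
    if [ "$1" = "-c" ]; then printf '%s\n' "$2"; else printf '%s\n' "$*"; fi
}

# Return 0 only for requests this shell will honour: an interactive login
# (empty) or a bare "passwd". Arguments are rejected on purpose so nobody
# can smuggle in "passwd -d", "passwd otheruser" or a shell metacharacter.
allowed_request() {
    case "$1" in
        ""|passwd) return 0 ;;
        *)         return 1 ;;
    esac
}

# Record a refused request in syslog via logger(1) when it is available,
# otherwise on stderr, so probing of these accounts leaves a trace.
log_refusal() {
    msg="vpnusershell: refused '$1' for $(id -un) from ${SSH_CLIENT:-local}"
    if command -v logger >/dev/null 2>&1; then
        logger -t vpnusershell -- "$msg"
    else
        printf '%s\n' "$msg" >&2
    fi
}

main() {
    req=$(request_from_args "$@")
    if ! allowed_request "$req"; then
        log_refusal "$req"
        printf '%s\n' "This account can only change its own password." >&2
        exit 1
    fi
    # Start passwd with a clean environment so nothing inherited from the
    # client side (PermitUserEnvironment, for instance) can influence it.
    exec env -i PATH=/usr/bin:/bin TERM="${TERM:-dumb}" /usr/bin/passwd
}

# Act as a shell only when invoked under the installed name (sshd passes
# "-vpnusershell" as argv[0] for login shells). Run under any other name,
# the file just defines the functions, which is what the tests rely on.
case "${0##*/}" in
    vpnusershell|-vpnusershell) main "$@" ;;
esac
```

A login shell restriction only governs what runs after sshd has set up the session: TCP, X11 and agent forwarding are handled by sshd before the shell starts, so ssh -N -L/-R/-D would still work for these accounts. Pair the shell with a "Match Group vpnusers" block in sshd_config that sets AllowTcpForwarding no, PermitTunnel no, X11Forwarding no and AllowAgentForwarding no; ForceCommand passwd in the same block gives a second, independent gate in case the shell is ever misconfigured.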

Tags: openvpn, security, privacy

Recipe for an OpenVPN server with password auth to provide remote users security of communications

March 07, 2017

... in progress.

This project was done on a Debian 8 (Jessie) vps.

Proxy server for multiple clients with password auth:

All of the below is done as root (or sudo the commands)

In a nutshell:
Install openvpn, easy-rsa and dnsmasq (if you want the vpn to provide dns to the client). Configure your server firewall to masquerade the vpn to the internet, details depend on your firewall and how you configure it. Then configure the openvpn server and give clients login credentials and config files for their client openvpn.

Configure your system for packet forwarding:
Make sure this line is in /etc/sysctl.conf, then apply it with sysctl -p (otherwise it takes effect only after a reboot):
code:

  net.ipv4.ip_forward=1



I use the shorewall firewall so I can provide configuration details; you will have to do something similar with whatever firewall you are using.
run:

vi -o /etc/shorewall/{policy,rules,interfaces,zones,tunnels,masq}

NOTE: I am showing only the relevant lines, not my entire shorewall files. Also note that the "net ovpn ACCEPT" policy below is broader than the vpn needs: replies to traffic the clients send out are already accepted by connection tracking, so a DROP policy for net to ovpn (or simply leaving it to the "net all DROP" line) keeps the vpn subnet closed to unsolicited traffic from the internet.

policy:

  $FW     net     ACCEPT
  $FW     ovpn    ACCEPT
  net     ovpn    ACCEPT
  ovpn    net     ACCEPT
  ovpn    $FW     ACCEPT
  net     all     DROP    info
  all     all     REJECT  info

rules:

  ?SECTION NEW
  ACCEPT          net     $FW     udp     1194            # openvpn server

interfaces:

  ovpn    tun+  detect    routeback

zones:

  ovpn            ipv4        # openvpn server
  FW              firewall
  net             ipv4

tunnels:

  openvpnserver:udp:1194          net     0.0.0.0/0       #openvpn server

masq:

  venet0  10.8.0.0/24



Configure dnsmasq to serve DNS to the vpn users:

Add the following 2 lines then restart the dnsmasq daemon. run:

vi /etc/dnsmasq.conf

code:

  interface=tun0
  no-dhcp-interface=tun0



Now the fun of setting up your openvpn server.
run:

cp -r /usr/share/easy-rsa/ /etc/openvpn
cd /etc/openvpn/easy-rsa
vi /etc/openvpn/easy-rsa/vars   # These are the variables that will be used throughout the process of creating your server and users. Edit as necessary for your system.
source ./vars
./clean-all                     # wipes easy-rsa/keys, so run it only when starting a fresh PKI
./build-dh
./pkitool --initca
./pkitool --server <myserver>
OR one-liner (change server name):
cd /etc/openvpn/easy-rsa/ && source /etc/openvpn/easy-rsa/vars && ./clean-all && ./build-dh && ./pkitool --initca && ./pkitool --server <myserver> # gen the server cert, prepare for adding clients
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/<myserver>.ca.crt
cp /etc/openvpn/easy-rsa/keys/<myserver>.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/<myserver>.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/ta.key /etc/openvpn/<myserver>.ta.key
cp /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/

Run "source ./vars" in the same shell before clean-all and pkitool; without it they abort and ask you to source the vars script first. The ta.key is generated inside easy-rsa/keys so that the cp line for it finds it. The CA key (easy-rsa/keys/ca.key), the server key and ta.key must stay readable by root only (easy-rsa creates keys/ with mode 700; keep the copies in /etc/openvpn at mode 600).



Copy or build a server.conf file and put it in /etc/openvpn/ example:
code:

  port 1194
  proto udp
  dev tun
  ca /etc/openvpn/<myserver>.ca.crt
  cert /etc/openvpn/<myserver>.crt
  key /etc/openvpn/<myserver>.key  # This file should be kept secret
  tls-auth /etc/openvpn/<myserver>.ta.key 0 # This file is secret
  dh /etc/openvpn/dh2048.pem
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist /var/run/openvpn/ipp.txt
  push "redirect-gateway def1 bypass-dhcp"
  push "dhcp-option DNS 10.8.0.1"
  push "dhcp-option DNS 185.121.177.177"
  push "dhcp-option DNS 185.121.177.53"
  keepalive 10 40
  cipher AES-256-CBC   # AES 256
  user nobody
  group nogroup
  persist-key
  persist-tun
  status /var/log/openvpn-status.log
  verb 3
  mute 20
  route-gateway dhcp
  topology subnet
  # crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
  client-cert-not-required   # OpenVPN 2.3 spelling; 2.4 and later call this "verify-client-cert none"
  username-as-common-name
  plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login

Two security points about the last three lines. With client-cert-not-required a client presents no certificate, so the only things between the internet and your PAM password prompt are the tls-auth key and the user's password: ta.key is a shared secret carried by every client and must be treated as such, and vpn passwords must be strong. Also, the "login" PAM service accepts any local account that has a password, not just members of the vpnusers group; if that is not what you want, create a dedicated /etc/pam.d/openvpn that includes common-auth and common-account plus a line such as "auth required pam_succeed_if.so user ingroup vpnusers", and point the plugin line at "openvpn" instead of "login".
Now the server is setup and should run, test with:
run:

openvpn /etc/openvpn/server.conf

Read any errors carefully and correct until you get "Initialization Sequence Completed".



Make a compatible client config template file. Example: (edit to apply to your system). The ca and tls-auth lines name the two files you hand to the client together with this config; both can also be pasted inline between <ca></ca> and <tls-auth></tls-auth> tags if you would rather ship a single file.
code:

  client
  dev tun
  proto udp
  remote <address> <port>  # The server IP or DNS hostname  <-- This line MUST be edited
  auth-user-pass
  resolv-retry infinite
  nobind
  persist-tun
  persist-key
  ca <myserver>.ca.crt          # the CA certificate handed out with this file
  tls-auth <myserver>.ta.key    # the shared tls-auth key; key-direction below selects the client half
  ns-cert-type server           # deprecated since OpenVPN 2.4 and removed in 2.5; remote-cert-tls is its replacement
  remote-cert-tls server
  key-direction 1
  cipher AES-256-CBC
  verb 3
  mute 20
  script-security 2
  up /etc/openvpn/update-resolv-conf    # Debian's resolvconf hook; adjust or drop on other systems
  down /etc/openvpn/update-resolv-conf


Provide the client with the <myserver>.client.conf, <myserver>.ca.crt, and <myserver>.ta.key files. ta.key is a secret shared by every client and the server, so hand it over through a channel you trust, not over plain email.

This can be done manually or more easily by using my system for openvpn client management.

Enjoy your new vpn.


Troubleshooting tips:

  1. If your server and your client both show "Initialization Sequence Completed" yet the client does not have internet connectivity, the problem is likely one of the following.
    • The server firewall is allowing connections but is not masquerading the vpn subnet to the internet (or ip_forward is still 0).
    • DNS (port 53) is not properly open from the vpn to the server.
    • The DNS server (dnsmasq in my example) is not listening on the proper vpn address.
  2. If you do not get "Initialization Sequence Completed" on both server and client then you need to carefully read the error messages that are reported.
    • First confirm that the connection is being made to the correct IP address and port.
    • Then follow the TLS handshake and the authentication sequence. A client that times out with "TLS key negotiation failed to occur" while the server logs HMAC errors usually means the tls-auth key or key-direction does not match.
  3. You can increase the verbosity of the openvpn instance by changing "verb 3" to "verb 5", etc.
  4. Keep struggling, it will be a great feeling when it suddenly begins working!
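The three causes in tip 1 can be checked mechanically. The script below is an added example, not part of the original page, that reads the output of one command per check from a file so the same code runs against constructed samples (the default, for a demonstration) or against the live server (--live). It assumes, beyond what the page states, that the vpn subnet and gateway match "server 10.8.0.0 255.255.255.0", that the firewall is netfilter (iptables-save shows the rules whichever frontend wrote them, shorewall included) and that the listener list comes from ss -ulnp. The sample outputs in run_demo are constructed, not captured from any real server.

```shell
#!/bin/sh
# vpn-sanity.sh: checks for the three causes of "Initialization Sequence
# Completed on both ends, but no internet" from the troubleshooting tips.
# Added example. Assumptions (not from the page): VPN_NET/VPN_GW match the
# server.conf above; netfilter firewall; "ss -ulnp" lists UDP listeners.

VPN_NET="10.8.0.0/24"
VPN_GW="10.8.0.1"

# Cause 1: forwarding is off. Input: output of "sysctl net.ipv4.ip_forward".
check_forwarding() {
    grep -q '^net.ipv4.ip_forward *= *1$' "$1"
}

# Cause 2: no masquerade. Input: output of "iptables-save -t nat". Any rule
# with the vpn subnet as source that jumps to MASQUERADE counts, in whatever
# chain the frontend put it (shorewall uses a per-interface chain).
# Fixed-string matching keeps the dots in the subnet literal.
check_masquerade() {
    grep -F -- "-s $VPN_NET" "$1" | grep -Fq -- "-j MASQUERADE"
}

# Cause 3: nothing answers DNS on the vpn address. Input: output of
# "ss -ulnp". dnsmasq with "interface=tun0" binds 0.0.0.0:53 and filters by
# interface, so a wildcard bind passes as well as an explicit one.
check_dns_listener() {
    awk -v gw="$VPN_GW" '
        { for (i = 1; i <= NF; i++)
              if ($i == (gw ":53") || $i == "0.0.0.0:53" || $i == "*:53") found = 1 }
        END { exit !found }' "$1"
}

# report NAME FUNC FILE: print one line per check and count failures in $fails.
report() {
    if "$2" "$3"; then
        echo "ok   $1"
    else
        echo "FAIL $1"
        fails=$((fails + 1))
    fi
}

# run_checks SYSCTL_FILE NAT_FILE SS_FILE: returns the number of failed checks.
run_checks() {
    fails=0
    report "ip_forward=1"               check_forwarding   "$1"
    report "MASQUERADE for $VPN_NET"    check_masquerade   "$2"
    report "DNS listener on $VPN_GW:53" check_dns_listener "$3"
    return $fails
}

# Live mode: capture the real command output and check it (run as root).
run_live() {
    d=$(mktemp -d) || return 2
    sysctl net.ipv4.ip_forward > "$d/sysctl"
    iptables-save -t nat       > "$d/nat"
    ss -ulnp                   > "$d/ss"
    run_checks "$d/sysctl" "$d/nat" "$d/ss"; rc=$?
    rm -rf "$d"
    return $rc
}

# Demo mode: constructed sample output (not captured from any real server)
# for a correctly configured gateway; all three checks should pass.
run_demo() {
    d=$(mktemp -d) || return 2
    printf 'net.ipv4.ip_forward = 1\n' > "$d/sysctl"
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -s $VPN_NET -o venet0 -j MASQUERADE" 'COMMIT' > "$d/nat"
    printf '%s\n' \
        'State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process' \
        'UNCONN 0      0      0.0.0.0:53         0.0.0.0:*   users:(("dnsmasq",pid=1234,fd=4))' \
        'UNCONN 0      0      0.0.0.0:1194       0.0.0.0:*   users:(("openvpn",pid=1200,fd=6))' \
        > "$d/ss"
    run_checks "$d/sysctl" "$d/nat" "$d/ss"; rc=$?
    rm -rf "$d"
    return $rc
}

case "${1-}" in
    --live) run_live ;;
    *)      run_demo ;;
esac
```

Run it with --live on the gateway after both ends report "Initialization Sequence Completed"; a FAIL line names the layer to look at. The masquerade check is deliberately loose about the chain name because every frontend lays out the nat table differently; what matters is that some rule NATs the vpn subnet. A passing DNS check still does not prove the firewall lets port 53 through from the ovpn zone, which is why the second cause in tip 1 remains a manual check.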

Tags: openvpn, security, privacy

Gmail and Mutt

January 31, 2016

Gmail and Mutt are an odd couple. Both are somewhat unconventional. Terminology is confusing and the notion of folders in gmail is unusual. If you are accustomed to the Gmail web interface then you will not be comfortable with Mutt until you use it and learn the differences.

If you search for "gmail mutt" in your favorite search engine you will find many discussions. There is even a Mutt patch to make it more compatible. I didn't use the patch myself, but I wish it was incorporated into the main branch Mutt because gmail IS widely used.

Here are some good links to get you started, but there are many others you can find yourself:
https://blog.bartbania.com/raspberry_pi/consolify-your-gmail-with-mutt/

http://dev.mutt.org/trac/wiki/UseCases/Gmail

If you care to see my Mutt configuration files click here.

Important:

  1. To enable Gmail imap service you need to go to your GMail settings page and then the "Forwarding and POP/IMAP" tab.
    • click on "Enable IMAP"
  2. I also set "Folder Size Limits" to 5000 for my needs. I am a low volume user and connect Mutt directly to the imap server.
    • Many other users use an email downloader, offlineimap is popular and widely used. But not by me.
    • On rare occasions I need to search or view a message beyond my 5000 limit, then I just go to the Gmail web GUI and do it.
  3. Consider the other settings on the Gmail imap settings page and adjust to suit your needs. They can make a difference, especially when deleting/archiving.
  4. You will need to go to your Gmail account and set it for "less secure applications". Frightening indeed, but necessary as far as I know. (Google has since retired that switch: a password-authenticating client like Mutt now needs 2-Step Verification on the account and an App Password generated for it, which goes in the imap/smtp password setting in place of the account password.)
  5. You will also probably need to log into your Gmail account by the web interface at least once from the same IP address you will be using.
  6. Gmail will disconnect sometimes (maybe a few times a day) apparently randomly. There does not seem to be an effective cure for this. It is not the fault of mutt.
    • My workaround is a macro such as macro index i "<change-folder>=INBOX<enter>". When I notice a disconnection I can press "i" and reopen my gmail INBOX. Sometimes you need to do it 2 times to get the reconnection but it is much better than closing mutt and restarting.
  7. If you have trouble connecting please make sure you can connect without using Mutt before you complain. Here's a great method to test imap connectivity.

There are some things you need to learn concerning the differences between "deleting", "archiving", "expunging", etc. It depends on how you want gmail to respond, but be warned that the Gmail and Mutt terminology is not exactly compatible. Do some testing before you work with important messages.

If you want Gmail to mark as read before archiving, then you need to jump through some hoops. You will need to mark a message read in Mutt first, sync to the Gmail imap server, then mark it for deletion in Mutt, then sync again to the Gmail imap server. It's not as hard as it sounds in practice, but it is not as easy as you would hope. The settings and procedure are described more in my sample muttrc file.

Update: Here's a cool idea I just found that automagically sets all archived mails as read. Marking Gmail read with Apps Script

To use the Gmail smtp servers there are a few other hoops to jump through.

  1. Gmail has very strict standards if you happen to use IPv6 to send to the smtp server. Use IPv4 if you can easily. If you must use IPv6, your IPv6 address needs a reverse DNS (PTR) record that matches its forward record, or else Gmail will reject you as a spammer. Read the error messages carefully.
  2. Follow items 4 and 5 above.
  3. You can use either gmail port 465 or 587. But you must specify the proper protocol in your smtp_url line: smtps for port 465 (TLS from the first byte), smtp for port 587 (plain SMTP upgraded with STARTTLS). With the 587 form also set ssl_force_tls = yes, so that Mutt refuses to send your password if STARTTLS is ever unavailable instead of falling back to cleartext.

    • Typical configuration lines are:
      1. set smtp_url = 'smtp://yourusername@smtp.gmail.com:587/' OR
      2. set smtp_url = 'smtps://yourusername@smtp.gmail.com:465/'
  4. If you have trouble with any smtp service, I have found swaks is a very useful tool. Examples:

    1. swaks --to yourname@yourservice.com --server smtp.gmail.com:465 --protocol ssmtp --auth plain
    2. swaks --to yourname@yourservice.com --server smtp.gmail.com:587 --protocol ESMTPS --auth plain
  5. Learn to use the 'mutt -d2' option and read the debug files. See 'man mutt' for more on debugging info.

Tags: email, mutt, gmail

IPv6 and OpenVPN

January 17, 2016

If you don't have native IPv6 and must rely on a tunnel broker for your route then you can open your mind a bit from the traditional address thinking. There is no shortage of IPv6 addresses so you can use as many as you want. You can have as many IPv6 tunnels as you want, all active at the same time.

You could do the same with IPv4 but that would seem like such a waste of a precious address.

Common free IPv6 tunnel brokers are Hurricane Electric (HE), SixXS, Freenet6, and teredo. There are certainly others, or will be when you read this. They are all very easy to install/activate. They each have benefits and limitations. I currently have all of those providers activated on servers to leverage the benefits of each and provide a more reliable OpenVPN connection between 2 networks that can't have an IPv4 link.

Here is an outline of the benefits/limitations of each of those providers.

Hurricane Electric (HE) -- Very popular and well liked but email and IRC is restricted and it requires a primary router capable of passing Protocol 41 (many do, many do not), static addresses, very reliable service.

SixXS -- Pretty strict rules but fair and liberal until you violate something, requires human approval, you gain credits over time to permit other functions, many partner providers around the globe, static addresses, reliable service. This is the one to try if you need email, IRC, or have routing problems with Protocol 41. update: Unfortunately the provider has stopped accepting applications for new accounts. The service remains active for existing users, but no new accounts. update2: Sadly this fine service has announced that they will end operations as of 06/06/2017.

Freenet6 -- On debian just apt-get gogoc, you can use this with or without an account.

teredo -- On a debian system is installed easily with apt-get miredo, can provide some anonymity by changing addresses, available servers come and go.

.... more to follow

Tags: ipv6, openvpn, networking

How to convert Debian Wheezy to Devuan Jessie (avoid systemd)

January 03, 2016

  1. In /etc/apt/sources.list comment out all lines pointing to a Debian repo.

  2. Add the following Devuan repos to the file, remove or add as you require (this list also adds Devuan testing and unstable repos):

    # Devuan repositories
    deb http://packages.devuan.org/merged jessie main contrib non-free
    #deb-src http://packages.devuan.org/merged jessie main contrib non-free
    deb http://packages.devuan.org/merged jessie-backports main contrib non-free
    deb http://packages.devuan.org/merged jessie-proposed-updates main contrib non-free
    deb http://packages.devuan.org/merged jessie-updates main contrib non-free
    deb http://packages.devuan.org/merged ascii main contrib non-free
    deb http://packages.devuan.org/merged ascii-backports main contrib non-free
    deb http://packages.devuan.org/merged ascii-proposed-updates main contrib non-free
    deb http://packages.devuan.org/merged ascii-updates main contrib non-free
    deb http://packages.devuan.org/merged ceres main contrib non-free
    
  3. Save and exit.

  4. Edit as necessary your /etc/apt/preferences file. Especially if you leave the ascii and ceres repos uncommented. Here's a suggestion:

    Explanation: do not use asterisk archive unless specified
    Package: *
    Pin: origin "packages.asterisk.org"
    Pin-Priority: -10
    
    
    Explanation: use the stable archive unless specified otherwise
    Package: *
    Pin: release o=Devuan,a=stable
    Pin-Priority: 990
    
    
    Explanation: do not use unstable archive unless specified
    Package: *
    Pin: release o=Devuan,a=unstable
    Pin-Priority: -10
    
    
    Explanation: do not use testing archive unless specified
    Package: *
    Pin: release o=Devuan,a=testing
    Pin-Priority: -10
    
    
    Explanation: do not use proposed-updates archive unless specified
    Package: *
    Pin: release a=*proposed-updates
    Pin-Priority: -10
    
    
    Explanation: do not use stable-backports archive unless specified or upgrade to previously installed package
    Package: *
    Pin: release a=jessie-backports
    Pin-Priority: 500
    
  5. Run apt-get update

  6. apt-get install devuan-keyring

    At this point apt cannot verify the Devuan repositories yet (the keys that sign them are inside the package you are about to install), so apt will warn that devuan-keyring is unauthenticated and you are trusting that one download on first use. Check the fingerprint of the newly installed key (apt-key finger) against the one published on the Devuan site before going further.

  7. apt-get update (yes, do it again now that you have the keyring)

  8. apt-get install devuan-baseconf

  9. apt-get upgrade

  10. optional for kernel and udev upgrade without problems (the kernel package name below is the one jessie-backports carried at the time; substitute whatever linux-image it currently offers for your architecture)

    1. touch /etc/udev/kernel-upgrade && apt-get -t jessie-backports install udev linux-image-4.2.0-0.bpo.1-686-pae

    2. reboot to new kernel

  11. apt-get dist-upgrade

  12. Congratulations, now you are free from systemd on this system!

Tags: Debian, Devuan