Security through simplicity

How I setup a VPN server on Digital Ocean

Note: These instructions are useful if you would like to learn how to setup a VPN server yourself, or learn individual aspects. There are automated scripts that can perform everything below in some form. I recommend using Algo, or Nyr's openvpn-install for a mostly automated VPN setup script.

https://github.com/trailofbits/algo
https://github.com/Nyr/openvpn-install

Table of Contents

Create SSH keys on client computer

Check for existing SSH keys

ls -al ~/.ssh

Generate new SSH key

ssh-keygen -t rsa -b 4096 -C your_email@example.com

Public key is now located in /home/demo/.ssh/id_rsa.pub. Private key is now located in /home/demo/.ssh/id_rsa. While creating new droplet, add these keys.

Login after creating droplet

Login as root

ssh root@server_ip_address

Upgrade system

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

Create new user

adduser demo

Give root privileges

gpasswd -a demo sudo

Add public key authentication for new user using client computer. Call new public key id_rsa_demo

ssh-keygen -t rsa -b 4096 -C your_email@example.com

Copy contents of public key by CTRL-C or (cat ~/.ssh/id_rsa_demo.pub) Manually install public key on server

su - demo
mkdir .ssh
chmod 700 .ssh

Paste in public key while in nano

sudo nano .ssh/authorized_keys

chmod 600 .ssh/authorized_keys

Exit returns to root

exit

Login as new user

Disable root login and change SSH port

It is possible to change SSH port to anything you like as long as it doesn't conflict with other active ports. Port 22 is written below, but any port can be used. Allow new port in ufw rules below and restart ufw before restarting ssh

sudo nano /etc/ssh/sshd_config

Port 22
PermitRootLogin without-password
reload ssh
sudo restart ssh

Enable UFW

ufw limit 22
ufw allow 1194/udp
ufw allow 500/udp
ufw allow 4500/udp

Change from DROP to ACCEPT

sudo nano /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

Add these lines to the before.rules file

sudo nano /etc/ufw/before.rules

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

UFW rules should look similar to this

#Status: active
#Logging: on (low)
#Default: deny (incoming), allow (outgoing), allow (routed)
#New profiles: skip

#To                         Action      From
#--                         ------      ----
#22                         LIMIT IN    Anywhere
#1194/udp                   ALLOW IN    Anywhere
#500/udp                    ALLOW IN    Anywhere
#4500/udp                   ALLOW IN    Anywhere
#1194/udp (v6)              ALLOW IN    Anywhere (v6)
#22 (v6)                    LIMIT IN    Anywhere (v6)
#500/udp (v6)               ALLOW IN    Anywhere (v6)
#4500/udp (v6)              ALLOW IN    Anywhere (v6)

Install OpenVPN

https://github.com/Nyr/openvpn-install

wget git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

Copy unified .ovpn to client computer

scp -P root@server_ip_address:client.ovpn Downloads/

Install Libreswan

https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
https://github.com/hwdsl2/setup-ipsec-vpn
wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh

sudo nano -w vpnsetup.sh

PSK:your_private_key
Username:your_username
Password:your_password

/bin/sh vpnsetup.sh

Run following commands if OpenVPN doesn't work after reboot

sudo iptables -I INPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
sudo iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo service ufw stop
sudo service ufw start
sudo /etc/init.d/openvpn restart

sudo iptables-save > /etc/iptables.rules

sudo nano /etc/rc.local
iptables-restore < /etc/iptables.rules

Install Dnsmasq

Check current nameserver configuration cat /etc/resolv.conf

Install Dnsmasq

sudo apt-get install dnsmasq
cat /etc/resolv.conf

Take note of query time

dig duckduckgo.com @localhost

Check again after cached

dig duckduckgo.com @localhost

Install NTP

sudo apt-get install ntp

sudo dpkg-reconfigure tzdata
sudo ntpdate pool.ntp.org
sudo service ntp start

Install send only SSMTP service

sudo apt-get install ssmtp sudo nano /etc/ssmtp/ssmtp.conf

#root=postmaster
root=your_email@example.com
#mailhub=mail
mailhub=smtp.gmail.com:587
AuthUser=your_email@example.com
AuthPass=your_password
UseTLS=YES
UseSTARTTLS=YES
#rewriteDomain=
rewriteDomain=gmail.com
#hostname=your_hostname
hostname=your_email@example.com

Test ssmtp in terminal

ssmtp recipient_email@example.com

Format message as below

To: recipient_email@example.com
From: myemailaddress@gmail.com
Subject: test email

test email

Insert blank line after Subject:. This is the body of the email. Press CTRL-D to send message. Sometimes pressing CTRL-D a second time after about 10 seconds is needed if message is not sent.

Install Fail2ban

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo nano /etc/fail2ban/jail.local

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Use space separator to add more than one IP
ignoreip = 127.0.0.
bantime  = 600
maxretry = 3

destemail = your_email@example.com
sendername = Fail2Ban
mta = sendmail
#_mwl sends email with logs
action = %(action_mwl)s

Jails which can be initially set to true without any errors

#ssh
#dropbear
#pam-generic
#ssh-ddos
#postfix
#couriersmtp
#courierauth
#sasl
#dovecot

Restart Fail2ban

sudo service fail2ban stop
sudo service fail2ban start

Check list of banned IPs for Fail2ban

fail2ban-client status ssh
iptables --list -n | fgrep DROP

Full system backup using rsync.

Using the -aAX set of options, all attributes are preserved rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} root@your_hostname:/ /home/demo/backup/

Install TripWire

https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps

sudo apt-get install tripwire Set the Site-Key and Local-Key passphrase

Create policy file sudo twadmin --create-polfile /etc/tripwire/twpol.txt

Initialize database

sudo tripwire --init
sudo sh -c 'tripwire --check | grep Filename > /etc/tripwire/test_results'

Entries may look like this less /etc/tripwire/test_results

Filename: /etc/rc.boot
     Filename: /root/mail
     Filename: /root/Mail
     Filename: /root/.xsession-errors
     Filename: /root/.xauth
     Filename: /root/.tcshrc
     Filename: /root/.sawfish
     Filename: /root/.pinerc
     Filename: /root/.mc
     Filename: /root/.gnome_private
     Filename: /root/.gnome-desktop
     Filename: /root/.gnome
     Filename: /root/.esd_auth
     Filename: /root/.elm
     Filename: /root/.cshrc
     Filename: /root/.bash_profile
     Filename: /root/.bash_logout
     Filename: /root/.amandahosts
     Filename: /root/.addressbook.lu
     Filename: /root/.addressbook
     Filename: /root/.Xresources
     Filename: /root/.Xauthority
     Filename: /root/.ICEauthority
     Filename: /proc/30400/fd/3
     Filename: /proc/30400/fdinfo/3
     Filename: /proc/30400/task/30400/fd/3
     Filename: /proc/30400/task/30400/fdinfo/3

Edit text policy in editor sudo nano /etc/tripwire/twpol.txt

Search for each of the files that were returned in the test_results file. Comment out lines that match.

{
        /dev                    -> $(Device) ;
        /dev/pts                -> $(Device) ;
        #/proc                  -> $(Device) ;
        /proc/devices           -> $(Device) ;
        /proc/net               -> $(Device) ;
        /proc/tty               -> $(Device) ;
        . . .

Comment out /var/run and /var/lock lines

(
  rulename = "System boot changes",
  severity = $(SIG_HI)
    )
    {
        #/var/lock              -> $(SEC_CONFIG) ;
        #/var/run               -> $(SEC_CONFIG) ; # daemon PIDs
        /var/log                -> $(SEC_CONFIG) ;
    }

Save and close Re-create encrypted policy file

sudo twadmin -m P /etc/tripwire/twpol.txt

Re-initialize database

sudo tripwire --init

Warnings should be gone. If there are still warnings, continue editing /etc/tripwire/twpol.txt file until gone.

Check current status of warnings

sudo tripwire --check

Delete test_results file that was just created

sudo rm /etc/tripwire/test_results

Remove plain text configuration files

sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'

Move text version to backup location and recreate it

sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.bak
sudo sh -c 'twadmin --print-polfile > /etc/tripwire/twpol.txt'

Remove plain text files

sudo rm /etc/tripwire/twpol.txt
sudo rm /etc/tripwire/twpol.txt.bak

Send an email notifications

sudo apt-get install mailutils

See if we can send email

sudo tripwire --check | mail -s "Tripwire report foruname -n" your_email@example.com

Check report that was sent with the email

sudo tripwire --check --interactive

Remove x from box if not ok with change. Re-run above command to reset warning after each email received

Automate Tripwire with Cron Check if root already has crontab by issuing this command

sudo crontab -l

If crontab is present, pipe into file to back it up

sudo sh -c 'crontab -l > crontab.bad'

Edit crontab

sudo crontab -e

To have tripwire run at 3:30am every day, insert this line

30 3 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report foruname -n" your_email@example.com

Enable Automatic Upgrades

sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades

Update the 10 periodic file. 1 means that it will upgrade every day

sudo nano /etc/apt/apt.conf.d/10periodic

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "1";
APT::Periodic::Unattended-Upgrade "1";

Autostart OpenVPN on Debian client computer

sudo nano /etc/default/openvpn

Uncomment:

AUTOSTART=all

Copy client.ovpn to /etc/openvpn/client.conf by renaming file gksu -w -u root gksu thunar

Reload openvpn configuration

/etc/init.d/openvpn reload /etc/openvpn/client.conf

Check for tun0 interface

ifconfig

Allow multiple clients to connect with same ovpn file

Note: It is safer to create multiple ovpn files

sudo nano /etc/openvpn/server.conf

Uncomment following line:

duplicate-n

Restart OpenVPN service

sudo service openvpn restart

Maintenance Commands

Programs holding open network socket

lsof -i

Show all running processes

ps -ef

Who is logged on

who -u

Kill the process that you want

kill "pid"

Check SSH sessions

ps aux | egrep "sshd: [a-zA-Z]+@"

Check SSHD

ps fax

Check last logins

last

Check ufw status

sudo ufw status verbose

Delete ufw rules

sudo ufw delete deny "port"

Check logs

grep -ir ssh /var/log/* 
grep -ir sshd /var/log/* 
grep -ir breakin /var/log/* 
grep -ir security /var/log/*

Tree directory

http://www.cyberciti.biz/faq/linux-show-directory-structure-command-line/

See all files

tree -a

List directories only

tree -d

Colorized output

tree -C

File management

https://www.digitalocean.com/community/tutorials/basic-linux-navigation-and-file-management
http://www.computerworld.com/article/2598082/linux/linux-linux-command-line-cheat-sheet.html
http://www.debian-tutorials.com/beginners-how-to-navigate-the-linux-filesystem

LSOF Commands

https://stackoverflow.com/questions/106234/lsof-survival-guide

How to kill zombie process

ps aux | grep 'Z'

Find the parent PID of the zombie

pstree -p -s 93572

Check IPTables traffic

sudo iptables -v -x -n -L

Report file system disk space

df -Th

Check trash size

sudo find / -type d -name '*Trash*' | sudo xargs du -h | sort

Check size of packages in apt

du -h /var/cache/apt/

Check size of log files

sudo du -h /var/log

Check size of lost+found folder

sudo find / -name "lost+found" | sudo xargs du -h

How to delete lots of text in nano

Scroll to top of text, press Alt+A, Ctrl-V to bottom of text, press Ctrl-K to cut the text, Ctrl-O to save, Ctrl-X to exit

How to scan top 8000 ports using nmap

nmap -vv --top-ports 8000 your_hostname

Delete ufw and iptable rules by line number. In this example we use number 666

sudo ufw status numbered
sudo ufw delete 666

sudo iptables -L --line-numbers
sudo iptables -D INPUT 666

ʕ •́؈•̀)

I welcome feedback to help make this install more efficient and secure.

If you found this guide useful, please consider a donation:

bc1q0c24zxnqxqy43r6gnjfjv7pgkjx5mpf5e8vyl4

#linux #vpn #server #openvpn #digitalocean

- 18 toasts