Tutorials

Primary tabs

Private Internet Access OpenVPN in Kubuntu 14.04 (Trusty Tahr)

OpenVPN Logo

I recently purchased a VPN service from Private Internet Access (PIA), because I wanted to learn about openvpn and thought it would be a neat way to get an outside view of my network. At £25/year, I think PIA is great value.

PIA provides a shell script that you can run to set up the OpenVPN to connect to their servers, but I wanted to know how to do it manually. It took me a while to figure out exactly how to connect to it using Kubuntu's Network Management widget, so hopefully this will save you some trouble.

This method should be the same for any distribution using a recent version KDE's Plasma desktop.

Shellshock BASH probe alert using Fail2ban

"Shellshock" is the nickname for a recently discovered vulnerability in GNU BASH (Bourne-Again SHell) that has the potential to allow an attacker to execute arbitrary commands through carefully crafted environment variables (see CVE-2014-6271).

This is bad for desktop users, but far worse for servers because it's possible to exploit this vulnerability by attacking CGI scripts. The CGI script doesn't even have to be written in BASH; on distributions that use BASH as the default shell, the environment variables will be passed to BASH before any CGI script is executed. Luckily, the default shell in Debian is DASH, which limits the problem for Debian derivatives like Ubuntu and Raspbian.

If you run a Linux or UNIX-like system that uses BASH, you should update to the new patched version now. In fact, most Linux users probably updated before they even realised anything was wrong, since the patched version was available in the repositories very quickly. Meanwhile, Mac users were still waiting for Apple to comment... lol.

Site now SSL by default

encrypt-all-the-things.png

Google recently announced that it is going to start prioritising websites that offer HTTPS by default in its search engine results. At first, the positive effect will be small to give webmasters time to switch to HTTPS, but it will gradually become more of a significant signal. This is a good thing for the internet: SSL doesn't cost much for webhosts, and it makes it more difficult to spy on everyone all the time! The Electronic Frontier Foundation praised the decision calling it a "bold and welcome move to protect users".

I wanted to start offering some of the services I run on my server to other friends and family, and I couldn't easily install the CAcert root on all of their devices, so this seemed like a good time to purchase a cert. The following describes how I configured the various services (Apache, Postfix, Dovecot) to use the new certificate from COMODO.

Introduction to Fail2ban

fail2ban logo

Fail2ban is a great little tool for system administration. In a nutshell, it watches your log files for pre-defined patterns and then executes actions if it sees them. Ususally, this is of the form "if there are more than X failed authentication attempts in Y minutes from a single IP address, update the firewall to block the offending IP for Z minutes". The actions are not restricted to updating the firewall with iptables - you can also configure fail2ban to send notification emails, for example.

This is useful for protecting against brute force attacks against services like:

  • SSH (you should be using Publickey authentication if possible which will stop them ever guessing a password, but allowing them to try is still a waste of resources)
  • SASL authentication attempts (Postfix and Dovecot)
  • Login forms for web based services like Roundcube webmail.

Raspberry Pi Print & Scanner Server

Got a spare RasPi knocking around? Why not hook it up to your all-in-one and use it as a handy print and scanner server?

I have previously tried to get my multifunction printer/scanner working with OpenWrt, but ran into difficulty with the scanner. Having tried it with the RasPi, I'm pleased to report that it's as easy as Pi ;)

Print server capability is provided by the Common Unix Printing System (CUPS), and scanner capability is provided by Scanner Access Now Easy (SANE).

Backup script for Drupal using Drush and Cron

This is something I have been meaning to write up for a while: how to automate backups using cron and Drush, a commandline tool for Drupal. Drush makes creating backups of your Drupal website's database and files really easy, and I have written a script that calls Drush to create a backup, and then manages your existing backups so you don't use up too much space on your drive. Once a month, it will also create an encrypted copy of that day's backup file and email it to an external email address.

Personally, I think that daily backups from a month ago aren't useful to me any more - if I was going to revert to a backup from that long ago, I'd be looking to restore a weekly backup. Similarly, after several months, I'd only be interested in monthly backups. After creating your daily backup, the script runs through the other files in the backup directory and deletes the files you don't need any more. The script will keep:

  • One week of daily backups
  • One month of weekly backups (1st, 8th, 15th and 22nd)
  • Monthly backups for one year
  • Yearly backups for ever

Before I wrote the script, samhobbs.co.uk was a WordPress site hosted on a Raspberry Pi until the drive I was using bricked. I didn't have a recent backup so I lost the lot. Now I make backups to an external hard drive, so that if the SSD in the my Intel NUC gets corrupted I'll be able to recover. The encrypted copies sent to an external email address protect against the server being stolen or lost in a fire.

Apache ModSecurity Whitelist Generator Script

ModSecurity Logo

This script has been superseded by a commandline utility. Please visit this page for more information

ModSecurity is a Web Application Firewall for Apache. It can monitor all of the traffic that is seen by your web server, including request headers and GET and POST data, and block dodgy requests. ModSecurity itself is actually just a rule engine; the clever part is in the rules you pass to it. Many people use the Open Web Appplication Security Project's (OWASP) Core Rule Set (CRS), an open source set of rules that ModSecurity can use to sift the wheat from the chaff, and foil some common types of attack.

The CRS was written by studying known vulnerabilities and writing rules that would not only have prevented the attacks, but prevented other similar attacks too. Thus, ModSecurity provides a good all-round protection for your web server.

SSL Certificate Signing with CAcert for Raspberry Pi, Ubuntu & Debian

CAcert logo

If you run your own website, email server or other services like OwnCloud at home then you may find yourself in need of a SSL certificate. When you install Apache, it generates a self-signed "snakeoil" certificate that can be used to encrypt your session. However, while this certificate is useful for testing purposes, it falls short in a couple of important ways:

  1. The snakeoil certificate has not been signed by an authority that your browser trusts, so your browser will throw an error when you connect.
  2. The common name on the certificate probably doesn't match your domain name. Another browser error.
  3. Short of manually inspecting the certificate's checksum, you have no guarantee that you are communicating with your own server - it could easily be an imposter using another self-signed certificate.

This tutorial will show you how to generate your own SSL certificate, and get it signed by the community driven SSL certificate signing authority CAcert. Once you have imported the certificate into your browser or into your operating system's root filesystem, your computer will automatically verify the identity of the server and you will enjoy error-free secure communications. Oh, and CAcert is free of charge!

Raspberry Pi Email Server

raspberry-pi-email-server.png

The RasPi’s small size and low power consumption make it an ideal choice for use as a home email server. After trying a couple of different pieces of software, I finally found an excellent combination: Postfix with Dovecot and Squirrelmail, plus Spamasssassin and Sieve for spam filtering.

Pages

Subscribe to Tutorials