How to Configure Digital Ocean VPS with PPTPD on Ubuntu 12.04 with Fail2Ban DenyHosts SSH and sudoer user

As the current reality stands, there are so many reasons to have a VPN these days. Justifications range from the mundane (not wanting your language to change in foreign countries) all the way up to legitimately protecting free speech. With so many sub-par or insecure sites offering this service, and the insane charges that these companies ask, here is a simple solution. Get yourself a Digital Ocean VPS. The lowest cost per droplet (their name for a virtual server) is US$5 per month, and it is charged only by the hours that it is provisioned. So if you only need a server one week a month… that's all you pay for (US$1.25). Just remember to make a backup, and remove the ‘droplet’ so you are not continually charged.

First, I have verified that this works with the default clients for iPhone 4, iPhone 5, Windows 7, Mac OS, Android (ICS), and I am sure many others. So let's get on with the configuration. I make no promises that this will work with other VPS solutions, but it may.

Update: I have also verified that this works on Amazon EC2. (The only modification is that Amazon does not start you off logged in as the root user, so you will need to type “sudo su” before completing these instructions.)

Let's start from the very first terminal/console session you make with your new droplet after you log in. When you log in, you will notice that you are root (tsk… tsk…), but that makes everything simpler for us, so let's just roll with it, shall we?

First, let's apply those updates:

apt-get update
apt-get upgrade
reboot now

My prerogative is to make you use vim because that's what I prefer. You can use whatever you want; just replace vim with nano or vi or whatever.

apt-get install vim

For security's sake you will want to create a new user (replace cynic with whatever you want):

adduser cynic

Follow the prompts (you don't need to set useless fields like phone numbers).

Now let's give this user admin rights, i.e. the sudoer right (the ability to use sudo):

usermod -aG sudo cynic

Now let's make your SSH more secure. The most frequent attack is a brute force over SSH on port 22; simply changing the port makes you much safer.

vim /etc/ssh/sshd_config

In /etc/ssh/sshd_config, find this:

Port 22

Replace it with this (or whatever port you want):

Port 102

Also in /etc/ssh/sshd_config, find this:

PermitRootLogin yes

Replace with this

PermitRootLogin no

Prevent IP Spoofing

vim /etc/host.conf

In /etc/host.conf, add this to the bottom of the file:

nospoof on

Install VPN Tunnel

apt-get install pptpd

In /etc/ppp/chap-secrets, add one line for each user you want to authenticate:

vim /etc/ppp/chap-secrets

When you are adding data to this file, use tabs to create the spacing. Although it may not appear that way in this post, there are tabs between the username, the asterisk, the password and the last asterisk.

# Secrets for authentication using CHAP
# client server secret IP addresses
user11 * s83udh2h *
user * 8sku2hd *
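Because the separators in chap-secrets are invisible in a browser, it helps to add and check entries with a script that writes real tab characters and refuses lines that would not parse. The following is an added example, not code from the original post; the function names (add_chap_user, chap_user_exists, chap_lint, chap_user_count) are my own, and the demo works on a constructed temporary file containing the post's two example users rather than on /etc/ppp/chap-secrets.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for maintaining
# /etc/ppp/chap-secrets with real tab separators. Function names are my own.
set -e

# chap_user_exists FILE USER: true if an uncommented line has USER in field 1
chap_user_exists() {
    awk -v u="$2" '!/^[[:space:]]*#/ && $1 == u { found = 1 } END { exit !found }' "$1"
}

# add_chap_user FILE USER SECRET [SERVER] [IP]
# Appends "USER<TAB>SERVER<TAB>SECRET<TAB>IP" (defaults: server "*", IP "*").
# Refuses whitespace in user or secret (it would split the fields) and
# duplicate users. The file holds plaintext secrets, so it is kept mode 600.
add_chap_user() {
    file=$1; user=$2; secret=$3; server="${4:-*}"; ip="${5:-*}"
    case "$user$secret" in
        *[[:space:]]*) echo "add_chap_user: whitespace not allowed in user/secret" >&2; return 1 ;;
    esac
    if chap_user_exists "$file" "$user"; then
        echo "add_chap_user: $user is already present in $file" >&2
        return 1
    fi
    printf '%s\t%s\t%s\t%s\n' "$user" "$server" "$secret" "$ip" >> "$file"
    chmod 600 "$file"
}

# chap_lint FILE: non-zero if any non-comment, non-blank line does not have
# exactly four fields (the usual symptom of a missing trailing "*" or of a
# secret that contains spaces)
chap_lint() {
    awk '!/^[[:space:]]*#/ && NF > 0 && NF != 4 { bad++; print "bad line " NR ": " $0 > "/dev/stderr" }
         END { exit bad > 0 }' "$1"
}

# chap_user_count FILE: number of usable entries
chap_user_count() {
    awk '!/^[[:space:]]*#/ && NF == 4 { n++ } END { print n + 0 }' "$1"
}

# Demonstration on a constructed file with the post's two example users.
demo() {
    f=$(mktemp)
    printf '# Secrets for authentication using CHAP\n# client\tserver\tsecret\tIP addresses\n' > "$f"
    add_chap_user "$f" user11 s83udh2h
    add_chap_user "$f" user   8sku2hd
    chap_lint "$f" && echo "entries: $(chap_user_count "$f")"
    sed -n l "$f"      # prints the tabs as \t so the separators are visible
    rm -f "$f"
}
demo
```

To use it on the real file, call add_chap_user /etc/ppp/chap-secrets <user> <secret> as root and run chap_lint /etc/ppp/chap-secrets afterwards; pppd only re-reads the file on the next connection attempt, so no restart is needed.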

Open /etc/pptpd.conf:

vim /etc/pptpd.conf

In /etc/pptpd.conf, replace the entire file with this, but make sure to change the local IP. The local IP is the IP of your server (this is the IP sent to you when you created the new droplet). If you want, you can modify the remote IP. This is the range of IPs that you will provide via DHCP. I have allowed for 21 connections below.

option /etc/ppp/pptpd-options
logwtmp
bcrelay eth0
localip 198.142.70.106
remoteip 192.168.10.100-120
netmask 255.255.255.0

Now let's edit the options:

vim /etc/ppp/pptpd-options

In /etc/ppp/pptpd-options, replace the entire file with this:

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
#ms-wins 10.0.0.3
#ms-wins 10.0.0.4
proxyarp
nodefaultroute
#debug
#dump
netmask 255.255.255.0
lock
nobsdcomp
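The two files above are small, but two of their values are easy to get subtly wrong: the remoteip range decides how many clients can connect at once (the post's 192.168.10.100-120 is 21 addresses), and a single commented-out line in pptpd-options silently drops the MS-CHAPv2/MPPE requirement that the troubleshooting section later relies on. The following is an added example, not code from the original post; it writes the same six-line pptpd.conf from parameters, counts the addresses in a remoteip value, and checks that the options file still carries the authentication and encryption lines. Function names (remoteip_count, write_pptpd_conf, check_pptpd_options) are my own and the demo runs in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): generate /etc/pptpd.conf from
# parameters and sanity-check /etc/ppp/pptpd-options. Function names are my own.
set -e

# remoteip_count RANGE -> number of client addresses a pptpd remoteip value
# hands out. Accepts the comma-separated forms pptpd documents, e.g.
# "192.168.10.100-120" (21 addresses) or "192.168.0.234,235,245-249" (7).
remoteip_count() {
    printf '%s\n' "$1" | awk -F, '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if (split($i, p, "-") == 2) {             # "a.b.c.lo-hi": count lo..hi
                m = split(p[1], o, "."); n += p[2] - o[m] + 1
            } else {                                  # single address or lone octet
                n++
            }
        }
        print n
    }'
}

# write_pptpd_conf FILE LOCALIP REMOTEIP [IFACE]
# Same six lines as the post, with the values substituted; refuses an empty
# range and a range larger than the /24 netmask below can hold.
write_pptpd_conf() {
    file=$1; localip=$2; remoteip=$3; iface=${4:-eth0}
    n=$(remoteip_count "$remoteip")
    if [ "$n" -lt 1 ] || [ "$n" -gt 254 ]; then
        echo "write_pptpd_conf: remoteip '$remoteip' yields $n addresses" >&2
        return 1
    fi
    cat > "$file" <<EOF
option /etc/ppp/pptpd-options
logwtmp
bcrelay $iface
localip $localip
remoteip $remoteip
netmask 255.255.255.0
EOF
}

# check_pptpd_options FILE: non-zero (with a message per finding) unless the
# options the post relies on are present and not commented out: MS-CHAPv2
# only, 128-bit MPPE required, proxyarp for peer reachability, and at least
# one ms-dns server for clients.
check_pptpd_options() {
    file=$1; rc=0
    for opt in refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 proxyarp; do
        grep -Eq "^[[:space:]]*$opt[[:space:]]*$" "$file" || { echo "missing: $opt" >&2; rc=1; }
    done
    grep -Eq '^[[:space:]]*ms-dns[[:space:]]+[0-9]+(\.[0-9]+){3}' "$file" \
        || { echo "missing: ms-dns <server>" >&2; rc=1; }
    return $rc
}

# Demonstration with the post's values, written to a scratch directory.
demo() {
    d=$(mktemp -d)
    write_pptpd_conf "$d/pptpd.conf" 198.142.70.106 192.168.10.100-120
    echo "remoteip addresses: $(remoteip_count 192.168.10.100-120)"
    cat "$d/pptpd.conf"
    printf 'name pptpd\nrefuse-pap\nrefuse-chap\nrefuse-mschap\nrequire-mschap-v2\nrequire-mppe-128\nms-dns 8.8.8.8\nms-dns 8.8.4.4\nproxyarp\nnodefaultroute\nnetmask 255.255.255.0\nlock\nnobsdcomp\n' > "$d/pptpd-options"
    check_pptpd_options "$d/pptpd-options" && echo "pptpd-options: ok"
    rm -r "$d"
}
demo
```

check_pptpd_options is also a quick thing to run before following Solution 1 below: if it reports require-mppe-128 or require-mschap-v2 missing, the server side is the reason for the "MPPE required but peer negotiation failed" line, not the client.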

Purge all iptables rules:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Verify the tables are clean

iptables -nvL

It should return something like this

Chain INPUT (policy ACCEPT 24 packets, 1688 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 2144 bytes)
 pkts bytes target prot opt in out source destination

Now let's enable forwarding:

vim /etc/sysctl.conf

In /etc/sysctl.conf, uncomment the following line (remove the #):

net.ipv4.ip_forward=1

Apply the change

sysctl -p

Set up the forwarding rules:

iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

It should be noted that the “iptables --table nat --append POSTROUTING --out-interface ppp0 --jump MASQUERADE” command adds peer communication (meaning two clients connected to the VPN will be able to ping and communicate with each other), so you can use ICMP, Samba, or whatever else.

It should also be noted that “iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu” will solve a problem with MTU size variations (make sure to check this rule if you are unable to load some websites while others work fine).

Now we must save the rules and set them to be restored on reboot:

sh -c "iptables-save > /etc/iptables.rules"

Create the new file /etc/network/if-pre-up.d/iptablesload:

vim /etc/network/if-pre-up.d/iptablesload

Update /etc/network/if-pre-up.d/iptablesload with the following:

#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0

Make your script executable

chmod +x /etc/network/if-pre-up.d/iptablesload
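The rule set above, from the eight iptables commands through iptables-save and the pre-up hook, is easier to review and to reload if it is kept as one iptables-restore file rather than re-typed. The following is an added example, not code from the original post; it renders the post's rules in iptables-save format (the same format /etc/iptables.rules ends up in), exposes a couple of checks on the result, and wraps the save/hook/chmod steps in a root-only function. Function names (render_pptp_rules, first_forward_target, rule_count, install_pptp_rules) are my own; the demo only writes to a temporary file.

```shell
#!/bin/sh
# Added example (not from the original post): the post's forwarding rules
# expressed in iptables-save/restore format, so the rule set can be reviewed as
# a file and loaded by the if-pre-up.d hook with one command. Function names
# are my own; the rules themselves are the post's.
set -e

# render_pptp_rules [IFACE] -> iptables-restore text on stdout.
# Policies stay ACCEPT exactly as the post sets them, so the INPUT rules for
# 1723/tcp and GRE only document what pptpd needs; they do not block anything.
# The TCPMSS clamp is listed first in FORWARD because the post inserts it with
# -I (head of chain) rather than appending it.
render_pptp_rules() {
    iface=${1:-eth0}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $iface -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $iface -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i $iface -p gre -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ppp+ -o $iface -j ACCEPT
-A FORWARD -i $iface -o ppp+ -j ACCEPT
COMMIT
EOF
}

# first_forward_target FILE -> target of the first rule in the FORWARD chain
first_forward_target() {
    awk '$1 == "-A" && $2 == "FORWARD" { for (i = 3; i <= NF; i++) if ($i == "-j") { print $(i + 1); exit } }' "$1"
}

# rule_count FILE CHAIN -> number of -A rules in CHAIN
rule_count() {
    awk -v c="$2" '$1 == "-A" && $2 == c { n++ } END { print n + 0 }' "$1"
}

# install_pptp_rules [IFACE]: write /etc/iptables.rules and the pre-up hook
# from the post, then load the rules now. Root only; the demo does not call it.
install_pptp_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "install_pptp_rules: run as root" >&2; return 1; }
    render_pptp_rules "${1:-eth0}" > /etc/iptables.rules
    printf '#!/bin/sh\niptables-restore < /etc/iptables.rules\nexit 0\n' > /etc/network/if-pre-up.d/iptablesload
    chmod +x /etc/network/if-pre-up.d/iptablesload
    iptables-restore < /etc/iptables.rules
}

demo() {
    f=$(mktemp)
    render_pptp_rules eth0 > "$f"
    echo "FORWARD rules: $(rule_count "$f" FORWARD), first target: $(first_forward_target "$f")"
    cat "$f"
    rm -f "$f"
}
demo
```

After install_pptp_rules, iptables -nvL and iptables -t nat -nvL should show exactly the rules in the file; if the TCPMSS rule is not the first line of FORWARD, the rules were appended by hand in a different order and the MTU fix in the note above will not take effect for the forwarded connections.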

Automatically ban hosts that brute force:

apt-get install denyhosts fail2ban

Update the SSH port to monitor:

vim /etc/fail2ban/jail.conf

In /etc/fail2ban/jail.conf, find this:

port = ssh

Replace with this

port = 102
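The sshd edits earlier (Port and PermitRootLogin in /etc/ssh/sshd_config, nospoof on in /etc/host.conf) and this fail2ban edit are the same kind of change: set one directive in a config file without duplicating it or touching neighbouring entries. The following is an added example, not code from the original post, that scripts all of them so they can be repeated and checked before sshd is restarted. Function names (set_sshd_directive, sshd_get, check_sshd_config, set_fail2ban_ssh_port, append_once) are my own; the demo edits constructed copies in a temporary directory, and the sample jail.conf includes a second jail to show that only the line reading "port = ssh" is changed. Apply the functions to the real paths as root only after the copies look right, and keep the existing SSH session open until a second login on the new port succeeds.

```shell
#!/bin/sh
# Added example (not from the original post): scripted, idempotent versions of
# the sshd, host.conf and fail2ban edits. Function names are my own.
set -e

# set_sshd_directive FILE KEY VALUE
# Rewrite every "KEY ..." line, commented out or not, as "KEY VALUE"; append the
# directive if the file does not mention KEY at all. sshd honours the first
# active occurrence, so rewriting all of them keeps the result unambiguous.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]+" "$file"; then
        sed -i -E "s/^[#[:space:]]*$key[[:space:]]+.*/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# sshd_get FILE KEY -> value of the first active (uncommented) occurrence
sshd_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sshd_config FILE: syntax-check with sshd itself (needs root to read
# the host keys); returns non-zero if sshd is missing or rejects the file.
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 && sshd -t -f "$1"
}

# set_fail2ban_ssh_port FILE PORT
# Only lines that literally read "port = ssh" are changed, so jails for other
# services in jail.conf keep their own port lists.
set_fail2ban_ssh_port() {
    file=$1; port=$2
    sed -i -E "s/^([[:space:]]*port[[:space:]]*=[[:space:]]*)ssh[[:space:]]*$/\1$port/" "$file"
}

# append_once FILE LINE: add LINE unless it is already present verbatim
# (used for "nospoof on" in /etc/host.conf)
append_once() {
    grep -Fxq "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Demonstration on constructed copies in a scratch directory.
demo() {
    d=$(mktemp -d)
    printf '#Port 22\nPermitRootLogin yes\nX11Forwarding no\n' > "$d/sshd_config"
    printf '[ssh]\nenabled = true\nport = ssh\n\n[apache]\nport = http,https\n' > "$d/jail.conf"
    printf 'order hosts,bind\nmulti on\n' > "$d/host.conf"

    set_sshd_directive "$d/sshd_config" Port 102
    set_sshd_directive "$d/sshd_config" PermitRootLogin no
    set_fail2ban_ssh_port "$d/jail.conf" 102
    append_once "$d/host.conf" "nospoof on"
    append_once "$d/host.conf" "nospoof on"   # second call is a no-op

    echo "sshd Port: $(sshd_get "$d/sshd_config" Port)"
    cat "$d/sshd_config" "$d/jail.conf" "$d/host.conf"
    rm -r "$d"
}
demo
```

On the live system the order matters: edit sshd_config, run check_sshd_config /etc/ssh/sshd_config, restart ssh, and only then point fail2ban at the new port, since fail2ban watches the port you give it from that moment on.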

Let's get it all over with:

reboot

Next time you log in to your server, make sure to use port 102 instead of 22 (or whatever you happened to change it to). You should be able to use pptpd now. If you literally used all the configuration settings above, your new login information is:

VPN Type: PPTP
Server: 198.14.7.31
User: user11
Password: s83udh2h

With these settings I have confirmed the following can connect with the OS default PPTP adapter: Windows 7, Windows 8, Mac OS X, iPhone 4S (iOS 6.1.1), iPhone 5 (iOS 6.1), Ubuntu 13.04 x64. I am sure many others work. I am successfully using Ubuntu Samba and Windows broadcasts, and am able to play games on Windows using this VPN.

Common problems:

Problem 1 – You're unable to connect to the VPN and, reviewing /var/log/syslog, you find the following:
GRE: Bad checksum from pppd.
MPPE required but peer negotiation failed
GRE: read(fd=6,buffer=80504c0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs

Solution 1:
In many cases this is due to the fact that the client trying to connect is not sending its authorization using MPPE. If it's a Linux machine, you likely need to turn on encryption in your VPN settings. If this is a router, and you have ensured that you have set encryption, it is likely a router limitation and you will need to remove the require-mppe-128 and require-mschap-v2 options from /etc/ppp/pptpd-options.

Problem 2 – You connect to the VPN and have internet, but cannot ping other machines on your VPN

Solution 2:
Likely this is due to a routing or configuration issue. Make sure bcrelay is enabled for eth0 in /etc/pptpd.conf. Make sure proxyarp is enabled in /etc/ppp/pptpd-options. Then follow the best guide I have ever seen on the subject at http://poptop.sourceforge.net/dox/diagnose-forwarding.phtml (my hat's off to the creator) to troubleshoot.

Problem 3 – You can connect to the VPN but you are not getting internet.

Solution 3:
Likely this is due to your DNS server. Make sure you are using the correct DNS in /etc/ppp/pptpd-options. Try using Google's DNS servers: ms-dns 8.8.8.8 and ms-dns 8.8.4.4.

A Traditionalist's Guide to Configure – Ubuntu 11.10 Oneiric Ocelot

If you're a traditionalist, you obviously want to get rid of the cumbersome left bar now configured by default in Ubuntu. Most likely you don't want it, don't need it, don't want to adjust to it, and had you wanted it you would have purchased an {insert shiver here} Apple (even then you would expect it to be customizable and not be bound to the left). Since Ubuntu 9.10 I, like many others, have spent my time systematically breaking, circumventing and cursing to the gods names like Shuttleworth. Well, since it has been made clear that no matter how many people do not like this new shit uhmm… functionality, it will proceed anyway, I have decided it's time to move on.

Documented here is the simplest path (that I have found) to configuring Ubuntu the way that it should be out of the box. I have left the packages separate to make it easier to decide what a person wants or does not want:

1) Ignoring Unity

From a terminal, run the following commands:
sudo apt-get install gnome-shell
sudo apt-get install gnome-session-fallback
If you want to move the buttons to the right, run this command from a terminal:
gconftool-2 --set "/apps/metacity/general/button_layout" --type string ":minimize,maximize,close"
Now, you have spent enough time with Unity; go ahead and log out.
Now log in again, click the settings icon, and choose GNOME Classic.

2) Fix Dependencies (NEEDED FOR X64 VERSIONS ONLY)

sudo apt-get -f install

3) Install Chrome

I personally prefer to use Chrome instead of Chromium.
Go HERE (or browse to Google yourself to download Chrome).
Download the deb package (either 32- or 64-bit).
On 32-bit, just open the package to install.
On 64-bit, run the following from a terminal (assuming you downloaded to the default Firefox path):
sudo dpkg -i './Downloads/google-chrome-stable_current_amd64.deb'
If you have some trouble with the install, try the following command from a terminal:
sudo apt-get install libnspr4-0d libnss3-1d libxss1 libcurl3
then run dpkg again.
Install support for ffmpeg in Chrome (if you're not using Chrome or Chromium, skip this):
sudo apt-get install chromium-codecs-ffmpeg-extra

4) Install support for DVD playback and ‘proprietary’ codecs

sudo apt-get install ubuntu-restricted-extras
sudo apt-get install libdvdread4
sudo /usr/share/doc/libdvdread4/install-css.sh

5) Install support for your webcam

sudo apt-get install cheese

6) Install VLC Media Player

sudo apt-get install vlc

7) Install Dropbox

sudo apt-get install nautilus-dropbox

8) Install Pysdm (a lazy man's tool for automatically mounting Windows or other partitions)

sudo apt-get install pysdm

9) Install audacious

sudo apt-get install audacious

Script to KeePass safely in DropBox

Need: I want a multiple-platform (Windows/x86/x64/Vista/XP/7) key manager available to my work, home, and, well, everywhere.

Resolution: KeePass in Dropbox

Problem: I am concerned that if my database is corrupted (which is likely if you are accessing it from multiple computers and accounts), I will lose all of my keys.

Solution:

Keys are a valuable commodity, and they are what hackers are looking for when they access your computer. You should be encrypting them, and you should be aware that keyloggers could be hiding out even if you're technically inclined. So many people resort to key safes like KeePass. Now, this allows us to have the 56-character keys that make brute force attempts almost humorous… almost…. That being said, Dropbox now transfers files from your computer via SSL to the S3 data centers, which place another 256-bit AES encryption on the files, and your KeePass database is encrypted already. Well, this leaves you with a couple of problems. 1) Because of this process there is a much greater likelihood of corrupted database files. 2) Dropbox only stores the last two revisions of a file.

Well, rather than launch KeePass directly, use this script instead:

REM Build a date stamp (e.g. 03122013 on a US locale) from "date /t":
REM fields 2-4, split on "/" and space.
For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set date=%%a%%b%%c)
REM One backup per day: skip the copy if today's backup already exists.
IF EXIST KeePassX\back\%date%backup.kdb GOTO ENDME
copy howto.kdb KeePassX\back\%date%backup.kdb
:ENDME
REM Launch KeePassX with the database, then close this console window.
START KeePassx\KeePassX.exe howto.kdb
exit

I am assuming that you have placed this .bat file in your Dropbox folder and that you have created a folder inside Dropbox called KeePassx, with a back subfolder inside it for the daily copies. Please note that you need to replace howto.kdb, on both the copy line and the start line, with your KeePass database name. Here is my structure to make it more plain.

Stay safe!!!

Microsoft Wireless Hosted Network Enables Counter Hacking

If you live in a large, technically aware city like me, I am sure you have seen it: the wireless router has ports shared that you have never opened, or you occasionally find an IP on your network that certainly does not belong to you. Naturally you change your router name and password, make it invisible, reduce the signal, give it the really long key that you have to look up in your password database every time a friend comes over or you re-install Windows. Thinking you're safe, you forget about it until it happens again. Then you ask yourself, what were they doing? Was my IP used to hack a bank, or upload child porn, or do I now have a nasty trojan? Of course your router logs were almost intentionally made to be worthless for these answers, and it takes all of a double click to spoof the worthless MAC address you did get from your router log. The bottom line is, unless you are a corporation, you can't justify investing man hours and thousands of dollars just to actively monitor these situations. Well, now we certainly are closer to having an OS-based solution simple enough for anyone to monitor this kind of activity, at least closer than companies like Asus or Linksys enhancing their functionality.

A certainly cool (while not extremely original) function was added to Windows 7: the Wireless Hosted Network. Buried in the heaps of libraries and binaries that Microsoft has stashed away for a rainy day, they tend to dust one like this off and sneak it into a release. This new functionality enables the new rage app ‘Connectify’. Now, I commonly only link to a website for reference or download, but you should visit their main site and watch some of the videos if you want a few minutes' entertainment.

What is Connectify? Very simply, it's an application that allows Windows 7 (and Windows Server 2008 R2) to use a wireless connection as a router. Previously this was not feasible due to the way that Windows handles its connection to the networking device. I only mention this app because it is free, ad-enabled software that extends these new functions and gives a convenient user interface.

What is Virtual Router? Virtual Router is CodePlex open source software that in essence does the same thing as Connectify. However, you may be surprised to note how similar they are. Virtual Router is important to us because it is an open source C# application that we can modify and use as a learning tool in the new SoftAP marketplace for Windows.

Terminology Review:

STA – Station Adapter

PAN – Personal Area Network

AP – Access Point

SoftAP – Software Access Point

VSTA – Virtual Station Adapter

Netsh

What is the Wireless Hosted Network

Ubuntu 10.10 releases 10/10/2010, according to who?

So, here I sit (currently in Taiwan), awaiting the Ubuntu 10.10 release. Well, I know I am the only one, as everyone else is celebrating their independence day (very ironic considering the government just reprimanded students for waving a Taiwan flag in Taiwan). What I didn't mention is the fact that, like any true geek, I am on all of the FTP sites and the main site waiting for that special moment that lets you know… 10.10 is here. Really, I don't want 10.10, but today is that illustrious day that we find out why (of all things) we moved the controls for minimize, restore and close to the left hand side of the screen.

Now let's take a raise of hands, people, and tell me… is the first thing you do when you re-install or upgrade a new Ubuntu box to move the controls back where they belong? I switch between many OSes, and I always know where to look to close my windows. Basically, when I download 10.10 and boot from the live CD I had better hear angels singing and the earth moving, and the illustrious glow from my far improved machine should be so bright that I have to reduce my monitor lighting. This is the last straw; I haven't looked at community previews or betas because I want to know for myself what possessed these people to screw with my application work-flow.

I have put up with slow releases, applications from 4 years ago running because they don't have time to ‘test’ the new versions, corrupted package managers as they release upgrades, being told that I don't know what I really want in my OS as they continue these far-fetched business-vision-based ideas like the controls on the left side of the screen, and frankly just too much more. I want a kernel that was released in the last year, I want a Linux OS that I can point my non-tech friends to and say look at that, open source can succeed and it needs more support, and most of all I want a release that doesn't leave me twiddling my thumbs until > 18:00 on the release date wondering exactly what time is considered the release time for a global OS.

Most of the world will likely be asleep and waiting for their 10/11 release because the snooty Americans seem to think the world should run on their time zone. I mean, come on Canonical France, you hate those US Bastards where is your ftp update, huh? I know a bottle of wine would calm me down about this issue, and obviously everyone at your office has gone home to smash some grapes and forget about this crap..

AHhh… It is here. It better be good.

I did a new install rather than the live CD. Booted, and ironically the default 10.10 theme is bright enough to make you want to turn down your monitor brightness. The installation continued to copy files while I answered questions. However, this install took almost 2x as long as the previous version. But the buck stops here: THERE IS NOTHING IN THE UPPER RIGHT HAND CORNER OF MY WINDOWS. THANK YOU UBUNTU VISIONARIES FOR BEING A PAIN IN THE ASS WHILE AT THE SAME TIME ON THE OTHER SIDE OF YOUR MOUTH PROMISING IT WILL BE USED IN 10.10. NEXT TIME YOU GET A BRIGHT IDEA, I HOPE IT'S TO GO WORK FOR MICROSOFT BECAUSE YOU WILL FIT RIGHT IN. TONS OF USELESS WORTHLESS IDEAS, BRILLIANT VISIONS (ONLY TO YOURSELF ANYWAY) AND CONTRARY TO THE REST OF THE COMMUNITY'S ADVICE, YOU CONTINUE WITH WHAT YOU'RE DOING ANYWAY. THAT'S IT, I WILL NEVER INSTALL UBUNTU AGAIN ON ANY MACHINE IN ANY COMPANY I OWN OR WORK FOR UNTIL YOU FIX MY WORK-FLOW. I WILL, OVER TIME, REPLACE EXISTING BOXES WITH MINT OR DEBIAN OR MAYBE FUCKING OS/2. YOU WORTHLESS THOUGHTLESS SACKS OF PRIMEVAL SLUDGE, CAN YOU EVEN BOOT THE OS YOU'RE STEERING DECISIONS FOR? LET ME GUESS, SOME ‘PARTNER’ TOLD YOU THAT SUPPORTING XX VERTICAL WOULD INCREASE YOUR PIPELINE IN MAINTENANCE IF YOU DID XYZ, BUT YOU FOUND YOU WEREN'T ABLE TO COMPLETE XYZ, WHICH, CONTRARY TO EVERYONE BUT YOU, SHOULD HAVE BEEN THROWN IN THE WASTEBASKET. LET ME TAKE YOUR DIGITAL DOWNLOAD AND SHOVE IT BACK UP YOUR T1 FIBER BACKBONE.

Oh, by the way, I do like the minor modifications to the button images and menus, it is nice to know someone cared, now go convince numb-nuts to put the icons back by default and use the left side of the screen for his social media ideas (or whatever it happened to be).

(Broken) Script to enable multiple DropBox accounts in Windows 7

UPDATE: Please be aware this method is no longer working. It seems that more than 30,000 people have viewed this solution. I hope you no longer continue to use it… Thanks.

As you can see I am convinced that Dropbox is cool, but some things just aren't quite right. Namely, multiple accounts on one machine. I see many posts with a long set of descriptions on how to accomplish multiple Dropbox accounts. But what happens if you don't want a bunch of logins messing up your login page? What if you want it to automatically log you in when you start Windows (and you don't want to enter your password every time)?

Pre-requisites

You need to have admin access to your computer

You need to have Sysinternals PsExec installed and in your path. Here is the Microsoft Download Page.

(If you don’t know what ‘in your path’ means, you can just extract it to the c:\windows\system32 folder)

If you are just creating one extra account, this method is about the same amount of work as manually creating another user. But… with multiple users, well, you can see how much easier it will be. You could theoretically create 10 different accounts in less than 10 minutes if you understand these instructions.

How-To

1) Copy my script into your Dropbox folder (C:\Users\<your name>\AppData\Roaming\Dropbox) (don't worry, userlinklist will be added later; you don't need to add it)

2) Run cmd with elevated permissions (Click on start, type cmd, right click on cmd.exe and choose run as administrator)

3) Change to the path the script is in, "cd C:\Users\globalcynic\AppData\Roaming\Dropbox" for example

4) Use this syntax: new <username> <password> (i.e. "new dropboxusr24 mypass") (read the note below)

5) repeat step 4 as many times as you need

*Note for step 4… This username and password are not for Dropbox but for Windows. Even though I hide the accounts from the login screen, these are still valid Windows logins. Located in the text file are your username and password so you can remember them, but if you are paranoid about security, delete this file.

What the script does

  • Creates a new user account
  • Hides that account from your login page
  • Loads the new user profile
  • Copies the dropbox into the new profile
  • Starts dropbox for the first time for you
  • Creates a text file that shows the exact shortcut that you can place in your startup folder if you want.

Here is the script

Simply copy this script into a new text file and save as new.bat (or whatever name you want).

REM Create the local Windows account %1 with password %2.
net user %1 %2 /add
REM Hide the account from the welcome screen: SpecialAccounts\UserList\<name> = 0.
REM REG QUERY sets errorlevel 1 when the key or value is absent, so create it then.
REG QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts"
if [%errorlevel%]==[1] REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts"
REG QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
if [%errorlevel%]==[1] REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
REG QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v %1
if [%errorlevel%]==[1] REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v %1 /t reg_dword /d 0
REM Run something as the new user once so Windows creates its profile folder.
psexec -d -u %1 -p %2 whoami
REM Copy the Dropbox binaries into the new profile and start Dropbox there.
xcopy bin "C:\Users\%1\AppData\Roaming\Dropbox\bin" /i
psexec -d -u %1 -p %2 "C:\Users\%1\AppData\Roaming\Dropbox\bin\Dropbox.exe"
REM Record the start command for later use (this stores the password in plain text).
echo psexec -d -u %1 -p %2 "C:\Users\%1\AppData\Roaming\Dropbox\bin\Dropbox.exe" >> userlinklist.txt

Important Notes

Note: The “userlinklist.txt” file contains a command that will allow you to execute Dropbox. If you want Dropbox to start when Windows does, create a shortcut with that command in your Windows startup folder for every account that you want to start. Or, if you want to start all Dropbox accounts manually, simply rename userlinklist.txt to userlinklist.bat and it will start all of your Dropbox accounts at once.

Note: The first time you start dropbox and link it to an account, it will not sync. This is a problem also observed in their (discontinued) portable app. All you have to do is link it for the first time, exit Dropbox, and then start it again and there are no more problems.

Note: It should be obvious, but if it is not, do not attempt to place all synced folders in the same location. Each Dropbox account must be syncing in a different folder.

Note: Removal instructions. You need to remove the Windows user, then delete the profile folder (c:\users\username). You can also use the command net user username /delete to remove the user accounts.

DropBox Hack Map to a Drive in Windows

Well, I just found a new Dropbox hack. Hmm, hack is perhaps too strong; let's try value-adding benefit via an under-documented MS Windows command-line feature. But since everyone calls a cool feature a hack these days, I am taking the liberty. So… let me try to follow the dialog I used while explaining this to someone; I have faith that you will understand too.

What does it do? Nothing really, other than allow you to access Dropbox from Windows just like it's another drive on your system.

How do I do it? Well, it's really easy: click on Start and type subst <drive> <folder>

Great, now I have a cool mapped virtual drive; now how do I get rid of it? Type subst <drive> /d

I still don't get it? Hmm, should I draw you a picture? Fine, let's say you want to create a D drive for your Dropbox folder, and let's say your Windows username is globalcynic. Look at the examples below. The first one will add your drive, and the second example will remove it.

subst d: "c:\users\globalcynic\Documents\My Dropbox"

subst d: /d

Hey, that is cool, but how do I automate it? Well, you could make it a batch file, or if you're really adventurous you could make it a service that checks whether Dropbox is running.