Show Posts



Topics - krab

Pages: [1]
1
Notes taken after following this tutorial: http://www.thebakershome.net/openvpn_tutorial

aptitude install openvpn bridge-utils
cd /etc/init.d
nano bridge

Code:
#!/bin/bash
# Create global variables
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="172.16.0.5"
eth_netmask="255.255.255.0"
eth_broadcast="172.16.0.255"
gw="172.16.0.1"

start_bridge () {
    #################################
    # Set up Ethernet bridge on Linux
    # Requires: bridge-utils
    #################################
    # Create the persistent TAP device(s) and bring them up without an address
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
    # The physical NIC also loses its address; the bridge takes it over below
    ifconfig $eth 0.0.0.0 promisc up
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
    route add default gw $gw $br
}

stop_bridge () {
    ####################################
    # Tear Down Ethernet bridge on Linux
    ####################################
    ifconfig $br down
    brctl delbr $br
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    # Give the address and default route back to the physical NIC
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
    route add default gw $gw $eth
}

case "$1" in
    start)
        echo -n "Starting Bridge"
        start_bridge
        ;;
    stop)
        echo -n "Stopping Bridge"
        stop_bridge
        ;;
    restart)
        stop_bridge
        sleep 2
        start_bridge
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac




cd /etc/openvpn
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn
cd 2.0
nano vars
# This is to ensure secure data; only the fields that must be filled in are excerpted here, and none may be left blank
export KEY_SIZE=1024  # 2048 also works
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Taipei"
export KEY_ORG="Doctorvoice"
export KEY_EMAIL="doctorvoice@gmail.com"
. ./vars
./clean-all
./build-ca

./build-key-server server
# Generate the client key with or without a password; pick just one of the two
./build-key-pass amigo
./build-key amigo

./build-dh
cd keys
openssl dhparam -out dh1024.pem 1024
cd ..
openvpn --genkey --secret ta.key

nano server.conf
Code:
# Which local IP address should OpenVPN
# listen on? (optional)
local 172.16.0.5
port 1194
# TCP or UDP server?
proto udp
#This is key to configuring our bridge
dev tap0
#direct these to your generated files
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key
dh /etc/openvpn/2.0/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
#ensure the range of ip addresses you use in the last  two arguments
# of this statement are not in use by  either the DHCP server or any other
# device on your  internal network.
server-bridge 172.16.0.5 255.255.255.0 172.16.0.60 172.16.0.70
#needed to allow communication to internal network
client-to-client
keepalive 10 120
#encryption - very important ;)
#AES encryption is backed by many security firms
#however if you are concerned about speed use blowfish: "BF-CBC"
cipher AES-128-CBC
#if you have another subnet you need to provide the route
#push "route 173.23.2.0 255.255.255.0"
#server id protection
#tls-auth ta.key 0
#compression for network speed
comp-lzo
# if packets are too large fragment them (only really useful if you have an old router)
#fragment 1400
#limit the number of connections
max-clients 5
#some security settings
# do not use if running server on Windows
user nobody
group nogroup
persist-key
persist-tun
#log file settings
status openvpn-status.log
verb 3
# authentication plugin
#forces client to have a linux acount in order to connect
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

nano client.conf
Code:
client
dev tap
proto udp
# change this to your server's address
remote 172.16.0.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Point the key and crt files to
# the ones for this user
tls-client
ca ca.crt
cert amigo.crt
key amigo.key
#ensure that we are talking to a server
ns-cert-type server
#confirm we are talking to the correct server
#tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
# Enable compression on the VPN link.
comp-lzo
#fragment large packets
# I found I needed this for some games but it is
# not required
#fragment 1400
# enable user/pass authentication
# auth-user-pass

/etc/init.d/bridge start
openvpn /etc/openvpn/2.0/server.conf

Windows XP client side
Download and install openvpn-gui
http://openvpn.se/files/install_packages/openvpn-2.0.2-gui-1.0.3-install.exe
Obtain the server-generated client.conf, ca.crt, amigo.crt and amigo.key for client amigo to use.
Edit client.conf so that it points to the correct locations of ca.crt, amigo.crt and amigo.key, then rename it to client.ovpn and place it in c:\program files\openvpn\config\
Code:
#client.ovpn
client
dev tap
proto udp
# change this to your server's address
remote 172.16.0.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Point the key and crt files to
# the ones for this user
tls-client
ca c:\\program files\\openvpn\\config\\ca.crt
cert c:\\openvpn\\keys\\amigo.crt
key c:\\openvpn\\keys\\amigo.key
#ensure that we are talking to a server
ns-cert-type server
#confirm we are talking to the correct server
#tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
# Enable compression on the VPN link.
comp-lzo
#fragment large packets
# I found I needed this for some games but it is
# not required
#fragment 1400
# enable user/pass authentication
# auth-user-pass

openvpn-gui starts automatically after boot; just click Connect on the openvpn-gui icon in the bottom-right taskbar to complete the connection.





Messages on the server side
Code:
root@web:/etc/openvpn# openvpn /etc/openvpn/2.0/server.conf
Wed Jun  4 09:18:25 2008 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on May 14 2008
Wed Jun  4 09:18:25 2008 /usr/sbin/openssl-vulnkey -q /etc/openvpn/2.0/keys/server.key
Wed Jun  4 09:18:25 2008 Diffie-Hellman initialized with 1024 bit key
Wed Jun  4 09:18:25 2008 TLS-Auth MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun  4 09:18:25 2008 TUN/TAP device tap0 opened
Wed Jun  4 09:18:25 2008 TUN/TAP TX queue length set to 100
Wed Jun  4 09:18:25 2008 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jun  4 09:18:25 2008 GID set to nogroup
Wed Jun  4 09:18:25 2008 UID set to nobody
Wed Jun  4 09:18:25 2008 Socket Buffers: R=[110592->131072] S=[110592->131072]
Wed Jun  4 09:18:25 2008 UDPv4 link local (bound): 172.16.0.5:1194
Wed Jun  4 09:18:25 2008 UDPv4 link remote: [undef]
Wed Jun  4 09:18:25 2008 MULTI: multi_init called, r=256 v=256
Wed Jun  4 09:18:25 2008 IFCONFIG POOL: base=172.16.0.60 size=11
Wed Jun  4 09:18:25 2008 IFCONFIG POOL LIST
Wed Jun  4 09:18:25 2008 Initialization Sequence Completed
Wed Jun  4 09:18:26 2008 MULTI: multi_create_instance called
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Re-using SSL/TLS context
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 LZO compression initialized
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Local Options hash (VER=V4): '26e19fc0'
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Expected Remote Options hash (VER=V4): 'b498be7c'
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 TLS: Initial packet from 192.168.0.15:1181, sid=d8522637 287b3ad0
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 VERIFY OK: depth=1, /C=TW/ST=Taiwan/L=Taipei/O=Doctorvoice/CN=Doctorvoice_CA/emailAddress=doctorvoice@gmail.com
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 VERIFY OK: depth=0, /C=TW/ST=Taiwan/L=Taipei/O=Doctorvoice/CN=amigo/emailAddress=doctorvoice@gmail.com
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 [amigo] Peer Connection Initiated with 192.168.0.15:1181
Wed Jun  4 09:18:27 2008 amigo/192.168.0.15:1181 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun  4 09:18:27 2008 amigo/192.168.0.15:1181 SENT CONTROL [amigo]: 'PUSH_REPLY,route-gateway 172.16.0.5,ping 10,ping-restart 120,ifconfig 172.16.0.60 255.255.255.0' (status=1)
Wed Jun  4 09:22:27 2008 amigo/192.168.0.15:1181 [amigo] Inactivity timeout (--ping-restart), restarting
Wed Jun  4 09:22:27 2008 amigo/192.168.0.15:1181 SIGUSR1[soft,ping-restart] received, client-instance restarting
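As an added example (not part of the original post or the linked tutorial), a small Python checker that parses a server.conf/client.conf pair like the ones above and reports what breaks or weakens a bridged setup: data-channel options that differ between the two ends, a tls-auth key that is missing or has the wrong key-direction on one side, and a server-bridge pool that falls outside the LAN subnet or overlaps the DHCP range the config comment warns about. The sample configs are constructed from the ones above, trimmed to the directives being checked; the DHCP range passed in is an assumption.

```python
import ipaddress

# Constructed samples reduced from the server.conf / client.conf in the post above.
SERVER_CONF = """proto udp
server-bridge 172.16.0.5 255.255.255.0 172.16.0.60 172.16.0.70
cipher AES-128-CBC
#tls-auth ta.key 0
comp-lzo
"""
CLIENT_CONF = """client
proto udp
#tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
"""

def parse_conf(text):
    """Map each active directive to its argument list; '#' and ';' start comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def check_pair(server_text, client_text, dhcp_range=None):
    """Return findings for a bridged server/client pair (empty list = consistent).
    dhcp_range: optional (first, last) address handed out by the LAN DHCP server."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    out = []
    for key in ("proto", "cipher", "comp-lzo"):  # data channel must agree on both ends
        if s.get(key) != c.get(key):
            out.append(f"{key} mismatch: server={s.get(key)} client={c.get(key)}")
    st, ct = s.get("tls-auth"), c.get("tls-auth")  # HMAC on the control channel
    if st is None or ct is None:
        out.append("tls-auth not active on both sides: control channel unprotected by HMAC")
    elif (st[1:], ct[1:]) != (["0"], ["1"]):
        out.append("tls-auth key-direction must be 0 on server and 1 on client")
    gw, mask, first, last = s["server-bridge"]  # pool must sit inside the bridged LAN
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo not in net or hi not in net or lo > hi:
        out.append(f"server-bridge pool {first}-{last} not inside {net}")
    if dhcp_range:  # and must not collide with what the LAN DHCP server hands out
        dlo, dhi = map(ipaddress.ip_address, dhcp_range)
        if lo <= dhi and dlo <= hi:
            out.append(f"server-bridge pool {first}-{last} overlaps DHCP range {dhcp_range}")
    return out
```

Run against the configs as posted (tls-auth commented out on both sides) it reports only the missing control-channel HMAC; uncommenting both tls-auth lines clears it.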






         


2
The 聯合報 (United Daily News) report

A long time ago I ate there for several years; it's good. Besides the pork liver soup, the oyster soup and the tongue soup are also not bad, depending on personal taste. (Of course it's only a snack stall.)

It's too far away now, so I have no way to take photos for everyone to appreciate; very sorry.

3
Food Action Board / Pictures are proof: posting images with imageshack
« on: 2006-08-04 00:59 »
step 1.
Choose the image host you like, e.g. imageshack here.
Go to http://www.imageshack.us

step 2.
1. Browse to the image file on your computer, 2. check the resize box and choose 800x600 to fit most monitors, and 3. click on "host it".


step 3.
Get the code you need: right-click and copy the "hotlink for forums" code (1).


step 4.
Paste the code you got into the content area of your post.

4
This is my off-site backup scheme :oops:. A friend of mine who doesn't know Linux (his clinic is in Hsinchu) has asked to have the same thing (or better) set up. Is any expert willing to put their talents to modest use and earn a little extra on the side?

If interested, please PM or leave a message, thanks :D

5
I guess they were too busy, so they didn't get around to swapping it in........

6
Linux Discussion Board / rsync over ssh
« on: 2005-07-04 20:26 »
The simplest way to do rsync over ssh is something like rsync -e ssh; of course there are other approaches.

While searching the vast sea of Google I stumbled upon the following:

http://hacks.oreilly.com/pub/h/38

Quote
As of rsync 2.6, ssh is the default remote shell so you no longer need to specify -e ssh.


I wanted to dig further but couldn't find more information. Besides asking the original author, I'd also appreciate guidance from the experts here.

Thanks!

7
Linux Discussion Board / Frequent file backups with rsync
« on: 2005-06-27 17:56 »


My working environment is as shown in the image above:
A, B and C are all Linux: A and C are Debian, while B is Fedora Core 2.
D is Windows 2000 Pro; on the LAN, three Windows 2000 Pro machines concurrently access the office data on A's Samba server.

Backups are currently done in the gaps when the Windows 2000 machines are not accessing office on A, three times a day.

D backs up A's office via a mapped network drive with SecondCopy; an incremental backup takes about 6 minutes.
B backs up over the LAN with rsync -auvrtopg --progress --delete --password-file=/etc/rsync.pass rsync@192.168.1.100::office /home/office, taking under 1 minute.
C backs up A's office over the internet, also with rsync, taking about 3 minutes.

Judging from the time taken, rsync is far more efficient than SecondCopy on Windows.

Questions:
SecondCopy cannot back up files that are in use; I wonder how rsync handles files that are in use? Since the current environment is a real production environment, I dare not try it rashly. I'd like to ask the seniors here for their opinions first; please advise.

If rsync can back up files in use just the same, I'd very much like to use crontab to have C back up A every few minutes. Is this idea feasible?

8
Newbie Board / Bad RJ45 contact?
« on: 2005-06-09 11:38 »
My small office has seven computers; I ran the network cabling myself, crimped the RJ45 connectors myself with a tool I bought, following the pinout in a book, and linked the first and second floors with two hubs.

For the first year everything was fine, but gradually the connections started acting up, dropping intermittently. I thought it was a computer or software problem, until I saw the hub's lights flickering on and off and realised it was bad contact. I guessed my home-made connectors were at fault, so I cut them off and re-crimped them. It was fine for a while, then similar problems occasionally returned; fed up, I gave up and bought ready-made pre-crimped cables, which worked smoothly for a year. Unfortunately, today one cable stopped working again; after some squeezing and wiggling it came back.

Questions:
1. I admit the connectors I crimped myself are poor, but are ordinary store-bought network cables really this fragile too?
2. Could the hub's ports also be a source of bad contact?

Please enlighten me, thanks.

9
System Security Board / Don't recognise the htt account
« on: 2005-04-25 14:04 »
System 1: Fedora Core 2, kernel 2.6.9-mppe-mppc patched, NAT, firewall, vpn-pptp server; apt updates automatically every day
System 2: Fedora Core 2, kernel-2.6.11, web server, behind System 1, no firewall configured on itself; apt updates automatically every day

Situation: suspicious entries appeared in the log files

/var/log/messages
Code:
Apr 25 07:52:15 web su(pam_unix)[2272]: session opened for user htt by (uid=0)
/var/log/secure
Code:
Apr 23 08:09:51 web su: pam_succeed_if: requirement "uid < 100" not met by user "htt"
Apr 23 17:04:30 web sshd[9946]: Illegal user db2inst1 from ::ffff:172.16.0.5
Apr 23 17:04:30 web sshd[9957]: Illegal user friday from ::ffff:172.16.0.5
Apr 23 17:04:30 web sshd[9980]: Illegal user guest from ::ffff:172.16.0.5
Apr 23 17:04:30 web xinetd[2228]: START: ftp pid=9998 from=172.16.0.5
Apr 23 17:04:30 web xinetd[2228]: START: ftp pid=10020 from=172.16.0.5
Apr 23 17:04:31 web sshd[10009]: Illegal user super from ::ffff:172.16.0.5
Apr 23 17:04:32 web sshd[10112]: Illegal user db2as from ::ffff:172.16.0.5
Apr 23 17:04:32 web sshd[10115]: Illegal user outofbox from ::ffff:172.16.0.5


Since I didn't know where the htt account came from, and it even had a home directory, and on top of that the system kept getting password-guessing login attempts, I was very nervous; moreover both System 1 and System 2 showed similar symptoms, while another Fedora Core 2 box didn't have the htt account. I thought System 1, the server with the firewall, had already been handed over to an intruder, and the web server behind the firewall had surrendered as well.

Partly nervous, partly completely baffled, I had no choice but to delete the htt account with userdel first.

Clues:
1. rkhunter found nothing abnormal.
2. The password attempts: thinking back, it turned out to be me scanning for vulnerabilities myself after installing nessus.
3. Googling "htt" revealed that it is the account for the IIIMF htt server. Although I only half understood the htt server documentation I looked at, it clearly isn't an intruder.

Follow-up:
1. After the htt account was deleted, IIIMF would not start. I originally wanted to check whether there is a command to restore a user, but everything seemed to discuss how to restore files. In the end I took htt's entry from a backup of /etc/passwd and typed it in directly.
2. IIIMF now starts as normal.

Questions:
1. How insecure is a system behind the firewall, really? Is it really necessary to add another firewall?
2. On the external NAT/VPN server, almost all unused ports are closed (sshd port 22 closed, ftp port 21 closed), with only DNAT of port 80 to the web server on the LAN; with daily automatic apt updates, is such a server strong enough?
3. Without a backup of /etc/passwd, is there a command to restore a deleted account?

Thoughts:
System security is unfathomably deep; there are still many, many books to read. :oops:
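As an added example (not from the original post), a Python triage of the log lines quoted above: it groups sshd "Illegal user" probes by source address so that an authorised scanner (here the nessus host) is reported separately from a real brute-force attempt, and flags su sessions opened by root into accounts missing from an allowlist of known system and service accounts (such as IIIMF's htt). The threshold, the allowlist and the trusted-scanner set are assumptions a defender supplies.

```python
import re
from collections import Counter, defaultdict

# Log lines quoted from the post above (syslog format of /var/log/secure and /var/log/messages).
SAMPLE_LOG = """\
Apr 25 07:52:15 web su(pam_unix)[2272]: session opened for user htt by (uid=0)
Apr 23 08:09:51 web su: pam_succeed_if: requirement "uid < 100" not met by user "htt"
Apr 23 17:04:30 web sshd[9946]: Illegal user db2inst1 from ::ffff:172.16.0.5
Apr 23 17:04:30 web sshd[9957]: Illegal user friday from ::ffff:172.16.0.5
Apr 23 17:04:30 web sshd[9980]: Illegal user guest from ::ffff:172.16.0.5
Apr 23 17:04:31 web sshd[10009]: Illegal user super from ::ffff:172.16.0.5
Apr 23 17:04:32 web sshd[10112]: Illegal user db2as from ::ffff:172.16.0.5
Apr 23 17:04:32 web sshd[10115]: Illegal user outofbox from ::ffff:172.16.0.5
"""

ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (?:::ffff:)?(\S+)$")
SU_OPENED = re.compile(r"su\(pam_unix\)\[\d+\]: session opened for user (\S+) by .*?\(uid=(\d+)\)")

def analyse(log_text, known_accounts, trusted_scanners=(), threshold=3):
    """Summarise ssh user-enumeration bursts and su sessions into unexpected accounts.

    known_accounts: accounts that legitimately exist (system users plus service
    accounts such as IIIMF's htt); trusted_scanners: addresses of your own
    vulnerability scanners, whose probes are reported apart from real attacks."""
    attempts = defaultdict(Counter)   # source address -> attempted usernames
    su_events = []
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            user, src = m.groups()
            attempts[src][user] += 1
            continue
        m = SU_OPENED.search(line)
        if m:
            su_events.append((m.group(1), int(m.group(2))))
    report = {"bruteforce": {}, "expected_scan": {}, "unexpected_su": []}
    for src, users in attempts.items():
        if sum(users.values()) >= threshold:
            bucket = "expected_scan" if src in trusted_scanners else "bruteforce"
            report[bucket][src] = sorted(users)
    for user, uid in su_events:
        if user not in known_accounts:
            report["unexpected_su"].append((user, uid))
    return report
```

With htt on the allowlist and 172.16.0.5 registered as the scanner, the same lines that alarmed the poster produce no alert; drop either and they do.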

10
Current environment and machines

1. Linux Fedora Core 2, Pentium 450MHz, firewall, NAT, router, VPN server,
   three NICs - internal eth0: 192.168.0.20
              - external eth1: ADSL
              - external eth2: Hinet HiFly VPN

2. Linux Fedora Core 3, Celeron 1100MHz, Samba server, 192.168.0.30

3. Windows 2000 Server: Pentium 2.4G, 192.168.0.10, file server (Visual FoxPro and Access databases), OfficeScan server (PC-cillin)

4. Windows 2000 Pro: workstation, Pentium 350MHz, 192.168.0.11

5. Windows 2000 Pro: workstation, Pentium 300MHz, 192.168.0.12

6. Windows 2000 Pro: workstation, Pentium 500MHz, 192.168.0.13

7. Windows 2000 Pro: 24-hour surveillance recording, AMD 1800MHz, 192.168.0.14

8. Windows ME: Pentium 200MHz, used by a standalone examination instrument

What I'm now thinking of doing:

1. Stop using the Windows 2000 Server and reinstall it as a Linux Samba server, taking over as the file server for the Visual FoxPro and Access databases. The Samba config would use user-level security only, with no netlogon, and folder access permissions would be planned by assigning users to different groups, so users only need to log in locally on their Windows 2000 workstations rather than into a domain. Hand the OfficeScan server role over to machine 7.

2. Machine 2 would no longer run the Samba server; it already has LAMP installed, so turn it into the DMZ web server (172.16.0.2). Since it serves almost only as a notice board with just a handful of visitors, it should be more than enough.

3. To support the DMZ, add another NIC to machine 1: 172.16.0.1, and configure shorewall DNAT to forward port 80 to machine 2: 172.16.0.2; also DNAT the surveillance recording port to machine 6 so that it can be monitored remotely.

Seniors, is this plan appropriate and feasible?

11
VBird (鳥哥) Temporary Bulletin Board / Calling VBird, please respond if you hear
« on: 2005-01-31 23:21 »
Can't reach VBird's forum from Seednet :-?
