How to find connected hosts at network (vpn or lan) - linux

I'm looking for possible solutions to the following need:
I have a VPN configured (using OpenVPN on Linux, BTW), and I want to know at any moment which hosts are connected to it. I recognize that it probably is the same thing as trying to know which hosts are connected to a LAN, so any of the solutions might do the job...
The fact is that I once used a Hamachi VPN on Linux and with it I had the chance to know which hosts were connected to a particular network where I belonged, so I was wondering if something similar might be possible in OpenVPN (or even any VPN and/or any LAN).
Preferably, I'm looking for open-source/free software solutions, or maybe hints to program it myself (in the simplest way if possible; not that I don't know how to program, but I'm trying to achieve this in a simple manner). But anyway, if there are no OS/FSW solutions, any other one might do...
Thanks a lot!
Javier,
Mexico City

An easy way to do this with OpenVPN in linux is to use the client-connect and client-disconnect scripts on the server end to maintain a list for you. The client-connect script can log the $common_name environment variable (and also its $trusted_ip, if you like) each time a client connects, and the client-disconnect script can remove that client from the list.
If you also write both connections and disconnections to a different time-stamped log, you'll have a permanent record of the time and duration of each connection.
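The hook script the answer describes, as an added example (not the answerer's code): one script serves as both client-connect and client-disconnect hook, keeps a "currently connected" list keyed by common name, and appends every event to a time-stamped log. The state and log file paths are assumptions, and the server config must contain script-security 2 for OpenVPN to run it. A client that reconnects without a clean disconnect gets its stale entry replaced rather than duplicated.

```sh
#!/bin/sh
# Added example: maintain a list of connected OpenVPN clients from the
# client-connect / client-disconnect hooks. Not part of the original answer;
# the file locations below are assumptions.
#
# Server-side config (assumed paths):
#   script-security 2
#   client-connect    /etc/openvpn/hooks/clients.sh
#   client-disconnect /etc/openvpn/hooks/clients.sh
# OpenVPN exports script_type ("client-connect" or "client-disconnect"),
# common_name and trusted_ip for the client the event is about.

STATE_FILE="${STATE_FILE:-/var/run/openvpn/connected.txt}"   # assumed path
LOG_FILE="${LOG_FILE:-/var/log/openvpn/connections.log}"     # assumed path

now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# record_disconnect STATE_FILE NAME: drop NAME from the list (no-op if absent).
record_disconnect() {
    state=$1; name=$2
    [ -f "$state" ] || return 0
    tmp="$state.tmp.$$"
    # keep every line whose first field (the common name) is not this client
    awk -v n="$name" '$1 != n' "$state" > "$tmp" && mv "$tmp" "$state"
}

# record_connect STATE_FILE NAME IP: add NAME; a reconnect that arrived
# without a prior disconnect replaces the old entry instead of duplicating it.
record_connect() {
    state=$1; name=$2; ip=$3
    record_disconnect "$state" "$name"
    printf '%s %s %s\n' "$name" "$ip" "$(now)" >> "$state"
}

# count_connected STATE_FILE: number of clients currently listed.
count_connected() {
    [ -f "$1" ] || { echo 0; return; }
    wc -l < "$1" | tr -d ' '
}

# is_connected STATE_FILE NAME: exit 0 when NAME is in the list.
is_connected() {
    [ -f "$1" ] && awk -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# log_event LOG_FILE EVENT NAME IP: permanent time-stamped record of the event.
log_event() {
    printf '%s %s %s %s\n' "$(now)" "$2" "$3" "$4" >> "$1"
}

# Entry point used by OpenVPN. Does nothing when script_type is unset, so the
# functions above can be sourced and exercised on their own.
case "${script_type:-}" in
    client-connect)
        record_connect "$STATE_FILE" "$common_name" "$trusted_ip"
        log_event "$LOG_FILE" CONNECT "$common_name" "$trusted_ip" ;;
    client-disconnect)
        record_disconnect "$STATE_FILE" "$common_name"
        log_event "$LOG_FILE" DISCONNECT "$common_name" "$trusted_ip" ;;
esac
```

Listing who is on the VPN is then just reading STATE_FILE; the log gives connection times and, by pairing CONNECT and DISCONNECT lines per common name, durations. The hook must exit 0, otherwise OpenVPN rejects the client, so keep anything that can fail out of it.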
cygwin node implementation over mapping issues node server across lan - solutions needed

I have a Win box (clean, no bloat, no Node, no servers) that I develop with, and incidentally have Cygwin on it. I also have an Arch Linux server fully configured like a dream, the way I like it, and even use PuTTY on the Win box for it. I would love to use the resources on the Linux box for this; however, the problem is I spend too much time on nginx, php-fpm and crap like that on the server to keep a proper DNS name dialed in, to have proper DNS-accessible names to map the browser on the dev machine to the server, normally, when I need it.
I'm willing to break the pattern, to stab at a quick solution, since this comes up so often for me, but I want the easy option; I thought I'd ask opinions.
- What I need is a way to access the Node server, any Node server for that matter, from the Win box browsers. That's my main requirement.
- Secondarily, I need to access git on the server for repo storage, and preferably even work on the files out of there as \\hostname\projects\site\index.js etc. on the Win box.
- I prefer NOT to use git through any kind of start menu or icon; I would hate that, I'm a command-line guy.
Existing
Win development, want to work on a Node app, Arch box on 192.168 subnet with working Node, no DNS mapped (can add to /etc/hosts, but having the Linux box capture that DNS name is too much work for now)
Option 1
Use Cygwin right here, install Node on it, go to town on development, but I want to use the git repo/git on the Arch Linux box somehow still. I won't install git or Node.js on Windows per se, only through the command line, Chocolatey maybe, but preferably Cygwin, if there is such a thing; I just haven't used it before really.
Option 2
What's available for me to map something easy to the Linux box, and use the resources available there and PuTTY? E.g. do I need a quick DNS solution, or what am I looking for? (Don't suggest BIND or dnsmasq please.) I much prefer BIND, have it on there, but don't want to get that dialed in; I just want to spend an hour on this each time I need to work on a website. I need something quick.
What about a proxy, if I point my browsers to proxy to the IP of the server? I don't really mind using IPs, as long as the site allows it.
Suggestions?
There is nothing wrong with dnsmasq. It's way simpler than BIND; you just put names in /etc/hosts. For the Windows machine, install VirtualBox and Ubuntu. Not sure Cygwin works at all with Node, but it would probably suck compared to VirtualBox.
There is no simple Linux DNS that I know of besides dnsmasq. nsd is not bad but it's still a pain in the ass. There might be an easy-to-set-up Windows DNS server though. But I would just use VirtualBox and dnsmasq.
On Windows the hosts file is normally in \WINDOWS\system32\drivers\etc

Windows Active Directory Domain setup remotely through univention using samba4

I have a slight problem; a bit of the back story: recently I've been trying to test out Univention, which is a Linux distribution with the goal of being able to replace Microsoft Active Directory.
I tested it locally and all went reasonably well after a few minor issues. I then decided to test it remotely, as the company wants to allow remote users to access this, so I used myhyve.com to host it, and it's now been set up successfully and works reasonably well.
However,
my main problem is DNS-based: when trying to connect to the domain, the only way Windows will recognize it is by editing the network adapter and setting the IPv4 DNS server address to the IP address of the server hosting the Univention Active Directory replacement. Although this does allow everything to work, it's not ideal, and DNS lookups on the internet are considerably longer. I was wondering if anyone had any ideas, or has done something similar and encountered this problem before and knows a workaround. I want to avoid setting up a VPN if possible.
After initially registering the computer on the domain I am able to remove the DNS server address and just use a couple of amendments to the HOSTS file to keep it running, but this still leads to having issues connecting to the domain controller sometimes and is not ideal. Any ideas and suggestions would be greatly received.
Michael
For the HOSTS entries, the most likely issue is that there are several service records a computer in the domain needs. I'm not sure whether these can be provided via the HOSTS file or not, but you'll definitely have authentication issues if they are missing. To see the records your domain is using, issue the following command on the UCS system:
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
For the slow resolution of the DNS records there are several points where you could start looking. My first test would be whether or not you are using a forwarder for the web DNS requests and whether or not the forwarder has decent speed. To check if you are using one, type
ucr search dns/forwarder
If you get a valid IP for any of the UCR variables dns/forwarder1, dns/forwarder2 or dns/forwarder3, you are forwarding your DNS requests to a different server. If all of them are empty or not valid IPs, then your server is doing the resolution itself.
Not using a forwarder is often slow, as the DNS server's caching is optimized for the AD operations, like the round-robin load balancing. Likewise, a number of ISPs require you to use a forwarder to minimize the DNS traffic. You can simply define a forwarder using ucr; I use Google's IPv4 resolver for the example:
ucr set dns/forwarder1='8.8.8.8'
The other scenario might be a slow forwarder. To check it, try to query the forwarder directly using the following command:
dig univention.com @$(ucr get dns/forwarder1)
If it takes long, then there is nothing the UCS server can do; you'll simply have to choose a different forwarder with the ucr command above.
If neither of the above helps, the next step would be to check whether there are error messages for the named daemon in the syslog file. Normally these come when you are trying to manually remove software or if the firewall configuration got changed.
Kevin
Sponsored post, as I work for Univention North America, Inc.
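The forwarder checks from the answer, put together as an added example (not Univention's code or the answerer's): it parses the ucr search output for dns/forwarder1..3, validates each value as an IPv4 address, and times a query against a forwarder with dig. The ucr output embedded below is a constructed sample in the "key: value" shape the answer refers to, so the parsing and validation run anywhere; only query_time needs dig and network access.

```sh
#!/bin/sh
# Added example: sanity-check the UCS DNS forwarder settings described above.
# Not from the answer; the sample ucr output is constructed.

# valid_ipv4 ADDR: exit 0 when ADDR is a syntactically valid dotted quad.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# forwarders_from_ucr TEXT: the values set for dns/forwarder1..3 in the output
# of "ucr search dns/forwarder" (lines of the form "dns/forwarder1: 8.8.8.8";
# unset variables show an empty value or "<empty>" and are skipped).
forwarders_from_ucr() {
    printf '%s\n' "$1" | awk -F': ' '
        /^dns\/forwarder[123]:/ { if ($2 != "" && $2 != "<empty>") print $2 }'
}

# check_forwarders TEXT: print "OK <ip>" or "BAD <value>" per configured
# forwarder. Exit 1 when none is configured, i.e. the server resolves on its own.
check_forwarders() {
    n=0
    for f in $(forwarders_from_ucr "$1"); do
        n=$((n + 1))
        if valid_ipv4 "$f"; then echo "OK $f"; else echo "BAD $f"; fi
    done
    [ "$n" -gt 0 ]
}

# query_time FORWARDER [NAME]: milliseconds dig needed to resolve NAME through
# FORWARDER (default univention.com, as in the answer). Needs network access;
# prints "dig-missing" and fails when dig is not installed.
query_time() {
    command -v dig >/dev/null 2>&1 || { echo dig-missing; return 1; }
    dig +tries=1 +time=3 "${2:-univention.com}" "@$1" | awk '/Query time:/ { print $4 }'
}

# Constructed sample of "ucr search dns/forwarder" output: one valid forwarder,
# one unset, one mistyped.
SAMPLE_UCR='dns/forwarder1: 8.8.8.8
 Forwarder 1
dns/forwarder2: 
 Forwarder 2
dns/forwarder3: not.an.ip
 Forwarder 3'

# On a UCS host: check_forwarders "$(ucr search dns/forwarder)" and then
# query_time <ip> for every line marked OK; a BAD line means the UCR value
# needs fixing with "ucr set dns/forwarderN=<ip>".
```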

Is it possible to get the iSCSI initiator IQN of another Linux machine?

On a local machine, I can just do
cat /etc/iscsi/initiatorname.iscsi
to get the IQN that is sent to targets when establishing an iSCSI session.
What I am trying to find out is whether it is possible to establish another machine's initiator IQN without ssh'ing to it.
This is because, given a set of IPs or hostnames of machines I have no control over, I need to set up targets to allow iSCSI logins from those machines only.
It doesn't seem to be possible using, e.g., iscsiadm. I'm assuming the answer is No, but I'm no expert in iSCSI, so asking anyway.
If the answer is No, we'll have to deal with the problem in some other way, perhaps by requiring the initiators to be set up with IQNs from a known pool, or even that the IQN is set to the same on all those machines (I suspect there might be adverse consequences with the latter workaround, but I'm not sure).
There's no in-band way to get the initiator IQN of a remote machine until it tries to connect to your target. It's best to assign them IQNs you know about. Definitely don't give them the same IQN; that'll just give you headaches later. If you can't assign them, then:
Just have the hosts attempt to connect to your target and get the IQN out of the target's logs when it rejects the login attempt.
Or, if you can't ssh to them, perhaps have the hosts ssh out to drop their IPs and IQNs in a centralized place you have some control over?
Is it possible for you to set up an iSNS?
In this case, it sounds like you will need the clients to submit their IQN ahead of time so you can add it to your list of allowed initiators.
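Both fallbacks from the first answer, as an added example that is not the answerer's code: on the initiator side, read the local IQN out of /etc/iscsi/initiatorname.iscsi so the host can report "IP IQN" to a central list; on the target side, extract the IQNs from log lines about rejected logins and list the ones not yet in the allow list. The log lines are constructed samples, since tgtd and LIO word their messages differently; only the IQN format itself (iqn.YYYY-MM.reversed.domain[:identifier]) is standard. The use of "hostname -I" for the local address is an assumption (it exists on Debian/Ubuntu).

```sh
#!/bin/sh
# Added example, not from the answer. Initiator-side IQN reporting and
# target-side extraction of rejected IQNs from a log. Samples are constructed.

# local_iqn FILE: the InitiatorName value from an initiatorname.iscsi file,
# ignoring comment and blank lines.
local_iqn() {
    sed -n 's/^[[:space:]]*InitiatorName=//p' "$1" | head -n 1
}

# report_line FILE: "IP IQN" for pushing to a central list. Assumes
# "hostname -I" (first address wins); prints "unknown" when unavailable.
report_line() {
    ip=$(hostname -I 2>/dev/null | awk '{ print $1 }')
    printf '%s %s\n' "${ip:-unknown}" "$(local_iqn "$1")"
}

# iqns_in LOGFILE: every distinct IQN that appears in LOGFILE, sorted.
# The pattern follows the standard IQN layout: iqn.YYYY-MM.domain[:id].
iqns_in() {
    grep -oE 'iqn\.[0-9]{4}-[0-9]{2}\.[A-Za-z0-9.-]+(:[^[:space:]",]+)?' "$1" | sort -u
}

# new_iqns LOGFILE ALLOWFILE: IQNs seen in the log that are not yet listed in
# ALLOWFILE (one IQN per line), i.e. the candidates to review before adding.
# ALLOWFILE must contain at least one line (an empty pattern file is treated
# differently by different grep implementations).
new_iqns() {
    iqns_in "$1" | grep -vxF -f "$2" || true
}

# Constructed sample files (not real daemon output).
SAMPLE_INITIATORNAME='## DO NOT EDIT OR REMOVE THIS FILE!
InitiatorName=iqn.1993-08.org.debian:01:abcdef123456'

SAMPLE_TARGET_LOG='Jun 01 10:00:01 target tgtd: login rejected, initiator iqn.1993-08.org.debian:01:abcdef123456 from 192.168.1.20 not in ACL
Jun 01 10:00:05 target tgtd: login rejected, initiator iqn.1993-08.org.debian:01:abcdef123456 from 192.168.1.20 not in ACL
Jun 01 10:02:17 target tgtd: login rejected, initiator iqn.2005-03.org.open-iscsi:7f3a21b9c0de from 192.168.1.21 not in ACL
Jun 01 10:05:00 target tgtd: login accepted, initiator iqn.1993-08.org.debian:01:aaaa11112222 from 192.168.1.10'
```

On the initiator, "report_line /etc/iscsi/initiatorname.iscsi" produces the line the host would ssh out and append to the central list; on the target, "new_iqns /var/log/target.log allowed.txt" shows what knocked and was refused. Reviewing that output by hand before adding entries keeps the allow list from growing with every stray login attempt.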

Run command when connected to a specific wireless network

In my university there's a certain WLAN network open to students and employees. To use it, however, one must first log in via a website using one's own username and password. This can also be done by submitting an HTTP request with the right POST data to the same website. I already have a shell script that does this, but I'm still curious whether it would be possible to have this script run automagically every time my computer connects to the university WLAN. Is it possible to do this in some semi-easy way?
I know that NetworkManager (which is used in Ubuntu) exposes a DBUS interface -- I would suspect there is an event for network connected / disconnected which you could use. Try checking the NetworkManager DBUS Interface spec.
If you've never worked with DBUS before, fear not, there are bindings for pretty much every language. I'm sure there's even a CLI client you could invoke from a shell script. This blog entry shows how to detect a new connection from NetworkManager with Python -- it might be a good starting point
You might write a simple script that runs "iwconfig" and processes its output. If the name of the network is found (with a regex, for example), you send a request.
I don't think you can trigger the script when you are actually connected to the network, but you can add it to cron, so it is executed, for example, every ten seconds.
Here's a document you may find helpful: https://help.ubuntu.com/community/CronHowto
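An added example combining both answers (not code from either answerer): a NetworkManager dispatcher script, which NetworkManager runs with the interface as the first argument, the event ("up", "down", ...) as the second, and CONNECTION_ID exported (for Wi-Fi profiles that is normally the SSID), with the iwconfig parsing from the second answer as a fallback. It records that the login already ran for the current association, so a cron fallback running every ten seconds does not resubmit the credentials each time. The SSID, the path of the poster's login script and the state directory are assumptions; the iwconfig output is a constructed sample.

```sh
#!/bin/sh
# Added example, not from either answer. Install as an executable, root-owned
# file under /etc/NetworkManager/dispatcher.d/ (assumed location) to run the
# existing login script once per association with the university WLAN.

WANTED_SSID="${WANTED_SSID:-UniversityWLAN}"                  # assumed SSID
LOGIN_SCRIPT="${LOGIN_SCRIPT:-/usr/local/bin/uni-login.sh}"   # poster's script, assumed path
STATE_DIR="${STATE_DIR:-/run/uni-login}"                      # assumed path

# current_essid [IWCONFIG_OUTPUT]: the ESSID found in iwconfig's output; runs
# iwconfig when no argument is given. Prints nothing when not associated
# (iwconfig then shows ESSID:off/any).
current_essid() {
    out=${1:-$(iwconfig 2>/dev/null)}
    printf '%s\n' "$out" | sed -n 's/.*ESSID:"\([^"]*\)".*/\1/p' | head -n 1
}

# should_login ACTION SSID STATE_DIR: exit 0 (and record the association) only
# when ACTION is "up", SSID is the wanted network and no login has been
# recorded yet, so a second run for the same association is a no-op.
should_login() {
    action=$1; ssid=$2; state=$3
    [ "$action" = up ] || return 1
    [ "$ssid" = "$WANTED_SSID" ] || return 1
    mkdir -p "$state"
    [ -e "$state/logged-in" ] && return 1
    : > "$state/logged-in"
}

# forget_login STATE_DIR: clear the marker when the interface goes down.
forget_login() { rm -f "$1/logged-in"; }

# Constructed sample of iwconfig output while associated.
SAMPLE_IWCONFIG='lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:"UniversityWLAN"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:11:22:33:44:55'

# Dispatcher entry point: only acts when NetworkManager passes its arguments.
if [ $# -ge 2 ]; then
    action=$2
    ssid=${CONNECTION_ID:-$(current_essid)}
    case "$action" in
        up)   should_login "$action" "$ssid" "$STATE_DIR" && exec "$LOGIN_SCRIPT" ;;
        down) forget_login "$STATE_DIR" ;;
    esac
fi
```

For the cron variant from the second answer, the same script can be called every ten seconds as "script wlan0 up": should_login keeps it from re-posting the credentials until the marker is cleared. The login script holds the username and password, so it belongs to root with mode 600, and dispatcher scripts run as root anyway.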

Securing a linux webserver for public access

I'd like to set up a cheap Linux box as a web server to host a variety of web technologies (PHP & Java EE come to mind, but I'd like to experiment with Ruby or Python in the future as well).
I'm fairly versed in setting up Tomcat to run on Linux for serving up Java EE applications, but I'd like to be able to open this server up, even just so I can create some tools I can use while I am working in the office. All the experience I've had with configuring Java EE sites has all been for intranet applications where we were told not to focus on securing the pages for external users.
What is your advice on setting up a personal Linux web server in a secure enough way to open it up for external traffic?
This article has some of the best ways to lock things down:
http://www.petefreitag.com/item/505.cfm
Some highlights:
Make sure no one can browse the directories
Make sure only root has write privileges to everything, and only root has read privileges to certain config files
Run mod_security
The article also takes some pointers from this book:
Apache Security (O'Reilly Press)
As far as distros, I've run Debian and Ubuntu, but it just depends on how much you want to do. I ran Debian with no X and just ssh'd into it whenever I needed anything. That is a simple way to keep overhead down. Or Ubuntu has some nice GUI things that make it easy to control Apache/MySQL/PHP.
It's important to follow security best practices wherever possible, but you don't want to make things unduly difficult for yourself or lose sleep worrying about keeping up with the latest exploits. In my experience, there are two key things that can help keep your personal server secure enough to throw up on the internet while retaining your sanity:
1) Security through obscurity
Needless to say, relying on this in the 'real world' is a bad idea and not to be entertained. But that's because in the real world, baddies know what's there and that there's loot to be had.
On a personal server, the majority of 'attacks' you'll suffer will simply be automated sweeps from machines that have already been compromised, looking for default installations of products known to be vulnerable. If your server doesn't offer up anything enticing on the default ports or in the default locations, the automated attacker will move on. Therefore, if you're going to run a ssh server, put it on a non-standard port (>1024) and it's likely it will never be found. If you can get away with this technique for your web server then great, shift that to an obscure port too.
2) Package management
Don't compile and install Apache or sshd from source yourself unless you absolutely have to. If you do, you're taking on the responsibility of keeping up-to-date with the latest security patches. Let the nice package maintainers from Linux distros such as Debian or Ubuntu do the work for you. Install from the distro's precompiled packages, and staying current becomes a matter of issuing the occasional apt-get update && apt-get -u dist-upgrade command, or using whatever fancy GUI tool Ubuntu provides.
One thing you should be sure to consider is what ports are open to the world. I personally just open port 22 for SSH and port 123 for ntpd. But if you open port 80 (HTTP) or FTP, make sure you at least know what you are serving to the world and who can do what with it. I don't know a lot about FTP, but there are millions of great Apache tutorials just a Google search away.
Bit-Tech.Net ran a couple of articles on how to setup a home server using linux. Here are the links:
Article 1
Article 2
Hope those are of some help.
#svrist mentioned EC2. EC2 provides an API for opening and closing ports remotely. This way, you can keep your box running. If you need to give a demo from a coffee shop or a client's office, you can grab your IP and add it to the ACL.
It's safe and secure if you keep your voice down about it (i.e., rarely will someone come after your home server if you're just hosting a glorified webroot on a home connection) and your wits up about your configuration (i.e., avoid using root for everything, make sure you keep your software up to date).
On that note, albeit this thread will potentially dwindle down to just flaming, my suggestion for your personal server is to stick to anything Ubuntu (get Ubuntu Server here); in my experience, the quickest to get answers from when asking questions on forums (not sure what to say about uptake though).
My home server security BTW kinda benefits (I think, or I like to think) from not having a static IP (runs on DynDNS).
Good luck!
/mp
Be careful about opening the SSH port to the wild. If you do, make sure to disable root logins (you can always su or sudo once you get in) and consider more aggressive authentication methods within reason. I saw a huge dictionary attack in my server logs one weekend going after my SSH server from a DynDNS home IP server.
That being said, it's really awesome to be able to get to your home shell from work or away... and adding on the fact that you can use SFTP over the same port, I couldn't imagine life without it. =)
You could consider an EC2 instance from Amazon. That way you can easily test out "stuff" without messing with production. And only pay for the space, time and bandwidth you use.
If you do run a Linux server from home, install ossec on it for a nice lightweight IDS that works really well.
[EDIT]
As a side note, make sure that you do not run afoul of your ISP's Acceptable Use Policy and that they allow incoming connections on standard ports. The ISP I used to work for had it written in their terms that you could be disconnected for running servers over port 80/25 unless you were on a business-class account. While we didn't actively block those ports (we didn't care unless it was causing a problem) some ISPs don't allow any traffic over port 80 or 25 so you will have to use alternate ports.
If you're going to do this, spend a bit of money and at the least buy a dedicated router/firewall with a separate DMZ port. You'll want to firewall off your internal network from your server so that when (not if!) your web server is compromised, your internal network isn't immediately vulnerable as well.
There are plenty of ways to do this that will work just fine. I would usually just use a .htaccess file. Quick to set up and secure enough. Probably not the best option but it works for me. I wouldn't put my credit card numbers behind it, but other than that I don't really care.
Wow, you're opening up a can of worms as soon as you start opening anything up to external traffic. Keep in mind that what you consider an experimental server, almost like a sacrificial lamb, is also easy pickings for people looking to do bad things with your network and resources.
Your whole approach to an externally-available server should be very conservative and thorough. It starts with simple things like firewall policies, includes the underlying OS (keeping it patched, configuring it for security, etc.) and involves every layer of every stack you'll be using. There isn't a simple answer or recipe, I'm afraid.
If you want to experiment, you'll do much better to keep the server private and use a VPN if you need to work on it remotely.
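A check script for the concrete points raised across these answers, as an added example (not any answerer's code): root logins disabled and a non-default port in sshd_config, password authentication off (the "more aggressive authentication methods" point), and no directory listings in the Apache config. It reads files you pass it, so it runs against the constructed samples embedded below as well as against /etc/ssh/sshd_config and your site config; the paths and the OpenSSH default values it falls back on are stated in comments.

```sh
#!/bin/sh
# Added example, not from the thread. Audits an sshd_config and an Apache
# config for the settings discussed above. Sample configs are constructed.

# ssh_setting FILE KEY: effective value of KEY in an sshd_config. sshd uses
# the first occurrence of a keyword; commented lines are ignored; when the
# keyword is absent the OpenSSH default is returned.
ssh_setting() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then echo "$v"; return; fi
    case "$(echo "$2" | tr 'A-Z' 'a-z')" in
        port)                   echo 22 ;;
        permitrootlogin)        echo prohibit-password ;;   # OpenSSH 7.0+ default
        passwordauthentication) echo yes ;;
        *)                      echo "" ;;
    esac
}

# check_sshd FILE: one "ok"/"warn" line per finding; exit 1 if anything warns.
check_sshd() {
    warn=0
    case "$(ssh_setting "$1" PermitRootLogin)" in
        no|prohibit-password|without-password)
            echo "ok   PermitRootLogin: root password logins disabled" ;;
        *)  echo "warn PermitRootLogin: root may log in with a password"; warn=1 ;;
    esac
    port=$(ssh_setting "$1" Port)
    if [ "$port" = 22 ]; then
        echo "warn Port: sshd listens on 22, the port automated sweeps try first"; warn=1
    else
        echo "ok   Port: $port"
    fi
    if [ "$(ssh_setting "$1" PasswordAuthentication)" = yes ]; then
        echo "warn PasswordAuthentication: dictionary attacks can succeed; prefer keys"; warn=1
    else
        echo "ok   PasswordAuthentication: disabled"
    fi
    [ "$warn" -eq 0 ]
}

# apache_indexes FILE: exit 0 if any Options line enables directory listings
# ("Indexes", "+Indexes" or "All"); "-Indexes" does not count.
apache_indexes() {
    awk 'tolower($1) == "options" {
             for (i = 2; i <= NF; i++) if ($i ~ /^\+?Indexes$/ || $i == "All") found = 1
         }
         END { exit !found }' "$1"
}

# Constructed samples: a default-ish sshd_config and a hardened one, and an
# Apache directory block with and without listings.
SAMPLE_SSHD_BAD='# constructed sample
#Port 22
PermitRootLogin yes
PasswordAuthentication yes'
SAMPLE_SSHD_OK='Port 2222
PermitRootLogin no
PasswordAuthentication no'
SAMPLE_APACHE_BAD='<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>'
SAMPLE_APACHE_OK='<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
</Directory>'

# Real use: check_sshd /etc/ssh/sshd_config; apache_indexes /etc/apache2/apache2.conf
# (paths assumed; Debian/Ubuntu layout).
```

Moving sshd off port 22 only thins out the automated sweeps the second answer describes; the PermitRootLogin and PasswordAuthentication lines are what stop the dictionary attack the later answer saw in its logs, so treat a "warn" on either of those as the one to fix first.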