In this post you will find a form for checking which SSL host you should use for your email server at my workplace.
This is just a test though.
Use apt-get to download and install OpenVPN and the required packages:
apt-get install bridge-utils openvpn easy-rsa
Create the easy-rsa key-creation directory (this howto uses /etc/openvpn/easy-rsa/).
Edit the vars file with the common name etc. for your certificate.
Edit the following to your needs:
export KEY_COUNTRY="NO"
export KEY_PROVINCE="Somewhere"
export KEY_CITY="somecity"
export KEY_ORG="somename"
export KEY_EMAIL="firstname.lastname@example.org"
The vars file is also where you specify the key size (KEY_SIZE); set it to 4096 for increased security. The rest of this howto assumes 4096, which is why the Diffie-Hellman file is called dh4096.pem below.
Start creating the keys for the server:
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
Copy the keys to the OpenVPN config folder:
cp server.crt server.key ca.crt dh4096.pem /etc/openvpn/
Create the keys for the client; in this example we will call the client bob.
cd ..
source vars
./pkitool bob
Download bob's keys to your computer, as we will need them when creating bob's OpenVPN config file.
Edit /etc/openvpn/openvpn.conf. In this example the clients get the IP range 192.168.0.20-44.
dev tap
proto udp
port 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh4096.pem
user nobody
group nogroup
server-bridge 192.168.0.45 255.255.255.0 192.168.0.20 192.168.0.44
duplicate-cn
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
keepalive 10 120
log-append /var/log/openvpn
auth SHA1
cipher AES-256-CBC
comp-lzo
Start the OpenVPN server.
If something doesn't work, check /var/log/openvpn and consult the comment field below or Google.
For simplicity I will still use bob as the example. Now we need to create a file called bob.ovpn and fill it with the following:
dev tap
proto udp
remote example.com 1194
# cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
# CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
# RC2-40-CBC RC2-64-CBC RC2-CBC
# auth: SHA SHA1 MD5 MD4 RMD160
cipher AES-256-CBC
auth SHA1
resolv-retry 1
nobind
persist-key
persist-tun
client
comp-lzo
verb 3
<ca>
</ca>
<cert>
</cert>
<key>
</key>
Now we need to change the domain name from example.com to your domain name or IP address.
As you can see in the config above there are some fields called <ca>, <cert> and <key>; this is where we will paste in the certificates we created for bob and stored on our computer.
In between <ca> and </ca> we will enter everything between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", including those two lines, from ca.crt, which you can find in /etc/openvpn/ca.crt.
The procedure is the same for <cert> and <key>, except that bob.crt fills out <cert> and bob.key fills out <key>.
And that's all: copy the config file into the OpenVPN config folder, start OpenVPN, and you will connect to your LAN via VPN.
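The paste-in steps above can be scripted. This is an added example, not part of the original howto: it assembles bob.ovpn from ca.crt, bob.crt and bob.key, keeping only the PEM block of each file (easy-rsa writes a human-readable dump above the PEM in .crt files, which is why the text says to copy only the BEGIN..END part). The sample input files are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: build bob.ovpn by pasting each
# PEM block into its <ca>/<cert>/<key> tags, as the manual steps describe.
# The sample files created below are constructed placeholders, not real keys.
set -eu

# Keep only the lines from "-----BEGIN ...-----" to "-----END ...-----"
# inclusive; easy-rsa puts a text dump above the PEM in .crt files.
pem_block() {  # $1 = file, $2 = "CERTIFICATE" or "PRIVATE KEY"
    sed -n "/^-----BEGIN .*$2-----\$/,/^-----END .*$2-----\$/p" "$1"
}

# $1 = remote host, $2 = ca.crt, $3 = client .crt, $4 = client .key
build_ovpn() {
    cat <<EOF
dev tap
proto udp
remote $1 1194
cipher AES-256-CBC
auth SHA1
resolv-retry 1
nobind
persist-key
persist-tun
client
comp-lzo
verb 3
<ca>
$(pem_block "$2" CERTIFICATE)
</ca>
<cert>
$(pem_block "$3" CERTIFICATE)
</cert>
<key>
$(pem_block "$4" "PRIVATE KEY")
</key>
EOF
}

# Constructed sample inputs; bob.crt gets the text dump easy-rsa would add.
WORK=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder-ca' '-----END CERTIFICATE-----' > "$WORK/ca.crt"
printf '%s\n' 'Certificate:' '    Subject: CN=bob' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder-bob' '-----END CERTIFICATE-----' > "$WORK/bob.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...placeholder-key' '-----END PRIVATE KEY-----' > "$WORK/bob.key"
build_ovpn example.com "$WORK/ca.crt" "$WORK/bob.crt" "$WORK/bob.key" > "$WORK/bob.ovpn"
```

Run it against the real ca.crt, bob.crt and bob.key and the resulting bob.ovpn is the file described above with the certificates already in place.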
This howto does not cover installation of mod_security; it only covers the finer points about rules and how to write your own custom ones 🙂
A ModSecurity rule consists of the following parts.
Always consult the reference manual when writing rules, it covers everything you need. https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
Directive: e.g. SecRule for rules.
Scanfilter (the variable to inspect): REQUEST_URI or the User-Agent header etc. The full list is in the reference manual.
Scantarget (the pattern to match): for example googlebot when checking the User-Agent.
Action: what to do if the filter found a hit, e.g. deny, pass, allow, log. It also has to contain a unique id. The full list is in the reference manual.
Some actions and scanfilters have prerequisites in order to work, and they are mostly documented in the reference manual.
To start with you can add the following ModSecurity directives to the modsec config, before including your custom rules:
SecDataDir /tmp/sectmp
SecTmpDir /tmp
SecAuditLogDirMode 0777
SecPcreMatchLimit 1500
SecPcreMatchLimitRecursion 1500
SecCollectionTimeout 28800
SecRequestBodyAccess On
SecStreamInBodyInspection On
SecHashEngine On
SecRequestBodyInMemoryLimit 1310720
With this set you can, for example, store per-connection IP addresses for up to 8 hours (28800 s). Compared to a web application this is a form of session, and you can store session data on it.
With ModSecurity you can have a rule which stores a variable keyed on an IP; with this you can, for example, store how many times in the last 10 minutes someone has visited a page on your website.
Let's make an example like that.
First we need to start storing a "session" for every visiting IP address.
This you can do with the action initcol, like so.
Then we can start storing information. Let's say we store how many times googlebot visits us in total for up to 8 hours, after which the count is reset.
SecRule REQUEST_HEADERS:User-agent "googlebot" "phase:1,nolog,id:1371,setvar:ip.counter=+1,pass"
We can then use this information to block googlebot requests once there have been more than 10 requests in the last 8 hours.
SecRule ip:counter "@gt 10" "phase:1,log,msg:'googlebot has been blocked due to over 10 requests.',deny,id:1372"
You can also use AND in rules; in modsec this is done with chains. Chained rules do not require an id.
Let's say we only want to block googlebot when it has over 10 requests and is visiting a specific file.
SecRule ip:counter "@gt 10" "phase:1,log,msg:'googlebot has been blocked due to over 10 requests.',deny,id:1372,chain"
SecRule REQUEST_URI "somefile.php" "t:none"
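The rules above, collected into one working rule set, as an added example that is not part of the original post. It includes the initcol rule the text refers to but does not show; rule ids 1370 and 1373 are placeholders chosen here, and the collection lifetime comes from the SecCollectionTimeout setting above.

```apache
# Added example, not from the original post: the googlebot counter as one
# complete rule set. Ids 1370 and 1373 are placeholders; pick free ids.

# 1. Open the per-client collection on every request, keyed on the source IP.
#    It lives in SecDataDir and is dropped after SecCollectionTimeout (28800 s
#    above) without updates, which is what resets the counter.
SecAction "phase:1,nolog,pass,id:1370,initcol:ip=%{REMOTE_ADDR}"

# 2. Count requests whose User-Agent matches googlebot. t:lowercase makes the
#    match case-insensitive; pass lets the request continue.
SecRule REQUEST_HEADERS:User-Agent "googlebot" \
    "phase:1,nolog,pass,id:1371,t:lowercase,setvar:ip.counter=+1"

# 3. Deny once the counter exceeds 10. The check is on the IP collection, not
#    on the User-Agent, so every request from that address is refused for the
#    rest of the collection lifetime, googlebot or not.
SecRule ip:counter "@gt 10" \
    "phase:1,log,deny,id:1372,msg:'googlebot has been blocked due to over 10 requests.'"

# 4. AND via chain: deny only when the counter is over 10 AND the request is
#    for somefile.php. The second rule of a chain carries no id of its own.
#    Use 3 or 4, not both: 3 would fire first for every request.
SecRule ip:counter "@gt 10" \
    "phase:1,log,deny,id:1373,chain,msg:'googlebot blocked on somefile.php after over 10 requests.'"
    SecRule REQUEST_URI "somefile.php" "t:none"
```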
With this you should have grasped how ModSecurity rules are written, and with the reference manual you can start doing magic 🙂