Multiple OpenVPN Clients Sharing the Same Certificate

Traditionally I've been configuring OpenVPN in a scenario where each client would have a unique certificate. This requires a bit more time initially but is well worth it in terms of security.

Sometimes this is not needed though, so you can probably get away with multiple clients sharing the same certificate. This way you build a client key once and then propagate it across all the clients that you plan on connecting to your VPN server.

While setting this up just now, I noticed a curious thing: by default all clients with the same cert would end up having the same internal IP address. This behaviour is unlikely to be what you wanted though.

So in order to allow multiple OpenVPN clients to share the same client certificate while each still gets a unique internal IP address (so that clients can connect to each other, for instance), add the following line to your OpenVPN server configuration:

duplicate-cn

That's it! Restart your openvpn service and enjoy.

Changing Passphrase to your SSH Private Key

If you need to change or add a passphrase to your existing SSH private key just use ssh-keygen, the same tool which creates the key in the first place. Just add the -p option to specify you want to change an existing private key's passphrase instead of creating a new private key. So running this command will be changing the passphrase of the current user's private key, stored in ~/.ssh/:

ssh-keygen -p

If you have your key elsewhere and want to specify the file where it is then use the -f option followed by the path to the key file, and then the -p option:

ssh-keygen -f id_rsa -p

Just replace id_rsa with the path to your key file if you're not in the same directory as the file.

If you have an existing passphrase ssh-keygen will first ask you to enter that before allowing you to set the new passphrase, and if you haven't had a passphrase before then it will just allow you to set one.

Using md5deep for Comparing Directories in Unix

You can compare the contents of two directories by their md5 hashes, which could be useful when you want to make sure that a sync operation went smoothly, for instance. By inspecting the hashes of all the files in the directory and confirming they're identical you can rest assured all data was copied successfully and fully.

You can use md5sum to get the md5 sums of all the files in a directory, but comparing like this could be pretty daunting:

md5sum dir/*

This outputs a list of all files with their md5 sums.

A better way is using md5deep instead. If you don't have it you can most likely install it using your package manager very easily (sudo apt-get install md5deep on Ubuntu).

Then if you run the following you'll get a list of md5 sums of all files in the directory as well as the files of sub-directories:

md5deep -r dir/

The real solution is in the ability of md5deep to compare its own outputs. First you get the md5 sums in a file:

md5deep -r -s /dir1 > dir1sums

And then have md5deep read that file and compare the second directory to it:

md5deep -r -X dir1sums /dir2

If there is no output that means the directories are identical. Otherwise it will display the hashes of files that are different. Thus the comparison has been accomplished.
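The same directory comparison can be done with plain coreutils where md5deep is not installed. The example below is added here and is not from the original post: it hashes every regular file under each tree (paths relative to the tree root), sorts the two manifests and diffs them, so in addition to changed files it also reports files that exist on only one side, which a one-directional hash-list check cannot show. The demo directories it creates are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original post): compare two directory trees by
# content hash using only find, md5sum, sort and diff.

# hash_tree DIR -> prints "hash  ./relative/path" for every regular file under
# DIR, sorted by path so that two manifests can be diffed line by line.
hash_tree() {
    ( cd "$1" && find . -type f -exec md5sum {} + | sort -k2 )
}

# compare_trees DIR1 DIR2 -> prints the differing manifest lines (if any) and
# returns 0 when the trees are identical, 1 otherwise. Lines prefixed "<" are
# hashes only present in DIR1, ">" only in DIR2; a changed file shows as both.
compare_trees() {
    _m1=$(mktemp)
    _m2=$(mktemp)
    hash_tree "$1" > "$_m1"
    hash_tree "$2" > "$_m2"
    if diff "$_m1" "$_m2"; then
        _rc=0
    else
        _rc=1
    fi
    rm -f "$_m1" "$_m2"
    return $_rc
}

# --- demo on constructed data: a copy with one modified and one extra file ---
demo() {
    _d=$(mktemp -d)
    mkdir -p "$_d/src/sub" "$_d/dst/sub"
    printf 'alpha\n' > "$_d/src/a.txt";     printf 'alpha\n'   > "$_d/dst/a.txt"
    printf 'beta\n'  > "$_d/src/sub/b.txt"; printf 'changed\n' > "$_d/dst/sub/b.txt"
    printf 'extra\n' > "$_d/dst/c.txt"
    if compare_trees "$_d/src" "$_d/dst"; then
        echo "trees are identical"
    else
        echo "trees differ (see lines above)"
    fi
    rm -rf "$_d"
}

demo
```

In practice you would run `compare_trees /dir1 /dir2` after a sync; an empty diff and a zero exit status mean every file on both sides has the same content.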

How to Confirm which Ports are Open on Your Linux System

If you wish to see which ports are open on your Linux system, perhaps to check your configuration, you can use the nmap tool. It's a powerful tool, but we'll focus on just this simple task.

If you don't have nmap, first install it. For example, on Ubuntu just run sudo apt-get install nmap. On Fedora it should be sudo yum install nmap. On Arch it should be sudo pacman -Sy nmap.

Once you've got nmap just run this simple command. Note that we're running it with superuser privileges (sudo), which is necessary.

sudo nmap localhost

Your output may look something like this:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-11-26 23:56 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0089s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql

So it shows you the open port numbers and the service that is using each. The above is pretty standard stuff. If you don't see what you expected you should check your configuration.
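"If you don't see what you expected" is easier to judge against a written-down baseline than by eye. The following is an added example, not part of the original post: it parses an nmap report from standard input, extracts the open ports and prints any that are not in an expected list, returning a non-zero status when something unexpected is listening. The report embedded in the block is the one shown above; on a live system you would pipe `sudo nmap localhost` into `unexpected_ports` instead.

```sh
#!/bin/sh
# Added example (not from the original post): check an nmap report against an
# allowlist of ports you expect to be open.

# open_ports: read an nmap report on stdin, print "port/proto" for each line
# whose STATE column is "open".
open_ports() {
    awk '$2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1 }'
}

# unexpected_ports BASELINE: BASELINE is a space-separated list such as
# "22/tcp 80/tcp 443/tcp". Reads an nmap report on stdin and prints every open
# port not in BASELINE, one per line. Returns 1 if any were found, else 0.
unexpected_ports() {
    _found=0
    for _p in $(open_ports); do
        case " $1 " in
            *" $_p "*) ;;                  # in the baseline, fine
            *) echo "$_p"; _found=1 ;;     # not expected
        esac
    done
    return $_found
}

# The report from the post, embedded so the check runs offline.
SAMPLE_REPORT='Starting Nmap 6.40 ( http://nmap.org ) at 2014-11-26 23:56 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0089s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql'

# Demo: a host that is only supposed to serve SSH and HTTP(S).
printf '%s\n' "$SAMPLE_REPORT" | unexpected_ports "22/tcp 80/tcp 443/tcp" \
    || echo "unexpected listeners found, check your configuration"
```

Against the baseline `22/tcp 80/tcp 443/tcp` the sample report yields `21/tcp`, `53/tcp` and `3306/tcp`, which is exactly the list you would then go and account for (an FTP daemon, a resolver and a database reachable on the loopback interface).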

If you'd like to do more with nmap you can explore the nmap built in documentation by running man nmap, which contains a breadth of information.

How to Patch Bash Against Shellshock

Since you're reading this you're probably already aware of what Shellshock is; a number of vulnerabilities found in the widely used Bash shell system in the summer of 2014. The quickest and easiest way to patch against these vulnerabilities and ensure the safety of your system is to update your Bash to the latest version. Here are the update commands for the popular Linux distributions.

Fedora

yum update bash -y

Ubuntu

apt-get update; apt-get install --only-upgrade bash

Arch

pacman -Syu

That should have you covered. However, if for any reason you wish to apply the available patches yourself you can do so by running the following commands. We'll explain what each does.

First enter your home directory, create (mkdir) the "bash" directory in it, and enter it.

cd ~/ && mkdir bash && cd bash

Download the bash source package from the official server.

wget https://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz

Then download the relevant patches. This command should automatically get the ones you need.

i=0; while true; do i=$((i + 1)); wget -N "https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03d' "$i")" || break; done

Extract the bash package and enter its directory.

tar zxvf bash-4.3.tar.gz && cd bash-4.3

Apply all of the patches that have been previously downloaded with this:

for p in ../bash43-[0-9][0-9][0-9]; do patch -p0 < "$p"; done

And then recompile the newly patched bash and install.

./configure && make && make install

If you want to just compile it, but not install to your system, simply remove the && make install part from the command.

Or you could simply run this one line that downloads the above as a script and does it all for you automatically:

curl https://shellshocker.net/fixbash | sh

The script is provided by Shellshocker.net, which has detailed information about the vulnerabilities, testing, updating and patching.

If you're on a Mac just download and install the patches provided by Apple. It should be pretty straightforward. Here they are for Mavericks, Mountain Lion, and Lion.

And that's all there is to it.

How to Check If Your System is Vulnerable to Shellshock

Shellshock refers to a set of vulnerabilities discovered in late summer 2014 that affects Bash (Bourne again shell), a command line shell program used on all Linux systems and almost all UNIX systems, including Mac OSX. If Bash on your system is still vulnerable it could allow an attacker to take control of parts of your systems and run potentially harmful programs by manipulating the environment variables using this Bash vulnerability.

Fortunately, it is fairly easy to check whether your system is vulnerable, and just as easy to fix it. Just run this one command to test your system:

curl https://shellshocker.net/shellshock_test.sh | bash

This is provided by Shellshocker.net, which allows you to easily check your system for the shellshock vulnerability and provides detailed information about it, and how to fix it. The command simply downloads and runs their shellshock_test.sh bash script that probes your installation for all known vulnerabilities and tells you if you're vulnerable and to which. They list the commands that this script will run on the site, and you can also inspect the script's code by opening it in a text editor.

If you are vulnerable it just means you need to upgrade Bash on your system to the latest patched version, or apply provided patches. On most Linux distributions just a simple security update should do the trick or you could opt to update only Bash specifically. Here are example update commands for popular distributions:

Fedora

yum update bash -y

Ubuntu

apt-get update; apt-get install --only-upgrade bash

Arch

pacman -Syu

More detailed information including how to build from source if you want to take that route are available at Shellshocker.net.

If you are on Mac OSX you just need to install a patch Apple made available for Mavericks, Mountain Lion, and Lion depending on which of these OSX versions you are on. Installing an update should be as straightforward as launching and running it.

This vulnerability shows just how plausible it is for a massive number of systems to become vulnerable due to a bug in a single ubiquitous piece of software, but more importantly, it underscores the importance of keeping your systems up to date at all times.

Most useful options in rsync

The rsync command line tool is an invaluable tool for advanced copying and syncing operations, particularly useful for efficiently making and maintaining backups. It can be used to copy and sync files from any source and to any destination both locally and remotely. It is famous for its ability to copy only the differences in files rather than the whole files when they have been modified, which drastically reduces the required bandwidth.

Rsync commands are written in the following format: rsync -options [source] [destination].

Here is an example:

rsync -avz data/ /media/backups/data

This will copy all the files and folders from the data directory to /media/backups/data, which could be on your external backup device. This example already contains three commonly used and useful options:

-a copies recursively (all directories and subdirectories) while preserving symbolic links, permissions, file ownerships and timestamps. Similar to -r except that -r does not preserve permissions and timestamps.

-v shows verbose output, telling you more of what it's doing.

-z uses compression when transferring, which can speed up the transfer, especially over the network.

There are, of course, other useful options that can be added, such as:

-h displays numbers in a human readable form, easier to understand the amount of data transferred.

--stats shows statistics on file transfers if you want even more insight into the statistics of the transferred data.

-m prunes empty directories

-n so called "dry run", that is, it simulates what it would do with a given command without actually making any changes. Could be very useful if you want to make sure you don't screw up and end up losing your data.

-p preserve permissions, in case you're using the -r option instead of -a or don't use recursive syncing, but want to preserve permissions.

-e allows specifying the remote shell to use when you want to use the remote source or destination.

With the -e option you can, for example, use ssh to transfer data with rsync. It would look something like this:

rsync -avze ssh data user@example.com:/home/backups/

When you run a command like this it will ask you for your remote SSH server password, and then copy over the contents of the data directory to /home/backups/ on the remote system.

As with most standard Linux and UNIX utilities, you can run man rsync to quickly get more information about what other options are available, but this should cover most important uses.

5 things you can do with netstat command

The netstat command, which stands for "network statistics", can show you a lot of information about your network including statistics on connections to and from others on the network, used network interfaces, services, ports, and routing tables.

So what could all this information be used for? Just running netstat alone will give you an overview of your network, which will show a list of addresses connected to your system, over which port they're connected, and what services or programs they're talking to.

Here are five relatively simple examples of what you can actually do with netstat.

1. Show who is connected to your system

One of the most useful things you can do with netstat is show exactly who is connected to your system either through an incoming or outgoing connection (whether it is your system which initiated it or the other system). This will simply list all of them:

netstat -a

Look at the "Foreign Address" column to see where the connection is coming from, and "Local Address" to see what on the local machine it is connected to.

The following command will show just the TCP (-t) and UDP (-u) connections:

netstat -tua

If you want to turn off hostnames, or domain names, and display only IP numbers just add the -n option.

netstat -tuan

If you want it to display this continuously to see as connections come and go add the -c option.

netstat -tuanc

Needless to say, perhaps, with the IP addresses of everyone connecting revealed you can use other tools like traceroute to determine where exactly a connection is coming from.
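When many connections are open, the raw `netstat -tuan` listing is hard to read; what you usually want is a count per remote address. The block below is an added example, not part of the original post: it reads `netstat -tuan` output from standard input and prints how many ESTABLISHED connections each remote IPv4 address holds, busiest first. The netstat lines embedded in it are constructed sample data (documentation addresses), and the address parsing assumes IPv4 `host:port` entries, which is why `tcp6` lines are skipped.

```sh
#!/bin/sh
# Added example (not from the original post): summarise `netstat -tuan`
# output by remote address.

# peers_by_connections: read netstat -tuan output on stdin; print
# "<count> <remote-ip>" per remote IPv4 address with ESTABLISHED connections,
# sorted by count descending (ties broken by address).
peers_by_connections() {
    awk '$1 ~ /^(tcp|udp)$/ && $6 == "ESTABLISHED" {
             split($5, a, ":")        # Foreign Address is host:port (IPv4 only)
             count[a[1]]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn -k1,1 -k2,2
}

# Constructed sample of `netstat -tuan` output (documentation IP ranges).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40002       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40003       ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:51300      TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Demo: on a live system replace the printf with `netstat -tuan |`.
printf '%s\n' "$SAMPLE_NETSTAT" | peers_by_connections
```

On the sample data this prints `3 203.0.113.5` followed by `1 198.51.100.7`; the LISTEN, TIME_WAIT and UDP lines are left out because only established sessions are counted. A single address holding far more connections than the rest is the kind of thing this summary makes visible at a glance.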

2. Show listening ports

If you'd like to see which services are actually listening for incoming connections, perhaps to ensure you don't have something listening that you don't want to be listening, just use the -l option.

netstat -l

You can also limit this to only a specific type of traffic, like TCP in this example (for UDP just use -u):

netstat -lt

3. Find the port used by a program

We can get a little bit more specific by combining the netstat command with other common UNIX utilities like grep, in this example, where we make it easier to find which port is used by a program. We use grep to conveniently dig this info out of the netstat output:

netstat -ap | grep znc

In this example we get a list of all connections mentioning ZNC with the ports it is using, and addresses it is connected to.

4. Check on the routing table

With netstat you can easily see the kernel IP routing table being used on your system using the -r option:

netstat -r

5. Show all statistics

Being a statistics utility you can of course see a summary of a great number of statistics about your system's networking. Just run the netstat command with the -s option:

netstat -s

This will display a huge list of statistics, but you'll immediately recognize the most interesting ones depending on what you're looking for. For example you can see a total number of packets received, number of active TCP connections, and a number of extended more detailed statistics for each protocol.

Note

These examples are based on netstat in Linux, where it has been succeeded by the ss command from the iproute2 package, but they should apply to most UNIX and UNIX-like systems. You can also check the manual page, readily available via the man netstat command, for more information.

How To Create an Alias in Unix shell

When you want to save yourself from typing an unwieldy command over and over again you can create and use an alias for it. It will then act as a shortcut to the larger command, which you can type and run instead.

Creating aliases in UNIX (and Linux) is done with a simple alias command which follows this format: alias name='command you want to run'.

Replace the "name" with your shortcut command, and "command you want to run" with the larger command you want to create an alias of. Here's a simple example:

alias accesslog='tail -f /var/log/lighttpd/access.log'

In this example I've effectively created a new accesslog command which is an alias of the tail -f /var/log/lighttpd/access.log command. What it does is follow the access.log file and display new entries in it as they happen. Now instead of having to write the whole tail -f command every time I want to look at what's happening in the access.log file I can simply run the accesslog alias command instead, which is pretty nifty.

What if I want to unset the alias once I no longer need it or wish to set a new better alias? Well, simply run:

unalias accesslog

Quite logical. Now the accesslog alias no longer exists.

One thing to keep in mind though is that aliases that are set this way get lost the moment you close the command line session, or in other words, they are temporary. If you want to save aliases permanently you will have to edit the bash configuration file, which is usually .bashrc or .bash_profile residing in your user home directory. You can edit whichever you prefer, or whichever exists on your system.

To edit .bashrc just open it in a command line text editor such as nano, or any other you might prefer, and add the same exact alias command as in the above example at the bottom of it, or find where other aliases are already set and add yours after them.

nano .bashrc

Once you add your aliases save the file, which in the nano editor is done by pressing the Ctrl-x keyboard shortcut, answering "y" when asked to save, and hitting enter.

Now your alias is saved permanently, and it will therefore work even after you close the session and come back. Of course, to remove the permanent alias just edit the file again and remove the line you've just added. If it's still set run the unalias command as shown above and it will be gone.

Note that aliases are set for the currently active user. So you have to edit the .bashrc file in the home directory of that user. If you're logged in as root that would be /root/.bashrc, and if you're logged in as joe, for example, it will be in /home/joe/.bashrc. If you try to run root's alias while acting as joe or vice versa you'll get a "command not found" error.

Also note that aliases added to .bashrc aren't active immediately after you save the file since that file is read on user's login. If you log out and log back in then it will work.

Finally, once you have a bunch of aliases set up you might want to check up on which aliases are available. To do that just run the alias command by itself:

alias

And it will list something like this:

alias accesslog='tail -f /var/log/lighttpd/access.log'
alias ls='ls --color=auto'

The list represents all of the aliases that have been set in .bashrc, or on the command line during the current session. In the above example we see my accesslog alias, and another one for the ls command associating it with the ls --color=auto command, which simply adds some coloring to our ls lists.

That brings us to the final point worth a mention, as demonstrated by the above ls alias, and that is that you can alias an already existing real command. For example if we have a nmon command installed, which shows various system activity information, we can actually turn it into an alias for the top command, which also shows system activity.

You probably don't want to do this, or at least, you don't want to keep this alias, but for the sake of demonstration:

alias nmon='top'

And now when you run nmon, instead of opening the actual nmon program it will open top. In other words the alias is masking the original command.

This serves as a word of caution when it comes to setting names of aliases; try to avoid setting names that match existing commands. Chances are you'll want those commands doing what they're supposed to do, except in special cases like the above ls alias, which simply aliases to its own coloring options.
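Finding aliases that mask a real command, as the nmon example does, can be automated. The block below is an added example and not part of the original post: it lists the currently defined aliases, looks each name up as an executable file in the directories of PATH, and prints the names that collide. The alias definitions at the bottom are constructed demo input (the two aliases from this post); `accesslog` is not on PATH, `ls` is, so only `ls` is reported.

```sh
#!/bin/sh
# Added example (not from the original post): report aliases whose name is
# also an executable on PATH, i.e. aliases that shadow a real command.

# on_path NAME -> succeed if NAME is an executable file in some PATH directory.
# Deliberately walks PATH by hand instead of using `command -v`, which would
# resolve to the alias itself when one is defined.
on_path() {
    _old_ifs=$IFS
    IFS=:
    for _d in $PATH; do
        _candidate="${_d:-.}/$1"
        if [ -f "$_candidate" ] && [ -x "$_candidate" ]; then
            IFS=$_old_ifs
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# alias_names -> print the name of every alias defined in this shell, one per
# line. Handles both bash ("alias ls='...'") and dash ("ls='...'") formats.
alias_names() {
    alias | sed -n 's/^\(alias \)\{0,1\}\([^=]*\)=.*/\2/p'
}

# shadowing_aliases -> print aliases whose name also exists as a command.
shadowing_aliases() {
    alias_names | while read -r _n; do
        on_path "$_n" && echo "$_n"
    done
}

# Demo input: the two aliases from the post.
alias accesslog='tail -f /var/log/lighttpd/access.log'
alias ls='ls --color=auto'

echo "aliases masking a real command:"
shadowing_aliases
```

Running `shadowing_aliases` in an interactive session (where .bashrc has been read) gives you the list of names to double-check; for a name on that list, `\name` or `command name` runs the real binary instead of the alias.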

And that's how aliases work in UNIX (and Linux).

3 Ways to List Groups for a User in Linux

Okay, today's post will be in the back-to-basics style, but to make it more interesting I've come up with as many (reasonable) ways to list the groups of a Linux user as possible. As always, these commands are actually quite universal, so they will likely work in most Unix and Unix-like flavours.

Using the groups command to list groups for a user

This is probably the most obvious way of getting the job done. Simply type "groups" followed by a username and you will get the list of all the groups that user belongs to:

greys@ubuntu$ groups greys
greys : greys adm dialout cdrom plugdev lpadmin sambashare admin

Now, as you noticed, I'm confirming my own groups (running groups greys as user greys), so this means that we can omit the longer form shown above and simply type "groups" to get the same result:

greys@ubuntu$ groups
greys : greys adm dialout cdrom plugdev lpadmin sambashare admin

Using id command to identify Unix groups for a user

Another way to confirm groups is to use the id command; it's very simple and I tend to use this approach in most cases.

Here's what using the id command looks like:

greys@ubuntu$ id greys
uid=1000(greys) gid=1000(greys) groups=1000(greys),4(adm),20(dialout),24(cdrom),46(plugdev),115(lpadmin),116(sambashare),117(admin)

Looking into /etc/group file to confirm groups for a user

This last approach may be helpful when the above things don't work. I tend to use it for another indirect benefit – comparing a user's group membership against other users.

What you do for this situation is simply grep for a username in the /etc/group file:

greys@ubuntu$ grep greys /etc/group
adm:x:4:greys
dialout:x:20:greys
cdrom:x:24:greys
plugdev:x:46:greys
greys:x:1000:
lpadmin:x:115:greys
sambashare:x:116:greys
admin:x:117:greys

Bonus: confirming groups for a user using getent

This bonus approach will help you confirm group membership regardless of where your usernames/passwords and groups are stored. As you know, they are most often local to your Unix system, but sometimes they are managed using NIS/NIS+ or LDAP.

So here's a universal way for listing groups for a user, it relies on the getent command:

greys@ubuntu$ getent group | grep greys
adm:x:4:greys
dialout:x:20:greys
cdrom:x:24:greys
plugdev:x:46:greys
greys:x:1000:
lpadmin:x:115:greys
sambashare:x:116:greys
admin:x:117:greys
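Both grep variants above match the username as a substring, so a user called greyson would show up in greys' results, and a user whose only membership is their primary group (an entry like greys:x:1000: with an empty member list) is found only because the group happens to carry the same name. The block below is an added example, not part of the original post: it resolves a user's groups exactly, by matching the member list field by field and adding the primary group from the passwd gid. The group and passwd data embedded in it are constructed; on a live system set GROUP_DB and PASSWD_DB from `getent group` and `getent passwd` as the comment shows.

```sh
#!/bin/sh
# Added example (not from the original post): exact group lookup for a user
# from group/passwd databases, replacing the substring match of `grep user`.

# Constructed sample databases. On a real system use:
#   GROUP_DB=$(getent group); PASSWD_DB=$(getent passwd)
GROUP_DB='root:x:0:
adm:x:4:greys,syslog
dialout:x:20:greyson
cdrom:x:24:greys
greys:x:1000:
greyson:x:1001:
lpadmin:x:115:greyson,greys'

PASSWD_DB='root:x:0:0:root:/root:/bin/bash
greys:x:1000:1000:Greys:/home/greys:/bin/bash
greyson:x:1001:1001:Greyson:/home/greyson:/bin/bash'

# primary_gid USER -> the gid field of USER's passwd entry (empty if unknown)
primary_gid() {
    printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $4 }'
}

# groups_of USER -> one group name per line, in database order: the group
# whose gid is USER's primary gid, plus every group whose comma-separated
# member list contains USER as a whole entry (no substring matching).
groups_of() {
    _gid=$(primary_gid "$1")
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" -v g="$_gid" '
        $3 == g { print $1; next }                 # primary group via gid
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }'
}

# Demo: compare with what a plain substring grep would have reported.
echo "groups_of greys:";   groups_of greys
echo "grep greys would also match:"
printf '%s\n' "$GROUP_DB" | grep greys | cut -d: -f1 | grep -vx -e adm -e cdrom -e greys -e lpadmin
```

For greys the exact lookup returns adm, cdrom, greys and lpadmin, whereas `grep greys` would additionally list dialout and greyson, which belong to the other user.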

That's it for today, thanks for your time and hope I made it worthwhile!
