Linux.com

Community Blogs

Escape Dependency Hell: Automatically create portable Linux software using CDE

Summary: CDE allows you to escape dependency hell and run your Linux programs on any compatible machine without installation or configuration.


VPN-O-Rama: VPNs intro, practical HOWTOs, screenshots

I've spent a few days on corporate VPNs with a few Linux and BSD distros, and I've decided to write down some notes and publish a few screenshots for practical usage, even for newbies.

I've read some docs, but I've never found a quick guide with practical examples for newbies to create a VPN from scratch, so in these episodes I'll create VPNs with real examples. As you may know, you can create a VPN between two machines/networks using many different security mechanisms, such as:

  • IPSec (my favorite), IPv4 and IPv6 capable

  • OpenVPN (SSL/TLS based), nice for road-warrior connections, but you may have trouble with NAT and firewall policies

  • MPVPN, never used it; I've seen it during certification exams but I really don't know who uses it

  • PPTP, Microsoft's Point-to-Point Tunneling Protocol: avoid it like the plague if possible, it's buggy and has had several security issues

  • SSTP, Secure Socket Tunneling Protocol, introduced by Microsoft with Windows Server 2008 and Vista/7; seems nice but not very portable or available on third-party systems

  • DTLS, mainly from Cisco Systems

 

There are even more VPN solutions, but they are mostly proprietary. This saga has several goals in mind:

  • It has to be portable. I'd like to use my favorite security mechanism with whatever hardware or software is available; we don't want to rely on a specific OS or platform. I even want to use it on very cheap hardware or embedded devices (read: high-end smartphones)

  • It has to be secure, so we don't want security issues or known troubles around us

  • It has to be free and publicly available so everyone may take a look at it

 

When you need to connect two different hosts/networks you may face different scenarios:

  • you need to connect a single host to a remote network

  • you need to connect a network to a remote network

  • you have public and static IPs on both sides

  • you have a dynamic IP on at least one side

  • you have one or more firewalls in the middle with one or more blocking rules (and sometimes you cannot modify them)

 

As you may have guessed from the top, I'd like to use IPSec, because that's what I'm using now, for these reasons:

  • It's available everywhere, from cheap D-Link DSL routers to heavy BSD servers; it's not tied to a particular operating system

  • It's stable and solid

  • No security issues (yet) [http://bsd.slashdot.org/story/10/12/15/004235/FBI-Alleged-To-Have-Backdoored-OpenBSDs-IPSEC-Stack: is it real or a fake?]

  • IPv4 and IPv6 ready

  • Few troubles with NAT'd networks compared to the others

  • Works great with static IPs (and that's my case), and even with dynamic ones if you cheat a little; by the way, I'll also show you something more from OpenVPN, which is my favorite road-warrior solution

 

I'll start with IPSec in different scenarios, but I'll go further with other solutions like OpenVPN or PPTP if you want. I'll try to publish a single, detailed article for every case, or you can suggest your needs to me.

 

Resources

If you have a lot of time and you'd like to know everything about IPSec, take a look at http://www.ipsec-howto.org/; it's a good guide for a Linux sysadmin. Also read the Openswan documentation (http://www.openswan.org/); Openswan is an implementation of IPSec for Linux. It's quite hard to start from scratch with Openswan on the command line, but this is (for now) the definitive guide to it. If you have enough time to set everything up and fine-tune every aspect of your connection, I suggest you use only these components: the Linux kernel, iptables and Openswan. If you have limited time and want to deal with ready-made distros oriented to firewall/VPN solutions, you may follow the next articles.

 

Next steps:

  • IPCop to IPCop with IPSec

  • IPCop to PFSense with IPSec

 

Glad to read your comments

Andrea Benini

 

 

Explanation of Firewalls

 

Preface

Thanks to the rise of computer networking and the internet, it is now more important than ever to have a firewall installed and running on your system. This entry is intended to give you a basic understanding of what a firewall is, so you can choose the best firewall for your needs.


Using m4 macros in CSS stylesheets

For one of the projects I'm working on, I decided to avoid using a separate CSS framework and instead rely on the 960 grid (plain old CSS) and m4, the macro processor that has been in UNIX/Linux since forever. m4 gives you a way to use variables and define functions in your CSS, making up for the flaws of CSS. Just like other CSS frameworks, you have to compile the code.


Download and search WikiLeaks

After all that mess about the US Embassy cables on WikiLeaks, I think this is a good moment to explain to a political analyst/columnist why he or she should use Linux. I will not cover here how to download a distro, burn a CD and install Linux; every distro gives those instructions in detail. I will describe how it looks on Ubuntu, though it will look about the same on any other distro.

Get files

We point Firefox to http://wikileaks.ch/cablegate.html and towards the bottom of the page we locate “Click here to download full site in single archive.”. Since that is a link to a torrent, Firefox will offer to open it with the default application, Transmission. We accept that by clicking the OK button. Then Transmission will ask if we want to add the torrent. We click the Add button and give Transmission some time to finish the download. We may wish to help the others by seeding, or we can stop uploads using File->Pause All and quit Transmission. That is the procedure for handling any kind of torrent.

Do processing of files

We can find the result of a successful download in the Downloads folder; it is a 7z archive. Since Ubuntu doesn't support 7z out of the box, we need to install it. We can do it like this: Applications->Accessories->Terminal and execute:



sudo apt-get install p7zip



It will prompt for your password and install 7z. Now we can return to the GUI, right-click on the archive, and from the menu select Extract Here. Back in the terminal, we change the directory and do the search:



cd Downloads/cablegate-201012200724/cable/

find . -name "*.html" | xargs grep -l "UFO"

 

which will produce a list of files which contain UFO:

 

./2009/12/09STATE129362.html
./2009/09/09LISBON514.html
./2009/02/09STATE11937.html
./2009/04/09PRISTINA148.html
./2008/03/08PARIS461.html
./2008/09/08LAGOS368.html
./2008/08/08PARIS1501.html
./2008/08/08LISBON2300.html
./2008/02/08MADRID174.html
./2008/02/08ABUJA320.html
./2006/03/06MINSK311.html
./2006/09/06KINSHASA1410.html
./2006/06/06MINSK641.html
./2010/01/10PRISTINA44.html
./2010/02/10PRISTINA84.html
./2010/02/10ADDISABABA288.html
./2010/02/10BAMAKO52.html
./2007/03/07KINSHASA282.html
./2007/07/07ANKARA1842.html
./2007/07/07KINSHASA797.html
./2007/07/07HARARE638.html

 

Unfortunately, those are not real UFOs but other acronyms like EUFOR. To see what is in a file we can use Gedit or Firefox like this:

 

gedit ./2008/08/08PARIS1501.html

firefox ./2008/08/08PARIS1501.html
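The find | xargs grep pipeline above matches "UFO" inside "EUFOR" because grep looks for a substring, and it also breaks on file names containing spaces. The script below is an added example (not from the original post) that fixes both: grep -w restricts the match to whole words and find -print0 / xargs -0 keep odd file names intact. The sample tree it builds is constructed here, with a few file names borrowed from the listing above; the function names make_sample_tree, search_word and count_matches are this example's own.

```shell
#!/bin/sh
# Added example: whole-word search over a tree of HTML files, safe for file
# names with spaces. Not part of the original post.

# Build a small constructed sample tree standing in for the extracted archive.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/2008/08" "$dir/2009/12" "$dir/dir with space"
    printf '<p>Reports of a UFO sighting near the embassy.</p>\n' > "$dir/2008/08/08PARIS1501.html"
    printf '<p>EUFOR troop rotation discussed.</p>\n'              > "$dir/2009/12/09STATE129362.html"
    printf '<p>Another UFO mention, awkward path.</p>\n'           > "$dir/dir with space/note.html"
    printf 'UFO in a non-html file, must be ignored\n'             > "$dir/2008/08/readme.txt"
    printf '%s\n' "$dir"
}

# Whole-word, case-sensitive search: prints matching paths, sorted, one per line.
#   -print0 / -0 : NUL-separated paths survive spaces and newlines in names
#   -w           : "UFO" must be a whole word, so EUFOR is skipped
#   -l           : list file names instead of matching lines
search_word() {
    word=$1
    root=$2
    (cd "$root" && find . -name '*.html' -print0 | xargs -0 grep -lw -- "$word" | sort)
}

# Number of files containing the word, for quick sanity checks.
count_matches() {
    search_word "$1" "$2" | wc -l | tr -d ' '
}

# Usage: search_word UFO ~/Downloads/cablegate-201012200724/cable
```

Run search_word with the word and the root of the extracted cable directory; the sorted output can be fed straight to gedit or firefox as in the original post.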

 

To do more complicated searches we can either master find and grep or switch to SWISH++. Again we need to install it:

 

sudo apt-get install swish++

 

then we create the index file:

 

index++ -v3 -e "text:*.html" .

 

and we can do the search:

 

search++ Chapman

 

The result is:

 

# results: 4

100 ./2009/11/09MAPUTO1291.html 46552 09MAPUTO1291.html

89 ./2009/07/09MAPUTO713.html 51555 09MAPUTO713.html

87 ./2010/01/10MAPUTO86.html 52688 10MAPUTO86.html

87 ./2010/01/10MAPUTO80.html 49769 10MAPUTO80.html

 

What would Anna Chapman do in Maputo? So we do a better search:

 

search++ Anna near Chapman

 

where we get a disappointing 0 files. To learn more about using and, not, or and near, we execute:

 

man search++

 

There are quite a few examples towards the end of the man page.

During indexing we may want to save a log file and see what words index++ will discard:

 

index++ -v3 -e "text:*.html" . > log

 

There are quite a few of them, and they are frequent words like Moscow, Clinton and so on. In order to search on those words we can do this:

 

search++ Mosco*

 

It will skip Moscow in the origin section. Alternatively, we can always fall back to find and grep.

 

 

Goodbye landline, hello VoIP!

One of the things you want when you move into an apartment or in my case, the school's residences, is a phone. Like many residential facilities today, phones are still plugged into the trusty RJ11 plug. Some decide to go with a landline phone, others go with a cell phone. And there's a bunch who go straight with VoIP.

When I moved away from my parents' cozy home, I was equipped with Skype and a cell phone. I had no cell phone plan - I only activated it when I needed to receive calls (the school requires you to have a valid phone number for some rather essential operations like internship interviews), and for the rest I used the Skype-out service.

That setup was more or less effective. First of all, I couldn't call any emergency services. Of course I don't call them daily, but it's always nice to have. You know, in case of... an emergency. Second of all, it turned out I needed to receive calls more than I anticipated. Since my cell phone was off 75% of the time, people found it a bit difficult to call me. Finally, if you work in a 64-bit Linux environment, you know how Skype can be a pain.

I needed a solution. Now, if you are a student, you don't want to pay too much (unless you want to spend the next 15 years paying back all your bills). It seemed to me like an impossible equation to have an always-on phone (landline or cell phone) and a low bill at the end of the month. For landlines, I could only pick one phone provider inside the school's residences - and that's one provider I specifically didn't want to go with (paying too much for too little is only one concern). For Skype, numbers aren't available in Canada, so that was out of the question. And for cell phones, I didn't want to wrestle with providers to get something decent.

Now, with these parameters in mind, how do you save cash and still have a decent setup? One of my friends suggested that I go with a VoIP provider, more specifically one using SIP. I was new to this kind of technology and I didn't know if it was the right thing for me, so I tried some SIP software before switching to a paid subscription. I tried the Ekiga software and service. Although I had difficulties with my router (mainly because of NAT problems), the service was working well. After a couple of months, I finally went for a paid subscription with a provider a friend of mine suggested and connected to the service with Twinkle. After a couple more months, I was able to get my hands on a SIP-capable phone and I couldn't be happier. The price is low (not the lowest, but still very acceptable - roughly ten bucks CAD per month) and I can call landline phones anywhere in Canada and the US at no extra charge.

Going with a SIP provider has many advantages - one of them is that you can connect to their servers with any SIP software you want. So whether you're in Windows, Mac OS or Linux, you can easily find SIP software that fits your needs (should you not have a SIP-capable phone or a VoIP ATA). Moreover, you can also manage to have some mobility by installing a VoIP program on your laptop (there's also maybe SIP software that can run on your mobile device).

There are also some shortcomings to using VoIP services. One of them is your Internet connection. If yours is reliable, there's no worry. But if your Internet provider tends to cut your connection for whatever reason, you might be annoyed by interrupted calls. There's also the problem of NAT - if you are behind a router, you'll have to make sure that you set up your port forwarding correctly. If you want to use SIP with both a phone and a computer behind your router, things can get complicated.

Nevertheless, if you are looking for an economical telephony solution, search for VoIP providers in your area - you might be surprised at the money you can save compared to standard landline or mobile phone services. Some providers will give you only the connection information and you do your own phone setup. Others will give you an ATA to plug your standard phone into. The choice is up to you! And I, for one, like choice. Taking the extra steps to set up your own phone system at home using SIP is both interesting and economical.

 

Bash Script (with Perl) to Bulk useradd to server

The script below reads through the file usersfile.txt and adds the users it lists to a Linux system that has Perl installed.

The script reads usersfile.txt line by line; the file is space separated, like so:

User1 passwd1 group1

User2 passwd2 groupx, and so on. The group named on each line must already exist.

You need to supply passwords in plaintext in this file, so I only suggest keeping the file on the server for the duration of the script run (and readable by root only).

Each plaintext password is hashed with Perl's crypt function and the hash is passed to the standard useradd command.

 

#!/bin/bash
# Bulk-add users listed in usersfile.txt (one "user password group" per line).
# The group must already exist; each password is hashed with Perl's crypt().
NEW_USERS="/usersfile.txt"
HOME_BASE="/home/"
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi
# The file holds plaintext passwords: refuse to run if anyone but root can read it.
if [ "$(stat -c %a "$NEW_USERS")" != "600" ]; then
    echo "$NEW_USERS must be mode 600 (it contains plaintext passwords)" >&2
    exit 1
fi
while read -r USER PASSWORD GROUP; do
    # Skip blank lines
    [ -z "$USER" ] && continue
    # SHA-512 crypt ($6$) with a fresh random 16-character salt per user. The
    # original used a fixed salt, so identical passwords produced identical hashes.
    pass=$(perl -e 'my @c = ("a".."z", "A".."Z", "0".."9", ".", "/");
                    my $salt = join "", map { $c[rand @c] } 1..16;
                    print crypt($ARGV[0], "\$6\$$salt\$")' "$PASSWORD")
    # Match the whole login name (the original "^$USER[0]" pattern only matched a literal 0)
    if grep -q "^${USER}:" /etc/passwd; then
        echo "User $USER exists, skipping"
        continue
    fi
    if useradd -g "$GROUP" -p "$pass" -m -d "${HOME_BASE}${USER}" "$USER"; then
        echo "User $USER has been added to the system"
    else
        echo "Failed adding user $USER!" >&2
    fi
done < "$NEW_USERS"

 

Alternative PHP Cache - quick win for webserver optimization

Looking for a quick win to take some of the pressure off your web servers?

This could be one for you. The Alternative PHP Cache (APC) is really quick and simple to install. Because of the way it caches, you should see no issues using it on a site with dynamic content.

It's straightforward to install using the PEAR/PECL installer. From the command line:

$> pecl install apc

This will install APC, but to see all the nice performance statistics you have to build the source version so that you can grab the apc.php file. I did this on a non-production local box.

Grab the latest one here: http://pecl.php.net/get/APC-3.1.6.tgz

Then:

$> tar zxvf APC-3.1.6.tgz
$> cd APC-3.1.6
$> phpize
$> ./configure --with-php-config=/usr/local/php/bin/php-config
$> make

Now take a look in the current working directory and you will see that apc.php has appeared. You can now move this to wherever you want to serve the graphs from on your production server. For a quick test you can just put it in your default webroot.

Next up you need to put the following entry in your php.ini file:

extension=apc.so

To see this working ‘out of the box’ you should just be able to run apachectl restart and check the PHP extensions to see if APC is loaded. You can do this using phpinfo(); inside a PHP file in your webroot, or from the command line run: php -i | grep apc

If, after running the cache for a while and seeing how frequently it is being filled/purged, you decide to give the cache more memory, you can do so by adding a line like the following to php.ini:

apc.shm_size=128

This will make the cache 128M in size the next time Apache is restarted. Bear in mind that you need enough free memory on your box to adjust this value.

Now, to see the graphing information, edit apc.php and change the default user and password listed at the top of the file; when you access apc.php you will be presented with a .htaccess-style user/password dialog box. Enter the user and password you put in apc.php. Next you should see a load of great stats on how well the cache is optimizing your site, including which frequently accessed pages it is caching and the total cache hits/misses, etc.

There's loads more to this tool, which I will follow up on next time. But this should be enough to see a performance benefit straight away. Enjoy!

 

Matt Palmer's DB2 LDAP configuration on Linux

I wrote this, which is basically a checklist of what needs doing to get LDAP working for DB2 on SuSE Linux installations, as the IBM Boulder site provides several contradictory installation processes. Hopefully this will help someone else and save them the time that I wasted trawling the IBM site for the correct answer.

This list is mainly focused on the 8-character user name limit in DB2 LUW on Linux (which I guess is the only reason you might want to use the security plugins instead, as they allow you to authenticate against DB2 with more than 8 characters).

What I ended up doing, with the help of the LDAP admin, was creating an 8-character LDAP alias for each user, as transparent LDAP (for me) seemed to work better than the security plugin approach.

Here goes:

Install nss_ldap-32bit-262-11.16.x86_64.rpm, nss_ldap-262-11.16.x86_64.rpm, pam_ldap-32bit-184-147.20.x86_64.rpm and pam_ldap-184-147.20.x86_64.rpm.

Edit /etc/ldap.conf to contain the necessary config for the base DN and bind DN of the LDAP server (the host line below is left blank; fill in your server). Note that with ssl no the binds and password operations cross the network unencrypted, and tls_checkpeer no means the server certificate is not verified even when TLS is on; use ssl start_tls with tls_checkpeer yes where the LDAP server supports it.

host
base dc=ldapserver,dc=ldapserverdomain,dc=ldapserver.co.uk
bind_policy soft
pam_password exop
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl no
ldap_version 3
pam_filter objectClass=posixAccount
tls_checkpeer no
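As an added check (not part of the original checklist), the script below parses an nss_ldap/pam_ldap style /etc/ldap.conf and flags the settings in this checklist that weaken authentication or availability: an empty host, ssl no, tls_checkpeer no and bind_policy soft. The embedded sample is constructed from the config above; the function names parse_ldap_conf and audit_ldap_conf and the finding texts are this example's own.

```python
"""Added example: audit a pam_ldap/nss_ldap /etc/ldap.conf for weak settings.
Not part of the original checklist."""

# Constructed sample mirroring the checklist entries (host left blank as there).
SAMPLE_LDAP_CONF = """\
host
base dc=ldapserver,dc=ldapserverdomain,dc=ldapserver.co.uk
bind_policy soft
pam_password exop
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl no
ldap_version 3
pam_filter objectClass=posixAccount
tls_checkpeer no
"""


def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines; comments and blank lines are
    skipped. A key with no value (like the blank 'host' line) maps to ''."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(text):
    """Return a list of (key, finding) tuples for weak or incomplete settings."""
    cfg = parse_ldap_conf(text)
    findings = []
    # No server at all: nothing can bind, and a blank host is easy to overlook.
    if cfg.get("host", "") == "" and "uri" not in cfg:
        findings.append(("host", "no LDAP server given (host is empty and there is no uri line)"))
    # pam_ldap defaults ssl to off, so an absent line is as weak as 'ssl no'.
    if cfg.get("ssl", "no").lower() == "no":
        findings.append(("ssl", "ssl no: binds and password changes cross the network "
                                "unencrypted; use ssl start_tls or ssl on"))
    # Without peer checking, TLS encrypts but does not authenticate the server.
    if cfg.get("tls_checkpeer", "").lower() == "no":
        findings.append(("tls_checkpeer", "tls_checkpeer no: server certificate is not "
                                          "verified, so a spoofed server is accepted"))
    # 'soft' fails immediately when the server is unreachable instead of retrying.
    if cfg.get("bind_policy", "hard").lower() == "soft":
        findings.append(("bind_policy", "bind_policy soft: lookups fail immediately "
                                        "when the server is unreachable"))
    if cfg.get("ldap_version", "3") != "3":
        findings.append(("ldap_version", "ldap_version is not 3"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_ldap_conf(SAMPLE_LDAP_CONF):
        print(f"{key}: {finding}")
```

Point audit_ldap_conf at the contents of your own /etc/ldap.conf; an empty list means none of the checklist's weak settings are present.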

Create /etc/pam.d/db2, readable and writable by root only, and enter the following:

auth       sufficient pam_ldap.so     use_first_pass
auth     required   pam_unix2.so
account  sufficient pam_ldap.so
account  required   pam_unix2.so
password required   pam_pwcheck.so
password sufficient pam_ldap.so      use_first_pass
password required   pam_unix2.so     use_authtok use_first_pass
session  required   pam_unix2.so

Use the YaST LDAP client screen to restart all the proper processes:

yast ldap pam disable/enable

Check for the presence of LDAP users in the db2cc list, add a user to the preferred database and exit.

db2set DB2AUTH=OSAUTHDB

Log in to the server as an ‘LDAP user’:

export DB2DIR=/opt/ibm/db2/V9.7
export DB2INSTANCE=db2inst1    # or other instance name
unset USERNAME
source /home//sqllib/db2profile

db2 connect to TOOLSDB

#### NEXT PART IS ONLY IF YOU OPT TO USE THE SECURITY PLUGIN APPROACH INSTEAD OF THE TRANSPARENT LOGIN, ETC. ####

copy /opt/ibm/db2/version/cfg/IBMLDAPSecurity.ini /home/db2inst1/sqllib/cfg

db2 update dbm cfg using diaglevel 4

db2 update dbm cfg using SRVCON_PW_PLUGIN IBMLDAPauthserver

db2stop force

***PASTE the IBMLDAPSecurity.ini here ****

;----------------------------------------------------------------------
; Licensed Materials - Property of IBM
;
; Governed under the terms of the International
; License Agreement for Non-Warranted Sample Code.
;
; (C) COPYRIGHT International Business Machines Corp. 2006
; All Rights Reserved.
;
; US Government Users Restricted Rights - Use, duplication or
; disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
;----------------------------------------------------------------------
;
; Sample configuration file for the IBM DB2 LDAP Security Plugin
;
; The default name and location for this file is
;   UNIX:    INSTHOME/sqllib/cfg/IBMLDAPSecurity.ini
;   Windows:

 

Problem!

I have an Asus Linux netbook. I am having a problem with getting e-mails through Yahoo. My daughter is also not able to play on the Club Penguin website. She was able to until a few days ago. Now the screen/graphics won't come up. Things we have done and are still not able to get to these sites:
1.  Updated Firefox
2.  Updated Adobe Flash Player
3.  Updated Java
4.  Downloaded SeaMonkey web browser, but can't find it.

We are very frustrated!  If someone could please help us, it would be greatly appreciated!

 

The Bunga Bunga dictator? A (stupidly) Windows-only show, sorry

Bunga Bunga is... something you can check out yourself on the Urban Dictionary. The Bunga Bunga Dictator is a show about Silvio Berlusconi, Italy's Prime Minister. It was broadcast live in online streaming yesterday, because all the Italian parties, including the one that organized it, hail the Internet as an enabler of democracy and participation. But they didn't enable Italian Linux users to watch it.

 