https://wiki.itcollege.ee/api.php?action=feedcontributions&feedformat=atom&user=AovtsinnICO wiki - User contributions [en]2026-05-07T03:10:06ZUser contributionsMediaWiki 1.45.1https://wiki.itcollege.ee/index.php?title=Category:I805_Authentication_and_Authorization&diff=118025Category:I805 Authentication and Authorization2017-02-22T06:46:42Z<p>Aovtsinn: /* Responsibilities */</p>
<hr />
<div>=Authentication and Authorization=<br />
<br />
==General information==<br />
<br />
In this course we continue where we left off with [https://wiki.itcollege.ee/index.php/Category:I802_Firewalls_and_VPN_IPSec#Firewalls_and_VPN.2FIPSec Firewalls and VPN/IPsec] course.<br />
<br />
Relevant topics for research and implementation in the lab.<br />
Lectures coming up for most of the topics:<br />
<br />
* File based password stores eg. /etc/shadow, .htaccess<br />
* Signing and encrypting e-mail using GPG<br />
* Active Directory protocols: LM, NTLM, Kerberos, GSSAPI, SPNEGO, LDAP<br />
* More TLS and client side authentication in particular<br />
* Filesystem permissions: access control lists, selinux, apparmor<br />
* RADIUS<br />
* Multi-factor authentication: smartcards, Yubikey, Mobile-ID, etc<br />
* Contactless cards<br />
* On the web: Cookies, OAuth, OpenID, iPizza, <br />
<br />
Intro slides & video recording:<br />
<br />
https://docs.google.com/presentation/d/1NzY8AspqZwrYxoJ3Qi-pBWsMDdiIUeA4lgZnwZGTMVg/edit?usp=sharing<br />
<br />
https://echo360.e-ope.ee/ess/echo/presentation/54eb478c-f6ae-4629-b1e3-c43f5a2f6842?ec=true<br />
<br />
=Equipment=<br />
<br />
* 3pcs Sun server in the college server room<br />
* TP-Link WDR3600 wireless router routed to 172.16.*.*<br />
* HP Probook dual-boot laptop<br />
* iMac in 412, use admin/admin to log in with local account<br />
* Robotics Club (wireless) network, routed to to 172.16.*.*<br />
<br />
If you forget (local) Windows password use System Rescue CD to reset the password:<br />
http://www.howtogeek.com/howto/windows-vista/change-your-forgotten-windows-password-with-the-linux-system-rescue-cd/<br />
<br />
=Requirements=<br />
<br />
Every service should use accounts from Active Directory.<br />
To achieve that try to use LDAP protocol first.<br />
Via LDAP you can retreieve the data about accounts.<br />
If the service machine is not joined to domain create<br />
a service account in AD to access LDAP interface first.<br />
It really depends on the software how you need to configure it.<br />
<br />
For fileserver/SSH/FTP/mail server first join to domain using winbind: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto#Join_AD_domain<br />
For NextCloud, rocket.chat, OwnCloud and most web services configure<br />
LDAP plugin to retrieve accounts from AD and LDAP bind authentication.<br />
<br />
<br />
=Responsibilities=<br />
<br />
Everybody should have a task, prepare a howto on the college wiki and have a topic for presentation:<br />
<br />
* Mohanad - AD up and running, routing, howto for setting up Active Directory on Windows Server; nagios accounts from AD, possibly with Kerberos SSO<br />
* Etienne - NextCloud server set up, howto for configuring client/app<br />
* Taavi - Wiki accounts from AD, possibly using Kerberos SSO<br />
* Madis Lugus - Gogs accounts from AD, possibly using Kerberos SSO and also SSH public keys from AD<br />
* Joosep - enos.itcollege.ee clone, web server and MySQL with accoutns from AD<br />
* Meelis - rocket.chat with accounts from AD via LDAP, possibly with Kerberos SSO, howto for configuring apps<br />
* Sheela - mailserver with accounts from AD via LDAP, with GSSAPI authentication, howto for configuring Thunderbird/Evolution<br />
* Artur - mailserver with AD accounts via LDAP + e-mail encryption with GPG, howto for average users<br />
* Ardi - OpenVPN with ID-card auth, isikukood from AD attribute, howto for configuring client<br />
* Marvin - secondary AD, routing, Samba backup DC?<insert topic of your interest><br />
* Arti - Samba as third DC, setting up fileserver on ZFS with SSD-s as journal/cache<br />
* Kustas - pentest<br />
* Ender - pentest<br />
* Mikus - pentest<br />
* Keijo - how are you going to pass the course?<br />
* Anton - how are you going to pass the course?<br />
* Tarvo - OpenVPN authentication using Estonian ID-card(s)<br />
* Ats - how are you going to pass the course?<br />
* Nazmul - how are you going to pass the course?<br />
<br />
=Presentations=<br />
<br />
Presentation of up to 45min should cover what you did in order to get the service running in the desired state, what problems you had, how others can use your service and what can be done to improve the setup.<br />
<br />
This should be more or less in logical order:<br />
<br />
* 28. feb - Mohanad, Etienne<br />
* 7. mar - Taavi, Madis, Artur<br />
* 14. mar - backup slot<br />
* 21. mar - Joosep, Meelis<br />
* 5. apr - Sheela, Ardi<br />
* 12. apr - backup slot<br />
* 19. apr - Marvin, Arti<br />
* 26. apr - Kustas & Ender<br />
<br />
=Milestones=<br />
<br />
This is just to keep activities in sync<br />
<br />
==Milestone 1==<br />
<br />
Domain controller is working.<br />
In the internal network and over VPN connection blah.office.lan DNS requests work as expected.<br />
<br />
On a Linux box command line users can authenticate with kerberos client utils:<br />
<br />
kinit username@OFFICE.LAN<br />
<br />
On a Linux box command line users can fetch stuff via LDAP:<br />
<br />
ldapsearch -b dc=office,dc=lan -H ldap://dc-hq.office.lan -D lauri@office.lan -W<br />
<br />
Also authenitcation with Kerberos should work:<br />
<br />
ldapsearch -b dc=office,dc=lan -H ldap://dc-hq.office.lan -Y GSSAPI<br />
<br />
To make life easier configure /etc/ldap/ldap.conf, if properly configured short commands work:<br />
<br />
ldapsearch<br />
<br />
<br />
==Milestone 2==<br />
<br />
Deadline 21. Feb<br />
<br />
Some services are using accounts from AD<br />
<br />
==Milestone 3==<br />
<br />
Deadline 28. Feb<br />
<br />
Service owner has client application configured and knows how to configure them<br />
<br />
==Milestone 4==<br />
<br />
Deadline 7. Mar<br />
<br />
Preliminary manual page created on college wiki for configuring the client application(s).<br />
Other students are using your service.<br />
<br />
==Milestone 5==<br />
<br />
Keep services up and running, respond to incidents until 5th of June.<br />
Server teardown on 5th of May. Wipe harddisks.<br />
<br />
Everybody who has completed howto, presented their topic, co-operated with other students and not left all the responsibilities to the last minute will get a passing grade. Slackers have an opportunity to do a (hard) quiz about the topics presented to get a passing grade.</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Category:I802_Firewalls_and_VPN_IPSec&diff=114289Category:I802 Firewalls and VPN IPSec2016-11-09T08:36:53Z<p>Aovtsinn: /* Internal DNS */</p>
<hr />
<div>=Firewalls and VPN/IPSec=<br />
<br />
==General information==<br />
<br />
ECTS: 4<br />
<br />
Lecturer: Lauri Võsandi<br />
<br />
<br />
==Scenario==<br />
<br />
In this course we will attempt to set up a network similar to a corporate network with multiple offices, eg http://docplayer.it/docs-images/20/596222/images/25-0.png<br />
<br />
We will use VPN software to connect subnets to each other and we will use VPN software to connect our personal computers to the intranet.<br />
<br />
<br />
==Setting up virtual machine hosts==<br />
<br />
For this course we have 3 Sun servers, each with 16GB of RAM. In each server we should be able to create 3 or more virtual machines. As host operating system we will install Ubuntu 16.04 server. On disks set up ext4 on mdraid set up in RAID1 configuration.<br />
<br />
For virtualization let's use libvirt and virt-manager on your Ubuntu laptops, for Windows and Mac unfortunately there is no decent UI available instead installing web interface such as [https://github.com/kimchi-project/kimchi Kimchi] is recommended.<br />
<br />
To install libvirt on the server:<br />
<br />
apt install libvirt-bin qemu-kvm<br />
<br />
Also add the primary user to the libvirt group:<br />
<br />
sudo gpasswd -a $USER libvirt<br />
<br />
On your laptop first set up SSH keys between the laptop and server with ssh-keygen and ssh-copy-id. And then you can install virt-manager with:<br />
<br />
sudo apt install virt-manager<br />
<br />
Copy CD ISO files into /var/lib/libvirt/images using scp or FileZilla.<br />
<br />
Continue with creating a virtual machine for each service. For Windows 2012 server virtual machines use 2G of RAM and 50G of storage. For Ubuntu 16.04 server installations use 1G of memory and 50G storage. For Ubuntu 16.04 MATE desktop installations use 2G of RAM.<br />
<br />
<br />
In order to set up virtual switch inside the server use Linux's built-in bridges, start with installing bridge-utils:<br />
<br />
apt install bridge-utils<br />
<br />
Reconfigure your server's /etc/network/interfaces, replace X with number relevant to your server. Also replace eth0, eth1 and eth2 with the network interfaces available in your machine:<br />
<br />
# The loopback network interface<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# Wide area network interface<br />
auto br-wan<br />
iface br-wan inet dhcp<br />
# Until we set up router in a VM we will use DHCP so we can have internet access in 417<br />
bridge_ports eth0<br />
<br />
# Local area network interface<br />
auto br-lan<br />
iface br-lan inet static<br />
address 172.16.X.1<br />
netmask 255.255.255.0<br />
bridge_ports eth1<br />
<br />
# Management interface<br />
auto eth2<br />
iface eth2 inet static<br />
address 192.168.12.1X<br />
netmask 255.255.255.0<br />
<br />
When creating virtual machines, configure network as shown in the screenshot below:<br />
<br />
[[File:Virt-manager_bridges.png]]<br />
<br />
This way your VM-s should be able to access the Internet as the physical machine can<br />
<br />
==Setting up router==<br />
<br />
On Wednesday 14. September we will configure OpenWrt as a router in a virtual machine.<br />
Download the OpenWrt image and uncompress it:<br />
<br />
cd /var/lib/libvirt/images/<br />
wget https://downloads.openwrt.org/chaos_calmer/15.05-rc3/x86/kvm_guest/openwrt-15.05-rc3-x86-kvm_guest-combined-ext4.img.gz<br />
gunzip openwrt-15.05.1-x86-kvm_guest-combined-ext4.img.gz<br />
<br />
Add second network interface to your router's VM.<br />
Configure first NIC as connected to br-wan and second one connected to br-lan.<br />
<br />
After that you should end up with topology similar to this:<br />
<br />
[[File:Topology-inside-server.png]]<br />
<br />
To clarify: 'srv1.office' and 'srv2.office' are the Ubuntu 16.04 servers, you should have configured static IP addresses or set a static lease from the router. The 'router.office' refers to the OpenWrt router you just set up. The router serves IP addresses using DHCP to 'ubuntu-mate.office' Ubuntu MATE 16.04 workstation and 'windows.office' refers to Windows workstation. Your physical server 'host.office' can be accessed as well. The 'office' throughout the diagram refers to your domain name, use abbrevations such as hq, rnd, devops for that.<br />
<br />
<br />
==Domain names==<br />
<br />
Arti will be your DNS registrar (like Godaddy or Zone.ee). Currently added DNS records:<br />
<br />
* http://www.biz.wut.ee - 193.40.194.160 for Wut Incorporated website<br />
* http://gw.biz.wut.ee - 193.40.194.160 for OpenVPN gateway<br />
* http://wiki.biz.wut.ee - 193.40.194.161 for Wut Inc internal wiki<br />
* http://git.biz.wut.ee - 193.40.194.161 for Wut Inc source code hosting<br />
* http://paste.biz.wut.ee - 193.40.194.161 for Wut Inc code snippets<br />
* http://chat.biz.wut.ee - 193.40.194.162 for Wut Inc IRC chatroom<br />
* http://pad.biz.wut.ee - 193.40.194.162 for Wut Inc etherpad<br />
* http://ca.biz.wut.ee - 193.40.194.162 for Wut Inc certificate authority web endpoint<br />
* http://mail.biz.wut.ee - 193.40.194.162 for MX entry of biz.wut.ee<br />
<br />
(Re)configure your services to make use of these DNS records.<br />
<br />
==Monitoring==<br />
<br />
Use this **only** on the physical hosts.<br />
<br />
You can (ab)use Lauri's collectd at http://log.koodur.com/cgp<br />
<br />
Install packages:<br />
<br />
apt install collectd<br />
<br />
Reconfigure service in /etc/collectd/collectd.conf:<br />
<br />
FQDNLookup true<br />
LoadPlugin syslog<br />
LoadPlugin cpu<br />
LoadPlugin df<br />
LoadPlugin disk<br />
LoadPlugin interface<br />
LoadPlugin load<br />
LoadPlugin memory<br />
LoadPlugin network<br />
LoadPlugin processes<br />
LoadPlugin swap<br />
LoadPlugin uptime<br />
LoadPlugin users<br />
LoadPlugin dns<br />
LoadPlugin ping<br />
LoadPlugin sensors<br />
<br />
<Plugin df><br />
FSType rootfs<br />
FSType sysfs<br />
FSType proc<br />
FSType devtmpfs<br />
FSType devpts<br />
FSType tmpfs<br />
FSType fusectl<br />
FSType cgroup<br />
IgnoreSelected true<br />
</Plugin><br />
<br />
<Plugin disk><br />
Disk "/[sv]d[a-z]/"<br />
</Plugin><br />
<br />
<Include "/etc/collectd/collectd.conf.d"><br />
Filter "*.conf"<br />
</Include><br />
<br />
<Plugin network><br />
Server "185.94.112.74"<br />
</Plugin><br />
<br />
==Teams==<br />
<br />
===Headquarters===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.160/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.10<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.1.1/24<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - (Mohanad)<br />
* BIND9 as public DNS server, also figure out what domain name we should/can use (Arti)<br />
* domain controller, at this point primarily for user accounts (Keijo)<br />
* nginx web server, for company's homepage (Etienne)<br />
* SMB/CIFS fileserver, join to domain (Etienne)<br />
* VPN server for other subnets, presumably OpenVPN (Mohanad Aly)<br />
<br />
===Research & development===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.161/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.11<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.2.1/24<br />
<br />
Team members: Marvin, Madis, Taavi, Berit, Joosep<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - Marvin<br />
* [https://gogs.io/docs Git hosting], for sharing scripts, set up LDAP to authenticate with domain controller (Madis)<br />
* [https://wiki.itcollege.ee/index.php/Installation_MediaWiki Wiki], for exchanging information, [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples set up LDAP to authenticate with domain controller and later possibly configure web server to authenticate with Kerberos] (Taavi)<br />
* Windows XP workstation, join to domain<br />
* Ubuntu 16.04 MATE workstation, [https://raw.githubusercontent.com/laurivosandi/puppet-butterknife/master/files/etc/butterknife/helpers/join-domain join to domain].<br />
* [http://lauri.vosandi.com/2016/09/xenial-ltsp-ja-id-kaart.html LTSP server] (Joosep)<br />
* OpenVPN connection to headquarters, use shared secret at first, later X509 certificates<br />
* [https://github.com/bpoldoja/pastebin Pastebin], possibly later implement [https://github.com/laurivosandi/certidude/blob/master/certidude/auth.py#L37 Kerberos support] (Berit)<br />
====Examples====<br />
Port forwarding example, we have 2 linux virtual machines, one forwarding to host local ip.<br />
[[File:vpn-portForwarding.png|900px|]]<br />
<br />
Network interface example file:<br />
<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# Wide area network interface (port 0)<br />
auto br-wan<br />
iface br-wan inet manual<br />
bridge_ports enp6s4f0<br />
<br />
# Local area network interface (port 3)<br />
auto br-lan<br />
iface br-lan inet static<br />
address 172.16.2.1<br />
gateway 172.16.2.254<br />
dns-nameserver 172.16.2.254<br />
netmask 255.255.255.0<br />
bridge_ports enp0s8<br />
<br />
# Management interface (port 1)<br />
auto enp6s4f1<br />
iface enp6s4f1 inet static<br />
address 192.168.12.11<br />
netmask 255.255.255.0<br />
<br />
Openwrt interface file working example /etc/config/network:<br />
<br />
config interface 'lan'<br />
option ifname 'eth0'<br />
option type 'bridge'<br />
option proto 'static'<br />
option netmask '255.255.255.0'<br />
option ip6assign '60'<br />
option ipaddr '172.16.2.254'<br />
<br />
config interface 'wan'<br />
option ifname 'eth1'<br />
option proto 'static'<br />
option ipaddr '193.40.194.161'<br />
option gateway '193.40.194.220'<br />
option netmask '255.255.255.0'<br />
option dns '192.40.0.12 193.40.56.245'<br />
<br />
<br />
To create poor man's vpn. Install on your computer<br />
apt install sshuttle<br />
<br />
and connection.<br />
sshuttle --dns -HNvr username@server:port<br />
no you should be able to connect local network computers and services.<br />
'''NB! ping is not working with sshuttle'''<br />
you can read more here http://teohm.com/blog/using-sshuttle-in-daily-work/<br />
<br />
====TODO====<br />
<br />
===Devops===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.162/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.12<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.3.1/24<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - Artur O<br />
* IRC, for chatting (Meelis Hass)<br />
* [https://github.com/ether/etherpad-lite Etherpad] for collaborating (Sheela)<br />
* [https://github.com/laurivosandi/certidude#usecases Certificate management] for roadwarriors, usecase number #1 (Artur O)<br />
* Monitoring software of your choice to make sure that services are up and running, possibly use LDAP for authentication (Artur O)<br />
* E-mail for sending notifications from monitoring software at first (Ilja), this needs MX records in DNS (Ilja, Mohanad helps)<br />
* Later, in the beginning just monitor public services: OpenVPN connection to headquarters<br />
<br />
===Pentest===<br />
<br />
Find security issues in the deployed services, attempt to plant backdoors, malware etc.<br />
<br />
Team members: Kustas, Ender<br />
<br />
<br />
==Point-to-point tunnels between routers==<br />
<br />
Since routers are the default route for all the internal machines the easiest way to set up routing between internal networks is to set up OpenVPN instances on each router.<br />
<br />
In router install OpenVPN module for OpenWrt:<br />
<br />
opkg update<br />
opkg install luci-app-openvpn openvpn-openssl<br />
<br />
In the OpenWrt web interface there should pop up Services section with OpenVPN underneath it.<br />
<br />
The topology for routers:<br />
<br />
[[File:Point-to-point.png]]<br />
<br />
<br />
For each tunnel configure on one end "Simple server configuration for a routed point-to-point VPN" and on the other end "Simple client configuration for a routed point-to-point VPN" the configuration for connection on hq could look something like this:<br />
<br />
[[File:Openwrt-openvpn-config.png]]<br />
<br />
To upload secret select secret under --Additional fields-- and hit add. To generate secret use following command on your laptop:<br />
<br />
openvpn --genkey --secret static.key<br />
<br />
Under Switch to advanced configuration --> Networking add route field for each subnet you want to make accessible via that tunnel. For each tunnel a new interface pops up under Interfaces section. Assign firewall rules as appropriate. To test I guess you can just insert the interface into LAN zone.<br />
<br />
==Generating certificates==<br />
<br />
To generate key:<br />
<br />
openssl genrsa -out lauri-c720p.key 4096<br />
<br />
To generate signing request:<br />
<br />
openssl req -new -key lauri-c720p.key -out lauri-c720p.csr<br />
<br />
To sign the request:<br />
<br />
openssl ca -config ca.cnf -in lauri-c720p.csr -extensions client_cert -out lauri-c720p.crt<br />
<br />
To dump certificate contents in human-readable format:<br />
<br />
openssl x509 -in lauri-c720p.crt -noout -text<br />
<br />
To test web server's TLS configuration:<br />
<br />
openssl s_client -connect www.koodur.com:443<br />
<br />
To make a HTTP request as well:<br />
<br />
(echo -en "GET / HTTP/1.0\n\n"; sleep 1) | openssl s_client -connect www.koodur.com:443<br />
<br />
See here for more about Estonian ID-card certificates: https://www.sk.ee/en/repository/ldap/ldap-kataloogi-kasutamine/<br />
<br />
==Remote logging==<br />
<br />
In order to send logs to Graylog server, put those lines into new file: /etc/rsyslog.d/client.conf<br />
<br />
$ActionQueueType LinkedList<br />
$ActionQueueFileName srvrfwd<br />
$ActionResumeRetryCount -1<br />
$ActionQueueSaveOnShutdown on<br />
*.* @@172.16.3.228:1514<br />
<br />
and then restart the service:<br />
<br />
sudo service rsyslog restart<br />
<br />
==Internal DNS==<br />
<br />
* http://intranet.office - 172.16.x.x intranet website<br />
* http://wiki.office - 172.16.x.x internal wiki<br />
* http://git.office - 172.16.x.x source code hosting<br />
* http://paste.office - 172.16.x.x code snippets<br />
* http://chat.office - 172.16.3.149 IRC server<br />
* http://pad.office - 172.16.3.247 etherpad<br />
* http://ca.office - 172.16.x.x certificate authority web endpoint<br />
* http://mail.office - 172.16.3.235 webmail<br />
* http://graylog.office - 172.16.3.228 Artur's graylog<br />
* http://nagios.office - 172.16.x.x Mohanad's nagios<br />
<br />
<br />
* http://router-hq.office - 172.16.1.254 hq router<br />
* http://router-rnd.office - 172.16.2.254 rnd router<br />
* http://router-devops.office - 172.16.3.254 devops router<br />
* http://host-hq.office - 172.16.1.1 hq host<br />
* http://host-rnd.office - 172.16.2.1 rnd host<br />
* http://host-devops.office - 172.16.3.1 devops host<br />
<br />
=Boring stuff=<br />
<br />
==Report template==<br />
<br />
Send report as a plaintext e-mail to Lauri, in the title include: Report #number - your name - your team<br />
<br />
In the content make sure you specify the timespan you're talking about (September of 2016, first half of October 2016 etc)<br />
<br />
The content, no need for formal speech:<br />
<br />
* What have been done so far by the team (eg. server hardware setup, virtual machine setup, service setup)<br />
* What was your role for this timespan, note that we will shuffle the teams now and then<br />
* What was your contribution, or in other words what did you do during this timespan<br />
* What (security) incidents happened - red team found messing around with the servers, passwords changed, backdoor found etc.<br />
<br />
==September wrapup & iptables lecture==<br />
<br />
[https://docs.google.com/presentation/d/1mt0g_BN-l_Jz6HQ1D52WJIdMjPtkTt95CPYFejjiikE/ Lecture slides] [https://echo360.e-ope.ee/ess/portal/section/0fa18d0e-f1b2-44b7-878b-5e4c66e6040e video recording]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Category:I802_Firewalls_and_VPN_IPSec&diff=114287Category:I802 Firewalls and VPN IPSec2016-11-09T08:36:26Z<p>Aovtsinn: /* Internal DNS */</p>
<hr />
<div>=Firewalls and VPN/IPSec=<br />
<br />
==General information==<br />
<br />
ECTS: 4<br />
<br />
Lecturer: Lauri Võsandi<br />
<br />
<br />
==Scenario==<br />
<br />
In this course we will attempt to set up a network similar to a corporate network with multiple offices, eg http://docplayer.it/docs-images/20/596222/images/25-0.png<br />
<br />
We will use VPN software to connect subnets to each other and we will use VPN software to connect our personal computers to the intranet.<br />
<br />
<br />
==Setting up virtual machine hosts==<br />
<br />
For this course we have 3 Sun servers, each with 16GB of RAM. In each server we should be able to create 3 or more virtual machines. As host operating system we will install Ubuntu 16.04 server. On disks set up ext4 on mdraid set up in RAID1 configuration.<br />
<br />
For virtualization let's use libvirt and virt-manager on your Ubuntu laptops, for Windows and Mac unfortunately there is no decent UI available instead installing web interface such as [https://github.com/kimchi-project/kimchi Kimchi] is recommended.<br />
<br />
To install libvirt on the server:<br />
<br />
apt install libvirt-bin qemu-kvm<br />
<br />
Also add the primary user to the libvirt group:<br />
<br />
sudo gpasswd -a $USER libvirt<br />
<br />
On your laptop first set up SSH keys between the laptop and server with ssh-keygen and ssh-copy-id. And then you can install virt-manager with:<br />
<br />
sudo apt install virt-manager<br />
<br />
Copy CD ISO files into /var/lib/libvirt/images using scp or FileZilla.<br />
<br />
Continue with creating a virtual machine for each service. For Windows 2012 server virtual machines use 2G of RAM and 50G of storage. For Ubuntu 16.04 server installations use 1G of memory and 50G storage. For Ubuntu 16.04 MATE desktop installations use 2G of RAM.<br />
<br />
<br />
In order to set up virtual switch inside the server use Linux's built-in bridges, start with installing bridge-utils:<br />
<br />
apt install bridge-utils<br />
<br />
Reconfigure your server's /etc/network/interfaces, replace X with number relevant to your server. Also replace eth0, eth1 and eth2 with the network interfaces available in your machine:<br />
<br />
# The loopback network interface<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# Wide area network interface<br />
auto br-wan<br />
iface br-wan inet dhcp<br />
# Until we set up router in a VM we will use DHCP so we can have internet access in 417<br />
bridge_ports eth0<br />
<br />
# Local area network interface<br />
auto br-lan<br />
iface br-lan inet static<br />
address 172.16.X.1<br />
netmask 255.255.255.0<br />
bridge_ports eth1<br />
<br />
# Management interface<br />
auto eth2<br />
iface eth2 inet static<br />
address 192.168.12.1X<br />
netmask 255.255.255.0<br />
<br />
When creating virtual machines, configure network as shown in the screenshot below:<br />
<br />
[[File:Virt-manager_bridges.png]]<br />
<br />
This way your VM-s should be able to access the Internet as the physical machine can<br />
<br />
==Setting up router==<br />
<br />
On Wednesday 14. September we will configure OpenWrt as a router in a virtual machine.<br />
Download the OpenWrt image and uncompress it:<br />
<br />
cd /var/lib/libvirt/images/<br />
wget https://downloads.openwrt.org/chaos_calmer/15.05-rc3/x86/kvm_guest/openwrt-15.05-rc3-x86-kvm_guest-combined-ext4.img.gz<br />
gunzip openwrt-15.05.1-x86-kvm_guest-combined-ext4.img.gz<br />
<br />
Add second network interface to your router's VM.<br />
Configure first NIC as connected to br-wan and second one connected to br-lan.<br />
<br />
After that you should end up with topology similar to this:<br />
<br />
[[File:Topology-inside-server.png]]<br />
<br />
To clarify: 'srv1.office' and 'srv2.office' are the Ubuntu 16.04 servers, you should have configured static IP addresses or set a static lease from the router. The 'router.office' refers to the OpenWrt router you just set up. The router serves IP addresses using DHCP to 'ubuntu-mate.office' Ubuntu MATE 16.04 workstation and 'windows.office' refers to Windows workstation. Your physical server 'host.office' can be accessed as well. The 'office' throughout the diagram refers to your domain name, use abbrevations such as hq, rnd, devops for that.<br />
<br />
<br />
==Domain names==<br />
<br />
Arti will be your DNS registrar (like Godaddy or Zone.ee). Currently added DNS records:<br />
<br />
* http://www.biz.wut.ee - 193.40.194.160 for Wut Incorporated website<br />
* http://gw.biz.wut.ee - 193.40.194.160 for OpenVPN gateway<br />
* http://wiki.biz.wut.ee - 193.40.194.161 for Wut Inc internal wiki<br />
* http://git.biz.wut.ee - 193.40.194.161 for Wut Inc source code hosting<br />
* http://paste.biz.wut.ee - 193.40.194.161 for Wut Inc code snippets<br />
* http://chat.biz.wut.ee - 193.40.194.162 for Wut Inc IRC chatroom<br />
* http://pad.biz.wut.ee - 193.40.194.162 for Wut Inc etherpad<br />
* http://ca.biz.wut.ee - 193.40.194.162 for Wut Inc certificate authority web endpoint<br />
* http://mail.biz.wut.ee - 193.40.194.162 for MX entry of biz.wut.ee<br />
<br />
(Re)configure your services to make use of these DNS records.<br />
<br />
==Monitoring==<br />
<br />
Use this **only** on the physical hosts.<br />
<br />
You can (ab)use Lauri's collectd at http://log.koodur.com/cgp<br />
<br />
Install packages:<br />
<br />
apt install collectd<br />
<br />
Reconfigure service in /etc/collectd/collectd.conf:<br />
<br />
FQDNLookup true<br />
LoadPlugin syslog<br />
LoadPlugin cpu<br />
LoadPlugin df<br />
LoadPlugin disk<br />
LoadPlugin interface<br />
LoadPlugin load<br />
LoadPlugin memory<br />
LoadPlugin network<br />
LoadPlugin processes<br />
LoadPlugin swap<br />
LoadPlugin uptime<br />
LoadPlugin users<br />
LoadPlugin dns<br />
LoadPlugin ping<br />
LoadPlugin sensors<br />
<br />
<Plugin df><br />
FSType rootfs<br />
FSType sysfs<br />
FSType proc<br />
FSType devtmpfs<br />
FSType devpts<br />
FSType tmpfs<br />
FSType fusectl<br />
FSType cgroup<br />
IgnoreSelected true<br />
</Plugin><br />
<br />
<Plugin disk><br />
Disk "/[sv]d[a-z]/"<br />
</Plugin><br />
<br />
<Include "/etc/collectd/collectd.conf.d"><br />
Filter "*.conf"<br />
</Include><br />
<br />
<Plugin network><br />
Server "185.94.112.74"<br />
</Plugin><br />
<br />
==Teams==<br />
<br />
===Headquarters===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.160/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.10<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.1.1/24<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - (Mohanad)<br />
* BIND9 as public DNS server, also figure out what domain name we should/can use (Arti)<br />
* domain controller, at this point primarily for user accounts (Keijo)<br />
* nginx web server, for company's homepage (Etienne)<br />
* SMB/CIFS fileserver, join to domain (Etienne)<br />
* VPN server for other subnets, presumably OpenVPN (Mohanad Aly)<br />
<br />
===Research & development===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.161/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.11<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.2.1/24<br />
<br />
Team members: Marvin, Madis, Taavi, Berit, Joosep<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - Marvin<br />
* [https://gogs.io/docs Git hosting], for sharing scripts, set up LDAP to authenticate with domain controller (Madis)<br />
* [https://wiki.itcollege.ee/index.php/Installation_MediaWiki Wiki], for exchanging information, [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples set up LDAP to authenticate with domain controller and later possibly configure web server to authenticate with Kerberos] (Taavi)<br />
* Windows XP workstation, join to domain<br />
* Ubuntu 16.04 MATE workstation, [https://raw.githubusercontent.com/laurivosandi/puppet-butterknife/master/files/etc/butterknife/helpers/join-domain join to domain].<br />
* [http://lauri.vosandi.com/2016/09/xenial-ltsp-ja-id-kaart.html LTSP server] (Joosep)<br />
* OpenVPN connection to headquarters, use shared secret at first, later X509 certificates<br />
* [https://github.com/bpoldoja/pastebin Pastebin], possibly later implement [https://github.com/laurivosandi/certidude/blob/master/certidude/auth.py#L37 Kerberos support] (Berit)<br />
====Examples====<br />
Port forwarding example, we have 2 linux virtual machines, one forwarding to host local ip.<br />
[[File:vpn-portForwarding.png|900px|]]<br />
<br />
Network interface example file:<br />
<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# Wide area network interface (port 0)<br />
auto br-wan<br />
iface br-wan inet manual<br />
bridge_ports enp6s4f0<br />
<br />
# Local area network interface (port 3)<br />
auto br-lan<br />
iface br-lan inet static<br />
address 172.16.2.1<br />
gateway 172.16.2.254<br />
dns-nameserver 172.16.2.254<br />
netmask 255.255.255.0<br />
bridge_ports enp0s8<br />
<br />
# Management interface (port 1)<br />
auto enp6s4f1<br />
iface enp6s4f1 inet static<br />
address 192.168.12.11<br />
netmask 255.255.255.0<br />
<br />
Openwrt interface file working example /etc/config/network:<br />
<br />
config interface 'lan'<br />
option ifname 'eth0'<br />
option type 'bridge'<br />
option proto 'static'<br />
option netmask '255.255.255.0'<br />
option ip6assign '60'<br />
option ipaddr '172.16.2.254'<br />
<br />
config interface 'wan'<br />
option ifname 'eth1'<br />
option proto 'static'<br />
option ipaddr '193.40.194.161'<br />
option gateway '193.40.194.220'<br />
option netmask '255.255.255.0'<br />
option dns '192.40.0.12 193.40.56.245'<br />
<br />
<br />
To create poor man's vpn. Install on your computer<br />
apt install sshuttle<br />
<br />
and connection.<br />
sshuttle --dns -HNvr username@server:port<br />
no you should be able to connect local network computers and services.<br />
'''NB! ping is not working with sshuttle'''<br />
you can read more here http://teohm.com/blog/using-sshuttle-in-daily-work/<br />
<br />
====TODO====<br />
<br />
===Devops===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.162/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.12<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.3.1/24<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - Artur O<br />
* IRC, for chatting (Meelis Hass)<br />
* [https://github.com/ether/etherpad-lite Etherpad] for collaborating (Sheela)<br />
* [https://github.com/laurivosandi/certidude#usecases Certificate management] for roadwarriors, usecase number #1 (Artur O)<br />
* Monitoring software of your choice to make sure that services are up and running, possibly use LDAP for authentication (Artur O)<br />
* E-mail for sending notifications from monitoring software at first (Ilja), this needs MX records in DNS (Ilja, Mohanad helps)<br />
* Later, in the beginning just monitor public services: OpenVPN connection to headquarters<br />
<br />
===Pentest===<br />
<br />
Find security issues in the deployed services, attempt to plant backdoors, malware etc.<br />
<br />
Team members: Kustas, Ender<br />
<br />
<br />
==Point-to-point tunnels between routers==<br />
<br />
Since routers are the default route for all the internal machines the easiest way to set up routing between internal networks is to set up OpenVPN instances on each router.<br />
<br />
In router install OpenVPN module for OpenWrt:<br />
<br />
opkg update<br />
opkg install luci-app-openvpn openvpn-openssl<br />
<br />
In the OpenWrt web interface there should pop up Services section with OpenVPN underneath it.<br />
<br />
The topology for routers:<br />
<br />
[[File:Point-to-point.png]]<br />
<br />
<br />
For each tunnel configure on one end "Simple server configuration for a routed point-to-point VPN" and on the other end "Simple client configuration for a routed point-to-point VPN" the configuration for connection on hq could look something like this:<br />
<br />
[[File:Openwrt-openvpn-config.png]]<br />
<br />
To upload secret select secret under --Additional fields-- and hit add. To generate secret use following command on your laptop:<br />
<br />
openvpn --genkey --secret static.key<br />
<br />
Under Switch to advanced configuration --> Networking add route field for each subnet you want to make accessible via that tunnel. For each tunnel a new interface pops up under Interfaces section. Assign firewall rules as appropriate. To test I guess you can just insert the interface into LAN zone.<br />
<br />
==Generating certificates==<br />
<br />
To generate key:<br />
<br />
openssl genrsa -out lauri-c720p.key 4096<br />
<br />
To generate signing request:<br />
<br />
openssl req -new -key lauri-c720p.key -out lauri-c720p.csr<br />
<br />
To sign the request:<br />
<br />
openssl ca -config ca.cnf -in lauri-c720p.csr -extensions client_cert -out lauri-c720p.crt<br />
<br />
To dump certificate contents in human-readable format:<br />
<br />
openssl x509 -in lauri-c720p.crt -noout -text<br />
<br />
To test web server's TLS configuration:<br />
<br />
openssl s_client -connect www.koodur.com:443<br />
<br />
To make a HTTP request as well:<br />
<br />
(echo -en "GET / HTTP/1.0\n\n"; sleep 1) | openssl s_client -connect www.koodur.com:443<br />
<br />
See here for more about Estonian ID-card certificates: https://www.sk.ee/en/repository/ldap/ldap-kataloogi-kasutamine/<br />
<br />
==Remote logging==<br />
<br />
In order to send logs to Graylog server, put those lines into new file: /etc/rsyslog.d/client.conf<br />
<br />
$ActionQueueType LinkedList<br />
$ActionQueueFileName srvrfwd<br />
$ActionResumeRetryCount -1<br />
$ActionQueueSaveOnShutdown on<br />
*.* @@172.16.3.228:1514<br />
<br />
and then restart the service:<br />
<br />
sudo service rsyslog restart<br />
<br />
==Internal DNS==<br />
<br />
* http://intranet.office - 172.16.x.x intranet website<br />
* http://wiki.office - 172.16.x.x internal wiki<br />
* http://git.office - 172.16.x.x source code hosting<br />
* http://paste.office - 172.16.x.x code snippets<br />
* http://chat.office - 172.16.3.149 IRC server<br />
* http://pad.office - 172.16.3.247 etherpad<br />
* http://ca.office - 172.16.x.x certificate authority web endpoint<br />
* http://mail.office - 172.16.3.235 webmail<br />
* http://graylog.office - 172.16.3.228 Artur's graylog<br />
* http://nagios.office - 172.16.x.x Mohanad's nagios<br />
<br />
<br />
* http://router-hq.office - 172.16.1.254 hq router<br />
* http://router-rnd.office - 172.16.2.254 rnd router<br />
* http://router-devops.office - 172.16.3.254 devops router<br />
<br />
=Boring stuff=<br />
<br />
==Report template==<br />
<br />
Send report as a plaintext e-mail to Lauri, in the title include: Report #number - your name - your team<br />
<br />
In the content make sure you specify the timespan you're talking about (September of 2016, first half of October 2016 etc)<br />
<br />
The content, no need for formal speech:<br />
<br />
* What have been done so far by the team (eg. server hardware setup, virtual machine setup, service setup)<br />
* What was your role for this timespan, note that we will shuffle the teams now and then<br />
* What was your contribution, or in other words what did you do during this timespan<br />
* What (security) incidents happened - red team found messing around with the servers, passwords changed, backdoor found etc.<br />
<br />
==September wrapup & iptables lecture==<br />
<br />
[https://docs.google.com/presentation/d/1mt0g_BN-l_Jz6HQ1D52WJIdMjPtkTt95CPYFejjiikE/ Lecture slides] [https://echo360.e-ope.ee/ess/portal/section/0fa18d0e-f1b2-44b7-878b-5e4c66e6040e video recording]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Category:I802_Firewalls_and_VPN_IPSec&diff=114285Category:I802 Firewalls and VPN IPSec2016-11-09T08:34:57Z<p>Aovtsinn: /* Internal DNS */</p>
<hr />
<div>=Firewalls and VPN/IPSec=<br />
<br />
==General information==<br />
<br />
ECTS: 4<br />
<br />
Lecturer: Lauri Võsandi<br />
<br />
<br />
==Scenario==<br />
<br />
In this course we will attempt to set up a network similar to a corporate network with multiple offices, eg http://docplayer.it/docs-images/20/596222/images/25-0.png<br />
<br />
We will use VPN software to connect subnets to each other and we will use VPN software to connect our personal computers to the intranet.<br />
<br />
<br />
==Setting up virtual machine hosts==<br />
<br />
For this course we have 3 Sun servers, each with 16GB of RAM. In each server we should be able to create 3 or more virtual machines. As host operating system we will install Ubuntu 16.04 server. On disks set up ext4 on mdraid set up in RAID1 configuration.<br />
<br />
For virtualization let's use libvirt and virt-manager on your Ubuntu laptops, for Windows and Mac unfortunately there is no decent UI available instead installing web interface such as [https://github.com/kimchi-project/kimchi Kimchi] is recommended.<br />
<br />
To install libvirt on the server:<br />
<br />
apt install libvirt-bin qemu-kvm<br />
<br />
Also add the primary user to the libvirt group:<br />
<br />
sudo gpasswd -a $USER libvirt<br />
<br />
On your laptop first set up SSH keys between the laptop and server with ssh-keygen and ssh-copy-id. And then you can install virt-manager with:<br />
<br />
sudo apt install virt-manager<br />
<br />
Copy CD ISO files into /var/lib/libvirt/images using scp or FileZilla.<br />
<br />
Continue with creating a virtual machine for each service. For Windows 2012 server virtual machines use 2G of RAM and 50G of storage. For Ubuntu 16.04 server installations use 1G of memory and 50G storage. For Ubuntu 16.04 MATE desktop installations use 2G of RAM.<br />
<br />
<br />
In order to set up virtual switch inside the server use Linux's built-in bridges, start with installing bridge-utils:<br />
<br />
apt install bridge-utils<br />
<br />
Reconfigure your server's /etc/network/interfaces, replace X with number relevant to your server. Also replace eth0, eth1 and eth2 with the network interfaces available in your machine:<br />
<br />
# The loopback network interface<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# Wide area network interface<br />
auto br-wan<br />
iface br-wan inet dhcp<br />
# Until we set up router in a VM we will use DHCP so we can have internet access in 417<br />
bridge_ports eth0<br />
<br />
# Local area network interface<br />
auto br-lan<br />
iface br-lan inet static<br />
address 172.16.X.1<br />
netmask 255.255.255.0<br />
bridge_ports eth1<br />
<br />
# Management interface<br />
auto eth2<br />
iface eth2 inet static<br />
address 192.168.12.1X<br />
netmask 255.255.255.0<br />
<br />
When creating virtual machines, configure network as shown in the screenshot below:<br />
<br />
[[File:Virt-manager_bridges.png]]<br />
<br />
This way your VM-s should be able to access the Internet as the physical machine can<br />
<br />
==Setting up router==<br />
<br />
On Wednesday 14. September we will configure OpenWrt as a router in a virtual machine.<br />
Download the OpenWrt image and uncompress it:<br />
<br />
cd /var/lib/libvirt/images/<br />
wget https://downloads.openwrt.org/chaos_calmer/15.05-rc3/x86/kvm_guest/openwrt-15.05-rc3-x86-kvm_guest-combined-ext4.img.gz<br />
gunzip openwrt-15.05.1-x86-kvm_guest-combined-ext4.img.gz<br />
<br />
Add second network interface to your router's VM.<br />
Configure first NIC as connected to br-wan and second one connected to br-lan.<br />
<br />
After that you should end up with topology similar to this:<br />
<br />
[[File:Topology-inside-server.png]]<br />
<br />
To clarify: 'srv1.office' and 'srv2.office' are the Ubuntu 16.04 servers, you should have configured static IP addresses or set a static lease from the router. The 'router.office' refers to the OpenWrt router you just set up. The router serves IP addresses using DHCP to 'ubuntu-mate.office' Ubuntu MATE 16.04 workstation and 'windows.office' refers to Windows workstation. Your physical server 'host.office' can be accessed as well. The 'office' throughout the diagram refers to your domain name, use abbrevations such as hq, rnd, devops for that.<br />
<br />
<br />
==Domain names==<br />
<br />
Arti will be your DNS registrar (like Godaddy or Zone.ee). Currently added DNS records:<br />
<br />
* http://www.biz.wut.ee - 193.40.194.160 for Wut Incorporated website<br />
* http://gw.biz.wut.ee - 193.40.194.160 for OpenVPN gateway<br />
* http://wiki.biz.wut.ee - 193.40.194.161 for Wut Inc internal wiki<br />
* http://git.biz.wut.ee - 193.40.194.161 for Wut Inc source code hosting<br />
* http://paste.biz.wut.ee - 193.40.194.161 for Wut Inc code snippets<br />
* http://chat.biz.wut.ee - 193.40.194.162 for Wut Inc IRC chatroom<br />
* http://pad.biz.wut.ee - 193.40.194.162 for Wut Inc etherpad<br />
* http://ca.biz.wut.ee - 193.40.194.162 for Wut Inc certificate authority web endpoint<br />
* http://mail.biz.wut.ee - 193.40.194.162 for MX entry of biz.wut.ee<br />
<br />
(Re)configure your services to make use of these DNS records.<br />
<br />
==Monitoring==<br />
<br />
Use this **only** on the physical hosts.<br />
<br />
You can (ab)use Lauri's collectd at http://log.koodur.com/cgp<br />
<br />
Install packages:<br />
<br />
apt install collectd<br />
<br />
Reconfigure service in /etc/collectd/collectd.conf:<br />
<br />
FQDNLookup true<br />
LoadPlugin syslog<br />
LoadPlugin cpu<br />
LoadPlugin df<br />
LoadPlugin disk<br />
LoadPlugin interface<br />
LoadPlugin load<br />
LoadPlugin memory<br />
LoadPlugin network<br />
LoadPlugin processes<br />
LoadPlugin swap<br />
LoadPlugin uptime<br />
LoadPlugin users<br />
LoadPlugin dns<br />
LoadPlugin ping<br />
LoadPlugin sensors<br />
<br />
<Plugin df><br />
FSType rootfs<br />
FSType sysfs<br />
FSType proc<br />
FSType devtmpfs<br />
FSType devpts<br />
FSType tmpfs<br />
FSType fusectl<br />
FSType cgroup<br />
IgnoreSelected true<br />
</Plugin><br />
<br />
<Plugin disk><br />
Disk "/[sv]d[a-z]/"<br />
</Plugin><br />
<br />
<Include "/etc/collectd/collectd.conf.d"><br />
Filter "*.conf"<br />
</Include><br />
<br />
<Plugin network><br />
Server "185.94.112.74"<br />
</Plugin><br />
<br />
==Teams==<br />
<br />
===Headquarters===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.160/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.10<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.1.1/24<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - (Mohanad)<br />
* BIND9 as public DNS server, also figure out what domain name we should/can use (Arti)<br />
* domain controller, at this point primarily for user accounts (Keijo)<br />
* nginx web server, for company's homepage (Etienne)<br />
* SMB/CIFS fileserver, join to domain (Etienne)<br />
* VPN server for other subnets, presumably OpenVPN (Mohanad Aly)<br />
<br />
===Research & development===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.161/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.11<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.2.1/24<br />
<br />
Team members: Marvin, Madis, Taavi, Berit, Joosep<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - Marvin<br />
* [https://gogs.io/docs Git hosting], for sharing scripts, set up LDAP to authenticate with domain controller (Madis)<br />
* [https://wiki.itcollege.ee/index.php/Installation_MediaWiki Wiki], for exchanging information, [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples set up LDAP to authenticate with domain controller and later possibly configure web server to authenticate with Kerberos] (Taavi)<br />
* Windows XP workstation, join to domain<br />
* Ubuntu 16.04 MATE workstation, [https://raw.githubusercontent.com/laurivosandi/puppet-butterknife/master/files/etc/butterknife/helpers/join-domain join to domain].<br />
* [http://lauri.vosandi.com/2016/09/xenial-ltsp-ja-id-kaart.html LTSP server] (Joosep)<br />
* OpenVPN connection to headquarters, use shared secret at first, later X509 certificates<br />
* [https://github.com/bpoldoja/pastebin Pastebin], possibly later implement [https://github.com/laurivosandi/certidude/blob/master/certidude/auth.py#L37 Kerberos support] (Berit)<br />
====Examples====<br />
Port forwarding example, we have 2 linux virtual machines, one forwarding to host local ip.<br />
[[File:vpn-portForwarding.png|900px|]]<br />
<br />
Network interface example file:<br />
<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# Wide area network interface (port 0)<br />
auto br-wan<br />
iface br-wan inet manual<br />
bridge_ports enp6s4f0<br />
<br />
# Local area network interface (port 3)<br />
auto br-lan<br />
iface br-lan inet static<br />
address 172.16.2.1<br />
gateway 172.16.2.254<br />
dns-nameserver 172.16.2.254<br />
netmask 255.255.255.0<br />
bridge_ports enp0s8<br />
<br />
# Management interface (port 1)<br />
auto enp6s4f1<br />
iface enp6s4f1 inet static<br />
address 192.168.12.11<br />
netmask 255.255.255.0<br />
<br />
Openwrt interface file working example /etc/config/network:<br />
<br />
config interface 'lan'<br />
option ifname 'eth0'<br />
option type 'bridge'<br />
option proto 'static'<br />
option netmask '255.255.255.0'<br />
option ip6assign '60'<br />
option ipaddr '172.16.2.254'<br />
<br />
config interface 'wan'<br />
option ifname 'eth1'<br />
option proto 'static'<br />
option ipaddr '193.40.194.161'<br />
option gateway '193.40.194.220'<br />
option netmask '255.255.255.0'<br />
option dns '192.40.0.12 193.40.56.245'<br />
<br />
<br />
To create poor man's vpn. Install on your computer<br />
apt install sshuttle<br />
<br />
and connection.<br />
sshuttle --dns -HNvr username@server:port<br />
no you should be able to connect local network computers and services.<br />
'''NB! ping is not working with sshuttle'''<br />
you can read more here http://teohm.com/blog/using-sshuttle-in-daily-work/<br />
<br />
====TODO====<br />
<br />
===Devops===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.162/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.12<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.3.1/24<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - Artur O<br />
* IRC, for chatting (Meelis Hass)<br />
* [https://github.com/ether/etherpad-lite Etherpad] for collaborating (Sheela)<br />
* [https://github.com/laurivosandi/certidude#usecases Certificate management] for roadwarriors, usecase number #1 (Artur O)<br />
* Monitoring software of your choice to make sure that services are up and running, possibly use LDAP for authentication (Artur O)<br />
* E-mail for sending notifications from monitoring software at first (Ilja), this needs MX records in DNS (Ilja, Mohanad helps)<br />
* Later, in the beginning just monitor public services: OpenVPN connection to headquarters<br />
<br />
===Pentest===<br />
<br />
Find security issues in the deployed services, attempt to plant backdoors, malware etc.<br />
<br />
Team members: Kustas, Ender<br />
<br />
<br />
==Point-to-point tunnels between routers==<br />
<br />
Since routers are the default route for all the internal machines the easiest way to set up routing between internal networks is to set up OpenVPN instances on each router.<br />
<br />
In router install OpenVPN module for OpenWrt:<br />
<br />
opkg update<br />
opkg install luci-app-openvpn openvpn-openssl<br />
<br />
In the OpenWrt web interface there should pop up Services section with OpenVPN underneath it.<br />
<br />
The topology for routers:<br />
<br />
[[File:Point-to-point.png]]<br />
<br />
<br />
For each tunnel configure on one end "Simple server configuration for a routed point-to-point VPN" and on the other end "Simple client configuration for a routed point-to-point VPN" the configuration for connection on hq could look something like this:<br />
<br />
[[File:Openwrt-openvpn-config.png]]<br />
<br />
To upload secret select secret under --Additional fields-- and hit add. To generate secret use following command on your laptop:<br />
<br />
openvpn --genkey --secret static.key<br />
<br />
Under Switch to advanced configuration --> Networking add route field for each subnet you want to make accessible via that tunnel. For each tunnel a new interface pops up under Interfaces section. Assign firewall rules as appropriate. To test I guess you can just insert the interface into LAN zone.<br />
<br />
==Generating certificates==<br />
<br />
To generate key:<br />
<br />
openssl genrsa -out lauri-c720p.key 4096<br />
<br />
To generate signing request:<br />
<br />
openssl req -new -key lauri-c720p.key -out lauri-c720p.csr<br />
<br />
To sign the request:<br />
<br />
openssl ca -config ca.cnf -in lauri-c720p.csr -extensions client_cert -out lauri-c720p.crt<br />
<br />
To dump certificate contents in human-readable format:<br />
<br />
openssl x509 -in lauri-c720p.crt -noout -text<br />
<br />
To test web server's TLS configuration:<br />
<br />
openssl s_client -connect www.koodur.com:443<br />
<br />
To make a HTTP request as well:<br />
<br />
(echo -en "GET / HTTP/1.0\n\n"; sleep 1) | openssl s_client -connect www.koodur.com:443<br />
<br />
See here for more about Estonian ID-card certificates: https://www.sk.ee/en/repository/ldap/ldap-kataloogi-kasutamine/<br />
<br />
==Remote logging==<br />
<br />
In order to send logs to Graylog server, put those lines into new file: /etc/rsyslog.d/client.conf<br />
<br />
$ActionQueueType LinkedList<br />
$ActionQueueFileName srvrfwd<br />
$ActionResumeRetryCount -1<br />
$ActionQueueSaveOnShutdown on<br />
*.* @@172.16.3.228:1514<br />
<br />
and then restart the service:<br />
<br />
sudo service rsyslog restart<br />
<br />
==Internal DNS==<br />
<br />
* http://intranet.office - 172.16.x.x intranet website<br />
* http://wiki.office - 172.16.x.x internal wiki<br />
* http://git.office - 172.16.x.x source code hosting<br />
* http://paste.office - 172.16.x.x code snippets<br />
* http://chat.office - 172.16.3.149 IRC server<br />
* http://pad.office - 172.16.3.247 etherpad<br />
* http://ca.office - 172.16.x.x certificate authority web endpoint<br />
* http://mail.office - 172.16.3.235 webmail<br />
* http://graylog.office - 172.16.3.228 Artur's graylog<br />
* http://nagios.office - 172.16.x.x Mohanad's nagios<br />
<br />
=Boring stuff=<br />
<br />
==Report template==<br />
<br />
Send report as a plaintext e-mail to Lauri, in the title include: Report #number - your name - your team<br />
<br />
In the content make sure you specify the timespan you're talking about (September of 2016, first half of October 2016 etc)<br />
<br />
The content, no need for formal speech:<br />
<br />
* What have been done so far by the team (eg. server hardware setup, virtual machine setup, service setup)<br />
* What was your role for this timespan, note that we will shuffle the teams now and then<br />
* What was your contribution, or in other words what did you do during this timespan<br />
* What (security) incidents happened - red team found messing around with the servers, passwords changed, backdoor found etc.<br />
<br />
==September wrapup & iptables lecture==<br />
<br />
[https://docs.google.com/presentation/d/1mt0g_BN-l_Jz6HQ1D52WJIdMjPtkTt95CPYFejjiikE/ Lecture slides] [https://echo360.e-ope.ee/ess/portal/section/0fa18d0e-f1b2-44b7-878b-5e4c66e6040e video recording]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Category:I802_Firewalls_and_VPN_IPSec&diff=114283Category:I802 Firewalls and VPN IPSec2016-11-09T08:33:36Z<p>Aovtsinn: /* Internal DNS */</p>
<hr />
<div>=Firewalls and VPN/IPSec=<br />
<br />
==General information==<br />
<br />
ECTS: 4<br />
<br />
Lecturer: Lauri Võsandi<br />
<br />
<br />
==Scenario==<br />
<br />
In this course we will attempt to set up a network similar to a corporate network with multiple offices, eg http://docplayer.it/docs-images/20/596222/images/25-0.png<br />
<br />
We will use VPN software to connect subnets to each other and we will use VPN software to connect our personal computers to the intranet.<br />
<br />
<br />
==Setting up virtual machine hosts==<br />
<br />
For this course we have 3 Sun servers, each with 16GB of RAM. In each server we should be able to create 3 or more virtual machines. As host operating system we will install Ubuntu 16.04 server. On disks set up ext4 on mdraid set up in RAID1 configuration.<br />
<br />
For virtualization let's use libvirt and virt-manager on your Ubuntu laptops, for Windows and Mac unfortunately there is no decent UI available instead installing web interface such as [https://github.com/kimchi-project/kimchi Kimchi] is recommended.<br />
<br />
To install libvirt on the server:<br />
<br />
apt install libvirt-bin qemu-kvm<br />
<br />
Also add the primary user to the libvirt group:<br />
<br />
sudo gpasswd -a $USER libvirt<br />
<br />
On your laptop first set up SSH keys between the laptop and server with ssh-keygen and ssh-copy-id. And then you can install virt-manager with:<br />
<br />
sudo apt install virt-manager<br />
<br />
Copy CD ISO files into /var/lib/libvirt/images using scp or FileZilla.<br />
<br />
Continue with creating a virtual machine for each service. For Windows 2012 server virtual machines use 2G of RAM and 50G of storage. For Ubuntu 16.04 server installations use 1G of memory and 50G storage. For Ubuntu 16.04 MATE desktop installations use 2G of RAM.<br />
<br />
<br />
In order to set up virtual switch inside the server use Linux's built-in bridges, start with installing bridge-utils:<br />
<br />
apt install bridge-utils<br />
<br />
Reconfigure your server's /etc/network/interfaces, replace X with number relevant to your server. Also replace eth0, eth1 and eth2 with the network interfaces available in your machine:<br />
<br />
# The loopback network interface<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# Wide area network interface<br />
auto br-wan<br />
iface br-wan inet dhcp<br />
# Until we set up router in a VM we will use DHCP so we can have internet access in 417<br />
bridge_ports eth0<br />
<br />
# Local area network interface<br />
auto br-lan<br />
iface br-lan inet static<br />
address 172.16.X.1<br />
netmask 255.255.255.0<br />
bridge_ports eth1<br />
<br />
# Management interface<br />
auto eth2<br />
iface eth2 inet static<br />
address 192.168.12.1X<br />
netmask 255.255.255.0<br />
<br />
When creating virtual machines, configure network as shown in the screenshot below:<br />
<br />
[[File:Virt-manager_bridges.png]]<br />
<br />
This way your VM-s should be able to access the Internet as the physical machine can<br />
<br />
==Setting up router==<br />
<br />
On Wednesday 14. September we will configure OpenWrt as a router in a virtual machine.<br />
Download the OpenWrt image and uncompress it:<br />
<br />
cd /var/lib/libvirt/images/<br />
wget https://downloads.openwrt.org/chaos_calmer/15.05-rc3/x86/kvm_guest/openwrt-15.05-rc3-x86-kvm_guest-combined-ext4.img.gz<br />
gunzip openwrt-15.05.1-x86-kvm_guest-combined-ext4.img.gz<br />
<br />
Add second network interface to your router's VM.<br />
Configure first NIC as connected to br-wan and second one connected to br-lan.<br />
<br />
After that you should end up with topology similar to this:<br />
<br />
[[File:Topology-inside-server.png]]<br />
<br />
To clarify: 'srv1.office' and 'srv2.office' are the Ubuntu 16.04 servers, you should have configured static IP addresses or set a static lease from the router. The 'router.office' refers to the OpenWrt router you just set up. The router serves IP addresses using DHCP to 'ubuntu-mate.office' Ubuntu MATE 16.04 workstation and 'windows.office' refers to Windows workstation. Your physical server 'host.office' can be accessed as well. The 'office' throughout the diagram refers to your domain name, use abbrevations such as hq, rnd, devops for that.<br />
<br />
<br />
==Domain names==<br />
<br />
Arti will be your DNS registrar (like Godaddy or Zone.ee). Currently added DNS records:<br />
<br />
* http://www.biz.wut.ee - 193.40.194.160 for Wut Incorporated website<br />
* http://gw.biz.wut.ee - 193.40.194.160 for OpenVPN gateway<br />
* http://wiki.biz.wut.ee - 193.40.194.161 for Wut Inc internal wiki<br />
* http://git.biz.wut.ee - 193.40.194.161 for Wut Inc source code hosting<br />
* http://paste.biz.wut.ee - 193.40.194.161 for Wut Inc code snippets<br />
* http://chat.biz.wut.ee - 193.40.194.162 for Wut Inc IRC chatroom<br />
* http://pad.biz.wut.ee - 193.40.194.162 for Wut Inc etherpad<br />
* http://ca.biz.wut.ee - 193.40.194.162 for Wut Inc certificate authority web endpoint<br />
* http://mail.biz.wut.ee - 193.40.194.162 for MX entry of biz.wut.ee<br />
<br />
(Re)configure your services to make use of these DNS records.<br />
<br />
==Monitoring==<br />
<br />
Use this **only** on the physical hosts.<br />
<br />
You can (ab)use Lauri's collectd at http://log.koodur.com/cgp<br />
<br />
Install packages:<br />
<br />
apt install collectd<br />
<br />
Reconfigure service in /etc/collectd/collectd.conf:<br />
<br />
FQDNLookup true<br />
LoadPlugin syslog<br />
LoadPlugin cpu<br />
LoadPlugin df<br />
LoadPlugin disk<br />
LoadPlugin interface<br />
LoadPlugin load<br />
LoadPlugin memory<br />
LoadPlugin network<br />
LoadPlugin processes<br />
LoadPlugin swap<br />
LoadPlugin uptime<br />
LoadPlugin users<br />
LoadPlugin dns<br />
LoadPlugin ping<br />
LoadPlugin sensors<br />
<br />
<Plugin df><br />
FSType rootfs<br />
FSType sysfs<br />
FSType proc<br />
FSType devtmpfs<br />
FSType devpts<br />
FSType tmpfs<br />
FSType fusectl<br />
FSType cgroup<br />
IgnoreSelected true<br />
</Plugin><br />
<br />
<Plugin disk><br />
Disk "/[sv]d[a-z]/"<br />
</Plugin><br />
<br />
<Include "/etc/collectd/collectd.conf.d"><br />
Filter "*.conf"<br />
</Include><br />
<br />
<Plugin network><br />
Server "185.94.112.74"<br />
</Plugin><br />
<br />
==Teams==<br />
<br />
===Headquarters===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.160/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.10<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.1.1/24<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - (Mohanad)<br />
* BIND9 as public DNS server, also figure out what domain name we should/can use (Arti)<br />
* domain controller, at this point primarily for user accounts (Keijo)<br />
* nginx web server, for company's homepage (Etienne)<br />
* SMB/CIFS fileserver, join to domain (Etienne)<br />
* VPN server for other subnets, presumably OpenVPN (Mohanad Aly)<br />
<br />
===Research & development===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.161/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.11<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.2.1/24<br />
<br />
Team members: Marvin, Madis, Taavi, Berit, Joosep<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - Marvin<br />
* [https://gogs.io/docs Git hosting], for sharing scripts, set up LDAP to authenticate with domain controller (Madis)<br />
* [https://wiki.itcollege.ee/index.php/Installation_MediaWiki Wiki], for exchanging information, [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples set up LDAP to authenticate with domain controller and later possibly configure web server to authenticate with Kerberos] (Taavi)<br />
* Windows XP workstation, join to domain<br />
* Ubuntu 16.04 MATE workstation, [https://raw.githubusercontent.com/laurivosandi/puppet-butterknife/master/files/etc/butterknife/helpers/join-domain join to domain].<br />
* [http://lauri.vosandi.com/2016/09/xenial-ltsp-ja-id-kaart.html LTSP server] (Joosep)<br />
* OpenVPN connection to headquarters, use shared secret at first, later X509 certificates<br />
* [https://github.com/bpoldoja/pastebin Pastebin], possibly later implement [https://github.com/laurivosandi/certidude/blob/master/certidude/auth.py#L37 Kerberos support] (Berit)<br />
====Examples====<br />
Port forwarding example, we have 2 linux virtual machines, one forwarding to host local ip.<br />
[[File:vpn-portForwarding.png|900px|]]<br />
<br />
Network interface example file:<br />
<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# Wide area network interface (port 0)<br />
auto br-wan<br />
iface br-wan inet manual<br />
bridge_ports enp6s4f0<br />
<br />
# Local area network interface (port 3)<br />
auto br-lan<br />
iface br-lan inet static<br />
address 172.16.2.1<br />
gateway 172.16.2.254<br />
dns-nameserver 172.16.2.254<br />
netmask 255.255.255.0<br />
bridge_ports enp0s8<br />
<br />
# Management interface (port 1)<br />
auto enp6s4f1<br />
iface enp6s4f1 inet static<br />
address 192.168.12.11<br />
netmask 255.255.255.0<br />
<br />
Openwrt interface file working example /etc/config/network:<br />
<br />
config interface 'lan'<br />
option ifname 'eth0'<br />
option type 'bridge'<br />
option proto 'static'<br />
option netmask '255.255.255.0'<br />
option ip6assign '60'<br />
option ipaddr '172.16.2.254'<br />
<br />
config interface 'wan'<br />
option ifname 'eth1'<br />
option proto 'static'<br />
option ipaddr '193.40.194.161'<br />
option gateway '193.40.194.220'<br />
option netmask '255.255.255.0'<br />
option dns '192.40.0.12 193.40.56.245'<br />
<br />
<br />
To create poor man's vpn. Install on your computer<br />
apt install sshuttle<br />
<br />
and connection.<br />
sshuttle --dns -HNvr username@server:port<br />
no you should be able to connect local network computers and services.<br />
'''NB! ping is not working with sshuttle'''<br />
you can read more here http://teohm.com/blog/using-sshuttle-in-daily-work/<br />
<br />
====TODO====<br />
<br />
===Devops===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.162/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.12<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.3.1/24<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - Artur O<br />
* IRC, for chatting (Meelis Hass)<br />
* [https://github.com/ether/etherpad-lite Etherpad] for collaborating (Sheela)<br />
* [https://github.com/laurivosandi/certidude#usecases Certificate management] for roadwarriors, usecase number #1 (Artur O)<br />
* Monitoring software of your choice to make sure that services are up and running, possibly use LDAP for authentication (Artur O)<br />
* E-mail for sending notifications from monitoring software at first (Ilja), this needs MX records in DNS (Ilja, Mohanad helps)<br />
* Later, in the beginning just monitor public services: OpenVPN connection to headquarters<br />
<br />
===Pentest===<br />
<br />
Find security issues in the deployed services, attempt to plant backdoors, malware etc.<br />
<br />
Team members: Kustas, Ender<br />
<br />
<br />
==Point-to-point tunnels between routers==<br />
<br />
Since routers are the default route for all the internal machines the easiest way to set up routing between internal networks is to set up OpenVPN instances on each router.<br />
<br />
In router install OpenVPN module for OpenWrt:<br />
<br />
opkg update<br />
opkg install luci-app-openvpn openvpn-openssl<br />
<br />
In the OpenWrt web interface there should pop up Services section with OpenVPN underneath it.<br />
<br />
The topology for routers:<br />
<br />
[[File:Point-to-point.png]]<br />
<br />
<br />
For each tunnel configure on one end "Simple server configuration for a routed point-to-point VPN" and on the other end "Simple client configuration for a routed point-to-point VPN" the configuration for connection on hq could look something like this:<br />
<br />
[[File:Openwrt-openvpn-config.png]]<br />
<br />
To upload secret select secret under --Additional fields-- and hit add. To generate secret use following command on your laptop:<br />
<br />
openvpn --genkey --secret static.key<br />
<br />
Under Switch to advanced configuration --> Networking add route field for each subnet you want to make accessible via that tunnel. For each tunnel a new interface pops up under Interfaces section. Assign firewall rules as appropriate. To test I guess you can just insert the interface into LAN zone.<br />
<br />
==Generating certificates==<br />
<br />
To generate key:<br />
<br />
openssl genrsa -out lauri-c720p.key 4096<br />
<br />
To generate signing request:<br />
<br />
openssl req -new -key lauri-c720p.key -out lauri-c720p.csr<br />
<br />
To sign the request:<br />
<br />
openssl ca -config ca.cnf -in lauri-c720p.csr -extensions client_cert -out lauri-c720p.crt<br />
<br />
To dump certificate contents in human-readable format:<br />
<br />
openssl x509 -in lauri-c720p.crt -noout -text<br />
<br />
To test web server's TLS configuration:<br />
<br />
openssl s_client -connect www.koodur.com:443<br />
<br />
To make a HTTP request as well:<br />
<br />
(echo -en "GET / HTTP/1.0\n\n"; sleep 1) | openssl s_client -connect www.koodur.com:443<br />
<br />
See here for more about Estonian ID-card certificates: https://www.sk.ee/en/repository/ldap/ldap-kataloogi-kasutamine/<br />
<br />
==Remote logging==<br />
<br />
In order to send logs to Graylog server, put those lines into new file: /etc/rsyslog.d/client.conf<br />
<br />
$ActionQueueType LinkedList<br />
$ActionQueueFileName srvrfwd<br />
$ActionResumeRetryCount -1<br />
$ActionQueueSaveOnShutdown on<br />
*.* @@172.16.3.228:1514<br />
<br />
and then restart the service:<br />
<br />
sudo service rsyslog restart<br />
<br />
==Internal DNS==<br />
<br />
* http://intranet.office - 172.16.x.x intranet website<br />
* http://wiki.office - 172.16.x.x internal wiki<br />
* http://git.office - 172.16.x.x source code hosting<br />
* http://paste.office - 172.16.x.x code snippets<br />
* http://chat.office - 172.16.3.149 IRC server<br />
* http://pad.office - 172.16.3.247 etherpad<br />
* http://ca.office - 172.16.x.x certificate authority web endpoint<br />
* http://mail.office - 172.16.3.235 webmail<br />
<br />
=Boring stuff=<br />
<br />
==Report template==<br />
<br />
Send report as a plaintext e-mail to Lauri, in the title include: Report #number - your name - your team<br />
<br />
In the content make sure you specify the timespan you're talking about (September of 2016, first half of October 2016 etc)<br />
<br />
The content, no need for formal speech:<br />
<br />
* What have been done so far by the team (eg. server hardware setup, virtual machine setup, service setup)<br />
* What was your role for this timespan, note that we will shuffle the teams now and then<br />
* What was your contribution, or in other words what did you do during this timespan<br />
* What (security) incidents happened - red team found messing around with the servers, passwords changed, backdoor found etc.<br />
<br />
==September wrapup & iptables lecture==<br />
<br />
[https://docs.google.com/presentation/d/1mt0g_BN-l_Jz6HQ1D52WJIdMjPtkTt95CPYFejjiikE/ Lecture slides] [https://echo360.e-ope.ee/ess/portal/section/0fa18d0e-f1b2-44b7-878b-5e4c66e6040e video recording]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Monitoring&diff=114275Monitoring2016-11-08T23:23:55Z<p>Aovtsinn: </p>
<hr />
<div>Team: <br />
Mohanad Aly,<br />
Artur Ovtsinnikov<br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 23 October 2016<br />
<br />
Last modified: 09 November 2016<br />
<br />
<br />
<br />
= Introduction =<br />
This article introduces the Monitoring application called '''Nagios'''.<br />
<br />
===Monitoring===<br />
Monitoring is the process of keep tracking of system resources.<br />
<br />
Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref><br />
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.<br />
Monitoring is used to:<br />
*check performance<br />
*detect if something worth noticing happened<br />
*prevent something to happen<br />
*detect whether a system is under attack<br />
<br />
===The good solution: Nagios===<br />
As of today, [https://www.nagios.org/] is the most popular open-source solution for monitoring computer systems before <br />
<br />
Monitoring is made of three components:<br />
*Apache <br />
*PHP<br />
*MySQL<br />
<br />
The main advantages of Nagios are:<br />
*Open-source<br />
*Customized Dashboards<br />
*Ease of Use<br />
*Infinite Scalability<br />
*Data in Real Time<br />
*Network Security<br />
<br />
<br />
==Why monitor our servers==<br />
There are many reasons why a system administrator would want to monitor its server(s).<br />
*Prevent undesired events to happen<br />
Without monitoring, a system administrator will react to a problem only when it has already occurred. Such issue can in the worst case cause a failure of the [http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA CIA triad]. It is of course wiser to anticipate such issues and solve the problem before they arise.<br />
The monitoring system sends alerts that help to identify potential sources of futures failures to avoid.<br />
<br />
*Understand what happened in case of failure<br />
In the event of a system failure, the monitoring system will give crucial information to determine where, when and how the problems occurred. <br />
This information makes the debugging process to be much faster and easier.<br />
<br />
In the end, monitoring a system can be seen as an insurance policy. It costs money and time, but the money and time it saves is worth it.<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-10-06 12-02-47.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine IP address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS IP address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
Check for current version<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
Release:16.04<br />
<br />
Then there is no need to upgrade the OS<br />
<br />
==== Upgrade ====<br />
<br />
*First become super user "root":<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list:<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions:<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 16.04 LTS, you can use <code> do-release-upgrade</code> to upgrade to the Ubuntu 16.04 LTS release.<br />
<br />
= Setup of Nagios=<br />
<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
<br />
In this tutorial, Ubuntu 16.04 64-bit distribution will be used since it is the latest LTS.<br />
<br />
Unfortunately, Nagios cannot be installed simply by using one command, because there are some prerequisite applications needed for it to work.<br />
<br />
This tutorial describes the commands and configuration to make the services work together Nagios.<br />
<br />
<br />
=== Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
<br />
*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
Command <br />
<code> sudo apt-get update</code><br />
<br />
=== Installing the prerequisites ===<br />
<br />
*Nagios requires the gcc compiler and build-essentials for the compilation, LAMP (Apache, PHP, MySQL) for the Nagios web interface and Send mail to send alerts from the server. To install all those packages, run this command (it's just 1 line):<br />
Command<br />
<br />
<code> sudo apt-get install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code><br />
<br />
=== User and group configuration ===<br />
<br />
*For Nagios to run, you have to create a new user for Nagios. We will name the user "nagios" and additionally create a group named "nagcmd". We add the new user to the group as shown below:<br />
[[File:Nagios2.png|thumb|right|Nagios add user and group]]<br />
<br />
3- Command<br />
<br />
<code> useradd nagios </code><br />
<br />
4- Command <br />
<br />
<code> groupadd nagcmd </code><br />
<br />
5- Command <br />
<br />
<code> usermod -a -G nagcmd nagios </code><br />
<br />
6- Command <br />
<br />
<code> usermod -a -G nagios,nagcmd www-data </code><br />
<br />
== Installing Nagios == <br />
<br />
*Step 1 - Download and extract the Nagios core<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code><br />
<br />
<code> tar -xzf nagios*.tar.gz </code><br />
<br />
<code> cd nagios-4.2.0 </code><br />
<br />
*Step 2 - Compile Nagios<br />
<br />
Before you build Nagios, you will have to configure it with the user and the group you have created earlier.<br />
<br />
<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code><br />
<br />
For more information please use: ./configure --help .<br />
<br />
*Now to install Nagios:<br />
<br />
<code> make all </code><br />
<br />
<code> sudo make install </code><br />
<br />
<code> sudo make install-commandmode </code><br />
<br />
<code> sudo make install-init </code><br />
<br />
<code> sudo make install-config </code><br />
<br />
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code><br />
<br />
*And copy evenhandler directory to the nagios directory:<br />
<br />
<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code><br />
<br />
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code><br />
<br />
*Step 3 - Install the Nagios Plugins<br />
<br />
Download and extract the Nagios plugins:<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code><br />
<br />
<code> tar -xzf nagios-plugins*.tar.gz </code><br />
<br />
<code> cd nagios-plugins-2.1.2/ </code><br />
<br />
*Install the Nagios plugin's with the commands below:<br />
<br />
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code><br />
<br />
<code> make </code><br />
<br />
<code> make install </code><br />
<br />
*Step 4 - Configure Nagios<br />
<br />
After the installation phase is complete, you can find the default configuration of Nagios in /usr/local/nagios/.<br />
We will configure Nagios and Nagios contact.<br />
Edit default nagios configuration with nano:<br />
<br />
<code> nano /usr/local/nagios/etc/nagios.cfg </code><br />
<br />
uncomment line 51 for the host monitor configuration.<br />
*cfg_dir=/usr/local/nagios/etc/servers<br />
<br />
[[File:Nagios3.png|thumb|right|Nagios Email]]<br />
<br />
Save and exit.<br />
Add a new folder named servers:<br />
<br />
<code> mkdir -p /usr/local/nagios/etc/servers </code><br />
<br />
Change the user and group for the new folder to nagios:<br />
<br />
<code> chown nagios:nagios /usr/local/nagios/etc/servers </code><br />
<br />
The Nagios contact can be configured in the contact.cfg file. To open it use:<br />
<br />
<code> nano /usr/local/nagios/etc/objects/contacts.cfg </code><br />
<br />
Then replace the default email with your own email.<br />
<br />
== Configuring Apache ==<br />
<br />
*Step 1 - enable Apache modules<br />
<br />
<code> sudo a2enmod rewrite </code><br />
<br />
<code> sudo a2enmod cgi </code><br />
<br />
You can use the htpasswd command to configure a user nagiosadmin for the nagios web interface<br />
<br />
<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code><br />
<br />
and type your password.<br />
<br />
*Step 2 - enable the Nagios virtualhost<br />
<br />
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enabled/ </code><br />
<br />
*Step 3 - Start Apache and Nagios<br />
<br />
<code> service apache2 restart </code><br />
Start the nagios (if not working look down, there is solution)<br />
<code> service nagios start </code><br />
<br />
<br />
When Nagios starts, you may see the following error :<br />
<br />
*Starting nagios (via systemctl): nagios.serviceFailed<br />
<br />
And this is how to fix it:<br />
<br />
<code> cd /etc/init.d/ </code><br />
<br />
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code><br />
<br />
Now edit the Nagios file:<br />
<br />
<code> nano /etc/init.d/nagios </code><br />
<br />
<br />
and add the following code:<br />
<br />
<code> DESC="Nagios" </code><br />
<br />
<code> NAME=nagios </code><br />
<br />
<code> DAEMON=/usr/local/nagios/bin/$NAME </code><br />
<br />
<code> DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg" </code><br />
<br />
<code> PIDFILE=/usr/local/nagios/var/$NAME.lock </code><br />
<br />
Make it executable and start Nagios:<br />
<br />
<code> chmod +x /etc/init.d/nagios </code><br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios start </code><br />
<br />
<br />
*If on this step you are unable to start nagios (nagios.service not found) do the following:<br />
<br />
First we are going to create/change the nagios.service :<br />
<br />
<code> nano /etc/systemd/system/nagios.service </code><br />
<br />
this file should be the same as the following: <br />
<br />
[Unit]<br />
Description=Nagios<br />
BindTo=network.target<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
<br />
[Service]<br />
User=nagios<br />
Group=nagios<br />
Type=simple<br />
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg<br />
<br />
Then we need to enable created nagios.service config :<br />
<code>systemctl enable /etc/systemd/system/nagios.service</code><br />
<br />
Now it should work:<br />
<code>service nagios start</code><br />
<br />
=== Testing the Nagios Server ===<br />
<br />
Please open your browser and access the Nagios server ip, in my case: http://192.168.56.200/nagios.<br />
<br />
Nagios Login with apache htpasswd.<br />
<br />
[[File:Nagios Login.png|thumb|center|Nagios Login]]<br />
<br />
Nagios Admin Dashboard<br />
<br />
[[File:Nagios Admin Dashboard.png|thumb|center|Nagios Admin Dashboard]]<br />
<br />
*Adding a Host to Monitor<br />
<br />
In this tutorial, I will add an Ubuntu host to monitor to the Nagios server we have made above.<br />
<br />
Nagios Server IP : 192.168.56.200<br />
Ubuntu Host IP : 192.168.56.100<br />
<br />
*Step 1 - Connect to ubuntu host<br />
<br />
<code> ssh student@192.168.56.100 </code><br />
<br />
*Step 2 - Install NRPE Service<br />
<br />
<code> sudo apt-get install nagios-nrpe-server nagios-plugins </code><br />
<br />
*Step 3 - Configure NRPE<br />
<br />
After the installation is complete, edit the nrpe file /etc/nagios/nrpe.cfg:<br />
<br />
<code> nano /etc/nagios/nrpe.cfg </code><br />
<br />
and add Nagios Server IP 192.168.56.100 to the server_address.<br />
<br />
server_address=192.168.56.200<br />
<br />
*Step 4 - Restart NRPE<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
*Step 5 - Add Ubuntu Host to Nagios Server<br />
<br />
Connect back to the Nagios server:<br />
<br />
<code> ssh student@192.168.56.200 </code><br />
<br />
Then create a new file for the host configuration in /usr/local/nagios/etc/servers/.<br />
<br />
<code> nano /usr/local/nagios/etc/servers/ubuntu_host.cfg </code><br />
<br />
Add the following lines:<br />
<code><br />
<br />
#Ubuntu Host configuration file<br />
define host {<br />
use linux-server<br />
host_name ubuntu_host<br />
alias Ubuntu Host<br />
address 192.168.56<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description PING<br />
check_command check_ping!100.0,20%!500.0,60%<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check Users<br />
check_command check_local_users!20!50<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Local Disk<br />
check_command check_local_disk!20%!10%!/<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check SSH<br />
check_command check_ssh<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Total Process<br />
check_command check_local_procs!250!400!RSZDT<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
<br />
}<br />
<br />
</code><br />
<br />
You can find many check_command in /usr/local/nagios/etc/objects/commands.cfg file. See there if you want to add more services like DHCP, POP etc.<br />
<br />
And now check the configuration:<br />
<code> /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg </code><br />
[[File:Nagios check.png|thumb|center|Nagios check]]<br />
<br />
To see if the configuration is correct.<br />
<br />
*Step 6 - Restart all services<br />
<br />
On the Ubuntu Host start NRPE Service:<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
The Nagios server, start Apache and Nagios:<br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios restart </code><br />
<br />
*Step 7 - Testing the Ubuntu Host<br />
<br />
Open the Nagios server from the browser and see the ubuntu_host being monitored.<br />
The Ubuntu host is available on monitored host.<br />
<br />
[[File:Nagios server.png|thumb|center|Testing Host]]<br />
<br />
[[File:Nagios server2.png|thumb|center|Testing Host]]<br />
<br />
All services monitored without error.<br />
<br />
=Summary=<br />
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information.<br />
<br />
=See also=<br />
<br />
Nagios agent setup<br />
<br />
1-[http://www.tecmint.com/how-to-add-linux-host-to-nagios-monitoring-server/ Agent setup]<br />
<br />
2-[https://assets.nagios.com/downloads/nagiosxi/docs/Installing_The_XI_Linux_Agent.pdf Linux Agent]<br />
<br />
3-[https://exchange.nagios.org/directory/Documentation/Nagios-XI-Documentation/Installing-The-Nagios-Ubuntu-and-Debian-Linux-Agent/details Ubuntu-and-Debian-Linux-Agent]<br />
<br />
=References=<br />
1- [https://en.wikipedia.org/wiki/System_monitoring System monitoring]<br />
<br />
2- [https://www.howtoforge.com/tutorial/ubuntu-nagios/ Nagios tutorial]<br />
<br />
3- [https://www.nagios.com/products/nagios-log-server/ Nagios Log Server]<br />
<br />
<br />
------<br />
<br />
[[Category:Monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Monitoring&diff=114274Monitoring2016-11-08T23:23:01Z<p>Aovtsinn: /* Testing the Nagios Server */</p>
<hr />
<div>Team: <br />
Mohanad Aly,<br />
Artur Ovtsinnikov<br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 23 October 2016<br />
<br />
Last modified: 30 October 2016<br />
<br />
<br />
<br />
= Introduction =<br />
This article introduces the Monitoring application called '''Nagios'''.<br />
<br />
===Monitoring===<br />
Monitoring is the process of keep tracking of system resources.<br />
<br />
Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref><br />
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.<br />
Monitoring is used to:<br />
*check performance<br />
*detect if something worth noticing happened<br />
*prevent something to happen<br />
*detect whether a system is under attack<br />
<br />
===The good solution: Nagios===<br />
As of today, [https://www.nagios.org/] is the most popular open-source solution for monitoring computer systems before <br />
<br />
Monitoring is made of three components:<br />
*Apache <br />
*PHP<br />
*MySQL<br />
<br />
The main advantages of Nagios are:<br />
*Open-source<br />
*Customized Dashboards<br />
*Ease of Use<br />
*Infinite Scalability<br />
*Data in Real Time<br />
*Network Security<br />
<br />
<br />
==Why monitor our servers==<br />
There are many reasons why a system administrator would want to monitor its server(s).<br />
*Prevent undesired events to happen<br />
Without monitoring, a system administrator will react to a problem only when it has already occurred. Such issue can in the worst case cause a failure of the [http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA CIA triad]. It is of course wiser to anticipate such issues and solve the problem before they arise.<br />
The monitoring system sends alerts that help to identify potential sources of futures failures to avoid.<br />
<br />
*Understand what happened in case of failure<br />
In the event of a system failure, the monitoring system will give crucial information to determine where, when and how the problems occurred. <br />
This information makes the debugging process to be much faster and easier.<br />
<br />
In the end, monitoring a system can be seen as an insurance policy. It costs money and time, but the money and time it saves is worth it.<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-10-06 12-02-47.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine IP address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS IP address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
Check for current version<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
Release:16.04<br />
<br />
Then there is no need to upgrade the OS<br />
<br />
==== Upgrade ====<br />
<br />
*First become super user "root":<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list:<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions:<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 16.04 LTS, you can use <code> do-release-upgrade</code> to upgrade to the Ubuntu 16.04 LTS release.<br />
<br />
= Setup of Nagios=<br />
<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
<br />
In this tutorial, Ubuntu 16.04 64-bit distribution will be used since it is the latest LTS.<br />
<br />
Unfortunately, Nagios cannot be installed simply by using one command, because there are some prerequisite applications needed for it to work.<br />
<br />
This tutorial describes the commands and configuration to make the services work together Nagios.<br />
<br />
<br />
=== Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
<br />
*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
Command <br />
<code> sudo apt-get update</code><br />
<br />
=== Installing the prerequisites ===<br />
<br />
*Nagios requires the gcc compiler and build-essentials for the compilation, LAMP (Apache, PHP, MySQL) for the Nagios web interface and Send mail to send alerts from the server. To install all those packages, run this command (it's just 1 line):<br />
Command<br />
<br />
<code> sudo apt-get install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code><br />
<br />
=== User and group configuration ===<br />
<br />
*For Nagios to run, you have to create a new user for Nagios. We will name the user "nagios" and additionally create a group named "nagcmd". We add the new user to the group as shown below:<br />
[[File:Nagios2.png|thumb|right|Nagios add user and group]]<br />
<br />
3- Command<br />
<br />
<code> useradd nagios </code><br />
<br />
4- Command <br />
<br />
<code> groupadd nagcmd </code><br />
<br />
5- Command <br />
<br />
<code> usermod -a -G nagcmd nagios </code><br />
<br />
6- Command <br />
<br />
<code> usermod -a -G nagios,nagcmd www-data </code><br />
<br />
== Installing Nagios == <br />
<br />
*Step 1 - Download and extract the Nagios core<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code><br />
<br />
<code> tar -xzf nagios*.tar.gz </code><br />
<br />
<code> cd nagios-4.2.0 </code><br />
<br />
*Step 2 - Compile Nagios<br />
<br />
Before you build Nagios, you will have to configure it with the user and the group you have created earlier.<br />
<br />
<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code><br />
<br />
For more information please use: ./configure --help .<br />
<br />
*Now to install Nagios:<br />
<br />
<code> make all </code><br />
<br />
<code> sudo make install </code><br />
<br />
<code> sudo make install-commandmode </code><br />
<br />
<code> sudo make install-init </code><br />
<br />
<code> sudo make install-config </code><br />
<br />
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code><br />
<br />
*And copy evenhandler directory to the nagios directory:<br />
<br />
<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code><br />
<br />
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code><br />
<br />
*Step 3 - Install the Nagios Plugins<br />
<br />
Download and extract the Nagios plugins:<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code><br />
<br />
<code> tar -xzf nagios-plugins*.tar.gz </code><br />
<br />
<code> cd nagios-plugins-2.1.2/ </code><br />
<br />
*Install the Nagios plugin's with the commands below:<br />
<br />
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code><br />
<br />
<code> make </code><br />
<br />
<code> make install </code><br />
<br />
*Step 4 - Configure Nagios<br />
<br />
After the installation phase is complete, you can find the default configuration of Nagios in /usr/local/nagios/.<br />
We will configure Nagios and Nagios contact.<br />
Edit default nagios configuration with nano:<br />
<br />
<code> nano /usr/local/nagios/etc/nagios.cfg </code><br />
<br />
uncomment line 51 for the host monitor configuration.<br />
*cfg_dir=/usr/local/nagios/etc/servers<br />
<br />
[[File:Nagios3.png|thumb|right|Nagios Email]]<br />
<br />
Save and exit.<br />
Add a new folder named servers:<br />
<br />
<code> mkdir -p /usr/local/nagios/etc/servers </code><br />
<br />
Change the user and group for the new folder to nagios:<br />
<br />
<code> chown nagios:nagios /usr/local/nagios/etc/servers </code><br />
<br />
The Nagios contact can be configured in the contact.cfg file. To open it use:<br />
<br />
<code> nano /usr/local/nagios/etc/objects/contacts.cfg </code><br />
<br />
Then replace the default email with your own email.<br />
<br />
== Configuring Apache ==<br />
<br />
*Step 1 - enable Apache modules<br />
<br />
<code> sudo a2enmod rewrite </code><br />
<br />
<code> sudo a2enmod cgi </code><br />
<br />
You can use the htpasswd command to configure a user nagiosadmin for the nagios web interface<br />
<br />
<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code><br />
<br />
and type your password.<br />
<br />
*Step 2 - enable the Nagios virtualhost<br />
<br />
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enabled/ </code><br />
<br />
*Step 3 - Start Apache and Nagios<br />
<br />
<code> service apache2 restart </code><br />
Start the nagios (if not working look down, there is solution)<br />
<code> service nagios start </code><br />
<br />
<br />
When Nagios starts, you may see the following error :<br />
<br />
*Starting nagios (via systemctl): nagios.serviceFailed<br />
<br />
And this is how to fix it:<br />
<br />
<code> cd /etc/init.d/ </code><br />
<br />
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code><br />
<br />
Now edit the Nagios file:<br />
<br />
<code> nano /etc/init.d/nagios </code><br />
<br />
<br />
and add the following code:<br />
<br />
<code> DESC="Nagios" </code><br />
<br />
<code> NAME=nagios </code><br />
<br />
<code> DAEMON=/usr/local/nagios/bin/$NAME </code><br />
<br />
<code> DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg" </code><br />
<br />
<code> PIDFILE=/usr/local/nagios/var/$NAME.lock </code><br />
<br />
Make it executable and start Nagios:<br />
<br />
<code> chmod +x /etc/init.d/nagios </code><br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios start </code><br />
<br />
<br />
*If on this step you are unable to start nagios (nagios.service not found) do the following:<br />
<br />
First we are going to create/change the nagios.service :<br />
<br />
<code> nano /etc/systemd/system/nagios.service </code><br />
<br />
this file should be the same as the following: <br />
<br />
[Unit]<br />
Description=Nagios<br />
BindTo=network.target<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
<br />
[Service]<br />
User=nagios<br />
Group=nagios<br />
Type=simple<br />
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg<br />
<br />
Then we need to enable created nagios.service config :<br />
<code>systemctl enable /etc/systemd/system/nagios.service</code><br />
<br />
Now it should work:<br />
<code>service nagios start</code><br />
<br />
=== Testing the Nagios Server ===<br />
<br />
Please open your browser and access the Nagios server ip, in my case: http://192.168.56.200/nagios.<br />
<br />
Nagios Login with apache htpasswd.<br />
<br />
[[File:Nagios Login.png|thumb|center|Nagios Login]]<br />
<br />
Nagios Admin Dashboard<br />
<br />
[[File:Nagios Admin Dashboard.png|thumb|center|Nagios Admin Dashboard]]<br />
<br />
*Adding a Host to Monitor<br />
<br />
In this tutorial, I will add an Ubuntu host to monitor to the Nagios server we have made above.<br />
<br />
Nagios Server IP : 192.168.56.200<br />
Ubuntu Host IP : 192.168.56.100<br />
<br />
*Step 1 - Connect to ubuntu host<br />
<br />
<code> ssh student@192.168.56.100 </code><br />
<br />
*Step 2 - Install NRPE Service<br />
<br />
<code> sudo apt-get install nagios-nrpe-server nagios-plugins </code><br />
<br />
*Step 3 - Configure NRPE<br />
<br />
After the installation is complete, edit the nrpe file /etc/nagios/nrpe.cfg:<br />
<br />
<code> nano /etc/nagios/nrpe.cfg </code><br />
<br />
and add Nagios Server IP 192.168.56.100 to the server_address.<br />
<br />
server_address=192.168.56.200<br />
<br />
*Step 4 - Restart NRPE<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
*Step 5 - Add Ubuntu Host to Nagios Server<br />
<br />
Connect back to the Nagios server:<br />
<br />
<code> ssh student@192.168.56.200 </code><br />
<br />
Then create a new file for the host configuration in /usr/local/nagios/etc/servers/.<br />
<br />
<code> nano /usr/local/nagios/etc/servers/ubuntu_host.cfg </code><br />
<br />
Add the following lines:<br />
<code><br />
<br />
#Ubuntu Host configuration file<br />
define host {<br />
use linux-server<br />
host_name ubuntu_host<br />
alias Ubuntu Host<br />
address 192.168.56<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description PING<br />
check_command check_ping!100.0,20%!500.0,60%<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check Users<br />
check_command check_local_users!20!50<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Local Disk<br />
check_command check_local_disk!20%!10%!/<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check SSH<br />
check_command check_ssh<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Total Process<br />
check_command check_local_procs!250!400!RSZDT<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
<br />
}<br />
<br />
</code><br />
<br />
You can find many check_command in /usr/local/nagios/etc/objects/commands.cfg file. See there if you want to add more services like DHCP, POP etc.<br />
<br />
And now check the configuration:<br />
<code> /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg </code><br />
[[File:Nagios check.png|thumb|center|Nagios check]]<br />
<br />
To see if the configuration is correct.<br />
<br />
*Step 6 - Restart all services<br />
<br />
On the Ubuntu Host start NRPE Service:<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
The Nagios server, start Apache and Nagios:<br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios restart </code><br />
<br />
*Step 7 - Testing the Ubuntu Host<br />
<br />
Open the Nagios server from the browser and see the ubuntu_host being monitored.<br />
The Ubuntu host is available on monitored host.<br />
<br />
[[File:Nagios server.png|thumb|center|Testing Host]]<br />
<br />
[[File:Nagios server2.png|thumb|center|Testing Host]]<br />
<br />
All services monitored without error.<br />
<br />
=Summary=<br />
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information.<br />
<br />
=See also=<br />
<br />
Nagios agent setup<br />
<br />
1-[http://www.tecmint.com/how-to-add-linux-host-to-nagios-monitoring-server/ Agent setup]<br />
<br />
2-[https://assets.nagios.com/downloads/nagiosxi/docs/Installing_The_XI_Linux_Agent.pdf Linux Agent]<br />
<br />
3-[https://exchange.nagios.org/directory/Documentation/Nagios-XI-Documentation/Installing-The-Nagios-Ubuntu-and-Debian-Linux-Agent/details Ubuntu-and-Debian-Linux-Agent]<br />
<br />
=References=<br />
1- [https://en.wikipedia.org/wiki/System_monitoring System monitoring]<br />
<br />
2- [https://www.howtoforge.com/tutorial/ubuntu-nagios/ Nagios tutorial]<br />
<br />
3- [https://www.nagios.com/products/nagios-log-server/ Nagios Log Server]<br />
<br />
<br />
------<br />
<br />
[[Category:Monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Monitoring&diff=114273Monitoring2016-11-08T22:28:42Z<p>Aovtsinn: /* Configuring Apache */</p>
<hr />
<div>Team: <br />
Mohanad Aly,<br />
Artur Ovtsinnikov<br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 23 October 2016<br />
<br />
Last modified: 30 October 2016<br />
<br />
<br />
<br />
= Introduction =<br />
This article introduces the Monitoring application called '''Nagios'''.<br />
<br />
===Monitoring===<br />
Monitoring is the process of keep tracking of system resources.<br />
<br />
Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref><br />
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.<br />
Monitoring is used to:<br />
*check performance<br />
*detect if something worth noticing happened<br />
*prevent something to happen<br />
*detect whether a system is under attack<br />
<br />
===The good solution: Nagios===<br />
As of today, [https://www.nagios.org/] is the most popular open-source solution for monitoring computer systems before <br />
<br />
Monitoring is made of three components:<br />
*Apache <br />
*PHP<br />
*MySQL<br />
<br />
The main advantages of Nagios are:<br />
*Open-source<br />
*Customized Dashboards<br />
*Ease of Use<br />
*Infinite Scalability<br />
*Data in Real Time<br />
*Network Security<br />
<br />
<br />
==Why monitor our servers==<br />
There are many reasons why a system administrator would want to monitor its server(s).<br />
*Prevent undesired events to happen<br />
Without monitoring, a system administrator will react to a problem only when it has already occurred. Such issue can in the worst case cause a failure of the [http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA CIA triad]. It is of course wiser to anticipate such issues and solve the problem before they arise.<br />
The monitoring system sends alerts that help to identify potential sources of futures failures to avoid.<br />
<br />
*Understand what happened in case of failure<br />
In the event of a system failure, the monitoring system will give crucial information to determine where, when and how the problems occurred. <br />
This information makes the debugging process to be much faster and easier.<br />
<br />
In the end, monitoring a system can be seen as an insurance policy. It costs money and time, but the money and time it saves is worth it.<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-10-06 12-02-47.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine IP address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS IP address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
Check for current version<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
Release:16.04<br />
<br />
Then there is no need to upgrade the OS<br />
<br />
==== Upgrade ====<br />
<br />
*First become super user "root":<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list:<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions:<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 16.04 LTS, you can use <code> do-release-upgrade</code> to upgrade to the Ubuntu 16.04 LTS release.<br />
<br />
= Setup of Nagios=<br />
<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
<br />
In this tutorial, Ubuntu 16.04 64-bit distribution will be used since it is the latest LTS.<br />
<br />
Unfortunately, Nagios cannot be installed simply by using one command, because there are some prerequisite applications needed for it to work.<br />
<br />
This tutorial describes the commands and configuration to make the services work together Nagios.<br />
<br />
<br />
=== Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
<br />
*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
Command <br />
<code> sudo apt-get update</code><br />
<br />
=== Installing the prerequisites ===<br />
<br />
*Nagios requires the gcc compiler and build-essentials for the compilation, LAMP (Apache, PHP, MySQL) for the Nagios web interface and Send mail to send alerts from the server. To install all those packages, run this command (it's just 1 line):<br />
Command<br />
<br />
<code> sudo apt-get install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code><br />
<br />
=== User and group configuration ===<br />
<br />
*For Nagios to run, you have to create a new user for Nagios. We will name the user "nagios" and additionally create a group named "nagcmd". We add the new user to the group as shown below:<br />
[[File:Nagios2.png|thumb|right|Nagios add user and group]]<br />
<br />
3- Command<br />
<br />
<code> useradd nagios </code><br />
<br />
4- Command <br />
<br />
<code> groupadd nagcmd </code><br />
<br />
5- Command <br />
<br />
<code> usermod -a -G nagcmd nagios </code><br />
<br />
6- Command <br />
<br />
<code> usermod -a -G nagios,nagcmd www-data </code><br />
<br />
== Installing Nagios == <br />
<br />
*Step 1 - Download and extract the Nagios core<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code><br />
<br />
<code> tar -xzf nagios*.tar.gz </code><br />
<br />
<code> cd nagios-4.2.0 </code><br />
<br />
*Step 2 - Compile Nagios<br />
<br />
Before you build Nagios, you will have to configure it with the user and the group you have created earlier.<br />
<br />
<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code><br />
<br />
For more information please use: ./configure --help .<br />
<br />
*Now to install Nagios:<br />
<br />
<code> make all </code><br />
<br />
<code> sudo make install </code><br />
<br />
<code> sudo make install-commandmode </code><br />
<br />
<code> sudo make install-init </code><br />
<br />
<code> sudo make install-config </code><br />
<br />
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code><br />
<br />
*And copy evenhandler directory to the nagios directory:<br />
<br />
<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code><br />
<br />
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code><br />
<br />
*Step 3 - Install the Nagios Plugins<br />
<br />
Download and extract the Nagios plugins:<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code><br />
<br />
<code> tar -xzf nagios-plugins*.tar.gz </code><br />
<br />
<code> cd nagios-plugins-2.1.2/ </code><br />
<br />
*Install the Nagios plugin's with the commands below:<br />
<br />
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code><br />
<br />
<code> make </code><br />
<br />
<code> make install </code><br />
<br />
*Step 4 - Configure Nagios<br />
<br />
After the installation phase is complete, you can find the default configuration of Nagios in /usr/local/nagios/.<br />
We will configure Nagios and Nagios contact.<br />
Edit default nagios configuration with nano:<br />
<br />
<code> nano /usr/local/nagios/etc/nagios.cfg </code><br />
<br />
uncomment line 51 for the host monitor configuration.<br />
*cfg_dir=/usr/local/nagios/etc/servers<br />
<br />
[[File:Nagios3.png|thumb|right|Nagios Email]]<br />
<br />
Save and exit.<br />
Add a new folder named servers:<br />
<br />
<code> mkdir -p /usr/local/nagios/etc/servers </code><br />
<br />
Change the user and group for the new folder to nagios:<br />
<br />
<code> chown nagios:nagios /usr/local/nagios/etc/servers </code><br />
<br />
The Nagios contact can be configured in the contact.cfg file. To open it use:<br />
<br />
<code> nano /usr/local/nagios/etc/objects/contacts.cfg </code><br />
<br />
Then replace the default email with your own email.<br />
<br />
== Configuring Apache ==<br />
<br />
*Step 1 - enable Apache modules<br />
<br />
<code> sudo a2enmod rewrite </code><br />
<br />
<code> sudo a2enmod cgi </code><br />
<br />
You can use the htpasswd command to configure a user nagiosadmin for the nagios web interface<br />
<br />
<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code><br />
<br />
and type your password.<br />
<br />
*Step 2 - enable the Nagios virtualhost<br />
<br />
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enabled/ </code><br />
<br />
*Step 3 - Start Apache and Nagios<br />
<br />
<code> service apache2 restart </code><br />
Start the nagios (if not working look down, there is solution)<br />
<code> service nagios start </code><br />
<br />
<br />
When Nagios starts, you may see the following error :<br />
<br />
*Starting nagios (via systemctl): nagios.serviceFailed<br />
<br />
And this is how to fix it:<br />
<br />
<code> cd /etc/init.d/ </code><br />
<br />
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code><br />
<br />
Now edit the Nagios file:<br />
<br />
<code> nano /etc/init.d/nagios </code><br />
<br />
<br />
and add the following code:<br />
<br />
<code> DESC="Nagios" </code><br />
<br />
<code> NAME=nagios </code><br />
<br />
<code> DAEMON=/usr/local/nagios/bin/$NAME </code><br />
<br />
<code> DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg" </code><br />
<br />
<code> PIDFILE=/usr/local/nagios/var/$NAME.lock </code><br />
<br />
Make it executable and start Nagios:<br />
<br />
<code> chmod +x /etc/init.d/nagios </code><br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios start </code><br />
<br />
<br />
*If on this step you are unable to start nagios (nagios.service not found) do the following:<br />
<br />
First we are going to create/change the nagios.service :<br />
<br />
<code> nano /etc/systemd/system/nagios.service </code><br />
<br />
this file should be the same as the following: <br />
<br />
[Unit]<br />
Description=Nagios<br />
BindTo=network.target<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
<br />
[Service]<br />
User=nagios<br />
Group=nagios<br />
Type=simple<br />
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg<br />
<br />
Then we need to enable created nagios.service config :<br />
<code>systemctl enable /etc/systemd/system/nagios.service</code><br />
<br />
Now it should work:<br />
<code>service nagios start</code><br />
<br />
=== Testing the Nagios Server ===<br />
<br />
Please open your browser and access the Nagios server ip, in my case: http://192.168.1.9/nagios.<br />
<br />
Nagios Login with apache htpasswd.<br />
<br />
[[File:Nagios Login.png|thumb|center|Nagios Login]]<br />
<br />
Nagios Admin Dashboard<br />
<br />
[[File:Nagios Admin Dashboard.png|thumb|center|Nagios Admin Dashboard]]<br />
<br />
*Adding a Host to Monitor<br />
<br />
In this tutorial, I will add an Ubuntu host to monitor to the Nagios server we have made above.<br />
<br />
Nagios Server IP : 192.168.1.9<br />
Ubuntu Host IP : 192.168.1.10<br />
<br />
*Step 1 - Connect to ubuntu host<br />
<br />
<code> ssh student@192.168.56.100 </code><br />
<br />
*Step 2 - Install NRPE Service<br />
<br />
<code> sudo apt-get install nagios-nrpe-server nagios-plugins </code><br />
<br />
*Step 3 - Configure NRPE<br />
<br />
After the installation is complete, edit the nrpe file /etc/nagios/nrpe.cfg:<br />
<br />
<code> nano /etc/nagios/nrpe.cfg </code><br />
<br />
and add Nagios Server IP 192.168.1.9 to the server_address.<br />
<br />
server_address=192.168.56.200<br />
<br />
*Step 4 - Restart NRPE<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
*Step 5 - Add Ubuntu Host to Nagios Server<br />
<br />
Connect back to the Nagios server:<br />
<br />
<code> ssh student@192.168.56.200 </code><br />
<br />
Then create a new file for the host configuration in /usr/local/nagios/etc/servers/.<br />
<br />
<code> nano /usr/local/nagios/etc/servers/ubuntu_host.cfg </code><br />
<br />
Add the following lines:<br />
<code><br />
<br />
#Ubuntu Host configuration file<br />
define host {<br />
use linux-server<br />
host_name ubuntu_host<br />
alias Ubuntu Host<br />
address 192.168.1.10<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description PING<br />
check_command check_ping!100.0,20%!500.0,60%<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check Users<br />
check_command check_local_users!20!50<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Local Disk<br />
check_command check_local_disk!20%!10%!/<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check SSH<br />
check_command check_ssh<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Total Process<br />
check_command check_local_procs!250!400!RSZDT<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
<br />
}<br />
<br />
</code><br />
<br />
You can find many check_command in /usr/local/nagios/etc/objects/commands.cfg file. See there if you want to add more services like DHCP, POP etc.<br />
<br />
And now check the configuration:<br />
<code> /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg </code><br />
[[File:Nagios check.png|thumb|center|Nagios check]]<br />
<br />
To see if the configuration is correct.<br />
<br />
*Step 6 - Restart all services<br />
<br />
On the Ubuntu Host start NRPE Service:<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
The Nagios server, start Apache and Nagios:<br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios restart </code><br />
<br />
*Step 7 - Testing the Ubuntu Host<br />
<br />
Open the Nagios server from the browser and see the ubuntu_host being monitored.<br />
The Ubuntu host is available on monitored host.<br />
<br />
[[File:Nagios server.png|thumb|center|Testing Host]]<br />
<br />
[[File:Nagios server2.png|thumb|center|Testing Host]]<br />
<br />
All services monitored without error.<br />
<br />
=Summary=<br />
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information.<br />
<br />
=See also=<br />
<br />
Nagios agent setup<br />
<br />
1-[http://www.tecmint.com/how-to-add-linux-host-to-nagios-monitoring-server/ Agent setup]<br />
<br />
2-[https://assets.nagios.com/downloads/nagiosxi/docs/Installing_The_XI_Linux_Agent.pdf Linux Agent]<br />
<br />
3-[https://exchange.nagios.org/directory/Documentation/Nagios-XI-Documentation/Installing-The-Nagios-Ubuntu-and-Debian-Linux-Agent/details Ubuntu-and-Debian-Linux-Agent]<br />
<br />
=References=<br />
1- [https://en.wikipedia.org/wiki/System_monitoring System monitoring]<br />
<br />
2- [https://www.howtoforge.com/tutorial/ubuntu-nagios/ Nagios tutorial]<br />
<br />
3- [https://www.nagios.com/products/nagios-log-server/ Nagios Log Server]<br />
<br />
<br />
------<br />
<br />
[[Category:Monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Monitoring&diff=114272Monitoring2016-11-08T22:26:08Z<p>Aovtsinn: /* Configuring Apache */</p>
<hr />
<div>Team: <br />
Mohanad Aly,<br />
Artur Ovtsinnikov<br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 23 October 2016<br />
<br />
Last modified: 30 October 2016<br />
<br />
<br />
<br />
= Introduction =<br />
This article introduces the Monitoring application called '''Nagios'''.<br />
<br />
===Monitoring===<br />
Monitoring is the process of keep tracking of system resources.<br />
<br />
Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref><br />
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.<br />
Monitoring is used to:<br />
*check performance<br />
*detect if something worth noticing happened<br />
*prevent something to happen<br />
*detect whether a system is under attack<br />
<br />
===The good solution: Nagios===<br />
As of today, [https://www.nagios.org/] is the most popular open-source solution for monitoring computer systems before <br />
<br />
Monitoring is made of three components:<br />
*Apache <br />
*PHP<br />
*MySQL<br />
<br />
The main advantages of Nagios are:<br />
*Open-source<br />
*Customized Dashboards<br />
*Ease of Use<br />
*Infinite Scalability<br />
*Data in Real Time<br />
*Network Security<br />
<br />
<br />
==Why monitor our servers==<br />
There are many reasons why a system administrator would want to monitor its server(s).<br />
*Prevent undesired events to happen<br />
Without monitoring, a system administrator will react to a problem only when it has already occurred. Such issue can in the worst case cause a failure of the [http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA CIA triad]. It is of course wiser to anticipate such issues and solve the problem before they arise.<br />
The monitoring system sends alerts that help to identify potential sources of futures failures to avoid.<br />
<br />
*Understand what happened in case of failure<br />
In the event of a system failure, the monitoring system will give crucial information to determine where, when and how the problems occurred. <br />
This information makes the debugging process to be much faster and easier.<br />
<br />
In the end, monitoring a system can be seen as an insurance policy. It costs money and time, but the money and time it saves is worth it.<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-10-06 12-02-47.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine IP address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS IP address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
Check for current version<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
Release:16.04<br />
<br />
Then there is no need to upgrade the OS<br />
<br />
==== Upgrade ====<br />
<br />
*First become super user "root":<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list:<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions:<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 16.04 LTS, you can use <code> do-release-upgrade</code> to upgrade to the Ubuntu 16.04 LTS release.<br />
<br />
= Setup of Nagios=<br />
<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
<br />
In this tutorial, Ubuntu 16.04 64-bit distribution will be used since it is the latest LTS.<br />
<br />
Unfortunately, Nagios cannot be installed simply by using one command, because there are some prerequisite applications needed for it to work.<br />
<br />
This tutorial describes the commands and configuration to make the services work together Nagios.<br />
<br />
<br />
=== Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
<br />
*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
Command <br />
<code> sudo apt-get update</code><br />
<br />
=== Installing the prerequisites ===<br />
<br />
*Nagios requires the gcc compiler and build-essentials for the compilation, LAMP (Apache, PHP, MySQL) for the Nagios web interface and Send mail to send alerts from the server. To install all those packages, run this command (it's just 1 line):<br />
Command<br />
<br />
<code> sudo apt-get install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code><br />
<br />
=== User and group configuration ===<br />
<br />
*For Nagios to run, you have to create a new user for Nagios. We will name the user "nagios" and additionally create a group named "nagcmd". We add the new user to the group as shown below:<br />
[[File:Nagios2.png|thumb|right|Nagios add user and group]]<br />
<br />
3- Command<br />
<br />
<code> useradd nagios </code><br />
<br />
4- Command <br />
<br />
<code> groupadd nagcmd </code><br />
<br />
5- Command <br />
<br />
<code> usermod -a -G nagcmd nagios </code><br />
<br />
6- Command <br />
<br />
<code> usermod -a -G nagios,nagcmd www-data </code><br />
<br />
== Installing Nagios == <br />
<br />
*Step 1 - Download and extract the Nagios core<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code><br />
<br />
<code> tar -xzf nagios*.tar.gz </code><br />
<br />
<code> cd nagios-4.2.0 </code><br />
<br />
*Step 2 - Compile Nagios<br />
<br />
Before you build Nagios, you will have to configure it with the user and the group you have created earlier.<br />
<br />
<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code><br />
<br />
For more information please use: ./configure --help .<br />
<br />
*Now to install Nagios:<br />
<br />
<code> make all </code><br />
<br />
<code> sudo make install </code><br />
<br />
<code> sudo make install-commandmode </code><br />
<br />
<code> sudo make install-init </code><br />
<br />
<code> sudo make install-config </code><br />
<br />
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code><br />
<br />
*And copy evenhandler directory to the nagios directory:<br />
<br />
<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code><br />
<br />
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code><br />
<br />
*Step 3 - Install the Nagios Plugins<br />
<br />
Download and extract the Nagios plugins:<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code><br />
<br />
<code> tar -xzf nagios-plugins*.tar.gz </code><br />
<br />
<code> cd nagios-plugins-2.1.2/ </code><br />
<br />
*Install the Nagios plugin's with the commands below:<br />
<br />
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code><br />
<br />
<code> make </code><br />
<br />
<code> make install </code><br />
<br />
*Step 4 - Configure Nagios<br />
<br />
After the installation phase is complete, you can find the default configuration of Nagios in /usr/local/nagios/.<br />
We will configure Nagios and Nagios contact.<br />
Edit default nagios configuration with nano:<br />
<br />
<code> nano /usr/local/nagios/etc/nagios.cfg </code><br />
<br />
uncomment line 51 for the host monitor configuration.<br />
*cfg_dir=/usr/local/nagios/etc/servers<br />
<br />
[[File:Nagios3.png|thumb|right|Nagios Email]]<br />
<br />
Save and exit.<br />
Add a new folder named servers:<br />
<br />
<code> mkdir -p /usr/local/nagios/etc/servers </code><br />
<br />
Change the user and group for the new folder to nagios:<br />
<br />
<code> chown nagios:nagios /usr/local/nagios/etc/servers </code><br />
<br />
The Nagios contact can be configured in the contact.cfg file. To open it use:<br />
<br />
<code> nano /usr/local/nagios/etc/objects/contacts.cfg </code><br />
<br />
Then replace the default email with your own email.<br />
<br />
== Configuring Apache ==<br />
<br />
*Step 1 - enable Apache modules<br />
<br />
<code> sudo a2enmod rewrite </code><br />
<br />
<code> sudo a2enmod cgi </code><br />
<br />
You can use the htpasswd command to configure a user nagiosadmin for the nagios web interface<br />
<br />
<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code><br />
<br />
and type your password.<br />
<br />
*Step 2 - enable the Nagios virtualhost<br />
<br />
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enabled/ </code><br />
<br />
*Step 3 - Start Apache and Nagios<br />
<br />
<code> service apache2 restart </code><br />
Start the nagios (if not working look Step 3.1)<br />
<code> service nagios start </code><br />
<br />
*Step 3.1 - If on this step you are unable to start nagios (nagios.service not found) do the following:<br />
<br />
First we are going to create/change the nagios.service :<br />
<br />
<code> nano /etc/systemd/system/nagios.service </code><br />
<br />
this file should be the same as the following: <br />
<br />
[Unit]<br />
Description=Nagios<br />
BindTo=network.target<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
<br />
[Service]<br />
User=nagios<br />
Group=nagios<br />
Type=simple<br />
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg<br />
<br />
Then we need to enable created nagios.service config :<br />
<code>systemctl enable /etc/systemd/system/nagios.service</code><br />
<br />
Now it should work:<br />
<code>service nagios start</code><br />
<br />
<br />
When Nagios starts, you may see the following error :<br />
<br />
*Starting nagios (via systemctl): nagios.serviceFailed<br />
<br />
And this is how to fix it:<br />
<br />
<code> cd /etc/init.d/ </code><br />
<br />
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code><br />
<br />
Now edit the Nagios file:<br />
<br />
<code> nano /etc/init.d/nagios </code><br />
<br />
<br />
and add the following code:<br />
<br />
<code> DESC="Nagios" </code><br />
<br />
<code> NAME=nagios </code><br />
<br />
<code> DAEMON=/usr/local/nagios/bin/$NAME </code><br />
<br />
<code> DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg" </code><br />
<br />
<code> PIDFILE=/usr/local/nagios/var/$NAME.lock </code><br />
<br />
Make it executable and start Nagios:<br />
<br />
<code> chmod +x /etc/init.d/nagios </code><br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios start </code><br />
<br />
<br />
=== Testing the Nagios Server ===<br />
<br />
Please open your browser and access the Nagios server ip, in my case: http://192.168.1.9/nagios.<br />
<br />
Nagios Login with apache htpasswd.<br />
<br />
[[File:Nagios Login.png|thumb|center|Nagios Login]]<br />
<br />
Nagios Admin Dashboard<br />
<br />
[[File:Nagios Admin Dashboard.png|thumb|center|Nagios Admin Dashboard]]<br />
<br />
*Adding a Host to Monitor<br />
<br />
In this tutorial, I will add an Ubuntu host to monitor to the Nagios server we have made above.<br />
<br />
Nagios Server IP : 192.168.1.9<br />
Ubuntu Host IP : 192.168.1.10<br />
<br />
*Step 1 - Connect to ubuntu host<br />
<br />
<code> ssh student@192.168.56.100 </code><br />
<br />
*Step 2 - Install NRPE Service<br />
<br />
<code> sudo apt-get install nagios-nrpe-server nagios-plugins </code><br />
<br />
*Step 3 - Configure NRPE<br />
<br />
After the installation is complete, edit the nrpe file /etc/nagios/nrpe.cfg:<br />
<br />
<code> nano /etc/nagios/nrpe.cfg </code><br />
<br />
and add Nagios Server IP 192.168.1.9 to the server_address.<br />
<br />
server_address=192.168.56.200<br />
<br />
*Step 4 - Restart NRPE<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
*Step 5 - Add Ubuntu Host to Nagios Server<br />
<br />
Connect back to the Nagios server:<br />
<br />
<code> ssh student@192.168.56.200 </code><br />
<br />
Then create a new file for the host configuration in /usr/local/nagios/etc/servers/.<br />
<br />
<code> nano /usr/local/nagios/etc/servers/ubuntu_host.cfg </code><br />
<br />
Add the following lines:<br />
<code><br />
<br />
#Ubuntu Host configuration file<br />
define host {<br />
use linux-server<br />
host_name ubuntu_host<br />
alias Ubuntu Host<br />
address 192.168.1.10<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description PING<br />
check_command check_ping!100.0,20%!500.0,60%<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check Users<br />
check_command check_local_users!20!50<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Local Disk<br />
check_command check_local_disk!20%!10%!/<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check SSH<br />
check_command check_ssh<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Total Process<br />
check_command check_local_procs!250!400!RSZDT<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
<br />
}<br />
<br />
</code><br />
<br />
You can find many check_command in /usr/local/nagios/etc/objects/commands.cfg file. See there if you want to add more services like DHCP, POP etc.<br />
<br />
And now check the configuration:<br />
<code> /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg </code><br />
[[File:Nagios check.png|thumb|center|Nagios check]]<br />
<br />
To see if the configuration is correct.<br />
<br />
*Step 6 - Restart all services<br />
<br />
On the Ubuntu Host start NRPE Service:<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
The Nagios server, start Apache and Nagios:<br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios restart </code><br />
<br />
*Step 7 - Testing the Ubuntu Host<br />
<br />
Open the Nagios server from the browser and see the ubuntu_host being monitored.<br />
The Ubuntu host is available on monitored host.<br />
<br />
[[File:Nagios server.png|thumb|center|Testing Host]]<br />
<br />
[[File:Nagios server2.png|thumb|center|Testing Host]]<br />
<br />
All services monitored without error.<br />
<br />
=Summary=<br />
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information.<br />
<br />
=See also=<br />
<br />
Nagios agent setup<br />
<br />
1-[http://www.tecmint.com/how-to-add-linux-host-to-nagios-monitoring-server/ Agent setup]<br />
<br />
2-[https://assets.nagios.com/downloads/nagiosxi/docs/Installing_The_XI_Linux_Agent.pdf Linux Agent]<br />
<br />
3-[https://exchange.nagios.org/directory/Documentation/Nagios-XI-Documentation/Installing-The-Nagios-Ubuntu-and-Debian-Linux-Agent/details Ubuntu-and-Debian-Linux-Agent]<br />
<br />
=References=<br />
1- [https://en.wikipedia.org/wiki/System_monitoring System monitoring]<br />
<br />
2- [https://www.howtoforge.com/tutorial/ubuntu-nagios/ Nagios tutorial]<br />
<br />
3- [https://www.nagios.com/products/nagios-log-server/ Nagios Log Server]<br />
<br />
<br />
------<br />
<br />
[[Category:Monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Monitoring&diff=114271Monitoring2016-11-08T21:59:46Z<p>Aovtsinn: /* Installing Nagios */</p>
<hr />
<div>Team: <br />
Mohanad Aly,<br />
Artur Ovtsinnikov<br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 23 October 2016<br />
<br />
Last modified: 30 October 2016<br />
<br />
<br />
<br />
= Introduction =<br />
This article introduces the Monitoring application called '''Nagios'''.<br />
<br />
===Monitoring===<br />
Monitoring is the process of keep tracking of system resources.<br />
<br />
Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref><br />
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.<br />
Monitoring is used to:<br />
*check performance<br />
*detect if something worth noticing happened<br />
*prevent something to happen<br />
*detect whether a system is under attack<br />
<br />
===The good solution: Nagios===<br />
As of today, [https://www.nagios.org/] is the most popular open-source solution for monitoring computer systems before <br />
<br />
Monitoring is made of three components:<br />
*Apache <br />
*PHP<br />
*MySQL<br />
<br />
The main advantages of Nagios are:<br />
*Open-source<br />
*Customized Dashboards<br />
*Ease of Use<br />
*Infinite Scalability<br />
*Data in Real Time<br />
*Network Security<br />
<br />
<br />
==Why monitor our servers==<br />
There are many reasons why a system administrator would want to monitor its server(s).<br />
*Prevent undesired events to happen<br />
Without monitoring, a system administrator will react to a problem only when it has already occurred. Such issue can in the worst case cause a failure of the [http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA CIA triad]. It is of course wiser to anticipate such issues and solve the problem before they arise.<br />
The monitoring system sends alerts that help to identify potential sources of futures failures to avoid.<br />
<br />
*Understand what happened in case of failure<br />
In the event of a system failure, the monitoring system will give crucial information to determine where, when and how the problems occurred. <br />
This information makes the debugging process to be much faster and easier.<br />
<br />
In the end, monitoring a system can be seen as an insurance policy. It costs money and time, but the money and time it saves is worth it.<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-10-06 12-02-47.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine IP address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS IP address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
Check for current version<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
Release:16.04<br />
<br />
Then there is no need to upgrade the OS<br />
<br />
==== Upgrade ====<br />
<br />
*First become super user "root":<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list:<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions:<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 16.04 LTS, you can use <code> do-release-upgrade</code> to upgrade to the Ubuntu 16.04 LTS release.<br />
<br />
= Setup of Nagios=<br />
<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
<br />
In this tutorial, Ubuntu 16.04 64-bit distribution will be used since it is the latest LTS.<br />
<br />
Unfortunately, Nagios cannot be installed simply by using one command, because there are some prerequisite applications needed for it to work.<br />
<br />
This tutorial describes the commands and configuration to make the services work together Nagios.<br />
<br />
<br />
=== Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
<br />
*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
Command <br />
<code> sudo apt-get update</code><br />
<br />
=== Installing the prerequisites ===<br />
<br />
*Nagios requires the gcc compiler and build-essentials for the compilation, LAMP (Apache, PHP, MySQL) for the Nagios web interface and Send mail to send alerts from the server. To install all those packages, run this command (it's just 1 line):<br />
Command<br />
<br />
<code> sudo apt-get install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code><br />
<br />
=== User and group configuration ===<br />
<br />
*For Nagios to run, you have to create a new user for Nagios. We will name the user "nagios" and additionally create a group named "nagcmd". We add the new user to the group as shown below:<br />
[[File:Nagios2.png|thumb|right|Nagios add user and group]]<br />
<br />
3- Command<br />
<br />
<code> useradd nagios </code><br />
<br />
4- Command <br />
<br />
<code> groupadd nagcmd </code><br />
<br />
5- Command <br />
<br />
<code> usermod -a -G nagcmd nagios </code><br />
<br />
6- Command <br />
<br />
<code> usermod -a -G nagios,nagcmd www-data </code><br />
<br />
== Installing Nagios == <br />
<br />
*Step 1 - Download and extract the Nagios core<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code><br />
<br />
<code> tar -xzf nagios*.tar.gz </code><br />
<br />
<code> cd nagios-4.2.0 </code><br />
<br />
*Step 2 - Compile Nagios<br />
<br />
Before you build Nagios, you will have to configure it with the user and the group you have created earlier.<br />
<br />
<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code><br />
<br />
For more information please use: ./configure --help .<br />
<br />
*Now to install Nagios:<br />
<br />
<code> make all </code><br />
<br />
<code> sudo make install </code><br />
<br />
<code> sudo make install-commandmode </code><br />
<br />
<code> sudo make install-init </code><br />
<br />
<code> sudo make install-config </code><br />
<br />
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code><br />
<br />
*And copy evenhandler directory to the nagios directory:<br />
<br />
<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code><br />
<br />
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code><br />
<br />
*Step 3 - Install the Nagios Plugins<br />
<br />
Download and extract the Nagios plugins:<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code><br />
<br />
<code> tar -xzf nagios-plugins*.tar.gz </code><br />
<br />
<code> cd nagios-plugins-2.1.2/ </code><br />
<br />
*Install the Nagios plugin's with the commands below:<br />
<br />
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code><br />
<br />
<code> make </code><br />
<br />
<code> make install </code><br />
<br />
*Step 4 - Configure Nagios<br />
<br />
After the installation phase is complete, you can find the default configuration of Nagios in /usr/local/nagios/.<br />
We will configure Nagios and Nagios contact.<br />
Edit default nagios configuration with nano:<br />
<br />
<code> nano /usr/local/nagios/etc/nagios.cfg </code><br />
<br />
uncomment line 51 for the host monitor configuration.<br />
*cfg_dir=/usr/local/nagios/etc/servers<br />
<br />
[[File:Nagios3.png|thumb|right|Nagios Email]]<br />
<br />
Save and exit.<br />
Add a new folder named servers:<br />
<br />
<code> mkdir -p /usr/local/nagios/etc/servers </code><br />
<br />
Change the user and group for the new folder to nagios:<br />
<br />
<code> chown nagios:nagios /usr/local/nagios/etc/servers </code><br />
<br />
The Nagios contact can be configured in the contact.cfg file. To open it use:<br />
<br />
<code> nano /usr/local/nagios/etc/objects/contacts.cfg </code><br />
<br />
Then replace the default email with your own email.<br />
<br />
== Configuring Apache ==<br />
<br />
*Step 1 - enable Apache modules<br />
<br />
<code> sudo a2enmod rewrite </code><br />
<br />
<code> sudo a2enmod cgi </code><br />
<br />
You can use the htpasswd command to configure a user nagiosadmin for the nagios web interface<br />
<br />
<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code><br />
<br />
and type your password.<br />
<br />
*Step 2 - enable the Nagios virtualhost<br />
<br />
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enabled/ </code><br />
<br />
*Step 3 - Start Apache and Nagios<br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios start </code><br />
<br />
When Nagios starts, you may see the following error :<br />
<br />
*Starting nagios (via systemctl): nagios.serviceFailed<br />
<br />
And this is how to fix it:<br />
<br />
<code> cd /etc/init.d/ </code><br />
<br />
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code><br />
<br />
Now edit the Nagios file:<br />
<br />
<code> nano /etc/init.d/nagios </code><br />
<br />
<br />
and add the following code:<br />
<br />
<code> DESC="Nagios" </code><br />
<br />
<code> NAME=nagios </code><br />
<br />
<code> DAEMON=/usr/local/nagios/bin/$NAME </code><br />
<br />
<code> DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg" </code><br />
<br />
<code> PIDFILE=/usr/local/nagios/var/$NAME.lock </code><br />
<br />
Make it executable and start Nagios:<br />
<br />
<code> chmod +x /etc/init.d/nagios </code><br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios start </code><br />
<br />
<br />
=== Testing the Nagios Server ===<br />
<br />
Please open your browser and access the Nagios server ip, in my case: http://192.168.1.9/nagios.<br />
<br />
Nagios Login with apache htpasswd.<br />
<br />
[[File:Nagios Login.png|thumb|center|Nagios Login]]<br />
<br />
Nagios Admin Dashboard<br />
<br />
[[File:Nagios Admin Dashboard.png|thumb|center|Nagios Admin Dashboard]]<br />
<br />
*Adding a Host to Monitor<br />
<br />
In this tutorial, I will add an Ubuntu host to monitor to the Nagios server we have made above.<br />
<br />
Nagios Server IP : 192.168.1.9<br />
Ubuntu Host IP : 192.168.1.10<br />
<br />
*Step 1 - Connect to ubuntu host<br />
<br />
<code> ssh student@192.168.56.100 </code><br />
<br />
*Step 2 - Install NRPE Service<br />
<br />
<code> sudo apt-get install nagios-nrpe-server nagios-plugins </code><br />
<br />
*Step 3 - Configure NRPE<br />
<br />
After the installation is complete, edit the nrpe file /etc/nagios/nrpe.cfg:<br />
<br />
<code> nano /etc/nagios/nrpe.cfg </code><br />
<br />
and add Nagios Server IP 192.168.1.9 to the server_address.<br />
<br />
server_address=192.168.56.200<br />
<br />
*Step 4 - Restart NRPE<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
*Step 5 - Add Ubuntu Host to Nagios Server<br />
<br />
Connect back to the Nagios server:<br />
<br />
<code> ssh student@192.168.56.200 </code><br />
<br />
Then create a new file for the host configuration in /usr/local/nagios/etc/servers/.<br />
<br />
<code> nano /usr/local/nagios/etc/servers/ubuntu_host.cfg </code><br />
<br />
Add the following lines:<br />
<code><br />
<br />
#Ubuntu Host configuration file<br />
define host {<br />
use linux-server<br />
host_name ubuntu_host<br />
alias Ubuntu Host<br />
address 192.168.1.10<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description PING<br />
check_command check_ping!100.0,20%!500.0,60%<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check Users<br />
check_command check_local_users!20!50<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Local Disk<br />
check_command check_local_disk!20%!10%!/<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check SSH<br />
check_command check_ssh<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Total Process<br />
check_command check_local_procs!250!400!RSZDT<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
<br />
}<br />
<br />
</code><br />
<br />
You can find many check_command in /usr/local/nagios/etc/objects/commands.cfg file. See there if you want to add more services like DHCP, POP etc.<br />
<br />
And now check the configuration:<br />
<code> /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg </code><br />
[[File:Nagios check.png|thumb|center|Nagios check]]<br />
<br />
To see if the configuration is correct.<br />
<br />
*Step 6 - Restart all services<br />
<br />
On the Ubuntu Host start NRPE Service:<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
The Nagios server, start Apache and Nagios:<br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios restart </code><br />
<br />
*Step 7 - Testing the Ubuntu Host<br />
<br />
Open the Nagios server from the browser and see the ubuntu_host being monitored.<br />
The Ubuntu host is available on monitored host.<br />
<br />
[[File:Nagios server.png|thumb|center|Testing Host]]<br />
<br />
[[File:Nagios server2.png|thumb|center|Testing Host]]<br />
<br />
All services monitored without error.<br />
<br />
=Summary=<br />
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information.<br />
<br />
=See also=<br />
<br />
Nagios agent setup<br />
<br />
1-[http://www.tecmint.com/how-to-add-linux-host-to-nagios-monitoring-server/ Agent setup]<br />
<br />
2-[https://assets.nagios.com/downloads/nagiosxi/docs/Installing_The_XI_Linux_Agent.pdf Linux Agent]<br />
<br />
3-[https://exchange.nagios.org/directory/Documentation/Nagios-XI-Documentation/Installing-The-Nagios-Ubuntu-and-Debian-Linux-Agent/details Ubuntu-and-Debian-Linux-Agent]<br />
<br />
=References=<br />
1- [https://en.wikipedia.org/wiki/System_monitoring System monitoring]<br />
<br />
2- [https://www.howtoforge.com/tutorial/ubuntu-nagios/ Nagios tutorial]<br />
<br />
3- [https://www.nagios.com/products/nagios-log-server/ Nagios Log Server]<br />
<br />
<br />
------<br />
<br />
[[Category:Monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Monitoring&diff=114269Monitoring2016-11-08T21:55:10Z<p>Aovtsinn: /* Installing Nagios */</p>
<hr />
<div>Team: <br />
Mohanad Aly,<br />
Artur Ovtsinnikov<br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 23 October 2016<br />
<br />
Last modified: 30 October 2016<br />
<br />
<br />
<br />
= Introduction =<br />
This article introduces the Monitoring application called '''Nagios'''.<br />
<br />
===Monitoring===<br />
Monitoring is the process of keep tracking of system resources.<br />
<br />
Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.wikipedia.org/wiki/System_monitor]</ref><br />
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.<br />
Monitoring is used to:<br />
*check performance<br />
*detect if something worth noticing happened<br />
*prevent something to happen<br />
*detect whether a system is under attack<br />
<br />
===The good solution: Nagios===<br />
As of today, [https://www.nagios.org/] is the most popular open-source solution for monitoring computer systems before <br />
<br />
Monitoring is made of three components:<br />
*Apache <br />
*PHP<br />
*MySQL<br />
<br />
The main advantages of Nagios are:<br />
*Open-source<br />
*Customized Dashboards<br />
*Ease of Use<br />
*Infinite Scalability<br />
*Data in Real Time<br />
*Network Security<br />
<br />
<br />
==Why monitor our servers==<br />
There are many reasons why a system administrator would want to monitor its server(s).<br />
*Prevent undesired events to happen<br />
Without monitoring, a system administrator will react to a problem only when it has already occurred. Such issue can in the worst case cause a failure of the [http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA CIA triad]. It is of course wiser to anticipate such issues and solve the problem before they arise.<br />
The monitoring system sends alerts that help to identify potential sources of futures failures to avoid.<br />
<br />
*Understand what happened in case of failure<br />
In the event of a system failure, the monitoring system will give crucial information to determine where, when and how the problems occurred. <br />
This information makes the debugging process to be much faster and easier.<br />
<br />
In the end, monitoring a system can be seen as an insurance policy. It costs money and time, but the money and time it saves is worth it.<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-10-06 12-02-47.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine IP address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS IP address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
Check for current version<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
Release:16.04<br />
<br />
Then there is no need to upgrade the OS<br />
<br />
==== Upgrade ====<br />
<br />
*First become super user "root":<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list:<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions:<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 16.04 LTS, you can use <code> do-release-upgrade</code> to upgrade to the Ubuntu 16.04 LTS release.<br />
<br />
= Setup of Nagios=<br />
<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
<br />
In this tutorial, Ubuntu 16.04 64-bit distribution will be used since it is the latest LTS.<br />
<br />
Unfortunately, Nagios cannot be installed simply by using one command, because there are some prerequisite applications needed for it to work.<br />
<br />
This tutorial describes the commands and configuration to make the services work together Nagios.<br />
<br />
<br />
=== Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
<br />
*It is important to have the latest package lists to update them to get info on the newest versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
Command <br />
<code> sudo apt-get update</code><br />
<br />
=== Installing the prerequisites ===<br />
<br />
*Nagios requires the gcc compiler and build-essentials for the compilation, LAMP (Apache, PHP, MySQL) for the Nagios web interface and Send mail to send alerts from the server. To install all those packages, run this command (it's just 1 line):<br />
Command<br />
<br />
<code> sudo apt-get install wget build-essential apache2 php apache2-mod-php7.0 php-gd libgd-dev sendmail unzip </code><br />
<br />
=== User and group configuration ===<br />
<br />
*For Nagios to run, you have to create a new user for Nagios. We will name the user "nagios" and additionally create a group named "nagcmd". We add the new user to the group as shown below:<br />
[[File:Nagios2.png|thumb|right|Nagios add user and group]]<br />
<br />
3- Command<br />
<br />
<code> useradd nagios </code><br />
<br />
4- Command <br />
<br />
<code> groupadd nagcmd </code><br />
<br />
5- Command <br />
<br />
<code> usermod -a -G nagcmd nagios </code><br />
<br />
6- Command <br />
<br />
<code> usermod -a -G nagios,nagcmd www-data </code><br />
<br />
== Installing Nagios == <br />
<br />
*Step 1 - Download and extract the Nagios core<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz </code><br />
<br />
<code> tar -xzf nagios*.tar.gz </code><br />
<br />
<code> cd nagios-4.2.0 </code><br />
<br />
*Step 2 - Compile Nagios<br />
<br />
Before you build Nagios, you will have to configure it with the user and the group you have created earlier.<br />
<br />
<code> ./configure --with-nagios-group=nagios --with-command-group=nagcmd </code><br />
<br />
For more information please use: ./configure --help .<br />
<br />
*Now to install Nagios:<br />
<br />
<code> make all </code><br />
<br />
<code> sudo make install </code><br />
<br />
<code> sudo make install-commandmode </code><br />
<br />
<code> sudo make install-init </code><br />
<br />
<code> sudo make install-config </code><br />
<br />
<code> /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf </code><br />
<br />
*And copy evenhandler directory to the nagios directory:<br />
<br />
<code> cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/ </code><br />
<br />
<code> chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers </code><br />
<br />
*Step 3 - Install the Nagios Plugins<br />
<br />
Download and extract the Nagios plugins:<br />
<br />
<code> cd ~ </code><br />
<br />
<code> wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz </code><br />
<br />
<code> tar -xzf nagios-plugins*.tar.gz </code><br />
<br />
<code> cd nagios-plugins-2.1.2/ </code><br />
<br />
*Install the Nagios plugin's with the commands below:<br />
<br />
<code> ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl </code><br />
<br />
<code> make </code><br />
<br />
<code> make install </code><br />
<br />
*Step 4 - Configure Nagios<br />
<br />
After the installation phase is complete, you can find the default configuration of Nagios in /usr/local/nagios/.<br />
We will configure Nagios and Nagios contact.<br />
Edit default nagios configuration with nano:<br />
<br />
<code> nano /usr/local/nagios/etc/nagios.cfg </code><br />
<br />
uncomment line 51 for the host monitor configuration.<br />
*cfg_dir=/usr/local/nagios/etc/servers<br />
<br />
[[File:Nagios3.png|thumb|right|Nagios Email]]<br />
<br />
Save and exit.<br />
Add a new folder named servers:<br />
<br />
<code> mkdir -p /usr/local/nagios/etc/servers </code><br />
<br />
<br />
The Nagios contact can be configured in the contact.cfg file. To open it use:<br />
<br />
<code> nano /usr/local/nagios/etc/objects/contacts.cfg </code><br />
<br />
Then replace the default email with your own email.<br />
<br />
== Configuring Apache ==<br />
<br />
*Step 1 - enable Apache modules<br />
<br />
<code> sudo a2enmod rewrite </code><br />
<br />
<code> sudo a2enmod cgi </code><br />
<br />
You can use the htpasswd command to configure a user nagiosadmin for the nagios web interface<br />
<br />
<code> sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin </code><br />
<br />
and type your password.<br />
<br />
*Step 2 - enable the Nagios virtualhost<br />
<br />
<code> sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enabled/ </code><br />
<br />
*Step 3 - Start Apache and Nagios<br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios start </code><br />
<br />
When Nagios starts, you may see the following error :<br />
<br />
*Starting nagios (via systemctl): nagios.serviceFailed<br />
<br />
And this is how to fix it:<br />
<br />
<code> cd /etc/init.d/ </code><br />
<br />
<code> cp /etc/init.d/skeleton /etc/init.d/nagios </code><br />
<br />
Now edit the Nagios file:<br />
<br />
<code> nano /etc/init.d/nagios </code><br />
<br />
<br />
and add the following code:<br />
<br />
<code> DESC="Nagios" </code><br />
<br />
<code> NAME=nagios </code><br />
<br />
<code> DAEMON=/usr/local/nagios/bin/$NAME </code><br />
<br />
<code> DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg" </code><br />
<br />
<code> PIDFILE=/usr/local/nagios/var/$NAME.lock </code><br />
<br />
Make it executable and start Nagios:<br />
<br />
<code> chmod +x /etc/init.d/nagios </code><br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios start </code><br />
<br />
<br />
=== Testing the Nagios Server ===<br />
<br />
Please open your browser and access the Nagios server ip, in my case: http://192.168.1.9/nagios.<br />
<br />
Nagios Login with apache htpasswd.<br />
<br />
[[File:Nagios Login.png|thumb|center|Nagios Login]]<br />
<br />
Nagios Admin Dashboard<br />
<br />
[[File:Nagios Admin Dashboard.png|thumb|center|Nagios Admin Dashboard]]<br />
<br />
*Adding a Host to Monitor<br />
<br />
In this tutorial, I will add an Ubuntu host to monitor to the Nagios server we have made above.<br />
<br />
Nagios Server IP : 192.168.1.9<br />
Ubuntu Host IP : 192.168.1.10<br />
<br />
*Step 1 - Connect to ubuntu host<br />
<br />
<code> ssh student@192.168.56.100 </code><br />
<br />
*Step 2 - Install NRPE Service<br />
<br />
<code> sudo apt-get install nagios-nrpe-server nagios-plugins </code><br />
<br />
*Step 3 - Configure NRPE<br />
<br />
After the installation is complete, edit the nrpe file /etc/nagios/nrpe.cfg:<br />
<br />
<code> nano /etc/nagios/nrpe.cfg </code><br />
<br />
and add Nagios Server IP 192.168.1.9 to the server_address.<br />
<br />
server_address=192.168.56.200<br />
<br />
*Step 4 - Restart NRPE<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
*Step 5 - Add Ubuntu Host to Nagios Server<br />
<br />
Connect back to the Nagios server:<br />
<br />
<code> ssh student@192.168.56.200 </code><br />
<br />
Then create a new file for the host configuration in /usr/local/nagios/etc/servers/.<br />
<br />
<code> nano /usr/local/nagios/etc/servers/ubuntu_host.cfg </code><br />
<br />
Add the following lines:<br />
<code><br />
<br />
#Ubuntu Host configuration file<br />
define host {<br />
use linux-server<br />
host_name ubuntu_host<br />
alias Ubuntu Host<br />
address 192.168.1.10<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description PING<br />
check_command check_ping!100.0,20%!500.0,60%<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check Users<br />
check_command check_local_users!20!50<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Local Disk<br />
check_command check_local_disk!20%!10%!/<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Check SSH<br />
check_command check_ssh<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
}<br />
<br />
define service {<br />
host_name ubuntu_host<br />
service_description Total Process<br />
check_command check_local_procs!250!400!RSZDT<br />
max_check_attempts 2<br />
check_interval 2<br />
retry_interval 2<br />
check_period 24x7<br />
check_freshness 1<br />
contact_groups admins<br />
notification_interval 2<br />
notification_period 24x7<br />
notifications_enabled 1<br />
register 1<br />
<br />
}<br />
<br />
</code><br />
<br />
You can find many check_command in /usr/local/nagios/etc/objects/commands.cfg file. See there if you want to add more services like DHCP, POP etc.<br />
<br />
And now check the configuration:<br />
<code> /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg </code><br />
[[File:Nagios check.png|thumb|center|Nagios check]]<br />
<br />
To see if the configuration is correct.<br />
<br />
*Step 6 - Restart all services<br />
<br />
On the Ubuntu Host start NRPE Service:<br />
<br />
<code> service nagios-nrpe-server restart </code><br />
<br />
The Nagios server, start Apache and Nagios:<br />
<br />
<code> service apache2 restart </code><br />
<br />
<code> service nagios restart </code><br />
<br />
*Step 7 - Testing the Ubuntu Host<br />
<br />
Open the Nagios server from the browser and see the ubuntu_host being monitored.<br />
The Ubuntu host is available on monitored host.<br />
<br />
[[File:Nagios server.png|thumb|center|Testing Host]]<br />
<br />
[[File:Nagios server2.png|thumb|center|Testing Host]]<br />
<br />
All services monitored without error.<br />
<br />
=Summary=<br />
Nagios is an open source application for monitoring a system. Nagios has been widely used because of the ease of configuration. Nagios in support by various plugins, and you can even create your own plugins. Look here for more information.<br />
<br />
=See also=<br />
<br />
Nagios agent setup<br />
<br />
1-[http://www.tecmint.com/how-to-add-linux-host-to-nagios-monitoring-server/ Agent setup]<br />
<br />
2-[https://assets.nagios.com/downloads/nagiosxi/docs/Installing_The_XI_Linux_Agent.pdf Linux Agent]<br />
<br />
3-[https://exchange.nagios.org/directory/Documentation/Nagios-XI-Documentation/Installing-The-Nagios-Ubuntu-and-Debian-Linux-Agent/details Ubuntu-and-Debian-Linux-Agent]<br />
<br />
=References=<br />
1- [https://en.wikipedia.org/wiki/System_monitoring System monitoring]<br />
<br />
2- [https://www.howtoforge.com/tutorial/ubuntu-nagios/ Nagios tutorial]<br />
<br />
3- [https://www.nagios.com/products/nagios-log-server/ Nagios Log Server]<br />
<br />
<br />
------<br />
<br />
[[Category:Monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Category:I802_Firewalls_and_VPN_IPSec&diff=113749Category:I802 Firewalls and VPN IPSec2016-11-02T09:19:24Z<p>Aovtsinn: /* Boring stuff */</p>
<hr />
<div>=Firewalls and VPN/IPSec=<br />
<br />
==General information==<br />
<br />
ECTS: 4<br />
<br />
Lecturer: Lauri Võsandi<br />
<br />
<br />
==Scenario==<br />
<br />
In this course we will attempt to set up a network similar to a corporate network with multiple offices, eg http://docplayer.it/docs-images/20/596222/images/25-0.png<br />
<br />
We will use VPN software to connect subnets to each other and we will use VPN software to connect our personal computers to the intranet.<br />
<br />
<br />
==Setting up virtual machine hosts==<br />
<br />
For this course we have 3 Sun servers, each with 16GB of RAM. In each server we should be able to create 3 or more virtual machines. As host operating system we will install Ubuntu 16.04 server. On disks set up ext4 on mdraid set up in RAID1 configuration.<br />
<br />
For virtualization let's use libvirt and virt-manager on your Ubuntu laptops, for Windows and Mac unfortunately there is no decent UI available instead installing web interface such as [https://github.com/kimchi-project/kimchi Kimchi] is recommended.<br />
<br />
To install libvirt on the server:<br />
<br />
apt install libvirt-bin qemu-kvm<br />
<br />
Also add the primary user to the libvirt group:<br />
<br />
sudo gpasswd -a $USER libvirt<br />
<br />
On your laptop first set up SSH keys between the laptop and server with ssh-keygen and ssh-copy-id. And then you can install virt-manager with:<br />
<br />
sudo apt install virt-manager<br />
<br />
Copy CD ISO files into /var/lib/libvirt/images using scp or FileZilla.<br />
<br />
Continue with creating a virtual machine for each service. For Windows 2012 server virtual machines use 2G of RAM and 50G of storage. For Ubuntu 16.04 server installations use 1G of memory and 50G storage. For Ubuntu 16.04 MATE desktop installations use 2G of RAM.<br />
<br />
<br />
In order to set up virtual switch inside the server use Linux's built-in bridges, start with installing bridge-utils:<br />
<br />
apt install bridge-utils<br />
<br />
Reconfigure your server's /etc/network/interfaces, replace X with number relevant to your server. Also replace eth0, eth1 and eth2 with the network interfaces available in your machine:<br />
<br />
# The loopback network interface<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# Wide area network interface<br />
auto br-wan<br />
iface br-wan inet dhcp<br />
# Until we set up router in a VM we will use DHCP so we can have internet access in 417<br />
bridge_ports eth0<br />
<br />
# Local area network interface<br />
auto br-lan<br />
iface br-lan inet static<br />
address 172.16.X.1<br />
netmask 255.255.255.0<br />
bridge_ports eth1<br />
<br />
# Management interface<br />
auto eth2<br />
iface eth2 inet static<br />
address 192.168.12.1X<br />
netmask 255.255.255.0<br />
<br />
When creating virtual machines, configure network as shown in the screenshot below:<br />
<br />
[[File:Virt-manager_bridges.png]]<br />
<br />
This way your VM-s should be able to access the Internet as the physical machine can<br />
<br />
==Setting up router==<br />
<br />
On Wednesday 14. September we will configure OpenWrt as a router in a virtual machine.<br />
Download the OpenWrt image and uncompress it:<br />
<br />
cd /var/lib/libvirt/images/<br />
wget https://downloads.openwrt.org/chaos_calmer/15.05-rc3/x86/kvm_guest/openwrt-15.05-rc3-x86-kvm_guest-combined-ext4.img.gz<br />
gunzip openwrt-15.05.1-x86-kvm_guest-combined-ext4.img.gz<br />
<br />
Add second network interface to your router's VM.<br />
Configure first NIC as connected to br-wan and second one connected to br-lan.<br />
<br />
After that you should end up with topology similar to this:<br />
<br />
[[File:Topology-inside-server.png]]<br />
<br />
To clarify: 'srv1.office' and 'srv2.office' are the Ubuntu 16.04 servers, you should have configured static IP addresses or set a static lease from the router. The 'router.office' refers to the OpenWrt router you just set up. The router serves IP addresses using DHCP to 'ubuntu-mate.office' Ubuntu MATE 16.04 workstation and 'windows.office' refers to Windows workstation. Your physical server 'host.office' can be accessed as well. The 'office' throughout the diagram refers to your domain name, use abbrevations such as hq, rnd, devops for that.<br />
<br />
<br />
==Domain names==<br />
<br />
Arti will be your DNS registrar (like Godaddy or Zone.ee). Currently added DNS records:<br />
<br />
* http://www.biz.wut.ee - 193.40.194.160 for Wut Incorporated website<br />
* http://gw.biz.wut.ee - 193.40.194.160 for OpenVPN gateway<br />
* http://wiki.biz.wut.ee - 193.40.194.161 for Wut Inc internal wiki<br />
* http://git.biz.wut.ee - 193.40.194.161 for Wut Inc source code hosting<br />
* http://paste.biz.wut.ee - 193.40.194.161 for Wut Inc code snippets<br />
* http://chat.biz.wut.ee - 193.40.194.162 for Wut Inc IRC chatroom<br />
* http://pad.biz.wut.ee - 193.40.194.162 for Wut Inc etherpad<br />
* http://ca.biz.wut.ee - 193.40.194.162 for Wut Inc certificate authority web endpoint<br />
* http://mail.biz.wut.ee - 193.40.194.162 for MX entry of biz.wut.ee<br />
<br />
(Re)configure your services to make use of these DNS records.<br />
<br />
==Monitoring==<br />
<br />
Use this **only** on the physical hosts.<br />
<br />
You can (ab)use Lauri's collectd at http://log.koodur.com/cgp<br />
<br />
Install packages:<br />
<br />
apt install collectd<br />
<br />
Reconfigure service in /etc/collectd/collectd.conf:<br />
<br />
FQDNLookup true<br />
LoadPlugin syslog<br />
LoadPlugin cpu<br />
LoadPlugin df<br />
LoadPlugin disk<br />
LoadPlugin interface<br />
LoadPlugin load<br />
LoadPlugin memory<br />
LoadPlugin network<br />
LoadPlugin processes<br />
LoadPlugin swap<br />
LoadPlugin uptime<br />
LoadPlugin users<br />
LoadPlugin dns<br />
LoadPlugin ping<br />
LoadPlugin sensors<br />
<br />
<Plugin df><br />
FSType rootfs<br />
FSType sysfs<br />
FSType proc<br />
FSType devtmpfs<br />
FSType devpts<br />
FSType tmpfs<br />
FSType fusectl<br />
FSType cgroup<br />
IgnoreSelected true<br />
</Plugin><br />
<br />
<Plugin disk><br />
Disk "/[sv]d[a-z]/"<br />
</Plugin><br />
<br />
<Include "/etc/collectd/collectd.conf.d"><br />
Filter "*.conf"<br />
</Include><br />
<br />
<Plugin network><br />
Server "185.94.112.74"<br />
</Plugin><br />
<br />
==Teams==<br />
<br />
===Headquarters===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.160/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.10<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.1.1/24<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - (Mohanad)<br />
* BIND9 as public DNS server, also figure out what domain name we should/can use (Arti)<br />
* domain controller, at this point primarily for user accounts (Keijo)<br />
* nginx web server, for company's homepage (Etienne)<br />
* SMB/CIFS fileserver, join to domain (Etienne)<br />
* VPN server for other subnets, presumably OpenVPN (Mohanad Aly)<br />
<br />
===Research & development===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.161/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.11<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.2.1/24<br />
<br />
Team members: Marvin, Madis, Taavi, Berit, Joosep<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - Marvin<br />
* [https://gogs.io/docs Git hosting], for sharing scripts, set up LDAP to authenticate with domain controller (Madis)<br />
* [https://wiki.itcollege.ee/index.php/Installation_MediaWiki Wiki], for exchanging information, [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples set up LDAP to authenticate with domain controller and later possibly configure web server to authenticate with Kerberos] (Taavi)<br />
* Windows XP workstation, join to domain<br />
* Ubuntu 16.04 MATE workstation, [https://raw.githubusercontent.com/laurivosandi/puppet-butterknife/master/files/etc/butterknife/helpers/join-domain join to domain].<br />
* [http://lauri.vosandi.com/2016/09/xenial-ltsp-ja-id-kaart.html LTSP server] (Joosep)<br />
* OpenVPN connection to headquarters, use shared secret at first, later X509 certificates<br />
* [https://github.com/bpoldoja/pastebin Pastebin], possibly later implement [https://github.com/laurivosandi/certidude/blob/master/certidude/auth.py#L37 Kerberos support] (Berit)<br />
====Examples====<br />
Port forwarding example, we have 2 linux virtual machines, one forwarding to host local ip.<br />
[[File:vpn-portForwarding.png|900px|]]<br />
<br />
Network interface example file:<br />
<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# Wide area network interface (port 0)<br />
auto br-wan<br />
iface br-wan inet manual<br />
bridge_ports enp6s4f0<br />
<br />
# Local area network interface (port 3)<br />
auto br-lan<br />
iface br-lan inet static<br />
address 172.16.2.1<br />
gateway 172.16.2.254<br />
dns-nameserver 172.16.2.254<br />
netmask 255.255.255.0<br />
bridge_ports enp0s8<br />
<br />
# Management interface (port 1)<br />
auto enp6s4f1<br />
iface enp6s4f1 inet static<br />
address 192.168.12.11<br />
netmask 255.255.255.0<br />
<br />
Openwrt interface file working example /etc/config/network:<br />
<br />
config interface 'lan'<br />
option ifname 'eth0'<br />
option type 'bridge'<br />
option proto 'static'<br />
option netmask '255.255.255.0'<br />
option ip6assign '60'<br />
option ipaddr '172.16.2.254'<br />
<br />
config interface 'wan'<br />
option ifname 'eth1'<br />
option proto 'static'<br />
option ipaddr '193.40.194.161'<br />
option gateway '193.40.194.220'<br />
option netmask '255.255.255.0'<br />
option dns '192.40.0.12 193.40.56.245'<br />
<br />
<br />
To create poor man's vpn. Install on your computer<br />
apt install sshuttle<br />
<br />
and connection.<br />
sshuttle --dns -HNvr username@server:port<br />
no you should be able to connect local network computers and services.<br />
'''NB! ping is not working with sshuttle'''<br />
you can read more here http://teohm.com/blog/using-sshuttle-in-daily-work/<br />
<br />
====TODO====<br />
<br />
===Devops===<br />
<br />
Gateway: 193.40.194.220<br />
<br />
DNS: 193.40.0.12, 193.40.56.245<br />
<br />
Public IP address (port no 0 = enp6s4f0): 193.40.194.162/24<br />
<br />
Management network IP address (port no 1 = enp6s4f1), accessible from robotics club: 192.168.12.12<br />
<br />
Internal IP address of the physical server (port no 2 = enp0s9): 172.16.3.1/24<br />
<br />
Services:<br />
<br />
* Hypervisor, access to physical box - Artur O<br />
* IRC, for chatting (Meelis Hass)<br />
* [https://github.com/ether/etherpad-lite Etherpad] for collaborating (Sheela)<br />
* [https://github.com/laurivosandi/certidude#usecases Certificate management] for roadwarriors, usecase number #1 (Artur O)<br />
* Monitoring software of your choice to make sure that services are up and running, possibly use LDAP for authentication (Artur O)<br />
* E-mail for sending notifications from monitoring software at first (Ilja), this needs MX records in DNS (Ilja, Mohanad helps)<br />
* Later, in the beginning just monitor public services: OpenVPN connection to headquarters<br />
<br />
===Pentest===<br />
<br />
Find security issues in the deployed services, attempt to plant backdoors, malware etc.<br />
<br />
Team members: Kustas, Ender<br />
<br />
<br />
==Point-to-point tunnels between routers==<br />
<br />
Since routers are the default route for all the internal machines the easiest way to set up routing between internal networks is to set up OpenVPN instances on each router.<br />
<br />
In router install OpenVPN module for OpenWrt:<br />
<br />
opkg update<br />
opkg install luci-app-openvpn openvpn-openssl<br />
<br />
In the OpenWrt web interface there should pop up Services section with OpenVPN underneath it.<br />
<br />
The topology for routers:<br />
<br />
[[File:Point-to-point.png]]<br />
<br />
<br />
For each tunnel configure on one end "Simple server configuration for a routed point-to-point VPN" and on the other end "Simple client configuration for a routed point-to-point VPN" the configuration for connection on hq could look something like this:<br />
<br />
[[File:Openwrt-openvpn-config.png]]<br />
<br />
To upload secret select secret under --Additional fields-- and hit add. To generate secret use following command on your laptop:<br />
<br />
openvpn --genkey --secret static.key<br />
<br />
Under Switch to advanced configuration --> Networking add route field for each subnet you want to make accessible via that tunnel. For each tunnel a new interface pops up under Interfaces section. Assign firewall rules as appropriate. To test I guess you can just insert the interface into LAN zone.<br />
<br />
=Boring stuff=<br />
Sending logs to Graylog server<br />
<br />
put those lines into new file : /etc/rsyslog.d/client.conf<br />
<br />
<br />
<code>$ActionQueueType LinkedList</code><br />
<br />
<code>$ActionQueueFileName srvrfwd</code><br />
<br />
<code>$ActionResumeRetryCount -1</code><br />
<br />
<code>$ActionQueueSaveOnShutdown on</code><br />
<br />
<code>*.* @@172.16.3.228:1514</code><br />
<br />
and then do the <code> sudo service rsyslog restart </code><br />
<br />
==Report template==<br />
<br />
Send report as a plaintext e-mail to Lauri, in the title include: Report #number - your name - your team<br />
<br />
In the content make sure you specify the timespan you're talking about (September of 2016, first half of October 2016 etc)<br />
<br />
The content, no need for formal speech:<br />
<br />
* What have been done so far by the team (eg. server hardware setup, virtual machine setup, service setup)<br />
* What was your role for this timespan, note that we will shuffle the teams now and then<br />
* What was your contribution, or in other words what did you do during this timespan<br />
* What (security) incidents happened - red team found messing around with the servers, passwords changed, backdoor found etc.<br />
<br />
==September wrapup & iptables lecture==<br />
<br />
[https://docs.google.com/presentation/d/1mt0g_BN-l_Jz6HQ1D52WJIdMjPtkTt95CPYFejjiikE/ Lecture slides] [https://echo360.e-ope.ee/ess/portal/section/0fa18d0e-f1b2-44b7-878b-5e4c66e6040e video recording]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=106197Logging&monitoring2016-10-06T06:34:51Z<p>Aovtsinn: /* Securing during logging */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 05 October 2016<br />
<br />
= Introduction =<br />
This article introduces the Logging and Monitoring application called '''Graylog'''.<br />
<br />
===Logging and monitoring===<br />
Logging is the process of keeping a continuous record of an event.<br />
The general rule of logging is: Log everything which is not predictable.<br />
<br />
Monitoring is the process of observing and checking the progress or quality of something over a period of time; keep under systematic review.<ref>[https://en.oxforddictionaries.com/definition/monitor]</ref><br />
Monitoring cannot be achieved without logging. That is the reason integrated solutions combine the two processes.<br />
Monitoring is used to:<br />
*check performance<br />
*detect if something worth noticing happened<br />
*prevent something to happen<br />
*detect whether a system is under attack<br />
<br />
===The best solution: Graylog===<br />
As of today, [https://www.graylog.org Graylog] is the most popular open-source solution (developed in Java) for logging and monitoring computer systems before [https://www.elastic.co/webinars/introduction-elk-stack ELK stack].<br />
In the proprietary world, [https://www.splunk.com Splunk] is the leader.<br />
<br />
Graylog is made of three components:<br />
*Elasticsearch as the documents indexing engine<br />
*Mongodb for database<br />
*Graylog itself (server and web interface combined) to collect and view logs<br />
<br />
The main advantages of Graylog are:<br />
*Open-source<br />
*Works with unstructured logs and from any source<br />
*Good looking interface and dashboards<br />
*Supports user management (LDAP)<br />
<br />
Its disadvantages are:<br />
*Designed to work with Linux distributions<br />
<br />
===Why monitor our servers===<br />
There are many reasons why a system administrator would want to monitor its server(s).<br />
*Prevent undesired events to happen<br />
Without monitoring, a system administrator will react to a problem only when it has already occurred. Such issue can in the worst case cause a failure of the [http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA CIA triad]. It is of course wiser to anticipate such issues and solve the problem before they arise.<br />
The monitoring system sends alerts that help to identify potential sources of futures failures to avoid.<br />
<br />
*Understand what happened in case of failure<br />
In the event of a system failure, the monitoring system will give crucial information to determine where, when and how the problems occurred. <br />
This information makes the debugging process to be much faster and easier.<br />
<br />
In the end, monitoring a system can be seen as an insurance policy. It costs money and time, but the money and time it saves is worth it.<br />
<br />
===Securing during logging===<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
==== Check for current version ====<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
Release:16.04<br />
<br />
Then there is no need to upgrade the OS<br />
<br />
==== Upgrade ====<br />
<br />
*First become super user "root":<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list:<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions:<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 16.04 LTS, you can use <code> do-release-upgrade</code> to upgrade to the Ubuntu 16.04 LTS release.<br />
<br />
= Initial Setup for graylog=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
[[File:Screenshot from 2016-10-05 22-32-56.jpg|thumb|right|graylog web interface]]<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
*After setting the graylog and the web interface is working follow the few steps to logging the system <br />
<br />
[[File:Screenshot from 2016-10-05 22-33-18.jpg|thumb|center|input]]<br />
<br />
[[File:Screenshot from 2016-10-05 22-34-25.jpg|thumb|center|Setting up the logging]]<br />
<br />
[[File:Screenshot from 2016-10-05 22-33-41.jpg|thumb|center|input]]<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
1- https://www.graylog.org<br />
<br />
2- http://docs.graylog.org/en/2.1/<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=106170Logging&monitoring2016-10-05T19:56:45Z<p>Aovtsinn: /* Starting to update and upgrade the OS */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 05 October 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Why we should logging our servers''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
==== Check for current version ====<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
Release:16.04<br />
<br />
Then there is no need to upgrade the OS<br />
<br />
==== Upgrade ====<br />
<br />
*First become super user "root":<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list:<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions:<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 16.04 LTS, you can use <code> do-release-upgrade</code> to upgrade to the Ubuntu 16.04 LTS release.<br />
<br />
= Initial Setup for graylog=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
*After setting the graylog and the web interface is working follow the few steps to logging the system <br />
<br />
[[File:Screenshot from 2016-10-05 22-33-18.jpg|thumb|right|Topology []]]<br />
<br />
[[File:|thumb|right|Topology []]]<br />
<br />
[[File:|thumb|right|Topology []]]<br />
<br />
[[File:|thumb|right|Topology []]]<br />
<br />
[[File:|thumb|right|Topology []]]<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=106169Logging&monitoring2016-10-05T19:55:22Z<p>Aovtsinn: /* Starting to update and upgrade the OS */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 05 October 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Why we should logging our servers''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
Release:16.04<br />
<br />
Then there is no need to upgrade the OS<br />
<br />
<br />
<br />
*First become super user "root":<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list:<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions:<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 16.04 LTS, you can use <code> do-release-upgrade</code> to upgrade to the Ubuntu 16.04 LTS release.<br />
<br />
= Initial Setup for graylog=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
*After setting the graylog and the web interface is working follow the few steps to logging the system <br />
<br />
[[File:Screenshot from 2016-10-05 22-33-18.jpg|thumb|right|Topology []]]<br />
<br />
[[File:|thumb|right|Topology []]]<br />
<br />
[[File:|thumb|right|Topology []]]<br />
<br />
[[File:|thumb|right|Topology []]]<br />
<br />
[[File:|thumb|right|Topology []]]<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=106164Logging&monitoring2016-10-05T19:53:19Z<p>Aovtsinn: /* Starting to update and upgrade the OS */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Why we should logging our servers''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
Release:16.04<br />
<br />
Then there is no need to upgrade the OS<br />
<br />
<br />
<br />
*First be super user<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 15.10, you can use <code> do-release-upgrade</code> to upgrade to the 16.04 release.<br />
<br />
= Initial Setup for graylog=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
*After setting the graylog and the web interface is working follow the few steps to logging the system <br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=106162Logging&monitoring2016-10-05T19:52:37Z<p>Aovtsinn: /* Starting to update and upgrade the OS */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Why we should logging our servers''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<code><br />
Description:Ubuntu 16.04.1 LTS<br />
<br />
<br />
Release:16.04<br />
</code><br />
Then there is no need to upgrade the OS<br />
<br />
<br />
<br />
*First be super user<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 15.10, you can use <code> do-release-upgrade</code> to upgrade to the 16.04 release.<br />
<br />
= Initial Setup for graylog=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=106161Logging&monitoring2016-10-05T19:52:24Z<p>Aovtsinn: /* Starting to update and upgrade the OS */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Why we should logging our servers''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you find that your machine is already running the following version or higher than:<br />
<code><br />
Description:Ubuntu 16.04.1 LTS<br />
<br />
Release:16.04<br />
</code><br />
Then there is no need to upgrade the OS<br />
<br />
<br />
<br />
*First be super user<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 15.10, you can use <code> do-release-upgrade</code> to upgrade to the 16.04 release.<br />
<br />
= Initial Setup for graylog=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=106160Logging&monitoring2016-10-05T19:51:30Z<p>Aovtsinn: /* Starting to update and upgrade the OS */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Why we should logging our servers''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your current Ubuntu version by running the following command: <br />
<code>lsb_release -a</code><br />
<br />
If you found your machine <br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
<br />
Release:16.04<br />
<br />
Then no need to do the next steps<br />
<br />
<br />
<br />
*First be super user<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 15.10, you can use <code> do-release-upgrade</code> to upgrade to the 16.04 release.<br />
<br />
= Initial Setup for graylog=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=106159Logging&monitoring2016-10-05T19:49:29Z<p>Aovtsinn: /* Starting to update and upgrade for all machines on the Elab */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Why we should logging our servers''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade the OS=<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your machine <br />
<code>lsb_release -a</code><br />
<br />
If you found your machine <br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
<br />
Release:16.04<br />
<br />
Then no need to do the next steps<br />
<br />
<br />
<br />
*First be super user<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 15.10, you can use <code> do-release-upgrade</code> to upgrade to the 16.04 release.<br />
<br />
= Initial Setup for graylog=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=106158Logging&monitoring2016-10-05T19:48:28Z<p>Aovtsinn: /* Starting to update and upgrade for all machines on the Elab */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Why we should logging our servers''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade for all machines on the Elab=<br />
If your machine is running older version then 16.04 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your machine <br />
<code>lsb_release -a</code><br />
<br />
If you found your machine <br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
<br />
Release:16.04<br />
<br />
Then no need to do the next steps<br />
<br />
<br />
<br />
*First be super user<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 15.10, you can use <code> do-release-upgrade</code> to upgrade to the 16.04 release.<br />
<br />
= Initial Setup for graylog=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=106157Logging&monitoring2016-10-05T19:48:01Z<p>Aovtsinn: /* Starting to update and upgrade for all machines on the Elab */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Why we should logging our servers''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the Elab system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update and upgrade for all machines on the Elab=<br />
If your machine is running older version then 16.04.1 which is the latest long term supported version, please follow the following commands to upgrade your machine to the latest version.<br />
*First check your machine <br />
<code>lsb_release -a</code><br />
<br />
If you found your machine <br />
<br />
Description:Ubuntu 16.04.1 LTS<br />
<br />
Release:16.04<br />
<br />
Then no need to do the next steps<br />
<br />
<br />
<br />
*First be super user<br />
<code>sudo -i</code><br />
<br />
*Begin by updating the package list<br />
<code>apt-get update</code><br />
<br />
*Upgrade installed packages to their latest available versions<br />
<code>apt-get upgrade</code><br />
<br />
*Once upgrade finishes, use the dist-upgrade command, which will perform upgrades involving changing dependencies<br />
<code>apt-get dist-upgrade</code><br />
<br />
*Now that you have an up-to-date installation of Ubuntu 15.10, you can use <code> do-release-upgrade</code> to upgrade to the 16.04 release.<br />
<br />
= Initial Setup for graylog=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=105860Logging&monitoring2016-09-28T20:43:23Z<p>Aovtsinn: /* Initial Setup */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Threats.''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update an upgrade for all machines=<br />
*First be super user <code>sudo -i</code><br />
<code>apt-get update</code><br />
<br />
<code>apt-get upgrade</code><br />
<br />
= Initial Setup=<br />
==== Prerequisites ====<br />
Ubuntu Linux machine, sudo access and some Linux beginner skills are needed.<br />
The installation of Graylog is not that hard as described on some webpages. <br />
In this tutorial the Ubuntu 16.04 64-bit VPS server will be used since it is the latest LTS. <br />
Unfortunately, Graylog cannot be installed simply by using one command apt-get install graylog, because there is some prerequisite applications needed for it to work.<br />
In this tutorial i will describe the commands, what is needed and how to configure the services to work together with the Graylog, installation is simple!<br />
Attention! All links and packages/versions are present to the time of writing this guide it might need to be updated later on.<br />
<br />
=== Step by Step Installation tutorial on Ubuntu 16.04 Linux host machine ===<br />
'''1)''' It is important to have the latest package lists to update them to get info on the newst versions of packages and their dependencies. So we need to run the following command to update them:<br />
<br />
''Command:'' <code> sudo apt-get update</code><br />
<br />
'''2)''' Now we can install the setup base packages:<br />
<br />
''Command:'' <code> apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen </code><br />
<br />
'''3)''' '''MongoDB''' is a Free and open-source cross-platform document-oriented database program written in C++,C and JavaScript. Classified as a NoSQL database program in favor of JSON-like documents with dynamic schemas (format BSON) making the integration of data in certain types of applications like Graylog easier and faster.<br />
<br />
The version included in Ubuntu 16.04 LTS can be used together with Graylog 2 and higher, but it is also possible to check the [https://www.mongodb.com/download-center?jmp=nav#community official webpage] and download the needed/latest version.<br />
<br />
It can be installed by running the following command:<br />
<br />
''Command:'' <code> apt-get install mongodb-server </code><br />
<br />
'''4)''' '''Elasticsearch''' is a search engine based on Lucene written in Java. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.<br />
<br />
Elasticsearch is required for Graylog 2 and higher to work, so it is possible to see the complete installation instructions on the [https://www.elastic.co/guide/en/elasticsearch/reference/2.3/setup-repositories.html#_apt official page]<br />
<br />
''Commands:'' <br />
<br />
<code>wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -</code><br />
<br />
<code>echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install elasticsearch</code><br />
<br />
<br />
'''5)''' Modifying the Elasticsearch configuration file and setting the cluster name to graylog so it will be visible and accessible by graylog.<br />
<br />
''Command:'' <code> nano /etc/elasticsearch/elasticsearch.yml</code><br />
and change <code> cluster.name:elasticsearch</code> to <code> cluster.name: graylog</code><br />
<br />
'''6)''' After config was modified, we can now start Elasticsearch:<br />
<br />
<code>sudo /bin/systemctl daemon-reload</code><br />
<br />
<code>sudo /bin/systemctl enable elasticsearch.service</code><br />
<br />
<code>sudo /bin/systemctl restart elasticsearch.service</code><br />
<br />
It is possible to check if the elasticsearch configured correctly by using the following command:<br />
<br />
<code>curl -XGET http://localhost:9200</code><br />
<br />
'''7)''' '''Graylog''' can now be installed if all the above steps were done successfully<br />
First it is needed to install the Graylog repository using the following commands:<br />
<br />
<code>wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo dpkg -i graylog-2.1-repository_latest.deb</code><br />
<br />
<code>sudo apt-get update</code><br />
<br />
<code>sudo apt-get install graylog-server</code><br />
<br />
<br />
'''8)''' After the Graylog has been installed it is needed to change the configuration<br />
<br />
Think about the password (which would be used to login) and then use the command:<br />
<code>echo -n supersecretpassword123 | sha256sum</code><br />
It will generate the sha256 hash of the password which would be needed to copy-pasted and add it to the <code>password_secret</code> and <code>root_password_sha2</code> in the graylog config (<code>/etc/graylog/server/server.conf</code>). This is mandatory to do! Without it Graylog will not start!<br />
<br />
'''9)''' In order to connect to Graylog web-interface it is needed to set <code>rest_listen_uri</code> and <code>web_listen_uri</code> to the public hostname or IP address of the machine.<br />
<br />
'''10)''' Last step is to enable Graylog during the system startup:<br />
<br />
<code>sudo systemctl daemon-reload</code><br />
<br />
<code>sudo systemctl enable graylog-server.service</code><br />
<br />
<code>sudo systemctl start graylog-server.service</code><br />
<br />
=Summary=<br />
<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=105854Logging&monitoring2016-09-28T19:30:01Z<p>Aovtsinn: /* Aim of this page */</p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
The Aim of this wiki page is to give an introduction to Logging and Monitoring application called Graylog, what are the main benefits of it and how to install it on Ubuntu Machine.<br />
<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Threats.''' <br />
*'''Securing during logging'''<br />
<br />
=Topology of the system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update an upgrade for all machines=<br />
*First be super user <code>sudo -i</code><br />
<code>apt-get update</code><br />
<br />
<code>apt-get upgrade</code><br />
<br />
= Initial Setup=<br />
<br />
<br />
=Summary=<br />
<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=105853Logging&monitoring2016-09-28T19:26:36Z<p>Aovtsinn: </p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov,<br />
Mohanad Aly,<br />
Etienne Barrier,<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Threats.''' <br />
*'''Securing during logging'''<br />
<br />
<br />
<br />
=Topology of the system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update an upgrade for all machines=<br />
*First be super user <code>sudo -i</code><br />
<code>apt-get update</code><br />
<br />
<code>apt-get upgrade</code><br />
<br />
= Initial Setup=<br />
<br />
<br />
=Summary=<br />
<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Logging%26monitoring&diff=105852Logging&monitoring2016-09-28T19:26:04Z<p>Aovtsinn: </p>
<hr />
<div>Logging and Monitoring - Logging Solution - Graylog<br />
<br />
Team: <br />
Artur Ovtsinnikov<br />
Mohanad Aly<br />
Etienne Barrier<br />
Meelis Hass <br />
<br />
Group : Cyber Security Engineering (C21)<br />
<br />
Page Created: 18 September 2016<br />
<br />
Last modified: 28 September 2016<br />
<br />
= Aim of this page =<br />
*'''logging and monitoring.'''<br />
*'''The best solution for logging'''<br />
*'''Threats.''' <br />
*'''Securing during logging'''<br />
<br />
<br />
<br />
=Topology of the system=<br />
<br />
<span style="color:#20B336"><br />
'''Desktop machine'''<br />
<br />
[[File:Screenshot from 2016-09-18 17-43-55.jpg|thumb|right|Topology []]]<br />
<br />
Begin with the basic setup, network configuration and make the machine has internet access which the ip address of the machine is 192.168.56.100<br />
<br />
<span style="color:#FF0000"><br />
'''Server machine ip address 192.168.56.200''' <br />
*Can be connected over ssh with student@192.168.56.200<br />
*Also can connect with other IP address ssh student@10.10.10.10<br />
<span style="color:#FF0000"><br />
'''IDS ip address 192.168.56.201'''<br />
<br />
=Starting to update an upgrade for all machines=<br />
*First be super user <code>sudo -i</code><br />
<code>apt-get update</code><br />
<br />
<code>apt-get upgrade</code><br />
<br />
= Initial Setup=<br />
<br />
<br />
=Summary=<br />
<br />
<br />
=See also=<br />
<br />
<br />
<br />
=References=<br />
<br />
<br />
<br />
------<br />
<br />
[[Category:Logging and monitoring]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=English&diff=105405English2016-09-14T11:12:00Z<p>Aovtsinn: /* Courses */</p>
<hr />
<div>__NOTOC__<br />
<br />
Welcome to Estonian IT College wikis English version.<br />
<br />
Our official web page<br />
<br />
==Courses==<br />
<br />
* [https://wiki.itcollege.ee/index.php/I253_Presessional_Informatics Presessional course in Informatics]<br />
* [https://wiki.itcollege.ee/index.php/Category:I600_Introduction_to_Computers_and_Informatics Introduction to Computers and Informatics]<br />
** [[Exam help]]<br />
* [[Logic and Discrete Mathematics Exam Help]]<br />
* [[Operating systems]]<br />
* [https://wiki.itcollege.ee/index.php/Category:I703_Python Python]<br />
* [https://wiki.itcollege.ee/index.php/Category:I702_Web_Application_Programming Web Application Programming]<br />
* [https://wiki.itcollege.ee/index.php/Category:I802_Firewalls_and_VPN_IPSec Firewalls and VPN/IPSec]<br />
* [https://wiki.itcollege.ee/index.php/Category:Ideas Ideas for research project or thesis]<br />
* [[I803 IT Infrastructure services]]<br />
<br />
==Quickstart==<br />
<br />
This section is for freshmen who want to get up to speed with latest open-source technology.<br />
<br />
* [https://wiki.itcollege.ee/index.php/User:Akerge CSE survival guide]<br />
* [[Getting started with Ubuntu]]<br />
* [[Getting started with Raspberry Pi]]<br />
* [[Accessing a virtual machine via SSH connection]]<br />
* [[Setting up SSH access to enos.itcollege.ee]]<br />
* [[Getting started with GCC]]<br />
<br />
==International Projects==<br />
<br />
* [[Deploying IT Infrastructure Solutions| Erasmus intensive program "Deploying IT Infrastructure Solutions"]]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104297OpenVPN Access Server2016-06-03T00:59:13Z<p>Aovtsinn: /* Summary */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL). <ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
__TOC__<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control. <ref>[https://openvpn.net/index.php/access-server/overview.html] OpenVPN Overview</ref> <ref>[https://en.wikipedia.org/wiki/OpenVPN] OpenVPN Wikipedia</ref><br />
<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<ref>[https://openvpn.net/index.php/access-server/overview.html] Information about Supported Operation Systems</ref><br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/pricing.html] Pricing OpenVPN</ref><br />
<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8) <ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode. <ref>[https://openvpn.net] VPN Solution</ref><br />
<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] VPN Solutions and differences</ref><br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so manual installation steps can be found in this tutorial.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
==Summary==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.<br />
OpenVPN Access Server is amazing, free (2 license) and user friendly VPN service which can be installed on any Linux machine and used as much as needed without additional cost, logs can be deleted and only the owner of the server see the traffic which makes it even better and safer. The installation and configuration of the Access Server is very easy and can be done in easy 7 steps.<br />
I have been using this for years and would recommend it to everyone who is interested in having their own VPN.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References==<br />
{{reflist|30em}}</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104296OpenVPN Access Server2016-06-03T00:56:58Z<p>Aovtsinn: /* Difference between Community Edition VPN and Access Server */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL). <ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
__TOC__<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control. <ref>[https://openvpn.net/index.php/access-server/overview.html] OpenVPN Overview</ref> <ref>[https://en.wikipedia.org/wiki/OpenVPN] OpenVPN Wikipedia</ref><br />
<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<ref>[https://openvpn.net/index.php/access-server/overview.html] Information about Supported Operation Systems</ref><br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/pricing.html] Pricing OpenVPN</ref><br />
<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8) <ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode. <ref>[https://openvpn.net] VPN Solution</ref><br />
<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] VPN Solutions and differences</ref><br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so manual installation steps can be found in this tutorial.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
==Summary==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.<br />
OpenVPN Access Server is amazing, free (2 license) and user friendly VPN service which can be installed on any Linux machine and used as much as needed without additional cost, logs can be deleted and only the owner of the server see the traffic which makes it even better and safer. The installation and configuration of the Access Server is very easy and can be done in easy 7 steps.<br />
I have been using this for years and would recommend it to everyone interested in having their own VPN.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References==<br />
{{reflist|30em}}</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104295OpenVPN Access Server2016-06-03T00:56:01Z<p>Aovtsinn: /* Supported Operation Systems */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL). <ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
__TOC__<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control. <ref>[https://openvpn.net/index.php/access-server/overview.html] OpenVPN Overview</ref> <ref>[https://en.wikipedia.org/wiki/OpenVPN] OpenVPN Wikipedia</ref><br />
<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<ref>[https://openvpn.net/index.php/access-server/overview.html] Information about Supported Operation Systems</ref><br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/pricing.html] Pricing OpenVPN</ref><br />
<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8) <ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode. <ref>[https://openvpn.net] VPN Solution</ref><br />
<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so manual installation steps can be found in this tutorial.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
==Summary==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.<br />
OpenVPN Access Server is amazing, free (2 license) and user friendly VPN service which can be installed on any Linux machine and used as much as needed without additional cost, logs can be deleted and only the owner of the server see the traffic which makes it even better and safer. The installation and configuration of the Access Server is very easy and can be done in easy 7 steps.<br />
I have been using this for years and would recommend it to everyone interested in having their own VPN.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References==<br />
{{reflist|30em}}</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104294OpenVPN Access Server2016-06-03T00:55:13Z<p>Aovtsinn: /* Overview */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL). <ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
__TOC__<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control. <ref>[https://openvpn.net/index.php/access-server/overview.html] OpenVPN Overview</ref> <ref>[https://en.wikipedia.org/wiki/OpenVPN] OpenVPN Wikipedia</ref><br />
<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/pricing.html] Pricing OpenVPN</ref><br />
<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8) <ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode. <ref>[https://openvpn.net] VPN Solution</ref><br />
<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so manual installation steps can be found in this tutorial.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
==Summary==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.<br />
OpenVPN Access Server is amazing, free (2 license) and user friendly VPN service which can be installed on any Linux machine and used as much as needed without additional cost, logs can be deleted and only the owner of the server see the traffic which makes it even better and safer. The installation and configuration of the Access Server is very easy and can be done in easy 7 steps.<br />
I have been using this for years and would recommend it to everyone interested in having their own VPN.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References==<br />
{{reflist|30em}}</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104293OpenVPN Access Server2016-06-03T00:54:11Z<p>Aovtsinn: /* References */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL). <ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
__TOC__<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control. <ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref> <ref>[https://en.wikipedia.org/wiki/OpenVPN] OpenVPN Wikipedia</ref><br />
<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/pricing.html] Pricing OpenVPN</ref><br />
<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8) <ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode. <ref>[https://openvpn.net] VPN Solution</ref><br />
<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so manual installation steps can be found in this tutorial.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
==Summary==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.<br />
OpenVPN Access Server is amazing, free (2 license) and user friendly VPN service which can be installed on any Linux machine and used as much as needed without additional cost, logs can be deleted and only the owner of the server see the traffic which makes it even better and safer. The installation and configuration of the Access Server is very easy and can be done in easy 7 steps.<br />
I have been using this for years and would recommend it to everyone interested in having their own VPN.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References==<br />
{{reflist|30em}}</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104292OpenVPN Access Server2016-06-03T00:52:56Z<p>Aovtsinn: /* References */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL). <ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
__TOC__<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control. <ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref> <ref>[https://en.wikipedia.org/wiki/OpenVPN] OpenVPN Wikipedia</ref><br />
<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/pricing.html] Pricing OpenVPN</ref><br />
<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8) <ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode. <ref>[https://openvpn.net] VPN Solution</ref><br />
<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so manual installation steps can be found in this tutorial.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
==Summary==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.<br />
OpenVPN Access Server is amazing, free (2 license) and user friendly VPN service which can be installed on any Linux machine and used as much as needed without additional cost, logs can be deleted and only the owner of the server see the traffic which makes it even better and safer. The installation and configuration of the Access Server is very easy and can be done in easy 7 steps.<br />
I have been using this for years and would recommend it to everyone interested in having their own VPN.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References==</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104291OpenVPN Access Server2016-06-03T00:52:27Z<p>Aovtsinn: </p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL). <ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
__TOC__<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control. <ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref> <ref>[https://en.wikipedia.org/wiki/OpenVPN] OpenVPN Wikipedia</ref><br />
<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<ref>[https://openvpn.net/index.php/access-server/overview.html] Information about OpenVPN</ref><br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/pricing.html] Pricing OpenVPN</ref><br />
<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8) <ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode. <ref>[https://openvpn.net] VPN Solution</ref><br />
<ref>[https://openvpn.net/index.php/access-server/section-faq-openvpn-as/general/136-which-operating-system-does-the-access-server-software-support.html] FAQ OpenVPN</ref><br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so manual installation steps can be found in this tutorial.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
==Summary==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.<br />
OpenVPN Access Server is amazing, free (2 license) and user friendly VPN service which can be installed on any Linux machine and used as much as needed without additional cost, logs can be deleted and only the owner of the server see the traffic which makes it even better and safer. The installation and configuration of the Access Server is very easy and can be done in easy 7 steps.<br />
I have been using this for years and would recommend it to everyone interested in having their own VPN.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104290OpenVPN Access Server2016-06-03T00:44:03Z<p>Aovtsinn: </p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
__TOC__<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so manual installation steps can be found in this tutorial.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
==Summary==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.<br />
OpenVPN Access Server is amazing, free (2 license) and user friendly VPN service which can be installed on any Linux machine and used as much as needed without additional cost, logs can be deleted and only the owner of the server see the traffic which makes it even better and safer. The installation and configuration of the Access Server is very easy and can be done in easy 7 steps.<br />
I have been using this for years and would recommend it to everyone interested in having their own VPN.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104289OpenVPN Access Server2016-06-03T00:34:02Z<p>Aovtsinn: /* Installation */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
__TOC__<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so manual installation steps can be found in this tutorial.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104288OpenVPN Access Server2016-06-03T00:32:36Z<p>Aovtsinn: /* Pricing */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
__TOC__<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104287OpenVPN Access Server2016-06-03T00:32:16Z<p>Aovtsinn: /* Supported Operation Systems */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
__TOC__<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for the machine on the official website or it is possible to get it after installation of Access Server and logging in with the credentials to server ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=104286OpenVPN Access Server2016-06-03T00:31:39Z<p>Aovtsinn: /* Step by Step Installation tutorial on Ubuntu Linux host machine */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
__TOC__<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for your machine on the official website or it is possible to get it after installation of Access Server and logging in with your credentials to your ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First it is needed to become root user<br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' It is needed to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now it is possible to go back to server console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where user currently are. (it is possible to change, use pwd to see current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now it is possible to install downloaded file using following command dpkg –i (downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
This is it. OpenVPN AS is now installed. But there is some configurations needed before using it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons it is needed to be changed using command (as root) after it user will be provided to enter password. Make sure the password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now the OpenVPN AS web interface is ready, it can be found by default port 943 and server ip address, login using username openvpn and password that have been set before. (After logging in user would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter user credentials. And connection to the Access Server have been established. It is also possible to download official Android or iOS application to use VPN on the smartphone.<br />
Note: There is also a possibility to login to Admin Ul page if it is needed to add users or change settings, although the default settings works fine without any problems.<br />
<br />
Done! OpenVPN Access Server have been installed and configured for free and user can be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if any questions appear please contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=103071OpenVPN Access Server2016-05-04T09:12:17Z<p>Aovtsinn: /* Step by Step Installation tutorial on Ubuntu Linux host machine */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
__TOC__<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for your machine on the official website or it is possible to get it after installation of Access Server and logging in with your credentials to your ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First we would need to become root <br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' We would need to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now we go back to our console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where you currently are. (it is possible to change, use pwd to see your current directory) File will be something around 28 MB (for 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now we install downloaded file using following command dpkg –i (And downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
That’s it. OpenVPN AS is now installed. But there is some configurations needed before we can use it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons we are going to change the password using command (as root) after it you will be provided to enter password. Make sure your password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now we are going to check the OpenVPN AS web interface which can be found by default port 943 and your ip address, login using username openvpn and password what you set before. (After logging in you would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter your credentials. And connection to your Access Server have been established. You can also download official Android or iOS application to use VPN on your smartphone.<br />
Note: You can also login to Admin Ul page if you want to add users or change settings, although the default settings works fine without any problems.<br />
<br />
We are done! Have fun with your OpenVPN Access Server for free and be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov using Linux Ubuntu 14.02 at 03.04.2016, if you have any questions it is possible to contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=102405OpenVPN Access Server2016-04-03T16:12:05Z<p>Aovtsinn: </p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
__TOC__<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for your machine on the official website or it is possible to get it after installation of Access Server and logging in with your credentials to your ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
<br />
==Installation==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
=== Step by Step Installation tutorial on Ubuntu Linux host machine===<br />
<br />
<br />
'''1)''' First we would need to become root <br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' We would need to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now we go back to our console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where you currently are. (it is possible to change, use pwd to see your current directory) File will be something around 28 MB (my file 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now we install downloaded file using following command dpkg –i (And downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
That’s it. OpenVPN AS is now installed. But there is some configurations needed before we can use it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons are are going to change the password using command (as root) after command you will be provided with be promted to enter password. Make sure your password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now we are going to check the OpenVPN AS web interface which can be found by default port 943 and your ip address, login using username openvpn and password what you set before. (After logging in you would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter your credentials. And connection to your Access Server have been established. You can also download official Android or iOS application to use VPN on your smartphone.<br />
Note: You can also login to Admin Ul page if you want to add users or change settings, although the default settings works fine without any problems.<br />
<br />
We are done! Have fun with your OpenVPN Access Server for free and be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov, if you have any questions it is possible to contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=102404OpenVPN Access Server2016-04-03T16:07:36Z<p>Aovtsinn: </p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
__TOC__<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for your machine on the official website or it is possible to get it after installation of Access Server and logging in with your credentials to your ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
== Step by Step Installation tutorial on Ubuntu Linux host machine==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
<br />
'''1)''' First we would need to become root <br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' We would need to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now we go back to our console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where you currently are. (it is possible to change, use pwd to see your current directory) File will be something around 28 MB (my file 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now we install downloaded file using following command dpkg –i (And downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
That’s it. OpenVPN AS is now installed. But there is some configurations needed before we can use it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons are are going to change the password using command (as root) after command you will be provided with be promted to enter password. Make sure your password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now we are going to check the OpenVPN AS web interface which can be found by default port 943 and your ip address, login using username openvpn and password what you set before. (After logging in you would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter your credentials. And connection to your Access Server have been established. You can also download official Android or iOS application to use VPN on your smartphone.<br />
Note: You can also login to Admin Ul page if you want to add users or change settings, although the default settings works fine without any problems.<br />
<br />
We are done! Have fun with your OpenVPN Access Server for free and be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov, if you have any questions it is possible to contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=Operating_systems&diff=102403Operating systems2016-04-03T16:05:57Z<p>Aovtsinn: /* List of the topics chosen: */</p>
<hr />
<div>=Operating systems subject related info=<br />
<br />
Lecturer: <br />
<br />
Katrin Loodus (katrin.loodus@itcollege.ee) <br />
<br />
Room 516 (5th floor), phone (6285) 834<br />
<br />
All subject related infotmation will be put up on Wiki page, due to the possibility to have access to the materials even after the subject has concluded. Materials, such as tests, lectures and links to additional materials, will remain available throughout the subject teaching period. <br />
<br />
<br />
=Aim of this course=<br />
<br />
The aim of this course is to introduce the basics of operating systems and IT system life cycle from the viewpoint of the IT system administrator of operating systems. This subject provides hands-on skills needed to complete other field specific subjects in the curriculum.<br />
<br />
Lectures give a theoretical background and the labs give hands-on skills on the same topic using Ubuntu Linux Server.<br />
<br />
<br />
'''This subject is oriented on hands-on practical assignments to compliment the theoretical side of the subject.'''<br />
<br />
Learning outcome 1: <br />
<br />
A student who has completed the subject is able to perform the most common administrative tasks (user management, software management, disk usage, process management) in at least one of the most popular operating system on a server.<br />
<br />
Learning outcome 2: <br />
<br />
A student who has completed the subject understands and is able to explain orally the basic concepts of operating systems and its security aspects.<br />
<br />
Learning outcome 3: <br />
<br />
The student is able to document an operating system's service from an IT systems administrator's viewpoint.<br />
<br />
=Deadlines for assignments 2016=<br />
<br />
'''03.04.2016''' - Submission of wiki article's topic (Sending an e-mail with the chosen topic is mandatory!)<br />
<br />
'''10.05.2016''' - Pre practical test for students, who have done all of their labs<br />
<br />
'''08.05.2016 23:59''' - Submission of wiki article and sending an e-mail to the lecturer in order to get it graded<br />
<br />
'''23.05.2016''' - Last option to defend lab work (Lab1 and/or Lab2)<br />
<br />
'''24.05.2016''' - Practical test<br />
<br />
'''??.06.2016''' - Exam in room ???<br />
<br />
All dates are inclusive.<br />
<br />
=(Occasional) Homework=<br />
<br />
==Week 0 & 1==<br />
<br />
Get familiar with the Unix command line by trying out this Codeacadamy [https://www.codecademy.com/learn/learn-the-command-line short course].<br />
<br />
=Timetable for lectures 2016=<br />
<br />
Public chat for any subject related questions that were left unasked during the lecture: https://chatlink.com/#osadmin_ITKolledz<br />
<br />
<span style="color:#FF0000"><br />
Link to lecture and lab captures:</span> [https://echo360.e-ope.ee/ess/portal/section/d38715c3-2cc6-43ee-bc1c-818df79d0b41 Go to captures]<br />
<br />
==Lecture 0==<br />
February 09th 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture00%20-%20Introduction%20-%202016.odp Lecture 0 - Introduction to subject (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture00%20-%20Introduction%20-%202016.pdf (PDF) ]<br />
<br />
[http://enos.itcollege.ee/~kloodus/opsys/test_answers_spring2016.txt Test answers].<br />
<br />
==Lecture 1==<br />
<br />
February 12th 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture01%20-%20OS%20introduction.odp Lecture 1 - Operating systems introduction (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture01%20-%20OS%20introduction.pdf (PDF) ]<br />
<br />
* Lecture will be on the February 12th at 8:15 in room 219<br />
<br />
* Practice will be on the same day at 10:00 in room 410<br />
<br />
<span style="color:#FF0000"> Homereading materials:</span><br />
<br />
[https://www.youtube.com/playlist?list=PLmbPuZ0NsyGS8ef6zaHd2qYylzsHxL63x Introduction to operating systems (videos)]<br />
<br />
[https://en.wikipedia.org/wiki/Operating_system Operating systems (wikipedia article)]<br />
<br />
==Lecture 2==<br />
<br />
February 16th 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture02%20-%20user%20management.odp Lecture 2 - User management (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture02%20-%20user%20management.pdf (PDF) ]<br />
<br />
==Lecture 3==<br />
<br />
February 23rd 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture03%20-%20managing%20files%20-%202016.odp Lecture 3 - File permissions (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture03%20-%20managing%20files%20-%202016.pdf (PDF)]<br />
<br />
==Lecture 4==<br />
March 1st 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture04%20-%20user%20environment%20and%20processes%20-%202016.odp Lecture 4 - User environment and processes (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture04%20-%20user%20environment%20and%20processes%20-%202016.pdf (PDF)]<br />
<br />
==Lecture 5==<br />
<br />
March 8th 2016 Lecture 5 - [http://enos.itcollege.ee/~kloodus/opsys/lecture05%20-%20FHS%20and%20links%20-%202016.odp Filesystem Hierarchy (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture05%20-%20FHS%20and%20links%20-%202016.pdf (PDF)]<br />
<br />
==Lecture 6==<br />
<br />
March 15th 2016 [http://enos.itcollege.ee/~kloodus/opsys/lecture06%20-%20Software%20management%20-%202016.odp Lecture 6 - Software management (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture06%20-%20Software%20management%20-%202016.pdf (PDF)]<br />
<br />
==Lecture 7==<br />
<br />
March 22nd 2016 - [http://enos.itcollege.ee/~kloodus/opsys/lecture07%20-%20Documentation%20-%202016.odp Lecture 7 - Documentation (OpenDocument)] [http://enos.itcollege.ee/~kloodus/opsys/lecture07%20-%20Documentation%20-%202016.prd (PDF)]<br />
<br />
==Lecture 8==<br />
<br />
April 5th 2016 - Lecture 8 - Security session<br />
<br />
==Lecture 9==<br />
<br />
<br />
<span style="color:#FF0000"> April 12th 2016 - No lecture nor labs - Lecturer is away </span><br />
<br />
Substitute lecture and lab time will be announced later<br />
<br />
==Lecture 10==<br />
<br />
April 19th 2016 - Lecture 10 - Disks, partitions and swap area<br />
<br />
==Lecture 11==<br />
<br />
April 26th 2016 - Lecture 11 - RAID; LVM, SAN and NAS technologies<br />
<br />
==Lecture 12==<br />
May 3rd 2016 - Lecture 12 - Backup and recovery<br />
<br />
==Lecture 13==<br />
<br />
May 10th 2016 - Lecture 13 - Monitoring<br />
<br />
==Lecture 14==<br />
<br />
May 17th 2016 - Lecture 14 - Miscellaneous topics<br />
<br />
<span style="color:#FF0000"><br />
Lecture will be held in room '''319!''' </span><br />
<br />
==Lecture 15==<br />
<br />
=Lab works=<br />
<br />
==Lab 0==<br />
<br />
Installing Ubuntu Server 14.04.3 LTS<br />
<br />
'''Introduction to Unix command line''' (cd, ls, cat, full path, relative path etc)<br />
<br />
==Lab 1== <br />
<br />
3 points - '''Managing users''' (adduser, addgroup, passwd, /etc/passwd, /etc/shadow)<br />
<br />
<br />
1) Create a user noodle<br />
<br />
2) Add a new group food and add a the user noodle to a group called food.<br />
<br />
3) Divert the user noodle's password hash via cowsay to a file called cownoodle.txt.<br />
<br />
4) Lock the user noodle and be ready to show me the indication of the user being locked. <br />
<br />
5) Change the user's current home directory into /home/unknown so that the files will also be moved to the new location.<br />
<br />
<br />
5 points - '''Managing files''' (mkdir, cp, mv, rm, touch, nano, less, chmod, chown, rwx, 644 etc)<br />
<br />
<br />
1) Create a folder march in root user directory and for every march day a subfolder with a name day1, day2, day3 … day31. (Example: /root/march/day1 or /root/march/day2 etc)<br />
<br />
2) Modify the march folder owner so that it will be student and the new group audio.<br />
<br />
3) Modify the march folder's and its subfolders so that the user can do anything, group can do ls in the folder and cd into it and others can't do anything with it.<br />
<br />
4) Create a hard link called network to a file /etc/network/interfaces <br />
<br />
5) Copy /var/log directory into march folder so that the timestamp and user info will be preserved.<br />
<br />
<br />
4 points - '''Processes and environment variables''' (kill, using directing input/output/error: |, <, >, >>; env, PATH, HOME etc)<br />
<br />
<br />
1) Divert the list with the student user's groups via cowsay into a fail studgroup.txt.<br />
<br />
2) Create a environment variable called MYHOME that has the value of the system's HOME environment variable. (Hint: you have tu use variable symbol here!)<br />
<br />
3) Send 2 htop's to the background and be ready to present how you send a kill signal to the first htop by job number and term signal to the second htop by a process number. <br />
<br />
4) Create an alias called bye that logs you out of the terminal. Make this alias permanent. <br />
<br />
5) Execute a programm called espdiff and diver the standardoutput to a file called okay.txt and the standard error to a file called notokay.txt. <br />
<br />
<br />
3 points - '''Managing software''' (installation, updating, deleting, apt and dpkg utils)<br />
<br />
==Lab 2==<br />
<br />
7 points - <br />
'''Managing disks by creating partitions''' (fdisk, mkfs, blkid, mount, umount)<br />
<br />
5 points - <br />
'''Managing swap''' (mkswap, swapon, swapoff)<br />
<br />
=Practical tests=<br />
<br />
==2016==<br />
<br />
=Exams=<br />
<br />
==2016==<br />
<br />
=Wiki article information=<br />
<br />
* Choose a topic from personal experience or from topics found on the wiki page<br />
<br />
*Send the topic to the lecturer kloodus@itcollege.ee<br />
<br />
*Lecturer will confirm the topic<br />
<br />
*Write your article in wiki environment <br />
<br />
*Inform the lecturer when the article is finished<br />
<br />
*Receive feedback with corrections<br />
<br />
<span style="color:#FF0000"> <br />
Bare in mind that this is an open environment, so everything you write in your wiki article, will be public :) </span><br />
<br />
===List of the topics chosen:===<br />
<br />
[[User:akerge|Artur Kerge]] is doing an article on [[Irssi]].<br />
<br />
[[OpenVPN_Access_Server|OpenVPN Access Server]] by [[User:aovtsinn|Artur Ovtsinnikov]]<br />
<br />
[https://wiki.itcollege.ee/index.php/Securing_database_with_command_line_linux Securing database with command line Linux] [Mohanad Aly]</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=102402OpenVPN Access Server2016-04-03T15:59:43Z<p>Aovtsinn: </p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for your machine on the official website or it is possible to get it after installation of Access Server and logging in with your credentials to your ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
== Step by Step Installation tutorial on Ubuntu Linux host machine==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
<br />
'''1)''' First we would need to become root <br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' We would need to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now we go back to our console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where you currently are. (it is possible to change, use pwd to see your current directory) File will be something around 28 MB (my file 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now we install downloaded file using following command dpkg –i (And downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
That’s it. OpenVPN AS is now installed. But there is some configurations needed before we can use it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons are are going to change the password using command (as root) after command you will be provided with be promted to enter password. Make sure your password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now we are going to check the OpenVPN AS web interface which can be found by default port 943 and your ip address, login using username openvpn and password what you set before. (After logging in you would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter your credentials. And connection to your Access Server have been established. You can also download official Android or iOS application to use VPN on your smartphone.<br />
Note: You can also login to Admin Ul page if you want to add users or change settings, although the default settings works fine without any problems.<br />
<br />
We are done! Have fun with your OpenVPN Access Server for free and be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov, if you have any questions it is possible to contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: [http://cloud.arturich.tk/Access%20Server.pdf LINK]<br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=102399OpenVPN Access Server2016-04-03T15:12:00Z<p>Aovtsinn: /* Step by Step Installation tutorial on Ubuntu Linux host machine */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for your machine on the official website or it is possible to get it after installation of Access Server and logging in with your credentials to your ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
== Step by Step Installation tutorial on Ubuntu Linux host machine==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
<br />
'''1)''' First we would need to become root <br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' We would need to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now we go back to our console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to the folder where you currently are. (it is possible to change, use pwd to see your current directory) File will be something around 28 MB (my file 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now we install downloaded file using following command dpkg –i (And downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
That’s it. OpenVPN AS is now installed. But there is some configurations needed before we can use it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons are are going to change the password using command (as root) after command you will be provided with be promted to enter password. Make sure your password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now we are going to check the OpenVPN AS web interface which can be found by default port 943 and your ip address, login using username openvpn and password what you set before. (After logging in you would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter your credentials. And connection to your Access Server have been established. You can also download official Android or iOS application to use VPN on your smartphone.<br />
Note: You can also login to Admin Ul page if you want to add users or change settings, although the default settings works fine without any problems.<br />
<br />
We are done! Have fun with your OpenVPN Access Server for free and be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov, if you have any questions it is possible to contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: LINK <br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=102398OpenVPN Access Server2016-04-03T15:03:02Z<p>Aovtsinn: /* Step by Step Installation and configuration tutorial on Ubuntu Linux host machine */</p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for your machine on the official website or it is possible to get it after installation of Access Server and logging in with your credentials to your ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
== Step by Step Installation tutorial on Ubuntu Linux host machine==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
<br />
'''1)''' First we would need to become root <br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' We would need to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now we go back to our console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to root user home directory. (it is possible to change.) File will be something around 28 MB (my file 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now we install downloaded file using following command dpkg –i (And downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
That’s it. OpenVPN AS is now installed. But there is some configurations needed before we can use it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons are are going to change the password using command (as root) after command you will be provided with be promted to enter password. Make sure your password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now we are going to check the OpenVPN AS web interface which can be found by default port 943 and your ip address, login using username openvpn and password what you set before. (After logging in you would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter your credentials. And connection to your Access Server have been established. You can also download official Android or iOS application to use VPN on your smartphone.<br />
Note: You can also login to Admin Ul page if you want to add users or change settings, although the default settings works fine without any problems.<br />
<br />
We are done! Have fun with your OpenVPN Access Server for free and be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov, if you have any questions it is possible to contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: LINK <br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=102397OpenVPN Access Server2016-04-03T15:02:41Z<p>Aovtsinn: </p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for your machine on the official website or it is possible to get it after installation of Access Server and logging in with your credentials to your ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
== Step by Step Installation and configuration tutorial on Ubuntu Linux host machine==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
<br />
'''1)''' First we would need to become root <br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' We would need to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now we go back to our console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to root user home directory. (it is possible to change.) File will be something around 28 MB (my file 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now we install downloaded file using following command dpkg –i (And downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
That’s it. OpenVPN AS is now installed. But there is some configurations needed before we can use it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons are are going to change the password using command (as root) after command you will be provided with be promted to enter password. Make sure your password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now we are going to check the OpenVPN AS web interface which can be found by default port 943 and your ip address, login using username openvpn and password what you set before. (After logging in you would need to click Agree to accept the License Agreement.<br />
<br />
* Admin page: https://ip_address_or_domain:943/admin<br />
<br />
* Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter your credentials. And connection to your Access Server have been established. You can also download official Android or iOS application to use VPN on your smartphone.<br />
Note: You can also login to Admin Ul page if you want to add users or change settings, although the default settings works fine without any problems.<br />
<br />
We are done! Have fun with your OpenVPN Access Server for free and be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov, if you have any questions it is possible to contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: LINK <br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=102396OpenVPN Access Server2016-04-03T15:02:10Z<p>Aovtsinn: </p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for your machine on the official website or it is possible to get it after installation of Access Server and logging in with your credentials to your ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
== Step by Step Installation and configuration tutorial on Ubuntu Linux host machine==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
Unfortunately, OpenVPN Assess Server cannot be installed using apt-get install, so we will be downloading installation files by ourselves.<br />
<br />
'''1)''' First we would need to become root <br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' We would need to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now we go back to our console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to root user home directory. (it is possible to change.) File will be something around 28 MB (my file 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now we install downloaded file using following command dpkg –i (And downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
That’s it. OpenVPN AS is now installed. But there is some configurations needed before we can use it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons are are going to change the password using command (as root) after command you will be provided with be promted to enter password. Make sure your password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now we are going to check the OpenVPN AS web interface which can be found by default port 943 and your ip address, login using username openvpn and password what you set before. (After logging in you would need to click Agree to accept the License Agreement.<br />
<br />
Admin page: https://ip_address_or_domain:943/admin<br />
<br />
Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter your credentials. And connection to your Access Server have been established. You can also download official Android or iOS application to use VPN on your smartphone.<br />
Note: You can also login to Admin Ul page if you want to add users or change settings, although the default settings works fine without any problems.<br />
<br />
We are done! Have fun with your OpenVPN Access Server for free and be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov, if you have any questions it is possible to contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: LINK <br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=OpenVPN_Access_Server&diff=102395OpenVPN Access Server2016-04-03T14:48:48Z<p>Aovtsinn: </p>
<hr />
<div>__NOTOC__<br />
[[File:Openvpn2.png|thumb|right|alt=A screenshot of Open VPN Client UI.| Logged in Open VPN Client UI]]<br />
<br />
<br />
OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms. The server configurations options supported are a carefully selected subset of a quite large set of possible OpenVPN configurations. Thus, OpenVPN Access Server streamlines the configuration and management of an OpenVPN-based secure remote access deployment.<br />
<br />
== About OpenVPN ==<br />
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).<br />
<br />
=== Overview===<br />
OpenVPN Access Server is a full featured secure network tunneling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments. OpenVPN Access Server supports a wide range of configurations, including secure and granular remote access to internal network and/ or private cloud network resources and applications with fine-grained access control.<br />
=== Supported Operation Systems===<br />
OpenVPN currently supports all main operation systems such as Windows, Mac OS X, Android, iOS and Linux It is possible to download software for your machine on the official website or it is possible to get it after installation of Access Server and logging in with your credentials to your ip_address_or_domain_name:943 (port 943 is default can be changed in the config) and it is possible to download after logging in connection profile for autologin or user-locked profile. (possible to change those settings in the Admin panel of OpenVPN Access Server.<br />
=== Pricing===<br />
OpenVPN is a free sorfware application which provides you 2 user license ( which means that 2 users/machines can be using current OpenVPN Access Server at the same time) after installation which is more then enough for a one person to use. Although it is possible to purchase more Licenses on official website for 9.60$ per concurrent user. And minimum license term is for one year.<br />
== Operating system to Host Access Server software==<br />
Currently, the Access Server software must be run on a 32-bit or 64-bit Linux host. The software is released in the form of binary package files for particular Linux distributions. Supported are RedHat, Fedora, CentOS, Ubuntu, Debian and openSUSE (Most RPM packages can be ran on the following systems: CentOS 6 and 7, Fedora 22, RHEL 6, openSUSE 13. The Deb packages can be ran on the following systems: Ubuntu 12, Debian 6,7,8)<br />
<br />
== Difference between Community Edition VPN and Access Server==<br />
Both Community Edition and Access Server is provided by OpenVPN and they both have something in common like: Secured VPN Tunnel, GUI Client, Bridging, Configurable Ciphers and Real-time compression. But Access Server provides more options such as Web Based GUI (it is possible to use VPN without need of downloading any additional software), Pre-configured Client (possible to download auto filled profile and Auto-login option available), Automated Certificate Creation (Access server web page will also be protected with encrypted https connection (TLS 1.2, The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.) Easy Deployment, Failover Solution, Simple User Management, Pre-built Virtual Appliances, Fill LDAP support, Easy Scalability, User-mode Client, Multi-daemon mode and DMZ mode.<br />
== Step by Step Installation and configuration tutorial on Ubuntu Linux host machine==<br />
Prerequisites: Ubuntu Linux machine and some Linux beginner skills.<br />
The installation of OpenVPN-AS is simple. In this tutorial I will be using Ubuntu 14.04 64-bit VPS server. <br />
<br />
'''1)''' First we would need to become root <br />
<br />
''Command:'' <code> sudo su</code><br />
<br />
'''2)''' We would need to download the latest software installation files from official website which can be found here: [https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html Official Download Page] (Click on the needed Operation System and select needed version to download (32 bit or 64 bit and Ubuntu version 12 or 14) then right click on it and copy link) <br />
<br />
'''3)''' Now we go back to our console panel and download the OpenVPN Access Server using wget and paste copied link before. File will be downloaded by default to root user home directory. (it is possible to change.) File will be something around 28 MB (my file 64bit Ubuntu Linux)<br />
<br />
''Command:'' <code>wget http://swupdate.openvpn.org/as/openvpn-as-2.0.25-Ubuntu12.amd_64.deb </code><br />
<br />
'''4)''' Now we install downloaded file using following command dpkg –i (And downloaded file name)<br />
<br />
''Command:'' <code>dpkg –i openvpn-as-2.0.25-Ubuntu12.amd_64.deb</code><br />
<br />
That’s it. OpenVPN AS is now installed. But there is some configurations needed before we can use it. <br />
<br />
'''5)''' During the installation OpenVPN created admin user which is by default called “openvpn” but the password left empty for security reasons are are going to change the password using command (as root) after command you will be provided with be promted to enter password. Make sure your password is secure!<br />
<br />
''Command:'' <code>passwd openvpn</code><br />
<br />
'''6)''' Now we are going to check the OpenVPN AS web interface which can be found by default port 943 and your ip address, login using username openvpn and password what you set before. (After logging in you would need to click Agree to accept the License Agreement.<br />
<br />
Admin page: https://ip_address_or_domain:943/admin<br />
Client page: https://ip_address_or_domain:943/<br />
<br />
Note: The server’s SSL is self-signed so not need to worry about the bad security warning<br />
<br />
'''7)''' Download needed OpenVPN Connect software by clicking the link. After it has finished downloading, run it and enter your credentials. And connection to your Access Server have been established. You can also download official Android or iOS application to use VPN on your smartphone.<br />
Note: You can also login to Admin Ul page if you want to add users or change settings, although the default settings works fine without any problems.<br />
<br />
We are done! Have fun with your OpenVPN Access Server for free and be more secure using this encrypted connection. <br />
<br />
Tutorial created by Artur Ovtsinnikov, if you have any questions it is possible to contact me by email.<br />
<br />
== See Also==<br />
A bit better Step-by-Step pdf tutorial with screenshots can be downloaded here: LINK <br />
<br />
==References== <br />
https://openvpn.net<br />
<br />
https://openvpn.net/index.php/access-server/overview.html<br />
<br />
https://openvpn.net/index.php/access-server/docs/admin-guides-sp-859543150.html<br />
<br />
https://en.wikipedia.org/wiki/OpenVPN<br />
<br />
https://en.wikipedia.org/wiki/Pre-shared_key</div>Aovtsinnhttps://wiki.itcollege.ee/index.php?title=File:Openvpn2.png&diff=102394File:Openvpn2.png2016-04-03T14:47:56Z<p>Aovtsinn: </p>
<hr />
<div></div>Aovtsinn