linux tips and tricks

Linux Security



Linux Shortcuts and Commands:
Linux Newbie Administrator Guide
 
This is a practical selection of the commands we use most often. Press <Tab> to see the listing of all available commands (on your PATH). On my small home system, it says there are 2595 executables on my PATH. Many of these "commands" can be accessed from your favourite GUI front-end (probably KDE or Gnome) by clicking on the right menu or button. They can all be run from the command line. Programs that require a GUI have to be run from a terminal opened under a GUI.
Legend:
<> = single special or function key on the keyboard. For example <Ctrl> indicates the "control" key.
italic = name of the file or variable you probably want to substitute with your own.
fixed width = in-line Linux commands and filenames.
Notes for the UNIX Clueless:
1. LINUX IS CASE-SENSITIVE. For example: Netscape, NETSCAPE and nEtscape are three different commands. Also my_filE, my_file, and my_FILE are three different files. Your user login name and password are also case sensitive. (This goes with the tradition of UNIX and the "c" programming language being case sensitive.)
2. Filenames can be up to 256 characters long and can contain letters, numbers, "." (dot), "_" (underscore), "-" (dash), plus some other, not recommended, characters.
3. Files with names starting with "." are normally not shown by the ls (list) or dir commands. Think of these files as "hidden". Use ls -a (list with the option "all") to see these files.
4. "/" is an equivalent to DOS "\" (root directory, meaning the parent of all other directories).
5. Under Linux, all directories appear under a single directory tree (there are no DOS-style drive letters).
6. In a configuration file, a line starting with # is a comment.
7.1 Linux essential shortcuts and sanity commands
<Ctrl><Alt><F1>
Switch to the first text terminal. Under Linux you can have several (6 in standard setup) terminals opened at the same time.
<Ctrl><Alt><Fn> (n=1..6)
Switch to the nth text terminal.
tty
Print the name of the terminal in which you are typing this command.
<Ctrl><Alt><F7>
Switch to the first GUI terminal (if X-windows is running on this terminal).
<Ctrl><Alt><Fn> (n=7..12)
Switch to the nth GUI terminal (if a GUI terminal is running on screen n-1). By default, nothing is running on terminals 8 to 12, but you can run another server there.
<Tab>
(In a text terminal) Autocomplete the command if there is only one option, or else show all the available options.
THIS SHORTCUT IS GREAT! It even works at LILO prompt!
<ArrowUp>
Scroll and edit the command history. Press <Enter> to execute.
<Shift><PgUp>
Scroll terminal output up. Works also at the login prompt, so you can scroll through your bootup messages.
<Shift><PgDown>
Scroll terminal output down.
<Ctrl><Alt><+>
(in X-windows) Change to the next X-server resolution (if you set up the X-server to more than one resolution). For multiple resolutions on my standard SVGA card/monitor, I have the following line in the file /etc/X11/XF86Config (the first resolution starts on default, the largest determines the size of the "virtual screen"):
Modes "1024x768" "800x600" "640x480" "512x384" "480x300" "400x300" "1152x864"
<Ctrl><Alt><->
(in X-windows) Change to the previous X-server resolution.
<Ctrl><Alt><BkSpc>
(in X-windows) Kill the current X-windows server. Use if the X-windows server crashes and cannot be exited normally.
<Ctrl><Alt><Del>
Shut down the system and reboot. This is the normal shutdown command for a user at the text-mode console. Don't just press the "reset" button for shutdown!
<Ctrl>c
Kill the current process (mostly in the text mode for small applications).
<Ctrl>d
Log out from the current terminal. See also the next command.
<Ctrl>d
Send [End-of-File] to the current process. Don't press it twice else you also log out (see the previous command).
<Ctrl>s
Stop the transfer to the terminal.
<Ctrl>q
Resume the transfer to the terminal. Try if your terminal mysteriously stops responding.
<Ctrl>z
Send the current process to the background.
exit
Logout. I can also use logout for the same effect. (If you have started a second shell, e.g., using bash, the second shell will be exited and you will be back in the first shell, not logged out.)
reset
Restore a screwed-up terminal (a terminal showing funny characters) to its default settings. Use if you tried to "cat" a binary file. You may not be able to see the command as you type it.
<MiddleMouseButton>
Paste the text which is currently highlighted somewhere else. This is the normal "copy-paste" operation in Linux. (It doesn't work with Netscape and WordPerfect, which use the MS Windows-style "copy-paste". It does work in the text terminal if you enabled the "gpm" service using "setup".) Best used with a Linux-ready 3-button mouse (Logitech or similar), or else set "3-mouse-button emulation".
~
(tilde) My home directory (normally the directory /home/my_login_name). For example, the command cd ~/my_dir will change my working directory to the subdirectory "my_dir" under my home directory. Typing just "cd" alone is an equivalent of the command "cd ~".
.
(dot) Current directory. For example, ./my_program will attempt to execute the file "my_program" located in your current working directory.
..
(two dots) Directory parent to the current one. For example, the command cd .. will change my current working directory one level up.
7.2 Common Linux commands--system info
pwd
Print working directory, i.e., display the name of my current directory on the screen.
hostname
Print the name of the local host (the machine on which you are working). Use netconf (as root) to change the name of the machine.
whoami
Print my login name.
id username
Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.
date
Print or change the operating system date and time. E.g., I could change the date and time to 2000-12-31 23:57 using this command:
date 123123572000
To set the hardware (BIOS) clock from the system (Linux) clock, use the command (as root) setclock
time
Determine the amount of time that it takes for a process to complete + other info. Don't confuse it with the date command. E.g., I can find out how long it takes to display a directory's content using:
time ls
who
Determine the users logged on the machine.
rwho -a
(=remote who) Determine all users logged on your network. The rwho service must be enabled for this command to run. If it isn't, run setup as root to enable "rwho".
finger user_name
System info about a user. Try: finger root
last
Show a listing of the users last logged in on your system.
history | more
Show the last (1000 or so) commands executed from the command line on the current account. The "| more" causes the display to stop after each screenful.
uptime
Show the amount of time since the last reboot.
ps
(=print status) List the processes currently run by the current user.
ps axu | more
List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.
top
Keep listing the currently running processes, sorted by cpu usage (top users first). In KDE, you can get GUI-based Ktop from "K"menu under "System"-"Task Manager" (or by executing "ktop" in an X-terminal).
uname -a
(= Unix name with option "all") Info on your (local) server. I can also use guname (in X-window terminal) to display the info more nicely.
free
Memory info (in kilobytes).
df -h
(=disk free) Print disk info about all the filesystems (in human-readable form).
du / -bh | more
(=disk usage) Print detailed disk usage for each subdirectory starting at the "/" (root) directory (in human legible form).
cat /proc/cpuinfo
CPU info--shows the content of the file cpuinfo. Note that the files in the /proc directory are not real files--they are hooks to look at information available to the kernel.
cat /proc/interrupts
List the interrupts in use.
cat /proc/version
Linux version and other info.
cat /proc/filesystems
Show the types of filesystems currently in use.
cat /etc/printcap
Show the setup of printers.
lsmod
(As root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.
set|more
Show the current user environment.
echo $PATH
Show the content of the environment variable "PATH". This command can be used to show other environment variables as well. Use "set" to see the full environment.
dmesg | less
Print kernel messages (the content of the so-called kernel ring buffer). Press "q" to quit "less". Use less /var/log/dmesg to see what "dmesg" dumped into this file right after the last system bootup.
 
7.3 Basic operations
any_command --help |more
Display a brief help on a command (works with most commands). "--help" works similarly to the DOS "/h" switch. The "more" pipe is needed if the output is longer than one screen.
man topic
Display the contents of the system manual pages (help) on the topic. Try man man first. Press "q" to quit the viewer. The command info topic works similarly and may contain more up-to-date information. Manual pages can be hard to read. Try any_command --help for short, easy to digest help on a command. If more info is needed, have a look at the directory /usr/doc. To display a manual page from a specific section, I may use something like in this example: man 3 exit (this displays info on the command exit from section 3 of the manual pages).
apropos topic
Give me the list of the commands that have something to do with my topic.
help command
Display brief info on a bash (shell) built-in command.
ls
List the content of the current directory. Under Linux, the command "dir" is an alias to ls. Many users have "ls" aliased to "ls --color".
ls -al |more
List the content of the current directory, all files (also those starting with a dot), and in a long form. Pipe the output through the "more" command, so that the display pauses after each screenful.
cd directory
Change directory. Using "cd" without the directory name will take you to your home directory. "cd -" will take you to your previous directory and is a convenient way to toggle between two directories. "cd .." will take you one directory up.
cp source destination
Copy files. E.g., cp /home/stan/existing_file_name . will copy a file to my current working directory. Use the "-r" option (for recursive) to copy the contents of whole directories, e.g., cp -r my_existing/dir/ ~ will copy a subdirectory under my current working directory to my home directory.
mcopy source destination
Copy a file from/to a DOS filesystem (no mounting necessary). E.g., mcopy a:\autoexec.bat ~/junk . See man mtools for related commands: mdir, mcd, mren, mmove, mdel, mmd, mrd, mformat ....
mv source destination
Move or rename files. The same command is used for moving and renaming files and directories.
ln source destination
Create a hard link called destination to the file called source. The link appears as a copy of the original file, but in reality only one copy of the file is kept; just two (or more) directory entries point to it. Any changes to the file are automatically visible throughout. When one directory entry is removed, the other(s) stay(s) intact. The limitations of hard links are: the files have to be on the same filesystem, and hard links to directories or special files are impossible.
ln -s source destination
Create a symbolic (soft) link called "destination" to the file called "source". The symbolic link just specifies a path where to look for the file. In contradistinction to hard links, the source and destination don't have to be on the same filesystem. In comparison to hard links, the drawbacks of symbolic links are: if the original file is removed, the link is "broken"; symbolic links can also create circular references (like circular references in spreadsheets or databases, e.g., "a" points to "b" and "b" points back to "a").
rm files
Remove (delete) files. You must own the file in order to be able to remove it. On many systems, you will be asked for confirmation of deletion; if you don't want this, use the "-f" (=force) option, e.g., rm -f * will remove all files in my current working directory, no questions asked.
mkdir directory
Make a new directory.
rmdir directory
Remove an empty directory.
rm -r files
(recursive remove) Remove files, directories, and their subdirectories. Careful with this command as root--you can easily remove all files on the system with such a command executed at the top of your directory tree, and there is no undelete in Linux (yet). But if you really wanted to do it (reconsider), here is how (as root): rm -rf /*
cat filename | more
View the content of a text file called "filename", one page at a time. The "|" is the "pipe" symbol (on many American keyboards it shares the key with "\"). The pipe makes the output stop after each screenful. For long files, it is sometimes convenient to use the commands head and tail that display just the beginning and the end of the file. If you happened to "cat" a binary file and your terminal displays funny characters afterwards, you can restore it with the command "reset".
less filename
Scroll through a content of a text file. Press q when done. "Less" is roughly equivalent to "more" , the command you know from DOS, although very often "less" is more convenient than "more".
pico filename
Edit a text file using the simple and standard text editor called pico.
pico -w filename
Edit a text file, while disabling the long line wrap. Handy for editing configuration files, e.g. /etc/fstab.
find / -name "filename"
Find the file called "filename" on your filesystem starting the search from the root directory "/". The "filename" may contain wildcards (*,?).
locate filename
Find the file whose name contains the string "filename". Easier and faster than the previous command, but depends on a database that normally rebuilds at night.
./program_name
Run an executable in the current directory, which is not on your PATH.
touch filename
Change the date/time stamp of the file filename to the current time. Create an empty file if the file does not exist.
xinit
Start a barebone X-windows server (without a windows manager).
startx
Start an X-windows server and the default windows manager. Works like typing "win" under DOS with Win3.1.
startx -- :1
Start another X-windows session on the display 1 (the default is opened on display 0). You can have several GUI terminals running concurrently. Switch between them using <Ctrl><Alt><F7>, <Ctrl><Alt><F8>, etc.
xterm
(in X terminal) Run a simple X-windows terminal. Typing exit will close it. There are other, more advanced "virtual" terminals for X-windows. I like the popular ones: konsole and kvt (both come with kde) and gnome-terminal (comes with gnome). If you need something really fancy-looking, try Eterm.
xboing
(in X terminal). Very nice, old-fashioned game. Many small games/programs are probably installed on your system. I also like xboard (chess).
shutdown -h now
(as root) Shut down the system to a halt. Mostly used for a remote shutdown. Use <Ctrl><Alt><Del> for a shutdown at the console (which can be done by any user).
halt
reboot
(as root, two commands) Halt or reboot the machine. Used for remote shutdown, simpler to type than the previous command.
 
Network apps
netscape
(in X terminal) Run netscape (requires a separate Netscape installation). The current versions of Netscape (4.x) are known to be big and buggy. They occasionally crash by vanishing (no other harm done). Also, when not connected to the network, Netscape likes to refuse to do anything (it looks like it has hung); it revives when you connect.
netscape -display host:0.0
(in X terminal) Run netscape on the current machine and direct the output to the machine named "host", display 0, screen 0. Your current machine must have permission to display on the machine "host" (typically given by executing the command xhost current_machine_name in an xterminal of the machine host). Other X-windows programs can be run remotely the same way.
lynx file.html
View an html file or browse the net from the text mode.
pine
A good text-mode mail reader. Another good and standard one is elm. Your Netscape mail will read the mail from your Internet account. pine will let you read the "local" mail, e.g. the mail your son or a cron process sends to you from a computer on your home network. The command mail could also be used for reading/composing mail, but it would be inconvenient--it is meant to be used in scripts for automation.
elm
A good text-mode mail reader. See the previous command.
mutt
A really basic but extremely useful and fast mail reader.
mail
A basic operating system tool for e-mail. Look at the previous commands for a better e-mail reader. mail is good if you wanted to send an e-mail from a shell script.
licq
(in X term) An icq "instant messaging" client. Another good one is kxicq. Older distributions don't have an icq client installed; you have to download one and install it.
talk username1
Talk to another user currently logged on to your machine (or use "talk username1@machinename" to talk to a user on a different computer). To accept the invitation to the conversation, type the command "talk username2". If somebody is trying to talk to you and it disrupts your work, you may use the command "mesg n" to refuse accepting messages. You may want to use "who" or "rwho" to determine the users who are currently logged in.
mc
Launch the "Midnight Commander" file manager (looks like "Norton Commander" for Linux).
telnet server
Connect to another machine using the TELNET protocol. Use a remote machine name or IP address. You will be prompted for your login name and password--you must have an account on the remote machine to login. Telnet will connect you to another machine and let you operate on it as if you were sitting at its keyboard (almost). Telnet is not very secure--everything you type goes in open text, even your password!
rlogin server
(=remote login) Connect to another machine. The login name/password from your current session is used; if it fails you are prompted for a password.
rsh server
(=remote shell) Yet another way to connect to a remote machine. The login name/password from your current session is used; if it fails you are prompted for a password.
ftp server
Ftp another machine. (There is also ncftp, which adds extra features, and gftp for GUI.) Ftp is good for copying files to/from a remote machine. Try user "anonymous" if you don't have an account on the remote server. After connection, use "?" to see the list of available ftp commands. The essential ftp commands are: ls (see the files on the remote system), ASCII, binary (set the file transfer mode to either text or binary; it is important that you select the proper one), get (copy a file from the remote system to the local system), mget (get many files at once), put (copy a file from the local system to the remote system), mput (put many files at once), bye (disconnect). For automation in a script, you may want to use ncftpput and ncftpget, for example:
ncftpput -u my_user_name -p my_password -a remote.host.domain remote_dir *local.html
minicom
Minicom program (looks like "Procomm for Linux").
File (de)compression
tar -zxvf filename.tar.gz
(=tape archiver) Untar a tarred and compressed tarball (*.tar.gz or *.tgz) that you downloaded from the Internet.
tar -xvf filename.tar
Untar a tarred but uncompressed tarball (*.tar).
gunzip filename.gz
Decompress a zipped file (*.gz or *.z). Use gzip (also zip or compress) if you wanted to compress files to this file format.
bunzip2 filename.bz2
(=big unzip) Decompress a file (*.bz2) zipped with bzip2 compression utility. Used for big files.
unzip filename.zip
Decompress a file (*.zip) zipped with a compression utility compatible with PKZIP for DOS.
unarj e filename.arj
Extract the content of an *.arj archive.
uudecode -o outputfile filename
Decode a file encoded with uuencode. uu-encoded files are typically used for transfer of non-text files in e-mail (uuencode transforms any file into an ASCII file).
7.4 Process control
ps
(=print status) Display the list of currently running processes with their process IDs (PID) numbers. Use ps axu to see all processes currently running on your system (also those of other users or without a controlling terminal), each with the name of the owner. Use "top" to keep listing the processes currently running.
fg PID
Bring a background or stopped process to the foreground.
bg PID
Send the process to the background. Opposite to fg. The same can be accomplished with <Ctrl>z. If you have stopped jobs, you have to type exit twice in a row to log out.
any_command&
Run any command in the background (the symbol "&" means "run the preceding command in the background").
batch any_command
Run any command (usually one that is going to take more time) when the system load is low. I can log out, and the process will keep running.
at 17:00
Execute a command at a specified time. You will be prompted for the command(s) to run, until you press <Ctrl>d.
kill PID
Force a process shutdown. First determine the PID of the process to kill using ps.
killall program_name
Kill program(s) by name.
xkill
(in an xwindow terminal) Kill a GUI-based program with mouse. (Point with your mouse cursor at the window of the process you want to kill and click.)
lpc
(as root) Check and control the printer(s). Type "?" to see the list of available commands.
lpq
Show the content of the printer queue. Under KDE (X-Windows), you may use GUI-based "Printer Queue" available from "K"menu-Utilities.
lprm job_number
Remove a printing job "job_number" from the queue.
nice program_name
Run program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower), from the default value (usually 0). The lower the number (of "niceness" to other users on the system), the higher the priority. The priority value may be in the range -20 to 19. Only root may specify negative values. Use "top" to display the priorities of the running processes.
renice -1 PID
(as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only up from the current value (make them run slower).
<Ctrl>c, <Ctrl>z, <Ctrl>s, and <Ctrl>q also belong to this chapter but they were described previously. In short they mean: stop the current command, send the current command to the background, stop the data transfer, resume the data transfer.
 
7.5 Basic administration commands
printtool
(as root in X-terminal) Configuration tool for your printer(s). Settings go to the file /etc/printcap.
setup
(as root) Configure mouse, soundcard, keyboard, X-windows, system services. There are many distribution-specific configuration utilities; setup is the default on RedHat. Mandrake 7.0 offers the very nice DrakConf.
linuxconfig
(as root, either in text or graphical mode). You can access and change hundreds of settings from it. Very powerful--don't change too many things at the same time, and be careful with changing entries you don't understand.
xvidtune
(in X-terminal). Adjust the settings of the graphical display for all resolutions so as to eliminate black bands, shift the display right/left/up/down, etc. (First use the knobs on your monitor to fit your text mode correctly on the screen.) To make the changes permanent, display the frequencies on the screen and transfer them to the setup file /etc/X11/XF86Config.
alias ls="ls --color=tty"
Create an alias for the command "ls" to enhance its format with color. In this example, the alias is also called "ls" and the "color" option is only invoked when the output goes to a terminal (not to files). Put the alias into the file /etc/bashrc if you would like the alias to be always accessible to all users on the system. Type "alias" alone to see the list of aliases on your system.
adduser user_name
Create a new account (you must be root). E.g., adduser barbara. Don't forget to set up the password for the new user in the next step. The user home directory is /home/user_name.
useradd user_name
The same as the command "adduser user_name".
userdel user_name
Remove an account (you must be root). The user's home directory and the undelivered mail must be dealt with separately (manually, because you have to decide what to do with the files).
groupadd group_name
Create a new group on your system. Non-essential but can be handy even on a home machine with a small number of users.
passwd
Change the password on your current account. If you are root, you can change the password for any user using: passwd user_name
chmod perm filename
(=change mode) Change the file access permissions for the files you own (unless you are root, in which case you can change any file). You can make a file accessible in three modes: read (r), write (w), execute (x) to three classes of users: owner (u), members of the same group as the owner (g), others on the system (o). Check the current access permissions using:
ls -l filename
If the file is accessible to all users in all modes it will show:
rwxrwxrwx
The first triplet shows the file permission for the owner of the file, the second for his/her group, the third for others. A "no" permission is shown as "-".
E.g., this command will add the permission to read the file "junk" to all (=user+group+others):
chmod a+r junk
This command will remove the permission to execute the file junk from others:
chmod o-x junk
You can set the default file permissions for the new files that you create using the command umask (see man umask).
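As an added example (not part of the original guide), this script creates files under a few umask values, applies the symbolic chmod forms shown above, and checks the resulting rwx triplets with stat; it also shows how a permissive umask produces a world-writable file and how to find and fix it. It assumes a POSIX sh with GNU coreutils (stat -c) and GNU findutils; the file names are made up.

```shell
#!/bin/sh
# Added example, not part of the original guide: umask and chmod in practice.
# Assumes GNU coreutils (stat -c) and GNU findutils (find -perm).
# The file names below are made up for the demonstration.

set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# mode_of FILE -> the nine-character rwx triplets (owner, group, others)
mode_of() { stat -c '%A' "$1" | cut -c2-10; }

# make_with_umask MASK NAME -> create an empty NAME under $work with MASK
# applied; the subshell keeps the umask change from leaking into this script
make_with_umask() { ( umask "$1"; : > "$work/$2" ); }

# world_writable DIR -> regular files under DIR whose "others" triplet has w
world_writable() { find "$1" -type f -perm -002; }

make_with_umask 022 junk     # usual default:  rw-r--r--
make_with_umask 077 secret   # owner only:     rw-------
make_with_umask 000 open     # nothing masked: rw-rw-rw-

chmod a+r "$work/junk"       # read for user+group+others (already set)
chmod o-x "$work/junk"       # remove execute from others (already absent)
chmod u+x "$work/junk"       # let the owner execute it: rwxr--r--

junk_mode=$(mode_of "$work/junk")
secret_mode=$(mode_of "$work/secret")

# A permissive umask is how world-writable files appear; find them and fix.
ww_before=$(world_writable "$work")   # lists "$work/open"
chmod o-w "$work/open"                # drop write for others: rw-rw-r--
ww_after=$(world_writable "$work")    # nothing left

echo "junk: $junk_mode  secret: $secret_mode  open: $(mode_of "$work/open")"
echo "world-writable before fix: ${ww_before:-none}"
echo "world-writable after fix:  ${ww_after:-none}"
```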
chown new_ownername filename
chgrp new_groupname filename
Change the file owner and group. You should use these two commands after you copy a file for use by somebody else.
su
(=substitute user id) Assume the superuser (=root) identity (you will be prompted for the password). Type "exit" to return you to your previous login. Don't habitually work on your machine as root. The root account is for administration and the su command is to ease your access to the administration account when you require it. You can also use "su" to assume any other user identity, e.g. su barbara will make me "barbara" (password required unless I am a superuser).
kernelcfg
(as root in X terminal). GUI to add/remove kernel modules. You can do the same from the command line using the command "insmod", but "insmod" is less "newbie-friendly".
lsmod
List currently loaded kernel modules. A module is like a device driver--it provides operating system kernel support for a particular piece of hardware or feature.
modprobe -l |more
List all the modules available for your kernel. The available modules are determined by how your Linux kernel was compiled. Every possible module/feature can be compiled on Linux as either "hard wired" (fast, non-removable), "module" (maybe slower, but loaded/removable on demand), or "no" (no support for this feature at all).
insmod parport
insmod ppa
(as root) Insert modules into the kernel (a module is roughly an equivalent of a DOS device driver). This example shows how to insert the modules for support of the external parallel port zip drive (it appears to be a problem to get the external zip drive to work in any other way under RH6.0 ).
rmmod module_name
(as root, not essential). Remove the module module_name from the kernel.
setserial /dev/cua0 port 0x03f8 irq 4
(as root) Set a serial port to a non-standard setting. The example here shows the standard setting for the first serial port (cua0 or ttyS0). The standard PC settings for the second serial port (cua1 or ttyS1) are: address of i/o port 0x02f8, irq 3. The third serial port (cua2 or ttyS2): 0x03e8, irq 4. The fourth serial port (cua3 or ttyS3): 0x02e8, irq 3. Add your setting to /etc/rc.d/rc.local if you want it to be set at boot time. See man setserial for a good overview.
fdisk
(as root) Linux hard drive partitioning utility (DOS has a utility with the same name).
cd /usr/src/linux-2.0.36
make xconfig
(as root in X terminal). Nice GUI front-end for configuration of the kernel options in preparation for compilation of your customized kernel. (The directory name contains the version of your Linux kernel, so you may need to modify the directory name if your Linux kernel version is different than the 2.0.36 used in this example. You also need the "Tk" interpreter and the kernel source code installed.) The alternatives to "make xconfig" are: "make config" (runs a script that asks you questions in the text mode) and "make menuconfig" (runs a text-based menu-driven configuration utility). Try: less /usr/doc/HOWTO/Kernel-HOWTO for more information.
After the configuration, you may choose to proceed with compilation of the new kernel by issuing the following commands:
make dep
make zImage
The last command will take some time to complete (maybe 0.5 h, depending on your hardware). It produces the file "zImage", which is your new Linux kernel. Next:
make modules
make modules_install
Read: /usr/doc/HOWTO/Kernel-HOWTO for information on how to install the new kernel. You will probably also find it useful to read "man depmod". Configuration, compilation and installation of a new kernel is not difficult, but it CAN lead to problems if you don't know what you are doing.
Compilation of a kernel is a good way to test your hardware, because it involves a massive amount of computing. If your hardware is "flaky", you will most likely receive the "signal 11" error (read the beautiful /usr/doc/FAQ/txt/GCC-SIG11-FAQ). See this for details on kernel upgrade.
depmod -a
(as root) Build the module dependency table for the kernel. This can, for example, be useful after installing and booting a new kernel. Use "modprobe -a" to load the modules.
ldconfig
(as root) Re-create the bindings and the cache for the loader of dynamic libraries ("ld"). You may want to run ldconfig after an installation of new dynamically linked libraries on your system. (It is also re-run every time you boot the computer, so if you reboot you don't have to run it manually.)
mknod /dev/fd0 b 2 0
(=make node, as root) Create a device file. This example shows how to create a device file associated with your first floppy drive and could be useful if you happened to accidentally erase it. The options are: b=block mode device (c=character mode device, p=FIFO device, u=unbuffered character mode device). The two integers specify the major and the minor device number.
fdformat /dev/fd0H1440
mkfs -c -t ext2 /dev/fd0H1440
(=floppy disk format, two commands, as root) Perform a low-level formatting of a floppy in the first floppy drive (/dev/fd0), high density (1440 kB). Then make a Linux filesystem (-t ext2) on that device, checking/marking bad blocks (-c). Making the filesystem is an equivalent to the high-level format.
badblocks /dev/fd0H1440 1440
(as root) Check a high-density floppy for bad blocks and display the results on the screen. The parameter "1440" specifies that 1440 blocks are to be checked. This command does not modify the floppy.
fsck -t ext2 /dev/hda2
(=file system check, as root) Check and repair a filesystem. The example uses the partition hda2, filesystem type ext2.
dd if=/dev/fd0H1440 of=floppy_image
dd if=floppy_image of=/dev/fd0H1440
(two commands, dd="data duplicator") Create an image of a floppy to the file called "floppy_image" in the current directory. Then copy floppy_image (file) to another floppy disk. Works like DOS "DISKCOPY".
 
Program installation
rpm -ivh filename.rpm
(=RedhatPackageManager, install, verbose, hashes displayed to show progress, as root.) Install the content of RedHat rpm package(s) and print info on what happened. Keep reading if you prefer a GUI installation.
rpm -qpi filename.rpm
(=RedhatPackageManager, query, package, information.) Read the info on the content of a yet uninstalled package filename.rpm.
rpm -qpl filename.rpm
(=RedhatPackageManager, query, package, list.) List the files contained in a yet uninstalled package filename.rpm.
rpm -qf filename
(=RedhatPackageManager, query, file.) Find out the name of the *.rpm package to which the file filename (on your hard drive) belongs.
rpm -e packagename
(=RedhatPackageManager, erase=uninstall.) Uninstall a package packagename. Packagename is the same as the beginning of the *.rpm package file but without the dash and version number.
kpackage
gnorpm
glint
(in X terminal, as root if you want to be able to install packages) GUI front-ends to the Red Hat Package Manager (rpm). "glint" comes with RH5.2, "gnorpm" with RH6.0, "kpackage" comes with RH6.1 or must be installed separately but is the best of the three. Use any of them to view which software packages are installed on your system and what not-yet-installed packages are available on your RedHat CD, display the info about the packages, and install them if you want (installation must be done as root).
 
Accessing drives/partitions
mount
See here for details on mounting drives. Examples are shown in the next commands.
mount -t auto /dev/fd0 /mnt/floppy
(as root) Mount the floppy. The directory /mnt/floppy must exist, be empty and NOT be your current directory.
mount -t auto /dev/cdrom /mnt/cdrom
(as root) Mount the CD. You may need to create/modify the /dev/cdrom file depending where your CDROM is. The directory /mnt/cdrom must exist, be empty and NOT be your current directory.
mount /mnt/floppy
(as user or root) Mount a floppy as user. The file /etc/fstab must be set up to do this. The directory /mnt/floppy must not be your current directory.
mount /mnt/cdrom
(as user or root) Mount a CD as user. The file /etc/fstab must be set up to do this. The directory /mnt/cdrom must not be your current directory.
umount /mnt/floppy
Unmount the floppy. The directory /mnt/floppy must not be your (or anybody else's) current working directory. Depending on your setup, you might not be able to unmount a drive that you didn't mount.
 
7.6 Network administration tools
netconf
(as root) A very good menu-driven setup of your network.
ping machine_name
Check if you can contact another machine (give the machine's name or IP), press <Ctrl>C when done (it keeps going).
route -n
Show the kernel routing table.
nslookup host_to_find
Query your default domain name server (DNS) for an Internet name (or IP number) host_to_find. This way you can check if your DNS works. You can also find out the name of the host of which you only know the IP number.
traceroute host_to_trace
Have a look at how your messages travel to host_to_trace (which is either a host name or IP number).
ipfwadm -F -p m
(for RH5.2, see next command for RH6.0) Set up the firewall IP forwarding policy to masquerading. (Not very secure but simple.) Purpose: all computers from your home network will appear to the outside world as one very busy machine and, for example, you will be allowed to browse the Internet from all computers at once.
echo 1 > /proc/sys/net/ipv4/ip_forward
ipfwadm-wrapper -F -p deny
ipfwadm-wrapper -F -a m -S xxx.xxx.xxx.0/24 -D 0.0.0.0/0
(three commands, RH6.0). Does the same as the previous command. Substitute the "x"s with digits of your class "C" IP address that you assigned to your home network. See here for more details. In RH6.1, masquerading seems broken to me--I think I will install Mandrake Linux:).
ifconfig
(as root) Display info on the network interfaces currently active (ethernet, ppp, etc). Your first ethernet should show up as eth0, second as eth1, etc, first ppp over modem as ppp0, second as ppp1, etc. The "lo" is the "loopback only" interface which should be always active. Use the options (see ifconfig --help) to configure the interfaces.
ifup interface_name
(/sbin/ifup to run it as a user) Start up a network interface. E.g.:
ifup eth0
ifup ppp0
Users can start up or shutdown the ppp interface only when the right permission was checked during the ppp setup (using netconf ). To start a ppp interface (dial-up connection), I normally use kppp available under kde menu "internet".
ifdown interface_name
(/sbin/ifdown to run it as a user). Shut down the network interface. E.g.: ifdown ppp0 Also, see the previous command.
netstat | more
Displays a lot (too much?) information on the status of your network.
 
Music-related commands
cdplay play 1
Play the first track from a audio CD.
eject
Get a free coffee cup holder )). (Eject the CD ROM tray).
play my_file.wav
Play a wave file.
mpg123 my_file.mp3
Play an mp3 file.
mpg123 -w my_file.wav my_file.mp3
Create a wave audio file from an mp3 audio file.
knapster
(in X terminal) Start the program to download mp3 files that other users of napster have displayed for downloading. Really cool!
cdparanoia -B "1-"
(CD ripper) Read the contents of an audio CD and save it into wave files in the current directory, one track per wave file. The "1-" means "from track 1 to the last". -B forces putting each track into a separate file.
playmidi my_file.mid
Play a midi file. playmidi -r my_file.mid will display text mode effects on the screen.
sox
(argument not given here) Convert from almost any audio file format to another (but not mp3s). See man sox.
 
Graphics-related commands
kghostview my_file.ps
Display a postscript file on screen. I can also use the older-looking ghostview or gv for the same end effect.
ps2pdf my_file.ps my_file.pdf
Make a pdf (Adobe portable document format) file from a postscript file.
gimp
(in X terminal) A humble looking but very powerful image processor. Takes some learning to use, but it is great for artists, there is almost nothing you can't do with gimp. Use your mouse right button to get local menus, and learn how to use layers. Save your file in the native gimp file format *.xcf (to preserve layers) and only then flatten it and save as png (or whatever). There is a large user manual /usr/
gphoto
(in X terminal) Powerful photo editor.
giftopnm my_file.gif > my_file.pnm
pnmtopng my_file.pnm > my_file.png
Convert the proprietary gif graphics into a raw, portable pnm file. Then convert the pnm into a png file, which is a newer and better standard for Internet pictures (better technically plus there is no danger of being sued by the owner of gif patents).
 
 
regards,
Prakash.M
9840304424
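The "mount /mnt/floppy as user" entries above depend on /etc/fstab. The script below is an added example, not part of the guide: mount(8) makes a "user" entry imply noexec,nosuid,nodev unless a later option such as exec, suid or dev puts those back, and the check lists the mount points where that has happened. The device names and mount points in SAMPLE_FSTAB are a constructed sample, not taken from any real system.

```bash
#!/bin/sh
# Added example (not from the guide) for the "mount /mnt/floppy as user" entries.
# "user" in /etc/fstab lets an ordinary user mount the entry, and mount(8) then
# implies noexec,nosuid,nodev for it unless a later option such as exec, suid or
# dev puts that back. This check lists the mount points where that happened.
# The device names and mount points below are a constructed sample.
SAMPLE_FSTAB='/dev/fd0     /mnt/floppy  auto     noauto,user           0 0
/dev/cdrom   /mnt/cdrom   iso9660  noauto,ro,user,exec   0 0
/dev/hda1    /            ext2     defaults              1 1'

# Prints "<mount point> <options that weaken a user mount>" per offending entry.
weakened_user_mounts() {
    printf '%s\n' "$1" | while read -r dev mnt type opts rest; do
        case $dev in ''|\#*) continue ;; esac          # blank lines and comments
        has_user=0; weak=""
        IFS=,
        for o in $opts; do
            case $o in
                user|users) has_user=1 ;;
                exec|suid|dev) weak="$weak$o," ;;
            esac
        done
        unset IFS
        if [ $has_user -eq 1 ] && [ -n "$weak" ]; then
            printf '%s %s\n' "$mnt" "${weak%,}"
        fi
    done
}

weakened_user_mounts "$SAMPLE_FSTAB"     # prints: /mnt/cdrom exec
```

Run it against the real file with `weakened_user_mounts "$(cat /etc/fstab)"`; an empty result means every user-mountable entry keeps the default noexec,nosuid,nodev protection.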

10 Red Hat® Linux™ Tips and Tricks
1-800-COURSES www.globalknowledge.com
Expert Reference Series of White Papers
Written and Provided by
Introduction
Are you looking for a quick and simple reference guide to help you navigate Red Hat® Linux™ systems?
Look no further! Global Knowledge and Red Hat have assembled these 10 Tips and Tricks from Red Hat
Certified Engineers® (RHCEs) to give you an edge on managing these systems.
1. Wiping a Hard Drive
By Dominic Duval, Red Hat Certified Engineer
Have you ever needed to completely wipe out critical data from a hard drive? As we all know, mkfs doesn’t
erase a lot. (You already knew this, right?) mkfs and its variants (e.g., mkfs.ext3 and mke2fs) only get
rid of a few important data structures on the filesystem, but the data is still there! For a SCSI disk connected
as /dev/sdb, a quick
dd if=/dev/sdb | strings
will let anyone recover text data from a supposedly erased hard drive. Binary data is more complicated to
retrieve, but the same basic principle applies: the data was not completely erased.
To make things harder for the bad guys, an old trick was to use the ‘dd’ command as a way to erase a drive.
Note: This command will erase your disk!
dd if=/dev/zero of=/dev/sdb
There’s one problem with this: newer, more advanced, techniques make it possible to retrieve data that were
replaced with a bunch of 0s. To make it more difficult, if not impossible, for the bad guys to read data that was
previously stored on a disk, Red Hat ships the “shred” utility as part of the coreutils RPM package. Launching
“shred” on a disk or a partition will write repeatedly (25 times by default) to all locations on the disk.
Note: Be careful with this one too!
shred /dev/sdb
This is currently known to be a very safe way to delete data from a hard drive before, let’s say, you ship it back
to the manufacturer for repair or before you sell it on eBay!
Copyright ©2007 Global Knowledge Training LLC. All rights reserved.
2. How To Determine the Manufacturer of a Laptop Battery
By Dominic Duval, Red Hat Certified Engineer
With all the recent news about laptop batteries suddenly exploding, it might be a good idea to determine the
manufacturer and model number of the battery that’s currently connected to your laptop.
A simple file, included with the 2.6 kernel that runs on Red Hat Enterprise Linux 4, can easily show this information
on any laptop running with ACPI enabled:
cat /proc/acpi/battery/BAT0/info
Look for the “model number” and “OEM info” fields.
3. Sharing a Hot Spare Device in Software RAID
By Forrest Taylor, Red Hat Certified Engineer
Have you ever wondered if you could share a hot spare device between two software RAID arrays? You can
share a hot spare device if you put mdadm in daemon mode and have it poll your RAID arrays.
Let's assume that you have two RAID 1 arrays with one hot spare configured in this manner:
/dev/md0 RAID1
--
/dev/sda1
/dev/sdb1
/dev/md1 RAID1
--
/dev/sdc1
/dev/sdd1
/dev/sde1 (Hot Spare)
This setup shows /dev/md0 with two devices, and /dev/md1 with three devices, with /dev/sde1 as a
hot spare. In this scenario, you want to share /dev/sde1 with /dev/md0 if it should need it. To do that,
you must configure the /etc/mdadm.conf file and define a spare-group name.
In /etc/mdadm.conf, start off by listing all of the devices:
echo "DEVICE /dev/sda1 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1" >> /etc/mdadm.conf
Scan the RAID arrays for the current details, and add it to the file:
mdadm -D -s >> /etc/mdadm.conf
/etc/mdadm.conf should now contain something like the following (each ARRAY entry, including its UUID, is one line):
DEVICE /dev/sda1 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=29bc861f:6f1c72b0:162f7a88:1db03ffe devices=/dev/sda1,/dev/sdb1
ARRAY /dev/md1 level=raid1 num-devices=2 UUID=aee2ae4c:ec7e4bab:51aefe40:9b54af78 devices=/dev/sdc1,/dev/sdd1,/dev/sde1
At this point, you need to create a spare-group entry for each array. The name does not matter, as long as it is
the same for each array that you want to share the hot spare device(s).
Here, we choose "shared" as the name of the spare-group and add an entry for each ARRAY in the
/etc/mdadm.conf file:
DEVICE /dev/sda1 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=29bc861f:6f1c72b0:162f7a88:1db03ffe devices=/dev/sda1,/dev/sdb1 spare-group=shared
ARRAY /dev/md1 level=raid1 num-devices=2 UUID=aee2ae4c:ec7e4bab:51aefe40:9b54af78 devices=/dev/sdc1,/dev/sdd1,/dev/sde1 spare-group=shared
Once the configuration file is ready, mdadm can run in daemon mode and poll the devices. If mdadm determines
that a device has failed, it will look for an array in the same spare-group that contains all of the standard
devices plus a hot spare device. If it finds any, it will move the hot spare to the array that needs it. In our
case, if /dev/md0 were to lose a device, it would look at /dev/md1 and find the two devices of the array
plus a hot spare, and it will move the hot spare device to /dev/md0 and begin the rebuild process.
Run mdadm in daemon mode and have it monitor and scan the arrays:
mdadm -F -s -m root@localhost -f
The default poll time is 60 seconds, but can be changed using the -d option (e.g., -d 300 would poll every 5
minutes).
Now test out this feature by failing and removing a device from /dev/md0:
mdadm /dev/md0 -f /dev/sda1 -r /dev/sda1
The next time that mdadm polls the devices, it should determine that /dev/md1 has a spare device, and it
should move /dev/sde1 to /dev/md0 and rebuild the array. You can then add in /dev/sda1 and it
will become your hot spare device:
mdadm /dev/md0 -a /dev/sda1
4. USB when the Drivers Aren't Available
By Dominic Duval, Red Hat Certified Engineer
As a way to save a few valuable pennies on newer PCs, manufacturers are increasingly getting rid of the good
old PS/2 keyboard and mouse interfaces. As a result, some recent systems only ship with USB ports to which
we need to connect a USB keyboard and mouse.
USB is all well and good, but what if the driver for your USB controller is not loaded? In practice, this is not a
problem, as Red Hat loads the ehci-hcd and uhci-hcd drivers automatically at boot time.
There are situations, namely in emergency mode, where the USB drivers won't be available. So you won't even
be able to enter a command. This is due to the fact that in emergency mode all drivers need to be provided in
the initrd file under /boot, and USB is not there by default. The trick is to add those drivers, so that they will be
available earlier. The 'mkinitrd' command can do precisely that with the '--with' argument (this only
works under RHEL4):
mkinitrd --with=ehci-hcd --with=uhci-hcd /boot/newinitrd-`uname -r`.img `uname -r`
Add a new entry in your grub.conf file (always do backups!) that points to this new initrd image, and you're
done! Your USB keyboard now works in emergency mode.
5. Using Proc
By Steve Bonneville, Red Hat Certified Engineer
In /proc, there are subdirectories for each process running on the system, named based on the PID number
of the process. In each of these directories, there is a fd/ subdirectory that contains files that represent the
file descriptors the process currently has open. These files are actually symlinks that point to the actual device,
socket, or other file the process currently has open and mapped to that file descriptor.
If you have a program that can read input from a file but not from standard input, or that can write to a file
but not to standard output, you may be able to cheat by taking advantage of these special files:
/proc/self/fd/0 is standard input of the current process
/proc/self/fd/1 is standard output of the current process
/proc/self/fd/2 is standard error of the current process
For example if 'myfilter' can only read from a file, which it takes as its first argument, you can make it
read from standard input instead with:
'myfilter /proc/self/fd/0'
Another example: 'cat filename > /proc/self/fd/2' sends the contents of filename out standard
error instead of standard output.
Whether these tricks will behave in a sane manner will depend on how the process actually handles the file it
opens.
6. Growing the Devices in a RAID Array
By Forrest Taylor, Red Hat Certified Engineer
As hard disk space is ever increasing, you may get replacement drives that are significantly larger than the
original devices that they replace, so this tip will show how to increase the size of a RAID array using larger
partitions to replace smaller partitions in the original RAID array.
We will assume that you have a RAID 5 array using three partitions (/dev/sdb1, /dev/sdc1, and
/dev/sdd1) on /dev/md0. These partitions are 1 GB each, giving you about 2 GB of usable space. You
add new disks and create three partitions (/dev/sde1, /dev/sdf1, and /dev/sdg1) of 5 GB in size.
By the end, you should have about 10 GB of usable space.
After you have created the partitions and set the partitions type to 0xfd, you can add these devices to the
array. They will become hot spares:
mdadm /dev/md0 -a /dev/sde1 /dev/sdf1 /dev/sdg1
Fail the original devices one at a time, ensuring that the array rebuilds after each failed device.
Note: Do not fail more than one of the original devices without verifying that the array has finished rebuilding.
If you fail two devices in a RAID 5 array, you may destroy data!
First, fail and remove the first device, and verify that the array has finished rebuilding:
mdadm /dev/md0 -f /dev/sdb1 -r /dev/sdb1
watch cat /proc/mdstat
Once it has finished rebuilding, fail the second device:
mdadm /dev/md0 -f /dev/sdc1 -r /dev/sdc1
watch cat /proc/mdstat
Once it has finished rebuilding, fail the third device:
mdadm /dev/md0 -f /dev/sdd1 -r /dev/sdd1
watch cat /proc/mdstat
After it has finished rebuilding, you have replaced all of the 1 GB original devices with the new 5 GB devices.
However, we are not finished yet. We have two problems: the RAID array is still only using 1 GB of my 5 GB
devices, and the filesystem is still 2 GB.
First, grow the RAID array. mdadm can grow the RAID array to a certain size, using the -G and -z options.
The -z option can take a currently undocumented argument of max, which will resize the array to the maximum
available space:
mdadm -G /dev/md0 -z max
`cat /proc/mdstat` and `mdadm -D /dev/md0` should show that the array is now using a 5
GB device size.
Second, we need to enlarge the filesystem to match. Assuming that you have an ext3 filesystem on /dev/md0,
and that you have mounted it, you can increase the size of the filesystem by using ext2online:
ext2online /dev/md0
After that command completes, you should see about 10 GB of usable space.
7. Installing Third-Party RPMs
By Doug Bunger, Red Hat Certified Engineer
After rebuilding a system, it may be necessary to add several additional RPMs. These could be third-party
applications or vendor-specific patches. Trying to do an RPM -i or -U with an *.rpm would fail if the
process encountered an error. Since the list of RPMs might include packages that were not included with the
Red Hat distribution, a -F might not work. In such a case, the following could help:
find /start/dir -name "*.rpm" \
-exec rpm -Uvh --aid {} \;
The first line of the command would get a list of the RPMs available in the directory (/start/dir, in the
example). The second line would install each RPM in turn. Depending on the nature of the RPMs, it may be
necessary to issue the command twice, though the --aid option should attempt to resolve dependencies.
8. Partprobe
By Richard Keech, Red Hat Certified Engineer
Many system administrators may be in the habit of re-booting their systems to make partition changes visible
to the kernel. With Red Hat Enterprise Linux, this is not usually necessary. The partprobe command, from
the parted package, informs the kernel about changes to partitions. After all, anything that can help you avoid
a re-boot has to be a good thing!
For example:
# cat /proc/partitions
major minor  #blocks  name
   3     0   58605120 hda
   3     1     200781 hda1
   3     2    2040255 hda2
   3     3   56364052 hda3
   8     0    1018880 sda
   8     1      10224 sda1
# partprobe
# cat /proc/partitions
major minor  #blocks  name
   3     0   58605120 hda
   3     1     200781 hda1
   3     2    2040255 hda2
   3     3   56364052 hda3
   8     0    1018880 sda
   8     1      10224 sda1
   8     2    1008640 sda2
9. Pyshell
By Brad Smith, Red Hat Certified Engineer
Python developers: You probably know that the python interpreter can be run in interactive mode, allowing
you to quickly try out an approach or prototype a script. Fedora includes an even more powerful version of this
tool from an unlikely source. The wxPython-common-gtk2-unicode package provides files related to
the wxWindows widget set and, more-or-less unrelated to the rest of the package's contents, a tool
called pyshell.
Pyshell performs the same basic function as the interactive-mode python interpreter, but with a lot of great
bells and whistles. Try importing a module, such as "os" and then referencing an element of the module:
>>> import os
>>> os.
When "." is typed, up pops a list of every property and method within the "os" module. You can use the
mouse or arrow keys (plus tab-completion) to select what you want. If you select a method, beginning the argument
list with "(" pops up a list of the method's accepted arguments and its pydoc string, where applicable.
The best part is that, since pyshell reads the pydoc information for each module as it is loaded, this
works for any module, including those you've written yourself.
Moving around within pyshell can take some getting used to. The up arrow moves you up line by line
instead of moving through the interpreter's history like it does in the basic interpreter. Ctrl+Up moves
through the history. However, the history is in blocks, not lines. So, for example, if you'd defined a class earlier
on and then pressed Ctrl+Up, when you reached the class in your history, its whole definition would come
up. You could then use the arrow keys to move around the definition, making changes. Ctrl+Enter even
allows you to insert new lines into the definition. When you're done, press Enter and the class is re-defined
according to your revised code.
Pyshell makes it even easier than before to write and test small applications “on the fly.” Once you've got
the hang of it, try out the even fancier alternative, pycrust, which integrates a number of tools for browsing
structures within the interpreter's memory, viewing output, etc. into pyshell. Want more? Try pyalamode,
which has all the features of pycrust, plus an integrated version of the pyalacarte text editor,
for all your cut-and-pasting needs (cutting and pasting into any other editor works fine too).
10. Un-killable Processes
By Johnathan Kupferer, Red Hat Certified Engineer
Before Red Hat Enterprise Linux 4, there really wasn't a good way to handle processes that had entered an
uninterruptible sleep waiting on an unresponsive NFS server. This was particularly frustrating because the
umount man page promises that “-f” will "Force unmount.” This allows an NFS-mounted filesystem to be
unmounted if the NFS server is “unreachable." That was how it was supposed to work, with the caveat that
the filesystem must have originally been mounted with "soft" or "intr" options. Well, no more. Though the
man page doesn't say so, umount -f now comes to the rescue and will unmount hard and uninterruptible
mounts.
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge.
Check out our complete Red Hat Linux curriculum at www.globalknowledge.com/redhat.
For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a
sales representative.
Through expert instruction, you will understand key concepts and how to apply them to your specific work situation.
Choose from more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to
meet your IT and management training needs.
 
regards,
Prakash.M
9840304424
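Tip 1 above can be tried without a spare disk. The script below is an added example, not code from the white paper: a throwaway image file stands in for /dev/sdb, a constructed marker string stands in for the sensitive data, and `grep -a` stands in for the `dd | strings` recovery step. The pass count is given explicitly with `-n` because the shred default has varied between coreutils releases; if `shred` is absent the same overwrite is emulated with `dd`. One caveat from shred's own documentation applies to any use of it: the overwrite-in-place assumption holds for a raw block device, but journaling or copy-on-write filesystems and wear-levelled flash may keep old copies of a file's blocks, so wipe the device, not a file on it.

```bash
#!/bin/sh
# Added example for tip 1 (not from the white paper). It works on a throwaway
# image file standing in for /dev/sdb, so it needs no root and no spare disk.
# MARKER is a constructed secret planted in the "disk".
MARKER="SECRET-PAYROLL-2007"

make_image() {                  # 1 MiB image with the marker in the middle; prints its path
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null
    printf '%s' "$MARKER" | dd of="$img" bs=1 seek=524288 conv=notrunc 2>/dev/null
    printf '%s\n' "$img"
}

contains_marker() {             # 0 if readable text survives (what "dd if=... | strings" would find)
    grep -a -q "$MARKER" "$1"
}

quick_format() {                # what mkfs roughly does: rewrite the first few KiB of metadata only
    dd if=/dev/zero of="$1" bs=4096 count=1 conv=notrunc 2>/dev/null
}

wipe_image() {                  # overwrite everything; -n sets the pass count explicitly, -z ends with zeros
    if command -v shred >/dev/null 2>&1; then
        shred -n 3 -z "$1"
    else                        # no shred: emulate its passes with dd
        blocks=$(( $(wc -c < "$1") / 4096 ))
        for pass in 1 2 3; do
            dd if=/dev/urandom of="$1" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
        done
        dd if=/dev/zero of="$1" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    fi
}

demo() {                        # prints "<after quick format> <after wipe>"
    img=$(make_image)
    quick_format "$img"
    if contains_marker "$img"; then r1=recoverable; else r1=gone; fi
    wipe_image "$img"
    if contains_marker "$img"; then r2=recoverable; else r2=gone; fi
    rm -f "$img"
    printf '%s %s\n' "$r1" "$r2"
}

demo                            # prints: recoverable gone
```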
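Tip 5's /proc/self/fd trick has one behaviour worth seeing before relying on it. The script below is an added example, not part of the white paper: `wc -l FILE` stands in for a filter that only accepts a filename, and the second function shows that when fd 0 is a regular file, opening /proc/self/fd/0 re-opens that file from offset 0 rather than continuing where the inherited descriptor left off (a pipe or socket is reused as-is, so the first function is unaffected).

```bash
#!/bin/sh
# Added example for tip 5: feed a "file-only" filter through /proc/self/fd/0,
# and show the one surprise: when fd 0 is a regular file, opening
# /proc/self/fd/0 re-opens that file from offset 0 instead of continuing
# where the inherited descriptor left off (pipes and sockets do not behave this way).

# wc -l FILE stands in for a tool that insists on a filename argument.
count_lines_via_procfd() {
    printf 'a\nb\nc\n' | wc -l /proc/self/fd/0 | awk '{ print $1 }'
}

# Prints "<lines read via inherited fd 0> <lines read via /proc/self/fd/0>"
offset_caveat() {
    f=$(mktemp)
    printf 'one\ntwo\nthree\n' > "$f"
    out=$( {
        read -r first_line                                   # consumes "one"
        inherited=$(cat | wc -l | tr -d ' ')                 # continues after "one": 2
        reopened=$(cat /proc/self/fd/0 | wc -l | tr -d ' ')  # fresh open at offset 0: 3
        printf '%s %s' "$inherited" "$reopened"
    } < "$f" )
    rm -f "$f"
    printf '%s\n' "$out"
}

count_lines_via_procfd      # prints: 3
offset_caveat               # prints: 2 3
```

The practical rule: the trick is safe for pipes and terminals, but if a wrapper has already read part of a redirected file, a child that opens /proc/self/fd/0 will see the file from the beginning again.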


THE ONE PAGE LINUX MANUAL
A summary of useful Linux commands
Version 3.0 May 1999 squadron@powerup.com.au
Starting & Stopping
shutdown -h now          Shutdown the system now and do not reboot
halt                     Stop all processes - same as above
shutdown -r 5            Shutdown the system in 5 minutes and reboot
shutdown -r now          Shutdown the system now and reboot
reboot                   Stop all processes and then reboot - same as above
startx                   Start the X system
Accessing & mounting file systems
mount -t iso9660 /dev/cdrom /mnt/cdrom    Mount the device cdrom and call it cdrom under the /mnt directory
mount -t msdos /dev/hdd /mnt/ddrive       Mount hard disk "d" as a msdos file system and call it ddrive under the /mnt directory
mount -t vfat /dev/hda1 /mnt/cdrive       Mount hard disk "a" as a VFAT file system and call it cdrive under the /mnt directory
umount /mnt/cdrom        Unmount the cdrom
Finding files and text within files
find / -name fname       Starting with the root directory, look for the file called fname
find / -name "*fname*"   Starting with the root directory, look for the file containing the string fname
locate missingfilename   Find a file called missingfilename using the locate command - this assumes you have already used the command updatedb (see next)
updatedb                 Create or update the database of files on all file systems attached to the linux root directory
which missingfilename    Show the subdirectory containing the executable file called missingfilename
grep -r textstringtofind /dir    Starting with the directory called dir, look for and list all files containing textstringtofind
The X Window System
xvidtune                 Run the X graphics tuning utility
XF86Setup                Run the X configuration menu with automatic probing of graphics cards
Xconfigurator            Run another X configuration menu with automatic probing of graphics cards
xf86config               Run a text based X configuration menu
Moving, copying, deleting & viewing files
ls -l                    List files in current directory using long format
ls -F                    List files in current directory and indicate the file type
ls -laC                  List all files in current directory in long format and display in columns
rm name                  Remove a file or directory called name
rm -rf name              Kill off an entire directory and all its included files and subdirectories
cp filename /home/dirname    Copy the file called filename to the /home/dirname directory
mv filename /home/dirname    Move the file called filename to the /home/dirname directory
cat filetoview           Display the file called filetoview
man -k keyword           Display man pages containing keyword
more filetoview          Display the file called filetoview one page at a time, proceed to next page using the spacebar
head filetoview          Display the first 10 lines of the file called filetoview
head -20 filetoview      Display the first 20 lines of the file called filetoview
tail filetoview          Display the last 10 lines of the file called filetoview
tail -20 filetoview      Display the last 20 lines of the file called filetoview
Installing software for Linux
rpm -ihv name.rpm        Install the rpm package called name
rpm -Uhv name.rpm        Upgrade the rpm package called name
rpm -e package           Delete the rpm package called package
rpm -ql package          List the files in the package called package
rpm -qil package         List the files and state the installed version of the package called package
rpm -i --force package   Reinstall the rpm package called name having deleted parts of it (not deleting using rpm -e)
tar -zxvf archive.tar.gz or tar -zxvf archive.tgz    Decompress the files contained in the zipped and tarred archive called archive
./configure              Execute the script preparing the installed files for compiling
User Administration
adduser accountname      Create a new user called accountname
passwd accountname       Give accountname a new password
su                       Log in as superuser from current login
exit                     Stop being superuser and revert to normal user
Little known tips and tricks
ifconfig                 List ip addresses for all devices on the machine
apropos subject          List manual pages for subject
usermount                Executes graphical application for mounting and unmounting file systems
/sbin/e2fsck /dev/hda5   Execute the filesystem check utility on partition hda5
fdformat /dev/fd0H1440   Format the floppy disk in device fd0
tar -cMf /dev/fd0 .      Backup the contents of the current directory and subdirectories to multiple floppy disks
tail -f /var/log/messages    Display the last 10 lines of the system log.
cat /var/log/dmesg       Display the file containing the boot time messages - useful for locating problems. Alternatively, use the dmesg command.
*                        wildcard - represents everything. eg. cp from/* to will copy all files in the from directory to the to directory
?                        Single character wildcard. eg. cp config.? /configs will copy all files beginning with the name config. in the current directory to the directory named configs.
[xyz]                    Choice of character wildcards. eg. ls [xyz]* will list all files in the current directory starting with the letter x, y, or z.
linux single             At the lilo prompt, start in single user mode. This is useful if you have forgotten your password. Boot in single user mode, then run the passwd command.
ps                       List current processes
kill 123                 Kill a specific process eg. kill 123
Configuration files and what they do
/etc/profile             System wide environment variables for all users.
/etc/fstab               List of devices and their associated mount points. Edit this file to add cdroms, DOS partitions and floppy drives at startup.
/etc/motd                Message of the day broadcast to all users at login.
/etc/rc.d/rc.local       Bash script that is executed at the end of login process. Similar to autoexec.bat in DOS.
/etc/HOSTNAME            Contains full hostname including domain.
/etc/cron.*              There are 4 directories that automatically execute all scripts within the directory at intervals of hour, day, week or month.
/etc/hosts               A list of all known host names and IP addresses on the machine.
/etc/httpd/conf          Parameters for the Apache web server
/etc/inittab             Specifies the run level that the machine should boot into.
/etc/resolv.conf         Defines IP addresses of DNS servers.
/etc/smb.conf            Config file for the SAMBA server. Allows file and print sharing with Microsoft clients.
/etc/X11/XF86Config      Config file for X-Windows.
~/.xinitrc               Defines the windows manager loaded by X. ~ refers to user's home directory.
File permissions
If the command ls -l is given, a long list of file names is displayed. The first column in this list details the permissions applying to the file. If a permission is missing for owner, group or other, it is represented by - eg. drwxr-x--x
Read = 4
Write = 2
Execute = 1
File permissions are altered by giving the chmod command and the appropriate octal code for each user type. eg
chmod 764 filename       will make the file called filename R+W+X for the owner, R+W for the group and R for others.
chmod 755 filename       Full permission for the owner, read and execute access for the group and others.
chmod +x filename        Make the file called filename executable to all users.
X Shortcuts - (mainly for Redhat)
Control|Alt + or -       Increase or decrease the screen resolution. eg. from 640x480 to 800x600
Alt|Escape               Display list of active windows
Shift|Control F8         Resize the selected window
Right click on desktop background    Display menu
Shift|Control|Alt r      Refresh the screen
Shift|Control|Alt x      Start an xterm session
Printing
/etc/rc.d/init.d/lpd start     Start the print daemon
/etc/rc.d/init.d/lpd stop      Stop the print daemon
/etc/rc.d/init.d/lpd status    Display status of the print daemon
lpq                      Display jobs in print queue
lprm                     Remove jobs from queue
lpr                      Print a file
lpc                      Printer control tool
man subject | lpr        Print the manual page called subject as plain text
man -t subject | lpr     Print the manual page called subject as Postscript output
printtool                Start X printer setup interface
~/.Xdefaults             Define configuration for some X applications. ~ refers to user's home directory.
Get your own Official Linux Pocket Protector - includes handy command summary. Visit: www.powerup.com.au/~squadron
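The File permissions section above maps rwx to octal by hand. The script below is an added example, not part of the one page manual: it converts an `ls -l` style permission string to the octal that `chmod` takes, checks the result against what `stat` reports for a real temporary file, and shows the one point the "chmod +x makes the file executable to all users" line leaves out: `+x` with no u/g/o/a prefix respects the umask, so under umask 077 only the owner gets the execute bit. The temporary files are created with `mktemp` and removed again.

```bash
#!/bin/sh
# Added example (not from the manual) for the File permissions section: convert
# an ls -l style rwx string to the octal that chmod takes, check it against what
# stat reports, and show that "chmod +x" without a who (u/g/o/a) respects the
# umask, so it is "executable to all users" only when the umask allows it.

perm_to_octal() {                  # "rwxr-x--x" -> 751 (s/t in the x slot count as x)
    s=$1; out=""
    while [ -n "$s" ]; do
        t=${s%"${s#???}"}          # first three characters
        s=${s#???}
        n=0
        case $t in r??) n=$((n + 4)) ;; esac
        case $t in ?w?) n=$((n + 2)) ;; esac
        case $t in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

octal_roundtrip() {                # chmod MODE on a temp file, read back stat's rwx string, convert
    f=$(mktemp)
    chmod "$1" "$f"
    mode=$(stat -c %A "$f")        # e.g. -rwxr-x--x
    rm -f "$f"
    perm_to_octal "${mode#?}"      # drop the leading file-type character
}

plus_x_under_umask() {             # prints "<mode after +x with umask 077> <with umask 022>"
    f=$(mktemp)
    chmod 600 "$f"
    ( umask 077; chmod +x "$f" )   # umask masks g and o: only the owner gets x
    a=$(stat -c %a "$f")
    chmod 600 "$f"
    ( umask 022; chmod +x "$f" )   # nothing masked: everyone gets x
    b=$(stat -c %a "$f")
    rm -f "$f"
    printf '%s %s\n' "$a" "$b"
}

perm_to_octal rwxr-x--x            # prints: 751
octal_roundtrip 755                # prints: 755
plus_x_under_umask                 # prints: 700 711
```

When a script must be executable for everyone regardless of the caller's umask, write `chmod a+x filename` rather than `chmod +x filename`.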


 
Securing Linux
These instructions are probably specific to RedHat Linux 6.x. If you are running some other distribution you should be familiar with Linux and system management and be able to adapt these instructions.
 
Decide what services you need to provide with this machine. If it is your desktop machine and no one else needs access to it over the network, then you do not need to provide any services to the internet. In that case do not even start up inetd at all. The best way to do this is to just delete /etc/inetd.conf
 
Edit /etc/inetd.conf to stop services that are not needed. Here is what your /etc/inetd.conf file should look like:
 
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
shell stream tcp nowait root /usr/sbin/tcpd in.rshd
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
talk dgram udp wait root /usr/sbin/tcpd in.talkd
ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
time stream tcp nowait nobody /usr/sbin/tcpd in.timed
time dgram udp wait nobody /usr/sbin/tcpd in.timed
auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
 
Restrict the services that are staying open to specific machines through the use of tcp wrappers. Tcp wrappers are installed by default on RedHat 5.x machines, but they are not doing anything other than logging. Tcp wrappers use the files /etc/hosts.deny and /etc/hosts.allow to determine which users and domain names are allowed to connect to services on your machine. Here is /etc/hosts.deny:
 
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL: ALL
portmap: ALL
and here is /etc/hosts.allow:
 
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL: 127.0.0.1, 128.227.64.XXX
portmap: 128.227.64.0/255.255.255.0
portmap: 255.255.255.255 0.0.0.0
XXX identifies a particular machine that you want to allow access to. For example you might have the ip number of your office PC if the Linux machine is in your lab and you want to be able to telnet in.
 
After making the above changes send a HUP to the inetd process.
 
 
Test your setup:
make sure finger is not answering: finger @localhost
check to see if telnet works from the hosts which are allowed:
telnet yourhostname from the local machine
telnet yourhostname from a machine not listed in /etc/hosts.allow
telnet yourhostname from a machine listed in /etc/hosts.allow
 
Next cut back on the daemons started at boot time. To see some of what is being started type /sbin/chkconfig --list. This will tell you which daemons are being started in what runlevels. If you see something like this:
 
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfsfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
random 0:off 1:on 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
linuxconf 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kerneld 0:off 1:on 2:on 3:on 4:on 5:on 6:off
inet 0:off 1:off 2:off 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
routed 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sound 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
You can start turning things off. For example, routed is being started in run levels three, four, and five. It should not be started, so I type /sbin/chkconfig --del routed
 
Turn off services that are not chkconfig compliant. To do this I like to remove the link from /etc/rc.d/init.d/whatever to /etc/rc.d/rc?.d/SnnWhatever. Basically the way things work is you have startup/shutdown scripts in /etc/rc.d/init.d which are linked to from the different runlevel directories. If you remove the link then the scripts are never called. I don't remove the original script in case I need it later. For example, suppose inetd is being started and the script is not chkconfig compliant. I look for the link by doing:
cd /etc/rc.d
find . -print | grep inet
 
Here is the output:
./init.d/inet
./rc0.d/K50inet
./rc1.d/K50inet
./rc2.d/K50inet
./rc3.d/S50inet
./rc4.d/S50inet
./rc5.d/S50inet
./rc6.d/K50inet
This tells me that inetd is being started in runlevels 3, 4 and 5. I remove the links and then reboot and there are no longer any of the inetd controlled services to worry about.
 
Configure sendmail for queuing only:
edit /etc/sysconfig/sendmail and change DAEMON=yes to no
create a /etc/sendmail.cf file that forwards to the mail server for Physics. To do this use the clientproto.mc file which comes with sendmail and specify phys.ufl.edu as the mail server. Or you can use the file which I have already made for sendmail 8.9.3. To use this file just backup /etc/mail/sendmail.cf and replace it with mine. If phys.ufl.edu is not your smtp server please look through the cf file and specify your smtp server and domain name. Please remember to edit /etc/aliases and specify that mail destined for "root" goes to the appropriate person. If that person is you then just look for the line in the file with root on the left hand side and put your email address on the right hand side. On current RedHat distributions this line is commented out and the mail goes to "marc."
 
Edit /etc/rc.d/rc.local to stop telling people what kernel you are running and the OS. Just put a welcome message, or some kind of warning in /etc/issue rather than the output of uname. People will telnet to every machine in a subnet looking for a particular revision of RedHat which they know has a security problem.
 
Have the machine scanned for known problems, contact us to schedule this.
 
Restrict the machines that can get an XDM session from you (unless you are serving Xterminals or PC full screen sessions). The file to edit is /etc/X11/xdm/Xaccess. You will want to comment out two lines in this file which allow any machine to be served XDM and also the chooser which responds to broadcasts:
#* #any host can get a login window
#* CHOOSER BROADCAST #any indirect host can get a chooser
 
Not really related to security, but this is useful info. To have X startup in 16bpp mode rather than 8bpp edit the file /etc/X11/xdm/Xservers and set the line for the local display (screen :0) like so:
:0 local /usr/X11R6/bin/X -bpp 16
 
Once you are sure that X is working fine you can make the machine boot in X by default. To do this edit /etc/inittab and change the default runlevel:
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:5:initdefault:
 
Reconfigure rsh and install ssh.
 
rsh needs to be moved out of the users path so that it is only used if ssh fails and the user is warned that they are using an insecure protocol. Remove the rsh binary by typing
rpm -e rsh
Now grab the rpm source file from the ftp site and install it (rpm -i) into /usr/src/redhat/SOURCES. The tar file you need is netkit-rsh*.tar.gz. Unpack it and configure:
./configure --prefix=/usr/notinpath --disable-pam --disable-shadow
This only sets the install path for rsh, though; edit the file pathnames.h in the rcp and rsh directories to change the path from:
#define _PATH_RSH "/usr/bin/rsh"
to:
#define _PATH_RSH "/usr/notinpath/bin/rsh"
When you actually install the programs you will have to make the directories as the Makefile does not do it.
 
Configure ssh to fall back to the rsh binary just installed:
./configure --with-x --with-rsh=/usr/notinpath/bin/rsh \
--program-transform-name='s/^s/r/' --with-libwrap \
--with-etcdir=/etc/ssh --with-rsaref
Refer to our general ssh page for more info. Here is what your /etc/inetd.conf should now look like:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
 
Turn off anonymous ftp access (if you have to have ftp at all) by editing /etc/ftpaccess. You will see a line:
class all real,guest,anonymous *
Just remove the words guest and anonymous from the line.
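An added example, not part of the post above: a Python model of how tcpd decides access from the two files shown (hosts.allow consulted first, then hosts.deny, then allow by default), run against constructed copies of them with the page's 128.227.64.XXX placeholder filled in as .7. It assumes IP-only client patterns (ALL, exact address, net/mask or CIDR, trailing-dot prefix); hostname patterns, the EXCEPT operator and the optional shell-command field are not modelled.

```python
import ipaddress


def parse_access_file(text: str) -> list:
    """Parse hosts.allow / hosts.deny text into (daemon_list, client_list) pairs.
    '#' starts a comment; list members are separated by commas and/or blanks.
    Assumption: the optional third ':' field (shell command) is ignored, and the
    EXCEPT operator is not supported."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern: str, client_ip: str) -> bool:
    """One client pattern against a dotted-quad address: ALL, an exact address,
    net/mask (or CIDR), or a trailing-dot prefix such as '128.227.64.'.
    Hostname patterns would need DNS, so they raise instead of silently failing."""
    addr = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        raise ValueError(f"unsupported client pattern: {pattern!r}") from None


def rule_matches(rule, daemon: str, client_ip: str) -> bool:
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def hosts_access(daemon: str, client_ip: str, allow_text: str, deny_text: str) -> bool:
    """tcpd's decision order: the first matching hosts.allow line grants access,
    otherwise the first matching hosts.deny line refuses it, otherwise access is
    granted. That last step is why an empty hosts.deny leaves every service open."""
    for rule in parse_access_file(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return True
    for rule in parse_access_file(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return False
    return True


# Constructed copies of the two files from the post; the page's 128.227.64.XXX
# placeholder is filled in with .7 for the example.
HOSTS_DENY = """\
ALL: ALL
portmap: ALL
"""

HOSTS_ALLOW = """\
ALL: 127.0.0.1, 128.227.64.7
portmap: 128.227.64.0/255.255.255.0
portmap: 255.255.255.255 0.0.0.0
"""


if __name__ == "__main__":
    for daemon, ip in (("in.telnetd", "127.0.0.1"), ("in.telnetd", "128.227.64.7"),
                       ("in.telnetd", "128.227.64.8"), ("portmap", "128.227.64.200"),
                       ("in.ftpd", "10.1.2.3")):
        verdict = "allowed" if hosts_access(daemon, ip, HOSTS_ALLOW, HOSTS_DENY) else "denied"
        print(daemon, ip, verdict)
```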

vpn=linux
 
Chapter 2. Theory
 
2.1. What is a VPN?
 
VPN stands for Virtual Private Network. A VPN uses the Internet as its
transport mechanism, while maintaining the security of the data on the VPN.
-----------------------------------------------------------------------------
 
2.2. But really, what IS a VPN?
 
There are several answers to that question. It really depends on your
network layout. The most common configuration is to have a single main
internal network with remote nodes using VPN to gain full access to the
central net. The remote nodes are commonly remote offices or employees
working from home. You can also link two small (or large) networks to form an
even larger single network.
-----------------------------------------------------------------------------
 
2.3. So how does it work?
 
Put simply, to make a VPN, you create a secure tunnel between the two
networks and route IP through it. If I've lost you already, you should read
[http://www.tldp.org/HOWTO/Networking-Overview-HOWTO.html] The Linux
Networking Overview HOWTO to learn more about networking with Linux.
 
Here are some diagrams to illustrate this concept:
                             \          \
              --------       /          /      --------
Remote ______| Client |______\ Internet \_____| Server |______ Private
Network      | Router |      /          /     | Router |       Network
              --------       \          \      --------
                             /          /
 
 
                                  Client Router
              ------------------------------------------------------
              |    /-> 10.0.0.0/255.0.0.0       \                  |
              |   |--> 172.16.0.0/255.240.0.0   |--> Tunnel >---\  |
Network >-----|---|--> 192.168.0.0/255.255.0.0  /               |--|----> Internet
192.168.12.0  |   |                                             |  |
              |    \-----> 0.0.0.0/0.0.0.0 --> IP Masquerade >--/  |
              ------------------------------------------------------
 
 
                               Server Router
            ---------------------------------------------------
            |                 /-> 10.0.0.0/255.0.0.0       \  |
            |  /--> Tunnel >--|--> 172.16.0.0/255.240.0.0  |--|----> Private
Internet >--|--|              \--> 192.168.0.0/255.255.0.0 /  |      Network
            |  |                                              |      172.16.0.0/12
            |  \-----> 0.0.0.0/0.0.0.0 -----> /dev/null       |      192.168.0.0/16
            ---------------------------------------------------
 
The above diagram shows how the network might be set up. If you don't know
what IP Masquerading is, you should probably read The Linux Networking
Overview HOWTO and come back once you understand how it works.
 
The Client Router is a Linux box acting as the gateway/firewall for the
remote network. The remote network uses the local IP address 192.168.12.0.
For the sake of a simple diagram, I left out the local routing information on
the routers. The basic idea is to route traffic for all of the private
networks (10.0.0.0, 172.16.0.0, and 192.168.0.0) through the tunnel. The
setup shown here is one way. That is, while the remote network can see the
private network, the private network cannot necessarily see the remote
network. In order for that to happen, you must specify that the routes are
bidirectional.
 
From the diagram you should also note that all of the traffic coming out of
the client router appears to be from the client router, that is, all from one
IP address. You could route real numbers from inside your network but that
brings all sorts of security problems with it.
-----------------------------------------------------------------------------
 
2.4. SSH and PPP
 
The system that I describe to implement VPN uses SSH and PPP. Basically I
use ssh to create a tunnel connection, and then use pppd to run TCP/IP
traffic through it. That's what makes up the tunnel.
 
The real trick to getting ssh and pppd to play well together is the utility
written by Arpad Magosanyi that allows the redirection of standard in and
standard out to a pseudo tty. This allows pppd to talk through ssh as if it
were a serial line. On the server side, pppd is run as the user's shell in the
ssh session, completing the link. After that, all you need to do is the
routing.
-----------------------------------------------------------------------------
 
2.5. Alternative VPN Systems
 
There are of course other ways of setting up a VPN. Here are a couple of
other systems:
-----------------------------------------------------------------------------
 
2.5.1. PPTP
 
PPTP is a Microsoft protocol for VPN. It is supported under Linux, but is
known to have serious security issues. I do not describe how to use it here
since it is covered by the [http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html]
Linux VPN Masquerade HOWTO.
-----------------------------------------------------------------------------
 
2.5.2. IP Sec
 
IP Sec is a different set of protocols from SSH. I don't actually know all
that much about it, so if someone wants to help me out with a description,
I'd be most appreciative. Again, I do not describe how to use it here since
it is covered by the [http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html]
Linux VPN Masquerade HOWTO.
-----------------------------------------------------------------------------
 
2.5.3. CIPE
 
CIPE is a kernel level network encryption system that may be better suited
to enterprise setups. You can find out more about it at
[http://sites.inka.de/sites/bigred/devel/cipe.html] the CIPE homepage.
-----------------------------------------------------------------------------
 
Chapter 3. Server
 
This section tells you how to set up the server side of things. I figured
that this should go first since without a server, your client is kind of
useless.
-----------------------------------------------------------------------------
 
3.1. Security - keeping people out
 
Security is very important for a VPN. That's why you're building one in the
first place, isn't it? You need to keep a few things in mind while setting up
your server.
-----------------------------------------------------------------------------
 
3.1.1. Trim your daemons
 
Since this server is going to be on both sides of your firewall, and set up
to forward traffic into your network, it's a good idea to secure the box as
well as you possibly can. You can read up more on Linux security in the
[/HOWTO/Security-HOWTO.html] Linux Security HOWTO. In this case I killed
everything but sshd and a Roxen Web server. I use the web server to download
a couple of files (my scripts, etc) for setting up new machines to access the
VPN. I don't use an FTP server since it's harder to configure one to be
secure than it is to just make a few files available with a web server. Plus,
I only need to be able to download files. If you really want to run different
servers on your gateway, you might want to think about restricting access to
them to only those machines on your private network.
-----------------------------------------------------------------------------
 
3.1.2. Don't allow passwords
 
Yes, it sounds kind of silly, but it got your attention, didn't it? No, you
don't use passwords, you disable them completely. All authentication on this
machine should be done via ssh's public key authentication system. This way,
only those with keys can get in, and it's pretty much impossible to remember
a binary key that's 530 characters long.
 
So how do you do that? It requires editing the /etc/passwd file. The second
field contains either the password hash, or alternatively 'x' telling the
authentication system to look in the /etc/shadow file. What you do is change
that field to read "*" instead. This tells the authentication system that
there is no password, and that none should be allowed.
 
Here's how a typical /etc/passwd file looks:
...
nobody:x:65534:100:nobody:/dev/null:
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
joe:*:504:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
bill:*:504:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
frank:*:504:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
...
 
Note that I've done more than just editing the second field. I'll explain
the other fields later on.
-----------------------------------------------------------------------------
 
3.2. User Access - letting people in
 
User access is done via ssh's authentication scheme. As stated above, this
is how users get access to the system, while maintaining a high level of
security. If you're not familiar with ssh, check out [ http://www.ssh.org/]
http://www.ssh.org/. Note that I am using ssh version 1, not version 2. There
is a big difference, notably that version 1 is free, and 2 isn't.
-----------------------------------------------------------------------------
 
3.2.1. Configuring sshd
 
You'll need to configure sshd. The idea is to disable password
authentication and rhosts authentication. The following options should be
present in your /etc/sshd_config file.
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
QuietMode no
CheckMail no
IdleTimeout 3d
X11Forwarding no
PrintMotd no
KeepAlive yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UseLogin no
-----------------------------------------------------------------------------
 
3.3. Restricting Users
 
Now that you're keeping the bad people out, and only letting the good people
in, you may need to make sure that the good people behave themselves. This is
most easily done by not letting them do anything except run pppd. This may or
may not be necessary. I restrict users because the system that I maintain is
dedicated to VPN, so users have no business doing anything else on it.
-----------------------------------------------------------------------------
 
3.3.1. sudo or not sudo
 
There is this neat little program called sudo that allows the admin on a
Unix system to grant certain users the ability to run certain programs as
root. This is necessary in this case since pppd must be run as root. You'll
need to use this method if you want to allow users shell access. Read up on
how to setup and use sudo in the sudo man page. Using sudo is best on
multi-use systems that typically host a small number of trusted users.
 
If you decide to not allow users to have shell access, then the best way to
keep them from gaining it is to make their shell pppd. This is done in the
/etc/passwd file. You can see in the /etc/passwd file above that I did this
for the last three users. The last field of the /etc/passwd file is the
user's shell. You needn't do anything special to pppd in order to make it
work. It gets executed as root when the user connects. This is certainly the
simplest setup to be had, as well as the most secure, and ideal for large
scale and corporate systems. I describe exactly what all needs to be done
later in this document. You can skip to Section 5.7 if you like.
-----------------------------------------------------------------------------
 
3.4. Networking
 
Now that your users have access to the system, we need to make sure that
they have access to the network. We do that by using the Linux kernel's
firewalling rules and routing tables. Using the route and ipfwadm commands,
we can set up the kernel to handle network traffic in the appropriate ways.
For more info on ipfwadm, ipchains and route see the
[http://www.tldp.org/HOWTO/Linux-Networking-HOWTO.html] Linux Networking HOWTO.
-----------------------------------------------------------------------------
 
3.4.1. The Kernel
 
In order for any of this to work, you must have your kernel configured
correctly. If you don't know how to build your own kernel, then you should
read the [ http://www.tldp.org/HOWTO/Kernel-HOWTO.html] Kernel HOWTO. You'll
need to make sure that the following kernel options are turned on in addition
to basic networking. I use a 2.0.38 kernel in my system.
 
For 2.0 kernels:
 
* CONFIG_FIREWALL
 
* CONFIG_IP_FORWARD
 
* CONFIG_IP_FIREWALL
 
* CONFIG_IP_ROUTER
 
* CONFIG_IP_MASQUERADE (optional)
 
* CONFIG_IP_MASQUERADE_ICMP (optional)
 
* CONFIG_PPP
 
 
For 2.2 kernels:
 
* CONFIG_FIREWALL
 
* CONFIG_IP_ADVANCED_ROUTER
 
* CONFIG_IP_FIREWALL
 
* CONFIG_IP_ROUTER
 
* CONFIG_IP_MASQUERADE (optional)
 
* CONFIG_IP_MASQUERADE_ICMP (optional)
 
* CONFIG_PPP
 
 
-----------------------------------------------------------------------------
3.4.2. Filter Rules
 
First, we write firewall filter rules that allow our users to access our
internal nets, while restricting them from accessing the outside internet.
This sounds strange, but since the users already have access to the internet,
why let them use the tunnel to access the net? It wastes both bandwidth and
processor resources.
 
The filter rules that we use depend upon which internal nets we use, but
translate to: "Allow traffic coming from our VPNs that is destined for our
internal nets to go there." So how do we do that? As always, it depends. If
you are running a 2.0 kernel, you use the tool called ipfwadm, but if you are
using a 2.2 kernel, you use the utility called ipchains.
 
To set the rules with ipfwadm, run it with options similar to the following:
# /sbin/ipfwadm -F -f
# /sbin/ipfwadm -F -p deny
# /sbin/ipfwadm -F -a accept -S 192.168.13.0/24 -D 172.16.0.0/12
 
To set the rules with ipchains, run it with options similar to the
following:
# /sbin/ipchains -F forward
# /sbin/ipchains -P forward DENY
# /sbin/ipchains -A forward -j ACCEPT -s 192.168.13.0/24 -d 172.16.0.0/12
 
For those using 2.2 kernels, please read Section 6.1.3.
-----------------------------------------------------------------------------
 
3.4.3. Routing
 
Now that users are allowed to access our nets, we need to tell the kernel
where to send the packets. On my system, I have two ethernet cards, one is on
the external network, while the other is on the internal network. This helps
keep things secure, as outbound traffic is masqueraded by the gateway, and
any incoming traffic is filtered and routed by the Cisco Router. For most
setups, the routing should be simple.
 
Next, route all traffic destined for the private networks out the internal
interface, and all other traffic out the external interface. The specific
routing commands depend on which internal nets you are using. Below is an
example of what they might look like. These lines are of course in addition
to your basic routes for your local nets. I also doubt that you are using all
3 groups of internal numbers:
Assuming that 172.16.254.254 is the internal gateway:
 
# /sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 172.16.254.254 dev eth1
# /sbin/route add -net 172.16.0.0 netmask 255.240.0.0 gw 172.16.254.254 dev eth1
# /sbin/route add -net 192.168.0.0 netmask 255.255.0.0 gw 172.16.254.254 dev eth1
 
One additional note on routing. If you are using two way routing for say, a
remote office, then you will need to do one more thing. You need to set up
routes on the server that point back to the client. The easiest way to
accomplish this is to run a cron job every minute that quietly sets back
routes. If the client is not connected, route will just spit out an error
(that you've conveniently sent to /dev/null.)
-----------------------------------------------------------------------------
 
Chapter 4. Client
 
Now we examine the client end. In practice, when used to allow access to a
remote network, this box can easily serve as a Samba (Windows Networking)
server, DHCP server, and even an internal web server. The important thing to
remember is that this box should be as secure as possible, as it runs your
whole remote network.
-----------------------------------------------------------------------------
 
4.1. The Kernel
 
First things first, you must have ppp available in your kernel. If you are
going to allow multiple machines to use the tunnel, then you need to have
firewalling and forwarding available too. If the client is going to be a
single machine, ppp is enough.
-----------------------------------------------------------------------------
 
4.2. Bring up the link
 
The link is created by running pppd through a pseudo terminal that is
created by pty-redir and connected to ssh. This is done with something
similar to the following sequence of commands:
# /usr/sbin/pty-redir /usr/bin/ssh -t -e none -o 'Batchmode yes' -c blowfish -i /root/.ssh/identity.vpn -l joe > /tmp/vpn-device
# sleep 10
 
# /usr/sbin/pppd `cat /tmp/vpn-device`
# sleep 15
 
# /sbin/route add -net 172.16.0.0 gw vpn-internal.mycompany.com netmask 255.240.0.0
# /sbin/route add -net 192.168.0.0 gw vpn-internal.mycompany.com netmask 255.255.0.0
 
What this does is run ssh, redirecting the input and output to pppd. The
options passed to ssh configure it to run without escape characters (-e),
using the blowfish crypto algorithm (-c), using the identity file specified
(-i), in terminal mode (-t), with the options 'Batchmode yes' (-o). The sleep
commands are used to space out the executions of the commands so that each
can complete their startup before the next is run.
-----------------------------------------------------------------------------
 
4.3. Scripting
 
If you don't want to have to type those commands in every time that you want
to get the tunnel running, I've written a set of bash scripts that keep the
tunnel up and running. You can download the package from
[http://www.shinythings.com/vpnd/vpnd.tar.gz] here. Just download and uncompress it
into /usr/local/vpn. Inside you'll find three files:
 
 
 
* vpnd: The script that controls the tunnel connection.
 
* check-vpnd: a script to be run by cron to check that vpnd is still up.
 
* pty-redir: a small executable needed to initialize the tunnel.
 
 
You'll need to edit the vpnd script to set things like the client's username
and the server's names. You may also need to modify the starttunnel section
of the script to specify which networks you are using. Below is a copy of the
script for your reading enjoyment. You'll note that you could put the script
in a different directory, you just need to change the VPN_DIR variable.
#! /bin/bash
#
# vpnd: Monitor the tunnel, bring it up and down as necessary
#

USERNAME=vpn-username
IDENTITY=/root/.ssh/identity.vpn

VPN_DIR=/usr/local/vpn
LOCK_DIR=/var/run
VPN_EXTERNAL=vpn.mycompany.com
VPN_INTERNAL=vpn-internal.mycompany.com
PTY_REDIR=${VPN_DIR}/pty-redir
# ssh is run through a symlink named after the server, so that stoptunnel
# can pick this tunnel's ssh process out of the ps listing
SSH=${VPN_DIR}/${VPN_EXTERNAL}
PPPD=/usr/sbin/pppd
ROUTE=/sbin/route
CRYPTO=blowfish
PPP_OPTIONS="noipdefault ipcp-accept-local ipcp-accept-remote local noauth nocrtscts lock nodefaultroute"
ORIG_SSH=/usr/bin/ssh


starttunnel () {
    # pty-redir prints the name of the pty that ssh is attached to
    $PTY_REDIR $SSH -t -e none -o 'Batchmode yes' -c $CRYPTO -i $IDENTITY -l $USERNAME > /tmp/vpn-device
    sleep 15

    $PPPD `cat /tmp/vpn-device` $PPP_OPTIONS
    sleep 15

    # Add routes (modify these lines as necessary)
    /sbin/route add -net 10.0.0.0 gw $VPN_INTERNAL netmask 255.0.0.0
    /sbin/route add -net 172.16.0.0 gw $VPN_INTERNAL netmask 255.240.0.0
    /sbin/route add -net 192.168.0.0 gw $VPN_INTERNAL netmask 255.255.0.0
}

stoptunnel () {
    kill `ps ax | grep $SSH | grep -v grep | awk '{print $1}'`
}

resettunnel () {
    echo "resetting tunnel."
    date >> ${VPN_DIR}/restart.log
    eval stoptunnel
    sleep 5
    eval starttunnel
}

checktunnel () {
    # only reset when the server is reachable but the tunnel itself is not
    ping -c 4 $VPN_EXTERNAL 2>/dev/null 1>/dev/null

    if [ $? -eq 0 ]; then
        ping -c 4 $VPN_INTERNAL 2>/dev/null 1>/dev/null
        if [ $? -ne 0 ]; then
            eval resettunnel
        fi
    fi
}

settraps () {
    trap "eval stoptunnel; exit 0" INT TERM
    trap "eval resettunnel" HUP
    trap "eval checktunnel" USR1
}

runchecks () {
    if [ -f ${LOCK_DIR}/vpnd.pid ]; then
        OLD_PID=`cat ${LOCK_DIR}/vpnd.pid`
        if [ -d /proc/${OLD_PID} ]; then
            echo "vpnd is already running on process ${OLD_PID}."
            exit 1
        else
            echo "removing stale pid file."
            rm -rf ${LOCK_DIR}/vpnd.pid
            echo $$ > ${LOCK_DIR}/vpnd.pid
            echo "checking tunnel state."
            eval checktunnel
        fi
    else
        echo $$ > ${LOCK_DIR}/vpnd.pid
        eval starttunnel
    fi
}

case $1 in
    check)  if [ -d /proc/`cat ${LOCK_DIR}/vpnd.pid` ]; then
                kill -USR1 `cat ${LOCK_DIR}/vpnd.pid`
                exit 0
            else
                echo "vpnd is not running."
                exit 1
            fi ;;

    reset)  if [ -d /proc/`cat ${LOCK_DIR}/vpnd.pid` ]; then
                kill -HUP `cat ${LOCK_DIR}/vpnd.pid`
                exit 0
            else
                echo "vpnd is not running."
                exit 1
            fi ;;

    --help | -h)
            echo "Usage: vpnd [ check | reset ]"
            echo "Options:"
            echo "  check   Sends running vpnd a USR1 signal, telling it to check"
            echo "          the tunnel state, and restart if necessary."
            echo "  reset   Sends running vpnd a HUP signal, telling it to reset"
            echo "          its tunnel connection."
            # without this exit, asking for help would start the daemon
            exit 0 ;;
esac

ln -sf $ORIG_SSH $SSH
settraps
runchecks

# check the tunnel every ten minutes; the sleep loop keeps signals responsive
while true; do
    i=0
    while [ $i -lt 600 ]; do
        i=$((i+1))
        sleep 1
    done
    eval checktunnel
done
 
-----------------------------------------------------------------------------
 
4.4. LRP - Linux Router Project
 
I actually run this setup on Pentium 90's running the LRP distribution of
Linux. LRP is a distribution of Linux that fits in, and boots off of a single
floppy disk. You can learn more about it at [ http://www.linuxrouter.org/]
http://www.linuxrouter.org/ You can download my LRP package for the VPN
client from [ http://www.shinythings.com/vpnd/vpnd.lrp] here. You will also
need both the ppp and ssh packages from the LRP site.
-----------------------------------------------------------------------------
 
Chapter 5. Implementation
 
In this section, I explain step by step how to set up your VPN system. I'll
start with the server, and then move on to the client. For the purposes of an
example, I will invent a situation that would require a couple of different
kinds of VPN set up.
-----------------------------------------------------------------------------
 
5.1. Planning
 
Let's imagine that we have a company, called mycompany.com. At our head
office, we are using the 192.168.0.0 reserved network, breaking the class B
into 256 class C networks to allow routing. We have just set up two small
remote offices, and want to add them to our network. We also want to allow
employees who work from home to be able to use their DSL and cable modem
connections instead of making them use dialup. To start, we need to plan
things out a little.
 
I decide that I want to give each remote office a class C network range to
allow them to expand as necessary. So, I reserve the 192.168.10.0 and
192.168.11.0 nets. I also decide that for home users, I've got enough numbers
that I don't need to masquerade them on the VPN server side. Each client gets
its own internal IP. So, I need to reserve another class C for that, say
192.168.40.0. The only thing that I must now do is to add these ranges to my
router. Let's imagine that our company owns a small Cisco (192.168.254.254)
that handles all of the traffic through our OC1. Just set routes on the Cisco
such that traffic headed to these reserved nets goes to our VPN server
(192.168.40.254). I put the VPN server into the home user's net for reasons
that should become clear later. We'll name the external interface of the
server vpn.mycompany.com, and the internal vpn-internal.mycompany.com.
 
As for external numbers, we don't need to know them explicitly. You should
have your own numbers, supplied by your ISP.
-----------------------------------------------------------------------------
 
5.2. Gather the tools
 
We will need a few pieces of software. Get the following packages, and
install them where specified.
-----------------------------------------------------------------------------
 
5.2.1. For the Server:
 
 
 
* pppd (version 2.3 or greater)
 
* ssh (version 1.2.26 or better)
 
 
-----------------------------------------------------------------------------
5.2.2. For the Client:
 
 
 
* pppd (same version as server)
 
* ssh
 
* [ftp://ftp.vein.hu/ssa/contrib/mag/pty-redir-0.1.tar.gz] pty-redir
 
 
-----------------------------------------------------------------------------
5.3. Server: Build the kernel
 
To start, you probably need to rebuild your kernel for the server. You need
to make sure that the following kernel options are turned on in addition to
basic networking and everything else that you might need. If you've never
built your own kernel before, read the [/HOWTO/Kernel-HOWTO.html] Kernel
HOWTO.
 
For 2.0 kernels:
 
* CONFIG_FIREWALL
 
* CONFIG_IP_FORWARD
 
* CONFIG_IP_FIREWALL
 
* CONFIG_IP_ROUTER
 
* CONFIG_PPP
 
 
For 2.2 kernels:
 
* CONFIG_FIREWALL
 
* CONFIG_IP_ADVANCED_ROUTER
 
* CONFIG_IP_FIREWALL
 
* CONFIG_IP_ROUTER
 
* CONFIG_PPP
 
 
-----------------------------------------------------------------------------
5.4. Server: Configure Networking
 
If you are building a server that has only one network card, I suggest that
you think about buying another, and rewiring your network. The best way to
keep your network private is to keep it on its own wires. So if you do have
two network cards, you'll need to know how to configure both of them. We'll
use eth0 for the external interface, and eth1 for the internal interface.
-----------------------------------------------------------------------------
 
5.4.1. Configuring the interfaces
 
We first should configure the external interface of the server. You should
already know how to do this, and probably already have it done. If you don't,
then do so now. If you don't know how, go back and read the
[/HOWTO/NET3-4-HOWTO.html] Networking HOWTO.
 
Now we bring up the internal interface. According to the numbers that we've
chosen, the internal interface of the server is 192.168.40.254, so we have to
configure that interface.
 
For 2.0 kernels, use the following:
# /sbin/ifconfig eth1 192.168.40.254 netmask 255.255.255.0 broadcast 192.168.40.255
# /sbin/route add -net 192.168.40.0 netmask 255.255.255.0 dev eth1
 
For 2.2 kernels, use the following:
# /sbin/ifconfig eth1 192.168.40.254 netmask 255.255.255.0 broadcast 192.168.40.255
 
That gets our basic interfaces up. You can now talk to machines on both
local networks that are attached to the server.
-----------------------------------------------------------------------------
 
5.4.2. Setting routes
 
We can now talk to machines on our local nets, but we can't get to the rest
of our internal network. That requires a few more lines of code. In order to
reach the other machines on other subnets, we need to have a route that tells
traffic to go to the Cisco router. Here's that line:
# /sbin/route add -net 192.168.0.0 gw 192.168.254.254 netmask 255.255.0.0 dev eth1
 
That line tells the kernel that any traffic destined for the 192.168.0.0
network should go out eth1, and that it should be handed off to the Cisco.
Traffic for our local net still gets where it is supposed to because the
routing tables are ordered by the size of the netmask. If we were to have
other internal nets in our network, we would have a line like the above for
each net.
-----------------------------------------------------------------------------
 
5.4.3. Making filter rules
 
Now that we can reach every machine that we could need to, we need to write
the firewall filtering rules that allow or deny access through the VPN
server.
 
To set the rules with ipfwadm, run it like so:
# /sbin/ipfwadm -F -f
# /sbin/ipfwadm -F -p deny
# /sbin/ipfwadm -F -a accept -S 192.168.40.0/24 -D 192.168.0.0/16
# /sbin/ipfwadm -F -a accept -b -S 192.168.10.0/24 -D 192.168.0.0/16
# /sbin/ipfwadm -F -a accept -b -S 192.168.11.0/24 -D 192.168.0.0/16
 
To set the rules with ipchains, run it like so:
# /sbin/ipchains -F forward
# /sbin/ipchains -P forward DENY
# /sbin/ipchains -A forward -j ACCEPT -s 192.168.40.0/24 -d 192.168.0.0/16
# /sbin/ipchains -A forward -j ACCEPT -b -s 192.168.10.0/24 -d 192.168.0.0/16
# /sbin/ipchains -A forward -j ACCEPT -b -s 192.168.11.0/24 -d 192.168.0.0/16
 
This tells the kernel to deny all traffic except for the traffic that is
coming from the 192.168.40.0/24 network and destined for the 192.168.0.0/16
network. It also tells the kernel that traffic going between the
192.168.10.0/24 and 192.168.0.0/16 nets is allowed, and the same for the
192.168.11.0 net. These last two are bidirectional rules; this is important
for getting the routing to work going both ways.
-----------------------------------------------------------------------------
 
5.4.4. Routing
 
For home users, everything will work fine to here. However for the remote
offices, we need to do some routing. First of all, we need to tell the main
router, or Cisco, that the remote offices are behind the VPN server. So
specify routes on the Cisco that tell it to send traffic destined for the
remote offices to the VPN server. Now that that is taken care of, we must
tell the VPN server what to do with the traffic destined for the remote
offices. To do this, we run the route command on the server. The only problem
is that in order for the route command to work, the link must be up, and if
it goes down, the route will be lost. The solution is to add the routes when
a client connects, or more simply, to run the route command frequently, as
it's not a problem to run it more than is necessary. So, create a script and
add it to your crontab to be run every few minutes, in the script, put the
following:
/sbin/route add -net 192.168.11.0 gw 192.168.10.253 netmask 255.255.255.0
/sbin/route add -net 192.168.10.0 gw 192.168.11.253 netmask 255.255.255.0
-----------------------------------------------------------------------------
 
5.5. Server: Configure pppd
 
Now we will configure pppd on the server to handle VPN connections. If you
are already using this server to handle dialup users or even dialing out
yourself, then you should note that these changes may affect those services.
I go over how to avoid conflicts at the end of this section.
-----------------------------------------------------------------------------
 
5.5.1. /etc/ppp/
 
This directory may contain a number of files. You probably already have a
file called options. This file holds all of the global options for pppd.
These options cannot be overridden by pppd on the command line.
-----------------------------------------------------------------------------
 
5.5.2. /etc/ppp/options
 
Your options file should contain at least the following:
ipcp-accept-local
ipcp-accept-remote
proxyarp
noauth
 
The first two lines tell pppd to accept what the other end specifies for IP
addresses. This is necessary when hooking up remote offices, but can be
disabled if you are only connecting home users. It's okay to leave it on, as
it does not prevent the server from assigning addresses; it only says that
it's okay to accept what the client asks for.
 
The third line is very important. From the pppd man page:
proxyarp
Add an entry to this system's ARP [Address Resolution
Protocol] table with the IP address of the
peer and the Ethernet address of this system. This
will have the effect of making the peer appear to
other systems to be on the local ethernet.
 
This is important because if it is not done, local traffic will not be able
to get back through the tunnel.
 
The last line is just as important. This tells pppd to allow connections
without username and password. This is safe since authentication is already
handled by sshd.
-----------------------------------------------------------------------------
 
5.5.3. Avoiding conflicts
 
If you are handling other services with pppd, you should consider that the
configurations for these other services may not be the same as what the VPN
system needs. pppd is designed such that the options in the main options file
/etc/ppp/options cannot be overridden by options specified at runtime. This
is done for security reasons. In order to avoid conflict, determine which
options cause the conflict, and move them from the main file into a separate
options file that is loaded when the appropriate application of pppd is run.
-----------------------------------------------------------------------------
 
5.6. Server: Configure sshd
 
The following is what my /etc/sshd_config file looks like. Yours should look
the same or similar:
# This is the ssh server system wide configuration file.
 
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
QuietMode no
FascistLogging yes
CheckMail no
IdleTimeout 3d
X11Forwarding no
PrintMotd no
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UseLogin no
 
The important points to note are that password authentication is disabled as
are all of the "R" services. I have also turned off mail checking and the
message of the day as they can confuse pppd on the client side. I still allow
root login, but as this can only be done with a key, it is adequately safe.
-----------------------------------------------------------------------------
 
5.7. Server: Set up user accounts
 
Now we'll set up the user accounts.
-----------------------------------------------------------------------------
 
5.8. Add vpn-users group
 
Just run:
# /usr/sbin/groupadd vpn-users
 
Now cat the /etc/group file and look at the last line. It should be the
entry for the vpn-users group. Note the third field. This is the group ID
(GID). Write it down, as we'll need it in a minute. For this example, the GID
is 101.
-----------------------------------------------------------------------------
 
5.9. Create the vpn-users home directory
 
We're going to use a single home directory for all of the users. So just
run:
# mkdir /home/vpn-users
-----------------------------------------------------------------------------
 
5.10. The .ssh directory
 
Now create the .ssh directory in the vpn-users home directory.
# mkdir /home/vpn-users/.ssh
-----------------------------------------------------------------------------
 
5.11. Adding users
 
Now comes the fun part. We're going to edit the /etc/passwd file by hand.
Normally you let the system handle this file, but for an unusual setup like
this, it is easier to do it yourself. To start, open the /etc/passwd file and
see what's in there. Here's an example of what you might find:
...
nobody:x:65534:100:nobody:/dev/null:
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
joe:*:1020:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd
bill:*:1020:101:Bill Smith (home),,,:/home/vpn-users:/usr/sbin/pppd
frank:*:1020:101:Frank Jones (home),,,:/home/vpn-users:/usr/sbin/pppd
...
 
You'll find the first user on most any system. The second one is me. After
that are a few made up vpn-users. The first field is the username, and the
second is the password field. The third is user ID (UID) and the fourth is
the group ID (GID). After that comes some info on who the people are in the
fifth field. The sixth field is the user's home directory, and the last is
their shell. As you can see, each field is separated by a colon. Look at the
last three lines. The only difference between them is the username in the
first field, and the user info in the fifth field. What we want to do is
create lines like this for each user. Don't just use one user for all of the
connections, you'll never be able to tell them apart if you do. So copy the
last line of this file and edit it so that it looks something like the above.
Make sure that the second field has an asterisk (*). The third field (the
UID) should be unique among all the other IDs in the file. I used 1020. You
should use a number above 1000, since those below are typically reserved for
system use. The fourth field should be the group ID for vpn-users. I told you
to write it down; now is the time that you need it. So put the group ID in
there. Lastly, change the home directory to /home/vpn-users, and the shell to
/usr/sbin/pppd. Now copy that line to make more users. Just edit the first and
fifth fields and you're set.
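A small helper script, added here as an example and not part of the HOWTO, that builds and checks vpn-users passwd lines the way this section describes. It runs against constructed sample group and passwd text rather than the real /etc files, and assumes each VPN user gets its own UID above 1000.

```shell
#!/bin/sh
# Constructed sample group(5) and passwd(5) text, standing in for /etc/group
# and /etc/passwd; nothing here is read from the running system.
GROUP_SAMPLE='root:x:0:
users:x:100:
vpn-users:x:101:'
PASSWD_SAMPLE='nobody:x:65534:100:nobody:/dev/null:
mwilson:x:1000:100:Matthew Wilson,,,:/home/mwilson:/bin/bash
joe:*:1020:101:Joe Mode (home),,,:/home/vpn-users:/usr/sbin/pppd'

# Print the GID of group $1 from group-file text on stdin (exit 1 if absent),
# instead of eyeballing the last line of /etc/group.
gid_of_group() {
    awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }'
}

# Print the next unused UID above 1000 from passwd text on stdin, ignoring
# high system UIDs such as nobody (65534).
next_free_uid() {
    awk -F: 'BEGIN { m = 0 }
             $3 >= 1000 && $3 < 60000 && $3 > m { m = $3 }
             END { print (m < 1000 ? 1000 : m + 1) }'
}

# Build one passwd line in the layout the HOWTO describes: locked password
# field (*), the vpn-users GID, the shared home, pppd as the login shell.
vpn_passwd_line() {   # $1 login  $2 UID  $3 GID  $4 GECOS comment
    printf '%s:*:%s:%s:%s:/home/vpn-users:/usr/sbin/pppd\n' "$1" "$2" "$3" "$4"
}

# Check a single passwd line (the file is edited by hand, so verify it first).
# Exit 0 for a valid vpn-users entry; otherwise exit 1 with reasons on stderr.
check_vpn_entry() {   # $1 passwd line  $2 expected vpn-users GID
    printf '%s\n' "$1" | awk -F: -v gid="$2" '
        BEGIN { bad = 0 }
        NF != 7                           { print "need exactly 7 colon-separated fields"; bad = 1 }
        $2 != "*"                         { print "password field must be * (locked)"; bad = 1 }
        $3 !~ /^[0-9]+$/ || $3 + 0 < 1000 { print "UID must be a number >= 1000"; bad = 1 }
        $4 != gid                         { print "GID must be the vpn-users GID " gid; bad = 1 }
        $6 != "/home/vpn-users"           { print "home must be /home/vpn-users"; bad = 1 }
        $7 != "/usr/sbin/pppd"            { print "shell must be /usr/sbin/pppd"; bad = 1 }
        END { exit bad }' >&2
}

# Report UIDs shared by more than one line; one UID per VPN user is what lets
# who, w and last tell the sessions apart.
duplicate_uids() {
    awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }'
}

# Demonstration: add a new home user to the sample data and verify the entry.
demo_gid=$(printf '%s\n' "$GROUP_SAMPLE" | gid_of_group vpn-users)
demo_uid=$(printf '%s\n' "$PASSWD_SAMPLE" | next_free_uid)
demo_line=$(vpn_passwd_line bill "$demo_uid" "$demo_gid" "Bill Smith (home),,,")
check_vpn_entry "$demo_line" "$demo_gid" && echo "$demo_line"
```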
-----------------------------------------------------------------------------
 
5.12. Server: Administration
 
One of the advantages to using this system for user accounts is that you can
take advantage of the UNIX user administration commands. Since each client is
logged in as a user, you can use standard methods to get user statistics. The
following are a few commands that I like to use to see what all is going on.
 
 
 
who
Prints the users currently logged in, as well as when they logged in,
from where (name or IP), and on which port.
 
w
This command prints a more extensive listing of who is currently logged
in. It also tells you uptime and load averages for the system. It also
lists the user's current process (which should be -pppd for VPN clients)
as well as idle time, and current CPU usage for all processes as well as
the current process. Read the w man page for more info.
 
last [username]
This lists the login history for the specified user, or for all users if
a username is not provided. It's most useful for finding out how well the
tunnels are running as it prints the length of time that the user was
logged in, or states that the user is still logged in. I should warn you
that on a system that has been up a long time, this list can grow
extremely long. Pipe it through grep or head to find out exactly what you
want to know.
 
 
You can also control which users are allowed to connect by modifying the
/home/vpn-users/.ssh/authorized_keys file. If you remove the user's public key
line from this file, they won't be able to log in.
-----------------------------------------------------------------------------
 
5.13. Client: Build the kernel
 
Now we move onto the client. First we must rebuild the kernel so that it can
support all of the functions that we need. The minimum requirement is to have
ppp in the kernel. You will need forwarding, a firewall, and a gateway only
if you are going to allow other machines access to the tunnel. For this
example, I will set up one of the remote office machines in my example layout.
Add the following options to your kernel. Again, if you've never built a
kernel before, read the [/HOWTO/Kernel-HOWTO.html] Kernel HOWTO.
 
For 2.0 kernels:
 
* CONFIG_PPP
 
* CONFIG_FIREWALL
 
* CONFIG_IP_FORWARD
 
* CONFIG_IP_FIREWALL
 
* CONFIG_IP_ROUTER
 
* CONFIG_IP_MASQUERADE
 
* CONFIG_IP_MASQUERADE_ICMP
 
 
For 2.2 kernels:
 
* CONFIG_PPP
 
* CONFIG_FIREWALL
 
* CONFIG_IP_ADVANCED_ROUTER
 
* CONFIG_IP_FIREWALL
 
* CONFIG_IP_ROUTER
 
* CONFIG_IP_MASQUERADE
 
* CONFIG_IP_MASQUERADE_ICMP
 
 
-----------------------------------------------------------------------------
5.14. Client: Configure Networking
 
Now we should set up the networking on our client box. Let's assume that
we've configured the external network and that it works. Now we will
configure the internal interface of the client to service our intranet.
-----------------------------------------------------------------------------
 
5.14.1. Interface
 
We need to first bring up the internal network interface. To do this, add
the following to your /etc/rc.d/rc.inet1 (or equivalent) file:
 
For 2.0 Kernels:
/sbin/ifconfig eth1 192.168.10.253 broadcast 192.168.10.255 netmask 255.255.255.0
/sbin/route add -net 192.168.10.0 netmask 255.255.255.0 dev eth1
 
For 2.2 Kernels:
/sbin/ifconfig eth1 192.168.10.253 broadcast 192.168.10.255 netmask 255.255.255.0
-----------------------------------------------------------------------------
 
5.14.2. Filter rules
 
To set up the remote office, we will want to set up our filter rules that
allow traffic to go both directions through the tunnel. Add the following
lines to your /etc/rc.d/rc.inet1 (or equivalent) file:
 
For 2.0 kernels:
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a accept -b -S 192.168.10.0/24 -D 192.168.0.0/16
 
For 2.2 kernels:
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j ACCEPT -b -s 192.168.10.0/24 -d 192.168.0.0/16
 
You may have noticed that these lines look like what we have on the server.
That's because they are the same. These rules just say where traffic is
allowed to go between these two networks.
-----------------------------------------------------------------------------
 
5.14.3. Routing
 
The only extra routes that are needed are created by the script that brings
the tunnel up.
-----------------------------------------------------------------------------
 
5.15. Client: Configure pppd
 
You may not need to edit the client's /etc/ppp/options file at all. You will
if the "auth" option is present, or some of the other privileged options.
Try it, and if it fails, a blank /etc/ppp/options will work. Just keep adding
the options from the old file to figure out which one broke it (if it's not
obvious) and see if you can get around that. Maybe you don't need them at
all. You probably don't if you don't use pppd for anything else.
-----------------------------------------------------------------------------
 
5.16. Client: Configure ssh
 
As root on the client, run the following lines:
# mkdir /root/.ssh
# ssh-keygen -f /root/.ssh/identity.vpn -P ""
 
This will create two files, identity.vpn and identity.vpn.pub in the .ssh
directory. The first is your private key, and should be kept such. Never send
this over the net unless it is via an encrypted session. The second file is
your public key, and you can send this anywhere you want, it only serves to
allow you access to other systems, and cannot be used to get into your own.
It is a text file with one line in it that is your actual key. At the end of
the line is the comment field which you may change without fear of breaking
the key. An example key looks something like this:
1024 35 1430723736674162619588314275167.......250872101150654839 root@vpn-client.mycompany.com
 
It's actually a lot longer than that, but it wouldn't fit on the page if I
showed the whole thing. Copy your key into the /home/vpn-users/.ssh/
authorized_keys file on the server. Make sure that there is only one key per
line, and that each key is not broken onto multiple lines. You may alter the
comment field all that you like in order to help you remember which line goes
with which user. I highly recommend doing so.
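An added example (not the HOWTO's own code) for looking after the authorized_keys file described here and in section 5.12: it checks that every line is one complete SSH1 key with a unique comment, lists who currently has tunnel access, and revokes a user by comment. The key lines are constructed samples with shortened moduli.

```shell
#!/bin/sh
# Constructed sample authorized_keys content in the SSH1 line format the HOWTO
# shows ("bits exponent modulus comment"); the moduli are shortened fakes.
AUTH_KEYS_SAMPLE='1024 35 1430723736674162619588314275167250872101150654839 joe@home
1024 35 9876543210987654321098765432109876543210987654321 bill@home
1024 37 1122334455667788990011223344556677889900112233445 frank@home'

# Check authorized_keys text (stdin) the way the HOWTO asks for it: exactly one
# complete key per line (a key wrapped onto two lines shows up as a line with
# too few fields), the three numeric fields present, a comment naming the
# user, and no two keys sharing a comment. Problems go to stderr; exit status
# is 0 only when every line passes.
check_authorized_keys() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*$/ || /^#/ { next }
        NF < 4 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "line %d: not a complete \"bits exponent modulus comment\" key\n", NR
            bad = 1; next
        }
        {
            c = $4; for (i = 5; i <= NF; i++) c = c " " $i
            if (c in seen) {
                printf "line %d: comment \"%s\" already used on line %d\n", NR, c, seen[c]
                bad = 1
            } else seen[c] = NR
        }
        END { exit bad }' >&2
}

# Print the comment of every key line on stdin, i.e. who currently has access.
list_key_comments() {
    awk 'NF >= 4 && $1 ~ /^[0-9]+$/ {
             c = $4; for (i = 5; i <= NF; i++) c = c " " $i; print c }'
}

# Revoke one user's access: drop the key whose comment is $1. Reads the file
# on stdin and writes the remaining keys on stdout (write to a temp file, then
# move it into place, so a failed edit never leaves an empty authorized_keys).
revoke_key() {
    awk -v want="$1" '{ c = $4; for (i = 5; i <= NF; i++) c = c " " $i
                        if (c != want) print }'
}

# Demonstration on the sample data: validate, then show who is left after
# revoking bill.
printf '%s\n' "$AUTH_KEYS_SAMPLE" | check_authorized_keys && echo "keys OK"
printf '%s\n' "$AUTH_KEYS_SAMPLE" | revoke_key bill@home | list_key_comments
```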
-----------------------------------------------------------------------------
 
5.17. Client: Bring up the connection
 
Now we'll try to actually make the connection to the VPN server. First we'll
need to make a single connection to set up the ssh known_hosts file. Run
this:
# ssh vpn.mycompany.com
 
Answer "yes" when it asks you if you want to continue connecting. The server
will tell you "permission denied", but that's okay. It's important that you
use the same name for the server that you are using in your connection
scripts. Now run the following lines. You will obviously need to change the
options to suit your setup.
# /usr/sbin/pty-redir /usr/bin/ssh -t -e none -o 'Batchmode yes' -c blowfish -i /root/.ssh/identity.vpn -l vpn-user vpn.mycompany.com > /tmp/vpn-device