Easy with DigitalOcean instructions here:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-9
Category: Tech
I just did what was documented here but added in case they go away ever.
1 – get the installed packages
dpkg -l | grep php | tee packages.txt2 – get php 7
sudo apt install php7.3 php7.3-common php7.3-cli
3 – get the rest of the packages that you got in step 1
4 – uninstall php5
sudo apt-get purge php5*
5 – if you have fpm for web serving point all the things that used to point to
/var/run/php5-fpm.sock
to
/var/run/php/php7-fpm.sock
To block ads using Squid is simple.
Get the list of ad urls:
## get new ad server list
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext" > /etc/squid/ad_block.txt
Then add this to squid.conf to reference the file and block the urls:
## disable ads ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/ad_block.txt"
http_access deny ads
#deny_info TCP_RESET ads
Then, for Mac Ports at least, do this:
sudo port reload squid4
Or for a recent Linux it’d be something like:
sudo service squid4 restart
This may not make much sense to others but it’s all the things for setting up Exim4 in Debian that weren’t obvious.
- Add all the names and ip address to /etc/hosts
- Add ip address to exim4 files. Copy the other things added from the old server..
- Edit just the main folder after doing the exim4 dpkg
- Update /etc/letsencrypt to allow execute on /etc/letsencrypts/archive and live to get rid of the /var/log/exim4/mainlog pem related errors
- Remember the sasl stuff from Debian’s exim4 setup to let the user login.
This is the command to cleanup old backups in Time Machine should you ever need to. Replace with an appropriate path for your backup location. I find it’d best to delete ranges of old backups with the * wildcard as well.
tmutil delete /Volumes/BackupDriveName/Backups.backupdb/MacComputerName/YYYY-MM-DD-HHMMSS/
Easy to ad block with your own DNS server if you don’t want to trust adblock or other plugins.
1 – you need a web server to host a blank image
2 – Get blacklist
Get the blacklist from http://pgl.yoyo.org/adservers/
Choose for the bind 8 config format.
I had to change the file so that the records read like this:
zone "101com.com" IN { type master; notify no; file "/etc/bind/null.zone.file"; };
by adding the “IN” between the domain name and the “{ type master ….” part. Use your vi-skills for this.
Give this file a easy name, like ‘blacklist’. Now create a line in /etc/bind/named.conf.local:
include "/etc/bind/blacklist";
Create the null zone file
Create a file /etc/bin/null.zone.file with the following contents:
$TTL 86400 ; one day
@ IN SOA nds.example.com. hostmaster.example.com. (
2002061000 ; serial number YYMMDDNN
28800 ; refresh 8 hours
7200 ; retry 2 hours
864000 ; expire 10 days
86400 ) ; min ttl 1 day
NS nds.example.com
A 192.168.1.100
@ IN A 192.168.1.100
* IN A 192.168.1.100
and replace example.com by your internal domain name and replace 192.168.1.100 by the name of your web server. The above format allow for the use of wildcards. This means that you do not have to care about the subdomains.
Restart bind (Ubuntu version)
service bind9 restart
2 is copied from here for posterity: https://box.matto.nl/dnsadblok.html
3 – use a different DNS source if you want
If you want to use a different DNS server (say you don’t trust your ISP or Google to know every site you query) you can find others here:
And then in /etc/bind/named.conf.options add the forward to the dns servers:
forwarders {
69.195.152.204;
96.47.228.108;
96.90.175.167;
};
Google appears to update it’s SSL cert nightly which breaks my fetch mail script nightly as well. Here’s a simple python script in case this happens to you!
import ssl
import socket
import hashlib
import sys
addr = 'imap.gmail.com'
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(1)
wrappedSocket = ssl.wrap_socket(sock)
try:
wrappedSocket.connect((addr, 993))
except:
response = False
else:
der_cert_bin = wrappedSocket.getpeercert(True)
pem_cert = ssl.DER_cert_to_PEM_cert(wrappedSocket.getpeercert(True))
#print(pem_cert)
#Thumbprint
thumb_md5 = hashlib.md5(der_cert_bin).hexdigest()
#print("MD5: " + thumb_md5)
wrappedSocket.close()
cnt = 0
thumb_md5_d = ''
for letter in thumb_md5:
if cnt%2 == 0 and cnt!=0:
thumb_md5_d += ':'
thumb_md5_d += letter
cnt += 1
thumb_md5_d = thumb_md5_d.upper()
infile = "//home//user//fetchmailrc.tmp"
text = open(infile)
outfile = open('/etc/fetchmailrc', 'w')
outfile.truncate()
textToSearch = 'GOOGLE_FINGERPRINT'
for line in text:
if textToSearch in line:
line = line.replace( textToSearch, thumb_md5_d )
outfile.write(line)
Where fetchmailrc.tmp is this (in addition to whatever else in your fetchmailrc):
poll imap.gmail.com protocol IMAP user "login@gmail.com" there with password "password" is blah@blah.com here nofetchall ssl sslfingerprint 'GOOGLE_FINGERPRINT'
Then you setup a cron job to run it nightly and now you’ve got up to date Google fingerprints!
Somehow a Debian update broke bfs and I was getting this issue:
The ZFS modules are not loaded. Try running '/sbin/modprobe zfs' as root to load them.
To reinstall ZFS this worked for me – a compilation of many suggestions so not sure all were necessary but it worked:
apt-get clean apt-get update apt-get purge zfs* --get rid of everything ZFS apt-get remove spl dkms spl-dkms --get rid of more ZFS apt-get autoremove apt-get install -t jessie-backports zfsutils-linux --change to whatever your distribution uses --these commands recompile the libraries if they are still having issues dkms remove -m zfs -v 0.6.5.9 --all dkms remove -m spl -v 0.6.5.9 --all dkms add -m spl -v 0.6.5.9 dkms add -m zfs -v 0.6.5.9 dkms install -m spl -v 0.6.5.9 dkms install -m zfs -v 0.6.5.9
A couple of handy sites for getting that setup:
And this debian one for support.
https://wiki.debian.org/HowTo/AndroidVPNServer#L2TP.2FIPSec
Couple of notes that the script didn’t cover:
- Instead of openswan had to use strongswan.
- Had to add a shared secret to /etc/ipsec.secrets
- To use a proxy you just point the proxy to listen on 172.16.1.1 and point the computer to that proxy’s port
The script he had is the key so it’s here for posterity:
apt-get install -y openswan xl2tpd ppp apt-get install -y lsof iptables --table nat --append POSTROUTING --jump MASQUERADE echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done sysctl -p echo "for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done" | tee -a /etc/rc.local echo "iptables --table nat --append POSTROUTING --jump MASQUERADE" | tee -a /etc/rc.local echo "config setup dumpdir=/var/run/pluto/ #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core? nat_traversal=yes #whether to accept/offer to support NAT (NAPT, also known as "IP Masqurade") workaround for IPsec virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10 #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects. protostack=netkey #decide which protocol stack is going to be used. conn L2TP-PSK-NAT rightsubnet=vhost:%priv also=L2TP-PSK-noNAT conn L2TP-PSK-noNAT authby=secret #shared secret. Use rsasig for certificates. pfs=no #Disable pfs auto=add #start at boot keyingtries=3 #Only negotiate a conn. 3 times. ikelifetime=8h keylife=1h type=transport #because we use l2tp as tunnel protocol left=%SERVERIP% #fill in server IP above leftprotoport=17/1701 right=%any rightprotoport=17/%any" > /etc/ipsec.conf ipsec verify echo "[global] ipsec saref = yes [lns default] ip range = 172.16.1.30-172.16.1.100 local ip = 172.16.1.1 refuse pap = yes require authentication = yes ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes" > /etc/xl2tpd/xl2tpd.conf echo "require-mschap-v2 ms-dns 8.8.8.8 ms-dns 8.8.4.4 auth mtu 1200 mru 1000 crtscts hide-password modem name l2tpd proxyarp lcp-echo-interval 30 lcp-echo-failure 4" > /etc/ppp/options.xl2tpd echo "# username l2tpd password *" >> /etc/ppp/chap-secrets echo "" echo "" echo "To Do:" echo "" echo "- Add users: /etc/ppp/chap-secrets" echo "Restart the software: /etc/init.d/ipsec restart; /etc/init.d/xl2tpd restart"
First, take a look at the report you received or run (and read):
sudo tripwire --check
If everything is OK, run the following command:
sudo tripwire -m u -Z low -r /var/lib/tripwire/report/hostname-timestamp.twr