Easy with DigitalOcean instructions here:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-9
I just did what was documented here, but I'm adding it in case that page ever goes away.
1 – get the installed packages
dpkg -l | grep php | tee packages.txt
2 – get php 7
sudo apt install php7.3 php7.3-common php7.3-cli
3 – install the php7.3 versions of the rest of the packages you listed in step 1
4 – uninstall php5
sudo apt-get purge php5*
5 – if you use PHP-FPM for web serving, point everything that used to reference
/var/run/php5-fpm.sock
to
/var/run/php/php7-fpm.sock
Blocking ads with Squid is simple.
Get the list of ad-server URLs:
## get new ad server list
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext" > /etc/squid/ad_block.txt
Then add this to squid.conf to reference the file and block the URLs:
## disable ads ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/ad_block.txt"
http_access deny ads
#deny_info TCP_RESET ads
Then, for Mac Ports at least, do this:
sudo port reload squid4
Or for a recent Linux it’d be something like:
sudo service squid4 restart
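Squid reads each line of a dstdom_regex file as a regular expression, so the raw hostname list works but is looser than it looks: an unescaped dot matches any character and an unanchored name also matches inside unrelated hosts. The script below is an added example, not code from the original post; it assumes the list has already been downloaded (as the curl command above does) with one hostname per line, escapes and anchors each entry, and refuses to overwrite the live ACL file with an empty list after a failed download. The sample list in it is constructed.

```python
"""Convert a plain hostname list into an anchored, escaped Squid dstdom_regex file.

Added example, not code from the original post. It assumes the list has already
been downloaded to a file (as the curl command above does) with one hostname
per line; the sample below is constructed for the demonstration.
"""
import re
import sys

# Constructed sample in the shape of the yoyo.org plaintext list.
SAMPLE_LIST = """\
# comments and blank lines are ignored
101com.com
ad.doubleclick.net

not a hostname!
"""

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")


def parse_hosts(text):
    """Return the bare hostnames from a plaintext blocklist, skipping
    comments, blank lines and anything that is not a valid hostname."""
    hosts = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#") and HOSTNAME_RE.match(line):
            hosts.append(line)
    return hosts


def to_dstdom_regex(host):
    """Squid reads each dstdom_regex line as a regular expression, so an
    unescaped '.' matches any character and an unanchored name also matches
    inside unrelated hosts. Escape and anchor so the entry matches only the
    host itself and its subdomains."""
    return r"(^|\.)" + re.escape(host) + "$"


def matches(entry, hostname):
    """True if a generated entry matches the given destination hostname."""
    return re.search(entry, hostname) is not None


def build_blocklist(text):
    return [to_dstdom_regex(h) for h in parse_hosts(text)]


def write_blocklist(text, path):
    """Write the ACL file, refusing to replace it with an empty list (for
    example after a failed download) so Squid keeps the previous entries."""
    entries = build_blocklist(text)
    if not entries:
        raise ValueError("blocklist is empty; keeping the existing file")
    with open(path, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    return len(entries)


if __name__ == "__main__":
    # usage: python3 squid_blocklist.py raw_list.txt /etc/squid/ad_block.txt
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST
    if len(sys.argv) > 2:
        print("wrote %d entries" % write_blocklist(raw, sys.argv[2]))
    else:
        print("\n".join(build_blocklist(raw)))
```

Run it on the downloaded list, then reload Squid as above. Regex ACLs are case-sensitive by default; add -i to the acl line (acl ads dstdom_regex -i "/etc/squid/ad_block.txt") if you want mixed-case request hosts to match as well.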
This may not make much sense to others but it’s all the things for setting up Exim4 in Debian that weren’t obvious.
Easy to ad block with your own DNS server if you don’t want to trust adblock or other plugins.
Get the blacklist from http://pgl.yoyo.org/adservers/
Choose the bind 8 config format.
I had to change the file so that the records read like this:
zone "101com.com" IN { type master; notify no; file "/etc/bind/null.zone.file"; };
by adding the “IN” between the domain name and the “{ type master ….” part. Use your vi-skills for this.
Give this file an easy name, like ‘blacklist’. Now add a line to /etc/bind/named.conf.local:
include "/etc/bind/blacklist";
Create a file /etc/bind/null.zone.file with the following contents:
$TTL 86400 ; one day
@ IN SOA nds.example.com. hostmaster.example.com. (
        2002061000 ; serial number YYMMDDNN
        28800      ; refresh 8 hours
        7200       ; retry 2 hours
        864000     ; expire 10 days
        86400 )    ; min ttl 1 day
        NS nds.example.com. ; trailing dot: absolute name, not relative to this zone
        A 192.168.1.100
@ IN A 192.168.1.100
* IN A 192.168.1.100
and replace example.com with your internal domain name and 192.168.1.100 with the IP address of your web server. The above format allows wildcards, so you do not have to care about subdomains.
service bind9 restart
2 is copied from here for posterity: https://box.matto.nl/dnsadblok.html
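The edit described above (adding IN between the zone name and the options block) is mechanical, and so is turning the plain hostname list into zone statements. The script below is an added example, not code from the original post or from matto.nl: build_blacklist() generates the include file from a plain hostname list, and add_in_class() applies the same IN fix to lines already in bind8 format. It also removes duplicate names, because named refuses to load a configuration that defines the same zone twice. The null-zone path is the one used on the page; the sample hosts are constructed.

```python
"""Build the BIND blacklist include from a plain hostname list.

Added example; this is not code from the original post or from matto.nl.
It emits one zone statement per host in the form the post ends up with
(the IN class between the name and the options block), pointing every
entry at the null zone file used on the page. add_in_class() applies the
same edit the post made by hand to a list that is already in bind8 format.
"""
import re
import sys

NULL_ZONE = "/etc/bind/null.zone.file"
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

# Constructed sample of the plaintext ad-server list (same source as the page).
SAMPLE_HOSTS = """\
101com.com
ad.doubleclick.net
101com.com
# duplicates and comments are dropped
"""


def zone_statement(host):
    """One blacklist entry: a master zone served from the null zone file."""
    return 'zone "%s" IN { type master; notify no; file "%s"; };' % (host, NULL_ZONE)


def add_in_class(line):
    """Insert the IN class into a bind8-format line that lacks it; lines
    that already carry a class are returned unchanged."""
    return re.sub(r'^(zone\s+"[^"]+")\s*\{', r'\1 IN {', line)


def build_blacklist(text, skip=()):
    """Return zone statements for each unique valid hostname in text.
    named refuses to load a config with the same zone twice, so duplicates
    are removed; names in `skip` (your own domains) stay resolvable."""
    seen = set()
    out = []
    for line in text.splitlines():
        host = line.strip().lower()
        if not host or host.startswith("#") or not HOSTNAME_RE.match(host):
            continue
        if host in seen or host in skip:
            continue
        seen.add(host)
        out.append(zone_statement(host))
    return out


if __name__ == "__main__":
    # usage: python3 bind_blacklist.py hosts.txt > /etc/bind/blacklist
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    print("\n".join(build_blacklist(src)))
```

After writing the include, run named-checkconf before restarting bind9 so a malformed entry does not take the resolver down.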
3 – use a different DNS source if you want
If you want to use a different DNS server (say you don’t trust your ISP or Google to know every site you query) you can find others here:
And then in /etc/bind/named.conf.options add the forward to the dns servers:
forwarders { 69.195.152.204; 96.47.228.108; 96.90.175.167; };
Google appears to update its SSL cert nightly, which breaks my fetchmail script (it pins the certificate fingerprint) nightly as well. Here’s a simple Python script in case this happens to you!
import hashlib
import socket
import ssl

ADDR = 'imap.gmail.com'
PORT = 993
TEMPLATE = '/home/user/fetchmailrc.tmp'   # copy of fetchmailrc with the GOOGLE_FINGERPRINT placeholder
OUTPUT = '/etc/fetchmailrc'
PLACEHOLDER = 'GOOGLE_FINGERPRINT'

# The default context verifies the server's chain and hostname, so the
# fingerprint we pin comes from a certificate that already passed normal
# validation rather than from whatever answered on port 993.
context = ssl.create_default_context()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(1)
wrapped = context.wrap_socket(sock, server_hostname=ADDR)

try:
    wrapped.connect((ADDR, PORT))
except (OSError, ssl.SSLError) as exc:
    # Leave the existing /etc/fetchmailrc untouched if we could not connect.
    raise SystemExit("could not fetch certificate from %s: %s" % (ADDR, exc))

der_cert_bin = wrapped.getpeercert(True)
wrapped.close()

# fetchmail's sslfingerprint expects the MD5 of the DER certificate as
# upper-case hex pairs separated by colons, e.g. AB:CD:...
thumb_md5 = hashlib.md5(der_cert_bin).hexdigest().upper()
thumb_md5_d = ':'.join(thumb_md5[i:i + 2] for i in range(0, len(thumb_md5), 2))

# Rewrite the template into the live config, substituting the placeholder.
with open(TEMPLATE) as text, open(OUTPUT, 'w') as outfile:
    for line in text:
        outfile.write(line.replace(PLACEHOLDER, thumb_md5_d))
Where fetchmailrc.tmp is this (in addition to whatever else in your fetchmailrc):
poll imap.gmail.com protocol IMAP user "login@gmail.com" there with password "password" is blah@blah.com here nofetchall ssl sslfingerprint 'GOOGLE_FINGERPRINT'
Then set up a cron job to run it nightly and you’ve got up-to-date Google fingerprints!
Somehow a Debian update broke ZFS and I was getting this error:
The ZFS modules are not loaded. Try running '/sbin/modprobe zfs' as root to load them.
To reinstall ZFS this worked for me – a compilation of many suggestions so not sure all were necessary but it worked:
apt-get clean
apt-get update
apt-get purge zfs*                        # get rid of everything ZFS
apt-get remove spl dkms spl-dkms          # get rid of more ZFS
apt-get autoremove
apt-get install -t jessie-backports zfsutils-linux   # change to whatever your distribution uses
# these commands recompile the modules if they are still having issues
dkms remove -m zfs -v 0.6.5.9 --all
dkms remove -m spl -v 0.6.5.9 --all
dkms add -m spl -v 0.6.5.9
dkms add -m zfs -v 0.6.5.9
dkms install -m spl -v 0.6.5.9
dkms install -m zfs -v 0.6.5.9
A couple of handy sites for getting that setup:
And this Debian one for support.
https://wiki.debian.org/HowTo/AndroidVPNServer#L2TP.2FIPSec
Couple of notes that the script didn’t cover:
The script he had is the key so it’s here for posterity:
apt-get install -y openswan xl2tpd ppp
apt-get install -y lsof
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p
# \$ keeps the loop variable literal so rc.local gets the loop, not one expanded path
echo "for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > \$vpn/accept_redirects; echo 0 > \$vpn/send_redirects; done" | tee -a /etc/rc.local
echo "iptables --table nat --append POSTROUTING --jump MASQUERADE" | tee -a /etc/rc.local

# quoted heredoc: the config contains double quotes, which would break a plain echo "..."
cat > /etc/ipsec.conf <<'EOF'
config setup
    dumpdir=/var/run/pluto/
    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
    nat_traversal=yes
    #whether to accept/offer to support NAT (NAPT, also known as "IP Masquerade") workaround for IPsec
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
    protostack=netkey
    #decide which protocol stack is going to be used.

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.
    pfs=no
    #Disable pfs
    auto=add
    #start at boot
    keyingtries=3
    #Only negotiate a conn. 3 times.
    ikelifetime=8h
    keylife=1h
    type=transport
    #because we use l2tp as tunnel protocol
    left=%SERVERIP%
    #fill in server IP above
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
EOF
ipsec verify

cat > /etc/xl2tpd/xl2tpd.conf <<'EOF'
[global]
ipsec saref = yes

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF

cat > /etc/ppp/options.xl2tpd <<'EOF'
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
EOF

echo "# username l2tpd password *" >> /etc/ppp/chap-secrets
echo ""
echo ""
echo "To Do:"
echo ""
echo "- Add users: /etc/ppp/chap-secrets"
echo "Restart the software: /etc/init.d/ipsec restart; /etc/init.d/xl2tpd restart"
First, take a look at the report you received or run (and read):
sudo tripwire --check
If everything is OK, run the following command:
sudo tripwire -m u -Z low -r /var/lib/tripwire/report/hostname-timestamp.twr
I keep looking this up so saving for posterity. This is a good way to get memory info in Ubuntu:
sudo lshw -C memory
This gets all sorts of useful info. I needed the memory speed since I have too many computers with too many different memory speeds. It doesn’t seem to show whether the memory is ECC, which I also had to know. See below for ECC and memory speed.
*-firmware
description: BIOS
vendor: LENOVO
physical id: 0
version: 5JKT50AUS
date: 09/27/2010
size: 64KiB
capacity: 2496KiB
capabilities: pci upgrade shadowing cdboot bootselect socketedrom edd int13floppy1200 int13floppy720 int13floppy2880 int5printscreen int9keyboard int14serial int17printer acpi usb biosbootspecification
*-cache:0
description: L1 cache
physical id: 5
slot: L1-Cache
size: 32KiB
capacity: 32KiB
capabilities: internal write-back unified
configuration: level=1
*-cache:1
description: L2 cache
physical id: 6
slot: L2-Cache
size: 256KiB
capacity: 256KiB
capabilities: internal varies unified
configuration: level=2
*-cache:2 DISABLED
description: L3 cache
physical id: 7
slot: L3-Cache
size: 4MiB
capacity: 4MiB
capabilities: internal unified
configuration: level=3
*-memory
description: System Memory
physical id: 2c
slot: System board or motherboard
size: 14GiB
*-bank:0
description: DIMM DDR3 Synchronous 1066 MHz (0.9 ns)
product: M391B5673EH1-CH9
vendor: Samsung
physical id: 0
serial: FCBB3D85
slot: A1_DIMM0
size: 2GiB
width: 64 bits
clock: 1066MHz (0.9ns)
*-bank:1
description: DIMM DDR3 Synchronous 1066 MHz (0.9 ns)
product: 18JSF51272AZ-1G1D1
vendor: Micron Technology
physical id: 1
serial: D7172936
slot: A1_DIMM1
size: 4GiB
width: 64 bits
clock: 1066MHz (0.9ns)
*-bank:2
description: DIMM DDR3 Synchronous 1066 MHz (0.9 ns)
product: CT51272BA1067.M18F
vendor: Undefined
physical id: 2
serial: 00000000
slot: A1_DIMM2
size: 4GiB
width: 64 bits
clock: 1066MHz (0.9ns)
*-bank:3
description: DIMM DDR3 Synchronous 1066 MHz (0.9 ns)
product: 18JSF51272AZ-1G1D1
vendor: Micron Technology
physical id: 3
serial: 5DC579DE
slot: A1_DIMM3
size: 4GiB
width: 64 bits
clock: 1066MHz (0.9ns)
To get ECC and speed use this:
dmidecode --type memory
...
Handle 0x002C, DMI type 16, 15 bytes
Physical Memory Array
Location: System Board Or Motherboard
Use: System Memory
Error Correction Type: Single-bit ECC
Maximum Capacity: 8 GB
Error Information Handle: 0x002D
Number Of Devices: 4
...
Handle 0x0032, DMI type 17, 28 bytes
Memory Device
Array Handle: 0x002C
Error Information Handle: 0x0033
Total Width: 72 bits
Data Width: 64 bits
Size: 4096 MB
Form Factor: DIMM
Set: None
Locator: A1_DIMM1
Bank Locator: A1_BANK1
Type: DDR3
Type Detail: Synchronous
Speed: 1066 MHz
Manufacturer: Micron Technology
Serial Number: D7172936
Asset Tag: NULL
Part Number: 18JSF51272AZ-1G1D1
Rank: 2
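If you have to check ECC and DIMM speed across many machines, the dmidecode output above is regular enough to parse. The script below is an added example, not part of the original post: it splits the output into handles, reports the array's Error Correction Type and each populated DIMM's speed and part number, and computes the check bits per word from Total Width minus Data Width (72 versus 64 bits in the sample). The embedded sample is constructed from the fields shown on the page, plus one empty slot (handle 0x0034, a made-up handle) to show that unpopulated slots are skipped; in practice feed it the real output of sudo dmidecode --type memory.

```python
"""Parse 'dmidecode --type memory' output for ECC type and per-DIMM speed.

Added example, not code from the original post. SAMPLE is constructed from the
fields shown on the page; handle 0x0034 (an empty slot) is made up to show how
unpopulated slots are handled. Reading live data needs root.
"""
import subprocess

SAMPLE = """\
Handle 0x002C, DMI type 16, 15 bytes
Physical Memory Array
\tLocation: System Board Or Motherboard
\tUse: System Memory
\tError Correction Type: Single-bit ECC
\tMaximum Capacity: 8 GB
\tError Information Handle: 0x002D
\tNumber Of Devices: 4

Handle 0x0032, DMI type 17, 28 bytes
Memory Device
\tArray Handle: 0x002C
\tError Information Handle: 0x0033
\tTotal Width: 72 bits
\tData Width: 64 bits
\tSize: 4096 MB
\tForm Factor: DIMM
\tLocator: A1_DIMM1
\tType: DDR3
\tSpeed: 1066 MHz
\tManufacturer: Micron Technology
\tPart Number: 18JSF51272AZ-1G1D1

Handle 0x0034, DMI type 17, 28 bytes
Memory Device
\tArray Handle: 0x002C
\tTotal Width: 72 bits
\tData Width: 64 bits
\tSize: No Module Installed
\tLocator: A1_DIMM2
\tType: Unknown
\tSpeed: Unknown
"""


def parse_dmidecode(text):
    """Split dmidecode output into records: one dict per 'Handle' block,
    holding its DMI type number and every 'Key: value' field under it."""
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith("Handle "):
            # e.g. "Handle 0x002C, DMI type 16, 15 bytes"
            dmi_type = int(line.split("DMI type")[1].split(",")[0])
            current = {"type": dmi_type}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records


def memory_summary(text):
    """Return the array's ECC type and a list of populated DIMMs.
    Type 16 is the Physical Memory Array, type 17 a Memory Device."""
    recs = parse_dmidecode(text)
    arrays = [r for r in recs if r["type"] == 16]
    ecc = arrays[0].get("Error Correction Type", "Unknown") if arrays else "Unknown"
    dimms = []
    for r in recs:
        if r["type"] != 17:
            continue
        size = r.get("Size", "")
        if not size or not size[0].isdigit():
            continue  # "No Module Installed": empty slot
        total = int(r.get("Total Width", "0 bits").split()[0])
        data = int(r.get("Data Width", "0 bits").split()[0])
        dimms.append({
            "locator": r.get("Locator"),
            "size": size,
            "speed": r.get("Speed"),
            "part": r.get("Part Number"),
            "ecc_bits": total - data,  # 72 - 64 = 8 check bits per word on ECC DIMMs
        })
    return {"ecc": ecc, "dimms": dimms}


def live_summary():
    """Run dmidecode (needs root) and summarise the real system."""
    out = subprocess.run(["dmidecode", "--type", "memory"],
                         capture_output=True, text=True, check=True).stdout
    return memory_summary(out)


if __name__ == "__main__":
    summary = memory_summary(SAMPLE)
    print("ECC:", summary["ecc"])
    for d in summary["dimms"]:
        print(d["locator"], d["size"], d["speed"], d["part"], "%d check bits" % d["ecc_bits"])
```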