Source: http://wiki.debian.org/OpenVPN
Install the openvpn package on both client and server.
Server-side, copy the key-generating scripts from the openvpn examples to /etc/openvpn:
cd /etc/openvpn
cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/ easy-rsa
Edit the bottom of /etc/openvpn/easy-rsa/vars according to your organization.
export KEY_COUNTRY="Some country"
export KEY_PROVINCE="Some province/state"
export KEY_CITY="Some City"
export KEY_ORG="Some Organization"
export KEY_EMAIL="some@email.address"
Execute the following commands:
cd easy-rsa/
. ./vars
./clean-all
Generate the certificate authority (CA) certificate and key.
Generate the server certificate and key:
./build-key-server server
Build the Diffie-Hellman parameters (necessary for the server end of an SSL/TLS connection).
Generate a certificate and key for each client.
Copy the files ca.crt, clientname.crt and clientname.key from the server to the client, into the /etc/openvpn/easy-rsa/keys/ directory.
On the server create /etc/openvpn/server.conf as follows. Make sure empty lines are completely empty, i.e. no spaces. The port and keepalive lines are only needed if you want a non-standard port or customized keepalive behaviour. Change the server line to the subnet you want the VPN to use.
port 12345
proto udp
dev tun
topology subnet
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 30
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
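Before restarting the daemon it is worth checking the file for exactly the mistakes mentioned above. The script below is an added example (it is not from the Debian wiki page): it flags lines that contain only whitespace, confirms that every ca/cert/key/dh directive points at a readable file, and refuses a private key that is readable by group or world. It works for the client config further down as well. It assumes the Debian layout used on this page and that the daemon resolves relative paths against the config file's directory (as when openvpn is started with --cd /etc/openvpn); the two demo functions build a deliberately flawed copy of the config above in a temporary directory, which is constructed data, not a real key set.

```shell
#!/bin/sh
# Lint an OpenVPN config before restarting the daemon.
# Added example, not from the Debian wiki; assumes the layout used on this
# page (configs in /etc/openvpn, keys under easy-rsa/keys/) and that relative
# paths in the config resolve against the config file's own directory.

# resolve_path CONF PATH: make PATH absolute, relative to CONF's directory.
resolve_path() {
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# check_openvpn_conf CONF: print each problem found; return 0 if clean, 1 otherwise.
check_openvpn_conf() {
    conf=$1
    rc=0

    # 1. "Empty" lines must be completely empty: a line holding only spaces or
    #    tabs is the mistake the wiki warns about, so report its line number.
    bad=$(grep -n '^[[:space:]]\{1,\}$' "$conf" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "whitespace-only line(s): $bad"
        rc=1
    fi

    # 2. Every certificate/key directive must point at a readable file.
    for directive in ca cert key dh; do
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        [ -z "$path" ] && continue          # directive absent (clients have no dh)
        path=$(resolve_path "$conf" "$path")
        if [ ! -r "$path" ]; then
            echo "$directive: $path is missing or unreadable"
            rc=1
        fi
    done

    # 3. The private key must be readable by its owner only.
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -n "$key" ]; then
        key=$(resolve_path "$conf" "$key")
        if [ -r "$key" ]; then
            mode=$(stat -c '%a' "$key")     # GNU stat, as shipped on Debian
            case $mode in
                600|400) ;;
                *) echo "key: $key has mode $mode, expected 600"; rc=1 ;;
            esac
        fi
    fi
    return $rc
}

# make_demo_conf DIR: write a deliberately flawed copy of the server config
# (constructed sample data, empty stand-ins for the key files) into DIR.
make_demo_conf() {
    dir=$1
    : > "$dir/ca.crt"; : > "$dir/server.crt"; : > "$dir/server.key"
    chmod 644 "$dir/server.key"            # too permissive on purpose
    # Line 2 holds a single space; dh1024.pem is deliberately never created.
    printf 'port 12345\n \nproto udp\ndev tun\nca ca.crt\ncert server.crt\nkey server.key\ndh dh1024.pem\nserver 192.168.100.0 255.255.255.0\n' > "$dir/server.conf"
}

# fix_demo_conf DIR: apply the corrections the checker asks for.
fix_demo_conf() {
    dir=$1
    sed -i 's/^[[:space:]]*$//' "$dir/server.conf"   # GNU sed: blank whitespace-only lines
    chmod 600 "$dir/server.key"
    : > "$dir/dh1024.pem"                            # stands in for the build-dh output
}

# Run as a script with a config path: sh check_openvpn_conf.sh /etc/openvpn/server.conf
if [ -n "${1:-}" ]; then
    check_openvpn_conf "$1"
fi
```

Run it against the real file (the script name check_openvpn_conf.sh is just a suggestion) before each /etc/init.d/openvpn restart; a non-zero exit means at least one finding was printed. The whitespace fix it applies in fix_demo_conf, sed -i 's/^[[:space:]]*$//', is the same one-liner you can run on a hand-edited server.conf.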
Server: Restart OpenVPN.
/etc/init.d/openvpn restart
On the client create /etc/openvpn/client.conf as follows. Don’t forget to change the port and remote lines to match the server settings.
client
dev tun
port 12345
proto udp
remote server_hostname_or_ip 12345
nobind
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/clientname.crt
key /etc/openvpn/easy-rsa/keys/clientname.key
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
Client: Restart OpenVPN.
/etc/init.d/openvpn restart
Install Xpra on the server and client:
To easily use Xpra in a LAN/VPN for one command at a time, create the following script. Please note that this script will not work for a remote system behind a NAT without the necessary ports opened. Change HOST and PORT to the desired values.
#!/bin/sh
# Start one command in a new xpra session on HOST, wait until the session's
# TCP port answers, then attach to it from this machine.
HOST=remote
PORT=20100
# "$*" joins the command and its arguments into one word, and the escaped
# quotes survive the trip through ssh, so the remote shell also passes the
# whole command line as a single --start-child value.
ssh "$HOST" -- xpra start :100 --start-child="\"$*\"" --exit-with-children --bind-tcp=0.0.0.0:"$PORT"
# Tries to open HOST:PORT up to 10 times, two seconds apart
for i in $(seq 0 9); do
    if netcat -v -w 2 "$HOST" -z "$PORT"; then
        break
    fi
    sleep 2
done
xpra attach --encoding=x264 tcp:"$HOST":"$PORT"
Then use the script like this, assuming it’s called remote_xpra.sh:
Source: http://ubuntuforums.org/showthread.php?t=363236
Install necessary packages
apt-get install x11vnc xinetd
Edit ~/.x11vncrc (as root):
display :0
quiet
nopw
auth guess
Edit /etc/xinetd.d/x11vnc:
service x11vnc
{
    port        = 5900
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/bin/x11vnc
    server_args = -inetd -o /var/log/x11vnc.log -bg
    disable     = no
    only_from   = 192.168.100.0
}
Restart xinetd
/etc/init.d/xinetd restart
Sources: [1], [2]
[1]: http://www.unixmen.com/how-to-prevent-ssh-brute-force-attacks-with-fail2ban-on-debian-7/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-prevent-ssh-brute-force-attacks-with-fail2ban-on-debian-7
[2]: http://blogs.buanzo.com.ar/2009/01/fail2ban-rules-for-lighttpd-fastcgi-alerts.html
Log in as root and enter the following command to install Fail2Ban.
All configuration files are found in the /etc/fail2ban directory. The main configuration file is /etc/fail2ban/jail.conf. It’s a good idea to work on a local copy of the main config file so that package upgrades don’t force you to merge your changes back in. Create the local copy of /etc/fail2ban/jail.conf and edit it as shown below.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open the /etc/fail2ban/jail.local file in any editor. You will find a section called [DEFAULT]. This section contains the basic set of rules that Fail2ban will follow. Set the values as per your requirement.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.100.1/24
bantime = 900
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
By default, Fail2Ban ships a set of pre-defined filters for various services, so you don’t need to write any by hand. All you need to do is set enabled to true or false in a jail section and the respective service is watched by Fail2Ban. Here is the SSH section in the jail.local file:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
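The [ssh] jail above only says which log to watch and how many failures to tolerate; what fail2ban actually does is count filter matches per source address, skip anything covered by ignoreip, and ban once maxretry is reached. The following added example (not from the sources cited on this page, and not fail2ban's own filter code) replays that logic over a constructed auth.log excerpt with awk, using a simplified stand-in for the sshd filter's regular expressions together with the ignoreip and maxretry values from the configuration above. It also shows why 192.168.100.1/24 in ignoreip covers the same hosts as 192.168.100.0/24: host bits in a CIDR entry are masked off, which this example generalizes to any prefix length.

```shell
#!/bin/sh
# Dry run of the [ssh] jail: which source addresses would be banned?
# Added example, not fail2ban's own filter; the auth.log excerpt is constructed.

# ssh_ban_candidates LOG MAXRETRY [IGNOREIP...]: print, sorted, each source
# address with at least MAXRETRY failed-login lines in LOG that is not covered
# by an ignoreip entry (plain address or a.b.c.d/NN).
ssh_ban_candidates() {
    log=$1; maxretry=$2; shift 2
    awk -v maxretry="$maxretry" -v ignore="$*" '
    # ip2n(ip): dotted quad to a 32-bit integer
    function ip2n(ip,  o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # in_ignore(ip): 1 if ip matches any ignoreip entry. As in fail2ban, the
    # host bits of a CIDR entry are ignored, so 192.168.100.1/24 covers the
    # whole 192.168.100.0/24 network.
    function in_ignore(ip,  i, n, list, parts, bits, unit) {
        n = split(ignore, list, " ")
        for (i = 1; i <= n; i++) {
            bits = 32                                   # plain address: exact match
            if (split(list[i], parts, "/") == 2) bits = parts[2]
            unit = 2 ^ (32 - bits)                      # size of one network
            if (int(ip2n(ip) / unit) == int(ip2n(parts[1]) / unit)) return 1
        }
        return 0
    }
    # Simplified stand-in for filter sshd: the two most common failure lines.
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ ||
    /sshd\[[0-9]+\]: Invalid user .* from [0-9.]+/ {
        for (i = 1; i <= NF; i++)
            if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END {
        for (h in fails)
            if (fails[h] >= maxretry && !in_ignore(h)) print h
    }' "$log" | sort
}

# write_sample_auth_log FILE: constructed auth.log excerpt (documentation
# addresses only; not real traffic). 203.0.113.7 fails three times, the VPN
# client 192.168.100.5 also fails three times but is covered by ignoreip, and
# 198.51.100.23 stays below maxretry.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Mar  3 10:00:01 server sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:04 server sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:08 server sshd[2105]: Invalid user test from 203.0.113.7
Mar  3 10:01:10 server sshd[2110]: Failed password for root from 198.51.100.23 port 40111 ssh2
Mar  3 10:01:15 server sshd[2110]: Failed password for root from 198.51.100.23 port 40111 ssh2
Mar  3 10:02:00 server sshd[2120]: Failed password for alice from 192.168.100.5 port 33001 ssh2
Mar  3 10:02:03 server sshd[2120]: Failed password for alice from 192.168.100.5 port 33001 ssh2
Mar  3 10:02:07 server sshd[2120]: Failed password for alice from 192.168.100.5 port 33001 ssh2
Mar  3 10:02:30 server sshd[2120]: Accepted password for alice from 192.168.100.5 port 33001 ssh2
EOF
}

# Run as a script with a log path to dry-run the jail settings from this page:
#   sh ssh_jail_dryrun.sh /var/log/auth.log
if [ -n "${1:-}" ]; then
    ssh_ban_candidates "$1" 3 127.0.0.1 192.168.100.1/24
fi
```

Two things the real jail does that this dry run leaves out: it only counts failures inside findtime (600 seconds unless set in [DEFAULT]), and it uses the full regular-expression set from /etc/fail2ban/filter.d/sshd.conf rather than the two patterns above. To see what the installed filter itself matches against a log, use fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf.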
And the SSH-DDoS section in the jail.local file:
[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
And the Lighttpd-FastCGI section in the jail.local file:
[lighttpd-fastcgi]
enabled = true
port = http,https
filter = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log
maxretry = 2
Once you have changed the configuration, restart the Fail2Ban service to apply the changes:
/etc/init.d/fail2ban restart
You can verify the rules added by Fail2Ban to iptables using the following command:
root@server:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere