Setting up OpenVPN

Linux  Debian 


Install the openvpn package on both client and server.

apt-get install openvpn

Server-side, copy key generating script from openvpn example to /etc/openvpn:

cd /etc/openvpn
cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/ easy-rsa

Edit the bottom of /etc/openvpn/easy-rsa/vars according to your organization.

export KEY_COUNTRY="Some country"
export KEY_PROVINCE="Some province/state"
export KEY_CITY="Some City"
export KEY_ORG="Some Organization"
export KEY_EMAIL="some@email.address"

Execute the following commands:

cd easy-rsa/
. ./vars




./build-key-server server

Generate BUILD DIFFIE-HELLMAN PARAMETERS (necessary for the server end of a SSL/TLS connection).


Generate key for each client.

./build-key clientname

Copy the files ca.crt, clientname.crt, clientname.key from the server to client into the /etc/openvpn/easy-rsa/keys/ directory.

On the server create /etc/openvpn/server.conf as follows. Make sure empty lines are completely empty, i.e. no spaces. The port and keepalive lines are optional if you want to use a non-standard port or customized keepalive behaviour. You probably want to change the server line to the desired values.

port 12345
proto udp
dev tun

topology subnet

ca      /etc/openvpn/easy-rsa/keys/ca.crt
cert    /etc/openvpn/easy-rsa/keys/server.crt
key     /etc/openvpn/easy-rsa/keys/server.key
dh      /etc/openvpn/easy-rsa/keys/dh1024.pem

ifconfig-pool-persist ipp.txt

keepalive 10 30


status /var/log/openvpn-status.log

verb 3

Server: Restart OpenVPN.

/etc/init.d/openvpn restart

On the client create /etc/openvpn/client.conf as follows. Don’t forget to change the port and remote lines to match the server settings.

dev tun
port 12345
proto udp

remote server_hostname_or_ip 12345

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/clientname.crt
key /etc/openvpn/easy-rsa/keys/clientname.key


status /var/log/openvpn-status.log

verb 3

Client: Restart OpenVPN.

/etc/init.d/openvpn restart

Setting up Xpra

Linux  Debian 

Install Xpra on the server and client:

apt-get install xpra

To easily use Xpra in a LAN/VPN for one command at a time, create the following script. Please note that this script will not work for a remote system behind a NAT without the necessary ports opened. Change HOST and PORT to the desired values.



ssh $HOST -- xpra start :100 --start-child="$@" --exit-with-children --bind-tcp=$PORT

# Tries to open HOST:PORT up to 10 times
for i in $(seq 0 9); do
    if netcat -v -w 2 $HOST -z $PORT; then
    sleep 2

xpra attach --encoding=x264 tcp:$HOST:$PORT

Then use the script like this, assuming it’s called

./ xterm

X11VNC as a Xinetd Service

Linux  Debian 


Install necessary packages

apt-get install x11vnc xinetd

Edit ~/.x11vncrc (as root)

display :0
auth guess

Edit /etc/xinetd.d/x11vnc

service x11vnc
        port            = 5900
        type            = UNLISTED
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/bin/x11vnc
        server_args     = -inetd -o /var/log/x11vnc.log -bg
        disable         = no
        only_from       =

Restart xinetd

/etc/init.d/xinetd restart

Setting up Fail2Ban

Linux  Debian 

Sources: [1][], [2][] [1]: [2]:

Login as root user and enter the following command to install Fail2Ban.

apt-get install fail2ban

All configuration files are found in the /etc/fail2ban directory. The main configuration file is /etc/fail2ban/jail.conf. It’s a good idea to make a backup of the main config file to avoid merges during upgrades. Edit local copy of the /etc/fail2ban/jail.conf file as shown below.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open up /etc/fail2ban/jail.local file in any editor. You will find a section called [Default]. This section contains the basic set of rules that Fail2ban will follow. Set the values as per your requirement.


# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip =
bantime = 900
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto

# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

By default, Fail2Ban contains a set of pre-defined filters for various services. So you don’t need to enter any manual entries in the configuration files. All you need to do is just change the values of enabled to true or false, the respective services are automatically watched by Fail2Ban. Here is the SSH section in the jail.local file:


enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

And the SSH-DDoS section in the jail.local file:


enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

And the Lighttpd-FastCGI section in the jail.local file:


enabled = true
port    = http,https
filter  = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log
maxretry = 2

Once you have changed the configuration, restart Fail2Ban service to save the changes:

/etc/init.d/fail2ban restart

You can verify the rules that added by Fail2Ban in iptables using the following command:

root@server:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         

RETURN     all  --  anywhere             anywhere