Posted on

OpenVPN on Debian

OpenVPN on Debian is the second step in securing an operating system. Below we include ufw firewall installation and configuration as well.

Related Articles in Debian Services and Applications:

- Debian on AWS Lightsail
- OpenVPN on Debian + UFW Firewall
- Nginx and Letsencrypt on Debian
- PHP & MariaDB on Debian
- Grav CMS on Debian

Note: install and configure ufw prior to openvpn installation and configuration

sudo apt-get install ufw
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 1194/udp
sudo ufw allow ssh
sudo ufw status
sudo ufw enable
sudo service ufw restart

Next, edit the ufw defaults file. The forward policy defaults to DROP and must be changed so that VPN traffic can be forwarded:

nano /etc/default/ufw
  • Change the line DEFAULT_FORWARD_POLICY="DROP" to DEFAULT_FORWARD_POLICY="ACCEPT"
  • Save the file

Next, edit before.rules:

nano /etc/ufw/before.rules

Add the START OPENVPN RULES as follows:

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to eth0 (the subnet must match the "server" line in server.conf)
-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter

Save the file, then enable UFW:

ufw enable

Check status

ufw status

Next install and configure the OpenVPN Server

Note: do this as root as it may not work otherwise, even with sudo

sudo apt-get install -y openvpn easy-rsa
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
nano /etc/openvpn/server.conf
  • uncomment push "redirect-gateway def1 bypass-dhcp"
  • uncomment/modify push "dhcp-option DNS 84.200.69.80"
  • uncomment/modify push "dhcp-option DNS 84.200.70.40"
  • uncomment user nobody
  • uncomment group nogroup
  • Save the file

At some point the file should look like this:

port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca ca.crt
cert fir.crt
key fir.key  # This file should be kept secret
dh dh2048.pem
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher AES-256-CBC   # AES 256
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 0

Next, enable IP forwarding for the running kernel (takes effect immediately, but does not survive a reboot):

echo 1 > /proc/sys/net/ipv4/ip_forward

Then make forwarding persistent across reboots:

nano /etc/sysctl.conf

Uncomment net.ipv4.ip_forward=1

Next Configure and Build Certificates

Copy scripts and templates as follows:

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
nano /etc/openvpn/easy-rsa/vars
  • Change the export KEY_ variables (there are six of them) to match the organization
  • Change export KEY_NAME="EasyRSA" to your servername
  • Change the line export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` to export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl-1.0.0.cnf
  • Save and exit

Next, generate the DH parameters:

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Next, clean up and build the ca, as follows:

cd /etc/openvpn/easy-rsa
chmod 0755 *
source ./vars
./clean-all
./build-ca

Generate Certificate and Key for the Server

Note: servername is your servername

./build-key-server servername

Note it will ask you to hit enter to accept the variables multiple times; do that, and for any additional questions just use enter. When it asks to sign the certificate and commit it, answer y and y. Next, move the certs/keys, making sure to change servername as above:

cp /etc/openvpn/easy-rsa/keys/{servername.crt,servername.key,ca.crt} /etc/openvpn

Verify files were copied:

ls -la /etc/openvpn

Start the service and check status:

service openvpn start
service openvpn status

Make sure you see Active: active (exited) since...

Generate Client Certs

Note that clientname is the client's name, but in practice it is more useful to name the profile after the server, so you know what/where you will connect to: rename the clientname.ovpn file to servername.ovpn after it has been concatenated and moved to the client. Note: one client cert can be used for everyone as long as the following line is present in server.conf: duplicate-cn

cd /etc/openvpn/easy-rsa
./build-key clientname

Next, copy and rename the client.conf to clientname.ovpn

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/clientname.ovpn

Edit the .ovpn file:

nano /etc/openvpn/easy-rsa/keys/clientname.ovpn

Should be something like:


<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
client
dev tun
remote 1.2.3.4 1194 udp
resolv-retry infinite
nobind
tun-mtu 1500
user nobody
group nogroup
persist-key
persist-tun
pull
tls-client
push "redirect-gateway def1"
mssfix 1450
tun-mtu-extra 32
reneg-sec 0
;ca ca.crt
;cert client.crt
;key client.key
ns-cert-type server
comp-lzo
verb 3

Note that the concatenated (unified) OpenVPN profile embeds the ca, cert, and key inline, each wrapped in <ca>, <cert> and <key> tags. OpenVPN reads these inline blocks from anywhere in the file, so appending them at the end is fine; the ;ca, ;cert and ;key file directives stay commented out. This can be done as follows:

F=/etc/openvpn/easy-rsa/keys/clientname.ovpn
{
  echo '<ca>';   cat /etc/openvpn/ca.crt;                       echo '</ca>'
  echo '<cert>'; cat /etc/openvpn/easy-rsa/keys/clientname.crt; echo '</cert>'
  echo '<key>';  cat /etc/openvpn/easy-rsa/keys/clientname.key; echo '</key>'
} >> "$F"
chmod 600 "$F"   # the profile now contains the client's private key

One can scp the file from server to client with the following command from the client:

scp -i /home/usr/drive/.ssh/servername.pem admin@servername:/etc/openvpn/easy-rsa/keys/clientname.ovpn /home/usr/drive/.ssh/clientname.ovpn

Change names of drives and users as applicable.
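As an added example (not from the original post), here is a shell check for the unified profile before it is copied to the client: it confirms that the <ca>, <cert> and <key> blocks are each present exactly once with PEM material inside, that no active ca/cert/key file directives remain (they would point at files the client does not have), that the client directive is present, and that the file is readable only by its owner, since it carries the private key. The two profile files are constructed for the demonstration, with placeholder text in place of real certificates; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a unified .ovpn.
# Prints each problem found; returns 0 only when the profile is clean.
check_ovpn_profile() {
  awk '
    NF == 0 || $1 ~ /^[#;]/ { next }           # skip blank lines and comments
    $1 == "<ca>"    { oca++ }
    $1 == "</ca>"   { cca++ }
    $1 == "<cert>"  { ocert++ }
    $1 == "</cert>" { ccert++ }
    $1 == "<key>"   { okey++ }
    $1 == "</key>"  { ckey++ }
    /-----BEGIN CERTIFICATE-----/             { pemcert++ }
    /-----BEGIN (RSA |EC )?PRIVATE KEY-----/  { pemkey++ }
    $1 == "ca" || $1 == "cert" || $1 == "key" { filedir++ }   # active file directives
    $1 == "client" { client++ }
    END {
      bad = 0
      if (oca != 1 || cca != 1)     { print "ca block not present exactly once";   bad = 1 }
      if (ocert != 1 || ccert != 1) { print "cert block not present exactly once"; bad = 1 }
      if (okey != 1 || ckey != 1)   { print "key block not present exactly once";  bad = 1 }
      if (pemcert < 2) { print "expected CA and client certificate PEM blocks";     bad = 1 }
      if (pemkey < 1)  { print "no private key PEM block found";                    bad = 1 }
      if (filedir > 0) { print "active ca/cert/key file directive remains";         bad = 1 }
      if (client < 1)  { print "missing client directive";                          bad = 1 }
      exit bad
    }' "$1"
}

# Returns 0 when group and other have no permissions at all (mode 600 or 400).
# Parses ls -l so it behaves the same on GNU and BSD userland.
profile_is_private() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Constructed samples for the demonstration; prints the directory they live in.
make_profile_samples() {
  d=$(mktemp -d)
  cat > "$d/good.ovpn" <<'EOF'
client
dev tun
remote 1.2.3.4 1194 udp
;ca ca.crt
;cert client.crt
;key client.key
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
</key>
EOF
  # Failure mode: material appended without tags, file directives left active.
  cat > "$d/bad.ovpn" <<'EOF'
client
dev tun
remote 1.2.3.4 1194 udp
ca ca.crt
cert client.crt
key client.key
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
EOF
  chmod 600 "$d/good.ovpn"
  chmod 644 "$d/bad.ovpn"
  printf '%s\n' "$d"
}

# Stand-alone usage: check_ovpn_profile servername.ovpn && profile_is_private servername.ovpn
```

Run both checks on the client after the scp. One caveat that goes with the duplicate-cn shortcut above: when every client presents the same certificate, the profile cannot be revoked for one user without revoking it for everyone, so a per-client certificate is the better habit wherever the user count is more than one.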

Debian on AWS Lightsail

This is a setup of several items, starting with Debian 9 on Amazon AWS Lightsail. This covers server basics and apt, and then follows with links to additional articles. In general, after several years of running CentOS on Linode, and then Amazon Linux AMI on EC2 and Lightsail, I find that Debian 9 is simply faster, just as secure, and at least slightly easier to use. While there are many flavors of Linux, clearly two particular lineages predominate: RHEL/CentOS/AMI and Debian/Ubuntu/Mint. Either is just as valid, though of course niche requirements may make one or the other more attractive. Android and ChromeOS are even more popular, but we are dealing with server OS here. For me, Debian on the desktop via LMDE3 (Linux Mint Debian Edition) is currently a favorite.

AWS Lightsail is a decently priced VPS package. Equivalents can be found in various first and second tier cloud providers such as Digital Ocean, Vultr, Linode, and perhaps even Azure and Google Cloud, who knows? Anyone with any experience with AWS can leverage this with Lightsail, though the main web interface is a bit different.

Choose Debian Distribution

On Lightsail as of late 2018 Debian 9.5 is an option.

- Install PHP from special repository sources (found in the Running PHP on Debian article)
- Install special packages from Backports when needed (such as certbot)
- Use apt install PACKAGE -y -t stretch-backports

Example:

sudo apt install -y python-certbot-nginx -t stretch-backports

Packages available from Distributions

Update Debian

sudo apt update -y
sudo apt update -y -t stretch-backports

Upgrade Debian

Do some checks and then execute upgrade and dist-upgrade.

Note: accept the locally modified files for upgrading when asked.

sudo apt upgrade -y
sudo apt upgrade -y -t stretch-backports

Note: can have system service restarts be done automatically, when asked.

Upgrade Debian Distribution

This will change from one release to the next if there is a next one for the version being run (e.g., stable).

sudo apt dist-upgrade -y

Next, run the command to reload the terminal session:

hash -r

Steps in Configuration

Server Basics Steps

  • Configure servername, ip addresses
  • Apt, Configure repositories, Update, Upgrade, Clean, etc.

Servername, IP Addresses

For private IP Addresses

ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'

For a public IP address (esp. Amazon AWS Elastic IP)

curl -4 icanhazip.com

Apt Sources List

ls -la /etc/apt

and see what is in subdirectories

Installed packages

dpkg-query -l

apt-get commands

Note, this is largely obsolete with the apt command set -- need to UPDATE this section below

apt-get clean
apt-get autoclean
apt-get dist-upgrade
apt-get clean
apt-get check
apt-get autoremove
  • autoclean deletes .deb files from local cache
  • clean deletes .deb files from distribution installation
  • autoremove removes previously needed, but no longer needed, dependencies
  • dist-upgrade deals with dependencies, not just applications, and will add/remove/upgrade them
  • apt-get check will check for missing dependencies

Note the difference between apt-get remove xyz vs. apt-get purge xyz: the first preserves configuration files (for possible later use).

Completely Remove Packages

sudo apt-get --purge remove package-name

KeePassXC, KeePass2Android & OTP

My beloved KeepassX has not seen a release since 2016, but a newer fork entitled KeePassXC has. The latest version looks very much the same when viewed from LMDE3 with a dark theme. The added functionality is quite nice: A TOTP Seed and Code Generator.

OTP / TOTP Seed + Generator

OTP in software (virtual device) is needed, and is the most convenient approach to having some kind of 2FA (two-factor authentication). This means not only a password but some other kind of evidence is needed. Sometimes this key is tied to a device (as in the case of the Google Authenticator). When not virtual, it is a dedicated hardware device (banks like to make you have their particular hardware device), though there can be multiple copies of the hardware device (as in multiple Yubikeys). The problem with a single virtual device is the well-known issue of losing it (such as a phone that the software is kept on). Backups can be made of seed codes (QR Codes and/or the string that is represented).

Authy Apps, Synchronization, and Cloud Backup

Authy is the best (and free) solution, though it does have a third party involved (namely their cloud backup/sync application). Other than that, it is a reasonable approach and beats out Google Authenticator, and the sheer convenience of adding a seed once and accessing it across multiple apps is definitely a modern desire. That said, if it were possible to have seeds in a more generic encrypted database with access to generated codes, that would be better (especially if multi-device, cross-platform). Well, that is exactly what KeePassXC and KeePass2Android support. This was a revelation for me.

KeePassXC Desktop Application

KeePassXC is a fork of a fork, most recently to spur the development of what was KeePassX, which had very slow development and is now dormant. The ability to do OTP was originally a plugin for the original KeePass (which supports plugins). Now we have something with a built-in function, which also includes some enhancements from the older (and still serviceable) KeePassX, which unfortunately has 85 open pull requests on github (come on, give someone else ownership of this project, already).

Keepass2Android Mobile Application

The most serviceable Android Keepass2 implementation is the aptly named Keepass2Android, which is actively developed and available through the Google Play store. It too has OTP functionality, eloquently implemented.

Obfsproxy, Viscosity, OpenVPN

OpenVPN is great, and the OpenVPN command line client and the Viscosity GUI are also nice. However, all configurations need to be checked to ensure there is no information leakage. Secondly, the basic OpenVPN connection needs another layer of encryption and/or obfuscation, in order to interoperate with Internet firewalls and services that use deep packet inspection to determine vpn/proxy traffic.

Viscosity

Viscosity is probably the best GUI client for OSX and Windows. That said, there is a lot to be desired. In fact, it is wise to skip the GUI altogether for most things.

- Editing a Viscosity Connection Manually
- Advanced Viscosity Commands

For OSX, the connections are separate, numbered folders, with copied keys and certs and a config.conf file, located in ~/Library/Application Support/Viscosity/OpenVPN/1 with second and subsequent configurations in /2, /3, etc. Manually edit these files, copy the ca.crt, username.crt, and username.key, and put those filenames in the entries. Set the security to chmod 700 on the certs and keys. Example:

#-- Configuration Generated By Viscosity --#
#viscosity startonopen false
#viscosity protocol openvpn
#viscosity dns full
#viscosity usepeerdns true
#viscosity dnsserver 10.10.0.1
#viscosity autoreconnect true
#viscosity name host.domain.tld
#viscosity dhcp true
remote 12.34.56.78 1194 udp
nobind
dev tun
redirect-gateway def1
tun-mtu 1500
persist-tun
persist-key
compress lzo
pull
tls-client
ca username-ca.crt
cert username-cert.crt
key username-key.key
push "redirect-gateway def1"
comp-lzo
mssfix 1450
resolv-retry infinite
tun-mtu-extra 32
reneg-sec 0

Current Problems with my OpenVPN Configuration

SSL Tunnel with Stunnel for OpenVPN

SSH Tunnel

... Incomplete, more to follow ...

Obfsproxy

... Incomplete, more to follow ...

OpenVPN Client for IOS

The OpenVPN Connect client app for IOS works well. First, configure Viscosity, then copy the config.conf file and rename it to config.ovpn. Next, install the OpenVPN IOS app, and then share all four files (the two certificates, the key, and the configuration file) via iTunes or email (select the Help button). Go to Settings > OpenVPN and enable Seamless tunnel and Reconnect on wakeup. Set the protocol, compression, connection timeout, network state detection, and IPv6 settings.

Resources Consulted

ufw, firewalld, iptables on Amazon Linux

ufw is known as a Debian (and Ubuntu) firewall, which is disabled by default but easy to use. There are some GUI front-ends which make it popular for Linux on the desktop. Coming from a CentOS background (RHEL/Amazon Linux AMI), ufw is not as common (as, say, firewalld, or simply iptables, to which both ufw and firewalld are more or less interfaces). Recall that netfilter is where the actual firewalling takes place, with iptables an interface on top of that, and ufw/firewalld as interfaces on top of iptables. Given this, there is no reason why ufw or firewalld cannot be run on any Linux, provided packages (or compiling) are available.

- See comparison of commands for iptables, ufw, and firewalld
- Firewalld: improving security of EC2
- Introduction to uncomplicated firewall (ufw)
- UFW Essentials
- How to Configure a Firewall with UFW
- UFW man pages (Ubuntu 8)
- How To Setup a Firewall with UFW

OpenVPN on Amazon Linux

OpenVPN on an AWS EC2 T2.Nano Instance

The T2.Nano instance is the smallest instance generally available for AWS EC2. As of 17-June-2017, the Nano includes the following resources:

- 512mb RAM
- 1 vcpu (30 credits + 3/hr, up to 72 credits)
- 1gb network out traffic

Alternatively, a $5 USD Amazon Lightsail instance can be used (see below).

Amazon Linux AMI

For those who prefer RHEL/CentOS, these are not available for the T2.Nano instance; rather, Amazon Linux AMI is the only RHEL-derived OS available. Note that Amazon AMI Linux is akin to CentOS 6.x (no systemd). Alternatively, Ubuntu is also available for the Nano. Note, there is now (Dec 2017) an Amazon Linux 2 option. Some say not to use any Amazon Linux. I tend to agree, though the main reason given, of not being able to use AMI outside of EC2, isn't correct, as there are container versions available for use locally.

Amazon Lightsail as an Alternative to EC2 T2.Nano

Amazon Lightsail is a VPS package that provides a simplified control panel and greater resources. For $5 USD/month, the smallest Lightsail instance is essentially a T2.Nano plus Elastic IP address, 20gb EBS storage, 1tb of outbound data, and a Route53 DNS interface. Since outbound data can run 0.10/gb (with elastic IP), this is potentially $10/mo in data transfer. The EBS storage is ~$2 USD, Route53 is $0.50 USD, and a nano instance with a 1 year contract is ~$3.50 USD. This means for $5 USD/mo, one gets between $6-106 USD in AWS resources. For the $10 USD Lightsail, the value consists of a T2.Micro, and all the rest, which is worth $11-$211 USD in services due to an increase to 30gb EBS and 2TB data transfer out.

- Amazon Lightsail FAQ

Note: on Lightsail, the Security Groups are port-based only, so any IP filtering needs to be done with a separate firewall, such as iptables.

Steps to install OpenVPN on AMI - Pre-Installation

These steps are similar for a Nano instance. This should work on a Lightsail instance, though some control panel settings may be in different places.

Assume Root

sudo su

Set the hostname, timezone, nameservers

hostname server.domain.tld

Set the timezone

nano /etc/sysconfig/clock

Change the ZONE line to appropriate continent/city, e.g.,

ZONE="Continent/City"
UTC=false
ARC=false

Create a symbolic link

rm -rf /etc/localtime
ln -sf /usr/share/zoneinfo/Continent/City /etc/localtime

Update nameservers (using dns.watch resolvers)

echo "nameserver 84.200.69.80" > /etc/resolv.conf
echo "nameserver 84.200.70.40" >> /etc/resolv.conf

Edit the network sysconfig

nano /etc/sysconfig/network

Change HOSTNAME to server.domain.tld. Check the change with the command:

hostname

Don't worry about /etc/hosts for now...

reboot

Update yum, configure EPEL

Note that we want the Amazon EPEL Repository

yum clean all
yum update
yum -y install epel-release
yum -y install yum-utils
yum-config-manager --enable epel

Update AMI without EPEL

This is done by disabling the repositories, which can be enabled later, including:

yum-config-manager --disable epel
yum clean all
yum update
cat /etc/system-release
uname -r

After the update version is confirmed, then re-enable the repositories with:

yum-config-manager --enable epel

Secure SSHD

nano /etc/ssh/sshd_config

make sure of the following:

PasswordAuthentication no
PermitRootLogin no

If you want to do fancy stuff like have an sftp login inside of a web directory, and need rights other than 700, 750, or 755 (say, for example, having the group be apache and the user be a login), then include:

StrictModes no

Restart sshd

service sshd restart
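As an added example (not from the original post), the following shell functions report what sshd will actually enforce for the two settings above. sshd uses the first uncommented occurrence of a keyword and ignores later duplicates, and anything below a Match line applies only to matching connections, so a hardening line added at the bottom of a config that already sets the keyword higher up does nothing. The sample configs are constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): print the value sshd takes for
# a keyword, reading top-down, skipping comments, stopping at the first
# "Match" line, and honouring the first-occurrence-wins rule. Handles the
# "Keyword value" syntax only (not "Keyword=value"). Prints nothing when the
# keyword is not set, i.e. the compiled-in default applies.
sshd_setting() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    NF == 0 || $1 ~ /^#/   { next }                       # blank or comment
    tolower($1) == "match" { exit }                       # conditional section
    tolower($1) == key     { print tolower($2); exit }    # first hit wins
  ' "$1"
}

# Returns 0 when both settings recommended above are in effect.
sshd_hardened() {
  [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ] &&
  [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ]
}

# Constructed sample configs for the demonstration; prints their directory.
make_sshd_samples() {
  d=$(mktemp -d)
  cat > "$d/hardened" <<'EOF'
# hardened sample (constructed): Match block must not leak into the global view
Port 22
PasswordAuthentication no
PermitRootLogin no
Match User sftponly
    PasswordAuthentication yes
EOF
  cat > "$d/weak" <<'EOF'
# weak sample (constructed): the "no" lines come too late to take effect
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF
  printf '%s\n' "$d"
}

# Stand-alone usage: sshd_hardened /etc/ssh/sshd_config && echo hardened
```

Run sshd_hardened /etc/ssh/sshd_config after editing and before restarting. sshd_setting also answers for other keywords, for instance StrictModes: setting it to no, as the optional step above does, makes sshd skip its ownership and permission checks on ~/.ssh and authorized_keys, so it is worth confirming it is only set where that was intended. Where available, sshd -T dumps the effective configuration including Match evaluation and is the authoritative check.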

Install and enable MOSH

yum -y install mosh

Mosh makes connections more resilient, but there is a cost of disabling the ability to scroll up in the console.

firewalld or ufw

This may or may not be desirable, in addition to the AWS firewall configuration. Likely desirable.

Install OpenVPN on AMI

yum -y install openvpn

Install Easy-RSA on AMI

Note that since the current release is version 3.x, you have to get an older 2.x distribution or the scripts below won't work. Note the below might still be a bit of a mess; inspect directories as you go.

cd /etc/openvpn
wget -v https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
tar -xvzf EasyRSA-2.2.2.tgz
mkdir easy-rsa
mv EasyRSA-2.2.2 /etc/openvpn/easy-rsa
cd easy-rsa
mv EasyRSA-2.2.2 2.0
mkdir -p /etc/openvpn/easy-rsa/keys
cp -R /usr/share/easy-rsa/2.0/ /etc/openvpn/easy-rsa/

NAT routing using iptables

Put in NAT routing, and ensure that the network on the masquerade rule is the same as in /etc/openvpn/server.conf.

First edit the iptables-config file:

nano /etc/sysconfig/iptables-config

Change most things to yes, with a final config looking like:

IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="yes"
IPTABLES_STATUS_LINENUMBERS="yes"

Now do the rest of the iptables configuration

touch /etc/sysconfig/iptables
chkconfig iptables on
service iptables start
modprobe iptable_nat
echo 1 | tee /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
service iptables save
service iptables restart

Edit the Easy RSA settings

nano /etc/openvpn/easy-rsa/2.0/vars

Find and modify these values:

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="CA"
export KEY_PROVINCE=""
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

Also change

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

to

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Initialize Easy RSA and create Certs and Keys

cd /etc/openvpn/easy-rsa/2.0
chmod 0755 *
source ./vars
./clean-all
./build-ca

Verify success

ls -la keys

Now build the cert and key

./build-key-server server

Note: leave the challenge password and optional company name blank.

Next, verify success:

ls -la keys

Next build a cert and key for each vpn user:

./build-key username

Provide this with a challenge password.

Next, build the .pem:

./build-dh

Next, build the ta.key. (Rather forget about this for now, just comment it out, it is trouble; get this going later.)

openvpn --genkey --secret /etc/openvpn/easy-rsa/2.0/keys/ta.key

Copy the keys and certs:

cd /etc/openvpn/easy-rsa/2.0/keys
cp dh2048.pem ca.crt server.crt server.key username.crt username.key /etc/openvpn

Create OpenVPN Config File

Note that previously a version was copied and edited from the /usr/share/doc directory, but latest versions of OpenVPN no longer include this. Instead touch and then use the following file below as the base server.conf:

touch /etc/openvpn/server.conf
cd /etc/openvpn
chmod 0644 dh2048.pem ca.crt server.crt server.conf username.crt
chmod 0600 server.key username.key   # private keys: readable by the owner only

Next, edit server.conf

nano /etc/openvpn/server.conf

Here is an example of server.conf. Ensure the masquerade iptables and server configuration are identical.

port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"
duplicate-cn
keepalive 10 120
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 0
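As an added example (not from either post), the following shell functions compare the subnet OpenVPN hands out with the subnet the MASQUERADE rule matches, the consistency both the ufw before.rules section earlier on this page and the iptables section above require. A /8 where a /24 was intended makes iptables masquerade everything from 10.0.0.0/8 leaving the box, not just the VPN pool. The config and rule files are constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original posts): check that the OpenVPN pool
# and the firewall's MASQUERADE source subnet are the same network.

# Print the OpenVPN pool as CIDR: "server 10.8.0.0 255.255.255.0" -> 10.8.0.0/24
server_cidr() {
  awk '
    function bits(n,  c) {            # number of 1 bits in one netmask octet
      c = 0
      while (n > 0) { c += n % 2; n = int(n / 2) }
      return c
    }
    $1 == "server" {
      split($3, m, ".")
      p = 0
      for (i = 1; i <= 4; i++) p += bits(m[i])
      printf "%s/%d\n", $2, p
      exit
    }' "$1"
}

# Print the -s argument of the MASQUERADE rule, from either a ufw
# before.rules file or a saved iptables rule line.
masq_cidr() {
  awk '/MASQUERADE/ { for (i = 1; i < NF; i++) if ($i == "-s") { print $(i+1); exit } }' "$1"
}

# Returns 0 when the two agree; prints both so a mismatch is visible.
nat_matches() {
  s=$(server_cidr "$1")
  m=$(masq_cidr "$2")
  printf 'server.conf pool: %s   MASQUERADE source: %s\n' "$s" "$m"
  [ -n "$s" ] && [ "$s" = "$m" ]
}

# Constructed samples for the demonstration; prints their directory.
make_nat_samples() {
  d=$(mktemp -d)
  printf 'port 1194\nserver 10.10.0.0 255.255.255.0\n' > "$d/server.conf"
  printf '%s\n' '-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE' > "$d/rules.ok"
  # mismatch: a /8 covers all of 10.0.0.0/8, far more than the VPN pool
  printf '%s\n' '-A POSTROUTING -s 10.10.0.0/8 -o eth0 -j MASQUERADE' > "$d/rules.bad"
  printf '%s\n' "$d"
}

# Stand-alone usage: nat_matches /etc/openvpn/server.conf /etc/ufw/before.rules
```

On the Amazon Linux side the saved rules live in /etc/sysconfig/iptables after service iptables save, so nat_matches /etc/openvpn/server.conf /etc/sysconfig/iptables is the equivalent check there.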

Enable Routing

nano /etc/sysctl.conf

Change ip forwarding to 1

net.ipv4.ip_forward = 1

Restart networking services

service network restart

Enable and start the OpenVPN service

chkconfig openvpn on
service openvpn restart

Install and Configure OpenVPN Client

For OSX, there is Tunnelblick, which sucks, and Viscosity which sucks less (but costs $9). An example Viscosity config file looks like:

#viscosity startonopen false
#viscosity protocol openvpn
#viscosity dns off
#viscosity usepeerdns false
#viscosity autoreconnect true
#viscosity name host.domain.tld
#viscosity dhcp true
remote 12.34.56.78 1194 udp
nobind
dev tun
redirect-gateway def1
tun-mtu 1500
pull
tls-client
ca ca.crt
cert cert.crt
key key.key
push "redirect-gateway def1"
comp-lzo
mssfix 1450
resolv-retry infinite
tun-mtu-extra 32
reneg-sec 0

For installing an OpenVPN command line client on Linux, simply take the config.conf file, along with the ca.crt, cert.crt, and key.key files. Installation on a Debian system looks like:

sudo apt-get update
sudo apt-get install openvpn

Then scp the four files into the home directory and run:

openvpn config.conf

After this works, then set up OVPN as a service with scripts for automation.

- See also OpenVPN on ChromeOS and Android

Resources Consulted

Referer, Referral, Analytics Spam

Spam, spam, spam, spam, spam, eggs, and spam. You get spam with your analytics. These are not real visitors, just spam in the logs. Here is how to de-spam your analytics.

Google Analytics Spam Filters

Statcounter Referer Blocking

StatCounter does not have Referral Spam filters, beyond IP address filters (completely useless). The solution is to regenerate a security code and then update the tracking code used on the site. This is of course only temporary, but for lazy spammers, it does get them to stop (unless and until they return to the site to scrape the access code from the javascript once again). See: What is the Security Code? - StatCounter

Piwik Referral Filters

Piwik regularly updates their own spam filters automatically. For any new spammers, report directly to Piwik via forking and creating a pull request for the referrer spam file on Github. And now for something completely different...

Link Disavow Tool Bing Google Yandex

Link disavowal is desired when someone (a competitor, or simply a deranged troll) has created low-quality links to your site. In some cases, in competitive, global markets, this may actually be the result of perhaps hundreds of domains created for the purpose of wrecking large numbers of competitors by providing Google with evidence of negative behavior. Since these things are sorted algorithmically, and Google's current algorithms might not have the more global perspective needed to see such a problem, it is incumbent on people with websites to monitor what links are being created to those sites.

Google Link Disavow Tool

What this means in practice is that part of managing a site is to monitor inbound links and take action when necessary. There are two tools to do this:

- Regularly monitor inbound links as reported in Google Webmaster Tools: Google Webmaster Tools > Search Traffic > Links to Your Site
- Use the Google Disavow Links tool to ensure that any poor quality links are disregarded by Google.

> Remember, Google (and Yandex) treat https://domain.com and http://domain.com as different properties, and so even if one is using 301s to route to a primary domain, any inbound domain will need to have its links dealt with at the level of its original domain protocol. This means registering both http:// and https:// versions of a site, and possibly www for each as well (resulting in 4 different property configurations of a single site, when using 301 redirection).

Google Link Disavow File

Each property in Google Webmaster can have a single Link Disavow text file. In that file there can be links and/or domains that are disavowed. In many cases, especially if poor quality links are regularly being created in an ongoing blackhat campaign against a site, domains will be used over and over to get a count of several links from each poor-quality site to the target site. It is easier to manage with a list of domains than a longer list of each link.

Bing Link Disavow Tool

The Bing Webmaster Disavow tool is a lot less flexible (they require manual entry one-at-a-time for each domain/link, see complaint):

Yandex Link Disavow Tool

Unfortunately, there appears to be no way to disavow links in Yandex Webmaster tools (an otherwise useful set of tools). There is no Yandex Link Disavow tool. As of 2015 Yandex was stating that they had no intention of creating such a tool.

Disavow Files Crowdsource Tool

Bruce Clay created a crowdsourcing site for disavow files, which has a decent dashboard, but not much functionality beyond basic reporting (the idea is that all disavow files are parsed and any new inbound links matching previously reported files/domains would create a notification for the user).

WordPress Form and Comment Spam

As with security in general, escaping the scourge of WordPress form and content spam requires a layered approach. Here is what works.

Databases and Behavioral Anti-Spam

The first step is the one that nowadays works the least well. In the beginning we had Akismet, and things got better, but this is an arms race, and Akismet has not been getting better. In WordPress, this battlefront has basically been ceded (with some exceptions, below). For things like Google's Gmail, this still works fairly well (along with manual rules), a vast majority of the time.

Manual Rules and Keyword Blocking

Manual rules and keyword lists help block a particular subset of spam, namely that manually created by humans, with the purpose of pestering someone to hire a so-called SEO Expert, Web Designer, or Marketing services. By placing these highlighted keywords in the WordPress Admin > Settings > Discussion > Comment Blacklist field, they are not only used as a filter by the WordPress commenting function, but also used by Contact Form 7.

Javascript and/or Session Detection

For the average bot, which is fairly simplistic and won't accept session cookies or have javascript enabled, testing for one or both of these conditions will generally allow those to be ignored. For Comment Spam (on sites that must have comments enabled), the WordPress plugin WP-SpamShield is a fairly effective option. In the future, it might be better to ensure no plugins do PHP Sessions, for performance reasons, but on a moderately busy site this shouldn't be much of a problem.

Honeypot Form Fields

Another way to detect bots is to provide form fields that they see but that humans do not (via CSS). Bots will attempt to fill out these fields, and thereby have their submissions identified and silently rejected. For Contact Form 7, a good choice is the aptly named Contact Form 7 Honeypot. For WordPress account creation/registration, there is the Registration Honeypot.

Captchas and NoCaptchas

Captchas are another, older technology, of which there are several instances. Google famously acquired ReCaptcha in 2009 for hundreds of millions of dollars. They introduced a new version in 2014, called NoCaptcha ReCaptcha. And in early 2017, the Invisible ReCaptcha was unveiled, so to speak. ReCaptcha has gone from a human vision solution to a fully automated approach (hence full circle back to the first item above, databases and behavioral).

Personally, I've had so much nonsense from the Google ReCaptchas, which either end up making me solve a half-dozen puzzles or more, or insist on presenting in a human language I cannot read. Google is very bad at both of these issues (producing puzzles for humans, and providing better language support). In both cases the problem could very easily be made much, much less horrible if simple human factors were taken into account, such as the size of text and providing a consistent language menu item that is labeled so it can be identified by non-readers of the currently selected language. Both are huge failures for a company that should have worked this out a decade ago.

There is one captcha system that actually works well, both for humans (to provide access to them) and for bots (to deny access to them), and that is Really Simple Captcha. Originally designed to work with Contact Form 7 -- which it still does -- it also works well with other forms, and has a basic library that can be used by WordPress developers.

Summary of Anti-Spam Solutions

For contact forms, use:

- Contact Form 7
- Contact Form 7 Honeypot
- Really Simple Captcha
- Add keywords to the Settings > Discussion > Blacklist section

For comments in general:

- WP-Spamshield
- Add keywords to the Settings > Discussion > Blacklist section

For bot registration denial:

- Registration Honeypot

Telegram + Trello, Github, WP

Telegram is my favorite go-to chat. Unfortunately people are invested in their use of Facebook messenger, Line, Hangouts, etc., and you have to be where they are to chat with them. I have one guy who is only chatting on the apps I don't use: Facebook and WeChat. Sure, I might see a Facebook chat when I log in, but I don't use the apps and so it just doesn't work out well. I'm forced to use LINE but the same thing holds, I'm not logged in so semi-real-time just doesn't happen. I'll get a text message and also a Facetime message, and a Telegram message, and that is where I leave it. Even Twitter I use when I use it, not real-time, even for direct messages. I've also abandoned Gitter, possibly because of their support channel and its tone, but also because it is limited and can't really do what a full-blown chat/IM client is meant to.

Advantages of Telegram

Telegram is free and encrypted, and also has the nice distinction of a free sticker ecosystem, Telegram Native Apps, Telegram Bots, and chats can now be edited, after being sent. There are two more pretty great integrations: Trello and Github, and WordPress

Integram = Telegram + Trello + Github

Integram is a tool that can be added to groups and then has a unique link that can then grant access to Trello boards and Github repositories. Telegram Integram

Telegram + WordPress

There are many Telegram WordPress Plugins (about 20 currently). I've not yet (as of 28 May 2016) evaluated which look useful, but several potential features immediately stand out as interesting:

- Notify a Telegram Channel (or SuperGroup) of a new post on the site
- Integrate with CF7 to send a message via Telegram instead of, or in addition to, Email
- Emulate comments on a page, though that would be overhead

The WordPress Plugin for Telegram (see also this discussion for installation) uses the Telegram Bot system, as well as Notificaster, an already existing Telegram bot, for discussion in terms of a group, as well as a channel for public notifications (e.g., new post). This is great for announcements/posts and things like a general chat channel for a particular website. However, what about initiating private chats? That is easy in terms of 1-to-1 chatting: just add a Telegram.me address. While a supergroup (or regular group) might be used, it is probably best to keep a broadcast channel, small group, and individual Telegram accounts. It really depends on the use cases what to configure. There could be a channel per site, or perhaps on the main category pages. Telegram Botfather

Signal, an Alternative/Competitor

Signal is a free and open source software designed primarily for mobile chat and voice calls. There is a Signal Chrome app that allows for computer-based use via associating with a mobile device account (the encryption keys are shared). Chat is basic, but includes images and other attachments, and of course voice is a great option. What Signal doesn't have (yet), are stickers and bots. What Telegram doesn't have (yet) is voice calls.