Customers who sign-up prior to 30/06/2024 get unlimited access to free features, newer features (with some restrictions), but for free for at least 1 year.Sign up now! https://webveta.alightservices.com/

Category: Linux

Categories
.Net C# Linux Security

How to easily install OpenVPN and some easy C# code snippets for Process class

This blog article is based on the script provided at:

https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh

This script has been slightly modified for certain reasons mentioned below:

  1. The above script uses pre-defined dh.pem (My version generates a new random 2048 bit dh params)
  2. The above script generates client cert without password (My version mandates password and allows specifying the passwords in a separate file)
  3. The above script generates certificates with 10 years validity (My version generates certificates with 1 day validity i.e because I plan to re-generate certificates often, hmmmm, more like One time use certificates like OTP’s)

I have mentioned in a previous blog post – https://www.alightservices.com/2023/08/03/a-method-for-randomizing-vpn-security-for-cloud-based-workloads-alight-technology-and-services-limited/

I am looking for ways to randomize server-side cert, client ovpn, etc…

This script is part of the effort.

The script is attached here. Later a separate GitHub repo with some demo code would be provided. Then this blog post would be updated.

https://www.alightservices.com/wp-content/uploads/2023/08/openvpn-install.sh_.zip

Download the zip file, unzip, change the extension i.e remove .txt.

Provide execute permissions and execute the script.

> wget https://www.alightservices.com/wp-content/uploads/2023/08/openvpn-install.sh_.zip

> unzip openvpn-install.sh_.zip

> mv openvpn-install.sh.txt openvpn-install.sh

> sudo chmod +x openvpn-install.sh

> echo 'password
password' > infile

> cp infile outfile

> ./openvpn-install.sh

In the above snippets, infile and outfile contains the same password two times on two different lines. Replace the password with what’s necessary or use some tools or utilities for generating password and writing into infile and outfile.

Now the C# part:

Using C# code, it’s very easy to generate random passwords and writing the passwords to infile, outfile.

System.Diagnostics.Process class allows executing shell scripts on Linux. Let’s look at some code sample:

Process process = new();
process.StartInfo.WorkingDirectory = "/path";
process.StartInfo.FileName = "/path/openvpn-install.sh";
process.StartInfo.Arguments = "";
process.EnableRaisingEvents = true;
process.Exited += Process_Exited;
process.ErrorDataReceived += Process_ErrorDataReceived;
process.OutputDataReceived += Process_OutputDataReceived;
process.StartInfo.RedirectStandardInput = true;
process.Start();
.
.
.
process.WaitForExit();


void Process_ErrorDataReceived(object sender, DataReceivedEventArgs e)
{
    // Do whatever is necessary with e.Data;
}

void Process_OutputDataReceived(object sender, DataReceivedEventArgs e)
{
     // Do whatever is necessary with e.Data;
}

void Process_Exited(object? sender, EventArgs e)
{
     // Handle code if necessary
}

In the above code snippet, we are executing a shell script located inside /path directory.

Because we are re-directing StandardInput by setting RedirectStandardInput = true, we can enter different values programatically on a necessary basis.

Or in the above shell script, the interactive prompts can be removed and pre-defined values can be used.

Using the above mentioned script, C# code snippets and by having passwords inside file, it becomes very easy to generate new server and client certificates and re-genrate certificates.

BTW the above mentioned script generates /etc/openvpn/server/server.conf, the following code server-config snippets might be of use, if needed add manually or update the script.

max-clients n
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.txt

max-clients limits the maximum number of simultaneous connections.

log – writes log file, the verbosity can be controlled using verb. verb value of 9 means very verbose.

status – a little text file having information about current clients connections.

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.

Categories
Linux Security

Some important log management techniques on Linux – AuditD

In my continued pursuit of strengthening the security infrastructure at my own startup – ALight Technology And Services Limited, I have written few blog articles in the past regarding securing web applications, importance of audit, logs – part of the NIST Cyber Security Framework. This blog post talks about some things I have done on AWS infrastructure. While running a company with no other employees and while being the target of state-sponsored / state-trained hackers, I ended up learning a lot and now I have dabbled in pretty much everything in computing (expert at development, learning system administration, infosec etc… as part of running my own startup).

  1. I created a base Ubuntu image by enabling ufw, installed auditd, installed cloudwatch log agent, closing unnecessary ports, some custom alerters as soon as a SSH login happens etc… I call this AMI the golden AMI. I also update the golden AMI every few months. The advantage of using a golden AMI like this is any EC2 instance you would launch would have these in place.
  2. I am using ELK stack along with Cloudwatch logs and S3 for logs. ELK stack for log analysis i.e logs are stored for a shorter period, Cloudwatch logs for various other reasons, (can’t disclose) and finally S3 glacier for longer term retention.
  3. With the above mentioned setup, if an incident happens, all the necessary logs would in place for analysis.

I wanted to give a quick introduction to Cloudwatch log agent, AuditD as part of this blog post.

Cloudwatch log agent:

A small piece of software that ingests logs into AWS Cloudwatch. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/QuickStartEC2Instance.html

The setup needs IAM role with proper permissions, more details are at the above mentioned link.

On Ubuntu the logs config is stored at:

/var/awslogs/etc/awslogs.conf

The configuration file is very simple and straightforward.

I would suggest ingesting all the ubuntu system logs along with auditd logs and create a golden AMI.

AuditD:

This is a nice audit tool for Linux capable of auditing a lot of things.

Installation:

sudo apt update
sudo apt-get install auditd
sudo systemctl enable auditd
sudo systemctl start auditd

The configuration and rules are stored at /etc/audit. The config file is auditd.conf, rules should be in audit.rules.

The configuration file is self-explanatory.

There are no default rules.

But thankfully there is a github repo with several rule templates for meeting several compliance standards such as PCI. The PCI rules are at: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules

Several rule files are located in the same repository:

https://github.com/linux-audit/audit-userspace/tree/master/rules

Stay safe & secure! Stay away from hac#?ers / ransom thieves.

Happy computing!

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO
Arumilli Kanti Kalyan, Founder & CEO

B.Tech, M.B.A

Facebook

LinkedIn

Threads

Instagram

Youtube

Founder & CEO, Lead Full-Stack .Net developer

ALight Technology And Services Limited

ALight Technologies USA Inc

Youtube

Facebook

LinkedIn

Phone / SMS / WhatsApp on the following 3 numbers:

+91-789-362-6688, +1-480-347-6849, +44-07718-273-964

+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)

kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.