Archives for posts with tag: linux

 

How to get IPSEC/L2TP VPN working on Ubuntu with network manager GUI:

This is already documented; follow this post:
http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/

Just a note on the above post: I did not install the custom xl2tpd version mentioned there on my Lubuntu 16.04 box; I went with the stock xl2tpd provided in the repos and it worked fine. In fact I did not compile anything, apart from using the PPA and installing whatever it pulled in.

 

 

In this post I will detail how I used Debian 9 to connect to a corporate VPN based on IPSEC/L2TP from the CLI.
The other VPNs, which can be connected to using OpenVPN and Cisco Openconnect, are fairly straightforward to work with and I never had any trouble with them before. But some organizations that we work with use this type of VPN. I wanted to achieve this without any GUI, using only the CLI, as I have stopped using Network-Manager.

Further, I wanted to make this work on both FreeBSD and Debian, as these are my OSs of choice. Network Manager does not support FreeBSD yet.
Note that FreeBSD 11 and onward has kernel support built in for this VPN stack/protocol; in older releases you will need to use a custom kernel with patches applied to get this working. I will focus on Debian 9 in this post, and perhaps the next post will be on FreeBSD 11, if I get it working.

I tried really hard to make it work using CLI tools, but it did not work, causing much frustration. So I used a Lubuntu 16.04 VM to connect using the GUI, took the contents of the config files that worked, and mirrored that config setup on the other VMs, with help from the different posts shared below in the references.

 

How to get IPSEC/L2TP VPN working on Debian 9:

The IT guy provided me with:

A username and password, my LDAP and account details.
The URL of the VPN to connect to.
A secret/PSK(pre shared key).

What I needed in addition to the above was the hash, encryption scheme used, etc., which we will collect below. Other than these, I used the default values provided by the respective software.

As root install:

root shell> apt-get install -y strongswan xl2tpd ppp ike-scan

ike-scan determines the authentication-related settings the remote VPN server proposes (cipher, hash, authentication method and DH group).

Run it against the VPN server you need to connect to:

root shell> ike-scan YOUR_VPN_URL_OR_IP_HERE.COM

Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
3x.xxx.xxx.xxx Main Mode Handshake returned HDR=(CKY-R=e7f46fcf375e22e3) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.635 seconds (1.58 hosts/sec). 1 returned handshake; 0 returned notify

 

You will need the above details to configure strongswan/openswan/libreswan:

 

Edit /etc/ipsec.conf and add the following; I am pasting the snippet from my configuration:

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

# Add connections here.

conn myvpn
  auto=add
  type=transport
  authby=psk
  keyingtries=0
  left=%defaultroute
  leftprotoport=udp/l2tp
  right=3x.xxx.xxx.xxx
  rightid=%any
  rightprotoport=udp/l2tp
  keyexchange=ikev1
  ike=3des-sha1-modp1024
  esp=3des-sha1

 

The values for ike and esp vary according to the setup: use ike-scan to determine them and/or consult the IT person. If all else fails, connect from the GUI and read the values off the working connection.
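The mapping from the ike-scan SA line to the ike= and esp= strings, as an added example that is not part of the original post: it converts the names ike-scan prints into strongswan's keywords and lists which of the resulting primitives are legacy (3DES, SHA-1 and modp1024, the ones in this post's output, all are). It assumes the SA text is passed on a single line and that ike-scan reports AES key sizes as a separate KeyLength attribute.

```shell
#!/bin/sh
# Convert the SA=(...) text printed by ike-scan into strongswan "ike=" and
# "esp=" proposal strings, and list the legacy primitives in the result.
# Added example, not from the original post. Assumption: the SA text is on
# one line (join it if your terminal wrapped it, as the post's output was).

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# attr "SA=(...)" NAME -> the value of NAME=... inside the SA text, or empty.
attr() {
  printf '%s\n' "$1" | sed -n "s/.*$2=\([^ )]*\).*/\1/p"
}

# scan_to_proposal "SA=(...)" ike|esp
#   ike -> <enc>-<hash>-<dhgroup>     esp -> <enc>-<hash>
scan_to_proposal() {
  sa=$1; kind=$2
  enc=$(attr "$sa" Enc)
  klen=$(attr "$sa" KeyLength)          # assumed ike-scan format for AES
  hash=$(attr "$sa" Hash)
  group=$(printf '%s\n' "$sa" | sed -n 's/.*Group=[0-9]*:\([^ )]*\).*/\1/p')
  case "$enc" in
    3DES) e=3des ;;
    AES)  e=aes${klen:-128} ;;          # strongswan wants aes128/aes256
    *)    e=$(lower "$enc") ;;          # unknown: pass through so it is noticed
  esac
  case "$hash" in
    SHA1)     h=sha1 ;;
    SHA2-256) h=sha256 ;;
    SHA2-384) h=sha384 ;;
    SHA2-512) h=sha512 ;;
    *)        h=$(lower "$hash") ;;
  esac
  if [ "$kind" = ike ]; then
    printf '%s-%s-%s\n' "$e" "$h" "$group"
  else
    printf '%s-%s\n' "$e" "$h"
  fi
}

# legacy_algs PROPOSAL -> the components that are legacy (DES, 3DES, MD5,
# SHA-1, DH groups below 2048 bits), space-separated; empty if none.
legacy_algs() {
  out=""
  for alg in $(printf '%s' "$1" | tr '-' ' '); do
    case "$alg" in
      des|3des|md5|sha1|modp768|modp1024|modp1536) out="$out $alg" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# Constructed sample: the post's own ike-scan result, joined onto one line.
SAMPLE='SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)'
ike=$(scan_to_proposal "$SAMPLE" ike)
esp=$(scan_to_proposal "$SAMPLE" esp)
echo "ike=$ike"
echo "esp=$esp"
weak=$(legacy_algs "$ike")
if [ -n "$weak" ]; then
  echo "legacy primitives in use: $weak (ask the VPN admin for AES/SHA-2/modp2048 or better)"
fi
```

Paste the two printed lines into the conn block of /etc/ipsec.conf; the legacy list is what to raise with the VPN administrator, since the client can only offer what the server accepts.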

Next add the pre-shared key (PSK/secret) to /etc/ipsec.secrets.
Important! Use echo to append the line rather than editing the file by hand; I spent a few days debugging after I edited the file manually!

root shell> echo ': PSK "YOUR_PSK_OR_SECRET_HERE"' >> /etc/ipsec.secrets

 

You can now test whether this works by restarting the strongswan service:

root shell> systemctl restart strongswan.service

In another terminal check the logs using

root shell> journalctl -u strongswan.service

Jan 13 15:06:14 debian charon[6503]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 13 15:06:14 debian charon[6503]: 00[JOB] spawning 16 worker threads
Jan 13 15:06:14 debian ipsec[6489]: charon (6503) started after 20 ms
Jan 13 15:06:14 debian ipsec_starter[6489]: charon (6503) started after 20 ms
Jan 13 15:06:14 debian charon[6503]: 05[CFG] received stroke: add connection 'myvpn'
Jan 13 15:06:14 debian charon[6503]: 05[CFG] added configuration 'myvpn'

Now run

root shell> ipsec status

Security Associations (0 up, 0 connecting):
 none

root shell> ipsec up myvpn
...
sending packet: from 10.0.2.15[4500] to 3x.xxx.xxx.xxx[4500] (220 bytes)
received packet: from 3x.xxx.xxx.xxx[4500] to 10.0.2.15[4500] (172 bytes)
parsed QUICK_MODE response 150100366 [ HASH SA No ID ID NAT-OA NAT-OA ]
connection 'myvpn' established successfully

In the other terminal, where journalctl -u strongswan.service is running, you should see something like:

Jan 13 15:08:26 debian charon[6503]: 06[NET] received packet: from 3x.xxx.xxx.xxx[4500] to 10.0.2.15[4500] (92 bytes)
Jan 13 15:08:26 debian charon[6503]: 06[ENC] parsed ID_PROT response 0 [ ID HASH V ]
Jan 13 15:08:26 debian charon[6503]: 06[IKE] received DPD vendor ID
Jan 13 15:08:26 debian charon[6503]: 06[IKE] IKE_SA myvpn[1] established between 10.0.2.15[10.0.2.15]...3x.xxx.xxx.xxx[3x.xxx.xxx.xxx]

 

Check the status with ipsec status/statusall:

root shell> ipsec status
Security Associations (1 up, 0 connecting):
myvpn[1]: ESTABLISHED 3 minutes ago, 10.0.2.15[10.0.2.15]...3x.xxx.xxx.xxx[3x.xxx.xxx.xxx]
myvpn{1}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c641102f_i 03118698_o
myvpn{1}: 10.0.2.15/32[udp/l2f] === 3x.xxx.xxx.xxx/32[udp/l2f]

 

Now, stop the service and move on with configuring other components.

Configure xl2tpd:

Edit file /etc/xl2tpd/xl2tpd.conf:

[global]
access control = yes
port = 1701

[lac l2tp]
lns = 3x.xxx.xxx.xxx
pppoptfile = /etc/ppp/ppp-options.opts
autodial = yes
tunnel rws = 8

Now edit the file /etc/ppp/ppp-options.opts (this is the path given as pppoptfile above; you can change the location to something else):

nodetach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
refuse-eap
refuse-chap
refuse-mschap
refuse-mschap-v2
lcp-echo-failure 0
lcp-echo-interval 0
mru 1400
mtu 1400
user YOUR_LDAP_USERNAME_OR_ACCOUNTNAME_GIVEN_BY_IT
password YOUR_ACCOUNT_OR_LDAP_PASSWORD_PROVIDED

Once done, start strongswan first, then run the ipsec up command as above, and then start the xl2tpd service. In one line:

systemctl start strongswan.service ; sleep 3; ipsec up myvpn; systemctl start xl2tpd.service

Check whether the connection got established using ipsec statusall.

To stop, run:

systemctl stop xl2tpd.service ; ipsec down myvpn; systemctl stop strongswan.service;

The VPN is now set up, but we need to add routes in order for traffic to flow in and out of the VPN:

 

As root user:

route add 3x.xxx.xxx.xxx gw 10.0.2.2
route add default dev ppp0

So in general:

route add VPN-PUBLIC-IP gw LOCAL-NIC-IP
route add default dev pppX

Here 10.0.2.2 is the gateway address of the NAT network my VM received from the VirtualBox NAT service (the default gateway in the pre-connection routing table below); in your case change this accordingly.

Check using a fetch/curl/wget command and you should see the public IP address of the remote network, like:

wget -qO- https://canihazip.com/s

or,

curl https://canihazip.com/s

To change back to non-VPN setup:

1. Change routing table to what it was before,
2. Stop xl2tpd and strongswan services.

To delete the added routes:

route del default dev ppp0
route del 3x.xxx.xxx.xxx gw 10.0.2.2
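The same up/down sequence as a script, added here as an example that is not the post's own: instead of a fixed sleep it polls ipsec status until the IKE and ESP SAs are actually ESTABLISHED/INSTALLED, waits for the ppp interface to get an address before moving the default route, and tears everything down again on any failure. It assumes the connection name myvpn from the ipsec.conf above, uses ip route in place of the route commands, and the VPN address 203.0.113.10, gateway 10.0.2.2 and interface ppp0 are placeholders for your values.

```shell
#!/bin/sh
# Bring the IPsec/L2TP VPN of this post up or down in the documented order.
# Added example, not the post's own script. Placeholders (override in the
# environment): VPN_IP is the VPN server address the IT team gave you, GW the
# local default gateway shown by "ip route" before connecting, PPP_DEV the
# interface pppd creates, CONN the conn name from /etc/ipsec.conf.
VPN_IP=${VPN_IP:-203.0.113.10}   # placeholder (documentation range)
GW=${GW:-10.0.2.2}
PPP_DEV=${PPP_DEV:-ppp0}
CONN=${CONN:-myvpn}

# sa_established NAME: read "ipsec status" text on stdin; return 0 only when
# NAME has an ESTABLISHED IKE_SA *and* an INSTALLED child SA (an IKE_SA alone
# means the ESP transport is not there yet). Pure text check, needs no root.
sa_established() {
  name=${1:-$CONN}
  status=$(cat)
  printf '%s\n' "$status" | grep -q "$name\[[0-9]*]: ESTABLISHED" &&
  printf '%s\n' "$status" | grep -q "$name{[0-9]*}: INSTALLED"
}

# wait_for_sa SECONDS: poll ipsec status instead of a fixed "sleep 3".
wait_for_sa() {
  i=0
  while [ "$i" -lt "${1:-15}" ]; do
    ipsec status | sa_established "$CONN" && return 0
    sleep 1; i=$((i + 1))
  done
  return 1
}

# wait_for_ppp SECONDS: pppd has finished LCP/IPCP once the interface has an
# IPv4 address; only then is it safe to point the default route at it.
wait_for_ppp() {
  i=0
  while [ "$i" -lt "${1:-20}" ]; do
    ip -4 addr show dev "$PPP_DEV" 2>/dev/null | grep -q 'inet ' && return 0
    sleep 1; i=$((i + 1))
  done
  return 1
}

vpn_down() {
  ip route del default dev "$PPP_DEV" 2>/dev/null
  ip route del "$VPN_IP" via "$GW" 2>/dev/null
  systemctl stop xl2tpd.service
  ipsec down "$CONN" 2>/dev/null
  systemctl stop strongswan.service
}

vpn_up() {
  systemctl start strongswan.service || return 1
  ipsec up "$CONN" || { vpn_down; return 1; }
  wait_for_sa 15 || { echo "IKE/ESP SA for $CONN not established" >&2; vpn_down; return 1; }
  # The host route to the VPN server via the physical gateway must exist
  # before the default route moves to ppp0, or the tunnel's own packets
  # would be sent into the tunnel.
  ip route add "$VPN_IP" via "$GW" || { vpn_down; return 1; }
  systemctl start xl2tpd.service || { vpn_down; return 1; }
  wait_for_ppp 20 || { echo "$PPP_DEV never got an address" >&2; vpn_down; return 1; }
  ip route add default dev "$PPP_DEV" || { vpn_down; return 1; }
  echo "VPN up; verify with: ipsec statusall; ip route; curl https://canihazip.com/s"
}

case "$1" in
  up)   vpn_up ;;
  down) vpn_down ;;
esac
```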

 

To understand what happens, check the routing tables and current network setup on your local machine before you configure anything. This is just to get an understanding, or for troubleshooting the setup; it is not necessary for the actual setup.

Pre-connection routing table:

$ netstat -nr4

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 enp0s3
192.168.56.0    0.0.0.0         255.255.255.0   U         0 0          0 enp0s8

 

$ ip route

default via 10.0.2.2 dev enp0s3 proto static metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
192.168.56.0/24 dev enp0s8 proto kernel scope link src 192.168.56.8 metric 100

Network address/link/device configuration:

$ ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:85:30:8b brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 78860sec preferred_lft 78860sec
    inet6 fe80::a00:27ff:fe85:308b/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:67:7e:ad brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.8/24 brd 192.168.56.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe67:7ead/64 scope link
       valid_lft forever preferred_lft forever

 

Compare the above output to routing/networking information after connection.

Post-connection network configuration and routing table:

$ ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:85:30:8b brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 78910sec preferred_lft 78910sec
    inet6 fe80::a00:27ff:fe85:308b/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:67:7e:ad brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.8/24 brd 192.168.56.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe67:7ead/64 scope link
       valid_lft forever preferred_lft forever
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 3
    link/ppp
    inet 10.12.14.147 peer 192.0.2.1/32 scope global ppp0
       valid_lft forever preferred_lft forever



$ netstat -nr4

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 enp0s3
3x.xxx.xxx.xxx  10.0.2.2        255.255.255.255 UGH       0 0          0 enp0s3
192.0.2.1       0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.56.0    0.0.0.0         255.255.255.0   U         0 0          0 enp0s8

$ ip route

default dev ppp0 proto static scope link metric 50
default via 10.0.2.2 dev enp0s3 proto static metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
3x.xxx.xxx.xxx via 10.0.2.2 dev enp0s3 proto static metric 100
192.0.2.1 dev ppp0 proto kernel scope link src 10.12.14.147 metric 50
192.168.56.0/24 dev enp0s8 proto kernel scope link src 192.168.56.8 metric 100

 

References:

https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup

http://www.jasonernst.com/2016/06/21/l2tp-ipsec-vpn-on-ubuntu-16-04/

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_with_L2TP

 

 


I don't use a smartphone, and the recent engagement I was selected for required setting up MFA/2FA by scanning a QR code on GitHub and AWS accounts.

The other troubles were: GitHub did not list India as a region where I could set up 2FA using SMS! AWS did not list any SMS option!
I initially used the Python library pyotp to decode the secret from the base64-encoded string which I got after scanning the QR code with an online/offline tool, but it was not sufficient, as the accounts require the user to supply the OTP each time the user logs out of the service.

Enter Sneezry:

https://github.com/Sneezry/authenticator/wiki/Introduction

A Chromium browser plugin which allows a user to set up 2FA without a smartphone. It even allows scanning the QR code directly from the page that is open, and there is also a way to copy-paste the secret and register the account. Another advantage is that it works on both of my OSs (Debian and FreeBSD), as it runs in the browser. 🙂

Now I just need to find equivalent addon for Firefox and Seamonkey.

My smartphone less journey continues!

For more reasons why one should avoid smartphones with closed source software, checkout:

https://www.gnu.org/proprietary/proprietary-surveillance.en.html#SpywareInAndroid
https://www.fsf.org/blogs/community/the-apple-is-still-rotten-why-you-should-avoid-the-new-iphone

 

Excellent laptop for having a wireless chip which is compatible with stock Debian and FreeBSD installations! This is one of the first pieces of hardware I have come across where the OS detected the wireless chip during installation.

Next, I used UEFI based dual boot installation and had to manually add the Debian entry in the BIOS setup. FreeBSD EFI partition got detected out of the box, sweet!

The hardware list from lspci on Debian:

00:00.0 Host bridge: Intel Corporation Broadwell-U Host Bridge -OPI (rev 09)
00:02.0 VGA compatible controller: Intel Corporation Broadwell-U Integrated Graphics (rev 09)
00:03.0 Audio device: Intel Corporation Broadwell-U Audio Controller (rev 09)
00:04.0 Signal processing controller: Intel Corporation Broadwell-U Camarillo Device (rev 09)
00:14.0 USB controller: Intel Corporation Wildcat Point-LP USB xHCI Controller (rev 03)
00:16.0 Communication controller: Intel Corporation Wildcat Point-LP MEI Controller #1 (rev 03)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection (3) I218-LM (rev 03)
00:1b.0 Audio device: Intel Corporation Wildcat Point-LP High Definition Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #1 (rev e3)
00:1c.3 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #4 (rev e3)
00:1c.4 PCI bridge: Intel Corporation Wildcat Point-LP PCI Express Root Port #5 (rev e3)
00:1d.0 USB controller: Intel Corporation Wildcat Point-LP USB EHCI Controller (rev 03)
00:1f.0 ISA bridge: Intel Corporation Wildcat Point-LP LPC Controller (rev 03)
00:1f.2 SATA controller: Intel Corporation Wildcat Point-LP SATA Controller [AHCI Mode] (rev 03)
00:1f.3 SMBus: Intel Corporation Wildcat Point-LP SMBus Controller (rev 03)
01:00.0 SD Host controller: O2 Micro, Inc. SD/MMC Card Reader Controller (rev 01)
02:00.0 Network controller: Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)

 

On Debian everything works fine, but you might want to remove the Intel xorg driver (xserver-xorg-video-intel), as that is for hardware older than 2007; with the old driver installed the graphics were not that smooth and the CPU utilization increased.

Other than this I was unable to suspend to RAM when HT was disabled. Enabling HT in BIOS would solve this.

On FreeBSD the integrated GPU is not yet supported :( so it is command line only for now.

Will consider Dell again for my computing.

Just a list of ideas for securing the servers.

I try to make sure that the first line of defense is not breached; if the attacker can breach that, then he is determined and can overcome any other defense you may have. Most of the "spray and pray" attacks on the internet are not that complicated: kiddies attack the nodes which do not patch known vulnerabilities or lack basic protection, like having easy-to-guess passwords.

Another point to be aware of is that the more restrictive security measures we have (SELinux, etc.) may work against us when we try to troubleshoot or implement a feature, or some software might not work, etc.

Only you can decide what level of protection you need and what is at stake. The following are the absolute minimum and are highly effective; use other software (IDS, HIDS) on top of this if you can afford to spend the time and effort.

* Keep the server patched at regular intervals, like weekly/bi-weekly. This is very important; it helps to plug application-level vulnerabilities.

* Set up a firewall allowing access only to the ports that are needed, like TCP 80/443 for HTTP/S, UDP 53 for DNS, etc.

* Do a netstat query on the node to check whether any other services are active, and disable them permanently using /etc/rc.conf on BSD, chkconfig on CentOS, or update-rc.d on Debian. Reboot the node and check that they stay disabled.

* Do not expose database services over the public internet; restrict them to the local network, or better yet restrict which local IPs can connect.

* SSH access can be limited to a particular network/subnet/IP at the firewall level, like only from the company network, the admin team, etc.

* Prefer non-root SSH logins, with the user then using sudo/doas to perform actions which require root privileges.

* If direct root SSH is required, then set "PermitRootLogin without-password" in sshd_config and restart the SSH daemon; this ensures that only users holding a key can connect as root. Also make sure only select people have a key to log in as root; it makes them responsible and accountable.

* If you want to monitor login attempts and health, use something like logwatch.

* If password-based authentication must be exposed to the public (which is not recommended), use a tool like fail2ban or SSHGuard. This slows down a brute-force attack. If incorrect attempts are blocked indefinitely, together with password expiration (plus password complexity, like diceware), then brute-force attacks can be stopped. As this involves many variables which can go wrong, it is not recommended.

* Do not block ping unless you have experienced flood attacks; ping is necessary for troubleshooting.

The aim of a security measure is to frustrate a prospective attacker into giving up, not to frustrate the admin. 😉
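A quick check for the two SSH items in the list above (root login limited to keys or disabled, password authentication off), added here as an example that is not part of the original post. It reads the first effective value of each keyword the way sshd does; it does not evaluate Match blocks, so on the host itself sshd -T remains the authoritative view.

```shell
#!/bin/sh
# Audit an sshd_config against the SSH items in the list above.
# Added example, not from the original post. Usage: audit_sshd [FILE]
# (default /etc/ssh/sshd_config). Match blocks are not evaluated; sshd -T on
# the host prints the effective configuration if you need certainty.

# sshd_value FILE KEYWORD -> first effective value of KEYWORD (case-insensitive,
# commented lines ignored), which is the value sshd itself uses.
sshd_value() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE -> one OK/FAIL line per check; returns 1 if anything FAILs.
audit_sshd() {
  cfg=${1:-/etc/ssh/sshd_config}
  rc=0

  root=$(sshd_value "$cfg" PermitRootLogin)
  case "$root" in
    no|without-password|prohibit-password)
      echo "OK   PermitRootLogin $root" ;;
    "")
      echo "FAIL PermitRootLogin not set (the default depends on the sshd version; set it explicitly)"
      rc=1 ;;
    *)
      echo "FAIL PermitRootLogin $root (use without-password/prohibit-password or no)"
      rc=1 ;;
  esac

  pw=$(sshd_value "$cfg" PasswordAuthentication)
  case "$pw" in
    no) echo "OK   PasswordAuthentication no" ;;
    *)  echo "FAIL PasswordAuthentication ${pw:-unset (sshd defaults to yes)}; prefer keys, or add fail2ban/SSHGuard"
        rc=1 ;;
  esac
  return $rc
}

if [ -n "$1" ]; then
  audit_sshd "$1"
fi
```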

The other day(some months ago!) I had a task to store old Apache logs instead of discarding them.

Logrotate is a utility to rotate logs into a manageable size. Depending on the options, logs can be rotated at a fixed interval, on size, on the age of the log, etc.

There were two options:

  1. Either increase the old log retention period in logrotate
  2. Copy the logs to a separate location and archive them, with the default log retention period which removes old log files

In the first option the default log directory gets cluttered with old logs; in the second option, however, the directory stays neat and you have a separate location where you dump the old logs.

In this post I edit the file /etc/logrotate.d/httpd and leave the default settings in /etc/logrotate.conf alone, which is the recommended practice.

Contents of /etc/logrotate.conf:

###START-of-config###

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

###END-of-config###

And the default contents of /etc/logrotate.d/httpd:

###START-of-httpd###

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}

###END-of-httpd###

After modification the file will be:

###START-of-NEW-httpd###

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
        /usr/bin/rsync -a /var/log/httpd/* /srv/backup/
    endscript
}

###END-of-NEW-httpd###

As you can see, I have used rsync to move the files; using rsync is necessary, as it skips overwriting the files which were already copied.
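A postrotate helper that makes the two properties you want from this archive step explicit, added as an example that is not from the original post: only rotated files (the dateext names such as access_log-20180113, never the live access_log) are copied, and an archive copy that already exists is never touched, so a later run cannot replace an earlier copy of the same rotated log. Source and destination are arguments so it can be tried in a scratch directory before it goes into /etc/logrotate.d/httpd.

```shell
#!/bin/sh
# Copy rotated httpd logs into an archive directory without ever overwriting
# an existing archive copy. Added example, not from the original post.
# Intended postrotate line (hypothetical path):
#   /usr/local/sbin/archive-httpd-logs /var/log/httpd /srv/backup

# archive_rotated SRC_DIR DEST_DIR
# Copies every file whose name looks like a dateext-rotated log
# (<name>log-<digits>..., compressed or not) that is not yet in DEST_DIR.
# Prints the name of each file copied; returns 1 if a copy fails.
archive_rotated() {
  src=$1; dst=$2
  mkdir -p "$dst" || return 1
  for f in "$src"/*log-[0-9]*; do
    [ -f "$f" ] || continue              # glob matched nothing
    name=$(basename "$f")
    if [ -e "$dst/$name" ]; then
      continue                           # already archived: leave it untouched
    fi
    cp -p "$f" "$dst/$name" || return 1  # -p keeps the original timestamps
    echo "$name"
  done
}

# Run directly from logrotate's postrotate with the two directories.
if [ $# -eq 2 ]; then
  archive_rotated "$1" "$2"
fi
```

The live access_log and error_log are skipped on purpose; they are the files the web server is still writing to, and the rotated copy of them arrives on the next rotation.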

In India some IT companies and universities have restrictive firewalls, and you are forced to use a proxy server which they maintain.

As a system admin/engineer you might want to connect to servers, but this will not be possible from such networks.

Sites like YouTube, Gmail, etc. are blocked. I have been in networks which block even technical blog sites, which are harmless/helpful for the company. This might not be a problem if you are using them for entertainment, but platforms like edX make use of YouTube, and blocking an educational platform works against you. Blocking technical blogs does not help employees.

I am writing this post, which might help you to have private access. Use the following steps at your own risk, as every company has its own policy; you might want to check it once, and if they are sane enough or have a provision for exceptions, you might want to talk to them and ask them to relax the unnecessary restrictions rather than bypassing them.

OK, first, we need the following prerequisites:

1) A server running BSD or GNU/Linux on an external network with a public IP address.

2) The above server running ssh on port 443.

3) An SSH client plus tunnel software on your PC, which is on the restricted network allowing at least 443 (https). On BSD/Linux you will have openssh, proxytunnel, corkscrew; on Windows use PuTTY.

Without the above, the following steps in this post won't work for you. There are multiple ways of achieving a tunnel, but this post focuses on one specific way.

==Get a remote server==

You will need a remote server running ssh, you can get one from digitalocean or vultr, both of them offer VPSs with Unix-like operating systems on which you can configure ssh.

==Configure ssh to listen on port 443 on remote server==

Now that you have this server, configure ssh, which by default listens on port 22, to listen on both 22 and 443.

In the file "/etc/ssh/sshd_config", look for the line "Port 22" and add "Port 443".

You will need to have:

Port 22

Port 443

Once this is edited, restart the ssh daemon after checking for possible errors in the config file.

As a privileged user run "sshd -t" and fix any error it outputs, then restart the service using "service sshd restart". If you restart when there are errors, you risk losing your connection to the server. If necessary, check and change the firewall settings to let port 443 be accessible.

==Configure and create a tunnel on a FreeBSD client PC==

Install tunneling software like proxytunnel, corkscrew or httptunnel along with the openssh client.

shell> pkg install proxytunnel

Configure proxytunnel to use the HTTP proxy for connecting to the remote ssh server running on port 443. For this, edit the "~/.ssh/config" file which your ssh client uses.

And add:

Host <ip_address_of_remote_server_here>
    ProxyCommand proxytunnel -p http.proxy.server.here:port_number_here -d remote_server_ip_here:443
    # Optional: ensures the connection stays alive while it is not being used.
    ServerAliveInterval 60
    # Optional: speeds up the authentication.
    GSSAPIAuthentication no

For instance, it could be:

Host 1.2.3.4
    ProxyCommand proxytunnel -p proxy.example.com:8080 -d 1.2.3.4:443

What this does is: when you issue the command "ssh user@1.2.3.4", ssh reads the config file and applies the directives for this particular host/IP, which in this case direct it to use the "proxytunnel" command to tunnel your connection over the proxy given with "-p" to the destination given with "-d".

It works because the remote destination is listening on port 443 and the restrictive proxy allows 443, so the proxy thinks that you are initiating an https connection.

With this you can now ssh to the remote host 1.2.3.4.

If you have a proxy which requires authentication, use the -P option of proxytunnel, like:

ProxyCommand proxytunnel -p proxy.example.com:8080 -P user_name:password_here -d 1.2.3.4:443

==Create a socks proxy==

Once you can create an ssh connection, with openssh you can take it further and create a socks proxy which can be used by applications that support socks, like web browsers. Before following along, open canihazip.com in your browser and note down the IP address you currently have.

Next, from the command line:

ssh -p 443 -D localhost:8888 user@<remote_server_ip>

With this, ssh now listens on localhost (which is 127.0.0.1) on port 8888; all communication on this port is passed through the remote_server_ip on port 443.

Now change the proxy settings of the application to use this tunnel. In a browser, set the socks proxy and open canihazip.com; your IP must be different.

Limitations:

This might not work:

If the network is using a packet analyzer and they actively block ssh packets.

If the HTTP proxy does not support the CONNECT method.

If https is not supported over the proxy.

These are unlikely, as they cripple network access for normal usage, unless you have a paranoid admin.

An application running on the client must support socks. Or you can configure an HTTP proxy which uses the socks proxy; for this you need privoxy, proxychains, polipo, etc.

Further reading:

https://wiki.archlinux.org/index.php/HTTP_tunneling

https://wiki.archlinux.org/index.php/Privoxy

There are a few compelling reasons why I switched from Debian/Ubuntu to FreeBSD 10.x. This was written after using FreeBSD 10.1 for more than 3 months, and is now on my production PC/workstation.

Software:

Debian stable comes with a large tested repository with regular security updates, but somewhat old software; the same goes for Ubuntu LTS, where the software starts getting a little old. FreeBSD on the other hand packages (credit to volunteers) the most recent software possible; the current number of packages on FreeBSD stands at around 24k, which is comparable to Debian. Debian splits every application into binaries, documentation, *-devel, so the number looks bigger on Debian/Ubuntu.

Stability:

One of the reasons to use Debian over Ubuntu and any other GNU/Linux distribution is its stability. You deploy an application and it runs without much maintenance. FreeBSD is also known for its stability, so it's a tie.

Documentation:

Now this is where FreeBSD stands out, with an impressive manual which covers most necessary things a user might require. The other projects which can compete are Arch and Gentoo. Debian falls short here.

Package management:

Debian is known for its package manager apt-get/aptitude (dpkg), and Arch's new pacman is also a good contender. FreeBSD was lacking one until version 9 or 10, when it started including pkg. This is another reason which made me try FreeBSD; I was reluctant to use a distribution where the primary way to install applications was compiling them from source. pkg is good enough, with room for improvement; it behaves like apt-get but with a single command, like yum. No more apt-cache, apt-get, dpkg for different things; it makes my life simple.

Enterprise Features:

Some features like BSD jails, ZFS and boot environments really impressed me. Why? Because I have seen enterprise Unix/Linux teams struggle with virtualization and storage management using VMware, KVM, Veritas Volume Manager, etc. Then I saw how Solaris 10 solved it with zones, ZFS, and boot environments.

This made me wonder: how do CentOS/Debian stack up?

For containers, we have Linux Containers (LXC), but they are not as robust as OpenVZ containers, and OpenVZ is not supported in the mainline kernel; you have to install a custom vzkernel. Some kernel-space applications don't work with a modified kernel, and modifying the default setup voids the warranty! You don't get support if you are not using the stock kernel.

GNU/Linux still does not have a default go-to container virtualization. I don't count Docker here, as it is just LXC with enhancements (at the time of writing); it also follows a different path, and I prefer the Unix way. There are no plans to include OpenVZ support in the mainline kernel.

On the storage front GNU/Linux has ZFS on Linux (ZoL), but it is not native yet, still under development and missing features. Btrfs is new and struggles with performance. I wonder why Oracle does not license ZFS under a bi/tri-license like Mozilla, instead of developing yet another file system.

What about LVM? Why do you need another layer of management when the file system acts as both file system and volume manager? Use ZFS!

Both FreeBSD and Solaris have boot environment support. This makes it easy to upgrade your production servers and switch back if you face any issues with the new environment. Updating servers is fun!

GNU/Linux equivalent is not robust yet.

Other goodies:

There are some other reasons to choose FreeBSD, like managing services with rc.conf; compare this with CentOS 6, where you use chkconfig, and Debian, where you use update-rc.d. CentOS chkconfig is pretty easy to get used to, but Debian's update-rc.d feels like it is still under development.

Unlike GNU/Linux, which uses SysV init, there are no run levels in FreeBSD, only modes like single-user and multi-user and states like reboot and halt. I still cannot understand the rationale behind run levels and why we need them.

Conclusion:

Debian is known for its stability, large repository of applications. However it does fall short in other spheres.

Arch and Gentoo, though they have good documentation and broad software support, still fall behind in areas like package management, stability and ease of use: the core repository of Arch is not large enough, the security advisory support is not reliable and things tend to break. Gentoo expects you to compile. I can't, and I prefer to use package managers.

FreeBSD becomes a good alternative in such a comparison. However, FreeBSD still needs to improve on drivers and laptop support (FreeBSD cannot be at fault, vendors!), and it will; as the user base increases it can come on par with any GNU/Linux distribution. I have seen how Ubuntu evolved release after release and how it improved.

Personally, I am getting old and just need a cozy comfortable environment and consistent way of managing things, FreeBSD provides that.

Think I have got something right/wrong? Comment below with references and links. If you are a new user to FLOSS world, I recommend starting with something easier like PC-BSD or GhostBSD. If you prefer GNU/Linux try Linux Mint. If you are an experienced user, try running FreeBSD on a spare machine or in a virtual machine(for example using Oracle VirtualBox).