apt-get install openvpn
openvpn --genkey --secret /etc/openvpn/mysecret.key
 
vi /etc/openvpn/server-udp-53.conf

server:~# wget -q http://updates.vmd.citrix.com/XenServer/5.5.0/GPG-KEY -O- | apt-key add -

apt-get install nginx

user www-data;
 
error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;
 
worker_processes  16;
worker_rlimit_nofile 32768;
events {
	worker_connections  8192;
	use epoll;
} 
 
http {
    include       /etc/nginx/mime.types;
 
    access_log	/var/log/nginx/access.log;
 
    sendfile			on;
    #tcp_nopush		on;
 
    #keepalive_timeout	 0;
    keepalive_timeout	65;
    tcp_nodelay		on;
 
    gzip			on;
 
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

upstream pool_dynamic {
	server 192.168.1.11:80;
	server 192.168.1.12:80;
}
upstream pool_static {
	server 192.168.1.11:80;
	server 192.168.1.12:80;
}
 
server {
	listen   80;
	server_name  _;
 
	#access_log /var/log/nginx/localhost.access.log;
	access_log	off;
 
	location / {
		proxy_pass		http://pool_dynamic;
		include		/etc/nginx/proxy.conf;
		access_log		/var/log/nginx/dynamic.access.log;
	}
 
	location ~* ^.+.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf|wma|wmv)$ {
		proxy_pass		http://pool_static;
		include		/etc/nginx/proxy.conf;
		#access_log	/var/log/nginx/static.access.log;
		access_log		off;
	}
 
	location ~ /\.ht {
		deny  all;
	}
 
	location /nginx_status {
		# copied from http://blog.kovyrin.net/2006/04/29/monitoring-nginx-with-rrdtool/
		stub_status	on;
		access_log		off;
		allow			all;
	}
 
}

proxy_redirect			off;
proxy_set_header		Host $host;
proxy_set_header		X-Real-IP $remote_addr;
proxy_set_header		X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size		10m;
client_body_buffer_size	128k;
proxy_connect_timeout	90;
proxy_send_timeout		90;
proxy_read_timeout		90;
proxy_buffer_size		4k;
proxy_buffers			4 32k;
proxy_busy_buffers_size	64k;
proxy_temp_file_write_size	64k;

#!/bin/sh
#
# rc.firewall - Initial IP Firewall
#
 
INET_IFACE="eth0"
IPTABLES="/sbin/iptables"
 
IP_ALLOW="61.19.249.66"
IP_BAND=""
ICMP_ALLOW="0 3 5 11"
TCP_ALLOW="22 25 53 80 8000 90 3128 20001" 
UDP_ALLOW="53"
 
FTP_PORT="1024:65335"
FTP_ENABLE=1
 
 
SSH_ATTACH=1
SSH_HITCOUNT=5
SSH_PORT=22
 
PORTSCAN_CHECK=1
SPOOFINGIP_CHECK=1
 
LOGLEVEL="DEBUG"
 
 
#
# Load IPTables Modules
#
modprobe ip_conntrack
modprobe ip_conntrack_ftp
 
#
# Reset IPTables
#
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t nat
 
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N vip_packets
$IPTABLES -N band_packets
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N log_attach
 
$IPTABLES -N DROP_TRAFFIC
 
 
 
#
# Drop packet
#
$IPTABLES -A DROP_TRAFFIC -p TCP -j REJECT --reject-with tcp-reset 
$IPTABLES -A DROP_TRAFFIC -p UDP -j REJECT --reject-with icmp-port-unreachable
 
#
# Log Attack
#
$IPTABLES -A log_attach -j LOG --log-level $LOGLEVEL --log-prefix "Attack:"
$IPTABLES -A log_attach -j DROP_TRAFFIC
 
 
#
# VIP IPaddress
#
for ip in $IP_ALLOW
do
        $IPTABLES -A vip_packets -s $ip -j DROP_TRAFFIC
done
 
 
#
# Band IPaddress
#
for ip in $IP_BAND
do
        $IPTABLES -A band_packets -s $ip -j DROP_TRAFFIC
done
 
 
 
#
# ICMP rules
#
for icmp in $ICMP_ALLOW
do
        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type $icmp -j ACCEPT
done
 
#
# TCP rules
#
for port in $TCP_ALLOW
do
        $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport $port -j ACCEPT
done
 
#
# UDP rules
#
for port in $UDP_ALLOW
do
        $IPTABLES -A udp_packets -p UDP -s 0/0 --dport $port -j ACCEPT
done
 
 
#
# INPUT chain
#
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $INET_IFACE ! --syn -m state --state NEW -j log_attach
 
#
# Rules for incoming packets from the internet
#
 
if [ "$SPOOFINGIP_CHECK" == "1" ]; then
	$IPTABLES -N spoofing_check
 
	$IPTABLES -A spoofing_check -s 10.0.0.0/8 -j DROP_TRAFFIC
	$IPTABLES -A spoofing_check -s 169.254.0.0/16 -j DROP_TRAFFIC
	$IPTABLES -A spoofing_check -s 172.16.0.0/12 -j DROP_TRAFFIC
	$IPTABLES -A spoofing_check -s 127.0.0.0/8 -j DROP_TRAFFIC
 
	$IPTABLES -A spoofing_check -s 224.0.0.0/4 -j DROP_TRAFFIC
	$IPTABLES -A spoofing_check -d 224.0.0.0/4 -j DROP_TRAFFIC
	$IPTABLES -A spoofing_check -s 240.0.0.0/5 -j DROP_TRAFFIC
	$IPTABLES -A spoofing_check -d 240.0.0.0/5 -j DROP_TRAFFIC
	$IPTABLES -A spoofing_check -s 0.0.0.0/8 -j DROP_TRAFFIC
	$IPTABLES -A spoofing_check -d 0.0.0.0/8 -j DROP_TRAFFIC
	$IPTABLES -A spoofing_check -d 239.255.255.0/24 -j DROP_TRAFFIC
	$IPTABLES -A spoofing_check -d 255.255.255.255 -j DROP_TRAFFIC
 
	$IPTABLES -A INPUT -i $INET_IFACE -j spoofing_check
fi
 
if [ "$SSH_ATTACH" == "1" ]; then
        $IPTABLES -N sshattach_check
        $IPTABLES -A sshattach_check -m recent --set --name SSH
        $IPTABLES -A sshattach_check -m recent --update --seconds 60 --hitcount $SSH_HITCOUNT --name SSH -j log_attach
 
        $IPTABLES -A INPUT -i $INET_IFACE -p tcp --dport $SSH_PORT -m state --state NEW -j sshattach_check
fi
 
#
# Port scan
#
if [ "$PORTSCAN_CHECK" == "1" ]; then
	$IPTABLES -N check-flags
	$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "NMAP:"
	$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP_TRAFFIC
	$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "XMAS:"
	$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP_TRAFFIC
	$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "XMAS-PSH:"
	$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP_TRAFFIC
	$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "NULL_SCAN:"
	$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP_TRAFFIC
	$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "SYN/RST:"
	$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP_TRAFFIC
	$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level $LOGLEVEL --log-prefix "SYN/FIN:"
	$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP_TRAFFIC
 
	$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j check-flags
fi
 
 
if [ "$FTP_ENABLE" == "1" ]; then
        #Allow FTP traffic (Control)
        iptables -A INPUT -p tcp --sport $FTP_PORT --dport 21 -j ACCEPT
        iptables -A OUTPUT -p tcp --sport 21 --dport $FTP_PORT -j ACCEPT
 
        #Allow FTP traffic (Data)
        iptables -A INPUT -p tcp --sport $FTP_PORT --dport 20 -j ACCEPT
        iptables -A OUTPUT -p tcp --sport 20 --dport $FTP_PORT -j ACCEPT
fi
 
 
$IPTABLES -A INPUT -i $INET_IFACE -j vip_packets
$IPTABLES -A INPUT -i $INET_IFACE -j band_packets
 
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
 
 
# Default policy
$IPTABLES -A INPUT -i $INET_IFACE -j DROP_TRAFFIC

MacClient:~ UserA$ ssh-keygen -t rsa

MacClient:~ UserA$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/UserA/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/UserA/.ssh/id_rsa.
Your public key has been saved in /Users/UserA/.ssh/id_rsa.pub.
The key fingerprint is:
a4:74:0b:bc:2f:d1:f5:c7:4e:90:51:7f:f4:45:84:a0 UserA@MacClient

MacClient:~ UserA$ ssh UserA@UbuntuServer mkdir -p .ssh

MacClient:~ UserA$ ssh UserA@UbuntuServer mkdir -p .ssh
UserA@vmtuserver's password:

MacClient:~ UserA$ cat .ssh/id_rsa | ssh UserA@UbuntuServer 'cat >> .ssh/authorized_keys'

MacClient:~ UserA$ cat .ssh/id_rsa | ssh UserA@UbuntuServer 'cat >> .ssh/authorized_keys'
UserA@vmtuserver's password:

MacClient:~ UserA$ ssh UserA@UbuntuServer

MacClient:~ UserA$ ssh UserA@UbuntuServer
Linux UbuntuServer 2.6.24-19-server #1 SMP Wed Jun 18 15:18:00 UTC 2008 i686
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
Last login: Tue Jan 13 00:14:19 2009 from MacClient
UserA@UbuntuServer:~$

cat /proc/version

Linux version 2.6.27-9-generic (buildd@rothera) (gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu11) ) #1 SMP Thu Nov 20 21:57:00 UTC 200

cat /etc/issue

Ubuntu 8.10 \n \l

Server# apt-get install openvpn
Server# vi /etc/openvpn/server.conf

Client# apt-get install openvpn
Client# vi /etc/openvpn/client.conf

Server# /etc/init.d/openvpn start
Client# /etc/init.d/openvpn start

#!/bin/sh
 
#
#	Check Proxy	v.10
#	By Auttasak Wongkitta
#	http://howtoconfig.com
 
PROXY="192.168.100.254:3128"
URL="http://manager.co.th"
LINUX_IP="192.168.100.254"
LINUX_IF="eth2.1"
 
RESULT=$(curl -x $PROXY  $URL 2>/dev/null | wc -l)
USEPROXY=$(iptables -t nat -L PREROUTING -n | grep $PROXY | wc -l)
 
if [ $RESULT -eq 0 ]; then
        if [ $USEPROXY -ne 0 ]; then
                iptables -t nat -D PREROUTING -i $LINUX_IF -d ! $LINUX_IP -p tcp --dport http -j DNAT --to $PROXY
        fi
else
        if [ $USEPROXY -eq 0 ]; then
                iptables -t nat -A PREROUTING -i $LINUX_IF -d ! $LINUX_IP -p tcp --dport http -j DNAT --to $PROXY
        fi
fi

#!/bin/sh
#
#    Howtoconfig.com
#    Squid Log Rotate v0.1
#    By Mr. Auttasak Wongkitta
 
SQUID_CONF="/etc/squid/squid.conf"
COMPRESS=yes
LOG="/var/log/backup_log"
 
###############################
DATE=$(date "+%Y%m%d-%H")
HOSTNAME=$(hostname -s)
SQUID_PATH=$(whereis squid | awk '{print $2}')
 
SQUID_LOG=$(cat $SQUID_CONF | grep "^access_log" | awk '{print $2}')
if [ -z $SQUID_LOG ]; then
echo " * Error : access_log not found!!!"
fi
SQUID_LOG_NEW="$SQUID_LOG-$HOSTNAME-$DATE"
 
###############################
Log()
{
local LogText;
LogText="$@"
echo $(date +"%d/%m/%y %T")  "   " $LogText >> $LOG
}
###############################
###############################
Log ""
Log ""
Log "--------------------------------------------"
Log "Squid log rotate - startup"
Log ""
 
Log "Rotate Log"
$SQUID_PATH -k rotate
Log "done"
Log ""
 
Log "Loop check $SQUID_LOG.0"
while [ ! -f $SQUID_LOG.0 ]; do
sleep 1;
done
Log "done"
Log ""
 
Log "Move $SQUID_LOG.0 $SQUID_LOG_NEW"
mv $SQUID_LOG.0 $SQUID_LOG_NEW
Log "done"
Log ""
 
if [ -f $SQUID_LOG_NEW ]; then
Log "MD5 Sum : $SQUID_LOG_NEW"
SQUID_MD5=$(md5sum $SQUID_LOG_NEW | awk '{print $1}')
Log "Checksum : $SQUID_MD5"
Log "done"
Log ""
fi
 
if [ $COMPRESS=='yes' ]; then
Log "Compress log $SQUID_LOG_NEW"
SIZE_OLD=$(ls -sh $SQUID_LOG_NEW | awk '{print $1}')
tar jpcf $SQUID_LOG_NEW.tar.bz2 $SQUID_LOG_NEW 2>/dev/null
SIZE_NEW=$(ls -sh $SQUID_LOG_NEW.tar.bz2 | awk '{print $1}')
Log "Compress from $SIZE_OLD -> $SIZE_NEW"
Log "done"
Log ""
 
if [ -f $SQUID_LOG_NEW.tar.bz2 ]; then
Log "Remove file : $SQUID_LOG_NEW"
rm $SQUID_LOG_NEW
Log "done"
Log ""
fi
fi
 
Log ""
Log "End"