Linux Blimp

Oct 16, 2018, 23:00 (0 Talkback[s])

(Other stories by Sean Michael Kerner)

The U.S. government has advanced email security significantly over the course of the past year, thanks to the adoption of the Domain-based Message Authentication, Reporting and Conformance (DMARC) email security protocols.

As of Oct. 16, a large set of U.S. federal government agencies are required to be compliant with the Department of Homeland Security (DHS) 18-01 binding operational directive (BOD), which mandates the use of DMARC. The directive was issued in October 2017, giving agencies a year to incrementally implement the new email security approach.

Complete Story

Related Stories:

• How to Set Up and Implement DMARC Email Security(Jan 25, 2018)

Source

Source

mesa-17.0.0-3 can now be installed side-by-side with nvidia-378.13 driver without any libgl/libglx hacks, and with the help of Fedora and upstream xorg-server patches.

• First step was to remove the libglx symlinks with xorg-server-1.19.1-3 and associated mesa/nvidia drivers through the removal of various libgl packages. It was a tough moment because it was breaking optimus system, xorg-server configuration needs manual updating.
• The second step is now here, with an updated 10-nvidia-drm-outputclass.conf file that should help to have an “out-of-the-box” working xorg-server experience with optimus system.

Please test this extensively and post your feedback in this forum thread or in our bugtracker.

Source

Despite it being 2018, there is still a common misconception related to Linux; that Linux is mainly utilized for people who want better access to their operating system. While that is most certainly true, there are many reasons why Linux also stands out as a better operating system than Windows.

Furthermore, Windows has strategically placed itself as the go-to OS in the world and most devices have partnered with them and are providing Windows as their default OS. This highlights the problems of users being forced to use something.

However, there are always options. To make up your mind, today we will discuss the top 5 reasons why Linux is a better operating system than Windows.

First and foremost, the major difference between both operating systems is that Linux is free whereas Windows is not. For those interested in premium quality, Linux is the go-to solution irrespective of the fact whether they want to utilize their OS as a desktop or a server.

In addition to that, the related applications are also completely free and open source. This is a massive difference when drawing a comparison with Windows. Although Windows does provide the flexibility of installing free software – they are generally cracked meaning that they are an illegal copy of the original software.

This also raises a key point of security, which Linux deals with swiftly. On the other hand, Windows is prone to security threats and other Trojans; this also eliminates the need for an anti-virus in Linux-based systems.

For those looking for a free and a safer option, Linux is the obvious answer.

2. Compatible with Lower-end Hardware

To improve the user experience, Windows put a minimum hardware requirement which limits users who own a lower tier device. The newer version of Windows, such as 7, 8 and 10 require at least 1GB RAM. The Windows experience on devices, which barely meet the minimum requirement, is rather poor; the devices experience awfully slow performance along with auto shutdown of the devices.

Similarly, older generation laptops have aging components and since Linux consumes fewer system resources (RAM, disk space etc), it makes Linux the ideal operating system for those devices.

With the introduction of simpler distros like Ubuntu and Elementary OS, users migrating from Windows can enjoy similar but simpler graphical user-friendliness. This acts as an added incentive as to why users should opt for Linux.

3. No need for drivers anymore:

If you have ever used a Windows device for an extensive period of time, then you are automatically aware of the struggle of finding drivers for the device itself and for other devices you want to connect for example a printer.

With Linux, users don’t have to worry about additional drivers as most of them are supported directly by the Linux kernel; this implies that most devices are plug and play for Linux, which is a huge advantage for consumers.

This alone can be a reason to switch to Linux as the annoyance of having to deal with finding the right drivers and making them work with the particular model of the device you have.

4. Reliability is Key!

How often have you ended up pressing the Ctrl-Alt-Del combination on Windows? Probably enough times to lose count. This is one of the biggest drawbacks of Windows operating system that applications often face issues while launching, often aggravated due to device’s limitations.

However, with Linux, users experience unparalleled up-time. The operating system provides built-in security which helps keep the system secure from all the harm which might be caused later on.

Traditionally, Unix-like systems are renowned for running without registering a single issue or failure which demands a restart; this is a key aspect to consider when choosing a server system. This is why most servers in the modern world are running Linux.

5. Massive Community Support

The best thing about being a Linux user is perhaps that you will never feel alone if an issue arises. Apart from a handful of forums, you can drop by any forum with your problems; either you will find a solution right away or someone will always try to help you out since the community members are very active.

There is no doubt that every operating system has its pros and cons. However, Linux has many reasons to be picked over Windows OS. Linux provides flexibility and good control over everything whereas those things are limited in Windows OS. The number of flavors it provides can cater to the needs of various users; be it a graphic designer, programmer or a content writer.

What do you think about our list? If you are an avid user of Linux let us know what you like most about the OS and how it compares with Windows OS?

Source

Whether you want to access the Internet safely and securely while connected on an untrusty public Wi-Fi network, bypass Geo-restricted content or allow your coworkers to connect securely to your company network when working remotely, using a VPN is the best solution.

VPN allows you to connect to remote VPN servers, making your connection encrypted and secure and surf the web anonymously by keeping your traffic data private.

There are many commercial VPN providers you can choose from, but you can never be truly sure that the provider is not logging your activity. The safest option is to set up your own VPN server.

This tutorial will walk you through the process of setting up your own VPN server by installing and configuring OpenVPN. We will also show you how to generate clients certificates and create configuration files

OpenVPN is a fully featured, open-source Secure Socket Layer (SSL) VPN solution. It implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol.

Prerequisites

To complete this tutorial, you will need:

• Sudo access to an Ubuntu 18.04 server to host your OpenVPN instance.
• The server should have a basic UFW firewall configured.
• Separate dedicated machine to serve as your CA (certificate authority). If you don’t want to use a dedicated machine for your CA, you can build the CA on your OpenVPN server or your local machine. Once you are done building the CA it’s recommended to move the CA directory somewhere secure or offline.

This tutorial assumes that the CA is on a separate Ubuntu 18.04 machine. The same steps (with small modifications) will apply if you’re using your server as a CA.

The reason why we are using a separate CA machine, is to prevent attackers to infiltrate the server. If an attacker manages to access the CA private key they could use it to sign new certificates, which will give them access to the VPN server.

Building CA with EasyRSA

When setting up a new OpenVPN server the first step is to build a Public Key Infrastructure (PKI). To do so we’ll need to create the following:

• A Certificate Authority (CA) certificate and private key.
• A separate certificate and private key pair for the server issued by our CA.
• A separate certificate and private key pair for each client issued by our CA.

As mentioned in the prerequisites for security reasons, we’ll build the CA on a standalone machine.

To create CA, certificates requests and sign certificates we will use a CLI utility named EasyRSA.

Perform the following steps on your CA machine.

1. First, download the latest release of EasyRSA from the project Github repository with the following wget command:

   cd && wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz

2. Once the download is completed extract the archive with:

   tar xzf EasyRSA-nix-3.0.5.tgz

3. Switch to the EasyRSA directory and create a configuration file named vars by copying the vars.example file:

   cd ~/EasyRSA-3.0.5/
   cp vars.example vars

4. Open the file and uncomment and update the following entries to match your information.

   nano ~/EasyRSA-3.0.5/vars

   ~/EasyRSA-3.0.5/vars

   set_var EASYRSA_REQ_COUNTRY “US”
   set_var EASYRSA_REQ_PROVINCE “Pennsylvania”
   set_var EASYRSA_REQ_CITY “Pittsburgh”
   set_var EASYRSA_REQ_ORG “Linuxize”
   set_var EASYRSA_REQ_EMAIL “[email protected]”
   set_var EASYRSA_REQ_OU “Community”

5. Before generating a CA keypair first we need to initialize a new PKI with:

   init-pki complete; you may now create a CA or requests.
   Your newly created PKI dir is: /home/causer/EasyRSA-3.0.5/pki

6. The next step is to build the CA:

   If you don’t want to be prompted for a password each time you sign your certificates, run the build-ca command using the nopass option: ./easyrsa build-ca nopass.

   …
   Enter PEM pass phrase:
   Verifying – Enter PEM pass phrase:
   —–
   …
   —–
   Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

   CA creation complete and you may now import and sign cert requests.
   Your new CA certificate file for publishing is at:
   /home/causer/EasyRSA-3.0.5/pki/ca.crt

   You’ll be asked to set a password for the CA key and enter a common name for your CA.

   Once completed, the script will create two files — CA public certificate ca.crt and CA private key ca.key.

   Now that the Certificate Authority (CA) is created, you can use it to sign certificate requests for one or multiple OpenVPN servers and clients.

Installing OpenVPN and EasyRSA

Our next step is to install the OpenVPN package which is available in Ubuntu’s repositories and download the latest version of EasyRSA.

The following steps are performed on the OpenVPN server.

1. OpenVPN installation is pretty straightforward, just run the following commands on the OpenVPN server:

   sudo apt update
   sudo apt install openvpn

2. Download the latest release of EasyRSA:

   cd && wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz

   Once the download is completed type the following command to extract the archive:

   tar xzf EasyRSA-nix-3.0.5.tgz

   Although we have already initialized a PKI on the CA machine, we also need to create a new PKI on the OpenVPN server. To do so, use the same commands as before:

   cd ~/EasyRSA-3.0.5/
   ./easyrsa init-pki

   If you still wonder why we need two EasyRSA installations, it is because we will use this EasyRSA instance to generate certificate requests which will be signed using the EasyRSA instance on the CA machine.

   It may sound complicated, and little confusing but once you read the whole tutorial you’ll see that it really isn’t complicated.

Creating Diffie-Hellman and HMAC keys

In this section we will generate a strong Diffie-Hellman key which will be used during the key exchange and a HMAC signature file to add an additional layer of security to the connection.

1. First navigate to the EasyRSA directory on your OpenVPN server.
2. Generate a Diffie-Hellman key:

   The script will generate 2048-bit long DH parameters. This can take some time, especially on servers with little resources. Once completed the following message will be printed on your screen:

   DH parameters of size 2048 created at /home/serveruser/EasyRSA-3.0.5/pki/dh.pem

   Copy the dh.pem file to the /etc/openvpn directory:

   sudo cp ~/EasyRSA-3.0.5/pki/dh.pem /etc/openvpn/

3. Generate a HMAC signature:

   sudo openvpn –genkey –secret ta.key

   Once completed copy the ta.key file to the /etc/openvpn directory:

   sudo cp ~/EasyRSA-3.0.5/ta.key /etc/openvpn/

Creating Server Certificate and Private Key

This section describes how to generate a private key and certificate request for the OpenVPN server.

1. Navigate to the EasyRSA directory on your OpenVPN server and generate a new private key for the server and a certificate request file:

   cd ~/EasyRSA-3.0.5/
   ./easyrsa gen-req server1 nopass

   We are using the nopass argument because we want to start the OpenVPN server without a password input. Also in this example we are using server1 as a server name (entity) identifier. If you choose a different name for your server don’t forget to adjust the instructions below where the server name is used.

   The command will create two files, a private key (server1.key) and a certificate request file (server1.req).

   —–
   Common Name (eg: your user, host, or server name) [server1]:

   Keypair and certificate request completed. Your files are:
   req: /home/serveruser/EasyRSA-3.0.5/pki/reqs/server1.req
   key: /home/serveruser/EasyRSA-3.0.5/pki/private/server1.key

2. Copy the private key to the /etc/openvpn directory:

   sudo cp ~/EasyRSA-3.0.5/pki/private/server1.key /etc/openvpn/

3. Transfer the certificate request file to your CA machine:

   In this example we are using scp to transfer the file, you can also use rsync over ssh or any other secure method.

4. Login to your CA machine, switch to the EasyRSA directory and import the certificate request file:

   cd ~/EasyRSA-3.0.5
   ./easyrsa import-req /tmp/server1.req server1

   The first argument is the path to the certificate request file and the second one is the server short (entity) name. In our case the server name is server1.

   The request has been successfully imported with a short name of: server1
   You may now use this name to perform signing operations on this request.

   This command just copies the request file into the pki/reqs directory.

5. While still in the EasyRSA directory on CA machine run the following command to sign the request:

   cd ~/EasyRSA-3.0.5
   ./easyrsa sign-req server server1

   The first argument can either be server or client and the second one is the server short (entity) name.

   You’ll be prompted to verify that the request comes from a trusted source. Type yes and press enter to confirm:

   You are about to sign the following certificate.
   Please check over the details shown below for accuracy. Note that this request
   has not been cryptographically verified. Please be sure it came from a trusted
   source or that you have verified the request checksum with the sender.

   Request subject, to be signed as a server certificate for 1080 days:

   subject=
   commonName = server1

   Type the word ‘yes’ to continue, or any other input to abort.
   Confirm request details: yes
   …

   If your CA key is password protected, you’ll be prompted to enter the password. Once verified the script will generate the SSL certificate and print the full path to it.

   …
   Certificate is to be certified until Sep 17 10:54:48 2021 GMT (1080 days)

   Write out database with 1 new entries
   Data Base Updated

   Certificate created at: /home/causer/EasyRSA-3.0.5/pki/issued/server1.crt

6. Next step is to transfer the signed certificate server1.crt and ca.crt files back to your OpenVPN server. Again you can use scp, rsync or any other secure method:
7. Login to your OpenVPN server, and move the server1.crt and ca.crt files into the /etc/openvpn/ directory:

   sudo mv /tmp/.crt /etc/openvpn/

Upon completing the steps outlined in this section, you should have the following new files on your OpenVPN server:

• /etc/openvpn/ca.crt
• /etc/openvpn/dh.pem
• /etc/openvpn/ta.key
• /etc/openvpn/server1.crt
• /etc/openvpn/server1.key

Configuring the OpenVPN Service

Now that you have the server certificate signed by your CA and transferred to your OpenVPN server, it’s time to configure the OpenVNP service.

We will use the sample configuration file provided with OpenVNP installation package as a starting point and then add our own custom configuration options to it.

Start by extracting the configuration file to the /etc/openvpn/ directory:

sudo sh -c “gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server1.conf”

Open the file with your favorite text editor:

sudo nano /etc/openvpn/server1.conf

• Find the Certificate, Key and DH parameters directives and change the file names:

  /etc/openvpn/server1.conf

  cert server1.crt
  key server1.key

  dh dh.pem

• To redirect the clients traffic through the VPN find and uncomment the redirect-gateway and dhcp-option options:

  /etc/openvpn/server1.conf

  push “redirect-gateway def1 bypass-dhcp”

  push “dhcp-option DNS 208.67.222.222”
  push “dhcp-option DNS 208.67.220.220”

  By default OpenDNS resolvers are used. You can change it and use CloudFlare, Google or any other DNS resolvers you want.

• Find the user and group directives and uncomment these settings by removing the “;” at the beginning of each line:

  /etc/openvpn/server1.conf

  user nobody
  group nogroup

• Append the following line at the end of the file. This directive will change the message authentication algorithm (HMAC) from SHA1 to SHA256

  /etc/openvpn/server1.conf

Once you are done, the server configuration file (excluding comments) should look something like this:

/etc/openvpn/server1.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push “redirect-gateway def1 bypass-dhcp”
push “dhcp-option DNS 208.67.222.222”
push “dhcp-option DNS 208.67.220.220”
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
auth SHA256

Starting OpenVPN Service

In this tutorial we’ve used server1.conf as a configuration file. To start the OpenVPN service with this configuration we need to specify the configuration file name after the systemd unit file name:

On your OpenVPN server run the following command to start the OpenVPN service:

Verify whether the service has started successfully by typing:

If the service is active and running, the output will look something like this:

● [email protected] – OpenVPN connection to server1
Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled)
Active: active (running) since Mon 2018-10-08 20:11:57 UTC; 6min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 26739 (openvpn)
Status: “Initialization Sequence Completed”

Enable the service to automatically start on boot with:

If the OpenVPN service fails to s tart check the logs with sudo journalctl -u [email protected]

When starting, the OpenVPN Server creates a tun device tun0. To check if the device is available type:

The output should look something like this:

4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::1627:9a20:bca8:e6a5/64 scope link stable-privacy
valid_lft forever preferred_lft forever

At this point, your OpenVPN server is configured and running properly.

Firewall and Server Networking Configuration

In order to forward network packets properly we need to enable IP forwarding.

The following steps are performed on the OpenVPN server.

Open the /etc/sysctl.conf file and add or uncomment the line which reads net.ipv4.ip_forward = 0:

sudo nano /etc/sysctl.conf

/etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Once you are finished, save and close the file.

Apply the new settings by running the following command:

If you followed the prerequisites, you should already have a UFW firewall running on your server.

Now we need to add firewall rules to enable masquerading. This will allow traffic to leave the VPN, giving your VPN clients access to the Internet.

Before adding the rules you need to know the public network interface of your Ubuntu OpenVPN Server. You can easily find the interface by running the following command:

ip -o -4 route show to default | awk ”

In our case the interface is named ens3 as shown on the output bellow. Your interface will probably have a different name.

By default, when using UFW the forwarded packets are dropped. We’ll need to change that and instruct our firewall to allow forwarded packets.

Open the UFW configuration file, locate the DEFAULT_FORWARD_POLICY key and change the value from DROP to ACCEPT:

sudo nano /etc/default/ufw

/etc/default/ufw

…
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY=”ACCEPT”
…

Next, we need to set the default policy for the POSTROUTING chain in the nat table and set the masquerade rule.

To do so, open the /etc/ufw/before.rules file and append the lines highlighted in yellow as shown below.

sudo nano /etc/ufw/before.rules

Don’t forget to replace ens3 in the -A POSTROUTING line to match the name of public network interface you found in the previous command. Paste the lines after the last line starting with COMMIT.

/etc/ufw/before.rules

…
# don’t delete the ‘COMMIT’ line or these rules won’t be processed
COMMIT

#NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through ens3 – Change to public network interface
-A POSTROUTING -s 10.8.0.0/16 -o ens3 -j MASQUERADE

# don’t delete the ‘COMMIT’ line or these rules won’t be processed
COMMIT

When you are done, save and close the file.

We also need to open UDP traffic on port 1194 which is the default OpenVPN port. To do so, run the following command:

In case you forgot to open the SSH port, to avoid being locked out run the following command to open the port:

Finally reload the UFW rules by disabling and re-enabling UFW:

sudo ufw disable
sudo ufw enable

To verify the changes run the following command to list the POSTROUTING rules:

sudo iptables -nvL POSTROUTING -t natChain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all — * ens3 10.8.0.0/16 0.0.0.0/0

Creating the Client Configuration Infrastructure

In this tutorial we’ll create a separate SSL certificate and generate a different configuration file for each VPN client.

The client private key and certificate request can be generated either on the client machine or on the server. For simplicity we will generate the certificate request on the server and then send it to the CA to be signed.

The whole process of generating the client certificate and configuration file is as follows:

1. Generate private key and certificate request on the OpenVPN server.
2. Send the request to the CA machine to be signed.
3. Copy the signed SSL certificate to the OpenVPN server and generate a configuration file.
4. Send the configuration file to the VPN client machine.

Start by creating a set of directories to store the clients files:

mkdir -p ~/openvpn-clients/

• base directory will store the base files and configuration that will be shared across all client files.
• configs directory will store the generated client configuration.
• files directory will store client specific certificate/key pair.

Copy the ca.crt and ta.key files to the ~/openvpn-clients/base directory:

cp ~/EasyRSA-3.0.5/ta.key ~/openvpn-clients/base/
cp /etc/openvpn/ca.crt ~/openvpn-clients/base/

Next copy the sample VPN client configuration file into the client-~/openvpn-clients/base directory. We will use this file as a base configuration:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/openvpn-clients/base/

Now we need to edit the file to match our server settings and configuration. Open the configuration file with your text editor:

nano ~/openvpn-clients/base.conf

• Find the remote directive and change the default placeholder with the public IP address of your OpenVPN server:

  ~/openvpn-clients/base.conf

  # The hostname/IP and port of the server.
  # You can have multiple remote entries
  # to load balance between the servers.
  remote 45.76.22.45 1194

• Locate and comment the ca, cert, and key directives. The certs and keys will be added within the configuration file:

  ~/openvpn-clients/base.conf

  # SSL/TLS parms.
  # See the server config file for more
  # description. It’s best to use
  # a separate .crt/.key file pair
  # for each client. A single ca
  # file can be used for all clients.
  # ca ca.crt
  # cert client.crt
  # key client.key

• Append the following line at the end of the file to match the server settings:

  ~/openvpn-clients/base.conf

Once you are done, the server configuration file should look something like this:

~/openvpn-clients/base.conf

client
dev tun
proto udp
remote 45.76.22.45 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
auth SHA256
key-direction 1

Next, create a simple bash script that will merge the base configuration and files with the client certificate and key, and store the generated configuration in the ~/openvpn-clients/configs directory.

Open your text editor and create the following script:

nano ~/openvpn-clients/gen_config.sh

~/openvpn-clients/gen_config.sh

#!/bin/bash

FILES_DIR=$HOME/openvpn-clients/files
BASE_DIR=$HOME/openvpn-clients/base
CONFIGS_DIR=$HOME/openvpn-clients/configs

BASE_CONF=$/client.conf
CA_FILE=$/ca.crt
TA_FILE=$/ta.key

CLIENT_CERT=$/$.crt
CLIENT_KEY=$/$.key

# Test for files
for i in “$BASE_CONF” “$CA_FILE” “$TA_FILE” “$CLIENT_CERT” “$CLIENT_KEY”; do
if [[ ! -f $i ]]; then
echo ” The file $i does not exist”
exit 1
fi

if [[ ! -r $i ]]; then
echo ” The file $i is not readable.”
exit 1
fi
done

# Generate client config
cat > $/$.ovpn <<EOF
$(cat $)
<key>
$(cat $)
</key>
<cert>
$(cat $)
</cert>
<ca>
$(cat $)
</ca>
<tls-auth>
$(cat $)
</tls-auth>
EOF

Save the file and make it executable by running:

chmod u+x ~/openvpn-clients/gen_config.sh

Creating Client Certificate Private Key and Configuration

The process of generating a client private key and certificate request is same as we did when generating a server key and certificate request.

As we already mentioned in the previous section, we’ll generate the client private key and certificate request on the OpenVPN server. In this example the name of or firs VPN client will be client1.

1. Navigate to the EasyRSA directory on your OpenVPN server and generate a new private key and a certificate request file for the client:

   cd ~/EasyRSA-3.0.5/
   ./easyrsa gen-req client1 nopass

   The command will create two files, a private key (client1.key) and a certificate request file (client1.req).

   Common Name (eg: your user, host, or server name) [client1]:

   Keypair and certificate request completed. Your files are:
   req: /home/serveruser/EasyRSA-3.0.5/pki/reqs/client1.req
   key: /home/serveruser/EasyRSA-3.0.5/pki/private/client1.key

2. Copy the private key client1.key to the ~/openvpn-clients/files directory you created in the previous section:

   cp ~/EasyRSA-3.0.5/pki/private/client1.key ~/openvpn-clients/files/

3. Transfer the certificate request file to your CA machine:

   In this example we are using scp to transfer the file, you can also use rsync over ssh or any other secure method.

4. Login to your CA machine, switch to the EasyRSA directory and import the certificate request file:

   cd ~/EasyRSA-3.0.5
   ./easyrsa import-req /tmp/client1.req client1

   The first argument is the path to the certificate request file and the second one is the client name.

   The request has been successfully imported with a short name of: client1
   You may now use this name to perform signing operations on this request.

5. From within the EasyRSA directory on CA machine run the following command to sign the request:

   cd ~/EasyRSA-3.0.5
   ./easyrsa sign-req client client1

   You’ll be prompted to verify that the request comes from a trusted source. Type yes and press enter to confirm:

   If your CA key is password protected, you’ll be prompted to enter the password. Once verified the script will generate the SSL certificate and print the full path to it.

   …
   Certificate created at: /home/causer/EasyRSA-3.0.5/pki/issued/client1.crt

6. Next, transfer the signed certificate client1.crt file back to your OpenVPN server. You can use scp, rsync or any other secure method:
7. Login to your OpenVPN server, and move the client1.crt file into the ~/openvpn-clients/files directory:

   mv /tmp/client1.crt ~/openvpn-clients/files

8. The final step is to generate a client configuration using the gen_config.sh script. Switch to the ~/openvpn-clients directory and run the script using the client name as an argument:

   cd ~/openvpn-clients
   ./gen_config.sh client1

   The script will create a file named client1.ovpn in the ~/client-configs/configs directory. You can check by listing the directory:

   ls ~/client-configs/configs

At this point the client configuration is created. You can now transfer the configuration file to the device you intend to use as a client.

For example to transfer the configuration file to your local machine with scp you should run the following command:

sftp ~/client-configs/files/client1.ovpn your_local_ip:/

To add additional clients, just repeat the same steps.

Connecting Clients

Linux

Your distribution or desktop environment may provide a tool or graphic user interface to connect to OpenVPN servers. In this turtorial we will show you how to connect to the server using the openvpn tool.

• Install OpenVPN on Ubuntu and Debian

  sudo apt update
  sudo apt install openvpn

• Install OpenVPN on CentOS and Fedora

  sudo yum install epel-release
  sudo yum install openvpn

Once the package is installed, to connect to the VPN server use the openvpn command and specify the client configuration file:

sudo openvpn –config client1.ovpn

macOS

Tunnelblick is a free, open source graphic user interface for OpenVPN on OS X and macOS.

Windows

Download and install the latest build of OpenVPN application the OpenVPN’s Downloads page.

Copy the .ovpn file to to the OpenVPN config folder (Users<Name>OpenVPNConfig or Program FilesOpenVPNconfig).

Launch the OpenVPN application.

Right click on the OpenVPN system tray icon and the name of OpenVPN configiration file you copied will be listed on the menu. Click Connect.

Android & iOS

A VPN application developed by OpenVPN is available for both Android and iOS. Install the application and import the client .ovp file.

• Android OpenVPN Connect
• iOS OpenVPN Connect

Revoking Client Certificates

Revoking a certificate means to invalidate a signed certificate so that it can no longer be used for accessing the OpenVPN server.

To revoke a client certificate follow the steps below:

1. Login to your CA machine and switch to the EasyRSA directory:
2. Run the easyrsa script using the revoke argument, followed by the client name you want to revoke:

   You’ll be prompted to verify that you wish to revoke the certificate. Type yes and press enter to confirm:

   Please confirm you wish to revoke the certificate with the following subject:

   subject=
   commonName = client1

   Type the word ‘yes’ to continue, or any other input to abort.
   Continue with revocation: yes
   …

   If your CA key is password protected, you’ll be prompted to enter the password. Once verified the script will revoke the certificate.

   …
   Revocation was successful. You must run gen-crl and upload a CRL to your
   infrastructure in order to prevent the revoked cert from being accepted.

3. Use the gen-crl option to generate a certificate revocation list (CRL):

   An updated CRL has been created.
   CRL file: /home/causer/EasyRSA-3.0.5/pki/crl.pem

4. Upload the CRL file to the OpenVPN server:
5. Login to your OpenVPN server server and move the file to the /etc/openvpn directory:

   sudo mv /tmp/crl.pem /etc/openvpn

6. Open the OpenVPN server configuration file:

   sudo nano /etc/openvpn/server1.conf

   Paste the following line at the end of the file

   ~/openvpn-clients/gen_config.sh

   Save and close the file.

7. Restart the OpenVPN service for the revocation directive to take efect:

   At this point the client should no longer be able to access the OpenVPN server using the revoked certificate.

If you need revoke additional client certificates just repeat the same steps.

Conclusion

In this tutorial you learned how to install and configure an OpenVPN server on an Ubuntu 18.04 machine.

Source

Contents

• What’s the dark web
  
• How to access the dark web
• Installation of TOR browser – Windows and Kali
• Finding onion websites

Dark Web

What is the dark web

In short, dark web is part of the web which requires special software to browse, and isn’t indexed by search engines. (More technical content is enclosed in <extra> tags ahead, and colored purple. Scroll through it if you just want to browse the dark web right away.)

Originally, the internet used telephone network for communication. My first internet connection was a “dial-up” connection which used the telephone network at my house to connect to my ISP. This is what an overlay network is, and in that case, internet was an overlay over the telephone network. Now, the reverse phenomenon can be seen, with people using the internet for voice calls (Voice over IP to be precise), and the telephone network is turning into an overlay over the internet.

How does knowing what an overlay network is help us? Well, to understand the dark web, we need to understand what the dark net is first.

The dark net is the opposite of clear-net. Clear-net is simply parts of the internet which are index-able by search engines. This means that search engine crawlers can read up the pages, understand what the content is, and return those pages when relevant search queries are made to the search engine. On the other hand, dark net can’t be indexed, and usually uses uncommon communication protocols, encryption, etc. to achieve that result. Here’s where overlay networks get relevant, all of dark net is an overlay network over the internet. Hence, while the Darknet and clear-net reside on the internet, Darknet still manages to be structurally different from the rest of the internet.

From the darknet, we move to the dark web, which is a subset of the dark net. While dark net consists of all sorts of stuff, from www pages to file transfer service and peer to peer connections, dark web only includes the world wide web pages of the dark net (Hence the change from the more encompassing term net in darknet to web in dark web).

What does it contain

1. Child pornography and illegal drug markets – These are the two things which the dark web is most infamous for, and if you’ve heard about the dark web, it’s quite likely it in reference to either (or both) of these.
2. Bitcoin services – Bitcoin is a Cryptocurrency, and considering the nature of activities that go on in the dark web, and the need for anonymity, it’s the most common form of payment for any service that you seek on the dark-web.
3. Hackers for hire
4. Carding forums
5. Plenty of scam sites, phishing sites, etc.
6. Terrorism
7. Social media
8. File sharing

However, the dark web, in general, consists mostly of file sharing, as shown by many studies. While the first few pointers in the list stand out in the crowd, they are not what the dark web is all about. PS: I make no guarantee about the accuracy of these stats.

Dark web statistics

Note : Using TOR is not illegal (in most countries) , but many of the things on the dark web are illegal. Despite the strongly encrypted communications and high level of anonymity, I’d like to suggest that you don’t access any illegal content of the site. This article is only meant to educate you about the presence of the dark web, as not knowing about it doesn’t mean it’ll cease to exist, and as someone interested in the field of computer security/hacking, you must know about the dark web.

How to Access the dark web

There are many ways to access the dark web. Being a part of the deep net, dark web operates differently than the clear-net, and needs special client software to be accessed. While there are multiple ways to access the dark web, the most common and recommended method involves using TOR, and then visiting the .onion websites. All dark web website have a url with .onion TLD (top level domain), which looks similar to the way the clear-net websites have .com, .org, .net, etc. TLD. Once you have TOR and find out the .onion address of a deep web site (hidden web site), you can simply enter it in the URL bar on TOR browser, and it’ll open, just as normal websites open in usual browsers.

If you read the previous boring section, you’d see that I mentioned how the darknet often uses uncommon communication protocols, etc. In case of the dark web, we see that phenomenon with respect to the onion websites. I won’t go in much depth, but first look at a .onion URL suggests that it’s similar to the clear-net websites. However, internally, the way they work is nothing similar to the clear-net. Precisely, .onion is not part of the internet’s DNS root, and hence, normal DNS servers can’t resolve your request if you type the URL of a .onion website on your browser. TOR redirects these requests through it’s own servers, similar to the way proxies work, and then we get to the website, without the involvement of DNS servers anywhere. This ensures that search engine bots can’t browse around the deep web, and that anonymity is maintained, both of the client looking at the web pages, as well as the server serving the web pages. In other words, the server doesn’t know who the client is, and the client doesn’t know anything about where the server is.)

Install TOR

All required instructions can be found here, and I suggest you skip this section of the guide and use the  official page

(which has very very detailed instructions if you scroll down on that page)

Windows

Simply go to TOR Browser Download

page, and download and run the executable provided. No further instructions are needed as far as installation goes, since it’s quite similar to how you’d install regular software on windows.

Linux

Go to TOR Browser Download

page, and download the .tar.xz archive (according to your architecture, 64bit or 32bit). There is no installation procedure. Simply extract the archive (using GUI or using tar on terminal).

Just extract the archive and you’re good to go

Common for both Windows and Linux

Finding onion websites

Now that you have what looks like Mozilla Firefox running in front of you. You can simply enter normal URLs and enjoy surfing the web with privacy. However, we are here to browse the dark web, and we have no idea what to enter in the URL bar.

The solution is simple, just head over to the hidden wiki (clearnet link), and you’ll have a list of websites you can go to. Better yet, go to the dark web hidden wiki (link opens only on TOR), with an indexing of dark web websites. You are now surfing the dark web. This is the furthest I’m taking you, and from here on, you can go wherever you want. You can simply click URLs on the hidden wiki like you’d do on a regular browser, and the website would open. Regardless of what happens behind the scenes, the user experience from here on is what it’s like in the clear web (albeit a lot slower).

As far as finding websites is concerned, you are left with indexes of websites, such as the hidden wiki, and some search engines, which are nowhere as good as the clearnet search engines, which is, by design, the intention of the dark web.

The hidden wiki, link provided above

Torch search engine, the hidden wiki has a link to it, which can be opened directly on TOR

Conclusion

Go around, explore the place, don’t go anywhere illegal, don’t do anything illegal. Also, beware of scams, and don’t leave your personal information anywhere. Take a look at instructions on

how to be safe when using tor,  follow them properly, and you won’t face any troubles.

Source

Shadow icon theme is a new comer for Linux desktop, it looks beautiful with all kind of themes. It is meant to be modern clean and customizable, the primary color of this set most likely bluish and many apps icons are in round shape. So basically this theme is mixture of round and normal (square) shape icons, lets see where this theme will head in the future, it should choose shape what users asks. As creator mentioned this icon theme is his first so please bare any bugs or missing icons. You can report bugs or suggest new icons to include in this set via this link.

You can use Unity Tweak Tool, Gnome-tweak-tool

to change themes/icons.

Available for Ubuntu 18.04 Bionic/18.10/16.04 Xenial/14.04 Trusty/Linux Mint 19/18/17/other Ubuntu derivatives
To install Shadow Icons in Ubuntu/Linux Mint open Terminal (Press Ctrl+Alt+T) and copy the following commands in the terminal:Note: The Places and mimetypes icons are round by default, if you want to replace them with Square Places and Mimetypes then run following commands:

If you want to revert back to Round Places then run following commands:

That’s it

Source

Creator of the world wide web, Tim Berners-Lee has unveiled his plans to create a new decentralized web where the data will be controlled by the users.

Tim Berners-Lee is known for creating the world wide web, i.e., the internet you know today. More than two decades later, Tim is working to free the internet from the clutches of corporate giants and give the power back to the people via a decentralized web.

Berners-Lee was unhappy with the way ‘powerful forces’ of the internet handle data of the users for their own agenda. So he started working on his own open source project Solid “to restore the power and agency of individuals on the web.”

Solid changes the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance — by giving every one of us complete control over data, personal or not, in a revolutionary way.

Basically, Solid is a platform built using the existing web where you create own ‘pods’ (personal data store). You decide where this pod will be hosted, who will access which data element and how the data will be shared through this pod.

Berners-Lee believes that Solid “will empower individuals, developers and businesses with entirely new ways to conceive, build and find innovative, trusted and beneficial applications and services.”

Developers need to integrate Solid into their apps and sites. Solid is still in the early stages so there are no apps for now but the project website claims that “the first wave of Solid apps are being created now.”

Berners-Lee has created a startup called Inrupt and has taken a sabbatical from MIT to work full-time on Solid and to take it “from the vision of a few to the reality of many.”

If you are interested in Solid, learn how to create apps or contribute to the project in your own way. Of course, it will take a lot of effort to build and drive the broad adoption of Solid so every bit of contribution will count to the success of a decentralized web.

Do you think a decentralized web will be a reality? What do you think of decentralized web in general and project Solid in particular?

About Abhishek Prakash

I am a professional software developer, and founder of It’s FOSS. I am an avid Linux lover and Open Source enthusiast. I use Ubuntu and believe in sharing knowledge. Apart from Linux, I love classic detective mysteries. I’m a huge fan of Agatha Christie’s work.

Source

KDE Frameworks is an open source and free software project distributed as part of the KDE desktop environment and designed to provide developers with a collection of tools and libraries for developing powerful applications for the KDE Plasma graphical environment, built using the Qt5 framework.

Includes the code base of almost all KDE apps

The software includes the code base of almost all KDE applications, with well-defined abilities and dependencies, providing high-level functionality like menus and toolbars, file access and spell checking. The great thing about it is that all the tools and libraries are available as separate downloads.

Introducing the Qt Addons

The libraries comprised in this the KDE Frameworks project are distributed as independent and cross-platform modules, called Qt Addons. They’re available to Qt and KDE developers alike, as well as to all who want to accelerate, simplify and reduce the cost of Qt development on any platform.

Building KDE Frameworks

KDE Framework has been successfully tested on a wide range of GNU/Linux distributions, including Debian, Ubuntu, Arch Linux, Fedora and openSUSE. To build it, you will need to install the Qt5 framework, as well as various other essential libraries and tools that are listed on the project’s homepage at https://community.kde.org/Frameworks/Building.

Under the hood

Most of the tools and libraries included in the KDE Frameworks project are written in the C++ programming language. You will need to have a recent GCC compiler, Git and the latest kdesrc-build package. Detailed installation instructions can be found by accessing the above link. It should also work on other GNU/Linux operating systems if all the dependencies are installed.

KDE library KDE framework KDE development KDE Framework Frameworks Development

Source

Save the date for the following presentations:

Deployment Options for the Digital Core from SAP (lecture session): The digital core from SAP covers the crown jewels of your company’s data. But what are the available deployment options?
Wednesday, October 24 | 15:45 | Session ID: OPP203

Practical Architecture for SAP Data Hub on Premise (lecture session): Teams from Lenovo, SUSE, and SAP worked on a unified architectural vision and joint engineering effort to create a reference architecture for the SAP Data Hub solution. Learn about this integrated solution built on selected, proven-to-work components. A flexible building-block approach helps ensure high scalability, from proof of concept to large production implementations. Best practices from SAP, SUSE, and Lenovo are built into the solution for high availability, flexibility, and performance.
Tuesday, October 23 | 17:15 | Session ID: DAT224

Shattering SAP HANA limits with IBM Power Systems (lecture session): This session will highlight the latest best-practices from SAP HANA customers that have achieved unprecedented levels of performane using TDI 5.0 and IBM Power Systems. We will also cover latest IBM POWER9 technology that help clients deploy SAP HANA in a flexible, resilient and scalable infrastructure.
Tuesday, October 23rd | 11:00 | Session ID: EXP215

You will also find us there:

The Latest & Greatest in Open Source – SUSE Solutions for SAP Infrastructure
Wednesday, October 24 | 16:00 | HPE Booth #27

Building resilient SAP landscapes with SUSE on Microsoft Azure

Tuesday, October 23 |18:00 | Microsoft booth #28Thursday, October 25|16:30

Activities on SUSE booth

Protera answers your questions about your SAP migration
Tuesday, October 23 | 14:30

And there are prizes to win

You’ll also be able to play the TUX RACER Game for a chance to win daily prizes!

 

Share with friends and colleagues on social media

Source