Using ExpressVPN with Ubuntu, Linux Mint or Debian Linux

ExpressVPN is one of the highest rated and fastest VPNs. Debian-derived Linux distributions such as Ubuntu, Linux Mint, and Debian itself are the most widely used desktop distros in the world. Putting these two things together provides fast downloads with a very high degree of anonymity and privacy.

ExpressVPN supports Windows, Linux, and macOS. The Windows and macOS versions are fairly similar to each other, but the Linux version is a wide departure. It is a command line tool instead of a polished graphical application and comes in 32-bit and 64-bit flavours to accommodate both types of processors typically seen in PCs today. You can run the following command to see what the bitness of your Linux distribution is:

Anything with ‘64’ in the output is running a 64-bit Linux distribution and you should use the 64-bit ExpressVPN download. If you’re running a 32-bit distribution you’ll likely see something with ‘i386’ in the output. For example, the uname output on my 64-bit system looks like this (note the 64):

While Ubuntu, Linux Mint, and Debian are all based on the same package manager system, there are some differences in installation. I used 64-bit versions of Ubuntu 16.10, Linux Mint 18, and Debian 8.6.0 for this article.

Installing ExpressVPN

ExpressVPN is available from http://expressvpn.com. You’ll need to log in to your ExpressVPN account and navigate to the setup page.

ExpressVPN account

Linux should be preselected for you so you’ll just have to ensure you get one of the Ubuntu downloads.

ExpressVPN Linux download

Ubuntu 16.10 installation

Continue reading “Using ExpressVPN with Ubuntu, Linux Mint or Debian Linux”

OpenSSH v7 and DSA key support. AKA “Permission denied (publickey)”

I have a little personal server farm with a handful of hosts that run things like my websites, a BBS and my VPN server. I recently upgraded my desktop to Kubuntu 16.04 and suddenly my SSH key was no longer working. I started seeing this when I tried to log in:

I began troubleshooting to determine what was wrong with my key. I had just upgraded my workstation, after all, so I could have restored the wrong keys from my backup. That is when I discovered that I was able to log in to some of my servers, just not all of them. That puzzled me because I knew I had not touched the servers and I thought that they all used the same key. What could cause my key to work on some servers, but not others? It had to be a client-side issue, but I didn’t know what it was.

I have a continuity plan to access my servers if anything like this should happen so I implemented it and it allowed me to look in the auth.log. I saw these messages in the server logs:

Continue reading “OpenSSH v7 and DSA key support. AKA “Permission denied (publickey)””

Defeating poor port knocking configurations

I was thinking about port knocking the other day (yep, that’s how I roll) and while I consider it to be a valid security layer, it occurred to me that it would be pretty easy to set up a poor implementation of it that was susceptible to being gamed. Here’s how that thought process went.

Caveat: This is a proof of concept and has many points against it which I outline at the end of this post.

For the uninitiated, port knocking is a process whereby some port on a server can be firewalled off until some pre-determined sequence of ports is ‘knocked’ on, after which the firewall is reconfigured to open some other port. A practical example is a server where you need SSH access, but you don’t want to leave the SSH daemon running wide open to the world all the time. You can use a port knocking daemon like knockd, coupled with an iptables firewall, to protect that port. The normal configuration is to have the SSH daemon listening on some arbitrary port and have the firewall dropping connections to that port until a valid sequence of ports is knocked on; the iptables rules are then rewritten, usually temporarily, to allow connections to the SSH port.

Continue reading “Defeating poor port knocking configurations”

Centralizing logs with Papertrail

Sysadmins have a love/hate relationship with logs. We spend hours and hours every day diving through them looking for clues about what happened that shouldn’t have, what didn’t happen that should have, what systems and people are actually doing, and gauging capacity for the future.

It’s one thing to look at one log for one particular issue, but some complex issues lead a merry chase through many logs on many servers, which can get very complicated very fast. To ease that burden, all but the simplest of setups should employ some form of log centralization. Centralized logs are easier to access en masse, and it is easier to bring analytical tools to bear on them to pry out their secrets.

Continue reading “Centralizing logs with Papertrail”

Fun with Curl

curl is one of those quintessential *nix tools that adheres beautifully to the “one tool, one task” philosophy. curl exists to give us the ability to issue requests against web servers. As sysadmins we’re usually concerned with how the web server responds to requests rather than how the actual page renders, so a CLI tool like curl is quick and easy. It also lets us spoof things like user agents and referers in case we want to see how the web site responds to different browsers or different referring pages.

Let’s look at this site:

$ curl http://slumpedoverkeyboarddead.com | head

Continue reading “Fun with Curl”

Elections in the democratic republic of Splunk

If you can’t have fun with your technology, then throw it out and get new technology. The product I interact most with at work is Splunk. It’s very simple in some ways and very complicated in others, but underlying it all is the spirit of fun.

Watching a Splunk instance start up gives some insight into the culture at the company. Startup messages contain gems like:

  • Splunk> All batbelt. No tights.
  • Splunk> Finding your faults, just like mom.
  • Splunk> See your world. Maybe wish you hadn’t.

Or my all time favourite:

  • Splunk> Take the sh out of IT.

Continue reading “Elections in the democratic republic of Splunk”

What does brute force SSH hacking look like?

Brute force hacking is the easiest, least effective, and messiest method of all the ways to attempt to gain access to a system. It leaves a really obvious trail, and it’s fairly easy to stop unless you’ve become the target of a large organization that really is out to get you.

By definition, brute force hack attempts are simply some variation of trying to guess a valid username and password combination. I will look at attempts to break into a Linux box via SSH, but the principles are the same regardless of the attack target.

Continue reading “What does brute force SSH hacking look like?”

Looking for hacking activity in Apache Logs

This is my first post with Ghost and since it contains code snippets and command line goodies I thought it would be a good test for Ghost’s markdown language. Let’s see how it goes.

The sheer number of bad people on the planet means that there’s a really good chance your website has at least been probed to see if it is a good attack platform. It may also mean that your website has already been compromised and is doing bad things for some other person as we speak. Some people I talk to say things like “well, if I get hacked, I’ll deal with it then”. But that’s dumb. It’s dumb because when someone compromises your website, they’re not going to put a big banner on it letting you know. It may be days, weeks or months before you notice.

Continue reading “Looking for hacking activity in Apache Logs”

My Pebble Watch: First Week Using and Coding

One of my gifts for Christmas was a Pebble “classic” smart watch. I’ve wanted one for a while because the idea of smart watches and other wearable computing devices is interesting to me, but having never had any experience with one, it was hard for me to determine if I’d actually like it. The Pebble Classic is cheap enough ($109 here in Canada, generally) that it’s worth the risk. I’ve had my Pebble for a little over a week now and here are my thoughts.

The Concept

The million dollar question is why anyone would need yet another device to tell them when they have an email or a text message. It’s a good question and part of the reason why I was not 100% sold on the idea, but here’s what I thought the advantages would be, and so far it has worked out as I expected.

Continue reading “My Pebble Watch: First Week Using and Coding”

What can I do with a Chromebook?

I recently bought a Chromebook. Over the years I have had a short, unimpressive experience with one of those “Netbooks” that tried to carve out a place in the market, so I was prepared to be a little disappointed. However, the critical role this thing had to fulfill was to be a backup computer to RDP into work from if my primary system died, so I was willing to put up with some limitations as long as it could plug that hole.

The first thing I learned during this process is that customer reviews from Chromebook users are almost totally useless. They mostly consist of incredibly naive and clearly non-technical people who were shocked and dismayed that their $250 “laptop” did not run Windows or MS Office. I doubt the critical thinking skills of these people because if it were possible to produce such a beast at that price point, it seems obvious to me that the market would be flush with them. Having said that, there are some low end $350 full-blown laptops out there from Acer and HP so the market is pretty close.

Continue reading “What can I do with a Chromebook?”