Setting up Personal VPN Server


This is my second attempt at setting up a VPN service, this time with lessons learned.
Server provider: RamNode
Price: $3/month
Virtualization: KVM
Specs: 512 GB RAM, 10 GB Storage, 1000 GB Bandwidth
Chosen OS: CentOS 7

After you set up your server, ssh into it.

Optionally, install and enable a firewall for better security. It is best to do this before you run the VPN script; otherwise you will have to update the firewall rules manually afterwards.

yum update
# If you want vim:
yum search vim
yum install vim-enhanced.x86_64
yum install firewalld

systemctl enable firewalld
systemctl start firewalld

# Show configuration for the given zone:
firewall-cmd --zone=public --list-all

# Open a port for your SSH console. Recommended: move SSH off the default port 22
# (1234 is used as the example below). Open it in the firewall before restarting sshd.
firewall-cmd --add-port=1234/tcp
firewall-cmd --add-port=1234/tcp --permanent
vim /etc/ssh/sshd_config
# update Port to 1234 (or whatever you picked above)
# Uncomment "Protocol 2" - it provides better security
systemctl restart sshd
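The port change above is the one step on a remote box where a typo locks you out. The script below is an added example (not part of the original post) that does the same edit in a safer order: firewall rule first, config edit, `sshd -t` syntax check, and only then the restart. Port 1234 is the page's example value; the sample sshd_config lines in the demo are constructed.

```shell
# Safe SSH port change: open the firewall first, edit sshd_config, validate
# with sshd -t, and only then restart. Port 1234 and the paths are assumptions.

# set_sshd_directive FILE KEY VALUE: replace an active or commented-out
# "KEY ..." line with "KEY VALUE", or append it when absent.
set_sshd_directive() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[#[:space:]]*${key}([[:space:]].*)?\$" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_directive FILE KEY: print the first active value of KEY.
get_sshd_directive() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# set_ssh_port FILE PORT: validate PORT, then set "Port" and "Protocol 2".
# Returns 1 without touching the file when PORT is not a valid TCP port.
set_ssh_port() {
  file=$1; port=$2
  case $port in ''|*[!0-9]*) echo "not a number: $port" >&2; return 1 ;; esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  set_sshd_directive "$file" Port "$port"
  set_sshd_directive "$file" Protocol 2
}

# apply_ssh_port PORT: the sequence to run as root on the real server.
# The firewall rule goes in first, and sshd is restarted only after "sshd -t"
# accepts the edited config, so a typo cannot lock you out of the box.
apply_ssh_port() {
  port=$1
  firewall-cmd --add-port="${port}/tcp"
  firewall-cmd --add-port="${port}/tcp" --permanent
  set_ssh_port /etc/ssh/sshd_config "$port"
  sshd -t || { echo "sshd_config is invalid; not restarting" >&2; return 1; }
  systemctl restart sshd
}

# Demonstration on a constructed sshd_config copy (no root needed).
demo_sshd_config() {
  tmp=$(mktemp)
  printf '#Port 22\n#Protocol 2,1\nPermitRootLogin yes\n' > "$tmp"
  set_ssh_port "$tmp" 1234
  printf 'Port=%s Protocol=%s\n' "$(get_sshd_directive "$tmp" Port)" "$(get_sshd_directive "$tmp" Protocol)"
  rm -f "$tmp"
}
demo_sshd_config
```

Two follow-ups once the new port works: firewalld's public zone still allows the `ssh` service (port 22) by default, so `firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload` closes the old port; and when SELinux is enforcing, sshd is only allowed to bind a non-standard port after `semanage port -a -t ssh_port_t -p tcp 1234` (the `semanage` tool is in the policycoreutils-python package on CentOS 7).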


# this retrieves the vpn script - see https://github.com/Nyr/openvpn-install
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh


# if you plan to run VPN on port 443
firewall-cmd --zone=public --add-port=443/udp
firewall-cmd --permanent --zone=public --add-port=443/udp
vim /etc/openvpn/server.conf
#add "port 443" or change to 443 if there is already an entry

#in the generated .ovpn file make the same change for the port
# should look something like this: remote your_server_ip 443


# additional security feature (not necessary for VPN)
yum install epel-release
yum install fail2ban
yum install fail2ban-systemd
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
systemctl enable fail2ban
vim /etc/fail2ban/jail.local
# set to something like this:
------------------------
[DEFAULT]
# ban hosts for 300 seconds:
bantime = 300
maxretry = 2

[sshd]
port = your_ssh_port
enabled = true

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport


# if SELinux is enabled (check with sestatus)
[selinux-ssh]
port     = your_ssh_port
logpath  = %(auditd_log)s
enabled  = true
------------------------
systemctl restart fail2ban

# Check the logs:
tail /var/log/fail2ban.log
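To make the effect of `maxretry = 2` concrete, here is an added example (not from the original post) that reproduces roughly what the `[sshd]` jail does: it scans sshd "Failed password" lines (on CentOS the jail watches /var/log/secure), keeps a per-source count inside a sliding `findtime` window (fail2ban's default is 600 seconds) and reports the sources that would be banned. The log lines, host name and addresses are constructed for the example.

```shell
# Rough model of the fail2ban [sshd] jail over constructed /var/log/secure
# lines: a source is a ban candidate once it reaches MAXRETRY failures within
# FINDTIME seconds. Hostname "vpn" and all IPs below are constructed.

SAMPLE_SECURE_LOG='Mar  1 10:00:01 vpn sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  1 10:00:03 vpn sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  1 10:00:09 vpn sshd[1210]: Failed password for root from 203.0.113.9 port 51000 ssh2
Mar  1 10:00:15 vpn sshd[1215]: Accepted publickey for deploy from 192.0.2.5 port 52000 ssh2
Mar  1 10:09:59 vpn sshd[1230]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar  1 10:20:00 vpn sshd[1240]: Failed password for invalid user test from 203.0.113.9 port 51008 ssh2'

# ban_candidates MAXRETRY FINDTIME < log
# Prints, one per line and sorted, every source IP whose failed logins reached
# MAXRETRY inside a FINDTIME-second window. Successful logins are ignored, as
# they are by the sshd filter.
ban_candidates() {
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
      # "Mar  1 10:00:01": field 3 is the clock; convert to seconds of the day
      # (a single day is assumed for the sample)
      split($3, t, ":"); ts = t[1]*3600 + t[2]*60 + t[3]
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
      n[ip]++; stamp[ip, n[ip]] = ts
      # failures from this source that fall inside the window ending now
      hits = 0
      for (j = 1; j <= n[ip]; j++) if (ts - stamp[ip, j] <= findtime) hits++
      if (hits >= maxretry) banned[ip] = 1
    }
    END { for (ip in banned) print ip }
  ' | sort
}

# count_bans MAXRETRY FINDTIME: number of sources banned on the sample log.
count_bans() {
  printf '%s\n' "$SAMPLE_SECURE_LOG" | ban_candidates "$1" "$2" | wc -l | tr -d ' '
}

echo "sources banned with maxretry=2 findtime=600:"
printf '%s\n' "$SAMPLE_SECURE_LOG" | ban_candidates 2 600
```

With the post's `maxretry = 2`, both attacking sources are banned after their second failure; raising `maxretry` to 3 with the default window bans nobody on this sample, because the third failure from 203.0.113.9 arrives outside the 600-second window. On the real server, `fail2ban-client status sshd` lists what the jail has actually banned.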



# if you need more users, just run the script again
bash openvpn-install.sh

This generates a single some_name.ovpn file that you can download and use with an OpenVPN client. Hopefully, you now have a personal VPN server for roughly $30 a year.

Disabling IPv6
If you are not planning on using IPv6, you may as well disable it. Unfortunately, fail2ban does not support it yet.

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
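`sysctl -w` only changes the running kernel, so the two settings above are gone after a reboot. The following is an added example (not from the original post) that writes the same settings to a sysctl.d drop-in, the form that survives reboots, and checks the live value. The drop-in file name is an assumption; pass any writable directory to try the file part without root.

```shell
# Persist the IPv6 switch-off across reboots via /etc/sysctl.d.
# The drop-in name is an assumption.

DROPIN_NAME=99-disable-ipv6.conf

# write_ipv6_dropin DIR: write DIR/99-disable-ipv6.conf and print its path.
write_ipv6_dropin() {
  f="$1/$DROPIN_NAME"
  {
    echo '# Disable IPv6 on all current and future interfaces'
    echo 'net.ipv6.conf.all.disable_ipv6 = 1'
    echo 'net.ipv6.conf.default.disable_ipv6 = 1'
  } > "$f"
  printf '%s\n' "$f"
}

# dropin_settings FILE: print the key=value pairs of a sysctl.d file with
# comments, blank lines and surrounding whitespace removed.
dropin_settings() {
  sed -E -e 's/#.*//' -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//' \
         -e '/^$/d' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# ipv6_disabled_now: succeed when the running kernel already has IPv6 off.
# Reads /proc directly so it works wherever /proc is mounted.
ipv6_disabled_now() {
  p=/proc/sys/net/ipv6/conf/all/disable_ipv6
  [ -r "$p" ] && [ "$(cat "$p")" = "1" ]
}

# disable_ipv6_persistently: write the drop-in, load it now (root required)
# and confirm the live value; "sysctl -p FILE" loads just that file.
disable_ipv6_persistently() {
  f=$(write_ipv6_dropin /etc/sysctl.d)
  sysctl -p "$f"
  ipv6_disabled_now
}

# Demonstration without root: write the drop-in to a temp dir and show it.
demo_dropin() {
  d=$(mktemp -d)
  dropin_settings "$(write_ipv6_dropin "$d")"
  rm -rf "$d"
}
demo_dropin
```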

Multiple instances of OpenVPN

If you want to run multiple instances of OpenVPN (say the typical 1194/udp and another on 443/tcp to get around blocking), add a new config in /etc/openvpn.
For simplicity, you can copy the existing server.conf; let's name it server2.conf.

Update server2.conf to use a different port and a different VPN subnet (if the original server.conf uses 10.8.0.0, let's give the new config 10.8.2.0):

port 443
proto tcp
server 10.8.2.0 255.255.255.0

Start your new OpenVPN instance (the systemd template unit is named after the config file, without the .conf suffix):

systemctl start openvpn@server2

If using firewalld, add new rules:

firewall-cmd --zone=trusted --add-source=10.8.2.0/24
firewall-cmd --permanent --zone=trusted --add-source=10.8.2.0/24
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.2.0/24 -j SNAT --to your_server_ip
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.2.0/24 -j SNAT --to your_server_ip

Restart your new openvpn server:

systemctl restart openvpn@server2

If you'd like to use the same .ovpn config on the client side to connect to both ports, add this to the client config:

server-poll-timeout 4
remote your_ip 1194 udp
remote your_ip 443 tcp
remote your_ip 1194 udp
remote your_ip 1194 udp

This tries 1194/udp first; if that fails, it tries 443/tcp, then 1194/udp again, cycling through the list.
For this to work, both configs on the server must have the same settings (except for the port, protocol and IP range, of course).
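Keeping server.conf and server2.conf identical apart from the port, protocol and subnet is easy to get wrong by hand, so here is an added example (not from the original post or the openvpn-install project) that derives server2.conf from server.conf and then checks that the two differ only where they must. The sample server.conf, the file names and the 10.8.2.0/24 subnet are constructed. Two details beyond the text are handled because OpenVPN enforces them: `explicit-exit-notify` is UDP-only and a TCP server refuses to start with it, and if the config names `status` or `ifconfig-pool-persist` files, the second daemon needs its own so the two instances do not overwrite each other's state.

```shell
# Derive server2.conf from server.conf and verify the two stay in sync.
# Sample config, file names and the 10.8.2.0/24 subnet are constructed.

SAMPLE_SERVER_CONF='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
explicit-exit-notify
verb 3'

# derive_instance SRC DST PORT PROTO SUBNET: copy SRC to DST and rewrite only
# the instance-specific lines; everything else stays identical on purpose.
derive_instance() {
  src=$1; dst=$2; port=$3; proto=$4; subnet=$5
  cp -p "$src" "$dst"
  sed -i -E \
    -e "s/^port[[:space:]]+.*/port ${port}/" \
    -e "s/^proto[[:space:]]+.*/proto ${proto}/" \
    -e "s/^server[[:space:]]+.*/server ${subnet} 255.255.255.0/" \
    "$dst"
  # OpenVPN refuses to start a TCP server that carries the UDP-only option
  if [ "$proto" = "tcp" ]; then
    sed -i -E '/^explicit-exit-notify([[:space:]]|$)/d' "$dst"
  fi
  # Give the second daemon its own state files (suffix: -PORT-PROTO)
  sed -i -E "s/^(status|ifconfig-pool-persist)[[:space:]]+([^[:space:]]+)(.*)\$/\1 \2-${port}-${proto}\3/" "$dst"
}

# same_except_instance_lines A B: succeed when A and B differ only in the lines
# derive_instance is allowed to change; otherwise print the diff and fail.
same_except_instance_lines() {
  a=$(mktemp); b=$(mktemp)
  pat='^(port|proto|server|status|ifconfig-pool-persist|explicit-exit-notify)([[:space:]]|$)'
  grep -Ev "$pat" "$1" > "$a" || true
  grep -Ev "$pat" "$2" > "$b" || true
  if diff "$a" "$b"; then rc=0; else rc=1; fi
  rm -f "$a" "$b"
  return $rc
}

# Demonstration in a temp directory (nothing under /etc/openvpn is touched).
demo_second_instance() {
  d=$(mktemp -d)
  printf '%s\n' "$SAMPLE_SERVER_CONF" > "$d/server.conf"
  derive_instance "$d/server.conf" "$d/server2.conf" 443 tcp 10.8.2.0
  same_except_instance_lines "$d/server.conf" "$d/server2.conf" && echo "server2.conf is in sync with server.conf"
  rm -rf "$d"
}
demo_second_instance
```

On the server the derived file goes to /etc/openvpn/server2.conf and is started with `systemctl start openvpn@server2`; rerun `same_except_instance_lines` after any later edit to server.conf, since a drifted cipher or key setting is exactly what makes the second `remote` line in the client profile fail.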

OpenDNS
If using OpenDNS, head to https://dashboard.opendns.com/ and set it up.

Auto-update all CentOS packages

yum -y install yum-cron

vim /etc/yum/yum-cron.conf
# set:
# download_updates = yes
# apply_updates = yes
systemctl enable yum-cron
systemctl start yum-cron

Harden SSH
vim /etc/ssh/sshd_config

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-256,hmac-sha2-512

A nice resource to test the speed: https://speedof.me/.

Categories: Security

Free Options to Protect a WordPress Site

  • Do not use the username “admin” – when someone tries to brute-force their way into your site, this will likely be the first username they try.
  • Keep your WordPress and plugins up to date.
  • Use a password manager to store your passwords. This allows you to use strong passwords for your site (and anything else) without committing to memory all of the combinations of special characters, letters and numbers.
  • Akismet – a very effective option to detect and block spam comments on your blog.
  • Wordfence (free/paid) – the free version lets you scan your source code, themes and plugins; set limits on login attempts; and send email notifications when somebody logs in to your site or enters invalid credentials. If the number of users who can log in to your site is relatively small, I recommend immediately locking out users who try to log in with an invalid name, which is an excellent option to defend against brute-force attacks.
    The paid version adds two-factor authentication, country blocking and advanced spam scan options.
  • IQ Block Country (free) – you can combine it with Wordfence to get country blocking if you don’t want to pay for Wordfence Premium. IQ Block Country lets you block certain countries (determined by IP) from logging in to either your frontend or backend pages.

There is a potential that Wordfence and IQ Block Country may conflict with each other; I have used both plugins without experiencing any conflicts.
When considering country blocking, you may want to check your spam folder to see where most of your spam comes from; or, if you already use Wordfence, it can tell you from which countries most of the invalid logins originate. Use this information to lock down your back end or front end. I found country blocking surprisingly effective against spam.

Categories: Security