Linux Tips and Tricks

The Poor Man's VPN

Here's a situation that a colleague of mine and I just ran into while installing a system behind a hostile firewall. (Ok, it wasn't really hostile; the point was that we didn't have access to modify any of the rules on the firewall.) We needed a way to remote back into the system for a bit longer while we were doing the initial configuration, but the box didn't have an Internet-accessible IP address. ssh to the rescue! Here's a quick way to leave yourself a backdoor - useful for as long as your ssh session is alive. Let's assume you have two systems, pluto and mars, and pluto has a private IP address and/or is located behind a firewall. While you still have access to pluto, you want to ssh into mars, but with an additional option that sets up a reverse ssh tunnel:
pluto> ssh tony@mars -R 9999:localhost:22
This logs you into mars and leaves you at a shell prompt. You may want to kick off top or something similar to keep the shell alive. Now, from mars, you can do the following:
mars> ssh -p 9999 localhost
This actually connects you to port 22, the ssh port, on pluto. That's it, you're in!
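A check from the other side of that trick, added here and not part of the original article: every -R forward makes sshd on the receiving host (mars above) listen on the requested port, so a reverse tunnel is visible there as an sshd-owned listening socket on a port other than sshd's own. The script below pulls those entries out of ss -tlnp output. The ss output embedded in it is a constructed sample, not a real capture, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): list sshd-owned listening
# sockets that are not sshd's own port. On the host that accepted an
# "ssh -R port:..." session these are the reverse-tunnel listeners.
# The ss(8) output below is constructed sample data, not a real capture.

SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22       0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128        127.0.0.1:9999     0.0.0.0:*     users:(("sshd",pid=4471,fd=9))
LISTEN 0      128        127.0.0.1:25       0.0.0.0:*     users:(("exim4",pid=930,fd=4))
LISTEN 0      128             [::]:22          [::]:*     users:(("sshd",pid=812,fd=4))'

# reverse_tunnel_listeners SS_OUTPUT [SSHD_PORT]
# Prints "local-address:port pid" for every LISTEN entry owned by sshd whose
# port differs from SSHD_PORT (default 22).
reverse_tunnel_listeners() {
    ss_output=$1
    sshd_port=${2:-22}
    printf '%s\n' "$ss_output" | awk -v port="$sshd_port" '
        $1 == "LISTEN" && index($NF, "(\"sshd\"") > 0 {
            n = split($4, a, ":")          # port is the last ":"-separated part
            if (a[n] != port) {
                match($NF, /pid=[0-9]+/)
                pid = substr($NF, RSTART + 4, RLENGTH - 4)
                print $4, pid
            }
        }'
}

# count_reverse_tunnel_listeners SS_OUTPUT [SSHD_PORT]: number of hits,
# handy as an exit condition in a cron job or monitoring check.
count_reverse_tunnel_listeners() {
    reverse_tunnel_listeners "$1" "$2" | wc -l | tr -d ' '
}

# Live use would be: reverse_tunnel_listeners "$(ss -tlnp)"
reverse_tunnel_listeners "$SAMPLE_SS_OUTPUT"
```

On the sample data this prints the 127.0.0.1:9999 listener with its sshd pid. Two things worth knowing when running it for real: ss only shows process names for other users' sockets when run as root, and by default sshd binds -R listeners to loopback on the receiving host (the GatewayPorts setting), so the port opened on mars is reachable only by someone already logged into mars.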

VPN Access from Home: Linux Client and a Microsoft RAS Server

You can't always get what you want. But if you try sometimes, you just might find - you get what you need...

After changing jobs from a company that had SSH and a Cisco VPN client (available as a native Linux client), I was admittedly wary of trying to get remote access via a Windows NT RAS service. Fortunately, it ended up being a piece of cake. To get this going, do the following:

  1. Make sure that you have a kernel with support for pppd, including the ppp modules for the various line disciplines. If you get error messages in syslog along the lines of:

    modprobe: modprobe: Can't locate module tty-ldisc-3
    pppd[10163]: Couldn't set tty to PPP discipline: Invalid argument

    then you know that you need to recompile your kernel with support for ppp_async, pppoe, and pppox. If you have this support via modules, make sure the modules are loaded or that your kernel supports autoloading of modules.

  2. Edit /etc/ppp/chap-secrets to include the NT domain credentials needed to log in to the domain. My chap-secrets file looks like:
    root@bach:~# cat /etc/ppp/chap-secrets
    # Secrets for authentication using CHAP
    # client             server               secret         IP addresses
    ras.yourcompany.com  DOMAIN\\user         "mypassword"
    DOMAIN\\user         ras.yourcompany.com  "mypassword"
    

  3. Install the pptp-linux package - pptp-linux on Debian, or see http://pptpclient.sourceforge.net/ to get the sources and build them yourself.

  4. Kick off pptp as follows, using the debugging switches until you get things going:
    pptp ras.yourcompany.com mtu 576 mru 576 debug \
        noauth name 'DOMAIN\user' remotename ras.yourcompany.com

    If all goes well, you'll now be able to add routes to your office environment over ppp0. If you have any problems, look in /var/log/syslog to get an idea of what pptp or pppd doesn't like.

  5. To drop your connection, just kill pppd or use the poff command on Debian systems.
For normal invocation, you can drop the debug flag. You can also adjust the mtu and mru settings to something comfortable for your usage patterns.
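Before running pptp it is worth checking the chap-secrets file from step 2, since it carries the domain password in clear text. The script below is an added example, not part of the original article: it verifies that the file is readable only by its owner (pppd itself warns when a secrets file is group- or world-readable) and that every active line has at least the client, server and secret fields (the IP address column is optional). The helper writes the article's example file to a temporary path for the demonstration; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a chap-secrets
# file before starting pptp. Mode must be 600 (or 400) because the file holds
# clear-text passwords; each non-comment line needs client, server and secret.

# write_sample_chap_secrets FILE: write the article's example (constructed
# values) to FILE with safe permissions, so the checker can be tried out
# without touching /etc/ppp.
write_sample_chap_secrets() {
    cat > "$1" <<'EOF'
# Secrets for authentication using CHAP
# client             server               secret         IP addresses
ras.yourcompany.com  DOMAIN\\user         "mypassword"
DOMAIN\\user         ras.yourcompany.com  "mypassword"
EOF
    chmod 600 "$1"
}

# check_chap_secrets FILE: print each problem found; return 0 only if none.
check_chap_secrets() {
    f=$1
    rc=0
    # GNU stat first (Linux); fall back to BSD stat syntax.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, expected 600 (file holds clear-text passwords)"; rc=1 ;;
    esac
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|\#*) continue ;;           # skip blank lines and comments
        esac
        # Count whitespace-separated fields. Globbing is switched off because
        # chap-secrets allows "*" as a wildcard client or server name.
        set -f; set -- $line; set +f
        if [ "$#" -lt 3 ]; then
            echo "$f:$lineno: expected 'client server secret [ip]', found $# field(s)"
            rc=1
        fi
    done < "$f"
    return "$rc"
}

# Stand-alone demonstration on a temporary copy of the sample file.
tmp=$(mktemp) && write_sample_chap_secrets "$tmp"
check_chap_secrets "$tmp" && echo "$tmp: ok"
rm -f "$tmp"
```

Run check_chap_secrets /etc/ppp/chap-secrets as root before step 4; a non-zero exit with the printed line number points at the entry pppd will not be able to use. The field count is deliberately lenient: a secret containing spaces must be quoted in chap-secrets, and the check only confirms that the minimum three columns are present.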

The 5-minute Anti-spam Setup for Home

Everyone is tired of dealing with spam, and if you're like me, the only reason you haven't done something about it yet is because procmail scares the hell out of you (in my case, it reminds me too much of a sed script). Anyway, if you have a fairly simple setup and use fetchmail and Pine, here's a simple way to get SpamAssassin filtering out spam. I'm a Debian GNU/Linux user, but the configuration should work for anything even remotely similar to a modern Linux distro, and also for mail readers other than Pine:
  • Install SpamAssassin (hopefully as simple as apt-get install spamassassin).
  • Modify your ~/.fetchmailrc to use the spamassassin binary as your MDA (Mail Delivery Agent). A sample stanza from this configuration file might be:
    poll mail.your.isp with protocol POP3
           user '' there 
           with password ''
           is '' here 
           mda "/usr/bin/spamassassin -a"
    
    You want the '-a' switch so that the auto-whitelist feature will work. Note, however, that spamassassin will write the mail directly to your mail spool file - i.e. to the user's mailbox, where "user" means the user who is invoking spamassassin. Therefore, the configuration above will work fine if you're setting up fetchmail to run as you. If you're pulling mail for multiple accounts, you'll want a configuration that will deliver them correctly. For example:
    poll mail.your.isp with protocol POP3
           user '' there 
           with password ''
           is '' here 
           mda "/usr/bin/spamassassin -a -P | /usr/bin/deliver %T"
    
    The -P switch tells spamassassin to pipe the message to STDOUT after scoring it, and deliver is called with %T, which fetchmail populates with the local recipient address. Note that if you have multiple mailboxes that will all use this as the MDA, you can specify the mda line once in your .fetchmailrc so that it acts as the global MDA. Be sure to test new configurations, with test accounts if possible. There is nothing more frustrating than sending your (or your users') mailboxes to /dev/null a few times before you get it right. Note: As of spamassassin version 2.43, the -P option is enabled by default and is no longer necessary.
  • Configure Pine to match the string *****SPAM***** in the Subject pattern and move that mail to the folder junkmail (or an appropriate name of your choosing). In brief, from the main menu, (S)etup, (R)ules, (F)ilters, (A)dd, set the nickname to "spamassassin" (or any name that suits you), change the Subject pattern to "*****SPAM*****", and set the Filter Action/Move/Folder List to "junkmail" (alternately, you can mark the Filter Action/Delete to remove the spam without saving it; you'll find that SpamAssassin is pretty accurate and rarely produces false positives). Now (E)xit your way out of setup and commit your changes.
  • You're done! fetchmail will invoke SpamAssassin and pipe the contents of the email into it for every email it fetches from that mailbox. (Be sure to update the MDA for other mailboxes you may have.) SpamAssassin will then score the email and place the string "*****SPAM*****" at the beginning of the subject line as well as adding extra spam headers. (You can also have your mailreader match on these if you want, but it might take you more than 5 minutes... :) Without specifying any options, SpamAssassin will assume that it is to deliver the mail to your local mailspool file (what you wanted to happen anyway).
  • If you find emails in your junkmail folder that shouldn't be marked as such, you can (E)xport the email to somewhere in your filesystem and then use spamassassin -W < exportedmessage to add the mail headers to your whitelist.
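The routing decision the Pine filter above makes, written out as a shell function you can run against a saved message. This is an added example and is not from the original article: it inspects only the header block (everything before the first blank line), unfolds continuation lines that start with whitespace, and recognises both the Subject tag and the X-Spam-Flag header that SpamAssassin adds. The three sample messages and the function names (classify_message, sample_*) are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original article: decide whether a message
# belongs in junkmail or the inbox the way the Pine filter does, but only
# from the headers, so a body that merely quotes the tag is left alone.

SPAM_TAG='*****SPAM*****'

# classify_message: reads a message on stdin, prints "junkmail" or "inbox".
classify_message() {
    awk -v tag="$SPAM_TAG" '
        function check() {                  # examine one unfolded header
            if (hdr == "") return
            if (tolower(hdr) ~ /^subject:/ && index(hdr, tag) > 0) spam = 1
            if (tolower(hdr) ~ /^x-spam-flag:[ \t]*yes/) spam = 1
            hdr = ""
        }
        /^[ \t]/ { hdr = hdr $0; next }     # folded continuation line
        /^$/     { check(); exit }          # blank line ends the headers
        { check(); hdr = $0 }               # new header; finish the previous one
        END      { check(); print (spam ? "junkmail" : "inbox") }
    '
}

# Constructed sample messages (sender addresses use the reserved .invalid TLD).
sample_spam() {
    cat <<'EOF'
From: someone@example.invalid
X-Spam-Flag: YES
Subject: *****SPAM***** Cheap watches

body text
EOF
}

# Legitimate mail whose body mentions the tag: must stay in the inbox.
sample_ham() {
    cat <<'EOF'
From: friend@example.invalid
Subject: lunch?

Did you see the *****SPAM***** tag on that message earlier?
EOF
}

# Subject folded across two lines, with the tag on the continuation line.
sample_folded() {
    cat <<'EOF'
From: someone@example.invalid
Subject: a very long subject line that the sender folded
 *****SPAM***** continues here

body text
EOF
}

# Stand-alone demonstration
for m in sample_spam sample_ham sample_folded; do
    printf '%s -> %s\n' "$m" "$("$m" | classify_message)"
done
```

To try it on real mail, (E)xport a message from Pine and run classify_message < exportedmessage; "inbox" for a message you expected to be filtered usually means the tag never made it into the Subject line, which in turn points back at the fetchmail MDA configuration rather than at Pine.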