Do, or do not. There is no ‘try’

#!/bin/sh
#create a firewall for this machine
IPTABLES=/usr/sbin/iptables
EXTIP=123.123.123.123

$IPTABLES -F
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

# Disable response to broadcasts.
# You don’t want yourself becoming a Smurf amplifier.
/bin/echo “1″ > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don’t accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
/bin/echo “0″ > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
/bin/echo “0″ > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
/bin/echo “1″ > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn’t match the network
# interface they’re arriving on. This has security advantages because it prevents
# so-called IP spoofing, however it can pose problems if you use asymmetric routing
# (packets from you to a host take a different path than packets from that host to you)
# or if you operate a non-routing host which has several IP addresses on different
# interfaces. (Note – If you turn on IP forwarding, you will also get this).
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo “1″ > ${interface}
done

# Log spoofed packets, source routed packets, redirect packets.
/bin/echo “1″ > /proc/sys/net/ipv4/conf/all/log_martians

# Make sure that IP forwarding is turned off. We only want this for a multi-homed host.
/bin/echo “0″ > /proc/sys/net/ipv4/ip_forward

#defualts
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

#internal range is not blocked
$IPTABLES -A INPUT -i eth0 -j ACCEPT

#ping
$IPTABLES -A INPUT -p icmp -j ACCEPT
#dns
$IPTABLES -A INPUT -i eth1 -d $EXTIP -s 217.33.150.220 -p tcp –sport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d $EXTIP -s 217.33.150.220 -p udp –sport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d $EXTIP -s 217.33.150.221 -p tcp –sport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d $EXTIP -s 217.33.150.221 -p udp –sport 53 -j ACCEPT

#allow ftp from anywhere
$IPTABLES -A INPUT -i eth1 -d $EXTIP -p tcp –dport 21 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d $EXTIP -p tcp –dport 20 -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d $EXTIP -p tcp –sport 1024: –dport 1024: -m state –state ESTABLISHED,RELATED -j ACCEPT

#drop everything else on this interface
$IPTABLES -A INPUT -i eth1 -d $EXTIP -j LOG

$IPTABLES -L -n -v

Download Here

Source from: http://www.thedumbterminal.co.uk/config/

Sniff – Overview

Makes output from the tcpdump program easier to read and parse.

This software is now redundant as ASCII support as since been added to tcpdump in version 3.8.
Features

* Coloured console output
* Directly accepts tcpdump options (including parsing from packet files)
* Fully customisable output

Requirements

* Linux operating system
* Perl installed
* tcpdump program installed
* Privileges in order to run tcpdump
Sniff – Help

Run the following command for help.

./sniff -h

Sniff options should be placed before the double dash (–) and tcpdump options should be placed after. Here are some examples of how to use sniff.

Capture all incoming FTP packets on eth1 without using colour
As you can see any options after the double-dash “–” are standard tcpdump options.

./sniff -c — -i eth1 tcp port 21

Real time logging to a CSV file
The example below uses the following options:
Enclose data with ” character (-e\”)
Separator lines with the , character (-n,)
Print the separator once only (-t0)
Dont use colour (-c)

./sniff -e\” -n, -s -t0 -c > /tmp/dump.csv

Converting a tcpdump dumb file into CSV format
First use tcpdump to make the dump file, you must use the “-lx -s 1024″ options at least. For example:

tcpdump -lx -s 1024 -w /tmp/dump.txt

Then run sniff with the required options, note the tcpdump options stating to read from the previously created file.

./sniff -e\” -n, -s -t0 -c — -r /tmp/dump.txt > /tmp/dump.csv

Sniff Tool – Downloads

Source from: http://www.thedumbterminal.co.uk/software/sniff.shtml

CREATING ACL CONTENT

To start, you’re going to create a few files that will hold certain pieces of information. These files will later be referenced by Squid when you create the actual acls. The files you’re going to create are:

* A list of domains to block
* A list of file types to block
* A list of ads to block
* A list of your internal subnets

All of these are just basic text files that can be created with your favorite editor, however the author recommends Vim. Start with the list of blocked domains. This will be a list, one per line, of sites that you want to deny access to to your users. Create a file like the following and save it as /etc/squid/denied_domains.acl .

Listing 1. Blocked domain list: /etc/squid/denied_domains.acl

.sex.com
.hackers.com
.xemacs.org

Next up is the list of file types to block. Create a file called /etc/squid/denied_filetypes.acl and add the following to it.
Listing 2. Blocked file type list: /etc/squid/denied_filetypes.acl
.(exe)$
.(zip)$
.(mp3)$
Now for a little ad blocking. I don’t like those pesky advertisement. This won’t block everything, but it makes a good bit of difference. An excerpt from my file is below, but you can find an entire copy of my ad block list here.
Listing 3. Excerpt from /etc/squid/denied_ads.acl
/adv/.*.gif$
/[Aa]ds/.*.gif$
/[Aa]d[Pp]ix/
/[Aa]d[Ss]erver
/[Aa][Dd]/.*.[GgJj][IiPp][FfGg]$
/[Bb]annerads/

Finally, you need a list of all your internal subnets. Here’s how that one should look.
Listing 4. Blocked file type list: /etc/squid/student_subnets.acl

192.168.10.0/24
192.168.11.0/24
192.168.12.0/24
192.168.13.0/24

CREATING USER NOTIFICATION SCREENS

The user notification screen are what will tell a user that they have tried to access a forbidden website, attempted to download an unauthorized file type, or are having advertisements filtered from the page they are viewing. They aren’t extremely necessary, as Squid comes with acceptable defaults, but they help make an impression on the users. You’ll need need three files, one each for denied sites, files, and ads.

The screens I use are simple modified versions of the defaults supplied with a little more color to make them a bit more recognizable. When a user attempts to access a site that is forbidden, they are presented a red screen. After seeing this screen once, users know immediately what it means.
Listing 5. Site Access Denied User Screen

Listing 6. File Access Denied User Screen
Attempting to access a denied file type displays a similar screen, only this one is yellow.

The screen used to replace blocked advertisements is a little different. It’s a solid white page and the only text is “Ad filtered!”. However, you never actually see the page. The header of the page contains a meta tag that redirects the user immediatly when that page loads to a 4 pixel by 4 pixel transparent GIF hosted directly on the proxy.

These files need to be saved in your Squid errors directory. In Gentoo this can be reached at /etc/squid/errors, but it may be different for Red Hat and others. Download the following files and place then in that directory. Remove the “.txt” extension once they’re there.

* Denied site
* Denied file
* Denied ad

And here’s a 4×4 transparent GIF if you need one.

* 4×4.gif

PUTTING IT ALL TOGETHER

First add the directives for the user error screens since they are the easiest. This is done by adding a couple of deny_info lines to your Squid config.
Listing 7. Excerpt From File: /etc/squid/squid.conf

deny_info NOTE_ADS_FILTERED url_ads
deny_info NOTE_FILETYPES_FILTERED filetypes

There’s no need to directly reference the ERR_ACCESS_DENIED file since all you’ve really done is tweak an already existing file.

It’s finally time to add your acls that you built content for at the beginning. In the acl block in your configuration, add the following lines.
Listing 8. Excerpt From File: /etc/squid/squid.conf

acl denied_domains dstdomain "/etc/squid/denied_domains.acl"
acl filetypes urlpath_regex -i "/etc/squid/filetypes.acl"
acl url_ads url_regex "/etc/squid/banner-ads.acl"
acl students src "/etc/squid/student_domains.acl"

Now that Squid knows what types of information you want to control and what to do when accessed by a user, you need to tell Squid how to tie the pieces of information together. This is easily done with a few http_access rules.
Listing 9. Excerpt From File: /etc/squid/squid.conf

http_access deny url_ads
http_access deny students filetypes
http_access deny denied_domains

It’s important to order your http_access lines correctly, or your users may not get the access you’re expecting to give them! A final version of the config you’ve been working on can be found here so you can see a good order to place them in.

Config example:
#http_port 3128
cache_mgr you@yourdomain.com
log_fqdn on
ftp_user anonymous@yourdomain.com
log_icp_queries off
httpd_accel_with_proxy off
httpd_accel_uses_host_header off
visible_hostname hostname
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

deny_info NOTE_ADS_FILTERED url_ads
deny_info NOTE_FILETYPES_FILTERED filetypes
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny url_ads
http_access deny students filetypes
http_access deny denied_domains
http_access allow all

pache is the most commonly used Web Server on Linux systems. Web Servers are used to serve Web Pages requested by client computers. Clients typically request and view Web Pages using Web Browser applications such as Firefox, Opera, or Mozilla.

Users enter a Uniform Resource Locator (URL) to point to a Web server by means of its Fully Qualified Domain Name (FQDN) and a path to the required resource. For example, to view the home page of the Ubuntu Web site a user will enter only the FQDN. To request specific information about paid support, a user will enter the FQDN followed by a path.

The most common protocol used to transfer Web pages is the Hyper Text Transfer Protocol (HTTP). Protocols such as Hyper Text Transfer Protocol over Secure Sockets Layer (HTTPS), and File Transfer Protocol (FTP), a protocol for uploading and downloading files, are also supported.

Apache Web Servers are often used in combination with the MySQL database engine, the HyperText Preprocessor (PHP) scripting language, and other popular scripting languages such as Python and Perl. This configuration is termed LAMP (Linux, Apache, MySQL and Perl/Python/PHP) and forms a powerful and robust platform for the development and deployment of Web-based applications.
Installation

The Apache2 web server is available in Ubuntu Linux. To install Apache2:

*

At a terminal prompt enter the following command:

sudo apt-get install apache2

Configuration

Apache is configured by placing directives in plain text configuration files. The main configuration file is called apache2.conf. In addition, other configuration files may be added using the Include directive, and wildcards can be used to include many configuration files. Any directive may be placed in any of these configuration files. Changes to the main configuration files are only recognized by Apache2 when it is started or restarted.

The server also reads a file containing mime document types; the filename is set by the TypesConfig directive, and is mime.types by default.

The default Apache2 configuration file is /etc/apache2/apache2.conf . You can edit this file to configure the Apache2 server. You can configure the port number, document root, modules, log files, virtual hosts, etc.
Basic Settings

This section explains Apache2 server essential configuration parameters. Refer to the Apache2 Documentation for more details.

*

Apache2 ships with a virtual-host-friendly default configuration. That is, it is configured with a single default virtual host (using the VirtualHost directive) which can modified or used as-is if you have a single site, or used as a template for additional virtual hosts if you have multiple sites. If left alone, the default virtual host will serve as your default site, or the site users will see if the URL they enter does not match the ServerName directive of any of your custom sites. To modify the default virtual host, edit the file /etc/apache2/sites-available/default. If you wish to configure a new virtual host or site, copy that file into the same directory with a name you choose. For example, sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mynewsite Edit the new file to configure the new site using some of the directives described below.
*

The ServerAdmin directive specifies the email address to be advertised for the server’s administrator. The default value is webmaster@localhost. This should be changed to an email address that is delivered to you (if you are the server’s administrator). If your website has a problem, Apache2 will display an error message containing this email address to report the problem to. Find this directive in your site’s configuration file in /etc/apache2/sites-available.
*

The Listen directive specifies the port, and optionally the IP address, Apache2 should listen on. If the IP address is not specified, Apache2 will listen on all IP addresses assigned to the machine it runs on. The default value for the Listen directive is 80. Change this to 127.0.0.1:80 to cause Apache2 to listen only on your loopback interface so that it will not be available to the Internet, to (for example) 81 to change the port that it listens on, or leave it as is for normal operation. This directive can be found and changed in its own file, /etc/apache2/ports.conf
*

The ServerName directive is optional and specifies what FQDN your site should answer to. The default virtual host has no ServerName directive specified, so it will respond to all requests that do not match a ServerName directive in another virtual host. If you have just acquired the domain name ubunturocks.com and wish to host it on your Ubuntu server, the value of the ServerName directive in your virtual host configuration file should be ubunturocks.com. Add this directive to the new virtual host file you created earlier (/etc/apache2/sites-available/mynewsite).
[Tip]

You may also want your site to respond to www.ubunturocks.com, since many users will assume the www prefix is appropriate. Use the ServerAlias directive for this. You may also use wildcards in the ServerAlias directive. For example, ServerAlias *.ubunturocks.com will cause your site to respond to any domain request ending in .ubunturocks.com.

*

The DocumentRoot directive specifies where Apache should look for the files that make up the site. The default value is /var/www. No site is configured there, but if you uncomment the RedirectMatch directive in /etc/apache2/apache2.conf requests will be redirected to /var/www/apache2-default where the default Apache2 site awaits. Change this value in your site’s virtual host file, and remember to create that directory if necessary!

[Tip]

The /etc/apache2/sites-available directory is not parsed by Apache2. Symbolic links in /etc/apache2/sites-enabled point to “available” sites. Use the a2ensite (Apache2 Enable Site) utility to create those symbolic links, like so: sudo a2ensite mynewsite where your site’s configuration file is /etc/apache2/sites-available/mynewsite. Similarly, the a2dissite utility should be used to disable sites.
Default Settings

This section explains configuration of the Apache2 server default settings. For example, if you add a virtual host, the settings you configure for the virtual host take precedence for that virtual host. For a directive not defined within the virtual host settings, the default value is used.

*

The DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.

For example, when a user requests the page http://www.example.com/this_directory/, he or she will get either the DirectoryIndex page if it exists, a server-generated directory list if it does not and the Indexes option is specified, or a Permission Denied page if neither is true. The server will try to find one of the files listed in the DirectoryIndex directive and will return the first one it finds. If it does not find any of these files and if Options Indexes is set for that directory, the server will generate and return a list, in HTML format, of the subdirectories and files in the directory. The default value, found in /etc/apache2/apache2.conf is ” index.html index.cgi index.pl index.php index.xhtml”. Thus, if Apache2 finds a file in a requested directory matching any of these names, the first will be displayed.
*

The ErrorDocument directive allows you to specify a file for Apache to use for specific error events. For example, if a user requests a resource that does not exist, a 404 error will occur, and per Apache2’s default configuration, the file /usr/share/apache2/error/HTTP_NOT_FOUND.html.var will be displayed. That file is not in the server’s DocumentRoot, but there is an Alias directive in /etc/apache2/apache2.conf that redirects requests to the /error directory to /usr/share/apache2/error/. To see a list of the default ErrorDocument directives, use this command: grep ErrorDocument /etc/apache2/apache2.conf
*

By default, the server writes the transfer log to the file /var/log/apache2/access.log. You can change this on a per-site basis in your virtual host configuration files with the CustomLog directive, or omit it to accept the default, specified in /etc/apache2/apache2.conf. You may also specify the file to which errors are logged, via the ErrorLog directive, whose default is /var/log/apache2/error.log. These are kept separate from the transfer logs to aid in troubleshooting problems with your Apache2 server. You may also specify the LogLevel (the default value is “warn”) and the LogFormat (see /etc/apache2/apache2.conf for the default value).
*

Some options are specified on a per-directory basis rather than per-server. Option is one of these directives. A Directory stanza is enclosed in XML-like tags, like so:

Directory /var/www/mynewsite
...
Directory


The Options directive within a Directory stanza accepts one or more of the following values (among others), separated by spaces:
o

ExecCGI – Allow execution of CGI scripts. CGI scripts are not executed if this option is not chosen.
[Tip]

Most files should not be executed as CGI scripts. This would be very dangerous. CGI scripts should kept in a directory separate from and outside your DocumentRoot, and only this directory should have the ExecCGI option set. This is the default, and the default location for CGI scripts is /usr/lib/cgi-bin.

o

Includes – Allow server-side includes. Server-side includes allow an HTML file to include other files. This is not a common option. See the Apache2 SSI Howto for mor information.
o

IncludesNOEXEC – Allow server-side includes, but disable the #exec and #include commands in CGI scripts.
o

Indexes – Display a formatted list of the directory’s contents, if no DirectoryIndex (such as index.html) exists in the requested directory.
[Caution]

For security reasons, this should usually not be set, and certainly should not be set on your DocumentRoot directory. Enable this option carefully on a per-directory basis only if you are certain you want users to see the entire contents of the directory.

o

Multiview – Support content-negotiated multiviews; this option is disabled by default for security reasons. See the Apache2 documentation on this option.
o

SymLinksIfOwnerMatch – Only follow symbolic links if the target file or directory has the same owner as the link.

Virtual Hosts Settings

Virtual hosts allow you to run different servers for different IP addresses, different host names, or different ports on the same machine. For example, you can run the website for http://www.example.com and http://www.anotherexample.com on the same Web server using virtual hosts. This option corresponds to the directive for the default virtual host and IP-based virtual hosts. It corresponds to the directive for a name-based virtual host.

The directives set for a virtual host only apply to that particular virtual host. If a directive is set server-wide and not defined within the virtual host settings, the default setting is used. For example, you can define a Webmaster email address and not define individual email addresses for each virtual host.

Set the DocumentRoot directive to the directory that contains the root document (such as index.html) for the virtual host. The default DocumentRoot is /var/www.

The ServerAdmin directive within the VirtualHost stanza is the email address used in the footer of error pages if you choose to show a footer with an email address on the error pages.
Server Settings

This section explains how to configure basic server settings.

LockFile – The LockFile directive sets the path to the lockfile used when the server is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or USE_FLOCK_SERIALIZED_ACCEPT. It must be stored on the local disk. It should be left to the default value unless the logs directory is located on an NFS share. If this is the case, the default value should be changed to a location on the local disk and to a directory that is readable only by root.

PidFile – The PidFile directive sets the file in which the server records its process ID (pid). This file should only be readable by root. In most cases, it should be left to the default value.

User – The User directive sets the userid used by the server to answer requests. This setting determines the server’s access. Any files inaccessible to this user will also be inaccessible to your website’s visitors. The default value for User is www-data.
[Warning]

Unless you know exactly what you are doing, do not set the User directive to root. Using root as the User will create large security holes for your Web server.

The Group directive is similar to the User directive. Group sets the group under which the server will answer requests. The default group is also www-data.
Apache Modules

Apache is a modular server. This implies that only the most basic functionality is included in the core server. Extended features are available through modules which can be loaded into Apache. By default, a base set of modules is included in the server at compile-time. If the server is compiled to use dynamically loaded modules, then modules can be compiled separately, and added at any time using the LoadModule directive. Otherwise, Apache must be recompiled to add or remove modules. Ubuntu compiles Apache2 to allow the dynamic loading of modules. Configuration directives may be conditionally included on the presence of a particular module by enclosing them in an block. You can install additional Apache2 modules and use them with your Web server. You can install Apache2 modules using the apt-get command. For example, to install the Apache2 module for MYSQL authentication, you can run the following command from a terminal prompt:

sudo apt-get install libapache2-mod-auth-mysql

Once you install the module, the module will be available in the /etc/apache2/mods-available directory. You can use the a2enmod command to enable a module. You can use the a2dismod command to disable a module. Once you enable the module, the module will be available in the the /etc/apache2/mods-enabled directory.
HTTPS Configuration

The mod_ssl module adds an important feature to the Apache2 server – the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.

The mod_ssl module is available in apache2-common package. If you have installed this package, you can run the following command from a terminal prompt to enable the mod_ssl module:

sudo a2enmod ssl

Certificates and Security

To set up your secure server, use public key cryptography to create a public and private key pair. In most cases, you send your certificate request (including your public key), proof of your company’s identity, and payment to a Certificate Authority (CA). The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.

Alternatively, you can create your own self-signed certificate. Note, however, that self-signed certificates should not be used in most production environments. Self-signed certificates are not automatically accepted by a user’s browser. Users are prompted by the browser to accept the certificate and create the secure connection.

Once you have a self-signed certificate or a signed certificate from the CA of your choice, you need to install it on your secure server.
Types of Certificates

You need a key and a certificate to operate your secure server, which means that you can either generate a self-signed certificate or purchase a CA-signed certificate. A CA-signed certificate provides two important capabilities for your server:

*

Browsers (usually) automatically recognize the certificate and allow a secure connection to be made without prompting the user.
*

When a CA issues a signed certificate, it is guaranteeing the identity of the organization that is providing the web pages to the browser.

Most Web browsers that support SSL have a list of CAs whose certificates they automatically accept. If a browser encounters a certificate whose authorizing CA is not in the list, the browser asks the user to either accept or decline the connection.

You can generate a self-signed certificate for your secure server, but be aware that a self-signed certificate does not provide the same functionality as a CA-signed certificate. A self-signed certificate is not automatically recognized by most Web browsers, and a self-signed certificate does not provide any guarantee concerning the identity of the organization that is providing the website. A CA-signed certificate provides both of these important capabilities for a secure server. The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:

1.

Create a private and public encryption key pair.
2.

Create a certificate request based on the public key. The certificate request contains information about your server and the company hosting it.
3.

Send the certificate request, along with documents proving your identity, to a CA. We cannot tell you which certificate authority to choose. Your decision may be based on your past experiences, or on the experiences of your friends or colleagues, or purely on monetary factors.

Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certificate from them.
4.

When the CA is satisfied that you are indeed who you claim to be, they send you a digital certificate.
5.

Install this certificate on your secure server, and begin handling secure transactions.

Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key.
Generating a Certificate Signing Request (CSR)

To generate the Certificate Signing Request (CSR), you should create your own key. You can run the following command from a terminal prompt to create the key:

openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
.....................++++++
.................++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:

You can now enter your passphrase. For best security, it should at least contain eight characters. The minimum length when specifying -des3 is four characters. It should include numbers and/or punctuation and not be a word in a dictionary. Also remember that your passphrase is case-sensitive.

Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in server.key file.
[Warning]

You can also run your secure web server without a passphrase. This is convenient because you will not need to enter the passphrase every time you start your secure web server. But it is highly insecure and a compromise of the key means a compromise of the server as well.

In any case, you can choose to run your secure web server without a passphrase by leaving out the -des3 switch in the generation phase or by issuing the following command at a terminal prompt:

openssl rsa -in server.key -out server.key.insecure

Once you run the above command, the insecure key will be stored in the server.key.insecure file. You can use this file to generate the CSR without passphrase.

To create the CSR, run the following command at a terminal prompt:

openssl req -new -key server.key -out server.csr

It will prompt you enter the passphrase. If you enter the correct passphrase, it will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file. You can submit this CSR file to a CA for processing. The CAN will use this CSR file and issue the certificate. On the other hand, you can create self-signed certificate using this CSR.
Creating a Self-Signed Certificate

To create the self-signed certificate, run the following command at a terminal prompt:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The above command will prompt you to enter the passphrase. Once you enter the correct passphrase, your certificate will be created and it will be stored in the server.crt file.
[Warning]

If your secure server is to be used in a production environment, you probably need a CA-signed certificate. It is not recommended to use self-signed certificate.
Installing the Certificate

You can install the key file server.key and certificate file server.crt or the certificate file issued by your CA by running following commands at a terminal prompt:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

You should add the following four lines to the /etc/apache2/sites-available/default file or the configuration file for your secure virtual host. You should place them in the VirtualHost section. They should be placed under the DocumentRoot line:

SSLEngine on

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

HTTPS should listen on port number 443. You should add the following line to the /etc/apache2/ports.conf file:

Listen 443

Accessing the Server

Once you install your certificate, you should restart your web server. You can run the following command at a terminal prompt to restart your web server:

sudo /etc/init.d/apache2 restart

[Note]

You should remember and enter the passphrase every time you start your secure web server.

You will be prompted to enter the passphrase. Once you enter the correct passphrase, the secure web server will be started. You can access the secure server pages by typing https://your_hostname/url/ in your browser address bar.

From: https://help.ubuntu.com/7.04/server/C/httpd.html

synergy: [noun] a mutually advantageous conjunction of distinct elements

Synergy lets you easily share a single mouse and keyboard between multiple computers with different operating systems, each with its own display, without special hardware. It’s intended for users with multiple computers on their desk since each system uses its own monitor(s).

Home page

http://synergy2.sourceforge.net/

———————————————————————————————————————————-
Config synergy on debian:

http://synergy2.sourceforge.net/configuration.html

using linux machine as a client machine

apt-get install synergy

start synergy client:

synergyc «synergy server IP here»

on windows machine as a server machine:

Debian is my linux machine and it is on the left hand side

Wander is my windows machine and it is on the right hand side

Now config Synergy client on boot in Linux machine:

These instructions should work for running the synergy client on your UBUNTU machine to connect to a locally networked computer running the synergy server. (I’ve not actually tried them myself.)
Let us know how you get on.

NOTE:
The «address of server machine»will probably be an ip address that looks something like 192.168.0.1 (DON’T put in the exact string «address of server machine»

To make the client run when gdm runs, but before anyone has logged in:

edit /etc/gdm/Init/Default:

Code:

sudo gedit /etc/gdm/Init/Default

Added the following lines in the middle of the file BEFORE the “sysmodmap=/etc/X11/Xmodmap” line:
Code:

SYNERGYC=`gdmwhich synergyc`
if [ x$SYNERGYC != x ] ; then
$SYNERGYC «address of server machine»
fi

The only problem with that is once you log in it kills off the client, so you need to make it start again for you.

edited /etc/gdm/Init/Default:

Code:

sudo gedit /etc/gdm/PreSession/Default

Added the following lines in the middle of the file BEFORE the “XSETROOT=`gdmwhich xsetroot`” line:
Code:

SYNERGYC=`gdmwhich synergyc`
if [ x$SYNERGYC != x ] ; then
$SYNERGYC «address of server machine»
fi

Log out and back in again.

The synergy client should now startup and run whenever your gdm session does.

NOTE:
The «address of server machine»will probably be an ip address that looks something like 192.168.0.1 (DON’T put in the exact string «address of server machine»)

Source from: http://ubuntuforums.org/showthread.php?t=48196