Friday, December 30, 2016

Fortigate - LAN & WIFI interface configuration and communication between both interfaces


Step 1 - Configure the LAN & WIFI interfaces, each on a different IP network (subnet).

Step 2 - Create an address object for the WIFI users and a user group that is allowed to access and manage the WIFI router.

Step 3 - Create a policy that gives the WIFI users internet access. We can also restrict the users to a limited set of services in this policy.

Step 4 - Create another policy from the LAN interface to the WIFI interface. This policy is needed whenever the WIFI modem or WIFI devices must be reachable from the LAN; allow it only for the assigned users or group.

After that, check that the WIFI users can reach the Internet.

That's it....

How to setup VSFTPd server in ubuntu 14.04

FTP is used to transfer files from one host to another over a TCP network. Three popular FTP server packages are available: PureFTPd, vsftpd and ProFTPD.

If you are logged in as a normal user, you have to put "sudo" before each command (you are asked for your password only the first time). If you are logged in as root, you can run the commands without "sudo".

Step 1 » Update your repositories.
     root@digidom:~# apt-get update

Step 2 » Install VsFTPD package using the below command.
     root@digidom:~# apt-get install vsftpd

Step 3 » Check the vsftpd directories and file paths.
     root@digidom:~# whereis vsftpd

     vsftpd: /usr/sbin/vsftpd /etc/vsftpd.conf /usr/share/man/man8/vsftpd.8.gz



Step 4 » Back up the /etc/vsftpd.conf file.

     root@digidom:~# cp /etc/vsftpd.conf /etc/vsftpd.conf.back


Step 5 » After installation, open the /etc/vsftpd.conf file and make the changes below. The egrep command prints only the active (non-comment, non-blank) lines, so the listing shows the resulting configuration.
     root@digidom:~# vi /etc/vsftpd.conf
     root@digidom:~# egrep -v '^#|^$' /etc/vsftpd.conf
     listen=YES
     anonymous_enable=NO
     local_enable=YES
     write_enable=YES
     dirmessage_enable=YES
     use_localtime=YES
     xferlog_enable=YES
     connect_from_port_20=YES
     secure_chroot_dir=/var/run/vsftpd/empty
     pam_service_name=vsftpd
     rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
     rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Step 6 » Restart vsftpd service using the below command.
     root@digidom:~# service vsftpd restart

Step 7 » Create an FTP user account.
Assign a password and feel free to press "ENTER" through the other prompts. (Giving root ownership of the ftpuser's home directory is covered in the optional setup at the end.)

     root@digidom:~# sudo adduser ftpuser  

Step 8 » Now try to connect to this FTP server with the username and password on port 21 using a WinSCP or FileZilla client.
With this default configuration the user is not confined to the home directory: every directory the account can read on the system is browsable through the FTP client, which is not secure. At this point, though, the FTP connection itself is working fine.

Step 9 » Enable the chroot_local_user option to restrict users to their own home directories.
     root@digidom:~# vi /etc/vsftpd.conf
     chroot_local_user=YES

Error : 500 OOPS: vsftpd: refusing to run with writable root inside chroot(). vsftpd shows this error when the chroot root (the user's home directory) is writable by the user. To allow a writable chroot, add:

     root@digidom:~# vi /etc/vsftpd.conf
     allow_writeable_chroot=YES

Note : If the "allow_writeable_chroot" option is enabled, there is no need to create a directory. If it is not enabled, we need to create a directory inside the user's home directory and set the permissions as shown below.

Optional Setup : If allow_writeable_chroot=YES is not enabled

     root@digidom:~# tail /etc/passwd | grep ftpuser
          ftpuser:x:1000:1000:,,,:/home/ftpuser:/bin/bash

     root@digidom:~# chown root:root /home/ftpuser/

     root@digidom:~# mkdir /home/ftpuser/mailbox
     root@digidom:~# chown ftpuser:ftpuser /home/ftpuser/mailbox/

     root@digidom:~# ll -d /home/ftpuser/

          drwxr-xr-x 3 root root 4096 Dec 17 04:27 /home/ftpuser/

     root@digidom:~# ll /home/ftpuser/

          drwxr-xr-x 2 ftpuser ftpuser 4096 Dec 17 04:27 mailbox/
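The two ways out of the "500 OOPS" error above (allow_writeable_chroot=YES, or a root-owned home with a writable subdirectory) can be checked before anyone logs in. The script below is an added example and is not part of the original post or of the vsftpd project: it edits a vsftpd.conf idempotently, reproduces vsftpd's writable-root test from the outside using ownership and mode bits, and applies the optional root-owned-home layout. Function names, the default subdirectory name "mailbox" (taken from the listing above) and the reliance on GNU stat/sed (as shipped on Ubuntu) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Step 9 chroot settings
# to a vsftpd.conf and predict the "500 OOPS: vsftpd: refusing to run with
# writable root inside chroot()" rejection before restarting the service.
# Requires GNU coreutils/sed (stat -c, sed -i). Names are this example's own.

# Print the active value of KEY in CONF (last uncommented match), or nothing.
vsftpd_get() {
    conf=$1; key=$2
    sed -n "s/^$key=//p" "$conf" | tail -n 1
}

# Set KEY=VALUE in CONF: replace the active line if present, else append.
vsftpd_set() {
    conf=$1; key=$2; value=$3
    if grep -q "^$key=" "$conf"; then
        sed -i "s|^$key=.*|$key=$value|" "$conf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# Return 0 if USER could write to DIR, judged from ownership and mode bits.
# vsftpd itself calls access(2) as the logged-in user after chroot(); this
# reproduces that test from the outside so it can run before any FTP login.
chroot_root_is_writable() {
    dir=$1; user=$2
    owner=$(stat -c '%U' "$dir"); group=$(stat -c '%G' "$dir")
    perms=$(stat -c '%A' "$dir")               # e.g. drwxr-xr-x
    case "$perms" in ??w*)                     # owner write bit set
        [ "$owner" = "$user" ] && return 0 ;;
    esac
    case "$perms" in ?????w*)                  # group write bit set
        for g in $(id -Gn "$user"); do
            [ "$g" = "$group" ] && return 0
        done ;;
    esac
    case "$perms" in ????????w*) return 0 ;; esac   # world write bit set
    return 1
}

# Return 0 if a chrooted login for USER (home directory HOME) would be
# accepted under CONF, 1 if vsftpd would reject it with the 500 OOPS error.
vsftpd_chroot_preflight() {
    conf=$1; home=$2; user=$3
    # chroot_local_user unset or NO: no chroot, so nothing to check
    [ "$(vsftpd_get "$conf" chroot_local_user)" = "YES" ] || return 0
    # allow_writeable_chroot=YES disables the writable-root refusal
    [ "$(vsftpd_get "$conf" allow_writeable_chroot)" = "YES" ] && return 0
    if chroot_root_is_writable "$home" "$user"; then
        echo "would fail: $home is writable by $user and allow_writeable_chroot is not YES" >&2
        return 1
    fi
    return 0
}

# The "Optional Setup" layout from the post: root-owned, non-writable home with
# one subdirectory the user may write to. Needs root; run once per FTP account.
setup_chroot_home() {
    home=$1; user=$2; subdir=${3:-mailbox}
    chown root:root "$home" && chmod 755 "$home"
    mkdir -p "$home/$subdir" && chown "$user:$user" "$home/$subdir"
}

# Typical use on the server, as root:
#   vsftpd_set /etc/vsftpd.conf chroot_local_user YES
#   setup_chroot_home /home/ftpuser ftpuser
#   vsftpd_chroot_preflight /etc/vsftpd.conf /home/ftpuser ftpuser && service vsftpd restart
```

The root-owned-home variant is the tighter of the two: with allow_writeable_chroot=YES a user who can write to the chroot root could also plant files such as a .bashrc or symlinks there, which is exactly what vsftpd's refusal is meant to prevent. Note also that the Step 5 listing never sets ssl_enable=YES, so the rsa_cert_file lines are inert and the FTP credentials and data travel in clear text; enabling TLS is a separate change to the same file.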

That's it...

Saturday, December 24, 2016

Fortigate - Site to Site IPsec VPN Tunnel between a Fortigate 30D & 100D


Part 1 : Branch Office configuration:


Step 1 - Login to Fortigate 30D and check the details (Branch).


Step 2 - Before changing anything, take a backup of the configuration.
 

Step 3 - Create a Fortigate DDNS entry, so the unit can be reached through a domain name.

Dynamic DNS is very helpful if your Internet Service Provider gives you a DHCP (dynamic) address. Fortinet hosts its own Dynamic DNS servers, which can be configured in the GUI. Using their servers lets you reach your Fortigate via a DNS name that updates automatically whenever your IP address changes.

After that, check that the name resolves from the Internet.

Step 4 - Now we need to create the IPsec VPN tunnel on the 30D in the branch office.
Here I am choosing a custom VPN tunnel, which has to be configured manually.
In the Authentication step, set the HO FortiGate's IP as the Remote Gateway, and set the same Pre-shared Key on both the HO VPN and the Branch VPN.

Step 5 - Creating the IPsec VPN automatically creates a VPN interface. Then create a zone and add the IPsec VPN interface to this zone.

Step 6 - Create new policies for the VPN communication: LAN to VPN and VPN to LAN.


Step 7 - Create a static route from the Branch to the HO.


Part 2 : Head Office configuration


Step 8 - Before doing anything, check the details and back up the configuration file.

Step 9 - Create the IPsec VPN tunnel, Phase 1 and Phase 2.
Here we select 'Dynamic DNS' as the Remote Gateway type and enter the Branch DDNS name.



Step 10 - Check the interfaces and create a new zone for the IPsec VPN, then add the newly created interface to it.

Step 11 - Create new policies for the IPsec VPN: LAN to VPN and VPN to LAN.

Step 12 - Configure the static route from the HO to the Branch.

Step 13 - Finally, we can monitor and check the IPsec VPN connection.

That's it...