Chaining Operations and Operators in Linux

This is my list of my most used chaining operators in Ubuntu.

1 .   Semi-colon operator ;

The semi-colon allows you to chain multiple commands so that they run in-order.

# apt-get update ; apt-get upgrade ; echo 'upgrades are done'


2 . Single Ampersand &

The single ampersand will execute a command in the background and can chain commands to run in the background. You use the command followed by a space and the ampersand per command.
To run a single command:

# ping &

To run more than 1 command in the background:

# ping & cp ~/* . & apt-get update &


3 . Double Ampersand AND Operator &&

The && symbol, also called the AND Operator, links and executes commands in order only if the previous command is successful.
Technically a command is successful if it completes with exit status 0.
For example, I want to create a directory and file, but I only want to create the file is the directory is created correctly.

# mkdir ~/test && touch ~/test/tempfile1


4. Single PIPE |

The PIPE operator is used when you want the output of one command to be the input of a following command.
For example, this will list installed packaged then search for lines with ‘java’.

# dpkg -l | grep java


5. OR Operator ||

The OR operatorm || is similar to the AND operator, only here it will execute the following command only if the previous command failed. A command fails if it exits with status code 1.

# mkdir ~/test || echo 'The command failed'


6. NOT Operator !

The NOT operator ! is used in a command to identify those items that should be exempt from the command.
For example, imagine a directory with various filetypes and you wanted to remove all files except the PDFs.

# rm -r !(*.pdf)  


7. AND OR Operator && ||

This combination of the AND && and the OR || operators delivers what is basically an if-else statement based on the exit status code of the 1st command. BASH Shell has other command to get an if-else result, but this is using just the Operators.
For Example:

# mkdir ~/testdir && echo 'Directory Created' || echo 'Directory Creation Failed'


8. Precedence ()

When using && and ||, the exit codes determine whether or not to execute the following commands. Also, it is important to understand that the && and || only evaluate the 2 commands preceding and following the operators. So when using multiple operators, setting groups and precedence comes in handy when you want to ensure groups of commands complete or fail in a certain way.
In this example, Both commands in the 1st set () must exit with 0 in order for the next () set to execute.

# (ls *.pdf > pdf-files.list && cp *.pdf ~\) && (ls *.tar > tar-tiles.list && cp *.tar ~\) || echo 'Needs attention' 



Precedence can become very unreadable very quickly. I prefer using BASH’s IF THEN ELSE commands. These work just like any programming languange… IF something is true, THEN execute this command, otherwise (ELSE) run this command. Note that in BASH the if is concluded with ‘fi’.
There are pages of options for IF THEN ELSE which you should explore.
For example, this is a very basic example:

# if ls *.pdf ; then echo 'There are PDFs here' ; else echo 'There are no PDFs here' ; fi 

How to Install OwnCloud to Ubuntu 14.04 LTS

This quick how-to steps you through a simple installation of OwnCloud to a Ubuntu 14.04 server.

First, you need some prereqs:

 sudo apt-get install php5-gd mysql-server

To begin, you need to add the repository for ownCloud for ubuntu 14.04.

wget -nv -O Release.key
apt-key add - < Release.key

Next, update the lists and install the package.

sh -c "echo 'deb /' >> /etc/apt/sources.list.d/owncloud.list"
apt-get update
apt-get install owncloud

Once the package is installed, access the ownCloud interface at http://SERVERNAME/owncloud

The first time you launch it, it will prompt you to create an admin id and password. Optionally, you can pick the Data folder location and choose MySQL vs SQLite.

owncloud setup 1404


After you create the admin user and sign into the OwnCloud Interface, if you are installing this for home use, you will probably want to enable some basic plug-ins.   If you plan on syncing calendars and contacts, then you will need at least those 2 add-ons.

Click on the Files entry on the upper left for the pull down menu shown below.   Click on the + to add new apps.

owncloud setup 1404

owncloud setup 1404


Select ‘Productivity’ from the left hand menu and Enable the Calendar and Contacts Applications.

owncloud setup 1404

owncloud setup 1404


Once completed, you will be taken to the web interface. Here you can add users and adjust settings as needed. I create the users here and that will pretty much complete the basic install.

ownCloud Admin menu

Last thing to do is load a desktop client available from ownCloud’s web page

Next Steps that you should consider:
1) Enforce https connectivity to the owncloud, this is done through the admin menu selection.
2) Turn on Antivirus. Enabling this app in the Admin->apps menu sets up ClamAV to scan all uploaded content.
3) Make sure you are backing up the Owncloud Data Directory and the MySQL database.


There are additional options here for LDAP authentication, email alerts, and much more beyond this basic setup. Explore the add-on applications as well.

How to Install Mylar for use with SABnzbd on Ubuntu Linux

In other posts, I have installed SabNZBD, Sickbeard, and Couchpotato for auto downloading of TV and Movies. In this case, I wanted to use the same process to download Comic Book Files, CBRs, automatically based on created lists, have SABnzbd download them, and have them moved to a permanent folder for viewing access.

Mylar is a great solution. It’s an open-source project maintained by evilhero and works very well and is still under active development.

Before you start, make sure you have a working SABnzbd install on the Host.

Let’s get the pre-reqs out of the way also:

sudo apt-get install git-core

Download the latest copy of Mylar. I like using the /opt directory for full contained applications. Mylar is still in active development so I opt to have the latest development branch downloaded via git.

cd /opt
git clone -b development

To have Mylar start automatically, copy out the /opt/mylar/mylar.init.d file to /etc/init.d, make it executable, and add it to auto start.

sudo cp /opt/mylar/init-scripts/ubuntu.init.d /etc/init.d/mylar
sudo chmod +x /etc/init.d/mylar
sudo update-rc.d mylar defaults

Create the user account for mylar to use and optionally add it to a user group.

## Create the system only mylar user
sudo adduser --system --no-create-home mylar

## If you use my tutorials, add mylar to the nabd group so it can access the common Downloads folder.   Otherwise, you don't need this. 
sudo usermod -g nzbd mylar

Change the owner of the /opt/mylar directory to the newly created ‘mylar’ user

chown -R mylar:root /opt/mylar

Now create/edit the /etc/default/mylar file and add the following items:

# path to app
# user

Start the service

/etc/init.d/mylar start

Mylar should now be available from that host on port 8090 using http://SERVERNAME:8090 The web interface should load and provide you with additional config options.

Now I want to get mylar to work with SABnzbd.

Bring up mylar web interface and click on Settings in the upper right and then click on the Download Settings tab. Fill in the information for your SABnzbd host. Note that in the API field, I used the NZB API from SABnzbd. Mylar doesn’t need full control over SAB, it only needs to add NZBs to SAB. Fill in the fields with the values for your system. If you have been using my examples, the image below should match the values you would use.

Configure Mylar

Last thing to do in order to get the basics up and running is to add a search provider. Here I use a custom NZB indexer. Click on upper right, for settings, select the search providers tab, check the box for Use Newznab, and fill in your indexer’s details. Be sure to save your changes.

Mylar Newznab Config

Now lets get the Post-processing scripts ready. Locate the scripts in /opt/mylar/sabnzbd.   Copy the 1 file  to the directory you have configured in SAB to hold the processing scripts, I prefer to use a softlink instead of copying the file for easier upgrades.

ln -s /opt/mylar/post-processing/sabnzbd/ /opt/sabprocessingscripts/

In SAB, you will want to add a new category for the mylar downloads. I choose the category ‘comics’ but you can call it whatever you want, just so long as the mylar download category matches exactly.
Mylar Sab Config

With that, you should have a basic, working Mylar installed.

Troubleshooting Permissions
If you encounter problems with the creation, copying, renaming of any files, check your mylar account permissions. In this example, I added mylar to a group called nzbd. When Mylar creates new sub-directories for content, the Linux default is to create the directory with permissions of 0755 meaning that the group nzbd does not have write permissions. You can solve this issue in many ways.

Make sure that you have both Mylar and SABNzbd configured to create directories with permissions of 777 and 0777 respectively.

Mylar Permissions

Mylar Permissions

SABNzbd Permissions

To make life easy, if you already have an nzbd user for SABnzbd to use, you can just run mylar under the nzbd account instead of creating a mylar account. This way mylar and SABNzbd are both running with the same user permissions.   If you do this, you’ll want to use ‘chown -R nzbd:nzbd /opt/mylar’ and change the RUN_AS user from mylar to nzbd.

For the security conscious, you can implement ACLs in linux to handle the permissions on directories. This requires the installation and configuration of an ACL utility on your system.

Install Couchpotato on Ubuntu Server

Couchpotato is an automatic NZBD downloader. Very similar to SickBeard in that it will watch newsgroups for NZBD files, download the NZBD, and hand the file off to SABNzbd, other download utility, or save it off to a directory so that the system can download the media.

In this example, I have a Linux server running SABNzbd. If you don’t have this setup, have a look here:
The goal here is to have couchpotato pull watch for and pull the nzbd, hand it off to SABnzbd, and let the server download the file.

I like to keep these “all in one” apps in /opt/.

 cd /opt

If you don’t already have Git installed, you will need that:

 apt-get install git-core

Grab the source from git.

 git clone

Once the GIT clone is complete, you should have a /opt/CouchPotatoServer directory.

Since I don’t want to run couchpotato as root, I am going to change the user it runs under. I already had a user called ‘nzbd’ from the previous SABnzbd/Sickbeard installations, so I’m going to use that since it would already have permissions to write out the nzbd files to the correct directories for SAB.

Here lets change the permissions on the new CouchPotato Directory.

 chown -R nzbd:root CouchPotatoServer/

Next, copy the init script out to /etc/init.d/ and make it executable.  Copy the Defaults file into /etc/default

cp /opt/CouchPotatoServer/init/ubuntu /etc/init.d/couchpotato
chmod +x /etc/init.d/couchpotato
cp /opt/CouchPotatoServer/init/ubuntu.default /etc/default/couchpotato

Edit the /etc/default/couchpotato file and edit the path and user as needed.   If you are using my tutorials, I have a common account called nzbd for all Download applications that use SABnzbd.

nano /etc/default/couchpotato

# path to app
# user

And finally, add it to start automatically.

# update-rc.d couchpotato defaults

With the Install completed, open up a browser and connect to the linux host on port 5050 to access couchpotato’s config page.

Since this is a new install, we don’t need to import a data.db. If you have one, Enter the location of the data.db here.

Here we add an id/pw to the couchpotato website. I always add one to all my sites. You can also change the default port if you wanted. I left it at the default of 5050.

Here you can specify the nzbd download app you are using. In this example, we use SABnzbd. So I check the box next to SAB and enter the information.
1) SAB host, I’m running on localhost:8080
2) SAB api key. This is found in the SAB webpage -> config -> general. Copy and paste the API key from the API key field.
3) Add a category. I used ‘movies’.

This is where you add in the information on your news provider. Whatever service you have, check the box and fill in to info required. The API keys for these services can be found on that service’s website under your account logon. Copy and paste the API key if needed.

Couchpotato will move and rename files for you after a complete download. Fill in the fields as needed. In my example, I am moving items:

FROM    /home/nzbd/Downloads/complete/
TO      /mnt/media/movies

Leave everything else as default.

Add movies to your wanted list
I love this little feature. Add the +Couchpotato link to your browser and as you browse IMDB or other sites, you can add the movie directly to your couchpotato want-list.

That’s it. Open up your browser, point it to your host on 5050, and start adding items.

If you enter a search item and nothing pops up, restart couchpotato on the server to kick it into gear.

StrongSwan Ipsec VPN for Remote Users with Certificate Based Authentication

This is a working strongswan ipsec config that can be used for a roadwarrior setup for remote users utilizing certificate based authentication instead of id/pw.

This is a pure IPSEC with ESP setup, not L2tp.
This is not 2 factor, it is cert only.

To get started:

sudo apt-get install strongswan

You need is a CA that is capable of registering AltNames in a cert. OpenSSL can do this easily. I used this guide to setup the basic openssl CA.

Once the CA is ready and you have generated your ca cert and ca private key, you next need to create a cert for the ipsec host and a cert for the end user.

For the Server:
Since I need the Alt Names in the certs, make a copy of /etc/ssl/openssl.cnf to be used for the Server.

cp /etc/ssl/openssl.cnf /etc/ssl/openssl-for-server.cnf
# Extension copying option: use with caution. copy_extensions = copy [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName=@alt_names [alt_names] DNS.1 = DNS.2 =

Now, using Openssl, create the request for the server, fill in the details of the req as needed, then sign the request.

openssl req -new -nodes -out ipsechost-req.pem -keyout private/ipsechost-key.pem -config /etc/ssl/openssl-for-server.cnf
openssl ca -config /etc/ssl/openssl-for-server.cnf -out ipsechost-cert.pem -in ipsechost-req.pem

Copy the certs to the correct locations for strongswan to use.

cp cacert.pem /etc/ipsec.d/cacerts
cp ipsechost-cert.pem /etc/ipsec.d/certs
cp private/ipsechost-key.pem /etc/ipsec.d/private/

Stongswan is configured using the /etc/ipsec.conf and /etc/ipsec.secrets files.
This is a very simple config that will work for providing access to remote users:
Edit /etc/ipsec.conf

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup

conn %default

conn common
        left=IP_OF_IPSEC_HOST          # Ip of the host
        leftcert=ipsechost-cert.pem    # the cert we just created and copied  # the Alt name in the Cert we just created
        leftsubnet=      # The internal subnet the remote user wants to access
        right=%any                     # Connections can come from anywhere
        rightsourceip=   # Use this pool of IPs to assign to these inbound connections

conn ikev2

Edit the /etc/ipsec.secrets file

: RSA ipsechost-key.pem

Restart/Reload IPsec.

ipsec restart

I like to watch logs just to be sure there are no errors:

tail -f /var/log/syslog /var/log/auth.log

Next we create a client cert. We need another copy of the openssl config file for user requests since the Alt Name changes from DNS to Email.

cp /etc/ssl/openssl-for-server.cnf /etc/ssl/openssl-for-users.cnf
[ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName=email:copy #[alt_names] #DNS.1 = #DNS.2 =

Create the request, fill in the details as needed for the user especially the email address, and Sign the request. The email address specified in the request prompts will be used in the cert for the Alt name and in the config for the user’s side of the tunnel.

openssl req -new -nodes -out user1-req.pem -keyout private/user1-key.pem -config /etc/ssl/openssl.cnf 
openssl ca -config /etc/ssl/openssl-for-users.cnf -out user1-cert.pem -in user1-req.pem 

You need to copy the user1-cert.pem, user1-key.pem, and the cacert.pem to the user’s machine. We will need these file to complete the VPN.

On the User’s Side:

sudo apt-get install strongswan

Copy the files into the proper directories
user1-cert.pem to /etc/ipsec.d/certs
user1-key.pem to /etc/ipsec.d/private
cacert.pem to /etc/ipsec.d/cacerts

Edit the client side ipsec.conf. This is a working config:

conn %default

conn roadwarrior
     leftsourceip=%config                # This will take an IP from the ip pool on server
     leftcert=ipsecuser1-cert.pem        # The user cert we copied in      # This is the email included in the Alt Name in the user cert
     leftfirewall=yes   # The location of the host, FQDN or IP # the Altname used by the ipsec host
     rightsubnet=          # the subnet on the servers side you want to access. 

Edit the ipsec.secrets file

: RSA ipsecuser1-key.pem

On the client, issue an “ipsec restart” and it should attempt to build the tunnel with that you are done.

Use “ipsec statusall” to get details on the tunnels. From the server, a healthy tunnel looks like this:

Security Associations (1 up, 0 connecting):
       ikev2[11]: ESTABLISHED 3 minutes ago, HOST_IP[]...REMOTE_IP[]
       ikev2[11]: IKEv2 SPIs: 49c4512b56436e5b_i 6276554588ce1803_r*, public key reauthentication in 50 minutes
       ikev2[11]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       ikev2{9}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd1e015f_i cd3cb1c1_o
       ikev2{9}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 12 minutes

Use “ipsec listall” for details on the host’s certs and configs. Here we want to be sure Alt Names are good, and the CA and certs are loaded correctly.

List of X.509 End Entity Certificates:
  subject:  "C=US, ST=NY, O=OpenPeak, OU=IT,,"
  issuer:   "C=US, ST=NY, L=NY, O=mydomain, OU=IT, CN=ipsecserver-ca,"
  serial:    10:03
  validity:  not before Mar 18 20:44:25 2015, ok
             not after  Nov 24 20:44:25 2028, ok 
  pubkey:    RSA 2048 bits, has private key
  keyid:     10:15:77:ae:2e:a4:e8:3f:cc:1f:6d:a9:d9:80:bd:9f:41:fb:63:e5
  subjkey:   3f:0c:bf:01:2f:c7:16:be:d4:83:5c:76:81:56:a9:f1:3a:84:b4:5f
  authkey:   b7:61:d7:32:19:65:c3:10:1a:43:23:27:bc:46:29:e5:ff:df:03:1c

List of X.509 CA Certificates:

  subject:  "C=US, ST=NY, L=NY, O=mydomain, OU=IT, CN=ipsecserver-ca,"
  issuer:   "C=US, ST=NY, L=NY, O=mydomain, OU=IT, CN=ipsecserver-ca,"
  serial:    db:e9:16:e0:44:a3:57:83
  validity:  not before Mar 18 15:49:45 2015, ok
             not after  Mar 15 15:49:45 2025, ok 
  pubkey:    RSA 2048 bits
  keyid:     18:47:07:92:b8:3d:a0:bb:88:bf:27:2b:4d:0b:a7:79:8b:c1:1b:ba
  subjkey:   b7:61:d7:32:19:65:c3:10:1a:43:23:27:bc:46:29:e5:ff:df:03:1c
  authkey:   b7:61:d7:32:19:65:c3:10:1a:43:23:27:bc:46:29:e5:ff:df:03:1c

Note that if you want to enable 2 factor with this, change the openssl request for the Clients to omit the -nodes option. This will prompt you for a password during the certificate creation that must be entered every time the client wants to connect.

Using Postfix to Relay messages to an ISP Email Server

Since my ISP blocks port 25, preventing me from running my own in-house email, I relay all my in-house emails and notifications generated from various components though the ISP email servers. This allows me to have internal components send messages to my in house server on 25 and those messages are relayed out to the ISP for delivery.

This setup works on Ubuntu 12.04 and 14.04

nano /etc/postfix/

Add the following (obviously replace the domain names and IP ranges with your own.)

myhostname = server.mydomain.local
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =, localhost
relayhost = []:587
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

#fix for some isp configs being stupid.
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/busted-servers
smtp_connection_cache_on_demand = no
smtp_discard_ehlo_keywords = pipelining,silent-discard

### Relay client Auth
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

Next we need to give the server the credentials it needs to perform the relay.
Create the password file:

nano /etc/postfix/sasl_passwd

Add the following line for your ISP.


Create the mailname file and change what is there

Echo >> /etc/mailname

Change permissions and run the mapping command.

Chmod 600 sasl_passwd
Postmap hash:/etc/postfix/sasl_passwd

That’s it. Send some test messages to your internal server and it should get delivered.

Replace Outlook Mail, Contacts, and Calendar with Thunderbird

My company uses MS Exchange 2013 for mail, contacts, calendars, and tasks. However, we have a lot of users on LInux desktops that can’t run Outlook. For others, the new Outlook 2013 is a horrible monstrosity of Flat icons on all all white background that burns your eyes after a few hours in front of the monitor. So I was after a complete replacement for Outlook to access email, contacts, and calendar on Exchange. Well, Email is easy. Calendar not so much. Contacts are deliberately making the task complicated on purpose. But here is a working solution using Thunderbird with some available plugins. These examples were taken from a machine running Mint 17 64bit but the same tasks should work well on Windows.


Install Thunderbird

Thunderbird is the mozilla based mail client. It comes installed on many Linux distros. IF you need to install it for any reason you can find it in the repos or directly from the thunderbird website.


Configure Thunderbird for Exchange Mail

  1. Add a new Mail account (Edit > Account Settings > Account Actions Button > Add Email Account)
  2. Note if you get prompted to add a new email at some 3rd party service, select “Skip this and use my existing Mail”
  3. Enter You Name to be displayed, email address, and password.setupTB1
  4. Thunderbird will most likely fail to autodetect the settings for Exchange.     An expanded window will appear prompting for settings for your Exchange.   These settings can be provided by the email admin.   You need the IMAP settings, SMTP settings, and note that the Username usually takes the form of DOMAINUsername.setupTB2
  5. Hit DONE when complete


Install Lightning for Thunderbird

Lightning is a Thunderbord Add-on that provides the calendar and task list services.   Installation is done from Thunderbird.

  1. Click Tooks > Add-ons (or use the menu button on the right and pick add-ons.  BTW to get the menu bar back, click to the right of the tabs and select Menu Bar).
  2. In the Search box, enter ‘lightning’
  3. Select the Lightning Plug-in.   Install it and Restart.


Install Exchange connector

The real trick here is getting the calendar, contacts, and tasks to sync with Exchange.   The only plug-in that I’ve found that does this is located at

  1. Access that link and download the lastest version of the plugin.
  2. Save the xpi file on your machine.
  3. From Thunderbird, Access the add-on manager (Tools > Add-ons)
  4. Click the box next to the search window and select “Install add-on From File”
  5. Select the xpi plug in you just downloaded.
  6. Restart Thunderbird


Configure Calendar

  1. Click the Calendar button to open the calendar tab.
  2. Right click on the blank space under calendar and select “New Calendar”
  3. Select “On the Network” and click next
  4. Select “Microsoft Exchange 2007/2010/2013” and click nextcalendar-pick_msexch
  5. Give the Calendar a name like “Exchange Calendar” and pick the email associated with the Exchange account (this should match the one you just setup on IMAP above).  Hit next when done.calendar_calendaroptions
  6. Click the Autodiscover (any good admin has this setup). Fill in the username and the domain.  Leave the Folder id field empty.   Click “Perform Autodiscovery” when ready.calendar-Perform_autodiscovery
  7. You will probably get a prompt to enter your Email account password.   Enter the Password and continue.
  8. You will probably get the option to Pick an EWS server.   You’ll probably only have 1 in the list, otherwise, ask your admin.  Continue when ready.
  9. You will get a final window showing the calendar root.   make edits as needed, but most can just accept the default and hit Next.calendar_final
  10. In the list of calendars, you should now see an entry for your calendar on Exchange.


Configure Contacts

  1. In Thunderbird’s inbox tab, select Address Book.AddressBook-1
  2. In the Address Book window, select the “Add Exchange Contact Folder”AddressBook-2
  3. Enter a Descriptive Name
  4. Check the Add Global Address List to Serch results.
  5. Check the Use Exchange’s Autodiscovery function.
  6. Enter your email, username and Domain in the correct fields and perform the autodiscovery when ready.AddressBook-3
  7. Once again, enter password if prompted and pick the correct EWS server if prompted.
  8. Make edits to the contact root folder as needed.  Most can leave it at default.   If your company uses a Public Folder for contacts, you can change the root to Public Folders and browse to the correct folder.


That’s it.   You can add as many calendars and address book entries as you need.  I did this and now don’t have very good solution to replace Outlook in any desktop.

OpenSwan Error – One Way Traffic with Cisco ASA

Openswan 2.6.37

Symptom: OpenSwan to Cisco ASA Site to Site Tunnel has one way traffic.
Description: The Ipsec Tunnel builds, both the openswan host and the ASA show the tunnel up but traffic only flows from the ASA into Openswan, traffic does not flow back from openswan. No errors were shown in the auth.log.

Solution: It turns out that the issue was related to the openswan ipsec conf file for this connection. The Leftid and rightid were setup as shown here in the problematic conf file:

conn tunnel-to-HQ


This conf file would would just fin for an Openswan to Openswan IPSEC tunnel. But for an ASA to Openswan tunnel, it failed to pass two way traffic.

The simple fix was to replace the leftid and rightid with the IP addresses of the 2 peers as shown below:

conn tunnel-to-HQ

The secrets file should reflect the IP addresses in the conf for this PSK setup: PUBLIC.IP.OF.ASA: PSK "123456789"

Restart the tunnel and traffic flowed normally.

How to Log IPTABLES Dropped Packets to Syslog

Simply, I want to have IPTABLES log whenever it drops a packet.

To log all dropped incoming packets, add these entries to the bottom of your IPTABLES rules:

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

To log all dropped outgoing packets, add these entries to the bottom of your IPTABLES rules:

iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

To log all dropped packets, incoming and outgoing:

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

All items will be sent to the local syslog.

Enabling HTTPS access to OwnCloud

This document can be used for Owncloud Ver 8 and Ubuntu Server 14.04.

If you are running owncloud and have it facing the public internet, you should really be enforcing https communication. Even if it is internal only, enforcing https is a good idea. Since owncloud runs on top of apache2, enabling https is pretty easy. There are lots of tutorials available for this. I have added this here for easy reference.

To start, you need to have a cert issued from a known authority or you create a self signed cert. If you plan on using WebDAV with IOS, I have found that a cert from a known authority works where a self signed certs cause issues. You can thank apple for that.

Since we are using certs, you need openssl modules if you don’t already have it installed.

You should have a public cert, private key, and a root-CA from the issuing Authority.
Copy your public cert PEM file into /etc/ssl/certs/my-public-cert.pem
Copy your private key file into /etc/ssl/private/my-private-key.key
Copy your CertAuth-Rootca.crt file into /usr/local/share/ca-certificates

This command will read in the Root-CA Cert and add it to the trusted list for this server.

sudo update-ca-certificates

Note: For some installations, you need to use “sudo dpkg-reconfigure ca-certificates” instead which calls update-ca-certificates

Now that the CA is trusted, enable the needed apache plugins:

a2enmod rewrite && a2enmod headers && a2enmod ssl

Create an apache virtual host:

nano /etc/apache2/conf-available/owncloud-ssl.conf

Add the following to the new file.   This will forward requests from port http port 80 to https port 443 ensuring all communication is encrypted.    The virtual host 443 is setup with the certificates specified.   The mod_headers is an best practices entry from owncloud for a more secure server.

<VirtualHost *:80>
    RewriteEngine on
    ReWriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/my-public-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/my-private-key.key
    DocumentRoot /var/www/owncloud

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

Next we enable the new conf file:

a2enconf owncloud-ssl.conf

Restart apache:.conf

sudo service apache2 restart

Now access owncloud over https://servername . Notice “/owncloud” is not requried in the URL because of the Document Root entry in the conf we added to apache. Navigate to the Admin page and enable the “Enforce HTTPS” option. Enforce HTTPS can only be enabled while accessing the page via https.

HTTPS Enforcement on OwnCloud

HTTPS Enforcement on OwnCloud

All clients can now use https://servername to access the cloud. Http access is no longer available for clients making the server more secure.