DEV Community: Dhirva Makadiya

Set up FreeIPA Server & Client.

Dhirva Makadiya — Thu, 09 May 2024 06:18:00 +0000

In this guide, we'll set up a FreeIPA server and client on AWS EC2 instances using CentOS 9, restrict particular users to allow/deny SSH to a particular client, and also restrict the particular user to allow/deny only particular sudo commands inside the client.

What is FreeIPA?

FreeIPA aims to provide a centrally managed Identity, Policy, and Audit (IPA) system. It is an integrated Identity and Authentication solution for Linux/UNIX networked environments. A FreeIPA server provides centralized authentication, authorization, and account information by storing data about users, groups, hosts, and other objects necessary to manage the security aspects of a network of computers.

Advantages of FreeIPA

Convenient User and Group Management: FreeIPA provides an interface for creating, editing, and deleting users and groups. This simplifies the tasks of administrators to manage user access.
Centralized Management: Administrators can centrally manage and monitor users and devices on the network, which increases security and facilitates administration.
Free and Open-Source
Enhanced Security: The platform provides mechanisms for two-factor authentication, centralized management of certificates and keys, and role-based access control.

Setup FreeIPA Server and Client

1. Provision EC2 Instances

Launch two EC2 instances: Server: FreeIPA Server Client: FreeIPA Client
Attach Elastic IP (EIP) to each instance for static public IP.

2. Initial Setup on FreeIPA Server



yum update -y
dnf install nano
dnf install firewalld
systemctl enable firewalld
systemctl start firewalld

3. Configure DNS Records

Log in to GoDaddy and navigate to your domain management.
Add DNS records for FreeIPA domains:

ipa.letsgoanywhere.info pointing to FreeIPA Server's public IP
free.ipa.letsgoanywhere.info pointing to FreeIPA Server's public IP
client.ipa.letsgoanywhere.info pointing to FreeIPA Client's public IP

4. Configure FreeIPA Server
Connect to the server through SSH



echo "<server_private_ip> free.ipa.letsgoanywhere.info" | sudo tee -a /etc/hosts
echo "free.ipa.letsgoanywhere.info" | sudo tee /etc/hostname
sudo reboot

# After reboot:
sudo yum install ipa-server ipa-server-dns -y
sudo firewall-cmd --permanent --add-service={dns,ntp,http,https,ldap,ldaps,kerberos,kpasswd}
sudo firewall-cmd --reload
sudo ipa-server-install --setup-dns

NOTE: Remember the following values while setting up FreeIPA server dns
Hostname : free.ipa.letsgoanywhere.info
Domainname: ipa.letsgoanywhere.info
IP : <Private ip of IPA server>
Continue to configure system with these values: yes

To obtain a ticket-granting, run the following command:
kinit admin
Access FreeIPA web UI using the FreeIPA Server's public IP. Log in as admin with the admin password.
Add a new user and explore user management features. By default only one admin user is present.

5. Configure FreeIPA Client
Connect to the client through SSH



sudo yum update -y
sudo dnf install nano

# Update hostname and hosts file
sudo hostnamectl set-hostname client.ipa.letsgoanywhere.info
echo "<private-ip-of-client> client.ipa.letsgoanywhere.info" | sudo tee -a /etc/hosts
echo "<private-ip-of-server> free.ipa.letsgoanywhere.info" | sudo tee -a /etc/hosts

# Install and configure FreeIPA client
sudo yum install ipa-client -y
sudo ipa-client-install --hostname=client.ipa.letsgoanywhere.info --mkhomedir --server=free.ipa.letsgoanywhere.info --domain=ipa.letsgoanywhere.info --realm=IPA.LETSGOANYWHERE.INFO

NOTE: Remember the following values while setting up the FreeIPA client
Proceed with fixed values and no DNS discovery: yes (Check all client and server hostnames and domain names)
Continue to configure the system with these values: yes
User authorized to enroll computers: Username: admin and Password: <which we had set up for IPA admin server setup>

After the server and client are connected it will show two hosts in FreeIPA server. Initially, before the client setup, there was only one host present.

6. Testing

Test connectivity from the FreeIPA Server to the FreeIPA Client. To connect to FreeIPA client first we need to connect to FreeIPA server and inside it we will SSH with client's IP. ```

ssh @

Example: ssh abc@54.175.68.226

![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5fs3jt5zlnc58l618ej0.png)

## **Restrict/Allow particular user to connect(SSH) to any particular client**

1. Create a user which you want to restrict to SSH to particular client
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/6ichvnlc6al16qz0epcf.png)
2. Go to Policy > HBAC rule and disable the current rules
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g36w9k6abd1ewmd80x4t.png)
3. Add new HBAC rule where we allow only demo user to SSH to client and no other user is allowed to SSH to that particular client.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2nhambs41y9wiyutxltj.png)
4. Test: If we SSH using the demo user we can connect to a client but if we SSH using user2 it shows permission denied as we have allowed only demo user to connect to client.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qaucfdq1qj69f00vwjnv.png) 

## **Restrict/Allow particular user to execute commands inside client**

1. Go to Policy > Sudo > Sudo commands. Add commands which you want to allow demo user to execute using sudo.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/6n0co9gt0ntffxekglrk.png)
2. Create sudo command group and add the sudo commands inside this group
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/eadu7n0xmn82omua5x9n.png)
3. Create a sudo rule where we will allow the demo user to execute the `sudo touch demo.txt` command only. All other sudo commands will be denied by default.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xniiqb8zhrg8qsrlwmha.png)
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/66zrwpgt84ccc3l9d58n.png)

4. Test: Using demo user if we run `sudo touch demo.txt`, it is allowed. But if we run `sudo touch demo.pdf`, it shows permission denied.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5uxcdcryzmd0r65a5wlr.png)

## **Conclusion**

> By following these steps, you'll have a fully functional FreeIPA server and client setup integrated with a custom domain. 
Most importantly we have restricted users to allow/deny to execute sudo commands and to ssh to particular clients using FreeIPA server. This configuration enables secure identity management and user authentication using FreeIPA.

Set up Pritunl Server and Integrate with Filebeat, Elasticsearch & Kibana for getting logs and alerts.

Dhirva Makadiya — Thu, 02 May 2024 11:16:15 +0000

In this comprehensive guide, we’ll walk through the process of setting up a Pritunl VPN server on Ubuntu 22.04 instance. We’ll then integrate the Pritunl server logs with Filebeat, Elasticsearch, and Kibana to visualize and monitor VPN activities and set up alerts for specific events.

What is Pritunl Server?

Pritunl Server is an open-source VPN server that's easy to set up and manage through a web-based interface. It supports various authentication methods, offers scalability for large deployments, and works on multiple platforms. Key features include security with two-factor authentication, high availability configurations, and built-in logging and monitoring. It's a user-friendly solution for setting up VPNs in businesses and enterprises.

Benefits of the Pritunl server over VPN:

Simplicity: Using the web interface or command line, you can easily install and configure Pritunl VPN on your server. You can also connect to VPN networks using the free and cross-platform Pritunl client or any other client supporting OpenVPN.
Security: You can be sure that your traffic is protected by strong encryption and authentication using OpenVPN standards and protocols.
Openness: You can use Pritunl VPN for free.
Integration: Using API and webhooks, you can integrate Pritunl VPN with other applications and platforms. For example, you can integrate Pritunl VPN with your Identity Management System (IAM), such as Active Directory, LDAP, or SAML.

Deploying Pritunl Server

1. Launch EC2 Instance and Private Server

Launch an Ubuntu 22.04 instance and one private instance within the same VPC.

2. Create Installation Script for Pritunl

Create a bash script named install_pritunl.sh with the following content to set up Pritunl and MongoDB: ```

!/bin/bash

Add Pritunl repository

sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt jammy main
EOF

Import Pritunl signing key

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7568D9BB55FF9E5287D586017AE645C0CF8E292A

Update package repository

sudo apt update

Install WireGuard and Pritunl

sudo apt -y install wireguard wireguard-tools
sudo apt -y install pritunl mongodb-org

Enable and start services

sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl

- Run the script:
`. ./install_pritunl.sh`

**_3. Configure Pritunl Server_**
- Access the Pritunl web interface using the public IP over HTTPS.
- Sign up
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rs3h1tm7uv89791fpsdm.png)
- Create organization
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hhrg204hj7cen4o756wg.png)
- Create a user inside the organization that you created
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dxr1zw8cs0iyya7zqvak.png)
- Add a server
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xn0jyk08wn09xa6pn9q8.png)
- Attach the server to the organization that you created
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tkpaoy9i20pd9nb7xmcy.png)
- Download the user's profile by going to the temporary profile link and download the zip file. Unzip that ovpn file.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rt8t3dcg625m99a80kcf.png)
- Download OpenVPN if not present
- Inside OpenVPN add the user's profile and connect to the Pritunl server. Add username and password of pritunl login . Add a response pin which is set when we create a user.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hqacfn8xwfjtw6oemb9v.png)
- Successfully connected to the Pritunl VPN.
- Now we will test whether we can connect(SSH) our private server which is in the same VPC network when we are connected to pritunl VPN.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w3k3ybi2zszhfk4l4971.png)
We can successfully SSH to our private server if they are in the same network and connected to our Pritunl VPN server. 

## **Integrating Pritunl Logs with Elasticsearch and Kibana using Filebeat.**

**_1. Install Elasticsearch_**
- Install and configure Elasticsearch for log storage:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update
sudo apt-get install elasticsearch


_**2. Configure Elasticsearch**_
- Edit /etc/elasticsearch/elasticsearch.yml with the following settings:

cluster.name: my-application
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: localhost
http.port: 9200
discovery.seed_hosts: ["127.0.0.1"]
xpack.security.enabled: false

- Start Elasticsearch service:

sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service

- Access Elasticsearch at _http://public-ip-address:9200_
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9w41bwhfxeo2k4e2mmpf.png)

**_3. Install and Configure Filebeat_**
- Install and configure Filebeat to ship logs to Elasticsearch:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.0.0-amd64.deb
sudo dpkg -i filebeat-8.0.0-amd64.deb
sudo nano /etc/filebeat/filebeat.yml

- Example filebeat.yml configuration:

filebeat.inputs:

type: log paths:
- /var/log/pritunl.log

output.elasticsearch:
hosts: ["localhost:9200"]
username: "your_username"
password: "your_password"

- Start and enable Filebeat:

sudo systemctl enable filebeat
sudo systemctl start filebeat


**_4.  Install and Configure Kibana_**
- Install and configure Kibana for log visualization:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update
sudo apt-get install kibana
sudo nano /etc/kibana/kibana.yml

- Example kibana.yml configuration:

server.port: 5601
server.host: 0.0.0.0
elasticsearch.hosts: ["http://localhost:9200"]

- Start and enable Kibana:

sudo systemctl enable kibana
sudo systemctl start kibana


**_5. Setting Up Alerts in Kibana_**
- Access Kibana at http://public-ip-address:5601.
- Navigate to Discover and configure the message and timestamp fields.
- In Observability, go to Alerts > Manage Rules.
- Create a new rule with conditions based on Pritunl logs (e.g., Authenticating user).
- We will create a rule that whenever a user connects to our Pritunl VPN server we should get an alert.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gtz6v0yvklija9c9pafi.png)
- Add actions to activate alerts (e.g., add server log)
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5ym8w00z2prh0h5gmoiy.png)
- Logs dashboard and Triggered alerts 
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wm0nricqf4knqx49r9nj.png)
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kq6hjswtegnr9f89ddcf.png)

## **Conclusion**

> We have successfully set up a Pritunl VPN server, integrated its logs with Filebeat and Elasticsearch, and configured alerts in Kibana. This setup provides comprehensive visibility into VPN activities and enables proactive monitoring through real-time alerts. 
Happy monitoring and secure VPN access!