Pki on Mohamed Raid TechBlog

BasicServerSetup

Wed, 17 Jun 2026 20:30:48 -0400

In this article I will cover the first steps you should do when booting up a fresh new (Cloud VM, VPS, Bare Metal Server, etc.), I will be referring to this article in the future.

The steps are simple but very important to guard the security of your online resources. Nobody wants to fall victim to a simple bot crawling the internet and bombarding sites with basic exploits or even password spraying attacks!! So let’s dive right in.

Log in as ROOT

Just ssh to your IP and log in to your root account

Create a non-root user with sudo privileges

adduser MY-NEW-USER
usermod -aG sudo MY-NEW-USER

Give your new user a nice long password with letters, characters, numbers. Or just use a password generator.

Setup SSH for new user

On your local machine generate a key pair

ssh-keygen -t ed25519

this will create two files: a private and a public key. Go ahead and copy the contents of the public key then login to the remote server create the (~/.ssh/authorized_keys) file then paste the contents there. Try logging in as the newly created user with the ssh. If succeded close the window where you’re logged in root.

Most Cloud Providers will just prompt you for a username and password while resource provisioning, this user will have sudo privileges and the root account would be disabled by default. If you want to change the root password just

sudo passwd root

Enhancing the Security

let’s disable password login for ssh, this is really important to fend off password spraying attacks. Just edit the /etc/ssh/sshd_config file by setting the PasswordAuthentication no

disable the root Login by setting PermitRootLogin no then reload the ssh daemon.

sudo systemctl reload sshd

change the default ssh port, now this will not protect you against AI bots but it will limit scanning.

Setting up a firewall

install UFW if it is not already installed then allow the Openssh service and enable the firewall

ufw allow OpenSSH
ufw enable

SetupOPENVPN

Thu, 11 Jun 2026 18:08:34 -0400

During a slow morning I decided to Setup an Openvpn Server following this tutorial. This is going to be a long article but it is very rich and will help me understand a lot about networking, server setup, pki, and security.

I am going to be using Azure today. Let’s boot up the first vm, this will be the Openvpn server you won’t need something powerful 2gigs of ram is very fine.

Basic server Hygiene

I chose ubuntu server 24.04.4 LTS, the firsstep you need to do after logging in is to disable root ssh login and only login with a non root user. This is done automatically in Azure if you chose the ssh auth during setup, you just have to set PasswordAuthentication to no in the /etc/ssh/sshd_config file then restart ssh.

Now go ahead and update system then install necessary packages.

sudo apt upgrade && sudo apt update
sudo apt install openvpn easy-rsa

Configure easyrsa

after installing easy rsa make a directory then create a symlink from the /usr/share/easy-rsa/* to that directory, you can just copy then contents there instead of the symlink then restrict the access to that directory using the chomd command.

Creating a pki infra

we need to set up easy-rsa to use the elleptic curve Cryptography this will use a shorter keys thus better performance.

set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"

then initiate easy-rsa

./easyrsa init-pki

Setting up the CA

boot up another vm, this will be used as the CA which is going to verify each client request.

Generate a CSR request and a private key

On your Openvpn server, navigate to the easy-rsa directory then generate a csr with this command and then copy the key to then openvpn config directory.

./easyrsa gen-req server nopass
sudo cp /home/USERNAME/easy-rsa/pki/private/server.key /etc/openvpn/server/

the “server” is our CN (common name).

Sign The server CSR request with the CA

transmit the files from the openvpn server to the CA server

scp /home/USERNAME/easy-rsa/pki/reqs USERNAME@CASERVERIP:/tmp
cd ~/easy-rsa
./easyrsa import-req /tmp/server.req server
./easyrsa sign-req server server

after signing the CSR transfer back the certificates to Openvpn server, then transfer them to /etc/openvpn/server

scp pki/issued/server.crt USERNAME@VPNSERVERIP:/tmp
scp pki/ca.crt USERNAME@VPNSERVERIP:/tmp

create a shared secret key that’ll be used by both the client and the server if a packet is signed with this key it’ll be trusted, if it is not it can be discarded. generate it in the easy-rsa directory then transfer it to the /etc/openvpn/server

openvpn --genkey --secret ta.key
sudo cp ta.key /etc/openvpn/server

Generating Client Certificates

Create a directory that’ll hold client configs, keys etc … Restrict access for that directory for better security

mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs

Go back to the easy-rsa directory and generate a CSR just like we did before, then transfer the key to the keys folder and the request to the CA server

cp pki/private/client1.key ~/client-configs/keys/
scp pki/reqs/client1.req USERNAME@CASERVERIP:/tmp

Import the request and sign it transfer back the signed certificate to the vpn server and put it in the keys directory, then copy the CA certificate and the shared key to the client-configs/keys/ .

Configure the Openvpn

copy the sample config to your Openvpn directory

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server/
sudo gunzip /etc/openvpn/server/server.conf.gz

edit the /etc/openvpn/server/server.conf and add these basic configs

;tls-auth ta.key 0 # This file is secret
tls-crypt ta.key
;cipher AES-256-CBC
cipher AES-256-GCM
auth SHA256
;dh dh2048.pem
dh none
user nobody
group nogroup

Edit the Port Forwarding config

sudo nano /etc/sysctl.conf
net.ipv4.ip_forward = 1

then write this command sudo sysctl -p if the output is 1 . then you’re ok . this is very important any misconfiguration will cause tunneling issues later.

Firewall Configuration

get the name of your interface, now let’s edit the /etc/ufw/before.rules file. By adding these commands, keep in mind that eth0 is interface name yours may be different.

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

Edit the /etc/default/ufw file by setting DEFAULT_FORWARD_POLICY to ACCEPT.

allow the openvpn port and openssh service. I’ve kept the default port

sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable

Starting the Server

Go Ahead and start the server

Creating the Client Configurations

We will create a files directory inside the client configs directory where we will make a base configuration and an automating script that’ll make it easy in case of creating multiple users.

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

the create the base config file which will serve as a config blueprint ~/client-configs/base.conf

. . .
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your_server_ip 1194
. . .
proto udp
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256
key-direction 1
; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf
; script-security 2
; up /etc/openvpn/update-systemd-resolved
; down /etc/openvpn/update-systemd-resolved
; down-pre
; dhcp-option DOMAIN-ROUTE .

Now for the automation script ~/client-configs/make_config.sh

#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-crypt>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-crypt>') \
> ${OUTPUT_DIR}/${1}.ovpn

restrict the rights of the file for better security.

Generate the .ovpn config file

cd ~/client-configs
./make_config.sh client1

transfer back the .ovpn file to the client and import it and thaaaaat’s it.

Testing

Before After

SplunkBasics Did You Siem Room

Thu, 28 May 2026 18:56:58 -0400

a while ago I’ve found this room on tryhack me and since it’s an introduction to splunk I decided to do it . I’m increasingly more interested in splunk and soon I’ll be building a local lab and using it as the siem solution.

The room’s story is about a company TBFG gets attacked with a ransomware while preparing for Christmas, you being part of the SOC team are tasked to use Splunk to investigate the breach and trace the attack chains to save the day !!

The Guide is full of information from the Dashboard components like the search Query bar to the time dropdown. it also gives you scenarios and examples of queries you’ll use. So let’s get started !

Question 1: What is the IP attacking the Web Server?

For this we need to set the sourcetype to web_traffic then narrowing the search by execluding the usual and normal clients and browser using the useragent field, next we need set a count and get the top five(example), because a suspicious IP will be making a BIG number of calls to the server.

The command will look like this :

sourcetype=web_traffic user_agent!=*Mozilla* user_agent!=*Chrome* user_agent!=*Safari* user_agent!=*Firefox* | stats count by client_ip | sort -count | head 5

Answer will be 198.51.100.55

Question 2: Which day saw the peak traffic in the logs?

We will funnel the logs to the timechart command and use the span of 1 day and the reverse the order to get the most traffic in one day

index=main sourcetype=web_traffic | timechart span=1d count | sort by count | reverse

Answer is 2025-10-12

Question 3: Count the Havij user_agent found in the logs

Since we got the Ip of the attacker we can just set it as one of the fields in our query together with the given useragent and then count everything

sourcetype=web_traffic client_ip=198.51.100.55 user_agent="*Havij*" | stats count

Answer is 993

Question 4: How many path traversal attempts to acces sensitive files?

So path traversal attempts can be recongnised when the attacker adds ../../ in the paths of his queries (for example), we will also include the redirects

sourcetype=web_traffic client_ip=198.51.100.55 AND path="*..\/..\/*" OR path="*redirect*" | stats count by path

Answer is 658

Question 5: How many bytes transferred to the C2 server based on the firewall logs

First thing is to change the sourcetype to the firewall logs, we need to focus on the allowed actions and set the destination ip as the attacker’s ip determined earlier the pipe the results to the sum function

sourcetype=firewall_logs src_ip="10.10.1.5" AND dest_ip"198.51.100.55" AND action="ALLOWED" | stats sum(bytes_transferred) by src_ip

In this Lab I’ve learned about investigations with splunk and using some SPL keywords, it is a very powerful tool with a simple dashboard I’m looking forward to learn and experience more with it

Setting up PIHOLE as a recursive DNS with UNBOUND

Sat, 16 May 2026 13:36:41 -0400

this is a small project that i did in a weekend a while ago to experiment with the dns protocol , it is based on guide by Craft Computing , you can check him out .

DNS :

Essentially Dns helps you translate domain names such as (google.com , youtube.com) into IP-addresses (A and AAAA) records that computers actually understand , of course dns provide additional informations which you can find in the other records but this is outside the scope of this tutorial.

Recursive DNS :

There are multiple types of Dns servers , an authoritative server this is the server that actually holds the info about your domain , Recursive server this server when queried will check if it holds data in case of absense it will call the root server get the info about the TLD SERVER of your domain then it will ask the tld server about the info of your authoritative server finally it will query it about the IP-address that corresponds to that domain , most recursive dns servers are ran by ISPs , Big operators but anyone can set tis own recursive server like we will be doing !!

let’s get to know PIHOLE : pihole is a network-wide DNS-based AD blocking sinkhole where you define a list of domains that you want to block in your network, it is very easy to set-up as we will see.

Installation :

For this tutorial I’ve installed a debian server on a virtual machine , I then proceeded to install pi-hole it is very easy just follow the installation guide , after downloading go ahead with the defaults we will configure it later

After the installation make sure to change the default password of pi-hole with the command pihole -a -p “newpassword”, login to your dashboard and let’s start the configurations.

Go ahead and install unbound , we are going to change the config file so there will be no port confusion between unbound and pihole you can follow this guide.

after finishing that go to the dashboard and change the dns server of pihole from google to custom then type the address and port , then change the dns server of your system to be pihole by editing the /etc/resolv.conf file .

VOILA we’re finished open up a browser and try accessing a website that’s rich in ads , first time it will take some time because the dns server has an empty cache .

I also set up a light vm i used alpine for this then went ahead and gave the debian machine a static IP , since i’m on debian I edited /etc/network/interfaces file then I restarted the networking service , then I set the dns server of alpine to be the IP of the debian machine and voila it works.

pihole blocks a wide list of ads by default but you can widen this list by adding lists from the internet, this is a script that automatically downloads a list for you.

or you can ban websites that you don’t like example