Google AdSense Account Login Issues…

I am only posting this because I found a bug in Google’s account ID logic. If you encounter this bug, it’s very difficult to rectify, especially since there is no direct phone or email AdSense support – only online forums.

What’s the bug?

So an AdSense account is tied to a main Google account. This could be your G Suite email, like user@domain.com, or a generic Gmail Google account like user@gmail.com. The account is then associated with a website, say www.domain.com. A website entity can only be assigned to a single account. Here is how the bug occurs:

  1. You set up G Suite for business so you can use Gmail with your own domain; let’s call this domain foo.com, and your G Suite login/account is bob@foo.com.
  2. Over time, you decide to show ads on your foo.com website, so you sign up for AdSense using your bob@foo.com Google account.
  3. Everything works great, you’re making money showing ads.
  4. One day you decide you don’t want to use Gmail for email services; you want to move your foo.com email service to another party. So you go into G Suite and cancel all G Suite for foo.com. At this point, your bob@foo.com Google account is deleted.
  5. A few months go by and you forget about the AdSense stuff, so you try to log in to AdSense… But WAIT.. your AdSense login was the bob@foo.com Google account, which doesn’t exist now, so you can’t log in.
  6. You assume all accounts associated with bob@foo.com are deleted, so you create a new free generic Gmail account, like bob.foo@gmail.com.
  7. You create an AdSense account for bob.foo@gmail.com and associate it with your foo.com website. When you do this, Google analyzes your site and says to check back in 24 hours.
  8. The next day you get an email from AdSense that looks like this:

The problem is none of these options will help you because it’s IMPOSSIBLE to log in to AdSense as bob@foo.com. You are now in this paradox where Google has an old invalid account preventing you from creating a new AdSense account, and there is no way to delete the account, nor is there a way to easily contact Google to have them fix this anomaly.

What do you do? 

After many AdSense forum posts, someone (presumably from Google) sent me a link to a hidden form submission page:

https://support.google.com/adsense/contact/cant_log_in

This page gathers basic info, though it still lacks the option to describe what’s really going on, then sends it to a human at Google. I recommend that in the box where it asks about browser issues, you type in an explanation of the bug.

 

Using sed to edit files in place…

The other day I ran across a scenario where I needed to edit a file via a web app. Seems simple, but the file permissions were tricky and I didn’t have the rights to delete the file then re-create it again since the top level directory permission won’t allow it. So the easiest solution is to use sed to edit the file in place. The sed command can be called from inside the web app as long as the file we are editing has the proper permissions.

What is sed?

sed is a Stream Editor, hence the name. Normally you would use it to edit data coming in via STDIN or a STDOUT redirect. But the “-i” flag allows you to edit a flat file in place. Let’s look at a few examples; take the following file contents:

Date: Dec 15th, 2019

TODO LIST
Clean house
Take out garbage
Buy groceries
Feed the fish
Watch TV

Let’s say I want to edit this file in place and delete the line “Buy groceries”. There are a few ways to do this: I can delete it via the line # or via regular expressions. The line # is 6, so the command would be:

# sed -i '' '6d' /some/path/to/filename.txt

Note the empty pair of single quotes after the -i: this is required for newer versions of sed, and -i with an empty extension tells it to edit the file in place without creating a backup file. This is the BSD sed form (FreeBSD, macOS); GNU sed on Linux takes -i with no separate argument. The '6d' simply tells it to delete the 6th line of the file. Here is how you do it via regular expressions:

# sed -i '' '/^Buy.*/d' /some/path/to/filename.txt

Again the d tells it to delete; the regular expression sits between the forward slashes. In this case the regex matches any line that begins with the word Buy, followed by anything.
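Since the post calls sed from a web app, the text to delete may come from a request. The shell sketch below is an added example, not the author's code: it deletes by exact text or by line number, escapes regex metacharacters, rejects embedded newlines (a newline would start a new sed command), and picks the -i form for BSD or GNU sed. The function names are illustrative.

```shell
#!/bin/sh
# Added example: in-place line deletion where the input is untrusted.

# Run sed in place with the syntax the local sed expects.
sed_inplace() {   # usage: sed_inplace SCRIPT FILE
    if sed --version >/dev/null 2>&1; then
        sed -i -e "$1" -- "$2"       # GNU sed: -i takes no separate argument
    else
        sed -i '' -e "$1" -- "$2"    # BSD sed: -i needs a (here empty) backup suffix
    fi
}

# Backslash-escape the characters that are special in a basic regular
# expression, plus the "/" used as the address delimiter below.
escape_bre() {
    printf '%s\n' "$1" | sed -e 's|[\.*^$/[]|\\&|g'
}

# Delete every line that is exactly TEXT (no regex interpretation).
delete_exact_line() {   # usage: delete_exact_line FILE TEXT
    file=$1 text=$2
    case $text in
        *"
"*) echo "refusing text containing a newline" >&2; return 2 ;;
    esac
    if [ ! -f "$file" ] || [ ! -w "$file" ]; then
        echo "not a writable regular file: $file" >&2; return 1
    fi
    sed_inplace "/^$(escape_bre "$text")\$/d" "$file"
}

# Delete line number N; anything but plain digits is rejected.
delete_line_number() {  # usage: delete_line_number FILE N
    case $2 in
        ''|*[!0-9]*) echo "line number must be digits only" >&2; return 2 ;;
    esac
    sed_inplace "${2}d" "$1"
}
```

For the sample file above, `delete_exact_line /some/path/to/filename.txt 'Buy groceries'` removes only that line.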

Using a Cisco ASA5510 as a home router and DHCP server

Tired of Cheap Residential Linksys and TP-Link Routers?

If you’re like me, you’ve probably noticed that your average off the shelf wifi router from Best Buy costs around $100 and lasts about a year… if you’re lucky. Tired of that? Me too. So I decided to use a hardened Cisco ASA5510. These are really solid units, run forever, and they are cheaply found on eBay. You can even run two of them in active/standby fail-over mode.

The Costs…

So an ASA5510 with the Security Plus license runs about $80 on eBay. This unit has 4 NICs, two of which are licensed to run at 1Gbps; in other words, 1 NIC is your ISP uplink (outside interface), the other NIC feeds your home’s LAN space (inside interface). That still leaves 2 NICs running at 100Mbps which you can operate as additional LAN spaces for security. As a small side note, I have two VoIP ATAs that I run for phone service; these devices tend to be “vulnerable” to remote hacks, so as a precaution, my Grandstream ATAs sit on a separate network behind my ASA5510 on NIC3. This security zone is completely isolated from the rest of my network.

What about Wifi?

Clearly an ASA5510 has no Wifi capability, so for that we will use a Cisco SAP2600 access point. These run around $80-$140 on eBay. Again, they are extremely robust and will last forever, and they also have excellent range. I will discuss the configuration of the SAP2600 in a separate article, but it’s very straightforward as the SAP2600 is out-of-the-box a standalone access point: you simply connect it to your WAN, it grabs an IP via DHCP, then you configure your SSIDs for 2 and 5 GHz. The access point simply forwards DHCP requests through to the ASA.

Initial Configuration of the ASA5510

So we will use Ethernet0/0 as the “outside” uplink to the ISP and Ethernet0/1 as the “inside” LAN. In my case, that Ethernet0/1 goes to a switch where I hard-wire some devices as well as my Cisco SAP2600 access point. For this example, I am using Verizon FiOS which does not have a static IP, so the ISP uplink will be done via DHCP. I will also include an example of how to set up a port forward to, say, a personal web server.

Most ASAs off eBay will come with ASA software version 8.0, 8.1, or 8.2. For home use, this is fine, don’t try to run anything higher. Also, don’t bother with the ASDM, it’s useless. ASAs were meant to be configured via command line. I am not going to bother showing a full config dump; rather, when you get console access, do a “write erase” followed by “reload”. This will bring up the ASA with the default config. From that default config, below is what you want to configure:

interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute

The above sets our ISP uplink, and assigns the WAN IP via DHCP.

interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

The above sets our inside or LAN interface. In my case, I’m using 192.168.1.X/24 as my LAN space.

access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit tcp any interface outside eq www

This is a sample ACL for opening port 80 access to a personal web server I am running on the LAN with IP 192.168.1.250.

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (voice1) 1 192.168.5.0 255.255.255.0

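This is required for functionality. The global statement sets our outbound PAT, or port address translation. The nat statement tells the ASA that the 192.168.1.X range is what should be NAT’d; the second nat line does the same for 192.168.5.X on a separate interface named voice1, whose interface definition is not shown in this article.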

static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255
access-group outside in interface outside

This is related to our web server example. The access-group statement binds the ACL to the outside interface. The static translation effectively connects the port forward, it tells the ASA to “connect” the WAN IP of the outside interface (which we get via DHCP from the ISP) to the private LAN IP of my web server, which is 192.168.1.250.

telnet 0.0.0.0 0.0.0.0 inside
dhcpd dns 1.1.1.1 8.8.8.8
dhcpd ping_timeout 750
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd enable inside

This last piece enables telnet access to the ASA from the LAN. This is also where we configure the LAN’s DHCP server. In this case I have allocated the range 192.168.1.100 through .199, and I also set my resolving DNS servers, which the DHCP process will send through to the clients.

Lastly, secure your ASA by setting the proper passwords:

enable password CLEAR-TXT-PASSWD
passwd CLEAR-TXT-PASSWD

Securing WordPress – Fool Proof Method

Are you tired of your WordPress site being hacked?

I have a simple and effective solution. The biggest reason WordPress gets hacked is because of very insecure file permissions that exist on the backend server, and there are many bugs within wp-admin that can be exploited. These permissions and exploits make it easy to upload content, install plugins, brute force attack the login and so on. But if you’re like me, once your WordPress environment is set up, it doesn’t really change after that. All I do is upload images and write posts. So I wrote a simple set of lockdown scripts which I execute from the command line.

The lockdown script does a few things:

1. It removes wp-login.php from the base web root
2. It removes the entire wp-admin directory
3. It resets the permissions on wp-content/uploads

The unlock script effectively does the reverse.

So when I need to make changes or write an article, I SSH into my server and run the unlock script. When I am all done, I run the lockdown script. Here is the raw code for those scripts, in PERL:

lockdown-wp.pl

unlock-wp.pl

A few details. My web server runs as the “www” user, so that’s why I chown the uploads directory as www. My web root is /usr/local/www/apache24/data and the resources directory is my WordPress base URL, i.e. http://www.essenz.com/resources/. The script runs as the root user and stores the temp files in /root.
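The post's lockdown-wp.pl and unlock-wp.pl are not reproduced on this page. The shell sketch below is an added example, not the author's Perl: it follows the three lockdown steps listed above and their reverse, using the web root and www user from the post. The stash directory /root/wp-stash and the uploads policy (root-owned with modes 755/644 when locked, owned by the web user when unlocked) are assumptions.

```shell
#!/bin/sh
# Added example, not the author's lockdown-wp.pl / unlock-wp.pl.
# WP_ROOT and WEB_USER follow the post; STASH is a hypothetical location.
WP_ROOT=${WP_ROOT:-/usr/local/www/apache24/data/resources}
STASH=${STASH:-/root/wp-stash}
WEB_USER=${WEB_USER:-www}

# Succeeds when the login page and admin directory are absent from the web root.
wp_is_locked() {
    [ ! -e "$WP_ROOT/wp-login.php" ] && [ ! -e "$WP_ROOT/wp-admin" ]
}

# Set ownership (only when running as root) and modes on the uploads tree.
set_uploads() {   # usage: set_uploads OWNER DIRMODE FILEMODE
    up=$WP_ROOT/wp-content/uploads
    [ -d "$up" ] || return 0
    if [ "$(id -u)" -eq 0 ]; then chown -R "$1" "$up" || return 1; fi
    find "$up" -type d -exec chmod "$2" {} + &&
    find "$up" -type f -exec chmod "$3" {} +
}

wp_lockdown() {
    if [ ! -f "$WP_ROOT/wp-login.php" ] || [ ! -d "$WP_ROOT/wp-admin" ]; then
        echo "nothing to lock in $WP_ROOT (already locked?)" >&2; return 1
    fi
    if [ -e "$STASH/wp-login.php" ] || [ -e "$STASH/wp-admin" ]; then
        echo "stash $STASH already holds a copy, refusing to overwrite" >&2; return 1
    fi
    mkdir -p "$STASH" && chmod 700 "$STASH" || return 1
    # Steps 1 and 2: take the login page and the admin tree out of the web root.
    mv "$WP_ROOT/wp-login.php" "$STASH/wp-login.php" || return 1
    mv "$WP_ROOT/wp-admin" "$STASH/wp-admin" || return 1
    # Step 3 (assumed policy): uploads readable but not writable by the web server.
    set_uploads root 755 644
}

wp_unlock() {
    if [ ! -f "$STASH/wp-login.php" ] || [ ! -d "$STASH/wp-admin" ]; then
        echo "nothing stashed in $STASH" >&2; return 1
    fi
    if [ -e "$WP_ROOT/wp-login.php" ] || [ -e "$WP_ROOT/wp-admin" ]; then
        echo "web root already has wp-login.php or wp-admin" >&2; return 1
    fi
    mv "$STASH/wp-admin" "$WP_ROOT/wp-admin" || return 1
    mv "$STASH/wp-login.php" "$WP_ROOT/wp-login.php" || return 1
    # Give uploads back to the web server user so media uploads work again.
    set_uploads "$WEB_USER" 755 644
}

# Command-line entry point: lock, unlock or status.
case ${1:-} in
    lock)   wp_lockdown ;;
    unlock) wp_unlock ;;
    status) if wp_is_locked; then echo locked; else echo unlocked; fi ;;
esac
```

Run it as root with `lock`, `unlock` or `status` as the argument.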

 

FAMP Install Guide – FreeBSD, Apache, Mysql, and PHP Howto

Here is a quick guide of how to properly do a FAMP install on FreeBSD 11.

I will be using the pkg system for this install, but first let’s understand a little bit about pkg. For years, FreeBSD used the ports repository – a file tree that contained Makefiles and all the necessary info needed to build any software package from source. In recent years, FreeBSD has put more emphasis on precompiled packages. The pkg utility does just this: it downloads the latest version of the precompiled package and installs it. The syntax is simple:

# pkg install package_name

You can search by using the command:

# pkg search name

For example, “pkg search apache”, will return this list:

apache-ant-1.10.3 Java- and XML-based build tool, conceptually similar to make
apache-forrest-0.9 Tool for rapid development of small sites
apache-mode.el-2.0_1 Emacs major mode for editing Apache configuration files
apache-openoffice-4.1.5_6 Integrated wordprocessor/dbase/spreadsheet/drawing/chart/browser
apache-openoffice-devel-4.2.1833124,4 Integrated wordprocessor/dbase/spreadsheet/drawing/chart/browser (developer version)
apache-poi-3.15 Java API To Access Microsoft Format Files
apache-rat-0.12 Release audit tool
apache-solr-7.1.0 High performance search server built using Lucene Java
apache-solr3-3.6.2 High performance search server built using Lucene Java
apache-spark-2.1.1_1 Fast big data processing engine
apache-xml-security-c-1.7.3_1 Apache XML security libraries - C++ version
apache24-2.4.34 Version 2.4.x of Apache web server
apachetop-0.12.6_5 Apache realtime log stats
p5-Apache-ASP-2.63 Active Server Pages for Apache
p5-Apache-Admin-Config-0.95_1 Perl module to manipulate Apache configuration files
p5-Apache-AuthCookie-3.27 Perl module to provide custom forms for reauthentication

and so on…

When doing a pkg install, you only need the name portion, not the full name with version number. So let’s begin with our FAMP tutorial.

Step 1 – Install Apache

# pkg install apache24

Once this is completed, you need to add apache24_enable="YES" to the /etc/rc.conf file. This can be done manually, or with the command:

# sysrc apache24_enable="YES"

Lastly, start apache with either “/usr/local/etc/rc.d/apache24 start” or “service apache24 start”

Step 2 – Install PHP

Which version? You’ll notice that “pkg search php” returns a few different options. For core PHP, your options are:

php56-5.6.36_1
php70-7.0.31
php71-7.1.20
php72-7.2.8

Let’s assume you want the latest 7.2 stable. Here is the install command; note that in addition to PHP core I am going to install a few other popular PHP add-ons. These add-ons were in the output of “pkg search php72”.

# pkg install php72 php72-gd mod_php72 php72-mysqli php72-zlib

NOTE: If you wanted an older version, say 5.6, you would have used the command:

# pkg install php56 php56-gd mod_php56 php56-mysqli php56-zlib

Once PHP is installed, add the following to /usr/local/etc/apache24/Includes/php.conf:

<IfModule dir_module>
    DirectoryIndex index.php index.html
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
</IfModule>

It’s also important to install the proper php.ini file. The distribution comes with a sample production and development .ini file; choose the one that’s appropriate and copy it into position as follows:

# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Now let’s test everything before we continue:

# echo '<?php phpinfo(); ?>' > /usr/local/www/apache24/data/phpinfo.php
# service apache24 restart

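Visit your server via http://IP-ADDRESS/phpinfo.php and you should see the PHP information page. Once it loads, delete phpinfo.php from the web root, since the page exposes your full PHP and server configuration to anyone who requests it.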

Step 3 – Install Mysql

Just as we have done before, we do a “pkg search mysql” and find several versions:

mysql55-client-5.5.60
mysql55-server-5.5.60
mysql56-client-5.6.40
mysql56-server-5.6.40
mysql57-client-5.7.22_1
mysql57-server-5.7.22_2
mysql80-client-8.0.11_1
mysql80-server-8.0.11_1

Lets go with version 5.7, so to install we do:

# pkg install mysql57-client mysql57-server

Next, we add the startup syntax to /etc/rc.conf and startup Mysql:

# sysrc mysql_enable="YES"
# service mysql-server start

Now that MySQL is running, we execute the following script:

# mysql_secure_installation

This script allows you to setup the initial root user password for access to mysql via the command line.

/56 Subnet – Delegating IPv6 Reverse Authority

Recently I had a client that wanted a /56 IPv6 WAN range. The idea behind this was he wanted to be able to provision multiple /64’s within his /56 to assign to clients.

Before we go any further, let’s clarify what a /56 is. I will use the following sample range:

2600:AB00:1000:2000::/56

This is really the range of IPs from 2600:AB00:1000:2000:0000:0000:0000:0000 through 2600:AB00:1000:20FF:FFFF:FFFF:FFFF:FFFF; in other words, it’s 256 /64s. Delegating reverse authority of this beast is not so straightforward. Here is how we do it in BIND v9.

The most difficult aspect of this is that the /56 delegation has to occur from within the /32 zone file. Huh? So if you were only ever doing DNS yourself (no delegation), you probably never created a zone for the /32; instead you just had all your /64 zone files as is. You can’t declare a /56 ip6.arpa zone file and delegate, it has to be done from the newly created /32. But don’t worry, the /32 will have a catch-all that redirects everything back to itself, so all your existing /64 zones will be fine, no changes needed.

So sticking with the above ranges, assume we are an ISP, our /32 is 2600:AB00::/32, our DNS servers are ns1 and ns2.isp.com. Furthermore, say we have a client with a /64 of 2600:AB00:1234:4000::/64 and we do the DNS for them (no delegation), then lastly, we have client /56 of 2600:AB00:1000:2000::/56 that is going to be delegated to their name servers, ns1 and ns2.client.com.

Assume this is a watered down config snippet, we’re just showing the pertinent info. Here is my master BIND config file showing the zone declarations:


zone "0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa" {
type master;
file "/etc/bind/master/0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa";
};

zone "0.0.b.a.0.0.6.2.ip6.arpa" {
type master;
file "/etc/bind/master/0.0.b.a.0.0.6.2.ip6.arpa";
};

The first zone is my /64 client, here is that zone file with some sample PTRs:


$ORIGIN 0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa.
$TTL 3600
@ IN SOA ns1.isp.com. hostmaster.isp.com. (
2014022621 ; Serial
10800 ; Refresh
3600 ; Retry
2419200 ; Expire
604800 ) ; Default TTL

; leading whitespace makes these records apply to the zone apex (@)
    IN NS ns1.isp.com.
    IN NS ns2.isp.com.

5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR web01.isp.com.
5.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR mail01.isp.com.

The second zone is the /32 zone, and this is where we do the delegation for the /56 and the catch all for everything else, see below:


$ORIGIN 0.0.b.a.0.0.6.2.ip6.arpa.
$TTL 3600
@ IN SOA ns1.isp.com. hostmaster.isp.com. (
2018080107 ; Serial
10800 ; Refresh
3600 ; Retry
2419200 ; Expire
604800 ) ; Default TTL

; leading whitespace makes these records apply to the zone apex (@)
    IN NS ns1.isp.com.
    IN NS ns2.isp.com.

0.2.0.0.0.1.0.0.b.a.0.0.6.2.ip6.arpa. IN NS ns1.client.com.
0.2.0.0.0.1.0.0.b.a.0.0.6.2.ip6.arpa. IN NS ns2.client.com.

So looking at this zone file, the first two NS lines are the catch-all: basically, anything that doesn’t match below will delegate back to itself. This is why my /64 zone in the master config will work. But we do match the /56 that needs delegation, and it’s forwarded to those 3rd party NS servers.
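The zone names in the master config and the owner names of the delegation records are just the prefix's hex digits, reversed one nibble at a time. The shell sketch below is an added example (not from the original post) that derives them and prints the NS lines for the parent zone; the function names are illustrative, and it only accepts prefix lengths on a nibble boundary.

```shell
#!/bin/sh
# Added example: derive ip6.arpa zone names and delegation records.

# Print the reverse zone name for PREFIX/LEN (LEN must be a multiple of 4).
ip6_arpa_zone() {
    printf '%s\n' "$1" | awk -F/ '
    function group(g) {          # left-pad one 16-bit group to 4 hex digits
        if (g !~ /^[0-9a-f]+$/ || length(g) > 4) return "x"
        return substr("0000", 1, 4 - length(g)) g
    }
    {
        len = $2 + 0
        if (NF != 2 || $2 !~ /^[0-9]+$/ || len < 4 || len > 128 || len % 4) exit 2
        n = split(tolower($1), half, "::")
        if (n > 2) exit 2
        nl = (half[1] == "") ? 0 : split(half[1], left, ":")
        nr = (n < 2 || half[2] == "") ? 0 : split(half[2], right, ":")
        if ((n == 1 && nl != 8) || (n == 2 && nl + nr > 7)) exit 2
        hex = ""
        for (i = 1; i <= nl; i++) hex = hex group(left[i])
        for (i = nl + nr; i < 8; i++) hex = hex "0000"   # groups elided by "::"
        for (i = 1; i <= nr; i++) hex = hex group(right[i])
        if (length(hex) != 32 || hex ~ /x/) exit 2
        zone = "ip6.arpa"
        for (i = 1; i <= len / 4; i++) zone = substr(hex, i, 1) "." zone
        print zone
    }'
}

# Print the NS records that go into the PARENT zone file to delegate CHILD.
delegation_records() {   # usage: delegation_records PARENT CHILD NS...
    parent=$(ip6_arpa_zone "$1") || return 2
    child=$(ip6_arpa_zone "$2") || return 2
    shift 2
    case $child in
        *".$parent") ;;
        *) echo "$child is not inside $parent" >&2; return 1 ;;
    esac
    for ns in "$@"; do
        printf '%s. IN NS %s.\n' "$child" "${ns%.}"
    done
}
```

Calling `delegation_records 2600:AB00::/32 2600:AB00:1000:2000::/56 ns1.client.com ns2.client.com` prints the two delegation lines shown in the /32 zone file above.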

Filtering outbound BGP announcements in Cisco IOS

We previously looked at a sample BGP setup for a Cisco 6500 series router. What if you have multiple BGP peers and want to restrict which prefixes or IP blocks you announce to which peers? Simple. We can use the prefix-list command.

What you announce to each BGP peer will affect the traffic that comes in. So sometimes filtering what you announce can help shape your inbound traffic usage, or it can be used to limit one of your peers to very little traffic so you have a backdoor option during a high load event or DDoS.
Let’s look at a sample BGP config:

router bgp 17500
bgp log-neighbor-changes
neighbor 200.10.20.1 remote-as 1000
neighbor 200.10.20.1 ebgp-multihop 5
neighbor 200.10.20.1 update-source GigabitEthernet5/8
neighbor 100.5.10.1 remote-as 2000
neighbor 100.5.10.1 ebgp-multihop 5
neighbor 100.5.10.1 update-source GigabitEthernet4/8
!
address-family ipv4
neighbor 200.10.20.1 activate
neighbor 200.10.20.1 next-hop-self
neighbor 200.10.20.1 send-community
neighbor 200.10.20.1 soft-reconfiguration inbound
neighbor 200.10.20.1 prefix-list PeerA-out out
neighbor 200.10.20.1 filter-list 1 in
neighbor 200.10.20.1 filter-list 15 out
neighbor 100.5.10.1 activate
neighbor 100.5.10.1 next-hop-self
neighbor 100.5.10.1 send-community
neighbor 100.5.10.1 soft-reconfiguration inbound
neighbor 100.5.10.1 prefix-list PeerB-out out
neighbor 100.5.10.1 filter-list 1 in
neighbor 100.5.10.1 filter-list 15 out

My ASN is 17500 and I have two BGP uplinks, one to AS 1000 (we’ll call this Peer A) and one to AS 2000 (we’ll call this Peer B). I am announcing the following prefixes:
190.45.60.0/24
209.88.40.0/24
20.10.180.0/24

As you can see, for each peer, I have included a statement with

    prefix-list “LIST-NAME” out

This statement restricts what my ASN will broadcast OUT to my peers. Let’s say I want to BGP announce all three prefixes to Peer A, but I only want to announce 190.45.60.0/24 to Peer B. This is what those respective prefix-lists will look like:

ip prefix-list PeerA-out seq 1 permit 190.45.60.0/24
ip prefix-list PeerA-out seq 2 permit 209.88.40.0/24
ip prefix-list PeerA-out seq 3 permit 20.10.180.0/24
ip prefix-list PeerA-out seq 100 deny 0.0.0.0/0 le 32
ip prefix-list PeerB-out seq 1 permit 190.45.60.0/24
ip prefix-list PeerB-out seq 100 deny 0.0.0.0/0 le 32

The final deny in each list carries le 32 so that it matches every remaining prefix rather than only the default route (a prefix-list also ends in an implicit deny).

That’s all there is to it.

How is FreeBSD different than Linux

This article gives a basic overview of the major differences between FreeBSD and Linux with regards to IP networking, application installs, and starting/stopping services. The assumption is the reader has a good basic understanding of Linux to start off with. We will cover three areas: 1) IP networking, 2) package installation, and 3) starting/stopping services both manually and automated.
IP Networking
I have covered IP settings in previous articles pertaining to CentOS and Debian. Debian uses the /etc/network/interfaces file, and CentOS uses the /etc/sysconfig/network-scripts/ifcfg-eth0 file.
FreeBSD is different. Everything is in /etc/rc.conf – not just IP settings but everything pertaining to the entire system is in /etc/rc.conf. That sounds great, right? Basically, FreeBSD has /etc/defaults/rc.conf which contains everything for default settings, but whatever it sees in /etc/rc.conf at bootup overrides the default. Here is the sample rc.conf syntax for basic IP settings:
ifconfig_em0="208.50.100.5 netmask 255.255.255.0 up"
defaultrouter="208.50.100.1"

And for IPv6 add the additional lines:
ipv6_enable="YES"
ipv6_network_interfaces="lo0 em0"
ipv6_ifconfig_em0="2610:bf00:50:100::5/64"
ipv6_defaultrouter="2610:bf00:50:100::1"

In this case our network interface is em0 – we know that from bootup or by looking at the output of dmesg command. Name resolution is still controlled by /etc/resolv.conf as it is in Linux. If you want to add IPv4 aliases, the rc.conf syntax is:
ifconfig_em0_alias0="208.50.100.6 netmask 255.255.255.255"
ifconfig_em0_alias1="208.50.128.7 netmask 255.255.255.255"
ifconfig_em0_alias2="208.50.100.8 netmask 255.255.255.255"
Software Package Installation
In Linux, apt-get and yum are the common tools for adding packages. FreeBSD has a completely different way of doing this. There are two main ways to add software packages: 1) the ports repository, or 2) the sysinstall utility.
The ports repository is a large directory/file tree located in /usr/ports – under that directory there are categories, like /usr/ports/databases, and within the category directory you will find the individual packages, like /usr/ports/databases/mysql51-server. To install the package you go into the package’s directory (i.e. /usr/ports/databases/mysql51-server) and run “make && make install”. This will download the most recent tarball, apply system specific patches, compile, and then install the package. If the package has configurable options, a TEXT GUI will pop up asking you to make those optional selections.
Obviously, for ports to work you need to have the most recent /usr/ports, or even have it at all. If you did not install it when creating the system, you can always add it later using the sysinstall utility – /usr/sbin/sysinstall.
sysinstall
sysinstall is a TEXT GUI system that allows you to do many things (too many for me to describe); one of those things is adding distributions. If you don’t have /usr/ports installed, go into sysinstall, select “Configuration”, then select “Distributions”, then scroll down and select “Ports”. When you continue from there, it will ask where to install from and you can select the FreeBSD FTP servers to install over the network.
While inside the sysinstall utility you may notice that the utility itself can be used to install software packages. From the main screen, select “Configure”, then select “Packages”. You can now browse through the same category tree and select, for example, Databases -> Mysql 5.1 Server. When you continue through the process, you will again be asked from where to install and you can select the FreeBSD FTP servers.
A sysinstall package add is different than a ports add because the package is not compiled; rather, a pre-compiled package is downloaded and installed.
System Services – Starting, Stopping, Automation
Lastly, how do you start and stop services and set services for automatic start at bootup? Again, this is vastly different than Linux methods, but again, it’s all covered in /etc/rc.conf. First, the actual scripts for starting and stopping services that have been added via ports or the sysinstall package system will always be located in /usr/local/etc/rc.d – the exception being core OS services which are located in /etc/rc.d – things like nfsserver or sendmail (on FreeBSD sendmail is a core base service).
So if you have installed apache22, starting and stopping is done by:
/usr/local/etc/rc.d/apache22 stop
or
/usr/local/etc/rc.d/apache22 start
What about automation? That is done in rc.conf as follows:
apache22_enable="YES"
99% of the time the name of the script located in /usr/local/etc/rc.d is the syntax for the above _enable statement, but there are cases where it differs. To be sure, open up the init script located in /usr/local/etc/rc.d and look for its “name” directive which is located near the top. The name is the service name. Oddly enough, mysql is a culprit of this. The mysql service name is mysql, but the init script in /usr/local/etc/rc.d is named mysql-server, so if you added mysql-server_enable="YES" to /etc/rc.conf it would not work; it has to be mysql_enable="YES".

TCP/IP Networking in Linux without a GUI

There are a few major Linux distributions these days, Centos/RHES, Ubuntu, and Debian. They all differ slightly in how they natively handle IP configuration.
For starters, let’s first understand the universal way to IP config ANY Linux OS (this also applies to BSD Unix and Solaris). This is done with the ifconfig and route commands. ifconfig places an IP address on an interface and route places the default gateway in the routing table. When using ifconfig you just need to know the interface name; if you don’t know the interface name, simply type the command:
ifconfig -a
This will display all the connected interfaces, so if you have two NICs on your server it may list an eth0 and eth1. For our example, lets assume we are connecting a Cat5 cable to eth0 and we want to configure the following network setup:
IP Address: 200.50.100.5
Netmask: 255.255.255.0
Default Gateway: 200.50.100.1

The IP configuration is handled by the following command:
ifconfig eth0 200.50.100.5 netmask 255.255.255.0 up
To add the default gateway, we use the following command:
route add default gw 200.50.100.1
Obviously, if you reboot the system these settings will be lost. So now let’s look at how to manually config the IP settings for bootup. Both Debian and Ubuntu use the same setup; it involves editing the interfaces file. CentOS/RHES is a bit different, we’ll cover that one last.
For Ubuntu/Debian, edit the file /etc/network/interfaces and add the following lines:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 200.50.100.5
netmask 255.255.255.0
network 200.50.100.0
broadcast 200.50.100.255
gateway 200.50.100.1

The broadcast and network entries are technically not needed, but you might as well add them. After you save this file, use the ifup command to activate and bring up the eth0 interface:
ifup eth0
Finally, make sure you edit /etc/resolv.conf and add your DNS resolvers, the syntax is as follows:
nameserver 8.8.8.8
nameserver 4.4.4.2

Let’s take a look at CentOS/RHES and how they configure IP networking. Instead of using a singular config file, each interface has its own file located in /etc/sysconfig/network-scripts and the file name format is ifcfg-INT where INT is the name of your interface. In our example, our interface is eth0, so the file we will be editing is /etc/sysconfig/network-scripts/ifcfg-eth0 and the contents of that file are as below:

DEVICE=eth0
BOOTPROTO=static
BROADCAST=200.50.100.255
HWADDR=00:13:72:65:B0:AD
IPADDR=200.50.100.5
NETMASK=255.255.255.0
NETWORK=200.50.100.0
ONBOOT=yes

Again, some of the above lines are not required: HWADDR, NETWORK, and BROADCAST are not required but definitely add them if you know them. The HWADDR is the interface’s MAC address, which you can find out by typing “ifconfig eth0”. The default gateway setting in CentOS/RHES is handled in a separate file. Edit the file /etc/sysconfig/network and add the following lines:
NETWORKING=yes
HOSTNAME=foobar.domain.com
GATEWAY=200.50.100.1

Once the files are edited, you again run the command “ifup eth0” to bring up the interface. The default gateway and hostname settings will be active on reboot, otherwise you have to restart networking for those changes to take effect, this is done by running:

/etc/init.d/network restart

Configuring SSL VPN on Cisco ASA

Starting a few years ago, Cisco began to phase out their support of the long-standing VPN Client software which used IPsec. Basically, they didn’t make a 64-bit version to run on Windows 7 and 8, so unless you use XP, it’s very hard to use the old Cisco VPN client software. The replacement is AnyConnect, which can be launched via the web. AnyConnect does not use IPsec for the VPN tunnel, it uses SSL. The downside is it requires additional licensing; most ASAs only come with 1 SSL VPN user license, and 10 IPsec.
Here is how you configure a typical ASA (running IOS 8.3) to use webvpn and AnyConnect.
Assumptions:
1. The outside or public WAN IP of the ASA is 200.50.75.1
2. The inside or local access range is 192.168.1.0/24
3. The VPN IP pool that we will create is 10.100.1.0/24
Here is the complete config with some comments.
Create and apply a nonat access list:
ASA(config)# access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.100.1.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list nonat


Define a split tunnel access list:

ASA(config)# access-list splitvpn standard permit 192.168.1.0 255.255.255.0

Define the Group Policy for the WebVPN:

ASA(config)# group-policy SSLVPN_POLICY internal
ASA(config)# group-policy SSLVPN_POLICY attributes
ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# split-tunnel-policy tunnelspecified
ASA(config-group-webvpn)# split-tunnel-network-list value splitvpn
ASA(config-group-webvpn)# split-dns value foobar.com
ASA(config-group-webvpn)# dns-server value X.X.X.X

In the above case, foobar.com would be your local DNS search suffix. The X.X.X.X would be the IP of your local DNS server if you used one, if not you can leave it out or insert a public DNS server IP like 8.8.8.8.
Define a DHCP pool for the clients to use:
ASA(config)# ip local pool vpnpool 10.100.1.1-10.100.1.254 mask 255.255.255.0
Define a local user to use for the VPN:
ASA(config)# username johndoe password ABC123 privilege 0
ASA(config)# username johndoe attributes
ASA(config-username)# vpn-group-policy SSLVPN_POLICY

Enable WebVPN:
ASA(config)# webvpn
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
ASA(config-webvpn)# svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
ASA(config-webvpn)# svc enable

The above location/filename of the AnyConnect software may vary, to verify just type the “dir” command from the main prompt to see a file listing showing the exact filename versions.
Define the tunnel group:
ASA(config)# tunnel-group SSLVPN_TUNNEL type remote-access
ASA(config)# tunnel-group SSLVPN_TUNNEL general-attributes
ASA(config-tunnel-general)# default-group-policy SSLVPN_POLICY
ASA(config-tunnel-general)# address-pool vpnpool


Link the tunnel group to WebVPN:

ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# tunnel-group SSLVPN_TUNNEL webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias AnyConnect enable