All security installation and configuration¶
- author:
Marcel van Duijvendijk
Version | Date | Description
|---|---|---|
00.00 | 2018-06-01 | original file
This file contains all security precautions taken on the computer systems in the local network.
This file can be used to copy-paste commands into Konsole (Terminal). Little explanation is given of what each command does; for more information, go to the provided links.
Physical protection¶
House, garden and office are protected against burglary (break-in) to some extent.
Some equipment is hidden and difficult to find.
All data is encrypted, see below how.
One data backup is saved in the house, daily.
A second data backup is made monthly and stored at another location (in case of fire or other severe data loss).
To do
double daily backup, so that 3 daily versions of all data exist.
Hardware¶
Most hardware is not secure. Known insecurities are:
Intel ME (a closed management co-processor) can be disabled, for example when buying a new laptop from a vendor that does so, such as ThinkPenguin
intel-microcode firmware for CPUs is closed software.
NVIDIA graphics drivers are closed software.
To do
finish this list
The majority of people use this hardware. Why not use it as well?
The strategy is to move away from hardware that is known to be inherently insecure, thus:
use AMD processors where possible; AMD has a history of supporting open software more, as a measure to compete with Intel.
or even better: use open hardware, such as:
hardware using OpenPOWER CPUs
Of course, only when affordable.
Passphrases¶
Passwords should be difficult to break and easy to remember. This guideline is used to generate passphrases:
Strong enough is 7 words, each picked with 5 dice rolls (7x5 rolls in total): the five digits of a roll index one word in a Diceware list of 6^5 = 7776 words, so seven words give about 90 bits of entropy, provided real dice are used and no word is re-rolled because it "looks wrong".
English Diceware list: http://world.std.com/~reinhold/dicewarewordlist.pdf
Other language diceware list: http://world.std.com/%7Ereinhold/diceware.html
Dutch Diceware list: http://theworld.com/%7Ereinhold/DicewareDutch.txt
Dutch diceware, only use with spaces: https://d18sc3w29ndn46.cloudfront.net/diceware/diceware-wordlist-composites-nl-cb-cc5553b4fa.txt
safer Dutch diceware, can be used without spaces: https://d18sc3w29ndn46.cloudfront.net/diceware/diceware-wordlist-nl-cb-d549b95b07.txt
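The rolling and lookup described above as a small script, added here as an example and not part of the original page: dice are rolled from /dev/urandom with rejection sampling (a byte is 0..255, which does not divide evenly by 6), five rolls form a key, the key is looked up in a list in Reinhold's "key<TAB>word" format, and the entropy of an n-word passphrase is computed. The list path in the usage line is an assumption; download one of the lists linked above.

```bash
#!/bin/sh
# Added example, not from the original page: roll Diceware keys with the
# kernel CSPRNG and look them up in a word list in Reinhold's format
# ("12345<TAB>word" per line). The list path in the usage line is an assumption.

# One fair die roll (1..6) from /dev/urandom. A byte is 0..255 and 256 is not
# a multiple of 6, so values >= 252 (42 * 6) are rejected to avoid bias.
dice_roll() {
    while :; do
        b=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
        if [ "$b" -lt 252 ]; then
            echo $(( b % 6 + 1 ))
            return 0
        fi
    done
}

# Five rolls make one Diceware key, e.g. 34516.
diceware_key() {
    k=""
    i=0
    while [ "$i" -lt 5 ]; do
        k="$k$(dice_roll)"
        i=$((i + 1))
    done
    echo "$k"
}

# Print the word for key $1 from list file $2; fails when the key is absent.
diceware_lookup() {
    awk -v key="$1" '$1 == key { print $2; found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Entropy in bits of an n-word passphrase from a 6^5 = 7776 word list:
# n * log2(7776), i.e. about 12.9 bits per word, 90.5 bits for seven words.
entropy_bits() {
    awk -v n="$1" 'BEGIN { printf "%.1f\n", n * log(7776) / log(2) }'
}

# Build an n-word passphrase (words separated by spaces) from list file $2.
diceware_passphrase() {
    n="$1"; list="$2"; out=""
    i=0
    while [ "$i" -lt "$n" ]; do
        w=$(diceware_lookup "$(diceware_key)" "$list") || return 1
        out="${out:+$out }$w"
        i=$((i + 1))
    done
    echo "$out"
}

# e.g.: diceware_passphrase 7 ~/diceware.wordlist.asc   (path is an assumption)
```

Physical dice remain the reference method; the script is for checking a list file and for the entropy arithmetic (entropy_bits 7 gives 90.5, entropy_bits 5 gives 64.6).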
(software) keys¶
Software keys are stored on an encrypted USB disk, in 3 copies:
2 in the house
1 at a remote location, in case of fire.
When updates are made, the 2 USB sticks in the house are updated; then 1 of them is exchanged with the one at the remote location, and that one is updated again on return.
Security wallet¶
Passwords can be stored in wallets. By default passwords are stored in:
Firefox (easy to break, not a good idea)
KWallet (default in Kubuntu, seems OK; Kleopatra, also installed by default, manages OpenPGP and X.509 certificates rather than passwords)
Some more generic password database programs are being considered; they should be compatible with Linux and Windows, but none has been selected yet. Considered options:
KeePassX
For logging in to websites and other servers, use a password database. I like KeePassX because it’s free, open source, cross-platform, and it never stores anything in the cloud. Then lock up all your passwords behind a master passphrase that you generate with Diceware. Use your password manager to generate and store a different random password for each website you log in to.
But better: use KeePassXC, the maintained fork of KeePassX.
To do
use better passwords when visiting websites and save them in a wallet.
back up the wallet in a safe place in case it gets corrupted (for KeePassX/KeePassXC that is a copy of the .kdbx database file).
Software in general¶
In the end, the only way to know that your system is safe is by using an open OS such as Linux, because you can review what is inside. All closed components are security hazards.
However, as the system grows it becomes virtually impossible to check all components of a computer system, and one has to rely on somebody else's eyes for checking the security of the software. The danger is when everybody trusts somebody else to check the software and nobody actually does it.
Why free software:
- Freedom
  - free to use,
  - … study,
  - … improve,
  - … share
  - against monopolies
  - against supplier dependence
- Costs
  - no license costs; especially engineering software is expensive
  - legal, no penalty risks
  - invest only in further development, training and maintenance
- Flexibility
  - functionality: own influence on functionality
  - invest once for further development of the software
- Security
  - FOSS is safer (viruses, hacks)
  - FOSS is more reliable (bugs)
- Employees
  - (future) employees can train themselves with the software legally at home
  - more interesting work for (software) professionals
- Results
  - stimulates the economy
  - SME
  - innovation
Why not use FOSS:
- vulnerable to malicious users
- often not as user-friendly as commercial versions
- does not come with extensive support
- because there is no requirement to create a commercial product that will sell and generate money, open source software can tend to evolve more in line with developers' wishes than with the needs of the end user.
- requires more technical know-how
- difficult to find drivers for some devices
- sources:
Free software by R. Stallman, Free Software Foundation¶
Operating system¶
Installation on different computers¶
all systems:
Check L1TF fault¶
cat /sys/devices/system/cpu/vulnerabilities/l1tf
output should be:
Not affected
otherwise, check the kernel's L1TF mitigation documentation. The same directory holds one file per known CPU vulnerability (meltdown, spectre_v1, spectre_v2, ...), so it is worth reading all of them.
Note: on the i7 laptop the output is:
hernando@hernando-S451LB:~$ cat /sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
Processors that have Hyper-Threading enabled report SMT as vulnerable when used in conjunction with Intel Virtualization Technology (VMX):
$ cat /sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
This means a malicious guest VM could read host data (or data of another guest) through the L1 cache it shares with the sibling hyperthread; the remedy is to disable SMT (kernel parameter nosmt) or not to run untrusted VMs on that machine.
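The check above, extended to every file in the vulnerabilities directory, as an added example that is not part of the original page. It treats "Not affected" and "Mitigation: ..." as fine, flags a mitigation that still reports "SMT vulnerable" (the L1TF case on the laptop) as a warning and anything else as vulnerable. The directory argument is an assumption added so that a saved copy of the directory can be checked too.

```bash
#!/bin/sh
# Added example, not from the original page: report every entry under
# /sys/devices/system/cpu/vulnerabilities instead of l1tf alone. The kernel
# writes "Not affected", "Mitigation: ...", "Vulnerable" or "Vulnerable: ..."
# in each file. Anything other than "Not affected" or a "Mitigation:" line is
# flagged, and a mitigation that still says "SMT vulnerable" is flagged as a
# warning. The directory argument is an assumption so that a saved copy of
# the directory can be checked as well.

check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected")                verdict="ok" ;;
            Mitigation:*"SMT vulnerable"*) verdict="WARN" ;;
            Mitigation:*)                  verdict="ok" ;;
            *)                             verdict="VULNERABLE" ;;
        esac
        [ "$verdict" = "ok" ] || bad=$((bad + 1))
        printf '%-12s %-10s %s\n' "$name" "$verdict" "$status"
    done
    return "$bad"    # exit status = number of flagged entries
}

# Number of flagged entries, without the report; handy in other scripts.
count_cpu_vulns() {
    if check_cpu_vulns "$1" > /dev/null; then echo 0; else echo "$?"; fi
}

# Run the report on the live system when called with --run.
if [ "${1:-}" = "--run" ]; then check_cpu_vulns; fi
```

Run it as sh cpuvulns.sh --run after every kernel or microcode update; a non-zero exit status means something changed for the worse.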
Installation on PC, i7¶
System: Host: hernando-S451LB Kernel: 4.15.0-42-generic x86_64
bits: 64 gcc: 7.3.0
Console: tty 0 Distro: Ubuntu 18.04.1 LTS
Machine: Device: laptop System: ASUSTeK product: S451LB v: 1.0 serial: E1N0CX072672058
Mobo: ASUSTeK model: S451LB v: 1.0 serial: BSN12345678901234567
UEFI: American Megatrends v: S451LB.402 date: 12/20/2013
Battery BAT0: charge: 30.9 Wh 98.3% condition: 31.4/46.4 Wh (68%)
model: ASUSTeK S451-32 status: Charging
CPU: Dual core Intel Core i7-4500U (-MT-MCP-)
arch: Haswell rev.1 cache: 4096 KB
flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 9577
clock speeds: max: 3000 MHz 1: 2279 MHz 2: 1654 MHz 3: 1511 MHz
4: 1717 MHz
Memory: Array-1 capacity: 32 GB devices: 4 EC: None
Device-1: ChannelA-DIMM0 size: 4 GB speed: 1600 MT/s type: DDR3
part: N/A
Device-2: ChannelA-DIMM1 size: No Module Installed type: N/A
Device-3: ChannelB-DIMM0 size: 4 GB speed: 1600 MT/s type: DDR3
part: M471B5173QH0-YK0
Device-4: ChannelB-DIMM1 size: No Module Installed type: N/A
Graphics: Card-1: Intel Haswell-ULT Integrated Graphics Controller
bus-ID: 00:02.0
Card-2: NVIDIA GK208M [GeForce GT 740M] bus-ID: 04:00.0
Display Server: X.Org 1.19.6
drivers: modesetting,nvidia (unloaded: fbdev,vesa,nouveau)
Resolution: 1366x768@60.06hz, 1920x1080@74.97hz
OpenGL: renderer: GeForce GT 740M/PCIe/SSE2
version: 4.6.0 NVIDIA 390.87 Direct Render: Yes
Audio: Card-1 Intel 8 Series HD Audio Controller
driver: snd_hda_intel bus-ID: 00:1b.0
Card-2 Intel Haswell-ULT HD Audio Controller
driver: snd_hda_intel bus-ID: 00:03.0
Sound: Advanced Linux Sound Architecture v: k4.15.0-42-generic
Network: Card-1: Realtek RTL8111/8168/8411 PCIE Gigabit Ethernet Controller
driver: r8169 v: 2.3LK-NAPI port: e000 bus-ID: 02:00.0
IF: enp2s0 state: up speed: 100 Mbps duplex: full
mac: e0:3f:49:c6:eb:dd
Card-2: Qualcomm Atheros AR9485 Wireless Network Adapter
driver: ath9k bus-ID: 03:00.0
IF: wlp3s0 state: up mac: 6c:71:d9:d5:0b:f3
Drives: HDD Total Size: 3000.6GB (33.5% used)
ID-1: /dev/sda model: TOSHIBA_MQ01ABD1 size: 1000.2GB temp: 38C
ID-2: USB /dev/sdb model: HV620 size: 2000.4GB temp: 0C
Partition: ID-1: / size: 635G used: 100G (17%) fs: ext4 dev: /dev/sda6
ID-2: swap-1 size: 8.47GB used: 0.00GB (0%)
fs: swap dev: /dev/sda7
RAID: No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors: System Temperatures: cpu: 56.0C mobo: N/A gpu: 0.0:58C
Fan Speeds (in rpm): cpu: 2700
Info: Processes: 278 Uptime: 2:11 Memory: 2458.6/7860.8MB
Init: systemd runlevel: 5 Gcc sys: 7.3.0
Client: Shell (sudo) inxi: 2.3.56
Ubuntu Server installation on network server¶
Get system characteristics:
sudo inxi -Fmx
output:
System: Host: w1 Kernel: 4.15.0-22-generic x86_64 bits: 64 gcc: 7.3.0 Console: tty 1
Distro: Ubuntu 18.04 LTS
Machine: Device: desktop System: Hewlett-Packard product: HP t620 Quad Core TC serial: CZC5020DMF
Mobo: Hewlett-Packard model: 21B4 v: A01 serial: N/A UEFI: AMI v: L40 v02.08 date: 10/09/2014
CPU: Quad core AMD GX-415GA SOC with Radeon HD Graphics (-MCP-) arch: Jaguar rev.1 cache: 2048 KB
flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm) bmips: 11977
clock speeds: max: 1500 MHz 1: 1058 MHz 2: 1009 MHz 3: 1008 MHz 4: 811 MHz
Memory: Array-1 capacity: 4 GB devices: 2 EC: None
Device-1: DIMM 0 size: No Module Installed type: DDR3
Device-2: DIMM 1 size: 4 GB speed: 1600 MT/s type: DDR3 part: HMT451S6BFR8A-PB
Graphics: Card: Advanced Micro Devices [AMD/ATI] Kabini [Radeon HD 8330E] bus-ID: 00:01.0
Display Server: N/A driver: radeon tty size: 160x64 Advanced Data: N/A for root out of X
Audio: Card-1 Advanced Micro Devices [AMD] FCH Azalia Controller driver: snd_hda_intel bus-ID: 00:14.2
Card-2 Advanced Micro Devices [AMD/ATI] Kabini HDMI/DP Audio driver: snd_hda_intel bus-ID: 00:01.1
Sound: Advanced Linux Sound Architecture v: k4.15.0-22-generic
Network: Card: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
driver: r8169 v: 2.3LK-NAPI port: e000 bus-ID: 01:00.0
IF: enp1s0 state: up speed: 100 Mbps duplex: full mac: 00:8c:fa:d6:de:79
Drives: HDD Total Size: 17.0GB (34.5% used)
ID-1: /dev/sda model: SanDisk_SDSA6MM size: 16.0GB temp: 37C
ID-2: USB /dev/sdb model: USB_DISK size: 1.0GB temp: 0C
Partition: ID-1: / size: 15G used: 5.5G (41%) fs: ext4 dev: /dev/sda2
RAID: No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors: System Temperatures: cpu: 44.8C mobo: N/A gpu: 44.0
Fan Speeds (in rpm): cpu: N/A
Info: Processes: 121 Uptime: 2:29 Memory: 232.9/3371.8MB Init: systemd runlevel: 5 Gcc sys: N/A
Client: Shell (sudo) inxi: 2.3.56
Added hardware ordered by Conrad.nl¶
Quantity | Order no. | Description | Unit price
|---|---|---|---|
1 | 649891 | USB 3.0 to 2.5" SATA converter cable | 16.99
1 | 1697683 | Toshiba HDWL120EZSTA hard disk (2.5 i | 94.49
The USB drives are mounted on the VESA mount using angle iron (the kind used to protect corners when plastering walls).
Installation¶
guided, use entire disk: /dev/sda model: SanDisk_SDSA6MM size: 16.0GB, not encrypted.
To do
swap is still used and data in swap is still visible (an unencrypted swap partition can leak keys and file contents of the encrypted data disks). Switch swap off or encrypt swap.
Add disks¶
The disks are encrypted separately from the system, so when the system is off they can be disconnected and mounted on another system easily.
See further Encrypt hard disks to store data.
Encrypted drives are mounted using their UUID (device names like /dev/sdb can change between boots, the UUID does not):
lsblk
and find it to be /dev/sdb1
Search for the UUID of this drive, using:
sudo blkid /dev/sdb1
output:
/dev/sdb1: UUID="9901d346-cecc-4b89-929e-12a8ace70223" TYPE="crypto_LUKS" PARTUUID="03d941c1-c698-4210-8e90-9573c9989bef"
To decrypt the volume and mount it as usual:
# sudo cryptsetup luksOpen /dev/sdb1 wiens
sudo cryptsetup luksOpen /dev/disk/by-uuid/9901d346-cecc-4b89-929e-12a8ace70223 wiens
sudo mount /dev/mapper/wiens /media/wiens
perhaps, assign rights to the current user:
sudo chown -R admins:users /media/wiens
Automate the mounting process in a bash script:
cd ~/Scripts
nano mountDisk.sh
add content:
#!/bin/bash
# Script to mount the encrypted drive; must run as root (cryptsetup, mount, nfs)
# clean up a stale mapping from an earlier run; the errors are harmless when nothing was mounted
umount /media/wiens
cryptsetup luksClose wiens
# open the LUKS container by UUID (asks for the passphrase), then mount it
cryptsetup luksOpen /dev/disk/by-uuid/9901d346-cecc-4b89-929e-12a8ace70223 wiens || exit 1
mount /dev/mapper/wiens /media/wiens || exit 1
# make it available to the NFS clients
mount --bind /media/wiens /export/WIENS
service nfs-kernel-server restart
cd /media/wiens
ls
Save and exit, make executable:
chmod +x mountDisk.sh
Run it as:
sudo bash mountDisk.sh
The script can be set to run automatically at login, in:
nano ~/.profile
and insert these lines at the bottom (the script needs root, so it is started through sudo):
# run an automatic mount script
echo To mount the encrypted drive, type the sudo password and the LUKS passphrase, else press ctrl-c
echo
sudo ~/Scripts/mountDisk.sh
Whenever the server boots and you log in, it asks for the sudo password and the LUKS passphrase to unlock the additional disk.
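A more defensive version of the mount script, added here as an example (not the script used on the server): it opens the container only when the mapping does not exist yet, mounts only what is not mounted, re-reads the exports with exportfs -ra instead of restarting the NFS server, and has a matching umount path. UUID, names and paths are those from this section; DRY_RUN=1 and MOUNTS_FILE are assumptions added so the logic can be exercised without root.

```bash
#!/bin/sh
# Added example, not the page's own script: idempotent open/mount and
# umount/close of the encrypted data disk. UUID, mapper name, mount point and
# export path come from the page. DRY_RUN=1 prints the privileged commands
# instead of running them; MOUNTS_FILE replaces /proc/mounts (both are
# assumptions added for testing without root).

LUKS_UUID="9901d346-cecc-4b89-929e-12a8ace70223"
NAME="wiens"
MNT="/media/wiens"
EXPORT="/export/WIENS"

run() {   # run a privileged command, or print it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

is_mounted() {   # true if $1 is a mount point according to /proc/mounts
    awk -v m="$1" '$2 == m { found = 1 } END { exit found ? 0 : 1 }' "${MOUNTS_FILE:-/proc/mounts}"
}

mount_disk() {
    dev="/dev/disk/by-uuid/$LUKS_UUID"
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -e "$dev" ]; then
        echo "encrypted disk $LUKS_UUID is not attached" >&2
        return 1
    fi
    # open the container only if the mapping does not exist yet (asks for the passphrase)
    if [ ! -e "/dev/mapper/$NAME" ]; then
        run cryptsetup open "$dev" "$NAME" || return 1
    fi
    if ! is_mounted "$MNT"; then
        run mount "/dev/mapper/$NAME" "$MNT" || return 1
    fi
    if ! is_mounted "$EXPORT"; then
        run mount --bind "$MNT" "$EXPORT" || return 1
    fi
    run exportfs -ra   # re-read /etc/exports without restarting the NFS server
}

umount_disk() {
    is_mounted "$EXPORT" && { run umount "$EXPORT" || return 1; }
    is_mounted "$MNT" && { run umount "$MNT" || return 1; }
    if [ -e "/dev/mapper/$NAME" ]; then
        run cryptsetup close "$NAME"
    fi
    return 0
}

case "${1:-}" in
    mount)  mount_disk ;;
    umount) umount_disk ;;
esac
```

Usage: sudo sh mountDisk2.sh mount at login, sudo sh mountDisk2.sh umount before pulling the USB cable; the umount path is the part the original script lacks, and pulling a mounted ext4 disk is how the backup copies get corrupted.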
VGA dummy plug¶
When booting without a VGA monitor or DisplayPort, the HP t620 beeps 6 times and its red lights blink.
To avoid this, a resistor is placed between one of the colour pins (pin 1, 2 or 3) and ground (pin 5). The resistor should have a value between \(50\,\Omega\) and \(150\,\Omega\).
cover lights¶
In order to reduce visibility, all lights are covered with black plastic: 2 lights on the front (on/off and hard disk activity) and 2 ethernet LEDs on the back.
To do
do not use swap, as swap is not encrypted… or use encrypted swap.
Installation laptop, dual boot windows¶
That was more difficult…
Get system characteristics:
sudo inxi -Fmx
output:
System: Host: HP-8540w Kernel: 4.15.0-39-generic x86_64 bits: 64 gcc: 7.3.0 Console: tty 1
Distro: Ubuntu 18.04.1 LTS
Machine: Device: laptop System: Hewlett-Packard product: HP EliteBook 8540w serial: CND136GSNF
Mobo: Hewlett-Packard model: 1521 v: KBC Version 32.36 serial: CND136GSNF
BIOS: Hewlett-Packard v: 68CVD Ver. F.60 date: 11/11/2015
Battery BAT0: charge: 56.8 Wh 95.5% condition: 59.5/59.5 Wh (100%) model: Hewlett-Packard Primary status: N/A
CPU: Dual core Intel Core i7 M 640 (-MT-MCP-) arch: Nehalem rev.5 cache: 4096 KB
flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 11171
clock speeds: max: 2800 MHz 1: 1686 MHz 2: 2198 MHz 3: 1576 MHz 4: 1672 MHz
Memory: Array-1 capacity: 8 GB devices: 2 EC: None
Device-1: Top-Slot 1(top) size: 2 GB speed: 1333 MT/s type: DDR3 part: 99U5594-005.A00LF
Device-2: Bottom-Slot 1(right) size: 4 GB speed: 1333 MT/s type: DDR3 part: M471B5273CH0-CH9
Graphics: Card: NVIDIA GT215GLM [Quadro FX 1800M] bus-ID: 01:00.0
Display Server: X.Org 1.19.6 drivers: nvidia (unloaded: modesetting,fbdev,vesa,nouveau)
Resolution: 1920x1080@59.93hz, 2560x1600@59.97hz
OpenGL: renderer: Quadro FX 1800M/PCIe/SSE2 version: 3.3.0 NVIDIA 340.107 Direct Render: Yes
Audio: Card-1 Intel 5 Series/3400 Series High Definition Audio driver: snd_hda_intel bus-ID: 00:1b.0
Card-2 NVIDIA High Definition Audio Controller driver: snd_hda_intel bus-ID: 01:00.1
Sound: Advanced Linux Sound Architecture v: k4.15.0-39-generic
Network: Card-1: Intel 82577LM Gigabit Network Connection driver: e1000e v: 3.2.6-k port: 6020 bus-ID: 00:19.0
IF: enp0s25 state: up speed: 100 Mbps duplex: half mac: b4:99:ba:f3:ca:06
Card-2: Intel Centrino Ultimate-N 6300 driver: iwlwifi bus-ID: 44:00.0
IF: wlo1 state: down mac: 00:24:d7:e3:1a:70
Drives: HDD Total Size: 1024.2GB (8.3% used)
ID-1: /dev/sda model: Samsung_SSD_850 size: 1024.2GB temp: 0C
Partition: ID-1: / size: 671G used: 65G (11%) fs: ext4 dev: /dev/dm-2
ID-2: /boot size: 976M used: 148M (17%) fs: ext4 dev: /dev/sda6
ID-3: swap-1 size: 17.18GB used: 0.00GB (0%) fs: swap dev: /dev/dm-1
RAID: No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors: System Temperatures: cpu: 46.0C mobo: 0.0C gpu: 0.0:50C
Fan Speeds (in rpm): cpu: N/A
Info: Processes: 229 Uptime: 1:21 Memory: 1752.7/5816.1MB Init: systemd runlevel: 5 Gcc sys: 7.3.0
Client: Shell (sudo) inxi: 2.3.56
On Ubuntu 18.04 on EFI systems, full disk encryption next to Windows can only be done manually. The /boot folder cannot be encrypted with this procedure; it stays readable on the disk.
Prepare disks:
start the Kubuntu live USB, select the option: try Kubuntu
use KDE partition manager to create the following partitions
create an extended volume in the unallocated space of 90% of the total space. The remaining 10% is left unused so the SSD firmware can use it for wear levelling (over-provisioning).
create a 600 MiB partition labelled efi; when it is selected as /boot/efi the installer formats it as FAT32 (an EFI System Partition must be FAT, not ext4)
create a 1024 MiB ext4 partition labelled boot
in the rest of the extended volume create an encrypted volume using LUKS with a strong passphrase.
confirm all changes
the current disk looks like:
sudo lsblk
output:
NAME TYPE
sda disk
├─sda1 part
├─sda2 part
├─sda5 part
├─sda6 part
└─sda7 part
  └─luks-3a83dd2c-0fc3-4cc4-b54d-3d0eb5b12a51 crypt
another handy command:
sudo fdisk -l
open the encrypted disk:
sudo cryptsetup luksOpen /dev/sda7 sda_crypt
probably, you get an error saying the device is already mapped or mounted (lsblk above shows it is already open under the luks-... name); just reboot the live session and try again.
Give the passphrase.
create a physical volume:
sudo pvcreate /dev/mapper/sda_crypt
got a question:
ext4 signature detected on /dev/mapper/sda_crypt at offset 1000. Wipe it? [y/n]
select y [1] to get the message:
physical volume "/dev/mapper/sda_crypt" successfully created.
now create the volume group that will contain the physical volume:
sudo vgcreate vg00 /dev/mapper/sda_crypt
create two logical volumes, one for swap and one for root:
sudo lvcreate -n lv00-swap -L 16G vg00
sudo lvcreate -n lv01-root -l +100%FREE vg00
it is recommended to put the boot partition on a separate device, e.g. a USB stick, as an extra layer of security (an unencrypted /boot on the disk can be tampered with by anyone who has physical access). Not implemented here, yet.
Continue the installation as below, allocate the different mount points to the different sections:
/dev/mapper/vg00-lv00-swap swap
/dev/mapper/vg00-lv01-root root
sda5 /boot/efi
sda6 /boot
device for boot loader installation: /dev/sda
Install now and continue testing
Post installation [2]
Find the UUID of the LUKS partition (/dev/sda7 in this case), you will need it later:
sudo blkid /dev/sda7
output:
/dev/sda7: UUID="3a83dd2c-0fc3-4cc4-b54d-3b0eb5b12a33" TYPE="crypto_LUKS" PARTUUID="baf111db-07"
Mount the appropriate devices on the appropriate locations in /mnt, and chroot into it:
sudo mount /dev/mapper/vg00-lv01--root /mnt
sudo mount /dev/sda6 /mnt/boot
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt
> mount -t proc proc /proc
> mount -t sysfs sys /sys
> mount -t devpts devpts /dev/pts
Create a file named /etc/crypttab in the chrooted environment containing this line, replacing the UUID value with the UUID of the LUKS partition and vg00 with the name of your volume group:
nano /etc/crypttab
add lines:
# <target name> <source device> <key file> <options>
sda_crypt UUID=3a83dd2c-0fc3-4cc4-b54d-3b0eb5b12a33 none luks,retry=1,lvm=vg00
Run the following commands in the chrooted environment, so that the initramfs learns to unlock the LUKS device and GRUB finds the new root:
update-initramfs -k all -c
update-grub
Reboot and boot into the encrypted Ubuntu. You should be prompted for the passphrase.
Check that you're using the encrypted partition for / by running mount:
mount
output (from the source tutorial; here it reads /dev/mapper/vg00-lv01--root on / and /dev/sda6 on /boot):
/dev/mapper/vgcherries-lvcherriesroot on / type ext4 (rw,errors=remount-ro)
/dev/sda4 on /boot type ext3 (rw)
# rest of output cut for brevity
Check that you're using the encrypted swap partition (not an unencrypted swap partition from another installation) by running this command:
swapon -s
output:
Filename Type Size Used Priority
/dev/dm-1 partition 16777212 0 -2
Check that you can boot into recovery mode; you don't want to find out later during an emergency that recovery mode doesn't work :)
Install any updates, which are likely to rebuild the ramdisk and update the grub configuration. Reboot and test both normal mode and recovery mode.
Finally the disk looks like this (sda1..sda3 are used by Windows; sda3 is the 1K extended-partition container that holds sda5..sda7, and there is no sda4):
lsblk
output:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 953,9G 0 disk
├─sda1 8:1 0 300M 0 part
├─sda2 8:2 0 176,1G 0 part
├─sda3 8:3 0 1K 0 part
├─sda5 8:5 0 600M 0 part /boot/efi
├─sda6 8:6 0 1G 0 part /boot
└─sda7 8:7 0 697,8G 0 part
└─sda_crypt 253:0 0 697,8G 0 crypt
├─vg00-lv00--swap 253:1 0 16G 0 lvm [SWAP]
└─vg00-lv01--root 253:2 0 681,8G 0 lvm /
sr0 11:0 1 1024M 0 rom
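The two checks above (mount and swapon -s) as one script, added here as an example and not part of the original procedure: it reads the device mounted on / and every active swap partition and confirms that each sits on a device-mapper node (/dev/mapper/* or /dev/dm-*), which is what the LUKS+LVM stack produces; a plain /dev/sdaN there means an unencrypted root or a leftover swap from another installation. The file arguments default to /proc/mounts and /proc/swaps; passing copies is an assumption added so the functions can be run on a saved system state.

```bash
#!/bin/sh
# Added example, not from the original page: verify that / and all active
# swap partitions live on a dm-crypt/LVM device. Defaults read the live
# /proc/mounts and /proc/swaps; file arguments are an assumption so saved
# copies can be checked.

root_device() {   # device mounted on /, from a /proc/mounts-style file
    awk '$2 == "/" { dev = $1 } END { print dev }' "${1:-/proc/mounts}"
}

swap_devices() {  # active swap partitions, from a /proc/swaps-style file
    awk 'NR > 1 && $2 == "partition" { print $1 }' "${1:-/proc/swaps}"
}

is_dm_device() {  # true for /dev/mapper/<name> and /dev/dm-<n>
    case "$1" in
        /dev/mapper/*|/dev/dm-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit status 0 when root and every swap partition are on dm devices;
# otherwise prints what is wrong and returns the number of problems.
verify_encrypted_system() {
    mounts="${1:-/proc/mounts}"; swaps="${2:-/proc/swaps}"
    problems=0
    root=$(root_device "$mounts")
    if ! is_dm_device "$root"; then
        echo "root filesystem is on ${root:-<unknown>}, not on a dm-crypt/LVM device" >&2
        problems=$((problems + 1))
    fi
    for dev in $(swap_devices "$swaps"); do
        if ! is_dm_device "$dev"; then
            echo "swap on $dev is not on a dm-crypt/LVM device" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

if [ "${1:-}" = "--run" ]; then verify_encrypted_system && echo "root and swap are on dm devices"; fi
```

A dm device proves the LVM/crypt layer is in use, not by itself that a crypt layer is underneath (LVM on a plain disk would pass too); lsblk -o NAME,TYPE, as shown above, is the place to confirm the "crypt" line sits between the partition and the volume group.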
Security measures on all systems¶
Firewall¶
sudo ufw enable
sudo ufw status
To do
add more on policies (at least: default deny incoming, and allow only the SSH and NFS ports that are actually needed)
Virus-scanner¶
The daemon is only needed when you want to scan incoming files continuously:
sudo apt -y install clamav clamav-daemon
check the status of the signature updater in the service list:
sudo service clamav-freshclam status
Without the daemon installed, clamd does not seem to be in memory; probably a restart is necessary.
On desktop computers a GUI is installed as well:
sudo apt -y install clamtk
usage:
clamscan -rv /home/marcel
clamscan -rv /
clamscan --help
Rootkit checker¶
Rootkits are malicious trojan-like programs that allow an intruder to become the root user and therefore have complete administrative control over the system. There aren't many rootkits in the wild for Linux. Still, this is a growing security problem (especially in other operating systems) and it is a matter of time before more rootkits appear for Linux. Checking for rootkits isn't always successful from a system that is already infected, because the rootkit can hide itself from tools run on that system. Your rootkit checker should therefore be run from another system, or from a USB pendrive with an Ubuntu live installation. See the rootkit checker manuals for instructions on how to do this. If you are infected with a rootkit, you must back up all your files and re-install your system. (Thank goodness this is easy with Ubuntu, unlike with other operating systems.)
sudo apt -y install rkhunter
sudo rkhunter # without arguments: shows the options of the program
sudo rkhunter --check
Encrypt hard disks to store data¶
Short version¶
Here the name of the encrypted drive is usbstick and the mount point is /media/usbstick; other names can be used as well.
create the mount point once:
sudo mkdir /media/usbstick
sudo chown -R marcel:users /media/usbstick
format encrypted (this wipes the drive; check with dmesg that /dev/sdb really is the USB drive and not an internal disk):
dmesg # get the device ID, here /dev/sdb
sudo fdisk /dev/sdb # d, w: delete the old partition and write
sudo fdisk /dev/sdb # n, p: new primary partition, for 90% of the total size in case of flash drives
sudo cryptsetup luksFormat /dev/sdb1 # asks for an uppercase YES and the passphrase
sudo cryptsetup luksOpen /dev/sdb1 usbstick
sudo mkfs.ext4 /dev/mapper/usbstick -L <labelname>
mount:
sudo mount /dev/mapper/usbstick /media/usbstick
cd /media/usbstick
umount (leave the directory first, otherwise the mount is busy):
cd ~
sudo umount /media/usbstick
sudo cryptsetup luksClose usbstick
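The format steps of the short version with the guard a practitioner wants in front of them, added as an example and not the page's own procedure: before touching a device the script refuses if that device or any partition on it is mounted (so the root disk can never be the target by a typo), then wipes the old signatures, creates one primary partition of 90% as above, and runs luksFormat/open/mkfs/close. It uses parted instead of interactive fdisk so that it can run unattended. DRY_RUN=1 and MOUNTS_FILE are assumptions added so the checks can be exercised without root; the ${dev}1 partition name assumes a /dev/sdX style device (NVMe devices use p1).

```bash
#!/bin/sh
# Added example, not the page's own commands: create a LUKS-encrypted ext4
# USB drive with a refuse-if-in-use guard. DRY_RUN=1 prints the privileged
# commands instead of running them; MOUNTS_FILE replaces /proc/mounts
# (both are assumptions added for testing without root).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# True if DEV itself or any partition on it (/dev/sdb, /dev/sdb1, ...) is mounted.
device_in_use() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit found ? 0 : 1 }' "${MOUNTS_FILE:-/proc/mounts}"
}

# safe_luks_format /dev/sdX LABEL MAPPER_NAME
safe_luks_format() {
    dev="$1"; label="$2"; name="$3"
    if device_in_use "$dev"; then
        echo "$dev (or a partition on it) is mounted; refusing to wipe it" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -b "$dev" ]; then
        echo "$dev is not a block device" >&2
        return 1
    fi
    run wipefs -a "$dev" || return 1                   # drop old signatures and partition table
    # one primary partition of 90%: the rest is left for flash wear levelling, as on the page
    run parted -s "$dev" mklabel msdos mkpart primary 1MiB 90% || return 1
    run cryptsetup luksFormat "${dev}1" || return 1     # asks for YES and the passphrase
    run cryptsetup open "${dev}1" "$name" || return 1   # asks for the passphrase again
    run mkfs.ext4 -L "$label" "/dev/mapper/$name" || return 1
    run cryptsetup close "$name"
}

# e.g.: sudo sh luksformat.sh /dev/sdb usbstick usbstick
if [ $# -eq 3 ]; then safe_luks_format "$1" "$2" "$3"; fi
```

The mount check is deliberately on the whole device prefix: a drive that is "only" mounted on one of its partitions is still the wrong drive.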
Long version¶
You can also encrypt a drive via KDE partition manager.
- source:
- date:
2011-08-25
- author:
I wanted to explore a different way to encrypt data on portable USB flash drives other than Truecrypt, so I checked what could be done with Linux Unified Key Setup (LUKS). LUKS is an encryption method that is implemented on Linux by the “cryptsetup” package, and on Windows by FreeOTFE. It encrypts a partition or a file using a key that can be accessed by one or more passphrases. The passphrase can be asked of the user or it can be a file (key-file).
What I wanted to understand about LUKS, with respect to Truecrypt and in general, was:
Security: what are the risks and benefits of using it.
Usability: how much struggle does a user need to setup and then use it.
Portability: if the USB drive can be used both on Linux and Windows.
There are multiple ways to use LUKS to have encrypted data on a USB drive. Here I consider three ways:
Encrypt a partition¶
Because of Windows' lack of functionality, only the first partition of a removable drive can be used. So if I want to encrypt a partition and want the setup to be portable between the two OSes, I need to format the USB drive with a single partition.
Modern Linux file managers such as Thunar or Nautilus have the support to recognize a LUKS partition, they ask you for the password to decrypt the volume and then mount it as a removable drive. This integration is very useful and works quite well, but the catch is that you can’t use a key-file.
These are the steps that I followed to prepare an encrypted USB drive on a Linux machine (Debian wheezy). This procedure wipes the content of the drive, so be careful to choose the USB flash drive that you want to use:
First I plug in a USB removable drive, and check with:
dmesg
the device which is created to access it. In my case the device is /dev/sdd. Be careful to choose the right device, or else you could inadvertently delete one of your hard disks.
Then I wipe the partition table and create a new one, using fdisk. Everything is run as root at the time of creating the encrypted partition:
$ sudo su
# fdisk /dev/sdd
Command (m for help): o
Building a new DOS disklabel with disk identifier 0x28265921.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
I create a new partition, that will hold the LUKS encrypted data:
# fdisk /dev/sdd
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4, default 1):
Using default value 1
First sector (2048-1015807, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-1015807, default 1015807):
Using default value 1015807
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
The partition is accessible in Linux in /dev/sdd1. After that, I format that partition using “cryptsetup” command, creating a LUKS-encrypted partition with a passphrase:
# cryptsetup luksFormat /dev/sdd1
output:
WARNING!
========
This will overwrite data on /dev/sdd1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Now I need to format the decrypted partition; since I want to use the USB disk both on Linux and on Windows, I use FAT32. In order to format the decrypted partition, I need to use the luksOpen command of cryptsetup and map a device, which I name LUKS001:
# cryptsetup luksOpen /dev/sdd1 LUKS001
Enter passphrase for /dev/sdd1:
The mapped device will be present in /dev/mapper/LUKS001. After that, we can format the mapped device (with name LUKS001) and close it:
# mkfs.vfat /dev/mapper/LUKS001 -n LUKS001
mkfs.vfat 3.0.9 (31 Jan 2010)
unable to get drive geometry, using default 255/63
# cryptsetup luksClose LUKS001
We can now unplug and re-plug the USB. I tried both with Xfce and Gnome desktop environment, and in both cases when I replug the USB drive a dialog appears, asking for a passphrase. I provide the passphrase that I chose before and the FAT32 volume with name “LUKS001” gets automatically mounted.
On Windows we need to use FreeOTFE: once the USB drive is plugged in, we open FreeOTFE and choose to mount a partition. Then we supply the passphrase and a new removable media will appear. Note that the Windows computer must have FreeOTFE installed, or at least present in portable mode or explorer mode. Otherwise it could be possible to take with you a portable installation of FreeOTFE, but that means using another USB drive.
Encrypt a volume file¶
Another possibility is to use a file instead of a partition to store encrypted data. This works better for Windows, because you can take with you a USB drive containing both the encrypted data and a portable installation of FreeOTFE. I noticed this solution does not integrate well with Linux desktop environments.
These are the steps that I followed to prepare an encrypted volume file on a Linux machine (Debian wheezy).
First I create a 256MB file with dd option:
# dd if=/dev/zero of=~/luks.img bs=1 count=0 seek=256M
Then I mount the file as a loopback device:
# losetup -f
/dev/loop0
# losetup /dev/loop0 ~/luks.img
Now I do the same steps as before with the /dev/loop0 device instead of the partition:
# cryptsetup luksFormat /dev/loop0
WARNING!
========
This will overwrite data on /dev/loop0 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
# cryptsetup luksOpen /dev/loop0 luksimg
Enter passphrase for /dev/loop0:
# mkfs.vfat /dev/mapper/luksimg -n LUKSIMG
mkfs.vfat 3.0.9 (31 Jan 2010)
unable to get drive geometry, using default 255/63
# cryptsetup luksClose luksimg
# losetup -d /dev/loop0
This creates a luks.img file that can be carried around on a USB stick, but in order to be used on Linux, the root user must mount it with something like:
losetup -f luks.img
first. Then from the file manager you can open the new drive that has appeared; it asks for a password and then it asks again for the root/sudo password.
On Windows instead the procedure is very similar, we open FreeOTFE, then select to mount a file, choose the image and provide the passphrase. The file will be mounted as a new removable drive. On Windows the added benefit is that you can carry around the portable version of FreeOTFE together with the encrypted data on a USB drive.
Use lukstool¶
lukstool is a script to create very secure data storage with LUKS. More information about the tools and the author here: Military-Grade Cryptofile.
A completely encrypted USB drive can be created with lukstool make and then providing /dev/sdd for example, and then the USB drive can be mounted/unmounted with lukstool load and lukstool unload. The script works in the same way using volume files instead of flash drives.
The pros/cons of using lukstool are:
Very high security: it uses two-factor authentication, which means that both a passphrase and a key-file must be provided to decrypt data. Also the details of the script are tailored to achieve as much security as possible.
Simplicity: the scripts hide most of the complexity of adding two-factor authentication on top of LUKS.
You can encrypt an entire USB drive or just use a file.
No OS portability: works only on Linux.
No desktop integration: they are command line scripts.
Needs to have root/sudo privileges also when mounting.
Tutorials and explanation are present on the author’s website.
Conclusions¶
I think Truecrypt is still the most valid compromise between portability, security and usability. That said, LUKS seems a valid alternative in particular cases. I think that partition encryption is very easy to use both on Linux and on Windows, even easier than Truecrypt, but with less security since LUKS does not support two-factor authentication and Linux desktop environments do not support key-files. Also if you are familiar with command line and if you use only your own Linux machines and want maximum (military-grade claimed) security you can use lukstool and feel safe. Then, if you use mainly Windows machines and are concerned about Truecrypt because of licensing issues, low transparency of development and so on, be aware that FreeOTFE is a viable solution to encrypt data on file volumes.
Email encryption¶
PGP
Network Security¶
Remote access via secure shell SSH¶
Server side installation and configuration¶
Warning
When you make a mistake in the configuration file, especially when connected remotely to the server, you may get locked out and lose the connection to the server. Keep the existing session open until a second login with the new configuration works.
install:
sudo apt -y install openssh-server
configuration¶
Make a copy of the original configuration file and protect it against writing:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original
configure the server (sshd) by editing the file:
sudo nano /etc/ssh/sshd_config
A manual for the configuration file can be found using:
man sshd_config
Change port to non-standard port number by adding a line:
Port xxxx # xxx is port number for wiens
Prevent root login:
PermitRootLogin no
optional: Limit to certain users who need remote access:
AllowUsers marcel alice bob
(could not find that one, lately)
After making changes to the /etc/ssh/sshd_config file, save the file, and restart the sshd server application to effect the changes using the following command at a terminal prompt:
sudo systemctl restart sshd.service
setup firewall¶
Port xxxx on the server must be opened, so that clients can reach the server:
sudo ufw enable
sudo ufw allow xxxx/tcp # wiens
sudo ufw status
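The policy that the Firewall section above leaves as "to do", together with the SSH port rule from this section, as an added example (not the page's own commands): default deny incoming and allow outgoing are set first, the SSH port is added with ufw limit (which allows the port but blocks an address after 6 new connections in 30 seconds, a cheap brake on password guessing), any further TCP ports follow, and only then is the firewall enabled, so enabling can never cut off the SSH session the commands are typed in. ufw is only called through run(); DRY_RUN=1 is an assumption added so the command sequence can be inspected without root.

```bash
#!/bin/sh
# Added example, not the page's own commands: apply a ufw policy in an order
# that cannot lock out SSH. DRY_RUN=1 prints the ufw commands instead of
# running them (assumption added for testing without root).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# apply_firewall_policy SSH_PORT [EXTRA_TCP_PORT ...]
apply_firewall_policy() {
    ssh_port="$1"; shift
    case "$ssh_port" in
        ''|*[!0-9]*) echo "ssh port must be numeric" >&2; return 1 ;;
    esac
    run ufw default deny incoming || return 1
    run ufw default allow outgoing || return 1
    # limit: allow, but drop an address after 6 new connections within 30 s
    run ufw limit "${ssh_port}/tcp" || return 1
    for p in "$@"; do
        run ufw allow "${p}/tcp" || return 1
    done
    run ufw --force enable || return 1   # --force: skip the "may disrupt ssh" question
    run ufw status verbose
}

# e.g.: sudo sh firewall.sh 2234 2049   (first arg: SSH port, rest: other TCP ports)
if [ $# -ge 1 ]; then apply_firewall_policy "$@"; fi
```

Extra ports are TCP only here; a UDP service would need its own allow rule, and NFS in particular needs more than a single port unless it is restricted to NFSv4.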
Generate keys for ssh access¶
SSH keys allow authentication between two hosts without the need of a password. SSH key authentication uses two keys, a private key and a public key.
To do
complete this part.
Client side¶
installation:
sudo apt -y install openssh-client
connect to the server (for now by IP address, without DNS):
ssh -p xxx -2 admins@192.168.1.XXX # XXX is IP number of server
You’ll get a message similar to:
The authenticity of host '...' can't be established.
ECDSA key fingerprint is SHA256:xIxdlitb9HjMKID8w3pOdr76yh/98km2kXlDRnIIP3p.
Are you sure you want to continue connecting (yes/no)?
Answer with «yes».
When the server has been reinstalled several times, old host keys may still be present in the local known_hosts file. Remove them using:
ssh-keygen -f "/home/marcel/.ssh/known_hosts" -R "[192.168.1.XXX]:xxxx"
and confirm deletion and new acceptance of keys.
or remove it permanently by editing the file:
nano ~/.ssh/known_hosts
and remove the line with the key that is conflicting, in this case row 5 (numbering starts at 1):
Warning: the ECDSA host key for '...' differs from the key for the IP address '[192.168.1.20]:2234'
Offending key for IP in /home/marcel/.ssh/known_hosts:5
Matching host key in /home/marcel/.ssh/known_hosts:6
This setup allows remote access within the local network, provided the SSH port is not reachable from the outside world; otherwise others might gain access to the server as well. If the server needs to be accessed over the internet, follow the section Generate keys for ssh access.
The rest of the installation can now take place over a remote connection, using ssh. This enables the use of copy-paste.
Network Intrusion detection and prevention: suricata¶
install:
sudo apt -y install suricata
It configures itself and runs as a background process (visible in htop):
/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /var/run/suracata.pid
Meaning:
-D: run as a background daemon (suricata will fork itself).
--af-packet[=<dev>]: run in AF_PACKET mode. No dev value selects the interfaces from the main configuration file.
-c <path>: load the main configuration file (by default /etc/suricata/suricata.yaml).
--pidfile <path>: write the PID to the file.
Edit configuration file:
sudo nano /etc/suricata/suricata.yaml
edits (YAML, indentation matters):
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24]"
  port-groups:
    SSH_PORTS: "any"
To do
must be set up much better, and updated rule-sets must be added
It can be integrated with Logstash and used together with BASE, Snorby, Sguil and SQueRT.
computer disposal¶
Before a computer or hard drive is disposed of, the information on it needs to be destroyed.
Wipe HDD
via hardware¶
find the <disk id> with Gparted
type in konsole:
sudo hdparm -I /dev/<disk id>
example:
sudo hdparm -I /dev/sdd
the output should say “not frozen”; otherwise see: https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
set the user password ‘Eins’:
sudo hdparm --user-master u --security-set-pass Eins /dev/sdb
erase HDD:
sudo time hdparm --user-master u --security-erase Eins /dev/sdb
check:
sudo hdparm -I /dev/sdd
via software¶
create a single ext4 partition using e.g. Gparted, and determine the <disk id>, for example /dev/sda1
type in konsole:
sudo apt-get -y install wipe
sudo wipe <disk id>
Run at least 6 passes, for fast disks 20 passes
sudo wipe /dev/sdc1
[sudo] password for marcel:
Okay to WIPE 1 special file ? (Yes/No) yes
Wiping /dev/sdc1, pass 1 (1 ) 8588891 / 19535616] ETA 4d 6h
Interrupted with ctrl-c:
*** Interrupted by signal 2
*** If you want to resume wiping while preserving the pass order, use these options:
*** -X 1 -x 0,1,2,3,29,19,20,8,13,6,30,27,10,22,9,14,21,5,11,7,26,28,4,16,17,15,12,18,23,24,25,31,32,33,34
Continue wiping:
sudo wipe /dev/sdc1 -X 1 -x 0,1,2,3,29,19,20,8,13,6,30,27,10,22,9,14,21,5,11,7,26,28,4,16,17,15,12,18,23,24,25,31,32,33,34
sudo wipe /dev/sdc1 -X 3 -x 0,1,2,3,29,19,20,8,13,6,30,27,10,22,9,14,21,5,11,7,26,28,4,16,17,15,12,18,23,24,25,31,32,33,34
zeroing¶
boot from a Linux live system
delete all files
then:
dd if=/dev/zero of=/dev/<disk id>
unlock¶
Sometimes the drive is not recognised via USB or eSATA and has to be connected directly to the motherboard. Repeating the command:
sudo hdparm -I /dev/sdb
gives at the bottom:
Security:
Master password revision code = 65534
supported
enabled
locked
not frozen
not expired: security count
supported: enhanced erase
Security level high
208min for SECURITY ERASE UNIT. 208min for ENHANCED SECURITY ERASE UNIT.
Hence, the drive is locked. You can unlock it by using:
sudo hdparm --user-master m --security-unlock PASS /dev/sdb
PASS is the master password, in this case (different from the one listed on the website):
sudo hdparm --user-master m --security-unlock WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW /dev/sdb
output:
[sudo] password for marcel:
security_password: "WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW"
/dev/sdb:
Issuing SECURITY_UNLOCK command, password="WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW", user=master
again:
sudo hdparm -I /dev/sdb
gives at the bottom:
Security:
Master password revision code = 65534
supported
enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
Security level high
208min for SECURITY ERASE UNIT. 208min for ENHANCED SECURITY ERASE UNIT.
not locked anymore!
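As an added example (not from the original page), a shell script that reads saved `hdparm -I` output like the listings above and reports whether the drive is frozen, locked or ready for the set-pass and erase commands in the "via hardware" section; the sample output is constructed from the listing in this section and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): parse the "Security:" block of
# `hdparm -I` output and report whether the secure-erase steps above can be
# issued. States: "unsupported", "frozen" (see the ATA Secure Erase wiki page),
# "locked" (unlock with the master password first), "ready" or
# "ready enhanced" (set the user password, then erase).

# write_sample_hdparm FILE STATE: write a constructed copy of the listing in
# this section; STATE is locked, unlocked or frozen. Real output indents with
# tabs; awk splits on any whitespace, so spaces are used here.
write_sample_hdparm() {
    lock="locked"; froz="not frozen"
    [ "$2" = unlocked ] && lock="not locked"
    [ "$2" = frozen ] && froz="frozen"
    cat > "$1" <<EOF
Security:
    Master password revision code = 65534
        supported
        enabled
    $lock
    $froz
    not expired: security count
        supported: enhanced erase
    Security level high
    208min for SECURITY ERASE UNIT. 208min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
}

# hdparm_security_state FILE: print one state word for the drive described
# in FILE (the saved output of `sudo hdparm -I /dev/<disk id>`).
hdparm_security_state() {
    awk '
        /^Security:/                { insec = 1; next }
        insec && /^[^ \t]/          { insec = 0 }   # next unindented line ends the block
        !insec                      { next }
        $NF == "frozen"             { frozen = ($1 != "not") }
        $NF == "locked"             { locked = ($1 != "not") }
        /supported$/ && !/:/        { supported = ($1 != "not") }
        /supported: enhanced erase/ { enhanced = ($1 != "not") }
        END {
            if (!supported)    print "unsupported"
            else if (frozen)   print "frozen"
            else if (locked)   print "locked"
            else if (enhanced) print "ready enhanced"
            else               print "ready"
        }' "$1"
}
```

Save the real output with `sudo hdparm -I /dev/<disk id> > hdparm.txt` and pass that file; only a "ready" state should be followed by the set-pass and erase commands.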