###########################################
All security installation and configuration
###########################################

:author: Marcel van Duijvendijk

.. tabularcolumns:: | p{32pt} | p{54pt} | p{326pt} |

.. table:: List of changes

   +---------+------------+---------------+
   | Version | Date       | Description   |
   +=========+============+===============+
   | 00.00   | 2018-06-01 | original file |
   +---------+------------+---------------+

This file contains all security precautions taken on the computer systems in the
local network.
It is meant for copy-pasting commands into Konsole (Terminal); little
explanation is given as to what to do. For more information, follow the provided
links.

.. contents::
   :depth: 1
===================
Physical protection
===================

- House, garden and office are protected against burglary (break-in) to some
  extent.
- Some equipment is hidden: difficult to find.
- All data is encrypted, see below how.
- 1 data backup is saved in the house, daily.
- A double data backup is saved monthly and stored at another location (in case
  of fire or other severe data loss).

.. todo:: double the daily backup, so I get 3 daily versions of all data.
========
Hardware
========

Most hardware is not secure. Known insecurities are:

- `intel Vpro `_
- `intel AMT `_
- `intel ME `_

  These can be disabled, for example when buying a new laptop from a vendor such
  as `thinkpenguin `_.

- intel-microcode firmware for CPUs is closed software.
- NVIDIA graphical drivers are closed software.

.. todo:: finish this list

The majority of people use this hardware. Why not use it as well? The strategy
is to move away from hardware that is known to be inherently insecure, thus:

- use AMD processors where possible; AMD has a history of supporting open
  software more, as a measure to compete with intel.
- or even better: use open hardware, such as:

  - hardware using `openpower CPU's `_
  - `Open compute project `_

Of course, when affordable.
.. _`Passphrases`:

===========
Passphrases
===========

Passwords should be difficult to break and easy to remember. This guideline is
used to generate passphrases:

- `Passphrases That You Can Memorize - But That Even the NSA Can’t Guess`_

Strong enough is 7x5 dice rolls, thus seven words to remember (each word is
selected by five dice rolls from a Diceware list).

- English Diceware list: http://world.std.com/~reinhold/dicewarewordlist.pdf
- Other language Diceware lists: http://world.std.com/%7Ereinhold/diceware.html
- Dutch Diceware list: http://theworld.com/%7Ereinhold/DicewareDutch.txt
- Dutch Diceware, only use with spaces: https://d18sc3w29ndn46.cloudfront.net/diceware/diceware-wordlist-composites-nl-cb-cc5553b4fa.txt
- Safer Dutch Diceware, can be used without spaces: https://d18sc3w29ndn46.cloudfront.net/diceware/diceware-wordlist-nl-cb-d549b95b07.txt

.. _`Passphrases That You Can Memorize - But That Even the NSA Can’t Guess`: https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
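The 7x5 rule above, worked through as an added Python example (not part of the original notes): it parses a Diceware list in the format of the lists linked above, refuses incomplete lists, rolls the dice with a CSPRNG and reports the resulting entropy. The word list embedded for offline use is constructed (word = ``w`` + key); with a real list, read the file instead.

```python
"""Diceware passphrase generator (added example, not from the original notes).

Word list format, as in Reinhold's lists: one entry per line, a five-digit key
made of dice values 1..6, whitespace, then the word.
"""
import math
import secrets
from itertools import product

DICE_PER_WORD = 5                  # one Diceware word = five dice rolls
WORDS_PER_PASSPHRASE = 7           # the "7x5" rule from the notes
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 entries in a complete list


def parse_wordlist(text):
    """Parse a Diceware list into {key: word}; reject malformed or short lists."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank lines and headers
        key, word = parts
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError("bad key %r" % key)
        if key in words:
            raise ValueError("duplicate key %r" % key)
        words[key] = word
    if len(words) != LIST_SIZE:
        # A short list silently lowers the entropy per word, so refuse it.
        raise ValueError("expected %d entries, got %d" % (LIST_SIZE, len(words)))
    return words


def roll_key(rng=secrets.randbelow):
    """Five fair dice rolls from a CSPRNG, e.g. '36215'."""
    return "".join(str(rng(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(words, n_words=WORDS_PER_PASSPHRASE, sep=" "):
    """Pick n_words words by rolling the dice; words may repeat, as with real dice."""
    return sep.join(words[roll_key()] for _ in range(n_words))


def entropy_bits(n_words=WORDS_PER_PASSPHRASE, list_size=LIST_SIZE):
    """Entropy of a uniformly chosen passphrase: n_words * log2(list size)."""
    return n_words * math.log2(list_size)


def constructed_wordlist():
    """A complete but synthetic list (word = 'w' + key), constructed for offline use."""
    keys = ("".join(d) for d in product("123456", repeat=DICE_PER_WORD))
    return "\n".join("%s\tw%s" % (k, k) for k in keys)


if __name__ == "__main__":
    # Replace constructed_wordlist() with open("diceware.txt").read() for a real list.
    words = parse_wordlist(constructed_wordlist())
    print(passphrase(words))
    print("%.1f bits of entropy" % entropy_bits())
```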
===============
(software) keys
===============

Software keys are stored on an encrypted USB-disk in 3 copies:

- 2 in the house
- 1 at a remote location, in case of fire.

When updates are made, the 2 USB-sticks in the house are updated, 1 is exchanged
with the remote location and the remote one is also updated again.
===============
Security wallet
===============

Passwords can be stored in wallets. By default passwords are stored in:

- firefox (easy to break, not a good idea)
- Kleopatra (default in Kubuntu, seems OK)

Some more generic password database programs are considered; they should be
compatible with Linux and Windows, but none has been selected yet. Considered
options:

- KeePassX

  For logging in to websites and other servers, use a password database. I like
  `KeePassX`_ because it’s free, open source, cross-platform, and it never stores
  anything in the cloud. Then lock up all your passwords behind a master
  passphrase that you generate with Diceware. Use your password manager to
  generate and store a different random password for each website you log in to.

  But, better use `KeePassXC`_.

.. _`KeePassX`: https://www.keepassx.org/
.. _`KeePassXC`: https://keepassxc.org/project/

.. todo::

   - use better passwords when visiting websites and save them in a wallet.
   - back up the wallet in a safe place in case the wallet gets corrupted.
===================
Software in general
===================

In the end, the only way to know that your system is safe is by using an open
OS, such as linux, because you can review what is inside. All closed components
are security hazards.

However, as the system grows it becomes virtually impossible to check all
components of a computer system, so one has to trust somebody else's eyes
for checking the security of the software. The danger is when everybody trusts
somebody else to check the software and nobody actually does it.

Why free software:

- Freedom

  - free to use,
  - ... study,
  - ... improve,
  - ... share
  - against monopolies
  - against supplier dependence

- Costs

  - No license costs; especially engineering software is expensive
  - Legal: no penalty risks
  - invest only in

    - further development
    - training
    - maintenance

- Flexibility

  - Functionality

    - own influence on functionality
    - invest once for further development of the software

- Security

  - FOSS is safer (viruses, hacks)
  - FOSS is more reliable (bugs)

- Employees

  - (future) employees can train themselves with the software legally at home
  - more interesting work for (software) professionals

- Results

  - stimulates the economy

    - SME
    - innovation

Why not use FOSS:

- Vulnerable to malicious users
- often not as user-friendly as commercial versions
- Don’t come with extensive support
- Because there is no requirement to create a commercial product that will sell
  and generate money, open source software can tend to evolve more in line with
  developers’ wishes than the needs of the end user.
- requires more technical know-how
- difficult to find drivers for some devices

:sources:
   - https://connectusfund.org/7-main-advantages-and-disadvantages-of-open-source-software
   - https://entrepreneurhandbook.co.uk/open-source-software/

Free software by R. Stallman from Free software Foundation
==========================================================
================
Operating system
================

Installation on different computers
===================================

All systems:

`Check L1TF fault`_
-------------------

.. _`Check L1TF fault`: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF

::

   cat /sys/devices/system/cpu/vulnerabilities/l1tf

Output should be::

   not affected

otherwise, check `Check L1TF fault`_.

Note: on the i7 laptop the output was::

   hernando@hernando-S451LB:~$ cat /sys/devices/system/cpu/vulnerabilities/l1tf
   Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable

Processors that have Hyper-Threading support enabled will indicate that SMT is
vulnerable when used in conjunction with Intel Virtualization Technology (VMX),
even though the PTE Inversion mitigation is active.
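A small Python audit of the same sysfs interface, added here and not part of the original notes: it generalizes the l1tf check to every file in ``/sys/devices/system/cpu/vulnerabilities/`` and flags the "mitigated but SMT vulnerable" case shown above. The sample lines are constructed, modelled on the laptop output.

```python
"""Audit the kernel's CPU vulnerability files (added example, not from the notes).

Each file in /sys/devices/system/cpu/vulnerabilities/ holds one line such as
"Not affected", "Mitigation: ..." or "Vulnerable...". The l1tf line may end in
"SMT vulnerable" even when a mitigation is active, as the i7 laptop above shows.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(line):
    """Return (status, smt_vulnerable) for one sysfs line.

    status is 'ok', 'mitigated', 'vulnerable' or 'unknown'.
    """
    text = line.strip()
    smt_vulnerable = "SMT vulnerable" in text
    if text.lower() == "not affected":
        return "ok", False
    if text.startswith("Mitigation:"):
        return "mitigated", smt_vulnerable
    if text.startswith("Vulnerable"):
        return "vulnerable", smt_vulnerable
    return "unknown", smt_vulnerable


def read_sysfs(directory=SYSFS_DIR):
    """Read every vulnerability file into {name: line}; empty dict if absent."""
    entries = {}
    if not os.path.isdir(directory):
        return entries
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            entries[name] = fh.read().strip()
    return entries


def needs_attention(entries):
    """Names a defender should look at: unmitigated, unparsed, or mitigated
    with SMT still exposed (the L1TF case in the notes). Sorted by name."""
    flagged = []
    for name, line in sorted(entries.items()):
        status, smt = classify(line)
        if status in ("vulnerable", "unknown") or smt:
            flagged.append(name)
    return flagged


# Constructed sample, modelled on the laptop output above; not real audit data.
SAMPLE = {
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Not affected",
    "spectre_v2": "Vulnerable",
}

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE   # falls back to the sample off-Linux
    for name, line in sorted(live.items()):
        print("%-12s %-10s %s" % (name, classify(line)[0], line))
    print("needs attention:", ", ".join(needs_attention(live)) or "none")
```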
Installation on PC, i7
----------------------

.. code-block:: text

   System:    Host: hernando-S451LB Kernel: 4.15.0-42-generic x86_64
              bits: 64 gcc: 7.3.0
              Console: tty 0 Distro: Ubuntu 18.04.1 LTS
   Machine:   Device: laptop System: ASUSTeK product: S451LB v: 1.0 serial: E1N0CX072672058
              Mobo: ASUSTeK model: S451LB v: 1.0 serial: BSN12345678901234567
              UEFI: American Megatrends v: S451LB.402 date: 12/20/2013
   Battery    BAT0: charge: 30.9 Wh 98.3% condition: 31.4/46.4 Wh (68%)
              model: ASUSTeK S451-32 status: Charging
   CPU:       Dual core Intel Core i7-4500U (-MT-MCP-)
              arch: Haswell rev.1 cache: 4096 KB
              flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 9577
              clock speeds: max: 3000 MHz 1: 2279 MHz 2: 1654 MHz 3: 1511 MHz
              4: 1717 MHz
   Memory:    Array-1 capacity: 32 GB devices: 4 EC: None
              Device-1: ChannelA-DIMM0 size: 4 GB speed: 1600 MT/s type: DDR3
              part: N/A
              Device-2: ChannelA-DIMM1 size: No Module Installed type: N/A
              Device-3: ChannelB-DIMM0 size: 4 GB speed: 1600 MT/s type: DDR3
              part: M471B5173QH0-YK0
              Device-4: ChannelB-DIMM1 size: No Module Installed type: N/A
   Graphics:  Card-1: Intel Haswell-ULT Integrated Graphics Controller
              bus-ID: 00:02.0
              Card-2: NVIDIA GK208M [GeForce GT 740M] bus-ID: 04:00.0
              Display Server: X.Org 1.19.6
              drivers: modesetting,nvidia (unloaded: fbdev,vesa,nouveau)
              Resolution: 1366x768@60.06hz, 1920x1080@74.97hz
              OpenGL: renderer: GeForce GT 740M/PCIe/SSE2
              version: 4.6.0 NVIDIA 390.87 Direct Render: Yes
   Audio:     Card-1 Intel 8 Series HD Audio Controller
              driver: snd_hda_intel bus-ID: 00:1b.0
              Card-2 Intel Haswell-ULT HD Audio Controller
              driver: snd_hda_intel bus-ID: 00:03.0
              Sound: Advanced Linux Sound Architecture v: k4.15.0-42-generic
   Network:   Card-1: Realtek RTL8111/8168/8411 PCIE Gigabit Ethernet Controller
              driver: r8169 v: 2.3LK-NAPI port: e000 bus-ID: 02:00.0
              IF: enp2s0 state: up speed: 100 Mbps duplex: full
              mac: e0:3f:49:c6:eb:dd
              Card-2: Qualcomm Atheros AR9485 Wireless Network Adapter
              driver: ath9k bus-ID: 03:00.0
              IF: wlp3s0 state: up mac: 6c:71:d9:d5:0b:f3
   Drives:    HDD Total Size: 3000.6GB (33.5% used)
              ID-1: /dev/sda model: TOSHIBA_MQ01ABD1 size: 1000.2GB temp: 38C
              ID-2: USB /dev/sdb model: HV620 size: 2000.4GB temp: 0C
   Partition: ID-1: / size: 635G used: 100G (17%) fs: ext4 dev: /dev/sda6
              ID-2: swap-1 size: 8.47GB used: 0.00GB (0%)
              fs: swap dev: /dev/sda7
   RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
   Sensors:   System Temperatures: cpu: 56.0C mobo: N/A gpu: 0.0:58C
              Fan Speeds (in rpm): cpu: 2700
   Info:      Processes: 278 Uptime: 2:11 Memory: 2458.6/7860.8MB
              Init: systemd runlevel: 5 Gcc sys: 7.3.0
              Client: Shell (sudo) inxi: 2.3.56
Ubuntu Server installation on network server
--------------------------------------------

Get system characteristics::

   sudo inxi -Fmx

output::

   System:    Host: w1 Kernel: 4.15.0-22-generic x86_64 bits: 64 gcc: 7.3.0 Console: tty 1
              Distro: Ubuntu 18.04 LTS
   Machine:   Device: desktop System: Hewlett-Packard product: HP t620 Quad Core TC serial: CZC5020DMF
              Mobo: Hewlett-Packard model: 21B4 v: A01 serial: N/A UEFI: AMI v: L40 v02.08 date: 10/09/2014
   CPU:       Quad core AMD GX-415GA SOC with Radeon HD Graphics (-MCP-) arch: Jaguar rev.1 cache: 2048 KB
              flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm) bmips: 11977
              clock speeds: max: 1500 MHz 1: 1058 MHz 2: 1009 MHz 3: 1008 MHz 4: 811 MHz
   Memory:    Array-1 capacity: 4 GB devices: 2 EC: None
              Device-1: DIMM 0 size: No Module Installed type: DDR3
              Device-2: DIMM 1 size: 4 GB speed: 1600 MT/s type: DDR3 part: HMT451S6BFR8A-PB
   Graphics:  Card: Advanced Micro Devices [AMD/ATI] Kabini [Radeon HD 8330E] bus-ID: 00:01.0
              Display Server: N/A driver: radeon tty size: 160x64 Advanced Data: N/A for root out of X
   Audio:     Card-1 Advanced Micro Devices [AMD] FCH Azalia Controller driver: snd_hda_intel bus-ID: 00:14.2
              Card-2 Advanced Micro Devices [AMD/ATI] Kabini HDMI/DP Audio driver: snd_hda_intel bus-ID: 00:01.1
              Sound: Advanced Linux Sound Architecture v: k4.15.0-22-generic
   Network:   Card: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
              driver: r8169 v: 2.3LK-NAPI port: e000 bus-ID: 01:00.0
              IF: enp1s0 state: up speed: 100 Mbps duplex: full mac: 00:8c:fa:d6:de:79
   Drives:    HDD Total Size: 17.0GB (34.5% used)
              ID-1: /dev/sda model: SanDisk_SDSA6MM size: 16.0GB temp: 37C
              ID-2: USB /dev/sdb model: USB_DISK size: 1.0GB temp: 0C
   Partition: ID-1: / size: 15G used: 5.5G (41%) fs: ext4 dev: /dev/sda2
   RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
   Sensors:   System Temperatures: cpu: 44.8C mobo: N/A gpu: 44.0
              Fan Speeds (in rpm): cpu: N/A
   Info:      Processes: 121 Uptime: 2:29 Memory: 232.9/3371.8MB Init: systemd runlevel: 5 Gcc sys: N/A
              Client: Shell (sudo) inxi: 2.3.56

Added hardware ordered from Conrad.nl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======== ========= ========================================== ==========
Quantity Order no. Description                                Unit price
======== ========= ========================================== ==========
1        649891    USB 3.0 to 2.5" SATA converter cable       16.99
1        1697683   Toshiba HDWL120EZSTA hard disk (2.5 i      94.49
======== ========= ========================================== ==========

The USB drives are mounted on the VESA mount using angle iron (corner bead, as
used to protect corners when plastering walls).
Installation
~~~~~~~~~~~~

Guided, use entire disk: /dev/sda model: SanDisk_SDSA6MM size: 16.0GB,
non-encrypted.

.. todo:: swap is still used and data in swap is still visible. Should put
   swap off or encrypt swap.

Add disks
~~~~~~~~~

Disks are encrypted separately from the system. So, when the system is off, they
can be disconnected and mounted on another system easily.
See further :ref:`disk encryption`.

Encrypted drives are mounted using their UUID. List the block devices::

   lsblk

and find the drive to be /dev/sdb1. Search for the UUID of this drive, using::

   sudo blkid /dev/sdb1

output::

   /dev/sdb1: UUID="9901d346-cecc-4b89-929e-12a8ace70223" TYPE="crypto_LUKS" PARTUUID="03d941c1-c698-4210-8e90-9573c9989bef"

To decrypt the volume and to mount it as usual::

   # sudo cryptsetup luksOpen /dev/sdb1 wiens
   sudo cryptsetup luksOpen /dev/disk/by-uuid/9901d346-cecc-4b89-929e-12a8ace70223 wiens
   sudo mount /dev/mapper/wiens /media/wiens

Perhaps, assign user rights for the current user::

   sudo chown -R admins:users /media/wiens

Automate the mounting process in a bash script::

   cd ~/Scripts
   nano mountDisk.sh

add content::

   #!/bin/bash
   # Script to mount the encrypted drive "wiens" by UUID and export it over NFS.
   # Must be run as root (sudo).
   set -u
   # Release any stale mount or mapping left from a previous run
   mountpoint -q /media/wiens && umount /media/wiens
   [ -e /dev/mapper/wiens ] && cryptsetup luksClose wiens
   # Unlock the LUKS volume (asks for the passphrase); stop if that fails
   cryptsetup luksOpen /dev/disk/by-uuid/9901d346-cecc-4b89-929e-12a8ace70223 wiens || exit 1
   mount /dev/mapper/wiens /media/wiens || exit 1
   # Re-export the mounted volume over NFS
   mount --bind /media/wiens /export/WIENS
   service nfs-kernel-server restart
   cd /media/wiens && ls

Save and exit, make executable::

   chmod +x mountDisk.sh

Run it as::

   sudo bash mountDisk.sh

The script can be set to run automatically at login, in::

   sudo nano ~/.profile

and insert these lines at the bottom::

   # run the automatic mount script; cryptsetup and mount need root
   echo To mount the encrypted drive, type password, else press ctrl-c
   echo
   sudo ~/Scripts/mountDisk.sh

Whenever the server boots, it asks for the passphrase and password to unlock the
additional disk.
VGA dummy plug
~~~~~~~~~~~~~~

When booting without a VGA monitor or DisplayPort, the HP t620 starts beeping
6x, with red lights blinking.
To avoid this, a resistor is placed between one of the colours (pin 1, 2 or 3)
and ground (pin 5). The resistor should have a value between :math:`50\,\Omega`
and :math:`150\,\Omega`.

:source: http://blog.zorinaq.com/the-5-second-vga-dummy-plug/

Cover lights
~~~~~~~~~~~~

In order to reduce visibility, all lights are covered with black plastic:
2 lights on the front (on/off and hard disk activity) and, on the back, 2
ethernet LEDs.

.. todo:: do not use swap, as swap is not encrypted... or use encrypted swap.
Installation laptop, dual boot windows
--------------------------------------

That was more difficult...

Get system characteristics::

   sudo inxi -Fmx

output::

   System:    Host: HP-8540w Kernel: 4.15.0-39-generic x86_64 bits: 64 gcc: 7.3.0 Console: tty 1
              Distro: Ubuntu 18.04.1 LTS
   Machine:   Device: laptop System: Hewlett-Packard product: HP EliteBook 8540w serial: CND136GSNF
              Mobo: Hewlett-Packard model: 1521 v: KBC Version 32.36 serial: CND136GSNF
              BIOS: Hewlett-Packard v: 68CVD Ver. F.60 date: 11/11/2015
   Battery    BAT0: charge: 56.8 Wh 95.5% condition: 59.5/59.5 Wh (100%) model: Hewlett-Packard Primary status: N/A
   CPU:       Dual core Intel Core i7 M 640 (-MT-MCP-) arch: Nehalem rev.5 cache: 4096 KB
              flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 11171
              clock speeds: max: 2800 MHz 1: 1686 MHz 2: 2198 MHz 3: 1576 MHz 4: 1672 MHz
   Memory:    Array-1 capacity: 8 GB devices: 2 EC: None
              Device-1: Top-Slot 1(top) size: 2 GB speed: 1333 MT/s type: DDR3 part: 99U5594-005.A00LF
              Device-2: Bottom-Slot 1(right) size: 4 GB speed: 1333 MT/s type: DDR3 part: M471B5273CH0-CH9
   Graphics:  Card: NVIDIA GT215GLM [Quadro FX 1800M] bus-ID: 01:00.0
              Display Server: X.Org 1.19.6 drivers: nvidia (unloaded: modesetting,fbdev,vesa,nouveau)
              Resolution: 1920x1080@59.93hz, 2560x1600@59.97hz
              OpenGL: renderer: Quadro FX 1800M/PCIe/SSE2 version: 3.3.0 NVIDIA 340.107 Direct Render: Yes
   Audio:     Card-1 Intel 5 Series/3400 Series High Definition Audio driver: snd_hda_intel bus-ID: 00:1b.0
              Card-2 NVIDIA High Definition Audio Controller driver: snd_hda_intel bus-ID: 01:00.1
              Sound: Advanced Linux Sound Architecture v: k4.15.0-39-generic
   Network:   Card-1: Intel 82577LM Gigabit Network Connection driver: e1000e v: 3.2.6-k port: 6020 bus-ID: 00:19.0
              IF: enp0s25 state: up speed: 100 Mbps duplex: half mac: b4:99:ba:f3:ca:06
              Card-2: Intel Centrino Ultimate-N 6300 driver: iwlwifi bus-ID: 44:00.0
              IF: wlo1 state: down mac: 00:24:d7:e3:1a:70
   Drives:    HDD Total Size: 1024.2GB (8.3% used)
              ID-1: /dev/sda model: Samsung_SSD_850 size: 1024.2GB temp: 0C
   Partition: ID-1: / size: 671G used: 65G (11%) fs: ext4 dev: /dev/dm-2
              ID-2: /boot size: 976M used: 148M (17%) fs: ext4 dev: /dev/sda6
              ID-3: swap-1 size: 17.18GB used: 0.00GB (0%) fs: swap dev: /dev/dm-1
   RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
   Sensors:   System Temperatures: cpu: 46.0C mobo: 0.0C gpu: 0.0:50C
              Fan Speeds (in rpm): cpu: N/A
   Info:      Processes: 229 Uptime: 1:21 Memory: 1752.7/5816.1MB Init: systemd runlevel: 5 Gcc sys: 7.3.0
              Client: Shell (sudo) inxi: 2.3.56
- only `manual full disk encryption on ubuntu 18.04`_ on EFI systems. You cannot
  encrypt the boot folder.

.. _`manual full disk encryption on ubuntu 18.04`: https://help.ubuntu.com/community/ManualFullSystemEncryption

:source: https://www.linux.com/blog/how-full-encrypt-your-linux-system-lvm-luks

Prepare disks:

- start the Kubuntu live USB, select option: `try kubuntu`
- use KDE partition manager to create the following partitions:

  - create an extended volume in the unallocated space of 90% of total space. The
    remaining 10% is left for the SSD firmware, to save SSD life.
  - create a 600 MiB ext4 partition labelled efi
  - create a 1024 MiB ext4 partition labelled boot
  - in the rest of the extended volume, create an encrypted volume using LUKS
    with a strong passphrase.

- confirm all changes
- the current disk looks like::

     sudo lsblk

  output::

     NAME                                          TYPE
     sda                                           disk
     ├─sda1                                        part
     ├─sda2                                        part
     ├─sda5                                        part
     ├─sda6                                        part
     └─sda7                                        part
       └─luks-3a83dd2c-0fc3-4cc4-b54d-3d0eb5b12a51 crypt

  another handy command::

     sudo fdisk -l

- open the encrypted disk::

     sudo cryptsetup luksOpen /dev/sda7 sda_crypt

  Probably, you get an error saying the device is already mapped or mounted;
  just reboot the live session and try again. Give the passphrase.
- create a physical volume::

     sudo pvcreate /dev/mapper/sda_crypt

  I got a question::

     ext4 signature detected on /dev/mapper/sda_crypt at offset 1000. Wipe it? [y/n]

  select y to get the message::

     physical volume "/dev/mapper/sda_crypt" successfully created.

- now create the volume group that will contain the physical device::

     sudo vgcreate vg00 /dev/mapper/sda_crypt

- create two logical volumes, one for root and one for swap::

     sudo lvcreate -n lv00-swap -L 16G vg00
     sudo lvcreate -n lv01-root -l +100%FREE vg00

- it is recommended to install the boot partition on a separate device, e.g. a
  USB stick, to create an extra layer of security. Not implemented here, yet.
- continue the installation as below, allocating the different mount points to
  the different sections:

  - /dev/mapper/vg00-lv00-swap swap
  - /dev/mapper/vg00-lv01-root root
  - sda5 /boot/efi
  - sda6 /boot
  - device for boot loader installation: /dev/sda

- Install now and continue testing

Post installation [#]_ [#]_

.. [#] from step 9 follow: https://askubuntu.com/questions/293028/how-can-i-install-ubuntu-encrypted-with-luks-with-dual-boot
.. [#] further improvements from: https://askubuntu.com/questions/918021/encrypted-custom-install

- Find the UUID of the LUKS partition (/dev/sda7 in this case), you will need it
  later::

     sudo blkid /dev/sda7

  output::

     /dev/sda7: UUID="3a83dd2c-0fc3-4cc4-b54d-3b0eb5b12a33" TYPE="crypto_LUKS" PARTUUID="baf111db-07"

- Mount the appropriate devices to the appropriate locations in /mnt, and chroot
  into it::

     sudo mount /dev/mapper/vg00-lv01--root /mnt
     sudo mount /dev/sda6 /mnt/boot
     sudo mount --bind /dev /mnt/dev
     sudo chroot /mnt
     > mount -t proc proc /proc
     > mount -t sysfs sys /sys
     > mount -t devpts devpts /dev/pts

- Create a file named /etc/crypttab in the chrooted environment to contain this
  line. The source uses its own LUKS UUID and the volume group name vgcherries;
  here they are replaced by the UUID found above and vg00::

     nano /etc/crypttab

  add lines::

     #
     sda_crypt UUID=3a83dd2c-0fc3-4cc4-b54d-3b0eb5b12a33 none luks,retry=1,lvm=vg00

- Run the following commands in the chrooted environment::

     update-initramfs -k all -c
     update-grub

- Reboot and boot into the encrypted Ubuntu. You should be prompted for a
  password.
- Check that you're using the encrypted partition for / by running mount::

     mount

  output (from the source; on this system the root device is
  /dev/mapper/vg00-lv01--root)::

     /dev/mapper/vgcherries-lvcherriesroot on / type ext4 (rw,errors=remount-ro)
     /dev/sda4 on /boot type ext3 (rw)
     # rest of output cut for brevity

- Check that you're using the encrypted swap partition (not any unencrypted swap
  partitions from any other installations) by running this command::

     swapon -s

  output::

     Filename    Type       Size      Used  Priority
     /dev/dm-1   partition  16777212  0     -2

Check that you can boot into recovery mode, you don't want to find out later
during an emergency that recovery mode doesn't work :)

Install any updates, which are likely to rebuild the ramdisk and update the grub
configuration. Reboot and test both normal mode and recovery mode.

Finally the disk looks like this (sda1..sda3 are used for Windows, perhaps sda4
as well??)::

   lsblk

output::

   NAME                   MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
   sda                      8:0    0 953,9G  0 disk
   ├─sda1                   8:1    0   300M  0 part
   ├─sda2                   8:2    0 176,1G  0 part
   ├─sda3                   8:3    0     1K  0 part
   ├─sda5                   8:5    0   600M  0 part  /boot/efi
   ├─sda6                   8:6    0     1G  0 part  /boot
   └─sda7                   8:7    0 697,8G  0 part
     └─sda_crypt          253:0    0 697,8G  0 crypt
       ├─vg00-lv00--swap  253:1    0    16G  0 lvm   [SWAP]
       └─vg00-lv01--root  253:2    0 681,8G  0 lvm   /
   sr0                     11:0    1  1024M  0 rom
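The crypttab step above is where a single mistyped UUID leaves the initramfs unable to find the LUKS container. As an added Python check (not part of these notes), the function below parses ``blkid`` output and ``/etc/crypttab`` and reports any crypttab entry whose UUID blkid does not report as a ``crypto_LUKS`` device, or that does not use ``UUID=`` at all. The device list and UUIDs in the sample are constructed; ``check_running_system()`` runs the same check on a live machine.

```python
"""Consistency check of /etc/crypttab against blkid (added example, not from the notes).

The check is purely textual, so it can be run inside the chroot before the
first reboot, or offline on saved output.
"""
import re
import shlex
import subprocess

_BLKID_LINE = re.compile(r"^(?P<dev>\S+):\s*(?P<attrs>.*)$")


def parse_blkid(output):
    """Parse `blkid` output into {device: {ATTR: value}}."""
    devices = {}
    for line in output.splitlines():
        m = _BLKID_LINE.match(line.strip())
        if not m:
            continue
        attrs = {}
        for token in shlex.split(m.group("attrs")):   # handles the quoted values
            key, _, value = token.partition("=")
            attrs[key] = value
        devices[m.group("dev")] = attrs
    return devices


def parse_crypttab(text):
    """Parse crypttab into [(name, source, keyfile, set(options))]; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed crypttab line: %r" % line)
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries.append((fields[0], fields[1], keyfile, options))
    return entries


def check_crypttab(crypttab_text, blkid_output):
    """Return a list of human-readable problems; an empty list means consistent."""
    devices = parse_blkid(blkid_output)
    luks_uuids = {a["UUID"] for a in devices.values()
                  if a.get("TYPE") == "crypto_LUKS" and "UUID" in a}
    problems = []
    for name, source, _keyfile, options in parse_crypttab(crypttab_text):
        if source.startswith("UUID="):
            uuid = source[len("UUID="):]
            if uuid not in luks_uuids:
                problems.append("%s: UUID %s is not a crypto_LUKS device known to blkid"
                                % (name, uuid))
        elif source in devices:
            problems.append("%s: use UUID= instead of %s; device names can change"
                            % (name, source))
        else:
            problems.append("%s: device %s not found by blkid" % (name, source))
        if "luks" not in options:
            problems.append("%s: options lack 'luks'" % name)
    return problems


def check_running_system():
    """Run the check against the live system (blkid needs root for full output)."""
    with open("/etc/crypttab") as fh:
        crypttab = fh.read()
    blkid = subprocess.run(["blkid"], capture_output=True, text=True, check=True).stdout
    return check_crypttab(crypttab, blkid)


# Constructed sample data; the UUIDs are placeholders, not values from any machine.
SAMPLE_BLKID = """\
/dev/sda6: UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0" TYPE="ext4" PARTUUID="baf111db-06"
/dev/sda7: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="baf111db-07"
"""
GOOD_CRYPTTAB = "sda_crypt UUID=11111111-2222-3333-4444-555555555555 none luks,retry=1,lvm=vg00\n"
BAD_CRYPTTAB = ("# last digit mistyped\n"
                "sda_crypt UUID=11111111-2222-3333-4444-555555555556 none luks,retry=1,lvm=vg00\n")

if __name__ == "__main__":
    for label, tab in (("good", GOOD_CRYPTTAB), ("bad", BAD_CRYPTTAB)):
        print(label, check_crypttab(tab, SAMPLE_BLKID) or "OK")
```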
Security measures on all systems
================================

Firewall
--------

.. code-block:: bash

   sudo ufw enable
   sudo ufw status

.. todo:: add more on policies

`Virus-scanner`_
----------------

.. _`Virus-scanner`: https://help.ubuntu.com/community/ClamAV

The daemon is only needed when you want to scan for incoming viruses
continuously::

   sudo apt -y install clamav clamav-daemon

Check the status of the virus scanner by looking in the process list::

   sudo service clamav-freshclam status

Without the daemon it does not seem to be in memory; probably a restart is
necessary.

On desktop computers a GUI is installed as well::

   sudo apt -y install clamtk

Usage::

   clamscan -rv /home/marcel
   clamscan -rv /
   clamscan --help

Rootkit checker
---------------

Rootkits are malicious trojan-like programs that allow an intruder to become the
root user and therefore have complete administrative control over the system.
There aren't many rootkits in the wild for Linux. Still, this is a growing
security problem (especially in other operating systems) and it is a matter of
time before more rootkits appear in Linux. Checking for rootkits isn't always
successful from a system that is already infected. Your rootkit checker should
therefore be run from another system, or a USB pendrive with an Ubuntu LiveCD
installation. See the rootkit checker manuals for instructions on how to do this.
If you are infected with a rootkit, you must back up all your files and
re-install your system. (Thank goodness this is easy with Ubuntu, unlike with
other operating systems)::

   sudo apt -y install rkhunter
   sudo rkhunter            # to find out more options of the program
   sudo rkhunter --check
.. _`disk encryption`:

================================
Encrypt hard disks to store data
================================

Short version
=============

Here the name for the encrypted drive is `usbstick` and the mountpoint is
`/media/usbstick`; other names can be used as well.

Create the mountpoint once::

   sudo mkdir /media/usbstick
   sudo chown -R marcel:users /media/usbstick

Format encrypted::

   dmesg                    # get device ID, here /dev/sdb
   sudo fdisk /dev/sdb      # d, w: delete the existing partition and write
   sudo fdisk /dev/sdb      # n, p: new primary partition, 90% of the total size in case of flash drives
   sudo cryptsetup luksFormat /dev/sdb1
   sudo cryptsetup luksOpen /dev/sdb1 usbstick
   sudo mkfs.ext4 -L usbstick /dev/mapper/usbstick

Mount::

   sudo mount /dev/mapper/usbstick /media/usbstick
   cd /media/usbstick

Unmount::

   cd ~
   sudo umount /media/usbstick
   sudo cryptsetup luksClose usbstick
Long version
============

You can also encrypt a drive via KDE partition manager.

:source: `Encrypting data on USB flash drives with LUKS `_
:date: 2011-08-25
:author: `Balau `_

I wanted to explore a different way to encrypt data on portable USB flash drives
other than Truecrypt, so I checked what could be done with Linux Unified Key
Setup (LUKS). LUKS is an encryption method that is implemented on Linux by the
“cryptsetup” package, and on Windows by FreeOTFE. It encrypts a partition or a
file using a key that can be accessed by one or more passphrases. The passphrase
can be asked from the user or it can be a file (key-file).

What I wanted to understand about LUKS, with respect to Truecrypt and in
general, was:

- Security: what are the risks and benefits of using it.
- Usability: how much struggle does a user need to set up and then use it.
- Portability: if the USB drive can be used both on Linux and Windows.

There are multiple ways to use LUKS to have encrypted data on a USB drive. Here
I consider three ways:
Encrypt a partition
-------------------

Because of Windows' lack of functionality, only the first partition of a
removable drive can be used. So if I want to encrypt a partition and want the
setup to be portable between the two OS, I need to format the USB drive with a
single partition.

Modern Linux file managers such as Thunar or Nautilus have the support to
recognize a LUKS partition; they ask you for the password to decrypt the volume
and then mount it as a removable drive. This integration is very useful and
works quite well, but the catch is that you can’t use a key-file.

These are the steps that I followed to prepare an encrypted USB drive on a Linux
machine (Debian wheezy). This procedure wipes the content of the drive, so be
careful to choose the USB flash drive that you want to use:

First I plug in a USB removable drive, and check with::

   dmesg

the device which is created to access it. In my case the device is `/dev/sdd`.
Be careful to choose the right device, or else you could inadvertently delete
one of your hard disks.

Then I wipe the partition table and create a new one, using `fdisk`. Everything
is run as root at the time of creating the encrypted partition::

   $ sudo su
   # fdisk /dev/sdd

   Command (m for help): o
   Building a new DOS disklabel with disk identifier 0x28265921.
   Changes will remain in memory only, until you decide to write them.
   After that, of course, the previous content won't be recoverable.

   Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

   Command (m for help): w
   The partition table has been altered!

   Calling ioctl() to re-read partition table.

   WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
   The kernel still uses the old table. The new table will be used at
   the next reboot or after you run partprobe(8) or kpartx(8)
   Syncing disks.
I create a new partition, that will hold the LUKS encrypted data::

   # fdisk /dev/sdd

   Command (m for help): n
   Command action
      e   extended
      p   primary partition (1-4)
   p
   Partition number (1-4, default 1):
   Using default value 1
   First sector (2048-1015807, default 2048):
   Using default value 2048
   Last sector, +sectors or +size{K,M,G} (2048-1015807, default 1015807):
   Using default value 1015807

   Command (m for help): w
   The partition table has been altered!

   Calling ioctl() to re-read partition table.

   WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
   The kernel still uses the old table. The new table will be used at
   the next reboot or after you run partprobe(8) or kpartx(8)
   Syncing disks.

The partition is accessible in Linux as `/dev/sdd1`. After that, I format that
partition using the “cryptsetup” command, creating a LUKS-encrypted partition
with a passphrase::

   # cryptsetup luksFormat /dev/sdd1

output::

   WARNING!
   ========
   This will overwrite data on /dev/sdd1 irrevocably.

   Are you sure? (Type uppercase yes): YES
   Enter LUKS passphrase:
   Verify passphrase:

Now I need to format the decrypted partition; since I want to use the USB disk
both on Linux and on Windows, I use FAT32. In order to format the decrypted
partition, I need to use the `luksOpen` command of `cryptsetup` and map a
device, which I name LUKS001::

   # cryptsetup luksOpen /dev/sdd1 LUKS001
   Enter passphrase for /dev/sdd1:

The mapped device will be present in `/dev/mapper/LUKS001`. After that, we can
format the mapped device (with name LUKS001) and close it::

   # mkfs.vfat /dev/mapper/LUKS001 -n LUKS001
   mkfs.vfat 3.0.9 (31 Jan 2010)
   unable to get drive geometry, using default 255/63
   # cryptsetup luksClose LUKS001

We can now unplug and re-plug the USB. I tried both with the Xfce and Gnome
desktop environments, and in both cases when I replug the USB drive a dialog
appears, asking for a passphrase. I provide the passphrase that I chose before
and the FAT32 volume with name “LUKS001” gets automatically mounted.

On Windows we need to use FreeOTFE: once the USB drive is plugged in, we open
FreeOTFE and choose to mount a partition. Then we supply the passphrase and a
new removable media will appear. Note that the Windows computer must have
FreeOTFE installed, or at least present in portable mode or explorer mode.
Otherwise it could be possible to take with you a portable installation of
FreeOTFE, but that means using another USB drive.
Encrypt a volume file
---------------------

Another possibility is to use a file instead of a partition to store encrypted
data. This works better for Windows, because you can take with you a USB drive
containing both the encrypted data and a portable installation of FreeOTFE. I
noticed this solution does not integrate well with Linux desktop environments.

These are the steps that I followed to prepare an encrypted volume file on a
Linux machine (Debian wheezy).

First I create a 256MB file with `dd`::

   # dd if=/dev/zero of=~/luks.img bs=1 count=0 seek=256M

Then I mount the file as a loopback device::

   # losetup -f
   /dev/loop0
   # losetup /dev/loop0 ~/luks.img

Now I do the same steps as before with the `/dev/loop0` device instead of the
partition::

   # cryptsetup luksFormat /dev/loop0

   WARNING!
   ========
   This will overwrite data on /dev/loop0 irrevocably.

   Are you sure? (Type uppercase yes): YES
   Enter LUKS passphrase:
   Verify passphrase:
   # cryptsetup luksOpen /dev/loop0 luksimg
   Enter passphrase for /dev/loop0:
   # mkfs.vfat /dev/mapper/luksimg -n LUKSIMG
   mkfs.vfat 3.0.9 (31 Jan 2010)
   unable to get drive geometry, using default 255/63
   # cryptsetup luksClose luksimg
   # losetup -d /dev/loop0

This creates a `luks.img` file that can be carried around on a USB stick, but in
order to be used on Linux, the root user must first mount it with something
like::

   losetup -f luks.img

Then from the file manager you can open the new drive that has appeared; it asks
for a password and then it asks again for the root/sudo password.

On Windows instead the procedure is very similar: we open FreeOTFE, then select
to mount a file, choose the image and provide the passphrase. The file will be
mounted as a new removable drive. On Windows the added benefit is that you can
carry around the portable version of FreeOTFE together with the encrypted data
on a USB drive.
Use lukstool
============
`lukstool` is a script to create very secure data storage with LUKS. More
information about the tool and its author here:
`Military-Grade Cryptofile `_.

A completely encrypted USB drive can be created with `lukstool make`, providing
`/dev/sdd` for example; the USB drive can then be mounted/unmounted with
`lukstool load` and `lukstool unload`. The script works in the same way with
volume files instead of flash drives.
The pros/cons of using lukstool are:

- Very high security: it uses two-factor authentication, which means that both
  a passphrase and a key-file must be provided to decrypt data. Also the details
  of the script are tailored to achieve as much security as possible.
- Simplicity: the scripts hide most of the complexity of adding two-factor
  authentication on top of LUKS.
- You can encrypt an entire USB drive or just use a file.
- No OS portability: works only on Linux.
- No desktop integration: they are command line scripts.
- Needs root/sudo privileges, also when mounting.

Tutorials and explanation are present on the author's website.
Conclusions
===========
I think Truecrypt is still the most valid compromise between portability,
security and usability. That said, LUKS seems a valid alternative in particular
cases. I think that partition encryption is very easy to use both on Linux and
on Windows, even easier than Truecrypt, but with less security, since LUKS does
not support two-factor authentication and Linux desktop environments do not
support key-files. Also, if you are familiar with the command line and if you
use only your own Linux machines and want maximum (military-grade claimed)
security, you can use lukstool and feel safe. Then, if you use mainly Windows
machines and are concerned about Truecrypt because of licensing issues, low
transparency of development and so on, be aware that FreeOTFE is a viable
solution to encrypt data on file volumes.
================
Email encryption
================
PGP
================
Network Security
================
Remote access via secure shell SSH
==================================
Server side installation and configuration
==========================================
.. warning::

   When you make mistakes in the configuration file, especially when connected
   remotely to the server, you may get locked out or lose the connection to the
   server.

install::

    sudo apt -y install openssh-server
configuration
-------------
Make a copy of the original configuration file and protect it against writing::

    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
    sudo chmod a-w /etc/ssh/sshd_config.original

Configure the server (sshd) by editing the file::

    sudo nano /etc/ssh/sshd_config

A manual for the configuration file can be found using::

    man sshd_config

Change the port to a non-standard port number by adding a line (sshd_config
only accepts comments on a line of their own, not after a setting)::

    # xxxx is the port number for wiens
    Port xxxx

Prevent root login::

    PermitRootLogin no

Optional: limit access to certain users who need remote access::

    AllowUsers marcel alice bob

(could not find that one lately)

After making changes to the /etc/ssh/sshd_config file, save the file and
restart the sshd server to apply the changes, using the following command at a
terminal prompt::

    sudo systemctl restart sshd.service
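Before restarting sshd it is worth checking what the edited file will actually do. The following is an added example, not a script from these notes: two shell functions that read an sshd_config and report its effective global settings. They follow the rule from sshd_config(5) that the first value found for a keyword wins (a duplicate `PermitRootLogin yes` further down does not override an earlier `no`) and that settings inside a `Match` block do not apply globally. The function names and the test configurations are my own; the defaults assumed for unset keywords are those of current OpenSSH (`PermitRootLogin prohibit-password`, `PasswordAuthentication yes`).

```shell
#!/bin/sh
# Added example, not part of the original notes. Reads an sshd_config the way
# sshd does for the global section: keywords are case-insensitive, "Key value"
# and "Key=value" are both accepted, the FIRST occurrence of a keyword is the
# effective one, and everything from the first Match line onward is ignored.
# Assumes POSIX sh and awk.

# Print the effective global value of KEY in FILE (empty if unset).
sshd_effective() {
    key=$1; file=$2
    awk -v key="$key" '
        BEGIN { lkey = tolower(key) }
        { sub(/^[ \t]+/, "") }                    # strip leading whitespace
        /^#/ || /^$/ { next }                     # comments and blank lines
        {
            split($0, parts, /[ \t=]+/)
            k = tolower(parts[1])
            if (k == "match") exit                # end of the global section
            if (k == lkey) {
                val = $0
                sub(/^[^ \t=]+[ \t=]+/, "", val)  # drop keyword and separator
                sub(/[ \t]+$/, "", val)
                print val
                exit                              # first value wins
            }
        }
    ' "$file"
}

# Report the settings this guide hardens; one finding per line on stdout.
# Returns the number of findings (0 means nothing to report).
sshd_audit() {
    file=$1
    findings=0
    port=$(sshd_effective Port "$file");                   [ -n "$port" ] || port=22
    root=$(sshd_effective PermitRootLogin "$file");        [ -n "$root" ] || root=prohibit-password
    pass=$(sshd_effective PasswordAuthentication "$file"); [ -n "$pass" ] || pass=yes
    users=$(sshd_effective AllowUsers "$file")
    if [ "$port" = 22 ]; then
        echo "Port 22: still on the default port"; findings=$((findings + 1))
    fi
    if [ "$root" = yes ]; then
        echo "PermitRootLogin yes: root can log in remotely"; findings=$((findings + 1))
    fi
    if [ "$pass" = yes ]; then
        echo "PasswordAuthentication yes: set up key authentication before disabling it"
        findings=$((findings + 1))
    fi
    if [ -z "$users" ]; then
        echo "AllowUsers not set: every local account may log in"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sshd_audit /etc/ssh/sshd_config; echo "findings: $?"
```

Run it against `/etc/ssh/sshd_config` before the restart. `sudo sshd -t` additionally checks the syntax, and `sudo sshd -T` prints the effective configuration exactly as sshd resolves it, which is the authoritative answer when the two disagree.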
.. _`server: setup firewall`:
setup firewall
--------------
Port xxxx on the server must be opened up, so that clients can reach the
server. Allow the port before enabling the firewall, otherwise ufw's default
deny-incoming policy blocks new SSH connections::

    sudo ufw allow xxxx/tcp   # xxxx is the SSH port for wiens
    sudo ufw enable
    sudo ufw status
.. _`ref generate keys`:
Generate keys for ssh access
----------------------------
SSH keys allow authentication between two hosts without the need of a password.
SSH key authentication uses two keys, a private key and a public key.
.. todo:: complete this part.
Client side
===========
installation::

    sudo apt -y install openssh-client

connect to the server (for now, without DNS)::

    ssh -p xxxx -2 admins@192.168.1.XXX   # XXX is the IP number of the server
You'll get a message similar to::

    The authenticity of host '...' can't be established.
    ECDSA key fingerprint is SHA256:xIxdlitb9HjMKID8w3pOdr76yh/98km2kXlDRnIIP3p.
    Are you sure you want to continue connecting (yes/no)?

Compare the fingerprint with the one shown on the server's own console, then
answer with "yes".
When the system has been installed several times, old keys might still be
present in a local directory. Remove them using::

    ssh-keygen -f "/home/marcel/.ssh/known_hosts" -R "[192.168.1.XXX]:xxxx"

and confirm deletion and new acceptance of keys. Remove it permanently using::

    nano ~/.ssh/known_hosts

and remove the line with the conflicting key, in this case row 5 (numbering
starts at 1)::

    Warning: the ECDSA host key for '...' differs from the key for the IP address '[192.168.1.20]:2234'
    Offending key for IP in /home/marcel/.ssh/known_hosts:5
    Matching host key in /home/marcel/.ssh/known_hosts:6
This setup allows remote access from within the local network, provided the SSH
port is not reachable from the outside world; otherwise others might gain
access to the server as well. In case the server needs to be accessed over the
internet, follow this section: :ref:`ref generate keys`.

The rest of the installation can now take place over a remote connection using
ssh. This enables the use of copy-paste.
Network Intrusion detection and prevention: `suricata `_
===================================================================================
install::

    sudo apt -y install suricata

It configures itself and runs a process in the background (visible in htop)::

    /usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /var/run/suracata.pid
Meaning:

:D: Run as a background daemon (suricata will fork itself).
:af-packet: `--af-packet[=<dev>]` Run in AF_PACKET mode. No dev value selects
   interfaces from the main configuration file.
:c: `-c <path>` Load the main configuration file (by default
   `/etc/suricata/suricata.yaml`).
:pidfile: Write the PID to the file.
Edit the configuration file::

    sudo nano /etc/suricata/suricata.yaml

edits::

    vars:
      address-groups:
        HOME_NET: "[192.168.1.0/24]"
      port-groups:
        SSH_PORTS: "any"
.. todo:: must be setup much better and add updated rule-sets
Can be integrated with `Logstash` and can be used together with
`BASE`, `Snorby`, `Sguil` and `SQueRT`.
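Until a log pipeline such as Logstash is in place, the alerts Suricata writes to `/var/log/suricata/fast.log` can be triaged with plain shell tools. The following is an added example, not part of these notes: three functions that count alerts per signature and per source address and filter by priority. `SAMPLE_FASTLOG` is constructed test data in the fast.log layout (the LOCAL signature with SID 9000001 is invented; the ET SCAN lines use the ET signature name), and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes. Suricata writes one line per
# alert to fast.log:
#   <timestamp>  [**] [gid:sid:rev] <message> [**] [Classification: ...]
#   [Priority: N] {PROTO} SRC:PORT -> DST:PORT
# The functions read the files given as arguments, or stdin when none are
# given. Assumes POSIX sh, sed, awk, sort and uniq.

# Constructed sample data; addresses are documentation ranges, SID 9000001 is
# an invented local rule.
SAMPLE_FASTLOG='02/14/2018-10:20:30.123456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51022 -> 192.168.1.20:2234
02/14/2018-10:20:31.223456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51023 -> 192.168.1.20:2234
02/14/2018-10:22:05.000001  [**] [1:9000001:1] LOCAL root shell response from web server [**] [Classification: Successful Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.20:80 -> 192.168.1.50:41234
02/14/2018-10:25:00.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:40000 -> 192.168.1.20:2234'

# Count alerts per signature: "<count> [gid:sid:rev] message", most frequent first.
fastlog_by_signature() {
    sed -n 's/^[^ ]* *\[\*\*\] \(\[[^]]*\] .*\) \[\*\*\].*/\1/p' "$@" \
        | sort | uniq -c | sort -rn
}

# Count alerts per source address, most frequent first.
fastlog_by_source() {
    sed -n 's/.*} \([^ ]*\):[0-9]* -> .*/\1/p' "$@" \
        | sort | uniq -c | sort -rn
}

# Keep only alerts whose priority number is at most N (1 is the most severe).
fastlog_priority_at_most() {
    max=$1; shift
    awk -v max="$max" '
        match($0, /\[Priority: [0-9]+\]/) {
            p = substr($0, RSTART + 11, RLENGTH - 12) + 0   # the number after "[Priority: "
            if (p <= max) print
        }' "$@"
}

# Usage on the live log:
#   fastlog_by_signature /var/log/suricata/fast.log | head
#   fastlog_priority_at_most 1 /var/log/suricata/fast.log
```

On the sample, the top signature is the SSH scan with three hits, the top source is 203.0.113.7 with two, and only the priority-1 alert survives `fastlog_priority_at_most 1`; on the real log the same three views tell you what is noisy, who is knocking, and what needs attention first.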
=================
computer disposal
=================
Before a computer or hard drive is disposed of, the information on it needs to
be destroyed. Wipe the HDD:
via hardware
============
- look up the device name in GParted
- type in Konsole::

      sudo hdparm -I /dev/

  example::

      sudo hdparm -I /dev/sdd

  The output should say “not frozen”; otherwise see
  https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Set the password ‘Eins’::

    sudo hdparm --user-master u --security-set-pass Eins /dev/sdb

Erase the HDD::

    sudo time hdparm --user-master u --security-erase Eins /dev/sdb

Check::

    sudo hdparm -I /dev/sdd
via software
============
Make a single ext4 partition using e.g. GParted, and determine the device name,
for example /dev/sda1. Type in Konsole::

    sudo apt-get -y install wipe
    sudo wipe

Run at least 6 passes; for fast disks, 20 passes::

    sudo wipe /dev/sdc1
    [sudo] password for marcel:
    Okay to WIPE 1 special file ? (Yes/No) yes
    Wiping /dev/sdc1, pass 1 (1 ) 8588891 / 19535616] ETA 4d 6h

Interrupted with Ctrl-C::

    *** Interrupted by signal 2
    *** If you want to resume wiping while preserving the pass order, use these options:
    *** -X 1 -x 0,1,2,3,29,19,20,8,13,6,30,27,10,22,9,14,21,5,11,7,26,28,4,16,17,15,12,18,23,24,25,31,32,33,34

Continue wiping::

    sudo wipe /dev/sdc1 -X 1 -x 0,1,2,3,29,19,20,8,13,6,30,27,10,22,9,14,21,5,11,7,26,28,4,16,17,15,12,18,23,24,25,31,32,33,34
    sudo wipe /dev/sdc1 -X 3 -x 0,1,2,3,29,19,20,8,13,6,30,27,10,22,9,14,21,5,11,7,26,28,4,16,17,15,12,18,23,24,25,31,32,33,34
zeroing
=======
- via a Linux live system
- delete all files
- then::

      dd if=/dev/zero of=/dev/
unlock
======
Sometimes the drive cannot be recognised via USB or eSATA and has to be
connected directly to the motherboard. Repeating the command::

    sudo hdparm -I /dev/sdb

gives at the bottom::

    Security:
    Master password revision code = 65534
    supported
    enabled
    locked
    not frozen
    not expired: security count
    supported: enhanced erase
    Security level high
    208min for SECURITY ERASE UNIT. 208min for ENHANCED SECURITY ERASE UNIT.
Hence, the drive is locked. You can `unlock `_ it using::

    sudo hdparm --user-master m --security-unlock PASS /dev/sdb

PASS is supposed to be the `master password `_. In this case (different from
what is listed on the website)::

    sudo hdparm --user-master m --security-unlock WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW /dev/sdb

output::

    [sudo] password for marcel:
    security_password: "WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW"
    /dev/sdb:
    Issuing SECURITY_UNLOCK command, password="WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW", user=master
again::

    sudo hdparm -I /dev/sdb

gives at the bottom::

    Security:
    Master password revision code = 65534
    supported
    enabled
    not locked
    not frozen
    not expired: security count
    supported: enhanced erase
    Security level high
    208min for SECURITY ERASE UNIT. 208min for ENHANCED SECURITY ERASE UNIT.

Not locked anymore!
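The decision points in this chapter (the drive must report "not frozen" before a secure erase can be issued, and "not locked" after the unlock) can be checked mechanically instead of by reading the Security block by eye. The following is an added example, not part of these notes: `ata_security_state` parses the Security section of raw `hdparm -I` output piped into it, and `secure_erase_ready` turns that into a go/no-go answer. `ata_sample` produces constructed input laid out like real hdparm output (tab-indented items, "not" prefixed to absent flags) using the values shown above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original notes. hdparm -I prints the
# "Security:" section with one capability per tab-indented line and the word
# "not" in front of capabilities that are absent ("not frozen" vs "frozen").
# Top-level sections start at column 0, which is how the parser finds the end
# of the Security block. Assumes POSIX sh, tr and awk.

# Read hdparm -I output on stdin; print the security flags as key=value pairs.
ata_security_state() {
    tr '\t' ' ' | awk '
        /^ *Security:/ { insec = 1; next }
        !insec { next }
        /^[A-Z]/ { exit }                          # next top-level section
        { line = $0; sub(/^ +/, "", line); sub(/ +$/, "", line) }
        line == "supported"                 { supported = 1 }
        line == "enabled"                   { enabled = 1 }
        line == "locked"                    { locked = 1 }
        line == "frozen"                    { frozen = 1 }
        line == "supported: enhanced erase" { enhanced = 1 }
        END {
            printf "supported=%d enabled=%d locked=%d frozen=%d enhanced_erase=%d\n",
                   supported, enabled, locked, frozen, enhanced
        }'
}

# Read hdparm -I output on stdin; exit 0 and print "ready" when a
# --security-erase can be issued now, otherwise print the blocker and exit 1.
secure_erase_ready() {
    state=$(ata_security_state)
    case "$state" in
        *supported=0*) echo "security feature set not supported"; return 1 ;;
        *frozen=1*)    echo "drive is frozen (see the ATA_Secure_Erase wiki on unfreezing)"; return 1 ;;
        *locked=1*)    echo "drive is locked: unlock with --security-unlock first"; return 1 ;;
    esac
    echo "ready"
    return 0
}

# Constructed sample output modelled on the values in these notes;
# $1 is "locked" or "unlocked".
ata_sample() {
    tab=$(printf '\t')
    if [ "$1" = locked ]; then lockline="$tab${tab}locked"; else lockline="${tab}not${tab}locked"; fi
    printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\t\tenabled\n%s\n\tnot\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t208min for SECURITY ERASE UNIT. 208min for ENHANCED SECURITY ERASE UNIT.\nChecksum: correct\n' "$lockline"
}

# Usage on a real drive:  sudo hdparm -I /dev/sdb | secure_erase_ready
```

Pipe the live `hdparm -I` output in rather than a copy pasted from a terminal, since the parser relies on the tab indentation that a paste often loses. For the locked drive above it answers "drive is locked: unlock with --security-unlock first"; after the unlock it answers "ready".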