Friday, 22 December 2017

Basic Set Up Encrypted Swap on LMDE 2

Encrypted swap is essential when the rest of the disk (legacy or solid state) is already fully encrypted: whenever the system runs short of RAM it writes memory pages to swap, and those pages can contain passphrases, keys and document contents, so an unencrypted swap partition quietly undoes the disk encryption.

In this post, I will briefly go through the steps for setting up an encrypted swap partition on a Debian GNU/Linux system (the Linux Mint Debian Edition variant) running sysvinit.

To begin, save your work, check whether the swap partition is in use with 'free -m', and deactivate the existing unencrypted swap with 'sudo swapoff -a'.

Next, identify the partition that will become swap, for example '/dev/sdaX' on a legacy SATA drive, where 'sd' is the kernel's prefix for SCSI/SATA disks, 'a' is the first disk detected and 'X' is the partition number. Double-check it with 'lsblk' and 'sudo blkid /dev/sdaX' before going further: the configuration below re-encrypts this partition with a fresh random key and runs mkswap on it at every boot, so pointing it at the wrong partition destroys that partition's contents. For the same reason, prefer a stable name such as '/dev/disk/by-id/wwn-...-partX' (see 'ls -l /dev/disk/by-id/') over '/dev/sdaX', which can change when disks are added or reordered.

Because the key is read from /dev/urandom, the partition is set up as a plain dm-crypt device, not as a LUKS volume: there is no header and no passphrase, and the swap contents become unreadable at the next reboot (which also means resuming from hibernation on this swap will not work). A 'sudo cryptsetup luksFormat /dev/sdaX' step adds nothing here, since the plain mapping ignores a LUKS header and the swap area written on top of it will overwrite it. If you want a passphrase-protected LUKS swap instead, the crypttab entry must name a real key file (or 'none' for a prompt) and carry the 'luks' option, and the random-key setup below does not apply.

To test the mapping by hand before touching the boot configuration, open the partition in plain mode with a one-off random key, then create the swap area on the mapped device (never on the raw partition): 'sudo cryptsetup open --type plain --key-file /dev/urandom --cipher aes-xts-plain64 --key-size 256 /dev/sdaX cswap' followed by 'sudo mkswap /dev/mapper/cswap'. The mapping name 'cswap' is the one used in /etc/crypttab below.

We make the change permanent by editing /etc/crypttab and /etc/fstab:

Under /etc/crypttab
# <target name> <source device>         <key file>      <options>
cswap /dev/disk/by-id/wwn-...-partX /dev/urandom swap,cipher=aes-xts-plain64,size=256

The 'swap' option tells the cryptdisks scripts to run mkswap on the freshly mapped device at every boot. Do not combine /dev/urandom with the 'luks' option: a random key can never unlock a LUKS header, so the device would simply fail to set up. Plain mode has no header to remember the cipher, so state it explicitly as above; otherwise cryptsetup falls back to its compiled-in default.

Note: '/dev/sdaX' also works as the source device, but if the kernel assigns that name to a different partition after a hardware change, the 'swap' option will format that partition instead. The /dev/disk/by-id/wwn-...-partX form avoids this.

Under /etc/fstab (comment out or delete the existing swap entry, which still points at /dev/sdaX or its UUID)
# /dev/sdaX
/dev/mapper/cswap       none   swap    sw      0       0

The cryptdisks init scripts read /etc/crypttab at boot; running 'sudo update-initramfs -u' afterwards keeps the initramfs copy of the configuration in step as well.

Activate the new swap with 'sudo swapon -a' (if the mapping is not open yet, 'sudo cryptdisks_start cswap' creates it from the crypttab entry first), list the swap areas in use with 'swapon -s', and check the mapping with 'sudo cryptsetup status cswap'. The status should read '/dev/mapper/cswap is active and is in use.' followed by type (PLAIN), cipher, keysize (256 bits), device, offset, size and mode (read/write).

We can further run 'free -m' and 'lsblk -la' to verify: under '/dev/sdaX', lsblk should list 'cswap' with type crypt and mountpoint [SWAP].
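As an added check (example script, not part of the original post or of Debian's cryptsetup package), the following bash function lints crypttab entries meant for swap for the three mistakes that bite here: a random key combined with the 'luks' option, a plain-mode entry with no explicit cipher, and a kernel-assigned device name under the 'swap' option. It reads crypttab text on standard input, so it can be run as 'lint_crypttab < /etc/crypttab'; the sample entries used to exercise it are constructed.

```bash
#!/bin/bash
# lint_crypttab: sanity-check /etc/crypttab entries intended for encrypted swap.
# Reads crypttab-formatted text on stdin, prints one finding per problem and
# returns 0 when nothing is wrong, 1 otherwise.  Added example checker, not
# part of Debian's cryptsetup scripts.
lint_crypttab() {
    local findings=0
    local target source key options
    while read -r target source key options; do
        # skip blank lines and comments
        case "$target" in ''|\#*) continue ;; esac

        # only entries carrying the 'swap' option are of interest here
        case ",$options," in *,swap,*) ;; *) continue ;; esac

        if [ "$key" = "/dev/urandom" ] || [ "$key" = "/dev/random" ]; then
            # a random key means plain dm-crypt; it can never unlock a LUKS header
            case ",$options," in *,luks,*)
                echo "$target: random key file $key is incompatible with the luks option"
                findings=1 ;;
            esac
            # plain mode has no header recording the cipher, so spell it out
            case ",$options," in *,cipher=*) ;; *)
                echo "$target: plain-mode swap should set cipher= (e.g. cipher=aes-xts-plain64,size=256)"
                findings=1 ;;
            esac
        fi

        # mkswap runs on this device at every boot; a kernel-assigned name can
        # point at a different partition after a disk is added or reordered
        case "$source" in /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*)
            echo "$target: source $source is not a stable name; use /dev/disk/by-id/... or UUID="
            findings=1 ;;
        esac
    done
    return "$findings"
}

# usage: lint_crypttab < /etc/crypttab
```

Run it before rebooting; a clean exit status means the entry matches what the prose above describes, while any finding is a reason to fix the file first, because the 'swap' option makes every boot a destructive operation on the named device.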


Follow my blog with Bloglovin

Saturday, 2 December 2017

Hardening Edgerouter ER-X by SSH

Generating an RSA key pair on the client device (e.g. Ubuntu 16.04 LTS):

ssh-keygen -t rsa -b 4096

which stores the key pair in ~/.ssh/ (id_rsa is the private key, to be kept secret for as long as we can; id_rsa.pub is the public key, which we can share freely). The '-b 4096' asks for a 4096-bit modulus rather than the 2048-bit default. ssh-keygen then prompts for a passphrase: set one. An unencrypted private key hands full router access to anyone who copies the file, and ssh-agent removes the inconvenience of retyping the passphrase.

Copying the public key from the client to the router (which acts as the SSH server):

scp ~/.ssh/id_rsa.pub username@router.current.ip.address:/home/username/

For example, with the username edgemax and the router IP address 192.168.1.1, the command would be:

scp ~/.ssh/id_rsa.pub edgemax@192.168.1.1:/home/edgemax/

The home directory always exists, whereas ~/.ssh on the router may not yet; the file is only staged here for the loadkey step below.

Alternatively, ssh-copy-id appends the key to ~/.ssh/authorized_keys on the router, creating the directory with the right permissions if needed. Run it as your own user, not with sudo (sudo would look for the key under root's home directory):

ssh-copy-id -i ~/.ssh/id_rsa.pub edgemax@192.168.1.1

If the copied files ended up owned by someone else (check with 'ls -la /home/edgemax'), hand them back to the login user; normal use of these files should never require root, which is a prime concern among GNU/Linux administrators and users:

chown -R edgemax: /home/edgemax

Set the permissions sshd expects. With StrictModes (the default) sshd silently ignores authorized_keys when these are looser, so a key that 'does not work' is often just this:

chmod 755 /home/edgemax        # or chmod go-w /home/edgemax: the home must not be writable by group or others
chmod 700 /home/edgemax/.ssh
chmod 600 /home/edgemax/.ssh/authorized_keys

chown edgemax: /home/edgemax/.ssh/authorized_keys

On the client, /etc/ssh/ssh_config needs no change when the key has the default name: ssh offers ~/.ssh/id_rsa automatically, which is exactly what the commented-out line in that file documents. Only a key with a non-default name needs an IdentityFile entry, and then preferably in a Host block of your own ~/.ssh/config rather than system-wide:

IdentityFile ~/.ssh/id_rsa

SSH into the router with your password one last time, enter configuration mode ('configure' at the edgemax@router_name:~$ prompt) and load the public key into the router configuration. loadkey takes the user name and the path of the public key file:

loadkey edgemax /home/edgemax/id_rsa.pub

or, if ssh-copy-id was used,

loadkey edgemax /home/edgemax/.ssh/authorized_keys

After the loadkey command, 'commit', 'save' and 'exit' twice to leave configuration mode and the SSH session. From the client, confirm that 'ssh edgemax@192.168.1.1' now logs in with the key and no password prompt. Only once that works should password logins be turned off, which is the actual hardening step: in configuration mode, 'set service ssh disable-password-authentication', then 'commit' and 'save'. Keep a second session open while doing so, in case the key login fails.
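As an added pre-flight check (example code, not from the original post or from EdgeOS), the bash functions below verify on the target account what the chmod/chown steps above are meant to achieve and what sshd's StrictModes silently enforces, then screen authorized_keys for unsupported or malformed key types. The home directory path and the sample key material are assumptions for illustration; on the router or any Linux host run 'check_ssh_perms /home/edgemax' and 'check_authorized_keys /home/edgemax/.ssh/authorized_keys'.

```bash
#!/bin/bash
# Added example pre-flight check for key-only SSH login: verifies the
# permissions sshd's StrictModes requires and that every authorized_keys line
# is a key type worth trusting.  Not part of the original post or of EdgeOS.

# writable_by_others MODE: true if the group or others write bit is set (octal string)
writable_by_others() { case "$1" in *[2367]?|*?[2367]) return 0 ;; *) return 1 ;; esac; }
# open_to_others MODE: true if group or others have any permission at all
open_to_others() { case "$1" in *00) return 1 ;; *) return 0 ;; esac; }

# check_ssh_perms HOME_DIR: one finding per line on stdout, 0 if all tight
check_ssh_perms() {
    local home="$1" rc=0 mode
    mode=$(stat -c %a "$home" 2>/dev/null) || { echo "$home: missing"; return 2; }
    if writable_by_others "$mode"; then
        echo "$home: mode $mode is group/world writable (want 755)"; rc=1
    fi
    mode=$(stat -c %a "$home/.ssh" 2>/dev/null) || { echo "$home/.ssh: missing"; return 1; }
    if open_to_others "$mode"; then
        echo "$home/.ssh: mode $mode open to others (want 700)"; rc=1
    fi
    mode=$(stat -c %a "$home/.ssh/authorized_keys" 2>/dev/null) \
        || { echo "$home/.ssh/authorized_keys: missing"; return 1; }
    if open_to_others "$mode"; then
        echo "$home/.ssh/authorized_keys: mode $mode open to others (want 600)"; rc=1
    fi
    return $rc
}

# check_authorized_keys FILE: accept only modern key types followed by a base64
# blob and an optional comment; ssh-dss (DSA), garbage, and lines that start
# with options such as from= or command= are reported for manual review
check_authorized_keys() {
    local file="$1" rc=0 line n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in ''|\#*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq \
            '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'; then
            echo "$file:$n: rejected key line (unsupported type or malformed)"; rc=1
        fi
    done < "$file"
    return $rc
}

# usage: check_ssh_perms /home/edgemax && check_authorized_keys /home/edgemax/.ssh/authorized_keys
```

Both functions return non-zero on any finding, so they can gate the 'disable-password-authentication' step in a script: fix what they report, confirm a key login in a second session, and only then commit the change.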


Saturday, 18 November 2017

Mongodb Systemd service on Ubuntu 16.04

This takes its cue from the DigitalOcean article on setting up MongoDB on Ubuntu 16.04. There is a small caveat I found today in the [Service] section: the config path /path/to/mongo/config given there did not match my installation, which made my mongodb.service fail to start.

Here is my version, with the configuration file path as it is on my Ubuntu 16.04:

[Unit]
Description=High-performance, schema-free document-oriented database
After=network.target

[Service]
User=mongodb
ExecStart=/usr/bin/mongod --quiet --config /etc/mongodb.conf

[Install]
WantedBy=multi-user.target

As you may have noticed, the original article's ExecStart points at /etc/mongod.conf, which is where the mongodb-org packages from MongoDB's own repository put the file, whereas the mongodb-server package from Ubuntu's repositories installs /etc/mongodb.conf. Check with 'ls /etc/mongo*.conf' and point ExecStart at the file that actually exists; 'systemctl status mongodb' and 'journalctl -u mongodb' show the failure otherwise.
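As an added check (example code, not from the original post, DigitalOcean or MongoDB), this bash function reads a unit file and verifies the things that made the service fail here: the ExecStart binary exists and is executable, the --config (or -f) file it names is readable, and the User= account exists. It assumes a single-line ExecStart whose arguments contain no quoted spaces.

```bash
#!/bin/bash
# Added example pre-flight check for a hand-written systemd unit: confirms the
# ExecStart binary, its --config file and the User= account before
# 'systemctl start' fails with an unhelpful exit code.  Not part of the
# original post or of MongoDB.
check_unit_paths() {
    local unit="$1" rc=0 line bin cfg user
    line=$(grep -m1 '^ExecStart=' "$unit") || { echo "$unit: no ExecStart= line"; return 2; }
    # word-split the command line (paths without spaces are assumed)
    set -- ${line#ExecStart=}
    bin=${1#-}                      # systemd allows a '-' prefix meaning 'ignore failure'
    [ -x "$bin" ] || { echo "$unit: ExecStart binary $bin is missing or not executable"; rc=1; }
    cfg=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --config=*) cfg=${1#--config=} ;;
            --config|-f) cfg=$2; shift ;;   # mongod accepts -f as the short form
        esac
        shift
    done
    if [ -n "$cfg" ]; then
        [ -r "$cfg" ] || { echo "$unit: config file $cfg is missing or unreadable"; rc=1; }
    else
        echo "$unit: ExecStart has no --config; mongod would use its built-in defaults"
    fi
    user=$(sed -n 's/^User=//p' "$unit" | head -n1)
    if [ -n "$user" ] && ! id -u "$user" >/dev/null 2>&1; then
        echo "$unit: User=$user does not exist on this system"; rc=1
    fi
    return $rc
}

# usage: check_unit_paths /etc/systemd/system/mongodb.service
```

Run it after writing the unit and before 'systemctl daemon-reload'; the config-path finding is exactly the mismatch between /etc/mongod.conf and /etc/mongodb.conf described above.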

That's all for today.



Setting up Firewall ports on Ubiquiti Unifi AP Controller @ Ubuntu 16.04

Below are the TCP/UDP ports that need to be open on a locally hosted UniFi controller (running on a GNU/Linux machine) for Ubiquiti UAP-AC access points.

The information here is gleaned from various sources, including the friendly Ubiquiti community.

The tool used is UFW on a Ubuntu 16.04.3 device. The Ubiquiti reference page is here: https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used

Let's begin:

sudo ufw limit 22/tcp          # rate-limited OpenSSH
sudo ufw allow 80,443/tcp      # HTTP and HTTPS, if the controller host also serves web traffic
sudo ufw allow 8080,8443/tcp   # 8080: device-to-controller inform; 8443: controller web UI and API
sudo ufw allow 3478/udp        # STUN
sudo ufw allow 10001/udp       # AP discovery (optional)
sudo ufw allow 8880,8843/tcp   # guest portal HTTP/HTTPS (optional for a home user unless operating a homestay business)

UFW's default outgoing policy is allow, so the 'allow out' rules below are only needed if you have changed it ('sudo ufw default deny outgoing'); otherwise they are harmless but redundant.

sudo ufw allow out 22/tcp           # OpenSSH
sudo ufw allow out 80,443/tcp       # HTTP and HTTPS
sudo ufw allow out 8080,8443/tcp    # HTTP and HTTPS connection with the controller
sudo ufw allow out 3478/udp         # STUN
sudo ufw allow out 10001/udp        # AP discovery (optional)
sudo ufw allow out 8880,8843/tcp    # guest portals (optional)

#sudo ufw allow 27117/tcp   # controller's bundled MongoDB; do NOT open

The controller's database on port 27117 listens on localhost only, so it must not be exposed; leave the rule commented out.

Additional note for removing rules when you change the default ports (the change must also be made in the controller and on the adopted devices):

sudo ufw delete <rule> <args>
where <rule> is allow, allow out or limit
      <args> is the port specification

For example, to delete the 8880 and 8843 rules, we apply:
sudo ufw delete allow 8880,8843/tcp        # inbound
sudo ufw delete allow out 8880,8843/tcp    # outbound
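As an added helper (example code, not from Ubiquiti or the original post), the bash snippet below keeps the port list above as data, prints the matching ufw commands, and compares that list against a saved 'sudo ufw status' output so a forgotten rule is caught before an AP fails to adopt. The 'ufw status' layout assumed is the one ufw prints on Ubuntu 16.04 ('<port>/<proto>   ALLOW IN   Anywhere'); the status sample used to exercise it is constructed.

```bash
#!/bin/bash
# Added example helper for the UniFi port list: UNIFI_RULES is the desired rule
# set, ufw_commands prints the matching 'ufw' invocations, and missing_rules
# compares the list against saved 'ufw status' output.  Not Ubiquiti's code.

# one rule per line: "<ports>/<proto> <action>"  (action: allow or limit)
UNIFI_RULES='22/tcp limit
80,443/tcp allow
8080,8443/tcp allow
3478/udp allow
10001/udp allow'
UNIFI_GUEST_RULES='8880,8843/tcp allow'   # guest portal, optional

# ufw_commands [--guest]: print the inbound ufw commands (outbound is covered
# by ufw's default allow policy)
ufw_commands() {
    local rules="$UNIFI_RULES"
    [ "$1" = "--guest" ] && rules="$rules
$UNIFI_GUEST_RULES"
    printf '%s\n' "$rules" | while read -r spec action; do
        echo "sudo ufw $action $spec"
    done
}

# missing_rules STATUS_FILE [--guest]: print "<port>/<proto>" for every desired
# port that has no ALLOW IN / LIMIT IN line in a saved 'ufw status' output;
# returns 1 if anything is missing
missing_rules() {
    local status="$1" rules="$UNIFI_RULES" rc=0 spec action ports proto p
    [ "$2" = "--guest" ] && rules="$rules
$UNIFI_GUEST_RULES"
    while read -r spec action; do
        ports=${spec%/*}; proto=${spec#*/}
        # ufw shows a comma list as one rule, but a port may also have been
        # added on its own, so accept either form
        for p in $(echo "$ports" | tr ',' ' '); do
            if ! grep -Eq "^(${ports}|${p})/${proto}[[:space:]]+(ALLOW|LIMIT) IN" "$status"; then
                echo "$p/$proto"; rc=1
            fi
        done
    done <<EOF
$rules
EOF
    return $rc
}

# usage: sudo ufw status > /tmp/ufw.txt && missing_rules /tmp/ufw.txt --guest
```

A clean exit from missing_rules means every port in the list is reachable through the firewall; what it cannot tell you is whether the controller is actually listening on them, so pair it with 'ss -lntup' on the controller host.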

That's all for today.

Tuesday, 8 August 2017

Brief Setup on Ubuntu UFW

Security has been elusive ever since mankind invented encryption, so it is important to put up some form of wall to keep marauding data thieves out of the walled 'data' garden. The old saying 'better late than never' rings true here.

A firewall has been basic protection for personal users since the late 1990s, when internet use became prevalent. On Ubuntu 16.04 the firewall is typically managed with UFW (Uncomplicated Firewall), a front end to the kernel's iptables. There is a graphical front end (gufw), but if you prefer the command line or want to spare your computer the extra resources, UFW itself is the tool of choice.

This brief covers setting up UFW from the GNOME terminal using relatively simple rules (compared with configuring the Linux firewall directly through iptables).

As an average user you need only a few ports reachable from outside to use the internet. Without a firewall the 'attack surface' (the term security commentators use for the set of listening services an attacker can probe and 'prey' on) is larger than it needs to be, which is detrimental to your security. UFW's defaults already deny incoming and allow outgoing connections; rules are added for the services you actually run.

The list of TCP and UDP port numbers and their associated services can be found on Wikipedia here. If you are curious to know more, the authoritative registry is on the Internet Assigned Numbers Authority (IANA) website.

To add a rule allowing incoming connections to a port (here 993, IMAP over TLS), we execute:

sudo ufw allow 993/tcp

To delete a rule we have added, we execute:

sudo ufw delete allow 993/tcp

To add a rule allowing outgoing connections to a port (here 465, SMTP over TLS; only necessary if you have changed the default outgoing policy to deny), we execute:

sudo ufw allow out 465/tcp

Similarly, to delete the outgoing rule added above, we execute:

sudo ufw delete allow out 465/tcp

To view the UFW rules added so far (the first line also shows whether UFW is active at all; rules take effect only after 'sudo ufw enable'), we execute:

sudo ufw status

That's all for today!

Attached is a screenshot of the UFW rules ('(v6)' marks the IPv6 counterpart of each rule); the defaults, including IPv6 handling, are in /etc/default/ufw:



Friday, 4 August 2017

Encrypted Storage: Create Encrypted File Container Ubuntu 16.04LTS

Luks-formatted file container on your harddrive or cloud storage solutions


In 2017 a lot of security issues have surfaced, and ransomware lurks in cyberspace preying on its next victim. Whether it is the oft-quoted 'vulnerable operating system' Windows or a 'more secure' platform such as a Linux-based system or macOS, once your data is in the cloud you are equally exposed.

Hence we can take one small step to secure our data online. I have read an article by Nick Thomadakis on the blog of Cybrary, an IT security education provider.

You can read it on their website. Be aware that you need to register to view the content, or you can block the site's scripts with a browser extension such as ScriptSafe for Chrome.

Let's begin with the first approach (a casual way of creating the file container):


1st step: check whether the kernel module dm_crypt is loaded (for background, see the Arch Linux wiki page on dm-crypt linked here). dm-crypt is the device-mapper target inside the Linux kernel that transparently encrypts a block device; cryptsetup, installed below, is the userspace tool that configures it.

Run command: lsmod | grep 'dm_crypt'

If the module is loaded the following output should appear below the command:

dm_crypt                                     28672          0

2nd step: if it is not listed, load it with modprobe; the verbose option (-v) shows what is being inserted. (The kernel normally loads dm_crypt on its own the first time cryptsetup asks for it, so this step is rarely needed.)

Run command: sudo modprobe -v dm_crypt

3rd step: install cryptsetup, the Ubuntu package providing the dm-crypt and LUKS userspace tool (read its man page with 'man cryptsetup'):

Run command: sudo apt-get install cryptsetup

4th step: with the package installed, create the container file. Its size depends on your needs; for example, a 500 MB container called 'crypt' in the Dropbox folder, preallocated with fallocate:

Run command: cd ~/path/to/Dropbox
             fallocate -l 500MB crypt

Note: depending on the space available on Dropbox or other media, the size can be given with the decimal suffixes KB, MB, GB, TB, PB, EB, ZB and YB, or the binary suffixes KiB, MiB, GiB, TiB, PiB, EiB, ZiB, YiB (plain K, M, G and so on are binary as well).

A 500 MB file of no recognisable filesystem type now appears in the Dropbox folder. It is time to turn it into an encrypted container.

5th step: format 'crypt' as a LUKS container. LUKS is the standard, open on-disk format for dm-crypt; the data key is protected by your passphrase, so the protection is only as strong as that passphrase.

Run command: sudo cryptsetup luksFormat ~/path/to/Dropbox/crypt

We answer YES (in upper case) to the prompt confirming that the contents of 'crypt' will be overwritten irrevocably, then set the passphrase needed to open the container. A password manager such as KeePass2 (or KeePassX) can generate a strong passphrase that is still practical to type on a laptop keyboard, and is recommended because it is also available on Android and Windows for day-to-day use.

6th step: open the LUKS-formatted 'crypt' under a mapping name, here 'decrypt' (any short name such as 'SG' would do). The command has the form 'sudo cryptsetup luksOpen /path/to/container <name>', and the opened device appears as /dev/mapper/<name>. Note the upper-case 'O' in luksOpen and 'F' in luksFormat.

Run command: sudo cryptsetup luksOpen ~/path/to/Dropbox/crypt decrypt

7th step: before saving any files, create a filesystem on the mapped device, /dev/mapper/decrypt. I chose ext4, stable since late 2009 (Ubuntu 9.10, released October 2009).

Run command: sudo mkfs -t ext4 /dev/mapper/decrypt

8th step: create a mount point in $HOME, here 'secondcrypt'. An ordinary mkdir is fine; the directory itself holds nothing sensitive while the container is closed.

Run command: mkdir ~/secondcrypt

9th step: mount the mapped device on the mount point. A fresh ext4 filesystem is owned by root, so hand its top directory to your own user once it is mounted; ordinary applications can then read and write inside it, and there is no need to run editors or file managers as root (avoid 'sudo nautilus': a GUI running as root can leave root-owned files scattered through your home directory).

Run command: sudo mount /dev/mapper/decrypt ~/secondcrypt
             sudo chown $USER: ~/secondcrypt

10th step: once our precious work is saved, unmount 'secondcrypt', then close the mapping with luksClose (format: sudo cryptsetup luksClose <name>). Until luksClose runs, the data key stays in kernel memory and /dev/mapper/decrypt remains readable.

Run command: sudo umount ~/secondcrypt
             sudo cryptsetup luksClose decrypt


Now, the second approach, which is more careful:

Only the 4th step changes compared with the first approach. The reference is an article by Justin Ellingwood from DigitalOcean, a cloud infrastructure provider; there the container sits on a Virtual Private Server (VPS).

4th step: fallocate only reserves blocks, it does not write them, and until a block is written it reads back as zeros. Two consequences follow. Locally, whatever old, deleted data sat in those blocks is still physically present underneath until the space is actually overwritten. More visibly, a container that contains random-looking data only where LUKS has written to it and zeros everywhere else tells anyone who can read the file (the cloud provider included) exactly how much is stored in it, and how that changes over time.

Overwriting the whole file first removes both problems. dd does this (see 'man dd'); these are the variants from the DigitalOcean article, from most to least thorough:

dd if=/dev/random of=~/path/to/Dropbox/crypt bs=1M count=512
dd if=/dev/urandom of=~/path/to/Dropbox/crypt bs=1M count=512
dd if=/dev/zero of=~/path/to/Dropbox/crypt bs=1M count=512

dd creates the file at the size given by bs times count, 512 MiB here, so the fallocate step is no longer needed; adjust count to taste. Which pseudo-device you read from decides what the wipe achieves: /dev/zero erases old content but leaves the used/unused pattern visible once the container is in use; /dev/urandom produces output indistinguishable from ciphertext and is the right choice; /dev/random blocks waiting for entropy on the kernels of this era and offers no practical advantage for this purpose.


Conclusion

The daily routine for storing data in the 'crypt' container boils down to four commands:

1st command: sudo cryptsetup luksOpen ~/path/to/Dropbox/crypt decrypt
2nd command: sudo mount /dev/mapper/decrypt ~/secondcrypt
3rd command: sudo umount ~/secondcrypt
4th command: sudo cryptsetup luksClose decrypt

Two caveats for a container kept in cloud storage. First, the LUKS header at the start of the file is the only thing that can turn your passphrase into the data key; if it is damaged, the data is gone, so keep a backup made with 'sudo cryptsetup luksHeaderBackup ~/path/to/Dropbox/crypt --header-backup-file crypt.header' somewhere other than the same cloud folder. Second, changing the passphrase rewrites only a key slot in the header, not the data key itself; a provider that keeps file revisions still holds the old header, and that old header together with the old passphrase still opens the current data. Treat a leaked passphrase as a reason to create a new container and move the data, not merely to change the passphrase.


Happy encrypting our data!
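The following bash wrappers (an added example, not from the original post, the Cybrary article or cryptsetup) turn the four commands above into a routine with the guards a tired evening can otherwise lack: luksFormat is refused when the file already carries a LUKS header, the container is not opened twice under the same name, the mount point is handed to the invoking user instead of working as root, and closing verifies that the mapping is really gone. The header check reads the six magic bytes cryptsetup writes at offset 0 of every LUKS1 and LUKS2 header; the paths in the usage line are the page's own. The files used to exercise the header check are constructed.

```bash
#!/bin/bash
# Added example wrappers around the open/mount/umount/close routine, with the
# checks that protect the container from the two costly mistakes: running
# luksFormat on a file that already holds a container, and leaving the mapping
# open after unmounting.  Not part of the original post or of cryptsetup.

LUKS_MAGIC='4c554b53babe'   # "LUKS\xba\xbe", first six bytes of a LUKS header

# is_luks_container FILE: true if FILE starts with the LUKS magic
is_luks_container() {
    [ -r "$1" ] || return 2
    [ "$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')" = "$LUKS_MAGIC" ]
}

# mapping_open NAME: true if /dev/mapper/NAME exists
mapping_open() { [ -e "/dev/mapper/$1" ]; }

# format_container FILE: refuse to destroy an existing container
format_container() {
    if is_luks_container "$1"; then
        echo "refusing: $1 already carries a LUKS header (luksFormat would wipe it)" >&2
        return 1
    fi
    sudo cryptsetup luksFormat "$1"
}

# open_container FILE NAME MOUNTPOINT: open, mount, and hand the filesystem root
# to the invoking user so no root-run editor or file manager is needed
open_container() {
    local file="$1" name="$2" mnt="$3"
    is_luks_container "$file" || { echo "$file is not a LUKS container" >&2; return 1; }
    mapping_open "$name" && { echo "$name is already open" >&2; return 1; }
    mkdir -p "$mnt"
    sudo cryptsetup open --type luks "$file" "$name" || return 1
    sudo mount "/dev/mapper/$name" "$mnt" || { sudo cryptsetup close "$name"; return 1; }
    sudo chown "$(id -u):$(id -g)" "$mnt"
}

# close_container NAME MOUNTPOINT: unmount, then close so the key leaves kernel memory
close_container() {
    local name="$1" mnt="$2"
    sudo umount "$mnt" || return 1
    sudo cryptsetup close "$name"
    mapping_open "$name" && { echo "$name still open" >&2; return 1; }
    return 0
}

# usage: open_container ~/path/to/Dropbox/crypt decrypt ~/secondcrypt
#        ...work...
#        close_container decrypt ~/secondcrypt
```

'cryptsetup open --type luks' and 'cryptsetup close' are the modern spellings of luksOpen and luksClose and behave the same; the chown after mounting is what lets the day-to-day work inside ~/secondcrypt happen without sudo.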

Tuesday, 21 March 2017

Using HDSentinel in Ubuntu 16.04

If you are still using a spinning hard drive, are concerned about its health and run GNU/Linux, in particular Ubuntu 16.04, you are in the right place.

Running HDSentinel on Linux is quite simple. Download the file 'Hard Disk Sentinel LINUX (FREE)' from http://www.hdsentinel.com/download.php

After extracting it into a directory of your choice, the simplest way to run it is by absolute path under sudo: 'sudo /path/to/bin/HDSentinel'. If you would rather type only the program name, it has to be on root's search path. Exporting it in your own shell ('export PATH=$PATH:/path/to/bin') is not enough, because sudo replaces PATH with the 'secure_path' from /etc/sudoers. You can pass your PATH through for one command with 'sudo env "PATH=$PATH" HDSentinel', or make it permanent by editing /etc/sudoers with 'sudo visudo' and appending the directory to the secure_path line below 'Defaults mail_badpass':

Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/path/to/bin"

Before doing that, make sure /path/to/bin and everything in it are owned by root and writable by nobody else. Every directory on secure_path is searched for every sudo command, so a directory your normal user (or a compromised program running as that user) can write to lets them drop a binary that will run as root. The cleaner solution is to move the HDSentinel binary into /usr/local/bin, which is already root-owned and already on secure_path. To see the PATH sudo actually applies, run: sudo sh -c 'echo $PATH' (plain 'sudo echo $PATH' expands $PATH in your own shell before sudo runs, so it only shows your own path).

We are now ready to check the health of the spinning disk: sudo HDSentinel
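To make the secure_path concern concrete, here is an added bash audit (example code, not part of sudo or of the original post): check_secure_path walks a colon-separated path and reports directories that are not owned by the expected account (root by default) or are writable by group or others, and current_secure_path extracts the value sudo applies from 'sudo -l'. The owner parameter exists so the check can be exercised on directories owned by a normal user; the directories used to exercise it are constructed.

```bash
#!/bin/bash
# Added example audit of a sudo secure_path: every directory on it is searched
# for every sudo command, so each must be owned by the trusted account and
# writable by nobody else, or an unprivileged writer can plant a binary that
# runs as root.  Not part of sudo or of the original post.

# check_secure_path "DIR:DIR:..." [OWNER]: one finding per line; 0 if clean.
# OWNER defaults to root; it is a parameter so the check can be exercised on
# test directories owned by an ordinary user.
check_secure_path() {
    local path="$1" owner="${2:-root}" rc=0 dir mode who
    local IFS=':'
    for dir in $path; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "$dir: does not exist (harmless, but remove it from secure_path)"
            continue
        fi
        mode=$(stat -c %a "$dir"); who=$(stat -c %U "$dir")
        if [ "$who" != "$owner" ]; then
            echo "$dir: owned by $who, expected $owner"; rc=1
        fi
        # group or others write bit set: last two octal digits contain 2, 3, 6 or 7
        case "$mode" in *[2367]?|*?[2367])
            echo "$dir: mode $mode is writable by group or others"; rc=1 ;;
        esac
    done
    return $rc
}

# current_secure_path: the value sudo actually applies (needs sudo rights)
current_secure_path() {
    sudo -l 2>/dev/null | sed -n 's/.*secure_path=\([^,[:space:]]*\).*/\1/p' | head -n1
}

# usage: check_secure_path "$(current_secure_path)"
```

Run the usage line after editing /etc/sudoers; any finding against the directory you appended means that edit has handed root execution to whoever can write there, and the binary belongs in /usr/local/bin instead.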


KeePass in Firefox on Fedora 25/Ubuntu 16.04: Passwords No Fear

If you use KeePass on Fedora 25 or Ubuntu 16.04, you are in luck. Other add-ons or applications may do the same job, but KeePass is the tried and tested application for storing passwords.

Background: KeePass 2.x is a .NET application; on Linux it runs on Mono, the open-source .NET runtime, which is why Mono is installed below.
 
Do try to use the default theme for Firefox, as there may be interface issue on a 3rd party theme.


Add-ons needed: KeeFox or PassIFox (either one), KeePass Helper (optional).

First, install one of the two add-ons in Firefox, KeeFox or PassIFox; both act as the go-between for KeePass and Firefox. Personally, I prefer KeeFox, since it has better support at keefox.org.

After adding it, we need to install Mono (which KeePass runs on) and extract the pre-built KeePass zip file.

Installing Mono is a breeze: on Fedora, go to the official Fedora community website and execute the quick command; on Ubuntu, install the package 'mono-complete' with apt-get.

The KeePass 2.x (Professional Edition) zip is at http://keepass.info/download.html. The download page also publishes hashes and OpenPGP signatures for each release; checking them is worthwhile for a program that will hold all your passwords.

Download and extract the latest release to a convenient directory, e.g. /home/your_username/KeePass.

In this directory, create a 'plugins' folder and copy the KeePassRPC.plgx file into it. The plugin (the KeePass side of KeeFox) is in the developer's GitHub repository:
https://github.com/luckyrat/KeeFox

You are ready to create a new database in a local directory (.kdbx format), optionally a key file (.key format), and a master password.

Remember to set the database or one of the subcategory as KeeFox start group as shown in the picture below.






Now you are ready to go with Keepass integration with Firefox.


Experimenting with Archlinux on a legacy BIOS system

nano /etc/wpa_supplicant/wpa_supplicant.conf
    ctrl_interface=/run/wpa_supplicant
    update_config=1
wpa_supplicant -B -i wlan0 -c /e...