Tuesday, 8 August 2017

Brief Setup on Ubuntu UFW

Security has been elusive ever since mankind invented encryption methods, so it is important to set up some form of wall to keep marauding data thieves out of the walled 'data' garden. The old, timeless saying 'better late than never' rings true in this context.

A firewall has been a basic protection for personal consumers since the late 1990s, when internet usage became prevalent. In Ubuntu 16.04, the firewall typically consists of UFW (Uncomplicated Firewall). There is a graphical front-end, but if you prefer to use the command line or your computer is short of computing resources, UFW is your preferred choice.

This brief is on setting up Ubuntu UFW from the GNOME console or terminal using relatively simple rules (in comparison to setting up the Linux firewall using iptables).

As average users, we need to open certain ports to access the internet. Without a firewall, the 'attack surface' (the label security commentators commonly use for the 'connection loopholes' that a cyber 'predator' discovers to 'listen' in on its 'prey') is big enough to break into, which is detrimental to your internet security.

The list of TCP and UDP ports and their concomitant service descriptions can be found on Wikipedia here. If you are curious to know more in depth, you can go to the Internet Assigned Numbers Authority (IANA) website to read further on the ports available.

To add a rule to allow incoming access to your network, we execute the command:

sudo ufw allow 993/tcp

To delete a rule that you have added, we execute the command:

sudo ufw delete allow 993/tcp

To add a rule to allow outgoing access to the external network, we execute the command:

sudo ufw allow out 465/tcp

Similarly, to delete the outgoing rule we have added above, we execute:

sudo ufw delete allow out 465/tcp

To view the status of the UFW rules we have added to date, we execute:

sudo ufw status
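To go one step beyond reading the status by eye, here is an added example (not part of the original post) that parses `ufw status` text and reports any allow rule you did not expect. The sample output is constructed, including the stray 23/tcp rule, and the parser only handles simple port/protocol rules like the ones above.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status` output: the two rules from this
# post plus one stray rule (23/tcp) that nobody remembers adding.
sample_status() {
cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
993/tcp                    ALLOW       Anywhere
465/tcp                    ALLOW OUT   Anywhere
23/tcp                     ALLOW       Anywhere
993/tcp (v6)               ALLOW       Anywhere (v6)
465/tcp (v6)               ALLOW OUT   Anywhere (v6)
23/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

# list_rules: read `ufw status` text on stdin and print "in|out port/proto",
# one line per rule, with the IPv4 and IPv6 rows folded together.
list_rules() {
    awk '
        /^--/ { table = 1; next }       # rules start after the dashed header
        table && NF {
            gsub(/ \(v6\)/, "")         # fold the (v6) twin onto the v4 row
            if ($2 != "ALLOW") next     # only allow rules open a port
            dir = "in"
            if ($3 == "OUT") dir = "out"
            print dir, $1
        }' | sort -u
}

# unexpected_rules EXPECTED...: print every allow rule found on stdin that is
# not in the list of expected rules given as arguments.
unexpected_rules() {
    list_rules | while read -r rule; do
        for want in "$@"; do
            if [ "$rule" = "$want" ]; then continue 2; fi
        done
        echo "$rule"
    done
}

# Real use: sudo ufw status | unexpected_rules "in 993/tcp" "out 465/tcp"
sample_status | unexpected_rules "in 993/tcp" "out 465/tcp"
```

Anything this prints is a candidate for `sudo ufw delete allow ...`.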

That's all for today!

Attached is a screenshot of the UFW rules (v6 stands for IPv6), and you can check /etc/default/ufw for the configuration.



Friday, 4 August 2017

Encrypted Storage: Create Encrypted File Container Ubuntu 16.04LTS

LUKS-formatted file container on your hard drive or cloud storage solutions


In the year 2017, a lot of security issues have surfaced, and ransomware is lurking in cyberspace, preying on the next victim. Be it the oft-quoted 'vulnerable operating system' like Windows, or other 'more secure' platforms like Linux-kernel-driven operating systems or the Macintosh operating system, once you are in the cloud, you are equally vulnerable.

Hence, we can take one small step in securing our data online. I have read this article on a security blog written by Nick Thomadakis from Cybrary, an education provider for IT security.

You can read it on this website. Just be aware that you need to register to view the content, or you can use the Chrome extension ScriptSafe to turn off the scripts the website serves to your browser.

Let's begin with the first approach (a casual approach to creating the file container) :


1st step: Let's search for the module dm_crypt (to know more, click on the attached link to the Archlinux documentation on dm-crypt), which creates a virtual partition using the cryptographic capability embedded in the Linux kernel.

Run command: lsmod | grep 'dm_crypt'

If the module is loaded the following output should appear below the command:

dm_crypt                                     28672          0

2nd step: If not, we can always insert the dm_crypt module with the option verbose (-v) to see the module being activated.

Run command: sudo modprobe -v dm_crypt

3rd step: We proceed to install the Ubuntu package of dm-crypt known as cryptsetup. ( You can read the man pages by running command man cryptsetup )

Run command: sudo apt-get install cryptsetup

4th step: With the package installed, we can now do the proper setup of the file container. We create a storage size that depends on our own needs. For example, I am going to create a 500MB file container in my Dropbox folder by navigating to the Dropbox folder and creating a file container called 'crypt' using the fallocate command.

Run command: cd ~/path/to/Dropbox
             fallocate -l 500MB crypt

Note: Depending on your storage capacity on Dropbox or other media, you can specify the file container size with the following multiplicative suffixes: KB, MB, GB, TB, PB, EB, ZB and YB (or the alternative unit suffixes KiB, MiB, GiB, TiB, PiB, EiB, ZiB and YiB).

A 500MB file of unknown filesystem appears in my Dropbox folder. It is time to encrypt the file container with an industrial-strength application.

5th step: Let's start using the cryptsetup application to encrypt 'crypt' with the LUKS format, an open source, industrial-grade encryption which claims to require several times the world GDP to break.

Run command: sudo cryptsetup luksFormat ~/path/to/Dropbox/crypt

We answer YES (uppercase letters please) to the prompt to overwrite the 'crypt' file container irrevocably. We then set the password (passphrase) which we need to open the 'crypt' file container. You can create a tough but easy-to-enter (on your laptop keyboard) password using a password manager like KeePass2 (or KeePassX), which is recommended because it is easily available on Android smartphones and Windows too for your day-to-day web surfing.

6th step: Now we open the LUKS-formatted 'crypt' file container in an intermediate holding folder, arbitrarily called 'decrypt', or you can use a simple 2-letter name like 'SG'. The command takes the format 'sudo cryptsetup luksOpen /path/to/source /path/to/holding'. Note that the option 'luksOpen', like the previous option 'luksFormat', has an uppercase character ('O' and 'F' respectively) after the 'luks' prefix.

Run command: sudo cryptsetup luksOpen ~/path/to/Dropbox/crypt decrypt

7th step: Before we start saving any files, we need to create a proper filesystem on the 'decrypt' folder, which has the path /dev/mapper/decrypted_folder (here, /dev/mapper/decrypt). In my case, I chose Ext4, which has been stable since late 2009 (the October 2009 release of Ubuntu 9.10).

Run command: sudo mkfs -t ext4 /dev/mapper/decrypt

8th step: Now we create an arbitrarily named folder in $HOME with root permission. In my case I create a folder called 'secondcrypt' so that the decrypted files are not easily editable by people with no root permission.

Run command: sudo mkdir ~/secondcrypt

9th step: We can now mount the 'decrypt' folder on the 'secondcrypt' folder. Once done, we can start saving files in the folder with root permission. Note: some files are not saved easily when you edit them with an application that has no root permission. Hence you need to save the file in a temporary location and move it into the mounted 'secondcrypt' folder with root permission. Best of all, you can directly edit the file permissions using sudo nautilus.

Run command: sudo mount /dev/mapper/decrypt ~/secondcrypt

10th step: Once we are done with saving our precious work, we proceed to unmount the 'secondcrypt' folder. Then we close the intermediate decrypted folder 'decrypt' using the command luksClose (in the format sudo cryptsetup luksClose /path/to/holding).

Run command: sudo umount ~/secondcrypt
             sudo cryptsetup luksClose decrypt


Now, the serious Second approach that is more secure: 


We only need to alter the 4th step in comparison with the 1st approach, which may be less secure. A reference is here, written by Justin Ellingwood from DigitalOcean, a cloud infrastructure service provider. The file container referred to is hosted on a Virtual Private Server (VPS).

4th step: We move away from the above approach because old, deleted files may still exist beneath the allocated space that is now held by ~/path/to/Dropbox/crypt, the 'crypt' file container. The encrypted data may be easily distinguished from the rest of the empty hard disk drive written with zeros and random data.

One way of securely erasing the old, deleted data is using the dd command. (You can read the man pages by running the command man dd.) Below are the dd commands stated by Justin Ellingwood in the DigitalOcean blog.

'Most paranoid' Run command: dd if=/dev/random of=~/path/to/Dropbox/crypt bs=1M count=512
'Secure' Run command: dd if=/dev/urandom of=~/path/to/Dropbox/crypt bs=1M count=512
'Quite Secure' Run command: dd if=/dev/zero of=~/path/to/Dropbox/crypt bs=1M count=512

How secure the wipe of the allocated space is depends mainly on the input file path (if), which is assigned one of the 3 pseudo-devices: /dev/zero, /dev/urandom or /dev/random.

The /dev/urandom pseudo-device is good enough to mimic the encrypted data that will be written into the 'crypt' file container.
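To see why the fill matters, here is an added example (not from the original post or the DigitalOcean article) that counts how many blocks of a container file hold anything other than zeros. It builds two tiny constructed containers, with /dev/urandom bytes standing in for the encrypted data that would be written later.

```shell
#!/bin/sh
# count_nonzero_blocks FILE [BLOCK_SIZE]
# Print how many blocks of FILE contain at least one non-zero byte.
count_nonzero_blocks() {
    file=$1
    bs=${2:-4096}
    size=$(wc -c < "$file")
    blocks=$(( (size + bs - 1) / bs ))
    i=0
    nonzero=0
    while [ "$i" -lt "$blocks" ]; do
        # Strip the NUL bytes from one block; anything left means "written".
        n=$(dd if="$file" bs="$bs" skip="$i" count=1 2>/dev/null |
            LC_ALL=C tr -d '\000' | wc -c)
        if [ "$((n))" -gt 0 ]; then nonzero=$((nonzero + 1)); fi
        i=$((i + 1))
    done
    echo "$nonzero"
}

# make_demo FILL_DEVICE OUTFILE
# Constructed 8-block container filled from FILL_DEVICE, then 2 blocks of
# stand-in "encrypted data" (urandom bytes) written into the middle of it.
make_demo() {
    dd if="$1" of="$2" bs=4096 count=8 2>/dev/null
    dd if=/dev/urandom of="$2" bs=4096 seek=3 count=2 conv=notrunc 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo /dev/zero    "$demo_dir/zero_filled"
make_demo /dev/urandom "$demo_dir/random_filled"
echo "zero-filled:   $(count_nonzero_blocks "$demo_dir/zero_filled") of 8 blocks stand out"
echo "random-filled: $(count_nonzero_blocks "$demo_dir/random_filled") of 8 blocks look the same"
rm -rf "$demo_dir"
```

On the zero-filled container exactly the written blocks stand out, so anyone holding the file can tell how much is stored and where; on the random-filled one every block looks alike.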


Conclusion


Let's summarise the steps we may need in our daily life to store our data in the 'crypt' file container.

1st command: sudo cryptsetup luksOpen ~/path/to/Dropbox/crypt decrypt
2nd command:  sudo mount /dev/mapper/decrypt ~/secondcrypt
3rd command: sudo umount ~/secondcrypt
4th command: sudo cryptsetup luksClose decrypt
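The four daily commands above can be wrapped in one small script; this is an added example, not from the original post or the articles it cites. It uses the post's names ('crypt', 'decrypt', ~/secondcrypt; the Dropbox path is the same placeholder), and before asking for sudo it checks that the file really starts with the LUKS header magic bytes.

```shell
#!/bin/sh
# Names follow the post; the container path is the post's placeholder.
CONTAINER=${CONTAINER:-"$HOME/path/to/Dropbox/crypt"}
MAPPING=${MAPPING:-decrypt}
MOUNTPOINT=${MOUNTPOINT:-"$HOME/secondcrypt"}

# has_luks_header FILE: succeed if FILE begins with the LUKS magic
# ("LUKS" followed by bytes 0xBA 0xBE). Needs neither root nor cryptsetup.
has_luks_header() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

open_container() {
    if ! has_luks_header "$CONTAINER"; then
        echo "not a LUKS container: $CONTAINER" >&2
        return 1
    fi
    if [ -e "/dev/mapper/$MAPPING" ]; then
        echo "$MAPPING is already open" >&2
        return 1
    fi
    sudo cryptsetup luksOpen "$CONTAINER" "$MAPPING" || return 1
    # If the mount fails, close the mapping so no decrypted device lingers.
    if ! sudo mount "/dev/mapper/$MAPPING" "$MOUNTPOINT"; then
        sudo cryptsetup luksClose "$MAPPING"
        return 1
    fi
}

close_container() {
    # Unmount first; never close the mapping while it is still mounted.
    sudo umount "$MOUNTPOINT" || return 1
    sudo cryptsetup luksClose "$MAPPING"
}

case "${1:-}" in
    open)  open_container ;;
    close) close_container ;;
esac
```

Saved under a name of your choice, it is run with the argument open before work and close afterwards.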


Happy encrypting our data!

















