Create an encrypted LUKS file container

Today we will create an encrypted file container with a key file that is needed to open the container.

At the beginning we must create a file of the size we want. I create a 200 GB file with random data:

dd if=/dev/urandom of=/mnt/example/ssd/encrypted.img bs=2M count=102400
...
214748364800 bytes (215 GB, 200 GiB) copied, 1896,49 s, 113 MB/s

Now create a key file, needed to open this container, again with random data. But it can be a file of any type: a photo, a document, a video, a movie…

dd if=/dev/urandom of=/mnt/example/ssd/secret.bin bs=1024 count=1 
...
1024 bytes (1,0 kB, 1,0 KiB) copied, 0,000155504 s, 6,6 MB/s

Now format this file with LUKS. Be sure that your password is strong, and answer YES to the question:

sudo cryptsetup luksFormat -v /mnt/example/ssd/encrypted.img /mnt/example/ssd/secret.bin

Now we unlock this container with the key file:

sudo cryptsetup -v luksOpen /mnt/example/ssd/encrypted.img myEncryptedVolume --key-file /mnt/example/ssd/secret.bin

And check the status of this LUKS container:

sudo cryptsetup -v status myEncryptedVolume

/dev/mapper/myEncryptedVolume is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/loop24
  loop:    /mnt/example/ssd/encrypted.img
  sector size:  512
  offset:  32768 sectors
  size:    419397632 sectors
  mode:    read/write
Command successful.

And now, with the commands below, we close and reopen the container and create a filesystem on it. Then we mount it and copy files there 🙂

sudo cryptsetup luksClose myEncryptedVolume
sudo cryptsetup -v luksOpen /mnt/example/ssd/encrypted.img myEncryptedVolume --key-file /mnt/example/ssd/secret.bin
sudo cryptsetup -v status myEncryptedVolume
sudo mkfs -t ext4 /dev/mapper/myEncryptedVolume
sudo mkdir /home/privates
sudo mount /dev/mapper/myEncryptedVolume /home/privates
...copy files there...
sudo umount /home/privates
sudo cryptsetup luksClose myEncryptedVolume

And that's all 🙂
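The open, mount and close steps from this post, collected into one script with the two checks a practitioner would want: the key file must not be readable by other users, and a failed mount must not leave the unlocked mapping behind. This is an added example, not code from the original post; the image, key file, mapper name and mount point are the post's, while the script name, the function names and the permission check are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the open/mount/close
# steps above in one script with safety checks. Paths and names are taken
# from the post; the permission check and the function names are assumptions.
set -eu

IMAGE=/mnt/example/ssd/encrypted.img
KEYFILE=/mnt/example/ssd/secret.bin
MAPPER=myEncryptedVolume
MOUNTPOINT=/home/privates

# The key file is the whole secret: it must be readable only by its owner.
# Returns 0 when the mode is 0400 or 0600, 1 otherwise (GNU stat assumed).
check_keyfile() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "key file $1 has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# Unlock the container and mount it; if the mount fails, close the mapping
# again so no unlocked device is left behind.
open_container() {
    check_keyfile "$KEYFILE"
    sudo cryptsetup luksOpen "$IMAGE" "$MAPPER" --key-file "$KEYFILE"
    if ! sudo mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"; then
        sudo cryptsetup luksClose "$MAPPER"
        return 1
    fi
}

# Unmount and lock. luksClose fails while the filesystem is still mounted,
# so umount always comes first.
close_container() {
    sudo umount "$MOUNTPOINT"
    sudo cryptsetup luksClose "$MAPPER"
}

case "${1:-}" in
    open)  open_container ;;
    close) close_container ;;
    "")    ;;   # run without arguments: only define the functions
    *)     echo "usage: $0 open|close" >&2; exit 2 ;;
esac
```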


Hardening iptables from “ACCEPT all” to “DROP all”

Now I write some rules for hardening iptables: from the default policy of accepting everything to dropping everything except what I want to accept. This setup was made on Ubuntu Server 18.04.2 LTS.

This post is related to and based on these sites:

https://help.ubuntu.com/community/IptablesHowTo

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-0

By default we can see that everything is allowed:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

So we start by allowing established sessions to receive traffic:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

-A INPUT: The -A flag appends a rule to the end of a chain. This is the portion of the command that tells iptables that we wish to add a new rule, that we want that rule added to the end of the chain, and that the chain we want to operate on is the INPUT chain.

And now we can allow the specific ports or services that we want to allow:

iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport https -j ACCEPT

And now we block everything else coming to us:

iptables -A INPUT -j DROP

Now we can see our INPUT chain in the firewall:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
DROP all -- anywhere anywhere

Now we must add a rule for the loopback interface, because we block it now. If we add it with the -A command above, it lands at the end of the chain (after the DROP all rule), so all loopback traffic will still be blocked. We must add it at the beginning of the chain:

iptables -I INPUT 1 -i lo -j ACCEPT

-I INPUT 1: The -I flag tells iptables to insert a rule. This is different than the -A flag which appends a rule to the end. The -I flag takes a chain and the rule position where you want to insert the new rule.

-i lo: This component of the rule matches if the interface that the packet is using is the “lo” interface. The “lo” interface is another name for the loopback device. This means that any packet using that interface to communicate (packets generated on our server, for our server) should be accepted.

And now we can see it:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
DROP all -- anywhere anywhere

The first and the last lines look very similar, so use the option -v (verbose) or -S (list rules). See:

iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
287 46814 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
211 45230 DROP all -- any any anywhere anywhere

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP

Now we have five rules to ACCEPT the packets we want, and a sixth rule to DROP all other packets.

Dropping everything can be done in two ways. What we have now is the first way: the default policy of the chain is ACCEPT, our five rules catch certain packets, and at the end the sixth rule DROPs all the remaining packets. If the firewall breaks, or we accidentally flush our rules, we can still connect to our server, because the default chain policy is ACCEPT.

The second way is to set the default chain policy to DROP and keep our five rules. If a packet is caught by one of these rules, it is ACCEPTed; otherwise it is DROPped by the default policy. The risk is that if we flush our firewall rules, we can no longer reach our server from the network, because the default chain policy is DROP. So first we need the rules mentioned above, except the DROP rule, and only then, at the end, we change the default chain policy with the command:

iptables -P INPUT DROP

And now look at the firewall done this way:

iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

So we can see that we DROP the packets we want to drop and ACCEPT the packets we want to accept. It can be done in these two ways, so pick the one you want. I prefer the second way, because I have another way to access the server (via a console keyboard connected directly to the server), so if something goes wrong I am still able to connect to it.

If you choose the first way, you must add any other rules before the DROP rule, because otherwise their packets would be matched by the DROP rule first. Like the loopback rule, you must insert them somewhere before the DROP rule. See the line numbers:

iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
3 ACCEPT tcp -- anywhere anywhere tcp dpt:http
4 ACCEPT tcp -- anywhere anywhere tcp dpt:https
5 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
6 DROP all -- anywhere anywhere

And now we can add another rule somewhere in the middle:

iptables -I INPUT 6 -p tcp --dport 5666 -j ACCEPT

And we can see it:

iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
3 ACCEPT tcp -- anywhere anywhere tcp dpt:http
4 ACCEPT tcp -- anywhere anywhere tcp dpt:https
5 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
6 ACCEPT tcp -- anywhere anywhere tcp dpt:nrpe
7 DROP all -- anywhere anywhere

To save these rules and make them persistent across reboots, I use the package:

apt-get install iptables-persistent

During installation you will be asked some questions, such as whether to save the current rules for permanent use and load them at the next boot. If you haven't done it yet, never mind; you can do it later with:

iptables-save -c > /etc/iptables/rules.v4
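As an added example (not from the original post), the same rule set written directly as an iptables-restore file, the format iptables-save writes to /etc/iptables/rules.v4, using the second way (default policy DROP). Loading it with iptables-restore replaces the whole table in one step, so there is no moment where the rules are flushed while the policy is already DROP. The function names, the temporary file /tmp/rules.v4.new and the ssh lockout check are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generates the post's INPUT
# rules as an iptables-restore file with default policy DROP (the second
# way), checks it, and applies it atomically. Function names and the
# temporary file path are assumptions.
set -eu

# build_rules_v4 PORT...  prints the filter table: loopback and conntrack
# rules first, then one ACCEPT per TCP port given, policy DROP for INPUT.
build_rules_v4() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for port in "$@"; do
        case "$port" in
            *[!0-9]*|'') echo "invalid port: $port" >&2; return 1 ;;
        esac
        echo "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# A generated file must still accept ssh (port 22); otherwise a remote admin
# is locked out the moment the DROP policy is applied.
has_ssh_rule() {
    grep -q -- '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' "$1"
}

# Generate, check, dry-run with iptables-restore --test (parses the file
# without touching the live rules), then save and apply.
install_rules() {
    build_rules_v4 "$@" > /tmp/rules.v4.new
    has_ssh_rule /tmp/rules.v4.new
    sudo iptables-restore --test /tmp/rules.v4.new
    sudo cp /tmp/rules.v4.new /etc/iptables/rules.v4
    sudo iptables-restore /etc/iptables/rules.v4
}
```

Run `install_rules 22 80 443` from a console session, not over ssh, the first time.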


Rescue a disk with ddrescue from Ubuntu

I have a broken, partially working disk. This is part of dmesg after plugging in the removable 2.5″ USB disk, and the listing from fdisk:

[1448.206941] blk_update_request: I/O error, dev sdb, sector 6293504

fdisk -l /dev/sdb
Disk /dev/sdb: 931,5 GiB, 1000170586112 bytes, 1953458176 sectors
......
Device     Boot Start        End    Sectors   Size Id Type
/dev/sdb1        2048 1953458175 1953456128 931,5G  7 HPFS/NTFS/exFAT

So I will try to rescue some data from it. I will use the gddrescue program:

apt-get install gddrescue

And now I have mounted a big 3 TB NFS storage, where I will save the image of this disk:

ddrescue -r1 -v -d /dev/sdb /mnt/nfs/sdb.img /mnt/nfs/sdb.log
  • -r1 means that ddrescue will try to read each bad block one more time before giving up on it
  • -v means verbose mode
  • -d means that ddrescue uses direct disk access and ignores the kernel's cache
  • /dev/sdb is the failing drive
  • /mnt/nfs/sdb.img is the destination image, where we save any data we can read
  • /mnt/nfs/sdb.log is the log file (mapfile), where every bad block and the current position of ddrescue are written. We can interrupt the rescue at any time and continue it later with the same command. When ddrescue finishes, we can repeat the run only on the bad blocks, with more retries
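As an added example, not part of the original post, a small shell helper that reads the ddrescue mapfile (the post's /mnt/nfs/sdb.log) and sums the bytes per block status, so before the retry pass you can see how much is still untried, how much is bad, and where ddrescue will resume. The sample mapfile inside the script is constructed for the example, not the post's real log; the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarises a ddrescue mapfile
# by block status. The sample mapfile below is constructed, not real output.
set -eu

# mapfile_bytes FILE STATUS  prints the total size in bytes of blocks with
# STATUS:  ?  non-tried   *  non-trimmed   /  non-scraped   -  bad   +  finished
mapfile_bytes() {
    total=0
    while read -r pos size status _rest; do
        case "$pos" in '#'*|'') continue ;; esac   # comments and blank lines
        # the first data line is "current_pos current_status" and has no size
        case "$size" in 0x*) ;; *) continue ;; esac
        if [ "$status" = "$2" ]; then
            total=$((total + size))
        fi
    done < "$1"
    echo "$total"
}

# mapfile_current_pos FILE  prints the position ddrescue will resume from.
mapfile_current_pos() {
    grep -v '^#' "$1" | head -n 1 | cut -d' ' -f1
}

# Constructed sample: 1 MiB read, one bad 512-byte sector, a non-scraped
# remainder of that 4 KiB block, and the rest of the region still untried.
SAMPLE=${TMPDIR:-/tmp}/ddrescue-sample.log
cat > "$SAMPLE" <<'EOF'
# Mapfile. Created by GNU ddrescue (constructed sample)
# Command line: ddrescue -r1 -v -d /dev/sdb /mnt/nfs/sdb.img /mnt/nfs/sdb.log
# current_pos  current_status
0x00100000     +
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x00000200  -
0x00100200  0x00000E00  /
0x00101000  0x000FF000  ?
EOF

echo "finished:    $(mapfile_bytes "$SAMPLE" '+') bytes"
echo "bad:         $(mapfile_bytes "$SAMPLE" '-') bytes"
echo "non-scraped: $(mapfile_bytes "$SAMPLE" '/') bytes"
echo "non-tried:   $(mapfile_bytes "$SAMPLE" '?') bytes"
echo "resume at:   $(mapfile_current_pos "$SAMPLE")"
```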

  • 22.3.2017 – it was started. The post will continue after it has finished 😀 Maybe it takes 3 days to finish, maybe more 🙂 This operation takes a long time to finish…