Adam Palmer MBCS CITP, Linux, PHP Programmer, MySQL Developer, Embedded Hardware, Security Consultant

05 Feb 10 Linux LUKS Crypt HOWTO

Linux kernels now support encrypted filesystems. Setting one up should take 5 minutes, or 3 hours if you’re like me and can’t read.

Firstly, install the right tools: apt-get install cryptsetup

Make a new partition, and initialize it with: cryptsetup luksFormat /dev/sda3

Where /dev/sda3 is your newly created partition.

You will be prompted to type YES in uppercase to confirm your understanding that your partition is about to be wiped. If, like me, you type ‘yes’ in lowercase, it will fail with “Command Failed.”. You’ll then spend hours checking for loaded kernel modules, log files, and trawling Google for more information. The answer is to type ‘YES’ in uppercase as you’re told :)

Enter a passphrase, and you’re ready to go.

Next, ‘open’ the container: cryptsetup luksOpen /dev/sda3 mycrypto

Here ‘mycrypto’ is your name for the container. Enter the passphrase, and you should at this point end up with a /dev/mapper/mycrypto

Format it with your desired filesystem: mkfs.ext3 /dev/mapper/mycrypto

Then, you can mount /dev/mapper/mycrypto as you would any other block device: mount /dev/mapper/mycrypto /mnt/my_mount_point

To close the container:
umount /dev/mapper/mycrypto
cryptsetup luksClose mycrypto

Easy :)


02 Nov 09 Easy Reverse Engineering

Compiling a program doesn’t protect it or necessarily hide the source. Take the following example C program. It serves no real life purpose and should never print anything to the console:

#include <stdio.h>
#include <string.h>

int main(void)
{
        const char *password = "secretpassword";
        const char *otherpassword = "othersecretpassword";

        if(!strcmp(password, otherpassword))
        {
                printf("This will never get evaluated");
        }
        return 0;
}

Compiling the code to assembly with gcc -S test.c leaves test.s. The important point is that all strings remain intact:
(more…)
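The same point can be shown on the compiled bytes rather than the assembly listing. The following is an added example, not code from the original post: a minimal version of what strings(1) does, run over a constructed byte array that stands in for part of the compiled test program (the surrounding non-text bytes are made up).

```c
#include <ctype.h>
#include <stdio.h>

/* Constructed sample: the post's string literals embedded between
   arbitrary non-printable bytes, as they would sit in a binary. */
static const unsigned char sample_image[] =
    "\x7f" "ELF" "\x01\x01\x01\x00\x55\x89\xe5\x83"
    "secretpassword\0" "othersecretpassword\0"
    "\xc3\x90\x90" "This will never get evaluated\0";

/* Report every run of at least min_len printable ASCII bytes in buf.
   Returns the number of runs; each run is printed when out is non-NULL. */
size_t extract_strings(const unsigned char *buf, size_t len,
                       size_t min_len, FILE *out)
{
    size_t found = 0, start = 0;

    /* i == len acts as a final terminator so a trailing run is counted. */
    for (size_t i = 0; i <= len; i++) {
        if (i < len && (isprint(buf[i]) || buf[i] == '\t'))
            continue;                       /* still inside a run */
        if (i - start >= min_len) {
            found++;
            if (out)
                fprintf(out, "%.*s\n", (int)(i - start),
                        (const char *)buf + start);
        }
        start = i + 1;                      /* next run begins after this byte */
    }
    return found;
}

int main(void)
{
    /* Minimum length 4 matches the default of strings(1). */
    size_t n = extract_strings(sample_image, sizeof sample_image, 4, stdout);
    printf("%zu strings recovered\n", n);
    return 0;
}
```

Both passwords come straight back out, which is why secrets compiled into a program should be treated as readable by anyone who holds the binary.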


20 Oct 09 Setting up an LVM filesystem

Setting up an LVM filesystem is quite easy assuming you have the right tools installed and a recent kernel. LVM has a lot of advantages, most notably the ability to take snapshots of the current filesystem – this is why LVM is often used in live database environments.

Assuming a Debian Lenny machine, get the relevant packages. Some may already be installed: apt-get install lvm2 dmsetup mdadm

In this example, we will assume that /dev/sda is your boot drive, and that you want to leave it out of your LVM array, but include /dev/sdb and /dev/sdc. Both /dev/sdb and /dev/sdc should be of equal sizes.

Firstly, using fdisk, remove any existing partitions with ‘d’, on /dev/sdb and /dev/sdc, and create one new partition to span the drive. Change the partition type to ‘8e’ which is the LVM type.

Now prepare your physical disk for LVM with the ‘pvcreate’ tool:

pvcreate /dev/sdb1 /dev/sdc1

Note that you can reverse this with pvremove. You can also use pvdisplay now to display information on all physical volumes.

Oh – you do realise that you can use /dev/mdX just as easily to create LVM on your RAID devices?

Now, we need to create a ‘volume group’: vgcreate myvg /dev/sdb1 /dev/sdc1

(more…)


18 Oct 09 Installing and Configuring Xen with guests

Installing and Configuring Xen on a Debian Lenny machine is pretty easy. Firstly, install the system:

apt-get install xen-tools xen-utils-3.2-1 xen-linux-system-2.6.26-2-xen-686

xen-linux-system-2.6.26-2-xen-686 comes with the Xen kernel that you’ll need. It should install a new kernel as the default, and therefore you’ll now need to reboot.

Once rebooted, issue uname -a to ensure that your new Xen kernel is running:

apnic01:~# uname -a
Linux apnic01 2.6.26-2-xen-686 #1 SMP Wed Aug 19 08:47:57 UTC 2009 i686 GNU/Linux

You now have Xen installed! Now, you’ll need to make a few changes. Firstly, none of my new guest VMs had a working console; apparently this is a known issue in Lenny with Lenny guests. The workaround is to change the inittab on the guest. I wanted to create guests without modifications, so in this case, I edited /etc/xen-tools/xen-tools.conf and uncommented:

#serial_device = hvc0 #default

It’s listed as the default, but uncommenting this seemed to solve my issues.

Now, you’re ready to create your first guest:
(more…)


14 Oct 09 Xen, LVM and friends

I’m going to write 3 articles next, the first on installing Xen on a Debian Lenny host (Dom0) with Debian Lenny guests (DomU) on a regular loopback filesystem. Next I’m going to write about setting up LVM and some basic working examples, and then finally how to move your Xen over to LVM once you realise that you don’t want loopback. This is the same order in which I performed my installation, and covers Xen setup, LVM setup and migration from loopback to LVM which is a valid upgrade path. My Xen installation is entirely automated. Watch this space..


03 Oct 09 Linux C setuid setgid tutorial

Here’s a very brief example of how to use the setuid() and setgid() functions in your C program.

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
        /* Remember the real UID of the invoking user */
        int current_uid = getuid();
        printf("My UID is: %d. My GID is: %d\n", current_uid, getgid());
        system("/usr/bin/id");

        /* Only succeeds if the process is permitted to become root */
        if (setuid(0))
        {
                perror("setuid");
                return 1;
        }

        //I am now root!
        printf("My UID is: %d. My GID is: %d\n", getuid(), getgid());
        system("/usr/bin/id");

        //Time to drop back to regular user privileges
        /* Check the result: carrying on as root after a failed drop is unsafe */
        if (setuid(current_uid))
        {
                perror("setuid");
                return 1;
        }
        printf("My UID is: %d. My GID is: %d\n", getuid(), getgid());
        system("/usr/bin/id");

        return 0;
}

The program above should be pretty self-explanatory. Now:

adam@staging:~$ gcc -O2 -ggdb -o setuid setuid.c
adam@staging:~$ ls -al setuid
-rwxr-xr-x 1 adam adam 9792 2009-10-03 18:09 setuid
adam@staging:~$

(more…)
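For programs that need root only briefly, the drop back to the regular user is the step worth getting right. The following is an added example, not code from the original post: a permanent privilege drop that handles groups before the UID and then verifies that root cannot be regained. The function name drop_privileges() is hypothetical, and the example assumes Linux with glibc.

```c
#define _DEFAULT_SOURCE          /* exposes setgroups() in <grp.h> on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch the process to uid/gid. Returns 0 only when the drop
   is complete and verified; on -1 the caller must exit, not carry on. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                      /* "dropping" to root is not a drop */

    /* Order matters: groups first, because once the UID is gone the
       process may no longer change its GID or supplementary groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0)
        return -1;                      /* root was still reachable */
    return 0;
}

int main(void)
{
    /* Assumption: started as a set-uid-root binary or by an ordinary
       user; the target identity is the invoking (real) user. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("now running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```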


03 Oct 09 Linux Security Freelancer – Securing a node – Where to start?

As a Linux Security Freelancer, I’m often asked where best to start when securing a single Linux host. Whereas most would suggest configuring iptables or similar, the most effective first step in my opinion is to remove unnecessary services.

There are a number of methods that you can use to show open sockets at least:
lsof -U will list open sockets
nmap -sT -sU localhost will scan your local machine for open TCP or UDP ports
netstat -a | grep LISTEN will show all listening sockets.

Forgive me for stating the obvious, but the first thing to do is disable any open sockets or services that aren’t required. On a default install, this could include the likes of the portmapper service, identd and an smtpd.

Next, you want to suitably lock down user accounts, check passwords, and perhaps consider enforcing a secure password policy. At minimum I generally prefer at least 8 characters, at least one uppercase, one lowercase and one integer. Obviously this shouldn’t be easily guessable, nor should it just end in a ‘1’.

Once done, the next thing that you want to do is to suitably firewall the services that you do require open, and perhaps also restrict the rate of ICMPs, etc, with iptables.
(more…)
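The listening-socket check above can also be done directly against the kernel's socket table, which is where netstat gets its data. The following is an added example, not code from the original post: it parses rows in /proc/net/tcp layout and counts listeners that are reachable from off-host but not on a list of required ports. The sample rows are constructed, the required-port list is an assumption, and the address decoding assumes IPv4 on a little-endian host.

```c
#include <stdio.h>
#include <string.h>
#define TCP_LISTEN 0x0A   /* state value the kernel prints for LISTEN */

/* Constructed sample in /proc/net/tcp layout (trailing columns omitted). */
static const char sample_table[] =
    "  sl  local_address rem_address   st\n"
    "   0: 00000000:006F 00000000:0000 0A\n"   /* 0.0.0.0:111  portmapper  */
    "   1: 0100007F:0019 00000000:0000 0A\n"   /* 127.0.0.1:25 smtpd       */
    "   2: 00000000:0071 00000000:0000 0A\n"   /* 0.0.0.0:113  identd      */
    "   3: 00000000:0016 00000000:0000 0A\n"   /* 0.0.0.0:22   sshd        */
    "   4: 0A00000A:0016 1400000A:C350 01\n";  /* established connection   */

/* Assumption for this example: sshd is the only service the host needs. */
static const unsigned required_ports[] = { 22 };

static int is_required(unsigned port, const unsigned *req, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (req[i] == port) return 1;
    return 0;
}

/* Count listeners that are reachable from off-host but not required. */
int audit_listeners(const char *table, const unsigned *req, size_t n, FILE *out)
{
    int unexpected = 0;
    for (const char *line = table; line && *line; ) {
        unsigned addr, port, state;
        if (sscanf(line, " %*d: %8x:%4x %*8x:%*4x %2x", &addr, &port, &state) == 3
            && state == TCP_LISTEN
            && (addr & 0xff) != 127      /* first octet; skip loopback-only */
            && !is_required(port, req, n)) {
            unexpected++;
            if (out)
                fprintf(out, "not required: %u.%u.%u.%u:%u\n", addr & 0xff,
                        (addr >> 8) & 0xff, (addr >> 16) & 0xff, addr >> 24, port);
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return unexpected;
}

int main(void)
{
    return audit_listeners(sample_table, required_ports, 1, stdout) ? 1 : 0;
}
```

On the sample it reports the portmapper and identd listeners; the smtpd bound to 127.0.0.1 is skipped because it is not reachable from other hosts.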


02 Oct 09 Linux Consultant – Disk Speed

Using hdparm it’s pretty easy to find out your disk’s read speed. hdparm is actually an entire IDE/SATA management utility.

Firstly, ensure that you have the tool – apt-get install hdparm

Once done, quite simply use hdparm with -t or -T options to time buffered reads and cache reads respectively. Be VERY careful about other options that hdparm offers, some are very dangerous and can completely corrupt your data.

apnic03:~# hdparm -t /dev/sda

/dev/sda:
Timing buffered disk reads:  200 MB in  3.00 seconds =  66.57 MB/sec
apnic03:~# hdparm -T /dev/sda

/dev/sda:
Timing cached reads:   4372 MB in  2.00 seconds = 2187.38 MB/sec


19 Sep 09 Installing Linux on the Embedded PPC50 Touchscreen

I personally really like this touch screen PC! I’ve installed Debian (of course) and a graphical interface, and configured the HUAWEI data card along with the TSCOM touchscreen drivers.

I also modified the boot up to log in and start the graphical interface automatically. Using xvkbd for a virtual keyboard works really well, and I might just have to carry this around in the car along with the datacard for those emergency situations.

It’s a simple x86 with 1GB diskspace and 1GB RAM. The device takes a simple 12V/6A input and therefore wiring it up to a car, battery, or other portable power supply shouldn’t be a problem!

Any ideas what next?


15 Sep 09 Linux Color Directory Listings

How to add color to ‘ls’?

Adding color to your ls directory listings is easy enough, just use ls --color. You can set this behavior as the default with alias ls='ls --color' which I personally find quite useful. It plays well with PuTTY.

The environment variable LS_COLORS dictates what colors are applied to what file types and file extensions.
(more…)
