2008-12-27

How to resize NTFS partitions

Christmas brought a new laptop with a preinstalled Windows XP. Because Windows is only useful for games but not for work, it was necessary to resize the NTFS partition to create space for a later Linux or OpenSolaris installation.

Because Windows XP is not able to resize its own partitions I had to look for third-party software to do the resize. First I found all the well-known commercial stuff like Paragon Partition Manager, but it simply costs too much money for resizing this partition only once.

After a while, I found the Gnome Partition Manager (aka gparted). This tool allows you to add, delete, move and resize a lot of different types of partitions.

Using gparted is very simple. First download the gparted ISO image from the website and burn it onto a CD. This CD is bootable. After booting your computer from the CD you can directly start editing your partitions via a nice graphical user interface.

All in all a very nice and simple-to-use tool for all this partitioning work.

2008-11-09

Encrypting your /tmp partition

In my last post I explained how to encrypt the SWAP partition. Today I'm going to show how to encrypt the /tmp partition. First of all it is necessary to install the cryptsetup tool.

apt-get install cryptsetup

Let us assume that /dev/sda7 should become our encrypted /tmp partition. We start by writing random data over the whole partition, so that used and unused blocks look alike later on. This protects against some kinds of cryptanalysis attacks.

dd if=/dev/urandom of=/dev/sda7

Depending on the size of your /tmp partition you should go and drink one or more coffees. This step will take some time.

Next we set up the encrypted device with cryptsetup:

cryptsetup --key-file /dev/urandom --key-size 128 create ctmp /dev/sda7

Finally we modify /etc/crypttab and /etc/fstab:

/etc/crypttab:
ctmp /dev/sda7 /dev/urandom tmp,cipher=aes-cbc-essiv:sha256,size=128,hash=ripemd160

/etc/fstab:
/dev/mapper/ctmp /tmp ext2 nodev,nosuid 0 2

Now restart your computer and your /tmp partition should be encrypted.

2008-11-05

Encrypting your SWAP partition

Today I started playing with file system encryption. Almost everyone is aware of the necessity of encrypting their data partitions. But there are some simple side-channel attacks that bypass this security feature.

Many applications write temporary data into the /tmp directory. So there is a high chance that an attacker can find secret information simply by looking into /tmp. Another possibility is grepping the swap partition for secret information (for example from a Linux live CD; otherwise the data would be overwritten during the boot sequence).

I will show how simple it is to fend off such a side-channel attack on the swap partition. Maybe I will write a post about encryption of data and /tmp partitions in the future, but at the moment my solution isn't as perfect as it should be and it still needs to be optimized.

Now, let's start encrypting the swap partition. We assume that your swap partition is /dev/sda3. Please adapt this to your system's configuration, otherwise you may lose data.

First, you have to install the necessary deb package:

apt-get install cryptsetup

Next edit the file /etc/crypttab:

cryptoswap /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=128,hash=ripemd160

Now remove the old entry for the swap partition from /etc/fstab and insert the following:

/dev/mapper/cryptoswap none swap sw 0 0

That's all. Now reboot your system and from now on your swap partition should be encrypted.
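The crypttab and fstab pairs from this post and from the /tmp post above are easy to get subtly wrong: a misspelled option does not do what you intended, a forgotten old swap line keeps the plaintext device in use, and a mount point of "none" on a filesystem mapping never mounts /tmp. The following Python checker is an added example, not code from the blog; it runs over constructed copies of the lines from both posts and reports such inconsistencies before you reboot.

```python
from typing import List

# Constructed sample config: the crypttab lines from the two posts (one with the
# 'chiper' typo) and fstab lines, one of which has 'none' where /tmp should be.
SAMPLE_CRYPTTAB = """\
cryptoswap /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=128,hash=ripemd160
ctmp /dev/sda7 /dev/urandom tmp,chiper=aes-cbc-essiv:sha256,size=128,hash=ripemd160
"""
SAMPLE_FSTAB = """\
/dev/mapper/cryptoswap none swap sw 0 0
/dev/mapper/ctmp none ext2 nodev,nosuid 0 2
"""
# crypttab options the posts rely on (assumption: anything else is a typo worth reporting)
KNOWN_OPTIONS = {"swap", "tmp", "cipher", "size", "hash"}

def _fields(text: str, minimum: int):
    """Yield the whitespace-separated fields of each non-comment line with enough fields."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= minimum and not f[0].startswith("#"):
            yield f

def check(crypttab: str, fstab: str) -> List[str]:
    """Return human-readable problems; an empty list means the pair looks consistent."""
    problems = []
    rows = [{"dev": f[0], "mount": f[1], "type": f[2], "opts": set(f[3].split(","))}
            for f in _fields(fstab, 4)]
    for name, device, key, *rest in _fields(crypttab, 3):
        opts = rest[0].split(",") if rest else []
        # a /dev/urandom key is fine only for contents that may vanish at every boot
        if key == "/dev/urandom" and not ({"swap", "tmp"} & set(opts)):
            problems.append(f"{name}: random key on a non-volatile mapping destroys data at boot")
        for o in opts:
            if o.split("=", 1)[0] not in KNOWN_OPTIONS:
                problems.append(f"{name}: unknown crypttab option {o!r}")
        # the old fstab entry for the plaintext device must be gone
        if any(r["dev"] == device for r in rows):
            problems.append(f"{name}: fstab still mounts the plaintext device {device}")
        uses = [r for r in rows if r["dev"] == f"/dev/mapper/{name}"]
        if not uses:
            problems.append(f"{name}: no fstab entry for /dev/mapper/{name}")
        for r in uses:
            if r["type"] != "swap" and not r["mount"].startswith("/"):
                problems.append(f"{name}: mount point {r['mount']!r} is not a path")
            if "tmp" in opts and not {"nodev", "nosuid"} <= r["opts"]:
                problems.append(f"{name}: /tmp should be mounted nodev,nosuid")
    return problems

if __name__ == "__main__":
    for p in check(SAMPLE_CRYPTTAB, SAMPLE_FSTAB) or ["no problems found"]:
        print(p)
```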

2008-11-02

OpenSSH Visual Host Key

The new OpenSSH 5.1p1 offers a feature called visual host key. The idea behind it is that our brain is better at remembering images than text. So this feature visualizes the host key to make it easier for our brain to recognize.

To enable this feature simply add the following lines to your ~/.ssh/config:

Host *
VisualHostKey yes
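As an added illustration (not part of the original post), the following Python re-implements the "drunken bishop" walk that OpenSSH uses to turn the 16-byte MD5 fingerprint of a host key into that picture: the sample key blob is constructed, and the frame text only approximates what OpenSSH prints.

```python
import hashlib
from typing import List

SYMBOLS = " .o+=*BOX@%&#/^SE"     # OpenSSH's augmentation string; last two are start/end marks
WIDTH, HEIGHT = 17, 9            # field size OpenSSH draws

def fingerprint_md5(key_blob: bytes) -> bytes:
    """OpenSSH 5.1 fingerprints a host key as the MD5 of its raw key blob."""
    return hashlib.md5(key_blob).digest()

def randomart(fingerprint: bytes, title: str = "RSA 2048") -> List[str]:
    """Draw the 'drunken bishop' picture for a 16-byte fingerprint, as in OpenSSH's
    key_fingerprint_randomart(): every byte yields four 2-bit moves (LSB first),
    bit 0 moves right/left, bit 1 moves down/up, the walker is clamped to the
    field and each landing increments the cell's counter (capped so S/E stay unique).
    """
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    cap = len(SYMBOLS) - 3                    # '^' is the busiest plain symbol
    for byte in fingerprint:
        for _ in range(4):
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            x = min(max(x, 0), WIDTH - 1)
            y = min(max(y, 0), HEIGHT - 1)
            if field[y][x] < cap:
                field[y][x] += 1
            byte >>= 2
    field[HEIGHT // 2][WIDTH // 2] = len(SYMBOLS) - 2   # 'S' marks the start
    field[y][x] = len(SYMBOLS) - 1                      # 'E' marks where the walk ended
    header = ("+--[" + title + "]").ljust(WIDTH + 1, "-") + "+"   # frame text approximates OpenSSH's
    rows = ["|" + "".join(SYMBOLS[c] for c in line) + "|" for line in field]
    return [header] + rows + ["+" + "-" * WIDTH + "+"]

if __name__ == "__main__":
    # constructed stand-in for a host key blob; a real one comes from known_hosts
    sample_key = b"constructed-sample-host-key-blob"
    print("\n".join(randomart(fingerprint_md5(sample_key))))
```

A single flipped bit in the fingerprint changes the whole walk, which is why two different keys practically never produce the same picture.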

2008-10-21

Systems 2008

Today the Systems trade fair started in Munich. This year the Systems spans five halls, the same size as in 2007.

The most interesting hall this year was hall B3, the IT security hall, which covers one of the most important topics in IT business today.

Together with one of its partners, the Rittal company showed the world's smallest computing center: only one rack, but it includes a climate control unit and fire extinguishing equipment. The rack is also protected against common risks like fire (outside the rack) and theft.

At the stand of the Federal Office for Information Security (BSI) I got very good information about security certifications. They offer a lot of standard procedures to introduce IT security processes in companies.

In the open source area I found a lot of very well-known people from the German company SerNet. Karolin Seeger and Volker Lendecke talked about the news around the Samba server. Nearby, the Debian project informed visitors about the upcoming Lenny release.

A big topic at this year's Systems was also virtualisation. I was able to compare different solutions from different vendors. Parallels Virtuozzo and Citrix's XenServer seemed to be the big players in addition to VMware. Unfortunately, Google did not show their Xen-based Ganeti cluster software, which I was really interested in.

I also met a lot of friends and well-known people at the Systems. So we found much time to exchange experiences and to bombard the stand staff with our questions together.

At the end of the day it was a nice trade fair without really big news. But I was able to take a more detailed look at some interesting products.

2008-10-20

Restrict user logins with pam_listfile

In some situations it can be useful to allow a direct SSH login only to a handful of privileged users or groups. A typical scenario could be a web server or a mail server which is integrated into an LDAP directory. In this case all users in your directory may be able to log in by default.

A very flexible and easy way to restrict the login is the pam_listfile module. It allows you to restrict the login to single users or groups. The allowed users and/or groups are listed in a simple configuration file, one entry per line. That's all.

But first you have to change your PAM (for the noobs: PAM == pluggable authentication modules) configuration a little bit. Here you can see a simplified configuration for the sshd login on a Debian box:

# PAM configuration for the Secure Shell service

# Allow only users who are in the groups listed in /etc/logingroups
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/logingroups

# Standard Un*x authentication.
@include common-auth

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Standard Un*x password updating.
@include common-password

Finally, add all groups which should be able to log in to the /etc/logingroups file. Don't forget to add the root group if you want to allow root logins via ssh.

You can do the same with users. Simply change item=group into item=user and choose another name for the file attribute.

There may be other possibilities to restrict logins, but I believe this one is really elegant. Naturally, you can use the module with other PAM-based services (e.g. login) too.
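To make the decision behind that sshd line concrete, here is an added Python model of pam_listfile (my own simplification, not the module's code) run over a constructed group table and /etc/logingroups: only members of a listed group get through, item=user switches the comparison to user names, and onerr=fail closes the door when the list file cannot be read at all.

```python
from typing import Dict, Optional, Set

# Constructed stand-ins for /etc/group (group -> members) and /etc/logingroups.
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "root": {"root"},
    "admin": {"alice"},
    "users": {"alice", "bob", "carol"},
    "www-data": {"www-data"},
}
SAMPLE_LOGINGROUPS = "root\nadmin\n"      # the post's /etc/logingroups: root and admin may log in

def user_groups(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Groups the user belongs to (the real module resolves this via the group database)."""
    return {g for g, members in groups.items() if user in members}

def pam_listfile(user: str, *, item: str, sense: str, onerr: str,
                 listfile: Optional[str], groups: Dict[str, Set[str]]) -> str:
    """Simplified model of pam_listfile's decision; returns 'PAM_SUCCESS' or 'PAM_AUTH_ERR'.

    item selects what is compared against the list (user name or any group the
    user is in), sense=allow succeeds only on a match, sense=deny fails on a match,
    and onerr decides what happens when the list cannot be read at all.
    """
    if listfile is None:                       # file missing or unreadable
        return "PAM_SUCCESS" if onerr == "succeed" else "PAM_AUTH_ERR"
    listed = {line.strip() for line in listfile.splitlines() if line.strip()}
    if item == "user":
        matched = user in listed
    elif item == "group":
        matched = bool(user_groups(user, groups) & listed)
    else:
        raise ValueError(f"item type {item!r} not modelled here")
    if sense == "allow":
        return "PAM_SUCCESS" if matched else "PAM_AUTH_ERR"
    if sense == "deny":
        return "PAM_AUTH_ERR" if matched else "PAM_SUCCESS"
    raise ValueError(f"unknown sense {sense!r}")

def sshd_decision(user: str, listfile: Optional[str] = SAMPLE_LOGINGROUPS,
                  groups: Dict[str, Set[str]] = SAMPLE_GROUPS) -> str:
    """The post's line: auth required pam_listfile.so onerr=fail item=group sense=allow file=..."""
    return pam_listfile(user, item="group", sense="allow", onerr="fail",
                        listfile=listfile, groups=groups)

if __name__ == "__main__":
    for u in ("root", "alice", "bob", "www-data"):
        print(u, sshd_decision(u))
    print("list file missing:", sshd_decision("alice", listfile=None))
```

Because the line is marked "required", an AUTH_ERR from this module makes the whole auth stack fail, regardless of what common-auth decides afterwards.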

Let's go!

Today I started the IT Futtzy blog and entered the new Web 2.0 world. What is Web 2.0? Most people believe it has something to do with technology. But for me the main idea behind Web 2.0 is that everybody is able to add content.

So this should be a place where I want to share my experiences in different IT topics with the worldwide Internet community. I hope there are a lot of people out there who will be happy to get some information from this blog.