The need to encrypt filesystems is to make ur data more secure and safe.
The whole steps include
1) Creating a partition with the fdisk utility ( pre-requisite :-( )
2) Selecting a cipher.
3) Setting up a loop device using the losetup command.
4) Detaching the loop back device
5) Mouting the parition
alright... lets get started..!
let me assume u have created the partition /dev/hda7
first of all we need to shred the partition
#shred -n 1 /dev/hda7
this command would overwrite /dev/hda7 only once!
-OR-
we can use the dd command to overwrite the device..
#dd if=/dev/urandom of=/dev/hda7 bs=1M
Now we need to select a cipher for the encyption
u can list the available ciphers by cat /proc/crypto
here i am using the serpent cipher
make sure u have got the serpent cipher modules inbuilt in ur kernel!
otherwise try
#modprobe serpent
#modprobe cryptoloop ( to setup the loop device described in the next step )
the next step is to setup a loop device using the losetup command.
#losetup -e serpent /dev/loop0 /dev/hda7
It prompts u for a passphrase. DONOT forget the passphrase as its not easy to change
the passphrase as it is hashed to create the encryption key.
Now create a filesystem on the loopback device and mount it.
#mke2fs -j /dev/loop0
#mkdir /cryptfs
#mount -t ext3 /dev/loop0 /cryptfs
once we have mounted the partition, we can then detach the
loop back device frm the partition.
#umount /cryptfs
#losetup -d /dev/loop0
Now mount the partition,
#mount -o encryption=serpent /dev/hda7 /cryptfs
the passphrase which we have given during the loop device setup will be asked
and u need to enter it correctly to mount the device.
Sunday, September 9, 2007
Saturday, September 8, 2007
COPY FROM LINUX TO M$ and vice-versa
SAMBA:
------
Samba acts as a fileserver for windows/linux using the SMB protocol
(Server Message Block), SMB is sometimes referred to as CIFS (Common Internet
File System).
Server Side:
------------
The directory to be shared from a linux server has to be given a sharename.
Clients access server's directory by referring to this sharename.
We can have user level access list and host level access list in samba.
Those users to whom server is granting access shuld be a unix server user
as well, and those users shuld be converted to samba users by giving them a
seperate samba password also. The samba users password database is located
inside /etc/samba directory in the name smbpasswd.
ie, /etc/samba/smbpasswd
Eg:
There is a directory in the server named /backups.
These directory needs to be shared to clients which use windows OS.
First of all we need to give /backups a sharename, by which the windows clients
access our /backups. Let it be UNIXBAKUP.
We are planning to give access to this share only for windows clients
192.168.0.3 and 192.168.0.2 only.
More over, they shuld be granted access if and only if they login as users
jack or jane.
Open the samba configuration file using an editor,
-------------------------------------
#vi /etc/samba/smb.conf
[UNIXBAKUP]
comment = Share for windows clients
path = /backups
valid users = jane jack
hosts allow = 192.168.0.3 192.168.0.2
writeable = yes
create mask = 0765
-------------------------------------
Now we need to add the allowed users
#useradd jane
#useradd jack
#passwd -l jack ; passwd -l jane
this is done to lock their unix password
Now we need to convert these unix users to samba users.
#smbpasswd -a jane
now u will be prompted for a password.
this step only adds the user to the samba password database.
we need to allow this user to use our samba server.
#smbpasswd -e jane
same way add the user jack also.
now we need to give permission to users jane and jack the write permission in
our share
#chmod 777 /backups
#/etc/init.d/smb start
#chkconfig smb on
to make our samba server persistent across reboots.
now we can test whether our samba configuration is correct or not with the
command testparm
#testparm
if any errors are there it will be reported.
--------------------------------------------
Client Side: (in 192.168.0.2 and 192.168.0.3)
------------
#smbclient //sambaserveraddress/sharename -U username
here
#smbclient //192.168.0.4/UNIXBAKUP -U jane/jack
enter the password
u will be put into a samba shell
smb: \>
now u are inside 192.168.0.4's /backups directory
frm here if u want to get some files, frm with in samba shell issue
smb: \>mget filename
file is now copied frm samba server to the client directory frm where we logged into the samba server.
instead if u want to put some files frm the folder where u logged into the
samba server, issue
smb: \>mput file-frm-the-client
smb: \>ls
you will be listed with the file u have just copied frm client to the
samba server.
Using GUI:
------------
Take run in KDE/Gnome and try
smb://sambaserverip
then u will be prompted for the samba username and password!
In M$ Windows u can access the Linux samba share by taking Start>Run and issuing
\\sambaserverip
upon opening any directory u will be asked the samba username and password...!
------
Samba acts as a fileserver for windows/linux using the SMB protocol
(Server Message Block), SMB is sometimes referred to as CIFS (Common Internet
File System).
Server Side:
------------
The directory to be shared from a linux server has to be given a sharename.
Clients access server's directory by referring to this sharename.
We can have user level access list and host level access list in samba.
Those users to whom server is granting access shuld be a unix server user
as well, and those users shuld be converted to samba users by giving them a
seperate samba password also. The samba users password database is located
inside /etc/samba directory in the name smbpasswd.
ie, /etc/samba/smbpasswd
Eg:
There is a directory in the server named /backups.
These directory needs to be shared to clients which use windows OS.
First of all we need to give /backups a sharename, by which the windows clients
access our /backups. Let it be UNIXBAKUP.
We are planning to give access to this share only for windows clients
192.168.0.3 and 192.168.0.2 only.
More over, they shuld be granted access if and only if they login as users
jack or jane.
Open the samba configuration file using an editor,
-------------------------------------
#vi /etc/samba/smb.conf
[UNIXBAKUP]
comment = Share for windows clients
path = /backups
valid users = jane jack
hosts allow = 192.168.0.3 192.168.0.2
writeable = yes
create mask = 0765
-------------------------------------
Now we need to add the allowed users
#useradd jane
#useradd jack
#passwd -l jack ; passwd -l jane
this is done to lock their unix password
Now we need to convert these unix users to samba users.
#smbpasswd -a jane
now u will be prompted for a password.
this step only adds the user to the samba password database.
we need to allow this user to use our samba server.
#smbpasswd -e jane
same way add the user jack also.
now we need to give permission to users jane and jack the write permission in
our share
#chmod 777 /backups
#/etc/init.d/smb start
#chkconfig smb on
to make our samba server persistent across reboots.
now we can test whether our samba configuration is correct or not with the
command testparm
#testparm
if any errors are there it will be reported.
--------------------------------------------
Client Side: (in 192.168.0.2 and 192.168.0.3)
------------
#smbclient //
here
#smbclient //192.168.0.4/UNIXBAKUP -U jane/jack
enter the password
u will be put into a samba shell
smb: \>
now u are inside 192.168.0.4's /backups directory
frm here if u want to get some files, frm with in samba shell issue
smb: \>mget filename
file is now copied frm samba server to the client directory frm where we logged into the samba server.
instead if u want to put some files frm the folder where u logged into the
samba server, issue
smb: \>mput
smb: \>ls
you will be listed with the file u have just copied frm client to the
samba server.
Using GUI:
------------
Take run in KDE/Gnome and try
smb://sambaserverip
then u will be prompted for the samba username and password!
In M$ Windows u can access the Linux samba share by taking Start>Run and issuing
\\sambaserverip
upon opening any directory u will be asked the samba username and password...!
Manage Logical Volumes
LVM Creation:
-------------
Create a linux partition, make it a LVM by toggling the linux partitions id to
8e.
Convert it to a physical volume by issuing the command
#pvcreate devicename
Then, make the volume group in that physical volume,
#vgcreate vgname devicename
Then make logical volumes in the volume group,
#lvcreate -L sizeM -n lvname vgname
Make a linux filesystem in the logical volume,
#mkfs.ext3 /dev/vgname/lvname
This device is a softlink to the device /dev/mapper/vgname-lvname
Then mount that logical volume,
#mount /dev/vgname/lvname
LVM Resizing:
-------------
LVM format 2.0 is now implemented which supports online resizing of filesystems.
check the current size of the filesystem by 'df -h'
Extend the above created logical volume BY X MB,
#lvextend -L +XM /dev/vgname/lvname
we are doing it without unmounting the filesystem
Now to make the extension effective, issue
#resize2fs /dev/vgname/lvname
now recheck the filesystem size by 'df -h',
now the filesystem will be extended by X MB.
Now if u want to reduce the logical volume TO X MB,
u must first umount the device, online reducing of logical volumes cannot be done..!
#umount
then u need to scan the filesystem for integrity.
#e2fsck -f /dev/vgname/lvname
now resize the filesystem
#resize2fs /dev/vgname/lvname X MB
then reduce the volume with lvreduce and mount it..
#lvreduce -L XM /dev/vgname/lvname
#mount /dev/vgname/lvname
-------------
Create a linux partition, make it a LVM by toggling the linux partitions id to
8e.
Convert it to a physical volume by issuing the command
#pvcreate devicename
Then, make the volume group in that physical volume,
#vgcreate vgname
Then make logical volumes in the volume group,
#lvcreate -L size
Make a linux filesystem in the logical volume,
#mkfs.ext3 /dev/
This device is a softlink to the device /dev/mapper/vgname-lvname
Then mount that logical volume,
#mount /dev/
LVM Resizing:
-------------
LVM format 2.0 is now implemented which supports online resizing of filesystems.
check the current size of the filesystem by 'df -h'
Extend the above created logical volume BY X MB,
#lvextend -L +XM /dev/
we are doing it without unmounting the filesystem
Now to make the extension effective, issue
#resize2fs /dev/
now recheck the filesystem size by 'df -h',
now the filesystem will be extended by X MB.
Now if u want to reduce the logical volume TO X MB,
u must first umount the device, online reducing of logical volumes cannot be done..!
#umount
then u need to scan the filesystem for integrity.
#e2fsck -f /dev/vgname
now resize the filesystem
#resize2fs /dev/vgname
then reduce the volume with lvreduce and mount it..
#lvreduce -L XM /dev/vgname
#mount /dev/vgname
Wednesday, September 5, 2007
init-->xinetd
this is how we can convert the init based service ftp to an xinetd service..
1) First of all we need to make FTP not to listen on port 21 by making 'listen=NO' in
/etc/vsftpd/vsftpd.conf.
2) Then, make a file named ftp inside /etc/xinetd.d
the contents of /etc/xinetd.d/ftp should look like this
service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
server_args = /etc/vsftpd/vsftpd.conf
nice = 10
flags = IPv4
}
3) then restart the xinetd service by
#/etc/init.d/xinetd restart
#chkconfig xinetd on
now if u 'nmap localhost', u can see that the port 21 is now open...!
1) First of all we need to make FTP not to listen on port 21 by making 'listen=NO' in
/etc/vsftpd/vsftpd.conf.
2) Then, make a file named ftp inside /etc/xinetd.d
the contents of /etc/xinetd.d/ftp should look like this
service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
server_args = /etc/vsftpd/vsftpd.conf
nice = 10
flags = IPv4
}
3) then restart the xinetd service by
#/etc/init.d/xinetd restart
#chkconfig xinetd on
now if u 'nmap localhost', u can see that the port 21 is now open...!
Tuesday, September 4, 2007
Services - XINETD and INIT
Services in Linux:
------------------
Services in linux are classified into TWO.
XINETD and INIT based services.
XINETD is itself an INIT based service.
All INIT based services are invoked by the command,
#/etc/init.d/service start
XINETD services' configuration file resides in /etc/xinetd.d directory.
All the services are made persistent across reboots by
#chkconfig servicename on , for all init based services.
#chkconfig xinetd on , for all xinetd based services.
XINETD services: e(X)tended (I)(N)tern(E)(T) services (D)aemon
--------------------------------------------------------------
xinetd service is called a super server as it serves as the daemon for a number of seperate services.
For all the services which use xinetd, we need to start the xinetd daemon only. xinetd services' configuration files can be found at /etc/xinetd.d/servicename
All the xinetd services are having the same syntax facilitating the administration of xinetd services very easy.
Extensive logging and fine grained access control can be implemented with xinetd
Xinetd service forks process ids only when a client requests the service.
Only one process is necessary to invoke process ids for individual xinetd services, ie the xinetd super daemon itself.
Logging based on hostname are not supported in XINETD
INIT based services:
--------------------
INIT based services are having individual configuration files under
/etc/service/servicename.
Their starting scripts are placed under /etc/init.d/servicename.
Each individual services can be started by
#/etc/init.d/servicename start
and to sum up... the more the processes .. the lesser the performance of the machine..
so it is advisable to have more xinetd based services than init based ones..!
------------------
Services in linux are classified into TWO.
XINETD and INIT based services.
XINETD is itself an INIT based service.
All INIT based services are invoked by the command,
#/etc/init.d/
XINETD services' configuration file resides in /etc/xinetd.d directory.
All the services are made persistent across reboots by
#chkconfig servicename
#chkconfig xinetd on , for all xinetd based services.
XINETD services: e(X)tended (I)(N)tern(E)(T) services (D)aemon
--------------------------------------------------------------
xinetd service is called a super server as it serves as the daemon for a number of seperate services.
For all the services which use xinetd, we need to start the xinetd daemon only. xinetd services' configuration files can be found at /etc/xinetd.d/service
All the xinetd services are having the same syntax facilitating the administration of xinetd services very easy.
Extensive logging and fine grained access control can be implemented with xinetd
Xinetd service forks process ids only when a client requests the service.
Only one process is necessary to invoke process ids for individual xinetd services, ie the xinetd super daemon itself.
Logging based on hostname are not supported in XINETD
INIT based services:
--------------------
INIT based services are having individual configuration files under
/etc/
Their starting scripts are placed under /etc/init.d/
Each individual services can be started by
#/etc/init.d/
and to sum up... the more the processes .. the lesser the performance of the machine..
so it is advisable to have more xinetd based services than init based ones..!
Monday, September 3, 2007
INODES,LINKS
Inode Table:
All files in linux are having an inode number which is residing inside the inode table of a partition. For every partition there is an inode table, so an inode number will be unique for a partition, and thats the reason why we cannot hardlink between two partitions. Inode number contains a file's uid, gid, access time, modification time, change time and size of the file. inode number DOESNT hold a file's NAME. we can retrieve the contents of a file even if the file is deleted unless and until the inode number corresponding to that file is overwritten.
The inode number can be viewed with the -i switch with the 'ls' command..!
$ls -i filename
softlinks:
softlinks are similar to shortcuts in Microsoft Windows. softlinks' size is determined by the number of characters in the absolute path to the original file it is linking to. Softlinks are apparently having full permissions. Soft links are effective as we can link files among different partitions. If the orignal file is removed ( or renamed )the soft links become dead, meaning softlinks refer only to the NAME of the original file. Soft links will be having a different inode number frm the original file. Soft links cannot be touched (means... their timestamps cannot be updated).
hardlinks:
hardlinks are pointers to the inode number of a file. hardlink will be having the same inode number as that of the original file. The contents will be there in the hardlink if we delete the original file as hardlink points to the same inode number in the inode table. We cannot hardlink between two partitions. same way... we cannot hardlink a directory. if some updates are done in the original file, it is reflected to hardlinks also as the updates are done in the inode number. Hardlink is not at all an overhead as they are pointers to the same inode number.
All files in linux are having an inode number which is residing inside the inode table of a partition. For every partition there is an inode table, so an inode number will be unique for a partition, and thats the reason why we cannot hardlink between two partitions. Inode number contains a file's uid, gid, access time, modification time, change time and size of the file. inode number DOESNT hold a file's NAME. we can retrieve the contents of a file even if the file is deleted unless and until the inode number corresponding to that file is overwritten.
The inode number can be viewed with the -i switch with the 'ls' command..!
$ls -i filename
softlinks:
softlinks are similar to shortcuts in Microsoft Windows. softlinks' size is determined by the number of characters in the absolute path to the original file it is linking to. Softlinks are apparently having full permissions. Soft links are effective as we can link files among different partitions. If the orignal file is removed ( or renamed )the soft links become dead, meaning softlinks refer only to the NAME of the original file. Soft links will be having a different inode number frm the original file. Soft links cannot be touched (means... their timestamps cannot be updated).
hardlinks:
hardlinks are pointers to the inode number of a file. hardlink will be having the same inode number as that of the original file. The contents will be there in the hardlink if we delete the original file as hardlink points to the same inode number in the inode table. We cannot hardlink between two partitions. same way... we cannot hardlink a directory. if some updates are done in the original file, it is reflected to hardlinks also as the updates are done in the inode number. Hardlink is not at all an overhead as they are pointers to the same inode number.
Sunday, September 2, 2007
SSL - Concepts Simplified...!?!!!
Secure Socket Layer:
--------------------
The Secure Socket Layer protocol was first introduced by Netscape to ensure secure transations between
webservers and browsers. The protocol uses a third party Certificate Authority (CA) to identify the both end
of the transactions
SSL philosophy:
---------------
1. Client using some browser requests a secure page (https://www.gmail.com)
2. www.gmail.com sends its public key with its certificate
signed by (Thawte Consulting Pty Limited) (dated: 02/09/2007, 20:48)
3. Our browser checks that the certificate was issued by a trusted party (Thawte here), that the certificate is
still valid and the certificate is related to site we just contacted (www.gmail.com here).
4. The Browser then uses the public key send by www.gmail.com to encrypt some random symmetric
encryption key and sends it to www.gmail.com along with the encrypted URL requested as well as other
encrypted data.
5. www.gmail.com decrypts the encrypted symmetric key send by the browser (in step 4) with its private key and uses this
symmetric key to decrypt the URL and http data.
6. www.gmail.com sends back the requested html data encrypted with the symmetric encrytion key send by the
browser in step 4.
7. Our browser decrypts the http data and html document using symmetric key and displays the information.
With this symmetric key the further communication between www.gmail.com and our browser takes place.
Here asymmetric encryption machanism is taking place between browser and www.gmail.com.
Our browser encrypted some key with public key of www.gmail.com and www.gmail.com on recieval of
this encrypted key, decrypted it with its private key. This mechanisms works with public/private key pairs.
This way www.gmail.com sends its public key to every browser requesting its first page and SSL mechanism
undergoes like the above 7 steps.
--------------------
The Secure Socket Layer protocol was first introduced by Netscape to ensure secure transations between
webservers and browsers. The protocol uses a third party Certificate Authority (CA) to identify the both end
of the transactions
SSL philosophy:
---------------
1. Client using some browser requests a secure page (https://www.gmail.com)
2. www.gmail.com sends its public key with its certificate
signed by (Thawte Consulting Pty Limited) (dated: 02/09/2007, 20:48)
3. Our browser checks that the certificate was issued by a trusted party (Thawte here), that the certificate is
still valid and the certificate is related to site we just contacted (www.gmail.com here).
4. The Browser then uses the public key send by www.gmail.com to encrypt some random symmetric
encryption key and sends it to www.gmail.com along with the encrypted URL requested as well as other
encrypted data.
5. www.gmail.com decrypts the encrypted symmetric key send by the browser (in step 4) with its private key and uses this
symmetric key to decrypt the URL and http data.
6. www.gmail.com sends back the requested html data encrypted with the symmetric encrytion key send by the
browser in step 4.
7. Our browser decrypts the http data and html document using symmetric key and displays the information.
With this symmetric key the further communication between www.gmail.com and our browser takes place.
Here asymmetric encryption machanism is taking place between browser and www.gmail.com.
Our browser encrypted some key with public key of www.gmail.com and www.gmail.com on recieval of
this encrypted key, decrypted it with its private key. This mechanisms works with public/private key pairs.
This way www.gmail.com sends its public key to every browser requesting its first page and SSL mechanism
undergoes like the above 7 steps.
vsFTPd configuration in RHEL 5.0
FTP:
conf file: /etc/vsftpd/vsftpd.conf
Unlike SSH we are having two files to allow/deny users via FTP ( in SSH we did it in the main configuration file itself by AllowUsers/DenyUsers)
The main file for denial is /etc/vsftpd/ftpusers
The other file is /etc/vsftpd/user_list
But if we need to make our FTP check user_list file we need to say it in the main configuration file, like
userlist_enable=YES
If, userlist_enable=NO, ftp doesnt check user_list file
The behaviour of user_list depends upon the declaration inside the vsftpd.conf file
if its declared like,
userlist_deny=YES , those usernames inside user_list is denied even without prompting for a password
if its declared like,
userlist_deny=NO, those in user_list are ONLY allowed to login.
Whatever the behaviour of user_list, FTP searches for ftpusers file for users that are DENIED!
conf file: /etc/vsftpd/vsftpd.conf
Unlike SSH we are having two files to allow/deny users via FTP ( in SSH we did it in the main configuration file itself by AllowUsers/DenyUsers)
The main file for denial is /etc/vsftpd/ftpusers
The other file is /etc/vsftpd/user_list
But if we need to make our FTP check user_list file we need to say it in the main configuration file, like
userlist_enable=YES
If, userlist_enable=NO, ftp doesnt check user_list file
The behaviour of user_list depends upon the declaration inside the vsftpd.conf file
if its declared like,
userlist_deny=YES , those usernames inside user_list is denied even without prompting for a password
if its declared like,
userlist_deny=NO, those in user_list are ONLY allowed to login.
Whatever the behaviour of user_list, FTP searches for ftpusers file for users that are DENIED!
ipv4 to ipv6 and vice-versa...
its been quite a some time that i have started thinking abt switching to ipv6 frm ipv4.... and finally im into configuring an ipv6 dhcp server...
as i was not that good at ipv6... wat i did was to convert the ipv4 addresses to ipv6 using a kool sexy tool available with Red Hat Enterprise editions... 'ipv6calc'
and here it goes...
i need to conver the ipv4 address 172.24.0.7 to ipv6... lets do it now..
$ipv6calc --in ipv4addr 172.24.0.7 --action conv6to4 --out ipv6addr
it will output the ipv6 equivalent of 172.24.0.7
and it will be..
2002:ac18:7::
suppose u want to convert this ipv6 address back to ipv4...
here it goes...
$ipv6calc --in ipv6addr 2002:ac18:7:: --action conv6to4 --out ipv4addr
172.24.0.7
have happy conversions..! :d
~mj0vy
:wq
as i was not that good at ipv6... wat i did was to convert the ipv4 addresses to ipv6 using a kool sexy tool available with Red Hat Enterprise editions... 'ipv6calc'
and here it goes...
i need to conver the ipv4 address 172.24.0.7 to ipv6... lets do it now..
$ipv6calc --in ipv4addr 172.24.0.7 --action conv6to4 --out ipv6addr
it will output the ipv6 equivalent of 172.24.0.7
and it will be..
2002:ac18:7::
suppose u want to convert this ipv6 address back to ipv4...
here it goes...
$ipv6calc --in ipv6addr 2002:ac18:7:: --action conv6to4 --out ipv4addr
172.24.0.7
have happy conversions..! :d
~mj0vy
:wq
Subscribe to:
Posts (Atom)