Now that we have a VM that sits on an encrypted data store, we can install utilities that make the guest OS more secure.
Since I opted for Xubuntu as my guest OS, I'll be using apt-get and Ubuntu's package management system.
First, we need a secure way of deleting data. Deleting a file doesn't actually overwrite its contents, so we need something that does. Two programs I use are wipe and scrub.
Now we need a way to browse the Internet. I prefer Firefox, but Chrome/Chromium is also a good choice. If you want to take it to the next level I suggest using Tor. Either install Tor and a proxy server on the OS or get the Tor bundle. The bundle includes Firefox with some add-ons that promote safe browsing.
Deletion
- wipe
- scrub
Internet Browsing
- chrome/chromium
- firefox
- tor bundle
Email/Messaging
- Thunderbird
- pidgin
- torchat
- enigmail

- aide
- snort
- apg
- ntop
- darkstat
- nmap
- openvpn
- strongswan
- ufw
- firestarter
- denyhosts
- fail2ban
- disable root ssh login
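The last item on the list is easy to get wrong: sshd takes the first uncommented occurrence of a keyword, so a hardening line appended after an existing one, or after a Match block, does nothing. This added check (my own example, not part of the original post) reports the effective PermitRootLogin value of an sshd_config; the sample configs are constructed, and it assumes the older OpenSSH default of "yes" when the keyword is absent.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective
# PermitRootLogin value of an sshd_config. sshd uses the FIRST uncommented
# occurrence of a keyword, and lines after a "Match" line apply only
# conditionally, so a "PermitRootLogin no" appended at the end of the file
# may never take effect. Assumes the older OpenSSH default of "yes" when the
# keyword is absent (newer releases default to prohibit-password).

# sshd_permit_root_login CONFIG -> prints the effective value (lower-case).
sshd_permit_root_login() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                     # tolerate indentation
        tolower($1) == "match" { exit }            # rest is conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# sshd_root_login_disabled CONFIG -> 0 only if root SSH login is fully off.
# "without-password"/"prohibit-password" still allow key-based root login,
# so they are reported as not disabled.
sshd_root_login_disabled() {
    [ "$(sshd_permit_root_login "$1")" = "no" ]
}

# Constructed sample configs (written to temp files, path echoed back).
mkcfg() { f=$(mktemp); cat >"$f"; echo "$f"; }
CFG_BAD=$(printf 'PermitRootLogin yes\nPermitRootLogin no\n' | mkcfg)
CFG_GOOD=$(printf '#PermitRootLogin yes\nPermitRootLogin=no\n' | mkcfg)
CFG_MATCH=$(printf 'Match User backup\n    PermitRootLogin no\n' | mkcfg)

# Usage against the real file:
# sshd_root_login_disabled /etc/ssh/sshd_config || echo "root SSH login is still enabled"
```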
Thursday, June 28, 2012
Thursday, June 14, 2012
Creating a Secure Virtual Machine
Creating a secure VM using Linux, EncFS, and VirtualBox.
First install and set up EncFS.
To create an EncFS directory run:
encfs /path/to/encrypted-directory /path/to/mount-directory
For example:
encfs ~/.encOS ~/encOS;
This command also mounts the directory.
Now it's time to choose the OS. For this example I chose Xubuntu.
Install VirtualBox and create your VM using the EncFS directory.
Create the VM image in the EncFS directory. I feel an image is more portable than any of the other disk options in VirtualBox.
For an added level of complexity you might want to encrypt the system or your home directory in the VM.
Also use a complex password. I suggest a password with at least 14 characters including letters, numbers, and special characters.
GRC has a password calculator if you want to see how complex your password is.
Once you have finished installing your OS, you are done with the first part of creating a secure VM. Now all data on the VM is encrypted, and if you enabled home directory encryption, your personal files in your home directory are double encrypted.
Later we'll add utilities to add more security to the VM.
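The whole setup rests on the EncFS mount actually being active when the VM image is written: if encfs failed or was never run, ~/encOS is a plain directory and the disk image lands on disk unencrypted. This added guard (my own example, not part of the original post) checks /proc/mounts for a fuse.encfs entry before creating the image; the sample mounts table is constructed, and the VBoxManage createhd call is assumed to be the VirtualBox command for creating a disk image.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to create the VM disk
# image unless the EncFS mount is actually active. If `encfs` failed or was
# never run, ~/encOS is just a plain directory and the image would be written
# to disk unencrypted. /proc/mounts lists EncFS mounts with type fuse.encfs.

# encfs_mounted MOUNTPOINT [MOUNTS_FILE] -> 0 if MOUNTPOINT is an active
# EncFS mount according to MOUNTS_FILE (default /proc/mounts).
encfs_mounted() {
    mp=${1%/}; mounts=${2:-/proc/mounts}   # strip trailing slash for comparison
    awk -v mp="$mp" '$2 == mp && $3 == "fuse.encfs" { found = 1 }
                     END { exit (found ? 0 : 1) }' "$mounts"
}

# create_vm_image MOUNTPOINT IMAGE_NAME [MOUNTS_FILE] -> creates the disk
# image only when the mountpoint is encrypted; otherwise returns 1 and says why.
create_vm_image() {
    mp=$1; name=$2; mounts=${3:-/proc/mounts}
    if ! encfs_mounted "$mp" "$mounts"; then
        echo "refusing: $mp is not an active EncFS mount (run: encfs ~/.encOS $mp)" >&2
        return 1
    fi
    # Assumed VirtualBox command for a 20 GB dynamically allocated image.
    VBoxManage createhd --filename "$mp/$name.vdi" --size 20480
}

# Constructed sample of a /proc/mounts with one EncFS mount.
SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
encfs /home/user/encOS fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF

# Usage on a live system: create_vm_image "$HOME/encOS" xubuntu
```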
Thursday, June 7, 2012
Nagios server and client on CentOS 6
Install CentOS 6 and configure as needed.
Nagios Server install
- Install epel
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
- Disable selinux
- Install Nagios packages
yum install nagios nagios-plugins-all nagios-plugins-nrpe php-pear mod_ssl net-snmp-utils sendmail
- Create the nagios user and password for the web interface
- Iptables
- Add apache to the nagios group
- Configure services
chkconfig httpd on
chkconfig sendmail on
service sendmail restart
- Edit httpd.conf and enable SSL in nagios.conf
Uncomment SSLRequireSSL in /etc/httpd/conf.d/nagios.conf, then restart httpd.
- Configure for nrpe
Add the check_nrpe command by adding the following to /etc/nagios/objects/commands.cfg:
define command{
    command_name check_nrpe
    command_line /usr/lib64/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
Make the servers directory:
mkdir /etc/nagios/servers
chown root:nagios /etc/nagios/servers
service nagios restart
(a reboot might be necessary)
The Nagios server should now be working and accessible from the web interface.
On a separate machine install CentOS 6 with minimal packages. Configure the system as needed.
Client nrpe install
- Install epel
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
- Disable selinux
- Install Nagios nrpe packages
yum install nagios-plugins-nrpe nagios-plugins-all nagios-nrpe openssl
- Add allowed hosts
In /etc/nagios/nrpe.cfg set allowed_hosts to localhost plus the Nagios server's IP (x.x.x.x below):
allowed_hosts=127.0.0.1,x.x.x.x
Also change server_address to the nrpe client's IP.
chown nrpe:nrpe /etc/nagios/nrpe.cfg
- nrpe services
chkconfig nrpe on
service nrpe restart
Allow port 5666 in iptables.
Check connections from both the nrpe client and the Nagios server:
/usr/lib64/nagios/plugins/check_nrpe -H (IP of nrpe)
- Add the nrpe client to the nagios server
define host{
    use linux-server
    host_name (nrpe client name)
    alias CentOS 6
    address (nrpe client)
}
service nagios restart
There should now be two hosts in the web interface.
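Two places in this procedure fail quietly when a placeholder is left in: allowed_hosts on the client (the Nagios server simply gets refused) and the address in the host object. This added script (my own example, not part of the original post) checks an nrpe.cfg for the server's IP and emits the host object only from a validated address; the config and the addresses 192.0.2.10 (server) and 192.0.2.20 (client) are constructed samples, and it assumes nagios.cfg reads /etc/nagios/servers via cfg_dir.

```shell
#!/bin/sh
# Added example (not from the original post): check that an NRPE client's
# nrpe.cfg actually allows the Nagios server, and generate the host object
# for /etc/nagios/servers/ from validated input. Addresses are constructed
# samples; 192.0.2.10 stands in for the Nagios server, 192.0.2.20 for the
# client. Assumes nagios.cfg reads /etc/nagios/servers via cfg_dir.

# nrpe_allows_host CFG IP -> 0 if IP appears in an uncommented allowed_hosts
# line. Commented lines are ignored and spaces after commas are tolerated; a
# missing allowed_hosts line is reported as "not allowed" (NRPE would then
# reject every remote check).
nrpe_allows_host() {
    hosts=$(grep -E '^[ \t]*allowed_hosts[ \t]*=' "$1" | cut -d= -f2- | tr -d ' \t' | tr '\n' ',')
    [ -n "$hosts" ] || return 1
    echo ",$hosts," | grep -qF ",$2,"
}

# nagios_host_def NAME ADDRESS -> print a host object for the servers directory.
# Refuses anything that is not a dotted-quad so the "x.x.x.x" placeholder can
# never end up in a live config and silently break the host check.
nagios_host_def() {
    case $2 in
        ""|*[!0-9.]*) echo "nagios_host_def: '$2' is not an IPv4 address" >&2; return 1 ;;
    esac
    printf 'define host{\n    use linux-server\n    host_name %s\n    alias CentOS 6\n    address %s\n}\n' "$1" "$2"
}

# Constructed sample nrpe.cfg with one commented-out and one active line.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
#allowed_hosts=127.0.0.1,10.0.0.99
server_address=192.0.2.20
allowed_hosts=127.0.0.1, 192.0.2.10
EOF

# Usage on the client, then on the server:
# nrpe_allows_host /etc/nagios/nrpe.cfg 192.0.2.10 || echo "nagios server not in allowed_hosts"
# nagios_host_def client1 192.0.2.20 > /etc/nagios/servers/client1.cfg && service nagios restart
```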
Thursday, May 31, 2012
The beginning of an iSCSI server with LVM and CentOS
Creating an iSCSI storage server. The hardware I'm using is an old server with 8 250GB drives. The plan is to install CentOS, even though something like FreeNAS would work fine. Set up the disks in an LVM layout with the majority of the free space used for data storage. Ideally the OS would be on a RAID array separate from the data storage, but just to get a simple setup going I'll have the OS on a single disk.
General steps:
- create and set up a logical volume
- install the iSCSI target
- configure iSCSI
- test
- LVM
pvcreate --zero y /dev/sde will zero the first 2048 bytes of sde and initialize sde for use as a physical volume (PV).
I created 4 PVs using pvcreate --zero y /dev/sde /dev/sdf /dev/sdg /dev/sdh.
Next is to create a volume group.
To create a volume group use vgcreate. vgcreate VG_stor /dev/sde creates a volume group with the name VG_stor which contains the PV sde.
For my VG I ran vgcreate VG_stor /dev/sde /dev/sdf /dev/sdg /dev/sdh.
Now it's time to create logical volumes.
Logical volumes are created using lvcreate. To create a 100GB volume the command would look like lvcreate -L 100G -n vol_scsi VG_stor. This creates a 100GB volume with the name vol_scsi from the volume group VG_stor.
The command I used was lvcreate -L 100G -n vol_scsi VG_stor.
In short:
pvcreate --zero y /dev/sde /dev/sdf /dev/sdg /dev/sdh;
vgcreate VG_stor /dev/sde /dev/sdf /dev/sdg /dev/sdh;
lvcreate -L 100G -n vol_scsi VG_stor;
- iSCSI target setup
The config file for the iSCSI target is /etc/tgt/targets.conf.
This setup will be very simple. Edit targets.conf and add the following:
<target iqn.2012-05.host.server:target0>
    backing-store /dev/VG_stor/vol_scsi
</target>
Now start the target daemon and have it start on boot:
service tgtd start;
chkconfig tgtd on;
Check the target information:
tgtadm --mode target --op show;
This should show the targets that are configured.
Allow port 3260/tcp in iptables.
All that is left is to create and set up the iSCSI initiator.
- iSCSI initiator setup
Install iscsi-initiator-utils and configure /etc/iscsi/iscsid.conf if needed.
Now it's time to discover the target:
iscsiadm -m discovery -t sendtargets -p iscsi-target-ip
There should be a target listed with the IQN of the iSCSI target.
Start the iSCSI services:
service iscsi start;
service iscsid start;
Look at the discovered targets:
iscsiadm -m node -o show;
Time to log in to the target and confirm the session:
iscsiadm -m node --login;
iscsiadm -m session -o show;
There should be a new entry in /proc/partitions. In my case it was sdd.
That is a basic run-through of using LVM and iSCSI. It can get much more complex.
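The target stanza above has no access restriction, so any host that can reach port 3260 can attach the LUN and read the volume. This added script (my own example, not part of the original post) builds a stanza limited to one initiator subnet with CHAP using tgt's initiator-address and incominguser directives, and audits a targets.conf for targets that have no such restriction; the second IQN, the subnet and the credentials are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): the target stanza in the post
# has no access restriction, so any host that can reach port 3260 may attach
# the LUN. This builds a stanza limited to one initiator subnet with CHAP,
# and audits a targets.conf for targets that lack an initiator-address line.
# initiator-address and incominguser are standard tgt directives; the IQNs,
# subnet and credentials are constructed sample values.

# iqn_valid IQN -> 0 if IQN has the iqn.YYYY-MM.reversed-domain[:name] shape.
iqn_valid() {
    echo "$1" | grep -Eq '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9.-]+(:[^ ]+)?$'
}

# tgt_target_stanza IQN LV INITIATOR_CIDR CHAP_USER CHAP_SECRET
tgt_target_stanza() {
    iqn_valid "$1" || { echo "tgt_target_stanza: bad IQN '$1'" >&2; return 1; }
    printf '<target %s>\n    backing-store %s\n' "$1" "$2"
    printf '    initiator-address %s\n    incominguser %s %s\n</target>\n' "$3" "$4" "$5"
}

# tgt_open_targets FILE -> prints the IQN of each target with no restricting
# initiator-address line ("initiator-address ALL" counts as open).
# Exit 0 if at least one open target was found, 1 otherwise.
tgt_open_targets() {
    awk '
        /^[ \t]*<target[ \t]/ { iqn = $2; sub(/>.*$/, "", iqn); open = 1; next }
        /^[ \t]*initiator-address[ \t]+ALL/ { next }
        /^[ \t]*initiator-address[ \t]/ { open = 0 }
        /^[ \t]*<\/target>/ { if (open) { print iqn; found = 1 } }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample: the post's unrestricted target plus a restricted one.
SAMPLE_CONF=$(mktemp)
{
    printf '<target iqn.2012-05.host.server:target0>\n    backing-store /dev/VG_stor/vol_scsi\n</target>\n'
    tgt_target_stanza iqn.2012-05.host.server:target1 /dev/VG_stor/vol_scsi2 192.0.2.0/24 initiator1 examplesecret
} >"$SAMPLE_CONF"

# Usage: tgt_open_targets /etc/tgt/targets.conf && echo "unrestricted targets listed above"
```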