Category archive: Security

RAM Analysis – Part 1: Introduction and Obtaining the RAM image

I just found this old draft from July 2010, which I had completely forgotten about. This was supposed to be a series of blog posts, but I didn't have the time back then. Even this post is far from complete, but maybe it's useful for somebody.

1.1 Introduction

This multi-part series summarizes the various aspects, possibilities and methods of obtaining and analysing a computer's physical memory. There is a lot of information about memory analysis on the net, and this series neither intends nor is able to cover all aspects. Part I focuses on the different methods of obtaining a memory dump, which will be analyzed later. Whichever method you use, hash the image immediately after acquisition and keep the acquisition tool's own footprint in mind: a software imager runs inside the very memory it is capturing, so it always overwrites some of the evidence. If you are not interested in acquiring a memory dump yourself and just want to take a look at the contents of one, you can download sample memory images, for example from here, here, or here.
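As an added example (not part of the original draft), here is the first pass over an acquired image that the later parts of the series never got to: carving printable ASCII and UTF-16LE strings together with their offsets and filtering them with a regex. UTF-16LE matters for Windows images, where process names, paths and URLs are mostly stored as wide strings that a plain `strings` run misses. The sample image bytes below are constructed inline for demonstration; `carve_file` memory-maps a real dump instead of reading it into RAM.

```python
import mmap
import re
from typing import List, Tuple

Hit = Tuple[int, str, str]          # (offset in image, encoding, decoded text)


def carve_strings(image, min_len: int = 6) -> List[Hit]:
    """Return every printable run of at least min_len characters, sorted by offset.

    ASCII runs are bytes 0x20..0x7e; UTF-16LE runs are the same bytes with a
    NUL after each one, which is how Windows stores wide strings in memory.
    `image` may be bytes or a read-only mmap, so multi-GB dumps work as well.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits: List[Hit] = [(m.start(), "ascii", m.group().decode("ascii"))
                       for m in ascii_re.finditer(image)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
             for m in utf16_re.finditer(image)]
    return sorted(hits)


def grep_image(image, pattern: str, min_len: int = 6) -> List[Hit]:
    """Filter carved strings with a case-insensitive regex (URLs, command lines, ...)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [h for h in carve_strings(image, min_len) if rx.search(h[2])]


def carve_file(path: str, pattern: str = r".", min_len: int = 6) -> List[Hit]:
    """Run grep_image over a raw memory image on disk without loading it into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return grep_image(mm, pattern, min_len)


# Constructed sample "image" (not a real dump): a command line stored as ASCII,
# a URL stored as UTF-16LE, and some padding and noise around them.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"cmd.exe /c whoami"                          # ASCII run at offset 16
    + b"\x00\xff\x01"
    + "http://evil.example/x".encode("utf-16le")    # UTF-16LE run at offset 36
    + b"\x00\x00ab" + b"\x00" * 8                    # 'ab' is too short to count
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = (carve_file(target, r"https?://|\.exe") if target
            else grep_image(SAMPLE_IMAGE, r"https?://|\.exe"))
    for offset, enc, text in hits:
        print(f"{offset:#010x} {enc:8} {text}")
```

Run it with the path of an image as the only argument to list URLs and executables found in it; without an argument it runs over the constructed sample. Offsets are what you feed into a hex viewer or a structure parser afterwards, which is why they are kept alongside the text.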

1.2 Hardware Tools

There are a few PCI cards out there, but most of them are research projects or not available to the general public. Hardware acquisition (a PCI card or a Firewire/DMA link) avoids the footprint of a software imager, but a PCI card has to be installed before the incident, and Firewire acquisition works by reading memory over DMA, which is exactly why it also works as an attack on a locked machine.

Tribble PCI card
Tribble is a proof-of-concept research project by Joe Grand of Grand Idea Studio and Brian Carrier of digital-evidence.org. Most information about the device can be found in this paper.

CoPilot
CoPilot was developed by Komoku as a malware protection and rootkit detection PCI card; Komoku was later acquired by Microsoft.

FRED: Forensic RAM extraction device
Only little information about this project is available, on the developer's website at BBN Technologies.

1.3 Software Tools

1.3.1 Windows (free)

http://www.mantech.com/capabilities/mdd.asp

http://sourceforge.net/projects/mdd/

https://www.hbgary.com/products-services/fastdump-pro/

1.3.2 Windows (paid)

http://gmgsystemsinc.com/knttools/

http://www.x-ways.net/capture/index-d.html

1.3.3 Unix/Linux/Mac

Firewire (DMA acquisition): http://www.storm.net.nz/projects/16

Firewire, only for use by law enforcement: http://goldfish.ae/

http://www.sleuthkit.org/index.php
http://www.forensicswiki.org/index.php?title=Jesse_Kornblum

1.4 Forensic live CDs

http://www.caine-live.net/

http://www.deftlinux.net/

Helix

1.5 Links

http://www.gmgsystemsinc.com/fau/
http://computer.forensikblog.de/themen/windows/speicheranalyse/index10.html
http://cybercrimetech.com/projects/reaper/
http://www.digital-evidence.org/tools/index.html
http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
http://www.informaworld.com/smpp/section?content=a779634402&fulltext=713240928
http://www.dfrws.org/

Raspberry Pi: Truecrypt on Raspbian

Quick howto on installing TrueCrypt on the Raspberry Pi. Note that TrueCrypt development stopped in 2014; 7.1a is the last full release, and VeraCrypt is the maintained fork that still opens these containers.

Get the source for Mac OS X/Linux from http://www.truecrypt.org/downloads2 (Update: https://www.grc.com/misc/truecrypt/truecrypt.htm) and copy the file to the Pi (the file name contains spaces, so quote it):

[pat@earth Downloads]$ scp "TrueCrypt 7.1a Source.tar.gz" pi@pi:/home/pi/

Connect to the Pi and extract the archive:

pi@raspberrypi ~ $ tar xfv "TrueCrypt 7.1a Source.tar.gz"

Even without a GUI you need wxWidgets, because the TrueCrypt build links against it. Download and extract:

pi@raspberrypi ~ $ wget http://prdownloads.sourceforge.net/wxwindows/wxWidgets-2.8.12.tar.gz
pi@raspberrypi ~ $ tar xfv wxWidgets-2.8.12.tar.gz

Install the FUSE library headers:

pi@raspberrypi ~ $ sudo aptitude install libfuse-dev

Create a folder and download the needed PKCS#11 header files:

pi@raspberrypi ~ $ mkdir ~/truecrypt-7.1a-source/pkcs
pi@raspberrypi ~ $ wget ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/*.h -P truecrypt-7.1a-source/pkcs/

Change to the TrueCrypt directory and build wxWidgets (takes about 20 minutes):

pi@raspberrypi ~ $ cd truecrypt-7.1a-source/
pi@raspberrypi ~/truecrypt-7.1a-source $ export PKCS11_INC=/home/pi/truecrypt-7.1a-source/pkcs/
pi@raspberrypi ~/truecrypt-7.1a-source $ make NOGUI=1 WX_ROOT=/home/pi/wxWidgets-2.8.12 wxbuild

Now compile TrueCrypt (about 40 minutes):

pi@raspberrypi ~/truecrypt-7.1a-source $ make NOGUI=1 WXSTATIC=1

Copy the binary into the bin directory:

pi@raspberrypi ~/truecrypt-7.1a-source $ sudo cp Main/truecrypt /usr/local/bin/

Mount your container. -k "" answers the keyfile prompt with "none", --protect-hidden=no skips the hidden-volume prompt, and -m nokernelcrypto tells TrueCrypt to do the encryption in user space (via FUSE) instead of through the kernel's dm-crypt; together they make the command usable without interaction on the Pi:

pi@raspberrypi ~/truecrypt-7.1a-source $ truecrypt -t -k "" --protect-hidden=no --mount /mnt/usb/crypt /mnt/truecrypt/ -m=nokernelcrypto

Cleanup:

pi@raspberrypi ~/truecrypt-7.1a-source $ cd ~
pi@raspberrypi ~ $ rm -r truecrypt-7.1a-source "TrueCrypt 7.1a Source.tar.gz" wxWidgets-2.8.12*

Edit: I uploaded the binary. If you don't want to compile TrueCrypt yourself, feel free to use this one.

Edit 2: If you want to mount the TrueCrypt container automatically on startup and unmount it on shutdown, take a look at this howto.

Protecting SSH keys with a passphrase after the fact

Once you have got used to the advantages of public key authentication on one system, you usually switch all other systems to this kind of authentication quickly. If you want to log in from different systems, your private key has to be copied to them or carried along, e.g. on a USB stick. If it falls into the wrong hands, however, you have to generate a new key and distribute it to all systems again. To protect the private key, it can be encrypted with a password (better: a passphrase). The passphrase is needed to "unlock" the key; the actual login to the remote system still uses the public key mechanism and does not require a password. To make the distinction easier, the secret used to unlock the key is therefore called a "passphrase" rather than a password. Keep in mind what it buys you: whoever holds the file can try passphrases offline at full speed, so choose a long one, and still replace the key if the file is lost. With OpenSSH 6.5 or newer, ssh-keygen -o -a 100 stores the key in the new OpenSSH format with a bcrypt KDF and 100 rounds, which makes offline guessing far slower than with the legacy PEM format (since OpenSSH 7.8 the new format is the default). If you did not set a passphrase when creating the private key, you can still add one afterwards with ssh-keygen.

[pat@earth ~]$ ssh-keygen -p
Enter file in which the key is (/home/pat/.ssh/id_rsa):  [Enter]
Key has comment '/home/pat/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):  newSuperSavePassword
Enter same passphrase again:  newSuperSavePassword
Your identification has been saved with the new passphrase.
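Once keys are spread over several machines it is easy to lose track of which copies are still unprotected. The following added example (mine, not from the original post) inspects private key files without any SSH tooling: the OpenSSH openssh-key-v1 format records its cipher name in the header ("none" means cleartext), legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" line, and PKCS#8 keys announce encryption in their BEGIN line. `fake_openssh_key` builds a constructed header for testing only; it is not a usable key, and the file and function names are mine.

```python
import base64
import os
import struct
from typing import Dict, Iterable, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _read_string(blob: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if len(blob) < pos + 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    if len(blob) < pos + 4 + n:
        raise ValueError("truncated key blob")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def _pem_payload(text: str) -> bytes:
    """Base64-decode the lines between BEGIN and END, skipping PEM header lines."""
    body = [l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("-----") and ":" not in l]
    return base64.b64decode("".join(body))


def private_key_is_encrypted(text: str) -> bool:
    """True if this private key needs a passphrase; ValueError for unknown formats."""
    if OPENSSH_BEGIN in text:
        blob = _pem_payload(text)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, pos = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, pos)
        return cipher != b"none" and kdf != b"none"   # cleartext keys say "none"/"none"
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:   # PKCS#8, encrypted
        return True
    if "-----BEGIN PRIVATE KEY-----" in text:             # PKCS#8, cleartext
        return False
    if any(f"-----BEGIN {k} PRIVATE KEY-----" in text for k in ("RSA", "DSA", "EC")):
        return "Proc-Type: 4,ENCRYPTED" in text            # legacy PEM
    raise ValueError("unrecognised private key format")


def audit_keys(keys: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Classify (name, text) pairs as 'encrypted', 'CLEARTEXT' or 'unknown'.
    Files that are not private keys at all (config, known_hosts, ...) are skipped."""
    result: Dict[str, str] = {}
    for name, text in keys:
        if "PRIVATE KEY-----" not in text:
            continue
        try:
            result[name] = "encrypted" if private_key_is_encrypted(text) else "CLEARTEXT"
        except ValueError:
            result[name] = "unknown"
    return result


def audit_directory(directory: str) -> Dict[str, str]:
    """Audit every readable non-.pub file in a directory such as ~/.ssh."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(".pub") or not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8", errors="replace") as f:
                found.append((path, f.read()))
        except OSError:
            continue
    return audit_keys(found)


def fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed openssh-key-v1 file holding only the header fields this check reads.
    Test data, not a key anything can use."""
    blob = OPENSSH_MAGIC
    for field in (cipher, kdf):
        blob += struct.pack(">I", len(field)) + field
    return f"{OPENSSH_BEGIN}\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for path, status in audit_directory(os.path.expanduser("~/.ssh")).items():
        print(f"{status:10} {path}")
```

Run without arguments it walks ~/.ssh and prints one line per private key; anything marked CLEARTEXT is a candidate for the ssh-keygen -p command above (or for replacement, if you cannot say where else that file has been).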

Sources:

http://kimmo.suominen.com/docs/ssh/#passwd

http://www.manpagez.com/man/1/ssh-keygen/

Setting up a VPN with pptpclient / pptp-linux

There are certainly plenty of good reasons for network access through a virtual private network (VPN); one of them is getting around the geo-blocking of websites à la YouTube ("This video is not available in your country"). Services limited to the US, such as the streaming service Hulu, become usable from Germany that way. The provider VPN on Demand has been in beta for a while and offers free VPN access. Just send an e-mail with the subject "vpnod" to promotion@vpnod.com and shortly afterwards you receive the credentials by e-mail.

A security note before the setup: PPTP's MS-CHAPv2 authentication and the MPPE encryption keyed from it have since been shown to be breakable (the MS-CHAPv2 handshake reduces to recovering a single DES key), so the require-mppe-128 option used below does not turn PPTP into a strong VPN. Use it to change your apparent location, not to protect sensitive traffic; where confidentiality matters, prefer IPsec/IKEv2, OpenVPN or WireGuard.

First the PPTP client has to be installed. On Arch Linux with

[pat@earth ~]$ sudo pacman -S pptpclient

on Debian and Ubuntu the package is called pptp-linux and is installed with

[pat@earth ~]$ sudo aptitude install pptp-linux

After the installation we configure a new VPN connection, in this example for VPN on Demand. For that we create a file for the new VPN connection in the directory /etc/ppp/peers and enter the following (the placeholders $BENUTZER and $PASSWORT used below are of course to be replaced with the credentials you received; pppd does not expand shell variables):

[pat@earth ~]$ sudo vim /etc/ppp/peers/vpnod

pty "pptp vpn.vpnod.com --nolaunchpppd"
name $BENUTZER
linkname vpnod
remotename vpnod
ipparam vpnod
usepeerdns
require-mppe-128
file /etc/ppp/options.pptp

The credentials are now defined in the file chap-secrets. It contains the password in cleartext, so keep it owned by root with mode 0600.

[pat@earth ~]$ sudo vim /etc/ppp/chap-secrets

$BENUTZER vpnod $PASSWORT *

To test, we start the VPN and set the interface as the default gateway so that all internet traffic goes through the VPN. Before replacing the default route, add a host route to the VPN server via your old gateway (192.168.2.1 on eth0 in this example); otherwise the GRE packets that carry the tunnel itself would be sent into ppp0 and the tunnel would collapse as soon as the default route changes. Best visit this page before and afterwards to check your own IP. Note: from this point on all traffic is routed through the VPN, i.e. also e-mail, instant messengers and any other applications running on the system. The data is encrypted only as far as the VPN endpoint; from there on it is up to you to take care of encryption. If you do not trust the VPN provider (or tend slightly towards paranoia :) ), take the same precautions as when using a public WLAN hotspot, i.e. HTTPS/SSL.

[pat@earth ~]$ sudo pon vpnod
[pat@earth ~]$ sudo route add -host vpn.vpnod.com gw 192.168.2.1 eth0
[pat@earth ~]$ sudo route add default dev ppp0

Should the connection fail, calling pon with

[pat@earth ~]$ sudo pon vpnod debug dump logfd 2 nodetach

can help with troubleshooting.

To tear down the connection, remove the route again (poff should do that automatically) and disconnect.

[pat@earth ~]$ sudo route del default
[pat@earth ~]$ sudo poff

If everything works without problems, you can automate the whole thing. All scripts in the folder /etc/ppp/ip-up.d/ are run automatically after the VPN connection has been established, with the interface name as the first argument. Since routing is a complex matter and a post of its own, here is just an example script for routing all traffic through the VPN.

[pat@earth ~]$ sudo vim /etc/ppp/ip-up.d/10-route.sh

#!/bin/bash

# Interface (eth0 or wlan0 in most cases)
INTERFACE=eth0

# Interface as provided by the calling pppd
VPN=$1
#VPN=ppp0

# Gateway of the local network (use 'route' to find out, IP or name) and the VPN server.
# The host route keeps the tunnel's own packets going out via the old gateway;
# without it they would be routed into the tunnel once the default route changes.
GATEWAY=192.168.2.1
VPN_SERVER=vpn.vpnod.com

route add -host ${VPN_SERVER} gw ${GATEWAY} ${INTERFACE}
route del default ${INTERFACE}
route add default dev ${VPN}

And we create another script, which restores the correct route after the VPN connection has been torn down.

[pat@earth ~]$ sudo vim /etc/ppp/ip-down.d/10-route.sh

#!/bin/bash

# Interface (eth0 or wlan0 in most cases)
INTERFACE=eth0

# Interface as provided by the calling pppd
VPN=$1

# Gateway (use 'route' to find out, IP or name) and the VPN server
GATEWAY=192.168.2.1
VPN_SERVER=vpn.vpnod.com

route del default ${VPN}
route add default gw ${GATEWAY} ${INTERFACE}
route del -host ${VPN_SERVER}

If the host name or IP of the gateway is not known, the route command helps.

[pat@earth ip-up.d]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 * 255.255.255.0 U 202 0 0 eth0
default 192.168.2.1 0.0.0.0 UG 202 0 0 eth0

A way to do all this automatically at system startup can be found for Arch Linux e.g. here.

Sources: http://pptpclient.sourceforge.net

Must-have Firefox add-ons

A while ago I was asked which Firefox add-ons I use, and today I want to answer that question. Since some add-ons cannot be assigned to exactly one category, I have only divided the categories roughly.

General
Adblock Plus – blocks annoying ads and pop-ups
NoScript – selectively allow/deny JavaScript, Java etc. for individual sites
Omnibar – integrates the search function into the address bar
OptimizeGoogle – improves Google search results and removes ads and spam
Session Manager – saves open tabs/windows and restores them after a crash
Tab Preview – page preview when the mouse pointer hovers over a tab
ColorfulTabs – colours tabs differently for a better overview
FaviconizeTab – shrinks tabs to the size of their favicons
Xmarks – synchronizes bookmarks/passwords between several Firefox installations
Firefox Sync – see Xmarks
Fast Dial – thumbnail view of bookmarks as the start page
FEBE – backup of Firefox settings, add-ons etc.
FlashGot – download manager
VTzilla – scans a download for viruses with VirusTotal via right-click

Development
Web Developer – toolbar with various web development tools
ColorZilla – eyedropper, colour picker etc.
Firebug – web development "suite"
CodeBurner for Firebug – extends Firebug with HTML and CSS references

Security / penetration testing
Access Me – tests for flaws in session handling
Add N Edit Cookies – add/edit sessions and cookies
Fireforce – GET/POST form brute forcer
FoxyProxy Standard – proxy manager
FxIF – shows EXIF data in the image properties
HackBar – toolbar that helps when looking for SQL injections
HTTPS-Everywhere – automatically uses SSL on many sites
Live HTTP headers – shows the HTTP headers of a page
PassiveRecon – information gathering tool
ShowIP – shows the IP address of the current site in the status bar
SQL Inject Me – tests for various SQL injection vulnerabilities
Tamper Data – edit and trace HTTP(S) headers
Wappalyzer – detects the software used on a website
XSS Me – tests a page for XSS vulnerabilities

Ubuntu 10.10 + Pidgin (libpurple) + ICQ (Oscar) = Fail!

Even though I think one should rather use the Jabber protocol for instant messaging, as Google does with Google Talk, ICQ is probably still the most widespread in Germany. Reasons to switch can be found e.g. on Wikipedia.

Occasionally changes are made to the ICQ protocol or infrastructure and alternative clients cannot log in for a short while. That is apparently exactly what happened this weekend. Since, according to the official Pidgin homepage, only security updates are offered outside Ubuntu's release cycle, there is no automated solution to the problem for now. Various forums meanwhile offer different solutions, disabling SSL being the simplest but also the "ugliest" one, since your login data is then transmitted unencrypted. Installing the Pidgin PPA and updating to the latest release seems the most sensible to me.

Procedure:

  • Download the installer package: Pidgin PPA Package
  • Right-click the file and choose "Open with GDebi Package Installer"
  • Click the "Install Package" button on the right
  • After the installation, open the update manager (under Xfce: start menu -> System)
  • Check for updates and install them
  • Restart Pidgin and open the settings of the ICQ account (Accounts -> ICQ -> Edit Account)
  • On the Advanced tab, change the server to slogin.icq.com and tick "Use SSL" and "Use clientLogin"

After that, logging in to the ICQ server should work again over SSL. Besides, thanks to the PPA installation you now always get the latest version of Pidgin conveniently via the update manager.

Public Key Authentication on OpenWRT using dropbear

OpenWrt is a Linux distribution for embedded devices such as routers. Installing OpenWrt on your device instead of the vendor's original firmware lets you do some nifty things with your router, like installing additional software from OpenWrt's own repository.

Although a package for the OpenSSH server is available, Dropbear is the default choice. To enable password-less SSH access, first generate SSH keys on your client machine if you haven't already. If you want, you can protect your key with a passphrase; otherwise just press Enter.

pat@earth:~$ ssh-keygen

Next, transfer your public key (the file ending in .pub) to your OpenWrt installation.

pat@earth:~$ scp ~/.ssh/id_rsa.pub 192.168.1.1:/tmp/

Replace 192.168.1.1 with the IP of your router. If you changed the port of your SSH server, specify it with the -P parameter, e.g. scp -P 4321 etc.

Connect to your router and append the transferred public key to authorized_keys. On OpenWrt, Dropbear does not look in .ssh under root's home directory for the authorized_keys file; it reads /etc/dropbear/authorized_keys, so create the file there. Dropbear ignores the file if it or its directory is group- or world-writable, hence the chmod.

root@router:~# cd /etc/dropbear/
root@router:/etc/dropbear# cat /tmp/id_rsa.pub >> authorized_keys
root@router:/etc/dropbear# chmod 0600 authorized_keys

Now you should be able to ssh from your client PC to your OpenWrt device without a password. Test that in a second terminal before closing the current session. Once key login works, switch password logins off so the router no longer accepts password guessing from the network: set option PasswordAuth 'off' and option RootPasswordAuth 'off' in /etc/config/dropbear and run /etc/init.d/dropbear restart.
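Dropbear logs little when it rejects a key, and a line mangled while copying it through a terminal (wrapped, a stray character, the wrong type in front of the base64 blob) simply fails silently. The following added example, my own and not OpenWrt's or Dropbear's code, checks each authorized_keys line the way a server does: the base64 must decode, the key type inside the blob must match the declared type, DSA is refused, and RSA moduli shorter than a configurable minimum are flagged. `make_key_line` builds constructed blobs with the right wire structure for the tests; they are not real keys, and the names here are mine.

```python
import base64
import re
import struct
from typing import List, Tuple

# type token, base64 blob, optional comment; anything before the type is the options prefix
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")


def _read_string(blob: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if len(blob) < pos + 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    if len(blob) < pos + 4 + n:
        raise ValueError("truncated key blob")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def check_key_line(line: str, min_rsa_bits: int = 2048) -> Tuple[bool, str]:
    """Return (ok, reason) for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return True, "blank or comment"
    m = KEY_RE.search(line)
    if not m:
        return False, "no recognised key type followed by a base64 field"
    declared, b64, _comment = m.groups()
    try:
        blob = base64.b64decode(b64, validate=True)
        inner, pos = _read_string(blob, 0)
    except ValueError as e:                 # binascii.Error is a ValueError
        return False, f"bad key blob: {e}"
    if inner != declared.encode():
        return False, f"declared {declared} but blob is {inner.decode('ascii', 'replace')}"
    if declared == "ssh-dss":
        return False, "ssh-dss (DSA) is obsolete"
    if declared == "ssh-rsa":                # blob = type, mpint e, mpint n
        try:
            _e, pos = _read_string(blob, pos)
            n, _ = _read_string(blob, pos)
        except ValueError as e:
            return False, f"bad RSA blob: {e}"
        bits = int.from_bytes(n, "big").bit_length()
        if bits < min_rsa_bits:
            return False, f"RSA modulus only {bits} bits"
    return True, f"{declared} ok"


def check_authorized_keys(text: str, min_rsa_bits: int = 2048) -> List[Tuple[int, bool, str]]:
    """Check every line of an authorized_keys file: (line number, ok, reason)."""
    return [(i, *check_key_line(l, min_rsa_bits)) for i, l in enumerate(text.splitlines(), 1)]


def make_key_line(key_type: str, *fields: bytes, options: str = "", comment: str = "") -> str:
    """Constructed authorized_keys line: correct wire layout, made-up key material."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), *fields))
    parts = [options, key_type, base64.b64encode(blob).decode(), comment]
    return " ".join(p for p in parts if p)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/dropbear/authorized_keys"
    with open(path) as f:
        for lineno, ok, reason in check_authorized_keys(f.read()):
            print(f"{path}:{lineno}: {'ok ' if ok else 'BAD'} {reason}")
```

Copy the script to the router (or run it on the client against a copy of the file) and point it at /etc/dropbear/authorized_keys; a key whose base64 was wrapped by the terminal shows up as "no recognised key type followed by a base64 field" on the first fragment and as a bad blob on the rest.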

Restricted sftp access with rssh and ssh chroot

OpenSSH 4.9 was the first version of the famous daemon that came with built-in chroot functionality (see the changelog). Chrooting the user and restricting shell access to a few commands is a good solution for granting a few users secure access for exchanging files. We will use the rssh shell to allow only sftp access for one user, locked into his chrooted home directory. sshd refuses a chroot directory that is not owned by root or is writable by anyone else (every path component down to the chroot must be root-owned and not group- or world-writable; otherwise the login fails and auth.log shows "bad ownership or modes for chroot directory"), so the user's writable home directory has to be created inside the chroot. In this example /home/ftp is the chroot and /home/ftp/secftp is the home directory of the user, the place where he finds himself after connecting.

Install the rssh shell with

$ aptitude install rssh

and adjust the config file so that the user secftp is allowed sftp access only (the five digits are the rsync, rdist, cvs, sftp and scp bits, in that order).

$ vim /etc/rssh.conf

user=secftp:027:00010 #user:umask:proto

Then add the new user secftp (with /secftp as home directory, a path relative to the chroot, and /usr/bin/rssh as shell) to your system and set a password.

$ useradd -d /secftp -s /usr/bin/rssh -g users secftp
$ passwd secftp

Create the directory and adjust the ownership so that secftp can read/write and other group members can read the uploaded files. /home/ftp itself stays owned by root with mode 755 (which is what mkdir -p as root gives you); do not chown it to the user.

$ mkdir -p /home/ftp/secftp
$ chown secftp:users /home/ftp/secftp

Edit your sshd configuration and add the user-specific options for your chroot. Don't forget to add secftp to your AllowUsers (which you should have configured :)). Two things to know: Match blocks have to be at the end of sshd_config, since every line after a Match belongs to that block, and with ForceCommand internal-sftp the user's login shell is never executed; internal-sftp runs inside sshd and needs no binaries or libraries in the chroot, which is why an otherwise empty /home/ftp works. rssh then only acts as a second line of defence should the Match block ever get lost.

$ vim /etc/ssh/sshd_config

AllowUsers secftp

Subsystem sftp internal-sftp

Match User secftp
   ChrootDirectory /home/ftp
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp

Check the configuration with sshd -t, restart the sshd daemon and you should be done. Test with sftp secftp@host; a failed chroot shows up in auth.log as "bad ownership or modes for chroot directory".
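A badly owned chroot is the most common reason this setup "does not work", and the relevant log line is easy to miss. The following added example (mine, not from the post or from OpenSSH) applies the same rule sshd applies to ChrootDirectory: every path component from / down to the chroot must be a directory owned by root and must not be group- or world-writable. The `lookup` parameter takes a function returning (uid, mode) so the rule can be exercised on a constructed table; `SAMPLE_GOOD` and `SAMPLE_BAD` are constructed to mirror the /home/ftp layout from the post, with uid 1001 standing in for secftp.

```python
import os
import stat
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str], Tuple[int, int]]     # path -> (uid, st_mode)


def _real_lookup(path: str) -> Tuple[int, int]:
    st = os.lstat(path)                       # lstat: a symlink in the path is not followed
    return st.st_uid, st.st_mode


def _components(path: str) -> List[str]:
    """'/home/ftp' -> ['/', '/home', '/home/ftp']."""
    path = os.path.abspath(path)
    parts = []
    while True:
        parts.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return list(reversed(parts))


def chroot_path_problems(chroot: str, lookup: Lookup = _real_lookup) -> List[str]:
    """Reasons sshd would reject `chroot` as ChrootDirectory (an empty list means ok)."""
    problems = []
    for p in _components(chroot):
        uid, mode = lookup(p)
        if not stat.S_ISDIR(mode):
            problems.append(f"{p}: not a directory")
        if uid != 0:
            problems.append(f"{p}: owned by uid {uid}, must be root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p}: group or world writable")
    return problems


def table_lookup(table: Dict[str, Tuple[int, int]]) -> Lookup:
    """Lookup over a constructed {path: (uid, mode)} table instead of the real filesystem."""
    return lambda p: table[p]


# Constructed examples of the layout from the post (uid 1001 = secftp).
SAMPLE_GOOD = {"/": (0, 0o40755), "/home": (0, 0o40755),
               "/home/ftp": (0, 0o40755), "/home/ftp/secftp": (1001, 0o40755)}
# Typical mistake: chown'ing the chroot itself to the user and making it group-writable.
SAMPLE_BAD = dict(SAMPLE_GOOD, **{"/home/ftp": (1001, 0o40775)})

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/ftp"
    for line in chroot_path_problems(target) or [f"{target}: ok"]:
        print(line)
```

Run it on the server with the ChrootDirectory path as the argument; it prints one line per violation, which is the same set of conditions sshd's check enforces, so a clean result here means the chroot itself is not what is failing.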

Sources:
http://www.gossamer-threads.com/lists/openssh/dev/44657
http://hp.kairaven.de/scpsftp/ssh-rssh-sftp.html
http://www.debian-administration.org/articles/590

Fully encrypted gentoo system with LUKS/cryptsetup and LVM

I installed this setup on my system some time ago and wrote down the steps. To validate that every step is still correct, I used VirtualBox and installed the system again.

At the end of this howto you will have a fully working Gentoo system with (nearly) full disk encryption, encrypted swap and an easily expandable disk partition scheme. Full disk encryption under GNU/Linux is not possible in the way it is with e.g. TrueCrypt under Windows, at least not with the GRUB legacy used here: the bootloader has to read the kernel and initramfs from an unencrypted /boot. So in most cases you will have to leave your /boot partition unencrypted or put it on a removable medium like a USB stick. In this setup we leave /boot as it is. Be aware of what that means: anyone with physical access can tamper with the unencrypted kernel and initramfs (an "evil maid" attack), so this setup protects data at rest against theft or loss of the machine, not against an attacker with repeated physical access.

What you need:

  • A backup of your running system, since your disks will be erased
  • Linux-compatible hardware
  • Internet connection
  • Some time
  • Experience with GNU/Linux systems is highly recommended
  • A GNU/Linux system (live CD, USB stick, installation on another disk etc.); this howto uses the Gentoo weekly minimal install CD for amd64

Although I will try, explaining every step in detail would be too much for this howto, so I have to point you to Google and the Gentoo Handbook.

1. Preparing the installation

Use for example UNetbootin to create a bootable USB stick, or just burn the CD. If you are using GRUB 2 on your system, you can boot the ISO file directly through GRUB's loopback ability. Change your BIOS settings accordingly.

2. Booting and choosing the correct keyboard layout

Boot the installation system and choose the default kernel at the prompt. When all kernel modules are loaded you get the opportunity to change the keyboard layout to your needs (for a German layout, type de or 10).

3. Configuring your network

Find out the names of your network adapters with ifconfig -a. To obtain an IP for the wired link on eth0, run dhcpcd eth0. To show your IP, run ifconfig eth0 and look for inet addr. To continue the installation from another computer, start the SSH server with /etc/init.d/sshd start, set a password for root with the passwd command and connect from the other computer with ssh root@IP under Linux or with PuTTY under Windows.

4. Preparing your harddisk(s)

At this point you have more than one possibility for your disk layout, so you should be really sure what you want. If you are not sure or do not know how to split up your disk, check the handbook again and/or search Google. You have to decide in which order the different layers occur. It is possible to create one big (physical) LVM partition, configure the logical volumes and encrypt these individually. You can also create a standard partition, encrypt the whole partition and configure your logical volumes inside the encrypted container. Both setups have advantages and disadvantages. The first makes it quite easy to change your LVM layout, and you can use different passwords for every mount point if you like; the price is that the LVM metadata (volume names and sizes) stays readable in cleartext. The second has the advantage that other systems only see one big encrypted partition and nothing else, and you only need one password to decrypt the system (although this is also possible with the first setup).
In this setup we create a small partition for /boot, a separate partition for swap and another one for the physical LVM. Maybe I will add one or two alternatives to this guide in the future, but for now I am going with the first method, as I think it is the more difficult one to reproduce. Use fdisk or cfdisk to configure the hard disk(s) to your needs.

The partition table I chose for this howto:

livecd ~ # fdisk -l /dev/sda
Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System
/dev/sda1 * 1 61 489951 83 Linux
/dev/sda2 62 183 979965 82 Linux swap / Solaris
/dev/sda3 184 2007 14651280 8e Linux LVM

5. Loading the necessary kernel modules

You need to load the kernel modules for your cipher, mode and hash. Use Google to learn more about ciphers and modes.

livecd ~ # modprobe dm-mod dm-crypt sha256

6. Create and activate the LVM Setup

First we need to create the physical volume on /dev/sda3 and a volume group called vg1 with

livecd ~ # pvcreate /dev/sda3
livecd ~ # vgcreate vg1 /dev/sda3

Next we use lvcreate to create the individual logical volumes. This step is similar to standard partitioning; however, since we are creating logical volumes, it is possible to change their size later. The layout chosen here is just a demonstration of the general functionality. The name defined with the -n flag (-L is the size) is just for you, so it does not have to match the later mount point.

livecd ~ # lvcreate -L7G -nroot vg1
livecd ~ # lvcreate -L3G -ntmp vg1
livecd ~ # lvcreate -L3G -nhome vg1

You can use the vgdisplay or vgs command to see the remaining disk space. Check your result with lvscan.

livecd ~ # lvscan
ACTIVE '/dev/vg1/root' [7.00 GiB] inherit
ACTIVE '/dev/vg1/tmp' [3.00 GiB] inherit
ACTIVE '/dev/vg1/home' [3.00 GiB] inherit

HINT: If you need to reboot, you can reactivate the LVM setup with vgchange -a y vg1.

7. Encrypting

The next step is to encrypt the freshly created volumes using this short loop (easily extended if you want to create more containers). aes-cbc-essiv:sha256 with a 256-bit key was the cryptsetup default at the time; current cryptsetup defaults to aes-xts-plain64, which avoids the malleability issues of CBC mode, and that is what you should pick on a new install.

livecd ~ # for i in root tmp home
> do
> cryptsetup -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/vg1/$i
> done

Confirm with YES and type in your passphrase twice per volume.
Also encrypt the swap partition during the setup process. Its key is read from /dev/urandom, so swap content is unrecoverable after every reboot; the flip side is that hibernation (suspend-to-disk) cannot work with this setup. (cryptsetup create is the old syntax for a plain, header-less mapping; newer versions spell it cryptsetup open --type plain.)

livecd ~ # cryptsetup create -c aes-cbc-essiv:sha256 -s 256 -d /dev/urandom swap /dev/sda2
livecd ~ # mkswap /dev/mapper/swap
livecd ~ # swapon /dev/mapper/swap

8. Open the containers and format with a filesystem

Next we open our containers and create a filesystem. The choice of filesystem depends on your needs; see Google or the Gentoo Handbook.

livecd ~ # for i in root tmp home
> do
> cryptsetup luksOpen /dev/vg1/$i crypt$i
> done

Enter the passphrase for every volume.

livecd ~ # for i in root tmp home
> do
> mkfs.ext4 /dev/mapper/crypt$i
> done
livecd ~ # mkfs.ext2 /dev/sda1

Don’t forget to format the boot partition as well.

9. Create the mountpoints and mount your volumes

livecd ~ # mount /dev/mapper/cryptroot /mnt/gentoo/
livecd ~ # for i in boot tmp home
> do
> mkdir /mnt/gentoo/$i
> done
livecd ~ # mount /dev/sda1 /mnt/gentoo/boot/
livecd ~ # for i in tmp home
> do
> mount /dev/mapper/crypt$i /mnt/gentoo/$i
> done

10. Preparing the chroot

Before chrooting into the new installation directory we have to prepare a few things, e.g. set the correct permissions on /tmp before changing into the directory

livecd ~ # chmod 1777 /mnt/gentoo/tmp/
livecd ~ # cd /mnt/gentoo/

and setting the correct date.

livecd gentoo # date MMDDhhmmYYYY

Next download the needed installation files. Select the best mirror near you and download (press d in links) the latest stage3 and portage snapshot as well as the .CONTENTS, .DIGESTS and .md5sum files using links.

livecd gentoo # links http://www.gentoo.org/main/en/mirrors.xml

The latest stage3 file can be found under /releases/amd64/current-stage3/ (select the right folder for your architecture), and the latest portage snapshot via the symlink /snapshots/portage-latest.tar.bz2.

Verify your downloads with md5sum and extract them if there is no error (md5sum warns about the SHA1 lines in the .DIGESTS file; only the MD5 line has to report OK). Keep in mind that this only proves the tarball matches what the mirror serves. To check that it is what Gentoo actually released, also fetch the .DIGESTS.asc file and verify its signature against the Gentoo release key with gpg --verify.

livecd gentoo # md5sum -c stage3-amd64-20100617.tar.bz2.DIGESTS
livecd gentoo # md5sum -c portage-latest.tar.bz2.md5sum

livecd gentoo # tar xvjpf stage3-amd64-20100617.tar.bz2
livecd gentoo # tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr

Take a look at the wiki entry about CFLAGS and edit make.conf to your needs. I use the AMD Athlon 64 settings here.

livecd gentoo # nano /mnt/gentoo/etc/make.conf

CHOST="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CXXFLAGS="${CFLAGS}"

Select the nearest mirrors (distfiles and rsync):

livecd gentoo # mirrorselect -i -o >> /mnt/gentoo/etc/make.conf
livecd gentoo # mirrorselect -i -r -o >> /mnt/gentoo/etc/make.conf

Copy the DNS information into your chroot and mount the needed filesystems

livecd gentoo # cp -L /etc/resolv.conf /mnt/gentoo/etc/
livecd gentoo # mount -t proc none /mnt/gentoo/proc
livecd gentoo # mount -o bind /dev /mnt/gentoo/dev

11. Chroot into your new environment

Change into your new root, then sync and update your system.

livecd gentoo # chroot /mnt/gentoo/ /bin/bash

livecd / # env-update && source /etc/profile
livecd / # emerge --sync

12. Select a profile

Select the right profile for you using eselect:

livecd / # eselect profile list
Available profile symlink targets:
[1] default/linux/amd64/10.0 *
[2] default/linux/amd64/10.0/desktop
[3] default/linux/amd64/10.0/desktop/gnome
[4] default/linux/amd64/10.0/desktop/kde
[5] default/linux/amd64/10.0/developer
[6] default/linux/amd64/10.0/no-multilib
[7] default/linux/amd64/10.0/server
[8] hardened/linux/amd64/10.0
[9] hardened/linux/amd64/10.0/no-multilib
[10] selinux/2007.0/amd64
[11] selinux/2007.0/amd64/hardened
[12] selinux/v2refpolicy/amd64
[13] selinux/v2refpolicy/amd64/desktop
[14] selinux/v2refpolicy/amd64/developer
[15] selinux/v2refpolicy/amd64/hardened
[16] selinux/v2refpolicy/amd64/server
livecd / # eselect profile set 2

13. Adjust make.conf

Adjust make.conf to your needs and set the needed USE flags, languages and devices:

livecd / # nano /etc/make.conf
MAKEOPTS="-j2"

USE="3dnow 3dnowext a52 aac acl acpi alsa -amd64 apache2 -avahi
avi bluetooth -beagle cairo cdb cddb cdparanoia cdr cli cracklib
crypt css -cups daap dbus dga directfb dri dts dvb dvd dvdr dvdread -eds
-emboss encode -esd -evo exif fam ffmpeg flac ftp gdbm gif -gnome gstreamer gtk
hal -ipv6 -isdnlog -joystick -kde libnotify lirc lm_sensors mad mmx mmxext mp3
mpeg mysql ncurses nls ogg opengl pdf png -ppds -pppd qt3 qt3support quicktime samba sdl sse sse2
ssl svg tiff transcode unicode usb v4l vcd vorbis wma
X x264 xcomposite xine xml xorg xv xvid xvmc zlib"

LINGUAS="de en"

INPUT_DEVICES="keyboard mouse"
VIDEO_CARDS="vesa"

14. Configure your locales

Define (uncomment) and generate the needed locales, including UTF-8 (German):

livecd / # nano /etc/locale.gen
en_US ISO-8859-1
en_US.UTF-8 UTF-8
de_DE ISO-8859-1
de_DE@euro ISO-8859-15
de_DE.UTF-8 UTF-8

livecd / # locale-gen

15. Setting the timezone

Find the right timezone for you and copy it:

livecd / # ls /usr/share/zoneinfo/
livecd / # cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime

16. Installation of kernel sources and other needed packages

Install the kernel sources and the other packages that are needed for this setup:

livecd / # emerge -av gentoo-sources
livecd / # emerge -av genkernel cryptsetup lvm2

17. Compile your own kernel

The next step is one of the most important. Take care to include everything in your kernel that your hardware needs. Use genkernel to make life a little easier.

livecd / # cd /usr/src/linux
livecd linux # genkernel --no-clean --menuconfig --save-config --luks --lvm all

You can use the kernel configuration of the Gentoo live CD as a basis for your own configuration. Just copy the config file before running genkernel.

livecd linux # zcat /proc/config.gz > /usr/share/genkernel/arch/x86_64/kernel-config

These are the most important kernel options to enable for this guide. You might need others depending on the chosen cipher etc. Don't forget to enable ext4 support if you need it.

Device Drivers  --->
  Multi-device support (RAID and LVM)  --->
    [*] Multiple devices driver support (RAID and LVM)
    < >   RAID support
    <*>   Device mapper support
    <*>     Crypt target support

File systems  --->
  <*> The Extended 4 (ext4) filesystem

Cryptographic API  --->
  <*> SHA256 digest algorithm
  <*> AES cipher algorithms

I found a few postings on the net saying that genkernel needs a valid /etc/fstab to build a correct initramfs. Do step 19 first to be 100% safe.

18. Kernel Modules

List the compiled kernel modules with

livecd linux # find /lib/modules/<kernel version>/ -type f \( -iname '*.o' -o -iname '*.ko' \) | less

and add the ones you need to /etc/modules.autoload.d/kernel-2.6.

19. Edit the /etc/fstab

# <fs>                  <mountpoint>    <type>          <opts>          <dump/pass>
/dev/sda1               /boot           ext2            noauto,noatime  1 2
/dev/mapper/swap        none            swap            sw              0 0
/dev/mapper/cryptroot   /               ext4            noatime         0 0
/dev/mapper/crypthome   /home           ext4            noatime         0 1
/dev/mapper/crypttmp    /tmp            ext4            noatime         0 2
/dev/cdrom              /mnt/cdrom      auto            noauto,ro       0 0
shm                     /dev/shm        tmpfs           nodev,nosuid,noexec     0 0

20. Basic system configuration

Set a hostname:

livecd / # nano /etc/conf.d/hostname

Set the root password. Important: this password lives inside your chroot and is the one for your future system; the password you set at the beginning was only needed for SSH access to the live system! If you don't set it, you won't be able to log in.

livecd / # passwd

System settings like the default editor or window manager:

livecd / # nano /etc/rc.conf

Change the keymap:

livecd / # nano /etc/conf.d/keymaps
KEYMAP="de"

Set the clock and timezone:

livecd / # nano /etc/conf.d/clock
TIMEZONE="Europe/Berlin"

Install some system tools (logger, filesystem tools etc.):

livecd / # emerge -av syslog-ng logrotate pciutils gentoolkit

Start the system logger at boot:

livecd / # rc-update add syslog-ng default

Networking: install a DHCP client

livecd / # emerge -av dhcp

21. Installing the bootloader GRUB

Another really important part is the installation of a bootloader. Take care to use the correct devices, partitions and paths; double check! If you want or need the features of GRUB 2, take a look at this page.

livecd / # emerge -av grub

Now you need to find out the exact file names of your kernel and initramfs and edit /boot/grub/grub.conf accordingly.

livecd / # ls -l /boot/initramfs* /boot/kernel*
-rw-r--r-- 1 root root 1814297 Jul 24 00:14 /boot/initramfs-genkernel-x86_64-2.6.34-gentoo-r1
-rw-r--r-- 1 root root 4261424 Jul 24 00:13 /boot/kernel-genkernel-x86_64-2.6.34-gentoo-r1

livecd / # nano /boot/grub/grub.conf

title Gentoo Linux 2.6.34-r1
root (hd0,0)
kernel /boot/kernel-genkernel-x86_64-2.6.34-gentoo-r1 root=/dev/ram0 crypt_root=/dev/vg1/root init=/linuxrc splash=silent dolvm
initrd /boot/initramfs-genkernel-x86_64-2.6.34-gentoo-r1

Creating /etc/mtab

livecd / # grep -v rootfs /proc/mounts > /etc/mtab

Installing GRUB

livecd / # grub-install --no-floppy /dev/sda

If this doesn’t work for you, try running grub manually

livecd / # grub
root (hd0,0)
setup (hd0)
quit

22. LVM configuration

The LVM process scans all connected drives for volumes. You can define a filter so that only the needed block devices are scanned.

livecd / # nano /etc/lvm/lvm.conf
filter = [ "a|/dev/sda|", "r/.*/" ]

23. LUKS/dm-crypt configuration

Next we edit /etc/conf.d/dmcrypt and define which encrypted containers should be opened and with which name. We will use a keyfile to decrypt the volumes.

livecd / # nano /etc/conf.d/dmcrypt

## swap
swap=swap
source='/dev/sda2'
options='-c aes-cbc-essiv:sha256 -s 256 -d /dev/urandom'

## /home with keyfile
target=crypthome
source='/dev/mapper/vg1-home'
key='/root/hdpw'

## /tmp with keyfile
target=crypttmp
source='/dev/mapper/vg1-tmp'
key='/root/hdpw'

Generating the keyfile. Since /dev/random blocks until enough entropy has been gathered, this can take some time depending on the activity on your box.

livecd / # dd if=/dev/random of=/root/hdpw bs=1 count=512
livecd / # chmod 400 /root/hdpw

Adding the generated keyfile as an additional key slot on each LUKS container. After this step you can open your containers either with the passphrase defined in step 7 or with this file.

livecd / # for i in home tmp
> do
> cryptsetup luksAddKey /dev/vg1/$i /root/hdpw
> done
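An added cross-check (not part of this guide) that ties steps 19 and 23 together: it parses a copy of /etc/conf.d/dmcrypt, compares the target= names against the /dev/mapper mounts in /etc/fstab, and flags any target without a key= (which would prompt for a passphrase at boot). The two file contents are constructed from the snippets above.

```python
# Added cross-check for the dm-crypt setup above (not part of the guide): each
# /dev/mapper mount in fstab needs a target= in dmcrypt (and vice versa), and every target must name a keyfile.
import re

# Constructed copies of the step 23 dmcrypt conf and of the encrypted mounts in
# the step 19 fstab; on a real box read the two files instead.
DMCRYPT_CONF = """
swap=swap
source='/dev/sda2'
options='-c aes-cbc-essiv:sha256 -s 256 -d /dev/urandom'
target=crypthome
source='/dev/mapper/vg1-home'
key='/root/hdpw'
target=crypttmp
source='/dev/mapper/vg1-tmp'
key='/root/hdpw'
"""
FSTAB = """
/dev/mapper/crypthome   /home   ext4   noatime   0 1
/dev/mapper/crypttmp    /tmp    ext4   noatime   0 2
"""

def parse_dmcrypt(text):
    """Return the conf as a list of dicts; each swap= or target= line starts one."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^(swap|target|source|key|options)=(.*)$", line.strip())
        if not m:
            continue  # comments, blank lines, unknown keys
        k, v = m.group(1), m.group(2).strip("'\"")
        if k in ("swap", "target"):
            cur = {"kind": k, "name": v}
            entries.append(cur)
        elif cur is not None:
            cur[k] = v
    return entries

def check_config(dmcrypt_text, fstab_text):
    """List mismatches between the two files; an empty list means they agree."""
    entries = parse_dmcrypt(dmcrypt_text)
    mounted = set(re.findall(r"^/dev/mapper/(\S+)", fstab_text, re.M))
    opened = {e["name"] for e in entries if e["kind"] == "target"}
    problems = [f"fstab mounts /dev/mapper/{n} but dmcrypt has no target={n}"
                for n in sorted(mounted - opened)]
    problems += [f"dmcrypt opens target={n} but fstab never mounts it"
                 for n in sorted(opened - mounted)]
    for e in entries:
        if e["kind"] == "target" and not e.get("key"):
            problems.append(f"target={e['name']} has no key= and would prompt at boot")
    return problems
```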

24. Finish the installation and clean up

Delete the installation files.

livecd / # rm /stage3-* /portage-*

Exit the chroot and unmount all devices.

livecd / # exit
livecd gentoo # cd ..
livecd mnt # umount /mnt/gentoo/*
livecd mnt # umount /mnt/gentoo

Close the LUKS containers and deactivate your LVM.

livecd mnt # for i in home tmp root
> do
> cryptsetup luksClose crypt$i
> done

livecd mnt # lvchange -a n vg1

Restart and pray! :)

livecd mnt # shutdown -r now

25. Success!

Welcome to your new system. Log in with the username root and the password set in step 20.

26. Some more basic configuration

Start the SSH daemon at boot.

gentoo ~ # rc-update add sshd default

Synchronize your Portage tree and update the system.

gentoo ~ # emerge --sync
gentoo ~ # emerge -avDuN world
gentoo ~ # env-update && source /etc/profile

Install ntp to synchronize your system time at boot.

gentoo ~ # emerge -av ntp

gentoo ~ # nano /etc/conf.d/ntp-client
NTPCLIENT_OPTS="-s -b -u 0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org 3.de.pool.ntp.org"

gentoo ~ # rc-update add ntp-client default

Clean your system and check for consistency and errors.

gentoo ~ # emerge --clean
gentoo ~ # revdep-rebuild

Opera Mini on Android is also a proxy browser

Today Marc Ruef published an article about Opera Mini on the iPhone and pointed out that all traffic is routed through Opera’s own proxy servers. Opera isn’t allowed to use its own rendering engine on the iPhone because of Apple’s strict licence terms, so Opera Mini only provides another frontend for Apple’s Safari engine while the rendering happens on Opera’s server.
Users of Opera Mini should be aware that all their traffic could be analysed and used for data mining.

A quick test reveals that the Android version of Opera Mini also uses Opera’s own server as a proxy.

t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog HTTP/1.1" 301 198 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/ HTTP/1.1" 200 3886 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/wp-content/themes/decoder/img/bg-meta.gif HTTP/1.1" 404 2400 "http://www.carrier-lost.org/blog/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"

Where t09-07.opera-mini.net is the proxy server.
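For a site owner who wants to see how much of their traffic arrives through Opera’s proxy, here is an added example (not from this post) that parses Apache combined-format lines like the ones above and classifies each request by the connecting host and user agent. The log text is constructed: the first two lines follow the entries above, the direct Firefox request and the malformed line are invented for contrast.

```python
# Added detection example (not from the post): classify requests in an Apache
# combined log as relayed by Opera's transcoding proxy or not. The log text is
# constructed after the lines above; the direct request is invented for contrast.
import re
from collections import Counter

LOG = """\
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog HTTP/1.1" 301 198 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
t09-07.opera-mini.net - - [16/Apr/2010:13:27:39 +0200] "GET /blog/ HTTP/1.1" 200 3886 "http://www.carrier-lost.org/blog/about/" "Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18302/764; U; en) Presto/2.4.15"
198.51.100.7 - - [16/Apr/2010:13:30:02 +0200] "GET /blog/ HTTP/1.1" 200 3886 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.2) Gecko/20100401 Firefox/3.6.3"
this line is not in combined log format
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def via_opera_mini(rec):
    """True when the request reached us through Opera's proxy: the connecting host
    is in opera-mini.net, or the client identifies itself as Opera Mini."""
    host = rec["host"].lower()
    return (host == "opera-mini.net" or host.endswith(".opera-mini.net")
            or "opera mini" in rec["agent"].lower())

def summarize(log_text):
    """Count proxied and direct requests. For proxied ones only the proxy host
    appears in the log; the handset's own address is not visible to the server."""
    total, proxied, proxy_hosts, unparsed = 0, 0, Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        total += 1
        if via_opera_mini(rec):
            proxied += 1
            proxy_hosts[rec["host"]] += 1
    return {"total": total, "proxied": proxied,
            "proxy_hosts": dict(proxy_hosts), "unparsed": unparsed}
```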