Archive for the ‘Servers’ Category

Posted by keith.wirch at November 22, 2016

Category: Email, Linux, Servers

I feel these are poorly documented so I’ll post em here for easy reference for myself.

IMAP:  <box hostname>  ;  Port 993  ;  SSL/TLS  ;  Normal Password for Authenication
SMTP: <box hostname>  ;  Port 587  :  STARTLS  :  Normal Password for Authentication

 

Posted by keith.wirch at July 23, 2014

Category: Cryptography, Linux

In this tutorial I will cover how to setup a LUKS encrypted drive to be mounted with a keyfile and then have it mounted at boot.  It is recommended that you keep the keyfile on an encrypted drive but that’s your business, not mine.  For the purposes of the tutorial I will be using /dev/sdb to be my example drive.

CREATE KEYFILE

You will need to pick a folder to keep your keyfile.  Fill that file with what ever you want or run this command to make one pull of random data.  It does not need to be /etc/secretfoldder/keyfile

sudo dd if=/dev/urandom of=/etc/secretfolder/keyfile bs=1024 count=6

DRIVE FORMAT

First you will need to setup the encrypted drive.  For this part we will use fdisk because it it quite easy to use. Type m if you need some help.  My example below the general flow you need.  Delete all the partitions on the drive and then create a partition.  WARNING!  THIS WILL DELETE ALL DATA ON THE DRIVE

sudo fdisk /dev/sdb

Command (m for help): d
 Selected partition 1

Command (m for help): d
 No partition is defined yet!

Command (m for help): p

Disk /dev/sdb: 250.1 GB, 250059348992 bytes
 255 heads, 63 sectors/track, 30401 cylinders, total 488397166 sectors
 Units = sectors of 1 * 512 = 512 bytes
 Sector size (logical/physical): 512 bytes / 512 bytes
 I/O size (minimum/optimal): 512 bytes / 512 bytes
 Disk identifier: 0x000be3dd

Device Boot      Start         End      Blocks   Id  System

Command (m for help): b
 There is no *BSD partition on /dev/sdb.

Command (m for help): n
 Partition type:
 p   primary (0 primary, 0 extended, 4 free)
 e   extended
 Select (default p): p
 Partition number (1-4, default 1):
 Using default value 1
 First sector (2048-488397165, default 2048):
 Using default value 2048
 Last sector, +sectors or +size{K,M,G} (2048-488397165, default 488397165):
 Using default value 488397165

Command (m for help): w
 The partition table has been altered!

Encryption Filesystem

You are going to need a few kernel modules in order to properly get some encryption out of cryptsetup.

</pre>
sudo modprobe dm-crypt
 sudo modprobe sha256
 sudo modprobe aes

If you get an error with these modules.  Refer to this bug report.  You may need to utilize their workaround.

sudo cryptsetup luksAddKey /dev/sdX /etc/secretfolder/keyfile -c aes -s 256 -h sha256

Now mount your new encrypted partition and create a filesystem.

</pre>
sudo cryptsetup luksOpen /dev/sdb1 crypt
 sudo mkfs -t ext3 /dev/mapper/crypt

This part could take a while if you have a slow computer.

CREATE STARTUP ITEMS

Open up /etc/crypttab and add a line like this.

crypt     /dev/sdb1     /etc/secretfolder/keyfile     luks

If you want to, you used the UUID of your drive instead of the above option.

Now open up fstab.  /etc/fstab and add a new entry at bottom like so.

# Mount Encrypted FileSystem</pre>
/dev/mapper/crypt     /media/sdb1     ext3

BOOM!  You are done son!  Reboot and see that it mounts.  or you can do a mount -a to remount all filesystems.

Posted by keith.wirch at June 28, 2014

Category: Email, Linux, Servers

Some of you may know I made my own email server.  I’ll not explain why yet (maybe in another blog post).  But it involves the decisions of certain government agency overreaching it bounds!  Not gonna go into that right now.

I use roundcube to have webmail access.  Having webmail just makes me uneasy because while it is convenient, it is also is a huge security risk.  So I started using two factor authentication.  I found a tutorial in a series that Arstechnica had up and I’m taking what I learned from them and applying it here.  This two-factor authentication is done by using a plugin for Roundcube called twofactor_gauthenticator.  I don’t really get why it says it uses Google Authentication when it really just uses RFC 6238 for TOTP (Time-Based One-time Passwords).  Which is really all that the Google Authenticator does I believe.  Maybe google came up with the RFC?  I dunno.  But it doesn’t really matter.  This plugin works with any application that uses RFC 6238 including the Windows Phone apps, which is what I use.

Now on to what you likely used a search engine to get here for.

This plugin will require php-soap according to the documentation.  It’s quite easy to get on Debian by using apt-get php-soap.  You Red Hat folks can probably use yum.

First you will need to login to linux server and navigate to your roundcube plugin location.  On debian servers, it is /usr/share/<your web server>/roundcube<version number>/plugins.

Then “git” the plugin.  You’ll need git in order to do this.  apt-get install git will grab it.  Then run this command.

git clone https://github.com/alexandregz/twofactor_gauthenticator.git

Make sure you have permissons to write to this folder. And do an ls -l to make sure that the permissions to twofactor_gauthenticator match the rest of your plugin folders in this directory. lastly, go back to roundcube install folder (/usr/share/<your web server>/roundcube<version number>) and drop into the config folder. Open your main config file for editing and add twofactor_gauthenticator to the last line mentioning your plugins.

It should look something like this:
$config[‘plugins’] = array(‘plugin1’, ‘plugin2’, ‘twofactor_gauthenticator’);

Then just restart your web service. That’ll restart php and the like. Now login to roundcube and goto your settings. You should see “2steps Google Verification” like you see below.

Generate a secret and for the love of pete, set a recovery code. If you loose your phone or key somehow you are suck! So stuck!. Once you get your phone app setup, be sure to check your code at the bottom to make sure that it works. Once you hit save, login again and roundcube will ask for your new code. Enjoy the peice of mind my friends!