## Automatically Mounting a LUKS Drive With a Keyfile at Boot

Posted by keith.wirch at July 23, 2014

Category: Cryptography, Linux

In this tutorial I will cover how to set up a LUKS encrypted drive to be unlocked with a keyfile and then have it mounted at boot.  It is recommended that you keep the keyfile on an encrypted drive, but that’s your business, not mine.  For the purposes of the tutorial I will be using /dev/sdb as my example drive.

# CREATE KEYFILE

You will need to pick a folder to keep your keyfile in.  Fill that file with whatever you want, or run this command to fill one with random data.  It does not need to be /etc/secretfolder/keyfile.

sudo dd if=/dev/urandom of=/etc/secretfolder/keyfile bs=1024 count=6

# DRIVE FORMAT

First you will need to set up the partition on the drive.  For this part we will use fdisk because it is quite easy to use.  Type m if you need some help.  My example below shows the general flow you need: delete all the partitions on the drive and then create a single partition.  WARNING!  THIS WILL DELETE ALL DATA ON THE DRIVE

sudo fdisk /dev/sdb

Command (m for help): d
Selected partition 1

Command (m for help): d
No partition is defined yet!

Command (m for help): p

Disk /dev/sdb: 250.1 GB, 250059348992 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397166 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000be3dd

Device Boot      Start         End      Blocks   Id  System

Command (m for help): b
There is no *BSD partition on /dev/sdb.

Command (m for help): n
Partition type:
p   primary (0 primary, 0 extended, 4 free)
e   extended
Select (default p): p
Partition number (1-4, default 1):
Using default value 1
First sector (2048-488397165, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-488397165, default 488397165):
Using default value 488397165

Command (m for help): w
The partition table has been altered!


# Encryption Filesystem

You are going to need a few kernel modules loaded in order for cryptsetup to do its work.

sudo modprobe dm-crypt
sudo modprobe sha256
sudo modprobe aes


If you get an error with these modules, refer to this bug report; you may need to use its workaround.

Now create the LUKS container on the new partition, using the keyfile as its key.  (The partition has no LUKS header yet, so this has to be luksFormat; luksAddKey only works on a device that is already LUKS formatted.)

# The cipher is spelled out in full: AES in XTS mode, 512-bit key (two 256-bit halves), SHA-256 for the key derivation.
sudo cryptsetup luksFormat /dev/sdb1 /etc/secretfolder/keyfile -c aes-xts-plain64 -s 512 -h sha256


Now open (unlock) your new encrypted partition with the keyfile and create a filesystem on the mapped device.

sudo cryptsetup luksOpen /dev/sdb1 crypt --key-file /etc/secretfolder/keyfile
sudo mkfs -t ext3 /dev/mapper/crypt


This part could take a while if you have a slow computer.

# CREATE STARTUP ITEMS

Open up /etc/crypttab and add a line like this.

crypt     /dev/sdb1     /etc/secretfolder/keyfile     luks


If you want to, you can use the UUID of the partition (UUID=...) in the second field instead of /dev/sdb1.

Now open up /etc/fstab and add a new entry at the bottom like so.  Note that it refers to the mapped device /dev/mapper/crypt, not to /dev/sdb1, because the filesystem only exists inside the unlocked mapping.

# Mount Encrypted FileSystem
/dev/mapper/crypt     /media/sdb1     ext3     defaults     0     2


BOOM!  You are done son!  Reboot and see that it mounts.  Or you can run mount -a to mount all filesystems listed in fstab without rebooting.
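The pieces above, as an added example that is not part of the original post: it creates a random keyfile the way the dd command does but with mode 0400 so only root can read it, checks an existing keyfile for the mistakes that matter (world-readable, too short, wrong owner), and renders the crypttab and fstab lines, including the UUID= form mentioned above.  All paths, the mapping name and the UUID are placeholders; the demo runs in a temporary directory rather than touching /etc.

```python
import os
import re
import stat
import tempfile

# Added example, not the post's own commands. Paths, names and the UUID are placeholders.

KEYFILE_MIN_BYTES = 32  # 256 bits of random data is plenty for a LUKS key slot


def make_keyfile(path, nbytes=6 * 1024):
    """Create a random keyfile with mode 0400 (owner read-only).

    O_EXCL refuses to overwrite an existing file, so a key that is already
    enrolled in a LUKS header cannot be clobbered by accident.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(nbytes))
    # os.open applies the umask, so force the final mode explicitly.
    os.chmod(path, 0o400)
    return path


def check_keyfile(path, require_root_owner=True):
    """Return a list of problems with the keyfile; an empty list means it is usable."""
    problems = []
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set (expected 0400)")
    if st.st_size < KEYFILE_MIN_BYTES:
        problems.append("keyfile shorter than %d bytes" % KEYFILE_MIN_BYTES)
    if require_root_owner and st.st_uid != 0:
        problems.append("not owned by root")
    return problems


UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def crypttab_entry(name, device, keyfile):
    """Render a /etc/crypttab line. `device` may be /dev/sdb1 or a bare UUID.

    A bare UUID is written as UUID=... so the mapping survives the drive
    being renumbered (sdb becoming sdc after a reboot).
    """
    if UUID_RE.match(device):
        device = "UUID=" + device
    return "%s\t%s\t%s\tluks" % (name, device, keyfile)


def fstab_entry(name, mountpoint, fstype="ext3"):
    """Render the matching /etc/fstab line for the opened mapping.

    fstab refers to /dev/mapper/<name>, never to the raw partition: the
    filesystem only exists inside the unlocked mapping.
    """
    return "/dev/mapper/%s\t%s\t%s\tdefaults\t0\t2" % (name, mountpoint, fstype)


def demo():
    """Exercise the helpers in a temp dir (constructed, not a real /etc) and return the results."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "keyfile")
    make_keyfile(path)
    good = check_keyfile(path, require_root_owner=False)
    os.chmod(path, 0o644)  # simulate a sloppy, world-readable keyfile
    bad = check_keyfile(path, require_root_owner=False)
    return {
        "size": os.path.getsize(path),
        "good": good,
        "bad": bad,
        "crypttab_dev": crypttab_entry("crypt", "/dev/sdb1", "/etc/secretfolder/keyfile"),
        "crypttab_uuid": crypttab_entry("crypt", "0123abcd-4567-89ab-cdef-0123456789ab",
                                        "/etc/secretfolder/keyfile"),
        "fstab": fstab_entry("crypt", "/media/sdb1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The permission check is the part the tutorial skips: a keyfile that any local user can read makes the whole encryption pointless, so checking the mode before enrolling the key (and again from a cron job or config audit) is cheap insurance.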

## Adding Two-Factor Authentication to Roundcube

Posted by keith.wirch at June 28, 2014

Category: Email, Linux, Servers

Some of you may know I made my own email server.  I’ll not explain why yet (maybe in another blog post).  But it involves the decisions of a certain government agency overreaching its bounds!  Not gonna go into that right now.

I use roundcube to have webmail access.  Having webmail just makes me uneasy because while it is convenient, it is also a huge security risk.  So I started using two-factor authentication.  I found a tutorial in a series that Ars Technica had up and I’m taking what I learned from them and applying it here.  This two-factor authentication is done by using a plugin for Roundcube called twofactor_gauthenticator.  I don’t really get why it says it uses Google Authentication when it really just uses RFC 6238 for TOTP (Time-Based One-time Passwords), which is really all that the Google Authenticator does, I believe.  Maybe Google came up with the RFC?  I dunno.  But it doesn’t really matter.  This plugin works with any application that uses RFC 6238, including the Windows Phone apps, which is what I use.
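What RFC 6238 actually does, as an added example rather than code from the twofactor_gauthenticator plugin: TOTP is RFC 4226 HOTP with the counter replaced by the number of 30-second steps since the Unix epoch, which is why any authenticator app can produce the same six digits as the server.  The secrets are constructed (the ASCII secret is the RFC’s own test key), and the verify function shows the two things a server-side check needs that the arithmetic alone does not: constant-time comparison and a small tolerance for clock drift.

```python
import base64
import hmac
import hashlib
import struct
import time

# Added example, not code from the Roundcube plugin. Secrets below are constructed.


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, digestmod).digest()
    offset = digest[-1] & 0x0F                            # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))       # keep leading zeros


def totp(secret, for_time=None, step=30, digits=6, t0=0):
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    if for_time is None:
        for_time = time.time()
    counter = (int(for_time) - t0) // step
    return hotp(secret, counter, digits)


def decode_base32_secret(text):
    """Authenticator apps show the secret in base32; strip spaces and fix padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret, submitted, for_time=None, window=1, step=30, digits=6):
    """Accept the code for the current step or +/- `window` steps (clock drift).

    hmac.compare_digest avoids leaking how many leading digits matched.
    """
    if for_time is None:
        for_time = time.time()
    if not submitted.isdigit() or len(submitted) != digits:
        return False
    for skew in range(-window, window + 1):
        candidate = totp(secret, for_time + skew * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    key = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("current code:", totp(key))
```

A window of one step each way is the usual compromise: it forgives a phone whose clock is half a minute off without widening the brute-force target much.  What the window does not replace is rate limiting on failed attempts; six digits is only about 20 bits, so the login endpoint still has to throttle.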

Now on to what you likely used a search engine to get here for.

This plugin will require php-soap according to the documentation.  It’s quite easy to get on Debian with apt-get install php-soap.  You Red Hat folks can probably use yum.

First you will need to log in to your Linux server and navigate to your roundcube plugin location.  On Debian servers, it is /usr/share/<your web server>/roundcube<version number>/plugins.

Then “git” the plugin.  You’ll need git in order to do this.  apt-get install git will grab it.  Then run this command.

git clone https://github.com/alexandregz/twofactor_gauthenticator.git

Make sure you have permissions to write to this folder.  And do an ls -l to make sure that the permissions on twofactor_gauthenticator match the rest of the plugin folders in this directory.  Lastly, go back to the roundcube install folder (/usr/share/<your web server>/roundcube<version number>) and drop into the config folder.  Open your main config file for editing and add twofactor_gauthenticator to the last line mentioning your plugins.

It should look something like this:
$config['plugins'] = array('plugin1', 'plugin2', 'twofactor_gauthenticator');

Then just restart your web service.  That’ll restart php and the like.  Now log in to roundcube and go to your settings.  You should see “2steps Google Verification” like you see below.  Generate a secret and, for the love of Pete, set a recovery code.  If you lose your phone or key somehow you are stuck!  So stuck!  Once you get your phone app set up, be sure to check your code at the bottom to make sure that it works.  Once you hit save, log in again and roundcube will ask for your new code.  Enjoy the peace of mind my friends!

## (Batch) Ping Sweep

Posted by keith.wirch at October 28, 2013

Category: Batch, Scripts

So we inherited this system from a department at work.  The department got downsized and all documentation was GONE!  When I say gone…. I mean the people are gone and everything that was documented for it.  We got no logins, no IP addresses, nothing.  It was a VMware environment so the benefits of physical server hacking were gone.  After a while we finally were able to get administrative access.  This was some wizardry by one of the other admins.  My part was to discover what was on the network.  Network Discovery was turned off for security reasons.  So I used a hacking technique called a Ping Sweep.  This ping sweep allows us to fill the ARP table on the computer and see which computers responded to the ARP request.  I’m not a fan of installing random software on servers and workstations so I wanted a script.  So my friend Brian and I got to work on this script.  Batch scripting is not typically my favorite but it works decently well.

@echo off
cls
@color 0A
echo.
echo *********************
echo PING SWEEP
echo *********************
echo.
for /l %%a in (0,1,255) do (
  for /l %%b in (1,1,255) do (
    start ping -n 1 192.168.%%a.%%b | find "Reply"
    echo 192.168.%%a.%%b
  )

  REM Used to break up ping so not to overload the workstation.
  REM This is currently used for the 3rd octet in the IP Address.
  REM Change the variable or the number to change increments.
  IF %%a EQU 5 pause
  IF %%a EQU 10 pause
  IF %%a EQU 15 pause
  IF %%a EQU 20 pause
  IF %%a EQU 25 pause
  IF %%a EQU 30 pause
  IF %%a EQU 35 pause
  IF %%a EQU 40 pause
  IF %%a EQU 45 pause
  IF %%a EQU 50 pause
  IF %%a EQU 55 pause
  IF %%a EQU 60 pause
  IF %%a EQU 65 pause
  IF %%a EQU 70 pause
  IF %%a EQU 75 pause
  IF %%a EQU 80 pause
  IF %%a EQU 85 pause
  IF %%a EQU 90 pause
  IF %%a EQU 95 pause
  IF %%a EQU 100 pause
  IF %%a EQU 105 pause
  IF %%a EQU 110 pause
  IF %%a EQU 115 pause
  IF %%a EQU 120 pause
  IF %%a EQU 125 pause
  IF %%a EQU 130 pause
  IF %%a EQU 135 pause
  IF %%a EQU 140 pause
  IF %%a EQU 145 pause
  IF %%a EQU 150 pause
  IF %%a EQU 155 pause
  IF %%a EQU 160 pause
  IF %%a EQU 165 pause
  IF %%a EQU 170 pause
  IF %%a EQU 175 pause
  IF %%a EQU 180 pause
  IF %%a EQU 185 pause
  IF %%a EQU 190 pause
  IF %%a EQU 195 pause
  IF %%a EQU 200 pause
  IF %%a EQU 205 pause
  IF %%a EQU 210 pause
  IF %%a EQU 215 pause
  IF %%a EQU 220 pause
  IF %%a EQU 225 pause
  IF %%a EQU 230 pause
  IF %%a EQU 235 pause
  IF %%a EQU 240 pause
  IF %%a EQU 245 pause
  IF %%a EQU 250 pause
  IF %%a EQU 255 pause
)

So because I like color in my scripts, Line 3 allows you to pick your color.  I like green.  Enjoy!  The script will open multiple command windows with the sole purpose of running a Ping command.  You can remove the “start” command from line 11 and it will only ping one at a time.  This will be very slow, but you won’t bog down the workstation as much.  Which brings me to the last part of the script (Lines 18-70).

****WARNING**** This script is VERY processor intensive by default.  Do not try to do anything else while this script is running.  It will slow everything to a crawl.  This is why the last part of the script exists.  Those IF statements cause the script to halt, waiting for you to continue.  This allows the workstation to have a stopping point to catch up.  If these are not there the script will just constantly run and run until you have pinged all ranges in the Class B address.

Don’t kill your workstation.  Just modify the IF statements to fit your liking.  Line 11 is where you designate the first two octets of your class B.  This can be configured to a class C easily if you understand variables.  Comment if you need help doing that.

## (Powershell) File Delete

Posted by keith.wirch at October 16, 2013

Category: Powershell, Uncategorized

I find VBScript to be buggy and it doesn’t flow very well for me.  I’m still decent at it but Powershell has been my scripting language of choice for a while.  Here is another little ditty I made out of Powershell.  I present to you…. File Delete!  Yea it’s a common thing you do, I know, but darn it, I don’t like using the admin share all the time to delete files off hundreds of computers.  I execute this script… kick back… watch the beauty of the text scroll up my screen and watch for any errors and investigate.  All while the user is using the computer and they never know!  Makes me feel like some sort of wizard… or ninja…. Ok, grown up time Keith.

So the script is similar to the rest.  Change the last line to your computers.txt file path.  Line 4 is then the file path you want to delete on your remote computer.  This script takes advantage of UNC paths for Windows, so when you enter this part in, just think of it as you would for a standard admin share.  Remember you will need access to the file location.  Powershell will use the credentials that your Powershell or Powershell ISE window was opened with.  Because I am also experimenting with using log files, you’ll also need to make an area for the log file for this script.  Or you can delete that area.  I’m starting to like log files though in my scripts.

#MAIN
function delete-remotefile {
    Process {
        $file = "\\$_\c$\path\deleted\folder\or\items"
        if (Test-Path $file) {
            echo "$_ File Exists"
            # -Recurse is needed when the path is a folder; without it Remove-Item stops to ask
            Remove-Item $file -Force -Recurse
            echo "$_ Files deleted"
        }
    }
}

# Reads list and pipes to function
Get-Content C:\Scripts\FileDelete\Computers.txt | delete-remotefile >> C:\Scripts\FileDelete\Log.txt


## (Powershell) Check if Hosts are Up

Posted by keith.wirch at October 15, 2013

Category: Powershell

Small one but a good one.  This script will ping all hosts in a text file to see if they are up.  It’s great in the case where you want to see all of the stations in a classroom before you push an update or something.

Here it is.


$names = Get-Content "C:\Scripts\Computers.txt"
foreach ($name in $names) {
    # One echo request per host; SilentlyContinue turns an unreachable host into $null instead of an error
    if (Test-Connection -ComputerName $name -Count 1 -ErrorAction SilentlyContinue) {
        Write-Host "$name is up" -ForegroundColor Magenta
    } else {
        Write-Host "$name is down" -ForegroundColor Red
    }
}



Line 1 is where you designate your text file of computers.  From there you just execute the powershell script and it will run something like the output below.  I’d recommend making a bunch of “computer” files for each room you will routinely check like this and then only changing line 1 to match what you need.

Again, some areas are blurred to protect the innocent!  MSPaint for the win my friends!

Enjoy!

## CCNA Up and Up, CCNP Up and Down

Posted by keith.wirch at October 15, 2013

Category: Personal

If you get the networking joke in the title, laugh a little.  I thought I was clever.

But I got my CCNA a while ago.  Loved it.  ICND-1 was a cinch but ICND-2 had me worried through the exam, though I passed both with flying colors.  WAN technologies had me worried and I still have a little trouble with MPLS, but I think it is similar to Frame-Relay except Frame-Relay is static whereas MPLS is more dynamic.  If anyone reads this let me know if you have questions about CCNA.  I’d love to talk about it.  Unfortunately I don’t get a lot of people to talk about it with.  The CCNA track was a ton of fun with the home labs and Jeremy from CBTNuggets was awesome.  Odom’s book was great too.

But now I am on to bigger things.  I debated a lot whether to follow another CCNA track like Security, Wireless, or Voice, but I kept reading about folks who got to those after they got to CCNP.  I can understand that.  Where I live I doubt I’ll need much past CCNP, but the dream of one day being CCIE is something I’ll just toy with for now.  The job market around here isn’t great for IT.  A lot of people think I should move, but my wife and I are very involved in the church we go to and really like staying there.

To study the CCNP track I’m going with the Route exam first, using Jeremy from CBTNuggets and Diane Teare’s Cisco Press book at the moment.  I like the idea of going with the CCNP Routing and Switching track so far.  It’s a ton of fun and makes soooooo much more sense to me than the MCITP track I followed with Microsoft.

Not to knock Microsoft, but a lot of how the application works in the background (like DFS Replication) is unknown!  I know how to set it up, but I’d really like to know how it knows when files match!  Does it use checksums?  I hate that grey area of understanding IT.  With Cisco and networking I can totally understand the logic of everything I work with.  How does dot1q work?  Well, the switch adds the VLAN tag in the layer 2 header of an IP packet so that the switch at the other end of the trunk link knows what VLAN it is for!  It’s a 4 byte tag!  I know that information down to that level!

Anyway.  Really excited for CCNP.  I’ll likely post things about what I learn on here.  A lot of the material is likely gonna be new so I’m quite excited to jump in.

For those who didn’t get the joke: on a Cisco device, there are two states for an Ethernet (or Serial) interface, Link Status and Protocol Status.  If you have Up and Up, that means the cable is connected and the Line Protocol is up and everything should be working.  So CCNA Up and Up means I have started and understand the content.  An Up and Down in networking is where the cable is plugged in but the Line Protocol is down.  This means I have started the process but don’t completely understand the content.

## Port Security Issues with Dell T1650. Wake On Lan Enabled

Posted by keith.wirch at August 9, 2013

Category: Weird Fixes

So the network engineer at work and I had been working on something that was causing us both grief.  I had enabled Wake on Lan for all my Dell T1650 Laptops.  It was working great!  Magic Packet (mc-wol) was working fine.  The problem was with Port Security.

When the stations were shut down or hibernating we were getting random port security issues.  Only when they were in this state though.  We “wiresharked” the traffic and found that the stations were sending MAC address advertisements of 00:00:00:00:00:00.  There might be an “on” bit here and there but really it was just sending garbage!  Well, since this garbage looked like a MAC address to the switch, Port-Security on the switch shut the port down.  This would be flagged on our syslog server and we’d have to restart the computer, only to have it happen again a few weeks later.  It really seemed random.  It was popcorning throughout the network.

So we tried updating the BIOS.  Our thought was “Well, it is happening when the computers are off.  Probably not an OS level issue.”  That didn’t fix the issue.  But we did get shiny new BIOSes.  Yay!?!

So we hemmed and hawed trying to think of something.  Then we finally started looking at the OS level.  We thought… maybe the drivers?  Turns out, we were right (finally).  The NICs were all Intel NICs so we grabbed the updated drivers from the Intel site.  We then updated the drivers on all the T1650 workstations.  It’s been over a month now and not one of our over 300 stations has thrown MAC garbage to trigger port security.  I guess when the stations were shutting down, the OS does some voodoo with the NIC to keep it alive during shutdown and that is why the drivers fixed it?  I dunno.  I do know that our syslog server is seeing much better days.  Unless the NE takes down the Core switch again!  hehe.

I hope this helps some other poor sysadmin who has port security issues with these stations.  Hope you found this post via Google, ’cause Google wasn’t really helping us.
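The syslog side of the story above, as an added example that is not part of the original post: a few constructed log lines in the shape of Cisco IOS port-security violation messages (the exact message format is my assumption about what the post’s syslog server would have shown), a parser that pulls the switch, port and offending MAC out of each one, and a classifier that separates the all-zero MAC symptom the post describes from genuine unknown-host violations and counts repeats per port so the chronic ones stand out.

```python
import re
from collections import Counter, defaultdict

# Added example, not the post's own tooling. Log lines are constructed; the message
# shape follows Cisco IOS %PORT_SECURITY-2-PSECURE_VIOLATION as assumed here.

SAMPLE_LOG = """\
Aug  9 02:14:07 sw-lab-01 1234: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0000 on port GigabitEthernet1/0/12.
Aug  9 02:14:09 sw-lab-01 1235: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
Aug  9 03:41:55 sw-lab-02 887: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0000 on port GigabitEthernet1/0/3.
Aug  9 04:02:13 sw-lab-02 901: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0000 on port GigabitEthernet1/0/3.
Aug  9 07:30:00 sw-lab-03 12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001c.c0ab.12ef on port GigabitEthernet1/0/20.
"""

VIOLATION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<switch>\S+)\s+\d+:\s+"
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$"
)

NULL_MAC = "0000.0000.0000"  # the "garbage" source address from the post


def parse_violations(text):
    """Return one dict (ts, switch, mac, port) per port-security violation line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(events):
    """Split violations into the null-MAC symptom and genuine unknown-host hits.

    Returns (Counter of null-MAC hits per (switch, port), dict of real MACs per (switch, port)).
    """
    null_mac = Counter()
    real = defaultdict(list)
    for e in events:
        key = (e["switch"], e["port"])
        if e["mac"] == NULL_MAC:
            null_mac[key] += 1
        else:
            real[key].append(e["mac"])
    return null_mac, dict(real)


if __name__ == "__main__":
    null_hits, real_hits = classify(parse_violations(SAMPLE_LOG))
    for (switch, port), n in null_hits.most_common():
        print("%s %s: %d null-MAC violation(s), candidate for the NIC driver fix" % (switch, port, n))
    for (switch, port), macs in real_hits.items():
        print("%s %s: unknown host(s) %s, investigate" % (switch, port, ", ".join(macs)))
```

The point of the split is triage: a port that keeps tripping on 0000.0000.0000 is a workstation with the driver problem and goes to the desktop team, while a real MAC on a secured port is the case port security exists for and should not be buried under the noise.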

## Script to push out files/folders over the network

Posted by keith.wirch at March 23, 2013

Category: Scripts, Visual Basic


This is a script that can be used to push out files and folders to computers across a network, one by one, using computer names located within a text file.  The script takes the name from the file and turns it into \\<computername>\c$\path\to\destination\.  It is executed through Windows Script Host (cscript) as a VBScript.  It will output what is currently happening and the outcome for that computer.  If it fails, it will continue on to the next computer.  For those of you who can read the comments and decipher what to do, go for it.  It’s quite simple.  If you need further explanation, keep reading.

Const ForReading = 1
Const ForWriting = 2
Const OverwriteExisting = True
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Get list of Computers
Set objFile = objFSO.OpenTextFile("C:\Scripts\Computers.txt")
Set fso = CreateObject("Scripting.FileSystemObject")

' Put Errors in Text File
ErrorFile = "C:\Scripts\ErrorLog-FilePush.txt"
Set ErrorsFound = fso.OpenTextFile(ErrorFile, ForWriting, True)

On Error Resume Next   'Keep going through the list until the end, even when a copy fails
Do Until objFile.AtEndOfStream
strComputer = objFile.Readline
WScript.Echo "Now working on " & strComputer
strRemoteFile = "\\" & strComputer & "\c$\path\to\destination"
'To push a folder make this "objFSO.CopyFolder"
'To push files make this "objFSO.CopyFile"
'Change the filepath here to where the source of the files is.
objFSO.CopyFile "C:\path\to\source", strRemoteFile, OverwriteExisting
' If the computer is not found, go to the next.  If it is found, say yay!
If Err.Number = 0 Then
Wscript.echo "Success.  Yay!"
'Otherwise print "Fail.  BOOO!!!", note it in ErrorFile and go to the next
Else
Wscript.echo "Fail.  BOOO!!! (" & Err.Description & ")"
ErrorsFound.WriteLine(strComputer & " Failed: " & Err.Description)
End If
Err.Clear   'Reset the error state so one failure is not reported again for every later computer
Loop

ErrorsFound.WriteLine ("=======  Script Ended ========")
ErrorsFound.Close


Step 1: Create a folder named “Scripts” in “C:\” This is decent place to keep scripts that you collect. We will be working from this scripts folder, so any more files you create can be placed here in the “Scripts” folder.

Step 2: Open notepad (or your favorite text editor like notepad++) and copy/paste the code from above. Save the file in your new folder.

Step 3: Make two more text files named “computers.txt” and “ErrorLog-FilePush.txt” and have them in the same folder.

Step 4: On line 18 change “path\to\destination” to the actual destination on your remote computers.

Step 5: On line 22 change “path\to\source” to your actual source file or folder.  Take a look at “objFSO.CopyFile”.  If you are pushing a whole folder to your destination, you need to change this to “objFSO.CopyFolder”.

Step 6: Once you have all that configured, open a command prompt in the C:\Scripts folder and execute the command “cscript FilePush.vbs” and the script will start.  Any errors that happen will show in ErrorLog-FilePush.txt.

The script should execute with something like this.  (Computer names are blocked out to protect the innocent.)

(Note: I didn’t put “cscript” in front of filepush.vbs because running cscript is the default behavior for .vbs files on my workstation.)

==========================================
TROUBLESHOOTING
==========================================

I’m getting File not found errors on lines 18 or 22!
Be sure you have the path correct.  I like copying and pasting from Windows Explorer.  When copying whole folders on line 22, you usually need to add an extra backslash at the end.

I’m getting File not found errors on line 12!
This is because the script cannot find the error file to output errors to.  Make sure you created the files in Step 3 in the right place.

I’m getting access denied!
Make sure you have permissions on the remote computers.  The script will use the permissions of the currently logged-in user.  To use the permissions of another user, Shift+Right-Click “cmd” in the start menu and select “Run as different user”.