Pedro M. S. Oliveira

CentOS 7 – How to set up your encrypted filesystem in less than 15 minutes

Nowadays, setting up encryption on a file system can be achieved in a matter of minutes; there is a small drop in FS performance, but it is barely noticeable and the benefits are countless.

All the major distributions let you conveniently set up encryption during installation, which is very convenient for your laptop/desktop; on the server side, however, these options are often neglected.

With this how-to you'll be able to set up your encrypted LVM volume in 8 easy steps and in less than 15 minutes.

I'm assuming that you're already running LVM and that you have some free space available on your volume group (in this case 249G).

The steps:

lvcreate -L249G -n EncryptedStorage storage

Skip the shred command if you only have 15 minutes; look at the explanation below to decide whether you're willing to do so.

shred -v --iterations=1 /dev/storage/EncryptedStorage

cryptsetup --verify-passphrase --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/storage/EncryptedStorage

cryptsetup luksOpen /dev/storage/EncryptedStorage enc_encrypted_storage

mkfs.ext4 /dev/mapper/enc_encrypted_storage

Edit /etc/crypttab and add the following entry:

enc_encrypted_storage /dev/storage/EncryptedStorage none noauto

Edit /etc/fstab and add the following entry:


/dev/mapper/enc_encrypted_storage /encrypted_storage ext4 noauto,defaults 1 2

Finally, mount your encrypted volume:

mount /encrypted_storage

After reboot you’ll need to run these two commands to have the filesystem available:

cryptsetup luksOpen /dev/storage/EncryptedStorage enc_encrypted_storage

mount /encrypted_storage

Now, the steps explained.

Step 1:

lvcreate -L249G -n EncryptedStorage storage

I've created a 249GB volume named EncryptedStorage on my volume group storage (each distribution has its own naming convention for the volume group name, so you'd better check yours; just type):

vgdisplay

The output:

--- Volume group ---
VG Name storage
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 3
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 2
Open LV 1
Max PV 0
Cur PV 1
Act PV 1
VG Size 499.97 GiB
PE Size 32.00 MiB
Total PE 15999
Alloc PE / Size 15968 / 499.00 GiB
Free PE / Size 31 / 992.00 MiB
VG UUID tpiJO0-OR9M-fdbx-vTil-2dty-c7PF-xxxxxx

--- Volume group ---
VG Name centos
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 3
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 2
Open LV 2
Max PV 0
Cur PV 1
Act PV 1
VG Size 23.51 GiB
PE Size 4.00 MiB
Total PE 6018
Alloc PE / Size 6018 / 23.51 GiB
Free PE / Size 0 / 0
VG UUID sncB8Z-0Upw-VrwH-DOPJ-hELz-377f-yyyyy

As you can see I have 2 volume groups: one installed by default on all VMs, called centos, and another one created by me, called storage. In this how-to I'm using the storage volume group.

Step 2:

shred -v --iterations=1 /dev/storage/EncryptedStorage

This command proceeds at the sequential write speed of your device and may take some time to complete. It is an important step to ensure no unencrypted data is left on a used device, and to obfuscate the parts of the device that contain encrypted data as opposed to just random data.

You may omit this step, although it is not recommended.

Step 3:

cryptsetup --verify-passphrase --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/storage/EncryptedStorage

In this step we format the volume with our selected block cipher; in this case I'm using AES in CBC mode with ESSIV IV generation and a 256-bit key.

A block cipher is a deterministic algorithm that operates on fixed-size data blocks and allows encryption and decryption of bulk data. The block cipher mode describes how the block cipher is repeatedly applied to bulk data in order to encrypt or decrypt it securely. An initialization vector (IV) is a block of data used for ciphertext randomization: it ensures that repeated encryption of the same plaintext produces different ciphertext, and it must not be reused with the same encryption key. For ciphers in CBC mode the IV must be unpredictable, otherwise the system could become vulnerable to certain watermarking attacks; this is the reason for the sha256 in the cipher spec, as ESSIV derives each sector's IV by encrypting the sector number under a key obtained by hashing the volume key, so the IV cannot be predicted without that key.

Step 4:

cryptsetup luksOpen /dev/storage/EncryptedStorage enc_encrypted_storage

Here we open the encrypted volume and assign it to a device that is mapped through device mapper; after this step you will be able to perform regular block device operations on it, as on any other LVM volume.

Step 5:

mkfs.ext4 /dev/mapper/enc_encrypted_storage

Format the volume with the default ext4 settings; you may use whatever flags you wish, though.

Step 6:

Edit /etc/crypttab and add the following line:

enc_encrypted_storage /dev/storage/EncryptedStorage none noauto

With this line we permanently assign the /dev/storage/EncryptedStorage volume to the enc_encrypted_storage mapped device.

The noauto option is important so that the server boots correctly even if the block device passphrase is not entered during the boot process; this lets you supply the passphrase at a later stage, either from a custom script or manually over ssh, for example.

Step 7:

Edit /etc/fstab and add the following entry:

/dev/mapper/enc_encrypted_storage /encrypted_storage ext4 noauto,defaults 1 2

This is where we map the previously mapped device to a mount point, in this case /encrypted_storage; the noauto parameter is set for the same reasons as in step 6.
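
A consistency check for steps 6 and 7, added here as an example (it is not part of the original how-to): it confirms that every crypttab mapping marked noauto also has a noauto mount in fstab, which is what keeps the boot from stalling when no passphrase is entered. The sample files are constructed; the first entry of each is the one from this how-to, and the enc_other / /other pair is a made-up mismatch.

```sh
#!/bin/sh
# Added example, not part of the original post: cross-check crypttab against
# fstab so that every mapping marked noauto in crypttab is also noauto in
# fstab. Otherwise boot waits for a mount whose /dev/mapper device never
# appears, because the passphrase was never entered.
# Both samples are constructed; only the first entry of each comes from the how-to.

CRYPTTAB_SAMPLE='# <name> <device> <keyfile> <options>
enc_encrypted_storage /dev/storage/EncryptedStorage none noauto
enc_other /dev/storage/Other none noauto'

FSTAB_SAMPLE='/dev/mapper/centos-root / xfs defaults 0 0
/dev/mapper/enc_encrypted_storage /encrypted_storage ext4 noauto,defaults 1 2
/dev/mapper/enc_other /other ext4 defaults 1 2'

# check_noauto CRYPTTAB_TEXT FSTAB_TEXT
# Prints one line per inconsistency; exit status 0 when everything is consistent.
check_noauto() {
    printf '%s\n' "$1" | awk -v fstab="$2" '
    BEGIN {
        # Index fstab by device: device -> mount options (4th field).
        n = split(fstab, lines, "\n")
        for (i = 1; i <= n; i++) {
            if (lines[i] ~ /^[ \t]*(#|$)/) continue
            split(lines[i], f, /[ \t]+/)
            opts[f[1]] = f[4]
        }
        bad = 0
    }
    /^[ \t]*(#|$)/ { next }          # skip crypttab comments and blank lines
    {
        name = $1
        dev = "/dev/mapper/" name
        # Wrap option lists in commas so "noauto" matches as a whole option.
        crypt_noauto = (("," $4 ",") ~ /,noauto,/)
        if (!(dev in opts)) {
            print name ": no fstab entry for " dev
            bad = 1
            next
        }
        fs_noauto = (("," opts[dev] ",") ~ /,noauto,/)
        if (crypt_noauto && !fs_noauto) {
            print name ": crypttab says noauto but fstab mounts " dev " at boot"
            bad = 1
        }
    }
    END { exit bad }'
}

# Run against the constructed samples; on a real host use
#   check_noauto "$(cat /etc/crypttab)" "$(cat /etc/fstab)"
check_noauto "$CRYPTTAB_SAMPLE" "$FSTAB_SAMPLE" || echo "crypttab/fstab mismatch found"
```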

Step 8:

mount /encrypted_storage

A simple mount command; you'll be able to store and access your files in /encrypted_storage, a good location for the files you want to keep private.

You may find more information about the supported ciphers and options in the Red Hat documentation:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/

Cheers,

Pedro Oliveira

20 July 2014 at 17:48
Pedro M. S. Oliveira

First impression on CentOS 7

After testing the new CentOS 7.0 here are my first impressions:

  1. systemctl took some time to get into (the learning was done on my SuSE laptop distro).
  2. I don't really like the new FW config, although I see some advantages there; if you already know iptables well enough there isn't much to gain.
  3. The default installation is very good; kickstart also works like a charm.
  4. I would love to see a 3.13.xxx kernel instead of the 3.10.xxx, though (I need to read what has been back-ported).
  5. The new default XFS file system surprised me, and for the standard VM installs I've gone back to ext4 with some custom options; you need to pay attention to this especially if you are deploying small VMs. Big filesystems on more than 2 cores will benefit from using it.
  6. The network configuration manager also changed and it's better; it's nice to be able to fully use network-manager (nm), and the command line interface is really nice too (nmtui).
  7. The boot loader is now grub2 instead of grub.
  8. Also great: the EPEL repo with all the goodies we are used to; you may install it just by running:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm

I still think Redhat and its army of clones are ahead of all the major distributions when it comes to carrying mission-critical workloads and delivering the best performance out of your boxes.

Great work CentOS team, and thank you Redhat!

PS – I'm also proud of Redhat 6: a few years ago I installed an email cluster consisting of 2 servers and SAN storage; this email cluster served 3000+ IMAP accounts (10GB quota, maildir format). The nice thing is that it was installed with Redhat 6.0 (approximately one month after release) and it's still running without reboots (4 years). This is impressive, but now I hope my ex-workplace updates it to Redhat 7, although Redhat 6 support will still be available until 2020.

13 July 2014 at 12:40
Pedro M. S. Oliveira

OpenVPN username/password authentication on DD-WRT

In this post I'll be using DD-WRT build 23320 and an ASUS RT-AC66U router to establish two "always on" VPNs (using openvpn) with username/password authentication. This router supports all the new wifi protocols and in theory has over 1Gbps capability using dual band; it supports both the 2.4GHz and 5.0GHz bands. I've used it with DD-WRT without any stability issues for more than 6 months now.

DD-WRT is one of my favourite linux distros; it's specially made to work on home routers, APs and small appliances. You may download it from http://www.dd-wrt.com; make sure your equipment is supported by looking it up in the router database.

Apart from the regular home router needs it also supports a complete set of network functionality like:

  • FreeRadius
  • PPPoE Server
  • VPN
  • USB (printing/mass storage)
  • NAS
  • Hotspot
  • SIP Proxy
  • Adblocking
  • Webserver
  • QOS

As I said, I'll be talking about enhancing the standard openvpn functionality in dd-wrt. OpenVPN is available on most dd-wrt builds; nevertheless, out of the box you can only have one VPN connected and it doesn't support username/password authentication.

Let me describe the setup:

  1. Home at country A (localnet 192.168.17.0/27)
  2. Home at country B (localnet 192.168.18.0/27)
  3. External third-party net at country C (localnet 172.17.31.0/23)
  4. In order to see IPTV on country A I need to route all the IPTV network through openvpn server at country B
  5. I want to have full network access to networks on country B and C from country A
  6. I want to have full network access from country B to country A
  7. I don’t want access from country C on country A (or B but it’s not relevant for us)

What’s needed:

  1. DD-WRT enabled router (in this case an ASUS RT-AC66U) with support for openvpn (the mega version, for example).
  2. OpenVPN endpoint* (in this example we will be using 2 endpoints, one for country B and another for country C).
  3. User access to those endpoints (username/password/certificates).

* As an endpoint you may use any kind of appliance or custom-made openvpn solution; if you want to build it fast I'd recommend Endian FW.

DD-WRT has a very nice graphical interface and we will use it to build our setup. Previously I configured the router through the command line, storing all the config data in nvram with the commands:

nvram set _VAR1_="config blabla"

nvram commit

and then created a startup script that would read all those variables and create the config files.

But as I said there's a better way of doing it, and that's by using the startup option in the Commands menu that can be found under Administration.


We will create a single script that will be read when the router comes to life and starts up our VPNs.

Just press edit under the startup placeholder.

You may insert the text below; I'll describe what it does further on in the post.


mkdir /tmp/openvpncl
cat > /tmp/openvpncl/myauth1.txt << EOF
MY_USER_NAME_GOES_HERE
MY_PASSWORD_GOES_HERE
EOF
cat > /tmp/openvpncl/myauth2.txt << EOF
MY_USER_NAME_GOES_HERE
MY_PASSWORD_GOES_HERE
EOF
chmod 500 /tmp/openvpncl/myauth1.txt
chmod 500 /tmp/openvpncl/myauth2.txt
cat > /tmp/openvpncl/route-up_1.sh << EOF
#!/bin/sh
route add -net 23.13.0.0/16 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 80.24.178.0/23 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 10.2.2.0/24 gw xxx.xxx.xxx.xxx #IPTV ROUTES
route add -net 10.22.0.0/16 gw xxx.xxx.xxx.xxx #IPTV ROUTES
EOF
cat > /tmp/openvpncl/route-up_2.sh << EOF
#!/bin/sh
route add -net 16.13.0.0/16 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 12.24.178.0/23 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 13.2.2.0/24 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
route add -net 10.232.0.0/16 gw xxx.xxx.xxx.xxx #EXT NET ROUTES
EOF
chmod 500 /tmp/openvpncl/route-up_1.sh
chmod 500 /tmp/openvpncl/route-up_2.sh
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.conf << EOF
client
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca
auth-user-pass /tmp/openvpncl/myauth1.txt
script-security 2
dev tap1
cipher bf-cbc
auth sha1
remote CHANGE_TO_HOSTNAME_or_IP_1 1194
comp-lzo no
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
EOF
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.conf << EOF
client
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca
auth-user-pass /tmp/openvpncl/myauth2.txt
script-security 2
dev tap2
cipher bf-cbc
auth sha1
remote CHANGE_TO_HOSTNAME_or_IP_2 1194
comp-lzo no
tls-client
tun-mtu 1500
mtu-disc yes
fast-io
EOF
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca << EOF
-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_GOES_HERE__dasdadasdasdsasalzELMAkGA1UE
BhMCUFQx CzAJBgNVBAgTAkxYMQswCQYDVQQHEwJMWDEbMBkGA1UEChM
Sd3d3LmxpbnV4LWdl ZXguY29tMQswCQYDVQQLEwJJVDEeMBwGA1UEAx
MVd3d3LmxpbnV4LWdlZXguY29t IENBMSQwIgYJKoZIhvcNAQkBFhVwb
XNvbGl2ZWlyYUBnbWFpbC5jb20wHhcNMTAw MTE0MTk0NzE0WhcNMjUx
MTI1MTAyMTU0WjCBlzELMAkGA1UEBhMCUFQxCzAJBgNV BAgTAkxYMQs
wCQYDVQQHEwJMWDEbMBkGA1UEChMSd3d3LmxpbnV4LWdlZXguY29t MQ
swCQYDVQlfhoashoadasiodasiodqwenzczcpzocp4LWdlZXguY29tIE
NBMSQw IgYJKoZIhvcNAQkBFhVwbXNvbGl2zdsadsasdadsZWlyYUBnb
-----END CERTIFICATE-----
EOF
cat > /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca << EOF
-----BEGIN CERTIFICATE-----
YOUR_CERTIFICATE_GOES_HERE__dasdadasdasdsasalzELMAkGA1UE
BhMCUFQx CzAJBgNVBAgTAkxYMQswCQYDVQQHEwJMWDEbMBkGA1UEChM
Sd3d3LmxpbnV4LWdl ZXguY29tMQswCQYDVQQLEwJJVDEeMBwGA1UEAx
MVd3d3LmxpbnV4LWdlZXguY29t IENBMSQwIgYJKoZIhvcNAQkBFhVwb
XNvbGl2ZWlyYUBnbWFpbC5jb20wHhcNMTAw MTE0MTk0NzE0WhcNMjUx
MTI1MTAyMTU0WjCBlzELMAkGA1UEBhMCUFQxCzAJBgNV BAgTAkxYMQs
wCQYDVQQHEwJMWDEbMBkGA1UEChMSd3d3LmxpbnV4LWdlZXguY29t MQ
swCQYDVQlfhoashoadasiodasiodqwenzczcpzocp4LWdlZXguY29tIE
NBMSQw IgYJKoZIhvcNAQkBFhVwbXNvbGl2zdsadsasdadsZWlyYUBnb
-----END CERTIFICATE-----
EOF
chmod 700 /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.ca
chmod 700 /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.ca
sleep 5

(nohup openvpn --config /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_1.conf --route-up /tmp/openvpncl/route-up_1.sh &) > /dev/null
(nohup openvpn --config /tmp/openvpncl/CHANGE_TO_HOSTNAME_or_IP_2.conf --route-up /tmp/openvpncl/route-up_2.sh &) > /dev/null

If you know openvpn a bit more deeply you may find it odd that I'm not using LZO compression; this is done on purpose, as LZO limits the bandwidth available on the router because of CPU usage. In my case most of the traffic is already compressed (ssh, mp4, images, and so on). With LZO I would find my CPU near 100% with traffic around 25Mbps, so I prefer to disable it and compress the traffic between the endpoints at application level. This allows me to have 50Mbps+ throughput available with this router.

You will also have to edit the firewall placeholder; once again press edit and insert the following:

iptables -I FORWARD 1 -i br0 -o tap1 -j ACCEPT
iptables -I FORWARD 2 -i tap1 -o br0 -j ACCEPT
iptables -I FORWARD 3 -i br0 -o tap2 -j ACCEPT
iptables -I INPUT 1 -i tap1 -j ACCEPT

The startup script is nothing more than a set of commands that will be run to create the configuration files. Please be advised that you will have the VPN passwords in plain text in the configuration, and this may pose a security risk. Nevertheless, it's not less secure than having the full configuration rely on certificates: if someone is able to retrieve your data from the router, he will also be able to retrieve the certificates. If you really don't want to have the password in plain text you won't be able to fully automate the VPN startup process.

The iptables rules are needed in order to allow access to the different networks; this is the most basic set of rules that will allow the configuration I proposed at the beginning. Finally, please don't forget to change the route-up_X.sh scripts to match your needs.

Happy networking :)

Pedro Oliveira

19 January 2014 at 03:55
Pedro M S Oliveira

Enable IP forwarding on your Linux router

How do I enable IP forwarding on a Linux router? People ask me this time and time again so here are 2 short answers (if you don’t use IPv6 ignore the lines that contain ipv6 in the content):

Temporarily:

echo 1 > /proc/sys/net/ipv4/ip_forward ;
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding;

Permanent:

echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/999_ip_forward.conf ;
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/999_ip_forward.conf ;
sysctl -p /etc/sysctl.d/999_ip_forward.conf ;

Cheers,

Pedro Oliveira

11 December 2013 at 13:27
Pedro M. S. Oliveira

TOR 0.2.4.17 for Redhat and its clones (CentOS, Scientific Linux, etc)

Hi!

Here is the new version of the TOR rpm package; you may also install other mainstream versions from EPEL, but currently this one is the latest.

This package is for RHEL 6.4 and all its clones (CentOS, Scientific Linux, etc.)

tor-0.2.4.17.rc-tor.0.rh6_4.x86_64

md5sum: 11bf2bf0e0185f85e9433d5c1b5ddeb8

Source code: https://www.torproject.org/dist/tor-0.2.4.17-rc.tar.gz

To install:

rpm -Uvh tor-0.2.4.17.rc-tor.0.rh6_4.x86_64

or

yum localinstall tor-0.2.4.17.rc-tor.0.rh6_4.x86_64

Hope it helps,

Pedro Oliveira

7 September 2013 at 16:02
Pedro M. S. Oliveira

Mental note – openssl commands usage

From cyberciti (15 Greatest Open Source Terminal Applications Of 2012), for personal reference:

## connect to mail server for testing purpose ##
openssl s_client -connect smtp.server.com:995
openssl s_client -connect smtp.server.com:995 -CApath /etc/ssl
## encrypt file ##
openssl aes-256-cbc -salt -in records-fy-2011-12.dbx -out records-fy-2011-12.dbx.aes
## decrypt file ##
openssl aes-256-cbc -d -in records-fy-2011-12.dbx.aes -out records-fy-2011-12.dbx

13 December 2012 at 09:58
Pedro M. S. Oliveira

Tor 0.2.2.39 for RHEL, CentOS and Scientific Linux

It's been a while since I last wrote and today I won't write much either; I'll just leave an update on the TOR rpm packages for RHEL 6 and its clones.

Cheers,

Pedro M. S. Oliveira

Binary:

tor-0.2.2.39-tor.0.rh6_3.x86_64.rpm

Source:

tor-0.2.2.39-tor.0.rh6_3.src.rpm

11 November 2012 at 02:19
Pedro M. S. Oliveira

How to re-scan scsi bus

For my personal reference (from http://jeff.blogs.ocjtech.us/2008/05/how-to-re-scan-scsi-bus-on-linux.html)

How to re-scan the SCSI bus on Linux
Note to self/Google, here’s how to re-scan the SCSI bus on Linux:

echo "- - -" > /sys/class/scsi_host/host0/scan

Update: Tim Verhoeven has a more complete description of the re-scanning process.
(http://misterd77.blogspot.com/2007/12/how-to-scan-scsi-bus-with-26-kernel.html)

23 August 2012 at 07:03
Pedro M. S. Oliveira

Average file size on directory using filters

While tuning and benchmarking an HP backup device (HP D2D backup system) I needed to estimate the average file size of the IMAP server storage.
You may think I could just count the number of files and then divide the used space by the number of files, but that wasn't the case, because I didn't want all the files to count; in this case I just needed the maildir files that hold the email content.
So I did a little script (just a command line) to do it for me:

find /home/vmail -type f -name '[0-9]*' -exec ls -l {} \; | gawk '{sum += $5; n++;} END {if (n) print sum/n;}'

First I find all the files that start with a number under the base directory of my dovecot server (IMAP storage), and then I list them, as the size info is needed.
Second, I have a little gawk script (this part isn't mine; I found it on the net years ago) that does the sum and division.
Let me say this took a few hours, as the storage holding the files has 8TB of data.
Well, hope this will help someone else.
Cheers,
Pedro

17 March 2012 at 01:50
Pedro M. S. Oliveira

Listing storage (scsi) paths for use with multipath

Hi!

About a year ago I set up some Linux RHEL 6 servers with multipath access to an HP EVA storage.

Today I needed to do it again, and to do so I needed to list all the paths available to the storage device. Here's my command line (hope it helps someone else) to list all the paths and volumes:

for D in /dev/sd*; do
    case $D in *[0-9]) continue ;; esac   # skip partitions, keep whole disks
    printf '%s ' "$D"
    scsi_id --page=0x83 --whitelisted --device="$D"
done | sort -k 2

The output should be something like this:


/dev/sda 3600508b1001c927a634cedb90322b49e
/dev/sdb 3600508b4000744ff0000a00001fd0000
/dev/sdf 3600508b4000744ff0000a00001fd0000
/dev/sdj 3600508b4000744ff0000a00001fd0000
/dev/sdn 3600508b4000744ff0000a00001fd0000
/dev/sdd 3600508b4000744ff0000a000025c0000
/dev/sdh 3600508b4000744ff0000a000025c0000
/dev/sdl 3600508b4000744ff0000a000025c0000
/dev/sdp 3600508b4000744ff0000a000025c0000
/dev/sde 3600508b4000744ff0000a000025f0000
/dev/sdi 3600508b4000744ff0000a000025f0000
/dev/sdm 3600508b4000744ff0000a000025f0000
/dev/sdq 3600508b4000744ff0000a000025f0000
/dev/sdc 3600508b4000744ff0000a00002660000
/dev/sdg 3600508b4000744ff0000a00002660000
/dev/sdk 3600508b4000744ff0000a00002660000
/dev/sdo 3600508b4000744ff0000a00002660000


As you can see I have one local disk on this server, actually a hardware RAID1 (sda), and 16 paths to my storage device, which delivers 4 different volumes (4 paths to each volume).
Sometime later I'll discuss the multipath configuration, but for now I just wanted to leave the command line that helped me list all the path ids.
Cheers,
Pedro Oliveira

9 March 2012 at 20:12
What about multipath -ll? A big hug!
5 June 12 at 16:43
Pedro M. S. Oliveira
You're right Telmo, however the multipath -ll command is much more "verbose". Hugs
6 June 12 at 13:39