Tag: Security

  • Unlock LUKS partition on boot with a USB


    Generating the passphrase (Keyfile)

    First we need to generate the keyfile that will unlock the LUKS partition; it plays the role of a password. To create it we can use the following command, which writes 32 bytes of random data to the file.

    dd if=/dev/random bs=32 count=1 of=/pathto/keyfile

    You then need to create a LUKS partition, either with a GUI or from the command line with the following commands:

    Find the partition you want to encrypt

    lsblk

    Then we use a utility that is already installed on most Linux distributions (cryptsetup) to encrypt our partition with our keyfile.

    cryptsetup luksFormat partition /pathto/keyfile

    When it’s done, you should be able to open your encrypted partition using the same utility. In this example DEV is your LUKS partition and MAPPING is the name you want to give to the LUKS mapping (it can be anything).

    cryptsetup luksOpen DEV MAPPING --key-file /pathto/keyfile

    Then you can close it.

    cryptsetup luksClose MAPPING

    Now that we checked that our partition encryption works and our keyfile too, we can plug the USB drive we want to use and copy the keyfile to it.

    cp /pathto/keyfile /pathtousbdrive/keyfile

    We’re almost done. Now we need to tell the system, in the crypttab configuration file, to unlock our partition automatically when the USB drive is connected.

    nano /etc/crypttab

    and add a line, which will vary depending on your configuration:

    MAPPING UUID=UUIDofyourLUKSpartition /pathtousbdrive/keyfile luks,nofail

    There you go. The last step is to regenerate the initramfs image of your system to apply these changes; use the following commands depending on your system.

    To be safe you can also back up the initramfs you are currently using.

    cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).bak.$(date +%m-%d-%H%M%S).img

    Then update the initramfs

    On Debian-based systems:

    update-initramfs -k all -u

    On Red Hat:

    dracut -f -v
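    The whole procedure above, wrapped in small shell helpers that add the checks a practitioner would want before touching /etc/crypttab. This is an added example, not code from the original post: the keyfile is created with a restrictive umask so it is never world-readable, the UUID is validated before the crypttab line is written, and the keyfile is tested against the LUKS header without activating the mapping. Device paths, UUIDs and mount points are placeholders; `stat -c`, `blkid` and `cryptsetup open --test-passphrase` are assumed to be available (GNU coreutils, util-linux, cryptsetup).

```sh
#!/bin/sh
# Added example, not from the original post: helper functions for the
# USB-keyfile procedure. Device paths, UUIDs and mount points below are
# placeholders; stat -c and blkid are assumed (GNU coreutils / util-linux).
set -e

# Create the keyfile with restrictive permissions from the start: dd on its
# own would create it with the default umask, briefly world-readable.
gen_keyfile() {
  keyfile="$1"
  ( umask 077; dd if=/dev/urandom bs=32 count=1 of="$keyfile" 2>/dev/null )
  chmod 0400 "$keyfile"
}

# Returns 0 when the file is exactly 32 bytes and readable by its owner only.
keyfile_ok() {
  f="$1"
  [ -f "$f" ] || return 1
  [ "$(stat -c %s "$f")" -eq 32 ] || return 1
  case "$(stat -c %a "$f")" in
    400|600) return 0 ;;
    *) return 1 ;;
  esac
}

# Accept only a UUID of the form blkid/lsblk print (8-4-4-4-12 hex digits),
# so a typo cannot end up in /etc/crypttab.
is_uuid() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Build the crypttab line used in the post: mapping name, LUKS UUID and the
# keyfile path on the USB drive, with the luks,nofail options.
crypttab_line() {
  mapping="$1"; uuid="$2"; key="$3"
  is_uuid "$uuid" || { echo "crypttab_line: not a UUID: $uuid" >&2; return 1; }
  printf '%s UUID=%s %s luks,nofail\n' "$mapping" "$uuid" "$key"
}

# Check the keyfile against the LUKS header without activating the mapping
# (needs root). cryptsetup's --test-passphrase does exactly that for `open`.
verify_keyfile() {
  dev="$1"; key="$2"
  cryptsetup open --test-passphrase --key-file "$key" "$dev"
}

# Usage on a real system (all placeholders):
#   gen_keyfile /root/keyfile && keyfile_ok /root/keyfile
#   cryptsetup luksFormat /dev/sdX1 /root/keyfile
#   verify_keyfile /dev/sdX1 /root/keyfile
#   crypttab_line cryptdata "$(blkid -s UUID -o value /dev/sdX1)" /mnt/usb/keyfile >> /etc/crypttab
```

    The `luks,nofail` options are the ones from the post; `nofail` keeps the boot from hanging when the USB drive is not plugged in, at the cost of the partition simply not being mapped in that case.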


  • Crowdsec – Collaborative Security


    Crowdsec is a relatively new tool in the security world. It is an Intrusion Prevention System (IPS): it detects threats and adds the necessary firewall rules when needed.

    Crowdsec differs from other IPSs because of its collaborative aspect. It also offers an on-premise or cloud dashboard.

    You may have heard of, or used, Fail2ban; Crowdsec basically does the same thing, but with more features.

    Pros

    • Open-Source
    • Collaborative security
    • Decoupled detection and action software
    • Ease of use
    • IPv6 Ready
    • GDPR Compliant
    • Easy to install & setup
    • Large support for many services

    Cons

    • Not easily understandable
    • Can be hard to setup depending on your setup

    Types of recognized threats

    (Figure: Threats recognized by Crowdsec)

    How does it work?

    First, it gathers logs from any source and parses them; it then applies scenarios to identify cyber-threats, and rules are set depending on the desired behaviour.

    Crowdsec has two main components, the scenarios and the bouncers. The scenarios detect the type of threat and the bouncers take an action to ban/correct it. You can also choose to use only one of the two parts.

    Base installation

    curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
    Add the Crowdsec repository
    sudo apt-get install crowdsec
    Install Crowdsec

    Understanding bouncers

    Bouncers are used to “apply” the decisions taken on the threats detected by the Crowdsec software.

    Before installing the basic bouncer that acts on your firewall rules, you need to check whether your system uses iptables or nftables, to determine where the bouncer should act to block the attacks.

    Then you can use the basic firewall bouncer. It covers the most common attacks on your server (brute-force, slow brute-force, …).

    apt install crowdsec-firewall-bouncer-iptables
    Install the Linux firewall bouncer

    Then, depending on the service(s) running on your server, you can use one or more other bouncers.

    • WordPress bouncer
    • Caddy bouncer
    • HAproxy bouncer
    • Traefik bouncer
    • Nginx bouncer
    • And more …
    🔎 You can check the full bouncer list on the Crowdsec website
    💡 Keep in mind that some bouncers are experimental!

    See it in action

    After a few hours/days you can use a few commands to see Crowdsec in action.

    sudo cscli decisions list
    Check whether IP bans have been applied
    sudo cscli decisions delete --ip 1.2.3.4
    Delete the ban of the IP 1.2.3.4
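    Two practical helpers for the steps above, as an added example that is not part of the original post or of the Crowdsec project: the first decides whether the host runs iptables or nftables and picks the matching firewall bouncer package (the post names the iptables package; `crowdsec-firewall-bouncer-nftables` is its nftables counterpart), the second wraps `cscli decisions delete --ip` so that only a well-formed IPv4 address is ever passed to it, which guards against typos and copy-paste of arbitrary strings into a root command. The rule-count heuristic in `detect_backend` is an assumption and is separated from the pure decision so the logic can be checked without root.

```sh
#!/bin/sh
# Added example, not from the original post: choose the Crowdsec firewall
# bouncer that matches the host's firewall backend, and wrap the unban
# command from the post so only a well-formed IPv4 address reaches cscli.
# The nftables package name and the rule-count heuristic are assumptions.
set -e

# Pure decision: takes "yes"/"no" for "nft has tables" and "iptables has
# rules", so it can be exercised without root. nftables wins when both are
# present, since iptables-nft writes its rules into nftables anyway.
pick_backend() {
  if [ "$1" = yes ]; then echo nftables
  elif [ "$2" = yes ]; then echo iptables
  else echo none; fi
}

# Probe the live system (needs root) and feed the answer to pick_backend.
# An empty `nft list tables` means no nftables ruleset; `iptables -S` on an
# untouched filter table prints only the three default policy lines.
detect_backend() {
  nft_state=no; ipt_state=no
  if command -v nft >/dev/null 2>&1 && [ -n "$(nft list tables 2>/dev/null)" ]; then
    nft_state=yes
  fi
  if command -v iptables >/dev/null 2>&1 && [ "$(iptables -S 2>/dev/null | wc -l)" -gt 3 ]; then
    ipt_state=yes
  fi
  pick_backend "$nft_state" "$ipt_state"
}

# Map the backend to the bouncer package to install.
bouncer_package() {
  case "$1" in
    nftables) echo crowdsec-firewall-bouncer-nftables ;;
    iptables) echo crowdsec-firewall-bouncer-iptables ;;
    *) echo "no firewall backend found, nothing to install" >&2; return 1 ;;
  esac
}

# Strict dotted-quad check: four decimal fields, each 0-255, nothing else.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# Unban wrapper: refuse anything that is not a plain IPv4 address before it
# is passed to `cscli decisions delete --ip`.
unban_ip() {
  is_ipv4 "$1" || { echo "unban_ip: refusing '$1'" >&2; return 1; }
  sudo cscli decisions delete --ip "$1"
}

# Usage on a real host (needs root):
#   apt install "$(bouncer_package "$(detect_backend)")"
#   unban_ip 1.2.3.4
```

    Keeping the decision function free of system calls is deliberate: you can unit-test the selection logic on any machine, and only `detect_backend` and `unban_ip` need to run on the host that actually has Crowdsec installed.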