Feb 25, 2011

How To Password Protect Zip/Tar Archive Via Script in Linux

So the reason I am writing this post is because I was searching for something very similar myself recently. I recently set up a password server at my office, and wanted an easy way to back it up in case I ever had to restore it. We use Microsoft DPM at my company, and it doesn’t really back up Linux, so I needed a way to copy the configs and such for my server over to a Windows box to be backed up to tape.

I decided I wanted to compress the install directory for my program into an archive, then copy over to a Windows file server. Since it contained passwords, even though they are stored using AES encryption, I wanted to password protect the archive for another layer of security. Normally for Linux I like to create tar.gz files, however no matter where I searched, I couldn’t find an article on how to password protect it. I found a lot of people encrypting their tarballs with GPG, but that wasn’t what I wanted.

Next I thought about using zip, so I installed zip in my Linux server. Zip has an -e switch for password protecting, but it prompts you. I couldn’t figure out a good way to script that. Then I sat back and had an aha moment. Why not use 7zip?

I wrote a few months ago about how easy it is to use 7zip for a backup program in Windows. Well, 7zip is available for Linux too! To install it run the following:

sudo apt-get install p7zip-full

Once installed, I used the following script to create a 7z archive of my directory with password protection!


NOW=$(date +"%b-%d-%y")
7za a "/path/to/archive/DIRECTORYNAME-$NOW.7z" "/path/to/directory/to/backup" -pYOURPASSWORD

If you don’t speak shell, what I’ve done above is create a variable called NOW that holds the date in a month-day-year format (for example Feb-25-11). I do that so I can time stamp the filename of my archive, by adding $NOW to the archive name. Make sure to change the above to fit your environment. Also, make a note that there is NO space between the -p switch and the password.

There you have it, it will now create a 7z archive that is password protected for somewhat secure transportation and/or offsite backup!

Do you do something different to password protect archives on your Linux server? Let us know in the comments!

Feb 21, 2011

How To Use 3rd Party SSL Certs with WebKeePass

I wrote up a quick article on how to setup WebKeePass last week. WebKeepass is a great open source password vault server that is web based. It allows you to store your shared network passwords in a secure place in one central location. The initial install is really easy, and if you don’t have a problem using self signed SSL certs, the initial install is all you need to know.

However, if you are like me and prefer to use legit 3rd party certs for important stuff like passwords, then you are going to need this article too. Now the WebKeePass documentation has a blurb about 3rd party SSL certs, but all it says is to look at the Tomcat Jakarta documentation for installing SSL certs. Not exactly a good clue on how to change it out for WebKeePass specifically. After some trial and error, I finally figured it out, so you don’t have to. One of the things I figured out was that the alias they use for their self signed cert is ‘tomcat’. That leads us to step number 1, after installation, we have to remove the old alias of tomcat so we can continue. To do that, change into your WebKeePass install directory (Mine is /opt/wkp) then change into the config directory. From inside there, run the following:

keytool -delete -alias tomcat -keystore webKeePass.key

You will be prompted for a password. The default password is changeit.

Now that tomcat is deleted, we need to recreate it by running the following:

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore webKeePass.key -dname "CN=<yourservers fqdn>,OU=DEPT, O=COMPANY, L=CITY, ST=STATE, C=us"

Make sure to change the above to match your server/company/location. After that run the following to generate a new SSL CSR to give to your third party SSL provider.

keytool -certreq -alias tomcat -file <your fqdn>.csr -keystore webKeePass.key

Now that you have your CSR, go ahead and go through the process of requesting a cert with your certificate authority of choice. May I suggest GoDaddy because they have SSL certs for only $12.99 if you use this link: (GoDaddy Deal)


Once you have your certificate, you have to install all root, intermediate and cross intermediate certificates into your keystore. Download them, and copy them into your keystore directory. Once again, for me it’s /opt/wkp/conf/. Run the following to install your root certificate:

keytool -import -alias root -keystore webKeePass.key -trustcacerts -file rootcert.crt

Run the following to install your intermediate:

keytool -import -trustcacerts -alias intermediate -keystore webKeePass.key -file intermediate.crt

Run the following to install your cross intermediate if you have one:

keytool -import -trustcacerts -alias cross -keystore webKeePass.key -file cross_intermediate.crt

Now that all of your signing certificates are installed and trusted, you are ready to install your new third party SSL certificate for WebKeePass. To do that run the following:

keytool -import -trustcacerts -alias tomcat -file <yourcertificate>.crt -keystore webKeePass.key

Now either start your WebKeePass service if you haven’t already, or reboot if it is already running. Your new certificate should now be working! Questions? Comments? Hit me up below!
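The keytool steps above, put together as one added example script (not from the post or the WebKeePass project) so the whole swap can be repeated on the next renewal. It adds two things a practitioner wants: a preflight check that every certificate file is actually present before the keystore is touched, and a final keytool -list that confirms the tomcat alias is a PrivateKeyEntry, meaning the signed certificate was matched to the private key rather than imported as a standalone trusted certificate. It assumes it is run from the WebKeePass config directory (/opt/wkp/conf in the post), that keytool from the JDK is on PATH, and that the keystore password is still the default changeit; the -storepass, -keypass and -noprompt switches are standard keytool options used here so the script does not stop to ask.

```shell
#!/bin/sh
# Added example, not the post's or WebKeePass's own script.
# Assumes: run from the WebKeePass config directory, keytool on PATH,
# keystore password "changeit" (the default the post mentions).

KEYSTORE=${KEYSTORE:-webKeePass.key}
STOREPASS=${STOREPASS:-changeit}

# Return 0 only if every argument names a readable file; say which one is missing otherwise.
require_files() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    return 0
}

# Build the -dname string from its parts so the CN is exactly the server's FQDN.
dname() {
    # $1 fqdn, $2 OU, $3 O, $4 L, $5 ST, $6 C
    printf 'CN=%s,OU=%s,O=%s,L=%s,ST=%s,C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Post steps 1-3: drop the self-signed "tomcat" entry, make a new key, write the CSR.
new_key_and_csr() {
    # $1 fqdn, then OU O L ST C as for dname
    fqdn=$1; shift
    keytool -delete -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null || true
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -dname "$(dname "$fqdn" "$@")" || return 1
    keytool -certreq -alias tomcat -file "$fqdn.csr" -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Post steps 4-7: import root, intermediate, optional cross intermediate, then the server cert.
install_chain() {
    # $1 root cert, $2 intermediate cert, $3 signed server cert, $4 optional cross intermediate
    require_files "$1" "$2" "$3" || return 1
    keytool -import -noprompt -trustcacerts -alias root -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$1" || return 1
    keytool -import -noprompt -trustcacerts -alias intermediate -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$2" || return 1
    if [ -n "$4" ]; then
        require_files "$4" || return 1
        keytool -import -noprompt -trustcacerts -alias cross -keystore "$KEYSTORE" \
            -storepass "$STOREPASS" -file "$4" || return 1
    fi
    keytool -import -trustcacerts -alias tomcat -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$3" || return 1
    # Check: "tomcat" must now be a PrivateKeyEntry. A trustedCertEntry here means the
    # certificate did not match the key under that alias and Tomcat will keep serving the old one.
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias tomcat | grep -q PrivateKeyEntry
}

# Usage (placeholders):
#   new_key_and_csr vault.example.com IT "Example Co" City State us   # then send vault.example.com.csr to the CA
#   install_chain rootcert.crt intermediate.crt vault.example.com.crt cross_intermediate.crt
```

If install_chain fails at the last step, the usual cause is that the CSR was generated against a different key than the one now under the tomcat alias (for example the alias was deleted and regenerated again after the CSR was sent); in that case a new CSR and a reissued certificate are needed.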

Feb 17, 2011

Free Open Source Password Vault Server

So here’s the deal at my day gig. I’m sure you all have something similar. There are a number of shared service account, or web portal passwords that your team uses and you want to make sure that only authorized people get to them. Some security experts frown on this, while others suggest this. I’m not going to get into that argument in this post, I am just going to write about what I stood up for my company that looks like it will work for our needs.

So the other day my boss asked us to start looking at a central password vault where we can manage all of our secure passwords. He wanted to make it so we could store all shared company passwords in one place. He also wanted to be able to control which groups had access to which passwords. He also didn’t want to spend any money. When I hear that, I immediately start looking in Linux and Open Source.

It took me a while to find, but I think I found the right solution. Now if you are scared of Linux, don’t worry, this solution works on a Windows server too. I however set it up in Ubuntu Linux Server edition, so that is what I will post about. The tool is called Web KeePass. It is a Java web-based port of the popular KeePass password safe. When I say web-based, that means a central server repository of your sensitive credentials.

With it you can store your passwords using AES, 3DES, Blowfish, Serpent or other encryption algorithms to ensure your credentials stay safe. You can also configure multiple users, and groups to control who has access to certain passwords. Since it’s open source, it also means it is free! Sounds like I am meeting all my boss’s requirements.

To set it up in Ubuntu do the following:

  • First install the Java SDK

    sudo apt-get install default-jdk

  • Next Install unzip

    sudo apt-get install unzip

  • Download the Web Keepass install pack

    wget http://downloads.sourceforge.net/project/webkeepass/WebKeePass-3.101127.zip

  • Create a directory called wkp in /opt

    sudo mkdir /opt/wkp

  • Unzip the Web KeePass install pack

    unzip WebKeePass-3.101127.zip

  • Change into the Web Keepass Install folder

    cd WebKeePass*

  • Make the Install-no-gui.sh file executable

    sudo chmod +x Install-no-gui.sh

  • Execute the Install-no-gui.sh file

    sudo ./Install-no-gui.sh

  • Enter the following info when prompted

    Installation Path: /opt/wkp
    JAVA_HOME Path: /usr/lib/jvm/java-6-openjdk
    Tomcat HTTPS/SSL Port:
    (Leave the rest as defaults)

  • Change into the /opt/wkp directory

    cd /opt/wkp

  • Make startup.sh executable and set permissions

    sudo chmod a+x ./startup.sh
    sudo chmod a+x ./jakarta-tomcat-5.5.7/bin/*.sh

  • Run startup.sh to launch your new server

    sudo ./startup.sh

  • You can now browse to your KeePass Web Server at https://yourserver



Simple right? You could stand this thing up in under 10 minutes if you wanted to, and have a really secure place to store your sensitive passwords. If you want to make sure Web Keepass starts at bootup, add the following lines to /etc/rc.local right before exit 0:

export JAVA_HOME=/usr/lib/jvm/java-6-openjdk
/bin/sh /opt/wkp/jakarta-tomcat-5.5.7/bin/startup.sh

What do you guys think? Do you know of a similar password vault solution? One that is web-based? I would love to hear about your favorites in the comments.

Feb 16, 2011

A Must Have For Android: Lookout Mobile Security

I loves me some apps on my HTC Evo. I also like to tinker with my phone, root it, blow it up, and what not. It’s sort of what I do. What I don’t always like is after I’m done testing an app, or modding my phone someway, and I have to rebuild. It’s just not fun.

Today I was browsing through the Google App market on my phone looking for a new Twitter application to play with, and I came across an app that I have seen before and decided to give it a try. This app boasts free antivirus/anti-spyware, cloud backup and the ability to track down a lost phone. Yes, I said for free! I figured, why the hell not and promptly downloaded it. On a side note, look out for RackSpace cloud computing for your cloud needs.

This app is called Lookout Mobile Security, and it does exactly what I mentioned above. In the free version it will backup all your contacts to the cloud for free, protect your computer from malware, and if you ever lose your phone you can find it on a map. Heck, if you lose your phone in your apartment, you can make your phone set off a loud siren so you can find it! (Perfect for my wife). If someone steals your phone, imagine their embarrassment when the phone they boosted starts squawking loudly drawing attention to them. Can’t be fun for them.


Also, not only can you control settings, back up your phone and more from the app on your phone, you can also log in using your account on the My Lookout website and remotely control your security from anywhere.

They have a premium version as well that is free to try for 30 days, and is only $2.99 per month or $29.99 per year. Cheap if you ask me!

With the premium version you get the same stuff as above plus:

  • Ability to backup photos and call history
  • Remotely wipe your phone if it gets lost or stolen
  • Remotely lock your phone if it gets lost or stolen
  • Privacy dashboard
  • Privacy scans
  • Premium support

This app isn’t only available for Android users either. There is a version for Blackberry and Windows Mobile as well. Sorry iPhone users, you can suck it!

All in all, $2.99 per month for a little peace of mind isn’t a bad deal. Plus the next time I blow up my phone, I know I can easily restore my data from the cloud.

Feb 2, 2011

How To Sysprep Windows 7 On The Easy

As some of you know that have been following me on Twitter, or Facebook, I have been setting up a new OS/Software deployment server using Fog. The cool thing about Fog, besides it is free, and runs on Linux is that it is ridiculously easy to implement, and put into production. My boss originally had me try to use Microsoft System Center Configuration Manager (SCCM) but that thing is such a bear to deploy. Especially in a multi-domain environment like I maintain, something domain agnostic (and free) simply works better.
Now, since Fog is a cloning solution like Symantec Ghost Cast, you take an old fashion image of a computer which we all know is hardware specific. What's cool with Fog though is that you only need to image the operating system with drivers and updates. All other software can be deployed with Fog separately, making it easy to keep your image software up to date.
Since we are creating an image, we need to Sysprep right? I have spoken to a lot of admins, and running Sysprep in Windows 7 causes gasps, cold sweats and nightmares. Everybody knows that Sysprep for Windows XP was a piece of cake, but for Windows Vista and Windows 7 Microsoft came up with the Windows Automated Installation Kit (WAIK) tool. Lets be honest here, using the WAIK tool is about as intuitive as trying to find the wet spot on a fat chick.
So WAIK sucks. I think we can all agree on that. We still need to Sysprep though. According to Wikipedia, here's why:
Windows operating system installations include many unique elements per installation that need to be "generalized" before capturing and deploying a disk image to multiple computers. Some of these elements include:
  • Computer name
  • Security Identifier (SID)
  • Driver Cache
Sysprep seeks to solve these issues by allowing for the generation of new computer names, unique SIDs, and custom driver cache databases during the Sysprep process.
So how do we go about doing this without having to screw around with WAIK? Glad you asked! First of all, my process is really easy to do, and once you do it, you never really need to do it again. The trick with Windows 7 sysprep, as with Windows XP, is creating the answer file. Once it's created, you can use it over and over again.
What you will need:
  • Windows Automated Installation Kit (Yes you still need it, but bear with me)
  • Windows 7 Installation Media
  • RT Se7en Lite
Before I go further, don't be scared of WAIK. It has to be installed on the same machine as RT Se7en Lite because RT Se7en Lite uses WAIK as the engine to do what it has to do. It also provides you an easy to use intuitive interface to do what you have to do which is to create an XML answer file for Sysprep.
Here is what you need to do:
  • Open RT Se7en Lite, and point it to your Windows 7 Installation Media
  • Click the Tasks button and select Export XML and Save Settings from the Quick Start Drop Down
  • Uncheck ISO bootable (You don't need it for this post)
  • Click on the Unattended button
  • On the General tab, Check all of the boxes (including skip product key as it doesn't work) then fill in the information to fit your environment
  • Click on the OOBE tab
  • Check all the boxes except Disable Auto Daylight Savings Time Set (Unless you live where daylight savings is not recognized), and change the Network Location and Security Updates settings according to your environment
  • Click on the Regional tab, and choose your regional information
  • Click the Export button on the lower right, then check the box to explore the generated XML directory
  • Boom! Your new Autounattend.xml file will be located in the root of your Windows 7 Installation media.
Okay, that was the hard part. Doing that in WAIK by itself is way more difficult! RT 7 Lite makes it stupidly easy! You're not done yet though. You still have to do a couple of things. Before we go further, go ahead and make a batch file called SetupComplete.cmd. Actually, you can name it whatever you want, but let's keep it simple. In SetupComplete.cmd paste the following commands:
REM Remove both copies of the answer file; it contains sensitive passwords in clear text
del /Q /F c:\windows\system32\sysprep\Autounattend.xml
del /Q /F c:\windows\panther\Autounattend.xml
REM Leave a marker on the root of C:\ recording when Sysprep finished
echo Sysprep Completed %date%>c:\ImageLog.txt
REM Install the product key, then activate (//b runs cscript in batch mode, no prompts)
cscript //b c:\windows\system32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
cscript //b C:\windows\system32\slmgr.vbs -ato
As you can probably guess, you will need to change the X's above with your Windows 7 product key. Once you have that saved in SetupComplete.cmd, on the machine you want to image create a folder in c:\windows\setup called scripts and drop SetupComplete.cmd in there. The reason is because after Sysprep does its thing it runs any script in that folder. SetupComplete.cmd cleans up our XML answer file with sensitive passwords, creates a log on the root of C:\ called ImageLog.txt, then inserts our Windows 7 key. Now you can try adding your Windows 7 key to your XML file using RT 7 Lite, but trust me, it doesn't work. My method with the script does.
Now that SetupComplete.cmd is in c:\windows\setup\scripts, take Autounattend.xml that we created earlier and drop that sucker in c:\windows\system32\sysprep. Now we are almost out of the woods. Open a command prompt in c:\windows\system32\sysprep by pressing shift and right clicking in the white space (assuming you are in that directory using Windows Explorer) and select Open Command Window Here. Now with command prompt open in the sysprep directory run the following command and crack open a cold one:
sysprep /generalize /oobe /shutdown /unattend:Autounattend.xml
Sysprep will do its thing using your answer file, then shut down. Your computer is now ready to be uploaded using whatever imaging solution you use! Tell me that wasn't easy!
Do you know of a better way to create the XML file for Sysprep? I would really like to not have to use the cscript command, however it is still better than trying to screw around with WAIK! If you know of a better tool that makes this process easier, let me know in the comments!
NOTE: If you want to join your computer to your domain, add the following command to your SetupComplete.cmd file right after del /Q /F c:\windows\panther\Autounattend.xml:

I didn't mention that above because I use Fog to join my machines to the domain for me.

