How To Reduce Your Vulnerability to Evil Maid Attack When You Have Disk Encryption

  1. Zero hard drive(s) with dd
  2. Mark drive(s) as raw lvm disk
  3. Make your vg and lv
  4. Make your encryption
  5. Make file system ext4
  6. Install Ubuntu
  7. Make sure you have SDcard inserted before you turn on computer
  8. When you get to disk partitioner in install, format SDcard ext2, all of it, the whole thing, except if you need a little bit for efi partition in which case the SDcard will have two partitions a grub/boot partition/mbr and efi.
  9. Mark your lvm volume as ext4 and use entire volume for /
  10. In the partitioner select SDcard for grub/boot partition/mbr/efi install.
  11. If you install grub/boot partition/mbr/efi to your lvm disk the computer will not boot as you overwrote the lvm.
  12. Now proceed with install and the grub/boot partition//mbr/efi will be installed to the SDcard and the OS will be installed to the encrypted lvm.
  13. If you need efi partition that also will need to be installed to SDcard.
  14. Reboot when installer says to.
  15. Check everything works.
  16. Shutdown computer and remove SDcard.
  17. Boot computer, it should fail to boot if it’s working right. The bios/efi should behave as if the hard drives were blank.
  18. Shut down computer and insert SDcard. Boot computer and it should now boot to encrypted password box and you should now be able to log in.
  19. Reboot and set a bios/efi admin and user password.
  20. Reboot and verify bios/efi passwords are required.
  21. Now when you leave the house always hide the SDcard or take it with you or if you have a laptop always put the SDcard in a separate backpack pocket as the criminal is unlikely to know the significance of the SDcard.

You can always have two or three SDcards that are dd clones of the key and you can update the clones whenever you have an update.  If you have to you can always make new boot cards from an known good computer.  The point is you never have to rely upon the idea that your stuck with the boot code Ubuntu installed.  Any suspicion that SDcard has been compromised you can make new SDcard boot key.  Give the keys to trusted family/friends or hide them around the house. Now you are much more secure against evil maid attack as any attempt to write to lvm disk will destroy encrypted lvm disk. Attacker will need the key which is your SDcard.  Yes of course attacker can use their own boot code and attempt an attack upon the disk.  However we are concerned here with boot code integrity.

If you are kidnapped and they demand key, I highly recommend that you give them the key as no data is worth the loss of human life.

Install and Setup Logwatch on Ubuntu

I installed the program logwatch. A little confusing at first. This is mostly so I don’t forget. I thought it could help others.  An excellent tool for auditing an Ubuntu system.

sudo apt-get install exim4

I prefer EXIM4, however some people like Postfix. Setting up EXIM4 and Postfix is beyond the scope of this logwatch thread.

dpkg-reconfigure exim4-config
sudo apt-get install logwatch
sudo nano -w -W /usr/share/logwatch/default.conf/logwatch.conf

Use nano to change the following settings.

#To make Html the default formatting Format = html
Format = html
# Default person to mail reports to.  Can be a local account or a
# complete email address.  Variable Output should be set to mail, or
# --output mail should be passed on command line to enable mail feature.
MailTo = user@example.org
# Default person to mail reports from.  Can be a local account or a
# complete email address.
MailFrom = user@ubuntu.org
sudo logwatch --html_wrap 80 > logwatch.html

When done, open logwatch.html in your home dir. Example /home/nate/logwatch.html, should open in your web browser. Everything should work. Now you will need to wait 12 to 24 hours for an email from logwatch. Check your spam box too if you missed it. Be sure to add logwatch to your email address contact list.

Here’s My SSH Port Forward Command

ssh -2TND 1080 user@ip-or-hostname

A special note about option -C. Unless you are on a dial-up modem connection, the -C option only hurts you on virtually all modern network connections. I would not use the -C unless your speed is slower than about 1Mbps. It really is designed for 56K dial-up modems and other similar slow connections like ISDN. Here is the man page entry for -C;

-C Requests compression of all data (including stdin, stdout,
stderr, and data for forwarded X11 and TCP connections). The
compression algorithm is the same used by gzip(1), and the
“level” can be controlled by the CompressionLevel option for pro‐
tocol version 1. Compression is desirable on modem lines and
other slow connections, but will only slow down things on fast
networks. The default value can be set on a host-by-host basis
in the configuration files; see the Compression option.

Most SSH advice concerning -C is incorrect. Unfortunately too many people blindly use the -C option without understanding the option. Most people just copy and paste the command from some web site and don’t bother to read the man page. As you can see it’s a pet peeve of mine.

ssh -2TND 1080

I’ll break it down for you.

-2 Forces ssh to try protocol version 2 only.

T Disable pseudo-tty allocation.

N Do not execute a remote command. This is useful for just for forwarding ports (protocol version 2 only).

D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server. Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configura‐
tion file.

1080 I’d use this port as it’s the socks port. Use of another port is fine, but will not give you any security advantage. So I use this port. The only reason not to use this port is if you already have another application using 1080.

I’m interested in hearing from anybody about their commands. Just so you know I use keys without a password. My keys have a bit strength of 8192 bits and I maintain strict control over the devices that have keys, so devices are all encrypted with very strong passwords.

Get an Email Every time Sudo is Used

Every time I use sudo on the command line I get an email.  This way I can always know if someone has attempted to run sudo on my computer.  Plus; combined with Gmail, it makes for an excellent audit trail.

I set it up following the guide here; Sudo email setup, original post

Or you can do the below.

I wanted to get an email from the computer every time sudo was used successfully or not. You need an MTA or mail transport agent. I have Postfix on my computer. There may be other ways to send an email; but that is beyond the scope of this post. I will show you what I did and I will assume you have an MTA already setup.

The first command tells visudo where to create the file. All edits should go to /etc/sudoers.d because this will make software updates more sane.

sudo visudo -f /etc/sudoers.d/mail_sudoers

File should look exactly like below. Be sure to include double quotes.

Defaults    mail_always
Defaults    mailto="youremail@gmail.com"

Visudo will set the proper permissions for you. No need for chmod if you are using Ubuntu 16.10 or later.

man sudo, visudo, sudoers will help greatly.
I’ve included a screenshot of what the email looks like. Naturally the important bits after the @ have been removed.

sudo