# CentOS disk-encryption-hetzner for SecurityOnion2

This is meant to be a clean step-by-step guide on how to set up a Hetzner root server from the server auctions at Hetzner's "Serverbörse" to get a fully encrypted software RAID1 with LVM on top.

The goal of this guide is to have a server system that has encrypted drives and is remotely unlockable.

This guide could work at any other provider with a rescue system.

## Client Configuration

### Generate SSH Keys

```bash
ls -la ~/.ssh
# one key pair per purpose: initramfs unlock, normal login, rescue system
ssh-keygen -t ecdsa -f ~/.ssh/hetzner_unlock
ssh-keygen -t ecdsa -f ~/.ssh/hetzner_login
ssh-keygen -t ecdsa -f ~/.ssh/hetzner_rescue
ls -la ~/.ssh
```

Afterwards `ls -la ~/.ssh` lists the following files:

- hetzner_unlock
- hetzner_unlock.pub
- hetzner_login
- hetzner_login.pub
- hetzner_rescue
- hetzner_rescue.pub

### SSH Config

Content of `~/.ssh/config`, appended with the following command (replace `<NAME>` and `<IP>`):

```bash
echo "
# For disk encryption unlock
# (the initramfs dropbear has its own host key, hence the separate HostKeyAlias)
Host unlock_<NAME>
    User root
    Hostname <IP>
    HostKeyAlias unlock_<NAME>
    # must match dropbear_port in /etc/dracut.conf.d/crypt-ssh.conf (222 further below)
    Port 222
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/hetzner_unlock

# For Rescue Mode
Host rescue_<NAME>
    User root
    Hostname <IP>
    HostKeyAlias rescue_<NAME>
    Port 22
    IdentityFile ~/.ssh/hetzner_rescue

# For normal Login
Host <NAME>
    User root
    Hostname <IP>
    HostKeyAlias hetzner_<NAME>
    Port 22
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/hetzner_login" >> ~/.ssh/config
```

### Login to System

```bash
# For the rescue system:
ssh rescue_<NAME>

# To unlock the system (initramfs dropbear):
ssh unlock_<NAME>

# For normal login to the system:
ssh <NAME>
```

## Server Configuration

### Install Base Distribution | First steps in rescue image

1. Activate Hetzner Rescue Mode

### Setup Server for Disk Encryption | Second steps in rescue image

```bash
# Next, fill the root partition with pseudo-random data. This takes a little over half an hour.
dd if=/dev/urandom of=/dev/sda3 bs=1M status=progress

# Recreate partitions
parted -a opt -s /dev/sda mklabel gpt
parted -s /dev/sda unit mb
parted -s /dev/sda mkpart primary 1 3
parted -s /dev/sda name 1 grub
parted -s /dev/sda set 1 bios_grub on
parted -s /dev/sda mkpart primary 3 520
parted -s /dev/sda name 2 boot
parted -s /dev/sda mkpart primary 520 100%
parted -s /dev/sda name 3 root
parted -s /dev/sda print

# After this, we encrypt
## for software raid: use `/dev/md1` instead of `/dev/sda3`
## (!!! Choose a strong passphrase (something like `pwgen 64 1`) !!!)
cryptsetup luksFormat /dev/sda3 -c serpent-xts-plain64 -h whirlpool -s 512
```
2. Activate the VNC Installer for CentOS 7.9 and restart
3. Login via VNC client to the proposed IP and port with the shown password
4. Install CentOS with an encrypted volume group and custom partitioning as described in https://www.vultr.com/docs/install-and-setup-centos-7-to-remotely-unlock-lvm-on-luks-disk-encryption-using-ssh
   - Partition scheme:
     - Biosboot 2M
     - /boot ext2 512M
     - LUKS Encrypted
       - root 10G
       - var/log 20G
       - var/lib/docker xG
       - swap 8G
       - /backup | /nsm | ...
5. When finished, activate the Hetzner rescue system in Hetzner Robot
6. Click Reboot on the VNC screen
7. Login to the Hetzner rescue system
8. Resize sda3 to full size: `cgdisk /dev/sda`
   - Remove sda3
   - Add an additional partition with the full size; the partition code that was used on my setup was 0700, for whatever reason
9. Open the LUKS disk: `cryptsetup luksOpen /dev/sda3 crypt` (or for software raid: `cryptsetup luksOpen /dev/md1 crypt`)
10. Resize the PV: `pvresize /dev/mapper/crypt`
11. Copy things from the script below...
```bash
# Mount:
mount /dev/vg0/root /mnt
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount --bind /proc /mnt/proc

# Change into the chroot environment
chroot /mnt

# mount all other filesystems from /etc/fstab
mount -a -v

# Update system, install base things
sudo yum -y install vim wget git bash-completion epel-release nano sudo fail2ban
sudo wget -O /etc/yum.repos.d/rbu-dracut-crypt-ssh-epel-7.repo https://copr.fedorainfracloud.org/coprs/rbu/dracut-crypt-ssh/repo/epel-7/rbu-dracut-crypt-ssh-epel-7.repo
sudo yum -y install dracut-crypt-ssh

# Update grub config
# more help: https://github.com/dracut-crypt-ssh/dracut-crypt-ssh
## Insert rd.neednet=1 ip=<IP>::<GATEWAY>:<subnet>:<cryptodevicename>:enp0s8:off
## between GRUB_CMDLINE_LINUX="crashkernel=auto and rd.luks.uuid=luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
## (dracut ip= syntax: ip=<client-ip>:[<peer>]:<gateway>:<netmask>:<hostname>:<interface>:<autoconf>;
##  the interface name must be the one your server actually has)
sudo nano /etc/default/grub
## Regenerate your GRUB configuration file by typing the command below.
sudo grub2-mkconfig -o /etc/grub2.cfg
```

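The GRUB step above is a manual edit in nano; as an added example (not part of the original guide), here is a small shell function that does that edit for you, placing `rd.neednet=1 ip=...` in front of `rd.luks.uuid=` on the `GRUB_CMDLINE_LINUX` line and refusing to duplicate the parameters on a second run. The ip= string and the UUID in the demo are constructed placeholders, not values from this guide.

```bash
#!/bin/sh
# Added example, not part of the original guide: insert the dracut network
# arguments into GRUB_CMDLINE_LINUX of an /etc/default/grub-style file.
# The arguments go right before rd.luks.uuid=... and the edit is skipped when
# rd.neednet=1 is already present, so running it twice cannot duplicate them.

# add_grub_netargs FILE IPARG  -> edits FILE in place (via a temp copy)
add_grub_netargs() {
    file="$1"; iparg="$2"
    if grep -q 'rd\.neednet=1' "$file"; then
        return 0                      # already configured, leave FILE alone
    fi
    grep -q '^GRUB_CMDLINE_LINUX=.*rd\.luks\.uuid=' "$file" || {
        echo "no rd.luks.uuid= on the GRUB_CMDLINE_LINUX line of $file" >&2
        return 1
    }
    tmp="$file.tmp.$$"
    # only the GRUB_CMDLINE_LINUX line is touched; '|' is a safe delimiter
    # because the dracut ip= syntax only uses ':' '.' and '='
    sed "/^GRUB_CMDLINE_LINUX=/ s|rd\.luks\.uuid=|rd.neednet=1 ${iparg} rd.luks.uuid=|" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# grub_cmdline FILE -> prints the value of GRUB_CMDLINE_LINUX without quotes,
# handy for checking the result before running grub2-mkconfig
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# Demo on a constructed file (placeholder UUID, documentation IP range)
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rd.luks.uuid=luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx rhgb quiet"
EOF
add_grub_netargs "$demo_file" "ip=192.0.2.10::192.0.2.1:255.255.255.0:server:enp0s8:off"
grub_cmdline "$demo_file"
rm -f "$demo_file"
```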
```bash
# Backup the original /etc/dracut.conf.d/crypt-ssh.conf
sudo mv /etc/dracut.conf.d/crypt-ssh.conf /etc/dracut.conf.d/crypt-ssh.conf.orig

# Create a new /etc/dracut.conf.d/crypt-ssh.conf
echo 'dropbear_acl="/etc/dropbear/keys/authorized_keys"' >> /etc/dracut.conf.d/crypt-ssh.conf
echo 'dropbear_ecdsa_key="/etc/dropbear/keys/ssh_ecdsa_key"' >> /etc/dracut.conf.d/crypt-ssh.conf
echo 'dropbear_rsa_key="/etc/dropbear/keys/ssh_rsa_key"' >> /etc/dracut.conf.d/crypt-ssh.conf
# You can also choose any other port (keep the Port of unlock_<NAME> in ~/.ssh/config in sync)
echo 'dropbear_port="222"' >> /etc/dracut.conf.d/crypt-ssh.conf
cat /etc/dracut.conf.d/crypt-ssh.conf
sudo mkdir /etc/dropbear/keys/
```

```bash
# Generate ECDSA key
sudo ssh-keygen -t ecdsa -f /etc/dropbear/keys/ssh_ecdsa_key -C dropbear@luks
# Generate RSA key
sudo ssh-keygen -t rsa -b 4096 -f /etc/dropbear/keys/ssh_rsa_key -C dropbear@luks
```

```bash
# private host keys readable by root only, public parts world-readable
sudo chmod 400 /etc/dropbear/keys/*_key; sudo chmod 444 /etc/dropbear/keys/*.pub
```

```bash
# Add authorized SSH key (the public key of ~/.ssh/hetzner_unlock from the client)
sudo nano /etc/dropbear/keys/authorized_keys
```

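Before regenerating the initramfs and rebooting, it pays to verify that the pieces configured above actually fit together, because on a remote server a broken unlock setup means a box that boots into the initramfs and nobody can reach it. The following pre-flight check is an added example, not part of the original guide; it assumes the layout this guide creates (keys under `/etc/dropbear/keys`, settings in `/etc/dracut.conf.d/crypt-ssh.conf`) but takes both paths as parameters so it can be tried against a constructed directory first.

```bash
#!/bin/sh
# Added example, not part of the original guide: pre-flight check of the
# dropbear/crypt-ssh setup, to run before `dracut -f -v`.
# Usage: check_crypt_ssh /etc/dropbear/keys /etc/dracut.conf.d/crypt-ssh.conf && sudo dracut -f -v

# conf_value FILE KEY -> prints the value of KEY="..." in FILE (last one wins)
conf_value() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# check_crypt_ssh KEYDIR CONF -> 0 when everything is in place, 1 otherwise,
# with one line per problem on stderr
check_crypt_ssh() {
    keydir="$1"; conf="$2"; rc=0
    for key in ssh_ecdsa_key ssh_rsa_key; do
        [ -s "$keydir/$key" ] || { echo "missing host key $keydir/$key" >&2; rc=1; }
        # GNU stat (as on CentOS): the private keys must stay root-only, mode 400
        [ "$(stat -c %a "$keydir/$key" 2>/dev/null)" = "400" ] \
            || { echo "$keydir/$key is not mode 400" >&2; rc=1; }
    done
    # at least one real public key line, otherwise dropbear lets nobody in
    grep -Eqs '^(ssh-ed25519|ecdsa-sha2-nistp[0-9]+|ssh-rsa) [A-Za-z0-9+/=]+' "$keydir/authorized_keys" \
        || { echo "no public key in $keydir/authorized_keys" >&2; rc=1; }
    # the conf must point at this directory and use a usable port
    [ "$(conf_value "$conf" dropbear_acl)" = "$keydir/authorized_keys" ] \
        || { echo "dropbear_acl does not point at $keydir/authorized_keys" >&2; rc=1; }
    [ "$(conf_value "$conf" dropbear_ecdsa_key)" = "$keydir/ssh_ecdsa_key" ] \
        || { echo "dropbear_ecdsa_key does not point at $keydir/ssh_ecdsa_key" >&2; rc=1; }
    [ "$(conf_value "$conf" dropbear_rsa_key)" = "$keydir/ssh_rsa_key" ] \
        || { echo "dropbear_rsa_key does not point at $keydir/ssh_rsa_key" >&2; rc=1; }
    port=$(conf_value "$conf" dropbear_port)
    case "$port" in
        ''|*[!0-9]*) echo "dropbear_port '$port' is not a number" >&2; rc=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
               || { echo "dropbear_port $port out of range" >&2; rc=1; } ;;
    esac
    return $rc
}
```

Remember that the port reported here is the one the `unlock_<NAME>` entry in the client's `~/.ssh/config` has to use.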
```bash
# Create a configuration .conf file under the /etc/dracut.conf.d/ directory with the following contents:
echo 'omit_dracutmodules+="ifcfg"' >> /etc/dracut.conf.d/omit_dracutmodule.conf

# Update dracut (rebuilds the initramfs with the dropbear unlock module)
sudo dracut -f -v

# fix network settings for hetzner
# see https://docs.hetzner.com/de/robot/dedicated-server/network/net-config-cent-os
# (the interface name must match your server's NIC, and the one used in the ip= kernel argument above)
vi /etc/sysconfig/network-scripts/ifcfg-enp3s0

# SSH settings for user
su <user>
```

```bash
# Add user ssh key
ssh-keygen -t ecdsa -C <user>@<hostname>
```

```bash
# Add your user SSH pub key (the public key of ~/.ssh/hetzner_login from the client)
vi ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
restorecon -r ~/.ssh/
exit

# SSHD Hardening from https://docs.securityonion.net/en/2.3/ssh.html#hardening
# NOTE: the "[email protected]" tokens below are mangled algorithm names (their @-suffixes
# were stripped when this page was published); take the exact lists from the linked Security Onion page.
sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|[email protected]\)\,\?//g" >> /etc/ssh/sshd_config
sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config
sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|[email protected],\|hmac-sha2-256,\|[email protected],\|hmac-sha1,\|[email protected],\|[email protected],\|hmac-sha1\)//g" >> /etc/ssh/sshd_config
sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config

# Set SELinux to permissive mode:
vi /etc/sysconfig/selinux
# Change from enforcing to permissive

# Update System
sudo yum update -y && sudo yum clean all

# umount
umount -a -v

# leave chroot environment
exit

# umount all
umount /mnt/dev
umount /mnt/sys
umount /mnt/proc
umount /mnt

# deactivate volume group
vgchange -a n

# close encrypted disk
cryptsetup luksClose crypt
# sync disks
sync
# Now ready for reboot
reboot
```

Have fun with your new system!

## Start Server

### Unlock Server

After a few seconds the dropbear SSH server comes up inside the initramfs. Connect to it and unlock your system like this:

```bash
ssh -p 222 -i ~/.ssh/hetzner_unlock root@<yourserverip>
# or, using the ~/.ssh/config entry from above
ssh unlock_<NAME>
```

Now unlock your drive: run `console_auth` and enter your LUKS passphrase.

### Login to Server

```bash
ssh -i ~/.ssh/hetzner_login root@<yourserverip>
# or
ssh <NAME>
```

## Sources

Special thanks to the people who already wrote these guides:

## Thanks

Special thanks to TheReal1604 from github.com.

## Contribution

PRs are very welcome; open an issue if something does not work for you as described.