How to wipe your hard disk quickly, securely & easily

I was looking for a way to clean all the data from a hard disk and found a tool that I had never seen before: dcfldd. I haven’t looked into all the options yet, but what I have seen works very well. Basically it is a replacement for the *nix command dd. The thing that I liked about it was that it lets you specify an input pattern, thus speeding up the process significantly.

So the next thing was to figure out what to write to the disk. I was taught that multi-pass writes were really a good thing, but have read a lot more recently that says you only need 1 pass to get basically the same effect. Being paranoid but in a bit of a hurry, I decided to do a 2-pass wipe: first set all bits to 1, then do a second pass to 0. This means that every bit will go high then low, so the history would be: ? -> 1 -> 0. That seems like a good / fast solution to me, and it does not need the slow random pass. I like the 0’s to be on the final pass so installers see a nice clean drive. If you are going to encrypt the drive you might want to add a random pass at the end.

Anyway here are the steps:

  1. Download & burn your favorite Linux live CD. Make sure that it is 32bit (i386). I used CentOS 6.
  2. Boot from the CD, login
  3. Open a terminal
  4. sudo su -
  5. Go to /dev and find your hard drive(s); let's use /dev/sdb for this example (make sure to use the whole drive, not a partition, so /dev/sdb not /dev/sdb1)
  6. Write ones: dcfldd pattern=FF of=/dev/sdb bs=1024   (this is the really nice part of dcfldd: the pattern option makes this really easy)
  7. Write zeros: dcfldd pattern=00 of=/dev/sdb bs=1024   (pattern should be even faster than /dev/zero; I haven’t played with block sizes with dcfldd, but coming from dd, 1024 seems to be good)
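The two-pass procedure above, wrapped with the two checks I would want before pointing it at a disk: a refusal to run against a partition name, and a read-back of the final pass to confirm every byte is 0x00. This is an added example, not code from the original post; it assumes dcfldd is on PATH and that it is run as root.

```python
"""Two-pass wipe (0xFF, then 0x00) driven through dcfldd, as in the steps above.

Added example, not from the original post. Assumes dcfldd is on PATH and the
script runs as root. Nothing is written unless two_pass_wipe() is called.
"""
import re
import subprocess

# Whole-disk names: sdb, vdc, hda, nvme0n1, mmcblk0. Partitions: sdb1, nvme0n1p1.
_WHOLE_DISK = re.compile(r"^(?:[shv]d[a-z]+|nvme\d+n\d+|mmcblk\d+)$")


def is_whole_disk(dev):
    """True for /dev/sdb or sdb, False for /dev/sdb1 or nvme0n1p1."""
    return bool(_WHOLE_DISK.match(dev.rsplit("/", 1)[-1]))


def verify_zeroed(path, chunk=1 << 20):
    """Read the whole target back and return True only if every byte is 0x00."""
    zeros = bytes(chunk)
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return True
            if block != zeros[:len(block)]:
                return False


def two_pass_wipe(dev, bs=1024):
    """Write all ones, then all zeros (bit history ? -> 1 -> 0), then verify."""
    if not is_whole_disk(dev):
        raise ValueError(f"{dev} looks like a partition, not a whole disk")
    for pattern in ("FF", "00"):
        # dcfldd keeps writing until the device is full and then exits with
        # "no space left", so its exit status is not treated as a failure here.
        subprocess.run(["dcfldd", f"pattern={pattern}", f"of={dev}", f"bs={bs}"])
    subprocess.run(["sync"], check=True)
    return verify_zeroed(dev)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: wipe.py /dev/sdX")
    print("wiped and verified" if two_pass_wipe(sys.argv[1]) else "VERIFY FAILED")
```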

Mac OS X Server from Ubuntu

http://rajeev.name/2007/11/08/integrating-linux-into-open-directory/

http://en.wikipedia.org/wiki/Apple_Open_Directory

Looks like a good tutorial at:
http://www.kremalicious.com/2008/06/ubuntu-as-mac-file-server-and-time-machine-volume/

http://linux.sys-con.com/node/803618

A small hint on Mac network logins:
http://hints.macworld.com/article.php?story=20060404091349425

Windows / Linux / Mac integration
http://weblog.bignerdranch.com/?p=6&page=3

Certificate Authentication Behind a Bastion Host

I needed Certificate Authentication on a Bastion host. I was pointed to the article from Zeitoun.net (below) by a friend, but it did not work with Apache 2.2.

Apache took my SSL_* variables and passed them along as HTTP_SSL_* variables. This is OK, but not good enough if I don’t want to change the application's source code.

After hacking on it a little, I found the following seemed to work:

Bastion:

# mod_proxy and mod_headers must be loaded (here or in the main httpd.conf)
# for the RequestHeader and ProxyPass directives below
#LoadModule proxy_module   modules/mod_proxy.so
#LoadModule headers_module modules/mod_headers.so
LoadModule ssl_module     modules/mod_ssl.so

Listen 443


AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin


<VirtualHost _default_:443>
ServerName bastion
# this did not work the way I wanted
# SSLProxyEngine on
# SSLProxyMachineCertificateFile /usr/local/etc/proxyUser.crt

ErrorLog logs/bastion_error_log
TransferLog logs/bastion_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLCACertificatePath /usr/local/etc/auth/

SSLVerifyClient require
SSLVerifyDepth 2

SSLOptions +ExportCertData

   <Proxy *>
     AddDefaultCharset Off
     Order deny,allow
     Allow from all
   </Proxy>
 
   # initialize the special headers to a blank value to avoid http header forgeries
   RequestHeader set SSL_CLIENT_S_DN    ""
   RequestHeader set SSL_CLIENT_I_DN    ""
   RequestHeader set SSL_SERVER_S_DN_OU ""
   RequestHeader set SSL_CLIENT_VERIFY  ""
   RequestHeader set SSL_CLIENT_S_DN_CN ""
 
   <Location />
     # add all the SSL_* you need in the internal web application
     RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
     RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
     RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
     RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
     RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
 
     ProxyPass          https://internal/
     ProxyPassReverse   https://internal/
   </Location>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/bastion_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

On the internal machine, turn off client SSL authentication:

# SSLVerifyClient require

and add the following for each SSL variable that you need:

SetEnvIfNoCase SSL_CLIENT_S_DN_CN "(.*)" SSL_CLIENT_S_DN_CN=$1

The cool thing is that I can still run HTTPS on the back side, just not client certificate authentication.
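The blank RequestHeader lines on the bastion stop a client from smuggling its own SSL_CLIENT_* headers through the proxy, but they do nothing for a client that reaches the internal host directly. The added example below (my code, not the author's configuration) does in the application what the SetEnvIfNoCase trick does in Apache, promoting HTTP_SSL_CLIENT_* back to SSL_CLIENT_*, but only when the connection comes from the bastion (constructed address 10.0.0.5) and the bastion reported SSL_CLIENT_VERIFY=SUCCESS.

```python
"""Header-trust check for the internal app behind the bastion described above.

Added example, not the author's configuration. The bastion verifies the client
certificate and forwards SSL_CLIENT_* as request headers, which the internal
server exposes to the application as HTTP_SSL_CLIENT_*. This WSGI middleware
promotes them back to SSL_CLIENT_*, but only when REMOTE_ADDR is the bastion
and the bastion reported a successful verification; anything else is stripped,
so a client that reaches the internal host directly cannot forge a DN.
"""

TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: the bastion's address
FORWARDED = ("SSL_CLIENT_S_DN", "SSL_CLIENT_I_DN", "SSL_SERVER_S_DN_OU",
             "SSL_CLIENT_VERIFY", "SSL_CLIENT_S_DN_CN")


def promote_ssl_headers(environ, trusted=TRUSTED_PROXIES):
    """Return a copy of environ with SSL_CLIENT_* taken from the bastion's headers."""
    env = dict(environ)
    headers = {name: env.pop("HTTP_" + name, None) for name in FORWARDED}
    for name in FORWARDED:          # never trust SSL_* already present in the request
        env.pop(name, None)
    if env.get("REMOTE_ADDR") in trusted and headers["SSL_CLIENT_VERIFY"] == "SUCCESS":
        env.update({k: v for k, v in headers.items() if v})
    return env


def parse_dn(dn):
    """Split a mod_ssl DN like '/C=US/O=Example/CN=alice' into a dict."""
    return dict(part.split("=", 1) for part in dn.split("/") if part)


class ClientCertAuth:
    """WSGI wrapper: 403 unless a verified client-certificate CN is present."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app, self.trusted = app, trusted

    def __call__(self, environ, start_response):
        env = promote_ssl_headers(environ, self.trusted)
        if "SSL_CLIENT_S_DN_CN" not in env:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"client certificate required\n"]
        return self.app(env, start_response)
```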

http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start
http://www.askapache.com/htaccess/setenvif.html
http://httpd.apache.org/docs/2.2/mod/mod_headers.html
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

ASUS EEE PC Flash

I needed to update the BIOS on my ASUS Eee PC 900A.

This is really easy:
1. Download the ROM file from ASUS (the current one is 900A-ASUS-1102.zip)
2. Name it 900A.ROM in the root of a USB drive
3. Plug in the USB drive and boot
4. Press ALT-F2 while the system is doing its startup check
5. The system is updated

Thanks to:
http://forums.vr-zone.com/notebooks-netbooks/230543-reflashing-eee-pcs-bios.html

Ref:
http://support.asus.com/download/download.aspx

SSH Config

I needed to set up svn+ssh on a non-standard port. I had not used the ssh config file before, and it does exactly what I needed it to do.

~user/.ssh/config

From the Subversion users list thread "Re: Using a non-standard ssh port in a svn+ssh://example.com:123456/repository":

host svn1
    Hostname svn.example.com
    Port 80
    ForwardAgent no
    ForwardX11 no

host svn2
    Hostname svn.example.com
    Port 123456
    ForwardAgent no
    ForwardX11 no

Linksys Home Repeater

I have 2 Linksys WAP54G routers and was using one as a wireless repeater. I had WEP set up because I just wanted a no-trespassing sign. This setup worked most of the time, with an occasional reboot of both routers (every 1-2 weeks) and restarting the wireless connection on the client every few days. — not great reliability, but OK for home.

I just got an Eee PC with Linux. The network driver is not as stable as I'd like, and it really does not like my network setup.

I have also been wanting to actually put a lock on the door to my network, so I spent a few hours this weekend looking at retooling my network. I was shocked to find out that the Linksys wireless repeater feature does not work with WPA. So back to the drawing board — looks like either running an ethernet cable upstairs or buying an N router. (hmmm… new toy OR a lot of work)