I am incredibly curious and I am always finding new ways of tinkering around with new things so in my neverending quest to better understand the nature of security, vulnerabilities and hacking I decided to setup a honeypot machine live on the internet 24×7 with a public IP. The PC has Gentoo linux installed which is running on top of a 2.6.12 general-use kernel. There is no special security or intrusion detection software installed. SSH is the only noteworthy service running which is listening on port 22 and it’s configured to allow root logins – usually a big no-no but completely acceptable in this situation. The hackable IP is 68.144.238.32 if you want to give it a shot.
Now we all know how long it takes to install Gentoo (see my Gentoo Install Guide for a streamlined install process without the extra garbage), especially on a P2/233 with 164MB of RAM (64+64+32) and an 8Gig UDMA/33 Hard Drive. I wanted to have the ability to quickly and easily restore my Gentoo root partition in the ‘likely’ event that this PC became compromised.
So I went about setting up 4 partitions, boot/root/swap/spare, now I only had 8gig’s to work with and I knew that a standard Gentoo install takes up 1.5GB’s (at least by following the standard install guide it did on mine).
I started out by creating the 4 partitions and installing Gentoo on hda3. hda1 and hda2 house the boot and swap partitions and these are never modified. Essentially what we are going to accomplish is have 2 bootable Gentoo installs, one on hda3 and the other on hda4, the reason for this being so that we can use hda4 with partimage to create backup images of hda3. These are going to be mirror images, in other words everything from the hostname to the NIC configuration are going to be the same. hda3 and 4 better be the same filesystem, I havn’t tested it with other filesystems but it’s better just to do this, I don’t even think that these 2 partitions have to be the same size for it to work (mine are).
- Grab a linux livecd, for this I used the Gentoo Universal 2005.1 CD.
- Boot up off of it and get to the console
- We’re now going to copy hda3 over to hda4 (you did create a filesystem on hda4 right?) mount hda3 and hda4 by entering these commands
- mkdir /to
- mkdir /from
- mount -t ext3 /dev/hda3 /to (assuming you’re running an ext3 filesystem, if you followed the standard install guide then it should be)
- mount -t ext3 /dev/hda4 /from
- cp -a /from/* /to (don’t leave out the -a, this is important)
- This will take ages depending on the speed of your HD, on my 8gig it took about 45mins. You might also want to check if you’ve got DMA enabled on the HD by typing hdparm -d /dev/hda.
- Once the copy is complete do the following:
- mount /boot (I’m a bit iffy on this one, you may or may not have to do this but if you try the command below and it doesn’t display the grub.conf file then you will have to do this one)
- nano -w /from/boot/grub/grub.conf and add a second entry into the boot menu so that it looks like this, leave out the <code> bits and make sure that your kernel version is reflected correctly:
<code>
default 0
timeout 10
title=Gentoo Linux 2.6.12-gentoo-r6
root (hd0,0)
kernel /linux-2.6.12-gentoo-r6 root=/dev/hda3
title=Gentoo Backup 2.6.12-gentoo-r6 w/ partimage
root (hd0,0)
kernel /linux-2.6.12-gentoo-r6 root=/dev/hda4
</code>
- So now when you boot up you will be given the option to choose which Gentoo partition to start up.
- nano -w /to/etc/fstab
- Edit the fstab file and replace hda3 with hda4
- umount /to /from
- reboot
- Test out both installations and make sure they are both bootable, because the partitions are identical in almost every way you may want to check that each partition *is* different. You can do this by simply creating a temporary test file in / on one of the partitions booting up and doing an ls / to see if its there or not. Hint: It will be.
- Boot up into the second partition, ie the one that we’re going to use with partimage.
- This step is optional, I disabled networking (after completing the step below) and changed the hostname to reflect which partition I am in and for a bit of extra security.
- Boot into hda4, this is where we’re going to install partimage and store the hard drive images from hda3
- emerge partimage
- Type partimage to load up the program
- Select which partition you want to backup, in this case select hda3. hda3 is currently in an unmounted state so don’t worry about open files.
- Follow the image creation wizard step by step and you will have backed up hda3 completely. When I did this I selected ‘use maximum compression’ and the 1.5GB’s of files from hda3 came out to be a mere +-350MB’s stored in a nice single file image. Note this is not an .ISO, it is a bzip2 compressed file.
- In the future when you want to restore hda3 simply boot up into the ‘partimage’ partition aka hda4, load up partimage and use the restore option, select the HD image file you want which will then fully and completely restore hda3 to the state that it was saved in.
The ‘gist’ of this guide is such that the tools but most importantly the techniques outlined here can easily be ported to just about any OS environment with a bit of elbow grease and know-how.
This guide is created so that somewhere down the road somebody will find the information useful in their own environment and modify it to suit their needs and perhaps, hopefully, learn something cool and interesting that can be expanded upon in very deep & complex ways with a bit of ingenius creativity on their part. If I’ve left out any steps just email me and let me know thanks copelandj@NOSPAMgmail.com. Remove the NOSPAM part.
Update 2 October 2005: I have been informed that you can do something similar to this backup/restore technique with the ‘dd’ GNU program, once I’ve looked at it I’ll probably write a guide on it so check back in a couple weeks.
Update 4 August 2008: Re-positioning my old articles on the new blog site. Yeah this one’s really old!
