Hardware:

- Intel NUC
- CPU: i5-5250U
- RAM: 4 GByte
- 500 GByte SSD (overkill, but was what we had)

OS: Ubuntu 16.04 "xenial" (as per EOTK supported)

## OS Install

Download an Ubuntu 18.04 server .iso file, verify the checksum, and `dd` it to a USB thumbdrive.

Power on the Intel NUC with keyboard and monitor attached, hold F10 to get the boot menu and select the USB drive (I didn't use UEFI).

Install as english/USA. Select "use whole disk with LVM". Select "install security upgrades automatically".

Install:

- standard system utilities
- OpenSSH server

Hostname: ia-onion1
User: eotk
Password: eotk-changeme

Have grub overwrite the MBR.

Reboot, pull the USB drive, login as eotk.

```
sudo apt update
sudo apt upgrade
sudo apt install git
cd ~
git clone https://git.bnewbold.net/ia-onion-service
cd ia-onion-service

# you can cut this line out into a shell script or something instead of
# re-typing
sudo apt install build-essential cowsay manpages-dev apt-transport-https curl git htop iftop iotop iputils-ping less molly-guard mtr-tiny netbase net-tools openssh-server screen sudo tcpdump tree unattended-upgrades util-linux vim-nox wget ntp fail2ban rkhunter debsums whois lynis etckeeper

# whoops, that seemed to install postfix! don't want that!
sudo apt remove postfix
```

Ok, some crude security lock-down. Edit `/etc/ssh/sshd_config`:

```
# only these two of the keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

PermitRootLogin no

# hard to disable until keys on the device
#PasswordAuthentication yes

X11Forwarding no

# disable sftp
#Subsystem ...
```

Then `sudo service ssh restart`.

For passwordless sudo:

```
sudo visudo
# on '%sudo' line, replace the last "ALL" with "NOPASSWD: ALL"
```

Ok, ready for SSH login. Look up the IP with `ip addr` and login with password as `eotk`. Change the password with `passwd`. On your laptop, run `ssh-copy-id` (and enter the new password) to install your personal SSH key in `authorized_keys2`.
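As an added check that is not part of the original notes: a small POSIX shell audit of an `sshd_config` file for the lock-down settings above (only the RSA and ed25519 host keys, root login off, X11 forwarding off, sftp subsystem commented out) plus password authentication off. The function names and the expectation that `PasswordAuthentication` is set explicitly to `no` are my own assumptions.

```shell
#!/bin/sh
# Audit an sshd_config against the lock-down settings described above.
# sshd honours the FIRST occurrence of a keyword, so this mimics that rule.
# Exit status of audit_sshd_config = number of failed checks (0 = all pass).

# effective_value FILE KEYWORD: first uncommented value of KEYWORD, or nothing if unset
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                         # skip comment lines
        NF >= 2 && tolower($1) == key { print $2; exit }  # first match wins
    ' "$1"
}

audit_sshd_config() {
    f="$1"; fails=0
    # Require these to be set explicitly: sshd defaults differ between versions,
    # and PasswordAuthentication defaults to yes when it is left unset.
    for pair in permitrootlogin:no passwordauthentication:no x11forwarding:no; do
        key="${pair%%:*}"; want="${pair##*:}"
        got="$(effective_value "$f" "$key" | tr 'A-Z' 'a-z')"
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-<unset>}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    # HostKey may repeat; every listed key must be one of the two kept above
    for k in $(awk '/^[[:space:]]*#/ { next } NF >= 2 && tolower($1) == "hostkey" { print $2 }' "$f"); do
        case "$k" in
            *_rsa_key|*_ed25519_key) ;;
            *) echo "FAIL: unexpected HostKey $k"; fails=$((fails + 1)) ;;
        esac
    done
    # The sftp subsystem should stay commented out
    if awk '/^[[:space:]]*#/ { next }
            NF >= 2 && tolower($1) == "subsystem" && tolower($2) == "sftp" { found = 1 }
            END { exit !found }' "$f"; then
        echo "FAIL: sftp subsystem is enabled"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Example: audit_sshd_config /etc/ssh/sshd_config && echo "sshd_config OK"
```

This only reads the file; `sudo sshd -T` prints the fully resolved configuration (defaults included) if you want to confirm what the running daemon actually uses.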
TODO: should probably just disable password login entirely, and use a root shell in person if we need to recover?

Install tor to set up remote SSH access:

```
# follow directions at https://2019.www.torproject.org/docs/debian.html.en
# for bionic upstream
# should get tor 0.4 or newer
sudo apt install tor
```

Add to `/etc/tor/torrc` (for a v3 onion service):

```
HiddenServiceDir /var/lib/tor/ssh_hidden_service
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22

# uncomment this one
Log notice file /var/log/tor/notices.log
```

Restart tor (`sudo service tor restart`). Get the hidden service hostname/secret:

```
sudo cat /var/lib/tor/ssh_hidden_service/hostname
```

Add to your local (laptop) torbrowser (or whatever) config:

```
HidServAuth .onion
```

Add to your local (laptop) ssh config:

```
Host ia-onion1
    HostName .onion
    User eotk
    proxyCommand ncat --proxy 127.0.0.1:9150 --proxy-type socks5 %h %p
```

Or:

```
torsocks ssh eotk@.onion
```

Note that the Tor Browser Bundle default local proxy port is now 9150; the regular tor daemon, when run as itself (not part of TBB), listens on port 9050.

Ok, now set up a 1 GByte encrypted partition for EOTK et al, using LUKS:

```
sudo mkdir -p /private
sudo dd if=/dev/urandom of=/private.img bs=1M count=1000
sudo cryptsetup luksFormat /private.img
# YES
# enter strong/long password
sudo cryptsetup luksOpen /private.img eotk_private_volume
sudo mkfs.ext4 /dev/mapper/eotk_private_volume
sudo mount /dev/mapper/eotk_private_volume /private
sudo chown -R eotk:eotk /private
```

To mount/unlock the partition (e.g., after a reboot):

```
sudo cryptsetup luksOpen /private.img eotk_private_volume
sudo mount /dev/mapper/eotk_private_volume /private
sudo /etc/init.d/eotk-init.sh stop
sudo /etc/init.d/eotk-init.sh start
```

These commands should be put in an `~/after_reboot.sh` file on the device.

Ensure that you can SSH in over tor, then reboot the NUC and make sure you can still SSH in.
Install mkcert:

```
sudo apt install libnss3-tools
# download from https://github.com/FiloSottile/mkcert/releases
# install in /usr/local/bin
mkcert -install
```

Ok, now ready for service setup following `prototyping.md` (bionic section).