Hardware:
- Intel NUC
- CPU: i5-5250U
- RAM: 4 GByte
- 500 GByte SSD (overkill, but was what we had)

OS: Ubuntu 16.04 "xenial" (as per EOTK supported)

## OS Install

Download an Ubuntu 18.04 server .iso file, verify the checksum, and `dd` it to a
USB thumbdrive.

Power on the Intel NUC with keyboard and monitor attached, hold F10 to get the
boot menu and select the USB drive (I didn't use UEFI).

- Install as English/USA.
- Select "use whole disk with LVM".
- Select "install security upgrades automatically".
- Install:
  - standard system utilities
  - OpenSSH server
- Hostname: ia-onion1
- User: eotk
- Password: eotk-changeme
- Have grub overwrite the MBR.

Reboot, pull the USB drive, log in as eotk.
```shell
sudo apt update
sudo apt upgrade
sudo apt install git
cd ~
git clone https://git.bnewbold.net/ia-onion-service
cd ia-onion-service

# you can cut this line out into a shell script or something instead of
# re-typing
sudo apt install build-essential cowsay manpages-dev apt-transport-https \
    curl git htop iftop iotop iputils-ping less molly-guard mtr-tiny netbase \
    net-tools openssh-server screen sudo tcpdump tree unattended-upgrades \
    util-linux vim-nox wget ntp fail2ban rkhunter debsums whois lynis \
    etckeeper

# whoops, that seemed to install postfix! don't want that!
sudo apt remove postfix
```
Ok, some crude security lock-down...

Edit `/etc/ssh/sshd_config`:

```
# only these two of the keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
# hard to disable until keys on the device
#PasswordAuthentication yes
X11Forwarding no
# disable sftp
#Subsystem ...
```

Then `sudo service ssh restart`.

For passwordless sudo:

```shell
sudo visudo
# on '%sudo' line, replace the last "ALL" with "NOPASSWD: ALL"
```
Ok, ready for SSH login. Look up the IP with `ip addr` and log in with the
password as `eotk`.

Change the password with `passwd`. On the laptop, run `ssh-copy-id` (and enter
the new password) to install your personal SSH key in `authorized_keys2`.

TODO: should probably just disable password login entirely, and use root shell
in person if we need to recover?
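The sshd_config fragment above leaves `PasswordAuthentication` commented out, which means OpenSSH's compiled-in default (`yes`) stays in force, the thing the TODO is about. The following audit script is an added example and is not part of the original notes or of EOTK: it reads an sshd_config the way sshd does (first value of a keyword wins, comment lines are ignored, the global section ends at the first `Match` block) and reports the effective value of the settings that matter here. The sample config is constructed to mirror the fragment above; the OpenSSH defaults used are the 7.x compiled-in ones.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an sshd_config the way
# sshd reads it. sshd uses the FIRST value it finds for each keyword, ignores
# comment lines, and stops applying global settings at the first "Match" block,
# so a commented-out "#PasswordAuthentication yes" leaves OpenSSH's compiled-in
# default (yes) in force. Sample content below is constructed.

# effective_value FILE KEYWORD
# Prints the first uncommented global value of KEYWORD (case-insensitive), or
# nothing if the keyword is not set. Accepts "Keyword value" and "Keyword=value".
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                    # comments and blank lines
        $1 ~ /=/ { split($1, kv, "=")                        # "Keyword=value" form
                   $0 = kv[1] " " substr($0, index($0, "=") + 1) }
        tolower($1) == "match" { exit }                      # global section ends here
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")                  # drop the keyword itself
            sub(/[ \t]+$/, "")
            print; exit                                      # first value wins
        }
    ' "$1"
}

# check_setting FILE KEYWORD DEFAULT WANTED
# Prints an "OK" or "WARN" line and returns 0 or 1. DEFAULT is the value sshd
# uses when the keyword is absent; comparison is case-insensitive.
check_setting() {
    value=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    source=explicit
    if [ -z "$value" ]; then
        value=$(printf '%s' "$3" | tr 'A-Z' 'a-z'); source=default
    fi
    if [ "$value" = "$(printf '%s' "$4" | tr 'A-Z' 'a-z')" ]; then
        printf 'OK   %-22s %s (%s)\n' "$2" "$value" "$source"; return 0
    fi
    printf 'WARN %-22s %s (%s), want %s\n' "$2" "$value" "$source" "$4"; return 1
}

# audit_sshd FILE: the checks that matter for this box; returns 1 if any fails.
# Defaults are OpenSSH 7.x compiled-in defaults.
audit_sshd() {
    failures=0
    check_setting "$1" PermitRootLogin        prohibit-password no || failures=$((failures + 1))
    check_setting "$1" PasswordAuthentication yes               no || failures=$((failures + 1))
    check_setting "$1" X11Forwarding          no                no || failures=$((failures + 1))
    [ "$failures" -eq 0 ]
}

# Constructed sample config mirroring the fragment in the notes above.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# only these two of the keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
# hard to disable until keys on the device
#PasswordAuthentication yes
X11Forwarding no
EOF

audit_sshd "$SAMPLE_SSHD_CONFIG" || echo "sshd_config needs attention"
```

Run against the real file with `audit_sshd /etc/ssh/sshd_config` once the key is installed; the expected fix is an explicit `PasswordAuthentication no` line, after which the WARN line disappears. On a live host, `sshd -T` prints the same effective values straight from sshd and is the authoritative check; the script is useful for auditing config files off-box.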
Install tor to set up remote SSH access:

```shell
# follow directions at https://2019.www.torproject.org/docs/debian.html.en
# for bionic upstream
# should get tor 0.4 or newer
sudo apt install tor
```

Add to `/etc/tor/torrc` (for v3 onion service):

```
HiddenServiceDir /var/lib/tor/ssh_hidden_service
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
# uncomment this one
Log notice file /var/log/tor/notices.log
```

Restart tor (`sudo service tor restart`). Get hidden service/secret:

```shell
sudo cat /var/lib/tor/ssh_hidden_service/hostname
```

Add to your local (laptop) torbrowser (or whatever) config:

```
HidServAuth <hostname>.onion <stealth_secret>
```

Add to local (laptop) ssh config:

```
Host ia-onion1
    HostName <hostname>.onion
    User eotk
    ProxyCommand ncat --proxy 127.0.0.1:9150 --proxy-type socks5 %h %p
```

Or:

```shell
torsocks ssh eotk@<hostname>.onion
```

Note that the Tor Browser Bundle default local proxy port is now 9150; the
regular tor daemon when run as itself (not part of TBB) listens on port 9050.
Ok, now set up a 1 GByte encrypted partition for EOTK et al, using LUKS:

```shell
sudo mkdir -p /private
sudo dd if=/dev/urandom of=/private.img bs=1M count=1000
sudo cryptsetup luksFormat /private.img
# YES
# enter strong/long password
sudo cryptsetup luksOpen /private.img eotk_private_volume
sudo mkfs.ext4 /dev/mapper/eotk_private_volume
sudo mount /dev/mapper/eotk_private_volume /private
sudo chown -R eotk:eotk /private
```

To mount/unlock the partition (eg, after a reboot):

```shell
sudo cryptsetup luksOpen /private.img eotk_private_volume
sudo mount /dev/mapper/eotk_private_volume /private
sudo /etc/init.d/eotk-init.sh stop
sudo /etc/init.d/eotk-init.sh start
```

These commands should be put in a `~/after_reboot.sh` file on the device.

Ensure that you can SSH in over tor, then reboot the NUC and make sure you can
still SSH in.
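One shape for that `~/after_reboot.sh`, as an added example rather than a script from the original notes or from EOTK: it uses the image path, mapper name, mount point and init script from the steps above, but skips each step whose end state already holds, so running it twice (or on a box where the volume is already open) does nothing destructive. With no argument it only prints the steps still needed; `--apply` executes them and must run as root. The `plan`/`--apply` split and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: an idempotent ~/after_reboot.sh
# that unlocks and mounts the LUKS volume from the steps above and then restarts
# EOTK. Each step is skipped when its end state already holds; the stop/start
# order of eotk-init.sh is kept. Paths are the ones from the notes; the script
# itself and its plan/--apply split are assumptions.
IMAGE=/private.img
MAPPER_NAME=eotk_private_volume
MOUNTPOINT=/private
EOTK_INIT=/etc/init.d/eotk-init.sh

# is_mapped NAME: true when the dm-crypt mapping is already open
is_mapped() { [ -e "/dev/mapper/$1" ]; }

# is_mounted DIR: true when DIR is a mount point according to /proc/mounts
is_mounted() {
    awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
}

# plan: print the steps that would still run, one per line, touching nothing
plan() {
    is_mapped "$MAPPER_NAME"  || echo "luksOpen $IMAGE $MAPPER_NAME"
    is_mounted "$MOUNTPOINT"  || echo "mount /dev/mapper/$MAPPER_NAME $MOUNTPOINT"
    echo "restart eotk"
}

# apply: execute the plan as root; aborts on the first failing step so EOTK is
# never started on top of an unmounted /private
apply() {
    set -e
    [ -f "$IMAGE" ] || { echo "missing $IMAGE" >&2; exit 1; }
    if ! is_mapped "$MAPPER_NAME"; then
        cryptsetup luksOpen "$IMAGE" "$MAPPER_NAME"   # prompts for the LUKS passphrase
    fi
    if ! is_mounted "$MOUNTPOINT"; then
        mount "/dev/mapper/$MAPPER_NAME" "$MOUNTPOINT"
    fi
    "$EOTK_INIT" stop || true   # stop may fail when nothing was running yet
    "$EOTK_INIT" start
}

case "${1:-}" in
    --apply) apply ;;
    *)       echo "dry run (use --apply to execute):"; plan ;;
esac
```

After a reboot: `sudo sh ~/after_reboot.sh` to see what is pending, then `sudo sh ~/after_reboot.sh --apply`. Keeping the script on the unencrypted root filesystem is fine since it holds no secret; the passphrase is still typed interactively at the `luksOpen` prompt.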
Install mkcert:

```shell
sudo apt install libnss3-tools
# download from https://github.com/FiloSottile/mkcert/releases
# install in /usr/local/bin
mkcert -install
```

Ok, now ready for service setup following `prototyping.md` (bionic section).