Silk Road forums
Discussion => Security => Topic started by: Bazille on September 29, 2013, 03:54 pm
-
This step-by-step tutorial explains how to install Raspbian with Tor on a Raspberry PI remotely (without connecting a keyboard/monitor to the Raspberry PI).
It is based on the Onion PI tutorial from Adafruit but has many changes and additions. Every step needed to make it work is mentioned in the tutorial.
The system functions as a wireless access point which physically isolates the wireless computers from the rest of the network.
This means that the computers connecting to it through wifi can only connect to the internet through Tor.
The wireless computers will not be able to connect to other computers in the local network.
You can also use it as a Tor proxy through the local network provided by your router, but the computer will not be physically isolated from the rest of the local network/internet in that case.
It is assumed that you have a router which is connected to the internet and automatically assigns an IP address to the Raspberry PI when you connect it with a cable.
With a few modifications it should be possible to connect a 3G modem or another wireless card to connect to mobile internet, but that is not covered by this tutorial.
The system is not a transparent proxy which tunnels all connections from the wireless computers through Tor. That could potentially provide an attacker with too much information.
Instead it only forwards connections which specifically use the Tor/Privoxy proxies running on the Raspberry PI.
If you are Edward Snowden, then you should take extra care about the computers you connect to the wireless access point. That is not covered by this tutorial.
Generally the laptop should have been bought anonymously with cash and never have been connected to the internet through your local network.
The setup should look like this:
Clean laptop -> Raspberry PI wifi adapter -> Tor/Privoxy running on Raspberry PI -> Raspberry PI ethernet cable -> router -> internet
Features:
* Uses latest development version of Tor
* Privoxy HTTP proxy which can only connect to the Tor socks proxy
* Iptables firewall which restricts input from all network interfaces and impedes SSH brute forcing
* Logging is diverted to a ram disk - after powering off the Raspberry PI it will not be visible how often computers connected to the Raspberry PI or which MAC address they used
* Swap is disabled to prevent swapping memory to the SD card
* Fetches time using tlsdate (secure parasitic rdate replacement coded by one of the Tor developers)
Skill needed:
Using the command line a lot. No graphical interface will be used during the installation. You don't really need to understand what you are doing however, as long as you exactly follow the instructions.
Requirements:
* Raspberry PI Model B preferably with case
* Micro-USB charger/power supply
* Wifi dongle - this tutorial is specifically made with the Edimax EW-7811Un wifi adapter in mind, Onion PI wifi adapters will work too
* SD card reader
* 4GB SD card, preferably with 20-30mb/s reading speed
* Router with RJ-45 network cable port and connection to the internet
* Computer with wireless or cable connection to the router
* Network cable (RJ-45)
Instead of purchasing all parts separately you could buy an Onion PI bundle from Adafruit:
Onion PI with mini wifi dongle
https://www.adafruit.com/products/1410
Onion PI with wifi antenna dongle
https://www.adafruit.com/products/1406
DISCLAIMER: This tutorial is work in progress. Do not rely on it for strong security. If you aren't Edward Snowden it may be secure enough however. While it doesn't prevent traffic correlation this system provides more security than the Onion PI tutorial.
Date: 29.09.2013
-
1. Download files
Download the latest version of win32diskimager:
http://sourceforge.net/projects/win32diskimager/files/latest/download
If you don't use Windows you need to Google how to write the .img file to the SD card.
Download the latest version of Raspbian:
http://downloads.raspberrypi.org/raspbian_latest
or
http://downloads.raspberrypi.org/raspbian_latest.torrent
If you're using Windows download Putty (SSH client):
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
2. Writing Raspbian OS to SD card
Unzip the Win32 Disk Imager and Raspbian ZIP files.
Start Win32 Disk Imager, select the Raspbian IMG file and select the proper device (SD card).
Click Write to write the image to the SD card.
When writing is finished put the SD card into the Raspberry PI.
Use the ethernet cable to connect the Raspberry PI to your router.
Do not connect the wifi dongle yet.
Power on the Raspberry PI by connecting it to the USB power supply and wait 30 seconds.
3. Find out the IP address of the Raspberry PI
Now you have to find out the IP address which was assigned to the Raspberry PI by your router.
You can probably do this by using the web interface of your router, or you can guess it by looking at the LAN IP address of your desktop computer.
Press Windows key + R and enter "cmd.exe".
At the DOS prompt enter "ipconfig".
You should see a line like this, which shows the IP address of your computer in the local network.
IPv4 Address 192.168.0.101
Now you can send a ping request to random IP addresses in your local network and see if any of them sends an answer. You may have to allow it in your firewall or turn the firewall off.
If you don't have any other devices connected to your router, then the Raspberry IP address may be <desktop IP address + 1>, e.g. 192.168.0.102.
Enter "ping 192.168.0.102" and wait a few seconds.
If you get a "Reply from 192.168.0.102" response, then that is the IP address of your Raspberry PI.
If there is no reply, press CTRL-c and enter "ping 192.168.0.103". Keep incrementing the last number until you get a ping reply.
If that fails, then you can also use other tools to detect the IP addresses of devices connected to your router, e.g. Fing:
http://www.overlooksoft.com/download
If this doesn't help then Google is your friend. Search for "how do i find out the ip address raspberry pi remotely" or ask in the forum.
When you found out the IP address write it down so you don't forget it later.
3. Connect with SSH
To setup the Raspberry PI without keyboard and monitor it is necessary to use SSH.
If you're using Windows, start Putty.exe, enter the IP address you wrote down as host name and click Open.
If you're using Linux, open a terminal and enter "ssh pi@192.168.0.101", replace the IP address with the correct address.
If you got the right IP address then you should see a login prompt ("login as:").
Enter "pi" and use "raspberry" as password.
You should see command prompt
pi@raspberrypi ~ $
Enter this command to start the Raspbian configuration tool:
sudo raspi-config
Press enter to Expand Filesystem, so the SD card partition will be enlarged.
Use cursor keys to navigate the menu to Change User Password.
Press enter and enter your new password 2 times. The password should not be guessable and not in a dictionary. 8 characters or more is recommended.
Select "Finish" by using the cursor keys and press enter.
Press enter again to reboot now.
Wait a minute, then start Putty.exe again with the same IP address as before. This time use your new password for logging in.
-
4. Installing and updating packages
4.1. Changing/adding package sources
When you're at the command prompt again enter
sudo nano /etc/apt/sources.list
Look at the line
deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi
"wheezy" is the current default repository of Raspbian, this may change in the future.
Change wheezy to jessie if it isn't set to jessie already. This is needed to install tlsdate later.
Navigate to the end of the text file with the cursor keys.
Paste these 2 lines by copying them to your clipboard and pressing the right mouse button in the Putty window:
deb-src http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org experimental-jessie main
Press CTRL-x to save the changes, enter y and press enter to confirm the filename
4.2. Updating packages
At the command prompt enter
sudo apt-get update && sudo apt-get dist-upgrade -y
This can take 20 minutes to complete. If you get a message about restarting services select Yes.
If you get an error about dependencies enter
sudo apt-get -f install
4.3. Compiling and setting up Tor
Because the torproject repository doesn't currently seem to provide correct packages for the Raspberry PI it is necessary to compile the latest version of Tor.
Don't worry, you don't need to understand anything about programming to do this. Simply follow the instructions.
At the command prompt enter
sudo apt-get install build-essential fakeroot devscripts -y
This will take a few minutes to complete.
When the command prompt is visible again paste these lines
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
sudo apt-get update
sudo apt-get install deb.torproject.org-keyring -y
sudo apt-get build-dep tor -y
When the command prompt is visible again enter
cd
mkdir debian-packages
cd debian-packages
apt-get source tor
Wait until the download is finished then enter
cd tor-*
debuild -rfakeroot -uc -us
The latest development version of Tor will now get compiled. This will take about 45 minutes to complete.
When the command prompt is visible again enter the following lines to install Tor:
cd ..
sudo dpkg -i tor_*.deb
sudo dpkg -i tor-geo*
To replace the Raspbian fake clock with tlsdate and install the relay monitor enter the next 2 lines. Tlsdate does pretty much the same as the fake clock, but it's more secure.
sudo apt-get install tor-arm tlsdate -y
sudo apt-get remove fakehw-clock -y
Tor-arm is the anonymous relay monitor command line tool which provides similar functionality as Vidalia.
Next edit the Tor configuration file:
sudo nano /etc/tor/torrc
Paste these lines into the editor:
SocksPort 9050
SocksPort 0.0.0.0:9001
SocksPort 0.0.0.0:9002 IsolateDestAddr IsolateDestPort
StrictNodes 1
AvoidDiskWrites 1
DisableDebuggerAttachment 0
EntryNodes {us}
The SocksPort 0.0.0.0* lines will trigger warnings when starting Tor, but this is not a problem, as it will get restricted by iptables later.
Change the "us" in the Entrynodes {us} line to your country code, so Tor will only use entry guards in your country.
The country codes are not top level domains. Have a look at this list to find the country code you have to use: http://dev.maxmind.com/geoip/legacy/codes/iso3166/
You could also use bridges instead of the EntryNodes line.
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
4.4. Privoxy
Tor is not a HTTP proxy, so to connect to Tor with a browser we need to install a proxy which uses the Tor socks proxy.
At the command prompt enter
sudo apt-get install privoxy -y
Enter
sudo nano /etc/privoxy/config
Find the line which says "listen-address localhost:8118" and change it to "listen-address :8118".
Scroll down to the end of the text file and enter
forward-socks5 / 127.0.0.1:9050 .
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
-
4.5. DHCP server and access point
To automatically assign IP addresses to wireless computers connecting to the Raspberry PI access point it is necessary to install a DHCP server.
At the command prompt enter
sudo apt-get install hostapd isc-dhcp-server -y
4.5.1 DHCP server
Edit the DHCP config file by entering
sudo nano /etc/dhcp/dhcpd.conf
Find the lines that say
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
and change them to add a # in the beginning so they say
#option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;
Find the lines that say
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
and remove the # so it says
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
Then scroll down to the bottom of the text file and paste the following lines
subnet 10.0.42.0 netmask 255.255.255.0 {
range 10.0.42.10 10.0.42.50;
option broadcast-address 10.0.42.255;
option routers 10.0.42.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 10.0.42.1;
option ntp-servers 10.0.42.1;
}
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
Enter the next line to edit the DHCP server parameters:
sudo nano /etc/default/isc-dhcp-server
Scroll down to INTERFACES="" and update it to say INTERFACES="wlan0".
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
4.5.2. Wifi adapter configuration
Enter the next line to edit the wifi adapter configuration:
sudo nano /etc/network/interfaces
Find the line with "iface wlan0" and add a # in front of the line, and in front of every line afterwards.
Then add the lines
iface wlan0 inet static
address 10.0.42.1
netmask 255.255.255.0
up iptables-restore < /etc/iptables.rules
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
4.5.3. Access point
Enter
sudo nano /etc/hostapd/hostapd.conf
Paste the following in. You can change the text after ssid= to another name; that will be the network broadcast name. The password can be changed with the text after wpa_passphrase=
interface=wlan0
driver=rtl871xdrv
ssid=NSA_GCHQ
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=snowden23
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
Make sure each line has no extra spaces or tabs at the end or beginning - this file is pretty picky!
If you don't use the Edimax wifi dongle or the Onion PI then you may have to change the driver= line. This is not covered by this tutorial.
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
Enter
sudo nano /etc/default/hostapd
Find the line #DAEMON_CONF="" and edit it so it says DAEMON_CONF="/etc/hostapd/hostapd.conf"
Don't forget to remove the # in front to activate it!
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
4.5.4. Download access point software from Adafruit
If you use the Edimax EW-7811Un wifi dongle or the Adafruit Onion PI then you'll have to use a special version of the access point software:
Enter these lines:
cd; mkdir downloads; cd downloads
wget http://www.adafruit.com/downloads/adafruit_hostapd.zip
unzip adafruit_hostapd.zip
sudo mv /usr/sbin/hostapd /usr/sbin/hostapd.ORIG
sudo mv hostapd /usr/sbin
sudo chmod 755 /usr/sbin/hostapd
sudo reboot
Wait 30 seconds and connect to the PI again with Putty. You can connect the wifi dongle now or later.
-
5. Prevent logging to SD card
To increase the lifetime of the SD card and to not disclose information about which MAC addresses connected to the Raspberry PI, logging has to be diverted to the ram disk.
After rebooting the Raspberry PI no information about previous connections will be left. Simply turning off the Raspberry PI may reveal the data since the last reboot in a cold boot attack however.
Enter
sudo su
and enter your password.
You are now logged in as root (admin).
5.1. Stop and disable services
Enter these lines to stop the services and disable them from starting too early at boot time:
/etc/init.d/tor stop
/etc/init.d/privoxy stop
/etc/init.d/isc-dhcp-server stop
update-rc.d tor disable
update-rc.d privoxy disable
update-rc.d isc-dhcp-server disable
5.2. Create ram disk
Enter the next lines to erase the tor logfile and create a mount point for a ram disk.
rm -f /var/log/tor/log
mkdir /mnt/ramdisk
Enter the next line to edit the fstab file which automatically mounts disks at boot time:
nano /etc/fstab
Use the cursor keys to get to the bottom of the text file and paste these lines:
none /tmp ramfs defaults 0 0
none /mnt/ramdisk ramfs defaults 0 0
none /var/log/tor ramfs defaults 0 0
none /var/log/privoxy ramfs defaults 0 0
none /var/log/apt ramfs defaults 0 0
none /var/lib/dhcp ramfs defaults 0 0
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
Enter the next lines to mount the ram disks, move the current syslog to the ramdisk and uninstall the swap file package:
mount -a
mv /var/log/syslog /mnt/ramdisk/syslog; ln -s /mnt/ramdisk/syslog /var/log/syslog
mv /var/log/messages /mnt/ramdisk/messages; ln -s /mnt/ramdisk/messages /var/log/messages
apt-get remove dphys-swapfile -y
5.3. Startup script
Edit the rc.local script which gets executed at boot time by entering
nano /etc/rc.local
Before the last line ("exit 0") enter the following lines, which will start Tor, DHCP and access point after changing some folder permissions:
chmod 777 /var/log/tor && /etc/init.d/tor restart
chmod 777 /var/log/privoxy && /etc/init.d/privoxy restart
chmod 1777 /tmp
touch /var/lib/dhcp/dhcpd.leases && /etc/init.d/isc-dhcp-server restart
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
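An added check for this step, written by the editor and not taken from Bazille's post: before relying on "nothing is written to the SD card", confirm that every path the fstab lines above name is really mounted as ramfs (or tmpfs) and that the syslog/messages links point into /mnt/ramdisk. It reads a mount table in /proc/mounts format from stdin, so it can be run on the PI or on a saved copy; the list of paths is the one from the fstab lines, and any sample mount lines used with it are constructed.

```shell
#!/bin/sh
# Added check (not part of the tutorial): verify the ram disk setup.
# Paths are the ones the fstab lines in section 5.2 put on ramfs.
REQUIRED_RAMFS="/tmp /mnt/ramdisk /var/log/tor /var/log/privoxy /var/log/apt /var/lib/dhcp"

# Print each required path that is not backed by ramfs/tmpfs, one per line.
# Input: mount table lines "device mountpoint fstype options dump pass"
# (the /proc/mounts format) on stdin. Empty output means all are on a ram disk.
missing_ramfs_mounts() {
    mounted=" "
    while read -r _dev mnt fstype _rest; do
        case "$fstype" in
            ramfs|tmpfs) mounted="$mounted$mnt " ;;
        esac
    done
    for path in $REQUIRED_RAMFS; do
        case "$mounted" in
            *" $path "*) ;;
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# Succeed when $1 is a symlink whose target lies below /mnt/ramdisk, as the
# syslog and messages links created in section 5.2 should be.
log_on_ramdisk() {
    target=$(readlink "$1" 2>/dev/null) || return 1
    case "$target" in
        /mnt/ramdisk/*) return 0 ;;
        *) return 1 ;;
    esac
}

# When run on a Linux box, check the live mount table and the two links.
if [ -r /proc/mounts ]; then
    missing=$(missing_ramfs_mounts < /proc/mounts)
    if [ -n "$missing" ]; then
        printf 'not on a ram disk:\n%s\n' "$missing"
    else
        printf 'all log paths are on a ram disk\n'
    fi
    for link in /var/log/syslog /var/log/messages; do
        log_on_ramdisk "$link" || printf 'not a ram disk link: %s\n' "$link"
    done
fi
```

Run it as root after `mount -a` and again after a reboot, since rc.local only fixes permissions and does not mount anything. One caveat worth knowing: ramfs has no size limit, so a service that logs heavily can fill RAM; tmpfs with a `size=` option in the same fstab lines caps that.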
-
6. Firewall
The system should be quite secure, but it doesn't hurt to add some extra security with an iptables firewall.
It will prevent all unnecessary incoming connections from all network interfaces and make sure it would take a very long time to successfully brute force the SSH server.
If an unauthorized person gets your access point password they won't be able to do anything except connecting to Tor and trying to very slowly brute force the SSH server.
You are probably still logged in as root, so enter "exit".
Enter the next 2 lines to change to the pi home directory and create a firewall script:
cd
nano firewall
Paste the following script into the editor:
##################################
#
# CHANGE THE NEXT LINE BEFORE RUNNING THE FIREWALL SCRIPT
LOCALNET=192.168.0.0
# this should be the local network of your router
#
##################################
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow loopback
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT # dns response from ethernet
iptables -A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT # dhcp requests from wifi
iptables -A INPUT -i wlan0 -p udp --dport 123 -j ACCEPT # time requests from wifi
# accept privoxy and ssh connections from wifi and local network
iptables -A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i wlan0 -p tcp --dport 8118 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s $LOCALNET/24 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s $LOCALNET/24 --dport 8118 -j ACCEPT
# accept tor socks connections from wifi and local network
iptables -A INPUT -i wlan0 -p tcp --dport 9000:9020 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s $LOCALNET/24 --dport 9000:9020 -j ACCEPT
# allow only 2 connections to SSH per minute to make brute forcing useless
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP
# probably not necessary: drop privoxy connections through ethernet
iptables -A OUTPUT -o eth0 ! -d $LOCALNET/24 -j DROP -m owner --uid-owner privoxy
iptables -L -v
Note the line LOCALNET=. You have to change this to point at your local network IP range.
If the IP address of the Raspberry PI is 192.168.0.something then you can leave the line as it is.
If the IP address of the PI is 172.168.0.something then you have to change the line to LOCALNET=172.168.0.0.
Basically you simply replace the last number of the Raspberry PI IP address with a 0.
If you don't get this right then you will lock yourself out of the Raspberry PI until the next reboot.
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
Enter the next 2 lines to make the firewall script executable and activate it:
chmod +x firewall
sudo ./firewall
If you still have a connection to the Raspberry PI at this point, then everything went well and you have to edit the firewall script again.
If you get disconnected from the PI at this point then you have to restart it and make sure you enter the right IP range in the LOCALNET= line.
Enter
nano firewall
Scroll down to the end of the text file and enter in a new line:
iptables-save > /etc/iptables.rules
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
Again enter
sudo ./firewall
This will save the firewall rules to a file in the /etc folder which will get applied automatically when the network interfaces start up.
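An added helper for the LOCALNET= step, written by the editor and not part of Bazille's firewall script: it derives the /24 network address from the Raspberry PI's IP (the "replace the last number with 0" rule above) and, before the rules are loaded, checks that the address your SSH session comes from still matches the `-s $LOCALNET/24 --dport 22` rule, which is the lockout the post warns about. The PI address and the fallback admin address in the demo are constructed values; the admin address is otherwise read from SSH_CLIENT, which sshd sets in an SSH session.

```shell
#!/bin/sh
# Added helper (not part of the tutorial): compute LOCALNET= for the firewall
# script and check that loading the rules would not lock out this session.

# Print the /24 network for a dotted-quad IPv4 address, i.e. the address with
# its last octet replaced by 0; fail for anything that is not four octets 0-255.
localnet_for() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.0\n' "$1" "$2" "$3"
}

# Succeed when an SSH client at $1 lies inside the /24 named by $2, which is
# exactly what the eth0 SSH accept rule in the firewall script tests.
# Failure means running the script would cut off the session it is run from.
client_allowed() {
    net=$(localnet_for "$1") || return 1
    [ "$net" = "$2" ]
}

# Demo. PI_IP is a constructed stand-in for the address written down in step 3.
# sshd sets SSH_CLIENT="<client ip> <client port> <server port>" in an SSH
# session; a constructed address is used when the script runs elsewhere.
PI_IP=192.168.0.101
ADMIN_IP=${SSH_CLIENT%% *}
[ -n "$ADMIN_IP" ] || ADMIN_IP=192.168.0.50
if LOCALNET=$(localnet_for "$PI_IP"); then
    printf 'LOCALNET=%s\n' "$LOCALNET"
    if client_allowed "$ADMIN_IP" "$LOCALNET"; then
        printf 'SSH from %s stays reachable with this LOCALNET\n' "$ADMIN_IP"
    else
        printf 'WARNING: %s is outside %s/24 - loading the rules would lock you out\n' "$ADMIN_IP" "$LOCALNET"
    fi
else
    printf 'not a usable IPv4 address: %s\n' "$PI_IP"
fi
```

Replace PI_IP with the real address and paste the printed LOCALNET= line into the firewall script; the warning case is the one to sort out before typing `sudo ./firewall`.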
-
7. Using the system
The installation is now complete. Reboot the Raspberry PI by entering "sudo reboot" and boot your laptop.
Connect the laptop to the right access point ("NSA_GCHQ" if you didn't change the name) and enter the access point password ("snowden" if you didn't change it).
Go to the network configuration in your web browser and enter 10.0.42.1 port 8118 as proxy server.
If you want to use it as a Tor proxy from within your local network (connected through the router) then you have to replace 10.0.42.1 with the Raspberry PI IP address, e.g. 192.168.0.101.
Connecting to it through the router does not provide physical isolation however.
If you are using the Tor Browser Bundle then you have to prevent Vidalia from starting up. This is not covered by this tutorial.
If you need to use an application with socks5 proxy support (IRC, Pidgin, ...) you can use 10.0.42.1 port 9001 or port 9002.
Socks port 9001 will use the same Tor circuit for all connections for 10 minutes or so.
Socks port 9002 will use a different Tor circuit for every new connection.
If you want to manually create a new circuit (like "new identity" in Vidalia) then you'll have to connect to the Raspberry PI with SSH first. This will work from the laptop.
Enter "arm" at the command prompt and press "n" to get a new circuit, or "m" for a menu.
When James Clapper and General Alexander are knocking on your door while you're using the Raspberry PI enter "sudo reboot" in the terminal. This should clear the log files from the RAM.
Simply turning off the Raspberry PI may leave some residue in the memory chips.
-
stub
-
Another great tutorial, Bazille. :)
-
+1 and sub, I have three PI boards and could do more with them.
-
How is this different from the Grugq's PORTAL aside from using Pi?
-
I don't know PORTAL. Does it prevent permanent logging of MAC addresses after rebooting? Does it make your computer use a transparent Tor proxy which can provide the exit node with too much information when not being careful? Does it use a self-compiled latest development version of Tor? Does it use tlsdate to fetch the time securely?
With this system you will also be able to easily update the software packages. You don't have to flash the device again. Instead you simply do apt-get update && apt-get dist-upgrade. Though that's not really necessary. PORTAL looked like it wasn't updated since 2012 when I searched for it last week. You can also easily make a backup of your whole system by reading the SD card with Win32 Disk Imager.
-
The tutorial has been updated. /tmp gets the right permissions in rc.local. The WPA passphrase length has been increased to minimum length. /var/log/messages has been moved to the ram disk.
DHCP server now offers time server to connecting clients and the firewall port has been opened.
-
I haven't fully analysed it all but on the surface it appears sound.
However your configuration is for WPA with TKIP. TKIP should be considered as secure as un-encrypted wifi! Please use WPA2 + AES instead. Even better would be not to buy a USB WiFi but instead to buy a USB ethernet as wifi can be captured over the air, replayed and brute forced.
-
Latest change in PORTAL was done in 2013 and PORTALofPi came out a month ago.
https://github.com/grugq/portal
https://github.com/grugq/PORTALofPi
I'm not trying to downplay your contributions (on the contrary, I find them very valuable), I'm just interested in the differences between the two setups.
-
By making these changes to the system you can turn your Raspberry PI into a transparent Tor hotspot.
When someone connects to the PI and starts their browser it will redirect them to a landing page where they have to agree to the terms of service.
After they agreed it will route all their traffic transparently through Tor. If they don't agree they can still use the Tor proxy as it is described in the above tutorial.
You could change the ssid= line in /etc/hostapd/hostapd.conf to something like "Free Inet - password: snowden23" to let everyone in range connect to it.
Instead of announcing the password you could also remove the encryption options in /etc/hostapd/hostapd.conf to make it an obviously public hotspot without password and encryption.
You could hide it somewhere near a public hotspot and attach a solar power battery pack and another wifi dongle to it to provide free anonymous internet for everyone.
The MAC addresses which connected to it will be logged in the ram disk for 1 day only, as the PI will automatically reboot daily.
It is assumed that you have already set up the Raspberry PI according to the above tutorial in this thread. If you did not, then you have to make further changes to your system.
The method is partly based on the captive portal tutorial from here: http://aryo.info/labs/captive-portal-using-php-and-iptables.html
Disclaimer:
Making the hotspot password public may create some attack possibilities for scriptkiddies, e.g. they could try to DoS the webserver.
Though the webserver itself probably can't be hacked to gain root access to the system, unless you add more webpages to it.
If you installed Privoxy on your system you should uninstall it, because it displays too much information when trying to access a non-existing URL.
############################################################################################################
1. Dnsmasq and Lighttpd
First we install Dnsmasq which will answer all DNS requests with the IP of the Raspberry PI wifi interface.
Enter the following lines to install Dnsmasq and configure it:
sudo apt-get install dnsmasq -y
sudo nano /etc/dnsmasq.conf
Scroll down to the end of the text file and paste
address=/#/10.0.42.1
interface=wlan0
no-resolv
no-hosts
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
To provide a landing page and change firewall rules for users who accepted the TOS we need a webserver with PHP support.
sudo apt-get install lighttpd -y
sudo apt-get install php5-common php5-cgi php5 -y
sudo lighty-enable-mod fastcgi-php
sudo rm /var/www/*
To have the landing page displayed to users starting their browser it is necessary to create a 404 error handler which redirects users.
Enter
sudo nano /etc/lighttpd/lighttpd.conf
Scroll down to the end of the text file and paste
server.error-handler-404 = "/404.php"
server.tag = "NSA Web Server"
dir-listing.activate = "disable"
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/nsa.pem"
}
$HTTP["scheme"] == "https" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "http://%0$0")
}
}
Change 'server.errorlog = "/var/log/lighttpd/error.log"'
to server.errorlog = "/tmp/serror.log"
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
To redirect users whose browser tries to connect to a HTTPS URL we have to create a SSL certificate.
Enter
sudo mkdir /etc/lighttpd/ssl
sudo chmod 755 /etc/lighttpd/ssl
cd /etc/lighttpd/ssl
sudo openssl req -new -x509 -keyout nsa.pem -out nsa.pem -days 9001 -nodes
Press enter to accept default values or change them
Enter
sudo chmod 400 nsa.pem
To allow the webserver to change the firewall rules it needs to get added to sudoers:
sudo visudo
Scroll down to the end of the text file and paste
www-data ALL=NOPASSWD: /sbin/iptables -t nat -I PREROUTING -j MARK*
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
To prevent the webserver from starting before the /tmp (ram disk) permissions allow it to create a logfile, it needs to be removed from rc.d and added to rc.local
sudo update-rc.d lighttpd disable
sudo nano /etc/rc.local
Before "exit 0" add
/etc/init.d/lighttpd restart
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
############################################################################################################
2. Create the webserver landing pages
Users connecting to the hotspot will automatically get redirected to this landing page when they start their browser.
The landing page will get their MAC address so it can get added to the firewall rules if they accept the TOS.
Enter
sudo nano /var/www/index.php
Paste this into the editor:
<html><head><title>Hello? Yes, this is NSA!</title></head><body>
<?php
// capture their IP address
$ip = $_SERVER['REMOTE_ADDR'];
// execute the arp command to get their mac address
$mac = shell_exec("arp -an " . $ip);
preg_match('/..:..:..:..:..:../',$mac , $matches);
$mac = @$matches[0];
// if MAC Address couldn't be identified.
if( $mac === NULL) {
echo "Access Denied.";
exit;
}
?>
<pre>
This is a service which provides connection to the internet through the Tor anonymity network.
You are not directly connected to the internet, instead the connection gets routed through random nodes in various countries.
Connections can sometimes be slow. If a connection times out simply reload the webpage.
###################################################################################################################
Do not use this service for illegal activity
Do not send sensitive data unless you are 100% sure the connection to the webserver is encrypted
Do not use this service for filesharing or puppies will die
###################################################################################################################
Before using this free service you have to agree to sell your soul.
Do you accept the deal?
</pre>
<form method="post" action="process.php">
<input type="hidden" name="mac" value="<?php echo $mac; ?>" />
<input type="hidden" name="ip" value="<?php echo $ip; ?>" />
<input type="submit" value="YAY!" style="padding:10px 20px;" />
</form>
</body></html>
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
Enter
sudo nano /var/www/process.php
Paste this into the editor:
<html><body>
<?php
if( isset($_POST['ip'] ) && isset ( $_POST['mac'] ) ) {
$ip = $_POST['ip'];
$mac = $_POST['mac'];
// only accept a well-formed MAC address (six hex pairs) - anything else would
// reach the shell and the sudo iptables rule unchecked
if( !preg_match('/^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}\z/', $mac) ) {
echo "Access Denied";
exit;
}
exec("sudo iptables -t nat -I PREROUTING -j MARK --set-mark 42 -i wlan0 -m mac --mac-source " . escapeshellarg($mac));
} else {
echo "Access Denied";
exit;
}
?>
<pre>
Your computer is now connected to the internet through the Tor anonymity network.
Optionally you can connect to .onion websites ("Darknet").
You can find Onion links on Reddit:
<a href="http://www.reddit.com/r/onions">http://www.reddit.com/r/onions</a>
With best regards,
Keith the General Alexander
</pre></body></html>
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
Enter
sudo nano /var/www/404.php
and paste
<?php
header("Location: http://10.0.42.1/", TRUE, 303);
exit;
?>
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
Enter
sudo chown -R www-data:www-data /var/www
to make sure the webserver is the owner of the .php files.
############################################################################################################
3. Tor configuration
Tor needs some additional configuration options to transparently tunnel all connections from wifi clients through Tor.
Enter
sudo nano /etc/tor/torrc
Scroll down to the end of the text file and paste these lines:
VirtualAddrNetwork 10.23.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 10.0.42.1
DNSPort 5553
DNSListenAddress 10.0.42.1
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
############################################################################################################
4. Firewall
The firewall script needs some additional lines to accept DNS and http connections from the wifi clients.
It will redirect every data packet marked with 42 to the transparent Tor proxy.
The process.php script created earlier marks every packet from a MAC address that accepted the TOS with 42.
Enter
nano /home/pi/firewall
Below "iptables -F" add
iptables -t nat -F
Before "iptables -L -v" paste these lines:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT # connections to lighttpd
iptables -A INPUT -i wlan0 -p udp --dport 53 -j ACCEPT # connections to dnsmasq
iptables -A INPUT -p udp --dport 5553 -j ACCEPT # connections to Tor DNSPort
iptables -A INPUT -p tcp --dport 9040 -j ACCEPT # connections to Tor TransPort
# redirect DNS requests and TCP traffic from wifi clients which accepted the TOS (mark 42)
iptables -t nat -A PREROUTING -i wlan0 -p udp -m mark --mark 42 --dport 53 -j REDIRECT --to-ports 5553
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m mark --mark 42 --syn -j REDIRECT --to-ports 9040
# prevent flooding of lighttpd - allow 5 new connections per IP in 10 seconds
iptables -I INPUT -p tcp --dport 80 -i wlan0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i wlan0 -m state --state NEW -m recent --update --seconds 10 --hitcount 5 -j DROP
# prevent flooding of dnsmasq/Tor DNS - allow 20 new connections per IP in 10 seconds
iptables -I INPUT -p udp -m multiport --dports 53,5553 -i wlan0 -m state --state NEW -m recent --set
iptables -I INPUT -p udp -m multiport --dports 53,5553 -i wlan0 -m state --state NEW -m recent --update --seconds 10 --hitcount 20 -j DROP
# probably not necessary: drop dnsmasq connections through ethernet
iptables -A OUTPUT -o eth0 ! -d $LOCALNET/24 -j DROP -m owner --uid-owner dnsmasq
# drop connections to lighttpd from users who accepted TOS
iptables -I INPUT -i wlan0 -p tcp -m mark --mark 42 -m state --state NEW -m multiport --dports 80,443 -j DROP
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
Enter this line to update the firewall
sudo /home/pi/firewall
############################################################################################################
5. Daily reboot
To clear the previously connected MAC addresses from the RAM disk, the Raspberry PI is rebooted automatically once a day.
Enter
sudo nano /etc/cron.daily/reboot
and paste
#!/bin/sh
reboot
Press CTRL-X to save the changes, enter y and press enter to confirm the filename
Enter
sudo chmod 755 /etc/cron.daily/reboot
############################################################################################################
6. Done
If you want to provide public access to Tor you should remove the Privoxy proxy, because it can display too much information about the system when someone connects to it.
Enter
sudo apt-get remove privoxy
Enter
sudo reboot
to reboot the Raspberry PI. After 30 seconds you can connect your laptop via wifi and test the connection.
-
However, your configuration is for WPA with TKIP. TKIP should be considered as secure as unencrypted wifi! Please use WPA2 + AES instead.
I think the TKIP option doesn't even get used, because the AP runs on wpa2. So only CCMP should be used. Or it's optional. Anyway I simply copied that part from another tutorial. Will test it and remove the option if it still works.
Even better would be not to buy a USB WiFi but instead to buy a USB ethernet as wifi can be captured over the air, replayed and brute forced.
True, but some people may want to connect their smartphones to it.
-
Latest change in PORTAL was done in 2013 and PORTALofPi came out a month ago.
https://github.com/grugq/portal
https://github.com/grugq/PORTALofPi
I'm not trying to downplay your contributions (on the contrary, I find them very valuable), I'm just interested in the differences between the two setups.
Apparently PORTAL uses NTP for time synchronization, which an attacker could use to deanonymize you by feeding your system the wrong time. Though that attack may never get used by anyone anyway, and it's probably useless as the connecting client computer is not affected by it.
PORTAL also does not log to the RAM disk, so MACs which connected to it will be logged permanently, even after reboot. It doesn't seem to use the latest development version of Tor, and Tor is not self-compiled.
Apart from that there don't seem to be many differences. Those differences may not be very important anyway. I don't see any significant reason against using PORTAL, but when using it you should replace the installed Tor package with the latest development version.
PORTALofPi executes a shell script to do all configuration for you. That is convenient, but I think doing it all yourself is better for learning and understanding how the system works.
-
In case this forum gets taken down my tutorials are available on the clearnet.
If it happens, see you soon on another marketplace.
http://torforum.org/viewtopic.php?f=2&t=18337
http://torforum.org/viewtopic.php?f=2&t=18324
http://torforum.org/viewtopic.php?f=2&t=18320