Fli
02-28-2020, 06:05 PM
It can come handy to some Raspbian users with Raspberry Pi. In my case i did this on RPi4 and Raspbian 10 buster but most things should work also on other Raspberry or even on different HW and Linux. Use at your own risk.
Users
Removing pi's root/superuser/sudo permissions and adding new super user:
sudo adduser newuser
sudo adduser newuser sudo
sudo delgroup pi sudo;sudo rm /etc/sudoers.d/*pi-nopasswd
Preventing cross account data reading and seeing processes of other users:
sudo su
echo "umask 077" >> /etc/profile
chmod -R go-rx /home/*/
sudo sed -i '/proc/s/defaults/defaults,hidepid=2/g' /etc/fstab
exit
Protecting SSH from bruteforce and installing monitoring tools:
apt install ufw fail2ban htop nload nmon
chkconfig ufw enable
ufw limit ssh # reject SSH login attempts for 10 minutes from IP if it fails 6 times in 30 seconds
ufw deny in on eth0 to 224.0.0.0/24 proto igmp
Setting up some new commands:
echo -e "alias myip='for ip in \$(curl -L http://cpanel.net/showip.shtml 2>/dev/null);do echo \$ip && whois \$ip|grep -i netname;done'\nalias sensors='echo CPU: $(cat /sys/class/thermal/thermal_zone0/temp|cut -b -2)°'\nalias kodi='sudo -u pi kodi --standalone &'" >> ~/.bashrc
logout and login, then:
myip - show your public IP
sensors - show cpu temperature
kodi - i do not recommend this alias to anyone
Install VeraCrypt and create new container to protect data:
apt install makeself openssl libfuse2 libwxbase3.0-0v5 -y;
wget -L -O veracrypt-1.21-raspbian-setup.tar.bz2 https://launchpad.net/veracrypt/trunk/1.21/+download/veracrypt-1.21-raspbian-setup.tar.bz2
tar -vxjf ./veracrypt-1.21-raspbian-setup.tar.bz2;chmod +x veracrypt-1.21-setup-*;./veracrypt-1.21-setup-console-armv7
type "1" and hit enter
hit enter
hold spacebar until scrolled down
type "yes" and hit enter
enter key again
rm -rf veracrypt-*;openssl rand -base64 1024 > random
A) create Windows/Linux compatible encrypted container with minimal prompts:
cd;veracrypt enc --text --create --verbose --pim=0 --keyfiles= --volume-type=normal --filesystem=ntfs --encryption=AES --hash=SHA-512 --random-source=random
B) create container, but let me choose all parameters:
cd;veracrypt enc --text --create -v --random-source=random
example answers:
1
/home/you/enc
123G
1
1
6 (NTFS for compatibility with Windows?)
secure non disctionary password
Enter (empty input on PIM)
Enter (no keyfile)
rm random;mkdir dec
Mount volume:
veracrypt --pim=0 --keyfiles= --protect-hidden=no -m nokernelcrypto enc dec
List volumes:
df -h;veracrypt -l
Dismount all volumes:
veracrypt -d
Veracrypt parameters:
veracrypt -h|head
Creating shortcut/command "dec" to decrypt container and "enc" to encrypt (dismount):
echo -e "alias dec="veracrypt --pim=0 --keyfiles= --protect-hidden=no -m nokernelcrypto /home/YOU/enc /home/YOU/dec"" >> ~/.bashrc;echo -e "alias enc="veracrypt -d"" >> ~/.bashrc
Regarding "nokernelcrypto" mount parameter, i selected it, because it gives impression that it allows better performance handling many tiny files.
Installing Tor on Raspbian 10 Buster
(some commands are multi-liners)
sudo su
echo -e "deb https://deb.torproject.org/torproject.org buster main\ndeb-src https://deb.torproject.org/torproject.org buster main" >> /etc/apt/sources.list
curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import;gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
apt update;apt install tor tor-arm
grep -c "User debian-tor" /usr/share/tor/tor-service-defaults-torrc;echo "You should see 1. Else, there may be some problem."
I wanted to route certain web browser traffic or all computer traffic thru the Tor network. I did it via polipo (somehow it not worked without it) as described below, but under are also links to other methods
sudo apt install polipo;
echo -e "logSyslog = false\nlogFile = /var/log/polipo/polipo.log\nallowedClients = 127.0.0.1, 192.168.0.0/16\nsocksParentProxy = localhost:9050\nsocksProxyType = socks5\nproxyAddress = 127.0.0.1\nproxyPort = 8080\ndiskCacheRoot =" > /etc/polipo/config;
service tor restart;service polipo restart
Then you can use Tor either in web browser only or everywhere.
A) Tor in one web browser only: i install Firefox: apt install firefox-esr
Go to Firefox Settings, Proxy, set manual proxy, type http, IP is 127.0.0.1 and port 8080, tick to use for all protocols, tick to proxy DNS. check www.ipleak.net (http://www.ipleak.net) if you no longer have local internet IP.
B) Tor for all internet activity (i do not believe UDP will go thru it?), following will do it for all users:
sudo su
echo -e "http_proxy=http://127.0.0.1:8080\nhttps_proxy=http://127.0.0.1:8080/\nsocks_proxy=socks5://127.0.0.1:8080/" >> /etc/environment
exit
logout user and login back. command line, browsers should use tor as a proxy thanks to polipo that does http thru Tor's socks. To revert this (not proxify the traffic), run: unset http_proxy;unset https_proxy;unset socks_proxy
Above mentioned process is not ideal i am sure. It likely sends even the requests to localhost via Tor which is wrong and may end in failures to access localhost services from localhost and flood log files like /var/log/syslog with errors, thus logSyslog set to false in polipo conf. Also i do not trust this method is bulletproof in preventing leaking traffic outside Tor and also have doubts about which private data will be sent unencrypted and revealed to the possibly malicious Tor exit node. If you know better approach to use Tor as a proxy, please kindly share. [This script](https://gist.github.com/numb95/8ed337e1a9fca0d78e8d57026b46ce1f) contains some interesting iptables rules for tor killswitch, but it not worked for me somehow.
other tutorials (not tried) for a Tor as a system proxy:
0) https://github.com/GouveaHeitor/nipe
A) https://github.com/SusmithKrishnan/torghost (readme install sh fix, works on Deb. with amd64 arch.)
B) https://gist.github.com/numb95/8ed337e1a9fca0d78e8d57026b46ce1f (basicaly just iptables rules, PORT variable missing " and XXX replace by "debian-tor" likely)
C) https://github.com/t7hm1/GhostNET (Arch based OS, python3)
TIP: https://stadicus.github.io/RaspiBolt/raspibolt_69_tor.html (install Tor on RaspberryPi)
D) https://raspberrytips.nl/tor-proxy-installeren-op-raspberry-pi/ <--------------------
E) https://kifarunix.com/how-to-set-system-wide-proxy-in-ubuntu-18-04/
F) https://howto.biapy.com/en/debian-gnu-linux/servers/http/install-the-anonymizing-proxy-server-tor-on-debian
Users
Removing pi's root/superuser/sudo permissions and adding new super user:
sudo adduser newuser
sudo adduser newuser sudo
sudo delgroup pi sudo;sudo rm /etc/sudoers.d/*pi-nopasswd
Preventing cross account data reading and seeing processes of other users:
sudo su
echo "umask 077" >> /etc/profile
chmod -R go-rx /home/*/
sudo sed -i '/proc/s/defaults/defaults,hidepid=2/g' /etc/fstab
exit
Protecting SSH from bruteforce and installing monitoring tools:
apt install ufw fail2ban htop nload nmon
chkconfig ufw enable
ufw limit ssh # reject SSH login attempts for 10 minutes from IP if it fails 6 times in 30 seconds
ufw deny in on eth0 to 224.0.0.0/24 proto igmp
Setting up some new commands:
echo -e "alias myip='for ip in \$(curl -L http://cpanel.net/showip.shtml 2>/dev/null);do echo \$ip && whois \$ip|grep -i netname;done'\nalias sensors='echo CPU: $(cat /sys/class/thermal/thermal_zone0/temp|cut -b -2)°'\nalias kodi='sudo -u pi kodi --standalone &'" >> ~/.bashrc
logout and login, then:
myip - show your public IP
sensors - show cpu temperature
kodi - i do not recommend this alias to anyone
Install VeraCrypt and create new container to protect data:
apt install makeself openssl libfuse2 libwxbase3.0-0v5 -y;
wget -L -O veracrypt-1.21-raspbian-setup.tar.bz2 https://launchpad.net/veracrypt/trunk/1.21/+download/veracrypt-1.21-raspbian-setup.tar.bz2
tar -vxjf ./veracrypt-1.21-raspbian-setup.tar.bz2;chmod +x veracrypt-1.21-setup-*;./veracrypt-1.21-setup-console-armv7
type "1" and hit enter
hit enter
hold spacebar until scrolled down
type "yes" and hit enter
enter key again
rm -rf veracrypt-*;openssl rand -base64 1024 > random
A) create Windows/Linux compatible encrypted container with minimal prompts:
cd;veracrypt enc --text --create --verbose --pim=0 --keyfiles= --volume-type=normal --filesystem=ntfs --encryption=AES --hash=SHA-512 --random-source=random
B) create container, but let me choose all parameters:
cd;veracrypt enc --text --create -v --random-source=random
example answers:
1
/home/you/enc
123G
1
1
6 (NTFS for compatibility with Windows?)
secure non disctionary password
Enter (empty input on PIM)
Enter (no keyfile)
rm random;mkdir dec
Mount volume:
veracrypt --pim=0 --keyfiles= --protect-hidden=no -m nokernelcrypto enc dec
List volumes:
df -h;veracrypt -l
Dismount all volumes:
veracrypt -d
Veracrypt parameters:
veracrypt -h|head
Creating shortcut/command "dec" to decrypt container and "enc" to encrypt (dismount):
echo -e "alias dec="veracrypt --pim=0 --keyfiles= --protect-hidden=no -m nokernelcrypto /home/YOU/enc /home/YOU/dec"" >> ~/.bashrc;echo -e "alias enc="veracrypt -d"" >> ~/.bashrc
Regarding "nokernelcrypto" mount parameter, i selected it, because it gives impression that it allows better performance handling many tiny files.
Installing Tor on Raspbian 10 Buster
(some commands are multi-liners)
sudo su
echo -e "deb https://deb.torproject.org/torproject.org buster main\ndeb-src https://deb.torproject.org/torproject.org buster main" >> /etc/apt/sources.list
curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import;gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
apt update;apt install tor tor-arm
grep -c "User debian-tor" /usr/share/tor/tor-service-defaults-torrc;echo "You should see 1. Else, there may be some problem."
I wanted to route certain web browser traffic or all computer traffic thru the Tor network. I did it via polipo (somehow it not worked without it) as described below, but under are also links to other methods
sudo apt install polipo;
echo -e "logSyslog = false\nlogFile = /var/log/polipo/polipo.log\nallowedClients = 127.0.0.1, 192.168.0.0/16\nsocksParentProxy = localhost:9050\nsocksProxyType = socks5\nproxyAddress = 127.0.0.1\nproxyPort = 8080\ndiskCacheRoot =" > /etc/polipo/config;
service tor restart;service polipo restart
Then you can use Tor either in web browser only or everywhere.
A) Tor in one web browser only: i install Firefox: apt install firefox-esr
Go to Firefox Settings, Proxy, set manual proxy, type http, IP is 127.0.0.1 and port 8080, tick to use for all protocols, tick to proxy DNS. check www.ipleak.net (http://www.ipleak.net) if you no longer have local internet IP.
B) Tor for all internet activity (i do not believe UDP will go thru it?), following will do it for all users:
sudo su
echo -e "http_proxy=http://127.0.0.1:8080\nhttps_proxy=http://127.0.0.1:8080/\nsocks_proxy=socks5://127.0.0.1:8080/" >> /etc/environment
exit
logout user and login back. command line, browsers should use tor as a proxy thanks to polipo that does http thru Tor's socks. To revert this (not proxify the traffic), run: unset http_proxy;unset https_proxy;unset socks_proxy
Above mentioned process is not ideal i am sure. It likely sends even the requests to localhost via Tor which is wrong and may end in failures to access localhost services from localhost and flood log files like /var/log/syslog with errors, thus logSyslog set to false in polipo conf. Also i do not trust this method is bulletproof in preventing leaking traffic outside Tor and also have doubts about which private data will be sent unencrypted and revealed to the possibly malicious Tor exit node. If you know better approach to use Tor as a proxy, please kindly share. [This script](https://gist.github.com/numb95/8ed337e1a9fca0d78e8d57026b46ce1f) contains some interesting iptables rules for tor killswitch, but it not worked for me somehow.
other tutorials (not tried) for a Tor as a system proxy:
0) https://github.com/GouveaHeitor/nipe
A) https://github.com/SusmithKrishnan/torghost (readme install sh fix, works on Deb. with amd64 arch.)
B) https://gist.github.com/numb95/8ed337e1a9fca0d78e8d57026b46ce1f (basicaly just iptables rules, PORT variable missing " and XXX replace by "debian-tor" likely)
C) https://github.com/t7hm1/GhostNET (Arch based OS, python3)
TIP: https://stadicus.github.io/RaspiBolt/raspibolt_69_tor.html (install Tor on RaspberryPi)
D) https://raspberrytips.nl/tor-proxy-installeren-op-raspberry-pi/ <--------------------
E) https://kifarunix.com/how-to-set-system-wide-proxy-in-ubuntu-18-04/
F) https://howto.biapy.com/en/debian-gnu-linux/servers/http/install-the-anonymizing-proxy-server-tor-on-debian