a3b8 Build your own livething - Telecomix Crypto Munitions Bureau

Build your own livething

From Telecomix Crypto Munitions Bureau

Jump to: navigation, search

This "tutorial" isn't finished yet and needs (a lot ?) of enhancements -- Feel free to contribute :)


[edit] What is this liveThing ?!

According to wikipedia: A live USB is a USB flash drive or a USB external hard disk drive containing a full operating system that can be booted. Live USBs are closely related to live CDs, but sometimes have the ability to persistently save settings and permanently install software packages back onto the USB device. [1]

So, here, what we are going to do, is to build a debian based liveUsb system with persistent storage, and all that on a totally encrypted system. (or at least, the [most] important parts of it). This guide also group maybe useless shit you won't use. Then just skip them.

[edit] Why ?

Dunno... Just saw this page [2], and wanted to try, make my own (probably not) light usbkey. And wanted to share this ... experience ? ...

Then I searched the web to find things I could include, and included them. Wrote it in this wiki, and that's all.

Hope someone would find that interesting, make is own usbkey, and also share his knowlegde on this wiki.

[edit] Create a basic install using qemu

[edit] Part 0 : Create the qemu image

I've a 3.8G usbkey (should be 4Go but the system tells me it's 3.8 ...), so I create a 3.5G qemu image (to be sure the image will fits in it)

$ qemu-img create liveusb.img 3.5G

Boot qemu on it with thoses options. ie: the harddisk is "liveusb.img", the cdrom is the debian iso, and tell qemu to boot from the cdrom

$ qemu -hda liveusb.img -cdrom debian-netinst.iso -boot d

[edit] Part 1 : Basic infos

  • Just follow the installer instructions.
  • The only thing you should care of is your location.
  • Select something else than the real one. Use "Sweden" if you can't decide.

[edit] Part 2 : Partitionning

  • Select "Guided - use entire disk and set up encrypted LVM" (third choice) and confirm the disk selection on the next screen.
  • Partition scheme : you can select "all files in one partition" (first choice) and confirm on the next screen
  • Let the installer do it's stuffs. This can take a lot of time depending of the disk size.
  • Now it's time to think about the passphrase. Use a strong one. White spaces and stuff are allowed. ( have a look at this: [3], and this [4] and this [5] , to create a strong passphrase ).
<random person> I'd imagine a good approach to generating a "pattern" on the password-grid would be to throw a dice a couple of times. That'd truely generate a random pattern ^^
  • Enter it. And confirm it on the next screen.
  • Hit "finish partitioning and write changes to disk" and confirm on the next screen.
  • Let the installer do some stuff

[edit] Part 3 : the minimalistic system

  • Now it's time to choose a mirror. Use a swedish one ??
  • Next screen : if you've a proxy available on your network (Tor?), maybe you could/should use it. The download will be slow but ... or just skip this step
  • Do not participate to the "popularity-contest"-thing. Even if it's done anonymously...
  • on the software selection screen uncheck everything, then accept grub to be installed. Reboot. Sucess.
  • Now you have a very minimalistic working system, without graphical interface and stuff.
  • Shut down the qemu machine.

[edit] Transfert the image to the usbStick using dd

  • NAO, the liveusb creation thing. It's quite simple. All you need to do is: plug your usbkey, find the /dev/<something> associated (/dev/sdb or something, use "dmesg" to be sure).


# umount /dev/sdThing
  • Copy the image
# dd if=liveusb.img of=/dev/sdThing bs=8192
# sync

To test that everything is working as espected, make qemu boot on this usbkey:

$ qemu -usb -hda /dev/sdThing

it should boot. if it's not, so ... maybe you did something wrong. The image could be bigger than the usbStick, the usbStick is maybe bugged (too old ?), or something else happened. Just try again.

If it is working, you can finish the customization directly in qemu, and once you're done, halt the qemu machine, and reboot your *real* computer on the usbkey.

[edit] Installing a minimal Desktop Environement

You can just browse the web to find which DE you'll prefer. Anyway, as the system needs to be quite small, I'll recommend to use a tiny DE as fluxbox, blackbox, openbox or similar. The rest of this tuto will pretend you're using awesome

You may want to, first of all, reconfigure the whole system to have a better hand on it. But first, let's reconfigure the configurator :)

# dpkg-reconfigure debconf

The following command will list every package, except cron, which cause an error, debconf that you already reconfigured, and grub, to avoid misconfiguration of it.

# dpkg --get-selections | awk '{print $1 }' | grep -vE 'cron|debconf|grub' | while read package; do echo "reconfiguring: $package"; dpkg-reconfigure $package; done;

To make your image having a working xorg server compatible with most video cards, you will need to install thoses packages:

# apt-get install --no-install-recommends xserver-xorg-video-vesa xserver-xorg-video-radeon xserver-xorg-video-nouveau xserver-xorg-video-intel

and also xinit (maybe automagically installed ... probably ... but don't remember)

# apt-get install --no-install-recommends xinit

[edit] Desktop & software example

  • The desktop Environment
# apt-get install --no-install-recommends awesome feh pcmanfm lxde-icon-theme mutt terminator
    • awesome is the desktop environment
    • feh is a background manager (for wallpaper and stuff)
    • pcmanfm is a tiny file manager
    • lxde-icon-theme is for nice looking
    • mutt is a command line email manager. I use it to read mails from system.
    • terminator is a very powerfull terminal with very nice things

  • For the interwebs
# apt-get install --no-install-recommends claws-mail midori flashplugin-nonfree wicd wicd-gtk irssi irssi-plugin-otr
    • claws-mail is an email manager ...
    • midori to surf the interwebz
    • flashplugin-nonfree to watch some porn^Wdocumentary videos
    • wicd & wicd-gtk is the network manager and it's graphical utility.
    • irssi is a command line irc client & it's OTR plugin

  • Security, becous we need that, also. -- vulns oriented
# apt-get install --no-install-recommends clamav clamav-freshclam rkhunter lsat debsecan
    • clamav is an antivirus, and clamav-freshclam it's updater tool
    • rkhunter checks for rootkits on your machine
    • lsat is the Linux Security Auditing Tool , which checks for misconfigured things
    • debsecan lists your system vulnerabilities

  • Security, interwebs oriented
# apt-get install --no-install-recommends tor tor-geoipdb privoxy i2p proxychains telnet-ssl cryptcat openssh-client
    • tor, tor-geopipdb and privoxy : things required to surf anonymously (yeah I know, beeing anonymous on the interwebz is not only "going through Tor")
    • i2p is the invisible internet project ( https://i2p2.de )
    • proxychain is for chaining multiple proxies
    • telnet-ssl is telnet witl ssl support
    • cryptcat is netcat with encryption support

  • Virtual Private Network stuffs
# apt-get install --no-install-recommends openvpn gadmin-openvpn-client gadmin-openvpn-server n2n vpnc
    • openvpn, the famous vpn client & server, gadmin-openvpn-{client,server} are graphical utilities
    • n2n is a peer-to-peer network daemon
    • vpnc is a cisco-compatible VPN client

  • Crypto
# apt-get install --no-install-recommends outguess steghide 
    • outguess : "universal steganographic tool"
    • steghide : a steganographic hiding tool

  • Office, sound & image things
# apt-get install --no-install-recommends abiword xpdf vlc ristretto mtpaint
    • abiword : AbiWord is a full-featured, efficient word processing application, with plugin support
    • xpdf : a tiny pdf viewer
    • vlc : eh, you know..
    • ristretto : an image viewer
    • mtpaint : an image manipulator

  • Miscelangelous
# apt-get install --no-install-recommends ddrescue wipe secure-delete
    • ddrescue is for data recovery
    • wipe & secure-delete are tools to erase securly your files (and hope they won't be recoverable)

[edit] Enforcement

Miscellangelous possible enforcement. You don't HAVE to implement them. But remember they exists :)

Sources grabbed from the internets:

[edit] tor dns

  • Install needed tools

For this to work, you will need to add torproject's official repo - follow the instructions from the official website if you've doubts :) https://www.torproject.org/docs/debian.html.en

To do so, add

deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main

in your /etc/apt/source.list. PLEASE REPLACE <DISTRIBUTION> BY YOUR RUNNING DEBIAN VERSION. ie: sid OR squeeze OR wheezy OR ...

Then, add the key used to sign the packages

# gpg --keyserver keys.gnupg.net --recv 886DDD89; gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

Now update the package list and install needed tools

# apt-get update && apt-get install pdnsd ttdnsd resolvconf tor tor-geoipdb privoxy torsocks socat --no-install-recommends

pdnsd will ask you what type of configuration you want. Choose "manual".

One everything is installed, it's time to modify the config files...

  • Enable Tor internal resolver

Add this in /etc/tor/torrc

DNSPort 8853
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
  • Not directly related but, you would also maybe add this in your /etc/tor/torrc
# Try for at most NUM seconds when building circuits. If the circuit isn't
# open in that time, give up on it. (Default: 1 minute.)
CircuitBuildTimeout 20
# Send a padding cell every N seconds to keep firewalls from closing our
# connections while Tor is not in use.
KeepalivePeriod 60
# Force Tor to consider whether to build a new circuit every NUM seconds.
NewCircuitPeriod 20
# How many entry guards should we keep at a time?
NumEntryGuards 8
  • Replace /etc/pdnsd.conf content with this:
global {
   perm_cache = 2048;
   cache_dir = "/var/cache/pdnsd";
   run_as = "pdnsd";
   server_ip =;          
   status_ctl = on;
   min_ttl = 15m;
   max_ttl = 1w;
   timeout = 120;

# Tor DNS resolver
server {
   label = "tor";
   ip =;
   port = 8853;
   uptest = none;
   proxy_only = on;
   lean_query = on;
# ttdnsd
server {
   label = "ttdnsd";
   ip =;
   port = 53;
   uptest = none;
   proxy_only = on;
   lean_query = on;
  • Edit /etc/default/ttdnsd and make the options look like this
PORT_ARG="-p 53"
  • Replace the evil google DNS ip by the lovely telecomix one
# sed -i 's/' /etc/ttdnsd.conf
  • Enable pdnsd
# sed -i 's/START_DAEMON=no/START_DAEMON=yes/' /etc/default/pdnsd
  • And restart everything
# /etc/init.d/tor reload && /etc/init.d/pdnsd restart && /etc/init.d/ttdnsd restart

[edit] privoxy

Configure privoxy to handle i2p AND tor connections. Add this, somewhere, in /etc/privoxy/config

forward .i2p localhost:4444
forward-socks4a / localhost:9050 .

You may also want to tell privoxy to not store logs, then find and comment the lines

#logfile logfile
#debug 1

To find them easly, you can get their line number using

# grep -nE '^logfile|^debug' /etc/privoxy/config

[edit] firewall

Based on the tails' iptables rules

#!/usr/bin/env sh

# Provides: fw
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: try to enhance some security
# Description: small tool to do things

fw_start() {
    iptables -F
    iptables -X

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    # Established incoming connections are accepted.
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Traffic on the loopback interface is accepted.
    iptables -A INPUT -i lo -j ACCEPT

    # Established outgoing connections are accepted.
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Internal network connections are accepted.
    iptables -A OUTPUT -d -j ACCEPT

    # Local network connections should not go through Tor but DNS shall be
    # rejected.
    iptables -N lan
    iptables -A lan -p TCP --dport domain -j REJECT
    iptables -A lan -p UDP --dport domain -j REJECT
    iptables -A lan -j ACCEPT

    # Sort out traffic to local network
    # Note that we exclude the VirtualAddrNetwork used for .onion:s here.
    iptables -A OUTPUT -d -j lan
    iptables -A OUTPUT -d -j lan
    iptables -A OUTPUT -d -j lan

    # Tor is allowed to do anything it wants to.
    grep -q debian-tor /etc/passwd && iptables -A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT

    # i2p is allowed to do anything it wants to.
    grep -q i2psvc /etc/passwd && iptables -A OUTPUT -m owner --uid-owner i2psvc -j ACCEPT

    # Everything else is dropped.
    iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

    # log incomming connection attempts
    iptables -A INPUT -p tcp -m tcp -m state --state NEW -j LOG --log-prefix "input(tcp) " -m limit --limit 1/minute
    iptables -A INPUT ! -p tcp -j LOG --log-prefix "input(all) " -m limit --limit 1/minute

    # some kernel enhancement

    # ; ignore broadcast
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 

    # ; disable forwarding
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # ; enable tcp syn cookie protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # ; ignore buggus icmp responses
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # ; ignore all icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all 

    # ; ip spoofing protection
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $f

    # Don't accept or send ICMP redirects.
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
    for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > $f

    # ; Log martian
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
      echo 1 > $f

    # Disable proxy_arp.
    for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

    # Reduce number of possible SYN Floods
    echo "512" >/proc/sys/net/ipv4/tcp_max_syn_backlog


fw_stop() {
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

case $1 in
    echo -n "firewall : starting ... "
    echo "ok"
    echo -n "firewall: stopping ... "
    echo "ok"
    echo "usage: $0 <start|stop> ; that's all."

exit 0

[edit] proxy environment

Add this, as root, in /etc/profile (at the very bottom is a good choice), to make applications (which take care of the system configuration) to auto redirect traffic through your proxy (and then, probably tor/i2p/whatever).

export http_proxy=''
export https_proxy=''
export ftp_proxy=''
export ftps_proxy=''
export sftp_proxy=''
export HTTP_PROXY=''
export HTTPS_PROXY=''

[edit] random hostname on boot

Just follow this page: https://cryptoanarchy.org/wiki/Random_hostname_on_boot

[edit] random mac interfaces

Just follow this page: https://cryptoanarchy.org/wiki/Random_MAC_when_bringing_the_network_interfaces

[edit] Tips

  • to make bash completion working with the packages names, you'll need the ... bash-completion package
# apt-get install --no-install-recommends bash-completion && source /etc/bash_completion
  • remove the loggin daemon
# apt-get remove --purge rsyslog
  • remove aptitude & tasksel
# apt-get remove --purge aptitude tasksel tasksel-data
  • decrease the number of virtual ttys
# nano /etc/inittab

find the lines containing "respawn" , and comment some of them. Close & save : ctrl^x y <enter>

[edit] To Do

  • make it possible to load into RAM (to be able to remove the usb stick and leave to OS working) - probably using "toram" option in grub.conf or something
  • hidden volume creation (truecrypt) ? [6] http://www.truecrypt.org/downloads.
  • A lot of things ! :)
Personal tools
1 0