
Build your own livething

From Telecomix Crypto Munitions Bureau


This "tutorial" isn't finished yet and needs (a lot of?) enhancements -- feel free to contribute :)



What is this liveThing?!

According to Wikipedia: A live USB is a USB flash drive or a USB external hard disk drive containing a full operating system that can be booted. Live USBs are closely related to live CDs, but sometimes have the ability to persistently save settings and permanently install software packages back onto the USB device. [1]

So, here, what we are going to do is build a Debian-based live USB system with persistent storage, and all of that on a fully encrypted system (or at least the most important parts of it). This guide also groups together some maybe-useless shit you won't use; just skip those parts.

Why?

Dunno... I just saw this page [2], and wanted to try to make my own (probably not) light USB key. And wanted to share this... experience?...

Then I searched the web to find things I could include, and included them. Wrote it up in this wiki, and that's all.

Hope someone will find that interesting, make their own USB key, and also share their knowledge on this wiki.


Create a basic install using qemu

Part 0: Create the qemu image

I've got a 3.8G USB key (it should be 4GB, but the system tells me it's 3.8...), so I create a 3.5G qemu image (to be sure the image will fit on it):

$ qemu-img create liveusb.img 3.5G

Boot qemu on it with these options, i.e. the hard disk is "liveusb.img", the CD-ROM is the Debian ISO, and qemu is told to boot from the CD-ROM:

$ qemu -hda liveusb.img -cdrom debian-netinst.iso -boot d


Part 1: Basic info

  • Just follow the installer instructions.
  • The only thing you should care about is your location.
  • Select something other than the real one. Use "Sweden" if you can't decide.


Part 2: Partitioning

  • Select "Guided - use entire disk and set up encrypted LVM" (third choice) and confirm the disk selection on the next screen.
  • Partition scheme: you can select "All files in one partition" (first choice) and confirm on the next screen.
  • Let the installer do its stuff. This can take a long time depending on the disk size.
  • Now it's time to think about the passphrase. Use a strong one. Whitespace and the like are allowed (have a look at this: [3], this [4] and this [5] to create a strong passphrase).
<random person> I'd imagine a good approach to generating a "pattern" on the password grid would be to throw a dice a couple of times. That'd truly generate a random pattern ^^
  • Enter it, and confirm it on the next screen.
  • Hit "Finish partitioning and write changes to disk" and confirm on the next screen.
  • Let the installer do some stuff.


Part 3: The minimalistic system

  • Now it's time to choose a mirror. Use a Swedish one??
  • Next screen: if you have a proxy available on your network (Tor?), maybe you could/should use it. The download will be slow, but... Or just skip this step.
  • Do not participate in the "popularity-contest" thing, even if it's done anonymously...
  • On the software selection screen, uncheck everything, then accept that GRUB gets installed. Reboot. Success.
  • Now you have a very minimalistic working system, without a graphical interface and such.
  • Shut down the qemu machine.


Transfer the image to the USB stick using dd

  • NAO, the live USB creation thing. It's quite simple. All you need to do is: plug in your USB key, and find the /dev/<something> associated with it (/dev/sdb or similar; use "dmesg" to be sure).

DO NOT MOUNT IT, OR UNMOUNT IT IF YOUR SYSTEM DOES IT AUTOMATICALLY.

# umount /dev/sdThing
  • Copy the image
# dd if=liveusb.img of=/dev/sdThing bs=8192
# sync

To test that everything is working as expected, make qemu boot from this USB key:

$ qemu -usb -hda /dev/sdThing

It should boot. If it doesn't, then... maybe you did something wrong. The image could be bigger than the USB stick, the USB stick may be faulty (too old?), or something else happened. Just try again.

If it is working, you can finish the customization directly in qemu, and once you're done, halt the qemu machine and reboot your *real* computer from the USB key.
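As an added example (not part of the original page), here is a small POSIX shell script that checks the two things that most often make this step fail before it runs the dd from above: it refuses to write if the image is larger than the target, and if the target (or one of its partitions) is still mounted. The function names and the /dev/sdThing placeholder are assumptions for illustration; it only relies on blockdev(8), stat(1) and /proc/mounts from a normal Debian system.

```shell
#!/bin/sh
# Added example (not from the page): guard the "dd if=liveusb.img of=/dev/sdThing"
# step. Refuses to write when the image does not fit on the target or when the
# target is still mounted, the two failure modes worth catching before any data moves.

# Size in bytes of a regular file or of a block device.
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        stat -c %s "$1"
    fi
}

# image_fits IMAGE TARGET: succeed only if IMAGE is no larger than TARGET.
image_fits() {
    img_bytes=$(byte_size "$1") || return 2
    dev_bytes=$(byte_size "$2") || return 2
    echo "image: $img_bytes bytes, target: $dev_bytes bytes"
    [ "$img_bytes" -le "$dev_bytes" ]
}

# target_is_mounted DEV: true if DEV or any partition on it is in /proc/mounts
# (the prefix match catches /dev/sdb1 when DEV is /dev/sdb).
target_is_mounted() {
    grep -q "^$1" /proc/mounts
}

# write_image IMAGE TARGET: the dd + sync from the page, run only after both checks pass.
write_image() {
    if target_is_mounted "$2"; then
        echo "refusing: $2 (or a partition on it) is still mounted, umount it first" >&2
        return 1
    fi
    if ! image_fits "$1" "$2"; then
        echo "refusing: $1 does not fit on $2" >&2
        return 1
    fi
    dd if="$1" of="$2" bs=8192 && sync
}

# usage (as root): sh write_image.sh liveusb.img /dev/sdThing
if [ "$#" -eq 2 ]; then
    write_image "$1" "$2"
fi
```

blockdev --getsize64 reports the real size of the stick, so the "4GB key that is really 3.8G" case from Part 0 is caught here rather than discovered as a truncated image at boot time.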


Installing a minimal Desktop Environment

You can browse the web to find which DE you prefer. Anyway, as the system needs to be quite small, I recommend using a tiny DE such as fluxbox, blackbox, openbox or similar. The rest of this tutorial will assume you're using awesome.

You may want to first reconfigure the whole system, to get a better handle on it. But first, let's reconfigure the configurator :)

# dpkg-reconfigure debconf

The following command will go through every installed package and reconfigure it, except cron, which causes an error, debconf, which you already reconfigured, and grub, to avoid misconfiguring it.

# dpkg --get-selections | awk '$2 == "install" {print $1}' | grep -vE 'cron|debconf|grub' | while read package; do echo "reconfiguring: $package"; dpkg-reconfigure "$package" < /dev/tty; done


To give your image a working Xorg server compatible with most video cards, you will need to install these packages:

# apt-get install --no-install-recommends xserver-xorg-video-vesa xserver-xorg-video-radeon xserver-xorg-video-nouveau xserver-xorg-video-intel

and also xinit (maybe automagically installed... probably... but I don't remember):

# apt-get install --no-install-recommends xinit


Desktop & software example

  • The desktop environment
# apt-get install --no-install-recommends awesome feh pcmanfm lxde-icon-theme mutt terminator
    • awesome is the desktop environment
    • feh is a background manager (for wallpaper and stuff)
    • pcmanfm is a tiny file manager
    • lxde-icon-theme is for nice looks
    • mutt is a command line email client. I use it to read mail from the system.
    • terminator is a very powerful terminal with very nice features


  • For the interwebs
# apt-get install --no-install-recommends claws-mail midori flashplugin-nonfree wicd wicd-gtk irssi irssi-plugin-otr
    • claws-mail is an email client...
    • midori to surf the interwebz
    • flashplugin-nonfree to watch some porn^Wdocumentary videos
    • wicd & wicd-gtk are the network manager and its graphical utility
    • irssi is a command line IRC client, and irssi-plugin-otr its OTR plugin


  • Security, because we need that too -- vulnerability oriented
# apt-get install --no-install-recommends clamav clamav-freshclam rkhunter lsat debsecan
    • clamav is an antivirus, and clamav-freshclam its signature updater
    • rkhunter checks for rootkits on your machine
    • lsat is the Linux Security Auditing Tool, which checks for misconfigured things
    • debsecan lists the known vulnerabilities in the packages installed on your system


  • Security, interwebs oriented
# apt-get install --no-install-recommends tor tor-geoipdb privoxy i2p proxychains telnet-ssl cryptcat openssh-client
    • tor, tor-geoipdb and privoxy: things required to surf anonymously (yeah I know, being anonymous on the interwebz is not only "going through Tor")
    • i2p is the Invisible Internet Project ( https://i2p2.de )
    • proxychains is for chaining multiple proxies
    • telnet-ssl is telnet with SSL support
    • cryptcat is netcat with encryption support


  • Virtual Private Network stuff
# apt-get install --no-install-recommends openvpn gadmin-openvpn-client gadmin-openvpn-server n2n vpnc
    • openvpn, the famous vpn client & server, gadmin-openvpn-{client,server} are graphical utilities
    • n2n is a peer-to-peer network daemon
    • vpnc is a cisco-compatible VPN client


  • Crypto
# apt-get install --no-install-recommends outguess steghide 
    • outguess : "universal steganographic tool"
    • steghide : a steganographic hiding tool


  • Office, sound & image things
# apt-get install --no-install-recommends abiword xpdf vlc ristretto mtpaint
    • abiword : AbiWord is a full-featured, efficient word processing application, with plugin support
    • xpdf : a tiny pdf viewer
    • vlc : eh, you know..
    • ristretto : an image viewer
    • mtpaint : an image manipulator


  • Miscellaneous
# apt-get install --no-install-recommends ddrescue wipe secure-delete
    • ddrescue is for data recovery
    • wipe & secure-delete are tools to securely erase your files (and hope they won't be recoverable)


Enforcement

Miscellaneous possible hardening measures. You don't HAVE to implement them, but remember they exist :)

Sources grabbed from the internets:


tor dns

  • Install needed tools

For this to work, you will need to add the Tor Project's official repo; follow the instructions on the official website if in doubt :) https://www.torproject.org/docs/debian.html.en

To do so, add

deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main

to your /etc/apt/sources.list. PLEASE REPLACE <DISTRIBUTION> WITH YOUR RUNNING DEBIAN VERSION, i.e. sid OR squeeze OR wheezy OR ...

Then, add the key used to sign the packages:

# gpg --keyserver keys.gnupg.net --recv 886DDD89; gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

Now update the package list and install the needed tools:

# apt-get update && apt-get install pdnsd ttdnsd resolvconf tor tor-geoipdb privoxy torsocks socat --no-install-recommends

pdnsd will ask you what type of configuration you want. Choose "manual".

Once everything is installed, it's time to modify the config files...

  • Enable Tor's internal resolver

Add this to /etc/tor/torrc:

DNSPort 8853
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
  • Not directly related, but you might also want to add this to your /etc/tor/torrc:
# Try for at most NUM seconds when building circuits. If the circuit isn't
# open in that time, give up on it. (Default: 1 minute.)
CircuitBuildTimeout 20
# Send a padding cell every N seconds to keep firewalls from closing our
# connections while Tor is not in use.
KeepalivePeriod 60
# Force Tor to consider whether to build a new circuit every NUM seconds.
NewCircuitPeriod 20
# How many entry guards should we keep at a time?
NumEntryGuards 8
  • Replace the content of /etc/pdnsd.conf with this:
global {
   perm_cache = 2048;
   cache_dir = "/var/cache/pdnsd";
   run_as = "pdnsd";
   server_ip = 127.0.0.1;
   status_ctl = on;
   min_ttl = 15m;
   max_ttl = 1w;
   timeout = 120;
}

# Tor DNS resolver
server {
   label = "tor";
   ip = 127.0.0.1;
   port = 8853;
   uptest = none;
   exclude=".invalid";
   policy=included;
   proxy_only = on;
   lean_query = on;
}
# ttdnsd
server {
   label = "ttdnsd";
   ip = 127.0.0.2;
   port = 53;
   uptest = none;
   exclude=".invalid",".exit",".onion";
   policy=included;
   proxy_only = on;
   lean_query = on;
}
  • Edit /etc/default/ttdnsd and make the options look like this
ADDR_ARG="-b 127.0.0.2"
PORT_ARG="-p 53"
  • Replace the evil Google DNS IP with the lovely Telecomix one:
# sed -i 's/8.8.8.8/91.191.136.152/' /etc/ttdnsd.conf
  • Enable pdnsd
# sed -i 's/START_DAEMON=no/START_DAEMON=yes/' /etc/default/pdnsd
  • And restart everything
# /etc/init.d/tor reload && /etc/init.d/pdnsd restart && /etc/init.d/ttdnsd restart
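Once pdnsd is the only resolver, a DNS leak can only come from something that still bypasses it. The following check script is an added example (not from the page or from the Tor Project) that verifies /etc/resolv.conf names only loopback resolvers and that /etc/ttdnsd.conf no longer mentions 8.8.8.8 but does list 91.191.136.152, the address the sed above puts there. The function names are assumptions, and the config snippets used when testing it are constructed.

```shell
#!/bin/sh
# Added example (not from the page): verify that nothing on the box can resolve
# names except through pdnsd on 127.0.0.1, i.e. through Tor/ttdnsd.

# List the nameserver addresses declared in a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# dns_is_local FILE: succeed only if FILE names at least one resolver and every
# one of them is a loopback address (127.0.0.0/8). Anything else is a leak past Tor.
dns_is_local() {
    count=0
    for ns in $(list_nameservers "$1"); do
        count=$((count + 1))
        case "$ns" in
            127.*) ;;
            *) echo "leak: nameserver $ns in $1 is not loopback" >&2; return 1 ;;
        esac
    done
    if [ "$count" -eq 0 ]; then
        echo "no nameserver configured in $1 (resolution would fail or fall back)" >&2
        return 1
    fi
}

# ttdnsd_upstream_ok FILE EXPECTED: succeed if the ttdnsd config no longer mentions
# the Google resolver and does mention EXPECTED (the address the sed above sets).
ttdnsd_upstream_ok() {
    if grep -q '8\.8\.8\.8' "$1"; then
        echo "ttdnsd in $1 still points at 8.8.8.8" >&2
        return 1
    fi
    grep -qF "$2" "$1"
}

# check_dns_setup [RESOLV_CONF] [TTDNSD_CONF]: both checks, on the live files by default.
check_dns_setup() {
    dns_is_local "${1:-/etc/resolv.conf}" && ttdnsd_upstream_ok "${2:-/etc/ttdnsd.conf}" 91.191.136.152
}

# usage: sh check_dns.sh --live
if [ "${1:-}" = "--live" ]; then
    check_dns_setup && echo "dns setup: ok"
fi
```

Run it after the restart step and again after any network reconfiguration, since resolvconf and DHCP clients are the usual way a public nameserver sneaks back into resolv.conf.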

privoxy

Configure privoxy to handle i2p AND Tor connections. Add this somewhere in /etc/privoxy/config:

forward .i2p localhost:4444
forward-socks4a / localhost:9050 .

You may also want to tell privoxy not to store logs; find and comment out these lines:

#logfile logfile
#debug 1

To find them easily, you can get their line numbers using:

# grep -nE '^logfile|^debug' /etc/privoxy/config

firewall

Based on Tails' iptables rules:

#!/usr/bin/env sh

### BEGIN INIT INFO
# Provides: fw
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: try to enhance some security
# Description: small tool to do things
### END INIT INFO

fw_start() {
    iptables -F
    iptables -X

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    # Established incoming connections are accepted.
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Traffic on the loopback interface is accepted.
    iptables -A INPUT -i lo -j ACCEPT

    # Established outgoing connections are accepted.
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Internal network connections are accepted.
    iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT

    # Local network connections should not go through Tor but DNS shall be
    # rejected.
    iptables -N lan
    iptables -A lan -p TCP --dport domain -j REJECT
    iptables -A lan -p UDP --dport domain -j REJECT
    iptables -A lan -j ACCEPT

    # Sort out traffic to local network
    # Note that we exclude the VirtualAddrNetwork used for .onion:s here.
    iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
    iptables -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
    iptables -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan

    # Tor is allowed to do anything it wants to.
    grep -q debian-tor /etc/passwd && iptables -A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT

    # i2p is allowed to do anything it wants to.
    grep -q i2psvc /etc/passwd && iptables -A OUTPUT -m owner --uid-owner i2psvc -j ACCEPT

    # Everything else is dropped.
    iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

    # log incoming connection attempts (rate limited so the log cannot be flooded)
    iptables -A INPUT -p tcp -m tcp -m state --state NEW -m limit --limit 1/minute -j LOG --log-prefix "input(tcp) "
    iptables -A INPUT ! -p tcp -m limit --limit 1/minute -j LOG --log-prefix "input(all) "

    # some kernel enhancement

    # ; ignore broadcast
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 

    # ; disable forwarding
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # ; enable tcp syn cookie protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 
    # ; ignore bogus icmp responses
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # ; ignore all icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all 

    # ; ip spoofing protection
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $f
    done

    # Don't accept or send ICMP redirects.
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
    for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > $f
    done 

    # ; Log martian
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
      echo 1 > $f
    done

    # Disable proxy_arp.
    for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

    # Reduce number of possible SYN Floods
    echo "512" >/proc/sys/net/ipv4/tcp_max_syn_backlog

}

fw_stop() {
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
}

case $1 in
  start)
    echo -n "firewall : starting ... "
    fw_start
    echo "ok"
  ;;
  stop)
    echo -n "firewall: stopping ... "
    fw_stop
    echo "ok"
  ;;
  *)
    echo "usage: $0 <start|stop> ; that's all."
  ;;
esac

exit 0
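To confirm the script really installed what it promises, the following added example (not part of the page nor of Tails) audits the ruleset by parsing the output of "iptables -S": all three builtin policies must be DROP, the only ACCEPT rules on OUTPUT must be the established/loopback/owner ones followed by a catch-all REJECT, and DNS towards the LAN must be rejected. The ruleset embedded in it is a constructed sample of what "iptables -S" prints after "fw start" (uids 103 and 104 are made-up stand-ins for debian-tor and i2psvc, since iptables prints owners numerically); the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): audit the firewall the fw script above installs.
# Works on a saved "iptables -S" dump, or on the live ruleset when run as root.

# Constructed sample of "iptables -S" output after "fw start", used as offline input.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N lan
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state NEW -m limit --limit 1/min -j LOG --log-prefix "input(tcp) "
-A INPUT ! -p tcp -m limit --limit 1/min -j LOG --log-prefix "input(all) "
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j lan
-A OUTPUT -d 10.0.0.0/8 -j lan
-A OUTPUT -d 172.16.0.0/12 -j lan
-A OUTPUT -m owner --uid-owner 103 -j ACCEPT
-A OUTPUT -m owner --uid-owner 104 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A lan -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A lan -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A lan -j ACCEPT
EOF
}

# fail MSG: report one finding on stderr.
fail() { echo "FAIL: $1" >&2; }

# check_policies FILE: every builtin chain must default to DROP.
check_policies() {
    for chain in INPUT FORWARD OUTPUT; do
        if ! grep -q "^-P $chain DROP\$" "$1"; then
            fail "policy for $chain is not DROP"; return 1
        fi
    done
}

# check_output_gate FILE: an owner-based ACCEPT (Tor/i2p) and a catch-all REJECT must
# exist on OUTPUT, and no other ACCEPT besides the established and loopback ones.
check_output_gate() {
    if ! grep -q -- '^-A OUTPUT -m owner --uid-owner [^ ]* -j ACCEPT' "$1"; then
        fail "no uid-owner ACCEPT rule on OUTPUT (is Tor allowed out?)"; return 1
    fi
    if ! grep -q -- '^-A OUTPUT -j REJECT' "$1"; then
        fail "OUTPUT chain has no catch-all REJECT"; return 1
    fi
    if grep -- '^-A OUTPUT .*-j ACCEPT' "$1" | grep -vE -- '--state|-d 127\.0\.0\.0/8|--uid-owner' | grep -q .; then
        fail "unexpected ACCEPT rule on OUTPUT"; return 1
    fi
}

# check_lan_dns FILE: DNS towards the LAN must be rejected in the lan chain.
check_lan_dns() {
    for proto in tcp udp; do
        if ! grep -q -- "^-A lan -p $proto -m $proto --dport 53 -j REJECT" "$1"; then
            fail "DNS over $proto to the LAN is not rejected"; return 1
        fi
    done
}

# fw_audit [FILE]: run all checks on FILE, or on the live ruleset when no file is given.
fw_audit() {
    rules="${1:-}"
    if [ -z "$rules" ]; then
        rules=$(mktemp) && iptables -S > "$rules" || return 2
    fi
    check_policies "$rules" && check_output_gate "$rules" && check_lan_dns "$rules" \
        && echo "firewall audit: ok"
}

# usage (as root, on the live ruleset): sh fw_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    fw_audit
fi
```

Because the stop action of the script keeps the DROP policies but flushes the rules, running the audit after "fw stop" fails on the missing owner rule, which is the intended reading: nothing, Tor included, can get out until "fw start" runs again.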

proxy environment

Add this, as root, to /etc/profile (the very bottom is a good choice), so that applications which honour the system configuration automatically send their traffic through your proxy (and then, probably, Tor/i2p/whatever):

export http_proxy='http://127.0.0.1:8118'
export https_proxy='http://127.0.0.1:8118'
export ftp_proxy='http://127.0.0.1:8118'
export ftps_proxy='http://127.0.0.1:8118'
export sftp_proxy='http://127.0.0.1:8118'
export HTTP_PROXY='http://127.0.0.1:8118'
export HTTPS_PROXY='http://127.0.0.1:8118'


random hostname on boot

Just follow this page: https://cryptoanarchy.org/wiki/Random_hostname_on_boot


random MAC on interfaces

Just follow this page: https://cryptoanarchy.org/wiki/Random_MAC_when_bringing_the_network_interfaces


Tips

  • to make bash completion work with package names, you'll need the... bash-completion package
# apt-get install --no-install-recommends bash-completion && source /etc/bash_completion
  • remove the logging daemon
# apt-get remove --purge rsyslog
  • remove aptitude & tasksel
# apt-get remove --purge aptitude tasksel tasksel-data
  • decrease the number of virtual ttys
# nano /etc/inittab

Find the lines containing "respawn" and comment out some of them. Save & close: Ctrl-X, y, Enter.

To Do

  • make it possible to load into RAM (to be able to remove the USB stick and leave the OS working); probably using the "toram" option in grub.conf or something
  • hidden volume creation (TrueCrypt)? [6] http://www.truecrypt.org/downloads
  • A lot of things! :)