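#!/bin/bash
# ___ ___ ___ _____ _ _
# | _ \/ _ \| _ \_ _/_\ | | of ._ o
# | _/ (_) | / | |/ _ \| |__ |_)|
# |_| \___/|_|_\ |_/_/ \_\____| |
#
# Licensed GPLv3
#
# (c) 2013 the grugq <the.grugq@gmail.com>
# See the README.md for indepth details.
#
# Based on the RaspberryPi Arch distribution.
# View official installation instructions:
# https://archlinuxarm.org/platforms/armv6/raspberry-pi#installation
# Or run the automated setup script:
# bash flash-sdcard.sh /dev/yoursdcard
#
# PORTAL configuration overview
#
# ((Internet))---[wlan0]<[Pi]>[wlan1]----((LAN))
# wlan1: 192.168.12.1 (AP_GATEWAY) -- the access-point / LAN side
# * anything from here can only reach 9050 (Tor proxy) or,
# * the transparent Tor proxy
# wlan0: ???.
# * Internet access. You're on your own
# * No services exposed here
#
# Must run as root on the Pi: everything below writes under /etc and
# installs packages with pacman. Interactive prompts (pacman, passwd) are
# left as-is; a declined prompt aborts the build.
#
# Optional environment overrides (defaults are the original hard-coded values):
#   AP_GATEWAY     address of the Pi on the wlan1/LAN side   (default 192.168.12.1)
#   AP_SSID        access point SSID                           (default InPORTAL)
#   AP_PASSPHRASE  WPA2 passphrase for the access point        (default CHANGEME)

set -euo pipefail

# Print a message to stderr and abort the build.
die() { printf 'build.sh: %s\n' "$*" >&2; exit 1; }

[[ "${EUID:-$(id -u)}" -eq 0 ]] || die "must be run as root"

readonly AP_GATEWAY=${AP_GATEWAY:-192.168.12.1}
readonly AP_SSID=${AP_SSID:-InPORTAL}
readonly AP_PASSPHRASE=${AP_PASSPHRASE:-CHANGEME}

if [[ "$AP_PASSPHRASE" == "CHANGEME" ]]; then
  printf 'notice: AP_PASSPHRASE is still the placeholder; edit /etc/create_ap.conf before use\n' >&2
fi

# STEP 1 !!!
# configure Internet access, we'll need to install some basic tools.
# update pacman
pacman -Syu
# install a comfortable work environment
pacman -S vim htop lsof strace wget unzip
# install development tools, needed only for Tor (? check this ?)
#pacman -S base-devel
# install dnsmasq and hostapd for Wireless adaptor AP
pacman -S dnsmasq hostapd
# Install Tor
pacman -S tor
# logrunner & tlsdate both need to be built :(

## Setup the hardware random number generator
printf 'bcm2708-rng\n' > /etc/modules-load.d/bcm2708-rng.conf
# plain -S: the database was already synced by -Syu above, and a bare -Sy
# followed by an install is a partial upgrade on Arch
pacman -S rng-tools
# Tell rngd to seed /dev/random using the hardware rng
printf '%s\n' 'RNGD_OPTS="-o /dev/random -r /dev/hwrng"' > /etc/conf.d/rngd
systemctl enable rngd

# set the time to UTC, because that's how we roll
ln -sf /usr/share/zoneinfo/UTC /etc/localtime

# set hostname to random chars \m/
# head closes the pipe after 10 bytes, so tr exiting on SIGPIPE is expected
# under pipefail; the emptiness check below is the real failure test.
new_hostname=$(tr -dc '[:alpha:]' < /dev/urandom | head -c 10 || true)
[[ -n "$new_hostname" ]] || die "could not generate a hostname"
printf '%s\n' "$new_hostname" > /etc/hostname
printf 'Hostname: %s\n' "$new_hostname"

# This is the config for Tor, lets set it up:
# (delimiter unquoted on purpose so ${AP_GATEWAY} expands; nothing else
# in this document contains a '$')
cat > /etc/tor/torrc << __TORRC__
## CONFIGURED FOR ARCHLINUX
## Replace this with "SocksPort 0" if you plan to run Tor only as a
## server, and not make any local application connections yourself.
SocksPort 9050 # port to listen on for localhost connections
# SocksPort 127.0.0.1:9050 # functionally the same as the line above
SocksPort ${AP_GATEWAY}:9050 # listen on a chosen IP/port too
## Allow no-name routers (ones that the dirserver operators don't
## know anything about) in only these positions in your circuits.
## Other choices (not advised) are entry,exit,introduction.
AllowUnverifiedNodes middle,rendezvous
## No _extra_ information logging
SafeLogging 1
Log notice syslog
DataDirectory /var/lib/tor
## The port on which Tor will listen for local connections from Tor controller
## applications, as documented in control-spec.txt. NB: this feature is
## currently experimental.
#ControlPort 9051
## Map requests for .onion/.exit addresses to virtual addresses so
## applications can resolve and connect to them transparently.
AutomapHostsOnResolve 1
## Subnet to automap .onion/.exit address to.
VirtualAddrNetworkIPv4 10.192.0.0/10
## Open this port to listen for transparent proxy connections.
TransPort ${AP_GATEWAY}:9040
## Open this port to listen for UDP DNS requests, and resolve them anonymously.
DNSPort ${AP_GATEWAY}:9053
__TORRC__

# enable ip forwarding, now and after the reboot at the end
# (sysctl -w alone does not survive a reboot)
sysctl -w net.ipv4.ip_forward=1
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/30-ip_forward.conf

# get create_ap
pacman -S create_ap
# unquoted delimiter on purpose: the AP_* values are expanded into the file
cat > /etc/create_ap.conf << __CREATEAP__
CHANNEL=default
GATEWAY=${AP_GATEWAY}
WPA_VERSION=2
ETC_HOSTS=1
DHCP_DNS=gateway
NO_DNS=0
HIDDEN=1
MAC_FILTER=0
MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept
ISOLATE_CLIENTS=0
SHARE_METHOD=nat
IEEE80211N=0
IEEE80211AC=0
HT_CAPAB=[HT40+]
VHT_CAPAB=
DRIVER=nl80211
NO_VIRT=0
COUNTRY=
FREQ_BAND=2.4
NEW_MACADDR=
DAEMONIZE=1
NO_HAVEGED=0
WIFI_IFACE=wlan1
INTERNET_IFACE=wlan0
SSID=${AP_SSID}
PASSPHRASE=${AP_PASSPHRASE}
USE_PSK=0
__CREATEAP__
systemctl enable create_ap.service

# setup the iptables rules
# quoted delimiter: this is literal iptables-restore input
cat > /etc/iptables/iptables.rules << '__IPTABLES__'
# Generated by iptables-save v1.4.16.3 on Thu Jan 1 01:24:22 1970
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan1 -m conntrack --ctstate NEW -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 22
-A PREROUTING -i wlan1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A PREROUTING -i wlan1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
# Completed on Thu Jan 1 01:24:22 1970
# Generated by iptables-save v1.4.16.3 on Thu Jan 1 01:24:22 1970
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [64:3712]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i wlan1 -m conntrack --ctstate NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i wlan1 -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -i wlan1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 9053 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Jan 1 01:24:22 1970 ## truf!
__IPTABLES__
systemctl enable iptables.service

# don't start TOR service before create_ap
# The unit goes under /etc/systemd/system so it shadows the packaged one
# and is not overwritten by a later pacman upgrade of tor.
# The delimiter is quoted: with an unquoted heredoc, bash expanded the
# unset $MAINPID at build time and ExecReload was written without a PID.
cat > /etc/systemd/system/tor.service << '__TOR_SERVICE__'
# /etc/systemd/system/tor.service
[Unit]
Description=Anonymizing Overlay Network
After=network-online.target create_ap.service
[Service]
User=tor
Type=simple
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/usr/bin/kill -HUP $MAINPID
KillSignal=SIGINT
LimitNOFILE=8192
PrivateDevices=yes
# restart if tor fails
Restart=on-failure
RestartSec=3
[Install]
WantedBy=multi-user.target
__TOR_SERVICE__
# turn on tor
systemctl enable tor.service

# we don't need this but it creates resolv.conf, so...
#systemctl disable systemd-resolved

# no logs
sh empty_logs.sh

# change root and alarm passwd
passwd
passwd alarm

# only listen for wlan1 incoming ssh connections
# (the previous "vim +s/.../" form only operated on line 1 of the file,
# so the directive was never rewritten)
sed -i "s/^#ListenAddress 0\.0\.0\.0/ListenAddress ${AP_GATEWAY}/" /etc/ssh/sshd_config

# proxychains for internal use (try to avoid this...)
pacman -S proxychains
# "-i -e": GNU sed reads "-ie" as -i with backup suffix "e"
sed -i -e 's@#quiet_mode@quiet_mode@' /etc/proxychains.conf

# no fucking social media, don't use this to be social!
# The list is fetched from a third party: keep the current /etc/hosts as a
# fallback and only replace it when the download succeeded and is non-empty.
hosts_tmp=$(mktemp) || die "mktemp failed"
if wget -O "$hosts_tmp" https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/social/hosts \
    && [[ -s "$hosts_tmp" ]]; then
  if [[ -f /etc/hosts ]]; then
    cp -- /etc/hosts /etc/hosts.orig
  fi
  mv -- "$hosts_tmp" /etc/hosts
  # mktemp creates the file 0600; the resolver needs it world-readable
  chmod 644 /etc/hosts
else
  rm -f -- "$hosts_tmp"
  printf 'warning: hosts download failed, /etc/hosts left unchanged\n' >&2
fi

# no history
hists=(
  ".bash_history"
  ".sh_history"
  ".zsh_history"
)
history -c
# Arch coreutils ships the tool as "shred"; "gshred" is the prefixed name
# used on other platforms, so accept either
shred_cmd=$(command -v gshred || command -v shred) || die "shred/gshred not found"
for f in "${hists[@]}"; do
  target="$HOME/$f"
  if [[ -f "$target" ]]; then
    file -- "$target"
    "$shred_cmd" -n 1 -u -- "$target"
    ln -s /dev/null "$target"
  fi
done
if [[ -e "$HOME/.bash_sessions" ]]; then
  rm -rf -- "${HOME:?}/.bash_sessions"
fi

# done and reboot... it should work.
exit 0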