From 2eae676c3a15946ffc1ace2f75715fa92815d390 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 26 Jan 2015 10:36:00 +0000 Subject: [PATCH] Move docs --- doc/{ => gb}/backups.org | 0 doc/{ => gb}/beaglebone.txt | 0 doc/{ => gb}/code.org | 0 doc/{ => gb}/faq.org | 0 doc/{ => gb}/index.org | 0 doc/{ => gb}/installation.org | 0 doc/{ => gb}/related.org | 0 doc/{ => gb}/support.org | 0 doc/{ => gb}/usage.org | 0 doc/{ => gb}/variants.org | 0 doc/us/backups.org | 120 + doc/us/beaglebone.txt | 8386 +++++++++++++++++++++++++++++++++ doc/us/code.org | 17 + doc/us/faq.org | 246 + doc/us/index.org | 32 + doc/us/installation.org | 184 + doc/us/related.org | 36 + doc/us/support.org | 39 + doc/us/usage.org | 463 ++ doc/us/variants.org | 21 + 20 files changed, 9544 insertions(+) rename doc/{ => gb}/backups.org (100%) rename doc/{ => gb}/beaglebone.txt (100%) rename doc/{ => gb}/code.org (100%) rename doc/{ => gb}/faq.org (100%) rename doc/{ => gb}/index.org (100%) rename doc/{ => gb}/installation.org (100%) rename doc/{ => gb}/related.org (100%) rename doc/{ => gb}/support.org (100%) rename doc/{ => gb}/usage.org (100%) rename doc/{ => gb}/variants.org (100%) create mode 100644 doc/us/backups.org create mode 100644 doc/us/beaglebone.txt create mode 100644 doc/us/code.org create mode 100644 doc/us/faq.org create mode 100644 doc/us/index.org create mode 100644 doc/us/installation.org create mode 100644 doc/us/related.org create mode 100644 doc/us/support.org create mode 100644 doc/us/usage.org create mode 100644 doc/us/variants.org diff --git a/doc/backups.org b/doc/gb/backups.org similarity index 100% rename from doc/backups.org rename to doc/gb/backups.org diff --git a/doc/beaglebone.txt b/doc/gb/beaglebone.txt similarity index 100% rename from doc/beaglebone.txt rename to doc/gb/beaglebone.txt diff --git a/doc/code.org b/doc/gb/code.org similarity index 100% rename from doc/code.org rename to doc/gb/code.org diff --git a/doc/faq.org b/doc/gb/faq.org similarity index 100% rename from doc/faq.org rename to doc/gb/faq.org diff --git a/doc/index.org b/doc/gb/index.org similarity index 100% rename from doc/index.org rename to doc/gb/index.org diff --git a/doc/installation.org b/doc/gb/installation.org similarity index 100% rename from doc/installation.org rename to doc/gb/installation.org diff --git a/doc/related.org b/doc/gb/related.org similarity index 100% rename from doc/related.org rename to doc/gb/related.org diff --git a/doc/support.org b/doc/gb/support.org similarity index 100% rename from doc/support.org rename to doc/gb/support.org diff --git a/doc/usage.org b/doc/gb/usage.org similarity index 100% rename from doc/usage.org rename to doc/gb/usage.org diff --git a/doc/variants.org b/doc/gb/variants.org similarity index 100% rename from doc/variants.org rename to doc/gb/variants.org diff --git a/doc/us/backups.org b/doc/us/backups.org new file mode 100644 index 00000000..d844207b --- /dev/null +++ b/doc/us/backups.org @@ -0,0 +1,120 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@robotics.uk.to +#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber +#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server +#+OPTIONS: ^:nil +#+BEGIN_CENTER +[[./images/logo.png]] +#+END_CENTER + +#+BEGIN_CENTER +#+ATTR_HTML: :border -1 +| [[file:index.html][Home]] | +| [[Backup to USB]] | +| [[Restore from USB]] | +| [[Distributed backups]] | +| [[Restore from a friend]] | +#+END_CENTER + +* Backup to USB +Insert a USB thumb drive into the front socket of the Beaglebone Black. + +Log into the system and become the root user, then run the /backup/ command. + +#+BEGIN_SRC bash +su username@domainname -p 2222 +su +backup +#+END_SRC + +If this is the first time that you've made a backup then you will be prompted for your GPG key password. + +When the backup ends remove the USB drive and keep it somewhere safe. Even if it gets lost or falls into the wrong hands the content is encrypted and so is unlikely to become a source of leaks. +* Restore from USB +Insert the USB thumb drive containing your backup into the front socket of the Beaglebone Black. + +Log into the system and become the root user, then run the /restore/ command. + +#+BEGIN_SRC bash +su username@domainname -p 2222 +su +restore +#+END_SRC + +You will be prompted to enter your GPG key password, then when the restore is complete you can remove the USB drive. +* Distributed backups +Distributed backups are a better way of ensuring the persistence of your data, such that even if your system gets stolen or destroyed then the data will still be recoverable from your friends. Since the backups are encrypted your friends (or anyone else with access to their systems) won't be able to read your backed up content even if their systems are subsequently compromised. + +Firstly you will need to have a user account on one or more of your friends servers. They don't necessarily need to be using Freedombone, just some version of GNU/Linux with ssh access. They can create a user account for you with the *adduser * command when logged in as root and then give you the username and password via a secure method, such as on paper or via an encrypted email or via an XMPP chat using OTR. Make sure that the password used is a strong one - preferably a long random string stored in a password manager - so that dictionary attacks will fail. Also for maximum resilience put your password manager file onto a USB thumb drive and carry it with you. + +To add friends servers create a file called /backup.list/ in the following way. + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +emacs ~/backup.list +#+END_SRC + +Add entries like this. The numbers are the ssh port number to log in on. + +#+BEGIN_SRC bash +username1@frienddomain1:2222//home/username1 ssh_password1 +username2@frienddomain2:2222//home/username2 ssh_password2 +... +#+END_SRC + +Save and exit with *CTRL-x CTRL-s* then *CTRL-x CTRL-c*, then type *exit*. + +The system will try to backup to these remote locations once per day. +* Restore from a friend +** With a completely new Freedombone installation +This is the ultimate disaster recovery scenario in which you are beginning completely from scratch with new hardware and a new Freedombone installation. It is assumed that the old hardware was destroyed, but that you have the passwords stored within a password manager on a USB thumb drive. + +First log in and create a new friends list: + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +emacs ~/backup.list +#+END_SRC + +Add entries like this. The numbers are the ssh port number to log in on. + +#+BEGIN_SRC bash +username1@frienddomain1:2222//home/username1 ssh_password1 +username2@frienddomain2:2222//home/username2 ssh_password2 +... +#+END_SRC + +Save and exit with *CTRL-x CTRL-s* then *CTRL-x CTRL-c*. + +Now log in as root and edit the restore script. + +#+BEGIN_SRC bash +su +emacs /usr/bin/restorefromfriend +#+END_SRC + +Recover your backup password from your password manager and set the PASSPHRASE variable accordingly. + +Save and exit with *CTRL-x CTRL-s* and *CTRL-x CTRL-c*. + +Then use the command: + +#+BEGIN_SRC bash +restorefromfriend +#+END_SRC +** On an existing Freedombone installation +This is for more common situations in which maybe some data became corrupted and you want to restore it. + +Log in as root: + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +su +#+END_SRC + +Then use the command: + +#+BEGIN_SRC bash +restorefromfriend +#+END_SRC diff --git a/doc/us/beaglebone.txt b/doc/us/beaglebone.txt new file mode 100644 index 00000000..88ba02a9 --- /dev/null +++ b/doc/us/beaglebone.txt @@ -0,0 +1,8386 @@ +#+TITLE: FreedomBone +#+AUTHOR: Bob Mottram +#+EMAIL: bob@robotics.uk.to +#+KEYWORDS: freedombox, debian, beaglebone, friendica, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber +#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server +#+OPTIONS: ^:nil +#+STYLE: + +#+BEGIN_CENTER +*How to turn the Beaglebone Black into a FreedomBox-like personal communications server* +#+END_CENTER + +[[./images/freedombone_small.jpg]] + +#+BEGIN_CENTER +Copyright (C) 2014 Bob Mottram + +Permission is granted to copy, distribute and/or modify this document under the terms of the [[https://gnu.org/licenses/fdl.html][GNU Free Documentation License]], Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. + +Source for this web site in [[https://en.wikipedia.org/wiki/Org-mode][Emacs org-mode]] format is available [[/beaglebone.txt][here]]. Comments or patches may be submitted via [[https://github.com/bashrc/freedombone][Github]]. +#+END_CENTER + +* Introduction + +#+BEGIN_VERSE +/The battle for liberty is never won, and is never lost. The battle for liberty always continues. It is never too late, and it is never soon enough, to defend freedom. No matter how enslaved we are, we always have hope. No matter how free we are we are never safe. Nothing ever limits the government, except the people. Any generation which fails to defend freedom will lose it, and the next generation will have to shed blood to gain it back./ + +-- John Perna +#+END_VERSE + +** What is FreedomBone? +Today many of us rely upon "free" services in the cloud, such as Gmail, Facebook, Google+ and so on. It might appear that these services are indispensible infrastructure of the modern internet, but actually they're not strictly needed and the amount of value which they deliver to the average internet user is very marginal. It is possible to be a citizen of the internet and yet not use those things - to disintermediate the most well known companies and cut out their prurient or merely cringeworthy business models. + +FreedomBone is a personal home communications server based upon the BeagleBone Black hardware. It's small and cheap and will allow you to use email, have your own web site and do social networking in a federated way without needing to rely upon any intermediary companies other than your ISP. +** Do I need any prior knowledge? +In these instructions only a minimal level of familiarity with Linux is assumed. It's assumed that you know the basics of the /nano/ and /emacs/ editors, but it would be simple to also use other editors if you prefer. +** Why should I do this? +You should consider doing this if you are a freedom-oriented sort of person and you want to maintain sovereignty over your information. Laws in many places in the world consider you to have relinquished any property rights over data which you put onto a server not owned by youself (i.e. owned by a third party, such as Google or Facebook). The frequently cited and often absurd mantra is that there is "/no reasonable expectation of privacy/". + +If you don't like the idea of having all your communications intercepted and investigated by the Surveillance State then you should consider running a FreedomBone. If your profession involves maintaining confidentiality as an essential feature, such as legal or medical services, counselling, teaching or any sort of activism then you should consider running a FreedomBone. Especially if your activities include [[https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/][systems administration]] or [[http://www.spiegel.de/international/germany/gchq-and-nsa-targeted-private-german-companies-a-961444.html][software engineering for any communications-related systems]] then it is highly likely that you have already been targeted and "tasked" by the surveillance apparatus. + +As Eben Moglen noted in his now famous [[https://www.youtube.com/watch?v=QOEMv0S8AcA]["Freedom in The Cloud"]] talk the simple fact of you keeping your own internet logs (found in the /var/log directory) puts a certain amount of power in your hands and takes it away from parties who would otherwise sell that information without your knowledge or permission to advertisers or other shady outfits who may not have your best interests at heart. +** After it's installed will it need a lot of maintenance? +So long as the hardware is ok the amount of maintenance needed should be very small. Unlike on Windows based systems you don't need to defragment drives or mess about with anti-virus programs. I ran a similar Sheevaplug system between 2010 and 2013 with only occasional software updates or reboots, and uptime was probably 99% or better. +** Is it secure? +Nothing is totally secure or infallible. You could have the most secure technology and yet still use easy to guess passwords. In general any software described as "uncrackable", "guaranteed secure" or "NSA-proof" is likely to be bogus and should be treated with suspicion. No matter what the hype may claim, all software has bugs so it's really a question of whether your communications are more secure or less secure. Using something like Freedombone will be likely to increase your degree of communications security to a level which is above average. + +This system will not defend you from an attacker who is actively trying to block or corrupt your communications, but I assume that doesn't apply in the majority of cases. Another thing to be aware of is that running a FreedomBone could make you more vulnerable to traffic analysis, since the server is associated with your home address and isn't a giant aggregation of users somewhere in the cloud. You need to weigh this alongside the additional legal protection which owning the server and having it in your own home gives you. + +FreedomBone should be far more secure than using popular cloud-based services which have spying built into them as a core feature (although not one which is typically advertised), but it is not necessarily any kind of impenetrable information fortress. + +This project is not only about security. It's also about having independence and at least in the realm of information being able to have more control over your own life, without having gatekeepers, censors or companies in the middle. That's the way that the internet was designed to be in the first place. +** Will running a server all the time affect my electricity bill? +Hardly at all. The BeagleBone Black consumes very little power - less than 5W. It would even be potentially possible to run it from a solar panel. +** Can I use a Raspberry Pi or Cubieboard instead? +These instructions are not highly specific to the Beaglebone Black and so will likely also work on other single board computers (SBCs) such as the [[https://en.wikipedia.org/wiki/Raspberry_pi][Raspberry Pi]] or [[https://en.wikipedia.org/wiki/Cubieboard][Cubieboard]]. The original Raspberry Pi only had 256MB of RAM and so the performance of some services may be more limited. The Beaglebone Black was chosen mainly because of its low cost, relatively good CPU performance for the price (by the standards of 2013) and also low electricity consumption. The Cubieboard is also another good alternative, with the A20 version having similar specifications but twice as much RAM as the BeagleBone Black. +** Why should I trust the packages or source code downloaded from this site? +If you're particularly security conscious then you shouldn't. Binary or source packages have only been included here for convenience and to avoid confusion. "/Go and find a Debian installation for the BeagleBone Black somewhere on the web/" is too vague an instruction for my liking, and I've attempted to keep things as concise and unambiguous as possible - particularly with an average or new Linux user in mind. + +However, for maximum security for those software systems which are not already packaged within the Debian repositories then seek out the original sources and verify the hashes independently. + +It's worth adopting an attitude of "/trust but verify/". Don't let fear of mass surveillance and [[https://www.techdirt.com/articles/20140207/08354426130/gchq-has-entire-program-dirty-tricks-including-honeypots-using-journalists-deleting-online-accounts.shtml]["dirty tricks"]] paralyse you into trusting nothing and consequently doing nothing. Doing nothing means that the surveillance apparatus has succeeded in keeping you under observation at all times. +** Do I need to have a static IP address? +This is often a question which people ask about running a server from home. The answer is that you don't need a static IP address. In the vast majority of cases you will have a dynamic IP address issued by your ISP, which may change from time to time. How then does the DNS system know how to resolve your domain name correctly? To do this you need to use a dynamic IP address system, such as [[http://freedns.afraid.org/][freeDNS]]. The details of that are explained [[Getting onto the web][here]]. Other services are available, but they're not usually /free as in beer/. In this guide a static IP address of 192.168.1.60 is only used within your /local network/ (i.e. not the big bad internet of public IP addresses), so that your internet router can be set up to send incoming traffic to the right computer. +* Inventory + +#+BEGIN_VERSE +/You can’t help someone just by making a wish to do so, you have to take action./ + +-- Dalai Lama +#+END_VERSE + +These instructions assume that you have the following ingredients. + +** A BeagleBone Black (BBB) + +It should come with a suitable USB cable for the initial setup. To make things look nicer you may also want to get a case for it. + +** An internet connection + +It is assumed that the most common situation is via a router installed at home. The router should have ethernet sockets on it and a web interface which allows you to forward ports (sometimes under the "firewall" settings), so that you can forward ssh and web traffic to the BBB. + +** microSD card + +To use as the main storage for the BBB. 16 or 32GB is fine, and can be obtained quite cheaply. Try to use Sandisk (class 10 or better) where possible and avoid cheaper cards which often have poor performance. + +You may also need an SD card adaptor or USB card reader in order to flash the operating image to the microSD card. For instance, many laptops have an SD card slot but not a microSD slot. + +** 5V/2A power supply + +With a plug suitable for powering the BBB. If you have some device with a USB socket nearby you may also be able to just use that for electrical power. However, powering from the USB cable alone might result in crashes when the system is under load, depending upon how many milliamps can be supplied by the USB hub/socket. If the system crashes due to running out of power then you will see that the LEDs on the BBB are continuously on, rather than flashing. One way to test whether the board has enough power is to try compiling a Linux kernel on it, but any CPU and disk intensive program will also suffice as a test. + +[[http://beagleboard.org/Support/FAQ][beagleboard.org]] gives the following advice on power supplies: + +#+BEGIN_VERSE +/Power over USB is sufficient as long as the software and system running perform some management to keep it under the USB current limit threshold. For simplicity and maximum capability, powering over the 5V barrel connector is typically recommended./ + +/The power adapter is required to provide 5V over a 5.5mm outer diameter and 2.1mm inner diameter barrel connector (a barrel connector length of 9.5mm is more than sufficient). The recommended supply current is at least 1.2A (or 6W), but at least 2A (or 10W) is recommended if you are going to connect up anything over the USB./ +#+END_VERSE + +The plug should be /centre positive/, meaning that the centre/tip is positive and the outer part is negative. + +** An ethernet patch cable + +Just an ordinary cat5 or cat6 cable that you can get from most electrical/computer stores. + +* Installing Debian onto the microSD card +** Beaglebone Black + +The Debian Linux OS will be installed onto a small flash drive. It's a good idea to do this rather than using the internal flash, because it will allow you to easily create backups of the entire system if necessary using the dd command. + +Download the image. + +#+BEGIN_SRC: bash +cd ~/ +wget http://freedombone.uk.to/debian-jessie-console-armhf-2014-08-13.tar.xz +#+END_SRC + +Verify it. + +#+BEGIN_SRC: bash +sha256sum debian-jessie-console-armhf-2014-08-13.tar.xz +fc225cfb3c2dfad92cccafa97e92c3cd3db9d94f4771af8da364ef59609f43de +#+END_SRC + +Uncompress it. + +#+BEGIN_SRC: bash +tar xJf debian-jessie-console-armhf-2014-08-13.tar.xz +cd debian-jessie-console-armhf-2014-08-13 +#+END_SRC + +Create the disk image, where sdX is the name of the flash drive (probably it will be sdb or sdc). An easy way to find out the device name of the flash drive is to enter the command: + +#+BEGIN_SRC: bash +ls /dev/sd* +#+END_SRC + +then plug in the flash drive and type the same command again. You'll be able to see the difference. Once you know the device name then you can proceed to install the image onto the flash drive. + +#+BEGIN_SRC: bash +sudo apt-get install u-boot-tools dosfstools git-core kpartx wget parted +sudo ./setup_sdcard.sh --mmc /dev/sdX --dtb beaglebone +#+END_SRC + +Once that is completed we need to copy a boot file to enable the system to boot correctly. An example /uEnv.txt/ file can also be [[Boot (uEnv.txt)][seen here]]. + +#+BEGIN_SRC: bash +sudo cp /media/$USER/BOOT/bbb-uEnv.txt /media/$USER/BOOT/uEnv.txt +sync +#+END_SRC + +Now the microSD card can be safely removed via your file manager (usually right click and "safely remove" or "eject"). + +** Cubieboard + +The Debian Linux OS will be installed onto a small flash drive. It's a good idea to do this rather than using the internal flash, because it will allow you to easily create backups of the entire system if necessary using the dd command. + +Download the Cubieboard image from http://cubian.org/downloads/ + +#+BEGIN_SRC: bash +sudo apt-get install p7zip-full +7z x CUBIAN_IMAGE.7z +#+END_SRC + +Create the disk image, where sdX is the name of the flash drive (probably it will be sdb or sdc). An easy way to find out the device name of the flash drive is to enter the command: + +#+BEGIN_SRC: bash +ls /dev/sd* +#+END_SRC + +then plug in the flash drive and type the same command again. You'll be able to see the difference. Once you know the device name then you can proceed to install the image onto the flash drive. + +#+BEGIN_SRC: bash +sudo dd if=EXTRACTED_CUBIAN_IMAGE of=/dev/sdX bs=4096; sync +#+END_SRC + +* Setup + +#+BEGIN_VERSE +/Build the tools for a future you would want to live in/ + +-- Kurt Opsahl +#+END_VERSE + +** Things to be aware of +*** A note on ssh +When using ssh to log into the BBB if you get warnings of the type "/the ECDSA host key for domain differs from the key for the IP address/" then run the command: + +#+BEGIN_SRC: bash +ssh-keygen -R +#+END_SRC +*** Passwords +It's highly recommended that you use a password manager, such as KeepassX, and make all your passwords long random strings. It's also a good idea to use different passwords for different pieces of software, instead of one or two passwords for the whole system. That compartmentalises the security such that even if an attacker gains access to one system they can't necessarily get access to others. +*** HTTPS +Throughout these instructions self signed SSL certificates are used to implement access to web pages via HTTPS. The whole HTTPS security model upon which much of the internet currently rests seems broken in that it usually depends upon "trusted certificate authorities" who are not really trusted, except perhaps by the maintainers of certain web browser software. So all that HTTPS really guarantees is that you have an encrypted connection, but an encrypted connection /to who/ can be subject to doubt. As was seen in 2013 with the [[https://www.schneier.com/essay-455.html][information coming from Edward Snowden]], and also the [[http://en.wikipedia.org/wiki/Lavabit][Lavabit email service]], it's possible for companies/organisations to be compromised or bribed and SSL private keys for all users can be demanded using gagging orders or secret laws without any individual user ever being able to know that their communications is no longer secure.. + +Not knowing who you're really connecting to is especially true for self-signed certificates, so it is in principle possible that when logging into a site with a username and password a system such as [[http://arstechnica.com/tech-policy/2013/11/uk-spies-continue-quantum-insert-attack-via-linkedin-slashdot-pages/][Quantum Insert]], or a compromised [[http://en.wikipedia.org/wiki/Domain_Name_System][DNS service]], could be used to direct the user to a fake copy of the login screen for the purposes of obtaining their login details. While this doesn't seem to be a major problem at the time of writing it's something to keep in mind. So if you can't log in or if you log in and what you see doesn't look like your site then it's possible that such a compromise could have taken place. Using a password manager with different login details for each site is one way to ensure that if one system is compromised then the attacker can't necessarily get access to all your other stuff. +** Initial + +Eject the microSD card from your computer and plug it into the BBB, then connect the USB cable between the two. You may need to wait for a couple of minutes for the BBB to boot from the card, then you can then open a terminal and login via ssh. + +Note that if you're using a Cubieboard then the ssh login is different (see https://github.com/cubieplayer/Cubian/wiki/Get-started-with-Cubian) and it may be easier to directly edit the following files with the microSD card plugged into your laptop. + +#+BEGIN_SRC: bash +ssh debian@192.168.7.2 +#+END_SRC + +The default password is /temppwd/ + +Then log in as root: + +#+BEGIN_SRC: bash +su +#+END_SRC + +The default password is /root/ + +The first thing to do is to change the passwords from their defaults. + +#+BEGIN_SRC: bash +passwd +#+END_SRC + +Then you will need to change the network interfaces. The main task here is to comment out the stuff related to usb0. That will enable you to plug the BBB into the back of a router and for it to be detectable on the network. + +#+BEGIN_SRC: bash +nano /etc/network/interfaces +#+END_SRC + +The resulting interfaces file should look like this: + +#+BEGIN_SRC: bash +# This file describes the network interfaces available on your system +# and how to activate them. For more information, see interfaces(5). + +# The loopback network interface +auto lo +iface lo inet loopback + +# The primary network interface +allow-hotplug eth0 +iface eth0 inet static + address 192.168.1.60 + netmask 255.255.255.0 + gateway 192.168.1.254 + dns-nameservers 213.73.91.35 85.214.20.141 +# Example to keep MAC address between reboots +#hwaddress ether DA:AD:CE:EF:CA:FE + +# WiFi Example +#auto wlan0 +#iface wlan0 inet dhcp +# wpa-ssid "essid" +# wpa-psk "password" + +# Ethernet/RNDIS gadget (g_ether) +# ... or on host side, usbnet and random hwaddr +# Note on some boards, usb0 is automaticly setup with an init script +# in that case, to completely disable remove file [run_boot-scripts] from the boot partition +#iface usb0 inet static +# address 192.168.7.2 +# netmask 255.255.255.0 +# network 192.168.7.0 +# gateway 192.168.7.1 +#+END_SRC + +CTRL-o followed by ENTER to save, then CTRL-x to exit. + +In the above example "address 192.168.1.60" is a static IP address for the BBB, which will allow incoming network traffic to be directed from the router in a reliable manner. It should be outside of the DHCP range set up on the router. + +"gateway 192.168.1.254" should be the IP address of the router. + +Note that setting the DNS servers with dns-nameservers is important because some home routers do not allow you to change the DNS settings. + +Edit resolv.conf. + +#+BEGIN_SRC: bash +nano /etc/resolv.conf +#+END_SRC + +It should look something like the following: + +#+BEGIN_SRC: bash +domain localdomain +search localdomain +nameserver 213.73.91.35 +nameserver 85.214.20.141 +#+END_SRC + +It's not a good idea to use the DNS servers provided by default by your ISP, since those are almost certainly subject to censorship and monitoring. Other possible IP addresses are: + +| DNS IP | Organisation | Location | +|-----------------+--------------------------------+-------------| +| 85.214.73.63 | Digitalcourage | Germany | +| 87.118.100.175 | German Privacy Foundation e.V. | Germany | +| 94.75.228.29 | German Privacy Foundation e.V. | Germany | +| 85.25.251.254 | German Privacy Foundation e.V. | Germany | +| 2.141.58.13 | German Privacy Foundation e.V. | Germany | +| 213.73.91.35 | Chaos Computer Club Berlin | Germany | +| 212.82.225.7 | ClaraNet | Germany | +| 212.82.226.212 | ClaraNet | Germany | +| 58.6.115.42 | OpenNIC | Australia | +| 58.6.115.43 | OpenNIC | Australia | +| 119.31.230.42 | OpenNIC | Australia | +| 200.252.98.162 | OpenNIC | Brazil | +| 217.79.186.148 | OpenNIC | Germany | +| 81.89.98.6 | OpenNIC | Germany | +| 78.159.101.37 | OpenNIC | Germany | +| 203.167.220.153 | OpenNIC | New Zealand | +| 82.229.244.191 | OpenNIC | France | +| 82.229.244.191 | OpenNIC | Czechnya | +| 216.87.84.211 | OpenNIC | USA | +| 66.244.95.20 | OpenNIC | USA | +| 207.192.69.155 | OpenNIC | USA | +| 72.14.189.120 | OpenNIC | USA | +| 194.145.226.26 | PowerNS | Germany | +| 77.220.232.44 | PowerNS | Germany | +| 78.46.89.147 | ValiDOM | Germany | +| 88.198.75.145 | ValiDOM | Germany | +| 85.25.149.144 | Freie Unzensierte Nameserver | Germany | +| 87.106.37.196 | Freie Unzensierte Nameserver | Germany | +| 209.59.210.167 | Christoph Hochstätter | USA | +| 85.214.117.11 | Christoph Hochstätter | Germany | +| 83.243.5.253 | private | Germany | +| 88.198.130.211 | private | Germany | +| 85.10.211.244 | private | Germany | + +CTRL-o followed by ENTER to save, then CTRL-x to exit. + +Now disconnect the BBB from your computer and plug it into the router. You'll need an ethernet patch cable and you may also need a 5V/1A power supply for the BBB. + +If you go to the web administration screen for your internet router (often it's on 192.168.2.1 or 192.168.1.254) then after a few minutes you should see the BBB appear on the network. It's name will be "arm". + +If you're using a Cubieboard: + +#+BEGIN_SRC: bash +nano /etc/apt/sources.list +#+END_SRC + +Delete the existing sources and replace them with the sources [[Example software sources][listed here]], then save and exit. If you use the default Cubian software sources then dependency problems will occur later on. + +** Add a user + +Ssh back in to the BBB and login as root. In this example the BBB's IP address is 192.168.1.60. + +#+BEGIN_SRC: bash +ssh-keygen -f "/home/myusername/.ssh/known_hosts" -R 192.168.1.60 +ssh debian@192.168.1.60 +su +#+END_SRC + +Then make a new user. It's a bad idea to add users to the sudo group, because that then means that an attacker potentially only needs to know one password in order to get administrator access to the system. With no sudoers an attacker needs to know, or be able to obtain, two separate passwords to be able to really compromise the system. + +#+BEGIN_SRC: bash +adduser myusername +#+END_SRC + +Exit from the ssh login by typing "exit" a couple of times, then ssh back in as the new user. Make sure you use a difficult to guess password/phrase, or ideally a randomly generated password used together with a password manager such as KeepassX. + +Remove the default debian user. + +#+BEGIN_SRC: bash +userdel -r debian +#+END_SRC + +** Text editor + +For an editor which is less erratic than vi when used within a remote console such as Terminator. + +#+BEGIN_SRC: bash +apt-get update +apt-get install emacs24 +update-alternatives --set editor /usr/bin/emacs24 +#+END_SRC + +Some basic Emacs keys which will be useful to new users are: + +| Load a file | CTRL-x CTRL-f | +| Save | CTRL-x CTRL-s | +| Exit | CTRL-x CTRL-c | + +If you need an example Emacs configuration file to get you going then one can be [[Emacs setup][found here]]. + +** Remove proprietary repositories + +By default the Debian operating system includes references to a repository which can be used to install some proprietary software. Because the source code of proprietary software cannot be independently audited or patched it could contain malicious backdoors or malware, or more likely because it's unmaintainable it could just be old and out of date and so may contain security vulnerabilities which the Surveillance State can make use of via its [[https://en.wikipedia.org/wiki/FOXACID][automated exploit delivery system]]. It's a good idea to remove those repositories as follows, so that the software from them can't be installed by accident: + +#+BEGIN_SRC: bash +editor /etc/apt/sources.list +#+END_SRC + +Then remove any references to *non-free*, save and exit. With that done you can be sure that all the software on your system is [[https://en.wikipedia.org/wiki/Free_and_open_source_software][FOSS]], and so can be checked, updated or customized as necessary. +** Enable backports + +To enable some newer packages add backports to the repositories. + +#+BEGIN_SRC: bash +echo "deb http://ftp.us.debian.org/debian jessie-backports main" >> /etc/apt/sources.list +apt-get update +apt-get dist-upgrade +apt-get install ca-certificates +#+END_SRC + +** Configure your location/language + +Not everybody lives in the US or Europe. You may want to change your location and language settings accordingly. + +#+BEGIN_SRC: bash +dpkg-reconfigure locales +apt-get install keyboard-configuration +reboot +#+END_SRC + +After reboot is complete ssh back in as the root user, then to verify the change. + +#+BEGIN_SRC: bash +locale -a +#+END_SRC + +Set your time zone with: + +#+BEGIN_SRC: bash +tzselect +#+END_SRC + +For example, for British time: + +#+BEGIN_SRC: bash +export TZ='Europe/London' +echo "export TZ='Europe/London'" >> ~/.bashrc +echo "export TZ='Europe/London'" >> /home/myusername/.bashrc +#+END_SRC + +** Upgrade the kernel +Using a more recent kernel should improve stability of the system and also allow it to make use of hardware random number generation, which improves the overall security. Please note that this kernel is specific to the BBB, so if you're using a Raspberry Pi, Cubieboard or other SBC then look elsewhere on the web for information about upgrading the kernel. Newer kernels are also available at http://rcn-ee.net/deb/jessie-armhf ("bone" in the name indicates kernels with BBB specific patches). + +#+BEGIN_SRC: bash +cd /opt/scripts/tools +./update_kernel.sh --kernel v3.15.10-bone7 +reboot +#+END_SRC + +After the system has rebooted you can ssh back unto it and log in as the root user. You can check that the kernel version has changed with the command: + +#+BEGIN_SRC: bash +uname -mrs +#+END_SRC + +Note: If you're upgrading to any other kernel version and the BBB fails to reboot, with lights continuously on, then remove power, take out the microSD, insert it into your laptop then do something like "*sudo emacs /media/$USER/rootfs/boot/uEnv.txt*" and change the kernel version to the previous one which you were using, then eject the microSD drive, re-insert it into the BBB and re-apply power. + +Now enable zram. + +#+BEGIN_SRC: bash +editor /etc/modprobe.d/zram.conf +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +options zram num_devices=1 +#+END_SRC + +Save and exit, then create an initialisation script. + +#+BEGIN_SRC: bash +editor /etc/init.d/zram +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash +### BEGIN INIT INFO +# Provides: zram +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Increased Performance In Linux With zRam (Virtual Swap Compressed in RAM) +# Description: Adapted from systemd scripts at https://github.com/mystilleef/FedoraZram +### END INIT INFO + +start() { + # get the number of CPUs + num_cpus=$(grep -c processor /proc/cpuinfo) + # if something goes wrong, assume we have 1 + [ "$num_cpus" != 0 ] || num_cpus=1 + + # set decremented number of CPUs + decr_num_cpus=$((num_cpus - 1)) + + # get the amount of memory in the machine + mem_total_kb=$(grep MemTotal /proc/meminfo | grep -E --only-matching '[[:digit:]]+') + mem_total=$((mem_total_kb * 1024)) + + # load dependency modules + modprobe zram num_devices=$num_cpus + + # initialize the devices + for i in $(seq 0 $decr_num_cpus); do + echo $((mem_total / num_cpus)) > /sys/block/zram$i/disksize + done + + # Creating swap filesystems + for i in $(seq 0 $decr_num_cpus); do + mkswap /dev/zram$i + done + + # Switch the swaps on + for i in $(seq 0 $decr_num_cpus); do + swapon -p 100 /dev/zram$i + done +} + +stop() { + # get the number of CPUs + num_cpus=$(grep -c processor /proc/cpuinfo) + + # set decremented number of CPUs + decr_num_cpus=$((num_cpus - 1)) + + # Switching off swap + for i in $(seq 0 $decr_num_cpus); do + if [ "$(grep /dev/zram$i /proc/swaps)" != "" ]; then + swapoff /dev/zram$i + sleep 1 + fi + done + + sleep 1 + rmmod zram +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + stop + sleep 3 + start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + RETVAL=1 +esac +exit $RETVAL +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/zram +update-rc.d zram defaults +service zram start +reboot +#+END_SRC + +After the system has rebooted ssh back into it and become the root user, then to check that the changes were successful: + +#+BEGIN_SRC: bash +dmesg | grep zram +#+END_SRC + +Should show something like: + +#+BEGIN_SRC: bash +[ 507.322337] zram: Created 1 device(s) ... +[ 507.651151] Adding 505468k swap on /dev/zram0. Priority:100 extents:1 across:505468k SS +#+END_SRC + +** Random number generation + +#+BEGIN_VERSE +/Near as I can tell, the answer on what has been requested is everything: deliberate weakenings of encryption algorithms, deliberate weakenings of random number generations, copies of master keys, encryption of the session key with an NSA-specific key … everything./ + +-- Bruce Schneier, on the 2013 leaked NSA documents +#+END_VERSE + +The security of encryption depends upon the randomness of the random source used on your system. If it isn't very random then it may be far more vulnerable to cryptanalysis, and it's known that in the past some dubious agencies have encouraged the use of flawed random number generators to assist with their prurient activities. Randomness - typically referred to as /entropy/ - is often gathered from factors such as the timing of key presses or mouse movements, but since the BBB won't have such devices plugged into it this reduces the amount of entropy available. + +*** On the Beaglebone Black +Computers can't really generate truly random numbers by themselves, since they're deterministic and so operate in a highly predictable manner. Fortunately, the BBB has an onboard hardware random number generator, which is a physical process which behaves randomly and which can then be read into the computer and stored for later use in encryption algorithms. + +Information on exactly how the hardware random number generator on the Beaglebone AM335x CPU works [[http://e2e.ti.com/support/arm/sitara_arm/f/791/t/292794.aspx][seems hard to come by]], but we can later use some software to verify that it does indeed produce random numbers and hasn't been deliberately weakened. + +If you are using a Beaglebone and have updated the kernel then install: + +#+BEGIN_SRC: bash +apt-get install rng-tools +editor /etc/default/rng-tools +#+END_SRC + +Uncomment *HRNGDEVICE=/dev/hwrng*, save and exit then restart the daemon. + +#+BEGIN_SRC: bash +service rng-tools restart +#+END_SRC + +Your BBB will now use hardware to generate random numbers. + +*** On other Single Board Computers +If you are not using a Beaglebone (a Cubieboard for example), or if you didn't update the kernel, then you can still improve the random number generation by installing: + +#+BEGIN_SRC: bash +apt-get install haveged +#+END_SRC + +*** Verifying random number quality + +#+BEGIN_VERSE +/Living in a surveillance state is exactly like being guilty until proven guilty./ + +-- Mohammad Tarakiyee +#+END_VERSE + +You can check how much randomness (entropy) is available with: + +#+BEGIN_SRC: bash +cat /proc/sys/kernel/random/entropy_avail +#+END_SRC + +Ideally it should be in the range 1000-4096. If it is persistently below 500 then there may be a problem with your system which could make it less secure. + +To verify that random number generation is good on the BBB run: + +#+BEGIN_SRC: bash +cat /dev/hwrng | rngtest -c 1000 +#+END_SRC + +You should see something like this, with zero or a small number of failures: + +#+BEGIN_SRC: bash +rngtest: starting FIPS tests... +rngtest: bits received from input: 20000032 +rngtest: FIPS 140-2 successes: 1000 +rngtest: FIPS 140-2 failures: 0 +rngtest: FIPS 140-2(2001-10-10) Monobit: 0 +rngtest: FIPS 140-2(2001-10-10) Poker: 0 +rngtest: FIPS 140-2(2001-10-10) Runs: 0 +rngtest: FIPS 140-2(2001-10-10) Long run: 0 +rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 +rngtest: input channel speed: (min=3.104; avg=26.015; max=18.626)Gibits/s +rngtest: FIPS tests speed: (min=160.281; avg=165.696; max=168.792)Mibits/s +rngtest: Program run time: 115987 microseconds +#+END_SRC +*** Cryptotronix Hashlet +#+BEGIN_VERSE +/One must acknowledge with cryptography no amount of violence will ever solve a math problem./ + +-- Jacob Appelbaum +#+END_VERSE + +An optional extra is the [[http://cryptotronix.com/products/hashlet/][Cryptotronix Hashlet]] which also has hardware random number generation capability via the [[./Atmel-8740-CryptoAuth-ATSHA204-Datasheet.pdf][Atmel ATSHA204]] chip. + +Install the hashlet [[./images/hashlet_installed.jpg][like this]] on the BBB, then install some dependencies. + +#+BEGIN_SRC: bash +apt-get install git automake libtool bison flex build-essential libgcrypt11-dev texinfo +#+END_SRC + +Download the source code. + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +git clone https://github.com/cryptotronix/hashlet +#+END_SRC + +Now install the driver. + +#+BEGIN_SRC: bash +cd hashlet +chmod o+rw /dev/i2c* +./autogen.sh +make check +make install +#+END_SRC + +To check the initial state of the device: + +#+BEGIN_SRC: bash +hashlet --bus=/dev/i2c-2 state +#+END_SRC + +It should return the message "/Factory/". This is intended to provide an indication that the hardware hasn't been tampered with by [[https://en.wikipedia.org/wiki/Tailored_Access_Operations][TAO]] or other shady outfits in transit. If /i2c-2/ fails then try /i2c-1/ or /i2c-0/. + +#+BEGIN_SRC: bash +hashlet --bus=/dev/i2c-2 personalize +#+END_SRC + +Nothing should be returned by this command, but a file called ~/.hashlet will be generated which is the private key of the device. This personalization process is a one-time operation which physically alters the hardware, so it would not be trivial to reset the device back to "Factory" again. To make sure it's only accessible by the root user: + +#+BEGIN_SRC: bash +chmod 400 ~/.hashlet +#+END_SRC + +Now create a daemon which will create a random number generator device */dev/hashletrng*. + +#+BEGIN_SRC: bash +editor /usr/bin/hashletd +#+END_SRC + +#+BEGIN_SRC: bash +#!/bin/sh + +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin' +I2CBUS=2 +BYTES=32 +DEVICE=/dev/hashletrng + +# create a device +if [ ! -e ${DEVICE} ]; then + chmod o+rw /dev/i2c* + mknod ${DEVICE} p +fi + +while : +do +/usr/local/bin/hashlet --bus=/dev/i2c-${I2CBUS} random ${BYTES} > ${DEVICE} +done +#+END_SRC + +Save and exit. Now create an init script to run it. + +#+BEGIN_SRC: bash +editor /etc/init.d/hashlet +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash + +# /etc/init.d/hashlet + +### BEGIN INIT INFO +# Provides: hashlet +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: hashlet +# Description: Creates a random number generator device +### END INIT INFO + +# Author: Bob Mottram + +#Settings +SERVICE='hashlet' +LOGFILE='/dev/null' +COMMAND="/usr/bin/hashletd" +USERNAME='root' +NICELEVEL=19 +HISTORY=1024 +INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin' + +hashlet_start() { +echo "Starting $SERVICE..." +su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME +} + + +hashlet_stop() { +echo "Stopping $SERVICE" +su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME +} + + +#Start-Stop here +case "$1" in + start) + hashlet_start + ;; + stop) + hashlet_stop + ;; + restart) + hashlet_stop + sleep 10s + hashlet_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 +#+END_SRC + +Save and exit, then start the daemon. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/hashletd +chmod +x /etc/init.d/hashlet +update-rc.d hashlet defaults +service hashlet start +#+END_SRC + +Then to obtain some random bytes: + +#+BEGIN_SRC: bash +cat /dev/hashletrng +#+END_SRC + +The rate of entropy generation by the Hashlet seems very slow compared to */dev/hwrng*, and this is most likely because of the I2C interface. So it's probably a good idea to keep hwrng as the main random source and only use the Hashlet's random number generator for any ancillary stuff. + +** Alter ssh configuration + +#+BEGIN_VERSE +/The privacy rights of US persons in international communications are significantly diminished, if not completely eliminated, when those communications have been transmitted to or obtained from non-US persons located outside the United States./ + +-- US Department Of Justice +#+END_VERSE + +Altering the ssh configuration will make it a little more secure than the standard Debian settings. + +#+BEGIN_SRC: bash +editor /etc/ssh/sshd_config +#+END_SRC + +Check the following values: + +#+BEGIN_SRC: bash +PermitRootLogin no +X11Forwarding no +ServerKeyBits 4096 +Protocol 2 +PermitEmptyPasswords no +StrictModes yes +TCPKeepAlive no +#+END_SRC + +Comment out: + +#+BEGIN_SRC: bash +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#+END_SRC + +Append the following: + +#+BEGIN_SRC: bash +ClientAliveInterval 60 +ClientAliveCountMax 3 +Ciphers aes256-ctr,aes128-ctr +MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 +KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 +#+END_SRC + +Save and exit. Now clear out any pre-existing host keys and reconfigure the ssh server. + +#+BEGIN_SRC: bash +rm /etc/ssh/ssh_host_* +dpkg-reconfigure openssh-server +service ssh restart +#+END_SRC + +To test the new settings log out by typing "exit" a couple of times, then log back in again with: + +#+BEGIN_SRC: bash +ssh -vvv myusername@192.168.1.60 +#+END_SRC + +and check that some number of bits are set within a 4096 bit sized key: + +#+BEGIN_SRC: bash +debug2: bits set: */4096 +#+END_SRC + +** Install CPU limiter + +#+BEGIN_VERSE +/On every side, and at every hour of the day, we came up against the relentless limitations of pioneer life./ + +-- Anna Howard Shaw +#+END_VERSE + +Some process may consume a lot of CPU power and cause the system to become unresponsive or to crash. To avoid that it's possible to limit the maximum percentage of the CPU which processes can use. We can whitelist some editors and tools that are commonly used and which have an initial CPU spike (such as Emacs loading its configuration files), with everything else being subject to a CPU limit if usage goes above a threshold percentage for more than one second. + +#+BEGIN_SRC: bash +apt-get install cpulimit gawk +#+END_SRC + +Create a script which can be run as a daemon. + +#+BEGIN_SRC: bash +editor /usr/bin/cpulimit_daemon.sh +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash +# ============================================================== +# CPU limit daemon - set PID's max. percentage CPU consumptions +# ============================================================== + +# Variables +CPU_LIMIT=50 # Maximum percentage CPU consumption by each PID +DAEMON_INTERVAL=1 # Daemon check interval in seconds +BLACK_PROCESSES_LIST= # Limit only processes defined in this variable. If variable is empty (default) all violating processes are limited. +WHITE_PROCESSES_LIST="cron|top|emacs|vi|vim|nano" # Limit all processes except processes defined in this variable. If variable is empty (default) all violating processes are limited. + +# Check if one of the variables BLACK_PROCESSES_LIST or WHITE_PROCESSES_LIST is defined. +if [[ -n "$BLACK_PROCESSES_LIST" && -n "$WHITE_PROCESSES_LIST" ]] ; then # If both variables are defined then error is produced. + echo "At least one or both of the variables BLACK_PROCESSES_LIST or WHITE_PROCESSES_LIST must be empty." + exit 1 +elif [[ -n "$BLACK_PROCESSES_LIST" ]] ; then # If this variable is non-empty then set NEW_PIDS_COMMAND variable to bellow command + NEW_PIDS_COMMAND="top -b -n1 -c | grep -E '$BLACK_PROCESSES_LIST' | gawk '\$9>CPU_LIMIT {print \$1}' CPU_LIMIT=$CPU_LIMIT" +elif [[ -n "$WHITE_PROCESSES_LIST" ]] ; then # If this variable is non-empty then set NEW_PIDS_COMMAND variable to bellow command + NEW_PIDS_COMMAND="top -b -n1 -c | gawk 'NR>6' | grep -E -v '$WHITE_PROCESSES_LIST' | gawk '\$9>CPU_LIMIT {print \$1}' CPU_LIMIT=$CPU_LIMIT" +else + NEW_PIDS_COMMAND="top -b -n1 -c | gawk 'NR>6 && \$9>CPU_LIMIT {print \$1}' CPU_LIMIT=$CPU_LIMIT" +fi + +# Search and limit violating PIDs +while sleep $DAEMON_INTERVAL +do + NEW_PIDS=$(eval "$NEW_PIDS_COMMAND") # Violating PIDs + LIMITED_PIDS=$(ps -eo args | gawk '$1=="cpulimit" {print $3}') # Already limited PIDs + QUEUE_PIDS=$(comm -23 <(echo "$NEW_PIDS" | sort -u) <(echo "$LIMITED_PIDS" | sort -u) | grep -v '^$') # PIDs in queue + + # These can be uncommented for debugging purposes +# echo "DAEMON_INTERVAL: " $DAEMON_INTERVAL +# echo "CPU_LIMI: " $CPU_LIMIT +# echo "NEW_PIDS: " $NEW_PIDS +# echo "LIMITED_PIDS: " $LIMITED_PIDS +# echo "QUEUE_PIDS: " $QUEUE_PIDS + + for i in $QUEUE_PIDS + do + cpulimit -p $i -l $CPU_LIMIT -z & # Limit new violating processes + done +done +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/cpulimit_daemon.sh +editor /etc/init.d/cpulimit +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/sh +# /etc/init.d/cpulimit + +### BEGIN INIT INFO +# Provides: cpulimit +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Limits CPU use by processes +# Description: Limits CPU use by processes +### END INIT INFO + +# Author: Bob Mottram + +set -e + +case "$1" in +start) +if [ $(ps -eo pid,args | gawk '$3=="/usr/bin/cpulimit_daemon.sh" {print $1}' | wc -l) -eq 0 ]; then + nohup /usr/bin/cpulimit_daemon.sh >/dev/null 2>&1 & + ps -eo pid,args | gawk '$3=="/usr/bin/cpulimit_daemon.sh" {print}' | wc -l | gawk '{ if ($1 == 1) print " * cpulimit daemon started successfully"; else print " * cpulimit daemon can not be started" }' +else + echo " * cpulimit daemon can't be started, because it is already running" +fi +;; +stop) +CPULIMIT_DAEMON=$(ps -eo pid,args | gawk '$3=="/usr/bin/cpulimit_daemon.sh" {print $1}' | wc -l) +CPULIMIT_INSTANCE=$(ps -eo pid,args | gawk '$2=="cpulimit" {print $1}' | wc -l) +CPULIMIT_ALL=$((CPULIMIT_DAEMON + CPULIMIT_INSTANCE)) +if [ $CPULIMIT_ALL -gt 0 ]; then + if [ $CPULIMIT_DAEMON -gt 0 ]; then + ps -eo pid,args | gawk '$3=="/usr/bin/cpulimit_daemon.sh" {print $1}' | xargs kill -9 # kill cpulimit daemon + fi + + if [ $CPULIMIT_INSTANCE -gt 0 ]; then + ps -eo pid,args | gawk '$2=="cpulimit" {print $1}' | xargs kill -9 # release cpulimited process to normal priority + fi + ps -eo pid,args | gawk '$3=="/usr/bin/cpulimit_daemon.sh" {print}' | wc -l | gawk '{ if ($1 == 1) print " * cpulimit daemon can not be stopped"; else print " * cpulimit daemon stopped successfully" }' +else + echo " * cpulimit daemon can't be stopped, because it is not running" +fi +;; +restart) +$0 stop +sleep 3 +$0 start +;; +status) +ps -eo pid,args | gawk '$3=="/usr/bin/cpulimit_daemon.sh" {print}' | wc -l | gawk '{ if ($1 == 1) print " * cpulimit daemon is running"; else print " * cpulimit daemon is not running" }' +;; +esac +exit 0 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/cpulimit +update-rc.d cpulimit defaults +service cpulimit start +#+END_SRC + +** Getting onto the web +Create a subdomain on [[http://freedns.afraid.org][freeDNS]]. You may need to click on "/subdomains/" a couple of times. FreeDNS is preferred because it is one of the few domain name providers which supports genuinely free (as in beer) accounts. So if your budget is tiny or non-existent you can still participate as a first class citizen of the internet. If you do have money to spend there is also a premium option. + +Select "/dynamic DNS/" then click "/quick cron example/" + +An example would look like: + +#+BEGIN_SRC: bash +4,14,24,34,44,54 * * * * root sleep 29 ; /usr/bin/timeout 200 wget -O - https://free\ dns.afraid.org/dynamic/update.php?ABCKDNRCLFHENSLKNFEGSBFLFF== >> /dev/null 2>&1 & +#+END_SRC + +It's important to make sure that you change the *http* to *https*, since this will help to prevent a potential attacker from hijacking your site and redirecting it to a fake version for the purposes of obtaining your login details. + +Edit */etc/crontab* and append that to the top of the file, underneath the heading line which looks like this: + +#+BEGIN_SRC: bash +# m h dom mon dow user command +#+END_SRC + +In general the most frequently run crontab entries should be at the top. Then save and exit. + +Via your router's firewall settings you should now open port 22 (secure shell). This will allow you to ssh into your BBB from any location - not just your own local network. + +The freeDNS subdomain which you just created will hereafter just be refered to as "/your domain name/". + +If you have multiple freedns subdomains then you may want to rationalise that a little within */etc/crontab*. Rather than listing them all individually create a script: + +#+BEGIN_SRC: bash +editor /usr/bin/dynamicdns +#+END_SRC + +Add however many freedns subdomains you have. + +#+BEGIN_SRC: bash +#!/bin/bash +# subdomain name 1 +wget -O - https://freedns.afraid.org/dynamic/update.php?== >> /dev/null 2>&1 +# subdomain name 2 +wget -O - https://freedns.afraid.org/dynamic/update.php?== >> /dev/null 2>&1 +... +#+END_SRC + +Save and exit, then make the script runnable and only readable by the root user. + +#+BEGIN_SRC: bash +chmod 600 /usr/bin/dynamicdns +chmod +x /usr/bin/dynamicdns +#+END_SRC + +Then within */etc/crontab* + +#+BEGIN_SRC: bash +editor /etc/crontab +#+END_SRC + +You can replace the multiple freedns entries with a single line: + +#+BEGIN_SRC: bash +*/5 * * * * root /usr/bin/timeout 240 /usr/bin/dynamicdns +#+END_SRC + +Then save and exit and restart the cron daemon. + +#+BEGIN_SRC: bash +service cron restart +#+END_SRC + +If you want to know what a typical /crontab/ file might look like then see the [[Example crontab file]] + +** Set the host name + +#+BEGIN_SRC: bash +editor /etc/hostname +#+END_SRC + +Save and exit. + +Also issue the command, replacing /mydomainname.com/ with your domain name. + +#+BEGIN_SRC: bash +hostname mydomainname.com +#+END_SRC + +You may also need to assign the same hostname separately via your router's web interface. + +#+BEGIN_SRC: bash +editor /etc/hosts +#+END_SRC + +Append the following, replacing /mydomainname.com/ with your domain name. + +#+BEGIN_SRC: bash +127.0.1.1 mydomainname.com +#+END_SRC + +If you then run the command: + +#+BEGIN_SRC: bash +hostname -f +#+END_SRC + +it should return your domain name. + +** Install time synchronisation + +#+BEGIN_VERSE +/You may delay, but time will not./ + +-- Benjamin Franklin +#+END_VERSE + +It's convenient to have the clock on your server automatically synchronised with other servers on the internet so that you don't need to set the clock manually. The usual way of doing this is via [[https://en.wikipedia.org/wiki/Network_Time_Protocol][NTP]], but that method uses unencrypted signals which could potentially be interfered with in order to mess up your system. /tlsdate/ provides a slightly more secure way of setting the date and time over a SSL/TLS connection to a known good time source. + +First install some prerequisites. + +#+BEGIN_SRC: bash +apt-get install build-essential automake git pkg-config autoconf libtool libssl-dev +apt-get remove ntpdate +#+END_SRC + +Now download and install tlsdate. + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +git clone https://github.com/ioerror/tlsdate.git +cd ~/build/tlsdate +./autogen.sh +./configure +make +make install +#+END_SRC + +If you get errors during the /configure/ stage then you may need to reboot so that some of the installed dependencies take effect. + +#+BEGIN_SRC: bash +editor /usr/bin/updatedate +#+END_SRC + +Add the following, changing /username@mydomainname.com/ to your email address: + +#+BEGIN_SRC: bash +#!/bin/bash + +TIMESOURCE=google.com +TIMESOURCE2=www.ptb.de +LOGFILE=/var/log/tlsdate.log +TIMEOUT=5 +EMAIL=username@mydomainname.com + +# File which contains the previous date as a number +BEFORE_DATE_FILE=/var/log/tlsdateprevious.txt + +# File which contains the previous date as a string +BEFORE_FULLDATE_FILE=/var/log/tlsdate.txt + +DATE_BEFORE=$(date) +BEFORE=$(date -d "$Y-$M-$D" '+%s') +BACKWARDS_BETWEEN=0 + +# If the date was previously set +if [[ -f "$BEFORE_DATE_FILE" ]]; then + BEFORE_FILE=$(cat $BEFORE_DATE_FILE) + BEFORE_FULLDATE=$(cat $BEFORE_FULLDATE_FILE) + + # is the date going backwards? + if (( BEFORE_FILE > BEFORE )); then + echo -n "Date went backwards between tlsdate updates. " \ + >> $LOGFILE + echo -n "$BEFORE_FILE > $BEFORE, " >> $LOGFILE + echo "$BEFORE_FULLDATE > $DATE_BEFORE" >> $LOGFILE + + # Send a warning email + echo $(tail $LOGFILE -n 2) | mail -s "tlsdate anomaly" $EMAIL + + # Try another time source + TIMESOURCE=$TIMESOURCE2 + + # try running without any parameters + tlsdate >> $LOGFILE + + BACKWARDS_BETWEEN=1 + fi +fi + +# Set the date +/usr/bin/timeout $TIMEOUT tlsdate -l -t -H $TIMESOURCE -p 443 >> $LOGFILE + +DATE_AFTER=$(date) +AFTER=$(date -d "$Y-$M-$D" '+%s') + +# After setting the date did it go backwards? +if (( AFTER < BEFORE )); then + echo "Incorrect date: $DATE_BEFORE -> $DATE_AFTER" >> $LOGFILE + + # Send a warning email + echo $(tail $LOGFILE -n 2) | mail -s "tlsdate anomaly" $EMAIL + + # Try resetting the date from another time source + /usr/bin/timeout $TIMEOUT tlsdate -l -t -H $TIMESOURCE2 -p 443 >> $LOGFILE + DATE_AFTER=$(date) + AFTER=$(date -d "$Y-$M-$D" '+%s') +else + echo -n $TIMESOURCE >> $LOGFILE + if [[ -f "$BEFORE_DATE_FILE" ]]; then + echo -n " " >> $LOGFILE + echo -n $BEFORE_FILE >> $LOGFILE + fi + echo -n " " >> $LOGFILE + echo -n $BEFORE >> $LOGFILE + echo -n " " >> $LOGFILE + echo -n $AFTER >> $LOGFILE + echo -n " " >> $LOGFILE + echo $DATE_AFTER >> $LOGFILE +fi + +# Log the last date +if [ BACKWARDS_BETWEEN == 0 ]; then + echo "$AFTER" > $BEFORE_DATE_FILE + echo "$DATE_AFTER" > $BEFORE_FULLDATE_FILE + exit 0 +else + exit 1 +fi +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/updatedate +editor /etc/crontab +#+END_SRC + +Add the following near the top of the list of tasks. + +#+BEGIN_SRC: bash +*/15 * * * * root /usr/bin/updatedate +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +service cron restart +#+END_SRC + +This obtains the date and time from www.ptb.de every 15 minutes. Obviously if you wish to use a different source for the date and time then the cron entry can be edited accordingly. + +To ensure that the system always gets the correct time on initial bootup create an init script. + +#+BEGIN_SRC: bash +editor /etc/init.d/tlsdate +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash +# /etc/init.d/tlsdate + +### BEGIN INIT INFO +# Provides: tlsdate +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Initially calls tlsdate with the timewarp option +# Description: Initially calls tlsdate with the timewarp option +### END INIT INFO + +# Author: Bob Mottram + +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin' + +LOGFILE="/var/log/tlsdate.log" +TLSDATECOMMAND="tlsdate --timewarp -l -H www.ptb.de -p 443 >> $LOGFILE" + +#Start-Stop here +case "$1" in + start) + echo "tlsdate started" + $TLSDATECOMMAND + ;; + stop) + echo "tlsdate stopped" + ;; + restart) + echo "tlsdate restarted" + $TLSDATECOMMAND + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 +#+END_SRC + +Save and exit, then start the daemon. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/tlsdate +update-rc.d tlsdate defaults +service tlsdate start +#+END_SRC + +** Install fail2ban + +#+BEGIN_SRC: bash +apt-get install fail2ban +#+END_SRC + +** Set up a firewall + +#+BEGIN_VERSE +/The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability./ + +-- Bruce Schneier +#+END_VERSE + +A basic firewall limits the maximum rate at which connections can be made and closes any unused ports, and this helps to defend against various kinds of DDOS attack. Your internet router may contain a firewall, but chances are that it also contains proprietary software which can be remotely changed/updated by the ISP. Unless you're running free software, such as [[https://en.wikipedia.org/wiki/OpenWrt][OpenWrt]], on your internet router then it's reasonable to assume that the device is hostile and could be conducting surveillance, trying to do [[https://en.wikipedia.org/wiki/Man-in-the-middle_attack]["man in the middle"]] attacks or be pushing "implants" onto the computers and mobile devices on your local network. That means that your server needs its own firewall. + +#+BEGIN_SRC: bash +apt-get install portsentry +editor /etc/portsentry/portsentry.conf +#+END_SRC + +Uncomment the entry for *iptables support for Linux* + +Set the following properties: + +#+BEGIN_SRC: bash +TCP_PORTS="1,7,9,11,15,79,109,110,111,119,138,139,512,513,514,515,540,635,1080,1524,2000,2001,3000,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320" +UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,3000,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321" + +ADVANCED_EXCLUDE_TCP="113,139,70,80,443,587,143,6697,993,5060,5061,25,465,22,4040,5222,5223,5269,5280,5281,8444" +ADVANCED_EXCLUDE_UDP="520,138,137,67,70,80,443,143,6697,993, 5060,5061,25,465,22,4040,5222,5223,5269,5280,5281,8444" + +SCAN_TRIGGER="2" + +BLOCK_UDP="2" +BLOCK_TCP="2" +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +service portsentry restart +editor /tmp/firewall.sh +#+END_SRC + +Enter the following: + +#+BEGIN_SRC: bash +#!/bin/bash + +# First of all delete any existing rules. +# This means you're back to a known state: +iptables -P INPUT ACCEPT +ip6tables -P INPUT ACCEPT +iptables -F +ip6tables -F +iptables -X +ip6tables -X + +# Drop any IPv6 traffic +ip6tables -A INPUT -p icmp -j DROP +ip6tables -A INPUT -p tcp -j DROP +ip6tables -A INPUT -p udp -j DROP + +# Drop access to unused ports +iptables -A INPUT -p tcp --destination-port 1 -j DROP +iptables -A INPUT -p tcp --destination-port 7 -j DROP +iptables -A INPUT -p tcp --destination-port 109:111 -j DROP +iptables -A INPUT -p tcp --destination-port 995 -j DROP +iptables -A INPUT -p tcp --destination-port 139 -j DROP +iptables -A INPUT -p tcp --destination-port 6000:6001 -j DROP +iptables -A INPUT -p tcp --destination-port 9 -j DROP +iptables -A INPUT -p tcp --destination-port 79 -j DROP +iptables -A INPUT -p tcp --destination-port 515 -j DROP +iptables -A INPUT -p tcp --destination-port 4001 -j DROP +iptables -A INPUT -p tcp --destination-port 1524 -j DROP +iptables -A INPUT -p tcp --destination-port 1080 -j DROP +iptables -A INPUT -p tcp --destination-port 512:514 -j DROP +iptables -A INPUT -p tcp --destination-port 31337 -j DROP +iptables -A INPUT -p tcp --destination-port 2000:2001 -j DROP +iptables -A INPUT -p tcp --destination-port 12345 -j DROP +iptables -A INPUT -p tcp --destination-port 32771:32774 -j DROP +iptables -A INPUT -p tcp --destination-port 4000 -j DROP +iptables -A INPUT -p tcp --destination-port 119 -j DROP +iptables -A INPUT -p tcp --destination-port 137 -j DROP +iptables -A INPUT -p tcp --destination-port 4242 -j DROP +iptables -A INPUT -p tcp --destination-port 9050 -j DROP +iptables -A INPUT -p tcp --destination-port 3000 -j DROP +iptables -A INPUT -p tcp --destination-port 3306 -j DROP +iptables -A INPUT -p tcp --destination-port 8432 -j DROP +iptables -A INPUT -p tcp --destination-port 8433 -j DROP +iptables -A INPUT -p udp --destination-port 1 -j DROP +iptables -A INPUT -p udp --destination-port 7 -j DROP +iptables -A INPUT -p udp --destination-port 109:111 -j DROP +iptables -A INPUT -p udp --destination-port 995 -j DROP +iptables -A INPUT -p udp --destination-port 139 -j DROP +iptables -A INPUT -p udp --destination-port 6000:6001 -j DROP +iptables -A INPUT -p udp --destination-port 9 -j DROP +iptables -A INPUT -p udp --destination-port 79 -j DROP +iptables -A INPUT -p udp --destination-port 515 -j DROP +iptables -A INPUT -p udp --destination-port 4001 -j DROP +iptables -A INPUT -p udp --destination-port 1524 -j DROP +iptables -A INPUT -p udp --destination-port 1080 -j DROP +iptables -A INPUT -p udp --destination-port 512:514 -j DROP +iptables -A INPUT -p udp --destination-port 31337 -j DROP +iptables -A INPUT -p udp --destination-port 2000:2001 -j DROP +iptables -A INPUT -p udp --destination-port 12345 -j DROP +iptables -A INPUT -p udp --destination-port 32771:32774 -j DROP +iptables -A INPUT -p udp --destination-port 6665:6669 -j DROP +iptables -A INPUT -p udp --destination-port 4000 -j DROP +iptables -A INPUT -p udp --destination-port 119 -j DROP +iptables -A INPUT -p udp --destination-port 137 -j DROP +iptables -A INPUT -p udp --destination-port 8432 -j DROP +iptables -A INPUT -p udp --destination-port 8433 -j DROP +iptables -A INPUT -p udp --destination-port 3306 -j DROP +iptables -A INPUT -p udp --destination-port 4242 -j DROP +iptables -A INPUT -p udp --destination-port 9050 -j DROP +iptables -A INPUT -p udp --destination-port 3000 -j DROP +iptables -A INPUT -p udp --destination-port 8442 -j DROP + +# Make sure NEW incoming tcp connections are SYN packets +iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP + +# Drop packets with incoming fragments +iptables -A INPUT -f -j DROP + +# Incoming malformed XMAS packets drop them +iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP +iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP +iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + +# Incoming malformed NULL packets: +iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP + +# Drop UDP to used ports +iptables -A INPUT -p udp --match multiport --dports 70,80,443,143,6697,993,5060,5061,25 -j DROP +iptables -A INPUT -p udp --match multiport --dports 465,587,22,5222,5223,5269,5280,5281,8444 -j DROP + +# Limit ssh logins +iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT + +# Limit web connections +iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT +iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT + +# Limit number of XMPP connections +iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT + +# Limit IRC connections +iptables -A INPUT -p tcp --dport 6665:6669 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT +iptables -A INPUT -p tcp --dport 6697 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT + +# Limit gopher connections +iptables -A INPUT -p tcp --dport 70 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT + +# Limit IMAP connections +iptables -A INPUT -p tcp --dport 143 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT +iptables -A INPUT -p tcp --dport 993 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT + +# Limit Subsonic connections +iptables -A INPUT -p tcp --dport 4040 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT +iptables -A INPUT -p udp --dport 4040 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT + +# Limit SIP connections +iptables -A INPUT -p tcp --dport 5060:5061 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT + +# Limit SMTP/SMTPS connections +iptables -A INPUT -p tcp --dport 25 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT +iptables -A INPUT -p tcp --dport 465 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT +iptables -A INPUT -p tcp --dport 587 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT + +# Limit Bitmessage connections +iptables -A INPUT -p tcp --dport 8444 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT + +# Limit the number of incoming tcp connections +# Interface 0 incoming syn-flood protection +iptables -N syn_flood +iptables -A INPUT -p tcp --syn -j syn_flood +iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN +iptables -A syn_flood -j DROP + +# Limiting the incoming icmp ping request: +#iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT +#iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP: +iptables -A INPUT -p icmp -j DROP +#iptables -A OUTPUT -p icmp -j ACCEPT + +# Block malware servers (See Der Spiegel Snowden files) +iptables -A INPUT -s 146.185.26.163 -j DROP +iptables -A INPUT -s 37.130.229.100 -j DROP +iptables -A INPUT -s 85.237.211.198 -j DROP +iptables -A INPUT -s 85.237.212.52 -j DROP +iptables -A INPUT -s 85.237.211.177 -j DROP +iptables -A INPUT -s 212.118.232.184 -j DROP +iptables -A INPUT -s 212.118.232.50 -j DROP +iptables -A INPUT -s 176.249.28.104 -j DROP +iptables -A INPUT -s 212.118.232.140 -j DROP +iptables -A INPUT -s 37.130.229.101 -j DROP +iptables -A INPUT -s 31.6.17.94 -j DROP +iptables -A INPUT -s 84.45.121.218 -j DROP +iptables -A INPUT -s 80.84.63.242 -j DROP +iptables -A INPUT -s 37.220.10.28 -j DROP +iptables -A INPUT -s 94.229.78.58 -j DROP + +iptables -A OUTPUT -s 146.185.26.163 -j DROP +iptables -A OUTPUT -s 37.130.229.100 -j DROP +iptables -A OUTPUT -s 85.237.211.198 -j DROP +iptables -A OUTPUT -s 85.237.212.52 -j DROP +iptables -A OUTPUT -s 85.237.211.177 -j DROP +iptables -A OUTPUT -s 212.118.232.184 -j DROP +iptables -A OUTPUT -s 212.118.232.50 -j DROP +iptables -A OUTPUT -s 176.249.28.104 -j DROP +iptables -A OUTPUT -s 212.118.232.140 -j DROP +iptables -A OUTPUT -s 37.130.229.101 -j DROP +iptables -A OUTPUT -s 31.6.17.94 -j DROP +iptables -A OUTPUT -s 84.45.121.218 -j DROP +iptables -A OUTPUT -s 80.84.63.242 -j DROP +iptables -A OUTPUT -s 37.220.10.28 -j DROP +iptables -A OUTPUT -s 94.229.78.58 -j DROP + +# Save the settings +iptables-save > /etc/firewall.conf +ip6tables-save > /etc/firewall6.conf +printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables +printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables +printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables +chmod +x /etc/network/if-up.d/iptables +#+END_SRC + +Save and exit. + +Note that this will disable IP version 6. At the time of writing it is expected that the average internet user is running on IP version 4. + +#+BEGIN_SRC: bash +chmod +x /tmp/firewall.sh +. /tmp/firewall.sh +rm /tmp/firewall.sh +#+END_SRC + +Also disable ping. This may be inconvenient to some extent, but it seems common for malicious systems, including but not limited to the [[http://www.nbcnews.com/news/investigations/snowden-docs-british-spies-used-sex-dirty-tricks-n23091][JTRIG "EFFECTS" team]], to try to disable the machine by flooding it with pings. These days there seems to be not much difference between "cybercrime" and nefarious state-sponsored internet activities. + +#+BEGIN_SRC: bash +editor /etc/sysctl.conf +#+END_SRC + +Uncomment or change the following: + +#+BEGIN_SRC: bash +net.ipv4.tcp_syncookies = 1 +net.ipv4.conf.all.accept_redirects = 0 +net.ipv6.conf.all.accept_redirects = 0 +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.all.accept_source_route = 0 +net.ipv6.conf.all.accept_source_route = 0 +net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.all.rp_filter=1 +net.ipv4.ip_forward=0 +net.ipv6.conf.all.forwarding=0 +#+END_SRC + +And append the following: + +#+BEGIN_SRC: bash +# ignore pings +net.ipv4.icmp_echo_ignore_all = 1 +net.ipv6.icmp_echo_ignore_all = 1 + +# disable ipv6 +net.ipv6.conf.all.disable_ipv6 = 1 + +net.ipv4.tcp_synack_retries = 2 +net.ipv4.tcp_syn_retries = 1 + +# keepalive +net.ipv4.tcp_keepalive_probes = 9 +net.ipv4.tcp_keepalive_intvl = 75 +net.ipv4.tcp_keepalive_time = 7200 +#+END_SRC + +Save and exit. It may be a good idea to reboot at this point and then log back into the BBB using ssh. You can do a safe reboot of the system by typing: + +#+BEGIN_SRC: bash +reboot +#+END_SRC + +After reboot and logging back in to the root account via /ssh/ you can verify that the firewall rules were restored correctly with: + +#+BEGIN_SRC: bash +iptables -L +#+END_SRC + +and + +#+BEGIN_SRC: bash +ip6tables -L +#+END_SRC + +** Make SSL/TLS certificates + +For email, web server and other services we will be using SSL/TLS certificates, so create a script which makes this easy to do with a single command. + +#+BEGIN_SRC: bash +editor /usr/bin/makecert +#+END_SRC + +Enter the following. You can change the country code and location if you wish, but that's not essential. + +#+BEGIN_SRC: bash +#!/bin/bash + +HOSTNAME=$1 +COUNTRY_CODE="US" +AREA="Free Speech Zone" +LOCATION="Freedomville" +ORGANISATION="Freedombone" +UNIT="Freedombone Unit" + +if ! which openssl > /dev/null ;then + echo "$0: openssl is not installed, exiting" 1>&2 + exit 1 +fi + +openssl req \ + -x509 -nodes -days 3650 \ + -sha256 \ + -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \ + -newkey rsa:2048 \ + -keyout /etc/ssl/private/$HOSTNAME.key \ + -out /etc/ssl/certs/$HOSTNAME.crt + +openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam + +chmod 400 /etc/ssl/private/$HOSTNAME.key +chmod 640 /etc/ssl/certs/$HOSTNAME.crt +chmod 640 /etc/ssl/certs/$HOSTNAME.dhparam +/etc/init.d/nginx reload + +# add the public certificate to a separate directory +# so that we can redistribute it easily +if [ ! -d /etc/ssl/mycerts ]; then + mkdir /etc/ssl/mycerts +fi +cp /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/mycerts +# Create a bundle of your certificates +cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt +tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/makecert +#+END_SRC +** Install Email + +#+BEGIN_VERSE +/The government argued that, since the "inspection" of the data was to be carried out by a machine, they were exempt from the normal search-and-seizure protections of the Fourth Amendment...The prosecution also argued that my users had no expectation of privacy, even though the service I provided - encryption - is designed for users' privacy/ + +-- Ladar Levison +#+END_VERSE + +Email is not very secure, but its usefulness and ubiquity mean that it's likely to continue as a primary communications method for many years to come. You can encrypt the contents of email using PGP/GPG, but very few people do that and even for those that do the metadata (the From/To/CC/BCC) is always transmitted in the clear as a fundamental aspect of the protocol, allowing an attacker to easily construct detailed models of people's social network and life patterns even without knowing the content. + +Exim4 seems much easier to install and configure than Postfix. + +#+BEGIN_SRC: bash +service postfix stop +apt-get remove postfix +aptitude install exim4 sasl2-bin swaks libnet-ssleay-perl procmail +#+END_SRC + +You will be prompted to remove postfix. Say yes and yes again. + +#+BEGIN_SRC: bash +dpkg-reconfigure exim4-config +#+END_SRC + +Settings as follows: + +#+BEGIN_SRC: bash +internet site + +System mail name: mydomainname.com + +IP addresses to listen on: blank + +Destinations: mydomainname.com (and any other domains that you own) + +Domains to relay mail: blank + +Smarthost Relay: 192.168.1.0/24 (the range of addresses on your LAN) + +Dial on demand = no + +Maildir format in home directory + +Split configuration = no + +Root and postmaster: root email +#+END_SRC + +To test the installation: + +#+BEGIN_SRC: bash +telnet 192.168.1.60 25 +ehlo xxx +quit +#+END_SRC + +#+BEGIN_SRC: bash +editor /etc/default/saslauthd +#+END_SRC + +set START=yes then save and exit. + +#+BEGIN_SRC: bash +/etc/init.d/saslauthd start +makecert exim +mv /etc/ssl/private/exim.key /etc/exim4 +mv /etc/ssl/certs/exim.crt /etc/exim4 +mv /etc/ssl/certs/exim.dhparam /etc/exim4 +chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam +chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam +editor /etc/exim4/exim4.conf.template +#+END_SRC + +Uncomment the section which begins with *login_saslauthd_server* + +Search for the line *.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME* and above it insert the lines: + +#+BEGIN_SRC: bash +MAIN_HARDCODE_PRIMARY_HOSTNAME = mydomainname.com +MAIN_TLS_ENABLE = true +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/default/exim4 +change SMTPLISTENEROPTIONS to: +SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid' +#+END_SRC + +save and exit + +#+BEGIN_SRC: bash +editor /etc/exim4/exim4.conf.template +#+END_SRC + +Under the section *main/03_exim4-config_tlsoptions* add the following: + +#+BEGIN_SRC: bash +tls_on_connect_ports=465 +#+END_SRC + +save and exit + +#+BEGIN_SRC: bash +adduser myusername sasl +addgroup Debian-exim sasl +/etc/init.d/exim4 restart +mkdir -m 700 /etc/skel/Maildir +mkdir -m 700 /etc/skel/Maildir/Sent +mkdir -m 700 /etc/skel/Maildir/Sent/tmp +mkdir -m 700 /etc/skel/Maildir/Sent/cur +mkdir -m 700 /etc/skel/Maildir/Sent/new +mkdir -m 700 /etc/skel/Maildir/.learn-spam +mkdir -m 700 /etc/skel/Maildir/.learn-spam/cur +mkdir -m 700 /etc/skel/Maildir/.learn-spam/new +mkdir -m 700 /etc/skel/Maildir/.learn-spam/tmp +mkdir -m 700 /etc/skel/Maildir/.learn-ham +mkdir -m 700 /etc/skel/Maildir/.learn-ham/cur +mkdir -m 700 /etc/skel/Maildir/.learn-ham/new +mkdir -m 700 /etc/skel/Maildir/.learn-ham/tmp +ln -s /etc/skel/Maildir/.learn-spam /etc/skel/Maildir/spam +ln -s /etc/skel/Maildir/.learn-ham /etc/skel/Maildir/ham +#+END_SRC + +If you're starting from scratch and don't already have a /Maildir/ directory in your home directory, then create one as follows: + +#+BEGIN_SRC: bash +export MYUSERNAME=myusername +mkdir -m 700 /home/$MYUSERNAME/Maildir +mkdir -m 700 /home/$MYUSERNAME/Maildir/cur +mkdir -m 700 /home/$MYUSERNAME/Maildir/tmp +mkdir -m 700 /home/$MYUSERNAME/Maildir/new +mkdir -m 700 /home/$MYUSERNAME/Maildir/Sent +mkdir -m 700 /home/$MYUSERNAME/Maildir/Sent/cur +mkdir -m 700 /home/$MYUSERNAME/Maildir/Sent/tmp +mkdir -m 700 /home/$MYUSERNAME/Maildir/Sent/new +mkdir -m 700 /home/$MYUSERNAME/Maildir/.learn-spam +mkdir -m 700 /home/$MYUSERNAME/Maildir/.learn-spam/cur +mkdir -m 700 /home/$MYUSERNAME/Maildir/.learn-spam/new +mkdir -m 700 /home/$MYUSERNAME/Maildir/.learn-spam/tmp +mkdir -m 700 /home/$MYUSERNAME/Maildir/.learn-ham +mkdir -m 700 /home/$MYUSERNAME/Maildir/.learn-ham/cur +mkdir -m 700 /home/$MYUSERNAME/Maildir/.learn-ham/new +mkdir -m 700 /home/$MYUSERNAME/Maildir/.learn-ham/tmp +ln -s /home/$MYUSERNAME/Maildir/.learn-spam /home/$MYUSERNAME/Maildir/spam +ln -s /home/$MYUSERNAME/Maildir/.learn-ham /home/$MYUSERNAME/Maildir/ham +chown -R $MYUSERNAME:$MYUSERNAME /home/$MYUSERNAME/Maildir +#+END_SRC + +** Spam filtering + +#+BEGIN_SRC: bash +aptitude install spamassassin exim4-daemon-heavy +#+END_SRC + +If you encounter any problems with dependencies then select 'n' and then 'y' to whatever the suggestion for removals is. Repeat the aptitude install process until you don't get any more dependency errors. + +#+BEGIN_SRC: bash +editor /etc/default/spamassassin +#+END_SRC + +Set *ENABLED=1* then save and exit. + +#+BEGIN_SRC: bash +editor /etc/exim4/exim4.conf.template +#+END_SRC + +Uncomment or change according to your configuration + +#+BEGIN_SRC: bash +# For spam scanning, there is a similar option that defines the interface to +# SpamAssassin. You do not need to set this if you are using the default, which +# is shown in this commented example. As for virus scanning, you must also +# modify the acl_check_data access control list to enable spam scanning. + + spamd_address = 127.0.0.1 783 +#+END_SRC + +Add spam header in the /acl_check_data/ section: + +#+BEGIN_SRC: bash +### acl/40_exim4-config_check_data +################################# + +# This ACL is used after the contents of a message have been received. This +# is the ACL in which you can test a message's headers or body, and in +# particular, this is where you can invoke external virus or spam scanners. + +acl_check_data: +... +... +... +# See the exim docs and the exim wiki for more suitable examples. +# +# warn +# spam = Debian-exim:true +# add_header = X-Spam_score: $spam_score\n\ +# X-Spam_score_int: $spam_score_int\n\ +# X-Spam_bar: $spam_bar\n\ +# X-Spam_report: $spam_report + +# put headers in all messages (no matter if spam or not) + warn spam = nobody:true + add_header = X-Spam-Score: $spam_score ($spam_bar) + add_header = X-Spam-Report: $spam_report + +# add second subject line with *SPAM* marker when message +# is over threshold + warn spam = nobody + add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject: +#+END_SRC + +Save and exit, then restart + +#+BEGIN_SRC: bash +exit +editor ~/.procmailrc +#+END_SRC + +The text should look like the following. + +#+BEGIN_SRC: sh +MAILDIR=$HOME/Maildir +DEFAULT=$MAILDIR/ +LOGFILE=$HOME/log/procmail.log +LOGABSTRACT=all + +# get spamassassin to check emails +:0fw: .spamassassin.lock + * < 256000 +| spamc + +# strong spam are discarded +:0 + * ^X-Spam-Level: \*\*\*\*\*\* +/dev/null + +# weak spam are kept just in case - clear this out every now and then +:0 + * ^X-Spam-Level: \*\*\*\*\* +.0-spam/ + +# otherwise, marginal spam goes here for revision +:0 + * ^X-Spam-Level: \*\* +.spam/ +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +su +editor /usr/bin/filterspam +#+END_SRC + +Add the following contents: + +#+BEGIN_SRC: bash +#!/bin/bash + +USERNAME=$1 +MAILDIR=/home/$USERNAME/Maildir/.learn-spam + +if [ ! -d "$MAILDIR" ]; then + exit +fi + +for f in `ls $MAILDIR/cur` +do + spamc -L spam < "$MAILDIR/cur/$f" > /dev/null + rm "$MAILDIR/cur/$f" +done +for f in `ls $MAILDIR/new` +do + spamc -L spam < "$MAILDIR/new/$f" > /dev/null + rm "$MAILDIR/new/$f" +done +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /usr/bin/filterham +#+END_SRC + +Add the following contents: + +#+BEGIN_SRC: bash +#!/bin/bash + +USERNAME=$1 +MAILDIR=/home/$USERNAME/Maildir/.learn-ham + +if [ ! -d "$MAILDIR" ]; then + exit +fi + +for f in `ls $MAILDIR/cur` +do + spamc -L ham < "$MAILDIR/cur/$f" > /dev/null + rm "$MAILDIR/cur/$f" +done +for f in `ls $MAILDIR/new` +do + spamc -L ham < "$MAILDIR/new/$f" > /dev/null + rm "$MAILDIR/new/$f" +done +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/crontab +#+END_SRC + +Append the following, replacing *myusername* with your username. + +#+BEGIN_SRC: bash +*/3 * * * * root /usr/bin/timeout 120 /usr/bin/filterspam myusername +*/3 * * * * root /usr/bin/timeout 120 /usr/bin/filterham myusername +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod 655 /usr/bin/filterspam /usr/bin/filterham +service spamassassin restart +service exim4 restart +service cron restart +#+END_SRC + +** Install Dovecot + +#+BEGIN_VERSE +/I dreamt last night that I was living in a surveillance state. I woke up and… I’m still in a surveillance state./ + +-- Conrad Kramer +#+END_VERSE + +Install the required packages. + +#+BEGIN_SRC: bash +aptitude -y install dovecot-common dovecot-imapd +#+END_SRC + +Edit the configuration file. + +#+BEGIN_SRC: bash +editor /etc/dovecot/dovecot.conf +#+END_SRC + +Line 26: change: + +#+BEGIN_SRC: bash +listen = * +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/dovecot/conf.d/10-auth.conf +#+END_SRC + +Line 9: uncomment and change (allow plain text auth) + +#+BEGIN_SRC: bash +disable_plaintext_auth = no +#+END_SRC + +Line 99: add: + +#+BEGIN_SRC: bash +auth_mechanisms = plain login +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/dovecot/conf.d/10-mail.conf +#+END_SRC + +Line 30: uncomment and add: + +#+BEGIN_SRC: bash +mail_location = maildir:~/Maildir:LAYOUT=fs +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/dovecot/conf.d/10-ssl.conf +#+END_SRC + +Append the following: + +#+BEGIN_SRC: bash +ssl_cipher_list = 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA' +#+END_SRC + +Save and exit, then start the dovecot service. + +#+BEGIN_SRC: bash +service dovecot restart +#+END_SRC + +** Create a GPG key +#+BEGIN_VERSE +/If privacy is outlawed, only outlaws will have privacy./ + +-- Philip Zimmermann +#+END_VERSE + +*** Initial installation + +Assuming that you are logged in as root, first ensure that GPG is installed and then exit to your user account. + +#+BEGIN_SRC: bash +apt-get install gnupg +exit +#+END_SRC + +Now we will add some settings: + +#+BEGIN_SRC: bash +mkdir ~/.gnupg +editor ~/.gnupg/gpg.conf +#+END_SRC + +The configuration should look like the following. Of particular importance are the default preferences at the end. + +#+BEGIN_SRC: bash +# Options for GnuPG +# Copyright 1998, 1999, 2000, 2001, 2002, 2003, +# 2010 Free Software Foundation, Inc. +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Unless you specify which option file to use (with the command line +# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf +# by default. +# +# An options file can contain any long options which are available in +# GnuPG. If the first non white space character of a line is a '#', +# this line is ignored. Empty lines are also ignored. +# +# See the man page for a list of options. + +# Uncomment the following option to get rid of the copyright notice + +#no-greeting + +# If you have more than 1 secret key in your keyring, you may want to +# uncomment the following option and set your preferred keyid. + +#default-key 621CC013 + +# If you do not pass a recipient to gpg, it will ask for one. Using +# this option you can encrypt to a default key. Key validation will +# not be done in this case. The second form uses the default key as +# default recipient. + +#default-recipient some-user-id +#default-recipient-self + +# Use --encrypt-to to add the specified key as a recipient to all +# messages. This is useful, for example, when sending mail through a +# mail client that does not automatically encrypt mail to your key. +# In the example, this option allows you to read your local copy of +# encrypted mail that you've sent to others. + +#encrypt-to some-key-id + +# By default GnuPG creates version 4 signatures for data files as +# specified by OpenPGP. Some earlier (PGP 6, PGP 7) versions of PGP +# require the older version 3 signatures. Setting this option forces +# GnuPG to create version 3 signatures. + +#force-v3-sigs + +# Because some mailers change lines starting with "From " to ">From " +# it is good to handle such lines in a special way when creating +# cleartext signatures; all other PGP versions do it this way too. + +#no-escape-from-lines + +# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell +# GnuPG which is the native character set. Please check the man page +# for supported character sets. This character set is only used for +# metadata and not for the actual message which does not undergo any +# translation. Note that future version of GnuPG will change to UTF-8 +# as default character set. In most cases this option is not required +# as GnuPG is able to figure out the correct charset at runtime. + +#charset utf-8 + +# Group names may be defined like this: +# group mynames = paige 0x12345678 joe patti +# +# Any time "mynames" is a recipient (-r or --recipient), it will be +# expanded to the names "paige", "joe", and "patti", and the key ID +# "0x12345678". Note there is only one level of expansion - you +# cannot make an group that points to another group. Note also that +# if there are spaces in the recipient name, this will appear as two +# recipients. In these cases it is better to use the key ID. + +#group mynames = paige 0x12345678 joe patti + +# Lock the file only once for the lifetime of a process. If you do +# not define this, the lock will be obtained and released every time +# it is needed, which is usually preferable. + +#lock-once + +# GnuPG can send and receive keys to and from a keyserver. These +# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP +# support). +# +# Example HKP keyserver: +# hkp://keys.gnupg.net +# hkp://subkeys.pgp.net +# +# Example email keyserver: +# mailto:pgp-public-keys@keys.pgp.net +# +# Example LDAP keyservers: +# ldap://keyserver.pgp.com +# +# Regular URL syntax applies, and you can set an alternate port +# through the usual method: +# hkp://keyserver.example.net:22742 +# +# Most users just set the name and type of their preferred keyserver. +# Note that most servers (with the notable exception of +# ldap://keyserver.pgp.com) synchronize changes with each other. Note +# also that a single server name may actually point to multiple +# servers via DNS round-robin. hkp://keys.gnupg.net is an example of +# such a "server", which spreads the load over a number of physical +# servers. To see the IP address of the server actually used, you may use +# the "--keyserver-options debug". + +keyserver hkp://keys.gnupg.net +#keyserver mailto:pgp-public-keys@keys.nl.pgp.net +#keyserver ldap://keyserver.pgp.com + +# Common options for keyserver functions: +# +# include-disabled : when searching, include keys marked as "disabled" +# on the keyserver (not all keyservers support this). +# +# no-include-revoked : when searching, do not include keys marked as +# "revoked" on the keyserver. +# +# verbose : show more information as the keys are fetched. +# Can be used more than once to increase the amount +# of information shown. +# +# use-temp-files : use temporary files instead of a pipe to talk to the +# keyserver. Some platforms (Win32 for one) always +# have this on. +# +# keep-temp-files : do not delete temporary files after using them +# (really only useful for debugging) +# +# http-proxy="proxy" : set the proxy to use for HTTP and HKP keyservers. +# This overrides the "http_proxy" environment variable, +# if any. +# +# auto-key-retrieve : automatically fetch keys as needed from the keyserver +# when verifying signatures or when importing keys that +# have been revoked by a revocation key that is not +# present on the keyring. +# +# no-include-attributes : do not include attribute IDs (aka "photo IDs") +# when sending keys to the keyserver. + +keyserver-options auto-key-retrieve + +# Display photo user IDs in key listings + +# list-options show-photos + +# Display photo user IDs when a signature from a key with a photo is +# verified + +# verify-options show-photos + +# Use this program to display photo user IDs +# +# %i is expanded to a temporary file that contains the photo. +# %I is the same as %i, but the file isn't deleted afterwards by GnuPG. +# %k is expanded to the key ID of the key. +# %K is expanded to the long OpenPGP key ID of the key. +# %t is expanded to the extension of the image (e.g. "jpg"). +# %T is expanded to the MIME type of the image (e.g. "image/jpeg"). +# %f is expanded to the fingerprint of the key. +# %% is %, of course. +# +# If %i or %I are not present, then the photo is supplied to the +# viewer on standard input. If your platform supports it, standard +# input is the best way to do this as it avoids the time and effort in +# generating and then cleaning up a secure temp file. +# +# If no photo-viewer is provided, GnuPG will look for xloadimage, eog, +# or display (ImageMagick). On Mac OS X and Windows, the default is +# to use your regular JPEG image viewer. +# +# Some other viewers: +# photo-viewer "qiv %i" +# photo-viewer "ee %i" +# +# This one saves a copy of the photo ID in your home directory: +# photo-viewer "cat > ~/photoid-for-key-%k.%t" +# +# Use your MIME handler to view photos: +# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG" + +# Passphrase agent +# +# We support the old experimental passphrase agent protocol as well as +# the new Assuan based one (currently available in the "newpg" package +# at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent, +# you have to run an agent as daemon and use the option +# +# use-agent +# +# which tries to use the agent but will fallback to the regular mode +# if there is a problem connecting to the agent. The normal way to +# locate the agent is by looking at the environment variable +# GPG_AGENT_INFO which should have been set during gpg-agent startup. +# In certain situations the use of this variable is not possible, thus +# the option +# +# --gpg-agent-info=::1 +# +# may be used to override it. + +# Automatic key location +# +# GnuPG can automatically locate and retrieve keys as needed using the +# auto-key-locate option. This happens when encrypting to an email +# address (in the "user@example.com" form), and there are no +# user@example.com keys on the local keyring. This option takes the +# following arguments, in the order they are to be tried: +# +# cert = locate a key using DNS CERT, as specified in RFC-4398. +# GnuPG can handle both the PGP (key) and IPGP (URL + fingerprint) +# CERT methods. +# +# pka = locate a key using DNS PKA. +# +# ldap = locate a key using the PGP Universal method of checking +# "ldap://keys.(thedomain)". For example, encrypting to +# user@example.com will check ldap://keys.example.com. +# +# keyserver = locate a key using whatever keyserver is defined using +# the keyserver option. +# +# You may also list arbitrary keyservers here by URL. +# +# Try CERT, then PKA, then LDAP, then hkp://subkeys.net: +#auto-key-locate cert pka ldap hkp://subkeys.pgp.net + +# default preferences +personal-digest-preferences SHA256 +cert-digest-algo SHA256 +default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed +#+END_SRC + +Save and exit. + +*** If you have an existing key +#+BEGIN_SRC: bash +gpg --import ~/public_key.txt +gpg --allow-secret-key-import --import ~/private_key.txt +shred -zu ~/private_key.txt +#+END_SRC + +Now check the digest preferences, replacing /keyID/ with your GPG key ID. This applies especially if you have a key which was generated some time ago. + +#+BEGIN_SRC: bash +export MYGPGKEYID=keyID +gpg --edit-key $MYGPGKEYID +setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed +save +gpg --send-keys $MYGPGKEYID +#+END_SRC +*** To create a new key +Generate a key with the following command: + +#+BEGIN_SRC: bash +gpg --gen-key +#+END_SRC + +You can find your GPG key ID by entering: + +#+BEGIN_SRC: bash +gpg --list-keys +#+END_SRC + +The key ID is the second part of the string of numbers and letters. So for example in: + +#+BEGIN_SRC: bash +pub 4096R/EA982E38 2012-05-20 +#+END_SRC + +the key ID is EA982E38. Now send your public key to a server so that others can find it. + +#+BEGIN_SRC: bash +gpg --send-keys $MYGPGKEYID +#+END_SRC +*** root settings +If you later create an encrypted mailing list then the root user will also need to have good GPG settings so that it can generate key pairs for the list. The easiest way to ensure this is to do the following, replacing /myusername/ with your username: + +#+BEGIN_SRC: bash +su +cp -r /home/myusername/.gnupg ~/ +chown -R root:root ~/.gnupg +#+END_SRC + +** Protect processes +Because the BBB has limited RAM some processes may occasionally be automatically killed if physical memory availability is getting too low. The way in which processes are chosen to be sacrificed is not particularly intelligent, and so can result in vital systems being stopped. To try to prevent that from ever happening the following script can be used, which should ensure that at a minimum ssh, email and mysql keep running. + +#+BEGIN_SRC: bash +editor /usr/bin/protectprocesses +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash + +declare -a protect=('/usr/sbin/sshd' '/usr/sbin/mysqld --basedir=/usr' '/bin/sh /usr/bin/mysqld_safe' '/usr/sbin/exim4') + +for p in "${protect[@]}" +do + OOM_PROC_ID=$(ps aux | grep '$p' | grep -v grep | head -n 1 | awk -F ' ' '{print $2}') + if [ ! -z "$OOM_PROC_ID" ]; then + echo -1000 >/proc/$OOM_PROC_ID/oom_score_adj + echo -17 >/proc/$OOM_PROC_ID/oom_adj + fi +done +#+END_SRC + +Save and exit, then edit the cron jobs: + +#+BEGIN_SRC: bash +editor /etc/crontab +#+END_SRC + +And add the line: + +#+BEGIN_SRC: bash +*/1 * * * * root /usr/bin/timeout 30 /usr/bin/protectprocesses +#+END_SRC + +Then save and exit and restart cron. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/protectprocesses +service cron restart +#+END_SRC + +Here cron is used so that if we stop one of the relevant processes and then restart it then its oom priority will be reassigned again +. +** Setting up a web site + +#+BEGIN_VERSE +/It's important to have the geek community as a whole think about its responsibility and what it can do. We need various alternative voices pushing back on conventional government sometimes./ + +-- Tim Berners-Lee +#+END_VERSE + +First remove any existing web server installation and then install nginx together with some scripts for easily enabling and disabling the web sites which we will create. + +#+BEGIN_SRC: bash +apt-get remove --purge apache2 +apt-get install nginx php5-fpm git +cd ~/build +git clone https://github.com/perusio/nginx_ensite +cd ~/build/nginx_ensite +cp nginx_* /usr/sbin +#+END_SRC + +In the examples below replace /mydomainname.com/ with your own domain name. + +#+BEGIN_SRC: bash +export HOSTNAME=mydomainname.com +mkdir /var/www/$HOSTNAME +mkdir /var/www/$HOSTNAME/htdocs +editor /etc/nginx/sites-available/$HOSTNAME +#+END_SRC + +The configuration for the site should look something like the following. Replace /mydonainname.com/ with the site domain name. + +#+BEGIN_SRC: bash +server { + listen 80; + server_name mydomainname.com; + root /var/www/mydomainname.com/htdocs; + error_log /var/www/mydomainname.com/error.log; + index index.html index.htm index.php; + + # Uncomment this if you need to redirect HTTP to HTTPS + #rewrite ^ https://$server_name$request_uri? permanent; + + location / { + try_files $uri $uri/ /index.html; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + } +} + +server { + listen 443 ssl; + root /var/www/mydomainname.com/htdocs; + server_name mydomainname.com; + error_log /var/www/mydomainname.com/error_ssl.log; + index index.html index.htm index.php; + charset utf-8; + client_max_body_size 20m; + client_body_buffer_size 128k; + + ssl on; + ssl_certificate /etc/ssl/certs/mydomainname.com.crt; + ssl_certificate_key /etc/ssl/private/mydomainname.com.key; + ssl_dhparam /etc/ssl/certs/mydomainname.com.dhparam; + + ssl_session_timeout 5m; + ssl_prefer_server_ciphers on; + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive + ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security max-age=15768000; + # if you want to be able to access the site via HTTP + # then replace the above with the following: + # add_header Strict-Transport-Security "max-age=0;"; + + # rewrite to front controller as default rule + location / { + rewrite ^/(.*) /index.php?q=$uri&$args last; + } + + # make sure webfinger and other well known services aren't blocked + # by denying dot files and rewrite request to the front controller + location ^~ /.well-known/ { + allow all; + rewrite ^/(.*) /index.php?q=$uri&$args last; + } + + # statically serve these file types when possible + # otherwise fall back to front controller + # allow browser to cache them + # added .htm for advanced source code editor library + location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ { + expires 30d; + try_files $uri /index.php?q=$uri&$args; + } + + # block these file types + location ~* \.(tpl|md|tgz|log|out)$ { + deny all; + } + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # or a unix socket + location ~* \.php$ { + # Zero-day exploit defense. + # http://forum.nginx.org/read.php?2,88845,page=3 + # Won't work properly (404 error) if the file is not stored on this + # server, which is entirely possible with php-fpm/php-fcgi. + # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on + # another machine. And then cross your fingers that you won't get hacked. + try_files $uri =404; + # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + fastcgi_split_path_info ^(.+\.php)(/.+)$; + # With php5-cgi alone: + # fastcgi_pass 127.0.0.1:9000; + # With php5-fpm: + fastcgi_pass unix:/var/run/php5-fpm.sock; + include fastcgi_params; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + + # deny access to all dot files + location ~ /\. { + deny all; + } + + #deny access to store + location ~ /store { + deny all; + } +} +#+END_SRC + +Save and exit. Then change the domain name. + +#+BEGIN_SRC: bash +sed "s/mydomainname.com/$HOSTNAME/g" /etc/nginx/sites-available/$HOSTNAME > /tmp/website +cp -f /tmp/website /etc/nginx/sites-available/$HOSTNAME +#+END_SRC + +Then to enable the site: + +#+BEGIN_SRC: bash +nginx_dissite default +nginx_ensite $HOSTNAME +makecert $HOSTNAME +#+END_SRC + +If all has gone well then there should be no warnings or errors after you run the service restart command. After that you should enable ports 80 (HTTP) and 443 (HTTPS) on your internet router/firewall, such that they are redirected to the BBB. + +Also limit the amount of memory which any php scripts can use. + +#+BEGIN_SRC: bash +editor /etc/php5/fpm/php.ini +#+END_SRC + +Set the following: + +#+BEGIN_SRC: bash +memory_limit = 32M +#+END_SRC + +Also set: + +#+BEGIN_SRC: bash +cgi.fix_pathinfo=0 +#+END_SRC + +Save and exit. Also edit */etc/php5/cli/php.ini* and set /memory_limit/ to the same value. This should prevent any rogue scripts from crashing the system. + +#+BEGIN_SRC: bash +editor /etc/php5/fpm/pool.d/www.conf +#+END_SRC + +Set the following: + +#+BEGIN_SRC: bash +pm.max_children = 20 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +service php5-fpm restart +service nginx restart +#+END_SRC + +** Accessing your Email + +#+BEGIN_VERSE +/The emails showed that Google...was among several other military/defense contractors vying for a piece of DAC’s $10.9-million surveillance contracting action./ + +-- Article on the "Google-Military-Surveillance Complex" by Yasha Levine +#+END_VERSE + +*** Mutt email client + +#+BEGIN_SRC: bash +apt-get install mutt-patched lynx abook +exit +mkdir ~/.mutt +echo "text/html; lynx -dump -width=78 -nolist %s | sed ‘s/^ //’; copiousoutput; needsterminal; nametemplate=%s.html" > ~/.mutt/mailcap +su +editor /etc/Muttrc +#+END_SRC + +Append the following: + +#+BEGIN_SRC: bash +set mbox_type=Maildir +set folder="~/Maildir" +set mask="!^\\.[^.]" +set mbox="~/Maildir" +set record="+Sent" +set postponed="+Drafts" +set trash="+Trash" +set spoolfile="~/Maildir" +auto_view text/x-vcard text/html text/enriched +set editor="emacs" +set header_cache="+.cache" + +macro index S "=.learn-spam" "move to learn-spam" +macro pager S "=.learn-spam" "move to learn-spam" +macro index H "=.learn-ham" "copy to learn-ham" +macro pager H "=.learn-ham" "copy to learn-ham" + +# set up the sidebar +set sidebar_width=12 +set sidebar_visible=yes +set sidebar_delim='|' +set sidebar_sort=yes + +set rfc2047_parameters + +# Show inbox and sent items +mailboxes = =Sent + +# Alter these colours as needed for maximum bling +color sidebar_new yellow default +color normal white default +color hdrdefault brightcyan default +color signature green default +color attachment brightyellow default +color quoted green default +color quoted1 white default +color tilde blue default + +# ctrl-n, ctrl-p to select next, prev folder +# ctrl-o to open selected folder +bind index \Cp sidebar-prev +bind index \Cn sidebar-next +bind index \Co sidebar-open +bind pager \Cp sidebar-prev +bind pager \Cn sidebar-next +bind pager \Co sidebar-open + +# ctrl-b toggles sidebar visibility +macro index,pager \Cb 'toggle sidebar_visible' "toggle sidebar" + +# esc-m Mark new messages as read +macro index m "T~N;WNT~O;WO\CT~T" "mark all messages read" + + +# Collapsing threads +macro index [ "" "collapse/uncollapse thread" +macro index ] "" "collapse/uncollapse all threads" + +# threads containing new messages +uncolor index "~(~N)" + color index brightblue default "~(~N)" + +# new messages themselves +uncolor index "~N" + color index brightyellow default "~N" + + +# GPG/PGP integration + +# this set the number of seconds to keep in memory the passphrase used to encrypt/sign +set pgp_timeout=60 + +# automatically sign and encrypt with PGP/MIME +set pgp_autosign # autosign all outgoing mails +set pgp_replyencrypt # autocrypt replies to crypted +set pgp_replysign # autosign replies to signed +set pgp_auto_decode=yes # decode attachments +unset smime_is_default + +set alias_file=~/.mutt-alias +source ~/.mutt-alias +set query_command= "abook --mutt-query '%s'" +macro index,pager A "abook --add-email-quiet" "add the sender address to abook" +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/mail/spamassassin/local.cf +#+END_SRC + +Uncomment *use_bayes*, *bayes_auto_learn* + +Save and exit, then run: + +#+BEGIN_SRC: bash +service spamassassin restart +exit +cp /etc/Muttrc ~/.muttrc +touch ~/.mutt-alias +#+END_SRC + +Finally you can then type *mutt* to get access to your email. Hence as a fallback, or if you prefer as the primary way of accessing email, you can ssh into the BBB and use the mutt command line email client. Ssh clients are available for all operating systems, and also you should be reasonably protected from passive surveillance between wherever you are and the BBB (although not between the BBB and the wider internet), which can be useful if you are for example using an Android tablet from a cafe or railway station. + +To use the address book system open an email and then to add the sender to the address list press the A key. It will ask you for an alias which may be used the next time you want to send a mail. Alternatively you may just edit the *~/.mutt-alias* file directly to add email addresses. + +Some useful keys to know are: + +| ESC / | Search for text within message contents | +| "/" | Search for text within headers | +| * | Move to the last message | +| TAB | Move to the next unread message | +| d | Delete a message | +| u | Undelete a mail which is pending deletion | +| $ | Delete all messages selected and check for new messages | +| a | Add to the address book | +| m | Send a new mail | +| ESC-m | Mark all messages as having been read | +| S | Mark a message as spam | +| H | Mark a message as ham | +| CTRL-b | Toggle side bar on/off | +| CTRL-n | Next mailbox (on side bar) | +| CTRL-p | Previous mailbox (on side bar) | +| CTRL-o | Open mailbox (on side bar) | +| ] | Expand or collapse all threads | +| [ | Expand of collapse the current thread | +| CTRL-k | Import a PGP/GPG public key | + +One of the most common things which you might wish to do is to send an email. To do this first press /m/ to create a new message. Enter the address to send to and the subject, then after a few seconds the Emacs editor will appear with a blank document. Type your email then press /CTRL-x CTRL-s/ to save it and /CTRL-x CTRL-c/ to exit. You will then see a summary of the email to be sent out. Press /y/ to send it and then enter your GPG key passphrase (the one you gave when creating a PGP/GPG key). The purpose of that is to add a signature which is a strong proof that the email was written by you and not by someone else. + +*** K9 Android client + +#+BEGIN_VERSE +/The surveillance state is robust. It is robust politically, legally, and technically./ + +-- Bruce Schneier +#+END_VERSE + +**** Incoming server settings + * Select settings/account settings + * Select Fetching mail/incoming server + * Enter your username and password + * IMAP server should be your domain name + * Security: SSL/TLS (always) + * Authentication: Plain + * Port: 993 +**** Outgoing (SMTP) server settings + * Select settings/account settings + * Select Sending mail/outgoing server + * Set SMTP server to your domain name + * Set Security to SSL/TLS (always) + * Set port to 465 + * Set authentication to PLAIN + * Enter your username and password + * Accept the SSL certificate +**** Folders +To view any new folders which you may have created using the /mailinglistrule/ script from your inbox press the *K9 icon* at the top left to access folders, then press the *menu button* and select *refresh folder list*. + +If your folder still doesn't show up then press the *menu button*, select *show folders* and select *all folders*. +*** Webmail + +#+BEGIN_VERSE +/Most of the information extracted is "content", such as recordings of phone calls or the substance of email messages./ + +-- From a 2013 Guardian article on GCHQ/NSA bulk internet data interception. +#+END_VERSE + +For maximum speed and efficiency the recommended email client is Mutt, accessed via ssh, but non-technical people who aren't using an Android app are unlikely to want to use email in that manner. So it's a good idea to also have a webmail system installed, both for accessibility and as a fallback should ssh not be available due to port blocking. + +If you're not already logged in as root: + +#+BEGIN_SRC: bash +su +#+END_SRC + +Install dependencies. + +#+BEGIN_SRC: bash +apt-get install mysql-server +#+END_SRC + +Create a mysql database, specifying a password which should be a long random string generated with a password manager such as KeepassX. + +#+BEGIN_SRC: bash +mysql -u root -p +create database roundcubemail; +CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'roundcubepassword'; +GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube'@'localhost'; +quit +#+END_SRC + +Download roundcube. + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +wget http://freedombone.uk.to/roundcubemail.tar.gz +#+END_SRC + +Verify it. + +#+BEGIN_SRC: bash +sha256sum roundcubemail.tar.gz +1c1560a7a56e6884b45c49f52961dbbb3f6bacbc7e7c755440750a1ab027171c +#+END_SRC + +Extract the files. + +#+BEGIN_SRC: bash +tar -xzvf roundcubemail.tar.gz +export HOSTNAME=mydomainname.com +cp -r roundcubemail-* /var/www/$HOSTNAME/htdocs/mail +chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/mail/temp +chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/mail/logs +rm /var/www/$HOSTNAME/htdocs/mail/.htaccess +#+END_SRC + +Edit your web site configuration. + +#+BEGIN_SRC: bash +editor /etc/nginx/sites-available/$HOSTNAME +#+END_SRC + +Within the 80 VirtualHost section add the following: + +#+BEGIN_SRC: bash + location /mail/ { + deny all; + } +#+END_SRC + +Within the 443 VirtualHost section add the following: + +#+BEGIN_SRC: bash + location /mail/ { + autoindex on; + allow all; + } +#+END_SRC + +Save and exit, then restart the web server. + +#+BEGIN_SRC: bash +service nginx restart +#+END_SRC + +Now with a browser visit https://mydomainname.com/mail/installer. Scroll down and click "next". Give your webmail site a product name. + +Change *spellcheck_engine* to *ATD*. + +Under database settings change the database type to SQlite and leave all other fields blank. + +Unser IMAP set *default_host* to ssl://mydomainname.com, *default_port* to 993 and *username_domain* to your domain name. + +Set *smtp_port* to 465. + +Check "Use the current IMAP username and password for SMTP authentication" + +Change the *database password* to the password you gave when creating the MySql database above. + + + + + +Click *create config* + +Click download to download the file. + +The config file which you downloaded should contain the following: + +#+BEGIN_SRC: bash +$config['default_host'] = 'localhost'; +$config['smtp_port'] = 465; +$config['username_domain'] = ''; +#+END_SRC + +In a terminal on your local machine (not logged into the BBB): + +#+BEGIN_SRC: bash +cd ~/Downloads +scp config.inc.php myusername@mydomainname.com:/home/myusername +#+END_SRC + +Then in a terminal ssh'd into the BBB: + +#+BEGIN_SRC: bash +mv /home/myusername/config.inc.php /var/www/$HOSTNAME/htdocs/mail/config +chmod 755 /var/www/$HOSTNAME/htdocs/mail/config/config.inc.php +#+END_SRC + +Click *continue*. + +Click *initialize database*. + +Under *Test SMTP config* you can use a [[mailinator.com]] address to check that mail can be sent. + +Now we can delete the installer. + +#+BEGIN_SRC: bash +rm -rf /var/www/$HOSTNAME/htdocs/mail/installer +#+END_SRC + +Now with a browser navigate to https://mydomainname.com/mail and log in. + +You'll notice that you may not be able to see any mailing list folders which you may have created earlier using the /mailinglistrule/ script. To make folders visible click on the cog-like settings icon at the bottom left of the screen then select *manage folders*. You will then be able to select which folders you wish to become visible. Make sure that the *Sent*, *spam* and *ham* folders are selected. + +Click on the *Mail* icon to go back to your main mail screen then click on the *Settings* icon at the top right of the screen and select *special folders*. Set *Junk* to *spam* then click the save button. Also select *identities* and make sure that your email address is correct. + +*** Thunderbird + +#+BEGIN_VERSE +/Towards the end of 2012, we heard from the National Technical Assistance Centre (NTAC), a division of GCHQ and a liaison with the Home Office, [that] they wanted the keys to decrypt the customer data./ + +-- Brian Spector, on the shutting down of the PrivateSky encrypted email service +#+END_VERSE + +Another common way in which you may want to access email is via Thunderbird. This may be especially useful if you're trying to convert former Windows users who may previously have been using some version of Outlook. + +The following instructions should be carried out on the client machines (laptop, etc), not on the BBB itself. + +**** Initial setup + +Install *Thunderbird* and *Enigmail*. How you do this just depends upon your distro and software manager or "app store". + +Open Thinderbird + +Select "*Skip this and use existing email*" + +Enter your name, email address (myusername@mydomainname.com) and the password for your user (the one from [[Add a user]]). + +You'll get a message saying "/Thunderbird failed to find the settings/" + +The settings should be as follows, substituting /mydomainname.com/ for your domain name and /myusername/ for the username given previously in [[Add a user]]. + + * Incoming: IMAP, mydomainname.com, 993, SSL/TLS, Normal Password + * Outgoing: SMTP, mydomainname.com, 465, SSL/TLS, Normal Password + * Username: myusername + +Click *Done*. + +Click *Get Certificate* and make sure "*permanently store this exception*" is selected", then click *Store Security Exception*. + +From OpenPGP setup select "*Yes, I would like the wizard to get me started*". If the wizard doesn't start automatically then "setup wizard" can be selected from OpenPGP on the menu bar. + +Select "*Yes, I want to sign all of my email*" + +Select "*No, I will create per-recipient rules*" + +Select "*yes*" to change default settings. + +**** If you have existing GPG key + +Export your GPG public and private keys. + +#+BEGIN_SRC: bash +gpg --output ~/public_key.txt --armor --export KEY_ID +gpg --output ~/private_key.txt --armor --export-secret-key KEY_ID +#+END_SRC + +Select "*I have existing public and private keys*". + +Select your public and private GPG exported key files. + +Select the account which you want to use and click *Next*, *Next* and *Finish*. + +Remove your exported key files. + +#+BEGIN_SRC: bash +shred -zu ~/public_key.txt +shred -zu ~/private_key.txt +#+END_SRC + +**** If you don't have any existing GPG or PGP key +Select "*I want to create a new key pair*" + +Enter a passphrase and click *Next* a couple of times. + +Click *Generate Certificate* to generate a revocation certificate. + +Enter the passphrase which you gave previously. + +Click *Finish* + +From the menu select *OpenPGP* and then *Key Management*. Make sure that *Display all keys* is selected and then select your key. Select *Keyserver* on the menu and then *Upload Public Keys*. This will upload your public key to a key server so that others can find it. + +Select *File* from the menu then *Export keys to file*. Click on *Export Secret keys* and select a location to save them to. It's a good idea to save them to a USB stick which can then be removed from the computer and carried around on a keyring together with your physical keys. If you need to set up GPG or Thunderbird/Enigmail on others then this file will be used to import your keys. + +**** Using for the first time + +Click on the Thunderbird menu, which looks like three horizontal bars on the right hand side. + +Hover over *preferences* and then *Account settings*. + +Select *OpenPGP Security* and make sure that *use PGP/MIME by default* is ticked. This will enable you to sign/encrypt attachments, HTML bodies and UTF-8 without any problems. + +Select *Synchronization & Storage*. + +Make sure that *Keep messages for this account on this computer* is unticked, then click *Ok*. + +Click on *Inbox*. Depending upon how much email you have it may take a while to import the subject lines. + +Note that when sending an email for the first time you will also need to accept the SSL certificate. + +Get into the habit of using email encryption and encourage others to do so. Remember that you may not think that your emails are very interesting but the Surveillance State is highly interested in them and will be actively trying to data mine your private life looking for "suspicious" patterns, regardless of whether you are guilty of any crime or not. + +**** Making folders visible +By default you won't be able to see any folders which you may have created earlier using the /mailinglistrule/ script. To make folders visible select: + +*Menu*, hover over *Preferences*, select *Account Settings*, select *Server Settings* then click on the *Advanced* button. + +Make sure that "*show only subscribed folders*" is not checked. Then click the *ok* buttons. Folders will be re-scanned, which may take some time depending upon how much email you have, but your folders will then appear. +*** Kmail +Kmail doesn't work very well and so isn't recommended. In particular the inbox doesn't appear to be accessible via IMAP. + +When the account assistant screen appears enter your email address and user login. + +Account type: Generic IMAP Email Server +Check /Download all messages for offline use/ +Enter a password for KDE Wallet +When a certificate error appears click /Continue/ then accept /Forever/ +After "could not authenticate" click /Account settings/ +Select /General/ tab +Change your account name, username and password +Select the /Advanced/ tab +Click on /Serverside Subscription/ and ensure that the relevant folders are checked +Click /Finish/ +Click /Check Mail/ +** Create Email folders and rules + +#+BEGIN_VERSE +/Yes, the NSA set fire to the Internet but it’s the business models of Google, Facebook, etc, that provide the firewood. Trusting the companies supplying the firewood to be your fire fighters is naïve at best./ + +-- Aral Balkan +#+END_VERSE + +*** Rules for mailing lists +A common situation with email is that you may be subscribed to various mailing lists and want incoming email from those to be automatically grouped into a separate folder for each list. + +We can make a script to make adding mailing list rules easy: + +#+BEGIN_SRC: bash +editor /usr/bin/mailinglistrule +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash +MYUSERNAME=$1 +MAILINGLIST=$2 +SUBJECTTAG=$3 +MUTTRC=/home/$MYUSERNAME/.muttrc +PM=/home/$MYUSERNAME/.procmailrc +LISTDIR=/home/$MYUSERNAME/Maildir/$MAILINGLIST +if [ ! -d "$LISTDIR" ]; then + mkdir -m 700 $LISTDIR + mkdir -m 700 $LISTDIR/tmp + mkdir -m 700 $LISTDIR/new + mkdir -m 700 $LISTDIR/cur +fi +chown -R $MYUSERNAME:$MYUSERNAME $LISTDIR +echo "" >> $PM +echo ":0" >> $PM +echo " * ^Subject:.*()\[$SUBJECTTAG\]" >> $PM +echo "$LISTDIR/new" >> $PM +chown $MYUSERNAME:$MYUSERNAME $PM +if [ ! -f "$MUTTRC" ]; then + cp /etc/Muttrc $MUTTRC + chown $MYUSERNAME:$MYUSERNAME $MUTTRC +fi +PROCMAILLOG=/home/$MYUSERNAME/log +if [ ! -d $PROCMAILLOG ]; then + mkdir $PROCMAILLOG + chown -R $MYUSERNAME:$MYUSERNAME $PROCMAILLOG +fi +#+END_SRC + +Save and exit, then make the script executable. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/mailinglistrule +#+END_SRC + +Now we can add a new mailing list rule with the following, where /myusername/ is your username, /mailinglistname/ is the name of the mailing list (with no spaces) and /subjecttag/ is the tag which usually appears within square brackets in the subject line of emails from the list. + +#+BEGIN_SRC: bash +mailinglistrule [myusername] [mailinglistname] [subjecttag] +#+END_SRC + +Repeat this command for as many mailing lists as you need. Then edit your local Mutt configuration. + +#+BEGIN_SRC: bash +editor /home/myusername/.muttrc +#+END_SRC + +Search for the *mailboxes* variable and add entries for the mailing lists you just created. For example: + +#+BEGIN_SRC: bash +mailboxes = =Sent =mailinglistname +#+END_SRC + +Then save and exit. + +*** Rules for specific email addresses + +You can also make a script which will allow you to move mail from specific email addresses to a folder. + +#+BEGIN_SRC: bash +editor /usr/bin/emailrule +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash +MYUSERNAME=$1 +EMAILADDRESS=$2 +MAILINGLIST=$3 +MUTTRC=/home/$MYUSERNAME/.muttrc +PM=/home/$MYUSERNAME/.procmailrc +LISTDIR=/home/$MYUSERNAME/Maildir/$MAILINGLIST +if [ ! -d "$LISTDIR" ]; then + mkdir -m 700 $LISTDIR + mkdir -m 700 $LISTDIR/tmp + mkdir -m 700 $LISTDIR/new + mkdir -m 700 $LISTDIR/cur +fi +chown -R $MYUSERNAME:$MYUSERNAME $LISTDIR +echo "" >> $PM +echo ":0" >> $PM +echo " * ^From: $EMAILADDRESS" >> $PM +echo "$LISTDIR/new" >> $PM +chown $MYUSERNAME:$MYUSERNAME $PM +if [ ! -f "$MUTTRC" ]; then + cp /etc/Muttrc $MUTTRC + chown $MYUSERNAME:$MYUSERNAME $MUTTRC +fi +PROCMAILLOG=/home/$MYUSERNAME/log +if [ ! -d $PROCMAILLOG ]; then + mkdir $PROCMAILLOG + chown -R $MYUSERNAME:$MYUSERNAME $PROCMAILLOG +fi +#+END_SRC + +Save and exit, then make the script executable. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/emailrule +#+END_SRC + +Then to add a particular email address to a folder run the command: + +#+BEGIN_SRC: bash +emailrule [myusername] [emailaddress] [foldername] +#+END_SRC + +If you want any mail from the given email address to be deleted then set the /foldername/ to /Trash/. + +To ensure that the folder appears within Mutt. + +#+BEGIN_SRC: bash +editor /home/myusername/.muttrc +#+END_SRC + +Search for the *mailboxes* variable and add entries for the mailing lists you just created. For example: + +#+BEGIN_SRC: bash +mailboxes = =Sent =foldername +#+END_SRC + +Then save and exit. + +** Install a Blog + +#+BEGIN_VERSE +/When society gives censors wide and vague powers they never confine themselves to deserving targets. They are not snipers, but machine-gunners. Allow them to fire at will, and they will hit anything that moves./ + +-- Nick Cohen +#+END_VERSE + +Wordpress is the most popular blogging platform, but in practice I found it to be high maintenance with frequent security updates and breakages. More practical for a home server is Flatpress. Flatpress doesn't use a MySql database, just text files, and so is easy to relocate or reinstall. + +See the [[Setting up a web site]] section of this document for details of how to configure the web server for your blog's domain. + +Download flatpress. + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +wget http://freedombone.uk.to/flatpress.tar.gz +#+END_SRC + +Verify the download: + +#+BEGIN_SRC: bash +sha256sum flatpress.tar.gz +6312a49aab5aabd6371518dcaf081f489dff04d001bc34b4fe3f2a81170bbd4e flatpress.tar.gz +#+END_SRC + +Extract and install it. + +#+BEGIN_SRC: bash +tar -xzvf flatpress.tar.gz +cd flatpress-* +cp -r * /var/www/$HOSTNAME/htdocs +chmod -R 755 /var/www/$HOSTNAME/htdocs/fp-content +chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/fp-content +cd .. +rm -rf flatpress-* +rm -f flatpress.tar.gz +#+END_SRC + +Now visit your blog and follow the setup instructions, which are quite minimal. Various themes and addons are available from the Flatpress web site, http://www.flatpress.org + +** Install an IRC server + +#+BEGIN_VERSE +/Give me the liberty to know, to utter, and to argue freely according to conscience, above all liberties./ + +-- John Milton +#+END_VERSE + +*** Base install + +IRC is not an especially secure system. For instance, even with the best encryption it's easily possible to imagine IRC-specific cribs which could be used by cryptanalytic systems. However, we'll try to implement it in a manner which will at least give the surveillance aparatus something to ponder over. + +#+BEGIN_SRC: bash +adduser ircserver +cd ~/build +wget http://freedombone.uk.to/ircd-hybrid-8.1.20.tgz +#+END_SRC + +Verify the download. + +#+BEGIN_SRC: bash +sha256sum ircd-hybrid-8.1.20.tgz +5570be89fa76b2712d7f08d6c828d613d201daed8c1064be7245fe10bdffa228 +#+END_SRC + +Download Anope. + +#+BEGIN_SRC: bash +wget http://freedombone.uk.to/anope-2.0.1-source.tar.gz +#+END_SRC + +And verify it. + +#+BEGIN_SRC: bash +sha256sum anope-2.0.1-source.tar.gz +539f603adc4f982e3a5ffd175ecb007aadc619a692409b3e9e1f7f15fb1288e6 +#+END_SRC + +Then compile and install them. + +#+BEGIN_SRC: bash +apt-get install libssl-dev cmake +tar -xvf ircd-hybrid-8.1.20.tgz +tar -xvf anope-2.0.1-source.tar.gz +cd ~/build/ircd-hybrid-8.1.20 +./configure -prefix="/home/ircserver/ircd" +make +make install +cd ~/build/anope-2.0.1-source +./Config +#+END_SRC + +Answer the questions as follows: + +#+BEGIN_SRC: bash +In what directory do you want the binaries to be installed? +/home/ircserver/services + +Create it? +y + +Where do you want the data files to be installed? +/home/ircserver/services + +Which group should all Services data files be owned by? +ircserver + +What should the default umask for data files be (in octal)? +007 + +Would you like to build a debug version of Anope? +n + +Would you like to utilize run-cc.pl? +n + +Do you want to build using precompiled headers? +n + +If you need no extra include directories. +NONE + +Are there any extra arguments you wish to pass to CMake? +NONE +#+END_SRC + +Then build and install Anope. + +#+BEGIN_SRC: bash +cd build +make +make install +cd /home/ircserver/ircd/etc +cp reference.conf ircd.conf +#+END_SRC + +Create some ssl certificates: + +#+BEGIN_SRC: bash +mkdir /home/ircserver/ircd/ssl +makecert ircd +mv /etc/ssl/private/ircd.key /home/ircserver/ircd/ssl/ +mv /etc/ssl/certs/ircd.crt /home/ircserver/ircd/ssl/ircd.pem +mv /etc/ssl/certs/ircd.dhparam /home/ircserver/ircd/ssl/dhparam.pem +chmod 640 /home/ircserver/ircd/ssl/* +chown -R ircserver:ircserver /home/ircserver/ircd +chown -R ircserver:ircserver /home/ircserver/services +chown -R ircserver:ircserver /home/ircserver/ircd/ssl +#+END_SRC + +Now edit the configuration: + +#+BEGIN_SRC: bash +editor /home/ircserver/ircd/etc/ircd.conf +#+END_SRC + +Comment out: + +#+BEGIN_SRC: bash +// havent_read_conf = 1; +// flags = need_ident; +#+END_SRC + +Uncomment and change the following lines: + +#+BEGIN_SRC: bash +rsa_private_key_file = "/home/ircserver/ircd/ssl/ircd.key"; +ssl_certificate_file = "/home/ircserver/ircd/ssl/ircd.pem"; +ssl_dh_param_file = "/home/ircserver/ircd/ssl/dhparam.pem"; +#+END_SRC + +Above the ssl parameters set *network_name* to your domain name. + +Uncomment: + +#+BEGIN_SRC: bash +ssl_server_method = tldv1, sslv3; +#+END_SRC + +Within the *operator* section (line 424): + +#+BEGIN_SRC: bash +name = "myusername"; +user = "*@192.168.1.*"; +password = "mypassword"; +encrypted = no; +#+END_SRC + +Within the *connect* section (line 555): + +#+BEGIN_SRC: bash +name = "mydomainname.com"; +host = "192.168.1.60"; +vhost = "192.168.1.60"; +send_password = "mysendacceptpassword"; +accept_password = "mysendacceptpassword"; +#+END_SRC + +And within the *service* section: + +#+BEGIN_SRC: bash +name = "mydomainname.com"; +#+END_SRC + +Within the serverinfo section change *name*, *network_name* and *network_desc* to a name and description for your IRC server. To avoid confusion you could make the name and network name the same as your domain name. + +Change *max_clients* to 20, or a number which is sufficient for the number of simultaneous users you expect. + +Save and exit. + +#+BEGIN_SRC: bash +cd /home/ircserver/services/conf +cp example.conf services.conf +editor services.conf +#+END_SRC + +Set the following, replacing /operatorpassword/ with a password which will be used to manage your IRC channels, /mydomainname.com/ with your domain name and /myusername/ with your username: + +Within the *module* section set *name* to "hybrid". + +Within the *uplink* section set *password* to the /sendacceptpassword/. + +Uncomment *#oper* and *name* underneath it, and change the name to your username. + +Save and exit, then create a daemon. + +#+BEGIN_SRC: bash +editor /etc/init.d/ircd-hybrid +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash +# /etc/init.d/ircd-hybrid + +### BEGIN INIT INFO +# Provides: ircd-hybrid +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: starts irc server +# Description: starts irc server +### END INIT INFO + +# Author: Bob Mottram + +#Settings +SERVICE='ircd-hybrid' +COMMAND='ircd' +USER='ircserver' +NICELEVEL=19 # from 0-19 the bigger the number, the less the impact on system resources +HISTORY=1024 +INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin:/home/ircserver/ircd/sbin:/home/ircserver/ircd/bin' + + +irc_start() { +echo "Starting $SERVICE..." +cd /home/$USER/ircd +su --command "bin/$COMMAND" $USER +su --command "/home/$USER/services/bin/services" $USER +} + + +irc_stop() { +echo "Stopping $SERVICE" +killall -15 $COMMAND +killall -15 $USER +} + + +#Start-Stop here +case "$1" in + start) + irc_start + ;; + stop) + irc_stop + ;; + restart) + irc_stop + sleep 10s + irc_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 +#+END_SRC + +Save and exit, then start the daemon. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/ircd-hybrid +update-rc.d ircd-hybrid defaults +service ircd-hybrid start +#+END_SRC + +*** Channel management + +To to install channel management tools. + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +wget http://freedombone.uk.to/hybserv_1.9.4-1_armhf.deb +#+END_SRC + +Verify it. + +#+BEGIN_SRC: bash +sha256sum hybserv_1.9.4-1_armhf.deb +41bf4eb6e24c87610a80bc14db1103a57484835510eea7e4ba9709c523318615 hybserv_1.9.4-1_armhf.deb +#+END_SRC + +Install it. + +#+BEGIN_SRC: bash +dpkg -i hybserv_1.9.4-1_armhf.deb +#+END_SRC + +Make a md5 version of the password for the IRC server operator. + +#+BEGIN_SRC: bash +/usr/bin/mkpasswd +#+END_SRC + +Edit the ircd-hybrid configuration. + +#+BEGIN_SRC: bash +editor /etc/ircd-hybrid/ircd.conf +#+END_SRC + +Enter the md5 password which you previously created within the /operator/ section. Also change /user/ to: + +#+BEGIN_SRC: bash + user = "*@*"; +#+END_SRC + +Then save and exit. + +#+BEGIN_SRC: bash +editor /etc/hybserv/hybserv.conf +#+END_SRC + +Change #MD5 PASSWORD HERE# to the md5 operator password created earlier, mydomainname.com to your domain name and mysendacceptpassword to the send/accept password specified within /ircd.conf/. + +#+BEGIN_SRC: bash +A:mynickname +N:irc.mydomainname.com:Hybrid services +O:*@*:#MD5 PASSWORD HERE#:root:segj (comment out other Q: lines) +S:mysendacceptpassword:192.168.1.60:6697 (remove the other two services) +#+END_SRC + +Also remove the line *#NOT-EDITED#*, then save and exit. + +Now we need to restart the ircd and hybrid server to make things work: + +#+BEGIN_SRC: bash +service ircd-hybrid restart +service hybserv start +#+END_SRC + +*** Usage with Irssi + +On another computer (not the BBB). + +#+BEGIN_SRC: bash +sudo apt-get install irssi irssi-plugin-otr irssi-plugin-xmpp +irssi +#+END_SRC + +Connect to the IRC and identify yourself as an operator. Here /mynetwork/ should be the same as *network_name* specified earlier within /ircd.conf/. The network name is something equivalent to "freenode". + +#+BEGIN_SRC: bash +/network add -nick mynick mynetwork + +/channel add -auto #mychannel mynetwork channelpassword + +/server add -auto -network mynetwork -ssl mydonainname.com 6697 mysendacceptpassword + +/connect mydomainname.com + +/join #mychannel + +/msg -servername chanserv REGISTER #mychannel channelpassword + +/msg -servername chanserv set #mychannel mlock +k channelpassword + +/set paste_join_multiline OFF +#+END_SRC + +If you edit the irssi config file: + +#+BEGIN_SRC: bash +editor ~/.irssi/config +#+END_SRC + +It should look something like this: + +#+BEGIN_SRC: bash + { + address = "mydomainname.com"; + chatnet = "mynetwork"; + port = "6697"; + password = "mysendacceptpassword"; + use_ssl = "yes"; + ssl_verify = "no"; + autoconnect = "yes"; + }, +#+END_SRC + +If you're not using a self-signed certificate (self-signed is the default) then you can set *ssl_verify* to "yes". + +By default irssi will use UTC time. An example of setting to some other time zone is as follows: + +#+BEGIN_SRC: bash +echo "load perl" >> ~/.irssi/startup +echo "script exec $ENV{'TZ'}='Europe/London';" >> ~/.irssi/startup +#+END_SRC + +Also enable /Off The Record/ (OTR) messaging. + +#+BEGIN_SRC: bash +echo "load otr" >> ~/.irssi/startup +#+END_SRC + +By default Irssi does not look especially attractive. To improve it's looks: + +#+BEGIN_SRC: bash +cd ~/.irssi +wget http://freedombone.uk.to/irssi/xchat.theme +mkdir ~/.irssi/scripts +mkdir ~/.irssi/scripts/autorun +cd ~/.irssi/scripts/autorun +wget http://freedombone.uk.to/irssi/xchatnickcolor.pl +wget http://freedombone.uk.to/irssi/adv_windowlist.pl +#+END_SRC + +Verify the files: + +#+BEGIN_SRC: bash +sha256sum ~/.irssi/xchat.theme +7a84130ad55aabd0b043a03b013628438e6c7f82a58e15267633bc7eb443e60b + +sha256sum ~/.irssi/scripts/autorun/xchatnickcolor.pl +8293e867a22d42ce5a28cd755237509b6f3587fd2b21d7d20af4a832081610ca + +sha256sum ~/.irssi/scripts/autorun/adv_windowlist.pl +e4dd8f6d384bf4f2d0ab5ccf06df06e4a69d2647b08d37c8fc6cfd9326688395 +#+END_SRC + +Then run Irssi and enter the commands: + +#+BEGIN_SRC: bash +/set theme xchat +/statusbar window remove act +/set awl +/set awl_block -14 +/set awl_display_key $Q%K|$N%n $H$C$S +/set awl_display_key_active $Q%K|$N%n $H%U$C%n$S +/set awl_display_nokey [$N]$H$C$S +/run autorun/adv_windowlist.pl +/set awl_viewer off +/save +#+END_SRC + +*** Using irssi with Off The Record messaging (OTR) +Once you're running irssi then you can enable OTR with: + +#+BEGIN_SRC: bash +/statusbar window add otr +/otr genkey mynick@network (for example mynick@irc.freenode.net) +#+END_SRC + +Then to see your OTR fingerprint: + +#+BEGIN_SRC: bash +/otr info +#+END_SRC + +And to trust or distrust someone else's fingerprint. + +#+BEGIN_SRC: bash +/otr trust [fingerprint] +/otr distrust [fingerprint] +#+END_SRC + +*** Usage with XChat +Within the network list click, *Add* and enter your domain name then click *Edit*. + +Select the entry within the servers box, then enter *mydomainname.com/6697* and press *Enter*. + +Uncheck *use global user information*. + +Enter first and second nicknames and check *auto connect to this network on startup*. + +Check *use SSL* and *accept invalid SSL certificate*. + +Enter some favourite channels and within *server password* enter /mysendacceptpassword/ which you defined earlier when setting up the server. + +Click *close* and then *connect*. +*** Install Irssi as a daemon + +It may be useful to run a persistent Irssi session on the BBB. This will enable you to log in and see any entries which occurred previously so that you don't find yourself in an argument without knowledge of what was said in the last few minutes or hours. This feature only works for a single user on the BBB - typically the administrator. + +First install some prerequisites. + +#+BEGIN_SRC: bash +apt-get install irssi irssi-plugin-otr irssi-plugin-xmpp screen +#+END_SRC + +Create an initialisation script. + +#+BEGIN_SRC: bash +editor /etc/init.d/irssid +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash + +### BEGIN INIT INFO +# Provides: irssid +# Required-Start: $network +# Required-Stop: $network +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Start irssi daemon within screen session at boot time +# Description: This init script will start an irssi session under screen using the settings provided in /etc/irssid.conf +### END INIT INFO + +# Include the LSB library functions +. /lib/lsb/init-functions + +# Setup static variables +configFile='/etc/irssid.conf' +daemonExec='/usr/bin/screen' +daemonArgs='-D -m' +daemonName="$(basename "$daemonExec")" +pidFile='/var/run/irssid.pid' + +# +# Checks if the environment is capable of running the script (such as +# availability of programs etc). +# +# Return: 0 if the environmnt is properly setup for execution of init script, 1 +# if not all conditions have been met. +# +function checkEnvironment() { + # Verify that the necessary binaries are available for execution. + local binaries=(irssi screen) + + for bin in "${binaries[@]}"; do + if ! which "$bin" > /dev/null; then + log_failure_msg "Binary '$bin' is not available. Please install \ +package containing it." + exit 5 + fi + done +} + +# +# Checks if the configuration files are available and properly setup. +# +# Return: 0 if irssid if properly configured, 1 otherwise. +# +function checkConfig() { + # Make sure the configuration file has been created + if ! [[ -f $configFile ]]; then + log_failure_msg "Please populate the configuration file '$configFile' \ +before running." + exit 6 + fi + + # Make sure the required options have been set + local reqOptions=(user group session) + for option in "${reqOptions[@]}"; do + if ! grep -q -e "^[[:blank:]]*$option=" "$configFile"; then + log_failure_msg "Mandatory option '$option' was not specified in \ +'$configFile'" + exit 6 + fi + done +} + +# +# Loads the configuration file and performs any additional configuration steps. +# +function configure() { + . "$configFile" + daemonArgs="$daemonArgs -S $session irssi" + [[ -n $args ]] && daemonArgs="$daemonArgs $args" + daemonCommand="$daemonExec $daemonArgs" +} + +# +# Starts the daemon. +# +# Return: LSB-compliant code. +# +function start() { + start-stop-daemon --start -v -b -x /bin/su -p /tmp/irssi.screen.session -m --chdir /home/$user -- - $user -c "screen -D -m -S irssi -- irssi" 1>>/log.irssi +} + +# +# Stops the daemon. +# +# Return: LSB-compliant code. +# +function stop() { + start-stop-daemon --stop -x /bin/su -p /tmp/irssi.screen.session -q +} + +checkEnvironment +checkConfig +configure + +case "$1" in + start) + log_daemon_msg "Starting daemon" "irssid" + start && log_end_msg 0 || log_end_msg $? + ;; + stop) + log_daemon_msg "Stopping daemon" "irssid" + stop && log_end_msg 0 || log_end_msg $? + ;; + restart) + log_daemon_msg "Restarting daemon" "irssid" + stop + start && log_end_msg 0 || log_end_msg $? + ;; + force-reload) + log_daemon_msg "Restarting daemon" "irssid" + stop + start && log_end_msg 0 || log_end_msg $? + ;; + status) + status_of_proc -p "$pidFile" "$daemonExec" screen && exit 0 || exit $? + ;; + *) + echo "irssid (start|stop|restart|force-reload|status|help)" + ;; +esac +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/irssid +#+END_SRC + +Create a configuration file, replacing /myusername/ with your username. + +#+BEGIN_SRC: bash +editor /etc/irssid.conf +#+END_SRC + +#+BEGIN_SRC: bash +# +# Configuration file for irssid init script +# +# Mandatory options: +# +# user - Specify user for running irssi. +# group - Specify group for running irssi. +# session - Specify screen session name to be used for irssi. +# +# Non-mandatory options: +# +# args - Pass additional arguments to irssi. +# + +user='myusername' +group='irssi' +session='irssi' +args='--config /home/myusername/.irssi/config' +#+END_SRC + +Save and exit. Then add your user to the irssi group and start the daemon. + +#+BEGIN_SRC: bash +groupadd irssi +usermod -aG irssi myusername +update-rc.d irssid defaults +chown -R myusername:irssi /home/myusername/.irssi +service irssid start +#+END_SRC + +Create a script to make running IRC on the server easier. + +#+BEGIN_SRC: bash +editor /usr/bin/irc +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash +screen -r irssi +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/irc +chown myusername:myusername /usr/bin/irc +#+END_SRC + +Then to subsequently access irssi log into the BBB using ssh and type: + +#+BEGIN_SRC: bash +irc +#+END_SRC + +To set UK time within Irssi: + +#+BEGIN_SRC: bash +/script exec $ENV{'TZ'}='Europe/London'; +/save +#+END_SRC + +** Install a Jabber/XMPP server + +#+BEGIN_VERSE +/Well heck, it isn’t that hard to write an instant messaging system./ + +--Jeremie Miller +#+END_VERSE + +*** The Server + +Generate a SSL certificate. + +#+BEGIN_SRC: bash +makecert xmpp +chown prosody:prosody /etc/ssl/private/xmpp.key +chown prosody:prosody /etc/ssl/certs/xmpp.* +#+END_SRC + +Install Prosody. + +#+BEGIN_SRC: bash +apt-get install prosody +chown prosody:prosody /etc/ssl/private/xmpp.key +chown prosody:prosody /etc/ssl/certs/xmpp.crt +cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua +editor /etc/prosody/conf.avail/xmpp.cfg.lua +#+END_SRC + +Change the *VirtualHost* name to your domain name and remove the line below it. + +Set the ssl section to: + +#+BEGIN_SRC: bash + ssl = { + key = "/etc/ssl/private/xmpp.key"; + certificate = "/etc/ssl/certs/xmpp.crt"; + dhparam = "/etc/ssl/certs/xmpp.dhparam"; + } +#+END_SRC + +And also append the following: + +#+BEGIN_SRC: bash +modules_enabled = { + "bosh"; -- Enable mod_bosh + "tls"; -- Enable mod_tls +} + +c2s_require_encryption = true +s2s_require_encryption = true +#+END_SRC + +Save and exit. Create a symbolic link. + +#+BEGIN_SRC: bash +ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua +editor /etc/prosody/prosody.cfg.lua +#+END_SRC + +Within the *ssl* section set: + +#+BEGIN_SRC: bash +ssl = { + key = "/etc/ssl/private/xmpp.key"; + certificate = "/etc/ssl/certs/xmpp.crt"; + dhparam = "/etc/ssl/certs/xmpp.dhparam"; +} +#+END_SRC + +Uncomment and set the following to *true* + +#+BEGIN_SRC: bash +c2s_require_encryption = true +s2s_require_encryption = true +#+END_SRC + +Within the *modules_enabled* section uncomment *bosh*, then save and exit. + +Add a user. You will be prompted to specify a password. You can repeat the process for as many users as needed. This will also be your Jabber ID (JID). + +#+BEGIN_SRC: bash +prosodyctl adduser myusername@mydomainname.com +#+END_SRC + +Restart the server + +#+BEGIN_SRC: bash +service prosody restart +#+END_SRC + +On your internet router/firewall open ports 5222, 5223, 5269, 5280 and 5281 and forward them to the BBB. + +It's possible to test that your XMPP server is working at https://xmpp.net. It may take several minutes and you'll get a low score because of the self-signed certificate, but it will at least verify that your server is capable of communicating. + +*** Managing users + +To add a user: + +#+BEGIN_SRC: bash +prosodyctl adduser myusername@mydomainname.com +#+END_SRC + +To change a user password: + +#+BEGIN_SRC: bash +prosodyctl passwd myusername@mydomainname.com +#+END_SRC + +To remove a user: + +#+BEGIN_SRC: bash +prosodyctl deluser myusername@mydomainname.com +#+END_SRC + +Report the status of the XMPP server: + +#+BEGIN_SRC: bash +prosodyctl status +#+END_SRC + +*** Using with Jitsi +Jitsi is the recommended communications client for desktop or laptop systems, since it includes the /off the record/ (OTR) feature which provides some additional security beyond the usual SSL certificates. + +Jitsi can be downloaded from https://jitsi.org/ + +On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu. + +Click *Add* to add a new user, then enter the Jabber ID which you previously specified with /prosodyctl/ when setting up the XMPP server. Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online). + +From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security. + +When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select *View Certificate* and enable the checkbox to trust the certificate, then select *Continue Anyway*. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer. + +You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR. +*** Using with Ubuntu +The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to. + +Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*. + +Enter your username (myusername@mydomainname.com) and password. + +Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*. +*** Using with Android + +There are a few XMPP clients available on Android. Ideally choose ones which support off-the-record messaging. Here are some examples. + +**** Xabber +Install [[https://f-droid.org/][F-Droid]] + +Search for and install Xabber. + +Add an account and enter your Jabber/XMPP ID and password. + +From the menu select *Settings* then *Security* then *OTR mode*. Set the mode to *Required*. + +Make sure that *Check server certificate* is not checked. + +Go back to the initial screen and then using the menu you can add contacts and begin chatting. Both parties will need to go through the off-the-record question and answer verification before the chat can begin, but that only needs to be done once for each person you're chatting with. + +**** Gibberbot +Install [[https://f-droid.org/][F-Droid]] + +Search for and install Gibberbot, otherwise known as ChatSecure. + +From the menu open *Accounts* + +Select *Add account* + +Change the server port from 0 to 5222 + +Done + +Accept unknown certificate? Select *Always* + +Go back to the initial screen and then using the menu you can add contacts and begin chatting. + +** Social Networking + +#+BEGIN_VERSE +/Facebook is not your friend, it is a surveillance engine./ + +-- Richard Stallman, Free Software Foundation +#+END_VERSE + +*** Friendica +**** Installation + +See [[Setting up a web site]] for details of how to update a web server configuration for your Friendica site. You should have a separate domain name specifically to run Friendica on. It can't be installed in a subdirectory on a domain used for something else. + +Edit your web server configuration: + +#+BEGIN_SRC: bash +editor /etc/nginx/sites-available/myfriendicadomainname.com +#+END_SRC + +Replace the section which begins with "listen 80" with the following: + +#+BEGIN_SRC: bash +server { + listen 80; + rewrite ^ https://$server_name$request_uri? permanent; +} +#+END_SRC + +Save and exit, then restart the web server. + +#+BEGIN_SRC: bash +service nginx restart +#+END_SRC + +Now install some dependencies. + +#+BEGIN_SRC: bash +apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt php5-fpm php5-cgi php-apc +#+END_SRC + +If you are installing /mysql-server/ for the first time then enter an admin password. + +Reduce the memory use of mysql by using the "small" configuration. + +#+BEGIN_SRC: bash +cp /usr/share/doc/mysql-server-5.5/examples/my-small.cnf /etc/mysql/my.cnf +#+END_SRC + +Create a mysql database, replacing /myfriendicapassword/ with a password used to administer the friendica database. + +#+BEGIN_SRC: bash +mysql -u root -p +create database friendica; +CREATE USER 'friendicaadmin'@'localhost' IDENTIFIED BY 'myfriendicapassword'; +GRANT ALL PRIVILEGES ON friendica.* TO 'friendicaadmin'@'localhost'; +quit +#+END_SRC + +You may need to fix Git SSL problems. + +#+BEGIN_SRC: bash +git config --global http.sslVerify true +apt-get install ca-certificates +cd ~/ +editor .gitconfig +#+END_SRC + +The .gitconfig file should look something like this: + +#+BEGIN_SRC: bash +[user] + name = yourname + email = myusername@mydomainname.com +[http] + sslVerify = true + sslCAinfo = /etc/ssl/certs/ca-certificates.crt +#+END_SRC + +Get the source code. + +#+BEGIN_SRC: bash +export HOSTNAME=myfriendicadomainname.com +cd /var/www/$HOSTNAME +rm -rf htdocs +git clone https://github.com/friendica/friendica.git htdocs +chmod -R 755 htdocs +chown -R www-data:www-data htdocs +chown -R www-data:www-data htdocs/view/smarty3 +git clone https://github.com/friendica/friendica-addons.git htdocs/addon +#+END_SRC + +Now visit the URL of your site and you should be taken through the rest of the installation procedure. + +| Database Server Name | localhost | +| Database login name | friendicaadmin | +| Database Login Password | myfriendicapassword | +| Database Name | friendica | + +When installation is complete if you already have an exported account which you wish to import then visit https://myfriendicadomain.com/uimport, rather than registering a new user. + +Install the poller. + +#+BEGIN_SRC: bash +editor /etc/crontab +#+END_SRC + +and append the following, changing /myfriendicadomainname.com/ to whatever your Friendica domain is. + +#+BEGIN_SRC: bash +*/10 * * * * root cd /var/www/myfriendicadomainname.com/htdocs; /usr/bin/timeout 120 /usr/bin/php include/poller.php +#+END_SRC + +Save and exit, then restart cron. + +#+BEGIN_SRC: bash +service cron restart +#+END_SRC + +You can improve the speed of Friendica database searches by adding the following indexes: + +#+BEGIN_SRC: bash +mysql -u root -p +use friendica; +CREATE INDEX `uri_received` ON item(`uri`, `received`); +CREATE INDEX `received_uri` ON item(`received`, `uri`); +CREATE INDEX `contact-id_created` ON item(`contact-id`, created); +CREATE INDEX `uid_network_received` ON item(`uid`, `network`, `received`); +CREATE INDEX `uid_parent` ON item(`uid`, `parent`); +CREATE INDEX `uid_received` ON item(`uid`, `received`); +CREATE INDEX `uid_network_commented` ON item(`uid`, `network`, `commented`); +CREATE INDEX `uid_title` ON item(uid, `title`); +CREATE INDEX `created_contact-id` ON item(`created`, `contact-id`); +quit +#+END_SRC + +Make sure that Friendica doesn't use too much memory. + +#+BEGIN_SRC: bash +editor /var/www/$HOSTNAME/htdocs/.htaccess +#+END_SRC + +Append the following: + +#+BEGIN_SRC: bash +php_value memory_limit 32M +#+END_SRC + +The save ane exit. + +**** Backups + +Make sure that the database gets backed up. By using cron if anything goes wrong then you should be able to recover the database either from the previous day or the previous week. + +#+BEGIN_SRC: bash +editor /etc/cron.daily/backup +#+END_SRC + +Enter the following, replacing /myusername@mydomainname.com/ with your email address and the mysql root password as appropriate. + +#+BEGIN_SRC: bash +#!/bin/sh + +EMAIL=myusername@mydomainname.com + +MYSQL_PASSWORD= +umask 0077 + +# stop the web server to avoid any changes to the databases during backup +service nginx stop + +# Save to a temporary file first so that it can be checked for non-zero size +TEMPFILE=/tmp/friendicared.sql + +# Backup the Friendica database +DAILYFILE=/var/backups/friendica_daily.sql +mysqldump --password=$MYSQL_PASSWORD friendica > $TEMPFILE +FILESIZE=$(stat -c%s $TEMPFILE) +if [ "$FILESIZE" -eq "0" ]; then + if [ -f $DAILYFILE ]; then + cp $DAILYFILE $TEMPFILE + + # try to restore yesterday's database + mysql -u root --password=$MYSQL_PASSWORD friendica -o < $DAILYFILE + + # Send a warning email + echo "Unable to create a backup of the Friendica database. Attempted to restore from yesterday's backup." | mail -s "Friendica backup" $EMAIL + else + # Send a warning email + echo "Unable to create a backup of the Friendica database." | mail -s "Friendica backup" $EMAIL + fi +else + chmod 600 $TEMPFILE + mv $TEMPFILE $DAILYFILE + + # Make the backup readable only by root + chmod 600 $DAILYFILE +fi + + +# Backup the Roundcube database +DAILYFILE=/var/backups/roundcubemail_daily.sql +mysqldump --password=$MYSQL_PASSWORD roundcubemail > $TEMPFILE +FILESIZE=$(stat -c%s $TEMPFILE) +if [ "$FILESIZE" -eq "0" ]; then + if [ -f $DAILYFILE ]; then + cp $DAILYFILE $TEMPFILE + + # try to restore yesterday's database + mysql -u root --password=$MYSQL_PASSWORD roundcubemail -o < $DAILYFILE + + # Send a warning email + echo "Unable to create a backup of the Roundcube database. Attempted to restore from yesterday's backup" | mail -s "Roundcube backup" $EMAIL + else + # Send a warning email + echo "Unable to create a backup of the Roundcube database." | mail -s "Roundcube backup" $EMAIL + fi +else + chmod 600 $TEMPFILE + mv $TEMPFILE $DAILYFILE + + # Make the backup readable only by root + chmod 600 $DAILYFILE +fi + + +# Backup the Red Matrix database +DAILYFILE=/var/backups/redmatrix_daily.sql +#mysqldump --password=$MYSQL_PASSWORD redmatrix > $TEMPFILE +#FILESIZE=$(stat -c%s $TEMPFILE) +#if [ "$FILESIZE" -eq "0" ]; then +# if [ -f $DAILYFILE ]; then +# cp $DAILYFILE $TEMPFILE + +# # try to restore yesterday's database +# mysql -u root --password=$MYSQL_PASSWORD redmatrix -o < $DAILYFILE + +# # Send a warning email +# echo "Unable to create a backup of the Red Matrix database. Attempted to restore from yesterday's backup" | mail -s "Red Matrix backup" $EMAIL +# else +# # Send a warning email +# echo "Unable to create a backup of the Red Matrix database." | mail -s "Red Matrix backup" $EMAIL +# fi +#else +# chmod 600 $TEMPFILE +# mv $TEMPFILE $DAILYFILE + +# # Make the backup readable only by root +# chmod 600 $DAILYFILE +#fi + + +# restart the web server +service nginx start + +exit 0 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod 600 /etc/cron.daily/backup +chmod +x /etc/cron.daily/backup +editor /etc/cron.weekly/backup +#+END_SRC + +Enter the following + +#+BEGIN_SRC: bash +#!/bin/sh + +umask 0077 + +# Friendica +cp -f /var/backups/friendica_weekly.sql /var/backups/friendica_2weekly.sql +cp -f /var/backups/friendica_daily.sql /var/backups/friendica_weekly.sql + +# Roundcube +cp -f /var/backups/roundcubemail_weekly.sql /var/backups/roundcubemail_2weekly.sql +cp -f /var/backups/roundcubemail_daily.sql /var/backups/roundcubemail_weekly.sql + +# Red Matrix +#cp -f /var/backups/redmatrix_weekly.sql /var/backups/redmatrix_2weekly.sql +#cp -f /var/backups/redmatrix_daily.sql /var/backups/redmatrix_weekly.sql +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod 600 /etc/cron.weekly/backup +chmod +x /etc/cron.weekly/backup +editor /etc/cron.monthly/backup +#+END_SRC + +Enter the following + +#+BEGIN_SRC: bash +#!/bin/sh + +# Friendica +cp -f /var/backups/friendica_monthly.sql /var/backups/friendica_2monthly.sql +cp -f /var/backups/friendica_weekly.sql /var/backups/friendica_monthly.sql + +# Roundcube +cp -f /var/backups/roundcubemail_monthly.sql /var/backups/roundcubemail_2monthly.sql +cp -f /var/backups/roundcubemail_weekly.sql /var/backups/roundcubemail_monthly.sql + +# Red Matrix +#cp -f /var/backups/redmatrix_monthly.sql /var/backups/redmatrix_2monthly.sql +#cp -f /var/backups/redmatrix_weekly.sql /var/backups/redmatrix_monthly.sql +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod 600 /etc/cron.monthly/backup +chmod +x /etc/cron.monthly/backup +#+END_SRC + +**** Recommended configuration +***** Admin +To get to the admin settings you will need to be logged in with the admin email address which you specified at the beginning of the installation procedure. Depending upon the theme which you're using "/admin/" will be available either as an icon or on a drop down menu. + +Under the *plugins* section the main one which you may wish to enable is the NSFW plugin. With that enabled if a post contans the #NSFW tag then it will appear minimised by default and you will need to click a button to open it. + +Under the *themes* section select a few themes, including mobile themes which are suitable for phones or tablets. + +Under the *site* section give your Friendica node a name other than "/my friend network/", you can change the icon and banner text and set the default mobile theme typically to /frost-mobile/. If you don't want your node to host a lot of accounts for people you don't know then you may want to set the register policy to "/requires approval/". For security it's probably a good idea only to host accounts for people who you actually know, rather than random strangers. Also be aware that the Beaglebone does not have a great deal of computational power or bandwidth and will not function well if there are hundreds of users using your node. If you're not federating with Diaspora or other sites then you may wish to select "/only allow Friendica contacts/". That improves the security of the system, since communication between Friendica nodes is always encrypted separately and in addition to the usual SSL encryption layer - which makes life interesting for the Surveillance State and at least keeps those cryptanalysts employed. + +If you also wish to publish your public posts to a Diaspora node then within the *site* settings select *enable Diaspora support*. + +It's probably a good idea to enable "/private posts by default for new users/" and also "/don't include post content in email notifications/". Since traditional email isn't a secure system and is easily vulnerable to attack by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]]. + +***** Settings +Each user has their own customisable settings, typically available either via an icon or by an entry on a drop down menu. + +Under *additional features* enable "/richtext editor/", "/post preview/", "/group filter/", "/network filter/", "/edit sent posts/" and "/dislike posts/". + +Under *display settings* select your desktop and mobile themes. + +Once you have connected to enough friends it's also a good idea to use the "/export personal data/" option from here. This will save a file to your local system, which you can import into another friendica node if necessary. +**** To access from an Android device +***** App +Open a browser on your device and go to https://f-droid.org/ then download and install the F-Droid apk. If you then open F-Droid you can search for and install the Friendica app. + +If you are using a self-signed certificate then at the login screen scroll down to the bottom, select the SSL settings then scroll down and disable SSL certificate checks. You will then be able to log in using https, which at least gives you some protection via the encryption. + +More information about the Friendica app can be found on http://friendica-for-android.wiki-lab.net/ +***** Mobile Theme +Another way to access Friendica from a mobile device is to just use the web browser. If you have selected a mobile theme within your settings then when viewing from an Android system the mobile theme will be displayed. +*** Movim + +#+BEGIN_VERSE +/The way we communicate with others and with ourselves ultimately determines the quality of our lives/ + +-- Anthony Robbins +#+END_VERSE + +Movim is another social networking system based around the XMPP protocol. + +You will need to have previously [[Install a Jabber/XMPP server][installed the Jabber/XMPP server]]. + +Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Movim via HTTPS, so to prevent anyone from accidentally logging in insecurely: + +#+BEGIN_SRC: bash +editor /etc/apache2/sites-available/mydomainname.com +#+END_SRC + +Within the section which begins with ** add the following: + +#+BEGIN_SRC: bash + + deny from all + +#+END_SRC + +Within the section which begins with ** add the following: + +#+BEGIN_SRC: bash + + Options Indexes FollowSymLinks MultiViews + AllowOverride All + Order allow,deny + allow from all + +#+END_SRC + +Save and exit, then restart the apache server. + +#+BEGIN_SRC: bash +service apache2 restart +#+END_SRC + +Download the source. + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +wget http://freedombone.uk.to/movim.tar.gz +#+END_SRC + +Verify it. + +#+BEGIN_SRC: bash +sha256sum movim.tar.gz +2740ddbedf6cefcc2934759374376643b6cdea4fb7f944ec25098a6868cb499e movim.tar.gz +#+END_SRC + +Install it. + +#+BEGIN_SRC: bash +tar -xzvf movim.tar.gz +export HOSTNAME=mydomainname.com +cp -r movim-* /var/www/$HOSTNAME/htdocs/movim +chmod 755 /var/www/$HOSTNAME/htdocs/movim +chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/movim +#+END_SRC + +Install some MySql prerequisites. + +#+BEGIN_SRC: bash +apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt +#+END_SRC + +If necessary, enter an admin password for MySQL. + +Reduce the memory use of mysql by using the "small" configuration. + +#+BEGIN_SRC: bash +cp /usr/share/doc/mysql-server-5.5/examples/my-small.cnf /etc/mysql/my.cnf +#+END_SRC + +Create a mysql database. + +#+BEGIN_SRC: bash +mysql -u root -p +create database movim; +CREATE USER 'movimadmin'@'localhost' IDENTIFIED BY 'movimadminpassword'; +GRANT ALL PRIVILEGES ON movim.* TO 'movimadmin'@'localhost'; +quit +#+END_SRC + +With a web browser navigate to: + +https://mydomainname.com/movim/admin + +Enter /admin/ as the username and /password/ as the password. + +Click on /General Settings/ and alter the administrator username to /movimadmin/ and password to some long random string (using a password manager such as KeepassX). + +Change the /Environment/ from /Development/ to /Production/. + +The /BOSH URL/ should be http://localhost:5280/http-bind (TODO: should this be https://localhost:5281/http-bind and if so do certificate warnings need to be disabled?) + +Click /Submit/ followed by /Resend/. + +Click on /Database Settings/ and alter the MySql movim database username to /movimadmin/ and password to the password you specified in the previous step. + +Click /Submit/ followed by /Resend/. If you get a lot of orange warnings about database fields being created then hit /Submit/ again until you see "Movim database is up to date". + +If everything on all three tabs looks green then you are ready to go. Click on the Movim logo at the top left and then log in with your Jabber ID (JID). + +*** Red Matrix +**** Introduction +Red Matrix is the current version of the Friendica social networking system. It's more general than Friendica in that it's designed as a generic communication system based around a protocol called "zot". At the time of writing in early 2014 Red Matrix remains at an alpha stage of development and so it's not advised that you install it unless you're willing to put up with bugs and frustrations. In the large majority of cases it's better to stick with Friendica for now. + +**** Prerequisites +The main problem with Red Matrix is that in order to install it you will need to have purchased a domain name (i.e. not a FreeDNS subdomain) and a SSL certificate for it. + +You could join some other Red Matrix server, but this suffers from "/The Levison Problem/" in which some goons show up with a gagging order demanding coppies of the SSL private key. In that scenario unless the owner of the server is exceptionally brave users may never be informed that the site has been compromised or that there is interception hardware attached to the server. Joining another server defeats the object of being digitally self-sufficient and raises legal question marks about the ownership of data which you might upload to a server which doesn't belong to you. + +**** Installation + +See [[Setting up a web site]] for details of how to update the Apache configuration for your Red Matrix site. You should have a separate domain name specifically to run Red Matrix on. It can't be installed in a subdirectory on a domain used for something else. + +Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Red Matrix via HTTPS, so to prevent anyone from accidentally logging in insecurely: + +#+BEGIN_SRC: bash +editor /etc/apache2/sites-available/mydomainname.com +#+END_SRC + +Replace the section which begins with ** with the following: + +#+BEGIN_SRC: bash + + ServerAdmin myusername@mydomainname.com + ServerName myredmatrixdomainname.com + + RewriteEngine On + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} + +#+END_SRC + +Save and exit, then restart the apache server. + +#+BEGIN_SRC: bash +service apache2 restart +#+END_SRC + +Now install some dependencies. + +#+BEGIN_SRC: bash +apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt +#+END_SRC + +Enter an admin password for MySQL. + +Reduce the memory use of mysql by using the "small" configuration. + +#+BEGIN_SRC: bash +cp /usr/share/doc/mysql-server-5.5/examples/my-small.cnf /etc/mysql/my.cnf +#+END_SRC + +Create a mysql database. + +#+BEGIN_SRC: bash +mysql -u root -p +create database redmatrix; +CREATE USER 'redmatrixadmin'@'localhost' IDENTIFIED BY 'password'; +GRANT ALL PRIVILEGES ON redmatrix.* TO 'redmatrixadmin'@'localhost'; +quit +#+END_SRC + +You may need to fix Git SSL problems. + +#+BEGIN_SRC: bash +git config --global http.sslVerify true +apt-get install ca-certificates +cd ~/ +editor .gitconfig +#+END_SRC + +The .gitconfig file should look something like this: + +#+BEGIN_SRC: bash +[http] + sslVerify = true + sslCAinfo = /etc/ssl/certs/ca-certificates.crt +[user] + email = myusername@mydomainname.com + name = yourname +#+END_SRC + +Get the source code. + +#+BEGIN_SRC: bash +export HOSTNAME=mydomainname.com +mkdir /var/www/$HOSTNAME +cd /var/www/$HOSTNAME +rm -rf htdocs +git clone https://github.com/friendica/red.git htdocs +chmod -R 755 htdocs +chown -R www-data:www-data htdocs +mkdir htdocs/view/tpl/smarty3 +mkdir htdocs/store/[data] +mkdir htdocs/store/[data]/smarty3 +chmod 777 htdocs/view/tpl +chmod 777 htdocs/view/tpl/smarty3 +chmod 777 htdocs/store/[data]/smarty3 +git clone https://github.com/friendica/red-addons.git htdocs/addon +#+END_SRC + +Now visit the URL of your site and you should be taken through the rest of the installation procedure. Note that this may take a few minutes so don't be concerned if it looks as if it has crashed - just leave it running. If you have trouble with "allow override" ensure that "AllowOverride" is set to "all" in your Apache settings for the site (within /etc/apache2/sites-available) and then restart the apache2 service. + +Install the poller. + +#+BEGIN_SRC +editor /etc/crontab +#+END_SRC + +and append the following, changing /mydomainname.com/ to whatever your domain is. + +#+BEGIN_SRC +12,22,32,42,52 * * * * root cd /var/www/mydomainname.com/htdocs; /usr/bin/timeout 240 /usr/bin/php include/poller.php +#+END_SRC + +Save and exit, then restart cron. + +#+BEGIN_SRC: bash +service cron restart +#+END_SRC + +**** Backups + +Make sure that the database gets backed up. By using cron if anything goes wrong then you should be able to recover the database either from the previous day or the previous week. + +#+BEGIN_SRC: bash +editor /etc/cron.daily/backup +#+END_SRC + +Uncomment the lines for Red Matrix, then save and exit. If you didn't install Friendica earlier then see the backup section within the Friendica install instructions. + +#+BEGIN_SRC: bash +chmod 600 /etc/cron.daily/backup +chmod +x /etc/cron.daily/backup +editor /etc/cron.weekly/backup +#+END_SRC + +If you already have a backup script created for Friendica then just uncomment the lines for Red Matrix. The backup script should look something like the following: + +#+BEGIN_SRC: bash +#!/bin/sh + +umask 0077 + +# Friendica +cp -f /var/backups/friendica_weekly.sql /var/backups/friendica_2weekly.sql +cp -f /var/backups/friendica_daily.sql /var/backups/friendica_weekly.sql + +# Red Matrix +cp -f /var/backups/redmatrix_weekly.sql /var/backups/redmatrix_2weekly.sql +cp -f /var/backups/redmatrix_daily.sql /var/backups/redmatrix_weekly.sql +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod 600 /etc/cron.weekly/backup +chmod +x /etc/cron.weekly/backup +editor /etc/cron.monthly/backup +#+END_SRC + +If you already have a backup script created for Friendica then just uncomment the lines for Red Matrix. The backup script should look something like the following: + +#+BEGIN_SRC: bash +#!/bin/sh + +# Friendica +cp -f /var/backups/friendica_monthly.sql /var/backups/friendica_2monthly.sql +cp -f /var/backups/friendica_weekly.sql /var/backups/friendica_monthly.sql + +# Red Matrix +cp -f /var/backups/redmatrix_monthly.sql /var/backups/redmatrix_2monthly.sql +cp -f /var/backups/redmatrix_weekly.sql /var/backups/redmatrix_monthly.sql +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod 600 /etc/cron.monthly/backup +chmod +x /etc/cron.monthly/backup +#+END_SRC + +**** To access from an Android device +***** App +Open a browser on your device and go to https://f-droid.org/ then download and install the F-Droid apk. If you then open F-Droid you can search for and install the Friendica app. + +If you are using a self-signed certificate then at the login screen scroll down to the bottom, select the SSL settings then scroll down and disable SSL certificate checks. You will then be able to log in using https, which at least gives you some protection via the encryption. + +More information about the Friendica app can be found on http://friendica-for-android.wiki-lab.net/ + +*** pump.io + :PROPERTIES: + :ORDERED: t + :END: + +pump.io is the successor to StatusNet (which later became [[GNU Social]]) and is a communications system which can do things other than just microblogging. It takes fewer system resources to run and so is better suited to low power servers such as the BBB, but is more complicated to install. pump.io doesn't work well with self-signed SSL certificates so this may be something which you can only use if you have your own domain and an "authority" issued certificate. Using a self-signed certificate you can only use pump.io as a /data silo/ which won't federate with other servers. + +For a pump.io site you will need a separate domain/subdomain, so see [[Setting up a web site]] for details of how to create an Apache configuration for your site. If you're using freedns then you will need to create a new subdomain. + +#+BEGIN_SRC: bash +apt-get update +apt-get install build-essential openssl libssl-dev redis-server imagemagick graphicsmagick git-core screen +#+END_SRC + +Download nodejs + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +wget http://freedombone.uk.to/node_0.10.28-1_armhf.deb +#+END_SRC + +Verify it. + +#+BEGIN_SRC: bash +sha256sum node_0.10.28-1_armhf.deb +42000a475d3397f295fe76998e79af999eebb8324ac9bb4981e931fabd9297aa +#+END_SRC + +Install it. + +#+BEGIN_SRC: bash +dpkg -i node_0.10.28-1_armhf.deb +#+END_SRC + +Install pump.io + +#+BEGIN_SRC: bash +cd /opt +git clone https://github.com/e14n/pump.io.git +cd /opt/pump.io +npm install +npm install databank-redis +echo "vm.overcommit_memory=1" >> /etc/sysctl.conf +sysctl vm.overcommit_memory=1 +#+END_SRC + +Now edit the configuration file. + +#+BEGIN_SRC: bash +editor /etc/pump.io.json +#+END_SRC + +Add the following, replacing /mypumpiodomainname.com/ with your domain name. + +#+BEGIN_SRC: bash +{ + "driver": "redis", + "params": {"host":"localhost","port":6379}, + "secret": "A long random string", + "noweb": false, + "site": "Name of my pump.io site", + "owner": "My name or organisation", + "ownerURL": "https://mypumpiodomainname.com/", + "port": 7270, + "urlPort": 443, + "hostname": "mypumpiodomainname.com", + "address": "localhost", + "nologger": true, + "serverUser": "pumpio", + "rejectUnauthorized": false, + "key": "/var/local/pump.io/keys/mypumpiodomainname.com.key", + "cert": "/var/local/pump.io/keys/mypumpiodomainname.com.bundle.crt", + "uploaddir": "/var/local/pump.io/uploads", + "debugClient": false, + "firehose": "ofirehose.example", + "logfile": "/var/local/pump.io/pump.log", + "disableRegistration": false +} +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +export HOSTNAME=mypumpiodomainname.com +mkdir /var/local/pump.io +mkdir /var/local/pump.io/uploads +mkdir /var/local/pump.io/keys +cp /etc/ssl/private/$HOSTNAME.key /var/local/pump.io/keys +cp /etc/ssl/certs/$HOSTNAME.crt /var/local/pump.io/keys +cp /etc/ssl/certs/$HOSTNAME.bundle.crt /var/local/pump.io/keys +useradd -s /bin/bash -d /var/local/pump.io pumpio +chown -R pumpio:pumpio /var/local/pump.io +chmod 400 /var/local/pump.io/keys/* +chmod -R 777 /opt +#+END_SRC + +Edit your web server configuration. + +#+BEGIN_SRC: bash +editor /etc/nginx/sites-available/$HOSTNAME +#+END_SRC + +Delete all existing contents then add the following: + +#+BEGIN_SRC: bash +upstream pumpbackend { + server 127.0.0.1:7270 max_fails=3 fail_timeout=30s; + server 127.0.0.1:7270 max_fails=3 fail_timeout=60s; + server 127.0.0.1:7270 max_fails=3 fail_timeout=90s; +} + +server { + listen 80; + server_name mypumpiodomainname.com; + rewrite ^ https://$server_name$request_uri? permanent; +} + +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + listen 443 ssl; + server_name mypumpiodomainname.com; + + error_log /var/www/mypumpiodomainname.com/error.log debug; + + ssl on; + ssl_certificate /etc/ssl/certs/mypumpiodomainname.com.bundle.crt; + ssl_certificate_key /etc/ssl/private/mypumpiodomainname.com.key; + ssl_dhparam /etc/ssl/certs/mypumpiodomainname.com.dhparam; + + ssl_session_timeout 5m; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive + ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security max-age=15768000; + # if you want to be able to access the site via HTTP + # then replace the above with the following: + # add_header Strict-Transport-Security "max-age=0;"; + + client_max_body_size 6m; + + keepalive_timeout 75 75; + gzip_vary off; + + location / { + proxy_pass https://pumpbackend; + proxy_http_version 1.1; + proxy_redirect off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_buffers 16 32k; + } +} +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +sed "s/mypumpiodomainname.com/$HOSTNAME/g" /etc/nginx/sites-available/$HOSTNAME > /tmp/website +cp -f /tmp/website /etc/nginx/sites-available/$HOSTNAME +service nginx restart +npm install forever -g +#+END_SRC + +Now create the daemon. + +#+BEGIN_SRC: bash +editor /etc/init.d/pumpio +#+END_SRC + +Add the following text: + +#+BEGIN_SRC: bash +#!/bin/bash +# /etc/init.d/pumpio + +### BEGIN INIT INFO +# Provides: pump.io +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: starts pump.io as a background daemon +# Description: Starts pump.io on boot +### END INIT INFO + +# Author: Bob Mottram + +#Settings +SERVICE='pumpio' +COMMAND="forever /opt/pump.io/bin/pump > /var/local/pump.io/daemon.log" +USERNAME='pumpio' +NICELEVEL=19 # from 0-19 the bigger the number, the less the impact on system OAresources +HISTORY=1024 +INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin:/var/local/pump.io' + +pumpio_start() { +echo "Starting $SERVICE..." +su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME +} + +pumpio_stop() { +echo "Stopping $SERVICE" +su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME +} + +#Start-Stop here +case "$1" in + start) + pumpio_start + ;; + stop) + pumpio_stop + ;; + restart) + pumpio_stop + sleep 10s + pumpio_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 +#+END_SRC + +Save and exit. Then enable the daemon and run it. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/pumpio +update-rc.d pumpio defaults +service pumpio start +#+END_SRC + +Now visit your pump.io site by navigating to: + +https://mypumpiodomainname.com + +and add a new user. If you wish this to be a single user node not open to the general public (including spammers and sockpuppets) then edit */etc/pump.io.json* and set *disableRegistration* to *true*. After making that change restart with the command *service pumpio restart*. + +Once you've set up your user account it's recommended that you don't use the web based user interface and instead use a native client such as [[http://jancoding.wordpress.com/dianara/][Dianara]] or Pumpa. On Ubuntu you can install these via the Software Center. On mobile devices you can install AndStatus via F-Droid. + +A list of pump.io sites can be found at http://pumpstatus.jpope.org. At the time of writing there isn't any public directory and so finding people to follow is really a question of navigating through lists of /following/ or /followers/ (rather like the web before search engines were invented). + +Ensure that data data gets backed up with: + +#+BEGIN_SRC: bash +printf "\n\n# Redis backup" >> /etc/cron.daily/backup +printf "\ntar -czvf /var/backups/redis_daily.tar.gz /var/lib/redis/dump.rdb" >> /etc/cron.daily/backup +printf "\n\n# Redis backup" >> /etc/cron.weekly/backup +printf "\ncp -f /var/backups/redis_weekly.tar.gz /var/backups/redis_weekly2.tar.gz" >> /etc/cron.weekly/backup +printf "\ncp -f /var/backups/redis_daily.tar.gz /var/backups/redis_weekly.tar.gz" >> /etc/cron.weekly/backup +printf "\n\n# Redis backup" >> /etc/cron.monthly/backup +printf "\ncp -f /var/backups/redis_monthly.tar.gz /var/backups/redis_monthly2.tar.gz" >> /etc/cron.monthly/backup +printf "\ncp -f /var/backups/redis_weekly.tar.gz /var/backups/redis_monthly.tar.gz" >> /etc/cron.monthly/backup + +printf "\n\n# Pump.io backup" >> /etc/cron.daily/backup +printf "\ntar -czvf /var/backups/pumpio_daily.tar.gz /var/local/pump.io --exclude /var/local/pump.io/.forever" >> /etc/cron.daily/backup +printf "\n\n# Pump.io backup" >> /etc/cron.weekly/backup +printf "\ncp -f /var/backups/pumpio_weekly.tar.gz /var/backups/pumpio_weekly2.tar.gz" >> /etc/cron.weekly/backup +printf "\ncp -f /var/backups/pumpio_daily.tar.gz /var/backups/pumpio_weekly.tar.gz" >> /etc/cron.weekly/backup +printf "\n\n# Pump.io backup" >> /etc/cron.monthly/backup +printf "\ncp -f /var/backups/pumpio_monthly.tar.gz /var/backups/pumpio_monthly2.tar.gz" >> /etc/cron.monthly/backup +printf "\ncp -f /var/backups/pumpio_weekly.tar.gz /var/backups/pumpio_monthly.tar.gz" >> /etc/cron.monthly/backup +#+END_SRC + +At the time of writing creating backups of the pump.io database is critically important, because regenerating the database or moving to a different databank type causes you to be /permanently banned/ from the pump.io network unless you change your domain name (which may not always be an available option). + +** Install Gopher +*** Server setup + +Gopher is an old internet protocol which originated a few years before the web and is purely text based. It can be quite fun to build a gopher site and browse the gopherverse. One thing to keep in mind is that there is no security with gopher, so any text transmitted is trivially interceptable by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]] or deep packet inspection. + +To set up a gopher server: + +#+BEGIN_SRC: bash +apt-get install build-essential +mkdir ~/build +cd ~/build +wget http://freedombone.uk.to/geomyidae-current.tgz +#+END_SRC + +Verify the download: + +#+BEGIN_SRC: bash +sha256sum geomyidae-current.tgz +162f55ab059ab0a9be8e840497795293bbd51c34b1f4564dcdf3f0ddd5c0db31 geomyidae-current.tgz +#+END_SRC + +Then extract and install it. + +#+BEGIN_SRC: bash +tar -xzvf geomyidae-current.tgz +cd geomyidae-* +make +make install +mkdir -p /var/gopher +#+END_SRC + +Your content should be placed within /var/gopher with the index page being named index.gph. The Gopher format is very simple - simpler than HTML - so creating pages is not much more difficult than editing a text file. + +#+BEGIN_SRC: bash +editor /etc/init.d/gopher +#+END_SRC + +Enter the following: + +#+BEGIN_SRC: bash +#! /bin/sh +### BEGIN INIT INFO +# Provides: gopher +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Gopher daemon +# Description: Gopher daemon +### END INIT INFO + +# Do NOT "set -e" + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="Gopher daemon" +NAME=geomyidae +DAEMON=/usr/bin/$NAME +DAEMON_ARGS="-l /var/log/geomyidae.log -b /var/gopher -p 70" +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/$NAME + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 + # Add code here, if necessary, that waits for the process to be ready + # to handle requests from services started subsequently which depend + # on this one. As a last resort, sleep for some time. +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. + # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + # + # If the daemon can reload its configuration without + # restarting (for example, when it is sent a SIGHUP), + # then implement that here. + # + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? + #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: +#+END_SRC + +Save and exit. Then start the gopher service. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/gopher +update-rc.d gopher defaults +service gopher start +#+END_SRC + +On your internet router change the firewall settings to route port 70 to the BBB, then provided that you have a gopher plugin installed within your browser then you should be able to navigate to your gopher site with: + +#+BEGIN_SRC: bash +gopher://mydomainname.com +#+END_SRC + +There is a browser addon for Gopher called "overbite". Installing that should enable you to view your site. + +*** A phlogging script + +A phlog is the gopher equivalent of a blog on the web. You can create a script which makes phlogging easy. + +#+BEGIN_SRC: bash +editor /usr/bin/mkphlog +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/sh + +# mkphlog - a utility to ease the creation of phlogs. +# Organizes phlog posts in separate directories. +# Created by octotep; anyone can distribute, modify, and +# share this file however they please. +# +# Version 0.3 +# +# Modified by Bob Mottram +# +# Please note, all date strings are in the form of mm/dd/yy(yy) + +# The base of the entire gopher site. +gopherRoot="/var/gopher" + +# The name of the phlog directory (contained in $gopherHome) +phlogDirName="phlog" + +# Default editor, unless the user has one specified in env +editor=${EDITOR:-emacs} + +# Default timezone, unless the user has one specified in env +TZ=${TZ:-UTC} + +# Tells the script how many lines the title of the main page spans. +# Used to insert the newest post at the top. +# Titles created by mkphlog are 3 lines. +# Isn't used if $addTitleToMain is false +titleLineCount=3 + +entryDate=`date +%Y-%m-%d` + +# Creates the phlog directory if it dosen't already exist. +CreatePhlogDir() { + mkdir $phlogDirName + chmod 755 $phlogDirName + cd $phlogDirName + echo "Phlog directory created." +} + +# Updates the main phlog listing +UpdatePhlogListing() { + # Just in case the user didn't specify a title + if [ "$postTitleAns" = "" ] ; then + echo -n "Do you want to create a blank post? (y/n) " + read blankPostAns + case $blankPostAns in + y* | Y* ) $postTitleAns="New Post" ;; + n* | N* ) echo "Goodbye, then." ; exit 1 ;; + * ) exit 1 ;; + esac + fi + + cd $gopherRoot/$phlogDirName/ + title2=$(echo "${postTitleAns}" | tr " " _) + postfilename="${entryDate}_${title2}.txt" + touch ${postfilename} + echo $postTitleAns >> ${postfilename} + date "+%A %b %e %l:%M:%S %Y" >> ${postfilename} + echo "------------------------------" >> ${postfilename} + echo >> ${postfilename} +} + + +if [ -d $gopherRoot ] ; then + cd $gopherRoot +else + echo "You don't have a gopherspace set-up. Please run the gopher server setup instructions." + exit 1 +fi + +if [ -d $phlogDirName ] ; then + cd $phlogDirName +else + echo -n "Do you want to create a phlog directory? (y/n) " + read phlogDirAns + case $phlogDirAns in + y* | Y* ) CreatePhlogDir ;; + n* | N* ) exit 1 ;; + * ) exit 1 ;; + esac +fi + +echo -n "Would you like to create a phlog entry for today? (y/n) " +read phlogAns +case $phlogAns in + y* | Y* ) echo "Creating today's phlog entry..." ;; + n* | N* ) exit 0 ;; + * ) exit 1 ;; +esac + +# Make sure there isn't a post for that day, lest we overwrite it. +if [ ! -d $entryDate ]; then + echo -n "Title: " + read postTitleAns + title2=$(echo "${postTitleAns}" | tr " " _) + postfilename="${entryDate}_${title2}.txt" + touch ${postfilename} + chmod 644 ${postfilename} + UpdatePhlogListing + echo -n "Would you like to edit the post with $editor? (y/n) " + read editorAns + case $editorAns in + y* | Y* ) $editor $gopherRoot/$phlogDirName/${postfilename} ;; + n* | N* ) exit 0 ;; + * ) exit 0 ;; + esac + + rm $gopherRoot/$phlogDirName/${postfilename}~ +else + echo "There is already a post for today." + echo -n "Would you like to edit the post with $editor? (y/n) " + read editorAns + case $editorAns in + y* | Y* ) $editor $gopherRoot/$phlogDirName/$entryDate*.txt ;; + n* | N* ) exit 0 ;; + * ) exit 1 ;; + esac + rm $gopherRoot/$phlogDirName/${postfilename}.txt~ +fi +exit 0 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/mkphlog +#+END_SRC + +Now entering the command /mkphlog/ will allow you to create a phlog entry. + +** Install Owncloud + +#+BEGIN_VERSE +/It's not water vapour/ + +-- Larry Ellison +#+END_VERSE + +Owncloud will allow you to upload and download files, share photos, collaboratively edit documents, have a calendar and more. You should be warned that Owncloud runs quite slowly via an ordinary web browser, but it can be a convenient way to access and share your data from any location in a reasonably secure manner. + +*** Server Installation + +Install some dependencies: + +#+BEGIN_SRC: bash +apt-get install php5 php5-gd php-xml-parser php5-intl +apt-get install php5-sqlite php5-mysql smbclient curl libcurl3 php5-curl +#+END_SRC + +You will need to create a new subdomain, so see [[Setting up a web site]] for details of how to do that. + +#+BEGIN_SRC: bash +export HOSTNAME=myowncloudcomainname.com +editor /etc/nginx/sites-available/$HOSTNAME +#+END_SRC + +Delete all existing contents, then add the following: + +#+BEGIN_SRC: bash +server { + listen 80; + server_name myownclouddomainname.com; + rewrite ^ https://$server_name$request_uri? permanent; +} + +server { + listen 443 ssl; + root /var/www/myownclouddomainname.com/htdocs; + server_name myownclouddomainname.com; + + ssl on; + ssl_certificate /etc/ssl/certs/myownclouddomainname.com.crt; + ssl_certificate_key /etc/ssl/private/myownclouddomainname.com.key; + ssl_dhparam /etc/ssl/certs/myownclouddomainname.com.dhparam; + + ssl_session_timeout 5m; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive + ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security max-age=15768000; + # if you want to be able to access the site via HTTP + # then replace the above with the following: + # add_header Strict-Transport-Security "max-age=0;"; + + # make sure webfinger and other well known services aren't blocked + # by denying dot files and rewrite request to the front controller + location ^~ /.well-known/ { + allow all; + rewrite ^/(.*) /index.php?q=$uri&$args last; + } + + client_max_body_size 10G; # set max upload size + client_body_buffer_size 128k; + fastcgi_buffers 64 4K; + + rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; + rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; + rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + + index index.php; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ~ ^/(data|config|\.ht|db_structure\.xml|README) { + deny all; + } + + location / { + # The following 2 rules are only needed with webfinger + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + + try_files $uri $uri/ index.php; + } + + location ~ ^(.+?\.php)(/.*)?$ { + try_files $1 =404; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; + fastcgi_param PATH_INFO $2; + fastcgi_param HTTPS on; + } + + # Optional: set long EXPIRES header on static assets + location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ { + expires 30d; + # Optional: Don't log access to assets + access_log off; + } +} +#+END_SRC + +Save and exit. Then change the domain name. + +#+BEGIN_SRC: bash +sed "s/myownclouddomainname.com/$HOSTNAME/g" /etc/nginx/sites-available/$HOSTNAME > /tmp/website +cp -f /tmp/website /etc/nginx/sites-available/$HOSTNAME +#+END_SRC + +Download owncloud. + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +wget http://freedombone.uk.to/owncloud.tar.bz2 +#+END_SRC + +Verify the download: + +#+BEGIN_SRC: bash +sha256sum owncloud.tar.bz2 +9aca2aa0a0cd7b052e881c30ad6de25d135ec3f88a3920274f1be223b4cabedf +#+END_SRC + +Extract the archive. This may take a couple of minutes, so don't be alarmed that the system has crashed. + +#+BEGIN_SRC: bash +tar -xjf owncloud.tar.bz2 +#+END_SRC + +The extraction will take a few minutes. Move the extracted files to your site and set file permissions. + +#+BEGIN_SRC: bash +cp -r owncloud/* /var/www/$HOSTNAME/htdocs +#+END_SRC + +The copying also takes a few minutes. Then change the file permissions. + +#+BEGIN_SRC: bash +chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/apps +chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/config +chown www-data:www-data /var/www/$HOSTNAME/htdocs +#+END_SRC + +Increase the maximum upload size: + +#+BEGIN_SRC: bash +editor /etc/php5/fpm/php.ini +#+END_SRC + +Set the following: + +#+BEGIN_SRC: bash +upload_max_filesize = 50M +post_max_size = 50M +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +service php5-fpm restart +service nginx restart +#+END_SRC + +With a web browser visit your domain (mydomainname.com/owncloud) and enter an administrator username and password. + +For extra security you may also wish to create an ordinary owncloud user with limited privileges. To do that click on the *settings* dropdown menu (top right) then *users* then enter a *Login Name* and *password* and click on *create*. Under *quota* select a size which is suitable for the remaining space on your microSD card, then select the settings menu from the top right and select *log out*. You can now log back in as your new user. + +*** Owncloud on Android + +First install [[https://f-droid.org/][F-Droid]] and then search for the current Owncloud app. Once it's installed you'll then be able to log into the BBB with the URL https://mydomainname.com/opencloud, supplying your username and password. + +** Install a Wiki + +#+BEGIN_VERSE +/I believe that technology can liberate, but you need to be a master rather than a user. You need to pull technology apart and master it rather than letting it control you./ + +-- Tom Barbalet +#+END_VERSE + +Dokuwiki is based upon flat files, and so is easy to move from one server to another without a lot of database complications. + +Download the wiki. + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +wget http://freedombone.uk.to/dokuwiki.tgz +#+END_SRC + +Verify it. + +#+BEGIN_SRC: bash +sha256sum dokuwiki.tgz +6b126f90979463d9ddaa74acc6f96aa230cfdc789946f241c3646086d9574be8 dokuwiki.tgz +#+END_SRC + +Then extract and install it. + +#+BEGIN_SRC: bash +export HOSTNAME=mywikidomainname.com +tar -xzvf dokuwiki.tgz +rm -rf /var/www/$HOSTNAME/htdocs +mv dokuwiki /var/www/$HOSTNAME/htdocs +#+END_SRC + +and alter permissions: + +#+BEGIN_SRC: bash +chmod -R 755 /var/www/$HOSTNAME/htdocs +chown -R www-data:www-data /var/www/$HOSTNAME/htdocs +#+END_SRC + +Open a browser and visit http://$HOSTNAME/install.php, then fill out the details. Once everything has been accepted without errors: + +#+BEGIN_SRC: bash +rm /var/www/$HOSTNAME/htdocs/install.php +#+END_SRC + +Add a few extra mime types: + +#+BEGIN_SRC: bash +editor /var/www/$HOSTNAME/htdocs/conf/mime.conf +#+END_SRC + +Append the following: + +#+BEGIN_SRC: bash +ogv video/ogg +mp4 video/mp4 +webm video/webm +#+END_SRC + +Save and exit. + +If you need to be able to upload large files to the wiki then edit */etc/php5/fpm/php.ini* and set *upload_max_filesize* accordingly. + +Now you can visit your wiki and begin editing. + +** Install Bitmessage + +#+BEGIN_VERSE +/The weakness of mass surveillance is that it can very easily be made much more expensive through changes in technical standards: pervasive, end-to-end encryption can quickly make indiscriminate surveillance impossible on a cost-effective basis/ + +-- Edward J. Snowden, testimony to the EU parliament +#+END_VERSE + +*** A new kind of Email +[[https://bitmessage.org][Bitmessage]] is a new type of messaging system intended to fulfill the same role as email, but without the security problems. In particular, Bitmessage attempts to not just encrypt the content but also the metadata. It's message broadcasting system makes it exceedingly difficult for an attacker to know which computer a message is destined for. The only way you know whether a message has been sent to you is whether you are able to decrypt it from the passing stream of messages. + +Although similar to Bitcoin in some regards, such as "/proof of work/", Bitmessage has no block chain and messages are only buffered for approximately three days after which they are deleted from any given node. + +Installing Bitmessage as a daemon will increase the size of the network, and therefore the level of security for all users. + +*** The Daemon + +Install from the current source code. + +#+BEGIN_SRC: bash +apt-get install python screen +mkdir ~/build +cd ~/build +git clone https://github.com/bashrc/PyBitmessage.git +cd PyBitmessage +make install +#+END_SRC + +Now create the daemon. + +#+BEGIN_SRC: bash +editor /etc/init.d/pybitmessage +#+END_SRC + +Add the following text: + +#+BEGIN_SRC: bash +#!/bin/bash +# /etc/init.d/bitmessage + +### BEGIN INIT INFO +# Provides: pybitmessage +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: starts bitmessage as a background daemon, suitable for servers +# Description: This file should be used to construct scripts to be +# placed in /etc/init.d. +### END INIT INFO + +# Author: Super-Nathan + +#Settings +SERVICE='pybitmessage' +LOGFILE='/dev/null' # this disables logging +# LOGFILE='/var/log/bitmessage.log' # comment out the above line and un-comment this line to save a log +COMMAND="python bitmessagemain.py > $LOGFILE" +USERNAME='bitmsg' +NICELEVEL=19 # from 0-19 the bigger the number, the less the impact on system resources +HISTORY=1024 +PBM_LOCATION="/usr/local/share/pybitmessage" +INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/core_perl:/sbin:/usr/sbin:/bin:/usr/local/share/pybitmessage' + + + + +bm_start() { +echo "Starting $SERVICE..." +cd ${PBM_LOCATION} +su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME +} + + +bm_stop() { +echo "Stopping $SERVICE" +su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME +} + + +#Start-Stop here +case "$1" in + start) + bm_start + ;; + stop) + bm_stop + ;; + restart) + bm_stop + sleep 60s + bm_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 +#+END_SRC + +Save and exit. + +Add a user which will be specifically for Bitmessage. Since bitmessage is still a relatively young and experimental project, this adds further compartmentalisation such that if there are any bugs within PyBitmessage then an attacker can't neccessarily gain control of root or any other user account. Here we create a user called /bitmsg/ and give it a long random password. + +#+BEGIN_SRC: bash +adduser bitmsg +#+END_SRC + +Create a /keys.dat/ file which is used to configure Bitmessage. + +#+BEGIN_SRC: bash +mkdir /home/bitmsg/.config +mkdir /home/bitmsg/.config/PyBitmessage +editor /home/bitmsg/.config/PyBitmessage/keys.dat +#+END_SRC + +Add the following, changing /apipassword/ to some long random string: + +#+BEGIN_SRC: bash +[bitmessagesettings] +settingsversion = 8 +port = 8444 +timeformat = %%a, %%d %%b %%Y %%I:%%M %%p +blackwhitelist = black +startonlogon = False +minimizetotray = False +showtraynotifications = True +startintray = False +socksproxytype = none +sockshostname = localhost +socksport = 9050 +socksauthentication = False +sockslisten = False +socksusername = +sockspassword = +keysencrypted = false +messagesencrypted = false +defaultnoncetrialsperbyte = 640 +defaultpayloadlengthextrabytes = 14000 +minimizeonclose = false +maxacceptablenoncetrialsperbyte = 0 +maxacceptablepayloadlengthextrabytes = 0 +userlocale = system +useidenticons = True +identiconsuffix = re9E9UtSEaWD +replybelow = False +stopresendingafterxdays = 4 +stopresendingafterxmonths = +namecoinrpctype = namecoind +namecoinrpchost = localhost +namecoinrpcuser = +namecoinrpcpassword = +namecoinrpcport = 8336 +sendoutgoingconnections = True +willinglysendtomobile = False +maxpayloadlengthkb = 256 +daemon = true +apienabled = true +apiport = 8442 +apiinterface = 127.0.0.1 +apiusername = bitmsg +maxpayloadlengthkb = 256 +apipassword = change_this_password +#+END_SRC + +Save and exit. Then enable the daemon and run it. + +#+BEGIN_SRC: bash +rm -f /tmp/-usr-local-share-pybitmessage-*.lock +chown -R bitmsg:bitmsg /home/bitmsg +chmod +x /etc/init.d/pybitmessage +update-rc.d pybitmessage defaults +service pybitmessage start +#+END_SRC + +Now open port 8444 on your internet router or firewall and direct it to the BBB. + +*** Using Bitmessage +Although in principle it would be possible to send Bitmessages directly from the BBB, in practice the /proof of work/ requirement would mean that it would take an infeasibly long time to send messages, and the computational workload would likely greatly impair the performance of other services also running on the system. So to send and receive Bitmessages it's better to just install the client on a laptop or desktop machine. + +The easiest way to install the client is either to download it from [[https://bitmessage.org][bitmessage.org]] or to get the latest build from Github as follows: + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +git clone https://github.com/Bitmessage/PyBitmessage.git +cd PyBitmessage +make install +pybitmessage +#+END_SRC + +*** Connect Bitmessage to Email + +It may be convenient to have any Bitmessages addressed to you which arrive at the BBB to be transfered to your email, so that you can check for messages on mobile devices or on computers where installing a Bitmessage client isn't an available option. This transference will take place on the BBB itself, so will not involve transmitting any plaintext over the local network or internet. To do this first you'll need to set up a receiving Bitmessage address by editing: + +#+BEGIN_SRC: bash +/home/bitmsg/.config/PyBitmessage/keys.dat +#+END_SRC + +and adding the details for your address, which could be coppied from another machine (such as a laptop running a Bitmessage client). + +It will look something like: + +#+BEGIN_SRC: bash +[BM-address] +label = myusername@mydomainname.com +enabled = true +decoy = false +noncetrialsperbyte = 640 +payloadlengthextrabytes = 14000 +privsigningkey = ... +privencryptionkey = ... +lastpubkeysendtime = ... +#+END_SRC + +Note that it's particularly important that /label/ be set to your email address. This is how the system will know that when a bitmessage arrives which account to transfer it to. + +You should also make sure that /apipassword/ is set to some long random string. + +Save and close /keys.dat/, then restart the Bitmessage daemon. + +#+BEGIN_SRC: bash +service pybitmessage restart +#+END_SRC + +The restart will take 30 seconds or so. Next install the Bitmessage to email gateway. + +#+BEGIN_SRC: bash +cd /usr/share +git clone https://github.com/bashrc/bitmessage-email-gateway +chown -R bitmsg:bitmsg bitmessage-email-gateway +cd bitmessage-email-gateway +mkdir /home/bitmsg/Maildir +mkdir /home/bitmsg/Maildir/new +chown -R bitmsg:bitmsg /home/bitmsg +#+END_SRC + +Substitute /your_domain_name/ for your domain name (the main one used for email). + +#+BEGIN_SRC: bash +sed 's/mydomainname.com/your_domain_name/g' bitmessage-gateway.py > bitmessage-gateway.py +#+END_SRC + +Find out what the API password is: + +#+BEGIN_SRC: bash +grep "apipassword" /home/bitmsg/.config/PyBitmessage/keys.dat | awk -F ' ' '{print $3}' +#+END_SRC + +Then change it with: + +#+BEGIN_SRC: bash +sed "s/'password' : ''/'password' : 'bitmessage_api_password'/g" bitmessage-gateway.py > bitmessage-gateway.py +#+END_SRC + +Now create the daemon. + +#+BEGIN_SRC: bash +editor /etc/init.d/bitmessage-gateway +#+END_SRC + +Add the following text: + +#+BEGIN_SRC: bash +#!/bin/bash +# /etc/init.d/bitmessage-gateway + +### BEGIN INIT INFO +# Provides: bitmessage-gateway +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: starts a gateway between bitmessage and email +# Description: +### END INIT INFO + +# Author: Bob Mottram + +#Settings +SERVICE='bitmessage-gateway' +LOGFILE='/dev/null' +COMMAND="python bitmessage-gateway.py > $LOGFILE" +USERNAME='bitmsg' +NICELEVEL=19 # from 0-19 the bigger the number, the less the impact on system resources +HISTORY=1024 +BMG_LOCATION="/usr/share/bitmessage-email-gateway" +INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/share/bitmessage-email-gateway' + + +bmg_start() { +echo "Starting $SERVICE..." +cd ${BMG_LOCATION} +su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME +} + + +bmg_stop() { +echo "Stopping $SERVICE" +su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME +} + + +#Start-Stop here +case "$1" in + start) + bmg_start + ;; + stop) + bmg_stop + ;; + restart) + bmg_stop + sleep 5s + bmg_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/bitmessage-gateway +update-rc.d bitmessage-gateway defaults +service bitmessage-gateway start +#+END_SRC + +From a Bitmessage client you should now be able to send a message to your Bitmessage address and have it eventually appear as an email in your inbox. + +** Overcome restrictive environments + +#+BEGIN_VERSE +/Censorship reflects a society's lack of confidence in itself. It is a hallmark of an authoritarian regime./ + +-- Potter Stewart +#+END_VERSE + +In some environments, such as behind corporate firewalls or under regimes hostile towards the idea of open access to knowledge and information you may find that you're not able to use tools such as /ssh/ to get access to the BBB. In the worst case all ports other than 80 and 443 may be blocked. + +In that scenario you can use a tool called [[http://code.google.com/p/shellinabox/][shellinabox]] to log into your BBB via your web site rather than via a terminal. This means that you can administrate your system from any device which has a web browser and keyboard. + +#+BEGIN_SRC: bash +apt-get install shellinabox libapache +2-mod-proxy-html +#+END_SRC + +Update your Apache configuration. + +#+BEGIN_SRC: bash +export HOSTNAME=mydomainname.com +editor /etc/apache2/sites-available/$HOSTNAME +#+END_SRC + +Within the section which begins with ** add the following, replacing /mydomainname.com/ with your domain name and /myusername/ with your username. + +#+BEGIN_SRC: bash + + ProxyPass http://localhost:4200/ + Order allow,deny + Allow from all + + AuthName "Authentication for shellinabox" + AuthUserFile /home/mydomainname.com/public_html/.htpasswd + AuthGroupFile /home/mydomainname.com/public_html/.htgroup + AuthType Basic + Require group shellinabox + Require user myusername + +#+END_SRC + +Save and exit, then create a login password. It's recommended that the password be a long random string and that you then access it using a password manager such as KeepassX. + +#+BEGIN_SRC: bash +mkdir /home/$HOSTNAME +mkdir /home/$HOSTNAME/public_html +htpasswd -c /home/$HOSTNAME/public_html/.htpasswd myusername +#+END_SRC + +Create a user group. + +#+BEGIN_SRC: bash +editor /home/$HOSTNAME/public_html/.htgroup +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +shellinabox: myusername +#+END_SRC + +Save and exit, then restart Apache. + +#+BEGIN_SRC: bash +a2enmod proxy_http +service apache2 restart +#+END_SRC + +Now with a web browser navigate to https://mydomainname.com/shell and log in. + +If you're in a very locked down environment where access to web sites is severely restricted then as a last resort you may be able to use a command line browser, such as [[https://en.wikipedia.org/wiki/Lynx_%28web_browser%29][lynx]] from within /shellinabox/. + +** Set up a mailing list + +#+BEGIN_VERSE +/All over the world there are many people who are united in creating software, content, and culture that is freely available for others to share, enjoy and enrich their lives. Together we believe that freedom is good. We believe it helps people do good things, make better choices, and lead safer and more secure lives. Together we are a community united by this belief./ + +-- Jono Bacon +#+END_VERSE + +*** Public mailing list +Email mailing lists are old skool but still remain as a common and easy way of communicating on the internet. If you're running a public organisation such as an open source project or community group then you may want to set one up. + +**** Installation + +#+BEGIN_SRC: bash +export HOSTNAME=mydomainname.com +apt-get install mailman +newlist mailman +#+END_SRC + +Enter an email address for the list administrator and a password. + +#+BEGIN_SRC: bash +editor /etc/mailman/mm_cfg.py +#+END_SRC + +Set *MTA=None* and change *http:* to *https:*, then save and exit. + +Add some settings. + +#+BEGIN_SRC: bash +editor /etc/exim4/conf.d/main/04_mailman_options +#+END_SRC + +Add the following, replacing /mydomainname.com/ with your domain name. + +#+BEGIN_SRC: bash +# Mailman macro definitions + +# Home dir for the Mailman installation +MM_HOME=/var/lib/mailman + +# User and group for Mailman +MM_UID=list +MM_GID=list + +# +# Domains that your lists are in - colon separated list +# you may wish to add these into local_domains as well +domainlist mm_domains=mydomainname.com + +# The path of the Mailman mail wrapper script +MM_WRAP=MM_HOME/mail/mailman +# +# The path of the list config file (used as a required file when +# verifying list addresses) +MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/exim4/conf.d/main/000_localmacros +#+END_SRC + +Append the following: + +#+BEGIN_SRC: bash +SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe +SYSTEM_ALIASES_USER = list +SYSTEM_ALIASES_GROUP = list +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt +#+END_SRC + +Append the following, before the final /accept/: + +#+BEGIN_SRC: bash + # Do callback verification unless Mailman incoming bounce + deny !local_parts = *-bounces : *-bounces+* + !verify = sender/callout=30s,defer_ok +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor +/etc/exim4/conf.d/router/450_exim4-config_mailman_aliases +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +mailman: + driver = accept + domains = +mm_domains + require_files = MM_LISTCHK + local_part_suffix_optional + local_part_suffix = -admin : \ + -bounces : -bounces+* : \ + -confirm : -confirm+* : \ + -join : -leave : \ + -owner : -request : \ + -subscribe : -unsubscribe + transport = mailman_transport +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/exim4/conf.d/transport/40_exim4-config_mailman_pipe +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +mailman_transport: + driver = pipe + command = MM_WRAP \ + '${if def:local_part_suffix \ + {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \ + {post}}' \ + $local_part + current_directory = MM_HOME + home_directory = MM_HOME + user = MM_UID + group = MM_GID +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chown root:list /var/lib/mailman/mail/mailman +update-exim4.conf.template -r +update-exim4.conf +service exim4 restart +editor /etc/apache2/conf.d/mailman +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +Alias /pipermail /var/lib/mailman/archives/public +Alias /images/mailman /usr/share/images/mailman + + DirectoryIndex index.html + +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/apache2/sites-available/$HOSTNAME +#+END_SRC + +Add the following to the 443 section. + +#+BEGIN_SRC: bash + + Options Indexes FollowSymLinks MultiViews + Order allow,deny + Allow from all + + RedirectMatch ^/$ /cgi-bin/mailman/listinfo + +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +service apache2 restart +#+END_SRC + +Now add your mailing list. The list name should not include any spaces. + +#+BEGIN_SRC: bash +newlist mymailinglistname +#+END_SRC + +With a browser visit https://$HOSTNAME/cgi-bin/mailman/admin/mymailinglistname to configure the mailing list. + +Under *General Options* add an email address for a moderator (could be the same as the administrator) and click *Submit your changes*. + +Under *Privacy Options* set steps required for subscription to *Confirm and approve* and click *Submit your changes*. + +Also change these settings for the account within https://$HOSTNAME/cgi-bin/mailman/admin/mailman + +Then to test that the mailing list works: + +#+BEGIN_SRC: bash +exim -d+route -bt mymailinglistname@$HOSTNAME +#+END_SRC + +If everything is working then this shouldn't show any problems. + +**** Using the mailing list +Direct subscribers towards: + +#+BEGIN_SRC: bash +https://mydomainname.com/cgi-bin/mailman/listinfo/mymailinglistname +#+END_SRC + +To administrate the list visit: + +#+BEGIN_SRC: bash +https://mydomainname.com/cgi-bin/mailman/admin/mymailinglistname +#+END_SRC + +To add another mailing list: + +#+BEGIN_SRC: bash +newlist mymailinglistname +#+END_SRC + +To delete a mailing list: + +#+BEGIN_SRC: bash +rmlist -a mymailinglistname +#+END_SRC + +*** Private (encrypted) mailing list +In addition to conventional public email lists it's also possible to set up a private mailing list which is only readable by members. A private email list uses [[https://en.wikipedia.org/wiki/GNU_Privacy_Guard][GPG]] and a public/private key pair for the server which can then be used to send emails to the list in an encrypted form. The email addresses and public GPG keys of members may be added to the list so that any new messages can be distributed to them in a secure manner. + +Private mailing lists are likely to be able to keep the contents of the discussion out of the clutches of warrantless mass surveillance but, as with all conventional email, it won't prevent such systems from generating social graphs of who is communicating with the list since the /from/ and /to/ attributes are always transmitted in the clear. + +**** Installation +#+BEGIN_SRC: bash +apt-get install schleuder +#+END_SRC + +Edit the configuration: + +#+BEGIN_SRC: bash +editor /etc/schleuder/schleuder.conf +#+END_SRC + +Set the following parameters, replacing /mydomainname.com/ with your domain name: + +#+BEGIN_SRC: bash +smtp_port: 465 +superadminaddr: root@mydomainname.com +#+END_SRC + +Save and exit. + +Get your GPG public key, replacing /myGPGkeyID/ with your GPG key ID: + +#+BEGIN_SRC: bash +export MYKEYID=myGPGkeyID +gpg --search-keys $MYKEYID +gpg --output /tmp/mypublickey.txt --armor --export $MYKEYID +#+END_SRC + +Then to create a mailing list, replacing /mydomainname.com/ with your domain name, /myusername/ with your username and /mailinglistname/ with the name of the mailing list. /mailinglistname/ should be all one word, with no spaces. + +#+BEGIN_SRC: bash +export MAILINGLISTNAME=mailinglistname +export MYUSERNAME=myusername +export HOSTNAME=mydomainname.com +export EMAILADDRESS=$MYUSERNAME@$HOSTNAME +schleuder-newlist $MAILINGLISTNAME@$HOSTNAME -realname "mailing list name" -adminaddress $EMAILADDRESS -initmember $EMAILADDRESS -initmemberkey /tmp/mypublickey.txt -nointeractive +#+END_SRC + +Now add a mailing list rule: + +#+BEGIN_SRC: bash +emailrule $MYUSERNAME $MAILINGLISTNAME@$HOSTNAME $MAILINGLISTNAME +#+END_SRC + +Edit your Mutt configuration. + +#+BEGIN_SRC: bash +editor /home/$MYUSERNAME/.muttrc +#+END_SRC + +Search for the /mailboxes/ parameter and add "=mailinglistname". For example: + +#+BEGIN_SRC: bash +mailboxes = =Sent =Drafts =mailinglistname +#+END_SRC + +Save and exit. + +Update Exim routing. + +#+BEGIN_SRC: bash +editor /etc/exim4/conf.d/router/550_exim4-config_schleuder +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +schleuder: + debug_print = "R: schleuder for $local_part@$domain" + driver = accept + local_part_suffix_optional + local_part_suffix = +* : -bounce : -sendkey + domains = +local_domains + user = schleuder + group = schleuder + require_files = schleuder:+/var/lib/schleuder/$domain/${local_part} + transport = schleuder_transport +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /etc/exim4/conf.d/transport/30_exim4-config_schleuder +#+END_SRC + +Add the following. + +#+BEGIN_SRC: bash +schleuder_transport: + debug_print = "T: schleuder_transport for $local_part@$domain" + driver = pipe + home_directory = "/var/lib/schleuder/$domain/$local_part" + command = "/usr/bin/schleuder $local_part@$domain" +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chown -R schleuder:schleuder /var/lib/schleuder +update-exim4.conf.template -r +update-exim4.conf +service exim4 restart +useradd -d /var/schleuderlists -s /bin/false schleuder +adduser Debian-exim schleuder +usermod -a -G mail schleuder +#+END_SRC + +Test the routing. + +#+BEGIN_SRC: bash +exim -d -bt mailinglistname@mydomainname.com +#+END_SRC + +**** Importing the public key of the mailing list +Before you can use the mailing list you will first need to import its public key. How you do this depends upon which email client you're using. + +***** Using Mutt +Send an email to /mailinglistname-sendkey@mydomainname.com/ to have the list public key emailed to you. + +When you receive the email open it and press *CTRL-k* to import it. +***** Using Thunderbird +Send an email to /mailinglistname-sendkey@mydomainname.com/ to have the list public key emailed to you. + +When you receive the email open it, select all the text with *CTRL-a* then *CTRL-c*. + +On the menu select *OpenPGP* followed by *Key Management*. + +You will now see a new menu bar. Select *Edit* followed by *Import keys from clipboard*. + +Click on *Import* followed by *Ok*. +**** Using the list +To obtain the public keys of list members send an email to /mailinglistname-request@mydomainname.com/ containing *X-LIST-KEYS* in the message body. + +To add a member: *X-ADD-MEMBER: othermember@otherdomain.net* + +An example of adding a public key to the list: + +#+BEGIN_SRC: bash +X-ADD-KEY: +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQGiBEjVO7oRBADQvT6wtD2IzzIiK0NbrcilCKCp4MWb8cYXTXguwPQI6y0Nerz4 +dsK6J0X1Vgeo02tqA4xd3EDK8rdqL2yZfl/2egH8+85R3gDk+kqkfEp4pwCgp6VO +[...] +pNlF/qkaWwRb048h+iMrW21EkouLKTDPFkdFbapV2X5KJZIcfhO1zEbwc1ZKF3Ju +Q9X5GRmY62hz9SCZnsC0jeYAni8OUQV9NXfXlS/vePBUnOL08NQB +=xTv3 +-----END PGP PUBLIC KEY BLOCK----- +#+END_SRC + +To get details for a member: *X-GET-MEMBER: othermember@otherdomain.net* + +To delete a member: *X-DELETE-MEMBER: othermember@otherdomain.net* + +To delete a public key: *X-DELETE-KEY: keyID* + +You can unsubscribe from the list with *X-UNSUBSCRIBE* in the message body. + +*** Decentralised mailing list +A disadvantage with encrypted mailing lists which use the conventional email system is that there is a single server on which the list resides, and this creates a single point of failure and a bandwidth bottleneck for more heavily subscribed lists. If the mailing list server goes down for whatever reason then that may cause a lot of disruption to its users. + +An alternative is to use a decentralised mailing list, implemented using Bitmessage. On your local machine (not the BBB) you can make a private mailing list which is difficult to censor and where there is no single point of failure. This type of mailing list is known as a "/chan/". + +With Bitmessage if any one computer goes offline then the conversation can still keep going since there is no central mailing list server. Bitmessages are also encrypted with public/private key pairs and the manner in which the system operates makes it very difficult for the surveillance apparatus to exfiltrate the social graph of list users. + +On a Debian based system: + +#+BEGIN_SRC: bash +sudo apt-get install makepasswd +#+END_SRC + +or on an RPM based system: + +#+BEGIN_SRC: bash +sudo yum install makepasswd +#+END_SRC + +Create a name for your mailing list. This will be a random string. + +#+BEGIN_SRC: bash +makepasswd -c 40 +#+END_SRC + +Keep a note of this. + +Run the Bitmessage client and on the menu select *File/Join-Create Chan/Create new chan* + +Enter the random string which you created as the name of the mailing list. Also take a note of the BM address which is created. + +You can hand out the random string used to generate the mailing list and its corresponding BM address to fellow members, either within a bitmessage or on paper or via [[https://en.wikipedia.org/wiki/Sneakernet][sneakernet]] or in a GPG/PGP encrypted email or via an XMPP+OTR or Friendica private message. Once others have those two pieces of data then they will be able to join. + +To make the list easier to identify, rather than just appearing as a random string, then under the *Your Identities* tab right click on it and select *Set Avatar* and assign a suitable icon. + +The disadvantage of this type of mailing list is that it's not possible for any one participant to act as a list moderator, or in other words each participant must do their own moderation. That's ok if the size of the group is small, but if it's larger then anyone spamming or trolling the list can make things miserable for the others. +** Install a microblog + +#+BEGIN_VERSE +/If you want to have more control over how you interact on the web, and regain your freedom, privacy and autonomy from outside interference, you need to start moving towards using programs like GNU Social/ + +-- Jason Self +#+END_VERSE + +For a microblog you will need a separate domain/subdomain, so see [[Setting up a web site]] for details of how to create an Apache configuration for your microblog. If you're using freedns then you will need to create a new subdomain. + +Install some dependencies: + +#+BEGIN_SRC: bash +apt-get install php5-xcache php-gettext php5-curl php5-gd php5-mysql +#+END_SRC + +Download GNU Social + +#+BEGIN_SRC: bash +mkdir ~/build +cd ~/build +wget http://freedombone.uk.to/gnu-social.tar.gz +#+END_SRC + +Verify it. + +#+BEGIN_SRC: bash +sha256sum gnu-social.tar.gz +1f886241c7f1a175e7be3cccbcb944ab6c03617fb75aefa4d62d37abed87d2b4 +#+END_SRC + +Extract the files and set permissions on them, where /mydomainname.com/ is your domain name. + +#+BEGIN_SRC: bash +export HOSTNAME=mydomainname.com +tar zxf gnu-social.tar.gz +rm -rf /var/www/$HOSTNAME/htdocs +mv statusnet-gnu-social /var/www/$HOSTNAME/htdocs +chmod a+w /var/www/$HOSTNAME/htdocs +chown www-data:www-data /var/www/$HOSTNAME/htdocs +chmod a+w /var/www/$HOSTNAME/htdocs/avatar +chmod a+w /var/www/$HOSTNAME/htdocs/background +chmod a+w /var/www/$HOSTNAME/htdocs/file +chmod +x /var/www/$HOSTNAME/htdocs/scripts/maildaemon.php +#+END_SRC + +Edit the Apache access settings. + +#+BEGIN_SRC: bash +editor /var/www/$HOSTNAME/htdocs/.htaccess +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash + + RewriteEngine On + RewriteBase / + + ## Uncomment these if having trouble with API authentication + ## when PHP is running in CGI or FastCGI mode. + # + #RewriteCond %{HTTP:Authorization} ^(.*) + #RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1] + + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule (.*) index.php?p=$1 [L,QSA] + + + + Order allow,deny + +#+END_SRC + +Save and exit, then create a database. + +#+BEGIN_SRC: bash +mysql -u root -p +create database gnusocial; +CREATE USER 'gnusocialadmin'@'localhost' IDENTIFIED BY 'gnusocialpassword'; +GRANT ALL PRIVILEGES ON gnusocial.* TO 'gnusocialadmin'@'localhost'; +quit +#+END_SRC + +Add the mailer script to the aliases file: + +#+BEGIN_SRC: bash +editor /etc/aliases +#+END_SRC + +Add the following, replacing /mydomainname.com/ with your domain name. + +#+BEGIN_SRC: bash +www-data: root +*: /var/www/mydomainname.com/htdocs/scripts/maildaemon.php +#+END_SRC + +Save and exit. Update the aliases by typing: + +#+BEGIN_SRC: bash +newaliases +#+END_SRC + +Then with a web browser navigate to: + +https://$HOSTNAME/install.php + +Set a name for the site. + +Server SSL: enable + +Hostname: localhost + +Type: MySql + +Name: gnusocial + +DB username: gnusocialadmin + +DB Password; your gnu social admin password goes here + +Administrator nickname: myusername + +Administrator password: mylongrandompassword + +Subscribe to announcements: ticked + +Site profile: Community + +Press the *Submit* button. It may take a few minutes, so don't be concerned that it has crashed. When the process completes you will see a lot of "Strict standards" warnings which you can ignore. + +Navigate to http://$HOSTNAME/gnusocial and you can then complete the configuration via the *Admin* section on the header bar. Some recommended admin settings are: + +Under the *Site* settings: + + Text limit: 140 + + Dupe Limit: 60000 + +Under the *User* settings: + + Bio limit: 1000 + +Under the *Access* settings: + + /Invite only/ ticked + +Under the License section select a license if you wish. Details for Creative Commons licenses [[https://creativecommons.org/licenses/][can be found here]]. If you only intend to do private microblogging then just leave these settings as they are. + +If you want to invite more users then click on the big button *Invite more colleagues*, then enter their email addresses and hit the *send* button. The invite only configuration which you've just installed is useful because it prevents spammers, or other [[https://en.wikipedia.org/wiki/Joint_Threat_Research_Intelligence_Group]["bad actors"]], from clogging your system with nonsense. + +Edit the config file. + +#+BEGIN_SRC: bash +editor /var/www/$HOSTNAME/htdocs/config.php +#+END_SRC + +Change the ssl setting from *always* to *sometimes*, hten save and exit. + +So, you're now microblogging on the open web, with no companies in the middle. Congratulations! To find some other people to connect to you can try searching other nodes listed at http://gnu.io/try/ + +When following other GNU Social users enter the URL of your profile. For example, https://mygnusocialdomain/myusername + +** Install Mediagoblin + +#+BEGIN_VERSE +/The silos that are the main current points of media sharing are not only vulnerable to attacks on free speech, but also hamper important grassroots economic activity by privileging the interests of a tiny minority over those of most of the world./ +#+END_VERSE + +Mediagoblin allows you to have a YouTube/Soundcloud/Flickr/Picasa type of site to share your pictures, videos or audio files. An advantage of not having any company in the middle is that you can't be arbitrarily censored without any explanation, as seems to frequently occur on YouTube. It is recommended that you use media formats which are not encumbered by patents, such as /ogg/ or /ogv/. + +For a mediagoblin site it is recommended to use a separate domain/subdomain, so see [[Setting up a web site]] for details of how to create an Apache configuration for your microblog. If you're using freedns then you will need to create a new subdomain. + +Install some dependencies. + +#+BEGIN_SRC: bash +aptitude install git-core python python-dev python-lxml python-imaging python-virtualenv python-gst0.10 libjpeg8-dev sqlite3 libapache2-mod-fcgid gstreamer0.10-plugins-base gstreamer0.10-plugins-bad gstreamer0.10-plugins-good gstreamer0.10-plugins-ugly gstreamer0.10-ffmpeg python-numpy python-scipy libsndfile1-dev +#+END_SRC + +Create a user, replacing /mymediagoblindomain/ with the domain name for your mediagoblin site. + +#+BEGIN_SRC: bash +export HOSTNAME=mymediagoblindomain +adduser mediagoblin +#+END_SRC + +Give the user a long random password. + +#+BEGIN_SRC: bash +mkdir -p /srv/$HOSTNAME +chown -hR mediagoblin:mediagoblin /srv/$HOSTNAME +su - mediagoblin +export HOSTNAME=mymediagoblindomain +cd /srv/$HOSTNAME +git clone git://gitorious.org/mediagoblin/mediagoblin.git +cd mediagoblin +git submodule init +git submodule update +virtualenv --system-site-packages . +./bin/python setup.py develop +./bin/easy_install flup +cp mediagoblin.ini mediagoblin_local.ini +cp paste.ini paste_local.ini +editor mediagoblin_local.ini +#+END_SRC + +Change *email_sender_address* to your email address and set *email_debug_mode* to false. Also append the following to the bottom of the file, under the *plugins* section. + +#+BEGIN_SRC: bash +[[mediagoblin.media_types.audio]] +[[mediagoblin.media_types.video]] +[[mediagoblin.media_types.stl]] +#+END_SRC + +Then save and exit. + +#+BEGIN_SRC: bash +./bin/pip install scikits.audiolab +./bin/gmg dbupdate +exit # to go back to the root user +editor /etc/init.d/mediagoblin +#+END_SRC + +Add the following, replacing /mymediagoblindomain/ with the domain name for your mediagoblin site. + +#+BEGIN_SRC: bash +#!/bin/bash +# /etc/init.d/mediagoblin + +### BEGIN INIT INFO +# Provides: mediagoblin +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: starts mediagoblin +# Description: Other methods may work, but I found this the easiest +### END INIT INFO + +# Author: Bob Mottram + +#Settings +SERVICE='mediagoblin' +LOGFILE='/srv/mymediagoblindomain/mediagoblin.log' +COMMAND="./lazyserver.sh > $LOGFILE" +USERNAME='mediagoblin' +NICELEVEL=15 # from 0-19 the bigger the number, the less the impact on system resources +HISTORY=1024 +MG_LOCATION="/srv/mymediagoblindomain/mediagoblin" +INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/core_perl:/sbin:/usr/sbin:/bin' + + + +mg_start() { +echo "Starting $SERVICE..." +cd ${MG_LOCATION} +su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME +} + + +mg_stop() { +echo "Stopping $SERVICE" +su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME +} + + +#Start-Stop here +case "$1" in + start) + mg_start + ;; + stop) + mg_stop + ;; + restart) + mg_stop + sleep 10s + mg_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/mediagoblin +update-rc.d mediagoblin defaults +service mediagoblin start +#+END_SRC + +Edit the Apache configuration for your mediagoblin site. + +#+BEGIN_SRC: bash +editor /etc/apache2/sites-available/mymediagoblindomain +#+END_SRC + +Delete the existing configuration (in Emacs it's CTRL-x h then CTRL-w) and paste the following, replacing /mymediagoblindomain/ with your mediagoblin domain name and /myusername@mydomainname.com/ with your email address. + +#+BEGIN_SRC: bash + + ServerAdmin myusername@mydomainname.com + + DocumentRoot /srv/mymediagoblindomain/mediagoblin + ServerName mymediagoblindomain + + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride All + Order allow,deny + allow from all + LimitRequestBody 536870912 + + + LogLevel warn + + ProxyVia On + + ProxyRequests off + ProxyPreserveHost on + + ProxyPass / http://localhost:6543/ + + ErrorLog "/var/log/apache2/error.log" + CustomLog "/var/log/apache2/access.log" combined + + RewriteEngine On + RewriteOptions Inherit + +#+END_SRC + +Save and exit. + +Now in a browser visit http://mymediagoblindomain and create a user. If you wish this to be a single user installation to prevent a lot of spammers signing up. + +#+BEGIN_SRC: bash +editor /srv/mymediagoblindomain/mediagoblin/mediagoblin_local.ini +#+END_SRC + +Then set: + +#+BEGIN_SRC: bash +allow_registration = false +#+END_SRC + +Save and exit. + +** Run a pastebin service +If you need to be able to share short text files or other kinds of files on a temporary basis (doing technical support or reporting a bug, for example) then it's useful to have a pastebin system running on your server. + +For this you will need to set up a new subdomain and create a new Apache configuration. For details on how to do that see [[Getting onto the web]] and [[Setting up a web site]]. + +#+BEGIN_SRC: bash +adduser --disabled-login zerobin +mkdir ~/build +cd ~/build +git clone https://github.com/sametmax/0bin.git +cd 0bin +python setup.py install +chown -R zerobin:zerobin /usr/local/lib/python2.7/dist-packages/zerobin-0.4.1-py2.7.egg/zerobin/static +#+END_SRC + +For the /chown/ command you may need to change the directory name within /dist-packages/, depending upon the version number of [[https://github.com/sametmax/0bin][0bin]]. + +Now create the daemon. + +#+BEGIN_SRC: bash +editor /etc/init.d/zerobin +#+END_SRC + +Add the following text: + +#+BEGIN_SRC: bash +#!/bin/bash +# /etc/init.d/zerobin + +### BEGIN INIT INFO +# Provides: zerobin +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: starts zerobin as a background daemon +# Description: starts zerobin as a background daemon +### END INIT INFO + +# Author: Bob Mottram + +#Settings +SERVICE='zerobin' +LOGFILE='/home/zerobin/zerobin.log' +COMMAND="zerobin > $LOGFILE" +USERNAME='zerobin' +NICELEVEL=19 # from 0-19 the bigger the number, the less the impact on system resources +HISTORY=1024 +INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin' + + +zerobin_start() { +echo "Starting $SERVICE..." +su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME +} + + +zerobin_stop() { +echo "Stopping $SERVICE" +su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME +} + + +#Start-Stop here +case "$1" in + start) + zerobin_start + ;; + stop) + zerobin_stop + ;; + restart) + zerobin_stop + sleep 2s + zerobin_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/zerobin +update-rc.d zerobin defaults +service zerobin start +#+END_SRC + +Now edit the Apache configuration, delete anything which already exists and add the following, changing /mypastedomainname.com/ to your pastebin subdomain and /username@mydomainname.com/ to your email address: + +#+BEGIN_SRC: bash + + ServerAdmin username@mydomainname.com + ServerName mypastedomainname.com + + + ProxyPass http://localhost:8000/ + Order allow,deny + Allow from all + LimitRequestBody 256000 + + + ErrorLog ${APACHE_LOG_DIR}/paste_error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel error + + CustomLog ${APACHE_LOG_DIR}/paste.log combined + +#+END_SRC + +Save and exit. + +The encryption used here is really just intended to provide you with plausible deniability for content which other users may post to your server. Pastes aren't really intended to be totally private, so if your intention is to send private messages then Bitmessage, an XMPP chat session with OTR or a GPG encrypted email is a far better solution. + +#+BEGIN_SRC: bash +service apache2 restart +#+END_SRC + +You can now visit your new site and paste things for others to see, and vice versa. Uploads are limited to 256K in size to prevent your storage space from being used up. You can further limit the maximum amount of storage space by doing the following: + +#+BEGIN_SRC: bash +editor /usr/bin/zerobinupdate +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash + +CONTENT=/usr/local/lib/python2.7/dist-packages/zerobin-0.4.1-py2.7.egg/zerobin/static/content + +# Exit if there is no content directory +if [[ ! -d $CONTENT ]]; then + exit +fi + +LOG=/home/zerobin/zerobin.log +CHECK=`du -hs $CONTENT` +regex="([0-9]+)G" + +if [[ $CHECK =~ $regex && ${BASH_REMATCH[1]} -gt 1 ]]; then + echo "Directory size limit exceeded - removing zerobin content" >> $LOG + rm -rf $CONTENT/* +fi +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/zerobinupdate +echo "*/5 * * * * root /usr/bin/timeout 120 /usr/bin/zerobinupdate" >> /etc/crontab +#+END_SRC + +Additionally to ensure that the service is being used as intended and not as a permanent data store: + +#+BEGIN_SRC: bash +editor /usr/bin/zerobinclear +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash + +CONTENT=/usr/local/lib/python2.7/dist-packages/zerobin-0.4.1-py2.7.egg/zerobin/static/content + +# Exit if there is no content directory +if [[ ! -d $CONTENT ]]; then + exit +fi + +rm -rf $CONTENT +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/zerobinclear +echo "35 3 * * * root /usr/bin/zerobinclear" >> /etc/crontab +service cron restart +#+END_SRC + +This will delete all pasted content once per day. + +** Subsonic music server + +#+BEGIN_VERSE +/Where words fail, music speaks./ + +-- Hans Christian Andersen +#+END_VERSE + +*** Introduction +Owncloud is probably the easiest way to handle your media, but Subsonic is another alternative and has a mobile app which can be used to conveniently play your music. Unless you particularly prefer Subsonic it's probably better to stick with Owncloud and skip this section. Another limitation of Subsonic is that it requires Java, which uses a lot of RAM, so it may be better to only install it on systems with 1GB or more of memory and also increases the [[https://en.wikipedia.org/wiki/Attack_surface]["attack surface"]]. + +The method of installing Subsonic described here is not ideal, but works. The main issue is that the Debian package supplied from sourceforge contains a licensing [[https://www.fsf.org/blogs/community/antifeatures][antifeature]], which needs to be removed in order to achieve a fully free system. +*** Installing the Server +For this you will need a new subdomain (or your own domain), so see [[Setting up a web site]] for details of how to do that. + +#+BEGIN_SRC: bash +apt-get install openjdk-7-jre openjdk-7-jdk lintian maven libav-tools +adduser subsonic +mkdir ~/build +cd ~/build +wget http://freedombone.uk.to/subsonic-4.9.deb +sha256sum subsonic-4.9.deb +064c2a7e69d47715ce230f3dfcacdc627c18f6466e0fe48952f133ce06be698d +dpkg -i subsonic-4.9.deb +#+END_SRC + +Now we remove the antifeature by compiling from source and then overwriting the relevant files. + +#+BEGIN_SRC: bash +git clone https://github.com/EugeneKay/subsonic.git +cd subsonic +git checkout release +mvn package +mvn -P full -pl subsonic-booter -am install +mvn -P full -pl subsonic-installer-debian/ -am install +cp ~/build/subsonic/subsonic-booter/target/subsonic-booter-jar-with-dependencies.jar /usr/share/subsonic/ +cp ~/build/subsonic/subsonic-main/target/subsonic.war /usr/share/subsonic/subsonic.war +cp ~/build/subsonic/subsonic-booter/src/main/script/subsonic.sh /usr/share/subsonic/subsonic.sh +editor /etc/default/subsonic +#+END_SRC + +Settings should look like the following. + +#+BEGIN_SRC: bash +SUBSONIC_ARGS="--max-memory=100" +SUBSONIC_USER=subsonic +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chown -R subsonic:subsonic /var/subsonic +mkdir /var/music +chown -R subsonic:subsonic /var/music +service subsonic restart +#+END_SRC + +Edit your web server configuration. + +#+BEGIN_SRC: bash +editor /etc/nginx/sites-available/$HOSTNAME +#+END_SRC + +Delete all existing contents then add the following: + +#+BEGIN_SRC: bash +server { + listen 80; + server_name mysubsonicdomainname.com; + rewrite ^ https://$server_name$request_uri? permanent; +} + +server { + listen 443; + server_name mysubsonicdomainname.com; + index index.html index.htm; + + error_log /var/www/mysubsonicdomainname.com/error.log debug; + + ssl on; + ssl_certificate /etc/ssl/certs/mysubsonicdomainname.com.crt; + ssl_certificate_key /etc/ssl/private/mysubsonicdomainname.com.key; + ssl_dhparam /etc/ssl/certs/mysubsonicdomainname.com.dhparam; + + ssl_session_timeout 5m; + ssl_prefer_server_ciphers on; + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive + ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'; + add_header Strict-Transport-Security "max-age=0;"; + + client_max_body_size 20M; + + location / { + proxy_pass http://localhost:4040/; + proxy_redirect http:// https://; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +} +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +export HOSTNAME=mysubsonicdomainname.com +sed "s/mysubsonicdomainname.com/$HOSTNAME/g" /etc/nginx/sites-available/$HOSTNAME > /tmp/website +cp -f /tmp/website /etc/nginx/sites-available/$HOSTNAME +/etc/init.d/nginx reload +#+END_SRC + +*** Configuration +Open a browser and go to your subsonic domain name. Log in with username /admin/ and password /admin/, then change your administrator password. + +Still logged in as the administrator, click /settings/ and select /transcoding/. Change the transcoding settings to the following: + + +| Name | Convert from | Convert to | Step 1 | +|----------------+---------------------------------------------------+------------+------------------------------------------------------------------------------------------------------------------------------------------| +| mp3 audio | ogg oga aac m4a flac wav wma aif aiff ape mpc shn | mp3 | avconv -i %s -b %bk -q 0 -loglevel error -f mp3 - | +| flv/h264 video | avi mpg mpeg mp4 m4v mkv mov wmv ogv divx m2ts | flv | avconv -ss %o -i %s -async 1 -b %bk -s %wx%h -c:a libmp3lame -ar 44100 -ac 2 -v debug -f flv -c:v libx264 -preset superfast -threads 0 - | + +| Downsample command | avconv -i %s -b %bk -v 0 -f mp3 - | +| HTTP Live Streaming command | avconv -ss %0 -t %d -i %s -async 1 -b %bk -s %wx%h -ar 44100 -ac 2 -v 0 -f mpegts -vcodec libx264 -preset superfast -acodec libmp3lame -threads 0 - | + +Then save. + +Within the settings click on /users/ and add a user. Give your user access to everything by ticking all the checkboxes. You can then log out and log back in as the user. + +Open port 4040 on your internet router and forward it to the BBB. + +*** Adding your music +The easiest way to add your music is to obtain a large capacity USB stick, copy your music onto it, plug it into the front of the BBB and then mount it as a drive. + +So with the USB stick plugged in and logged into the BBB as root via ssh: + +#+BEGIN_SRC: bash +editor /usr/bin/attach-music +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash +if [ ! -d /var/music ]; then + mkdir /var/music +fi +mount /dev/sda1 /var/music +chown root:root /var/music +chown -R subsonic:subsonic /var/music/* +#+END_SRC + +Save and exit + +#+BEGIN_SRC: bash +chmod +x /usr/bin/attach-music +#+END_SRC + +Then just typing "attach-music" on the command line will mount the USB drive. + +Then within a browser go to your Subsonic domain name, log in as the administrator, select *settings*, then *Media folders* then *Scan media folders now*. Depending upon how much music you have this could take a while, so don't be too impatient. WHen It's complete you can log out and log back in as a user. + +*** Android App +Within [[https://f-droid.org/][F-Droid]] search for *Dsub* and install it. + +Open the app, then press on the Dsub icon (top left) and select *settings*, followed by *servers*. Select one of the unused servers then set the name to your domain name, the server address to https://mysubsonicdomainname.com (the domain name you used for subsonic) and your username and password for the Subsonic user which you created earlier. Press on *test server* to check the internet connection to the BBB. + +Remove any other servers (including the demo) by pressing on them then selecting *remove server*. + +You can then press *back* a few times to return to the main Dsub menu and press *recently added*. If your media library has been scanned (as in the earlier "adding your music" step) then you should see tracks appear. Press on one, then press the play button. + +Other proprietary Subsonic mobile apps are available, but are not recommended. Anything proprietary could contain backdoors, malware or other nasties which merely assist the surveillance apparatus. +** Database maintenance + +#+BEGIN_VERSE +/To be ready to fail is to be prepared for success./ + +-- Jose Bergamin +#+END_VERSE + +Ideally the system should be as close to "/install and forget/" as possible, but sometimes mysql databases can become corrupted. To handle that situation we can set up a script to monitor the databases and automatically try to repair them, and if the repair fails then to roll back to the previous day's backup, so that at most you may have lost one day of social media updates, rather than losing everything. + +#+BEGIN_SRC: bash +editor /usr/bin/repairdatabase +#+END_SRC + +Add the following, using your mysql root password and entering your email address. + +#+BEGIN_SRC: bash +#!/bin/bash + +DATABASE=$1 +EMAIL=myusername@mydomainname.com + +MYSQL_ROOT_PASSWORD=mysqlrootpassword +TEMPFILE=/tmp/repairdatabase_$DATABASE + +umask 0077 + +# check the database +mysqlcheck -c -u root --password=$MYSQL_ROOT_PASSWORD $DATABASE > $TEMPFILE + +# Attempt to repair the database if it contains errors +if grep -q "Error" "$TEMPFILE"; then + mysqlcheck -u root --password=$MYSQL_ROOT_PASSWORD --auto-repair $DATABASE +else + # No errors were found, so exit + rm -f $TEMPFILE + exit 0 +fi +rm -f $TEMPFILE + +# Check the database again +mysqlcheck -c -u root --password=$MYSQL_ROOT_PASSWORD $DATABASE > $TEMPFILE + +# If it still contains errors then restore from backup +if grep -q "Error" "$TEMPFILE"; then + mysql -u root --password=$MYSQL_ROOT_PASSWORD $DATABASE -o < /var/backups/${DATABASE}_daily.sql + + # Send a warning email + echo "$DATABASE database corruption could not be repaired. Restored from backup." | mail -s "Freedombone database maintenance" $EMAIL + rm -f $TEMPFILE + + exit 1 +fi +rm -f $TEMPFILE + +exit 0 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod 600 /usr/bin/repairdatabase +editor /etc/cron.hourly/repair +#+END_SRC + +Add the following. If you're using Red Matrix then uncomment that line. + +#+BEGIN_SRC: bash +#!/bin/bash + +repairdatabase friendica +#repairdatabase redmatrix +repairdatabase roundcubemail +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /etc/cron.hourly/repair +#+END_SRC + +Also to keep maintenance to the minimum we need to automatically repair the databases when the system initially boots after a power cycle. So if there's an electrical power outage and the session table gets corrupted then you don't need to be concerned with repairing it manually. + +#+BEGIN_SRC: bash +editor /usr/bin/runinitialrepair +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash +sleep 180 +/etc/cron.hourly/repair > /var/log/initialrepair.log +exit 0 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/runinitialrepair +editor /etc/init.d/initialrepair +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/bash + +# /etc/init.d/initialrepair + +### BEGIN INIT INFO +# Provides: initialrepair +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: mysql database repair on boot +# Description: Repairs mysql databases at startup +### END INIT INFO + +# Author: Bob Mottram + +#Settings +SERVICE='initialrepair' +INVOCATION='/usr/bin/runinitialrepair' +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin' + +initialrepair_start() { +echo "Starting $SERVICE..." +su --command "screen -h 1024 -dmS ${SERVICE} ${INVOCATION}" root +} + + +initialrepair_stop() { +echo "Stopping $SERVICE" +su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" root +} + + +#Start-Stop here +case "$1" in + start) + initialrepair_start + ;; + stop) + initialrepair_stop + ;; + restart) + initialrepair_stop + initialrepair_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/initialrepair +update-rc.d initialrepair defaults +service initialrepair start +#+END_SRC + +** Install Tripwire + +#+BEGIN_VERSE +/...by the time you get done with all of that, we have a freedom box/ + +-- Eben Moglen +#+END_VERSE + +Tripwire will try to detect any intrusions into your system. It's a good idea to install it after you have installed all of the other programs which you intend to use. + +#+BEGIN_SRC: bash +apt-get install tripwire +export HOSTNAME=mydomainname.com +cd /etc/tripwire +cp arm-local.key $HOSTNAME-local.key +cp site.key $HOSTNAME-site.key +tripwire --init +tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt +tripwire --check --interactive +#+END_SRC + +you will be asked for two passphrases ("site" and "local"). Make a note of these. + +Turn off reporting of changes to system logs. + +#+BEGIN_SRC: bash +editor /etc/tripwire/twcfg.txt +#+END_SRC + +Set *SYSLOGREPORTING* to false and comment out the line, then save and exit. + +#+BEGIN_SRC: bash +editor /etc/tripwire/twpol.txt +#+END_SRC + +Edit the "Root config files" section so that it looks like this: + +#+BEGIN_SRC: bash +# These files change the behavior of the root account +( + rulename = "Root config files", + severity = 100 +) +{ + /root -> $(SEC_CRIT) ; # Catch all additions to /root + /root/.bashrc -> $(SEC_CONFIG) ; + /root/.bash_history -> $(SEC_CONFIG) ; +} +#+END_SRC + +Then save and exit. + +#+BEGIN_SRC: bash +editor /usr/bin/reset-tripwire +#+END_SRC + +Add the following: + +#+BEGIN_SRC: bash +#!/bin/sh +tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /usr/bin/reset-tripwire +#+END_SRC + +If you subsequently install any more packages or make configuration changes then update the policy again with: + +#+BEGIN_SRC: bash +reset-tripwire +#+END_SRC + +Also, to look for any rootkits. + +#+BEGIN_SRC: bash +apt-get install rkhunter +#+END_SRC + +* Router/Firewall ports +The following ports on your internet router/firewall should be forwarded to the BBB. + +| Protocol | Port/s | +|---------------+------------| +| Gopher | 70 | +| HTTP | 80 | +| HTTPS | 443 | +| IMAP | 143 | +| IRC | 6665..6669 | +| IRC SSL | 6697 | +| SIP | 5060..5061 | +| SMTP | 25,587 | +| SMTPS | 465 | +| SSH | 22 | +| XMPP | 5222..5223 | +| XMPP (server) | 5269 | +| XMPP (BOSH) | 5280..5281 | +| Bitmessage | 8444 | +| Subsonic | 4040 | + +* Hints and Tips +** Example configurations +*** Software sources +If you get errors when running *apt-get update* then you may need to check your repositories list. Here are examples of repositories within */etc/apt/sources.list* + +**** Beaglebone Black + +#+BEGIN_SRC: bash +deb http://ftp.us.debian.org/debian/ jessie main contrib +deb-src http://ftp.us.debian.org/debian/ jessie main contrib + +deb http://ftp.us.debian.org/debian/ jessie-updates main contrib +deb-src http://ftp.us.debian.org/debian/ jessie-updates main contrib + +#Kernel source: https://github.com/RobertCNelson/linux-stable-rcn-ee +deb [arch=armhf] http://repos.rcn-ee.net/debian/ jessie main +deb http://ftp.us.debian.org/debian jessie-backports main +#+END_SRC +**** Cubieboard +#+BEGIN_SRC: bash +deb http://ftp.us.debian.org/debian/ wheezy main contrib +deb-src http://ftp.us.debian.org/debian/ wheezy main contrib + +deb http://ftp.us.debian.org/debian/ wheezy-updates main contrib +deb-src http://ftp.us.debian.org/debian/ wheezy-updates main contrib + +deb http://security.debian.org/ wheezy/updates main contrib +deb-src http://security.debian.org/ wheezy/updates main contrib + +deb http://ftp.us.debian.org/debian wheezy-backports main contrib + +deb http://mirrors.sohu.com/debian/ wheezy main contrib +deb-src http://mirrors.sohu.com/debian/ wheezy main contrib + +deb http://packages.cubian.org/ wheezy main +deb http://repo.ajenti.org/debian main main debian +#+END_SRC + +*** Emacs setup +An example Emacs configuration file. This should be saved to */home/myusername/.emacs* and */root/.emacs* + +#+BEGIN_SRC: bash +(add-to-list 'load-path "~/.emacs.d/") + +;; ===== Remove trailing whitepace ====================================== + +(add-hook 'before-save-hook 'delete-trailing-whitespace) + +;; ===== Press CTRL-L to go to a line number ============================ + +(global-set-key "\C-l" 'goto-line) + +;; ===== Show line numbers ============================================== + +(add-hook 'find-file-hook (lambda () (linum-mode 1))) + +;; ===== Enable line wrapping in org-mode =============================== + + (add-hook 'org-mode-hook + '(lambda () + (visual-line-mode 1))) + +;; ===== Enable shift select in org mode ================================ + +(setq org-support-shift-select t) + +;; ===== Set standard indent to 4 spaces ================================ + +(setq standard-indent 4) +(setq-default tab-width 4) +(setq c-basic-offset 4) + +;; ===== Support Wheel Mouse Scrolling ================================= + +(mouse-wheel-mode t) + +;; ===== Place Backup Files in Specific Directory ====================== + +(setq make-backup-files t) +(setq version-control t) +(setq backup-directory-alist (quote ((".*" . "~/.emacs_backups/")))) + +;; ===== Make Text mode the default mode for new buffers =============== + +(setq default-major-mode 'text-mode) + +;; ===== Line length =================================================== + +(setq-default fill-column 72) + +;; ===== Enable Line and Column Numbering ============================== + +(line-number-mode 1) +(column-number-mode 1) + +;; ===== Turn on Auto Fill mode automatically in all modes ============= + +;; Auto-fill-mode the the automatic wrapping of lines and insertion of +;; newlines when the cursor goes over the column limit. + +;; This should actually turn on auto-fill-mode by default in all major +;; modes. The other way to do this is to turn on the fill for specific +;; modes via hooks. + +(setq auto-fill-mode 1) + +;; ===== Enable GPG encryption ======================================== + +(require 'epa) +(epa-file-enable) +#+END_SRC +*** Boot (uEnv.txt) +An example of the uEnv.txt file within the BOOT partition on the microSD card of the BBB. + +#+BEGIN_SRC: bash +##These are needed to be compliant with Debian 2014-05-14 u-boot. + +loadximage=load mmc 0:2 ${loadaddr} /boot/vmlinuz-${uname_r} +loadxfdt=load mmc 0:2 ${fdtaddr} /boot/dtbs/${uname_r}/${fdtfile} +loadxrd=load mmc 0:2 ${rdaddr} /boot/initrd.img-${uname_r}; setenv rdsize ${filesize} +loaduEnvtxt=load mmc 0:2 ${loadaddr} /boot/uEnv.txt ; env import -t ${loadaddr} ${filesize}; +loadall=run loaduEnvtxt; run loadximage; run loadxrd; run loadxfdt; + +mmcargs=setenv bootargs console=tty0 console=${console} ${optargs} ${cape_disable} ${cape_enable} root=${mmcroot} rootfstype=${mmcrootfstype} ${cmdline} + +uenvcmd=run loadall; run mmcargs; bootz ${loadaddr} ${rdaddr}:${rdsize} ${fdtaddr}; +#+END_SRC +** Messaging security +If you're connected to other friends via Friendica then the preferred way to send private messages is via Friendica's built-in messaging system. This is a lot more convenient than using GPG with ordinary email and yet still provides a similar level of protection from unwarranted interception. +** Moving Domains +If you're moving servers and using a different domain name or path then you can search and replace URLs within files in the following way: + +#+BEGIN_SRC: bash +find /var/www/mynewdomain/htdocs -type f -exec sed -i 's@myolddomain@mynewdomain@g' {} \; +#+END_SRC + +If you're moving the blog to a new domain then you will need to delete the lock file: + +#+BEGIN_SRC: bash +rm /var/www/myblogdomainname.com/htdocs/fp-content/%%setup.lock +#+END_SRC + +Then visit your blog and reinstall it. Your existing content will be unaffected but you will need to delete the welcome post which gets added and also re-select your chosen theme. + +If you need to import blog posts from another blog then copy the *fp-content/content* directory from the old blog to the new blog, then within the admin panel select *maintain* and *rebuild index*. + +** MySql foo +*** Reset the root password +To reset the root password, or if mysql forgets its root password. + +#+BEGIN_SRC: bash +/etc/init.d/mysql stop +mysqld_safe --skip-grant-tables & +mysql -u root +use mysql; +update user set password=PASSWORD("mynewpassword") where User='root'; +flush privileges; +quit +/etc/init.d/mysql stop +/etc/init.d/mysql start +#+END_SRC +*** Repair and optimize databases +To check, repair and optimize the databases. + +#+BEGIN_SRC: bash +mysqlcheck -c -u root -p --all-databases +mysqlcheck -u root -p --auto-repair --all-databases +mysqlcheck -u root -p -o --all-databases +#+END_SRC +*** Backup all databases +To back up all mysql databases: + +#+BEGIN_SRC: bash +mysqldump -u root -p --all-databases --events > /var/backups/databasebackup.sql +#+END_SRC +*** Restoring a particular mysql database +To restore yesterday's friendica backup: + +#+BEGIN_SRC: bash +mysql -u root -p friendica -o < /var/backups/friendica_daily.sql +#+END_SRC + +To restore the webmail database: + +#+BEGIN_SRC: bash +mysql -u root -p roundcubemail -o < /var/backups/roundcubemail_daily.sql +#+END_SRC + +To restore yesterday's Red Matrix backup: + +#+BEGIN_SRC: bash +mysql -u root -p redmatrix -o < /var/backups/redmatrix_daily.sql +#+END_SRC +*** Removing and reinstalling mysql server + +Sometimes the mysql database may get completely messed up, and running /service mysql start/ may always fail with nothing reported in the logs. So if you manage to get into that unfortinate situation then you can fully remove mysql and reinstall it as follows: + +#+BEGIN_SRC: bash +ps aux | grep mysql +#+END_SRC + +and use /kill -9 / to kill all mysql processes. + +#+BEGIN_SRC: bash +apt-get remove --purge mysql\* +rm -rf /etc/mysql +rm -rf /var/lib/mysql +apt-get clean +updatedb +#+END_SRC + +Reinstall mysql: + +#+BEGIN_SRC: bash +apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt php5-fpm php5-cgi php-apc +#+END_SRC + +Then to recreate the Friendica and webmail databases: + +#+BEGIN_SRC: bash +mysql -p +create database friendica; +CREATE USER 'friendicaadmin'@'localhost' IDENTIFIED BY 'myfriendicapassword'; +GRANT ALL PRIVILEGES ON friendica.* TO 'friendicaadmin'@'localhost'; +create database roundcubemail; +CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'roundcubepassword'; +GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube'@'localhost'; +quit +mysql -u root -p friendica -o < /var/backups/friendica_daily.sql +mysql -u root -p roundcubemail -o < /var/backups/roundcubemail_daily.sql +#+END_SRC + +And if you previously had Red Matrix installed: + +#+BEGIN_SRC: bash +mysql -p +create database redmatrix; +CREATE USER 'redmatrixadmin'@'localhost' IDENTIFIED BY 'myredmatrixpassword'; +GRANT ALL PRIVILEGES ON redmatrix.* TO 'redmatrixadmin'@'localhost'; +quit +mysql -u root -p redmatrix -o < /var/backups/redmatrix_daily.sql +#+END_SRC + +Since IMAP seems entangled with mysql it may also be necessary to reinstall Exim and Dovecot. + +#+BEGIN_SRC: bash +apt-get remove --purge exim4\* +#+END_SRC + +Then follow the instructions in [[Install Email]], [[Spam filtering]] and [[Install Dovecot]]. +** Regenerating SSL certificates +If a security vulnerability arrises which requires you to regenerate your SSL certificates, such as [[http://filippo.io/Heartbleed]["heartbleed"]], then this can be done as follows: + +Obtain the latest updates: + +#+BEGIN_SRC: bash +apt-get update +apt-get upgrade +#+END_SRC + +Run *makecert * for each of your sites. + +Recreate the XMPP certificate: + +#+BEGIN_SRC: bash +makecert xmpp +chown prosody:prosody /etc/ssl/private/xmpp.key +chown prosody:prosody /etc/ssl/certs/xmpp.* +#+END_SRC + +And regenerate the IRC server keys: + +#+BEGIN_SRC: bash +makecert ircd +mv /etc/ssl/private/ircd.key /home/ircserver/ircd/ssl/ +mv /etc/ssl/certs/ircd.crt /home/ircserver/ircd/ssl/ircd.pem +mv /etc/ssl/certs/ircd.dhparam /home/ircserver/ircd/ssl/dhparam.pem +chmod 640 /home/ircserver/ircd/ssl/* +chown -R ircserver:ircserver /home/ircserver/ircd +chown -R ircserver:ircserver /home/ircserver/services +chown -R ircserver:ircserver /home/ircserver/ircd/ssl +#+END_SRC + +Regenerate email certificate. + +#+BEGIN_SRC: bash +makecert exim +mv /etc/ssl/private/exim.key /etc/exim4 +mv /etc/ssl/certs/exim.crt /etc/exim4 +mv /etc/ssl/certs/exim.dhparam /etc/exim4 +chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam +chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam +#+END_SRC + +As an added precaution you may wish to regenerate your ssh host keys: + +#+BEGIN_SRC: bash +rm /etc/ssh/ssh_host_* +dpkg-reconfigure openssh-server +#+END_SRC + +Then reboot the server with: + +#+BEGIN_SRC: bash +reboot +#+END_SRC + +** Example crontab file + +This is an example of what your crontab file might look like, with the more frequently run tasks at the top. For the two most frequent tasks specific minutes within each hour are given and they're arranged to try to minimise the number of things running simultaneously. + +#+BEGIN_SRC: bash +# /etc/crontab: system-wide crontab +# Unlike any other crontab you don't have to run the `crontab' +# command to install the new version when you edit this file +# and files in /etc/cron.d. These files also have username fields, +# that none of the other crontabs do. + +SHELL=/bin/sh +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +# m h dom mon dow user command +10,20,30,40,50 * * * * root /usr/bin/timeout 120 /usr/bin/dynamicdns && /usr/bin/spamfilter myusername +15,35,55 * * * * root cd /var/www/mydomainname/htdocs; /usr/bin/timeout 240 /usr/bin/php include/poller.php +17 * * * * root cd / && run-parts --report /etc/cron.hourly +25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) +47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) +52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) +#+END_SRC + +** Using your own domain +Suppose that you have bought a domain name (rather than using a free subdomain on freedns) and you want to use that instead. + +Remove any existing nameservers for your domain (or select "custom" nameservers), then add: + +#+BEGIN_SRC: bash +NS1.AFRAID.ORG +NS2.AFRAID.ORG +NS3.AFRAID.ORG +NS4.AFRAID.ORG +#+END_SRC + +It might take a few minutes for the above change to take effect. Within freedns click on "Domains" and add your domains (this might only be available to paid members). Make sure that they're marked as "private". + +Select "Subdomains" from the menu on the left then select the MX entry for your domain and change the destination to *10:mydomainname* rather than *10:mail.mydomainname*. + +To route email to one of your freedns domains: + +#+BEGIN_SRC: bash +editor /etc/mailname +#+END_SRC + +Add any extra domains which you own, then save and exit. + +#+BEGIN_SRC: bash +editor /etc/exim4/update-exim4.conf.conf +#+END_SRC + +Within dc_other_hostnames add your extra domain names, separated by a colon ':' character. + +Save and exit, then restart exim. + +#+BEGIN_SRC: bash +update-exim4.conf.template -r +update-exim4.conf +service exim4 restart +#+END_SRC + +You should now be able to send an email from /postmaster@mynewdomainname/ and it should arrive in your inbox. + +** Obtaining an "official" SSL certificate +You can obtain a free "official" (as in recognised by default by web browsers) SSL certificate from [[https://www.startssl.com/][StartSSL]]. You will first need to have bought a domain name, since it's not possible to obtain one for a freedns subdomain, so see [[Using your own domain]] for details of how to do that. You should also have tested that you can send email to the domain and receive it on the BBB (via Mutt or any other email client). + +When creating a SSL certificate it's important that the private key (the private component of the public/private pair in [[https://en.wikipedia.org/wiki/Public-key_cryptography][public key cryptography]]) be generated on the BBB /and remain there/. Don't generate the private key via the StartSSL certificate wizard because this means that potentially they may retain a copy of it which could then be exfiltrated either via [[https://en.wikipedia.org/wiki/Lavabit][Lavabit]] style methodology, "implants", compromised sysadmins or other "side channel" methods. So that the private key isn't broadcast on the internet we can instead generate a certificate request, which is really just a request for authorisation of a public key. + +Firstly you should have a web server site configuration ready to go. See [[Setting up a web site]] for details. + +Within StartSSL under the validations wizard validate your domain, which means sending an email to it and confirming a code. + +Now we can generate the certificate request as follows. + +#+BEGIN_SRC: bash +export HOSTNAME=mydomainname.com +openssl genrsa -out /etc/ssl/private/$HOSTNAME.key 2048 +chown root:ssl-cert /etc/ssl/private/$HOSTNAME.key +chmod 440 /etc/ssl/private/$HOSTNAME.key +mkdir /etc/ssl/requests +#+END_SRC + +Now make a certificate request as follows. You should copy and paste the whole of this, not just line by line. + +#+BEGIN_SRC: bash +openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/requests/$HOSTNAME.csr +#+END_SRC + +For the email address it's a good idea to use postmaster@mydomainname. + +Use a random 20 character password, and keep a note of it. We'll remove this later. + +View the request with: + +#+BEGIN_SRC: bash +cat /etc/ssl/requests/$HOSTNAME.csr +#+END_SRC + +You can then click on "skip" within the StartSSL certificates wizard and copy and paste the encrypted request into the text entry box. A confirmation will be emailed back to you normally within a few hours. + +Log into your StartSSL account and select *Retrieve Certificate* from the *Tool Box* tab. Copy the text. + +#+BEGIN_SRC: bash +editor /etc/ssl/certs/$HOSTNAME.crt +#+END_SRC + +Paste the public key, then save and exit. Then on the BBB. + +#+BEGIN_SRC: bash +mkdir /etc/ssl/roots +mkdir /etc/ssl/chains +wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca" +wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem" +wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem" +wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem" +ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca" +ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca" +cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root" +test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root" +test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root" +#+END_SRC + +To avoid any possibility of the certificates being accidentally overwritten by self-signed ones at a later date you can create backups. + +#+BEGIN_SRC: bash +mkdir /etc/ssl/backups +mkdir /etc/ssl/backups/certs +mkdir /etc/ssl/backups/private +cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/ +cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/ +chmod -R 400 /etc/ssl/backups/certs/* +chmod -R 400 /etc/ssl/backups/private/* +#+END_SRC + +Remove the certificate password, so if the server is rebooted then it won't wait indefinitely for a non-existant keyboard user to type in a password. + +#+BEGIN_SRC: bash +openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key +cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key +shred -zu /etc/ssl/private/$HOSTNAME.new.key +#+END_SRC + +Create a bundled certificate which joins the certificate and chain file together. + +#+BEGIN_SRC: bash +cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt +#+END_SRC + +And also add it to the overall bundle of certificates for the BBB. This will allow you to easily install the certificates onto other systems. + +#+BEGIN_SRC: bash +mkdir /etc/ssl/mycerts +cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts +cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt +tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt +#+END_SRC + +Edit your configuration file. + +#+BEGIN_SRC: bash +editor /etc/nginx/sites-available/$HOSTNAME +#+END_SRC + +Add the following to the section which starts with *listen 443* + +#+BEGIN_SRC: bash + ssl_certificate /etc/ssl/certs/mydomainname.com.bundle.crt; +#+END_SRC + +Save and exit, then restart the web server. + +#+BEGIN_SRC: bash +service nginx restart +#+END_SRC + +Now visit your web site at https://mydomainname.com and you should notice that there is no certificate warning displayed. You will now be able to install systems which don't allow the use of self-signed certificates, such as [[https://redmatrix.me/&JS=1][Red Matrix]]. + +* Deprecated + +The following items have been deprecated until such time as a successful installation is achieved. + +** Gitlab + +Install some dependencies: + +#+BEGIN_SRC: bash +apt-get update -y +apt-get upgrade -y +apt-get install sudo -y +apt-get install -y build-essential zlib1g-dev libyaml-dev libssl-dev libgdbm-dev libreadline-dev libncurses5-dev libffi-dev curl openssh-server redis-server checkinstall libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev logrotate git-core +#+END_SRC + +Install bundler + +#+BEGIN_SRC: bash +gem install bundler --no-ri --no-rdoc +#+END_SRC + +Create a user for running Gitlab. + +#+BEGIN_SRC: bash +adduser --disabled-login --gecos 'GitLab' git +#+END_SRC + +Install mysql (it may already be installed). + +#+BEGIN_SRC: bash +apt-get install -y mysql-server mysql-client libmysqlclient-dev +mysql_secure_installation +mysql -u root -p +#+END_SRC + +Enter the following commands, substituting /gitlabpassword/ with a password to be used for the Gitlab installation. + +#+BEGIN_SRC: bash +CREATE USER 'git'@'localhost' IDENTIFIED BY 'gitlabpassword'; +SET storage_engine=INNODB; +CREATE DATABASE IF NOT EXISTS `gitlabhq_production` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`; +GRANT SELECT, LOCK TABLES, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON `gitlabhq_production`.* TO 'git'@'localhost'; +quit +#+END_SRC + +Obtain the code and install it. + +#+BEGIN_SRC: bash +cd /home/git +sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-ce.git -b 6-8-stable gitlab +cd /home/git/gitlab +sudo -u git -H cp /home/git/gitlab/config/gitlab.yml.example /home/git/gitlab/config/gitlab.yml +sudo -u git -H editor /home/git/gitlab/config/gitlab.yml +#+END_SRC + +Set /host/ to your gitlab domain name, /port/ to 443 and /https/ to true, then save and exit. + +#+BEGIN_SRC: bash +chown -R git /home/git/gitlab/log/ +chown -R git /home/git/gitlab/tmp/ +chmod -R u+rwX /home/git/gitlab/log/ +chmod -R u+rwX /home/git/gitlab/tmp/ +sudo -u git -H mkdir /home/git/gitlab-satellites +chmod u+rwx,g+rx,o-rwx /home/git/gitlab-satellites +chmod -R u+rwX /home/git/gitlab/tmp/pids/ +chmod -R u+rwX /home/git/gitlab/tmp/sockets/ +chmod -R u+rwX /home/git/gitlab/public/uploads +sudo -u git -H cp /home/git/gitlab/config/unicorn.rb.example /home/git/gitlab/config/unicorn.rb +#sudo -u git -H editor /home/git/gitlab/config/unicorn.rb +sudo -u git -H cp /home/git/gitlab/config/initializers/rack_attack.rb.example /home/git/gitlab/config/initializers/rack_attack.rb +sudo -u git -H git config --global user.name "GitLab" +sudo -u git -H git config --global user.email "gitlab@localhost" +sudo -u git -H git config --global core.autocrlf input +sudo -u git cp /home/git/gitlab/config/database.yml.mysql /home/git/gitlab/config/database.yml +sudo -u git -H chmod o-rwx /home/git/gitlab/config/database.yml +sudo -u git -H bundle install --deployment --without development test postgres aws +#+END_SRC + +Fails here with: + +/Could not find libv8-3.16.14.3 in any of the sources/ +/Run `bundle install` to install missing gems./ + +#+BEGIN_SRC: bash +sudo -u git -H bundle exec rake gitlab:setup RAILS_ENV=production +sudo -u git -H bundle exec rake gitlab:shell:install[v1.9.3] REDIS_URL=redis://localhost:6379 +sudo -u git -H editor /home/git/gitlab-shell/config.yml +cp lib/support/init.d/gitlab /etc/init.d/gitlab +update-rc.d gitlab defaults 21 +cp lib/support/logrotate/gitlab /etc/logrotate.d/gitlab +sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production +sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production +service gitlab start +#+END_SRC + +Set up the Apache configuration. + +#+BEGIN_SRC: bash +cp lib/support/apache/gitlab /etc/apache2/sites-available/mygitlabdomain +editor /etc/apache2/sites-available/mygitlabdomain +#+END_SRC + +Set your domain name and email accordingly. + +#+BEGIN_SRC: bash +a2ensite mygitlabdomain +#+END_SRC + +** Monkeysphere + +#+BEGIN_SRC: bash +aptitude install monkeysphere +aptitude install msva-perl +aptitude install xul-ext-monkeysphere + +export HOSTNAME=mydomainname.com +monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$HOSTNAME +monkeysphere-host publish-key +#+END_SRC + +** Diaspora + +First install some dependencies: + +#+BEGIN_SRC: bash +aptitude install build-essential libssl-dev libcurl4-openssl-dev libxml2-dev libxslt-dev imagemagick git-core redis-server curl libmysqlclient-dev libmagickwand-dev librtmp-dev libgnutls-dev libp11-kit-dev libp11-kit0 curl gawk libreadline6-dev libyaml-dev sqlite3 libgdbm-dev libffi-dev +#+END_SRC + +If there is trouble with dependencies select 'n' then 'y' to the solution. + +Create a diaspora user. + +#+BEGIN_SRC: bash +adduser --disabled-login diaspora +su diaspora +cd ~/ +curl -L dspr.tk/1t | bash +echo "[[ -s \"$HOME/.rvm/scripts/rvm\" ]] && source \"$HOME/.rvm/scripts/rvm\"" >> ~/.bashrc +. ~/.bashrc +rvm autolibs read-only +rvm install ruby-2.0.0-p481 +git clone https://github.com/diaspora/diaspora.git +cd diaspora +#+END_SRC + +Select 'y' to trust /home/diaspora/diaspora/.rvmrc + +#+BEGIN_SRC: bash +cp config/diaspora.yml.example config/diaspora.yml +editor config/diaspora.yml +#+END_SRC + +Set *url* to https://mydiasporadomainname.com/ + +Set *certificate_authorities* to */etc/ssl/certs/ca-certificates.crt* + +Set *require_ssl* to *true* + +Set *single_process_mode* to *false* + +Set *port* to 3001 + +Set *rails_environment* to 'production'. + +Set *pod_name* to the name of your pod. + +Set *enable_registrations* to *true*. + +Set *autofollow_on_join* to *false* + +Under *captcha* set *enable* to *false* + +Under *invitations* set *open* to *true* + +Set *bitcoin_address* if you wish to accept donations. + +Under *mail* set *enable* to *true* + +Set *sender_address* to no-reply@mydiasporadomainname.com + +Set *method* to *sendmail* + +Set *exim_fix* to true. + +Under *admins* set *account* to your username + +Under *admins* set *podmin_email* to your email address + +Save and exit. + +#+BEGIN_SRC: bash +RAILS_ENV=production bundle install --without test development +#+END_SRC + +This will take quite a while to install. + +#+BEGIN_SRC: bash +RAILS_ENV=production bundle exec rake db:create db:schema:load +bundle exec rake assets:precompile +#+END_SRC + +Alter the Apache configuration. + +#+BEGIN_SRC: bash +exit +export HOSTNAME=mydiasporadomainname.com +editor /etc/apache2/sites-available/$HOSTNAME +#+END_SRC + +Delete anything which already exists and add the following: + +#+BEGIN_SRC: bash + + ServerName mydiasporadomainname.com + ServerAlias www.mydiasporadomainname.com + + RedirectPermanent / https://mydiasporadomainname.com/ + + + + ServerName mydiasporadomainname.com + ServerAlias www.mydiasporadomainname.com + + DocumentRoot /home/diaspora/diaspora/public + + RewriteEngine On + + RewriteCond %{HTTP_HOST} !^mydiasporadomainname\.com [NC] + RewriteRule ^/(.*)$ https://mydiasporadomainname\.com/$1 [L,R,QSA] + + RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f + RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L] + + + BalancerMember http://127.0.0.1:3001 + + + ProxyRequests Off + ProxyVia On + ProxyPreserveHost On + RequestHeader set X_FORWARDED_PROTO https + + + # Apache < 2.4 + Order allow,deny + Allow from all + # Apache >= 2.4 + #Require all granted + + + + Options -MultiViews + # Apache < 2.4 + Allow from all + AllowOverride all + # Apache >= 2.4 + #Require all granted + + + SSLEngine On + SSLCertificateFile /etc/ssl/certs/mydiasporadomainname.com.crt + SSLCertificateKeyFile /etc/ssl/private/mydiasporadomainname.com.key + + # maybe not needed, need for example for startssl to point to a local + # copy of http://www.startssl.com/certs/sub.class1.server.ca.pem + SSLCertificateChainFile /etc/ssl/chains/startssl-sub.class1.server.ca.pem + + # Based on https://wiki.mozilla.org/Security/Server_Side_TLS - consider as global configuration + SSLProtocol all -SSLv2 + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK + SSLHonorCipherOrder on + SSLCompression off + +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +editor /usr/bin/rundiaspora +#+END_SRC + +Add the following. + +#+BEGIN_SRC: bash +#!/bin/sh +USERNAME=diaspora +COMMAND="cd /home/$USERNAME/diaspora; /bin/sh /home/$USERNAME/diaspora/script/server > /home/$USERNAME/diaspora.log" +su -l $USERNAME -c '$COMMAND' +#+END_SRC + +Save and exit. + +Create an init script: + +#+BEGIN_SRC: bash +chmod +x /usr/bin/rundiaspora +editor /etc/init.d/diaspora +#+END_SRC + +Add the following. + +#+BEGIN_SRC: bash +#!/bin/bash +# /etc/init.d/diaspora + +### BEGIN INIT INFO +# Provides: diaspora +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: starts diaspora +# Description: Starts Diaspora. +### END INIT INFO + +# Author: Bob Mottram + +#Settings +SERVICE='diaspora' +HISTORY=1024 +USERNAME='diaspora' +COMMAND="rundiaspora" +NICELEVEL=19 # from 0-19 +INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" +PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin' + + +diaspora_start() { + echo -n $"Starting $SERVICE service" + screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION} +# su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME +# su -l $USERNAME -c "$COMMAND" +# RETVAL=$? + echo +} + + +diaspora_stop() { + echo -n $"Stopping $SERVICE service" + screen -p 0 -S ${SERVICE} -X stuff "'^C'" +# su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME +# su -l $USERNAME -c "/home/$USERNAME/diaspora/script/server" +# RETVAL=$? + echo +} + + +#Start-Stop here +case "$1" in + start) + diaspora_start + ;; + stop) + diaspora_stop + ;; + restart) + diaspora_stop + diaspora_start + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 + ;; +esac + +exit 0 +#+END_SRC + +Save and exit. + +#+BEGIN_SRC: bash +chmod +x /etc/init.d/diaspora +update-rc.d diaspora defaults +service diaspora start +#+END_SRC + +Now enable the site: + +#+BEGIN_SRC: bash +a2enmod ssl +a2enmod rewrite +a2enmod headers +a2enmod proxy +a2enmod proxy_connect +a2enmod proxy_http +a2enmod proxy_balancer +a2ensite $HOSTNAME +service apache2 restart +#+END_SRC + +* Related projects + + * [[https://arkos.io/][ArkOS]] + * [[https://freedomboxfoundation.org/][Freedombox]] + * [[https://github.com/JoshData/mailinabox][Mail-in-a-Box]] + * [[https://github.com/sandstorm-io/sandstorm][Sandstorm]] + * [[https://github.com/al3x/sovereign][Sovereign]] diff --git a/doc/us/code.org b/doc/us/code.org new file mode 100644 index 00000000..4f6b3638 --- /dev/null +++ b/doc/us/code.org @@ -0,0 +1,17 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@robotics.uk.to +#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber +#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server +#+OPTIONS: ^:nil +#+BEGIN_CENTER +[[./images/logo.png]] +#+END_CENTER + +| [[file:index.html][Home]] | + +Freedombone is really just a couple of [[http://www.gnu.org/software/bash][bash]] scripts which install and configure software on a Debian GNU/Linux system. If you're a system administrator, software engineer or Linux hobbyist you'll probably be familiar with command line scripting and be able to make your own modifications or custom variants to suit your needs. Freedombone is licensed under the [[https://www.gnu.org/licenses/gpl-3.0-standalone.html][GNU General Public License version 3]]. + +You can find the source code for this project [[https://github.com/bashrc/freedombone][on Github]]. + +Bugs or feature requests should be [[https://github.com/bashrc/freedombone/issues][entered here]]. diff --git a/doc/us/faq.org b/doc/us/faq.org new file mode 100644 index 00000000..21df4eca --- /dev/null +++ b/doc/us/faq.org @@ -0,0 +1,246 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@robotics.uk.to +#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber +#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server +#+OPTIONS: ^:nil +#+BEGIN_CENTER +[[./images/logo.png]] +#+END_CENTER + +#+BEGIN_CENTER +#+ATTR_HTML: :border -1 +| [[file:index.html][Home]] | +| [[Why not supply a disk image download?]] | +| [[Is metadata protected?]] | +| [[Why isn't dynamic DNS working?]] | +| [[How do I get a domain name?]] | +| [[How do I get a "real" SSL certificate?]] | +| [[Why use self-signed certificates?]] | +| [[Why not use the services of $company instead? They took the Seppuku pledge]] | +#+END_CENTER + +* Why not supply a disk image download? +Shipping a Freedombone disk image ready to install on a flash disk would be easy, but disk images are relatively opaque. It would be quite easy to hide something nasty within a disk image and the user might never know. To guard against that possibility installing via the *freedombone* command is a lot more transparent, since it's really just a bash script. You can check the script code to see exactly what it's doing, and the packages are all downloaded from standard Debian repos (you can even choose which one you trust) or git repos. Doing it this way the system is fully auditable, whereas when shipping a disk image it's harder to be confident that no nefarious extras have been added. +* Is metadata protected? +Even when using Freedombone metadata analysis by third parties is still possible. They might have a much harder time knowing what the content is, but they can potentially construct extensive dossiers based upon who communicated with your server when. Metadata leakage is a general problem with most current web systems and it is hoped that more secure technology will become available in future. But for now if metadata protection is your main concern using Freedombone won't help. +* Why isn't dynamic DNS working? +If you run the command: + +#+BEGIN_SRC bash +service inadyn status +#+END_SRC + +And see some error related to checking for changes in the IP address then you can try other external IP services. Edit */etc/inadyn.conf* and change the domain for the *checkip-url* parameter. Possible sites are: + +#+BEGIN_SRC bash +https://check.torproject.org/ +https://www.whatsmydns.net/whats-my-ip-address.html +https://www.privateinternetaccess.com/pages/whats-my-ip/ +http://checkip.two-dns.de +http://ip.dnsexit.com +http://ifconfig.me/ip +http://ipecho.net/plain +http://checkip.dyndns.org/plain +http://ipogre.com/linux.php +http://whatismyipaddress.com/ +http://ip.my-proxy.com/ +http://websiteipaddress.com/WhatIsMyIp +http://getmyipaddress.org/ +http://www.my-ip-address.net/ +http://myexternalip.com/raw +http://www.canyouseeme.org/ +http://www.trackip.net/ +http://icanhazip.com/ +http://www.iplocation.net/ +http://www.howtofindmyipaddress.com/ +http://www.ipchicken.com/ +http://whatsmyip.net/ +http://www.ip-adress.com/ +http://checkmyip.com/ +http://www.tracemyip.org/ +http://checkmyip.net/ +http://www.lawrencegoetz.com/programs/ipinfo/ +http://www.findmyip.co/ +http://ip-lookup.net/ +http://www.dslreports.com/whois +http://www.mon-ip.com/en/my-ip/ +http://www.myip.ru +http://ipgoat.com/ +http://www.myipnumber.com/my-ip-address.asp +http://www.whatsmyipaddress.net/ +http://formyip.com/ +http://www.displaymyip.com/ +http://www.bobborst.com/tools/whatsmyip/ +http://www.geoiptool.com/ +http://checkip.dyndns.com/ +http://myexternalip.com/ +http://www.ip-adress.eu/ +http://www.infosniper.net/ +http://wtfismyip.com/ +http://ipinfo.io/ +http://httpbin.org/ip +#+END_SRC + +* How do I get a domain name? +Suppose that you have bought a domain name (rather than using a free subdomain on freedns) and you want to use that instead. + +Remove any existing nameservers for your domain (or select "custom" nameservers), then add: + +#+BEGIN_SRC bash +NS1.AFRAID.ORG +NS2.AFRAID.ORG +NS3.AFRAID.ORG +NS4.AFRAID.ORG +#+END_SRC + +It might take a few minutes for the above change to take effect. Within freedns click on "Domains" and add your domains (this might only be available to paid members). Make sure that they're marked as "private". + +Select "Subdomains" from the menu on the left then select the MX entry for your domain and change the destination to *10:mydomainname* rather than *10:mail.mydomainname*. + +To route email to one of your freedns domains: + +#+BEGIN_SRC bash +editor /etc/mailname +#+END_SRC + +Add any extra domains which you own, then save and exit. + +#+BEGIN_SRC bash +editor /etc/exim4/update-exim4.conf.conf +#+END_SRC + +Within dc_other_hostnames add your extra domain names, separated by a colon ':' character. + +Save and exit, then restart exim. + +#+BEGIN_SRC bash +update-exim4.conf.template -r +update-exim4.conf +service exim4 restart +#+END_SRC + +You should now be able to send an email from /postmaster@mynewdomainname/ and it should arrive in your inbox. + +* How do I get a "real" SSL certificate? +You can obtain a free "official" (as in recognised by default by web browsers) SSL certificate from [[https://www.startssl.com/][StartSSL]]. You will first need to have bought a domain name, since it's not possible to obtain one for a freedns subdomain, so see [[Using your own domain]] for details of how to do that. You should also have tested that you can send email to the domain and receive it on the Freedombone (via Mutt or any other email client). + +When creating a SSL certificate it's important that the private key (the private component of the public/private pair in [[https://en.wikipedia.org/wiki/Public-key_cryptography][public key cryptography]]) be generated on the Freedombone /and remain there/. Don't generate the private key via the StartSSL certificate wizard because this means that potentially they may retain a copy of it which could then be exfiltrated either via [[https://en.wikipedia.org/wiki/Lavabit][Lavabit]] style methodology, "implants", compromised sysadmins or other "side channel" methods. So that the private key isn't broadcast on the internet we can instead generate a certificate request, which is really just a request for authorisation of a public key. + +Firstly you should have a web server site configuration ready to go. See [[Setting up a web site]] for details. + +Within StartSSL under the validations wizard validate your domain, which means sending an email to it and confirming a code. + +Now we can generate the certificate request as follows. + +#+BEGIN_SRC bash +export HOSTNAME=mydomainname.com +openssl genrsa -out /etc/ssl/private/$HOSTNAME.key 2048 +chown root:ssl-cert /etc/ssl/private/$HOSTNAME.key +chmod 440 /etc/ssl/private/$HOSTNAME.key +mkdir /etc/ssl/requests +#+END_SRC + +Now make a certificate request as follows. You should copy and paste the whole of this, not just line by line. + +#+BEGIN_SRC bash +openssl req -new -sha256 -key /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/requests/$HOSTNAME.csr +#+END_SRC + +For the email address it's a good idea to use postmaster@mydomainname. + +Use a random 20 character password, and keep a note of it. We'll remove this later. + +View the request with: + +#+BEGIN_SRC bash +cat /etc/ssl/requests/$HOSTNAME.csr +#+END_SRC + +You can then click on "skip" within the StartSSL certificates wizard and copy and paste the encrypted request into the text entry box. A confirmation will be emailed back to you normally within a few hours. + +Log into your StartSSL account and select *Retrieve Certificate* from the *Tool Box* tab. Copy the text. + +#+BEGIN_SRC bash +editor /etc/ssl/certs/$HOSTNAME.crt +#+END_SRC + +Paste the public key, then save and exit. Then on the Freedombone. + +#+BEGIN_SRC bash +mkdir /etc/ssl/roots +mkdir /etc/ssl/chains +wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca" +wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem" +wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem" +wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem" +ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca" +ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca" +cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root" +test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root" +test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root" +#+END_SRC + +To avoid any possibility of the certificates being accidentally overwritten by self-signed ones at a later date you can create backups. + +#+BEGIN_SRC bash +mkdir /etc/ssl/backups +mkdir /etc/ssl/backups/certs +mkdir /etc/ssl/backups/private +cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/ +cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/ +chmod -R 400 /etc/ssl/backups/certs/* +chmod -R 400 /etc/ssl/backups/private/* +#+END_SRC + +Remove the certificate password, so if the server is rebooted then it won't wait indefinitely for a non-existant keyboard user to type in a password. + +#+BEGIN_SRC bash +openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key +cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key +shred -zu /etc/ssl/private/$HOSTNAME.new.key +#+END_SRC + +Create a bundled certificate which joins the certificate and chain file together. + +#+BEGIN_SRC bash +cat /etc/ssl/certs/$HOSTNAME.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > /etc/ssl/certs/$HOSTNAME.bundle.crt +#+END_SRC + +And also add it to the overall bundle of certificates for the Freedombone. This will allow you to easily install the certificates onto other systems. + +#+BEGIN_SRC bash +mkdir /etc/ssl/mycerts +cp /etc/ssl/certs/$HOSTNAME.bundle.crt /etc/ssl/mycerts +cat /etc/ssl/mycerts/*.crt > /etc/ssl/freedombone-bundle.crt +tar -czvf /etc/ssl/freedombone-certs.tar.gz /etc/ssl/mycerts/*.crt +#+END_SRC + +Edit your configuration file. + +#+BEGIN_SRC bash +editor /etc/nginx/sites-available/$HOSTNAME +#+END_SRC + +Add the following to the section which starts with *listen 443* + +#+BEGIN_SRC bash + ssl_certificate /etc/ssl/certs/mydomainname.com.bundle.crt; +#+END_SRC + +Save and exit, then restart the web server. + +#+BEGIN_SRC bash +service nginx restart +#+END_SRC + +Now visit your web site at https://mydomainname.com and you should notice that there is no certificate warning displayed. You will now be able to install systems which don't allow the use of self-signed certificates, such as [[https://redmatrix.me/&JS=1][Red Matrix]]. + +* Why use self-signed certificates? +Almost everywhere on the web you will read that self-signed certificates are worthless. They bring up scary looking browser warnings and gurus will advise you not to use them. Self-signed certificates are quite useful though. What the scary warnings mean - and it would be good if they explained this more clearly - is that you have an encrypted connection established but there is /no certainty about who that connection is with/. The usual solution to this is to get a "real" SSL certificate from one of the certificate authorities, but it's far from clear that such authorities can be trusted. There have been various scandals involving such organisations, and it does not seem plausible to assume that they are somehow immune to the sort of treatment which [[http://en.wikipedia.org/wiki/Lavabit][Lavabit]] received. So although most internet users have been trained to look for the lock icon as an indication that the connection is secured that belief may not always be well founded. + +Security of web sites on the internet is still a somewhat unsolved problem, and what we have now is a less than ideal but /good enough to fool most of the people most of the time/ kind of arrangement. Long term a better solution might be to have a number of certificate authorities in a number of different jurisdictions vote on whether a given certificate actually belongs to a given domain name. Experimental systems like this exist, but they're not widely used. Since the current certificate system has an enormous amount of inertia behind it change could be slow in arriving. + +For now a self-signed certificate will probably in most cases protect your communications from "bulk" passive surveillance. Once you've got past the scary browser warning and accepted the certificate under most conditions (except when starting up the Tor browser) you should not repeatedly see that warning. If you do then someone may be trying to meddle with your connection to the server. You can also take a note of the fingerprint of the certificate and verify that if you are especially concerned. If the fingerprint remains the same then you're probably ok. +* Why not use the services of $company instead? They took the Seppuku pledge +[[http://seppuku.cryptostorm.org][That pledge]] is utterly worthless. Years ago people trusted Google in the same sort of way, because they promised not be be evil and because a lot of the engineers working for them seemed like honest types who were "/on our side/". Post-[[https://en.wikipedia.org/wiki/Nymwars][nymwars]] and post-[[https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29][PRISM]] we know exactly how much Google cared about the privacy and security of its users. But Google is only one particular example. In general don't trust pledges made by companies, even if the people running them seem really sincere. diff --git a/doc/us/index.org b/doc/us/index.org new file mode 100644 index 00000000..1e17a458 --- /dev/null +++ b/doc/us/index.org @@ -0,0 +1,32 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@robotics.uk.to +#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber +#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server +#+OPTIONS: ^:nil +#+BEGIN_CENTER +[[./images/logo.png]] +#+END_CENTER + +#+BEGIN_CENTER +#+ATTR_HTML: :border -1 +| [[./variants.html][Variants]] | [[./installation.html][Installation]] | [[./usage.html][How to use it]] | [[file:backups.html][Backups]] | [[./code.html][Code]] | [[./related.html][Related Projects]] | [[file:faq.html][FAQ]] | [[file:support.html][Support]] | [[https://www.gnu.org/licenses/gpl-3.0-standalone.html][License]] | +#+END_CENTER + +Freedombone is a self-hosted home server configuration which can be installed onto any computer capable of running Debian Jessie. If you have an old laptop or netbook which you can leave turned on then you can use Freedombone to provide your own internet services, such as blogging, wiki, email, chat and social networking and have independence from the well known internet companies. + +#+BEGIN_QUOTE +"With the increasing move of our computing to cloud infrastructures, we give up the control of our computing to the managers of those infrastructures. Our terminals (laptops, desktops) might now be running entirely on Free Software, but this is increasingly irrelevant given that most of what actually matters gets executed on a remote closed system that we don’t control. The Free Software community needs to work to help users keep the control of all their computing, by developing suitable alternatives and facilitating their deployment." -- Lucas Nussbaum +#+END_QUOTE + +Today everyone is concerned about privacy on the internet. At the same time there's a problem with the companies who have traditionally provided most of the web services. The people running those companies may be well-intentioned - as in the famous motto "/don't be evil/" - but the advertising based business model which currently dominates, combined with an increasing level of political pressure to insert backdoors means that it is usually impossible for companies operating within both their own business models and the framework of national laws to provide you with services which don't intentionally leak your private communications to advertisers, insurers or governments. + +Another problem is the precariousness of the terms of service. Except in rare cases such terms are not easy to read, so many people end up clicking through terms which if explained more clearly they would never agree to. Over the past decade many internet users have had the unpleasant experience of having their blogs, videos or other web content inexplicably removed, typically due to some ill-defined terms of service violation or a false accusation of copyright infringement. + +You can bypass all of these dilemmas and take back ownership of your internet content with Freedombone. Originally based upon the Beaglebone Black, Freedombone is a small and cheap home server which enables you to use email, have your own web site and do social networking without any built-in spying and without having to agree to any legal terms of service other than those of your ISP. It provides independence and security in an era where those things are in short supply. + +#+BEGIN_CENTER +[[file:images/surveillance.png]] +#+END_CENTER + +An emphasis of the Freedombone project is the protection of private communications from indiscriminate mass surveillance, otherwise known as "/bulk intercept/" or "/warrantless wiretapping/". With only a few exceptions data entering and leaving the system is encrypted using settings recommended by [[https://bettercrypto.org][bettercrypto.org]]. Stored emails are encrypted such that only someone knowing your GPG password can read them and a GPG key is created automatically if you don't already have one. The system is firewalled with only the necessary ports being opened. Exclusively [[http://en.wikipedia.org/wiki/Free_software][free software]] is used so that all of it can potentially be security audited and proprietary repositaries are disabled by default. There are still numerous security problems with the internet in general and software always contains bugs, but a best attempt has been made to ensure that the Freedombone is at least more secure than average. A limitation is that this system will not protect you from metadata analysis, although it is hoped that new types of email system may be able to do that in future. diff --git a/doc/us/installation.org b/doc/us/installation.org new file mode 100644 index 00000000..71210150 --- /dev/null +++ b/doc/us/installation.org @@ -0,0 +1,184 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@robotics.uk.to +#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber +#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server +#+OPTIONS: ^:nil +#+BEGIN_CENTER +[[./images/logo.png]] +#+END_CENTER +| [[file:index.html][Home]] | [[Preparation for the Beaglebone Black]] | [[Checklist]] | [[GPG Keys]] | [[Interactive Setup]] | [[Non-Interactive Setup]] | [[Post-Setup]] | [[On Client Machines]] | + + +* Preparation for the Beaglebone Black +This section is specific to the Beaglebone Black hardware. If you're not using that hardware then just skip to the next section. + +To get started you will need: + + - A Beaglebone Black + - A MicroSD card + - Ethernet cable + - Optionally a 5V 2A power supply for the Beaglebone Black + - Access to the internet via a router with ethernet sockets + - USB thumb drive (for backups or storing media) + - One or more domains available via a dynamic DNS provider, such as https://freedns.afraid.org + - A purchased domain name and SSL certificate (only needed for Red Matrix) + - A laptop or desktop machine with the ability to write to a microSD card (might need an adaptor) + +You will also need to know, or find out, the IP address of your internet router and have a suitable static IP address for the Beaglebone on your local network. The router should allow you to forward ports to the Beaglebone (often this is under firewall or "advanced" settings). + +You can either install from a debian package or manually as follows: + +#+BEGIN_SRC bash +sudo apt-get update +sudo apt-get install git dialog build-essential +git clone https://github.com/bashrc/freedombone +cd freedombone +sudo make install +#+END_SRC + +Plug the microSD card into your laptop/desktop and then run the *freedombone-prep* command. For example: + +#+BEGIN_SRC bash +freedombone-prep -d /dev/sdX --ip freedombone_IP_address --iprouter router_IP_address +#+END_SRC + +where /dev/sdX is the device name for the microSD card. Often it's /dev/sdb or /dev/sdc, depending upon how many drives there are on your system. The script will download the Debian installer and update the microSD card. It can take a while, so be patient. + +When the initial setup is done follow the instructions on screen to run the main freedombone command. + +* Checklist +Before running the freedombone command you will need a few things. + + * Have some domains, or subdomains, registered with a dynamic DNS service + * System with a new installation of Debian Jessie + * Ethernet connection to an internet router + * It is possible to forward ports from the internet router to the system + * If you want to set up a social network or microblog then you will need SSL certificates corresponding to those domains + * Have ssh access to the system + +* GPG Keys +If you have existing GPG keys then copy the .gnupg directory onto the system. + +#+BEGIN_SRC bash +scp -r ~/.gnupg username@freedombone_IP_address:/home/username +#+END_SRC + +* Interactive Setup +The interactive server configuration setup is recommended for most users. On the system where freedombone is to be installed create a configuration file. + +#+BEGIN_SRC bash +ssh username@freedombone_IP_address +su +sudo apt-get update +apt-get install git dialog build-essential +git clone https://github.com/bashrc/freedombone +cd freedombone +make install +#+END_SRC + +Now the easiest way to install the system is via the interactive setup. + +#+BEGIN_SRC bash +freedombone menuconfig +#+END_SRC + +You can select which variant you wish to install and then enter the details as requested. A video of the install sequence can be [[./installer.ogv][seen here]]. + +* Non-Interactive Setup +If you don't want to install interactively then it's possible to manually create a configuration file as follows: + +On the system where freedombone is to be installed create a configuration file. + +#+BEGIN_SRC bash +ssh username@freedombone_IP_address +su +sudo apt-get update +apt-get install git build-essential +git clone https://github.com/bashrc/freedombone +cd freedombone +make install +nano /home/username/freedombone/freedombone.cfg +#+END_SRC + +Add the following, and set the values as needed. + +#+BEGIN_SRC bash +MY_EMAIL_ADDRESS= +MY_NAME= +MY_BLOG_TITLE= +MY_BLOG_SUBTITLE= +FULLBLOG_DOMAIN_NAME= +MICROBLOG_DOMAIN_NAME= +REDMATRIX_DOMAIN_NAME= +OWNCLOUD_DOMAIN_NAME= +WIKI_DOMAIN_NAME= +WIKI_TITLE= +ENABLE_CJDNS=no +LOCAL_NETWORK_STATIC_IP_ADDRESS= +ROUTER_IP_ADDRESS= +#+END_SRC + +Both of the IP addresses are local IP addresses, typically of the form 192.168.x.x, with one being for the system and the other being for the internet router. + +Save the configuration file and exit from your editor. + +Now you can begin the installation. If you are doing this on a Beaglebone Black: + +#+BEGIN_SRC bash +freedombone --bbb -d [default domain name] -u [username] --ddns [dynamic DNS provider domain] --ddnsuser [dynamic DNS username] --ddnspass [dynamic DNS password] +#+END_SRC + +Or on any other system don't include the *--bbb* option. + +#+BEGIN_SRC bash +freedombone -d [default domain name] -u [username] --ddns [dynamic DNS provider domain] --ddnsuser [dynamic DNS username] --ddnspass [dynamic DNS password] +#+END_SRC + +The above command should be run in the same directory in which your configuration file exists. You can use any of your domains as the default one, but typically the default domain is the same as the one for your wiki. + +Also see the manpage for additional options which can be used instead of a configuration file. If you don't specify a variant type with the final option then everything will be installed. If you have a *freedombone.cfg* file then it should be in the same directory from which the *freedombone* command is run. + +* Post-Setup +Setup of the server and installation of all the relevant packages is not quick, and depends upon which variant you choose and your internet bandwidth. Allow about three hours for a full installation on the Beaglebone Black. On the Beaglebone installation is in two parts, since a reboot is needed to enable the hardware random number generator and zram. + +When done you can ssh into the Freedombone with: + +#+BEGIN_SRC bash +ssh username@domain -p 2222 +#+END_SRC + +Any manual post-installation setup instructions or passwords can be found in /home/username/README. You should remove any passwords from that file and store them within a password manager such as KeepassX. + +On your internet router, typically under firewall settings, open the following ports and forward them to your server. + +| Service | Ports | +|---------+------------| +| HTTP | 80 | +| HTTPS | 443 | +| SSH | 2222 | +| DLNA | 1900 | +| DLNA | 8200 | +| XMPP | 5222..5223 | +| XMPP | 5269 | +| XMPP | 5280..5281 | +| IRC | 6697 | +| IRC | 9999 | +| Git | 9418 | +| Email | 25 | +| Email | 587 | +| Email | 465 | +| Email | 993 | +| VoIP | 64738 | + +* On Client Machines +You can configure laptops or desktop machines which connect to the Freedombone server in the following way. This alters encryption settings to improve overall security. + +#+BEGIN_SRC bash +sudo apt-get update +sudo apt-get install git dialog haveged build-essential +git clone https://github.com/bashrc/freedombone +cd freedombone +sudo make install +freedombone-client +#+END_SRC diff --git a/doc/us/related.org b/doc/us/related.org new file mode 100644 index 00000000..b6841b96 --- /dev/null +++ b/doc/us/related.org @@ -0,0 +1,36 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@robotics.uk.to +#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber +#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server +#+OPTIONS: ^:nil +#+BEGIN_CENTER +[[./images/logo.png]] +#+END_CENTER + +| [[file:index.html][Home]] | + +#+BEGIN_CENTER +The following projects made Freedombone possible. +#+END_CENTER + +#+BEGIN_CENTER +[[http://wiki.nginx.org][file:images/nginx.png]] +[[https://www.openssl.org][file:images/openssl.png]] +#+END_CENTER +#+BEGIN_CENTER +[[https://www.gnupg.org][file:images/gnupg.png]] +[[https://www.debian.org/][file:images/debian.png]] +[[http://freedomboxfoundation.org/][file:images/freedombox.png]] +[[http://beagleboard.org/products/beaglebone+black][file:images/beagleboard.png]] +[[https://www.dokuwiki.org/dokuwiki][file:images/dokuwiki.png]] +#+END_CENTER +#+BEGIN_CENTER +[[http://gnu.io][file:images/gnusocial.png]] +[[https://redmatrix.me/][file:images/redmatrix.png]] +#+END_CENTER +#+BEGIN_CENTER +[[https://prosody.im][file:images/prosody.png]] +[[http://owncloud.org][file:images/owncloud.png]] +[[https://bettercrypto.org/][file:images/bettercrypto.png]] +#+END_CENTER diff --git a/doc/us/support.org b/doc/us/support.org new file mode 100644 index 00000000..f06cb0e3 --- /dev/null +++ b/doc/us/support.org @@ -0,0 +1,39 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@robotics.uk.to +#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber +#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server +#+OPTIONS: ^:nil +#+BEGIN_CENTER +[[./images/logo.png]] +#+END_CENTER + +You can support the Freedombone project with the following banner ads. Download an image and add it to your site or blog with a link to [[http://freedombone.uk.to][http://freedombone.uk.to]]. If you're using [[https://addons.mozilla.org/en-us/firefox/addon/adblock-edge/][AdBlock]] then you may need to disable it on this page to see the images below. + +#+BEGIN_CENTER +[[./ads/freedombone_ad7.jpg]] +#+END_CENTER + +#+BEGIN_CENTER +[[./ads/freedombone_ad1.jpg]] +#+END_CENTER + +#+BEGIN_CENTER +[[./ads/freedombone_ad2.jpg]] +#+END_CENTER + +#+BEGIN_CENTER +[[./ads/freedombone_ad3.jpg]] +#+END_CENTER + +#+BEGIN_CENTER +[[./ads/freedombone_ad4.jpg]] +#+END_CENTER + +#+BEGIN_CENTER +[[./ads/freedombone_ad5.jpg]] +#+END_CENTER + +#+BEGIN_CENTER +[[./ads/freedombone_ad6.jpg]] +#+END_CENTER diff --git a/doc/us/usage.org b/doc/us/usage.org new file mode 100644 index 00000000..e24364f2 --- /dev/null +++ b/doc/us/usage.org @@ -0,0 +1,463 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@robotics.uk.to +#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber +#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server +#+OPTIONS: ^:nil +#+BEGIN_CENTER +[[./images/logo.png]] +#+END_CENTER + +| [[file:index.html][Home]] | [[Readme]] | [[Using Email]] | [[Mailing List]] | [[Syncing to the Cloud]] | [[Play Music]] | [[Microblogging]] | [[Social Network]] | [[Chat Services]] | + +* Readme +After the system has installed a README file will be generated which contains passwords and some brief advice on using the installed systems. You can read this with the following commands: + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +emacs ~/README +#+END_SRC + +You should transfer any passwords to a password manager such as [[http://www.keepassx.org/][KeepassX]] and then delete them from the README file. To save the file after removing passwords use *CTRL-x CTRL-s*. + +To exit you can either just close the terminal or use *CTRL-x CTRL-c* followed by the *exit* command. +* Improving ssh security +To improve ssh security you can generate an ssh key pair on your system and then upload the public key to the Freedombone. + +On your local machine: + +#+BEGIN_SRC bash +ssh-keygen +#+END_SRC + +For extra security you may also want to add a passphrase to the ssh private key. You can show the generated public key with: + +#+BEGIN_SRC bash +cat ~/.ssh/id_rsa.pub +#+END_SRC + +Copy the contents of *~/.ssh/id_rsa* and *~/.ssh/id_rsa.pub* to you password manager, together with the private key password if you created one. + +ssh to the Freedombone and edit the authorized keys: + +#+BEGIN_SRC bash +ssh username@domain -p 2222 +emacs ~/.ssh/authorized_keys +#+END_SRC + +Now copy and paste the contents of *id_rsa.pub* into the authorized_keys file. Save the file and exit. Open another terminal window and try logging in again and you should notice that you are no longer asked for a password, because the ssh key is used instead. + +There are advantages and disadvantages to using ssh keys for logins. The advantage is that this is much more secure than a memorised password, but the disadvantage is that you need to carry your ssh keys around and be able to install them on any computer of mobile device that you use. In high security or hostile infosec environments it may not be possible to carry or use USB thumb drives containing your keys and so memorised passwords may be the only available choice. + +If you wish to only use ssh keys then log in to the Freedombone and edit */etc/ssh/sshd_config*, then change *PasswordAuthentication* to "no", save and run *service ssh restart*. Any subsequent attempts to log in via a password will then be denied. + +* Using Email +** A technical note about email transport security +Port 465 is used for SMTP and this is supposedly deprecated for secure email. However, using TLS from the start of the communications seems far more secure than starting off with insecure communications and then trying to upgrade it with a command to begin TLS, as happens with STARTTLS. There are [[https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks][possible attacks against STARTTLS]] in which the command to begin secure communications is removed or overwritten which could then result in email being transferred in plain text over the internet and be readable by third parties. +** Add a password to your GPG key +If you didn't use existing GPG keys during the Freedombone installation then you'll need to add a password to your newly generated private key. This is highly recommended. Go through the following sequence of commands to ssh into the Freedombone and then change your GPG password. + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +gpg --edit-key username@domain +passwd +save +quit +exit +#+END_SRC + +Having a password on your GPG key will prevent someone from reading your email /even if your server gets lost or stolen/ or if someone else has physical access to it. Make the password something long and unlikely to be guessable or vulnerable to a brute force [[http://en.wikipedia.org/wiki/Dictionary_attack][dictionary attack]]. + +** Publishing your GPG public key +If you havn't already then you should publish your GPG public key so that others can find it. + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +gpg --send-keys username@domainname +exit +#+END_SRC +** Mutt email client +Mutt is a terminal based email client which comes already installed onto the Freedombone. To access it you'll need to access it via ssh with: + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +#+END_SRC + +If you're using Windows there is an ssh client called putty, on Linux just open a terminal and enter the above command with your username and domain name. On Android you can use the ConnectBot app with the hostname *username@domain:2222* + +Once you have logged in via ssh then just type *mutt*. Like most terminal programs mutt is quite easy once you've learned the main keys. + +Some useful keys to know are: + +| "/" | Search for text within headers | +| * | Move to the last message | +| TAB | Move to the next unread message | +| d | Delete a message | +| u | Undelete a mail which is pending deletion | +| $ | Delete all messages selected and check for new messages | +| a | Add to the address book | +| m | Send a new mail | +| ESC-m | Mark all messages as having been read | +| S | Mark a message as spam | +| H | Mark a message as ham | +| CTRL-b | Toggle side bar on/off | +| CTRL-n | Next mailbox (on side bar) | +| CTRL-p | Previous mailbox (on side bar) | +| CTRL-o | Open mailbox (on side bar) | +| ] | Expand or collapse all threads | +| [ | Expand of collapse the current thread | +| CTRL-k | Import a PGP/GPG public key | +| q | Quit | + +To use the address book system open an email by pressing the enter key on it and then to add the sender to the address list press the A key. It will ask you for an alias which may be used the next time you want to send a mail. Alternatively you may just edit the *~/.mutt-alias* file directly to add email addresses. + +One of the most common things which you might wish to do is to send an email. To do this first press /m/ to create a new message. Enter the address to send to and the subject, then after a few seconds the Emacs editor will appear with a blank document. Type your email then press /CTRL-x CTRL-s/ to save it and /CTRL-x CTRL-c/ to exit. You will then see a summary of the email to be sent out. Press /y/ to send it and then enter your GPG key passphrase (the one you gave when creating a PGP/GPG key). The purpose of that is to add a signature which is a strong proof that the email was written by you and not by someone else. + +When reading emails you will initially need to enter your GPG password. It will be retained in RAM for a while afterwards. + +** Thunderbird +Another common way in which you may want to access email is via Thunderbird. This may be especially useful if you're trying to convert former Windows users who may previously have been using some version of Outlook. + +The following instructions should be carried out on the client machines (laptop, etc), not on the BBB itself. + +*** Initial setup + +Install *Thunderbird* and *Enigmail*. How you do this just depends upon your distro and software manager or "app store". + +Open Thinderbird + +Select "*Skip this and use existing email*" + +Enter your name, email address (myusername@mydomainname.com) and the password for your user (the one from [[Add a user]]). + +You'll get a message saying "/Thunderbird failed to find the settings/" + +The settings should be as follows, substituting /mydomainname.com/ for your domain name and /myusername/ for the username given previously in [[Add a user]]. + + * Incoming: IMAP, mydomainname.com, 993, SSL/TLS, Normal Password + * Outgoing: SMTP, mydomainname.com, 465, SSL/TLS, Normal Password + * Username: myusername + +Click *Done*. + +Click *Get Certificate* and make sure "*permanently store this exception*" is selected", then click *Store Security Exception*. + +From OpenPGP setup select "*Yes, I would like the wizard to get me started*". If the wizard doesn't start automatically then "setup wizard" can be selected from OpenPGP on the menu bar. + +Select "*Yes, I want to sign all of my email*" + +Select "*No, I will create per-recipient rules*" + +Select "*yes*" to change default settings. +*** Import your GPG keys +On the Freedombone export your GPG public and private keys. + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +gpg --list-keys username@domainname +gpg --output ~/public_key.gpg --armor --export KEY_ID +gpg --output ~/private_key.gpg --armor --export-secret-key KEY_ID +#+END_SRC + +On your laptop or desktop you can import the keys with: + +#+BEGIN_SRC bash +scp -P 2222 username@domain:/home/username/*.gpg ~/ +#+END_SRC + +Select "*I have existing public and private keys*". + +Select your public and private GPG exported key files. + +Select the account which you want to use and click *Next*, *Next* and *Finish*. + +Remove your exported key files, both on your laptop/desktop and also on the Freedombone. + +#+BEGIN_SRC bash +shred -zu ~/public_key.gpg +shred -zu ~/private_key.gpg +#+END_SRC + +*** Using for the first time + +Click on the Thunderbird menu, which looks like three horizontal bars on the right hand side. + +Hover over *preferences* and then *Account settings*. + +Select *OpenPGP Security* and make sure that *use PGP/MIME by default* is ticked. This will enable you to sign/encrypt attachments, HTML bodies and UTF-8 without any problems. + +Select *Synchronization & Storage*. + +Make sure that *Keep messages for this account on this computer* is unticked, then click *Ok*. + +Click on *Inbox*. Depending upon how much email you have it may take a while to import the subject lines. + +Note that when sending an email for the first time you will also need to accept the SSL certificate. + +Get into the habit of using email encryption and encourage others to do so. Remember that you may not think that your emails are very interesting but the Surveillance State is highly interested in them and will be actively trying to data mine your private life looking for "suspicious" patterns, regardless of whether you are guilty of any crime or not. + +*** Making folders visible +By default you won't be able to see any folders which you may have created earlier using the /mailinglistrule/ script. To make folders visible select: + +*Menu*, hover over *Preferences*, select *Account Settings*, select *Server Settings* then click on the *Advanced* button. + +Make sure that "*show only subscribed folders*" is not checked. Then click the *ok* buttons. Folders will be re-scanned, which may take some time depending upon how much email you have, but your folders will then appear. + +** K9 Android client +*NOTE*: Currently the K9 email client will not work with the Freedombone since it doesn't support PGP/MIME encoding. However, there is development work taking place on that feature and it is hoped that K9 may be usable in the near future. + +*** Incoming server settings + * Select settings/account settings + * Select Fetching mail/incoming server + * Enter your username and password + * IMAP server should be your domain name + * Security: SSL/TLS (always) + * Authentication: Plain + * Port: 993 +*** Outgoing (SMTP) server settings + * Select settings/account settings + * Select Sending mail/outgoing server + * Set SMTP server to your domain name + * Set Security to SSL/TLS (always) + * Set port to 465 + * Set authentication to PLAIN + * Enter your username and password + * Accept the SSL certificate +*** Folders +To view any new folders which you may have created using the /mailinglistrule/ script from your inbox press the *K9 icon* at the top left to access folders, then press the *menu button* and select *refresh folder list*. + +If your folder still doesn't show up then press the *menu button*, select *show folders* and select *all folders*. + +** Subscribing to mailing lists +To subscribe to a mailing list so that it appears within Mutt or Thunderbird. + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +addmailinglist +exit +#+END_SRC + +The subject tag should be the word or phrase which appears within the brackets in the subject line of emails from the mailing list. The mailing list name should be something short so that it is readable within the left side column of the mutt email client. +** Adding email addresses to a group/folder +Similar to adding mailing list folders you can also add specified email addresses into a folder. + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +addemailtofolder +exit +#+END_SRC + +The mailing list name should be something short so that it is readable within the left side column of the mutt email client. + +* Mailing List +If you want to set up a public mailing list then when installing the system remember to set the *PUBLIC_MAILING_LIST* variable within *freedombone.cfg* to the name of your list. The name should have no spaces in it. Public mailing lists are unencrypted so anyone will be able to read the contents, including non subscribers. + +To subscribe to your list send a cleartext email to: + +#+BEGIN_SRC bash +mymailinglistname+subscribe@domainname +#+END_SRC + +Tip: When using the Mutt email client if you want to send an email in cleartext then press *p* (for PGP) on the sending screen and select *clear*. Unsecure email is treated as being the exception rather than the default. +* Syncing to the Cloud +** Initial install +Within a browser go to your owncloud domain, then create an administrator account. The username and password can be anything, and ideally should be generated from a password manager. + +You will also need to enter database details: + +| Owncloud database user | owncloudadmin | +| Owncloud database password | See the [[Readme]] file | +| Owncloud database name | owncloud | + +After creating an administrator account then create a user account via the Users dropdown menu entry on the right hand side and log the details in a password manager. Give the user a quota suitable for the size of your microSD card or other storage. + +Log out from the administrator account and then log back in as the user you just created. +** On Android +Within F-droid search for *owncloud* and install the client. Also install *CalDAV Sync Adapter*. + +Open the owncloud app and enter your owncloud domain name (including the https prefix) and login details for the user you created. + +Open the calendar app and under *settings* add a CalDav account with the url: + +#+BEGIN_SRC bash +https://myownclouddomain/remote.php/caldav/principals/myowncloudusername +#+END_SRC + +You will also be prompted to enter login details. Your Android and Owncloud calendars should now be synchronised. +** On Linux +Open your software center and search for "owncloud client". Enter your owncloud domain name (with the https prefix) and login details. + +You can now drag files into the *~/owncloud* directory and they will automatically sync to your server. It's that easy. +* Play Music +** With the DLNA service +An easy way to play music on any mobile device in your home is to use the DLNA service. Copy your music into a directory called "/Music/" on a USB thumb drive and then insert it into from socket on the Beaglebone. + +ssh into the system with: + +#+BEGIN_SRC bash +ssh myusername@mydomain.com -p 2222 +#+END_SRC + +Then mount the USB drive with: + +#+BEGIN_SRC bash +su +attach-music +#+END_SRC + +The system will scan the Music directory, which could take a while if there are thousands of files, but you don't need to do anything further with the Beaglebone other than perhaps to log out by typing *exit* a couple of times. + +If you have an Android device then go to F-Droid (if you don't already have it installed then it can be [[https://f-droid.org/][downloaded here]]) and search for *ControlDLNA*. On running the app you should see a red Debian icon which you can press on, then you may need to select "local". After a few seconds the list of albums or tracks should then appear and you can browse and play them. + +The DLNA service will only work within your local home network, and isn't remotely accessible from other locations via the internet. That can be both a good and a bad thing. Another consideration is that there are no access controls on DLNA services, so any music or videos on the USB drive will be playable by anyone within your home network. If you need to restrict access to certain files then it may be better to use the music player within Owncloud. + +** With Owncloud +The main advantage of playing music via Owncloud is that you can do that from anywhere - not only within your home network. + +By default a music player is installed into Owncloud, so all you need to do is to visit your Owncloud web site, select the *music* directory and then upload some music files. Afterwards you can select the *music icon* from the top left drop down menu and albums will then appear which can be played. If you want to share music with other users then you can select the *share* option from within the files view to make the tracks available. + +* Microblogging +** Initial configuration +To set up your microblog go to: + +#+BEGIN_SRC bash +https://yourmicroblogdomainname/install.php +#+END_SRC + +and enter the following settings: + +| Server SSL | enable | +| Hostname | localhost | +| Type | MySql/MariaDB | +| Name | gnusocial | +| DB username | root | +| DB Password | See the MariaDB password in the [[Readme]] file | +| Administrator nickname | Your username | +| Administrator password | See the [[Readme]] file | +| Subscribe to announcements | ticked | +| Site profile | Community | + +When the install is complete you will see a lot of warnings but just ignore those and navigate to your microblog domain and you can then complete the configuration via the *Admin* section on the header bar. Some recommended admin settings are: + +| Site settings | Text limit 140, Dupe Limit 60000 | +| User settings | Bio limit 1000 | +| Access settings | /Invite only/ ticked | +* Social Network +** Certificates +You will need to have a non self-signed SSL certificate in order to use Red Matrix. Put the public certificate in */etc/ssl/certs/yourredmatrixdomainname.crt* and the private certificate in */etc/ssl/private/yourredmatrixdomainname.key*. If there is an intermediate certificate needed (such as with StartSSL) then this will need to be concatenated onto the end of the crt file, like this: + +#+BEGIN_SRC bash +cat /etc/ssl/certs/yourredmatrixdomainname.crt /etc/ssl/chains/startssl-sub.class1.server.ca.pem > + /etc/ssl/certs/yourredmatrixdomainname.bundle.crt +#+END_SRC + +Then change ssl_certificate to */etc/ssl/certs/yourredmatrixdomainname.bundle.crt* within */etc/nginx/sites-available/yourredmatrixdomainname* +** Initial install +Visit the URL of your Red Matrix site and you should be taken through the rest of the installation procedure. Note that this may take a few minutes so don't be concerned if it looks as if it has crashed - just leave it running. + +When installation is complete you can register a new user. +* Chat Services +** IRC +IRC is useful for multi-user chat. The classic use case is for software development where many engineers might need to coordinate their activities, but it's also useful for meetings, parties and general socialising. +*** Irssi +If you are using the [[http://www.irssi.org][irssi]] IRC client then you can use the following commands to connect to your IRC server. + +#+BEGIN_SRC bash +/server add -auto -ssl yourdomainname 6697 +/connect yourdomainname +/join freedombone +#+END_SRC +*** XChat +If you are using the XChat client: + +Within the network list click, *Add* and enter your domain name then click *Edit*. + +Select the entry within the servers box, then enter *mydomainname/6697* and press *Enter*. + +Uncheck *use global user information*. + +Enter first and second nicknames and check *auto connect to this network on startup*. + +Check *use SSL* and *accept invalid SSL certificate*. + +Enter *#freedombone* as the channel name. + +Click *close* and then *connect*. + +** XMPP/Jabber +*** Managing users + +To add a user: + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +su +prosodyctl adduser newusername@newdomainname +exit +exit +#+END_SRC + +To change a user password: + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +su +prosodyctl passwd username@domainname +exit +exit +#+END_SRC + +To remove a user: + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +su +prosodyctl deluser username@domainname.com +exit +exit +#+END_SRC + +Report the status of the XMPP server: + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +su +prosodyctl status +exit +exit +#+END_SRC + +*** Using with Jitsi +Jitsi is the recommended communications client for desktop or laptop systems, since it includes the /off the record/ (OTR) feature which provides some additional security beyond the usual SSL certificates. + +Jitsi can be downloaded from https://jitsi.org + +On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu. + +Click *Add* to add a new user, then enter the Jabber ID which you previously specified with /prosodyctl/ when setting up the XMPP server. Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online). + +From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security. + +When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select *View Certificate* and enable the checkbox to trust the certificate, then select *Continue Anyway*. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer. + +You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR. +*** Using with Ubuntu +The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to. + +Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*. + +Enter your username (username@domainname) and password. + +Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*. +*** Using with Android +Install [[https://f-droid.org/][F-Droid]] + +Search for and install Xabber. + +Add an account and enter your Jabber/XMPP ID and password. + +From the menu select *Settings* then *Security* then *OTR mode*. Set the mode to *Required*. + +Make sure that *Check server certificate* is not checked. + +Go back to the initial screen and then using the menu you can add contacts and begin chatting. Both parties will need to go through the off-the-record question and answer verification before the chat can begin, but that only needs to be done once for each person you're chatting with. diff --git a/doc/us/variants.org b/doc/us/variants.org new file mode 100644 index 00000000..bbe30137 --- /dev/null +++ b/doc/us/variants.org @@ -0,0 +1,21 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@robotics.uk.to +#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber +#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server +#+OPTIONS: ^:nil +#+BEGIN_CENTER +[[./images/logo.png]] +#+END_CENTER + +| [[file:index.html][Home]] | + +Freedombone may be installed either in its entirety or as different variants with a more specialised purpose. So for example if you just want to run a blog but don't care about any other services then you can do that. The following variants are available: + +| *Mailbox* | An email server with GPG encryption and mailing list | +| *Cloud* | Share files, maintain a calendar and collaborate on document editing | +| *Social* | Social networking with Red Matrix and GNU Social | +| *Media* | Runs media services such as DLNA to play music or videos on your devices | +| *Writer* | Host your blog and wiki | +| *Chat* | Encrypted IRC and XMPP services for one-to-one and many-to-many chat | +| *Nonmailbox* | Installs eveything except for the email server |