#+TITLE: FreedomBone #+AUTHOR: Bob Mottram #+EMAIL: bob@robotics.uk.to #+KEYWORDS: freedombox, debian, beaglebone, friendica, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber #+DESCRIPTION: Turn the Beaglebone Black into a personal communications server #+OPTIONS: ^:nil #+STYLE: #+BEGIN_CENTER *How to turn the Beaglebone Black into a FreedomBox-like personal communications server* #+END_CENTER [[./images/freedombone_small.jpg]] #+BEGIN_CENTER Copyright (C) 2014 Bob Mottram Permission is granted to copy, distribute and/or modify this document under the terms of the [[https://gnu.org/licenses/fdl.html][GNU Free Documentation License]], Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. Source for this web site in [[https://en.wikipedia.org/wiki/Org-mode][Emacs org-mode]] format is available [[/beaglebone.txt][here]]. Comments or patches may be submitted via [[https://github.com/bashrc/freedombone][Github]]. #+END_CENTER * Introduction #+BEGIN_VERSE /If you look at it from an engineering perspective, an iterative perspective, it’s clear that you have to try something rather than do nothing./ -- Edward J. Snowden #+END_VERSE ** What is FreedomBone? Today many of us rely upon "free" services in the cloud, such as Gmail, Facebook, Google+ and so on. It might appear that these services are indispensible infrastructure of the modern internet, but actually they're not strictly needed and the amount of value which they deliver to the average internet user is very marginal. It is possible to be a citizen of the internet and yet not use those things - to disintermediate the most well known companies and cut out their prurient or merely cringeworthy business models. FreedomBone is a personal home communications server based upon the BeagleBone Black hardware. It's small and cheap and will allow you to use email, have your own web site and do social networking in a federated way without needing to rely upon any intermediary companies other than your ISP. ** Do I need any prior knowledge? In these instructions only a minimal level of familiarity with Linux is assumed. It's assumed that you know the basics of the /nano/ and /emacs/ editors, but it would be simple to also use other editors if you prefer. ** Why should I do this? You should consider doing this if you are a freedom-oriented sort of person and you want to maintain sovereignty over your information. Laws in many places in the world consider you to have relinquished any property rights over data which you put onto a server not owned by youself (i.e. owned by a third party, such as Google or Facebook). If you don't like the idea of having all your communications intercepted and investigated by the Surveillance State then you should consider running a FreedomBone. If your profession involves maintaining confidentiality as an essential feature, such as legal or medical services, counselling, teaching or any sort of activism then you should consider running a FreedomBone. Especially if your activities include [[https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/][systems administration]] or [[http://www.spiegel.de/international/germany/gchq-and-nsa-targeted-private-german-companies-a-961444.html][software engineering for any communications-related systems]] then it is highly likely that you have already been targeted and "tasked" by the surveillance apparatus. As Eben Moglen noted in his now famous [[https://www.youtube.com/watch?v=QOEMv0S8AcA]["Freedom in The Cloud"]] talk the simple fact of you keeping your own internet logs (found in the /var/log directory) puts a certain amount of power in your hands and takes it away from parties who would otherwise sell that information without your knowledge or permission to advertisers or other shady outfits who may not have your best interests at heart. ** After it's installed will it need a lot of maintenance? So long as the hardware is ok the amount of maintenance needed should be very small. Unlike on Windows based systems you don't need to defragment drives or mess about with anti-virus programs. I ran a similar Sheevaplug system between 2010 and 2013 with only occasional software updates or reboots, and uptime was probably 99% or better. ** Is it secure? Nothing is totally secure or infallible. You could have the most secure technology and yet still use easy to guess passwords. In general any software described as "uncrackable" or "guaranteed secure" is likely to be bogus and should be treated with suspicion. No matter what the hype may claim, all software has bugs so it's really a question of whether your communications are more secure or less secure. Using something like Freedombone will be likely to increase your degree of communications security to a level which is above average. This system will not defend you from an attacker who is actively trying to block or corrupt your communications, but I assume that doesn't apply in the majority of cases. Another thing to be aware of is that running a FreedomBone could make you more vulnerable to traffic analysis, since the server is associated with your home address and isn't a giant aggregation of users somewhere in the cloud. You need to weigh this alongside the additional legal protection which owning the server and having it in your own home gives you. FreedomBone should be far more secure than using popular cloud-based services which have spying built into them as a core feature (although not one which is typically advertised), but it is not necessarily any kind of impenetrable information fortress. This project is not only about security. It's also about having independence and at least in the realm of information being able to have more control over your own life, without having gatekeepers, censors or companies in the middle. That's the way that the internet was designed to be in the first place. ** Will running a server all the time affect my electricity bill? Hardly at all. The BeagleBone Black consumes very little power - less than 5W. It would even be potentially possible to run it from a solar panel. ** Can I use a Raspberry Pi or Cubieboard instead? These instructions are not highly specific to the Beaglebone Black and so will likely also work on other single board computers (SBCs) such as the [[https://en.wikipedia.org/wiki/Raspberry_pi][Raspberry Pi]] or [[https://en.wikipedia.org/wiki/Cubieboard][Cubieboard]]. The original Raspberry Pi only had 256MB of RAM and so the performance of some services may be more limited. The Beaglebone Black was chosen mainly because of its low cost, relatively good CPU performance for the price (by the standards of 2013) and also low electricity consumption. The Cubieboard is also another good alternative, with the A20 version having similar specifications but twice as much RAM as the BeagleBone Black. ** Why should I trust the packages or source code downloaded from this site? If you're particularly security conscious then you shouldn't. Binary or source packages have only been included here for convenience and to avoid confusion. "/Go and find a Debian installation for the BeagleBone Black somewhere on the web/" is too vague an instruction for my liking, and I've attempted to keep things as concise and unambiguous as possible - particularly with an average or new Linux user in mind. However, for maximum security for those software systems which are not already packaged within the Debian repositories then seek out the original sources and verify the hashes independently. It's worth adopting an attitude of "/trust but verify/". Don't let fear of mass surveillance and [[https://www.techdirt.com/articles/20140207/08354426130/gchq-has-entire-program-dirty-tricks-including-honeypots-using-journalists-deleting-online-accounts.shtml]["dirty tricks"]] paralyse you into trusting nothing and consequently doing nothing. Doing nothing means that the surveillance apparatus has succeeded in keeping you under observation at all times. * Inventory #+BEGIN_VERSE /You can’t help someone just by making a wish to do so, you have to take action./ -- Dalai Lama #+END_VERSE These instructions assume that you have the following ingredients. ** A BeagleBone Black (BBB) It should come with a suitable USB cable for the initial setup. To make things look nicer you may also want to get a case for it. ** An internet connection It is assumed that the most common situation is via a router installed at home. The router should have ethernet sockets on it and a web interface which allows you to forward ports (sometimes under the "firewall" settings), so that you can forward ssh and web traffic to the BBB. ** microSD card To use as the main storage for the BBB. 16 or 32GB is fine, and can be obtained quite cheaply. Try to use Sandisk (class 10 or better) where possible and avoid cheaper cards which often have poor performance. You may also need an SD card adaptor or USB card reader in order to flash the operating image to the microSD card. For instance, many laptops have an SD card slot but not a microSD slot. ** 5V/2A power supply With a plug suitable for powering the BBB. If you have some device with a USB socket nearby you may also be able to just use that for electrical power. However, powering from the USB cable alone might result in crashes when the system is under load, depending upon how many milliamps can be supplied by the USB hub/socket. If the system crashes due to running out of power then you will see that the LEDs on the BBB are continuously on, rather than flashing. One way to test whether the board has enough power is to try compiling a Linux kernel on it, but any CPU and disk intensive program will also suffice as a test. [[http://beagleboard.org/Support/FAQ][beagleboard.org]] gives the following advice on power supplies: #+BEGIN_VERSE /Power over USB is sufficient as long as the software and system running perform some management to keep it under the USB current limit threshold. For simplicity and maximum capability, powering over the 5V barrel connector is typically recommended./ /The power adapter is required to provide 5V over a 5.5mm outer diameter and 2.1mm inner diameter barrel connector (a barrel connector length of 9.5mm is more than sufficient). The recommended supply current is at least 1.2A (or 6W), but at least 2A (or 10W) is recommended if you are going to connect up anything over the USB./ #+END_VERSE The plug should be /centre positive/, meaning that the centre/tip is positive and the outer part is negative. ** An ethernet patch cable Just an ordinary cat5 or cat6 cable that you can get from most electrical/computer stores. * Installing Debian onto the microSD card The Debian Linux OS will be installed onto a small flash drive. It's a good idea to do this rather than using the internal flash, because it will allow you to easily create backups of the entire system if necessary using the dd command. Download the image. #+BEGIN_SRC: bash cd ~/ wget http://freedombone.uk.to/debian-7.2-console-armhf-2013-11-15.tar.xz #+END_SRC Verify it. #+BEGIN_SRC: bash sha256sum debian-7.2-console-armhf-2013-11-15.tar.xz 262ea96d6bff530ad545e001eb2aa50b26a999c02f0c0e2e5f8536edf21c973a debian-7.2-console-armhf-2013-11-15.tar.xz #+END_SRC Uncompress it. #+BEGIN_SRC: bash tar xJf debian-7.2-console-armhf-2013-11-15.tar.xz cd debian-7.2-console-armhf-2013-11-15 #+END_SRC Create the disk image, where sdX is the name of the flash drive (probably it will be sdb or sdc). An easy way to find out the device name of the flash drive is to enter the command: #+BEGIN_SRC: bash ls /dev/sd* #+END_SRC then plug in the flash drive and type the same command again. You'll be able to see the difference. Once you know the device name then you can proceed to install the image onto the flash drive. #+BEGIN_SRC: bash sudo apt-get install u-boot-tools dosfstools git-core kpartx wget parted sudo ./setup_sdcard.sh --mmc /dev/sdX --uboot bone --swap-file 1024 #+END_SRC Once completed then safely remove the microSD card via your file manager (usually right click and "safely remove" or "eject"). * Setup #+BEGIN_VERSE /Build the tools for a future you would want to live in/ -- Kurt Opsahl #+END_VERSE ** Things to be aware of *** A note on ssh When using ssh to log into the BBB if you get warnings of the type "/the ECDSA host key for domain differs from the key for the IP address/" then run the command: #+BEGIN_SRC: bash ssh-keygen -R #+END_SRC *** Passwords It's highly recommended that you use a password manager, such as KeepassX, and make all your passwords long random strings. It's also a good idea to use different passwords for different pieces of software, instead of one or two passwords for the whole system. That compartmentalises the security such that even if an attacker gains access to one system they can't necessarily get access to others. *** HTTPS Throughout these instructions self signed SSL certificates are used to implement access to web pages via HTTPS. The whole HTTPS security model upon which much of the internet currently rests seems broken in that it usually depends upon "trusted certificate authorities" who are not really trusted, except perhaps by the maintainers of certain web browser software. So all that HTTPS really guarantees is that you have an encrypted connection, but an encrypted connection /to who/ can be subject to doubt. As was seen in 2013 with the [[https://www.schneier.com/essay-455.html][information coming from Edward Snowden]], and also the [[http://en.wikipedia.org/wiki/Lavabit][Lavabit email service]], it's possible for companies/organisations to be compromised or bribed and SSL private keys for all users can be demanded using gagging orders or secret laws without any individual user ever being able to know that their communications is no longer secure.. Not knowing who you're really connecting to is especially true for self-signed certificates, so it is in principle possible that when logging into a site with a username and password a system such as [[http://arstechnica.com/tech-policy/2013/11/uk-spies-continue-quantum-insert-attack-via-linkedin-slashdot-pages/][Quantum Insert]], or a compromised [[http://en.wikipedia.org/wiki/Domain_Name_System][DNS service]], could be used to direct the user to a fake copy of the login screen for the purposes of obtaining their login details. While this doesn't seem to be a major problem at the time of writing it's something to keep in mind. So if you can't log in or if you log in and what you see doesn't look like your site then it's possible that such a compromise could have taken place. Using a password manager with different login details for each site is one way to ensure that if one system is compromised then the attacker can't necessarily get access to all your other stuff. ** Initial Eject the microSD card from your computer and plug it into the BBB, then connect the USB cable between the two. You may need to wait for a couple of minutes for the BBB to boot from the card, then you can then open a terminal and login via ssh. #+BEGIN_SRC: bash ssh debian@192.168.7.2 #+END_SRC The default password is /temppwd/ Then log in as root: #+BEGIN_SRC: bash su #+END_SRC The default password is /root/ The first thing to do is to change the passwords from their defaults. #+BEGIN_SRC: bash passwd #+END_SRC Then you will need to change the network interfaces. The main task here is to comment out the stuff related to usb0. That will enable you to plug the BBB into the back of a router and for it to be detectable on the network. #+BEGIN_SRC: bash nano /etc/network/interfaces #+END_SRC The resulting interfaces file should look like this: #+BEGIN_SRC: bash # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface allow-hotplug eth0 iface eth0 inet static address 192.168.1.60 netmask 255.255.255.0 gateway 192.168.1.254 dns-nameservers 213.73.91.35 85.214.20.141 # Example to keep MAC address between reboots #hwaddress ether DA:AD:CE:EF:CA:FE # WiFi Example #auto wlan0 #iface wlan0 inet dhcp # wpa-ssid "essid" # wpa-psk "password" # Ethernet/RNDIS gadget (g_ether) # ... or on host side, usbnet and random hwaddr # Note on some boards, usb0 is automaticly setup with an init script # in that case, to completely disable remove file [run_boot-scripts] from the boot partition #iface usb0 inet static # address 192.168.7.2 # netmask 255.255.255.0 # network 192.168.7.0 # gateway 192.168.7.1 #+END_SRC CTRL-o followed by ENTER to save, then CTRL-x to exit. In the above example "address 192.168.1.60" is a static IP address for the BBB, which will allow incoming network traffic to be directed from the router in a reliable manner. It should be outside of the DHCP range set up on the router. "gateway 192.168.1.254" should be the IP address of the router. Note that setting the DNS servers with dns-nameservers is important because some home routers do not allow you to change the DNS settings. Edit resolv.conf. #+BEGIN_SRC: bash nano /etc/resolv.conf #+END_SRC It should look something like the following: #+BEGIN_SRC: bash domain localdomain search localdomain nameserver 213.73.91.35 nameserver 85.214.20.141 #+END_SRC CTRL-o followed by ENTER to save, then CTRL-x to exit. Now disconnect the BBB from your computer and plug it into the router. You'll need an ethernet patch cable and you may also need a 5V/1A power supply for the BBB. If you go to the web administration screen for your internet router (often it's on 192.168.2.1 or 192.168.1.254) then after a few minutes you should see the BBB appear on the network. It's name will be "arm". ** Add a user Ssh back in to the BBB and login as root. In this example the BBB's IP address is 192.168.1.60. #+BEGIN_SRC: bash ssh-keygen -f "/home/myusername/.ssh/known_hosts" -R 192.168.1.60 ssh debian@192.168.1.60 su #+END_SRC Then make a new user. It's a bad idea to add users to the sudo group, because that then means that an attacker potentially only needs to know one password in order to get administrator access to the system. With no sudoers an attacker needs to know, or be able to obtain, two separate passwords to be able to really compromise the system. #+BEGIN_SRC: bash adduser myusername #+END_SRC Exit from the ssh login by typing "exit" a couple of times, then ssh back in as the new user. Make sure you use a difficult to guess password/phrase, or ideally a randomly generated password used together with a password manager such as KeepassX. Remove the default debian user. #+BEGIN_SRC: bash userdel -r debian #+END_SRC ** Text editor For an editor which is less erratic than vi when used within a remote console such as Terminator. #+BEGIN_SRC: bash apt-get update apt-get install emacs #+END_SRC Some basic Emacs keys which will be useful to new users are: | Load a file | CTRL-x CTRL-f | | Save | CTRL-x CTRL-s | | Exit | CTRL-x CTRL-c | ** Enable backports To enable some newer packages add backports to the repositories. #+BEGIN_SRC: bash echo "deb http://ftp.us.debian.org/debian wheezy-backports main" >> /etc/apt/sources.list apt-get update apt-get dist-upgrade #+END_SRC ** Configure your location/language #+BEGIN_SRC: bash dpkg-reconfigure locales apt-get install keyboard-configuration #+END_SRC You may need to reboot for this to take effect. To verify the change. #+BEGIN_SRC: bash locale -a #+END_SRC Set your time zone with: #+BEGIN_SRC: bash tzselect #+END_SRC For example, for British time: #+BEGIN_SRC: bash TZ='Europe/London'; export TZ echo "TZ='Europe/London'; export TZ" >> ~/.bashrc echo "TZ='Europe/London'; export TZ" >> /home/myusername/.bashrc #+END_SRC ** Upgrade the kernel Using a more recent kernel should improve stability of the system and also allow it to make use of hardware random number generation, which improves the overall security. Please note that this kernel is specific to the BBB, so if you're using a Raspberry Pi, Cubieboard or other SBC then look elsewhere on the web for information about upgrading the kernel. #+BEGIN_SRC: bash cd /tmp wget http://freedombone.uk.to/kernel-3.14.tar.gz #+END_SRC Verify it. #+BEGIN_SRC: bash sha256sum kernel-3.14.tar.gz c0f76ace9ae149ffbba785dd83ee1f1b7e2d5cdcd41120c8cb3fa4aea2612753 #+END_SRC Then extract and install it. #+BEGIN_SRC: bash mkdir kernel-3.14 cd kernel-3.14 tar -xzvf ../kernel-3.14.tar.gz sh install-me.sh reboot #+END_SRC After the system has rebooted you can ssh back unto it and log in as the root user. You can check that the kernel version has changed with the command: #+BEGIN_SRC: bash uname -mrs #+END_SRC Now enable zram. #+BEGIN_SRC: bash emacs /etc/modprobe.d/zram.conf #+END_SRC Add the following: #+BEGIN_SRC: bash options zram num_devices=1 #+END_SRC Save and exit, then create an initialisation script. #+BEGIN_SRC: bash emacs /etc/init.d/zram #+END_SRC Add the following: #+BEGIN_SRC: bash #!/bin/bash ### BEGIN INIT INFO # Provides: zram # Required-Start: # Required-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Increased Performance In Linux With zRam (Virtual Swap Compressed in RAM) # Description: Adapted from systemd scripts at https://github.com/mystilleef/FedoraZram ### END INIT INFO start() { # get the number of CPUs num_cpus=$(grep -c processor /proc/cpuinfo) # if something goes wrong, assume we have 1 [ "$num_cpus" != 0 ] || num_cpus=1 # set decremented number of CPUs decr_num_cpus=$((num_cpus - 1)) # get the amount of memory in the machine mem_total_kb=$(grep MemTotal /proc/meminfo | grep -E --only-matching '[[:digit:]]+') mem_total=$((mem_total_kb * 1024)) # load dependency modules modprobe zram num_devices=$num_cpus # initialize the devices for i in $(seq 0 $decr_num_cpus); do echo $((mem_total / num_cpus)) > /sys/block/zram$i/disksize done # Creating swap filesystems for i in $(seq 0 $decr_num_cpus); do mkswap /dev/zram$i done # Switch the swaps on for i in $(seq 0 $decr_num_cpus); do swapon -p 100 /dev/zram$i done } stop() { # get the number of CPUs num_cpus=$(grep -c processor /proc/cpuinfo) # set decremented number of CPUs decr_num_cpus=$((num_cpus - 1)) # Switching off swap for i in $(seq 0 $decr_num_cpus); do if [ "$(grep /dev/zram$i /proc/swaps)" != "" ]; then swapoff /dev/zram$i sleep 1 fi done sleep 1 rmmod zram } case "$1" in start) start ;; stop) stop ;; restart) stop sleep 3 start ;; *) echo "Usage: $0 {start|stop|restart}" RETVAL=1 esac exit $RETVAL #+END_SRC Save and exit, then reboot again. #+BEGIN_SRC: bash chmod +x /etc/init.d/zram update-rc.d zram defaults service zram start reboot #+END_SRC After the system has rebooted ssh back into it and become the root user, then to check that the changes were successful: #+BEGIN_SRC: bash cat dmesg | grep zram #+END_SRC Should show something like: #+BEGIN_SRC: bash [ 507.322337] zram: Created 1 device(s) ... [ 507.651151] Adding 505468k swap on /dev/zram0. Priority:100 extents:1 across:505468k SS #+END_SRC ** Random number generation #+BEGIN_VERSE /Near as I can tell, the answer on what has been requested is everything: deliberate weakenings of encryption algorithms, deliberate weakenings of random number generations, copies of master keys, encryption of the session key with an NSA-specific key … everything./ -- Bruce Schneier, on the 2013 leaked NSA documents #+END_VERSE The security of encryption depends upon the randomness of the random source used on your system. If it isn't very random then it may be far more vulnerable to cryptanalysis, and it's known that in the past some dubious agencies have encouraged the use of flawed random number generators to assist with their prurient activities. Randomness - typically referred to as /entropy/ - is often gathered from factors such as the timing of key presses or mouse movements, but since the BBB won't have such devices plugged into it this reduces the amount of entropy available. *** On the Beaglebone Black Computers can't really generate truly random numbers by themselves, since they're deterministic and so operate in a highly predictable manner. Fortunately, the BBB has an onboard hardware random number generator, which is a physical process which behaves randomly and which can then be read into the computer and stored for later use in encryption algorithms. Information on exactly how the hardware random number generator on the Beaglebone AM335x CPU works [[http://e2e.ti.com/support/arm/sitara_arm/f/791/t/292794.aspx][seems hard to come by]], but we can later use some software to verify that it does indeed produce random numbers and hasn't been deliberately weakened. If you are using a Beaglebone and have updated the kernel then install: #+BEGIN_SRC: bash apt-get install rng-tools emacs /etc/default/rng-tools #+END_SRC Uncomment *HRNGDEVICE=/dev/hwrng*, save and exit then restart the daemon. #+BEGIN_SRC: bash service rng-tools restart #+END_SRC Your BBB will now use hardware to generate random numbers. *** On other Single Board Computers If you are not using a Beaglebone (a Cubieboard for example), or if you didn't update the kernel, then you can still improve the random number generation by installing: #+BEGIN_SRC: bash apt-get install haveged #+END_SRC *** Verifying random number quality #+BEGIN_VERSE /Living in a surveillance state is exactly like being guilty until proven guilty./ -- Mohammad Tarakiyee #+END_VERSE You can check how much randomness (entropy) is available with: #+BEGIN_SRC: bash cat /proc/sys/kernel/random/entropy_avail #+END_SRC Ideally it should be in the range 1000-4096. If it is persistently below 500 then there may be a problem with your system which could make it less secure. To verify that random number generation is good on the BBB run: #+BEGIN_SRC: bash cat /dev/hwrng | rngtest -c 1000 #+END_SRC You should see something like this, with zero or a small number of failures: #+BEGIN_SRC: bash rngtest: starting FIPS tests... rngtest: bits received from input: 20000032 rngtest: FIPS 140-2 successes: 1000 rngtest: FIPS 140-2 failures: 0 rngtest: FIPS 140-2(2001-10-10) Monobit: 0 rngtest: FIPS 140-2(2001-10-10) Poker: 0 rngtest: FIPS 140-2(2001-10-10) Runs: 0 rngtest: FIPS 140-2(2001-10-10) Long run: 0 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 rngtest: input channel speed: (min=3.104; avg=26.015; max=18.626)Gibits/s rngtest: FIPS tests speed: (min=160.281; avg=165.696; max=168.792)Mibits/s rngtest: Program run time: 115987 microseconds #+END_SRC *** Cryptotronix Hashlet #+BEGIN_VERSE /One must acknowledge with cryptography no amount of violence will ever solve a math problem./ -- Jacob Appelbaum #+END_VERSE An optional extra is the [[http://cryptotronix.com/products/hashlet/][Cryptotronix Hashlet]] which also has hardware random number generation capability via the [[./Atmel-8740-CryptoAuth-ATSHA204-Datasheet.pdf][Atmel ATSHA204]] chip. Install the hashlet [[./images/hashlet_installed.jpg][like this]] on the BBB, then install some dependencies. #+BEGIN_SRC: bash apt-get install git build-essential libgcrypt11-dev texinfo #+END_SRC Download the source code. #+BEGIN_SRC: bash cd /tmp git clone https://github.com/bashrc/hashlet.git #+END_SRC Now install the driver. #+BEGIN_SRC: bash cd hashlet chmod o+rw /dev/i2c* ./autogen.sh make check make install #+END_SRC To check the initial state of the device: #+BEGIN_SRC: bash hashlet --bus=/dev/i2c-2 state #+END_SRC It should return the message "/Factory/". This is intended to provide an indication that the hardware hasn't been tampered with by [[https://en.wikipedia.org/wiki/Tailored_Access_Operations][TAO]] or other shady outfits in transit. If /i2c-2/ fails then try /i2c-1/ or /i2c-0/. #+BEGIN_SRC: bash hashlet --bus=/dev/i2c-2 personalize #+END_SRC Nothing should be returned by this command, but a file called ~/.hashlet will be generated which is the private key of the device. This personalization process is a one-time operation which physically alters the hardware, so it would not be trivial to reset the device back to "Factory" again. To make sure it's only accessible by the root user: #+BEGIN_SRC: bash chmod 400 ~/.hashlet #+END_SRC Now create a daemon which will create a random number generator device */dev/hashletrng*. #+BEGIN_SRC: bash emacs /usr/bin/hashletd #+END_SRC #+BEGIN_SRC: bash #!/bin/sh PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin' I2CBUS=2 BYTES=32 DEVICE=/dev/hashletrng # create a device if [ ! -e ${DEVICE} ]; then chmod o+rw /dev/i2c* mknod ${DEVICE} p fi while : do hashlet --bus=/dev/i2c-${I2CBUS} --Bytes ${BYTES} random-bytes > ${DEVICE} done #+END_SRC Save and exit. Now create an init script to run it. #+BEGIN_SRC: bash emacs /etc/init.d/hashlet #+END_SRC Add the following: #+BEGIN_SRC: bash #!/bin/bash # /etc/init.d/hashlet ### BEGIN INIT INFO # Provides: hashlet # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: hashlet # Description: Creates a random number generator device ### END INIT INFO # Author: Bob Mottram #Settings SERVICE='hashlet' LOGFILE='/dev/null' COMMAND="/usr/bin/hashletd" USERNAME='root' NICELEVEL=19 HISTORY=1024 INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin' hashlet_start() { echo "Starting $SERVICE..." su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME } hashlet_stop() { echo "Stopping $SERVICE" su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME } #Start-Stop here case "$1" in start) hashlet_start ;; stop) hashlet_stop ;; restart) hashlet_stop sleep 10s hashlet_start ;; *) echo "Usage: $0 {start|stop|restart}" exit 1 ;; esac exit 0 #+END_SRC Save and exit, then start the daemon. #+BEGIN_SRC: bash chmod +x /usr/bin/hashletd chmod +x /etc/init.d/hashlet update-rc.d hashlet defaults service hashlet start #+END_SRC Then to obtain some random bytes: #+BEGIN_SRC: bash cat /dev/hashletrng #+END_SRC The rate of entropy generation by the Hashlet seems very slow compared to */dev/hwrng*, and this is most likely because of the I2C interface. So it's probably a good idea to keep hwrng as the main random source and only use the Hashlet's random number generator for any ancillary stuff. ** Alter ssh configuration Altering the ssh configuration will make it a little more secure than the standard Debian settings. #+BEGIN_SRC: bash emacs /etc/ssh/sshd_config #+END_SRC Check the following values: #+BEGIN_SRC: bash PermitRootLogin no X11Forwarding no ServerKeyBits 4096 Protocol 2 PermitEmptyPasswords no StrictModes yes TCPKeepAlive no #+END_SRC Append the following: #+BEGIN_SRC: bash ClientAliveInterval 60 ClientAliveCountMax 3 Ciphers aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 #+END_SRC CTRL-x CTRL-s to save, then CTRL-x CTRL-c to exit. Now clear out any pre-existing host keys and reconfigure the ssh server. #+BEGIN_SRC: bash rm /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server service ssh restart #+END_SRC To test the new settings log out by typing "exit" a couple of times, then log back in again with: #+BEGIN_SRC: bash ssh -vvv myusername@192.168.1.60 #+END_SRC and check that some number of bits are set within a 4096 bit sized key: #+BEGIN_SRC: bash debug2: bits set: */4096 #+END_SRC ** Getting onto the web Create a subdomain on [[http://freedns.afraid.org][freeDNS]]. You may need to click on "/subdomains/" a couple of times. FreeDNS is preferred because it is one of the few domain name providers which supports genuinely free (as in beer) accounts. So if your budget is tiny or non-existent you can still participate as a first class citizen of the internet. If you do have money to spend there is also a premium option. Select "/dynamic DNS/" then click "/quick cron example/" An example would look like: #+BEGIN_SRC: bash 4,14,24,34,44,54 * * * * root sleep 29 ; /usr/bin/timeout 200 wget -O - https://free\ dns.afraid.org/dynamic/update.php?ABCKDNRCLFHENSLKNFEGSBFLFF== >> /dev/null 2>&1 & #+END_SRC It's important to make sure that you change the *http* to *https*, since this will help to prevent a potential attacker from hijacking your site and redirecting it to a fake version for the purposes of obtaining your login details. Edit */etc/crontab* and append that to the top of the file, underneath the heading line which looks like this: #+BEGIN_SRC: bash # m h dom mon dow user command #+END_SRC In general the most frequently run crontab entries should be at the top. Then save and exit. Via your router's firewall settings you should now open port 22 (secure shell). This will allow you to ssh into your BBB from any location - not just your own local network. The freeDNS subdomain which you just created will hereafter just be refered to as "/your domain name/". If you have multiple freedns subdomains then you may want to rationalise that a little within */etc/crontab*. Rather than listing them all individually create a script: #+BEGIN_SRC: bash emacs /usr/bin/dynamicdns #+END_SRC Add however many freedns subdomains you have. #+BEGIN_SRC: bash #!/bin/bash # subdomain name 1 wget -O - https://freedns.afraid.org/dynamic/update.php?== >> /dev/null 2>&1 # subdomain name 2 wget -O - https://freedns.afraid.org/dynamic/update.php?== >> /dev/null 2>&1 ... #+END_SRC Save and exit, then make the script runnable and only readable by the root user. #+BEGIN_SRC: bash chmod 600 /usr/bin/dynamicdns chmod +x /usr/bin/dynamicdns #+END_SRC Then within */etc/crontab* #+BEGIN_SRC: bash emacs /etc/crontab #+END_SRC You can replace the multiple freedns entries with a single line: #+BEGIN_SRC: bash */10 * * * * root /usr/bin/timeout 200 /usr/bin/dynamicdns #+END_SRC Then save and exit and restart the cron daemon. #+BEGIN_SRC: bash service cron restart #+END_SRC If you want to know what a typical /crontab/ file might look like then see the [[Example crontab file]] ** Set the host name #+BEGIN_SRC: bash emacs /etc/hostname #+END_SRC CTRL-x CTRL-s to save, then CTRL-x CTRL-c to exit. Also issue the command, replacing /mydomainname.com/ with your domain name. #+BEGIN_SRC: bash hostname mydomainname.com #+END_SRC You may also need to assign the same hostname separately via your router's web interface. #+BEGIN_SRC: bash emacs /etc/hosts #+END_SRC Append the following, replacing /mydomainname.com/ with your domain name. #+BEGIN_SRC: bash 127.0.1.1 mydomainname.com #+END_SRC If you then run the command: #+BEGIN_SRC: bash hostname -f #+END_SRC it should return your domain name. ** Install time synchronisation #+BEGIN_VERSE /You may delay, but time will not./ -- Benjamin Franklin #+END_VERSE It's convenient to have the clock on your server automatically synchronised with other servers on the internet so that you don't need to set the clock manually. First install some prerequisites. #+BEGIN_SRC: bash apt-get install build-essential automake git #+END_SRC Now download and install tlsdate. #+BEGIN_SRC: bash cd /tmp git clone https://github.com/ioerror/tlsdate.git cd tlsdate ./autogen.sh ./configure make make install #+END_SRC Create an init script. #+BEGIN_SRC: bash emacs /etc/init.d/tlsdated #+END_SRC Add the following: #+BEGIN_SRC: bash #!/bin/sh ### BEGIN INIT INFO # Provides: tlsdate # Required-Start: $network $local_fs $remote_fs # Required-Stop: $local_fs $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: secure parasitic rdate replacement # Description: tlsdate sets the local clock by securely connecting with # TLS to remote servers and extracting the remote time out # of the secure handshake. Unlike ntpdate, tlsdate uses # TCP, for instance connecting to a remote HTTPS or TLS # enabled service, and provides some protection against # adversaries that try to feed you malicious time # information. # ### END INIT INFO # Author: Jacob Appelbaum # PATH should only include /usr/* if it runs after the mountnfs.sh script PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin DESC="secure parasitic rdate replacement daemon" NAME=tlsdated DAEMON=/usr/local/sbin/tlsdated DAEMON_ARGS="" PIDFILE=/var/run/$NAME.pid SCRIPTNAME=/etc/init.d/$NAME # Exit if the package is not installed [ -x $DAEMON ] || exit 0 # Read configuration variable file if it is present [ -r /etc/default/$NAME ] && . /etc/default/$NAME # Load the VERBOSE setting and other rcS variables . /lib/init/vars.sh # Define LSB log_* functions. # Depend on lsb-base (>= 3.0-6) to ensure that this file is present. . /lib/lsb/init-functions # # Function that starts the daemon/service # do_start() { # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started start-stop-daemon --background --start --quiet --pidfile $PIDFILE \ --exec $DAEMON --test > /dev/null \ || return 1 start-stop-daemon --background --start --quiet --pidfile $PIDFILE \ --exec $DAEMON -- \ $DAEMON_ARGS \ || return 2 # Add code here, if necessary, that waits for the process to be ready # to handle requests from services started subsequently which depend # on this one. As a last resort, sleep for some time. } # # Function that stops the daemon/service # do_stop() { # Return # 0 if daemon has been stopped # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred start-stop-daemon --stop --quiet --retry=TERM/5/KILL/1 --pidfile $PIDFILE \ --name $NAME RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 # Wait for children to finish too if this is a daemon that forks # and if the daemon is only ever run from this initscript. # If the above conditions are not satisfied then add some other code # that waits for the process to drop all resources that could be # needed by services started subsequently. A last resort is to # sleep for some time. start-stop-daemon --stop --quiet --oknodo --retry=0/5/KILL/5 --exec $DAEMON [ "$?" = 2 ] && return 2 # Many daemons don't delete their pidfiles when they exit. rm -f $PIDFILE return "$RETVAL" } # # Function that sends a SIGHUP to the daemon/service # do_reload() { # # If the daemon can reload its configuration without # restarting (for example, when it is sent a SIGHUP), # then implement that here. # start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME return 0 } case "$1" in start) [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME" do_start case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; stop) [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" do_stop case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; #reload|force-reload) # # If do_reload() is not implemented then leave this commented out # and leave 'force-reload' as an alias for 'restart'. # #log_daemon_msg "Reloading $DESC" "$NAME" #do_reload #log_end_msg $? #;; restart|force-reload) # # If the "reload" option is implemented then remove the # 'force-reload' alias # log_daemon_msg "Restarting $DESC" "$NAME" do_stop case "$?" in 0|1) do_start case "$?" in 0) log_end_msg 0 ;; 1) log_end_msg 1 ;; # Old process is still running *) log_end_msg 1 ;; # Failed to start esac ;; *) # Failed to stop log_end_msg 1 ;; esac ;; *) echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 exit 3 ;; esac : #+END_SRC Save and exit, then start the daemon. #+BEGIN_SRC: bash chmod +x /etc/init.d/tlsdated update-rc.d tlsdated defaults service tlsdated start #+END_SRC ** Install fail2ban #+BEGIN_SRC: bash apt-get install fail2ban #+END_SRC ** Set up a firewall #+BEGIN_VERSE /The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder/ -- NBC News article: /War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show/ #+END_VERSE A basic firewall limits the maximum rate at which connections can be made and closes any unused ports, and this helps to defend against various kinds of DDOS attack. #+BEGIN_SRC: bash apt-get install portsentry emacs /etc/portsentry/portsentry.conf #+END_SRC Uncomment the entry for *iptables support for Linux* Set the following properties: #+BEGIN_SRC: bash TCP_PORTS="1,7,9,11,15,79,109,110,111,119,138,139,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320" UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321" ADVANCED_EXCLUDE_TCP="113,139,70,80,443,143,6670,993,5060,5061,25,465,22,5222,5223,5269,5280,5281,8432,8433,8444" ADVANCED_EXCLUDE_UDP="520,138,137,67,70,80,443,143,6670,993, 5060,5061,25,465,22,5222,5223,5269,5280,5281,8444" SCAN_TRIGGER="2" BLOCK_UDP="2" BLOCK_TCP="2" #+END_SRC Save and exit. #+BEGIN_SRC: bash service portsentry restart emacs /tmp/firewall.sh #+END_SRC Enter the following: #+BEGIN_SRC: bash #!/bin/bash # First of all delete any existing rules. # This means you're back to a known state: iptables -P INPUT ACCEPT ip6tables -P INPUT ACCEPT iptables -F ip6tables -F iptables -X ip6tables -X # Drop any IPv6 traffic ip6tables -A INPUT -p icmp -j DROP ip6tables -A INPUT -p tcp -j DROP ip6tables -A INPUT -p udp -j DROP # Drop access to unused ports iptables -A INPUT -p tcp --destination-port 1 -j DROP iptables -A INPUT -p tcp --destination-port 7 -j DROP iptables -A INPUT -p tcp --destination-port 109:111 -j DROP iptables -A INPUT -p tcp --destination-port 995 -j DROP iptables -A INPUT -p tcp --destination-port 139 -j DROP iptables -A INPUT -p tcp --destination-port 6000:6001 -j DROP iptables -A INPUT -p tcp --destination-port 9 -j DROP iptables -A INPUT -p tcp --destination-port 79 -j DROP iptables -A INPUT -p tcp --destination-port 515 -j DROP iptables -A INPUT -p tcp --destination-port 4001 -j DROP iptables -A INPUT -p tcp --destination-port 1524 -j DROP iptables -A INPUT -p tcp --destination-port 1080 -j DROP iptables -A INPUT -p tcp --destination-port 512:514 -j DROP iptables -A INPUT -p tcp --destination-port 31337 -j DROP iptables -A INPUT -p tcp --destination-port 2000:2001 -j DROP iptables -A INPUT -p tcp --destination-port 12345 -j DROP iptables -A INPUT -p tcp --destination-port 32771:32774 -j DROP iptables -A INPUT -p tcp --destination-port 4000 -j DROP iptables -A INPUT -p tcp --destination-port 119 -j DROP iptables -A INPUT -p tcp --destination-port 137 -j DROP iptables -A INPUT -p tcp --destination-port 3306 -j DROP iptables -A INPUT -p tcp --destination-port 4242 -j DROP iptables -A INPUT -p udp --destination-port 1 -j DROP iptables -A INPUT -p udp --destination-port 7 -j DROP iptables -A INPUT -p udp --destination-port 109:111 -j DROP iptables -A INPUT -p udp --destination-port 995 -j DROP iptables -A INPUT -p udp --destination-port 139 -j DROP iptables -A INPUT -p udp --destination-port 6000:6001 -j DROP iptables -A INPUT -p udp --destination-port 9 -j DROP iptables -A INPUT -p udp --destination-port 79 -j DROP iptables -A INPUT -p udp --destination-port 515 -j DROP iptables -A INPUT -p udp --destination-port 4001 -j DROP iptables -A INPUT -p udp --destination-port 1524 -j DROP iptables -A INPUT -p udp --destination-port 1080 -j DROP iptables -A INPUT -p udp --destination-port 512:514 -j DROP iptables -A INPUT -p udp --destination-port 31337 -j DROP iptables -A INPUT -p udp --destination-port 2000:2001 -j DROP iptables -A INPUT -p udp --destination-port 12345 -j DROP iptables -A INPUT -p udp --destination-port 32771:32774 -j DROP iptables -A INPUT -p udp --destination-port 4000 -j DROP iptables -A INPUT -p udp --destination-port 119 -j DROP iptables -A INPUT -p udp --destination-port 137 -j DROP iptables -A INPUT -p udp --destination-port 8432 -j DROP iptables -A INPUT -p udp --destination-port 8433 -j DROP iptables -A INPUT -p udp --destination-port 3306 -j DROP iptables -A INPUT -p udp --destination-port 4242 -j DROP # Make sure NEW incoming tcp connections are SYN packets iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP # Drop packets with incoming fragments iptables -A INPUT -f -j DROP # Incoming malformed XMAS packets drop them iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # Incoming malformed NULL packets: iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # Drop UDP to used ports iptables -A INPUT -p udp --match multiport --dports 70,80,443,143,6670,993,5060,5061,25 -j DROP iptables -A INPUT -p udp --match multiport --dports 465,22,5222,5223,5269,5280,5281,8444 -j DROP # Limit ssh logins iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT # Limit web connections iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT # Limit number of XMPP connections iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT # Limit IRC connections iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT # Limit gopher connections iptables -A INPUT -p tcp --dport 70 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT # Limit IMAP connections iptables -A INPUT -p tcp --dport 143 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT iptables -A INPUT -p tcp --dport 993 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT # Limit SIP connections iptables -A INPUT -p tcp --dport 5060:5061 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT # Limit SMTP/SMTPS connections iptables -A INPUT -p tcp --dport 25 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT iptables -A INPUT -p tcp --dport 465 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT # Limit Bitmessage connections iptables -A INPUT -p tcp --dport 8444 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT # Limit Convergence notary iptables -A INPUT -p tcp --dport 8432:8433 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT # Limit the number of incoming tcp connections # Interface 0 incoming syn-flood protection iptables -N syn_flood iptables -A INPUT -p tcp --syn -j syn_flood iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN iptables -A syn_flood -j DROP # Limiting the incoming icmp ping request: #iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT #iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP: iptables -A INPUT -p icmp -j DROP #iptables -A OUTPUT -p icmp -j ACCEPT # Save the settings iptables-save > /etc/firewall.conf ip6tables-save > /etc/firewall6.conf printf '#!/bin/sh\n' > /etc/network/if-up.d/iptables printf 'iptables-restore < /etc/firewall.conf\n' >> /etc/network/if-up.d/iptables printf 'ip6tables-restore < /etc/firewall6.conf\n' >> /etc/network/if-up.d/iptables chmod +x /etc/network/if-up.d/iptables #+END_SRC Save and exit. Note that this will disable IP version 6. At the time of writing it is expected that the average internet user is running on IP version 4. #+BEGIN_SRC: bash chmod +x /tmp/firewall.sh . /tmp/firewall.sh rm /tmp/firewall.sh #+END_SRC Also disable ping. This may be inconvenient to some extent, but it seems common for malicious systems, including but not limited to the [[http://www.nbcnews.com/news/investigations/snowden-docs-british-spies-used-sex-dirty-tricks-n23091][JTRIG "EFFECTS" team]], to try to disable the machine by flooding it with pings. These days there seems to be not much difference between "cybercrime" and nefarious state-sponsored internet activities. #+BEGIN_SRC: bash emacs /etc/sysctl.conf #+END_SRC Uncomment or change the following: #+BEGIN_SRC: bash net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.rp_filter=1 net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0 #+END_SRC And append the following: #+BEGIN_SRC: bash # ignore pings net.ipv4.icmp_echo_ignore_all = 1 net.ipv6.icmp_echo_ignore_all = 1 # disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 1 # keepalive net.ipv4.tcp_keepalive_probes = 9 net.ipv4.tcp_keepalive_intvl = 75 net.ipv4.tcp_keepalive_time = 7200 #+END_SRC Save and exit. It may be a good idea to reboot at this point and then log back into the BBB using ssh. You can do a safe reboot of the system by typing: #+BEGIN_SRC: bash reboot #+END_SRC After reboot and logging back in to the root account via /ssh/ you can verify that the firewall rules were restored correctly with: #+BEGIN_SRC: bash iptables -L #+END_SRC and #+BEGIN_SRC: bash ip6tables -L #+END_SRC ** Install Email #+BEGIN_VERSE /If you knew what I know about email, you might not use it/ -- Ladar Levison #+END_VERSE Email is not very secure, but its usefulness and ubiquity mean that it's likely to continue as a primary communications method for many years to come. You can encrypt the contents of email using PGP/GPG, but very few people do that and even for those that do the metadata (the From/To/CC/BCC) is always transmitted in the clear as a fundamental aspect of the protocol, allowing an attacker to easily construct detailed models of people's social network and life patterns even without knowing the content. Exim4 seems much easier to install and configure than Postfix. #+BEGIN_SRC: bash service postfix stop apt-get remove postfix aptitude install exim4 sasl2-bin swaks libnet-ssleay-perl procmail #+END_SRC You will be prompted to remove postfix. Say yes and yes again. #+BEGIN_SRC: bash dpkg-reconfigure exim4-config #+END_SRC Settings as follows: #+BEGIN_SRC: bash internet site System mail name: mydomainname.com IP addresses to listen on: blank Destinations: mydomainname.com Domains to relay mail: blank Smarthost Relay: 192.168.1.0/24 (the range of addresses on your LAN) Dial on demand = no Maildir format in home directory Split configuration = no Root and postmaster: root email #+END_SRC To test the installation: #+BEGIN_SRC: bash telnet 192.168.1.60 25 ehlo xxx quit #+END_SRC #+BEGIN_SRC: bash emacs /etc/default/saslauthd #+END_SRC set START=yes then save and exit. #+BEGIN_SRC: bash /etc/init.d/saslauthd start emacs exim-gencert #+END_SRC #+BEGIN_SRC: bash #!/bin/sh -e if [ -n "$EX4DEBUG" ]; then echo "now debugging $0 $@" set -x fi DIR=/etc/exim4 CERT=$DIR/exim.crt KEY=$DIR/exim.key # This exim binary was built with GnuTLS which does not support dhparams # from a file. See /usr/share/doc/exim4-base/README.Debian.gz #DH=$DIR/exim.dhparam if ! which openssl > /dev/null ;then echo "$0: openssl is not installed, exiting" 1>&2 exit 1 fi # valid for ten years DAYS=3650 if [ "$1" != "--force" ] && [ -f $CERT ] && [ -f $KEY ]; then echo "[*] $CERT and $KEY exists!" echo " Use \"$0 --force\" to force generation!" exit 0 fi if [ "$1" = "--force" ]; then shift fi #SSLEAY=/tmp/exim.ssleay.$$.cnf SSLEAY="$(tempfile -m600 -pexi)" cat > $SSLEAY < /dev/null rm "$MAILDIR/cur/$f" done for f in `ls $MAILDIR/new` do spamc -L spam < "$MAILDIR/new/$f" > /dev/null rm "$MAILDIR/new/$f" done #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /usr/bin/filterham #+END_SRC Add the following contents: #+BEGIN_SRC: bash #!/bin/bash USERNAME=$1 MAILDIR=/home/$USERNAME/Maildir/.learn-ham if [ ! -d "$MAILDIR" ]; then exit fi for f in `ls $MAILDIR/cur` do spamc -L ham < "$MAILDIR/cur/$f" > /dev/null rm "$MAILDIR/cur/$f" done for f in `ls $MAILDIR/new` do spamc -L ham < "$MAILDIR/new/$f" > /dev/null rm "$MAILDIR/new/$f" done #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/crontab #+END_SRC Append the following, replacing *myusername* with your username. #+BEGIN_SRC: bash */3 * * * * root /usr/bin/timeout 120 /usr/bin/filterspam myusername */3 * * * * root /usr/bin/timeout 120 /usr/bin/filterham myusername #+END_SRC Save and exit. #+BEGIN_SRC: bash chmod 655 /usr/bin/filterspam /usr/bin/filterham service spamassassin restart service exim4 restart service cron restart #+END_SRC ** Install Dovecot #+BEGIN_VERSE /I dreamt last night that I was living in a surveillance state. I woke up and… I’m still in a surveillance state./ -- Conrad Kramer #+END_VERSE Install the required packages. #+BEGIN_SRC: bash aptitude -y install dovecot-common dovecot-imapd #+END_SRC Edit the configuration file. #+BEGIN_SRC: bash emacs /etc/dovecot/dovecot.conf #+END_SRC Line 26: change: #+BEGIN_SRC: bash listen = * #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/dovecot/conf.d/10-auth.conf #+END_SRC Line 9: uncomment and change (allow plain text auth) #+BEGIN_SRC: bash disable_plaintext_auth = no #+END_SRC Line 99: add: #+BEGIN_SRC: bash auth_mechanisms = plain login #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/dovecot/conf.d/10-mail.conf #+END_SRC Line 30: uncomment and add: #+BEGIN_SRC: bash mail_location = maildir:~/Maildir:LAYOUT=fs #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/dovecot/conf.d/10-ssl.conf #+END_SRC Append the following: #+BEGIN_SRC: bash ssl_cipher_list = 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA' #+END_SRC Save and exit, then start the dovecot service. #+BEGIN_SRC: bash service dovecot restart #+END_SRC ** Create a GPG key #+BEGIN_VERSE /If privacy is outlawed, only outlaws will have privacy./ -- Philip Zimmermann #+END_VERSE *** Initial installation Assuming that you are logged in as root, first ensure that GPG is installed and then exit to your user account. #+BEGIN_SRC: bash apt-get install gnupg exit #+END_SRC Now we will add some settings: #+BEGIN_SRC: bash mkdir ~/.gnupg emacs ~/.gnupg/gpg.conf #+END_SRC The configuration should look like the following. Of particular importance are the default preferences at the end. #+BEGIN_SRC: bash # Options for GnuPG # Copyright 1998, 1999, 2000, 2001, 2002, 2003, # 2010 Free Software Foundation, Inc. # # This file is free software; as a special exception the author gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. # # This file is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # # Unless you specify which option file to use (with the command line # option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf # by default. # # An options file can contain any long options which are available in # GnuPG. If the first non white space character of a line is a '#', # this line is ignored. Empty lines are also ignored. # # See the man page for a list of options. # Uncomment the following option to get rid of the copyright notice #no-greeting # If you have more than 1 secret key in your keyring, you may want to # uncomment the following option and set your preferred keyid. #default-key 621CC013 # If you do not pass a recipient to gpg, it will ask for one. Using # this option you can encrypt to a default key. Key validation will # not be done in this case. The second form uses the default key as # default recipient. #default-recipient some-user-id #default-recipient-self # Use --encrypt-to to add the specified key as a recipient to all # messages. This is useful, for example, when sending mail through a # mail client that does not automatically encrypt mail to your key. # In the example, this option allows you to read your local copy of # encrypted mail that you've sent to others. #encrypt-to some-key-id # By default GnuPG creates version 4 signatures for data files as # specified by OpenPGP. Some earlier (PGP 6, PGP 7) versions of PGP # require the older version 3 signatures. Setting this option forces # GnuPG to create version 3 signatures. #force-v3-sigs # Because some mailers change lines starting with "From " to ">From " # it is good to handle such lines in a special way when creating # cleartext signatures; all other PGP versions do it this way too. #no-escape-from-lines # If you do not use the Latin-1 (ISO-8859-1) charset, you should tell # GnuPG which is the native character set. Please check the man page # for supported character sets. This character set is only used for # metadata and not for the actual message which does not undergo any # translation. Note that future version of GnuPG will change to UTF-8 # as default character set. In most cases this option is not required # as GnuPG is able to figure out the correct charset at runtime. #charset utf-8 # Group names may be defined like this: # group mynames = paige 0x12345678 joe patti # # Any time "mynames" is a recipient (-r or --recipient), it will be # expanded to the names "paige", "joe", and "patti", and the key ID # "0x12345678". Note there is only one level of expansion - you # cannot make an group that points to another group. Note also that # if there are spaces in the recipient name, this will appear as two # recipients. In these cases it is better to use the key ID. #group mynames = paige 0x12345678 joe patti # Lock the file only once for the lifetime of a process. If you do # not define this, the lock will be obtained and released every time # it is needed, which is usually preferable. #lock-once # GnuPG can send and receive keys to and from a keyserver. These # servers can be HKP, email, or LDAP (if GnuPG is built with LDAP # support). # # Example HKP keyserver: # hkp://keys.gnupg.net # hkp://subkeys.pgp.net # # Example email keyserver: # mailto:pgp-public-keys@keys.pgp.net # # Example LDAP keyservers: # ldap://keyserver.pgp.com # # Regular URL syntax applies, and you can set an alternate port # through the usual method: # hkp://keyserver.example.net:22742 # # Most users just set the name and type of their preferred keyserver. # Note that most servers (with the notable exception of # ldap://keyserver.pgp.com) synchronize changes with each other. Note # also that a single server name may actually point to multiple # servers via DNS round-robin. hkp://keys.gnupg.net is an example of # such a "server", which spreads the load over a number of physical # servers. To see the IP address of the server actually used, you may use # the "--keyserver-options debug". keyserver hkp://keys.gnupg.net #keyserver mailto:pgp-public-keys@keys.nl.pgp.net #keyserver ldap://keyserver.pgp.com # Common options for keyserver functions: # # include-disabled : when searching, include keys marked as "disabled" # on the keyserver (not all keyservers support this). # # no-include-revoked : when searching, do not include keys marked as # "revoked" on the keyserver. # # verbose : show more information as the keys are fetched. # Can be used more than once to increase the amount # of information shown. # # use-temp-files : use temporary files instead of a pipe to talk to the # keyserver. Some platforms (Win32 for one) always # have this on. # # keep-temp-files : do not delete temporary files after using them # (really only useful for debugging) # # http-proxy="proxy" : set the proxy to use for HTTP and HKP keyservers. # This overrides the "http_proxy" environment variable, # if any. # # auto-key-retrieve : automatically fetch keys as needed from the keyserver # when verifying signatures or when importing keys that # have been revoked by a revocation key that is not # present on the keyring. # # no-include-attributes : do not include attribute IDs (aka "photo IDs") # when sending keys to the keyserver. keyserver-options auto-key-retrieve # Display photo user IDs in key listings # list-options show-photos # Display photo user IDs when a signature from a key with a photo is # verified # verify-options show-photos # Use this program to display photo user IDs # # %i is expanded to a temporary file that contains the photo. # %I is the same as %i, but the file isn't deleted afterwards by GnuPG. # %k is expanded to the key ID of the key. # %K is expanded to the long OpenPGP key ID of the key. # %t is expanded to the extension of the image (e.g. "jpg"). # %T is expanded to the MIME type of the image (e.g. "image/jpeg"). # %f is expanded to the fingerprint of the key. # %% is %, of course. # # If %i or %I are not present, then the photo is supplied to the # viewer on standard input. If your platform supports it, standard # input is the best way to do this as it avoids the time and effort in # generating and then cleaning up a secure temp file. # # If no photo-viewer is provided, GnuPG will look for xloadimage, eog, # or display (ImageMagick). On Mac OS X and Windows, the default is # to use your regular JPEG image viewer. # # Some other viewers: # photo-viewer "qiv %i" # photo-viewer "ee %i" # # This one saves a copy of the photo ID in your home directory: # photo-viewer "cat > ~/photoid-for-key-%k.%t" # # Use your MIME handler to view photos: # photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG" # Passphrase agent # # We support the old experimental passphrase agent protocol as well as # the new Assuan based one (currently available in the "newpg" package # at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent, # you have to run an agent as daemon and use the option # # use-agent # # which tries to use the agent but will fallback to the regular mode # if there is a problem connecting to the agent. The normal way to # locate the agent is by looking at the environment variable # GPG_AGENT_INFO which should have been set during gpg-agent startup. # In certain situations the use of this variable is not possible, thus # the option # # --gpg-agent-info=::1 # # may be used to override it. # Automatic key location # # GnuPG can automatically locate and retrieve keys as needed using the # auto-key-locate option. This happens when encrypting to an email # address (in the "user@example.com" form), and there are no # user@example.com keys on the local keyring. This option takes the # following arguments, in the order they are to be tried: # # cert = locate a key using DNS CERT, as specified in RFC-4398. # GnuPG can handle both the PGP (key) and IPGP (URL + fingerprint) # CERT methods. # # pka = locate a key using DNS PKA. # # ldap = locate a key using the PGP Universal method of checking # "ldap://keys.(thedomain)". For example, encrypting to # user@example.com will check ldap://keys.example.com. # # keyserver = locate a key using whatever keyserver is defined using # the keyserver option. # # You may also list arbitrary keyservers here by URL. # # Try CERT, then PKA, then LDAP, then hkp://subkeys.net: #auto-key-locate cert pka ldap hkp://subkeys.pgp.net # default preferences personal-digest-preferences SHA256 cert-digest-algo SHA256 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed #+END_SRC Save and exit. *** If you have an existing key #+BEGIN_SRC: bash gpg --import ~/public_key.txt gpg --allow-secret-key-import --import ~/private_key.txt shred -zu ~/private_key.txt #+END_SRC Now check the digest preferences, replacing /keyID/ with your GPG key ID. This applies especially if you have a key which was generated some time ago. #+BEGIN_SRC: bash export MYGPGKEYID=keyID gpg --edit-key $MYGPGKEYID setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed save gpg --send-keys $MYGPGKEYID #+END_SRC *** To create a new key Generate a key with the following command: #+BEGIN_SRC: bash gpg --gen-key #+END_SRC You can find your GPG key ID by entering: #+BEGIN_SRC: bash gpg --list-keys #+END_SRC The key ID is the second part of the string of numbers and letters. So for example in: #+BEGIN_SRC: bash pub 4096R/EA982E38 2012-05-20 #+END_SRC the key ID is EA982E38. Now send your public key to a server so that others can find it. #+BEGIN_SRC: bash gpg --send-keys $MYGPGKEYID #+END_SRC *** root settings If you later create an encrypted mailing list then the root user will also need to have good GPG settings so that it can generate key pairs for the list. The easiest way to ensure this is to do the following, replacing /myusername/ with your username: #+BEGIN_SRC: bash su cp -r /home/myusername/.gnupg ~/ chown -R root:root ~/.gnupg #+END_SRC ** Protect processes Because the BBB has limited RAM some processes may occasionally be automatically killed if physical memory availability is getting too low. The way in which processes are chosen to be sacrificed is not particularly intelligent, and so can result in vital systems being stopped. To try to prevent that from ever happening the following script can be used, which should ensure that at a minimum ssh, email and mysql keep running. #+BEGIN_SRC: bash emacs /usr/bin/protectprocesses #+END_SRC Add the following: #+BEGIN_SRC: bash #!/bin/bash declare -a protect=('/usr/sbin/sshd' '/usr/sbin/mysqld --basedir=/usr' '/bin/sh /usr/bin/mysqld_safe' '/usr/sbin/exim4') for p in "${protect[@]}" do OOM_PROC_ID=$(ps aux | grep '$p' | grep -v grep | head -n 1 | awk -F ' ' '{print $2}') if [ ! -z "$OOM_PROC_ID" ]; then echo -1000 >/proc/$OOM_PROC_ID/oom_score_adj echo -17 >/proc/$OOM_PROC_ID/oom_adj fi done #+END_SRC Save and exit, then edit the cron jobs: #+BEGIN_SRC: bash emacs /etc/crontab #+END_SRC And add the line: #+BEGIN_SRC: bash */1 * * * * root /usr/bin/timeout 30 /usr/bin/protectprocesses #+END_SRC Then save and exit and restart cron. #+BEGIN_SRC: bash chmod +x /usr/bin/protectprocesses service cron restart #+END_SRC Here cron is used so that if we stop one of the relevant processes and then restart it then its oom priority will be reassigned again . ** Setting up a web site #+BEGIN_VERSE /It's important to have the geek community as a whole think about its responsibility and what it can do. We need various alternative voices pushing back on conventional government sometimes./ -- Tim Berners-Lee #+END_VERSE Edit the apache configuration so that it doesn't run out of memory if there are a lot of connections. #+BEGIN_SRC: bash su emacs /etc/apache2/apache2.conf #+END_SRC Search for MaxClients and replace the value with 6. As an example the settings should look something like this: #+BEGIN_SRC: bash Timeout 30 KeepAlive On MaxKeepAliveRequests 5 KeepAliveTimeout 10 StartServers 1 MinSpareServers 1 MaxSpareServers 3 MaxClients 10 MaxRequestsPerChild 3000 StartServers 1 MinSpareThreads 5 MaxSpareThreads 15 ThreadLimit 25 ThreadsPerChild 5 MaxClients 25 MaxRequestsPerChild 200 StartServers 1 MinSpareThreads 5 MaxSpareThreads 15 ThreadLimit 25 ThreadsPerChild 5 MaxClients 25 MaxRequestsPerChild 200 #+END_SRC Also append the following: #+BEGIN_SRC: bash ServerSignature Off ServerTokens Prod #+END_SRC Then save and exit. Install some extra security. #+BEGIN_SRC: bash apt-get install libapache2-modsecurity apt-get install libapache2-mod-evasive #+END_SRC In the examples below replace /mydomainname.com/ with your own domain name. #+BEGIN_SRC: bash export HOSTNAME=mydomainname.com mkdir /var/www/$HOSTNAME mkdir /var/www/$HOSTNAME/htdocs emacs /etc/apache2/sites-available/$HOSTNAME #+END_SRC The Apache configuration for the site should look something like the following. Replace /mydonainname.com/ with the site domain name. #+BEGIN_SRC: bash ServerAdmin myusername@mydomainname.com ServerName mydomainname.com DocumentRoot /var/www/mydomainname.com/htdocs Options FollowSymLinks AllowOverride All Options All AllowOverride All Order allow,deny allow from all LimitRequestBody 128000 # Don't serve .php~ or .php# files created by emacs Order allow,deny Deny from all Header set X-Content-Type-Options nosniff Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private" Header set Pragma no-cache deny from all ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ AllowOverride All Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all LimitRequestBody 128000 ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel error CustomLog ${APACHE_LOG_DIR}/access.log combined ServerAdmin myusername@mydomainname.com ServerName mydomainname.com DocumentRoot /var/www/mydomainname.com/htdocs Options FollowSymLinks AllowOverride All Options All AllowOverride All Order allow,deny allow from all LimitRequestBody 128000 # Don't serve .php~ or .php# files created by emacs Order allow,deny Deny from all Header set X-Content-Type-Options nosniff Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private" Header set Pragma no-cache deny from all ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ AllowOverride All Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all LimitRequestBody 128000 ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel error CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # A self-signed certificate SSLCertificateFile /etc/ssl/certs/mydomainname.com.crt SSLCertificateKeyFile /etc/ssl/private/mydomainname.com.key # Options based on bettercrypto.org SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCompression off SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA # Add six earth month HSTS header for all users ... Header add Strict-Transport-Security "max-age=15768000" # If you want to protect all subdomains , use the following header # ALL subdomains HAVE TO support https if you use this ! # Strict-Transport-Security: max-age=15768000 ; includeSubDomains # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31ZMTZzkVA'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire SSLOptions +StdEnvVars SSLOptions +StdEnvVars # SSL Protocol Adjustments: # The safe and default but still SSL/TLS standard compliant shutdown # approach is that mod_ssl sends the close notify alert but doesn't wait for # the close notify alert from client. When you need a different shutdown # approach you can use one of the following variables: # o ssl-unclean-shutdown: # This forces an unclean shutdown when the connection is closed, i.e. no # SSL close notify alert is send or allowed to received. This violates # the SSL/TLS standard but is needed for some brain-dead browsers. Use # this when you receive I/O errors because of the standard approach where # mod_ssl sends the close notify alert. # o ssl-accurate-shutdown: # This forces an accurate shutdown when the connection is closed, i.e. a # SSL close notify alert is send and mod_ssl waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation # works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown #+END_SRC Then to enable the site: #+BEGIN_SRC: bash a2ensite a2dissite default a2dissite default-ssl a2enmod rewrite a2enmod headers #+END_SRC Ensure that "NameVirtualHost *:443" is added to /etc/apache2/ports.conf. It should look something like the following: #+BEGIN_SRC: bash NameVirtualHost *:80 Listen 80 NameVirtualHost *:443 Listen 443 NameVirtualHost *:443 Listen 443 #+END_SRC Create a self-signed certificate. The passphrase isn't important and will be removed, so make it easy (such as "password"). #+BEGIN_SRC: bash emacs /usr/bin/makecert #+END_SRC Enter the following: #+BEGIN_SRC: bash #!/bin/bash HOSTNAME=$1 openssl genrsa -des3 -out $HOSTNAME.key 1024 openssl req -new -x509 -nodes -sha1 -days 3650 -key $HOSTNAME.key -out $HOSTNAME.crt openssl rsa -in $HOSTNAME.key -out $HOSTNAME.new.key cp $HOSTNAME.new.key $HOSTNAME.key rm $HOSTNAME.new.key cp $HOSTNAME.key /etc/ssl/private chmod 400 /etc/ssl/private/$HOSTNAME.key cp $HOSTNAME.crt /etc/ssl/certs shred -zu $HOSTNAME.key $HOSTNAME.crt a2enmod ssl service apache2 restart #+END_SRC Save and exit. #+BEGIN_SRC: bash chmod +x /usr/bin/makecert makecert mydomainname.com #+END_SRC Enter some trivial password for the key file, such as "password". The password will be removed as part of the /makecert/ script which you just created. Note that leaving a password on the key file would mean that after a power cycle the Apache server will not be able to boot properly (it would wait indefinitely for a password to be manually entered) and would look as if it had crashed. If all has gone well then there should be no warnings or errors after you run the service restart command. After that you should enable ports 80 (HTTP) and 443 (HTTPS) on your internet router/firewall, such that they are redirected to the BBB. Also limit the amount of memory which any php scripts can use. #+BEGIN_SRC: bash emacs /etc/php5/apache2/php.ini #+END_SRC Set the following: #+BEGIN_SRC: bash memory_limit = 32M #+END_SRC Save and exit. Also edit */etc/php5/cli/php.ini* and set /memory_limit/ to the same value. This should prevent any rogue scripts from crashing the system. ** Accessing your Email #+BEGIN_VERSE /The emails showed that Google...was among several other military/defense contractors vying for a piece of DAC’s $10.9-million surveillance contracting action./ -- Article on the "Google-Military-Surveillance Complex" by Yasha Levine #+END_VERSE *** Mutt email client #+BEGIN_SRC: bash apt-get install mutt-patched lynx abook exit mkdir ~/.mutt echo "text/html; lynx -dump -width=78 -nolist %s | sed ‘s/^ //’; copiousoutput; needsterminal; nametemplate=%s.html" > ~/.mutt/mailcap su emacs /etc/Muttrc #+END_SRC Append the following: #+BEGIN_SRC: bash set mbox_type=Maildir set folder="~/Maildir" set mask="!^\\.[^.]" set mbox="~/Maildir" set record="+Sent" set postponed="+Drafts" set trash="+Trash" set spoolfile="~/Maildir" auto_view text/x-vcard text/html text/enriched set editor="emacs" set header_cache="+.cache" macro index S "=.learn-spam" "move to learn-spam" macro pager S "=.learn-spam" "move to learn-spam" macro index H "=.learn-ham" "copy to learn-ham" macro pager H "=.learn-ham" "copy to learn-ham" # set up the sidebar set sidebar_width=12 set sidebar_visible=yes set sidebar_delim='|' set sidebar_sort=yes set rfc2047_parameters # Show inbox and sent items mailboxes = =Sent # Alter these colours as needed for maximum bling color sidebar_new yellow default color normal white default color hdrdefault brightcyan default color signature green default color attachment brightyellow default color quoted green default color quoted1 white default color tilde blue default # ctrl-n, ctrl-p to select next, prev folder # ctrl-o to open selected folder bind index \Cp sidebar-prev bind index \Cn sidebar-next bind index \Co sidebar-open bind pager \Cp sidebar-prev bind pager \Cn sidebar-next bind pager \Co sidebar-open # ctrl-b toggles sidebar visibility macro index,pager \Cb 'toggle sidebar_visible' "toggle sidebar" # esc-m Mark new messages as read macro index m "T~N;WNT~O;WO\CT~T" "mark all messages read" # Collapsing threads macro index [ "" "collapse/uncollapse thread" macro index ] "" "collapse/uncollapse all threads" # threads containing new messages uncolor index "~(~N)" color index brightblue default "~(~N)" # new messages themselves uncolor index "~N" color index brightyellow default "~N" # GPG/PGP integration # this set the number of seconds to keep in memory the passphrase used to encrypt/sign set pgp_timeout=60 # automatically sign and encrypt set pgp_autosign # autosign all outgoing mails set pgp_replyencrypt # autocrypt replies to crypted set pgp_replysign # autosign replies to signed set pgp_auto_decode=yes # decode attachments #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/mail/spamassassin/local.cf #+END_SRC Uncomment *use_bayes*, *bayes_auto_learn* Save and exit, then run: #+BEGIN_SRC: bash service spamassassin restart #+END_SRC Now to add an address book: #+BEGIN_SRC: bash emacs ~/.muttrc #+END_SRC Append the following: #+BEGIN_SRC: bash set alias_file=~/.mutt-alias source ~/.mutt-alias set query_command= "abook --mutt-query '%s'" macro index,pager A "abook --add-email-quiet" "add the sender address to abook" #+END_SRC Then save and exit. #+BEGIN_SRC: bash touch ~/.mutt-alias #+END_SRC Finally you can then type *mutt* to get access to your email. Hence as a fallback, or if you prefer as the primary way of accessing email, you can ssh into the BBB and use the mutt command line email client. Ssh clients are available for all operating systems, and also you should be reasonably protected from passive surveillance between wherever you are and the BBB (although not between the BBB and the wider internet), which can be useful if you are for example using an Android tablet from a cafe or railway station. To use the address book system open an email and then to add the sender to the address list press the A key. It will ask you for an alias which may be used the next time you want to send a mail. Alternatively you may just edit the *~/.mutt-alias* file directly to add email addresses. Some useful keys to know are: | ESC / | Search for text within message contents | | "/" | Search for text within headers | | * | Move to the last message | | TAB | Move to the next unread message | | d | Delete a message | | u | Undelete a mail which is pending deletion | | $ | Delete all messages selected and check for new messages | | a | Add to the address book | | m | Send a new mail | | ESC-m | Mark all messages as having been read | | S | Mark a message as spam | | H | Mark a message as ham | | CTRL-b | Toggle side bar on/off | | CTRL-n | Next mailbox (on side bar) | | CTRL-p | Previous mailbox (on side bar) | | CTRL-o | Open mailbox (on side bar) | | ] | Expand or collapse all threads | | [ | Expand of collapse the current thread | | CTRL-k | Import a PGP/GPG public key | One of the most common things which you might wish to do is to send an email. To do this first press /m/ to create a new message. Enter the address to send to and the subject, then after a few seconds the Emacs editor will appear with a blank document. Type your email then press /CTRL-x CTRL-s/ to save it and /CTRL-x CTRL-c/ to exit. You will then see a summary of the email to be sent out. Press /y/ to send it and then enter your GPG key passphrase (the one you gave when creating a PGP/GPG key). The purpose of that is to add a signature which is a strong proof that the email was written by you and not by someone else. *** K9 Android client #+BEGIN_VERSE /The surveillance state is robust. It is robust politically, legally, and technically./ -- Bruce Schneier #+END_VERSE **** Incoming server settings * Select settings/account settings * Select Fetching mail/incoming server * Enter your username and password * IMAP server should be your domain name * Security: SSL/TLS (always) * Authentication: Plain * Port: 993 **** Outgoing (SMTP) server settings * Select settings/account settings * Select Sending mail/outgoing server * Set SMTP server to your domain name * Set Security to SSL/TLS (always) * Set port to 465 * Set authentication to PLAIN * Enter your username and password * Accept the SSL certificate **** Folders To view any new folders which you may have created using the /mailinglistrule/ script from your inbox press the *K9 icon* at the top left to access folders, then press the *menu button* and select *refresh folder list*. If your folder still doesn't show up then press the *menu button*, select *show folders* and select *all folders*. *** Webmail #+BEGIN_VERSE /Most of the information extracted is "content", such as recordings of phone calls or the substance of email messages./ -- From a 2013 Guardian article on GCHQ/NSA bulk internet data interception. #+END_VERSE For maximum speed and efficiency the recommended email client is Mutt, accessed via ssh, but non-technical people who aren't using an Android app are unlikely to want to use email in that manner. So it's a good idea to also have a webmail system installed, both for accessibility and as a fallback should ssh not be available due to port blocking. Install dependencies. #+BEGIN_SRC: bash apt-get install libapache2-mod-authz-unixgroup #+END_SRC Create a mysql database, specifying a password which should be a long random string generated with a password manager such as KeepassX. #+BEGIN_SRC: bash mysql -u root -p create database roundcubemail; CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'roundcubepassword'; GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube'@'localhost'; quit #+END_SRC Download roundcube. #+BEGIN_SRC: bash cd /tmp wget http://freedombone.uk.to/roundcubemail.tar.gz #+END_SRC Verify it. #+BEGIN_SRC: bash sha256sum roundcubemail.tar.gz e8a311b22a8e1f70abb72ed9551cc9233cf6c5221f1eebf1ae64974117e3148b roundcubemail.tar.gz #+END_SRC Extract the files. #+BEGIN_SRC: bash tar -xzvf roundcubemail.tar.gz export HOSTNAME=mydomainname.com cp -r roundcubemail-* /var/www/$HOSTNAME/htdocs/mail chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/mail/temp chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/mail/logs rm /var/www/$HOSTNAME/htdocs/mail/.htaccess #+END_SRC Edit your web site configuration. #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/$HOSTNAME #+END_SRC Within the 80 VirtualHost section add the following: #+BEGIN_SRC: bash deny from all #+END_SRC Within the 443 VirtualHost section add the following: #+BEGIN_SRC: bash Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all #+END_SRC Save and exit, then restart Apache. #+BEGIN_SRC: bash service apache2 restart #+END_SRC Now with a browser visit https://mydomainname.com/mail/installer. Scroll down and click "next". Give your webmail site a product name. The *spellcheck_engine* option being limited to Google is slightly concerning in terms of privacy and security, but seems not to be implemented. Change the *database password* to the password you gave when creating the MySql database above. Set *smtp_port* to 465. Click *create config* Click download to download the file. The config file which you downloaded should contain the following: #+BEGIN_SRC: bash $config['default_host'] = 'localhost'; $config['smtp_port'] = 465; $config['username_domain'] = ''; #+END_SRC In a terminal on your local machine (not logged into the BBB): #+BEGIN_SRC: bash cd ~/Downloads scp config.inc.php myusername@mydomainname.com:/home/myusername #+END_SRC Then in a terminal ssh'd into the BBB: #+BEGIN_SRC: bash mv /home/myusername/config.inc.php /var/www/$HOSTNAME/htdocs/mail/config chmod 755 /var/www/$HOSTNAME/htdocs/mail/config/config.inc.php #+END_SRC Click *continue*. Click *initialize database*. Under *Test SMTP config* you can use a [[mailinator.com]] address to check that mail can be sent. Now we can delete the installer. #+BEGIN_SRC: bash rm -rf /var/www/$HOSTNAME/htdocs/mail/installer #+END_SRC Now with a browser navigate to https://mydomainname.com/mail and log in. You'll notice that you may not be able to see any mailing list folders which you may have created earlier using the /mailinglistrule/ script. To make folders visible click on the cog-like settings icon at the bottom left of the screen then select *manage folders*. You will then be able to select which folders you wish to become visible. Make sure that the *Sent*, *spam* and *ham* folders are selected. Click on the *Mail* icon to go back to your main mail screen then click on the *Settings* icon at the top right of the screen and select *special folders*. Set *Junk* to *spam* then click the save button. Also select *identities* and make sure that your email address is correct. *** Thunderbird #+BEGIN_VERSE /Towards the end of 2012, we heard from the National Technical Assistance Centre (NTAC), a division of GCHQ and a liaison with the Home Office, [that] they wanted the keys to decrypt the customer data./ -- Brian Spector, on the shutting down of the PrivateSky encrypted email service #+END_VERSE Another common way in which you may want to access email is via Thunderbird. This may be especially useful if you're trying to convert former Windows users who may previously have been using some version of Outlook. The following instructions should be carried out on the client machines (laptop, etc), not on the BBB itself. **** Initial setup Install *Thunderbird* and *Enigmail*. How you do this just depends upon your distro and software manager or "app store". Open Thinderbird Select "*Skip this and use existing email*" Enter your name, email address (myusername@mydomainname.com) and the password for your user (the one from [[Add a user]]). You'll get a message saying "/Thunderbird failed to find the settings/" The settings should be as follows, substituting /mydomainname.com/ for your domain name and /myusername/ for the username given previously in [[Add a user]]. * Incoming: IMAP, mydomainname.com, 993, SSL/TLS, Normal Password * Outgoing: SMTP, mydomainname.com, 465, SSL/TLS, Normal Password * Username: myusername Click *Done*. Click *Get Certificate* and make sure "*permanently store this exception*" is selected", then click *Store Security Exception*. From OpenPGP setup select "*Yes, I would like the wizard to get me started*". If the wizard doesn't start automatically then "setup wizard" can be selected from OpenPGP on the menu bar. Select "*Yes, I want to sign all of my email*" Select "*No, I will create per-recipient rules*" Select "*yes*" to change default settings. **** If you have existing GPG key Export your GPG public and private keys. #+BEGIN_SRC: bash gpg --output ~/public_key.txt --armor --export KEY_ID gpg --output ~/private_key.txt --armor --export-secret-key KEY_ID #+END_SRC Select "*I have existing public and private keys*". Select your public and private GPG exported key files. Select the account which you want to use and click *Next*, *Next* and *Finish*. Remove your exported key files. #+BEGIN_SRC: bash shred -zu ~/public_key.txt shred -zu ~/private_key.txt #+END_SRC **** If you don't have any existing GPG or PGP key Select "*I want to create a new key pair*" Enter a passphrase and click *Next* a couple of times. Click *Generate Certificate* to generate a revocation certificate. Enter the passphrase which you gave previously. Click *Finish* From the menu select *OpenPGP* and then *Key Management*. Make sure that *Display all keys* is selected and then select your key. Select *Keyserver* on the menu and then *Upload Public Keys*. This will upload your public key to a key server so that others can find it. Select *File* from the menu then *Export keys to file*. Click on *Export Secret keys* and select a location to save them to. It's a good idea to save them to a USB stick which can then be removed from the computer and carried around on a keyring together with your physical keys. If you need to set up GPG or Thunderbird/Enigmail on others then this file will be used to import your keys. **** Using for the first time Click on the Thunderbird menu, which looks like three horizontal bars on the right hand side. Hover over *preferences* and then *Account settings*. Select *Synchronization & Storage*. Make sure that *Keep messages for this account on this computer* is unticked, then click *Ok*. Click on *Inbox*. Depending upon how much email you have it may take a while to import the subject lines. Note that when sending an email for the first time you will also need to accept the SSL certificate. Get into the habit of using email encryption and encourage others to do so. Remember that you may not think that your emails are very interesting but the Surveillance State is highly interested in them and will be actively trying to data mine your private life looking for "suspicious" patterns, regardless of whether you are guilty of any crime or not. **** Making folders visible By default you won't be able to see any folders which you may have created earlier using the /mailinglistrule/ script. To make folders visible select: *Menu*, hover over *Preferences*, select *Account Settings*, select *Server Settings* then click on the *Advanced* button. Make sure that "*show only subscribed folders*" is not checked. Then click the *ok* buttons. Folders will be re-scanned, which may take some time depending upon how much email you have, but your folders will then appear. ** Create Email folders and rules #+BEGIN_VERSE /Yes, the NSA set fire to the Internet but it’s the business models of Google, Facebook, etc, that provide the firewood. Trusting the companies supplying the firewood to be your fire fighters is naïve at best./ -- Aral Balkan #+END_VERSE *** Rules for mailing lists A common situation with email is that you may be subscribed to various mailing lists and want incoming email from those to be automatically grouped into a separate folder for each list. We can make a script to make adding mailing list rules easy: #+BEGIN_SRC: bash emacs /usr/bin/mailinglistrule #+END_SRC Add the following: #+BEGIN_SRC: bash #!/bin/bash MYUSERNAME=$1 MAILINGLIST=$2 SUBJECTTAG=$3 MUTTRC=/home/$MYUSERNAME/.muttrc PM=/home/$MYUSERNAME/.procmailrc LISTDIR=/home/$MYUSERNAME/Maildir/$MAILINGLIST if [ ! -d "$LISTDIR" ]; then mkdir -m 700 $LISTDIR mkdir -m 700 $LISTDIR/tmp mkdir -m 700 $LISTDIR/new mkdir -m 700 $LISTDIR/cur fi chown -R $MYUSERNAME:$MYUSERNAME $LISTDIR echo "" >> $PM echo ":0" >> $PM echo " * ^Subject:.*()\[$SUBJECTTAG\]" >> $PM echo "$LISTDIR/new" >> $PM chown $MYUSERNAME:$MYUSERNAME $PM if [ ! -f "$MUTTRC" ]; then cp /etc/Muttrc $MUTTRC chown $MYUSERNAME:$MYUSERNAME $MUTTRC fi PROCMAILLOG=/home/$MYUSERNAME/log if [ ! -d $PROCMAILLOG ]; then mkdir $PROCMAILLOG chown -R $MYUSERNAME:$MYUSERNAME $PROCMAILLOG fi #+END_SRC Save and exit, then make the script executable. #+BEGIN_SRC: bash chmod +x /usr/bin/mailinglistrule #+END_SRC Now we can add a new mailing list rule with the following, where /myusername/ is your username, /mailinglistname/ is the name of the mailing list (with no spaces) and /subjecttag/ is the tag which usually appears within square brackets in the subject line of emails from the list. #+BEGIN_SRC: bash mailinglistrule [myusername] [mailinglistname] [subjecttag] #+END_SRC Repeat this command for as many mailing lists as you need. Then edit your local Mutt configuration. #+BEGIN_SRC: bash emacs /home/myusername/.muttrc #+END_SRC Search for the *mailboxes* variable and add entries for the mailing lists you just created. For example: #+BEGIN_SRC: bash mailboxes = =Sent =mailinglistname #+END_SRC Then save and exit. *** Rules for specific email addresses You can also make a script which will allow you to move mail from specific email addresses to a folder. #+BEGIN_SRC: bash emacs /usr/bin/emailrule #+END_SRC Add the following: #+BEGIN_SRC: bash #!/bin/bash MYUSERNAME=$1 EMAILADDRESS=$2 MAILINGLIST=$3 MUTTRC=/home/$MYUSERNAME/.muttrc PM=/home/$MYUSERNAME/.procmailrc LISTDIR=/home/$MYUSERNAME/Maildir/$MAILINGLIST if [ ! -d "$LISTDIR" ]; then mkdir -m 700 $LISTDIR mkdir -m 700 $LISTDIR/tmp mkdir -m 700 $LISTDIR/new mkdir -m 700 $LISTDIR/cur fi chown -R $MYUSERNAME:$MYUSERNAME $LISTDIR echo "" >> $PM echo ":0" >> $PM echo " * ^From: $EMAILADDRESS" >> $PM echo "$LISTDIR/new" >> $PM chown $MYUSERNAME:$MYUSERNAME $PM if [ ! -f "$MUTTRC" ]; then cp /etc/Muttrc $MUTTRC chown $MYUSERNAME:$MYUSERNAME $MUTTRC fi PROCMAILLOG=/home/$MYUSERNAME/log if [ ! -d $PROCMAILLOG ]; then mkdir $PROCMAILLOG chown -R $MYUSERNAME:$MYUSERNAME $PROCMAILLOG fi #+END_SRC Save and exit, then make the script executable. #+BEGIN_SRC: bash chmod +x /usr/bin/emailrule #+END_SRC Then to add a particular email address to a folder run the command: #+BEGIN_SRC: bash emailrule [myusername] [emailaddress] [foldername] #+END_SRC If you want any mail from the given email address to be deleted then set the /foldername/ to /Trash/. To ensure that the folder appears within Mutt. #+BEGIN_SRC: bash emacs /home/myusername/.muttrc #+END_SRC Search for the *mailboxes* variable and add entries for the mailing lists you just created. For example: #+BEGIN_SRC: bash mailboxes = =Sent =foldername #+END_SRC Then save and exit. ** Install a Blog #+BEGIN_VERSE /When society gives censors wide and vague powers they never confine themselves to deserving targets. They are not snipers, but machine-gunners. Allow them to fire at will, and they will hit anything that moves./ -- Nick Cohen #+END_VERSE Wordpress is the most popular blogging platform, but in practice I found it to be high maintenance with frequent security updates and breakages. More practical for a home server is Flatpress. Flatpress doesn't use a MySql database, just text files, and so is easy to relocate or reinstall. See the [[Setting up a web site]] section of this document for details of how to configure the web server for your blog's domain. Download flatpress. #+BEGIN_SRC: bash cd /tmp wget http://freedombone.uk.to/flatpress.tar.gz #+END_SRC Verify the download: #+BEGIN_SRC: bash sha256sum flatpress.tar.gz 6312a49aab5aabd6371518dcaf081f489dff04d001bc34b4fe3f2a81170bbd4e flatpress.tar.gz #+END_SRC Extract and install it. #+BEGIN_SRC: bash tar -xzvf flatpress.tar.gz cd flatpress-* cp -r * /var/www/$HOSTNAME/htdocs cd .. rm -rf flatpress-* rm -f flatpress.tar.gz #+END_SRC Now visit your blog and follow the setup instructions, which are quite minimal. Various themes and addons are available from the Flatpress web site, http://www.flatpress.org ** Install an IRC server #+BEGIN_VERSE /Give me the liberty to know, to utter, and to argue freely according to conscience, above all liberties./ -- John Milton #+END_VERSE *** Base install IRC is not an especially secure system. For instance, even with the best encryption it's easily possible to imagine IRC-specific cribs which could be used by cryptanalytic systems. However, we'll try to implement it in a manner which will at least give the surveillance aparatus something to ponder over. First install some dependencies. #+BEGIN_SRC: bash apt-get update apt-get install build-essential openssl libssl-dev debhelper dpatch docbook-to-man flex bison libpcre3-dev #+END_SRC Then get the source code for ircd-hybrid. #+BEGIN_SRC: bash cd /tmp mkdir hybrid cd hybrid apt-get source ircd-hybrid #+END_SRC Modify the source code to include SSL security. #+BEGIN_SRC: bash emacs ircd-hybrid-*/debian/rules #+END_SRC Beneath MAXCLIENTS add the line: #+BEGIN_SRC: bash USE_OPENSSL = 1 #+END_SRC Then save and exit. Now we can build the debian package for ircd-hybrid and install it. #+BEGIN_SRC: bash cd ircd-hybrid-* dpkg-buildpackage -rfakeroot -uc -b cd .. dpkg -i ircd-hybrid_*.deb #+END_SRC Customise the configuration to your system, giving it a name and description. In this example 192.168.1.60 is the static IP address on the BBB on the local network, so change that if necessary. #+BEGIN_SRC: bash emacs /etc/ircd-hybrid/ircd.conf #+END_SRC Set *name* to the name of your server, and set a description. Set a *network_name* and *network_desc*. The network name should not contain any spaces. Set max_clients to 20, or however many you expect that you'll typically need. Within the admin section set your *name* and *email*. Within the *listen* section set host to your fixed IP address (in the earlier sections it was 192.168.1.60). Within the *auth* section set user = "*@192.168.1.60" - or whatever the fixed IP address of the BBB is on your network. Uncomment the first *connect* section and set the *name* to your domain name, the *host* to 192.168.1.60 and the send/accept passwords to a password which you use to log into the IRC server. Also set the *port* to 6670. Save and exit, then restart the IRC server. Open port 6670 on your internet router and forward it to the BBB. Ensure that the configuration is only readable by the root user. #+BEGIN_SRC: bash chmod 600 /etc/ircd-hybrid/ircd.conf #+END_SRC *** Channel management To to install channel management tools. #+BEGIN_SRC: bash cd /tmp wget http://freedombone.uk.to/hybserv_1.9.4-1_armhf.deb #+END_SRC Verify it. #+BEGIN_SRC: bash sha256sum hybserv_1.9.4-1_armhf.deb 41bf4eb6e24c87610a80bc14db1103a57484835510eea7e4ba9709c523318615 hybserv_1.9.4-1_armhf.deb #+END_SRC Install it. #+BEGIN_SRC: bash dpkg -i hybserv_1.9.4-1_armhf.deb #+END_SRC Make a md5 version of the password for the IRC server operator. #+BEGIN_SRC: bash /usr/bin/mkpasswd #+END_SRC Edit the ircd-hybrid configuration. #+BEGIN_SRC: bash emacs /etc/ircd-hybrid/ircd.conf #+END_SRC Enter the md5 password which you previously created within the /operator/ section. Also change /user/ to: #+BEGIN_SRC: bash user = "*@*"; #+END_SRC Then save and exit. #+BEGIN_SRC: bash emacs /etc/hybserv/hybserv.conf #+END_SRC Change #MD5 PASSWORD HERE# to the md5 operator password created earlier, mydomainname.com to your domain name and mysendacceptpassword to the send/accept password specified within /ircd.conf/. #+BEGIN_SRC: bash A:mynickname N:irc.mydomainname.com:Hybrid services O:*@*:#MD5 PASSWORD HERE#:root:segj (comment out other Q: lines) S:mysendacceptpassword:192.168.1.60:6670 (remove the other two services) #+END_SRC Also remove the line *#NOT-EDITED#*, then save and exit. Now we need to restart the ircd and hybrid server to make things work: #+BEGIN_SRC: bash service ircd-hybrid restart service hybserv start #+END_SRC *** Usage with Irssi On another computer (not the BBB). #+BEGIN_SRC: bash sudo apt-get install irssi irssi-plugin-otr irssi-plugin-xmpp irssi #+END_SRC Connect to the IRC and identify yourself as an operator. Here /mynetwork/ should be the same as *network_name* specified earlier within /ircd.conf/. The network name is something equivalent to "freenode". #+BEGIN_SRC: bash /network add -nick mynick mynetwork /channel add -auto #mychannel mynetwork channelpassword /server add -auto -network mynetwork -ssl mydonainname.com 6670 mysendacceptpassword /connect mydomainname.com /join #mychannel /msg -servername chanserv REGISTER #mychannel channelpassword /msg -servername chanserv set #mychannel mlock +k channelpassword #+END_SRC If you edit the irssi config file: #+BEGIN_SRC: bash emacs ~/.irssi/config #+END_SRC It should look something like this: #+BEGIN_SRC: bash { address = "mydomainname.com"; chatnet = "mynetwork"; port = "6670"; password = "mysendacceptpassword"; use_ssl = "yes"; ssl_verify = "no"; autoconnect = "yes"; }, #+END_SRC If you're not using a self-signed certificate (self-signed is the default) then you can set *ssl_verify* to "yes". By default irssi will use UTC time. An example of setting to some other time zone is as follows: #+BEGIN_SRC: bash echo "load perl" >> ~/.irssi/startup echo "script exec $ENV{'TZ'}='Europe/London';" >> ~/.irssi/startup #+END_SRC Also enable /Off The Record/ (OTR) messaging. #+BEGIN_SRC: bash echo "load otr" >> ~/.irssi/startup #+END_SRC By default Irssi does not look especially attractive. To improve it's looks: #+BEGIN_SRC: bash cd ~/.irssi wget http://freedombone.uk.to/irssi/xchat.theme mkdir ~/.irssi/scripts mkdir ~/.irssi/scripts/autorun cd ~/.irssi/scripts/autorun wget http://freedombone.uk.to/irssi/xchatnickcolor.pl wget http://freedombone.uk.to/irssi/adv_windowlist.pl #+END_SRC Verify the files: #+BEGIN_SRC: bash sha256sum ~/.irssi/xchat.theme 7a84130ad55aabd0b043a03b013628438e6c7f82a58e15267633bc7eb443e60b sha256sum ~/.irssi/scripts/autorun/xchatnickcolor.pl 8293e867a22d42ce5a28cd755237509b6f3587fd2b21d7d20af4a832081610ca sha256sum ~/.irssi/scripts/autorun/adv_windowlist.pl e4dd8f6d384bf4f2d0ab5ccf06df06e4a69d2647b08d37c8fc6cfd9326688395 #+END_SRC Then run Irssi and enter the commands: #+BEGIN_SRC: bash /set theme xchat /statusbar window remove act /set awl /set awl_block -14 /set awl_display_key $Q%K|$N%n $H$C$S /set awl_display_key_active $Q%K|$N%n $H%U$C%n$S /set awl_display_nokey [$N]$H$C$S /run autorun/adv_windowlist.pl /set awl_viewer off /save #+END_SRC *** Using irssi with Off The Record messaging (OTR) Once you're running irssi then you can enable OTR with: #+BEGIN_SRC: bash /statusbar window add otr /otr genkey mynick@network (for example mynick@irc.freenode.net) #+END_SRC Then to see your OTR fingerprint: #+BEGIN_SRC: bash /otr info #+END_SRC And to trust or distrust someone else's fingerprint. #+BEGIN_SRC: bash /otr trust [fingerprint] /otr distrust [fingerprint] #+END_SRC *** Usage with XChat Within the network list click, *Add* and enter your domain name then click *Edit*. Select the entry within the servers box, then enter *mydomainname.com/6670* and press *Enter*. Uncheck *use global user information*. Enter first and second nicknames and check *auto connect to this network on startup*. Check *use SSL* and *accept invalid SSL certificate*. Enter some favourite channels and within *server password* enter /mysendacceptpassword/ which you defined earlier when setting up the server. Click *close* and then *connect*. *** Install Irssi as a daemon It may be useful to run a persistent Irssi session on the BBB. This will enable you to log in and see any entries which occurred previously so that you don't find yourself in an argument without knowledge of what was said in the last few minutes or hours. This feature only works for a single user on the BBB - typically the administrator. First install some prerequisites. #+BEGIN_SRC: bash apt-get install irssi irssi-plugin-otr irssi-plugin-xmpp screen #+END_SRC Create an initialisation script. #+BEGIN_SRC: bash emacs /etc/init.d/irssid #+END_SRC Add the following: #+BEGIN_SRC: bash #!/bin/bash ### BEGIN INIT INFO # Provides: irssid # Required-Start: $network # Required-Stop: $network # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start irssi daemon within screen session at boot time # Description: This init script will start an irssi session under screen using the settings provided in /etc/irssid.conf ### END INIT INFO # Include the LSB library functions . /lib/lsb/init-functions # Setup static variables configFile='/etc/irssid.conf' daemonExec='/usr/bin/screen' daemonArgs='-D -m' daemonName="$(basename "$daemonExec")" pidFile='/var/run/irssid.pid' # # Checks if the environment is capable of running the script (such as # availability of programs etc). # # Return: 0 if the environmnt is properly setup for execution of init script, 1 # if not all conditions have been met. # function checkEnvironment() { # Verify that the necessary binaries are available for execution. local binaries=(irssi screen) for bin in "${binaries[@]}"; do if ! which "$bin" > /dev/null; then log_failure_msg "Binary '$bin' is not available. Please install \ package containing it." exit 5 fi done } # # Checks if the configuration files are available and properly setup. # # Return: 0 if irssid if properly configured, 1 otherwise. # function checkConfig() { # Make sure the configuration file has been created if ! [[ -f $configFile ]]; then log_failure_msg "Please populate the configuration file '$configFile' \ before running." exit 6 fi # Make sure the required options have been set local reqOptions=(user group session) for option in "${reqOptions[@]}"; do if ! grep -q -e "^[[:blank:]]*$option=" "$configFile"; then log_failure_msg "Mandatory option '$option' was not specified in \ '$configFile'" exit 6 fi done } # # Loads the configuration file and performs any additional configuration steps. # function configure() { . "$configFile" daemonArgs="$daemonArgs -S $session irssi" [[ -n $args ]] && daemonArgs="$daemonArgs $args" daemonCommand="$daemonExec $daemonArgs" } # # Starts the daemon. # # Return: LSB-compliant code. # function start() { start-stop-daemon --start -v -b -x /bin/su -p /tmp/irssi.screen.session -m --chdir /home/$user -- - $user -c "screen -D -m -S irssi -- irssi" 1>>/log.irssi } # # Stops the daemon. # # Return: LSB-compliant code. # function stop() { start-stop-daemon --stop -x /bin/su -p /tmp/irssi.screen.session -q } checkEnvironment checkConfig configure case "$1" in start) log_daemon_msg "Starting daemon" "irssid" start && log_end_msg 0 || log_end_msg $? ;; stop) log_daemon_msg "Stopping daemon" "irssid" stop && log_end_msg 0 || log_end_msg $? ;; restart) log_daemon_msg "Restarting daemon" "irssid" stop start && log_end_msg 0 || log_end_msg $? ;; force-reload) log_daemon_msg "Restarting daemon" "irssid" stop start && log_end_msg 0 || log_end_msg $? ;; status) status_of_proc -p "$pidFile" "$daemonExec" screen && exit 0 || exit $? ;; *) echo "irssid (start|stop|restart|force-reload|status|help)" ;; esac #+END_SRC Save and exit. #+BEGIN_SRC: bash chmod +x /etc/init.d/irssid #+END_SRC Create a configuration file, replacing /myusername/ with your username. #+BEGIN_SRC: bash emacs /etc/irssid.conf #+END_SRC #+BEGIN_SRC: bash # # Configuration file for irssid init script # # Mandatory options: # # user - Specify user for running irssi. # group - Specify group for running irssi. # session - Specify screen session name to be used for irssi. # # Non-mandatory options: # # args - Pass additional arguments to irssi. # user='myusername' group='irssi' session='irssi' args='--config /home/myusername/.irssi/config' #+END_SRC Save and exit. Then add your user to the irssi group and start the daemon. #+BEGIN_SRC: bash groupadd irssi usermod -aG irssi myusername update-rc.d irssid defaults chown -R myusername:irssi /home/myusername/.irssi service irssid start #+END_SRC Create a script to make running IRC on the server easier. #+BEGIN_SRC: bash emacs /usr/bin/irc #+END_SRC Add the following: #+BEGIN_SRC: bash #!/bin/bash screen -r irssi #+END_SRC Save and exit. #+BEGIN_SRC: bash chmod +x /usr/bin/irc chown myusername:myusername /usr/bin/irc #+END_SRC Then to subsequently access irssi log into the BBB using ssh and type: #+BEGIN_SRC: bash irc #+END_SRC ** Install a Jabber/XMPP server #+BEGIN_VERSE /Well heck, it isn’t that hard to write an instant messaging system./ --Jeremie Miller #+END_VERSE *** The Server Generate a SSL certificate. #+BEGIN_SRC: bash openssl ecparam -out /etc/ssl/private/xmpp.pem -name prime256v1 openssl genpkey -paramfile /etc/ssl/private/xmpp.pem -out /etc/ssl/private/xmpp.key openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650 #+END_SRC The above uses a Diffie-Hellman elliptic curve (ECDH P-256) algorithm. It is apparent that amongst crypographers there are differences of opinion about the security of elliptic curves, so if you prefer there is also a more traditional RSA way to generate an SSL certificate: #+BEGIN_SRC: bash openssl genrsa -out /etc/ssl/private/xmpp.key 4096 openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650 #+END_SRC Change permissions. #+BEGIN_SRC: bash chmod 600 /etc/ssl/private/xmpp.key chmod 600 /etc/ssl/certs/xmpp.crt chown prosody:prosody /etc/ssl/private/xmpp.key chown prosody:prosody /etc/ssl/certs/xmpp.crt #+END_SRC Install Prosody. #+BEGIN_SRC: bash apt-get install prosody cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua emacs /etc/prosody/conf.avail/xmpp.cfg.lua #+END_SRC Change the *VirtualHost* name to your domain name and remove the line below it. Set the ssl section to: #+BEGIN_SRC: bash ssl = { key = "/etc/ssl/private/xmpp.key"; certificate = "/etc/ssl/certs/xmpp.crt"; } #+END_SRC And also append the following: #+BEGIN_SRC: bash modules_enabled = { "bosh"; -- Enable mod_bosh "tls"; -- Enable mod_tls } c2s_require_encryption = true s2s_require_encryption = true #+END_SRC Save and exit. Create a symbolic link. #+BEGIN_SRC: bash ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua #+END_SRC Add a user. You will be prompted to specify a password. You can repeat the process for as many users as needed. This will also be your Jabber ID (JID). #+BEGIN_SRC: bash prosodyctl adduser myusername@mydomainname.com #+END_SRC Restart the server #+BEGIN_SRC: bash service prosody restart #+END_SRC On your internet router/firewall open ports 5222, 5223, 5269, 5280 and 5281 and forward them to the BBB. It's possible to test that your XMPP server is working at https://xmpp.net. It may take several minutes and you'll get a low score because of the self-signed certificate, but it will at least verify that your server is capable of communicating. *** Managing users To add a user: #+BEGIN_SRC: bash prosodyctl adduser myusername@mydomainname.com #+END_SRC To change a user password: #+BEGIN_SRC: bash prosodyctl passwd myusername@mydomainname.com #+END_SRC To remove a user: #+BEGIN_SRC: bash prosodyctl deluser myusername@mydomainname.com #+END_SRC Report the status of the XMPP server: #+BEGIN_SRC: bash prosodyctl status #+END_SRC *** Using with Jitsi Jitsi is the recommended communications client for desktop or laptop systems, since it includes the /off the record/ (OTR) feature which provides some additional security beyond the usual SSL certificates. Jitsi can be downloaded from https://jitsi.org/ On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu. Click *Add* to add a new user, then enter the Jabber ID which you previously specified with /prosodyctl/ when setting up the XMPP server. Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online). From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security. When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select *View Certificate* and enable the checkbox to trust the certificate, then select *Continue Anyway*. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer. You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR. *** Using with Ubuntu The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to. Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*. Enter your username (myusername@mydomainname.com) and password. Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*. *** Using with Android There are a few XMPP clients available on Android. Ideally choose ones which support off-the-record messaging. Here are some examples. **** Xabber Install [[https://f-droid.org/][F-Droid]] Search for and install Xabber. Add an account and enter your Jabber/XMPP ID and password. From the menu select *Settings* then *Security* then *OTR mode*. Set the mode to *Required*. Make sure that *Check server certificate* is not checked. Go back to the initial screen and then using the menu you can add contacts and begin chatting. Both parties will need to go through the off-the-record question and answer verification before the chat can begin, but that only needs to be done once for each person you're chatting with. **** Gibberbot Install [[https://f-droid.org/][F-Droid]] Search for and install Gibberbot, otherwise known as ChatSecure. From the menu open *Accounts* Select *Add account* Change the server port from 0 to 5222 Done Accept unknown certificate? Select *Always* Go back to the initial screen and then using the menu you can add contacts and begin chatting. ** Social Networking #+BEGIN_VERSE /Facebook is not your friend, it is a surveillance engine./ -- Richard Stallman, Free Software Foundation #+END_VERSE *** Friendica **** Installation See [[Setting up a web site]] for details of how to update the Apache configuration for your Friendica site. You should have a separate domain name specifically to run Friendica on. It can't be installed in a subdirectory on a domain used for something else. Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Friendica via HTTPS, so to prevent anyone from accidentally logging in insecurely: #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/myfriendicadomainname.com #+END_SRC Replace the section which begins with ** with the following, replacing /myusername@mydomainname.com/ with your email address and /myfriendicadomainname.com/ with your Friendica domain name: #+BEGIN_SRC: bash ServerAdmin myusername@mydomainname.com ServerName myfriendicadomainname.com RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} #+END_SRC Save and exit, then restart the apache server. #+BEGIN_SRC: bash service apache2 restart #+END_SRC Now install some dependencies. #+BEGIN_SRC: bash apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt #+END_SRC Enter an admin password for MySQL. Reduce the memory use of mysql by using the "small" configuration. #+BEGIN_SRC: bash cp /usr/share/doc/mysql-server-5.5/examples/my-small.cnf /etc/mysql/my.cnf #+END_SRC Create a mysql database. #+BEGIN_SRC: bash mysql -u root -p create database friendica; CREATE USER 'friendicaadmin'@'localhost' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON friendica.* TO 'friendicaadmin'@'localhost'; quit #+END_SRC You may need to fix Git SSL problems. #+BEGIN_SRC: bash git config --global http.sslVerify true apt-get install ca-certificates cd ~/ emacs .gitconfig #+END_SRC The .gitconfig file should look something like this: #+BEGIN_SRC: bash [http] sslVerify = true sslCAinfo = /etc/ssl/certs/ca-certificates.crt [user] email = myusername@mydomainname.com name = yourname #+END_SRC Get the source code. #+BEGIN_SRC: bash export HOSTNAME=myfriendicadomainname.com cd /var/www/$HOSTNAME mv htdocs htdocs_old git clone https://github.com/friendica/friendica.git htdocs chmod -R 755 htdocs chown -R www-data:www-data htdocs chown -R www-data:www-data htdocs/view/smarty3 git clone https://github.com/friendica/friendica-addons.git htdocs/addon #+END_SRC Now visit the URL of your site and you should be taken through the rest of the installation procedure. If you have trouble with "allow override" ensure that "AllowOverride" is set to "all" in your Apache settings for the site (within /etc/apache2/sites-available) and then restart the apache2 service. Install the poller. #+BEGIN_SRC: bash emacs /etc/crontab #+END_SRC and append the following, changing /myfriendicadomainname.com/ to whatever your Friendica domain is. #+BEGIN_SRC: bash */10 * * * * root cd /var/www/myfriendicadomainname.com/htdocs; /usr/bin/timeout 120 /usr/bin/php include/poller.php #+END_SRC Save and exit, then restart cron. #+BEGIN_SRC: bash service cron restart #+END_SRC You can improve the speed of Friendica database searches by adding the following indexes: #+BEGIN_SRC: bash mysql -u root -p use friendica; CREATE INDEX `uri_received` ON item(`uri`, `received`); CREATE INDEX `received_uri` ON item(`received`, `uri`); CREATE INDEX `contact-id_created` ON item(`contact-id`, created); CREATE INDEX `uid_network_received` ON item(`uid`, `network`, `received`); CREATE INDEX `uid_parent` ON item(`uid`, `parent`); CREATE INDEX `uid_received` ON item(`uid`, `received`); CREATE INDEX `uid_network_commented` ON item(`uid`, `network`, `commented`); CREATE INDEX `uid_title` ON item(uid, `title`); CREATE INDEX `created_contact-id` ON item(`created`, `contact-id`); quit #+END_SRC Make sure that Friendica doesn't use too much memory. #+BEGIN_SRC: bash emacs /var/www/$HOSTNAME/htdocs/.htaccess #+END_SRC Append the following: #+BEGIN_SRC: bash php_value memory_limit 32M #+END_SRC The save ane exit. **** Backups Make sure that the database gets backed up. By using cron if anything goes wrong then you should be able to recover the database either from the previous day or the previous week. #+BEGIN_SRC: bash emacs /etc/cron.daily/friendicabackup #+END_SRC Enter the following #+BEGIN_SRC: bash #!/bin/sh MYSQL_PASSWORD= umask 0077 # Backup the database mysqldump --password=$MYSQL_PASSWORD friendica > /var/backups/friendica_daily.sql # Make the backup readable only by root chmod 600 /var/backups/friendica_daily.sql #+END_SRC Save and exit. #+BEGIN_SRC: bash chmod 600 /etc/cron.daily/friendicabackup chmod +x /etc/cron.daily/friendicabackup emacs /etc/cron.weekly/friendicabackup #+END_SRC Enter the following #+BEGIN_SRC: bash #!/bin/sh MYSQL_PASSWORD= umask 0077 # records go back a couple of weeks cp -f /var/backups/friendica_weekly.sql /var/backups/friendica_2weekly.sql # Backup the database mysqldump --password=$MYSQL_PASSWORD friendica > /var/backups/friendica_weekly.sql # Make the backup readable only by root chmod 600 /var/backups/friendica_weekly.sql #+END_SRC Save and exit. #+BEGIN_SRC: bash chmod 600 /etc/cron.weekly/friendicabackup chmod +x /etc/cron.weekly/friendicabackup #+END_SRC **** Recommended configuration ***** Admin To get to the admin settings you will need to be logged in with the admin email address which you specified at the beginning of the installation procedure. Depending upon the theme which you're using "/admin/" will be available either as an icon or on a drop down menu. Under the *plugins* section the main one which you may wish to enable is the NSFW plugin. With that enabled if a post contans the #NSFW tag then it will appear minimised by default and you will need to click a button to open it. Under the *themes* section select a few themes, including mobile themes which are suitable for phones or tablets. Under the *site* section give your Friendica node a name other than "/my friend network/", you can change the icon and banner text and set the default mobile theme typically to /frost-mobile/. If you don't want your node to host a lot of accounts for people you don't know then you may want to set the register policy to "/requires approval/". For security it's probably a good idea only to host accounts for people who you actually know, rather than random strangers. Also be aware that the Beaglebone does not have a great deal of computational power or bandwidth and will not function well if there are hundreds of users using your node. If you're not federating with Diaspora or other sites then you may wish to select "/only allow Friendica contacts/". That improves the security of the system, since communication between Friendica nodes is always encrypted separately and in addition to the usual SSL encryption layer - which makes life interesting for the Surveillance State and at least keeps those cryptanalysts employed. It's probably a good idea to enable "/private posts by default for new users/" and also "/don't include post content in email notifications/". Since traditional email isn't a secure system and is easily vulnerable to attack by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]]. ***** Settings Each user has their own customisable settings, typically available either via an icon or by an entry on a drop down menu. Under *additional features* enable "/richtext editor/", "/post preview/", "/group filter/", "/network filter/", "/edit sent posts/" and "/dislike posts/". Under *display settings* select your desktop and mobile themes. Once you have connected to enough friends it's also a good idea to use the "/export personal data/" option from here. This will save a file to your local system, which you can import into another friendica node if necessary. **** To access from an Android device ***** App Open a browser on your device and go to https://f-droid.org/ then download and install the F-Droid apk. If you then open F-Droid you can search for and install the Friendica app. If you are using a self-signed certificate then at the login screen scroll down to the bottom, select the SSL settings then scroll down and disable SSL certificate checks. You will then be able to log in using https, which at least gives you some protection via the encryption. More information about the Friendica app can be found on http://friendica-for-android.wiki-lab.net/ ***** Mobile Theme Another way to access Friendica from a mobile device is to just use the web browser. If you have selected a mobile theme within your settings then when viewing from an Android system the mobile theme will be displayed. *** Movim #+BEGIN_VERSE /The way we communicate with others and with ourselves ultimately determines the quality of our lives/ -- Anthony Robbins #+END_VERSE Movim is another social networking system based around the XMPP protocol. You will need to have previously [[Install a Jabber/XMPP server][installed the Jabber/XMPP server]]. Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Movim via HTTPS, so to prevent anyone from accidentally logging in insecurely: #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/mydomainname.com #+END_SRC Within the section which begins with ** add the following: #+BEGIN_SRC: bash deny from all #+END_SRC Within the section which begins with ** add the following: #+BEGIN_SRC: bash Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all #+END_SRC Save and exit, then restart the apache server. #+BEGIN_SRC: bash service apache2 restart #+END_SRC Download the source. #+BEGIN_SRC: bash cd /tmp wget http://freedombone.uk.to/movim.tar.gz #+END_SRC Verify it. #+BEGIN_SRC: bash sha256sum movim.tar.gz 2740ddbedf6cefcc2934759374376643b6cdea4fb7f944ec25098a6868cb499e movim.tar.gz #+END_SRC Install it. #+BEGIN_SRC: bash tar -xzvf movim.tar.gz export HOSTNAME=mydomainname.com cp -r movim-* /var/www/$HOSTNAME/htdocs/movim chmod 755 /var/www/$HOSTNAME/htdocs/movim chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/movim #+END_SRC Install some MySql prerequisites. #+BEGIN_SRC: bash apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt #+END_SRC If necessary, enter an admin password for MySQL. Reduce the memory use of mysql by using the "small" configuration. #+BEGIN_SRC: bash cp /usr/share/doc/mysql-server-5.5/examples/my-small.cnf /etc/mysql/my.cnf #+END_SRC Create a mysql database. #+BEGIN_SRC: bash mysql -u root -p create database movim; CREATE USER 'movimadmin'@'localhost' IDENTIFIED BY 'movimadminpassword'; GRANT ALL PRIVILEGES ON movim.* TO 'movimadmin'@'localhost'; quit #+END_SRC With a web browser navigate to: https://mydomainname.com/movim/admin Enter /admin/ as the username and /password/ as the password. Click on /General Settings/ and alter the administrator username to /movimadmin/ and password to some long random string (using a password manager such as KeepassX). Change the /Environment/ from /Development/ to /Production/. The /BOSH URL/ should be http://localhost:5280/http-bind (TODO: should this be https://localhost:5281/http-bind and if so do certificate warnings need to be disabled?) Click /Submit/ followed by /Resend/. Click on /Database Settings/ and alter the MySql movim database username to /movimadmin/ and password to the password you specified in the previous step. Click /Submit/ followed by /Resend/. If you get a lot of orange warnings about database fields being created then hit /Submit/ again until you see "Movim database is up to date". If everything on all three tabs looks green then you are ready to go. Click on the Movim logo at the top left and then log in with your Jabber ID (JID). *** Red Matrix **** Introduction Red Matrix is the current version of the Friendica social networking system. It's more general than Friendica in that it's designed as a generic communication system based around a protocol called "zot". At the time of writing in early 2014 Red Matrix remains at an alpha stage of development and so it's not advised that you install it unless you're willing to put up with bugs and frustrations. In the large majority of cases it's better to stick with Friendica for now. **** Prerequisites The main problem with Red Matrix is that in order to install it you will need to have purchased a domain name (i.e. not a FreeDNS subdomain) and a SSL certificate for it. You could join some other Red Matrix server, but this suffers from "/The Levison Problem/" in which some goons show up with a gagging order demanding coppies of the SSL private key. In that scenario unless the owner of the server is exceptionally brave users may never be informed that the site has been compromised or that there is interception hardware attached to the server. Joining another server defeats the object of being digitally self-sufficient and raises legal question marks about the ownership of data which you might upload to a server which doesn't belong to you. **** Installation See [[Setting up a web site]] for details of how to update the Apache configuration for your Red Matrix site. You should have a separate domain name specifically to run Red Matrix on. It can't be installed in a subdirectory on a domain used for something else. Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Red Matrix via HTTPS, so to prevent anyone from accidentally logging in insecurely: #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/mydomainname.com #+END_SRC Replace the section which begins with ** with the following: #+BEGIN_SRC: bash ServerAdmin myusername@mydomainname.com ServerName myredmatrixdomainname.com RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} #+END_SRC Save and exit, then restart the apache server. #+BEGIN_SRC: bash service apache2 restart #+END_SRC Now install some dependencies. #+BEGIN_SRC: bash apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt #+END_SRC Enter an admin password for MySQL. Reduce the memory use of mysql by using the "small" configuration. #+BEGIN_SRC: bash cp /usr/share/doc/mysql-server-5.5/examples/my-small.cnf /etc/mysql/my.cnf #+END_SRC Create a mysql database. #+BEGIN_SRC: bash mysql -u root -p create database redmatrix; CREATE USER 'redmatrixadmin'@'localhost' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON redmatrix.* TO 'redmatrixadmin'@'localhost'; quit #+END_SRC You may need to fix Git SSL problems. #+BEGIN_SRC: bash git config --global http.sslVerify true apt-get install ca-certificates cd ~/ emacs .gitconfig #+END_SRC The .gitconfig file should look something like this: #+BEGIN_SRC: bash [http] sslVerify = true sslCAinfo = /etc/ssl/certs/ca-certificates.crt [user] email = myusername@mydomainname.com name = yourname #+END_SRC Get the source code. #+BEGIN_SRC: bash export HOSTNAME=mydomainname.com cd /var/www/$HOSTNAME rm -rf htdocs git clone https://github.com/friendica/red.git htdocs chmod -R 755 htdocs chown -R www-data:www-data htdocs mkdir htdocs/view/tpl/smarty3 chmod 777 htdocs/view/tpl chmod 777 htdocs/view/tpl/smarty3 git clone https://github.com/friendica/red-addons.git htdocs/addon #+END_SRC Now visit the URL of your site and you should be taken through the rest of the installation procedure. Note that this may take a few minutes so don't be concerned if it looks as if it has crashed - just leave it running. If you have trouble with "allow override" ensure that "AllowOverride" is set to "all" in your Apache settings for the site (within /etc/apache2/sites-available) and then restart the apache2 service. Install the poller. #+BEGIN_SRC emacs /etc/crontab #+END_SRC and append the following, changing mydomainname.com to whatever your domain is. #+BEGIN_SRC 12,22,32,42,52 * * * * root cd /var/www/apespace.org/htdocs; /usr/bin/timeout 240 /usr/bin/php include/poller.php #+END_SRC Save and exit, then restart cron. #+BEGIN_SRC: bash service cron restart #+END_SRC **** Backups Make sure that the database gets backed up. By using cron if anything goes wrong then you should be able to recover the database either from the previous day or the previous week. #+BEGIN_SRC: bash emacs /etc/cron.daily/redmatrixbackup #+END_SRC Enter the following #+BEGIN_SRC: bash #!/bin/sh MYSQL_PASSWORD= umask 0077 # Backup the database mysqldump --password=$MYSQL_PASSWORD redmatrix > /var/backups/redmatrix_daily.sql # Make the backup readable only by root chmod 600 /var/backups/redmatrix_daily.sql #+END_SRC Save and exit. #+BEGIN_SRC: bash chmod 600 /etc/cron.daily/redmatrixbackup chmod +x /etc/cron.daily/redmatrixbackup emacs /etc/cron.weekly/redmatrixbackup #+END_SRC Enter the following #+BEGIN_SRC: bash #!/bin/sh MYSQL_PASSWORD= umask 0077 # records go back a couple of weeks cp -f /var/backups/redmatrix_weekly.sql /var/backups/redmatrix_2weekly.sql # Backup the database mysqldump --password=$MYSQL_PASSWORD redmatrix > /var/backups/redmatrix_weekly.sql # Make the backup readable only by root chmod 600 /var/backups/redmatrix_weekly.sql #+END_SRC Save and exit. #+BEGIN_SRC: bash chmod 600 /etc/cron.weekly/redmatrixbackup chmod +x /etc/cron.weekly/redmatrixbackup #+END_SRC **** To access from an Android device ***** App Open a browser on your device and go to https://f-droid.org/ then download and install the F-Droid apk. If you then open F-Droid you can search for and install the Friendica app. If you are using a self-signed certificate then at the login screen scroll down to the bottom, select the SSL settings then scroll down and disable SSL certificate checks. You will then be able to log in using https, which at least gives you some protection via the encryption. More information about the Friendica app can be found on http://friendica-for-android.wiki-lab.net/ *** pump.io pump.io is the successor to StatusNet (which later became [[GNU Social]]) and is a communications system which can do things other than just microblogging. It takes fewer system resources to run and so is better suited to low power servers such as the BBB, but is more complicated to install. Currently when using self-signed certificates it seems very hard to federate with other pump.io servers so it may be that although GNU Social is an older system it may still be more practical. For the instructions which follow it will be possible to run your own pump.io site for your family and friends, as a kind of /data silo/, but federating with anyone else could turn out to be difficult or impossible. A list of pump.io sites can be found at http://pumpstatus.jpope.org For a pump.io site you will need a separate domain/subdomain, so see [[Setting up a web site]] for details of how to create an Apache configuration for your site. If you're using freedns then you will need to create a new subdomain. #+BEGIN_SRC: bash apt-get update && apt-get install redis-server nodejs-legacy imagemagick graphicsmagick git-core screen cd /opt git clone https://github.com/e14n/pump.io.git cd /opt/pump.io npm install npm install databank-redis #+END_SRC Edit the configuration file. #+BEGIN_SRC: bash emacs /etc/pump.io.json #+END_SRC Add the following, replacing /mypumpiodomainname.com/ with your domain name. #+BEGIN_SRC: bash { "driver": "redis", "params": {"host":"localhost","port":6379}, "secret": "A long random string", "noweb": false, "site": "Name of my pump.io site", "owner": "My name or organisation", "ownerURL": "https://mypumpiodomainname.com/", "port": 7270, "urlPort": 443, "hostname": "mypumpiodomainname.com", "address": "localhost", "nologger": false, "serverUser": "pumpio", "rejectUnauthorized": false, "key": "/var/local/pump.io/keys/mypumpiodomainname.com.key", "cert": "/var/local/pump.io/keys/mypumpiodomainname.com.crt", "uploaddir": "/var/local/pump.io/uploads", "debugClient": false, "firehose": "ofirehose.example", "logfile": "/var/local/pump.io/pump.io.log", "disableRegistration": false } #+END_SRC Save and exit. #+BEGIN_SRC: bash export HOSTNAME=mypumpiodomainname.com mkdir /var/local/pump.io mkdir /var/local/pump.io/uploads mkdir /var/local/pump.io/keys cp /etc/ssl/private/$HOSTNAME.key /var/local/pump.io/keys cp /etc/ssl/certs/$HOSTNAME.crt /var/local/pump.io/keys useradd -s /bin/bash -d /var/local/pump.io pumpio chown -R pumpio:pumpio /var/local/pump.io chmod 400 /var/local/pump.io/keys/* mkdir /tmp/apache2 cd /tmp/apache2 apt-get build-dep apache2 apt-get install autoconf apt-get source apache2 cd apache2-* wget http://freedombone.uk.to/apache-2.2-wstunnel.patch sha256sum apache-2.2-wstunnel.patch cfc4866da2688a8eb76e0300cf16b52539ef4e525053a3851d4b6bba9a77e439 patch -p1 -i apache-2.2-wstunnel.patch autoconf ./configure --enable-so --enable-proxy=shared --enable-proxy-wstunnel=shared make cp modules/proxy/.libs/mod_proxy_wstunnel.so /usr/lib/apache2/modules/ cd /etc/apache2/mods-enabled ln -s /usr/lib/apache2/modules/mod_proxy_wstunnel.so ../mods-available/proxy_wstunnel.load #+END_SRC Within the section of your Apache site configuration: #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/mypumpiodomainname.com #+END_SRC The initial section which begins with ** should be replaced by the following, replacing /mypumpiodomainname.com/ with your pump.io domain name and /myusername@mydomainname.com/ with your email address. #+BEGIN_SRC: bash ServerAdmin myusername@mydomainname.com ServerName mypumpiodomainname.com RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} #+END_SRC Add the following in the section which begins with **. #+BEGIN_SRC: bash LoadModule proxy_wstunnel_module /usr/lib/apache2/modules/mod_proxy_wstunnel.so ProxyPass wss://localhost/main/realtime/sockjs ProxyPassReverse wss://localhost/main/realtime/sockjs # # CacheEnable disk # ProxyVia On ProxyPreserveHost On SSLProxyEngine On ProxyPass / https://localhost:7270/ ProxyPassReverse / https://localhost:7270/ #+END_SRC Save and exit. #+BEGIN_SRC: bash a2enmod cache a2enmod disk_cache apachectl configtest service apache2 restart npm install forever -g #+END_SRC Now create the daemon. #+BEGIN_SRC: bash emacs /etc/init.d/pumpio #+END_SRC Add the following text: #+BEGIN_SRC: bash #!/bin/bash # /etc/init.d/pumpio ### BEGIN INIT INFO # Provides: pump.io # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: starts pump.io as a background daemon # Description: Starts pump.io on boot ### END INIT INFO # Author: Bob Mottram #Settings SERVICE='pumpio' COMMAND="forever /opt/pump.io/bin/pump > /var/local/pump.io/daemon.log" USERNAME='pumpio' NICELEVEL=19 # from 0-19 the bigger the number, the less the impact on system resources HISTORY=1024 INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin:/bin:/var/local/pump.io' pumpio_start() { echo "Starting $SERVICE..." su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME } pumpio_stop() { echo "Stopping $SERVICE" su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME } #Start-Stop here case "$1" in start) pumpio_start ;; stop) pumpio_stop ;; restart) pumpio_stop sleep 10s pumpio_start ;; *) echo "Usage: $0 {start|stop|restart}" exit 1 ;; esac exit 0 #+END_SRC Save and exit. Then enable the daemon and run it. #+BEGIN_SRC: bash chmod +x /etc/init.d/pumpio update-rc.d pumpio defaults service pumpio start #+END_SRC Now visit your pump.io site by navigating to: https://mypumpiodomainname.com and add a new user. If you wish this to be a single user node not open to the general public (including spammers and sockpuppets) then edit */etc/pump.io.json* and set *disableRegistration* to *true*. After making that change restart with the command *service pumpio restart*. ** Install Gopher *** Server setup Gopher is an old internet protocol which originated a few years before the web and is purely text based. It can be quite fun to build a gopher site and browse the gopherverse. One thing to keep in mind is that there is no security with gopher, so any text transmitted is trivially interceptable by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]] or deep packet inspection. To set up a gopher server: #+BEGIN_SRC: bash apt-get install build-essential cd /tmp wget http://freedombone.uk.to/geomyidae-current.tgz #+END_SRC Verify the download: #+BEGIN_SRC: bash sha256sum geomyidae-current.tgz 162f55ab059ab0a9be8e840497795293bbd51c34b1f4564dcdf3f0ddd5c0db31 geomyidae-current.tgz #+END_SRC Then extract and install it. #+BEGIN_SRC: bash tar -xzvf geomyidae-current.tgz cd geomyidae-* make make install mkdir -p /var/gopher #+END_SRC Your content should be placed within /var/gopher with the index page being named index.gph. The Gopher format is very simple - simpler than HTML - so creating pages is not much more difficult than editing a text file. #+BEGIN_SRC: bash emacs /etc/init.d/gopher #+END_SRC Enter the following: #+BEGIN_SRC: bash #! /bin/sh ### BEGIN INIT INFO # Provides: gopher # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Gopher daemon # Description: Gopher daemon ### END INIT INFO # Do NOT "set -e" # PATH should only include /usr/* if it runs after the mountnfs.sh script PATH=/sbin:/usr/sbin:/bin:/usr/bin DESC="Gopher daemon" NAME=geomyidae DAEMON=/usr/bin/$NAME DAEMON_ARGS="-l /var/log/geomyidae.log -b /var/gopher -p 70" PIDFILE=/var/run/$NAME.pid SCRIPTNAME=/etc/init.d/$NAME # Exit if the package is not installed [ -x "$DAEMON" ] || exit 0 # Read configuration variable file if it is present [ -r /etc/default/$NAME ] && . /etc/default/$NAME # Load the VERBOSE setting and other rcS variables . /lib/init/vars.sh # Define LSB log_* functions. # Depend on lsb-base (>= 3.2-14) to ensure that this file is present # and status_of_proc is working. . /lib/lsb/init-functions # # Function that starts the daemon/service # do_start() { # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ || return 1 start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ $DAEMON_ARGS \ || return 2 # Add code here, if necessary, that waits for the process to be ready # to handle requests from services started subsequently which depend # on this one. As a last resort, sleep for some time. } # # Function that stops the daemon/service # do_stop() { # Return # 0 if daemon has been stopped # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 # Wait for children to finish too if this is a daemon that forks # and if the daemon is only ever run from this initscript. # If the above conditions are not satisfied then add some other code # that waits for the process to drop all resources that could be # needed by services started subsequently. A last resort is to # sleep for some time. start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON [ "$?" = 2 ] && return 2 # Many daemons don't delete their pidfiles when they exit. rm -f $PIDFILE return "$RETVAL" } # # Function that sends a SIGHUP to the daemon/service # do_reload() { # # If the daemon can reload its configuration without # restarting (for example, when it is sent a SIGHUP), # then implement that here. # start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME return 0 } case "$1" in start) [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" do_start case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; stop) [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" do_stop case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; #reload|force-reload) # # If do_reload() is not implemented then leave this commented out # and leave 'force-reload' as an alias for 'restart'. # #log_daemon_msg "Reloading $DESC" "$NAME" #do_reload #log_end_msg $? #;; restart|force-reload) # # If the "reload" option is implemented then remove the # 'force-reload' alias # log_daemon_msg "Restarting $DESC" "$NAME" do_stop case "$?" in 0|1) do_start case "$?" in 0) log_end_msg 0 ;; 1) log_end_msg 1 ;; # Old process is still running *) log_end_msg 1 ;; # Failed to start esac ;; *) # Failed to stop log_end_msg 1 ;; esac ;; *) #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 exit 3 ;; esac : #+END_SRC Save and exit. Then start the gopher service. #+BEGIN_SRC: bash chmod +x /etc/init.d/gopher update-rc.d gopher defaults service gopher start #+END_SRC On your internet router change the firewall settings to route port 70 to the BBB, then provided that you have a gopher plugin installed within your browser then you should be able to navigate to your gopher site with: #+BEGIN_SRC: bash gopher://mydomainname.com #+END_SRC There is a browser addon for Gopher called "overbite". Installing that should enable you to view your site. *** A phlogging script A phlog is the gopher equivalent of a blog on the web. You can create a script which makes phlogging easy. #+BEGIN_SRC: bash emacs /usr/bin/mkphlog #+END_SRC Add the following: #+BEGIN_SRC: bash #!/bin/sh # mkphlog - a utility to ease the creation of phlogs. # Organizes phlog posts in separate directories. # Created by octotep; anyone can distribute, modify, and # share this file however they please. # # Version 0.3 # # Modified by Bob Mottram # # Please note, all date strings are in the form of mm/dd/yy(yy) # The base of the entire gopher site. gopherRoot="/var/gopher" # The name of the phlog directory (contained in $gopherHome) phlogDirName="phlog" # Default editor, unless the user has one specified in env editor=${EDITOR:-emacs} # Default timezone, unless the user has one specified in env TZ=${TZ:-UTC} # Tells the script how many lines the title of the main page spans. # Used to insert the newest post at the top. # Titles created by mkphlog are 3 lines. # Isn't used if $addTitleToMain is false titleLineCount=3 entryDate=`date +%Y-%m-%d` # Creates the phlog directory if it dosen't already exist. CreatePhlogDir() { mkdir $phlogDirName chmod 755 $phlogDirName cd $phlogDirName echo "Phlog directory created." } # Updates the main phlog listing UpdatePhlogListing() { # Just in case the user didn't specify a title if [ "$postTitleAns" = "" ] ; then echo -n "Do you want to create a blank post? (y/n) " read blankPostAns case $blankPostAns in y* | Y* ) $postTitleAns="New Post" ;; n* | N* ) echo "Goodbye, then." ; exit 1 ;; * ) exit 1 ;; esac fi cd $gopherRoot/$phlogDirName/ title2=$(echo "${postTitleAns}" | tr " " _) postfilename="${entryDate}_${title2}.txt" touch ${postfilename} echo $postTitleAns >> ${postfilename} date "+%A %b %e %l:%M:%S %Y" >> ${postfilename} echo "------------------------------" >> ${postfilename} echo >> ${postfilename} } if [ -d $gopherRoot ] ; then cd $gopherRoot else echo "You don't have a gopherspace set-up. Please run the gopher server setup instructions." exit 1 fi if [ -d $phlogDirName ] ; then cd $phlogDirName else echo -n "Do you want to create a phlog directory? (y/n) " read phlogDirAns case $phlogDirAns in y* | Y* ) CreatePhlogDir ;; n* | N* ) exit 1 ;; * ) exit 1 ;; esac fi echo -n "Would you like to create a phlog entry for today? (y/n) " read phlogAns case $phlogAns in y* | Y* ) echo "Creating today's phlog entry..." ;; n* | N* ) exit 0 ;; * ) exit 1 ;; esac # Make sure there isn't a post for that day, lest we overwrite it. if [ ! -d $entryDate ]; then echo -n "Title: " read postTitleAns title2=$(echo "${postTitleAns}" | tr " " _) postfilename="${entryDate}_${title2}.txt" touch ${postfilename} chmod 644 ${postfilename} UpdatePhlogListing echo -n "Would you like to edit the post with $editor? (y/n) " read editorAns case $editorAns in y* | Y* ) $editor $gopherRoot/$phlogDirName/${postfilename} ;; n* | N* ) exit 0 ;; * ) exit 0 ;; esac rm $gopherRoot/$phlogDirName/${postfilename}~ else echo "There is already a post for today." echo -n "Would you like to edit the post with $editor? (y/n) " read editorAns case $editorAns in y* | Y* ) $editor $gopherRoot/$phlogDirName/$entryDate*.txt ;; n* | N* ) exit 0 ;; * ) exit 1 ;; esac rm $gopherRoot/$phlogDirName/${postfilename}.txt~ fi exit 0 #+END_SRC Save and exit. #+BEGIN_SRC: bash chmod +x /usr/bin/mkphlog #+END_SRC Now entering the command /mkphlog/ will allow you to create a phlog entry. ** Install Owncloud #+BEGIN_VERSE /It's not water vapour/ -- Larry Ellison #+END_VERSE Owncloud will allow you to upload and download files, share photos, collaboratively edit documents, have a calendar and more. You should be warned that Owncloud runs quite slowly via an ordinary web browser, but it can be a convenient way to access and share your data from any location in a reasonably secure manner. *** Server Installation Install some dependencies: #+BEGIN_SRC: bash apt-get install apache2 php5 php5-gd php-xml-parser php5-intl apt-get install php5-sqlite php5-mysql smbclient curl libcurl3 php5-curl #+END_SRC It's very important that /mod_php5/ and not /mod_php5filter/ be installed. If you have /mod_php5filter/ installed then Owncloud will always fail to install. #+BEGIN_SRC: bash a2dismod php5filter apt-get install libapache2-mod-php5 #+END_SRC Ensure that the size of files which may be uploaded or downloaded is large enough. #+BEGIN_SRC: bash emacs /etc/php5/apache2/php.ini #+END_SRC Set the following: #+BEGIN_SRC: bash upload_max_filesize = 512M post_max_size = 512M #+END_SRC Save and exit, then edit your Apache configuration. #+BEGIN_SRC: bash export HOSTNAME=mydomainname.com emacs /etc/apache2/sites-available/$HOSTNAME #+END_SRC And add the following, to the 443 VirtualHost section. Really we only will want to be using Owncloud with HTTPS to ensure some level of security and avoidance of dragnet surveillance. #+BEGIN_SRC: bash Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all #+END_SRC To ensure that nobody logs in insecurely add the following to the 80 VirtualHost section. #+BEGIN_SRC: bash deny from all #+END_SRC Save and exit, then restart apache. #+BEGIN_SRC: bash service apache2 restart #+END_SRC Download owncloud. #+BEGIN_SRC: bash cd /tmp wget http://freedombone.uk.to/owncloud.tar.bz2 #+END_SRC Verify the download: #+BEGIN_SRC: bash sha256sum owncloud.tar.bz2 92b53fdfa7c4165b83dd2f8447f63928454a5815d08ff2d6165dd1a8969ecbe1 owncloud.tar.bz2 #+END_SRC Extract the archive. This may take a couple of minutes, so don't be alarmed that the system has crashed. #+BEGIN_SRC: bash export HOSTNAME=mydomainname.com tar -xjf owncloud.tar.bz2 #+END_SRC Move the extracted files to your site and set file permissions. #+BEGIN_SRC: bash cp -r owncloud /var/www/$HOSTNAME/htdocs chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/owncloud/apps chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/owncloud/config chown www-data:www-data /var/www/$HOSTNAME/htdocs/owncloud #+END_SRC Edit the htaccess file for Owncloud. #+BEGIN_SRC: bash emacs /var/www/$HOSTNAME/htdocs/owncloud/.htaccess #+END_SRC Set the following. #+BEGIN_SRC: bash php_value upload_max_filesize 512M php_value post_max_size 512M php_value memory_limit 32M #+END_SRC Save and exit. With a web browser visit your domain (mydomainname.com/owncloud) and enter an administrator username and password. *** Owncloud on Android First install [[https://f-droid.org/][F-Droid]] and then search for the current Owncloud app. Once it's installed you'll then be able to log into the BBB with the URL https://mydomainname.com/opencloud, supplying your username and password. ** Install a Wiki #+BEGIN_VERSE /I believe that technology can liberate, but you need to be a master rather than a user. You need to pull technology apart and master it rather than letting it control you./ -- Tom Barbalet #+END_VERSE Dokuwiki is based upon flat files, and so is easy to move from one server to another without a lot of database complications. Download the wiki. #+BEGIN_SRC: bash cd /tmp wget http://freedombone.uk.to/dokuwiki.tgz #+END_SRC Verify it. #+BEGIN_SRC: bash sha256sum dokuwiki.tgz 6b126f90979463d9ddaa74acc6f96aa230cfdc789946f241c3646086d9574be8 dokuwiki.tgz #+END_SRC Then extract and install it. #+BEGIN_SRC: bash export HOSTNAME=mywikidomainname.com tar -xzvf dokuwiki.tgz mv /var/www/$HOSTNAME/htdocs /var/www/$HOSTNAME/htdocs_old mv dokuwiki /var/www/$HOSTNAME/htdocs #+END_SRC Edit the Apache configuration for your wiki site. #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/$HOSTNAME #+END_SRC The settings should look something like the following. Replace /mywikidomainname.com/ with your wiki domain name. #+BEGIN_SRC: bash ServerAdmin myusername@mywikidomainname.com ServerName mydomainname.com DocumentRoot /var/www/mywikidomainname.com/htdocs order deny,allow allow from all order allow,deny deny from all satisfy all Options FollowSymLinks AllowOverride All ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ AllowOverride All Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel error CustomLog ${APACHE_LOG_DIR}/access.log combined ServerAdmin myusername@mywikidomainname.com ServerName mywikidomainname.com DocumentRoot /var/www/mywikidomainname.com/htdocs order deny,allow allow from all order allow,deny deny from all satisfy all Options FollowSymLinks AllowOverride All ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ AllowOverride All Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all ErrorLog ${APACHE_LOG_DIR}/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel error CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # A self-signed certificate SSLCertificateFile /etc/ssl/certs/mydomainname.com.crt SSLCertificateKeyFile /etc/ssl/private/mydomainname.com.key # Options based on bettercrypto.org SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCompression off SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line' version of the client's X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31ZMTZzkVA'. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire SSLOptions +StdEnvVars SSLOptions +StdEnvVars # SSL Protocol Adjustments: # The safe and default but still SSL/TLS standard compliant shutdown # approach is that mod_ssl sends the close notify alert but doesn't wait for # the close notify alert from client. When you need a different shutdown # approach you can use one of the following variables: # o ssl-unclean-shutdown: # This forces an unclean shutdown when the connection is closed, i.e. no # SSL close notify alert is send or allowed to received. This violates # the SSL/TLS standard but is needed for some brain-dead browsers. Use # this when you receive I/O errors because of the standard approach where # mod_ssl sends the close notify alert. # o ssl-accurate-shutdown: # This forces an accurate shutdown when the connection is closed, i.e. a # SSL close notify alert is send and mod_ssl waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation # works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown #+END_SRC Enable your site with: #+BEGIN_SRC: bash a2ensite #+END_SRC then select the domain name and reload. #+BEGIN_SRC: bash service apache2 reload #+END_SRC and alter permissions: #+BEGIN_SRC: bash chmod -R 755 /var/www/$HOSTNAME/htdocs chown -R www-data:www-data /var/www/$HOSTNAME/htdocs #+END_SRC Open a browser and visit http://$HOSTNAME/install.php, then fill out the details. Once everything has been accepted without errors: #+BEGIN_SRC: bash rm /var/www/$HOSTNAME/htdocs/install.php #+END_SRC Add a few extra mime types: #+BEGIN_SRC: bash emacs /var/www/$HOSTNAME/htdocs/conf/mime.conf #+END_SRC Append the following: #+BEGIN_SRC: bash ogv video/ogg mp4 video/mp4 webm video/webm #+END_SRC Save and exit. If you need to be able to upload large files to the wiki then edit */etc/php5/apache2/php.ini* and set *upload_max_filesize* accordingly. If the directory */etc/php5/apache2* doesn't exist then you will need to install the package *libapache2-mod-php5*. Now you can visit your wiki and begin editing. ** Install Bitmessage #+BEGIN_VERSE /The weakness of mass surveillance is that it can very easily be made much more expensive through changes in technical standards: pervasive, end-to-end encryption can quickly make indiscriminate surveillance impossible on a cost-effective basis/ -- Edward J. Snowden, testimony to the EU parliament #+END_VERSE *** A new kind of Email [[https://bitmessage.org][Bitmessage]] is a new type of messaging system intended to fulfill the same role as email, but without the security problems. In particular, Bitmessage attempts to not just encrypt the content but also the metadata. It's message broadcasting system makes it exceedingly difficult for an attacker to know which computer a message is destined for. The only way you know whether a message has been sent to you is whether you are able to decrypt it from the passing stream of messages. Although similar to Bitcoin in some regards, such as "/proof of work/", Bitmessage has no block chain and messages are only buffered for approximately three days after which they are deleted from any given node. Installing Bitmessage as a daemon will increase the size of the network, and therefore the level of security for all users. *** The Daemon Install from the current source code. #+BEGIN_SRC: bash apt-get install python screen cd /tmp git clone https://github.com/Bitmessage/PyBitmessage.git cd PyBitmessage make install #+END_SRC Now create the daemon. #+BEGIN_SRC: bash emacs /etc/init.d/pybitmessage #+END_SRC Add the following text: #+BEGIN_SRC: bash #!/bin/bash # /etc/init.d/bitmessage ### BEGIN INIT INFO # Provides: pybitmessage # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: starts bitmessage as a background daemon, suitable for servers # Description: This file should be used to construct scripts to be # placed in /etc/init.d. ### END INIT INFO # Author: Super-Nathan #Settings SERVICE='pybitmessage' LOGFILE='/dev/null' # this disables logging # LOGFILE='/var/log/bitmessage.log' # comment out the above line and un-comment this line to save a log COMMAND="python bitmessagemain.py > $LOGFILE" USERNAME='bitmsg' NICELEVEL=19 # from 0-19 the bigger the number, the less the impact on system resources HISTORY=1024 PBM_LOCATION="/usr/local/share/pybitmessage" INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/core_perl:/sbin:/usr/sbin:/bin:/usr/local/share/pybitmessage' bm_start() { echo "Starting $SERVICE..." cd ${PBM_LOCATION} su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME } bm_stop() { echo "Stopping $SERVICE" su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME } #Start-Stop here case "$1" in start) bm_start ;; stop) bm_stop ;; restart) bm_stop sleep 60s bm_start ;; *) echo "Usage: $0 {start|stop|restart}" exit 1 ;; esac exit 0 #+END_SRC Save and exit. Add a user which will be specifically for Bitmessage. Since bitmessage is still a relatively young and experimental project, this adds further compartmentalisation such that if there are any bugs within PyBitmessage then an attacker can't neccessarily gain control of root or any other user account. Here we create a user called /bitmsg/ and give it a long random password. #+BEGIN_SRC: bash adduser bitmsg #+END_SRC Create a /keys.dat/ file which is used to configure Bitmessage. #+BEGIN_SRC: bash mkdir /home/bitmsg/.config mkdir /home/bitmsg/.config/PyBitmessage emacs /home/bitmsg/.config/PyBitmessage/keys.dat #+END_SRC Add the following: #+BEGIN_SRC: bash [bitmessagesettings] settingsversion = 7 port = 8444 timeformat = %%a, %%d %%b %%Y %%I:%%M %%p blackwhitelist = black startonlogon = false minimizetotray = false showtraynotifications = false startintray = false socksproxytype = none sockshostname = localhost socksport = 9050 socksauthentication = false sockslisten = false socksusername = sockspassword = keysencrypted = false messagesencrypted = false defaultnoncetrialsperbyte = 640 defaultpayloadlengthextrabytes = 14000 minimizeonclose = false maxacceptablenoncetrialsperbyte = 0 maxacceptablepayloadlengthextrabytes = 0 userlocale = system namecoinrpctype = namecoind namecoinrpchost = localhost namecoinrpcuser = namecoinrpcpassword = namecoinrpcport = 8336 sendoutgoingconnections = True daemon = true #+END_SRC Save and exit. Then enable the daemon and run it. #+BEGIN_SRC: bash rm -f /tmp/-usr-local-share-pybitmessage-*.lock chown -R bitmsg:bitmsg /home/bitmsg chmod +x /etc/init.d/pybitmessage update-rc.d pybitmessage defaults service pybitmessage start #+END_SRC Now open port 8444 on your internet router or firewall and direct it to the BBB. *** Using Bitmessage Although in principle it would be possible to send Bitmessages directly from the BBB, in practice the /proof of work/ requirement would mean that it would take an infeasibly long time to send messages, and the computational workload would likely greatly impair the performance of other services also running on the system. So to send and receive Bitmessages it's better to just install the client on a laptop or desktop machine. The easiest way to install the client is either to download it from [[https://bitmessage.org][bitmessage.org]] or to get the latest build from Github as follows: #+BEGIN_SRC: bash cd /tmp git clone https://github.com/Bitmessage/PyBitmessage.git cd PyBitmessage make install pybitmessage #+END_SRC *** Connect to Email TODO: how to connect Bitmessage to an email client. #+BEGIN_SRC: bash cd /tmp wget http://freedombone.uk.to/notbit.tar.gz #+END_SRC Verify it. #+BEGIN_SRC: bash sha256sum notbit.tar.gz 972fdc9cbb8034141282337dcd5e557bce57969ff6bd1d607da89bd93cc7bb68 #+END_SRC Extract and install it. #+BEGIN_SRC: bash tar -xzvf notbit.tar.gz cd notbit apt-get install dh-autoreconf ./autogen.sh --prefix=/home/myusername make make install #+END_SRC ** Overcome restrictive environments #+BEGIN_VERSE /Censorship reflects a society's lack of confidence in itself. It is a hallmark of an authoritarian regime./ -- Potter Stewart #+END_VERSE In some environments, such as behind corporate firewalls or under regimes hostile towards the idea of open access to knowledge and information you may find that you're not able to use tools such as /ssh/ to get access to the BBB. In the worst case all ports other than 80 and 443 may be blocked. In that scenario you can use a tool called [[http://code.google.com/p/shellinabox/][shellinabox]] to log into your BBB via your web site rather than via a terminal. This means that you can administrate your system from any device which has a web browser and keyboard. #+BEGIN_SRC: bash apt-get install shellinabox libapache2-mod-proxy-html #+END_SRC Update your Apache configuration. #+BEGIN_SRC: bash export HOSTNAME=mydomainname.com emacs /etc/apache2/sites-available/$HOSTNAME #+END_SRC Within the section which begins with ** add the following, replacing /mydomainname.com/ with your domain name and /myusername/ with your username. #+BEGIN_SRC: bash ProxyPass http://localhost:4200/ Order allow,deny Allow from all AuthName "Authentication for shellinabox" AuthUserFile /home/mydomainname.com/public_html/.htpasswd AuthGroupFile /home/mydomainname.com/public_html/.htgroup AuthType Basic Require group shellinabox Require user myusername #+END_SRC Save and exit, then create a login password. It's recommended that the password be a long random string and that you then access it using a password manager such as KeepassX. #+BEGIN_SRC: bash mkdir /home/$HOSTNAME mkdir /home/$HOSTNAME/public_html htpasswd -c /home/$HOSTNAME/public_html/.htpasswd myusername #+END_SRC Create a user group. #+BEGIN_SRC: bash emacs /home/$HOSTNAME/public_html/.htgroup #+END_SRC Add the following: #+BEGIN_SRC: bash shellinabox: myusername #+END_SRC Save and exit, then restart Apache. #+BEGIN_SRC: bash a2enmod proxy_http service apache2 restart #+END_SRC Now with a web browser navigate to https://mydomainname.com/shell and log in. If you're in a very locked down environment where access to web sites is severely restricted then as a last resort you may be able to use a command line browser, such as [[https://en.wikipedia.org/wiki/Lynx_%28web_browser%29][lynx]] from within /shellinabox/. ** Set up a mailing list #+BEGIN_VERSE /All over the world there are many people who are united in creating software, content, and culture that is freely available for others to share, enjoy and enrich their lives. Together we believe that freedom is good. We believe it helps people do good things, make better choices, and lead safer and more secure lives. Together we are a community united by this belief./ -- Jono Bacon #+END_VERSE *** Public mailing list Email mailing lists are old skool but still remain as a common and easy way of communicating on the internet. If you're running a public organisation such as an open source project or community group then you may want to set one up. **** Installation #+BEGIN_SRC: bash export HOSTNAME=mydomainname.com apt-get install mailman newlist mailman #+END_SRC Enter an email address for the list administrator and a password. #+BEGIN_SRC: bash emacs /etc/mailman/mm_cfg.py #+END_SRC Set *MTA=None* and change *http:* to *https:*, then save and exit. Add some settings. #+BEGIN_SRC: bash emacs /etc/exim4/conf.d/main/04_mailman_options #+END_SRC Add the following, replacing /mydomainname.com/ with your domain name. #+BEGIN_SRC: bash # Mailman macro definitions # Home dir for the Mailman installation MM_HOME=/var/lib/mailman # User and group for Mailman MM_UID=list MM_GID=list # # Domains that your lists are in - colon separated list # you may wish to add these into local_domains as well domainlist mm_domains=mydomainname.com # The path of the Mailman mail wrapper script MM_WRAP=MM_HOME/mail/mailman # # The path of the list config file (used as a required file when # verifying list addresses) MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/exim4/conf.d/main/000_localmacros #+END_SRC Append the following: #+BEGIN_SRC: bash SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe SYSTEM_ALIASES_USER = list SYSTEM_ALIASES_GROUP = list #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt #+END_SRC Append the following, before the final /accept/: #+BEGIN_SRC: bash # Do callback verification unless Mailman incoming bounce deny !local_parts = *-bounces : *-bounces+* !verify = sender/callout=30s,defer_ok #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/exim4/conf.d/router/450_exim4-config_mailman_aliases #+END_SRC Add the following: #+BEGIN_SRC: bash mailman: driver = accept domains = +mm_domains require_files = MM_LISTCHK local_part_suffix_optional local_part_suffix = -admin : \ -bounces : -bounces+* : \ -confirm : -confirm+* : \ -join : -leave : \ -owner : -request : \ -subscribe : -unsubscribe transport = mailman_transport #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/exim4/conf.d/transport/40_exim4-config_mailman_pipe #+END_SRC Add the following: #+BEGIN_SRC: bash mailman_transport: driver = pipe command = MM_WRAP \ '${if def:local_part_suffix \ {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \ {post}}' \ $local_part current_directory = MM_HOME home_directory = MM_HOME user = MM_UID group = MM_GID #+END_SRC Save and exit. #+BEGIN_SRC: bash chown root:list /var/lib/mailman/mail/mailman update-exim4.conf.template -r update-exim4.conf service exim4 restart emacs /etc/apache2/conf.d/mailman #+END_SRC Add the following: #+BEGIN_SRC: bash Alias /pipermail /var/lib/mailman/archives/public Alias /images/mailman /usr/share/images/mailman DirectoryIndex index.html #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/$HOSTNAME #+END_SRC Add the following to the 443 section. #+BEGIN_SRC: bash Options Indexes FollowSymLinks MultiViews Order allow,deny Allow from all RedirectMatch ^/$ /cgi-bin/mailman/listinfo #+END_SRC Save and exit. #+BEGIN_SRC: bash service apache2 restart #+END_SRC Now add your mailing list. The list name should not include any spaces. #+BEGIN_SRC: bash newlist mymailinglistname #+END_SRC With a browser visit https://$HOSTNAME/cgi-bin/mailman/admin/mymailinglistname to configure the mailing list. Under *General Options* add an email address for a moderator (could be the same as the administrator) and click *Submit your changes*. Under *Privacy Options* set steps required for subscription to *Confirm and approve* and click *Submit your changes*. Also change these settings for the account within https://$HOSTNAME/cgi-bin/mailman/admin/mailman Then to test that the mailing list works: #+BEGIN_SRC: bash exim -d+route -bt mymailinglistname@$HOSTNAME #+END_SRC If everything is working then this shouldn't show any problems. **** Using the mailing list Direct subscribers towards: #+BEGIN_SRC: bash https://mydomainname.com/cgi-bin/mailman/listinfo/mymailinglistname #+END_SRC To administrate the list visit: #+BEGIN_SRC: bash https://mydomainname.com/cgi-bin/mailman/admin/mymailinglistname #+END_SRC To add another mailing list: #+BEGIN_SRC: bash newlist mymailinglistname #+END_SRC To delete a mailing list: #+BEGIN_SRC: bash rmlist -a mymailinglistname #+END_SRC *** Private (encrypted) mailing list In addition to conventional public email lists it's also possible to set up a private mailing list which is only readable by members. A private email list uses [[https://en.wikipedia.org/wiki/GNU_Privacy_Guard][GPG]] and a public/private key pair for the server which can then be used to send emails to the list in an encrypted form. The email addresses and public GPG keys of members may be added to the list so that any new messages can be distributed to them in a secure manner. Private mailing lists are likely to be able to keep the contents of the discussion out of the clutches of warrantless mass surveillance but, as with all conventional email, it won't prevent such systems from generating social graphs of who is communicating with the list since the /from/ and /to/ attributes are always transmitted in the clear. **** Installation #+BEGIN_SRC: bash apt-get install schleuder #+END_SRC Edit the configuration: #+BEGIN_SRC: bash emacs /etc/schleuder/schleuder.conf #+END_SRC Set the following parameters, replacing /mydomainname.com/ with your domain name: #+BEGIN_SRC: bash smtp_port: 465 superadminaddr: root@mydomainname.com #+END_SRC Save and exit. Get your GPG public key, replacing /myGPGkeyID/ with your GPG key ID: #+BEGIN_SRC: bash export MYKEYID=myGPGkeyID gpg --search-keys $MYKEYID gpg --output /tmp/mypublickey.txt --armor --export $MYKEYID #+END_SRC Then to create a mailing list, replacing /mydomainname.com/ with your domain name, /myusername/ with your username and /mailinglistname/ with the name of the mailing list. /mailinglistname/ should be all one word, with no spaces. #+BEGIN_SRC: bash export MAILINGLISTNAME=mailinglistname export MYUSERNAME=myusername export HOSTNAME=mydomainname.com export EMAILADDRESS=$MYUSERNAME@$HOSTNAME schleuder-newlist $MAILINGLISTNAME@$HOSTNAME -realname "mailing list name" -adminaddress $EMAILADDRESS -initmember $EMAILADDRESS -initmemberkey /tmp/mypublickey.txt -nointeractive #+END_SRC Now add a mailing list rule: #+BEGIN_SRC: bash emailrule $MYUSERNAME $MAILINGLISTNAME@$HOSTNAME $MAILINGLISTNAME #+END_SRC Edit your Mutt configuration. #+BEGIN_SRC: bash emacs /home/$MYUSERNAME/.muttrc #+END_SRC Search for the /mailboxes/ parameter and add "=mailinglistname". For example: #+BEGIN_SRC: bash mailboxes = =Sent =Drafts =mailinglistname #+END_SRC Save and exit. Update Exim routing. #+BEGIN_SRC: bash emacs /etc/exim4/conf.d/router/550_exim4-config_schleuder #+END_SRC Add the following: #+BEGIN_SRC: bash schleuder: debug_print = "R: schleuder for $local_part@$domain" driver = accept local_part_suffix_optional local_part_suffix = +* : -bounce : -sendkey domains = +local_domains user = schleuder group = schleuder require_files = schleuder:+/var/lib/schleuder/$domain/${local_part} transport = schleuder_transport #+END_SRC Save and exit. #+BEGIN_SRC: bash emacs /etc/exim4/conf.d/transport/30_exim4-config_schleuder #+END_SRC Add the following. #+BEGIN_SRC: bash schleuder_transport: debug_print = "T: schleuder_transport for $local_part@$domain" driver = pipe home_directory = "/var/lib/schleuder/$domain/$local_part" command = "/usr/bin/schleuder $local_part@$domain" #+END_SRC Save and exit. #+BEGIN_SRC: bash chown -R schleuder:schleuder /var/lib/schleuder update-exim4.conf.template -r update-exim4.conf service exim4 restart useradd -d /var/schleuderlists -s /bin/false schleuder adduser Debian-exim schleuder usermod -a -G mail schleuder #+END_SRC Test the routing. #+BEGIN_SRC: bash exim -d -bt mailinglistname@mydomainname.com #+END_SRC **** Importing the public key of the mailing list Before you can use the mailing list you will first need to import its public key. How you do this depends upon which email client you're using. ***** Using Mutt Send an email to /mailinglistname-sendkey@mydomainname.com/ to have the list public key emailed to you. When you receive the email open it and press *CTRL-k* to import it. ***** Using Thunderbird Send an email to /mailinglistname-sendkey@mydomainname.com/ to have the list public key emailed to you. When you receive the email open it, select all the text with *CTRL-a* then *CTRL-c*. On the menu select *OpenPGP* followed by *Key Management*. You will now see a new menu bar. Select *Edit* followed by *Import keys from clipboard*. Click on *Import* followed by *Ok*. **** Using the list To obtain the public keys of list members send an email to /mailinglistname-request@mydomainname.com/ containing *X-LIST-KEYS* in the message body. To add a member: *X-ADD-MEMBER: othermember@otherdomain.net* An example of adding a public key to the list: #+BEGIN_SRC: bash X-ADD-KEY: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.9 (GNU/Linux) mQGiBEjVO7oRBADQvT6wtD2IzzIiK0NbrcilCKCp4MWb8cYXTXguwPQI6y0Nerz4 dsK6J0X1Vgeo02tqA4xd3EDK8rdqL2yZfl/2egH8+85R3gDk+kqkfEp4pwCgp6VO [...] pNlF/qkaWwRb048h+iMrW21EkouLKTDPFkdFbapV2X5KJZIcfhO1zEbwc1ZKF3Ju Q9X5GRmY62hz9SCZnsC0jeYAni8OUQV9NXfXlS/vePBUnOL08NQB =xTv3 -----END PGP PUBLIC KEY BLOCK----- #+END_SRC To get details for a member: *X-GET-MEMBER: othermember@otherdomain.net* To delete a member: *X-DELETE-MEMBER: othermember@otherdomain.net* To delete a public key: *X-DELETE-KEY: keyID* You can unsubscribe from the list with *X-UNSUBSCRIBE* in the message body. *** Decentralised mailing list A disadvantage with encrypted mailing lists which use the conventional email system is that there is a single server on which the list resides, and this creates a single point of failure and a bandwidth bottleneck for more heavily subscribed lists. If the mailing list server goes down for whatever reason then that may cause a lot of disruption to its users. An alternative is to use a decentralised mailing list, implemented using Bitmessage. On your local machine (not the BBB) you can make a private mailing list which is difficult to censor and where there is no single point of failure. This type of mailing list is known as a "/chan/". With Bitmessage if any one computer goes offline then the conversation can still keep going since there is no central mailing list server. Bitmessages are also encrypted with public/private key pairs and the manner in which the system operates makes it very difficult for the surveillance apparatus to exfiltrate the social graph of list users. On a Debian based system: #+BEGIN_SRC: bash sudo apt-get install makepasswd #+END_SRC or on an RPM based system: #+BEGIN_SRC: bash sudo yum install makepasswd #+END_SRC Create a name for your mailing list. This will be a random string. #+BEGIN_SRC: bash makepasswd -c 40 #+END_SRC Keep a note of this. Run the Bitmessage client and on the menu select *File/Join-Create Chan/Create new chan* Enter the random string which you created as the name of the mailing list. Also take a note of the BM address which is created. You can hand out the random string used to generate the mailing list and its corresponding BM address to fellow members, either within a bitmessage or on paper or via [[https://en.wikipedia.org/wiki/Sneakernet][sneakernet]] or in a GPG/PGP encrypted email or via an XMPP+OTR or Friendica private message. Once others have those two pieces of data then they will be able to join. To make the list easier to identify, rather than just appearing as a random string, then under the *Your Identities* tab right click on it and select *Set Avatar* and assign a suitable icon. The disadvantage of this type of mailing list is that it's not possible for any one participant to act as a list moderator, or in other words each participant must do their own moderation. That's ok if the size of the group is small, but if it's larger then anyone spamming or trolling the list can make things miserable for the others. ** Add a Convergenge notary Convergence is a secure replacement for the Certificate Authority System. Rather than employing a traditionally hard-coded list of immutable and largely untrusted CAs, Convergence allows you to configure a dynamic set of Notaries which use network perspective to validate your communication. For more details see [[http://convergence.io][convergence.io]] or [[http://www.youtube.com/watch?v=Z7Wl2FW2TcA][this talk which explains the concepts]]. *** Installation #+BEGIN_SRC: bash apt-get install python python-twisted-web python-twisted-names python-m2crypto python-openssl cd /tmp git clone https://github.com/fuzzgun/convergence cd convergence/server python ./setup.py install #+END_SRC Generate a key pair: #+BEGIN_SRC: bash convergence gencert #+END_SRC When asked for a challenge password just hit *Enter* a couple of times. Then move the key pair to the appropriate directories as follows. #+BEGIN_SRC: bash mv mynotary.key /etc/ssl/private chmod 400 /etc/ssl/private/mynotary.key mv mynotary.pem /etc/ssl/certs #+END_SRC Now create the database: #+BEGIN_SRC: bash rm /var/lib/convergence/convergence.db convergence createdb #+END_SRC Create an initialisation script: #+BEGIN_SRC: bash emacs /etc/init.d/convergence #+END_SRC Add the following: #+BEGIN_SRC: bash #+END_SRC Save and exit. #+BEGIN_SRC: bash adduser converg #+END_SRC The details for the user don't especially matter, but give them a long random password. #+BEGIN_SRC: bash chown -R converg:converg /home/converg chmod +x /etc/init.d/convergence update-rc.d convergence defaults service convergence start #+END_SRC Generate a notary bundle: #+BEGIN_SRC: bash convergence bundle #+END_SRC Enter your name, nickname, handle or whatever. For the bundle location enter https://mydomainname.com/convergence.notary For the Hostname enter your domain name For SSL port enter *8433* and for HTTP port nter *8432* For the pem file enter */etc/ssl/certs/mynotary.pem* #+BEGIN_SRC: bash export HOSTNAME=mydomainname.com mv mynotarybundle.notary /var/www/$HOSTNAME/htdocs/convergence.notary chown www-data:www-data /var/www/$HOSTNAME/htdocs/convergence.notary #+END_SRC Now open ports 8432 and 8433 on your internet router or firewall and direct it to the BBB. *** Using Convergence On a computer which is not the BBB (your laptop, etc): Install the browser plugin by navigating to https://addons.mozilla.org/en-us/firefox/addon/convergence-extra/ After installation restart your browser. You will notice that an icon appears in the top right corner of the browser, which resembles a lock and two plus signs. Click on the down arrow to the right of it and select *options*. ** Install a microblog #+BEGIN_VERSE /If you want to have more control over how you interact on the web, and regain your freedom, privacy and autonomy from outside interference, you need to start moving towards using programs like GNU Social/ -- Jason Self #+END_VERSE For a microblog you will need a separate domain/subdomain, so see [[Setting up a web site]] for details of how to create an Apache configuration for your microblog. If you're using freedns then you will need to create a new subdomain. Install some dependencies: #+BEGIN_SRC: bash apt-get install php5-xcache php-gettext php5-curl php5-gd php5-mysql #+END_SRC Download GNU Social #+BEGIN_SRC: bash cd /tmp wget http://freedombone.uk.to/gnu-social.tar.gz #+END_SRC Verify it. #+BEGIN_SRC: bash sha256sum gnu-social.tar.gz 1f886241c7f1a175e7be3cccbcb944ab6c03617fb75aefa4d62d37abed87d2b4 #+END_SRC Extract the files and set permissions on them, where /mydomainname.com/ is your domain name. #+BEGIN_SRC: bash export HOSTNAME=mydomainname.com tar zxf gnu-social.tar.gz rm -rf /var/www/$HOSTNAME/htdocs mv statusnet-gnu-social /var/www/$HOSTNAME/htdocs chmod a+w /var/www/$HOSTNAME/htdocs chown www-data:www-data /var/www/$HOSTNAME/htdocs chmod a+w /var/www/$HOSTNAME/htdocs/avatar chmod a+w /var/www/$HOSTNAME/htdocs/background chmod a+w /var/www/$HOSTNAME/htdocs/file chmod +x /var/www/$HOSTNAME/htdocs/scripts/maildaemon.php #+END_SRC Edit the Apache access settings. #+BEGIN_SRC: bash emacs /var/www/$HOSTNAME/htdocs/.htaccess #+END_SRC Add the following: #+BEGIN_SRC: bash RewriteEngine On RewriteBase / ## Uncomment these if having trouble with API authentication ## when PHP is running in CGI or FastCGI mode. # #RewriteCond %{HTTP:Authorization} ^(.*) #RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule (.*) index.php?p=$1 [L,QSA] Order allow,deny #+END_SRC Save and exit, then create a database. #+BEGIN_SRC: bash mysql -u root -p create database gnusocial; CREATE USER 'gnusocialadmin'@'localhost' IDENTIFIED BY 'gnusocialpassword'; GRANT ALL PRIVILEGES ON gnusocial.* TO 'gnusocialadmin'@'localhost'; quit #+END_SRC Add the mailer script to the aliases file: #+BEGIN_SRC: bash emacs /etc/aliases #+END_SRC Add the following, replacing /mydomainname.com/ with your domain name. #+BEGIN_SRC: bash www-data: root *: /var/www/mydomainname.com/htdocs/scripts/maildaemon.php #+END_SRC Save and exit. Update the aliases by typing: #+BEGIN_SRC: bash newaliases #+END_SRC Then with a web browser navigate to: https://$HOSTNAME/install.php Set a name for the site. Server SSL: enable Hostname: localhost Type: MySql Name: gnusocial DB username: gnusocialadmin DB Password; your gnu social admin password goes here Administrator nickname: myusername Administrator password: mylongrandompassword Subscribe to announcements: ticked Site profile: Community Press the *Submit* button. It may take a few minutes, so don't be concerned that it has crashed. When the process completes you will see a lot of "Strict standards" warnings which you can ignore. Navigate to http://$HOSTNAME/gnusocial and you can then complete the configuration via the *Admin* section on the header bar. Some recommended admin settings are: Under the *Site* settings: Text limit: 140 Dupe Limit: 60000 Under the *User* settings: Bio limit: 1000 Under the *Access* settings: /Invite only/ ticked Under the License section select a license if you wish. Details for Creative Commons licenses [[https://creativecommons.org/licenses/][can be found here]]. If you only intend to do private microblogging then just leave these settings as they are. If you want to invite more users then click on the big button *Invite more colleagues*, then enter their email addresses and hit the *send* button. The invite only configuration which you've just installed is useful because it prevents spammers, or other [[https://en.wikipedia.org/wiki/Joint_Threat_Research_Intelligence_Group]["bad actors"]], from clogging your system with nonsense. Edit the config file. #+BEGIN_SRC: bash emacs /var/www/$HOSTNAME/htdocs/config.php #+END_SRC Change the ssl setting from *always* to *sometimes*, hten save and exit. So, you're now microblogging on the open web, with no companies in the middle. Congratulations! To find some other people to connect to you can try searching other nodes listed at http://gnu.io/try/ When following other GNU Social users enter the URL of your profile. For example, https://mygnusocialdomain/myusername ** Install Mediagoblin #+BEGIN_VERSE /The silos that are the main current points of media sharing are not only vulnerable to attacks on free speech, but also hamper important grassroots economic activity by privileging the interests of a tiny minority over those of most of the world./ #+END_VERSE Mediagoblin allows you to have a YouTube/Soundcloud/Flickr/Picasa type of site to share your pictures, videos or audio files. An advantage of not having any company in the middle is that you can't be arbitrarily censored without any explanation, as seems to frequently occur on YouTube. It is recommended that you use media formats which are not encumbered by patents, such as /ogg/ or /ogv/. For a mediagoblin site it is recommended to use a separate domain/subdomain, so see [[Setting up a web site]] for details of how to create an Apache configuration for your microblog. If you're using freedns then you will need to create a new subdomain. Install some dependencies. #+BEGIN_SRC: bash apt-get install git-core python python-dev python-lxml python-imaging python-virtualenv python-gst0.10 libjpeg8-dev sqlite3 libapache2-mod-fcgid gstreamer0.10-plugins-base gstreamer0.10-plugins-bad gstreamer0.10-plugins-good gstreamer0.10-plugins-ugly gstreamer0.10-ffmpeg python-numpy python-scipy libsndfile1-dev #+END_SRC Create a user, replacing /mymediagoblindomain/ with the domain name for your mediagoblin site. #+BEGIN_SRC: bash export HOSTNAME=mymediagoblindomain adduser mediagoblin #+END_SRC Give the user a long random password. #+BEGIN_SRC: bash mkdir -p /srv/$HOSTNAME chown -hR mediagoblin:mediagoblin /srv/$HOSTNAME su - mediagoblin export HOSTNAME=mymediagoblindomain cd /srv/$HOSTNAME git clone git://gitorious.org/mediagoblin/mediagoblin.git cd mediagoblin git submodule init git submodule update virtualenv --system-site-packages . ./bin/python setup.py develop ./bin/easy_install flup cp mediagoblin.ini mediagoblin_local.ini cp paste.ini paste_local.ini emacs mediagoblin_local.ini #+END_SRC Change *email_sender_address* to your email address and set *email_debug_mode* to false. Also append the following to the bottom of the file, under the *plugins* section. #+BEGIN_SRC: bash [[mediagoblin.media_types.audio]] [[mediagoblin.media_types.video]] [[mediagoblin.media_types.stl]] #+END_SRC Then save and exit. #+BEGIN_SRC: bash ./bin/pip install scikits.audiolab ./bin/gmg dbupdate exit # to go back to the root user emacs /etc/init.d/mediagoblin #+END_SRC Add the following, replacing /mymediagoblindomain/ with the domain name for your mediagoblin site. #+BEGIN_SRC: bash #!/bin/bash # /etc/init.d/mediagoblin ### BEGIN INIT INFO # Provides: mediagoblin # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: starts mediagoblin # Description: Other methods may work, but I found this the easiest ### END INIT INFO # Author: Bob Mottram #Settings SERVICE='mediagoblin' LOGFILE='/srv/mymediagoblindomain/mediagoblin.log' COMMAND="./lazyserver.sh > $LOGFILE" USERNAME='mediagoblin' NICELEVEL=15 # from 0-19 the bigger the number, the less the impact on system resources HISTORY=1024 MG_LOCATION="/srv/mymediagoblindomain/mediagoblin" INVOCATION="nice -n ${NICELEVEL} ${COMMAND}" PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/core_perl:/sbin:/usr/sbin:/bin' mg_start() { echo "Starting $SERVICE..." cd ${MG_LOCATION} su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME } mg_stop() { echo "Stopping $SERVICE" su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME } #Start-Stop here case "$1" in start) mg_start ;; stop) mg_stop ;; restart) mg_stop sleep 10s mg_start ;; *) echo "Usage: $0 {start|stop|restart}" exit 1 ;; esac exit 0 #+END_SRC Save and exit. #+BEGIN_SRC: bash chmod +x /etc/init.d/mediagoblin update-rc.d mediagoblin defaults service mediagoblin start #+END_SRC Edit the Apache configuration for your mediagoblin site. #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/mymediagoblindomain #+END_SRC Delete the existing configuration (in Emacs it's CTRL-x h then CTRL-w) and paste the following, replacing /mymediagoblindomain/ with your mediagoblin domain name and /myusername@mydomainname.com/ with your email address. #+BEGIN_SRC: bash ServerAdmin myusername@mydomainname.com DocumentRoot /srv/mymediagoblindomain/mediagoblin ServerName mymediagoblindomain Options FollowSymLinks AllowOverride None Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all LogLevel warn ProxyVia On ProxyRequests off ProxyPreserveHost on ProxyPass / http://localhost:6543/ ErrorLog "/var/log/apache2/error.log" CustomLog "/var/log/apache2/access.log" combined RewriteEngine On RewriteOptions Inherit #+END_SRC Save and exit. Now in a browser visit http://mymediagoblindomain and create a user. If you wish this to be a single user installation to prevent a lot of spammers signing up. #+BEGIN_SRC: bash emacs /srv/mymediagoblindomain/mediagoblin/mediagoblin_local.ini #+END_SRC Then set: #+BEGIN_SRC: bash allow_registration = false #+END_SRC Save and exit. ** Install Tripwire #+BEGIN_VERSE /...by the time you get done with all of that, we have a freedom box/ -- Eben Moglen #+END_VERSE Tripwire will try to detect any intrusions into your system. It's a good idea to install it after you have installed all of the other programs which you intend to use. #+BEGIN_SRC: bash apt-get install tripwire export HOSTNAME=mydomainname.com cd /etc/tripwire cp arm-local.key $HOSTNAME-local.key cp site.key $HOSTNAME-site.key tripwire --init tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt tripwire --check --interactive #+END_SRC you will be asked for two passphrases ("site" and "local"). Make a note of these. Turn off reporting of changes to system logs. #+BEGIN_SRC: bash emacs /etc/tripwire/twcfg.txt #+END_SRC Set *SYSLOGREPORTING* to false and comment out the line, then save and exit. #+BEGIN_SRC: bash emacs /etc/tripwire/twpol.txt #+END_SRC Comment out the line: #+BEGIN_SRC: bash /var/log -> $(SEC_CONFIG) ; #+END_SRC Then save and exit. If you subsequently install any more packages or make configuration changes then update the policy again with: #+BEGIN_SRC: bash tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt #+END_SRC Also, to look for any rootkits. #+BEGIN_SRC: bash apt-get install rkhunter #+END_SRC * Router/Firewall ports The following ports on your internet router/firewall should be forwarded to the BBB. | Protocol | Port/s | |---------------+------------| | Gopher | 70 | | HTTP | 80 | | HTTPS | 443 | | IMAP | 143 | | IRC SSL | 6670 | | SIP | 5060..5061 | | SMTP | 25 | | SMTPS | 465 | | SSH | 22 | | XMPP | 5222..5223 | | XMPP (server) | 5269 | | XMPP (BOSH) | 5280..5281 | | Bitmessage | 8444 | | Convergence | 8432..8433 | * Hints and Tips ** Messaging security If you're connected to other friends via Friendica then the preferred way to send private messages is via Friendica's built-in messaging system. This is a lot more convenient than using GPG with ordinary email and yet still provides a similar level of protection from unwarranted interception. ** Moving Domains If you're moving servers and using a different domain name or path then you can search and replace URLs within files in the following way: #+BEGIN_SRC: bash find /var/www/mynewdomain/htdocs -type f -exec sed -i 's@myolddomain@mynewdomain@g' {} \; #+END_SRC If you're moving the blog to a new domain then you will need to delete the lock file: #+BEGIN_SRC: bash rm /var/www/myblogdomainname.com/htdocs/fp-content/%%setup.lock #+END_SRC Then visit your blog and reinstall it. Your existing content will be unaffected but you will need to delete the welcome post which gets added and also re-select your chosen theme. ** MySql foo *** Backup all databases To back up all mysql databases: #+BEGIN_SRC: bash mysqldump -u root -p --all-databases --events > /var/backups/databasebackup.sql #+END_SRC *** Restoring a particular mysql database To restore yesterday's friendica backup: #+BEGIN_SRC: bash mysql -D friendica -o < /var/backups/friendica_daily.sql #+END_SRC To restore yesterday's mediawiki backup: #+BEGIN_SRC: bash mysql -D wikidb -o < /var/backups/wikidb_daily.sql #+END_SRC *** Removing mysql server If you manage to screw up sql server completely then it can be fully deleted with: #+BEGIN_SRC: bash ps aux | grep mysql #+END_SRC and use /kill -9 / to kill all mysql processes. #+BEGIN_SRC: bash apt-get remove --purge mysql\* apt-get clean updatedb #+END_SRC ** Regenerating SSL certificates If a security vulnerability arrises which requires you to regenerate your SSL certificates, such as [[http://filippo.io/Heartbleed]["heartbleed"]], then this can be done as follows: Obtain the latest updates: #+BEGIN_SRC: bash apt-get update apt-get upgrade #+END_SRC Run *makecert * for each of your sites. Recreate the XMPP certificate: #+BEGIN_SRC: bash openssl genrsa -out /etc/ssl/private/xmpp.key 4096 openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650 chmod 600 /etc/ssl/private/xmpp.key chmod 600 /etc/ssl/certs/xmpp.crt chown prosody:prosody /etc/ssl/private/xmpp.key chown prosody:prosody /etc/ssl/certs/xmpp.crt #+END_SRC And regenerate the IRC server keys: #+BEGIN_SRC: bash openssl genrsa -out /etc/ircd-hybrid/key/ircd.key 4096 openssl req -new -x509 -key /etc/ircd-hybrid/key/ircd.key -out /etc/ircd-hybrid/key/ircd.pem -days 3650 chmod 600 /etc/ircd-hybrid/key/ircd.key chmod 600 /etc/ircd-hybrid/key/ircd.pem #+END_SRC As an added precaution you may wish to regenerate your ssh host keys: #+BEGIN_SRC: bash rm /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server #+END_SRC Then reboot the server with: #+BEGIN_SRC: bash reboot #+END_SRC ** Example crontab file This is an example of what your crontab file might look like, with the more frequently run tasks at the top. For the two most frequent tasks specific minutes within each hour are given and they're arranged to try to minimise the number of things running simultaneously. #+BEGIN_SRC: bash # /etc/crontab: system-wide crontab # Unlike any other crontab you don't have to run the `crontab' # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 10,20,30,40,50 * * * * root /usr/bin/timeout 120 /usr/bin/dynamicdns && /usr/bin/spamfilter myusername 15,35,55 * * * * root cd /var/www/mydomainname/htdocs; /usr/bin/timeout 240 /usr/bin/php include/poller.php 17 * * * * root cd / && run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ) #+END_SRC ** Using your own domain Suppose that you have bought a domain name (rather than using a free subdomain on freedns) and you want to use that instead. Remove any existing nameservers for your domain (or select "custom" nameservers), then add: #+BEGIN_SRC: bash NS1.AFRAID.ORG NS2.AFRAID.ORG NS3.AFRAID.ORG NS4.AFRAID.ORG #+END_SRC It might take a few minutes for the above change to take effect. Within freedns click on "Domains" and add your domains (this might only be available to paid members). Make sure that they're marked as "private". Select "Subdomains" from the menu on the left then select the MX entry for your domain and change the destination to *10:mydomainname* rather than *10:mail.mydomainname*. To route email to one of your freedns domains: #+BEGIN_SRC: bash emacs /etc/mailname #+END_SRC Add any extra domains which you own, then save and exit. #+BEGIN_SRC: bash emacs /etc/exim4/update-exim4.conf.conf #+END_SRC Within dc_other_hostnames add your extra domain names, separated by a colon ':' character. Save and exit, then restart exim. #+BEGIN_SRC: bash update-exim4.conf.template -r update-exim4.conf service exim4 restart #+END_SRC You should now be able to send an email from /postmaster@mynewdomainname/ and it should arrive in your inbox. ** Obtaining an "official" SSL certificate You can obtain a free "official" (as in recognised by default by web browsers) SSL certificate from [[https://www.startssl.com/][StartSSL]]. You will first need to have bought a domain name, since it's not possible to obtain one for a freedns subdomain, so see [[Using your own domain]] for details of how to do that. You should also have tested that you can send email to the domain and receive it on the BBB (via Mutt or any other email client). When creating a SSL certificate it's important that the private key (the private component of the public/private pair in [[https://en.wikipedia.org/wiki/Public-key_cryptography][public key cryptography]]) be generated on the BBB /and remain there/. Don't generate the private key via the StartSSL certificate wizard because this means that potentially they may retain a copy of it which could then be exfiltrated either via [[https://en.wikipedia.org/wiki/Lavabit][Lavabit]] style methodology, "implants", compromised sysadmins or other "side channel" methods. So that the private key isn't broadcast on the internet we can instead generate a certificate request, which is really just a request for authorisation of a public key. Firstly you should have an Apache web site configutaion ready to go. See [[Setting up a web site]] for details. Within StartSSL under the validations wizard validate your domain, which means sending an email to it and confirming a code. Now we can generate the certificate request as follows. #+BEGIN_SRC: bash export HOSTNAME=mydomainname.com openssl genrsa -out /etc/ssl/private/$HOSTNAME.key 2048 chown root:ssl-cert /etc/ssl/private/$HOSTNAME.key chmod 440 /etc/ssl/private/$HOSTNAME.key mkdir /etc/ssl/requests #+END_SRC Now make a certificate request as follows. You should copy and paste the whole of this, not just line by line. #+BEGIN_SRC: bash openssl req -new -key /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/requests/$HOSTNAME.csr #+END_SRC For the email address it's a good idea to use postmaster@mydomainname. Use a random 20 character password, and keep a note of it. We'll remove this later. View the request with: #+BEGIN_SRC: bash cat /etc/ssl/requests/$HOSTNAME.csr #+END_SRC You can then click on "skip" within the StartSSL certificates wizard and copy and paste the encrypted request into the text entry box. A confirmation will be emailed back to you normally within a few hours. Log into your StartSSL account and select *Retrieve Certificate* from the *Tool Box* tab. Copy the text. #+BEGIN_SRC: bash emacs /etc/ssl/certs/$HOSTNAME.crt #+END_SRC Paste the public key, then save and exit. Then on the BBB. #+BEGIN_SRC: bash mkdir /etc/ssl/roots mkdir /etc/ssl/chains wget "http://www.startssl.com/certs/ca.pem" --output-document="/etc/ssl/roots/startssl-root.ca" wget "http://www.startssl.com/certs/sub.class1.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class1.server.ca.pem" wget "http://www.startssl.com/certs/sub.class2.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class2.server.ca.pem" wget "http://www.startssl.com/certs/sub.class3.server.ca.pem" --output-document="/etc/ssl/chains/startssl-sub.class3.server.ca.pem" ln -s "/etc/ssl/roots/startssl-root.ca" "/etc/ssl/roots/$HOSTNAME-root.ca" ln -s "/etc/ssl/chains/startssl-sub.class1.server.ca.pem" "/etc/ssl/chains/$HOSTNAME.ca" cp "/etc/ssl/certs/$HOSTNAME.crt" "/etc/ssl/certs/$HOSTNAME.crt+chain+root" test -e "/etc/ssl/chains/$HOSTNAME.ca" && cat "/etc/ssl/chains/$HOSTNAME.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root" test -e "/etc/ssl/roots/$HOSTNAME-root.ca" && cat "/etc/ssl/roots/$HOSTNAME-root.ca" >> "/etc/ssl/certs/$HOSTNAME.crt+chain+root" #+END_SRC To avoid any possibility of the certificates being accidentally overwritten by self-signed ones at a later date you can create backups. #+BEGIN_SRC: bash mkdir /etc/ssl/backups mkdir /etc/ssl/backups/certs mkdir /etc/ssl/backups/private cp /etc/ssl/certs/$HOSTNAME* /etc/ssl/backups/certs/ cp /etc/ssl/private/$HOSTNAME* /etc/ssl/backups/private/ chmod -R 400 /etc/ssl/backups/certs/* chmod -R 400 /etc/ssl/backups/private/* #+END_SRC Remove the certificate password, so if the server is rebooted then it won't wait indefinitely for a non-existant keyboard user to type in a password. #+BEGIN_SRC: bash openssl rsa -in /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/private/$HOSTNAME.new.key cp /etc/ssl/private/$HOSTNAME.new.key /etc/ssl/private/$HOSTNAME.key shred -zu /etc/ssl/private/$HOSTNAME.new.key #+END_SRC Edit your Apache configuration file. #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/$HOSTNAME #+END_SRC Add the following to the section which starts with ** #+BEGIN_SRC: bash SSLCertificateChainFile /etc/ssl/chains/startssl-sub.class1.server.ca.pem #+END_SRC Save and exit, then restart apache. #+BEGIN_SRC: bash service apache2 restart #+END_SRC Now visit your web site at https://mydomainname.com and you should notice that there is no certificate warning displayed. You will now be able to install systems which don't allow the use of self-signed certificates, such as [[https://redmatrix.me/&JS=1][Red Matrix]]. * Deprecated The following items have been deprecated until such time as a successful installation is achieved. ** Install a VoIP server #+BEGIN_VERSE /Our core principles, whether in software or sovereignty, have always been about freedom and dignity, for all people, on an equal basis/ -- David Sugar, GNU Telephony #+END_VERSE *** The server Sipwitch is like an introduction service or phone book for SIP VoIP clients. Once introduced the clients can then talk directly, and this means that sipwitch is very lightweight and can run on low power systems such as the BBB. Edit your package sources: #+BEGIN_SRC: bash emacs /etc/apt/sources.list #+END_SRC Append the following line: #+BEGIN_SRC: bash deb http://dev.gnutelephony.org/archive/ wheezy/ #+END_SRC Save and exit. To load the repository the first time after adding it to the sources.list, since you do not have the verification keys already installed yet. Then do #+BEGIN_SRC: bash apt-get install gnutelephony-keyring #+END_SRC After that it will be happy to accept it as a signed repository. The verification keys can also be directly fetched with #+BEGIN_SRC: bash cd /tmp wget http://dev.gnutelephony.org/archive/wheezy/public.key #+END_SRC and manually added instead with #+BEGIN_SRC: bash apt-key add public.key #+END_SRC To make sure you have all dependencies, do #+BEGIN_SRC: bash apt-get update;apt-get dist-upgrade #+END_SRC Before we install anything, let's inspect what is available to us by using #+BEGIN_SRC: bash dpkg -l sipwitch #+END_SRC To see the main application. The columns will indicate if the package is installed, which version and a description of the package. Then do #+BEGIN_SRC: bash dpkg -l sipwitch-* #+END_SRC to see available supporting applications and plugins. Again, the columns will indicate if the package is installed, which version and a description of each of these. To install only the main application, do #+BEGIN_SRC: bash apt-get install sipwitch #+END_SRC and to install all supporting plugins: #+BEGIN_SRC: bash apt-get install sipwitch-plugin-scripting sipwitch-plugin-subscriber sipwitch-plugin-forward sipwitch-plugin-zeroconf #+END_SRC Add your user into the sipwitch group #+BEGIN_SRC: bash groupadd sipwitch groupadd sipusers usermod -aG sipwitch myusername usermod -aG sipusers myusername #+END_SRC Then edit the configuration #+BEGIN_SRC: bash emacs /etc/sipwitch.conf #+END_SRC Change the *mapped* value from 200 to 20, since we don't want to be serving huge numbers of calls. Alter the *range* value to 10, since we don't need a large number of extensions. This will mean that exension numbers 200 to 209 are available. Do not set the *realm* value, as doing so seems to prevent the server from working. Save and exit. Create a digest string for your username: #+BEGIN_SRC: bash sipwitch digest myusername #+END_SRC Make a note of the resulting string because you're going to use it in the users file you'll now create. #+BEGIN_SRC: bash export HOSTNAME=mydomainname.com touch /etc/sipwitch.d/$HOSTNAME.xml chmod 600 /etc/sipwitch.d/$HOSTNAME.xml emacs /etc/sipwitch.d/$HOSTNAME.xml #+END_SRC It should look something like the following: #+BEGIN_SRC: bash yourdigeststring 201 Your full name #+END_SRC Save and exit. Now edit the configuration. #+BEGIN_SRC: bash emacs /etc/default/sipwitch #+END_SRC Change "desktop" to "server", then save and exit. Update the IP settings: #+BEGIN_SRC: bash iptables -A INPUT -p tcp --dport 5060 -j ACCEPT iptables -A INPUT -p udp --dport 5060 -j ACCEPT iptables -A INPUT -p tcp --dport 5061 -j ACCEPT iptables -A INPUT -p udp --dport 5061 -j ACCEPT iptables-save #+END_SRC Test that it's working: #+BEGIN_SRC: bash pkill -9 sipw sipw -x9 -f #+END_SRC Then try to register with the server using a SIP client (such as Jitsi). If everything worked then use CTRL-C to exit. Then start the service. #+BEGIN_SRC: bash service sipwitch start #+END_SRC *** Clients **** Jitsi Download the latst version from https://jitsi.org/index.php/Main/Download TODO **** Twinkle client The client should have a user profile as following: The "user name" is the xxx id used in the entry of /etc/sipwitch.conf The "domain" is the yyy domain in the main config yyy entry of /etc/sipwitch.conf The SIP Authentication should have: realm = realm as set in of /etc/sipwitch.conf authentication name = entry, same as "User Name" field. password = value of zzz in entry of /etc/sipwitch.conf Under security tab, set "Enable ZRTP/SRTP encryption" **** Android TODO CSipSimple? ** Kune Kune is a collaboration tool aimed at not just socialising but also getting stuff done within a community. It's based upon Apache Wave (formerly Google Wave). #+BEGIN_SRC: bash apt-get install openjdk-6-jdk openjdk-7-jre mysql-server adduser dbconfig-common libjmagick6-jni #+END_SRC Add the Kune repository: #+BEGIN_SRC: bash emacs /etc/apt/sources.list #+END_SRC Append the following: #+BEGIN_SRC: bash deb ftp://ftp.kune.ourproject.org/pub/kune/debian/ stable/ #+END_SRC Save and exit, then install the Kune package. #+BEGIN_SRC: bash gpg --keyserver pgp.mit.edu --recv-keys 9E358A05 gpg --armor --export 9E358A05 | apt-key add - apt-get update apt-get install kune #+END_SRC You will be asked for the MySql root password and another password to be used with the Kune database. Allow the system to start automatically at boot. #+BEGIN_SRC: bash emacs /etc/default/kune #+END_SRC Set /START=yes/, then save and exit. #+BEGIN_SRC: bash service kune start #+END_SRC Now configure Apache. #+BEGIN_SRC: bash a2enmod expires a2enmod proxy a2enmod proxy_connect a2enmod proxy_http #+END_SRC Upgrade the database. #+BEGIN_SRC: bash mysql -p kune_prod < /usr/share/dbconfig-common/data/kune/upgrade/mysql/0.1.0+b5 mysql -p kune_prod < /usr/share/dbconfig-common/data/kune/upgrade/mysql/0.1.0+b6 mysql -p kune_prod < /usr/share/dbconfig-common/data/kune/upgrade/mysql/0.2.0+b12 mysql -p kune_prod < /usr/share/dbconfig-common/data/kune/upgrade/mysql/0.2.0+b23 mysql -p kune_prod < /usr/share/dbconfig-common/data/kune/upgrade/mysql/0.2.0+b25 #+END_SRC Edit the Apache configuration. #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/$HOSTNAME #+END_SRC ServerName YOURSERVERNAME ProxyRequests Off Order deny,allow Allow from all ExpiresActive On ExpiresDefault "modification plus 2 years" ExpiresActive Off ProxyPass /kune/ http://localhost:8888/ ProxyPassReverse /kune/ http://localhost:8888/ Order allow,deny Allow from all Within a browser open https://mydomainname.com:8888 See documentation in /usr/share/doc/kune/INSTALL.gz ** Loomio #+BEGIN_SRC: bash apt-get install imagemagick libmagickcore-dev postgresql libmagickwand-dev #+END_SRC psql -d postgres postgres=# create role postgres login createdb; postgres=# \q #+BEGIN_SRC: bash cd /srv git clone https://github.com/loomio/loomio.git cd /srv/loomio bundle install cp config/database.example.yml config/database.yml cp .example-env .env bundle exec rake db:create bundle exec rake db:schema:load bundle exec rake db:schema:load RAILS_ENV=test bundle exec rake db:seed #+END_SRC foreman start Edit the Apache configuration for your mediagoblin site. #+BEGIN_SRC: bash emacs /etc/apache2/sites-available/myloomiodomain #+END_SRC Delete the existing configuration (in Emacs it's CTRL-x h then CTRL-w) and paste the following, replacing /myloomiodomain/ with your mediagoblin domain name and /myusername@mydomainname.com/ with your email address. #+BEGIN_SRC: bash ServerAdmin myusername@mydomainname.com DocumentRoot /srv/myloomiodomain ServerName myloomiodomain Options FollowSymLinks AllowOverride None Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all LogLevel warn ProxyVia On ProxyRequests off ProxyPreserveHost on ProxyPass / http://localhost:3000/ ErrorLog "/var/log/apache2/error.log" CustomLog "/var/log/apache2/access.log" combined RewriteEngine On RewriteOptions Inherit #+END_SRC Save and exit. Now in a browser visit http://myloomiodomain and create a user. * Related projects * [[https://freedomboxfoundation.org/][Freedombox]] * [[https://arkos.io/][ArkOS]]