4444 lines
138 KiB
Plaintext
4444 lines
138 KiB
Plaintext
#+TITLE: FreedomBone
|
||
#+AUTHOR: Bob Mottram
|
||
#+EMAIL: bob@robotics.uk.to
|
||
#+KEYWORDS: freedombox, debian, beaglebone, friendica, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber, chat
|
||
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
|
||
#+OPTIONS: ^:nil
|
||
#+STYLE: <link rel="stylesheet" type="text/css" href="index.css" />
|
||
|
||
#+BEGIN_CENTER
|
||
*How to turn the Beaglebone Black into a FreedomBox-like personal communications server*
|
||
#+END_CENTER
|
||
|
||
#+CAPTION: BeagleBone Black
|
||
#+ATTR_HTML: :alt BeagleBone Black image :align center
|
||
[[[[./images/freedombone.jpg]]]]
|
||
|
||
#+BEGIN_CENTER
|
||
Copyright (C) 2014 Bob Mottram
|
||
|
||
Permission is granted to copy, distribute and/or modify this document under the terms of the [[https://gnu.org/licenses/fdl.html][GNU Free Documentation License]], Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
|
||
|
||
Source for this web site in [[https://en.wikipedia.org/wiki/Org-mode][Emacs org-mode]] format is available [[/beaglebone.txt][here]]. Comments or patches may be submitted via [[https://github.com/fuzzgun/freedombone][Github]].
|
||
#+END_CENTER
|
||
|
||
* Introduction
|
||
|
||
#+BEGIN_VERSE
|
||
/If you look at it from an engineering perspective, an iterative perspective, it’s clear that you have to try something rather than do nothing./
|
||
|
||
-- Edward J. Snowden
|
||
#+END_VERSE
|
||
|
||
** What is FreedomBone?
|
||
Today many of us rely upon "free" services in the cloud, such as Gmail, Facebook, Google+ and so on. It might appear that these services are indispensible infrastructure of the modern internet, but actually they're not strictly needed and the amount of value which they deliver to the average internet user is very marginal. It is possible to be a citizen of the internet and yet not use those things - to disintermediate the most well known companies and cut out their prurient or merely cringeworthy business models.
|
||
|
||
FreedomBone is a personal home communications server based upon the BeagleBone Black hardware. It's small and cheap and will allow you to use email, have your own web site and do social networking in a federated way without needing to rely upon any intermediary companies other than your ISP.
|
||
** Do I need any prior knowledge?
|
||
In these instructions only a minimal level of familiarity with Linux is assumed. It's assumed that you know the basics of the /nano/ and /emacs/ editors, but it would be simple to also use other editors if you prefer.
|
||
** Why should I do this?
|
||
You should consider doing this if you are a freedom-oriented sort of person and you want to maintain sovereignty over your information. Laws in many places in the world consider you to have relinquished any property rights over data which you put onto a server not owned by youself (i.e. owned by a third party, such as Google or Facebook).
|
||
|
||
If you don't like the idea of having all your communications intercepted and investigated by the Surveillance State then you should consider running a FreedomBone. If your profession involves maintaining confidentiality as an essential feature, such as legal or medical services, counselling, teaching or any sort of activism then you should consider running a FreedomBone.
|
||
|
||
As Eben Moglen noted in his now famous [[https://www.youtube.com/watch?v=QOEMv0S8AcA]["Freedom in The Cloud"]] talk the simple fact of you keeping your own internet logs (found in the /var/log directory) puts a certain amount of power in your hands and takes it away from parties who would otherwise sell that information without your knowledge or permission to advertisers or other shady outfits who may not have your best interests at heart.
|
||
** After it's installed will it need a lot of maintenance?
|
||
So long as the hardware is ok the amount of maintenance needed should be very small. Unlike on Windows based systems you don't need to defragment drives or mess about with anti-virus programs. I ran a similar Sheevaplug system between 2010 and 2013 with only occasional software updates or reboots, and uptime was probably 99% or better.
|
||
** Is it secure?
|
||
Nothing is totally secure or infallible. You could have the most secure technology and yet still use easy to guess passwords. This system will not defend you from an attacker who is actively trying to block or corrupt your communications, but I assume that doesn't apply in the majority of cases. Another thing to be aware of is that running a FreedomBone could make you more vulnerable to traffic analysis, since the server is associated with your home address and isn't a giant aggregation of users somewhere in the cloud. You need to weigh this alongside the additional legal protection which owning the server and having it in your own home gives you.
|
||
|
||
FreedomBone should be far more secure than using popular cloud-based services which have spying built into them as a core feature (although not one which is typically advertised), but it is not necessarily an impenetrable information fortress. This project is at least as much about achieving communications independence as it is about being able to do that securely.
|
||
** Will running a server all the time affect my electricity bill?
|
||
Hardly at all. The BeagleBone Black consumes very little power - less than 5W. It would even be potentially possible to run it from a solar panel.
|
||
* Inventory
|
||
|
||
#+BEGIN_VERSE
|
||
/You can’t help someone just by making a wish to do so, you have to take action./
|
||
|
||
-- Dalai Lama
|
||
#+END_VERSE
|
||
|
||
These instructions assume that you have the following ingredients.
|
||
|
||
** A BeagleBone Black (BBB)
|
||
|
||
It should come with a suitable USB cable for the initial setup. To make things look nicer you may also want to get a case for it.
|
||
|
||
** An internet connection
|
||
|
||
It is assumed that the most common situation is via a router installed at home. The router should have ethernet sockets on it and a web interface which allows you to forward ports (sometimes under the "firewall" settings), so that you can forward ssh and web traffic to the BBB.
|
||
|
||
** microSD card
|
||
|
||
To use as the main storage for the BBB. 16 or 32GB is fine, and can be obtained quite cheaply. Try to use Sandisk (class 10 or better) where possible and avoid cheaper cards which often have poor performance.
|
||
|
||
You may also need an SD card adaptor or USB card reader in order to flash the operating image to the microSD card. For instance, many laptops have an SD card slot but not a microSD slot.
|
||
|
||
** 5V/1A power supply
|
||
|
||
With a plug suitable for powering the BBB. If you have some device with a USB socket nearby you may also be able to just use that for electrical power. However, powering from the USB cable alone might result in crashes when the system is under load, depending upon how many milliamps can be supplied by the USB hub/socket. If the system crashes due to running out of power then you will see that the LEDs on the BBB are continuously on, rather than flashing.
|
||
|
||
** An ethernet patch cable
|
||
|
||
Just an ordinary cat5 or cat6 cable that you can get from most electrical/computer stores.
|
||
|
||
* Installing Debian onto the microSD card
|
||
|
||
The Debian Linux OS will be installed onto a small flash drive. It's a good idea to do this rather than using the internal flash, because it will allow you to easily create backups of the entire system if necessary using the dd command.
|
||
|
||
Download the image.
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd ~/
|
||
wget http://freedombone.uk.to/debian-7.2-console-armhf-2013-11-15.tar.xz
|
||
#+END_SRC
|
||
|
||
Verify it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
sha256sum debian-7.2-console-armhf-2013-11-15.tar.xz
|
||
262ea96d6bff530ad545e001eb2aa50b26a999c02f0c0e2e5f8536edf21c973a debian-7.2-console-armhf-2013-11-15.tar.xz
|
||
#+END_SRC
|
||
|
||
Uncompress it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
tar xJf debian-7.2-console-armhf-2013-11-15.tar.xz
|
||
cd debian-7.2-console-armhf-2013-11-15
|
||
#+END_SRC
|
||
|
||
Create the disk image, where sdX is the name of the flash drive (probably it will be sdb or sdc).
|
||
|
||
#+BEGIN_SRC: bash
|
||
sudo apt-get install u-boot-tools
|
||
sudo ./setup_sdcard.sh --mmc /dev/sdX --uboot bone --swap-file 1024
|
||
#+END_SRC
|
||
|
||
Once completed then safely remove the microSD card via your file manager (usually right click and "safely remove" or "eject").
|
||
|
||
* Setup
|
||
|
||
#+BEGIN_VERSE
|
||
/Build the tools for a future you would want to live in/
|
||
|
||
-- Kurt Opsahl
|
||
#+END_VERSE
|
||
|
||
** Things to be aware of
|
||
*** A note on ssh
|
||
When using ssh to log into the BBB if you get warnings of the type "/the ECDSA host key for domain differs from the key for the IP address/" then run the command:
|
||
|
||
#+BEGIN_SRC: bash
|
||
ssh-keygen -R <IP address>
|
||
#+END_SRC
|
||
*** Passwords
|
||
It's highly recommended that you use a password manager, such as KeepassX, and make all your passwords long random strings. It's also a good idea to use different passwords for different pieces of software, instead of one or two passwords for the whole system. That compartmentalises the security such that even if an attacker gains access to one system they can't necessarily get access to others.
|
||
*** HTTPS
|
||
Throughout these instructions self signed SSL certificates are used to implement access to web pages via HTTPS. The whole HTTPS security model upon which much of the internet currently rests seems broken in that it usually depends upon "trusted certificate authorities" who are not really trusted, except perhaps by the maintainers of certain web browser software. So all that HTTPS really guarantees is that you have an encrypted connection, but an encrypted connection /to who/ can be subject to doubt. As was seen in 2013 with the [[https://www.schneier.com/essay-455.html][information coming from Edward Snowden]], and also the [[http://en.wikipedia.org/wiki/Lavabit][Lavabit email service]], it's possible for companies/organisations to be compromised or bribed and SSL private keys for all users can be demanded using gagging orders or secret laws without any individual user ever being able to know that their communications is no longer secure..
|
||
|
||
Not knowing who you're really connecting to is especially true for self-signed certificates, so it is in principle possible that when logging into a site with a username and password a system such as [[http://arstechnica.com/tech-policy/2013/11/uk-spies-continue-quantum-insert-attack-via-linkedin-slashdot-pages/][Quantum Insert]], or a compromised [[http://en.wikipedia.org/wiki/Domain_Name_System][DNS service]], could be used to direct the user to a fake copy of the login screen for the purposes of obtaining their login details. While this doesn't seem to be a major problem at the time of writing it's something to keep in mind. So if you can't log in or if you log in and what you see doesn't look like your site then it's possible that such a compromise could have taken place. Using a password manager with different login details for each site is one way to ensure that if one system is compromised then the attacker can't necessarily get access to all your other stuff.
|
||
** Initial
|
||
|
||
Plug the microSD card into the BBB and Connect the USB cable to your laptop/desktop, then login via ssh.
|
||
|
||
#+BEGIN_SRC: bash
|
||
ssh debian@192.168.7.2
|
||
#+END_SRC
|
||
|
||
The default password is /temppwd/
|
||
|
||
Then log in as root:
|
||
|
||
#+BEGIN_SRC: bash
|
||
su
|
||
#+END_SRC
|
||
|
||
The default password is /root/
|
||
|
||
The first thing to do is to change the passwords from their defaults.
|
||
|
||
#+BEGIN_SRC: bash
|
||
passwd
|
||
#+END_SRC
|
||
|
||
Then you will need to change the network interfaces. The main task here is to comment out the stuff related to usb0. That will enable you to plug the BBB into the back of a router and for it to be detectable on the network.
|
||
|
||
#+BEGIN_SRC: bash
|
||
nano /etc/network/interfaces
|
||
#+END_SRC
|
||
|
||
The resulting interfaces file should look like this:
|
||
|
||
#+BEGIN_SRC: bash
|
||
# This file describes the network interfaces available on your system
|
||
# and how to activate them. For more information, see interfaces(5).
|
||
|
||
# The loopback network interface
|
||
auto lo
|
||
iface lo inet loopback
|
||
|
||
# The primary network interface
|
||
allow-hotplug eth0
|
||
iface eth0 inet static
|
||
address 192.168.1.60
|
||
netmask 255.255.255.0
|
||
gateway 192.168.1.254
|
||
dns-nameservers 213.73.91.35 85.214.20.141
|
||
# Example to keep MAC address between reboots
|
||
#hwaddress ether DA:AD:CE:EF:CA:FE
|
||
|
||
# WiFi Example
|
||
#auto wlan0
|
||
#iface wlan0 inet dhcp
|
||
# wpa-ssid "essid"
|
||
# wpa-psk "password"
|
||
|
||
# Ethernet/RNDIS gadget (g_ether)
|
||
# ... or on host side, usbnet and random hwaddr
|
||
# Note on some boards, usb0 is automaticly setup with an init script
|
||
# in that case, to completely disable remove file [run_boot-scripts] from the boot partition
|
||
#iface usb0 inet static
|
||
# address 192.168.7.2
|
||
# netmask 255.255.255.0
|
||
# network 192.168.7.0
|
||
# gateway 192.168.7.1
|
||
#+END_SRC
|
||
|
||
CTRL-O followed by ENTER to save, then CTRL-X to exit.
|
||
|
||
In the above example "address 192.168.1.60" is a static IP address for the BBB, which will allow incoming network traffic to be directed from the router in a reliable manner. It should be outside of the DHCP range set up on the router.
|
||
|
||
"gateway 192.168.1.254" should be the IP address of the router.
|
||
|
||
Note that setting the DNS servers with dns-nameservers is important because some home routers do not allow you to change the DNS settings.
|
||
|
||
Edit resolv.conf.
|
||
|
||
#+BEGIN_SRC: bash
|
||
nano /etc/resolv.conf
|
||
#+END_SRC
|
||
|
||
It should look something like the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
domain localdomain
|
||
search localdomain
|
||
nameserver 213.73.91.35
|
||
nameserver 85.214.20.141
|
||
#+END_SRC
|
||
|
||
CTRL-O followed by ENTER to save, then CTRL-X to exit.
|
||
|
||
Now disconnect the BBB from your computer and plug it into the router. You'll need an ethernet patch cable and you may also need a 5V/1A power supply for the BBB.
|
||
|
||
If you go to the web administration screen for your internet router (often it's on 192.168.2.1 or 192.168.1.254) then after a few minutes you should see the BBB appear on the network. It's name will be "arm".
|
||
|
||
** Add a user
|
||
|
||
Ssh back in to the BBB and login as root. In this example the BBB's IP address is 192.168.1.60.
|
||
|
||
#+BEGIN_SRC: bash
|
||
ssh-keygen -f "/home/myusername/.ssh/known_hosts" -R 192.168.1.60
|
||
ssh debian@192.168.1.60
|
||
su
|
||
#+END_SRC
|
||
|
||
Then make a new user. It's a bad idea to add users to the sudo group, because that then means that an attacker potentially only needs to know one password in order to get administrator access to the system. With no sudoers an attacker needs to know, or be able to obtain, two separate passwords to be able to really compromise the system.
|
||
|
||
#+BEGIN_SRC: bash
|
||
adduser myusername
|
||
#+END_SRC
|
||
|
||
Exit from the ssh login by typing "exit" a couple of times, then ssh back in as the new user. Make sure you use a difficult to guess password/phrase, or ideally a randomly generated password used together with a password manager such as KeepassX.
|
||
|
||
Remove the default debian user.
|
||
|
||
#+BEGIN_SRC: bash
|
||
userdel -r debian
|
||
#+END_SRC
|
||
|
||
** Text editor
|
||
|
||
For an editor which is less erratic than vi when used within a remote console such as Terminator.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get update
|
||
apt-get install emacs
|
||
#+END_SRC
|
||
|
||
Some basic Emacs keys which will be useful to new users are:
|
||
|
||
| Load a file | CTRL-x CTRL-f |
|
||
| Save | CTRL-x CTRL-s |
|
||
| Exit | CTRL-x CTRL-c |
|
||
|
||
** Create a swap file
|
||
|
||
Without a swap file the system may occasionally run out of memory and crash, since the Beaglebone only has 512MB of RAM. The following commands will create a 1GB swap file:
|
||
|
||
#+BEGIN_SRC: bash
|
||
mkdir -p /var/cache/swap/
|
||
dd if=/dev/zero of=/var/cache/swap/swapfile bs=1M count=1024
|
||
chmod 600 /var/cache/swap/swapfile
|
||
mkswap /var/cache/swap/swapfile
|
||
swapon /var/cache/swap/swapfile
|
||
#+END_SRC
|
||
|
||
To tell the OS to load this swapfile on each start up.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/fstab
|
||
#+END_SRC
|
||
|
||
Append the following line:
|
||
|
||
#+BEGIN_SRC: bash
|
||
/var/cache/swap/swapfile none swap sw 0 0
|
||
#+END_SRC
|
||
|
||
Then save and exit.
|
||
|
||
To verify that the swapfile is accessilble type /top/ and look for the line which begins with "KiB Swap". Probably there will be zero bytes used, but this might be non-zero when the system is under some load (for example getting a lot of web views or being crawled by a search engine). CTRL-C exits from the /top/ command.
|
||
|
||
** Enable backports
|
||
|
||
To enable some newer packages add backports to the repositories.
|
||
|
||
#+BEGIN_SRC: bash
|
||
echo "deb http://ftp.us.debian.org/debian wheezy-backports main" >> /etc/apt/sources.list
|
||
apt-get update
|
||
apt-get dist-upgrade
|
||
#+END_SRC
|
||
|
||
** Random number generation
|
||
|
||
#+BEGIN_VERSE
|
||
/Near as I can tell, the answer on what has been requested is everything: deliberate weakenings of encryption algorithms, deliberate weakenings of random number generations, copies of master keys, encryption of the session key with an NSA-specific key … everything./
|
||
|
||
-- Bruce Schneier, on the 2013 leaked NSA documents
|
||
#+END_VERSE
|
||
|
||
|
||
The security of encryption depends upon the randomness of the random source used on your system. If it isn't very random then it may be far more vulnerable to cryptanalysis, and it's known that in the past some dubious agencies have encouraged the use of flawed random number generators to assist with their prurient activities. Randomness - typically referred to as /entropy/ - is often gathered from factors such as the timing of key presses or mouse movements, but since the BBB won't have such devices plugged into it this reduces the amount of entropy available.
|
||
|
||
To improve entropy generation there are two options. One is to install a kernel module which enables the hardware crypto available on the BBB, but that's a bit complicated and might have some stability implications. The other option is to install [[http://www.issihosts.com/haveged/][havegd]]. While not as good as a true hardware random number generator, havegd is better than the default pseudo-random number generation within the Linux kernel. To install it:
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install haveged
|
||
#+END_SRC
|
||
|
||
At the time of writing there is also some hardware called [[http://beagleboard.org/project/CryptoCape/][cryptocape]] being developed, with the intention of adding extra random number generation capabilities to the BBB.
|
||
|
||
** Alter ssh configuration
|
||
|
||
Altering the ssh configuration will make it a little more secure than the standard Debian settings.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/ssh/sshd_config
|
||
#+END_SRC
|
||
|
||
Check the following values:
|
||
|
||
#+BEGIN_SRC: bash
|
||
PermitRootLogin no
|
||
X11Forwarding no
|
||
ServerKeyBits 4096
|
||
Protocol 2
|
||
PermitEmptyPasswords no
|
||
StrictModes yes
|
||
#+END_SRC
|
||
|
||
Append the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
|
||
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
|
||
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
|
||
#+END_SRC
|
||
|
||
CTRL-X CTRL-S to save, then CTRL-X CTRL-C to exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service ssh restart
|
||
#+END_SRC
|
||
|
||
To test the new settings log out by typing "exit" a couple of times, then log back in again with:
|
||
|
||
#+BEGIN_SRC: bash
|
||
ssh -vvv myusername@192.168.1.60
|
||
#+END_SRC
|
||
|
||
and check that some number of bits are set within a 4096 bit sized key:
|
||
|
||
#+BEGIN_SRC: bash
|
||
debug2: bits set: */4096
|
||
#+END_SRC
|
||
|
||
** Getting onto the web
|
||
Create a subdomain on [[http://freedns.afraid.org][freeDNS]]. You may need to click on "/subdomains/" a couple of times. FreeDNS is preferred because it is one of the few domain name providers which supports genuinely free (as in beer) accounts. So if your budget is tiny or non-existent you can still participate as a first class citizen of the internet. If you do have money to spend there is also a premium option.
|
||
|
||
Select "/dynamic DNS/" then click "/quick cron example/"
|
||
|
||
An example would look like:
|
||
|
||
#+BEGIN_SRC: bash
|
||
4,9,14,19,24,29,34,39,44,49,54,59 * * * * root sleep 29 ; wget -O - http://free\ dns.afraid.org/dynamic/update.php?ABCKDNRCLFHENSLKNFEGSBFLFF== >> /\ tmp/freedns_mysubdomain_us_to.log 2>&1 &
|
||
#+END_SRC
|
||
|
||
Edit */etc/crontab* and append that to the end of the file.
|
||
|
||
Via your router's firewall settings you should now open port 22 (secure shell). This will allow you to ssh into your BBB from any location - not just your own local network.
|
||
|
||
The freeDNS subdomain which you just created will hereafter just be refered to as "/your domain name/".
|
||
|
||
** Set the host name
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/hostname
|
||
#+END_SRC
|
||
|
||
CTRL-x CTRL-s to save, then CTRL-x CTRL-c to exit.
|
||
|
||
Also issue the command, replacing /mydomainname.com/ with your domain name.
|
||
|
||
#+BEGIN_SRC: bash
|
||
hostname mydomainname.com
|
||
#+END_SRC
|
||
|
||
You may also need to assign the same hostname separately via your router's web interface.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/hosts
|
||
#+END_SRC
|
||
|
||
Append the following, replacing /mydomainname.com/ with your domain name.
|
||
|
||
#+BEGIN_SRC: bash
|
||
127.0.1.1 mydomainname.com
|
||
#+END_SRC
|
||
|
||
If you then run the command:
|
||
|
||
#+BEGIN_SRC: bash
|
||
hostname -f
|
||
#+END_SRC
|
||
|
||
it should return your domain name.
|
||
|
||
** Install NTP
|
||
|
||
To synchronise time.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install ntp
|
||
#+END_SRC
|
||
|
||
** Install fail2ban
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install fail2ban
|
||
#+END_SRC
|
||
|
||
** Set up a firewall
|
||
|
||
#+BEGIN_VERSE
|
||
/The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder/
|
||
|
||
-- NBC News article: /War on Anonymous: British Spies Attacked Hackers, Snowden Docs Show/
|
||
#+END_VERSE
|
||
|
||
A basic firewall limits the maximum rate at which connections can be made and closes any unused ports, and this helps to defend against various kinds of DDOS attack.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install portsentry
|
||
emacs /etc/portsentry/portsentry.conf
|
||
#+END_SRC
|
||
|
||
Uncomment the entry for *iptables support for Linux*
|
||
|
||
Set the following properties:
|
||
|
||
#+BEGIN_SRC: bash
|
||
TCP_PORTS="1,7,9,11,15,79,109,110,111,119,138,139,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
|
||
UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
|
||
|
||
ADVANCED_EXCLUDE_TCP="113,139,70,80,443,143,6670,993,5060,5061,25,465,22,5222,5223,5269,5280,5281,8444"
|
||
ADVANCED_EXCLUDE_UDP="520,138,137,67,70,80,443,143,6670,993, 5060,5061,25,465,22,5222,5223,5269,5280,5281,8444"
|
||
|
||
SCAN_TRIGGER="2"
|
||
|
||
BLOCK_UDP="2"
|
||
BLOCK_TCP="2"
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service portsentry restart
|
||
emacs /tmp/firewall.sh
|
||
#+END_SRC
|
||
|
||
Enter the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/bash
|
||
|
||
# Enable syn cookies
|
||
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
||
|
||
# Other settings
|
||
echo 1 > /proc/sys/net/ipv4/tcp_keepalive_probes
|
||
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
|
||
echo 1 > /proc/sys/net/ipv4/tcp_syn_retries
|
||
|
||
# First of all delete any existing rules.
|
||
# This means you're back to a known state:
|
||
iptables -P INPUT ACCEPT
|
||
iptables -F
|
||
iptables -X
|
||
|
||
# Drop access to unused ports
|
||
iptables -A INPUT -p tcp --destination-port 1 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 7 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 109:111 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 995 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 139 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 6000:6001 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 9 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 79 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 515 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 4001 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 1524 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 1080 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 512:514 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 31337 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 2000:2001 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 12345 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 32771:32774 -j DROP
|
||
iptables -A INPUT -p tcp --destination-port 4000 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 1 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 7 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 109:111 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 995 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 139 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 6000:6001 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 9 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 79 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 515 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 4001 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 1524 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 1080 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 512:514 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 31337 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 2000:2001 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 12345 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 32771:32774 -j DROP
|
||
iptables -A INPUT -p udp --destination-port 4000 -j DROP
|
||
|
||
# Make sure NEW incoming tcp connections are SYN packets
|
||
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
||
|
||
# Drop packets with incoming fragments
|
||
iptables -A INPUT -f -j DROP
|
||
|
||
# Incoming malformed XMAS packets drop them
|
||
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
||
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
|
||
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
|
||
|
||
# Incoming malformed NULL packets:
|
||
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
||
|
||
# Drop UDP to used ports
|
||
iptables -A INPUT -p udp --match multiport --dports 70,80,443,143,6670,993,5060,5061,25 -j DROP
|
||
iptables -A INPUT -p udp --match multiport --dports 465,22,5222,5223,5269,5280,5281,8444 -j DROP
|
||
|
||
# Limit ssh logins
|
||
iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
|
||
|
||
# Limit web connections
|
||
iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||
iptables -A INPUT -p tcp --dport 443 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||
|
||
# Limit number of XMPP connections
|
||
iptables -A INPUT -p tcp --match multiport --dports 5222:5223,5269,5280:5281 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||
|
||
# Limit NNTP connections
|
||
iptables -A INPUT -p tcp --dport 119 -m limit --limit 5/minute --limit-burst 1 -j ACCEPT
|
||
|
||
# Limit IRC connections
|
||
iptables -A INPUT -p tcp --dport 6666:6670 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||
|
||
# Limit gopher connections
|
||
iptables -A INPUT -p tcp --dport 70 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||
|
||
# Limit IMAP connections
|
||
iptables -A INPUT -p tcp --dport 143 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||
iptables -A INPUT -p tcp --dport 993 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||
|
||
# Limit SIP connections
|
||
iptables -A INPUT -p tcp --dport 5060:5061 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||
|
||
# Limit SMTP/SMTPS connections
|
||
iptables -A INPUT -p tcp --dport 25 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
|
||
iptables -A INPUT -p tcp --dport 465 -m limit --limit 3/minute --limit-burst 1 -j ACCEPT
|
||
|
||
# Limit Bitmessage connections
|
||
iptables -A INPUT -p tcp --dport 8444 -m limit --limit 10/minute --limit-burst 1 -j ACCEPT
|
||
|
||
# Limit the number of incoming tcp connections
|
||
# Interface 0 incoming syn-flood protection
|
||
iptables -N syn_flood
|
||
iptables -A INPUT -p tcp --syn -j syn_flood
|
||
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
|
||
iptables -A syn_flood -j DROP
|
||
|
||
# Limiting the incoming icmp ping request:
|
||
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
|
||
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
|
||
iptables -A INPUT -p icmp -j DROP
|
||
iptables -A OUTPUT -p icmp -j ACCEPT
|
||
|
||
# Save the settings
|
||
iptables-save > /etc/firewall.conf
|
||
echo '#!/bin/sh' > /etc/network/if-up.d/iptables
|
||
echo 'iptables-restore < /etc/firewall.conf' >> /etc/network/if-up.d/iptables
|
||
chmod +x /etc/network/if-up.d/iptables
|
||
#+END_SRC
|
||
|
||
Save and exit
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod +x /tmp/firewall.sh
|
||
. /tmp/firewall.sh
|
||
rm /tmp/firewall.sh
|
||
#+END_SRC
|
||
|
||
Also disable ping. This may be inconvenient to some extent, but it seems common for malicious systems, including but not limited to the [[http://www.nbcnews.com/news/investigations/snowden-docs-british-spies-used-sex-dirty-tricks-n23091][JTRIG "EFFECTS" team]], to try to disable the machine by flooding it with pings. These days there seems to be not much difference between "cybercrime" and nefarious state-sponsored internet activities.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/sysctl.conf
|
||
#+END_SRC
|
||
|
||
Uncomment or change the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
net.ipv4.conf.all.accept_redirects = 0
|
||
net.ipv6.conf.all.accept_redirects = 0
|
||
net.ipv4.conf.all.send_redirects = 0
|
||
net.ipv4.conf.all.accept_source_route = 0
|
||
net.ipv6.conf.all.accept_source_route = 0
|
||
net.ipv4.conf.default.rp_filter=1
|
||
net.ipv4.conf.all.rp_filter=1
|
||
#+END_SRC
|
||
|
||
And append the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
# ignore pings
|
||
net.ipv4.icmp_echo_ignore_all = 1
|
||
#+END_SRC
|
||
|
||
Save and exit. It may be a good idea to reboot at this point and then log back into the BBB using ssh. You can do a safe reboot of the system by typing:
|
||
|
||
#+BEGIN_SRC: bash
|
||
reboot
|
||
#+END_SRC
|
||
|
||
** Install Email
|
||
|
||
#+BEGIN_VERSE
|
||
/If you knew what I know about email, you might not use it/
|
||
|
||
-- Ladar Levison
|
||
#+END_VERSE
|
||
|
||
Email is not very secure, but its usefulness and ubiquity mean that it's likely to continue as a primary communications method for many years to come. You can encrypt the contents of email using PGP/GPG, but very few people do that and even for those that do the metadata (the From/To/CC/BCC) is always transmitted in the clear as a fundamental aspect of the protocol, allowing an attacker to easily construct detailed models of people's social network and life patterns even without knowing the content.
|
||
|
||
Exim4 seems much easier to install and configure than Postfix.
|
||
|
||
#+BEGIN_SRC: bash
|
||
aptitude install exim4 sasl2-bin swaks libnet-ssleay-perl
|
||
#+END_SRC
|
||
|
||
You will be prompted to remove postfix. Say yes and yes again.
|
||
|
||
#+BEGIN_SRC: bash
|
||
dpkg-reconfigure exim4-config
|
||
#+END_SRC
|
||
|
||
Settings as follows:
|
||
|
||
#+BEGIN_SRC: bash
|
||
internet site
|
||
|
||
System mail name: mydomainname.com
|
||
|
||
IP addresses to listen on: blank
|
||
|
||
Destinations: mydomainname.com
|
||
|
||
Domains to relay mail: blank
|
||
|
||
Smarthost Relay: 192.168.1.0/60 (the range of addresses on your LAN)
|
||
|
||
Dial on demand = no
|
||
|
||
Maildir format in home directory
|
||
|
||
Split configuration = no
|
||
|
||
Root and postmaster: root email
|
||
#+END_SRC
|
||
|
||
To test the installation:
|
||
|
||
#+BEGIN_SRC: bash
|
||
telnet 192.168.1.60 25
|
||
ehlo xxx
|
||
quit
|
||
#+END_SRC
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/default/saslauthd
|
||
#+END_SRC
|
||
|
||
set START=yes then save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
/etc/init.d/saslauthd start
|
||
emacs exim-gencert
|
||
#+END_SRC
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/sh -e
|
||
|
||
if [ -n "$EX4DEBUG" ]; then
|
||
echo "now debugging $0 $@"
|
||
set -x
|
||
fi
|
||
|
||
DIR=/etc/exim4
|
||
CERT=$DIR/exim.crt
|
||
KEY=$DIR/exim.key
|
||
|
||
# This exim binary was built with GnuTLS which does not support dhparams
|
||
# from a file. See /usr/share/doc/exim4-base/README.Debian.gz
|
||
#DH=$DIR/exim.dhparam
|
||
|
||
if ! which openssl > /dev/null ;then
|
||
echo "$0: openssl is not installed, exiting" 1>&2
|
||
exit 1
|
||
fi
|
||
|
||
# valid for ten years
|
||
DAYS=3650
|
||
|
||
if [ "$1" != "--force" ] && [ -f $CERT ] && [ -f $KEY ]; then
|
||
echo "[*] $CERT and $KEY exists!"
|
||
echo " Use \"$0 --force\" to force generation!"
|
||
exit 0
|
||
fi
|
||
|
||
if [ "$1" = "--force" ]; then
|
||
shift
|
||
fi
|
||
|
||
#SSLEAY=/tmp/exim.ssleay.$$.cnf
|
||
SSLEAY="$(tempfile -m600 -pexi)"
|
||
cat > $SSLEAY <<EOM
|
||
RANDFILE = $HOME/.rnd
|
||
[ req ]
|
||
default_bits = 4096
|
||
default_keyfile = exim.key
|
||
distinguished_name = req_distinguished_name
|
||
[ req_distinguished_name ]
|
||
countryName = Country Code (2 letters)
|
||
countryName_default = GB
|
||
countryName_min = 2
|
||
countryName_max = 2
|
||
stateOrProvinceName = State or Province Name (full name)
|
||
localityName = Locality Name (eg, city)
|
||
organizationName = Organization Name (eg, company; recommended)
|
||
organizationName_max = 64
|
||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||
organizationalUnitName_max = 64
|
||
commonName = Server name (eg. ssl.domain.tld; required!!!)
|
||
commonName_max = 64
|
||
emailAddress = Email Address
|
||
emailAddress_max = 40
|
||
EOM
|
||
|
||
echo "[*] Creating a self signed SSL certificate for Exim!"
|
||
echo " This may be sufficient to establish encrypted connections but for"
|
||
echo " secure identification you need to buy a real certificate!"
|
||
echo " "
|
||
echo " Please enter the hostname of your MTA at the Common Name (CN) prompt!"
|
||
echo " "
|
||
|
||
openssl req -config $SSLEAY -x509 -sha256 -newkey rsa:4096 -keyout $KEY -out $CERT -days $DAYS -nodes
|
||
#see README.Debian.gz*# openssl dhparam -check -text -5 512 -out $DH
|
||
rm -f $SSLEAY
|
||
|
||
chown root:Debian-exim $KEY $CERT $DH
|
||
chmod 640 $KEY $CERT $DH
|
||
|
||
echo "[*] Done generating self signed certificates for exim!"
|
||
echo " Refer to the documentation and example configuration files"
|
||
echo " over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS"
|
||
echo " support in your mail transfer agent."
|
||
#+END_SRC
|
||
|
||
Save and exit
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod +x exim-gencert
|
||
./exim-gencert
|
||
#+END_SRC
|
||
|
||
This will generate the certificate used for email authentication. You will be asked for various details, the most important of which is the server name, which should be your domain name.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/exim4/exim4.conf.template
|
||
#+END_SRC
|
||
|
||
Append the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
login_saslauthd_server:
|
||
driver = plaintext
|
||
public_name = LOGIN
|
||
server_prompts = "Username:: : Password::"
|
||
# don't send system passwords over unencrypted connections
|
||
server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
|
||
server_set_id = $auth1
|
||
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
|
||
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
|
||
.endif
|
||
#+END_SRC
|
||
|
||
Search for the line *.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME* and above it insert the line:
|
||
|
||
#+BEGIN_SRC: bash
|
||
MAIN_HARDCODE_PRIMARY_HOSTNAME = mydomainname.com
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/exim4/exim4.conf.template
|
||
#+END_SRC
|
||
|
||
Add the line:
|
||
|
||
#+BEGIN_SRC: bash
|
||
MAIN_TLS_ENABLE = true
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/default/exim4
|
||
change SMTPLISTENEROPTIONS to:
|
||
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
|
||
#+END_SRC
|
||
|
||
save and exit
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/exim4/exim4.conf.template
|
||
under the section "main/03_exim4-config_tlsoptions"
|
||
Add the following:
|
||
tls_on_connect_ports=465
|
||
#+END_SRC
|
||
|
||
save and exit
|
||
|
||
#+BEGIN_SRC: bash
|
||
adduser myusername sasl
|
||
addgroup Debian-exim sasl
|
||
/etc/init.d/exim4 restart
|
||
mkdir /etc/skel/Maildir
|
||
#+END_SRC
|
||
|
||
** Spam filtering
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install spamassassin exim4-daemon-heavy
|
||
emacs /etc/default/spamassassin
|
||
#+END_SRC
|
||
|
||
Set ENABLED=1 then save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/exim4/exim4.conf.template
|
||
#+END_SRC
|
||
|
||
uncomment or change according to your configuration
|
||
|
||
#+BEGIN_SRC: bash
|
||
# For spam scanning, there is a similar option that defines the interface to
|
||
# SpamAssassin. You do not need to set this if you are using the default, which
|
||
# is shown in this commented example. As for virus scanning, you must also
|
||
# modify the acl_check_data access control list to enable spam scanning.
|
||
|
||
spamd_address = 127.0.0.1 783
|
||
#+END_SRC
|
||
|
||
add spam header in the /acl_check_data/ section:
|
||
|
||
#+BEGIN_SRC: bash
|
||
### acl/40_exim4-config_check_data
|
||
#################################
|
||
|
||
# This ACL is used after the contents of a message have been received. This
|
||
# is the ACL in which you can test a message's headers or body, and in
|
||
# particular, this is where you can invoke external virus or spam scanners.
|
||
|
||
acl_check_data:
|
||
...
|
||
...
|
||
...
|
||
# See the exim docs and the exim wiki for more suitable examples.
|
||
#
|
||
# warn
|
||
# spam = Debian-exim:true
|
||
# add_header = X-Spam_score: $spam_score\n\
|
||
# X-Spam_score_int: $spam_score_int\n\
|
||
# X-Spam_bar: $spam_bar\n\
|
||
# X-Spam_report: $spam_report
|
||
|
||
# put headers in all messages (no matter if spam or not)
|
||
warn spam = nobody:true
|
||
add_header = X-Spam-Score: $spam_score ($spam_bar)
|
||
add_header = X-Spam-Report: $spam_report
|
||
|
||
# add second subject line with *SPAM* marker when message
|
||
# is over threshold
|
||
warn spam = nobody
|
||
add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
Then restart
|
||
|
||
#+BEGIN_SRC: bash
|
||
exit
|
||
emacs ~/.procmailrc
|
||
#+END_SRC
|
||
|
||
The text should look like the following.
|
||
|
||
#+BEGIN_SRC: sh
|
||
MAILDIR=$HOME/Maildir
|
||
DEFAULT=$MAILDIR/
|
||
LOGFILE=$HOME/log/procmail.log
|
||
LOGABSTRACT=all
|
||
|
||
# get spamassassin to check emails
|
||
:0fw: .spamassassin.lock
|
||
* < 256000
|
||
| spamc
|
||
|
||
# strong spam are discarded
|
||
:0
|
||
* ^X-Spam-Level: \*\*\*\*\*\*
|
||
/dev/null
|
||
|
||
# weak spam are kept just in case - clear this out every now and then
|
||
:0
|
||
* ^X-Spam-Level: \*\*\*\*\*
|
||
.0-spam/
|
||
|
||
# if it wasn't detected as spam, but is to a fake address, then we
|
||
# know it is spam, so learn from that
|
||
:0
|
||
* !^(From|To|cc|bcc)[ :].*($USER|root|webmaster|admin|postmaster).*@acooke\.org
|
||
* !^(From|To|cc|bcc)[ :].*@isti\.com
|
||
# add mailing lists below
|
||
* !^From[ :].*(snowmail_daily@...|Section@...|rforno@...|alert@...).*
|
||
{
|
||
# save in case of screw-ups, mailing lists, etc
|
||
:0 c
|
||
.0-spam/
|
||
:0
|
||
.learn-spam/
|
||
}
|
||
|
||
# otherwise, marginal spam goes here for revision
|
||
:0
|
||
* ^X-Spam-Level: \*\*
|
||
.spam/
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
su
|
||
emacs /usr/bin/filterspam
|
||
#+END_SRC
|
||
|
||
Add the following contents:
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/bash
|
||
|
||
USERNAME=$1
|
||
MAILDIR=/home/$USERNAME/Maildir/.learn-spam
|
||
|
||
if [ ! -d "$MAILDIR" ]; then
|
||
exit
|
||
fi
|
||
|
||
for f in `ls $MAILDIR/cur`
|
||
do
|
||
spamc -L spam < "$MAILDIR/cur/$f" > /dev/null
|
||
rm "$MAILDIR/cur/$f"
|
||
done
|
||
for f in `ls $MAILDIR/new`
|
||
do
|
||
spamc -L spam < "$MAILDIR/new/$f" > /dev/null
|
||
rm "$MAILDIR/new/$f"
|
||
done
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /usr/bin/filterham
|
||
#+END_SRC
|
||
|
||
Add the following contents:
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/bash
|
||
|
||
USERNAME=$1
|
||
MAILDIR=/home/$USERNAME/Maildir/.learn-ham
|
||
|
||
if [ ! -d "$MAILDIR" ]; then
|
||
exit
|
||
fi
|
||
|
||
for f in `ls $MAILDIR/cur`
|
||
do
|
||
spamc -L ham < "$MAILDIR/cur/$f" > /dev/null
|
||
rm "$MAILDIR/cur/$f"
|
||
done
|
||
for f in `ls $MAILDIR/new`
|
||
do
|
||
spamc -L ham < "$MAILDIR/new/$f" > /dev/null
|
||
rm "$MAILDIR/new/$f"
|
||
done
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/crontab
|
||
#+END_SRC
|
||
|
||
Append the following, replacing *myusername* with your username.
|
||
|
||
#+BEGIN_SRC: bash
|
||
*/3 * * * * root /usr/bin/filterspam myusername
|
||
*/3 * * * * root /usr/bin/filterham myusername
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod 655 /usr/bin/filterspam /usr/bin/filterham
|
||
service spamassassin restart
|
||
service exim4 restart
|
||
service cron restart
|
||
#+END_SRC
|
||
|
||
** Install Dovecot
|
||
|
||
Install the required packages.
|
||
|
||
#+BEGIN_SRC: bash
|
||
aptitude -y install dovecot-common dovecot-pop3d dovecot-imapd
|
||
#+END_SRC
|
||
|
||
Edit the configuration file.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/dovecot/dovecot.conf
|
||
#+END_SRC
|
||
|
||
Line 26: change:
|
||
|
||
#+BEGIN_SRC: bash
|
||
listen = *
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/dovecot/conf.d/10-auth.conf
|
||
#+END_SRC
|
||
|
||
Line 9: uncomment and change (allow plain text auth)
|
||
|
||
#+BEGIN_SRC: bash
|
||
disable_plaintext_auth = no
|
||
#+END_SRC
|
||
|
||
Line 99: add:
|
||
|
||
#+BEGIN_SRC: bash
|
||
auth_mechanisms = plain login
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/dovecot/conf.d/10-mail.conf
|
||
#+END_SRC
|
||
|
||
Line 30: uncomment and add:
|
||
|
||
#+BEGIN_SRC: bash
|
||
mail_location = maildir:~/Maildir
|
||
#+END_SRC
|
||
|
||
Save and exit, then start the dovecot service.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service dovecot restart
|
||
#+END_SRC
|
||
|
||
** Setting up a web site
|
||
|
||
#+BEGIN_VERSE
|
||
/It's important to have the geek community as a whole think about its responsibility and what it can do. We need various alternative voices pushing back on conventional government sometimes./
|
||
|
||
-- Tim Berners-Lee
|
||
#+END_VERSE
|
||
|
||
Edit the apache configuration so that it doesn't run out of memory if there are a lot of connections.
|
||
|
||
#+BEGIN_SRC: bash
|
||
su
|
||
emacs /etc/apache2/apache2.conf
|
||
#+END_SRC
|
||
|
||
Search for MaxClients and replace the value with 10 then save and exit.
|
||
|
||
In the examples below replace mydomainname.com with your own domain.
|
||
|
||
#+BEGIN_SRC: bash
|
||
export HOSTNAME=mydomainname.com
|
||
mkdir /var/www/$HOSTNAME
|
||
mkdir /var/www/$HOSTNAME/htdocs
|
||
emacs /etc/apache2/sites-available/$HOSTNAME
|
||
#+END_SRC
|
||
|
||
The Apache configuration for the site should look something like the following. Replace /mydonainname.com/ with the site domain name.
|
||
|
||
#+BEGIN_SRC: bash
|
||
<VirtualHost *:80>
|
||
ServerAdmin myusername@mydomainname.com
|
||
ServerName mydomainname.com
|
||
|
||
DocumentRoot /var/www/mydomainname.com/htdocs
|
||
<Directory />
|
||
Options FollowSymLinks
|
||
AllowOverride All
|
||
</Directory>
|
||
<Directory /var/www/mydomainname.com/htdocs/>
|
||
Options All
|
||
AllowOverride All
|
||
Order allow,deny
|
||
allow from all
|
||
</Directory>
|
||
|
||
# Don't serve .php~ or .php# files created by emacs
|
||
<Files ~ "(^#.*#|~|\.sw[op])$">
|
||
Order allow,deny
|
||
Deny from all
|
||
</Files>
|
||
|
||
<IfModule headers_module>
|
||
Header set X-Content-Type-Options nosniff
|
||
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private"
|
||
Header set Pragma no-cache
|
||
</IfModule>
|
||
|
||
<Files .htaccess>
|
||
deny from all
|
||
</Files>
|
||
|
||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||
<Directory "/usr/lib/cgi-bin">
|
||
AllowOverride All
|
||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||
Order allow,deny
|
||
Allow from all
|
||
</Directory>
|
||
|
||
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||
|
||
# Possible values include: debug, info, notice, warn, error, crit,
|
||
# alert, emerg.
|
||
LogLevel error
|
||
|
||
CustomLog ${APACHE_LOG_DIR}/access.log combined
|
||
</VirtualHost>
|
||
|
||
<IfModule mod_ssl.c>
|
||
<VirtualHost *:443>
|
||
ServerAdmin myusername@mydomainname.com
|
||
ServerName mydomainname.com
|
||
|
||
DocumentRoot /var/www/mydomainname.com/htdocs
|
||
<Directory />
|
||
Options FollowSymLinks
|
||
AllowOverride All
|
||
</Directory>
|
||
<Directory /var/www/mydomainname.com/htdocs/>
|
||
Options All
|
||
AllowOverride All
|
||
Order allow,deny
|
||
allow from all
|
||
</Directory>
|
||
|
||
# Don't serve .php~ or .php# files created by emacs
|
||
<Files ~ "(^#.*#|~|\.sw[op])$">
|
||
Order allow,deny
|
||
Deny from all
|
||
</Files>
|
||
|
||
<IfModule headers_module>
|
||
Header set X-Content-Type-Options nosniff
|
||
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private"
|
||
Header set Pragma no-cache
|
||
</IfModule>
|
||
|
||
<Files .htaccess>
|
||
deny from all
|
||
</Files>
|
||
|
||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||
<Directory "/usr/lib/cgi-bin">
|
||
AllowOverride All
|
||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||
Order allow,deny
|
||
Allow from all
|
||
</Directory>
|
||
|
||
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||
|
||
# Possible values include: debug, info, notice, warn, error, crit,
|
||
# alert, emerg.
|
||
LogLevel error
|
||
|
||
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
|
||
|
||
# SSL Engine Switch:
|
||
# Enable/Disable SSL for this virtual host.
|
||
SSLEngine on
|
||
|
||
# A self-signed certificate
|
||
SSLCertificateFile /etc/ssl/certs/mydomainname.com.crt
|
||
SSLCertificateKeyFile /etc/ssl/private/mydomainname.com.key
|
||
|
||
# Options based on bettercrypto.org
|
||
SSLProtocol All -SSLv2 -SSLv3
|
||
SSLHonorCipherOrder On
|
||
SSLCompression off
|
||
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
|
||
|
||
# Add six earth month HSTS header for all users ...
|
||
Header add Strict-Transport-Security "max-age=15768000"
|
||
# If you want to protect all subdomains , use the following header
|
||
# ALL subdomains HAVE TO support https if you use this !
|
||
# Strict-Transport-Security: max-age=15768000 ; includeSubDomains
|
||
|
||
# SSL Engine Options:
|
||
# Set various options for the SSL engine.
|
||
# o FakeBasicAuth:
|
||
# Translate the client X.509 into a Basic Authorisation. This means that
|
||
# the standard Auth/DBMAuth methods can be used for access control. The
|
||
# user name is the `one line' version of the client's X.509 certificate.
|
||
# Note that no password is obtained from the user. Every entry in the user
|
||
# file needs this password: `xxj31ZMTZzkVA'.
|
||
# o ExportCertData:
|
||
# This exports two additional environment variables: SSL_CLIENT_CERT and
|
||
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
|
||
# server (always existing) and the client (only existing when client
|
||
# authentication is used). This can be used to import the certificates
|
||
# into CGI scripts.
|
||
# o StdEnvVars:
|
||
# This exports the standard SSL/TLS related `SSL_*' environment variables.
|
||
# Per default this exportation is switched off for performance reasons,
|
||
# because the extraction step is an expensive operation and is usually
|
||
# useless for serving static content. So one usually enables the
|
||
# exportation for CGI and SSI requests only.
|
||
# o StrictRequire:
|
||
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
|
||
# under a "Satisfy any" situation, i.e. when it applies access is denied
|
||
# and no other module can change it.
|
||
# o OptRenegotiate:
|
||
# This enables optimized SSL connection renegotiation handling when SSL
|
||
# directives are used in per-directory context.
|
||
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||
SSLOptions +StdEnvVars
|
||
</FilesMatch>
|
||
<Directory /usr/lib/cgi-bin>
|
||
SSLOptions +StdEnvVars
|
||
</Directory>
|
||
|
||
# SSL Protocol Adjustments:
|
||
# The safe and default but still SSL/TLS standard compliant shutdown
|
||
# approach is that mod_ssl sends the close notify alert but doesn't wait for
|
||
# the close notify alert from client. When you need a different shutdown
|
||
# approach you can use one of the following variables:
|
||
# o ssl-unclean-shutdown:
|
||
# This forces an unclean shutdown when the connection is closed, i.e. no
|
||
# SSL close notify alert is send or allowed to received. This violates
|
||
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
|
||
# this when you receive I/O errors because of the standard approach where
|
||
# mod_ssl sends the close notify alert.
|
||
# o ssl-accurate-shutdown:
|
||
# This forces an accurate shutdown when the connection is closed, i.e. a
|
||
# SSL close notify alert is send and mod_ssl waits for the close notify
|
||
# alert of the client. This is 100% SSL/TLS standard compliant, but in
|
||
# practice often causes hanging connections with brain-dead browsers. Use
|
||
# this only for browsers where you know that their SSL implementation
|
||
# works correctly.
|
||
# Notice: Most problems of broken clients are also related to the HTTP
|
||
# keep-alive facility, so you usually additionally want to disable
|
||
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
|
||
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
|
||
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
||
# "force-response-1.0" for this.
|
||
BrowserMatch "MSIE [2-6]" \
|
||
nokeepalive ssl-unclean-shutdown \
|
||
downgrade-1.0 force-response-1.0
|
||
# MSIE 7 and newer should be able to use keepalive
|
||
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
||
|
||
</VirtualHost>
|
||
</IfModule>
|
||
#+END_SRC
|
||
|
||
Then to enable the site:
|
||
|
||
#+BEGIN_SRC: bash
|
||
a2ensite
|
||
a2dissite default
|
||
a2dissite default-ssl
|
||
a2enmod rewrite
|
||
a2enmod headers
|
||
#+END_SRC
|
||
|
||
Ensure that "NameVirtualHost *:443" is added to /etc/apache2/ports.conf. It should look something like the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
NameVirtualHost *:80
|
||
Listen 80
|
||
|
||
<IfModule mod_ssl.c>
|
||
NameVirtualHost *:443
|
||
Listen 443
|
||
</IfModule>
|
||
|
||
<IfModule mod_gnutls.c>
|
||
NameVirtualHost *:443
|
||
Listen 443
|
||
</IfModule>
|
||
#+END_SRC
|
||
|
||
Create a self-signed certificate. The passphrase isn't important and will be removed, so make it easy (such as "password").
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs makecert
|
||
#+END_SRC
|
||
|
||
Enter the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/bash
|
||
|
||
HOSTNAME=$1
|
||
|
||
openssl genrsa -des3 -out $HOSTNAME.key 1024
|
||
openssl req -new -x509 -nodes -sha1 -days 3650 -key $HOSTNAME.key -out $HOSTNAME.crt
|
||
openssl rsa -in $HOSTNAME.key -out $HOSTNAME.new.key
|
||
cp $HOSTNAME.new.key $HOSTNAME.key
|
||
rm $HOSTNAME.new.key
|
||
cp $HOSTNAME.key /etc/ssl/private
|
||
chmod 400 /etc/ssl/private/$HOSTNAME.key
|
||
cp $HOSTNAME.crt /etc/ssl/certs
|
||
shred -zu $HOSTNAME.key $HOSTNAME.crt
|
||
a2enmod ssl
|
||
service apache2 restart
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod +x makecert
|
||
./makecert mydomainname.com
|
||
#+END_SRC
|
||
|
||
Enter some trivial password for the key file. The password will be removed as part of the makecert script. Note that leaving a password on the key file would mean that after a power cycle the apache server will not be able to boot properly (it would wait indefinitely for a password to be manually entered) and would look as if it had crashed.
|
||
|
||
If all has gone well then there should be no warnings or errors after you run the service restart command. After that you should enable ports 80 (HTTP) and 443 (HTTPS) on your internet router/firewall, such that they are redirected to the BBB.
|
||
|
||
** Accessing your Email
|
||
*** Mutt email client
|
||
|
||
#+BEGIN_VERSE
|
||
/I dreamt last night that I was living in a surveillance state. I woke up and… I’m still in a surveillance state./
|
||
|
||
-- Conrad Kramer
|
||
#+END_VERSE
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install mutt lynx abook
|
||
exit
|
||
mkdir ~/.mutt
|
||
echo "text/html; lynx -dump -width=78 -nolist %s | sed ‘s/^ //’; copiousoutput; needsterminal; nametemplate=%s.html" > ~/.mutt/mailcap
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
su
|
||
emacs /etc/Muttrc
|
||
#+END_SRC
|
||
|
||
Append the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
set mbox_type=Maildir
|
||
set folder="~/Maildir"
|
||
set mask="!^\\.[^.]"
|
||
set mbox="~/Maildir"
|
||
set record="+.Sent"
|
||
set postponed="+.Drafts"
|
||
set spoolfile="~/Maildir"
|
||
auto_view text/x-vcard text/html text/enriched
|
||
set editor="emacsclient %s"
|
||
set header_cache="+.cache"
|
||
|
||
macro index S "<tag-prefix><save-message>=.learn-spam<enter>" "move to learn-spam"
|
||
macro pager S "<save-message>=.learn-spam<enter>" "move to learn-spam"
|
||
macro index H "<tag-prefix><copy-message>=.learn-ham<enter>" "copy to learn-ham"
|
||
macro pager H "<copy-message>=.learn-ham<enter>" "copy to learn-ham"
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/mail/spamassassin/local.cf
|
||
#+END_SRC
|
||
|
||
Uncomment *use_bayes*, *bayes_auto_learn*
|
||
|
||
Save and exit, then run:
|
||
|
||
#+BEGIN_SRC: bash
|
||
service spamassassin restart
|
||
#+END_SRC
|
||
|
||
Now to add an address book:
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs ~/.muttrc
|
||
#+END_SRC
|
||
|
||
Append the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
set alias_file=~/.mutt-alias
|
||
source ~/.mutt-alias
|
||
set query_command= "abook --mutt-query '%s'"
|
||
macro index,pager A "<pipe-message>abook --add-email-quiet<return>" "add the sender address to abook"
|
||
#+END_SRC
|
||
|
||
Then save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
touch ~/.mutt-alias
|
||
#+END_SRC
|
||
|
||
Finally you can then type *mutt* to get access to your email. Hence as a fallback, or if you prefer as the primary way of accessing email, you can ssh into the BBB and use the mutt command line email client. Ssh clients are available for all operating systems, and also you should be reasonably protected from passive surveillance between wherever you are and the BBB (although not between the BBB and the wider internet), which can be useful if you are for example using an Android tablet from a cafe or railway station.
|
||
|
||
To use the address book system open an email and then to add the sender to the address list press the A key. It will ask you for an alias which may be used the next time you want to send a mail. Alternatively you may just edit the *~/.mutt-alias* file directly to add email addresses.
|
||
|
||
Some useful keys to know are:
|
||
|
||
| ESC / | Search for text within message contents |
|
||
| "/" | Search for text within headers |
|
||
| * | Move to the last message |
|
||
| TAB | Move to the next unread message |
|
||
| d | Delete a message |
|
||
| u | Undelete a mail which is pending deletion |
|
||
| $ | Delete all messages selected and check for new messages |
|
||
| a | Add to the address book |
|
||
| m | Send a new mail |
|
||
| S | Mark a message as spam |
|
||
| H | Mark a message as ham |
|
||
|
||
*** K9 Android client
|
||
|
||
#+BEGIN_VERSE
|
||
/The surveillance state is robust. It is robust politically, legally, and technically./
|
||
|
||
-- Bruce Schneier
|
||
#+END_VERSE
|
||
|
||
**** Incoming server settings
|
||
* Select settings/account settings
|
||
* Select Fetching mail/incoming server
|
||
* Enter your username and password
|
||
* IMAP server should be your domain name
|
||
* Security: SSL/TLS (always)
|
||
* Authentication: Plain
|
||
* Port: 993
|
||
**** Outgoing (SMTP) server settings
|
||
* Select settings/account settings
|
||
* Select Sending mail/outgoing server
|
||
* Set SMTP server to your domain name
|
||
* Set Security to SSL/TLS (always)
|
||
* Set port to 465
|
||
* Set authentication to PLAIN
|
||
* Enter your username and password
|
||
* Accept the SSL certificate
|
||
*** Webmail
|
||
|
||
#+BEGIN_VERSE
|
||
/Most of the information extracted is "content", such as recordings of phone calls or the substance of email messages./
|
||
|
||
-- From a 2013 Guardian article on GCHQ/NSA bulk internet data interception.
|
||
#+END_VERSE
|
||
|
||
For maximum speed and efficiency the recommended email client is Mutt, accessed via ssh, but non-technical people who aren't using an Android app are unlikely to want to use email in that manner. So it's a good idea to also have a webmail system installed, both for accessibility and as a fallback should ssh not be available due to port blocking.
|
||
|
||
Install dependencies.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install libapache2-mod-authz-unixgroup
|
||
#+END_SRC
|
||
|
||
Create a mysql database, specifying a password which should be a long random string generated with a password manager such as KeepassX.
|
||
|
||
#+BEGIN_SRC: bash
|
||
mysql -u root -p
|
||
create database roundcubemail;
|
||
CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'roundcubepassword';
|
||
GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube'@'localhost';
|
||
quit
|
||
#+END_SRC
|
||
|
||
Download roundcube.
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /tmp
|
||
wget http://freedombone.uk.to/roundcubemail.tar.gz
|
||
#+END_SRC
|
||
|
||
Verify it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
sha256sum roundcubemail.tar.gz
|
||
e8a311b22a8e1f70abb72ed9551cc9233cf6c5221f1eebf1ae64974117e3148b roundcubemail.tar.gz
|
||
#+END_SRC
|
||
|
||
Extract the files.
|
||
|
||
#+BEGIN_SRC: bash
|
||
tar -xzvf roundcubemail.tar.gz
|
||
export HOSTNAME=mydomainname.com
|
||
cp -r roundcubemail-* /var/www/$HOSTNAME/htdocs/mail
|
||
chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/mail/temp
|
||
chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/mail/logs
|
||
rm /var/www/$HOSTNAME/htdocs/mail/.htaccess
|
||
#+END_SRC
|
||
|
||
Edit your web site configuration.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/apache2/sites-available/$HOSTNAME
|
||
#+END_SRC
|
||
|
||
Within the 80 VirtualHost section add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Directory /var/www/mydomainname.com/htdocs/mail>
|
||
deny from all
|
||
</Directory>
|
||
#+END_SRC
|
||
|
||
Within the 443 VirtualHost section add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Directory /var/www/mydomainname.com/htdocs/mail>
|
||
Options Indexes FollowSymLinks MultiViews
|
||
AllowOverride All
|
||
Order allow,deny
|
||
allow from all
|
||
</Directory>
|
||
#+END_SRC
|
||
|
||
Save and exit, then restart Apache.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service apache2 restart
|
||
#+END_SRC
|
||
|
||
Now with a browser visit https://mydomainname.com/mail/installer. Scroll down and click "next". Give your webmail site a product name.
|
||
|
||
The *spellcheck_engine* option being limited to Google is slightly concerning in terms of privacy and security, but seems not to be implemented.
|
||
|
||
Change the *database password* to the password you gave when creating the MySql database above.
|
||
|
||
Set *smtp_port* to 465.
|
||
|
||
Click *create config*
|
||
|
||
Click download to download the file.
|
||
|
||
In a terminal on your local machine (not logged into the BBB):
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd ~/Downloads
|
||
scp config.inc.php myusername@mydomainname.com:/home/myusername
|
||
#+END_SRC
|
||
|
||
Then in a terminal ssh'd into the BBB:
|
||
|
||
#+BEGIN_SRC: bash
|
||
mv /home/myusername/config.inc.php /var/www/$HOSTNAME/htdocs/mail/config
|
||
chmod 755 /var/www/$HOSTNAME/htdocs/mail/config/config.inc.php
|
||
#+END_SRC
|
||
|
||
Click *continue*.
|
||
|
||
Click *initialize database*.
|
||
|
||
Under *Test SMTP config* you can use a [[mailinator.com]] address to check that mail can be sent.
|
||
|
||
Now we can delete the installer.
|
||
|
||
#+BEGIN_SRC: bash
|
||
rm -rf /var/www/$HOSTNAME/htdocs/mail/installer
|
||
#+END_SRC
|
||
|
||
Now with a browser navigate to https://mydomainname.com/mail and log in.
|
||
|
||
TODO: connect Sent and Draft folders.
|
||
|
||
*** Thunderbird
|
||
|
||
#+BEGIN_VERSE
|
||
/Towards the end of 2012, we heard from the National Technical Assistance Centre (NTAC), a division of GCHQ and a liaison with the Home Office, [that] they wanted the keys to decrypt the customer data./
|
||
|
||
-- Brian Spector, on the shutting down of the PrivateSky encrypted email service
|
||
#+END_VERSE
|
||
|
||
Another common way in which you may want to access email is via Thunderbird. This may be especially useful if you're trying to convert former Windows users who may previously have been using some version of Outlook.
|
||
|
||
The following instructions should be carried out on the client machines (laptop, etc), not on the BBB itself.
|
||
|
||
**** Initial setup
|
||
|
||
Install *Thunderbird* and *Enigmail*. How you do this just depends upon your distro and software manager or "app store".
|
||
|
||
Open Thinderbird
|
||
|
||
Select "*Skip this and use existing email*"
|
||
|
||
Enter your name, email address (myusername@mydomainname.com) and the password for your user (the one from [[Add a user]]).
|
||
|
||
You'll get a message saying "/Thunderbird failed to find the settings/"
|
||
|
||
The settings should be as follows, substituting /mydomainname.com/ for your domain name and /myusername/ for the username given previously in [[Add a user]].
|
||
|
||
* Incoming: IMAP, mydomainname.com, 993, SSL/TLS, Normal Password
|
||
* Outgoing: SMTP, mydomainname.com, 465, SSL/TLS, Normal Password
|
||
* Username: myusername
|
||
|
||
Click *Done*.
|
||
|
||
Click *Get Certificate* and make sure "*permanently store this exception*" is selected", then click *Store Security Exception*.
|
||
|
||
From OpenPGP setup select "*Yes, I would like the wizard to get me started*". If the wizard doesn't start automatically then "setup wizard" can be selected from OpenPGP on the menu bar.
|
||
|
||
Select "*Yes, I want to sign all of my email*"
|
||
|
||
Select "*No, I will create per-recipient rules*"
|
||
|
||
Select "*yes*" to change default settings.
|
||
|
||
**** If you have existing GPG key
|
||
|
||
Export your GPG public and private keys.
|
||
|
||
#+BEGIN_SRC: bash
|
||
gpg --output ~/public_key.txt --armor --export KEY_ID
|
||
gpg --output ~/private_key.txt --armor --export-secret-key KEY_ID
|
||
#+END_SRC
|
||
|
||
Select "*I have existing public and private keys*".
|
||
|
||
Select your public and private GPG exported key files.
|
||
|
||
Select the account which you want to use and click *Next*, *Next* and *Finish*.
|
||
|
||
Remove your exported key files.
|
||
|
||
#+BEGIN_SRC: bash
|
||
shred -zu ~/public_key.txt
|
||
shred -zu ~/private_key.txt
|
||
#+END_SRC
|
||
|
||
**** If you don't have any existing GPG or PGP key
|
||
Select "*I want to create a new key pair*"
|
||
|
||
Enter a passphrase and click *Next* a couple of times.
|
||
|
||
Click *Generate Certificate* to generate a revocation certificate.
|
||
|
||
Enter the passphrase which you gave previously.
|
||
|
||
Click *Finish*
|
||
|
||
From the menu select *OpenPGP* and then *Key Management*. Make sure that *Display all keys* is selected and then select your key. Select *Keyserver* on the menu and then *Upload Public Keys*. This will upload your public key to a key server so that others can find it.
|
||
|
||
Select *File* from the menu then *Export keys to file*. Click on *Export Secret keys* and select a location to save them to. It's a good idea to save them to a USB stick which can then be removed from the computer and carried around on a keyring together with your physical keys. If you need to set up GPG or Thunderbird/Enigmail on others then this file will be used to import your keys.
|
||
|
||
**** Using for the first time
|
||
|
||
Click on the Thunderbird menu, which looks like three horizontal bars on the right hand side.
|
||
|
||
Hover over *preferences* and then *Account settings*.
|
||
|
||
Select *Synchronization & Storage*.
|
||
|
||
Make sure that *Keep messages for this account on this computer* is unticked, then click *Ok*.
|
||
|
||
Click on *Inbox*. Depending upon how much email you have it may take a while to import the subject lines.
|
||
|
||
Note that when sending an email for the first time you will also need to accept the SSL certificate.
|
||
|
||
Get into the habit of using email encryption and encourage others to do so. Remember that you may not think that your emails are very interesting but the Surveillance State is highly interested in them and will be actively trying to data mine your private life looking for "suspicious" patterns, regardless of whether you are guilty of any crime or not.
|
||
|
||
** Install a Blog
|
||
|
||
#+BEGIN_VERSE
|
||
/When society gives censors wide and vague powers they never confine themselves to deserving targets. They are not snipers, but machine-gunners. Allow them to fire at will, and they will hit anything that moves./
|
||
|
||
-- Nick Cohen
|
||
#+END_VERSE
|
||
|
||
Wordpress is the most popular blogging platform, but in practice I found it to be high maintenance with frequent security updates and breakages. More practical for a home server is Flatpress. Flatpress doesn't use a MySql database, just text files, and so is easy to relocate or reinstall.
|
||
|
||
See the [[Setting up a web site]] section of this document for details of how to configure the web server for your blog's domain.
|
||
|
||
Download flatpress.
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /tmp
|
||
wget http://freedombone.uk.to/flatpress.tar.gz
|
||
#+END_SRC
|
||
|
||
Verify the download:
|
||
|
||
#+BEGIN_SRC: bash
|
||
sha256sum flatpress.tar.gz
|
||
6312a49aab5aabd6371518dcaf081f489dff04d001bc34b4fe3f2a81170bbd4e flatpress.tar.gz
|
||
#+END_SRC
|
||
|
||
Extract and install it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
tar -xzvf flatpress.tar.gz
|
||
cd flatpress-*
|
||
cp -r * /var/www/$HOSTNAME/htdocs
|
||
rm -rf flatpress-*
|
||
rm -f flatpress.tar.gz
|
||
#+END_SRC
|
||
|
||
Now visit your blog and follow the setup instructions, which are quite minimal. Various themes and addons are available from the Flatpress web site, http://www.flatpress.org
|
||
|
||
** Install an IRC server
|
||
|
||
#+BEGIN_VERSE
|
||
/Give me the liberty to know, to utter, and to argue freely according to conscience, above all liberties./
|
||
|
||
-- John Milton
|
||
#+END_VERSE
|
||
|
||
*** Base install
|
||
|
||
IRC is not an especially secure system. For instance, even with the best encryption it's easily possible to imagine IRC-specific cribs which could be used by cryptanalytic systems. However, we'll try to implement it in a manner which will at least give the surveillance aparatus something to ponder over.
|
||
|
||
First install some dependencies.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get update
|
||
apt-get install build-essential openssl libssl-dev
|
||
#+END_SRC
|
||
|
||
Then get the source code for ircd-hybrid.
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /tmp
|
||
mkdir hybrid
|
||
cd hybrid
|
||
apt-get source ircd-hybrid
|
||
#+END_SRC
|
||
|
||
Modify the source code to include SSL security.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs ircd-hybrid-*/debian/rules
|
||
#+END_SRC
|
||
|
||
Beneath MAXCLIENTS add the line:
|
||
|
||
#+BEGIN_SRC: bash
|
||
USE_OPENSSL = 1
|
||
#+END_SRC
|
||
|
||
Then save and exit. Now we can build the debian package for ircd-hybrid and install it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd ircd-hybrid-*
|
||
dpkg-buildpackage -rfakeroot -uc -b
|
||
cd ..
|
||
dpkg -i ircd-hybrid_*.deb
|
||
#+END_SRC
|
||
|
||
Customise the configuration to your system, giving it a name and description. In this example 192.168.1.60 is the static IP address on the BBB on the local network, so change that if necessary.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/ircd-hybrid/ircd.conf
|
||
#+END_SRC
|
||
|
||
Set *name* to the name of your server, and set a description.
|
||
|
||
Set a *network_name* and *network_desc*. The network name should not contain any spaces.
|
||
|
||
Set max_clients to 20, or however many you expect that you'll typically need.
|
||
|
||
Within the admin section set your *name* and *email*.
|
||
|
||
Within the *listen* section set host to your fixed IP address (in the earlier
|
||
sections it was 192.168.1.60).
|
||
|
||
Within the *auth* section set user = "*@192.168.1.60" - or whatever the fixed IP address of the BBB is on your network.
|
||
|
||
Uncomment the first *connect* section and set the *name* to your domain name, the *host* to 192.168.1.60 and the send/accept passwords to a password which you use to log into the IRC server. Also set the *port* to 6670.
|
||
|
||
Save and exit, then restart the IRC server. Open port 6670 on your internet router and forward it to the BBB.
|
||
|
||
Ensure that the configuration is only readable by the root user.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod 600 /etc/ircd-hybrid/ircd.conf
|
||
#+END_SRC
|
||
|
||
*** Channel management
|
||
|
||
To to install channel management tools.
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /tmp
|
||
wget http://freedombone.uk.to/hybserv_1.9.4-1_armhf.deb
|
||
#+END_SRC
|
||
|
||
Verify it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
sha256sum hybserv_1.9.4-1_armhf.deb
|
||
41bf4eb6e24c87610a80bc14db1103a57484835510eea7e4ba9709c523318615 hybserv_1.9.4-1_armhf.deb
|
||
#+END_SRC
|
||
|
||
Install it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
dpkg -i hybserv_1.9.4-1_armhf.deb
|
||
#+END_SRC
|
||
|
||
Make a md5 version of the password for the IRC server operator.
|
||
|
||
#+BEGIN_SRC: bash
|
||
/usr/bin/mkpasswd <myoperatorpassword>
|
||
#+END_SRC
|
||
|
||
Edit the ircd-hybrid configuration.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/ircd-hybrid/ircd.conf
|
||
#+END_SRC
|
||
|
||
Enter the md5 password which you previously created within the /operator/ section. Also change /user/ to:
|
||
|
||
#+BEGIN_SRC: bash
|
||
user = "*@*";
|
||
#+END_SRC
|
||
|
||
Then save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/hybserv/hybserv.conf
|
||
#+END_SRC
|
||
|
||
Change #MD5 PASSWORD HERE# to the md5 operator password created earlier, mydomainname.com to your domain name and mysendacceptpassword to the send/accept password specified within /ircd.conf/.
|
||
|
||
#+BEGIN_SRC: bash
|
||
A:mynickname <myemailaddress>
|
||
N:irc.mydomainname.com:Hybrid services
|
||
O:*@*:#MD5 PASSWORD HERE#:root:segj (comment out other Q: lines)
|
||
S:mysendacceptpassword:192.168.1.60:6670 (remove the other two services)
|
||
#+END_SRC
|
||
|
||
Also remove the line *#NOT-EDITED#*, then save and exit.
|
||
|
||
Now we need to restart the ircd and hybrid server to make things work:
|
||
|
||
#+BEGIN_SRC: bash
|
||
service ircd-hybrid restart
|
||
service hybserv start
|
||
#+END_SRC
|
||
|
||
*** Usage
|
||
|
||
On another computer (not the BBB).
|
||
|
||
#+BEGIN_SRC: bash
|
||
sudo apt-get install irssi
|
||
irssi
|
||
#+END_SRC
|
||
|
||
Connect to the IRC and identify yourself as an operator. Here /mynetwork/ should be the same as *network_name* specified earlier within /ircd.conf/.
|
||
|
||
#+BEGIN_SRC: bash
|
||
/server add -auto -network mynetwork -ssl mydonainname.com 6670 mysendacceptpassword
|
||
|
||
/connect mydomainname.com
|
||
|
||
/channel add -auto #mychannel mynetwork channelpassword
|
||
|
||
/network add -nick mynick mychannel
|
||
|
||
/join #mychannel
|
||
|
||
/msg -servername chanserv REGISTER #mychannel channelpassword
|
||
|
||
/msg -servername chanserv set #mychannel mlock +k channelpassword
|
||
#+END_SRC
|
||
|
||
If you edit the irssi config file:
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs ~/.irssi/config
|
||
#+END_SRC
|
||
|
||
It should look something like this:
|
||
|
||
#+BEGIN_SRC: bash
|
||
{
|
||
address = "mydomainname.com";
|
||
chatnet = "mynetwork";
|
||
port = "6670";
|
||
password = "mysendacceptpassword";
|
||
use_ssl = "yes";
|
||
ssl_verify = "no";
|
||
autoconnect = "yes";
|
||
},
|
||
#+END_SRC
|
||
|
||
If you're not using a self-signed certificate (self-signed is the default) then you can set *ssl_verify* to "yes".
|
||
|
||
** Install a Jabber/XMPP server
|
||
|
||
#+BEGIN_VERSE
|
||
/Well heck, it isn’t that hard to write an instant messaging system./
|
||
|
||
--Jeremie Miller
|
||
#+END_VERSE
|
||
|
||
*** The Server
|
||
|
||
Generate a SSL certificate.
|
||
|
||
#+BEGIN_SRC: bash
|
||
openssl ecparam -out /etc/ssl/private/xmpp.pem -name prime256v1
|
||
openssl genpkey -paramfile /etc/ssl/private/xmpp.pem -out /etc/ssl/private/xmpp.key
|
||
openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650
|
||
#+END_SRC
|
||
|
||
The above uses a Diffie-Hellman elliptic curve (ECDH P-256) algorithm. It is apparent that amongst crypographers there are differences of opinion about the security of elliptic curves, so if you prefer there is also a more traditional RSA way to generate an SSL certificate:
|
||
|
||
#+BEGIN_SRC: bash
|
||
openssl genrsa -out /etc/ssl/private/xmpp.key 4096
|
||
openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650
|
||
#+END_SRC
|
||
|
||
Change permissions.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod 600 /etc/ssl/private/xmpp.key
|
||
chmod 600 /etc/ssl/certs/xmpp.crt
|
||
chown prosody:prosody /etc/ssl/private/xmpp.key
|
||
chown prosody:prosody /etc/ssl/certs/xmpp.crt
|
||
#+END_SRC
|
||
|
||
Install Prosody.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install prosody
|
||
cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua
|
||
emacs /etc/prosody/conf.avail/xmpp.cfg.lua
|
||
#+END_SRC
|
||
|
||
Change the *VirtualHost* name to your domain name and remove the line below it.
|
||
|
||
Set the ssl section to:
|
||
|
||
#+BEGIN_SRC: bash
|
||
ssl = {
|
||
key = "/etc/ssl/private/xmpp.key";
|
||
certificate = "/etc/ssl/certs/xmpp.crt";
|
||
}
|
||
#+END_SRC
|
||
|
||
And also append the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
modules_enabled = {
|
||
"bosh"; -- Enable mod_bosh
|
||
"tls"; -- Enable mod_tls
|
||
}
|
||
|
||
c2s_require_encryption = true
|
||
s2s_require_encryption = true
|
||
#+END_SRC
|
||
|
||
Save and exit. Create a symbolic link.
|
||
|
||
#+BEGIN_SRC: bash
|
||
ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua
|
||
#+END_SRC
|
||
|
||
Add a user. You will be prompted to specify a password. You can repeat the process for as many users as needed. This will also be your Jabber ID (JID).
|
||
|
||
#+BEGIN_SRC: bash
|
||
prosodyctl adduser myusername@mydomainname.com
|
||
#+END_SRC
|
||
|
||
Restart the server
|
||
|
||
#+BEGIN_SRC: bash
|
||
service prosody restart
|
||
#+END_SRC
|
||
|
||
On your internet router/firewall open ports 5222, 5223, 5269, 5280 and 5281 and forward them to the BBB.
|
||
|
||
It's possible to test that your XMPP server is working at https://xmpp.net. It may take several minutes and you'll get a low score because of the self-signed certificate, but it will at least verify that your server is capable of communicating.
|
||
|
||
*** Managing users
|
||
|
||
To add a user:
|
||
|
||
#+BEGIN_SRC: bash
|
||
prosodyctl adduser myusername@mydomainname.com
|
||
#+END_SRC
|
||
|
||
To change a user password:
|
||
|
||
#+BEGIN_SRC: bash
|
||
prosodyctl passwd myusername@mydomainname.com
|
||
#+END_SRC
|
||
|
||
To remove a user:
|
||
|
||
#+BEGIN_SRC: bash
|
||
prosodyctl deluser myusername@mydomainname.com
|
||
#+END_SRC
|
||
|
||
Report the status of the XMPP server:
|
||
|
||
#+BEGIN_SRC: bash
|
||
prosodyctl status
|
||
#+END_SRC
|
||
|
||
*** Using with Jitsi
|
||
Jitsi is the recommended communications client for desktop or laptop systems, since it includes the /off the record/ (OTR) feature which provides some additional security beyond the usual SSL certificates.
|
||
|
||
Jitsi can be downloaded from https://jitsi.org/
|
||
|
||
On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu.
|
||
|
||
Click *Add* to add a new user, then enter the Jabber ID which you previously specified with /prosodyctl/ when setting up the XMPP server. Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online).
|
||
|
||
From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security.
|
||
|
||
When opening Jitsi initially you will get a certificate warning for your domain name (assuming that you're using a self-signed certificate). If this happens then select *View Certificate* and enable the checkbox to trust the certificate, then select *Continue Anyway*. Once you've done this then the certificate warning will not appear again unless you reinstall Jitsi or use a different computer.
|
||
|
||
You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR.
|
||
*** Using with Ubuntu
|
||
The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to.
|
||
|
||
Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*.
|
||
|
||
Enter your username (myusername@mydomainname.com) and password.
|
||
|
||
Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*.
|
||
*** Using with Android
|
||
|
||
There are a few XMPP clients available on Android. Ideally choose ones which support off-the-record messaging. Here are some examples.
|
||
|
||
**** Xabber
|
||
Install [[https://f-droid.org/][F-Droid]]
|
||
|
||
Search for and install Xabber.
|
||
|
||
Add an account and enter your Jabber/XMPP ID and password.
|
||
|
||
From the menu select *Settings* then *Security* then *OTR mode*. Set the mode to *Required*.
|
||
|
||
Make sure that *Check server certificate* is not checked.
|
||
|
||
Go back to the initial screen and then using the menu you can add contacts and begin chatting. Both parties will need to go through the off-the-record question and answer verification before the chat can begin, but that only needs to be done once for each person you're chatting with.
|
||
|
||
**** Gibberbot
|
||
Install [[https://f-droid.org/][F-Droid]]
|
||
|
||
Search for and install Gibberbot, otherwise known as ChatSecure.
|
||
|
||
From the menu open *Accounts*
|
||
|
||
Select *Add account*
|
||
|
||
Change the server port from 0 to 5222
|
||
|
||
Done
|
||
|
||
Accept unknown certificate? Select *Always*
|
||
|
||
Go back to the initial screen and then using the menu you can add contacts and begin chatting.
|
||
|
||
** Social Networking
|
||
|
||
#+BEGIN_VERSE
|
||
/Facebook is not your friend, it is a surveillance engine./
|
||
|
||
-- Richard Stallman, Free Software Foundation
|
||
#+END_VERSE
|
||
|
||
*** Friendica
|
||
**** Installation
|
||
|
||
See [[Setting up a web site]] for details of how to update the Apache configuration for your Friendica site. You should have a separate domain name specifically to run Friendica on. It can't be installed in a subdirectory on a domain used for something else.
|
||
|
||
Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Friendica via HTTPS, so to prevent anyone from accidentally logging in insecurely:
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/apache2/sites-available/mydomainname.com
|
||
#+END_SRC
|
||
|
||
Within the section which begins with *<VirtualHost *:80>* change the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Directory /var/www/mydomainname.com/htdocs/>
|
||
deny from all
|
||
</Directory>
|
||
#+END_SRC
|
||
|
||
Save and exit, then restart the apache server.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service apache2 restart
|
||
#+END_SRC
|
||
|
||
Now install some dependencies.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt
|
||
#+END_SRC
|
||
|
||
Enter an admin password for MySQL.
|
||
|
||
Create a mysql database.
|
||
|
||
#+BEGIN_SRC: bash
|
||
mysql -u root -p
|
||
create database friendica;
|
||
CREATE USER 'friendicaadmin'@'localhost' IDENTIFIED BY 'password';
|
||
GRANT ALL PRIVILEGES ON friendica.* TO 'friendicaadmin'@'localhost';
|
||
quit
|
||
#+END_SRC
|
||
|
||
You may need to fix Git SSL problems.
|
||
|
||
#+BEGIN_SRC: bash
|
||
git config --global http.sslVerify true
|
||
apt-get install ca-certificates
|
||
cd ~/
|
||
emacs .gitconfig
|
||
#+END_SRC
|
||
|
||
The .gitconfig file should look something like this:
|
||
|
||
#+BEGIN_SRC: bash
|
||
[http]
|
||
sslVerify = true
|
||
sslCAinfo = /etc/ssl/certs/ca-certificates.crt
|
||
[user]
|
||
email = myusername@mydomainname.com
|
||
name = yourname
|
||
#+END_SRC
|
||
|
||
Get the source code.
|
||
|
||
#+BEGIN_SRC: bash
|
||
export HOSTNAME=mydomainname.com
|
||
cd /var/www/$HOSTNAME
|
||
mv htdocs htdocs_old
|
||
git clone https://github.com/friendica/friendica.git htdocs
|
||
chmod -R 755 htdocs
|
||
chown -R www-data:www-data htdocs
|
||
chown -R www-data:www-data htdocs/view/smarty3
|
||
git clone https://github.com/friendica/friendica-addons.git htdocs/addon
|
||
#+END_SRC
|
||
|
||
Now visit the URL of your site and you should be taken through the rest of the installation procedure. If you have trouble with "allow override" ensure that "AllowOverride" is set to "all" in your Apache settings for the site (within /etc/apache2/sites-available) and then restart the apache2 service.
|
||
|
||
Install the poller.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/crontab
|
||
#+END_SRC
|
||
|
||
and append the following, changing mydomainname.com to whatever your domain is.
|
||
|
||
#+BEGIN_SRC: bash
|
||
*/10 * * * * root cd /var/www/mydomainname.com/htdocs; /usr/bin/php include/poller.php
|
||
#+END_SRC
|
||
|
||
Save and exit, then restart cron.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service cron restart
|
||
#+END_SRC
|
||
|
||
You can improve the speed of Friendica database searches by adding the following indexes:
|
||
|
||
#+BEGIN_SRC: bash
|
||
mysql -u root -p
|
||
use friendica;
|
||
CREATE INDEX `uri_received` ON item(`uri`, `received`);
|
||
CREATE INDEX `received_uri` ON item(`received`, `uri`);
|
||
CREATE INDEX `contact-id_created` ON item(`contact-id`, created);
|
||
CREATE INDEX `uid_network_received` ON item(`uid`, `network`, `received`);
|
||
CREATE INDEX `uid_parent` ON item(`uid`, `parent`);
|
||
CREATE INDEX `uid_received` ON item(`uid`, `received`);
|
||
CREATE INDEX `uid_network_commented` ON item(`uid`, `network`, `commented`);
|
||
CREATE INDEX `uid_title` ON item(uid, `title`);
|
||
CREATE INDEX `created_contact-id` ON item(`created`, `contact-id`);
|
||
quit
|
||
#+END_SRC
|
||
|
||
Make sure that Friendica doesn't use too much memory.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /var/www/$HOSTNAME/htdocs/.htaccess
|
||
#+END_SRC
|
||
|
||
Append the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
php_value memory_limit 32M
|
||
#+END_SRC
|
||
|
||
The save ane exit.
|
||
|
||
**** Backups
|
||
|
||
Make sure that the database gets backed up. By using cron if anything goes wrong then you should be able to recover the database either from the previous day or the previous week.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/cron.daily/friendicabackup
|
||
#+END_SRC
|
||
|
||
Enter the following
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/sh
|
||
|
||
MYSQL_PASSWORD=<mysql root password>
|
||
|
||
umask 0077
|
||
|
||
# Backup the database
|
||
mysqldump --password=$MYSQL_PASSWORD friendica > /var/backups/friendica_daily.sql
|
||
|
||
# Make the backup readable only by root
|
||
chmod 600 /var/backups/friendica_daily.sql
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod 600 /etc/cron.daily/friendicabackup
|
||
chmod +x /etc/cron.daily/friendicabackup
|
||
emacs /etc/cron.weekly/friendicabackup
|
||
#+END_SRC
|
||
|
||
Enter the following
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/sh
|
||
|
||
MYSQL_PASSWORD=<mysql root password>
|
||
|
||
umask 0077
|
||
|
||
# Backup the database
|
||
mysqldump --password=$MYSQL_PASSWORD friendica > /var/backups/friendica_weekly.sql
|
||
|
||
# Make the backup readable only by root
|
||
chmod 600 /var/backups/friendica_weekly.sql
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod 600 /etc/cron.weekly/friendicabackup
|
||
chmod +x /etc/cron.weekly/friendicabackup
|
||
#+END_SRC
|
||
|
||
**** Recommended configuration
|
||
***** Admin
|
||
To get to the admin settings you will need to be logged in with the admin email address which you specified at the beginning of the installation procedure. Depending upon the theme which you're using "/admin/" will be available either as an icon or on a drop down menu.
|
||
|
||
Under the *plugins* section the main one which you may wish to enable is the NSFW plugin. With that enabled if a post contans the #NSFW tag then it will appear minimised by default and you will need to click a button to open it.
|
||
|
||
Under the *themes* section select a few themes, including mobile themes which are suitable for phones or tablets.
|
||
|
||
Under the *site* section give your Friendica node a name other than "/my friend network/", you can change the icon and banner text and set the default mobile theme typically to /frost-mobile/. If you don't want your node to host a lot of accounts for people you don't know then you may want to set the register policy to "/requires approval/". For security it's probably a good idea only to host accounts for people who you actually know, rather than random strangers. Also be aware that the Beaglebone does not have a great deal of computational power or bandwidth and will not function well if there are hundreds of users using your node. If you're not federating with Diaspora or other sites then you may wish to select "/only allow Friendica contacts/". That improves the security of the system, since communication between Friendica nodes is always encrypted separately and in addition to the usual SSL encryption layer - which makes life interesting for the Surveillance State and at least keeps those cryptanalysts employed.
|
||
|
||
It's probably a good idea to enable "/private posts by default for new users/" and also "/don't include post content in email notifications/". Since traditional email isn't a secure system and is easily vulnerable to attack by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]].
|
||
|
||
***** Settings
|
||
Each user has their own customisable settings, typically available either via an icon or by an entry on a drop down menu.
|
||
|
||
Under *additional features* enable "/richtext editor/", "/post preview/", "/group filter/", "/network filter/", "/edit sent posts/" and "/dislike posts/".
|
||
|
||
Under *display settings* select your desktop and mobile themes.
|
||
|
||
Once you have connected to enough friends it's also a good idea to use the "/export personal data/" option from here. This will save a file to your local system, which you can import into another friendica node if necessary.
|
||
**** To access from an Android device
|
||
***** App
|
||
Open a browser on your device and go to https://f-droid.org/ then download and install the F-Droid apk. If you then open F-Droid you can search for and install the Friendica app.
|
||
|
||
If you are using a self-signed certificate then at the login screen scroll down to the bottom, select the SSL settings then scroll down and disable SSL certificate checks. You will then be able to log in using https, which at least gives you some protection via the encryption.
|
||
|
||
More information about the Friendica app can be found on http://friendica-for-android.wiki-lab.net/
|
||
***** Mobile Theme
|
||
Another way to access Friendica from a mobile device is to just use the web browser. If you have selected a mobile theme within your settings then when viewing from an Android system the mobile theme will be displayed.
|
||
*** Movim
|
||
|
||
#+BEGIN_VERSE
|
||
/The way we communicate with others and with ourselves ultimately determines the quality of our lives/
|
||
|
||
-- Anthony Robbins
|
||
#+END_VERSE
|
||
|
||
Movim is another social networking system based around the XMPP protocol.
|
||
|
||
You will need to have previously [[Install a Jabber/XMPP server][installed the Jabber/XMPP server]].
|
||
|
||
Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Movim via HTTPS, so to prevent anyone from accidentally logging in insecurely:
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/apache2/sites-available/mydomainname.com
|
||
#+END_SRC
|
||
|
||
Within the section which begins with *<VirtualHost *:80>* add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Directory /var/www/mydomainname.com/htdocs/movim>
|
||
deny from all
|
||
</Directory>
|
||
#+END_SRC
|
||
|
||
Within the section which begins with *<VirtualHost *:443>* add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Directory /var/www/mydomainname.com/htdocs/movim>
|
||
Options Indexes FollowSymLinks MultiViews
|
||
AllowOverride All
|
||
Order allow,deny
|
||
allow from all
|
||
</Directory>
|
||
#+END_SRC
|
||
|
||
Save and exit, then restart the apache server.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service apache2 restart
|
||
#+END_SRC
|
||
|
||
Download the source.
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /tmp
|
||
wget http://freedombone.uk.to/movim.tar.gz
|
||
#+END_SRC
|
||
|
||
Verify it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
sha256sum movim.tar.gz
|
||
2740ddbedf6cefcc2934759374376643b6cdea4fb7f944ec25098a6868cb499e movim.tar.gz
|
||
#+END_SRC
|
||
|
||
Install it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
tar -xzvf movim.tar.gz
|
||
export HOSTNAME=mydomainname.com
|
||
cp -r movim-* /var/www/$HOSTNAME/htdocs/movim
|
||
chmod 755 /var/www/$HOSTNAME/htdocs/movim
|
||
chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/movim
|
||
#+END_SRC
|
||
|
||
Install some MySql prerequisites.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt
|
||
#+END_SRC
|
||
|
||
If necessary, enter an admin password for MySQL.
|
||
|
||
Create a mysql database.
|
||
|
||
#+BEGIN_SRC: bash
|
||
mysql -u root -p
|
||
create database movim;
|
||
CREATE USER 'movimadmin'@'localhost' IDENTIFIED BY 'movimadminpassword';
|
||
GRANT ALL PRIVILEGES ON movim.* TO 'movimadmin'@'localhost';
|
||
quit
|
||
#+END_SRC
|
||
|
||
With a web browser navigate to:
|
||
|
||
https://mydomainname.com/movim/admin
|
||
|
||
Enter /admin/ as the username and /password/ as the password.
|
||
|
||
Click on /General Settings/ and alter the administrator username to /movimadmin/ and password to some long random string (using a password manager such as KeepassX).
|
||
|
||
Change the /Environment/ from /Development/ to /Production/.
|
||
|
||
The /BOSH URL/ should be http://localhost:5280/http-bind (TODO: should this be https://localhost:5281/http-bind and if so do certificate warnings need to be disabled?)
|
||
|
||
Click /Submit/ followed by /Resend/.
|
||
|
||
Click on /Database Settings/ and alter the MySql movim database username to /movimadmin/ and password to the password you specified in the previous step.
|
||
|
||
Click /Submit/ followed by /Resend/. If you get a lot of orange warnings about database fields being created then hit /Submit/ again until you see "Movim database is up to date".
|
||
|
||
If everything on all three tabs looks green then you are ready to go. Click on the Movim logo at the top left and then log in with your Jabber ID (JID).
|
||
|
||
*** Red Matrix
|
||
**** Introduction
|
||
Red Matrix is the current version of the Friendica social networking system. It's more general than Friendica in that it's designed as a generic communication system based around a protocol called "zot". At the time of writing in early 2014 Red Matrix remains at an alpha stage of development and so it's not advised that you install it unless you're willing to put up with bugs and frustrations. In the large majority of cases it's better to stick with Friendica for now.
|
||
|
||
**** Prerequisites
|
||
The main problem with Red Matrix is that in order to install it you will need to have purchased a domain name (i.e. not a FreeDNS subdomain) and a SSL certificate for it.
|
||
|
||
You could join some other Red Matrix server, but this suffers from "/The Levison Problem/" in which some goons show up with a gagging order demanding coppies of the SSL private key. In that scenario unless the owner of the server is exceptionally brave users may never be informed that the site has been compromised or that there is interception hardware attached to the server. Joining another server defeats the object of being digitally self-sufficient and raises legal question marks about the ownership of data which you might upload to a server which doesn't belong to you.
|
||
|
||
**** Installation
|
||
|
||
See [[Setting up a web site]] for details of how to update the Apache configuration for your Red Matrix site. You should have a separate domain name specifically to run Red Matrix on. It can't be installed in a subdirectory on a domain used for something else.
|
||
|
||
Edit your Apache configuration and disable the port 80 (HTTP) version of the site. We only want to log into Red Matrix via HTTPS, so to prevent anyone from accidentally logging in insecurely:
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/apache2/sites-available/mydomainname.com
|
||
#+END_SRC
|
||
|
||
Within the section which begins with *<VirtualHost *:80>* change the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Directory /var/www/mydomainname.com/htdocs/>
|
||
deny from all
|
||
</Directory>
|
||
#+END_SRC
|
||
|
||
Save and exit, then restart the apache server.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service apache2 restart
|
||
#+END_SRC
|
||
|
||
Now install some dependencies.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt
|
||
#+END_SRC
|
||
|
||
Enter an admin password for MySQL.
|
||
|
||
Create a mysql database.
|
||
|
||
#+BEGIN_SRC: bash
|
||
mysql -u root -p
|
||
create database redmatrix;
|
||
CREATE USER 'redmatrixadmin'@'localhost' IDENTIFIED BY 'password';
|
||
GRANT ALL PRIVILEGES ON redmatrix.* TO 'redmatrixadmin'@'localhost';
|
||
quit
|
||
#+END_SRC
|
||
|
||
You may need to fix Git SSL problems.
|
||
|
||
#+BEGIN_SRC: bash
|
||
git config --global http.sslVerify true
|
||
apt-get install ca-certificates
|
||
cd ~/
|
||
emacs .gitconfig
|
||
#+END_SRC
|
||
|
||
The .gitconfig file should look something like this:
|
||
|
||
#+BEGIN_SRC: bash
|
||
[http]
|
||
sslVerify = true
|
||
sslCAinfo = /etc/ssl/certs/ca-certificates.crt
|
||
[user]
|
||
email = myusername@mydomainname.com
|
||
name = yourname
|
||
#+END_SRC
|
||
|
||
Get the source code.
|
||
|
||
#+BEGIN_SRC: bash
|
||
export HOSTNAME=mydomainname.com
|
||
cd /var/www/$HOSTNAME
|
||
mv htdocs htdocs_old
|
||
git clone https://github.com/friendica/red.git htdocs
|
||
chmod -R 755 htdocs
|
||
chown -R www-data:www-data htdocs
|
||
mkdir htdocs/view/tpl/smarty3
|
||
chmod 777 htdocs/view/tpl
|
||
chmod 777 htdocs/view/tpl/smarty3
|
||
git clone https://github.com/friendica/red-addons.git htdocs/addon
|
||
#+END_SRC
|
||
|
||
Now visit the URL of your site and you should be taken through the rest of the installation procedure. Note that this may take a few minutes so don't be concerned if it looks as if it has crashed - just leave it running. If you have trouble with "allow override" ensure that "AllowOverride" is set to "all" in your Apache settings for the site (within /etc/apache2/sites-available) and then restart the apache2 service.
|
||
|
||
Install the poller.
|
||
|
||
#+BEGIN_SRC
|
||
emacs /etc/crontab
|
||
#+END_SRC
|
||
|
||
and append the following, changing mydomainname.com to whatever your domain is.
|
||
|
||
#+BEGIN_SRC
|
||
*/10 * * * * root cd /var/www/mydomainname.com/htdocs; /usr/bin/php include/poller.php
|
||
#+END_SRC
|
||
|
||
Save and exit, then restart cron.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service cron restart
|
||
#+END_SRC
|
||
|
||
**** Backups
|
||
|
||
Make sure that the database gets backed up. By using cron if anything goes wrong then you should be able to recover the database either from the previous day or the previous week.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/cron.daily/redmatrixbackup
|
||
#+END_SRC
|
||
|
||
Enter the following
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/sh
|
||
|
||
MYSQL_PASSWORD=<mysql root password>
|
||
|
||
umask 0077
|
||
|
||
# Backup the database
|
||
mysqldump --password=$MYSQL_PASSWORD redmatrix > /var/backups/redmatrix_daily.sql
|
||
|
||
# Make the backup readable only by root
|
||
chmod 600 /var/backups/redmatrix_daily.sql
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod 600 /etc/cron.daily/redmatrixbackup
|
||
chmod +x /etc/cron.daily/redmatrixbackup
|
||
emacs /etc/cron.weekly/redmatrixbackup
|
||
#+END_SRC
|
||
|
||
Enter the following
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/sh
|
||
|
||
MYSQL_PASSWORD=<mysql root password>
|
||
|
||
umask 0077
|
||
|
||
# Backup the database
|
||
mysqldump --password=$MYSQL_PASSWORD redmatrix > /var/backups/redmatrix_weekly.sql
|
||
|
||
# Make the backup readable only by root
|
||
chmod 600 /var/backups/redmatrix_weekly.sql
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod 600 /etc/cron.weekly/redmatrixbackup
|
||
chmod +x /etc/cron.weekly/redmatrixbackup
|
||
#+END_SRC
|
||
**** To access from an Android device
|
||
***** App
|
||
Open a browser on your device and go to https://f-droid.org/ then download and install the F-Droid apk. If you then open F-Droid you can search for and install the Friendica app.
|
||
|
||
If you are using a self-signed certificate then at the login screen scroll down to the bottom, select the SSL settings then scroll down and disable SSL certificate checks. You will then be able to log in using https, which at least gives you some protection via the encryption.
|
||
|
||
More information about the Friendica app can be found on http://friendica-for-android.wiki-lab.net/
|
||
|
||
** Install Gopher
|
||
Gopher is an old internet protocol which originated a few years before the web and is purely text based. It can be quite fun to build a gopher site and browse the gopherverse. One thing to keep in mind is that there is no security with gopher, so any text transmitted is trivially interceptable by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]] or deep packet inspection.
|
||
|
||
To set up a gopher server:
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install build-essential
|
||
cd /tmp
|
||
wget http://freedombone.uk.to/geomyidae-current.tgz
|
||
#+END_SRC
|
||
|
||
Verify the download:
|
||
|
||
#+BEGIN_SRC: bash
|
||
sha256sum geomyidae-current.tgz
|
||
162f55ab059ab0a9be8e840497795293bbd51c34b1f4564dcdf3f0ddd5c0db31 geomyidae-current.tgz
|
||
#+END_SRC
|
||
|
||
Then extract and install it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
tar -xzvf geomyidae-current.tgz
|
||
cd geomyidae-*
|
||
make
|
||
make install
|
||
mkdir -p /var/gopher
|
||
#+END_SRC
|
||
|
||
Your content should be placed within /var/gopher with the index page being named index.gph. The Gopher format is very simple - simpler than HTML - so creating pages is not much more difficult than editing a text file.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/init.d/gopher
|
||
#+END_SRC
|
||
|
||
Enter the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
#! /bin/sh
|
||
### BEGIN INIT INFO
|
||
# Provides: gopher
|
||
# Required-Start: $remote_fs $syslog
|
||
# Required-Stop: $remote_fs $syslog
|
||
# Default-Start: 2 3 4 5
|
||
# Default-Stop: 0 1 6
|
||
# Short-Description: Gopher daemon
|
||
# Description: Gopher daemon
|
||
### END INIT INFO
|
||
|
||
# Do NOT "set -e"
|
||
|
||
# PATH should only include /usr/* if it runs after the mountnfs.sh script
|
||
PATH=/sbin:/usr/sbin:/bin:/usr/bin
|
||
DESC="Gopher daemon"
|
||
NAME=geomyidae
|
||
DAEMON=/usr/bin/$NAME
|
||
DAEMON_ARGS="-l /var/log/geomyidae.log -b /var/gopher -p 70"
|
||
PIDFILE=/var/run/$NAME.pid
|
||
SCRIPTNAME=/etc/init.d/$NAME
|
||
|
||
# Exit if the package is not installed
|
||
[ -x "$DAEMON" ] || exit 0
|
||
|
||
# Read configuration variable file if it is present
|
||
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
||
|
||
# Load the VERBOSE setting and other rcS variables
|
||
. /lib/init/vars.sh
|
||
|
||
# Define LSB log_* functions.
|
||
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
|
||
# and status_of_proc is working.
|
||
. /lib/lsb/init-functions
|
||
|
||
#
|
||
# Function that starts the daemon/service
|
||
#
|
||
do_start()
|
||
{
|
||
# Return
|
||
# 0 if daemon has been started
|
||
# 1 if daemon was already running
|
||
# 2 if daemon could not be started
|
||
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|
||
|| return 1
|
||
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
|
||
$DAEMON_ARGS \
|
||
|| return 2
|
||
# Add code here, if necessary, that waits for the process to be ready
|
||
# to handle requests from services started subsequently which depend
|
||
# on this one. As a last resort, sleep for some time.
|
||
}
|
||
|
||
#
|
||
# Function that stops the daemon/service
|
||
#
|
||
do_stop()
|
||
{
|
||
# Return
|
||
# 0 if daemon has been stopped
|
||
# 1 if daemon was already stopped
|
||
# 2 if daemon could not be stopped
|
||
# other if a failure occurred
|
||
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
|
||
RETVAL="$?"
|
||
[ "$RETVAL" = 2 ] && return 2
|
||
# Wait for children to finish too if this is a daemon that forks
|
||
# and if the daemon is only ever run from this initscript.
|
||
# If the above conditions are not satisfied then add some other code
|
||
# that waits for the process to drop all resources that could be
|
||
# needed by services started subsequently. A last resort is to
|
||
# sleep for some time.
|
||
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
|
||
[ "$?" = 2 ] && return 2
|
||
# Many daemons don't delete their pidfiles when they exit.
|
||
rm -f $PIDFILE
|
||
return "$RETVAL"
|
||
}
|
||
|
||
#
|
||
# Function that sends a SIGHUP to the daemon/service
|
||
#
|
||
do_reload() {
|
||
#
|
||
# If the daemon can reload its configuration without
|
||
# restarting (for example, when it is sent a SIGHUP),
|
||
# then implement that here.
|
||
#
|
||
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
|
||
return 0
|
||
}
|
||
|
||
case "$1" in
|
||
start)
|
||
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
||
do_start
|
||
case "$?" in
|
||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||
esac
|
||
;;
|
||
stop)
|
||
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
||
do_stop
|
||
case "$?" in
|
||
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
|
||
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
|
||
esac
|
||
;;
|
||
status)
|
||
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
|
||
;;
|
||
#reload|force-reload)
|
||
#
|
||
# If do_reload() is not implemented then leave this commented out
|
||
# and leave 'force-reload' as an alias for 'restart'.
|
||
#
|
||
#log_daemon_msg "Reloading $DESC" "$NAME"
|
||
#do_reload
|
||
#log_end_msg $?
|
||
#;;
|
||
restart|force-reload)
|
||
#
|
||
# If the "reload" option is implemented then remove the
|
||
# 'force-reload' alias
|
||
#
|
||
log_daemon_msg "Restarting $DESC" "$NAME"
|
||
do_stop
|
||
case "$?" in
|
||
0|1)
|
||
do_start
|
||
case "$?" in
|
||
0) log_end_msg 0 ;;
|
||
1) log_end_msg 1 ;; # Old process is still running
|
||
*) log_end_msg 1 ;; # Failed to start
|
||
esac
|
||
;;
|
||
*)
|
||
# Failed to stop
|
||
log_end_msg 1
|
||
;;
|
||
esac
|
||
;;
|
||
*)
|
||
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
|
||
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
|
||
exit 3
|
||
;;
|
||
esac
|
||
|
||
:
|
||
#+END_SRC
|
||
|
||
Save and exit. Then start the gopher service.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod +x /etc/init.d/gopher
|
||
update-rc.d gopher defaults
|
||
service gopher start
|
||
#+END_SRC
|
||
|
||
On your internet router change the firewall settings to route port 70 to the BBB, then provided that you have a gopher plugin installed within your browser then you should be able to navigate to your gopher site with:
|
||
|
||
#+BEGIN_SRC: bash
|
||
gopher://mydomainname.com
|
||
#+END_SRC
|
||
|
||
There is a browser addon for Gopher called "overbite". Installing that should enable you to view your site.
|
||
|
||
** Install Owncloud
|
||
|
||
#+BEGIN_VERSE
|
||
/It's not water vapour/
|
||
|
||
-- Larry Ellison
|
||
#+END_VERSE
|
||
|
||
Owncloud will allow you to upload and download files, share photos, collaboratively edit documents, have a calendar and more. You should be warned that Owncloud runs quite slowly via an ordinary web browser, but it can be a convenient way to access and share your data from any location in a reasonably secure manner.
|
||
|
||
*** Server Installation
|
||
|
||
Install some dependencies:
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install apache2 php5 php5-gd php-xml-parser php5-intl
|
||
apt-get install php5-sqlite php5-mysql smbclient curl libcurl3 php5-curl
|
||
#+END_SRC
|
||
|
||
It's very important that /mod_php5/ and not /mod_php5filter/ be installed. If you have /mod_php5filter/ installed then Owncloud will always fail to install.
|
||
|
||
#+BEGIN_SRC: bash
|
||
a2dismod php5filter
|
||
apt-get install libapache2-mod-php5
|
||
#+END_SRC
|
||
|
||
Ensure that the size of files which may be uploaded or downloaded is large enough.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/php5/apache2/php.ini
|
||
#+END_SRC
|
||
|
||
Set the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
upload_max_filesize = 512M
|
||
post_max_size = 512M
|
||
#+END_SRC
|
||
|
||
Save and exit, then edit your Apache configuration.
|
||
|
||
#+BEGIN_SRC: bash
|
||
export HOSTNAME=mydomainname.com
|
||
emacs /etc/apache2/sites-available/$HOSTNAME
|
||
#+END_SRC
|
||
|
||
And add the following, to the 443 VirtualHost section. Really we only will want to be using Owncloud with HTTPS to ensure some level of security and avoidance of dragnet surveillance.
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Directory /var/www/mydomainname.com/htdocs/owncloud>
|
||
Options Indexes FollowSymLinks MultiViews
|
||
AllowOverride All
|
||
Order allow,deny
|
||
allow from all
|
||
</Directory>
|
||
#+END_SRC
|
||
|
||
To ensure that nobody logs in insecurely add the following to the 80 VirtualHost section.
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Directory /var/www/mydomainname.com/htdocs/owncloud>
|
||
deny from all
|
||
</Directory>
|
||
#+END_SRC
|
||
|
||
Save and exit, then restart apache.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service apache2 restart
|
||
#+END_SRC
|
||
|
||
Download owncloud.
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /tmp
|
||
wget http://freedombone.uk.to/owncloud.tar.bz2
|
||
#+END_SRC
|
||
|
||
Verify the download:
|
||
|
||
#+BEGIN_SRC: bash
|
||
sha256sum owncloud.tar.bz2
|
||
92b53fdfa7c4165b83dd2f8447f63928454a5815d08ff2d6165dd1a8969ecbe1 owncloud.tar.bz2
|
||
#+END_SRC
|
||
|
||
Extract the archive. This may take a couple of minutes, so don't be alarmed that the system has crashed.
|
||
|
||
#+BEGIN_SRC: bash
|
||
export HOSTNAME=mydomainname.com
|
||
tar -xjf owncloud.tar.bz2
|
||
#+END_SRC
|
||
|
||
Move the extracted files to your site and set file permissions.
|
||
|
||
#+BEGIN_SRC: bash
|
||
cp -r owncloud /var/www/$HOSTNAME/htdocs
|
||
chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/owncloud/apps
|
||
chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/owncloud/config
|
||
chown www-data:www-data /var/www/$HOSTNAME/htdocs/owncloud
|
||
#+END_SRC
|
||
|
||
Edit the htaccess file for Owncloud.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /var/www/$HOSTNAME/htdocs/owncloud/.htaccess
|
||
#+END_SRC
|
||
|
||
Set the following.
|
||
|
||
#+BEGIN_SRC: bash
|
||
php_value upload_max_filesize 512M
|
||
php_value post_max_size 512M
|
||
php_value memory_limit 32M
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
With a web browser visit your domain (mydomainname.com/owncloud) and enter an administrator username and password.
|
||
|
||
*** Owncloud on Android
|
||
|
||
First install [[https://f-droid.org/][F-Droid]] and then search for the current Owncloud app. Once it's installed you'll then be able to log into the BBB with the URL https://mydomainname.com/opencloud, supplying your username and password.
|
||
|
||
** Install a Wiki
|
||
|
||
#+BEGIN_VERSE
|
||
/I believe that technology can liberate, but you need to be a master rather than a user. You need to pull technology apart and master it rather than letting it control you./
|
||
|
||
-- Tom Barbalet
|
||
#+END_VERSE
|
||
|
||
Dokuwiki is based upon flat files, and so is easy to move from one server to another without a lot of database complications.
|
||
|
||
Download the wiki.
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /tmp
|
||
wget http://freedombone.uk.to/dokuwiki.tgz
|
||
#+END_SRC
|
||
|
||
Verify it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
sha256sum dokuwiki.tgz
|
||
6b126f90979463d9ddaa74acc6f96aa230cfdc789946f241c3646086d9574be8 dokuwiki.tgz
|
||
#+END_SRC
|
||
|
||
Then extract and install it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
export HOSTNAME=mywikidomainname.com
|
||
tar -xzvf dokuwiki.tgz
|
||
mv /var/www/$HOSTNAME/htdocs /var/www/$HOSTNAME/htdocs_old
|
||
mv dokuwiki /var/www/$HOSTNAME/htdocs
|
||
#+END_SRC
|
||
|
||
Edit the Apache configuration for your wiki site.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/apache2/sites-available/$HOSTNAME
|
||
#+END_SRC
|
||
|
||
The settings should look something like the following. Replace /mywikidomainname.com/ with your wiki domain name.
|
||
|
||
#+BEGIN_SRC: bash
|
||
<VirtualHost *:80>
|
||
ServerAdmin myusername@mywikidomainname.com
|
||
ServerName mydomainname.com
|
||
|
||
DocumentRoot /var/www/mywikidomainname.com/htdocs
|
||
|
||
<Directory /var/www/mywikidomainname.com/htdocs>
|
||
order deny,allow
|
||
allow from all
|
||
</Directory>
|
||
|
||
<LocationMatch "/(data|conf|bin|inc)/">
|
||
order allow,deny
|
||
deny from all
|
||
satisfy all
|
||
</LocationMatch>
|
||
|
||
<Directory />
|
||
Options FollowSymLinks
|
||
AllowOverride All
|
||
</Directory>
|
||
|
||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||
<Directory "/usr/lib/cgi-bin">
|
||
AllowOverride All
|
||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||
Order allow,deny
|
||
Allow from all
|
||
</Directory>
|
||
|
||
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||
|
||
# Possible values include: debug, info, notice, warn, error, crit,
|
||
# alert, emerg.
|
||
LogLevel error
|
||
|
||
CustomLog ${APACHE_LOG_DIR}/access.log combined
|
||
</VirtualHost>
|
||
|
||
<IfModule mod_ssl.c>
|
||
<VirtualHost *:443>
|
||
ServerAdmin myusername@mywikidomainname.com
|
||
ServerName mywikidomainname.com
|
||
|
||
DocumentRoot /var/www/mywikidomainname.com/htdocs
|
||
|
||
<Directory /var/www/mywikidomainname.com/htdocs>
|
||
order deny,allow
|
||
allow from all
|
||
</Directory>
|
||
|
||
<LocationMatch "/(data|conf|bin|inc)/">
|
||
order allow,deny
|
||
deny from all
|
||
satisfy all
|
||
</LocationMatch>
|
||
|
||
<Directory />
|
||
Options FollowSymLinks
|
||
AllowOverride All
|
||
</Directory>
|
||
|
||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||
<Directory "/usr/lib/cgi-bin">
|
||
AllowOverride All
|
||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||
Order allow,deny
|
||
Allow from all
|
||
</Directory>
|
||
|
||
ErrorLog ${APACHE_LOG_DIR}/error.log
|
||
|
||
# Possible values include: debug, info, notice, warn, error, crit,
|
||
# alert, emerg.
|
||
LogLevel error
|
||
|
||
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
|
||
|
||
# SSL Engine Switch:
|
||
# Enable/Disable SSL for this virtual host.
|
||
SSLEngine on
|
||
|
||
# A self-signed certificate
|
||
SSLCertificateFile /etc/ssl/certs/mydomainname.com.crt
|
||
SSLCertificateKeyFile /etc/ssl/private/mydomainname.com.key
|
||
|
||
# Options based on bettercrypto.org
|
||
SSLProtocol All -SSLv2 -SSLv3
|
||
SSLHonorCipherOrder On
|
||
SSLCompression off
|
||
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
|
||
|
||
# SSL Engine Options:
|
||
# Set various options for the SSL engine.
|
||
# o FakeBasicAuth:
|
||
# Translate the client X.509 into a Basic Authorisation. This means that
|
||
# the standard Auth/DBMAuth methods can be used for access control. The
|
||
# user name is the `one line' version of the client's X.509 certificate.
|
||
# Note that no password is obtained from the user. Every entry in the user
|
||
# file needs this password: `xxj31ZMTZzkVA'.
|
||
# o ExportCertData:
|
||
# This exports two additional environment variables: SSL_CLIENT_CERT and
|
||
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
|
||
# server (always existing) and the client (only existing when client
|
||
# authentication is used). This can be used to import the certificates
|
||
# into CGI scripts.
|
||
# o StdEnvVars:
|
||
# This exports the standard SSL/TLS related `SSL_*' environment variables.
|
||
# Per default this exportation is switched off for performance reasons,
|
||
# because the extraction step is an expensive operation and is usually
|
||
# useless for serving static content. So one usually enables the
|
||
# exportation for CGI and SSI requests only.
|
||
# o StrictRequire:
|
||
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
|
||
# under a "Satisfy any" situation, i.e. when it applies access is denied
|
||
# and no other module can change it.
|
||
# o OptRenegotiate:
|
||
# This enables optimized SSL connection renegotiation handling when SSL
|
||
# directives are used in per-directory context.
|
||
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||
SSLOptions +StdEnvVars
|
||
</FilesMatch>
|
||
<Directory /usr/lib/cgi-bin>
|
||
SSLOptions +StdEnvVars
|
||
</Directory>
|
||
|
||
# SSL Protocol Adjustments:
|
||
# The safe and default but still SSL/TLS standard compliant shutdown
|
||
# approach is that mod_ssl sends the close notify alert but doesn't wait for
|
||
# the close notify alert from client. When you need a different shutdown
|
||
# approach you can use one of the following variables:
|
||
# o ssl-unclean-shutdown:
|
||
# This forces an unclean shutdown when the connection is closed, i.e. no
|
||
# SSL close notify alert is send or allowed to received. This violates
|
||
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
|
||
# this when you receive I/O errors because of the standard approach where
|
||
# mod_ssl sends the close notify alert.
|
||
# o ssl-accurate-shutdown:
|
||
# This forces an accurate shutdown when the connection is closed, i.e. a
|
||
# SSL close notify alert is send and mod_ssl waits for the close notify
|
||
# alert of the client. This is 100% SSL/TLS standard compliant, but in
|
||
# practice often causes hanging connections with brain-dead browsers. Use
|
||
# this only for browsers where you know that their SSL implementation
|
||
# works correctly.
|
||
# Notice: Most problems of broken clients are also related to the HTTP
|
||
# keep-alive facility, so you usually additionally want to disable
|
||
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
|
||
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
|
||
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
|
||
# "force-response-1.0" for this.
|
||
BrowserMatch "MSIE [2-6]" \
|
||
nokeepalive ssl-unclean-shutdown \
|
||
downgrade-1.0 force-response-1.0
|
||
# MSIE 7 and newer should be able to use keepalive
|
||
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
||
|
||
</VirtualHost>
|
||
</IfModule>
|
||
#+END_SRC
|
||
|
||
Enable your site with:
|
||
|
||
#+BEGIN_SRC: bash
|
||
a2ensite
|
||
#+END_SRC
|
||
|
||
then select the domain name and reload.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service apache2 reload
|
||
#+END_SRC
|
||
|
||
and alter permissions:
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod -R 755 /var/www/$HOSTNAME/htdocs
|
||
chown -R www-data:www-data /var/www/$HOSTNAME/htdocs
|
||
#+END_SRC
|
||
|
||
Open a browser and visit http://$HOSTNAME/install.php, then fill out the details. Once everything has been accepted without errors:
|
||
|
||
#+BEGIN_SRC: bash
|
||
rm /var/www/$HOSTNAME/htdocs/install.php
|
||
#+END_SRC
|
||
|
||
Add a few extra mime types:
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /var/www/$HOSTNAME/htdocs/conf/mime.conf
|
||
#+END_SRC
|
||
|
||
Append the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
ogv video/ogg
|
||
mp4 video/mp4
|
||
webm video/webm
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
If you need to be able to upload large files to the wiki then edit */etc/php5/apache2/php.ini* and set *upload_max_filesize* accordingly. If the directory */etc/php5/apache2* doesn't exist then you will need to install the package *libapache2-mod-php5*.
|
||
|
||
Now you can visit your wiki and begin editing.
|
||
|
||
** Install Bitmessage
|
||
|
||
#+BEGIN_VERSE
|
||
/Love your neighbour. Fight the future. If you are reading this you ARE the resistance./
|
||
|
||
-- BitChirp
|
||
#+END_VERSE
|
||
|
||
*** A new kind of Email
|
||
[[https://bitmessage.org][Bitmessage]] is a new type of messaging system intended to fulfill the same role as email, but without the security problems. In particular, Bitmessage attempts to not just encrypt the content but also the metadata. It's message broadcasting system makes it exceedingly difficult for an attacker to know which computer a message is destined for. The only way you know whether a message has been sent to you is whether you are able to decrypt it from the passing stream of messages.
|
||
|
||
Although similar to Bitcoin in some regards, such as "/proof of work/", Bitmessage has no block chain and messages are only buffered for approximately three days after which they are deleted from any given node.
|
||
|
||
Installing Bitmessage as a daemon will increase the size of the network, and therefore the level of security for all users.
|
||
|
||
*** The Daemon
|
||
|
||
Install from the current source code.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install python screen
|
||
cd /tmp
|
||
git clone https://github.com/Bitmessage/PyBitmessage.git
|
||
cd PyBitmessage
|
||
make install
|
||
#+END_SRC
|
||
|
||
Now create the daemon.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/init.d/pybitmessage
|
||
#+END_SRC
|
||
|
||
Add the following text:
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/bash
|
||
# /etc/init.d/bitmessage
|
||
|
||
### BEGIN INIT INFO
|
||
# Provides: pybitmessage
|
||
# Required-Start: $remote_fs $syslog
|
||
# Required-Stop: $remote_fs $syslog
|
||
# Default-Start: 2 3 4 5
|
||
# Default-Stop: 0 1 6
|
||
# Short-Description: starts bitmessage as a background daemon, suitable for servers
|
||
# Description: This file should be used to construct scripts to be
|
||
# placed in /etc/init.d.
|
||
### END INIT INFO
|
||
|
||
# Author: Super-Nathan <BM-Gu2k3Wy2hpTMYBxSoM2937SPcuU6xzEj>
|
||
|
||
#Settings
|
||
SERVICE='pybitmessage'
|
||
LOGFILE='/dev/null' # this disables logging
|
||
# LOGFILE='/var/log/bitmessage.log' # comment out the above line and un-comment this line to save a log
|
||
COMMAND="python bitmessagemain.py > $LOGFILE"
|
||
USERNAME='bitmsg'
|
||
NICELEVEL=19 # from 0-19 the bigger the number, the less the impact on system resources
|
||
HISTORY=1024
|
||
PBM_LOCATION="/usr/local/share/pybitmessage"
|
||
INVOCATION="nice -n ${NICELEVEL} ${COMMAND}"
|
||
PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/core_perl:/sbin:/usr/sbin:/bin:/usr/local/share/pybitmessage'
|
||
|
||
|
||
|
||
|
||
bm_start() {
|
||
echo "Starting $SERVICE..."
|
||
cd ${PBM_LOCATION}
|
||
su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME
|
||
}
|
||
|
||
|
||
bm_stop() {
|
||
echo "Stopping $SERVICE"
|
||
su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME
|
||
}
|
||
|
||
|
||
#Start-Stop here
|
||
case "$1" in
|
||
start)
|
||
bm_start
|
||
;;
|
||
stop)
|
||
bm_stop
|
||
;;
|
||
restart)
|
||
bm_stop
|
||
sleep 60s
|
||
bm_start
|
||
;;
|
||
*)
|
||
echo "Usage: $0 {start|stop|restart}"
|
||
exit 1
|
||
;;
|
||
esac
|
||
|
||
exit 0
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
Add a user which will be specifically for Bitmessage. Since bitmessage is still a relatively young and experimental project, this adds further compartmentalisation such that if there are any bugs within PyBitmessage then an attacker can't neccessarily gain control of root or any other user account. Here we create a user called /bitmsg/ and give it a long random password.
|
||
|
||
#+BEGIN_SRC: bash
|
||
adduser bitmsg
|
||
#+END_SRC
|
||
|
||
Create a /keys.dat/ file which is used to configure Bitmessage.
|
||
|
||
#+BEGIN_SRC: bash
|
||
mkdir /home/bitmsg/.config
|
||
mkdir /home/bitmsg/.config/PyBitmessage
|
||
emacs /home/bitmsg/.config/PyBitmessage/keys.dat
|
||
#+END_SRC
|
||
|
||
Add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
[bitmessagesettings]
|
||
settingsversion = 7
|
||
port = 8444
|
||
timeformat = %%a, %%d %%b %%Y %%I:%%M %%p
|
||
blackwhitelist = black
|
||
startonlogon = false
|
||
minimizetotray = false
|
||
showtraynotifications = false
|
||
startintray = false
|
||
socksproxytype = none
|
||
sockshostname = localhost
|
||
socksport = 9050
|
||
socksauthentication = false
|
||
sockslisten = false
|
||
socksusername =
|
||
sockspassword =
|
||
keysencrypted = false
|
||
messagesencrypted = false
|
||
defaultnoncetrialsperbyte = 640
|
||
defaultpayloadlengthextrabytes = 14000
|
||
minimizeonclose = false
|
||
maxacceptablenoncetrialsperbyte = 0
|
||
maxacceptablepayloadlengthextrabytes = 0
|
||
userlocale = system
|
||
namecoinrpctype = namecoind
|
||
namecoinrpchost = localhost
|
||
namecoinrpcuser =
|
||
namecoinrpcpassword =
|
||
namecoinrpcport = 8336
|
||
sendoutgoingconnections = True
|
||
daemon = true
|
||
#+END_SRC
|
||
|
||
Save and exit. Then enable the daemon and run it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
rm -f /tmp/-usr-local-share-pybitmessage-*.lock
|
||
chown -R bitmsg:bitmsg /home/bitmsg
|
||
chmod +x /etc/init.d/pybitmessage
|
||
update-rc.d pybitmessage defaults
|
||
service pybitmessage start
|
||
#+END_SRC
|
||
|
||
Now open port 8444 on your internet router or firewall and direct it to the BBB.
|
||
|
||
*** Using Bitmessage
|
||
Although in principle it would be possible to send Bitmessages directly from the BBB, in practice the /proof of work/ requirement would mean that it would take an infeasibly long time to send messages, and the computational workload would likely greatly impair the performance of other services also running on the system. So to send and receive Bitmessages it's better to just install the client on a laptop or desktop machine.
|
||
|
||
The easiest way to install the client is either to download it from [[https://bitmessage.org][bitmessage.org]] or to get the latest build from Github as follows:
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /tmp
|
||
git clone https://github.com/Bitmessage/PyBitmessage.git
|
||
cd PyBitmessage
|
||
make install
|
||
pybitmessage
|
||
#+END_SRC
|
||
|
||
*** Connect to Email
|
||
Surely Bitmessage is supposed to be a
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /tmp
|
||
wget http://freedombone.uk.to/notbit.tar.gz
|
||
#+END_SRC
|
||
|
||
Verify it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
sha256sum notbit.tar.gz
|
||
972fdc9cbb8034141282337dcd5e557bce57969ff6bd1d607da89bd93cc7bb68
|
||
#+END_SRC
|
||
|
||
Extract and install it.
|
||
|
||
#+BEGIN_SRC: bash
|
||
tar -xzvf notbit.tar.gz
|
||
cd notbit
|
||
apt-get install dh-autoreconf
|
||
./autogen.sh --prefix=/home/myusername
|
||
make
|
||
make install
|
||
#+END_SRC
|
||
|
||
** Overcome restrictive environments
|
||
|
||
#+BEGIN_VERSE
|
||
/Censorship reflects a society's lack of confidence in itself. It is a hallmark of an authoritarian regime./
|
||
|
||
-- Potter Stewart
|
||
#+END_VERSE
|
||
|
||
In some environments, such as behind corporate firewalls or under regimes hostile towards the idea of open access to knowledge and information you may find that you're not able to use tools such as /ssh/ to get access to the BBB. In the worst case all ports other than 80 and 443 may be blocked.
|
||
|
||
In that scenario you can use a tool called [[http://code.google.com/p/shellinabox/][shellinabox]] to log into your BBB via your web site rather than via a terminal. This means that you can administrate your system from any device which has a web browser and keyboard.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install shellinabox libapache2-mod-proxy-html
|
||
#+END_SRC
|
||
|
||
Update your Apache configuration.
|
||
|
||
#+BEGIN_SRC: bash
|
||
export HOSTNAME=mydomainname.com
|
||
emacs /etc/apache2/sites-available/$HOSTNAME
|
||
#+END_SRC
|
||
|
||
Within the section which begins with *<VirtualHost *:443>* add the following, replacing /mydomainname.com/ with your domain name and /myusername/ with your username.
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Location /shell>
|
||
ProxyPass http://localhost:4200/
|
||
Order allow,deny
|
||
Allow from all
|
||
|
||
AuthName "Authentication for shellinabox"
|
||
AuthUserFile /home/mydomainname.com/public_html/.htpasswd
|
||
AuthGroupFile /home/mydomainname.com/public_html/.htgroup
|
||
AuthType Basic
|
||
Require group shellinabox
|
||
Require user myusername
|
||
</Location>
|
||
#+END_SRC
|
||
|
||
Save and exit, then create a login password. It's recommended that the password be a long random string and that you then access it using a password manager such as KeepassX.
|
||
|
||
#+BEGIN_SRC: bash
|
||
mkdir /home/$HOSTNAME
|
||
mkdir /home/$HOSTNAME/public_html
|
||
htpasswd -c /home/$HOSTNAME/public_html/.htpasswd myusername
|
||
#+END_SRC
|
||
|
||
Create a user group.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /home/$HOSTNAME/public_html/.htgroup
|
||
#+END_SRC
|
||
|
||
Add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
shellinabox: myusername
|
||
#+END_SRC
|
||
|
||
Save and exit, then restart Apache.
|
||
|
||
#+BEGIN_SRC: bash
|
||
a2enmod proxy_http
|
||
service apache2 restart
|
||
#+END_SRC
|
||
|
||
Now with a web browser navigate to https://mydomainname.com/shell and log in.
|
||
|
||
If you're in a very locked down environment where access to web sites is severely restricted then as a last resort you may be able to use a command line browser, such as [[https://en.wikipedia.org/wiki/Lynx_%28web_browser%29][lynx]] from within /shellinabox/.
|
||
|
||
** Set up a mailing list
|
||
|
||
#+BEGIN_VERSE
|
||
/All over the world there are many people who are united in creating software, content, and culture that is freely available for others to share, enjoy and enrich their lives. Together we believe that freedom is good. We believe it helps people do good things, make better choices, and lead safer and more secure lives. Together we are a community united by this belief./
|
||
|
||
-- Jono Bacon
|
||
#+END_VERSE
|
||
|
||
*** With Email
|
||
Email mailing lists are old skool but still remain as a common and easy way of communicating on the internet. If you're running a public organisation such as an open source project or community group then you may want to set one up.
|
||
|
||
**** Installation
|
||
|
||
#+BEGIN_SRC: bash
|
||
export HOSTNAME=mydomainname.com
|
||
apt-get install mailman
|
||
newlist mailman
|
||
#+END_SRC
|
||
|
||
Enter an email address for the list administrator and a password.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/mailman/mm_cfg.py
|
||
#+END_SRC
|
||
|
||
Set *MTA=None* and change *http:* to *https:*, then save and exit.
|
||
|
||
Add some settings.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/exim4/conf.d/main/04_mailman_options
|
||
#+END_SRC
|
||
|
||
Add the following, replacing /mydomainname.com/ with your domain name.
|
||
|
||
#+BEGIN_SRC: bash
|
||
# Mailman macro definitions
|
||
|
||
# Home dir for the Mailman installation
|
||
MM_HOME=/var/lib/mailman
|
||
|
||
# User and group for Mailman
|
||
MM_UID=list
|
||
MM_GID=list
|
||
|
||
#
|
||
# Domains that your lists are in - colon separated list
|
||
# you may wish to add these into local_domains as well
|
||
domainlist mm_domains=mydomainname.com
|
||
|
||
# The path of the Mailman mail wrapper script
|
||
MM_WRAP=MM_HOME/mail/mailman
|
||
#
|
||
# The path of the list config file (used as a required file when
|
||
# verifying list addresses)
|
||
MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/exim4/conf.d/main/000_localmacros
|
||
#+END_SRC
|
||
|
||
Append the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe
|
||
SYSTEM_ALIASES_USER = list
|
||
SYSTEM_ALIASES_GROUP = list
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
|
||
#+END_SRC
|
||
|
||
Append the following, before the final /accept/:
|
||
|
||
#+BEGIN_SRC: bash
|
||
# Do callback verification unless Mailman incoming bounce
|
||
deny !local_parts = *-bounces : *-bounces+*
|
||
!verify = sender/callout=30s,defer_ok
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs
|
||
/etc/exim4/conf.d/router/450_mailman_aliases
|
||
#+END_SRC
|
||
|
||
Add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
mailman_router:
|
||
driver = accept
|
||
domains = +mm_domains
|
||
require_files = MM_LISTCHK
|
||
local_part_suffix_optional
|
||
local_part_suffix = -admin : \
|
||
-bounces : -bounces+* : \
|
||
-confirm : -confirm+* : \
|
||
-join : -leave : \
|
||
-owner : -request : \
|
||
-subscribe : -unsubscribe
|
||
transport = mailman_transport
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/exim4/conf.d/transport/40_mailman_pipe
|
||
#+END_SRC
|
||
|
||
Add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
mailman_transport:
|
||
driver = pipe
|
||
command = MM_WRAP \
|
||
'${if def:local_part_suffix \
|
||
{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
|
||
{post}}' \
|
||
$local_part
|
||
current_directory = MM_HOME
|
||
home_directory = MM_HOME
|
||
user = MM_UID
|
||
group = MM_GID
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chown root:list /var/lib/mailman/mail/mailman
|
||
update-exim4.conf.template -r
|
||
update-exim4.conf
|
||
service exim4 restart
|
||
emacs /etc/apache2/conf.d/mailman
|
||
#+END_SRC
|
||
|
||
Add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
Alias /pipermail /var/lib/mailman/archives/public
|
||
Alias /images/mailman /usr/share/images/mailman
|
||
<directory /var/lib/mailman/archives/public>
|
||
DirectoryIndex index.html
|
||
</directory>
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/apache2/sites-available/$HOSTNAME
|
||
#+END_SRC
|
||
|
||
Add the following to the 443 section.
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Location /mailman>
|
||
Options Indexes FollowSymLinks MultiViews
|
||
Order allow,deny
|
||
Allow from all
|
||
|
||
RedirectMatch ^/$ /cgi-bin/mailman/listinfo
|
||
</Location>
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service apache2 restart
|
||
#+END_SRC
|
||
|
||
Now add your mailing list. The list name should not include any spaces.
|
||
|
||
#+BEGIN_SRC: bash
|
||
newlist mymailinglistname
|
||
#+END_SRC
|
||
|
||
With a browser visit https://$HOSTNAME/cgi-bin/mailman/admin/mymailinglistname to configure the mailing list.
|
||
|
||
Under *General Options* add an email address for a moderator (could be the same as the administrator) and click *Submit your changes*.
|
||
|
||
Under *Privacy Options* set steps required for subscription to *Confirm and approve* and click *Submit your changes*.
|
||
|
||
Also change these settings for the account within https://$HOSTNAME/cgi-bin/mailman/admin/mailman
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/aliases
|
||
#+END_SRC
|
||
|
||
Append the following, replacing /mymailinglistname/ with your mailing list name:
|
||
|
||
#+BEGIN_SRC: bash
|
||
mymailinglistname: "|/var/lib/mailman/mail/mailman post mymailinglistname"
|
||
mymailinglistname-admin: "|/var/lib/mailman/mail/mailman admin mymailinglistname"
|
||
mymailinglistname-bounces: "|/var/lib/mailman/mail/mailman bounces mymailinglistname"
|
||
mymailinglistname-confirm: "|/var/lib/mailman/mail/mailman confirm mymailinglistname"
|
||
mymailinglistname-join: "|/var/lib/mailman/mail/mailman join mymailinglistname"
|
||
mymailinglistname-leave: "|/var/lib/mailman/mail/mailman leave mymailinglistname"
|
||
mymailinglistname-owner: "|/var/lib/mailman/mail/mailman owner mymailinglistname"
|
||
mymailinglistname-request: "|/var/lib/mailman/mail/mailman request mymailinglistname"
|
||
mymailinglistname-subscribe: "|/var/lib/mailman/mail/mailman subscribe mymailinglistname"
|
||
mymailinglistname-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mymailinglistname"
|
||
#+END_SRC
|
||
|
||
Save and exit. Then to test that the mailing list works:
|
||
|
||
#+BEGIN_SRC: bash
|
||
exim -d+route -bt mymailinglistname@$HOSTNAME
|
||
#+END_SRC
|
||
|
||
If everything is working then this shouldn't show any problems.
|
||
|
||
**** Using the mailing list
|
||
Direct subscribers towards:
|
||
|
||
#+BEGIN_SRC: bash
|
||
https://mydomainname.com/cgi-bin/mailman/listinfo/mymailinglistname
|
||
#+END_SRC
|
||
|
||
To administrate the list visit:
|
||
|
||
#+BEGIN_SRC: bash
|
||
https://mydomainname.com/cgi-bin/mailman/admin/mymailinglistname
|
||
#+END_SRC
|
||
|
||
To add another mailing list:
|
||
|
||
#+BEGIN_SRC: bash
|
||
newlist mymailinglistname
|
||
#+END_SRC
|
||
|
||
To delete a mailing list:
|
||
|
||
#+BEGIN_SRC: bash
|
||
rmlist -a mymailinglistname
|
||
#+END_SRC
|
||
|
||
*** With Bitmessage
|
||
On your local machine (not the BBB) you can make a private mailing list which is difficult to censor and where there is no single point of failure. This type of mailing list is known as a "chan".
|
||
|
||
On a Debian based system:
|
||
|
||
#+BEGIN_SRC: bash
|
||
sudo apt-get install makepasswd
|
||
#+END_SRC
|
||
|
||
or on an RPM based system:
|
||
|
||
#+BEGIN_SRC: bash
|
||
sudo yum install makepasswd
|
||
#+END_SRC
|
||
|
||
Create a name for your mailing list. This will be a random string.
|
||
|
||
#+BEGIN_SRC: bash
|
||
makepasswd -c 40
|
||
#+END_SRC
|
||
|
||
Keep a note of this.
|
||
|
||
Run the Bitmessage client and on the menu select *File/Join-Create Chan/Create new chan*
|
||
|
||
Enter the random string which you created as the name of the mailing list. Also take a note of the BM address which is created.
|
||
|
||
You can hand out the random string used to generate the mailing list and its corresponding BM address to fellow members, either within a bitmessage or on paper or via [[https://en.wikipedia.org/wiki/Sneakernet][sneakernet]] or in a GPG/PGP encrypted email or via an XMPP+OTR or Friendica private message. Once others have those two pieces of data then they will be able to join.
|
||
|
||
To make the list easier to identify, rather than just appearing as a random string, then under the *Your Identities* tab right click on it and select *Set Avatar* and assign a suitable icon.
|
||
|
||
The disadvantage of this type of mailing list is that it's not possible for any one participant to act as a list moderator, or in other words each participant must do their own moderation. That's ok if the size of the group is small, but if it's larger then anyone spamming or trolling the list can make things miserable for the others.
|
||
** Install Tripwire
|
||
|
||
#+BEGIN_VERSE
|
||
/...by the time you get done with all of that, we have a freedom box/
|
||
|
||
-- Eben Moglen
|
||
#+END_VERSE
|
||
|
||
Tripwire will try to detect any intrusions into your system. It's a good idea to install it after you have installed all of the other programs which you intend to use.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install tripwire
|
||
export HOSTNAME=mydomainname.com
|
||
cd /etc/tripwire
|
||
cp arm-local.key $HOSTNAME-local.key
|
||
cp site.key $HOSTNAME-site.key
|
||
tripwire --init
|
||
tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
|
||
tripwire --check --interactive
|
||
#+END_SRC
|
||
|
||
you will be asked for two passphrases ("site" and "local"). Make a note of these.
|
||
|
||
Turn off reporting of changes to system logs.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/tripwire/twcfg.txt
|
||
#+END_SRC
|
||
|
||
Set *SYSLOGREPORTING* to false, then save and exit.
|
||
|
||
If you subsequently install any more packages or make configuration changes then update the policy again with:
|
||
|
||
#+BEGIN_SRC: bash
|
||
tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
|
||
#+END_SRC
|
||
|
||
Also, to look for any rootkits.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install rkhunter
|
||
#+END_SRC
|
||
|
||
* Router/Firewall ports
|
||
The following ports on your internet router/firewall should be forwarded to the BBB.
|
||
|
||
| Protocol | Port/s |
|
||
|---------------+------------|
|
||
| Gopher | 70 |
|
||
| HTTP | 80 |
|
||
| HTTPS | 443 |
|
||
| IMAP | 143 |
|
||
| IRC SSL | 6670 |
|
||
| SIP | 5060..5061 |
|
||
| SMTP | 25 |
|
||
| SMTPS | 465 |
|
||
| SSH | 22 |
|
||
| XMPP | 5222..5223 |
|
||
| XMPP (server) | 5269 |
|
||
| XMPP (BOSH) | 5280..5281 |
|
||
| Bitmessage | 8444 |
|
||
|
||
* Hints and Tips
|
||
** Messaging security
|
||
If you're connected to other friends via Friendica then the preferred way to send private messages is via Friendica's built-in messaging system. This is a lot more convenient than using GPG with ordinary email and yet still provides a similar level of protection from unwarranted interception.
|
||
** Moving Domains
|
||
If you're moving servers and using a different domain name or path then you can search and replace URLs within files in the following way:
|
||
|
||
#+BEGIN_SRC: bash
|
||
find /var/www/mynewdomain/htdocs -type f -exec sed -i 's@myolddomain@mynewdomain@g' {} \;
|
||
#+END_SRC
|
||
|
||
** MySql foo
|
||
*** Backup all databases
|
||
To back up all mysql databases:
|
||
|
||
#+BEGIN_SRC: bash
|
||
mysqldump -u root -p --all-databases --events > /var/backups/databasebackup.sql
|
||
#+END_SRC
|
||
*** Restoring a particular mysql database
|
||
To restore yesterday's friendica backup:
|
||
|
||
#+BEGIN_SRC: bash
|
||
mysql -D friendica -o < /var/backups/friendica_daily.sql
|
||
#+END_SRC
|
||
|
||
To restore yesterday's mediawiki backup:
|
||
|
||
#+BEGIN_SRC: bash
|
||
mysql -D wikidb -o < /var/backups/wikidb_daily.sql
|
||
#+END_SRC
|
||
*** Removing mysql server
|
||
|
||
If you manage to screw up sql server completely then it can be fully deleted with:
|
||
|
||
#+BEGIN_SRC: bash
|
||
ps aux | grep mysql
|
||
#+END_SRC
|
||
|
||
and use /kill -9 <pid>/ to kill all mysql processes.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get remove --purge mysql\*
|
||
apt-get clean
|
||
updatedb
|
||
#+END_SRC
|
||
* Deprecated
|
||
|
||
The following items have been deprecated until such time as a successful installation is achieved.
|
||
|
||
** Collaborative Document Editing
|
||
|
||
#+BEGIN_VERSE
|
||
/Openness and participation are antidotes to surveillance and control./
|
||
|
||
-- Howard Rheingold
|
||
#+END_VERSE
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install nodejs-legacy
|
||
curl https://npmjs.org/install.sh | sh
|
||
#+END_SRC
|
||
|
||
Create an etherpad database.
|
||
|
||
#+BEGIN_SRC: bash
|
||
mysql -p
|
||
CREATE DATABASE etherpad CHARACTER SET utf8 COLLATE utf8_general_ci;
|
||
GRANT ALL PRIVILEGES ON etherpad.* TO etherpad@localhost IDENTIFIED BY '__yourPasswd__';
|
||
FLUSH PRIVILEGES;
|
||
exit
|
||
#+END_SRC
|
||
|
||
Download etherpad.
|
||
|
||
#+BEGIN_SRC: bash
|
||
export HOSTNAME=mydomainname.com
|
||
cd /var/www/$HOSTNAME/htdocs
|
||
git clone git://github.com/ether/etherpad-lite.git etherpad
|
||
#+END_SRC
|
||
|
||
Edit the configuration file
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /var/www/$HOSTNAME/htdocs/etherpad
|
||
cp settings.json.template settings.json
|
||
emacs /var/www/$HOSTNAME/htdocs/etherpad/settings.json
|
||
#+END_SRC
|
||
|
||
Change the following settings. /rAnD0m5tRIng/ should be altered to a random string 10 characters in length.
|
||
|
||
#+BEGIN_SRC: bash
|
||
//IP and port which etherpad should bind at
|
||
"ip": "127.0.0.1",
|
||
// set a session key
|
||
"sessionKey" : "rAnD0m5tRIng",
|
||
//configure the connection settings
|
||
"dbType" : "mysql",
|
||
"dbSettings" : {
|
||
"user" : "etherpad",
|
||
"host" : "localhost",
|
||
"password": "__yourPassword__",
|
||
"database": "etherpad"
|
||
},
|
||
// add admin user
|
||
"users": {
|
||
"admin": {
|
||
"password": "__yourAdminPassword__",
|
||
"is_admin": true
|
||
}
|
||
},
|
||
#+END_SRC
|
||
|
||
Save and exit, then create a system user.
|
||
|
||
#+BEGIN_SRC: bash
|
||
adduser --system --home=/var/www/$HOSTNAME/htdocs/etherpad/ --group etherpad
|
||
chown -R etherpad: /var/www/$HOSTNAME/htdocs/etherpad/
|
||
#+END_SRC
|
||
|
||
Create an init script using your favorite editor.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/init.d/etherpad
|
||
#+END_SRC
|
||
|
||
Add the following, replacing /mydomainname.com/ with your domain name:
|
||
|
||
#+BEGIN_SRC: bash
|
||
#!/bin/sh
|
||
|
||
### BEGIN INIT INFO
|
||
# Provides: etherpad-lite
|
||
# Required-Start: $local_fs $remote_fs $network $syslog
|
||
# Required-Stop: $local_fs $remote_fs $network $syslog
|
||
# Default-Start: 2 3 4 5
|
||
# Default-Stop: 0 1 6
|
||
# Short-Description: starts etherpad lite
|
||
# Description: starts etherpad lite using start-stop-daemon
|
||
### END INIT INFO
|
||
|
||
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/node/bin"
|
||
LOGFILE="/var/www/mydomainname.com/htdocs/etherpad/etherpad-lite.log"
|
||
EPLITE_DIR="/var/www/mydomainname.com/htdocs/etherpad"
|
||
EPLITE_BIN="bin/safeRun.sh"
|
||
USER="etherpad"
|
||
GROUP="etherpad"
|
||
DESC="Etherpad Lite"
|
||
NAME="etherpad-lite"
|
||
|
||
set -e
|
||
|
||
. /lib/lsb/init-functions
|
||
|
||
start() {
|
||
echo "Starting $DESC... "
|
||
|
||
start-stop-daemon --start --chuid "$USER:$GROUP" --background --make-pidfile --pidfile /var/run/$NAME.pid --exec $EPLITE_DIR/$EPLITE_BIN -- $LOGFILE || true
|
||
echo "done"
|
||
}
|
||
|
||
#We need this function to ensure the whole process tree will be killed
|
||
killtree() {
|
||
local _pid=$1
|
||
local _sig=${2-TERM}
|
||
for _child in $(ps -o pid --no-headers --ppid ${_pid}); do
|
||
killtree ${_child} ${_sig}
|
||
done
|
||
kill -${_sig} ${_pid}
|
||
}
|
||
|
||
stop() {
|
||
echo "Stopping $DESC... "
|
||
while test -d /proc/$(cat /var/run/$NAME.pid); do
|
||
killtree $(cat /var/run/$NAME.pid) 15
|
||
sleep 0.5
|
||
done
|
||
rm /var/run/$NAME.pid
|
||
echo "done"
|
||
}
|
||
|
||
status() {
|
||
status_of_proc -p /var/run/$NAME.pid "" "etherpad-lite" && exit 0 || exit $?
|
||
}
|
||
|
||
case "$1" in
|
||
start)
|
||
start
|
||
;;
|
||
stop)
|
||
stop
|
||
;;
|
||
restart)
|
||
stop
|
||
start
|
||
;;
|
||
status)
|
||
status
|
||
;;
|
||
*)
|
||
echo "Usage: $NAME {start|stop|restart|status}" >&2
|
||
exit 1
|
||
;;
|
||
esac
|
||
|
||
exit 0
|
||
#+END_SRC
|
||
|
||
Save and exit, then enable the daemon.
|
||
|
||
#+BEGIN_SRC: bash
|
||
chmod +x /etc/init.d/etherpad
|
||
update-rc.d etherpad defaults
|
||
service etherpad start
|
||
#+END_SRC
|
||
|
||
Update your Apache configuration.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/apache2/sites-available/$HOSTNAME
|
||
#+END_SRC
|
||
|
||
Within the section which begins with *<VirtualHost *:443>* add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Location /etherpad>
|
||
ProxyPass http://localhost:9001/
|
||
ProxyPassReverse http://localhost:9001/
|
||
|
||
Order allow,deny
|
||
allow from all
|
||
|
||
AuthName "Welcome to Etherpad"
|
||
AuthUserFile /home/mydomainname.com/public_html/.htpasswd
|
||
AuthGroupFile /home/mydomainname.com/public_html/.htgroup
|
||
AuthType Basic
|
||
Require group etherpad
|
||
</Location>
|
||
#+END_SRC
|
||
|
||
Save and exit, then restart Apache.
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install libapache2-mod-proxy-html
|
||
a2enmod proxy proxy_http headers deflate
|
||
service apache2 restart
|
||
#+END_SRC
|
||
|
||
Create some passwords for users.
|
||
|
||
#+BEGIN_SRC: bash
|
||
mkdir /home/$HOSTNAME
|
||
mkdir /home/$HOSTNAME/public_html
|
||
htpasswd -c /home/$HOSTNAME/public_html/.htpasswd myusername
|
||
#+END_SRC
|
||
|
||
Create a user group.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /home/$HOSTNAME/public_html/.htgroup
|
||
#+END_SRC
|
||
|
||
Add the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
etherpad: myusername
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
** Install a VoIP server
|
||
|
||
#+BEGIN_VERSE
|
||
/Our core principles, whether in software or sovereignty, have always been about freedom and dignity, for all people, on an equal basis/
|
||
|
||
-- David Sugar, GNU Telephony
|
||
#+END_VERSE
|
||
|
||
*** The server
|
||
Sipwitch is like an introduction service or phone book for SIP VoIP clients. Once introduced the clients can then talk directly, and this means that sipwitch is very lightweight and can run on low power systems such as the BBB.
|
||
|
||
Edit your package sources:
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/apt/sources.list
|
||
#+END_SRC
|
||
|
||
Append the following line:
|
||
|
||
#+BEGIN_SRC: bash
|
||
deb http://dev.gnutelephony.org/archive/ wheezy/
|
||
#+END_SRC
|
||
|
||
Save and exit.
|
||
|
||
To load the repository the first time after adding it to the sources.list, since you do not have the verification keys already installed yet. Then do
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install gnutelephony-keyring
|
||
#+END_SRC
|
||
|
||
After that it will be happy to accept it as a signed repository. The verification keys can also be directly fetched with
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /tmp
|
||
wget http://dev.gnutelephony.org/archive/wheezy/public.key
|
||
#+END_SRC
|
||
|
||
and manually added instead with
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-key add public.key
|
||
#+END_SRC
|
||
|
||
To make sure you have all dependencies, do
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get update;apt-get dist-upgrade
|
||
#+END_SRC
|
||
|
||
Before we install anything, let's inspect what is available to us by using
|
||
|
||
#+BEGIN_SRC: bash
|
||
dpkg -l sipwitch
|
||
#+END_SRC
|
||
|
||
To see the main application. The columns will indicate if the package is installed, which version and a description of the package. Then do
|
||
|
||
#+BEGIN_SRC: bash
|
||
dpkg -l sipwitch-*
|
||
#+END_SRC
|
||
|
||
to see available supporting applications and plugins. Again, the columns will indicate if the package is installed, which version and a description of each of these.
|
||
|
||
To install only the main application, do
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install sipwitch
|
||
#+END_SRC
|
||
|
||
and to install all supporting plugins:
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install sipwitch-plugin-scripting sipwitch-plugin-subscriber sipwitch-plugin-forward sipwitch-plugin-zeroconf
|
||
#+END_SRC
|
||
|
||
Add your user into the sipwitch group
|
||
|
||
#+BEGIN_SRC: bash
|
||
groupadd sipwitch
|
||
groupadd sipusers
|
||
usermod -aG sipwitch myusername
|
||
usermod -aG sipusers myusername
|
||
#+END_SRC
|
||
|
||
Then edit the configuration
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/sipwitch.conf
|
||
#+END_SRC
|
||
|
||
Change the *mapped* value from 200 to 20, since we don't want to be serving huge numbers of calls.
|
||
|
||
Alter the *range* value to 10, since we don't need a large number of extensions. This will mean that exension numbers 200 to 209 are available.
|
||
|
||
Do not set the *realm* value, as doing so seems to prevent the server from working.
|
||
|
||
Save and exit.
|
||
|
||
Create a digest string for your username:
|
||
|
||
#+BEGIN_SRC: bash
|
||
sipwitch digest myusername
|
||
#+END_SRC
|
||
|
||
Make a note of the resulting string because you're going to use it in the users file you'll now create.
|
||
|
||
#+BEGIN_SRC: bash
|
||
export HOSTNAME=mydomainname.com
|
||
touch /etc/sipwitch.d/$HOSTNAME.xml
|
||
chmod 600 /etc/sipwitch.d/$HOSTNAME.xml
|
||
emacs /etc/sipwitch.d/$HOSTNAME.xml
|
||
#+END_SRC
|
||
|
||
It should look something like the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
<provision>
|
||
<user id="myusername">
|
||
<digest>yourdigeststring</digest>
|
||
<extension>201</extension>
|
||
<display>Your full name</display>
|
||
</user>
|
||
</provision>
|
||
#+END_SRC
|
||
|
||
Save and exit. Now edit the configuration.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/default/sipwitch
|
||
#+END_SRC
|
||
|
||
Change "desktop" to "server", then save and exit.
|
||
|
||
Update the IP settings:
|
||
|
||
#+BEGIN_SRC: bash
|
||
iptables -A INPUT -p tcp --dport 5060 -j ACCEPT
|
||
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
|
||
iptables -A INPUT -p tcp --dport 5061 -j ACCEPT
|
||
iptables -A INPUT -p udp --dport 5061 -j ACCEPT
|
||
iptables-save
|
||
#+END_SRC
|
||
|
||
Test that it's working:
|
||
|
||
#+BEGIN_SRC: bash
|
||
pkill -9 sipw
|
||
sipw -x9 -f
|
||
#+END_SRC
|
||
|
||
Then try to register with the server using a SIP client (such as Jitsi). If everything worked then use CTRL-C to exit. Then start the service.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service sipwitch start
|
||
#+END_SRC
|
||
|
||
*** Clients
|
||
**** Jitsi
|
||
Download the latst version from https://jitsi.org/index.php/Main/Download
|
||
|
||
TODO
|
||
**** Twinkle client
|
||
|
||
The client should have a user profile as following:
|
||
|
||
The "user name" is the xxx id used in the <user id="xxx"> entry of /etc/sipwitch.conf
|
||
|
||
The "domain" is the yyy domain in the main config <stack><domain>yyy entry of /etc/sipwitch.conf
|
||
|
||
The SIP Authentication should have:
|
||
|
||
realm = realm as set in <registry><realm> of /etc/sipwitch.conf
|
||
|
||
authentication name = <user id="xx"> entry, same as "User Name" field.
|
||
|
||
password = value of <secret>zzz in <user> entry of /etc/sipwitch.conf
|
||
|
||
Under security tab, set "Enable ZRTP/SRTP encryption"
|
||
**** Android
|
||
TODO
|
||
|
||
CSipSimple?
|
||
** Install Mediagoblin
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install git-core python python-dev python-lxml python-imaging python-virtualenv apache2-suexec libapache2-mod-fcgid
|
||
#+END_SRC
|
||
|
||
#+BEGIN_SRC: bash
|
||
adduser --system mediagoblin
|
||
addgroup mediagoblin
|
||
adduser mediagoblin mediagoblin
|
||
export HOSTNAME=mydomainname.com
|
||
cd /var/www/$HOSTNAME/htdocs
|
||
git clone git://gitorious.org/mediagoblin/mediagoblin.git mediagoblin
|
||
chown -hR mediagoblin:mediagoblin /var/www/$HOSTNAME/htdocs/mediagoblin
|
||
cd /var/www/$HOSTNAME/htdocs/mediagoblin
|
||
git submodule init && git submodule update
|
||
cp mediagoblin.ini mediagoblin_local.ini
|
||
emacs mediagoblin.ini
|
||
#+END_SRC
|
||
|
||
Set email_sender_address to the address you wish to be used as the sender for system-generated emails
|
||
|
||
Edit direct_remote_path, base_dir, and base_url if your mediagoblin directory is not the root directory of your vhost.
|
||
|
||
Save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
a2enmod suexec
|
||
a2enmod fcgid
|
||
emacs /etc/apache2/sites-available/$HOSTNAME
|
||
#+END_SRC
|
||
|
||
Add the following to the 80 virtual host, replacing mydomainname.com with your domain name.
|
||
|
||
#+BEGIN_SRC: bash
|
||
<Directory /var/www/mydomainname.com/htdocs/mediagoblin>
|
||
deny from all
|
||
</Directory>
|
||
#+END_SRC
|
||
|
||
Add the following to the 443 virtual host.
|
||
|
||
#+BEGIN_SRC: bash
|
||
# Serve static and media files via alias
|
||
Alias /mgoblin_static/ /var/www/mydomainname.com/htdocs/mediagoblin/mediagoblin/static/
|
||
Alias /mgoblin_media/ /var/www/mydomainname.com/htdocs/mediagoblin/user_dev/media/public/
|
||
|
||
# Rewrite all URLs to fcgi, except for static and media urls
|
||
RewriteEngine On
|
||
RewriteRule ^(mgoblin_static|mgoblin_media)($|/) - [L]
|
||
RewriteCond %{REQUEST_FILENAME} !-f
|
||
RewriteRule ^/(.*)$ /mg.fcgi/$1 [QSA,L]
|
||
|
||
# Allow access to static and media directories
|
||
<Directory /var/www/mydomainname.com/htdocs/mediagoblin/mediagoblin/static>
|
||
Order allow,deny
|
||
Allow from all
|
||
</Directory>
|
||
<Directory /var/www/mydomainname.com/htdocs/mediagoblin/mediagoblin/user_dev/media/public>
|
||
Order allow,deny
|
||
Allow from all
|
||
</Directory>
|
||
|
||
# Connect to fcgi server
|
||
FastCGIExternalServer /var/www/mg.fcgi -host 127.0.0.1:26543
|
||
#+END_SRC
|
||
|
||
Save and exit
|
||
|
||
#+BEGIN_SRC: bash
|
||
cd /var/www/$HOSTNAME/htdocs/mediagoblin
|
||
./lazyserver.sh --server-name=fcgi fcgi_host=127.0.0.1 fcgi_port=26543
|
||
#+END_SRC
|
||
|
||
https://github.com/joar/mediagoblin-init-scripts
|
||
|
||
** Kune
|
||
Kune is a collaboration tool aimed at not just socialising but also getting stuff done within a community. It's based upon Apache Wave (formerly Google Wave).
|
||
|
||
#+BEGIN_SRC: bash
|
||
apt-get install openjdk-6-jdk openjdk-7-jre mysql-server adduser dbconfig-common libjmagick6-jni
|
||
#+END_SRC
|
||
|
||
Add the Kune repository:
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/apt/sources.list
|
||
#+END_SRC
|
||
|
||
Append the following:
|
||
|
||
#+BEGIN_SRC: bash
|
||
deb ftp://ftp.kune.ourproject.org/pub/kune/debian/ stable/
|
||
#+END_SRC
|
||
|
||
Save and exit, then install the Kune package.
|
||
|
||
#+BEGIN_SRC: bash
|
||
gpg --keyserver pgp.mit.edu --recv-keys 9E358A05
|
||
gpg --armor --export 9E358A05 | apt-key add -
|
||
apt-get update
|
||
apt-get install kune
|
||
#+END_SRC
|
||
|
||
You will be asked for the MySql root password and another password to be used with the Kune database.
|
||
|
||
Allow the system to start automatically at boot.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/default/kune
|
||
#+END_SRC
|
||
|
||
Set /START=yes/, then save and exit.
|
||
|
||
#+BEGIN_SRC: bash
|
||
service kune start
|
||
#+END_SRC
|
||
|
||
Now configure Apache.
|
||
|
||
#+BEGIN_SRC: bash
|
||
a2enmod expires
|
||
a2enmod proxy
|
||
a2enmod proxy_connect
|
||
a2enmod proxy_http
|
||
#+END_SRC
|
||
|
||
Upgrade the database.
|
||
|
||
#+BEGIN_SRC: bash
|
||
mysql -p kune_prod < /usr/share/dbconfig-common/data/kune/upgrade/mysql/0.1.0+b5
|
||
mysql -p kune_prod < /usr/share/dbconfig-common/data/kune/upgrade/mysql/0.1.0+b6
|
||
mysql -p kune_prod < /usr/share/dbconfig-common/data/kune/upgrade/mysql/0.2.0+b12
|
||
mysql -p kune_prod < /usr/share/dbconfig-common/data/kune/upgrade/mysql/0.2.0+b23
|
||
mysql -p kune_prod < /usr/share/dbconfig-common/data/kune/upgrade/mysql/0.2.0+b25
|
||
#+END_SRC
|
||
|
||
Edit the Apache configuration.
|
||
|
||
#+BEGIN_SRC: bash
|
||
emacs /etc/apache2/sites-available/$HOSTNAME
|
||
#+END_SRC
|
||
|
||
<VirtualHost *:80>
|
||
ServerName YOURSERVERNAME
|
||
|
||
ProxyRequests Off
|
||
<Proxy *>
|
||
Order deny,allow
|
||
Allow from all
|
||
</Proxy>
|
||
|
||
<Files *.cache.*>
|
||
ExpiresActive On
|
||
ExpiresDefault "modification plus 2 years"
|
||
</Files>
|
||
|
||
<Files *.nocache.*>
|
||
ExpiresActive Off
|
||
</Files>
|
||
|
||
ProxyPass /kune/ http://localhost:8888/
|
||
ProxyPassReverse /kune/ http://localhost:8888/
|
||
<Location /var/www/mydomainname.com/htdocs/kune/>
|
||
Order allow,deny
|
||
Allow from all
|
||
</Location>
|
||
</VirtualHost>
|
||
|
||
|
||
Within a browser open https://mydomainname.com:8888
|
||
|
||
See documentation in /usr/share/doc/kune/INSTALL.gz
|
||
|
||
* Related projects
|
||
|
||
* [[https://freedomboxfoundation.org/][Freedombox]]
|
||
* [[https://arkos.io/][ArkOS]]
|