31C3/laptop preparation

From Fixme.ch
Jump to: navigation, search

Laptop preparation

Goal is easy: prevent unauthorized accesses to your laptop while still being able to access resources. Oh, and, ensure resources aren't faked or messed up by some rogue proxy.

It's mainly based on CCC Survival Guide . It's a (very) good start to follow their advices, especially regarding physical protection ;).

Network

The proposed setup is based on two Onion Routers<ref>Wikipedia: Onion Routing</ref>: i2p<ref>Wikipedia: i2p</ref> and Tor<ref>Wikipedia: Tor</ref>. The first one is optional, but it's always cool having some new stuff in order to try them. Well, new… i2p is 11 years old now ;).

All is based on Debian Sid, but most of the packages are present on Arch, Ubuntu, Gentoo and so on.

Tor

Get package

First, install Tor. On Debian, we can use Torporject sources in order to get the latest official releases:
deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main

You can get the distribution code with this command: lsb_release -c.

You will also need the GPG key in order to be able to validate packages:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Then, sudo apt-get update && sudo apt-get install deb.torproject.org-keyring && sudo apt-get install tor.

Configuration

Now we have the package and related daemon, we have to configure it a bit. As the main aim of this setup is to make all the traffic through Tor, here are the settings you'll need. You may empty the file and copy&paste this:

# Create SOCKS port, and ensure we isolate streams
SocksPort 9050 IsolateDestAddr IsolateDestPort
SafeSocks 0
TestSocks 1
# This port will be used for "non-socks" connection. I.e. for
# stupid apps which just don't know what a SOCKS is
TransPort 9040
TransListenAddress 127.0.0.1
# Create a listener for DNS queries.
DNSPort 5400
DNSListenAddress 127.0.0.1
NumCPUs 1
VirtualAddrNetwork 10.192.0.0/10
AvoidDiskWrites 1
AutomapHostsOnResolve 1

Comments should be enough, but you might want to read some more documentation about the tor configuration file.

Restart Tor with sudo service tor restart, and we're done :).

i2p

As said, this step is optional. But anyway, it's cool. And even easier in fact.

Get package

Add the following source to your Debian system:
deb http://deb.i2p2.no/ unstable main

Import the following key for package signature: wget https://geti2p.net/_static/debian-repo.pub -O - | sudo apt-key add -

Install required packages: sudo apt-get update && sudo apt-get install i2p i2p-keyring

Edit the /etc/default/i2p file in order to enable the daemon. Start it with sudo service i2p start, and… well, that's all ;).

More information available here.

IPTables

Now we hit the game: we might as well kill our connection capabilities, or make some great things. After all, that's IPTables<ref>Wikipedia: iptables</ref> ;)

There are multiple goals with the proposed configuration:

  1. lock out the intruders
  2. force outgoing traffic through Tor by default
  3. allow "smart" application to connect by them-selves to the SOCKS or Transproxy
  4. allow i2p to go out freely
  5. allow Tor to go out freely

More over, we want this policy to be enforced as soon as we get network. In order to do so, we will need an "iptables-restore" call, and a script/configuration to feed it.

The following content is to be put in /etc/network/iptables file (or something like that, you'll have to create the file anyway). We will explain bellow how it works. 

*filter
:INPUT DROP [1:264]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [60:12415]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i vboxnet0 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT DROP "

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner debian-tor -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner i2psvc -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 5400 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9050 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9040 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -s 127.0.0.1/32 -p tcp -m tcp --dport 631 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT DROP "
COMMIT

*nat
:INPUT DROP [524:86738]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [637739:421546290]
-A OUTPUT -m owner --uid-owner debian-tor -j RETURN
-A OUTPUT -m owner --uid-owner i2psvc -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5400
-A OUTPUT  -p udp -m udp --dport 123 -j REDIRECT --to-ports 123
-A OUTPUT ! -o lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -j LOG --log-prefix "OUTPUT nat DROP "
-A INPUT -j LOG --log-prefix "INPUT nat DROP "
COMMIT

So. How does it work? Pretty easy in the end: with iptables, we can filter packets by user ID, i.e. iptables knows "who" sends the packet it's filtering. As bot Tor and i2p daemon have dedicated users, we can tell iptables to let those two guys connections, while forcing the others through Tor. Or whatever you want, in fact.

The filter table (block starting with the *filter) will manage the IN and OUT, allowing only i2p and tor traffic out, while allowing related traffic in. It will force non-i2p/tor traffic to go through Tor TransPort we defined earlier, and it will also redirect DNS queries to Tor in order to avoid DNS poisoning.

The nat table (block starting with *nat) will do the redirects.

In order to enforce that, you'll need to edit your /etc/network/interfaces file and add the following line in your eth0/wlan0 definitions: post-up iptables-restore /etc/network/iptables.

Firefox

Firefox is smart. It can speak "SOCKS". Hence, we can make it speak both i2p and Tor. At the same time. But that's not all: we will also install a specific profile in order to ensure we don't leak too much data. For that, we will use the firefox profile proposed by JonDonym<ref>JonDonym </ref>.

It will avoid some bad behavior of Firefox, cover up our traces and avoid a too precise match with our browser. You might want to try the well-known Panopticlick proposed by the EFF in a "before/after" mode ;).

Also, we will use a very old standard: Proxy auto-config, also known as PAC file<ref>Wikipedia: Proxy auto-config</ref>.

JonDonym

As said, we will install a special profile. In order to do so, simply follow the steps as described here. Beware, JonDo is another thing, and proposes some proxies we don't need for the current setup. Follow the steps for the "JonDoFox" installation.

Once this is done, start Firefox and check if you have the JonDonym profile ­— you will know pretty soon if you have it or not ;).

PAC

The PAC file is, in fact, a simple Javascript… err… script. It provides some nice features, allows you to tell Firefox (or any browser supporting this file type) how it should handle a request.

The script content looks like that:

function FindProxyForURL(url, host) {
  var lhost = host.toLowerCase();
  host = lhost;
  tor = 'SOCKS5 localhost:9050';
  i2p_ssl = 'PROXY localhost:4445';
  i2p_clear = 'PROXY localhost:4444';

  if (shExpMatch(host, "*.onion")) {
    alert("Tor hidden service");
    return tor;
  }

  if (shExpMatch(url, "https")) {
    if (shExpMatch(host, "*.i2p")) {
      alert("i2p SSL");
      return i2p_ssl;
    }
  } else {
    if (shExpMatch(host, "*.i2p")) {
      alert("i2p CLEAR");
      return i2p_clear;
    }
  }
  alert("No match at all for "+url);

  return tor;
}

Such easiness. Such love. Such nice.

It:

  1. checks if the hostname maches ".onion"
    1. if it matches ".onion", it redirects to the Tor SOCKS port
  2. checks if we're using HTTPS
    1. if it matches ".i2p", redirect to the HTTPS i2p proxy
  3. If we're "in the clear" (HTTP) and match ".i2p", redirect to the HTTP i2p proxy
  4. if it matches nothing, it redirects to Tor anyway.


You might save this file in something like ~/.mozilla/rules.pac and load it in Firefox using Preferences -> Advanced -> Network -> Settings and point to file:///home/<user>/.mozilla/rules.pac</pre>.

You might want to check how it goes using the Browser Console (ctrl+shift+j or Developers -> Web Console).

Physical

Feel free to add stuff ;).


References

<references />

Retrieved from "https://fixme.ch/w/index.php?title=31C3/laptop_preparation&oldid=6116"