
We build a secure system based on TOR and I2P

Introduction



In this post I will try to describe, step by step, how to build a secure system for the safe reception, transmission, storage and processing of confidential and other dangerous data. It is no secret that various individuals and organizations are now trying to stifle the freedom of both the Internet itself and its users, and they often succeed. So we will try to build a small but solid fortress inside our computer.



To a provocation of the form “with the help of such a system,” I answer right away: with nuclear missiles you can not only bring about the end of the world, but also deflect or split an asteroid that threatens our planet.



What do we need?



First, a computer of sufficient performance with a large amount of RAM. Its operating system does not matter, since the software installed on it is cross-platform, except perhaps for exotic or very ancient OSes.

Second, the software. I will list it in the order in which it will be needed while building the system:





Note that all the software listed above is open source. This is very important, since these programs are the core of our security, and a backdoor in some proprietary program could cost us dearly.

Let's start!



To protect the data in case the hard disk itself is seized, we need to encrypt it. For this we will use the TrueCrypt utility.



With its help, let's create an encrypted volume stored in a file. You could create a partition instead, but in my opinion that is less convenient.



Should we create a hidden volume? The question is debatable. This feature is intended for use in England, where refusing to hand over passwords when a PC is confiscated is itself a crime. There is no such legal norm in Russia, and a hidden volume eats up usable disk space. I did not create a hidden volume.



Choose the volume size at your discretion. Personally, I chose 50 GB.



Encryption algorithm: I chose AES. First, the US military trusts it to protect material with the highest classification, and second, it is hardware-accelerated on newer Intel processors (AES-NI), and TrueCrypt supports that acceleration.



Then everything is standard: think up a long, complex password, generate entropy with random mouse movements and create the volume. The filesystem must be NTFS, since it will store large files.



Next we need a virtual machine. Everything we are protecting will live inside it.

This is because:



We will use VirtualBox, but a portable build rather than the standard distribution. Download the installer onto the already-mounted encrypted volume, run it, and let the utility itself download a supported VirtualBox distribution. It will then unpack it and configure it for portability.



In VirtualBox, create a machine with two hard disks: one of 8-10 GB and a second for the rest of the space, placing both, of course, on the encrypted volume. Go through the settings, set the network to NAT and configure the rest to your liking; there is nothing particularly critical there. Attach the Ubuntu image (which I hope you have already downloaded) as a drive.



Start the machine and begin installing the OS. When partitioning the disks, do something like this: put root and swap on the first, small disk, and /home on the large one. All data will be stored in /home. This way the system and the data are separated into different VirtualBox hard-disk files. Do the rest to your liking.



Installed! Now let's begin the setup.



The idea is to leave direct network access to only two favourites: the TOR and I2P routers.



First, install TOR from the project's own repository (the version in the distribution's repositories may be outdated), following the instructions on the official site. Then install I2P, again from the developers' own PPA, following their instructions.



Note that TOR itself provides only a SOCKS5 proxy, and not all programs support that. So install Polipo, a free HTTP proxy:

sudo apt-get install polipo



Configure it:

sudo nano /etc/polipo/config



Add a line to it:

proxyPort = 8118



Uncomment below (or correct if something is wrong):

socksParentProxy = "localhost:9050"

socksProxyType = socks5



Save. Restart Polipo:

sudo service polipo restart



Now configure I2P:

sudo nano /etc/default/i2p



Enable the launch as a daemon:

RUN_DAEMON="true"



While there, note the name of the user the router runs as; for me it is i2psvc.

We save.

Run: sudo service i2p start



Now find out which user TOR runs as:

lsof -c tor

For me it is debian-tor.



And now the tastiest part: we cut off network access for everything that is not TOR or I2P. Once again: everything.

Here is a ready-made iptables-restore ruleset; just double-check the usernames.

The default policy is DROP; everyone is allowed access to localhost, and only I2P and TOR are allowed access to the external network.

sudo nano /etc/iptables.up.rules



Content:

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT DROP [0:0]

-A OUTPUT -d 127.0.0.1/32 -j ACCEPT

-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT

-A OUTPUT -m owner --uid-owner i2psvc -j ACCEPT

COMMIT



Open the network configuration file:

sudo nano /etc/network/interfaces



We add the command to load the rules:

pre-up iptables-restore < /etc/iptables.up.rules



It looks like this:

auto lo

iface lo inet loopback

pre-up iptables-restore < /etc/iptables.up.rules



Since I manage the network through network-manager, there is no eth0 interface in the file. The rules are loaded when the loopback interface is brought up, but it makes no difference, since these rules apply to all interfaces.



Now load the rules into iptables. You could restart the network, but we will simply do this:

sudo iptables-restore < /etc/iptables.up.rules
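As an added check (example code of my own, not from the original post): a small POSIX shell audit that reads an iptables-restore file like the one above and confirms that the OUTPUT policy is DROP, that each expected proxy user has its egress rule, and that no other OUTPUT ACCEPT rule has crept in. The two sample rulesets are constructed inline, and the file paths and the `check_egress_rules` function name are my own.

```shell
#!/bin/sh
# Audit an iptables-restore ruleset against the fortress policy: OUTPUT policy
# DROP, loopback allowed, and the only other OUTPUT ACCEPT rules are owner
# matches for the expected proxy users. Prints a FAIL line per problem.
# Usage: check_egress_rules RULES_FILE "debian-tor i2psvc"
check_egress_rules() {
    rules="$1"; allowed="$2"; rc=0
    grep -q '^:OUTPUT DROP ' "$rules" || { echo "FAIL: OUTPUT policy is not DROP"; rc=1; }
    # Each proxy user needs its own egress rule, or that router is walled in too.
    for user in $allowed; do
        grep -q -- "^-A OUTPUT -m owner --uid-owner $user -j ACCEPT$" "$rules" \
            || { echo "FAIL: no egress rule for user $user"; rc=1; }
    done
    # Strip the ACCEPT rules we expect; whatever is left over is a hole in the wall.
    leftover=$(grep '^-A OUTPUT .*-j ACCEPT' "$rules" \
        | grep -v -- '^-A OUTPUT -d 127\.0\.0\.1/32 -j ACCEPT$' || true)
    for user in $allowed; do
        leftover=$(printf '%s\n' "$leftover" \
            | grep -v -- "^-A OUTPUT -m owner --uid-owner $user -j ACCEPT$" || true)
    done
    [ -z "$leftover" ] || { printf 'FAIL: unexpected OUTPUT ACCEPT rule(s):\n%s\n' "$leftover"; rc=1; }
    return "$rc"
}

# Constructed samples (not from a live system): the ruleset from the post, and a
# tampered copy with an extra rule of the kind malware running as root could add.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
GOOD_RULES="$TMP/good.rules"; BAD_RULES="$TMP/bad.rules"
cat >"$GOOD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -m owner --uid-owner i2psvc -j ACCEPT
COMMIT
EOF
{ sed '/^COMMIT$/d' "$GOOD_RULES"; echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'; echo COMMIT; } >"$BAD_RULES"

check_egress_rules "$GOOD_RULES" "debian-tor i2psvc" && echo "good.rules: OK"
check_egress_rules "$BAD_RULES" "debian-tor i2psvc" || echo "bad.rules: rejected"
```

Running it against /etc/iptables.up.rules after every change (and with the usernames from lsof) catches a typo in a username before it silently cuts a router off, or an extra rule before it opens a hole.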



Done! The fortress is built, the moat is dug, archers are posted on the walls. But we have not yet handed out passes to its residents! Let's fix that.

For access to the external Internet it is better to use TOR, whose HTTP interface (via Polipo) listens on port 8118.

nano ~/.bashrc



Add to the end:

export http_proxy="http://127.0.0.1:8118/"



Now in the terminal simply run

bash

This makes the shell re-read its config. However, apt, without which Ubuntu is like a fish out of water, does not care in the slightest about this environment variable. Let us explain the internal rules of our fortress to it personally:

sudo nano /etc/apt/apt.conf.d/proxy



It should contain:

Acquire::http::Proxy "http://127.0.0.1:8118/";

Save, close.



Well, that is almost everything. It remains to install a browser (if the default Firefox does not suit you) and start using your not very fast, but protected-on-all-sides access. And I repeat: a program inside the virtual machine can be stuffed with a thousand backdoors; it may leak data, but only anonymously. Nobody will be able to work out the external IP.



However (thanks to amarao for the addition), watch carefully which programs you run as root! Malware can bypass the protection in two ways: by adding its own malicious rule to iptables, or by loading a spyware kernel module. Both require root.



The system was built entirely on my own, without relying on ready-made how-tos (if any exist, I did not find them). So I will gladly accept possible improvements and pointers to shortcomings from readers.



Thank you for your attention! I hope this has been of some use.

Source: https://habr.com/ru/post/143516/
