We build a secure system based on TOR and I2P

Introduction


In this post I will try to describe the steps on how to build a secure system for the safe reception, transmission, storage and processing of confidential and other dangerous data. It’s no secret that now various people and organizations are trying to stifle the freedom of both the Internet itself and its users, and often they succeed. Therefore, now we will try to build a small but strong fortress inside our computer.

To the provocation “with such a system you can merge state secrets to the enemy” I answer right away: with the help of nuclear missiles it is possible not only to end the world, but also to drive off or split an asteroid threatening our planet.

What do we need?


Firstly, it is a computer of sufficient performance with a large amount of RAM . Its operating system does not matter, since the software installed on it is cross-platform. Well, perhaps, with the exception of exotic or very ancient OSs.
Secondly, software . I will list it in the order in which it will be needed in building the system:

  • TrueCrypt
  • VirtualBox (do not rush from the official site yet)
  • Ubuntu . I did on version 11.10 x86, since 12.04 was not there at that time. Put the image to swing right now, so as not to lose time. No need to cut to disk.
  • Tor
  • I2P

Please note that all of the above software is open source. This is very important , because these programs are the core of our security, and some proprietary bookmark could be very expensive.

Let's get started!


In order to protect data from direct capture of the hard drive, we need to encrypt them. For this, we will use the TrueCrypt utility.

Using it, we create an encrypted volume stored in a file. You can create it on a partition, but, in my opinion, this is less convenient.

Should I create a hidden volume? The question is controversial. This feature is intended for use in England, where the non-issuance of passwords during confiscation of the PC itself is a crime. At the same time, there is no such legislative norm in Russia, and the use of a hidden partition eats up the usable disk space. I did not begin to create the hidden section.

The size of the section we choose at our discretion. Personally, I chose 50 GB.

Encryption Algorithm - I chose AES. Firstly, he is trusted by the US military to protect the highest vultures of secrecy, and secondly, it is hardware accelerated by new Intel processors and TrueCrypt has support for this acceleration.

Further, everything is standard: we come up with a complex and long password, generate entropy with random mouse movements and create a section. The type of partition must be NTFS, since it will store large files.

Next, we need a virtual machine. Everything that we protect will be stored in it.
This is due to the fact that:
  • work in the main OS leaves various traces in various places;
  • if the main OS is proprietary (I won’t point with a finger) - it does not exclude the presence of bookmarks;
  • application software in the main OS also falls under the previous requirement (recall PunkBuster, whose EULA allows you to scan a user's hard drive).

We will use VirtualBox, but not the main distribution, but portable . Download the installer to a pre-mounted encrypted disk, run and download the supported Box distribution using the utility itself. Next, the utility will unpack it and configure it for portability.

Let's create a box with two hard drives in Boxing: one for 8-10 GB and the second for the remaining space, of course, placing both on an encrypted drive. Let's go through the settings, put the network in NAT and configure the rest to your liking - there is nothing particularly critical there. Connect the image of Ubunta (which, I hope, has already downloaded) as a drive.

We start the machine and start installing the OS. When partitioning disks, we will do something like this: place the root and swap on the first, small, and / home on the big one. All data we will store in / home. Thus, the separation of the system and data occurs between different files of Box's hard drives. Next, we carry out everything to your liking.

It is established! Now we begin setup.

The idea is to leave direct access to the network to only two chosen ones - TOR and I2P routers.

First, we install TOR from their own repository (in the official version it may be outdated) according to the instructions from the official site . Then we will install I2P, again from our own PPA-turnip for developers - an instruction .

Please note that TOR itself provides only SOCKS5 proxies, and not all programs support it. Therefore, install Polipo - a free HTTP proxy:
sudo apt-get install polipo

Configure it:
sudo nano /etc/polipo/config

Add a line to it:
proxyPort = 8118

Uncomment below (or fix it if something is wrong): Save it. Restart the polyp: Now configure the I2P: including running as a daemon: At the same time we see in the file name of the user from which the router works - I have this i2psvc Save. We start: Now we learn the user from whom TOR works: I have it debian-tor . And now - the most delicious: we cut off access to the network for everything that is not TOR and not I2P. Once again - to everything
socksParentProxy = "localhost:9050"
socksProxyType = socks5


sudo service polipo restart


sudo nano /etc/default/i2p


RUN_DAEMON="true"



sudo service i2p start


lsof -c tor


.
Here is the finished iptables-restore script, just check the usernames again.
The general policy is DROP, everyone is allowed access to the localhost, I2P and TOR - to the external network.
sudo nano /etc/iptables.up.rules

Content: Open the network configuration file: Let's add the command for loading the rules: It looks like this: Since I manage the network through network-manager - the eth0 interface is not in the file. Rules are prescribed when raising a backback, but there is no difference, since these rules are the same for all interfaces. Upload the rules to iptables. You can restart the network, but we will do this: Done! The fortress was built, a moat dug, archers on the walls exposed. But we have not yet issued passes to its residents! We fix it.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -m owner --uid-owner i2psvc -j ACCEPT
COMMIT


sudo nano /etc/network/interfaces


pre-up iptables-restore < /etc/iptables.up.rules


auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.up.rules




sudo iptables-restore < /etc/iptables.up.rules


To access the external Internet, it is better to use TOR, whose HTTP interface we have on port 8118.
nano ~/.bashrc

Let's add to the end:
export http_proxy="http://127.0.0.1:8118/"

Now in the terminal it’s simple.
bash
At the same time, the shell re-reads its config. However, apt, without whom in Ubunt - as without water (and neither tudes nor syuds), I wanted to sneeze on this environment variable. Let us explain to him personally the intraobjective regime of our fortress:
sudo nano /etc/apt/apt.conf.d/proxy

There should be: We
Acquire::http::Proxy "http://127.0.0.1:8118/";
save, close.

Well, that’s all. Now it remains to install the browser (if something does not like the default Foxy) and start using not very fast, but protected from all sides access. And I repeat - the program inside the virtual machine can be stuffed with at least a thousand bookmarks - it may merge the data, only they will be anonymous. Nobody can calculate the external IP.

However (thanks to amarao for the addition), look carefully at what programs you run from the root! Since a malicious program can circumvent protection in two ways: by writing its own malicious rule to iptables or by implementing a spyware kernel module. Both procedures require root.

I built the system completely on my own, without relying on the ready-made How-To (if any exist, I could not find it). Therefore, I will be glad to accept from the readers possible improvements and indications of shortcomings.

Thanks for attention! I hope at least someone has benefited.

Also popular now: