
HAPS on Debian 12

Overview

  • Network Configuration:
    • Interface: eth0
    • IP Address: 10.0.5.200/24
    • Gateway: 10.0.5.1
    • DNS: 1.1.1.1 and 1.0.0.1
  • Key Features:
    • SSH key authentication only
    • Port knocking for SSH
    • Traffic and port obfuscation
    • DNS filtering and ad blocking
    • Partition encryption
    • AppArmor confinement
    • iptables for firewall and obfuscation
    • Logging disabled

1. Configure the Network

1. Edit /etc/network/interfaces. Check the real interface name first with ip -br link: Debian 12 normally uses a predictable name such as ens18 or enp1s0 rather than eth0, and the same name has to be used in the knockd configuration in section 3:

auto eth0
iface eth0 inet static
    address 10.0.5.200
    netmask 255.255.255.0
    gateway 10.0.5.1
    dns-nameservers 1.1.1.1 1.0.0.1

The dns-nameservers line is only honoured when the resolvconf package is installed; without it, write the nameserver lines into /etc/resolv.conf yourself. Once Unbound is running (section 5), point the system resolver at 127.0.0.1 instead, because ss-server resolves hostnames on behalf of its clients with the server's resolver, and that is the traffic the filter is meant to see.

2. Restart the networking service:

sudo systemctl restart networking

2. Secure SSH with Key Authentication Only

1. Generate SSH Key Pair on Your Local Machine (the file name matches the -i option used in the test in section 10):

ssh-keygen -t ed25519 -f ~/.ssh/proxy-server-key -C "proxy-server-key"

2. Install the Public Key on the Proxy Server (the contents of ~/.ssh/proxy-server-key.pub):

sudo mkdir -p /root/.ssh
echo "YOUR_PUBLIC_KEY_HERE" | sudo tee /root/.ssh/authorized_keys
sudo chmod 600 /root/.ssh/authorized_keys
sudo chmod 700 /root/.ssh

3. Restrict SSH Configuration: Edit /etc/ssh/sshd_config:

PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no

ChallengeResponseAuthentication is the old name of KbdInteractiveAuthentication; the OpenSSH in Debian 12 still accepts it, but the new name is the one sshd reports. Debian's sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, and because sshd keeps the first value it reads for a keyword, anything set in those drop-ins wins over the main file. Before restarting, validate the syntax with sshd -t, confirm the merged result with sshd -T, and keep your current session open until a second login with the key succeeds; with UsePAM no, PAM account and session modules no longer run for SSH logins, so nothing in /etc/pam.d or /etc/security applies to them.

4. Restart SSH (on Debian the unit is ssh.service; sshd is an alias):

sudo systemctl restart ssh
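The drop-in problem above is easy to miss by reading sshd_config alone. The following script is an added example, not part of the original tutorial: it reads the output of sshd -T (the effective, merged configuration, printed as lowercase keyword/value lines) and checks the four settings this section requires. The SAMPLE_GOOD and SAMPLE_BAD strings are constructed for the demo, not real sshd output; the function name check_sshd_config is this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: audit the settings sshd
# actually uses. "sshd -T" prints the merged configuration (main file plus the
# /etc/ssh/sshd_config.d/*.conf drop-ins) as lowercase "keyword value" lines;
# this function reads that output and compares it with what section 2 asks for.
#
# Real use on the server:    sudo sshd -T | check_sshd_config
# Or on a saved copy:        check_sshd_config < sshd-T.txt
#
# The SAMPLE_* strings below are constructed for the demo, not real output.

set -u

# keyword=value pairs to enforce; alternatives separated by "|".
# sshd -T reports PermitRootLogin prohibit-password under its older spelling
# "without-password", so both are accepted.
SSHD_REQUIRED='permitrootlogin=prohibit-password|without-password
passwordauthentication=no
kbdinteractiveauthentication=no
usepam=no'

# Reads sshd -T output on stdin, prints one OK/BAD/MISSING line per required
# keyword, returns 0 only if every keyword matches.
check_sshd_config() {
    local effective pair key want got alt ok rc=0
    effective=$(cat)
    for pair in $SSHD_REQUIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        # value is the second field of the matching line; first match wins
        got=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            printf 'MISSING %-28s expected %s\n' "$key" "$want"
            rc=1
            continue
        fi
        ok=0
        for alt in $(printf '%s\n' "$want" | tr '|' ' '); do
            [ "$got" = "$alt" ] && ok=1
        done
        if [ "$ok" -eq 1 ]; then
            printf 'OK      %-28s %s\n' "$key" "$got"
        else
            printf 'BAD     %-28s %s (expected %s)\n' "$key" "$got" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed samples: what a hardened server and a stock one might report.
SAMPLE_GOOD='permitrootlogin without-password
passwordauthentication no
kbdinteractiveauthentication no
usepam no
port 22'

SAMPLE_BAD='permitrootlogin yes
passwordauthentication yes
usepam no
port 22'

# Demo on the constructed samples
printf '%s\n' "$SAMPLE_GOOD" | check_sshd_config && echo "hardened sample: PASS"
printf '%s\n' "$SAMPLE_BAD"  | check_sshd_config || echo "stock sample: FAIL (as expected)"
```

Run it against the live server with sudo sshd -T | check_sshd_config after every change to sshd_config or to the drop-in directory; a non-zero exit means a drop-in or a typo has undone one of the settings.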

3. Enable Port Knocking for SSH

1. Install knockd:

sudo apt install knockd

2. Configure knockd: Edit /etc/knockd.conf. Replace the sequence with random ports of your own, and set the interface to the name you used in section 1 (knockd assumes eth0 otherwise):

[options]
    interface = eth0

[openSSH]
    sequence = 23232,43434,13131,54545,25252
    seq_timeout = 15
    command = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn

[closeSSH]
    sequence = 25252,54545,13131,43434,23232
    seq_timeout = 15
    command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn

The rule is inserted (-I) rather than appended so that it takes effect regardless of what follows it in the INPUT chain. knockd captures packets on the interface with libpcap, so it sees the knocks even though the firewall in section 6 drops them; no port needs to be open for it. A forgotten closeSSH sequence leaves that source address allowed until reboot; knockd's start_command, cmd_timeout and stop_command options in a single stanza remove the rule automatically after the timeout. Port knocking hides the SSH port from scanners; it is not a substitute for the key-only authentication above, because anyone who can observe the traffic can replay the sequence.

3. Enable and Start knockd:

sudo systemctl enable knockd
sudo systemctl start knockd

4. Install Shadowsocks for Traffic Obfuscation

1. Install Shadowsocks-libev:

sudo apt install shadowsocks-libev

2. Configure Shadowsocks: Edit /etc/shadowsocks-libev/config.json:

{
    "server": "0.0.0.0",
    "server_port": 8388,
    "password": "yourstrongpassword",
    "method": "chacha20-ietf-poly1305",
    "mode": "tcp_and_udp",
    "plugin": "obfs-server",
    "plugin_opts": "obfs=http"
}

The obfs-server binary belongs to simple-obfs, a separate project that is no longer maintained upstream and is not installed by the shadowsocks-libev package; confirm it exists with command -v obfs-server before starting the service, and use the matching obfs-local plugin on every client. Plugins only carry TCP: the UDP half of tcp_and_udp goes straight to ss-server on port 8388, which the firewall in section 6 does not open, so in this setup only TCP is usable. The file holds the shared secret in clear text; generate it with something like openssl rand -base64 24 rather than a memorable phrase, and restrict the file's permissions to root and the account the shadowsocks-libev unit runs as.

3. Start Shadowsocks:

sudo systemctl enable shadowsocks-libev
sudo systemctl start shadowsocks-libev

5. Configure DNS Filtering and Ad Blocking

1. Install Unbound:

sudo apt install unbound

2. Configure Unbound: Edit /etc/unbound/unbound.conf. Debian's file is little more than an include-toplevel of /etc/unbound/unbound.conf.d/*.conf, so the following can go either in the main file or in a new file in that directory:

server:
    verbosity: 0
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    private-address: 10.0.0.0/8
    private-address: 192.168.0.0/16

forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1

The resolver serves only the proxy itself (ss-server resolves names for its clients), so it listens on loopback; a 0.0.0.0 listener whose access-control only allows loopback exposes port 53 for no benefit, and 127.0.0.1/8 is a malformed netblock (127.0.0.0/8 is the loopback range). forward-zone is a top-level clause, not part of server:. The private-address lines make Unbound drop answers that point into those ranges, which blocks DNS rebinding against hosts on the proxy's own network.

3. Add an Ad-Blocking List. The StevenBlack list is a hosts file (0.0.0.0 followed by one or more names per line), which is not Unbound syntax: including it unchanged stops Unbound from starting. Fetch it to a staging location:

curl -o /tmp/hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

then convert every entry into a line of the form

local-zone: "ads-domain.com" always_nxdomain

(always_nxdomain makes Unbound answer NXDOMAIN for that name and everything below it), put the result under a server: heading, and either save it as /etc/unbound/unbound.conf.d/ads.conf or reference it from your own server: clause:

include: "/etc/unbound/ads.conf"

4. Restart Unbound, after checking the result with unbound-checkconf so that a conversion mistake does not take the resolver down:

sudo systemctl restart unbound
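The conversion in step 3 is the part people get wrong. The script below is an added example, not part of the original tutorial or of the StevenBlack project: it reads hosts-format text on stdin and writes a complete Unbound server: clause of always_nxdomain local-zones, skipping comments, loopback aliases, malformed names and duplicates. SAMPLE_HOSTS is a constructed input for the demo, not the real list, and hosts_to_unbound is this example's own function name.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: turn a hosts-format
# blocklist (the StevenBlack file is "0.0.0.0 name" per line) into Unbound
# syntax. Unbound cannot include a hosts file; it needs, per blocked name,
#   local-zone: "name" always_nxdomain
# which answers NXDOMAIN for that name and every name below it.
#
# Real use (the output starts with its own "server:" line, so it can go
# straight into Debian's include-toplevel directory; then run
# unbound-checkconf and restart unbound):
#   curl -fsSL https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \
#       | hosts_to_unbound > /etc/unbound/unbound.conf.d/ads.conf
#
# SAMPLE_HOSTS below is a constructed input for the demo, not the real list.

set -u

# Names that appear in every hosts file and must never be blocked
# (used as an extended regex; an unescaped dot is harmless here).
HOSTS_SKIP='localhost|localhost.localdomain|local|broadcasthost|ip6-localhost|ip6-loopback|ip6-localnet|ip6-mcastprefix|ip6-allnodes|ip6-allrouters|ip6-allhosts|0.0.0.0'

# stdin: hosts-format text; stdout: Unbound "server:" clause.
# Only 0.0.0.0 / 127.0.0.1 entries count as blocks. Comments, blank or
# malformed lines, loopback aliases and names with characters outside
# [a-z0-9_-] and dots are dropped; duplicates are merged; output is sorted.
hosts_to_unbound() {
    printf 'server:\n'
    awk -v skip="^(${HOSTS_SKIP})\$" '
        { sub(/#.*/, "") }                              # strip comments, refield
        NF < 2 { next }                                 # need "address name..."
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }   # not a block entry
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name ~ skip) continue
                if (name !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)*$/) continue
                print name
            }
        }' | sort -u | while IFS= read -r name; do
            printf '    local-zone: "%s" always_nxdomain\n' "$name"
        done
}

# Constructed sample covering the cases the filter has to handle.
SAMPLE_HOSTS='# constructed sample, not the real list
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 Ads.Example          # trailing comment, mixed case
0.0.0.0 tracker.example ads.example
0.0.0.0 bad..name.example
192.168.1.5 nas.home'

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound
```

Because each entry becomes a local-zone, a blocked name also takes all of its subdomains with it; if the list ever blocks a parent of something you need, add a more specific local-zone of type transparent for that name in the same file.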

6. Configure iptables for Firewall and Security

1. Basic Firewall Rules (add the accept rules first and set the DROP policy last, so an existing SSH session is not cut off halfway through):

# Allow loopback traffic
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow incoming traffic for established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow Shadowsocks traffic (port 8388, not 443; see the note below)
sudo iptables -A INPUT -p tcp --dport 8388 -m conntrack --ctorigdstport 443 -j ACCEPT

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

2. Redirect Port 443 to Shadowsocks:

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8388

The nat PREROUTING chain runs before the filter INPUT chain, so a packet that arrived on 443 reaches INPUT with its destination port already rewritten to 8388. An INPUT rule for --dport 443 never matches it and the DROP policy wins, which is why the rule above matches 8388 instead; --ctorigdstport 443 limits the accept to connections that originally arrived on 443, so 8388 stays closed to direct scans. Nothing static is opened for port 22: knockd inserts and removes that rule per source address, so knock before opening a new SSH session once the policy is DROP.

3. Save iptables Rules. The iptables-persistent package creates /etc/iptables and reloads the file at boot; the knockd-added rules are deliberately not part of it:

sudo apt install iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4
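Rather than typing the rules one by one and saving whatever state results, the firewall can be kept as an iptables-restore file and loaded atomically. The following is an added example, not part of the original tutorial: it generates rules.v4 with both tables in the order the page describes, including the PREROUTING/INPUT port mismatch fix; the ports are the page's, while the INVALID-state drop and the function name gen_rules_v4 are this example's additions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: write the firewall as an
# iptables-restore file instead of running rules one by one. The port numbers
# are the tutorial's; dropping INVALID conntrack state is an addition.
#
# Why the INPUT rule matches 8388 and not 443: nat/PREROUTING runs before
# filter/INPUT, so by the time the redirected packet reaches INPUT its
# destination port is already 8388. An INPUT rule for "--dport 443" never
# sees the Shadowsocks traffic and the default DROP wins.
# "--ctorigdstport 443" restricts the accept to connections that arrived on 443,
# so 8388 itself is not reachable from outside.
#
# Real use (iptables-persistent reloads this file at boot):
#   gen_rules_v4 | sudo tee /etc/iptables/rules.v4 >/dev/null
#   sudo iptables-restore < /etc/iptables/rules.v4

set -u

SS_PUBLIC_PORT=443   # port clients connect to
SS_LOCAL_PORT=8388   # port ss-server listens on (server_port in config.json)

# Prints a complete iptables-restore file on stdout.
gen_rules_v4() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Clients talk to $SS_PUBLIC_PORT; deliver it to ss-server on $SS_LOCAL_PORT
-A PREROUTING -p tcp --dport $SS_PUBLIC_PORT -j REDIRECT --to-ports $SS_LOCAL_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Redirected Shadowsocks traffic: port is $SS_LOCAL_PORT here, original port was $SS_PUBLIC_PORT
-A INPUT -p tcp --dport $SS_LOCAL_PORT -m conntrack --ctstate NEW --ctorigdstport $SS_PUBLIC_PORT -j ACCEPT
# SSH is opened per source address by knockd (-I INPUT ... --dport 22); nothing static here
COMMIT
EOF
}

# Demo: show the generated file
gen_rules_v4
```

Loading with iptables-restore replaces both tables in one step, so a typo cannot leave the box half-configured; test it from a console or with a knockd-opened SSH session rather than a plain one, since the file contains no permanent rule for port 22.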

7. Encrypt Partitions

1. Install cryptsetup for LUKS:

sudo apt install cryptsetup

2. Encrypt a Partition (replace /dev/sdX with the target device after checking it with lsblk; luksFormat destroys everything on it):

sudo cryptsetup luksFormat /dev/sdX
sudo cryptsetup open /dev/sdX encrypted_partition
sudo mkfs.ext4 /dev/mapper/encrypted_partition
sudo mount /dev/mapper/encrypted_partition /mnt

This covers a data partition unlocked after boot; the mapping and the mount are not persistent until they are listed in /etc/crypttab and /etc/fstab. Encrypting the root filesystem is done from the Debian installer, not with these commands.

8. Enable AppArmor

1. Install AppArmor. Debian 12 installs and enables AppArmor by default; apparmor-profiles adds further profiles and apparmor-utils provides aa-status and aa-enforce:

sudo apt install apparmor apparmor-profiles apparmor-utils

2. Activate AppArmor:

sudo systemctl enable apparmor
sudo systemctl start apparmor

Some of the extra profiles are installed in complain mode, which only records violations (and with logging disabled in section 9, not even that), and others are shipped as examples under /usr/share/apparmor/extra-profiles without being loaded. Switch the profiles you rely on to enforce mode with aa-enforce and confirm with aa-status.

9. Disable Logging

1. Stop and Disable rsyslog (if installed; Debian 12 no longer installs it by default):

sudo systemctl stop rsyslog
sudo systemctl disable rsyslog

2. Clear Existing Logs:

sudo rm -rf /var/log/*

3. Mount /var/log as tmpfs: Edit /etc/fstab:

tmpfs /var/log tmpfs defaults,noatime,nosuid,nodev,mode=0755 0 0

rsyslog is only one consumer of the journal; systemd-journald keeps its own copy, on disk whenever /var/log/journal exists. With /var/log on tmpfs that copy is lost at reboot anyway, and Storage=none in /etc/systemd/journald.conf stops it from being kept at all. Services that expect their own directory under /var/log (apt among them) may fail after a reboot finds an empty tmpfs; systemd-tmpfiles recreates some of these directories, the rest need a tmpfiles.d entry. The trade-off is real: without logs there is no way to reconstruct how the box was compromised if it ever is.

10. Testing and Debugging

1. Test Port Knocking: Send the knock sequence from your local machine (the knock client is part of the knockd package):

knock 10.0.5.200 23232 43434 13131 54545 25252
ssh -i ~/.ssh/proxy-server-key root@10.0.5.200

2. Verify DNS Filtering: Query a blocked domain on the server; the answer should carry status NXDOMAIN, while a name not on the list resolves normally:

dig ads-domain.com @127.0.0.1

3. Test Shadowsocks: Connect using a Shadowsocks client with the configuration:

  • Server: 10.0.5.200
  • Port: 443
  • Password: yourstrongpassword
  • Method: chacha20-ietf-poly1305
  • Plugin: obfs-local, with plugin options obfs=http

Other tutorials on this site cover in detail how to configure LUKS, AppArmor, Shadowsocks clients and the management of the HAPS machines. If a tutorial is not yet present, check back soon; it will appear here.