HAPS on Debian 12
Overview
- Network Configuration:
- Interface: eth0
- IP Address: 10.0.5.200/24
- Gateway: 10.0.5.1
- DNS: 1.1.1.1 and 1.0.0.1
- Key Features:
- SSH key authentication only
- Port knocking for SSH
- Traffic and port obfuscation
- DNS filtering and ad blocking
- Partition encryption
- AppArmor confinement
- iptables for firewall and obfuscation
- Logging disabled
1. Configure the Network
1. Edit /etc/network/interfaces:
auto eth0
iface eth0 inet static
address 10.0.5.200
netmask 255.255.255.0
gateway 10.0.5.1
dns-nameservers 1.1.1.1 1.0.0.1
The dns-nameservers line is only honoured by ifupdown when the resolvconf package is installed; without it, write the nameserver entries into /etc/resolv.conf yourself. Once Unbound is running (section 5), point this at 127.0.0.1 instead, otherwise the server's own lookups, including the ones Shadowsocks performs on behalf of its clients, bypass the filter.
2. Restart the networking service (from the console rather than over SSH, since changing the address drops existing sessions):
sudo systemctl restart networking
2. Secure SSH with Key Authentication Only
1. Generate SSH Key Pair on Your Local Machine (-f sets the key file name used in section 10; -C is only a comment):
ssh-keygen -t ed25519 -f ~/.ssh/proxy-server-key -C "proxy-server-key"
2. Install the Public Key on the Proxy Server:
sudo mkdir -p /root/.ssh
echo "YOUR_PUBLIC_KEY_HERE" | sudo tee /root/.ssh/authorized_keys
sudo chmod 600 /root/.ssh/authorized_keys
sudo chmod 700 /root/.ssh
3. Restrict SSH Configuration: On Debian 12, /etc/ssh/sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf", and sshd keeps the first value it reads for each keyword, so a drop-in (cloud images often ship one) silently overrides anything added further down in the main file. Put the hardening in its own drop-in that sorts first, for example /etc/ssh/sshd_config.d/00-hardening.conf:
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
KbdInteractiveAuthentication is the current name of the setting; ChallengeResponseAuthentication is still accepted as a deprecated alias.
4. Check the effective configuration, then restart SSH. Keep the current session open until a second, key-based login succeeds:
sudo sshd -t
sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|kbdinteractiveauthentication|usepam) '
sudo systemctl restart ssh
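An added check, not part of the original tutorial: the script below audits the merged configuration that sudo sshd -T prints, instead of grepping sshd_config, because on Debian 12 a drop-in read by the Include line wins over the hand-edited lines. The REQUIRED list and the sshd -T excerpt in SAMPLE_DUMP are constructed for this example (it stands in for a host where a drop-in re-enabled password logins); on a real server pipe the live output in with sudo sshd -T | audit_sshd.

```bash
#!/bin/sh
# Added example: audit the effective sshd configuration.
# sshd -T prints every keyword in lowercase with its final value, after
# all Include files have been merged; that is the only reliable place
# to confirm the hardening took effect.

# Required keyword=value pairs, in the lowercase form sshd -T uses.
# (Chosen for this example to match the tutorial's settings.)
REQUIRED="permitrootlogin=prohibit-password
passwordauthentication=no
kbdinteractiveauthentication=no
usepam=no
pubkeyauthentication=yes"

# audit_sshd reads sshd -T output on stdin, prints OK/FAIL per setting
# and returns 1 if any required value is missing or different.
audit_sshd() {
    local dump status key want have
    status=0
    dump=$(tr 'A-Z' 'a-z')          # sshd -T is already lowercase; be safe
    while IFS='=' read -r key want; do
        # first field is the keyword, second its effective value
        have=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$have" = "$want" ]; then
            echo "OK   $key=$have"
        else
            echo "FAIL $key=${have:-<unset>} (want $want)"
            status=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $status
}

# Constructed sample of sshd -T output (not captured from a real host):
# a drop-in has re-enabled PasswordAuthentication and left UsePAM on.
SAMPLE_DUMP='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam yes'

# run_sample audits the constructed dump; returns audit_sshd's status.
run_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | audit_sshd
}
```

Running run_sample prints two FAIL lines (passwordauthentication and usepam) and exits non-zero; a clean host prints only OK lines and exits 0, which makes the function usable as a post-deployment gate.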
3. Enable Port Knocking for SSH
1. Install knockd (the package also provides the knock client used in section 10):
sudo apt install knockd
2. Configure knockd: Edit /etc/knockd.conf:
[openSSH]
sequence = 23232,43434,13131,54545,25252
seq_timeout = 15
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 25252,54545,13131,43434,23232
seq_timeout = 15
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
The ACCEPT rule is appended to the end of INPUT, so it only works while no REJECT rule sits above it; the ruleset in section 6 relies on the DROP policy alone, which is what makes this arrangement hold. If you would rather not depend on the closing knock, knockd can run a start_command, wait cmd_timeout seconds and then run a stop_command that deletes the rule again; an SSH session opened in the meantime survives through the ESTABLISHED rule.
3. Enable and Start knockd. The Debian package ships /etc/default/knockd with START_KNOCKD=0; set it to 1, then:
sudo systemctl enable knockd
sudo systemctl start knockd
4. Install Shadowsocks for Traffic Obfuscation
1. Install Shadowsocks-libev together with simple-obfs, which provides the obfs-server plugin referenced in the configuration:
sudo apt install shadowsocks-libev simple-obfs
2. Configure Shadowsocks: Edit /etc/shadowsocks-libev/config.json (generate the password with openssl rand -base64 24 rather than choosing one by hand):
{
"server": "0.0.0.0",
"server_port": 8388,
"password": "yourstrongpassword",
"method": "chacha20-ietf-poly1305",
"mode": "tcp_and_udp",
"plugin": "obfs-server",
"plugin_opts": "obfs=http"
}
simple-obfs obfuscates TCP only; the UDP relay enabled by tcp_and_udp is not covered by the plugin.
3. Start Shadowsocks and confirm the listener is up:
sudo systemctl enable --now shadowsocks-libev
sudo ss -ltnp | grep -E 'obfs-server|ss-server'
5. Configure DNS Filtering and Ad Blocking
1. Install Unbound:
sudo apt install unbound
2. Configure Unbound. Debian 12's /etc/unbound/unbound.conf does little more than pull in /etc/unbound/unbound.conf.d/*.conf (include-toplevel), so put the settings in a drop-in such as /etc/unbound/unbound.conf.d/haps.conf. Only the server itself needs to query the resolver (Shadowsocks resolves names on the clients' behalf), so bind to loopback instead of every interface:
server:
verbosity: 0
interface: 127.0.0.1
access-control: 127.0.0.0/8 allow
private-address: 10.0.0.0/8
private-address: 192.168.0.0/16
forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 1.0.0.1
3. Add an Ad-Blocking List. The StevenBlack list is in hosts format (lines of "0.0.0.0 domain"), which Unbound cannot parse, so including the raw file breaks the configuration. Convert it into local-zone statements that answer NXDOMAIN, in a drop-in that starts with its own server: header (the redirect has to run as root, hence tee):
curl -fsSL https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk 'BEGIN { print "server:" } $1 == "0.0.0.0" && $2 != "0.0.0.0" { printf "local-zone: \"%s\" always_nxdomain\n", $2 }' | sudo tee /etc/unbound/unbound.conf.d/ads.conf > /dev/null
4. Validate the configuration, restart Unbound and make the server use it by setting nameserver 127.0.0.1 in /etc/resolv.conf (the dns-nameservers entry from section 1):
sudo unbound-checkconf
sudo systemctl restart unbound
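The conversion step above, carried further as an added example (this is not code from the original tutorial or from the StevenBlack project): hosts_to_unbound handles trailing comments, lines that list several names, mixed case and duplicates, and drops the loopback and broadcast names every hosts file carries. SAMPLE_HOSTS is a constructed excerpt, not the real list; the install_blocklist helper, the drop-in path /etc/unbound/unbound.conf.d/ads.conf and the use of always_nxdomain are this example's choices.

```bash
#!/bin/sh
# Added example: convert a hosts-format blocklist into an Unbound drop-in.
# Unbound cannot read hosts syntax, so each blocked name becomes a
# local-zone that answers NXDOMAIN. The output begins with "server:"
# because Debian 12 loads unbound.conf.d/*.conf with include-toplevel,
# which requires every file to open its own clause.

# hosts_to_unbound: stdin = hosts file, stdout = Unbound server clause.
# Keeps entries pointing at 0.0.0.0 or 127.0.0.1, skips the standard
# loopback/broadcast names, strips comments and trailing dots,
# lowercases and de-duplicates.
hosts_to_unbound() {
    echo 'server:'
    awk '
        { sub(/#.*/, "") }                              # drop comments
        NF < 2 { next }                                 # blank or malformed
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }   # only sinkhole entries
        {
            for (i = 2; i <= NF; i++) {                 # a line may list several names
                name = tolower($i)
                sub(/\.$/, "", name)
                if (name ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+|0\.0\.0\.0)$/) continue
                if (name !~ /^[a-z0-9_.-]+$/) continue  # reject anything that is not a hostname
                if (!seen[name]++) printf "local-zone: \"%s\" always_nxdomain\n", name
            }
        }'
}

# Constructed excerpt in the shape of a hosts blocklist (not the real file).
SAMPLE_HOSTS='# Title: constructed excerpt for the example
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net  # trailing comment
0.0.0.0 Tracker.Example.org
0.0.0.0 ads.example.net
0.0.0.0 a.example.com b.example.com'

# convert_sample returns the drop-in generated from SAMPLE_HOSTS.
convert_sample() {
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound
}

# install_blocklist: on the server, as root. Fetches the list, converts it,
# refuses to restart on a configuration error. Path and URL assumed here.
install_blocklist() {
    curl -fsSL https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts |
        hosts_to_unbound > /etc/unbound/unbound.conf.d/ads.conf &&
    unbound-checkconf &&
    systemctl restart unbound
}
```

For the constructed excerpt, convert_sample yields a server: header followed by four local-zone lines (ads.example.net once, tracker.example.org in lowercase, a.example.com and b.example.com); none of the localhost entries survive. Re-run install_blocklist from cron to keep the list current, since unbound-checkconf guards against a malformed download replacing a working configuration.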
6. Configure iptables for Firewall and Security
1. Basic Firewall Rules. Add the ACCEPT rules first and set the DROP policy last, so a session over SSH is not cut off in between:
# Allow loopback traffic
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow incoming traffic for established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow Shadowsocks traffic. The REDIRECT in step 2 rewrites the destination port in
# PREROUTING, so by the time a packet reaches INPUT its port is 8388, not 443;
# a rule for 443 here would never match. Mirror the rule for udp if you use the UDP relay.
sudo iptables -A INPUT -p tcp --dport 8388 -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
2. Redirect Port 443 to Shadowsocks:
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8388
3. Save iptables Rules. The file is restored at boot by iptables-persistent, and the redirection has to run as root (sudo applies to iptables-save, not to the shell's > redirect). Save before knocking, otherwise the per-address SSH rule knockd added for you is persisted as well:
sudo apt install iptables-persistent
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
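The same ruleset as one iptables-restore file, added here as an example (not code from the original tutorial): loading it atomically removes the window between setting the DROP policy and adding the ACCEPT rules, the file doubles as /etc/iptables/rules.v4, and it leaves port 22 to knockd from section 3. The ports, the --ctorigdstport match that hides 8388 from direct connections, and the apply_rules helper are this example's assumptions.

```bash
#!/bin/sh
# Added example: generate and apply the host firewall as one
# iptables-restore file. Values assumed for this example:
SS_PUBLIC_PORT=443   # what clients connect to
SS_LOCAL_PORT=8388   # where Shadowsocks (obfs-server) actually listens

# gen_rules_v4 prints the ruleset in iptables-restore format.
# The filter table sees the port *after* NAT: PREROUTING rewrites 443 to
# 8388 before INPUT runs, so INPUT must accept 8388. --ctorigdstport
# restricts that to connections that arrived on 443, so 8388 itself is
# not reachable from outside.
gen_rules_v4() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Present Shadowsocks on $SS_PUBLIC_PORT (config.json uses tcp_and_udp, so both protocols)
-A PREROUTING -p tcp --dport $SS_PUBLIC_PORT -j REDIRECT --to-ports $SS_LOCAL_PORT
-A PREROUTING -p udp --dport $SS_PUBLIC_PORT -j REDIRECT --to-ports $SS_LOCAL_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Shadowsocks, matched on the post-NAT port, only via the public port
-A INPUT -p tcp --dport $SS_LOCAL_PORT -m conntrack --ctstate NEW --ctorigdstport $SS_PUBLIC_PORT -j ACCEPT
-A INPUT -p udp --dport $SS_LOCAL_PORT -m conntrack --ctorigdstport $SS_PUBLIC_PORT -j ACCEPT
# SSH is deliberately absent: knockd appends a per-source ACCEPT to INPUT
# after a valid knock. No REJECT rule may follow, or the appended rule
# would sit behind it.
COMMIT
EOF
}

# apply_rules: run as root. Validates the file, loads it atomically and
# persists it for iptables-persistent. Loading replaces INPUT, which
# clears any knock rule; an open SSH session survives via ESTABLISHED,
# a new one needs a fresh knock. Run this before knocking so no per-IP
# rule ends up in rules.v4.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules_v4 > "$tmp" &&
    iptables-restore --test "$tmp" &&
    iptables-restore "$tmp" &&
    install -m 0644 "$tmp" /etc/iptables/rules.v4
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

gen_rules_v4 alone is safe to run anywhere for review; iptables-restore --test in apply_rules parses the file without touching the kernel, so a typo fails loudly instead of leaving a half-applied ruleset.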
7. Encrypt Partitions
1. Install cryptsetup for LUKS:
sudo apt install cryptsetup
2. Encrypt a Partition. luksFormat destroys everything on the device, so confirm the device name with lsblk first. This covers a data partition added after installation; encrypting the root filesystem has to be set up from the Debian installer:
lsblk
sudo cryptsetup luksFormat --type luks2 /dev/sdX
sudo cryptsetup luksDump /dev/sdX
sudo cryptsetup open /dev/sdX encrypted_partition
sudo mkfs.ext4 /dev/mapper/encrypted_partition
sudo mount /dev/mapper/encrypted_partition /mnt
8. Enable AppArmor
1. Install AppArmor. Debian 12 ships with AppArmor installed and enabled in the kernel; apparmor-profiles adds further profiles and apparmor-utils provides aa-status and aa-enforce:
sudo apt install apparmor apparmor-profiles apparmor-utils
2. Activate AppArmor and check which profiles are loaded and in which mode. Some of the profiles from apparmor-profiles load in complain mode; switch the ones that cover services on this host to enforce with aa-enforce:
sudo systemctl enable --now apparmor
sudo aa-status
9. Disable Logging
1. Stop and Disable rsyslog:
sudo systemctl stop rsyslog
sudo systemctl disable rsyslog
rsyslog only writes the text logs; systemd-journald keeps its own journal as well. To stop that too, set Storage=none in /etc/systemd/journald.conf and restart systemd-journald. Bear in mind that this also removes the trail you would need to investigate a compromise of the box.
2. Clear Existing Logs:
sudo rm -rf /var/log/*
3. Mount /var/log as tmpfs, so anything a daemon still writes lives in RAM and is gone after a reboot: Edit /etc/fstab:
tmpfs /var/log tmpfs defaults,noatime,nosuid,nodev,mode=0755 0 0
sudo mount /var/log
10. Testing and Debugging
1. Test Port Knocking: Send the knock sequence from your local machine (the knock client is part of the knockd package), then log in with the key generated in section 2:
knock 10.0.5.200 23232 43434 13131 54545 25252
ssh -i ~/.ssh/proxy-server-key root@10.0.5.200
2. Verify DNS Filtering: On the server, query a domain from the blocklist; it should come back NXDOMAIN, while a domain not on the list resolves normally:
dig ads-domain.com @127.0.0.1
3. Test Shadowsocks: Connect using a Shadowsocks client with the configuration:
- Server: 10.0.5.200
- Port: 443
- Password: yourstrongpassword
- Method: chacha20-ietf-poly1305
- Plugin: obfs-local with plugin options obfs=http (the client-side counterpart of obfs-server)
Other tutorials on this site cover in detail how to configure LUKS, AppArmor and Shadowsocks clients, and how to manage the computers behind the HAPS. If a tutorial is not there yet, check back soon.