HAPS Setup on Debian 12
Overview of HAPS Setup on Debian 12
This guide details the setup of a HAPS (High Anonymity Proxy Server) on Debian 12. It covers SSH key authentication, port knocking, Shadowsocks for traffic obfuscation, DNS filtering, partition encryption with LUKS, and AppArmor confinement.
1. Configure the Network
1. Configure a static IP for eth0 with Cloudflare's DNS servers for improved privacy and speed. Edit /etc/network/interfaces:
auto eth0
iface eth0 inet static
address 10.0.5.200
netmask 255.255.255.0
gateway 10.0.5.1
dns-nameservers 1.1.1.1 1.0.0.1
2. Restart the networking service:
sudo systemctl restart networking
2. Secure SSH with Key Authentication Only
1. Generate SSH Key Pair on Your Local Machine (-f sets the file name, -C is only a comment embedded in the key):
ssh-keygen -t ed25519 -f ~/.ssh/proxy-server-key -C "proxy-server-key"
2. Install the Public Key on the Proxy Server (the contents of ~/.ssh/proxy-server-key.pub from step 1):
sudo mkdir -p /root/.ssh
echo "YOUR_PUBLIC_KEY_HERE" | sudo tee /root/.ssh/authorized_keys
sudo chmod 600 /root/.ssh/authorized_keys
sudo chmod 700 /root/.ssh
3. Restrict SSH Configuration: Edit /etc/ssh/sshd_config:
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
4. Restart SSH:
sudo systemctl restart sshd
3. Enable Port Knocking for SSH
1. Install knockd:
sudo apt install knockd
2. Configure knockd: Edit /etc/knockd.conf:
[openSSH]
    sequence    = 23232,43434,13131,54545,25252
    seq_timeout = 15
    command     = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
[closeSSH]
    sequence    = 25252,54545,13131,43434,23232
    seq_timeout = 15
    command     = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
3. Enable and Start knockd: Debian's package reads /etc/default/knockd before starting; set START_KNOCKD=1 there and set KNOCKD_OPTS="-i eth0" so knockd captures on the interface configured in section 1 (the packaged default names a different interface, and knockd will not see the knocks otherwise). Then:
sudo systemctl enable knockd
sudo systemctl start knockd
4. Install Shadowsocks for Traffic Obfuscation
1. Install Shadowsocks-libev together with simple-obfs, which provides the obfs-server plugin used in the configuration below:
sudo apt install shadowsocks-libev simple-obfs
2. Configure Shadowsocks: Edit /etc/shadowsocks-libev/config.json:
{
    "server": "0.0.0.0",
    "server_port": 8388,
    "password": "yourstrongpassword",
    "method": "chacha20-ietf-poly1305",
    "mode": "tcp_and_udp",
    "plugin": "obfs-server",
    "plugin_opts": "obfs=http"
}
3. Start Shadowsocks:
sudo systemctl enable shadowsocks-libev
sudo systemctl start shadowsocks-libev
5. Configure DNS Filtering and Ad Blocking
1. Install Unbound:
sudo apt install unbound
2. Configure Unbound: Edit /etc/unbound/unbound.conf (only the local host is allowed to query; the netblock is written in its canonical form):
server:
    verbosity: 0
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    private-address: 10.0.0.0/8
    private-address: 192.168.0.0/16
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
3. Add an Ad-Blocking List: Fetch a hosts-format blocklist and convert it into Unbound local-zone statements. Unbound cannot parse a raw hosts file, so the converted output is what gets written to ads.conf (the list's own "0.0.0.0 0.0.0.0" sentinel entry is skipped):
curl -fsSL https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \
  | awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { printf "local-zone: \"%s.\" always_nxdomain\n", $2 }' \
  | sudo tee /etc/unbound/ads.conf > /dev/null
Include the converted blocklist inside the server: section of /etc/unbound/unbound.conf (local-zone statements are only valid in that section, not under forward-zone):
server:
    include: "/etc/unbound/ads.conf"
4. Check the configuration and restart Unbound. Note that the dns-nameservers entry from section 1 sends the server's own lookups (including the names Shadowsocks resolves on behalf of clients) straight to Cloudflare, bypassing the filter; once Unbound is running, change that entry to 127.0.0.1 and restart networking so the filter actually applies.
sudo unbound-checkconf
sudo systemctl restart unbound
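As an added example (not part of the original guide), the following POSIX sh function converts a hosts-format blocklist such as StevenBlack/hosts into the local-zone statements Unbound parses, while skipping the loopback names and sentinel entries those lists carry in their header (a naive conversion would otherwise sinkhole localhost). The function name hosts_to_unbound and the sample input are constructed for this example.

```shell
#!/bin/sh
# Added example: convert a hosts-format blocklist (StevenBlack/hosts style) into
# Unbound "local-zone" statements. Unbound cannot read a raw hosts file, and a
# naive conversion would also block "localhost" and the "0.0.0.0 0.0.0.0"
# sentinel that such lists contain. Function and sample data are constructed.

# Reads hosts lines on stdin, writes one local-zone line per blocked name.
hosts_to_unbound() {
    awk '
        # drop comments and blank lines
        { sub(/#.*/, ""); if (NF < 2) next }
        # only sinkhole addresses mark a block; IPv6/broadcast lines are not blocks
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }
        {
            for (i = 2; i <= NF; i++) {
                d = tolower($i)
                # skip the sentinel, loopback names, and anything that is not a hostname
                if (d == "0.0.0.0" || d == "localhost" || d == "localhost.localdomain" ||
                    d == "local" || d ~ /^ip6-/ || d !~ /^[a-z0-9.-]+$/) continue
                if (d in seen) continue   # dedupe repeated entries
                seen[d] = 1
                printf "local-zone: \"%s.\" always_nxdomain\n", d
            }
        }'
}

# Constructed sample input mirroring the header and body of a hosts blocklist.
SAMPLE_HOSTS='# Title: constructed sample in hosts format
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
::1 localhost ip6-localhost ip6-loopback
0.0.0.0 0.0.0.0

# Start of blocked entries
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.net   # trailing comment
0.0.0.0 ads.example.com
'

# Usage on the proxy server (writes the file included from unbound.conf):
#   curl -fsSL https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \
#     | hosts_to_unbound | sudo tee /etc/unbound/ads.conf > /dev/null
#   sudo unbound-checkconf && sudo systemctl restart unbound
```

Run against SAMPLE_HOSTS it emits exactly two lines, for ads.example.com and tracker.example.net, with the duplicate, the comment and the loopback entries dropped.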
6. Configure iptables for Firewall and Security
1. Basic Firewall Rules:
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# Allow loopback traffic
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow incoming traffic for established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow Shadowsocks traffic. The NAT redirect in step 2 rewrites the destination
# port before the INPUT chain sees the packet, so a rule matching --dport 443 here
# would never match and the redirected packets would hit the DROP policy. Match the
# Shadowsocks port, limited to connections that originally arrived on 443.
sudo iptables -A INPUT -p tcp --dport 8388 -m conntrack --ctorigdstport 443 -j ACCEPT
2. Redirect Port 443 to Shadowsocks:
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8388
3. Save iptables Rules: the iptables-persistent package restores /etc/iptables/rules.v4 at boot. A plain shell redirection would be performed by the unprivileged shell and fail, so write the file through tee:
sudo apt install iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
7. Encrypt Partitions
1. Install cryptsetup for LUKS:
sudo apt install cryptsetup
2. Encrypt a Partition (replace /dev/sdX with the target partition; luksFormat destroys everything on it):
sudo cryptsetup luksFormat /dev/sdX
sudo cryptsetup open /dev/sdX encrypted_partition
sudo mkfs.ext4 /dev/mapper/encrypted_partition
sudo mount /dev/mapper/encrypted_partition /mnt
8. Enable AppArmor
1. Install AppArmor:
sudo apt install apparmor apparmor-profiles
2. Activate AppArmor:
sudo systemctl enable apparmor
sudo systemctl start apparmor
9. Disable Logging
1. Stop and Disable rsyslog:
sudo systemctl stop rsyslog
sudo systemctl disable rsyslog
2. Clear Existing Logs:
sudo rm -rf /var/log/*
3. Mount /var/log as tmpfs: Add the following line to /etc/fstab, then mount it with sudo mount /var/log:
tmpfs /var/log tmpfs defaults,noatime,nosuid,nodev,mode=0755 0 0
10. Testing and Debugging
1. Test Port Knocking: Send the knock sequence from your local machine (the knock client ships with the knockd package), then connect as root with the key from section 2:
knock 10.0.5.200 23232 43434 13131 54545 25252
ssh -i ~/.ssh/proxy-server-key root@10.0.5.200
2. Verify DNS Filtering: Query a blocked domain; a name on the blocklist should come back with status NXDOMAIN:
dig ads-domain.com @127.0.0.1
3. Test Shadowsocks: Connect using a Shadowsocks client with the configuration:
- Server: 10.0.5.200
- Port: 443
- Password: yourstrongpassword
- Method: chacha20-ietf-poly1305
- Plugin: obfs-http
This HAPS setup on Debian 12 (High Anonymity Proxy Server) enhances network security with advanced obfuscation techniques. With Shadowsocks and port knocking, your server becomes virtually invisible to attackers.