Last update: 2019-1-18 2200 GMT
===================================================================
=== Instructions for a VPS Installation of a Mixmaster Remailer ===
===================================================================
[Debian 8.x Jessie - Mixmaster will not compile on Debian 9 or greater]
## Note1: All of my comments are preceded by ##
## Note2: All references to 'yourFQDN' in this text refer to your chosen
## 'Fully Qualified Domain Name' (FQDN). Example: inwtx.net
## The following instructions contain the course of action that was
## taken to install a Mixmaster remailer on a DigitalOcean 'Linux Virtual
## Private Server', using a remote Windows 7 machine.
## A DigitalOcean VPS (Linux Debian) was chosen because of its low cost
## ($5/month) and because you have a choice of placing the remailer
## on several different servers throughout the world.
## (Note: DigitalOcean has received a complaint and has ordered three
## exit remailers residing on their servers to stop operation (5-9-14).
## My remailer is a middle and I have not been asked to leave.)
## (See: lowendbox.com/blog/top-provider-poll-2014-q1-the-results/
## for other low cost 'Bare Minimum VPS/Dedicated Servers'. Disregard
## the skewed votes - see comments.)
## I cover purchasing an FQDN (Fully Qualified Domain Name) at
## NameCheap.com (a very popular Domain Service), and setting up
## the necessary parameters. NameCheap.com allows you to have full
## control to modify your FQDN yourself. Some other Domain Services
## charge to make modifications for you and some take quite some
## time to get your modifications implemented.
## Linux experience is necessary for this installation; however, most
## of the necessary Linux Debian commands used to set up this
## remailer are covered in this text.
## Some useful addresses:
## digitalocean.com # DigitalOcean site
## postfix.org # Postfix site
## LinuxQuestions.org # A somewhat helpful Linux forum
## putty.org # Putty site
## winscp.net # WinSCP Windows ftp client program
## openssl.org/source/ # OpenSSL tarball site
## linux.about.com/library/cmd/blcmdl1_procmail.htm # Procmail usage
## http://www.zen19351.zen.co.uk/mixmaster31/ # Mixmaster package site
## There are going to be 4 programs installed on your VPS:
## 1. OpenSSL Transport Layer Security.
## 2. Postfix mail server to handle mail input and output.
## 3. The Mixmaster remailer package.
## 4. The Unbound DNS Resolver.
## You will also need to install Putty on your local computer to
## efficiently access your VPS on the DigitalOcean site.
## DigitalOcean requires a bank issued credit card when you sign up.
## If your card is rejected for some reason, notify their customer
## service. Best to first purchase your $5 per month VPS and purchase
## your FQDN after you determine that you can correctly set everything
## up.
## Other help in setting up this remailer came through the many
## remailer Gurus at the alt.privacy.anon-server news group.
## LinuxQuestions.org was also somewhat helpful.
## Index:
## I. Purchasing Your DigitalOcean VPS Droplet
## II. Purchase and Setup Of An FQDN
## III. Installing Putty On Your Windows Machine
## IV. Installing Postfix
## V. Installing OpenSSL
## VI. Installing Mixmaster
## VII. Setting Up Mixmaster's Parameters
## VIII. Testing/Announcing the Remailer
## IX. Installing The Unbound DNS Resolver
## X. Installing WinSCP On Your Windows Machine
## XI. Appendix - Additional hints and suggestions
## Note: These instructions must be followed exactly.
## COMPLETE EACH STEP before going to the next step.
## DO NOT change the case in any of the examples.
## DO NOT presume anything when it comes to the use of Linux.
## Linux can be exacting, temperamental, and non-intuitive.
## This guide is being continuously updated with corrections,
## etc. Check to see that you have the latest copy.
=================================================
I. Purchasing Your DigitalOcean VPS Droplet
=================================================
>>
A. Go to: DigitalOcean.com
## Enter in a valid email address and the password you desire to
## use for logging into the DigitalOcean website.
## Next you will be taken to a page with three options. The first
## option will be to purchase the size VPS you need. The smallest
## is probably all you will need to set up a remailer.
>>
B. Once through the purchase phase, you will go on to the Droplet
## creation phase.
## (Note: See the 'SSH Keys' setup section on the DigitalOcean
## website to get around having to use a password for login.
## Your SSH key must be created and submitted to DigitalOcean
## before creating your Droplet.)
## 1. On the 'Hostname:' line, type in what you want to name the
## Droplet. You can use your planned FQDN: xyz.net
## 2. Choose an image: Click on the Linux operating system 'Debian 8.n x64'
## button.
## 3. Choose a size: Click to highlight the '1GB 1/CPU...' button.
## 4. Next I suggest you select one of the Amsterdam servers.
## 5. [DELETED]
## 6. Finish by clicking 'Create Droplet'.
## 7. If you didn't setup your server for 'SSH Keys', an email
## will be sent with your new VPS password. This will need to
## be changed because it was sent in the clear.
## Note: If you work on your server from the DigitalOcean web
## site's 'Console' window, you will probably not be able to
## access the VPS's 'Console' window from your machine
## through a proxy, and your firewall may have to be disabled
## (using the Putty terminal will get around all of this).
## It now takes you to a page that displays your assigned IP
## address along with a summary of your Droplet choices. This
## information will always display when you login to DO. I found
## that I was not able to do anything with my Droplet just after
## its creation until after I first clicked the 'Power Cycle'
## button. This shouldn't do any harm because you haven't made any
## entries to your Droplet yet. Do not 'Power Cycle' after making
## any entries to your Droplet.
## Before going any further, you need to check the ip address you
## have been assigned to make sure it is not in any blacklists.
## Blacklists are lists of ip addresses known to have been used by
## spammers in the past. Even after the spammer has stopped using
## an ip address, it remains in the blacklists. Go to
## mxtoolbox.com/blacklists.aspx, type the ip address into the
## search box and wait for the results. If it has been blacklisted,
## destroy the droplet and create another one.
## If you decide to make any changes to your Droplet creation
## selections above, you can use the Destroy button to completely
## delete your Droplet and start over. Your assigned DigitalOcean
## ip address will then change. A new password will be mailed to
## you each time if you have not created an SSH Key, however.
## After your Droplet is created, you can get to it through the
## 'Console Access' button. It is best to use a Putty terminal -
## setup explained below. The first time you log in with Putty,
## you will get a warning message. Just click Yes. If you have not
## set up an SSH Key, you should receive a request to enter your
## emailed server's password. After logging in as root, type in
passwd
## and follow the instructions to change it from the
## emailed password to something more easily remembered.
>>
C. Set up your DNS records on the DigitalOcean web site next. If
## you have not purchased your domain name yet, check to see that
## it is available at NameCheap and use it in absentia. Click the
## DNS button on the DigitalOcean web page. The instructions for
## this process are found here:
## https://digitalocean.com/community/articles/how-to-set-up-a-host-name-with-digitalocean
## (Note: After filling in the first DNS line with your DO issued
## IP address and saving the change, you might have to refresh your
## browser to get the 'Add Record' button to work.)
## Make your MX record 'mail.yourFQDN.'. Note the required periods
## at the ends. Also create an A record for your MX record and a
## CNAME record for www.yourFQDN as shown. Your DigitalOcean DNS
## page should end up looking like this:
A     @      UR.DO.IP.ADR
A     mail   UR.DO.IP.ADR
CNAME www    yourFQDN.
MX    0      mail.yourFQDN.
NS           NS1.DIGITALOCEAN.COM.
NS           NS2.DIGITALOCEAN.COM.
NS           NS3.DIGITALOCEAN.COM.
## This is an example of how the inwtx.net DigitalOcean DNS
## was set up.
=======I. End=======
=======================================
II. Purchase and Setup Of An FQDN
=======================================
## When choosing an FQDN, it is probably best to choose a domain name
## ending in .net or .com . The reason being, you can hide your
## personal identity (called WhoisGuard - about $3/yr) with .net and
## .com, whereas you can not do this with some other names¹ (such as
## .us, etc). When I purchased my .net name, it came with a one year
## free WhoisGuard. Although this will not keep the authorities from
## finding out who you are, it will keep your personal name off the
## domain name record. Before you choose to pay for WhoisGuard during
## the sign up process, first see if you don't get one year of this
## service free. The NameCheap DNS service has a chat help system
## where you can get most of your questions quickly answered. If you
## can't get a satisfactory answer, the service rep may not have
## enough DNS experience, so check in with the chat service later to
## talk with a different representative.
## Once your name is registered, it is a simple matter of logging
## in, clicking on your FQDN, clicking on the 'Domain Name Server
## Setup' button, and then check 'Specify Custom DNS Servers' and
## enter these three entries into the boxes (do not add periods at
## end):
1. ns1.digitalocean.com
2. ns2.digitalocean.com
3. ns3.digitalocean.com
## Last, click the 'Save Changes' button. It may take an hour+ to
## activate.
## ¹See www.namecheap.com/security/whoisguard.aspx
=======II. End=======
===================================================
III. Installing Putty On Your Windows Machine
===================================================
## It is best to use the Putty terminal program to access and work with
## your DigitalOcean VPS. The terminal on the DigitalOcean website is
## sluggish and the window cannot be scrolled.
## 1. Start the Putty program.
## 2. Type in the DigitalOcean IP address you were issued during sign up
## into the 'Host Name (or IP address)' box.
## 3. Port number should be 22.
## 4. Enter the 'name of your Droplet'¹ in the 'Saved Sessions' box.
## 5. Under Connection/Data, type root into the Auto-login username box.
## 6. Under Session, click the Save button.
## To login to your VPS, double click on ¹'name of your Droplet'.
=======III. End=======
=========================================
IV. Installing Postfix and Procmail
=========================================
>>
A. When installing Postfix from /root, any other mail server already
## installed will most likely be automatically un-installed.
sudo apt-get update
sudo apt-get install postfix
>>
B. Entering requested parameters:
## 1. Choose the 'Internet site' option (using the Up/Down keys - it
## will probably already be selected in red). Tab to OK.
## 2. Replace the content that comes up in the 'System mail name'
## (could be anything) with the FQDN that you plan to or
## have already purchased (example as: 'xyz.net').
## 3. Postfix will then finish installing and will start itself.
## Postfix is fairly good at setting itself up, but it will be
## necessary to make further changes.
>>
C. In the /etc/postfix/main.cf file:
## 1. The myhostname line must be changed to (whatever name you gave
## your MX record):
myhostname = mail.yourFQDN
## 2. The mydestination line must look like this:
mydestination = yourFQDN, localhost, localhost.localdomain
## 3. If you are going to use a name like 'mixmaster.yourFQDN',
## then add that into the mydestination line:
mydestination = yourFQDN, mixmaster.yourFQDN, localhost, localhost.localdomain
## 4. Place these lines just above the 'myhostname = ' line. Note the
## required indentation of the continuation lines:
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    permit_mynetworks
## 5. See that the 'mynetworks =' and 'inet_interfaces =' lines are
## set as shown below:
mynetworks = 0.0.0.0/8 Your-VPS-IP-Address-here
inet_interfaces = all
## The mynetworks should look something like this:
## mynetworks = 0.0.0.0/8 12.34.56.789
>>
D. Any email user name you intend to allow Postfix to service must
## have the user email name placed into the '/etc/aliases' file. Add
## these to the bottom of the /etc/aliases file:
abuse: remopmail
admin: remopmail
mix: mix
## You can put in a valid email address in the abuse and admin lines
## to have that mail forwarded to another email address in addition
## to being sent to the user remopmail:
abuse: remopmail,AnyEmailAddress@yourISP.com
admin: remopmail,AnyEmailAddress@anywhere.com
## The /etc/aliases file should end up looking like this:
#/etc/aliases
mailer-daemon: postmaster
postmaster: remopmail,me@myhomeisp.net
hostmaster: remopmail,me@myhomeisp.net
webmaster: remopmail,me@myhomeisp.net
admin: remopmail,me@myhomeisp.net
abuse: remopmail,me@myhomeisp.net
mix: mix
>>
E. Due to the change made in C. 1., you are going to have to
## add another user, otherwise mail that used to come into a
## name pointing at root will simply disappear. Do not use
## user 'mix' for this. Execute the adduser line below.
## (You can use something other than 'remopmail' as the user
## name. Be sure it is also changed in the /etc/aliases file.)
adduser remopmail
>>
F. Any time you make changes to Postfix files, you have to execute
## the following commands. (If Postfix says it is not running,
## then execute this command: sudo service postfix restart
## and then execute the commands below again.)
sudo postalias /etc/aliases && sudo postfix reload
>>
G. Note: After installing the remaining sections in this tutorial,
## see Appendix A. on hardening the Postfix SMTP.
=======IV. End=======
===========================
V. Installing OpenSSL
===========================
>>
A. Be sure to be in '/root' to install the following.
>>
B. First install some packages required by OpenSSL and Mixmaster.
sudo apt-get update
sudo apt-get install build-essential libpcre3 libpcre3-dev wget zlib1g-dev libncurses5-dev curl perl dc bc bison libssl-dev libbison-dev ssl-cert haveged
## Note: On Debian 8.1+, you may have to install sudo, gcc, and make.
## (Execute 'find / -name <name>' to see if they are already installed
## and, if found, remove the name from the string below. Run this one
## as root without the sudo prefix, since sudo itself may be missing.)
apt-get install sudo gcc make
>>
C. Now download the OpenSSL source tarball. Check the source site
## (https://www.openssl.org/source/) for the current listing.
## Note: Mixmaster will no longer work with the new OpenSSL 1.1.n versions,
## so do not take the latest release. Use the older openssl-1.0.1u.tar.gz
## version from here:
## http://ftp.nluug.nl/security/openssl/
## The --no-check-certificate switch turns off TLS certificate checking
## for the download, so compare the tarball against the .sha256 (or the
## .asc signature) published next to it on openssl.org before building it.
wget --no-check-certificate https://www.openssl.org/source/openssl-1.0.1u.tar.gz
>>
D. Extract the tarball.
tar xvf openssl-1.0.1u.tar.gz
>>
E. Build the distribution (ignore 'make test' errors):
cd openssl-1.0.1u
./config
make
make test
sudo make install
>>
F. Take back some space on your VPS by removing the
## tarball and install files:
cd
rm openssl-1.0.1u.tar.gz
rm -rf openssl-1.0.1u
=======V. End=======
==============================
VI. Installing Mixmaster
==============================
>>
A. Download and install in /root the most current Mixmaster remailer
## package from the website. Check the webpage to determine the most
## current download: http://www.zen19351.zen.co.uk/mixmaster31:
cd
wget --no-check-certificate http://www.zen19351.zen.co.uk/mixmaster31/debian84_mixmaster_3.1-1_amd64.deb
>>
B. Install the package (installs quickly):
dpkg -i debian84_mixmaster_3.1-1_amd64.deb
>>
C. Take back some space on your VPS by removing the .deb file:
rm debian84_mixmaster_3.1-1_amd64.deb
>>
D. Make a list of where the mixmaster files are located:
sudo updatedb
locate -i mixmaster
=======VI. End=======
============================================
VII. Setting Up Mixmaster's Parameters
============================================
>>
A. Change the /var/mixmaster/mix.cfg file per 1., 2., and 3. below.
## Note: The parameters in this file are sensitive to inappropriate
## and/or extra spaces. A tab must be between a parameter and its
## value. A script will be run at the end of the following setup to
## assure that there are no inappropriate spaces in the parameter lines.
## 1. Parameters that will need to be added to the mix.cfg file:
## ALLPINGERSURL https://raw.githubusercontent.com/remops/allpingers/master/allpingers.txt
## KEYLIFETIME 42d
## KEYOVERLAPPERIOD 12d
## KEYGRACEPERIOD 5d
## 2. Parameters that will need to be changed:
## MAILBOX /etc/mbox
## PASSPHRASE <choose a good long one>
## AUTOBLOCK n
## COMPLAINTS admin@yourFQDN
## REMAILERNAME yourFQDN Anonymous Remailer
## ANONNAME The yourFQDN Anonymous Remailer
## SIZELIMIT 100
## NEWS mail2news@m2n.mixmin.net
## ORGANIZATION Anonymous Posting Service
## MID y
## Note: SIZELIMIT should be kept small (100) on a 500MB VPS.
## 3. Parameters that can be deleted:
## CHAIN *,*,*,*
## 4. Best now go through the entire file to see that there are no
## blank spaces between a parameter and its value (a parameter
## is the 1st word in a line, the value follows). Again, they
## must be separated by tab(s) only. Make sure that there are
## no blank spaces past the end of any line also.
## Invalid spaces testing script (execute on command line):
cat /var/mixmaster/mix.cfg | sed '/ *#/d; /^ *$/d' | while read line; do echo "$line"; echo "$line" | fold -1 | grep -c $' '; done
## The results of executing the above line will print out each
## parameter line with a number underneath. The number underneath
## shows the number of spaces in the previous line. Example:
SENDMAIL /usr/sbin/sendmail -t
1
MAILIN /etc/Maildir/
0
REMAILERNAME My Remailer
1
MIX y
1
ORGANIZATION Anonymous Posting Service
2
## The SENDMAIL line shows to have 1 space. That is valid because
## there is one space before the '-t'.
## The MAILIN line shows to have no space. That is correct and
## shows that the separation between the parameter and its value
## is due to a tab.
## The REMAILERNAME line shows to have 1 space. That is valid because
## there is one space between 'My' and 'Remailer'.
## The MIX line shows to have 1 space. That is invalid because
## no spaces are allowed in a parameter/value line. The rogue space(s)
## could be hiding anywhere in the line, including at the line's end.
## The ORGANIZATION line shows to have 2 spaces. That is valid because
## there are two spaces within 'Anonymous Posting Service'.
#---mix.cfg example file begin--------------------------------------#
## mix.cfg -- installed Sun May 5 21:52:04 UTC 2014
SENDMAIL /usr/sbin/sendmail -t
# Where to store non-remailer messages (all messages deleted here):
MAILBOX /etc/mbox
#MAILABUSE mbox.abuse
#MAILBLOCK mbox.block
#MAILUSAGE mbox.usage
#MAILANON mbox.anon
#MAILERROR mbox.error
#MAILBOUNCE mbox.bounce
REMAIL y
MIDDLEMAN y
PASSPHRASE ?123?
ALLPINGERSURL https://raw.githubusercontent.com/remops/allpingers/master/allpingers.txt
BINFILTER y
AUTOBLOCK y
AUTOREPLY n
ERRLOG error.log
VERBOSE 1
KEYLIFETIME 42d
KEYOVERLAPPERIOD 12d
KEYGRACEPERIOD 5d
# Remailer name and addresses
REMAILERADDR mix@yourFQDN
ANONADDR mix@yourFQDN
COMPLAINTS abuse@yourFQDN
SHORTNAME [can be yourFQDN minus the TLD (.net) (lowercase only - length 10 or less)]
REMAILERNAME yourFQDN Anonymous Remailer
ANONNAME The [yourFQDN minus the TLD (.net)] Anonymous Remailer
# Supported formats:
MIX y
PGP n
UNENCRYPTED n
# Maximum message size in kB (0 for no limit):
# (Note: Due to the small size of the VPS, this probably should be limited.)
SIZELIMIT 100
# Usenet news:
NEWS mail2news@m2n.mixmin.net
ORGANIZATION Anonymous Posting Service
MID y
# Remailing strategy:
SENDPOOLTIME 5m
POOLSIZE 20
RATE 65
INDUMMYP 10
OUTDUMMYP 90
IDEXP 7d
PACKETEXP 7d
#---mix.cfg example file end----------------------------------------#
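## A script form of the space check in step 4, added here as an example
## (not part of the Mixmaster package or of this guide's original text).
## It applies the same rules to any mix.cfg-style file, names the line and
## the fault instead of leaving you to count spaces, and exits with the
## number of faulty lines; the sample it checks is constructed for the demo.

```shell
#!/bin/sh
# mixcfg_check.sh -- flag whitespace faults in a mix.cfg-style file.
# Added example; not part of the Mixmaster package. It applies the rules
# given in step 4: the parameter is the first word of a line, the value
# follows, the two are separated by tab(s) only, and nothing trails the
# value. Needs only POSIX sh and awk.

# check_mixcfg FILE
#   Prints "LINE: REASON: TEXT" for each faulty line. The exit status is
#   the number of faulty lines (0 = clean, nothing printed).
check_mixcfg() {
    awk '
        function bad(reason) {
            printf "%d: %s: %s\n", NR, reason, $0
            n++
        }
        # Blank lines and comments (first non-blank character is "#") are
        # skipped. Unlike the sed one-liner above, a "#" later in a line
        # (for example inside a PASSPHRASE) does not turn it into a comment.
        /^[ \t]*(#.*)?$/ { next }
        /^[ \t]/  { bad("leading whitespace before the parameter"); next }
        /[ \t]$/  { bad("whitespace past the end of the line"); next }
        !/[ \t]/  { bad("parameter has no value"); next }
        # Parameter, one or more tabs, then a value whose first character
        # is not a blank, so "KEY value" and "KEY<tab> value" both fail.
        # Spaces inside the value itself (SENDMAIL ... -t) are allowed.
        !/^[^ \t]+\t+[^ \t]/ { bad("parameter and value not separated by tab(s)"); next }
        END { exit n + 0 }
    ' "$1"
}

# demo_mixcfg
#   Writes a constructed sample (three good lines, three faulty ones) with
#   real tabs, runs the check on it, and returns the fault count (3).
demo_mixcfg() {
    f=$(mktemp) || return 255
    tab=$(printf '\t')
    printf '%s\n' \
        "# mix.cfg -- constructed sample, not from a real installation" \
        "SENDMAIL${tab}/usr/sbin/sendmail -t" \
        "MAILIN${tab}/etc/Maildir/" \
        "REMAILERNAME${tab}My Remailer" \
        "MIX y" \
        "ORGANIZATION${tab}Anonymous Posting Service " \
        " SIZELIMIT${tab}100" > "$f"
    check_mixcfg "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Run on the real file with: check_mixcfg /var/mixmaster/mix.cfg
if demo_mixcfg; then
    echo "sample is clean"
else
    echo "sample has $? faulty line(s)"
fi
```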
>>
B. Stats are updated automatically daily, but starting out we will
## do this manually before starting mixmaster. Type this on the
## command line:
/usr/bin/mixmaster-getstats
>>
C. Now reboot your machine and mixmaster will automatically start
## if everything is ok. Do a 'ps -ef' at the command line to see
## if it is running. It should appear as:
mix 626 1 0 21:43 ? 00:00:00 /usr/bin/mixmaster -D
>>
D. Additional mixmaster commands:
1. Start: su - mix
          mixmaster -D
          exit
2. Start: service mixmaster start
3. Start: systemctl start mixmaster
4. Stop: service mixmaster stop
5. Stop: systemctl stop mixmaster
>>
E. Note: If mixmaster hangs when doing step B. or you continuously
## see one or more 'mixmaster -RM' after doing a 'ps -ef', then
## try doing the following and afterwards reboot:
cd /dev/
mv random randomOLD
ln -sfv urandom /dev/random
=======VII. End=======
===========================================
VIII. Testing/Announcing the Remailer
===========================================
## 1. Test your remailer by sending an empty request for the
## keys to mix@yourFQDN with a subject of remailer-key.
## You should receive back three public keys, an RSA PGP key,
## a DSA PGP key, and the Mixmaster key. Also test your remailer
## by sending additional empty requests to mix@yourFQDN
## with subjects of remailer-conf, remailer-stats,
## remailer-help, and remailer-adminkey. After receiving the
## replies, stop mixmaster, remove the 'EXTFLAGS testing' line
## from the /var/mixmaster/mix.cfg file, and start mixmaster
## again.
## 2. Announce your remailer by posting a copy of the 3 public keys
## you received above to the alt.privacy.anon-server news group.
## Make the Subject something like 'Announcing New Remailer'.
## 3. You can also join the remop's list at lists.mixmin.net and
## announce your remailer there.
## 4. It will take several days and possibly weeks before your
## remailer will begin to show up in the pingers stats. Look for
## your remailer name in http://www.mixmin.net/echolot/mlist.txt.
## Pingers list: https://raw.githubusercontent.com/remops/allpingers/master/allpingers.txt.
=======VIII. End=======
=============================================
IX. Installing The Unbound DNS Resolver
=============================================
## The Unbound DNS Resolver needs to be installed to switch the
## VPS from using its default - Google. This can be done with the
## execution of these instructions:
cd
apt-get update
apt-get install unbound
cat /etc/resolv.conf > /etc/resolv.conf.bkp
echo "nameserver 127.0.0.1" > /etc/resolv.conf
chattr +i /etc/resolv.conf
## In /etc/unbound/unbound.conf, replace all lines with:
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    logfile: "/etc/unbound/unbound.log"
    verbosity: 1
    target-fetch-policy: "3 2 1 0 0"
    use-syslog: yes
    log-queries: yes
forward-zone:
    name: "."
    forward-addr: 8.26.56.26 # Comodo
    forward-addr: 8.20.247.20 # Comodo
    forward-addr: 8.8.8.8 # google as last resort
## Note: 'log-queries: yes' records every DNS lookup the VPS makes; on a
## remailer host you may prefer 'log-queries: no' so the logs hold less.
## In /etc/network/interfaces, change the dns addresses in the
## 'dns-nameservers' line to 127.0.0.1
## Last, reload unbound and the network:
sudo /etc/init.d/unbound restart
sudo /etc/init.d/networking reload
=======IX. End=======
===================================================
X. Installing WinSCP On Your Windows Machine
===================================================
>>
A. Windows users can use the WinSCP program to upload files to the
## DigitalOcean VPS.
## 1. Start the WinSCP program.
## 2. In the 'Session/Stored Sessions' tree item, click the New
## button.
## 3. Type your DigitalOcean issued IP address into the 'Host name'
## box.
## 4. Port number should be 22.
## 5. User name should be root.
## 6. If you are using SSH key authentication, go to the
## 'Session/SSH/Authentication' tree item and un-check 'Respond
## with password to the first prompt'.
## 7. Go to the 'Session' tree item and click the Save... button.
## 8. 'Save session as': DigitalOcean.
>>
B. To login to your server, click on the 'Session/Stored Sessions'
## tree item and double click on 'DigitalOcean'.
>>
C. It would probably be a good idea to backup these files to your
## local machine:
## /etc/aliases
## /etc/postfix/main.cf
## /var/mixmaster
=======X. End=======
===================
XI. Appendix
===================
>>
A. The Logjam attack allows a man-in-the-middle attacker to downgrade
## vulnerable TLS connections to 512-bit export-grade cryptography
## (see: weakdh.org). It is therefore important to harden Postfix
## SMTP against these attacks.
## How to harden Postfix SMTP:
## 1. From root, generate a 2048-bit DH parameter file:
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
## 2. There seems to be a requirement for the dhparams.pem key to be
## in /etc/postfix/:
cp /etc/ssl/certs/dhparams.pem /etc/postfix/dh2048.pem
## 3. Place the following line in the '# TLS parameters' section in
## /etc/postfix/main.cf:
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
## 4. Restart Postfix:
sudo /etc/init.d/postfix restart
>>
B. Suggestion: I stopped a service on the VPS that is no longer
## actively maintained. It is a CPU hog and does basically nothing
## for your Linux experience. Linux runs perfectly ok without it.
## You can't just kill it because it will just restart itself, so
## you will have to drive a wooden stake through its heart also.
## How to permanently kill ConsoleKit:
## 1. In /root, open the following file in a text editor.
nano /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service
## 2. Comment out all lines. This is what it should look like:
#[D-BUS Service]
#Name=org.freedesktop.ConsoleKit
#Exec=/usr/sbin/console-kit-daemon --no-daemon
#User=root
#SystemdService=console-kit-daemon.service
## 3. Now execute this command and kill the ConsoleKit's pid:
ps -elf
kill <ConsoleKit's pid>
>>
C. To make sure mixmaster is running, you can implement a script
## that checks it every hour. This script notifies you so that your
## remailer does not accidentally back up traffic by being down.
## 1. From /root, create a new file called mixcheck.sh in
## the /etc/ directory:
cd /etc/
nano mixcheck.sh
## 2. Place the following script therein:
#!/bin/bash
# Script to see if mixmaster is running - mixcheck.sh
# Look for the mixmaster process up to 5 times, a minute apart, and
# mail an alert only if it is absent on every try.
i=5
while [ "$i" -gt 0 ]
do
    psvar=$(ps -ef)
    if [[ "$psvar" =~ "mixmaster" ]]
    then
        # matched: mixmaster is running, nothing to report
        exit 0
    else
        # no match: wait a minute and look again
        sleep 1m
    fi
    i=$((i - 1))
done
echo "Mixmaster not running!" | mail -s "Mixmaster not running!" you@yourisp.net
## 3. Save the script and change file attributes:
chmod 755 mixcheck.sh
## 4. In /root, create a cron to execute the script hourly:
cd
crontab -e
## 5. Place these lines at the bottom of the cron file:
#Every hour (at minute 0) check if mixmaster is running
0 * * * * cd /etc/ && ./mixcheck.sh
>>
D. It would be in your best interest to make a backup of your
## VPS. Each VPS service will have a different way of doing
## this. The procedure on DigitalOcean is as follows:
## 1. Log into your VPS with your terminal and stop mixmaster:
killall mixmaster
## 2. Poweroff your droplet from the terminal command line:
shutdown -h now
## 3. Log in to the DigitalOcean website. Go to your droplet's
## page and click on Snapshots. Then click on the 'Take a
## Snapshot' line and wait for the Snapshot to end. Your VPS
## will automatically start after the Snapshot is finished.
## 4. Log into your VPS with your terminal. Log into /root
## and start mixmaster:
service mixmaster start
>>
E. It is good practice to change the server's SSH port. Port 22
## is the default SSH port and this port will be continuously
## attacked by hackers attempting to break into your server.
## Changing this port number completely eliminated these attacks
## on this server. Only one hacker later did a port scan to
## discover which port was being used for SSH and he was easily
## discovered and IP blocked.
## 1. Open /etc/ssh/sshd_config
nano /etc/ssh/sshd_config
## 2. Change the 'Port 22' line to 'Port <number-of-choice>'. The
## keyword takes no colon; a 'Port: 22' form is a syntax error and
## sshd will refuse to start:
Port 49152
## 3. Check that the file still parses ('sshd -t' prints nothing
## when it is valid), then restart SSH:
sshd -t
/etc/init.d/ssh restart
## 4. It is now important to test to see if you are able to
## connect to your server on this new port BEFORE you
## disconnect the current terminal you have been using to make
## these changes. Start another Putty terminal. Single click
## on the 'name of your Droplet' (see III. #4), click the
## 'Load' button, change the 'Port' to the new port <number-of-choice>
## you made above, and click the 'Open button'. If the new
## terminal window connects and opens correctly, then click
## the 'Save' button. Putty will connect on this new port
## from now on. You can now close the old terminal window.
## 5. Last, you need to change the port number in WinSCP if
## you are going to use that program (see X. #4).
>>
F. To protect against various web attacks, place these in iptables.
## The syn_flood chain is created first because rules below jump to it,
## and loopback traffic is accepted first so the checks below do not
## throttle local connections:
iptables -N syn_flood
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m comment --comment "NEW incoming tcp = SYN?" -j DROP
iptables -A INPUT -f -m comment --comment "Fragments packets" -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "NULL packets" -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
iptables -A syn_flood -m limit --limit 1/sec --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
=======XI. End=======
=======================
=======GUIDE End=======
=======================