Last update: 2019-1-18 2200 GMT
===================================================================
=== Instructions for a VPS Installation of a Mixmaster Remailer ===
===================================================================
[Debian 8.x Jessie - Mixmaster will not compile on Debian 9 or greater]

## Note1: All of my comments are preceded by ##
## Note2: All references to 'yourFQDN' in this text refer to your chosen
##        'Fully Qualified Domain Name' (FQDN). Example: inwtx.net

## The following instructions contain the course of action that was
## taken to install a Mixmaster remailer on a DigitalOcean 'Linux Virtual
## Private Server', using a remote Windows 7 machine.

## A DigitalOcean VPS (Linux Debian) was chosen because of its low cost
## ($5/month) and because you have a choice of placing the remailer
## on several different servers throughout the world.
## (Note: DigitalOcean has received a complaint and has ordered three
## exit remailers residing on their servers to stop operation (5-9-14).
## My remailer is a middle and I have not been asked to leave.)
## (See: lowendbox.com/blog/top-provider-poll-2014-q1-the-results/
## for other low cost 'Bare Minimum VPS/Dedicated Servers'. Disregard
## the skewed votes - see comments.)

## I cover purchasing an FQDN (Fully Qualified Domain Name) at
## NameCheap.com (a very popular Domain Service), and setting up
## the necessary parameters. NameCheap.com allows you to have full
## control to modify your FQDN yourself. Some other Domain Services
## charge to make modifications for you and some take quite some
## time to get your modifications implemented.

## Linux experience is necessary for this installation, however most
## of the necessary Linux Debian commands used to set up this
## remailer are covered in this text.

## Some useful addresses:
## digitalocean.com    # DigitalOcean site
## postfix.org         # Postfix site
## LinuxQuestions.org  # A somewhat helpful Linux forum
## putty.org           # Putty site
## winscp.net          # WinSCP Windows SCP/SFTP client program
## openssl.org/source/ # OpenSSL tarball site
## linux.about.com/library/cmd/blcmdl1_procmail.htm # Procmail usage
## http://www.zen19351.zen.co.uk/mixmaster31/       # Mixmaster package site

## There are going to be 4 programs installed on your VPS:
## 1. OpenSSL (the TLS/crypto library Mixmaster is built against).
## 2. Postfix mail server to handle mail input and output.
## 3. The Mixmaster remailer package.
## 4. The Unbound DNS Resolver.

## You will also need to install Putty on your local computer to
## efficiently access your VPS on the DigitalOcean site.
## DigitalOcean requires a bank issued credit card when you sign up.
## If your card is rejected for some reason, notify their customer
## service. Best to first purchase your $5 per month VPS and purchase
## your FQDN after you determine that you can correctly set everything
## up.

## Other help in setting up this remailer came through the many
## remailer Gurus at the alt.privacy.anon-server news group.
## LinuxQuestions.org was also somewhat helpful.

## Index:
##       I. Purchasing Your DigitalOcean VPS Droplet
##      II. Purchase and Setup Of An FQDN
##     III. Installing Putty On Your Windows Machine
##      IV. Installing Postfix
##       V. Installing OpenSSL
##      VI. Installing Mixmaster
##     VII. Setting Up Mixmaster's Parameters
##    VIII. Testing/Announcing the Remailer
##      IX. Installing The Unbound DNS Resolver
##       X. Installing WinSCP On Your Windows Machine
##      XI. Appendix - Additional hints and suggestions

## Note: These instructions must be followed exactly.
##       COMPLETE EACH STEP before going to the next step.
##       DO NOT change the case in any of the examples.
##       DO NOT presume anything when it comes to the use of Linux.
##       Linux can be exacting, temperamental, and non-intuitive.
##       This guide is being continuously updated with corrections,
##       etc. Check to see that you have the latest copy.



=================================================
   I. Purchasing Your DigitalOcean VPS Droplet
=================================================

>> A. Go to: DigitalOcean.com
##    Enter in a valid email address and the password you desire to
##    use for logging into the DigitalOcean website.
##    Next you will be taken to a page with three options. The first
##    option will be to purchase the size VPS you need. The smallest
##    is probably all you will need to set up a remailer.

>> B. Once through the purchase phase, you will go on to the Droplet
##    creation phase.
##       (Note: See the 'SSH Keys' setup section on the DigitalOcean
##       website to get around having to use a password for login.
##       Your SSH public key must be created and submitted to
##       DigitalOcean before creating your Droplet.)
##    1. On the 'Hostname:' line, type in what you want to name the
##       Droplet. You can use your planned FQDN: xyz.net
##    2. Choose an image: Click on the Linux operating system
##       'Debian 8.n x64' button.
##    3. Choose a size: Click to highlight the '1GB 1/CPU...' button.
##    4. Next I suggest you select one of the Amsterdam servers.
##    5. [DELETED]
##    6. Finish by clicking 'Create Droplet'.
##    7. If you didn't setup your server for 'SSH Keys', an email
##       will be sent with your new VPS password. This will need to
##       be changed because it was sent in the clear.

##    Note: If you work on your server through the DigitalOcean web
##          site's 'Console' window, you will probably not be able to
##          reach it through a proxy, and your local firewall may have
##          to be disabled. Using the Putty terminal over SSH avoids
##          all of this.

##    It now takes you to a page that displays your assigned IP
##    address along with a summary of your Droplet choices. This
##    information will always display when you login to DO. I found
##    that I was not able to do anything with my Droplet just after
##    its creation until after I first clicked the 'Power Cycle'
##    button. This shouldn't do any harm because you haven't made any
##    entries to your Droplet yet. Do not 'Power Cycle' after making
##    any entries to your Droplet.

##    Before going any further, check that the IP address you have
##    been assigned is not on any DNS blacklists (DNSBLs). These lists
##    record addresses that were once used by spammers; even after the
##    spammer has moved on, the address usually stays listed, and many
##    sites will refuse mail from it. Go to
##    mxtoolbox.com/blacklists.aspx, type the IP address into the
##    search box and wait for the results. If it is blacklisted,
##    destroy the Droplet and create another one.

##    If you decide to make any changes to your Droplet creation
##    selections above, you can use the Destroy button to completely
##    delete your Droplet and start over. Your assigned DigitalOcean
##    ip address will then change. A new password will be mailed to
##    you each time if you have not created an SSH Key, however.

##    After your Droplet is created, you can get to it through the
##    'Console Access' button. It is best to use a Putty terminal -
##    setup explained below. The first time you log in with Putty,
##    you will get a warning message about the server's unknown host
##    key. Just click Yes. If you have not set up an SSH Key, you
##    should receive a request to enter your emailed server's password.
##    After logging in as root, type in passwd and follow the
##    instructions to change it from the emailed password to something
##    more easily remembered.

>> C. Set up your DNS records on the DigitalOcean web site next. If
##    you have not purchased your domain name yet, check to see that
##    it is available at NameCheap and use it in absentia. Click the
##    DNS button on the DigitalOcean web page. The instructions for
##    this process are found here:
##    https://digitalocean.com/community/articles/how-to-set-up-a-host-name-with-digitalocean
##    (Note: After filling in the first DNS line with your DO issued
##    IP address and saving the change, you might have to refresh your
##    browser to get the 'Add Record' button to work.)
##    Make your MX record 'mail.yourFQDN.'. Note the required periods
##    at the ends. Also create an A record for your MX record and a
##    CNAME record for www.yourFQDN as shown. Your DigitalOcean DNS
##    page should end up looking like this:

A           @                 UR.DO.IP.ADR
A           mail              UR.DO.IP.ADR
CNAME       www               yourFQDN.
MX          0                 mail.yourFQDN.
NS          NS1.DIGITALOCEAN.COM.
NS          NS2.DIGITALOCEAN.COM.
NS          NS3.DIGITALOCEAN.COM.

##    This is an example of how the inwtx.net DigitalOcean DNS
##    was set up.

=======I. End=======



=======================================
   II. Purchase and Setup Of An FQDN
=======================================

## When choosing an FQDN, it is probably best to choose a domain name
## ending in .net or .com . The reason being, you can hide your
## personal identity (called WhoisGuard - about $3/yr) with .net and
## .com, whereas you can not do this with some other names¹ (such as
## .us, etc). When I purchased my .net name, it came with a one year
## free WhoisGuard. Although this will not keep the authorities from
## finding out who you are, it will keep your personal name off the
## domain name record. Before you choose to pay for WhoisGuard during
## the sign up process, first see if you don't get one year of this
## service free. The NameCheap DNS service has a chat help system
## where you can get most of your questions quickly answered. If you
## can't get a satisfactory answer, the service rep may not have
## enough DNS experience, so check in with the chat service later to
## talk with a different representative.

## Once your name is registered, it is a simple matter of logging
## in, clicking on your FQDN, clicking on the 'Domain Name Server
## Setup' button, and then check 'Specify Custom DNS Servers' and
## enter these three entries into the boxes (do not add periods at
## end):

1.     ns1.digitalocean.com
2.     ns2.digitalocean.com
3.     ns3.digitalocean.com

## Last, click the 'Save Changes' button. It may take an hour+ to
## activate.

## ¹See www.namecheap.com/security/whoisguard.aspx

=======II. End=======



===================================================
   III. Installing Putty On Your Windows Machine
===================================================

## It is best to use the Putty terminal program to access and work with
## your DigitalOcean VPS. The terminal on the DigitalOcean website is
## sluggish and the window cannot be scrolled.

## 1. Start the Putty program.
## 2. Type in the DigitalOcean IP address you were issued during sign up
##    into the 'Host Name (or IP address)' box.
## 3. Port number should be 22.
## 4. Enter the 'name of your Droplet'¹ in the 'Saved Sessions' box.
## 5. Under Connection/Data, type root into the Auto-login username box.
## 6. Under Session, click the Save button.

## To login to your VPS, double click on ¹'name of your Droplet'.

=======III. End=======



=========================================
   IV. Installing Postfix
=========================================


>> A. When installing Postfix from /root, any other mail server already
##    installed will most likely be automatically un-installed.

sudo apt-get update
sudo apt-get install postfix

>> B. Entering requested parameters:
##    1. Choose the 'Internet site' option (using the Up/Down keys - it
##       will probably already be selected in red). Tab to OK.
##    2. Replace the content that comes up in the 'System mail name'
##       (could be anything) with the FQDN that you plan to or
##       have already purchased (example as: 'xyz.net').
##    3. Postfix will then finish installing and will start itself.
##       Postfix is fairly good at setting itself up, but it will be
##       necessary to make further changes.

>> C. In the /etc/postfix/main.cf file:
##    1. The myhostname line must be changed to (whatever name you gave
##       your MX record):

myhostname = mail.yourFQDN

##    2. The mydestination line must look like this:

mydestination = yourFQDN, localhost, localhost.localdomain

##    3. If you are going to use a name like 'mixmaster.yourFQDN',
##       then add that into the mydestination line:

mydestination = yourFQDN, mixmaster.yourFQDN, localhost, localhost.localdomain

##    4. Place these lines just above the 'myhostname = ' line. The
##       indented continuation lines are required: Postfix joins a line
##       that begins with whitespace onto the value above it:

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    permit_mynetworks

##    5. See that the 'mynetworks =' and 'inet_interfaces =' lines are
##       set as shown below. Everything listed in mynetworks is trusted
##       to relay through this server, so never add anything wider than
##       your own addresses. (Postfix's own default is the loopback
##       network 127.0.0.0/8; the 0.0.0.0/8 entry used here is harmless
##       because that block never appears as a real source address, but
##       127.0.0.0/8 is the conventional choice if anything on the box
##       submits mail over SMTP to localhost.)

mynetworks = 0.0.0.0/8 Your-VPS-IP-Address-here
inet_interfaces = all

##       The mynetworks line should look something like this (the
##       address below is a documentation placeholder; use your own):
##       mynetworks = 0.0.0.0/8 203.0.113.10
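##    The script below is an added example, not code from this guide's
##    author or from the Postfix project. It reads a main.cf, joins
##    Postfix's whitespace-continuation lines the way postconf(1) does,
##    and reports whether the relay policy set in step 4 can be abused as
##    an open relay. On the live server 'postconf -n
##    smtpd_relay_restrictions' answers the same question; this version
##    runs offline against a backup copy of main.cf (section X suggests
##    keeping one). Assumptions: Postfix 2.10 or later (Debian 8 ships
##    2.11), so an smtpd_relay_restrictions that is absent from the file
##    gets the built-in default, while one that is explicitly empty hands
##    relay control to smtpd_recipient_restrictions, as Postfix documents.
##    The function and file names are the example's own.

```bash
#!/bin/sh
# postfix_relay_check.sh -- added example, not part of Postfix or this guide.
# Usage: ./postfix_relay_check.sh /etc/postfix/main.cf
#   exit 0: relay policy rejects mail for domains we are not responsible for
#   exit 1: relay policy can be abused as an open relay (or is undeterminable)

# postconf_get FILE PARAM
# Print PARAM's value from FILE, joining continuation lines (lines that
# start with whitespace) and letting a later assignment override an earlier
# one, as Postfix does.  Returns 1 and prints nothing when the parameter is
# not set in the file at all, so callers can tell "absent" from "set to an
# empty value".  Simplification: a blank line or a column-one comment ends
# the logical line.
postconf_get() {
    awk -v want="$2" '
        /^#/     { cur = ""; next }                          # comment line
        /^[ \t]/ { if (cur == want) val = val " " $0; next } # continuation
        /^[A-Za-z0-9_]+[ \t]*=/ {
            cur = $0; sub(/[ \t]*=.*/, "", cur)              # parameter name
            if (cur == want) {
                seen = 1
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)      # text after "="
            }
            next
        }
        { cur = "" }                                         # blank/other line
        END {
            if (!seen) exit 1
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            print val
        }' "$1"
}

# relay_policy_ok FILE
# 0 if the effective relay restriction list reaches reject_unauth_destination
# (or defer_unauth_destination) before any unconditional "permit", 1 otherwise.
relay_policy_ok() {
    if _relay=$(postconf_get "$1" smtpd_relay_restrictions); then
        # Explicitly empty: Postfix leaves relay control to
        # smtpd_recipient_restrictions alone.
        if [ -z "$_relay" ]; then
            _relay=$(postconf_get "$1" smtpd_recipient_restrictions) || _relay=""
        fi
    else
        # Not in main.cf: assume the Postfix >= 2.10 built-in default
        # (assumption: Debian 8's Postfix 2.11).
        _relay="permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
    fi
    # one restriction per line, then walk the list in order
    printf '%s\n' "$_relay" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | awk '
        $0 == "reject_unauth_destination" || $0 == "defer_unauth_destination" { ok = 1; exit }
        $0 == "permit" { exit }           # everything after a bare permit is unreachable
        END { exit ok ? 0 : 1 }'
}

if [ "$#" -gt 0 ]; then
    if relay_policy_ok "$1"; then
        echo "$1: relay policy rejects unauthorized destinations"
    else
        echo "$1: WARNING - relay policy does not reject unauthorized destinations" >&2
        exit 1
    fi
fi
```

##    The guide's own lists pass: smtpd_relay_restrictions ends in
##    reject_unauth_destination, so it does not matter that
##    smtpd_recipient_restrictions ends in permit_mynetworks. A list such
##    as 'permit_mynetworks, permit' fails, as does an explicitly empty
##    smtpd_relay_restrictions paired with a recipient list that never
##    rejects.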

>> D. Any email user name you intend to allow Postfix to service must
##    have the user email name placed into the '/etc/aliases' file. Add
##    these to the bottom of the /etc/aliases file:

abuse: remopmail
admin: remopmail
mix: mix

##    You can put in a valid email address in the abuse and admin lines
##    to have that mail forwarded to another email address in addition
##    to being sent to the user remopmail:

abuse: remopmail,AnyEmailAddress@yourISP.com
admin: remopmail,AnyEmailAddress@anywhere.com

##    The /etc/aliases file should end up looking like this:

#/etc/aliases
mailer-daemon: postmaster
postmaster: remopmail,me@myhomeisp.net
hostmaster: remopmail,me@myhomeisp.net
webmaster: remopmail,me@myhomeisp.net
admin: remopmail,me@myhomeisp.net
abuse: remopmail,me@myhomeisp.net
mix: mix

>> E. Due to the change made in C. 1., you are going to have to
##    add another user, otherwise mail that used to come into a
##    name pointing at root will simply disappear. Do not use
##    user 'mix' for this. Execute the adduser line below.
##    (You can use something other than 'remopmail' as the user
##    name. Be sure it is also changed in the /etc/aliases file.)

adduser remopmail

>> F. Any time you make changes to Postfix files, you have to execute
##    the following commands. (If Postfix says it is not running,
##    then execute this command:
sudo service postfix restart
##    and then execute the commands below again. 'postfix check' will
##    report syntax errors in main.cf before you reload.)

sudo postalias /etc/aliases && sudo postfix reload

>> G. Note: After installing the remaining sections in this tutorial,
##          see Appendix A. on hardening the Postfix SMTP.

=======IV. End=======



===========================
   V. Installing OpenSSL
===========================

>> A. Be sure to be in '/root' to install the following.

>> B. First install some packages required by OpenSSL and Mixmaster.

sudo apt-get update
sudo apt-get install build-essential libpcre3 libpcre3-dev wget zlib1g-dev libncurses5-dev curl perl dc bc bison libssl-dev libbison-dev ssl-cert haveged

     Note: On Debian 8.1+, you may also have to install sudo, gcc, and
     make. apt-get simply skips any package that is already installed,
     so there is no need to check first. You are logged in as root, so
     drop the 'sudo' prefix if sudo itself is not installed yet:

sudo apt-get install sudo gcc make

>> C. Now download OpenSSL from the source site
##    (https://www.openssl.org/source/). Do NOT take the [LATEST]
##    version at the top of the list: Mixmaster will not build against
##    the OpenSSL 1.1.n series. Use the last 1.0.1 release,
##    openssl-1.0.1u.tar.gz; if openssl.org has moved it to its old
##    releases area, a mirror such as http://ftp.nluug.nl/security/openssl/
##    still carries it.
##    Caveats: OpenSSL 1.0.1 reached end of life in December 2016 and
##    gets no security fixes, so keep the apt-supplied OpenSSL for
##    Postfix and sshd. This source build installs under /usr/local/ssl
##    by default and does not replace the system libraries. Do not
##    disable certificate checking in wget; openssl.org serves a valid
##    certificate, and the .sha256 file published next to each tarball
##    lets you verify the download with sha256sum before building it.

wget https://www.openssl.org/source/openssl-1.0.1u.tar.gz

>> D. Extract the tarball.

tar xvf openssl-1.0.1u.tar.gz

>> E. Build the distribution (ignore 'make test' errors):

cd openssl-1.0.1u
./config
make
make test
sudo make install

>> F. Take back some space on your VPS by removing the
##    tarball and install files:

cd
rm openssl-1.0.1u.tar.gz
rm -rf openssl-1.0.1u

=======V. End=======



==============================
   VI. Installing Mixmaster
==============================


>> A. Download and install in /root the most current Mixmaster remailer
##    package from the website. Check the webpage to determine the most
##    current download: http://www.zen19351.zen.co.uk/mixmaster31:
##    (The site is plain http, so nothing authenticates the package in
##    transit; if the site publishes a checksum or signature for the
##    .deb, verify it before installing.)

cd
wget http://www.zen19351.zen.co.uk/mixmaster31/debian84_mixmaster_3.1-1_amd64.deb

>> B. Install the package (installs quickly). If dpkg stops with unmet
##    dependencies, 'apt-get -f install' pulls them in and finishes the
##    installation:

dpkg -i debian84_mixmaster_3.1-1_amd64.deb

>> C. Take back some space on your VPS by removing the .deb file:

rm debian84_mixmaster_3.1-1_amd64.deb

>> D. Make a list of where the mixmaster files are located (updatedb
##    and locate come from the mlocate package; install it if missing):

sudo updatedb
locate -i mixmaster

=======VI. End=======



============================================
   VII. Setting Up Mixmaster's Parameters
============================================

>> A. Change the /var/mixmaster/mix.cfg file per 1., 2., and 3. below.
##    Note: The parameters in this file are sensitive to inappropriate
##    and/or extra spaces. A tab must be between a parameter and its
##    value. A script will be run at the end of the following setup to
##    assure that there are no inappropriate spaces in the parameter lines.

##    1. Parameters that will need to be added to the mix.cfg file:
##
##        ALLPINGERSURL    https://raw.githubusercontent.com/remops/allpingers/master/allpingers.txt
##        KEYLIFETIME      42d
##        KEYOVERLAPPERIOD 12d
##        KEYGRACEPERIOD   5d

##    2. Parameters that will need to be changed:
##
##        MAILBOX       /etc/mbox
##        PASSPHRASE    <choose a good long one>
##        AUTOBLOCK     n
##        COMPLAINTS    admin@yourFQDN
##        REMAILERNAME  yourFQDN Anonymous Remailer
##        ANONNAME      The yourFQDN Anonymous Remailer
##        SIZELIMIT     100
##        NEWS          mail2news@m2n.mixmin.net
##        ORGANIZATION  Anonymous Posting Service
##        MID           y
##       Note: SIZELIMIT should be kept small (100) on a 500MB VPS.

##    3. Parameters that can be deleted:
##
##        CHAIN *,*,*,*

##    4. Best now go through the entire file to see that there are no
##       blank spaces between a parameter and its value (a parameter
##       is the 1st word in a line, the value follows). Again, they
##       must be separated by tab(s) only. Make sure that there are
##       no blank spaces past the end of any line also.

##       Invalid spaces testing script (execute on command line). The
##       'IFS= read -r' is required: a plain 'read' silently strips
##       leading and trailing spaces, which are exactly what we are
##       hunting for, and only lines that START with # are comments:

sed '/^ *#/d; /^ *$/d' /var/mixmaster/mix.cfg | while IFS= read -r line; do echo "$line"; echo "$line" | fold -1 | grep -c ' '; done

##       The results of executing the above line will print out each
##       parameter line with a number underneath. The number underneath
##       shows the number of spaces in the previous line. Example:

SENDMAIL        /usr/sbin/sendmail -t
1
MAILIN  /etc/Maildir/
0
REMAILERNAME    My Remailer
1
MIX             y
1
ORGANIZATION    Anonymous Posting Service
2

##       The SENDMAIL line shows 1 space. That is valid because
##       there is one space before the '-t'.
##       The MAILIN line shows no spaces. That is correct and
##       shows that the separation between the parameter and its value
##       is due to a tab.
##       The REMAILERNAME line shows 1 space. That is valid because
##       there is one space between 'My' and 'Remailer'.
##       The MIX line shows 1 space. That is invalid because
##       no spaces are allowed in a parameter/value line whose value is
##       a single word. The rogue space(s) could be hiding anywhere in
##       the line, including at the line's end.
##       The ORGANIZATION line shows 2 spaces. That is valid because
##       there are two spaces within 'Anonymous Posting Service'.
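##       Counting spaces still leaves you to judge each line by eye. The
##       script below is an added example (not part of the Mixmaster
##       package or of this guide) that applies the rules above directly:
##       it reports every non-comment line whose parameter and value are
##       separated by anything but tab(s), that carries trailing
##       whitespace, or that does not start with a parameter name. Spaces
##       inside a multi-word value are left alone. The script and function
##       names are the example's own; the sample lines in the usage note
##       are constructed.

```bash
#!/bin/sh
# mixcfg_check.sh -- added example, not part of the Mixmaster package or
# of this guide.  Flags every parameter line in a mix.cfg whose parameter
# and value are separated by anything other than tab(s), that carries
# trailing whitespace, or that does not begin with a parameter name.
# Exit status: 0 = clean, 1 = problems found.
# Usage: ./mixcfg_check.sh /var/mixmaster/mix.cfg

# mixcfg_bad_lines FILE
# Print "LINENO<TAB>REASON<TAB>LINE" for each offending line, nothing if
# the file is clean.  Comment lines (# in column one) and blank lines are
# ignored, the same filter the guide's one-liner applies.
mixcfg_bad_lines() {
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /[ \t]$/ {
            printf "%d\ttrailing whitespace\t%s\n", NR, $0
            next
        }
        {
            # parameter = leading run of [A-Z0-9_]; the separator that
            # follows must consist of tabs only (spaces in the value itself
            # are fine, e.g. "REMAILERNAME<tab>My Remailer")
            if (match($0, /^[A-Z0-9_]+/)) {
                param = substr($0, 1, RLENGTH)
                rest  = substr($0, RLENGTH + 1)
                if (match(rest, /^[ \t]+/)) {
                    sep = substr(rest, 1, RLENGTH)
                    if (index(sep, " ") > 0)
                        printf "%d\tspace instead of tab after %s\t%s\n", NR, param, $0
                    next
                }
            }
            printf "%d\tdoes not start with a parameter name\t%s\n", NR, $0
        }' "$1"
}

# mixcfg_check FILE: conventional exit status for scripts and cron, with
# the report sent to stderr.
mixcfg_check() {
    _report=$(mixcfg_bad_lines "$1")
    if [ -n "$_report" ]; then
        printf '%s\n' "$_report" >&2
        return 1
    fi
    return 0
}

if [ "$#" -gt 0 ]; then
    mixcfg_check "$1" && echo "$1: no stray spaces found"
fi
```

##       Given the constructed lines 'MIX y', 'PGP<tab>n ' and
##       '   NEWS<tab>mail2news@example.net', the script flags all three
##       with the reason and line number, while 'SENDMAIL<tab>/usr/sbin/sendmail -t'
##       and 'REMAILERNAME<tab>My Remailer' pass. Run it after every edit of
##       mix.cfg and before restarting the daemon.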


#---mix.cfg example file begin--------------------------------------#
## mix.cfg -- installed Sun May  5 21:52:04 UTC 2014
SENDMAIL        /usr/sbin/sendmail -t

# Where to store non-remailer messages (all messages deleted here):
MAILBOX         /etc/mbox
#MAILABUSE      mbox.abuse
#MAILBLOCK      mbox.block
#MAILUSAGE      mbox.usage
#MAILANON       mbox.anon
#MAILERROR      mbox.error
#MAILBOUNCE     mbox.bounce

REMAIL          y
MIDDLEMAN       y

PASSPHRASE      ?123?

ALLPINGERSURL https://raw.githubusercontent.com/remops/allpingers/master/allpingers.txt
BINFILTER       y
AUTOBLOCK       y
AUTOREPLY       n

ERRLOG          error.log
VERBOSE         1
KEYLIFETIME     42d
KEYOVERLAPPERIOD 12d
KEYGRACEPERIOD  5d

# Remailer name and addresses

REMAILERADDR    mix@yourFQDN
ANONADDR        mix@yourFQDN
COMPLAINTS      abuse@yourFQDN

SHORTNAME       [can be yourFQDN minus the TLD (.net) (lowercase only - length 10 or less)]
REMAILERNAME    yourFQDN Anonymous Remailer
ANONNAME        The [yourFQDN minus the TLD (.net)] Anonymous Remailer

# Supported formats:
MIX             y
PGP             n
UNENCRYPTED     n

# Maximum message size in kB (0 for no limit):
# (Note: Due to the small size of the VPS, this probably should be limited.)
SIZELIMIT       100

# Usenet news:
NEWS    mail2news@m2n.mixmin.net
ORGANIZATION    Anonymous Posting Service
MID     y

# Remailing strategy:
SENDPOOLTIME    5m
POOLSIZE        20
RATE            65
INDUMMYP        10
OUTDUMMYP       90

IDEXP           7d
PACKETEXP       7d
#---mix.cfg example file end----------------------------------------#

>> B. Stats are updated automatically daily, but starting out we will
##    do this manually before starting mixmaster. Type this on the
##    command line:

/usr/bin/mixmaster-getstats

>> C. Now reboot your machine and mixmaster will automatically start
##    if everything is ok. Do a 'ps -ef' at the command line to see
##    if it is running. It should appear as:

mix        626     1  0 21:43 ?        00:00:00 /usr/bin/mixmaster -D

>> D. Additional mixmaster commands:

1. Start:   su - mix
            mixmaster -D
            exit

2. Start:   service mixmaster start

3. Start:   systemctl start mixmaster

4. Stop:    service mixmaster stop

5. Stop:    systemctl stop mixmaster

>> E. Note: If mixmaster hangs when doing step B. or you continuously
##    see one or more 'mixmaster -RM' after doing a 'ps -ef', the
##    daemon is most likely blocked reading /dev/random on a VPS that
##    gathers little entropy. Check with
##    'cat /proc/sys/kernel/random/entropy_avail' and make sure the
##    haveged daemon installed in section V is running; that is the
##    persistent fix. The workaround below points /dev/random at
##    /dev/urandom instead. On Debian 8 /dev is a devtmpfs that is
##    recreated at boot, so the symlink only lasts until the next
##    reboot; restart mixmaster afterwards rather than rebooting:

cd /dev/
mv random randomOLD
ln -sfv urandom /dev/random


=======VII. End=======



===========================================
   VIII. Testing/Announcing the Remailer
===========================================


## 1. Test your remailer by sending an empty request for the
##    keys to mix@yourFQDN with a subject of remailer-key.
##    You should receive back three public keys, an RSA PGP key,
##    a DSA PGP key, and the Mixmaster key. Also test your remailer
##    by sending additional empty requests to mix@yourFQDN
##    with subjects of remailer-conf, remailer-stats,
##    remailer-help, and remailer-adminkey. After receiving the
##    replies, if you added an 'EXTFLAGS testing' line to
##    /var/mixmaster/mix.cfg while testing, stop mixmaster, remove
##    that line, and start mixmaster again.
## 2. Announce your remailer by posting a copy of the 3 public keys
##    you received above to the alt.privacy.anon-server news group.
##    Make the Subject something like 'Announcing New Remailer'.
## 3. You can also join the remop's list at lists.mixmin.net and
##    announce your remailer there.
## 4. It will take several days and possibly weeks before your
##    remailer will begin to show up in the pingers stats. Look for
##    your remailer name in http://www.mixmin.net/echolot/mlist.txt.
##    Pingers list: https://raw.githubusercontent.com/remops/allpingers/master/allpingers.txt.

=======VIII. End=======



=============================================
   IX. Installing The Unbound DNS Resolver
=============================================


## The Unbound DNS Resolver is installed so the VPS stops using the
## Droplet's default resolvers (Google's) and instead resolves and
## DNSSEC-validates locally. Execute these instructions (the chattr +i
## keeps the DHCP client and resolvconf from overwriting resolv.conf
## again):

cd
apt-get update
apt-get install unbound
cat /etc/resolv.conf > /etc/resolv.conf.bkp
echo "nameserver 127.0.0.1" > /etc/resolv.conf
chattr +i /etc/resolv.conf

## In /etc/unbound/unbound.conf, replace all lines with the following.
## Two things to know before you paste: 'forward-zone:' is its own
## top-level clause, not part of 'server:', so it is not indented; and
## 'log-queries: yes' writes every name this box resolves, which for a
## remailer means every destination it delivers to, into the log. Turn
## it off once you have finished debugging. With 'use-syslog: yes' the
## 'logfile:' setting is ignored and the log goes to syslog.

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    logfile: "/etc/unbound/unbound.log"   # ignored while use-syslog is yes
    verbosity: 1
    target-fetch-policy: "3 2 1 0 0"
    use-syslog: yes
    log-queries: yes      # records every lookup; set to no on a live remailer

forward-zone:
    name: "."
    forward-addr: 8.26.56.26       # Comodo
    forward-addr: 8.20.247.20      # Comodo
    forward-addr: 8.8.8.8          # google as last resort

## In /etc/network/interfaces, change the dns addresses in the
## 'dns-nameservers' line to 127.0.0.1

## Last, check the file with 'unbound-checkconf', then reload unbound
## and the network:

sudo /etc/init.d/unbound restart
sudo /etc/init.d/networking reload

=======IX. End=======



===================================================
   X. Installing WinSCP On Your Windows Machine
===================================================

>> A. Windows users can use the WinSCP program to upload files to the
##    DigitalOcean VPS.
##    1. Start the WinSCP program.
##    2. In the 'Session/Stored Sessions' tree item, click the New
##       button.
##    3. Type your DigitalOcean issued IP address into the 'Host name'
##       box.
##    4. Port number should be 22.
##    5. User name should be root.
##    6. If you are using SSH key authentication, go to the
##       'Session/SSH/Authentication' tree item and un-check 'Respond
##       with password to the first prompt'.
##    7. Go to the 'Session' tree item and click the Save... button.
##    8. 'Save session as': DigitalOcean.

>> B. To login to your server, click on the 'Session/Stored Sessions'
##    tree item and double click on 'DigitalOcean'.

>> C. It would probably be a good idea to backup these files to your
##    local machine:
##    /etc/aliases
##    /etc/postfix/main.cf
##    /var/mixmaster

=======X. End=======



===================
   XI. Appendix
===================

>> A. The Logjam attack allows a man-in-the-middle attacker to downgrade
##    vulnerable TLS connections to 512-bit export-grade cryptography
##    (see: weakdh.org). It is therefore important to harden Postfix
##    SMTP against these attacks.

##    How to harden Postfix SMTP:
##    1. From root, generate a 2048-bit DH parameter file (this takes
##       a few minutes on a small VPS):

openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048

##    2. Postfix reads the file when its daemons start, so any
##       root-readable path works; /etc/postfix is simply the
##       conventional place and keeps it with the rest of the mail
##       configuration:

cp /etc/ssl/certs/dhparams.pem /etc/postfix/dh2048.pem

##    3. Place the following line in the '# TLS parameters' section in
##       /etc/postfix/main.cf. Despite the '1024' in its name, this is
##       the parameter Postfix uses for ordinary (non-export) DH key
##       exchange, and a 2048-bit file is accepted. The Debian package
##       already enables opportunistic TLS in that section using the
##       ssl-cert 'snakeoil' certificate; this line only replaces the
##       DH group:

smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

##    4. Restart Postfix, then confirm the setting took effect with
##       'postconf smtpd_tls_dh1024_param_file' and the file size with
##       'openssl dhparam -in /etc/postfix/dh2048.pem -text -noout | head -1':

sudo /etc/init.d/postfix restart

>> B. Suggestion: I stopped a service on the VPS that is no longer
##    actively maintained. It is a CPU hog and does basically nothing
##    for your Linux experience. Linux runs perfectly ok without it.
##    You can't just kill it because it will just restart itself, so
##    you will have to drive a wooden stake through its heart also.

##    How to permanently kill ConsoleKit:
##    1. In /root, open the following file in a text editor.

nano /usr/share/dbus-1/system-services/org.freedesktop.ConsoleKit.service

##    2. Comment out all lines. This is what it should look like:

#[D-BUS Service]
#Name=org.freedesktop.ConsoleKit
#Exec=/usr/sbin/console-kit-daemon --no-daemon
#User=root
#SystemdService=console-kit-daemon.service


##    3. Now find the running daemon's PID and kill it (with the
##       activation file commented out, D-Bus will not respawn it):

ps -elf | grep console-kit
kill <ConsoleKit's pid>


>> C. To make sure mixmaster is running, you can implement a script
##    that checks it every hour and notifies you when it is down, so
##    your remailer does not silently back up traffic while it is
##    not running.
##    1. From /root, create a new file called mixcheck.sh in
##       the /etc/ directory:

cd /etc/
nano mixcheck.sh

##    2. Place the following script therein:

#!/bin/bash
# mixcheck.sh - mail the operator if the mixmaster daemon is absent on
# five consecutive checks, one minute apart (survives a brief restart).

notify="you@yourisp.net"     # change to your own address

i=5
while [ "$i" -gt 0 ]
do
    # pgrep -x matches the process name exactly, so this script's own
    # name and the check itself can never produce a false "running"
    if pgrep -x mixmaster > /dev/null
    then
        exit 0               # daemon is running, nothing to report
    fi
    sleep 1m
    i=$((i - 1))
done

echo "Mixmaster not running on $(hostname) as of $(date)" | mail -s "Mixmaster not running!" "$notify"

##    3. Save the script and change file attributes. (The 'mail'
##       command the script uses comes from the bsd-mailx package;
##       install it if 'mail' is not found.)

chmod 755 mixcheck.sh

##    4. In /root, create a cron entry to execute the script hourly:

cd
crontab -e

##    5. Place these lines at the bottom of the cron file ('0' in the
##       minute field runs it at the top of every hour; '*/60' means
##       the same but is harder to read):

#Every 60 minutes check if mixmaster running
0 * * * * /etc/mixcheck.sh

>> D. It would be in your best interest to make a backup of your
##    VPS. Each VPS service will have a different way of doing
##    this. The procedure on DigitalOcean is as follows:
##    1. Log into your VPS with your terminal and stop mixmaster:

killall mixmaster

##    2. Poweroff your droplet from the terminal command line:

shutdown -h now

##    3. Log in to the DigitalOcean website. Go to your droplet's
##       page and click on Snapshots. Then click on the 'Take a
##       Snapshot' line and wait for the Snapshot to end. Your VPS
##       will automatically start after the Snapshot is finished.

##    4. Log into your VPS with your terminal. Log into /root
##       and start mixmaster:

service mixmaster start

>> E. It is good practice to change the server's SSH port. Port 22
##    is the default SSH port and this port will be continuously
##    attacked by hackers attempting to break into your server.
##    Changing this port number completely eliminated these attacks
##    on this server. Only one hacker later did a port scan to
##    discover which port was being used for SSH and he was easily
##    discovered and IP blocked. (A port scan finds the new port in
##    seconds, so treat this as a way to cut log noise, not as access
##    control. Once your SSH key works, also set
##    'PasswordAuthentication no' in the same file so the login cannot
##    be brute-forced on any port.)

##    1. Open /etc/ssh/sshd_config

nano /etc/ssh/sshd_config


##    2. Change the 'Port 22' line to 'Port <number-of-choice>'. The
##       syntax is keyword, space, value, with no colon. Ports
##       49152-65535 are the dynamic range and are a reasonable choice:

Port 49152


##    3. Check the file for mistakes with 'sshd -t' (it prints nothing
##       when the configuration is valid), then restart SSH:

/etc/init.d/ssh restart


##    4. It is now important to test to see if you are able to
##       connect to your server on this new port BEFORE you
##       disconnect the current terminal you have been using to make
##       these changes. Start another Putty terminal. Single click
##       on the 'name of your Droplet' (see III. #4), click the
##       'Load' button, change the 'Port' to the new port <number-of-choice>
##       you made above, and click the 'Open' button. If the new
##       terminal window connects and opens correctly, then click
##       the 'Save' button. Putty will connect on this new port
##       from now on. You can now close the old terminal window.

##    5. Last, you need to change the port number in WinSCP if
##       you are going to use that program (see X. A. #4).

>> F. To drop malformed TCP packets and throttle SYN floods and
##    connection bursts, place these in iptables. They do not open or
##    close any service port, so SSH and SMTP stay reachable. The
##    syn_flood chain must be created before anything jumps to it, and
##    the two '-m recent' rules drop any source that opens more than 10
##    new TCP connections in 30 seconds on ANY port, port 25 included.
##    Plain iptables rules are lost at reboot: re-run this list from a
##    boot script or install the iptables-persistent package.

iptables -N syn_flood
iptables -A syn_flood -m limit --limit 1/sec --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m recent --update --seconds 30 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -f -m comment --comment "Fragments packets" -j DROP
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m comment --comment "NEW incoming tcp = SYN?" -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "NULL packets" -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood

=======XI. End=======

=======================
=======GUIDE End=======
=======================