beaglebone.txt 89KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889
  1. #+TITLE: FreedomBone
  2. #+AUTHOR: Bob Mottram
  3. #+EMAIL: bob@robotics.uk.to
  4. #+KEYWORDS: freedombox, debian, beaglebone, friendica, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber, chat
  5. #+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
  6. #+BEGIN_CENTER
  7. *How to turn the Beaglebone Black into a FreedomBox-like personal communications server*
  8. #+END_CENTER
  9. #+BEGIN_CENTER
  10. [[[[file:images/freedombone.jpg]]]]
  11. #+END_CENTER
  12. #+BEGIN_CENTER
  13. Copyright (C) 2014 Bob Mottram
  14. Permission is granted to copy, distribute and/or modify this document under the terms of the [[https://gnu.org/licenses/fdl.html][GNU Free Documentation License]], Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
  15. Source for this web site in [[https://en.wikipedia.org/wiki/Org-mode][Emacs org-mode]] format is available [[/beaglebone.txt][here]]. Comments or patches may be submitted via [[https://github.com/fuzzgun/freedombone][Github]].
  16. #+END_CENTER
  17. * Introduction
  18. #+BEGIN_VERSE
  19. /If you look at it from an engineering perspective, an iterative perspective, it’s clear that you have to try something rather than do nothing./
  20. -- Edward J. Snowden
  21. #+END_VERSE
  22. ** What is FreedomBone?
  23. Today many of us rely upon "free" services in the cloud, such as Gmail, Facebook, Google+ and so on. It might appear that these services are indispensible infrastructure of the modern internet, but actually they're not strictly needed and the amount of value which they deliver to the average internet user is very marginal. It is possible to be a citizen of the internet and yet not use those things - to disintermediate the most well known companies and cut out their prurient or merely cringeworthy business models.
  24. FreedomBone is a personal home communications server based upon the BeagleBone Black hardware. It's small and cheap and will allow you to use email, have your own web site and do social networking in a federated way without needing to rely upon any intermediary companies other than your ISP.
  25. ** Do I need any prior knowledge?
  26. In these instructions only a minimal level of familiarity with Linux is assumed. It's assumed that you know the basics of the /nano/ and /emacs/ editors, but it would be simple to also use other editors if you prefer.
  27. ** Why should I do this?
  28. You should consider doing this if you are a freedom-oriented sort of person and you want to maintain sovereignty over your information. Laws in many places in the world consider you to have relinquished any property rights over data which you put onto a server not owned by youself (i.e. owned by a third party, such as Google or Facebook).
  29. If you don't like the idea of having all your communications intercepted and investigated by the Surveillance State then you should consider running a FreedomBone. If your profession involves maintaining confidentiality as an essential feature, such as legal or medical services, counselling, teaching or any sort of activism then you should consider running a FreedomBone.
  30. As Eben Moglen noted in his now famous [[https://www.youtube.com/watch?v=QOEMv0S8AcA]["Freedom in The Cloud"]] talk the simple fact of you keeping your own internet logs (found in the /var/log directory) puts a certain amount of power in your hands and takes it away from parties who would otherwise sell that information without your knowledge or permission to advertisers or other shady outfits who may not have your best interests at heart.
  31. ** After it's installed will it need a lot of maintenance?
  32. So long as the hardware is ok the amount of maintenance needed should be very small. Unlike on Windows based systems you don't need to defragment drives or mess about with anti-virus programs. I ran a similar Sheevaplug system between 2010 and 2013 with only occasional software updates or reboots, and uptime was probably 99% or better.
  33. ** Is it secure?
  34. Nothing is totally secure or infallible. You could have the most secure technology and yet still use easy to guess passwords. This system will not defend you from an attacker who is actively trying to block or corrupt your communications, but I assume that doesn't apply in the majority of cases. Another thing to be aware of is that running a FreedomBone could make you more vulnerable to traffic analysis, since the server is associated with your home address and isn't a giant aggregation of users somewhere in the cloud. You need to weigh this alongside the additional legal protection which owning the server and having it in your own home gives you.
  35. FreedomBone should be far more secure than using popular cloud-based services which have spying built into them as a core feature (although not one which is typically advertised), but it is not necessarily an impenetrable information fortress.
  36. ** Will running a server all the time affect my electricity bill?
  37. Hardly at all. The BeagleBone Black consumes very little power - less than 5W. It would even be potentially possible to run it from a solar panel.
  38. * Inventory
  39. #+BEGIN_VERSE
  40. /You can’t help someone just by making a wish to do so, you have to take action./
  41. -- Dalai Lama
  42. #+END_VERSE
  43. These instructions assume that you have the following ingredients.
  44. ** A BeagleBone Black (BBB)
  45. It should come with a suitable USB cable for the initial setup. To make things look nicer you may also want to get a case for it.
  46. ** An internet connection
  47. It is assumed that the most common situation is via a router installed at home. The router should have ethernet sockets on it and a web interface which allows you to forward ports (sometimes under the "firewall" settings), so that you can forward ssh and web traffic to the BBB.
  48. ** microSD card
  49. To use as the main storage for the BBB. 16 or 32GB is fine, and can be obtained quite cheaply. Try to use Sandisk (class 10 or better) where possible and avoid cheaper cards which often have poor performance.
  50. You may also need an SD card adaptor or USB card reader in order to flash the operating image to the microSD card. For instance, many laptops have an SD card slot but not a microSD slot.
  51. ** 5V/1A power supply
  52. With a plug suitable for powering the BBB. If you have some device with a USB socket nearby you may also be able to just use that for electrical power. However, powering from the USB cable alone might result in crashes when the system is under load, depending upon how many milliamps can be supplied by the USB hub/socket. If the system crashes due to running out of power then you will see that the LEDs on the BBB are continuously on, rather than flashing.
  53. ** An ethernet patch cable
  54. Just an ordinary cat5 or cat6 cable that you can get from most electrical/computer stores.
  55. * Installing Debian onto the microSD card
  56. The Debian Linux OS will be installed onto a small flash drive. It's a good idea to do this rather than using the internal flash, because it will allow you to easily create backups of the entire system if necessary using the dd command.
  57. Download the image.
  58. #+BEGIN_SRC: bash
  59. wget http://freedombone.uk.to/debian-7.2-console-armhf-2013-11-15.tar.xz
  60. #+END_SRC
  61. Verify it.
  62. #+BEGIN_SRC: bash
  63. md5sum debian-7.2-console-armhf-2013-11-15.tar.xz
  64. 0a448f55d14f64c5a7eb3d7cb2c54185 debian-7.2-console-armhf-2013-11-15.tar.xz
  65. #+END_SRC
  66. Uncompress it.
  67. #+BEGIN_SRC: bash
  68. tar xJf debian-7.2-console-armhf-2013-11-15.tar.xz
  69. cd debian-7.2-console-armhf-2013-11-15
  70. #+END_SRC
  71. Create the disk image, where sdX is the name of the flash drive (probably it will be sdb or sdc).
  72. #+BEGIN_SRC: bash
  73. sudo apt-get install u-boot-tools
  74. sudo ./setup_sdcard.sh --mmc /dev/sdX --uboot bone --swap-file 1024
  75. #+END_SRC
  76. Once completed then safely remove the microSD card via your file manager (usually right click and "safely remove" or "eject").
  77. * Setup
  78. #+BEGIN_VERSE
  79. /Build the tools for a future you would want to live in/
  80. -- Kurt Opsahl
  81. #+END_VERSE
  82. ** Things to be aware of
  83. *** A note on ssh
  84. When using ssh to log into the BBB if you get warnings of the type "/the ECDSA host key for domain differs from the key for the IP address/" then run the command:
  85. #+BEGIN_SRC: bash
  86. ssh-keygen -R <IP address>
  87. #+END_SRC
  88. *** Passwords
  89. It's highly recommended that you use a password manager, such as KeepassX, and make all your passwords long random strings. It's also a good idea to use different passwords for different pieces of software, instead of one or two passwords for the whole system. That compartmentalises the security such that even if an attacker gains access to one system they can't necessarily get access to others.
  90. ** Initial
  91. Plug the microSD card into the BBB and Connect the USB cable to your laptop/desktop, then login via ssh.
  92. #+BEGIN_SRC: bash
  93. ssh debian@192.168.7.2
  94. #+END_SRC
  95. The default password is /temppwd/
  96. Then log in as root:
  97. #+BEGIN_SRC: bash
  98. su
  99. #+END_SRC
  100. The default password is /root/
  101. The first thing to do is to change the passwords from their defaults.
  102. #+BEGIN_SRC: bash
  103. passwd
  104. #+END_SRC
  105. Then you will need to change the network interfaces. The main task here is to comment out the stuff related to usb0. That will enable you to plug the BBB into the back of a router and for it to be detectable on the network.
  106. #+BEGIN_SRC: bash
  107. nano /etc/network/interfaces
  108. #+END_SRC
  109. The resulting interfaces file should look like this:
  110. #+BEGIN_SRC: bash
  111. # This file describes the network interfaces available on your system
  112. # and how to activate them. For more information, see interfaces(5).
  113. # The loopback network interface
  114. auto lo
  115. iface lo inet loopback
  116. # The primary network interface
  117. allow-hotplug eth0
  118. iface eth0 inet static
  119. address 192.168.1.60
  120. netmask 255.255.255.0
  121. gateway 192.168.1.254
  122. dns-nameservers 213.73.91.35 85.214.20.141
  123. # Example to keep MAC address between reboots
  124. #hwaddress ether DA:AD:CE:EF:CA:FE
  125. # WiFi Example
  126. #auto wlan0
  127. #iface wlan0 inet dhcp
  128. # wpa-ssid "essid"
  129. # wpa-psk "password"
  130. # Ethernet/RNDIS gadget (g_ether)
  131. # ... or on host side, usbnet and random hwaddr
  132. # Note on some boards, usb0 is automaticly setup with an init script
  133. # in that case, to completely disable remove file [run_boot-scripts] from the boot partition
  134. #iface usb0 inet static
  135. # address 192.168.7.2
  136. # netmask 255.255.255.0
  137. # network 192.168.7.0
  138. # gateway 192.168.7.1
  139. #+END_SRC
  140. CTRL-O followed by ENTER to save, then CTRL-X to exit.
  141. In the above example "address 192.168.1.60" is a static IP address for the BBB, which will allow incoming network traffic to be directed from the router in a reliable manner. It should be outside of the DHCP range set up on the router.
  142. "gateway 192.168.1.254" should be the IP address of the router.
  143. Note that setting the DNS servers with dns-nameservers is important because some home routers do not allow you to change the DNS settings.
  144. Edit resolv.conf.
  145. #+BEGIN_SRC: bash
  146. nano /etc/resolv.conf
  147. #+END_SRC
  148. It should look something like the following:
  149. #+BEGIN_SRC: bash
  150. domain localdomain
  151. search localdomain
  152. nameserver 213.73.91.35
  153. nameserver 85.214.20.141
  154. #+END_SRC
  155. CTRL-O followed by ENTER to save, then CTRL-X to exit.
  156. Now disconnect the BBB from your computer and plug it into the router. You'll need an ethernet patch cable and you may also need a 5V/1A power supply for the BBB.
  157. If you go to the web administration screen for your internet router (often it's on 192.168.2.1 or 192.168.1.254) then after a few minutes you should see the BBB appear on the network. It's name will be "arm".
  158. ** Add a user
  159. Ssh back in to the BBB and login as root. In this example the BBB's IP address is 192.168.1.60.
  160. #+BEGIN_SRC: bash
  161. ssh-keygen -f "/home/myusername/.ssh/known_hosts" -R 192.168.1.60
  162. ssh debian@192.168.1.60
  163. su
  164. #+END_SRC
  165. Then make a new user. It's a bad idea to add users to the sudo group, because that then means that an attacker potentially only needs to know one password in order to get administrator access to the system. With no sudoers an attacker needs to know, or be able to obtain, two separate passwords to be able to really compromise the system.
  166. #+BEGIN_SRC: bash
  167. adduser myusername
  168. #+END_SRC
  169. Exit from the ssh login by typing "exit" a couple of times, then ssh back in as the new user. Make sure you use a difficult to guess password/phrase, or ideally a randomly generated password used together with a password manager such as KeepassX.
  170. Remove the default debian user.
  171. #+BEGIN_SRC: bash
  172. userdel -r debian
  173. #+END_SRC
  174. ** Text editor
  175. For an editor which is less erratic than vi when used within a remote console such as Terminator.
  176. #+BEGIN_SRC: bash
  177. apt-get update
  178. apt-get install emacs
  179. #+END_SRC
  180. ** Alter ssh configuration
  181. Altering the ssh configuration will make it a little more secure than the standard Debian settings.
  182. #+BEGIN_SRC: bash
  183. emacs /etc/ssh/sshd_config
  184. #+END_SRC
  185. Check the following values:
  186. #+BEGIN_SRC: bash
  187. PermitRootLogin no
  188. X11Forwarding no
  189. ServerKeyBits 4096
  190. Protocol 2
  191. PermitEmptyPasswords no
  192. StrictModes yes
  193. #+END_SRC
  194. Append the following:
  195. #+BEGIN_SRC: bash
  196. Ciphers aes256-ctr,aes192-ctr,aes128-ctr
  197. MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
  198. KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
  199. #+END_SRC
  200. CTRL-X CTRL-S to save, then CTRL-X CTRL-C to exit.
  201. #+BEGIN_SRC: bash
  202. service ssh restart
  203. #+END_SRC
  204. To test the new settings log out by typing "exit" a couple of times, then log back in again with:
  205. #+BEGIN_SRC: bash
  206. ssh -vvv myusername@192.168.1.60
  207. #+END_SRC
  208. and check that some number of bits are set within a 4096 bit sized key:
  209. #+BEGIN_SRC: bash
  210. debug2: bits set: */4096
  211. #+END_SRC
  212. ** Set the host name
  213. #+BEGIN_SRC: bash
  214. emacs /etc/hostname
  215. #+END_SRC
  216. CTRL-X CTRL-S to save, then CTRL-X CTRL-C to exit.
  217. also issue the command
  218. #+BEGIN_SRC: bash
  219. hostname /myhostname/
  220. #+END_SRC
  221. You may also need to assign the same hostname separately via your router's web interface.
  222. ** Install NTP
  223. To synchronise time.
  224. #+BEGIN_SRC: bash
  225. apt-get install ntp
  226. #+END_SRC
  227. ** Install fail2ban
  228. #+BEGIN_SRC: bash
  229. apt-get install fail2ban
  230. #+END_SRC
  231. ** Getting onto the web
  232. Create a subdomain on [[http://freedns.afraid.org][freeDNS]]. You may need to click on "/subdomains/" a couple of times. FreeDNS is preferred because it is one of the few domain name providers which supports genuinely free (as in beer) accounts. So if your budget is tiny or non-existent you can still participate as a first class citizen of the internet. If you do have money to spend there is also a premium option.
  233. Select "/dynamic DNS/" then click "/quick cron example/"
  234. An example would look like:
  235. #+BEGIN_SRC: bash
  236. 4,9,14,19,24,29,34,39,44,49,54,59 * * * * root sleep 29 ; wget -O - http://free\ dns.afraid.org/dynamic/update.php?ABCKDNRCLFHENSLKNFEGSBFLFF== >> /\ tmp/freedns_mysubdomain_us_to.log 2>&1 &
  237. #+END_SRC
  238. Edit /etc/crontab and append that to the end of the file.
  239. Via your router's firewall settings you should now open port 22 (secure shell). This will allow you to ssh into your BBB from any location - not just your own local network.
  240. ** install Email
  241. #+BEGIN_VERSE
  242. /If you knew what I know about email, you might not use it/
  243. -- Ladar Levison
  244. #+END_VERSE
  245. Email is not very secure, but its usefulness and ubiquity mean that it's likely to continue as a primary communications method for many years to come. You can encrypt the contents of email using PGP/GPG, but very few people do that and even for those that do the metadata (the From/To/CC/BCC) is always transmitted in the clear as a fundamental aspect of the protocol, allowing an attacker to easily construct detailed models of people's social network and life patterns even without knowing the content.
  246. Exim4 seems much easier to install and configure than Postfix.
  247. #+BEGIN_SRC: bash
  248. aptitude install exim4 sasl2-bin swaks libnet-ssleay-perl
  249. #+END_SRC
  250. You will be prompted to remove postfix. Say yes and yes again.
  251. #+BEGIN_SRC: bash
  252. dpkg-reconfigure exim4-config
  253. #+END_SRC
  254. Settings as follows:
  255. #+BEGIN_SRC: bash
  256. internet site
  257. System mail name: mydomainname.com
  258. IP addresses to listen on: blank
  259. Destinations: mydomainname.com
  260. Domains to relay mail: blank
  261. Smarthost Relay: 192.168.1.0/60 (the range of addresses on your LAN)
  262. Dial on demand = no
  263. Maildir format in home directory
  264. Split configuration = no
  265. Root and postmaster: root email
  266. #+END_SRC
  267. To test the installation:
  268. #+BEGIN_SRC: bash
  269. telnet 192.168.1.60 25
  270. ehlo xxx
  271. quit
  272. #+END_SRC
  273. #+BEGIN_SRC: bash
  274. emacs /etc/default/saslauthd
  275. #+END_SRC
  276. set START=yes then save and exit.
  277. #+BEGIN_SRC: bash
  278. /etc/init.d/saslauthd start
  279. emacs exim-gencert
  280. #+END_SRC
  281. #+BEGIN_SRC: bash
  282. #!/bin/sh -e
  283. if [ -n "$EX4DEBUG" ]; then
  284. echo "now debugging $0 $@"
  285. set -x
  286. fi
  287. DIR=/etc/exim4
  288. CERT=$DIR/exim.crt
  289. KEY=$DIR/exim.key
  290. # This exim binary was built with GnuTLS which does not support dhparams
  291. # from a file. See /usr/share/doc/exim4-base/README.Debian.gz
  292. #DH=$DIR/exim.dhparam
  293. if ! which openssl > /dev/null ;then
  294. echo "$0: openssl is not installed, exiting" 1>&2
  295. exit 1
  296. fi
  297. # valid for ten years
  298. DAYS=3650
  299. if [ "$1" != "--force" ] && [ -f $CERT ] && [ -f $KEY ]; then
  300. echo "[*] $CERT and $KEY exists!"
  301. echo " Use \"$0 --force\" to force generation!"
  302. exit 0
  303. fi
  304. if [ "$1" = "--force" ]; then
  305. shift
  306. fi
  307. #SSLEAY=/tmp/exim.ssleay.$$.cnf
  308. SSLEAY="$(tempfile -m600 -pexi)"
  309. cat > $SSLEAY <<EOM
  310. RANDFILE = $HOME/.rnd
  311. [ req ]
  312. default_bits = 4096
  313. default_keyfile = exim.key
  314. distinguished_name = req_distinguished_name
  315. [ req_distinguished_name ]
  316. countryName = Country Code (2 letters)
  317. countryName_default = GB
  318. countryName_min = 2
  319. countryName_max = 2
  320. stateOrProvinceName = State or Province Name (full name)
  321. localityName = Locality Name (eg, city)
  322. organizationName = Organization Name (eg, company; recommended)
  323. organizationName_max = 64
  324. organizationalUnitName = Organizational Unit Name (eg, section)
  325. organizationalUnitName_max = 64
  326. commonName = Server name (eg. ssl.domain.tld; required!!!)
  327. commonName_max = 64
  328. emailAddress = Email Address
  329. emailAddress_max = 40
  330. EOM
  331. echo "[*] Creating a self signed SSL certificate for Exim!"
  332. echo " This may be sufficient to establish encrypted connections but for"
  333. echo " secure identification you need to buy a real certificate!"
  334. echo " "
  335. echo " Please enter the hostname of your MTA at the Common Name (CN) prompt!"
  336. echo " "
  337. openssl req -config $SSLEAY -x509 -sha256 -newkey rsa:4096 -keyout $KEY -out $CERT -days $DAYS -nodes
  338. #see README.Debian.gz*# openssl dhparam -check -text -5 512 -out $DH
  339. rm -f $SSLEAY
  340. chown root:Debian-exim $KEY $CERT $DH
  341. chmod 640 $KEY $CERT $DH
  342. echo "[*] Done generating self signed certificates for exim!"
  343. echo " Refer to the documentation and example configuration files"
  344. echo " over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS"
  345. echo " support in your mail transfer agent."
  346. #+END_SRC
  347. Save and exit
  348. #+BEGIN_SRC: bash
  349. chmod +x exim-gencert
  350. ./exim-gencert
  351. #+END_SRC
  352. This will generate the certificate used for email authentication. You will be asked for various details, the most important of which is the server name, which should be your domain name.
  353. #+BEGIN_SRC: bash
  354. emacs /etc/exim4/exim4.conf.template
  355. #+END_SRC
  356. Append the following:
  357. #+BEGIN_SRC: bash
  358. login_saslauthd_server:
  359. driver = plaintext
  360. public_name = LOGIN
  361. server_prompts = "Username:: : Password::"
  362. # don't send system passwords over unencrypted connections
  363. server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
  364. server_set_id = $auth1
  365. .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  366. server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  367. .endif
  368. #+END_SRC
  369. Search for the line *.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME* and above it insert the line:
  370. #+BEGIN_SRC: bash
  371. MAIN_HARDCODE_PRIMARY_HOSTNAME = mydomainname.com
  372. #+END_SRC
  373. Save and exit.
  374. #+BEGIN_SRC: bash
  375. emacs /etc/exim4/exim4.conf.template
  376. #+END_SRC
  377. Add the line:
  378. #+BEGIN_SRC: bash
  379. MAIN_TLS_ENABLE = true
  380. #+END_SRC
  381. Save and exit.
  382. #+BEGIN_SRC: bash
  383. emacs /etc/default/exim4
  384. change SMTPLISTENEROPTIONS to:
  385. SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
  386. #+END_SRC
  387. save and exit
  388. #+BEGIN_SRC: bash
  389. emacs /etc/exim4/exim4.conf.template
  390. under the section "main/03_exim4-config_tlsoptions"
  391. Add the following:
  392. tls_on_connect_ports=465
  393. #+END_SRC
  394. save and exit
  395. #+BEGIN_SRC: bash
  396. adduser myusername sasl
  397. addgroup Debian-exim sasl
  398. /etc/init.d/exim4 restart
  399. mkdir /etc/skel/Maildir
  400. #+END_SRC
  401. ** Spam filtering
  402. #+BEGIN_SRC: bash
  403. apt-get install spamassassin exim4-daemon-heavy
  404. emacs /etc/default/spamassassin
  405. #+END_SRC
  406. Set ENABLED=1 then save and exit.
  407. #+BEGIN_SRC: bash
  408. emacs /etc/exim4/exim4.conf.template
  409. #+END_SRC
  410. uncomment or change according to your configuration
  411. #+BEGIN_SRC: bash
  412. # For spam scanning, there is a similar option that defines the interface to
  413. # SpamAssassin. You do not need to set this if you are using the default, which
  414. # is shown in this commented example. As for virus scanning, you must also
  415. # modify the acl_check_data access control list to enable spam scanning.
  416. spamd_address = 127.0.0.1 783
  417. #+END_SRC
  418. add spam header in the /acl_check_data/ section:
  419. #+BEGIN_SRC: bash
  420. ### acl/40_exim4-config_check_data
  421. #################################
  422. # This ACL is used after the contents of a message have been received. This
  423. # is the ACL in which you can test a message's headers or body, and in
  424. # particular, this is where you can invoke external virus or spam scanners.
  425. acl_check_data:
  426. ...
  427. ...
  428. ...
  429. # See the exim docs and the exim wiki for more suitable examples.
  430. #
  431. # warn
  432. # spam = Debian-exim:true
  433. # add_header = X-Spam_score: $spam_score\n\
  434. # X-Spam_score_int: $spam_score_int\n\
  435. # X-Spam_bar: $spam_bar\n\
  436. # X-Spam_report: $spam_report
  437. # put headers in all messages (no matter if spam or not)
  438. warn spam = nobody:true
  439. add_header = X-Spam-Score: $spam_score ($spam_bar)
  440. add_header = X-Spam-Report: $spam_report
  441. # add second subject line with *SPAM* marker when message
  442. # is over threshold
  443. warn spam = nobody
  444. add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:
  445. #+END_SRC
  446. Save and exit.
  447. Then restart
  448. #+BEGIN_SRC: bash
  449. exit
  450. emacs ~/.procmailrc
  451. #+END_SRC
  452. The text should look like the following.
  453. #+BEGIN_SRC: sh
  454. MAILDIR=$HOME/Maildir
  455. DEFAULT=$MAILDIR/
  456. LOGFILE=$HOME/log/procmail.log
  457. LOGABSTRACT=all
  458. # get spamassassin to check emails
  459. :0fw: .spamassassin.lock
  460. * < 256000
  461. | spamc
  462. # strong spam are discarded
  463. :0
  464. * ^X-Spam-Level: \*\*\*\*\*\*
  465. /dev/null
  466. # weak spam are kept just in case - clear this out every now and then
  467. :0
  468. * ^X-Spam-Level: \*\*\*\*\*
  469. .0-spam/
  470. # if it wasn't detected as spam, but is to a fake address, then we
  471. # know it is spam, so learn from that
  472. :0
  473. * !^(From|To|cc|bcc)[ :].*($USER|root|webmaster|admin|postmaster).*@acooke\.org
  474. * !^(From|To|cc|bcc)[ :].*@isti\.com
  475. # add mailing lists below
  476. * !^From[ :].*(snowmail_daily@...|Section@...|rforno@...|alert@...).*
  477. {
  478. # save in case of screw-ups, mailing lists, etc
  479. :0 c
  480. .0-spam/
  481. :0
  482. .learn-spam/
  483. }
  484. # otherwise, marginal spam goes here for revision
  485. :0
  486. * ^X-Spam-Level: \*\*
  487. .spam/
  488. #+END_SRC
  489. Save and exit.
  490. #+BEGIN_SRC: bash
  491. su
  492. emacs /usr/bin/filterspam
  493. #+END_SRC
  494. Add the following contents:
  495. #+BEGIN_SRC: bash
  496. #!/bin/bash
  497. USERNAME=$1
  498. MAILDIR=/home/$USERNAME/Maildir/.learn-spam
  499. if [ ! -d "$MAILDIR" ]; then
  500. exit
  501. fi
  502. for f in `ls $MAILDIR/cur`
  503. do
  504. spamc -L spam < "$MAILDIR/cur/$f" > /dev/null
  505. rm "$MAILDIR/cur/$f"
  506. done
  507. for f in `ls $MAILDIR/new`
  508. do
  509. spamc -L spam < "$MAILDIR/new/$f" > /dev/null
  510. rm "$MAILDIR/new/$f"
  511. done
  512. #+END_SRC
  513. Save and exit.
  514. #+BEGIN_SRC: bash
  515. emacs /usr/bin/filterham
  516. #+END_SRC
  517. Add the following contents:
  518. #+BEGIN_SRC: bash
  519. #!/bin/bash
  520. USERNAME=$1
  521. MAILDIR=/home/$USERNAME/Maildir/.learn-ham
  522. if [ ! -d "$MAILDIR" ]; then
  523. exit
  524. fi
  525. for f in `ls $MAILDIR/cur`
  526. do
  527. spamc -L ham < "$MAILDIR/cur/$f" > /dev/null
  528. rm "$MAILDIR/cur/$f"
  529. done
  530. for f in `ls $MAILDIR/new`
  531. do
  532. spamc -L ham < "$MAILDIR/new/$f" > /dev/null
  533. rm "$MAILDIR/new/$f"
  534. done
  535. #+END_SRC
  536. Save and exit.
  537. #+BEGIN_SRC: bash
  538. emacs /etc/crontab
  539. #+END_SRC
  540. Append the following, replacing *myusername* with your username.
  541. #+BEGIN_SRC: bash
  542. */3 * * * * root /usr/bin/filterspam myusername
  543. */3 * * * * root /usr/bin/filterham myusername
  544. #+END_SRC
  545. Save and exit.
  546. #+BEGIN_SRC: bash
  547. chmod 655 /usr/bin/filterspam /usr/bin/filterham
  548. service spamassassin restart
  549. service exim4 restart
  550. service cron restart
  551. #+END_SRC
  552. ** Install dovecot
  553. #+BEGIN_SRC: bash
  554. aptitude -y install dovecot-common dovecot-pop3d dovecot-imapd
  555. #+END_SRC
  556. #+BEGIN_SRC: bash
  557. emacs /etc/dovecot/dovecot.conf
  558. #+END_SRC
  559. # line 26: change ( if not listen IPv6 port )
  560. listen = *
  561. #+BEGIN_SRC: bash
  562. emacs /etc/dovecot/conf.d/10-auth.conf
  563. #+END_SRC
  564. # line 9: uncomment and change ( allow plain text auth )
  565. disable_plaintext_auth = no
  566. # line 99: add
  567. auth_mechanisms = plain login
  568. #+BEGIN_SRC: bash
  569. emacs /etc/dovecot/conf.d/10-mail.conf
  570. #+END_SRC
  571. # line 30: uncomment and add
  572. mail_location = maildir:~/Maildir
  573. #+BEGIN_SRC: bash
  574. service dovecot restart
  575. #+END_SRC
  576. ** Mutt email client
  577. #+BEGIN_SRC: bash
  578. apt-get install mutt lynx abook
  579. exit
  580. mkdir ~/.mutt
  581. echo "text/html; lynx -dump -width=78 -nolist %s | sed ‘s/^ //’; copiousoutput; needsterminal; nametemplate=%s.html" > ~/.mutt/mailcap
  582. #+END_SRC
  583. Save and exit.
  584. #+BEGIN_SRC: bash
  585. su
  586. emacs /etc/Muttrc
  587. #+END_SRC
  588. Append the following:
  589. #+BEGIN_SRC: bash
  590. set mbox_type=Maildir
  591. set folder="~/Maildir"
  592. set mask="!^\\.[^.]"
  593. set mbox="~/Maildir"
  594. set record="+.Sent"
  595. set postponed="+.Drafts"
  596. set spoolfile="~/Maildir"
  597. auto_view text/x-vcard text/html text/enriched
  598. set editor="emacsclient %s"
  599. macro index S "<tag-prefix><save-message>=.learn-spam<enter>" "move to learn-spam"
  600. macro pager S "<save-message>=.learn-spam<enter>" "move to learn-spam"
  601. macro index H "<tag-prefix><copy-message>=.learn-ham<enter>" "copy to learn-ham"
  602. macro pager H "<copy-message>=.learn-ham<enter>" "copy to learn-ham"
  603. #+END_SRC
  604. Save and exit.
  605. #+BEGIN_SRC: bash
  606. emacs /etc/mail/spamassassin/local.cf
  607. #+END_SRC
  608. Uncomment *use_bayes*, *bayes_auto_learn*
  609. Save and exit, then run:
  610. #+BEGIN_SRC: bash
  611. service spamassassin restart
  612. #+END_SRC
  613. Now to add an address book:
  614. #+BEGIN_SRC: bash
  615. emacs ~/.muttrc
  616. #+END_SRC
  617. Append the following:
  618. #+BEGIN_SRC: bash
  619. set alias_file=~/.mutt-alias
  620. source ~/.mutt-alias
  621. set query_command= "abook --mutt-query '%s'"
  622. macro index,pager A "<pipe-message>abook --add-email-quiet<return>" "add the sender address to abook"
  623. #+END_SRC
  624. Then save and exit.
  625. #+BEGIN_SRC: bash
  626. touch ~/.mutt-alias
  627. #+END_SRC
  628. Finally you can then type *mutt* to get access to your email. Hence as a fallback, or if you prefer as the primary way of accessing email, you can ssh into the BBB and use the mutt command line email client. Ssh clients are available for all operating systems, and also you should be reasonably protected from passive surveillance between wherever you are and the BBB (although not between the BBB and the wider internet), which can be useful if you are for example using an Android tablet from a cafe or railway station.
  629. To use the address book system open an email and then to add the sender to the address list press the A key. It will ask you for an alias which may be used the next time you want to send a mail. Alternatively you may just edit the *~/.mutt-alias* file directly to add email addresses.
  630. Some useful keys to know are:
  631. | ESC / | Search for text within message contents |
  632. | "/" | Search for text within headers |
  633. | * | Move to the last message |
  634. | TAB | Move to the next unread message |
  635. | d | Delete a message |
  636. | u | Undelete a mail which is pending deletion |
  637. | $ | Delete all messages selected and check for new messages |
  638. | a | Add to the address book |
  639. | m | Send a new mail |
  640. | S | Mark a message as spam |
  641. | H | Mark a message as ham |
  642. ** K9 email client
  643. *** Incoming server settings
  644. * Select settings/account settings
  645. * Select Fetching mail/incoming server
  646. * Enter your username and password
  647. * IMAP server should be your domain name
  648. * Security: SSL/TLS (always)
  649. * Authentication: Plain
  650. * Port: 993
  651. *** Outgoing (SMTP) server settings
  652. * Select settings/account settings
  653. * Select Sending mail/outgoing server
  654. * Set SMTP server to your domain name
  655. * Set Security to SSL/TLS (always)
  656. * Set port to 465
  657. ** Setting up a web site
  658. #+BEGIN_VERSE
  659. /I hope we will use the Net to cross barriers and connect cultures./
  660. -- Tim Berners-Lee
  661. #+END_VERSE
  662. Edit the apache configuration so that it doesn't run out of memory if there are a lot of connections.
  663. #+BEGIN_SRC: bash
  664. su
  665. emacs /etc/apache2/apache2.conf
  666. #+END_SRC
  667. Search for MaxClients and replace the value with 20 then save and exit.
  668. In the examples below replace mydomainname.com with your own domain.
  669. #+BEGIN_SRC: bash
  670. export HOSTNAME=mydomainname.com
  671. mkdir /var/www/$HOSTNAME
  672. mkdir /var/www/$HOSTNAME/htdocs
  673. emacs /etc/apache2/sites-available/$HOSTNAME
  674. #+END_SRC
  675. The Apache configuration for the site should look something like the following. Replace /mydonainname.com/ with the site domain name.
  676. #+BEGIN_SRC: bash
  677. <VirtualHost *:80>
  678. ServerAdmin myusername@mydomainname.com
  679. ServerName mydomainname.com
  680. DocumentRoot /var/www/mydomainname.com/htdocs
  681. <Directory />
  682. Options FollowSymLinks
  683. AllowOverride All
  684. </Directory>
  685. <Directory /var/www/mydomainname.com/htdocs/>
  686. Options All
  687. AllowOverride All
  688. Order allow,deny
  689. allow from all
  690. </Directory>
  691. # Don't serve .php~ or .php# files created by emacs
  692. <Files ~ "(^#.*#|~|\.sw[op])$">
  693. Order allow,deny
  694. Deny from all
  695. </Files>
  696. <IfModule headers_module>
  697. Header set X-Content-Type-Options nosniff
  698. Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private"
  699. Header set Pragma no-cache
  700. </IfModule>
  701. <Files .htaccess>
  702. deny from all
  703. </Files>
  704. ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  705. <Directory "/usr/lib/cgi-bin">
  706. AllowOverride All
  707. Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  708. Order allow,deny
  709. Allow from all
  710. </Directory>
  711. ErrorLog ${APACHE_LOG_DIR}/error.log
  712. # Possible values include: debug, info, notice, warn, error, crit,
  713. # alert, emerg.
  714. LogLevel warn
  715. CustomLog ${APACHE_LOG_DIR}/access.log combined
  716. </VirtualHost>
  717. <IfModule mod_ssl.c>
  718. <VirtualHost *:443>
  719. ServerAdmin myusername@mydomainname.com
  720. ServerName mydomainname.com
  721. DocumentRoot /var/www/mydomainname.com/htdocs
  722. <Directory />
  723. Options FollowSymLinks
  724. AllowOverride All
  725. </Directory>
  726. <Directory /var/www/mydomainname.com/htdocs/>
  727. Options All
  728. AllowOverride All
  729. Order allow,deny
  730. allow from all
  731. </Directory>
  732. # Don't serve .php~ or .php# files created by emacs
  733. <Files ~ "(^#.*#|~|\.sw[op])$">
  734. Order allow,deny
  735. Deny from all
  736. </Files>
  737. <IfModule headers_module>
  738. Header set X-Content-Type-Options nosniff
  739. Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private"
  740. Header set Pragma no-cache
  741. </IfModule>
  742. <Files .htaccess>
  743. deny from all
  744. </Files>
  745. ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  746. <Directory "/usr/lib/cgi-bin">
  747. AllowOverride All
  748. Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  749. Order allow,deny
  750. Allow from all
  751. </Directory>
  752. ErrorLog ${APACHE_LOG_DIR}/error.log
  753. # Possible values include: debug, info, notice, warn, error, crit,
  754. # alert, emerg.
  755. LogLevel warn
  756. CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
  757. # SSL Engine Switch:
  758. # Enable/Disable SSL for this virtual host.
  759. SSLEngine on
  760. # A self-signed certificate
  761. SSLCertificateFile /etc/ssl/certs/mydomainname.com.crt
  762. SSLCertificateKeyFile /etc/ssl/private/mydomainname.com.key
  763. # Options based on bettercrypto.org
  764. SSLProtocol All -SSLv2 -SSLv3
  765. SSLHonorCipherOrder On
  766. SSLCompression off
  767. SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  768. # Add six earth month HSTS header for all users ...
  769. Header add Strict-Transport-Security "max-age=15768000"
  770. # If you want to protect all subdomains , use the following header
  771. # ALL subdomains HAVE TO support https if you use this !
  772. # Strict-Transport-Security: max-age=15768000 ; includeSubDomains
  773. # SSL Engine Options:
  774. # Set various options for the SSL engine.
  775. # o FakeBasicAuth:
  776. # Translate the client X.509 into a Basic Authorisation. This means that
  777. # the standard Auth/DBMAuth methods can be used for access control. The
  778. # user name is the `one line' version of the client's X.509 certificate.
  779. # Note that no password is obtained from the user. Every entry in the user
  780. # file needs this password: `xxj31ZMTZzkVA'.
  781. # o ExportCertData:
  782. # This exports two additional environment variables: SSL_CLIENT_CERT and
  783. # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
  784. # server (always existing) and the client (only existing when client
  785. # authentication is used). This can be used to import the certificates
  786. # into CGI scripts.
  787. # o StdEnvVars:
  788. # This exports the standard SSL/TLS related `SSL_*' environment variables.
  789. # Per default this exportation is switched off for performance reasons,
  790. # because the extraction step is an expensive operation and is usually
  791. # useless for serving static content. So one usually enables the
  792. # exportation for CGI and SSI requests only.
  793. # o StrictRequire:
  794. # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
  795. # under a "Satisfy any" situation, i.e. when it applies access is denied
  796. # and no other module can change it.
  797. # o OptRenegotiate:
  798. # This enables optimized SSL connection renegotiation handling when SSL
  799. # directives are used in per-directory context.
  800. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  801. <FilesMatch "\.(cgi|shtml|phtml|php)$">
  802. SSLOptions +StdEnvVars
  803. </FilesMatch>
  804. <Directory /usr/lib/cgi-bin>
  805. SSLOptions +StdEnvVars
  806. </Directory>
  807. # SSL Protocol Adjustments:
  808. # The safe and default but still SSL/TLS standard compliant shutdown
  809. # approach is that mod_ssl sends the close notify alert but doesn't wait for
  810. # the close notify alert from client. When you need a different shutdown
  811. # approach you can use one of the following variables:
  812. # o ssl-unclean-shutdown:
  813. # This forces an unclean shutdown when the connection is closed, i.e. no
  814. # SSL close notify alert is send or allowed to received. This violates
  815. # the SSL/TLS standard but is needed for some brain-dead browsers. Use
  816. # this when you receive I/O errors because of the standard approach where
  817. # mod_ssl sends the close notify alert.
  818. # o ssl-accurate-shutdown:
  819. # This forces an accurate shutdown when the connection is closed, i.e. a
  820. # SSL close notify alert is send and mod_ssl waits for the close notify
  821. # alert of the client. This is 100% SSL/TLS standard compliant, but in
  822. # practice often causes hanging connections with brain-dead browsers. Use
  823. # this only for browsers where you know that their SSL implementation
  824. # works correctly.
  825. # Notice: Most problems of broken clients are also related to the HTTP
  826. # keep-alive facility, so you usually additionally want to disable
  827. # keep-alive for those clients, too. Use variable "nokeepalive" for this.
  828. # Similarly, one has to force some clients to use HTTP/1.0 to workaround
  829. # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
  830. # "force-response-1.0" for this.
  831. BrowserMatch "MSIE [2-6]" \
  832. nokeepalive ssl-unclean-shutdown \
  833. downgrade-1.0 force-response-1.0
  834. # MSIE 7 and newer should be able to use keepalive
  835. BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
  836. </VirtualHost>
  837. </IfModule>
  838. #+END_SRC
  839. Then to enable the site:
  840. #+BEGIN_SRC: bash
  841. a2ensite
  842. a2dissite default
  843. a2dissite default-ssl
  844. a2enmod rewrite
  845. a2enmod headers
  846. #+END_SRC
  847. Ensure that "NameVirtualHost *:443" is added to /etc/apache2/ports.conf. It should look something like the following:
  848. #+BEGIN_SRC: bash
  849. NameVirtualHost *:80
  850. Listen 80
  851. <IfModule mod_ssl.c>
  852. NameVirtualHost *:443
  853. Listen 443
  854. </IfModule>
  855. <IfModule mod_gnutls.c>
  856. NameVirtualHost *:443
  857. Listen 443
  858. </IfModule>
  859. #+END_SRC
  860. Create a self-signed certificate. The passphrase isn't important and will be removed, so make it easy (such as "password").
  861. #+BEGIN_SRC: bash
  862. emacs makecert
  863. #+END_SRC
  864. Enter the following:
  865. #+BEGIN_SRC: bash
  866. #!/bin/bash
  867. HOSTNAME=$1
  868. openssl genrsa -des3 -out $HOSTNAME.key 1024
  869. openssl req -new -x509 -nodes -sha1 -days 3650 -key $HOSTNAME.key -out $HOSTNAME.crt
  870. openssl rsa -in $HOSTNAME.key -out $HOSTNAME.new.key
  871. cp $HOSTNAME.new.key $HOSTNAME.key
  872. rm $HOSTNAME.new.key
  873. cp $HOSTNAME.key /etc/ssl/private
  874. chmod 400 /etc/ssl/private/$HOSTNAME.key
  875. cp $HOSTNAME.crt /etc/ssl/certs
  876. shred -zu $HOSTNAME.key $HOSTNAME.crt
  877. a2enmod ssl
  878. service apache2 restart
  879. #+END_SRC
  880. Save and exit.
  881. #+BEGIN_SRC: bash
  882. chmod +x makecert
  883. ./makecert mydomainname.com
  884. #+END_SRC
  885. Enter some trivial password for the key file. The password will be removed as part of the makecert script. Note that leaving a password on the key file would mean that after a power cycle the apache server will not be able to boot properly (it would wait indefinitely for a password to be manually entered) and would look as if it had crashed.
  886. If all has gone well then there should be no warnings or errors after you run the service restart command. After that you should enable ports 80 (HTTP) and 443 (HTTPS) on your internet router/firewall, such that they are redirected to the BBB.
  887. ** Social Networking
  888. #+BEGIN_VERSE
  889. /Facebook is not your friend, it is a surveillance engine./
  890. -- Richard Stallman, Free Software Foundation
  891. #+END_VERSE
  892. *** Friendica
  893. **** Installation
  894. See [[Setting up a web site]] for details of how to update the Apache configuration for your Friendica site.
  895. #+BEGIN_SRC: bash
  896. apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt
  897. #+END_SRC
  898. Enter an admin password for MySQL.
  899. Create a mysql database.
  900. #+BEGIN_SRC: bash
  901. mysql -u root -p
  902. create database friendica;
  903. CREATE USER 'friendicaadmin'@'localhost' IDENTIFIED BY 'password';
  904. GRANT ALL PRIVILEGES ON friendica.* TO 'friendicaadmin'@'localhost';
  905. quit
  906. #+END_SRC
  907. You may need to fix Git SSL problems.
  908. #+BEGIN_SRC: bash
  909. git config --global http.sslVerify true
  910. apt-get install ca-certificates
  911. cd ~/
  912. emacs .gitconfig
  913. #+END_SRC
  914. The .gitconfig file should look something like this:
  915. #+BEGIN_SRC: bash
  916. [http]
  917. sslVerify = true
  918. sslCAinfo = /etc/ssl/certs/ca-certificates.crt
  919. [user]
  920. email = myusername@mydomainname.com
  921. name = yourname
  922. #+END_SRC
  923. Get the source code.
  924. #+BEGIN_SRC: bash
  925. export HOSTNAME=mydomainname.com
  926. cd /var/www/$HOSTNAME
  927. mv htdocs htdocs_old
  928. git clone https://github.com/friendica/friendica.git htdocs
  929. chmod -R 755 htdocs
  930. chown -R www-data:www-data htdocs
  931. chown -R www-data:www-data htdocs/view/smarty3
  932. git clone https://github.com/friendica/friendica-addons.git htdocs/addon
  933. #+END_SRC
  934. Now visit the URL of your site and you should be taken through the rest of the installation procedure. If you have trouble with "allow override" ensure that "AllowOverride" is set to "all" in your Apache settings for the site (within /etc/apache2/sites-available) and then restart the apache2 service.
  935. Install the poller.
  936. #+BEGIN_SRC: bash
  937. emacs /etc/crontab
  938. #+END_SRC
  939. and append the following, changing mydomainname.com to whatever your domain is.
  940. #+BEGIN_SRC: bash
  941. */10 * * * * root cd /var/www/mydomainname.com/htdocs; /usr/bin/php include/poller.php
  942. #+END_SRC
  943. Save and exit, then restart cron.
  944. #+BEGIN_SRC: bash
  945. service cron restart
  946. #+END_SRC
  947. You can improve the speed of Friendica database searches by adding the following indexes:
  948. #+BEGIN_SRC: bash
  949. mysql -u root -p
  950. use friendica;
  951. CREATE INDEX `uri_received` ON item(`uri`, `received`);
  952. CREATE INDEX `received_uri` ON item(`received`, `uri`);
  953. CREATE INDEX `contact-id_created` ON item(`contact-id`, created);
  954. CREATE INDEX `uid_network_received` ON item(`uid`, `network`, `received`);
  955. CREATE INDEX `uid_parent` ON item(`uid`, `parent`);
  956. CREATE INDEX `uid_received` ON item(`uid`, `received`);
  957. CREATE INDEX `uid_network_commented` ON item(`uid`, `network`, `commented`);
  958. CREATE INDEX `uid_title` ON item(uid, `title`);
  959. CREATE INDEX `created_contact-id` ON item(`created`, `contact-id`);
  960. quit
  961. #+END_SRC
  962. **** Backups
  963. Make sure that the database gets backed up. By using cron if anything goes wrong then you should be able to recover the database either from the previous day or the previous week.
  964. #+BEGIN_SRC: bash
  965. emacs /etc/cron.daily/friendicabackup
  966. #+END_SRC
  967. Enter the following
  968. #+BEGIN_SRC: bash
  969. #!/bin/sh
  970. MYSQL_PASSWORD=<mysql root password>
  971. umask 0077
  972. # Backup the database
  973. mysqldump --password=$MYSQL_PASSWORD friendica > /var/backups/friendica_daily.sql
  974. # Make the backup readable only by root
  975. chmod 600 /var/backups/friendica_daily.sql
  976. #+END_SRC
  977. Save and exit.
  978. #+BEGIN_SRC: bash
  979. chmod 600 /etc/cron.daily/friendicabackup
  980. chmod +x /etc/cron.daily/friendicabackup
  981. emacs /etc/cron.weekly/friendicabackup
  982. #+END_SRC
  983. Enter the following
  984. #+BEGIN_SRC: bash
  985. #!/bin/sh
  986. MYSQL_PASSWORD=<mysql root password>
  987. umask 0077
  988. # Backup the database
  989. mysqldump --password=$MYSQL_PASSWORD friendica > /var/backups/friendica_weekly.sql
  990. # Make the backup readable only by root
  991. chmod 600 /var/backups/friendica_weekly.sql
  992. #+END_SRC
  993. Save and exit.
  994. #+BEGIN_SRC: bash
  995. chmod 600 /etc/cron.weekly/friendicabackup
  996. chmod +x /etc/cron.weekly/friendicabackup
  997. #+END_SRC
  998. **** Recommended configuration
  999. ***** Admin
  1000. To get to the admin settings you will need to be logged in with the admin email address which you specified at the beginning of the installation procedure. Depending upon the theme which you're using "/admin/" will be available either as an icon or on a drop down menu.
  1001. Under the *plugins* section the main one which you may wish to enable is the NSFW plugin. With that enabled if a post contans the #NSFW tag then it will appear minimised by default and you will need to click a button to open it.
  1002. Under the *themes* section select a few themes, including mobile themes which are suitable for phones or tablets.
  1003. Under the *site* section give your Friendica node a name other than "/my friend network/", you can change the icon and banner text and set the default mobile theme typically to /frost-mobile/. If you don't want your node to host a lot of accounts for people you don't know then you may want to set the register policy to "/requires approval/". For security it's probably a good idea only to host accounts for people who you actually know, rather than random strangers. Also be aware that the Beaglebone does not have a great deal of computational power or bandwidth and will not function well if there are hundreds of users using your node. If you're not federating with Diaspora or other sites then you may wish to select "/only allow Friendica contacts/". That improves the security of the system, since communication between Friendica nodes is always encrypted separately and in addition to the usual SSL encryption layer - which makes life interesting for the Surveillance State and at least keeps those cryptanalysts employed.
  1004. It's probably a good idea to enable "/private posts by default for new users/" and also "/don't include post content in email notifications/". Since traditional email isn't a secure system and is easily vulnerable to attack by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]].
  1005. ***** Settings
  1006. Each user has their own customisable settings, typically available either via an icon or by an entry on a drop down menu.
  1007. Under *additional features* enable "/richtext editor/", "/post preview/", "/group filter/", "/network filter/", "/edit sent posts/" and "/dislike posts/".
  1008. Under *display settings* select your desktop and mobile themes.
  1009. Once you have connected to enough friends it's also a good idea to use the "/export personal data/" option from here. This will save a file to your local system, which you can import into another friendica node if necessary.
  1010. **** To access from an Android device
  1011. ***** App
  1012. Open a browser on your device and go to https://f-droid.org/ then download and install the F-Droid apk. If you then open F-Droid you can search for and install the Friendica app.
  1013. If you are using a self-signed certificate then at the login screen scroll down to the bottom, select the SSL settings then scroll down and disable SSL certificate checks. You will then be able to log in using https, which at least gives you some protection via the encryption.
  1014. More information about the Friendica app can be found on http://friendica-for-android.wiki-lab.net/
  1015. ***** Mobile Theme
  1016. Another way to access Friendica from a mobile device is to just use the web browser. If you have selected a mobile theme within your settings then when viewing from an Android system the mobile theme will be displayed.
  1017. *** Red Matrix
  1018. **** Introduction
  1019. Red Matrix is the current version of the Friendica social networking system. It's more general than Friendica in that it's designed as a generic communication system based around a protocol called "zot". At the time of writing in early 2014 Red Matrix remains at an alpha stage of development and so it's not advised that you install it unless you're willing to put up with bugs and frustrations. In the large majority of cases it's better to stick with Friendica for now.
  1020. **** Prerequisites
  1021. The main problem with Red Matrix is that in order to install it you will need to have purchased a domain name (i.e. not a FreeDNS subdomain) and a SSL certificate for it.
  1022. You could join some other Red Matrix server, but this suffers from "/The Levison Problem/" in which some goons show up with a gagging order demanding coppies of the SSL private key. In that scenario unless the owner of the server is exceptionally brave users may never be informed that the site has been compromised or that there is interception hardware attached to the server. Joining another server defeats the object of being digitally self-sufficient and raises legal question marks about the ownership of data which you might upload to a server which doesn't belong to you.
  1023. **** Installation
  1024. See [[Setting up a web site]] for details of how to update the Apache configuration for your Red Matrix site.
  1025. #+BEGIN_SRC: bash
  1026. apt-get install mysql-server php5-common php5-cli php5-curl php5-gd php5-mysql php5-mcrypt
  1027. #+END_SRC
  1028. Enter an admin password for MySQL.
  1029. Create a mysql database.
  1030. #+BEGIN_SRC: bash
  1031. mysql -u root -p
  1032. create database redmatrix;
  1033. CREATE USER 'redmatrixadmin'@'localhost' IDENTIFIED BY 'password';
  1034. GRANT ALL PRIVILEGES ON redmatrix.* TO 'redmatrixadmin'@'localhost';
  1035. quit
  1036. #+END_SRC
  1037. You may need to fix Git SSL problems.
  1038. #+BEGIN_SRC: bash
  1039. git config --global http.sslVerify true
  1040. apt-get install ca-certificates
  1041. cd ~/
  1042. emacs .gitconfig
  1043. #+END_SRC
  1044. The .gitconfig file should look something like this:
  1045. #+BEGIN_SRC: bash
  1046. [http]
  1047. sslVerify = true
  1048. sslCAinfo = /etc/ssl/certs/ca-certificates.crt
  1049. [user]
  1050. email = myusername@mydomainname.com
  1051. name = yourname
  1052. #+END_SRC
  1053. Get the source code.
  1054. #+BEGIN_SRC: bash
  1055. export HOSTNAME=mydomainname.com
  1056. cd /var/www/$HOSTNAME
  1057. mv htdocs htdocs_old
  1058. git clone https://github.com/friendica/red.git htdocs
  1059. chmod -R 755 htdocs
  1060. chown -R www-data:www-data htdocs
  1061. mkdir htdocs/view/tpl/smarty3
  1062. chmod 777 htdocs/view/tpl
  1063. chmod 777 htdocs/view/tpl/smarty3
  1064. git clone https://github.com/friendica/red-addons.git htdocs/addon
  1065. #+END_SRC
  1066. Now visit the URL of your site and you should be taken through the rest of the installation procedure. Note that this may take a few minutes so don't be concerned if it looks as if it has crashed - just leave it running. If you have trouble with "allow override" ensure that "AllowOverride" is set to "all" in your Apache settings for the site (within /etc/apache2/sites-available) and then restart the apache2 service.
  1067. Install the poller.
  1068. #+BEGIN_SRC
  1069. emacs /etc/crontab
  1070. #+END_SRC
  1071. and append the following, changing mydomainname.com to whatever your domain is.
  1072. #+BEGIN_SRC
  1073. */10 * * * * root cd /var/www/mydomainname.com/htdocs; /usr/bin/php include/poller.php
  1074. #+END_SRC
  1075. Save and exit, then restart cron.
  1076. #+BEGIN_SRC: bash
  1077. service cron restart
  1078. #+END_SRC
  1079. **** Backups
  1080. Make sure that the database gets backed up. By using cron if anything goes wrong then you should be able to recover the database either from the previous day or the previous week.
  1081. #+BEGIN_SRC: bash
  1082. emacs /etc/cron.daily/redmatrixbackup
  1083. #+END_SRC
  1084. Enter the following
  1085. #+BEGIN_SRC: bash
  1086. #!/bin/sh
  1087. MYSQL_PASSWORD=<mysql root password>
  1088. umask 0077
  1089. # Backup the database
  1090. mysqldump --password=$MYSQL_PASSWORD redmatrix > /var/backups/redmatrix_daily.sql
  1091. # Make the backup readable only by root
  1092. chmod 600 /var/backups/redmatrix_daily.sql
  1093. #+END_SRC
  1094. Save and exit.
  1095. #+BEGIN_SRC: bash
  1096. chmod 600 /etc/cron.daily/redmatrixbackup
  1097. chmod +x /etc/cron.daily/redmatrixbackup
  1098. emacs /etc/cron.weekly/redmatrixbackup
  1099. #+END_SRC
  1100. Enter the following
  1101. #+BEGIN_SRC: bash
  1102. #!/bin/sh
  1103. MYSQL_PASSWORD=<mysql root password>
  1104. umask 0077
  1105. # Backup the database
  1106. mysqldump --password=$MYSQL_PASSWORD redmatrix > /var/backups/redmatrix_weekly.sql
  1107. # Make the backup readable only by root
  1108. chmod 600 /var/backups/redmatrix_weekly.sql
  1109. #+END_SRC
  1110. Save and exit.
  1111. #+BEGIN_SRC: bash
  1112. chmod 600 /etc/cron.weekly/redmatrixbackup
  1113. chmod +x /etc/cron.weekly/redmatrixbackup
  1114. #+END_SRC
  1115. **** To access from an Android device
  1116. ***** App
  1117. Open a browser on your device and go to https://f-droid.org/ then download and install the F-Droid apk. If you then open F-Droid you can search for and install the Friendica app.
  1118. If you are using a self-signed certificate then at the login screen scroll down to the bottom, select the SSL settings then scroll down and disable SSL certificate checks. You will then be able to log in using https, which at least gives you some protection via the encryption.
  1119. More information about the Friendica app can be found on http://friendica-for-android.wiki-lab.net/
  1120. ** Install a Blog
  1121. #+BEGIN_VERSE
  1122. /When society gives censors wide and vague powers they never confine themselves to deserving targets. They are not snipers, but machine-gunners. Allow them to fire at will, and they will hit anything that moves./
  1123. -- Nick Cohen
  1124. #+END_VERSE
  1125. Wordpress is the most popular blogging platform, but in practice I found it to be high maintenance with frequent security updates and breakages. More practical for a home server is Flatpress. Flatpress doesn't use a MySql database, just text files, and so is easy to relocate or reinstall.
  1126. See the [[Setting up a web site]] section of this document for details of how to configure the web server for your blog's domain.
  1127. Download flatpress.
  1128. #+BEGIN_SRC: bash
  1129. wget http://freedombone.uk.to/flatpress.tar.gz
  1130. #+END_SRC
  1131. Verify the download:
  1132. #+BEGIN_SRC: bash
  1133. md5sum flatpress.tar.gz
  1134. 6ad5c230a5cb1ac096ff657f1b138cc7 flatpress.tar.gz
  1135. #+END_SRC
  1136. Extract and install it.
  1137. #+BEGIN_SRC: bash
  1138. tar -xzvf flatpress.tar.gz
  1139. cd flatpress-*
  1140. cp -r * /var/www/$HOSTNAME/htdocs
  1141. rm -rf flatpress-*
  1142. rm -f flatpress.tar.gz
  1143. #+END_SRC
  1144. Now visit your blog and follow the setup instructions, which are quite minimal. Various themes and addons are available from the Flatpress web site, http://www.flatpress.org
  1145. ** Install a VoIP server
  1146. #+BEGIN_VERSE
  1147. /Our core principles, whether in software or sovereignty, have always been about freedom and dignity, for all people, on an equal basis/
  1148. -- David Sugar, GNU Telephony
  1149. #+END_VERSE
  1150. *** The server
  1151. Sipwitch is like an introduction service or phone book for SIP VoIP clients. Once introduced the clients can then talk directly, and this means that sipwitch is very lightweight and can run on low power systems such as the BBB.
  1152. Edit your package sources:
  1153. #+BEGIN_SRC: bash
  1154. emacs /etc/apt/sources.list
  1155. #+END_SRC
  1156. Append the following line:
  1157. #+BEGIN_SRC: bash
  1158. deb http://dev.gnutelephony.org/archive/ wheezy/
  1159. #+END_SRC
  1160. Save and exit.
  1161. To load the repository the first time after adding it to the sources.list, since you do not have the verification keys already installed yet. Then do
  1162. #+BEGIN_SRC: bash
  1163. apt-get install gnutelephony-keyring
  1164. #+END_SRC
  1165. After that it will be happy to accept it as a signed repository. The verification keys can also be directly fetched with
  1166. #+BEGIN_SRC: bash
  1167. wget http://dev.gnutelephony.org/archive/wheezy/public.key
  1168. #+END_SRC
  1169. and manually added instead with
  1170. #+BEGIN_SRC: bash
  1171. apt-key add public.key
  1172. #+END_SRC
  1173. To make sure you have all dependencies, do
  1174. #+BEGIN_SRC: bash
  1175. apt-get update;apt-get dist-upgrade
  1176. #+END_SRC
  1177. Before we install anything, let's inspect what is available to us by using
  1178. #+BEGIN_SRC: bash
  1179. dpkg -l sipwitch
  1180. #+END_SRC
  1181. To see the main application. The columns will indicate if the package is installed, which version and a description of the package. Then do
  1182. #+BEGIN_SRC: bash
  1183. dpkg -l sipwitch-*
  1184. #+END_SRC
  1185. to see available supporting applications and plugins. Again, the columns will indicate if the package is installed, which version and a description of each of these.
  1186. To install only the main application, do
  1187. #+BEGIN_SRC: bash
  1188. apt-get install sipwitch
  1189. #+END_SRC
  1190. and to install all supporting plugins:
  1191. #+BEGIN_SRC: bash
  1192. apt-get install sipwitch-plugin-scripting sipwitch-plugin-subscriber sipwitch-plugin-forward sipwitch-plugin-zeroconf
  1193. #+END_SRC
  1194. Add your user into the sipwitch group
  1195. #+BEGIN_SRC: bash
  1196. groupadd sipwitch
  1197. groupadd sipusers
  1198. usermod -aG sipwitch myusername
  1199. usermod -aG sipusers myusername
  1200. #+END_SRC
  1201. Then edit the configuration
  1202. #+BEGIN_SRC: bash
  1203. emacs /etc/sipwitch.conf
  1204. #+END_SRC
  1205. Change the *mapped* value from 200 to 20, since we don't want to be serving huge numbers of calls.
  1206. Alter the *range* value to 10, since we don't need a large number of extensions. This will mean that exension numbers 200 to 209 are available.
  1207. Do not set the *realm* value, as doing so seems to prevent the server from working.
  1208. Save and exit.
  1209. Create a digest string for your username:
  1210. #+BEGIN_SRC: bash
  1211. sipwitch digest myusername
  1212. #+END_SRC
  1213. Make a note of the resulting string because you're going to use it in the users file you'll now create.
  1214. #+BEGIN_SRC: bash
  1215. export HOSTNAME=mydomainname.com
  1216. touch /etc/sipwitch.d/$HOSTNAME.xml
  1217. chmod 600 /etc/sipwitch.d/$HOSTNAME.xml
  1218. emacs /etc/sipwitch.d/$HOSTNAME.xml
  1219. #+END_SRC
  1220. It should look something like the following:
  1221. #+BEGIN_SRC: bash
  1222. <provision>
  1223. <user id="myusername">
  1224. <digest>yourdigeststring</digest>
  1225. <extension>201</extension>
  1226. <display>Your full name</display>
  1227. </user>
  1228. </provision>
  1229. #+END_SRC
  1230. Save and exit. Now edit the configuration.
  1231. #+BEGIN_SRC: bash
  1232. emacs /etc/default/sipwitch
  1233. #+END_SRC
  1234. Change "desktop" to "server", then save and exit.
  1235. Update the IP settings:
  1236. #+BEGIN_SRC: bash
  1237. iptables -A INPUT -p tcp --dport 5060 -j ACCEPT
  1238. iptables -A INPUT -p udp --dport 5060 -j ACCEPT
  1239. iptables -A INPUT -p tcp --dport 5061 -j ACCEPT
  1240. iptables -A INPUT -p udp --dport 5061 -j ACCEPT
  1241. iptables-save
  1242. #+END_SRC
  1243. Test that it's working:
  1244. #+BEGIN_SRC: bash
  1245. pkill -9 sipw
  1246. sipw -x9 -f
  1247. #+END_SRC
  1248. Then try to register with the server using a SIP client (such as Jitsi). If everything worked then use CTRL-C to exit. Then start the service.
  1249. #+BEGIN_SRC: bash
  1250. service sipwitch start
  1251. #+END_SRC
  1252. *** Clients
  1253. **** Jitsi
  1254. Download the latst version from https://jitsi.org/index.php/Main/Download
  1255. TODO
  1256. **** Twinkle client
  1257. The client should have a user profile as following:
  1258. The "user name" is the xxx id used in the <user id="xxx"> entry of /etc/sipwitch.conf
  1259. The "domain" is the yyy domain in the main config <stack><domain>yyy entry of /etc/sipwitch.conf
  1260. The SIP Authentication should have:
  1261. realm = realm as set in <registry><realm> of /etc/sipwitch.conf
  1262. authentication name = <user id="xx"> entry, same as "User Name" field.
  1263. password = value of <secret>zzz in <user> entry of /etc/sipwitch.conf
  1264. Under security tab, set "Enable ZRTP/SRTP encryption"
  1265. **** Android
  1266. TODO
  1267. CSipSimple?
  1268. ** Install an IRC server
  1269. #+BEGIN_VERSE
  1270. /Give me the liberty to know, to utter, and to argue freely according to conscience, above all liberties./
  1271. -- John Milton
  1272. #+END_VERSE
  1273. *** Base install
  1274. IRC is not an especially secure system. For instance, even with the best encryption it's easily possible to imagine IRC-specific cribs which could be used by cryptanalytic systems. However, we'll try to implement it in a manner which will at least give the surveillance aparatus something to ponder over.
  1275. First install some dependencies.
  1276. #+BEGIN_SRC: bash
  1277. apt-get update
  1278. apt-get install build-essential openssl libssl-dev
  1279. #+END_SRC
  1280. Then get the source code for ircd-hybrid.
  1281. #+BEGIN_SRC: bash
  1282. cd /tmp
  1283. mkdir hybrid
  1284. cd hybrid
  1285. apt-get source ircd-hybrid
  1286. #+END_SRC
  1287. Modify the source code to include SSL security.
  1288. #+BEGIN_SRC: bash
  1289. emacs ircd-hybrid-*/debian/rules
  1290. #+END_SRC
  1291. Beneath MAXCLIENTS add the line:
  1292. #+BEGIN_SRC: bash
  1293. USE_OPENSSL = 1
  1294. #+END_SRC
  1295. Then save and exit. Now we can build the debian package for ircd-hybrid and install it.
  1296. #+BEGIN_SRC: bash
  1297. cd ircd-hybrid-*
  1298. dpkg-buildpackage -rfakeroot -uc -b
  1299. cd ..
  1300. dpkg -i ircd-hybrid_*.deb
  1301. #+END_SRC
  1302. Customise the configuration to your system, giving it a name and description. In this example 192.168.1.60 is the static IP address on the BBB on the local network, so change that if necessary.
  1303. #+BEGIN_SRC: bash
  1304. emacs /etc/ircd-hybrid/ircd.conf
  1305. #+END_SRC
  1306. Set *name* to the name of your server, and set a description.
  1307. Set a *network_name* and *network_desc*. The network name should not contain any spaces.
  1308. Set max_clients to 20, or however many you expect that you'll typically need.
  1309. Within the admin section set your *name* and *email*.
  1310. Within the *listen* section set host to your fixed IP address (in the earlier
  1311. sections it was 192.168.1.60).
  1312. Within the *auth* section set user = "*@192.168.1.60" - or whatever the fixed IP address of the BBB is on your network.
  1313. Uncomment the first *connect* section and set the *name* to your domain name, the *host* to 192.168.1.60 and the send/accept passwords to a password which you use to log into the IRC server. Also set the *port* to 6670.
  1314. Save and exit, then restart the IRC server. Open port 6670 on your internet router and forward it to the BBB.
  1315. Ensure that the configuration is only readable by the root user.
  1316. #+BEGIN_SRC: bash
  1317. chmod 600 /etc/ircd-hybrid/ircd.conf
  1318. #+END_SRC
  1319. *** Channel management
  1320. To to install channel management tools.
  1321. #+BEGIN_SRC: bash
  1322. cd /tmp
  1323. wget http://freedombone.uk.to/hybserv_1.9.4-1_armhf.deb
  1324. #+END_SRC
  1325. Verify it.
  1326. #+BEGIN_SRC: bash
  1327. md5sum hybserv_1.9.4-1_armhf.deb
  1328. 5b66551ceabb679bdeda1859d23ca6ac hybserv_1.9.4-1_armhf.deb
  1329. #+END_SRC
  1330. Install it.
  1331. #+BEGIN_SRC: bash
  1332. dpkg -i hybserv_1.9.4-1_armhf.deb
  1333. #+END_SRC
  1334. Edit the configuration.
  1335. Make a md5 version of the password for the IRC server operator.
  1336. #+BEGIN_SRC: bash
  1337. /usr/bin/mkpasswd <myoperatorpassword>
  1338. #+END_SRC
  1339. Edit the ircd-hybrid configuration.
  1340. #+BEGIN_SRC: bash
  1341. emacs /etc/ircd-hybrid/ircd.conf
  1342. #+END_SRC
  1343. Enter the md5 password which you previously created within the /operator/ section. Also change /user/ to:
  1344. #+BEGIN_SRC: bash
  1345. user = "*@*";
  1346. #+END_SRC
  1347. Then save and exit.
  1348. #+BEGIN_SRC: bash
  1349. emacs /etc/hybserv/hybserv.conf
  1350. #+END_SRC
  1351. Change #MD5 PASSWORD HERE# to the md5 operator password created earlier, mydomainname.com to your domain name and mysendacceptpassword to the send/accept password specified within /ircd.conf/.
  1352. #+BEGIN_SRC: bash
  1353. A:mynickname <myemailaddress>
  1354. N:irc.mydomainname.com:Hybrid services
  1355. O:*@*:#MD5 PASSWORD HERE#:root:segj (comment out other Q: lines)
  1356. S:mysendacceptpassword:192.168.1.60:6670 (remove the other two services)
  1357. #+END_SRC
  1358. Also remove the line *#NOT-EDITED#*, then save and exit.
  1359. Now we need to restart the ircd and hybrid server to make things work:
  1360. #+BEGIN_SRC: bash
  1361. service ircd-hybrid restart
  1362. service hybserv start
  1363. #+END_SRC
  1364. *** Usage
  1365. On another computer (not the BBB).
  1366. #+BEGIN_SRC: bash
  1367. sudo apt-get install irssi
  1368. irssi
  1369. #+END_SRC
  1370. Connect to the IRC and identify yourself as an operator. Here /mynetwork/ should be the same as *network_name* specified earlier within /ircd.conf/.
  1371. #+BEGIN_SRC: bash
  1372. /server add -auto -network mynetwork -ssl mydonainname.com 6670 mysendacceptpassword
  1373. /connect mydomainname.com
  1374. /channel add -auto #mychannel mynetwork channelpassword
  1375. /network add -nick mynick mychannel
  1376. /join #mychannel
  1377. /msg -servername chanserv REGISTER #mychannel channelpassword
  1378. /msg -servername chanserv set #mychannel mlock +k channelpassword
  1379. #+END_SRC
  1380. If you edit the irssi config file:
  1381. #+BEGIN_SRC: bash
  1382. emacs ~/.irssi/config
  1383. #+END_SRC
  1384. It should look something like this:
  1385. #+BEGIN_SRC: bash
  1386. {
  1387. address = "mydomainname.com";
  1388. chatnet = "mynetwork";
  1389. port = "6670";
  1390. password = "mysendacceptpassword";
  1391. use_ssl = "yes";
  1392. ssl_verify = "no";
  1393. autoconnect = "yes";
  1394. },
  1395. #+END_SRC
  1396. If you're not using a self-signed certificate (self-signed is the default) then you can set *ssl_verify* to "yes".
  1397. ** Install a Jabber/XMPP server
  1398. #+BEGIN_VERSE
  1399. /Well heck, it isn’t that hard to write an instant messaging system./
  1400. --Jeremie Miller
  1401. #+END_VERSE
  1402. *** The Server
  1403. Generate a SSL certificate.
  1404. #+BEGIN_SRC: bash
  1405. openssl ecparam -out /etc/ssl/private/xmpp.pem -name prime256v1
  1406. openssl genpkey -paramfile /etc/ssl/private/xmpp.pem -out /etc/ssl/private/xmpp.key
  1407. openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650
  1408. #+END_SRC
  1409. The above uses a Diffie-Hellman elliptic curve (ECDH P-256) algorithm. It is apparent that amongst crypographers there are differences of opinion about the security of elliptic curves, so if you prefer there is also a more traditional RSA way to generate an SSL certificate:
  1410. #+BEGIN_SRC: bash
  1411. openssl genrsa -out /etc/ssl/private/xmpp.key 4096
  1412. openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650
  1413. #+END_SRC
  1414. Change permissions.
  1415. #+BEGIN_SRC: bash
  1416. chmod 600 /etc/ssl/private/xmpp.key
  1417. chmod 600 /etc/ssl/certs/xmpp.crt
  1418. chown prosody:prosody /etc/ssl/private/xmpp.key
  1419. chown prosody:prosody /etc/ssl/certs/xmpp.crt
  1420. #+END_SRC
  1421. Install Prosody.
  1422. #+BEGIN_SRC: bash
  1423. apt-get install prosody
  1424. cp -a /etc/prosody/conf.avail/example.com.cfg.lua /etc/prosody/conf.avail/xmpp.cfg.lua
  1425. emacs /etc/prosody/conf.avail/xmpp.cfg.lua
  1426. #+END_SRC
  1427. Change the *VirtualHost* name to your domain name and remove the line below it.
  1428. Set the ssl section to:
  1429. #+BEGIN_SRC: bash
  1430. ssl = {
  1431. key = "/etc/ssl/private/xmpp.key";
  1432. certificate = "/etc/ssl/certs/xmpp.crt";
  1433. }
  1434. #+END_SRC
  1435. Save and exit. Create a symbolic link.
  1436. #+BEGIN_SRC: bash
  1437. ln -sf /etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/conf.d/xmpp.cfg.lua
  1438. #+END_SRC
  1439. Add a user. You will be prompted to specify a password. You can repeat the process for as many users as needed. This will also be your Jabber ID (JID).
  1440. #+BEGIN_SRC: bash
  1441. prosodyctl adduser myusername@mydomainname.com
  1442. #+END_SRC
  1443. Restart the server
  1444. #+BEGIN_SRC: bash
  1445. service prosody restart
  1446. #+END_SRC
  1447. On your internet router/firewall open ports 5222, 5223 and 5269 and forward them to the BBB.
  1448. It's possible to test that your XMPP server is working at https://xmpp.net. It may take several minutes and you'll get a low score because of the self-signed certificate, but it will at least verify that your server is capable of communicating.
  1449. *** Managing users
  1450. To add a user:
  1451. #+BEGIN_SRC: bash
  1452. prosodyctl adduser myusername@mydomainname.com
  1453. #+END_SRC
  1454. To change a user password:
  1455. #+BEGIN_SRC: bash
  1456. prosodyctl passwd myusername@mydomainname.com
  1457. #+END_SRC
  1458. To remove a user:
  1459. #+BEGIN_SRC: bash
  1460. prosodyctl deluser myusername@mydomainname.com
  1461. #+END_SRC
  1462. Report the status of the XMPP server:
  1463. #+BEGIN_SRC: bash
  1464. prosodyctl status
  1465. #+END_SRC
  1466. *** Using with Jitsi
  1467. Jitsi is the recommended communications client for desktop or laptop systems, since it includes the /off the record/ (OTR) feature which provides some additional security beyond the usual SSL certificates.
  1468. Jitsi can be downloaded from https://jitsi.org/
  1469. On your desktop/laptop open Jitsi and select *Options* from the *Tools* menu.
  1470. Click *Add* to add a new user, then enter the Jabber ID which you previously specified with /prosodyctl/ when setting up the XMPP server. Close and then you should notice that your status is "Online" (or if not then you should be able to set it to online).
  1471. From the *File* menu you can add contacts, then select the chat icon to begin a chat. Click on the lock icon on the right hand side and this will initiate an authentication procedure in which you can specify a question and answer to verify the identity of the person you're communicating with. Once authentication is complete then you'll be chating using OTR, which provides an additional layer of security.
  1472. You can also [[https://www.youtube.com/watch?v=vgx7VSrDGjk][see this video]] as an example of using OTR.
  1473. *** Using with Ubuntu
  1474. The default XMPP client in Ubuntu is Empathy. Using Empathy isn't as secure as using Jitsi, since it doesn't include the /off the record/ feature, but since it's the default it's what many users will have easy access to.
  1475. Open *System Settings* and select *Online Accounts*, *Add account* and then *Jabber*.
  1476. Enter your username (myusername@mydomainname.com) and password.
  1477. Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*.
  1478. *** Using with Android
  1479. Install [[https://f-droid.org/][F-Droid]]
  1480. Search for and install Gibberbot
  1481. From the menu open *Accounts*
  1482. Select *Add account*
  1483. Change the server port from 0 to 5222
  1484. Done
  1485. Accept unknown certificate? Select *Always*
  1486. Go back to the initial screen and then using the menu you can add contacts and begin chatting.
  1487. ** Install Gopher
  1488. Gopher is an old internet protocol which originated a few years before the web and is purely text based. It can be quite fun to build a gopher site and browse the gopherverse. One thing to keep in mind is that there is no security with gopher, so any text transmitted is trivially interceptable by systems such as [[https://en.wikipedia.org/wiki/XKeyscore][Xkeyscore]] or deep packet inspection.
  1489. To set up a gopher server:
  1490. #+BEGIN_SRC: bash
  1491. apt-get install build-essential
  1492. wget http://freedombone.uk.to/geomyidae-current.tgz
  1493. #+END_SRC
  1494. Verify the download:
  1495. #+BEGIN_SRC: bash
  1496. md5sum geomyidae-current.tgz
  1497. 3d8bb8601f37ca953b00fc2445ab5abe geomyidae-current.tgz
  1498. #+END_SRC
  1499. Then extract and install it.
  1500. #+BEGIN_SRC: bash
  1501. tar -xzvf geomyidae-current.tgz
  1502. cd geomyidae-*
  1503. make
  1504. make install
  1505. mkdir -p /var/gopher
  1506. #+END_SRC
  1507. Your content should be placed within /var/gopher with the index page being named index.gph. The Gopher format is very simple - simpler than HTML - so creating pages is not much more difficult than editing a text file.
  1508. #+BEGIN_SRC: bash
  1509. emacs /etc/init.d/gopher
  1510. #+END_SRC
  1511. Enter the following:
  1512. #+BEGIN_SRC: bash
  1513. #! /bin/sh
  1514. ### BEGIN INIT INFO
  1515. # Provides: gopher
  1516. # Required-Start: $remote_fs $syslog
  1517. # Required-Stop: $remote_fs $syslog
  1518. # Default-Start: 2 3 4 5
  1519. # Default-Stop: 0 1 6
  1520. # Short-Description: Gopher daemon
  1521. # Description: Gopher daemon
  1522. ### END INIT INFO
  1523. # Do NOT "set -e"
  1524. # PATH should only include /usr/* if it runs after the mountnfs.sh script
  1525. PATH=/sbin:/usr/sbin:/bin:/usr/bin
  1526. DESC="Gopher daemon"
  1527. NAME=geomyidae
  1528. DAEMON=/usr/bin/$NAME
  1529. DAEMON_ARGS="-l /var/log/geomyidae.log -b /var/gopher -p 70"
  1530. PIDFILE=/var/run/$NAME.pid
  1531. SCRIPTNAME=/etc/init.d/$NAME
  1532. # Exit if the package is not installed
  1533. [ -x "$DAEMON" ] || exit 0
  1534. # Read configuration variable file if it is present
  1535. [ -r /etc/default/$NAME ] && . /etc/default/$NAME
  1536. # Load the VERBOSE setting and other rcS variables
  1537. . /lib/init/vars.sh
  1538. # Define LSB log_* functions.
  1539. # Depend on lsb-base (>= 3.2-14) to ensure that this file is present
  1540. # and status_of_proc is working.
  1541. . /lib/lsb/init-functions
  1542. #
  1543. # Function that starts the daemon/service
  1544. #
  1545. do_start()
  1546. {
  1547. # Return
  1548. # 0 if daemon has been started
  1549. # 1 if daemon was already running
  1550. # 2 if daemon could not be started
  1551. start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
  1552. || return 1
  1553. start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
  1554. $DAEMON_ARGS \
  1555. || return 2
  1556. # Add code here, if necessary, that waits for the process to be ready
  1557. # to handle requests from services started subsequently which depend
  1558. # on this one. As a last resort, sleep for some time.
  1559. }
  1560. #
  1561. # Function that stops the daemon/service
  1562. #
  1563. do_stop()
  1564. {
  1565. # Return
  1566. # 0 if daemon has been stopped
  1567. # 1 if daemon was already stopped
  1568. # 2 if daemon could not be stopped
  1569. # other if a failure occurred
  1570. start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
  1571. RETVAL="$?"
  1572. [ "$RETVAL" = 2 ] && return 2
  1573. # Wait for children to finish too if this is a daemon that forks
  1574. # and if the daemon is only ever run from this initscript.
  1575. # If the above conditions are not satisfied then add some other code
  1576. # that waits for the process to drop all resources that could be
  1577. # needed by services started subsequently. A last resort is to
  1578. # sleep for some time.
  1579. start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
  1580. [ "$?" = 2 ] && return 2
  1581. # Many daemons don't delete their pidfiles when they exit.
  1582. rm -f $PIDFILE
  1583. return "$RETVAL"
  1584. }
  1585. #
  1586. # Function that sends a SIGHUP to the daemon/service
  1587. #
  1588. do_reload() {
  1589. #
  1590. # If the daemon can reload its configuration without
  1591. # restarting (for example, when it is sent a SIGHUP),
  1592. # then implement that here.
  1593. #
  1594. start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
  1595. return 0
  1596. }
  1597. case "$1" in
  1598. start)
  1599. [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
  1600. do_start
  1601. case "$?" in
  1602. 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
  1603. 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
  1604. esac
  1605. ;;
  1606. stop)
  1607. [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
  1608. do_stop
  1609. case "$?" in
  1610. 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
  1611. 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
  1612. esac
  1613. ;;
  1614. status)
  1615. status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
  1616. ;;
  1617. #reload|force-reload)
  1618. #
  1619. # If do_reload() is not implemented then leave this commented out
  1620. # and leave 'force-reload' as an alias for 'restart'.
  1621. #
  1622. #log_daemon_msg "Reloading $DESC" "$NAME"
  1623. #do_reload
  1624. #log_end_msg $?
  1625. #;;
  1626. restart|force-reload)
  1627. #
  1628. # If the "reload" option is implemented then remove the
  1629. # 'force-reload' alias
  1630. #
  1631. log_daemon_msg "Restarting $DESC" "$NAME"
  1632. do_stop
  1633. case "$?" in
  1634. 0|1)
  1635. do_start
  1636. case "$?" in
  1637. 0) log_end_msg 0 ;;
  1638. 1) log_end_msg 1 ;; # Old process is still running
  1639. *) log_end_msg 1 ;; # Failed to start
  1640. esac
  1641. ;;
  1642. *)
  1643. # Failed to stop
  1644. log_end_msg 1
  1645. ;;
  1646. esac
  1647. ;;
  1648. *)
  1649. #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
  1650. echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
  1651. exit 3
  1652. ;;
  1653. esac
  1654. :
  1655. #+END_SRC
  1656. Save and exit. Then start the gopher service.
  1657. #+BEGIN_SRC: bash
  1658. chmod +x /etc/init.d/gopher
  1659. update-rc.d gopher defaults
  1660. service gopher start
  1661. #+END_SRC
  1662. On your internet router change the firewall settings to route port 70 to the BBB, then provided that you have a gopher plugin installed within your browser then you should be able to navigate to your gopher site with:
  1663. #+BEGIN_SRC: bash
  1664. gopher://mydomainname.com
  1665. #+END_SRC
  1666. There is a browser addon for Gopher called "overbite". Installing that should enable you to view your site.
  1667. ** Install a Wiki
  1668. Dokuwiki is based upon flat files, and so is easy to move from one server to another without a lot of database complications.
  1669. Download the wiki.
  1670. #+BEGIN_SRC: bash
  1671. wget http://freedombone.uk.to/dokuwiki.tgz
  1672. #+END_SRC
  1673. Verify it.
  1674. #+BEGIN_SRC: bash
  1675. md5sum dokuwiki.tgz
  1676. 9f35055848429659fd63cda1cfea5a48 dokuwiki.tgz
  1677. #+END_SRC
  1678. Then extract and install it.
  1679. #+BEGIN_SRC: bash
  1680. export HOSTNAME=mywikidomainname.com
  1681. tar -xzvf dokuwiki.tgz
  1682. mv /var/www/$HOSTNAME/htdocs /var/www/$HOSTNAME/htdocs_old
  1683. mv dokuwiki /var/www/$HOSTNAME/htdocs
  1684. #+END_SRC
  1685. Edit the Apache configuration for your wiki site.
  1686. #+BEGIN_SRC: bash
  1687. emacs /etc/apache2/sites-available/$HOSTNAME
  1688. #+END_SRC
  1689. The settings should look something like the following.
  1690. #+BEGIN_SRC: bash
  1691. <VirtualHost *:80>
  1692. ServerAdmin myusername@mywikidomainname.com
  1693. ServerName mydomainname.com
  1694. DocumentRoot /var/www/mywikidomainname.com/htdocs
  1695. <Directory /var/www/mywikidomainname.com/htdocs>
  1696. order deny,allow
  1697. allow from all
  1698. </Directory>
  1699. <LocationMatch "/(data|conf|bin|inc)/">
  1700. order allow,deny
  1701. deny from all
  1702. satisfy all
  1703. </LocationMatch>
  1704. <Directory />
  1705. Options FollowSymLinks
  1706. AllowOverride All
  1707. </Directory>
  1708. ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  1709. <Directory "/usr/lib/cgi-bin">
  1710. AllowOverride All
  1711. Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  1712. Order allow,deny
  1713. Allow from all
  1714. </Directory>
  1715. ErrorLog ${APACHE_LOG_DIR}/error.log
  1716. # Possible values include: debug, info, notice, warn, error, crit,
  1717. # alert, emerg.
  1718. LogLevel warn
  1719. CustomLog ${APACHE_LOG_DIR}/access.log combined
  1720. </VirtualHost>
  1721. <IfModule mod_ssl.c>
  1722. <VirtualHost *:443>
  1723. ServerAdmin myusername@mywikidomainname.com
  1724. ServerName mywikidomainname.com
  1725. DocumentRoot /var/www/mywikidomainname.com/htdocs
  1726. <Directory /var/www/mywikidomainname.com/htdocs>
  1727. order deny,allow
  1728. allow from all
  1729. </Directory>
  1730. <LocationMatch "/(data|conf|bin|inc)/">
  1731. order allow,deny
  1732. deny from all
  1733. satisfy all
  1734. </LocationMatch>
  1735. <Directory />
  1736. Options FollowSymLinks
  1737. AllowOverride All
  1738. </Directory>
  1739. ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  1740. <Directory "/usr/lib/cgi-bin">
  1741. AllowOverride All
  1742. Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  1743. Order allow,deny
  1744. Allow from all
  1745. </Directory>
  1746. ErrorLog ${APACHE_LOG_DIR}/error.log
  1747. # Possible values include: debug, info, notice, warn, error, crit,
  1748. # alert, emerg.
  1749. LogLevel warn
  1750. CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
  1751. # SSL Engine Switch:
  1752. # Enable/Disable SSL for this virtual host.
  1753. SSLEngine on
  1754. # A self-signed certificate
  1755. SSLCertificateFile /etc/ssl/certs/mydomainname.com.crt
  1756. SSLCertificateKeyFile /etc/ssl/private/mydomainname.com.key
  1757. # Options based on bettercrypto.org
  1758. SSLProtocol All -SSLv2 -SSLv3
  1759. SSLHonorCipherOrder On
  1760. SSLCompression off
  1761. SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
  1762. # SSL Engine Options:
  1763. # Set various options for the SSL engine.
  1764. # o FakeBasicAuth:
  1765. # Translate the client X.509 into a Basic Authorisation. This means that
  1766. # the standard Auth/DBMAuth methods can be used for access control. The
  1767. # user name is the `one line' version of the client's X.509 certificate.
  1768. # Note that no password is obtained from the user. Every entry in the user
  1769. # file needs this password: `xxj31ZMTZzkVA'.
  1770. # o ExportCertData:
  1771. # This exports two additional environment variables: SSL_CLIENT_CERT and
  1772. # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
  1773. # server (always existing) and the client (only existing when client
  1774. # authentication is used). This can be used to import the certificates
  1775. # into CGI scripts.
  1776. # o StdEnvVars:
  1777. # This exports the standard SSL/TLS related `SSL_*' environment variables.
  1778. # Per default this exportation is switched off for performance reasons,
  1779. # because the extraction step is an expensive operation and is usually
  1780. # useless for serving static content. So one usually enables the
  1781. # exportation for CGI and SSI requests only.
  1782. # o StrictRequire:
  1783. # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
  1784. # under a "Satisfy any" situation, i.e. when it applies access is denied
  1785. # and no other module can change it.
  1786. # o OptRenegotiate:
  1787. # This enables optimized SSL connection renegotiation handling when SSL
  1788. # directives are used in per-directory context.
  1789. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  1790. <FilesMatch "\.(cgi|shtml|phtml|php)$">
  1791. SSLOptions +StdEnvVars
  1792. </FilesMatch>
  1793. <Directory /usr/lib/cgi-bin>
  1794. SSLOptions +StdEnvVars
  1795. </Directory>
  1796. # SSL Protocol Adjustments:
  1797. # The safe and default but still SSL/TLS standard compliant shutdown
  1798. # approach is that mod_ssl sends the close notify alert but doesn't wait for
  1799. # the close notify alert from client. When you need a different shutdown
  1800. # approach you can use one of the following variables:
  1801. # o ssl-unclean-shutdown:
  1802. # This forces an unclean shutdown when the connection is closed, i.e. no
  1803. # SSL close notify alert is send or allowed to received. This violates
  1804. # the SSL/TLS standard but is needed for some brain-dead browsers. Use
  1805. # this when you receive I/O errors because of the standard approach where
  1806. # mod_ssl sends the close notify alert.
  1807. # o ssl-accurate-shutdown:
  1808. # This forces an accurate shutdown when the connection is closed, i.e. a
  1809. # SSL close notify alert is send and mod_ssl waits for the close notify
  1810. # alert of the client. This is 100% SSL/TLS standard compliant, but in
  1811. # practice often causes hanging connections with brain-dead browsers. Use
  1812. # this only for browsers where you know that their SSL implementation
  1813. # works correctly.
  1814. # Notice: Most problems of broken clients are also related to the HTTP
  1815. # keep-alive facility, so you usually additionally want to disable
  1816. # keep-alive for those clients, too. Use variable "nokeepalive" for this.
  1817. # Similarly, one has to force some clients to use HTTP/1.0 to workaround
  1818. # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
  1819. # "force-response-1.0" for this.
  1820. BrowserMatch "MSIE [2-6]" \
  1821. nokeepalive ssl-unclean-shutdown \
  1822. downgrade-1.0 force-response-1.0
  1823. # MSIE 7 and newer should be able to use keepalive
  1824. BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
  1825. </VirtualHost>
  1826. </IfModule>
  1827. #+END_SRC
  1828. Enable your site with:
  1829. #+BEGIN_SRC: bash
  1830. a2ensite
  1831. #+END_SRC
  1832. then select the domain name and reload.
  1833. #+BEGIN_SRC: bash
  1834. service apache2 reload
  1835. #+END_SRC
  1836. and alter permissions:
  1837. #+BEGIN_SRC: bash
  1838. chmod -R 755 /var/www/$HOSTNAME/htdocs
  1839. chown -R www-data:www-data /var/www/$HOSTNAME/htdocs
  1840. #+END_SRC
  1841. Open a browser and visit http://$HOSTNAME/install.php, then fill out the details. Once everything has been accepted without errors:
  1842. #+BEGIN_SRC: bash
  1843. rm /var/www/$HOSTNAME/htdocs/install.php
  1844. #+END_SRC
  1845. ** Install Owncloud
  1846. #+BEGIN_VERSE
  1847. /It's not water vapour/
  1848. -- Larry Ellison
  1849. #+END_VERSE
  1850. Owncloud will allow you to upload and download files, share photos, collaboratively edit documents, have a calendar and more. You should be warned that Owncloud runs quite slowly via an ordinary web browser, but it can be a convenient way to access and share your data from any location in a reasonably secure manner.
  1851. *** Server Installation
  1852. Install some dependencies:
  1853. #+BEGIN_SRC: bash
  1854. apt-get install apache2 php5 php5-gd php-xml-parser php5-intl
  1855. apt-get install php5-sqlite php5-mysql smbclient curl libcurl3 php5-curl
  1856. #+END_SRC
  1857. It's very important that /mod_php5/ and not /mod_php5filter/ be installed. If you have /mod_php5filter/ installed then Owncloud will always fail to install.
  1858. #+BEGIN_SRC: bash
  1859. a2dismod php5filter
  1860. apt-get install libapache2-mod-php5
  1861. #+END_SRC
  1862. Ensure that the size of files which may be uploaded or downloaded is large enough.
  1863. #+BEGIN_SRC: bash
  1864. emacs /etc/php5/apache2/php.ini
  1865. #+END_SRC
  1866. Set the following:
  1867. #+BEGIN_SRC: bash
  1868. upload_max_filesize = 512M
  1869. post_max_size = 512M
  1870. #+END_SRC
  1871. Save and exit, then edit your Apache configuration.
  1872. #+BEGIN_SRC: bash
  1873. export HOSTNAME=mydomainname.com
  1874. emacs /etc/apache2/sites-available/$HOSTNAME
  1875. #+END_SRC
  1876. And add the following, to the 443 VirtualHost section. Really we only will want to be using Owncloud with HTTPS to ensure some level of security and avoidance of dragnet surveillance.
  1877. #+BEGIN_SRC: bash
  1878. <Directory /var/www/mydomainname.com/htdocs/owncloud>
  1879. Options Indexes FollowSymLinks MultiViews
  1880. AllowOverride All
  1881. Order allow,deny
  1882. allow from all
  1883. </Directory>
  1884. #+END_SRC
  1885. To ensure that nobody logs in insecurely add the following to the 80 VirtualHost section.
  1886. #+BEGIN_SRC: bash
  1887. <Directory /var/www/mydomainname.com/htdocs/owncloud>
  1888. deny from all
  1889. </Directory>
  1890. #+END_SRC
  1891. Save and exit, then restart apache.
  1892. #+BEGIN_SRC: bash
  1893. service apache2 restart
  1894. #+END_SRC
  1895. Download owncloud.
  1896. #+BEGIN_SRC: bash
  1897. cd /tmp
  1898. wget http://freedombone.uk.to/owncloud.tar.bz2
  1899. #+END_SRC
  1900. Verify the download:
  1901. #+BEGIN_SRC: bash
  1902. md5sum owncloud.tar.bz2
  1903. f43eabb746b5e339ee70d0a6aaf4a49c
  1904. #+END_SRC
  1905. Extract the archive. This may take a couple of minutes, so don't be alarmed that the system has crashed.
  1906. #+BEGIN_SRC: bash
  1907. export HOSTNAME=mydomainname.com
  1908. tar -xjf owncloud.tar.bz2
  1909. #+END_SRC
  1910. Move the extracted files to your site and set file permissions.
  1911. #+BEGIN_SRC: bash
  1912. cp -r owncloud /var/www/$HOSTNAME/htdocs
  1913. chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/owncloud/apps
  1914. chown -R www-data:www-data /var/www/$HOSTNAME/htdocs/owncloud/config
  1915. chown www-data:www-data /var/www/$HOSTNAME/htdocs/owncloud
  1916. #+END_SRC
  1917. Edit the htaccess file for Owncloud.
  1918. #+BEGIN_SRC: bash
  1919. emacs /var/www/$HOSTNAME/htdocs/owncloud/.htaccess
  1920. #+END_SRC
  1921. Set the following.
  1922. #+BEGIN_SRC: bash
  1923. php_value upload_max_filesize 512M
  1924. php_value post_max_size 512M
  1925. php_value memory_limit 128M
  1926. #+END_SRC
  1927. Save and exit.
  1928. With a web browser visit your domain (mydomainname.com/owncloud) and enter an administrator username and password.
  1929. *** Owncloud on Android
  1930. First install [[https://f-droid.org/][F-Droid]] and then search for the current Owncloud app. Once it's installed you'll then be able to log into the BBB with the URL https://mydomainname.com/opencloud, supplying your username and password.
  1931. ** Install Bitmessage
  1932. #+BEGIN_VERSE
  1933. /Love your neighbour. Fight the future. If you are reading this you ARE the resistance./
  1934. -- BitChirp
  1935. #+END_VERSE
  1936. *** A new kind of Email
  1937. [[https://bitmessage.org][Bitmessage]] is a new type of messaging system intended to fulfill the same role as email, but without the security problems. In particular, Bitmessage attempts to not just encrypt the content but also the metadata. It's message broadcasting system makes it exceedingly difficult for an attacker to know which computer a message is destined for. The only way you know whether a message has been sent to you is whether you are able to decrypt it from the passing stream of messages.
  1938. Although similar to Bitcoin in some regards, such as "/proof of work/", Bitmessage has no block chain and messages are only buffered for approximately three days after which they are deleted from any given node.
  1939. Installing Bitmessage as a daemon will increase the size of the network, and therefore the level of security for all users.
  1940. *** The Daemon
  1941. Install from the current source code.
  1942. #+BEGIN_SRC: bash
  1943. apt-get install python screen
  1944. cd /tmp
  1945. git clone https://github.com/Bitmessage/PyBitmessage.git
  1946. cd PyBitmessage
  1947. make install
  1948. #+END_SRC
  1949. Now create the daemon.
  1950. #+BEGIN_SRC: bash
  1951. emacs /etc/init.d/pybitmessage
  1952. #+END_SRC
  1953. Add the following text:
  1954. #+BEGIN_SRC: bash
  1955. #!/bin/bash
  1956. # /etc/init.d/bitmessage
  1957. ### BEGIN INIT INFO
  1958. # Provides: pybitmessage
  1959. # Required-Start: $remote_fs $syslog
  1960. # Required-Stop: $remote_fs $syslog
  1961. # Default-Start: 2 3 4 5
  1962. # Default-Stop: 0 1 6
  1963. # Short-Description: starts bitmessage as a background daemon, suitable for servers
  1964. # Description: This file should be used to construct scripts to be
  1965. # placed in /etc/init.d.
  1966. ### END INIT INFO
  1967. # Author: Super-Nathan <BM-Gu2k3Wy2hpTMYBxSoM2937SPcuU6xzEj>
  1968. #Settings
  1969. SERVICE='pybitmessage'
  1970. LOGFILE='/dev/null' # this disables logging
  1971. # LOGFILE='/var/log/bitmessage.log' # comment out the above line and un-comment this line to save a log
  1972. COMMAND="python bitmessagemain.py > $LOGFILE"
  1973. USERNAME='bitmsg'
  1974. NICELEVEL=19 # from 0-19 the bigger the number, the less the impact on system resources
  1975. HISTORY=1024
  1976. PBM_LOCATION="/usr/local/share/pybitmessage"
  1977. INVOCATION="nice -n ${NICELEVEL} ${COMMAND}"
  1978. PATH='/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/core_perl:/sbin:/usr/sbin:/bin:/usr/local/share/pybitmessage'
  1979. bm_start() {
  1980. echo "Starting $SERVICE..."
  1981. cd ${PBM_LOCATION}
  1982. su --command "screen -h ${HISTORY} -dmS ${SERVICE} ${INVOCATION}" $USERNAME
  1983. }
  1984. bm_stop() {
  1985. echo "Stopping $SERVICE"
  1986. su --command "screen -p 0 -S ${SERVICE} -X stuff "'^C'"" $USERNAME
  1987. }
  1988. #Start-Stop here
  1989. case "$1" in
  1990. start)
  1991. bm_start
  1992. ;;
  1993. stop)
  1994. bm_stop
  1995. ;;
  1996. restart)
  1997. bm_stop
  1998. sleep 60s
  1999. bm_start
  2000. ;;
  2001. *)
  2002. echo "Usage: $0 {start|stop|restart}"
  2003. exit 1
  2004. ;;
  2005. esac
  2006. exit 0
  2007. #+END_SRC
  2008. Save and exit.
  2009. Add a user which will be specifically for Bitmessage. Since bitmessage is still a relatively young and experimental project, this adds further compartmentalisation such that if there are any bugs within PyBitmessage then an attacker can't neccessarily gain control of root or any other user account. Here we create a user called /bitmsg/ and give it a long random password.
  2010. #+BEGIN_SRC: bash
  2011. adduser bitmsg
  2012. #+END_SRC
  2013. Create a /keys.dat/ file which is used to configure Bitmessage.
  2014. #+BEGIN_SRC: bash
  2015. mkdir /home/bitmsg/.config
  2016. mkdir /home/bitmsg/.config/PyBitmessage
  2017. emacs /home/bitmsg/.config/PyBitmessage/keys.dat
  2018. #+END_SRC
  2019. Add the following:
  2020. #+BEGIN_SRC: bash
  2021. [bitmessagesettings]
  2022. settingsversion = 7
  2023. port = 8444
  2024. timeformat = %%a, %%d %%b %%Y %%I:%%M %%p
  2025. blackwhitelist = black
  2026. startonlogon = false
  2027. minimizetotray = false
  2028. showtraynotifications = false
  2029. startintray = false
  2030. socksproxytype = none
  2031. sockshostname = localhost
  2032. socksport = 9050
  2033. socksauthentication = false
  2034. sockslisten = false
  2035. socksusername =
  2036. sockspassword =
  2037. keysencrypted = false
  2038. messagesencrypted = false
  2039. defaultnoncetrialsperbyte = 640
  2040. defaultpayloadlengthextrabytes = 14000
  2041. minimizeonclose = false
  2042. maxacceptablenoncetrialsperbyte = 0
  2043. maxacceptablepayloadlengthextrabytes = 0
  2044. userlocale = system
  2045. namecoinrpctype = namecoind
  2046. namecoinrpchost = localhost
  2047. namecoinrpcuser =
  2048. namecoinrpcpassword =
  2049. namecoinrpcport = 8336
  2050. sendoutgoingconnections = True
  2051. daemon = true
  2052. #+END_SRC
  2053. Save and exit. Then enable the daemon and run it.
  2054. #+BEGIN_SRC: bash
  2055. rm -f /tmp/-usr-local-share-pybitmessage-*.lock
  2056. chown -R bitmsg:bitmsg /home/bitmsg
  2057. chmod +x /etc/init.d/pybitmessage
  2058. update-rc.d pybitmessage defaults
  2059. service pybitmessage start
  2060. #+END_SRC
  2061. Now open port 8444 on your internet router or firewall and direct it to the BBB.
  2062. *** Using Bitmessage
  2063. Although in principle it would be possible to send Bitmessages directly from the BBB, in practice the /proof of work/ requirement would mean that it would take an infeasibly long time to send messages, and the computational workload would likely greatly impair the performance of other services also running on the system. So to send and receive Bitmessages it's better to just install the client on a laptop or desktop machine.
  2064. The easiest way to install the client is either to download it from [[https://bitmessage.org][bitmessage.org]] or to get the latest build from Github as follows:
  2065. #+BEGIN_SRC: bash
  2066. cd /tmp
  2067. git clone https://github.com/Bitmessage/PyBitmessage.git
  2068. cd PyBitmessage
  2069. make install
  2070. pybitmessage
  2071. #+END_SRC
  2072. ** Install Tripwire
  2073. #+BEGIN_VERSE
  2074. /...by the time you get done with all of that, we have a freedom box/
  2075. -- Eben Moglen
  2076. #+END_VERSE
  2077. Tripwire will try to detect any intrusions into your system. It's a good idea to install it after you have installed all of the other programs which you intend to use.
  2078. #+BEGIN_SRC: bash
  2079. apt-get install tripwire
  2080. export HOSTNAME=mydomainname.com
  2081. cd /etc/tripwire
  2082. cp arm-local.key $HOSTNAME-local.key
  2083. cp site.key $HOSTNAME-site.key
  2084. tripwire --init
  2085. tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
  2086. tripwire --check --interactive
  2087. #+END_SRC
  2088. you will be asked for two passphrases ("site" and "local"). Make a note of these.
  2089. If you subsequently install any more packages or make configuration changes then update the policy again with:
  2090. #+BEGIN_SRC: bash
  2091. tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt
  2092. #+END_SRC
  2093. Also, to look for any rootkits.
  2094. #+BEGIN_SRC: bash
  2095. apt-get install rkhunter
  2096. #+END_SRC
  2097. * Router/Firewall ports
  2098. The following ports on your internet router/firewall should be forwarded to the BBB.
  2099. | Protocol | Port/s |
  2100. |---------------+------------|
  2101. | Gopher | 70 |
  2102. | HTTP | 80 |
  2103. | HTTPS | 443 |
  2104. | IMAP | 143 |
  2105. | IRC SSL | 6670 |
  2106. | SIP | 5060..5061 |
  2107. | SMTP | 25 |
  2108. | SMTPS | 465 |
  2109. | SSH | 22 |
  2110. | XMPP | 5222..5223 |
  2111. | XMPP (server) | 5269 |
  2112. | Bitmessage | 8444 |
  2113. * Hints and Tips
  2114. ** Messaging security
  2115. If you're connected to other friends via Friendica then the preferred way to send private messages is via Friendica's built-in messaging system. This is a lot more convenient than using GPG with ordinary email and yet still provides a similar level of protection from unwarranted interception.
  2116. ** Restrictive/hostile user environments
  2117. If you are typically operating within a restrictive of hostile environment where using ssh is not an option because everything other than web ports are blocked then you may wish to try installing oterm:
  2118. http://www.coralbits.com/oterm/
  2119. https://github.com/davidmoreno/onion
  2120. ** Moving Domains
  2121. If you're moving servers and using a different domain name or path then you can search and replace URLs within files in the following way:
  2122. #+BEGIN_SRC: bash
  2123. find /var/www/mynewdomain/htdocs -type f -exec sed -i 's@myolddomain@mynewdomain@g' {} \;
  2124. #+END_SRC
  2125. ** MySql foo
  2126. *** Backup all databases
  2127. To back up all mysql databases:
  2128. #+BEGIN_SRC: bash
  2129. mysqldump -u root -p --all-databases --events > /var/backups/databasebackup.sql
  2130. #+END_SRC
  2131. *** Restoring a particular mysql database
  2132. To restore yesterday's friendica backup:
  2133. #+BEGIN_SRC: bash
  2134. mysql -D friendica -o < /var/backups/friendica_daily.sql
  2135. #+END_SRC
  2136. To restore yesterday's mediawiki backup:
  2137. #+BEGIN_SRC: bash
  2138. mysql -D wikidb -o < /var/backups/wikidb_daily.sql
  2139. #+END_SRC
  2140. *** Removing mysql server
  2141. If you manage to screw up sql server completely then it can be fully deleted with:
  2142. #+BEGIN_SRC: bash
  2143. ps aux | grep mysql
  2144. #+END_SRC
  2145. and use /kill -9 <pid>/ to kill all mysql processes.
  2146. #+BEGIN_SRC: bash
  2147. apt-get remove --purge mysql\*
  2148. apt-get clean
  2149. updatedb
  2150. #+END_SRC