941fd262d0
|
||
|---|---|---|
| .. | ||
| default | ||
| nftables | ||
| ssh | ||
| tor | ||
| README.md | ||
| resolv.conf | ||
| sysctl.conf | ||
Host configuration
Debian
Create VM (from local computer/workstation)
ssh-keygen -t ed25519 -f ~/.ssh/myhub- Create VM (however you need to) and use public key from
~/.ssh/myhub.pub ssh-keyscan <ip_address_of_vm> >> ~/.ssh/known_hosts- create
~/.ssh/configand add the following
Host *
ForwardAgent no
ForwardX11 no
ForwardX11Trusted no
TCPKeepAlive yes
VerifyHostKeyDNS yes
ServerAliveInterval 2
ServerAliveCountMax 10
Protocol 2
CheckHostIP yes
Compression yes
Ciphers aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
VisualHostKey yes
HostbasedAuthentication no
HashKnownHosts yes
ConnectTimeout 5
ConnectionAttempts 9999
StrictHostKeyChecking yes
Host myhub
User toor
HostName <ip_address_of_vm>
IdentityFile ~/.ssh/myhub
IdentitiesOnly yes
LogLevel DEBUG
ControlMaster auto
ControlPersist 2h
ControlPath ~/.ssh/ControlMaster-%r-%h.%p
KbdInteractiveAuthentication no
ssh myhub
Packages
sudo apt -y install docker.io nftables tcpdump mtr tor git python3-pippip3 install docker-compose
Repo
git clone https://github.com/philoctetes409bc/docker-hybrid.gitcd docker-hybrid/host
Configuration files
cp tor/torrc /etc/tor/torrcchattr +i /etc/tor/torrccp resolv.conf /etc/resolv.confchattr +i /etc/resolv.conf/sbin/setcap CAP_NET_BIND_SERVICE=+eip $(which tor)systemctl enable torsystemctl start torcp sysctl.conf /etc/chattr +i /etc/sysctl.conf/sbin/sysctl -f /etc/sysctl.confcp default/docker /etc/default/dockerchattr +i /etc/default/dockerip link add docker0 type bridgeip link set docker0 upip addr add 100.64.63.129/25 dev docker0
Enable docker service at boot
systemctl enable dockersystemctl start docker
Harden SSH daemon
cp ssh/sshd_config /etc/sshd_configchattr +i /etc/ssh/sshd_configecho "authorized access only" > /etc/issue.netchattr +i /etc/issue.netsystemctl restart sshd
Boot network configuration
- This step ensures that the WAN interface name will match the pre-defined values in the provided nftables scripts
- create
/etc/systemd/network/50-WAN.linkand add the following
[Match]
MACAddress=<replace_this_with_the_MAC_address_of_your_WAN_interface>
[Link]
Description=WAN
MACAddressPolicy=persistent
Name=WAN
systemd-networkd address configuration (DHCP)
-
If you need to change this, visit https://www.freedesktop.org/software/systemd/man/systemd.network.html for more information
-
create
/etc/systemd/network/51-WAN.networkand add the following
[Match]
Name=WAN
[Network]
Description=WAN
DHCP=yes
MulticastDNS=false
LinkLocalAddressing=fallback
IPv4LLRoute=true
LLDP=routers-only
IPv6AcceptRA=true
IPForward=true
IPMasquerade=true
LLMNR=false
systemd-networkd address configuration (static)
-
If you need to change this, visit https://www.freedesktop.org/software/systemd/man/systemd.network.html for more information
-
create
/etc/systemd/network/51-WAN.networkand add the following
[Match]
Name=WAN
[Network]
Description=WAN
DHCP=no
Address=192.168.122.88/24
Gateway=192.168.122.1
MulticastDNS=false
LinkLocalAddressing=fallback
IPv4LLRoute=true
LLDP=routers-only
IPv6AcceptRA=true
IPForward=true
IPMasquerade=true
LLMNR=false
continued
chattr +i /etc/systemd/network/50-WAN.linkchattr +i /etc/systemd/network/51-WAN.networksystemctl enable systemd-networkd
Top-site nftables
cp nftables/nftables.top_site.rules /etc/nftables.conf
Exterior-site nftables
cp nftables/nftables.exterior.rules /etc/nftables.conf
continued
chattr +i /etc/nftables.confsystemctl enable nftables.service- reboot (smoke test)
Verification
- Re-SSH the host
- Check that the interfaces are correctly configured
# ip addr show dev WAN
2: WAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
link/ether 52:54:00:38:51:aa brd ff:ff:ff:ff:ff:ff
inet 192.168.122.88/24 brd 192.168.122.255 scope global WAN
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe38:51aa/64 scope link
valid_lft forever preferred_lft forever
# ip addr show dev docker0
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:09:a7:68:60 brd ff:ff:ff:ff:ff:ff
inet 100.64.63.129/25 brd 100.64.63.255 scope global docker0
valid_lft forever preferred_lft forever
/sbin/nft list rulesetsystemctl status torsystemctl status docker
Hardening
SSH
- Install
toron your local/workstation and enable it at boot, the default install provides SOCKS4/5, you also need to installsocat - on the newly installed debian host
grep "." /var/lib/tor/ssh/hostname - change your local/workstation
~/.ssh/configto match the following
Host myhub
ProxyCommand socat - 'SOCKS4A:127.0.0.1:%h:%p,socksport=9050'
User toor
HostName <the .onion address>
IdentityFile ~/.ssh/myhub
IdentitiesOnly yes
LogLevel DEBUG
ControlMaster auto
ControlPersist 2h
ControlPath ~/.ssh/ControlMaster-%r-%h.%p
KbdInteractiveAuthentication no
- Verify that it can be SSH'd and that the key is correct:
ssh-keyscan myhub- if it's correct,
ssh-keyscan myhub >> ~/.ssh/known_hosts - Verify that you can SSH the host, then in the
/etc/nftables.confremove the following line from the INPUT chain chattr -i /etc/nftables.conf
tcp dport 22 counter accept comment "SSH to host";
chattr +i /etc/nftables.conf/sbin/nft -f /etc/nftables.conf