diff --git a/README.md b/README.md index e69de29..49f69dc 100644 --- a/README.md +++ b/README.md @@ -0,0 +1 @@ +# How to contribute diff --git a/index.html b/index.html new file mode 100644 index 0000000..21ce35c --- /dev/null +++ b/index.html @@ -0,0 +1,197 @@ + + +
+ + + + + + + +
Setting up servers once, and sharing tutorials to show everyone how it's done.
+
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.
+
gdb, gef, ghidra, pwntools, assembly, C, 32-64bit binaries, reverse engineering, CTF challenges
++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+You can use DuckDNS to get a free domain name:
+ +
+[ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+→ ssh root@ech4.duckdns.org
+The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ + Death Is Near. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR:498pGjtN5jKGG4QJ7ubS5rVdsWEgovzgM6cCQpFwhXiPSq39q1izZE7UFTfxinyrZud2PpLRMiU6DJUnCEsR3iPGHqswj9U
Contact:notorious@notorious-cloud.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
First flash the arch iso on your usb stick:
+ +Then just boot onto it from your BIOS.
+ +This is the annoying part since i can't script it. If it doesn't work for you just use Anarchy installer, install arch on your + hard drive in a minimal way (with no DE (Desktop Environment) and no WM (Window Manager)).
+
+######################## MANUAL !!! ############################
+
+loadkeys fr
+timedatectl set-ntp true
+ping -c3 archlinux.org
+
+pacman -Syy
+pacman -S reflector
+reflector -c "France" -f 12 -l 10 -n 12 --save /etc/pacman.d/mirrorlist
+
+fdisk -l | grep /dev/sd | grep Disk
+#/dev/sda 64gb
+cfdisk /dev/sda
+################EFI################
+#gpt
+#delete existing partitions
+#select freespace
+#first partition : 1G (EFI)
+#last partition : 499G (Linux Root x86_64)
+#hit write
+#hit quit
+mkfs.vfat /dev/sda1
+mkfs.ext4 /dev/sda2
+
+mount /dev/sda2 /mnt
+mkdir /mnt/boot/
+mount /dev/sda1 /mnt/boot/
+
+pacstrap /mnt base base-devel linux linux-firmware sudo nano wget
+genfstab -U /mnt >> /mnt/etc/fstab
+arch-chroot /mnt
+#welcome to chroot, use the first script!
+
+
+This will setup your /dev/sda1 as a bootable linux partition, and makes the last 8GB as the swap partition.
+
+wget https://blog.nihilism.network/servers/Arch/1.sh
+chmod +x 1.sh
+nano 1.sh
+./1.sh
+
+
+Just edit whatever you want in this script using nano and then execute it with ./1.sh
+ +After you've rebooted into your arch installation, you can configure your arch install however you want, but here's how i do it:
+
+wget https://blog.nihilism.network/servers/Arch/2.sh
+chmod +x 2.sh
+nano 2.sh
+./2.sh
+
+
+
+Post-booting:
+
+wget https://blog.nihilism.network/servers/Arch/3.sh
+chmod +x 3.sh
+nano 3.sh
+./3.sh
+
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+Tutorials to show how to achieve Privacy, Anonymity and Plausible Deniability online. + I have a certain quality standard as to how i do these tutorials, if there are any improvements i can do on them please let me know. + +
SHOWCASED ARTICLE: Learn how to audit your own setup, to determine your OPSEC Level, and find out what is the most appropriate internet use for it.
+ +Articles Status:
+📝 Explaining Concepts
+ + + +📝 Explaining OPSEC ⭐
+ + +📝 Explaining Privacy
+💻 Getting started
+ + + + +💻 Privacy means Open Source (FOSS)
+💻 Decentralisation in the service of Privacy
+ +📝 Explaining Anonymity
+💻 Clientside - Anonymity using the Tor browser (⚠️ Check if your ISP allows Tor or Not!)
+💻 Clientside - Anonymity using VMs (⚠️ Check if your ISP allows Tor or Not!)
+🧅 Serverside - Decentralisation in the service of Anonymity
+ +💻 Clientside - Decentralized Finances
+🧅 Serverside - Anonymity on Remote Servers (⚠️ Remote Hosting = Safer!)
+🧅 Serverside - Clearnet Services (⚠️ Remote Hosting = Safer!)
+ + + + + +📝 Explaining Plausible Deniability
+💻 Clientside - Getting Started
+ +🧅 Serverside - Protecting Plausible Deniability (⚠️ Self Hosting = Risky!)
+💻 Steganography - Hiding secrets in plain sight
+ + + + + +Current services used:
+Previous services:
+
+LEGAL DISCLAIMER:
+Across the entirety of my blog, in all articles that I made, I advocate for the legal use of technologies, even when I am talking about Privacy-enhancing and Anonymity-enabling technologies. In no way am I advocating for any illegal use of any technology showcased in any article on my blog. as the goal of this blog is to remain stricly informative and educative.
+
+
+I decline any and all responsibility for any mis-use of any of the technology i showcase in the entirety of my blog. I also decline any and all responsibility for any physical, digital and psychological damage caused by the mis-use of any showcased technology, as the responsibility of such acts remains with the perpretating third-party. By reading this blog, you permanently, irrevocably and world-widely agree that I am in no way am responsible for any illegal action done by you or anyone that uses any of the showcased technology in my blog articles.
+
+
+
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
On your server, edit the torrc file like so:
+
+[ Datura ] [ /dev/pts/9 ] [~]
+→ cat /etc/tor/torrc
+
+HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
+HiddenServicePort 22 127.0.0.1:22
+HiddenServicePort 80 127.0.0.1:4443
+
+
+Then just edit your local .ssh config to access it:
+
+[ mainpc ] [ /dev/pts/7 ] [~]
+→ cat .ssh/config
+Host web-gw2024-dedi
+ User root
+ hostname 37.27.32.233
+ IdentityFile ~/.ssh/torified
+
+Host tortura
+ User root
+ hostname daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
+ IdentityFile ~/.ssh/torified
+ proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
+
+Host datura
+ User root
+ hostname 65.109.30.253
+ IdentityFile ~/.ssh/torified
+
+
+Then connect to the host via SSH:
+
+[ mainpc ] [ /dev/pts/5 ] [~]
+→ systemctl restart tor@default
+
+[ mainpc ] [ /dev/pts/5 ] [~]
+→ ssh tortura
+The authenticity of host 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion (<no hostip for proxy command>)' can't be established.
+ED25519 key fingerprint is SHA256:A0CFTeUixGoK96VenBQ7Z2U8kX5olDCqBvBNeJUfs6I.
+This host key is known by the following other names/addresses:
+ ~/.ssh/known_hosts:144: [hashed name]
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion' (ED25519) to the list of known hosts.
+Enter passphrase for key '/home/nihilist/.ssh/torified':
+Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+Last login: Thu May 2 14:47:23 2024 from 178.255.149.178
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→
+
+
+
+So that's how you do it if you cannot access the server via a public IP directly, but keep in mind that the latency is most likely unbearable due to the 6 hops circuit (since we're doing it via the .onion link, rather than connecting to the IP directly)
+so you're probably better off just connecting to the IP directly but forcing the SSH connection through tor using torsocks, which greatly reduces the latency (3 hops instead of 6):
+
+[ mainpc ] [ /dev/pts/7 ] [~]
+→ torsocks ssh datura
+Enter passphrase for key '/home/nihilist/.ssh/torified':
+Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+Last login: Thu May 2 15:48:08 2024 from 127.0.0.1
+
+[ Datura ] [ /dev/pts/12 ] [~]
+→ id
+uid=0(root) gid=0(root) groups=0(root)
+
+
+ Let's install cockpit from the apt repositories:
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→ apt install cockpit -y
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→ systemctl status cockpit
+● cockpit.service - Cockpit Web Service
+ Loaded: loaded (/lib/systemd/system/cockpit.service; static)
+ Active: active (running) since Fri 2024-05-03 13:30:51 CEST; 2min 5s ago
+TriggeredBy: ● cockpit.socket
+ Docs: man:cockpit-ws(8)
+ Process: 3563910 ExecStartPre=/usr/lib/cockpit/cockpit-certificate-ensure --for-cockpit-tls (code=exited, status=0/SUCCESS)
+ Main PID: 3563926 (cockpit-tls)
+ Tasks: 1 (limit: 77002)
+ Memory: 2.4M
+ CPU: 355ms
+ CGroup: /system.slice/cockpit.service
+ └─3563926 /usr/lib/cockpit/cockpit-tls
+
+May 03 13:30:51 Datura systemd[1]: Starting cockpit.service - Cockpit Web Service...
+May 03 13:30:51 Datura cockpit-certificate-ensure[3563918]: /usr/lib/cockpit/cockpit-certificate-helper: line 25: sscg: command not found
+May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: ......+.....+.+......+...+.........+...+..............+.+...+..+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+++++++++++++++++++++++++++++++>
+May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: .+.........+...+...+.......+........+....+..............+.........+......+.+......+..+.+..+...+....+...+.........+.....+....+.....+++++++++++++++++++++++++++++++++++++++++++++++++>
+May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: -----
+May 03 13:30:51 Datura systemd[1]: Started cockpit.service - Cockpit Web Service.
+May 03 13:30:51 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
+May 03 13:30:55 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
+
+
+
+once it completes, just connect to it on port 9090:
+ +ignore the self-signed HTTPs warning and enable javascript afterward:
+ +In the Tor browser, select the "Safer" security level to be able to browse to the cockpit service with javascript:
+ + + + + +if it refuses the login, make sure the user has proper sudo access like so::
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→ useradd nihilist
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→ passwd nihilist
+New password:
+Retype new password:
+passwd: password updated successfully
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→ usermod -aG sudo nihilist
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→ visudo
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+nihilist ALL=(ALL:ALL) ALL
+
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to look at how you can move from a public persona to an anonymous one online along with the process behind it.
+ +Let's first assume that you have a public internet presence online, you have a domain name registered to your name, and you host some services online.
+Let's also assume that you have followed the previous tutorials, meaning you now have whonix VMs in a veracrypt hidden partition that you can deny the existance of (reminder: do NOT use SSDs, use HDDs otherwise devices that use wear-leveling can reveal the existance of a hidden partition).
+So from now on your publicly you're going to PGP sign a message for everyone to see that you wish to sell the domain and all of it's subdomain services to someone else, and to message you over email/ or a chatrom for the price. The message can look as follows:
+
+Hi all, planning to stop all of my services soon due to lack of interest / or X Y Z.
+Please note that i'm ready to take offers as i'm selling the domain and all of it's underlying services to the highest bidder.
+Contact me at email@example.com to discuss this offer if you're interested.
+
+
+
+Basically here you're going to want someone anonymous to buy your services, officially. Secretely you will simply have moved to an anonymous way of operating.
+ +Unless if you're hosting something incredible, Most likely noone will answer, but in the meantime you're going to audit your infrastructure on the following points:
+
+-How is your domain accessed ?
+ -Did you register your domain under your own name ?
+ -Did you buy your domain using monero ?
+-How are your servers accessed ?
+ -Did you ever not access those servers locally or through tor alone (ssh through tor)?
+ -Did you rent those servers under your own name ?
+ -Did you ever pay for those servers without using monero ?
+-Do you have any services hosted at home ?
+ -if so, are they accessible through your public home IP ?
+ -if not, are they all accessible through a remote VPN gateway ?
+ -if not, are they all accessible through tor alone (via a .onion link) ?
+ -are they behind an open-source router such as pfsense ?
+-Did you implement the recommended physical security measures in the previous tutorials?
+ -for any local home server: movement detection, usb changes, unauthorized login attempts, secret maintenance procedure ?
+ -for any client device (laptop/mainpc/phone):
+ -is the host OS of those devices open source ? (linux for pcs, grapheneOS for phone ?)
+ -are they all tampered protected ?
+-Did you implement a secure OPSEC for your online accesses to services ?
+ - did you ever reuse a password on a closed-source OS ?
+ - did you ever reuse a password at all for an online service ?
+ - did you ever use your public IP, or a VPN IP to create an online email account that you've used in the past ?
+ - did you ever try to do any anonymous activity using that email account ?
+
+
+
+ Once you have the answer to all these questions, you're going to need to formulate a plan to move all of those services to their anonymous counterpart. Yes, sacrifices will need to be made.
+
+-If you have any public domains, you're going to transfer it to a non-KYC domain name registrar or reseller, one that accepts monero and tor traffic, such as https://nicevps.net
+-If you have any public servers, you're going to need to transfer all of your services to another server that will be bought with monero and accessed through tor alone. such as https://servers.guru
+-If you have any servers at home, you're going to need to make sure that no traffic ever goes to and from your public servers without going through Tor first-hand.
+-If you have any servers at home, you're going to need to make sure that they're behind an open-source router such as pfsense. (because closed-source routers cannot be trusted due to government pressures.
+-If you have not implemented the required physical security measures for your client and home server devices, apply them as listed above.
+-If you have ever used a password or an email with bad OPSEC as listed above, consider it burned and immediately give up using those moving forward.
+ -You must have an email address for public activities, and another for anonymous activities.
+ -You must have a master password for a keepass databse for public activities, and another for private activities, and another for anonymous activities.
+
+
+Here's how your ideal infrastructure must look like, if you want to maintain anonymity online:
+ + +Once the plan is clear to you, it's time to implement it. This whole anonymization process can be disguised as a "i've sold all of my services to this anonymous guy online" scenario, while "This anonymous guy online" is secretely you, from the Whonix VMs inside of your hidden veracrypt partitions. A typical anonymization of your services would look like this:
+
+Conversation on email / in a chatroom:
+A: Hey i want to buy your services, i can pay 2 XMR
+you: sure, here's my XMR address:
+A:payment sent, awaiting accesses
+you: ok payment recieved, here is the domain transfer code for domainexample.com: mkmkkljnnuju, i made sure it was unlocked
+A: ok i've created the transfer request on nicevps.net, it will get transfered in a few days (can take 2 weeks for example). Please send me the accesses to your public servers.
+you: here is SSH root access for server A, B, and C (typically the 2 dns servers, and the main public server)
+A: ok i changed all of the accesses, please send me the files for the X Y Z services that you host at home. i've created a temporary user you can SSH with to copy the files in /tmp/
+you: ok i just SCP'd (sent via SSH) the files in /tmp/
+A: recieved, thanks.
+you: Please publicly state, and PGP-sign that the domain, and all of it's servers have been bought by you, by mentionning the new name, email and the plan moving forward.
+A: Domain has been successfully transfered to nicevps.net, all good thanks.
+A: done, and added to the public page as an announcement, thanks.
+
+
+
+Make sure that you save the proof of the transaction (the whole chatlog, and the monero transaction ID), and that you sign it with you PGP key just in case if an adversary asks if you still are the owner of those services.
+As a result, publicly you will now state that you no longer offer any of the services you were doing previously, and that someone else took over the website and services after buying it.
+While secretely onwards, these services will all be accessed, paid for and administered anonymously by you from the Whonix VMs you have inside your hidden veracrypt partition.
+ + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to take a look at how to manage your online Anonymity.
+ +DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling +
+source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
+
+regarding wear leveling:
+"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
+
+
+
+This tutorial is based on my previous explanation on OPSEC make sure that you take it into account before proceeding.
+ +So, we basically want 3 ways to access websites. The first being while using tor, for complete anonymity, to do that we'll use whonix. The second is to do the same but to masquerade it with a non-KYC VPN which will also be acquired anonymously to be used only in the case of a website blocking tor exit nodes, and the last one is without any protection, for websites you cannot use without KYC.
+ +As a safety measure for Anonymity, there will be a veracrypt hidden partition in use for plausible deniability.
+ +To prepare the computer for those tasks, we will rely on opensource software to avoid any tracking, we'll remove logs from linux.
+And lastly, we're going to take a look at how to keep track of your accesses to the websites you access anonymously
+ + +First let's make sure all logs get erased upon system shutdown as described in my previous tutorial on host OS hardening (by piping all logs to go to the /tmp/ folder):
+ +We also make sure that the script to remove logs also includes shutting down the VMs and closes the veracrypt volume just like the emergency shutdown script we detailed in the previous tutorial on homeserver physical security:
+
+
+[ mainpc ] [ /dev/pts/2 ] [~/logremover]
+→ cat /etc/systemd/system/reboot_logremover.service
+[Unit]
+Description=Shutdown Anti forensics
+DefaultDependencies=no
+Before=shutdown.target reboot.target halt.target
+
+[Service]
+Type=oneshot
+ExecStart=/root/shutdown.sh
+TimeoutStartSec=0
+
+[Install]
+WantedBy=shutdown.target reboot.target halt.target
+
+[ mainpc ] [ /dev/pts/2 ] [~/logremover]
+→ cat shutdown.sh
+#!/bin/bash
+
+#remove VMs
+
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-External
+
+#then unmount veracrypt volumes
+
+sudo veracrypt -d -f
+
+# then cleanup logs
+
+sudo rm -rf /dev/shm/*
+sudo rm -rf /var/log/*
+sudo dmesg -c
+
+
+In the shutdown.sh script we also make sure that the VMs are removed, and that the veracrypt volumes are unmounted, before clearing up the logs.
+ +Next we're going to install libvirt as seen in our previous tutorial on host os hardeninghere:
+
+sudo pacman -S libvirt qemu-full virt-manager dnsmasq bridge-utils
+
+sudo systemctl enable --now libvirtd
+
+#####################vault.sh:#######################################
+#!/bin/bash
+echo "[+] MOUNTING VAULTS..."
+
+sudo cryptsetup luksOpen /dev/nvme1n1p1 VAULT
+sudo mkdir /run/media/nihilist/VAULT 2>/dev/null
+sudo mount /dev/mapper/VAULT /run/media/nihilist/VAULT
+
+echo "[+] VAULTS MOUNTED"
+###################################################################
+
+usermod -a -G libvirt nihilist
+usermod -a -G kvm nihilist
+
+[root@nowhere ~]# vim /etc/libvirt/libvirtd.conf
+[root@nowhere ~]# cat /etc/libvirt/libvirtd.conf | grep sock_group
+unix_sock_group = "libvirt"
+unix_sock_rw_perms = "0770"
+
+sudo chmod 770 -R VMs
+sudo chown nihilist:libvirt -R VMs
+
+cat /etc/libvirt/qemu.conf
+group = "libvirt"
+user = "nihilist"
+
+systemctl restart libvirtd.service
+
+virt-manager
+
+
+
+Next step we create the veracrypt drives, so use the /dev/sdb harddrive for it:
+
+[ 10.99.99.9/24 ] [ /dev/pts/2 ] [~/Nextcloud/Obsidian]
+→ lsblk
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+sda 8:0 0 1.8T 0 disk
+└─sda1 8:1 0 1.8T 0 part
+sdb 8:16 0 447.1G 0 disk
+sdc 8:32 0 3.6T 0 disk
+└─VAULTBACKUP 253:1 0 3.6T 0 crypt /mnt/VAULTBACKUP
+zram0 254:0 0 4G 0 disk [SWAP]
+nvme1n1 259:0 0 1.8T 0 disk
+└─nvme1n1p1 259:1 0 1.8T 0 part
+ └─VAULT 253:0 0 1.8T 0 crypt /mnt/VAULT
+nvme0n1 259:2 0 465.8G 0 disk
+├─nvme0n1p1 259:3 0 511M 0 part /boot
+└─nvme0n1p2 259:4 0 465.3G 0 part /
+
+
+
+Be aware that the 3 VMs we need to place in a veracrypt container all weigh 100GB each so you need 300Gb for all 3 VMs, so you need at least 2x300Gb to replicate the setup in the decoy partition, so pick a 1.2TB harddrive instead, with some additional space so preferably a 1.8TB one just to be safe, unlike as shown below (a 500gb disk which is not enough!)
+So let's now setup the hidden partition there:
+
+[ 10.99.99.9/24 ] [ /dev/pts/2 ] [~/Nextcloud/Obsidian]
+→ sudo pacman -S veracrypt
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Now that's done, let's setup the whonix and workstations templates, we will then copy them in the veracrypt harddrive afterward to edit them. So let's go here to download whonix for QEMU:
+ + +
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ mv ~/Downloads/Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz .
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ tar -xvf Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_BINARY_LICENSE_AGREEMENT
+WHONIX_DISCLAIMER
+Whonix-Gateway-Xfce-17.0.3.0.xml
+Whonix-Workstation-Xfce-17.0.3.0.xml
+Whonix_external_network-17.0.3.0.xml
+Whonix_internal_network-17.0.3.0.xml
+Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2
+Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+
+Next we edit the XML files to have the working VMs, for which we will give 2GB of ram for the gateway, and 4GB of ram for the workstation while also specifying the path to their .qcow2 volumes:
+
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep GiB
+ <memory dumpCore='off' unit='GiB'>4
+ <currentMemory unit='GiB'>4
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat Whonix-Workstation-Xfce-17.0.3.0.xml| grep source
+ <source file='/mnt/VAULT/ISOs/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+
+
+
+
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat Whonix-Gateway-Xfce-17.0.3.0.xml | grep GiB
+ <memory dumpCore='off' unit='GiB'>2
+ <currentMemory unit='GiB'>2
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
+ <source file='/mnt/VAULT/ISOs/whonix/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+
+and now to make things easier let's put a refreshvms.sh script in there to remove and restart the VMs:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ vim refreshvms.sh
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat refreshvms.sh
+#!/bin/bash
+
+#remove VMs
+
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-External
+
+echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
+read
+
+#install VMs
+
+sudo virsh -c qemu:///system net-define Whonix_external*.xml
+sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+sudo virsh -c qemu:///system net-autostart Whonix-External
+sudo virsh -c qemu:///system net-start Whonix-External
+sudo virsh -c qemu:///system net-autostart Whonix-Internal
+sudo virsh -c qemu:///system net-start Whonix-Internal
+sudo virsh -c qemu:///system define Whonix-Gateway*.xml
+sudo virsh -c qemu:///system define Whonix-Workstation*.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ chmod +x refreshvms.sh
+
+
+then run it:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ ./refreshvms.sh
+error: Failed to destroy domain 'Whonix-Gateway'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation'
+error: Requested operation is not valid: domain is not running
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+
+Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
+
+error: Failed to define network from Whonix_internal_network-17.0.3.0.xml
+error: operation failed: network 'Whonix-Internal' already exists with uuid 48298ccf-9352-4b21-b6c4-17ad13ad1d6d
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
+
+
+Then launch the VMs from virt-manager:
+ +let's start with the Gateway:
+ + + + + +Now that's done you can also finish the initial setup for the workstation:
+ + +So from here you can use whonix regularly to browse with the tor browser, don't forget to disable javascript and to always keep the browser up to date like so:
+ +As suggested above, we'll also upgrade the VMs, and to go further we'll install unattended upgrades (note whonix's default system credentials are user:changeme:
+
+$ passwd
+$ sudo -i
+# apt update -y ; apt upgrade -y ; apt autoremove -y
+# apt install unattended-upgrades apt-listchanges -y
+# dpkg-reconfigure -plow unattended-upgrades
+
+^ select yes there
+
+
+Next step is to have the second workstation which will be used as the vpn over tor setup later on so let's copy the .xml and .qcow2 after shutting down the existing workstation:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ ls
+refreshvms.sh Whonix_external_network-17.0.3.0.xml Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
+WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation-Xfce-17.0.3.0.xml
+WHONIX_BINARY_LICENSE_AGREEMENT_accepted Whonix-Gateway-Xfce-17.0.3.0.xml Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_DISCLAIMER Whonix_internal_network-17.0.3.0.xml
+
+ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cp Whonix-Workstation-Xfce-17.0.3.0.xml Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cp Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
+
+
+Then edit the new xml file to match the new VM name:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep Workstation2
+ <name>Whonix-Workstation2</name>
+ <source file='/mnt/VAULT/ISOs/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+
+Then we include it in the refreshVMs.sh script:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat refreshvms.sh
+#!/bin/bash
+
+#remove VMs
+
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system destroy Whonix-Workstation2
+
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Workstation2
+
+
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-Internal
+
+
+
+
+echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
+read
+
+#install VMs
+sudo virsh -c qemu:///system net-define Whonix_external*.xml
+sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+
+
+sudo virsh -c qemu:///system net-autostart Whonix-External
+sudo virsh -c qemu:///system net-start Whonix-External
+
+sudo virsh -c qemu:///system net-autostart Whonix-Internal
+sudo virsh -c qemu:///system net-start Whonix-Internal
+
+sudo virsh -c qemu:///system define Whonix-Gateway*.xml
+sudo virsh -c qemu:///system define Whonix-Workstation2*.xml
+sudo virsh -c qemu:///system define Whonix-Workstation-*.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ ./refreshvms.sh
+error: Failed to destroy domain 'Whonix-Gateway'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation2'
+error: Requested operation is not valid: domain is not running
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Domain 'Whonix-Workstation2' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+Network Whonix-Internal has been undefined
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+
+Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
+
+Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
+
+
+Then edit the new workstation VM to have the 10.152.152.12 ip by default (since the other one has the 10.152.152.11 ip):
+ + +Now that our VM templates are done, let's put them on our veracrypt harddrive:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ ./refreshvms.sh
+[sudo] password for nothing:
+Domain 'Whonix-Gateway' destroyed
+
+Domain 'Whonix-Workstation' destroyed
+
+Domain 'Whonix-Workstation2' destroyed
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Domain 'Whonix-Workstation2' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+Network Whonix-Internal has been undefined
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+^C
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ ls
+refreshvms.sh Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
+WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway-Xfce-17.0.3.0.xml Whonix-Workstation-Xfce-17.0.3.0.xml
+WHONIX_BINARY_LICENSE_AGREEMENT_accepted Whonix_internal_network-17.0.3.0.xml Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_DISCLAIMER Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
+Whonix_external_network-17.0.3.0.xml Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+
+
+
+Once mounted, let's copy them here and launch them:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cd /media/veracrypt1
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cp /mnt/VAULT/ISOs/whonix/* .
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ ls -lash
+total 21G
+4.0K drwxr-xr-x 2 nothing nothing 4.0K Oct 8 13:35 .
+4.0K drwxr-xr-x 3 root root 4.0K Oct 8 13:34 ..
+4.0K -rwxr-xr-x 1 nothing nothing 1.2K Oct 8 13:35 refreshvms.sh
+ 40K -rw-r--r-- 1 nothing nothing 39K Oct 8 13:35 WHONIX_BINARY_LICENSE_AGREEMENT
+ 0 -rw-r--r-- 1 nothing nothing 0 Oct 8 13:35 WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+8.0K -rw-r--r-- 1 nothing nothing 4.1K Oct 8 13:35 WHONIX_DISCLAIMER
+4.0K -rw-r--r-- 1 nothing nothing 172 Oct 8 13:35 Whonix_external_network-17.0.3.0.xml
+5.2G -rw-r--r-- 1 nothing nothing 101G Oct 8 13:35 Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2
+4.0K -rw-r--r-- 1 nothing nothing 2.4K Oct 8 13:35 Whonix-Gateway-Xfce-17.0.3.0.xml
+4.0K -rw-r--r-- 1 nothing nothing 97 Oct 8 13:35 Whonix_internal_network-17.0.3.0.xml
+6.9G -rw-r--r-- 1 nothing nothing 101G Oct 8 13:35 Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
+4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 8 13:35 Whonix-Workstation2-Xfce-17.0.3.0.xml
+7.0G -rw-r--r-- 1 nothing nothing 101G Oct 8 13:35 Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
+4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 8 13:35 Whonix-Workstation-Xfce-17.0.3.0.xml
+1.3G -rw-r--r-- 1 nothing nothing 1.3G Oct 8 13:35 Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+
+
+Now that's done, you need to edit each XML to make sure it has the correct path in it:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Gateway-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
+ <source file='/media/veracrypt1/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep source
+ <source file='/media/veracrypt1/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep source
+ <source file='/media/veracrypt1/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+
+Then you can use the VMs using the refreshvms.sh script:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ ./refreshvms.sh
+[sudo] password for nothing:
+error: failed to get domain 'Whonix-Gateway'
+
+error: failed to get domain 'Whonix-Workstation'
+
+error: failed to get domain 'Whonix-Workstation2'
+
+error: failed to get domain 'Whonix-Gateway'
+
+error: failed to get domain 'Whonix-Workstation'
+
+error: failed to get domain 'Whonix-Workstation2'
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+error: failed to get network 'Whonix-Internal'
+error: Network not found: no network with matching name 'Whonix-Internal'
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+error: failed to get network 'Whonix-Internal'
+error: Network not found: no network with matching name 'Whonix-Internal'
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+
+
+Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
+
+Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
+
+
+Now with this if you are forced to give away the password for that harddrive, you can give them this decoy partition, and they'll find the whonix VMs you've copied there.
+So now dismount the veracrypt partition, to do that you need to first remove the VMs with the script, and then you need to EXIT the folder, otherwise it'll complain and tell you that the target drive is busy and can't be unmounted:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ ./refreshvms.sh
+error: Failed to destroy domain 'Whonix-Gateway'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation2'
+error: Requested operation is not valid: domain is not running
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Domain 'Whonix-Workstation2' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+Network Whonix-Internal has been undefined
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+^C
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cd ..
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media]
+→
+
+
+Now that's done for the decoy partition, we do the same for the hidden partition:
+ + +
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media]
+→ cd veracrypt1
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cp /mnt/VAULT/ISOs/whonix/* .
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ ls
+refreshvms.sh Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
+WHONIX_BINARY_LICENSE_AGREEMENT Whonix-Gateway-Xfce-17.0.3.0.xml Whonix-Workstation-Xfce-17.0.3.0.xml
+WHONIX_BINARY_LICENSE_AGREEMENT_accepted Whonix_internal_network-17.0.3.0.xml Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_DISCLAIMER Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
+Whonix_external_network-17.0.3.0.xml Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+
+Then edit the paths again:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Gateway-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
+ <source file='/media/veracrypt1/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep source
+ <source file='/media/veracrypt1/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep source
+ <source file='/media/veracrypt1/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+
+Then start the VMs:
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ ./refreshvms.sh
+[sudo] password for nothing:
+error: failed to get domain 'Whonix-Gateway'
+
+error: failed to get domain 'Whonix-Workstation'
+
+error: failed to get domain 'Whonix-Workstation2'
+
+error: failed to get domain 'Whonix-Gateway'
+
+error: failed to get domain 'Whonix-Workstation'
+
+error: failed to get domain 'Whonix-Workstation2'
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+error: failed to get network 'Whonix-Internal'
+error: Network not found: no network with matching name 'Whonix-Internal'
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+error: failed to get network 'Whonix-Internal'
+error: Network not found: no network with matching name 'Whonix-Internal'
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+
+Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
+
+Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
+
+
+You need to keep in mind that currently we have not given out any information about ourselves, other than we've used Tor. We won't stop there, and in order to use a VPN anonymously, you need to acquire it through Tor, buy it with Monero, and force the VPN Connection itself through Tor. Cherry on top is that we're going to use a well-used VPN service, so we won't be the only user with that public VPN ip. But what matters is that we do not give any information about us to the VPN provider. If the VPN provider forces you to provide anything personal (if the vpn provider blocks tor connections, or forces you to buy it with something else than monero), then it would not truly be a non-KYC VPN provider, and thus it's against your privacy. That's the only way you can find out which ones are all just marketing.
+ +Now that's done we can go find a vpn provider for the workstation2, let's try out the very praised mullvad vpn provider here, Firstly because it's a non-KYC VPN provider (meaning you can acquire it and use it through Tor, and pay with Monero), also due to the fact that we won't be the only ones using that service, it means we won't need to change the VPN server when we want to have another identity online. On top of that, mullvad gives us the ability to connect to a random server of theirs, via openvpn via TCP on port 443, which is definitely neat because it mimicks web HTTPS traffic, and isn't blockable by tor exit node hosters (which is definitely a trend, most of them block ports that are suceptible to abuse, 443 https being the least likely of them):
+ + +now to not loose your accesses , make sure to save credentials in a local keepass database on the VM.
+ + + +Now let's add time to our account, and of course we will pay with the only cryptocurrency that's used:
+ + +To get some monero you can buy it on localmonero.co, and make sure it arrives on your monero wallet inside the whonix VM, never trust centralised exchanges with your assets, always keep them locally.
+ +Once it finishes installing, create your monero wallet:
+ +Then say no to mining and use an onion-based monero daemon, like the one i'm hosting, you can find a full list of other ones here:
+ +Wait for it to finish synchronizing, then get some monero from a vendor on localmonero.co (by giving them a wallet address you'd have created:
+ + +Once you've paid, download the .ovpn file to connect via vpn:
+ +Then unzip and let's now make sure the vpn goes through tor:
+ + +To do that we need to make sure the VPN goes through the local SOCKS port 9050, and to mention the entry node which is the gateway 10.152.152.10:
+ +before we launch it keep in mind this:
+DISCLAIMER: While on a VPN, DO NOT use the tor browser, this will make the entire tor browsing visible from the VPN server. In this particular setup you need to use Firefox while the VPN connection is active!!! Make sure that all tor-related applications are shutdown before starting the VPN. I suggest to close everything, and then only have the terminal and firefox open before launching the VPN. + +Then launch the VPN and you can then see that you no longer have a tor exit node IP:
+ + +Now check your ip from Firefox, not the tor browser:
+ +You can also check if there are any DNS leaks:
+ +here we see the test revealed a dns ip leak, but upon checking (in shodan.io) we see that it's a tor exit IP address:
+ +We can also check if there are any WebRTC leaks:
+ +and there we see that there are no webRTC leaks either, so it's all good.
+To make sure the vpn is started automatically we can make it a systemd service:
+
+root@workstation:~# cat /etc/systemd/system/vpn.service
+[Unit]
+Description=VPN
+After=network-online.target
+Wants=network-online.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=simple
+WorkingDirectory=/home/user/Desktop/mullvad_config_linux_nl_ams/
+ExecStart=/usr/sbin/openvpn /home/user/Desktop/mullvad_config_linux_nl_ams/mullvad_nl_ams.conf
+ExecStop=kill -9 $(pidof openvpn)
+Restart=always
+
+root@workstation:~# systemctl daemon-reload ; systemctl enable --now vpn.service ; systemctl restart vpn.service
+
+
+
+Now thanks to that, you can still browse websites anonymously in case if they block tor exit nodes.
+To implement Anonymity Management, simply ask yourselves the following questions:
+First question to answer is "Is the activity Sensitive, and will I need to be able to deny it's existence ?" If the answer is no, then we have the following questions:
+ +If the website requires you to give it your home address like Amazon for example, you can forget trying to be anonymous because you'll anyway need to de-anonymize yourself with your actions, no matter how you accessed the website.
+If the website doesn't block tor exit nodes, browse it via the Whonix VMs. But if it does, then use the VPN through Tor setup to circumvent the blockage.
+And lastly, for all websites you browsed to anonymously, make sure you log it to have an global view of your online anonymity.
+ +If your activities are sensitive enough that you need to be able to deny their existence, then we make use of veracrypt's plausible deniability features, and we open the whonix VMs from inside the hidden partition.
+And there the same questions apply, but you better remain anonymous while you conduct said sensitive activities.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to take a look at how to manage your online Anonymity.
+ +We want 3 ways to access websites. The first being while using tor, for complete anonymity. The second is to do the same but to masquerade it with a non-KYC VPN which will also be acquired anonymously, and the last is without any protection.
+ +As a preventive measure, we're going to separate each VMs using VLANs, so that there's a clear separation between any KYC VMs, and VMs used for anonymity. To do so there will be 3 separate VLANs, one being for Anonymity purposes, and the others for KYC use. +For Anonymity, there will be a veracrypt hidden partition in use for plausible deniability.
+ +To prepare the computer for those tasks, we will rely on opensource software to avoid any tracking, we'll remove logs from arch linux, and from pfsense.
+And lastly, we're going to take a look at how to keep track of your accesses to the websites you access anonymously
+ + +First let's make sure all logs get erased upon system shutdown (by piping all logs to go to the /tmp/ folder):
+
+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/var]
+→ sudo rm -rf log
+[sudo] password for nothing:
+
+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/var]
+→ sudo ln -s /tmp/ /var/log
+
+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/var]
+→ ls -lash log
+0 lrwxrwxrwx 1 root root 5 Sep 24 18:43 log -> /tmp/
+
+
+
+Next we're going to install libvirti as seen here:
+
+sudo pacman -S libvirt qemu virt-manager dnsmasq bridge-utils
+
+sudo systemctl enable --now libvirtd
+
+virt-manager
+
+
+Then create the 2 separate LANs for the VMs in virt-manager like so:
+ + + +Then you're going to need to create the pfsense VM, so first get the iso from the official website:
+ +
+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/var]
+→ cd /mnt/VAULT/ISOs
+
+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/mnt/VAULT/ISOs]
+→ mv ~/Downloads/pfSense-CE-2.7.0-RELEASE-amd64.iso.gz .
+
+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/mnt/VAULT/ISOs]
+→ ls -lash | grep pfSense
+730M -rw-r--r-- 1 nothing nothing 730M Sep 24 19:16 pfSense-CE-2.7.0-RELEASE-amd64.iso
+
+
+Then create the VM:
+ + + + +Before installing the VM we will setup the 3 network cards it will handle: The default WAN, and the 2 LANs
+ + + + +Now let's start installing the pfsense VM:
+ + + + + + + +And now that's done, next step is to make sure pfsense handles the 2 VLANs properly:
+ + + + +Then we set the ip addresses of each interface, starting with the LAN-KYC VLAN:
+ + + + +Then do the same for the LAN-ANON VLAN:
+ + + +For this next step, we're going to put a VM in the KYC vlan to finish the pfsense router setup
+ + +From there, it's a matter of setting up pfsense:
+ + + + + +To change the pfsense theme to a dark theme, go in System > General Setup > webConfiguratior > Theme > set to pfsense-dark
+ +As you've seen above, we've set 2 temporary public dns servers, so next we're going to setup 2 local TOR DNS servers, which will allow the VMs to resolve any domain anonymously.
+ +Once done, we make sure that pfsense takes these 2 dns servers, and only uses them, will also setup firewall rules to deny any other dns traffic.
+ +Here you can see it's working fine:
+ +Then shutdown the VM, clone it and you'll have the 2 tor DNSes working.
+ +Next just put them in the anon VLAN:
+ + +Once in there, we make sure that they are DHCP reserved so their ip won't change over time:
+ + + +Then do the same for the other tordns:
+ + +Then from the firewall, we allow the whole subnet to communicate to tordns1 and 2, because they will also be the bridge nodes, and we allow the tordns 1 and 2 servers to connect anywhere with any protocol. +That way, the only traffic that can escape from the anon subnet, will only be through these 2 servers, that will prevent any data leak from happening.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+Anonymity is the absence of Identification (or Onymity), it is when individuals are indistinguishable from each other, they all look the same.
+ +In short, Anonymity means you are not identified. In this example, Someone hid their identity, and is talking to Alice. That someone is anonymous until Jack can figure out who that person is.
+Anonymity is extremely fragile when that Someone is not implementing strict OPSEC practices, relating to:
+Using the correct Technology: (What is that Someone using, to protect their Anonymity ? (A mask, a Coat, a mask / the Tor network, i2p, etc))
Using the correct Behavior: (By that Someone's actions, they are not revealing who they are. (They are not saying they are Walter Hartwell White living at XYZ)
DISCLAIMER: That Someone remains Anonymous UNTIL THEY MAKE ONE OPSEC MISTAKE !
+Keep in mind that maintaining Anonymity is a much stricter practice than that of maintaining Privacy, as you will see, more threat vectors come into the picture.
+The first the and foremost enemy of Anonymity is Surveillance of any kind. Privacy is a REQUIREMENT if you want Anonymity.
+
+Example:
+
+Jack is surveilling Bob 24/7. He sees that Bob purchases a mask and a coat, He sees that Bob wears the mask to then go outside to do something sketchy.
+
+Conclusion:
+
+Because Bob did not have Privacy from Jack in the first place, Bob cannot have Anonymity either.
+
+
+Surveillance CANNOT be tolerated when you want Anonymity. So before you try to learn to be anonymous online, learn why and how to get Privacy online here.
+ +The other major enemy of Anonymity is Know Your Customer (KYC) Procedures, these are ways for services to force their customers to identify themselves, wether they like it or not.
+
+Example:
+
+Jack owns an online service (such as a centralised crypto exchange), he accumulated a large userbase over the years, over 1000 active users. The government where Jack operates is ramping up their financial regulations on businesses, and now Jack is being forced to identify all of it's users using standard KYC procedures
+
+Bob (an user on the website) that was anonymous up until that point, is now forced to do the following if he wants to keep using the platform:
+1) state his real life name
+2) his date of birth
+3) his home address
+4) send photos of his identity card
+5) send photos of his face (facial left, front and right sides)
+
+Conclusion:
+
+Jack is either forced to identify his users or go out of business
+Bob is either forced to identify himself or stop using the service
+
+All of it because the government intends to destroy Bob's right to remain Anonymous online.
+
+
+But the root cause of surveillance and KYC procedures, is that every centralised entity (any public or private business) will be eventually forced to comply to their government's requests, at the expense of their users.
+There are only 2 possible long-term outcomes for Centralisation:
+Act as a governmental proxy to enforce regulations/agendas, at the expense of users' rights
Or be forced out of business altogether.
To be able to achieve Anonymity, you need Privacy, and at least some level of Decentralisation (in the case of anonymization networks like Tor for instance), as we will see in our next tutorials.
+In a way, Anonymity is an improvement over Privacy. In the sense that Privacy is about being about to seclude yourself or information about yourself. Anonymity is the logical next step to Privacy, Where you not only just conceal what your actions are, but also who you are.
+Depending on the context, especially if you are living in a dictatorship, Anonymity is vital for you to act freely, out of the grasp of adversaries.
+As we have discussed previously, for a government's laws to be respected, they need to be enforced.
+ +And for the laws to be enforced, governments need:
+To know what happened (lack of Privacy, using Surveillance )
To know who did it (lack of Anonymity, using KYC procedures )
Governmental control as a concept itself rests upon these fundamental 2 pillars, the detriment of the individual's Privacy, and Anonymity.
+In order to regain the control you lost to dictatorships, you first need Privacy, and then you need Anonymity.
+Most governments want to control the public opinion through opression and censorship, Journalism is one of the most demanding sectors in terms of Anonymity, especially in authoritarian/dictatorship governments where censorship is omnipresent, for them, very sadly, Anonymity is the difference-maker between life and death in those areas of the world.
+ +For instance, the Freedom of the Press index is a great indicator to tell if you are living in a country that employs censorship as a means to control the population or not. Make no mistake, Governments are often ready to murder journalists to protect their public image, like in Mexico: [1] [2].
+Essentially, the idea is to reduce your attack surface as much as possible, given the context of near-omnipresent surveillance, Privacy has it's limits, and Anonymity very often becomes the only way out of opression. If noone knows who did something, there can't be any repercussions for the perpetrating party.
+In a way, Anonymity is superior to Privacy because whatever happened may have been hidden thanks to Privacy, but it may be discovered at a later point in time. Anonymity on the other hand, if maintained, remains a permanent way to act without any repercussions.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
As we discussed previously, KYC is out of the question if you want to remain anonymous. So you need to find a cloud provider that allows you to rent servers without any KYC.
+To find one you can go on kycnot.me:
+ +the current one I use for my services is ServersGuru, as they can resell popular cloud providers like hetzner.
+In our example below we'll use Cockbox. but first thing we need is a non-KYC email provider, to do so we could follow Privacy Guides' recommendation and create an account on Tuta, but for simplicity i'll use a temporary email from https://tmail.link (do not use it for extended usage)
+ + + +Now that the account is created, we can also validate if we can recieve mails:
+Next we generate a SSH key to connect to the server:
+
+[ mainpc ] [ /dev/pts/5 ] [~]
+→ ssh-keygen -t ed25519 -C ""
+Generating public/private ed25519 key pair.
+Enter file in which to save the key (/home/nihilist/.ssh/id_ed25519): /home/nihilist/.ssh/ssh-key-test
+/home/nihilist/.ssh/ssh-key-test already exists.
+Overwrite (y/n)? y
+Enter passphrase (empty for no passphrase):
+Enter same passphrase again:
+Your identification has been saved in /home/nihilist/.ssh/ssh-key-test
+Your public key has been saved in /home/nihilist/.ssh/ssh-key-test.pub
+The key fingerprint is:
+SHA256:hu1aO2qMU0XuaRDTRiVHH3Jl2hNP/0prlAnpPCTGECo
+The key's randomart image is:
++--[ED25519 256]--+
+| o=+= o.+ .|
+| o.+= + * +.|
+| E .* + * o o|
+| ..oo. = . +.|
+| .+S. + = .|
+| .o+ + o |
+| + .o + |
+| o oo.. . |
+| oo... |
++----[SHA256]-----+
+
+[ mainpc ] [ /dev/pts/5 ] [~]
+→ cat .ssh/ssh-key-test.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqt0O2ZbRt/7ikk0PdPRcb1GRBE5YNDdBHFCMGIdeHb
+
+
+
+validate the VPS purchase with the Monero option:
+ + +Then here we send the Monero payment:
+ + +then wait 10-20 minutes for the payment to be validated by the network, and then you should recieve the mail with your server accesses:
+ +Now that the server is provisionned, we can connect to it:
+ +To access the server anonymously, you just need to ssh there through tor using torsocks:
+
+[ mainpc ] [ /dev/pts/6 ] [~]
+→ cat .ssh/config| head -n4
+Host test-server
+ User root
+ hostname 185.216.68.156
+ IdentityFile ~/.ssh/id_ed25519
+
+[ mainpc ] [ /dev/pts/6 ] [~]
+→ torsocks ssh test-server
+The authenticity of host '185.216.68.156 (185.216.68.156)' can't be established.
+ED25519 key fingerprint is SHA256:Od5FT4wcALDHXXK2B4t6lM8idsDmUfhqWpDFjStgBwI.
+This key is not known by any other names.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added '185.216.68.156' (ED25519) to the list of known hosts.
+Linux cockbox 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+
+root@cockbox:~# id
+uid=0(root) gid=0(root) groups=0(root)
+
+root@cockbox:~# apt update -y ; apt upgrade -y ; apt autoremove -y
+
+
+
+And that's it! We now have access to a remote server, we acquired it anonymously, and are now using it anonymously aswell.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
Here in this case, we can say that the conversation between Bob and Alice is private, because it excludes Jack from spying on the conversation.
+ +Here in this case, we can say that the person talking to Alice is Anonymous from Jack's perspective, until he can figure out who he really is. Until that someone makes an OPSEC Mistake (such as saying out loud his real name, or where he lives), he remains Anonymous.
+ +Here, a profit Company offers an online service (such as Twitter) for their own profit, most often they will do everything they can to keep as many users on their service, in order to gather as much personal information about them as they can, for their own profit.
+ +A federated service can be considered as semi-decentralised, due to having a company running the main instance that contains a huge amount of users, while other instances can be ran by individuals with a smaller amount of users. The federation means that instances connect to each other so that individual B may talk to individual A, or individual C.
+ + +We can say that a service is decentralised when individuals are running the services themselves, and offering them back to the individuals, without any profit company coming into the picture.
+ +Here in this case, we can say that the door is secure because it protects Alice and Bob's conversation from Jack's attempts to hear the contents of the conversation.
+ +Bob and Alice are supposed to have their conversation protected by a closed door, but Jack has an 100% sure way of breaking down the door, no matter how they try to reinforce the door, There is nothing Bob and Alice can do about it.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
"Hey, i just wrote this code, i compiled it, it gave me this .exe file, run it on your computer!
+What? You want the source code ? Hell no, just trust me bro!"
+ +To briefly explain, any software out there was first written (a developer wrote some source code, for example in the go language), it was then compiled, and then the compilation produced a binary file (for example it became a .exe file on windows)
+ +The catch here is that when you try to reverse-engineer binary files, it's going to be very hard to figure out what the original source code was. This practice is called Reverse Engineering, a niche in cybersecurity, where someone tries to figure out what the original sourcecode was intended to be, with only the binary to work with.
+One thing is for sure: you can't arrive at the original sourcecode from just the binary. It's mostly guess work.
+Most software companies (which can be corporations) out there are greedy, they work hard to produce software, and they hate to have any competition. Hence they want keep their software sourcecode private, to make it as hard as possible to others to arrive at the same level of functionnality. That is exactly why closed source software is used by most people.
+ +The most popular example out there is Windows, they would definitely not like their sourcecode to be leaked/reversed like it with Apple's IOS.
+Let's take a popular example: Discord as detailed in their article on spyware watchdog, it's one of the worst pieces of spyware out there. It's sourcecode is not public, and they confirm that they collect large amounts of sensitive user data (as much as they can).
+Discord even goes out of it's way and contains a process logger to spy on what you do on your computer.
+That service even forces you to add a phone number in case if it suspects you tried to create an account anonymously (via a vpn or via tor).
+You get it, it's a nightmare for privacy and anonymity there is out of the question. The perfect governmental proxy to spy on the masses.
+ + +Matrix : The Decentralised and Open Source Alternative +Take the counter example, Matrix is an open source chat protocol. Meaning if there were any spyware to be baked into the software, you would see it in the sourcecode, and rest assured the entire open source community would go into huge turmoil and you would know it.
+You are also free to use other equally elegant UX/UI clients (for example using cinny or element), you can self host both the server and the client, and it implements E2EE (end to end encryption)
+ + +To conclude, here are the requirements you need to look for, for any software that you use:
+It must be open source
It must be self-hostable (for decentralisation) (meaning the serverside code must also be fully opensource)
It must implement privacy features like encryption
It should not contain any telemetry, or any spyware.
It should ONLY do what it was originally meant to do.
By that standard, you can already discard software like Windows, Discord, Whatsapp, Instagram, iOS, pre-installed phone host OSes, Word, Excel, etc, as none of them are open source, and you can be damn sure that they are spying on everything you do, willfully or not. (ever since the US government passed the FISA section 702.)
+ +YOU CAN NEVER TRUST PEOPLE.
+SO YOU CAN'T TRUST THEIR CLOSED SOURCE SOFTWARE.
+YOU CAN ONLY TRUST TECHNOLOGY THAT CAN BE VERIFIED!
+SO YOU NEED TO USE OPEN SOURCE SOFTWARE!
+ + + +Now that you have the full reasoning laid out, and if being watched by an entire crowd when you are using your computer doesn't sit well with you, it's time for you to move out of all that surveillance, out of that theater/circus that is closed-source software (in which you are the clown on stage, for corporations to see), it's time for you to close the blinds and declare that the show is over to these entire crowds that have infringed upon your basic right of privacy. It's time to install Linux.
+ + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
as we have discussed previously, software needs to first be written by a developer, then compiled to produce a binary file (like an .exe file on windows, or a binary file on debian) to be used.
+ +The largest website to find open-source software repositories is Github, where we can find open source projects.
+In this case, Bob wants to have a screenshot software on debian, and he wants it to be open-source:
+ +Here we see that there is a popular screenshot software called "Flameshot" that is available on github:
+ +All of the sourcecode is available, and Bob if is concerned that there may be spyware, he can browse all of the code to check if there is any spyware in it or not.
+ +Next, Bob can find the compiled binaries of flameshot in the releases tab:
+ +But! Bob is an open-source purist, he thinks that the flameshot developers intentionally compiled the software with spyware into it, Bob doesn't trust that they could compile the software for him, hence he wants to compile the software himself.
+Each software can come with different compilation requirements, make sure you read their documentation on how to compile software, for example flameshot has specific instructions to compile their software:
+
+[ mainpc ] [ /dev/pts/4 ] [~]
+→ cd Documents
+
+[ mainpc ] [ /dev/pts/4 ] [~/Documents]
+→ git clone https://github.com/flameshot-org/flameshot
+Cloning into 'flameshot'...
+remote: Enumerating objects: 18204, done.
+remote: Counting objects: 100% (5467/5467), done.
+remote: Compressing objects: 100% (339/339), done.
+remote: Total 18204 (delta 5251), reused 5155 (delta 5128), pack-reused 12737
+Receiving objects: 100% (18204/18204), 23.03 MiB | 2.38 MiB/s, done.
+Resolving deltas: 100% (13494/13494), done.
+
+[ mainpc ] [ /dev/pts/4 ] [~/Documents]
+→ cd flameshot
+
+
+# Compile-time
+sudo apt install g++ cmake build-essential qtbase5-dev qttools5-dev-tools libqt5svg5-dev qttools5-dev -y
+
+# Run-time
+sudo apt install libqt5dbus5 libqt5network5 libqt5core5a libqt5widgets5 libqt5gui5 libqt5svg5 -y
+
+# Optional
+sudo apt install git openssl ca-certificates -y
+
+Now that the dependencies are installed, we start to compile flameshot:
+
+[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
+→ cmake -S . -B build && cmake --build build
+-- The CXX compiler identification is GNU 12.2.0
+-- Detecting CXX compiler ABI info
+-- Detecting CXX compiler ABI info - done
+-- Check for working CXX compiler: /usr/bin/c++ - skipped
+-- Detecting CXX compile features
+-- Detecting CXX compile features - done
+-- Setting build type to 'RelWithDebInfo' as none was specified.
+CMake Warning at cmake/Cache.cmake:28 (message):
+ ccache is enabled but was not found. Not using it
+Call Stack (most recent call first):
+ CMakeLists.txt:84 (include)
+
+
+-- Performing Test Wall_FLAG_SUPPORTED
+-- Performing Test Wall_FLAG_SUPPORTED - Success
+-- Performing Test pedantic_FLAG_SUPPORTED
+-- Performing Test pedantic_FLAG_SUPPORTED - Success
+-- Performing Test Wextra_FLAG_SUPPORTED
+-- Performing Test Wextra_FLAG_SUPPORTED - Success
+Flameshot predefined color palette large: false
+-- Found Git: /usr/bin/git (found version "2.39.2")
+git found: /usr/bin/git in version 2.39.2
+FLAMESHOT_GIT_HASH: c1dac522
+-- Configuring done
+-- Generating done
+-- Build files have been written to: /home/nihilist/Documents/flameshot/build
+[ 1%] Automatic MOC for target SingleApplication
+[ 1%] Built target SingleApplication_autogen
+[ 2%] Building CXX object external/singleapplication/CMakeFiles/SingleApplication.dir/SingleApplication_autogen/mocs_compilation.cpp.o
+
+[...]
+
+
+
+Here, it's starting to compile, wait for it to reach 100%, then you can run the binary file as follows:
+ +
+[...]
+
+[ 96%] Building CXX object src/CMakeFiles/flameshot.dir/tools/abstracttwopointtool.cpp.o
+[ 97%] Building CXX object src/CMakeFiles/flameshot.dir/tools/capturecontext.cpp.o
+[ 97%] Building CXX object src/CMakeFiles/flameshot.dir/tools/toolfactory.cpp.o
+[ 98%] Building CXX object src/CMakeFiles/flameshot.dir/main.cpp.o
+[ 98%] Building CXX object src/CMakeFiles/flameshot.dir/flameshot_autogen/IJ3KGTTQ5V/qrc_graphics.cpp.o
+[100%] Linking CXX executable flameshot
+[100%] Built target flameshot
+
+[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
+→ ls
+appveyor.yml CMakeLists.txt docs LICENSE scripts src
+build CODE_OF_CONDUCT.md external packaging shell.nix tests
+cmake data flameshot.example.ini README.md snapcraft.yaml
+
+[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
+→ ls -lash build/src/flameshot
+49M -rwxr-xr-x 1 nihilist nihilist 49M Jun 28 14:14 build/src/flameshot
+
+[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
+→ ./build/src/flameshot
+
+
+if you want to be able to launch the flameshot binary without specifying the full path each time, you can add it to your system PATH:
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ ls -lash build/src/flameshot
+49M -rwxr-xr-x 1 nihilist nihilist 49M Jun 28 14:14 build/src/flameshot
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ echo $PATH
+/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ ln -s $(pwd)/build/src/flameshot /usr/local/bin/flameshot
+ln: failed to create symbolic link '/usr/local/bin/flameshot': Permission denied
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ sudo ln -s $(pwd)/build/src/flameshot /usr/local/bin/flameshot
+[sudo] password for nihilist:
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ which flameshot
+/usr/bin/flameshot
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ flameshot
+
+
+
+As we run the binary from the commandline, we then see the flameshot program opening here:
+ +as we click on the logo, we can enter the screenshot mode:
+ +then we click and drag to select the area of the screenshot:
+ +Then we can click the "save" icon to save the image somewhere:
+ + +Now Bob isn't going to compile everything, he doesn't have that patience. the next best thing is to download the pre-compiled binaries and to check the hash:
+ + +Here in this case, the appimage flameshot binary has been released along with the sha256 algorithm hash, so Bob downlads both:
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
+→ wget https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage
+--2024-06-28 14:31:09-- https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
+→ wget https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage.sha256sum
+--2024-06-28 14:32:26-- https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage.sha256sum
+
+
+
+Next, to check the integrity of the appimage file, we check the hash that we've downloaded:
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
+→ cat Flameshot-12.1.0.x86_64.AppImage.sha256sum
+c30634c84161f09e8dde74c76367b1ce848414bb1cc269c2a2715f6803220738 Flameshot-12.1.0.x86_64.AppImage
+
+
+and compare it to the hash we get when using the sha256sum command on the flameshot appimage:
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
+→ sha256sum Flameshot-12.1.0.x86_64.AppImage
+c30634c84161f09e8dde74c76367b1ce848414bb1cc269c2a2715f6803220738 Flameshot-12.1.0.x86_64.AppImage
+
+
+Here we see that the sha256 hash we get from the flameshot appimage binary is the same as the hash that was put online by the flameshot developers. This means that the binary didn't get tampered with from the original release, to having it inside Bob's debian VM. Hence, Bob can now use the flameshot appimage binary with peace of mind!
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to take a look at how to setup DNS servers using bind9.
+Disclaimer: If you want this service to remain anonymous, make sure you at least keep TOR between you and the service from the VPS acquisition to actual service usage.
+ + +First install the requirements:
+
+root@Temple:~# apt update -y ; apt upgrade -y ; apt install bind9 -y
+root@Temple:~# systemctl disable --now ufw
+
+
+
+Next we edit the /etc/bind/named.conf.options file to define which ip the dns server will serve:
+
+root@Temple:~# vim /etc/bind/named.conf.options
+listen-on {
+ 10.10.10.0/24;
+ 10.1.0.0/16;
+ ...
+};
+
+#OR
+listen-on { any; };
+listen-on-v6 { any; };
+
+
+
+Next, we allow the queries to come from any sources (not just local)
+
+allow-query { any; };
+
+
+and lastly, we add the forwarders which are the dns servers that bind9 will ask if it can't find the domain names, we can put cloudflare's dns servers for example:
+
+forwarders {
+ 1.1.1.1;
+ 1.0.0.1;
+};
+
+
+Here's the result, save it with :wq
+
+options {
+ directory "/var/cache/bind";
+ dnssec-validation auto;
+
+ listen-on-v6 { any; };
+ listen-on { any; };
+ allow-query { any; };
+ forwarders {
+ 1.1.1.1;
+ 1.0.0.1;
+ };
+};
+
+
+Then restart bind9:
+
+root@Temple:~# systemctl restart bind9
+root@Temple:~# systemctl status bind9
+● named.service - BIND Domain Name Server
+ Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
+ Active: active (running) since Tue 2021-11-02 20:37:26 UTC; 4s ago
+ Docs: man:named(8)
+ Main PID: 2863095 (named)
+ Tasks: 8 (limit: 4584)
+ Memory: 30.0M
+ CGroup: /system.slice/named.service
+ └─2863095 /usr/sbin/named -f -u bind
+
+Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
+Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
+Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:7fd::1#53
+Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
+Nov 02 20:37:26 Temple named[2863095]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Nov 02 20:37:26 Temple named[2863095]: resolver priming query complete
+Nov 02 20:37:30 Temple named[2863095]: listening on IPv4 interface tun0, 10.8.0.1#53
+Nov 02 20:37:30 Temple named[2863095]: listening on IPv6 interface tun0, fe80::5822:e1cd:a277:e3e3%124941#53
+Nov 02 20:37:30 Temple named[2863095]: no longer listening on 10.8.0.1#53
+Nov 02 20:37:30 Temple named[2863095]: no longer listening on fe80::5822:e1cd:a277:e3e3%124941#53
+
+
+and then finally we test if the dns works, let's ask our dns server for the ip address of google:
+
+[ 10.66.66.2/32 ] [ /dev/pts/20 ] [Nextcloud/blog]
+→ nslookup google.com temple.void.yt
+Server: temple.void.yt
+Address: 78.141.239.68#53
+
+Non-authoritative answer:
+Name: google.com
+Address: 172.217.169.14
+Name: google.com
+Address: 2a00:1450:4009:81d::200e
+
+
+And it worked ! Now let's setup an A record on our DNS server, for itself. To do that we need to specify the zones we're going to manage:
+
+
+root@Temple:/etc/bind# vim named.conf.local
+root@Temple:/etc/bind# cat named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+include "/etc/bind/zones.rfc1918";
+
+root@Temple:~# vim /etc/bind/zones.rfc1918
+root@Temple:~# cat /etc/bind/zones.rfc1918
+zone "void.yt" {
+ type master;
+ file "db.void.yt";
+ allow-update { none; };
+};
+
+
+Here we want to setup a subdomain of void.yt so let's do it in the db.void.yt file:
+
+$TTL 604800
+@ IN SOA ns1.void.yt. void.yt. (
+ 3 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+; name servers - NS records
+ 3600 IN NS ns1.void.yt.
+ 3600 IN NS ns2.void.yt.
+
+; name servers - A records
+ns1.void.yt. IN A 78.141.239.68
+ns2.void.yt. IN A 45.76.133.0
+
+; other hosts - A records
+host1.void.yt. IN A 1.1.1.1
+host2.void.yt. IN A 1.0.0.1
+
+
+And now we restart the bind9 service, and test if we can resolve the host1.void.yt domain:
+
+root@Temple:/etc/bind# systemctl restart bind9
+root@Temple:/etc/bind# systemctl status bind9
+● bind9.service - BIND Domain Name Server
+ Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sun 2021-11-14 10:28:16 UTC; 51s ago
+ Docs: man:named(8)
+ Main PID: 3710 (named)
+ Tasks: 8 (limit: 4582)
+ Memory: 29.7M
+ CGroup: /system.slice/bind9.service
+ └─3710 /usr/sbin/named -f -u bind
+
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:7fd::1#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:1::53#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:dc3::35#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2::c#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
+Nov 14 10:28:16 Temple named[3710]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Nov 14 10:28:16 Temple named[3710]: resolver priming query complete
+
+
+To do that we use nslookup:
+
+[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
+→ nslookup host1.void.yt temple.void.yt
+Server: temple.void.yt
+Address: 78.141.239.68#53
+
+Name: host1.void.yt
+Address: 1.1.1.1
+
+
+Now we fill in the db file for the rest of the hosts we need, i'll post my complete config just for reference:
+
+root@Temple:/etc/bind# vim db.void.yt
+root@Temple:/etc/bind# cat db.void.yt
+$TTL 604800
+@ IN SOA ns1.void.yt. void.yt. (
+ 7 ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!!
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+; name servers - NS records
+ 3600 IN NS ns1.void.yt.
+ 3600 IN NS ns2.void.yt.
+
+; name servers - A records
+ns1.void.yt. IN A 78.141.239.68
+ns2.void.yt. IN A 45.76.133.0
+
+; A records, public IPs
+temple 3600 IN A 78.141.239.68
+mail 3600 IN A 45.76.133.0
+mail 3600 IN AAAA 2001:19f0:7402:2c6:5400:3ff:fea7:22a3
+;void.yt
+
+
+ 3600 IN MX 10 mail.void.yt.
+ 3600 IN TXT "v=spf1 mx a:mail.void.yt -all"
+_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
+
+autoconfig 3600 IN CNAME void.yt.
+autodiscover 3600 IN CNAME void.yt.
+
+asciinema 3600 IN CNAME void.yt.
+blog 3600 IN CNAME void.yt.
+chat 3600 IN CNAME void.yt.
+cloud 3600 IN CNAME void.yt.
+codimd 3600 IN CNAME void.yt.
+cryptpad 3600 IN CNAME void.yt.
+cyberchef 3600 IN CNAME void.yt.
+ghostblog 3600 IN CNAME void.yt.
+git 3600 IN CNAME void.yt.
+gomez 3600 IN CNAME void.yt.
+haste 3600 IN CNAME void.yt.
+img 3600 IN CNAME void.yt.
+irc 3600 IN CNAME void.yt.
+jitsi 3600 IN CNAME void.yt.
+kb 3600 IN CNAME void.yt.
+kutt 3600 IN CNAME void.yt.
+lady 3600 IN CNAME void.yt.
+lain 3600 IN CNAME void.yt.
+latex 3600 IN CNAME void.yt.
+mind 3600 IN CNAME void.yt.
+notes 3600 IN CNAME void.yt.
+openproject 3600 IN CNAME void.yt.
+pad 3600 IN CNAME void.yt.
+privatebin 3600 IN CNAME void.yt.
+pve 3600 IN CNAME void.yt.
+routeur 3600 IN CNAME void.yt.
+safe 3600 IN CNAME void.yt.
+shells 3600 IN CNAME void.yt.
+status 3600 IN CNAME void.yt.
+sx 3600 IN CNAME void.yt.
+test 3600 IN CNAME void.yt.
+tube 3600 IN CNAME void.yt.
+u 3600 IN CNAME void.yt.
+www 3600 IN CNAME void.yt.
+zabbix 3600 IN CNAME void.yt.
+
+root@Temple:/etc/bind# systemctl restart bind9
+root@Temple:/etc/bind# systemctl status bind9
+● bind9.service - BIND Domain Name Server
+ Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sun 2021-11-14 11:37:30 UTC; 2s ago
+ Docs: man:named(8)
+ Main PID: 18839 (named)
+ Tasks: 8 (limit: 4582)
+ Memory: 29.3M
+ CGroup: /system.slice/bind9.service
+ └─18839 /usr/sbin/named -f -u bind
+
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:1::53#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2::c#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:200::b#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:7fd::1#53
+Nov 14 11:37:30 Temple named[18839]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Nov 14 11:37:30 Temple named[18839]: resolver priming query complete
+
+
+Now, let's setup our secondary DNS server, first let's update the primary DNS server's zones.rfc1918 file as follows:
+
+root@Temple:/etc/bind# vim /etc/bind/zones.rfc1918
+root@Temple:/etc/bind# cat /etc/bind/zones.rfc1918
+zone "void.yt" IN {
+ type master;
+ file "/etc/bind/db.void.yt";
+ allow-update { none; };
+
+ allow-transfer { 45.76.133.0; };
+ also-notify { 45.76.133.0; };
+};
+
+root@Temple:/etc/bind# systemctl restart bind9
+
+
+In the allow-transfer and allow-notify parameters we put the public IP of our second DNS server. Next we restart bind9, and setup bind9 on the second server as a slave to our first server:
+
+root@mail:~# apt install bind9 -y
+root@mail:~# vim /etc/bind/named.conf.local
+root@mail:~# cat /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+include "/etc/bind/zones.rfc1918";
+
+root@mail:~# vim /etc/bind/zones.rfc1918
+root@mail:~# cat /etc/bind/zones.rfc1918
+zone "void.yt" {
+ type slave;
+ file "/etc/bind/db.void.yt";
+ masters {78.141.239.68;};
+};
+
+root@mail:~# vim /etc/bind/db.void.yt
+root@mail:~# cat /etc/bind/db.void.yt
+$TTL 604800
+@ IN SOA ns2.void.yt void.yt. (
+ 8 ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!!
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+; name servers - NS records
+ IN NS ns1.void.yt.
+ IN NS ns2.void.yt.
+
+; name servers - A records
+ns1.void.yt. IN A 78.141.239.68
+ns2.void.yt. IN A 45.76.133.0
+
+; A records, public IPs
+temple 3600 IN A 78.141.239.68
+mail 3600 IN A 45.76.133.0
+mail 3600 IN AAAA 2001:19f0:7402:2c6:5400:3ff:fea7:22a3
+;void.yt
+
+
+ 3600 IN MX 10 mail.void.yt.
+ 3600 IN TXT "v=spf1 mx a:mail.void.yt -all"
+_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
+
+autoconfig 3600 IN CNAME void.yt.
+autodiscover 3600 IN CNAME void.yt.
+
+asciinema 3600 IN CNAME void.yt.
+blog 3600 IN CNAME void.yt.
+chat 3600 IN CNAME void.yt.
+cloud 3600 IN CNAME void.yt.
+codimd 3600 IN CNAME void.yt.
+cryptpad 3600 IN CNAME void.yt.
+cyberchef 3600 IN CNAME void.yt.
+ghostblog 3600 IN CNAME void.yt.
+git 3600 IN CNAME void.yt.
+gomez 3600 IN CNAME void.yt.
+haste 3600 IN CNAME void.yt.
+img 3600 IN CNAME void.yt.
+irc 3600 IN CNAME void.yt.
+jitsi 3600 IN CNAME void.yt.
+kb 3600 IN CNAME void.yt.
+kutt 3600 IN CNAME void.yt.
+lady 3600 IN CNAME void.yt.
+lain 3600 IN CNAME void.yt.
+latex 3600 IN CNAME void.yt.
+mind 3600 IN CNAME void.yt.
+notes 3600 IN CNAME void.yt.
+openproject 3600 IN CNAME void.yt.
+pad 3600 IN CNAME void.yt.
+privatebin 3600 IN CNAME void.yt.
+pve 3600 IN CNAME void.yt.
+routeur 3600 IN CNAME void.yt.
+safe 3600 IN CNAME void.yt.
+shells 3600 IN CNAME void.yt.
+status 3600 IN CNAME void.yt.
+sx 3600 IN CNAME void.yt.
+test 3600 IN CNAME void.yt.
+tube 3600 IN CNAME void.yt.
+u 3600 IN CNAME void.yt.
+
+www 3600 IN CNAME void.yt.
+zabbix 3600 IN CNAME void.yt.
+
+
+
+
+root@mail:/etc/bind# systemctl restart bind9
+
+root@mail:/etc/bind# systemctl status bind9
+● named.service - BIND Domain Name Server
+ Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sun 2021-11-14 14:34:38 UTC; 1min 17s ago
+ Docs: man:named(8)
+ Main PID: 94005 (named)
+ Tasks: 5 (limit: 2340)
+ Memory: 17.8M
+ CPU: 46ms
+ CGroup: /system.slice/named.service
+ └─94005 /usr/sbin/named -f -u bind
+
+Nov 14 14:34:38 mail named[94005]: running
+Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: Transfer started.
+Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: connected using 45.76.133.0#53677
+Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: transferred serial 9
+Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: transfer: could not set file modification time of '/etc/bind/db.void.yt': permission denied
+Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer status: success
+Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.001 secs (1118000 bytes/sec) (serial 9)
+Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: sending notifies (serial 9)
+Nov 14 14:34:38 mail named[94005]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Nov 14 14:34:38 mail named[94005]: resolver priming query complete
+
+root@mail:/etc/bind# systemctl disable --now apparmor
+root@mail:/etc/bind# chown bind:bind -R /etc/bind
+
+root@mail:/etc/bind# systemctl restart bind9
+root@mail:/etc/bind# systemctl status bind9
+● named.service - BIND Domain Name Server
+ Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sun 2021-11-14 14:39:17 UTC; 1s ago
+ Docs: man:named(8)
+ Main PID: 94210 (named)
+ Tasks: 4 (limit: 2340)
+ Memory: 14.1M
+ CPU: 29ms
+ CGroup: /system.slice/named.service
+ └─94210 /usr/sbin/named -f -u bind
+
+Nov 14 14:39:17 mail named[94210]: running
+Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: Transfer started.
+Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: connected using 45.76.133.0#51509
+Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: transferred serial 9
+Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer status: success
+Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.004 secs (279500 bytes/sec) (serial 9)
+Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: sending notifies (serial 9)
+Nov 14 14:39:17 mail named[94210]: dumping master file: /etc/bind/tmp-PF5Ud0HF2G: open: permission denied
+Nov 14 14:39:17 mail named[94210]: resolver priming query complete
+Nov 14 14:39:17 mail named[94210]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+
+
+And from there let's check if the domain name resolution works:
+
+[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
+→ nslookup ns1.void.yt temple.void.yt
+Server: temple.void.yt
+Address: 78.141.239.68#53
+
+Name: ns1.void.yt
+Address: 78.141.239.68
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
+→ nslookup ns2.void.yt temple.void.yt
+Server: temple.void.yt
+Address: 78.141.239.68#53
+
+Name: ns2.void.yt
+Address: 45.76.133.0
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
+→ nslookup ns2.void.yt mail.void.yt
+Server: mail.void.yt
+Address: 45.76.133.0#53
+
+Name: ns2.void.yt
+Address: 45.76.133.0
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
+→ nslookup ns1.void.yt mail.void.yt
+Server: mail.void.yt
+Address: 45.76.133.0#53
+
+Name: ns1.void.yt
+Address: 78.141.239.68
+
+
+Everything looks good, we can resolve domain names on both the master and slave DNS servers
+Now for my current setup, i need my void.yt domain name to resolve a public IP that often changes, therefore i need a dynamic bind9 DNS setup for the A record of my void.yt domain. It is possible to set it up with bind9, so let's do it:
+
+oot@Temple:/etc/bind# apt install bind9utils
+root@Temple:/etc/bind# which ddns-confgen
+/usr/sbin/ddns-confgen
+
+
+root@Temple:/etc/bind# ddns-confgen -s void.yt
+# To activate this key, place the following in named.conf, and
+# in a separate keyfile on the system or systems from which nsupdate
+# will be run:
+key "ddns-key.void.yt" {
+ algorithm hmac-sha256;
+ secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
+};
+
+# Then, in the "zone" statement for the zone containing the
+# name "void.yt", place an "update-policy" statement
+# like this one, adjusted as needed for your preferred permissions:
+update-policy {
+ grant ddns-key.void.yt name void.yt ANY;
+};
+
+# After the keyfile has been placed, the following command will
+# execute nsupdate using this key:
+nsupdate -k <keyfile>
+
+
+
+
+Now that's done, we follow the instructions that the command just output for us, starting with named.conf.local edit:
+
+root@Temple:/etc/bind# vim /etc/bind/named.conf.local
+root@Temple:/etc/bind# cat /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+include "/etc/bind/zones.rfc1918";
+key "ddns-key.void.yt" {
+ algorithm hmac-sha256;
+ secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
+};
+
+
+Next, we setup the update-policy for our void.yt zone:
+
+root@Temple:/etc/bind# vim zones.rfc1918
+root@Temple:/etc/bind# cat zones.rfc1918
+zone "void.yt" {
+ type master;
+ file "/etc/bind/db.void.yt";
+
+ allow-transfer { 45.76.133.0; };
+ also-notify { 45.76.133.0; };
+
+ update-policy {
+ grant ddns-key.void.yt name void.yt ANY;
+ };
+};
+
+root@Temple:/etc/bind# systemctl restart bind9
+
+
+Now that's done, we're going to setup the dynamic DNS script on our client whose public IP is changing often:
+
+root@home:~# which nsupdate
+/usr/bin/nsupdate
+
+root@home:~# vim /etc/ddnssupdate.key
+root@home:~# cat /etc/ddnssupdate.key
+key "ddns-key.void.yt" {
+ algorithm hmac-sha256;
+ secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
+};
+
+root@home:~# cd /var/www/void.yt/
+root@home:/var/www/void.yt# vim dyndns.sh
+root@home:/var/www/void.yt# cat dyndns.sh
+#!/bin/bash
+
+#MYIP=$(dig +short myip.opendns.com @resolver1.opendns.com)
+MYIP=$(curl ifconfig.me)
+
+KEY=/etc/ddnsupdate.key
+NS=ns1.void.yt
+DOMAIN=void.yt.
+ZONE=void.yt.
+
+nsupdate -k $KEY -v << EOF
+server $NS
+zone $ZONE
+update delete $DOMAIN A
+update add $DOMAIN 30 A $MYIP
+send
+EOF
+
+
+Now let's test it:
+
+root@home:/var/www/void.yt# chattr -i /etc/resolv.conf
+root@home:/var/www/void.yt# vim /etc/resolv.conf
+root@home:/var/www/void.yt# cat /etc/resolv.conf
+#nameserver 1.1.1.1
+#nameserver 1.0.0.1
+nameserver 78.141.239.68
+nameserver 45.76.133.0
+root@home:/var/www/void.yt# chattr +i /etc/resolv.conf
+
+root@home:/var/www/void.yt# chmod +x dyndns.sh
+root@home:/var/www/void.yt# ./dyndns.sh
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+100 14 100 14 0 0 89 0 --:--:-- --:--:-- --:--:-- 89
+update failed: SERVFAIL
+
+
+Now if you get this error, it probably means that the dns bind server does not have permissions to edit files in /etc/bind/, and rather has access to /var/lib/bind, so let's make those changes:
+
+root@Temple:/etc/bind# vim /etc/bind/zones.rfc1918
+root@Temple:/etc/bind# cat /etc/bind/zones.rfc1918
+zone "void.yt" {
+ type master;
+ file "/var/lib/bind/db.void.yt";
+
+ allow-transfer { 45.76.133.0; };
+ also-notify { 45.76.133.0; };
+
+ update-policy {
+ grant ddns-key.void.yt name void.yt ANY;
+ };
+};
+
+root@Temple:/etc/bind# mv /etc/bind/db.void.yt /var/lib/bind/
+root@Temple:/etc/bind# systemctl restart bind9
+
+
+Now that's done, let's also do it on the secondary dns:
+
+root@mail:~# vim /etc/bind/zones.rfc1918
+root@mail:~# mv /etc/bind/db.void.yt /var/lib/bind/
+root@mail:~# mv /etc/bind/db._domainkey.void.yt /var/lib/bind/
+root@mail:~# systemctl restart bind9
+
+
+Now that's done, let's test our dynamic dns script:
+
+root@home:/var/www/void.yt# ./dyndns.sh
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+100 14 100 14 0 0 72 0 --:--:-- --:--:-- --:--:-- 72
+root@home:/var/www/void.yt#
+
+
+No error messages, so let's check if our script updated the the zone file as intended:
+
+root@Temple:/etc/bind# cat /var/lib/bind/db.void.yt
+$ORIGIN .
+$TTL 604800 ; 1 week
+void.yt IN SOA ns1.void.yt. void.yt. (
+ 10 ; serial
+ 604800 ; refresh (1 week)
+ 86400 ; retry (1 day)
+ 2419200 ; expire (4 weeks)
+ 604800 ; minimum (1 week)
+ )
+$TTL 3600 ; 1 hour
+ NS ns1.void.yt.
+ NS ns2.void.yt.
+$TTL 30 ; 30 seconds
+ A 92.148.147.119
+$ORIGIN void.yt.
+$TTL 3600 ; 1 hour
+_dmarc TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
+asciinema CNAME void.yt.
+
+[...]
+
+
+And it did! Now let's make sure our dynamic dns script runs every minute:
+
+root@home:/var/www/void.yt# crontab -e
+* * * * * "/var/www/void.yt/dyndns.sh"
+
+root@home:/var/www/void.yt# cronitor select
+
+✔ "/var/www/void.yt/dyndns.sh"
+----► Running command: "/var/www/void.yt/dyndns.sh"
+
+[+] updating ns1.void.yt:
+
+----► ✔ Command successful Elapsed time 0.353s
+
+
+Looks good! Now don't forget to edit the options file for your secondary dns server:
+
+root@mail:~# vim /etc/bind/named.conf.options
+root@mail:~# cat /etc/bind/named.conf.options
+
+options {
+ directory "/var/cache/bind";
+ dnssec-validation auto;
+
+ listen-on-v6 { any; };
+ listen-on { any; };
+
+ allow-query { any; };
+
+ forwarders {
+ 1.1.1.1;
+ 1.0.0.1;
+ };
+};
+root@mail:~# systemctl restart bind9
+
+
+And that's it! We managed to setup 2 DNS servers using bind9 with a master-slave configuration along with dynamic DNS. Now if you want your DNS servers to propagate, you will have to wait:
+ +You can check the status of the DNS propagation on this website:
+ +As you can see, none of the major DNS servers around the world are aware of my ns1.void.yt record, therefore i need to wait for my dns record to propagate (by setting the DNS server as the DNS servers for a particular domain, on a registrar):
+ + +Once your dns records have propagated we can setup DNSSEC:
+
+root@mail-gw:~# vim /etc/bind/named.conf.options
+root@mail-gw:~# cat /etc/bind/named.conf.options
+options {
+ directory "/var/cache/bind";
+
+ //dnssec-validation yes;
+ //dnssec-enable yes;
+ //dnssec-lookaside auto; //since debian 12 these are no longer needed
+
+ listen-on-v6 { any; };
+ listen-on { any; };
+ allow-query { any; };
+ forwarders {
+ 1.1.1.1;
+ 1.0.0.1;
+ };
+};
+
+
+Then generate the DNS keys for your domain:
+
+root@mail-gw:~# cd /var/cache/bind
+root@mail-gw:/var/cache/bind# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE nihilism.network
+Generating key pair...................+++++ ..................................................................................................................+++++
+Knihilism.network.+007+54398
+root@mail-gw:/var/cache/bind# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE nihilism.network
+Generating key pair........................................................................++++ .....................++++
+Knihilism.network.+007+44145
+
+
+then create the zone file:
+
+root@mail-gw:/var/cache/bind# for key in `ls Knihilism.network*.key`; do echo "\$INCLUDE $key">> nihilism.network.zone; done
+root@mail-gw:/var/cache/bind# cat nihilism.network.zone
+$INCLUDE Knihilism.network.+007+44145.key
+$INCLUDE Knihilism.network.+007+54398.key
+
+
+Then sign the zone with the dnssec-signzone command:
+
+root@mail-gw:/var/cache/bind# for key in `ls Knihilism.network*.key`; do echo "\$INCLUDE $key">> nihilism.network.zone; done
+root@mail-gw:/var/cache/bind# cat nihilism.network.zone
+$INCLUDE Knihilism.network.+007+44145.key
+$INCLUDE Knihilism.network.+007+54398.key
+root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nihilism.network -t nihilism.network.zone
+
+
+dnssec-signzone: warning: Knihilism.network.+007+44145.key:5: no TTL specified; zone rejected
+dnssec-signzone: fatal: failed loading zone from 'nihilism.network.zone': no ttl
+
+
+if you get the no ttl error like me, regen the keys with the TTL thanks to the -L flag:
+
+
+root@mail-gw:/var/cache/bind# dnssec-keygen -L 3600 -a NSEC3RSASHA1 -b 2048 -n ZONE nihilism.network
+Generating key pair.........................................+++++ .......+++++
+Knihilism.network.+007+35034
+
+root@mail-gw:/var/cache/bind# dnssec-keygen -L 3600 -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE nihilism.network
+Generating key pair......++++ ..................................................................................................................................................................++++
+Knihilism.network.+007+23388
+
+root@mail-gw:/var/cache/bind# for key in `ls Knihilism.network*.key`; do echo "\$INCLUDE $key">> nihilism.network.zone; done
+
+root@mail-gw:/var/cache/bind# cat nihilism.network.zone
+
+$INCLUDE Knihilism.network.+007+23388.key
+$INCLUDE Knihilism.network.+007+35034.key
+
+root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nihilism.network -t db.nihilism.network
+dnssec-signzone: warning: db.nihilism.network:17: TTL set to prior TTL (3600)
+dnssec-signzone: fatal: No signing keys specified or found.
+
+root@mail-gw:/var/cache/bind# cat nihilism.network.zone >> db.nihilism.network
+
+
+root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nihilism.network -t db.nihilism.network
+
+dnssec-signzone: warning: db.nihilism.network:17: TTL set to prior TTL (3600)
+Verifying the zone using the following algorithms:
+- NSEC3RSASHA1
+Zone fully signed:
+Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
+ ZSKs: 1 active, 0 stand-by, 0 revoked
+db.nihilism.network.signed
+Signatures generated: 51
+Signatures retained: 0
+Signatures dropped: 0
+Signatures successfully verified: 0
+Signatures unsuccessfully verified: 0
+Signing time in seconds: 0.068
+Signatures per second: 750.000
+Runtime in seconds: 0.076
+
+
+If it gives you further errors, debug it here https://dnsviz.net/d/nihilism.network/dnssec/:
+Then we continue:
+
+root@mail-gw:/var/cache/bind# vim /etc/bind/named.conf.local
+root@mail-gw:/var/cache/bind# cat /etc/bind/named.conf.local
+zone "nihilism.network" {
+ type master;
+ file "db.nihilism.network.signed";
+ allow-update { none; };
+};
+
+
+Then restart bind9:
+
+root@mail-gw:/var/cache/bind# systemctl restart bind9
+root@mail-gw:/var/cache/bind# systemctl status bind9
+* named.service - BIND Domain Name Server
+ Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
+ Active: active (running) since Fri 2022-09-30 19:58:12 CEST; 3s ago
+ Docs: man:named(8)
+ Main PID: 42611 (named)
+ Tasks: 4 (limit: 507)
+ Memory: 7.8M
+ CPU: 19ms
+ CGroup: /system.slice/named.service
+ `-42611 /usr/sbin/named -f -u bind
+
+Sep 30 19:58:12 mail-gw named[42611]: zone 127.in-addr.arpa/IN: loaded serial 1
+Sep 30 19:58:12 mail-gw named[42611]: zone localhost/IN: loaded serial 2
+Sep 30 19:58:12 mail-gw named[42611]: zone nihilism.network/IN: sig-re-signing-interval less than 3 * refresh.
+Sep 30 19:58:12 mail-gw named[42611]: zone nihilism.network/IN: loaded serial 18 (DNSSEC signed)
+Sep 30 19:58:12 mail-gw named[42611]: all zones loaded
+Sep 30 19:58:12 mail-gw named[42611]: running
+Sep 30 19:58:12 mail-gw named[42611]: zone nihilism.network/IN: sending notifies (serial 18)
+Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nihilism.network): transfer of 'nihilism.network/IN': IXFR version not in journal, falling back to AXFR
+Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nihilism.network): transfer of 'nihilism.network/IN': AXFR-style IXFR started (serial 18)
+Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nihilism.network): transfer of 'nihilism.network/IN': AXFR-style IXFR ended: 2 messages, 104 records, 19335 bytes, 0.001 secs (19335000 bytes/sec) (serial 18)
+
+
+So from now on when you want to edit your zone, you will need to first edit the db file and then run the dnssign command:
+
+root@mail-gw:/var/cache/bind# vim db.nihilism.network
+
+root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nihilism.network -t db.nihilism.network
+
+dnssec-signzone: warning: db.nihilism.network:17: TTL set to prior TTL (3600)
+Verifying the zone using the following algorithms:
+- NSEC3RSASHA1
+Zone fully signed:
+Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
+ ZSKs: 1 active, 0 stand-by, 0 revoked
+db.nihilism.network.signed
+Signatures generated: 53
+Signatures retained: 0
+Signatures dropped: 0
+Signatures successfully verified: 0
+Signatures unsuccessfully verified: 0
+Signing time in seconds: 0.068
+Signatures per second: 779.411
+Runtime in seconds: 0.080
+
+root@mail-gw:/var/cache/bind# systemctl restart bind9
+
+root@mail-gw:/var/cache/bind# systemctl status bind9
+* named.service - BIND Domain Name Server
+ Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sat 2022-10-01 10:37:34 CEST; 1s ago
+ Docs: man:named(8)
+ Main PID: 45909 (named)
+ Tasks: 4 (limit: 507)
+ Memory: 7.8M
+ CPU: 21ms
+ CGroup: /system.slice/named.service
+ `-45909 /usr/sbin/named -f -u bind
+
+
+Now when we test the dnssec to our bindserver we see the following:
+
+[ 10.0.0.10/16 ] [ nowhere ] [~]
+→ dig @23.137.250.140 stream.nihilism.network. A +dnssec +multiline
+
+; <<>> DiG 9.18.4-2-Debian <<>> @23.137.250.140 stream.nihilism.network. A +dnssec +multiline
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52175
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags: do; udp: 1232
+; COOKIE: bb834e65ec1896a601000000633c65914ff2b9c6c7b43b1d (good)
+;; QUESTION SECTION:
+;stream.nihilism.network. IN A
+
+;; ANSWER SECTION:
+stream.nihilism.network. 604800 IN CNAME web-gw.nihilism.network.
+stream.nihilism.network. 604800 IN RRSIG CNAME 7 3 604800 (
+ 20221103152726 20221004152726 35034 nihilism.network.
+ qIu/a2pi8e52tLqNBmCbeFHGK3TkQLquJNcziCoCYlQY
+ qOOFiXisOz7sg05uWxvX04kKofQyuUb9X/+e20r28WUe
+ gAhS1LJWE9BfBHfq/iQBXX4yWLTTYMqyjDyW56RUX7Z9
+ zJs46TJB983ggZ1VwAJOifDGvl4vYSld/XeFy0EQy62G
+ 3Etq9GZe+O5ZEKsuYA+9RGockq/TwwLn6ibZfst172xt
+ B/uKxmX+J3gcBzeGp1wwGd07UdlxaLyniQ41DSYmdTdD
+ jECbxVQRvMnC1MhD8nYsmhm/YroKXeQpMX7ugJD1ZomY
+ A7/ofGO6asXTGY2V3JxiITop0nKlfSlLbA== )
+web-gw.nihilism.network. 604800 IN A 23.137.250.141
+web-gw.nihilism.network. 604800 IN RRSIG A 7 3 604800 (
+ 20221103152726 20221004152726 35034 nihilism.network.
+ hlE0hXZiU9/LnSKghK3OKMxIbrrimFqF0HfHJubzQ50U
+ f9g3m9bZJeANu4iJHCmPR1TVJUp0qYxUTRb815kWGKIq
+ DHUNErDN+WhZoTBMT8jzdX8kntKFnd8+N/d/gjQ91Oxp
+ MOGf2V1fAu0wnvVZGzn6PGmQfb1vsZ3pskmTd5bz/A1g
+ nPoT3MXYWQol8x8h9bYdBwwz/cmbHbeZ2s8NIgFj/F46
+ cciq3lIs6HDmmYzE50TQ5YApCyHDYSM7gu/u/O/4pxAP
+ 55Fo5qtkZQCMoRtcRJh+GG5X7W2onoi4zICAZXpD5L6z
+ IaBl++bwjDaSIOiAsV2j+gRGETtUQ4Ef4w== )
+
+;; Query time: 23 msec
+;; SERVER: 23.137.250.140#53(23.137.250.140) (UDP)
+;; WHEN: Tue Oct 04 18:56:01 CEST 2022
+;; MSG SIZE rcvd: 725
+
+
+for simplicity sake i have this script to automate the signing of the dns zone file, the checking of it and the restarting of the service in one script:
+
+root@mail-gw:/var/cache/bind# cat restartdns.sh
+
+#!/bin/bash
+
+# check the zone for errors:
+named-checkzone nihilism.network db.nihilism.network
+
+# sign it:
+dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nihilism.network -t db.nihilism.network
+
+#restart bind9
+systemctl restart bind9
+
+#check bind9 status
+systemctl status bind9
+
+
+updated restartdns.sh script: (thanks to Notorious from notlean.net)
+
+
+1) updated algorythms to avoid errors https://dnsviz.net/d/nihilism.network/dnssec/
+
+dnssec-keygen -L 3600 -a ECDSAP256SHA256 -b 2048 -n ZONE notlean.net
+dnssec-keygen -L 3600 -f KSK -a ECDSAP256SHA256 -b 2048 -n ZONE notlean.net
+for key in `ls Knotlean.net*.key`; do echo "\$INCLUDE $key">> notlean.net.zone; done
+cat notlean.net.zone >> forward.notlean.net.db
+dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o notlean.net -t forward.notlean.net.db
+rndc reload
+systemctl status named
+
+
+2) cat restartdns.sh
+
+#!/bin/bash
+
+set -eu
+
+# Bnd Path
+ZONE_PATH="/var/cache/bind/notorious"
+
+# Domain name
+ZONE_NAME="notlean.net"
+
+# Bind zone file name
+ZONE_FILE="forward.notlean.net.db"
+
+# Generate NSEC3 salt
+NSEC3_SALT=$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
+
+# Go to zone path
+pushd $ZONE_PATH
+
+# Verify zone and check for errors
+echo "Chcking zone errors for $ZONE_NAME ..."
+if ! named-checkzone $ZONE_NAME $ZONE_FILE; then
+ echo "Error during zonbe checking. Verify the file."
+ exit 1
+fi
+
+# Signing zone DNSSEC
+echo "Signing zone file for $ZONE_NAME..."
+dnssec-signzone -A -3 $NSEC3_SALT -N INCREMENT -o $ZONE_NAME -t $ZONE_FILE
+
+# Restart BIND9
+echo "Restart BIND9..."
+rndc reload
+
+# Check bind status
+echo "Vérification du statut de BIND9..."
+systemctl status bind9
+
+# Back to local dir
+popd
+
+echo "Execution end"
+
+
+
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
Let's take our previous analogy to explain what Privacy is:
+
+Bob wants to talk to Alice, He wants the conversation to remain private, so he closes the door
+Jack can't spy on bob and alice's conversation, because the door is closed,
+The door is closed, the conversation remains between Alice and Bob, their conversation is Private.
+
+
+
+For Alice and Bob to protect their conversation from being spied on by Jack, they encrypt their conversation for example by using PGP.
+ +Here the most common usecase for encryption is for people to encrypt their system disk on their computers, because if someone (like jack) were to steal their computer, they don't want to read all of their data.
+ +All in all, encryption is used to provide privacy. As long as the encrypted volumes are closed when Jack is trying to open them, Jack cannot read the contents of the volumes.
+Encryption however, cannot protect against everything.
+ +In this case, Bob is legally, although questionably morally, forced to decrypt his encrypted system disk by the judge. Keep in mind that this is not a far fetched scenario, this has happened previously.
+ +When that is the case, simply encrypting the disk is not enough, as all that is required is for the adversary to know of the existance of the encrypted drive, to be able to force Bob to open it
+ +As far as key encryption laws, the trend is that most developed countries are forcing their citizens to incriminate themselves and to surrender the encryption keys to authorities, when asked. In short,If the encrypted volume is proven to exist, you can be forced to surrender the decryption key/password to open it.
+ +From a legal standpoint, the only way to be protected against that scenario where you're forced to decrypt your harddrive is to be able to deny the existance of said encrypted volume (Plausible Deniability) . If the encrypted volume does not exist, there is no password to be given for it.
+So here we need a technology that can provide us Plausible Deniability. That is what Veracrypt can do for us.
+ +In short, Veracrypt allows you to encrypt volumes, just like LUKS encryption does. However it gives you the choice to hide another encrypted volume inside the same volume, that is exactly what you can deny the existance of.
+So you can hide some random meaningless data inside the decoy volume, while the real data that needs protection sits inside the hidden volume.
+This means, when Jack forces Bob to open the vercrypt volume, Bob types Password A to open the decoy volume, Then, when asked by Jack, Bob declares that there is no Hidden volume, and Jack has no way to prove the existance the Hidden Volume.
+To see how to implement Plausible Deniability protection with Veracrypt, check out this tutorial.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to setup the EndGameV3 Anti DDOS / Load Balancer / WAF service popularized by Dread, it was originally built to block off the incessant DDOS attacks that onion services were facing. Because of that, EndGame was developped, along with the Proof of Work (POW) Defense released by TorProject for more details you can click here.
+
+Endgame should be on a separate server to your backend server. It only proxies content from your backend to the user. You will still need to configure your backend to handle requests from the Endgame Front.
+
+This is the same system that anti-DDOS services like Cloudflare, Indusface, and Imperva use to protect websites from attacks. The difference is this is self-hosted and fully controlled by you for your own needs and made for darknet networks.
+
+
+Now we'll first cover how to have a single Endgame V3 front, to redirect to 2 onion backends, but keep in mind that there is very high latency involved here. The ideal setup as we'll see later, is to have local redirection behind the Endgame front. And we'll also make use of the onionbalance technology to setup multiple Endgame fronts for the same Master Onion!
+ +First of all you need at least 2 backend servers that are reachable via their .onion links. To set them up you can look at my tutorial here.
+In this example we'll use my 2 main websites' onion links:
+
+http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
+http://nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion/
+
+
+
+Obviously these are not the same service, but we'll pretend that they are. Now let's setup Endgame on a blank Debian 12 VM with internet access:
+ +Let's first download the tar.gz file for endgamev3, and verify the sha256sum hash of the tar.gz file according to the original post's recommendations. Here i downloaded it from the git mirror i host, but if you want the original URL you can get it from here: http://g66ol3eb5ujdckzqqfmjsbpdjufmjd5nsgdipvxmsh7rckzlhywlzlqd.onion/EndGameV3.tar.gz
+
+root@debian:~# wget https://git.datura.network/nihilist/EndGameV3/raw/branch/main/EndGameV3.tar.gz
+--2024-04-13 12:39:00-- https://git.datura.network/nihilist/EndGameV3/raw/branch/main/EndGameV3.tar.gz
+Resolving git.datura.network (git.datura.network)... 65.109.30.253
+Connecting to git.datura.network (git.datura.network)|65.109.30.253|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 35340090 (34M) [application/octet-stream]
+Saving to: ‘EndGameV3.tar.gz’
+
+EndGameV3.tar.gz 100%[===========================================================================================================================================>] 33.70M 4.22MB/s in 10s
+
+2024-04-13 12:39:12 (3.27 MB/s) - ‘EndGameV3.tar.gz’ saved [35340090/35340090]
+
+root@debian:~# sha256sum EndGameV3.tar.gz
+89036a0ae8631aa1683bb370f357a4042b2e138eebeaea14bb35824f5d1f6bbb EndGameV3.tar.gz
+
+
+
+As of 13/04/2024, the SHA256 Hash of EndGameV3.tar.gz is 89036a0ae8631aa1683bb370f357a4042b2e138eebeaea14bb35824f5d1f6bbb. let's unpack it:
+
+root@debian:~# neofetch
+ _,met$$$$$gg. root@debian
+ ,g$$$$$$$$$$$$$$$P. -----------
+ ,g$$P" """Y$$.". OS: Debian GNU/Linux 12 (bookworm) x86_64
+ ,$$P' `$$$. Host: KVM/QEMU (Standard PC (Q35 + ICH9, 2009) pc-q35-7.2)
+',$$P ,ggs. `$$b: Kernel: 6.1.0-13-amd64
+`d$$' ,$P"' . $$$ Uptime: 1 hour, 19 mins
+ $$P d$' , $$P Packages: 447 (dpkg)
+ $$: $$. - ,d$$' Shell: bash 5.2.15
+ $$; Y$b._ _,d$P' Resolution: 1632x1684
+ Y$$. `.`"Y$$$$P"' CPU: AMD Ryzen 7 5700X (2) @ 3.393GHz
+ `$$b "-.__ GPU: 00:01.0 Red Hat, Inc. Virtio 1.0 GPU
+ `Y$$ Memory: 140MiB / 1966MiB
+ `Y$$.
+ `$$b.
+ `Y$$b.
+ `"Y$b._
+ `"""
+
+root@debian:~# mkdir endgame
+
+root@debian:~# mv EndGameV3.tar.gz endgame/
+
+root@debian:~# cd endgame
+
+root@debian:~/endgame# tar -xzvf EndGameV3.tar.gz
+
+root@debian:~/endgame# ls -lash
+total 34M
+4.0K drwxr-xr-x 8 root root 4.0K Apr 13 13:54 .
+4.0K drwx------ 5 root root 4.0K Apr 13 13:54 ..
+4.0K -rw-r--r-- 1 nihilist nihilist 178 Jul 11 2022 aptpreferences
+4.0K drwxr-xr-x 11 nihilist nihilist 4.0K Mar 18 18:50 dependencies
+8.0K -rw-r--r-- 1 nihilist nihilist 6.1K Apr 10 05:10 endgame.config
+ 34M -rw-r--r-- 1 root root 34M Apr 13 12:48 EndGameV3.tar.gz
+4.0K -rwxr-xr-x 1 nihilist nihilist 1.1K Sep 16 2023 getdependencies.sh
+ 12K -rw-r--r-- 1 nihilist nihilist 9.5K May 9 2023 i2pd.conf
+4.0K -rw-r--r-- 1 nihilist nihilist 145 Mar 30 2023 jail.local
+4.0K -rw-r--r-- 1 nihilist nihilist 2.0K Mar 30 2023 limits.conf
+4.0K drwxr-xr-x 2 nihilist nihilist 4.0K Apr 9 17:45 lua
+4.0K -rw-r--r-- 1 nihilist nihilist 357 Nov 8 01:35 mentions.txt
+8.0K -rw-r--r-- 1 nihilist nihilist 5.9K Jun 29 2022 naxsi_core.rules
+4.0K -rw-r--r-- 1 nihilist nihilist 209 Jun 12 2023 naxsi_whitelist.rules
+4.0K -rw-r--r-- 1 nihilist nihilist 2.0K Jul 18 2023 nginx.conf
+4.0K -rwxr-xr-x 1 nihilist nihilist 1.3K May 9 2023 nginx-update.sh
+ 12K -rw-r--r-- 1 nihilist nihilist 11K Apr 10 04:00 README.md
+4.0K drwxr-xr-x 2 nihilist nihilist 4.0K Jun 1 2023 repokeys
+4.0K drwxr-xr-x 2 nihilist nihilist 4.0K Sep 7 2023 resty
+ 72K -rw-r--r-- 1 nihilist nihilist 71K Apr 10 05:53 resty.tgz
+ 16K -rwxr-xr-x 1 nihilist nihilist 13K Apr 11 23:36 setup.sh
+ 12K -rw-r--r-- 1 nihilist nihilist 12K Apr 10 04:50 site.conf
+4.0K drwxr-xr-x 4 nihilist nihilist 4.0K May 6 2023 sourcecode
+4.0K -rwxr-xr-x 1 nihilist nihilist 464 May 25 2023 startup.sh
+4.0K -rw-r--r-- 1 nihilist nihilist 1.5K May 17 2023 sysctl.conf
+4.0K drwxr-xr-x 2 nihilist nihilist 4.0K Apr 10 05:32 tor-patch
+4.0K -rw-rw-rw- 1 nihilist nihilist 1.8K Apr 10 04:50 torrc
+4.0K -rw-r--r-- 1 nihilist nihilist 157 Mar 29 2023 torrc2
+4.0K -rw-r--r-- 1 nihilist nihilist 157 Mar 29 2023 torrc3
+4.0K -rw-r--r-- 1 nihilist nihilist 179 May 5 2023 tunnels.conf
+
+
+
+From there we can follow the steps as detailed in the README.md
+Go to sourcecode/gobalance and build gobalance with go. Read the README.md about how to compile and generate the gobalance configuration. With that configuration you will be able to see your MASTERONION url. The starting before .key is your master onion address. You will use that as your MASTERONION in the EndGame.config ending it with '.onion'. +
+root@debian:~/endgame# cd sourcecode/gobalance/
+root@debian:~/endgame/sourcecode/gobalance# ls
+go.mod go.sum main.go pkg README.md torrc vendor
+root@debian:~/endgame/sourcecode/gobalance# cat README.md
+
+[...]
+
+# Compiling
+
+- `go get -u` - updates all dependencies
+- `go mod vendor` - stores the updates in the vendor folder
+- `go build -o gobalance main.go` - builds the gobalance application
+
+# Generate Configuration
+
+- `./gobalance g`
+
+or simply use your python onionbalance one! Drop in replacement support (no multisite)!
+
+# Running
+After you have configured your gobalance, you will need a tor process on your localhost. There is a provided torrc file. Run it with Tor like this:
+
+- `tor -f torrc`
+
+After that run gobalance
+
+- `./gobalance`
+
+If you need to run these in the background (in the event your server connection dies or drops) you can use `nohup` or a detached terminal session.
+I, /u/Paris, recommend just running it locally with geo redundancy to not need to worry about server crashes or compromises. Onion key safety is your absolute priority. When it's compromised your operation is done.
+
+
+So as advised, let's compile gobalance using go:
+
+root@debian:~/endgame/sourcecode/gobalance# apt update -y ; apt install golang -y
+
+root@debian:~/endgame/sourcecode/gobalance# go get -u
+go: downloading github.com/sirupsen/logrus v1.9.3
+go: downloading github.com/urfave/cli/v2 v2.27.1
+go: downloading golang.org/x/crypto v0.17.0
+go: downloading golang.org/x/crypto v0.22.0
+go: downloading github.com/urfave/cli v1.22.14
+go: downloading gopkg.in/yaml.v3 v3.0.1
+go: downloading golang.org/x/sys v0.15.0
+go: downloading golang.org/x/sys v0.19.0
+go: downloading maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066
+go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.3
+go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.4
+go: downloading github.com/cpuguy83/go-md2man v1.0.10
+go: downloading github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e
+go: downloading github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913
+go: downloading github.com/russross/blackfriday/v2 v2.1.0
+go: downloading github.com/russross/blackfriday v1.6.0
+go: upgraded github.com/cpuguy83/go-md2man/v2 v2.0.3 => v2.0.4
+go: upgraded github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e => v0.0.0-20240312152122-5f08fbb34913
+go: upgraded golang.org/x/crypto v0.17.0 => v0.22.0
+go: upgraded golang.org/x/sys v0.15.0 => v0.19.0
+
+root@debian:~/endgame/sourcecode/gobalance# go mod vendor
+go: downloading github.com/stretchr/testify v1.8.0
+go: downloading github.com/pmezard/go-difflib v1.0.0
+go: downloading github.com/davecgh/go-spew v1.1.1
+root@debian:~/endgame/sourcecode/gobalance# go build -o gobalance main.go
+
+root@debian:~/endgame/sourcecode/gobalance# ./gobalance g
+root@debian:~/endgame/sourcecode/gobalance# ls
+config.yaml uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.key gobalance go.mod go.sum main.go pkg README.md torrc vendor
+
+root@debian:~/endgame/sourcecode/gobalance# cat torrc
+RunAsDaemon 0
+ControlPort 9051
+DataDirectory torfiles
+
+
+
+So in this case our MASTERONION url is uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.onion Next step is to edit the endgame.config file:
+
+root@debian:~/endgame/sourcecode/gobalance# cd ../..
+root@debian:~/endgame# vim endgame.config
+
+
+To edit the file we follow the setup process from the README:
+
+Open up and edit the endgame.config, you will need to change your TORAUTHPASSWORD. Change it to a random alphanumeric password of your choice. This is just used for authentication on nginx's layer to send circuit kill commands.
+You have two options for how EndGame sends the traffic to your backend. You can have it direct it to an onion address, or you can have it locally proxy to a server on the same network.
+
+ Tor Proxy: You will need to set both of the BACKENDONION variables to your main onion service you want protected. This means your origin application server needs to have tor running with its own onion service address. You put that onion address on the BACKENDONION(1/2). If you have multiple backends (highly recommended) you can put different backend addresses to have load balancing and fallover. It's easy to add in even more by customizing endgame for your needs.
+ Local Proxy: Change LOCALPROXY to true and edit the PROXYPASSURL to the specific IP or hostname of your backend location. It will default to connect on port 80 via http but you can edit line 320 of the site.conf to change that to your specific needs.
+
+Enable I2PSETUP and/or TORSETUP by setting them to true. You can also enable TORINTRODEFENSE and TORPOWDEFENSE to provide more protection against introduction attacks on the Tor network.
+Edit KEY and SALT to a secure cookie value. PROTECT THESE VALUES. If they get leaked, an attacker could generate EndGame cookies and hurt your EndGame protection.
+
+ KEY: is your encryption key used for encryption. It should be to be between 68 and 128 random alphanumeric characters.
+ SALT: is your salt for the encryption key. It must be exactly 8 alphanumeric characters.
+
+Branding is important. EndGame makes it easy to use your own branding on it. By default, it will use dread's branding, but you should change it.
+
+ HEXCOLOR and HEXCOLORDARK are for the specific colors used on the pages. Set HEXCOLOR to your main site color and HEXCOLORDARK to just a slightly darker version of it.
+ SITENAME, SITETAGLINE, SITESINCE is all information about your site. Self-explanatory.
+ FAVICON is used as your site's favicon in base64. This limits the amount of requests a browser may do when first loading the queue page. Make sure this value is set to something. Otherwise people's connections will get cut off from the queue when their browser makes a request to the favicon.ico.
+ SQUARELOGO is used as the icon for the queue running man and the main splash logo on the captcha page. In base64 format.
+ NETWORKLOGO is used as a bottom network icon for on the captcha page which allows different sites a part of the same organization to be shown. In base64 format.
+
+After you are done EndGame's configuration, you should archive everything except the sourcecode folder. Transfer the archive to a blank debian 12 system. As root, extract the archive and run setup.sh like './setup.sh'. At the end of the setup, it will export an onion address (and i2p if set but don't add that to gobalance) which you can provide to users or add to your gobalance configuration.
+
+
+Let's first generate our KEY (max 128chars) and SALT (8 chars):
+
+[ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog]
+→ sudo apt install pwgen -y
+
+[ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog]
+→ pwgen 8 1
+OotoNg0s
+
+[ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog]
+→ pwgen 127 1
+Ex6meeghah2Voo4iezeequieFoChieyoch2kuish8ubopheikux2hedu5ahng5Iwooquii3tuowi6quie1leeTaeN5ugh0Dooch1naexaetoya9hoh2Fohlu5oP5ohm
+
+
+So we have the following config:
+
+root@debian:~/endgame# cat endgame.config
+#This area
+
+#OPTIONS!
+MASTERONION="uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.onion"
+TORAUTHPASSWORD="MYCOMPLEXPASSWORDTOREPLACE!!!"
+BACKENDONION1="daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion"
+BACKENDONION2="nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion"
+
+#set to true if you want to setup local proxy instead of proxy over Tor
+LOCALPROXY=false
+PROXYPASSURL="10.10.10.0"
+
+#Install the latest kernel from debian unstable. Recommended but may cause some issues on old systems.
+LATESTKERNEL=true
+
+#reboot after completion. Highly recommended to get the new kernel active.
+REBOOT=true
+
+#set to true if you want i2pd installed and setup
+I2PSETUP=false
+
+#set to true if you want tor installed and setup
+TORSETUP=true
+
+#enable Tor introduction defense. Keeps the Tor process from stalling but hurts reliability. Only recommended if running on low powered fronts.
+TORINTRODEFENSE=false
+
+#enable Tor POW introduction defense. This should be enabled!
+TORPOWDEFENSE=true
+
+#enable Tor minimum work patch. This builds a new tor binary locally.
+TORMINWORK=true
+
+#Shared Front Captcha Key. Key should be alphanumeric between 64-128. Salt needs to be exactly 8 chars.
+KEY="Ex6meeghah2Voo4iezeequieFoChieyoch2kuish8ubopheikux2hedu5ahng5Iwooquii3tuowi6quie1leeTaeN5ugh0Dooch1naexaetoya9hoh2Fohlu5oP5ohm"
+SALT="OotoNg0s"
+#session length is in seconds. Default is 12 hours.
+SESSION_LENGTH=43200
+
+#Rate Limits!
+#Make sure to set these to reasonable defaults! Having them too low for your site can cause lots of disconnections while having them too high can make endgame ineffective!
+#Set the request rate to the max requests on your largest page! (try to keep it below 10! The lower you go the better endgame's protection is!)
+#Keep the stream limit 1 to 2 higher than your request limit!
+REQUESTRATELIMIT=8
+STREAMRATELIMIT=10
+
+#CSS Branding
+
+HEXCOLOR="9b59b6"
+HEXCOLORDARK="713C86"
+SITENAME="Nihilism"
+SITETAGLINE="Until there is nothing left."
+SITESINCE="2024"
+FAVICON="data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAABMLAAATCwAAAAAAAAAAAACtRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+qPor/pzaG/6k7if+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+sQo3/uV6e/8iBs/+9aaT/sEyT/8V7r//Feq//sEqS/6xDjf+tRI7/rUSO/61Ejv+tRI7/rUSO/65Fj/+vR5D/rEGM/+fI3v///////fv8/+/a6f/+/f7/+vT4/7Zam/+rP4v/rkWP/61Ejv+tRI7/rUSO/61Fjv+sQYz/qTqI/6g4h//hudX/5sXc/+7Z6P////////7///ft9P+2WZr/q0CL/61Fj/+tRI7/rUSO/61Fj/+rQIv/uFyd/82Ou//Njrv/uWGf/6g6iP+uR5D/5sbc///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qDqI/9aix///////69Hj/61Ejv+vSJD/qTqI/8BvqP//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rkaP/6k8if/fttP//////9ekyP+oOIf/sEuS/6tAi/+7ZKH//vv9//nw9v+2WJr/qz+L/61Fj/+tRI7/rUSO/65Gj/+oOoj/1qHG///////pzeH/qj6K/6o8if+lMoP/0pjB///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qj2K/7xmo//8+Pv//////+G61f+8ZqP/zpC8//v2+v//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rUSO/65Gj/+pPIn/zo+7//79/v///////////////////v////////jw9v+2WZr/qz+L/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUWP/6o9iv/Ab6j/37bT/+vR4//kwdr/16XI//36/P/58ff/tlma/6s/i/+tRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+uRo//qj2K/6o9if+tRY7/qDmH/7VYmv/9+fv/+fH3/7ZYmv+rP4v/rUWP/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+uRo//rkaP/6s/i/+6Y6H//Pf6//ju9f+1WJr/q0CL/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+qPor/umOh//79/v/69Pj/tlqb/6s/i/+uRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rEKN/7FNk//GfLD/xHmu/7BKkv+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
+SQUARELOGO="data:image/webp;base64,UklGRkwCAABXRUJQVlA4WAoAAAAQAAAATwAATwAAQUxQSC8AAAABH6CobRuIP9xev3ajERHxDWAqkg1PshdNnqeZJBfAR0T/J2ADngp0E/PbifAGPABWUDgg9gEAAFAMAJ0BKlAAUAA+bS6URiQioiEuGikggA2JQBoZQmgR/d8Cdib6gNsB5gPNy04Dej0a2NXoYw8XMJObQmvWHz52jkOgFebAO+W2C3pjVzORG7gs9ssx8qnjo3F96nSITr1LFsVBFyXhL7ywAP7cUf/iHNu+tvSh+rohhPqZvzMSRXtv7e8U/Dh5LwZIJHvcIx9GmDQsAejcJZBn+c5L63sC8fmQQAde+N776pYSR99TxW58l33OS2vwEbv0MLQQeKEkfOYxulikHr7tl/6ZwLnjENpEv6OnhDWVW53x32zxICdEDZ9TnGenzgbr1pGHJwZ3LX7o1h0RQkYVBag7IsYd+buU+m5wgCohMPbEwS+Vi02J7tVFAvUPVW5VfdjGFbzTfD5g/+nMoacT15PcUWxFNYCacgap7Zh5g0OaAa1rGJBuVbsFrGbbp5C85U3y+OuVTJcUt2wPNQJPA4lpjOyM5wGGRUxrjwy/+cOaOkfLlYc2ImOJLSmchU0u727olq8AMLRMZc/queUbr0E5ec/vKzZb9Z00D8dh5Hk6XNob6WDIFIusbW9UiKlnDFOz6ewFp4sONEBGGtI3gWG86cC+hmvHDzYlWupLMc2pRS9aO6FRiFAPmQXiJyK+lCZPtevTMxcUM4a6g3otDsiMGAOMbvIgAAA="
+NETWORKLOGO="data:image/webp;base64,UklGRpgFAABXRUJQVlA4WAoAAAAQAAAANgAAOwAAQUxQSCMFAAABoLBt2zE3HtddZhone8SubSt2bdu27a7rNqjtJlnvJqljJ7Xbqd1o0Ps4dt7v+6aTiIDgRpIiybnMu3cFb4DxaXs0+0hbmD4tbpO81cLkXLNJklmuptaLYnqa2kKJRaZVddJ9iQeTqppQRAKZK8glEyJMpdZeDdM6zhTM7phC7b66plB5/S1qFzqbFb5KYcqrQjOnOaW880P1bzYmi4xpDERz2VROWcoYoOFuMmfyt2n7z01m+KmAEP1d1TAON7urDwXMulyjLrmr8Vy2FjNjpB0AVTIXYCEXYj6v2QCwHaxmaZSnIisLAHaT1fz8swMAYBLzLLCcy2GRol0GALDf9ImvZtgDsLQSOUyJO9XHKaCAxfHNIMT9EfsBy7gMaDw5GGIaxxXzRqBTnzMJ0xwBuCaT1KVqXv8RDoh2MwrAAs4DKqlUlrbWlQEAYb+/0qTqSF5yQ41fKeRdf1SxEVI1sPRjHQvLauv4PTDq/Mlj5481h6WDjU0V9HlHIdvN/Z6KHsecSExKTExMunj4Lj+f/+vvcw+oDkY0STIM268lJiWdjH4kUgf0/kwxn3QUoiNZQjFzsfYryddtkCd8pE8Ufenrniyxwa1FSGhoWEDoQy4NCA4N9jvAs07YaPDGHx36h4a0cNsgcdkTAeI9VG9tAAAYW3IFQmZyGiTEF2ywVc23giAAkWkk74/N5ftYb6BJCTuI1nO9lOHjece+Y/bY+yRTIwEAAfr8ON0UxwU63p2NGEZD1HpRa2CD5MRs1V1yieMUfUK+PgCC+l8TPDOL66JuDHUF5QW1IZvVeoNOOETuq4d6xdk+CV/rS5oj0zGDF1RQtbtEFnkA3/XaGBMbtSsqemsmDdriwa0OKqjiOAvpbCFVaFOjgGMArODnXVXNRt4o+0pJJJ7FABjLAnPrAjkFLhjFO45o9FrbCxa7SVJBB2RqGsPpLsfAOV9BlctchyiuRvVYGsEPUYzCel6ppgxdy9UztU+8MY+C4luFahnBaPBaM1ut6QojYBvJGaj9WnCif22PTqufSgQBc0jugFFsiphcAxtpsBRC2tyRUSmRN62N9g/MrxschCQdiuXZwNgrjys3fEXySyNIc0xqLsntgFEPefHjf/AlyWvmMiZqZB4y65mmK4x6oQ0WIxBicNZSRv8vci+0zqgXGsW7jlAh3CBBzrBiuX8zxzsc/T/Ff+qxAOBfRvKOs4xVOvGf+mkMgDGSf2r5EopXwcbf1vsBSU6TUqVQdF8ooQuciXS2kC/Y+qhzhEOwPuPs6SvbbCWWayhXsPVRtzjLK15asIH6/Dj9NMf5WhaGQojNTz2rAnBfpiUV20N8nqQ9dE8n+XB8Dt/H+kBkls+dU8YuEopcvhnljnsgbUYh8q1PKl6u8pRan9jXA+B1Rb7RhgxuJfhdwWs/xUab7N73i1JbjwMAVbqCD10U2/rnXoFq0aNoYYhcX25QbXc55eOrOESe+FpsF73tK4wsRwsAgEXbrn6+XX39/f39fH0jQ2wUR9YvKrhdIqlL0bz+IwyS1J7YBEpRGpBJLgAcpyWc7uMYWMDiuKaiRq9e9gVG5Y8CeuSeMVcaxyfjJjsYO/yrzmGeBdZwDSxyuLqydPi/nGYPwMIKSnHbUcwXwqphJq4aizCfl8wlq0bJLncYnfb/aoxebLRJnU25Ri1hNNBwF5kzsaKWtgpaEStoITXp+vugQtZfAIsqZtkGelbUau+aJch0hanT4ibJG81h+rQ5kn2kDYwGAFZQOCBOAAAA0AQAnQEqNwA8AD5tLJJFpCKhmAQAQAbEtIAASD/dKxnoTlaUzRT/Q9kkRNlNuAAA/TH//9wDj/sFX/91UzfhNf+E8DE//4h3B/k1wAAA"
+
+
+SIDENOTES FROM /u/Paris :
+
+If you are using the TORMINWORK=true setting generally you don't need gobalance at all. You can just have a single front handle the load. Gobalance can't handle POW at this time as there are tor control systems to really handle it at this time. When arti is finished with POW onionbalance will be finished in rust. We are waiting for that. Should be within the year.
+
+If you are running endgame and onionbalance on the same server are you doing it wrong. Onionbalance is designed to combine multiple fronts into a single descriptor for load balancing. One address with multiple fronts holding it up. If you only have a single server just run endgame and pass the ending address to others. No onionbalance needed at all.
+
+If you want to have a custom address created use a tool like mkp224o and generate a custom one. You can then transfer the custom one over to your front (replacing the /etc/tor/hidden_service files with the generated one). Then go into /etc/nginx/sites-enabled/site.conf and change out the onion address to your new one. After that reboot and your new custom address should be live on your front.
+
+
+
+Now from here you can run the setup.sh file. However just in case if you messed up at any point up until now, i recommend you take a VM snapshot to revert to in case if something goes wrong.
+ +Snapshot taken, now let's run setup.sh:
+
+root@debian:~/endgame# ./setup.sh
+Welcome To The End Game DDOS Prevention Setup...
+Proceeding to do the configuration and setup. This will take awhile.
+The system will reboot after finishing setup!
+Generating Master Key... should only take a second...
+Done. MASTER_KEY = 1DWWADWAAWAWDWDAWAAWWAWAD3121556778652
+
+[...]
+
+#let it run and reboot
+
+[..]
+
+
+User sessions running outdated binaries:
+ nihilist @ session #1: bash[527], login[466], su[537]
+ nihilist @ session #3: bash[669], sshd[661,668], su[672]
+ nihilist @ user manager service: systemd[520]
+
+No VM guests are running outdated hypervisor (qemu) binaries on this host.
+EndGame Setup Script Finished!
+TOR Hostname:
+gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion
+The address it to your gobalance config.yaml file!
+This system will now reboot in 10 seconds!
+
+root@debian:~/endgame# Connection to 10.99.99.216 closed by remote host.
+Connection to 10.99.99.216 closed.
+
+
+VM rebooted, so reconnect there:
+
+root@debian:~/endgame# Connection to 10.99.99.216 closed by remote host.
+Connection to 10.99.99.216 closed.
+
+[ LAN-Home ] [ /dev/pts/4 ] [~]
+→ ssh nihilist@10.99.99.216
+nihilist@10.99.99.216's password:
+Linux debian 6.7.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.7.9-2 (2024-03-13) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+You have mail.
+Last login: Sat Apr 13 12:38:34 2024 from 10.99.99.101
+nihilist@debian:~$ su -
+Password:
+
+root@debian:~# systemctl status endgame
+● endgame.service - Endgame Startup Script Service
+ Loaded: loaded (/etc/systemd/system/endgame.service; enabled; preset: enabled)
+ Active: active (running) since Sat 2024-04-13 15:27:20 CEST; 1min 39s ago
+ Process: 501 ExecStart=/startup.sh (code=exited, status=0/SUCCESS)
+ Tasks: 8 (limit: 2323)
+ Memory: 183.0M
+ CPU: 1.245s
+ CGroup: /system.slice/endgame.service
+ ├─521 tor -f /etc/tor/torrc2
+ ├─524 tor -f /etc/tor/torrc3
+ ├─525 socat UNIX-LISTEN:/run/tor_pass1.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion:80,socksport=9060
+ └─526 socat UNIX-LISTEN:/run/tor_pass2.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion:80,socksport=9070
+
+Apr 13 15:27:20 debian startup.sh[513]: Apr 13 15:27:20.586 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
+Apr 13 15:27:20 debian startup.sh[513]: Apr 13 15:27:20.594 [notice] Read configuration file "/etc/tor/torrc2".
+Apr 13 15:27:20 debian startup.sh[521]: Apr 13 15:27:20.596 [notice] Opening Socks listener on 127.0.0.1:9060
+Apr 13 15:27:20 debian startup.sh[521]: Apr 13 15:27:20.596 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9060
+Apr 13 15:27:20 debian startup.sh[522]: Apr 13 15:27:20.610 [notice] Tor 0.4.8.11 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.11, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
+Apr 13 15:27:20 debian startup.sh[522]: Apr 13 15:27:20.610 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
+Apr 13 15:27:20 debian startup.sh[522]: Apr 13 15:27:20.610 [notice] Read configuration file "/etc/tor/torrc3".
+Apr 13 15:27:20 debian startup.sh[524]: Apr 13 15:27:20.615 [notice] Opening Socks listener on 127.0.0.1:9070
+Apr 13 15:27:20 debian startup.sh[524]: Apr 13 15:27:20.615 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9070
+Apr 13 15:27:20 debian systemd[1]: Started endgame.service - Endgame Startup Script Service.
+
+
+And here you can see that the endgame systemd service launched successfully, but as hinted above, we need to edit the gobalance config.yaml file:
+
+root@debian:~# vim endgame/sourcecode/gobalance/config.yaml
+root@debian:~# cat endgame/sourcecode/gobalance/config.yaml
+services:
+ - key: uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.key
+ instances:
+ - address: gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion
+
+root@debian:~/endgame# systemctl restart endgame
+root@debian:~/endgame# systemctl status endgame
+● endgame.service - Endgame Startup Script Service
+ Loaded: loaded (/etc/systemd/system/endgame.service; enabled; preset: enabled)
+ Active: active (running) since Sat 2024-04-13 15:32:26 CEST; 5s ago
+ Process: 1002 ExecStart=/startup.sh (code=exited, status=0/SUCCESS)
+ Tasks: 8 (limit: 2323)
+ Memory: 74.3M
+ CPU: 867ms
+ CGroup: /system.slice/endgame.service
+ ├─1006 tor -f /etc/tor/torrc2
+ ├─1009 tor -f /etc/tor/torrc3
+ ├─1010 socat UNIX-LISTEN:/run/tor_pass1.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion:80,socksport=9060
+ └─1011 socat UNIX-LISTEN:/run/tor_pass2.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion:80,socksport=9070
+
+Apr 13 15:32:26 debian startup.sh[1004]: Apr 13 15:32:26.730 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
+Apr 13 15:32:26 debian startup.sh[1004]: Apr 13 15:32:26.730 [notice] Read configuration file "/etc/tor/torrc2".
+Apr 13 15:32:26 debian startup.sh[1006]: Apr 13 15:32:26.731 [notice] Opening Socks listener on 127.0.0.1:9060
+Apr 13 15:32:26 debian startup.sh[1006]: Apr 13 15:32:26.732 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9060
+Apr 13 15:32:26 debian startup.sh[1007]: Apr 13 15:32:26.740 [notice] Tor 0.4.8.11 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.11, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
+Apr 13 15:32:26 debian startup.sh[1007]: Apr 13 15:32:26.740 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
+Apr 13 15:32:26 debian startup.sh[1007]: Apr 13 15:32:26.740 [notice] Read configuration file "/etc/tor/torrc3".
+Apr 13 15:32:26 debian startup.sh[1009]: Apr 13 15:32:26.742 [notice] Opening Socks listener on 127.0.0.1:9070
+Apr 13 15:32:26 debian startup.sh[1009]: Apr 13 15:32:26.742 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9070
+Apr 13 15:32:26 debian systemd[1]: Started endgame.service - Endgame Startup Script Service.
+
+
+Now before we continue, keep in mind that we will access the backend servers using the URL http://gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion/, so we need to make sure that the nginx server there has that URL aliased:
+
+[ Belladona ] [ /dev/pts/18 ] [/srv/Binternet]
+→ cat /etc/nginx/sites-available/nihilism.network.conf
+server {
+ listen 80;
+ listen [::]:80;
+ server_name nihilism.network;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ ######## TOR CHANGES ########
+ listen 4445;
+ listen [::]:4445;
+ server_name nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion;
+ add_header Onion-Location "http://nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion/onion.html" always;
+ ######## TOR CHANGES ########
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name nihilism.network;
+[...]
+
+}
+
+#do the same on the other backend server!
+
+
+Then after restarting the endgame service we check if it works as intended by accessing the main onion at the following URL http://gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion/:
+ +Here as you can see we're placed into a queue before being redirected to the captcha:
+ +Then we fill in the captcha before getting redirected to one of the backend servers:
+ +And that's it ! We have been redirected to one of the backend servers as intended. We can redo the whole process again by picking a new Identity in the tor browser to see if it redirects us to the other backend server as intended:
+ +Now you can scale your hidden service operations over multiple backend servers, while still protecting against DDOS attacks.
+ +Now there are 2 issues with that setup. First there are performance issues due to latency as in this current setup we have to go through Tor twice to get to the backend server, that's not ideal at all.
+ +Problem 2: Not big enough! +Second issue, why is there onionbalance in the mix and only one endgame frontend ?! As detailed in the article, onionbalance allows us to introduce high availability over a single onion service (like DNS Load balancing):
+
+Onionbalance is software designed and written by Donncha O'Cearbhaill as part of Tor's Summer of Privacy 2015. It allows onion service operators to achieve the property of high availability by allowing multiple machines to handle requests for a single onion service. You can think of it as the onion service equivalent of load balancing using round-robin DNS.
+
+
+The true goal here is to have multiple Endgame fronts spread across multiple servers, under the same Master Onion Link! So for this second part of the tutorial we have this following setup:
+ +So here we'll have 3 local backend servers for the same service, and we're going to have 2 Endgame servers, which will be under the same master subnet.
+Let's first setup our 3 local backend servers, this time they will be 3 instances of the same service:
+
+root@backend1:~# apt install nginx vim -y
+
+root@backend1:~# vim /var/www/html/index.nginx-debian.html
+root@backend1:~# cat /var/www/html/index.nginx-debian.html
+Welcome to our Nihilist's service!
+
+We are currently on backend server 1 !
+
+
+We clone that VM to the 2 other backend servers:
+ +We edit the web page of the 2 backend servers to know on which backend server we land, and we have the following:
+
+[ LAN-Home ] [ /dev/pts/3 ] [~]
+→ curl 10.99.99.216
+Welcome to our Nihilist's service!
+
+We are currently on backend server 1 !
+
+[ LAN-Home ] [ /dev/pts/3 ] [~]
+→ curl 10.99.99.219
+Welcome to our Nihilist's service!
+
+We are currently on backend server 2 !
+
+
+
+Our backend servers are now be reachable locally at the local IPs 10.99.99.216, and 10.99.99.219 on port 80
+ + +Now let's setup our 2 Endgame Fronts servers on 2 other VMs, this will be a repeat of what we went through above for our previous endgame setup:
+ +So as advised, here we need to configure endgame once, and then archive everything except the sourcecode
+
+After you are done EndGame's configuration, you should archive everything except the sourcecode folder. Transfer the archive to a blank debian 12 system. As root, extract the archive and run setup.sh like './setup.sh'. At the end of the setup, it will export an onion address (and i2p if set but don't add that to gobalance) which you can provide to users or add to your gobalance configuration.
+
+
+So on our Endgame front 1, we configure gobalance to generate the .key file: (not on Endgame front 2!)
+
+root@endgame1:~/endgame/sourcecode/gobalance# go get -u ; go mod vendor ; go build -o gobalance main.go ; ./gobalance g
+go: downloading github.com/sirupsen/logrus v1.9.3
+go: downloading github.com/urfave/cli/v2 v2.27.1
+go: downloading golang.org/x/crypto v0.17.0
+go: downloading golang.org/x/crypto v0.22.0
+go: downloading github.com/urfave/cli v1.22.14
+go: downloading gopkg.in/yaml.v3 v3.0.1
+go: downloading golang.org/x/sys v0.15.0
+go: downloading golang.org/x/sys v0.19.0
+go: downloading maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066
+go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.3
+go: downloading github.com/cpuguy83/go-md2man v1.0.10
+go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.4
+go: downloading github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e
+go: downloading github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913
+go: downloading github.com/russross/blackfriday/v2 v2.1.0
+go: downloading github.com/russross/blackfriday v1.6.0
+go: upgraded github.com/cpuguy83/go-md2man/v2 v2.0.3 => v2.0.4
+go: upgraded github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e => v0.0.0-20240312152122-5f08fbb34913
+go: upgraded golang.org/x/crypto v0.17.0 => v0.22.0
+go: upgraded golang.org/x/sys v0.15.0 => v0.19.0
+go: downloading github.com/stretchr/testify v1.8.0
+go: downloading github.com/pmezard/go-difflib v1.0.0
+go: downloading github.com/davecgh/go-spew v1.1.1
+root@endgame1:~/endgame/sourcecode/gobalance# ls
+config.yaml gobalance go.sum pkg torrc
+ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key go.mod main.go README.md vendor
+
+
+Here again i recommend making a snapshot of both VMs before continuing. Next we configure engame.config on the endgame front 1:
+
+root@endgame1:~/endgame# vim endgame.config
+root@endgame1:~/endgame# cat endgame.config
+#This area
+
+#OPTIONS!
+MASTERONION="ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion"
+TORAUTHPASSWORD="CHANGETHISPASSWORD!!!!"
+BACKENDONION1=""
+BACKENDONION2=""
+
+#set to true if you want to setup local proxy instead of proxy over Tor
+LOCALPROXY=true
+PROXYPASSURL="10.99.99.216"
+
+#Install the latest kernel from debian unstable. Recommended but may cause some issues on old systems.
+LATESTKERNEL=true
+
+#reboot after completion. Highly recommended to get the new kernel active.
+REBOOT=true
+
+#set to true if you want i2pd installed and setup
+I2PSETUP=false
+
+#set to true if you want tor installed and setup
+TORSETUP=true
+
+#enable Tor introduction defense. Keeps the Tor process from stalling but hurts reliability. Only recommended if running on low powered fronts.
+TORINTRODEFENSE=false
+
+#enable Tor POW introduction defense. This should be enabled!
+TORPOWDEFENSE=false
+
+#enable Tor minimum work patch. This builds a new tor binary locally.
+TORMINWORK=false
+
+#Shared Front Captcha Key. Key should be alphanumeric between 64-128. Salt needs to be exactly 8 chars.
+KEY="thoh1me2aemoonuo1eiNgaejahbeep5oe9eiZ3aezee5igae9faiv9sailoo1laath9vu7aeteeCh4ShaeVeidooy3see7Goong6gei3eePh6Ba5Leepee7zawooch3"
+SALT="agieLae8"
+#session length is in seconds. Default is 12 hours.
+SESSION_LENGTH=43200
+
+#Rate Limits!
+#Make sure to set these to reasonable defaults! Having them too low for your site can cause lots of disconnections while having them too high can make endgame ineffective!
+#Set the request rate to the max requests on your largest page! (try to keep it below 10! The lower you go the better endgame's protection is!)
+#Keep the stream limit 1 to 2 higher than your request limit!
+REQUESTRATELIMIT=8
+STREAMRATELIMIT=10
+
+#CSS Branding
+
+HEXCOLOR="9b59b6"
+HEXCOLORDARK="713C86"
+SITENAME="Nihilism"
+SITETAGLINE="Until there is nothing left."
+SITESINCE="2024"
+FAVICON="data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAABMLAAATCwAAAAAAAAAAAACtRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+qPor/pzaG/6k7if+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+sQo3/uV6e/8iBs/+9aaT/sEyT/8V7r//Feq//sEqS/6xDjf+tRI7/rUSO/61Ejv+tRI7/rUSO/65Fj/+vR5D/rEGM/+fI3v///////fv8/+/a6f/+/f7/+vT4/7Zam/+rP4v/rkWP/61Ejv+tRI7/rUSO/61Fjv+sQYz/qTqI/6g4h//hudX/5sXc/+7Z6P////////7///ft9P+2WZr/q0CL/61Fj/+tRI7/rUSO/61Fj/+rQIv/uFyd/82Ou//Njrv/uWGf/6g6iP+uR5D/5sbc///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qDqI/9aix///////69Hj/61Ejv+vSJD/qTqI/8BvqP//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rkaP/6k8if/fttP//////9ekyP+oOIf/sEuS/6tAi/+7ZKH//vv9//nw9v+2WJr/qz+L/61Fj/+tRI7/rUSO/65Gj/+oOoj/1qHG///////pzeH/qj6K/6o8if+lMoP/0pjB///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qj2K/7xmo//8+Pv//////+G61f+8ZqP/zpC8//v2+v//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rUSO/65Gj/+pPIn/zo+7//79/v///////////////////v////////jw9v+2WZr/qz+L/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUWP/6o9iv/Ab6j/37bT/+vR4//kwdr/16XI//36/P/58ff/tlma/6s/i/+tRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+uRo//qj2K/6o9if+tRY7/qDmH/7VYmv/9+fv/+fH3/7ZYmv+rP4v/rUWP/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+uRo//rkaP/6s/i/+6Y6H//Pf6//ju9f+1WJr/q0CL/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+qPor/umOh//79/v/69Pj/tlqb/6s/i/+uRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rEKN/7FNk//GfLD/xHmu/7BKkv+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
+SQUARELOGO="data:image/webp;base64,UklGRkwCAABXRUJQVlA4WAoAAAAQAAAATwAATwAAQUxQSC8AAAABH6CobRuIP9xev3ajERHxDWAqkg1PshdNnqeZJBfAR0T/J2ADngp0E/PbifAGPABWUDgg9gEAAFAMAJ0BKlAAUAA+bS6URiQioiEuGikggA2JQBoZQmgR/d8Cdib6gNsB5gPNy04Dej0a2NXoYw8XMJObQmvWHz52jkOgFebAO+W2C3pjVzORG7gs9ssx8qnjo3F96nSITr1LFsVBFyXhL7ywAP7cUf/iHNu+tvSh+rohhPqZvzMSRXtv7e8U/Dh5LwZIJHvcIx9GmDQsAejcJZBn+c5L63sC8fmQQAde+N776pYSR99TxW58l33OS2vwEbv0MLQQeKEkfOYxulikHr7tl/6ZwLnjENpEv6OnhDWVW53x32zxICdEDZ9TnGenzgbr1pGHJwZ3LX7o1h0RQkYVBag7IsYd+buU+m5wgCohMPbEwS+Vi02J7tVFAvUPVW5VfdjGFbzTfD5g/+nMoacT15PcUWxFNYCacgap7Zh5g0OaAa1rGJBuVbsFrGbbp5C85U3y+OuVTJcUt2wPNQJPA4lpjOyM5wGGRUxrjwy/+cOaOkfLlYc2ImOJLSmchU0u727olq8AMLRMZc/queUbr0E5ec/vKzZb9Z00D8dh5Hk6XNob6WDIFIusbW9UiKlnDFOz6ewFp4sONEBGGtI3gWG86cC+hmvHDzYlWupLMc2pRS9aO6FRiFAPmQXiJyK+lCZPtevTMxcUM4a6g3otDsiMGAOMbvIgAAA="
+NETWORKLOGO="data:image/webp;base64,UklGRpgFAABXRUJQVlA4WAoAAAAQAAAANgAAOwAAQUxQSCMFAAABoLBt2zE3HtddZhone8SubSt2bdu27a7rNqjtJlnvJqljJ7Xbqd1o0Ps4dt7v+6aTiIDgRpIiybnMu3cFb4DxaXs0+0hbmD4tbpO81cLkXLNJklmuptaLYnqa2kKJRaZVddJ9iQeTqppQRAKZK8glEyJMpdZeDdM6zhTM7phC7b66plB5/S1qFzqbFb5KYcqrQjOnOaW880P1bzYmi4xpDERz2VROWcoYoOFuMmfyt2n7z01m+KmAEP1d1TAON7urDwXMulyjLrmr8Vy2FjNjpB0AVTIXYCEXYj6v2QCwHaxmaZSnIisLAHaT1fz8swMAYBLzLLCcy2GRol0GALDf9ImvZtgDsLQSOUyJO9XHKaCAxfHNIMT9EfsBy7gMaDw5GGIaxxXzRqBTnzMJ0xwBuCaT1KVqXv8RDoh2MwrAAs4DKqlUlrbWlQEAYb+/0qTqSF5yQ41fKeRdf1SxEVI1sPRjHQvLauv4PTDq/Mlj5481h6WDjU0V9HlHIdvN/Z6KHsecSExKTExMunj4Lj+f/+vvcw+oDkY0STIM268lJiWdjH4kUgf0/kwxn3QUoiNZQjFzsfYryddtkCd8pE8Ufenrniyxwa1FSGhoWEDoQy4NCA4N9jvAs07YaPDGHx36h4a0cNsgcdkTAeI9VG9tAAAYW3IFQmZyGiTEF2ywVc23giAAkWkk74/N5ftYb6BJCTuI1nO9lOHjece+Y/bY+yRTIwEAAfr8ON0UxwU63p2NGEZD1HpRa2CD5MRs1V1yieMUfUK+PgCC+l8TPDOL66JuDHUF5QW1IZvVeoNOOETuq4d6xdk+CV/rS5oj0zGDF1RQtbtEFnkA3/XaGBMbtSsqemsmDdriwa0OKqjiOAvpbCFVaFOjgGMArODnXVXNRt4o+0pJJJ7FABjLAnPrAjkFLhjFO45o9FrbCxa7SVJBB2RqGsPpLsfAOV9BlctchyiuRvVYGsEPUYzCel6ppgxdy9UztU+8MY+C4luFahnBaPBaM1ut6QojYBvJGaj9WnCif22PTqufSgQBc0jugFFsiphcAxtpsBRC2tyRUSmRN62N9g/MrxschCQdiuXZwNgrjys3fEXySyNIc0xqLsntgFEPefHjf/AlyWvmMiZqZB4y65mmK4x6oQ0WIxBicNZSRv8vci+0zqgXGsW7jlAh3CBBzrBiuX8zxzsc/T/Ff+qxAOBfRvKOs4xVOvGf+mkMgDGSf2r5EopXwcbf1vsBSU6TUqVQdF8ooQuciXS2kC/Y+qhzhEOwPuPs6SvbbCWWayhXsPVRtzjLK15asIH6/Dj9NMf5WhaGQojNTz2rAnBfpiUV20N8nqQ9dE8n+XB8Dt/H+kBkls+dU8YuEopcvhnljnsgbUYh8q1PKl6u8pRan9jXA+B1Rb7RhgxuJfhdwWs/xUab7N73i1JbjwMAVbqCD10U2/rnXoFq0aNoYYhcX25QbXc55eOrOESe+FpsF73tK4wsRwsAgEXbrn6+XX39/f39fH0jQ2wUR9YvKrhdIqlL0bz+IwyS1J7YBEpRGpBJLgAcpyWc7uMYWMDiuKaiRq9e9gVG5Y8CeuSeMVcaxyfjJjsYO/yrzmGeBdZwDSxyuLqydPi/nGYPwMIKSnHbUcwXwqphJq4aizCfl8wlq0bJLncYnfb/aoxebLRJnU25Ri1hNNBwF5kzsaKWtgpaEStoITXp+vugQtZfAIsqZtkGelbUau+aJch0hanT4ibJG81h+rQ5kn2kDYwGAFZQOCBOAAAA0AQAnQEqNwA8AD5tLJJFpCKhmAQAQAbEtIAASD/dKxnoTlaUzRT/Q9kkRNlNuAAA/TH//9wDj/sFX/91UzfhNf+E8DE//4h3B/k1wAAA"
+
+
+Here notice that we set both TORPOWDEFENSE and TORMINWORK to false, this is due to not being supported by gobalance as gobalance does not handle POW and won't combine the descriptors correclty. We also left the BACKENDONIONs to empty strings, and instead changed the LOCALPROXY to true, with the PROXYPASSURL set to one of our local backend servers 10.99.99.216. as advised in the README:
+
+Local Proxy: Change LOCALPROXY to true and edit the PROXYPASSURL to the specific IP or hostname of your backend location. It will default to connect on port 80 via http but you can edit line 320 of the site.conf to change that to your specific needs.
+
+
+Then here, we need to archive the entire endgame folder, and extract it to our endgame2 front before running setup.sh:
+
+root@endgame1:~/endgame# cd ..
+root@endgame1:~# tar -czvf EndgameV3-nihilism.tar.gz endgame >/dev/null
+root@endgame1:~# ls
+endgame EndgameV3-nihilism.tar.gz go
+
+
+Now that the archive is created, let's transfer it to endgame2 and extract it:
+
+[term1]
+root@endgame1:~# ip a | grep inet ; python3 -m http.server 9090
+ inet 127.0.0.1/8 scope host lo
+ inet6 ::1/128 scope host noprefixroute
+ inet 10.99.99.221/24 brd 10.99.99.255 scope global dynamic enp1s0
+ inet6 fe80::5054:ff:fe00:3bfa/64 scope link
+Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+[term2]
+root@endgame2:~/# wget http://10.99.99.221:9090/EndgameV3-nihilism.tar.gz
+--2024-04-14 13:42:20-- http://10.99.99.221:9090/EndgameV3-nihilism.tar.gz
+Connecting to 10.99.99.221:9090... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 75225067 (72M) [application/gzip]
+Saving to: ‘EndgameV3-nihilism.tar.gz’
+
+EndgameV3-nihilism.tar.gz 100%[====================================>] 71.74M --.-KB/s in 0.09s
+
+2024-04-14 13:42:20 (784 MB/s) - ‘EndgameV3-nihilism.tar.gz’ saved [75225067/75225067]
+root@endgame2:~# tar -xzvf EndgameV3-nihilism.tar.gz >/dev/null
+root@endgame2:~# ls
+endgame EndgameV3-nihilism.tar.gz
+root@endgame2:~# ls endgame
+aptpreferences i2pd.conf naxsi_core.rules repokeys sourcecode torrc2
+dependencies jail.local naxsi_whitelist.rules resty startup.sh torrc3
+endgame.config limits.conf nginx.conf resty.tgz sysctl.conf tunnels.conf
+EndGameV3.tar.gz lua nginx-update.sh setup.sh tor-patch
+getdependencies.sh mentions.txt README.md site.conf torrc
+
+
+Now back to our endgame front 1: we run setup.sh:
+
+root@endgame1:~/endgame# ./setup.sh
+Welcome To The End Game DDOS Prevention Setup...
+Proceeding to do the configuration and setup. This will take awhile.
+The system will reboot after finishing setup!
+
+
+Let it run and take note of the endgame front instance TOR hostname as displayed at the end, which will be our first endgame instance's .onion link:
+
+EndGame Setup Script Finished!
+TOR Hostname:
+xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion
+The address it to your gobalance config.yaml file!
+This system will now reboot in 10 seconds!
+root@endgame1:~/endgame# Connection to 10.99.99.221 closed by remote host.
+Connection to 10.99.99.221 closed.
+
+[ LAN-Home ] [ /dev/pts/6 ] [~]
+→ ssh nihilist@10.99.99.221
+nihilist@10.99.99.221's password:
+Linux endgame1 6.7.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.7.9-2 (2024-03-13) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+You have new mail.
+Last login: Sun Apr 14 14:09:56 2024 from 10.99.99.101
+nihilist@endgame1:~$ su -
+Password:
+root@endgame1:~#
+
+root@endgame1:~/endgame/sourcecode/gobalance# vim config.yaml
+root@endgame1:~/endgame/sourcecode/gobalance# cat config.yaml
+services:
+ - key: ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key
+ instances:
+ - address: xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion
+
+root@endgame1:~/endgame/sourcecode/gobalance# reboot now
+
+
+Now on the Endgame front 2 VM, edit the endgame.config file to make sure that i redirects to the second backend server:
+
+root@endgame2:~# cat endgame/endgame.config
+#This area
+
+#OPTIONS!
+MASTERONION="ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion"
+TORAUTHPASSWORD="CHANGETHISPASSWORD!!!!"
+BACKENDONION1=""
+BACKENDONION2=""
+
+#set to true if you want to setup local proxy instead of proxy over Tor
+LOCALPROXY=true
+PROXYPASSURL="10.99.99.219"
+
+#Install the latest kernel from debian unstable. Recommended but may cause some issues on old systems.
+LATESTKERNEL=true
+
+#reboot after completion. Highly recommended to get the new kernel active.
+REBOOT=true
+
+#set to true if you want i2pd installed and setup
+I2PSETUP=false
+
+#set to true if you want tor installed and setup
+TORSETUP=true
+
+#enable Tor introduction defense. Keeps the Tor process from stalling but hurts reliability. Only recommended if running on low powered fronts.
+TORINTRODEFENSE=false
+
+#enable Tor POW introduction defense. This should be enabled!
+TORPOWDEFENSE=false
+
+#enable Tor minimum work patch. This builds a new tor binary locally.
+TORMINWORK=false
+
+#Shared Front Captcha Key. Key should be alphanumeric between 64-128. Salt needs to be exactly 8 chars.
+KEY="thoh1me2aemoonuo1eiNgaejahbeep5oe9eiZ3aezee5igae9faiv9sailoo1laath9vu7aeteeCh4ShaeVeidooy3see7Goong6gei3eePh6Ba5Leepee7zawooch3"
+SALT="agieLae8"
+#session length is in seconds. Default is 12 hours.
+SESSION_LENGTH=43200
+
+#Rate Limits!
+#Make sure to set these to reasonable defaults! Having them too low for your site can cause lots of disconnections while having them too high can make endgame ineffective!
+#Set the request rate to the max requests on your largest page! (try to keep it below 10! The lower you go the better endgame's protection is!)
+#Keep the stream limit 1 to 2 higher than your request limit!
+REQUESTRATELIMIT=8
+STREAMRATELIMIT=10
+
+#CSS Branding
+
+HEXCOLOR="9b59b6"
+HEXCOLORDARK="713C86"
+SITENAME="Nihilism"
+SITETAGLINE="Until there is nothing left."
+SITESINCE="2024"
+FAVICON="data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAQAABMLAAATCwAAAAAAAAAAAACtRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+qPor/pzaG/6k7if+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Fjv+sQo3/uV6e/8iBs/+9aaT/sEyT/8V7r//Feq//sEqS/6xDjf+tRI7/rUSO/61Ejv+tRI7/rUSO/65Fj/+vR5D/rEGM/+fI3v///////fv8/+/a6f/+/f7/+vT4/7Zam/+rP4v/rkWP/61Ejv+tRI7/rUSO/61Fjv+sQYz/qTqI/6g4h//hudX/5sXc/+7Z6P////////7///ft9P+2WZr/q0CL/61Fj/+tRI7/rUSO/61Fj/+rQIv/uFyd/82Ou//Njrv/uWGf/6g6iP+uR5D/5sbc///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qDqI/9aix///////69Hj/61Ejv+vSJD/qTqI/8BvqP//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rkaP/6k8if/fttP//////9ekyP+oOIf/sEuS/6tAi/+7ZKH//vv9//nw9v+2WJr/qz+L/61Fj/+tRI7/rUSO/65Gj/+oOoj/1qHG///////pzeH/qj6K/6o8if+lMoP/0pjB///////47vX/tlma/6s/i/+tRY//rUSO/61Ejv+uRo//qj2K/7xmo//8+Pv//////+G61f+8ZqP/zpC8//v2+v//////+O/1/7ZZmv+rP4v/rUWP/61Ejv+tRI7/rUSO/65Gj/+pPIn/zo+7//79/v///////////////////v////////jw9v+2WZr/qz+L/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUWP/6o9iv/Ab6j/37bT/+vR4//kwdr/16XI//36/P/58ff/tlma/6s/i/+tRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+uRo//qj2K/6o9if+tRY7/qDmH/7VYmv/9+fv/+fH3/7ZYmv+rP4v/rUWP/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+uRo//rkaP/6s/i/+6Y6H//Pf6//ju9f+1WJr/q0CL/61Fj/+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/65Gj/+qPor/umOh//79/v/69Pj/tlqb/6s/i/+uRY//rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rEKN/7FNk//GfLD/xHmu/7BKkv+sQ43/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+tRI7/rUSO/61Ejv+sQo3/qDiH/6g4h/+sQ43/rUSO/61Ejv+tRI7/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
+SQUARELOGO="data:image/webp;base64,UklGRkwCAABXRUJQVlA4WAoAAAAQAAAATwAATwAAQUxQSC8AAAABH6CobRuIP9xev3ajERHxDWAqkg1PshdNnqeZJBfAR0T/J2ADngp0E/PbifAGPABWUDgg9gEAAFAMAJ0BKlAAUAA+bS6URiQioiEuGikggA2JQBoZQmgR/d8Cdib6gNsB5gPNy04Dej0a2NXoYw8XMJObQmvWHz52jkOgFebAO+W2C3pjVzORG7gs9ssx8qnjo3F96nSITr1LFsVBFyXhL7ywAP7cUf/iHNu+tvSh+rohhPqZvzMSRXtv7e8U/Dh5LwZIJHvcIx9GmDQsAejcJZBn+c5L63sC8fmQQAde+N776pYSR99TxW58l33OS2vwEbv0MLQQeKEkfOYxulikHr7tl/6ZwLnjENpEv6OnhDWVW53x32zxICdEDZ9TnGenzgbr1pGHJwZ3LX7o1h0RQkYVBag7IsYd+buU+m5wgCohMPbEwS+Vi02J7tVFAvUPVW5VfdjGFbzTfD5g/+nMoacT15PcUWxFNYCacgap7Zh5g0OaAa1rGJBuVbsFrGbbp5C85U3y+OuVTJcUt2wPNQJPA4lpjOyM5wGGRUxrjwy/+cOaOkfLlYc2ImOJLSmchU0u727olq8AMLRMZc/queUbr0E5ec/vKzZb9Z00D8dh5Hk6XNob6WDIFIusbW9UiKlnDFOz6ewFp4sONEBGGtI3gWG86cC+hmvHDzYlWupLMc2pRS9aO6FRiFAPmQXiJyK+lCZPtevTMxcUM4a6g3otDsiMGAOMbvIgAAA="
+NETWORKLOGO="data:image/webp;base64,UklGRpgFAABXRUJQVlA4WAoAAAAQAAAANgAAOwAAQUxQSCMFAAABoLBt2zE3HtddZhone8SubSt2bdu27a7rNqjtJlnvJqljJ7Xbqd1o0Ps4dt7v+6aTiIDgRpIiybnMu3cFb4DxaXs0+0hbmD4tbpO81cLkXLNJklmuptaLYnqa2kKJRaZVddJ9iQeTqppQRAKZK8glEyJMpdZeDdM6zhTM7phC7b66plB5/S1qFzqbFb5KYcqrQjOnOaW880P1bzYmi4xpDERz2VROWcoYoOFuMmfyt2n7z01m+KmAEP1d1TAON7urDwXMulyjLrmr8Vy2FjNjpB0AVTIXYCEXYj6v2QCwHaxmaZSnIisLAHaT1fz8swMAYBLzLLCcy2GRol0GALDf9ImvZtgDsLQSOUyJO9XHKaCAxfHNIMT9EfsBy7gMaDw5GGIaxxXzRqBTnzMJ0xwBuCaT1KVqXv8RDoh2MwrAAs4DKqlUlrbWlQEAYb+/0qTqSF5yQ41fKeRdf1SxEVI1sPRjHQvLauv4PTDq/Mlj5481h6WDjU0V9HlHIdvN/Z6KHsecSExKTExMunj4Lj+f/+vvcw+oDkY0STIM268lJiWdjH4kUgf0/kwxn3QUoiNZQjFzsfYryddtkCd8pE8Ufenrniyxwa1FSGhoWEDoQy4NCA4N9jvAs07YaPDGHx36h4a0cNsgcdkTAeI9VG9tAAAYW3IFQmZyGiTEF2ywVc23giAAkWkk74/N5ftYb6BJCTuI1nO9lOHjece+Y/bY+yRTIwEAAfr8ON0UxwU63p2NGEZD1HpRa2CD5MRs1V1yieMUfUK+PgCC+l8TPDOL66JuDHUF5QW1IZvVeoNOOETuq4d6xdk+CV/rS5oj0zGDF1RQtbtEFnkA3/XaGBMbtSsqemsmDdriwa0OKqjiOAvpbCFVaFOjgGMArODnXVXNRt4o+0pJJJ7FABjLAnPrAjkFLhjFO45o9FrbCxa7SVJBB2RqGsPpLsfAOV9BlctchyiuRvVYGsEPUYzCel6ppgxdy9UztU+8MY+C4luFahnBaPBaM1ut6QojYBvJGaj9WnCif22PTqufSgQBc0jugFFsiphcAxtpsBRC2tyRUSmRN62N9g/MrxschCQdiuXZwNgrjys3fEXySyNIc0xqLsntgFEPefHjf/AlyWvmMiZqZB4y65mmK4x6oQ0WIxBicNZSRv8vci+0zqgXGsW7jlAh3CBBzrBiuX8zxzsc/T/Ff+qxAOBfRvKOs4xVOvGf+mkMgDGSf2r5EopXwcbf1vsBSU6TUqVQdF8ooQuciXS2kC/Y+qhzhEOwPuPs6SvbbCWWayhXsPVRtzjLK15asIH6/Dj9NMf5WhaGQojNTz2rAnBfpiUV20N8nqQ9dE8n+XB8Dt/H+kBkls+dU8YuEopcvhnljnsgbUYh8q1PKl6u8pRan9jXA+B1Rb7RhgxuJfhdwWs/xUab7N73i1JbjwMAVbqCD10U2/rnXoFq0aNoYYhcX25QbXc55eOrOESe+FpsF73tK4wsRwsAgEXbrn6+XX39/f39fH0jQ2wUR9YvKrhdIqlL0bz+IwyS1J7YBEpRGpBJLgAcpyWc7uMYWMDiuKaiRq9e9gVG5Y8CeuSeMVcaxyfjJjsYO/yrzmGeBdZwDSxyuLqydPi/nGYPwMIKSnHbUcwXwqphJq4aizCfl8wlq0bJLncYnfb/aoxebLRJnU25Ri1hNNBwF5kzsaKWtgpaEStoITXp+vugQtZfAIsqZtkGelbUau+aJch0hanT4ibJG81h+rQ5kn2kDYwGAFZQOCBOAAAA0AQAnQEqNwA8AD5tLJJFpCKhmAQAQAbEtIAASD/dKxnoTlaUzRT/Q9kkRNlNuAAA/TH//9wDj/sFX/91UzfhNf+E8DE//4h3B/k1wAAA"
+
+Once that's done, we run setup.sh on the Endgame front 2 VM, here also let it run and take note of the endgame front instance TOR hostname as displayed at the end:
+
+root@endgame2:~/endgame# ./setup.sh
+Welcome To The End Game DDOS Prevention Setup...
+Proceeding to do the configuration and setup. This will take awhile.
+The system will reboot after finishing setup!
+
+[...]
+
+EndGame Setup Script Finished!
+TOR Hostname:
+e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion
+The address it to your gobalance config.yaml file!
+This system will now reboot in 10 seconds!
+
+
+
+So here we're going to mention the 2 endgame onion hostnames in the gobalance config file of both endgame fronts 1 and 2:
+
+[term1]
+root@endgame1:~/endgame# vim sourcecode/gobalance/config.yaml
+root@endgame1:~/endgame# cat sourcecode/gobalance/config.yaml
+services:
+ - key: ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key
+ instances:
+ - address: xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion
+ - address: e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion
+
+
+Then we test if both endgame fronts work starting with front 1 on the URL http://xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion :
+ +and we test the other one on the URL http://e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion :
+ +And lastly we enable gobalance to make sure that the masteronion can redirect to either of the 2 after editing the config.yaml file:
+
+root@endgame1:~/endgame/sourcecode/gobalance# cat config.yaml
+services:
+ - key: ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key
+ instances:
+ - address: xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion
+ - address: e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion
+
+root@endgame1:~/endgame/sourcecode/gobalance# ./gobalance --torPassword 'CHANGETHISPASSWORD!!!!' -c config.yaml
+WARN[2024-04-14 19:26:24] Initializing gobalance (version: 1.0.0)...
+INFO[2024-04-14 19:26:24] Loaded the config file '/root/endgame/sourcecode/gobalance/config.yaml'.
+WARN[2024-04-14 19:26:24] Loaded onion ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion from /root/endgame/sourcecode/gobalance/ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key
+WARN[2024-04-14 19:26:24] Loaded instance xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd
+WARN[2024-04-14 19:26:24] Loaded instance e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad
+WARN[2024-04-14 19:26:24] OnionBalance initialized (tor version: 0.4.8.11-dev (git-caa2ddaa8dc1f4f3))!
+WARN[2024-04-14 19:26:24] ================================================================================
+INFO[2024-04-14 19:26:24] [ADAPTIVE] Waiting for 2 instance descriptors.
+INFO[2024-04-14 19:26:24] [*] FetchInstanceDescriptors() called [*]
+INFO[2024-04-14 19:26:24] Initiating fetch of descriptors for all service instances.
+INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $5FAE28CF4D1C520341EE104BF72516F4308B9485~nuker
+INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $778DCB9DB6CDD5FF2F1A85571308B492D6DFF962~TorHet
+INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $B72663DDF48F7047003DE6E3927936994DA44152~Unnamed
+INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $7AC2E7E67ADAC32F6F46AF607896637BBB455D64~mysocratesnote
+INFO[2024-04-14 20:02:23] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $484F666C491BCDE22B45E0E19D1CEA5ACC5A9611~WinstonSmith
+INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $3CA0D15567024D2E0B557DC0CF3E962B37999A79~QuintexAirVPN30
+INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $846B3EAAF0C07FF72FC79AEBB11FA3ADC58F240F~dc6jgk5b
+INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $455469D1C610E43498ECF88E83E29C0A694EF73B~whyza1
+INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $65379EED488599B0A1512E80D4743BC9125CB306~BlueMold
+INFO[2024-04-14 20:02:25] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $C111AC86B3719F0A2FB6254725CB5A7A62C9B451~LauchYT
+INFO[2024-04-14 20:02:25] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $235396838BB8FC7AFA529042B19615DF9E2AF218~soP49mzpYUFEwVdiFN3
+INFO[2024-04-14 20:02:26] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $4ADB08AFCF04657E0A0288AA230EEB74A96B1CEE~Lemminkainen
+INFO[2024-04-14 20:02:27] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $961B9D86125A08FAA9F7E742B228307EF7E2E082~TorNodeCzech
+INFO[2024-04-14 20:02:28] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $FBDE535D810756541B31C452C6694876C96A7FC1~BSDnodeAMS
+
+
+And now we test if the masteronion http://ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion/ is reachable:
+ + +Here we see that we were on the endgame front 1 instance, which redirected us to the backend server 1:
+ +Then we check if it still works after shutting down the endgame front 1:
+
+root@endgame1:~# shutdown now
+
+
+As you can see it still works:
+ + +And as you can see here we're being redirected to the backend server 2 as intended:
+ + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
Your ISP connection comes with a closed-source router. What makes you think that your ISP isn't giving access to it to an adversary so that he may be able to spy on your home network ? How do you protect against that?
+That same adversary suspects that you are running a hidden service from home. That adversary makes your ISP shut down your internet connection to check if you are actually running it or not. How do you ensure your hidden service keeps running ?
+ +In this tutorial we're going to setup a pfsense VM inside of virt-manager to make sure that our .onion Hidden service is hidden behind an open-source router, rather than a closed-source one. as detailed below:
+ +We're going to also make sure that we protect the hidden service from controlled internet downtimes, with a failover internet connection to a mobile hotspot.
+ +First you're going to need a Libvirtd QEMU hypervisor on your home server, check this tutorial to know how to set it up.
+So here we create the pfsense VM as shown in this tutorial, and we make sure to adjust it to have the following network configuration:
+So for the main network interface we setup the network interface as a direct attachment to the host network interface enp8s0 (as a macvtap device in virt-manager):
+ +As detailed in the previous tutorial, for the LAN network we setup an isolated network and use it like so:
+ +Then from inside pfsense we can set them both like so:
+ +Then we setup the second WAN, which is our mobile USB tethering hotspot. First just connect the mobile phone to the homeserver via USB:
+ +Once plugged in, you can check if the homeserver detects it via the lsusb command, and if it does, just add the USB host device to the VM directly like so:
+ + +However that's not enough as when you enable USB tethering the USB device ID changes, so we enable USB tethering like so (ex: in Graphene OS you go to: Settings > Network and Internet > Hotspot & Tethering > Toggle USB Tethering ON) before adding it in the pfsense VM:
+ +Now that the device is added, enable USB tethering from your phone , then let's make sure that it is proprely configured as a second WAN interface in pfsense:
+ +Here you see the pfsense VM detecting the usb device from console, however to make the setup simpler we'll set it up from the pfsense dashboard, from the VM inside the LAN network:
+ +So after clicking "add" we have now the OPT3 interface that we can configure:
+ +We rename it to WAN-Mobile, set it to DHCP (as it is the mobile phone that gives the DHCP lease to that interface), and hit save:
+ + +Here you can also see that pfsense detects that interface as a gateway in the routing section:
+ +Now that's done, we need to setup the failover by first having both gateways into the same gateway group:
+ + +Now here we have a gateway group, we have set our main WAN interface (WANGW, the ethernet connection) to be tier 1 as in first priority, and we have set our secondary WAN interface (WANMOBILE) to be Tier 2 as in second priority. The trigger level to switch between the 2 is going to be Packet Loss. Meaning if the ethernet connection goes down, the internet connection will resume through the mobile USB tethering hotspot:
+Now we hit save and apply, then we need to edit the LAN firewall rule because otherwise it won't accept any traffic to be routed to the other gateway:
+ + + +Now with this, the lan subnet will automatically route traffic through either gateway as dictated by pfsense. which is what we want. Now hit save and apply:
+ +And now we can see it in action when we unplug the ethernet cable like so:
+ +As you can see here, the traffic first goes through the default WAN interface, and after i unplug the ethernet cable, the same traffic starts to go through the other WAN interface via the mobile connection. Which concludes today's tutorial.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
What if an adversary tells your electricity provider to temporarily power off your electricity to check if it manages to shut down a particular hidden service ? How do you ensure that your hidden service running at home remains accessible even without the main electrical input ?
+ +In this tutorial we'll look at the most fundamental part of both Disaster Recovery Planning and Business Continuity for home servers. We'll look at how to deal with power outages.
+ +For the Electrical Outages, we'll setup a UPS in between our homeserver and the main electrical input, so that in case of a power outage the home server can keep running for a while before finally shutting down. The UPS will then send a message to the Network UPS Tools suite to tell the server to shutdown when the batteries run low.
+ +Before buying a UPS, you need to know how much your home server can draw power (in watts), to make it simple just look at your power supply in your Homeserver. Mine is a RM 750x:
+ +and as explained in the technical specs, it can draw up to 750 Watts of power:
+ +So you need a UPS that can generate at least 750 Watts of power, such as the APC Back-UPS 1600VA:
+ +For my usecase, i picked that one because it can power my homeserver with the 900Watts it can output. Perfect for my server that can draw 750Watts.
+First make sure your homeserver's plugged onto the UPS which is plugged onto the main electrical source. Then power on the homeserver, and after it booted, connect the serial to usb cable from the UPS to the homeserver, and you'll see it appear like so:
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ lsusb
+
+[...]
+
+Bus 003 Device 003: ID 051d:0002 American Power Conversion Uninterruptible Power Supply
+
+[...]
+
+
+
+Then, let's install network ups tools (nut) and make it scan for any ups connected via UPS like ours:
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ apt update -y ; apt install nut nut-client nut-server -y
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ sudo nut-scanner -U
+Scanning USB bus.
+[nutdev1]
+ driver = "usbhid-ups"
+ port = "auto"
+ vendorid = "051D"
+ productid = "0002"
+ product = "Back-UPS BX1600MI FW:378600G -302202G"
+ serial = "DWAADWAWDWA"
+ vendor = "American Power Conversion"
+ bus = "003"
+
+
+
+
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/upsmon.conf
+RUN_AS_USER root
+MONITOR apc-ups@localhost 1 admin secret master
+
+MINSUPPLIES 1
+SHUTDOWNCMD "/sbin/shutdown -h +0"
+POLLFREQ 5
+POLLFREQALERT 5
+HOSTSYNC 15
+DEADTIME 15
+POWERDOWNFLAG /etc/killpower
+RBWARNTIME 43200
+NOCOMMWARNTIME 300
+FINALDELAY 5
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/upsd.conf
+LISTEN 0.0.0.0 3493
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/nut.conf
+
+MODE=netserver
+
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/upsd.users
+[monuser]
+ password = secret
+ admin master
+
+
+
+
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ systemctl status nut-server nut-client nut-monitor
+● nut-server.service - Network UPS Tools - power devices information server
+ Loaded: loaded (/lib/systemd/system/nut-server.service; enabled; preset: enabled)
+ Active: active (running) since Sat 2024-04-06 17:23:47 CEST; 5s ago
+ Main PID: 707274 (upsd)
+ Tasks: 1 (limit: 76930)
+ Memory: 620.0K
+ CPU: 2ms
+ CGroup: /system.slice/nut-server.service
+ └─707274 /lib/nut/upsd -F
+
+Apr 06 17:23:47 wonderland systemd[1]: Started nut-server.service - Network UPS Tools - power devices information server.
+Apr 06 17:23:47 wonderland nut-server[707274]: fopen /run/nut/upsd.pid: No such file or directory
+Apr 06 17:23:47 wonderland nut-server[707274]: Could not find PID file '/run/nut/upsd.pid' to see if previous upsd instance is already running!
+Apr 06 17:23:47 wonderland nut-server[707274]: listening on 0.0.0.0 port 3493
+Apr 06 17:23:47 wonderland upsd[707274]: listening on 0.0.0.0 port 3493
+Apr 06 17:23:47 wonderland upsd[707274]: Connected to UPS [apc-ups]: usbhid-ups-apc-ups
+Apr 06 17:23:47 wonderland nut-server[707274]: Connected to UPS [apc-ups]: usbhid-ups-apc-ups
+Apr 06 17:23:47 wonderland nut-server[707274]: Running as foreground process, not saving a PID file
+Apr 06 17:23:47 wonderland upsd[707274]: Running as foreground process, not saving a PID file
+
+● nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller
+ Loaded: loaded (/lib/systemd/system/nut-monitor.service; enabled; preset: enabled)
+ Active: active (running) since Sat 2024-04-06 17:23:47 CEST; 5s ago
+ Main PID: 707276 (upsmon)
+ Tasks: 2 (limit: 76930)
+ Memory: 836.0K
+ CPU: 2ms
+ CGroup: /system.slice/nut-monitor.service
+ ├─707276 /lib/nut/upsmon -F
+ └─707277 /lib/nut/upsmon -F
+
+Apr 06 17:23:47 wonderland systemd[1]: Started nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller.
+Apr 06 17:23:47 wonderland nut-monitor[707276]: fopen /run/nut/upsmon.pid: No such file or directory
+Apr 06 17:23:47 wonderland nut-monitor[707276]: Could not find PID file to see if previous upsmon instance is already running!
+Apr 06 17:23:47 wonderland nut-monitor[707276]: UPS: apc-ups@localhost (primary) (power value 1)
+Apr 06 17:23:47 wonderland nut-monitor[707276]: Using power down flag file /etc/killpower
+Apr 06 17:23:47 wonderland nut-monitor[707277]: Init SSL without certificate database
+Apr 06 17:23:47 wonderland nut-monitor[707277]: Login on UPS [apc-ups@localhost] failed - got [ERR ACCESS-DENIED]
+
+● nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller
+ Loaded: loaded (/lib/systemd/system/nut-monitor.service; enabled; preset: enabled)
+ Active: active (running) since Sat 2024-04-06 17:23:47 CEST; 5s ago
+ Main PID: 707276 (upsmon)
+ Tasks: 2 (limit: 76930)
+ Memory: 836.0K
+ CPU: 2ms
+ CGroup: /system.slice/nut-monitor.service
+ ├─707276 /lib/nut/upsmon -F
+ └─707277 /lib/nut/upsmon -F
+
+Apr 06 17:23:47 wonderland systemd[1]: Started nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller.
+Apr 06 17:23:47 wonderland nut-monitor[707276]: fopen /run/nut/upsmon.pid: No such file or directory
+Apr 06 17:23:47 wonderland nut-monitor[707276]: Could not find PID file to see if previous upsmon instance is already running!
+Apr 06 17:23:47 wonderland nut-monitor[707276]: UPS: apc-ups@localhost (primary) (power value 1)
+Apr 06 17:23:47 wonderland nut-monitor[707276]: Using power down flag file /etc/killpower
+Apr 06 17:23:47 wonderland nut-monitor[707277]: Init SSL without certificate database
+Apr 06 17:23:47 wonderland nut-monitor[707277]: Login on UPS [apc-ups@localhost] failed - got [ERR ACCESS-DENIED]
+
+
+We can check if the server can get all the
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ upsc apc-ups@localhost
+Init SSL without certificate database
+battery.charge: 100
+battery.charge.low: 10
+battery.mfr.date: 2001/01/01
+battery.runtime: 3167
+battery.runtime.low: 120
+battery.type: PbAc
+battery.voltage: 27.2
+battery.voltage.nominal: 24.0
+device.mfr: American Power Conversion
+device.model: Back-UPS BX1600MI
+device.serial: DDWAWADWADADW
+device.type: ups
+driver.name: usbhid-ups
+driver.parameter.pollfreq: 30
+driver.parameter.pollinterval: 1
+driver.parameter.port: auto
+driver.parameter.productid: 0002
+driver.parameter.serial: DWDADWAWDDWAADWDAW
+driver.parameter.synchronous: auto
+driver.parameter.vendorid: 051D
+driver.version: 2.8.0
+driver.version.data: APC HID 0.98
+driver.version.internal: 0.47
+driver.version.usb: libusb-1.0.26 (API: 0x1000109)
+input.sensitivity: medium
+input.transfer.high: 295
+input.transfer.low: 145
+input.voltage: 234.0
+input.voltage.nominal: 230
+ups.beeper.status: enabled
+ups.delay.shutdown: 20
+ups.firmware: 378600G -302202G
+ups.load: 10
+ups.mfr: American Power Conversion
+ups.mfr.date: 2022/02/08
+ups.model: Back-UPS BX1600MI
+ups.productid: 0002
+ups.realpower.nominal: 900
+ups.serial: DAWDWDAWADWADWDAWAD
+ups.status: OL
+ups.test.result: Done and passed
+ups.timer.reboot: 0
+ups.timer.shutdown: -1
+ups.vendorid: 051d
+
+
+Now that the UPS is detected, we can install an interface for the nut service:
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ apt install nut-cgi -y
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ vim /etc/nut/hosts.conf
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/hosts.conf
+
+MONITOR apc-ups@localhost "APC UPS - 1600VA"
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/upsset.conf
+I_HAVE_SECURED_MY_CGI_DIRECTORY
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ apt install apache2 -y
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ a2enmod cgi
+Your MPM seems to be threaded. Selecting cgid instead of cgi.
+Enabling module cgid.
+To activate the new configuration, you need to run:
+ systemctl restart apache2
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ systemctl restart apache2
+
+
+And now we can browse it from the web on port 80: the url is: http://192.168.0.100/cgi-bin/nut/upsstats.cgi?host=apc-ups@localhost&treemode
+ +we can see the following graph to know the Battery Charge, Voltage, Input and Load:
+ +And for more details you can see the data tree:
+ +Now let's test if it works by unplugging the main electrical source:
+ +First thing you'll notice is the UPS starting to do a loud beep every 3 seconds, but you can see it in action from the web interface:
+ +Here as you can see the UPS is working on battery, and slowly the charge is being drained from 100% (now at 97% after 5 minutes) Of course it's being drained slowly due to being on a low load (18% currently), meaning it could last another 20 minutes of electrical outage easily.
++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+As we have discussed previously, governments love centralisation, because it allows them to keep control over what the masses can do, because they can directly affect the owner of said centralised service to further their agenda.
+ +Nowadays, governments love to impose financial sanctions towards the other countries they don't like, by preventing everyone from having any business with said country (example: the EU imposing sanctions against russia), one way to achieve that goal is to block transactions at the banking level, since legitimate businesses require to have a bank account. That is of course intentional, as it allows the government to control any business' finances.
+The banking system has deep roots in any modern country, with very close ties to the governments as it gives them very direct control over their population. As detailed in his book "the right to transact" by Zelinar XY he argues that the right to transact is an extension of one's innate right of expression.
+For a government to have control over one's expenses, is to have control over one's ability to express himself, it is for a government to have the power to censor any individual they deem to be unfit to be in their society.
+And in my opinion, to consider that someone else should be able to decide what YOU do with your money, is madness. You alone should decide what should happen with your money and governments definitely don't want that.
+ +Bitcoin has been the first cryptocurrency to see the day. It has been a remarkable innovation at the time. It allows you to create a wallet from home, to be able to recieve money there, and to transact freely, tax free. All you need is to have a computer, with an internet connection. Of course that does not sit well with governments. They want to keep control over your money, to be able to keep control over your right to transact.
+While Bitcoin has been revolutionary at the time, there are obvious cracks in the armor. While it provides decentralisation of the currency (meaning it is not controlled by a centralised entity, such as the dollar is controlled by the federal reserve), it has a completely transparent blockchain, meaning everyone knows which wallet transacted with whom, and the amount of Bitcoin on each wallet.
+TLDR: noone can stop your bitcoin transaction, but you can be put in prison for it
+Centralised Exchanges and KYC: Governmental Proxies +with Bitcoin everyone knows which wallet is the richest, all that's left is to put a name on those wallets, to be able to tax them! Governments are pushing hard to regulate centralised exchanges, to implement just that, they want their part of the cake at all costs.
+KYC procedures (Know Your Customer procedures) are a direct threat to:
+Centralised exchanges are the current target of choice for regulators. Most of them force their users to have custodial wallets (meaning the wallets with all the customer funds are on the server, not with the client) and so, their funds can be taken hostage to force their customers to comply and complete with all the KYC procedures when they get implemented. Feels like central banks isn't it ? The problem here is centralisation. Why are you using decentralised cryptocurrencies on Centralised platforms in the first place?
+ +All public and popular Centralised Exchange are bound to fall to this fate. They will inevitably comply with the governments of their country, Their users will be forced to identify themselves to transact with other users, they will have to identify themselves so that the exchange (and by extension, the government) knows who's got the money, to be able to tax them later on, and of course if they don't comply, they will be forced out of business one way or the other.
+That's where we are at currently, People have not completely moved away from Centralisation and KYC. But you'll see, as surveillance increases over time and governments try to have as much control as possible over the masses, the need for privacy and anonymity will keep on increasing manyfold.
+In the meantime, to find KYC-free services (centralised or not), check out kycnot.me, as they put it: "KYC reveals fear."
+ +Out of that situation emerged privacy coins, with Monero still at the top to this day (also known as the only cryptocurrency that's used) is basically a cryptocurrency just like bitcoin, except that it does everything to obscure every info regarding transactions. Basically, it's a nightmare for financial regulators.
+ +To make it short, it obscures the amount transacted, the ip addresses, who recieves the transaction and who sends the transaction, To this day not a single monero transaction has been successfully traced. For more details on Monero, check the infodump here.
+Monero's goals differ from what bitcoin has become. It's not to get rich, the goal is to provide transactional privacy, anonymity, and ultimately to be USED as a currency. That is a fundamental difference to the whole bitcoin-fan ecosystem of pump and dump schemes, monero is not meant to be a speculative asset.
+More to the point, given the alarming increase of surveillance worldwide, and incoming regulations forced onto everyone, do you seriously think that people will keep trying to use random coins just to get taxed ? No, eventually only the coins that take privacy and anonymity of it's users as their first priority will remain. Mark my words; hop on the orange boat, and watch every other currency lose value.
+Governments so far have been unable to do anything to stop monero from being transacted. The only thing they can successfully do is to force centralised exchanges to delist it (example: Binance Delists monero), but decentralised currencies don't require centralised exchanges to exist.
+TLDR: Noone can stop your monero transaction and put you in prison for it afterward, unlike bitcoin or any other coin out there.
+ + +Decentralised Exchanges: the next step +As we have discussed before, Centralisation will always lead to regulations imposed by the government. If on the other hand we have a Decentralised alternative to exchange freely, the government has to try and regulate the end user directly, multiplying the efforts!.
+ +In short, Cut out the troublesome middle man, and transact with the end user directly. You can also use semi-centralised platforms such as https://localmonero.co that are platforms who incite crypto owners to exchange amongst themselves, a good alternative to use until Decentralised Exchanges (DEXs) are popularized. If you want to check out how to acquire monero on localmonero check out this tutorial. (edit: localmonero is no longer in business as of april 2024, moving to haveno DEX is your current only option for direct FIAT -> XMR transactions)
+ +The next big Decentralized Exchange that's coming soon is Haveno DEX It will combine Monero and Tor to bring complete decentralisation of your finances. When it will be ready for public use, it will only be a matter of time until everyone shifts to a completely decentralised way of transacting. Check out this tutorial i made to find out how to use it for Fiat -> XMR transcations.
++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to cover and explain what are governments, and why they are trying to force us into mass surveillance and KYC procedures.
+ +
+A government is the system or group of people governing an organized community, generally a state.
+
+
+Their primary focus is to maintain their control over the country/state, no matter the cost, they will do everything possible to remain in power for as long as possible
+They are the ones who write the rules, the laws by which everyone in the country must must follow for society to remain in order (whether the subjected people accept it or not), according to them.
+Governments pass Laws and to make sure that their laws is respected, they need Law enforcement (LE) to be able to apply sanctions on whoever breaks their laws.
+ +Governments nowadays almost always use bogus reasons to use to pass abusive laws (the typical "it's to fight the boogeymen!" type of reasons) , in order to either make more money, or to enforce surveillance better, or to straight up take away power from businesses and individuals.
+One thing that governments genuinely care about is how modern and economically mature their country is. Hence their close relationships with businesses that generate the most wealth in their country.
+ +These same businesses are often a tool of Centralisation, to extend the government's reach of power, the most common trait there is surveillance, and identifying who did what (ex: with KYC procedures).
+ +Each business is closely regulated, the bigger the business, the higher up the priority list it is to be audited for regulation compliance checks. The exception being with International Banks (ex: see the HSBC scandal) due to everyone's innate greed to get richer even if it means breaking the law.
+ + +Businesses are centralised entities just like governments, they ALL can act as proxies to help law enforcement, whether they want to or not.
+ + +
+Law enforcement is the activity of some members of government who act in an organized manner to enforce the law by discovering, deterring, rehabilitating, or punishing people who violate the rules and norms governing that society.
+
+
+For the Law to be enforceable the authorities need to know 2 things:
+Of course, the law must not be ignored by anyone, and to make sure that everyone is kept in line, they need to show everyone that the law is effectively enforced onto those that behaved badly, very often they brag about catching criminals to let everyone know that they are the good guys protecting everyone from the bad guys.
+That is the basis of this whole Privacy and Anonymity talk. In short, For the law to be enforceable, they need to know both what happened, and who perpretated the act to be able to apply sanctions on the individual / group of individuals that commited the crime.
+Modern governments know this very well, and some go to extreme lengths to make sure that every citizen is under surveillance.
+A very common practice for Law enforcement is also to either bribe or force legitimate businesses to give the data they possess of their users, to know if a crime has been commited or not. See the USA's recent FISA 702, good news is they're not lying about it anymore, the intention is clear and out in the open. The general idea is that this bill is meant for the government to be able to force anyone (individual or business) to conduct spying activities for the governments, with or without their consent, with a gag order.
+In short, the US government grants itself the right to force you or your business to do anything to further their agenda. This world's biggest democracies are all turning into dictatorships in the name of national security.
+Anyway you get the idea. Anonymity is more relevant than ever, we're headed for that surveillance dystopia China has currently established.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to explain why Decentralisation and Anonymity are essential in reducing the power of the government over it's citizens.
+ +As we have discussed previously, governments love centralisation. It's an easy way for them to extend their power to directly affect users of said centralised businesses. Take for example how the US government uses banks to impose financial sanctions onto whoever they consider as a threat to them.
+ +They have largely succeeded in keeping their population hooked onto centralisation, for example you want to watch videos you think youtube, you want to browse the web you think google, social - facebook, twitter, and so on. It's become a natural reflex for most people, hence most people flock to these centralised platforms, and as we have explained previously; governments use them as proxies to spy or enforce censorship onto it's citizens.
+ + +It's convenient for them; you own a large service, which attracts millions of people to use it, and so governments would love to have access to that data you own, to be able to know what's happening. (remember FISA 702)
+ +If the masses were to completely change their habits and embrace decentralisation, like i am trying to promote on Datura Network for example using peertube to replace youtube, matrix to replace discord, mastodon to replace twitter, etc, it would seriously limit the reach of the power they try to have on the population. They wouldn't be able to censor and try to control the public opinion of the people like they did through twitter for example.
+ + +The key difference here is that the INDIVIDUALS are the ones controlling the service, and they're making the overall decentralised ecosystem grow larger and larger as they keep federating together.
+ +So in this case, you are taking out the first pillar that is required for law enforcement ; Surveillance, the government would have to knock on your door, and FORCE you to give them the data of your users.
+I encourage everyone that's fed up with the arbitrary administration of centralised services to start using their decentralised alternatives, see what the Fediverse has to offer for more details.
+That's an easy one. as we discussed in my previous blogpost, for the law to be respected, it needs to be feared by the population, to make sure it remains feared, it needs to be enforced by authorities (law enforcement or LE for short). To do so they need to know what happened, and they need to know who did what.
+ +That's why they go to such extreme lengths to implement surveillance wherever they can. (see China's surveillance state, the USA's FISA 702, and the EU trying to pass anti encryption laws)
+ +Anonymity is a great thing to look for if you care about privacy. It's the perfect way to know if a service intends to respect your privacy or not.
+ +The reason being, that if you use a service anonymously, you are taking out the other pillar that is required for the law to be enforceable, making sure that they cannot know it was you who used the service
+If you want to know if a service intends to respect your privacy or not, access it, and use it anonymously. (use the Tor browser to access it, and see if it accepts monero as payments). Check out my tutorial on OPSEC (Operational Security) to understand the full reasoning.
+You will see that you can already rule out Google, youtube, twitter, instagram, snapchat, Facebook, Baidu, Whatsapp, etc. All of those services sell the data they collect about you to each other, including to governments (see the cambridge analytica scandal)
+ +Stop using services that treat you as a product to sell, regain your lost dignity and defend it.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to setup graphene OS, an open source android operating system for google pixel phones. (Yes google phones, if you don't like it then you'll have to wait for functionnal open hardware alternatives to arrive on the market.) Currently GrapheneOS is one of the most privacy-focused mobile operating systems given that it's fully open source. and that they refuse to implement google services by default, unlike their competitors like LineageOS.
+ +DISCLAIMER: yes the quality of the photos taken are garbage :)
+First step is go acquire a Google pixel phone, and a model that supports grapheneOS. In my case, i purchased a Pixel 6 model. Then on the host OS on your computer, install the required packages:
+
+
+[ nowhere ] [ /dev/pts/11 ] [~]
+→ sudo pacman -Syy android-tools
+[sudo] password for nihilist:
+resolving dependencies...
+looking for conflicting packages...
+
+Packages (4) android-udev-20240221-1 libmtp-1.1.21-1 protobuf-25.3-4
+ android-tools-35.0.1-1
+
+Total Download Size: 4.84 MiB
+Total Installed Size: 22.07 MiB
+
+:: Proceed with installation? [Y/n] y
+
+
+Here on the phone, we need to enable developer settings, to be able to enable the "OEM Unlocking" option:
+ + + + + +Then reboot the phone by holding the power and volume down to enter fastboot mode:
+ +Then, connect the device via usb to your computer:
+
+[ nowhere ] [ /dev/pts/11 ] [~]
+→ lsusb | grep Google
+Bus 001 Device 098: ID 18d1:4ee0 Google Inc. Nexus/Pixel Device (fastboot)
+
+[ nowhere ] [ /dev/pts/11 ] [~]
+→ fastboot --version
+fastboot version 35.0.1-android-tools
+Installed as /usr/bin/fastboot
+
+[ nowhere ] [ /dev/pts/11 ] [~]
+→ fastboot devices
+no permissions; see [http://developer.android.com/tools/device.html] fastboot
+
+[ nowhere ] [ /dev/pts/11 ] [~]
+→ sudo -i
+nowhere# fastboot devices
+1C21FGJH6993LC fastboot
+
+nowhere# fastboot flashing unlock
+OKAY [ 0.043s]
+Finished. Total time: 0.043s
+
+
+
+
+
+
+Next, as i have a google pixel 6 model, i need to download the correct graphene os image
+ +
+nowhere# mv /home/nihilist/Downloads/oriole-factory-2024070201.zip .
+nowhere# unzip oriole-factory-2024070201.zip
+Archive: oriole-factory-2024070201.zip
+ creating: oriole-factory-2024070201/
+ extracting: oriole-factory-2024070201/image-oriole-2024070201.zip
+ inflating: oriole-factory-2024070201/bootloader-oriole-slider-14.5-11677881.img
+ inflating: oriole-factory-2024070201/radio-oriole-g5123b-135085-240517-b-11857288.img
+ extracting: oriole-factory-2024070201/avb_pkmd.bin
+ inflating: oriole-factory-2024070201/flash-all.sh
+ inflating: oriole-factory-2024070201/flash-all.bat
+
+nowhere# cd oriole-factory-2024070201
+
+nowhere# ls
+avb_pkmd.bin flash-all.sh
+bootloader-oriole-slider-14.5-11677881.img image-oriole-2024070201.zip
+flash-all.bat radio-oriole-g5123b-135085-240517-b-11857288.img
+
+nowhere# chmod +x ./flash-all.sh
+nowhere# ./flash-all.sh
+
+
+Then let the bashscript run, it can take a few minutes:
+
+nowhere# ./flash-all.sh
+Warning: skip copying bootloader_a image avb footer (bootloader_a partition size: 0, bootloader_a image size: 14125140).
+Sending 'bootloader_a' (13794 KB) OKAY [ 0.364s]
+Writing 'bootloader_a' (bootloader) Flashing pack version slider-14.5-11677881
+(bootloader) flashing platform gs101
+(bootloader) Validating partition ufs
+(bootloader) Validating partition partition:0
+(bootloader) Validating partition partition:1
+(bootloader) Validating partition partition:2
+(bootloader) Validating partition partition:3
+(bootloader) Validating partition bl1_a
+(bootloader) Validating partition pbl_a
+(bootloader) Validating partition bl2_a
+(bootloader) Validating partition abl_a
+(bootloader) Validating partition bl31_a
+(bootloader) Validating partition tzsw_a
+(bootloader) Validating partition gsa_a
+(bootloader) Validating partition ldfw_a
+(bootloader) Flashing partition ufs
+(bootloader) Flashing partition partition:0
+(bootloader) Flashing partition partition:1
+(bootloader) Flashing partition partition:2
+(bootloader) Flashing partition partition:3
+(bootloader) Flashing partition bl1_a
+(bootloader) Flashing partition pbl_a
+(bootloader) Flashing partition bl2_a
+(bootloader) Flashing partition abl_a
+(bootloader) Flashing partition bl31_a
+(bootloader) Flashing partition tzsw_a
+(bootloader) Flashing partition gsa_a
+(bootloader) Flashing partition ldfw_a
+(bootloader) Loading sideload ufsfwupdate
+OKAY [ 3.089s]
+Finished. Total time: 3.454s
+Setting current slot to 'a' OKAY [ 0.058s]
+Finished. Total time: 0.059s
+Rebooting into bootloader OKAY [ 0.000s]
+
+[...]
+
+Sending sparse 'super' 11/13 (254972 KB) OKAY [ 6.618s]
+Writing 'super' OKAY [ 0.950s]
+Sending sparse 'super' 12/13 (254972 KB) OKAY [ 6.621s]
+Writing 'super' OKAY [ 0.935s]
+Sending sparse 'super' 13/13 (46284 KB) OKAY [ 1.216s]
+Writing 'super' OKAY [ 0.204s]
+Erasing 'userdata' OKAY [ 0.390s]
+Erase successful, but not automatically formatting.
+File system type raw not supported.
+wipe task partition not found: cache
+Erasing 'metadata' OKAY [ 0.007s]
+Erase successful, but not automatically formatting.
+File system type raw not supported.
+Finished. Total time: 105.929s
+Rebooting into bootloader OKAY [ 0.000s]
+Finished. Total time: 0.150s
+nowhere#
+
+
+
+
+
+
+then lock the bootloader:
+
+nowhere# fastboot devices
+1C21FGJH6993LC fastboot
+
+nowhere# fastboot flashing lock
+OKAY [ 0.276s]
+Finished. Total time: 0.276s
+
+
+
+
+
+
+
+
+
+And that's it! we managed to flash grapheneOS on the pixel phone.
+As we have seen previously, it's always a good opsec practice to separate public use from private use. This can also apply on your phone, In this case we'll create a profile specifically for public usage, while we keep the main one for private usage.
+ + + +Now in there, we can keep the closed-source applications in the public usage profile, while we keep the FOSS applications in the default private usage profile.
+ + +Now that's done, we use the private usage profile to install f-droid, in order to install FOSS applications
+ + + + + + +And here we can go into our public usage profile to setup the Aurora store to install closed-source applications like so:
+ + + + + + + + + +And from there, we can install all non-FOSS applications in the public usage profile.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to cover how the Haveno DEX handles trade disputes, which can happen as, after all it's decentralised, and anonymous by default.
+Check out this tutorial if you want to know how to install Haveno DEX on your device.
+ +Back on localmonero, what was at stake was the reputation of the Buyer or the Seller, because if any of their trades go wrong, their reputation would not be a clean 100% successful trades anymore. Problem is, on the Haveno DEX, where there is no centralisation to keep everyone's reputation in check, it could be very easy to give yourself a ton of positive reputation points, by spinning up 2 haveno dex instances, to simulate trades with yourself.
+So there was this need to have something else at stake to prevent people from scamming each other. That is the Security deposit system that we described in the previous tutorial.
+ +In short, both Bob and Alice need to put some XMR into the trade initially, so that if they try to scam each other, they will loose something in the process.
+In this example, The trade will go wrong as Bob will try to scam Alice with an invalid Amazon giftcard code.
+Here, in this case we're Alice, and we want to sell our XMR for an amazon giftcard (which is typically just a code you need to redeem). So here Alice creates her amazon egift card haveno account to be able to trade just that, she needs to mention her email and the country (because a german amazon giftcard code doesnt work on the french amazon website!)
+ + + +Read carefully what exchanging an Amazon egift card to XMR implies then click "I understand"
+ +Then create a selling offer like so:
+ +Mention the amount of XMR you want to sell, and the % above the market price you want to sell it for, currently 0.2018 XMR at market price will give you 25 euros. Then you need to fund your offer with the additional 0.101009 XMR security deposit. Meaning you need to put in 0.302809 XMR total
+ +Once funded, wait for the funds to appear as available balance on your haveno client (can take 20 minutes)
+ + +Then click Place offer to sell monero:
+ +and then click confirm offer to sell monero.
+ + +Here you can see that your offer is enabled from the portfolio tab, and people can see it appear on the Buy tab:
+ + +Now let's switch sides. We're now Bob the scammer, we want to scam Alice. We see her offer on the buy tab, and we take the offer:
+ +Then, just like Alice did, we also fund the offer with the monero security deposit:
+ + +Wait for it to show up as available in your haveno balance:
+ + +Then click confirm to take the offer to buy Monero:
+ + +Back to Alice's perspective, the trade will intiate and can be viewed when going to the portfolio tab:
+ +When opening the trade window, Alice sees that Bob not only does not respect the trade protocol of sending the gift card by mail by just sending the code over chat, but the code is also invalid!
+ + + +Alice sees that she cannot redeem the code as it is invalid. In short, she didn't get paid!
+ +Back to Bob's perspesctive as we are one kind of an asshole, we don't care that Alice didn't get paid and declare that we sent payment anyway.
+ + + + +Back to Alice's perspective, Now the ball is in her park, what does she do ?
+ + +Since she never recieved payment, she does not confirm that she recieved it, and waits until the trade expires
+ + +In this case, the trade should not take more than 24 hours, so she waits until the next day, and when it expires, she'll be able to open up a dispute.
+ +Now that the trade time expired (24hrs), Alice can now open up a dispute, for the Arbitrator to step in:
+ +Here, Alice clicks on "open support ticket", and she goes to the support tab to view her support ticket:
+ + + + +Then the Arbitrator reviews the exchange from Alice's point of view:
+ +Here the arbitrator sees that the trade protocol has not been respected, both parties need to make sure they follow the trade protocol for said payment option correctly for the trade to be considered as valid from the arbitrator's point of view.
+ +Then the Arbitrator sees the exchange from Bob's point of view too:
+ +Obviously, Bob explains that he got his very legit amazon giftcard code from his hat, and he naively thinks that the arbitrator will rule in his favor.
+ + +And finally, back to Alice's POV: the Arbitrator decides that it is Alice who's in the Right, and therefore Bob does not get his Monero security deposit back, hence he's loosing 0.101009 XMR in the process.
+ + +So here, Bob just lost some XMR, and Alice is getting her 0.2018 XMR back, she gets her security deposit back (0.101009 XMR) but also she gets Bob's security deposit (0.101009 XMR), so in total she gets 0.40011456 XMR back (0.101009 XMR more than when she started using Haveno). In the end, it is Bob that ended up giving her some monero against his will.
+ +Now keep in mind that not all payment options are safe, some can come with easy chargebacks (ex: paypal), and some are just next to impossible for an arbitrator to decide who's in the right or wrong (face-to-face trades for instance). Be very careful to know the risks associated with each payment option, along with what precautions need to be taken.
+ +Check out my other tutorials on Decentralised Finances below:
+ + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to cover how to buy Monero, for cash by mail on the Haveno Decentralised Exchange. This was the most popular payment method back on LocalMonero, due to being an improvement over bank transfers (like SEPA in the EU) when it comes to trading larger volumes in the long run, as Cash cannot easily be traced by adversaries unlike bank transfers, making Cash by Mail one of the most private ways to exchange real world money for Monero.
+ + +Here, we're Bob, we create our account on Haveno for Pay by Mail transactions, mentionning our real name, postal address, city and country.
+ +Then we hit "save new account":
+ + +Make sure you understand the risks that cash by mail transactions have, then click "I understand":
+ +Then, we can create a buying offer by going into the Buy section:
+ +Here we want to purchase 20 euros worth of Monero, at the current market price, for 0.1533 XMR:
+ +THen we fund the offer, and when the funds show up in our Haveno client, we hit "Review: Place offer to buy Monero"
+ + +Once the offer is confirmed, we can view it on the Portfolie page:
+ + +Here we wait approx 20 minutes for the monero transaction to be validated by the network, then the offer will appear as enabled:
+ +And from there, other peers will be able to see Bob's offer into the "Sell Monero" section.
+ +Now let's switch over to Alice's side, we also create an account to be able to do Cash by mail transactions:
+ +Then we go into the "Sell monero" section and we take Bob's offer:
+ +Once the offer is taken we fund the offer:
+ +There we send the monero to the address as shown for both the security deposit and the actual monero we want to sell:
+ + + + +Now that the trade has been initiated, let's review the correct trade protocol for Cash By Mail transactions:
+ + +To remain safe with cash by mail transactions, there are a number of steps that Bob need to be take in order to ensure that there is no possibility of being scammed as explained by the following LocalMonero article:
+
+Staying Safe With Cash by Mail (originally from LocalMonero)
+
+If you're buying...
+
+If you stick to high reputation sellers it's very unlikely that you'll encounter any issues while buying with cash by mail, however the following tips will help you prove your payment in a dispute should it arise. The most important thing to do is to make a video recording of your payment. Here are the guidelines:
+Your video should be filmed within a single take, without cuts
+
+You can put the cash in the envelope at home or in the car, and you can put your phone with the video turned on in your front shirt pocket and it'll record the whole process without much extra work from you apart from making sure that you do everything in front of where the camera's pointing. If you have something like a GoPro or the latest iPhone which has a camera with a wider viewing angle it's going to be even easier. Keep the footage in case of a dispute for 180 days.
+
+Put custom markings inside the envelope
+Use some sort of a custom chop/stamp/seal, or a signature or just random movements with a sharpie inside the envelope, covering all surfaces. This will help establish whether the seller is actually opening the envelope you've sent or a fake one. Make sure the mark is visible on the video.
+
+Try to disguise the cash
+To mitigate a (potential, but very rare) case of postal theft en route, try to conceal the fact that the package contains cash. You may put the cash in a magazine, mylar bag or some other container. Vacuum sealing the cash also works.
+
+Place envelopes inside of envelopes
+Instead of simply placing the cash into the envelope, use multiple nested envelopes for your package. Place the cash into the smallest envelope (or simply fold a bigger envelope as necessary), seal it, and place it into another envelope. Repeat this process until you have at least 3 nested envelopes. This helps ensure that if the receiving party tries to tamper with your package they will have a much harder time resealing it all in a way that would be undetectable when inspected by the dispute mediator.
+
+Send with tracking
+Packages sent without tracking may get lost with and without tracking it could be all but impossible to locate it. Having tracking also allows the receiving end to have peace of mind that the package is en route in case it's taking longer than expected.
+
+Conclusion
+As we've mentioned before, with established traders the risk for a buyer is very low. Very low doesn't mean zero though, so make sure to follow these rules to be prepared for a dispute situation.
+
+
+And there are also a few steps that the monero seller (Alice) has to follow in order to make sure the trade is conducted in a secure manner:
+
+If you're selling...
+
+Make a video of receiving and opening the package
+Record yourself receiving the package from the postal worker, the postal worker weighing it, record the label, all the outer sides of the package; open the package while filming with the camera pointed into it, run the cash through a counter and counterfeit scanner. Make sure everything is filmed in one take. Always keep the package in view of the camera. Keep the footage in case of a dispute for 180 days.
+
+Under no circumstances finalize a trade early
+The key thing to remember (and we put disclaimers about this on every step of the way) is to NEVER finalize a trade UNTIL you have the money and you are absolutely confident that everything is in order. A legitimate buyer won't pressure you into early finalize.
+
+Have a buyer put a note with their username and trade ID
+This will help you distinguish packages coming from different buyers and avoid confusion. This also will help in preventing man-in-the-middle attacks, where a scammer interposes themselves in-between the buyer and the seller, pretending to be the seller when talking to the buyer and pretending to be the buyer when talking to the seller.
+
+
+
+To recap the recommendations we have the following graph:
+ +Here bob puts the cash into a mylar bag (to disguise the cash), which gets put into a tamper proof bag (that way, if alice tries to open it, it'll be easy to see), then bob puts it into at least 3 envelope layers with custom markings inside each layer (again, as anti tampering measures), and then putting it inside the tracking envelope.
+Also very important, Bob needs to record himself from the moment he wraps the cash into the mylar bag, all the way to when he places the letter in the letterbox. and Alice needs to do the same from her letterbox, all the way to unpacking the cash from the mylar bag. That way in case if there is a dispute, the arbitrator will be able to see who's at fault if there are any steps along the way that have not been respected.
+In total per cash by mail transaction (assuming the final envelope weighs less than 100grams), the cost involved for the seller should be around 2 euros in France (including tracking), assuming the seller sends the envelope within the same country, and that he buys enevlopes, mylar bags and tamper proof bags in bulk.
+ + +Bob of course makes sure that the envelope is sent to Alice's address as it is showcased within the trade window:
+ +And once he followed the trade protocol to send the envelope to Alice, he can declare that he has sent the payment:
+ +And then, both Alice and Bob will have to wait for the postal service to take the letter to it's destination. Bob also sent Alice the tracking link so that she can pinpoint where the envelope is in case if there is an issue along the way.
+ +Back to Alice's side, we get the following notification:
+ +There, the delay depends on the postal service. But she recieves the envelope 5 days later, she records herself from the point of retrieving, to the unpacking of the cash inside. and then if all is ok on her side, she confirms that she has recieved payment to release the monero funds to Bob:
+ + + +And lastly, Bob sees that the funds are arriving on his Haveno client, and now he closes the trade.
+ +And there, Bob can withdraw his funds from his Haveno monero wallet to another wallet if he chooses so inside the "Funds" tab, as we detailed in our previous tutorial here.
+Check out my other tutorials on Decentralised Finances below:
+ + + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to cover how to do a Fiat to Monero trade from the brand new (and long awaited!) Haveno Decentralised Exchange, using the Face-to-Face (F2F) payment method.
+ +Sidenote: i don't recommend face-to-face as a payment option of choice, this is just to try out how a basic trade Haveno DEX works!
+Before reading through this tutorial, make sure you understand why Decentralised Exchanges are the next step in Decentralised Finances in this blogpost i previously made, so that you have all the context.
+As we are covering a DEX (Decentralised Exchange), it means we are not covering how to use a website onto which you are purchasing monero (like the now defunct Localmonero (RIP)), we are covering a software that you install on your computer (hence the Decentralisation in "DEX"), to trade Peer to Peer (P2P) with the other users.
+ +The resilliency of Haveno is on multiple levels: First of all the more Seed nodes there are, the harder to take down the Haveno network is. The anonymity provided by the Tor network of Haveno for all nodes (which is on by default), also adds up to the resiliency.
+Clientside, the more peers (users) there are, the more diverse and bigger the exchange will be, and so will the decentralised market be at large. The sooner the Monero market moves to Decentralised Exchanges, the more unstoppable it will become.
+Lastly if the Haveno network is completely taken down (let's say if all the seed nodes are taken down somehow), all that's left is for another administrator to spin up a new haveno network since the code is all open source, to repeat the cycle again.
+You can check out my quick coverage of Haveno DEX on Monero Topia here. (Definitely check out MoneroTopia for the latest news in the Monero world, awesome show!)
+DISCLAIMER: THERE ARE NO OFFICIAL HAVENO NETWORK INSTANCES, THERE ARE ONLY THIRD PARTY HAVENO NETWORKS LIKE HAVENO RETO.
+IF YOU SEE A HAVENO CLAIM TO BE THE OFFICIAL NETWORK LIKE THIS ONE, DONT FALL FOR THEIR SCAM!
+ +First, we need to find a Haveno Network, Haveno Reto being one of the first ones to show up, we're going to try them out:
+Let's get the Haveno binaries from Reto's github repository, (which was forked from the original Haveno repository, maintained by Woodser)
+ +Here, we are on a debian machine, so we download the ubuntu package (which contains the .deb and .rpm file)
+ +You can either extract the .rpm (which is originally intended for Fedora users) package and run the haveno binary yourself, or use the AUR package maintained by duje
+If you are a windows user (know that it cant be trusted as it's not an open source operating system, check out my tutorial here on how to install linux instead), if you're too lazy you can check out darknetreporter's tutorial:
+ +Back on Debian (note: these instructions are the same if you are on Whonix!), the zip package is downloaded:
+ +Then unpack the zipfile wherever you want:
+
+[ mainpc ] [ /dev/pts/5 ] [~]
+→ unzip ~/Downloads/HavenoInstaller-ubuntu-latest.zip -d ~/Documents/
+Archive: /home/nihilist/Downloads/HavenoInstaller-ubuntu-latest.zip
+ inflating: /home/nihilist/Documents/desktop-1.0.3-SNAPSHOT-all.jar.SHA-256
+ inflating: /home/nihilist/Documents/haveno-1.0.3-1.x86_64.rpm
+ inflating: /home/nihilist/Documents/haveno_1.0.3-1_amd64.deb
+
+[ mainpc ] [ /dev/pts/5 ] [~]
+→ cd ~/Documents/haveno-reto
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/haveno-reto]
+→ ls
+desktop-1.0.3-SNAPSHOT-all.jar.SHA-256 haveno_1.0.3-1_amd64.deb haveno-1.0.3-1.x86_64.rpm
+
+
+Here since we are currently on a debian machine, we're going to use the .deb file to install haveno, as follows:
+
+[ mainpc ] [ /dev/pts/1 ] [~/Documents/haveno-reto]
+→ sudo dpkg -i haveno_1.0.3-1_amd64.deb
+[sudo] password for nihilist:
+Selecting previously unselected package haveno.
+(Reading database ... 214512 files and directories currently installed.)
+Preparing to unpack haveno_1.0.3-1_amd64.deb ...
+Unpacking haveno (1.0.3-1) ...
+Setting up haveno (1.0.3-1) ...
+
+#if it fails, run "apt install -f" to install the missing dependencies and then dpkg -i haveno.deb again.
+
+
+If you previously used haveno, make sure you delete the folder in ~/.local/share/Haveno-reto as follows, to clear up all the previous wallet infos
+
+[ mainpc ] [ /dev/pts/1 ] [~/Documents/haveno-reto]
+→ rm -rf ~/.local/share/Haveno-reto
+
+
+if you want to see the haveno logs from the CLI as you use it, you can do as follows:
+
+[ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog]
+→ cd ~/.local/share/Haveno-reto
+
+[ mainpc ] [ /dev/pts/6 ] [.local/share/Haveno-reto]
+→ ls
+haveno.log haveno.properties monerod monero-wallet-rpc monero-wallet-rpc.log version xmr_mainnet
+
+[ mainpc ] [ /dev/pts/6 ] [.local/share/Haveno-reto]
+→ tail -f haveno.log
+May-29 20:55:23.829 [pool-16-thread-5] INFO h.c.t.TaskRunner: Run task: SendOfferAvailabilityRequest
+May-29 20:55:23.830 [pool-16-thread-5] INFO h.c.o.a.t.SendOfferAvailabilityRequest: Send OfferAvailabilityRequest with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and uid d85caa9c-840c-45eb-8642-4cb12828fc93 to peer rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999
+May-29 20:55:23.930 [JavaFX Application Thread] INFO h.c.o.a.t.SendOfferAvailabilityRequest: OfferAvailabilityRequest arrived at peer: offerId=mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106; uid=d85caa9c-840c-45eb-8642-4cb12828fc93
+May-29 20:55:25.292 [JavaFX Application Thread] INFO h.d.c.c.c.PopOver: hide:200.0 ms
+May-29 20:55:25.903 [pool-48-thread-1] INFO h.c.o.a.OfferAvailabilityProtocol: Received OfferAvailabilityResponse from rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999 with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and uid 986ee04a-47d2-4303-a9fc-12d18cc158ce
+May-29 20:55:25.905 [pool-48-thread-1] INFO h.c.t.TaskRunner: Run task: ProcessOfferAvailabilityResponse
+May-29 20:55:25.905 [pool-48-thread-1] INFO h.c.o.a.OfferAvailabilityProtocol: Send AckMessage for OfferAvailabilityResponse to peer rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999 with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and sourceUid 986ee04a-47d2-4303-a9fc-12d18cc158ce
+May-29 20:55:25.907 [JavaFX Application Thread] INFO h.c.o.a.OfferAvailabilityProtocol: AckMessage for OfferAvailabilityResponse arrived at makersNodeAddress rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999. offerId=mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106, sourceUid=986ee04a-47d2-4303-a9fc-12d18cc158ce
+May-29 20:55:26.108 [pool-48-thread-1] INFO h.c.o.OpenOfferManager: Received AckMessage for OfferAvailabilityRequest with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and uid d85caa9c-840c-45eb-8642-4cb12828fc93
+May-29 20:55:27.427 [JavaFX Application Thread] INFO h.d.c.c.c.PopOver: hide:200.0 ms
+
+
+next just launch Haveno as it should have been added to your system:
+ + +Next, haveno is going to connect to Tor. WHONIX USERS: If it is facing issues connecting wait for the client to ask you to set the tor settings:
+ +then just get a torbridge from torproject.org:
+ +and add them inside haveno, and restart it:
+ +Then it should connect just fine:
+ +you may need to wait a bit for your haveno node to sync up initially: (probably 1-2 minutes)
+ +and once it finishes synchronising, you're in Haveno!
+ +If you want to have a TailsOS VM running, check out my latest tutorial on it here.
+Download the latest haveno package just like on debian, then put it in the persistant storage:
+
+amnesia@amnesia:~$ mv ~/Tor\ Browser/haveno_1.0.7-1_amd64.zip ~/Persistent/
+amnesia@amnesia:~$ cd Persistent/
+amnesia@amnesia:~/Persistent$ ls -lash
+total 266M
+4.0K drwx------ 3 amnesia amnesia 4.0K Jun 14 09:58 .
+ 0 drwx------ 24 amnesia amnesia 600 Jun 14 09:19 ..
+266M -rw-r--r-- 1 amnesia amnesia 266M Jun 14 09:57 haveno_1.0.7-1_amd64.zip
+
+amnesia@amnesia:~/Persistent$ sudo apt install unzip
+
+amnesia@amnesia:~/Persistent$ unzip haveno_1.0.7-1_amd64.zip
+Archive: haveno_1.0.7-1_amd64.zip
+ inflating: desktop-1.0.7-SNAPSHOT-all.jar.SHA-256
+ inflating: haveno_1.0.7-1_amd64.deb
+
+
+
+Then we can use BrandyJson's script to install haveno on tails:
+
+amnesia@amnesia:~/Persistent$ wget https://raw.githubusercontent.com/BrandyJSon/haveno-install-tails/main/haveno-install.sh
+--2024-06-14 10:29:07-- https://raw.githubusercontent.com/BrandyJSon/haveno-install-tails/main/haveno-install.sh
+Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133
+Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 3393 (3.3K) [text/plain]
+Saving to: \u2018haveno-install.sh\u2019
+
+haveno-install.sh 100%[=====================================================================================================================>] 3.31K 14.3KB/s in 0.2s
+
+2024-06-14 10:29:09 (14.3 KB/s) - \u2018haveno-install.sh\u2019 saved [3393/3393]
+
+amnesia@amnesia:~/Persistent$ vim haveno-install.sh #review the script, and change the dpkg -i line with the correct haveno version if it has changed
+
+
+Be aware that this is not an official way of installing haveno on Tails, it's going barbaric on apparmor and the security model of tails, later on, there will be a better way to install haveno on Tails OS
+
+#if the bashscript contains '\r' characters , do the following:
+amnesia@amnesia:~/Persistent$ tr -d '\r' < haveno-install.sh > haveno-install.sh
+
+#then install it:
+amnesia@amnesia:~/Persistent$ sudo bash haveno-install.sh
+[sudo] password for amnesia:
+
+Selecting previously unselected package haveno.
+(Reading database ... 148641 files and directories currently installed.)
+Preparing to unpack .../haveno_1.0.7-1_amd64.deb ...
+Unpacking haveno (1.0.7-1) ...
+Setting up haveno (1.0.7-1) ...
+Allowing amnesia to read tor control port cookie, only run this script when you actually want to use haveno
+
+!!! not secure !!!
+
+Updating apparmor-profile
+Adding rule to iptables to allow for monero-wallet-rpc to work
+Updating torsocks to allow for inbound connection
+Restarting onion-grater service
+Everything is set up just run
+
+source ~/.bashrc
+
+Then you can start haveno using haveno-tails
+
+amnesia@amnesia:~/Persistent$ source ~/.bashrc
+amnesia@amnesia:~/Persistent$ haveno-tails
+Jun-14 10:52:51.099 [main] INFO haveno.common.util.Utilities: System info: os.name=Linux; os.version=6.1.0-21-amd64; os.arch=amd64; sun.arch.data.model=64; JRE=21.0.2+14-LTS (BellSoft); JVM=21.0.2+14-LTS (OpenJDK 64-Bit Server VM)
+Jun-14 10:52:51.120 [main] INFO haveno.common.app.AsciiLogo:
+
+
+
+
+ 0X
+ OOdolcck
+ KXKNN0occcccccck: :Kxxk0d
+ klccccccccccccccccck0xcccccccxK'
+ xccccccccccccccclOKKOocccccccccclxK
+ .xccccccccccccccclWMMMMMd:::::::::ccco
+ 'dccccccc:::cccccclWMMMMMo:::::::::::cc;
+ ,occccc:::::::::::::cxO0kl:::::::::::::cd
+ ;occccc:::::cddddddc;;;;;;;;:ddddddl:::::coldOK
+ :occccc::::::xMMMMMMo,,,,,,,,cMMMMMMk::::::cccccoOc
+ llccccc:::::;;dMMMMMMo,,,,,,,,cMMMMMMk:::::::cccccc,
+ 'cccccc::::;,,dMMMMMMl'''''',,cMMMMMMk::::::::ccccc.
+ .cccccc::::,,,dMMMMMMo'''''',,cMMMMMMk::::::::ccccc
+ :ccccc:::::;;dMMMMMM0xxxxxxxxOMMMMMMk::::::::ccc'
+ ;ccccc:::::::xMMMMMMMMMMMMMMMMMMMMMMk::::::ccccco
+ 'ccccc:::::::xMMMMMMMMMMMMMMMMMMMMMMk:::::ccccccco
+ .ccccccc:::::xMMMMMMd::::::::oMMMMMMk:::::ccccccc
+ :cccccccc:::xMMMMMMo,,,,,,,,cMMMMMMk:::::cccccc
+ cccccccccc:xMMMMMMo,,,,,,,,cMMMMMMk::::cccccc
+ :ccccccccccxMMMMMMo,,,,,,,,cMMMMMMO:cccccccc
+ ccccccccccxMMMMMMd;;;;;;;:lMMMMMMOcccccccc
+ ccccccclooooooc::::::::cddddddlcccccc:
+ .ccccc::::::::::::::ccccccccccccccc
+ :cccc:::::::::::ccccccccccccc
+ .cccc:::::::ccccccccccc,
+ 'ccccccccccccc.
+ ;ccccc:
+
+
+
+
+ .XXX. .XXX. .XXXk dXX0 ;XXX.KXXXXXX, xXX0 :XX0 ,XK000KK
+ .ccc. .ccc. xccccc ;cco .occ. ccccccc. :cccdo ;cc: oxlccccccco0.
+ .ccc. .ccc. dcc'ccl. :ccl dcc. ccc' :cccccO. ;cc: lccc 'ccd
+ .ccclllllccc. ccc: .ccx .ccl,dcc' cccllll. :cc, ccox;cc: :cc: .ccc.
+ .ccc ccc. 'lccl0kcccd .cclcc, ccc. :cc; .ccocc: .ccco kcc:
+ .ccc. .ccc. dcc. :ccl .ccc; cccd000' :cc; cccc: cccxO0kocc,
+ :ccc.
+
+
+
+
+ First step is to setup your account for Face to Face Trades:
+ +Here we specify that we want to do face to face trades in Berlin (Germany) as an example, we will use our FIAT currency, Euros (in cash), you can also specify alternative ways to get contacted if you don't like the built in chat in Haveno DEX, such as email or phone number, etc. Then hit the "save new account" button:
+ +Make sure you read carefully what a face-to-face fiat->XMR trade is, and what are it's risks, if you're fine with it, click "i understand". Now that your account is created, head over to the "Buy" section, as you want to buy monero:
+ + +Then you can publish a Fiat->XMR face to face trade offer like so:
+ +So here we want to purchase 0.10 XMR, for the current market price, which amounts to 12 euros. then hit next step:
+Now here is when we get introduced to the trade protocol's security deposit system as detailed in the Haveno FAQ. I'll make a simple diagram to explain the situation:
+
+Quote from Haveno's FAQ: (https://haveno.exchange/faq/#what-are-the-differences-in-the-trade-protocol)
+
+[...]
+
+Bisq recently adopted a protocol based on 2/2 multisig, while Haveno will use their previous protocol: 2/3 multisignature. In a 2/3 multisignature trade, each trader owns one key; this key will be paired with the key of the other trader and will be used to unlock funds and deposits. It’s a 2 of 3 (2/3) protocol because you need only two out of three keys to move funds from the multisignature wallet.
+
+If everything goes fine, the two traders will use their keys to complete the transfer process. If something goes wrong, one of the two parties won’t use their key to complete the transaction, and this is where the arbitrator comes to action.
+
+Arbitrators are inherited from Bisq’s 2/3 protocol. They are a trusted role and have the duty of releasing the funds to one of the two parties in case of a conflict. To do so, they use the third key of the 2/3 multisig protocol.
+
+[...]
+
+
+
+To make it short, you (Bob) in this case, want to trade Fiat, for Alice's XMR, in person. BOTH you and Alice need to put in some monero into the trade, as a security deposit. That is so in case if you try to scam Alice, you will loose something in the process, preventing you from trying to repeatedly scam people, and vice versa.
+Due to the 2/3 multisig nature of the trade, there needs to be at least 2 agreeing parties to complete the trade. If all goes well, you and Alice agree on the trade, and the security deposit monero is released. If not, the Arbitrator will step in to punish the wrongdoer (by not giving him the security deposit back), and give the security deposit to the honest party.
+The following example will cover a successful trade between you and Alice. If you want to see a trade dispute, check out this tutorial.
+ +So here, you need to send the security deposit to be able to post your buying offer, just send it from your monero wallet like so:
+ +Once you've sent the monero to your haveno trade for the security deposit, you need to wait approx 20 minutes for the transaction to be confirmed by the network
+ +Approx 20 mins later, the trade shows up as enabled:
+Bob: puts 0.1005 XMR into the trade for the security deposit, + +You (and the other haveno peers) can see it from the Sell tab:
+ +Here you just need to wait for someone to accept the trade. Once they do, they will need to send their share of the security deposit too just like we previously did. Once they do it will show up on your end as an initiated trade:
+Alice puts 0.1005 XMR into the trade for the security deposit. Then the trade is secured + +Same as before, you need to wait for the security deposit to be validated by the network (approx 20 mins again). In the meantime you can chat with the trader by clicking the "Open Trader Chat" button.
+ +Once the security deposit has been validated by the network for the other party, you will get a notification that the trade can begin:
+ +Next step is for you to go and give the 12 Euros to Alice, and once you do, you confirm that the Payment has been sent like so:
+ +Then, you wait for Alice to confirm that she has recieved the 12 Euros (it will show up as "Peer confirmed message receipt"):
+ + Alice can then send the 0.10 XMR to Bob, after Bob Pays her in Euros. +Then here, you just wait for the Monero to arrive in your Haveno monero wallet, it will first show up as Pending on the top right corner:
+ +Wait another 20 minutes for the transaction to be validated by the network, and it will show up in your Haveno monero wallet as Available balance:
+ The trade is successful, the security deposit is now released, Bob gets his 0.1005 XMR back, and Alice too. (minus the transcation fees and arbitrator fees) + +And that's it, you can now pop the Champagne as you completed your first Fiat -> XMR transaction on a Decentralised exchange! 🥂
+ +Now all that's left is to withdraw your monero from your Haveno monero wallet to your other Monero Wallet:
+ +Head over to Funds > send funds, tick the "Amounts includes mining fee" option, and select the amount of monero you want to withdraw, in this case i'm withdrawing all of it.
+ +Then confirm that you want to withdraw the funds, and check your monero wallet for the incoming transaction:
+ +And that's it! you just withdrew your funds to your other monero wallet!
+ +Check out my other tutorials on Decentralised Finances below:
+ + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to cover how to use Haveno from a client/user perspective.
+ +let's follow the steps listed here to build haveno
+
+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents]
+→ cd /tmp
+
+[ mainpc ] [ /dev/pts/2 ] [/tmp]
+→ wget https://download.oracle.com/java/21/latest/jdk-21_linux-x64_bin.deb
+
+[ mainpc ] [ /dev/pts/2 ] [/tmp]
+→ sudo dpkg -i jdk-21_linux-x64_bin.deb
+
+[ mainpc ] [ /dev/pts/2 ] [/tmp]
+→ java --version
+java 21.0.3 2024-04-16 LTS
+Java(TM) SE Runtime Environment (build 21.0.3+7-LTS-152)
+Java HotSpot(TM) 64-Bit Server VM (build 21.0.3+7-LTS-152, mixed mode, sharing)
+
+
+[ mainpc ] [ /dev/pts/2 ] [/tmp]
+→ cd -
+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents]
+→ git clone https://github.com/haveno-dex/haveno.git
+Cloning into 'haveno'...
+remote: Enumerating objects: 36625, done.
+remote: Counting objects: 100% (2187/2187), done.
+remote: Compressing objects: 100% (896/896), done.
+remote: Total 36625 (delta 994), reused 2031 (delta 931), pack-reused 34438
+Receiving objects: 100% (36625/36625), 28.79 MiB | 1.92 MiB/s, done.
+Resolving deltas: 100% (22579/22579), done.
+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents]
+→ cd haveno
+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents/haveno]
+→ git checkout master
+Already on 'master'
+Your branch is up to date with 'origin/master'.
+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents/haveno]
+→ make skip-tests
+mkdir -p .localnet
+./gradlew build -x test -x checkstyleMain -x checkstyleTest
+Starting a Gradle Daemon, 1 incompatible Daemon could not be reused, use --status for details
+
+> Task :cli:compileJava
+Note: /home/nihilist/Documents/haveno/cli/src/main/java/haveno/cli/CliMain.java uses or overrides a deprecated API.
+Note: Recompile with -Xlint:deprecation for details.
+
+> Task :common:compileJava
+Note: Some input files use or override a deprecated API.
+Note: Recompile with -Xlint:deprecation for details.
+Note: Some input files use unchecked or unsafe operations.
+Note: Recompile with -Xlint:unchecked for details.
+
+> Task :p2p:compileJava
+Note: Some input files use or override a deprecated API.
+Note: Recompile with -Xlint:deprecation for details.
+
+[...]
+
+
+> Task :relay:compileJava
+Note: /home/nihilist/Documents/haveno/relay/src/main/java/haveno/relay/RelayMain.java uses or overrides a deprecated API.
+Note: Recompile with -Xlint:deprecation for details.
+
+Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
+
+You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
+
+For more on this, please refer to https://docs.gradle.org/8.6/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
+
+BUILD SUCCESSFUL in 2m 20s
+81 actionable tasks: 78 executed, 3 up-to-date
+
+
+
+Now that's done, let's join the public test network:
+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents/haveno]
+→ make user1-desktop-stagenet
+./haveno-desktop \
+ --baseCurrencyNetwork=XMR_STAGENET \
+ --useLocalhostForP2P=false \
+ --useDevPrivilegeKeys=false \
+ --nodePort=9999 \
+ --appName=haveno-XMR_STAGENET_user1 \
+ --apiPassword=apitest \
+ --apiPort=3201 \
+ --useNativeXmrWallet=false \
+
+WARNING: Unknown module: javafx.controls specified to --add-opens
+WARNING: Unknown module: javafx.controls specified to --add-opens
+WARNING: Unknown module: javafx.graphics specified to --add-opens
+May-13 19:39:41.967 [main] INFO haveno.common.util.Utilities: System info: os.name=Linux; os.version=6.1.0-20-amd64; os.arch=amd64; sun.arch.data.model=64; JRE=21.0.3+7-LTS-152 (Oracle Corporation); JVM=21.0.3+7-LTS-152 (Java HotSpot(TM) 64-Bit Server VM)
+May-13 19:39:41.990 [main] INFO haveno.common.app.AsciiLogo:
+
+
+
+
+ 0X
+ OOdolcck
+ KXKNN0occcccccck: :Kxxk0d
+ klccccccccccccccccck0xcccccccxK'
+ xccccccccccccccclOKKOocccccccccclxK
+ .xccccccccccccccclWMMMMMd:::::::::ccco
+ 'dccccccc:::cccccclWMMMMMo:::::::::::cc;
+ ,occccc:::::::::::::cxO0kl:::::::::::::cd
+ ;occccc:::::cddddddc;;;;;;;;:ddddddl:::::coldOK
+ :occccc::::::xMMMMMMo,,,,,,,,cMMMMMMk::::::cccccoOc
+ llccccc:::::;;dMMMMMMo,,,,,,,,cMMMMMMk:::::::cccccc,
+ 'cccccc::::;,,dMMMMMMl'''''',,cMMMMMMk::::::::ccccc.
+ .cccccc::::,,,dMMMMMMo'''''',,cMMMMMMk::::::::ccccc
+ :ccccc:::::;;dMMMMMM0xxxxxxxxOMMMMMMk::::::::ccc'
+ ;ccccc:::::::xMMMMMMMMMMMMMMMMMMMMMMk::::::ccccco
+ 'ccccc:::::::xMMMMMMMMMMMMMMMMMMMMMMk:::::ccccccco
+ .ccccccc:::::xMMMMMMd::::::::oMMMMMMk:::::ccccccc
+ :cccccccc:::xMMMMMMo,,,,,,,,cMMMMMMk:::::cccccc
+ cccccccccc:xMMMMMMo,,,,,,,,cMMMMMMk::::cccccc
+ :ccccccccccxMMMMMMo,,,,,,,,cMMMMMMO:cccccccc
+ ccccccccccxMMMMMMd;;;;;;;:lMMMMMMOcccccccc
+ ccccccclooooooc::::::::cddddddlcccccc:
+ .ccccc::::::::::::::ccccccccccccccc
+ :cccc:::::::::::ccccccccccccc
+ .cccc:::::::ccccccccccc,
+ 'ccccccccccccc.
+ ;ccccc:
+
+
+
+
+ .XXX. .XXX. .XXXk dXX0 ;XXX.KXXXXXX, xXX0 :XX0 ,XK000KK
+ .ccc. .ccc. xccccc ;cco .occ. ccccccc. :cccdo ;cc: oxlccccccco0.
+ .ccc. .ccc. dcc'ccl. :ccl dcc. ccc' :cccccO. ;cc: lccc 'ccd
+ .ccclllllccc. ccc: .ccx .ccl,dcc' cccllll. :cc, ccox;cc: :cc: .ccc.
+ .ccc ccc. 'lccl0kcccd .cclcc, ccc. :cc; .ccocc: .ccco kcc:
+ .ccc. .ccc. dcc. :ccl .ccc; cccd000' :cc; cccc: cccxO0kocc,
+ :ccc.
+
+
+
+
+
+
+
+May-13 19:39:42.009 [main] INFO haveno.common.app.Version: Version{VERSION=1.0.3, P2P_NETWORK_VERSION=A, LOCAL_DB_VERSION=1, TRADE_PROTOCOL_VERSION=1, BASE_CURRENCY_NETWORK=1, getP2PNetworkId()=1A}
+May-13 19:39:42.009 [main] INFO haveno.common.setup.CommonSetup: Path to Haveno jar file: /home/nihilist/Documents/haveno/lib/common.jar
+May-13 19:39:42.010 [main] INFO haveno.common.util.Profiler: Total memory: 66 MB; Used memory: 25.56 MB; Free memory: 40.44 MB; Max memory: 1 GB; No. of threads: 1
+May-13 19:39:42.029 [main] INFO h.core.setup.CoreNetworkCapabilities: TRADE_STATISTICS [0], TRADE_STATISTICS_2 [1], ACCOUNT_AGE_WITNESS [2], PROPOSAL [5], BLIND_VOTE [6], ACK_MSG [7], BUNDLE_OF_ENVELOPES [10], SIGNED_ACCOUNT_AGE_WITNESS [11], MEDIATION [12], REFUND_AGENT [13], TRADE_STATISTICS_HASH_UPDATE [14], NO_ADDRESS_PRE_FIX [15], TRADE_STATISTICS_3 [16]
+May-13 19:39:42.031 [main] INFO haveno.core.locale.GlobalSettings: Locale info: en_US
+May 13, 2024 7:39:42 PM com.sun.javafx.application.PlatformImpl startup
+WARNING: Unsupported JavaFX configuration: classes were loaded from 'unnamed module @1de5f259'
+May-13 19:39:42.809 [JavaFX Application Thread] INFO haveno.core.app.AvoidStandbyModeService: Started -- disabled power management via /usr/bin/gnome-session-inhibit --app-id Haveno --inhibit suspend --reason Avoid Standby --inhibit-only
+May-13 19:39:42.812 [JavaFX Application Thread] INFO haveno.core.app.HavenoExecutable: Creating Haveno account with null password
+May-13 19:39:43.058 [JavaFX Application Thread] INFO h.c.n.p2p.seed.DefaultSeedNodeRepository: Seed nodes: [3cqlkowdu766sto5wrdqpntpsi7kezwkkakc532i6jeiyu7hha726ead.onion:3003, dl57jitswby4yhzpqpu7pwq6iyqg2x6vkio73araparbftlqoqxhvqad.onion:2002]
+May-13 19:39:43.620 [JavaFX Application Thread] INFO haveno.core.provider.ProvidersRepository: Selected price provider: http://elaxlgigphpicy5q7pi5wkz2ko2vgjbq4576vic7febmx4xcxvk6deqd.onion/
+May-13 19:39:43.760 [JavaFX Application Thread] INFO haveno.desktop.app.HavenoApp: Starting application
+May-13 19:39:43.895 [JavaFX Application Thread] INFO haveno.core.app.AppStartupState: Combined initialized state = false = updatedDataReceived=false && isBlockDownloadComplete=false && isWalletSynced=false && hasSufficientPeersForBroadcast=false && allDomainServicesInitialized=false
+May-13 19:39:44.867 [JavaFX Application Thread] INFO haveno.desktop.app.HavenoAppMain: Using JavaFX 21.0.2
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to cover an instant SEPA transfer (which is a bank transfer) transaction for monero, this is one of the most popular payment options in the EU region. (for more details on how SEPA works, check out this, video). Instant SEPA was a personal favorite of mine back on the now defunct Localmonero, due to the speed of the transanction, the only requirement being that the other peer has a bank account that supports instant SEPA transfers.
+ +If you want to install Haveno DEX (on the Haveno Reto network) check out this tutorial i previously made.
+WARNING: SEPA transactions become risky when it starts to become large transactions and volumes over time:
+
+For SEPA, if you do big volume, also expect interrogation from KYC/Compliance department
+From request for SoF/PoI to full on phonecall interrogation, asking about specific groups of transactions
+Varies according to bank: some will ban, others will let you continue
+Once again, with EMIs and online banks they are less lenient, whereas with physical banks you have wiggle-room
+If you do get banned from an EMI/online bank, it is not uncommon to have IBANs associated with your name to be blacklisted (cannot receive from those EMIs/online banks)
+If you get banned from a physical bank, they may put your name on a fraud registry
+
+
+In short, keep in mind that this may not be a reliable way to purchase monero in the long run especially if you do large transactions each time. (thanks xmrfamily for the infos)
+ + +First step, you need to create your account in the application, in the account:
+ +Then hit "Save account", and make sure you read carefully the trade protocol for SEPA bank transfers:
+ +Currently we're limited to 3 XMR, but gradually over time we're going to be able to do up to 12 XMR trades at once after 60 days signing. This is to reduce chargebacks risks. One thing to note here is that we are able to create multiple sepa for xmr trades, unlike in our previous examples.
+ + +Here, Alice creates her account for sepa instant payments on her Haveno DEX, but in contrast to Bob, she wants to only allow payments from her own country (France), as for her, that reduces risks of having to transact to a bank that can't do Instant SEPA transfers:
+ + +Then Alice creates the new Offer to sell her XMR:
+ +Here Alice wants to sell 0.1014 XMR at current market price (which amounts to 13 euros), and to fund her offer in total she needs to put in 0.201907 XMR as it includes her side of the security deposit.
+ +Alice uses her monero wallet to fund the offer, and then it shows as pending on her Haveno DEX as Pending:
+ + +Then once the offer is funded, the offer is enabled, and other peers can see Alice's offer on the Buy section:
+ + + +Now from Bob's point of view, we see Alice's offer here, and we take the offer:
+ +Bob also funds the offer as we explained here:
+ +Bob confirms he want to buy monero:
+ + + +Next, Bob has to pay 13 Euros to the Alice, via a bank transfer (SEPA instant) as he can now see her bank information:
+ +Sidenote: Tying back to my explanation on why Decentralised exchanges are going to be very costly to an adversary that wants to deanonymize users, the adversary would have to massively fund offers in monero, and loose their side of the security deposit each time, in an attempt to try and regulate the end user directly, that's way harder than just knocking on a centralised exchange owner's door to ask him to / force him to deanonymize his entire userbase for the adversary. This is where the Haveno DEX multiplies potential adversaries' efforts manyfold compared to centralised exchanges.
+So here Bob can follow this procedure to do the sepa instant transfer; he goes on his banking application to add Alice Liddell as a third-party account using her IBAN (see example IBANs per country in the EU here), and then he sends her the 13 euros as a transaction between private individuals, using the instant transaction feature provided by his Bank.
+ +Once completed, Bob declares that he has sent payment. and in case if Alice tries to deny that she recieved payment, Bob can take a screenshot to prove that he has sent the payment, from his bank account by clicking on viewing more details on his transaction (checking the receipt). That way, in case if there is a dispute, (meaning if Alice tries to scam Bob), he will be on the right side of arbitration, and the Arbitrator will favor him.
+ +Back to Alice's side, we see that the trade has been initiated:
+ +So here Alice checks if she recieved payment on her account from the bank account of Bob (whose name just got revealed as "Bob Marley" with a specific IBAN) As a Buyer (like Bob), don't try to use a fake IBAN and name because the infos you use are going to be required by the XMR seller (Alice) to verify from whom the payment came from. The Arbitrators are likely to favor Alice if you use false banking information.
+ +Alice just checked her banking application, she recieved payment from Bob Marley, and she clicks "Confirm payment Receipt" to complete the trade.
+ + +And lastly, Bob gets his Monero without any issue (he needs to wait 20 minutes for the monero to be spendable from his haveno monero wallet):
+ + + +And then he can also withdraw his monero from his Haveno DEX to his other monero wallet like so:
+ + + +And that's it! We now covered one of the fastest and easiest way people can purchase and sell Monero in the EU region. Coming up next we'll cover how to do the most popular option there was on LocalMonero: Cash by Mail, it is the best option if you intend to exchange in large quantities.
+ +Check out my other tutorials on Decentralised Finances below:
+ + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to cover how to setup the open source hypervisor QEMU/KVM in Linux host OS, using the libvirt technology.
+ +Bob has a problem, he wants to use his laptop for 4 different internet uses:
+ +But currently, he has only one laptop with linux as the host OS.
+ +So the idea basically is that Bob does not need to purchase 4 laptops each for a different usage, he just needs to virtualise those machines using a Hypervisor:
+ +Bob is going to use a QEMU/KVM hypervisor to virtualize 4 VMs, each for a specific use. The windows VM will be for public use, the debian VM will be for the private use, the Whonix VM will be for Anonymous use, and the other whonix VMs in the veracrypt hidden volume be used for sensitive uses.
+ + + +Next we do not virtualize anything using closed-source software like VMWare Workstation or else. We use QEMU/KVM with virt-manager, which is an open source hypervisor:
+
+nihilist@debian:~# sudo apt install libvirt0 virt-manager dnsmasq bridge-utils
+
+sudo systemctl enable --now libvirtd
+
+nihilist@debian:~# sudo usermod -a -G libvirt nihilist
+nihilist@debian:~# sudo usermod -a -G kvm nihilist
+
+nihilist@debian:~# sudo vim /etc/libvirt/libvirtd.conf
+nihilist@debian:~# cat /etc/libvirt/libvirtd.conf | grep sock_group
+unix_sock_group = "libvirt"
+unix_sock_rw_perms = "0770"
+
+nihilist@debian:~# sudo chmod 770 -R VMs
+nihilist@debian:~# sudo chown nihilist:libvirt -R VMs
+
+nihilist@debian:~# cat /etc/libvirt/qemu.conf
+group = "libvirt"
+user = "nihilist"
+
+nihilist@debian:~# systemctl restart libvirtd.service
+
+ virt-manager
+
+
+Next just make sure that the NAT network is created, and that the ISOs and VMs folders are with the correct permissions:
+ +
+nihilist@debian:~$ mkdir ISOs
+nihilist@debian:~$ mkdir VMs
+
+nihilist@debian:~$ sudo chmod 770 -R VMs
+nihilist@debian:~$ sudo chmod 770 -R ISOs
+
+nihilist@debian:~$ sudo chown nihilist:libvirt -R VMs
+nihilist@debian:~$ sudo chown nihilist:libvirt -R ISOs
+
+
+Then you can add the file directories in virt-manager like so:
+ + +And now you're all set to start making VMs while maintaining the open-source requirement. If you still want to use a closed-source OS, you can do so in a QEMU VM from virt-manager. always remember that closed-source OSes like Windows belong in a VM, never out of one.
+ +Additional notes: you can prevent an adversary to tamper with your laptop, by using glitter polish as shown in mullvad's tutorial, and also make sure that your phone does not have a closed-source host OS by using Graphene OS.
+ +Next, Bob needs to use VMs for 2 basic needs: Public internet usage, and Private internet usage. He first needs to download the Windows ISO file, and the debian iso file too:
+First he creates the windows VM like so:
+ + + + + + + + + + + +Then he creates the debian VM like so:
+ + +Then in both VMs he installs the OS on the virtual disk:
+ + +Then Bob can launch both VMs (make sure that the VM boots onto the disk instead of the iso in the boot settings):
+ + +Then Bob can use the windows VM for his public usage (such as KYC services, and closed-source software), and use the debian VM for his private usage (any personal matter, with only open source software)
+Next, Bob can setup a VPN by default into his debian VM.
+ + ++ Until there is nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to cover why it's important to have an Opensource host-OS and virtualisation software for privacy purposes and we're going to go through all the steps we need to set it up. We'll also cover how to harden the OS using kickstart (which was made by the whonix developers), and we'll look at how to virtualize VMs while still using opensource software.
+ +Most people talk about opsec, but they don't realize how bad their opsec is. You would'nt barricade your bedroom door before barricading the frontdoor right ? In this case, the hardware and the host OS are the front door, and the rest is inside your house. You are leaving your front door opened when you're using a closed source Host OS (for example Windows, or MacOS, or similar). Hence you need a Linux host OS. for example we're going to setup the latest Debian in this case.
+
+[ mainpc ] [ /dev/pts/4 ] [~/Downloads]
+→ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
+--2024-01-30 14:53:15-- https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
+Resolving cdimage.debian.org (cdimage.debian.org)... 194.71.11.165, 194.71.11.173, 194.71.11.163, ...
+Connecting to cdimage.debian.org (cdimage.debian.org)|194.71.11.165|:443... connected.
+HTTP request sent, awaiting response... 302 Found
+Location: https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso [following]
+--2024-01-30 14:53:15-- https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
+Resolving gemmei.ftp.acc.umu.se (gemmei.ftp.acc.umu.se)... 194.71.11.137, 2001:6b0:19::137
+Connecting to gemmei.ftp.acc.umu.se (gemmei.ftp.acc.umu.se)|194.71.11.137|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 658505728 (628M) [application/x-iso9660-image]
+Saving to: ‘debian-12.4.0-amd64-netinst.iso’
+
+debian-12.4.0-amd64-netinst.i 100%[=================================================>] 628.00M 6.85MB/s in 83s
+
+2024-01-30 14:54:39 (7.55 MB/s) - ‘debian-12.4.0-amd64-netinst.iso’ saved [658505728/658505728]
+
+
+
+
+Then flash it onto an usb stick (heres how you do it from linux below):
+
+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ lsblk
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+sda 8:0 0 3.6T 0 disk
+sdb 8:16 1 14.6G 0 disk
+└─sdb1 8:17 1 14.6G 0 part /media/nihilist/022E-0C69
+
+
+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ sudo umount /media/nihilist/022E-0C69
+umount: /media/nihilist/022E-0C69: not mounted.
+
+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ lsblk
+NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+sda 8:0 0 3.6T 0 disk
+sdb 8:16 1 14.6G 0 disk
+└─sdb1 8:17 1 14.6G 0 part
+
+→ sudo dd if=debian-12.4.0-amd64-netinst.iso of=/dev/sdb1 bs=8M status=progress
+[sudo] password for nihilist:
+78+1 records in
+78+1 records out
+658505728 bytes (659 MB, 628 MiB) copied, 45.6007 s, 14.4 MB/s
+
+
+You can use tools like balenaetcher to do the same from other OSes like Windows.
+Now that's done, we need to reboot the host OS and get into the BIOS:
+ +In this case we need to spam the F2 key upon booting to arrive into the BIOS. Then navigate to the Boot selection in order to boot to the USB key. for example it can be :
+ + + + +Here instead you just choose the usb key you flashed the linux image on, and boot onto it. Then do as follows:
+ + +Now that's done, follow the installation of the host OS on the harddrive you prefer. Make sure its' not LUKS encrypted, as Kicksecure still didn't fix the ram-wipe feature for LUKS systems (as of 30/01/2024). Besides, a simple LUKS encryption would not be enough in a situation where you are forced to give out your password. (see veracrypt's details on Plausible Deniability.)
+ + + + + +Then make sure it has a desktop environment (i recommend cinnamon).
+ +Then let the install finish and then reboot the computer and remove the usb key, it should then boot into a clean host OS.
+ + + + +Now that we're in our host OS, let's harden it by turning it into a Kicksecure distro:
+
+su -
+apt update ; apt full-upgrade ; apt install --no-install-recommends sudo adduser curl apt-transport-tor tor torsocks
+
+/usr/sbin/addgroup --system console
+
+/usr/sbin/adduser nothing console #replace nothing with your username
+/usr/sbin/adduser nothing sudo #replace nothing with your username
+
+reboot now
+
+
+After rebooting, install kicksecure like so: (beware it must be done as the user mentionned above. in this case user is nothing:
+
+nothing@debian:~$ sudo apt update -y ; sudo apt full-upgrade -y
+
+
+Then we download the kicksecure keyring via tor:
+
+nothing@debian:~$ sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc
+nothing@debian:~$ echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
+
+nothing@debian:~$ sudo apt update -y
+Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
+Hit:2 http://deb.debian.org/debian bookworm InRelease
+Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
+Get:4 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm InRelease [39.6 kB]
+Get:5 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/main amd64 Packages [34.3 kB]
+Get:6 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/contrib amd64 Packages [506 B]
+Get:7 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/non-free amd64 Packages [896 B]
+Fetched 75.3 kB in 31s (2,419 B/s)
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+All packages are up to date.
+
+nothing@debian:~$ sudo apt full-upgrade -y
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+Calculating upgrade... Done
+0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
+
+sudo apt install --no-install-recommends kicksecure-cli-host -y
+#tor connection may crash sometimes, so just relaunch that command again if it fails
+
+
+Then we do the Post-upgrade steps:
+
+sudo mv /etc/apt/sources.list ~/
+sudo touch /etc/apt/sources.list
+
+sudo reboot now
+
+Then as you reboot you'll see that grub shows that it's now kicksecure instead of debian:
+ + +Next, we make sure that unattended upgrades are activated so that minor package updates are automatically carried out by the system.
+
+nothing@debian:~$ sudo apt install unattended-upgrades apt-listchanges -y
+nothing@debian:~$ sudo dpkg-reconfigure -plow unattended-upgrades
+
+
+
+Next we're going to make sure that the ram gets overwritten upon shutdowns to prevent cold boot attacks.
+
+nothing@debian:~$ sudo apt install --no-install-recommends ram-wipe
+
+
+
+If you are testing from a VM, you need to do the following:
+
+nothing@debian:~$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"' | sudo tee -a /etc/default/grub.d/50_user.cfg
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"
+
+nothing@debian:~$ sudo update-grub
+Generating grub configuration file ...
+Found background image: .background_cache.png
+Found linux image: /boot/vmlinuz-6.1.0-17-amd64
+Found initrd image: /boot/initrd.img-6.1.0-17-amd64
+Found linux image: /boot/vmlinuz-6.1.0-15-amd64
+Found initrd image: /boot/initrd.img-6.1.0-15-amd64
+Warning: os-prober will not be executed to detect other bootable partitions.
+Systems on them will not be added to the GRUB boot configuration.
+Check GRUB_DISABLE_OS_PROBER documentation entry.
+done
+
+
+
+Then you can test if it's working by rebooting and checking the shutdown output logs.Next, we're going to trim out what we don't need from our Host OS. First and foremost, let's get rid of all the logs (both system and kernel logs) on the system. We first make sure that logs are cleared upon startup like so:
+
+root@debian:~# cat startup.sh
+#!/bin/bash
+sudo rm -rf /var/log
+sudo rm -rf /dev/shm/*
+
+sudo ln -s /dev/shm /var/log
+
+sudo dmesg -c
+sudo dmesg -n 1
+sudo dmesg -c
+
+#also uncomment the kernel.printk line in /etc/sysctl.conf to avoid the kernel from printing out errors
+
+root@debian:~# chmod +x startup.sh
+
+root@debian:~# vim /etc/sysctl.conf
+
+root@debian:~# cat /etc/sysctl.conf | grep printk
+kernel.printk = 3 4 1 3
+
+
+root@debian:~# vim /etc/systemd/system/startup.service
+
+root@debian:~# cat /etc/systemd/system/startup.service
+[Unit]
+Description=Clearing logs at startup
+Wants=network.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/root/startup.sh
+TimeoutStartSec=0
+
+[Install]
+WantedBy=shutdown.target
+
+root@debian:~# systemctl daemon-reload
+
+root@debian:~# systemctl enable startup
+Created symlink /etc/systemd/system/shutdown.target.wants/startup.service → /etc/systemd/system/startup.service.
+
+
+
+Then we make sure that logs are being cleared out minutely:
+
+root@debian:~# cat removelogs.sh
+#!/bin/bash
+
+rm -rf /dev/shm/*
+rm -rf /var/log/*
+dmesg -c
+
+root@debian:~# chmod +x removelogs.sh
+
+root@debian:~# crontab -e
+
+
+
+Then we make sure that logs are cleared out upon shutdown, along with VMs shutdowns if there are any, veracrypt volumes closing, and log cleanups:
+
+root@debian:~# vim shutdown.sh
+root@debian:~# cat shutdown.sh
+#!/bin/bash
+
+#remove VMs
+
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-External
+
+#then unmount veracrypt volumes
+
+sudo veracrypt -d -f
+
+# then cleanup logs
+
+sudo rm -rf /dev/shm/*
+sudo rm -rf /var/log/*
+sudo dmesg -c
+
+root@debian:~# chmod +x shutdown.sh
+
+root@debian:~# vim /etc/systemd/system/shutdown.service
+root@debian:~# cat /etc/systemd/system/shutdown.service
+[Unit]
+Description=Shutdown Anti forensics
+DefaultDependencies=no
+Before=shutdown.target reboot.target halt.target
+
+[Service]
+Type=oneshot
+ExecStart=/root/shutdown.sh
+TimeoutStartSec=0
+
+[Install]
+WantedBy=shutdown.target reboot.target halt.target
+root@debian:~# systemctl daemon-reload
+root@debian:~# systemctl enable shutdown
+Created symlink /etc/systemd/system/shutdown.target.wants/shutdown.service → /etc/systemd/system/shutdown.service.
+Created symlink /etc/systemd/system/reboot.target.wants/shutdown.service → /etc/systemd/system/shutdown.service.
+Created symlink /etc/systemd/system/halt.target.wants/shutdown.service → /etc/systemd/system/shutdown.service.
+
+
+Then you can reboot to see that all logs are removed as intended:
+
+sudo reboot now
+
+root@debian:~# ls -lash /var | grep log
+ 0 lrwxrwxrwx 1 root root 8 Jan 30 14:13 log -> /dev/shm
+
+root@debian:~# tail -f /var/log/*.log
+tail: cannot open '/var/log/*.log' for reading: No such file or directory
+tail: no files remaining
+
+root@debian:~# tail -f /dev/shm/*.log
+tail: cannot open '/dev/shm/*.log' for reading: No such file or directory
+tail: no files remaining
+
+root@debian:~# dmesg
+root@debian:~#
+
+
+
+
+ Next step, we do not virtualize anything using closed-source software like vmware or else. We use QEMU/KVM with virt-manager:
+
+nothing@debian:~# sudo apt install libvirt0 virt-manager dnsmasq bridge-utils
+
+sudo systemctl enable --now libvirtd
+
+nothing@debian:~# sudo usermod -a -G libvirt nothing
+nothing@debian:~# sudo usermod -a -G kvm nothing
+
+nothing@debian:~# sudo vim /etc/libvirt/libvirtd.conf
+nothing@debian:~# cat /etc/libvirt/libvirtd.conf | grep sock_group
+unix_sock_group = "libvirt"
+unix_sock_rw_perms = "0770"
+
+nothing@debian:~# sudo chmod 770 -R VMs
+nothing@debian:~# sudo chown nothing:libvirt -R VMs
+
+nothing@debian:~# cat /etc/libvirt/qemu.conf
+group = "libvirt"
+user = "nothing"
+
+nothing@debian:~# systemctl restart libvirtd.service
+
+ virt-manager
+
+
+Next just make sure that the NAT network is created, and that the ISOs and VMs folders are with the correct permissions:
+ +
+nothing@debian:~$ mkdir ISOs
+nothing@debian:~$ mkdir VMs
+
+nothing@debian:~$ sudo chmod 770 -R VMs
+nothing@debian:~$ sudo chmod 770 -R ISOs
+
+nothing@debian:~$ sudo chown nothing:libvirt -R VMs
+nothing@debian:~$ sudo chown nothing:libvirt -R ISOs
+
+
+Then you can add the file directories in virt-manager like so:
+ + +And now you're all set to start making VMs while maintaining the open-source requirement.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+Just a bunch of scripts and tutorials that i personally use, to setup servers in an automated or quickest possible way. + For servers that can't be setup using scripts, i create step-by-step tutorials to set them up properly. + I have a certain quality standard as to how i do these tutorials, if there are any improvements i can do on them please let me know. +
++ CONTRIBUTORS : +
+LEGAL DISCLAIMER:
+Across the entirety of my blog, in all articles that I made, I advocate for the legal use of technologies, even when I am talking about Privacy-enhancing and Anonymity-enabling technologies. In no way am I advocating for any illegal use of any technology showcased in any article on my blog, as the goal of this blog is to remain stricly informative and educative.
+
+I decline any and all responsibility for any mis-use of any of the technology i showcase in the entirety of my blog. I also decline any and all responsibility for any physical, digital and psychological damage caused by the mis-use of any showcased technology, as the responsibility of such acts remains with the perpretating third-party. By reading this blog, you permanently, irrevocably and world-widely agree that I am in no way am responsible for any illegal action done by you or anyone that uses any of the showcased technology in my blog articles.
+
+
+
+
+ 📝 Security
+ + +📝 Privacy Front-ends
+📝 Productivity
+💻 Collaborative Work
+⭐ Personal Favorites
+🪟 Windows Server
+🎦 Media
+🟦 pfSense Administration
+🐐 Debian Server Administration
+🔁 Automation
+🖥️ Monitoring
+📜 Scripted Setups:
+🚧Complete Professionnal Projects
+ + + +🗄️ Databases
+🚢 Docker - Management
+🚢 Docker - Containers
+📦 Backups
+🔍 Search Engines
+ +⚠️ Minimal / Experimental / Games
+📡 DNS
+ + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to cover how to properly segment your internet usage. This is the most common opsec practice that you should always use. We're going to base ourselves off from the pyramid of internet use that we have seen previously, to be able to replicate each of the 4 OPSEC levels into our current setup:
+ + +The most common OPSEC mistake out there is the lack of internet usage segmentation. Most people don't have this reflex when they first discover Anonymity and Privacy online. Thing is, it is not possible to be fully anonymous for everything that you do online, there will always be some service that is vital to you, which you will need to access with your real world identity (for example, to access your bank account, or some insurance website, etc). However it is definitely possible to implement proper internet usage segmentation:
+ +In this case we're going to differentiate 4 types of Internet usage:
+ +Internet Uses:
+Public use: What you do is public knowledge
Private use: What you do is not meant to be known (private)
Anonymous use: What you do is meant to be done without revealing your identity
Sensitive use: What you do is meant to remain secret at all cost, only to be known by you
With each different Internet usage, we have different requirements:
+ +Requirements:
+Public use: No requirement ; you can use closed source software (meaning it's all public)
Private use: only open source software, + you use a pseudonym, to practice privacy
Anonymous use: open source, using a false identity to practice anonymity, not sensitive
Sensitive use: open source, using an other false identity and must be plausibly deniable
Now with this we identified the 4 most typical internet use cases, and their requirements.
+As we said previously, segmentation is required for each internet use. This extends to the Identity you use online. For example you cannot use your real name when trying to use the internet anonymously. So you need a different identity for each use case:
+ +Different Identities:
+Public Identity: Linus Torvalds (used on websites that ask for your identity)
Private Identity: Nihilist (used on websites that may KYC, but pseudonym is preferred)
Anonymous Identity: ZacharyJr (used on anonymous websites, non-sensitive use)
Sensitive Identity: Dread Pirate Roberts (used on anonymous websites, sensitive use)
The important thing here is that you must make sure that each identity have nothing in common, it must always remain impossible for and adversary to be able to link those identities together.
+ + +To help you implement your internet usage segmentation, you can use VMs to make sure the segmentation is present inside the system:
+ +Virtual Machines:
+Public use: No requirement ; you can use a windows VM for all closed source software and KYC use
Private use: you can use a Debian VM, with only open source software (ex:matrix and element)
Anonymous use: you can use Whonix VMs, (can also have a with a Tor -> VPN setup)
Sensitive use: You can use Whonix VMs, but they need to be inside a veracrypt hidden volume
Now with this setup, one can segment their Internet use with a system implementation (VMs) along with the associated Identities for each usecase.
+ +For further details on how to dissect your OPSEC, check out this tutorial here, because using the right technologies is only the first half of the work, you also need to have the correct behavior while using them.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial, we're going to look at the first and foremost thing anyone can do to remove surveillance from their digital lives, by installing a free and open source software (FOSS) host operating system: Linux, in this case we're going to setup the latest Debian.
+ +So here we are Bob, and we have decided that having an entire crowd watching what we were doing with out computer was no longer acceptable. What can we do from here ?
+ +Bob, after searching for a while on the web, Bob realized that Windows was the problem here. Because it is closed-source (meaning the source code is not available) he couldn't know what Windows was doing in the background. Because that is so, Bob is now certain that his Operating System could be used for surveillance, without him being aware of it.
+"What the hell can I do on Windows privately then ?", Bob thought for a while.
+ +"... Nothing!", He realized. While he was using windows, he would never have any privacy with his digital life.
+Allegory: You have a house, and you have an annoying neighbor (Jack) that wants to know everything you do in your House. If you have windows installed on your computer as a host OS, it is the same as leaving the front door wide open for Jack to enter and watch what you're doing in your house, no matter how much you try to barricade the windows, or the doors. It makes more sense to try and barricade the front door first, before trying to barricade the windows and other rooms in your house, isn't it ?
+ +So Bob looked for an open source operating system to replace Windows, and he found the Linux sourcecode, he read the entire code and found no spyware in it. Then he decided that he would use that instead of using Windows.
+ +Because it is through Windows, that Microsoft employees are able to spy on what Bob was doing so far! By removing windows from the equation, he is also removing Microsoft's surveillance from his digital life!
+Bob has decided that he would use Linux from now on, because he is no longer tolerating being watched by an entire crowd, without his consent.
+First Bob, goes on the web to find a Linux distribution he likes, that is Open Source:
+ +He sees there are many options like Linux Mint, Ubuntu, etc
+ +But he settles on Debian. (Disclaimer: if you use closed-source hardware, like 99.9999999999% of people out there, you will invariably have to use non-free firmware too [1] [2] [3]). If you want a purely FOSS host OS, and you are willing to not have firmware for your CPU, GPU, Motherboard, Ethernet/wifi, check out the OSes recommended by the Free Software Foundation [4] (but it will be at the expense of having your peripherals not working [5]). The status of Open source Hardware is not even competitive in this closed-source hardware domination of the market., hopefully this will change in the future, but for now that's how it is. TLDR: If you don't want to install proprietary firmware, check out PureOS instead of debian.
+ +Now Bob has the Debian ISO image.
+ +But now he needs to put that ISO image on a USB stick. To do so he can use Rufus or Balena Etcher:
+ + +So Bob installs BalenaEtcher:
+ + +Once installed, he selects the ISO image in balenaetcher:
+ +Then, Bob plugs in his USB stick in his computer, to be able to put the ISO image into it:
+ +Then, Bob selects his USB stick from balenaetcher:
+ +Then he clicks "Flash", that way Balenaetecher will put the ISO image on the USB stick.
+ + +Bob waits a few minutes, and now he has a USB stick with the latest Debian OS on it.
+ +Bob will now be able to use it to install Linux and replace Windows with it.
+ +This is where it gets a bit technical for Bob. But here are the steps he needs to do:
+He needs to plug his USB stick in his computer
He needs to restart his computer
As his computer restarts, he needs to repeatedly press the F1 or F2 or DEL or F10 key in order to enter his computer's BIOS (depending on which brand his computer is)
once he is in the BIOS, he then needs to boot on his USB stick that has the Debian image
Then once he boots on his USB stick, he can install debian on his computer
The key that Bob needs to press to enter his computer's BIOS depends on what brand his computer is (see this blogpost for examples).
+Now Bob restarts his computer:
+ +And now, as he has an ASUS motherboard, he repeatedly presses the F2 key to enter his computer's BIOS:
+ +and from there, Bob needs to navigate the BIOS to boot on his USB key. Be aware that the Steps may vary, feel free to research how to change the boot options of your computer's BIOS settings. In Bob's example below, he is on an ASUS computer/motherboard, so he has these specific BIOS steps to do:
+Boot > OS Type > Other OS
+ +Boot > CSM settings > Launch CSM Auto
+ +Boot device Selection > his USB stick
+ +Once he selects his USB Stick, Bob can now boot from it, and he is greeted by Debian's welcome screen:
+ +And from there, Bob installs linux as per his needs:
+ + + + + + + + + +Here Bob decides that he wants to encrypt his whole harddrive too. That way, if someone were to steal his computer, without knowing his password, they would have no way to access Bob's local data.
+ + + + + + + + + + + + + + + +Here Bob can select his window manager. Gnome is the default option, but he chooses Cinnamon to keep the feel similar to how it was on windows.
+ + + + + +And there, Bob finished the Debian installation, he can unplug his USB stick, and click Continue to reboot his computer:
+ +As he reboots his computer, he is greeted by the Debian boot screen, and he then types his password to unlock his harddrive encryption:
+ + +Then he logs in using the password he set earlier:
+ +And now that Bob is logged in, he is greeted by the Cinnamon window manager, the feel of his OS remains similar to what he previously had on Windows, but now it's all open source!
+ +And that's it! Bob has managed to get privacy from Microsoft's constant surveillance by replacing Windows with a Linux distribution.
+ +From there, Bob can update his linux distribution and install new packages, following this tutorial here.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial, we're going to take a look at how you can install and update your programs on linux:
+ +First we need to open up a terminal:
+ +and then we can run the following command sudo apt update to make sure that our linux OS has the data regarding which are latest package versions:
+
+nihilist@mainpc:~$ sudo apt update
+[sudo] password for nihilist:
+Hit:1 http://deb.debian.org/debian bookworm InRelease
+Get:2 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
+Get:3 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
+Hit:4 https://repository.mullvad.net/deb/stable bookworm InRelease
+Get:5 http://security.debian.org/debian-security bookworm-security/main Sources [99.0 kB]
+Get:6 http://security.debian.org/debian-security bookworm-security/main amd64 Packages [160 kB]
+Get:7 http://security.debian.org/debian-security bookworm-security/main Translation-en [96.4 kB]
+Get:8 https://packages.element.io/debian default InRelease [3,618 B]
+Get:9 https://packages.element.io/debian default/main amd64 Packages [1,030 B]
+Get:10 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm InRelease [62.0 kB]
+Get:11 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/main amd64 Packages [36.1 kB]
+Fetched 561 kB in 20s (28.5 kB/s)
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+24 packages can be upgraded. Run 'apt list --upgradable' to see them.
+
+
+
+And at the bottom you see that there are 24 packages that can be upgraded, so we run sudo apt upgrade to make sure that those packages are on the latest available versions:
+
+nihilist@mainpc:~$ sudo apt upgrade
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+Calculating upgrade... Done
+The following packages were automatically installed and are no longer required:
+ default-jdk-headless libice-dev libpthread-stubs0-dev libsm-dev libwpe-1.0-1 libwpebackend-fdo-1.0-1 libx11-dev libxau-dev libxcb1-dev libxdmcp-dev libxt-dev linux-image-6.1.0-17-amd64 openjdk-17-jdk openjdk-17-jdk-headless x11proto-dev
+ xorg-sgml-doctools xtrans-dev
+Use 'sudo apt autoremove' to remove them.
+The following packages will be upgraded:
+ element-desktop ffmpeg firefox-esr gir1.2-gst-plugins-base-1.0 gstreamer1.0-alsa gstreamer1.0-gl gstreamer1.0-plugins-base gstreamer1.0-x libarchive-tools libarchive13 libavcodec59 libavdevice59 libavfilter8 libavformat59 libavutil57
+ libgstreamer-gl1.0-0 libgstreamer-plugins-base1.0-0 libpostproc56 libswresample4 libswscale6 python3-pil python3-pil.imagetk tb-updater thunderbird
+24 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
+Need to get 134 MB/234 MB of archives.
+After this operation, 5,378 kB of additional disk space will be used.
+Do you want to continue? [Y/n] y
+
+
+
+Here we press y and enter to continue, then let it run:
+
+Do you want to continue? [Y/n] y
+Get:1 http://security.debian.org/debian-security bookworm-security/main amd64 libswscale6 amd64 7:5.1.5-0+deb12u1 [215 kB]
+Get:2 http://security.debian.org/debian-security bookworm-security/main amd64 libavdevice59 amd64 7:5.1.5-0+deb12u1 [114 kB]
+Get:3 http://security.debian.org/debian-security bookworm-security/main amd64 libavformat59 amd64 7:5.1.5-0+deb12u1 [1,102 kB]
+Get:4 http://security.debian.org/debian-security bookworm-security/main amd64 libavfilter8 amd64 7:5.1.5-0+deb12u1 [3,703 kB]
+Get:5 http://security.debian.org/debian-security bookworm-security/main amd64 libavcodec59 amd64 7:5.1.5-0+deb12u1 [5,216 kB]
+Get:6 http://security.debian.org/debian-security bookworm-security/main amd64 libavutil57 amd64 7:5.1.5-0+deb12u1 [363 kB]
+Get:7 http://security.debian.org/debian-security bookworm-security/main amd64 libpostproc56 amd64 7:5.1.5-0+deb12u1 [94.0 kB]
+Get:8 http://security.debian.org/debian-security bookworm-security/main amd64 libswresample4 amd64 7:5.1.5-0+deb12u1 [97.3 kB]
+Get:9 http://security.debian.org/debian-security bookworm-security/main amd64 ffmpeg amd64 7:5.1.5-0+deb12u1 [1,814 kB]
+Get:10 http://security.debian.org/debian-security bookworm-security/main amd64 firefox-esr amd64 115.12.0esr-1~deb12u1 [63.1 MB]
+Get:11 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/main amd64 tb-updater all 3:33.4-1 [245 kB]
+Get:12 http://security.debian.org/debian-security bookworm-security/main amd64 thunderbird amd64 1:115.12.0-1~deb12u1 [58.3 MB]
+Fetched 134 MB in 20s (6,658 kB/s)
+Reading changelogs... Done
+(Reading database ... 219964 files and directories currently installed.)
+Preparing to unpack .../00-element-desktop_1.11.68_amd64.deb ...
+Unpacking element-desktop (1.11.68) over (1.11.67) ...
+Preparing to unpack .../01-libswscale6_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libswscale6:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../02-libavdevice59_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libavdevice59:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../03-libavformat59_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libavformat59:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../04-libavfilter8_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libavfilter8:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../05-libavcodec59_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libavcodec59:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../06-libavutil57_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libavutil57:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../07-libpostproc56_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libpostproc56:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../08-libswresample4_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libswresample4:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../09-ffmpeg_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking ffmpeg (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../10-firefox-esr_115.12.0esr-1~deb12u1_amd64.deb ...
+Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
+Unpacking firefox-esr (115.12.0esr-1~deb12u1) over (115.11.0esr-1~deb12u1) ...
+Preparing to unpack .../11-libgstreamer-plugins-base1.0-0_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking libgstreamer-plugins-base1.0-0:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../12-libgstreamer-gl1.0-0_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking libgstreamer-gl1.0-0:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../13-gir1.2-gst-plugins-base-1.0_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking gir1.2-gst-plugins-base-1.0:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../14-gstreamer1.0-alsa_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking gstreamer1.0-alsa:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../15-gstreamer1.0-gl_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking gstreamer1.0-gl:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../16-gstreamer1.0-plugins-base_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking gstreamer1.0-plugins-base:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../17-gstreamer1.0-x_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking gstreamer1.0-x:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../18-libarchive-tools_3.6.2-1+deb12u1_amd64.deb ...
+Unpacking libarchive-tools (3.6.2-1+deb12u1) over (3.6.2-1) ...
+Preparing to unpack .../19-libarchive13_3.6.2-1+deb12u1_amd64.deb ...
+Unpacking libarchive13:amd64 (3.6.2-1+deb12u1) over (3.6.2-1) ...
+Preparing to unpack .../20-python3-pil.imagetk_9.4.0-1.1+deb12u1_amd64.deb ...
+Unpacking python3-pil.imagetk:amd64 (9.4.0-1.1+deb12u1) over (9.4.0-1.1+b1) ...
+Preparing to unpack .../21-python3-pil_9.4.0-1.1+deb12u1_amd64.deb ...
+Unpacking python3-pil:amd64 (9.4.0-1.1+deb12u1) over (9.4.0-1.1+b1) ...
+Preparing to unpack .../22-tb-updater_3%3a33.4-1_all.deb ...
+Unpacking tb-updater (3:33.4-1) over (3:33.0-1) ...
+Preparing to unpack .../23-thunderbird_1%3a115.12.0-1~deb12u1_amd64.deb ...
+Unpacking thunderbird (1:115.12.0-1~deb12u1) over (1:115.11.0-1~deb12u1) ...
+Setting up libarchive13:amd64 (3.6.2-1+deb12u1) ...
+Setting up element-desktop (1.11.68) ...
+update-alternatives is /usr/bin/update-alternatives
+Setting up libgstreamer-plugins-base1.0-0:amd64 (1.22.0-3+deb12u2) ...
+Setting up python3-pil:amd64 (9.4.0-1.1+deb12u1) ...
+Setting up libavutil57:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up libgstreamer-gl1.0-0:amd64 (1.22.0-3+deb12u2) ...
+Setting up gstreamer1.0-plugins-base:amd64 (1.22.0-3+deb12u2) ...
+Setting up python3-pil.imagetk:amd64 (9.4.0-1.1+deb12u1) ...
+Setting up libswresample4:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up thunderbird (1:115.12.0-1~deb12u1) ...
+Skipping profile in /etc/apparmor.d/disable: usr.bin.thunderbird
+Setting up libpostproc56:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up libavcodec59:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up libswscale6:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up firefox-esr (115.12.0esr-1~deb12u1) ...
+Setting up gstreamer1.0-gl:amd64 (1.22.0-3+deb12u2) ...
+Setting up libarchive-tools (3.6.2-1+deb12u1) ...
+Setting up gstreamer1.0-x:amd64 (1.22.0-3+deb12u2) ...
+Setting up gstreamer1.0-alsa:amd64 (1.22.0-3+deb12u2) ...
+Setting up libavformat59:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up gir1.2-gst-plugins-base-1.0:amd64 (1.22.0-3+deb12u2) ...
+Setting up libavfilter8:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up tb-updater (3:33.4-1) ...
+INFO: Using '--postinst' option but outside of Qubes Template, skipping, ok.
+Setting up libavdevice59:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up ffmpeg (7:5.1.5-0+deb12u1) ...
+Processing triggers for desktop-file-utils (0.26-1) ...
+Processing triggers for hicolor-icon-theme (0.17-2) ...
+Processing triggers for libc-bin (2.36-9+deb12u7) ...
+Processing triggers for man-db (2.11.2-2) ...
+Processing triggers for mailcap (3.70+nmu1) ...
+Scanning processes...
+Scanning candidates...
+Scanning linux images...
+
+Running kernel seems to be up-to-date.
+
+Restarting services...
+ systemctl restart fwupd.service
+
+No containers need to be restarted.
+
+User sessions running outdated binaries:
+ nihilist @ session #2: cinnamon[1513], element-desktop[103821,103826,103827,103829], firefox-esr[1238857]
+ nihilist @ user manager service: systemd[1229]
+
+No VM guests are running outdated hypervisor (qemu) binaries on this host.
+
+
+during the package upgrade it can prompt you if you want to restart processes:
+ +Just press enter to allow the process to be restarted, and for the package upgrade to finish.
+First we can use the apt search pkgname command to look for available packages:
+
+nihilist@mainpc:~$ apt search firefox-esr
+Sorting... Done
+Full Text Search... Done
+
+firefox-esr/stable-security,now 115.12.0esr-1~deb12u1 amd64
+ Mozilla Firefox web browser - Extended Support Release (ESR)
+
+
+
+Here we see that the firefox package is available, so let's install it with the apt install pgkname command:
+
+nihilist@mainpc:~$ sudo apt install firefox-esr -y
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+firefox-esr is already the newest version (115.12.0esr-1~deb12u1).
+
+
+
+And then you can launch it:
+
+nihilist@mainpc:~$ which firefox
+/usr/bin/firefox
+nihilist@mainpc:~$ firefox
+
+
+
+and if you want to remove the package you can use the command apt purge firefox-esr
+Next, Bob can setup an open-source hypervisor on his linux laptop to properly segment his internet usage.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80, 443, 587 and 993 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+You cannot use DuckDNS for this one because you will need to add specific DNS records, most importantly the MX and DKIM records which are crucial for this tutorial. + Therefore go get an actual paid domain name, i got mine on Infomaniak :
+ +So let's add a subdomain to point at our mail server, to do so you need to go to the DNS Zone settings to add a few entries starting with the MX record:
+ +Here make sure you do not forget the trailing dot (.) at the end of the Target. Next you want to setup that mail subdomain aswell, and to do so you will do + add a CNAME record, that is if your mail server is the SAME as your main server (mail.domain.com == domain.com): +
+ +In the other case where your mailserver is NOT the same as the main server (mail.domain.com != domain.com) you will need an A record which is going to tell + Which IP to goto in order to reach that mail server: +
+ +In this case we're going to make it point to our DigitalOcean VPS as usual and once it's done we can simply ssh into it:
+EDIT: DIGITALOCEAN IS BLOCKING PORT 25 (SMTP) i have to redo this tutorial on another VPS.
+ + + + + + + +
+[ 192.168.100.1/24 ] [ /dev/pts/8 ] [~]
+→ ssh root@mail.void.yt
+The authenticity of host 'mail.void.yt (161.35.41.22)' can't be established.
+ECDSA key fingerprint is SHA256:AMDSjSs4f3CDvivmjFRjGDjmuz079vsS/A+9hdYi9a0.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added 'mail.void.yt,161.35.41.22' (ECDSA) to the list of known hosts.
+Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+
+ Once you've logged in via SSH, install the following dependencies:
+
+apt install nginx socat curl -y
+
+
+Once that's done, download the nginx config and edit it:
+
+wget https://blog.nihilism.network/servers/mail/mail.conf -O /etc/nginx/sites-available/mail.conf
+nano /etc/nginx/sites-available/mail.conf
+
+Make sure you put your own domain name in there:
+ +Next we're going to get our free TLS certificate by using acme.sh:
+
+wget -O - https://get.acme.sh | sh
+source ~/.bashrc
+
+systemctl stop nginx
+acme.sh --issue --standalone -d mail.void.yt -k 4096
+
+
+Once you're done, hit CTRL+S to save, and CTRL+X to exit nano.
+
+ln -s /etc/nginx/sites-available/mail.conf /etc/nginx/sites-enabled/mail.conf
+nginx -t
+systemctl start nginx
+
+
+Once you're here, nginx should tell you the configuration is successful, if not, make sure you followed the syntax of the original file. Next we're going to see that our configuration works by browsing to it:
+ +Here the 404 error is intended, you also see that the website redirects to https (tls 1.3). Now from here we'll simply need to use Luke Smith's script:
+ + +
+cd ~
+wget https://raw.githubusercontent.com/LukeSmithxyz/emailwiz/master/emailwiz.sh
+chmod +x emailwiz.sh
+sh emailwiz.sh
+
+
+When postfix asks you something, hit "internet site":
+ +Next postfix is going to ask you the FQDN, make sure you type the domain name, NOT the subdomain:
+ +Then hit enter, and wait for the script to install postfix and dovecot. + Luke intended this script to be run and to configure postfix and dovecot together. The main feature here is that once you create an user + added to the mail group, it's going make them able to recieve and send mail. + +
+ + +Once the script finished running, we need to go back to our DNS settings to configure DKIM:
+ +First things first we add the following TXT record:
+ + +If it doesnt work try out the DKIM option and hit save:
+ + +Next we're going to add DMARC:
+ + + +And lastly the @ TXT record:
+ + + +Once that's done, save your DNS settings, Create the user ON THE SERVER, and install thunderbird locally:
+
+useradd -m -G mail -s /bin/bash someone
+passwd someone
+
+
+
+Then run thunderbird with the user's credentials, make sure you use the manual config tab:
+ +And welcome to DigitalOcean, where you can't run mail servers lol. I did some research on DO's forums, and i found out that basically + they are blocking port 25 (SMTP) which, in general indicates that they do not allow any mail hosting on their VPS, so for once i am not going to recommend DO +
+ +TLDR i am incredibly suprised at how difficult it is to setup your own email server. In france, most ISPs simply do not allow port 25 apart from OVH. + Online, both DigitalOcean and Vultr block port 25 to avoid mail spam which makes me wonder where exactly do you even host your mail server. +If anyone knows a particular hosting service that ALLOWS port 25 and other mail-specific ports (993 587 etc) please let me know.
+ + + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to cover how to setup mailinabox on an ubuntu 18.04 VPS:
+yes i was lazy to add comments in this tutorial, it's very straightforward as you'll see:
+ +
+root@mail:~# curl -s https://mailinabox.email/setup.sh | sudo bash
+
+
+
+
+
+
+
+
+
+
+
+Out of the box you will need to fix things on your mailbox, so let's do them one by one:
+
+root@mail:~# vim /etc/ssh/sshd_config
+root@mail:~# cat /etc/ssh/sshd_config | grep 'PasswordAuthentication'
+PasswordAuthentication no
+root@mail:~# systemctl restart sshd
+root@mail:~# reboot now
+
+
+
+
+
+
+
+
+
+
+
+
+Now that's done, most of the DNS related issues should be dealt with (give it a few hours once you made the modifications because DNS can be slow to update records) After a few hours we check again:
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we will setup a local mail server (to be able to keep control of our data), we will make it available publicly (so that it can communicate with other mail servers), but we'll make it go through TOR to guarantee Anonymity.
+Note that this setup involves self-hosting, which I do not recommend if the service is supposed to be sensitive. If this is an issue for you, just install it on a non-KYC remote VPS and skip the port-forwarding part if you don't want to host it at your house.
+ + +First let's make it use an external VPS as a VPN server (make sure that you get it from a non-KYC cloud provider, where you create your account with an email that you also registered through TOR.), see this tutorial i made for the full reasoning.
+
+root@mail:~# apt update -y ; apt upgrade -y ; apt autoremove -y ; apt install vim tor obfs4proxy -y
+
+
+
+Then we need to have the systemd services:
+
+root@mail:~# vim /etc/systemd/system/tortables.service
+root@mail:~# vim /etc/systemd/system/torwatch.service
+root@mail:~# vim /etc/systemd/system/vpn.service
+root@mail:~# vim /etc/systemd/system/sshtunnel.service
+
+
+The tortables systemd service will run iptables to make sure our server only communicates locally:
+
+root@mail:~# cat /etc/systemd/system/tortables.service
+[Unit]
+Description=Tor IP Tables
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/root/iptables_vpn_tor.sh
+
+[Install]
+WantedBy=multi-user.target
+
+root@mail:~# vim iptables_vpn_tor.sh
+root@mail:~# cat iptables_vpn_tor.sh
+#!/bin/bash
+
+
+#default private networks
+sudo iptables -F
+
+sudo iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
+sudo iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
+sudo iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
+sudo iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT
+
+sudo iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
+sudo iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
+sudo iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
+sudo iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT
+
+#ip range of tor VPN:
+
+sudo iptables -A OUTPUT -o tun0 -j ACCEPT
+sudo iptables -A INPUT -i tun0 -j ACCEPT
+
+sudo iptables -A INPUT -j DROP
+sudo iptables -A OUTPUT -j DROP
+
+
+The torwatch systemd service will make sure the tor connection is still up:
+
+root@mail:~# cat /etc/systemd/system/torwatch.service
+[Unit]
+Description=torwatcher
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/root/monitor_tor.sh
+ExecStop=kill -9 $(pidof /root/monitor_tor.sh)
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+root@mail:~# vim monitor_tor.sh
+root@mail:~# cat monitor_tor.sh
+#!/bin/bash
+
+counter=0
+while true; do
+ echo TESTING
+ timeout 10 ping -c1 10.8.0.1 &>/dev/null
+ if [ $? -eq 0 ]; then
+ echo OK;
+ sleep 3
+ else
+ if [ $counter -gt 0 ];
+ then
+ echo 'RESTARTING TOR...'
+ systemctl restart tor@default
+ counter=0
+ sleep 10
+ else
+ counter=$((counter+1))
+ echo "FAIL ( $counter / 2)";
+ sleep 3
+ fi
+ fi
+done
+
+
+But as you can see it checks it by pinging 10.8.0.1, the OpenVPN server IP, meaning we need the vpn systemd service:
+
+root@mail:~# cat /etc/systemd/system/vpn.service
+[Unit]
+Description=VPN
+After=network-online.target
+Wants=network-online.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/openvpn /root/mail.ovpn
+ExecStop=kill -9 $(pidof openvpn)
+Restart=always
+
+root@mail:~# apt install openvpn -y
+
+
+Then we get the .ovpn file and modify it (if you want to see how to make a openvpn server, see it here) the only requirement here is that you will need to setup the openvpn server to work on TCP, and not UDP as it is set by default. Why? because it will need to go through tor:
+
+root@mail:~# vim mail.ovpn
+root@mail:~# cat mail.ovpn
+client
+proto tcp-client
+remote x.x.x.x 1194
+dev tun
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+verify-x509-name server_6SQ8FnOk0eJa3n0F name
+auth SHA256
+auth-nocache
+cipher AES-128-GCM
+tls-client
+tls-version-min 1.2
+tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
+ignore-unknown-option block-outside-dns
+setenv opt block-outside-dns # Prevent Windows 10 DNS leak
+verb 3
+
+### TOR SETTINGS ###
+socks-proxy 127.0.0.1 9050
+socks-proxy-retry
+up-delay
+route 10.0.0.195 255.255.255.255 net_gateway
+###################
+
+
+This will essentially force the openvpn connection to go through TOR, then we also edit our /etc/tor/torrc file, note that i intentionally route the traffic through a local bridge node, if you want to know how to set it up, please check this tutorial:
+
+root@mail-nihilism:~# cat /etc/tor/torrc
+UseBridges 1
+ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
+Bridge obfs4 10.0.1.195:8042 6E9324EC8317DE331DE1EA7969BD868136785748 cert=tyhAPcDxgIcuqcUXXxtkYVPKrWMH7bYf7RJcLa8d+oGbQjoYSK10g4Pz7a/dbJkMXLVvAA iat-mode=0
+DataDirectory /var/lib/tor
+TransPort 9040
+SocksPort 9050
+DNSPort 53
+User debian-tor
+
+root@mail:~# systemctl stop tor
+root@mail:~# tor
+May 15 12:00:17.068 [notice] Tor 0.3.5.16 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1n, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
+May 15 12:00:17.068 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
+May 15 12:00:17.068 [notice] Read configuration file "/etc/tor/torrc".
+May 15 12:00:17.076 [notice] Opening Socks listener on 127.0.0.1:9050
+May 15 12:00:17.076 [notice] Opened Socks listener on 127.0.0.1:9050
+May 15 12:00:17.076 [notice] Opening DNS listener on 127.0.0.1:53
+May 15 12:00:17.076 [notice] Opened DNS listener on 127.0.0.1:53
+May 15 12:00:17.076 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
+May 15 12:00:17.076 [notice] Opened Transparent pf/netfilter listener on 127.0.0.1:9040
+May 15 12:00:17.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
+May 15 12:00:17.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
+May 15 12:00:17.000 [notice] Bootstrapped 0%: Starting
+May 15 12:00:18.000 [notice] Starting with guard context "bridges"
+May 15 12:00:18.000 [notice] new bridge descriptor 'voidyt' (cached): $2E73653A148DFFF3CA28D53F0C366936FE554335~voidyt at 10.0.0.195
+May 15 12:00:18.000 [notice] Delaying directory fetches: Pluggable transport proxies still configuring
+May 15 12:00:19.000 [notice] Bootstrapped 5%: Connecting to directory server
+May 15 12:00:19.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
+May 15 12:00:19.000 [notice] Bootstrapped 80%: Connecting to the Tor network
+May 15 12:00:19.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
+May 15 12:00:19.000 [notice] Bootstrapped 100%: Done
+
+root@mail-nihilism:~# systemctl restart tor@default.service
+root@mail-nihilism:~# systemctl status tor@default.service
+● tor@default.service - Anonymizing overlay network for TCP
+ Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; vendor preset: enabled)
+ Active: active (running) since Thu 2022-12-08 12:14:21 CST; 29s ago
+ Process: 3515 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS)
+ Process: 3516 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
+ Main PID: 3517 (tor)
+ Tasks: 8 (limit: 4673)
+ Memory: 25.7M
+ CPU: 1.180s
+ CGroup: /system.slice/system-tor.slice/tor@default.service
+ ├─3517 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
+ └─3518 /usr/bin/obfs4proxy
+
+Dec 08 12:14:22 mail-nihilism Tor[3517]: Bootstrapped 1% (conn_pt): Connecting to pluggable transport
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Opening Control listener on /run/tor/control
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Opened Control listener connection (ready) on /run/tor/control
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 10% (conn_done): Connected to a relay
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 14% (handshake): Handshaking with a relay
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 15% (handshake_done): Handshake with a relay done
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 100% (done): Done
+
+
+Now that tor has been setup to use the local TOR relay, we apply iptable rules:
+
+root@mail:~# ls
+iptables_vpn_tor.sh mail.ovpn monitor_tor.sh
+root@mail:~# chmod +x *.sh
+
+root@mail:~# systemctl daemon-reload
+root@mail-nihilism:~# systemctl enable --now tor@default.service tortables
+Synchronizing state of tor.service with SysV service script with /lib/systemd/systemd-sysv-install.
+Executing: /lib/systemd/systemd-sysv-install enable tor
+Created symlink /etc/systemd/system/multi-user.target.wants/tortables.service → /etc/systemd/system/tortables.service.
+root@mail:~# iptables -L
+
+Chain INPUT (policy ACCEPT)
+target prot opt source destination
+ACCEPT all -- anywhere anywhere source IP range 192.168.0.0-192.168.255.255
+ACCEPT all -- anywhere anywhere source IP range 172.16.0.0-172.31.255.255
+ACCEPT all -- anywhere anywhere source IP range 10.0.0.0-10.255.255.255
+ACCEPT all -- anywhere anywhere source IP range 127.0.0.0-127.255.255.255
+ACCEPT all -- anywhere anywhere
+DROP all -- anywhere anywhere
+
+Chain FORWARD (policy ACCEPT)
+target prot opt source destination
+
+Chain OUTPUT (policy ACCEPT)
+target prot opt source destination
+ACCEPT all -- anywhere anywhere destination IP range 192.168.0.0-192.168.255.255
+ACCEPT all -- anywhere anywhere destination IP range 172.16.0.0-172.31.255.255
+ACCEPT all -- anywhere anywhere destination IP range 10.0.0.0-10.255.255.255
+ACCEPT all -- anywhere anywhere destination IP range 127.0.0.0-127.255.255.255
+ACCEPT all -- anywhere anywhere
+DROP all -- anywhere anywhere
+
+
+And from there we can connect to the VPN server:
+
+root@mail:~# systemctl enable --now vpn torwatch
+Created symlink /etc/systemd/system/multi-user.target.wants/torwatch.service → /etc/systemd/system/torwatch.service.
+root@mail:~# systemctl status vpn torwatch
+
+root@mail:~# systemctl status vpn torwatch
+● vpn.service - VPN
+ Loaded: loaded (/etc/systemd/system/vpn.service; static; vendor preset: enabled)
+ Active: active (running) since Sun 2022-05-15 12:03:26 CEST; 18s ago
+ Main PID: 3144 (openvpn)
+ Tasks: 1 (limit: 2359)
+ Memory: 1.5M
+ CGroup: /system.slice/vpn.service
+ └─3144 /usr/sbin/openvpn /root/mail.ovpn
+
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 ROUTE_GATEWAY 10.0.0.1/255.255.0.0 IFACE=ens18 HWADDR=ee:b5:c9:3a:c3:fe
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 TUN/TAP device tun0 opened
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 TUN/TAP TX queue length set to 100
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip link set dev tun0 up mtu 1500
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 127.0.0.1/32 via 10.0.0.1
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 10.0.0.195/32 dev ens18
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 Initialization Sequence Completed
+
+● torwatch.service - torwatcher
+ Loaded: loaded (/etc/systemd/system/torwatch.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sun 2022-05-15 12:03:26 CEST; 18s ago
+ Main PID: 3145 (monitor_tor.sh)
+ Tasks: 2 (limit: 2359)
+ Memory: 1.1M
+ CGroup: /system.slice/torwatch.service
+ ├─3145 /bin/bash /root/monitor_tor.sh
+ └─3172 sleep 3
+
+May 15 12:03:26 mail systemd[1]: Started torwatcher.
+May 15 12:03:26 mail monitor_tor.sh[3145]: TESTING
+May 15 12:03:36 mail monitor_tor.sh[3145]: FAIL ( 1 / 2)
+May 15 12:03:39 mail monitor_tor.sh[3145]: TESTING
+May 15 12:03:39 mail monitor_tor.sh[3145]: OK
+May 15 12:03:42 mail monitor_tor.sh[3145]: TESTING
+May 15 12:03:42 mail monitor_tor.sh[3145]: OK
+
+
+And now our mail server uses the remote server as a VPN server, but only through TOR, meaning even if the VPS provider were to check the server logs, or the networking traffic, he would see that it all came from tor exit nodes, never from public ips.
+Then we setup the mail itself on the local mail VM which is now connected to the VPN:
+
+root@mail:~# apt update -y ; apt upgrade -y ; apt install vim tmux curl certbot python3-certbot-nginx nginx -y
+
+
+Then we make sure that the ports are forwarded through the vpn connection:
+
+#on the VPN server we forward the ports to the local VM via iptables:
+
+root@mail-gw:~# cat iptables_forwardrules.sh
+#!/bin/bash
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 25 -j DNAT --to-destination 10.8.0.2:25
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 80 -j DNAT --to-destination 10.8.0.2:80
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 443 -j DNAT --to-destination 10.8.0.2:443
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 143 -j DNAT --to-destination 10.8.0.2:143
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 465 -j DNAT --to-destination 10.8.0.2:465
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 587 -j DNAT --to-destination 10.8.0.2:587
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 993 -j DNAT --to-destination 10.8.0.2:993
+
+root@mail:~# chmod +x iptables_forwardrules.sh
+root@mail:~# ./iptables_forwardrules.sh
+
+#from the VM we allow the packets to be forwarded to us:
+
+root@mail-nihilism:~# cat iptables_forwardrules.sh
+#!/bin/bash
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 25 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 143 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 465 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 587 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 993 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 443 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 80 -j ACCEPT
+
+root@mail-nihilism:~# chmod +x iptables_forwardrules.sh
+root@mail-nihilism:~# ./iptables_forwardrules.sh
+
+
+Dont forget to allow ip forwarding on the vpn server:
+
+root@mail-gw:~# sysctl net.ipv4.conf.ens3.forwarding=1
+net.ipv4.conf.ens3.forwarding = 1
+root@mail-gw:~# sysctl net.ipv6.conf.ens3.forwarding=1
+net.ipv6.conf.ens3.forwarding = 1
+root@mail-gw:~# echo " net.ipv6.conf.ens3.forwarding=1" >>/etc/sysctl.conf
+root@mail-gw:~# echo " net.ipv4.conf.ens3.forwarding=1" >>/etc/sysctl.conf
+root@mail-gw:~# sysctl -p
+net.ipv6.conf.ens3.forwarding = 1
+net.ipv4.conf.ens3.forwarding = 1
+
+#for arch users, install libvirt:
+sudo pacman -S libvirt
+vim /etc/sysctl.d/30-ipforward.conf
+cat /etc/sysctl.d/30-ipforward.conf
+net.ipv4.ip_forward=1
+net.ipv6.conf.default.forwarding=1
+net.ipv6.conf.all.forwarding=1
+
+[ nihilism ] [ /dev/pts/1 ] [~]
+→ sysctl net.ipv4.ip_forward=1
+net.ipv4.ip_forward = 1
+
+
+Then you make sure that your DNS records are set properly:
+ +example of the record on a bind9 server:
+
+root@mail-gw:~# cat /var/cache/bind/db.nihilism.network
+
+mail.nihilism.network. IN A 23.137.250.140
+
+
+
+Then wait for it to propagate:
+
+root@mail-nihilism:~# curl ifconfig.me
+23.137.250.140root@mail-nihilism:~#
+root@mail-nihilism:~# curl ifconfig.me ; echo
+23.137.250.140
+root@mail-nihilism:~# ping mail.nihilism.network
+PING mail.nihilism.network (23.137.250.140) 56(84) bytes of data.
+64 bytes from 23.137.250.140 (23.137.250.140): icmp_seq=1 ttl=64 time=160 ms
+
+--- mail.nihilism.network ping statistics ---
+2 packets transmitted, 1 received, 50% packet loss, time 1001ms
+rtt min/avg/max/mdev = 160.031/160.031/160.031/0.000 ms
+root@mail-nihilism:~# ping nihilism.network
+PING nihilism.network (23.137.250.141) 56(84) bytes of data.
+64 bytes from 23.137.250.141 (23.137.250.141): icmp_seq=1 ttl=63 time=204 ms
+
+
+
+Once that's done we prepare nginx on the local VM still:
+
+root@mail-nihilism:~# rm /etc/nginx/sites-*/default
+
+root@mail-nihilism:~# cat /etc/nginx/sites-available/mail.nihilism.network.conf
+server {
+ listen 80;
+ listen [::]:80;
+ root /var/www/mail;
+
+ index index.html;
+
+ server_name mail.nihilism.network;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+
+root@mail-nihilism:~# ln -s /etc/nginx/sites-available/mail.nihilism.network.conf /etc/nginx/sites-enabled/
+
+root@mail-nihilism:~# systemctl restart nginx
+root@mail-nihilism:~# systemctl status nginx
+● nginx.service - A high performance web server and a reverse proxy server
+ Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
+ Active: active (running) since Thu 2022-12-08 13:18:14 CST; 19s ago
+ Docs: man:nginx(8)
+ Process: 5903 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
+ Process: 5904 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
+ Main PID: 5905 (nginx)
+ Tasks: 3 (limit: 4673)
+ Memory: 3.2M
+ CPU: 49ms
+ CGroup: /system.slice/nginx.service
+ ├─5905 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
+ ├─5906 nginx: worker process
+ └─5907 nginx: worker process
+
+Dec 08 13:18:14 mail-nihilism systemd[1]: Starting A high performance web server and a reverse proxy server...
+Dec 08 13:18:14 mail-nihilism systemd[1]: Started A high performance web server and a reverse proxy server.
+
+root@mail-nihilism:~# mkdir -p /var/www/mail/
+root@mail-nihilism:~# echo 'Nihilism Network' > /var/www/mail/index.html
+root@mail-nihilism:~# curl 127.0.0.1
+Nihilism Network
+root@mail-nihilism:~# ip a | grep inet
+ inet 127.0.0.1/8 scope host lo
+ inet6 ::1/128 scope host
+ inet 10.0.0.203/16 brd 10.0.255.255 scope global dynamic ens18
+ inet6 fe80::e4e7:41ff:fe70:e9a6/64 scope link
+ inet 10.8.0.2/24 scope global tun0
+ inet6 fe80::18b1:efc9:1ae0:d93f/64 scope link stable-privacy
+
+#from the vpn server:
+root@mail-gw:~# curl 10.8.0.2
+Nihilism Network
+
+
+Now that's done we use certbot to get certificate from the local mail server:
+ +
+root@mail-nihilism:~# certbot --nginx
+Saving debug log to /var/log/letsencrypt/letsencrypt.log
+Plugins selected: Authenticator nginx, Installer nginx
+Enter email address (used for urgent renewal and security notices)
+ (Enter 'c' to cancel): nihilist@nihilism.network
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Please read the Terms of Service at
+https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
+agree in order to register with the ACME server. Do you agree?
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+(Y)es/(N)o: Y
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Would you be willing, once your first certificate is successfully issued, to
+share your email address with the Electronic Frontier Foundation, a founding
+partner of the Let's Encrypt project and the non-profit organization that
+develops Certbot? We'd like to send you email about our work encrypting the web,
+EFF news, campaigns, and ways to support digital freedom.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+(Y)es/(N)o: N
+Account registered.
+
+Which names would you like to activate HTTPS for?
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+1: mail.nihilism.network
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Select the appropriate numbers separated by commas and/or spaces, or leave input
+blank to select all options shown (Enter 'c' to cancel):
+Requesting a certificate for mail.nihilism.network
+Performing the following challenges:
+http-01 challenge for mail.nihilism.network
+Waiting for verification...
+Cleaning up challenges
+Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mail.nihilism.network.conf
+Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/mail.nihilism.network.conf
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Congratulations! You have successfully enabled https://mail.nihilism.network
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+IMPORTANT NOTES:
+ - Congratulations! Your certificate and chain have been saved at:
+ /etc/letsencrypt/live/mail.nihilism.network/fullchain.pem
+ Your key file has been saved at:
+ /etc/letsencrypt/live/mail.nihilism.network/privkey.pem
+ Your certificate will expire on 2023-03-08. To obtain a new or
+ tweaked version of this certificate in the future, simply run
+ certbot again with the "certonly" option. To non-interactively
+ renew *all* of your certificates, run "certbot renew"
+ - If you like Certbot, please consider supporting our work by:
+
+ Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
+ Donating to EFF: https://eff.org/donate-le
+
+root@mail-nihilism:~# cat /etc/nginx/sites-available/mail.nihilism.network.conf
+server {
+ root /var/www/mail;
+
+ index index.html;
+
+ server_name mail.nihilism.network;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ listen [::]:443 ssl ipv6only=on; # managed by Certbot
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/mail.nihilism.network/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/mail.nihilism.network/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+server {
+ if ($host = mail.nihilism.network) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+ listen [::]:80;
+
+ server_name mail.nihilism.network;
+ return 404; # managed by Certbot
+
+
+
+And that's it! Now we can proceed with creating the mail server locally:
+
+root@mail-nihilism:~# wget https://raw.githubusercontent.com/LukeSmithxyz/emailwiz/master/emailwiz.sh -O emailwiz.sh
+--2022-12-08 13:27:42-- https://raw.githubusercontent.com/LukeSmithxyz/emailwiz/master/emailwiz.sh
+Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
+Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 13320 (13K) [text/plain]
+Saving to: ‘emailwiz.sh’
+
+emailwiz.sh 100%[==========================================================================================================================================>] 13.01K --.-KB/s in 0.06s
+
+2022-12-08 13:27:44 (225 KB/s) - ‘emailwiz.sh’ saved [13320/13320]
+
+root@mail-nihilism:~# chmod +x emailwiz.sh
+root@mail-nihilism:~# sh emailwiz.sh
+
+
+
+(putting the TLD instead of mail.nihilism.network here is intentional)
+ +if it complains with the error "Please point your domain (nihilism.network) to your server's ipv4 address, do the following:
+
+#add it into your /etc/hosts
+
+vim /etc/hosts
+cat /etc/hosts | grep nihilism.network
+23.137.250.140 nihilism.network
+
+#add it into your DNS zone too (ex in bind9 below):
+
+
+
+Then we change edit the DNS records as described above:
+ + + + +Here's how you can set it up on a bind9 DNS server:
+
+$TTL 604800
+@ IN SOA ns1.nihilism.network. nihilist.nihilism.network. (
+ 33 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+;
+; name servers - NS records
+ 3600 IN NS ns1.nihilism.network.
+ 3600 IN NS ns2.nihilism.network.
+ 3600 IN A 23.137.250.141
+ 3600 IN AAAA fe80::216:3eff:fe6c:c335
+
+; mail-gw services
+@ IN MX 0 mail.nihilism.network.
+nihilism.network. IN TXT "v=spf1 mx a:mail.nihilism.network -all"
+mail.nihilism.network. IN A 23.137.250.140
+mail._domainkey.nihilism.network. IN TXT (
+ "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu94n6zyhzWLZZrgvRq5HrSAh29TRi"
+ "jw6AXzFoJeahRPoAnJ3njOfOgbCzxUsVNO1L2+NX2P5iZMkdiVtB7rE71wUutegAb0wCDY5k5RNLUlAThxdlou0ro37H"
+ "SWK5GRAcEFKm1iab63uTtAXtIvZDPLYMxZMIUq4osxYEgAXY4BCzFBCyfohvr+eGd/kPbfOC9f7jrBnFiOVllnB+yPQKe"
+ "XwPeVlPrw68muFiVg4vWfMMzayINQgC12d73hKVZIwD8T6V9Kznv0dPi929CDWns2alU2dZypVSHxWm3BZyb4SCobdrFNW"
+ "xfzb1dz7n6/ms5u0EVAKU9ufGOgS4A70oQIDAQAB")
+_dmarc.nihilism.network. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@nihilism.network; fo=1"
+
+[...]
+
+Please note that on average the DNS records need 1-2 days to propagate fully throughout the world. So be patient once you've made the changes. Also note the DKIM record is on multiple lines, that's because there is a length limit that bind9 has for some reason, so above is how i managed to get around that restriction.
+Then we add our first user:
+
+root@mail-nihilism:~# useradd -G mail -m nihilist
+useradd: user 'nihilist' already exists
+root@mail-nihilism:~# id nihilist
+uid=1000(nihilist) gid=1000(nihilist) groups=1000(nihilist),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
+root@mail-nihilism:~# passwd nihilist
+New password:
+Retype new password:
+passwd: password updated successfully
+
+root@mail:~# apt install nmap -y
+
+root@mail-nihilism:~# nmap 127.0.0.1
+Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-08 13:49 CST
+Nmap scan report for localhost (127.0.0.1)
+Host is up (0.000026s latency).
+Not shown: 989 closed ports
+PORT STATE SERVICE
+22/tcp open ssh
+25/tcp open smtp
+80/tcp open http
+143/tcp open imap
+443/tcp open https
+465/tcp open smtps
+587/tcp open submission
+783/tcp open spamassassin
+993/tcp open imaps
+9040/tcp open tor-trans
+9050/tcp open tor-socks
+
+Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
+root@mail-nihilism:~# nmap 10.0.0.202
+Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-08 13:49 CST
+Nmap scan report for 10.0.0.202
+Host is up (0.000097s latency).
+Not shown: 992 closed ports
+PORT STATE SERVICE
+22/tcp open ssh
+25/tcp open smtp
+80/tcp open http
+143/tcp open imap
+443/tcp open https
+465/tcp open smtps
+587/tcp open submission
+993/tcp open imaps
+MAC Address: EE:B5:C9:3A:C3:FE (Unknown)
+
+
+The ports we need are ready to be used locally, so let's login:
+
+[ 10.66.66.2/32 ] [ /dev/pts/38 ] [~]
+→ sudo pacman -S thunderbird
+
+[ 10.66.66.2/32 ] [ /dev/pts/38 ] [~]
+→ thunderbird
+
+
+Then test it on thunderbird:
+ + +And that's it! We managed to connect! now we test if the mail works:
+ +(You probably guessed it, i accessed protonmail via tor to make sure i don't leak any personal info) And sending a mail to the VPS gets properly routed through the openvpn connection which is being sent through tor.
+ +If you want to use PGP encryption, you can manually do it in your terminal, please see this tutorial to know how to do it.
+However there's a way to do it in thunderbird:
+ +If you don't have one, you can click create a new OpenPGP key, but i have one so i'll just import it:
+
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --output ~/.nihilist.privkey --export-secret-keys nihilist@nihilism.network
+
+
+
+
+
+So from here you can copy your public key and paste it wherever you want, for example on your website, so that the users who want to message you will be able to encrypt their messages. Also add the following settings in thunderbird to automatically encrypt messages you wish to send out:
+ +Now let's test it:
+ +As you can see, by default you don't have the destination's PGP key, so for this first mail we won't encrypt it and see how it looks like on the receiver's end:
+ + +Now we see that the receiver got the unencrypted message, with our PGP signature as an attachement. The recipient can now save it, and use it to encrypt his messages with us.
+
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --gen-key
+gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
+
+GnuPG needs to construct a user ID to identify your key.
+
+Real name: nothing
+Email address: nothing@void.yt
+You selected this USER-ID:
+ "nothing <nothing@void.yt>"
+
+Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+gpg: revocation certificate stored as '/home/nothing/.gnupg/openpgp-revocs.d/95FC37D748FA891A9C33B821CF39FCDC8049F9FE.rev'
+public and secret key created and signed.
+
+pub rsa3072 2022-12-10 [SC] [expires: 2024-12-09]
+ 95FC37D748FA891A9C33B821CF39FCDC8049F9FE
+uid nothing <nothing@void.yt>
+sub rsa3072 2022-12-10 [E] [expires: 2024-12-09]
+
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --output ~/.nothing.privkey --export-secret-keys nothing@void.yt
+
+
+Now the user nothing can use his PGP key and import it into thunderbird aswell:
+ + + +Same as before, now the user nothing also has E2E encryption setup, so let's now send a reply to nihilist but this time encrypted:
+ +And that's it! We managed to setup a mail service, whose origin is unknown from the cloud provider's perspective, and who's able to send and recieve E2EE mails to prevent any unauthorized third-party from seeing the mails content.
+ + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
Explaining why I have a blog in the first place.
+At first, this blog started out as a hacking writeup blog, to show everyone how i hacked half of HackTheBox back in 2022, it was my way of showing that i understood how systems worked from the adversarial point of view. Then once i learned the pentesting methodology i realized that i was doing the same thing over and over again with different technologies, got bored with it, and decided to move on to Sysadmin topics.
+At that point, i dabbled heavily into the self-hosting community, running a servers at home, running every possible service from home, open source only, remaining the only one in control of my data, etc.
+But something was missing. I realized that Decentralisation and Privacy were not enough when reading the news, i realized that the very same governments that were supposed to be at the head of democracies were starting to turn into dictatorships. When that is the case, you have no choice but to fit into their view of a perfect law abiding citizen because any reason is a good reason to put you behind bars.
+That's why i decided to move on to Anonymity topics specifically, because that is the key to remain in control of your freedom, is to make sure your sensitive actions remain secret, while portraying yourself as the perfect citizen. Wether you see this as right or wrong, it does not matter to me.
+What truly matters here, is exploring how you can use technology to protect your abilities, and enhance them.
+ +
+"If you pull that trigger, right, you pull that trigger for a fucking honorable reason. Like an honorable man, not like some fucking civilian that does not understand the wicked way of our world, mate" -Alfie Solomons, Peaky Blinders
+
+
+First of all let's cover the reasons that I see justify the vast majority of actions done out there in our current world:
+
+Limited Reasons:
+-Self-preservation
+-Pleasure seeking
+-Acting
+
+
+The most limited reason behind one's action is that of self-preservation, nothing wrong with it, but every other animal out there is already doing it, you're supposed to be able to be more than just any other creature out there.
+Seeking pleasure (ex: Playing video games, watching movies, behavioral addiction or substance abuse) is alright, but at some point you need to grow up and to realize that it's an immature waste of time.
+Willingly getting things done is a great, until everything you do revolves around your limited sense of self, and identity.
+ +So, here are the reasons that i consider honorable, which all stem out of a broader sense of self (daily practiced as part of my morning routine):
+
+Honorable reasons:
+-Purifying
+-Percieving
+-Transcending
+
+
+I am motivated by my will to purify, refine and enhance my abilities using tools and technology, and I want anyone that also shares that same drive, to be able to explore the full scope of what they can do aswell.
+I am also motivated by my will to clear out any misconceptions and help everyone percieve technology for what it truly is, regardless of any morality or any political view. My blog aims to bring to light that any usage of any technology is to be justified with a clear reason, to be described, and showcased in great detail.
+Yes, anyone that tries to mix politics and ideologies into technology, is merely trying to preserve what they are currently identified with. Such people cannot pretend to have an objective view when talking about anything.
+Transcending limitations is what i consider the most honorable way behind any action. Ultimately, this blog aims to showcase that Technology, when used correctly, can allow one to transcend any limitation. Be it to transcend surveillance, centralisation, deanonymization, lack of security. Any ability that we have as Humans, such as Privacy, Decentralisation, Anonymity, Security, Plausible Deniability can be protected and enhanced by using the correct Technology.
+TLDR: You want to know the most effective technologies that can enhance your life ? It's right there. Just read it up, understand what they are, understand why they are used, understand how they are used, and use them yourself.
+ + + +We, humans are able to do things, and no matter what we can do, we are able to enhance what we can do using tools. We can run that far, but with a car we can run farther, we can calculate fast, but with a computer we can calculate much faster.
+You wished you could do more in the world right now ? Well, maybe you should have turned to technology, a long time ago.
+People are not reliable, as their values, intentions, identities, habits change over time. Technology that you can audit (open source technology) is the only thing you should rely on.
+You should not pay someone, nor put your trust into anyone to enhance your ability to do anything. Understand your needs, understand your abilities, understand your limits and then Look for tools, study those tools, and learn to use those tools to enhance what you can do in the world.
+Yes, noone can be trusted, do not expect anyone to uphold any promise. Putting your trust into politicians will always remain a meaningless circus of broken promises, they are only interested in keeping their current power.
+Everyone's greedy, and the vast majority are only pretending to care for you, they're only looking after their own personal interests.
+Look at what people are doing, but look even closer at the reason behind their actions.
+ +TLDR: Technology dictates the way of our world. So, that's what I focus on. I will continue to share it with everyone, until there is nothing left to cover.
+ ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ https://docs.joinmastodon.org/admin/install/
+
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ adduser --disabled-login mastodon
+Adding user `mastodon' ...
+Adding new group `mastodon' (1000) ...
+Adding new user `mastodon' (1000) with group `mastodon (1000)' ...
+Creating home directory `/home/mastodon' ...
+Copying files from `/etc/skel' ...
+Changing the user information for mastodon
+Enter the new value, or press ENTER for the default
+ Full Name []:
+ Room Number []:
+ Work Phone []:
+ Home Phone []:
+ Other []:
+Is the information correct? [Y/n]
+Adding new user `mastodon' to supplemental / extra groups `users' ...
+Adding user `mastodon' to group `users' ...
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ su - mastodon
+This account is currently not available.
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ su - mastodon
+This account is currently not available.
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u mastodon
+usage: sudo -h | -K | -k | -V
+usage: sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
+usage: sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command [arg ...]]
+usage: sudo [-ABbEHkNnPS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i | -s] [command [arg ...]]
+usage: sudo -e [-ABkNnS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u mastodon bash
+mastodon@Belladona:/root$ pwd
+/root
+mastodon@Belladona:/root$ exit
+exit
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ mkdir /srv/mastodon
+mkdir: cannot create directory ‘/srv/mastodon’: File exists
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u mastodon bash
+mastodon@Belladona:/root$ id
+uid=1000(mastodon) gid=1000(mastodon) groups=1000(mastodon),100(users)
+mastodon@Belladona:/root$ ls
+ls: cannot open directory '.': Permission denied
+mastodon@Belladona:/root$ exit
+exit
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ mkdir /home/mastodon
+mkdir: cannot create directory ‘/home/mastodon’: File exists
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u mastodon bash
+mastodon@Belladona:/root$ cd /home/mastodon
+mastodon@Belladona:~$ ls
+mastodon@Belladona:~$ ls -lash
+total 24K
+4.0K drwx------ 2 mastodon mastodon 4.0K Mar 23 15:24 .
+4.0K drwxr-xr-x 3 root root 4.0K Mar 23 15:22 ..
+4.0K -rw------- 1 mastodon mastodon 20 Mar 23 15:24 .bash_history
+4.0K -rw-r--r-- 1 mastodon mastodon 220 Mar 23 15:22 .bash_logout
+4.0K -rw-r--r-- 1 mastodon mastodon 3.5K Mar 23 15:22 .bashrc
+ 0 -rw-r--r-- 1 mastodon mastodon 0 Mar 23 15:22 .cloud-locale-test.skip
+4.0K -rw-r--r-- 1 mastodon mastodon 807 Mar 23 15:22 .profile
+mastodon@Belladona:~$ git clone https://github.com/rbenv/rbenv.git ~/.rbenv
+Cloning into '/home/mastodon/.rbenv'...
+remote: Enumerating objects: 3270, done.
+remote: Counting objects: 100% (420/420), done.
+remote: Compressing objects: 100% (218/218), done.
+remote: Total 3270 (delta 234), reused 327 (delta 188), pack-reused 2850
+Receiving objects: 100% (3270/3270), 662.28 KiB | 5.56 MiB/s, done.
+Resolving deltas: 100% (2024/2024), done.
+mastodon@Belladona:~$ echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
+mastodon@Belladona:~$ echo 'eval "$(rbenv init -)"' >> ~/.bashrc
+mastodon@Belladona:~$ exec bash
+mastodon@Belladona:~$ git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
+Cloning into '/home/mastodon/.rbenv/plugins/ruby-build'...
+remote: Enumerating objects: 15923, done.
+remote: Counting objects: 100% (4057/4057), done.
+remote: Compressing objects: 100% (363/363), done.
+remote: Total 15923 (delta 3854), reused 3819 (delta 3682), pack-reused 11866
+Receiving objects: 100% (15923/15923), 3.11 MiB | 15.55 MiB/s, done.
+Resolving deltas: 100% (11360/11360), done.
+mastodon@Belladona:~$ RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install 3.2.3
+==> Downloading ruby-3.2.3.tar.gz...
+-> curl -q -fL -o ruby-3.2.3.tar.gz https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.3.tar.gz
+ % Total % Received % Xferd Average Speed Time Time Time Current
+ Dload Upload Total Spent Left Speed
+100 19.6M 100 19.6M 0 0 18.7M 0 0:00:01 0:00:01 --:--:-- 18.7M
+==> Installing ruby-3.2.3...
+-> ./configure "--prefix=$HOME/.rbenv/versions/3.2.3" --enable-shared --with-ext=openssl,psych,+ --with-jemalloc
+-> make -j 12
+-> make install
+==> Installed ruby-3.2.3 to /home/mastodon/.rbenv/versions/3.2.3
+
+NOTE: to activate this Ruby version as the new default, run: rbenv global 3.2.3
+mastodon@Belladona:~$ rbenv global 3.2.3
+mastodon@Belladona:~$ gem install bundler --no-document
+Fetching bundler-2.5.7.gem
+Successfully installed bundler-2.5.7
+1 gem installed
+
+A new release of RubyGems is available: 3.4.19 → 3.5.7!
+Run `gem update --system 3.5.7` to update your installation.
+
+mastodon@Belladona:~$ exit
+exit
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u postgres psql
+psql (16.2 (Debian 16.2-1.pgdg120+2))
+Type "help" for help.
+
+postgres=# CREATE USER mastodon CREATEDB;
+CREATE ROLE
+postgres=# \q
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ su - mastodon
+This account is currently not available.
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u mastodon bash
+mastodon@Belladona:/root$ cd /home/mastodon
+mastodon@Belladona:~$ git clone https://github.com/mastodon/mastodon.git live && cd live
+Cloning into 'live'...
+remote: Enumerating objects: 190880, done.
+remote: Counting objects: 100% (17/17), done.
+remote: Compressing objects: 100% (17/17), done.
+remote: Total 190880 (delta 0), reused 1 (delta 0), pack-reused 190863
+Receiving objects: 100% (190880/190880), 228.45 MiB | 14.19 MiB/s, done.
+Resolving deltas: 100% (141462/141462), done.
+mastodon@Belladona:~/live$ git checkout $(git tag -l | grep '^v[0-9.]*$' | sort -V | tail -n 1)
+Note: switching to 'v4.2.8'.
+
+You are in 'detached HEAD' state. You can look around, make experimental
+changes and commit them, and you can discard any commits you make in this
+state without impacting any branches by switching back to a branch.
+
+If you want to create a new branch to retain commits you create, you may
+do so (now or later) by using -c with the switch command. Example:
+
+ git switch -c new-branch-name>
+
+Or undo this operation with:
+
+ git switch -
+
+Turn off this advice by setting config variable advice.detachedHead to false
+
+HEAD is now at bdb6650eb Bump version to v4.2.8 (#29370)
+mastodon@Belladona:~/live$ bundle config deployment 'true'
+mastodon@Belladona:~/live$ bundle config without 'development test'
+mastodon@Belladona:~/live$ bundle install -j$(getconf _NPROCESSORS_ONLN)
+Bundler 2.5.7 is running, but your lockfile was generated with 2.4.13. Installing Bundler 2.4.13 and restarting using that version.
+Fetching gem metadata from https://rubygems.org/.
+Fetching bundler 2.4.13
+Installing bundler 2.4.13
+Fetching gem metadata from https://rubygems.org/.........
+Fetching https://github.com/stanhu/omniauth-cas.git
+Fetching https://github.com/mastodon/rails-settings-cached.git
+Fetching https://github.com/ClearlyClaire/webpush.git
+Fetching rake 13.0.6
+Installing rake 13.0.6
+Fetching date 3.3.4
+Fetching mini_mime 1.1.5
+Fetching minitest 5.19.0
+Fetching concurrent-ruby 1.2.3
+Fetching erubi 1.12.0
+Fetching racc 1.7.3
+Fetching crass 1.0.6
+Fetching rack 2.2.8.1
+Fetching nio4r 2.7.0
+Fetching websocket-extensions 0.1.5
+Fetching marcel 1.0.2
+Fetching builder 3.2.4
+Installing erubi 1.12.0
+Installing crass 1.0.6
+Installing websocket-extensions 0.1.5
+Installing mini_mime 1.1.5
+Fetching timeout 0.4.1
+Installing builder 3.2.4
+Installing marcel 1.0.2
+Installing date 3.3.4 with native extensions
+Installing racc 1.7.3 with native extensions
+Fetching jsonapi-renderer 0.2.2
+Installing timeout 0.4.1
+Installing minitest 5.19.0
+Installing nio4r 2.7.0 with native extensions
+Fetching public_suffix 5.0.3
+Installing jsonapi-renderer 0.2.2
+Fetching aes_key_wrap 1.1.0
+Installing rack 2.2.8.1
+Fetching android_key_attestation 0.3.0
+Installing aes_key_wrap 1.1.0
+Fetching encryptor 3.0.0
+Fetching attr_required 1.0.1
+Installing android_key_attestation 0.3.0
+Installing public_suffix 5.0.3
+Installing concurrent-ruby 1.2.3
+Installing attr_required 1.0.1
+Fetching awrence 1.2.1
+Fetching aws-eventstream 1.2.0
+Installing awrence 1.2.1
+Fetching aws-partitions 1.809.0
+Installing aws-eventstream 1.2.0
+Fetching jmespath 1.6.2
+Fetching faraday-em_http 1.0.0
+Fetching faraday-em_synchrony 1.0.0
+Installing encryptor 3.0.0
+Installing faraday-em_http 1.0.0
+Installing jmespath 1.6.2
+Installing aws-partitions 1.809.0
+Installing faraday-em_synchrony 1.0.0
+Fetching faraday-excon 1.1.0
+Fetching faraday-httpclient 1.0.1
+Installing faraday-excon 1.1.0
+Fetching multipart-post 2.3.0
+Fetching faraday-net_http 1.0.1
+Installing faraday-httpclient 1.0.1
+Fetching faraday-patron 1.0.0
+Installing multipart-post 2.3.0
+Fetching faraday-net_http_persistent 1.2.0
+Installing faraday-net_http 1.0.1
+Fetching faraday-rack 1.0.0
+Installing faraday-patron 1.0.0
+Installing faraday-net_http_persistent 1.2.0
+Fetching faraday-retry 1.0.3
+Using ruby2_keywords 0.0.5
+Fetching connection_pool 2.4.1
+Fetching bcp47_spec 0.2.1
+Fetching bcrypt 3.1.18
+Installing faraday-rack 1.0.0
+Fetching bindata 2.4.15
+Installing faraday-retry 1.0.3
+Installing connection_pool 2.4.1
+Fetching blurhash 0.1.7
+Installing bcp47_spec 0.2.1
+Fetching msgpack 1.7.1
+Installing blurhash 0.1.7 with native extensions
+Fetching browser 5.3.1
+Fetching redis 4.8.1
+Using bundler 2.4.13
+Fetching cbor 0.5.9.6
+Installing bcrypt 3.1.18 with native extensions
+Installing bindata 2.4.15
+Fetching charlock_holmes 0.7.7
+Fetching multi_json 1.15.0
+Installing msgpack 1.7.1 with native extensions
+Installing cbor 0.5.9.6 with native extensions
+Installing redis 4.8.1
+Installing browser 5.3.1
+Installing charlock_holmes 0.7.7 with native extensions
+Installing multi_json 1.15.0
+Fetching elasticsearch-dsl 0.1.10
+Fetching chunky_png 1.4.0
+Fetching climate_control 0.2.0
+Fetching cocoon 1.2.15
+Installing elasticsearch-dsl 0.1.10
+Installing climate_control 0.2.0
+Fetching color_diff 0.1
+Using openssl 3.1.0
+Fetching orm_adapter 0.5.0
+Installing cocoon 1.2.15
+Installing color_diff 0.1
+Installing chunky_png 1.4.0
+Fetching method_source 1.0.0
+Fetching thor 1.3.0
+Installing method_source 1.0.0
+Fetching rotp 6.2.2
+Fetching zeitwerk 2.6.13
+Installing orm_adapter 0.5.0
+Fetching unf_ext 0.0.8.2
+Installing thor 1.3.0
+Fetching dotenv 2.8.1
+Installing rotp 6.2.2
+Installing zeitwerk 2.6.13
+Installing dotenv 2.8.1
+Fetching ed25519 1.3.0
+Fetching excon 0.100.0
+Fetching fast_blank 1.0.1
+Installing ed25519 1.3.0 with native extensions
+Installing unf_ext 0.0.8.2 with native extensions
+Installing fast_blank 1.0.1 with native extensions
+Fetching fastimage 2.2.7
+Installing excon 0.100.0
+Installing fastimage 2.2.7
+Fetching ffi 1.15.5
+Fetching formatador 0.3.0
+Installing formatador 0.3.0
+Fetching mime-types-data 3.2023.0808
+Fetching ipaddress 0.8.3
+Fetching raabro 1.4.0
+Installing ffi 1.15.5 with native extensions
+Installing mime-types-data 3.2023.0808
+Installing raabro 1.4.0
+Fetching temple 0.10.2
+Fetching tilt 2.2.0
+Installing ipaddress 0.8.3
+Fetching hashie 5.0.0
+Using json 2.6.3
+Fetching hiredis 0.6.3
+Installing temple 0.10.2
+Installing tilt 2.2.0
+Installing hashie 5.0.0
+Fetching hkdf 0.3.0
+Fetching htmlentities 4.3.4
+Fetching http-form_data 2.3.0
+Installing hkdf 0.3.0
+Fetching http_accept_language 2.1.1
+Installing hiredis 0.6.3 with native extensions
+Installing htmlentities 4.3.4
+Installing http_accept_language 2.1.1
+Fetching httpclient 2.8.3
+Fetching rainbow 3.1.1
+Installing http-form_data 2.3.0
+Installing rainbow 3.1.1
+Fetching json-canonicalization 1.0.0
+Fetching idn-ruby 0.1.5
+Installing httpclient 2.8.3
+Installing json-canonicalization 1.0.0
+Installing idn-ruby 0.1.5 with native extensions
+Fetching link_header 0.0.8
+Fetching jwt 2.7.1
+Installing jwt 2.7.1
+Fetching kaminari-core 1.2.2
+Installing kaminari-core 1.2.2
+Using uri 0.12.2
+Installing link_header 0.0.8
+Fetching statsd-ruby 1.5.0
+Fetching net-ldap 0.18.0
+Installing statsd-ruby 1.5.0
+Installing net-ldap 0.18.0
+Fetching oj 3.16.1
+Fetching rexml 3.2.6
+Installing rexml 3.2.6
+Installing oj 3.16.1 with native extensions
+Fetching ox 2.14.17
+Installing ox 2.14.17 with native extensions
+Fetching parslet 2.0.0
+Installing parslet 2.0.0
+Fetching tty-color 0.6.0
+Installing tty-color 0.6.0
+Fetching pg 1.5.5
+Installing pg 1.5.5 with native extensions
+Fetching posix-spawn 0.3.15
+Fetching private_address_check 0.5.0
+Installing posix-spawn 0.3.15 with native extensions
+Installing private_address_check 0.5.0
+Fetching redcarpet 3.6.0
+Installing redcarpet 3.6.0 with native extensions
+Fetching rqrcode_core 1.2.0
+Installing rqrcode_core 1.2.0
+Fetching ruby-progressbar 1.13.0
+Installing ruby-progressbar 1.13.0
+Fetching rubyzip 2.3.2
+Installing rubyzip 2.3.2
+Fetching semantic_range 3.0.0
+Installing semantic_range 3.0.0
+Fetching tty-cursor 0.7.1
+Installing tty-cursor 0.7.1
+Fetching tty-screen 0.8.1
+Installing tty-screen 0.8.1
+Fetching wisper 2.0.1
+Installing wisper 2.0.1
+Fetching xorcist 1.1.3
+Fetching websocket-driver 0.7.6
+Installing xorcist 1.1.3 with native extensions
+Installing websocket-driver 0.7.6 with native extensions
+Fetching net-protocol 0.2.2
+Fetching aws-sigv4 1.6.0
+Installing aws-sigv4 1.6.0
+Installing net-protocol 0.2.2
+Fetching addressable 2.8.5
+Fetching nokogiri 1.16.2 (x86_64-linux)
+Fetching attr_encrypted 4.0.0
+Installing addressable 2.8.5
+Installing attr_encrypted 4.0.0
+Fetching rack-test 2.1.0
+Fetching warden 1.2.9
+Installing rack-test 2.1.0
+Fetching request_store 1.5.1
+Installing warden 1.2.9
+Fetching rack-protection 3.0.5
+Installing request_store 1.5.1
+Installing rack-protection 3.0.5
+Fetching rack-attack 6.7.0
+Fetching rack-cors 2.0.1
+Installing rack-cors 2.0.1
+Installing rack-attack 6.7.0
+Fetching rack-proxy 0.7.6
+Fetching faraday-multipart 1.0.4
+Fetching net-http-persistent 4.0.2
+Installing nokogiri 1.16.2 (x86_64-linux)
+Installing rack-proxy 0.7.6
+Fetching i18n 1.14.1
+Installing net-http-persistent 4.0.2
+Fetching sprockets 3.7.2
+Installing faraday-multipart 1.0.4
+Fetching brpoplpush-redis_script 0.1.3
+Fetching tzinfo 2.0.6
+Installing sprockets 3.7.2
+Installing i18n 1.14.1
+Installing brpoplpush-redis_script 0.1.3
+Fetching mario-redis-lock 1.2.1
+Fetching sidekiq 6.5.12
+Fetching redis-namespace 1.11.0
+Installing tzinfo 2.0.6
+Installing mario-redis-lock 1.2.1
+Fetching redlock 1.3.2
+Fetching elasticsearch-api 7.13.3
+Installing redis-namespace 1.11.0
+Fetching openssl-signature_algorithm 1.3.0
+Installing redlock 1.3.2
+Fetching terrapin 0.6.0
+Installing openssl-signature_algorithm 1.3.0
+Installing sidekiq 6.5.12
+Installing elasticsearch-api 7.13.3
+Installing terrapin 0.6.0
+Fetching mime-types 3.5.1
+Fetching hcaptcha 7.1.0
+Installing mime-types 3.5.1
+Installing hcaptcha 7.1.0
+Fetching haml 6.1.2
+Fetching httplog 1.6.2
+Installing haml 6.1.2 with native extensions
+Fetching safety_net_attestation 0.4.0
+Installing httplog 1.6.2
+Using webpush 0.3.8 from https://github.com/ClearlyClaire/webpush.git (at f14a4d5@f14a4d5)
+Installing safety_net_attestation 0.4.0
+Fetching rdf 3.3.1
+Fetching net-http 0.3.2
+Fetching unf 0.1.4
+Installing rdf 3.3.1
+Installing net-http 0.3.2
+Fetching pastel 0.8.0
+Installing unf 0.1.4
+Installing pastel 0.8.0
+Fetching rqrcode 2.2.0
+Fetching puma 6.4.2
+Fetching tty-reader 0.9.0
+Fetching net-pop 0.1.2
+Fetching net-smtp 0.3.4
+Installing tty-reader 0.9.0
+Fetching aws-sdk-core 3.181.0
+Installing rqrcode 2.2.0
+Installing net-smtp 0.3.4
+Fetching css_parser 1.14.0
+Installing net-pop 0.1.2
+Installing puma 6.4.2 with native extensions
+Fetching omniauth 2.1.1
+Fetching faraday 1.10.3
+Fetching activesupport 7.0.8.1
+Installing css_parser 1.14.0
+Installing omniauth 2.1.1
+Installing aws-sdk-core 3.181.0
+Installing faraday 1.10.3
+Fetching et-orbi 1.2.7
+Installing et-orbi 1.2.7
+Fetching tzinfo-data 1.2023.3
+Fetching stoplight 3.0.2
+Installing stoplight 3.0.2
+Fetching cose 1.3.0
+Installing activesupport 7.0.8.1
+Installing cose 1.3.0
+Fetching tpm-key_attestation 0.12.0
+Installing tpm-key_attestation 0.12.0
+Installing tzinfo-data 1.2023.3
+Fetching sidekiq-bulk 0.2.0
+Installing sidekiq-bulk 0.2.0
+Fetching sidekiq-unique-jobs 7.1.33
+Fetching fog-core 2.1.0
+Fetching bootsnap 1.16.0
+Fetching loofah 2.21.4
+Installing bootsnap 1.16.0 with native extensions
+Installing sidekiq-unique-jobs 7.1.33
+Installing fog-core 2.1.0
+Installing loofah 2.21.4
+Fetching ruby-saml 1.15.0
+Installing ruby-saml 1.15.0
+Fetching sanitize 6.0.2
+Installing sanitize 6.0.2
+Fetching domain_name 0.5.20190701
+Fetching twitter-text 3.1.0
+Fetching json-ld 3.3.1
+Fetching rdf-normalize 0.6.1
+Fetching tty-prompt 0.23.1
+Installing twitter-text 3.1.0
+Installing domain_name 0.5.20190701
+Installing rdf-normalize 0.6.1
+Fetching premailer 1.21.0
+Using omniauth-cas 2.0.0 from https://github.com/stanhu/omniauth-cas.git (at 4211e6d@4211e6d)
+Fetching fugit 1.8.1
+Installing json-ld 3.3.1
+Fetching net-imap 0.3.7
+Fetching faraday_middleware 1.2.0
+Installing tty-prompt 0.23.1
+Installing premailer 1.21.0
+Installing fugit 1.8.1
+Installing faraday_middleware 1.2.0
+Installing net-imap 0.3.7
+Fetching elasticsearch-transport 7.13.3
+Fetching rails-html-sanitizer 1.6.0
+Fetching webauthn 3.0.0
+Fetching rails-dom-testing 2.1.1
+Fetching globalid 1.1.0
+Installing rails-dom-testing 2.1.1
+Installing rails-html-sanitizer 1.6.0
+Fetching activemodel 7.0.8.1
+Installing globalid 1.1.0
+Fetching case_transform 0.2
+Installing webauthn 3.0.0
+Installing elasticsearch-transport 7.13.3
+Fetching json-jwt 1.15.3
+Fetching nsa 0.3.0
+Installing activemodel 7.0.8.1
+Installing case_transform 0.2
+Fetching swd 1.3.0
+Installing nsa 0.3.0
+Installing json-jwt 1.15.3
+Fetching webfinger 1.2.0
+Fetching pundit 2.3.0
+Installing swd 1.3.0
+Fetching simple-navigation 4.4.0
+Fetching fog-json 1.2.0
+Fetching omniauth-saml 2.1.0
+Installing pundit 2.3.0
+Installing webfinger 1.2.0
+Installing fog-json 1.2.0
+Installing omniauth-saml 2.1.0
+Fetching aws-sdk-kms 1.71.0
+Installing simple-navigation 4.4.0
+Fetching http-cookie 1.0.5
+Fetching json-ld-preloaded 3.2.2
+Fetching rufus-scheduler 3.9.1
+Fetching azure-storage-common 2.0.4
+Installing http-cookie 1.0.5
+Installing rufus-scheduler 3.9.1
+Fetching actionview 7.0.8.1
+Installing aws-sdk-kms 1.71.0
+Installing azure-storage-common 2.0.4
+Installing json-ld-preloaded 3.2.2
+Fetching activejob 7.0.8.1
+Fetching mail 2.8.1
+Fetching elasticsearch 7.13.3
+Fetching rack-oauth2 1.21.3
+Fetching activerecord 7.0.8.1
+Installing actionview 7.0.8.1
+Installing activejob 7.0.8.1
+Installing rack-oauth2 1.21.3
+Installing elasticsearch 7.13.3
+Fetching kt-paperclip 7.2.1
+Fetching validate_url 1.0.15
+Installing mail 2.8.1
+Installing validate_url 1.0.15
+Fetching fog-openstack 0.3.10
+Installing activerecord 7.0.8.1
+Fetching sidekiq-scheduler 5.0.3
+Fetching aws-sdk-s3 1.133.0
+Installing kt-paperclip 7.2.1
+Installing sidekiq-scheduler 5.0.3
+Installing fog-openstack 0.3.10
+Fetching azure-storage-blob 2.0.3
+Installing azure-storage-blob 2.0.3
+Installing aws-sdk-s3 1.133.0
+Fetching chewy 7.3.4
+Fetching actionpack 7.0.8.1
+Fetching kaminari-actionview 1.2.2
+Fetching md-paperclip-azure 2.2.0
+Installing chewy 7.3.4
+Installing kaminari-actionview 1.2.2
+Fetching validate_email 0.1.6
+Installing actionpack 7.0.8.1
+Installing md-paperclip-azure 2.2.0
+Installing validate_email 0.1.6
+Fetching openid_connect 1.4.2
+Installing openid_connect 1.4.2
+Fetching discard 1.2.1
+Fetching kaminari-activerecord 1.2.2
+Fetching strong_migrations 0.8.0
+Fetching pghero 3.3.4
+Fetching omniauth_openid_connect 0.6.1
+Installing discard 1.2.1
+Installing kaminari-activerecord 1.2.2
+Fetching kaminari 1.2.2
+Installing omniauth_openid_connect 0.6.1
+Installing strong_migrations 0.8.0
+Installing kaminari 1.2.2
+Fetching actioncable 7.0.8.1
+Fetching actionmailer 7.0.8.1
+Fetching activestorage 7.0.8.1
+Installing pghero 3.3.4
+Installing actioncable 7.0.8.1
+Installing actionmailer 7.0.8.1
+Fetching active_model_serializers 0.10.13
+Fetching railties 7.0.8.1
+Installing activestorage 7.0.8.1
+Fetching omniauth-rails_csrf_protection 1.0.1
+Installing active_model_serializers 0.10.13
+Fetching simple_form 5.2.0
+Installing omniauth-rails_csrf_protection 1.0.1
+Fetching sprockets-rails 3.4.2
+Installing sprockets-rails 3.4.2
+Fetching premailer-rails 1.12.0
+Installing simple_form 5.2.0
+Fetching ffi-compiler 1.0.1
+Installing railties 7.0.8.1
+Installing premailer-rails 1.12.0
+Installing ffi-compiler 1.0.1
+Fetching llhttp-ffi 0.4.0
+Fetching actiontext 7.0.8.1
+Fetching actionmailbox 7.0.8.1
+Installing llhttp-ffi 0.4.0 with native extensions
+Installing actionmailbox 7.0.8.1
+Installing actiontext 7.0.8.1
+Fetching responders 3.1.0
+Fetching dotenv-rails 2.8.1
+Fetching haml-rails 2.1.0
+Fetching rails 7.0.8.1
+Fetching doorkeeper 5.6.6
+Fetching lograge 0.13.0
+Fetching rails-i18n 7.0.7
+Installing dotenv-rails 2.8.1
+Installing responders 3.1.0
+Installing haml-rails 2.1.0
+Installing rails 7.0.8.1
+Installing lograge 0.13.0
+Fetching scenic 1.7.0
+Installing rails-i18n 7.0.7
+Fetching webpacker 5.4.4
+Using rails-settings-cached 0.6.6 from https://github.com/mastodon/rails-settings-cached.git (at v0.6.6-aliases-true@86328ef)
+Installing doorkeeper 5.6.6
+Installing scenic 1.7.0
+Fetching devise 4.9.2
+Installing webpacker 5.4.4
+Installing devise 4.9.2
+Fetching http 5.1.1
+Installing http 5.1.1
+Fetching devise-two-factor 4.1.0
+Installing devise-two-factor 4.1.0
+Bundle complete! 130 Gemfile dependencies, 243 gems now installed.
+Gems in the groups 'development' and 'test' were not installed.
+Bundled gems are installed into `./vendor/bundle`
+Post-install message from encryptor:
+
+
+
+Please be aware that Encryptor v2.0.0 had a major security bug when using AES-*-GCM algorithms.
+
+By default You will not be able to decrypt data that was previously encrypted using an AES-*-GCM algorithm.
+
+Please see the README and https://github.com/attr-encrypted/encryptor/pull/22 for more information.
+
+
+Post-install message from attr_encrypted:
+
+
+
+WARNING: Using `#encrypted_attributes` is no longer supported. Instead, use `#attr_encrypted_encrypted_attributes` to avoid
+ collision with Active Record 7 native encryption.
+
+
+Post-install message from devise:
+
+[DEVISE] Please review the [changelog] and [upgrade guide] for more info on Hotwire / Turbo integration.
+
+ [changelog] https://github.com/heartcombo/devise/blob/main/CHANGELOG.md
+ [upgrade guide] https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-%5BHotwire-Turbo-integration%5D
+ Post-install message from doorkeeper:
+Starting from 5.5.0 RC1 Doorkeeper requires client authentication for Resource Owner Password Grant
+as stated in the OAuth RFC. You have to create a new OAuth client (Doorkeeper::Application) if you didn't
+have it before and use client credentials in HTTP Basic auth if you previously used this grant flow without
+client authentication.
+
+To opt out of this you could set the "skip_client_authentication_for_password_grant" configuration option
+to "true", but note that this is in violation of the OAuth spec and represents a security risk.
+
+Read https://github.com/doorkeeper-gem/doorkeeper/issues/561#issuecomment-612857163 for more details.
+Post-install message from kt-paperclip:
+##################################################
+# NOTE FOR UPGRADING FROM 4.3.0 OR EARLIER #
+##################################################
+
+Paperclip is now compatible with aws-sdk-s3.
+
+If you are using S3 storage, aws-sdk-s3 requires you to make a few small
+changes:
+
+* You must set the `s3_region`
+* If you are explicitly setting permissions anywhere, such as in an initializer,
+ note that the format of the permissions changed from using an underscore to
+ using a hyphen. For example, `:public_read` needs to be changed to
+ `public-read`.
+
+For a walkthrough of upgrading from 4 to *5* (not 6) and aws-sdk >= 2.0 you can watch
+http://rubythursday.com/episodes/ruby-snack-27-upgrade-paperclip-and-aws-sdk-in-prep-for-rails-5
+Post-install message from rubyzip:
+RubyZip 3.0 is coming!
+**********************
+
+The public API of some Rubyzip classes has been modernized to use named
+parameters for optional arguments. Please check your usage of the
+following classes:
+ * `Zip::File`
+ * `Zip::Entry`
+ * `Zip::InputStream`
+ * `Zip::OutputStream`
+
+Please ensure that your Gemfiles and .gemspecs are suitably restrictive
+to avoid an unexpected breakage when 3.0 is released (e.g. ~> 2.3.0).
+See https://github.com/rubyzip/rubyzip for details. The Changelog also
+lists other enhancements and bugfixes that have been implemented since
+version 2.3.0.
+Post-install message from sidekiq-unique-jobs:
+IMPORTANT!
+
+Automatic configuration of the sidekiq middleware is no longer done.
+Please see: https://github.com/mhenrixon/sidekiq-unique-jobs/blob/master/README.md#add-the-middleware
+
+This version deprecated the following sidekiq_options
+
+ - sidekiq_options lock_args: :method_name
+
+It is now configured with:
+
+ - sidekiq_options lock_args_method: :method_name
+
+This is also true for `Sidekiq.default_worker_options`
+
+We also deprecated the global configuration options:
+ - default_lock_ttl
+ - default_lock_ttl=
+ - default_lock_timeout
+ - default_lock_timeout=
+
+The new methods to use are:
+ - lock_ttl
+ - lock_ttl=
+ - lock_timeout
+ - lock_timeout=
+mastodon@Belladona:~/live$ yarn install --pure-lockfile
+yarn install v1.22.22
+[1/6] Validating package.json...
+[2/6] Resolving packages...
+[3/6] Fetching packages...
+warning Pattern ["strip-ansi@^6.0.1"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-strip-ansi-cjs-6.0.1-9e26c63d30f53443e9489495b2105d37b67a85d9-integrity/node_modules/strip-ansi-cjs" as pattern ["strip-ansi-cjs@npm:strip-ansi@^6.0.1"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["string-width@^4.1.0"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-string-width-cjs-4.2.3-269c7117d27b05ad2e536830a8ec895ef9c6d010-integrity/node_modules/string-width-cjs" as pattern ["string-width-cjs@npm:string-width@^4.2.0"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["strip-ansi@^6.0.0"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-strip-ansi-cjs-6.0.1-9e26c63d30f53443e9489495b2105d37b67a85d9-integrity/node_modules/strip-ansi-cjs" as pattern ["strip-ansi-cjs@npm:strip-ansi@^6.0.1"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["string-width@^4.2.3"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-string-width-cjs-4.2.3-269c7117d27b05ad2e536830a8ec895ef9c6d010-integrity/node_modules/string-width-cjs" as pattern ["string-width-cjs@npm:string-width@^4.2.0"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["string-width@^1.0.2 || 2 || 3 || 4"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-string-width-cjs-4.2.3-269c7117d27b05ad2e536830a8ec895ef9c6d010-integrity/node_modules/string-width-cjs" as pattern ["string-width-cjs@npm:string-width@^4.2.0"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["string-width@^4.2.0"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-string-width-cjs-4.2.3-269c7117d27b05ad2e536830a8ec895ef9c6d010-integrity/node_modules/string-width-cjs" as pattern ["string-width-cjs@npm:string-width@^4.2.0"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["wrap-ansi@^7.0.0"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-wrap-ansi-cjs-7.0.0-67e145cff510a6a6984bdf1152911d69d2eb9e43-integrity/node_modules/wrap-ansi-cjs" as pattern ["wrap-ansi-cjs@npm:wrap-ansi@^7.0.0"]. This could result in non-deterministic behavior, skipping.
+[4/6] Linking dependencies...
+warning " > emoji-mart@3.0.1-j" has incorrect peer dependency "react@^0.14.0 || ^15.0.0-0 || ^16.0.0 || ^17.0.0".
+warning " > react-motion@0.5.2" has incorrect peer dependency "react@^0.14.9 || ^15.3.0 || ^16.0.0".
+warning " > react-notification@6.8.5" has incorrect peer dependency "react@^0.14.0 || ^15.0.0 || ^16.0.0".
+warning " > react-router-scroll-4@1.0.0-beta.2" has incorrect peer dependency "react@^15.0.0 || ^16.0.0".
+warning " > react-router-scroll-4@1.0.0-beta.2" has incorrect peer dependency "react-dom@^15.0.0 || ^16.0.0".
+warning " > react-swipeable-views@0.14.0" has incorrect peer dependency "react@^15.3.0 || ^16.0.0 || ^17.0.0".
+warning "react-swipeable-views > react-swipeable-views-utils > react-event-listener@0.6.6" has incorrect peer dependency "react@^16.3.0".
+[5/6] Building fresh packages...
+[6/6] Cleaning modules...
+$ husky install
+[##################################################################################################################################################################################################################################] 5661/5661husky - Git hooks installed
+Done in 39.39s.
+mastodon@Belladona:~/live$ RAILS_ENV=production bundle exec rake mastodon:setup
+Your instance is identified by its domain name. Changing it afterward will break things.
+Domain name: mastodon.datura.network
+
+Single user mode disables registrations and redirects the landing page to your public profile.
+Do you want to enable single user mode? No
+
+Are you using Docker to run Mastodon? no
+
+PostgreSQL host: /var/run/postgresql
+PostgreSQL port: 5432
+Name of PostgreSQL database: mastodon_production
+Name of PostgreSQL user: mastodon
+Password of PostgreSQL user:
+Database configuration works! 🎆
+
+Redis host: localhost
+Redis port: 6379
+Redis password:
+Redis configuration works! 🎆
+
+Do you want to store uploaded files on the cloud? No
+
+Do you want to send e-mails from localhost? No
+SMTP server: mail.nihilism.network
+SMTP port: 587
+SMTP username: surveillance
+SMTP password:
+SMTP authentication: starttls
+SMTP OpenSSL verify mode: client_once
+Enable STARTTLS: always
+E-mail address to send e-mails "from": surveillance@nihilism.network
+Send a test e-mail with this configuration right now? Yes
+Send test e-mail to: nihilist@nihilism.network
+E-mail could not be sent with this configuration, try again.
+wrong authentication type starttls
+Try again? Yes
+Do you want to send e-mails from localhost? No
+SMTP server: mail.nihilism.network
+SMTP port: 587
+SMTP username: surveillance
+SMTP password:
+SMTP authentication: plain
+SMTP OpenSSL verify mode: none
+Enable STARTTLS: always
+E-mail address to send e-mails "from": surveillance@nihilism.network
+Send a test e-mail with this configuration right now? Yes
+Send test e-mail to: nihilist@nihilism.network
+
+Do you want Mastodon to periodically check for important updates and notify you? (Recommended) Yes
+
+This configuration will be written to .env.production
+Save configuration? Yes
+
+Now that configuration is saved, the database schema must be loaded.
+If the database already exists, this will erase its contents.
+Prepare the database now? Yes
+Running `RAILS_ENV=production rails db:setup` ...
+
+
+Created database 'mastodon_production'
+Done!
+
+The final step is compiling CSS/JS assets.
+This may take a while and consume a lot of RAM.
+Compile the assets now? Yes
+Running `RAILS_ENV=production rails assets:precompile` ...
+
+
+I, [2024-03-23T15:37:10.410961 #561860] INFO -- : Writing /home/mastodon/live/public/assets/doorkeeper/admin/application-a644908e7bab54fb749be0f59fb64a7480bbf9c4c2b79d4a65791cb7ab4d8730.css
+I, [2024-03-23T15:37:10.411250 #561860] INFO -- : Writing /home/mastodon/live/public/assets/doorkeeper/admin/application-a644908e7bab54fb749be0f59fb64a7480bbf9c4c2b79d4a65791cb7ab4d8730.css.gz
+I, [2024-03-23T15:37:10.418962 #561860] INFO -- : Writing /home/mastodon/live/public/assets/doorkeeper/application-c93dac2ad9d65e3393e0e2c958481e86ef7a5e5b0f6ce406842a7b99b25a4850.css
+I, [2024-03-23T15:37:10.419052 #561860] INFO -- : Writing /home/mastodon/live/public/assets/doorkeeper/application-c93dac2ad9d65e3393e0e2c958481e86ef7a5e5b0f6ce406842a7b99b25a4850.css.gz
+I, [2024-03-23T15:37:10.420412 #561860] INFO -- : Writing /home/mastodon/live/public/assets/pghero/favicon-db10337a56c45eb43c22ff5019546b520fa22c7281d4d385f235cbca67ed26bb.png
+I, [2024-03-23T15:37:10.683030 #561860] INFO -- : Writing /home/mastodon/live/public/assets/pghero/application-fc5c893e805df52338bef3bda5a5431f74f1401da68e4f0381ac9ecb7a801e1a.js
+I, [2024-03-23T15:37:10.683160 #561860] INFO -- : Writing /home/mastodon/live/public/assets/pghero/application-fc5c893e805df52338bef3bda5a5431f74f1401da68e4f0381ac9ecb7a801e1a.js.gz
+I, [2024-03-23T15:37:10.689346 #561860] INFO -- : Writing /home/mastodon/live/public/assets/pghero/application-29fa393e673685cdbf2fb2b637098a15b988605f46bfa962f6e0cb94d15bc567.css
+I, [2024-03-23T15:37:10.689459 #561860] INFO -- : Writing /home/mastodon/live/public/assets/pghero/application-29fa393e673685cdbf2fb2b637098a15b988605f46bfa962f6e0cb94d15bc567.css.gz
+Compiling...
+Compiled all packs in /home/mastodon/live/public/packs
+Browserslist: caniuse-lite is outdated. Please run:
+ npx update-browserslist-db@latest
+ Why you should do it regularly: https://github.com/browserslist/update-db#readme
+`isModuleDeclaration` has been deprecated, please migrate to `isImportOrExportDeclaration`
+ at isModuleDeclaration (/home/mastodon/live/node_modules/babel-plugin-lodash/node_modules/@babel/types/lib/validators/generated/index.js:2740:35)
+ at PluginPass.Program (/home/mastodon/live/node_modules/babel-plugin-lodash/lib/index.js:102:44)
+Browserslist: caniuse-lite is outdated. Please run:
+ npx update-browserslist-db@latest
+ Why you should do it regularly: https://github.com/browserslist/update-db#readme
+Browserslist: caniuse-lite is outdated. Please run:
+ npx update-browserslist-db@latest
+ Why you should do it regularly: https://github.com/browserslist/update-db#readme
+
+Done!
+
+All done! You can now power on the Mastodon server 🐘
+
+Do you want to create an admin user straight away? Yes
+Username: nihilist
+E-mail: nihilist@nihilism.network
+You can login with the password:
+You can change your password once you login.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to setup a private matrix chat server along with VoIP support for the element desktop client.
+Disclaimer: If you want this service to remain anonymous, make sure you at least keep TOR between you and the service from the VPS acquisition to actual service usage.
+ +First install the required packages:
+
+apt install docker.io docker-compose
+
+
+
+Then create the directories required:
+
+mkdir /srv/matrix/data -p
+chown -R 755 /srv/matrix/data
+cd /srv/matrix
+
+
+Then we'll create the docker-compose.yml file and the generateconfig.sh script:
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat docker-compose.yml
+version: "3.3"
+
+services:
+ synapse:
+ image: "matrixdotorg/synapse:latest"
+ container_name: "matrix_synapse"
+ ports:
+ - 8008:8008
+ volumes:
+ - "./data:/data" #it will look at the current directory where you save the file and look for the data folder inside
+ environment:
+ VIRTUAL_HOST: "m.datura.network"
+ VIRTUAL_PORT: 8008
+ LETSENCRYPT_HOST: "m.datura.network"
+ SYNAPSE_SERVER_NAME: "m.datura.network"
+ SYNAPSE_REPORT_STATS: "yes"
+ coturn:
+ image: instrumentisto/coturn:latest
+ restart: unless-stopped
+ volumes:
+ - ./coturn/turnserver.conf:/etc/coturn/turnserver.conf
+ ports:
+ - 47160-47200:47160-47200/udp
+ - 3478:3478
+ - 5349:5349
+ networks:
+ - mybridge
+networks:
+ mybridge:
+ driver: bridge
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat generateconfig.sh
+#!/bin/bash
+
+docker-compose run --rm -e SYNAPSE_SERVER_NAME=m.datura.network -e SYNAPSE_REPORT_STATS=yes synapse generate
+
+
+My matrix server will have the "m.datura.network" domain name. The coturn config mentionned here is used for the VOIP support. Now let's generate the initial keys of the matrix server like so:
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ ./generateconfig.sh
+Creating network "matrix_default" with the default driver
+Creating network "matrix_mybridge" with driver "bridge"
+Setting ownership on /data to 991:991
+Creating log config /data/m.datura.network.log.config
+Generating config file /data/homeserver.yaml
+Generating signing key file /data/m.datura.network.signing.key
+A config file has been generated in '/data/homeserver.yaml' for server name 'm.datura.network'. Please review this file and customise it to your needs.
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ ls
+coturn data docker-compose.yml docker-compose.yml.coturn generateconfig.sh m.datura.network.conf.nginx
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ ls data -lash
+total 20K
+4.0K drwxr-xr-x 2 991 991 4.0K Jan 14 11:12 .
+4.0K drwxr-xr-x 4 root root 4.0K Jan 4 13:50 ..
+4.0K -rw-r--r-- 1 root root 1.3K Jan 14 11:12 homeserver.yaml
+4.0K -rw-r--r-- 1 root root 694 Jan 14 11:12 m.datura.network.log.config
+4.0K -rw-r--r-- 1 root root 59 Jan 14 11:12 m.datura.network.signing.key
+
+
+Now that's done, we can edit the homeserver.yaml if you want to remove trust into the "matrix.org" keys for federation to make it a truly private server:
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat data/homeserver.yaml | grep server
+
+trusted_key_servers:
+ - server_name: ""
+
+
+Then we can edit the coturn config like so:
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ ls
+coturn data docker-compose.yml docker-compose.yml.coturn generateconfig.sh m.datura.network.conf.nginx
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat coturn/turnserver.conf
+use-auth-secret
+static-auth-secret=cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy
+realm=m.datura.network
+listening-port=3478
+tls-listening-port=5349
+min-port=47160
+max-port=47200
+verbose
+allow-loopback-peers
+cli-password=cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy
+external-ip=116.202.216.190
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat data/homeserver.yaml | grep turn
+turn_uris: [ "turn:m.datura.network?transport=udp", "turn:m.datura.network?transport=tcp" ]
+turn_shared_secret: "cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy"
+turn_user_lifetime: 86400000
+turn_allow_guests: true
+
+
+
+Make sure the ports match the ones in the docker-compose.yml file, and the external IP is the one of your server:
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ curl ifconfig.me -4
+116.202.216.190
+
+
+Then we start the docker-compose:
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ docker-compose up -d
+Creating matrix_coturn_1 ... done
+Creating matrix_synapse ... done
+
+
+Then we create the accounts like so:
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ docker container ls | grep matrixdot
+134d440b1480 matrixdotorg/synapse:latest "/start.py" About a minute ago Up 25 seconds (healthy) 8009/tcp, 0.0.0.0:8008->8008/tcp, :::8008->8008/tcp, 8448/tcp matrix_synapse
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ docker exec -it 134 bash
+root@134d440b1480:/#
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ docker exec -it 134 bash
+
+root@134d440b1480:/# register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008
+New user localpart [root]: nihilist
+Password:
+Confirm password:
+Make admin [no]: yes
+Sending registration request...
+Success!
+
+root@134d440b1480:/# exit
+exit
+
+
+Then we make sure that we can access the matrix server via nginx:
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat /etc/nginx/sites-enabled/m.datura.network.conf
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ # For the federation port
+ listen 8448 ssl http2;
+ listen [::]:8448 ssl http2;
+
+ server_name m.datura.network;
+
+ ssl_certificate /etc/acme/certs/m.datura.network/fullchain.cer;
+ ssl_certificate_key /etc/acme/certs/m.datura.network/m.datura.network.key;
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ # note: do not add a path (even a single /) after the port in `proxy_pass`,
+ # otherwise nginx will canonicalise the URI and cause signature verification
+ # errors.
+ proxy_pass http://localhost:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 50M;
+
+ # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+ proxy_http_version 1.1;
+ }
+}
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ nginx -t
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+
+Then we test that we can login from a matrix client (which can be installed inside a whonix VM), let's use element because we want to be able to do voicecalls:
+ + + + + +Here we will setup a secure backup password, that is a separate password, for end to end encryption purposes. Then you can do the following steps:
+ +Make sure you log out of every unverified session:
+ + +You may need to log in and log out before being able to send messages so do that, then create the space along with the chatroom
+ + + + + + + + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to take a look at how to setup a monero node on a Ubuntu VM:
+ +first install monero from the repositories:
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ apt install monero -y
+
+
+create the systemd service
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ vim /etc/systemd/system/moneronode.service
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ cat /etc/systemd/system/moneronode.service
+[Unit]
+Description=monerod
+After=network.target
+Wants=network.target
+
+[Service]
+ExecStart=/usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 --p2p-bind-ip=0.0.0.0 --p2p-bind-port=18080 --confirm-external-bind --non-interactive
+Restart=on-failure
+RestartSec=10s
+
+
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+
+
+Then enable it:
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl daemon-reload
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl enable --now moneronode
+Created symlink /etc/systemd/system/multi-user.target.wants/moneronode.service → /etc/systemd/system/moneronode.service.
+
+Then wait for it to sync:
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl status moneronode
+● moneronode.service - monerod
+ Loaded: loaded (/etc/systemd/system/moneronode.service; enabled; preset: enabled)
+ Active: active (running) since Sun 2023-07-09 15:36:44 CEST; 2min 22s ago
+ Main PID: 8410 (monerod)
+ Tasks: 30 (limit: 77000)
+ Memory: 1.7G
+ CPU: 1min 53.681s
+ CGroup: /system.slice/moneronode.service
+ └─8410 /usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 ->
+
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.055 I Synced 88702/2925934 (3%, 2837232 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.188 I Synced 88752/2925934 (3%, 2837182 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.310 I Synced 88802/2925934 (3%, 2837132 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.452 I Synced 88852/2925934 (3%, 2837082 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.576 I Synced 88902/2925934 (3%, 2837032 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.756 I Synced 88952/2925934 (3%, 2836982 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.890 I Synced 89002/2925934 (3%, 2836932 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.060 I Synced 89052/2925934 (3%, 2836882 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.182 I Synced 89088/2925934 (3%, 2836846 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.376 I Synced 89138/2925934 (3%, 2836796 left)
+
+
+On a SSD it may take 1 day, and weigh approximately 60 gigs as of writing this tutorial. The synchronisation is a very disk-intensive process, and so it is required to do it on a nvme disk or ssd at least. If you try to do that on a HDD it will take much, much longer. If you don't have a choice, sync it on a nvme somewhere and then rsync it to a server that has only HDDs.
+First let's setup the required dependencies:
+
+root@XMR:~# sudo ufw allow 18080
+Rules updated
+Rules updated (v6)
+root@XMR:~# wget https://downloads.getmonero.org/linux64
+--2021-12-07 17:46:09-- https://downloads.getmonero.org/linux64
+Resolving downloads.getmonero.org (downloads.getmonero.org)... 157.185.175.107, 157.185.145.90
+Connecting to downloads.getmonero.org (downloads.getmonero.org)|157.185.175.107|:443... connected.
+HTTP request sent, awaiting response... 302 Moved Temporarily
+Location: https://downloads.getmonero.org/cli/monero-linux-x64-v0.17.3.0.tar.bz2 [following]
+--2021-12-07 17:46:10-- https://downloads.getmonero.org/cli/monero-linux-x64-v0.17.3.0.tar.bz2
+Reusing existing connection to downloads.getmonero.org:443.
+HTTP request sent, awaiting response... 200 OK
+Length: 75791408 (72M) [application/octet-stream]
+Saving to: 'linux64'
+
+linux64 100%[======================================================================================================================>] 72.28M 505KB/s in 2m 29s
+
+2021-12-07 17:48:39 (497 KB/s) - 'linux64' saved [75791408/75791408]
+
+root@XMR:~# mkdir monero
+root@XMR:~# tar -xjvf linux64 -C monero
+root@XMR:~# cd monero
+root@XMR:~/monero# cd monero-x86_64-linux-gnu-v0.17.3.0/
+
+root@XMR:~/monero/monero-x86_64-linux-gnu-v0.17.3.0# ls -l
+total 218860
+-rw-r--r-- 1 root root 10083 Nov 30 22:07 ANONYMITY_NETWORKS.md
+-rw-r--r-- 1 root root 2730 Nov 30 22:07 LICENSE
+-rw-r--r-- 1 root root 44212 Nov 30 22:07 README.md
+-rwxr-xr-x 1 root root 13548008 Nov 30 22:07 monero-blockchain-ancestry
+-rwxr-xr-x 1 root root 12499760 Nov 30 22:07 monero-blockchain-depth
+-rwxr-xr-x 1 root root 12569272 Nov 30 22:07 monero-blockchain-export
+-rwxr-xr-x 1 root root 12927888 Nov 30 22:07 monero-blockchain-import
+-rwxr-xr-x 1 root root 9722384 Nov 30 22:07 monero-blockchain-mark-spent-outputs
+-rwxr-xr-x 1 root root 12529472 Nov 30 22:07 monero-blockchain-prune
+-rwxr-xr-x 1 root root 12501264 Nov 30 22:07 monero-blockchain-prune-known-spent-data
+-rwxr-xr-x 1 root root 12492048 Nov 30 22:07 monero-blockchain-stats
+-rwxr-xr-x 1 root root 12515000 Nov 30 22:07 monero-blockchain-usage
+-rwxr-xr-x 1 root root 8721000 Nov 30 22:07 monero-gen-ssl-cert
+-rwxr-xr-x 1 root root 25978048 Nov 30 22:07 monero-gen-trusted-multisig
+-rwxr-xr-x 1 root root 27279384 Nov 30 22:07 monero-wallet-cli
+-rwxr-xr-x 1 root root 27732200 Nov 30 22:07 monero-wallet-rpc
+-rwxr-xr-x 1 root root 23004560 Nov 30 22:07 monerod
+root@XMR:~/monero/monero-x86_64-linux-gnu-v0.17.3.0# ./monerod
+
+To add the monero commands to your PATH, do the following:
+
+root@anonymity:~/monero/monero-x86_64-linux-gnu-v0.18.2.0# PATH=$PATH:$(pwd)
+root@anonymity:~/monero/monero-x86_64-linux-gnu-v0.18.2.0# cd
+root@anonymity:~# monerod --version
+Monero 'Fluorine Fermi' (v0.18.2.0-release)
+
+
+
+Now from here, the monerod daemon will start synchronizing with the network.
+
+root@XMR:~/monero/monero-x86_64-linux-gnu-v0.17.3.0# ./monerod
+2021-12-07 17:50:41.765 I Monero 'Oxygen Orion' (v0.17.3.0-release)
+2021-12-07 17:50:41.765 I Initializing cryptonote protocol...
+2021-12-07 17:50:41.765 I Cryptonote protocol initialized OK
+2021-12-07 17:50:41.766 I Initializing core...
+2021-12-07 17:50:41.767 I Loading blockchain from folder /root/.bitmonero/lmdb ...
+2021-12-07 17:50:41.767 W The blockchain is on a rotating drive: this will be very slow, use an SSD if possible
+2021-12-07 17:50:41.918 I Loading checkpoints
+2021-12-07 17:50:41.918 I Core initialized OK
+2021-12-07 17:50:41.918 I Initializing p2p server...
+2021-12-07 17:50:41.919 I p2p server initialized OK
+2021-12-07 17:50:41.919 I Initializing core RPC server...
+2021-12-07 17:50:41.919 I Binding on 127.0.0.1 (IPv4):18081
+2021-12-07 17:50:43.028 I core RPC server initialized OK on port: 18081
+2021-12-07 17:50:43.029 I Starting core RPC server...
+2021-12-07 17:50:43.029 I core RPC server started ok
+2021-12-07 17:50:43.030 I Starting p2p net loop...
+2021-12-07 17:50:44.030 I
+2021-12-07 17:50:44.030 I **********************************************************************
+2021-12-07 17:50:44.031 I The daemon will start synchronizing with the network. This may take a long time to complete.
+2021-12-07 17:50:44.031 I
+2021-12-07 17:50:44.031 I You can set the level of process detailization through "set_log <level|categories>" command,
+2021-12-07 17:50:44.031 I where <level> is between 0 (no details) and 4 (very verbose), or custom category based levels (eg, *:WARNING).
+2021-12-07 17:50:44.031 I
+2021-12-07 17:50:44.031 I Use the "help" command to see the list of available commands.
+2021-12-07 17:50:44.031 I Use "help <command>" to see a command's documentation.
+2021-12-07 17:50:44.031 I **********************************************************************
+2021-12-07 17:50:46.924 I [217.168.143.169:18080 OUT] Sync data returned a new top block candidate: 1 -> 2509762 [Your node is 2509761 blocks (7.6 years) behind]
+2021-12-07 17:50:46.924 I SYNCHRONIZATION started
+2021-12-07 17:50:47.704 I Synced 101/2509762 (0%, 2509661 left)
+2021-12-07 17:50:48.003 I Synced 201/2509762 (0%, 2509561 left)
+2021-12-07 17:50:48.270 I Synced 301/2509762 (0%, 2509461 left)
+2021-12-07 17:50:48.489 I Synced 401/2509762 (0%, 2509361 left)
+2021-12-07 17:50:48.737 I Synced 501/2509762 (0%, 2509261 left)
+2021-12-07 17:50:49.404 I Synced 601/2509762 (0%, 2509161 left)
+2021-12-07 17:50:49.747 I Synced 701/2509762 (0%, 2509061 left)
+2021-12-07 17:50:50.105 I Synced 801/2509762 (0%, 2508961 left)
+2021-12-07 17:50:50.466 I Synced 901/2509762 (0%, 2508861 left)
+2021-12-07 17:50:50.812 I Synced 1001/2509762 (0%, 2508761 left)
+2021-12-07 17:50:51.142 I Synced 1101/2509762 (0%, 2508661 left)
+2021-12-07 17:50:51.478 I Synced 1201/2509762 (0%, 2508561 left)
+2021-12-07 17:50:51.798 I Synced 1301/2509762 (0%, 2508461 left)
+2021-12-07 17:50:52.106 I Synced 1401/2509762 (0%, 2508361 left)
+2021-12-07 17:50:52.311 I Synced 1501/2509762 (0%, 2508261 left)
+2021-12-07 17:50:52.486 I Synced 1601/2509762 (0%, 2508161 left)
+2021-12-07 17:50:52.705 I Synced 1701/2509762 (0%, 2508061 left)
+2021-12-07 17:50:53.052 I Synced 1801/2509762 (0%, 2507961 left)
+2021-12-07 17:50:53.301 I Synced 1901/2509762 (0%, 2507861 left)
+2021-12-07 17:50:53.486 I Synced 2001/2509762 (0%, 2507761 left)
+
+[...]
+
+2021-12-08 22:43:43.742 I Synced 2510440/2510616 (99%, 176 left, 99% of total synced, estimated 1.4 minutes left)
+2021-12-08 22:43:54.585 I Synced 2510460/2510616 (99%, 156 left)
+2021-12-08 22:44:05.633 I Synced 2510480/2510616 (99%, 136 left)
+2021-12-08 22:44:16.890 I Synced 2510500/2510616 (99%, 116 left)
+2021-12-08 22:44:29.678 I Synced 2510520/2510616 (99%, 96 left)
+2021-12-08 22:44:38.997 I Synced 2510540/2510616 (99%, 76 left)
+2021-12-08 22:44:50.386 I Synced 2510560/2510616 (99%, 56 left)
+2021-12-08 22:45:00.147 I Synced 2510580/2510616 (99%, 36 left)
+2021-12-08 22:45:10.336 I Synced 2510600/2510616 (99%, 16 left)
+2021-12-08 22:45:20.776 I Synced 2510615/2510616 (99%, 1 left)
+2021-12-08 22:45:21.325 I Synced 2510616/2510616
+2021-12-08 22:46:17.775 I Synced 2510617/2510617
+2021-12-08 22:46:17.776 I SYNCHRONIZED OK
+2021-12-08 22:46:17.776 I
+2021-12-08 22:46:17.776 I **********************************************************************
+2021-12-08 22:46:17.776 I You are now synchronized with the network. You may now start monero-wallet-cli.
+2021-12-08 22:46:17.776 I
+2021-12-08 22:46:17.776 I Use the "help" command to see the list of available commands.
+2021-12-08 22:46:17.776 I **********************************************************************
+
+
+Now from there you can select the monero node's IP from the monero wallet, or simply choose a local node if you have a ssd and CPU:
+ + +In order to mine monero, let's use xmrig and the p2pool network:
+
+[ 10.66.66.2/32 ] [ /dev/pts/13 ] [~]
+→ yay -S p2pool-git
+:: Checking for conflicts...
+:: Checking for inner conflicts...
+[Repo Make:2] rhash-1.4.2-1 cmake-3.22.1-1
+[Aur:1] p2pool-git-1.0.r16.g2a3cd13-1
+
+==> Remove make dependencies after install? [y/N] y
+ 1 p2pool-git (Build Files Exist)
+==> Packages to cleanBuild?
+==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
+==>
+:: PKGBUILD up to date, Skipping (1/0): p2pool-git
+ 1 p2pool-git (Build Files Exist)
+==> Diffs to show?
+==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
+==>
+:: (1/1) Parsing SRCINFO: p2pool-git
+resolving dependencies...
+looking for conflicting packages...
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/9 ] [~]
+→ monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/13 ] [~/Documents/Github]
+→ p2pool
+P2Pool v1.4.0 (built with GCC/11.1.0 on Dec 11 2021)
+
+Usage:
+
+--wallet Wallet address to mine to. Subaddresses and integrated addresses are not supported!
+--host IP address of your Monero node, default is 127.0.0.1
+--rpc-port monerod RPC API port number, default is 18081
+--zmq-port monerod ZMQ pub port number, default is 18083 (same port as in monerod's "--zmq-pub" command line parameter)
+--stratum Comma-separated list of IP:port for stratum server to listen on
+--p2p Comma-separated list of IP:port for p2p server to listen on
+--addpeers Comma-separated list of IP:port of other p2pool nodes to connect to
+--light-mode Don't allocate RandomX dataset, saves 2GB of RAM
+--loglevel Verbosity of the log, integer number between 0 and 6
+--config Name of the p2pool config file
+--data-api Path to the p2pool JSON data (use it in tandem with an external web-server)
+--stratum-api Enable /local/ path in api path for Stratum Server statistics
+--no-cache Disable p2pool.cache
+--no-color Disable colors in console output
+--no-randomx Disable internal RandomX hasher: p2pool will use RPC calls to monerod to check PoW hashes
+--help Show this help message
+
+Example command line:
+
+./p2pool --host 127.0.0.1 --rpc-port 18081 --zmq-port 18083 --wallet YOUR_WALLET_ADDRESS --stratum 0.0.0.0:3333 --p2p 0.0.0.0:37889
+
+2021-12-11 18:54:36.8175 Log started
+2021-12-11 18:54:36.8176 Log stopped
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/13 ] [~/Documents/Github]
+→ p2pool --host 127.0.0.1 --wallet 447KnLGYbQrHD4npGPmqdGQ3ARqz9kgLLQfaYY9KDC7eUcyKfnwZtj1JLNSqQHKEudHNyuDeKLBbhWtPdS7SoVM54nWHw1b
+2021-12-11 18:56:08.2917 Log started
+2021-12-11 18:56:08.2918 P2Pool v1.4.0 (built with GCC/11.1.0 on Dec 11 2021)
+2021-12-11 18:56:08.2920 SideChain network type = mainnet
+2021-12-11 18:56:08.2920 SideChain using default config
+2021-12-11 18:56:08.2920 SideChain pool name = default
+2021-12-11 18:56:08.2920 SideChain block time = 10 seconds
+2021-12-11 18:56:08.2920 SideChain min diff = 100000
+2021-12-11 18:56:08.2921 SideChain PPLNS window = 2160 blocks
+2021-12-11 18:56:08.2921 SideChain uncle penalty = 20%
+2021-12-11 18:56:08.2921 SideChain generating consensus ID
+2021-12-11 18:56:08.2921 SideChain consensus ID = 22af7ee7************************************************4407f918
+2021-12-11 18:56:08.2921 RandomX_Hasher couldn't allocate RandomX dataset using large pages
+2021-12-11 18:56:08.2921 RandomX_Hasher couldn't allocate RandomX cache using large pages
+2021-12-11 18:56:08.2922 RandomX_Hasher couldn't allocate RandomX cache using large pages
+2021-12-11 18:56:08.2922 RandomX_Hasher allocated 2592 MB
+2021-12-11 18:56:08.2923 ConsoleCommands started
+2021-12-11 18:56:08.4697 P2Pool new miner data
+---------------------------------------------------------------------------------------------------------------
+major_version = 14
+height = 2512684
+prev_id = 9e12d7a34b225e84a9febe1effcdbee003c956cc77c25cd7f6fb446e5ce2f4c4
+seed_hash = 8954432e62d63ad320107fbdae7fdd8667c1d69391660cffd7f99b30d0592147
+difficulty = 353157222750
+median_weight = 300000
+already_generated_coins = 18044465200878847465
+transactions = 45
+---------------------------------------------------------------------------------------------------------------
+2021-12-11 18:56:08.4697 BlockTemplate base reward = 0.767286058102 XMR, 0 transactions, fees = 0.000000000000 XMR, weight = 0
+2021-12-11 18:56:08.4697 RandomX_Hasher new seed 8954432e62d63ad320107fbdae7fdd8667c1d69391660cffd7f99b30d0592147
+2021-12-11 18:56:08.4699 BlockTemplate final reward = 0.767286058102 XMR, weight = 126, outputs = 1, 0 of 0 transactions included
+2021-12-11 18:56:08.4707 RandomX_Hasher old seed 72e85eed124de1b5098f779d89ca07c00ccf7de79f94fcc085e15bc2b45c6c73
+2021-12-11 18:56:08.7374 RandomX_Hasher couldn't allocate RandomX light VM using large pages
+2021-12-11 18:56:08.7374 RandomX_Hasher cache updated
+2021-12-11 18:56:08.7374 RandomX_Hasher running 8 threads to update dataset
+2021-12-11 18:56:12.3926 RandomX_Hasher couldn't allocate RandomX VM using large pages
+2021-12-11 18:56:12.3927 RandomX_Hasher dataset updated
+2021-12-11 18:56:12.6746 RandomX_Hasher couldn't allocate RandomX light VM using large pages
+2021-12-11 18:56:12.6747 RandomX_Hasher old cache updated
+2021-12-11 18:56:12.7170 StratumServer listening on [::]:3333
+2021-12-11 18:56:12.7170 StratumServer listening on 0.0.0.0:3333
+2021-12-11 18:56:12.7170 StratumServer event loop started
+2021-12-11 18:56:12.7175 ZMQReader connected to tcp://127.0.0.1:18083
+2021-12-11 18:56:12.7176 BlockCache loading cached blocks
+2021-12-11 18:56:12.7177 ZMQReader connected to tcp://127.0.0.1:37891
+2021-12-11 18:56:12.7177 ZMQReader worker thread ready
+2021-12-11 18:56:12.7838 BlockCache loaded 0 cached blocks
+2021-12-11 18:56:12.8336 P2PServer listening on [::]:37889
+2021-12-11 18:56:12.8336 P2PServer listening on 0.0.0.0:37889
+2021-12-11 18:56:12.8337 P2PServer event loop started
+
+
+Now let's install xmrig:
+ +
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~]
+→ mv Downloads/xmrig-6.16.2-linux-static-x64.tar.gz .
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~]
+→ mkdir xmrig
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~]
+→ mv xmrig-6.16.2-linux-static-x64.tar.gz xmrig/
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~]
+→ cd xmrig
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ tar xvf xmrig-6.16.2-linux-static-x64.tar.gz
+xmrig-6.16.2/
+xmrig-6.16.2/config.json
+xmrig-6.16.2/xmrig
+xmrig-6.16.2/SHA256SUMS
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ ls -l
+total 2912
+drwxr-xr-x 2 nothing nothing 4096 Dec 2 14:05 xmrig-6.16.2
+-rw-r--r-- 1 nothing nothing 2974083 Dec 11 19:02 xmrig-6.16.2-linux-static-x64.tar.gz
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ cd xmrig-6.16.2
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig/xmrig-6.16.2]
+→ ls -l
+total 6892
+-rw-r--r-- 1 nothing nothing 2351 Dec 2 14:05 config.json
+-rw-r--r-- 1 nothing nothing 150 Dec 2 14:05 SHA256SUMS
+-rwxr-xr-x 1 nothing nothing 7047360 Dec 2 14:05 xmrig
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig/xmrig-6.16.2]
+→ cd ..
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ mv xmrig-6.16.2/* .
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ ls -l
+total 9804
+-rw-r--r-- 1 nothing nothing 2351 Dec 2 14:05 config.json
+-rw-r--r-- 1 nothing nothing 150 Dec 2 14:05 SHA256SUMS
+-rwxr-xr-x 1 nothing nothing 7047360 Dec 2 14:05 xmrig
+drwxr-xr-x 2 nothing nothing 4096 Dec 11 19:04 xmrig-6.16.2
+-rw-r--r-- 1 nothing nothing 2974083 Dec 11 19:02 xmrig-6.16.2-linux-static-x64.tar.gz
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ rm xmrig-6.16.2-linux-static-x64.tar.gz
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ rm -rf xmrig-6.16.2
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ vim config.json
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ cat config.json
+{
+ "api": {
+ "id": null,
+ "worker-id": null
+ },
+ "http": {
+ "enabled": false,
+ "host": "127.0.0.1",
+ "port": 0,
+ "access-token": null,
+ "restricted": true
+ },
+ "autosave": true,
+ "background": false,
+ "colors": true,
+ "title": true,
+ "randomx": {
+ "init": -1,
+ "init-avx2": -1,
+ "mode": "auto",
+ "1gb-pages": false,
+ "rdmsr": true,
+ "wrmsr": true,
+ "cache_qos": false,
+ "numa": true,
+ "scratchpad_prefetch_mode": 1
+ },
+ "cpu": {
+ "enabled": true,
+ "huge-pages": true,
+ "huge-pages-jit": false,
+ "hw-aes": null,
+ "priority": null,
+ "memory-pool": false,
+ "yield": true,
+ "max-threads-hint": 100,
+ "asm": true,
+ "argon2-impl": null,
+ "astrobwt-max-size": 550,
+ "astrobwt-avx2": false,
+ "cn/0": false,
+ "cn-lite/0": false
+ },
+ "opencl": {
+ "enabled": false,
+ "cache": true,
+ "loader": null,
+ "platform": "AMD",
+ "adl": true,
+ "cn/0": false,
+ "cn-lite/0": false
+ },
+ "cuda": {
+ "enabled": false,
+ "loader": null,
+ "nvml": true,
+ "cn/0": false,
+ "cn-lite/0": false
+ },
+ "donate-level": 0,
+ "donate-over-proxy": 1,
+ "log-file": null,
+ "pools": [
+ {
+ "algo": null,
+ "coin": null,
+ "url": "donate.v2.xmrig.com:3333",
+ "user": "YOUR_WALLET_ADDRESS",
+ "pass": "x",
+ "rig-id": null,
+ "nicehash": false,
+ "keepalive": false,
+ "enabled": true,
+ "tls": false,
+ "tls-fingerprint": null,
+ "daemon": false,
+ "socks5": null,
+ "self-select": null,
+ "submit-to-origin": false
+ }
+ ],
+ "print-time": 60,
+ "health-print-time": 60,
+ "dmi": true,
+ "retries": 5,
+ "retry-pause": 5,
+ "syslog": false,
+ "tls": {
+ "enabled": false,
+ "protocols": null,
+ "cert": null,
+ "cert_key": null,
+ "ciphers": null,
+ "ciphersuites": null,
+ "dhparam": null
+ },
+ "user-agent": null,
+ "verbose": 0,
+ "watch": true,
+ "pause-on-battery": false,
+ "pause-on-active": false
+}
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ ./xmrig
+
+
+
+
+Now we need to add our wallet address and change the pool to be the p2pool address 127.0.0.1:3333
+
+[ 10.66.66.2/32 ] [ /dev/pts/16 ] [~/xmrig]
+→ nmap 127.0.0.1 -p 3333
+Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-11 19:10 UTC
+Nmap scan report for localhost (127.0.0.1)
+Host is up (0.000054s latency).
+
+PORT STATE SERVICE
+3333/tcp open dec-notes
+
+Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
+
+[ 10.66.66.2/32 ] [ /dev/pts/16 ] [~/xmrig]
+→ cat config.json
+{
+ "api": {
+ "id": null,
+ "worker-id": null
+ },
+ "http": {
+ "enabled": false,
+ "host": "127.0.0.1",
+ "port": 0,
+ "access-token": null,
+ "restricted": true
+ },
+ "autosave": true,
+ "background": false,
+ "colors": true,
+ "title": true,
+ "randomx": {
+ "init": -1,
+ "init-avx2": -1,
+ "mode": "auto",
+ "1gb-pages": false,
+ "rdmsr": true,
+ "wrmsr": true,
+ "cache_qos": false,
+ "numa": true,
+ "scratchpad_prefetch_mode": 1
+ },
+ "cpu": {
+ "enabled": true,
+ "huge-pages": true,
+ "huge-pages-jit": false,
+ "hw-aes": null,
+ "priority": null,
+ "memory-pool": false,
+ "yield": true,
+ "asm": true,
+ "argon2-impl": null,
+ "astrobwt-max-size": 550,
+ "astrobwt-avx2": false,
+ "argon2": [0, 8, 1, 9, 2, 10, 3, 11, 4, 12, 5, 13, 6, 14, 7, 15],
+ "astrobwt": [0, 8, 1, 9, 2, 10, 3, 11, 4, 12, 5, 13, 6, 14, 7, 15],
+ "cn": [
+ [1, 0],
+ [1, 1],
+ [1, 2],
+ [1, 3],
+ [1, 4],
+ [1, 5],
+ [1, 6],
+ [1, 7]
+ ],
+ "cn-heavy": [
+ [1, 0],
+ [1, 1],
+ [1, 2],
+ [1, 3]
+ ],
+ "cn-lite": [
+ [1, 0],
+ [1, 8],
+ [1, 1],
+ [1, 9],
+ [1, 2],
+ [1, 10],
+ [1, 3],
+ [1, 11],
+ [1, 4],
+ [1, 12],
+ [1, 5],
+ [1, 13],
+ [1, 6],
+ [1, 14],
+ [1, 7],
+ [1, 15]
+ ],
+ "cn-pico": [
+ [2, 0],
+ [2, 8],
+ [2, 1],
+ [2, 9],
+ [2, 2],
+ [2, 10],
+ [2, 3],
+ [2, 11],
+ [2, 4],
+ [2, 12],
+ [2, 5],
+ [2, 13],
+ [2, 6],
+ [2, 14],
+ [2, 7],
+ [2, 15]
+ ],
+ "cn/upx2": [
+ [2, 0],
+ [2, 8],
+ [2, 1],
+ [2, 9],
+ [2, 2],
+ [2, 10],
+ [2, 3],
+ [2, 11],
+ [2, 4],
+ [2, 12],
+ [2, 5],
+ [2, 13],
+ [2, 6],
+ [2, 14],
+ [2, 7],
+ [2, 15]
+ ],
+ "ghostrider": [
+ [8, 0],
+ [8, 1],
+ [8, 2],
+ [8, 3],
+ [8, 4],
+ [8, 5],
+ [8, 6],
+ [8, 7]
+ ],
+ "rx": [0, 1, 2, 3, 4, 5, 6, 7],
+ "rx/wow": [0, 8, 1, 9, 2, 10, 3, 11, 4, 12, 5, 13, 6, 14, 7, 15],
+ "cn-lite/0": false,
+ "cn/0": false,
+ "rx/arq": "rx/wow",
+ "rx/keva": "rx/wow"
+ },
+ "log-file": null,
+ "donate-level": 1,
+ "donate-over-proxy": 1,
+ "pools": [
+ {
+ "algo": null,
+ "coin": null,
+ "url": "127.0.0.1:3333",
+ "user": "447KnLGYbQrHD4npGPmqdGQ3ARqz9kgLLQfaYY9KDC7eUcyKfnwZtj1JLNSqQHKEudHNyuDeKLBbhWtPdS7SoVM54nWHw1b",
+ "pass": "x",
+ "rig-id": null,
+ "nicehash": false,
+ "keepalive": false,
+ "enabled": true,
+ "tls": false,
+ "tls-fingerprint": null,
+ "daemon": false,
+ "socks5": null,
+ "self-select": null,
+ "submit-to-origin": false
+ }
+ ],
+ "retries": 5,
+ "retry-pause": 5,
+ "print-time": 60,
+ "dmi": true,
+ "syslog": false,
+ "tls": {
+ "enabled": false,
+ "protocols": null,
+ "cert": null,
+ "cert_key": null,
+ "ciphers": null,
+ "ciphersuites": null,
+ "dhparam": null
+ },
+ "dns": {
+ "ipv6": false,
+ "ttl": 30
+ },
+ "user-agent": null,
+ "verbose": 0,
+ "watch": true,
+ "pause-on-battery": false,
+ "pause-on-active": false
+}
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ ./xmrig -o 127.0.0.1:3333
+
+[term2]
+
+[ 10.66.66.2/32 ] [ /dev/pts/7 ] [blog/servers/exodus]
+→ watch -n 0.1 sensors
+
+
+And that's it! We managed to start mining on the p2pool using xmrig, by default it is using half of the CPU. To summarize, here's the commands you want to run:
+
+monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist
+p2pool --host 127.0.0.1 --wallet 447KnLGYbQrHD4npGPmqdGQ3ARqz9kgLLQfaYY9KDC7eUcyKfnwZtj1JLNSqQHKEudHNyuDeKLBbhWtPdS7SoVM54nWHw1b
+sudo ./xmrig -o 127.0.0.1:3333
+watch -n 0.1 sensors
+htop
+
+
+EDIT: run xmrig with SUDO privileges, to enable msr support see here. It nearly doubles the hashrate!!!
+EDIT: if you want to mine from another location (for example another drive with more space)
+
+monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /mnt/VAULT/XMR
+p2pool --host 127.0.0.1 --wallet 447KnLGYbQrHD4npGPmqdGQ3ARqz9kgLLQfaYY9KDC7eUcyKfnwZtj1JLNSqQHKEudHNyuDeKLBbhWtPdS7SoVM54nWHw1b
+sudo ./xmrig -o 127.0.0.1:3333
+watch -n 0.1 sensors
+htop
+
+
+If you want to make it a tmux session automatically, you can put it in your bashrc/ zshrc like so ((careful i added my custom location /mnt/VAULT/XMR/ in here):
+
+xmr(){
+ num=$(tmux list-sessions | grep XMR | wc -l)
+
+ # set up tmux
+ #tmux start-server
+
+ set -g mouse on
+
+ # create a new tmux session, starting vim from a saved session in the new window
+ #tmux kill-session -t $session 2>/dev/null
+ #tmux new -d -s $session -n Blog -y 100 -x 200
+ if [ "$num" -eq "0" ]; then
+ tmux rename-session XMR
+ #tmux rename-window -t 0 'BlogDir'
+
+ tmux splitw -h -p 50
+ #second pane : monerod
+ tmux selectp -t 2
+ tmux send-keys "cd /mnt/VAULT/XMR/" C-m
+ tmux send-keys "monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /mnt/VAULT/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 --p2p-bind-ip=0.0.0.0 --p2p-bind-port=18080 --confirm-external-bind" C-m
+
+ sleep 2
+ #after 5 secs, first pane: p2pool
+ tmux selectp -t 1
+ tmux send-keys "p2pool --host 127.0.0.1 --wallet 447KnLGYbQrHD4npGPmqdGQ3ARqz9kgLLQfaYY9KDC7eUcyKfnwZtj1JLNSqQHKEudHNyuDeKLBbhWtPdS7SoVM54nWHw1b" C-m
+ #select 2nd pane, split vertically
+ tmux selectp -t 2
+ tmux splitw -v -p 50
+ tmux send-keys "cd /mnt/VAULT/XMR/xmrig" C-m
+ tmux send-keys "sudo ./xmrig -o 127.0.0.1:3333 -t 4 --cpu-priority=0 -u x+10000" C-m
+ #select 3rd pane, split vertically
+ tmux selectp -t 3
+ tmux splitw -v -p 50
+ tmux send-keys "htop" C-m
+ #select 2nd pane, split horizontally, displaying sensors
+ tmux selectp -t 2
+ tmux splitw -h -p 50
+ tmux send-keys "watch -n0.1 sensors" C-m
+
+ #select 2nd pane, split horizontally, displaying sensors
+ tmux selectp -t 3
+ tmux splitw -v -p 50
+ tmux send-keys "watch -n0.1 dfc" C-m
+ tmux selectp -t 5
+
+#ctrl+b+q to show the tmux pane numbers
+
+ else
+ if [[ $TMUX ]]; then
+ tmux switch -t XMR
+ else
+ tmux attach -t XMR -d
+ fi
+ fi
+
+ }
+
+
+If you want to run a simple node on a debian server, you can use the following systemd service (in this example the node is stored in /srv/XMR/:
+
+[ 10.8.0.2/24 ] [ home ] [~]
+→ cat /etc/systemd/system/moneronode.service
+[Unit]
+Description=monerod
+After=network.target
+Wants=network.target
+
+[Service]
+ExecStart=/usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 --p2p-bind-ip=0.0.0.0 --p2p-bind-port=18080 --confirm-external-bind --non-interactive
+Restart=on-failure
+RestartSec=10s
+
+
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+
+
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to take a look at how to setup a monero wallet locally, how to recieve some monero there, and how to send monero to someone else.
+ +Now on whonix there can be some issues with syncing to the monero nodes over the CLI monero wallet, due to the slow tor network and connection timeouts, So we'll first cover how to install the GUI monero wallet:
+First let's download the monero GUI wallet from https://getmonero.org: (.onion address: http://monerotoruzizulg5ttgat2emf4d6fbmiea25detrmmy7erypseyteyd.onion )
+ +Then we unpack it on the desktop and run the appimage:
+
+[ Whonix ] [ /dev/pts/5 ] [~]
+→ mv /home/user/.tb/tor-browser/Browser/Downloads/monero-gui-linux-x64-v0.18.3.3.tar.bz2 ~/Desktop/
+
+[ Whonix ] [ /dev/pts/5 ] [~/Desktop]
+→ cd Desktop
+
+
+[ Whonix ] [ /dev/pts/5 ] [~/Desktop]
+→ tar -xvf monero-gui-linux-x64-v0.18.3.3.tar.bz2 (2)
+monero-gui-v0.18.3.3/
+monero-gui-v0.18.3.3/LICENSE
+monero-gui-v0.18.3.3/extras/
+monero-gui-v0.18.3.3/extras/monero-blockchain-ancestry
+
+[...]
+
+monero-gui-v0.18.3.3/monero-wallet-gui
+monero-gui-v0.18.3.3/monero-wallet-gui.AppImage
+monero-gui-v0.18.3.3/monerod
+
+[ Whonix ] [ /dev/pts/5 ] [~/Desktop]
+→ cd monero-gui-v0.18.3.3
+
+[ Whonix ] [ /dev/pts/5 ] [~/Desktop/monero-gui-v0.18.3.3]
+→ ls
+LICENSE extras monero-gui-wallet-guide.pdf monero-wallet-gui monero-wallet-gui.AppImage monerod
+
+[ Whonix ] [ /dev/pts/5 ] [~/Desktop/monero-gui-v0.18.3.3]
+→ ./monero-wallet-gui.AppImage (130)
+2024-04-27 09:57:47.456 W Qt:5.15.13 GUI:- | screen: 3840x2160 - available: QSize(3840, 2129) - dpi: 96 - ratio:2.22803
+2024-04-27 09:57:49.847 W qrc:/qt-project.org/imports/QtQuick/Dialogs/DefaultFileDialog.qml:413:17: QML ToolButton: Binding loop detected for property "implicitHeight"
+2024-04-27 09:57:49.850 W qrc:/qt-project.org/imports/QtQuick/Dialogs/DefaultFileDialog.qml:309:21: QML Button: Binding loop detected for property "implicitHeight"
+
+
+Now that the archive is extracted, make sure that the monero wallet gets added to the list of software of your OS:
+ + +Here we use advanced mode as we want to choose our node:
+ + + + +Here very important, make sure you save your monero mnemonic phrase (recovery phrase) into your keepass, along with the recovery height, :
+ + +Then have a wallet password (local password) to open your wallet locally::
+ + + +Here we pick a clearnet monero node (if you dont want to, scroll down to know how to setup a .onion monero node)
+ + + + +Here just wait for the monero wallet to finish synchronizing with the monero node:
+ +Now here you can use the monero wallet like that without going through tor (but here we're in whonix so it goes through tor anyway), if you want to use .onion monero nodes you will need to enable the SOCKS5 proxy option inside the wallet:
+ + +Now with this setup we can use .onion monero nodes as follows (pick one you trust from https://monero.fail/ for example my .onion monero node at this URL: http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion:18081
+ +Here again, wait for the monero wallet to finish synchronizing to be able to recieve and send monero:
+ +Now that we're setup let's get some monero from localmonero.co:
+AS OF 7TH OF MAY 2024 LOCALMONERO HAS STOPPED OPERATING, THEY WERE THE ONLY DIRECT FIAT -> XMR OPTION WITHOUT ANY KYC. this means you're now forced to use Haveno DEX!!!!
+ + + + +Now we want to buy monero for euros, for speed i recommend just buying some using SEPA instant transfer if your bank accepts it. However if you don't mind waiting weeks, the preferred method on localmonero.co is cash-by-mail, as cash can't be traced. But still, it shoudln't matter even if you buy monero with your credit card to a random vendor, your bank will see that you sent money to someone, and if the vendor is malicious they may log that you bought some monero, but still they will be unable to know what you do with your monero. it's like retrieving cash from the bank, the bank knows you bought some cash but they can't know what you do with it.
+So here we want to find a vendor that offers monero for SEPA instant transfers, preferably someone who doesn't do KYC.
+ +The trade should go like this:
+if trade is completed smoothly, always rate vendors as trustworthy, as this is how localmonero works, always on trust.
+Now that you recieved some monero, you can send them to whoever has a XMR address like i do:
+ +for example if you want to donate a few leftovers moneros like this feel free to do so:
+ +Keep in mind that services that ask you to pay monero, they will ask you to send an EXACT monero amount for purchases (ex: 0.763011 XMR), that is intentional, do not send more than requested as it is used to know from which customer the monero comes from.
+ +BONUS: CLI Wallet Setup +If you want to get the full Haxx0r vibes, you can install the monero CLI wallet aswell:
+
+[ mainpc ] [ /dev/pts/2 ] [~/Desktop]
+→ apt install monero -y
+
+[ mainpc ] [ /dev/pts/2 ] [~/Desktop]
+→ monero-wallet-cli --version
+Monero 'Fluorine Fermi' (v0.18.0.0-unknown)
+
+
+
+Once it finishes installing, create your monero wallet:
+ +If you're doing it from a whonix VM, then say no to mining and use an onion-based monero daemon (if not on a whonix VM, then use a clearnet monero node), like the one i'm hosting, you can find a full list of other ones on monero.fail or on xmr.datura.network :
+ +Wait for it to finish synchronizing, then you can go get some monero from a vendor on localmonero.co (by giving them a wallet address you'd have created:
+
+apt install monero -y
+
+monero-wallet-cli
+#follow the instructions to create your wallet
+#synchronize it with this command:
+set_daemon http://uyjehlovjudh2wlvkp5a2seme5vgqc4o463atkv2ulsovloqrqw2icyd.onion:18081 trusted
+#then wait for the daemon to finish synchronizing, and type "refresh" regularly to make sure that it synchronizes with the node, expect to type that command a few times as tor connections are unstable at times.
+
+#OR you can use a clearnet monero node, but this is not recommended because you may be spied on!
+
+[wallet 49vq93 (no daemon)]: set_daemon http://datura.network:18081
+Error: This is not Tor/I2P address, and is not a trusted daemon.
+Error: Either use your own trusted node, connect via Tor or I2P, or pass this-is-probably-a-spy-node and be spied on.
+
+[wallet 49vq93 (no daemon)]: set_daemon http://datura.network:18081 this-is-probably-a-spy-node
+Warning: connecting to a non-local daemon without SSL, passive adversaries will be able to spy on you.
+Daemon set to http://datura.network:18081, untrusted
+[wallet 49vq93 (out of sync)]: refresh
+Starting refresh...
+
+[wallet 49vq93 (out of sync)]: refresh
+Starting refresh...
+Refresh done, blocks received: 19388
+Currently selected account: [0] Primary account
+Tag: (No tag assigned)
+Balance: 0.000000000000, unlocked balance: 0.000000000000
+
+
+
+Once that's done, you can order monero from a non-KYC exchange here (out of which i recommend using Haveno DEX.
+You're going to need to create a monero address first like so:
+
+[wallet 49vq93]: help
+
+Important commands:
+
+"welcome" - Show welcome message.
+"help all" - Show the list of all available commands.
+"help <command>" - Show a command's documentation.
+"apropos <keyword>" - Show commands related to a keyword.
+
+"wallet_info" - Show wallet main address and other info.
+"balance" - Show balance.
+"address all" - Show all addresses.
+"address new" - Create new subaddress.
+"transfer <address> " - Send XMR to an address.
+"show_transfers [in|out|pending|failed|pool]" - Show transactions.
+"sweep_all <address>" - Send whole balance to another wallet.
+"seed" - Show secret 25 words that can be used to recover this wallet.
+"refresh" - Synchronize wallet with the Monero network.
+"status" - Check current status of wallet.
+"version" - Check software version.
+"exit" - Exit wallet.
+
+"donate <amount>" - Donate XMR to the development team.
+
+[wallet 49vq93 (out of sync)]: address new
+1 85j1rw64XoMhrXc55kwdCdFAmXaiU23MHYf1VBSLExTve5WM1NeFfw13wXrDeUumj48h5G4nuw3tuAxqpw5WyXniE8pE8uK (Untitled address)
+[wallet 49vq93 (out of sync)]: address new localmonero
+2 89uyMGJunXfSC375iEptD2WLCb5uidKJSEuUYL3n5fRMg6ccM7L5prSUi9YGgGFPS5T8Z95BJh93HKykUYWECmNfJhNFb9z localmonero
+
+
+in this case, we'll use the 89uyMGJunXfSC375iEptD2WLCb5uidKJSEuUYL3n5fRMg6ccM7L5prSUi9YGgGFPS5T8Z95BJh93HKykUYWECmNfJhNFb9z address for all trades on haveno DEX. DO NOT USE IT ELSEWHERE! just like passwords, you want to have one per service. If you want to recieve monero from another place, create a new address.
+ + +Check out my other tutorials on Decentralised Finances below:
+ + + ++ Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+
In this tutorial we're going to take a look at how to setup a monero node
+ +First install monero from the repositories:
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ apt install monero -y
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ vim /etc/systemd/system/moneronode.service
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ cat /etc/systemd/system/moneronode.service
+[Unit]
+Description=monerod
+After=network.target
+Wants=network.target
+
+[Service]
+ExecStart=/usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 --p2p-bind-ip=0.0.0.0 --p2p-bind-port=18080 --confirm-external-bind --non-interactive
+Restart=on-failure
+RestartSec=10s
+
+
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+
+If you want to have a local-only monero node to use over tor, you can use this config instead:
+
+[ Wonderland ] [ /dev/pts/9 ] [/mnt/md3]
+→ cat /etc/systemd/system/moneronode.service
+[Unit]
+Description=monerod
+After=network.target
+Wants=network.target
+
+[Service]
+ExecStart=/usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /mnt/md3/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=127.0.0.1 --p2p-bind-ip=127.0.0.1 --p2p-bind-port=18080 --non-interactive
+Restart=on-failure
+RestartSec=10s
+
+
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+
+
+
+Then wait for it to sync after enabling the systemd service:
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl daemon-reload
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl enable --now moneronode
+Created symlink /etc/systemd/system/multi-user.target.wants/moneronode.service → /etc/systemd/system/moneronode.service.
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl status moneronode
+● moneronode.service - monerod
+ Loaded: loaded (/etc/systemd/system/moneronode.service; enabled; preset: enabled)
+ Active: active (running) since Sun 2023-07-09 15:36:44 CEST; 2min 22s ago
+ Main PID: 8410 (monerod)
+ Tasks: 30 (limit: 77000)
+ Memory: 1.7G
+ CPU: 1min 53.681s
+ CGroup: /system.slice/moneronode.service
+ └─8410 /usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 ->
+
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.055 I Synced 88702/2925934 (3%, 2837232 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.188 I Synced 88752/2925934 (3%, 2837182 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.310 I Synced 88802/2925934 (3%, 2837132 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.452 I Synced 88852/2925934 (3%, 2837082 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.576 I Synced 88902/2925934 (3%, 2837032 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.756 I Synced 88952/2925934 (3%, 2836982 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.890 I Synced 89002/2925934 (3%, 2836932 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.060 I Synced 89052/2925934 (3%, 2836882 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.182 I Synced 89088/2925934 (3%, 2836846 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.376 I Synced 89138/2925934 (3%, 2836796 left)
+
+
+On a SSD it may take 1 day, and weigh approximately 60 gigs as of writing this tutorial. The synchronisation is a very disk-intensive process, and so it is required to do it on a nvme disk or ssd at least. If you try to do that on a HDD it will take much, much longer. If you don't have a choice, sync it on a nvme somewhere and then rsync it to a server that has only HDDs.
+ +Then allow the ports you want from ufw:
+
+root@XMR:~# sudo ufw allow 18080
+Rules updated
+Rules updated (v6)
+
+root@XMR:~# sudo ufw allow 18081
+Rules updated
+Rules updated (v6)
+
+
+Once you've finished setting up your monero instance, make sure you have it listed on https://monero.fail or on https://xmr.datura.network.
+Once your monero node is synchronized, you can allow tor users to access it via a .onion link like so:
+
+[ Wonderland ] [ /dev/pts/9 ] [~]
+→ apt install tor
+
+[ Wonderland ] [ /dev/pts/9 ] [~]
+→ cat /etc/tor/torrc
+HiddenServiceDir /var/lib/tor/monero-service/
+HiddenServicePort 18080 127.0.0.1:18080
+HiddenServicePort 18081 127.0.0.1:18081
+
+
+[ Wonderland ] [ /dev/pts/9 ] [~]
+→ systemctl restart tor@default
+
+
+Then find your onion link right here:
+
+[ Wonderland ] [ /dev/pts/9 ] [~]
+→ cat /var/lib/tor/monero-service/hostname
+uyjehlovjudh2wlvkp5a2seme5vgqc4o463atkv2ulsovloqrqw2icyd.onion
+
+
+And then you can use it to connect to it via your monero wallet. as shown here
+
+apt install monero -y
+
+monero-wallet-cli
+#follow the instructions to create your wallet
+#synchronize it with this command:
+set_daemon http://uyjehlovjudh2wlvkp5a2seme5vgqc4o463atkv2ulsovloqrqw2icyd.onion:18081 trusted
+#then wait for the daemon to finish synchronizing, and type "refresh" regularly to make sure that it synchronizes with the node, expect to type that command a few times as tor connections are unstable at times.
+refresh
+status
+
+
+ + Until there is Nothing left. + +
+
+
+ RSS Feed
Matrix Chat
+
+
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@nihilism.network (PGP)
+