diff --git a/README.md b/README.md index e69de29..49f69dc 100644 --- a/README.md +++ b/README.md @@ -0,0 +1 @@ +# How to contribute diff --git a/index.html b/index.html new file mode 100644 index 0000000..21ce35c --- /dev/null +++ b/index.html @@ -0,0 +1,197 @@ + + + + + + + + + + + nihilist - Categories + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+

nihilist

+

Anonymity Tutorials

+

+

Showing how Anonymity can be achieved online.

+
+ + +
+
+
+ + +
+
+
+
+

nihilist

+

Server Installations

+

+

Setting up servers once, and sharing tutorials to show everyone how it's done.

+
+ + +
+
+
+ + + +
+
+
+
+

nihilist

+

HTB Writeups (General Hacking)

+ +

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.

+
+ +
+
+
+ + + +
+
+
+
+

nihilist

+

Networking

+

+

Cisco Packet Tracer Simulations.

+
+ +
+
+
+ +
+
+
+
+

nihilist

+

Binary Exploitation

+

+

gdb, gef, ghidra, pwntools, assembly, C, 32-64bit binaries, reverse engineering, CTF challenges

+
+
+
+
+ + + + +
+
+
+
+

nihilist

+

Configurations

+ +

One liners, i3 minimal installs, terminal setup, etc.

+
+ +
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + diff --git a/servers/0_ddns/0.png b/servers/0_ddns/0.png new file mode 100644 index 0000000..169bfae Binary files /dev/null and b/servers/0_ddns/0.png differ diff --git a/servers/0_ddns/index.html b/servers/0_ddns/index.html new file mode 100644 index 0000000..a05b1df --- /dev/null +++ b/servers/0_ddns/index.html @@ -0,0 +1,130 @@ + + + + + + + + + + + DuckDNS + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 00 / 00 / 00

+

0

+

Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.

+

You can use DuckDNS to get a free domain name:

+ +

+[ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+→ ssh root@ech4.duckdns.org
+The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + + diff --git a/servers/0_not/index.html b/servers/0_not/index.html new file mode 100644 index 0000000..011b53f --- /dev/null +++ b/servers/0_not/index.html @@ -0,0 +1,193 @@ + + + + + + + + + + + SRVNAME Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

notorious - 00 / 00 / 00

+

SRVNAME Setup

+ +

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+
+
+
+
+ +
+
+
+
+

Setup



+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Setup



+

+

+	
+
+ +

+

+	
+
+ +

+

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Death Is Near. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+
+
+

About Notorious

+

Donate XMR:498pGjtN5jKGG4QJ7ubS5rVdsWEgovzgM6cCQpFwhXiPSq39q1izZE7UFTfxinyrZud2PpLRMiU6DJUnCEsR3iPGHqswj9U


Contact:notorious@notorious-cloud.com

+
+
+ +
+ + + + + + + + diff --git a/servers/0_test/index.html b/servers/0_test/index.html new file mode 100644 index 0000000..e274d55 --- /dev/null +++ b/servers/0_test/index.html @@ -0,0 +1,194 @@ + + + + + + + + + + + SRVNAME + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 00 / 00 / 00

+

SRVNAME Setup

+ +

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+
+
+
+
+ +
+
+
+
+

Setup



+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Setup



+

+

+	
+
+ +

+

+	
+
+ +

+

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + + diff --git a/servers/Arch/0.png b/servers/Arch/0.png new file mode 100644 index 0000000..ef3d6b6 Binary files /dev/null and b/servers/Arch/0.png differ diff --git a/servers/Arch/0.sh b/servers/Arch/0.sh new file mode 100644 index 0000000..3082f29 --- /dev/null +++ b/servers/Arch/0.sh @@ -0,0 +1,32 @@ +######################## MANUAL !!! ############################ + +loadkeys fr +timedatectl set-ntp true +ping -c3 archlinux.org + +pacman -Syy +pacman -S reflector +reflector -c "France" -f 12 -l 10 -n 12 --save /etc/pacman.d/mirrorlist + +fdisk -l | grep /dev/sd | grep Disk +#/dev/sda 64gb +cfdisk /dev/sda +################EFI################ +#gpt +#delete existing partitions +#select freespace +#first partition : 1G (EFI) +#last partition : 499G (Linux Root x86_64) +#hit write +#hit quit +mkfs.vfat /dev/sda1 +mkfs.ext4 /dev/sda2 + +mount /dev/sda2 /mnt +mkdir /mnt/boot/ +mount /dev/sda1 /mnt/boot/ + +pacstrap /mnt base base-devel linux linux-firmware sudo nano wget +genfstab -U /mnt >> /mnt/etc/fstab +arch-chroot /mnt +#welcome to chroot, use the first script! diff --git a/servers/Arch/1.png b/servers/Arch/1.png new file mode 100644 index 0000000..75e5617 Binary files /dev/null and b/servers/Arch/1.png differ diff --git a/servers/Arch/1.sh b/servers/Arch/1.sh new file mode 100644 index 0000000..c59edc7 --- /dev/null +++ b/servers/Arch/1.sh 
@@ -0,0 +1,59 @@ +#!/bin/sh +################ THE FIRST SCRIPT STARTS HERE ############### +#once in arch-chroot, you must run this ! + +ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime +hwclock --systohc --utc +mkinitcpio -P +date + +echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen +echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen + +echo 'LANG=en_US.UTF-8' >/etc/locale.conf +echo 'LANGUAGE= en_US.UTF-8' >> /etc/locale.conf +echo 'LC_MESSAGES= en_US.UTF-8'>> /etc/locale.conf + +locale-gen +echo 'KEYMAP=fr' > /etc/vconsole.conf + +echo 'nowhere' > /etc/hostname + +echo "127.0.0.1 localhost" > /etc/hosts +echo "127.0.1.1 localhost" >> /etc/hosts +echo "::1 localhost" >> /etc/hosts + +pacman -S networkmanager dhcpcd refind +systemctl enable NetworkManager +systemctl enable dhcpcd + +echo +echo '[+] ENTER ROOT PASSWORD!' +passwd + +echo '[+] what is the name of the user ?' +read username + +useradd $username +mkdir /home/$username +cp /etc/skel/.* /home/$username/ +chown -R $username: /home/$username +#set nothing's password +echo +echo '[+] ENTER USERS PASSWORD!' +passwd $username +pacman -S sudo +echo '%wheel ALL=(ALL) ALL' >> /etc/sudoers +usermod -aG wheel $username + +#pacman -S grub os-prober +#grub-install /dev/sda + +#grub-mkconfig -o /boot/grub/grub.cfg + +refind-install +echo \"Boot with minimal options\" \"rw root=$(blkid /dev/sda2 | awk '{print $2}' | tr -d '"') initrd=initramfs-linux.img\" > /boot/refind_linux.conf + +echo 'now type "exit" to go out of arch-chroot' +echo 'type umount /mnt/boot /mnt' +echo 'and type "reboot" to reboot into your arch install.' diff --git a/servers/Arch/2.sh b/servers/Arch/2.sh new file mode 100644 index 0000000..d74a107 --- /dev/null +++ b/servers/Arch/2.sh 
@@ -0,0 +1,162 @@ +#!/bin/sh +########################SECOND SCRIPT########################## + + +if [ "$EUID" -eq 0 ] +then + echo 'MUST NOT RUN AS ROOT!' + exit +fi + +sudo pacman -Syy +sudo pacman -S reflector +sudo reflector -c "France" -f 12 -l 10 -n 12 --save /etc/pacman.d/mirrorlist + +sudo pacman -Syu +echo +#sudo pacman -S python3 python-pip +#sudo pacman -S arch-wiki-docs adobe-source-han-sans-jp-fonts adobe-source-han-sans-tw-fonts feh vi ttf-dejavu +#sudo pacman -S rofi xorg bash-completion vlc tmux git engrampa alacritty lightdm base-devel lightdm-gtk-greeter +#sudo pacman -S i3lock dmenu network-manager-applet wmctrl thunar gnome-disk-utility thunar-volman gvfs lxappearance +#sudo pacman -S udiskie mesa xorg i3 flameshot nvidia nvidia-settings nvidia-utils +#sudo pacman -S gnome-keyring +sudo pacman -S mpd ncmpcpp gnome-keyring udiskie mesa xorg i3 flameshot nvidia nvidia-settings nvidia-utils i3lock dmenu network-manager-applet wmctrl thunar gnome-disk-utility thunar-volman gvfs lxappearance python3 rofi xorg bash-completion vlc tmux git engrampa alacritty lightdm base-devel lightdm-gtk-greeter python-pip arch-wiki-docs adobe-source-han-sans-jp-fonts adobe-source-han-sans-tw-fonts feh vi ttf-dejavu remmina torbrowser-launcher +#arch wiki is in file:///usr/share/doc/arch-wiki/html/en/Arch_Linux.html + +username=$(ls /home | head -n1 | sed 's/\/$//') + +#I3 ! +cd /home/$username +mkdir .config +cd .config +mkdir i3 +cd i3 +wget https://ech1.github.io/blog/Conf/i3config -O config + + +cd /home/$username +git clone https://github.com/gpakosz/.tmux.git +ln -s -f .tmux/.tmux.conf +cp .tmux/.tmux.conf.local . 
+ +wget https://ech1.github.io/blog/Conf/tmux.conf.local +mv tmux.conf.local .tmux.conf.local + + +wget https://ech1.netlify.app/conf/bashrc -O .bashrc + +sudo wget https://ech1.github.io/blog/Conf/i3status.conf -O /etc/i3status.conf + +cd .config +mkdir alacritty +cd alacritty +wget https://ech1.github.io/blog/Conf/alacritty.yml + +cd /home/$username/ +mkdir Pictures +mkdir Documents +mkdir .ssh +cd Pictures +wget https://ech1.github.io/blog/wallpaper3.png +#wget https://ech1.github.io/blog/wallpaper_triple.png + +cd /home/$username/ +mkdir Music +cd Music +mkdir Life +cd Life +wget https://ech1.github.io/blog/Conf/Infiltration.mp3 + +#sudo +#apt install sudo -y +#/usr/sbin/usermod -aG sudo $username + +bash -c "$(wget https://ech1.netlify.app/Conf/xfce.sh -O -)" + +#chown -R $username:$username /home/$username/ +#cp /home/$username/.bashrc ~/.bashrc + + +cd /home/$username/ +wget https://ech1.github.io/blog/Conf/lockedscreen.png +wget https://ech1.github.io/blog/assets/img/user1.png +mkdir Tools +cd Tools + +git clone https://aur.archlinux.org/yay-git.git +cd yay-git +makepkg -si +yay -S pnmixer i3lock-color xrdp archtorify-git polybar picom-jonaburg-git i3-gaps + +#yay -S polybar-git +mkdir -p /home/$username/.config/polybar/ +#cp /usr/share/doc/polybar/config ~/.config/polybar/polybar.conf + + + + + +mkdir -p /home/$username/.config/picom/ +wget https://ech1.github.io/blog/Conf/picom.conf -O /home/$username/.config/picom/picom.conf + +#sudo pip3 install i3-workspace-names-daemon + + +sudo systemctl enable xrdp + +cd + +sudo wget https://ech1.github.io/blog/servers/Arch/20-keyboard.conf -O /etc/X11/xorg.conf.d/20-keyboard.conf +sudo wget https://ech1.github.io/blog/servers/Arch/lightdm-gtk-greeter.conf -O /etc/lightdm/lightdm-gtk-greeter.conf +sudo sed -i 's/#greeter-session=.*/greeter-session=lightdm-gtk-greeter/gi' /etc/lightdm/lightdm.conf +sudo wget https://ech1.github.io/blog/Conf/Lain.rasi -O /usr/share/rofi/themes/Lain.rasi +sudo wget 
https://ech1.github.io/blog/servers/Arch/archtor.service -O /etc/systemd/system/archtor.service +sudo pacman -S ranger +sudo mkdir /home/$username/.config/ranger/ +sudo wget https://ech1.github.io/blog/Conf/rc.conf -O /home/$username/.config/ranger/rc.conf +sudo wget https://ech1.github.io/blog/Conf/rifle.conf -O /home/$username/.config/ranger/rifle.conf + +sudo systemctl daemon-reload +#sudo systemctl enable archtor + + +sudo mkdir /usr/share/backgrounds/ +sudo cp /home/$username/Pictures/wallpaper3.png /usr/share/backgrounds/wallpaper2.png +sudo cp /home/$username/Pictures/user1.png /usr/share/backgrounds/ + +sudo wget https://ech1.github.io/blog/servers/Arch/i3locker.sh -O /usr/local/bin/i3locker +sudo wget https://ech1.github.io/blog/servers/Arch/music.sh -O /usr/local/bin/music +sudo wget https://ech1.github.io/blog/servers/Arch/music_trance.sh -O /usr/local/bin/music_trance +chmod +x /usr/local/bin/i3locker +chmod +x /usr/local/bin/music + + +curl https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh | sh + + + +#sudo pacman -S picom +mkdir -p /home/$username/.config/picom/ +sudo wget https://ech1.github.io/blog/Conf/picom.conf -O /home/$username/.config/picom/picom.conf + + +echo '[multilib]' >> /etc/pacman.d/mirrorlist +echo 'Include = /etc/pacman.d/mirrorlist' >> /etc/pacman.d/mirrorlist + +#mpd +mkdir -p /home/$username/.config/mpd/playlists +wget https://blog.void.yt/Conf/mpd.conf -O /home/$username/.config/mpd/mpd.conf +#systemctl enable --now mpd +#broken garbage ^ must be ran by user as i3config + +sudo pacman -S noto-fonts-emoji + + + +#echo '[+] PLEASE CHOOSE THE CORRECT CARD DRIVER FOR THE STEAM INSTALLATION !!!' +#sudo pacman -Sy steam + +sudo systemctl enable --now lightdm +#lxappearance +#sudo gnome-disks to automount everything +#and you're done! diff --git a/servers/Arch/2.tor.sh b/servers/Arch/2.tor.sh new file mode 100644 index 0000000..edbfd0c --- /dev/null +++ b/servers/Arch/2.tor.sh 
@@ -0,0 +1,133 @@ +#!/bin/sh +########################SECOND SCRIPT########################## + + +if [ "$EUID" -eq 0 ] +then + echo 'MUST NOT RUN AS ROOT!' + exit +fi + +sudo pacman -Syy +sudo pacman -S reflector +sudo reflector -c "France" -f 12 -l 10 -n 12 --save /etc/pacman.d/mirrorlist + +sudo pacman -Syu +echo +#sudo pacman -S python3 python-pip +#sudo pacman -S arch-wiki-docs adobe-source-han-sans-jp-fonts adobe-source-han-sans-tw-fonts feh vi ttf-dejavu +#sudo pacman -S rofi xorg bash-completion vlc tmux git engrampa alacritty lightdm base-devel lightdm-gtk-greeter +#sudo pacman -S i3lock dmenu network-manager-applet wmctrl thunar gnome-disk-utility thunar-volman gvfs lxappearance +#sudo pacman -S udiskie mesa xorg i3 flameshot nvidia nvidia-settings nvidia-utils +#sudo pacman -S gnome-keyring +sudo pacman -S gnome-keyring udiskie mesa xorg i3 flameshot nvidia nvidia-settings nvidia-utils i3lock dmenu network-manager-applet wmctrl thunar gnome-disk-utility thunar-volman gvfs lxappearance python3 rofi xorg bash-completion vlc tmux git engrampa alacritty lightdm base-devel lightdm-gtk-greeter python-pip arch-wiki-docs adobe-source-han-sans-jp-fonts adobe-source-han-sans-tw-fonts feh vi ttf-dejavu remmina torbrowser-launcher +#arch wiki is in file:///usr/share/doc/arch-wiki/html/en/Arch_Linux.html + +username=$(ls /home | head -n1 | sed 's/\/$//') + +#I3 ! +cd /home/$username +mkdir .config +cd .config +mkdir i3 +cd i3 +wget https://ech1.github.io/blog/Conf/i3config -O config + + +cd /home/$username +git clone https://github.com/gpakosz/.tmux.git +ln -s -f .tmux/.tmux.conf +cp .tmux/.tmux.conf.local . 
+ +wget https://ech1.github.io/blog/Conf/tmux.conf.local +mv tmux.conf.local .tmux.conf.local + + +wget https://ech1.netlify.app/conf/bashrc -O .bashrc + +sudo wget https://ech1.github.io/blog/Conf/i3status.conf -O /etc/i3status.conf + +cd .config +mkdir alacritty +cd alacritty +wget https://ech1.github.io/blog/Conf/alacritty.yml + +cd /home/$username/ +mkdir Pictures +cd Pictures +wget https://ech1.github.io/blog/wallpaper3.png +#wget https://ech1.github.io/blog/wallpaper_triple.png + +cd /home/$username/ +mkdir Music +cd Music +mkdir Life +cd Life +wget https://ech1.github.io/blog/Conf/Infiltration.mp3 + +#sudo +#apt install sudo -y +#/usr/sbin/usermod -aG sudo $username + +bash -c "$(wget https://ech1.netlify.app/Conf/xfce.sh -O -)" + +#chown -R $username:$username /home/$username/ +#cp /home/$username/.bashrc ~/.bashrc + + +cd /home/$username/ +wget https://ech1.github.io/blog/Conf/lockedscreen.png +wget https://ech1.github.io/blog/assets/img/user1.png +mkdir Tools +cd Tools + +git clone https://aur.archlinux.org/yay-git.git +cd yay-git +makepkg -si +yay -S pnmixer i3lock-color xrdp archtorify-git + +yay -S picom-jonaburg-git i3-gaps +mkdir -p /home/$username/.config/picom/ +wget https://ech1.github.io/blog/Conf/picom.conf -O /home/$username/.config/picom/picom.conf + +#sudo pip3 install i3-workspace-names-daemon + + +sudo systemctl enable xrdp + +cd + +sudo wget https://ech1.github.io/blog/servers/Arch/20-keyboard.conf -O /etc/X11/xorg.conf.d/20-keyboard.conf +sudo wget https://ech1.github.io/blog/servers/Arch/lightdm-gtk-greeter.conf -O /etc/lightdm/lightdm-gtk-greeter.conf +sudo wget https://ech1.github.io/blog/servers/Arch/Lain.rasi -O /usr/share/rofi/themes/Lain.rasi + +sudo wget https://ech1.github.io/blog/servers/Arch/archtor.service -O /etc/systemd/system/archtor.service +sudo systemctl daemon-reload +sudo systemctl enable --now archtor + + +sudo mkdir /usr/share/backgrounds/ +sudo cp /home/$username/Pictures/wallpaper3.png 
/usr/share/backgrounds/wallpaper2.png +sudo cp /home/$username/Pictures/user1.png /usr/share/backgrounds/user1.png + +sudo wget https://ech1.github.io/blog/servers/Arch/i3locker.sh -O /usr/local/bin/i3locker + +curl https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh | sh + + + +sudo pacman -S picom +mkdir -p /home/$username/.config/picom/ +sudo wget https://ech1.github.io/blog/Conf/picom.conf -O /home/$username/.config/picom/picom.conf + + +echo '[multilib]' >> /etc/pacman.d/mirrorlist +echo 'Include = /etc/pacman.d/mirrorlist' >> /etc/pacman.d/mirrorlist + +echo '[+] PLEASE CHOOSE THE CORRECT CARD DRIVER FOR THE STEAM INSTALLATION !!!' +sudo pacman -Sy steam + +sudo systemctl enable --now lightdm +#lxappearance +#sudo gnome-disks to automount everything +#and you're done! diff --git a/servers/Arch/20-keyboard.conf b/servers/Arch/20-keyboard.conf new file mode 100644 index 0000000..4c2237b --- /dev/null +++ b/servers/Arch/20-keyboard.conf @@ -0,0 +1,6 @@ +Section "InputClass" + Identifier "keyboard" + MatchIsKeyboard "yes" + Option "XkbLayout" "us" + Option "XkbVariant" "nodeadkeys" +EndSection diff --git a/servers/Arch/3.sh b/servers/Arch/3.sh new file mode 100644 index 0000000..94609c5 --- /dev/null +++ b/servers/Arch/3.sh @@ -0,0 +1,31 @@ +#!/bin/sh + +if [ "$EUID" -ne 0 ] +then + echo 'MUST RUN AS ROOT!' + exit +fi + + + +pacman -S firefox curl keepass discord telegram-desktop virt-manager qemu libvirt ebtables dnsmasq bridge-utils libreoffice + +username=$(ls /home | head -n1 | sed 's/\/$//') + + + +sudo gpasswd -a $username libvirt +sudo systemctl enable libvirtd --now +sudo systemctl status libvirtd + +mkdir /home/$username/Documents/ +mkdir /home/$username/Documents/Github/ +mkdir /home/$username/Documents/ISOS/ +mkdir /home/$username/backups + + +sudo -u $username bash -c "$(wget https://raw.githubusercontent.com/ech1/serverside/master/ssh/ssh_arch.sh -O -)" + + + + 
diff --git a/servers/Arch/Lain.rasi b/servers/Arch/Lain.rasi new file mode 100644 index 0000000..c30b7a5 --- /dev/null +++ b/servers/Arch/Lain.rasi 
@@ -0,0 +1,142 @@ +/** + * ROFI Color theme + * User: Qball + * Copyright: Dave Davenport + */ + +* { + selected-normal-foreground: rgba ( 0, 0, 0, 100 % ); /*important*/ + foreground: rgba ( 209, 204, 115, 100 % ); /*important*/ + normal-foreground: @foreground; + alternate-normal-background: rgba ( 22, 22, 22, 100 % ); /*important*/ + red: rgba ( 220, 50, 47, 100 % ); + selected-urgent-foreground: rgba ( 183, 28, 28, 100 % ); + blue: rgba ( 105, 58, 71, 100 % ); + urgent-foreground: rgba ( 255, 205, 210, 100 % ); + alternate-urgent-background: rgba ( 183, 28, 28, 100 % ); + active-foreground: rgba ( 178, 235, 242, 100 % ); + lightbg: rgba ( 238, 232, 213, 100 % ); + selected-active-foreground: rgba ( 0, 96, 100, 100 % ); + alternate-active-background: rgba ( 0, 96, 100, 100 % ); + background: rgba ( 0, 0, 0, 100 % ); /*important*/ + bordercolor: rgba ( 232, 234, 246, 100 % ); + alternate-normal-foreground: @foreground; + normal-background: rgba ( 137, 134, 76, 3 % ); + lightfg: rgba ( 88, 104, 117, 100 % ); + selected-normal-background: rgba ( 209, 204, 115, 100 % ); /*important*/ + border-color: @foreground; + spacing: 2; + separatorcolor: rgba ( 209, 204, 115, 100 % ); /*important*/ + urgent-background: rgba ( 223, 110, 0, 6 % ); + selected-urgent-background: rgba ( 255, 205, 210, 100 % ); + alternate-urgent-foreground: @urgent-foreground; + background-color: rgba ( 0, 0, 0, 0 % ); + alternate-active-foreground: @active-foreground; + active-background: rgba ( 223, 110, 0, 6 % ); + selected-active-background: rgba ( 137, 134, 76, 100 % ); +} +window { + background-color: @background; + border: 1; + padding: 5; +} +mainbox { + border: 0; + padding: 0; +} +message { + border: 2px 0px 0px ; + border-color: @separatorcolor; + padding: 1px ; +} +textbox { + text-color: @foreground; +} +listview { + fixed-height: 0; + border: 2px 0px 0px ; + border-color: @separatorcolor; + spacing: 2px ; + scrollbar: true; + padding: 2px 0px 0px ; +} +element { + border: 0; + 
padding: 1px ; +} +element.normal.normal { + background-color: @normal-background; + text-color: @normal-foreground; +} +element.normal.urgent { + background-color: @urgent-background; + text-color: @urgent-foreground; +} +element.normal.active { + background-color: @active-background; + text-color: @active-foreground; +} +element.selected.normal { + background-color: @selected-normal-background; + text-color: @selected-normal-foreground; +} +element.selected.urgent { + background-color: @selected-urgent-background; + text-color: @selected-urgent-foreground; +} +element.selected.active { + background-color: @selected-active-background; + text-color: @selected-active-foreground; +} +element.alternate.normal { + background-color: @alternate-normal-background; + text-color: @alternate-normal-foreground; +} +element.alternate.urgent { + background-color: @alternate-urgent-background; + text-color: @alternate-urgent-foreground; +} +element.alternate.active { + background-color: @alternate-active-background; + text-color: @alternate-active-foreground; +} +scrollbar { + width: 4px ; + border: 0; + handle-width: 8px ; + padding: 0; +} +mode-switcher { + border: 2px 0px 0px ; + border-color: @separatorcolor; +} +button.selected { + background-color: @selected-normal-background; + text-color: @selected-normal-foreground; +} +inputbar { + spacing: 0; + text-color: @normal-foreground; + padding: 1px ; +} +case-indicator { + spacing: 0; + text-color: @normal-foreground; +} +entry { + spacing: 0; + text-color: @normal-foreground; +} +prompt { + spacing: 0; + text-color: @normal-foreground; +} +inputbar { + children: [ prompt,textbox-prompt-colon,entry,case-indicator ]; +} +textbox-prompt-colon { + expand: false; + str: ":"; + margin: 0px 0.3em 0em 0em ; + text-color: @normal-foreground; +} diff --git a/servers/Arch/archtor.service b/servers/Arch/archtor.service new file mode 100644 index 0000000..a7b0737 --- /dev/null +++ b/servers/Arch/archtor.service 
@@ -0,0 +1,16 @@ +[Unit] +Description=Archtorify Startup Service +Wants=network-online.target + +[Service] +Type=forking +ExecStart=/usr/bin/archtorify -t +ExecReload=/usr/bin/archtorify -r +ExecStop=/usr/bin/archtorify -c +Restart=on-failure +RestartSec=10s + + +[Install] +WantedBy=multi-user.target + diff --git a/servers/Arch/echo_memento.sh b/servers/Arch/echo_memento.sh new file mode 100644 index 0000000..d2da28d --- /dev/null +++ b/servers/Arch/echo_memento.sh 
@@ -0,0 +1,112 @@ +#!/bin/bash +#boot into usb + +loadkeys fr +ping -c4 archlinux.org +timedatectl set-ntp true +ip a | grep inet + +pacman -Syy +pacman -S reflector + +reflector -c "France" -f 12 -l 10 -n 12 --save /etc/pacman.d/mirrorlist +fdisk -l + +#one harddrive : /dev/sda +#one partition : /dev/sda1 + +cfdisk /dev/sda +#gpt partition + +#delete this partition +#create new one (512M) (linux filesystem) + +#select freespace again +#create new one (20G) (linux filesystem) + +#select freespace again +#the rest is for home partition (linux filesystem) + +#write changes to disk type yes +#and quit + +lsblk +#now format it +#sda1 : 512M +#sda2 : 20G +#sda3 : restG +mkfs.fat -F32 /dev/sda1 +mkfs.ext4 /dev/sda2 +mkfs.ext4 /dev/sda3 + +mount /dev/sda2 /mnt +mkdir /mnt/home + +mount /dev/sda3 /mnt/home + +lsblk +#sda2 is mounted to mnt +#sda3 is mounted to /mnt/home + +pacstrap -i /mnt base linux linux-firmware sudo nano +#skid faisait base linux linux-firmware + +genfstab -U /mnt >> /mnt/etc/fstab +cat /mnt/etc/fstab +#root partition +#and home partition + +arch-chroot /mnt /bin/bash + +ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime +hwclock --systohc --utc +date +#timezone correct ? 
+ +#nano /etc/locale.gen +echo 'en_US.UTF-8 UTF-8' > /etc/locale.gen +echo 'LANG=en_US.UTF-8' >/etc/locale.conf +locale-gen +echo 'KEYMAP=fr' > /etc/vconsole.conf + +echo 'nowhere' > /etc/hostname + +echo "127.0.0.1 localhost" > /etc/hosts +echo "127.0.1.1 localhost" >> /etc/hosts +echo "::1 localhost" >> /etc/hosts + +pacman -S networkmanager +systemctl enable NetworkManager + +pacman -S dhcpcd +systemctl enable dhcpcd + +#set root password +passwd + +useradd nothing +mkdir /home/nothing +cp /etc/skel/.* /home/nothing/ +chown -R nothing: /home/nothing +#set nothing's password +passwd nothing +pacman -S sudo +echo '%wheel ALL=(ALL) ALL' >> /etc/sudoers +usermod -aG wheel nothing + + + +pacman -S grub os-prober efibootmgr +mkdir /boot/efi +mount /dev/sda1 /boot/efi + +lsblk + +grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --removable +grub-mkconfig -o /boot/grub/grub.cfg + +exit +umount -R /mnt +reboot + +#tarace go anarchy \ No newline at end of file diff --git a/servers/Arch/i3locker.service b/servers/Arch/i3locker.service new file mode 100644 index 0000000..5786934 --- /dev/null +++ b/servers/Arch/i3locker.service @@ -0,0 +1,12 @@ +[Unit] +Description=i3locker + +[Service] +Type=forking +Environment=DISPLAY=:0 +User=nothing +ExecStart=/usr/bin/i3lock -c 000000 + +[Install] +WantedBy=sleep.target suspend.target +Before=sleep.traget suspend.target \ No newline at end of file diff --git a/servers/Arch/i3locker.sh b/servers/Arch/i3locker.sh new file mode 100644 index 0000000..280a1a1 --- /dev/null +++ b/servers/Arch/i3locker.sh 
@@ -0,0 +1,24 @@ +#!/bin/sh +i3lock -c 003030 + #-i /home/nothing/Nextcloud/blog/wallpapers/wallpaper_real_blue.png + #--insidecolor=00141e \ + #--clock --datesize=70 \ + #--color=00141e \ + #--date-font=DejaVu \ + #--radius=350 \ + #--datecolor=d1cc73 \ + #--datestr="%H:%M:%S" \ + #--datepos="2140:860" \ + #--ringcolor=00141e \ + #--keyhlcolor=d1cc73 \ + #--verifcolor=00141e \ + #--indpos="2140:600" \ + #--timepos="0:0" \ + #--insidevercolor=d1cc73 \ + #--ringvercolor=d1cc73 \ + #--ring-width 5 \ + #-B 10 + #-i /home/nothing/lockedscreen.png \ + #-B 2 \ + #--color 000000 \ + diff --git a/servers/Arch/index.html b/servers/Arch/index.html new file mode 100644 index 0000000..ec8cac1 --- /dev/null +++ b/servers/Arch/index.html @@ -0,0 +1,211 @@ + + + + + + + + + + + Arch Install + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 27 / 09 / 2020

+

Arch Installation

+

First flash the arch iso on your usb stick:

+ +

Then just boot onto it from your BIOS.

+ +
+
+
+
+ + +
+
+
+
+

Manual beginning

+

This is the annoying part since i can't script it. If it doesn't work for you just use Anarchy installer, install arch on your + hard drive in a minimal way (with no DE (Desktop Environment) and no WM (Window Manager)).

+

+######################## MANUAL !!! ############################
+
+loadkeys fr
+timedatectl set-ntp true
+ping -c3 archlinux.org
+
+pacman -Syy
+pacman -S reflector
+reflector -c "France" -f 12 -l 10 -n 12 --save /etc/pacman.d/mirrorlist
+
+fdisk -l | grep /dev/sd | grep Disk
+#/dev/sda 64gb
+cfdisk /dev/sda
+################EFI################
+#gpt
+#delete existing partitions
+#select freespace
+#first partition : 1G (EFI) 
+#last partition : 499G (Linux Root x86_64)
+#hit write
+#hit quit
+mkfs.vfat /dev/sda1
+mkfs.ext4 /dev/sda2
+
+mount /dev/sda2 /mnt 
+mkdir /mnt/boot/
+mount /dev/sda1 /mnt/boot/
+
+pacstrap /mnt base base-devel linux linux-firmware sudo nano wget 
+genfstab -U /mnt >> /mnt/etc/fstab
+arch-chroot /mnt
+#welcome to chroot, use the first script!
+
+
+

This will setup your /dev/sda1 as a bootable linux partition, and makes the last 8GB as the swap partition.

+
+
+
+
+ +
+
+
+
+

First Script: Chroot Script



+

+

+wget https://blog.nihilism.network/servers/Arch/1.sh
+chmod +x 1.sh
+nano 1.sh
+./1.sh 
+
+
+

Just edit whatever you want in this script using nano and then execute it with ./1.sh

+ +
+
+
+
+ + + +
+
+
+
+

Post Install Script



+

After you've rebooted into your arch installation, you can configure your arch install however you want, but here's how i do it:

+

+wget https://blog.nihilism.network/servers/Arch/2.sh
+chmod +x 2.sh
+nano 2.sh
+./2.sh 
+
+
+ +

Post-booting:

+

+wget https://blog.nihilism.network/servers/Arch/3.sh
+chmod +x 3.sh
+nano 3.sh
+./3.sh 
+
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + + diff --git a/servers/Arch/lightdm-gtk-greeter.conf b/servers/Arch/lightdm-gtk-greeter.conf new file mode 100644 index 0000000..569a26f --- /dev/null +++ b/servers/Arch/lightdm-gtk-greeter.conf @@ -0,0 +1,11 @@ +[greeter] +background=/usr/share/backgrounds/wallpaper3.png +font-name = monospace Bold 14 +icon-theme-name = Flat-Remix-Blue-Dark +screensaver-timeout = 60 +theme-name = Numix-BLACK-SLATE +show-clock = false +position = 50%,center 50%,center +panel-position = top +default-user-image = /usr/share/backgrounds/user1.png +indicators = ~host;~spacer;~clock;~spacer;~language;~session;~ally;~power diff --git a/servers/Arch/music.sh b/servers/Arch/music.sh new file mode 100644 index 0000000..10fb2fa --- /dev/null +++ b/servers/Arch/music.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +exec mpv --player-operation-mode=pseudo-gui --shuffle /mnt/vault/MUSIC/ + diff --git a/servers/Arch/picom.conf b/servers/Arch/picom.conf new file mode 100644 index 0000000..cb4cf93 --- /dev/null +++ b/servers/Arch/picom.conf 
@@ -0,0 +1,132 @@ +#!/usr/bin/compton +################################ +###### iDigitalFlame 2020 ###### +# # +# -/` # +# -yy- :/` # +# ./-shho`:so` # +# .:- /syhhhh//hhs` `-` # +# :ys-:shhhhhhshhhh.:o- ` # +# /yhsoshhhhhhhhhhhyho`:/. # +# `:yhyshhhhhhhhhhhhhh+hd: # +# :yssyhhhhhyhhhhhhhhdd: # +# .:.oyshhhyyyhhhhhhddd: # +# :o+hhhhhyssyhhdddmmd- # +# .+yhhhhyssshdmmddo. # +# `///yyysshd++` # +# # +########## SPACEPORT ########### +################################ +## Picom Configuration + +dbe = false; +vsync = true; +shadow = true; +fading = true; +backend = "glx"; +blur-kern = "3x3box" +blur-method = "box"; +fade-exclude = [ +# "class_g = 'surf'", +# "class_g = 'Surf'", + "class_g = 'i3lock'", + "class_g = 'vncviewer'", + "class_g = 'Vncviewer'" +]; +fade-in-step = 0.055; +opacity-rule = [ + "80:class_g = 'alacritty'", + "85:class_g = 'slack'", + "85:class_g = 'Slack'", + "80:class_g = 'thunar'", + "80:class_g = 'Thunar'", + "85:class_g = 'discord'", + "80:class_g = 'leafpad'", + "80:class_g = 'Leafpad'", + "95:class_g = 'vscodium'", + "95:class_g = 'VSCodium'", + "85:class_g = 'lightcord'", + "90:class_g = 'bitwarden'", + "90:class_g = 'Bitwarden'", + "90:class_g = 'keepassxc'", + "90:class_g = 'KeePassXC'", + "80:class_g = 'stickynote'", + "85:class_g = 'TelegramDesktop'", + "85:class_g = 'telegram-desktop'", + "0:_NET_WM_STATE@:32a *= '_NET_WM_STATE_HIDDEN'" +]; +blur-strength = 5; +focus-exclude = []; +fade-out-step = 0.055; +frame-opacity = 1; +shadow-radius = 5; +active-opacity = 1; +shadow-opacity = 0.8; +glx-no-stencil = true; +shadow-exclude = [ + "class_g = 'Rofi'", + "class_g = 'Polybar'", + "class_g = 'firefox'", + "class_g = 'Firefox'", + "class_g = 'i3-frame'", + "class_g = 'chromium'", + "class_g = 'Chromium'", + "class_g = 'navigator'", + "class_g = 'Navigator'", + "class_g ?= 'Notify-osd'", + "class_g = 'firefox' && argb", + "name = 'Notification'", + "_GTK_FRAME_EXTENTS@:c", + "_NET_WM_STATE@:32a *= '_NET_WM_STATE_HIDDEN'" +]; +blur-background 
= true; +shadow-offset-x = -3; +shadow-offset-y = -3; +glx-swap-method = -1; +detect-transient = true; +inactive-opacity = 1; +mark-wmwin-focused = true; +glx-copy-from-front = false; +no-fading-openclose = false; +use-ewmh-active-win = true; +unredir-if-possible = true; +detect-client-leader = true; +mark-ovredir-focused = true; +glx-no-rebind-pixmap = true; +shadow-ignore-shaped = false; +blur-background-frame = true; +blur-background-fixed = true; +detect-client-opacity = true; +detect-rounded-corners = true; +blur-background-exclude = [ + "class_g = 'Conky'", + "class_g = 'chromium'", + "class_g = 'Chromium'", + "window_type = 'dock'", + "window_type = 'desktop'", + "_GTK_FRAME_EXTENTS@:c" +]; +glx-use-copysubbuffermesa = false; +inactive-opacity-override = false; + +wintypes: { + menu = { + shadow = true; + }; + utility = { + shadow = false; + }; + tooltip = { + fade = false; + focus = true; + shadow = true; + opacity = 0.75; + }; + popup_menu = { + shadow = true; + }; + dropdown_menu = { + shadow = true; + }; + +}; diff --git a/servers/Arch/proton_vpn.service b/servers/Arch/proton_vpn.service new file mode 100644 index 0000000..373bf77 --- /dev/null +++ b/servers/Arch/proton_vpn.service @@ -0,0 +1,13 @@ +[Unit] +Description=ProtonVPN-CLI auto-connect +Wants=network-online.target + +[Service] +Type=forking +ExecStart=/usr/bin/protonvpn connect -f +Environment=PVPN_WAIT=300 +Environment=PVPN_DEBUG=1 + +[Install] +WantedBy=multi-user.target + diff --git a/servers/Arch/skid9000_memento.sh b/servers/Arch/skid9000_memento.sh new file mode 100644 index 0000000..6bf75af --- /dev/null +++ b/servers/Arch/skid9000_memento.sh 
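Review bot: in servers/Arch/proton_vpn.service the [Unit] section sets Wants=network-online.target but has no After=network-online.target. Wants= only pulls the target in and does not order this unit behind it, so `ExecStart=/usr/bin/protonvpn connect -f` can run before the network is up. Add After=network-online.target beside the Wants= line. Environment=PVPN_DEBUG=1 is also left on in a unit meant to start at every boot; drop it, or add a comment saying why it has to stay.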
@@ -0,0 +1,66 @@ +#!/bin/bash +#Arch Install : + +loadkeys fr +#ip a | grep inet --> dhcpcd +timedatectl set-ntp true + +#Partitionnement (uefi) : +#[/boot] 512M vfat (uefi system) +#[/] le reste ext4 (Linux Root x86_64) +#mkfs.truc --> /dev/device + +#mount -> /mnt + +pacstrap /mnt base linux linux-firmware +genfstab -U /mnt >> /mnt/etc/fstab +#(ATTENTION AUX UUID et PARTUUID --> blkid) + +#Pour extract un truc : blkid | awk '{print $?}' | tr -d '"' + +#Exemple : https://puush.tuto-craft.com/1591199923-MHvA42QvSt.png + +arch-chroot /mnt + +ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime +hwclock --systohc + +echo 'fr_FR.UTF-8 UTF-8' > /etc/locale.gen +locale-gen + +echo 'LANG=en_US.UTF-8' > /etc/locale.conf +echo 'KEYMAP=fr' > /etc/vconsole.conf + +echo 'nowhere' > /etc/hostname + +echo "127.0.0.1 localhost +::1 localhost" > /etc/hosts + +mkinitcpio -P +passwd + +useradd nothing +mkdir /home/nothing +cp /etc/skel/.* /home/nothing/ +chown -R nothing: /home/nothing +passwd nothing + +pacman -S sudo +usermod -aG wheel nothing + + +pacman -S dhcpcd +systemctl enable dhcpcd +pacman -S refind +refind-install + +Check /boot/refind_linux.conf : https://puush.tuto-craft.com/1589786074-QHD8Lw5Men.png +(also check if /boot is really /boot and not / /boot lol) + +exit +umount /mnt/boot /mnt +reboot + +*login as somebody* + +sudo pacman -S base-devel git i3 xorg-server xorg-xinit \ No newline at end of file diff --git a/servers/Arch/xinitrc b/servers/Arch/xinitrc new file mode 100644 index 0000000..4287a7a --- /dev/null +++ b/servers/Arch/xinitrc 
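Review bot: servers/Arch/skid9000_memento.sh starts with #!/bin/bash but cannot run as a script. `arch-chroot /mnt` with no command opens an interactive shell, so every line after it (localtime, locale.gen, hostname, passwd, useradd, pacman) would run on the live system once that shell exits, not inside /mnt. The lines "Check /boot/refind_linux.conf : ...", "(also check if /boot is really /boot ...)" and "*login as somebody*" are prose, not commands. The partitioning and mount steps are only comments, so `pacstrap /mnt ...` is reached with nothing mounted. Either drop the shebang and present the file as notes, or comment out the prose and pass the chroot steps to arch-chroot explicitly. The useradd, mkdir, cp and chown sequence can be replaced with `useradd -m nothing`, which creates the home directory from /etc/skel in one step.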
@@ -0,0 +1,51 @@ +#!/bin/sh + +userresources=$HOME/.Xresources +usermodmap=$HOME/.Xmodmap +sysresources=/etc/X11/xinit/.Xresources +sysmodmap=/etc/X11/xinit/.Xmodmap + +# merge in defaults and keymaps + +if [ -f $sysresources ]; then + + + + + + + + xrdb -merge $sysresources + +fi + +if [ -f $sysmodmap ]; then + xmodmap $sysmodmap +fi + +if [ -f "$userresources" ]; then + + + + + + + + xrdb -merge "$userresources" + +fi + +if [ -f "$usermodmap" ]; then + xmodmap "$usermodmap" +fi + +# start some nice programs + +if [ -d /etc/X11/xinit/xinitrc.d ] ; then + for f in /etc/X11/xinit/xinitrc.d/?*.sh ; do + [ -x "$f" ] && . "$f" + done + unset f +fi + +exec i3 diff --git a/servers/anon.html b/servers/anon.html new file mode 100644 index 0000000..7de05af --- /dev/null +++ b/servers/anon.html @@ -0,0 +1,365 @@ + + + + + + + + + + Privacy, Anonymity and Plausible Deniability Tutorials + + + + + + +
+
+
+
+ Previous Page

Privacy, Anonymity and Plausible Deniability

+

Tutorials to show how to achieve Privacy, Anonymity and Plausible Deniability online. + I have a certain quality standard as to how i do these tutorials, if there are any improvements i can do on them please let me know. + +

SHOWCASED ARTICLE: Learn how to audit your own setup, to determine your OPSEC Level, and find out what is the most appropriate internet use for it.

+


+

Articles Status:

+
    +
  1. ✅: Completed
  2. +
  3. 🟠: Work in progress
  4. +
  5. ❌: Not started yet
  6. +

+ + + +
+
+
+
+ +
+
+ +
+
+
+
+ +
+
+
+
+
+
+

OPSEC LEVEL 2: Anonymity

+
+ +

📝 Explaining Anonymity

+
    +
  1. ✅ What is Anonymity ? Why is it Important ?
  2. +
  3. ✅ The main source of Anonymity: The Tor Network
  4. +
  5. ✅ Using Tor Safely: Tor through VPN or VPN through Tor ?
  6. +
  7. 🟠 Shifting from a public to an Anonymous online persona
  8. +
  9. 🟠 Phone Numbers are incompatible with Anonymity
  10. + +

+

💻 Clientside - Anonymity using the Tor browser (⚠️ Check if your ISP allows Tor or Not!)

+
    +
  1. ✅ If your ISP allows Anonymity (You -> Tor -> Websites)
  2. +
  3. ❌ If your ISP Does not allow Anonymity (You -> VPN -> Tor -> Websites)
  4. +
  5. ❌ If websites don't allow Anonymity (You -> Tor -> VPNs -> Websites)
  6. +
  7. ❌ If Tor and VPNs are illegal in your country ⚠️ (You -> Tor Bridge -> Tor -> Websites)
  8. +
    + +

+

💻 Clientside - Anonymity using VMs (⚠️ Check if your ISP allows Tor or Not!)

+
    +
  1. ✅ Tails OS QEMU VM for Temporary Anonymity
  2. +
  3. ✅ VMs for Long-term Anonymity (Whonix QEMU VMs)
  4. +
  5. ❌ Routing QEMU VMs through VPNs (You -> VPN -> Tor -> Websites)
  6. +
  7. ❌ Routing VPNs through Whonix / Tails QEMU VMs (You -> Tor -> VPN -> Websites)
  8. +
  9. ❌ Using Tor Bridges with Whonix / Tails QEMU VMs (You -> Tor Bridges -> Tor -> Websites)
  10. + +

+
+
+ + +

🧅 Serverside - Decentralisation in the service of Anonymity

+
    +
  1. ✅ Tor Bridge Node
  2. +
  3. ✅ Tor Node
  4. +
  5. ✅ Tor Exit Node
  6. +
  7. ✅ Monero Node
  8. +
  9. ❌ Haveno Seed Node
  10. +

+

💻 Clientside - Decentralized Finances

+
    +
  1. ✅ Why Financial decentralisation ? (Cryptocurrencies, Exchanges and KYC) ⭐
  2. +
  3. ✅ How to acquire and use Monero
  4. +
  5. ✅ Haveno Decentralised Exchange direct Fiat -> XMR transaction ⭐
  6. +
  7. ✅ Haveno DEX Dispute resolution (Fiat -> XMR)
  8. +
  9. ✅ Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction
  10. +
  11. ✅ Haveno DEX Cash By Mail -> XMR transaction ⭐
  12. +

+ + +

🧅 Serverside - Anonymity on Remote Servers (⚠️ Remote Hosting = Safer!)

+
    +
  1. ✅ Acquiring and using remote servers anonymously (non-KYC providers) ⭐
  2. +
  3. 🟠 Hosting a .onion website when the ISP allows anonymity (with custom .onion Vanity V3 address) (server -> tor)
  4. +
  5. ❌ Hosting a .onion website when the ISP doesnt allow anonymity (server -> vpn -> tor)
  6. +
    +

+

🧅 Serverside - Clearnet Services (⚠️ Remote Hosting = Safer!)

+
    + +
  1. ✅ Clearnet Bind9 DNS server setup (with DNSSEC)
  2. +
  3. ✅ Clearnet Matrix server
  4. +
  5. 🟠 XMPP server (Gajim, OMEO encryption, ejabberd .onion setup)
  6. +
  7. ✅ Remote anonymous access setup (cockpit + ssh through tor)
  8. +
  9. ✅ Anonymous self-hosted clearnet Mail Server ⭐
  10. +
    +

+ + + + +


+ +
+
+
+
+
+
+ +
+
+ + + + + +
+
+
+
+

Inspirations

+ +
    +
  1. Hack Liberty Resources
  2. +
  3. Privacy Guides
  4. +
  5. Simplified Privacy
  6. +
  7. The Hitchhiker's guide to Anonymity
  8. +


+

Non-KYC VPS providers



+

Current services used:

+
    +
  1. ServersGuru (KYC-Free reseller of cloud providers like Hetzner)
  2. +
  3. nicevps.net (KYC-Free registrar)
  4. +
+
+

Previous services:

+
    +
  1. Incognet (both registrar and cloud provider)
  2. +
  3. Hostiko (cloud provider)
  4. +
  5. Other Non-KYC Cloud Providers
  6. + +
+

+ +

+LEGAL DISCLAIMER: 
+Across the entirety of my blog, in all articles that I made, I advocate for the legal use of technologies, even when I am talking about Privacy-enhancing and Anonymity-enabling technologies. In no way am I advocating for any illegal use of any technology showcased in any article on my blog. as the goal of this blog is to remain stricly informative and educative.
+
+
+I decline any and all responsibility for any mis-use of any of the technology i showcase in the entirety of my blog. I also decline any and all responsibility for any physical, digital and psychological damage caused by the mis-use of any showcased technology, as the responsibility of such acts remains with the perpretating third-party. By reading this blog, you permanently, irrevocably and world-widely agree that I am in no way am responsible for any illegal action done by you or anyone that uses any of the showcased technology in my blog articles.
+
+
+ + + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
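Review bot: in servers/anon.html, under "Serverside - Clearnet Services", the XMPP entry reads "OMEO encryption". The XMPP end-to-end encryption extension is OMEMO, so the link text should be corrected. The same entry describes an "ejabberd .onion setup" while sitting under a clearnet heading; move it or reword it. The legal disclaimer at the bottom has "stricly" and "perpretating", and its sentence beginning "as the goal of this blog" is a fragment left after a full stop.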
+ + + + + + + diff --git a/servers/anonaccess/1.png b/servers/anonaccess/1.png new file mode 100644 index 0000000..c1e9c21 Binary files /dev/null and b/servers/anonaccess/1.png differ diff --git a/servers/anonaccess/2.png b/servers/anonaccess/2.png new file mode 100644 index 0000000..3e7c62f Binary files /dev/null and b/servers/anonaccess/2.png differ diff --git a/servers/anonaccess/3.png b/servers/anonaccess/3.png new file mode 100644 index 0000000..28b945e Binary files /dev/null and b/servers/anonaccess/3.png differ diff --git a/servers/anonaccess/4.png b/servers/anonaccess/4.png new file mode 100644 index 0000000..080bbbb Binary files /dev/null and b/servers/anonaccess/4.png differ diff --git a/servers/anonaccess/5.png b/servers/anonaccess/5.png new file mode 100644 index 0000000..7df9b8f Binary files /dev/null and b/servers/anonaccess/5.png differ diff --git a/servers/anonaccess/6.png b/servers/anonaccess/6.png new file mode 100644 index 0000000..aa06e0f Binary files /dev/null and b/servers/anonaccess/6.png differ diff --git a/servers/anonaccess/index.html b/servers/anonaccess/index.html new file mode 100644 index 0000000..51485e0 --- /dev/null +++ b/servers/anonaccess/index.html @@ -0,0 +1,276 @@ + + + + + + + + + + + Remote anonymous access setup (cockpit + ssh through tor) + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-05-02

+

Remote anonymous access setup (cockpit + ssh through tor)

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

On your server, edit the torrc file like so:

+

+[ Datura ] [ /dev/pts/9 ] [~]
+→ cat /etc/tor/torrc
+
+HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
+HiddenServicePort 22 127.0.0.1:22
+HiddenServicePort 80 127.0.0.1:4443
+	
+
+

Then just edit your local .ssh config to access it:

+

+[ mainpc ] [ /dev/pts/7 ] [~]
+→ cat .ssh/config
+Host web-gw2024-dedi
+        User root
+        hostname 37.27.32.233
+        IdentityFile ~/.ssh/torified
+
+Host tortura
+        User root
+        hostname daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
+        IdentityFile ~/.ssh/torified
+        proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
+
+Host datura
+        User root
+        hostname 65.109.30.253
+        IdentityFile ~/.ssh/torified
+	
+
+

Then connect to the host via SSH:

+

+[ mainpc ] [ /dev/pts/5 ] [~]
+→ systemctl restart tor@default
+
+[ mainpc ] [ /dev/pts/5 ] [~]
+→ ssh tortura
+The authenticity of host 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion (<no hostip for proxy command>)' can't be established.
+ED25519 key fingerprint is SHA256:A0CFTeUixGoK96VenBQ7Z2U8kX5olDCqBvBNeJUfs6I.
+This host key is known by the following other names/addresses:
+    ~/.ssh/known_hosts:144: [hashed name]
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion' (ED25519) to the list of known hosts.
+Enter passphrase for key '/home/nihilist/.ssh/torified':
+Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+Last login: Thu May  2 14:47:23 2024 from 178.255.149.178
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→
+	
+
+ +

So that's how you do it if you cannot access the server via a public IP directly, but keep in mind that the latency is most likely unbearable due to the 6 hops circuit (since we're doing it via the .onion link, rather than connecting to the IP directly)

+

so you're probably better off just connecting to the IP directly but forcing the SSH connection through tor using torsocks, which greatly reduces the latency (3 hops instead of 6):

+

+[ mainpc ] [ /dev/pts/7 ] [~]
+→ torsocks ssh datura
+Enter passphrase for key '/home/nihilist/.ssh/torified':
+Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+Last login: Thu May  2 15:48:08 2024 from 127.0.0.1
+
+[ Datura ] [ /dev/pts/12 ] [~]
+→ id
+uid=0(root) gid=0(root) groups=0(root)
+	
+
+
+
+
+
+ +
+
+
+
+

Cockpit .onion setup



+

Let's install cockpit from the apt repositories:

+

+[ Datura ] [ /dev/pts/11 ] [~]
+→ apt install cockpit -y
+	
+[ Datura ] [ /dev/pts/11 ] [~]
+→ systemctl status cockpit
+● cockpit.service - Cockpit Web Service
+     Loaded: loaded (/lib/systemd/system/cockpit.service; static)
+     Active: active (running) since Fri 2024-05-03 13:30:51 CEST; 2min 5s ago
+TriggeredBy: ● cockpit.socket
+       Docs: man:cockpit-ws(8)
+    Process: 3563910 ExecStartPre=/usr/lib/cockpit/cockpit-certificate-ensure --for-cockpit-tls (code=exited, status=0/SUCCESS)
+   Main PID: 3563926 (cockpit-tls)
+      Tasks: 1 (limit: 77002)
+     Memory: 2.4M
+        CPU: 355ms
+     CGroup: /system.slice/cockpit.service
+             └─3563926 /usr/lib/cockpit/cockpit-tls
+
+May 03 13:30:51 Datura systemd[1]: Starting cockpit.service - Cockpit Web Service...
+May 03 13:30:51 Datura cockpit-certificate-ensure[3563918]: /usr/lib/cockpit/cockpit-certificate-helper: line 25: sscg: command not found
+May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: ......+.....+.+......+...+.........+...+..............+.+...+..+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+++++++++++++++++++++++++++++++>
+May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: .+.........+...+...+.......+........+....+..............+.........+......+.+......+..+.+..+...+....+...+.........+.....+....+.....+++++++++++++++++++++++++++++++++++++++++++++++++>
+May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: -----
+May 03 13:30:51 Datura systemd[1]: Started cockpit.service - Cockpit Web Service.
+May 03 13:30:51 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
+May 03 13:30:55 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
+
+
+ +

once it completes, just connect to it on port 9090:

+ +

ignore the self-signed HTTPs warning and enable javascript afterward:

+ +

In the Tor browser, select the "Safer" security level to be able to browse to the cockpit service with javascript:

+ + + + + +

if it refuses the login, make sure the user has proper sudo access like so::

+

+[ Datura ] [ /dev/pts/11 ] [~]
+→ useradd nihilist
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→ passwd nihilist
+New password:
+Retype new password:
+passwd: password updated successfully
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→ usermod -aG sudo nihilist
+
+[ Datura ] [ /dev/pts/11 ] [~]
+→ visudo
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+nihilist ALL=(ALL:ALL) ALL
+
+
+ +
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
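Review bot: in servers/anonaccess/index.html the torrc listing maps `HiddenServicePort 80 127.0.0.1:4443`, but the Cockpit section says to connect "on port 9090" and nothing on the page shows a listener on 4443, so a reader who copies the torrc as shown has no stated path to Cockpit over the .onion address. Show the Cockpit listen-address change that puts it on 4443, or point the HiddenServicePort line at the port Cockpit actually uses. The .ssh/config listing and the "Last login ... from" banners also print the onion address next to the server's clearnet IPs; swap in placeholders if the tutorial is not meant to publish that link. The first `ssh tortura` answers "yes" to the host-key prompt without comparing the printed ED25519 fingerprint to the server's own; add a sentence telling readers to check it.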
+ + + + + + + diff --git a/servers/anonpersona/0.png b/servers/anonpersona/0.png new file mode 100644 index 0000000..0d06634 Binary files /dev/null and b/servers/anonpersona/0.png differ diff --git a/servers/anonpersona/1.png b/servers/anonpersona/1.png new file mode 100644 index 0000000..3693490 Binary files /dev/null and b/servers/anonpersona/1.png differ diff --git a/servers/anonpersona/2.png b/servers/anonpersona/2.png new file mode 100644 index 0000000..20e218d Binary files /dev/null and b/servers/anonpersona/2.png differ diff --git a/servers/anonpersona/3.png b/servers/anonpersona/3.png new file mode 100644 index 0000000..3de0fae Binary files /dev/null and b/servers/anonpersona/3.png differ diff --git a/servers/anonpersona/index.html b/servers/anonpersona/index.html new file mode 100644 index 0000000..5cd8bd4 --- /dev/null +++ b/servers/anonpersona/index.html @@ -0,0 +1,221 @@ + + + + + + + + + + + Shifting To An Anonymous Persona Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-03-11

+

Shifting To An Anonymous Persona Setup

+ +

In this tutorial we're going to look at how you can move from a public persona to an anonymous one online along with the process behind it.

+ +
+
+
+
+ + +
+
+
+
+

Self-Auditing

+

Let's first assume that you have a public internet presence online, you have a domain name registered to your name, and you host some services online.

+

Let's also assume that you have followed the previous tutorials, meaning you now have whonix VMs in a veracrypt hidden partition that you can deny the existance of (reminder: do NOT use SSDs, use HDDs otherwise devices that use wear-leveling can reveal the existance of a hidden partition).

+

So from now on your publicly you're going to PGP sign a message for everyone to see that you wish to sell the domain and all of it's subdomain services to someone else, and to message you over email/ or a chatrom for the price. The message can look as follows:

+

+Hi all, planning to stop all of my services soon due to lack of interest / or X Y Z.
+Please note that i'm ready to take offers as i'm selling the domain and all of it's underlying services to the highest bidder.
+Contact me at email@example.com to discuss this offer if you're interested.
+
+
+ +

Basically here you're going to want someone anonymous to buy your services, officially. Secretely you will simply have moved to an anonymous way of operating.

+ +

Unless if you're hosting something incredible, Most likely noone will answer, but in the meantime you're going to audit your infrastructure on the following points:

+

+-How is your domain accessed ?
+	-Did you register your domain under your own name ?
+	-Did you buy your domain using monero ?
+-How are your servers accessed ?
+	-Did you ever not access those servers locally or through tor alone (ssh through tor)?
+	-Did you rent those servers under your own name ? 
+	-Did you ever pay for those servers without using monero ?
+-Do you have any services hosted at home ?
+	-if so, are they accessible through your public home IP ?
+	-if not, are they all accessible through a remote VPN gateway ?
+	-if not, are they all accessible through tor alone (via a .onion link) ?
+	-are they behind an open-source router such as pfsense ?
+-Did you implement the recommended physical security measures in the previous tutorials?
+	-for any local home server: movement detection, usb changes, unauthorized login attempts, secret maintenance procedure ? 
+	-for any client device (laptop/mainpc/phone):
+		-is the host OS of those devices open source ? (linux for pcs, grapheneOS for phone ?)
+		-are they all tampered protected ?
+-Did you implement a secure OPSEC for your online accesses to services ?
+	- did you ever reuse a password on a closed-source OS ?
+	- did you ever reuse a password at all for an online service ?
+	- did you ever use your public IP, or a VPN IP to create an online email account that you've used in the past ? 
+	- did you ever try to do any anonymous activity using that email account ?
+
+
+ +
+
+
+
+ +
+
+
+
+

Formulating the plan



+

Once you have the answer to all these questions, you're going to need to formulate a plan to move all of those services to their anonymous counterpart. Yes, sacrifices will need to be made.

+

+-If you have any public domains, you're going to transfer it to a non-KYC domain name registrar or reseller, one that accepts monero and tor traffic, such as https://nicevps.net
+-If you have any public servers, you're going to need to transfer all of your services to another server that will be bought with monero and accessed through tor alone. such as https://servers.guru
+-If you have any servers at home, you're going to need to make sure that no traffic ever goes to and from your public servers without going through Tor first-hand.
+-If you have any servers at home, you're going to need to make sure that they're behind an open-source router such as pfsense. (because closed-source routers cannot be trusted due to government pressures.
+-If you have not implemented the required physical security measures for your client and home server devices, apply them as listed above.
+-If you have ever used a password or an email with bad OPSEC as listed above, consider it burned and immediately give up using those moving forward. 
+	-You must have an email address for public activities, and another for anonymous activities.
+	-You must have a master password for a keepass databse for public activities, and another for private activities, and another for anonymous activities.
+
+
+

Here's how your ideal infrastructure must look like, if you want to maintain anonymity online:

+ + +
+
+
+
+ + + +
+
+
+
+

Carrying out the plan



+

Once the plan is clear to you, it's time to implement it. This whole anonymization process can be disguised as a "i've sold all of my services to this anonymous guy online" scenario, while "This anonymous guy online" is secretely you, from the Whonix VMs inside of your hidden veracrypt partitions. A typical anonymization of your services would look like this:

+

+Conversation on email / in a chatroom:
+A: Hey i want to buy your services, i can pay 2 XMR 
+you: sure, here's my XMR address:
+A:payment sent, awaiting accesses 
+you: ok payment recieved, here is the domain transfer code for domainexample.com: mkmkkljnnuju, i made sure it was unlocked
+A:  ok i've created the transfer request on nicevps.net, it will get transfered in a few days (can take 2 weeks for example). Please send me the accesses to your public servers.
+you: here is SSH root access for server A, B, and C  (typically the 2 dns servers, and the main public server)
+A: ok i changed all of the accesses, please send me the files for the X Y Z services that you host at home. i've created a temporary user you can SSH with to copy the files in /tmp/
+you: ok i just SCP'd (sent via SSH) the files in /tmp/
+A: recieved, thanks.
+you: Please publicly state, and PGP-sign that the domain, and all of it's servers have been bought by you, by mentionning the new name, email and the plan moving forward.
+A: Domain has been successfully transfered to nicevps.net, all good thanks.
+A: done, and added to the public page as an announcement, thanks.
+
+
+ +

Make sure that you save the proof of the transaction (the whole chatlog, and the monero transaction ID), and that you sign it with you PGP key just in case if an adversary asks if you still are the owner of those services.

+

As a result, publicly you will now state that you no longer offer any of the services you were doing previously, and that someone else took over the website and services after buying it.

+

While secretely onwards, these services will all be accessed, paid for and administered anonymously by you from the Whonix VMs you have inside your hidden veracrypt partition.

+ + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
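Review bot: in servers/anonpersona/index.html the "Self-Auditing" checklist mixes question polarity. "Did you ever not access those servers locally or through tor alone" and "Did you ever pay for those servers without using monero" sit beside "Did you buy your domain using monero", so a yes is a finding on some lines and a pass on others. Phrase every item so the same answer always flags a problem. Under "Formulating the plan", the pfsense item opens a parenthesis at "(because closed-source routers ..." that never closes. The page also carries several misspellings worth fixing before merge: existance, chatrom, Secretely, databse, recieved, transfered, mentionning.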
+ + + + + + + diff --git a/servers/anonymity.png b/servers/anonymity.png new file mode 100644 index 0000000..2e5f8ad Binary files /dev/null and b/servers/anonymity.png differ diff --git a/servers/anonymity/1.png b/servers/anonymity/1.png new file mode 100644 index 0000000..41aa6b1 Binary files /dev/null and b/servers/anonymity/1.png differ diff --git a/servers/anonymity/10.png b/servers/anonymity/10.png new file mode 100644 index 0000000..7368291 Binary files /dev/null and b/servers/anonymity/10.png differ diff --git a/servers/anonymity/100.png b/servers/anonymity/100.png new file mode 100644 index 0000000..f68fd18 Binary files /dev/null and b/servers/anonymity/100.png differ diff --git a/servers/anonymity/101.png b/servers/anonymity/101.png new file mode 100644 index 0000000..fafcd29 Binary files /dev/null and b/servers/anonymity/101.png differ diff --git a/servers/anonymity/102.png b/servers/anonymity/102.png new file mode 100644 index 0000000..ed34ea6 Binary files /dev/null and b/servers/anonymity/102.png differ diff --git a/servers/anonymity/103.png b/servers/anonymity/103.png new file mode 100644 index 0000000..7b1b43f Binary files /dev/null and b/servers/anonymity/103.png differ diff --git a/servers/anonymity/104.png b/servers/anonymity/104.png new file mode 100644 index 0000000..8aee311 Binary files /dev/null and b/servers/anonymity/104.png differ diff --git a/servers/anonymity/105.png b/servers/anonymity/105.png new file mode 100644 index 0000000..835f272 Binary files /dev/null and b/servers/anonymity/105.png differ diff --git a/servers/anonymity/106.png b/servers/anonymity/106.png new file mode 100644 index 0000000..ad6104f Binary files /dev/null and b/servers/anonymity/106.png differ diff --git a/servers/anonymity/11.png b/servers/anonymity/11.png new file mode 100644 index 0000000..8b9a183 Binary files /dev/null and b/servers/anonymity/11.png differ 
diff --git a/servers/anonymity/12.png b/servers/anonymity/12.png new file mode 100644 index 0000000..0de0bf0 Binary files /dev/null and b/servers/anonymity/12.png differ diff --git a/servers/anonymity/13.png b/servers/anonymity/13.png new file mode 100644 index 0000000..985d88f Binary files /dev/null and b/servers/anonymity/13.png differ diff --git a/servers/anonymity/14.png b/servers/anonymity/14.png new file mode 100644 index 0000000..bf179d3 Binary files /dev/null and b/servers/anonymity/14.png differ diff --git a/servers/anonymity/15.png b/servers/anonymity/15.png new file mode 100644 index 0000000..539f949 Binary files /dev/null and b/servers/anonymity/15.png differ diff --git a/servers/anonymity/16.png b/servers/anonymity/16.png new file mode 100644 index 0000000..ac0b0bd Binary files /dev/null and b/servers/anonymity/16.png differ diff --git a/servers/anonymity/17.png b/servers/anonymity/17.png new file mode 100644 index 0000000..d719ac8 Binary files /dev/null and b/servers/anonymity/17.png differ diff --git a/servers/anonymity/2.png b/servers/anonymity/2.png new file mode 100644 index 0000000..91a0231 Binary files /dev/null and b/servers/anonymity/2.png differ diff --git a/servers/anonymity/20.png b/servers/anonymity/20.png new file mode 100644 index 0000000..55eef14 Binary files /dev/null and b/servers/anonymity/20.png differ diff --git a/servers/anonymity/200.png b/servers/anonymity/200.png new file mode 100644 index 0000000..4358d49 Binary files /dev/null and b/servers/anonymity/200.png differ diff --git a/servers/anonymity/21.png b/servers/anonymity/21.png new file mode 100644 index 0000000..b9adcb2 Binary files /dev/null and b/servers/anonymity/21.png differ diff --git a/servers/anonymity/22.png b/servers/anonymity/22.png new file mode 100644 index 0000000..a537562 Binary files /dev/null and b/servers/anonymity/22.png differ 
diff --git a/servers/anonymity/23.png b/servers/anonymity/23.png new file mode 100644 index 0000000..ee16c38 Binary files /dev/null and b/servers/anonymity/23.png differ diff --git a/servers/anonymity/24.png b/servers/anonymity/24.png new file mode 100644 index 0000000..b57f470 Binary files /dev/null and b/servers/anonymity/24.png differ diff --git a/servers/anonymity/25.png b/servers/anonymity/25.png new file mode 100644 index 0000000..2169c3e Binary files /dev/null and b/servers/anonymity/25.png differ diff --git a/servers/anonymity/26.png b/servers/anonymity/26.png new file mode 100644 index 0000000..98b55af Binary files /dev/null and b/servers/anonymity/26.png differ diff --git a/servers/anonymity/27.png b/servers/anonymity/27.png new file mode 100644 index 0000000..6cfddd6 Binary files /dev/null and b/servers/anonymity/27.png differ diff --git a/servers/anonymity/28.png b/servers/anonymity/28.png new file mode 100644 index 0000000..ca7f98e Binary files /dev/null and b/servers/anonymity/28.png differ diff --git a/servers/anonymity/29.png b/servers/anonymity/29.png new file mode 100644 index 0000000..c09d540 Binary files /dev/null and b/servers/anonymity/29.png differ diff --git a/servers/anonymity/3.png b/servers/anonymity/3.png new file mode 100644 index 0000000..1e1c843 Binary files /dev/null and b/servers/anonymity/3.png differ diff --git a/servers/anonymity/30.png b/servers/anonymity/30.png new file mode 100644 index 0000000..3095fcd Binary files /dev/null and b/servers/anonymity/30.png differ diff --git a/servers/anonymity/31.png b/servers/anonymity/31.png new file mode 100644 index 0000000..819d4f0 Binary files /dev/null and b/servers/anonymity/31.png differ diff --git a/servers/anonymity/32.png b/servers/anonymity/32.png new file mode 100644 index 0000000..53bb169 Binary files /dev/null and b/servers/anonymity/32.png differ 
diff --git a/servers/anonymity/33.png b/servers/anonymity/33.png new file mode 100644 index 0000000..6ee92f1 Binary files /dev/null and b/servers/anonymity/33.png differ diff --git a/servers/anonymity/34.png b/servers/anonymity/34.png new file mode 100644 index 0000000..2e0885e Binary files /dev/null and b/servers/anonymity/34.png differ diff --git a/servers/anonymity/35.png b/servers/anonymity/35.png new file mode 100644 index 0000000..ceec400 Binary files /dev/null and b/servers/anonymity/35.png differ diff --git a/servers/anonymity/36.png b/servers/anonymity/36.png new file mode 100644 index 0000000..3f7dd1d Binary files /dev/null and b/servers/anonymity/36.png differ diff --git a/servers/anonymity/37.png b/servers/anonymity/37.png new file mode 100644 index 0000000..2ee2c8a Binary files /dev/null and b/servers/anonymity/37.png differ diff --git a/servers/anonymity/38.png b/servers/anonymity/38.png new file mode 100644 index 0000000..1a19105 Binary files /dev/null and b/servers/anonymity/38.png differ diff --git a/servers/anonymity/39.png b/servers/anonymity/39.png new file mode 100644 index 0000000..c922a06 Binary files /dev/null and b/servers/anonymity/39.png differ diff --git a/servers/anonymity/4.png b/servers/anonymity/4.png new file mode 100644 index 0000000..85e406a Binary files /dev/null and b/servers/anonymity/4.png differ diff --git a/servers/anonymity/40.png b/servers/anonymity/40.png new file mode 100644 index 0000000..8db286f Binary files /dev/null and b/servers/anonymity/40.png differ diff --git a/servers/anonymity/41.png b/servers/anonymity/41.png new file mode 100644 index 0000000..0d22ad0 Binary files /dev/null and b/servers/anonymity/41.png differ diff --git a/servers/anonymity/42.png b/servers/anonymity/42.png new file mode 100644 index 0000000..942b175 Binary files /dev/null and b/servers/anonymity/42.png differ 
diff --git a/servers/anonymity/43.png b/servers/anonymity/43.png new file mode 100644 index 0000000..9e1bfc4 Binary files /dev/null and b/servers/anonymity/43.png differ diff --git a/servers/anonymity/44.png b/servers/anonymity/44.png new file mode 100644 index 0000000..ef30e1f Binary files /dev/null and b/servers/anonymity/44.png differ diff --git a/servers/anonymity/45.png b/servers/anonymity/45.png new file mode 100644 index 0000000..6a462d5 Binary files /dev/null and b/servers/anonymity/45.png differ diff --git a/servers/anonymity/46.png b/servers/anonymity/46.png new file mode 100644 index 0000000..93c0b6c Binary files /dev/null and b/servers/anonymity/46.png differ diff --git a/servers/anonymity/47.png b/servers/anonymity/47.png new file mode 100644 index 0000000..f026ae0 Binary files /dev/null and b/servers/anonymity/47.png differ diff --git a/servers/anonymity/48.png b/servers/anonymity/48.png new file mode 100644 index 0000000..56e347e Binary files /dev/null and b/servers/anonymity/48.png differ diff --git a/servers/anonymity/49.png b/servers/anonymity/49.png new file mode 100644 index 0000000..efb5b20 Binary files /dev/null and b/servers/anonymity/49.png differ diff --git a/servers/anonymity/5.png b/servers/anonymity/5.png new file mode 100644 index 0000000..56bcc36 Binary files /dev/null and b/servers/anonymity/5.png differ diff --git a/servers/anonymity/50.png b/servers/anonymity/50.png new file mode 100644 index 0000000..f9ffb62 Binary files /dev/null and b/servers/anonymity/50.png differ diff --git a/servers/anonymity/51.png b/servers/anonymity/51.png new file mode 100644 index 0000000..930a945 Binary files /dev/null and b/servers/anonymity/51.png differ diff --git a/servers/anonymity/52.png b/servers/anonymity/52.png new file mode 100644 index 0000000..de2b1b0 Binary files /dev/null and b/servers/anonymity/52.png differ 
diff --git a/servers/anonymity/53.png b/servers/anonymity/53.png new file mode 100644 index 0000000..e1d9d51 Binary files /dev/null and b/servers/anonymity/53.png differ diff --git a/servers/anonymity/54.png b/servers/anonymity/54.png new file mode 100644 index 0000000..a3835f2 Binary files /dev/null and b/servers/anonymity/54.png differ diff --git a/servers/anonymity/55.png b/servers/anonymity/55.png new file mode 100644 index 0000000..d8d4394 Binary files /dev/null and b/servers/anonymity/55.png differ diff --git a/servers/anonymity/56.png b/servers/anonymity/56.png new file mode 100644 index 0000000..8cfc430 Binary files /dev/null and b/servers/anonymity/56.png differ diff --git a/servers/anonymity/57.png b/servers/anonymity/57.png new file mode 100644 index 0000000..94c0f00 Binary files /dev/null and b/servers/anonymity/57.png differ diff --git a/servers/anonymity/58.png b/servers/anonymity/58.png new file mode 100644 index 0000000..94a1fb2 Binary files /dev/null and b/servers/anonymity/58.png differ diff --git a/servers/anonymity/59.png b/servers/anonymity/59.png new file mode 100644 index 0000000..a42d76c Binary files /dev/null and b/servers/anonymity/59.png differ diff --git a/servers/anonymity/6.png b/servers/anonymity/6.png new file mode 100644 index 0000000..d4be495 Binary files /dev/null and b/servers/anonymity/6.png differ diff --git a/servers/anonymity/60.png b/servers/anonymity/60.png new file mode 100644 index 0000000..9af728d Binary files /dev/null and b/servers/anonymity/60.png differ diff --git a/servers/anonymity/61.png b/servers/anonymity/61.png new file mode 100644 index 0000000..896733d Binary files /dev/null and b/servers/anonymity/61.png differ diff --git a/servers/anonymity/62.png b/servers/anonymity/62.png new file mode 100644 index 0000000..774a278 Binary files /dev/null and b/servers/anonymity/62.png differ 
diff --git a/servers/anonymity/63.png b/servers/anonymity/63.png new file mode 100644 index 0000000..ade299b Binary files /dev/null and b/servers/anonymity/63.png differ diff --git a/servers/anonymity/64.png b/servers/anonymity/64.png new file mode 100644 index 0000000..7be42a7 Binary files /dev/null and b/servers/anonymity/64.png differ diff --git a/servers/anonymity/65.png b/servers/anonymity/65.png new file mode 100644 index 0000000..c0141a5 Binary files /dev/null and b/servers/anonymity/65.png differ diff --git a/servers/anonymity/66.png b/servers/anonymity/66.png new file mode 100644 index 0000000..f74d4d1 Binary files /dev/null and b/servers/anonymity/66.png differ diff --git a/servers/anonymity/67.png b/servers/anonymity/67.png new file mode 100644 index 0000000..d1929db Binary files /dev/null and b/servers/anonymity/67.png differ diff --git a/servers/anonymity/68.png b/servers/anonymity/68.png new file mode 100644 index 0000000..9c91b4a Binary files /dev/null and b/servers/anonymity/68.png differ diff --git a/servers/anonymity/69.png b/servers/anonymity/69.png new file mode 100644 index 0000000..10c8d47 Binary files /dev/null and b/servers/anonymity/69.png differ diff --git a/servers/anonymity/7.png b/servers/anonymity/7.png new file mode 100644 index 0000000..18e8e71 Binary files /dev/null and b/servers/anonymity/7.png differ diff --git a/servers/anonymity/70.png b/servers/anonymity/70.png new file mode 100644 index 0000000..dd10a3a Binary files /dev/null and b/servers/anonymity/70.png differ diff --git a/servers/anonymity/71.png b/servers/anonymity/71.png new file mode 100644 index 0000000..6155605 Binary files /dev/null and b/servers/anonymity/71.png differ diff --git a/servers/anonymity/72.png b/servers/anonymity/72.png new file mode 100644 index 0000000..b764b59 Binary files /dev/null and b/servers/anonymity/72.png differ 
diff --git a/servers/anonymity/73.png b/servers/anonymity/73.png new file mode 100644 index 0000000..83028ae Binary files /dev/null and b/servers/anonymity/73.png differ diff --git a/servers/anonymity/8.png b/servers/anonymity/8.png new file mode 100644 index 0000000..2042d48 Binary files /dev/null and b/servers/anonymity/8.png differ diff --git a/servers/anonymity/9.png b/servers/anonymity/9.png new file mode 100644 index 0000000..376c04e Binary files /dev/null and b/servers/anonymity/9.png differ diff --git a/servers/anonymity/index.html b/servers/anonymity/index.html new file mode 100644 index 0000000..957c6e5 --- /dev/null +++ b/servers/anonymity/index.html @@ -0,0 +1,928 @@ + + + + + + + + + + + Anonymity Management + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nothing@nowhere - 2023-10-12

+

Anonymity Management

+

In this tutorial we're going to take a look at how to manage your online Anonymity.

+ +
DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling +

+source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
+
+regarding wear leveling:
+"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
+
+
+ +

This tutorial is based on my previous explanation on OPSEC make sure that you take it into account before proceeding.

+ +

So, we basically want 3 ways to access websites. The first being while using tor, for complete anonymity, to do that we'll use whonix. The second is to do the same but to masquerade it with a non-KYC VPN which will also be acquired anonymously to be used only in the case of a website blocking tor exit nodes, and the last one is without any protection, for websites you cannot use without KYC.

+ +

As a safety measure for Anonymity, there will be a veracrypt hidden partition in use for plausible deniability.

+ +

To prepare the computer for those tasks, we will rely on opensource software to avoid any tracking, we'll remove logs from linux.

+

And lastly, we're going to take a look at how to keep track of your accesses to the websites you access anonymously

+ + +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

First let's make sure all logs get erased upon system shutdown as described in my previous tutorial on host OS hardening (by piping all logs to go to the /tmp/ folder):

+ +

We also make sure that the script to remove logs also includes shutting down the VMs and closes the veracrypt volume just like the emergency shutdown script we detailed in the previous tutorial on homeserver physical security:

+

+
+[ mainpc ] [ /dev/pts/2 ] [~/logremover]
+→ cat /etc/systemd/system/reboot_logremover.service
+[Unit]
+Description=Shutdown Anti forensics
+DefaultDependencies=no
+Before=shutdown.target reboot.target halt.target
+
+[Service]
+Type=oneshot
+ExecStart=/root/shutdown.sh
+TimeoutStartSec=0
+
+[Install]
+WantedBy=shutdown.target reboot.target halt.target
+
+[ mainpc ] [ /dev/pts/2 ] [~/logremover]
+→ cat shutdown.sh
+#!/bin/bash
+
+#remove VMs
+
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-External
+
+#then unmount veracrypt volumes
+
+sudo veracrypt -d  -f
+
+# then cleanup logs
+
+sudo rm -rf /dev/shm/*
+sudo rm -rf /var/log/*
+sudo dmesg -c
+
+
+
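Review bot: in shutdown.sh the last network line repeats `net-undefine Whonix-External`, so `Whonix-Internal` is destroyed but never undefined and its definition survives the shutdown cleanup. Change the second occurrence to `sudo virsh -c qemu:///system net-undefine Whonix-Internal`. The unit runs `/root/shutdown.sh` as a oneshot with no `User=` line, so the `sudo` prefixes are not needed in this script.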

In the shutdown.sh script we also make sure that the VMs are removed, and that the veracrypt volumes are unmounted, before clearing up the logs.

+ +

Next we're going to install libvirt as seen in our previous tutorial on host os hardeninghere:

+

+sudo pacman -S libvirt qemu-full virt-manager dnsmasq bridge-utils
+	
+sudo systemctl enable --now libvirtd
+
+#####################vault.sh:#######################################
+#!/bin/bash
+echo "[+] MOUNTING VAULTS..."
+
+sudo cryptsetup luksOpen /dev/nvme1n1p1 VAULT
+sudo mkdir /run/media/nihilist/VAULT 2>/dev/null
+sudo mount /dev/mapper/VAULT /run/media/nihilist/VAULT
+
+echo "[+] VAULTS MOUNTED"
+###################################################################
+
+usermod -a -G libvirt nihilist
+usermod -a -G kvm nihilist
+
+[root@nowhere ~]# vim /etc/libvirt/libvirtd.conf 
+[root@nowhere ~]# cat /etc/libvirt/libvirtd.conf  | grep sock_group
+unix_sock_group = "libvirt"
+unix_sock_rw_perms = "0770"
+
+sudo chmod 770 -R VMs 
+sudo chown nihilist:libvirt -R VMs 
+
+cat /etc/libvirt/qemu.conf
+group = "libvirt"
+user = "nihilist"
+
+systemctl restart libvirtd.service
+
+virt-manager
+
+
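Review bot: the user name and mount point in this block do not match the rest of the page: `usermod` and `qemu.conf` use `nihilist` and vault.sh mounts at `/run/media/nihilist/VAULT`, while the later prompts show `[sudo] password for nothing:`, the copied files are owned by `nothing`, and `lsblk` reports the volume at `/mnt/VAULT`. Pick one user and one mount path throughout. The vault.sh listing also needs a sentence of introduction or should move out of the libvirt steps, since nothing says why it sits between `systemctl enable --now libvirtd` and `usermod`.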
+ +

Next step we create the veracrypt drives, so use the /dev/sdb harddrive for it:

+

+[ 10.99.99.9/24 ] [ /dev/pts/2 ] [~/Nextcloud/Obsidian]
+→ lsblk
+NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
+sda             8:0    0   1.8T  0 disk
+└─sda1          8:1    0   1.8T  0 part
+sdb             8:16   0 447.1G  0 disk
+sdc             8:32   0   3.6T  0 disk
+└─VAULTBACKUP 253:1    0   3.6T  0 crypt /mnt/VAULTBACKUP
+zram0         254:0    0     4G  0 disk  [SWAP]
+nvme1n1       259:0    0   1.8T  0 disk
+└─nvme1n1p1   259:1    0   1.8T  0 part
+  └─VAULT     253:0    0   1.8T  0 crypt /mnt/VAULT
+nvme0n1       259:2    0 465.8G  0 disk
+├─nvme0n1p1   259:3    0   511M  0 part  /boot
+└─nvme0n1p2   259:4    0 465.3G  0 part  /
+	
+
+ +

Be aware that the 3 VMs we need to place in a veracrypt container all weigh 100GB each so you need 300Gb for all 3 VMs, so you need at least 2x300Gb to replicate the setup in the decoy partition, so pick a 1.2TB harddrive instead, with some additional space so preferably a 1.8TB one just to be safe, unlike as shown below (a 500gb disk which is not enough!)

+
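Review bot: the sizing paragraph mixes `Gb` and `GB` and goes from 2x300 to a 1.2TB recommendation without giving the reason for the doubling. State the arithmetic in one unit and say what the extra space is for, so a reader can size a different number of VMs.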

So let's now setup the hidden partition there:

+

+[ 10.99.99.9/24 ] [ /dev/pts/2 ] [~/Nextcloud/Obsidian]
+→ sudo pacman -S veracrypt
+	
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Now that's done, let's setup the whonix and workstations templates, we will then copy them in the veracrypt harddrive afterward to edit them. So let's go here to download whonix for QEMU:

+ + +

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ mv ~/Downloads/Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz .
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ tar -xvf Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_BINARY_LICENSE_AGREEMENT
+WHONIX_DISCLAIMER
+Whonix-Gateway-Xfce-17.0.3.0.xml
+Whonix-Workstation-Xfce-17.0.3.0.xml
+Whonix_external_network-17.0.3.0.xml
+Whonix_internal_network-17.0.3.0.xml
+Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2
+Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+
+
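Review bot: the archive goes straight from `~/Downloads` to `tar -xvf` with no integrity check, which is the step a reader of an anonymity tutorial most needs to see. Add a step that verifies the download against the signature Whonix publishes before extracting it, and show its output alongside the `tar` listing.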

Next we edit the XML files to have the working VMs, for which we will give 2GB of ram for the gateway, and 4GB of ram for the workstation while also specifying the path to their .qcow2 volumes:

+

+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep GiB
+  <memory dumpCore='off' unit='GiB'>4
+  <currentMemory unit='GiB'>4
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat Whonix-Workstation-Xfce-17.0.3.0.xml| grep source
+      <source file='/mnt/VAULT/ISOs/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+
+
+
+
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat Whonix-Gateway-Xfce-17.0.3.0.xml | grep GiB
+  <memory dumpCore='off' unit='GiB'>2
+  <currentMemory unit='GiB'>2
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
+      <source file='/mnt/VAULT/ISOs/whonix/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+
+
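Review bot: the second `vim` command in this block opens `Whonix-Workstation-Xfce-17.0.3.0.xml` again, but the two `grep` checks after it read `Whonix-Gateway-Xfce-17.0.3.0.xml` (2 GiB and the Gateway qcow2 path). It should be `vim Whonix-Gateway-Xfce-17.0.3.0.xml`, otherwise the reader never edits the file whose values are then shown.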

and now to make things easier let's put a refreshvms.sh script in there to remove and restart the VMs:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ vim refreshvms.sh
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat refreshvms.sh
+#!/bin/bash
+
+#remove VMs
+
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-External
+
+echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
+read
+
+#install VMs
+
+sudo virsh -c qemu:///system net-define Whonix_external*.xml
+sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+sudo virsh -c qemu:///system net-autostart Whonix-External
+sudo virsh -c qemu:///system net-start Whonix-External
+sudo virsh -c qemu:///system net-autostart Whonix-Internal
+sudo virsh -c qemu:///system net-start Whonix-Internal
+sudo virsh -c qemu:///system define Whonix-Gateway*.xml
+sudo virsh -c qemu:///system define Whonix-Workstation*.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ chmod +x refreshvms.sh
+
+
+

then run it:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ ./refreshvms.sh
+error: Failed to destroy domain 'Whonix-Gateway'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation'
+error: Requested operation is not valid: domain is not running
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+
+Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
+
+error: Failed to define network from Whonix_internal_network-17.0.3.0.xml
+error: operation failed: network 'Whonix-Internal' already exists with uuid 48298ccf-9352-4b21-b6c4-17ad13ad1d6d
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
+
+
+
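Review bot: this first refreshvms.sh listing has `net-undefine Whonix-External` twice and no `net-undefine Whonix-Internal`, and the run output after it shows the result: `failed to get network 'Whonix-External'` followed by `network 'Whonix-Internal' already exists with uuid ...`. The later listing of the script has the corrected line, so fix it here as well and regenerate the output, or say in the text that these two errors come from the duplicated line.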

Then launch the VMs from virt-manager:

+ +

let's start with the Gateway:

+ + + + + +

Now that's done you can also finish the initial setup for the workstation:

+ + +

So from here you can use whonix regularly to browse with the tor browser, don't forget to disable javascript and to always keep the browser up to date like so:

+ +

As suggested above, we'll also upgrade the VMs, and to go further we'll install unattended upgrades (note whonix's default system credentials are user:changeme:

+

+$ passwd
+$ sudo -i
+# apt update -y ; apt upgrade -y ; apt autoremove -y
+# apt install unattended-upgrades apt-listchanges -y
+# dpkg-reconfigure -plow unattended-upgrades 
+
+^ select yes there
+	
+
+

Next step is to have the second workstation which will be used as the vpn over tor setup later on so let's copy the .xml and .qcow2 after shutting down the existing workstation:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ ls
+refreshvms.sh                             Whonix_external_network-17.0.3.0.xml            Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
+WHONIX_BINARY_LICENSE_AGREEMENT           Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2  Whonix-Workstation-Xfce-17.0.3.0.xml
+WHONIX_BINARY_LICENSE_AGREEMENT_accepted  Whonix-Gateway-Xfce-17.0.3.0.xml                Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_DISCLAIMER                         Whonix_internal_network-17.0.3.0.xml	
+
+ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cp Whonix-Workstation-Xfce-17.0.3.0.xml Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cp Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2 Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
+
+
+

Then edit the new xml file to match the new VM name:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep Workstation2
+  <name>Whonix-Workstation2</name>
+      <source file='/mnt/VAULT/ISOs/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+	
+
+

Then we include it in the refreshVMs.sh script:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cat refreshvms.sh
+#!/bin/bash
+
+#remove VMs
+
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system destroy Whonix-Workstation2
+
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Workstation2
+
+
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-Internal
+
+
+
+
+echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
+read
+
+#install VMs
+sudo virsh -c qemu:///system net-define Whonix_external*.xml
+sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+
+
+sudo virsh -c qemu:///system net-autostart Whonix-External
+sudo virsh -c qemu:///system net-start Whonix-External
+
+sudo virsh -c qemu:///system net-autostart Whonix-Internal
+sudo virsh -c qemu:///system net-start Whonix-Internal
+
+sudo virsh -c qemu:///system define Whonix-Gateway*.xml
+sudo virsh -c qemu:///system define Whonix-Workstation2*.xml
+sudo virsh -c qemu:///system define Whonix-Workstation-*.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ ./refreshvms.sh
+error: Failed to destroy domain 'Whonix-Gateway'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation2'
+error: Requested operation is not valid: domain is not running
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Domain 'Whonix-Workstation2' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+Network Whonix-Internal has been undefined
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+
+Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
+
+Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
+
+
+
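Review bot: refreshvms.sh now destroys and undefines `Whonix-Workstation2`, but the shutdown.sh listing earlier on the page was not updated and still handles only `Whonix-Gateway` and `Whonix-Workstation`, so the second workstation is not torn down when the log-removal service runs. Add the matching `destroy` and `undefine` lines for `Whonix-Workstation2` there. The `Whonix-Workstation-*.xml` glob also deserves a short comment, since the trailing dash is what keeps it from matching the Workstation2 file as well.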

Then edit the new workstation VM to have the 10.152.152.12 ip by default (since the other one has the 10.152.152.11 ip):

+ + +

Now that our VM templates are done, let's put them on our veracrypt harddrive:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ ./refreshvms.sh
+[sudo] password for nothing:
+Domain 'Whonix-Gateway' destroyed
+
+Domain 'Whonix-Workstation' destroyed
+
+Domain 'Whonix-Workstation2' destroyed
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Domain 'Whonix-Workstation2' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+Network Whonix-Internal has been undefined
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+^C
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ ls
+refreshvms.sh                             Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2       Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
+WHONIX_BINARY_LICENSE_AGREEMENT           Whonix-Gateway-Xfce-17.0.3.0.xml                     Whonix-Workstation-Xfce-17.0.3.0.xml
+WHONIX_BINARY_LICENSE_AGREEMENT_accepted  Whonix_internal_network-17.0.3.0.xml                 Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_DISCLAIMER                         Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
+Whonix_external_network-17.0.3.0.xml      Whonix-Workstation2-Xfce-17.0.3.0.xml
+	
+
+ + +

Once mounted, let's copy them here and launch them:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [VAULT/ISOs/whonix]
+→ cd /media/veracrypt1
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cp /mnt/VAULT/ISOs/whonix/* .
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ ls -lash
+total 21G
+4.0K drwxr-xr-x 2 nothing nothing 4.0K Oct  8 13:35 .
+4.0K drwxr-xr-x 3 root    root    4.0K Oct  8 13:34 ..
+4.0K -rwxr-xr-x 1 nothing nothing 1.2K Oct  8 13:35 refreshvms.sh
+ 40K -rw-r--r-- 1 nothing nothing  39K Oct  8 13:35 WHONIX_BINARY_LICENSE_AGREEMENT
+   0 -rw-r--r-- 1 nothing nothing    0 Oct  8 13:35 WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+8.0K -rw-r--r-- 1 nothing nothing 4.1K Oct  8 13:35 WHONIX_DISCLAIMER
+4.0K -rw-r--r-- 1 nothing nothing  172 Oct  8 13:35 Whonix_external_network-17.0.3.0.xml
+5.2G -rw-r--r-- 1 nothing nothing 101G Oct  8 13:35 Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2
+4.0K -rw-r--r-- 1 nothing nothing 2.4K Oct  8 13:35 Whonix-Gateway-Xfce-17.0.3.0.xml
+4.0K -rw-r--r-- 1 nothing nothing   97 Oct  8 13:35 Whonix_internal_network-17.0.3.0.xml
+6.9G -rw-r--r-- 1 nothing nothing 101G Oct  8 13:35 Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
+4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct  8 13:35 Whonix-Workstation2-Xfce-17.0.3.0.xml
+7.0G -rw-r--r-- 1 nothing nothing 101G Oct  8 13:35 Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
+4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct  8 13:35 Whonix-Workstation-Xfce-17.0.3.0.xml
+1.3G -rw-r--r-- 1 nothing nothing 1.3G Oct  8 13:35 Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+
+
+

Now that's done, you need to edit each XML to make sure it has the correct path in it:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Gateway-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
+      <source file='/media/veracrypt1/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep source
+      <source file='/media/veracrypt1/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep source
+      <source file='/media/veracrypt1/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+	
+
+
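Review bot: the two Workstation `source` paths point at `/media/veracrypt1/whonix/...`, but the files were copied with `cp /mnt/VAULT/ISOs/whonix/* .` into `/media/veracrypt1` itself and the `ls -lash` output shows no `whonix` subdirectory; only the Gateway path matches where the images are. Drop the `whonix/` component from both Workstation paths. The same three `grep source` results are repeated in the hidden-volume listing further down and need the same fix.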

Then you can use the VMs using the refreshvms.sh script:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ ./refreshvms.sh
+[sudo] password for nothing:
+error: failed to get domain 'Whonix-Gateway'
+
+error: failed to get domain 'Whonix-Workstation'
+
+error: failed to get domain 'Whonix-Workstation2'
+
+error: failed to get domain 'Whonix-Gateway'
+
+error: failed to get domain 'Whonix-Workstation'
+
+error: failed to get domain 'Whonix-Workstation2'
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+error: failed to get network 'Whonix-Internal'
+error: Network not found: no network with matching name 'Whonix-Internal'
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+error: failed to get network 'Whonix-Internal'
+error: Network not found: no network with matching name 'Whonix-Internal'
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+
+
+Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
+
+Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
+	
+
+

Now with this if you are forced to give away the password for that harddrive, you can give them this decoy partition, and they'll find the whonix VMs you've copied there.

+

So now dismount the veracrypt partition, to do that you need to first remove the VMs with the script, and then you need to EXIT the folder, otherwise it'll complain and tell you that the target drive is busy and can't be unmounted:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ ./refreshvms.sh
+error: Failed to destroy domain 'Whonix-Gateway'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation'
+error: Requested operation is not valid: domain is not running
+
+error: Failed to destroy domain 'Whonix-Workstation2'
+error: Requested operation is not valid: domain is not running
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Domain 'Whonix-Workstation2' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+Network Whonix-Internal has been undefined
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+^C
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cd ..
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media]
+→
+
+ +

Now that's done for the decoy partition, we do the same for the hidden partition:

+ + +

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media]
+→ cd veracrypt1
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cp /mnt/VAULT/ISOs/whonix/* .
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ ls
+refreshvms.sh                             Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2       Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2
+WHONIX_BINARY_LICENSE_AGREEMENT           Whonix-Gateway-Xfce-17.0.3.0.xml                     Whonix-Workstation-Xfce-17.0.3.0.xml
+WHONIX_BINARY_LICENSE_AGREEMENT_accepted  Whonix_internal_network-17.0.3.0.xml                 Whonix-Xfce-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_DISCLAIMER                         Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2
+Whonix_external_network-17.0.3.0.xml      Whonix-Workstation2-Xfce-17.0.3.0.xml
+	
+
+

Then edit the paths again:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Gateway-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ vim Whonix-Workstation-Xfce-17.0.3.0.xml
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Gateway-Xfce-17.0.3.0.xml| grep source
+      <source file='/media/veracrypt1/Whonix-Gateway-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Workstation2-Xfce-17.0.3.0.xml | grep source
+      <source file='/media/veracrypt1/whonix/Whonix-Workstation2-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+
+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ cat Whonix-Workstation-Xfce-17.0.3.0.xml | grep source
+      <source file='/media/veracrypt1/whonix/Whonix-Workstation-Xfce-17.0.3.0.Intel_AMD64.qcow2'/>
+	
+
+

Then start the VMs:

+

+[ 10.99.99.9/24 ] [ /dev/pts/23 ] [/media/veracrypt1]
+→ ./refreshvms.sh
+[sudo] password for nothing:
+error: failed to get domain 'Whonix-Gateway'
+
+error: failed to get domain 'Whonix-Workstation'
+
+error: failed to get domain 'Whonix-Workstation2'
+
+error: failed to get domain 'Whonix-Gateway'
+
+error: failed to get domain 'Whonix-Workstation'
+
+error: failed to get domain 'Whonix-Workstation2'
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+error: failed to get network 'Whonix-Internal'
+error: Network not found: no network with matching name 'Whonix-Internal'
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+error: failed to get network 'Whonix-Internal'
+error: Network not found: no network with matching name 'Whonix-Internal'
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+
+Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
+
+Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation2' defined from Whonix-Workstation2-Xfce-17.0.3.0.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-Xfce-17.0.3.0.xml
+	
+
+

You need to keep in mind that currently we have not given out any information about ourselves, other than we've used Tor. We won't stop there, and in order to use a VPN anonymously, you need to acquire it through Tor, buy it with Monero, and force the VPN Connection itself through Tor. Cherry on top is that we're going to use a well-used VPN service, so we won't be the only user with that public VPN ip. But what matters is that we do not give any information about us to the VPN provider. If the VPN provider forces you to provide anything personal (if the vpn provider blocks tor connections, or forces you to buy it with something else than monero), then it would not truly be a non-KYC VPN provider, and thus it's against your privacy. That's the only way you can find out which ones are all just marketing.

+ +

Now that's done we can go find a vpn provider for the workstation2, let's try out the very praised mullvad vpn provider here, Firstly because it's a non-KYC VPN provider (meaning you can acquire it and use it through Tor, and pay with Monero), also due to the fact that we won't be the only ones using that service, it means we won't need to change the VPN server when we want to have another identity online. On top of that, mullvad gives us the ability to connect to a random server of theirs, via openvpn via TCP on port 443, which is definitely neat because it mimicks web HTTPS traffic, and isn't blockable by tor exit node hosters (which is definitely a trend, most of them block ports that are suceptible to abuse, 443 https being the least likely of them):

+ + +

now to not loose your accesses , make sure to save credentials in a local keepass database on the VM.

+ + + +

Now let's add time to our account, and of course we will pay with the only cryptocurrency that's used:

+ + +

To get some monero you can buy it on localmonero.co, and make sure it arrives on your monero wallet inside the whonix VM, never trust centralised exchanges with your assets, always keep them locally.

+ +

Once it finishes installing, create your monero wallet:

+ +

Then say no to mining and use an onion-based monero daemon, like the one i'm hosting, you can find a full list of other ones here:

+ +

Wait for it to finish synchronizing, then get some monero from a vendor on localmonero.co (by giving them a wallet address you'd have created:

+ + +

Once you've paid, download the .ovpn file to connect via vpn:

+ +

Then unzip and let's now make sure the vpn goes through tor:

+ + +

To do that we need to make sure the VPN goes through the local SOCKS port 9050, and to mention the entry node which is the gateway 10.152.152.10:

+ +

before we launch it keep in mind this:

+DISCLAIMER: While on a VPN, DO NOT use the tor browser, this will make the entire tor browsing visible from the VPN server. In this particular setup you need to use Firefox while the VPN connection is active!!! Make sure that all tor-related applications are shutdown before starting the VPN. I suggest to close everything, and then only have the terminal and firefox open before launching the VPN. + +

Then launch the VPN and you can then see that you no longer have a tor exit node IP:

+ + +

Now check your ip from Firefox, not the tor browser:

+ +

You can also check if there are any DNS leaks:

+ +

here we see the test revealed a dns ip leak, but upon checking (in shodan.io) we see that it's a tor exit IP address:

+ +

We can also check if there are any WebRTC leaks:

+ +

and there we see that there are no webRTC leaks either, so it's all good.

+

To make sure the vpn is started automatically we can make it a systemd service:

+

+root@workstation:~# cat /etc/systemd/system/vpn.service
+[Unit]
+Description=VPN
+After=network-online.target
+Wants=network-online.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=simple
+WorkingDirectory=/home/user/Desktop/mullvad_config_linux_nl_ams/
+ExecStart=/usr/sbin/openvpn /home/user/Desktop/mullvad_config_linux_nl_ams/mullvad_nl_ams.conf
+ExecStop=kill -9 $(pidof openvpn)
+Restart=always
+
+root@workstation:~# systemctl daemon-reload ; systemctl enable --now vpn.service ; systemctl restart vpn.service
+
+
+ +

Now thanks to that, you can still browse websites anonymously in case if they block tor exit nodes.

+
+
+
+
+ +
+
+
+
+ +
+
+
+
+ + + +
+
+
+
+

Anonymity management



+

To implement Anonymity Management, simply ask yourselves the following questions:

+

First question to answer is "Is the activity Sensitive, and will I need to be able to deny it's existence ?" If the answer is no, then we have the following questions:

+ +

If the website requires you to give it your home address like Amazon for example, you can forget trying to be anonymous because you'll anyway need to de-anonymize yourself with your actions, no matter how you accessed the website.

+

If the website doesn't block tor exit nodes, browse it via the Whonix VMs. But if it does, then use the VPN through Tor setup to circumvent the blockage.

+

And lastly, for all websites you browsed to anonymously, make sure you log it to have an global view of your online anonymity.

+ +

If your activities are sensitive enough that you need to be able to deny their existence, then we make use of veracrypt's plausible deniability features, and we open the whonix VMs from inside the hidden partition.

+

And there the same questions apply, but you better remain anonymous while you conduct said sensitive activities.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
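Review bot: In the vpn.service unit, `ExecStop=kill -9 $(pidof openvpn)` will not behave as written, because systemd does not pass Exec lines through a shell and `$(pidof openvpn)` is never expanded as a command substitution. Drop the ExecStop line and let systemd stop the tracked main process itself: with Type=simple it already knows the openvpn PID and sends SIGTERM on stop, which lets openvpn shut down cleanly instead of being SIGKILLed. Separately, the `grep source` output earlier in this hunk shows the Gateway image at /media/veracrypt1/ while both Workstation images sit under /media/veracrypt1/whonix/; confirm that split is intended before refreshvms.sh defines the domains.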
+ + + + + + + diff --git a/servers/anonymity/old.html b/servers/anonymity/old.html new file mode 100644 index 0000000..59d1fa4 --- /dev/null +++ b/servers/anonymity/old.html @@ -0,0 +1,309 @@ + + + + + + + + + + + anonymity Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nothing@nowhere - 2023-09-24

+

anonymity Setup

+

In this tutorial we're going to take a look at how to manage your online Anonymity.

+ +

We want 3 ways to access websites. The first being while using tor, for complete anonymity. The second is to do the same but to masquerade it with a non-KYC VPN which will also be acquired anonymously, and the last is without any protection.

+ +

As a preventive measure, we're going to separate each VMs using VLANs, so that there's a clear separation between any KYC VMs, and VMs used for anonymity. To do so there will be 3 separate VLANs, one being for Anonymity purposes, and the others for KYC use. +For Anonymity, there will be a veracrypt hidden partition in use for plausible deniability.

+ +

To prepare the computer for those tasks, we will rely on opensource software to avoid any tracking, we'll remove logs from arch linux, and from pfsense.

+

And lastly, we're going to take a look at how to keep track of your accesses to the websites you access anonymously

+ + +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

First let's make sure all logs get erased upon system shutdown (by piping all logs to go to the /tmp/ folder):

+

+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/var]
+→ sudo rm -rf log
+[sudo] password for nothing:
+
+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/var]
+→ sudo ln -s /tmp/ /var/log
+
+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/var]
+→ ls -lash log
+0 lrwxrwxrwx 1 root root 5 Sep 24 18:43 log -> /tmp/
+	
+
+ +

Next we're going to install libvirti as seen here:

+

+sudo pacman -S libvirt qemu virt-manager dnsmasq bridge-utils
+	
+sudo systemctl enable --now libvirtd
+
+virt-manager
+
+
+

Then create the 2 separate LANs for the VMs in virt-manager like so:

+ + + +

Then you're going to need to create the pfsense VM, so first get the iso from the official website:

+ +

+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/var]
+→ cd /mnt/VAULT/ISOs
+
+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/mnt/VAULT/ISOs]
+→ mv ~/Downloads/pfSense-CE-2.7.0-RELEASE-amd64.iso.gz .
+
+[ 10.99.99.9/24 ] [ /dev/pts/31 ] [/mnt/VAULT/ISOs]
+→ ls -lash | grep pfSense
+730M -rw-r--r--  1 nothing      nothing      730M Sep 24 19:16 pfSense-CE-2.7.0-RELEASE-amd64.iso
+	
+
+

Then create the VM:

+ + + + +

Before installing the VM we will setup the 3 network cards it will handle: The default WAN, and the 2 LANs

+ + + + +

Now let's start installing the pfsense VM:

+ + + + + + + +

And now that's done, next step is to make sure pfsense handles the 2 VLANs properly:

+ + + + +

Then we set the ip addresses of each interface, starting with the LAN-KYC VLAN:

+ + + + +

Then do the same for the LAN-ANON VLAN:

+ + + +

For this next step, we're going to put a VM in the KYC vlan to finish the pfsense router setup

+ + +

From there, it's a matter of setting up pfsense:

+ + + + + +

To change the pfsense theme to a dark theme, go in System > General Setup > webConfiguratior > Theme > set to pfsense-dark

+ +

As you've seen above, we've set 2 temporary public dns servers, so next we're going to setup 2 local TOR DNS servers, which will allow the VMs to resolve any domain anonymously.

+ +

Once done, we make sure that pfsense takes these 2 dns servers, and only uses them, will also setup firewall rules to deny any other dns traffic.

+ +

Here you can see it's working fine:

+ +

Then shutdown the VM, clone it and you'll have the 2 tor DNSes working.

+ +

Next just put them in the anon VLAN:

+ + +

Once in there, we make sure that they are DHCP reserved so their ip won't change over time:

+ + + +

Then do the same for the other tordns:

+ + +

Then from the firewall, we allow the whole subnet to communicate to tordns1 and 2, because they will also be the bridge nodes, and we allow the tordns 1 and 2 servers to connect anywhere with any protocol. +That way, the only traffic that can escape from the anon subnet, will only be through these 2 servers, that will prevent any data leak from happening.

+

+	
+
+

+

+	
+
+

+

+	
+
+

+

+	
+
+

+

+	
+
+
+
+
+
+ +
+
+
+
+

Setup



+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Setup



+

+

+	
+
+ +

+

+	
+
+ +

+

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
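Review bot: In Initial Setup, `sudo rm -rf log` followed by `sudo ln -s /tmp/ /var/log` only erases logs at shutdown if /tmp is a tmpfs, and the page never states that assumption. It also drops every system log into a directory that is world-writable and shared with all local users. Say explicitly that /tmp must be RAM-backed, or suggest a dedicated root-owned tmpfs mounted on /var/log, which gives the same wipe-on-shutdown behaviour without mixing logs into /tmp. Two documentation gaps in the same file: the ISO step moves pfSense-CE-2.7.0-RELEASE-amd64.iso.gz but the following `ls` shows the .iso with no decompression command in between, and the two trailing "Setup" sections are empty and should be filled in or removed before merging.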
+ + + + + + + diff --git a/servers/anonymity/old/10.png b/servers/anonymity/old/10.png new file mode 100644 index 0000000..175578e Binary files /dev/null and b/servers/anonymity/old/10.png differ diff --git a/servers/anonymity/old/11.png b/servers/anonymity/old/11.png new file mode 100644 index 0000000..79ffa76 Binary files /dev/null and b/servers/anonymity/old/11.png differ diff --git a/servers/anonymity/old/12.png b/servers/anonymity/old/12.png new file mode 100644 index 0000000..7a742c2 Binary files /dev/null and b/servers/anonymity/old/12.png differ diff --git a/servers/anonymity/old/13.png b/servers/anonymity/old/13.png new file mode 100644 index 0000000..1963335 Binary files /dev/null and b/servers/anonymity/old/13.png differ diff --git a/servers/anonymity/old/14.png b/servers/anonymity/old/14.png new file mode 100644 index 0000000..04648c7 Binary files /dev/null and b/servers/anonymity/old/14.png differ diff --git a/servers/anonymity/old/15.png b/servers/anonymity/old/15.png new file mode 100644 index 0000000..b21c44c Binary files /dev/null and b/servers/anonymity/old/15.png differ diff --git a/servers/anonymity/old/16.png b/servers/anonymity/old/16.png new file mode 100644 index 0000000..e5a3970 Binary files /dev/null and b/servers/anonymity/old/16.png differ diff --git a/servers/anonymity/old/17.png b/servers/anonymity/old/17.png new file mode 100644 index 0000000..45b3b4c Binary files /dev/null and b/servers/anonymity/old/17.png differ diff --git a/servers/anonymity/old/18.png b/servers/anonymity/old/18.png new file mode 100644 index 0000000..4016034 Binary files /dev/null and b/servers/anonymity/old/18.png differ diff --git a/servers/anonymity/old/19.png b/servers/anonymity/old/19.png new file mode 100644 index 0000000..91cedf2 Binary files /dev/null and b/servers/anonymity/old/19.png differ 
diff --git a/servers/anonymity/old/20.png b/servers/anonymity/old/20.png new file mode 100644 index 0000000..d411970 Binary files /dev/null and b/servers/anonymity/old/20.png differ diff --git a/servers/anonymity/old/21.png b/servers/anonymity/old/21.png new file mode 100644 index 0000000..dac75ea Binary files /dev/null and b/servers/anonymity/old/21.png differ diff --git a/servers/anonymity/old/22.png b/servers/anonymity/old/22.png new file mode 100644 index 0000000..866ad5a Binary files /dev/null and b/servers/anonymity/old/22.png differ diff --git a/servers/anonymity/old/23.png b/servers/anonymity/old/23.png new file mode 100644 index 0000000..b350210 Binary files /dev/null and b/servers/anonymity/old/23.png differ diff --git a/servers/anonymity/old/24.png b/servers/anonymity/old/24.png new file mode 100644 index 0000000..a03884a Binary files /dev/null and b/servers/anonymity/old/24.png differ diff --git a/servers/anonymity/old/25.png b/servers/anonymity/old/25.png new file mode 100644 index 0000000..c5bba9b Binary files /dev/null and b/servers/anonymity/old/25.png differ diff --git a/servers/anonymity/old/26.png b/servers/anonymity/old/26.png new file mode 100644 index 0000000..f49616e Binary files /dev/null and b/servers/anonymity/old/26.png differ diff --git a/servers/anonymity/old/27.png b/servers/anonymity/old/27.png new file mode 100644 index 0000000..ba6a8f5 Binary files /dev/null and b/servers/anonymity/old/27.png differ diff --git a/servers/anonymity/old/28.png b/servers/anonymity/old/28.png new file mode 100644 index 0000000..a7020d9 Binary files /dev/null and b/servers/anonymity/old/28.png differ diff --git a/servers/anonymity/old/29.png b/servers/anonymity/old/29.png new file mode 100644 index 0000000..007363b Binary files /dev/null and b/servers/anonymity/old/29.png differ diff --git a/servers/anonymity/old/3.png b/servers/anonymity/old/3.png new file mode 100644 index 0000000..ebbeae8 Binary files /dev/null and b/servers/anonymity/old/3.png differ 
diff --git a/servers/anonymity/old/30.png b/servers/anonymity/old/30.png new file mode 100644 index 0000000..ce3c2e5 Binary files /dev/null and b/servers/anonymity/old/30.png differ diff --git a/servers/anonymity/old/31.png b/servers/anonymity/old/31.png new file mode 100644 index 0000000..608430b Binary files /dev/null and b/servers/anonymity/old/31.png differ diff --git a/servers/anonymity/old/32.png b/servers/anonymity/old/32.png new file mode 100644 index 0000000..14b03c4 Binary files /dev/null and b/servers/anonymity/old/32.png differ diff --git a/servers/anonymity/old/33.png b/servers/anonymity/old/33.png new file mode 100644 index 0000000..350cd59 Binary files /dev/null and b/servers/anonymity/old/33.png differ diff --git a/servers/anonymity/old/34.png b/servers/anonymity/old/34.png new file mode 100644 index 0000000..3e604c4 Binary files /dev/null and b/servers/anonymity/old/34.png differ diff --git a/servers/anonymity/old/35.png b/servers/anonymity/old/35.png new file mode 100644 index 0000000..9c41364 Binary files /dev/null and b/servers/anonymity/old/35.png differ diff --git a/servers/anonymity/old/36.png b/servers/anonymity/old/36.png new file mode 100644 index 0000000..b02e830 Binary files /dev/null and b/servers/anonymity/old/36.png differ diff --git a/servers/anonymity/old/37.png b/servers/anonymity/old/37.png new file mode 100644 index 0000000..0f9c045 Binary files /dev/null and b/servers/anonymity/old/37.png differ diff --git a/servers/anonymity/old/38.png b/servers/anonymity/old/38.png new file mode 100644 index 0000000..946b210 Binary files /dev/null and b/servers/anonymity/old/38.png differ diff --git a/servers/anonymity/old/39.png b/servers/anonymity/old/39.png new file mode 100644 index 0000000..dc0972b Binary files /dev/null and b/servers/anonymity/old/39.png differ diff --git a/servers/anonymity/old/4.png b/servers/anonymity/old/4.png new file mode 100644 index 0000000..5953921 Binary files /dev/null and b/servers/anonymity/old/4.png differ 
diff --git a/servers/anonymity/old/40.png b/servers/anonymity/old/40.png new file mode 100644 index 0000000..d00dcef Binary files /dev/null and b/servers/anonymity/old/40.png differ diff --git a/servers/anonymity/old/41.png b/servers/anonymity/old/41.png new file mode 100644 index 0000000..5340a17 Binary files /dev/null and b/servers/anonymity/old/41.png differ diff --git a/servers/anonymity/old/42.png b/servers/anonymity/old/42.png new file mode 100644 index 0000000..ad84fd8 Binary files /dev/null and b/servers/anonymity/old/42.png differ diff --git a/servers/anonymity/old/43.png b/servers/anonymity/old/43.png new file mode 100644 index 0000000..bc28fb6 Binary files /dev/null and b/servers/anonymity/old/43.png differ diff --git a/servers/anonymity/old/44.png b/servers/anonymity/old/44.png new file mode 100644 index 0000000..8b5fade Binary files /dev/null and b/servers/anonymity/old/44.png differ diff --git a/servers/anonymity/old/45.png b/servers/anonymity/old/45.png new file mode 100644 index 0000000..05d2d5c Binary files /dev/null and b/servers/anonymity/old/45.png differ diff --git a/servers/anonymity/old/46.png b/servers/anonymity/old/46.png new file mode 100644 index 0000000..bec0028 Binary files /dev/null and b/servers/anonymity/old/46.png differ diff --git a/servers/anonymity/old/47.png b/servers/anonymity/old/47.png new file mode 100644 index 0000000..07e2756 Binary files /dev/null and b/servers/anonymity/old/47.png differ diff --git a/servers/anonymity/old/48.png b/servers/anonymity/old/48.png new file mode 100644 index 0000000..5b913f9 Binary files /dev/null and b/servers/anonymity/old/48.png differ diff --git a/servers/anonymity/old/49.png b/servers/anonymity/old/49.png new file mode 100644 index 0000000..a603176 Binary files /dev/null and b/servers/anonymity/old/49.png differ diff --git a/servers/anonymity/old/5.png b/servers/anonymity/old/5.png new file mode 100644 index 0000000..50447f1 Binary files /dev/null and b/servers/anonymity/old/5.png differ 
diff --git a/servers/anonymity/old/50.png b/servers/anonymity/old/50.png new file mode 100644 index 0000000..ed8bb23 Binary files /dev/null and b/servers/anonymity/old/50.png differ diff --git a/servers/anonymity/old/51.png b/servers/anonymity/old/51.png new file mode 100644 index 0000000..a3ccf35 Binary files /dev/null and b/servers/anonymity/old/51.png differ diff --git a/servers/anonymity/old/52.png b/servers/anonymity/old/52.png new file mode 100644 index 0000000..1b44848 Binary files /dev/null and b/servers/anonymity/old/52.png differ diff --git a/servers/anonymity/old/53.png b/servers/anonymity/old/53.png new file mode 100644 index 0000000..9b3988b Binary files /dev/null and b/servers/anonymity/old/53.png differ diff --git a/servers/anonymity/old/54.png b/servers/anonymity/old/54.png new file mode 100644 index 0000000..5be8a52 Binary files /dev/null and b/servers/anonymity/old/54.png differ diff --git a/servers/anonymity/old/55.png b/servers/anonymity/old/55.png new file mode 100644 index 0000000..ac98c7d Binary files /dev/null and b/servers/anonymity/old/55.png differ diff --git a/servers/anonymity/old/56.png b/servers/anonymity/old/56.png new file mode 100644 index 0000000..c5b6740 Binary files /dev/null and b/servers/anonymity/old/56.png differ diff --git a/servers/anonymity/old/57.png b/servers/anonymity/old/57.png new file mode 100644 index 0000000..3969f97 Binary files /dev/null and b/servers/anonymity/old/57.png differ diff --git a/servers/anonymity/old/6.png b/servers/anonymity/old/6.png new file mode 100644 index 0000000..ffb449e Binary files /dev/null and b/servers/anonymity/old/6.png differ diff --git a/servers/anonymity/old/7.png b/servers/anonymity/old/7.png new file mode 100644 index 0000000..8e4c87f Binary files /dev/null and b/servers/anonymity/old/7.png differ diff --git a/servers/anonymity/old/8.png b/servers/anonymity/old/8.png new file mode 100644 index 0000000..70927c7 Binary files /dev/null and b/servers/anonymity/old/8.png differ 
diff --git a/servers/anonymity/old/9.png b/servers/anonymity/old/9.png new file mode 100644 index 0000000..42fa57e Binary files /dev/null and b/servers/anonymity/old/9.png differ diff --git a/servers/anonymityexplained/1.png b/servers/anonymityexplained/1.png new file mode 100644 index 0000000..a1a2bec Binary files /dev/null and b/servers/anonymityexplained/1.png differ diff --git a/servers/anonymityexplained/2.png b/servers/anonymityexplained/2.png new file mode 100644 index 0000000..fd02027 Binary files /dev/null and b/servers/anonymityexplained/2.png differ diff --git a/servers/anonymityexplained/index.html b/servers/anonymityexplained/index.html new file mode 100644 index 0000000..949bd69 --- /dev/null +++ b/servers/anonymityexplained/index.html @@ -0,0 +1,212 @@ + + + + + + + + + + + What is Anonymity ? Why is it Important ? + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-29

+

What is Anonymity ? Why is it Important ?

+ +
+
+
+
+ + +
+
+
+
+

What is Anonymity ?

+

Anonymity is the absence of Identification (or Onymity), it is when individuals are indistinguishable from each other, they all look the same.

+ +

In short, Anonymity means you are not identified. In this example, Someone hid their identity, and is talking to Alice. That someone is anonymous until Jack can figure out who that person is.

+

Anonymity is extremely fragile when that Someone is not implementing strict OPSEC practices, relating to:

+
    +
  1. Using the correct Technology: (What is that Someone using, to protect their Anonymity ? (A mask, a Coat, a mask / the Tor network, i2p, etc))

  2. +
  3. Using the correct Behavior: (By that Someone's actions, they are not revealing who they are. (They are not saying they are Walter Hartwell White living at XYZ)

  4. +
+

DISCLAIMER: That Someone remains Anonymous UNTIL THEY MAKE ONE OPSEC MISTAKE !

+

Keep in mind that maintaining Anonymity is a much stricter practice than that of maintaining Privacy, as you will see, more threat vectors come into the picture.

+
+
+
+
+ +
+
+
+
+

The Enemies of Anonymity: Surveillance, KYC procedures and Centralisation



+

The first the and foremost enemy of Anonymity is Surveillance of any kind. Privacy is a REQUIREMENT if you want Anonymity.

+

+Example: 
+
+Jack is surveilling Bob 24/7. He sees that Bob purchases a mask and a coat, He sees that Bob wears the mask to then go outside to do something sketchy.
+	
+Conclusion:
+
+Because Bob did not have Privacy from Jack in the first place, Bob cannot have Anonymity either.
+
+
+

Surveillance CANNOT be tolerated when you want Anonymity. So before you try to learn to be anonymous online, learn why and how to get Privacy online here.

+ +

The other major enemy of Anonymity is Know Your Customer (KYC) Procedures, these are ways for services to force their customers to identify themselves, wether they like it or not.

+

+Example:
+
+Jack owns an online service (such as a centralised crypto exchange), he accumulated a large userbase over the years, over 1000 active users. The government where Jack operates is ramping up their financial regulations on businesses, and now Jack is being forced to identify all of it's users using standard KYC procedures
+
+Bob (an user on the website) that was anonymous up until that point, is now forced to do the following if he wants to keep using the platform:
+1) state his real life name
+2) his date of birth
+3) his home address
+4) send photos of his identity card
+5) send photos of his face (facial left, front and right sides)
+
+Conclusion:
+	
+Jack is either forced to identify his users or go out of business
+Bob is either forced to identify himself or stop using the service
+
+All of it because the government intends to destroy Bob's right to remain Anonymous online.
+
+
+

But the root cause of surveillance and KYC procedures, is that every centralised entity (any public or private business) will be eventually forced to comply to their government's requests, at the expense of their users.

+

There are only 2 possible long-term outcomes for Centralisation:

+
    +
  1. Act as a governmental proxy to enforce regulations/agendas, at the expense of users' rights

  2. +
  3. Or be forced out of business altogether.

  4. +
+ + +

To be able to achieve Anonymity, you need Privacy, and at least some level of Decentralisation (in the case of anonymization networks like Tor for instance), as we will see in our next tutorials.

+
+
+
+
+ + + +
+
+
+
+

Why is Anonymity Important ?



+

In a way, Anonymity is an improvement over Privacy. In the sense that Privacy is about being about to seclude yourself or information about yourself. Anonymity is the logical next step to Privacy, Where you not only just conceal what your actions are, but also who you are.

+

Depending on the context, especially if you are living in a dictatorship, Anonymity is vital for you to act freely, out of the grasp of adversaries.

+

As we have discussed previously, for a government's laws to be respected, they need to be enforced.

+ +

And for the laws to be enforced, governments need:

+
    +
  1. To know what happened (lack of Privacy, using Surveillance )

  2. +
  3. To know who did it (lack of Anonymity, using KYC procedures )

  4. +
+

Governmental control as a concept itself rests upon these fundamental 2 pillars, the detriment of the individual's Privacy, and Anonymity.

+

In order to regain the control you lost to dictatorships, you first need Privacy, and then you need Anonymity.

+

Most governments want to control the public opinion through opression and censorship, Journalism is one of the most demanding sectors in terms of Anonymity, especially in authoritarian/dictatorship governments where censorship is omnipresent, for them, very sadly, Anonymity is the difference-maker between life and death in those areas of the world.

+ +

For instance, the Freedom of the Press index is a great indicator to tell if you are living in a country that employs censorship as a means to control the population or not. Make no mistake, Governments are often ready to murder journalists to protect their public image, like in Mexico: [1] [2].

+

Essentially, the idea is to reduce your attack surface as much as possible, given the context of near-omnipresent surveillance, Privacy has it's limits, and Anonymity very often becomes the only way out of opression. If noone knows who did something, there can't be any repercussions for the perpetrating party.

+

In a way, Anonymity is superior to Privacy because whatever happened may have been hidden thanks to Privacy, but it may be discovered at a later point in time. Anonymity on the other hand, if maintained, remains a permanent way to act without any repercussions.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
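Review bot: In the "What is Anonymity ?" list, the Technology item names "a mask" twice ("A mask, a Coat, a mask / the Tor network, i2p, etc") and the Behavior item opens two parentheses but closes only one; please fix both. The same file has several typos worth correcting in this pass: "The first the and foremost", "wether", "opression" (twice), "noone", "Privacy has it's limits", "all of it's users", and "being about to seclude".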
+ + + + + + + diff --git a/servers/anonymousremoteserver/1.png b/servers/anonymousremoteserver/1.png new file mode 100644 index 0000000..c67c32f Binary files /dev/null and b/servers/anonymousremoteserver/1.png differ diff --git a/servers/anonymousremoteserver/10.png b/servers/anonymousremoteserver/10.png new file mode 100644 index 0000000..1064f80 Binary files /dev/null and b/servers/anonymousremoteserver/10.png differ diff --git a/servers/anonymousremoteserver/11.png b/servers/anonymousremoteserver/11.png new file mode 100644 index 0000000..065a560 Binary files /dev/null and b/servers/anonymousremoteserver/11.png differ diff --git a/servers/anonymousremoteserver/12.png b/servers/anonymousremoteserver/12.png new file mode 100644 index 0000000..f69835d Binary files /dev/null and b/servers/anonymousremoteserver/12.png differ diff --git a/servers/anonymousremoteserver/13.png b/servers/anonymousremoteserver/13.png new file mode 100644 index 0000000..50adc21 Binary files /dev/null and b/servers/anonymousremoteserver/13.png differ diff --git a/servers/anonymousremoteserver/2.png b/servers/anonymousremoteserver/2.png new file mode 100644 index 0000000..c7d925e Binary files /dev/null and b/servers/anonymousremoteserver/2.png differ diff --git a/servers/anonymousremoteserver/3.png b/servers/anonymousremoteserver/3.png new file mode 100644 index 0000000..271d176 Binary files /dev/null and b/servers/anonymousremoteserver/3.png differ diff --git a/servers/anonymousremoteserver/4.png b/servers/anonymousremoteserver/4.png new file mode 100644 index 0000000..5d6fee1 Binary files /dev/null and b/servers/anonymousremoteserver/4.png differ diff --git a/servers/anonymousremoteserver/5.png b/servers/anonymousremoteserver/5.png new file mode 100644 index 0000000..16ec5ae Binary files /dev/null and b/servers/anonymousremoteserver/5.png differ 
diff --git a/servers/anonymousremoteserver/6.png b/servers/anonymousremoteserver/6.png new file mode 100644 index 0000000..ccb2812 Binary files /dev/null and b/servers/anonymousremoteserver/6.png differ diff --git a/servers/anonymousremoteserver/7.png b/servers/anonymousremoteserver/7.png new file mode 100644 index 0000000..89c796c Binary files /dev/null and b/servers/anonymousremoteserver/7.png differ diff --git a/servers/anonymousremoteserver/8.png b/servers/anonymousremoteserver/8.png new file mode 100644 index 0000000..91377b7 Binary files /dev/null and b/servers/anonymousremoteserver/8.png differ diff --git a/servers/anonymousremoteserver/9.png b/servers/anonymousremoteserver/9.png new file mode 100644 index 0000000..b294c7e Binary files /dev/null and b/servers/anonymousremoteserver/9.png differ diff --git a/servers/anonymousremoteserver/index.html b/servers/anonymousremoteserver/index.html new file mode 100644 index 0000000..45980d3 --- /dev/null +++ b/servers/anonymousremoteserver/index.html @@ -0,0 +1,231 @@ + + + + + + + + + + + Acquiring remote servers anonymously (non-KYC providers) + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-05-02

+

Acquiring remote servers anonymously (non-KYC providers)

+ +
+
+
+
+ + +
+
+
+
+

Finding out a non-KYC Cloud Provider and Email Provider

+

As we discussed previously, KYC is out of the question if you want to remain anonymous. So you need to find a cloud provider that allows you to rent servers without any KYC.

+

To find one you can go on kycnot.me:

+ +

the current one I use for my services is ServersGuru, as they can resell popular cloud providers like hetzner.

+

In our example below we'll use Cockbox. but first thing we need is a non-KYC email provider, to do so we could follow Privacy Guides' recommendation and create an account on Tuta, but for simplicity i'll use a temporary email from https://tmail.link (do not use it for extended usage)

+ + + +

Now that the account is created, we can also validate if we can recieve mails:

+
+
+
+
+ +
+
+
+
+

Purchasing the server anonymously (using Monero)



+ + + +

Next we generate a SSH key to connect to the server:

+

+[ mainpc ] [ /dev/pts/5 ] [~]
+→ ssh-keygen -t ed25519 -C ""
+Generating public/private ed25519 key pair.
+Enter file in which to save the key (/home/nihilist/.ssh/id_ed25519): /home/nihilist/.ssh/ssh-key-test
+/home/nihilist/.ssh/ssh-key-test already exists.
+Overwrite (y/n)? y
+Enter passphrase (empty for no passphrase):
+Enter same passphrase again:
+Your identification has been saved in /home/nihilist/.ssh/ssh-key-test
+Your public key has been saved in /home/nihilist/.ssh/ssh-key-test.pub
+The key fingerprint is:
+SHA256:hu1aO2qMU0XuaRDTRiVHH3Jl2hNP/0prlAnpPCTGECo
+The key's randomart image is:
++--[ED25519 256]--+
+|       o=+= o.+ .|
+|      o.+= + * +.|
+|    E .*  + * o o|
+|     ..oo. = . +.|
+|      .+S.  + = .|
+|      .o+    + o |
+|     + .o     +  |
+|    o oo..   .   |
+|     oo...       |
++----[SHA256]-----+
+
+[ mainpc ] [ /dev/pts/5 ] [~]
+→ cat .ssh/ssh-key-test.pub
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqt0O2ZbRt/7ikk0PdPRcb1GRBE5YNDdBHFCMGIdeHb
+
+
+ +

validate the VPS purchase with the Monero option:

+ + +

Then here we send the Monero payment:

+ + +

then wait 10-20 minutes for the payment to be validated by the network, and then you should recieve the mail with your server accesses:

+ +

Now that the server is provisionned, we can connect to it:

+ +
+
+
+
+ + + +
+
+
+
+

Accessing the server anonymously (SSH through Tor)



+

To access the server anonymously, you just need to ssh there through tor using torsocks:

+

+[ mainpc ] [ /dev/pts/6 ] [~]
+→ cat .ssh/config| head -n4
+Host test-server
+        User root
+        hostname 185.216.68.156
+        IdentityFile ~/.ssh/id_ed25519
+
+[ mainpc ] [ /dev/pts/6 ] [~]
+→ torsocks ssh test-server
+The authenticity of host '185.216.68.156 (185.216.68.156)' can't be established.
+ED25519 key fingerprint is SHA256:Od5FT4wcALDHXXK2B4t6lM8idsDmUfhqWpDFjStgBwI.
+This key is not known by any other names.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added '185.216.68.156' (ED25519) to the list of known hosts.
+Linux cockbox 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+
+root@cockbox:~# id
+uid=0(root) gid=0(root) groups=0(root)
+
+root@cockbox:~# apt update -y ; apt upgrade -y ; apt autoremove -y
+	
+
+ +

And that's it! We now have access to a remote server, we acquired it anonymously, and are now using it anonymously aswell.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
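Review bot: The SSH steps use two different keys. The ssh-keygen session writes /home/nihilist/.ssh/ssh-key-test and prints ssh-key-test.pub before the purchase step, but the .ssh/config excerpt in the Tor section has "IdentityFile ~/.ssh/id_ed25519", so a reader who follows the page as written submits one public key and then authenticates with another. Point IdentityFile at ~/.ssh/ssh-key-test, or generate the key at the default path. In the same session the host key prompt is answered "yes" with nothing to compare the SHA256 fingerprint against; since this first connection leaves through a Tor exit, say where the reader can get the expected fingerprint out of band and suggest pasting it at the (yes/no/[fingerprint]) prompt. Spelling: "recieve" (twice), "provisionned", "aswell".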
+ + + + + + + diff --git a/servers/aps/0days.png b/servers/aps/0days.png new file mode 100644 index 0000000..518d212 Binary files /dev/null and b/servers/aps/0days.png differ diff --git a/servers/aps/anonymity.png b/servers/aps/anonymity.png new file mode 100644 index 0000000..d8414db Binary files /dev/null and b/servers/aps/anonymity.png differ diff --git a/servers/aps/centralisation.png b/servers/aps/centralisation.png new file mode 100644 index 0000000..088fd05 Binary files /dev/null and b/servers/aps/centralisation.png differ diff --git a/servers/aps/decentralisation.png b/servers/aps/decentralisation.png new file mode 100644 index 0000000..ac4e2c8 Binary files /dev/null and b/servers/aps/decentralisation.png differ diff --git a/servers/aps/federation.png b/servers/aps/federation.png new file mode 100644 index 0000000..4153bac Binary files /dev/null and b/servers/aps/federation.png differ diff --git a/servers/aps/index.html b/servers/aps/index.html new file mode 100644 index 0000000..3d623cf --- /dev/null +++ b/servers/aps/index.html @@ -0,0 +1,211 @@ + + + + + + + + + + + Privacy, Anonymity, Plausible Deniability, Decentralisation, Security, and 0days + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-30

+

Privacy, Anonymity, Plausible Deniability, Decentralisation, Security, and 0days

+ +
+
+
+
+ + +
+
+
+
+

Privacy Analogy

+ + +

Here in this case, we can say that the conversation between Bob and Alice is private, because it excludes Jack from spying on the conversation.

+ +
+
+
+
+ +
+
+
+
+

Anonymity Analogy



+ + +

Here in this case, we can say that the person talking to Alice is Anonymous from Jack's perspective, until he can figure out who he really is. Until that someone makes an OPSEC Mistake (such as saying out loud his real name, or where he lives), he remains Anonymous.

+ +
+
+
+
+ + + +
+
+
+
+ + +

Plausible Deniability Analogy



+ + +

+ + + +
+
+
+
+ +
+
+
+
+ +

Centralisation, Federation and Decentralisation Analogy



+ +

Here, a profit Company offers an online service (such as Twitter) for their own profit, most often they will do everything they can to keep as many users on their service, in order to gather as much personal information about them as they can, for their own profit.

+ +

A federated service can be considered as semi-decentralised, due to having a company running the main instance that contains a huge amount of users, while other instances can be ran by individuals with a smaller amount of users. The federation means that instances connect to each other so that individual B may talk to individual A, or individual C.

+ + +

We can say that a service is decentralised when individuals are running the services themselves, and offering them back to the individuals, without any profit company coming into the picture.

+ +
+
+
+
+ + + +
+
+
+
+

Security Analogy



+ + +

Here in this case, we can say that the door is secure because it protects Alice and Bob's conversation from Jack's attempts to hear the contents of the conversation.

+ +
+
+
+
+ + + +
+
+
+
+

0days Analogy



+ + +

Bob and Alice are supposed to have their conversation protected by a closed door, but Jack has an 100% sure way of breaking down the door, no matter how they try to reinforce the door, There is nothing Bob and Alice can do about it.

+ +
+
+
+
+ + + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
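Review bot: The "Plausible Deniability Analogy" section has a heading but no explanatory sentence in the visible lines, while every other analogy on the page (privacy, anonymity, centralisation, security, 0days) gets a paragraph. Add one that says what Bob or Alice can deny and to whom, so that the term in the page title is actually defined. The 0days paragraph also never says what makes Jack's method a 0day rather than any break-in (that the flaw is unknown to the people who could fix the door), and "There is nothing Bob and Alice can do about it" reads as absolute; consider stating that they cannot fix a flaw they do not know about. Wording: "an 100% sure" should be "a 100% sure", "can be ran" should be "can be run", "a profit Company" should be "a for-profit company".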
+ + + + + + + diff --git a/servers/aps/plausibledeniability.png b/servers/aps/plausibledeniability.png new file mode 100644 index 0000000..1845592 Binary files /dev/null and b/servers/aps/plausibledeniability.png differ diff --git a/servers/aps/privacy.png b/servers/aps/privacy.png new file mode 100644 index 0000000..6b7385e Binary files /dev/null and b/servers/aps/privacy.png differ diff --git a/servers/aps/security.png b/servers/aps/security.png new file mode 100644 index 0000000..ad7df6d Binary files /dev/null and b/servers/aps/security.png differ diff --git a/servers/ce0.png b/servers/ce0.png new file mode 100644 index 0000000..0ee830f Binary files /dev/null and b/servers/ce0.png differ diff --git a/servers/ce1.png b/servers/ce1.png new file mode 100644 index 0000000..7fa67f9 Binary files /dev/null and b/servers/ce1.png differ diff --git a/servers/ce2.png b/servers/ce2.png new file mode 100644 index 0000000..4a71497 Binary files /dev/null and b/servers/ce2.png differ diff --git a/servers/closedsource/1.png b/servers/closedsource/1.png new file mode 100644 index 0000000..af64f52 Binary files /dev/null and b/servers/closedsource/1.png differ diff --git a/servers/closedsource/2.png b/servers/closedsource/2.png new file mode 100644 index 0000000..493554c Binary files /dev/null and b/servers/closedsource/2.png differ diff --git a/servers/closedsource/index.html b/servers/closedsource/index.html new file mode 100644 index 0000000..61c2f0a --- /dev/null +++ b/servers/closedsource/index.html @@ -0,0 +1,183 @@ + + + + + + + + + + + Why can't I trust closed source software? + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-29

+

Why can't I trust closed source software?

+

"Hey, i just wrote this code, i compiled it, it gave me this .exe file, run it on your computer!

+

What? You want the source code ? Hell no, just trust me bro!"

+ +
+
+
+
+ + +
+
+
+
+

What is closed source software?

+

To briefly explain, any software out there was first written (a developer wrote some source code, for example in the go language), it was then compiled, and then the compilation produced a binary file (for example it became a .exe file on windows)

+ +

The catch here is that when you try to reverse-engineer binary files, it's going to be very hard to figure out what the original source code was. This practice is called Reverse Engineering, a niche in cybersecurity, where someone tries to figure out what the original sourcecode was intended to be, with only the binary to work with.

+

One thing is for sure: you can't arrive at the original sourcecode from just the binary. It's mostly guess work.

+

Most software companies (which can be corporations) out there are greedy, they work hard to produce software, and they hate to have any competition. Hence they want keep their software sourcecode private, to make it as hard as possible to others to arrive at the same level of functionnality. That is exactly why closed source software is used by most people.

+ +

The most popular example out there is Windows, they would definitely not like their sourcecode to be leaked/reversed like it with Apple's IOS.

+
+
+
+
+ +
+
+
+
+

Spyware example, and how to replace it



+Discord: a Privacy Nightmare +

Let's take a popular example: Discord as detailed in their article on spyware watchdog, it's one of the worst pieces of spyware out there. It's sourcecode is not public, and they confirm that they collect large amounts of sensitive user data (as much as they can).

+

Discord even goes out of it's way and contains a process logger to spy on what you do on your computer.

+

That service even forces you to add a phone number in case if it suspects you tried to create an account anonymously (via a vpn or via tor).

+

You get it, it's a nightmare for privacy and anonymity there is out of the question. The perfect governmental proxy to spy on the masses.

+ + +Matrix : The Decentralised and Open Source Alternative +

Take the counter example, Matrix is an open source chat protocol. Meaning if there were any spyware to be baked into the software, you would see it in the sourcecode, and rest assured the entire open source community would go into huge turmoil and you would know it.

+

You are also free to use other equally elegant UX/UI clients (for example using cinny or element), you can self host both the server and the client, and it implements E2EE (end to end encryption)

+ + +
+
+
+
+ + + +
+
+
+
+

Remove surveillance using Open-Source Software



+

To conclude, here are the requirements you need to look for, for any software that you use:

+
    +
  1. It must be open source

  2. +
  3. It must be self-hostable (for decentralisation) (meaning the serverside code must also be fully opensource)

  4. +
  5. It must implement privacy features like encryption

  6. +
  7. It should not contain any telemetry, or any spyware.

  8. +
  9. It should ONLY do what it was originally meant to do.

  10. +
+

By that standard, you can already discard software like Windows, Discord, Whatsapp, Instagram, iOS, pre-installed phone host OSes, Word, Excel, etc, as none of them are open source, and you can be damn sure that they are spying on everything you do, willfully or not. (ever since the US government passed the FISA section 702.)

+ +

YOU CAN NEVER TRUST PEOPLE.

+

SO YOU CAN'T TRUST THEIR CLOSED SOURCE SOFTWARE.

+

YOU CAN ONLY TRUST TECHNOLOGY THAT CAN BE VERIFIED!

+

SO YOU NEED TO USE OPEN SOURCE SOFTWARE!

+ + + +

Now that you have the full reasoning laid out, and if being watched by an entire crowd when you are using your computer doesn't sit well with you, it's time for you to move out of all that surveillance, out of that theater/circus that is closed-source software (in which you are the clown on stage, for corporations to see), it's time for you to close the blinds and declare that the show is over to these entire crowds that have infringed upon your basic right of privacy. It's time to install Linux.

+ + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
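Review bot: The Matrix paragraph's claim "if there were any spyware to be baked into the software, you would see it in the sourcecode" and requirement 1 in the closing list treat published source as sufficient, yet the page itself explains earlier that what runs is the compiled binary. Published source only helps if someone reads it and the binary in use was built from it. Add a sentence to that effect and link servers/compilation/index.html, added in this same patch, which covers building from source and checking release hashes. The Discord paragraphs ("contains a process logger", "forces you to add a phone number") and the FISA section 702 remark should each carry a visible reference; the text as extracted names a spyware watchdog article without showing a link. Typos: "It's sourcecode" and "out of it's way" should use "its"; also "functionnality", "they want keep", "like it with Apple's IOS".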
+ + + + + + + diff --git a/servers/co0.png b/servers/co0.png new file mode 100644 index 0000000..e5484d2 Binary files /dev/null and b/servers/co0.png differ diff --git a/servers/co1.png b/servers/co1.png new file mode 100644 index 0000000..c311c69 Binary files /dev/null and b/servers/co1.png differ diff --git a/servers/co2.png b/servers/co2.png new file mode 100644 index 0000000..e8137e2 Binary files /dev/null and b/servers/co2.png differ diff --git a/servers/compilation/1.png b/servers/compilation/1.png new file mode 100644 index 0000000..7251117 Binary files /dev/null and b/servers/compilation/1.png differ diff --git a/servers/compilation/2.png b/servers/compilation/2.png new file mode 100644 index 0000000..2f34f52 Binary files /dev/null and b/servers/compilation/2.png differ diff --git a/servers/compilation/3.png b/servers/compilation/3.png new file mode 100644 index 0000000..cce658f Binary files /dev/null and b/servers/compilation/3.png differ diff --git a/servers/compilation/4.png b/servers/compilation/4.png new file mode 100644 index 0000000..6fee975 Binary files /dev/null and b/servers/compilation/4.png differ diff --git a/servers/compilation/5.5.png b/servers/compilation/5.5.png new file mode 100644 index 0000000..2091bad Binary files /dev/null and b/servers/compilation/5.5.png differ diff --git a/servers/compilation/5.png b/servers/compilation/5.png new file mode 100644 index 0000000..e9b92f3 Binary files /dev/null and b/servers/compilation/5.png differ diff --git a/servers/compilation/6.png b/servers/compilation/6.png new file mode 100644 index 0000000..b1a0a77 Binary files /dev/null and b/servers/compilation/6.png differ diff --git a/servers/compilation/7.png b/servers/compilation/7.png new file mode 100644 index 0000000..96b9781 Binary files /dev/null and b/servers/compilation/7.png differ 
diff --git a/servers/compilation/8.png b/servers/compilation/8.png new file mode 100644 index 0000000..2a7942f Binary files /dev/null and b/servers/compilation/8.png differ diff --git a/servers/compilation/index.html b/servers/compilation/index.html new file mode 100644 index 0000000..3c2d9cb --- /dev/null +++ b/servers/compilation/index.html @@ -0,0 +1,314 @@ + + + + + + + + + + + How to compile open source software + How to verify software integrity + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-28

+

How to compile open source software + How to verify software integrity

+ +
+
+
+
+ + +
+
+
+
+

Why compile even compile software yourself ?

+

as we have discussed previously, software needs to first be written by a developer, then compiled to produce a binary file (like an .exe file on windows, or a binary file on debian) to be used.

+ +

The largest website to find open-source software repositories is Github, where we can find open source projects.

+

In this case, Bob wants to have a screenshot software on debian, and he wants it to be open-source:

+ +

Here we see that there is a popular screenshot software called "Flameshot" that is available on github:

+ +

All of the sourcecode is available, and Bob if is concerned that there may be spyware, he can browse all of the code to check if there is any spyware in it or not.

+ +

Next, Bob can find the compiled binaries of flameshot in the releases tab:

+ +

But! Bob is an open-source purist, he thinks that the flameshot developers intentionally compiled the software with spyware into it, Bob doesn't trust that they could compile the software for him, hence he wants to compile the software himself.

+
+
+
+
+ +
+
+
+
+

How to compile software (ex: C++)



+

Each software can come with different compilation requirements, make sure you read their documentation on how to compile software, for example flameshot has specific instructions to compile their software:

+

+[ mainpc ] [ /dev/pts/4 ] [~]
+→ cd Documents
+
+[ mainpc ] [ /dev/pts/4 ] [~/Documents]
+→ git clone https://github.com/flameshot-org/flameshot
+Cloning into 'flameshot'...
+remote: Enumerating objects: 18204, done.
+remote: Counting objects: 100% (5467/5467), done.
+remote: Compressing objects: 100% (339/339), done.
+remote: Total 18204 (delta 5251), reused 5155 (delta 5128), pack-reused 12737
+Receiving objects: 100% (18204/18204), 23.03 MiB | 2.38 MiB/s, done.
+Resolving deltas: 100% (13494/13494), done.
+
+[ mainpc ] [ /dev/pts/4 ] [~/Documents]
+→ cd flameshot
+
+
+# Compile-time
+sudo apt install g++ cmake build-essential qtbase5-dev qttools5-dev-tools libqt5svg5-dev qttools5-dev -y
+
+# Run-time
+sudo apt install libqt5dbus5 libqt5network5 libqt5core5a libqt5widgets5 libqt5gui5 libqt5svg5 -y
+
+# Optional
+sudo apt install git openssl ca-certificates -y
+
+

Now that the dependencies are installed, we start to compile flameshot:

+

+[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
+→ cmake -S . -B build && cmake --build build
+-- The CXX compiler identification is GNU 12.2.0
+-- Detecting CXX compiler ABI info
+-- Detecting CXX compiler ABI info - done
+-- Check for working CXX compiler: /usr/bin/c++ - skipped
+-- Detecting CXX compile features
+-- Detecting CXX compile features - done
+-- Setting build type to 'RelWithDebInfo' as none was specified.
+CMake Warning at cmake/Cache.cmake:28 (message):
+  ccache is enabled but was not found.  Not using it
+Call Stack (most recent call first):
+  CMakeLists.txt:84 (include)
+
+
+-- Performing Test Wall_FLAG_SUPPORTED
+-- Performing Test Wall_FLAG_SUPPORTED - Success
+-- Performing Test pedantic_FLAG_SUPPORTED
+-- Performing Test pedantic_FLAG_SUPPORTED - Success
+-- Performing Test Wextra_FLAG_SUPPORTED
+-- Performing Test Wextra_FLAG_SUPPORTED - Success
+Flameshot predefined color palette large: false
+-- Found Git: /usr/bin/git (found version "2.39.2")
+git found: /usr/bin/git in version     2.39.2
+FLAMESHOT_GIT_HASH: c1dac522
+-- Configuring done
+-- Generating done
+-- Build files have been written to: /home/nihilist/Documents/flameshot/build
+[  1%] Automatic MOC for target SingleApplication
+[  1%] Built target SingleApplication_autogen
+[  2%] Building CXX object external/singleapplication/CMakeFiles/SingleApplication.dir/SingleApplication_autogen/mocs_compilation.cpp.o
+
+[...]
+
+
+ +

Here, it's starting to compile, wait for it to reach 100%, then you can run the binary file as follows:

+ +

+[...]
+
+[ 96%] Building CXX object src/CMakeFiles/flameshot.dir/tools/abstracttwopointtool.cpp.o
+[ 97%] Building CXX object src/CMakeFiles/flameshot.dir/tools/capturecontext.cpp.o
+[ 97%] Building CXX object src/CMakeFiles/flameshot.dir/tools/toolfactory.cpp.o
+[ 98%] Building CXX object src/CMakeFiles/flameshot.dir/main.cpp.o
+[ 98%] Building CXX object src/CMakeFiles/flameshot.dir/flameshot_autogen/IJ3KGTTQ5V/qrc_graphics.cpp.o
+[100%] Linking CXX executable flameshot
+[100%] Built target flameshot
+	
+[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
+→ ls
+appveyor.yml  CMakeLists.txt      docs                   LICENSE    scripts         src
+build         CODE_OF_CONDUCT.md  external               packaging  shell.nix       tests
+cmake         data                flameshot.example.ini  README.md  snapcraft.yaml
+
+[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
+→ ls -lash build/src/flameshot
+49M -rwxr-xr-x 1 nihilist nihilist 49M Jun 28 14:14 build/src/flameshot
+
+[ mainpc ] [ /dev/pts/4 ] [~/Documents/flameshot]
+→ ./build/src/flameshot
+
+
+

if you want to be able to launch the flameshot binary without specifying the full path each time, you can add it to your system PATH:

+

+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ ls -lash build/src/flameshot
+49M -rwxr-xr-x 1 nihilist nihilist 49M Jun 28 14:14 build/src/flameshot
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ echo $PATH
+/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ ln -s $(pwd)/build/src/flameshot /usr/local/bin/flameshot
+ln: failed to create symbolic link '/usr/local/bin/flameshot': Permission denied
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ sudo ln -s $(pwd)/build/src/flameshot /usr/local/bin/flameshot
+[sudo] password for nihilist:
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ which flameshot
+/usr/bin/flameshot
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshot]
+→ flameshot
+
+
+ +

As we run the binary from the commandline, we then see the flameshot program opening here:

+ +

as we click on the logo, we can enter the screenshot mode:

+ +

then we click and drag to select the area of the screenshot:

+ +

Then we can click the "save" icon to save the image somewhere:

+ + +
+
+
+
+ + + +
+
+
+
+

How to verify software integrity



+

Now Bob isn't going to compile everything, he doesn't have that patience. the next best thing is to download the pre-compiled binaries and to check the hash:

+ + +

Here in this case, the appimage flameshot binary has been released along with the sha256 algorithm hash, so Bob downlads both:

+

+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
+→ wget https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage
+--2024-06-28 14:31:09--  https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
+→ wget https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage.sha256sum
+--2024-06-28 14:32:26--  https://github.com/flameshot-org/flameshot/releases/download/v12.1.0/Flameshot-12.1.0.x86_64.AppImage.sha256sum
+
+
+ +

Next, to check the integrity of the appimage file, we check the hash that we've downloaded:

+

+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
+→ cat Flameshot-12.1.0.x86_64.AppImage.sha256sum
+c30634c84161f09e8dde74c76367b1ce848414bb1cc269c2a2715f6803220738  Flameshot-12.1.0.x86_64.AppImage
+	
+
+

and compare it to the hash we get when using the sha256sum command on the flameshot appimage:

+

+[ mainpc ] [ /dev/pts/5 ] [~/Documents/flameshottest]
+→ sha256sum Flameshot-12.1.0.x86_64.AppImage
+c30634c84161f09e8dde74c76367b1ce848414bb1cc269c2a2715f6803220738  Flameshot-12.1.0.x86_64.AppImage
+	
+
+

Here we see that the sha256 hash we get from the flameshot appimage binary is the same as the hash that was put online by the flameshot developers. This means that the binary didn't get tampered with from the original release, to having it inside Bob's debian VM. Hence, Bob can now use the flameshot appimage binary with peace of mind!

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
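Review bot: The conclusion of the integrity section, "This means that the binary didn't get tampered with from the original release", claims more than the check shows. The .sha256sum file is fetched from the same GitHub release URL as the AppImage, so a matching hash shows the file arrived intact, but anyone able to replace the AppImage on the release page could replace the hash beside it, and the check says nothing about whether the binary matches the source. Reword the conclusion to that scope, and use "sha256sum -c Flameshot-12.1.0.x86_64.AppImage.sha256sum" so the comparison is done by the tool rather than by eye. In the PATH step, "which flameshot" prints /usr/bin/flameshot although the symlink was created at /usr/local/bin/flameshot and /usr/local/bin comes first in the echoed PATH, so the transcript does not show that the self-compiled binary is the one being launched; re-record that step. The build also runs on whatever the clone checked out (FLAMESHOT_GIT_HASH: c1dac522) rather than a release tag, which is worth a sentence. The first heading reads "Why compile even compile software yourself ?".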
+ + + + + + + diff --git a/servers/de0.png b/servers/de0.png new file mode 100644 index 0000000..cc981ea Binary files /dev/null and b/servers/de0.png differ diff --git a/servers/de1.png b/servers/de1.png new file mode 100644 index 0000000..4a7d6d7 Binary files /dev/null and b/servers/de1.png differ diff --git a/servers/de2.png b/servers/de2.png new file mode 100644 index 0000000..f880015 Binary files /dev/null and b/servers/de2.png differ diff --git a/servers/dns/0.png b/servers/dns/0.png new file mode 100644 index 0000000..de75d96 Binary files /dev/null and b/servers/dns/0.png differ diff --git a/servers/dns/1.png b/servers/dns/1.png new file mode 100644 index 0000000..89c908f Binary files /dev/null and b/servers/dns/1.png differ diff --git a/servers/dns/2.png b/servers/dns/2.png new file mode 100644 index 0000000..4af214e Binary files /dev/null and b/servers/dns/2.png differ diff --git a/servers/dns/index.html b/servers/dns/index.html new file mode 100644 index 0000000..7341e04 --- /dev/null +++ b/servers/dns/index.html @@ -0,0 +1,1165 @@ + + + + + + + + + + + bind9 DNS setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nothing@nowhere - 2024-05-28

+

bind9 DNS setup

+ +

In this tutorial we're going to take a look at how to setup DNS servers using bind9.

+

Disclaimer: If you want this service to remain anonymous, make sure you at least keep TOR between you and the service from the VPS acquisition to actual service usage.

+ + +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

First install the requirements:

+

+root@Temple:~# apt update -y ; apt upgrade -y ; apt install bind9 -y
+root@Temple:~# systemctl disable --now ufw	
+
+
+ +

Next we edit the /etc/bind/named.conf.options file to define which ip the dns server will serve:

+

+root@Temple:~# vim /etc/bind/named.conf.options	
+listen-on {
+	10.10.10.0/24;
+	10.1.0.0/16;
+	...
+};
+
+#OR
+listen-on { any; };
+listen-on-v6 { any; };
+
+
+ +

Next, we allow the queries to come from any sources (not just local)

+

+allow-query { any; };
+
+
+

and lastly, we add the forwarders which are the dns servers that bind9 will ask if it can't find the domain names, we can put cloudflare's dns servers for example:

+

+forwarders {
+	1.1.1.1;
+	1.0.0.1;
+};
+
+
+

Here's the result, save it with :wq

+

+options {
+        directory "/var/cache/bind";
+        dnssec-validation auto;
+
+        listen-on-v6 { any; };
+        listen-on { any; };
+        allow-query { any; };
+        forwarders {
+                1.1.1.1;
+                1.0.0.1;
+        };
+};
+	
+
+

Then restart bind9:

+

+root@Temple:~# systemctl restart bind9
+root@Temple:~# systemctl status bind9
+● named.service - BIND Domain Name Server
+     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
+     Active: active (running) since Tue 2021-11-02 20:37:26 UTC; 4s ago
+       Docs: man:named(8)
+   Main PID: 2863095 (named)
+      Tasks: 8 (limit: 4584)
+     Memory: 30.0M
+     CGroup: /system.slice/named.service
+             └─2863095 /usr/sbin/named -f -u bind
+
+Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
+Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
+Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:7fd::1#53
+Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
+Nov 02 20:37:26 Temple named[2863095]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Nov 02 20:37:26 Temple named[2863095]: resolver priming query complete
+Nov 02 20:37:30 Temple named[2863095]: listening on IPv4 interface tun0, 10.8.0.1#53
+Nov 02 20:37:30 Temple named[2863095]: listening on IPv6 interface tun0, fe80::5822:e1cd:a277:e3e3%124941#53
+Nov 02 20:37:30 Temple named[2863095]: no longer listening on 10.8.0.1#53
+Nov 02 20:37:30 Temple named[2863095]: no longer listening on fe80::5822:e1cd:a277:e3e3%124941#53
+
+
+

and then finally we test if the dns works, let's ask our dns server for the ip address of google:

+

+[ 10.66.66.2/32 ] [ /dev/pts/20 ] [Nextcloud/blog]
+→ nslookup google.com temple.void.yt
+Server:         temple.void.yt
+Address:        78.141.239.68#53
+
+Non-authoritative answer:
+Name:   google.com
+Address: 172.217.169.14
+Name:   google.com
+Address: 2a00:1450:4009:81d::200e
+	
+
+

And it worked ! Now let's setup an A record on our DNS server, for itself. To do that we need to specify the zones we're going to manage:

+

+
+root@Temple:/etc/bind# vim named.conf.local
+root@Temple:/etc/bind# cat named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+include "/etc/bind/zones.rfc1918";
+
+root@Temple:~# vim /etc/bind/zones.rfc1918
+root@Temple:~# cat /etc/bind/zones.rfc1918
+zone "void.yt"  {
+        type master;
+        file "db.void.yt";
+        allow-update { none; };
+};
+
+
+

Here we want to setup a subdomain of void.yt so let's do it in the db.void.yt file:

+

+$TTL    604800
+@       IN      SOA     ns1.void.yt. void.yt. (
+                  3     ; Serial
+             604800     ; Refresh
+              86400     ; Retry
+            2419200     ; Expire
+             604800 )   ; Negative Cache TTL
+;
+; name servers - NS records
+                3600     IN      NS      ns1.void.yt.
+                3600     IN      NS      ns2.void.yt.
+
+; name servers - A records
+ns1.void.yt.          IN      A      78.141.239.68
+ns2.void.yt.          IN      A      45.76.133.0
+
+; other hosts - A records
+host1.void.yt.  IN      A       1.1.1.1
+host2.void.yt.  IN      A       1.0.0.1	
+
+
+

And now we restart the bind9 service, and test if we can resolve the host1.void.yt domain:

+

+root@Temple:/etc/bind# systemctl restart bind9
+root@Temple:/etc/bind# systemctl status bind9
+● bind9.service - BIND Domain Name Server
+     Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
+     Active: active (running) since Sun 2021-11-14 10:28:16 UTC; 51s ago
+       Docs: man:named(8)
+   Main PID: 3710 (named)
+      Tasks: 8 (limit: 4582)
+     Memory: 29.7M
+     CGroup: /system.slice/bind9.service
+             └─3710 /usr/sbin/named -f -u bind
+
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:7fd::1#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:1::53#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:dc3::35#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2::c#53
+Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
+Nov 14 10:28:16 Temple named[3710]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Nov 14 10:28:16 Temple named[3710]: resolver priming query complete
+	
+
+

To do that we use nslookup:

+

+[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
+→ nslookup host1.void.yt temple.void.yt
+Server:         temple.void.yt
+Address:        78.141.239.68#53
+
+Name:   host1.void.yt
+Address: 1.1.1.1
+	
+
+

Now we fill in the db file for the rest of the hosts we need, i'll post my complete config just for reference:

+

+root@Temple:/etc/bind# vim db.void.yt
+root@Temple:/etc/bind# cat db.void.yt
+$TTL    604800
+@       IN      SOA     ns1.void.yt. void.yt. (
+                  7     ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!!
+             604800     ; Refresh
+              86400     ; Retry
+            2419200     ; Expire
+             604800 )   ; Negative Cache TTL
+;
+; name servers - NS records
+                3600     IN      NS      ns1.void.yt.
+                3600     IN      NS      ns2.void.yt.
+
+; name servers - A records
+ns1.void.yt.          IN      A      78.141.239.68
+ns2.void.yt.          IN      A      45.76.133.0
+
+; A records, public IPs
+temple       3600 IN A     78.141.239.68
+mail         3600 IN A     45.76.133.0
+mail         3600 IN AAAA  2001:19f0:7402:2c6:5400:3ff:fea7:22a3
+;void.yt
+
+
+             3600 IN MX 10 mail.void.yt.
+             3600 IN TXT   "v=spf1 mx a:mail.void.yt -all"
+_dmarc       3600 IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
+
+autoconfig   3600 IN CNAME void.yt.
+autodiscover 3600 IN CNAME void.yt.
+
+asciinema    3600 IN CNAME void.yt.
+blog         3600 IN CNAME void.yt.
+chat         3600 IN CNAME void.yt.
+cloud        3600 IN CNAME void.yt.
+codimd       3600 IN CNAME void.yt.
+cryptpad     3600 IN CNAME void.yt.
+cyberchef    3600 IN CNAME void.yt.
+ghostblog    3600 IN CNAME void.yt.
+git          3600 IN CNAME void.yt.
+gomez        3600 IN CNAME void.yt.
+haste        3600 IN CNAME void.yt.
+img          3600 IN CNAME void.yt.
+irc          3600 IN CNAME void.yt.
+jitsi        3600 IN CNAME void.yt.
+kb           3600 IN CNAME void.yt.
+kutt         3600 IN CNAME void.yt.
+lady         3600 IN CNAME void.yt.
+lain         3600 IN CNAME void.yt.
+latex        3600 IN CNAME void.yt.
+mind         3600 IN CNAME void.yt.
+notes        3600 IN CNAME void.yt.
+openproject  3600 IN CNAME void.yt.
+pad          3600 IN CNAME void.yt.
+privatebin   3600 IN CNAME void.yt.
+pve          3600 IN CNAME void.yt.
+routeur      3600 IN CNAME void.yt.
+safe         3600 IN CNAME void.yt.
+shells       3600 IN CNAME void.yt.
+status       3600 IN CNAME void.yt.
+sx           3600 IN CNAME void.yt.
+test         3600 IN CNAME void.yt.
+tube         3600 IN CNAME void.yt.
+u            3600 IN CNAME void.yt.
+www          3600 IN CNAME void.yt.
+zabbix       3600 IN CNAME void.yt.
+
+root@Temple:/etc/bind# systemctl restart bind9
+root@Temple:/etc/bind# systemctl status bind9
+● bind9.service - BIND Domain Name Server
+     Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
+     Active: active (running) since Sun 2021-11-14 11:37:30 UTC; 2s ago
+       Docs: man:named(8)
+   Main PID: 18839 (named)
+      Tasks: 8 (limit: 4582)
+     Memory: 29.3M
+     CGroup: /system.slice/bind9.service
+             └─18839 /usr/sbin/named -f -u bind
+
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:1::53#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2::c#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:200::b#53
+Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:7fd::1#53
+Nov 14 11:37:30 Temple named[18839]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Nov 14 11:37:30 Temple named[18839]: resolver priming query complete
+	
+
+

Now, let's set up our secondary DNS server. First, let's update the primary DNS server's zones.rfc1918 file as follows:

+

+root@Temple:/etc/bind# vim /etc/bind/zones.rfc1918
+root@Temple:/etc/bind# cat /etc/bind/zones.rfc1918
+zone "void.yt" IN {
+        type master;
+        file "/etc/bind/db.void.yt";
+        allow-update { none; };
+
+        allow-transfer { 45.76.133.0; };
+        also-notify    { 45.76.133.0; };
+};
+	
+root@Temple:/etc/bind# systemctl restart bind9
+
+
+

In the allow-transfer and also-notify parameters we put the public IP of our second DNS server. Next we restart bind9, and set up bind9 on the second server as a slave to our first server:

+

+root@mail:~# apt install bind9 -y
+root@mail:~# vim /etc/bind/named.conf.local
+root@mail:~# cat /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+include "/etc/bind/zones.rfc1918";
+
+root@mail:~# vim /etc/bind/zones.rfc1918
+root@mail:~# cat /etc/bind/zones.rfc1918
+zone "void.yt" {
+        type slave;
+        file "/etc/bind/db.void.yt";
+        masters {78.141.239.68;};
+};
+
+root@mail:~# vim /etc/bind/db.void.yt
+root@mail:~# cat /etc/bind/db.void.yt
+$TTL    604800
+@       IN      SOA     ns2.void.yt void.yt. (
+                  8     ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!!
+             604800     ; Refresh
+              86400     ; Retry
+            2419200     ; Expire
+             604800 )   ; Negative Cache TTL
+;
+; name servers - NS records
+     IN      NS      ns1.void.yt.
+     IN      NS      ns2.void.yt.
+
+; name servers - A records
+ns1.void.yt.          IN      A      78.141.239.68
+ns2.void.yt.          IN      A      45.76.133.0
+
+; A records, public IPs
+temple       3600 IN A     78.141.239.68
+mail         3600 IN A     45.76.133.0
+mail         3600 IN AAAA  2001:19f0:7402:2c6:5400:3ff:fea7:22a3
+;void.yt
+
+
+             3600 IN MX 10 mail.void.yt.
+             3600 IN TXT   "v=spf1 mx a:mail.void.yt -all"
+_dmarc       3600 IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
+
+autoconfig   3600 IN CNAME void.yt.
+autodiscover 3600 IN CNAME void.yt.
+
+asciinema    3600 IN CNAME void.yt.
+blog         3600 IN CNAME void.yt.
+chat         3600 IN CNAME void.yt.
+cloud        3600 IN CNAME void.yt.
+codimd       3600 IN CNAME void.yt.
+cryptpad     3600 IN CNAME void.yt.
+cyberchef    3600 IN CNAME void.yt.
+ghostblog    3600 IN CNAME void.yt.
+git          3600 IN CNAME void.yt.
+gomez        3600 IN CNAME void.yt.
+haste        3600 IN CNAME void.yt.
+img          3600 IN CNAME void.yt.
+irc          3600 IN CNAME void.yt.
+jitsi        3600 IN CNAME void.yt.
+kb           3600 IN CNAME void.yt.
+kutt         3600 IN CNAME void.yt.
+lady         3600 IN CNAME void.yt.
+lain         3600 IN CNAME void.yt.
+latex        3600 IN CNAME void.yt.
+mind         3600 IN CNAME void.yt.
+notes        3600 IN CNAME void.yt.
+openproject  3600 IN CNAME void.yt.
+pad          3600 IN CNAME void.yt.
+privatebin   3600 IN CNAME void.yt.
+pve          3600 IN CNAME void.yt.
+routeur      3600 IN CNAME void.yt.
+safe         3600 IN CNAME void.yt.
+shells       3600 IN CNAME void.yt.
+status       3600 IN CNAME void.yt.
+sx           3600 IN CNAME void.yt.
+test         3600 IN CNAME void.yt.
+tube         3600 IN CNAME void.yt.
+u            3600 IN CNAME void.yt.
+	
+www          3600 IN CNAME void.yt.
+zabbix       3600 IN CNAME void.yt.	
+
+
+
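Review bot: The SOA line of the hand-written db.void.yt on the secondary reads `ns2.void.yt void.yt.`; without the trailing dot the MNAME is relative and expands to ns2.void.yt.void.yt., and it also disagrees with the primary's `ns1.void.yt.`. A `type slave` zone does not need this file written by hand: named fills it from the transfer (the status output below shows serial 9 arriving from 78.141.239.68), so drop the manual copy or at least fix the dot.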

+

+root@mail:/etc/bind# systemctl restart bind9
+
+root@mail:/etc/bind# systemctl status bind9
+● named.service - BIND Domain Name Server
+     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
+     Active: active (running) since Sun 2021-11-14 14:34:38 UTC; 1min 17s ago
+       Docs: man:named(8)
+   Main PID: 94005 (named)
+      Tasks: 5 (limit: 2340)
+     Memory: 17.8M
+        CPU: 46ms
+     CGroup: /system.slice/named.service
+             └─94005 /usr/sbin/named -f -u bind
+
+Nov 14 14:34:38 mail named[94005]: running
+Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: Transfer started.
+Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: connected using 45.76.133.0#53677
+Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: transferred serial 9
+Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: transfer: could not set file modification time of '/etc/bind/db.void.yt': permission denied
+Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer status: success
+Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.001 secs (1118000 bytes/sec) (serial 9)
+Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: sending notifies (serial 9)
+Nov 14 14:34:38 mail named[94005]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+Nov 14 14:34:38 mail named[94005]: resolver priming query complete
+
+root@mail:/etc/bind# systemctl disable --now apparmor
+root@mail:/etc/bind# chown bind:bind -R /etc/bind
+
+root@mail:/etc/bind# systemctl restart bind9
+root@mail:/etc/bind# systemctl status bind9
+● named.service - BIND Domain Name Server
+     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
+     Active: active (running) since Sun 2021-11-14 14:39:17 UTC; 1s ago
+       Docs: man:named(8)
+   Main PID: 94210 (named)
+      Tasks: 4 (limit: 2340)
+     Memory: 14.1M
+        CPU: 29ms
+     CGroup: /system.slice/named.service
+             └─94210 /usr/sbin/named -f -u bind
+
+Nov 14 14:39:17 mail named[94210]: running
+Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: Transfer started.
+Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: connected using 45.76.133.0#51509
+Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: transferred serial 9
+Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer status: success
+Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.004 secs (279500 bytes/sec) (serial 9)
+Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: sending notifies (serial 9)
+Nov 14 14:39:17 mail named[94210]: dumping master file: /etc/bind/tmp-PF5Ud0HF2G: open: permission denied
+Nov 14 14:39:17 mail named[94210]: resolver priming query complete
+Nov 14 14:39:17 mail named[94210]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
+
+
+

And from there let's check if the domain name resolution works:

+

+[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
+→ nslookup ns1.void.yt temple.void.yt
+Server:         temple.void.yt
+Address:        78.141.239.68#53
+
+Name:   ns1.void.yt
+Address: 78.141.239.68
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
+→ nslookup ns2.void.yt temple.void.yt
+Server:         temple.void.yt
+Address:        78.141.239.68#53
+
+Name:   ns2.void.yt
+Address: 45.76.133.0
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
+→ nslookup ns2.void.yt mail.void.yt
+Server:         mail.void.yt
+Address:        45.76.133.0#53
+
+Name:   ns2.void.yt
+Address: 45.76.133.0
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
+→ nslookup ns1.void.yt mail.void.yt
+Server:         mail.void.yt
+Address:        45.76.133.0#53
+
+Name:   ns1.void.yt
+Address: 78.141.239.68
+	
+
+

Everything looks good: we can resolve domain names on both the master and slave DNS servers.

+
+
+
+
+ +
+
+
+
+

Dynamic bind9 DNS setup



+

Now for my current setup, I need my void.yt domain name to resolve to a public IP that often changes, therefore I need a dynamic bind9 DNS setup for the A record of my void.yt domain. It is possible to set it up with bind9, so let's do it:

+

+oot@Temple:/etc/bind# apt install bind9utils
+root@Temple:/etc/bind# which ddns-confgen
+/usr/sbin/ddns-confgen
+
+	
+root@Temple:/etc/bind# ddns-confgen -s void.yt
+# To activate this key, place the following in named.conf, and
+# in a separate keyfile on the system or systems from which nsupdate
+# will be run:
+key "ddns-key.void.yt" {
+        algorithm hmac-sha256;
+        secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
+};
+
+# Then, in the "zone" statement for the zone containing the
+# name "void.yt", place an "update-policy" statement
+# like this one, adjusted as needed for your preferred permissions:
+update-policy {
+          grant ddns-key.void.yt name void.yt ANY;
+};
+
+# After the keyfile has been placed, the following command will
+# execute nsupdate using this key:
+nsupdate -k <keyfile>
+
+
+
+ +

Now that's done, we follow the instructions that the command just output for us, starting with the named.conf.local edit:

+

+root@Temple:/etc/bind# vim /etc/bind/named.conf.local
+root@Temple:/etc/bind# cat /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+include "/etc/bind/zones.rfc1918";
+key "ddns-key.void.yt" {
+        algorithm hmac-sha256;
+        secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
+};	
+
+
+
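Review bot: The `secret` of key "ddns-key.void.yt" is committed verbatim in the ddns-confgen output and in named.conf.local, and again in the client key file further down, which makes the published value a working credential for the update-policy on void.yt if it matches the live server. Replace it with a placeholder in the page and regenerate the key with ddns-confgen on the server.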

Next, we set up the update-policy for our void.yt zone:

+

+root@Temple:/etc/bind# vim zones.rfc1918
+root@Temple:/etc/bind# cat zones.rfc1918
+zone "void.yt" {
+        type master;
+        file "/etc/bind/db.void.yt";
+
+        allow-transfer { 45.76.133.0; };
+        also-notify    { 45.76.133.0; };
+
+        update-policy {
+          grant ddns-key.void.yt name void.yt ANY;
+        };
+};
+
+root@Temple:/etc/bind# systemctl restart bind9
+
+
+
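Review bot: `grant ddns-key.void.yt name void.yt ANY;` in the zone's update-policy lets the key rewrite every record type at the apex (NS, MX and the SPF TXT record included), while dyndns.sh only ever deletes and adds the A record. Narrow the grant to `grant ddns-key.void.yt name void.yt A;` so a leaked key can only change the address.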

Now that's done, we're going to set up the dynamic DNS script on our client, whose public IP changes often:

+

+root@home:~# which nsupdate
+/usr/bin/nsupdate
+
+root@home:~# vim /etc/ddnssupdate.key
+root@home:~# cat /etc/ddnssupdate.key
+key "ddns-key.void.yt" {
+        algorithm hmac-sha256;
+        secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
+};
+	
+root@home:~# cd /var/www/void.yt/
+root@home:/var/www/void.yt# vim dyndns.sh
+root@home:/var/www/void.yt# cat dyndns.sh
+#!/bin/bash
+
+#MYIP=$(dig +short myip.opendns.com @resolver1.opendns.com)
+MYIP=$(curl ifconfig.me)
+
+KEY=/etc/ddnsupdate.key
+NS=ns1.void.yt
+DOMAIN=void.yt.
+ZONE=void.yt.
+
+nsupdate -k $KEY -v << EOF
+server $NS
+zone $ZONE
+update delete $DOMAIN A
+update add $DOMAIN 30 A $MYIP
+send
+EOF
+
+
+
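Review bot: The key file is created as `/etc/ddnssupdate.key` but dyndns.sh sets `KEY=/etc/ddnsupdate.key`, so one of the two names is a typo and a reader copying both will have nsupdate fail to find the key. Beyond that, `MYIP=$(curl ifconfig.me)` is passed to `update add` unchecked: verify that it parses as an IPv4 address (and fetch it with `curl -s` over HTTPS) before sending anything, skip the update when the address has not changed, and keep the script outside the /var/www/void.yt web root.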

Now let's test it:

+

+root@home:/var/www/void.yt# chattr -i /etc/resolv.conf
+root@home:/var/www/void.yt# vim /etc/resolv.conf
+root@home:/var/www/void.yt# cat /etc/resolv.conf
+#nameserver 1.1.1.1
+#nameserver 1.0.0.1
+nameserver 78.141.239.68
+nameserver 45.76.133.0
+root@home:/var/www/void.yt# chattr +i /etc/resolv.conf
+
+root@home:/var/www/void.yt# chmod +x dyndns.sh
+root@home:/var/www/void.yt# ./dyndns.sh
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100    14  100    14    0     0     89      0 --:--:-- --:--:-- --:--:--    89
+update failed: SERVFAIL
+
+
+

Now if you get this error, it probably means that the bind DNS server does not have permission to edit files in /etc/bind/, but does have access to /var/lib/bind, so let's make those changes:

+

+root@Temple:/etc/bind# vim /etc/bind/zones.rfc1918
+root@Temple:/etc/bind# cat /etc/bind/zones.rfc1918
+zone "void.yt" {
+        type master;
+        file "/var/lib/bind/db.void.yt";
+
+        allow-transfer { 45.76.133.0; };
+        also-notify    { 45.76.133.0; };
+
+        update-policy {
+          grant ddns-key.void.yt name void.yt ANY;
+        };
+};
+	
+root@Temple:/etc/bind# mv /etc/bind/db.void.yt /var/lib/bind/
+root@Temple:/etc/bind# systemctl restart bind9
+
+
+

Now that's done, let's also do it on the secondary dns:

+

+root@mail:~# vim /etc/bind/zones.rfc1918
+root@mail:~# mv /etc/bind/db.void.yt /var/lib/bind/
+root@mail:~# mv /etc/bind/db._domainkey.void.yt /var/lib/bind/
+root@mail:~# systemctl restart bind9
+	
+
+

Now that's done, let's test our dynamic dns script:

+

+root@home:/var/www/void.yt# ./dyndns.sh
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100    14  100    14    0     0     72      0 --:--:-- --:--:-- --:--:--    72
+root@home:/var/www/void.yt#
+
+
+

No error messages, so let's check if our script updated the zone file as intended:

+

+root@Temple:/etc/bind# cat /var/lib/bind/db.void.yt
+$ORIGIN .
+$TTL 604800     ; 1 week
+void.yt                 IN SOA  ns1.void.yt. void.yt. (
+                                10         ; serial
+                                604800     ; refresh (1 week)
+                                86400      ; retry (1 day)
+                                2419200    ; expire (4 weeks)
+                                604800     ; minimum (1 week)
+                                )
+$TTL 3600       ; 1 hour
+                        NS      ns1.void.yt.
+                        NS      ns2.void.yt.
+$TTL 30 ; 30 seconds
+                        A       92.148.147.119
+$ORIGIN void.yt.
+$TTL 3600       ; 1 hour
+_dmarc                  TXT     "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
+asciinema               CNAME   void.yt.
+
+[...]
+	
+
+

And it did! Now let's make sure our dynamic dns script runs every minute:

+

+root@home:/var/www/void.yt# crontab -e
+* * * * * "/var/www/void.yt/dyndns.sh"
+
+root@home:/var/www/void.yt# cronitor select
+
+✔ "/var/www/void.yt/dyndns.sh"
+----► Running command: "/var/www/void.yt/dyndns.sh"
+
+[+] updating ns1.void.yt:
+
+----► ✔ Command successful    Elapsed time 0.353s
+	
+
+

Looks good! Now don't forget to edit the options file for your secondary dns server:

+

+root@mail:~# vim /etc/bind/named.conf.options
+root@mail:~# cat /etc/bind/named.conf.options
+
+options {
+        directory "/var/cache/bind";
+        dnssec-validation auto;
+
+        listen-on-v6 { any; };
+        listen-on { any; };
+
+        allow-query { any; };
+
+        forwarders {
+                1.1.1.1;
+                1.0.0.1;
+        };
+};
+root@mail:~# systemctl restart bind9
+	
+
+
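Review bot: `allow-query { any; };` next to `forwarders` in the secondary's named.conf.options, with no `recursion` or `allow-recursion` statement, leaves this public authoritative server answering recursive queries for any client, because BIND 9 falls back to the allow-query list when allow-recursion and allow-query-cache are unset. Add `recursion no;` if the host only serves void.yt, or restrict recursion with `allow-recursion { localhost; };` and keep `allow-query { any; };` for the authoritative zone. The same applies to the options block shown in the DNSSEC section.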

And that's it! We managed to set up 2 DNS servers using bind9 with a master-slave configuration along with dynamic DNS. Now if you want your DNS servers to propagate, you will have to wait:

+ +

You can check the status of the DNS propagation on this website:

+ +

As you can see, none of the major DNS servers around the world are aware of my ns1.void.yt record, therefore I need to wait for my DNS record to propagate (by setting the DNS server as the DNS servers for a particular domain, on a registrar):

+ + +
+
+
+
+ + + +
+
+
+
+

DNSSEC Setup



+

Once your DNS records have propagated, we can set up DNSSEC:

+

+root@mail-gw:~# vim /etc/bind/named.conf.options
+root@mail-gw:~# cat /etc/bind/named.conf.options
+options {
+        directory "/var/cache/bind";
+
+        //dnssec-validation yes;
+        //dnssec-enable yes;
+        //dnssec-lookaside auto; //since debian 12 these are no longer needed
+
+        listen-on-v6 { any; };
+        listen-on { any; };
+        allow-query { any; };
+        forwarders {
+                1.1.1.1;
+                1.0.0.1;
+        };
+};
+	
+
+

Then generate the DNS keys for your domain:

+

+root@mail-gw:~# cd /var/cache/bind
+root@mail-gw:/var/cache/bind# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE nihilism.network
+Generating key pair...................+++++ ..................................................................................................................+++++
+Knihilism.network.+007+54398
+root@mail-gw:/var/cache/bind# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE nihilism.network
+Generating key pair........................................................................++++ .....................++++
+Knihilism.network.+007+44145
+	
+
+
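Review bot: Both dnssec-keygen calls use `-a NSEC3RSASHA1`, i.e. DNSSEC algorithm 7, which signs with RSA/SHA-1 (visible later as `RRSIG CNAME 7` in the dig output). The updated commands at the end of the page already move to ECDSAP256SHA256; use that algorithm from this first step so readers do not sign a zone with SHA-1 and then have to re-key.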

Then create the zone file:

+

+root@mail-gw:/var/cache/bind# for key in `ls Knihilism.network*.key`; do echo "\$INCLUDE $key">> nihilism.network.zone; done
+root@mail-gw:/var/cache/bind# cat nihilism.network.zone
+$INCLUDE Knihilism.network.+007+44145.key
+$INCLUDE Knihilism.network.+007+54398.key
+
+
+

Then sign the zone with the dnssec-signzone command:

+

+root@mail-gw:/var/cache/bind# for key in `ls Knihilism.network*.key`; do echo "\$INCLUDE $key">> nihilism.network.zone; done
+root@mail-gw:/var/cache/bind# cat nihilism.network.zone
+$INCLUDE Knihilism.network.+007+44145.key
+$INCLUDE Knihilism.network.+007+54398.key
+root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16)			-N INCREMENT -o nihilism.network -t nihilism.network.zone
+
+
+dnssec-signzone: warning: Knihilism.network.+007+44145.key:5: no TTL specified; zone rejected
+dnssec-signzone: fatal: failed loading zone from 'nihilism.network.zone': no ttl
+
+
+

If you get the no TTL error like me, regenerate the keys with a TTL using the -L flag:

+

+
+root@mail-gw:/var/cache/bind# dnssec-keygen -L 3600 -a NSEC3RSASHA1 -b 2048 -n ZONE nihilism.network
+Generating key pair.........................................+++++ .......+++++
+Knihilism.network.+007+35034
+
+root@mail-gw:/var/cache/bind# dnssec-keygen -L 3600 -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE nihilism.network
+Generating key pair......++++ ..................................................................................................................................................................++++
+Knihilism.network.+007+23388
+
+root@mail-gw:/var/cache/bind# for key in `ls Knihilism.network*.key`; do echo "\$INCLUDE $key">> nihilism.network.zone; done
+
+root@mail-gw:/var/cache/bind# cat nihilism.network.zone
+
+$INCLUDE Knihilism.network.+007+23388.key
+$INCLUDE Knihilism.network.+007+35034.key
+
+root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nihilism.network -t db.nihilism.network
+dnssec-signzone: warning: db.nihilism.network:17: TTL set to prior TTL (3600)
+dnssec-signzone: fatal: No signing keys specified or found.
+
+root@mail-gw:/var/cache/bind# cat nihilism.network.zone >> db.nihilism.network
+
+
+root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)	-N INCREMENT -o nihilism.network -t db.nihilism.network
+
+dnssec-signzone: warning: db.nihilism.network:17: TTL set to prior TTL (3600)
+Verifying the zone using the following algorithms:
+- NSEC3RSASHA1
+Zone fully signed:
+Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
+                         ZSKs: 1 active, 0 stand-by, 0 revoked
+db.nihilism.network.signed
+Signatures generated:                       51
+Signatures retained:                         0
+Signatures dropped:                          0
+Signatures successfully verified:            0
+Signatures unsuccessfully verified:          0
+Signing time in seconds:                 0.068
+Signatures per second:                 750.000
+Runtime in seconds:                      0.076
+	
+
+
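Review bot: The step between the failed signing and the regenerated keys is missing: the `for key in ... >> nihilism.network.zone` loop appends and its glob matches every Knihilism.network*.key in the directory, yet the `cat` after regeneration lists only 23388 and 35034, so the old key pairs (44145, 54398) and the old nihilism.network.zone must have been deleted off-page. Show that cleanup, or write the file with `>` from an explicit list of the two current keys. Also note that `-n 3` in the final `dnssec-signzone -AA -n 3 ...` sets the number of signing threads; NSEC3 iterations are set with `-H`.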

If it gives you further errors, debug it here https://dnsviz.net/d/nihilism.network/dnssec/:

+

Then we continue:

+

+root@mail-gw:/var/cache/bind# vim /etc/bind/named.conf.local
+root@mail-gw:/var/cache/bind# cat /etc/bind/named.conf.local
+zone "nihilism.network"  {
+        type master;
+        file "db.nihilism.network.signed";
+        allow-update { none; };
+};
+	
+
+

Then restart bind9:

+

+root@mail-gw:/var/cache/bind# systemctl restart bind9
+root@mail-gw:/var/cache/bind# systemctl status bind9
+* named.service - BIND Domain Name Server
+     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
+     Active: active (running) since Fri 2022-09-30 19:58:12 CEST; 3s ago
+       Docs: man:named(8)
+   Main PID: 42611 (named)
+      Tasks: 4 (limit: 507)
+     Memory: 7.8M
+        CPU: 19ms
+     CGroup: /system.slice/named.service
+             `-42611 /usr/sbin/named -f -u bind
+
+Sep 30 19:58:12 mail-gw named[42611]: zone 127.in-addr.arpa/IN: loaded serial 1
+Sep 30 19:58:12 mail-gw named[42611]: zone localhost/IN: loaded serial 2
+Sep 30 19:58:12 mail-gw named[42611]: zone nihilism.network/IN: sig-re-signing-interval less than 3 * refresh.
+Sep 30 19:58:12 mail-gw named[42611]: zone nihilism.network/IN: loaded serial 18 (DNSSEC signed)
+Sep 30 19:58:12 mail-gw named[42611]: all zones loaded
+Sep 30 19:58:12 mail-gw named[42611]: running
+Sep 30 19:58:12 mail-gw named[42611]: zone nihilism.network/IN: sending notifies (serial 18)
+Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nihilism.network): transfer of 'nihilism.network/IN': IXFR version not in journal, falling back to AXFR
+Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nihilism.network): transfer of 'nihilism.network/IN': AXFR-style IXFR started (serial 18)
+Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nihilism.network): transfer of 'nihilism.network/IN': AXFR-style IXFR ended: 2 messages, 104 records, 19335 bytes, 0.001 secs (19335000 bytes/sec) (serial 18)
+
+ +

So from now on, when you want to edit your zone, you will need to first edit the db file and then run the dnssec-signzone command:

+

+root@mail-gw:/var/cache/bind# vim db.nihilism.network
+
+root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)	-N INCREMENT -o nihilism.network -t db.nihilism.network
+
+dnssec-signzone: warning: db.nihilism.network:17: TTL set to prior TTL (3600)
+Verifying the zone using the following algorithms:
+- NSEC3RSASHA1
+Zone fully signed:
+Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
+                         ZSKs: 1 active, 0 stand-by, 0 revoked
+db.nihilism.network.signed
+Signatures generated:                       53
+Signatures retained:                         0
+Signatures dropped:                          0
+Signatures successfully verified:            0
+Signatures unsuccessfully verified:          0
+Signing time in seconds:                 0.068
+Signatures per second:                 779.411
+Runtime in seconds:                      0.080
+
+root@mail-gw:/var/cache/bind# systemctl restart bind9
+
+root@mail-gw:/var/cache/bind# systemctl status bind9
+* named.service - BIND Domain Name Server
+     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
+     Active: active (running) since Sat 2022-10-01 10:37:34 CEST; 1s ago
+       Docs: man:named(8)
+   Main PID: 45909 (named)
+      Tasks: 4 (limit: 507)
+     Memory: 7.8M
+        CPU: 21ms
+     CGroup: /system.slice/named.service
+             `-45909 /usr/sbin/named -f -u bind
+	
+
+

Now when we test DNSSEC against our bind server, we see the following:

+

+[ 10.0.0.10/16 ] [ nowhere ] [~]
+→ dig @23.137.250.140 stream.nihilism.network. A +dnssec +multiline
+
+; <<>> DiG 9.18.4-2-Debian <<>> @23.137.250.140 stream.nihilism.network. A +dnssec +multiline
+; (1 server found)
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52175
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags: do; udp: 1232
+; COOKIE: bb834e65ec1896a601000000633c65914ff2b9c6c7b43b1d (good)
+;; QUESTION SECTION:
+;stream.nihilism.network. IN A
+
+;; ANSWER SECTION:
+stream.nihilism.network. 604800 IN CNAME web-gw.nihilism.network.
+stream.nihilism.network. 604800 IN RRSIG CNAME 7 3 604800 (
+                                20221103152726 20221004152726 35034 nihilism.network.
+                                qIu/a2pi8e52tLqNBmCbeFHGK3TkQLquJNcziCoCYlQY
+                                qOOFiXisOz7sg05uWxvX04kKofQyuUb9X/+e20r28WUe
+                                gAhS1LJWE9BfBHfq/iQBXX4yWLTTYMqyjDyW56RUX7Z9
+                                zJs46TJB983ggZ1VwAJOifDGvl4vYSld/XeFy0EQy62G
+                                3Etq9GZe+O5ZEKsuYA+9RGockq/TwwLn6ibZfst172xt
+                                B/uKxmX+J3gcBzeGp1wwGd07UdlxaLyniQ41DSYmdTdD
+                                jECbxVQRvMnC1MhD8nYsmhm/YroKXeQpMX7ugJD1ZomY
+                                A7/ofGO6asXTGY2V3JxiITop0nKlfSlLbA== )
+web-gw.nihilism.network. 604800 IN A 23.137.250.141
+web-gw.nihilism.network. 604800 IN RRSIG A 7 3 604800 (
+                                20221103152726 20221004152726 35034 nihilism.network.
+                                hlE0hXZiU9/LnSKghK3OKMxIbrrimFqF0HfHJubzQ50U
+                                f9g3m9bZJeANu4iJHCmPR1TVJUp0qYxUTRb815kWGKIq
+                                DHUNErDN+WhZoTBMT8jzdX8kntKFnd8+N/d/gjQ91Oxp
+                                MOGf2V1fAu0wnvVZGzn6PGmQfb1vsZ3pskmTd5bz/A1g
+                                nPoT3MXYWQol8x8h9bYdBwwz/cmbHbeZ2s8NIgFj/F46
+                                cciq3lIs6HDmmYzE50TQ5YApCyHDYSM7gu/u/O/4pxAP
+                                55Fo5qtkZQCMoRtcRJh+GG5X7W2onoi4zICAZXpD5L6z
+                                IaBl++bwjDaSIOiAsV2j+gRGETtUQ4Ef4w== )
+
+;; Query time: 23 msec
+;; SERVER: 23.137.250.140#53(23.137.250.140) (UDP)
+;; WHEN: Tue Oct 04 18:56:01 CEST 2022
+;; MSG SIZE  rcvd: 725
+
+
+

For simplicity's sake, I have this script to automate the signing of the DNS zone file, the checking of it and the restarting of the service in one script:

+

+root@mail-gw:/var/cache/bind# cat restartdns.sh
+
+#!/bin/bash
+
+# check the zone for errors:
+named-checkzone nihilism.network db.nihilism.network
+
+# sign it:
+dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)        -N INCREMENT -o nihilism.network -t db.nihilism.network
+
+#restart bind9
+systemctl restart bind9
+
+#check bind9 status
+systemctl status bind9
+
+
+

Updated restartdns.sh script (thanks to Notorious from notlean.net):

+

+
+1) updated algorythms  to avoid errors https://dnsviz.net/d/nihilism.network/dnssec/ 
+
+dnssec-keygen -L 3600 -a ECDSAP256SHA256 -b 2048 -n ZONE notlean.net
+dnssec-keygen -L 3600 -f KSK -a ECDSAP256SHA256 -b 2048 -n ZONE notlean.net
+for key in `ls Knotlean.net*.key`; do echo "\$INCLUDE $key">> notlean.net.zone; done
+cat notlean.net.zone >> forward.notlean.net.db
+dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o notlean.net -t forward.notlean.net.db
+rndc reload
+systemctl status named
+
+
+2) cat restartdns.sh 
+
+#!/bin/bash
+
+set -eu
+
+# Bnd Path
+ZONE_PATH="/var/cache/bind/notorious"
+
+# Domain name
+ZONE_NAME="notlean.net"
+
+# Bind zone file name
+ZONE_FILE="forward.notlean.net.db"
+
+# Generate NSEC3 salt
+NSEC3_SALT=$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
+
+# Go to zone path
+pushd $ZONE_PATH
+
+# Verify zone and check for errors
+echo "Chcking zone errors for $ZONE_NAME ..."
+if ! named-checkzone $ZONE_NAME $ZONE_FILE; then
+    echo "Error during zonbe checking. Verify the file."
+    exit 1
+fi
+
+# Signing zone DNSSEC
+echo "Signing zone file for $ZONE_NAME..."
+dnssec-signzone -A -3 $NSEC3_SALT -N INCREMENT -o $ZONE_NAME -t $ZONE_FILE
+
+# Restart BIND9
+echo "Restart BIND9..."
+rndc reload
+
+# Check bind status
+echo "Vérification du statut de BIND9..."
+systemctl status bind9
+
+# Back to local dir
+popd
+
+echo "Execution end"
+
+
+ + + +
+
+
+
+ + + +
+
+
+
+
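Review bot: In restartdns.sh, named-checkzone only validates the unsigned `$ZONE_FILE`; nothing checks the file dnssec-signzone writes before `rndc reload`, and `pushd $ZONE_PATH` and the other expansions are unquoted. Quote the variables and run named-checkzone on the signed output as well, so that with `set -eu` a bad signing run stops the script before the reload. In step 1, `-b 2048` is not needed with `-a ECDSAP256SHA256`, whose key size is fixed by the curve, so drop it from both dnssec-keygen lines.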

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + + diff --git a/servers/encryption/1.png b/servers/encryption/1.png new file mode 100644 index 0000000..7c4917d Binary files /dev/null and b/servers/encryption/1.png differ diff --git a/servers/encryption/2.png b/servers/encryption/2.png new file mode 100644 index 0000000..6658785 Binary files /dev/null and b/servers/encryption/2.png differ diff --git a/servers/encryption/3.png b/servers/encryption/3.png new file mode 100644 index 0000000..e978268 Binary files /dev/null and b/servers/encryption/3.png differ diff --git a/servers/encryption/4.png b/servers/encryption/4.png new file mode 100644 index 0000000..d543551 Binary files /dev/null and b/servers/encryption/4.png differ diff --git a/servers/encryption/5.png b/servers/encryption/5.png new file mode 100644 index 0000000..c4925c2 Binary files /dev/null and b/servers/encryption/5.png differ diff --git a/servers/encryption/6.png b/servers/encryption/6.png new file mode 100644 index 0000000..015d7cb Binary files /dev/null and b/servers/encryption/6.png differ diff --git a/servers/encryption/index.html b/servers/encryption/index.html new file mode 100644 index 0000000..eeaffd2 --- /dev/null +++ b/servers/encryption/index.html @@ -0,0 +1,174 @@ + + + + + + + + + + + What is Plausible Deniability ? Why is it Important ? + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-05-01

+

What is Plausible Deniability ? Why is it Important ?

+ +
+
+
+
+ + +
+
+
+
+

Encryption Provides Privacy

+

Let's take our previous analogy to explain what Privacy is:

+

+Bob wants to talk to Alice, He wants the conversation to remain private, so he closes the door
+Jack can't spy on bob and alice's conversation, because the door is closed, 
+The door is closed, the conversation remains between Alice and Bob, their conversation is Private.
+	
+
+ +

For Alice and Bob to protect their conversation from being spied on by Jack, they encrypt their conversation for example by using PGP.

+ +

Here the most common usecase for encryption is for people to encrypt their system disk on their computers, because if someone (like jack) were to steal their computer, they don't want to read all of their data.

+ +

All in all, encryption is used to provide privacy. As long as the encrypted volumes are closed when Jack is trying to open them, Jack cannot read the contents of the volumes.

+
+
+
+
+ +
+
+
+
+

What happens when Bob is forced to give out his password ?



+

Encryption however, cannot protect against everything.

+ +

In this case, Bob is legally, although questionably morally, forced to decrypt his encrypted system disk by the judge. Keep in mind that this is not a far fetched scenario, this has happened previously.

+
    +
  1. in January 2012 (source)

  2. +
  3. in Febuary 2009 (source)

  4. +
+

When that is the case, simply encrypting the disk is not enough, as all that is required is for the adversary to know of the existance of the encrypted drive, to be able to force Bob to open it

+ +

As far as key encryption laws, the trend is that most developed countries are forcing their citizens to incriminate themselves and to surrender the encryption keys to authorities, when asked. In short,If the encrypted volume is proven to exist, you can be forced to surrender the decryption key/password to open it.

+ +
+
+
+
+ + + +
+
+
+
+

Why is Plausible Deniability is Vital?



+

From a legal standpoint, the only way to be protected against that scenario where you're forced to decrypt your harddrive is to be able to deny the existance of said encrypted volume (Plausible Deniability) . If the encrypted volume does not exist, there is no password to be given for it.

+

So here we need a technology that can provide us Plausible Deniability. That is what Veracrypt can do for us.

+ +

In short, Veracrypt allows you to encrypt volumes, just like LUKS encryption does. However it gives you the choice to hide another encrypted volume inside the same volume, that is exactly what you can deny the existance of.

+

So you can hide some random meaningless data inside the decoy volume, while the real data that needs protection sits inside the hidden volume.

+

This means, when Jack forces Bob to open the vercrypt volume, Bob types Password A to open the decoy volume, Then, when asked by Jack, Bob declares that there is no Hidden volume, and Jack has no way to prove the existance the Hidden Volume.

+

To see how to implement Plausible Deniability protection with Veracrypt, check out this tutorial.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
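Review bot: in the "Encryption Provides Privacy" section, the sentence ending "if someone (like jack) were to steal their computer, they don't want to read all of their data" reads as if the owners do not want to read their own data; suggest "they don't want the thief to be able to read their data". In the forced-decryption section the two list items give only a date and a "(source)" link, so a reader cannot tell which case each refers to without clicking; a few words naming each case would document the claim "this has happened previously". Spelling and wording to fix in the same file: "existance" (four occurrences), "Febuary", "vercrypt", the heading "Why is Plausible Deniability is Vital?" (doubled "is"), "In short,If" (missing space, stray capital), and "no way to prove the existance the Hidden Volume" (missing "of").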
+ + + + + + + diff --git a/servers/endgame/0.png b/servers/endgame/0.png new file mode 100644 index 0000000..b32d9cb Binary files /dev/null and b/servers/endgame/0.png differ diff --git a/servers/endgame/1.png b/servers/endgame/1.png new file mode 100644 index 0000000..8464359 Binary files /dev/null and b/servers/endgame/1.png differ diff --git a/servers/endgame/10.png b/servers/endgame/10.png new file mode 100644 index 0000000..5fc5808 Binary files /dev/null and b/servers/endgame/10.png differ diff --git a/servers/endgame/11.png b/servers/endgame/11.png new file mode 100644 index 0000000..c9af878 Binary files /dev/null and b/servers/endgame/11.png differ diff --git a/servers/endgame/12.png b/servers/endgame/12.png new file mode 100644 index 0000000..aa8f77f Binary files /dev/null and b/servers/endgame/12.png differ diff --git a/servers/endgame/13.png b/servers/endgame/13.png new file mode 100644 index 0000000..432935b Binary files /dev/null and b/servers/endgame/13.png differ diff --git a/servers/endgame/14.png b/servers/endgame/14.png new file mode 100644 index 0000000..0a65c5f Binary files /dev/null and b/servers/endgame/14.png differ diff --git a/servers/endgame/15.png b/servers/endgame/15.png new file mode 100644 index 0000000..1ec5512 Binary files /dev/null and b/servers/endgame/15.png differ diff --git a/servers/endgame/16.png b/servers/endgame/16.png new file mode 100644 index 0000000..e417ff4 Binary files /dev/null and b/servers/endgame/16.png differ diff --git a/servers/endgame/17.png b/servers/endgame/17.png new file mode 100644 index 0000000..1183b17 Binary files /dev/null and b/servers/endgame/17.png differ diff --git a/servers/endgame/18.png b/servers/endgame/18.png new file mode 100644 index 0000000..8e2a4a1 Binary files /dev/null and b/servers/endgame/18.png differ diff --git a/servers/endgame/19.png b/servers/endgame/19.png new file mode 100644 index 0000000..a03fc9c Binary files /dev/null and b/servers/endgame/19.png differ 
diff --git a/servers/endgame/2.png b/servers/endgame/2.png new file mode 100644 index 0000000..fc62e02 Binary files /dev/null and b/servers/endgame/2.png differ diff --git a/servers/endgame/20.png b/servers/endgame/20.png new file mode 100644 index 0000000..9066106 Binary files /dev/null and b/servers/endgame/20.png differ diff --git a/servers/endgame/21.png b/servers/endgame/21.png new file mode 100644 index 0000000..f9584f3 Binary files /dev/null and b/servers/endgame/21.png differ diff --git a/servers/endgame/22.png b/servers/endgame/22.png new file mode 100644 index 0000000..3373a7b Binary files /dev/null and b/servers/endgame/22.png differ diff --git a/servers/endgame/23.png b/servers/endgame/23.png new file mode 100644 index 0000000..72d5d1a Binary files /dev/null and b/servers/endgame/23.png differ diff --git a/servers/endgame/3.png b/servers/endgame/3.png new file mode 100644 index 0000000..e36a139 Binary files /dev/null and b/servers/endgame/3.png differ diff --git a/servers/endgame/4.png b/servers/endgame/4.png new file mode 100644 index 0000000..2c77669 Binary files /dev/null and b/servers/endgame/4.png differ diff --git a/servers/endgame/5.png b/servers/endgame/5.png new file mode 100644 index 0000000..ed7ecb0 Binary files /dev/null and b/servers/endgame/5.png differ diff --git a/servers/endgame/6.png b/servers/endgame/6.png new file mode 100644 index 0000000..009ef1a Binary files /dev/null and b/servers/endgame/6.png differ diff --git a/servers/endgame/7.png b/servers/endgame/7.png new file mode 100644 index 0000000..bd923fa Binary files /dev/null and b/servers/endgame/7.png differ diff --git a/servers/endgame/8.png b/servers/endgame/8.png new file mode 100644 index 0000000..05b7c8c Binary files /dev/null and b/servers/endgame/8.png differ diff --git a/servers/endgame/9.png b/servers/endgame/9.png new file mode 100644 index 0000000..b2dff3c Binary files /dev/null and b/servers/endgame/9.png differ 
diff --git a/servers/endgame/index.html b/servers/endgame/index.html new file mode 100644 index 0000000..d027fdf --- /dev/null +++ b/servers/endgame/index.html @@ -0,0 +1,1003 @@ + + + + + + + + + + + EndGame V3 Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-13

+

EndGame V3 Setup

+ +

In this tutorial we're going to setup the EndGameV3 Anti DDOS / Load Balancer / WAF service popularized by Dread, it was originally built to block off the incessant DDOS attacks that onion services were facing. Because of that, EndGame was developped, along with the Proof of Work (POW) Defense released by TorProject for more details you can click here.

+

+Endgame should be on a separate server to your backend server. It only proxies content from your backend to the user. You will still need to configure your backend to handle requests from the Endgame Front.
+
+This is the same system that anti-DDOS services like Cloudflare, Indusface, and Imperva use to protect websites from attacks. The difference is this is self-hosted and fully controlled by you for your own needs and made for darknet networks.
+
+
+

Now we'll first cover how to have a single Endgame V3 front, to redirect to 2 onion backends, but keep in mind that there is very high latency involved here. The ideal setup as we'll see later, is to have local redirection behind the Endgame front. And we'll also make use of the onionbalance technology to setup multiple Endgame fronts for the same Master Onion!

+ +
+
+
+
+ + +
+
+
+
+

Prerequisites

+

First of all you need at least 2 backend servers that are reachable via their .onion links. To set them up you can look at my tutorial here.

+

In this example we'll use my 2 main websites' onion links:

+

+http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
+http://nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion/
+	
+
+ +

Obviously these are not the same service, but we'll pretend that they are. Now let's setup Endgame on a blank Debian 12 VM with internet access:

+ +
+
+
+
+ +
+
+
+
+

1 Endgame Front, 2 Backend Servers



+

Let's first download the tar.gz file for endgamev3, and verify the sha256sum hash of the tar.gz file according to the original post's recommendations. Here i downloaded it from the git mirror i host, but if you want the original URL you can get it from here: http://g66ol3eb5ujdckzqqfmjsbpdjufmjd5nsgdipvxmsh7rckzlhywlzlqd.onion/EndGameV3.tar.gz

+

+root@debian:~# wget https://git.datura.network/nihilist/EndGameV3/raw/branch/main/EndGameV3.tar.gz
+--2024-04-13 12:39:00--  https://git.datura.network/nihilist/EndGameV3/raw/branch/main/EndGameV3.tar.gz
+Resolving git.datura.network (git.datura.network)... 65.109.30.253
+Connecting to git.datura.network (git.datura.network)|65.109.30.253|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 35340090 (34M) [application/octet-stream]
+Saving to: ‘EndGameV3.tar.gz’
+
+EndGameV3.tar.gz                                            100%[===========================================================================================================================================>]  33.70M  4.22MB/s    in 10s
+
+2024-04-13 12:39:12 (3.27 MB/s) - ‘EndGameV3.tar.gz’ saved [35340090/35340090]
+
+root@debian:~# sha256sum EndGameV3.tar.gz
+89036a0ae8631aa1683bb370f357a4042b2e138eebeaea14bb35824f5d1f6bbb  EndGameV3.tar.gz
+	
+
+ +

As of 13/04/2024, the SHA256 Hash of EndGameV3.tar.gz is 89036a0ae8631aa1683bb370f357a4042b2e138eebeaea14bb35824f5d1f6bbb. let's unpack it:

+

+root@debian:~# neofetch
+       _,met$$$$$gg.          root@debian
+    ,g$$$$$$$$$$$$$$$P.       -----------
+  ,g$$P"     """Y$$.".        OS: Debian GNU/Linux 12 (bookworm) x86_64
+ ,$$P'              `$$$.     Host: KVM/QEMU (Standard PC (Q35 + ICH9, 2009) pc-q35-7.2)
+',$$P       ,ggs.     `$$b:   Kernel: 6.1.0-13-amd64
+`d$$'     ,$P"'   .    $$$    Uptime: 1 hour, 19 mins
+ $$P      d$'     ,    $$P    Packages: 447 (dpkg)
+ $$:      $$.   -    ,d$$'    Shell: bash 5.2.15
+ $$;      Y$b._   _,d$P'      Resolution: 1632x1684
+ Y$$.    `.`"Y$$$$P"'         CPU: AMD Ryzen 7 5700X (2) @ 3.393GHz
+ `$$b      "-.__              GPU: 00:01.0 Red Hat, Inc. Virtio 1.0 GPU
+  `Y$$                        Memory: 140MiB / 1966MiB
+   `Y$$.
+     `$$b.
+       `Y$$b.
+          `"Y$b._
+              `"""
+
+root@debian:~# mkdir endgame
+
+root@debian:~# mv EndGameV3.tar.gz endgame/
+
+root@debian:~# cd endgame
+
+root@debian:~/endgame# tar -xzvf EndGameV3.tar.gz
+	
+root@debian:~/endgame# ls -lash
+total 34M
+4.0K drwxr-xr-x  8 root     root     4.0K Apr 13 13:54 .
+4.0K drwx------  5 root     root     4.0K Apr 13 13:54 ..
+4.0K -rw-r--r--  1 nihilist nihilist  178 Jul 11  2022 aptpreferences
+4.0K drwxr-xr-x 11 nihilist nihilist 4.0K Mar 18 18:50 dependencies
+8.0K -rw-r--r--  1 nihilist nihilist 6.1K Apr 10 05:10 endgame.config
+ 34M -rw-r--r--  1 root     root      34M Apr 13 12:48 EndGameV3.tar.gz
+4.0K -rwxr-xr-x  1 nihilist nihilist 1.1K Sep 16  2023 getdependencies.sh
+ 12K -rw-r--r--  1 nihilist nihilist 9.5K May  9  2023 i2pd.conf
+4.0K -rw-r--r--  1 nihilist nihilist  145 Mar 30  2023 jail.local
+4.0K -rw-r--r--  1 nihilist nihilist 2.0K Mar 30  2023 limits.conf
+4.0K drwxr-xr-x  2 nihilist nihilist 4.0K Apr  9 17:45 lua
+4.0K -rw-r--r--  1 nihilist nihilist  357 Nov  8 01:35 mentions.txt
+8.0K -rw-r--r--  1 nihilist nihilist 5.9K Jun 29  2022 naxsi_core.rules
+4.0K -rw-r--r--  1 nihilist nihilist  209 Jun 12  2023 naxsi_whitelist.rules
+4.0K -rw-r--r--  1 nihilist nihilist 2.0K Jul 18  2023 nginx.conf
+4.0K -rwxr-xr-x  1 nihilist nihilist 1.3K May  9  2023 nginx-update.sh
+ 12K -rw-r--r--  1 nihilist nihilist  11K Apr 10 04:00 README.md
+4.0K drwxr-xr-x  2 nihilist nihilist 4.0K Jun  1  2023 repokeys
+4.0K drwxr-xr-x  2 nihilist nihilist 4.0K Sep  7  2023 resty
+ 72K -rw-r--r--  1 nihilist nihilist  71K Apr 10 05:53 resty.tgz
+ 16K -rwxr-xr-x  1 nihilist nihilist  13K Apr 11 23:36 setup.sh
+ 12K -rw-r--r--  1 nihilist nihilist  12K Apr 10 04:50 site.conf
+4.0K drwxr-xr-x  4 nihilist nihilist 4.0K May  6  2023 sourcecode
+4.0K -rwxr-xr-x  1 nihilist nihilist  464 May 25  2023 startup.sh
+4.0K -rw-r--r--  1 nihilist nihilist 1.5K May 17  2023 sysctl.conf
+4.0K drwxr-xr-x  2 nihilist nihilist 4.0K Apr 10 05:32 tor-patch
+4.0K -rw-rw-rw-  1 nihilist nihilist 1.8K Apr 10 04:50 torrc
+4.0K -rw-r--r--  1 nihilist nihilist  157 Mar 29  2023 torrc2
+4.0K -rw-r--r--  1 nihilist nihilist  157 Mar 29  2023 torrc3
+4.0K -rw-r--r--  1 nihilist nihilist  179 May  5  2023 tunnels.conf
+
+
+ +

From there we can follow the steps as detailed in the README.md

+Go to sourcecode/gobalance and build gobalance with go. Read the README.md about how to compile and generate the gobalance configuration. With that configuration you will be able to see your MASTERONION url. The starting before .key is your master onion address. You will use that as your MASTERONION in the EndGame.config ending it with '.onion'. +

+root@debian:~/endgame# cd sourcecode/gobalance/
+root@debian:~/endgame/sourcecode/gobalance# ls
+go.mod  go.sum  main.go  pkg  README.md  torrc  vendor
+root@debian:~/endgame/sourcecode/gobalance# cat README.md
+
+[...]
+
+# Compiling
+
+- `go get -u` - updates all dependencies
+- `go mod vendor` - stores the updates in the vendor folder
+- `go build -o gobalance main.go` - builds the gobalance application
+
+# Generate Configuration
+
+- `./gobalance g`
+
+or simply use your python onionbalance one! Drop in replacement support (no multisite)!
+
+# Running
+After you have configured your gobalance, you will need a tor process on your localhost. There is a provided torrc file. Run it with Tor like this:
+
+- `tor -f torrc`
+
+After that run gobalance
+
+- `./gobalance`
+
+If you need to run these in the background (in the event your server connection dies or drops) you can use `nohup` or a detached terminal session.
+I, /u/Paris, recommend just running it locally with geo redundancy to not need to worry about server crashes or compromises. Onion key safety is your absolute priority. When it's compromised your operation is done.
+
+
+

So as advised, let's compile gobalance using go:

+

+root@debian:~/endgame/sourcecode/gobalance# apt update -y ;  apt install golang -y
+
+root@debian:~/endgame/sourcecode/gobalance# go get -u
+go: downloading github.com/sirupsen/logrus v1.9.3
+go: downloading github.com/urfave/cli/v2 v2.27.1
+go: downloading golang.org/x/crypto v0.17.0
+go: downloading golang.org/x/crypto v0.22.0
+go: downloading github.com/urfave/cli v1.22.14
+go: downloading gopkg.in/yaml.v3 v3.0.1
+go: downloading golang.org/x/sys v0.15.0
+go: downloading golang.org/x/sys v0.19.0
+go: downloading maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066
+go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.3
+go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.4
+go: downloading github.com/cpuguy83/go-md2man v1.0.10
+go: downloading github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e
+go: downloading github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913
+go: downloading github.com/russross/blackfriday/v2 v2.1.0
+go: downloading github.com/russross/blackfriday v1.6.0
+go: upgraded github.com/cpuguy83/go-md2man/v2 v2.0.3 => v2.0.4
+go: upgraded github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e => v0.0.0-20240312152122-5f08fbb34913
+go: upgraded golang.org/x/crypto v0.17.0 => v0.22.0
+go: upgraded golang.org/x/sys v0.15.0 => v0.19.0
+
+root@debian:~/endgame/sourcecode/gobalance# go mod vendor
+go: downloading github.com/stretchr/testify v1.8.0
+go: downloading github.com/pmezard/go-difflib v1.0.0
+go: downloading github.com/davecgh/go-spew v1.1.1
+root@debian:~/endgame/sourcecode/gobalance# go build -o gobalance main.go
+
+root@debian:~/endgame/sourcecode/gobalance# ./gobalance g
+root@debian:~/endgame/sourcecode/gobalance# ls
+config.yaml  uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.key  gobalance  go.mod  go.sum  main.go  pkg  README.md  torrc  vendor
+
+root@debian:~/endgame/sourcecode/gobalance# cat torrc
+RunAsDaemon 0
+ControlPort 9051
+DataDirectory torfiles
+
+
+ +

So in this case our MASTERONION url is uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.onion Next step is to edit the endgame.config file:

+
	
+root@debian:~/endgame/sourcecode/gobalance# cd ../..
+root@debian:~/endgame# vim endgame.config
+
+
+

To edit the file we follow the setup process from the README:

+

+Open up and edit the endgame.config, you will need to change your TORAUTHPASSWORD. Change it to a random alphanumeric password of your choice. This is just used for authentication on nginx's layer to send circuit kill commands.
+You have two options for how EndGame sends the traffic to your backend. You can have it direct it to an onion address, or you can have it locally proxy to a server on the same network.
+
+    Tor Proxy: You will need to set both of the BACKENDONION variables to your main onion service you want protected. This means your origin application server needs to have tor running with its own onion service address. You put that onion address on the BACKENDONION(1/2). If you have multiple backends (highly recommended) you can put different backend addresses to have load balancing and fallover. It's easy to add in even more by customizing endgame for your needs.
+    Local Proxy: Change LOCALPROXY to true and edit the PROXYPASSURL to the specific IP or hostname of your backend location. It will default to connect on port 80 via http but you can edit line 320 of the site.conf to change that to your specific needs.
+
+Enable I2PSETUP and/or TORSETUP by setting them to true. You can also enable TORINTRODEFENSE and TORPOWDEFENSE to provide more protection against introduction attacks on the Tor network.
+Edit KEY and SALT to a secure cookie value. PROTECT THESE VALUES. If they get leaked, an attacker could generate EndGame cookies and hurt your EndGame protection.
+
+    KEY: is your encryption key used for encryption. It should be to be between 68 and 128 random alphanumeric characters.
+    SALT: is your salt for the encryption key. It must be exactly 8 alphanumeric characters.
+
+Branding is important. EndGame makes it easy to use your own branding on it. By default, it will use dread's branding, but you should change it.
+
+    HEXCOLOR and HEXCOLORDARK are for the specific colors used on the pages. Set HEXCOLOR to your main site color and HEXCOLORDARK to just a slightly darker version of it.
+    SITENAME, SITETAGLINE, SITESINCE is all information about your site. Self-explanatory.
+    FAVICON is used as your site's favicon in base64. This limits the amount of requests a browser may do when first loading the queue page. Make sure this value is set to something. Otherwise people's connections will get cut off from the queue when their browser makes a request to the favicon.ico.
+    SQUARELOGO is used as the icon for the queue running man and the main splash logo on the captcha page. In base64 format.
+    NETWORKLOGO is used as a bottom network icon for on the captcha page which allows different sites a part of the same organization to be shown. In base64 format.
+
+After you are done EndGame's configuration, you should archive everything except the sourcecode folder. Transfer the archive to a blank debian 12 system. As root, extract the archive and run setup.sh like './setup.sh'. At the end of the setup, it will export an onion address (and i2p if set but don't add that to gobalance) which you can provide to users or add to your gobalance configuration.
+	
+
+

Let's first generate our KEY (max 128chars) and SALT (8 chars):

+

+[ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog]
+→ sudo apt install pwgen -y
+
+[ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog]
+→ pwgen 8 1
+OotoNg0s
+
+[ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog]
+→ pwgen 127 1
+Ex6meeghah2Voo4iezeequieFoChieyoch2kuish8ubopheikux2hedu5ahng5Iwooquii3tuowi6quie1leeTaeN5ugh0Dooch1naexaetoya9hoh2Fohlu5oP5ohm
+	
+
+

So we have the following config:

+
	
+root@debian:~/endgame# cat endgame.config
+#This area
+
+#OPTIONS!
+MASTERONION="uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.onion"
+TORAUTHPASSWORD="MYCOMPLEXPASSWORDTOREPLACE!!!"
+BACKENDONION1="daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion"
+BACKENDONION2="nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion"
+
+#set to true if you want to setup local proxy instead of proxy over Tor
+LOCALPROXY=false
+PROXYPASSURL="10.10.10.0"
+
+#Install the latest kernel from debian unstable. Recommended but may cause some issues on old systems.
+LATESTKERNEL=true
+
+#reboot after completion. Highly recommended to get the new kernel active.
+REBOOT=true
+
+#set to true if you want i2pd installed and setup
+I2PSETUP=false
+
+#set to true if you want tor installed and setup
+TORSETUP=true
+
+#enable Tor introduction defense. Keeps the Tor process from stalling but hurts reliability. Only recommended if running on low powered fronts.
+TORINTRODEFENSE=false
+
+#enable Tor POW introduction defense. This should be enabled!
+TORPOWDEFENSE=true
+
+#enable Tor minimum work patch. This builds a new tor binary locally.
+TORMINWORK=true
+
+#Shared Front Captcha Key. Key should be alphanumeric between 64-128. Salt needs to be exactly 8 chars.
+KEY="Ex6meeghah2Voo4iezeequieFoChieyoch2kuish8ubopheikux2hedu5ahng5Iwooquii3tuowi6quie1leeTaeN5ugh0Dooch1naexaetoya9hoh2Fohlu5oP5ohm"
+SALT="OotoNg0s"
+#session length is in seconds. Default is 12 hours.
+SESSION_LENGTH=43200
+
+#Rate Limits!
+#Make sure to set these to reasonable defaults! Having them too low for your site can cause lots of disconnections while having them too high can make endgame ineffective!
+#Set the request rate to the max requests on your largest page! (try to keep it below 10! The lower you go the better endgame's protection is!)
+#Keep the stream limit 1 to 2 higher than your request limit!
+REQUESTRATELIMIT=8
+STREAMRATELIMIT=10
+
+#CSS Branding
+
+HEXCOLOR="9b59b6"
+HEXCOLORDARK="713C86"
+SITENAME="Nihilism"
+SITETAGLINE="Until there is nothing left."
+SITESINCE="2024"
+FAVICON="data:image/x-icon;base64,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"
+SQUARELOGO="data:image/webp;base64,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"
+NETWORKLOGO="data:image/webp;base64,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"
+
+
+

SIDENOTES FROM /u/Paris :

+

+If you are using the TORMINWORK=true setting generally you don't need gobalance at all. You can just have a single front handle the load. Gobalance can't handle POW at this time as there are tor control systems to really handle it at this time. When arti is finished with POW onionbalance will be finished in rust. We are waiting for that. Should be within the year.
+
+If you are running endgame and onionbalance on the same server are you doing it wrong. Onionbalance is designed to combine multiple fronts into a single descriptor for load balancing. One address with multiple fronts holding it up. If you only have a single server just run endgame and pass the ending address to others. No onionbalance needed at all.
+
+If you want to have a custom address created use a tool like mkp224o and generate a custom one. You can then transfer the custom one over to your front (replacing the /etc/tor/hidden_service files with the generated one). Then go into /etc/nginx/sites-enabled/site.conf and change out the onion address to your new one. After that reboot and your new custom address should be live on your front.
+
+
+ +

Now from here you can run the setup.sh file. However just in case if you messed up at any point up until now, i recommend you take a VM snapshot to revert to in case if something goes wrong.

+ +

Snapshot taken, now let's run setup.sh:

+

+root@debian:~/endgame# ./setup.sh
+Welcome To The End Game DDOS Prevention Setup...
+Proceeding to do the configuration and setup. This will take awhile.
+The system will reboot after finishing setup!
+Generating Master Key... should only take a second...
+Done. MASTER_KEY = 1DWWADWAAWAWDWDAWAAWWAWAD3121556778652
+
+[...]
+
+#let it run and reboot
+
+[..]
+
+
+User sessions running outdated binaries:
+ nihilist @ session #1: bash[527], login[466], su[537]
+ nihilist @ session #3: bash[669], sshd[661,668], su[672]
+ nihilist @ user manager service: systemd[520]
+
+No VM guests are running outdated hypervisor (qemu) binaries on this host.
+EndGame Setup Script Finished!
+TOR Hostname:
+gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion
+The address it to your gobalance config.yaml file!
+This system will now reboot in 10 seconds! 
+
+root@debian:~/endgame# Connection to 10.99.99.216 closed by remote host.
+Connection to 10.99.99.216 closed.
+	
+
+

VM rebooted, so reconnect there:

+

+root@debian:~/endgame# Connection to 10.99.99.216 closed by remote host.
+Connection to 10.99.99.216 closed.
+
+[ LAN-Home ] [ /dev/pts/4 ] [~]
+→ ssh nihilist@10.99.99.216
+nihilist@10.99.99.216's password:
+Linux debian 6.7.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.7.9-2 (2024-03-13) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+You have mail.
+Last login: Sat Apr 13 12:38:34 2024 from 10.99.99.101
+nihilist@debian:~$ su -
+Password:
+
+root@debian:~# systemctl status endgame
+● endgame.service - Endgame Startup Script Service
+     Loaded: loaded (/etc/systemd/system/endgame.service; enabled; preset: enabled)
+     Active: active (running) since Sat 2024-04-13 15:27:20 CEST; 1min 39s ago
+    Process: 501 ExecStart=/startup.sh (code=exited, status=0/SUCCESS)
+      Tasks: 8 (limit: 2323)
+     Memory: 183.0M
+        CPU: 1.245s
+     CGroup: /system.slice/endgame.service
+             ├─521 tor -f /etc/tor/torrc2
+             ├─524 tor -f /etc/tor/torrc3
+             ├─525 socat UNIX-LISTEN:/run/tor_pass1.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion:80,socksport=9060
+             └─526 socat UNIX-LISTEN:/run/tor_pass2.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion:80,socksport=9070
+
+Apr 13 15:27:20 debian startup.sh[513]: Apr 13 15:27:20.586 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
+Apr 13 15:27:20 debian startup.sh[513]: Apr 13 15:27:20.594 [notice] Read configuration file "/etc/tor/torrc2".
+Apr 13 15:27:20 debian startup.sh[521]: Apr 13 15:27:20.596 [notice] Opening Socks listener on 127.0.0.1:9060
+Apr 13 15:27:20 debian startup.sh[521]: Apr 13 15:27:20.596 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9060
+Apr 13 15:27:20 debian startup.sh[522]: Apr 13 15:27:20.610 [notice] Tor 0.4.8.11 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.11, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
+Apr 13 15:27:20 debian startup.sh[522]: Apr 13 15:27:20.610 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
+Apr 13 15:27:20 debian startup.sh[522]: Apr 13 15:27:20.610 [notice] Read configuration file "/etc/tor/torrc3".
+Apr 13 15:27:20 debian startup.sh[524]: Apr 13 15:27:20.615 [notice] Opening Socks listener on 127.0.0.1:9070
+Apr 13 15:27:20 debian startup.sh[524]: Apr 13 15:27:20.615 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9070
+Apr 13 15:27:20 debian systemd[1]: Started endgame.service - Endgame Startup Script Service.
+	
+
+

And here you can see that the endgame systemd service launched successfully, but as hinted above, we need to edit the gobalance config.yaml file:

+

+root@debian:~# vim endgame/sourcecode/gobalance/config.yaml
+root@debian:~# cat endgame/sourcecode/gobalance/config.yaml
+services:
+    - key: uyrpqcefaftpfq755fv4fe3noc6l3be4qehq3twcu3nfzvycdqko2yyd.key
+      instances:
+        - address: gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion
+
+root@debian:~/endgame# systemctl restart endgame
+root@debian:~/endgame# systemctl status endgame
+● endgame.service - Endgame Startup Script Service
+     Loaded: loaded (/etc/systemd/system/endgame.service; enabled; preset: enabled)
+     Active: active (running) since Sat 2024-04-13 15:32:26 CEST; 5s ago
+    Process: 1002 ExecStart=/startup.sh (code=exited, status=0/SUCCESS)
+      Tasks: 8 (limit: 2323)
+     Memory: 74.3M
+        CPU: 867ms
+     CGroup: /system.slice/endgame.service
+             ├─1006 tor -f /etc/tor/torrc2
+             ├─1009 tor -f /etc/tor/torrc3
+             ├─1010 socat UNIX-LISTEN:/run/tor_pass1.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion:80,socksport=9060
+             └─1011 socat UNIX-LISTEN:/run/tor_pass2.sock,fork,reuseaddr,unlink-early,user=www-data,group=www-data,mode=777 SOCKS4A:localhost:nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion:80,socksport=9070
+
+Apr 13 15:32:26 debian startup.sh[1004]: Apr 13 15:32:26.730 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
+Apr 13 15:32:26 debian startup.sh[1004]: Apr 13 15:32:26.730 [notice] Read configuration file "/etc/tor/torrc2".
+Apr 13 15:32:26 debian startup.sh[1006]: Apr 13 15:32:26.731 [notice] Opening Socks listener on 127.0.0.1:9060
+Apr 13 15:32:26 debian startup.sh[1006]: Apr 13 15:32:26.732 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9060
+Apr 13 15:32:26 debian startup.sh[1007]: Apr 13 15:32:26.740 [notice] Tor 0.4.8.11 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.11, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
+Apr 13 15:32:26 debian startup.sh[1007]: Apr 13 15:32:26.740 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
+Apr 13 15:32:26 debian startup.sh[1007]: Apr 13 15:32:26.740 [notice] Read configuration file "/etc/tor/torrc3".
+Apr 13 15:32:26 debian startup.sh[1009]: Apr 13 15:32:26.742 [notice] Opening Socks listener on 127.0.0.1:9070
+Apr 13 15:32:26 debian startup.sh[1009]: Apr 13 15:32:26.742 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9070
+Apr 13 15:32:26 debian systemd[1]: Started endgame.service - Endgame Startup Script Service.
+
+
+

Now before we continue, keep in mind that we will access the backend servers using the URL http://gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion/, so we need to make sure that the nginx server there has that URL aliased:

+

+[ Belladona ] [ /dev/pts/18 ] [/srv/Binternet]
+→ cat /etc/nginx/sites-available/nihilism.network.conf
+server {
+        listen 80;
+        listen [::]:80;
+        server_name nihilism.network;
+        return 301 https://$server_name$request_uri;
+}
+
+server {
+        ######## TOR CHANGES ########
+        listen 4445;
+        listen [::]:4445;
+        server_name nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion;
+        add_header Onion-Location "http://nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion/onion.html" always;
+        ######## TOR CHANGES ########
+
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name nihilism.network;
+[...]
+
+}
+
+#do the same on the other backend server!
+
+
+

Then after restarting the endgame service we check if it works as intended by accessing the main onion at the following URL http://gllrw5gzdvje5axxexdtncpxzbrgxp2l5hghbiysgtfxpjmloah2qrqd.onion/:

+ +

Here as you can see we're placed into a queue before being redirected to the captcha:

+ +

Then we fill in the captcha before getting redirected to one of the backend servers:

+ +

And that's it ! We have been redirected to one of the backend servers as intended. We can redo the whole process again by picking a new Identity in the tor browser to see if it redirects us to the other backend server as intended:

+ +

Now you can scale your hidden service operations over multiple backend servers, while still protecting against DDOS attacks.

+ +
+
+
+
+ +
+
+
+
+

2 Endgame Fronts, 2 Backend Servers

+
Problem 1: Latency +

Now there are 2 issues with that setup. First there are performance issues due to latency as in this current setup we have to go through Tor twice to get to the backend server, that's not ideal at all.

+ +

Problem 2: Not big enough! +

Second issue, why is there onionbalance in the mix and only one endgame frontend ?! As detailed in the article, onionbalance allows us to introduce high availability over a single onion service (like DNS Load balancing):

+

+Onionbalance is software designed and written by Donncha O'Cearbhaill as part of Tor's Summer of Privacy 2015. It allows onion service operators to achieve the property of high availability by allowing multiple machines to handle requests for a single onion service. You can think of it as the onion service equivalent of load balancing using round-robin DNS.
+
+
+

The true goal here is to have multiple Endgame fronts spread across multiple servers, under the same Master Onion Link! So for this second part of the tutorial we have this following setup:

+ +

So here we'll have 3 local backend servers for the same service, and we're going to have 2 Endgame servers, which will be under the same master subnet.

+

Let's first setup our 3 local backend servers, this time they will be 3 instances of the same service:

+

+root@backend1:~# apt install nginx vim -y
+
+root@backend1:~# vim /var/www/html/index.nginx-debian.html
+root@backend1:~# cat /var/www/html/index.nginx-debian.html
+Welcome to our Nihilist's service!
+
+We are currently on backend server 1 !
+
+
+

We clone that VM to the 2 other backend servers:

+ +

We edit the web page of the 2 backend servers to know on which backend server we land, and we have the following:

+

+[ LAN-Home ] [ /dev/pts/3 ] [~]
+→ curl 10.99.99.216
+Welcome to our Nihilist's service!
+
+We are currently on backend server 1 !
+
+[ LAN-Home ] [ /dev/pts/3 ] [~]
+→ curl 10.99.99.219
+Welcome to our Nihilist's service!
+
+We are currently on backend server 2 !
+
+
+ +

Our backend servers are now be reachable locally at the local IPs 10.99.99.216, and 10.99.99.219 on port 80

+ + +

Now let's setup our 2 Endgame Fronts servers on 2 other VMs, this will be a repeat of what we went through above for our previous endgame setup:

+ +

So as advised, here we need to configure endgame once, and then archive everything except the sourcecode

+

+After you are done EndGame's configuration, you should archive everything except the sourcecode folder. Transfer the archive to a blank debian 12 system. As root, extract the archive and run setup.sh like './setup.sh'. At the end of the setup, it will export an onion address (and i2p if set but don't add that to gobalance) which you can provide to users or add to your gobalance configuration.
+
+
+

So on our Endgame front 1, we configure gobalance to generate the .key file: (not on Endgame front 2!)

+

+root@endgame1:~/endgame/sourcecode/gobalance# go get -u ; go mod vendor ; go build -o gobalance main.go ; ./gobalance g
+go: downloading github.com/sirupsen/logrus v1.9.3
+go: downloading github.com/urfave/cli/v2 v2.27.1
+go: downloading golang.org/x/crypto v0.17.0
+go: downloading golang.org/x/crypto v0.22.0
+go: downloading github.com/urfave/cli v1.22.14
+go: downloading gopkg.in/yaml.v3 v3.0.1
+go: downloading golang.org/x/sys v0.15.0
+go: downloading golang.org/x/sys v0.19.0
+go: downloading maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066
+go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.3
+go: downloading github.com/cpuguy83/go-md2man v1.0.10
+go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.4
+go: downloading github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e
+go: downloading github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913
+go: downloading github.com/russross/blackfriday/v2 v2.1.0
+go: downloading github.com/russross/blackfriday v1.6.0
+go: upgraded github.com/cpuguy83/go-md2man/v2 v2.0.3 => v2.0.4
+go: upgraded github.com/xrash/smetrics v0.0.0-20231213231151-1d8dd44e695e => v0.0.0-20240312152122-5f08fbb34913
+go: upgraded golang.org/x/crypto v0.17.0 => v0.22.0
+go: upgraded golang.org/x/sys v0.15.0 => v0.19.0
+go: downloading github.com/stretchr/testify v1.8.0
+go: downloading github.com/pmezard/go-difflib v1.0.0
+go: downloading github.com/davecgh/go-spew v1.1.1
+root@endgame1:~/endgame/sourcecode/gobalance# ls
+config.yaml                                                   gobalance  go.sum   pkg        torrc
+ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key  go.mod     main.go  README.md  vendor
+
+
+

Here again i recommend making a snapshot of both VMs before continuing. Next we configure engame.config on the endgame front 1:

+

+root@endgame1:~/endgame# vim endgame.config
+root@endgame1:~/endgame# cat endgame.config
+#This area
+
+#OPTIONS!
+MASTERONION="ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion"
+TORAUTHPASSWORD="CHANGETHISPASSWORD!!!!"
+BACKENDONION1=""
+BACKENDONION2=""
+
+#set to true if you want to setup local proxy instead of proxy over Tor
+LOCALPROXY=true
+PROXYPASSURL="10.99.99.216"
+
+#Install the latest kernel from debian unstable. Recommended but may cause some issues on old systems.
+LATESTKERNEL=true
+
+#reboot after completion. Highly recommended to get the new kernel active.
+REBOOT=true
+
+#set to true if you want i2pd installed and setup
+I2PSETUP=false
+
+#set to true if you want tor installed and setup
+TORSETUP=true
+
+#enable Tor introduction defense. Keeps the Tor process from stalling but hurts reliability. Only recommended if running on low powered fronts.
+TORINTRODEFENSE=false
+
+#enable Tor POW introduction defense. This should be enabled!
+TORPOWDEFENSE=false
+
+#enable Tor minimum work patch. This builds a new tor binary locally.
+TORMINWORK=false
+
+#Shared Front Captcha Key. Key should be alphanumeric between 64-128. Salt needs to be exactly 8 chars.
+KEY="thoh1me2aemoonuo1eiNgaejahbeep5oe9eiZ3aezee5igae9faiv9sailoo1laath9vu7aeteeCh4ShaeVeidooy3see7Goong6gei3eePh6Ba5Leepee7zawooch3"
+SALT="agieLae8"
+#session length is in seconds. Default is 12 hours.
+SESSION_LENGTH=43200
+
+#Rate Limits!
+#Make sure to set these to reasonable defaults! Having them too low for your site can cause lots of disconnections while having them too high can make endgame ineffective!
+#Set the request rate to the max requests on your largest page! (try to keep it below 10! The lower you go the better endgame's protection is!)
+#Keep the stream limit 1 to 2 higher than your request limit!
+REQUESTRATELIMIT=8
+STREAMRATELIMIT=10
+
+#CSS Branding
+
+HEXCOLOR="9b59b6"
+HEXCOLORDARK="713C86"
+SITENAME="Nihilism"
+SITETAGLINE="Until there is nothing left."
+SITESINCE="2024"
+FAVICON="data:image/x-icon;base64,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"
+SQUARELOGO="data:image/webp;base64,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"
+NETWORKLOGO="data:image/webp;base64,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"
+
+
+

Here notice that we set both TORPOWDEFENSE and TORMINWORK to false, this is due to not being supported by gobalance as gobalance does not handle POW and won't combine the descriptors correclty. We also left the BACKENDONIONs to empty strings, and instead changed the LOCALPROXY to true, with the PROXYPASSURL set to one of our local backend servers 10.99.99.216. as advised in the README:

+

+Local Proxy: Change LOCALPROXY to true and edit the PROXYPASSURL to the specific IP or hostname of your backend location. It will default to connect on port 80 via http but you can edit line 320 of the site.conf to change that to your specific needs.
+
+
+

Then here, we need to archive the entire endgame folder, and extract it to our endgame2 front before running setup.sh:

+

+root@endgame1:~/endgame# cd ..
+root@endgame1:~# tar -czvf EndgameV3-nihilism.tar.gz endgame >/dev/null
+root@endgame1:~# ls
+endgame  EndgameV3-nihilism.tar.gz  go
+
+
+

Now that the archive is created, let's transfer it to endgame2 and extract it:

+

+[term1]
+root@endgame1:~# ip a | grep inet ; python3 -m http.server 9090
+    inet 127.0.0.1/8 scope host lo
+    inet6 ::1/128 scope host noprefixroute
+    inet 10.99.99.221/24 brd 10.99.99.255 scope global dynamic enp1s0
+    inet6 fe80::5054:ff:fe00:3bfa/64 scope link
+Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
+
+[term2]
+root@endgame2:~/# wget http://10.99.99.221:9090/EndgameV3-nihilism.tar.gz
+--2024-04-14 13:42:20--  http://10.99.99.221:9090/EndgameV3-nihilism.tar.gz
+Connecting to 10.99.99.221:9090... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 75225067 (72M) [application/gzip]
+Saving to: ‘EndgameV3-nihilism.tar.gz’
+
+EndgameV3-nihilism.tar.gz 100%[====================================>]  71.74M  --.-KB/s    in 0.09s
+
+2024-04-14 13:42:20 (784 MB/s) - ‘EndgameV3-nihilism.tar.gz’ saved [75225067/75225067]
+root@endgame2:~# tar -xzvf EndgameV3-nihilism.tar.gz >/dev/null
+root@endgame2:~# ls
+endgame  EndgameV3-nihilism.tar.gz
+root@endgame2:~# ls endgame
+aptpreferences      i2pd.conf     naxsi_core.rules       repokeys   sourcecode   torrc2
+dependencies        jail.local    naxsi_whitelist.rules  resty      startup.sh   torrc3
+endgame.config      limits.conf   nginx.conf             resty.tgz  sysctl.conf  tunnels.conf
+EndGameV3.tar.gz    lua           nginx-update.sh        setup.sh   tor-patch
+getdependencies.sh  mentions.txt  README.md              site.conf  torrc
+
+
+

Now back to our endgame front 1: we run setup.sh:

+

+root@endgame1:~/endgame# ./setup.sh
+Welcome To The End Game DDOS Prevention Setup...
+Proceeding to do the configuration and setup. This will take awhile.
+The system will reboot after finishing setup!
+
+
+

Let it run and take note of the endgame front instance TOR hostname as displayed at the end, which will be our first endgame instance's .onion link:

+

+EndGame Setup Script Finished!
+TOR Hostname:
+xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion
+The address it to your gobalance config.yaml file!
+This system will now reboot in 10 seconds!
+root@endgame1:~/endgame# Connection to 10.99.99.221 closed by remote host.
+Connection to 10.99.99.221 closed.
+
+[ LAN-Home ] [ /dev/pts/6 ] [~]
+→ ssh nihilist@10.99.99.221
+nihilist@10.99.99.221's password:
+Linux endgame1 6.7.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.7.9-2 (2024-03-13) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+You have new mail.
+Last login: Sun Apr 14 14:09:56 2024 from 10.99.99.101
+nihilist@endgame1:~$ su -
+Password:
+root@endgame1:~#
+
+root@endgame1:~/endgame/sourcecode/gobalance# vim config.yaml
+root@endgame1:~/endgame/sourcecode/gobalance# cat config.yaml
+services:
+    - key: ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key
+      instances:
+        - address: xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion
+
+root@endgame1:~/endgame/sourcecode/gobalance# reboot now
+
+
+

Now on the Endgame front 2 VM, edit the endgame.config file to make sure that i redirects to the second backend server:

+

+root@endgame2:~# cat endgame/endgame.config
+#This area
+
+#OPTIONS!
+MASTERONION="ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion"
+TORAUTHPASSWORD="CHANGETHISPASSWORD!!!!"
+BACKENDONION1=""
+BACKENDONION2=""
+
+#set to true if you want to setup local proxy instead of proxy over Tor
+LOCALPROXY=true
+PROXYPASSURL="10.99.99.219"
+
+#Install the latest kernel from debian unstable. Recommended but may cause some issues on old systems.
+LATESTKERNEL=true
+
+#reboot after completion. Highly recommended to get the new kernel active.
+REBOOT=true
+
+#set to true if you want i2pd installed and setup
+I2PSETUP=false
+
+#set to true if you want tor installed and setup
+TORSETUP=true
+
+#enable Tor introduction defense. Keeps the Tor process from stalling but hurts reliability. Only recommended if running on low powered fronts.
+TORINTRODEFENSE=false
+
+#enable Tor POW introduction defense. This should be enabled!
+TORPOWDEFENSE=false
+
+#enable Tor minimum work patch. This builds a new tor binary locally.
+TORMINWORK=false
+
+#Shared Front Captcha Key. Key should be alphanumeric between 64-128. Salt needs to be exactly 8 chars.
+KEY="thoh1me2aemoonuo1eiNgaejahbeep5oe9eiZ3aezee5igae9faiv9sailoo1laath9vu7aeteeCh4ShaeVeidooy3see7Goong6gei3eePh6Ba5Leepee7zawooch3"
+SALT="agieLae8"
+#session length is in seconds. Default is 12 hours.
+SESSION_LENGTH=43200
+
+#Rate Limits!
+#Make sure to set these to reasonable defaults! Having them too low for your site can cause lots of disconnections while having them too high can make endgame ineffective!
+#Set the request rate to the max requests on your largest page! (try to keep it below 10! The lower you go the better endgame's protection is!)
+#Keep the stream limit 1 to 2 higher than your request limit!
+REQUESTRATELIMIT=8
+STREAMRATELIMIT=10
+
+#CSS Branding
+
+HEXCOLOR="9b59b6"
+HEXCOLORDARK="713C86"
+SITENAME="Nihilism"
+SITETAGLINE="Until there is nothing left."
+SITESINCE="2024"
+FAVICON="data:image/x-icon;base64,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"
+SQUARELOGO="data:image/webp;base64,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"
+NETWORKLOGO="data:image/webp;base64,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"
+
+

Once that's done, we run setup.sh on the Endgame front 2 VM, here also let it run and take note of the endgame front instance TOR hostname as displayed at the end:

+

+root@endgame2:~/endgame# ./setup.sh
+Welcome To The End Game DDOS Prevention Setup...
+Proceeding to do the configuration and setup. This will take awhile.
+The system will reboot after finishing setup!
+
+[...]
+
+EndGame Setup Script Finished!
+TOR Hostname:
+e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion
+The address it to your gobalance config.yaml file!
+This system will now reboot in 10 seconds!
+
+
+
+

So here we're going to mention the 2 endgame onion hostnames in the gobalance config file of both endgame fronts 1 and 2:

+

+[term1]
+root@endgame1:~/endgame# vim sourcecode/gobalance/config.yaml
+root@endgame1:~/endgame# cat sourcecode/gobalance/config.yaml
+services:
+    - key: ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key
+      instances:
+        - address: xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion
+        - address: e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion
+
+
+

Then we test if both endgame fronts work starting with front 1 on the URL http://xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion :

+ +

and we test the other one on the URL http://e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion :

+ +

And lastly we enable gobalance to make sure that the masteronion can redirect to either of the 2 after editing the config.yaml file:

+

+root@endgame1:~/endgame/sourcecode/gobalance# cat config.yaml
+services:
+    - key: ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key
+      instances:
+        - address: xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd.onion
+        - address: e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad.onion
+
+root@endgame1:~/endgame/sourcecode/gobalance# ./gobalance --torPassword 'CHANGETHISPASSWORD!!!!' -c config.yaml
+WARN[2024-04-14 19:26:24] Initializing gobalance (version: 1.0.0)...
+INFO[2024-04-14 19:26:24] Loaded the config file '/root/endgame/sourcecode/gobalance/config.yaml'.
+WARN[2024-04-14 19:26:24] Loaded onion ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion from /root/endgame/sourcecode/gobalance/ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.key
+WARN[2024-04-14 19:26:24] Loaded instance xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd
+WARN[2024-04-14 19:26:24] Loaded instance e7nqqkmeripx7hxov4hy32ovg34nxsrooy7ipxaeaw5edkek73dgowad
+WARN[2024-04-14 19:26:24] OnionBalance initialized (tor version: 0.4.8.11-dev (git-caa2ddaa8dc1f4f3))!
+WARN[2024-04-14 19:26:24] ================================================================================
+INFO[2024-04-14 19:26:24] [ADAPTIVE] Waiting for 2 instance descriptors.
+INFO[2024-04-14 19:26:24] [*] FetchInstanceDescriptors() called [*]
+INFO[2024-04-14 19:26:24] Initiating fetch of descriptors for all service instances.
+INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $5FAE28CF4D1C520341EE104BF72516F4308B9485~nuker
+INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $778DCB9DB6CDD5FF2F1A85571308B492D6DFF962~TorHet
+INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $B72663DDF48F7047003DE6E3927936994DA44152~Unnamed
+INFO[2024-04-14 20:02:22] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $7AC2E7E67ADAC32F6F46AF607896637BBB455D64~mysocratesnote
+INFO[2024-04-14 20:02:23] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $484F666C491BCDE22B45E0E19D1CEA5ACC5A9611~WinstonSmith
+INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $3CA0D15567024D2E0B557DC0CF3E962B37999A79~QuintexAirVPN30
+INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $846B3EAAF0C07FF72FC79AEBB11FA3ADC58F240F~dc6jgk5b
+INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $455469D1C610E43498ECF88E83E29C0A694EF73B~whyza1
+INFO[2024-04-14 20:02:24] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $65379EED488599B0A1512E80D4743BC9125CB306~BlueMold
+INFO[2024-04-14 20:02:25] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $C111AC86B3719F0A2FB6254725CB5A7A62C9B451~LauchYT
+INFO[2024-04-14 20:02:25] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $235396838BB8FC7AFA529042B19615DF9E2AF218~soP49mzpYUFEwVdiFN3
+INFO[2024-04-14 20:02:26] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $4ADB08AFCF04657E0A0288AA230EEB74A96B1CEE~Lemminkainen
+INFO[2024-04-14 20:02:27] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $961B9D86125A08FAA9F7E742B228307EF7E2E082~TorNodeCzech
+INFO[2024-04-14 20:02:28] Successfully uploaded descriptor for xkdrgt35dw4rtmqacjdaymocotcvarfqlodtw2dfykqn3rk2eqxmr4yd to $FBDE535D810756541B31C452C6694876C96A7FC1~BSDnodeAMS
+
+
+

And now we test if the masteronion http://ehfs47i5jjzlyolgd24ogkndodz7n4mlbcmhdakyma4lfh2alossuvad.onion/ is reachable:

+ + +

Here we see that we were on the endgame front 1 instance, which redirected us to the backend server 1:

+ +

Then we check if it still works after shutting down the endgame front 1:

+

+root@endgame1:~# shutdown now
+
+
+

As you can see it still works:

+ + +

And as you can see here we're being redirected to the backend server 2 as intended:

+ + +
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
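Review bot: The archive step contradicts the EndGame README quoted earlier in this file. The README says to archive everything except the sourcecode folder, but `tar -czvf EndgameV3-nihilism.tar.gz endgame` packs the whole directory. As a result sourcecode/gobalance, including the master .key generated by `./gobalance g`, lands on endgame2 (the `ls endgame` there lists sourcecode), although the text says the key is generated "not on Endgame front 2!". Either exclude sourcecode from the archive or state why the master key is meant to exist on both fronts. The same archive is served from root's home directory with `python3 -m http.server 9090` on 0.0.0.0 and fetched over plain HTTP. Copying it with scp over the SSH access already used for endgame1 would avoid that, and a checksum comparison on both ends would confirm the transfer. Both endgame.config listings and the `./gobalance --torPassword` command keep TORAUTHPASSWORD at "CHANGETHISPASSWORD!!!!" and print the shared KEY and SALT in full. Replace them with placeholders and add a line telling readers to set their own values. On consistency, the text announces 3 local backend servers but only 10.99.99.216 and 10.99.99.219 are configured, "under the same master subnet" reads as if it should refer to the master onion, and config.yaml is said to be edited on both fronts while only endgame1 is shown. Typos: "engame.config", "correclty", "i redirects", "are now be reachable".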
+ + + + + + + diff --git a/servers/failover-wan/0.png b/servers/failover-wan/0.png new file mode 100644 index 0000000..ae105d9 Binary files /dev/null and b/servers/failover-wan/0.png differ diff --git a/servers/failover-wan/1.png b/servers/failover-wan/1.png new file mode 100644 index 0000000..8928960 Binary files /dev/null and b/servers/failover-wan/1.png differ diff --git a/servers/failover-wan/10.png b/servers/failover-wan/10.png new file mode 100644 index 0000000..53c6d79 Binary files /dev/null and b/servers/failover-wan/10.png differ diff --git a/servers/failover-wan/11.png b/servers/failover-wan/11.png new file mode 100644 index 0000000..da639a4 Binary files /dev/null and b/servers/failover-wan/11.png differ diff --git a/servers/failover-wan/12.png b/servers/failover-wan/12.png new file mode 100644 index 0000000..abd29df Binary files /dev/null and b/servers/failover-wan/12.png differ diff --git a/servers/failover-wan/13.png b/servers/failover-wan/13.png new file mode 100644 index 0000000..7a04ae0 Binary files /dev/null and b/servers/failover-wan/13.png differ diff --git a/servers/failover-wan/14.png b/servers/failover-wan/14.png new file mode 100644 index 0000000..2af4804 Binary files /dev/null and b/servers/failover-wan/14.png differ diff --git a/servers/failover-wan/15.png b/servers/failover-wan/15.png new file mode 100644 index 0000000..ab106d1 Binary files /dev/null and b/servers/failover-wan/15.png differ diff --git a/servers/failover-wan/16.png b/servers/failover-wan/16.png new file mode 100644 index 0000000..6dd6c9c Binary files /dev/null and b/servers/failover-wan/16.png differ diff --git a/servers/failover-wan/17.png b/servers/failover-wan/17.png new file mode 100644 index 0000000..73bc4f5 Binary files /dev/null and b/servers/failover-wan/17.png differ diff --git a/servers/failover-wan/18.png b/servers/failover-wan/18.png new file mode 100644 index 0000000..88fc71d Binary files /dev/null and b/servers/failover-wan/18.png differ 
diff --git a/servers/failover-wan/19.png b/servers/failover-wan/19.png new file mode 100644 index 0000000..5c4ce48 Binary files /dev/null and b/servers/failover-wan/19.png differ diff --git a/servers/failover-wan/2.png b/servers/failover-wan/2.png new file mode 100644 index 0000000..737fff4 Binary files /dev/null and b/servers/failover-wan/2.png differ diff --git a/servers/failover-wan/20.png b/servers/failover-wan/20.png new file mode 100644 index 0000000..5713d9a Binary files /dev/null and b/servers/failover-wan/20.png differ diff --git a/servers/failover-wan/21.png b/servers/failover-wan/21.png new file mode 100644 index 0000000..bc6217d Binary files /dev/null and b/servers/failover-wan/21.png differ diff --git a/servers/failover-wan/22.png b/servers/failover-wan/22.png new file mode 100644 index 0000000..85c2b92 Binary files /dev/null and b/servers/failover-wan/22.png differ diff --git a/servers/failover-wan/3.png b/servers/failover-wan/3.png new file mode 100644 index 0000000..a637d2c Binary files /dev/null and b/servers/failover-wan/3.png differ diff --git a/servers/failover-wan/4.png b/servers/failover-wan/4.png new file mode 100644 index 0000000..14d8b99 Binary files /dev/null and b/servers/failover-wan/4.png differ diff --git a/servers/failover-wan/5.png b/servers/failover-wan/5.png new file mode 100644 index 0000000..479fceb Binary files /dev/null and b/servers/failover-wan/5.png differ diff --git a/servers/failover-wan/6.png b/servers/failover-wan/6.png new file mode 100644 index 0000000..ba6cdc5 Binary files /dev/null and b/servers/failover-wan/6.png differ diff --git a/servers/failover-wan/7.png b/servers/failover-wan/7.png new file mode 100644 index 0000000..eef5a7d Binary files /dev/null and b/servers/failover-wan/7.png differ diff --git a/servers/failover-wan/8.png b/servers/failover-wan/8.png new file mode 100644 index 0000000..5bb5dea Binary files /dev/null and b/servers/failover-wan/8.png differ 
diff --git a/servers/failover-wan/9.png b/servers/failover-wan/9.png new file mode 100644 index 0000000..adc38da Binary files /dev/null and b/servers/failover-wan/9.png differ diff --git a/servers/failover-wan/index.html b/servers/failover-wan/index.html new file mode 100644 index 0000000..9ef9401 --- /dev/null +++ b/servers/failover-wan/index.html @@ -0,0 +1,167 @@ + + + + + + + + + + + Internet Failover Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-07

+

Internet Failover (dual wan pfsense setup)

+Threat Model: +

Your ISP connection comes with a closed-source router. What makes you think that your ISP isn't giving access to it to an adversary so that he may be able to spy on your home network ? How do you protect against that?

+

That same adversary suspects that you are running a hidden service from home. That adversary makes your ISP shut down your internet connection to check if you are actually running it or not. How do you ensure your hidden service keeps running ?

+ +

In this tutorial we're going to setup a pfsense VM inside of virt-manager to make sure that our .onion Hidden service is hidden behind an open-source router, rather than a closed-source one. as detailed below:

+ +

We're going to also make sure that we protect the hidden service from controlled internet downtimes, with a failover internet connection to a mobile hotspot.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

First you're going to need a Libvirtd QEMU hypervisor on your home server, check this tutorial to know how to set it up.

+

So here we create the pfsense VM as shown in this tutorial, and we make sure to adjust it to have the following network configuration:

+

So for the main network interface we setup the network interface as a direct attachment to the host network interface enp8s0 (as a macvtap device in virt-manager):

+ +

As detailed in the previous tutorial, for the LAN network we setup an isolated network and use it like so:

+ +

Then from inside pfsense we can set them both like so:

+ +

Then we setup the second WAN, which is our mobile USB tethering hotspot. First just connect the mobile phone to the homeserver via USB:

+ +

Once plugged in, you can check if the homeserver detects it via the lsusb command, and if it does, just add the USB host device to the VM directly like so:

+ + +

However that's not enough as when you enable USB tethering the USB device ID changes, so we enable USB tethering like so (ex: in Graphene OS you go to: Settings > Network and Internet > Hotspot & Tethering > Toggle USB Tethering ON) before adding it in the pfsense VM:

+ +

Now that the device is added, enable USB tethering from your phone , then let's make sure that it is proprely configured as a second WAN interface in pfsense:

+ +

Here you see the pfsense VM detecting the usb device from console, however to make the setup simpler we'll set it up from the pfsense dashboard, from the VM inside the LAN network:

+ +

So after clicking "add" we have now the OPT3 interface that we can configure:

+ +

We rename it to WAN-Mobile, set it to DHCP (as it is the mobile phone that gives the DHCP lease to that interface), and hit save:

+ + +

Here you can also see that pfsense detects that interface as a gateway in the routing section:

+ +

Now that's done, we need to setup the failover by first having both gateways into the same gateway group:

+ + +

Now here we have a gateway group, we have set our main WAN interface (WANGW, the ethernet connection) to be tier 1 as in first priority, and we have set our secondary WAN interface (WANMOBILE) to be Tier 2 as in second priority. The trigger level to switch between the 2 is going to be Packet Loss. Meaning if the ethernet connection goes down, the internet connection will resume through the mobile USB tethering hotspot:

+

Now we hit save and apply, then we need to edit the LAN firewall rule because otherwise it won't accept any traffic to be routed to the other gateway:

+ + + +

Now with this, the lan subnet will automatically route traffic through either gateway as dictated by pfsense. which is what we want. Now hit save and apply:

+ +

And now we can see it in action when we unplug the ethernet cable like so:

+ +

As you can see here, the traffic first goes through the default WAN interface, and after i unplug the ethernet cable, the same traffic starts to go through the other WAN interface via the mobile connection. Which concludes today's tutorial.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
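Review bot: The USB tethering steps in Initial Setup give conflicting orders. One paragraph says tethering must be enabled before the device is added to the pfsense VM because the USB device ID changes, and the next says "Now that the device is added, enable USB tethering from your phone". Pick one order and state it once, ideally noting that the host device has to be selected again if the phone re-enumerates. The LAN firewall rule step says the rule must be edited "because otherwise it won't accept any traffic to be routed to the other gateway" but never names the setting that changes. That information was carried only by the screenshots, so spell out in the text which field is set to the gateway group. The threat model is about keeping the hidden service reachable during an ISP cut, yet the final check only shows traffic moving to the other WAN interface. Adding a check that the .onion still answers after the cable is unplugged would close that gap. Typo: "proprely".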
+ + + + + + + diff --git a/servers/failovers/0.png b/servers/failovers/0.png new file mode 100644 index 0000000..4c36deb Binary files /dev/null and b/servers/failovers/0.png differ diff --git a/servers/failovers/1.png b/servers/failovers/1.png new file mode 100644 index 0000000..91cea37 Binary files /dev/null and b/servers/failovers/1.png differ diff --git a/servers/failovers/10.png b/servers/failovers/10.png new file mode 100644 index 0000000..bc213ee Binary files /dev/null and b/servers/failovers/10.png differ diff --git a/servers/failovers/11.png b/servers/failovers/11.png new file mode 100644 index 0000000..867645e Binary files /dev/null and b/servers/failovers/11.png differ diff --git a/servers/failovers/2.png b/servers/failovers/2.png new file mode 100644 index 0000000..55ae7b4 Binary files /dev/null and b/servers/failovers/2.png differ diff --git a/servers/failovers/3.png b/servers/failovers/3.png new file mode 100644 index 0000000..8656cdd Binary files /dev/null and b/servers/failovers/3.png differ diff --git a/servers/failovers/4.png b/servers/failovers/4.png new file mode 100644 index 0000000..be1a571 Binary files /dev/null and b/servers/failovers/4.png differ diff --git a/servers/failovers/5.png b/servers/failovers/5.png new file mode 100644 index 0000000..34fad72 Binary files /dev/null and b/servers/failovers/5.png differ diff --git a/servers/failovers/6.png b/servers/failovers/6.png new file mode 100644 index 0000000..34fad72 Binary files /dev/null and b/servers/failovers/6.png differ diff --git a/servers/failovers/7.png b/servers/failovers/7.png new file mode 100644 index 0000000..f67e306 Binary files /dev/null and b/servers/failovers/7.png differ diff --git a/servers/failovers/8.png b/servers/failovers/8.png new file mode 100644 index 0000000..cb3f449 Binary files /dev/null and b/servers/failovers/8.png differ 
diff --git a/servers/failovers/9.png b/servers/failovers/9.png new file mode 100644 index 0000000..2973a21 Binary files /dev/null and b/servers/failovers/9.png differ diff --git a/servers/failovers/index.html b/servers/failovers/index.html new file mode 100644 index 0000000..31a99ac --- /dev/null +++ b/servers/failovers/index.html @@ -0,0 +1,389 @@ + + + + + + + + + + + Electrical Failover Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-06

+

Electrical Failover (basic UPS setup)

+Threat Model: +

What if an adversary tells your electricity provider to temporarily power off your electricity to check if it manages to shut down a particular hidden service ? How do you ensure that your hidden service running at home remains accessible even without the main electrical input ?

+ +

In this tutorial we'll look at the most fundamental part of both Disaster Recovery Planning and Business Continuity for home servers. We'll look at how to deal with power outages.

+ +

For the Electrical Outages, we'll setup a UPS in between our homeserver and the main electrical input, so that in case of a power outage the home server can keep running for a while before finally shutting down. The UPS will then send a message to the Network UPS Tools suite to tell the server to shutdown when the batteries run low.

+ +
+
+
+
+ + +
+
+
+
+

Electrical Outages - UPS setup

+

Before buying a UPS, you need to know how much your home server can draw power (in watts), to make it simple just look at your power supply in your Homeserver. Mine is a RM 750x:

+ +

and as explained in the technical specs, it can draw up to 750 Watts of power:

+ +

So you need a UPS that can generate at least 750 Watts of power, such as the APC Back-UPS 1600VA:

+ +

For my usecase, i picked that one because it can power my homeserver with the 900Watts it can output. Perfect for my server that can draw 750Watts.

+

First make sure your homeserver's plugged onto the UPS which is plugged onto the main electrical source. Then power on the homeserver, and after it booted, connect the serial to usb cable from the UPS to the homeserver, and you'll see it appear like so:

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ lsusb
+
+[...]
+
+Bus 003 Device 003: ID 051d:0002 American Power Conversion Uninterruptible Power Supply
+
+[...]
+	
+
+ +

Then, let's install network ups tools (nut) and make it scan for any ups connected via UPS like ours:

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ apt update -y ; apt install nut nut-client nut-server -y
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ sudo nut-scanner -U
+Scanning USB bus.
+[nutdev1]
+        driver = "usbhid-ups"
+        port = "auto"
+        vendorid = "051D"
+        productid = "0002"
+        product = "Back-UPS BX1600MI FW:378600G -302202G"
+        serial = "DWAADWAWDWA"
+        vendor = "American Power Conversion"
+        bus = "003"
+	
+
+ +

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/upsmon.conf
+RUN_AS_USER root
+MONITOR apc-ups@localhost 1 admin secret master
+
+MINSUPPLIES 1
+SHUTDOWNCMD "/sbin/shutdown -h +0"
+POLLFREQ 5
+POLLFREQALERT 5
+HOSTSYNC 15
+DEADTIME 15
+POWERDOWNFLAG /etc/killpower
+RBWARNTIME 43200
+NOCOMMWARNTIME 300
+FINALDELAY 5
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/upsd.conf
+LISTEN 0.0.0.0 3493
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/nut.conf
+
+MODE=netserver
+
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/upsd.users
+[monuser]
+        password = secret
+        admin master
+	
+
+ +

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ systemctl status nut-server nut-client nut-monitor
+● nut-server.service - Network UPS Tools - power devices information server
+     Loaded: loaded (/lib/systemd/system/nut-server.service; enabled; preset: enabled)
+     Active: active (running) since Sat 2024-04-06 17:23:47 CEST; 5s ago
+   Main PID: 707274 (upsd)
+      Tasks: 1 (limit: 76930)
+     Memory: 620.0K
+        CPU: 2ms
+     CGroup: /system.slice/nut-server.service
+             └─707274 /lib/nut/upsd -F
+
+Apr 06 17:23:47 wonderland systemd[1]: Started nut-server.service - Network UPS Tools - power devices information server.
+Apr 06 17:23:47 wonderland nut-server[707274]: fopen /run/nut/upsd.pid: No such file or directory
+Apr 06 17:23:47 wonderland nut-server[707274]: Could not find PID file '/run/nut/upsd.pid' to see if previous upsd instance is already running!
+Apr 06 17:23:47 wonderland nut-server[707274]: listening on 0.0.0.0 port 3493
+Apr 06 17:23:47 wonderland upsd[707274]: listening on 0.0.0.0 port 3493
+Apr 06 17:23:47 wonderland upsd[707274]: Connected to UPS [apc-ups]: usbhid-ups-apc-ups
+Apr 06 17:23:47 wonderland nut-server[707274]: Connected to UPS [apc-ups]: usbhid-ups-apc-ups
+Apr 06 17:23:47 wonderland nut-server[707274]: Running as foreground process, not saving a PID file
+Apr 06 17:23:47 wonderland upsd[707274]: Running as foreground process, not saving a PID file
+
+● nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller
+     Loaded: loaded (/lib/systemd/system/nut-monitor.service; enabled; preset: enabled)
+     Active: active (running) since Sat 2024-04-06 17:23:47 CEST; 5s ago
+   Main PID: 707276 (upsmon)
+      Tasks: 2 (limit: 76930)
+     Memory: 836.0K
+        CPU: 2ms
+     CGroup: /system.slice/nut-monitor.service
+             ├─707276 /lib/nut/upsmon -F
+             └─707277 /lib/nut/upsmon -F
+
+Apr 06 17:23:47 wonderland systemd[1]: Started nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller.
+Apr 06 17:23:47 wonderland nut-monitor[707276]: fopen /run/nut/upsmon.pid: No such file or directory
+Apr 06 17:23:47 wonderland nut-monitor[707276]: Could not find PID file to see if previous upsmon instance is already running!
+Apr 06 17:23:47 wonderland nut-monitor[707276]: UPS: apc-ups@localhost (primary) (power value 1)
+Apr 06 17:23:47 wonderland nut-monitor[707276]: Using power down flag file /etc/killpower
+Apr 06 17:23:47 wonderland nut-monitor[707277]: Init SSL without certificate database
+Apr 06 17:23:47 wonderland nut-monitor[707277]: Login on UPS [apc-ups@localhost] failed - got [ERR ACCESS-DENIED]
+
+● nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller
+     Loaded: loaded (/lib/systemd/system/nut-monitor.service; enabled; preset: enabled)
+     Active: active (running) since Sat 2024-04-06 17:23:47 CEST; 5s ago
+   Main PID: 707276 (upsmon)
+      Tasks: 2 (limit: 76930)
+     Memory: 836.0K
+        CPU: 2ms
+     CGroup: /system.slice/nut-monitor.service
+             ├─707276 /lib/nut/upsmon -F
+             └─707277 /lib/nut/upsmon -F
+
+Apr 06 17:23:47 wonderland systemd[1]: Started nut-monitor.service - Network UPS Tools - power device monitor and shutdown controller.
+Apr 06 17:23:47 wonderland nut-monitor[707276]: fopen /run/nut/upsmon.pid: No such file or directory
+Apr 06 17:23:47 wonderland nut-monitor[707276]: Could not find PID file to see if previous upsmon instance is already running!
+Apr 06 17:23:47 wonderland nut-monitor[707276]: UPS: apc-ups@localhost (primary) (power value 1)
+Apr 06 17:23:47 wonderland nut-monitor[707276]: Using power down flag file /etc/killpower
+Apr 06 17:23:47 wonderland nut-monitor[707277]: Init SSL without certificate database
+Apr 06 17:23:47 wonderland nut-monitor[707277]: Login on UPS [apc-ups@localhost] failed - got [ERR ACCESS-DENIED]
+
+
+

We can check if the server can get all the

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ upsc apc-ups@localhost
+Init SSL without certificate database
+battery.charge: 100
+battery.charge.low: 10
+battery.mfr.date: 2001/01/01
+battery.runtime: 3167
+battery.runtime.low: 120
+battery.type: PbAc
+battery.voltage: 27.2
+battery.voltage.nominal: 24.0
+device.mfr: American Power Conversion
+device.model: Back-UPS BX1600MI
+device.serial: DDWAWADWADADW
+device.type: ups
+driver.name: usbhid-ups
+driver.parameter.pollfreq: 30
+driver.parameter.pollinterval: 1
+driver.parameter.port: auto
+driver.parameter.productid: 0002
+driver.parameter.serial: DWDADWAWDDWAADWDAW
+driver.parameter.synchronous: auto
+driver.parameter.vendorid: 051D
+driver.version: 2.8.0
+driver.version.data: APC HID 0.98
+driver.version.internal: 0.47
+driver.version.usb: libusb-1.0.26 (API: 0x1000109)
+input.sensitivity: medium
+input.transfer.high: 295
+input.transfer.low: 145
+input.voltage: 234.0
+input.voltage.nominal: 230
+ups.beeper.status: enabled
+ups.delay.shutdown: 20
+ups.firmware: 378600G -302202G
+ups.load: 10
+ups.mfr: American Power Conversion
+ups.mfr.date: 2022/02/08
+ups.model: Back-UPS BX1600MI
+ups.productid: 0002
+ups.realpower.nominal: 900
+ups.serial: DAWDWDAWADWADWDAWAD
+ups.status: OL
+ups.test.result: Done and passed
+ups.timer.reboot: 0
+ups.timer.shutdown: -1
+ups.vendorid: 051d
+
+
+

Now that the UPS is detected, we can install an interface for the nut service:

+

+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ apt install nut-cgi -y
+	
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ vim /etc/nut/hosts.conf
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/hosts.conf
+
+MONITOR apc-ups@localhost "APC UPS - 1600VA"
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ cat /etc/nut/upsset.conf
+I_HAVE_SECURED_MY_CGI_DIRECTORY
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ apt install apache2 -y 
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ a2enmod cgi
+Your MPM seems to be threaded. Selecting cgid instead of cgi.
+Enabling module cgid.
+To activate the new configuration, you need to run:
+  systemctl restart apache2
+
+[ Wonderland ] [ /dev/pts/3 ] [~]
+→ systemctl restart apache2
+
+
+

And now we can browse it from the web on port 80: the url is: http://192.168.0.100/cgi-bin/nut/upsstats.cgi?host=apc-ups@localhost&treemode

+ +

we can see the following graph to know the Battery Charge, Voltage, Input and Load:

+ +

And for more details you can see the data tree:

+ +

Now let's test if it works by unplugging the main electrical source:

+ +

First thing you'll notice is the UPS starting to do a loud beep every 3 seconds, but you can see it in action from the web interface:

+ +

Here as you can see the UPS is working on battery, and slowly the charge is being drained from 100% (now at 97% after 5 minutes) Of course it's being drained slowly due to being on a low load (18% currently), meaning it could last another 20 minutes of electrical outage easily.

+
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
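Review bot: In the /etc/nut/upsmon.conf and /etc/nut/upsd.users listings the credentials do not match, and the `systemctl status` output that follows shows the consequence: `Login on UPS [apc-ups@localhost] failed - got [ERR ACCESS-DENIED]`. The MONITOR line logs in as `admin`, but upsd.users only defines `[monuser]`, and its `admin master` line is not the `upsmon master` directive that gives upsmon its role, so as published the monitor never authenticates and the low-battery shutdown promised in the introduction is not shown working. Suggest making the user names agree, using `upsmon master` in upsd.users, and re-capturing the status output after a successful login. Related points: `LISTEN 0.0.0.0 3493` with `MODE=netserver` and the password `secret` exposes upsd on every interface although the only client shown is localhost, so `LISTEN 127.0.0.1 3493` fits this setup better; upsset.conf sets `I_HAVE_SECURED_MY_CGI_DIRECTORY` but no Apache access restriction is shown before the CGI is served on port 80; and /etc/nut/ups.conf is never shown, so the reader cannot get from the `[nutdev1]` block printed by nut-scanner to the `apc-ups` name used everywhere afterwards. Text fixes: "connected via UPS" should read "via USB", and the sentence "We can check if the server can get all the" is cut off.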
+ + + + + + + diff --git a/servers/finances/0.png b/servers/finances/0.png new file mode 100644 index 0000000..b7ce60e Binary files /dev/null and b/servers/finances/0.png differ diff --git a/servers/finances/1.png b/servers/finances/1.png new file mode 100644 index 0000000..91d5505 Binary files /dev/null and b/servers/finances/1.png differ diff --git a/servers/finances/2.png b/servers/finances/2.png new file mode 100644 index 0000000..c7b6d82 Binary files /dev/null and b/servers/finances/2.png differ diff --git a/servers/finances/3.png b/servers/finances/3.png new file mode 100644 index 0000000..fc13784 Binary files /dev/null and b/servers/finances/3.png differ diff --git a/servers/finances/4.png b/servers/finances/4.png new file mode 100644 index 0000000..2ce9fcb Binary files /dev/null and b/servers/finances/4.png differ diff --git a/servers/finances/index.html b/servers/finances/index.html new file mode 100644 index 0000000..9e53f1e --- /dev/null +++ b/servers/finances/index.html @@ -0,0 +1,183 @@ + + + + + + + + + + + Decentralized Finances + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

user@Whonix - 2024-04-26

+

Why Financial decentralisation ?

+ +
+
+
+
+ + +
+
+
+
+

Centralised Currencies

+

As we have discussed previously, governments love centralisation, because it allows them to keep control over what the masses can do, because they can directly affect the owner of said centralised service to further their agenda.

+ +

Nowadays, governments love to impose financial sanctions towards the other countries they don't like, by preventing everyone from having any business with said country (example: the EU imposing sanctions against russia), one way to achieve that goal is to block transactions at the banking level, since legitimate businesses require to have a bank account. That is of course intentional, as it allows the government to control any business' finances.

+

The banking system has deep roots in any modern country, with very close ties to the governments as it gives them very direct control over their population. As detailed in his book "the right to transact" by Zelinar XY he argues that the right to transact is an extension of one's innate right of expression.

+

For a government to have control over one's expenses, is to have control over one's ability to express himself, it is for a government to have the power to censor any individual they deem to be unfit to be in their society.

+

And in my opinion, to consider that someone else should be able to decide what YOU do with your money, is madness. You alone should decide what should happen with your money and governments definitely don't want that.

+ +
+
+
+
+ +
+
+
+
+

Decentralised Currencies, and Centralised Exchanges



+Bitcoin: Revolutionnary, but Flawed +

Bitcoin has been the first cryptocurrency to see the day. It has been a remarkable innovation at the time. It allows you to create a wallet from home, to be able to recieve money there, and to transact freely, tax free. All you need is to have a computer, with an internet connection. Of course that does not sit well with governments. They want to keep control over your money, to be able to keep control over your right to transact.

+

While Bitcoin has been revolutionary at the time, there are obvious cracks in the armor. While it provides decentralisation of the currency (meaning it is not controlled by a centralised entity, such as the dollar is controlled by the federal reserve), it has a completely transparent blockchain, meaning everyone knows which wallet transacted with whom, and the amount of Bitcoin on each wallet.

+

TLDR: noone can stop your bitcoin transaction, but you can be put in prison for it

+Centralised Exchanges and KYC: Governmental Proxies +

with Bitcoin everyone knows which wallet is the richest, all that's left is to put a name on those wallets, to be able to tax them! Governments are pushing hard to regulate centralised exchanges, to implement just that, they want their part of the cake at all costs.

+

KYC procedures (Know Your Customer procedures) are a direct threat to:

+
    +
  1. Your right to remain anonymous
  2. +
  3. Your right to privacy
  4. +
  5. And by extension, your right to transact
  6. +
  7. And by extension, your right of expression
  8. +
+

Centralised exchanges are the current target of choice for regulators. Most of them force their users to have custodial wallets (meaning the wallets with all the customer funds are on the server, not with the client) and so, their funds can be taken hostage to force their customers to comply and complete with all the KYC procedures when they get implemented. Feels like central banks isn't it ? The problem here is centralisation. Why are you using decentralised cryptocurrencies on Centralised platforms in the first place?

+ +

All public and popular Centralised Exchange are bound to fall to this fate. They will inevitably comply with the governments of their country, Their users will be forced to identify themselves to transact with other users, they will have to identify themselves so that the exchange (and by extension, the government) knows who's got the money, to be able to tax them later on, and of course if they don't comply, they will be forced out of business one way or the other.

+

That's where we are at currently, People have not completely moved away from Centralisation and KYC. But you'll see, as surveillance increases over time and governments try to have as much control as possible over the masses, the need for privacy and anonymity will keep on increasing manyfold.

+

In the meantime, to find KYC-free services (centralised or not), check out kycnot.me, as they put it: "KYC reveals fear."

+ +
+
+
+
+ +
+
+
+
+

The Privacy Cryptocurrency, and Decentralised Exchanges



+Monero: the Privacy Standard for transactions +

Out of that situation emerged privacy coins, with Monero still at the top to this day (also known as the only cryptocurrency that's used) is basically a cryptocurrency just like bitcoin, except that it does everything to obscure every info regarding transactions. Basically, it's a nightmare for financial regulators.

+ +

To make it short, it obscures the amount transacted, the ip addresses, who recieves the transaction and who sends the transaction, To this day not a single monero transaction has been successfully traced. For more details on Monero, check the infodump here.

+

Monero's goals differ from what bitcoin has become. It's not to get rich, the goal is to provide transactional privacy, anonymity, and ultimately to be USED as a currency. That is a fundamental difference to the whole bitcoin-fan ecosystem of pump and dump schemes, monero is not meant to be a speculative asset.

+

More to the point, given the alarming increase of surveillance worldwide, and incoming regulations forced onto everyone, do you seriously think that people will keep trying to use random coins just to get taxed ? No, eventually only the coins that take privacy and anonymity of it's users as their first priority will remain. Mark my words; hop on the orange boat, and watch every other currency lose value.

+

Governments so far have been unable to do anything to stop monero from being transacted. The only thing they can successfully do is to force centralised exchanges to delist it (example: Binance Delists monero), but decentralised currencies don't require centralised exchanges to exist.

+

TLDR: Noone can stop your monero transaction and put you in prison for it afterward, unlike bitcoin or any other coin out there.

+ +


+Decentralised Exchanges: the next step +

As we have discussed before, Centralisation will always lead to regulations imposed by the government. If on the other hand we have a Decentralised alternative to exchange freely, the government has to try and regulate the end user directly, multiplying the efforts!.

+ +

In short, Cut out the troublesome middle man, and transact with the end user directly. You can also use semi-centralised platforms such as https://localmonero.co that are platforms who incite crypto owners to exchange amongst themselves, a good alternative to use until Decentralised Exchanges (DEXs) are popularized. If you want to check out how to acquire monero on localmonero check out this tutorial. (edit: localmonero is no longer in business as of april 2024, moving to haveno DEX is your current only option for direct FIAT -> XMR transactions)

+ +

The next big Decentralized Exchange that's coming soon is Haveno DEX It will combine Monero and Tor to bring complete decentralisation of your finances. When it will be ready for public use, it will only be a matter of time until everyone shifts to a completely decentralised way of transacting. Check out this tutorial i made to find out how to use it for Fiat -> XMR transcations.

+
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
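Review bot: The localmonero paragraph under "Decentralised Exchanges: the next step" contradicts itself and the paragraph after it: it recommends https://localmonero.co as "a good alternative", the trailing edit then says localmonero is no longer in business as of april 2024 and that Haveno is the "current only option", while the next paragraph still describes Haveno as "coming soon" and not yet "ready for public use". Suggest rewriting both paragraphs to the state given in the edit instead of appending a parenthetical. The sentence "To this day not a single monero transaction has been successfully traced" is an absolute that readers will build a threat model on, so it should carry a dated source right beside it. Spelling to fix in the same pass: "Revolutionnary", "recieve" and "recieves", "transcations", and "it's users" for "its users".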
+ + + + + + + diff --git a/servers/governments/1.png b/servers/governments/1.png new file mode 100644 index 0000000..c1c714f Binary files /dev/null and b/servers/governments/1.png differ diff --git a/servers/governments/2.png b/servers/governments/2.png new file mode 100644 index 0000000..8ab12de Binary files /dev/null and b/servers/governments/2.png differ diff --git a/servers/governments/3.png b/servers/governments/3.png new file mode 100644 index 0000000..0b3fe01 Binary files /dev/null and b/servers/governments/3.png differ diff --git a/servers/governments/index.html b/servers/governments/index.html new file mode 100644 index 0000000..c31fe2e --- /dev/null +++ b/servers/governments/index.html @@ -0,0 +1,185 @@ + + + + + + + + + + + Governments, Centralisation, and Law Enforcement + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-07

+

Governments, Centralisation, and Law Enforcement

+

In this tutorial we're going to cover and explain what are governments, and why they are trying to force us into mass surveillance and KYC procedures.

+ +
+
+
+
+ + +
+
+
+
+

Governments and their laws

+

+A government is the system or group of people governing an organized community, generally a state.
+
+
+

Their primary focus is to maintain their control over the country/state, no matter the cost, they will do everything possible to remain in power for as long as possible

+

They are the ones who write the rules, the laws by which everyone in the country must must follow for society to remain in order (whether the subjected people accept it or not), according to them.

+

Governments pass Laws and to make sure that their laws is respected, they need Law enforcement (LE) to be able to apply sanctions on whoever breaks their laws.

+ +

Governments nowadays almost always use bogus reasons to use to pass abusive laws (the typical "it's to fight the boogeymen!" type of reasons) , in order to either make more money, or to enforce surveillance better, or to straight up take away power from businesses and individuals.

+
+
+
+
+ +
+
+
+
+

Businesses and Centralisation



+

One thing that governments genuinely care about is how modern and economically mature their country is. Hence their close relationships with businesses that generate the most wealth in their country.

+ +

These same businesses are often a tool of Centralisation, to extend the government's reach of power, the most common trait there is surveillance, and identifying who did what (ex: with KYC procedures).

+ +

Each business is closely regulated, the bigger the business, the higher up the priority list it is to be audited for regulation compliance checks. The exception being with International Banks (ex: see the HSBC scandal) due to everyone's innate greed to get richer even if it means breaking the law.

+ + +

Businesses are centralised entities just like governments, they ALL can act as proxies to help law enforcement, whether they want to or not.

+ + +
+
+
+
+ + + +
+
+
+
+

Law enforcement



+

+Law enforcement is the activity of some members of government who act in an organized manner to enforce the law by discovering, deterring, rehabilitating, or punishing people who violate the rules and norms governing that society.
+
+
+

For the Law to be enforceable the authorities need to know 2 things:

+
    +
  1. What happened? (lack of privacy)
  2. +
  3. Who did it? (lack of anonymity)
  4. +
+ +

Of course, the law must not be ignored by anyone, and to make sure that everyone is kept in line, they need to show everyone that the law is effectively enforced onto those that behaved badly, very often they brag about catching criminals to let everyone know that they are the good guys protecting everyone from the bad guys.

+

That is the basis of this whole Privacy and Anonymity talk. In short, For the law to be enforceable, they need to know both what happened, and who perpretated the act to be able to apply sanctions on the individual / group of individuals that commited the crime.

+

Modern governments know this very well, and some go to extreme lengths to make sure that every citizen is under surveillance.

+
    +
  1. USA: Edward Snowden's Revelations

    +
  2. +
  3. China: the Surveillance State - See what it can lead to
  4. +
+ +

A very common practice for Law enforcement is also to either bribe or force legitimate businesses to give the data they possess of their users, to know if a crime has been commited or not. See the USA's recent FISA 702, good news is they're not lying about it anymore, the intention is clear and out in the open. The general idea is that this bill is meant for the government to be able to force anyone (individual or business) to conduct spying activities for the governments, with or without their consent, with a gag order.

+

In short, the US government grants itself the right to force you or your business to do anything to further their agenda. This world's biggest democracies are all turning into dictatorships in the name of national security.

+

Anyway you get the idea. Anonymity is more relevant than ever, we're headed for that surveillance dystopia China has currently established.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
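Review bot: Several wording errors in the "Governments and their laws" and "Law enforcement" sections should be fixed before merge: "must must follow" (duplicated word), "their laws is respected", "bogus reasons to use to pass abusive laws", "perpretated", and "commited" (two places). The opening line also calls the page a tutorial although it contains no steps; "article" or "post" would match the content.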
+ + + + + + + diff --git a/servers/govfear/1.png b/servers/govfear/1.png new file mode 100644 index 0000000..4866e80 Binary files /dev/null and b/servers/govfear/1.png differ diff --git a/servers/govfear/2.png b/servers/govfear/2.png new file mode 100644 index 0000000..6eb560d Binary files /dev/null and b/servers/govfear/2.png differ diff --git a/servers/govfear/3.png b/servers/govfear/3.png new file mode 100644 index 0000000..6f0c65e Binary files /dev/null and b/servers/govfear/3.png differ diff --git a/servers/govfear/index.html b/servers/govfear/index.html new file mode 100644 index 0000000..ae29e00 --- /dev/null +++ b/servers/govfear/index.html @@ -0,0 +1,157 @@ + + + + + + + + + + + Governments fear Decentralisation and Anonymity + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-07

+

Governments fear Decentralisation and Anonymity

+

In this tutorial we're going to explain why Decentralisation and Anonymity are essential in reducing the power of the government over it's citizens.

+ +
+
+
+
+ + +
+
+
+
+

Governments and Decentralisation

+

As we have discussed previously, governments love centralisation. It's an easy way for them to extend their power to directly affect users of said centralised businesses. Take for example how the US government uses banks to impose financial sanctions onto whoever they consider as a threat to them.

+ +

They have largely succeeded in keeping their population hooked onto centralisation, for example you want to watch videos you think youtube, you want to browse the web you think google, social - facebook, twitter, and so on. It's become a natural reflex for most people, hence most people flock to these centralised platforms, and as we have explained previously; governments use them as proxies to spy or enforce censorship onto it's citizens.

+ + +

It's convenient for them; you own a large service, which attracts millions of people to use it, and so governments would love to have access to that data you own, to be able to know what's happening. (remember FISA 702)

+ +

If the masses were to completely change their habits and embrace decentralisation, like i am trying to promote on Datura Network for example using peertube to replace youtube, matrix to replace discord, mastodon to replace twitter, etc, it would seriously limit the reach of the power they try to have on the population. They wouldn't be able to censor and try to control the public opinion of the people like they did through twitter for example.

+ + +

The key difference here is that the INDIVIDUALS are the ones controlling the service, and they're making the overall decentralised ecosystem grow larger and larger as they keep federating together.

+ +

So in this case, you are taking out the first pillar that is required for law enforcement ; Surveillance, the government would have to knock on your door, and FORCE you to give them the data of your users.

+

I encourage everyone that's fed up with the arbitrary administration of centralised services to start using their decentralised alternatives, see what the Fediverse has to offer for more details.

+
+
+
+
+ +
+
+
+
+

Governments and Anonymity



+

That's an easy one. as we discussed in my previous blogpost, for the law to be respected, it needs to be feared by the population, to make sure it remains feared, it needs to be enforced by authorities (law enforcement or LE for short). To do so they need to know what happened, and they need to know who did what.

+ +

That's why they go to such extreme lengths to implement surveillance wherever they can. (see China's surveillance state, the USA's FISA 702, and the EU trying to pass anti encryption laws)

+ +

Anonymity is a great thing to look for if you care about privacy. It's the perfect way to know if a service intends to respect your privacy or not.

+ +

The reason being, that if you use a service anonymously, you are taking out the other pillar that is required for the law to be enforceable, making sure that they cannot know it was you who used the service

+

The Anonymity Test

+

If you want to know if a service intends to respect your privacy or not, access it, and use it anonymously. (use the Tor browser to access it, and see if it accepts monero as payments). Check out my tutorial on OPSEC (Operational Security) to understand the full reasoning.

+

You will see that you can already rule out Google, youtube, twitter, instagram, snapchat, Facebook, Baidu, Whatsapp, etc. All of those services sell the data they collect about you to each other, including to governments (see the cambridge analytica scandal)

+ +

Stop using services that treat you as a product to sell, regain your lost dignity and defend it.

+ +
+
+
+
+ + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
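Review bot: In "The Anonymity Test" the check (reach the service with the Tor browser, see whether it accepts monero) shows that a service permits anonymous use, but the section presents it as telling whether the service "intends to respect your privacy"; suggest stating what the test does and does not establish, since a service can accept both and still log everything it sees. Also fix "it's citizens" (two places) to "its citizens" and add the missing full stop after "who used the service".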
+ + + + + + + diff --git a/servers/graphene/1.png b/servers/graphene/1.png new file mode 100644 index 0000000..c26a900 Binary files /dev/null and b/servers/graphene/1.png differ diff --git a/servers/graphene/10.png b/servers/graphene/10.png new file mode 100644 index 0000000..30e90e0 Binary files /dev/null and b/servers/graphene/10.png differ diff --git a/servers/graphene/11.png b/servers/graphene/11.png new file mode 100644 index 0000000..bd9fb40 Binary files /dev/null and b/servers/graphene/11.png differ diff --git a/servers/graphene/12.png b/servers/graphene/12.png new file mode 100644 index 0000000..bd3d729 Binary files /dev/null and b/servers/graphene/12.png differ diff --git a/servers/graphene/13.png b/servers/graphene/13.png new file mode 100644 index 0000000..56d7144 Binary files /dev/null and b/servers/graphene/13.png differ diff --git a/servers/graphene/14.png b/servers/graphene/14.png new file mode 100644 index 0000000..2bfc7e0 Binary files /dev/null and b/servers/graphene/14.png differ diff --git a/servers/graphene/15.png b/servers/graphene/15.png new file mode 100644 index 0000000..72ed1bc Binary files /dev/null and b/servers/graphene/15.png differ diff --git a/servers/graphene/16.png b/servers/graphene/16.png new file mode 100644 index 0000000..4688781 Binary files /dev/null and b/servers/graphene/16.png differ diff --git a/servers/graphene/17.png b/servers/graphene/17.png new file mode 100644 index 0000000..39a494e Binary files /dev/null and b/servers/graphene/17.png differ diff --git a/servers/graphene/18.png b/servers/graphene/18.png new file mode 100644 index 0000000..ca97428 Binary files /dev/null and b/servers/graphene/18.png differ diff --git a/servers/graphene/19.png b/servers/graphene/19.png new file mode 100644 index 0000000..2788123 Binary files /dev/null and b/servers/graphene/19.png differ 
diff --git a/servers/graphene/2.png b/servers/graphene/2.png new file mode 100644 index 0000000..cba0573 Binary files /dev/null and b/servers/graphene/2.png differ diff --git a/servers/graphene/20.png b/servers/graphene/20.png new file mode 100644 index 0000000..8a0e017 Binary files /dev/null and b/servers/graphene/20.png differ diff --git a/servers/graphene/21.png b/servers/graphene/21.png new file mode 100644 index 0000000..b71bde7 Binary files /dev/null and b/servers/graphene/21.png differ diff --git a/servers/graphene/22.png b/servers/graphene/22.png new file mode 100644 index 0000000..f878b07 Binary files /dev/null and b/servers/graphene/22.png differ diff --git a/servers/graphene/23.png b/servers/graphene/23.png new file mode 100644 index 0000000..5f20721 Binary files /dev/null and b/servers/graphene/23.png differ diff --git a/servers/graphene/24.png b/servers/graphene/24.png new file mode 100644 index 0000000..2979b5c Binary files /dev/null and b/servers/graphene/24.png differ diff --git a/servers/graphene/25.png b/servers/graphene/25.png new file mode 100644 index 0000000..51163d9 Binary files /dev/null and b/servers/graphene/25.png differ diff --git a/servers/graphene/26.png b/servers/graphene/26.png new file mode 100644 index 0000000..aa963a0 Binary files /dev/null and b/servers/graphene/26.png differ diff --git a/servers/graphene/27.png b/servers/graphene/27.png new file mode 100644 index 0000000..6609305 Binary files /dev/null and b/servers/graphene/27.png differ diff --git a/servers/graphene/28.png b/servers/graphene/28.png new file mode 100644 index 0000000..71d3987 Binary files /dev/null and b/servers/graphene/28.png differ diff --git a/servers/graphene/29.png b/servers/graphene/29.png new file mode 100644 index 0000000..a9a3d4b Binary files /dev/null and b/servers/graphene/29.png differ diff --git a/servers/graphene/3.png b/servers/graphene/3.png new file mode 100644 index 0000000..5310fe9 Binary files /dev/null and b/servers/graphene/3.png differ 
diff --git a/servers/graphene/30.png b/servers/graphene/30.png new file mode 100644 index 0000000..14d4d71 Binary files /dev/null and b/servers/graphene/30.png differ diff --git a/servers/graphene/31.png b/servers/graphene/31.png new file mode 100644 index 0000000..a96767f Binary files /dev/null and b/servers/graphene/31.png differ diff --git a/servers/graphene/32.png b/servers/graphene/32.png new file mode 100644 index 0000000..00b3608 Binary files /dev/null and b/servers/graphene/32.png differ diff --git a/servers/graphene/33.png b/servers/graphene/33.png new file mode 100644 index 0000000..8b2308c Binary files /dev/null and b/servers/graphene/33.png differ diff --git a/servers/graphene/34.png b/servers/graphene/34.png new file mode 100644 index 0000000..3676fd4 Binary files /dev/null and b/servers/graphene/34.png differ diff --git a/servers/graphene/4.png b/servers/graphene/4.png new file mode 100644 index 0000000..b365f25 Binary files /dev/null and b/servers/graphene/4.png differ diff --git a/servers/graphene/41.png b/servers/graphene/41.png new file mode 100644 index 0000000..3082aa7 Binary files /dev/null and b/servers/graphene/41.png differ diff --git a/servers/graphene/42.png b/servers/graphene/42.png new file mode 100644 index 0000000..e9cfa30 Binary files /dev/null and b/servers/graphene/42.png differ diff --git a/servers/graphene/5.png b/servers/graphene/5.png new file mode 100644 index 0000000..c5f1900 Binary files /dev/null and b/servers/graphene/5.png differ diff --git a/servers/graphene/6.png b/servers/graphene/6.png new file mode 100644 index 0000000..0aabae2 Binary files /dev/null and b/servers/graphene/6.png differ diff --git a/servers/graphene/7.png b/servers/graphene/7.png new file mode 100644 index 0000000..2d4d238 Binary files /dev/null and b/servers/graphene/7.png differ diff --git a/servers/graphene/8.png b/servers/graphene/8.png new file mode 100644 index 0000000..71320fa Binary files /dev/null and b/servers/graphene/8.png differ 
diff --git a/servers/graphene/9.png b/servers/graphene/9.png new file mode 100644 index 0000000..7b70fed Binary files /dev/null and b/servers/graphene/9.png differ diff --git a/servers/graphene/index.html b/servers/graphene/index.html new file mode 100644 index 0000000..ec8dcb9 --- /dev/null +++ b/servers/graphene/index.html @@ -0,0 +1,334 @@ + + + + + + + + + + + How to install GrapheneOS on a Pixel Phone + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-07-10

+

How to install GrapheneOS on a Pixel Phone

+ +

In this tutorial we're going to setup graphene OS, an open source android operating system for google pixel phones. (Yes google phones, if you don't like it then you'll have to wait for functionnal open hardware alternatives to arrive on the market.) Currently GrapheneOS is one of the most privacy-focused mobile operating systems given that it's fully open source. and that they refuse to implement google services by default, unlike their competitors like LineageOS.

+ +

DISCLAIMER: yes the quality of the photos taken are garbage :)

+
+
+
+
+ + +
+
+
+
+

Requirements

+

First step is go acquire a Google pixel phone, and a model that supports grapheneOS. In my case, i purchased a Pixel 6 model. Then on the host OS on your computer, install the required packages:

+

+
+[ nowhere ] [ /dev/pts/11 ] [~]
+→ sudo pacman -Syy android-tools
+[sudo] password for nihilist:
+resolving dependencies...
+looking for conflicting packages...
+
+Packages (4) android-udev-20240221-1  libmtp-1.1.21-1  protobuf-25.3-4
+             android-tools-35.0.1-1
+
+Total Download Size:    4.84 MiB
+Total Installed Size:  22.07 MiB
+
+:: Proceed with installation? [Y/n] y
+
+
+

Here on the phone, we need to enable developer settings, to be able to enable the "OEM Unlocking" option:

+ + + + + +

Then reboot the phone by holding the power and volume down to enter fastboot mode:

+ +

Then, connect the device via usb to your computer:

+

+[ nowhere ] [ /dev/pts/11 ] [~]
+→ lsusb | grep Google
+Bus 001 Device 098: ID 18d1:4ee0 Google Inc. Nexus/Pixel Device (fastboot)
+
+[ nowhere ] [ /dev/pts/11 ] [~]
+→ fastboot --version
+fastboot version 35.0.1-android-tools
+Installed as /usr/bin/fastboot
+
+[ nowhere ] [ /dev/pts/11 ] [~]
+→ fastboot devices
+no permissions; see [http://developer.android.com/tools/device.html]     fastboot
+
+[ nowhere ] [ /dev/pts/11 ] [~]
+→ sudo -i
+nowhere# fastboot devices
+1C21FGJH6993LC   fastboot
+
+nowhere# fastboot flashing unlock
+OKAY [  0.043s]
+Finished. Total time: 0.043s
+
+
+ + + + +

Next, as i have a google pixel 6 model, i need to download the correct graphene os image

+ +

+nowhere# mv /home/nihilist/Downloads/oriole-factory-2024070201.zip .
+nowhere# unzip oriole-factory-2024070201.zip
+Archive:  oriole-factory-2024070201.zip
+   creating: oriole-factory-2024070201/
+ extracting: oriole-factory-2024070201/image-oriole-2024070201.zip
+  inflating: oriole-factory-2024070201/bootloader-oriole-slider-14.5-11677881.img
+  inflating: oriole-factory-2024070201/radio-oriole-g5123b-135085-240517-b-11857288.img
+ extracting: oriole-factory-2024070201/avb_pkmd.bin
+  inflating: oriole-factory-2024070201/flash-all.sh
+  inflating: oriole-factory-2024070201/flash-all.bat
+
+nowhere# cd oriole-factory-2024070201
+
+nowhere# ls
+avb_pkmd.bin                                flash-all.sh
+bootloader-oriole-slider-14.5-11677881.img  image-oriole-2024070201.zip
+flash-all.bat                               radio-oriole-g5123b-135085-240517-b-11857288.img
+
+nowhere# chmod +x ./flash-all.sh
+nowhere# ./flash-all.sh
+
+
+

Then let the bashscript run, it can take a few minutes:

+

+nowhere# ./flash-all.sh
+Warning: skip copying bootloader_a image avb footer (bootloader_a partition size: 0, bootloader_a image size: 14125140).
+Sending 'bootloader_a' (13794 KB)                  OKAY [  0.364s]
+Writing 'bootloader_a'                             (bootloader) Flashing pack version slider-14.5-11677881
+(bootloader) flashing platform gs101
+(bootloader) Validating partition ufs
+(bootloader) Validating partition partition:0
+(bootloader) Validating partition partition:1
+(bootloader) Validating partition partition:2
+(bootloader) Validating partition partition:3
+(bootloader) Validating partition bl1_a
+(bootloader) Validating partition pbl_a
+(bootloader) Validating partition bl2_a
+(bootloader) Validating partition abl_a
+(bootloader) Validating partition bl31_a
+(bootloader) Validating partition tzsw_a
+(bootloader) Validating partition gsa_a
+(bootloader) Validating partition ldfw_a
+(bootloader) Flashing partition ufs
+(bootloader) Flashing partition partition:0
+(bootloader) Flashing partition partition:1
+(bootloader) Flashing partition partition:2
+(bootloader) Flashing partition partition:3
+(bootloader) Flashing partition bl1_a
+(bootloader) Flashing partition pbl_a
+(bootloader) Flashing partition bl2_a
+(bootloader) Flashing partition abl_a
+(bootloader) Flashing partition bl31_a
+(bootloader) Flashing partition tzsw_a
+(bootloader) Flashing partition gsa_a
+(bootloader) Flashing partition ldfw_a
+(bootloader) Loading sideload ufsfwupdate
+OKAY [  3.089s]
+Finished. Total time: 3.454s
+Setting current slot to 'a'                        OKAY [  0.058s]
+Finished. Total time: 0.059s
+Rebooting into bootloader                          OKAY [  0.000s]
+
+[...]
+
+Sending sparse 'super' 11/13 (254972 KB)           OKAY [  6.618s]
+Writing 'super'                                    OKAY [  0.950s]
+Sending sparse 'super' 12/13 (254972 KB)           OKAY [  6.621s]
+Writing 'super'                                    OKAY [  0.935s]
+Sending sparse 'super' 13/13 (46284 KB)            OKAY [  1.216s]
+Writing 'super'                                    OKAY [  0.204s]
+Erasing 'userdata'                                 OKAY [  0.390s]
+Erase successful, but not automatically formatting.
+File system type raw not supported.
+wipe task partition not found: cache
+Erasing 'metadata'                                 OKAY [  0.007s]
+Erase successful, but not automatically formatting.
+File system type raw not supported.
+Finished. Total time: 105.929s
+Rebooting into bootloader                          OKAY [  0.000s]
+Finished. Total time: 0.150s
+nowhere#
+
+
+
+ + + +

then lock the bootloader:

+

+nowhere# fastboot devices
+1C21FGJH6993LC   fastboot
+
+nowhere# fastboot flashing lock
+OKAY [  0.276s]
+Finished. Total time: 0.276s
+	
+
+ + + + + + + +

And that's it! we managed to flash grapheneOS on the pixel phone.

+
+
+
+
+ +
+
+
+
+

Setting up multiple Profiles (for Public, and for Private use)



+

As we have seen previously, it's always a good opsec practice to separate public use from private use. This can also apply on your phone, In this case we'll create a profile specifically for public usage, while we keep the main one for private usage.

+ + + +

Now in there, we can keep the closed-source applications in the public usage profile, while we keep the FOSS applications in the default private usage profile.

+ + +
+
+
+
+ + + +
+
+
+
+

Setting up package manageers



+

Now that's done, we use the private usage profile to install f-droid, in order to install FOSS applications

+ + + + + + +

And here we can go into our public usage profile to setup the Aurora store to install closed-source applications like so:

+ + + + + + + + + +

And from there, we can install all non-FOSS applications in the public usage profile.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
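Review bot: the flashing step in servers/graphene/index.html moves oriole-factory-2024070201.zip out of Downloads, unzips it and runs ./flash-all.sh from a root shell without ever checking the archive's signature. GrapheneOS publishes a signature for each factory image, so add the verification between the "mv" and the "unzip" and show its output; as written, readers learn to flash whatever their browser saved. Three smaller points in the same hunk: both "fastboot devices" outputs publish the device serial (1C21FGJH6993LC), which should be redacted on a site about anonymity; after "fastboot flashing lock" the text goes straight to "And that's it!" and never says to turn OEM unlocking back off in developer settings; and the heading "Setting up package manageers" has a typo.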
+ + + + + + + diff --git a/servers/haveno-arbitrator/0.png b/servers/haveno-arbitrator/0.png new file mode 100644 index 0000000..c031b77 Binary files /dev/null and b/servers/haveno-arbitrator/0.png differ diff --git a/servers/haveno-arbitrator/1.png b/servers/haveno-arbitrator/1.png new file mode 100644 index 0000000..ccdcd1d Binary files /dev/null and b/servers/haveno-arbitrator/1.png differ diff --git a/servers/haveno-arbitrator/10.png b/servers/haveno-arbitrator/10.png new file mode 100644 index 0000000..2753a34 Binary files /dev/null and b/servers/haveno-arbitrator/10.png differ diff --git a/servers/haveno-arbitrator/11.png b/servers/haveno-arbitrator/11.png new file mode 100644 index 0000000..fc3e280 Binary files /dev/null and b/servers/haveno-arbitrator/11.png differ diff --git a/servers/haveno-arbitrator/12.png b/servers/haveno-arbitrator/12.png new file mode 100644 index 0000000..956ad47 Binary files /dev/null and b/servers/haveno-arbitrator/12.png differ diff --git a/servers/haveno-arbitrator/13.png b/servers/haveno-arbitrator/13.png new file mode 100644 index 0000000..45dd1ce Binary files /dev/null and b/servers/haveno-arbitrator/13.png differ diff --git a/servers/haveno-arbitrator/14.png b/servers/haveno-arbitrator/14.png new file mode 100644 index 0000000..31e0534 Binary files /dev/null and b/servers/haveno-arbitrator/14.png differ diff --git a/servers/haveno-arbitrator/15.png b/servers/haveno-arbitrator/15.png new file mode 100644 index 0000000..3d432de Binary files /dev/null and b/servers/haveno-arbitrator/15.png differ diff --git a/servers/haveno-arbitrator/16.png b/servers/haveno-arbitrator/16.png new file mode 100644 index 0000000..e8b4596 Binary files /dev/null and b/servers/haveno-arbitrator/16.png differ diff --git a/servers/haveno-arbitrator/17.png b/servers/haveno-arbitrator/17.png new file mode 100644 index 0000000..01df0e8 Binary files /dev/null and b/servers/haveno-arbitrator/17.png differ 
diff --git a/servers/haveno-arbitrator/18.png b/servers/haveno-arbitrator/18.png new file mode 100644 index 0000000..93fa30e Binary files /dev/null and b/servers/haveno-arbitrator/18.png differ diff --git a/servers/haveno-arbitrator/19.png b/servers/haveno-arbitrator/19.png new file mode 100644 index 0000000..66ba0d4 Binary files /dev/null and b/servers/haveno-arbitrator/19.png differ diff --git a/servers/haveno-arbitrator/2.png b/servers/haveno-arbitrator/2.png new file mode 100644 index 0000000..c66c361 Binary files /dev/null and b/servers/haveno-arbitrator/2.png differ diff --git a/servers/haveno-arbitrator/20.png b/servers/haveno-arbitrator/20.png new file mode 100644 index 0000000..70b5006 Binary files /dev/null and b/servers/haveno-arbitrator/20.png differ diff --git a/servers/haveno-arbitrator/21.png b/servers/haveno-arbitrator/21.png new file mode 100644 index 0000000..d30b2c7 Binary files /dev/null and b/servers/haveno-arbitrator/21.png differ diff --git a/servers/haveno-arbitrator/22.png b/servers/haveno-arbitrator/22.png new file mode 100644 index 0000000..2fb5936 Binary files /dev/null and b/servers/haveno-arbitrator/22.png differ diff --git a/servers/haveno-arbitrator/23.png b/servers/haveno-arbitrator/23.png new file mode 100644 index 0000000..b7010f2 Binary files /dev/null and b/servers/haveno-arbitrator/23.png differ diff --git a/servers/haveno-arbitrator/24.png b/servers/haveno-arbitrator/24.png new file mode 100644 index 0000000..d7502f3 Binary files /dev/null and b/servers/haveno-arbitrator/24.png differ diff --git a/servers/haveno-arbitrator/25.png b/servers/haveno-arbitrator/25.png new file mode 100644 index 0000000..3d19a9f Binary files /dev/null and b/servers/haveno-arbitrator/25.png differ diff --git a/servers/haveno-arbitrator/26.png b/servers/haveno-arbitrator/26.png new file mode 100644 index 0000000..1a12103 Binary files /dev/null and b/servers/haveno-arbitrator/26.png differ 
diff --git a/servers/haveno-arbitrator/27.png b/servers/haveno-arbitrator/27.png new file mode 100644 index 0000000..a23350f Binary files /dev/null and b/servers/haveno-arbitrator/27.png differ diff --git a/servers/haveno-arbitrator/28.png b/servers/haveno-arbitrator/28.png new file mode 100644 index 0000000..4f74ed5 Binary files /dev/null and b/servers/haveno-arbitrator/28.png differ diff --git a/servers/haveno-arbitrator/29.png b/servers/haveno-arbitrator/29.png new file mode 100644 index 0000000..97f4c52 Binary files /dev/null and b/servers/haveno-arbitrator/29.png differ diff --git a/servers/haveno-arbitrator/3.png b/servers/haveno-arbitrator/3.png new file mode 100644 index 0000000..5928a2d Binary files /dev/null and b/servers/haveno-arbitrator/3.png differ diff --git a/servers/haveno-arbitrator/30.png b/servers/haveno-arbitrator/30.png new file mode 100644 index 0000000..8c58f25 Binary files /dev/null and b/servers/haveno-arbitrator/30.png differ diff --git a/servers/haveno-arbitrator/31.png b/servers/haveno-arbitrator/31.png new file mode 100644 index 0000000..44846a2 Binary files /dev/null and b/servers/haveno-arbitrator/31.png differ diff --git a/servers/haveno-arbitrator/32.png b/servers/haveno-arbitrator/32.png new file mode 100644 index 0000000..b9ee2a1 Binary files /dev/null and b/servers/haveno-arbitrator/32.png differ diff --git a/servers/haveno-arbitrator/33.png b/servers/haveno-arbitrator/33.png new file mode 100644 index 0000000..5d50d70 Binary files /dev/null and b/servers/haveno-arbitrator/33.png differ diff --git a/servers/haveno-arbitrator/34.png b/servers/haveno-arbitrator/34.png new file mode 100644 index 0000000..ecd8ac7 Binary files /dev/null and b/servers/haveno-arbitrator/34.png differ diff --git a/servers/haveno-arbitrator/35.png b/servers/haveno-arbitrator/35.png new file mode 100644 index 0000000..882b12b Binary files /dev/null and b/servers/haveno-arbitrator/35.png differ 
diff --git a/servers/haveno-arbitrator/36.png b/servers/haveno-arbitrator/36.png new file mode 100644 index 0000000..49d8482 Binary files /dev/null and b/servers/haveno-arbitrator/36.png differ diff --git a/servers/haveno-arbitrator/37.png b/servers/haveno-arbitrator/37.png new file mode 100644 index 0000000..abed165 Binary files /dev/null and b/servers/haveno-arbitrator/37.png differ diff --git a/servers/haveno-arbitrator/38.png b/servers/haveno-arbitrator/38.png new file mode 100644 index 0000000..4633aa2 Binary files /dev/null and b/servers/haveno-arbitrator/38.png differ diff --git a/servers/haveno-arbitrator/4.png b/servers/haveno-arbitrator/4.png new file mode 100644 index 0000000..a70383e Binary files /dev/null and b/servers/haveno-arbitrator/4.png differ diff --git a/servers/haveno-arbitrator/40.png b/servers/haveno-arbitrator/40.png new file mode 100644 index 0000000..9be64b6 Binary files /dev/null and b/servers/haveno-arbitrator/40.png differ diff --git a/servers/haveno-arbitrator/41.png b/servers/haveno-arbitrator/41.png new file mode 100644 index 0000000..d7d50cb Binary files /dev/null and b/servers/haveno-arbitrator/41.png differ diff --git a/servers/haveno-arbitrator/5.png b/servers/haveno-arbitrator/5.png new file mode 100644 index 0000000..04affee Binary files /dev/null and b/servers/haveno-arbitrator/5.png differ diff --git a/servers/haveno-arbitrator/6.png b/servers/haveno-arbitrator/6.png new file mode 100644 index 0000000..7f83338 Binary files /dev/null and b/servers/haveno-arbitrator/6.png differ diff --git a/servers/haveno-arbitrator/7.png b/servers/haveno-arbitrator/7.png new file mode 100644 index 0000000..853f609 Binary files /dev/null and b/servers/haveno-arbitrator/7.png differ diff --git a/servers/haveno-arbitrator/8.png b/servers/haveno-arbitrator/8.png new file mode 100644 index 0000000..dddf063 Binary files /dev/null and b/servers/haveno-arbitrator/8.png differ 
diff --git a/servers/haveno-arbitrator/9.png b/servers/haveno-arbitrator/9.png new file mode 100644 index 0000000..1128857 Binary files /dev/null and b/servers/haveno-arbitrator/9.png differ diff --git a/servers/haveno-arbitrator/alice.png b/servers/haveno-arbitrator/alice.png new file mode 100644 index 0000000..b506371 Binary files /dev/null and b/servers/haveno-arbitrator/alice.png differ diff --git a/servers/haveno-arbitrator/bob.png b/servers/haveno-arbitrator/bob.png new file mode 100644 index 0000000..7602a70 Binary files /dev/null and b/servers/haveno-arbitrator/bob.png differ diff --git a/servers/haveno-arbitrator/index.html b/servers/haveno-arbitrator/index.html new file mode 100644 index 0000000..90ae68f --- /dev/null +++ b/servers/haveno-arbitrator/index.html @@ -0,0 +1,235 @@ + + + + + + + + + + + Haveno Decentralised Exchange Dispute (Fiat -> XMR amazon giftcode transaction) + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-05-19

+

Haveno Decentralised Exchange Dispute resolution (Fiat -> XMR)

+ +

In this tutorial we're going to cover how the Haveno DEX handles trade disputes, which can happen as, after all it's decentralised, and anonymous by default.

+

Check out this tutorial if you want to know how to install Haveno DEX on your device.

+ +
+
+
+
+ + +
+
+
+
+

What protects the Buyer or the Seller ?

+

Back on localmonero, what was at stake was the reputation of the Buyer or the Seller, because if any of their trades go wrong, their reputation would not be a clean 100% successful trades anymore. Problem is, on the Haveno DEX, where there is no centralisation to keep everyone's reputation in check, it could be very easy to give yourself a ton of positive reputation points, by spinning up 2 haveno dex instances, to simulate trades with yourself.

+

So there was this need to have something else at stake to prevent people from scamming each other. That is the Security deposit system that we described in the previous tutorial.

+ +

In short, both Bob and Alice need to put some XMR into the trade initially, so that if they try to scam each other, they will loose something in the process.

+

In this example, The trade will go wrong as Bob will try to scam Alice with an invalid Amazon giftcard code.

+
+
+
+
+ +
+
+
+
+

What happens when there's a scammer?



+ +

Here, in this case we're Alice, and we want to sell our XMR for an amazon giftcard (which is typically just a code you need to redeem). So here Alice creates her amazon egift card haveno account to be able to trade just that, she needs to mention her email and the country (because a german amazon giftcard code doesnt work on the french amazon website!)

+ + + +

Read carefully what exchanging an Amazon egift card to XMR implies then click "I understand"

+ +

Then create a selling offer like so:

+ +

Mention the amount of XMR you want to sell, and the % above the market price you want to sell it for, currently 0.2018 XMR at market price will give you 25 euros. Then you need to fund your offer with the additional 0.101009 XMR security deposit. Meaning you need to put in 0.302809 XMR total

+ +

Once funded, wait for the funds to appear as available balance on your haveno client (can take 20 minutes)

+ + +

Then click Place offer to sell monero:

+ +

and then click confirm offer to sell monero.

+ + +

Here you can see that your offer is enabled from the portfolio tab, and people can see it appear on the Buy tab:

+ + +

Now let's switch sides. We're now Bob the scammer, we want to scam Alice. We see her offer on the buy tab, and we take the offer:

+ +

Then, just like Alice did, we also fund the offer with the monero security deposit:

+ + +

Wait for it to show up as available in your haveno balance:

+ + +

Then click confirm to take the offer to buy Monero:

+ + +

Back to Alice's perspective, the trade will intiate and can be viewed when going to the portfolio tab:

+ +

When opening the trade window, Alice sees that Bob not only does not respect the trade protocol of sending the gift card by mail by just sending the code over chat, but the code is also invalid!

+ + + +

Alice sees that she cannot redeem the code as it is invalid. In short, she didn't get paid!

+ +

Back to Bob's perspesctive as we are one kind of an asshole, we don't care that Alice didn't get paid and declare that we sent payment anyway.

+ + + + +

Back to Alice's perspective, Now the ball is in her park, what does she do ?

+ + +

Since she never recieved payment, she does not confirm that she recieved it, and waits until the trade expires

+ + +

In this case, the trade should not take more than 24 hours, so she waits until the next day, and when it expires, she'll be able to open up a dispute.

+ +
+
+
+
+ + + +
+
+
+
+

Arbitrator Resolution



+

Now that the trade time expired (24hrs), Alice can now open up a dispute, for the Arbitrator to step in:

+ +

Here, Alice clicks on "open support ticket", and she goes to the support tab to view her support ticket:

+ + + + +

Then the Arbitrator reviews the exchange from Alice's point of view:

+ +

Here the arbitrator sees that the trade protocol has not been respected, both parties need to make sure they follow the trade protocol for said payment option correctly for the trade to be considered as valid from the arbitrator's point of view.

+ +

Then the Arbitrator sees the exchange from Bob's point of view too:

+ +

Obviously, Bob explains that he got his very legit amazon giftcard code from his hat, and he naively thinks that the arbitrator will rule in his favor.

+ + +

And finally, back to Alice's POV: the Arbitrator decides that it is Alice who's in the Right, and therefore Bob does not get his Monero security deposit back, hence he's loosing 0.101009 XMR in the process.

+ + +

So here, Bob just lost some XMR, and Alice is getting her 0.2018 XMR back, she gets her security deposit back (0.101009 XMR) but also she gets Bob's security deposit (0.101009 XMR), so in total she gets 0.40011456 XMR back (0.101009 XMR more than when she started using Haveno). In the end, it is Bob that ended up giving her some monero against his will.

+ +

Now keep in mind that not all payment options are safe, some can come with easy chargebacks (ex: paypal), and some are just next to impossible for an arbitrator to decide who's in the right or wrong (face-to-face trades for instance). Be very careful to know the risks associated with each payment option, along with what precautions need to be taken.

+ +

Check out my other tutorials on Decentralised Finances below:

+
    +
  1. ✅ How to acquire and use Monero
  2. +
  3. ✅ Haveno Decentralised Exchange direct Fiat -> XMR transaction ⭐
  4. +
  5. ✅ Haveno DEX Dispute resolution (Fiat -> XMR)
  6. +
  7. ✅ Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction
  8. +
  9. ✅ Haveno DEX Cash By Mail -> XMR transaction ⭐

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
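Review bot: the payout figures in the last paragraphs of "Arbitrator Resolution" in servers/haveno-arbitrator/index.html do not add up. The three amounts listed for Alice (0.2018 + 0.101009 + 0.101009 XMR) sum to 0.403818 XMR, but the text says she gets 0.40011456 XMR back, and it then calls that "0.101009 XMR more than when she started" although she funded 0.302809 XMR, which makes the gain 0.09730556 XMR. If the gap is fees, say so and state them; otherwise correct the total and the gain. Typos to fix before merge: "loose" and "loosing" for lose and losing, "intiate", "perspesctive", "recieved", and "the ball is in her park".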
+ + + + + + + diff --git a/servers/haveno-cashbymail/0.1.png b/servers/haveno-cashbymail/0.1.png new file mode 100644 index 0000000..071e53c Binary files /dev/null and b/servers/haveno-cashbymail/0.1.png differ diff --git a/servers/haveno-cashbymail/0.png b/servers/haveno-cashbymail/0.png new file mode 100644 index 0000000..c031b77 Binary files /dev/null and b/servers/haveno-cashbymail/0.png differ diff --git a/servers/haveno-cashbymail/1.png b/servers/haveno-cashbymail/1.png new file mode 100644 index 0000000..939dfd9 Binary files /dev/null and b/servers/haveno-cashbymail/1.png differ diff --git a/servers/haveno-cashbymail/10.png b/servers/haveno-cashbymail/10.png new file mode 100644 index 0000000..2eea285 Binary files /dev/null and b/servers/haveno-cashbymail/10.png differ diff --git a/servers/haveno-cashbymail/11.png b/servers/haveno-cashbymail/11.png new file mode 100644 index 0000000..4d64d2c Binary files /dev/null and b/servers/haveno-cashbymail/11.png differ diff --git a/servers/haveno-cashbymail/12.png b/servers/haveno-cashbymail/12.png new file mode 100644 index 0000000..5fb31fb Binary files /dev/null and b/servers/haveno-cashbymail/12.png differ diff --git a/servers/haveno-cashbymail/13.png b/servers/haveno-cashbymail/13.png new file mode 100644 index 0000000..2822466 Binary files /dev/null and b/servers/haveno-cashbymail/13.png differ diff --git a/servers/haveno-cashbymail/14.png b/servers/haveno-cashbymail/14.png new file mode 100644 index 0000000..b50115c Binary files /dev/null and b/servers/haveno-cashbymail/14.png differ diff --git a/servers/haveno-cashbymail/15.png b/servers/haveno-cashbymail/15.png new file mode 100644 index 0000000..b0aaf9d Binary files /dev/null and b/servers/haveno-cashbymail/15.png differ diff --git a/servers/haveno-cashbymail/16.png b/servers/haveno-cashbymail/16.png new file mode 100644 index 0000000..8b2bc7d Binary files /dev/null and b/servers/haveno-cashbymail/16.png differ 
diff --git a/servers/haveno-cashbymail/17.png b/servers/haveno-cashbymail/17.png new file mode 100644 index 0000000..74c6f5e Binary files /dev/null and b/servers/haveno-cashbymail/17.png differ diff --git a/servers/haveno-cashbymail/18.png b/servers/haveno-cashbymail/18.png new file mode 100644 index 0000000..cf60cf8 Binary files /dev/null and b/servers/haveno-cashbymail/18.png differ diff --git a/servers/haveno-cashbymail/19.png b/servers/haveno-cashbymail/19.png new file mode 100644 index 0000000..70fbe70 Binary files /dev/null and b/servers/haveno-cashbymail/19.png differ diff --git a/servers/haveno-cashbymail/2.png b/servers/haveno-cashbymail/2.png new file mode 100644 index 0000000..ab58717 Binary files /dev/null and b/servers/haveno-cashbymail/2.png differ diff --git a/servers/haveno-cashbymail/20.png b/servers/haveno-cashbymail/20.png new file mode 100644 index 0000000..f602d3a Binary files /dev/null and b/servers/haveno-cashbymail/20.png differ diff --git a/servers/haveno-cashbymail/21.png b/servers/haveno-cashbymail/21.png new file mode 100644 index 0000000..f0f5950 Binary files /dev/null and b/servers/haveno-cashbymail/21.png differ diff --git a/servers/haveno-cashbymail/22.png b/servers/haveno-cashbymail/22.png new file mode 100644 index 0000000..e698a8c Binary files /dev/null and b/servers/haveno-cashbymail/22.png differ diff --git a/servers/haveno-cashbymail/23.png b/servers/haveno-cashbymail/23.png new file mode 100644 index 0000000..9ca8731 Binary files /dev/null and b/servers/haveno-cashbymail/23.png differ diff --git a/servers/haveno-cashbymail/24.png b/servers/haveno-cashbymail/24.png new file mode 100644 index 0000000..1da465c Binary files /dev/null and b/servers/haveno-cashbymail/24.png differ diff --git a/servers/haveno-cashbymail/25.png b/servers/haveno-cashbymail/25.png new file mode 100644 index 0000000..3d652e1 Binary files /dev/null and b/servers/haveno-cashbymail/25.png differ 
diff --git a/servers/haveno-cashbymail/26.png b/servers/haveno-cashbymail/26.png new file mode 100644 index 0000000..71fde0c Binary files /dev/null and b/servers/haveno-cashbymail/26.png differ diff --git a/servers/haveno-cashbymail/3.png b/servers/haveno-cashbymail/3.png new file mode 100644 index 0000000..b3b7e26 Binary files /dev/null and b/servers/haveno-cashbymail/3.png differ diff --git a/servers/haveno-cashbymail/4.png b/servers/haveno-cashbymail/4.png new file mode 100644 index 0000000..81e6baf Binary files /dev/null and b/servers/haveno-cashbymail/4.png differ diff --git a/servers/haveno-cashbymail/5.png b/servers/haveno-cashbymail/5.png new file mode 100644 index 0000000..04baeec Binary files /dev/null and b/servers/haveno-cashbymail/5.png differ diff --git a/servers/haveno-cashbymail/6.png b/servers/haveno-cashbymail/6.png new file mode 100644 index 0000000..93e195a Binary files /dev/null and b/servers/haveno-cashbymail/6.png differ diff --git a/servers/haveno-cashbymail/7.png b/servers/haveno-cashbymail/7.png new file mode 100644 index 0000000..e5b5b22 Binary files /dev/null and b/servers/haveno-cashbymail/7.png differ diff --git a/servers/haveno-cashbymail/8.png b/servers/haveno-cashbymail/8.png new file mode 100644 index 0000000..dc55e91 Binary files /dev/null and b/servers/haveno-cashbymail/8.png differ diff --git a/servers/haveno-cashbymail/9.png b/servers/haveno-cashbymail/9.png new file mode 100644 index 0000000..2644acf Binary files /dev/null and b/servers/haveno-cashbymail/9.png differ diff --git a/servers/haveno-cashbymail/alice.png b/servers/haveno-cashbymail/alice.png new file mode 100644 index 0000000..b506371 Binary files /dev/null and b/servers/haveno-cashbymail/alice.png differ diff --git a/servers/haveno-cashbymail/bob.png b/servers/haveno-cashbymail/bob.png new file mode 100644 index 0000000..7602a70 Binary files /dev/null and b/servers/haveno-cashbymail/bob.png differ 
diff --git a/servers/haveno-cashbymail/index.html b/servers/haveno-cashbymail/index.html new file mode 100644 index 0000000..018b972 --- /dev/null +++ b/servers/haveno-cashbymail/index.html @@ -0,0 +1,255 @@ + + + + + + + + + + + Haveno DEX Cash by Mail -> XMR transaction + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-05-19

+

Haveno DEX Cash by Mail -> XMR transaction

+ +

In this tutorial we're going to cover how to buy Monero, for cash by mail on the Haveno Decentralised Exchange. This was the most popular payment method back on LocalMonero, due to being an improvement over bank transfers (like SEPA in the EU) when it comes to trading larger volumes in the long run, as Cash cannot easily be traced by adversaries unlike bank transfers, making Cash by Mail one of the most private ways to exchange real world money for Monero.

+ + +
+
+
+
+ + +
+
+
+
+

Initiating the trade

+ +

Here, we're Bob, we create our account on Haveno for Pay by Mail transactions, mentionning our real name, postal address, city and country.

+ +

Then we hit "save new account":

+ + +

Make sure you understand the risks that cash by mail transactions have, then click "I understand":

+ +

Then, we can create a buying offer by going into the Buy section:

+ +

Here we want to purchase 20 euros worth of Monero, at the current market price, for 0.1533 XMR:

+ +

THen we fund the offer, and when the funds show up in our Haveno client, we hit "Review: Place offer to buy Monero"

+ + +

Once the offer is confirmed, we can view it on the Portfolie page:

+ + +

Here we wait approx 20 minutes for the monero transaction to be validated by the network, then the offer will appear as enabled:

+ +

And from there, other peers will be able to see Bob's offer into the "Sell Monero" section.

+ +

Now let's switch over to Alice's side, we also create an account to be able to do Cash by mail transactions:

+ +

Then we go into the "Sell monero" section and we take Bob's offer:

+ +

Once the offer is taken we fund the offer:

+ +

There we send the monero to the address as shown for both the security deposit and the actual monero we want to sell:

+ + + + +

Now that the trade has been initiated, let's review the correct trade protocol for Cash By Mail transactions:

+ + +
+
+
+
+ +
+
+
+
+

Cash By Mail: the trade protocol



+

To remain safe with cash by mail transactions, there are a number of steps that Bob need to be take in order to ensure that there is no possibility of being scammed as explained by the following LocalMonero article:

+

+Staying Safe With Cash by Mail (originally from LocalMonero)
+
+If you're buying...
+
+If you stick to high reputation sellers it's very unlikely that you'll encounter any issues while buying with cash by mail, however the following tips will help you prove your payment in a dispute should it arise. The most important thing to do is to make a video recording of your payment. Here are the guidelines:
+Your video should be filmed within a single take, without cuts
+
+You can put the cash in the envelope at home or in the car, and you can put your phone with the video turned on in your front shirt pocket and it'll record the whole process without much extra work from you apart from making sure that you do everything in front of where the camera's pointing. If you have something like a GoPro or the latest iPhone which has a camera with a wider viewing angle it's going to be even easier. Keep the footage in case of a dispute for 180 days.
+
+Put custom markings inside the envelope
+Use some sort of a custom chop/stamp/seal, or a signature or just random movements with a sharpie inside the envelope, covering all surfaces. This will help establish whether the seller is actually opening the envelope you've sent or a fake one. Make sure the mark is visible on the video.
+
+Try to disguise the cash
+To mitigate a (potential, but very rare) case of postal theft en route, try to conceal the fact that the package contains cash. You may put the cash in a magazine, mylar bag or some other container. Vacuum sealing the cash also works.
+
+Place envelopes inside of envelopes
+Instead of simply placing the cash into the envelope, use multiple nested envelopes for your package. Place the cash into the smallest envelope (or simply fold a bigger envelope as necessary), seal it, and place it into another envelope. Repeat this process until you have at least 3 nested envelopes. This helps ensure that if the receiving party tries to tamper with your package they will have a much harder time resealing it all in a way that would be undetectable when inspected by the dispute mediator.
+
+Send with tracking
+Packages sent without tracking may get lost with and without tracking it could be all but impossible to locate it. Having tracking also allows the receiving end to have peace of mind that the package is en route in case it's taking longer than expected.
+
+Conclusion
+As we've mentioned before, with established traders the risk for a buyer is very low. Very low doesn't mean zero though, so make sure to follow these rules to be prepared for a dispute situation.
+
+
+

And there are also a few steps that the monero seller (Alice) has to follow in order to make sure the trade is conducted in a secure manner:

+

+If you're selling...
+
+Make a video of receiving and opening the package
+Record yourself receiving the package from the postal worker, the postal worker weighing it, record the label, all the outer sides of the package; open the package while filming with the camera pointed into it, run the cash through a counter and counterfeit scanner. Make sure everything is filmed in one take. Always keep the package in view of the camera. Keep the footage in case of a dispute for 180 days.
+
+Under no circumstances finalize a trade early
+The key thing to remember (and we put disclaimers about this on every step of the way) is to NEVER finalize a trade UNTIL you have the money and you are absolutely confident that everything is in order. A legitimate buyer won't pressure you into early finalize.
+
+Have a buyer put a note with their username and trade ID
+This will help you distinguish packages coming from different buyers and avoid confusion. This also will help in preventing man-in-the-middle attacks, where a scammer interposes themselves in-between the buyer and the seller, pretending to be the seller when talking to the buyer and pretending to be the buyer when talking to the seller.	
+
+
+ +

To recap the recommendations we have the following graph:

+ +

Here bob puts the cash into a mylar bag (to disguise the cash), which gets put into a tamper proof bag (that way, if alice tries to open it, it'll be easy to see), then bob puts it into at least 3 envelope layers with custom markings inside each layer (again, as anti tampering measures), and then putting it inside the tracking envelope.

+

Also very important, Bob needs to record himself from the moment he wraps the cash into the mylar bag, all the way to when he places the letter in the letterbox. and Alice needs to do the same from her letterbox, all the way to unpacking the cash from the mylar bag. That way in case if there is a dispute, the arbitrator will be able to see who's at fault if there are any steps along the way that have not been respected.

+

In total per cash by mail transaction (assuming the final envelope weighs less than 100grams), the cost involved for the seller should be around 2 euros in France (including tracking), assuming the seller sends the envelope within the same country, and that he buys enevlopes, mylar bags and tamper proof bags in bulk.

+ + +
+
+
+
+ + + +
+
+
+
+

Finishing the Transaction



+ +

Bob of course makes sure that the envelope is sent to Alice's address as it is showcased within the trade window:

+ +

And once he followed the trade protocol to send the envelope to Alice, he can declare that he has sent the payment:

+ +

And then, both Alice and Bob will have to wait for the postal service to take the letter to it's destination. Bob also sent Alice the tracking link so that she can pinpoint where the envelope is in case if there is an issue along the way.

+ +

Back to Alice's side, we get the following notification:

+ +

There, the delay depends on the postal service. But she recieves the envelope 5 days later, she records herself from the point of retrieving, to the unpacking of the cash inside. and then if all is ok on her side, she confirms that she has recieved payment to release the monero funds to Bob:

+ + + +

And lastly, Bob sees that the funds are arriving on his Haveno client, and now he closes the trade.

+ +

And there, Bob can withdraw his funds from his Haveno monero wallet to another wallet if he chooses so inside the "Funds" tab, as we detailed in our previous tutorial here.

+

Check out my other tutorials on Decentralised Finances below:

+
    +
  1. ✅ How to acquire and use Monero
  2. +
  3. ✅ Haveno Decentralised Exchange direct Fiat -> XMR transaction ⭐
  4. +
  5. ✅ Haveno DEX Dispute resolution (Fiat -> XMR)
  6. +
  7. ✅ Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction
  8. +
  9. ✅ Haveno DEX Cash By Mail -> XMR transaction ⭐

+ + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
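Review bot: In the cost paragraph of servers/haveno-cashbymail/index.html, "the cost involved for the seller should be around 2 euros ... assuming the seller sends the envelope" contradicts the roles used everywhere else on this page, where Bob, the Monero buyer, packs and mails the cash and Alice is "the monero seller". Please change "seller" to "buyer" (or name Bob) in that sentence so readers do not mix up who pays for postage and packaging. While in this file, fix the typos in the added text: "mentionning", "THen", "Portfolie", "Bob need to be take", "enevlopes", "recieves" and "recieved", and "it's destination" (should be "its"). The quoted sentence "Packages sent without tracking may get lost with and without tracking it could be all but impossible to locate it" also reads as garbled; check it against the source article.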
+ + + + + + + diff --git a/servers/haveno-client-f2f/0.1.png b/servers/haveno-client-f2f/0.1.png new file mode 100644 index 0000000..35e075d Binary files /dev/null and b/servers/haveno-client-f2f/0.1.png differ diff --git a/servers/haveno-client-f2f/0.png b/servers/haveno-client-f2f/0.png new file mode 100644 index 0000000..c031b77 Binary files /dev/null and b/servers/haveno-client-f2f/0.png differ diff --git a/servers/haveno-client-f2f/1.png b/servers/haveno-client-f2f/1.png new file mode 100644 index 0000000..c5a453a Binary files /dev/null and b/servers/haveno-client-f2f/1.png differ diff --git a/servers/haveno-client-f2f/10.png b/servers/haveno-client-f2f/10.png new file mode 100644 index 0000000..d501c53 Binary files /dev/null and b/servers/haveno-client-f2f/10.png differ diff --git a/servers/haveno-client-f2f/11.png b/servers/haveno-client-f2f/11.png new file mode 100644 index 0000000..4769f42 Binary files /dev/null and b/servers/haveno-client-f2f/11.png differ diff --git a/servers/haveno-client-f2f/12.png b/servers/haveno-client-f2f/12.png new file mode 100644 index 0000000..faff291 Binary files /dev/null and b/servers/haveno-client-f2f/12.png differ diff --git a/servers/haveno-client-f2f/13.png b/servers/haveno-client-f2f/13.png new file mode 100644 index 0000000..78ded08 Binary files /dev/null and b/servers/haveno-client-f2f/13.png differ diff --git a/servers/haveno-client-f2f/14.1.png b/servers/haveno-client-f2f/14.1.png new file mode 100644 index 0000000..3787aec Binary files /dev/null and b/servers/haveno-client-f2f/14.1.png differ diff --git a/servers/haveno-client-f2f/14.png b/servers/haveno-client-f2f/14.png new file mode 100644 index 0000000..ef118c4 Binary files /dev/null and b/servers/haveno-client-f2f/14.png differ diff --git a/servers/haveno-client-f2f/15.1.png b/servers/haveno-client-f2f/15.1.png new file mode 100644 index 0000000..6d3fc8a Binary files /dev/null and b/servers/haveno-client-f2f/15.1.png differ 
diff --git a/servers/haveno-client-f2f/15.png b/servers/haveno-client-f2f/15.png new file mode 100644 index 0000000..bb1e7c4 Binary files /dev/null and b/servers/haveno-client-f2f/15.png differ diff --git a/servers/haveno-client-f2f/16.png b/servers/haveno-client-f2f/16.png new file mode 100644 index 0000000..940d718 Binary files /dev/null and b/servers/haveno-client-f2f/16.png differ diff --git a/servers/haveno-client-f2f/17.png b/servers/haveno-client-f2f/17.png new file mode 100644 index 0000000..055e142 Binary files /dev/null and b/servers/haveno-client-f2f/17.png differ diff --git a/servers/haveno-client-f2f/18.png b/servers/haveno-client-f2f/18.png new file mode 100644 index 0000000..661544a Binary files /dev/null and b/servers/haveno-client-f2f/18.png differ diff --git a/servers/haveno-client-f2f/19.png b/servers/haveno-client-f2f/19.png new file mode 100644 index 0000000..3e55cc4 Binary files /dev/null and b/servers/haveno-client-f2f/19.png differ diff --git a/servers/haveno-client-f2f/2.png b/servers/haveno-client-f2f/2.png new file mode 100644 index 0000000..348bce2 Binary files /dev/null and b/servers/haveno-client-f2f/2.png differ diff --git a/servers/haveno-client-f2f/20.png b/servers/haveno-client-f2f/20.png new file mode 100644 index 0000000..3e075fd Binary files /dev/null and b/servers/haveno-client-f2f/20.png differ diff --git a/servers/haveno-client-f2f/21.png b/servers/haveno-client-f2f/21.png new file mode 100644 index 0000000..6109438 Binary files /dev/null and b/servers/haveno-client-f2f/21.png differ diff --git a/servers/haveno-client-f2f/22.png b/servers/haveno-client-f2f/22.png new file mode 100644 index 0000000..4afafb1 Binary files /dev/null and b/servers/haveno-client-f2f/22.png differ diff --git a/servers/haveno-client-f2f/23.png b/servers/haveno-client-f2f/23.png new file mode 100644 index 0000000..5696ce2 Binary files /dev/null and b/servers/haveno-client-f2f/23.png differ 
diff --git a/servers/haveno-client-f2f/24.png b/servers/haveno-client-f2f/24.png new file mode 100644 index 0000000..f6e1209 Binary files /dev/null and b/servers/haveno-client-f2f/24.png differ diff --git a/servers/haveno-client-f2f/25.png b/servers/haveno-client-f2f/25.png new file mode 100644 index 0000000..c4715a2 Binary files /dev/null and b/servers/haveno-client-f2f/25.png differ diff --git a/servers/haveno-client-f2f/26.png b/servers/haveno-client-f2f/26.png new file mode 100644 index 0000000..107d9ac Binary files /dev/null and b/servers/haveno-client-f2f/26.png differ diff --git a/servers/haveno-client-f2f/27.png b/servers/haveno-client-f2f/27.png new file mode 100644 index 0000000..ff7345e Binary files /dev/null and b/servers/haveno-client-f2f/27.png differ diff --git a/servers/haveno-client-f2f/28.png b/servers/haveno-client-f2f/28.png new file mode 100644 index 0000000..8183cd6 Binary files /dev/null and b/servers/haveno-client-f2f/28.png differ diff --git a/servers/haveno-client-f2f/29.png b/servers/haveno-client-f2f/29.png new file mode 100644 index 0000000..5459ec6 Binary files /dev/null and b/servers/haveno-client-f2f/29.png differ diff --git a/servers/haveno-client-f2f/3.png b/servers/haveno-client-f2f/3.png new file mode 100644 index 0000000..0584b83 Binary files /dev/null and b/servers/haveno-client-f2f/3.png differ diff --git a/servers/haveno-client-f2f/30.png b/servers/haveno-client-f2f/30.png new file mode 100644 index 0000000..b0ea75c Binary files /dev/null and b/servers/haveno-client-f2f/30.png differ diff --git a/servers/haveno-client-f2f/4.png b/servers/haveno-client-f2f/4.png new file mode 100644 index 0000000..84c2600 Binary files /dev/null and b/servers/haveno-client-f2f/4.png differ diff --git a/servers/haveno-client-f2f/5.1.png b/servers/haveno-client-f2f/5.1.png new file mode 100644 index 0000000..3976e29 Binary files /dev/null and b/servers/haveno-client-f2f/5.1.png differ 
diff --git a/servers/haveno-client-f2f/5.2.png b/servers/haveno-client-f2f/5.2.png new file mode 100644 index 0000000..5c3d8da Binary files /dev/null and b/servers/haveno-client-f2f/5.2.png differ diff --git a/servers/haveno-client-f2f/6.png b/servers/haveno-client-f2f/6.png new file mode 100644 index 0000000..ca5056a Binary files /dev/null and b/servers/haveno-client-f2f/6.png differ diff --git a/servers/haveno-client-f2f/7.png b/servers/haveno-client-f2f/7.png new file mode 100644 index 0000000..4eff73e Binary files /dev/null and b/servers/haveno-client-f2f/7.png differ diff --git a/servers/haveno-client-f2f/8.png b/servers/haveno-client-f2f/8.png new file mode 100644 index 0000000..8937459 Binary files /dev/null and b/servers/haveno-client-f2f/8.png differ diff --git a/servers/haveno-client-f2f/9.png b/servers/haveno-client-f2f/9.png new file mode 100644 index 0000000..63dac1d Binary files /dev/null and b/servers/haveno-client-f2f/9.png differ diff --git a/servers/haveno-client-f2f/index.html b/servers/haveno-client-f2f/index.html new file mode 100644 index 0000000..180fe9f --- /dev/null +++ b/servers/haveno-client-f2f/index.html @@ -0,0 +1,435 @@ + + + + + + + + + + + Haveno DEX Direct Fiat to Monero transactions + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-05-14

+

Haveno DEX Direct Fiat to Monero transactions

+ +

In this tutorial we're going to cover how to do a Fiat to Monero trade from the brand new (and long awaited!) Haveno Decentralised Exchange, using the Face-to-Face (F2F) payment method.

+ +

Sidenote: i don't recommend face-to-face as a payment option of choice, this is just to try out how a basic trade Haveno DEX works!

+

Before reading through this tutorial, make sure you understand why Decentralised Exchanges are the next step in Decentralised Finances in this blogpost i previously made, so that you have all the context.

+

As we are covering a DEX (Decentralised Exchange), it means we are not covering how to use a website onto which you are purchasing monero (like the now defunct Localmonero (RIP)), we are covering a software that you install on your computer (hence the Decentralisation in "DEX"), to trade Peer to Peer (P2P) with the other users.

+ +

The resilliency of Haveno is on multiple levels: First of all the more Seed nodes there are, the harder to take down the Haveno network is. The anonymity provided by the Tor network of Haveno for all nodes (which is on by default), also adds up to the resiliency.

+

Clientside, the more peers (users) there are, the more diverse and bigger the exchange will be, and so will the decentralised market be at large. The sooner the Monero market moves to Decentralised Exchanges, the more unstoppable it will become.

+

Lastly if the Haveno network is completely taken down (let's say if all the seed nodes are taken down somehow), all that's left is for another administrator to spin up a new haveno network since the code is all open source, to repeat the cycle again.

+

You can check out my quick coverage of Haveno DEX on Monero Topia here. (Definitely check out MoneroTopia for the latest news in the Monero world, awesome show!)

+

DISCLAIMER: THERE ARE NO OFFICIAL HAVENO NETWORK INSTANCES, THERE ARE ONLY THIRD PARTY HAVENO NETWORKS LIKE HAVENO RETO.

+

IF YOU SEE A HAVENO CLAIM TO BE THE OFFICIAL NETWORK LIKE THIS ONE, DONT FALL FOR THEIR SCAM!

+ +
+
+
+
+ + +
+
+
+
+

How to install Haveno ?

+

First, we need to find a Haveno Network, Haveno Reto being one of the first ones to show up, we're going to try them out:

+

Let's get the Haveno binaries from Reto's github repository, (which was forked from the original Haveno repository, maintained by Woodser)

+ +

For Debian Users

+

Here, we are on a debian machine, so we download the ubuntu package (which contains the .deb and .rpm file)

+ +

For Arch Linux Users

+

You can either extract the .rpm (which is originally intended for Fedora users) package and run the haveno binary yourself, or use the AUR package maintained by duje

+

For Windows Users

+

If you are a windows user (know that it cant be trusted as it's not an open source operating system, check out my tutorial here on how to install linux instead), if you're too lazy you can check out darknetreporter's tutorial:

+ +

For Debian Users

+

Back on Debian (note: these instructions are the same if you are on Whonix!), the zip package is downloaded:

+ +

Then unpack the zipfile wherever you want:

+

+[ mainpc ] [ /dev/pts/5 ] [~]
+→ unzip ~/Downloads/HavenoInstaller-ubuntu-latest.zip -d ~/Documents/
+Archive:  /home/nihilist/Downloads/HavenoInstaller-ubuntu-latest.zip
+  inflating: /home/nihilist/Documents/desktop-1.0.3-SNAPSHOT-all.jar.SHA-256
+  inflating: /home/nihilist/Documents/haveno-1.0.3-1.x86_64.rpm
+  inflating: /home/nihilist/Documents/haveno_1.0.3-1_amd64.deb
+
+[ mainpc ] [ /dev/pts/5 ] [~]
+→ cd ~/Documents/haveno-reto
+
+[ mainpc ] [ /dev/pts/5 ] [~/Documents/haveno-reto]
+→ ls
+desktop-1.0.3-SNAPSHOT-all.jar.SHA-256  haveno_1.0.3-1_amd64.deb  haveno-1.0.3-1.x86_64.rpm
+
+
+

Here since we are currently on a debian machine, we're going to use the .deb file to install haveno, as follows:

+

+[ mainpc ] [ /dev/pts/1 ] [~/Documents/haveno-reto]
+→ sudo dpkg -i haveno_1.0.3-1_amd64.deb
+[sudo] password for nihilist:
+Selecting previously unselected package haveno.
+(Reading database ... 214512 files and directories currently installed.)
+Preparing to unpack haveno_1.0.3-1_amd64.deb ...
+Unpacking haveno (1.0.3-1) ...
+Setting up haveno (1.0.3-1) ...
+
+#if it fails, run "apt install -f" to install the missing dependencies and then dpkg -i haveno.deb again.
+
+
+

If you previously used haveno, make sure you delete the folder in ~/.local/share/Haveno-reto as follows, to clear up all the previous wallet infos

+

+[ mainpc ] [ /dev/pts/1 ] [~/Documents/haveno-reto]
+→ rm -rf ~/.local/share/Haveno-reto
+
+
+

if you want to see the haveno logs from the CLI as you use it, you can do as follows:

+

+[ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog]
+→ cd ~/.local/share/Haveno-reto
+
+[ mainpc ] [ /dev/pts/6 ] [.local/share/Haveno-reto]
+→ ls
+haveno.log  haveno.properties  monerod  monero-wallet-rpc  monero-wallet-rpc.log  version  xmr_mainnet
+
+[ mainpc ] [ /dev/pts/6 ] [.local/share/Haveno-reto]
+→ tail -f haveno.log
+May-29 20:55:23.829 [pool-16-thread-5] INFO  h.c.t.TaskRunner: Run task: SendOfferAvailabilityRequest
+May-29 20:55:23.830 [pool-16-thread-5] INFO  h.c.o.a.t.SendOfferAvailabilityRequest: Send OfferAvailabilityRequest with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and uid d85caa9c-840c-45eb-8642-4cb12828fc93 to peer rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999
+May-29 20:55:23.930 [JavaFX Application Thread] INFO  h.c.o.a.t.SendOfferAvailabilityRequest: OfferAvailabilityRequest arrived at peer: offerId=mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106; uid=d85caa9c-840c-45eb-8642-4cb12828fc93
+May-29 20:55:25.292 [JavaFX Application Thread] INFO  h.d.c.c.c.PopOver: hide:200.0 ms
+May-29 20:55:25.903 [pool-48-thread-1] INFO  h.c.o.a.OfferAvailabilityProtocol: Received OfferAvailabilityResponse from rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999 with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and uid 986ee04a-47d2-4303-a9fc-12d18cc158ce
+May-29 20:55:25.905 [pool-48-thread-1] INFO  h.c.t.TaskRunner: Run task: ProcessOfferAvailabilityResponse
+May-29 20:55:25.905 [pool-48-thread-1] INFO  h.c.o.a.OfferAvailabilityProtocol: Send AckMessage for OfferAvailabilityResponse to peer rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999 with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and sourceUid 986ee04a-47d2-4303-a9fc-12d18cc158ce
+May-29 20:55:25.907 [JavaFX Application Thread] INFO  h.c.o.a.OfferAvailabilityProtocol: AckMessage for OfferAvailabilityResponse arrived at makersNodeAddress rlrsc6nfqbvqhly3qjcb36qzvw44xnxqhcht3nqndy324ewg4dut4iqd.onion:9999. offerId=mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106, sourceUid=986ee04a-47d2-4303-a9fc-12d18cc158ce
+May-29 20:55:26.108 [pool-48-thread-1] INFO  h.c.o.OpenOfferManager: Received AckMessage for OfferAvailabilityRequest with offerId mqbtqDh-1ec9fa64-e5e7-4766-9936-519951bc5f36-106 and uid d85caa9c-840c-45eb-8642-4cb12828fc93
+May-29 20:55:27.427 [JavaFX Application Thread] INFO  h.d.c.c.c.PopOver: hide:200.0 ms
+
+
+

next just launch Haveno as it should have been added to your system:

+ + +

For Whonix Users: use tor bridges to make Haveno connect!

+

Next, haveno is going to connect to Tor. WHONIX USERS: If it is facing issues connecting wait for the client to ask you to set the tor settings:

+ +

then just get a torbridge from torproject.org:

+ +

and add them inside haveno, and restart it:

+ +

Then it should connect just fine:

+ +

you may need to wait a bit for your haveno node to sync up initially: (probably 1-2 minutes)

+ +

and once it finishes synchronising, you're in Haveno!

+ +

For Tails OS Users: Use BrandyJson's Script!

+

If you want to have a TailsOS VM running, check out my latest tutorial on it here.

+

Download the latest haveno package just like on debian, then put it in the persistant storage:

+

+amnesia@amnesia:~$ mv ~/Tor\ Browser/haveno_1.0.7-1_amd64.zip ~/Persistent/
+amnesia@amnesia:~$ cd Persistent/
+amnesia@amnesia:~/Persistent$ ls -lash
+total 266M
+4.0K drwx------  3 amnesia amnesia 4.0K Jun 14 09:58  .
+   0 drwx------ 24 amnesia amnesia  600 Jun 14 09:19  ..
+266M -rw-r--r--  1 amnesia amnesia 266M Jun 14 09:57  haveno_1.0.7-1_amd64.zip
+
+amnesia@amnesia:~/Persistent$ sudo apt install unzip
+
+amnesia@amnesia:~/Persistent$ unzip haveno_1.0.7-1_amd64.zip 
+Archive:  haveno_1.0.7-1_amd64.zip
+  inflating: desktop-1.0.7-SNAPSHOT-all.jar.SHA-256  
+  inflating: haveno_1.0.7-1_amd64.deb  
+
+
+ +

Then we can use BrandyJson's script to install haveno on tails:

+

+amnesia@amnesia:~/Persistent$ wget https://raw.githubusercontent.com/BrandyJSon/haveno-install-tails/main/haveno-install.sh
+--2024-06-14 10:29:07--  https://raw.githubusercontent.com/BrandyJSon/haveno-install-tails/main/haveno-install.sh
+Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133
+Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 3393 (3.3K) [text/plain]
+Saving to: \u2018haveno-install.sh\u2019
+
+haveno-install.sh                                    100%[=====================================================================================================================>]   3.31K  14.3KB/s    in 0.2s    
+
+2024-06-14 10:29:09 (14.3 KB/s) - \u2018haveno-install.sh\u2019 saved [3393/3393]
+
+amnesia@amnesia:~/Persistent$ vim haveno-install.sh  #review the script, and change the dpkg -i line with the correct haveno version if it has changed
+
+
+

Be aware that this is not an official way of installing haveno on Tails, it's going barbaric on apparmor and the security model of tails, later on, there will be a better way to install haveno on Tails OS

+

+#if the bashscript contains '\r' characters , do the following:
+amnesia@amnesia:~/Persistent$ tr -d '\r' < haveno-install.sh  > haveno-install.sh
+
+#then install it:
+amnesia@amnesia:~/Persistent$ sudo bash haveno-install.sh 
+[sudo] password for amnesia:          
+
+Selecting previously unselected package haveno.
+(Reading database ... 148641 files and directories currently installed.)
+Preparing to unpack .../haveno_1.0.7-1_amd64.deb ...
+Unpacking haveno (1.0.7-1) ...
+Setting up haveno (1.0.7-1) ...
+Allowing amnesia to read tor control port cookie, only run this script when you actually want to use haveno
+
+!!! not secure !!!
+
+Updating apparmor-profile
+Adding rule to iptables to allow for monero-wallet-rpc to work
+Updating torsocks to allow for inbound connection
+Restarting onion-grater service
+Everything is set up just run
+
+source ~/.bashrc
+
+Then you can start haveno using haveno-tails
+
+amnesia@amnesia:~/Persistent$ source ~/.bashrc
+amnesia@amnesia:~/Persistent$ haveno-tails
+Jun-14 10:52:51.099 [main] INFO  haveno.common.util.Utilities: System info: os.name=Linux; os.version=6.1.0-21-amd64; os.arch=amd64; sun.arch.data.model=64; JRE=21.0.2+14-LTS (BellSoft); JVM=21.0.2+14-LTS (OpenJDK 64-Bit Server VM) 
+Jun-14 10:52:51.120 [main] INFO  haveno.common.app.AsciiLogo: 
+
+                                                                                                              
+                                                                                                              
+                                                                                                              
+                                                   0X                                                         
+                                              OOdolcck                                                        
+                                       KXKNN0occcccccck:   :Kxxk0d                                            
+                                     klccccccccccccccccck0xcccccccxK'                                         
+                                    xccccccccccccccclOKKOocccccccccclxK                                       
+                                  .xccccccccccccccclWMMMMMd:::::::::ccco                                      
+                                 'dccccccc:::cccccclWMMMMMo:::::::::::cc;                                     
+                                ,occccc:::::::::::::cxO0kl:::::::::::::cd                                     
+                               ;occccc:::::cddddddc;;;;;;;;:ddddddl:::::coldOK                                
+                              :occccc::::::xMMMMMMo,,,,,,,,cMMMMMMk::::::cccccoOc                             
+                             llccccc:::::;;dMMMMMMo,,,,,,,,cMMMMMMk:::::::cccccc,                             
+                             'cccccc::::;,,dMMMMMMl'''''',,cMMMMMMk::::::::ccccc.                             
+                             .cccccc::::,,,dMMMMMMo'''''',,cMMMMMMk::::::::ccccc                              
+                              :ccccc:::::;;dMMMMMM0xxxxxxxxOMMMMMMk::::::::ccc'                               
+                              ;ccccc:::::::xMMMMMMMMMMMMMMMMMMMMMMk::::::ccccco                               
+                              'ccccc:::::::xMMMMMMMMMMMMMMMMMMMMMMk:::::ccccccco                              
+                              .ccccccc:::::xMMMMMMd::::::::oMMMMMMk:::::ccccccc                               
+                               :cccccccc:::xMMMMMMo,,,,,,,,cMMMMMMk:::::cccccc                                
+                                cccccccccc:xMMMMMMo,,,,,,,,cMMMMMMk::::cccccc                                 
+                                :ccccccccccxMMMMMMo,,,,,,,,cMMMMMMO:cccccccc                                  
+                                 ccccccccccxMMMMMMd;;;;;;;:lMMMMMMOcccccccc                                   
+                                    ccccccclooooooc::::::::cddddddlcccccc:                                    
+                                      .ccccc::::::::::::::ccccccccccccccc                                     
+                                         :cccc:::::::::::ccccccccccccc                                        
+                                           .cccc:::::::ccccccccccc,                                           
+                                              'ccccccccccccc.                                                 
+                                                  ;ccccc:                                                     
+                                                                                                              
+                                                                                                              
+                                                                                                              
+                                                                                                              
+                 .XXX.   .XXX.    .XXXk  dXX0     ;XXX.KXXXXXX, xXX0     :XX0    ,XK000KK                     
+                 .ccc.   .ccc.    xccccc  ;cco   .occ. ccccccc. :cccdo   ;cc:  oxlccccccco0.                  
+                 .ccc.   .ccc.   dcc'ccl.  :ccl  dcc.  ccc'     :cccccO. ;cc: lccc      'ccd                  
+                 .ccclllllccc.  ccc: .ccx  .ccl,dcc'   cccllll. :cc, ccox;cc: :cc:      .ccc.                 
+                 .ccc     ccc. 'lccl0kcccd  .cclcc,    ccc.     :cc;  .ccocc: .ccco     kcc:                  
+                 .ccc.   .ccc. dcc.    :ccl  .ccc;     cccd000' :cc;    cccc:   cccxO0kocc,                   
+                                                                                   :ccc.        
+
+ + + +
+
+
+
+ +
+
+
+
+

Fiat for Monero, Face to Face Trade



+

First step is to setup your account for Face to Face Trades:

+ +

Here we specify that we want to do face to face trades in Berlin (Germany) as an example, we will use our FIAT currency, Euros (in cash), you can also specify alternative ways to get contacted if you don't like the built in chat in Haveno DEX, such as email or phone number, etc. Then hit the "save new account" button:

+ +

Make sure you read carefully what a face-to-face fiat->XMR trade is, and what are it's risks, if you're fine with it, click "i understand". Now that your account is created, head over to the "Buy" section, as you want to buy monero:

+ + +

Then you can publish a Fiat->XMR face to face trade offer like so:

+ +

So here we want to purchase 0.10 XMR, for the current market price, which amounts to 12 euros. then hit next step:

+

Now here is when we get introduced to the trade protocol's security deposit system as detailed in the Haveno FAQ. I'll make a simple diagram to explain the situation:

+

+Quote from Haveno's FAQ: (https://haveno.exchange/faq/#what-are-the-differences-in-the-trade-protocol) 
+
+[...]
+
+Bisq recently adopted a protocol based on 2/2 multisig, while Haveno will use their previous protocol: 2/3 multisignature. In a 2/3 multisignature trade, each trader owns one key; this key will be paired with the key of the other trader and will be used to unlock funds and deposits. It’s a 2 of 3 (2/3) protocol because you need only two out of three keys to move funds from the multisignature wallet.
+
+If everything goes fine, the two traders will use their keys to complete the transfer process. If something goes wrong, one of the two parties won’t use their key to complete the transaction, and this is where the arbitrator comes to action.
+
+Arbitrators are inherited from Bisq’s 2/3 protocol. They are a trusted role and have the duty of releasing the funds to one of the two parties in case of a conflict. To do so, they use the third key of the 2/3 multisig protocol.
+
+[...]
+
+
+ +

To make it short, you (Bob) in this case, want to trade Fiat, for Alice's XMR, in person. BOTH you and Alice need to put in some monero into the trade, as a security deposit. That is so in case if you try to scam Alice, you will loose something in the process, preventing you from trying to repeatedly scam people, and vice versa.

+

Due to the 2/3 multisig nature of the trade, there needs to be at least 2 agreeing parties to complete the trade. If all goes well, you and Alice agree on the trade, and the security deposit monero is released. If not, the Arbitrator will step in to punish the wrongdoer (by not giving him the security deposit back), and give the security deposit to the honest party.

+

The following example will cover a successful trade between you and Alice. If you want to see a trade dispute, check out this tutorial.

+ +

So here, you need to send the security deposit to be able to post your buying offer, just send it from your monero wallet like so:

+ +

Once you've sent the monero to your haveno trade for the security deposit, you need to wait approx 20 minutes for the transaction to be confirmed by the network

+ +

Approx 20 mins later, the trade shows up as enabled:

+Bob: puts 0.1005 XMR into the trade for the security deposit, + +

You (and the other haveno peers) can see it from the Sell tab:

+ +

Here you just need to wait for someone to accept the trade. Once they do, they will need to send their share of the security deposit too just like we previously did. Once they do it will show up on your end as an initiated trade:

+Alice puts 0.1005 XMR into the trade for the security deposit. Then the trade is secured + +

Same as before, you need to wait for the security deposit to be validated by the network (approx 20 mins again). In the meantime you can chat with the trader by clicking the "Open Trader Chat" button.

+ +

Once the security deposit has been validated by the network for the other party, you will get a notification that the trade can begin:

+ +

Next step is for you to go and give the 12 Euros to Alice, and once you do, you confirm that the Payment has been sent like so:

+ +

Then, you wait for Alice to confirm that she has recieved the 12 Euros (it will show up as "Peer confirmed message receipt"):

+ + Alice can then send the 0.10 XMR to Bob, after Bob Pays her in Euros. +

Then here, you just wait for the Monero to arrive in your Haveno monero wallet, it will first show up as Pending on the top right corner:

+ +

Wait another 20 minutes for the transaction to be validated by the network, and it will show up in your Haveno monero wallet as Available balance:

+ The trade is successful, the security deposit is now released, Bob gets his 0.1005 XMR back, and Alice too. (minus the transcation fees and arbitrator fees) + +

And that's it, you can now pop the Champagne as you completed your first Fiat -> XMR transaction on a Decentralised exchange! 🥂

+ +
+
+
+
+ + + +
+
+
+
+

Withdrawing your Monero from Haveno to another Wallet



+

Now all that's left is to withdraw your monero from your Haveno monero wallet to your other Monero Wallet:

+ +

Head over to Funds > send funds, tick the "Amounts includes mining fee" option, and select the amount of monero you want to withdraw, in this case i'm withdrawing all of it.

+ +

Then confirm that you want to withdraw the funds, and check your monero wallet for the incoming transaction:

+ +

And that's it! you just withdrew your funds to your other monero wallet!

+ +

Check out my other tutorials on Decentralised Finances below:

+
    +
  1. ✅ How to acquire and use Monero
  2. +
  3. ✅ Haveno Decentralised Exchange direct Fiat -> XMR transaction ⭐
  4. +
  5. ✅ Haveno DEX Dispute resolution (Fiat -> XMR)
  6. +
  7. ✅ Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction
  8. +
  9. ✅ Haveno DEX Cash By Mail -> XMR transaction ⭐

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
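Review bot: The deposit captions in the face-to-face walkthrough leave it unclear where the traded 0.10 XMR sits. Alice is described as putting 0.1005 XMR in "for the security deposit", then "Alice can then send the 0.10 XMR to Bob", and the final caption has both parties getting 0.1005 XMR back. Say explicitly whether the trade amount is locked in the 2/3 multisig together with the deposits or sent separately by Alice, because the protection the FAQ quote describes depends on it. Smaller copy fixes in the added text: "it's risks" should be "its risks", "loose" should be "lose", "recieved" should be "received", and "transcation" should be "transaction".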
+ + + + + + + diff --git a/servers/haveno-client/1.png b/servers/haveno-client/1.png new file mode 100644 index 0000000..49bf502 Binary files /dev/null and b/servers/haveno-client/1.png differ diff --git a/servers/haveno-client/10.png b/servers/haveno-client/10.png new file mode 100644 index 0000000..48d7dde Binary files /dev/null and b/servers/haveno-client/10.png differ diff --git a/servers/haveno-client/11.png b/servers/haveno-client/11.png new file mode 100644 index 0000000..77dad8e Binary files /dev/null and b/servers/haveno-client/11.png differ diff --git a/servers/haveno-client/12.png b/servers/haveno-client/12.png new file mode 100644 index 0000000..35d5b01 Binary files /dev/null and b/servers/haveno-client/12.png differ diff --git a/servers/haveno-client/2.png b/servers/haveno-client/2.png new file mode 100644 index 0000000..76b2b68 Binary files /dev/null and b/servers/haveno-client/2.png differ diff --git a/servers/haveno-client/3.png b/servers/haveno-client/3.png new file mode 100644 index 0000000..df460eb Binary files /dev/null and b/servers/haveno-client/3.png differ diff --git a/servers/haveno-client/4.png b/servers/haveno-client/4.png new file mode 100644 index 0000000..b44c551 Binary files /dev/null and b/servers/haveno-client/4.png differ diff --git a/servers/haveno-client/5.png b/servers/haveno-client/5.png new file mode 100644 index 0000000..3e65335 Binary files /dev/null and b/servers/haveno-client/5.png differ diff --git a/servers/haveno-client/6.png b/servers/haveno-client/6.png new file mode 100644 index 0000000..1a36ba3 Binary files /dev/null and b/servers/haveno-client/6.png differ diff --git a/servers/haveno-client/7.png b/servers/haveno-client/7.png new file mode 100644 index 0000000..ec5aee6 Binary files /dev/null and b/servers/haveno-client/7.png differ diff --git a/servers/haveno-client/8.png b/servers/haveno-client/8.png new file mode 100644 index 0000000..8a0a6b5 Binary files /dev/null and b/servers/haveno-client/8.png differ 
diff --git a/servers/haveno-client/9.png b/servers/haveno-client/9.png new file mode 100644 index 0000000..10c0091 Binary files /dev/null and b/servers/haveno-client/9.png differ diff --git a/servers/haveno-client/index.html b/servers/haveno-client/index.html new file mode 100644 index 0000000..edf3188 --- /dev/null +++ b/servers/haveno-client/index.html @@ -0,0 +1,345 @@ + + + + + + + + + + + Haveno Client Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-05-13

+

Haveno Client Setup

+

In this tutorial we're going to cover how to use Haveno from a client/user perspective.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

let's follow the steps listed here to build haveno

+

+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents]
+→ cd /tmp
+
+[ mainpc ] [ /dev/pts/2 ] [/tmp]
+→ wget https://download.oracle.com/java/21/latest/jdk-21_linux-x64_bin.deb
+
+[ mainpc ] [ /dev/pts/2 ] [/tmp]
+→ sudo dpkg -i jdk-21_linux-x64_bin.deb
+
+[ mainpc ] [ /dev/pts/2 ] [/tmp]
+→ java --version
+java 21.0.3 2024-04-16 LTS
+Java(TM) SE Runtime Environment (build 21.0.3+7-LTS-152)
+Java HotSpot(TM) 64-Bit Server VM (build 21.0.3+7-LTS-152, mixed mode, sharing)
+
+
+[ mainpc ] [ /dev/pts/2 ] [/tmp]
+→ cd -
+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents]
+→ git clone https://github.com/haveno-dex/haveno.git
+Cloning into 'haveno'...
+remote: Enumerating objects: 36625, done.
+remote: Counting objects: 100% (2187/2187), done.
+remote: Compressing objects: 100% (896/896), done.
+remote: Total 36625 (delta 994), reused 2031 (delta 931), pack-reused 34438
+Receiving objects: 100% (36625/36625), 28.79 MiB | 1.92 MiB/s, done.
+Resolving deltas: 100% (22579/22579), done.
+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents]
+→ cd haveno
+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents/haveno]
+→ git checkout master
+Already on 'master'
+Your branch is up to date with 'origin/master'.
+
+[ mainpc ] [ /dev/pts/2 ] [~/Documents/haveno]
+→ make skip-tests
+mkdir -p .localnet
+./gradlew build -x test -x checkstyleMain -x checkstyleTest
+Starting a Gradle Daemon, 1 incompatible Daemon could not be reused, use --status for details
+
+> Task :cli:compileJava
+Note: /home/nihilist/Documents/haveno/cli/src/main/java/haveno/cli/CliMain.java uses or overrides a deprecated API.
+Note: Recompile with -Xlint:deprecation for details.
+
+> Task :common:compileJava
+Note: Some input files use or override a deprecated API.
+Note: Recompile with -Xlint:deprecation for details.
+Note: Some input files use unchecked or unsafe operations.
+Note: Recompile with -Xlint:unchecked for details.
+
+> Task :p2p:compileJava
+Note: Some input files use or override a deprecated API.
+Note: Recompile with -Xlint:deprecation for details.
+
+[...]
+
+
+> Task :relay:compileJava
+Note: /home/nihilist/Documents/haveno/relay/src/main/java/haveno/relay/RelayMain.java uses or overrides a deprecated API.
+Note: Recompile with -Xlint:deprecation for details.
+
+Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
+
+You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
+
+For more on this, please refer to https://docs.gradle.org/8.6/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
+
+BUILD SUCCESSFUL in 2m 20s
+81 actionable tasks: 78 executed, 3 up-to-date
+	
+
+ +

Now that's done, let's join the public test network:

+

+[ mainpc ] [ /dev/pts/2 ] [~/Documents/haveno]
+→ make user1-desktop-stagenet
+./haveno-desktop \
+        --baseCurrencyNetwork=XMR_STAGENET \
+        --useLocalhostForP2P=false \
+        --useDevPrivilegeKeys=false \
+        --nodePort=9999 \
+        --appName=haveno-XMR_STAGENET_user1 \
+        --apiPassword=apitest \
+        --apiPort=3201 \
+        --useNativeXmrWallet=false \
+
+WARNING: Unknown module: javafx.controls specified to --add-opens
+WARNING: Unknown module: javafx.controls specified to --add-opens
+WARNING: Unknown module: javafx.graphics specified to --add-opens
+May-13 19:39:41.967 [main] INFO  haveno.common.util.Utilities: System info: os.name=Linux; os.version=6.1.0-20-amd64; os.arch=amd64; sun.arch.data.model=64; JRE=21.0.3+7-LTS-152 (Oracle Corporation); JVM=21.0.3+7-LTS-152 (Java HotSpot(TM) 64-Bit Server VM)
+May-13 19:39:41.990 [main] INFO  haveno.common.app.AsciiLogo:
+
+
+
+
+                                                   0X
+                                              OOdolcck
+                                       KXKNN0occcccccck:   :Kxxk0d
+                                     klccccccccccccccccck0xcccccccxK'
+                                    xccccccccccccccclOKKOocccccccccclxK
+                                  .xccccccccccccccclWMMMMMd:::::::::ccco
+                                 'dccccccc:::cccccclWMMMMMo:::::::::::cc;
+                                ,occccc:::::::::::::cxO0kl:::::::::::::cd
+                               ;occccc:::::cddddddc;;;;;;;;:ddddddl:::::coldOK
+                              :occccc::::::xMMMMMMo,,,,,,,,cMMMMMMk::::::cccccoOc
+                             llccccc:::::;;dMMMMMMo,,,,,,,,cMMMMMMk:::::::cccccc,
+                             'cccccc::::;,,dMMMMMMl'''''',,cMMMMMMk::::::::ccccc.
+                             .cccccc::::,,,dMMMMMMo'''''',,cMMMMMMk::::::::ccccc
+                              :ccccc:::::;;dMMMMMM0xxxxxxxxOMMMMMMk::::::::ccc'
+                              ;ccccc:::::::xMMMMMMMMMMMMMMMMMMMMMMk::::::ccccco
+                              'ccccc:::::::xMMMMMMMMMMMMMMMMMMMMMMk:::::ccccccco
+                              .ccccccc:::::xMMMMMMd::::::::oMMMMMMk:::::ccccccc
+                               :cccccccc:::xMMMMMMo,,,,,,,,cMMMMMMk:::::cccccc
+                                cccccccccc:xMMMMMMo,,,,,,,,cMMMMMMk::::cccccc
+                                :ccccccccccxMMMMMMo,,,,,,,,cMMMMMMO:cccccccc
+                                 ccccccccccxMMMMMMd;;;;;;;:lMMMMMMOcccccccc
+                                    ccccccclooooooc::::::::cddddddlcccccc:
+                                      .ccccc::::::::::::::ccccccccccccccc
+                                         :cccc:::::::::::ccccccccccccc
+                                           .cccc:::::::ccccccccccc,
+                                              'ccccccccccccc.
+                                                  ;ccccc:
+
+
+
+
+                 .XXX.   .XXX.    .XXXk  dXX0     ;XXX.KXXXXXX, xXX0     :XX0    ,XK000KK
+                 .ccc.   .ccc.    xccccc  ;cco   .occ. ccccccc. :cccdo   ;cc:  oxlccccccco0.
+                 .ccc.   .ccc.   dcc'ccl.  :ccl  dcc.  ccc'     :cccccO. ;cc: lccc      'ccd
+                 .ccclllllccc.  ccc: .ccx  .ccl,dcc'   cccllll. :cc, ccox;cc: :cc:      .ccc.
+                 .ccc     ccc. 'lccl0kcccd  .cclcc,    ccc.     :cc;  .ccocc: .ccco     kcc:
+                 .ccc.   .ccc. dcc.    :ccl  .ccc;     cccd000' :cc;    cccc:   cccxO0kocc,
+                                                                                   :ccc.
+
+
+
+
+
+
+
+May-13 19:39:42.009 [main] INFO  haveno.common.app.Version: Version{VERSION=1.0.3, P2P_NETWORK_VERSION=A, LOCAL_DB_VERSION=1, TRADE_PROTOCOL_VERSION=1, BASE_CURRENCY_NETWORK=1, getP2PNetworkId()=1A}
+May-13 19:39:42.009 [main] INFO  haveno.common.setup.CommonSetup: Path to Haveno jar file: /home/nihilist/Documents/haveno/lib/common.jar
+May-13 19:39:42.010 [main] INFO  haveno.common.util.Profiler: Total memory: 66 MB; Used memory: 25.56 MB; Free memory: 40.44 MB; Max memory: 1 GB; No. of threads: 1
+May-13 19:39:42.029 [main] INFO  h.core.setup.CoreNetworkCapabilities: TRADE_STATISTICS [0], TRADE_STATISTICS_2 [1], ACCOUNT_AGE_WITNESS [2], PROPOSAL [5], BLIND_VOTE [6], ACK_MSG [7], BUNDLE_OF_ENVELOPES [10], SIGNED_ACCOUNT_AGE_WITNESS [11], MEDIATION [12], REFUND_AGENT [13], TRADE_STATISTICS_HASH_UPDATE [14], NO_ADDRESS_PRE_FIX [15], TRADE_STATISTICS_3 [16]
+May-13 19:39:42.031 [main] INFO  haveno.core.locale.GlobalSettings: Locale info: en_US
+May 13, 2024 7:39:42 PM com.sun.javafx.application.PlatformImpl startup
+WARNING: Unsupported JavaFX configuration: classes were loaded from 'unnamed module @1de5f259'
+May-13 19:39:42.809 [JavaFX Application Thread] INFO  haveno.core.app.AvoidStandbyModeService: Started -- disabled power management via /usr/bin/gnome-session-inhibit --app-id Haveno --inhibit suspend --reason Avoid Standby --inhibit-only
+May-13 19:39:42.812 [JavaFX Application Thread] INFO  haveno.core.app.HavenoExecutable: Creating Haveno account with null password
+May-13 19:39:43.058 [JavaFX Application Thread] INFO  h.c.n.p2p.seed.DefaultSeedNodeRepository: Seed nodes: [3cqlkowdu766sto5wrdqpntpsi7kezwkkakc532i6jeiyu7hha726ead.onion:3003, dl57jitswby4yhzpqpu7pwq6iyqg2x6vkio73araparbftlqoqxhvqad.onion:2002]
+May-13 19:39:43.620 [JavaFX Application Thread] INFO  haveno.core.provider.ProvidersRepository: Selected price provider: http://elaxlgigphpicy5q7pi5wkz2ko2vgjbq4576vic7febmx4xcxvk6deqd.onion/
+May-13 19:39:43.760 [JavaFX Application Thread] INFO  haveno.desktop.app.HavenoApp: Starting application
+May-13 19:39:43.895 [JavaFX Application Thread] INFO  haveno.core.app.AppStartupState: Combined initialized state = false = updatedDataReceived=false && isBlockDownloadComplete=false && isWalletSynced=false && hasSufficientPeersForBroadcast=false && allDomainServicesInitialized=false
+May-13 19:39:44.867 [JavaFX Application Thread] INFO  haveno.desktop.app.HavenoAppMain: Using JavaFX 21.0.2
+
+	
+
+ +

+ +

+	
+
+
+
+
+
+ +
+
+
+
+

Setup



+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Setup



+

+

+	
+
+ +

+

+	
+
+ +

+

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
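Review bot: In the Initial Setup terminal block the JDK package is downloaded with wget and handed straight to `sudo dpkg -i jdk-21_linux-x64_bin.deb` with no integrity check. Add a step that compares the file's SHA-256 against the vendor's published value before it is installed as root. The build is likewise taken from `git checkout master`, so readers compile whatever is at the branch tip. Consider having the tutorial check out a tagged release and say which version the logged output (VERSION=1.0.3) corresponds to. The page also ends with three "Setup" sections that carry no text; fill them in or drop them before merging. Since this is the public stagenet walkthrough, note that the `--apiPassword=apitest` shown in the launch output is a test default.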
+ + + + + + + diff --git a/servers/haveno-sepa/0.1.png b/servers/haveno-sepa/0.1.png new file mode 100644 index 0000000..e4ada3e Binary files /dev/null and b/servers/haveno-sepa/0.1.png differ diff --git a/servers/haveno-sepa/0.png b/servers/haveno-sepa/0.png new file mode 100644 index 0000000..c031b77 Binary files /dev/null and b/servers/haveno-sepa/0.png differ diff --git a/servers/haveno-sepa/1.png b/servers/haveno-sepa/1.png new file mode 100644 index 0000000..3a38426 Binary files /dev/null and b/servers/haveno-sepa/1.png differ diff --git a/servers/haveno-sepa/10.png b/servers/haveno-sepa/10.png new file mode 100644 index 0000000..a7e6f57 Binary files /dev/null and b/servers/haveno-sepa/10.png differ diff --git a/servers/haveno-sepa/11.png b/servers/haveno-sepa/11.png new file mode 100644 index 0000000..f59f6e1 Binary files /dev/null and b/servers/haveno-sepa/11.png differ diff --git a/servers/haveno-sepa/12.png b/servers/haveno-sepa/12.png new file mode 100644 index 0000000..4aa6e23 Binary files /dev/null and b/servers/haveno-sepa/12.png differ diff --git a/servers/haveno-sepa/13.png b/servers/haveno-sepa/13.png new file mode 100644 index 0000000..c5d8c77 Binary files /dev/null and b/servers/haveno-sepa/13.png differ diff --git a/servers/haveno-sepa/14.1.png b/servers/haveno-sepa/14.1.png new file mode 100644 index 0000000..7163442 Binary files /dev/null and b/servers/haveno-sepa/14.1.png differ diff --git a/servers/haveno-sepa/14.png b/servers/haveno-sepa/14.png new file mode 100644 index 0000000..58cec6d Binary files /dev/null and b/servers/haveno-sepa/14.png differ diff --git a/servers/haveno-sepa/15.png b/servers/haveno-sepa/15.png new file mode 100644 index 0000000..cd5e2cf Binary files /dev/null and b/servers/haveno-sepa/15.png differ diff --git a/servers/haveno-sepa/16.png b/servers/haveno-sepa/16.png new file mode 100644 index 0000000..c0e9285 Binary files /dev/null and b/servers/haveno-sepa/16.png differ 
diff --git a/servers/haveno-sepa/17.png b/servers/haveno-sepa/17.png new file mode 100644 index 0000000..d21b1f0 Binary files /dev/null and b/servers/haveno-sepa/17.png differ diff --git a/servers/haveno-sepa/18.png b/servers/haveno-sepa/18.png new file mode 100644 index 0000000..340c990 Binary files /dev/null and b/servers/haveno-sepa/18.png differ diff --git a/servers/haveno-sepa/19.png b/servers/haveno-sepa/19.png new file mode 100644 index 0000000..b2ef9e5 Binary files /dev/null and b/servers/haveno-sepa/19.png differ diff --git a/servers/haveno-sepa/2.png b/servers/haveno-sepa/2.png new file mode 100644 index 0000000..fbcf48d Binary files /dev/null and b/servers/haveno-sepa/2.png differ diff --git a/servers/haveno-sepa/20.png b/servers/haveno-sepa/20.png new file mode 100644 index 0000000..4ed2e44 Binary files /dev/null and b/servers/haveno-sepa/20.png differ diff --git a/servers/haveno-sepa/3.png b/servers/haveno-sepa/3.png new file mode 100644 index 0000000..045e69b Binary files /dev/null and b/servers/haveno-sepa/3.png differ diff --git a/servers/haveno-sepa/4.png b/servers/haveno-sepa/4.png new file mode 100644 index 0000000..b68ec19 Binary files /dev/null and b/servers/haveno-sepa/4.png differ diff --git a/servers/haveno-sepa/5.png b/servers/haveno-sepa/5.png new file mode 100644 index 0000000..b63d682 Binary files /dev/null and b/servers/haveno-sepa/5.png differ diff --git a/servers/haveno-sepa/6.1.png b/servers/haveno-sepa/6.1.png new file mode 100644 index 0000000..b63d682 Binary files /dev/null and b/servers/haveno-sepa/6.1.png differ diff --git a/servers/haveno-sepa/6.2.png b/servers/haveno-sepa/6.2.png new file mode 100644 index 0000000..dc8874b Binary files /dev/null and b/servers/haveno-sepa/6.2.png differ diff --git a/servers/haveno-sepa/6.png b/servers/haveno-sepa/6.png new file mode 100644 index 0000000..dc8874b Binary files /dev/null and b/servers/haveno-sepa/6.png differ 
diff --git a/servers/haveno-sepa/7.png b/servers/haveno-sepa/7.png new file mode 100644 index 0000000..f66ebb9 Binary files /dev/null and b/servers/haveno-sepa/7.png differ diff --git a/servers/haveno-sepa/8.1.png b/servers/haveno-sepa/8.1.png new file mode 100644 index 0000000..f03360a Binary files /dev/null and b/servers/haveno-sepa/8.1.png differ diff --git a/servers/haveno-sepa/8.2.png b/servers/haveno-sepa/8.2.png new file mode 100644 index 0000000..46e5547 Binary files /dev/null and b/servers/haveno-sepa/8.2.png differ diff --git a/servers/haveno-sepa/8.3.png b/servers/haveno-sepa/8.3.png new file mode 100644 index 0000000..62e4096 Binary files /dev/null and b/servers/haveno-sepa/8.3.png differ diff --git a/servers/haveno-sepa/8.4.png b/servers/haveno-sepa/8.4.png new file mode 100644 index 0000000..36fc389 Binary files /dev/null and b/servers/haveno-sepa/8.4.png differ diff --git a/servers/haveno-sepa/8.5.png b/servers/haveno-sepa/8.5.png new file mode 100644 index 0000000..6d142be Binary files /dev/null and b/servers/haveno-sepa/8.5.png differ diff --git a/servers/haveno-sepa/8.png b/servers/haveno-sepa/8.png new file mode 100644 index 0000000..1820dc5 Binary files /dev/null and b/servers/haveno-sepa/8.png differ diff --git a/servers/haveno-sepa/9.png b/servers/haveno-sepa/9.png new file mode 100644 index 0000000..6d142be Binary files /dev/null and b/servers/haveno-sepa/9.png differ diff --git a/servers/haveno-sepa/alice.png b/servers/haveno-sepa/alice.png new file mode 100644 index 0000000..b506371 Binary files /dev/null and b/servers/haveno-sepa/alice.png differ diff --git a/servers/haveno-sepa/bob.png b/servers/haveno-sepa/bob.png new file mode 100644 index 0000000..7602a70 Binary files /dev/null and b/servers/haveno-sepa/bob.png differ diff --git a/servers/haveno-sepa/index.html b/servers/haveno-sepa/index.html new file mode 100644 index 0000000..c8ceaae --- /dev/null +++ b/servers/haveno-sepa/index.html 
@@ -0,0 +1,220 @@ + + + + + + + + + + + Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-05-20

+

Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction

+ +

In this tutorial we're going to cover an instant SEPA transfer (which is a bank transfer) transaction for monero, this is one of the most popular payment options in the EU region. (for more details on how SEPA works, check out this, video). Instant SEPA was a personal favorite of mine back on the now defunct Localmonero, due to the speed of the transanction, the only requirement being that the other peer has a bank account that supports instant SEPA transfers.

+ +

If you want to install Haveno DEX (on the Haveno Reto network) check out this tutorial i previously made.

+

WARNING: SEPA transactions become risky when it starts to become large transactions and volumes over time:

+

+For SEPA, if you do big volume, also expect interrogation from KYC/Compliance department
+From request for SoF/PoI to full on phonecall interrogation, asking about specific groups of transactions
+Varies according to bank: some will ban, others will let you continue
+Once again, with EMIs and online banks they are less lenient, whereas with physical banks you have wiggle-room
+If you do get banned from an EMI/online bank, it is not uncommon to have IBANs associated with your name to be blacklisted (cannot receive from those EMIs/online banks)
+If you get banned from a physical bank, they may put your name on a fraud registry
+
+
+

In short, keep in mind that this may not be a reliable way to purchase monero in the long run especially if you do large transactions each time. (thanks xmrfamily for the infos)

+ + +
+
+
+
+ + +
+
+
+
+

Bob and Alice create their accounts

+ +

First step, you need to create your account in the application, in the account:

+ +

Then hit "Save account", and make sure you read carefully the trade protocol for SEPA bank transfers:

+ +

Currently we're limited to 3 XMR, but gradually over time we're going to be able to do up to 12 XMR trades at once after 60 days signing. This is to reduce chargebacks risks. One thing to note here is that we are able to create multiple sepa for xmr trades, unlike in our previous examples.

+

+ +

Here, Alice creates her account for sepa instant payments on her Haveno DEX, but in contrast to Bob, she wants to only allow payments from her own country (France), as for her, that reduces risks of having to transact to a bank that can't do Instant SEPA transfers:

+ + +
+
+
+
+ +
+
+
+
+

Instant SEPA bank transfer -> XMR Trade



+

Then Alice creates the new Offer to sell her XMR:

+ +

Here Alice wants to sell 0.1014 XMR at current market price (which amounts to 13 euros), and to fund her offer in total she needs to put in 0.201907 XMR as it includes her side of the security deposit.

+ +

Alice uses her monero wallet to fund the offer, and then it shows as pending on her Haveno DEX as Pending:

+ + +

Then once the offer is funded, the offer is enabled, and other peers can see Alice's offer on the Buy section:

+ +

+ +

Now from Bob's point of view, we see Alice's offer here, and we take the offer:

+ +

Bob also funds the offer as we explained here:

+ +

Bob confirms he want to buy monero:

+ + + +

Next, Bob has to pay 13 Euros to the Alice, via a bank transfer (SEPA instant) as he can now see her bank information:

+ +

Sidenote: Tying back to my explanation on why Decentralised exchanges are going to be very costly to an adversary that wants to deanonymize users, the adversary would have to massively fund offers in monero, and loose their side of the security deposit each time, in an attempt to try and regulate the end user directly, that's way harder than just knocking on a centralised exchange owner's door to ask him to / force him to deanonymize his entire userbase for the adversary. This is where the Haveno DEX multiplies potential adversaries' efforts manyfold compared to centralised exchanges.

+

So here Bob can follow this procedure to do the sepa instant transfer; he goes on his banking application to add Alice Liddell as a third-party account using her IBAN (see example IBANs per country in the EU here), and then he sends her the 13 euros as a transaction between private individuals, using the instant transaction feature provided by his Bank.

+ +

Once completed, Bob declares that he has sent payment. and in case if Alice tries to deny that she recieved payment, Bob can take a screenshot to prove that he has sent the payment, from his bank account by clicking on viewing more details on his transaction (checking the receipt). That way, in case if there is a dispute, (meaning if Alice tries to scam Bob), he will be on the right side of arbitration, and the Arbitrator will favor him.

+ +

Back to Alice's side, we see that the trade has been initiated:

+ +

So here Alice checks if she recieved payment on her account from the bank account of Bob (whose name just got revealed as "Bob Marley" with a specific IBAN) As a Buyer (like Bob), don't try to use a fake IBAN and name because the infos you use are going to be required by the XMR seller (Alice) to verify from whom the payment came from. The Arbitrators are likely to favor Alice if you use false banking information.

+ +

Alice just checked her banking application, she recieved payment from Bob Marley, and she clicks "Confirm payment Receipt" to complete the trade.

+ + +

And lastly, Bob gets his Monero without any issue (he needs to wait 20 minutes for the monero to be spendable from his haveno monero wallet):

+ + + +
+
+
+
+ + + +
+
+
+
+

Withdrawing your funds



+

And then he can also withdraw his monero from his Haveno DEX to his other monero wallet like so:

+ + + +

And that's it! We now covered one of the fastest and easiest way people can purchase and sell Monero in the EU region. Coming up next we'll cover how to do the most popular option there was on LocalMonero: Cash by Mail, it is the best option if you intend to exchange in large quantities.

+ +

Check out my other tutorials on Decentralised Finances below:

+
    +
  1. ✅ How to acquire and use Monero
  2. +
  3. ✅ Haveno Decentralised Exchange direct Fiat -> XMR transaction ⭐
  4. +
  5. ✅ Haveno DEX Dispute resolution (Fiat -> XMR)
  6. +
  7. ✅ Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction
  8. +
  9. ✅ Haveno DEX Cash By Mail -> XMR transaction ⭐

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
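Review bot: The page mentions only in passing that each peer's real name and IBAN are disclosed to the counterparty. It appears at the payment step ("as he can now see her bank information") and again when Alice checks the payment (Bob's name "just got revealed"). State this up front next to the existing SEPA warning, since it is the main privacy trade-off of this payment method and readers should know it before creating the account. The same applies to the advice that Bob screenshot his bank receipt for a dispute: say what that screenshot exposes to the arbitrator. Copy fixes in the added text: a full stop is missing between "with a specific IBAN)" and "As a Buyer", "Pending" is doubled in "shows as pending on her Haveno DEX as Pending", and "loose", "recieved" and "transanction" are misspelled.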
+ + + + + + + diff --git a/servers/hypervisorsetup/0.png b/servers/hypervisorsetup/0.png new file mode 100644 index 0000000..c4e135b Binary files /dev/null and b/servers/hypervisorsetup/0.png differ diff --git a/servers/hypervisorsetup/1.png b/servers/hypervisorsetup/1.png new file mode 100644 index 0000000..126bc8e Binary files /dev/null and b/servers/hypervisorsetup/1.png differ diff --git a/servers/hypervisorsetup/10.png b/servers/hypervisorsetup/10.png new file mode 100644 index 0000000..7181fa8 Binary files /dev/null and b/servers/hypervisorsetup/10.png differ diff --git a/servers/hypervisorsetup/11.png b/servers/hypervisorsetup/11.png new file mode 100644 index 0000000..650378d Binary files /dev/null and b/servers/hypervisorsetup/11.png differ diff --git a/servers/hypervisorsetup/12.png b/servers/hypervisorsetup/12.png new file mode 100644 index 0000000..0018773 Binary files /dev/null and b/servers/hypervisorsetup/12.png differ diff --git a/servers/hypervisorsetup/13.png b/servers/hypervisorsetup/13.png new file mode 100644 index 0000000..65737a5 Binary files /dev/null and b/servers/hypervisorsetup/13.png differ diff --git a/servers/hypervisorsetup/2.png b/servers/hypervisorsetup/2.png new file mode 100644 index 0000000..5cba1c7 Binary files /dev/null and b/servers/hypervisorsetup/2.png differ diff --git a/servers/hypervisorsetup/21.png b/servers/hypervisorsetup/21.png new file mode 100644 index 0000000..bcb6fa2 Binary files /dev/null and b/servers/hypervisorsetup/21.png differ diff --git a/servers/hypervisorsetup/22.png b/servers/hypervisorsetup/22.png new file mode 100644 index 0000000..d26cc5c Binary files /dev/null and b/servers/hypervisorsetup/22.png differ diff --git a/servers/hypervisorsetup/23.png b/servers/hypervisorsetup/23.png new file mode 100644 index 0000000..b460c44 Binary files /dev/null and b/servers/hypervisorsetup/23.png differ 
diff --git a/servers/hypervisorsetup/24.png b/servers/hypervisorsetup/24.png new file mode 100644 index 0000000..dfade64 Binary files /dev/null and b/servers/hypervisorsetup/24.png differ diff --git a/servers/hypervisorsetup/25.png b/servers/hypervisorsetup/25.png new file mode 100644 index 0000000..b74a9ba Binary files /dev/null and b/servers/hypervisorsetup/25.png differ diff --git a/servers/hypervisorsetup/26.png b/servers/hypervisorsetup/26.png new file mode 100644 index 0000000..9c8fb78 Binary files /dev/null and b/servers/hypervisorsetup/26.png differ diff --git a/servers/hypervisorsetup/27.png b/servers/hypervisorsetup/27.png new file mode 100644 index 0000000..1819a47 Binary files /dev/null and b/servers/hypervisorsetup/27.png differ diff --git a/servers/hypervisorsetup/28.png b/servers/hypervisorsetup/28.png new file mode 100644 index 0000000..cd0758f Binary files /dev/null and b/servers/hypervisorsetup/28.png differ diff --git a/servers/hypervisorsetup/29.png b/servers/hypervisorsetup/29.png new file mode 100644 index 0000000..9892e40 Binary files /dev/null and b/servers/hypervisorsetup/29.png differ diff --git a/servers/hypervisorsetup/3.png b/servers/hypervisorsetup/3.png new file mode 100644 index 0000000..076c18c Binary files /dev/null and b/servers/hypervisorsetup/3.png differ diff --git a/servers/hypervisorsetup/30.png b/servers/hypervisorsetup/30.png new file mode 100644 index 0000000..33acbc9 Binary files /dev/null and b/servers/hypervisorsetup/30.png differ diff --git a/servers/hypervisorsetup/31.png b/servers/hypervisorsetup/31.png new file mode 100644 index 0000000..a84adaf Binary files /dev/null and b/servers/hypervisorsetup/31.png differ diff --git a/servers/hypervisorsetup/32.png b/servers/hypervisorsetup/32.png new file mode 100644 index 0000000..84d3ebb Binary files /dev/null and b/servers/hypervisorsetup/32.png differ 
diff --git a/servers/hypervisorsetup/33.png b/servers/hypervisorsetup/33.png new file mode 100644 index 0000000..869c0e0 Binary files /dev/null and b/servers/hypervisorsetup/33.png differ diff --git a/servers/hypervisorsetup/34.png b/servers/hypervisorsetup/34.png new file mode 100644 index 0000000..72e41af Binary files /dev/null and b/servers/hypervisorsetup/34.png differ diff --git a/servers/hypervisorsetup/35.png b/servers/hypervisorsetup/35.png new file mode 100644 index 0000000..4571c30 Binary files /dev/null and b/servers/hypervisorsetup/35.png differ diff --git a/servers/hypervisorsetup/36.png b/servers/hypervisorsetup/36.png new file mode 100644 index 0000000..b8f71ec Binary files /dev/null and b/servers/hypervisorsetup/36.png differ diff --git a/servers/hypervisorsetup/37.png b/servers/hypervisorsetup/37.png new file mode 100644 index 0000000..1349a85 Binary files /dev/null and b/servers/hypervisorsetup/37.png differ diff --git a/servers/hypervisorsetup/38.png b/servers/hypervisorsetup/38.png new file mode 100644 index 0000000..d305ba4 Binary files /dev/null and b/servers/hypervisorsetup/38.png differ diff --git a/servers/hypervisorsetup/39.png b/servers/hypervisorsetup/39.png new file mode 100644 index 0000000..9bfca86 Binary files /dev/null and b/servers/hypervisorsetup/39.png differ diff --git a/servers/hypervisorsetup/4.png b/servers/hypervisorsetup/4.png new file mode 100644 index 0000000..b9ee7f1 Binary files /dev/null and b/servers/hypervisorsetup/4.png differ diff --git a/servers/hypervisorsetup/5.png b/servers/hypervisorsetup/5.png new file mode 100644 index 0000000..b44e392 Binary files /dev/null and b/servers/hypervisorsetup/5.png differ diff --git a/servers/hypervisorsetup/6.png b/servers/hypervisorsetup/6.png new file mode 100644 index 0000000..bada8d1 Binary files /dev/null and b/servers/hypervisorsetup/6.png differ 
diff --git a/servers/hypervisorsetup/7.png b/servers/hypervisorsetup/7.png new file mode 100644 index 0000000..926d7c9 Binary files /dev/null and b/servers/hypervisorsetup/7.png differ diff --git a/servers/hypervisorsetup/8.png b/servers/hypervisorsetup/8.png new file mode 100644 index 0000000..42b87db Binary files /dev/null and b/servers/hypervisorsetup/8.png differ diff --git a/servers/hypervisorsetup/9.png b/servers/hypervisorsetup/9.png new file mode 100644 index 0000000..550754f Binary files /dev/null and b/servers/hypervisorsetup/9.png differ diff --git a/servers/hypervisorsetup/999.png b/servers/hypervisorsetup/999.png new file mode 100644 index 0000000..908fb8a Binary files /dev/null and b/servers/hypervisorsetup/999.png differ diff --git a/servers/hypervisorsetup/index.html b/servers/hypervisorsetup/index.html new file mode 100644 index 0000000..fbb3b9f --- /dev/null +++ b/servers/hypervisorsetup/index.html @@ -0,0 +1,261 @@ + + + + + + + + + + + Linux Hypervisor Setup (QEMU/KVM virtualisation) + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-01-29

+

Linux Hypervisor Setup (QEMU/KVM virtualisation)

+ +

In this tutorial we're going to cover how to setup the open source hypervisor QEMU/KVM in Linux host OS, using the libvirt technology.

+ +
+
+
+
+ + +
+
+
+
+

Why should Bob use an open-source hypervisor ?

+

Bob has a problem, he wants to use his laptop for 4 different internet uses:

+ +

But currently, he has only one laptop with linux as the host OS.

+ +

So the idea basically is that Bob does not need to purchase 4 laptops each for a different usage, he just needs to virtualise those machines using a Hypervisor:

+ +

Bob is going to use a QEMU/KVM hypervisor to virtualize 4 VMs, each for a specific use. The windows VM will be for public use, the debian VM will be for the private use, the Whonix VM will be for Anonymous use, and the other whonix VMs in the veracrypt hidden volume be used for sensitive uses.

+ + + +
+
+
+
+ +
+
+
+
+ +

Virtualisation setup



+

Next we do not virtualize anything using closed-source software like VMWare Workstation or else. We use QEMU/KVM with virt-manager, which is an open source hypervisor:

+

+nihilist@debian:~# sudo apt install libvirt0 virt-manager dnsmasq bridge-utils
+
+sudo systemctl enable --now libvirtd
+
+nihilist@debian:~# sudo usermod -a -G libvirt nihilist
+nihilist@debian:~# sudo usermod -a -G kvm nihilist
+
+nihilist@debian:~# sudo vim /etc/libvirt/libvirtd.conf 
+nihilist@debian:~# cat /etc/libvirt/libvirtd.conf  | grep sock_group
+unix_sock_group = "libvirt"
+unix_sock_rw_perms = "0770"
+
+nihilist@debian:~#  sudo chmod 770 -R VMs 
+nihilist@debian:~#  sudo chown nihilist:libvirt -R VMs 
+
+nihilist@debian:~#  cat /etc/libvirt/qemu.conf
+group = "libvirt"
+user = "nihilist"
+
+nihilist@debian:~# systemctl restart libvirtd.service
+
+ virt-manager
+	
+
+

Next just make sure that the NAT network is created, and that the ISOs and VMs folders are with the correct permissions:

+ +

+nihilist@debian:~$ mkdir ISOs
+nihilist@debian:~$ mkdir VMs
+
+nihilist@debian:~$ sudo chmod 770 -R VMs  
+nihilist@debian:~$ sudo chmod 770 -R ISOs  
+	
+nihilist@debian:~$ sudo chown nihilist:libvirt -R VMs
+nihilist@debian:~$ sudo chown nihilist:libvirt -R ISOs
+
+ +

Then you can add the file directories in virt-manager like so:

+ + +

And now you're all set to start making VMs while maintaining the open-source requirement. If you still want to use a closed-source OS, you can do so in a QEMU VM from virt-manager. always remember that closed-source OSes like Windows belong in a VM, never out of one.

+ +

Additional notes: you can prevent an adversary to tamper with your laptop, by using glitter polish as shown in mullvad's tutorial, and also make sure that your phone does not have a closed-source host OS by using Graphene OS.

+ +
+
+
+
+ + + +
+
+
+
+

How to setup Vms for Public and Private use



+

Next, Bob needs to use VMs for 2 basic needs: Public internet usage, and Private internet usage. He first needs to download the Windows ISO file, and the debian iso file too:

+

First he creates the windows VM like so:

+ + + + + + + + + + + +

Then he creates the debian VM like so:

+ + +

Then in both VMs he installs the OS on the virtual disk:

+ + +

Then Bob can launch both VMs (make sure that the VM boots onto the disk instead of the iso in the boot settings):

+ + +

Then Bob can use the windows VM for his public usage (such as KYC services, and closed-source software), and use the debian VM for his private usage (any personal matter, with only open source software)

+

Next, Bob can setup a VPN by default into his debian VM.

+ + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
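Review bot: In the first command block under "Virtualisation setup", `sudo chmod 770 -R VMs` and `sudo chown nihilist:libvirt -R VMs` run before the `mkdir VMs` that only appears in the following block, so a reader following the steps in order gets a failure unless the directory already exists; the same two commands are then repeated after the mkdir. Suggest dropping them from the first block and keeping mkdir, chmod and chown together in the second one, with an absolute path, since the relative `VMs` depends on the current directory. In the same block, `systemctl restart libvirtd.service` is shown without sudo while every other privileged step uses it. `cat /etc/libvirt/qemu.conf` is shown printing only the `group` and `user` lines, which reads as if the file should contain nothing else; a grep like the one used for libvirtd.conf would fit better. A sentence stating that these two settings make QEMU processes run as the login user would also tell the reader what they are agreeing to.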
+ + + + + + + diff --git a/servers/hypervisorsetup/old.html b/servers/hypervisorsetup/old.html new file mode 100644 index 0000000..cc64b63 --- /dev/null +++ b/servers/hypervisorsetup/old.html @@ -0,0 +1,485 @@ + + + + + + + + + + + antiforensics Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-01-29

+

Linux Host OS Hardening, Virtualisation and Anti Forensics Setup

+ +

In this tutorial we're going to cover why it's important to have an Opensource host-OS and virtualisation software for privacy purposes and we're going to go through all the steps we need to set it up. We'll also cover how to harden the OS using kickstart (which was made by the whonix developers), and we'll look at how to virtualize VMs while still using opensource software.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

Most people talk about opsec, but they don't realize how bad their opsec is. You would'nt barricade your bedroom door before barricading the frontdoor right ? In this case, the hardware and the host OS are the front door, and the rest is inside your house. You are leaving your front door opened when you're using a closed source Host OS (for example Windows, or MacOS, or similar). Hence you need a Linux host OS. for example we're going to setup the latest Debian in this case.

+

+[ mainpc ] [ /dev/pts/4 ] [~/Downloads]
+→ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
+--2024-01-30 14:53:15--  https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
+Resolving cdimage.debian.org (cdimage.debian.org)... 194.71.11.165, 194.71.11.173, 194.71.11.163, ...
+Connecting to cdimage.debian.org (cdimage.debian.org)|194.71.11.165|:443... connected.
+HTTP request sent, awaiting response... 302 Found
+Location: https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso [following]
+--2024-01-30 14:53:15--  https://gemmei.ftp.acc.umu.se/debian-cd/current/amd64/iso-cd/debian-12.4.0-amd64-netinst.iso
+Resolving gemmei.ftp.acc.umu.se (gemmei.ftp.acc.umu.se)... 194.71.11.137, 2001:6b0:19::137
+Connecting to gemmei.ftp.acc.umu.se (gemmei.ftp.acc.umu.se)|194.71.11.137|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 658505728 (628M) [application/x-iso9660-image]
+Saving to: ‘debian-12.4.0-amd64-netinst.iso’
+
+debian-12.4.0-amd64-netinst.i 100%[=================================================>] 628.00M  6.85MB/s    in 83s
+
+2024-01-30 14:54:39 (7.55 MB/s) - ‘debian-12.4.0-amd64-netinst.iso’ saved [658505728/658505728]
+
+
+
+ +

Then flash it onto an usb stick (heres how you do it from linux below):

+

+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ lsblk
+NAME                     MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
+sda                        8:0    0  3.6T  0 disk
+sdb                        8:16   1 14.6G  0 disk
+└─sdb1                     8:17   1 14.6G  0 part  /media/nihilist/022E-0C69
+
+
+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ sudo umount /media/nihilist/022E-0C69
+umount: /media/nihilist/022E-0C69: not mounted.
+
+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ lsblk
+NAME                     MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
+sda                        8:0    0  3.6T  0 disk
+sdb                        8:16   1 14.6G  0 disk
+└─sdb1                     8:17   1 14.6G  0 part
+
+→ sudo dd if=debian-12.4.0-amd64-netinst.iso of=/dev/sdb1 bs=8M status=progress
+[sudo] password for nihilist:
+78+1 records in
+78+1 records out
+658505728 bytes (659 MB, 628 MiB) copied, 45.6007 s, 14.4 MB/s
+
+
+

You can use tools like balenaetcher to do the same from other OSes like Windows.

+

Now that's done, we need to reboot the host OS and get into the BIOS:

+ +

In this case we need to spam the F2 key upon booting to arrive into the BIOS. Then navigate to the Boot selection in order to boot to the USB key. for example it can be :

+ + + + +

Here instead you just choose the usb key you flashed the linux image on, and boot onto it. Then do as follows:

+ + +

Now that's done, follow the installation of the host OS on the harddrive you prefer. Make sure its' not LUKS encrypted, as Kicksecure still didn't fix the ram-wipe feature for LUKS systems (as of 30/01/2024). Besides, a simple LUKS encryption would not be enough in a situation where you are forced to give out your password. (see veracrypt's details on Plausible Deniability.)

+ + + + + +

Then make sure it has a desktop environment (i recommend cinnamon).

+ +

Then let the install finish and then reboot the computer and remove the usb key, it should then boot into a clean host OS.

+ + + + +
+
+
+
+ +
+
+
+
+

Host OS Hardening (Debian -> Kicksecure)



+

Now that we're in our host OS, let's harden it by turning it into a Kicksecure distro:

+

+su -
+apt update ; apt full-upgrade ; apt install --no-install-recommends sudo adduser curl apt-transport-tor tor torsocks
+
+/usr/sbin/addgroup --system console
+
+/usr/sbin/adduser nothing console	#replace nothing with your username
+/usr/sbin/adduser nothing sudo		#replace nothing with your username
+
+reboot now
+
+
+

After rebooting, install kicksecure like so: (beware it must be done as the user mentionned above. in this case user is nothing:

+

+nothing@debian:~$ sudo apt update -y ; sudo apt full-upgrade -y 
+	
+
+

Then we download the kicksecure keyring via tor:

+

+nothing@debian:~$ sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc
+nothing@debian:~$ echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
+	
+nothing@debian:~$ sudo apt update -y
+Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
+Hit:2 http://deb.debian.org/debian bookworm InRelease                            
+Hit:3 http://deb.debian.org/debian bookworm-updates InRelease                    
+Get:4 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm InRelease [39.6 kB]
+Get:5 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/main amd64 Packages [34.3 kB]
+Get:6 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/contrib amd64 Packages [506 B]                
+Get:7 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/non-free amd64 Packages [896 B]               
+Fetched 75.3 kB in 31s (2,419 B/s)                                                                                                         
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+All packages are up to date.
+
+nothing@debian:~$ sudo apt full-upgrade -y
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+Calculating upgrade... Done
+0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
+
+sudo apt install --no-install-recommends kicksecure-cli-host -y
+#tor connection may crash sometimes, so just relaunch that command again if it fails
+
+
+

Then we do the Post-upgrade steps:

+

+sudo mv /etc/apt/sources.list ~/
+sudo touch /etc/apt/sources.list
+	
+sudo reboot now
+
+

Then as you reboot you'll see that grub shows that it's now kicksecure instead of debian:

+ + +

Next, we make sure that unattended upgrades are activated so that minor package updates are automatically carried out by the system.

+

+nothing@debian:~$ sudo apt install unattended-upgrades apt-listchanges -y
+nothing@debian:~$ sudo dpkg-reconfigure -plow unattended-upgrades
+	
+
+ +

Next we're going to make sure that the ram gets overwritten upon shutdowns to prevent cold boot attacks.

+

+nothing@debian:~$ sudo apt install --no-install-recommends ram-wipe 
+	
+
+ +

If you are testing from a VM, you need to do the following:

+

+nothing@debian:~$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"' | sudo tee -a /etc/default/grub.d/50_user.cfg
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT wiperam=force"
+
+nothing@debian:~$ sudo update-grub
+Generating grub configuration file ...
+Found background image: .background_cache.png
+Found linux image: /boot/vmlinuz-6.1.0-17-amd64
+Found initrd image: /boot/initrd.img-6.1.0-17-amd64
+Found linux image: /boot/vmlinuz-6.1.0-15-amd64
+Found initrd image: /boot/initrd.img-6.1.0-15-amd64
+Warning: os-prober will not be executed to detect other bootable partitions.
+Systems on them will not be added to the GRUB boot configuration.
+Check GRUB_DISABLE_OS_PROBER documentation entry.
+done
+	
+
+ +

Then you can test if it's working by rebooting and checking the shutdown output logs.Next, we're going to trim out what we don't need from our Host OS. First and foremost, let's get rid of all the logs (both system and kernel logs) on the system. We first make sure that logs are cleared upon startup like so:

+

+root@debian:~# cat startup.sh
+#!/bin/bash
+sudo rm -rf /var/log
+sudo rm -rf /dev/shm/*
+
+sudo ln -s /dev/shm /var/log
+
+sudo dmesg -c
+sudo dmesg -n 1
+sudo dmesg -c
+
+#also uncomment the kernel.printk line in /etc/sysctl.conf to avoid the kernel from printing out errors
+
+root@debian:~# chmod +x startup.sh
+
+root@debian:~# vim /etc/sysctl.conf
+
+root@debian:~# cat /etc/sysctl.conf | grep printk
+kernel.printk = 3 4 1 3
+	
+
+root@debian:~# vim /etc/systemd/system/startup.service
+
+root@debian:~# cat /etc/systemd/system/startup.service
+[Unit]
+Description=Clearing logs at startup
+Wants=network.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/root/startup.sh
+TimeoutStartSec=0
+
+[Install]
+WantedBy=shutdown.target
+
+root@debian:~# systemctl daemon-reload 
+
+root@debian:~# systemctl enable startup
+Created symlink /etc/systemd/system/shutdown.target.wants/startup.service → /etc/systemd/system/startup.service.
+	
+
+ +

Then we make sure that logs are being cleared out minutely:

+

+root@debian:~# cat removelogs.sh
+#!/bin/bash
+
+rm -rf /dev/shm/*
+rm -rf /var/log/*
+dmesg -c
+
+root@debian:~# chmod +x removelogs.sh
+
+root@debian:~# crontab -e
+	
+
+ +

Then we make sure that logs are cleared out upon shutdown, along with VMs shutdowns if there are any, veracrypt volumes closing, and log cleanups:

+

+root@debian:~# vim shutdown.sh
+root@debian:~# cat shutdown.sh
+#!/bin/bash
+
+#remove VMs
+
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-External
+
+#then unmount veracrypt volumes
+
+sudo veracrypt -d  -f
+
+# then cleanup logs
+
+sudo rm -rf /dev/shm/*
+sudo rm -rf /var/log/*
+sudo dmesg -c
+
+root@debian:~# chmod +x shutdown.sh
+
+root@debian:~# vim /etc/systemd/system/shutdown.service
+root@debian:~# cat /etc/systemd/system/shutdown.service
+[Unit]
+Description=Shutdown Anti forensics
+DefaultDependencies=no
+Before=shutdown.target reboot.target halt.target
+
+[Service]
+Type=oneshot
+ExecStart=/root/shutdown.sh
+TimeoutStartSec=0
+
+[Install]
+WantedBy=shutdown.target reboot.target halt.target
+root@debian:~# systemctl daemon-reload
+root@debian:~# systemctl enable shutdown
+Created symlink /etc/systemd/system/shutdown.target.wants/shutdown.service → /etc/systemd/system/shutdown.service.
+Created symlink /etc/systemd/system/reboot.target.wants/shutdown.service → /etc/systemd/system/shutdown.service.
+Created symlink /etc/systemd/system/halt.target.wants/shutdown.service → /etc/systemd/system/shutdown.service.
+	
+
+

Then you can reboot to see that all logs are removed as intended:

+

+sudo reboot now
+
+root@debian:~# ls -lash /var | grep log
+   0 lrwxrwxrwx  1 root root     8 Jan 30 14:13 log -> /dev/shm
+
+root@debian:~# tail -f /var/log/*.log 
+tail: cannot open '/var/log/*.log' for reading: No such file or directory
+tail: no files remaining
+
+root@debian:~# tail -f /dev/shm/*.log 
+tail: cannot open '/dev/shm/*.log' for reading: No such file or directory
+tail: no files remaining
+
+root@debian:~# dmesg
+root@debian:~# 
+
+
+

+ +
+
+
+
+ + + +
+
+
+
+

Virtualisation setup



+

Next step, we do not virtualize anything using closed-source software like vmware or else. We use QEMU/KVM with virt-manager:

+

+nothing@debian:~# sudo apt install libvirt0 virt-manager dnsmasq bridge-utils
+
+sudo systemctl enable --now libvirtd
+
+nothing@debian:~# sudo usermod -a -G libvirt nothing
+nothing@debian:~# sudo usermod -a -G kvm nothing
+
+nothing@debian:~# sudo vim /etc/libvirt/libvirtd.conf 
+nothing@debian:~# cat /etc/libvirt/libvirtd.conf  | grep sock_group
+unix_sock_group = "libvirt"
+unix_sock_rw_perms = "0770"
+
+nothing@debian:~#  sudo chmod 770 -R VMs 
+nothing@debian:~#  sudo chown nothing:libvirt -R VMs 
+
+nothing@debian:~#  cat /etc/libvirt/qemu.conf
+group = "libvirt"
+user = "nothing"
+
+nothing@debian:~# systemctl restart libvirtd.service
+
+ virt-manager
+	
+
+

Next just make sure that the NAT network is created, and that the ISOs and VMs folders are with the correct permissions:

+ +

+nothing@debian:~$ mkdir ISOs
+nothing@debian:~$ mkdir VMs
+
+nothing@debian:~$ sudo chmod 770 -R VMs  
+nothing@debian:~$ sudo chmod 770 -R ISOs  
+	
+nothing@debian:~$ sudo chown nothing:libvirt -R VMs
+nothing@debian:~$ sudo chown nothing:libvirt -R ISOs
+
+ +

Then you can add the file directories in virt-manager like so:

+ + +

And now you're all set to start making VMs while maintaining the open-source requirement.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
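Review bot: The unit in /etc/systemd/system/startup.service is described as "Clearing logs at startup", but its [Install] section says `WantedBy=shutdown.target`, and the `systemctl enable startup` output confirms the symlink lands in shutdown.target.wants, so startup.sh is pulled in at shutdown rather than at boot. If boot-time cleanup is the intent, `WantedBy=multi-user.target` is the usual choice, and the `Wants=network.target` / `After=network-online.target` pair looks unnecessary for a script that only touches local files. Further points in the same hunk: shutdown.sh runs `net-undefine Whonix-External` twice and never undefines Whonix-Internal. The flashing step writes the ISO with `of=/dev/sdb1`, a partition, where the whole device `/dev/sdb` is the target needed for the stick to boot, and the downloaded ISO is never checked against a checksum before being written. The `crontab -e` step for removelogs.sh shows no crontab entry, so the schedule announced in the text is left to the reader.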
+ + + + + + + diff --git a/servers/index.html b/servers/index.html new file mode 100644 index 0000000..c3a3f38 --- /dev/null +++ b/servers/index.html @@ -0,0 +1,511 @@ + + + + + + + + + + Server Installations + + + + + + +
+
+
+
+ Previous Page

Server Installations

+

Just a bunch of scripts and tutorials that i personally use, to setup servers in an automated or quickest possible way. + For servers that can't be setup using scripts, i create step-by-step tutorials to set them up properly. + I have a certain quality standard as to how i do these tutorials, if there are any improvements i can do on them please let me know. +


+

+ CONTRIBUTORS : +

    +
  1. Nihilist
  2. +
  3. Notorious
  4. +
+ +

+

+LEGAL DISCLAIMER:
+Across the entirety of my blog, in all articles that I made, I advocate for the legal use of technologies, even when I am talking about Privacy-enhancing and Anonymity-enabling technologies. In no way am I advocating for any illegal use of any technology showcased in any article on my blog, as the goal of this blog is to remain stricly informative and educative.
+
+I decline any and all responsibility for any mis-use of any of the technology i showcase in the entirety of my blog. I also decline any and all responsibility for any physical, digital and psychological damage caused by the mis-use of any showcased technology, as the responsibility of such acts remains with the perpretating third-party. By reading this blog, you permanently, irrevocably and world-widely agree that I am in no way am responsible for any illegal action done by you or anyone that uses any of the showcased technology in my blog articles.
+
+
+ + +
+
+
+
+
+
+
+
+

Setting up Servers

+
+ +

📝 Security

+
    +
  1. ✅ Physical Surveillance (rpi + webcams)
  2. +
+ +

📝 Privacy Front-ends

+
    +
  1. ✅ SearxNG: privacy front-end for web-browsing
  2. +
  3. ✅ 4get: privacy front-end for web-browsing
  4. +
  5. ✅ Whoogle: privacy front-end for Google
  6. +
  7. ✅ Invidious: privacy front-end for Youtube
  8. +
  9. ✅ Nitter: privacy front-end for Twitter
  10. +
  11. ✅ AnonymousOverflow: privacy front-end for StackOverflow
  12. +
  13. ✅ Teddit: (DISCONTINUED) privacy front-end for Reddit
  14. +
  15. ✅ SafeTwitch: privacy front-end for Twitch
  16. +
  17. ✅ Wikiless: privacy front-end for wikipedia
  18. +
  19. ✅ Proxitok: privacy front-end for tiktok
  20. +
  21. ✅ Librex: privacy front-end for google
  22. +
+ +

📝 Productivity

+
    +
  1. ✅ RSS Feeds
  2. +
  3. ✅ RustDesk (open source teamviewer alternative)
  4. + +
  5. ✅ Perlite (Obsidian Notes)
  6. +
  7. ✅ Gitea
  8. +
  9. ✅ Nginx Nextcloud Server
  10. +
  11. ✅ Nginx Kanboard
  12. +
  13. ✅ Privatebin
  14. +
  15. ✅ Jitsi
  16. +
  17. ✅ CyberChef
  18. +
  19. ✅ GLPI
  20. +
  21. ✅ FreshRSS
  22. +
  23. ✅ PlainPad
  24. +
  25. ✅ MyMind+Mindmaps
  26. +
  27. ✅ hat.sh file encryption
  28. + +


+

💻 Collaborative Work

+
    +
  1. ✅ Matrix chat with VoIP support
  2. +
  3. ✅ Etherpad
  4. +
  5. ✅ Cryptpad
  6. +
  7. ✅ CodiMD
  8. +
  9. ✅ ShareLateX
  10. + +


+
+
+ +

⭐ Personal Favorites

+
    +
  1. ✅ Anonymity Management (Whonix, Veracrypt Plausible Deniability)⭐
  2. +
  3. ✅ Public Mail service over VPN over Tor ⭐
  4. +
  5. ✅ GTX 1050 PCI Passthrough to QEMU VM
  6. +
  7. ✅ Lainon Radio (mpd, icecast, nginx)
  8. +
  9. ✅ NGINX - RTMP HLS + HTTPS
  10. +
  11. ✅ Perlite (Obsidian Notes)
  12. +
    +
  13. ✅ Openvpn Over Tor Server Setup
  14. +
  15. ✅ HTTP Service over VPN over Tor
  16. +
  17. ✅ Nginx Zabbix Server, with SNMPv3 Hosts
  18. +
  19. ✅ Nginx Nextcloud Server
  20. +
  21. ✅ Leela Chess Zero
  22. +


+ + + +

🪟 Windows Server

+
    +
  1. ✅ WS2019 QEMU setup
  2. +
  3. ✅ DNS setup
  4. +
  5. ✅ Active Directory (AD) setup
  6. +
  7. ✅ AD + Users and Groups setup
  8. + + +
  9. ✅ WS2019 DNS + AD Proxmox setup
  10. +
  11. ✅ LDAP + SSL setup
  12. +
  13. ✅ WS2019 Triple DFS Share replication
  14. + +


+ + + + + + + + +

🎦 Media

+
    +
  1. ✅ Stable Diffusion (Easy Diffusion) AI text to image generation
  2. +
  3. ✅ NGINX - RTMP HLS + HTTPS
  4. +
  5. ✅ Lainon Radio (mpd, icecast, nginx)
  6. +
  7. ✅ Neko (rabb.it replacement)
  8. +
  9. ✅ Hydrus Network Client
  10. +
  11. ✅ Asciinema Server
  12. + +


+ + +

+

🟦 pfSense Administration

+
    +
  1. ✅ pfsense on virt-manager
  2. +
  3. ✅ pfsense on proxmox
  4. + + + +
  5. ✅ pfsense Site to Site VPN
  6. + + +


+

🐐 Debian Server Administration

+
    +
  1. ✅ Debian 12 Bookworm Upgrade
  2. +
  3. ✅ Mdadm raid 1 setup
  4. +
  5. ✅ External Drives with LUKS encryption
  6. +
  7. ✅ Simple NGINX setup with HTTPS
  8. +
  9. ✅ NGINX + fail2ban
  10. +
  11. ✅ Protect SSH with fail2ban
  12. +
  13. ✅ Haproxy Load Balancing
  14. +
  15. ✅ NGINX Load Balancing
  16. +
  17. ✅ XRDP
  18. +
  19. ✅ Apt-Cacher Linux Proxy
  20. + +


+

🔁 Automation

+
    +
  1. ✅ Automatic Debian updates (via unattended upgrades)
  2. +
  3. ✅ Automatic Debian / Arch Updates
  4. +
  5. ✅ Updating Debian10 Clusters with Ansible
  6. + + +


+ + +

🖥️ Monitoring

+
    +
  1. ✅ Uptime Kuma
  2. +
  3. ✅ SNMP (Debian, Windows, PfSense)
  4. +
  5. ✅ Nginx Zabbix Server
  6. +
  7. ✅ Nginx LibreNMS Server
  8. + + +
  9. ✅ Nginx Observium Server
  10. +
  11. ✅ Prometheus Grafana Server
  12. +
  13. ✅ CheckMK Server
  14. + + + +
  15. ✅ T-Pot Honeypot
  16. +
  17. +


+ +

📧 Mail

+
    + +
  1. ✅ VPS PUBLIC Mailserver (postfix, dovecot, spamassassin, OpenDKIM)
  2. +
  3. ✅ Rainloop
  4. +
  5. ✅ Local hMailServer + Thunderbird with self-signed SSL
  6. +


+










+
+

📜 Scripted Setups:

+
    +
  1. ✅ Openvpn Server
  2. +
  3. ✅ Wireguard Server
  4. +
  5. ✅ Simple SSH Server
  6. +
  7. ✅ RDP Connections
  8. +
  9. ✅ Simple FTP server
  10. +
  11. ✅ Simple WebDav server
  12. +
  13. ✅ Snapd Nextcloud Server
  14. + +


+

🚧Complete Professionnal Projects

+
    +
  1. ✅ E4 Network Monitoring (SNMP + GLPI)
  2. +
  3. ✅ E4 - SP1 Nextcloud 🇫🇷
  4. +
  5. ✅ E4 - SP2 pfSense VPN 🇫🇷
  6. +


+ + +

🗄️ Databases

+
    +
  1. ✅ PostgreSQL Master-Slave Replication
  2. +
  3. ✅ PostgreSQL Master-Master (Bucardo)
  4. + + + +
  5. ✅ PostgreSQL Front-End: PgAdmin4
  6. +
  7. ✅ MySQL Master-Slave Replication
  8. +
  9. ✅ MySQL Master-Master Replication
  10. + +
  11. ✅ MySQL Front-End: PHPMyAdmin
  12. + +


+ +

🚢 Docker - Management

+
    +
  1. ✅ Docker automatic image updates setup
  2. +
  3. ✅ Docker setup
  4. +
  5. ✅ Dozzle (Docker Logs)
  6. +
  7. ✅ Portainer.io
  8. +
  9. ✅ Nginx Proxy Manager
  10. + +


+

🚢 Docker - Containers

+
    +
  1. ✅ Dillinger
  2. +
  3. ✅ Kutt URL Shortener
  4. +
  5. ✅ Searx
  6. + +


+ + +

📦 Backups

+
    +
  1. ✅ Rsync Automation with SSH Keys (PUSH backups)
  2. +
  3. ✅ Borg Backup Usage (PUSH backups)
  4. +
  5. ✅ Borg Backup Automation (PUSH backups)
  6. + + + + +


+ +

🔍 Search Engines

+
    +
  1. ✅ Gomez (Torrents)
  2. +


+

⚠️ Minimal / Experimental / Games

+
    +
  1. ✅ KVM/QEMU : Multiple displays per VM + clipboard copy paste
  2. +
  3. ✅ Port forward from local services to VPSes
  4. +
  5. ✅ Bedrock Linux: kali tools on arch linux
  6. +
  7. ✅ GTX 1050 PCI Passthrough to QEMU VM
  8. +
  9. ✅ PHP LainSafe
  10. +
  11. ✅ CGI LainSafe
  12. +
  13. ✅ Colored MOTDs
  14. +
  15. ✅ Leela Chess Zero
  16. +
  17. ✅ TF2 Server (ubuntu)
  18. +
  19. ✅ Modded Minecraft Server
  20. + + + +


+ + +

+
+
+ +

📡 DNS

+
    +
  1. ✅ Bind9 dyndns + dnssec + slave master
  2. + +
  3. ✅ Tor Anonymous DNS
  4. +
  5. ✅ pihole DNS
  6. +


+ +
+
+ +

📑 Blogging

+
    +
  1. ✅ Ghost
  2. +


+ +

💬 Chat

+
    +
  1. ✅ rocket.chat
  2. +
  3. ✅ TheLounge (with inspircd)
  4. +
  5. ✅ inspIRCd (no ssl, with password)
  6. + + +


+

🧊 General Virtualisation

+
    +
  1. ✅ virt-manager with NAT setup
  2. +
  3. ✅ VMWare Workstation Pro
  4. + +


+ + + +












































+ +
+ +
+ +
+
+ +
+
+ +
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
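Review bot: Spelling in the LEGAL DISCLAIMER block and one section title needs a pass: "stricly" should be "strictly", "perpretating" should be "perpetrating", "I am in no way am responsible" has a doubled "am", and "Complete Professionnal Projects" should read "Professional". Several entries are also listed twice, once under "Personal Favorites" and once under their own category (Perlite, Nginx Nextcloud Server, Lainon Radio, NGINX - RTMP HLS + HTTPS, GTX 1050 PCI Passthrough, Leela Chess Zero); if that is deliberate it is fine, otherwise keep one copy of each.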
+ + + + + + + diff --git a/servers/internetsegmentation/1.png b/servers/internetsegmentation/1.png new file mode 100644 index 0000000..336bd28 Binary files /dev/null and b/servers/internetsegmentation/1.png differ diff --git a/servers/internetsegmentation/2.png b/servers/internetsegmentation/2.png new file mode 100644 index 0000000..4cb6d2e Binary files /dev/null and b/servers/internetsegmentation/2.png differ diff --git a/servers/internetsegmentation/3.png b/servers/internetsegmentation/3.png new file mode 100644 index 0000000..dcd3013 Binary files /dev/null and b/servers/internetsegmentation/3.png differ diff --git a/servers/internetsegmentation/4.png b/servers/internetsegmentation/4.png new file mode 100644 index 0000000..d3045ea Binary files /dev/null and b/servers/internetsegmentation/4.png differ diff --git a/servers/internetsegmentation/5.png b/servers/internetsegmentation/5.png new file mode 100644 index 0000000..9d7ae45 Binary files /dev/null and b/servers/internetsegmentation/5.png differ diff --git a/servers/internetsegmentation/6.png b/servers/internetsegmentation/6.png new file mode 100644 index 0000000..2e0f3b8 Binary files /dev/null and b/servers/internetsegmentation/6.png differ diff --git a/servers/internetsegmentation/index.html b/servers/internetsegmentation/index.html new file mode 100644 index 0000000..d00c0dc --- /dev/null +++ b/servers/internetsegmentation/index.html @@ -0,0 +1,205 @@ + + + + + + + + + + + Internet Usage Segmentation Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-26

+

Internet Usage Segmentation Setup

+

In this tutorial we're going to cover how to properly segment your internet usage. This is the most common opsec practice that you should always use. We're going to base ourselves off from the pyramid of internet use that we have seen previously, to be able to replicate each of the 4 OPSEC levels into our current setup:

+ + +
+
+
+
+ + +
+
+
+
+

Different Internet Usage

+

The most common OPSEC mistake out there is the lack of internet usage segmentation. Most people don't have this reflex when they first discover Anonymity and Privacy online. Thing is, it is not possible to be fully anonymous for everything that you do online, there will always be some service that is vital to you, which you will need to access with your real world identity (for example, to access your bank account, or some insurance website, etc). However it is definitely possible to implement proper internet usage segmentation:

+ +

In this case we're going to differentiate 4 types of Internet usage:

+ +

Internet Uses:

+
    +
  1. Public use: What you do is public knowledge

  2. +
  3. Private use: What you do is not meant to be known (private)

  4. +
  5. Anonymous use: What you do is meant to be done without revealing your identity

  6. +
  7. Sensitive use: What you do is meant to remain secret at all cost, only to be known by you

  8. +
+

With each different Internet usage, we have different requirements:

+ +

Requirements:

+
    +
  1. Public use: No requirement ; you can use closed source software (meaning it's all public)

  2. +
  3. Private use: only open source software, + you use a pseudonym, to practice privacy

  4. +
  5. Anonymous use: open source, using a false identity to practice anonymity, not sensitive

  6. +
  7. Sensitive use: open source, using an other false identity and must be plausibly deniable

  8. +
+

Now with this we identified the 4 most typical internet use cases, and their requirements.

+
+
+
+
+ +
+
+
+
+

Identity Management



+

As we said previously, segmentation is required for each internet use. This extends to the Identity you use online. For example you cannot use your real name when trying to use the internet anonymously. So you need a different identity for each use case:

+ +

Different Identities:

+
    +
  1. Public Identity: Linus Torvalds (used on websites that ask for your identity)

  2. +
  3. Private Identity: Nihilist (used on websites that may KYC, but pseudonym is preferred)

  4. +
  5. Anonymous Identity: ZacharyJr (used on anonymous websites, non-sensitive use)

  6. +
  7. Sensitive Identity: Dread Pirate Roberts (used on anonymous websites, sensitive use)

  8. +
+

The important thing here is that you must make sure that each identity have nothing in common, it must always remain impossible for and adversary to be able to link those identities together.

+ + +
+
+
+
+ + + +
+
+
+
+

Multiple Virtual Machines (VMs)



+

To help you implement your internet usage segmentation, you can use VMs to make sure the segmentation is present inside the system:

+ +

Virtual Machines:

+
    +
  1. Public use: No requirement ; you can use a windows VM for all closed source software and KYC use

  2. +
  3. Private use: you can use a Debian VM, with only open source software (ex:matrix and element)

  4. +
  5. Anonymous use: you can use Whonix VMs, (can also have a with a Tor -> VPN setup)

  6. +
  7. Sensitive use: You can use Whonix VMs, but they need to be inside a veracrypt hidden volume

  8. +
+ +
+
+
+
+ + + + +
+
+
+
+

Internet Usage Segmentation Recap



+

Now with this setup, one can segment their Internet use with a system implementation (VMs) along with the associated Identities for each usecase.

+ +

For further details on how to dissect your OPSEC, check out this tutorial here, because using the right technologies is only the first half of the work, you also need to have the correct behavior while using them.

+ +
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
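Review bot: In the "Multiple Virtual Machines (VMs)" list, the Anonymous use item reads "you can use Whonix VMs, (can also have a with a Tor -> VPN setup)". Words are missing after "have a", so the reader cannot tell what is meant to be combined with the Tor -> VPN setup; please complete the sentence. In "Identity Management", "each identity have nothing in common, it must always remain impossible for and adversary" should read "each identity has nothing in common" and "for an adversary". The recap says the VMs come "along with the associated Identities", but the VM list names only guest systems. Consider stating on each VM item which of the four identities is used inside it, so the pairing is explicit rather than inferred from the parallel list order.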
+ + + + + + + diff --git a/servers/linux/0.png b/servers/linux/0.png new file mode 100644 index 0000000..645ee61 Binary files /dev/null and b/servers/linux/0.png differ diff --git a/servers/linux/1.5.png b/servers/linux/1.5.png new file mode 100644 index 0000000..be01331 Binary files /dev/null and b/servers/linux/1.5.png differ diff --git a/servers/linux/1.png b/servers/linux/1.png new file mode 100644 index 0000000..e9ded0f Binary files /dev/null and b/servers/linux/1.png differ diff --git a/servers/linux/10.png b/servers/linux/10.png new file mode 100644 index 0000000..7d53c1a Binary files /dev/null and b/servers/linux/10.png differ diff --git a/servers/linux/11.png b/servers/linux/11.png new file mode 100644 index 0000000..028e7d3 Binary files /dev/null and b/servers/linux/11.png differ diff --git a/servers/linux/12.png b/servers/linux/12.png new file mode 100644 index 0000000..16685a2 Binary files /dev/null and b/servers/linux/12.png differ diff --git a/servers/linux/13.png b/servers/linux/13.png new file mode 100644 index 0000000..41e24e6 Binary files /dev/null and b/servers/linux/13.png differ diff --git a/servers/linux/14.png b/servers/linux/14.png new file mode 100644 index 0000000..bf76385 Binary files /dev/null and b/servers/linux/14.png differ diff --git a/servers/linux/15.png b/servers/linux/15.png new file mode 100644 index 0000000..c6e64e0 Binary files /dev/null and b/servers/linux/15.png differ diff --git a/servers/linux/16.png b/servers/linux/16.png new file mode 100644 index 0000000..aed2a58 Binary files /dev/null and b/servers/linux/16.png differ diff --git a/servers/linux/17.png b/servers/linux/17.png new file mode 100644 index 0000000..2a5c615 Binary files /dev/null and b/servers/linux/17.png differ diff --git a/servers/linux/18.png b/servers/linux/18.png new file mode 100644 index 0000000..9ad998c Binary files /dev/null and b/servers/linux/18.png differ 
diff --git a/servers/linux/19.png b/servers/linux/19.png new file mode 100644 index 0000000..11d36a8 Binary files /dev/null and b/servers/linux/19.png differ diff --git a/servers/linux/2.png b/servers/linux/2.png new file mode 100644 index 0000000..8c3a6eb Binary files /dev/null and b/servers/linux/2.png differ diff --git a/servers/linux/20.png b/servers/linux/20.png new file mode 100644 index 0000000..a14cab7 Binary files /dev/null and b/servers/linux/20.png differ diff --git a/servers/linux/21.png b/servers/linux/21.png new file mode 100644 index 0000000..cfad5a0 Binary files /dev/null and b/servers/linux/21.png differ diff --git a/servers/linux/22.png b/servers/linux/22.png new file mode 100644 index 0000000..a02b530 Binary files /dev/null and b/servers/linux/22.png differ diff --git a/servers/linux/23.png b/servers/linux/23.png new file mode 100644 index 0000000..a410311 Binary files /dev/null and b/servers/linux/23.png differ diff --git a/servers/linux/24.png b/servers/linux/24.png new file mode 100644 index 0000000..8877f1e Binary files /dev/null and b/servers/linux/24.png differ diff --git a/servers/linux/25.png b/servers/linux/25.png new file mode 100644 index 0000000..4ad4302 Binary files /dev/null and b/servers/linux/25.png differ diff --git a/servers/linux/26.png b/servers/linux/26.png new file mode 100644 index 0000000..5939dad Binary files /dev/null and b/servers/linux/26.png differ diff --git a/servers/linux/27.png b/servers/linux/27.png new file mode 100644 index 0000000..4958bc8 Binary files /dev/null and b/servers/linux/27.png differ diff --git a/servers/linux/28.png b/servers/linux/28.png new file mode 100644 index 0000000..54077f3 Binary files /dev/null and b/servers/linux/28.png differ diff --git a/servers/linux/29.png b/servers/linux/29.png new file mode 100644 index 0000000..03e8d7f Binary files /dev/null and b/servers/linux/29.png differ 
diff --git a/servers/linux/3.png b/servers/linux/3.png new file mode 100644 index 0000000..bc323fb Binary files /dev/null and b/servers/linux/3.png differ diff --git a/servers/linux/30.png b/servers/linux/30.png new file mode 100644 index 0000000..e191743 Binary files /dev/null and b/servers/linux/30.png differ diff --git a/servers/linux/31.png b/servers/linux/31.png new file mode 100644 index 0000000..2a29314 Binary files /dev/null and b/servers/linux/31.png differ diff --git a/servers/linux/32.png b/servers/linux/32.png new file mode 100644 index 0000000..dec499b Binary files /dev/null and b/servers/linux/32.png differ diff --git a/servers/linux/33.png b/servers/linux/33.png new file mode 100644 index 0000000..ffc29eb Binary files /dev/null and b/servers/linux/33.png differ diff --git a/servers/linux/34.png b/servers/linux/34.png new file mode 100644 index 0000000..d1db5b9 Binary files /dev/null and b/servers/linux/34.png differ diff --git a/servers/linux/35.png b/servers/linux/35.png new file mode 100644 index 0000000..feeb28a Binary files /dev/null and b/servers/linux/35.png differ diff --git a/servers/linux/36.png b/servers/linux/36.png new file mode 100644 index 0000000..9650f95 Binary files /dev/null and b/servers/linux/36.png differ diff --git a/servers/linux/37.png b/servers/linux/37.png new file mode 100644 index 0000000..26f477b Binary files /dev/null and b/servers/linux/37.png differ diff --git a/servers/linux/38.png b/servers/linux/38.png new file mode 100644 index 0000000..58af6fb Binary files /dev/null and b/servers/linux/38.png differ diff --git a/servers/linux/39.png b/servers/linux/39.png new file mode 100644 index 0000000..9d71808 Binary files /dev/null and b/servers/linux/39.png differ diff --git a/servers/linux/4.png b/servers/linux/4.png new file mode 100644 index 0000000..2e089c0 Binary files /dev/null and b/servers/linux/4.png differ 
diff --git a/servers/linux/40.png b/servers/linux/40.png new file mode 100644 index 0000000..d348f97 Binary files /dev/null and b/servers/linux/40.png differ diff --git a/servers/linux/41.png b/servers/linux/41.png new file mode 100644 index 0000000..8f400ea Binary files /dev/null and b/servers/linux/41.png differ diff --git a/servers/linux/42.png b/servers/linux/42.png new file mode 100644 index 0000000..bd876c5 Binary files /dev/null and b/servers/linux/42.png differ diff --git a/servers/linux/43.png b/servers/linux/43.png new file mode 100644 index 0000000..0f4c257 Binary files /dev/null and b/servers/linux/43.png differ diff --git a/servers/linux/44.png b/servers/linux/44.png new file mode 100644 index 0000000..abb2675 Binary files /dev/null and b/servers/linux/44.png differ diff --git a/servers/linux/45.png b/servers/linux/45.png new file mode 100644 index 0000000..628f5c7 Binary files /dev/null and b/servers/linux/45.png differ diff --git a/servers/linux/46.png b/servers/linux/46.png new file mode 100644 index 0000000..4b2e3f2 Binary files /dev/null and b/servers/linux/46.png differ diff --git a/servers/linux/47.png b/servers/linux/47.png new file mode 100644 index 0000000..5721e9a Binary files /dev/null and b/servers/linux/47.png differ diff --git a/servers/linux/48.png b/servers/linux/48.png new file mode 100644 index 0000000..091a401 Binary files /dev/null and b/servers/linux/48.png differ diff --git a/servers/linux/49.png b/servers/linux/49.png new file mode 100644 index 0000000..156bef8 Binary files /dev/null and b/servers/linux/49.png differ diff --git a/servers/linux/5.png b/servers/linux/5.png new file mode 100644 index 0000000..b7596ce Binary files /dev/null and b/servers/linux/5.png differ diff --git a/servers/linux/50.png b/servers/linux/50.png new file mode 100644 index 0000000..70b5d2a Binary files /dev/null and b/servers/linux/50.png differ 
diff --git a/servers/linux/51.png b/servers/linux/51.png new file mode 100644 index 0000000..d7e60c8 Binary files /dev/null and b/servers/linux/51.png differ diff --git a/servers/linux/52.png b/servers/linux/52.png new file mode 100644 index 0000000..783817e Binary files /dev/null and b/servers/linux/52.png differ diff --git a/servers/linux/53.png b/servers/linux/53.png new file mode 100644 index 0000000..78e54da Binary files /dev/null and b/servers/linux/53.png differ diff --git a/servers/linux/54.png b/servers/linux/54.png new file mode 100644 index 0000000..180e1bb Binary files /dev/null and b/servers/linux/54.png differ diff --git a/servers/linux/55.png b/servers/linux/55.png new file mode 100644 index 0000000..da48d9a Binary files /dev/null and b/servers/linux/55.png differ diff --git a/servers/linux/56.png b/servers/linux/56.png new file mode 100644 index 0000000..0b11e86 Binary files /dev/null and b/servers/linux/56.png differ diff --git a/servers/linux/6.png b/servers/linux/6.png new file mode 100644 index 0000000..2d86f7d Binary files /dev/null and b/servers/linux/6.png differ diff --git a/servers/linux/7.png b/servers/linux/7.png new file mode 100644 index 0000000..f33db2d Binary files /dev/null and b/servers/linux/7.png differ diff --git a/servers/linux/8.png b/servers/linux/8.png new file mode 100644 index 0000000..58c866b Binary files /dev/null and b/servers/linux/8.png differ diff --git a/servers/linux/9.png b/servers/linux/9.png new file mode 100644 index 0000000..67e8740 Binary files /dev/null and b/servers/linux/9.png differ diff --git a/servers/linux/index.html b/servers/linux/index.html new file mode 100644 index 0000000..6b43dd6 --- /dev/null +++ b/servers/linux/index.html @@ -0,0 +1,250 @@ + + + + + + + + + + + How to install Linux from a Windows PC + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-16

+

How to install Linux from a Windows PC

+ +

In this tutorial, we're going to look at the first and foremost thing anyone can do to remove surveillance from their digital lives, by installing a free and open source software (FOSS) host operating system: Linux, in this case we're going to setup the latest Debian.

+ +
+
+
+
+ + +
+
+
+
+

Why should Bob install Linux?

+

So here we are Bob, and we have decided that having an entire crowd watching what we were doing with out computer was no longer acceptable. What can we do from here ?

+ +

Bob, after searching for a while on the web, Bob realized that Windows was the problem here. Because it is closed-source (meaning the source code is not available) he couldn't know what Windows was doing in the background. Because that is so, Bob is now certain that his Operating System could be used for surveillance, without him being aware of it.

+

"What the hell can I do on Windows privately then ?", Bob thought for a while.

+ +

"... Nothing!", He realized. While he was using windows, he would never have any privacy with his digital life.

+

Allegory: You have a house, and you have an annoying neighbor (Jack) that wants to know everything you do in your House. If you have windows installed on your computer as a host OS, it is the same as leaving the front door wide open for Jack to enter and watch what you're doing in your house, no matter how much you try to barricade the windows, or the doors. It makes more sense to try and barricade the front door first, before trying to barricade the windows and other rooms in your house, isn't it ?

+ +

So Bob looked for an open source operating system to replace Windows, and he found the Linux sourcecode, he read the entire code and found no spyware in it. Then he decided that he would use that instead of using Windows.

+ +

Because it is through Windows, that Microsoft employees are able to spy on what Bob was doing so far! By removing windows from the equation, he is also removing Microsoft's surveillance from his digital life!

+

Bob has decided that he would use Linux from now on, because he is no longer tolerating being watched by an entire crowd, without his consent.

+
+
+
+
+ +
+
+
+
+

How to create a Debian USB installer from Windows?



+

First Bob, goes on the web to find a Linux distribution he likes, that is Open Source:

+ +

He sees there are many options like Linux Mint, Ubuntu, etc

+ +

But he settles on Debian. (Disclaimer: if you use closed-source hardware, like 99.9999999999% of people out there, you will invariably have to use non-free firmware too [1] [2] [3]). If you want a purely FOSS host OS, and you are willing to not have firmware for your CPU, GPU, Motherboard, Ethernet/wifi, check out the OSes recommended by the Free Software Foundation [4] (but it will be at the expense of having your peripherals not working [5]). The status of Open source Hardware is not even competitive in this closed-source hardware domination of the market., hopefully this will change in the future, but for now that's how it is. TLDR: If you don't want to install proprietary firmware, check out PureOS instead of debian.

+ +

Now Bob has the Debian ISO image.

+ +

But now he needs to put that ISO image on a USB stick. To do so he can use Rufus or Balena Etcher:

+ + +

So Bob installs BalenaEtcher:

+ + +

Once installed, he selects the ISO image in balenaetcher:

+ +

Then, Bob plugs in his USB stick in his computer, to be able to put the ISO image into it:

+ +

Then, Bob selects his USB stick from balenaetcher:

+ +

Then he clicks "Flash", that way Balenaetecher will put the ISO image on the USB stick.

+ + +

Bob waits a few minutes, and now he has a USB stick with the latest Debian OS on it.

+ +

Bob will now be able to use it to install Linux and replace Windows with it.

+ +
+
+
+
+ + + +
+
+
+
+

How to use the Debian USB stick to overwrite Windows ?



+

This is where it gets a bit technical for Bob. But here are the steps he needs to do:

+
    +
  1. He needs to plug his USB stick in his computer

  2. +
  3. He needs to restart his computer

  4. +
  5. As his computer restarts, he needs to repeatedly press the F1 or F2 or DEL or F10 key in order to enter his computer's BIOS (depending on which brand his computer is)

  6. +
  7. once he is in the BIOS, he then needs to boot on his USB stick that has the Debian image

  8. +
  9. Then once he boots on his USB stick, he can install debian on his computer

  10. +
+

The key that Bob needs to press to enter his computer's BIOS depends on what brand his computer is (see this blogpost for examples).

+

Now Bob restarts his computer:

+ +

And now, as he has an ASUS motherboard, he repeatedly presses the F2 key to enter his computer's BIOS:

+ +

and from there, Bob needs to navigate the BIOS to boot on his USB key. Be aware that the Steps may vary, feel free to research how to change the boot options of your computer's BIOS settings. In Bob's example below, he is on an ASUS computer/motherboard, so he has these specific BIOS steps to do:

+

Boot > OS Type > Other OS

+ +

Boot > CSM settings > Launch CSM Auto

+ +

Boot device Selection > his USB stick

+ +

Once he selects his USB Stick, Bob can now boot from it, and he is greeted by Debian's welcome screen:

+ +

And from there, Bob installs linux as per his needs:

+ + + + + + + + + +

Here Bob decides that he wants to encrypt his whole harddrive too. That way, if someone were to steal his computer, without knowing his password, they would have no way to access Bob's local data.

+ + + + + + + + + + + + + + + +

Here Bob can select his window manager. Gnome is the default option, but he chooses Cinnamon to keep the feel similar to how it was on windows.

+ + + + + +

And there, Bob finished the Debian installation, he can unplug his USB stick, and click Continue to reboot his computer:

+ +

As he reboots his computer, he is greeted by the Debian boot screen, and he then types his password to unlock his harddrive encryption:

+ + +

Then he logs in using the password he set earlier:

+ +

And now that Bob is logged in, he is greeted by the Cinnamon window manager, the feel of his OS remains similar to what he previously had on Windows, but now it's all open source!

+ +

And that's it! Bob has managed to get privacy from Microsoft's constant surveillance by replacing Windows with a Linux distribution.

+ +

From there, Bob can update his linux distribution and install new packages, following this tutorial here.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
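Review bot: In "How to create a Debian USB installer from Windows?", the text goes from "Now Bob has the Debian ISO image." straight to selecting the image in balenaEtcher and clicking "Flash", with no step that verifies the download. Suggest adding a step before flashing that checks the ISO against the SHA256SUMS or SHA512SUMS file Debian publishes next to the image, and the signature on that file, since everything installed afterwards (including the disk encryption) depends on that image being genuine. In the BIOS section, "Boot > OS Type > Other OS" and "Boot > CSM settings > Launch CSM Auto" are given without saying what they change or whether they should stay that way after the install; one sentence on each would help readers on other boards. Wording: "with out computer" should be "with our computer", "Bob, after searching for a while on the web, Bob realized" repeats the subject, "Balenaetecher" is misspelled, and the tool name is cased three different ways in this section.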
+ + + + + + + diff --git a/servers/linuxprograms/0.png b/servers/linuxprograms/0.png new file mode 100644 index 0000000..645ee61 Binary files /dev/null and b/servers/linuxprograms/0.png differ diff --git a/servers/linuxprograms/1.png b/servers/linuxprograms/1.png new file mode 100644 index 0000000..5bcad3f Binary files /dev/null and b/servers/linuxprograms/1.png differ diff --git a/servers/linuxprograms/2.png b/servers/linuxprograms/2.png new file mode 100644 index 0000000..49ef057 Binary files /dev/null and b/servers/linuxprograms/2.png differ diff --git a/servers/linuxprograms/3.png b/servers/linuxprograms/3.png new file mode 100644 index 0000000..f761f07 Binary files /dev/null and b/servers/linuxprograms/3.png differ diff --git a/servers/linuxprograms/index.html b/servers/linuxprograms/index.html new file mode 100644 index 0000000..37430d8 --- /dev/null +++ b/servers/linuxprograms/index.html @@ -0,0 +1,331 @@ + + + + + + + + + + + How to install and update programs on Linux + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-16

+

How to install and update programs on Linux

+ +

In this tutorial, we're going to take a look at how you can install and update your programs on linux:

+ +
+
+
+
+ + +
+
+
+
+

Apt: Updating the repositories and packages

+

First we need to open up a terminal:

+ +

and then we can run the following command sudo apt update to make sure that our linux OS has the data regarding which are latest package versions:

+

+nihilist@mainpc:~$ sudo apt update
+[sudo] password for nihilist:
+Hit:1 http://deb.debian.org/debian bookworm InRelease
+Get:2 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
+Get:3 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
+Hit:4 https://repository.mullvad.net/deb/stable bookworm InRelease
+Get:5 http://security.debian.org/debian-security bookworm-security/main Sources [99.0 kB]
+Get:6 http://security.debian.org/debian-security bookworm-security/main amd64 Packages [160 kB]
+Get:7 http://security.debian.org/debian-security bookworm-security/main Translation-en [96.4 kB]
+Get:8 https://packages.element.io/debian default InRelease [3,618 B]
+Get:9 https://packages.element.io/debian default/main amd64 Packages [1,030 B]
+Get:10 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm InRelease [62.0 kB]
+Get:11 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/main amd64 Packages [36.1 kB]
+Fetched 561 kB in 20s (28.5 kB/s)
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+24 packages can be upgraded. Run 'apt list --upgradable' to see them.
+	
+
+ +

And at the bottom you see that there are 24 packages that can be upgraded, so we run sudo apt upgrade to make sure that those packages are on the latest available versions:

+

+nihilist@mainpc:~$ sudo apt upgrade
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+Calculating upgrade... Done
+The following packages were automatically installed and are no longer required:
+  default-jdk-headless libice-dev libpthread-stubs0-dev libsm-dev libwpe-1.0-1 libwpebackend-fdo-1.0-1 libx11-dev libxau-dev libxcb1-dev libxdmcp-dev libxt-dev linux-image-6.1.0-17-amd64 openjdk-17-jdk openjdk-17-jdk-headless x11proto-dev
+  xorg-sgml-doctools xtrans-dev
+Use 'sudo apt autoremove' to remove them.
+The following packages will be upgraded:
+  element-desktop ffmpeg firefox-esr gir1.2-gst-plugins-base-1.0 gstreamer1.0-alsa gstreamer1.0-gl gstreamer1.0-plugins-base gstreamer1.0-x libarchive-tools libarchive13 libavcodec59 libavdevice59 libavfilter8 libavformat59 libavutil57
+  libgstreamer-gl1.0-0 libgstreamer-plugins-base1.0-0 libpostproc56 libswresample4 libswscale6 python3-pil python3-pil.imagetk tb-updater thunderbird
+24 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
+Need to get 134 MB/234 MB of archives.
+After this operation, 5,378 kB of additional disk space will be used.
+Do you want to continue? [Y/n] y
+	
+
+ +

Here we press y and enter to continue, then let it run:

+

+Do you want to continue? [Y/n] y
+Get:1 http://security.debian.org/debian-security bookworm-security/main amd64 libswscale6 amd64 7:5.1.5-0+deb12u1 [215 kB]
+Get:2 http://security.debian.org/debian-security bookworm-security/main amd64 libavdevice59 amd64 7:5.1.5-0+deb12u1 [114 kB]
+Get:3 http://security.debian.org/debian-security bookworm-security/main amd64 libavformat59 amd64 7:5.1.5-0+deb12u1 [1,102 kB]
+Get:4 http://security.debian.org/debian-security bookworm-security/main amd64 libavfilter8 amd64 7:5.1.5-0+deb12u1 [3,703 kB]
+Get:5 http://security.debian.org/debian-security bookworm-security/main amd64 libavcodec59 amd64 7:5.1.5-0+deb12u1 [5,216 kB]
+Get:6 http://security.debian.org/debian-security bookworm-security/main amd64 libavutil57 amd64 7:5.1.5-0+deb12u1 [363 kB]
+Get:7 http://security.debian.org/debian-security bookworm-security/main amd64 libpostproc56 amd64 7:5.1.5-0+deb12u1 [94.0 kB]
+Get:8 http://security.debian.org/debian-security bookworm-security/main amd64 libswresample4 amd64 7:5.1.5-0+deb12u1 [97.3 kB]
+Get:9 http://security.debian.org/debian-security bookworm-security/main amd64 ffmpeg amd64 7:5.1.5-0+deb12u1 [1,814 kB]
+Get:10 http://security.debian.org/debian-security bookworm-security/main amd64 firefox-esr amd64 115.12.0esr-1~deb12u1 [63.1 MB]
+Get:11 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/main amd64 tb-updater all 3:33.4-1 [245 kB]
+Get:12 http://security.debian.org/debian-security bookworm-security/main amd64 thunderbird amd64 1:115.12.0-1~deb12u1 [58.3 MB]
+Fetched 134 MB in 20s (6,658 kB/s)
+Reading changelogs... Done
+(Reading database ... 219964 files and directories currently installed.)
+Preparing to unpack .../00-element-desktop_1.11.68_amd64.deb ...
+Unpacking element-desktop (1.11.68) over (1.11.67) ...
+Preparing to unpack .../01-libswscale6_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libswscale6:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../02-libavdevice59_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libavdevice59:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../03-libavformat59_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libavformat59:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../04-libavfilter8_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libavfilter8:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../05-libavcodec59_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libavcodec59:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../06-libavutil57_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libavutil57:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../07-libpostproc56_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libpostproc56:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../08-libswresample4_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking libswresample4:amd64 (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../09-ffmpeg_7%3a5.1.5-0+deb12u1_amd64.deb ...
+Unpacking ffmpeg (7:5.1.5-0+deb12u1) over (7:5.1.4-0+deb12u1) ...
+Preparing to unpack .../10-firefox-esr_115.12.0esr-1~deb12u1_amd64.deb ...
+Leaving 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by firefox-esr'
+Unpacking firefox-esr (115.12.0esr-1~deb12u1) over (115.11.0esr-1~deb12u1) ...
+Preparing to unpack .../11-libgstreamer-plugins-base1.0-0_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking libgstreamer-plugins-base1.0-0:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../12-libgstreamer-gl1.0-0_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking libgstreamer-gl1.0-0:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../13-gir1.2-gst-plugins-base-1.0_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking gir1.2-gst-plugins-base-1.0:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../14-gstreamer1.0-alsa_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking gstreamer1.0-alsa:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../15-gstreamer1.0-gl_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking gstreamer1.0-gl:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../16-gstreamer1.0-plugins-base_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking gstreamer1.0-plugins-base:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../17-gstreamer1.0-x_1.22.0-3+deb12u2_amd64.deb ...
+Unpacking gstreamer1.0-x:amd64 (1.22.0-3+deb12u2) over (1.22.0-3+deb12u1) ...
+Preparing to unpack .../18-libarchive-tools_3.6.2-1+deb12u1_amd64.deb ...
+Unpacking libarchive-tools (3.6.2-1+deb12u1) over (3.6.2-1) ...
+Preparing to unpack .../19-libarchive13_3.6.2-1+deb12u1_amd64.deb ...
+Unpacking libarchive13:amd64 (3.6.2-1+deb12u1) over (3.6.2-1) ...
+Preparing to unpack .../20-python3-pil.imagetk_9.4.0-1.1+deb12u1_amd64.deb ...
+Unpacking python3-pil.imagetk:amd64 (9.4.0-1.1+deb12u1) over (9.4.0-1.1+b1) ...
+Preparing to unpack .../21-python3-pil_9.4.0-1.1+deb12u1_amd64.deb ...
+Unpacking python3-pil:amd64 (9.4.0-1.1+deb12u1) over (9.4.0-1.1+b1) ...
+Preparing to unpack .../22-tb-updater_3%3a33.4-1_all.deb ...
+Unpacking tb-updater (3:33.4-1) over (3:33.0-1) ...
+Preparing to unpack .../23-thunderbird_1%3a115.12.0-1~deb12u1_amd64.deb ...
+Unpacking thunderbird (1:115.12.0-1~deb12u1) over (1:115.11.0-1~deb12u1) ...
+Setting up libarchive13:amd64 (3.6.2-1+deb12u1) ...
+Setting up element-desktop (1.11.68) ...
+update-alternatives is /usr/bin/update-alternatives
+Setting up libgstreamer-plugins-base1.0-0:amd64 (1.22.0-3+deb12u2) ...
+Setting up python3-pil:amd64 (9.4.0-1.1+deb12u1) ...
+Setting up libavutil57:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up libgstreamer-gl1.0-0:amd64 (1.22.0-3+deb12u2) ...
+Setting up gstreamer1.0-plugins-base:amd64 (1.22.0-3+deb12u2) ...
+Setting up python3-pil.imagetk:amd64 (9.4.0-1.1+deb12u1) ...
+Setting up libswresample4:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up thunderbird (1:115.12.0-1~deb12u1) ...
+Skipping profile in /etc/apparmor.d/disable: usr.bin.thunderbird
+Setting up libpostproc56:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up libavcodec59:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up libswscale6:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up firefox-esr (115.12.0esr-1~deb12u1) ...
+Setting up gstreamer1.0-gl:amd64 (1.22.0-3+deb12u2) ...
+Setting up libarchive-tools (3.6.2-1+deb12u1) ...
+Setting up gstreamer1.0-x:amd64 (1.22.0-3+deb12u2) ...
+Setting up gstreamer1.0-alsa:amd64 (1.22.0-3+deb12u2) ...
+Setting up libavformat59:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up gir1.2-gst-plugins-base-1.0:amd64 (1.22.0-3+deb12u2) ...
+Setting up libavfilter8:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up tb-updater (3:33.4-1) ...
+INFO: Using '--postinst' option but outside of Qubes Template, skipping, ok.
+Setting up libavdevice59:amd64 (7:5.1.5-0+deb12u1) ...
+Setting up ffmpeg (7:5.1.5-0+deb12u1) ...
+Processing triggers for desktop-file-utils (0.26-1) ...
+Processing triggers for hicolor-icon-theme (0.17-2) ...
+Processing triggers for libc-bin (2.36-9+deb12u7) ...
+Processing triggers for man-db (2.11.2-2) ...
+Processing triggers for mailcap (3.70+nmu1) ...
+Scanning processes...
+Scanning candidates...
+Scanning linux images...
+
+Running kernel seems to be up-to-date.
+
+Restarting services...
+ systemctl restart fwupd.service
+
+No containers need to be restarted.
+
+User sessions running outdated binaries:
+ nihilist @ session #2: cinnamon[1513], element-desktop[103821,103826,103827,103829], firefox-esr[1238857]
+ nihilist @ user manager service: systemd[1229]
+
+No VM guests are running outdated hypervisor (qemu) binaries on this host.
+	
+
+

during the package upgrade it can prompt you if you want to restart processes:

+ +

Just press enter to allow the process to be restarted, and for the package upgrade to finish.

+
+
+
+
+ +
+
+
+
+

Installing new packages on Linux



+

First we can use the apt search pkgname command to look for available packages:

+

+nihilist@mainpc:~$ apt search firefox-esr
+Sorting... Done
+Full Text Search... Done
+
+firefox-esr/stable-security,now 115.12.0esr-1~deb12u1 amd64
+  Mozilla Firefox web browser - Extended Support Release (ESR)
+	
+
+ +

Here we see that the firefox package is available, so let's install it with the apt install pgkname command:

+

+nihilist@mainpc:~$ sudo apt install firefox-esr -y
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+firefox-esr is already the newest version (115.12.0esr-1~deb12u1).
+	
+
+ +

And then you can launch it:

+

+nihilist@mainpc:~$ which firefox
+/usr/bin/firefox
+nihilist@mainpc:~$ firefox
+
+
+ +

and if you want to remove the package you can use the command apt purge firefox-esr

+

Next, Bob can setup an open-source hypervisor on his linux laptop to properly segment his internet usage.

+ +
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + + diff --git a/servers/mail/0.png b/servers/mail/0.png new file mode 100644 index 0000000..169bfae Binary files /dev/null and b/servers/mail/0.png differ diff --git a/servers/mail/1.png b/servers/mail/1.png new file mode 100644 index 0000000..1f63d70 Binary files /dev/null and b/servers/mail/1.png differ diff --git a/servers/mail/10.png b/servers/mail/10.png new file mode 100644 index 0000000..85c24c3 Binary files /dev/null and b/servers/mail/10.png differ diff --git a/servers/mail/11.png b/servers/mail/11.png new file mode 100644 index 0000000..bbcdbc7 Binary files /dev/null and b/servers/mail/11.png differ diff --git a/servers/mail/12.png b/servers/mail/12.png new file mode 100644 index 0000000..3a2e68e Binary files /dev/null and b/servers/mail/12.png differ diff --git a/servers/mail/13.png b/servers/mail/13.png new file mode 100644 index 0000000..8d86107 Binary files /dev/null and b/servers/mail/13.png differ diff --git a/servers/mail/14png.png b/servers/mail/14png.png new file mode 100644 index 0000000..d0260b7 Binary files /dev/null and b/servers/mail/14png.png differ diff --git a/servers/mail/15.png b/servers/mail/15.png new file mode 100644 index 0000000..1064f76 Binary files /dev/null and b/servers/mail/15.png differ diff --git a/servers/mail/16.png b/servers/mail/16.png new file mode 100644 index 0000000..8b90c5c Binary files /dev/null and b/servers/mail/16.png differ diff --git a/servers/mail/17.png b/servers/mail/17.png new file mode 100644 index 0000000..3421972 Binary files /dev/null and b/servers/mail/17.png differ diff --git a/servers/mail/18.png b/servers/mail/18.png new file mode 100644 index 0000000..f8d8452 Binary files /dev/null and b/servers/mail/18.png differ diff --git a/servers/mail/19.png b/servers/mail/19.png new file mode 100644 index 0000000..089a61a Binary files /dev/null and b/servers/mail/19.png differ 
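Review bot: the upgrade transcript in the page hunk that ends above closes with `User sessions running outdated binaries` and lists cinnamon, element-desktop and firefox-esr, but the text that follows only tells the reader to press enter at the restart prompt. Pressing enter restarts services (here `systemctl restart fwupd.service`), not those user sessions, so add a sentence telling the reader to close and reopen the listed applications, or log out and back in, before treating the upgrade as applied. In "Installing new packages on Linux" the install sentence spells the placeholder `apt install pgkname` while the search sentence uses `pkgname`; use `pkgname` in both. The removal line gives `apt purge firefox-esr` without saying that purge also deletes the package's configuration files, unlike `apt remove`; say which one the reader should choose.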
diff --git a/servers/mail/2.png b/servers/mail/2.png new file mode 100644 index 0000000..1db4497 Binary files /dev/null and b/servers/mail/2.png differ diff --git a/servers/mail/20.png b/servers/mail/20.png new file mode 100644 index 0000000..7051985 Binary files /dev/null and b/servers/mail/20.png differ diff --git a/servers/mail/21.png b/servers/mail/21.png new file mode 100644 index 0000000..23a1c55 Binary files /dev/null and b/servers/mail/21.png differ diff --git a/servers/mail/3.png b/servers/mail/3.png new file mode 100644 index 0000000..35a3e50 Binary files /dev/null and b/servers/mail/3.png differ diff --git a/servers/mail/4.png b/servers/mail/4.png new file mode 100644 index 0000000..b3a9d47 Binary files /dev/null and b/servers/mail/4.png differ diff --git a/servers/mail/5.png b/servers/mail/5.png new file mode 100644 index 0000000..1f5977a Binary files /dev/null and b/servers/mail/5.png differ diff --git a/servers/mail/6.png b/servers/mail/6.png new file mode 100644 index 0000000..00f5c20 Binary files /dev/null and b/servers/mail/6.png differ diff --git a/servers/mail/7.png b/servers/mail/7.png new file mode 100644 index 0000000..ad2d732 Binary files /dev/null and b/servers/mail/7.png differ diff --git a/servers/mail/8.png b/servers/mail/8.png new file mode 100644 index 0000000..c2f752e Binary files /dev/null and b/servers/mail/8.png differ diff --git a/servers/mail/9.png b/servers/mail/9.png new file mode 100644 index 0000000..0631d57 Binary files /dev/null and b/servers/mail/9.png differ diff --git a/servers/mail/index.html b/servers/mail/index.html new file mode 100644 index 0000000..1729351 --- /dev/null +++ b/servers/mail/index.html @@ -0,0 +1,258 @@ + + + + + + + + + + + VPS Mailserver + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 00 / 00 / 00

+

VPS Mailserver

+

Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80, 443, 587 and 993 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.

+

You cannot use DuckDNS for this one because you will need to add specific DNS records, most importantly the MX and DKIM records which are crucial for this tutorial. + Therefore go get an actual paid domain name, i got mine on Infomaniak :

+ +

So let's add a subdomain to point at our mail server, to do so you need to go to the DNS Zone settings to add a few entries starting with the MX record:

+ +

Here make sure you do not forget the trailing dot (.) at the end of the Target. Next you want to setup that mail subdomain aswell, and to do so you will do + add a CNAME record, that is if your mail server is the SAME as your main server (mail.domain.com == domain.com): +

+ +

In the other case where your mailserver is NOT the same as the main server (mail.domain.com != domain.com) you will need an A record which is going to tell + Which IP to goto in order to reach that mail server: +

+ +

In this case we're going to make it point to our DigitalOcean VPS as usual and once it's done we can simply ssh into it:

+

EDIT: DIGITALOCEAN IS BLOCKING PORT 25 (SMTP) i have to redo this tutorial on another VPS.

+ + + + + + + +

+[ 192.168.100.1/24 ] [ /dev/pts/8 ] [~]
+→ ssh root@mail.void.yt
+The authenticity of host 'mail.void.yt (161.35.41.22)' can't be established.
+ECDSA key fingerprint is SHA256:AMDSjSs4f3CDvivmjFRjGDjmuz079vsS/A+9hdYi9a0.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added 'mail.void.yt,161.35.41.22' (ECDSA) to the list of known hosts.
+Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+ +
+
+
+
+ + +
+
+
+
+

Initial Configuration

+

Once you've logged in via SSH, install the following dependencies:

+

+apt install nginx socat curl -y
+
+
+

Once that's done, download the nginx config and edit it:

+

+wget https://blog.nihilism.network/servers/mail/mail.conf -O /etc/nginx/sites-available/mail.conf
+nano /etc/nginx/sites-available/mail.conf
+
+

Make sure you put your own domain name in there:

+ +

Next we're going to get our free TLS certificate by using acme.sh:

+

+wget -O -  https://get.acme.sh | sh
+source ~/.bashrc
+
+systemctl stop nginx 
+acme.sh --issue --standalone -d mail.void.yt -k 4096
+
+ +

Once you're done, hit CTRL+S to save, and CTRL+X to exit nano.

+

+ln -s /etc/nginx/sites-available/mail.conf /etc/nginx/sites-enabled/mail.conf
+nginx -t
+systemctl start nginx
+
+
+

Once you're here, nginx should tell you the configuration is successful, if not, make sure you followed the syntax of the original file. Next we're going to see that our configuration works by browsing to it:

+ +

Here the 404 error is intended, you also see that the website redirects to https (tls 1.3). Now from here we'll simply need to use Luke Smith's script:

+ + +
+
+
+
+ +
+
+
+
+

The Script



+

+

+cd ~
+wget https://raw.githubusercontent.com/LukeSmithxyz/emailwiz/master/emailwiz.sh
+chmod +x emailwiz.sh
+sh emailwiz.sh
+
+
+

When postfix asks you something, hit "internet site":

+ +

Next postfix is going to ask you the FQDN, make sure you type the domain name, NOT the subdomain:

+ +

Then hit enter, and wait for the script to install postfix and dovecot. + Luke intended this script to be run and to configure postfix and dovecot together. The main feature here is that once you create an user + added to the mail group, it's going make them able to recieve and send mail. + +

+ + +

Once the script finished running, we need to go back to our DNS settings to configure DKIM:

+ +

First things first we add the following TXT record:

+ + +

If it doesnt work try out the DKIM option and hit save:

+ + +

Next we're going to add DMARC:

+ + + +

And lastly the @ TXT record:

+ + + +

Once that's done, save your DNS settings, Create the user ON THE SERVER, and install thunderbird locally:

+

+useradd -m -G mail -s /bin/bash someone
+passwd someone
+
+
+ +

Then run thunderbird with the user's credentials, make sure you use the manual config tab:

+ +

And welcome to DigitalOcean, where you can't run mail servers lol. I did some research on DO's forums, and i found out that basically + they are blocking port 25 (SMTP) which, in general indicates that they do not allow any mail hosting on their VPS, so for once i am not going to recommend DO +

+ +

TLDR i am incredibly suprised at how difficult it is to setup your own email server. In france, most ISPs simply do not allow port 25 apart from OVH. + Online, both DigitalOcean and Vultr block port 25 to avoid mail spam which makes me wonder where exactly do you even host your mail server. +If anyone knows a particular hosting service that ALLOWS port 25 and other mail-specific ports (993 587 etc) please let me know.

+ + + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + + diff --git a/servers/mail/mail.conf b/servers/mail/mail.conf new file mode 100644 index 0000000..94bb2aa --- /dev/null +++ b/servers/mail/mail.conf @@ -0,0 +1,41 @@ +server { + listen 80; + listen [::]:80; + server_name mail.void.yt; + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name mail.void.yt; + + ssl_certificate /root/.acme.sh/mail.void.yt/fullchain.cer; + ssl_trusted_certificate /root/.acme.sh/mail.void.yt/mail.void.yt.cer; + ssl_certificate_key /root/.acme.sh/mail.void.yt/mail.void.yt.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + ssl_stapling on; + ssl_stapling_verify on; + resolver 80.67.188.188 80.67.169.40 valid=300s; + resolver_timeout 10s; + + add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting + add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking + add_header X-Content-Type-Options nosniff; #MIME-type sniffing + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + location / { + try_files $uri $uri/ = 404; + } + + root /var/www/mail; + index index.html; + +} diff --git a/servers/mailinabox/0.png b/servers/mailinabox/0.png new file mode 100644 index 0000000..89777f5 Binary files /dev/null and b/servers/mailinabox/0.png differ diff --git a/servers/mailinabox/1.png b/servers/mailinabox/1.png new file mode 100644 index 0000000..2b7deca Binary files /dev/null and b/servers/mailinabox/1.png differ 
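Review bot: servers/mail/index.html runs two remote scripts as root without review or pinning: `wget -O - https://get.acme.sh | sh`, and `emailwiz.sh` fetched from the `master` branch and executed with `sh emailwiz.sh`. Download each to a file, read it, and fetch emailwiz.sh from a fixed commit so the tutorial keeps describing the code readers actually run. The SSH transcript answers `yes` to the host key prompt; add a line telling readers to compare the shown fingerprint with the one in the provider's console first. The prerequisites list ports 80, 443, 587 and 993 and suggest DigitalOcean, while the EDIT line and the closing paragraphs say port 25 is blocked there; add port 25 to the prerequisites and move the warning to the top. The certificate is issued with `acme.sh --issue --standalone` while nginx is stopped, and nginx then takes port 80 again, so document how renewal is supposed to work. The sentence "hit CTRL+S to save, and CTRL+X to exit nano" sits after the acme.sh block instead of after the `nano /etc/nginx/sites-available/mail.conf` step it belongs to.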
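Review bot: in servers/mail/mail.conf, `try_files $uri $uri/ = 404;` has a space between `=` and `404`, so nginx reads them as two separate arguments and treats the last one as a fallback URI rather than as a status code; write `try_files $uri $uri/ =404;` to get the 404 the tutorial says is intended. `ssl_trusted_certificate` points at the leaf certificate `mail.void.yt.cer`, but with `ssl_stapling_verify on` that directive has to hold the issuing CA chain, so point it at the CA chain file instead. Only `X-Frame-Options` carries `always`; the other three `add_header` lines will not be sent on error responses such as that 404, so add `always` to them as well. The certificate and key are read straight from `/root/.acme.sh/mail.void.yt/`; installing copies to a dedicated directory with restricted permissions would keep nginx independent of acme.sh's working directory.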
diff --git a/servers/mailinabox/10.png b/servers/mailinabox/10.png new file mode 100644 index 0000000..69466ec Binary files /dev/null and b/servers/mailinabox/10.png differ diff --git a/servers/mailinabox/11.png b/servers/mailinabox/11.png new file mode 100644 index 0000000..1b0c01d Binary files /dev/null and b/servers/mailinabox/11.png differ diff --git a/servers/mailinabox/12.png b/servers/mailinabox/12.png new file mode 100644 index 0000000..41177f7 Binary files /dev/null and b/servers/mailinabox/12.png differ diff --git a/servers/mailinabox/13.png b/servers/mailinabox/13.png new file mode 100644 index 0000000..4c8afa7 Binary files /dev/null and b/servers/mailinabox/13.png differ diff --git a/servers/mailinabox/14.png b/servers/mailinabox/14.png new file mode 100644 index 0000000..ae6cf08 Binary files /dev/null and b/servers/mailinabox/14.png differ diff --git a/servers/mailinabox/15.png b/servers/mailinabox/15.png new file mode 100644 index 0000000..c21be7b Binary files /dev/null and b/servers/mailinabox/15.png differ diff --git a/servers/mailinabox/16.png b/servers/mailinabox/16.png new file mode 100644 index 0000000..8145268 Binary files /dev/null and b/servers/mailinabox/16.png differ diff --git a/servers/mailinabox/17.png b/servers/mailinabox/17.png new file mode 100644 index 0000000..07ac932 Binary files /dev/null and b/servers/mailinabox/17.png differ diff --git a/servers/mailinabox/18.png b/servers/mailinabox/18.png new file mode 100644 index 0000000..6ef3f36 Binary files /dev/null and b/servers/mailinabox/18.png differ diff --git a/servers/mailinabox/19.png b/servers/mailinabox/19.png new file mode 100644 index 0000000..ba978e4 Binary files /dev/null and b/servers/mailinabox/19.png differ diff --git a/servers/mailinabox/2.png b/servers/mailinabox/2.png new file mode 100644 index 0000000..460a7d8 Binary files /dev/null and b/servers/mailinabox/2.png differ 
diff --git a/servers/mailinabox/20.png b/servers/mailinabox/20.png new file mode 100644 index 0000000..24582ee Binary files /dev/null and b/servers/mailinabox/20.png differ diff --git a/servers/mailinabox/21.png b/servers/mailinabox/21.png new file mode 100644 index 0000000..10897ee Binary files /dev/null and b/servers/mailinabox/21.png differ diff --git a/servers/mailinabox/22.png b/servers/mailinabox/22.png new file mode 100644 index 0000000..eca528e Binary files /dev/null and b/servers/mailinabox/22.png differ diff --git a/servers/mailinabox/23.png b/servers/mailinabox/23.png new file mode 100644 index 0000000..6b04cf2 Binary files /dev/null and b/servers/mailinabox/23.png differ diff --git a/servers/mailinabox/3.png b/servers/mailinabox/3.png new file mode 100644 index 0000000..c9c7dd2 Binary files /dev/null and b/servers/mailinabox/3.png differ diff --git a/servers/mailinabox/4.png b/servers/mailinabox/4.png new file mode 100644 index 0000000..899fcbd Binary files /dev/null and b/servers/mailinabox/4.png differ diff --git a/servers/mailinabox/5.png b/servers/mailinabox/5.png new file mode 100644 index 0000000..e83f173 Binary files /dev/null and b/servers/mailinabox/5.png differ diff --git a/servers/mailinabox/6.png b/servers/mailinabox/6.png new file mode 100644 index 0000000..6ba38ef Binary files /dev/null and b/servers/mailinabox/6.png differ diff --git a/servers/mailinabox/7.png b/servers/mailinabox/7.png new file mode 100644 index 0000000..e505e65 Binary files /dev/null and b/servers/mailinabox/7.png differ diff --git a/servers/mailinabox/8.png b/servers/mailinabox/8.png new file mode 100644 index 0000000..c3301a2 Binary files /dev/null and b/servers/mailinabox/8.png differ diff --git a/servers/mailinabox/9.png b/servers/mailinabox/9.png new file mode 100644 index 0000000..028a6af Binary files /dev/null and b/servers/mailinabox/9.png differ 
diff --git a/servers/mailinabox/index.html b/servers/mailinabox/index.html new file mode 100644 index 0000000..6b83fc1 --- /dev/null +++ b/servers/mailinabox/index.html @@ -0,0 +1,158 @@ + + + + + + + + + + + mailinabox Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nothing@nowhere - 2021-08-17

+

mailinabox Setup

+ +

In this tutorial we're going to cover how to setup mailinabox on an ubuntu 18.04 VPS:

+

yes i was lazy to add comments in this tutorial, it's very straightforward as you'll see:

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

+

+root@mail:~# curl -s https://mailinabox.email/setup.sh | sudo bash
+	
+
+ + + + + + + + + +

Out of the box you will need to fix things on your mailbox, so let's do them one by one:

+

+root@mail:~# vim /etc/ssh/sshd_config
+root@mail:~# cat /etc/ssh/sshd_config | grep 'PasswordAuthentication'
+PasswordAuthentication no
+root@mail:~# systemctl restart sshd
+root@mail:~# reboot now
+	
+
+ + + + + + + + + + +

Now that's done, most of the DNS related issues should be dealt with (give it a few hours once you made the modifications because DNS can be slow to update records) After a few hours we check again:

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + + diff --git a/servers/mailprivate/0.png b/servers/mailprivate/0.png new file mode 100644 index 0000000..04f825d Binary files /dev/null and b/servers/mailprivate/0.png differ diff --git a/servers/mailprivate/1.png b/servers/mailprivate/1.png new file mode 100644 index 0000000..4cb03b7 Binary files /dev/null and b/servers/mailprivate/1.png differ diff --git a/servers/mailprivate/10.png b/servers/mailprivate/10.png new file mode 100644 index 0000000..941285f Binary files /dev/null and b/servers/mailprivate/10.png differ diff --git a/servers/mailprivate/11.png b/servers/mailprivate/11.png new file mode 100644 index 0000000..393691e Binary files /dev/null and b/servers/mailprivate/11.png differ diff --git a/servers/mailprivate/12.png b/servers/mailprivate/12.png new file mode 100644 index 0000000..e841966 Binary files /dev/null and b/servers/mailprivate/12.png differ diff --git a/servers/mailprivate/13.png b/servers/mailprivate/13.png new file mode 100644 index 0000000..32d63cd Binary files /dev/null and b/servers/mailprivate/13.png differ diff --git a/servers/mailprivate/14.png b/servers/mailprivate/14.png new file mode 100644 index 0000000..d58fa57 Binary files /dev/null and b/servers/mailprivate/14.png differ diff --git a/servers/mailprivate/15.png b/servers/mailprivate/15.png new file mode 100644 index 0000000..34100cd Binary files /dev/null and b/servers/mailprivate/15.png differ diff --git a/servers/mailprivate/16.png b/servers/mailprivate/16.png new file mode 100644 index 0000000..58bfd9b Binary files /dev/null and b/servers/mailprivate/16.png differ diff --git a/servers/mailprivate/17.png b/servers/mailprivate/17.png new file mode 100644 index 0000000..4325b68 Binary files /dev/null and b/servers/mailprivate/17.png differ diff --git a/servers/mailprivate/18.png b/servers/mailprivate/18.png new file mode 100644 index 0000000..086cc18 Binary files /dev/null and b/servers/mailprivate/18.png differ 
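Review bot: servers/mailinabox/index.html starts with `curl -s https://mailinabox.email/setup.sh | sudo bash`, which executes an unreviewed remote script as root, and `-s` hides any download error. Have the reader save the script to a file, inspect it, then run it. The next block sets `PasswordAuthentication no`, restarts sshd and reboots without any step that installs a public key first, so a reader who logged in with a password is locked out; add the key setup before this block and tell the reader to test a key login from a second session before rebooting. The `cat /etc/ssh/sshd_config | grep` check shows the file contents only; `sshd -T | grep -i passwordauthentication` would show the effective setting. The closing sentence refers to DNS modifications that appear only in screenshots; list the records as text so the step can be followed and reviewed.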
diff --git a/servers/mailprivate/19.png b/servers/mailprivate/19.png new file mode 100644 index 0000000..6ec04bd Binary files /dev/null and b/servers/mailprivate/19.png differ diff --git a/servers/mailprivate/2.png b/servers/mailprivate/2.png new file mode 100644 index 0000000..a665fac Binary files /dev/null and b/servers/mailprivate/2.png differ diff --git a/servers/mailprivate/20.png b/servers/mailprivate/20.png new file mode 100644 index 0000000..9820098 Binary files /dev/null and b/servers/mailprivate/20.png differ diff --git a/servers/mailprivate/3.png b/servers/mailprivate/3.png new file mode 100644 index 0000000..7914148 Binary files /dev/null and b/servers/mailprivate/3.png differ diff --git a/servers/mailprivate/30.png b/servers/mailprivate/30.png new file mode 100644 index 0000000..ce2b70c Binary files /dev/null and b/servers/mailprivate/30.png differ diff --git a/servers/mailprivate/31.png b/servers/mailprivate/31.png new file mode 100644 index 0000000..35de177 Binary files /dev/null and b/servers/mailprivate/31.png differ diff --git a/servers/mailprivate/32.png b/servers/mailprivate/32.png new file mode 100644 index 0000000..ad32342 Binary files /dev/null and b/servers/mailprivate/32.png differ diff --git a/servers/mailprivate/33.png b/servers/mailprivate/33.png new file mode 100644 index 0000000..83bcbe2 Binary files /dev/null and b/servers/mailprivate/33.png differ diff --git a/servers/mailprivate/34.png b/servers/mailprivate/34.png new file mode 100644 index 0000000..2758f8f Binary files /dev/null and b/servers/mailprivate/34.png differ diff --git a/servers/mailprivate/35.png b/servers/mailprivate/35.png new file mode 100644 index 0000000..a0a2187 Binary files /dev/null and b/servers/mailprivate/35.png differ diff --git a/servers/mailprivate/36.png b/servers/mailprivate/36.png new file mode 100644 index 0000000..3a3c5df Binary files /dev/null and b/servers/mailprivate/36.png differ 
diff --git a/servers/mailprivate/37.png b/servers/mailprivate/37.png new file mode 100644 index 0000000..738b6fb Binary files /dev/null and b/servers/mailprivate/37.png differ diff --git a/servers/mailprivate/38.png b/servers/mailprivate/38.png new file mode 100644 index 0000000..3b0f9d4 Binary files /dev/null and b/servers/mailprivate/38.png differ diff --git a/servers/mailprivate/39.png b/servers/mailprivate/39.png new file mode 100644 index 0000000..1ac7a23 Binary files /dev/null and b/servers/mailprivate/39.png differ diff --git a/servers/mailprivate/4.png b/servers/mailprivate/4.png new file mode 100644 index 0000000..3f65c6a Binary files /dev/null and b/servers/mailprivate/4.png differ diff --git a/servers/mailprivate/40.png b/servers/mailprivate/40.png new file mode 100644 index 0000000..8bc67b6 Binary files /dev/null and b/servers/mailprivate/40.png differ diff --git a/servers/mailprivate/41.png b/servers/mailprivate/41.png new file mode 100644 index 0000000..1b88aaa Binary files /dev/null and b/servers/mailprivate/41.png differ diff --git a/servers/mailprivate/42.png b/servers/mailprivate/42.png new file mode 100644 index 0000000..6eb5e1d Binary files /dev/null and b/servers/mailprivate/42.png differ diff --git a/servers/mailprivate/5.png b/servers/mailprivate/5.png new file mode 100644 index 0000000..13209d6 Binary files /dev/null and b/servers/mailprivate/5.png differ diff --git a/servers/mailprivate/6.png b/servers/mailprivate/6.png new file mode 100644 index 0000000..dbf869e Binary files /dev/null and b/servers/mailprivate/6.png differ diff --git a/servers/mailprivate/7.png b/servers/mailprivate/7.png new file mode 100644 index 0000000..0ddf59c Binary files /dev/null and b/servers/mailprivate/7.png differ diff --git a/servers/mailprivate/8.png b/servers/mailprivate/8.png new file mode 100644 index 0000000..bb09c45 Binary files /dev/null and b/servers/mailprivate/8.png differ 
diff --git a/servers/mailprivate/9.png b/servers/mailprivate/9.png new file mode 100644 index 0000000..7bf93c3 Binary files /dev/null and b/servers/mailprivate/9.png differ diff --git a/servers/mailprivate/index.html b/servers/mailprivate/index.html new file mode 100644 index 0000000..baa87bb --- /dev/null +++ b/servers/mailprivate/index.html @@ -0,0 +1,942 @@ + + + + + + + + + + + Anonymous self-hosted clearnet mail server Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 19 / 05 / 2022

+

Anonymous self-hosted clearnet mail server Setup

+ +

In this tutorial we will setup a local mail server (to be able to keep control of our data), we will make it available publicly (so that it can communicate with other mail servers), but we'll make it go through TOR to guarantee Anonymity.

+

Note that this setup involves self-hosting, which I do not recommend if the service is supposed to be sensitive. If this is an issue for you, just install it on a non-KYC remote VPS and skip the port-forwarding part if you don't want to host it at your house.

+ + +
+
+
+
+ + +
+
+
+
+

Initial VPN over Tor Setup

+

First let's make it use an external VPS as a VPN server (make sure that you get it from a non-KYC cloud provider, where you create your account with an email that you also registered through TOR.), see this tutorial i made for the full reasoning.

+

+root@mail:~# apt update -y ; apt upgrade -y ; apt autoremove -y ; apt install vim tor obfs4proxy -y
+	
+
+ +

Then we need to have the systemd services:

+

+root@mail:~# vim /etc/systemd/system/tortables.service                                                                                                                                                                                      
+root@mail:~# vim /etc/systemd/system/torwatch.service
+root@mail:~# vim /etc/systemd/system/vpn.service                                                                                                                                                                                            
+root@mail:~# vim /etc/systemd/system/sshtunnel.service
+	
+
+

The tortables systemd service will run iptables to make sure our server only communicates locally:

+

+root@mail:~# cat /etc/systemd/system/tortables.service
+[Unit]
+Description=Tor IP Tables
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/root/iptables_vpn_tor.sh
+
+[Install]
+WantedBy=multi-user.target
+	
+root@mail:~# vim iptables_vpn_tor.sh
+root@mail:~# cat iptables_vpn_tor.sh
+#!/bin/bash
+
+
+#default private networks
+sudo iptables -F
+
+sudo iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
+sudo iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
+sudo iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
+sudo iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT
+
+sudo iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
+sudo iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
+sudo iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
+sudo iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT
+
+#ip range of tor VPN:
+
+sudo iptables -A OUTPUT -o tun0 -j ACCEPT
+sudo iptables -A INPUT -i tun0 -j ACCEPT
+
+sudo iptables -A INPUT -j DROP
+sudo iptables -A OUTPUT -j DROP
+
+
+

The torwatch systemd service will make sure the tor connection is still up:

+

+root@mail:~# cat /etc/systemd/system/torwatch.service
+[Unit]
+Description=torwatcher
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/root/monitor_tor.sh
+ExecStop=kill -9 $(pidof /root/monitor_tor.sh)
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+root@mail:~# vim monitor_tor.sh
+root@mail:~# cat monitor_tor.sh
+#!/bin/bash
+
+counter=0
+while true; do
+        echo TESTING
+        timeout 10 ping -c1 10.8.0.1 &>/dev/null
+        if [ $? -eq 0 ]; then
+                echo OK;
+                sleep 3
+        else
+                if [ $counter -gt 0 ];
+                then
+                        echo 'RESTARTING TOR...'
+                        systemctl restart tor@default
+                        counter=0
+                        sleep 10
+                else
+                        counter=$((counter+1))
+                        echo "FAIL ( $counter / 2)";
+                        sleep 3
+                fi
+        fi
+done
+	
+
+

But as you can see it checks it by pinging 10.8.0.1, the OpenVPN server IP, meaning we need the vpn systemd service:

+

+root@mail:~# cat /etc/systemd/system/vpn.service
+[Unit]
+Description=VPN
+After=network-online.target
+Wants=network-online.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/openvpn /root/mail.ovpn
+ExecStop=kill -9 $(pidof openvpn)
+Restart=always
+
+root@mail:~# apt install openvpn -y
+	
+
+

Then we get the .ovpn file and modify it (if you want to see how to make a openvpn server, see it here) the only requirement here is that you will need to setup the openvpn server to work on TCP, and not UDP as it is set by default. Why? because it will need to go through tor:

+

+root@mail:~# vim mail.ovpn
+root@mail:~# cat mail.ovpn
+client
+proto tcp-client
+remote x.x.x.x 1194
+dev tun
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+verify-x509-name server_6SQ8FnOk0eJa3n0F name
+auth SHA256
+auth-nocache
+cipher AES-128-GCM
+tls-client
+tls-version-min 1.2
+tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
+ignore-unknown-option block-outside-dns
+setenv opt block-outside-dns # Prevent Windows 10 DNS leak
+verb 3
+
+### TOR SETTINGS ###
+socks-proxy 127.0.0.1 9050
+socks-proxy-retry
+up-delay
+route 10.0.0.195 255.255.255.255 net_gateway
+###################
+
+
+

This will essentially force the openvpn connection to go through TOR, then we also edit our /etc/tor/torrc file, note that i intentionally route the traffic through a local bridge node, if you want to know how to set it up, please check this tutorial:

+

+root@mail-nihilism:~# cat /etc/tor/torrc
+UseBridges 1
+ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
+Bridge obfs4 10.0.1.195:8042 6E9324EC8317DE331DE1EA7969BD868136785748 cert=tyhAPcDxgIcuqcUXXxtkYVPKrWMH7bYf7RJcLa8d+oGbQjoYSK10g4Pz7a/dbJkMXLVvAA iat-mode=0
+DataDirectory /var/lib/tor
+TransPort 9040
+SocksPort 9050
+DNSPort 53
+User debian-tor
+	
+root@mail:~# systemctl stop tor
+root@mail:~# tor
+May 15 12:00:17.068 [notice] Tor 0.3.5.16 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1n, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
+May 15 12:00:17.068 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
+May 15 12:00:17.068 [notice] Read configuration file "/etc/tor/torrc".
+May 15 12:00:17.076 [notice] Opening Socks listener on 127.0.0.1:9050
+May 15 12:00:17.076 [notice] Opened Socks listener on 127.0.0.1:9050
+May 15 12:00:17.076 [notice] Opening DNS listener on 127.0.0.1:53
+May 15 12:00:17.076 [notice] Opened DNS listener on 127.0.0.1:53
+May 15 12:00:17.076 [notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9040
+May 15 12:00:17.076 [notice] Opened Transparent pf/netfilter listener on 127.0.0.1:9040
+May 15 12:00:17.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
+May 15 12:00:17.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
+May 15 12:00:17.000 [notice] Bootstrapped 0%: Starting
+May 15 12:00:18.000 [notice] Starting with guard context "bridges"
+May 15 12:00:18.000 [notice] new bridge descriptor 'voidyt' (cached): $2E73653A148DFFF3CA28D53F0C366936FE554335~voidyt at 10.0.0.195
+May 15 12:00:18.000 [notice] Delaying directory fetches: Pluggable transport proxies still configuring
+May 15 12:00:19.000 [notice] Bootstrapped 5%: Connecting to directory server
+May 15 12:00:19.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
+May 15 12:00:19.000 [notice] Bootstrapped 80%: Connecting to the Tor network
+May 15 12:00:19.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
+May 15 12:00:19.000 [notice] Bootstrapped 100%: Done
+
+root@mail-nihilism:~# systemctl restart tor@default.service
+root@mail-nihilism:~# systemctl status tor@default.service
+● tor@default.service - Anonymizing overlay network for TCP
+     Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; vendor preset: enabled)
+     Active: active (running) since Thu 2022-12-08 12:14:21 CST; 29s ago
+    Process: 3515 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS)
+    Process: 3516 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
+   Main PID: 3517 (tor)
+      Tasks: 8 (limit: 4673)
+     Memory: 25.7M
+        CPU: 1.180s
+     CGroup: /system.slice/system-tor.slice/tor@default.service
+             ├─3517 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
+             └─3518 /usr/bin/obfs4proxy
+
+Dec 08 12:14:22 mail-nihilism Tor[3517]: Bootstrapped 1% (conn_pt): Connecting to pluggable transport
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Opening Control listener on /run/tor/control
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Opened Control listener connection (ready) on /run/tor/control
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 10% (conn_done): Connected to a relay
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 14% (handshake): Handshaking with a relay
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 15% (handshake_done): Handshake with a relay done
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit
+Dec 08 12:14:23 mail-nihilism Tor[3517]: Bootstrapped 100% (done): Done
+
+
+
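
Review bot: The `Bridge obfs4 10.0.1.195:8042` line in this torrc does not agree with the rest of the page: mail.ovpn exempts `route 10.0.0.195 255.255.255.255 net_gateway`, and the bootstrap log printed right below reports the bridge descriptor "at 10.0.0.195" with fingerprint $2E73653A..., not the 6E9324EC... given on the Bridge line. A reader copying both files gets a host route that does not cover the configured bridge. Make the address and fingerprint consistent across the torrc, the log and the OpenVPN profile, and state which machine each capture comes from, since the prompts switch between root@mail and root@mail-nihilism.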

Now that Tor has been set up to use the local Tor relay, we apply the iptables rules:

+

+root@mail:~# ls
+iptables_vpn_tor.sh  mail.ovpn  monitor_tor.sh
+root@mail:~# chmod +x *.sh
+
+root@mail:~# systemctl daemon-reload
+root@mail-nihilism:~# systemctl enable --now tor@default.service tortables
+Synchronizing state of tor.service with SysV service script with /lib/systemd/systemd-sysv-install.
+Executing: /lib/systemd/systemd-sysv-install enable tor
+Created symlink /etc/systemd/system/multi-user.target.wants/tortables.service → /etc/systemd/system/tortables.service.
+root@mail:~# iptables -L
+
+Chain INPUT (policy ACCEPT)
+target     prot opt source               destination
+ACCEPT     all  --  anywhere             anywhere             source IP range 192.168.0.0-192.168.255.255
+ACCEPT     all  --  anywhere             anywhere             source IP range 172.16.0.0-172.31.255.255
+ACCEPT     all  --  anywhere             anywhere             source IP range 10.0.0.0-10.255.255.255
+ACCEPT     all  --  anywhere             anywhere             source IP range 127.0.0.0-127.255.255.255
+ACCEPT     all  --  anywhere             anywhere
+DROP       all  --  anywhere             anywhere
+
+Chain FORWARD (policy ACCEPT)
+target     prot opt source               destination
+
+Chain OUTPUT (policy ACCEPT)
+target     prot opt source               destination
+ACCEPT     all  --  anywhere             anywhere             destination IP range 192.168.0.0-192.168.255.255
+ACCEPT     all  --  anywhere             anywhere             destination IP range 172.16.0.0-172.31.255.255
+ACCEPT     all  --  anywhere             anywhere             destination IP range 10.0.0.0-10.255.255.255
+ACCEPT     all  --  anywhere             anywhere             destination IP range 127.0.0.0-127.255.255.255
+ACCEPT     all  --  anywhere             anywhere
+DROP       all  --  anywhere             anywhere
+	
+
+
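
Review bot: The ruleset is displayed with plain `iptables -L`, which omits the interface columns, so the `ACCEPT all -- anywhere anywhere` rule sitting directly above `DROP` in both INPUT and OUTPUT reads as allow-everything and the reader cannot confirm that traffic outside Tor and the VPN is actually blocked. Show `iptables -S` or `iptables -L -v -n` instead. This block also only lists iptables_vpn_tor.sh and monitor_tor.sh by name and enables a tortables unit without printing any of them; the script and unit contents should sit next to this output. Both chains keep `policy ACCEPT`, so the trailing DROP rule is the only thing enforcing the restriction and a flushed chain fails open.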

And from there we can connect to the VPN server:

+

+root@mail:~# systemctl enable --now vpn torwatch
+Created symlink /etc/systemd/system/multi-user.target.wants/torwatch.service → /etc/systemd/system/torwatch.service.
+root@mail:~# systemctl status vpn torwatch
+
+root@mail:~# systemctl status vpn torwatch
+● vpn.service - VPN
+   Loaded: loaded (/etc/systemd/system/vpn.service; static; vendor preset: enabled)
+   Active: active (running) since Sun 2022-05-15 12:03:26 CEST; 18s ago
+ Main PID: 3144 (openvpn)
+    Tasks: 1 (limit: 2359)
+   Memory: 1.5M
+   CGroup: /system.slice/vpn.service
+           └─3144 /usr/sbin/openvpn /root/mail.ovpn
+
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 ROUTE_GATEWAY 10.0.0.1/255.255.0.0 IFACE=ens18 HWADDR=ee:b5:c9:3a:c3:fe
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 TUN/TAP device tun0 opened
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 TUN/TAP TX queue length set to 100
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip link set dev tun0 up mtu 1500
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 127.0.0.1/32 via 10.0.0.1
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 /sbin/ip route add 10.0.0.195/32 dev ens18
+May 15 12:03:28 mail openvpn[3144]: Sun May 15 12:03:28 2022 Initialization Sequence Completed
+
+● torwatch.service - torwatcher
+   Loaded: loaded (/etc/systemd/system/torwatch.service; enabled; vendor preset: enabled)
+   Active: active (running) since Sun 2022-05-15 12:03:26 CEST; 18s ago
+ Main PID: 3145 (monitor_tor.sh)
+    Tasks: 2 (limit: 2359)
+   Memory: 1.1M
+   CGroup: /system.slice/torwatch.service
+           ├─3145 /bin/bash /root/monitor_tor.sh
+           └─3172 sleep 3
+
+May 15 12:03:26 mail systemd[1]: Started torwatcher.
+May 15 12:03:26 mail monitor_tor.sh[3145]: TESTING
+May 15 12:03:36 mail monitor_tor.sh[3145]: FAIL ( 1 / 2)
+May 15 12:03:39 mail monitor_tor.sh[3145]: TESTING
+May 15 12:03:39 mail monitor_tor.sh[3145]: OK
+May 15 12:03:42 mail monitor_tor.sh[3145]: TESTING
+May 15 12:03:42 mail monitor_tor.sh[3145]: OK
+	
+
+

Now our mail server uses the remote server as a VPN server, but only through Tor, meaning that even if the VPS provider were to check the server logs or the network traffic, they would see that it all came from Tor exit nodes, never from our own public IP.

+
+
+
+
+ +
+
+
+
+

Mail Server Setup



+

Then we set up the mail server itself on the local mail VM, which is now connected to the VPN:

+

+root@mail:~# apt update -y ; apt upgrade -y ; apt install vim tmux curl certbot python3-certbot-nginx nginx  -y
+	
+
+

Then we make sure that the ports are forwarded through the VPN connection:

+

+#on the VPN server we forward the ports to the local VM via iptables:
+
+root@mail-gw:~# cat iptables_forwardrules.sh
+#!/bin/bash
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 25 -j DNAT --to-destination 10.8.0.2:25
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 80 -j DNAT --to-destination 10.8.0.2:80
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 443 -j DNAT --to-destination 10.8.0.2:443
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 143 -j DNAT --to-destination 10.8.0.2:143
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 465 -j DNAT --to-destination 10.8.0.2:465
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 587 -j DNAT --to-destination 10.8.0.2:587
+iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 993 -j DNAT --to-destination 10.8.0.2:993
+
+root@mail:~# chmod +x iptables_forwardrules.sh
+root@mail:~# ./iptables_forwardrules.sh
+
+#from the VM we allow the packets to be forwarded to us:
+
+root@mail-nihilism:~# cat iptables_forwardrules.sh
+#!/bin/bash
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 25 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 143 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 465 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 587 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 993 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 443 -j ACCEPT
+iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 80 -j ACCEPT
+
+root@mail-nihilism:~# chmod +x iptables_forwardrules.sh
+root@mail-nihilism:~# ./iptables_forwardrules.sh
+
+
+
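
Review bot: The second script adds `iptables -A FORWARD -p tcp -d 10.8.0.2 --dport ... -j ACCEPT` on mail-nihilism, but 10.8.0.2 is that VM's own tun0 address, so the DNAT'ed packets are delivered locally and traverse INPUT there, not FORWARD; these seven rules never match. The FORWARD accepts belong on mail-gw next to the PREROUTING DNAT rules, and anything that has to be allowed on the VM should be an INPUT rule. The prompt also changes from root@mail-gw to root@mail for the chmod and run of the gateway script, and both scripts use `-A` with no flush or persistence, so a second run duplicates every rule and a reboot loses them.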

Don't forget to allow IP forwarding on the VPN server:

+

+root@mail-gw:~# sysctl net.ipv4.conf.ens3.forwarding=1
+net.ipv4.conf.ens3.forwarding = 1
+root@mail-gw:~# sysctl net.ipv6.conf.ens3.forwarding=1
+net.ipv6.conf.ens3.forwarding = 1
+root@mail-gw:~# echo " net.ipv6.conf.ens3.forwarding=1" >>/etc/sysctl.conf
+root@mail-gw:~# echo " net.ipv4.conf.ens3.forwarding=1" >>/etc/sysctl.conf
+root@mail-gw:~# sysctl -p
+net.ipv6.conf.ens3.forwarding = 1
+net.ipv4.conf.ens3.forwarding = 1
+
+#for arch users, install libvirt:
+sudo pacman -S libvirt
+vim /etc/sysctl.d/30-ipforward.conf
+cat /etc/sysctl.d/30-ipforward.conf
+net.ipv4.ip_forward=1
+net.ipv6.conf.default.forwarding=1
+net.ipv6.conf.all.forwarding=1
+
+[ nihilism ] [ /dev/pts/1 ] [~]
+→ sysctl net.ipv4.ip_forward=1
+net.ipv4.ip_forward = 1
+
+
+

Then you make sure that your DNS records are set properly:

+ +

Example of the record on a bind9 server:

+

+root@mail-gw:~# cat /var/cache/bind/db.nihilism.network 
+
+mail.nihilism.network.                  IN A       23.137.250.140
+
+
+ +

Then wait for it to propagate:

+

+root@mail-nihilism:~# curl ifconfig.me
+23.137.250.140root@mail-nihilism:~#
+root@mail-nihilism:~# curl ifconfig.me ; echo
+23.137.250.140
+root@mail-nihilism:~# ping mail.nihilism.network
+PING mail.nihilism.network (23.137.250.140) 56(84) bytes of data.
+64 bytes from 23.137.250.140 (23.137.250.140): icmp_seq=1 ttl=64 time=160 ms
+
+--- mail.nihilism.network ping statistics ---
+2 packets transmitted, 1 received, 50% packet loss, time 1001ms
+rtt min/avg/max/mdev = 160.031/160.031/160.031/0.000 ms
+root@mail-nihilism:~# ping nihilism.network
+PING nihilism.network (23.137.250.141) 56(84) bytes of data.
+64 bytes from 23.137.250.141 (23.137.250.141): icmp_seq=1 ttl=63 time=204 ms
+
+
+ +

Once that's done, we prepare nginx, still on the local VM:

+

+root@mail-nihilism:~# rm /etc/nginx/sites-*/default
+
+root@mail-nihilism:~# cat /etc/nginx/sites-available/mail.nihilism.network.conf
+server {
+        listen 80;
+        listen [::]:80;
+        root /var/www/mail;
+
+        index index.html;
+
+        server_name mail.nihilism.network;
+
+        location / {
+                try_files $uri $uri/ =404;
+        }
+}
+
+root@mail-nihilism:~# ln -s /etc/nginx/sites-available/mail.nihilism.network.conf /etc/nginx/sites-enabled/
+
+root@mail-nihilism:~# systemctl restart nginx
+root@mail-nihilism:~# systemctl status nginx
+● nginx.service - A high performance web server and a reverse proxy server
+     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
+     Active: active (running) since Thu 2022-12-08 13:18:14 CST; 19s ago
+       Docs: man:nginx(8)
+    Process: 5903 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
+    Process: 5904 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
+   Main PID: 5905 (nginx)
+      Tasks: 3 (limit: 4673)
+     Memory: 3.2M
+        CPU: 49ms
+     CGroup: /system.slice/nginx.service
+             ├─5905 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
+             ├─5906 nginx: worker process
+             └─5907 nginx: worker process
+
+Dec 08 13:18:14 mail-nihilism systemd[1]: Starting A high performance web server and a reverse proxy server...
+Dec 08 13:18:14 mail-nihilism systemd[1]: Started A high performance web server and a reverse proxy server.
+
+root@mail-nihilism:~# mkdir -p /var/www/mail/
+root@mail-nihilism:~# echo 'Nihilism Network' > /var/www/mail/index.html
+root@mail-nihilism:~# curl 127.0.0.1
+Nihilism Network
+root@mail-nihilism:~# ip a | grep inet
+    inet 127.0.0.1/8 scope host lo
+    inet6 ::1/128 scope host
+    inet 10.0.0.203/16 brd 10.0.255.255 scope global dynamic ens18
+    inet6 fe80::e4e7:41ff:fe70:e9a6/64 scope link
+    inet 10.8.0.2/24 scope global tun0
+    inet6 fe80::18b1:efc9:1ae0:d93f/64 scope link stable-privacy
+
+#from the vpn server:
+root@mail-gw:~# curl 10.8.0.2
+Nihilism Network
+
+
+

Now that's done, we use certbot to get a certificate from the local mail server:

+ +

+root@mail-nihilism:~# certbot --nginx
+Saving debug log to /var/log/letsencrypt/letsencrypt.log
+Plugins selected: Authenticator nginx, Installer nginx
+Enter email address (used for urgent renewal and security notices)
+ (Enter 'c' to cancel): nihilist@nihilism.network
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Please read the Terms of Service at
+https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
+agree in order to register with the ACME server. Do you agree?
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+(Y)es/(N)o: Y
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Would you be willing, once your first certificate is successfully issued, to
+share your email address with the Electronic Frontier Foundation, a founding
+partner of the Let's Encrypt project and the non-profit organization that
+develops Certbot? We'd like to send you email about our work encrypting the web,
+EFF news, campaigns, and ways to support digital freedom.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+(Y)es/(N)o: N
+Account registered.
+
+Which names would you like to activate HTTPS for?
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+1: mail.nihilism.network
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Select the appropriate numbers separated by commas and/or spaces, or leave input
+blank to select all options shown (Enter 'c' to cancel):
+Requesting a certificate for mail.nihilism.network
+Performing the following challenges:
+http-01 challenge for mail.nihilism.network
+Waiting for verification...
+Cleaning up challenges
+Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mail.nihilism.network.conf
+Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/mail.nihilism.network.conf
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Congratulations! You have successfully enabled https://mail.nihilism.network
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+IMPORTANT NOTES:
+ - Congratulations! Your certificate and chain have been saved at:
+   /etc/letsencrypt/live/mail.nihilism.network/fullchain.pem
+   Your key file has been saved at:
+   /etc/letsencrypt/live/mail.nihilism.network/privkey.pem
+   Your certificate will expire on 2023-03-08. To obtain a new or
+   tweaked version of this certificate in the future, simply run
+   certbot again with the "certonly" option. To non-interactively
+   renew *all* of your certificates, run "certbot renew"
+ - If you like Certbot, please consider supporting our work by:
+
+   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
+   Donating to EFF:                    https://eff.org/donate-le
+
+root@mail-nihilism:~# cat /etc/nginx/sites-available/mail.nihilism.network.conf
+server {
+        root /var/www/mail;
+
+        index index.html;
+
+        server_name mail.nihilism.network;
+
+        location / {
+                try_files $uri $uri/ =404;
+        }
+
+    listen [::]:443 ssl ipv6only=on; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/mail.nihilism.network/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/mail.nihilism.network/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+server {
+    if ($host = mail.nihilism.network) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+        listen 80;
+        listen [::]:80;
+
+        server_name mail.nihilism.network;
+    return 404; # managed by Certbot
+
+
+ +

And that's it! Now we can proceed with creating the mail server locally:

+

+root@mail-nihilism:~# wget https://raw.githubusercontent.com/LukeSmithxyz/emailwiz/master/emailwiz.sh -O emailwiz.sh
+--2022-12-08 13:27:42--  https://raw.githubusercontent.com/LukeSmithxyz/emailwiz/master/emailwiz.sh
+Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
+Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 13320 (13K) [text/plain]
+Saving to: ‘emailwiz.sh’
+
+emailwiz.sh                                                 100%[==========================================================================================================================================>]  13.01K  --.-KB/s    in 0.06s
+
+2022-12-08 13:27:44 (225 KB/s) - ‘emailwiz.sh’ saved [13320/13320]
+
+root@mail-nihilism:~# chmod +x emailwiz.sh
+root@mail-nihilism:~# sh emailwiz.sh
+	
+
+ +
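
Review bot: emailwiz.sh is fetched from the `master` branch and run as root straight away with `sh emailwiz.sh`, so the tutorial executes whatever that branch contains on the day the reader follows it, which may not be the 13320-byte script captured in this output. Pin the URL to a specific commit and tell the reader to read the script, or compare it against a recorded checksum, before running it. The `chmod +x emailwiz.sh` line is unnecessary when the script is invoked through `sh`.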

(putting the TLD instead of mail.nihilism.network here is intentional)

+ +

If it complains with the error "Please point your domain (nihilism.network) to your server's ipv4 address", do the following:

+

+#add it into your /etc/hosts
+
+vim /etc/hosts
+cat /etc/hosts | grep nihilism.network
+23.137.250.140 nihilism.network
+
+#add it into your DNS zone too (ex in bind9 below):
+
+
+ +

Then we edit the DNS records as described above:

+ + + + +

Here's how you can set it up on a bind9 DNS server:

+

+$TTL    604800
+@       IN      SOA     ns1.nihilism.network. nihilist.nihilism.network. (
+                 33     ; Serial
+             604800     ; Refresh
+              86400     ; Retry
+            2419200     ; Expire
+             604800 )   ; Negative Cache TTL
+;
+; name servers - NS records
+                3600     IN      NS      ns1.nihilism.network.
+                3600     IN      NS      ns2.nihilism.network.
+                3600     IN      A      23.137.250.141
+                3600     IN      AAAA      fe80::216:3eff:fe6c:c335
+
+; mail-gw services
+@                                       IN MX      0 mail.nihilism.network.
+nihilism.network.                       IN TXT     "v=spf1 mx a:mail.nihilism.network -all"
+mail.nihilism.network.                  IN A       23.137.250.140
+mail._domainkey.nihilism.network.       IN TXT     (
+                                                "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu94n6zyhzWLZZrgvRq5HrSAh29TRi"
+                                                "jw6AXzFoJeahRPoAnJ3njOfOgbCzxUsVNO1L2+NX2P5iZMkdiVtB7rE71wUutegAb0wCDY5k5RNLUlAThxdlou0ro37H"
+                                                "SWK5GRAcEFKm1iab63uTtAXtIvZDPLYMxZMIUq4osxYEgAXY4BCzFBCyfohvr+eGd/kPbfOC9f7jrBnFiOVllnB+yPQKe"
+                                                "XwPeVlPrw68muFiVg4vWfMMzayINQgC12d73hKVZIwD8T6V9Kznv0dPi929CDWns2alU2dZypVSHxWm3BZyb4SCobdrFNW"
+                                                "xfzb1dz7n6/ms5u0EVAKU9ufGOgS4A70oQIDAQAB")
+_dmarc.nihilism.network.                IN TXT     "v=DMARC1; p=reject; rua=mailto:dmarc@nihilism.network; fo=1"
+
+[...]
+
+
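
Review bot: The apex record `3600 IN AAAA fe80::216:3eff:fe6c:c335` publishes a link-local address, which is only valid on the server's own network segment and cannot be reached by anyone who resolves the name; replace it with the host's global IPv6 address or drop the record. The apex A and AAAA records also sit under the comment "name servers - NS records", which mislabels them. For the multi-line `mail._domainkey` record, the accompanying text should give the reason for the split: a single TXT character-string is limited to 255 bytes by the DNS format itself, so the quoted chunks are needed on any server and are concatenated by the verifier.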

Please note that on average the DNS records need 1-2 days to propagate fully throughout the world, so be patient once you've made the changes. Also note that the DKIM record is split across multiple lines: bind9 enforces a length limit for some reason, and the above is how I managed to get around that restriction.

+

Then we add our first user:

+

+root@mail-nihilism:~#  useradd -G mail -m nihilist
+useradd: user 'nihilist' already exists
+root@mail-nihilism:~# id nihilist
+uid=1000(nihilist) gid=1000(nihilist) groups=1000(nihilist),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
+root@mail-nihilism:~# passwd nihilist
+New password:
+Retype new password:
+passwd: password updated successfully
+
+root@mail:~# apt install nmap -y
+
+root@mail-nihilism:~# nmap 127.0.0.1
+Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-08 13:49 CST
+Nmap scan report for localhost (127.0.0.1)
+Host is up (0.000026s latency).
+Not shown: 989 closed ports
+PORT     STATE SERVICE
+22/tcp   open  ssh
+25/tcp   open  smtp
+80/tcp   open  http
+143/tcp  open  imap
+443/tcp  open  https
+465/tcp  open  smtps
+587/tcp  open  submission
+783/tcp  open  spamassassin
+993/tcp  open  imaps
+9040/tcp open  tor-trans
+9050/tcp open  tor-socks
+
+Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
+root@mail-nihilism:~# nmap 10.0.0.202
+Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-08 13:49 CST
+Nmap scan report for 10.0.0.202
+Host is up (0.000097s latency).
+Not shown: 992 closed ports
+PORT    STATE SERVICE
+22/tcp  open  ssh
+25/tcp  open  smtp
+80/tcp  open  http
+143/tcp open  imap
+443/tcp open  https
+465/tcp open  smtps
+587/tcp open  submission
+993/tcp open  imaps
+MAC Address: EE:B5:C9:3A:C3:FE (Unknown)
+
+
+
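
Review bot: `useradd -G mail -m nihilist` fails here with "user 'nihilist' already exists", and the `id nihilist` output right after it lists no `mail` group, so the step this block is meant to perform never happens. For an account that already exists use `usermod -aG mail nihilist`, then show `id nihilist` again to confirm the membership. The `apt install nmap` line is also captured on root@mail while the rest of the block is on root@mail-nihilism.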

The ports we need are ready to be used locally, so let's log in:

+

+[ 10.66.66.2/32 ] [ /dev/pts/38 ] [~]
+→ sudo pacman -S thunderbird
+
+[ 10.66.66.2/32 ] [ /dev/pts/38 ] [~]
+→ thunderbird
+	
+
+

Then test it on thunderbird:

+ + +

And that's it! We managed to connect! Now we test if the mail works:

+ +

(You probably guessed it: I accessed protonmail via Tor to make sure I don't leak any personal info.) Mail sent to the VPS gets properly routed through the OpenVPN connection, which is itself carried over Tor.

+ +
+
+
+
+ +
+
+
+
+

Miscellaneous



+

If you want to use PGP encryption, you can do it manually in your terminal. Please see this tutorial to learn how.

+

However, there's a way to do it in Thunderbird:

+ +

If you don't have one, you can click "create a new OpenPGP key", but I have one so I'll just import it:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --output ~/.nihilist.privkey --export-secret-keys nihilist@nihilism.network
+
+
+ + + +

So from here you can copy your public key and paste it wherever you want, for example on your website, so that the users who want to message you will be able to encrypt their messages. Also add the following settings in thunderbird to automatically encrypt messages you wish to send out:

+ +

Now let's test it:

+ +

As you can see, by default you don't have the destination's PGP key, so for this first mail we won't encrypt it and we'll see how it looks on the receiver's end:

+ + +

Now we see that the receiver got the unencrypted message, with our PGP signature as an attachment. The recipient can now save it and use it to encrypt his messages to us.

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --gen-key
+gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
+
+GnuPG needs to construct a user ID to identify your key.
+
+Real name: nothing
+Email address: nothing@void.yt
+You selected this USER-ID:
+    "nothing <nothing@void.yt>"
+
+Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+gpg: revocation certificate stored as '/home/nothing/.gnupg/openpgp-revocs.d/95FC37D748FA891A9C33B821CF39FCDC8049F9FE.rev'
+public and secret key created and signed.
+
+pub   rsa3072 2022-12-10 [SC] [expires: 2024-12-09]
+      95FC37D748FA891A9C33B821CF39FCDC8049F9FE
+uid                      nothing <nothing@void.yt>
+sub   rsa3072 2022-12-10 [E] [expires: 2024-12-09]
+
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --output ~/.nothing.privkey --export-secret-keys nothing@void.yt
+
+
+
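
Review bot: `gpg --output ~/.nothing.privkey --export-secret-keys nothing@void.yt`, like the earlier `~/.nihilist.privkey` export, leaves a copy of the secret key as a plain file in the home directory, and no later step removes it once Thunderbird has imported it. Add a step that deletes the exported file after a successful import, and note that the exported copy is only as well protected as the key's passphrase. The `--gen-key` transcript also repeats the "We need to generate a lot of random bytes" paragraph twice; that is normal gpg output for the primary key and subkey, and a one-line remark would stop readers thinking the capture is duplicated.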

Now the user nothing can use his PGP key and import it into Thunderbird as well:

+ + + +

Same as before, the user nothing now also has E2E encryption set up, so let's send a reply to nihilist, this time encrypted:

+ +

And that's it! We managed to set up a mail service whose origin is unknown from the cloud provider's perspective, and which is able to send and receive E2EE mails to prevent any unauthorized third party from seeing the mails' content.

+ + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + + diff --git a/servers/mailprivate/network.graphml b/servers/mailprivate/network.graphml new file mode 100644 index 0000000..a300b60 --- /dev/null +++ b/servers/mailprivate/network.graphml 
@@ -0,0 +1,1771 @@ + + + + + + + + + + + + + + + + + + + + + + + + local mail +server VM + + + + + + + + + + + + + + + Home +hypervisor + + + + + + + + + + + + + + + local tor +bridge VM + + + + + + + + + + + + + + + ports 25, 80, 443, 143, 587, 993 + + + + + + + + + + + + OpenVPN TCP Tunnel + + + + + + + + + + + + Home +WAN + + + + + + + + + + + + + + + TOR local SOCKS5 Proxy + + + + + + + + + + + + local tor bridge node + + + + + + + + + + + + non-KYC cloud +provider's WAN + + + + + + + + + + + + + + + mail gateway +server + + + + + + + + + + + + + + + OpenVPN TCP Server + + + + + + + + + + + + ports 25, 80, 443, 143, 587, 993 + + + + + + + + + + + + mails to be sent + + + + + + + + + + + + mails to be recieved + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + non-KYC cloud +provider staff + + + + + + + + + + + + + + + authorities + + + + + + + + + + + + + + + Who owns this server ? +> a user who signed up via tor, and paid via Monero + +What is his account email address ? +> a protonmail address which he also created via tor + +What is on this server ? +>nothing except iptables and an openvpn TCP server + +What traffic did you capture ? +>mails in and out, they are PGP encrypted, cannot be decrypted + +From what domain does the mail originate from ? +>from a domain which the user also bought using Monero. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + forwarded via iptables + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + force OpenVPN to +go through TOR + + + + + + + + + + + + + + + + + + + + + + + connecting to a +local bridge +to prevent any +network sniffing + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + iptables port +forwarding + + + + + + + + + + + + + + + + + + + <?xml version="1.0" encoding="utf-8"?> +<svg version="1.1" + xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" + x="0px" y="0px" width="36px" height="57px" viewBox="0 -0.741 36 57" enable-background="new 0 -0.741 36 57" + xml:space="preserve"> +<defs> +</defs> +<linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="230.1768" y1="798.6021" x2="180.3346" y2="798.6021" gradientTransform="matrix(1 0 0 1 -195.2002 -770.8008)"> + <stop offset="0" style="stop-color:#4D4D4D"/> + <stop offset="1" style="stop-color:#8D8D8D"/> +</linearGradient> +<rect y="0.943" fill="url(#SVGID_1_)" width="34.977" height="53.716"/> +<linearGradient id="SVGID_2_" gradientUnits="userSpaceOnUse" x1="224.6807" y1="798.6021" x2="200.6973" y2="798.6021" gradientTransform="matrix(1 0 0 1 -195.2002 -770.8008)"> + <stop offset="0.0319" style="stop-color:#848484"/> + <stop offset="0.1202" style="stop-color:#8C8C8C"/> + <stop offset="0.308" style="stop-color:#969696"/> + <stop offset="0.5394" style="stop-color:#999999"/> + <stop offset="0.5501" style="stop-color:#9C9C9C"/> + <stop offset="0.6256" style="stop-color:#B0B0B0"/> + <stop offset="0.7118" style="stop-color:#BEBEBE"/> + <stop offset="0.8178" style="stop-color:#C7C7C7"/> + <stop offset="1" style="stop-color:#C9C9C9"/> +</linearGradient> +<path fill="url(#SVGID_2_)" 
d="M5.497,0.943c7.945-1.258,16.04-1.258,23.983,0c0,17.905,0,35.811,0,53.716 + c-7.943,1.258-16.039,1.258-23.983,0C5.497,36.753,5.497,18.848,5.497,0.943z"/> +<path fill="#515151" d="M5.497,14.621c7.995,0,15.989,0,23.983,0c0,13.346,0,26.693,0,40.037c-7.943,1.258-16.039,1.258-23.983,0 + C5.497,41.314,5.497,27.967,5.497,14.621z"/> +<path opacity="0.43" fill="#565656" d="M5.497,4.745c7.982-0.628,16.001-0.628,23.983,0c0,2.707,0,5.413,0,8.12 + c-7.994,0-15.989,0-23.983,0C5.497,10.158,5.497,7.452,5.497,4.745z"/> +<path opacity="0.43" fill="none" stroke="#4D4D4D" stroke-width="0.0999" stroke-miterlimit="10" d="M5.497,4.745 + c7.982-0.628,16.001-0.628,23.983,0c0,2.707,0,5.413,0,8.12c-7.994,0-15.989,0-23.983,0C5.497,10.158,5.497,7.452,5.497,4.745z"/> +<polygon opacity="0.43" fill="#565656" stroke="#4D4D4D" stroke-width="0.0135" stroke-miterlimit="10" enable-background="new " points=" + 6.496,5.746 9.869,5.606 9.869,6.661 6.496,6.799 "/> +<rect x="31.307" y="2.517" fill="#E7ED00" stroke="#717171" stroke-width="0.1926" stroke-miterlimit="10" width="3.692" height="1.505"/> +<rect x="31.307" y="5.8" fill="#C8FF00" stroke="#717171" stroke-width="0.1926" stroke-miterlimit="10" width="3.692" height="1.507"/> +<linearGradient id="SVGID_3_" gradientUnits="userSpaceOnUse" x1="29.4414" y1="35.1235" x2="5.4995" y2="35.1235"> + <stop offset="0" style="stop-color:#808080"/> + <stop offset="0.1907" style="stop-color:#828282"/> + <stop offset="0.2955" style="stop-color:#8A8A8A"/> + <stop offset="0.3795" style="stop-color:#989898"/> + <stop offset="0.4524" style="stop-color:#ACACAC"/> + <stop offset="0.5175" style="stop-color:#C5C5C5"/> + <stop offset="0.5273" style="stop-color:#C9C9C9"/> + <stop offset="0.5914" style="stop-color:#C9C9C9"/> + <stop offset="0.9681" style="stop-color:#C9C9C9"/> +</linearGradient> +<path fill="url(#SVGID_3_)" d="M5.5,14.822c0,13.22,0,26.438,0,39.66c7.931,1.256,16.012,1.256,23.941,0c0-13.222,0-26.439,0-39.66 + C21.461,14.822,13.48,14.822,5.5,14.822z 
M28.396,18.703c-0.74,0.01-1.482,0.02-2.225,0.029c0-0.951,0-1.901-0.001-2.85 + c0.742-0.003,1.483-0.005,2.224-0.008C28.396,16.817,28.396,17.76,28.396,18.703z M16.354,42.496c0-0.961,0-1.924,0-2.885 + c0.744,0.006,1.489,0.006,2.233,0c0,0.961,0,1.924,0,2.885C17.843,42.503,17.098,42.503,16.354,42.496z M18.587,43.568 + c0,0.955,0,1.91,0,2.866c-0.744,0.009-1.489,0.009-2.234,0c0-0.956,0-1.911,0-2.866C17.098,43.574,17.843,43.574,18.587,43.568z + M18.586,27.742c0,0.961,0,1.922,0,2.886c-0.744,0.004-1.488,0.004-2.231,0c0-0.964,0-1.925,0-2.886 + C17.099,27.746,17.842,27.746,18.586,27.742z M16.354,26.671c0-0.955,0-1.91,0-2.865c0.743,0.002,1.487,0.002,2.23,0 + c0,0.955,0,1.91,0,2.865C17.842,26.675,17.099,26.675,16.354,26.671z M16.354,34.583c0-0.961,0-1.924,0-2.885 + c0.744,0.004,1.488,0.004,2.231,0c0,0.961,0,1.924,0,2.885C17.842,34.588,17.099,34.588,16.354,34.583z M18.586,35.656 + c0,0.961,0,1.924,0.001,2.885c-0.745,0.008-1.489,0.008-2.233,0c0-0.961,0-1.924,0-2.885C17.099,35.66,17.842,35.66,18.586,35.656z + M15.307,30.619c-0.742-0.01-1.484-0.021-2.227-0.039c0-0.957,0-1.916,0-2.875c0.742,0.014,1.485,0.023,2.226,0.029 + C15.307,28.695,15.307,29.656,15.307,30.619z M15.307,31.689c0,0.961,0,1.924,0,2.885c-0.742-0.012-1.485-0.025-2.227-0.047 + c0-0.959,0.001-1.92,0.001-2.877C13.822,31.667,14.565,31.68,15.307,31.689z M15.307,35.644c0,0.959,0,1.922-0.001,2.883 + c-0.742-0.012-1.485-0.031-2.228-0.056c0-0.959,0.001-1.918,0.001-2.877C13.821,35.617,14.564,35.633,15.307,35.644z M15.306,39.597 + c0,0.96,0,1.922,0,2.883c-0.742-0.016-1.486-0.037-2.228-0.064c0-0.959,0-1.916,0.001-2.877 + C13.82,39.564,14.563,39.585,15.306,39.597z M19.637,39.597c0.742-0.012,1.484-0.033,2.227-0.059c0,0.959,0,1.918,0,2.875 + c-0.741,0.029-1.483,0.052-2.227,0.064C19.637,41.519,19.637,40.559,19.637,39.597z M19.637,38.527c0-0.961,0-1.924,0-2.883 + c0.74-0.012,1.482-0.027,2.225-0.05c0,0.959,0,1.918,0.002,2.876C21.121,38.496,20.377,38.515,19.637,38.527z M19.637,34.572 + 
c0-0.961,0-1.922-0.002-2.883c0.741-0.01,1.483-0.021,2.225-0.039c0.002,0.957,0.002,1.916,0.002,2.875 + C21.119,34.547,20.376,34.564,19.637,34.572z M19.635,30.619c0-0.963,0-1.924,0-2.885c0.74-0.006,1.483-0.017,2.225-0.029 + c0,0.959,0,1.916,0,2.875C21.118,30.599,20.376,30.609,19.635,30.619z M19.633,26.666c0-0.955,0-1.909,0-2.864 + c0.741-0.005,1.483-0.013,2.227-0.021c0,0.951,0,1.903,0,2.856C21.118,26.65,20.375,26.66,19.633,26.666z M19.633,22.732 + c-0.001-0.963-0.001-1.924-0.001-2.885c0.741-0.002,1.483-0.006,2.226-0.012c0,0.959,0.002,1.918,0.002,2.877 + C21.116,22.72,20.374,22.728,19.633,22.732z M18.586,22.736c-0.744,0.002-1.487,0.002-2.23,0c0-0.963,0-1.924,0-2.887 + c0.743,0.002,1.487,0.002,2.23,0C18.586,20.813,18.586,21.773,18.586,22.736z M15.309,22.732c-0.742-0.004-1.483-0.012-2.226-0.02 + c0-0.959,0.001-1.918,0.001-2.877c0.742,0.006,1.484,0.01,2.226,0.012C15.31,20.808,15.309,21.769,15.309,22.732z M15.309,23.801 + c0,0.955,0,1.91,0,2.864c-0.742-0.006-1.483-0.016-2.227-0.027c0-0.953,0-1.906,0-2.859C13.825,23.789,14.566,23.796,15.309,23.801z + M12.036,26.617c-0.742-0.017-1.483-0.033-2.225-0.055c0-0.947,0-1.895,0.001-2.841c0.741,0.019,1.483,0.031,2.225,0.042 + C12.037,24.716,12.036,25.666,12.036,26.617z M12.035,27.683c0,0.957,0,1.916,0,2.873c-0.742-0.021-1.483-0.047-2.225-0.076 + c0-0.953,0-1.904,0-2.857C10.552,27.646,11.293,27.667,12.035,27.683z M12.035,31.621c0,0.957-0.001,1.914-0.001,2.871 + c-0.742-0.023-1.483-0.055-2.224-0.092c0-0.953,0-1.906,0-2.859C10.551,31.572,11.292,31.6,12.035,31.621z M12.033,35.56 + c0,0.956-0.001,1.914-0.001,2.871c-0.742-0.031-1.484-0.066-2.225-0.111c0-0.953,0.001-1.906,0.001-2.858 + C10.549,35.5,11.291,35.533,12.033,35.56z M12.031,39.498c0,0.955,0,1.914-0.001,2.869c-0.742-0.035-1.484-0.078-2.225-0.129 + c0-0.953,0-1.904,0.001-2.857C10.547,39.426,11.289,39.465,12.031,39.498z M12.03,43.435c0,0.951-0.001,1.901-0.001,2.854 + c-0.742-0.041-1.484-0.09-2.225-0.149c0-0.944,0.001-1.892,0.001-2.838C10.546,43.353,11.288,43.4,12.03,43.435z 
M13.077,43.482 + c0.743,0.031,1.486,0.053,2.228,0.067c0,0.956,0,1.91,0,2.864c-0.742-0.016-1.486-0.041-2.229-0.074 + C13.077,45.389,13.077,44.435,13.077,43.482z M15.305,47.486c0,0.961,0,1.922,0,2.883c-0.743-0.019-1.487-0.047-2.23-0.084 + c0-0.959,0-1.918,0.001-2.875C13.818,47.443,14.562,47.468,15.305,47.486z M16.353,47.504c0.745,0.009,1.49,0.009,2.234,0 + c0.001,0.96,0.001,1.924,0.001,2.883c-0.745,0.011-1.49,0.011-2.235,0C16.353,49.427,16.353,48.464,16.353,47.504z M19.639,47.486 + c0.741-0.018,1.483-0.043,2.227-0.076c0,0.957,0.002,1.916,0.002,2.875c-0.742,0.037-1.486,0.065-2.229,0.084 + C19.639,49.406,19.639,48.447,19.639,47.486z M19.637,46.414c0-0.954,0-1.908,0-2.864c0.742-0.015,1.484-0.036,2.229-0.067 + c0,0.953,0,1.905,0,2.857C21.122,46.373,20.379,46.398,19.637,46.414z M22.911,43.435c0.741-0.035,1.483-0.082,2.224-0.135 + c0,0.945,0,1.895,0.002,2.838c-0.74,0.059-1.482,0.107-2.226,0.15C22.911,45.336,22.911,44.386,22.911,43.435z M22.911,42.369 + c-0.001-0.957-0.001-1.914-0.002-2.871c0.741-0.032,1.483-0.069,2.225-0.117c0,0.954,0.001,1.906,0.001,2.857 + C24.395,42.289,23.652,42.333,22.911,42.369z M22.909,38.431c0-0.957-0.001-1.915-0.001-2.871c0.742-0.027,1.482-0.061,2.224-0.098 + c0.001,0.951,0.001,1.904,0.001,2.857C24.393,38.363,23.65,38.4,22.909,38.431z M22.908,34.494c0-0.957-0.002-1.916-0.002-2.871 + c0.742-0.021,1.482-0.051,2.225-0.079c0,0.952,0,1.903,0.001,2.856C24.391,34.437,23.648,34.468,22.908,34.494z M22.906,30.556 + c0-0.957,0-1.916-0.002-2.873c0.742-0.016,1.484-0.037,2.226-0.061c0,0.953,0.001,1.904,0.001,2.857 + C24.391,30.509,23.648,30.535,22.906,30.556z M22.904,26.617c0-0.951,0-1.901,0-2.854c0.74-0.011,1.482-0.025,2.224-0.042 + c0,0.946,0.001,1.894,0.001,2.841C24.389,26.583,23.646,26.601,22.904,26.617z M22.902,22.699c0-0.957,0-1.916,0-2.874 + c0.742-0.007,1.482-0.014,2.225-0.023c0.001,0.953,0.001,1.906,0.001,2.859C24.387,22.676,23.646,22.689,22.902,22.699z + 
M22.902,18.76C22.9,17.802,22.9,16.845,22.9,15.887c0.742,0,1.481-0.003,2.225-0.004c0.001,0.953,0.001,1.906,0.002,2.858 + C24.385,18.75,23.643,18.756,22.902,18.76z M21.855,18.767c-0.742,0.004-1.482,0.007-2.225,0.009c0-0.961,0-1.922,0-2.884 + c0.741,0,1.482-0.001,2.225-0.002C21.855,16.849,21.855,17.808,21.855,18.767z M18.585,18.779c-0.743,0.001-1.486,0.001-2.229,0 + c0-0.961,0-1.923,0-2.885c0.742,0,1.486,0,2.229,0C18.585,16.855,18.585,17.817,18.585,18.779z M15.31,18.777 + c-0.742-0.002-1.483-0.005-2.225-0.009c0-0.959,0-1.918,0-2.877c0.742,0,1.483,0.001,2.225,0.002 + C15.31,16.854,15.31,17.815,15.31,18.777z M12.039,18.76c-0.742-0.005-1.483-0.011-2.225-0.019c0-0.953,0-1.905,0.001-2.858 + c0.742,0.001,1.483,0.004,2.224,0.004C12.039,16.845,12.039,17.803,12.039,18.76z M12.039,19.827c0,0.957-0.001,1.915-0.001,2.872 + c-0.741-0.01-1.483-0.021-2.224-0.035c0-0.953,0-1.906,0-2.859C10.555,19.813,11.296,19.819,12.039,19.827z M8.768,22.64 + c-0.741-0.018-1.482-0.035-2.223-0.057c0-0.943,0-1.887,0-2.831c0.741,0.013,1.482,0.025,2.223,0.036 + C8.768,20.739,8.768,21.689,8.768,22.64z M8.767,23.697c0,0.944,0,1.89,0,2.832c-0.741-0.024-1.482-0.053-2.223-0.084 + c0-0.938,0-1.873,0-2.811C7.284,23.658,8.026,23.679,8.767,23.697z M8.766,27.587c0,0.949-0.001,1.898-0.001,2.85 + c-0.74-0.033-1.481-0.068-2.222-0.111c0-0.942,0-1.887,0-2.83C7.284,27.529,8.025,27.56,8.766,27.587z M8.765,31.494 + c0,0.951-0.001,1.9-0.001,2.852c-0.74-0.04-1.481-0.087-2.221-0.139c0-0.943,0-1.887,0-2.831C7.283,31.42,8.023,31.459,8.765,31.494 + z M8.763,35.404c0,0.949,0,1.899,0,2.851c-0.741-0.052-1.481-0.104-2.22-0.168c0-0.942,0-1.886,0-2.829 + C7.282,35.31,8.022,35.361,8.763,35.404z M8.762,39.312c0,0.949,0,1.899-0.001,2.852c-0.741-0.059-1.48-0.123-2.219-0.195 + c0-0.943,0-1.889,0-2.83C7.281,39.203,8.021,39.26,8.762,39.312z M8.76,43.219c0,0.944,0,1.888-0.001,2.832 + c-0.74-0.065-1.479-0.14-2.218-0.224c0-0.938,0-1.875,0-2.812C7.281,43.092,8.02,43.16,8.76,43.219z M8.759,47.109 + 
c0,0.951,0,1.9,0,2.851c-0.741-0.073-1.48-0.158-2.219-0.253c0-0.942,0-1.887,0-2.828C7.279,46.964,8.019,47.039,8.759,47.109z + M9.804,47.201c0.741,0.06,1.483,0.111,2.224,0.154c0,0.955,0,1.912,0,2.868c-0.742-0.045-1.484-0.103-2.225-0.166 + C9.804,49.107,9.804,48.154,9.804,47.201z M12.027,51.291c0,0.957,0,1.916,0,2.873c-0.742-0.053-1.484-0.114-2.225-0.188 + c0-0.951,0.001-1.904,0.001-2.857C10.544,51.187,11.285,51.244,12.027,51.291z M13.075,51.353c0.743,0.039,1.486,0.067,2.229,0.086 + c0,0.961,0,1.922,0,2.885c-0.743-0.021-1.487-0.053-2.229-0.094C13.075,53.269,13.075,52.312,13.075,51.353z M16.353,51.459 + c0.745,0.009,1.49,0.009,2.235,0c0,0.961,0,1.924,0,2.885c-0.745,0.013-1.491,0.013-2.235,0 + C16.353,53.382,16.353,52.42,16.353,51.459z M19.639,51.439c0.741-0.019,1.485-0.049,2.229-0.086c0,0.959,0,1.92,0.001,2.877 + c-0.743,0.041-1.485,0.072-2.229,0.094C19.639,53.361,19.639,52.4,19.639,51.439z M22.913,51.291 + c0.743-0.047,1.483-0.104,2.226-0.172c0,0.953,0,1.906,0,2.857c-0.74,0.073-1.481,0.135-2.224,0.188 + C22.914,53.205,22.914,52.248,22.913,51.291z M22.913,50.224c-0.001-0.956-0.001-1.912-0.001-2.869 + c0.742-0.043,1.484-0.095,2.225-0.154c0,0.953,0,1.906,0.002,2.857C24.396,50.123,23.654,50.179,22.913,50.224z M26.184,47.109 + c0.739-0.066,1.479-0.145,2.217-0.229c0,0.942,0,1.887,0,2.83c-0.736,0.092-1.478,0.177-2.217,0.252 + C26.184,49.009,26.184,48.06,26.184,47.109z M26.184,46.051c-0.002-0.944-0.002-1.888-0.002-2.832 + c0.739-0.06,1.48-0.127,2.219-0.202c0,0.938,0,1.873,0,2.811C27.662,45.912,26.923,45.986,26.184,46.051z M26.182,42.162 + c0-0.95-0.002-1.9-0.002-2.85c0.74-0.052,1.48-0.109,2.219-0.176c0.002,0.943,0.002,1.887,0.002,2.83 + C27.662,42.039,26.921,42.105,26.182,42.162z M26.18,38.253c0-0.95,0-1.9-0.002-2.852c0.742-0.041,1.482-0.093,2.221-0.146 + c0,0.942,0,1.887,0,2.829C27.66,38.15,26.92,38.203,26.18,38.253z M26.178,34.345c0-0.949,0-1.898,0-2.852 + c0.74-0.034,1.481-0.073,2.221-0.117c0,0.943,0,1.887,0,2.83C27.659,34.258,26.918,34.305,26.178,34.345z M26.177,30.437 + 
c0-0.949,0-1.9-0.001-2.85c0.741-0.027,1.481-0.059,2.221-0.092c0,0.943,0.002,1.888,0.002,2.83 + C27.659,30.367,26.918,30.404,26.177,30.437z M26.176,26.529c-0.001-0.942-0.001-1.888-0.001-2.832 + c0.742-0.018,1.482-0.039,2.222-0.063c0,0.938,0,1.873,0,2.811C27.657,26.476,26.917,26.503,26.176,26.529z M26.174,22.64 + c0-0.951-0.001-1.901-0.001-2.851c0.741-0.01,1.483-0.022,2.224-0.035c0,0.943,0,1.886,0,2.831 + C27.657,22.605,26.915,22.623,26.174,22.64z M8.769,15.881c0,0.95,0,1.9-0.001,2.85c-0.741-0.008-1.482-0.018-2.223-0.028 + c0-0.943,0-1.887,0-2.83C7.286,15.876,8.028,15.878,8.769,15.881z M6.54,50.758c0.738,0.097,1.478,0.183,2.218,0.258 + c0,0.95,0,1.901,0,2.853c-0.741-0.084-1.48-0.178-2.218-0.28C6.54,52.646,6.54,51.701,6.54,50.758z M26.184,53.869 + c0-0.95,0-1.899,0-2.853c0.739-0.075,1.479-0.163,2.217-0.259c0.002,0.941,0.002,1.889,0.002,2.83 + C27.663,53.693,26.925,53.785,26.184,53.869z"/> +<path id="highlight_2_" opacity="0.17" fill="#FFFFFF" enable-background="new " d="M0,0.943h5.497c0,0,6.847-0.943,11.974-0.943 + C22.6,0,29.48,0.943,29.48,0.943h5.496v41.951c0,0-12.076-0.521-18.623-2.548C9.807,38.32,0,30.557,0,30.557V0.943z"/> +</svg> + + <?xml version="1.0" encoding="utf-8"?> +<svg version="1.1" + xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" + x="0px" y="0px" width="43px" height="43px" viewBox="-0.751 -0.597 43 43" enable-background="new -0.751 -0.597 43 43" + xml:space="preserve"> +<defs> +</defs> +<radialGradient id="SVGID_1_" cx="216.2563" cy="775.959" r="29.184" gradientTransform="matrix(1 0 0 1 -195.2002 -770.8008)" gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#D9F1FF"/> + <stop offset="1" style="stop-color:#3C89C9"/> +</radialGradient> +<circle fill="url(#SVGID_1_)" cx="20.86" cy="20.86" r="19.593"/> +<path fill="#3C89C9" d="M38.507,16.634C38.525,16.57,38.364,16.662,38.507,16.634L38.507,16.634z"/> +<path fill="#3C89C9" d="M38.466,21.362C38.209,21.355,38.466,21.42,38.466,21.362L38.466,21.362z"/> +<path 
fill="#3C89C9" d="M36.857,22.39C36.86,22.637,37.057,22.428,36.857,22.39L36.857,22.39z"/> +<path fill="#3C89C9" d="M38.532,22.418C38.281,22.42,38.547,22.477,38.532,22.418L38.532,22.418z"/> +<path fill="#3C89C9" d="M37.04,22.552C37.179,22.552,37.117,22.351,37.04,22.552L37.04,22.552z"/> +<path fill="#3C89C9" d="M36.619,22.174C36.93,22.26,36.62,22.031,36.619,22.174L36.619,22.174z"/> +<path fill="#3C89C9" d="M37.475,17.291c0.146,0.041,0.333-0.183,0.185-0.461C37.503,16.822,37.458,17.181,37.475,17.291z"/> +<path fill="#3C89C9" d="M38.587,22.519c-0.186,0.027-0.663,0.254-0.667,0.385C37.996,22.947,38.585,22.616,38.587,22.519z"/> +<path fill="#3C89C9" d="M37.983,19.059C37.96,19.217,38.281,19.116,37.983,19.059L37.983,19.059z"/> +<path fill="#3C89C9" d="M35.4,20.837C35.4,20.886,35.476,20.837,35.4,20.837L35.4,20.837z"/> +<path fill="#3C89C9" d="M35.104,20.764c0.009,0.016,0.014,0.031,0.022,0.047C35.158,20.82,35.189,20.78,35.104,20.764z"/> +<path fill="#3C89C9" d="M25.319,21.403C25.344,21.473,25.464,21.428,25.319,21.403L25.319,21.403z"/> +<path fill="#3C89C9" d="M9.57,4.919C9.548,4.922,9.371,4.981,9.409,4.962C9.39,5.075,9.682,4.93,9.737,4.928 + C9.731,4.949,9.575,5.02,9.543,5.025c-0.019,0.07-0.005,0.205-0.005,0.224c0.242-0.014,0.913-0.323,0.974-0.583 + c0.016,0,0.135,0.18,0.143,0.146c-0.102,0.05-0.121,0.044-0.12,0.035c-0.002,0.003,0,0.003-0.007,0.012 + c0.061-0.024,0.112-0.029,0.161-0.027c-0.191,0.034-0.607,0.277-0.596,0.274c-0.021,0.168,0.354-0.094,0.41-0.101 + c-0.047,0.197-0.105,0.218,0.145,0.189c-0.059,0.05-0.074,0.072-0.042,0.066c-0.023,0.097-0.432-0.044-0.573-0.013 + c0.001,0.075,0.069,0.069,0.061,0.155C9.934,5.447,9.88,5.506,9.745,5.568C9.74,5.632,9.766,5.625,9.76,5.689 + c0.207-0.025,0.48-0.019,0.7-0.237c-0.03,0.134,0.19,0.126,0.229-0.048c0.073-0.007,0.118,0.117,0.107,0.217 + c0.103-0.023,0.322-0.142,0.41-0.251c-0.056-0.038-0.152-0.108-0.252-0.099c0.081-0.078,0.633-0.297,0.523-0.286 + 
c-0.003,0.016,0.242-0.141,0.275-0.154c-0.002-0.216-0.331,0.016-0.438,0.027c0.033-0.062,0.113-0.108,0.088-0.121 + c-0.067,0.005-0.126,0.009-0.124,0c0.082-0.009,0.113-0.007,0.125,0c0.081-0.007,0.174-0.017,0.195-0.024 + c0.001-0.03-0.01-0.046-0.027-0.057c0.05,0.003,0.102,0,0.118-0.035c-0.084-0.01-0.156-0.02-0.222-0.027 + c-0.152,0.01-0.854-0.096,0,0c0.032-0.001,0.042-0.008,0.01-0.022c0.242,0.03,0.637-0.005,0.68-0.221 + c0.015,0.002,0.027-0.01,0.034-0.035c0.022,0.005,0.947-0.321,0.975-0.477c-0.01,0.004-0.012,0-0.007-0.01 + c-0.124,0.049-0.191,0.092-0.304,0.104c0.022-0.115,0.643-0.165,0.684-0.396c-0.437,0.042-0.484-0.047-0.947,0.118 + c-0.005,0.03-0.025-0.003-0.024-0.008c0.051-0.005,0.289-0.131,0.325-0.223c-0.037-0.008-0.251-0.05-0.268,0.029 + c-0.013-0.004-0.986,0.199-1,0.229c0.039,0.011,0.159,0.06,0.1,0.133c-0.021,0.007-0.023-0.011-0.005-0.05 + c-0.226,0.026-0.243-0.071-0.444,0.034c-0.016,0.1,0.146,0.045,0.133,0.096c-0.019-0.007-0.027-0.003-0.029,0.013 + c-0.056,0.027-0.146-0.065-0.23-0.095c-0.018,0.01-0.036,0.02-0.054,0.029c0.005,0.045,0.016,0.091,0.002,0.152 + c-0.022-0.026-0.065-0.057-0.116-0.085c-0.09,0.052-0.183,0.103-0.272,0.156c-0.01,0.017-0.021,0.032-0.026,0.054 + c-0.027,0.004-0.043,0-0.053-0.007c-0.008,0.004-0.015,0.009-0.022,0.014c-0.002,0.01-0.001,0.014-0.005,0.035 + c-0.008,0-0.015-0.01-0.022-0.018c-0.181,0.112-0.359,0.228-0.535,0.342c0.319,0.066,1.335-0.34,1.671-0.431 + c-0.026,0.027-0.404,0.144-0.076,0.102c0.001-0.005-0.292,0.117-0.319,0.12c0.005,0.041,0.026,0.06,0.061,0.057 + c-0.176,0.034-0.438,0.044-0.457,0.125c-0.041,0.005,0.067,0.119,0.134,0.146c-0.005,0.006-0.011,0.008-0.015,0.025 + c-0.18-0.022-0.416-0.498-0.694,0.044c0.023,0.005-0.128-0.086-0.318-0.179c-0.196,0.129-0.388,0.262-0.58,0.399 + C9.516,4.896,9.58,4.888,9.57,4.919z M10.568,5.502C10.443,5.479,10.604,5.349,10.568,5.502L10.568,5.502z M12.911,3.832 + C12.975,3.853,12.859,3.887,12.911,3.832L12.911,3.832z M11.537,4.263c-0.007,0.035-0.069,0.056-0.148,0.071 + 
C11.425,4.331,11.474,4.309,11.537,4.263z M10.835,5.203C10.819,5.276,10.826,5.201,10.835,5.203L10.835,5.203z M10.788,4.857 + c-0.004,0.006-0.008,0.013-0.012,0.019c0-0.009-0.002-0.017-0.006-0.022C10.776,4.855,10.783,4.854,10.788,4.857z M10.681,5.087 + C10.709,5.083,10.659,5.182,10.681,5.087L10.681,5.087z M9.824,5.109C9.845,5.107,9.805,5.186,9.824,5.109L9.824,5.109z"/> +<path fill="#3C89C9" d="M22.877,13.599c-0.002,0.004,0,0.021-0.002,0.029c0.021,0.008,0.046,0.008,0.069,0.014 + C22.923,13.623,22.898,13.599,22.877,13.599z"/> +<path fill="#3C89C9" d="M38.163,15.469C38.018,15.492,38.151,15.559,38.163,15.469L38.163,15.469z"/> +<path fill="#3C89C9" d="M23.071,13.667c-0.049-0.002-0.085-0.017-0.126-0.025c0.041,0.035,0.082,0.079,0.105,0.079 + C23.045,13.698,23.052,13.681,23.071,13.667z"/> +<path fill="#3C89C9" d="M38.328,19.411c-0.005-0.083-0.022-0.19-0.141-0.206C38.189,19.229,38.276,19.411,38.328,19.411z"/> +<path fill="#3C89C9" d="M38.1,19.458C38.352,19.487,38.105,19.348,38.1,19.458L38.1,19.458z"/> +<path fill="#3C89C9" d="M32.675,5.392c0.043,0.005,0.083,0,0.122-0.011c-0.049-0.039-0.1-0.079-0.148-0.117 + c-0.023,0.055-0.043,0.102-0.043,0.108C32.647,5.354,32.668,5.36,32.675,5.392z"/> +<path fill="#3C89C9" d="M33.923,19.841C33.863,19.84,33.925,19.907,33.923,19.841L33.923,19.841z"/> +<path fill="#3C89C9" d="M33.796,18.986C33.765,18.904,33.762,18.986,33.796,18.986L33.796,18.986z"/> +<path fill="#3C89C9" d="M35.792,33.473c-0.732-0.174-2.688,0.27-3.082,0.358c-0.462-0.809-2.413,1.048-2.82,1.086 + c0.2-0.318-0.476-0.212-0.422-0.609c-0.585,0.04-1.163-0.022-1.713,0.006c0.363-0.542-0.656-0.427-0.901,0.196 + c-0.521,0.024-1.257,0.736-1.423,0.741c0.051-0.705-1.72,0.104-2.083,0.192c-0.215-0.503-3.248,0.069-3.243-0.117 + c-0.965-0.005-2.046,1.027-2.925,0.992c0.005,0.064,0.275,0.136,0.329,0.166c-0.005,0.047-0.005,0.092,0,0.143 + c0.039,0.036-2.074,1.139-2.086,0.885c-0.713-0.035-2.41-0.384-2.775-1.193c0.029,0.005,0.032-0.021,0.008-0.074 + 
c0.01,0.005,0.013,0.001,0.008-0.009c0.176,0.04,0.09-0.013,0.257-0.066c-0.032-0.221-0.046-0.104,0.017-0.411 + c-0.01,0-0.013-0.003-0.013-0.014c-0.03-0.005-0.064,0.038-0.099,0.047c0.009-0.223-0.124-0.259-0.134-0.331 + c0.215,0.013-0.251-0.668-0.293-0.977c-0.68,0.207-0.108-0.348-0.131-0.541c0.066,0.005,0.089,0.143,0.148,0.146 + c-0.03-0.067,0.009-0.207,0.083-0.346c-0.325,0.19-0.681,0.394-0.652,0.597c-0.347-0.025,0.169,1.254,0.092,1.247 + c0.092,0.563-1.257-0.149-1.343-0.155c0.026,0.064-0.029,0.104-0.006,0.229c-0.654-0.216-1.712-0.505-2.4-0.579 + c-0.054-0.22-0.437-0.093-0.815,0.047c2.657,2.501,6.011,4.269,9.741,4.978c2.446,0.125,4.89,0.126,7.336,0.007 + C28.972,39.259,32.942,36.854,35.792,33.473z"/> +<path fill="#3C89C9" d="M9.213,16.624c0.006-0.081-0.001-0.156-0.016-0.229C9.16,16.555,9.156,16.652,9.213,16.624z"/> +<path fill="#3C89C9" d="M33.774,18.734C33.738,18.838,33.814,18.735,33.774,18.734L33.774,18.734z"/> +<path fill="#3C89C9" d="M13.362,21.16c0.061,0.003,0.154,0.031,0.264,0.072C13.688,20.874,13.424,21.025,13.362,21.16z"/> +<path fill="#3C89C9" d="M13.027,33.633c0.05-0.102-0.064-0.098-0.102-0.188c-0.007,0-0.006,0.007-0.012,0.007 + c0.048-0.049,0.082-0.098,0.078-0.141c-0.15-0.049-0.37,0.195-0.493,0.432c0.15-0.091,0.288-0.178,0.38-0.256 + C12.892,33.531,12.981,33.606,13.027,33.633z"/> +<path fill="#3C89C9" d="M31.865,19.384C31.684,20.603,32.432,19.389,31.865,19.384L31.865,19.384z"/> +<path fill="#3C89C9" d="M28.391,24.749C28.24,24.758,28.445,24.963,28.391,24.749L28.391,24.749z"/> +<path fill="#3C89C9" d="M28.705,24.551C28.541,24.592,28.711,24.82,28.705,24.551L28.705,24.551z"/> +<path fill="#3C89C9" d="M29.854,6.451c-0.051-0.005-0.034,0.042,0.017,0.111c-0.009-0.034-0.014-0.069-0.022-0.101 + C29.855,6.466,29.859,6.462,29.854,6.451z"/> +<path fill="#3C89C9" d="M34.813,21.535C34.787,21.461,34.763,21.523,34.813,21.535L34.813,21.535z"/> +<path fill="#3C89C9" d="M34.423,20.78C34.426,21.062,34.449,20.78,34.423,20.78L34.423,20.78z"/> +<path fill="#3C89C9" 
d="M21.765,10.061c0,0.001-0.002,0.003-0.004,0.003C21.765,10.145,21.818,10.05,21.765,10.061z"/> +<path fill="#3C89C9" d="M34.658,21.243C34.596,21.243,34.689,21.583,34.658,21.243L34.658,21.243z"/> +<path fill="#3C89C9" d="M21.849,13.405c0.01-0.033,0.055-0.198,0.04-0.291c-0.018-0.012-0.04-0.019-0.062-0.03 + C21.781,13.188,21.6,13.332,21.849,13.405z"/> +<path fill="#3C89C9" d="M34.179,20.558C34.237,20.662,34.267,20.579,34.179,20.558L34.179,20.558z"/> +<path fill="#3C89C9" d="M23.202,10.672c-0.028,0-0.051,0.005-0.022,0.019c0.009,0,0.012,0,0.019-0.001 + C23.2,10.687,23.2,10.683,23.202,10.672z"/> +<path fill="#3C89C9" d="M11.086,31.362c0.108,0.042,0.24,0.061,0.217-0.073c-0.022-0.002-0.042-0.004-0.063-0.005 + C11.165,31.295,11.066,31.318,11.086,31.362z"/> +<path fill="#3C89C9" d="M10.205,29.578c0.014-0.014,0.014-0.026,0.022-0.038c-0.006,0-0.01-0.006-0.016-0.006 + C10.238,29.572,10.235,29.586,10.205,29.578z"/> +<path fill="#3C89C9" d="M28.144,18.871C28.18,18.92,28.375,18.911,28.144,18.871L28.144,18.871z"/> +<path fill="#3C89C9" d="M37.663,21.013c-0.012,0.104,0.002,0.161,0.024,0.198c0.081-0.09,0.164-0.171,0.244-0.242 + C37.837,20.997,37.742,21.019,37.663,21.013z"/> +<path fill="#3C89C9" d="M38.016,22.536c-0.322-0.191-0.343,0.067-0.343,0.063c0.126-0.014,0.223-0.012,0.32-0.014 + C37.985,22.563,37.994,22.547,38.016,22.536z"/> +<path fill="#3C89C9" d="M38.351,16.566C38.361,16.65,38.402,16.568,38.351,16.566L38.351,16.566z"/> +<path fill="#3C89C9" d="M37.823,19.911c0.174,0.002,0.458-0.098,0.469,0.241c0.011-0.003,0.014,0,0.011,0.01 + c0.113-0.025,0.042-0.118,0.029-0.172c0.084,0,0.031,0.051,0.077,0.052c-0.012-0.269,0.065-0.163-0.009-0.498 + c0.023,0.102-0.041-0.008,0,0C38.345,19.534,37.76,19.749,37.823,19.911z"/> +<path fill="#3C89C9" d="M38.298,19.217c0.153,0.086-0.125-0.194-0.035-0.193C38.265,19.045,38.183,19.021,38.298,19.217z"/> +<path fill="#3C89C9" d="M37.465,19.2c-0.035,0.011-0.331,0.417-0.329,0.476C37.334,19.679,37.498,19.334,37.465,19.2z"/> +<path fill="#3C89C9" 
d="M38.086,18.97c-0.016-0.031-0.013-0.046,0.01-0.04c0.002,0.044-0.261-0.34-0.381-0.636 + c0.02,0.268,0.162,0.426,0.165,0.488C37.969,18.783,37.985,18.943,38.086,18.97z"/> +<path fill="#3C89C9" d="M37.715,18.293c-0.011-0.095,0-0.2,0.033-0.321C37.621,17.968,37.642,18.115,37.715,18.293z"/> +<path fill="#3C89C9" d="M39.622,22.269c0.002-0.044,0.061-0.151,0.06-0.151C39.698,21.87,39.491,22.27,39.622,22.269z"/> +<path fill="#3C89C9" d="M39.155,23.009C39.124,23.085,39.255,23.03,39.155,23.009L39.155,23.009z"/> +<path fill="#3C89C9" d="M38.772,21.577c0,0.019-0.04,0.015-0.056,0.051c0.035-0.014,0.048-0.011,0.045,0.008 + c0.051,0.034,0.339,0.047,0.317-0.029C38.958,21.6,38.881,21.587,38.772,21.577z"/> +<path fill="#3C89C9" d="M39.195,22.332C39.016,22.375,39.19,22.557,39.195,22.332L39.195,22.332z"/> +<path fill="#3C89C9" d="M39.167,21.282c-0.068,0,0.24,0.206,0.346,0.226c-0.008,0.002-0.029-0.004-0.025,0.008 + c-0.07-0.015-0.117,0.042-0.211,0.008c0.005,0.011,0,0.013-0.013,0.011c0.105,0.296,1.003,0.173,0.991,0.86 + c-0.064-0.047-0.157-0.024-0.188,0.071c0.091-0.014,0.173-0.015,0.254-0.015c0.02-0.256,0.039-0.512,0.048-0.77 + c-0.486-0.253-0.896-0.429-0.896-0.448C39.383,21.214,39.203,21.18,39.167,21.282z"/> +<path fill="#3C89C9" d="M9.458,12.874C9.449,12.946,9.527,12.894,9.458,12.874L9.458,12.874z"/> +<path fill="#3C89C9" d="M35.872,17.875c0.03,0.501,0.385-0.059,0.388-0.06C36.208,17.613,35.945,17.848,35.872,17.875z"/> +<path fill="#3C89C9" d="M40.204,22.265C40.135,22.283,40.202,22.347,40.204,22.265L40.204,22.265z"/> +<path fill="#3C89C9" d="M38.046,14.887C38.034,14.804,37.997,14.885,38.046,14.887L38.046,14.887z"/> +<path fill="#3C89C9" d="M33.053,5.581c-0.102,0.018-0.14,0.064-0.085,0.273c-0.103-0.02-0.215-0.093-0.314-0.061 + c0.008,0.016,0.23,0.231,0.091,0.214c-0.064-0.246-0.266-0.035-0.365-0.046c-0.011-0.038,0.06-0.05,0.045-0.106 + c-0.399-0.22-0.721,0.084-1.114,0.042c0.02,0.087,0.133,0.203-0.083,0.126c-0.018,0.109,0.209,0.218,0.185,0.412 + 
c-1.408-0.312-0.102,0.526,0.02,1.112c-0.103-0.009-0.412-0.195-0.556-0.208c0.04-0.11,0.022-0.347,0.112-0.407 + c-0.067-0.227-0.586-0.213-0.684-0.221c0-0.006,0.089,0.045,0.104,0.052c-0.011,0.165-0.153-0.003-0.247-0.012 + c0.009,0.04,0.005,0.079-0.008,0.115c0,0,0,0,0.001,0c0.066,0.014,0.273,0.155,0.287,0.225c-0.033-0.019-0.044-0.015-0.038,0.007 + c0.008,0.006-0.115-0.103-0.249-0.231c-0.001,0-0.001-0.001-0.001-0.001l0,0c-0.109-0.104-0.222-0.221-0.283-0.304 + c0.08,0.304,0.063,0.628,0.109,0.901c0.321,0.025,0.756,0.272,0.807,0.55c-0.071,0.006-0.258-0.139-0.235-0.009 + c0.013-0.003,0.018,0.005,0.015,0.022c-1.013-0.796,0.219,0.163-0.735,0.09c-0.001-0.014,0.133,0.155,0.143,0.222 + c-0.02,0-0.45-0.222-0.477-0.31c0.766-0.027,0.171-0.873,0.158-1.521c-0.848-0.071-0.482,0.516-0.39,1.134 + c-0.017-0.005-0.026,0.004-0.023,0.029C29,7.653,28.047,6.642,28.173,7.587c-0.069-0.05-0.091-0.115-0.085-0.198 + c-0.309-0.006-0.465,0.096-0.739,0.139c0-0.075,0.008-0.104,0.005-0.214c-0.271,0.06-0.653,0.6-0.902,0.589 + c-0.018-0.193-0.115-0.297,0.12-0.285c-0.063-0.157-0.276-0.349-0.443-0.357C26.163,7.536,26.141,7.679,26.167,8 + c-0.315-0.014-0.353-0.208-0.312,0.302c-0.291-0.064-0.171-0.117-0.41-0.212c-0.017,0.069,0.026,0.11-0.031,0.107 + c0.028,0.115,0.14,0.167,0.15,0.299c-0.534-0.018-0.244-0.533-0.716-0.622c-0.007-0.09-0.125-0.1-0.138-0.289 + c0.016-0.007,0.956,0.131,1.127,0.14c-0.064-0.403-0.878-0.732-1.156-0.74c-0.004-0.029,0.054-0.064,0.08-0.063 + c-0.12-0.149-0.387,0.083-0.438-0.09c0.073,0.002,0.106-0.051,0.198-0.049c-0.024-0.099-0.146-0.191-0.244-0.226 + c-0.019,0.057,0,0.174-0.061,0.15C24.215,6.57,24.213,6.641,24.204,6.5c-0.034,0.011-0.052-0.023-0.096-0.025 + c0.008,0.126-0.114,0.139-0.118,0.292c-0.027-0.001,0.014-0.186,0.009-0.208c-0.045-0.002-0.164,0.236-0.177,0.312 + c-0.007-0.009-0.017-0.012-0.03-0.011c0.038-0.118,0.058-0.129,0.087-0.226c-0.011,0.002-0.014,0-0.012-0.012 + c-0.142,0.077-0.258,0.133-0.528,0.051c0.002,0.039-0.015,0.05-0.057,0.032c0.021,0.139,0.05-0.091,0.104,0.145 + 
c-0.104-0.033-0.195-0.059-0.19,0.05c-0.085-0.106-0.16-0.109-0.15,0.128c0.017,0-0.326,0.075-0.319,0.313 + c0.043-0.036,0.089-0.042,0.138-0.021c-0.052,0.121-0.095-0.055-0.083,0.141c0.001,0-0.102-0.188-0.129-0.045 + c0.257-0.094-0.723,0.902-0.727,0.999c0.045,0,0.014,0.008,0.014,0.027c0.042-0.007,0.089-0.024,0.139-0.052 + c-0.043,0.021-0.114,0.059-0.142,0.059c-0.002-0.003,0.003-0.004,0.003-0.007c-0.106,0.017-0.183,0.014-0.179,0.181 + c-0.108-0.034-0.047-0.012-0.211-0.013c0.037,0.102,0.085,0.117-0.089,0.12c0.014,0.034,0.012,0.048-0.01,0.043 + c0,0.036,0.109-0.013,0.11,0.067c-0.018,0-0.02,0.015-0.02,0.032c-0.021,0.004-0.026-0.014-0.012-0.053 + c-0.099,0.004-0.124,0.032-0.229,0.031c0.002,0.117,0.071,0.022,0.132,0.087c-0.061-0.002-0.121,0.001-0.181,0.011 + c0,0.078,0.011,0.021,0,0.076c0.007,0.027,0.225,0.055,0.26,0.056c0.018-0.009,0.032-0.018,0.032-0.032 + c-0.021-0.008-0.032,0.003-0.03,0.032h-0.002c-0.063,0.037-0.225,0.034-0.26,0.021c0,0.019,0.138,0.121-0.007,0.121 + c0.079,0.173,0.147,0,0.292,0.001c-0.021,0.084-0.143,0.218-0.221,0.23c0,0.03-0.02,0.008-0.02,0.055 + c0.043-0.009,0.061,0.006,0.051,0.044c0.021,0,0.062-0.077,0.101-0.077c-0.16,0.702,0.364,0.126,0.647,0.092 + c0.007,0.338,0.24,0.488,0.198,0.835c0.011-0.003,0.016,0,0.014,0.011c0.021-0.011,0.033-0.007,0.03,0.012 + c0.216,0.002,0.189-0.31,0.454-0.215c0.029-0.038,0.043-0.083,0.036-0.13c-0.189,0.121,0.169-0.425-0.061-0.429 + c0-0.043,0.637-0.323,0.091-0.623c-0.079-0.216,0.334-0.793,0.481-0.79c0.231-1.268,0.322,0.951,0.34,0.947 + c0.004,0.073-0.059,0.065-0.097,0.064c0.019,0.057,0,0.006,0,0.065c0.012-0.003,0.014,0,0.012,0.01 + c0.157-0.032,0.412-0.139,0.715-0.203c0.004,0.056,0.199,0.235,0.305,0.237c-0.186,0.446-0.616-0.031-0.839,0.692 + c-0.111,0.023-0.224-0.044-0.209-0.158c-0.156,0.055-0.327,0.652-0.363,0.778c0.039,0,0.082,0.01-0.006,0.017 + c0,0.002-0.005,0.01-0.005,0.01c-0.009-0.003-0.01-0.005-0.013-0.008c-0.032,0.002-0.073,0.004-0.13,0.006 + 
c-0.027-0.134,0.04,0.003,0.038-0.065c-0.136-0.068-0.938,0.188-0.941,0.176c-0.48-0.076-0.011-0.779-0.237-0.78 + c0-0.023,0.103-0.076,0.1-0.198c-0.1,0.06-0.291,0.132-0.333,0.262c0.026,0.011,0.056-0.007,0.084-0.028 + c-0.002-0.002-0.002-0.001-0.002-0.004c0.004-0.001,0.004,0.001,0.005,0c0.057-0.044,0.106-0.097,0.11,0.077 + c0.118,0-0.428,1.146-0.434,0.776c-0.38,0.015-0.725,0.683-1.118,0.735c0.015,0.064,0.096,0.171,0.063,0.242 + c-0.078,0-0.435-0.042-0.459,0.055c0.111,0.026,0.029,0.087-0.012,0.1c0.077,0.173,1.219,0.896-0.04,0.9 + c0.005-0.563-0.431,0.343-0.497,0.49c0.002,0,0.004-0.006,0.006-0.006c-0.021,0.043-0.019,0.033-0.006,0.006 + c-0.101,0.027-0.059,0.717-0.068,0.784c0.155-0.029,1.15,0.357,1.151-0.168c0.063,0,0.489-1.053,0.658-1.053 + c0-0.184,0.342-0.115,0.709,0.087c0.006-0.011,0.016-0.022,0.016-0.031c0.03,0,0.041,0.025,0.046,0.061 + c0.396,0.232,0.808,0.62,0.816,1.02c0.24,0.044,0.146-0.387,0.169-0.507c-0.375-0.13-0.453-0.611-0.465-0.891 + c0.007,0.016,0.019,0.029,0.038,0.036c-0.002-0.011,0-0.014,0.013-0.01c0-0.068,0.039-0.031,0.063-0.142 + c0.392,0.189,0.849,1.486,1.225,1.491c-0.038,0.079-0.177-0.133-0.224,0.02c0.047,0,0.009,0.158,0.08,0.176 + c0-0.045,0.27-0.129,0.306-0.118c-0.002-0.13-0.111-0.1-0.111-0.199c-0.015,0.005-0.017-0.002-0.012-0.021 + c0.092,0.057,0.149,0.1,0.228,0.168c-0.003-0.012,0-0.016,0.01-0.012c0.015-0.18-0.265-0.156-0.279-0.156 + c0.003-0.015-0.005-0.019-0.022-0.011c0-0.034,0.183-0.261-0.027-0.263c0.022-0.066,0.031-0.037,0.029-0.098 + c0.014,0.002,0.022-0.003,0.021-0.022c0.011,0.044,0.06,0.131,0.099,0.132c0.008,0.012,0.019-0.116,0.017-0.186 + c0.198,0.001,0.336-0.042,0.343,0.147c0.122-0.041,0.22-0.16,0.354-0.159c-0.003-0.014,0.005-0.021,0.022-0.021 + c-0.011-0.318,0.27-0.793,0.322-1.024c0-0.004-0.005-0.004-0.005-0.008c0.005,0,0.003-0.001,0.008-0.001 + c0.007-0.024,0.021-0.057,0.018-0.076c0.07,0.07,0.078,0.077-0.018,0.076c0,0.002,0,0.005-0.003,0.009 + 
c0.024,0.138,0.294-0.052,0.316,0.129c-0.054-0.013-0.169,0.017-0.186,0.094c0.127,0.003,0.149,0.029,0.136,0.189 + c0.149-0.038,0.248-0.137,0.401-0.133c0-0.019,0.014-0.025,0.019-0.066c-0.01,0.003-0.015,0-0.01-0.011 + c-0.123,0.019-0.35-0.013-0.356-0.192c0.276,0.055,0.43-0.199,0.724-0.191c-0.005,0.014,0.004,0.02,0.02,0.012 + c0.005,0.064-0.238,0.147-0.261,0.156c0.181,0.242-0.111,0.104-0.104,0.281c0.341-0.111,0.579,0.649,0.586,0.765 + c-0.366-0.009-1.502-0.317-1.491,0.047c-0.209,0.038-0.396,0.218-0.456,0.342c0-0.01,0.005-0.013,0.001-0.032 + c-0.048,0.01-0.036,0.05-0.019,0.06c-0.016,0.048-0.015,0.083,0.025,0.093c0.173,0.669,0.731,0.316,1.307,0.326 + c0.121,0.57-0.042,1.127-0.608,1.039c-0.061-0.602-3.05,0.836-2.803-1.088c-0.443,0.063-1.353,0.293-1.844,0.294 + c0.006-0.668-1.23,0.815-1.122,0.815c-0.006,0.609-0.829,0.848-0.837,1.386c-0.213,0.002-0.131,1.342-0.181,1.557 + c-0.814,0.243,2.428,3.111,2.432,1.575c0.15,0.057,0.122-0.007,0.122,0.088c1.028-0.129,0.973,0.24,1.194,0.999 + c0.021,0,0.654,1.646,0.613,2.149c-0.566,0,0.195,3.079,0.488,3.387c0.511,0.34,0.002,1.001,1.266,0.56 + c0.005-0.288,1.141-1.609,1.271-1.708c0.09-0.465-0.266-1.297,0.536-1.301c0.01-0.658,0.107-1.17,0.008-1.984 + c0.325-0.004,1.642-2.644,1.741-3.105c-0.291-0.143-0.696,0.373-1.056,0.133c-0.033-0.125-0.521-1.115-0.654-1.116 + c0.113-0.65-0.854-1.5-0.977-2.235c0.013,0.003,0.018-0.004,0.009-0.022c0.102,0.001,0.198,0.144,0.297,0.146 + c0.002-0.032,0.164,0.253,0.169,0.253c0.004,0.16,0.665,1.48,0.767,1.48c0.018,0.914,0.403,1.04,1.01,0.946 + c0.35,0.044,0.898-0.622,1.19-0.766c-0.005-0.163,0.389-0.419,0.378-0.664c0.094-0.19-0.494-0.434-0.507-0.753 + c-0.409,0.106-0.438,0.696-0.692,0.008c-0.024,0-0.104,0.102-0.103,0.14c-0.231-0.069-0.38-0.934-0.384-0.962 + c0.451,0.01,1.052,0.917,1.63,0.996c0.794,0.017,1.154,0.401,1.644,0.411c-0.071,0.161-0.145,0.161-0.264,0.198 + c0.188,0.613,0.431,0.16,0.453-0.033c0.216,0.054,0.23,2.487,0.836,2.491c-0.009-0.781,1.272-2.552,1.72-2.533 + 
c0.004,0.044,0.576,1.16,0.625,1.237c0.15-0.004,0.242,0.002,0.284-0.183c0.479,0.011,0.359,1.584,0.707,2.311 + c-0.197-0.24-0.462-0.422-0.841-0.425c0.012,0.558,1.058,1.425,1.307,1.909c0.021,0.017,0.013-0.574-0.231-1.104 + c0.011,0.026-0.033,0.055-0.034-0.022c0.02,0.004,0.029,0.013,0.034,0.021c-0.01-0.014-0.014-0.031-0.021-0.045 + c-0.013-0.005-0.023-0.017-0.023-0.048c0,0,0,0,0.002,0c-0.01-0.019-0.017-0.039-0.026-0.059c0.061,0.057,0.129,0.102,0.212,0.121 + c0.013-0.054,0.049-0.072,0.11-0.051c-0.039-0.649-0.478-1.309-0.64-1.938c0.024,0.007,0.031,0,0.021-0.021 + c0.256,0.004,0.627,0.572,0.654,0.783c0.045,0.003,0.051,0.023,0.014,0.063c0.225-0.039,0.106-0.132,0.103-0.247 + c-0.017,0.003-0.02-0.004-0.014-0.022c0.061,0.034,0.044,0.104,0.125,0.106c0.02-0.095-0.112-0.066-0.116-0.158 + c0.884,0.113,0.237-0.651,0.212-1.054c-0.698-0.342,0.215-1.186,0.297-0.603c-0.026,0.002,0.534-0.4,0.527-0.456 + c0.792,0.025,1.004-0.899,0.852-1.262c0.176-0.068,0.073-0.22-0.06-0.228c0.007,0.065-0.073-0.027-0.066-0.023 + c0.047-0.051,0.111,0.005,0.159,0.007c-0.013-0.12-0.255-0.648-0.288-0.746c0.063-0.15,0.347-0.104,0.354-0.273 + c-1.095-0.159-0.562-0.756-0.136-0.604c-0.025,0.202-0.104,0.205-0.082,0.358c0.574-0.075,0.843,0.152,0.789,0.856 + c0.672,0.205-0.369-1.703,0.523-1.634c0.035,0.157,0.182,0.08,0.354-0.107c-0.995-2.479-2.477-4.711-4.335-6.569 + c-0.006,0.029-0.013,0.058-0.018,0.095c0.006,0.016,0.012,0.037,0.013,0.037c0.002-0.017-0.005-0.024-0.014-0.022 + c0-0.008,0.003-0.008,0.003-0.014c-0.01-0.032-0.025-0.091-0.042-0.152C34.51,6.871,34.432,6.8,34.357,6.728 + c-0.03-0.001-0.056-0.007-0.138-0.039c-0.094,0.064-0.195,0.126-0.305,0.175c-0.146,0.103-0.306,0.191-0.331,0.093 + c0.121-0.009,0.229-0.046,0.331-0.093c0.143-0.098,0.271-0.211,0.267-0.191c0.016,0.009,0.024,0.011,0.038,0.016 + c0.02-0.012,0.04-0.022,0.06-0.036C33.888,6.281,33.478,5.923,33.053,5.581z M31.25,6.407C31.323,6.416,31.214,6.534,31.25,6.407 + L31.25,6.407z 
M21.661,8.688c0.02,0.007,0.012,0,0.02,0.013C21.661,8.692,21.674,8.7,21.661,8.688z M22.392,7.937 + C22.357,7.937,22.39,7.864,22.392,7.937L22.392,7.937z M22.375,9.67c-0.071-0.026,0.014,0.024-0.123,0.021 + C22.248,9.57,22.361,9.55,22.357,9.44C22.524,9.442,22.371,9.61,22.375,9.67z M22.537,9.694C22.595,9.694,22.523,9.789,22.537,9.694 + L22.537,9.694z M22.678,7.614c0.02,0.006,0.01-0.001,0.02,0.011C22.678,7.618,22.69,7.626,22.678,7.614z M22.873,9.435 + C23.062,9.488,22.895,9.522,22.873,9.435L22.873,9.435z M22.812,9.435C22.879,9.435,22.812,9.473,22.812,9.435L22.812,9.435z + M21.06,11.242C21.199,11.266,21.08,11.32,21.06,11.242L21.06,11.242z M21.841,10.829c0.02,0.007,0.008-0.002,0.02,0.011 + C21.841,10.833,21.854,10.84,21.841,10.829z M22.408,12.624c0-0.04,0-0.07,0-0.082c0.001,0.018,0.007,0.025,0.021,0.022 + C22.419,12.577,22.412,12.598,22.408,12.624z M24.253,9.799C24.187,9.392,24.341,9.801,24.253,9.799L24.253,9.799z M24.613,8.967 + c-0.007-0.127,0.279,0.145,0.304,0.274C24.837,9.195,24.326,8.949,24.613,8.967z M25.031,8.478 + C25.295,8.55,25.097,8.698,25.031,8.478L25.031,8.478z M25.119,8.928c0.236-0.007,0.023-0.131,0.021-0.175 + c-0.013,0.004-0.014,0-0.013-0.01c0.227,0.059,0.188,0.259,0.199,0.431C25.32,9.174,25.122,8.957,25.119,8.928z M25.444,9.265 + C25.66,9.271,25.45,9.377,25.444,9.265L25.444,9.265z M25.731,9.786c-0.043-0.028-0.055-0.017-0.04,0.031 + c-0.063,0.001-0.205-0.064-0.211-0.159c0.202,0.036,0.018-0.098,0.064-0.097c0.005-0.027,0.202,0.157,0.2,0.148 + C25.707,9.712,25.698,9.737,25.731,9.786z M21.798,20.317C21.772,20.469,21.68,20.317,21.798,20.317L21.798,20.317z M22.633,24.561 + C22.592,24.561,22.635,24.486,22.633,24.561L22.633,24.561z M22.723,18.607c-0.012-0.02-0.021-0.029-0.033-0.041 + c-0.04-0.025-0.091-0.051-0.121-0.059c0,0.012,0.063-0.007,0.121,0.059C22.745,18.599,22.781,18.627,22.723,18.607z M24.549,22.683 + C24.479,22.443,24.79,22.683,24.549,22.683L24.549,22.683z M25.807,19.003C26.031,18.981,25.812,19.187,25.807,19.003L25.807,19.003 + z 
M25.7,20.269c0.064,0.021,0.122,0.283,0.122,0.35C25.653,20.57,25.7,20.352,25.7,20.269z M25.126,15.669 + C25.152,15.669,25.132,15.805,25.126,15.669L25.126,15.669z M25.011,20.704C24.946,20.988,24.904,20.704,25.011,20.704 + L25.011,20.704z M24.716,21.163C24.716,21.068,24.721,21.162,24.716,21.163L24.716,21.163z M24.652,21.468 + C24.644,21.18,24.823,21.439,24.652,21.468L24.652,21.468z M25.088,22.572c-0.047,0-0.096,0.002-0.143,0.002 + c-0.018,0.006-0.278-0.795-0.263-0.788c0.033-0.157,0.3,0.51,0.416,0.776C25.088,22.559,25.083,22.563,25.088,22.572z M25.242,22.42 + C25.242,22.363,25.39,22.418,25.242,22.42L25.242,22.42z M25.531,23.511c-0.024-0.035-0.051-0.04-0.078-0.021 + c0.003-0.276-0.024-0.486-0.06-0.774C25.538,22.749,25.533,23.354,25.531,23.511z M25.583,21.731 + C25.549,21.862,25.473,21.731,25.583,21.731L25.583,21.731z M25.144,20.802C25.162,20.728,25.331,20.824,25.144,20.802 + L25.144,20.802z M25.331,20.988c0,0,0.219,0.224,0.219,0.153c-0.112,0.038-0.19,0.326-0.041,0.328 + c-0.03,0.116-0.091,0.017-0.091,0.153c-0.011-0.004-0.014,0-0.011,0.012c-0.033,0-0.229-0.213-0.229-0.022 + C24.801,21.611,25.352,20.884,25.331,20.988z M25.549,15.381C25.544,15.208,25.607,15.381,25.549,15.381L25.549,15.381z + M26.517,13.96C26.53,14.203,26.358,13.958,26.517,13.96L26.517,13.96z M27.902,7.41C27.964,7.415,27.905,7.446,27.902,7.41 + L27.902,7.41z M26.723,13.66C26.897,13.681,26.784,13.762,26.723,13.66L26.723,13.66z M26.93,14.394 + c-0.092-0.001-0.198-0.266-0.207-0.318c0.089,0.01,0.245,0.217,0.251,0.266C26.948,14.337,26.932,14.354,26.93,14.394z + M28.036,13.653c-0.12,0-0.15-0.092-0.207-0.093c0,0.001,0.002,0.189-0.029,0.206c0.024,0.003,0.036,0.014,0.033,0.032 + c0.047,0.001,0.083-0.041,0.156-0.038c0.004,0.039,0.094,0.479,0.02,0.637c-0.916-0.022-0.507-0.315-0.535-0.75 + c-0.551-0.013-0.584-1.176-0.283-1.167c0.209-0.933,1.076,0.798,0.557,0.462c0.002-0.018-0.009-0.022-0.035-0.012 + c0.006-0.01,0-0.015-0.01-0.011c-0.002-0.013,0.184-0.061,0.179-0.134c-0.292-0.122-0.154,0.092-0.344,0 + 
c0.003,0.011,0,0.015-0.013,0.011c0.014,0.05,0.03,0.076,0.044,0.089c-0.021-0.003-0.057-0.001-0.131,0.039 + c0.109,0.31,0.338,0.166,0.362,0.54c0.17,0.005,0.027-0.139,0.291,0.074C28.098,13.922,28.013,13.435,28.036,13.653z M28.743,13.061 + c-0.063-0.002-0.022,0.139-0.063,0.138c-0.082-0.147-0.282-0.753,0.205-0.69C28.952,12.681,28.751,13.167,28.743,13.061z + M31.058,13.368C31.105,13.137,31.521,13.5,31.058,13.368L31.058,13.368z M30.788,12.624c-0.09,0.076-0.154,0.169-0.143,0.279 + C30.355,12.825,30.541,12.708,30.788,12.624c0.193-0.166,0.511-0.231,0.495-0.104C31.196,12.513,30.974,12.559,30.788,12.624z + M35.015,20.699C35.066,20.7,35.017,20.785,35.015,20.699L35.015,20.699z M37.291,15.826C37.284,15.731,37.46,15.834,37.291,15.826 + L37.291,15.826z M38.519,13.325C38.634,13.339,38.701,13.672,38.519,13.325L38.519,13.325z M36.948,16.116 + C36.934,16.205,36.748,16.127,36.948,16.116L36.948,16.116z M36.312,16.168C36.341,16.159,36.284,16.276,36.312,16.168 + L36.312,16.168z M35.538,19.34C35.391,19.385,35.531,19.194,35.538,19.34L35.538,19.34z M34.66,17.915 + C34.568,17.942,34.655,17.829,34.66,17.915L34.66,17.915z M35.108,11.012c0.094,0.008-0.093,0.92-0.56,0.887 + c0-0.025-0.019-0.033-0.055-0.025C34.507,11.891,35.106,11.153,35.108,11.012z M34.444,14.623 + C34.584,14.63,34.459,14.76,34.444,14.623L34.444,14.623z M34.25,6.785C34.27,6.788,34.249,6.859,34.25,6.785L34.25,6.785z + M34.079,11.833C34.148,11.838,34.077,12.034,34.079,11.833L34.079,11.833z M33.114,11.963 + C32.973,11.99,33.128,11.817,33.114,11.963L33.114,11.963z M33.109,6.245c0-0.01-0.004-0.012-0.014-0.011 + c0.003-0.054-0.011-0.042-0.066-0.049c-0.002-0.012-0.007-0.023-0.016-0.033c0.033-0.017,0.002-0.062-0.007-0.091 + c0.119,0.016,0.274,0.076,0.234-0.07c0.032,0.006,0.032,0.009,0.023,0.009C33.395,6.05,33.152,6.235,33.109,6.245z M33.44,6.963 + C33.685,6.947,33.46,7.044,33.44,6.963L33.44,6.963z"/> +<path fill="#3C89C9" d="M27.862,13.907C27.93,13.892,27.875,13.8,27.862,13.907L27.862,13.907z"/> +<path fill="#3C89C9" 
d="M36.572,25.586c0.003-0.032-0.015-0.065-0.028-0.103c-0.018-0.027-0.04-0.049-0.058-0.049 + C36.484,25.492,36.507,25.583,36.572,25.586z"/> +<path fill="#3C89C9" d="M36.788,21.607c0.583,0.182,0.247-0.67,0.654-0.686c-0.195-0.356-0.303-0.515,0.04-0.696 + c-0.04-0.106-0.26-0.26-0.303-0.261c0.021,0.128-0.887,0.678-0.825,0.848C35.311,20.643,36.791,21.896,36.788,21.607z + M36.387,20.822c-0.022-0.006-0.009,0.001-0.022-0.012C36.387,20.818,36.375,20.81,36.387,20.822z"/> +<path fill="#3C89C9" d="M9.104,5.205c0-0.014-0.012-0.028-0.029-0.041C9,5.22,8.929,5.281,8.854,5.338 + C8.921,5.492,9.335,5.126,9.104,5.205z"/> +<path fill="#3C89C9" d="M3.835,12.353c0-0.008-0.003-0.008-0.004-0.014c-0.013-0.01-0.024-0.026-0.04-0.035 + C3.787,12.325,3.793,12.352,3.835,12.353z"/> +<path fill="#3C89C9" d="M3.382,12.197c0.001,0,0.001,0.001,0.003,0.001c-0.03-0.002-0.059-0.004-0.086,0.007 + c-0.034,0.136,0.431,0.404,0.661,0.385c0.005-0.026-0.008-0.042-0.016-0.061c0.011,0.034,0.023,0.057,0.035,0.104 + C3.987,12.637,4,12.64,4,12.646c-0.013,0.001-0.009,0.012-0.014,0.019c0.005,0.025,0.011,0.043,0.016,0.071 + c-0.027,0.002-0.039-0.046-0.016-0.071c-0.003-0.011-0.006-0.021-0.008-0.031c-0.051-0.024-0.228-0.013-0.289-0.02 + c-0.034,0.225-0.379,1.93-0.042,1.962c0.012-0.073-0.007-0.04,0.06-0.044c-0.083,0.09,0.897,1.763,0.723,1.771 + c0.054,0.288,0.631,0.44,0.596,0.835c0.062-0.002,0.008-0.023,0.068-0.043c0.121-0.463-0.635-1.013-0.576-1.478 + c0.619-0.025,0.979,2.242,1.331,2.237c0.175,0.377,1.95,0.87,2.337,0.865c0.046,0.212,0.247,0.416,0.238,0.662 + C8.6,19.379,8.73,19.659,8.949,19.73c-0.003-0.002-0.008-0.003-0.021-0.008c0.008,0.03,0.002,0.025,0.032,0.033 + c-0.004-0.014-0.004-0.021-0.008-0.024c0.05,0.015,0.102,0.023,0.162,0.011c-0.003-0.025,0.017-0.04,0.056-0.042 + c-0.002-0.152,0.09-0.095,0.094-0.235c0.565,0.294,0.003,1.677-0.271,2.038c0.23,0.049,0.031,0,0.176,0 + c0,0.445-0.345,0.505,0.191,0.957c0.004,0.366,0.381,1.012,0.595,1.283c0.902,0.009,0.623,1.492,0.622,1.972 + 
c-0.079,1.125,0.152,3.233-0.141,3.766c-0.108-0.005-0.067-0.119-0.228-0.063c0.05,0.031,0.046,0.074,0.017,0.121 + c0.313,0.032,0.09,0.487,0.256,0.494c-0.088,0.196,0.162,0.548-0.035,0.539c0.031,0.011,0.047,0.023,0.047,0.047 + c0.098,0.018,0.1-0.067,0.159-0.064c-0.003,0.034,0.019,0.041,0.064,0.023c0.011,0.096-0.118,0.08-0.167,0.087 + c0.086,0.282,0.18,0.154,0.33,0.348c0.06-0.007,0.07-0.09,0.101-0.169c0.023,0.021,0.103,0.044,0.109,0.112 + c-0.116,0.038-0.09,0.147,0.073,0.188c-0.019,0.015-0.17-0.096-0.122,0.015c-0.012-0.003-0.022,0-0.03,0.007 + c-0.004-0.03-0.02-0.16-0.081-0.164c0.009,0.085-0.005,0.042-0.065,0.062c0.008-0.05-0.014-0.063-0.065-0.033 + c0.025,0.159,0.081,0.059,0.141,0.061c0.012,0.106-0.059,0.038-0.136,0.075c0.012,0.057,0.219,0.101,0.435,0.118 + c0.025-0.004,0.048-0.006,0.063-0.006c0.001,0.006-0.001,0.006,0,0.011c0.218,0.016,0.425,0.002,0.419-0.056 + c-0.219-0.053-0.555-0.347-0.58-0.472c-0.071,0.019-0.111,0.037-0.137,0.049c0.037-0.069,0.097-0.127,0.244-0.109 + c-0.086-0.26-0.052-0.206-0.083-0.503c0.083,0.003,0.28-0.131,0.383-0.371c-0.526-0.324-0.004-0.622,0.104-1.043 + c-0.034-0.013-0.08-0.013-0.097-0.014c-0.002-0.035,0.182,0.007,0.202,0.008c-0.004-0.069,0.012,0.009,0.005-0.074 + c-0.017,0.002-0.024-0.011-0.024-0.035c-0.133-0.005-0.168-0.136-0.245-0.139c0.028-0.064,0.025-0.086,0.053-0.146 + c0.467,0.016,0.135-0.027,0.304-0.387c0.542,0.018,0.656-0.47,0.632-0.808c-0.062-0.054-0.108-0.143-0.118-0.307 + c0.055,0,0.104,0.136,0.118,0.307c0.174,0.161,0.502-0.066,0.687-0.344c-0.004,0.004-0.007,0.008-0.018,0.012 + c-0.001-0.033,0.022-0.031,0.025-0.021c0.08-0.12,0.134-0.252,0.13-0.364c0.034,0.055,0.066,0.058,0.098,0.013 + c-0.003,0.011,0.001,0.013,0.011,0.011c-0.006,0.136-0.04,0.124-0.066,0.215c0.041,0.002,0.019-0.041,0.053-0.041 + c-0.004-0.107,0.105-0.427,0.241-0.472c-0.001-0.096,1.733-2.791,1.35-2.798c-0.003-0.314,0.518-0.862,0.516-1.426 + c-0.326,0-0.858-0.782-1.218-0.424c0.019,0.001-0.371-0.201-0.668-0.314c-0.001,0.009,0,0.012-0.001,0.021 + 
c-0.259,0.067-0.302-0.009-0.262-0.093c-0.038-0.001-0.066,0.004-0.066,0.028c-0.146,0-0.036,0.227-0.133,0.227 + c0.03-0.114,0.038,0.059,0.013-0.194c-0.268,0.013-0.299,0.208-0.604,0.208c0-0.046,0.943-0.436,0.856-0.423 + c-0.002-0.011,0-0.015,0.011-0.011c0.001-0.182-0.024,0.032,0.023-0.174c-0.147,0.006-0.003,0.065-0.11,0.065 + c0.417-0.783-0.935-0.969-1.153-0.967c0.001-0.076-0.012-0.012-0.044-0.01c-0.066-0.442-0.031-0.324-0.497-0.319 + c0.032-0.053,0.16-0.145,0.219-0.193c-0.038-0.022-0.143-0.178-0.171-0.227c-0.173-0.006-1.139-0.2-1.137-0.2 + c0.001,0.152-0.162,0.276-0.167,0.515c-0.206,0.002,0.047-0.519,0.047-0.534c-0.033,0-0.046-0.011-0.043-0.032 + c-0.018,0.008-0.026,0.003-0.021-0.01c-0.31,0.005-0.654,0.775-0.755,0.775c0.011-0.388-1.209-0.058-0.965-0.633 + c0.025-0.689,0.151-0.722-0.702-0.706c0.009-0.176,0.127-0.342,0.138-0.53c-0.014,0,0.016,0.095,0.059,0.093 + c-0.095-1.071,0.012-0.283-0.659-0.057c-0.046,0.698-0.997-0.961-0.724-0.835c-0.387-1.162,1.034-1.04,1.346-1.052 + c0.114-0.135-0.096-0.147-0.142-0.214c0.49-0.164,1.108,0.105,1.217,0.646c0.127-0.546,0.696-1.87,0.678-1.659 + c0.103,0.028,0.078-0.002,0.171-0.006c0.018-0.218-0.328-0.518,0.087-0.821c0,0-0.116,0.325-0.119,0.355 + c0.053-0.001,0.081-0.078,0.07,0.04c0.177-0.097,0.067-0.161,0.095-0.333c-0.002-0.001,0.614-0.515,0.777-0.521 + c-0.187-0.278,0.509-0.629,0.648-0.753c0.088,0.131-0.031-0.05,0.198-0.094c-0.017,0.169-0.23,0.118,0.146,0.111 + c-0.008,0.087-0.26,0.323-0.27,0.418c0.011,0.005,0.413-0.403,0.54-0.407c-0.024-0.103-0.07,0.069-0.03-0.116 + c-0.157,0.024-0.174,0.038-0.297,0.044c0.001-0.017-0.177-0.388-0.055-0.394c-0.009-0.016-0.014-0.034-0.016-0.053 + c-0.058,0.006-0.116,0.05-0.173,0.062c0.003-0.036,0.055-0.071-0.012-0.084c0.021-0.013,0.037-0.033,0.047-0.056 + c0.058,0.196,0.224-0.155,0.243-0.15c0.022-0.492-1.027,0.497-0.996,0.495c0.496-0.604,0.687-0.748,1.397-0.781 + c1.021-0.212,0.604-0.658,0.342-0.735c-0.066,0.024-0.128,0.045-0.159,0.051c0.006-0.066,0.076-0.076,0.159-0.051 + 
c0.128-0.048,0.279-0.117,0.285-0.185c0.007,0.008-0.578-0.368-0.602-0.367c0.006,0.016-0.005-0.131-0.008-0.106 + c0.068,0.005,0.098,0.005,0.131,0.004c0.105-0.352-0.426-0.389-0.284-0.891c-0.147,0.036-1.038,1.066-0.605-0.09 + c-0.196,0.013-0.639-0.552-1.112-0.185c-0.033,0.521-0.044,0.853,0,1.38c-0.42,0.108-0.429,0.66-0.464,0.926 + c-0.13,0.007-0.46-0.413-0.4-0.416c0.063-0.201-0.902-0.685-1.198-0.591c-0.009-0.04-0.166-0.462-0.183-0.367 + c-0.38,0.033,0.291-0.711,0.291-0.696c-0.05,0.005,0.885-0.672,0.907-0.795c-0.14-0.015-0.275-0.006-0.439,0.01 + C9.045,8.472,9.108,8.608,9.14,8.453c0.089-0.047,0.256,0.11,0.319,0.104c0.059-0.093,0.047-0.144,0.063-0.233 + C9.683,8.251,9.703,8.37,9.85,8.335c0-0.009,0.004-0.016,0.014-0.022C9.808,8.293,9.796,8.2,9.737,8.22 + c0.023-0.01,0.036-0.024,0.037-0.044c0.425-0.184,0.961-0.912,0.118-0.83c0.123,0.313-0.177,0.357-0.244,0.687 + c-0.525,0.051,0.043-0.47-0.18-0.52C9.352,7.638,9.265,7.709,9.232,7.866C9.294,7.871,8.979,7.475,8.978,7.46 + c0.237-0.153,0.031-0.043,0.109-0.196C9.126,7.286,9.188,7.322,9.21,7.221C9.2,7.226,9.198,7.222,9.203,7.212 + C9.062,7.26,8.921,6.938,8.817,6.978c0.05-0.202,0.901-0.654,0.487-0.648C9.264,6.413,8.924,6.266,8.81,6.734 + C8.648,6.863,8.551,7.378,8.513,7.552c0.029-0.011,0.065-0.077,0.049-0.005C8.57,7.546,8.858,7.445,8.946,7.475 + C8.918,7.601,8.763,7.605,8.678,7.657C8.655,7.808,8.634,7.775,8.731,7.756c-0.08,0.076-0.293,0.497-0.29,0.487 + c-0.206,0.074-0.14-0.145-0.11-0.273C8.25,8.032,8.297,7.991,8.313,7.92c-0.102,0.011-0.037,0.044-0.18-0.04 + c-0.391,0.75-1.09-0.359-1.382,0.26c0.037,0.01,0.044-0.012,0.085-0.001c0.039-0.069,0.261-0.168,0.326-0.158 + C7.01,8.273,6.807,8.15,6.723,8.514C6.66,8.461,6.68,8.371,6.698,8.277c0.077-0.073-0.505,0.082-0.738,0.071 + c0.05-0.185,0.119-0.071,0.181-0.181C6.071,8.153,6,8.136,5.926,8.119c-0.161,0.188-0.319,0.38-0.474,0.574 + c0.053-0.009,0.104-0.019,0.138-0.002C5.507,8.755,5.481,8.815,5.514,8.868c-0.058,0.007-0.15,0.009-0.22,0.027 + 
C5.288,8.903,5.282,8.91,5.276,8.918C5.268,8.99,5.381,8.933,5.359,9.015C5.298,8.987,5.23,9.02,5.165,9.059 + c-0.667,0.88-1.256,1.82-1.769,2.807C3.412,11.949,3.417,12.041,3.382,12.197z M3.885,12.865C3.91,12.736,4.033,12.817,3.885,12.865 + L3.885,12.865z M11.391,31.242C11.507,31.245,11.397,31.289,11.391,31.242L11.391,31.242z M10.955,24.225 + C11.074,24.225,10.975,24.438,10.955,24.225L10.955,24.225z M10.815,30.891C10.79,30.668,10.974,30.899,10.815,30.891L10.815,30.891 + z M10.842,30.767c-0.022,0.021-0.07-0.005-0.085-0.025C10.78,30.749,10.817,30.76,10.842,30.767z M10.696,30.854 + C10.705,30.742,10.825,30.837,10.696,30.854L10.696,30.854z M10.578,23.662C10.839,23.602,10.606,24.051,10.578,23.662 + L10.578,23.662z M8.36,19.022C8.362,19.004,8.689,19.017,8.36,19.022L8.36,19.022z M8.277,18.896 + C8.252,18.807,8.457,18.935,8.277,18.896L8.277,18.896z M11.98,10.99C12.145,11.006,11.977,11.182,11.98,10.99L11.98,10.99z + M11.773,10.671C11.814,10.681,11.803,10.752,11.773,10.671L11.773,10.671z M11.469,10.997C11.407,11,11.494,10.72,11.469,10.997 + L11.469,10.997z M11.319,11.143C11.406,11.203,11.123,11.438,11.319,11.143L11.319,11.143z M10.898,11.569 + C11.028,11.536,10.86,11.675,10.898,11.569L10.898,11.569z M10.885,10.553C10.869,10.674,10.794,10.581,10.885,10.553L10.885,10.553 + z M10.713,11.643C10.704,11.646,10.741,11.572,10.713,11.643C10.793,11.433,10.855,11.59,10.713,11.643z M10.768,10.518 + C10.591,10.529,10.784,10.391,10.768,10.518L10.768,10.518z M10.571,12.997C10.625,12.734,10.602,12.996,10.571,12.997 + L10.571,12.997z M10.501,12.777C10.468,12.865,10.483,12.776,10.501,12.777L10.501,12.777z M8.843,6.717 + C8.973,6.669,8.827,6.809,8.843,6.717L8.843,6.717z M10.241,12.96c-0.053,0.216-0.795,0.652-1.08,0.666c0,0,0.049-0.094-0.058-0.049 + c0.023-0.08,0.121-0.138,0.13-0.218c0.071-0.003-0.03,0.079-0.037,0.139c0.239-0.012,0.659-0.384,0.772-0.425 + C9.9,13.051,10.26,12.959,10.241,12.96z M9.747,12.985C9.821,12.982,9.627,13.166,9.747,12.985L9.747,12.985z M9.778,11.277 + 
C9.772,11.317,9.524,11.215,9.778,11.277L9.778,11.277z M9.624,12.612C9.875,12.598,9.613,12.704,9.624,12.612L9.624,12.612z + M8.606,12.011C8.599,11.826,8.831,11.997,8.606,12.011L8.606,12.011z M8.671,12.144c0.233,0.053,1.04,0.757,0.986,0.888 + c-0.276,0.001-0.137-0.064-0.366,0.282c-0.138-0.154,0.034-0.245-0.176-0.117c0.017,0.023-0.027-0.363-0.053-0.417 + c-0.322,0.056-0.255,0.602-0.443,0.811c-0.262-0.001,0.053-0.543,0.068-0.643c-0.028,0.079-0.07,0.117-0.129,0.112 + c0.051-0.291,0.372-0.335,0.533-0.345c-0.011,0.03,0.006,0.04,0.048,0.028c0-0.153-0.481-0.2-0.593-0.153 + c0.005-0.011,0.002-0.014-0.01-0.01c0.012-0.018,0.024-0.037,0.037-0.052c-0.145,0.044-0.418,0.087-0.446,0.099 + c0.006-0.021-0.008-0.024-0.041-0.007C8.286,12.384,8.654,12.268,8.671,12.144z M7.956,15.896C8.1,15.891,7.872,16.037,7.956,15.896 + L7.956,15.896z M7.76,15.81C7.816,15.807,7.772,15.929,7.76,15.81L7.76,15.81z M7.458,11.162c-0.002-0.052,0.21,0.537,0.191,0.676 + c-0.044-0.005-0.064,0.011-0.059,0.046C7.613,11.881,7.117,11.173,7.458,11.162z M7.269,11.784 + C7.281,11.521,7.519,11.854,7.269,11.784L7.269,11.784z M7.217,11.325c-0.014,0.045-0.013,0.238-0.013,0.299 + c0-0.05-0.025-0.024-0.02-0.007c-0.072-0.021-0.07-0.177-0.101-0.228C7.167,11.351,7.167,11.309,7.217,11.325z M7.127,10.513 + c-0.254,0.096-0.093,0.167-0.028-0.161C7.195,10.232,7.13,10.495,7.127,10.513z M7.035,10.226 + C7.116,10.282,6.892,10.41,7.035,10.226L7.035,10.226z M6.87,10.751C6.891,10.649,6.959,10.742,6.87,10.751L6.87,10.751z + M5.078,13.742C5.352,13.723,4.966,14.072,5.078,13.742L5.078,13.742z M6.52,10.042c-0.001,0.003,0.003,0.002,0.003,0.006 + c0.022-0.003,0.042-0.007,0.076-0.003c-0.056,0.029-0.079,0.027-0.076,0.003c-0.012,0.002-0.028,0.001-0.04,0.002 + c-0.151,0.045-0.56,0.41-0.531,0.28c0.291-0.089,0.303-0.26,0.531-0.28C6.496,10.046,6.511,10.041,6.52,10.042z M5.716,9.574 + C5.845,9.305,5.464,9.458,5.8,9.355C5.798,9.753,6.251,9.186,6.467,9.241C6.436,9.388,5.196,10.148,5.304,9.71 + C5.455,9.725,5.55,9.571,5.716,9.574z 
M5.107,9.347c0.011-0.019,0.203,0,0.264-0.011C5.292,9.482,4.849,9.384,5.107,9.347z + M3.791,12.304c0.005-0.029,0.03-0.041,0.04,0.035c0.039,0.03,0.072,0.083,0.099,0.152c-0.07-0.074-0.227-0.093-0.209-0.179 + c-0.063-0.008-0.154-0.062-0.245-0.094C3.617,12.251,3.722,12.271,3.791,12.304z"/> +<path fill="#3C89C9" d="M28.827,12.569C28.832,12.605,28.898,12.596,28.827,12.569L28.827,12.569z"/> +<path fill="#3C89C9" d="M9.284,12.757C9.364,12.754,9.275,12.808,9.284,12.757C9.255,12.915,9.726,12.745,9.284,12.757z"/> +<path fill="#3C89C9" d="M35.885,20.362C35.889,20.49,35.976,20.363,35.885,20.362L35.885,20.362z"/> +<path fill="#3C89C9" d="M35.856,21.629C36.056,21.629,35.856,21.414,35.856,21.629L35.856,21.629z"/> +<path fill="#3C89C9" d="M39.982,23.137c-0.071,0.022-0.031-0.031-0.031-0.06c-0.265,0.137-0.521-0.145-0.698-0.082 + c0.089,0.021,0.139,0.07,0.148,0.149c-0.033,0.006-0.048,0.02-0.046,0.039c-0.04,0.022-0.274-0.02-0.293-0.024 + c-0.008,0.2-0.105,0.207-0.119,0.445c-0.178-0.015-0.136,0.023-0.265,0.055c0.047-0.521-0.615,0.099-0.627,0.319 + c-0.063,0.002-0.038-0.137-0.091-0.152c-0.031,0.61-1.219,0.717-1.298,0.963c-0.011,0.005-0.013,0.002-0.01-0.01 + c-0.169,0.003-0.029,0.629-0.04,0.722c-0.085-0.019-0.038-0.071-0.081-0.07c-0.002,0.02,0.005,0.035,0.012,0.051 + c0.167,0.231,0.328,1.302,0.06,1.312c0.09,0.799,2.969-1.344,2.808,0.007c0.021-0.006,0.035,0,0.042,0.018 + c0-0.003,0.015-0.015,0.024-0.024c0.318-1.008,0.558-2.052,0.714-3.126C40.078,23.52,39.964,23.542,39.982,23.137z M39.496,26.29 + C39.423,26.293,39.5,26.253,39.496,26.29L39.496,26.29z M39.55,26.376C39.584,26.1,39.631,26.38,39.55,26.376L39.55,26.376z + M39.962,23.378C39.929,23.575,39.834,23.361,39.962,23.378L39.962,23.378z"/> +<path fill="#3C89C9" d="M35.56,21.431C35.554,21.46,35.883,21.431,35.56,21.431L35.56,21.431z"/> +<path fill="#3C89C9" d="M36.855,22.503c-0.028-0.15-0.559-0.54-0.586-0.389c-0.425,0.002-0.371-0.172-0.768,0.045 + C35.551,22.26,36.613,22.506,36.855,22.503z"/> +<path fill="#3C89C9" 
d="M8.574,12.528c0.055-0.018,0.095-0.034,0.092-0.05C8.62,12.48,8.595,12.502,8.574,12.528z"/> +<path fill="#3C89C9" d="M37.74,19.033c-0.005-0.049-0.009-0.044-0.009-0.031c0-0.127-0.059-0.189-0.188-0.168 + C37.544,18.875,37.751,19.03,37.74,19.033z"/> +<path fill="#3C89C9" d="M38.129,19.367C38.086,19.187,37.9,19.416,38.129,19.367L38.129,19.367z"/> +<path fill="#3C89C9" d="M39.064,23.09C39.054,22.968,38.961,23.092,39.064,23.09L39.064,23.09z"/> +<path fill="#3C89C9" d="M38.109,18.776C38.112,18.876,38.175,18.778,38.109,18.776L38.109,18.776z"/> +<path fill="#3C89C9" d="M37.548,19.079C37.399,19.04,37.548,19.097,37.548,19.079L37.548,19.079z"/> +<path fill="#3C89C9" d="M37.753,21.607c0,0.147,0.076,0.165,0.074,0.305c0.026-0.01,0.038-0.007,0.033,0.012 + c0.105-0.005,0.028-0.103,0.177-0.103c0-0.139-0.284-0.265-0.284-0.378c0.063-0.034,0.151-0.055,0.225-0.099 + c-0.036,0.019,0.114,0.09,0.114,0.008c-0.065-0.013-0.099-0.013-0.114-0.008c0.04-0.024,0.075-0.055,0.091-0.104 + c-0.203,0.013-0.331,0.056-0.382-0.029c-0.321,0.353-0.579,0.789-0.134,0.787C37.555,22.012,37.725,21.607,37.753,21.607z"/> +<path fill="#3C89C9" d="M37.174,22.521c0,0.014-0.042,0.064-0.048,0.104c0.279-0.046,0.269,0.063,0.2-0.136 + C37.268,22.479,37.337,22.519,37.174,22.521z"/> +<path fill="#3C89C9" d="M37.783,19.002C37.802,19.071,37.877,19.026,37.783,19.002L37.783,19.002z"/> +<path fill="#3C89C9" d="M38.013,22.015C38.189,22.008,37.956,21.672,38.013,22.015L38.013,22.015z"/> +<path fill="#3C89C9" d="M37.691,22.834C37.72,22.614,37.21,22.841,37.691,22.834L37.691,22.834z"/> +<path fill="#3C89C9" d="M37.811,19.156C37.796,19.525,38.032,19.178,37.811,19.156L37.811,19.156z"/> +<path fill="#3C89C9" d="M38.281,22.513C38.121,22.525,38.278,22.546,38.281,22.513L38.281,22.513z"/> +<path fill="#3C89C9" d="M38.192,21.382C38.164,21.46,38.492,21.408,38.192,21.382L38.192,21.382z"/> +<path fill="#3C89C9" d="M38.263,20.813c0.028-0.115-0.134-0.021-0.332,0.155C38.129,20.909,38.309,20.813,38.263,20.813z"/> +<path fill="#3C89C9" 
d="M37.846,19.402C37.853,19.55,38.298,19.357,37.846,19.402L37.846,19.402z"/> +<path fill="#3C89C9" d="M38.8,16.037C38.881,16.015,38.809,15.971,38.8,16.037L38.8,16.037z"/> +<path fill="#3C89C9" d="M39.188,21.133C38.855,21.072,39.188,21.2,39.188,21.133L39.188,21.133z"/> +<path fill="#3C89C9" d="M39.047,21.403C39.047,21.314,38.957,21.386,39.047,21.403L39.047,21.403z"/> +<path fill="#3C89C9" d="M39.177,15.369c-0.082,0.005-0.243,0.067-0.252,0.165c0.054,0.002,0.047,0.039,0.052,0.073 + c0.039,0,0.064,0.023,0.085,0.074C39.125,15.471,39.261,15.602,39.177,15.369z"/> +<path fill="#3C89C9" d="M38.705,21.13c-0.017-0.059,0.205-0.366-0.017-0.437c-0.031,0.117-0.132,0.398,0.051,0.476 + C38.739,21.207,38.758,21.13,38.705,21.13z"/> +<path fill="#3C89C9" d="M38.609,21.585C38.243,21.625,38.609,21.756,38.609,21.585L38.609,21.585z"/> +<path fill="#3C89C9" d="M38.683,21.201C38.565,21.169,38.685,21.237,38.683,21.201L38.683,21.201z"/> +<path fill="#3C89C9" d="M38.763,20.634C38.767,20.847,38.917,20.676,38.763,20.634L38.763,20.634z"/> +<path fill="#3C89C9" d="M39.062,15.173C38.986,15.167,39.05,15.224,39.062,15.173L39.062,15.173z"/> +<path fill="#3C89C9" d="M39.31,15.347c-0.016,0.113-0.055,0.073,0.029,0.19c0.12,0.003,0.207-0.044,0.284-0.102 + c-0.042-0.15-0.085-0.302-0.131-0.451c-0.005,0.001-0.009,0.004-0.016,0.007c-0.009-0.016-0.021-0.024-0.036-0.022 + c-0.01-0.055,0.007-0.053,0.021-0.074c-0.005-0.016-0.012-0.031-0.015-0.046c-0.167,0.058-0.247,0.267-0.406,0.4 + c0.007,0.006,0.014,0.017,0.018,0.042c-0.026-0.001-0.036-0.013-0.038-0.025c-0.082,0.061-0.174,0.101-0.315,0.093 + C38.741,15.425,39.221,15.342,39.31,15.347z"/> +<path fill="#3C89C9" d="M38.634,15.676c0.084-0.016,0.047-0.107,0.071-0.106c0.051,0.133-0.087,0.176-0.034,0.289 + c0.057,0.014,0.069-0.018,0.073-0.039c0,0.014,0,0.04,0.008,0.093c0.271,0.014,0.007-0.52,0.007-0.5 + c-0.125-0.01-0.125,0.083-0.214,0.078C38.655,15.646,38.59,15.558,38.634,15.676z"/> +<path fill="#3C89C9" 
d="M39.09,21.243C39.09,21.265,39.2,21.243,39.09,21.243L39.09,21.243z"/> +<path fill="#3C89C9" d="M39.13,23.07C39.164,22.982,39.041,23.07,39.13,23.07L39.13,23.07z"/> +<path fill="#3C89C9" d="M39.09,21.293C39.092,21.384,39.209,21.268,39.09,21.293L39.09,21.293z"/> +<path fill="#3C89C9" d="M23.898,14.594c-0.014,0.019-0.03,0.025-0.052,0.022c0.001,0.109,0.357,0.161,0.353,0.014 + C24.154,14.638,23.901,14.664,23.898,14.594z"/> +<path fill="#3C89C9" d="M8.016,7.312C7.954,7.318,7.973,7.486,8.016,7.312L8.016,7.312z"/> +<path fill="#3C89C9" d="M7.97,7.73C7.818,7.749,7.92,7.849,7.97,7.73L7.97,7.73z"/> +<path fill="#3C89C9" d="M7.927,6.159C7.898,6.168,7.902,6.369,7.927,6.159L7.927,6.159z"/> +<path fill="#3C89C9" d="M7.949,7.936C7.945,8.064,7.997,7.932,7.949,7.936L7.949,7.936z"/> +<path fill="#3C89C9" d="M7.927,6.159C7.86,6.184,7.923,6.19,7.927,6.159L7.927,6.159z"/> +<path fill="#3C89C9" d="M8.526,6.359c-0.059,0.11-0.149,0.108-0.18,0.164c-0.102-0.01-0.154-0.095-0.26,0.115 + c0.026,0.023,0.096,0.047,0.136,0.042c-0.03,0.076-0.035,0.048-0.037,0.104C8.052,6.783,7.996,6.789,7.889,6.763 + c0,0.011-0.004,0.014-0.013,0.012c-0.075,0.28,0.416,0.3,0.566,0.282c0.291-0.434,0.043-0.21,0.191-0.579 + C8.338,6.461,8.57,6.354,8.526,6.359z"/> +<path fill="#3C89C9" d="M7.891,7.67c0,0.027-0.003,0.023,0.022,0.027C7.911,7.67,7.916,7.673,7.891,7.67z"/> +<path fill="#3C89C9" d="M8.071,7.781c0.14-0.053,0.182,0.057,0.459-0.021c0.028-0.125-0.207-0.25-0.203-0.263 + C8.266,7.508,8.072,7.703,8.071,7.781z"/> +<path fill="#3C89C9" d="M19.85,10.422C19.852,10.293,19.816,10.422,19.85,10.422L19.85,10.422z"/> +<path fill="#3C89C9" d="M20.45,9.181C20.384,9.454,20.495,9.18,20.45,9.181L20.45,9.181z"/> +<path fill="#3C89C9" d="M19.801,10.235C19.786,10.372,19.813,10.245,19.801,10.235L19.801,10.235z"/> +<path fill="#3C89C9" d="M8.92,5.966C8.963,5.868,8.71,5.993,8.92,5.966L8.92,5.966z"/> +<path fill="#3C89C9" d="M8.282,6.02C8.187,6.096,8.132,6.003,8.09,6.155c0.021-0.009,0.025-0.003,0.014,0.018 + 
C8.229,6.129,8.31,6.082,8.438,6.039C8.421,6.103,8.332,6.116,8.297,6.228c0.678-0.03,0.424-0.477,0.25-0.455 + C8.541,5.5,8.471,5.852,8.434,5.988c-0.049-0.023-0.042-0.236-0.15-0.197C8.28,5.794,8.275,5.797,8.271,5.801 + C8.237,5.888,8.27,5.935,8.282,6.02z"/> +<path fill="#3C89C9" d="M10.293,4.948C10.386,4.915,10.326,4.873,10.293,4.948L10.293,4.948z"/> +<path fill="#3C89C9" d="M9.835,9.082c-0.06,0.021-0.159,0.057-0.218,0.102C9.578,9.272,9.796,9.155,9.835,9.082z"/> +<path fill="#3C89C9" d="M10.025,8.879c-0.011-0.049,0-0.07,0.032-0.065c-0.003,0.007-0.411-0.31-0.394-0.31 + c0.079-0.162-0.273,0.417-0.275,0.43C9.646,8.912,9.524,8.788,9.819,8.72C9.803,8.83,9.848,8.99,10.025,8.879z"/> +<path fill="#3C89C9" d="M10.095,10.415C10.044,10.785,10.128,10.421,10.095,10.415L10.095,10.415z"/> +<path fill="#3C89C9" d="M20.647,11.012c-0.045-0.185-0.143-0.226-0.009-0.209c0-0.548-0.504-0.283-0.303-0.921 + c-0.101-0.058-0.153-0.012-0.294,0.023c-0.004-0.118,0.175-0.17,0.114-0.296c-0.35-0.125-0.312,0.542-0.313,0.715 + c0.083-0.001,0.012-0.087,0.103-0.055c-0.011,0.089-0.054,0.182-0.055,0.263c0.011-0.004,0.013,0,0.011,0.011 + c0.044-0.017,0.18-0.051,0.277-0.013c0,0.122,0.019,0.112,0.018,0.307c-0.085,0-0.109,0.026-0.175-0.043 + c-0.013,0.023-0.03,0.035-0.051,0.033c0.05,0.229-0.056,0.14-0.097,0.396c0.08,0,0.02-0.002,0.019,0.032 + c0.147-0.005,0.204-0.035,0.343-0.057c-0.024,0.167-0.457,0.095-0.46,0.375c0.056-0.017,0.08-0.007,0.073,0.032 + c0.316-0.088,0.565-0.182,0.904-0.255c0.007-0.084-0.077-0.019-0.104-0.11c0.104,0,0.188-0.084,0.186-0.229 + C20.714,10.905,20.718,10.988,20.647,11.012z M20.367,11.429C20.434,11.428,20.367,11.465,20.367,11.429L20.367,11.429z"/> +<path fill="#3C89C9" d="M10.3,9.12C10.176,9.161,10.228,9.374,10.3,9.12L10.3,9.12z"/> +<path fill="#3C89C9" d="M10.045,10.554c-0.03,0.01-0.024,0.004-0.036,0.035C10.038,10.579,10.033,10.584,10.045,10.554z"/> +<path fill="#3C89C9" d="M9.647,8.391C9.651,8.49,9.781,8.403,9.647,8.391L9.647,8.391z"/> +<path fill="#3C89C9" 
d="M9.835,9.082c0.05-0.018,0.074-0.024,0.009-0.01C9.844,9.075,9.837,9.079,9.835,9.082z"/> +<path fill="#3C89C9" d="M7.956,6.084C7.917,6.23,8.218,5.968,8.177,5.973c0.036-0.077,0.017-0.081-0.003-0.088 + c-0.05,0.042-0.097,0.085-0.147,0.128C8.072,6.02,8.032,6.073,7.956,6.084z"/> +<path fill="#3C89C9" d="M8.668,6.24C8.59,6.269,8.647,6.319,8.668,6.24L8.668,6.24z"/> +<path fill="#3C89C9" d="M7.376,7.913C7.206,7.954,7.351,8.017,7.376,7.913L7.376,7.913z"/> +<path fill="#3C89C9" d="M7.485,6.965c0.025-0.099-0.038-0.284-0.136-0.271C7.31,6.833,7.291,7.06,7.485,6.965z"/> +<path fill="#3C89C9" d="M8.679,6.594C8.701,6.507,8.582,6.606,8.679,6.594L8.679,6.594z"/> +<path fill="#3C89C9" d="M7.709,7.832C7.692,7.898,7.859,7.797,7.709,7.832L7.709,7.832z"/> +<path fill="#3C89C9" d="M6.477,7.5c0.107-0.014,0.187-0.014,0.182,0.011c-0.05,0.007-0.051,0.007-0.054,0.057 + C6.528,7.605,6.43,7.634,6.328,7.657C6.254,7.737,6.185,7.82,6.113,7.901C6.208,7.975,6.27,8.079,6.5,8.018 + c0.3,0.025,0.48-0.33,0.812-0.371C7.264,7.83,7.756,7.91,7.807,7.699c-0.035,0.014-0.041,0-0.019-0.039 + C7.75,7.665,7.521,7.762,7.615,7.6C7.657,7.598,7.79,7.73,7.82,7.606C7.713,7.619,7.803,7.598,7.765,7.603 + C7.796,7.475,7.904,7.647,7.96,7.61c0.042-0.36-0.528-0.612-0.862-0.415c0.02-0.04,0.018-0.056-0.005-0.05 + c0.01-0.104,0.014-0.201-0.01-0.268C6.876,7.08,6.675,7.289,6.477,7.5z"/> +<path fill="#3C89C9" d="M27.432,3.613C27.423,3.677,27.51,3.62,27.432,3.613L27.432,3.613z"/> +<path fill="#3C89C9" d="M27.341,3.882C27.09,3.862,27.373,3.986,27.341,3.882L27.341,3.882z"/> +<path fill="#3C89C9" d="M27.415,3.729C27.451,3.815,27.459,3.733,27.415,3.729L27.415,3.729z"/> +<path fill="#3C89C9" d="M27.394,3.888c-0.006-0.012-0.004-0.015,0.008-0.011c-0.008-0.05-0.201-0.132-0.234-0.126 + C27.194,3.829,27.319,3.88,27.394,3.888z"/> +<path fill="#3C89C9" d="M27.134,4.134C27.148,4.22,27.217,4.14,27.134,4.134L27.134,4.134z"/> +<path fill="#3C89C9" d="M27.416,3.462C27.619,3.48,27.417,3.417,27.416,3.462L27.416,3.462z"/> +<path fill="#3C89C9" 
d="M27.379,4.131C27.215,4.373,27.568,4.146,27.379,4.131L27.379,4.131z"/> +<path fill="#3C89C9" d="M27.294,3.591C26.977,3.559,27.317,3.728,27.294,3.591L27.294,3.591z"/> +<path fill="#3C89C9" d="M27.311,3.646C27.292,3.72,27.388,3.652,27.311,3.646L27.311,3.646z"/> +<path fill="#3C89C9" d="M27.399,3.578C27.373,3.415,27.233,3.598,27.399,3.578L27.399,3.578z"/> +<path fill="#3C89C9" d="M27.252,3.727C27.319,3.906,27.595,3.754,27.252,3.727L27.252,3.727z"/> +<path fill="#3C89C9" d="M27.125,3.888C27.219,3.864,27.073,3.759,27.125,3.888L27.125,3.888z"/> +<path fill="#3C89C9" d="M10.035,10.481c-0.029,0.01-0.024,0.004-0.035,0.034C10.029,10.505,10.023,10.512,10.035,10.481z"/> +<path fill="#3C89C9" d="M27.479,3.799C27.371,3.825,27.5,3.931,27.479,3.799L27.479,3.799z"/> +<path fill="#3C89C9" d="M27.613,4.129C27.239,4.034,27.647,4.348,27.613,4.129L27.613,4.129z"/> +<path fill="#3C89C9" d="M29.404,6.18C29.201,6.103,29.432,6.509,29.404,6.18L29.404,6.18z"/> +<path fill="#3C89C9" d="M30.468,6.476C30.483,6.235,30.271,6.456,30.468,6.476L30.468,6.476z"/> +<path fill="#3C89C9" d="M30.295,6.501C30.202,6.782,30.461,6.552,30.295,6.501L30.295,6.501z"/> +<path fill="#3C89C9" d="M31.667,4.669c0.066,0.008,0.139,0.022,0.216,0.039c-0.052-0.037-0.103-0.074-0.158-0.109 + C31.69,4.629,31.665,4.656,31.667,4.669z"/> +<path fill="#3C89C9" d="M29.765,6.369C29.78,6.456,29.846,6.384,29.765,6.369L29.765,6.369z"/> +<path fill="#3C89C9" d="M31.859,4.909c0.009,0.01,0.006,0.012-0.004,0.008c0.031,0.116,0.291,0.133,0.491,0.123 + c-0.104-0.077-0.21-0.152-0.318-0.226C31.955,4.854,31.863,4.909,31.859,4.909z"/> +<path fill="#3C89C9" d="M31.828,4.884c-0.031-0.104-0.22-0.174-0.275-0.179c0.051,0.202,0.008,0.164,0.236,0.193 + C31.781,4.875,31.792,4.869,31.828,4.884z"/> +<path fill="#3C89C9" d="M32.425,5.743C32.134,5.705,32.459,5.887,32.425,5.743L32.425,5.743z"/> +<path fill="#3C89C9" d="M27.764,6.877C27.69,6.846,27.773,6.931,27.764,6.877L27.764,6.877z"/> +<path fill="#3C89C9" 
d="M27.697,4.263C27.503,4.264,27.788,4.505,27.697,4.263L27.697,4.263z"/> +<path fill="#3C89C9" d="M27.073,3.711C27.09,3.833,27.259,3.724,27.073,3.711L27.073,3.711z"/> +<path fill="#3C89C9" d="M27.89,4.014c-0.033-0.155-0.217,0.037-0.199,0.153C27.884,4.184,27.976,3.995,27.89,4.014z"/> +<path fill="#3C89C9" d="M27.046,6.629c0.093,0.005,0.251,0.055,0.321,0.04c0.012,0.093-0.093,0.104-0.082,0.199 + c0.009-0.003,0.012,0.001,0.011,0.013c0.292,0.022,0.354-0.044,0.551-0.031c-0.003-0.012,0-0.015,0.008-0.01 + c-0.003-0.026-0.029-0.007-0.031-0.033c-0.405-0.026-0.22-0.818-0.472-0.696c-0.003-0.029-0.02-0.01-0.024-0.055 + c-0.056-0.032,1.572-0.583,1.466-0.827c-0.458-0.095-1.621,0.383-1.681,0.695c0.069,0.037,0.103,0.014,0.173,0.032 + c0.002,0.027-0.193,0.094-0.026,0.105c0.026,0.183-0.266,0.307-0.225,0.556C27.045,6.614,27.05,6.618,27.046,6.629z M27.261,5.782 + C27.328,5.81,27.268,5.817,27.261,5.782L27.261,5.782z"/> +<path fill="#3C89C9" d="M27.968,6.953c0.024,0.063,0.156,0.182,0.16,0.204c0.268,0.019-0.055-0.206-0.152-0.212 + C27.98,6.954,27.976,6.958,27.968,6.953z"/> +<path fill="#3C89C9" d="M28.137,4.1c0.019,0.001,0.046,0.01,0.051,0.037c0.034,0.015,0.177-0.166,0.174-0.175 + c-0.124-0.047-0.146,0.029-0.265,0.018c0.021,0.045,0.055,0.047-0.012,0.041C28.097,4.076,28.128,4.054,28.137,4.1z"/> +<path fill="#3C89C9" d="M11.907,18.457C11.933,18.614,12.008,18.456,11.907,18.457L11.907,18.457z"/> +<path fill="#3C89C9" d="M10.877,34.785c-0.051,0.077-0.162,0.074-0.074,0.245C10.993,35.021,11.246,34.813,10.877,34.785z"/> +<path fill="#3C89C9" d="M11.921,33.813C11.731,33.737,11.91,33.951,11.921,33.813L11.921,33.813z"/> +<path fill="#3C89C9" d="M11.769,34.281C11.679,34.274,11.792,34.442,11.769,34.281L11.769,34.281z"/> +<path fill="#3C89C9" d="M10.615,30.859c-0.019,0.12,0.04,0.214,0.169,0.223c-0.004-0.012-0.001-0.016,0.009-0.012 + C10.762,30.995,10.749,30.899,10.615,30.859z"/> +<path fill="#3C89C9" d="M10.895,31.224C10.897,31.254,10.964,31.251,10.895,31.224L10.895,31.224z"/> +<path fill="#3C89C9" 
d="M11.284,31.385C11.34,31.54,11.388,31.404,11.284,31.385L11.284,31.385z"/> +<path fill="#3C89C9" d="M11.413,31.431C11.438,31.489,11.523,31.46,11.413,31.431L11.413,31.431z"/> +<path fill="#3C89C9" d="M11.659,35.646c0.457,0.038-0.057-0.872-0.143-1.087c-0.095-0.007-0.167,0.733-0.173,0.695 + C10.168,35.063,11.678,35.746,11.659,35.646z"/> +<path fill="#3C89C9" d="M12.597,33.14C12.354,33.093,12.603,33.184,12.597,33.14L12.597,33.14z"/> +<path fill="#3C89C9" d="M12.268,30.555C12.32,30.916,12.427,30.595,12.268,30.555L12.268,30.555z"/> +<path fill="#3C89C9" d="M12.572,30.575c-0.099-0.014-0.193,0.14-0.137,0.218C12.734,30.809,12.572,30.577,12.572,30.575z"/> +<path fill="#3C89C9" d="M12.326,33.551C12.502,33.56,12.292,33.284,12.326,33.551L12.326,33.551z"/> +<path fill="#3C89C9" d="M11.948,31.224C11.723,31.214,11.929,31.31,11.948,31.224L11.948,31.224z"/> +<path fill="#3C89C9" d="M12.258,33.493C12,33.413,12.344,33.845,12.258,33.493L12.258,33.493z"/> +<path fill="#3C89C9" d="M12.852,32.981C12.526,32.957,12.872,33.159,12.852,32.981L12.852,32.981z"/> +<path fill="#3C89C9" d="M10.299,29.371c0.01-0.006,0.014,0,0.012,0.01c0.116,0.058,0.094-0.162,0.087-0.196 + C10.313,29.2,10.293,29.314,10.299,29.371z"/> +<path fill="#3C89C9" d="M10.359,29.118C10.352,29.036,10.301,29.1,10.359,29.118L10.359,29.118z"/> +<path fill="#3C89C9" d="M10.328,29.01C10.299,29.126,10.383,29.014,10.328,29.01L10.328,29.01z"/> +<path fill="#3C89C9" d="M10.421,28.64c-0.022-0.253-0.21,0.198-0.032,0.234C10.386,28.833,10.456,28.642,10.421,28.64z"/> +<path fill="#3C89C9" d="M12.603,34.9C12.619,34.578,12.489,34.895,12.603,34.9L12.603,34.9z"/> +<path fill="#3C89C9" d="M3.359,11.939c-0.003,0.006-0.007,0.012-0.01,0.019C3.354,11.97,3.367,11.948,3.359,11.939z"/> +<path fill="#3C89C9" d="M7.338,21.032C7.336,21.431,7.514,21.031,7.338,21.032L7.338,21.032z"/> +<path fill="#3C89C9" d="M10.396,30.308C10.433,30.463,10.555,30.353,10.396,30.308L10.396,30.308z"/> +<path fill="#3C89C9" 
d="M10.349,30.539c0.076,0.003,0.134-0.12,0.08-0.126C10.346,30.191,10.347,30.521,10.349,30.539z"/> +<path fill="#3C89C9" d="M10.309,30.366C10.28,30.295,10.241,30.389,10.309,30.366L10.309,30.366z"/> +<path fill="#3C89C9" d="M10.271,30.301C10.452,30.358,10.27,30.125,10.271,30.301L10.271,30.301z"/> +<path fill="#3C89C9" d="M10.293,30.22c0.076-0.038,0.022,0.011,0.085,0.013c0.046-0.156-0.02-0.241-0.046-0.427 + C10.121,29.798,10.276,30.065,10.293,30.22z"/> +<path fill="#3C89C9" d="M10.594,30.856c-0.123-0.037-0.048-0.362-0.269-0.267C10.335,30.626,10.561,31.011,10.594,30.856z"/> +<path fill="#3C89C9" d="M11.634,34.103c-0.016-0.229-0.128,0.073-0.069,0.205C11.642,34.313,11.67,34.114,11.634,34.103z"/> +<path fill="#3C89C9" d="M10.111,17.823c0.091,0.026,0.353,0.058,0.389,0.057c0.009-0.204,0.362-0.064,0.364-0.115 + c0.21-0.004-0.068-0.129-0.135-0.136c-0.028-0.116-0.353-0.088-0.463-0.086c0.031,0.051,0.111,0.161,0.108,0.221 + c-0.064,0.04-0.204-0.039-0.27-0.037c0.002,0.02-0.013,0.028-0.044,0.022C10.06,17.829,10.113,17.784,10.111,17.823z"/> +<path fill="#3C89C9" d="M11.845,18.307C11.867,18.437,11.888,18.307,11.845,18.307L11.845,18.307z"/> +<path fill="#3C89C9" d="M12.083,18.713C12.081,18.802,12.116,18.734,12.083,18.713L12.083,18.713z"/> +<path fill="#3C89C9" d="M11.882,18.167C11.744,18.169,11.88,18.237,11.882,18.167L11.882,18.167z"/> +<path fill="#3C89C9" d="M11.851,19.243C11.976,19.258,11.858,18.982,11.851,19.243L11.851,19.243z"/> +<path fill="#3C89C9" d="M27.032,4.04C26.944,4.022,27.023,4.104,27.032,4.04L27.032,4.04z"/> +<path fill="#3C89C9" d="M11.506,19.107C11.504,19.142,11.575,19.106,11.506,19.107L11.506,19.107z"/> +<path fill="#3C89C9" d="M11.945,19.467C11.943,19.517,12.046,19.476,11.945,19.467L11.945,19.467z"/> +<path fill="#3C89C9" d="M11.917,12.382c-0.203,0.068,0.204,0.203,0.223,0.172c-0.051-0.04-0.055-0.057-0.016-0.052 + C12.134,12.403,11.88,12.608,11.917,12.382z"/> +<path fill="#3C89C9" 
d="M12.244,12.679c0.033-0.002,0.007,0.011,0.052,0.009c0.016-0.18,0.146-0.219,0.187-0.341 + C12.489,12.348,12.069,12.529,12.244,12.679z"/> +<path fill="#3C89C9" d="M9.806,8.22C9.796,8.27,9.875,8.214,9.806,8.22L9.806,8.22z"/> +<path fill="#3C89C9" d="M12.478,12.52C12.31,12.527,12.519,12.718,12.478,12.52L12.478,12.52z"/> +<path fill="#3C89C9" d="M11.32,17.768C10.962,17.774,11.314,17.917,11.32,17.768L11.32,17.768z"/> +<path fill="#3C89C9" d="M12.268,12.195C12.112,12.245,12.26,12.275,12.268,12.195L12.268,12.195z"/> +<path fill="#3C89C9" d="M11.924,11.756c-0.004,0.003-0.026,0.006-0.026-0.004c-0.01,0.092,0.234,0.214,0.33,0.209 + C12.24,11.857,12.039,11.766,11.924,11.756z"/> +<path fill="#3C89C9" d="M9.635,17.759C9.558,17.736,9.621,18.048,9.635,17.759L9.635,17.759z"/> +<path fill="#3C89C9" d="M13.343,26.738c-0.041,0-0.045,0-0.052,0.033C13.332,26.771,13.336,26.774,13.343,26.738z"/> +<path fill="#3C89C9" d="M13.219,26.846C13.418,26.85,13.214,26.745,13.219,26.846L13.219,26.846z"/> +<path fill="#3C89C9" d="M27.608,23.781c0.041-0.015,0.058,0.017,0.058,0.081c0,0,0.001,0.005,0.007,0.005 + c0.007-0.038,0.034-0.456-0.026-0.454c-0.021-0.657-1.45,1.846-0.965,1.843c-0.029,1.099,0.971-0.946,0.984-1.394 + C27.635,23.854,27.608,23.788,27.608,23.781z"/> +<path fill="#3C89C9" d="M13.184,33.342C13.191,33.251,13.139,33.345,13.184,33.342L13.184,33.342z"/> +<path fill="#3C89C9" d="M10.128,14.291C10.065,14.427,10.175,14.289,10.128,14.291L10.128,14.291z"/> +<path fill="#3C89C9" d="M13.119,32.834C13.257,32.811,13.118,32.821,13.119,32.834L13.119,32.834z"/> +<path fill="#3C89C9" d="M9.555,16.688C9.521,16.889,9.725,16.683,9.555,16.688L9.555,16.688z"/> +<path fill="#3C89C9" d="M9.084,16.965c-0.106,0.002-0.384,0.03-0.359,0.201c-0.019-0.007-0.034-0.002-0.044,0.012 + c0.004,0.007,0.094,0.008,0.214,0.018c0.011-0.018,0.035-0.032,0.08-0.026c-0.004,0.019-0.009,0.019-0.014,0.032 + c0.251,0.026,0.59,0.102,0.665,0.356c0.152-0.02,0.349-0.083,0.471-0.085C9.999,17.264,9.108,17.097,9.084,16.965z"/> +<path 
fill="#3C89C9" d="M10.009,10.452C10.12,10.444,10.024,10.353,10.009,10.452L10.009,10.452z"/> +<path fill="#3C89C9" d="M13.014,33.429C12.991,33.378,12.914,33.425,13.014,33.429L13.014,33.429z"/> +<path fill="#3C89C9" d="M8.959,17.2c-0.024-0.001-0.043-0.003-0.065-0.004C8.863,17.246,8.921,17.318,8.959,17.2z"/> +<path fill="#3C89C9" d="M9.905,14.884C9.879,14.928,9.985,14.88,9.905,14.884L9.905,14.884z"/> +<path fill="#3C89C9" d="M11.022,13.424C10.922,13.453,11.018,13.474,11.022,13.424L11.022,13.424z"/> +<path fill="#3C89C9" d="M10.695,13.65C10.348,13.768,10.69,13.665,10.695,13.65L10.695,13.65z"/> +<path fill="#3C89C9" d="M8.988,6.2C9.007,6.2,9.102,5.752,8.988,6.2L8.988,6.2z"/> +<path fill="#3C89C9" d="M9.736,5.243C9.624,5.577,9.846,5.274,9.736,5.243L9.736,5.243z"/> +<path fill="#3C89C9" d="M9.42,5.325C9.305,5.365,9.193,5.41,9.076,5.411c-0.004,0.022-0.02,0.038-0.048,0.046 + C9.067,5.666,9.414,5.354,9.42,5.325z"/> +<path fill="#3C89C9" d="M10.567,7.548C10.542,7.682,10.754,7.538,10.567,7.548L10.567,7.548z"/> +<path fill="#3C89C9" d="M10.999,5.579C10.77,5.621,10.946,5.749,10.999,5.579L10.999,5.579z"/> +<path fill="#3C89C9" d="M10.822,5.929C10.807,6.011,10.915,5.923,10.822,5.929L10.822,5.929z"/> +<path fill="#3C89C9" d="M11.085,6.142c-0.311,0.03-0.283,0.146-0.534,0.293C10.521,6.632,11.039,6.437,11.085,6.142z"/> +<path fill="#3C89C9" d="M9.704,7.299C9.663,7.493,9.845,7.403,9.704,7.299L9.704,7.299z"/> +<path fill="#3C89C9" d="M10.551,9.026C10.544,8.932,10.465,9.032,10.551,9.026L10.551,9.026z"/> +<path fill="#3C89C9" d="M9.799,7.247C9.708,7.225,9.787,7.303,9.799,7.247L9.799,7.247z"/> +<path fill="#3C89C9" d="M10.516,8.945C10.609,8.946,10.54,8.891,10.516,8.945L10.516,8.945z"/> +<path fill="#3C89C9" d="M11.843,4.625C11.514,4.734,11.82,4.734,11.843,4.625L11.843,4.625z"/> +<path fill="#3C89C9" d="M9.601,7.938C9.55,7.96,9.585,8.018,9.601,7.938L9.601,7.938z"/> +<path fill="#3C89C9" d="M10.899,5.829c-0.086-0.303-1.293-0.009-1.329,0.005c0.057-0.051,0.056-0.072-0.001-0.06 + 
c0.034-0.069,0.134,0.011,0.158-0.092C9.58,5.627,9.501,5.558,9.321,5.642c0.028-0.193-0.277-0.067-0.369-0.003 + C8.95,5.599,9.31,6.167,9.346,6.239C9.86,6.179,10.45,5.875,10.899,5.829z"/> +<path fill="#3C89C9" d="M9.706,5.512C9.57,5.549,9.647,5.731,9.706,5.512L9.706,5.512z"/> +<path fill="#3C89C9" d="M17.683,7.794C17.985,7.745,17.687,7.777,17.683,7.794L17.683,7.794z"/> +<path fill="#3C89C9" d="M17.368,6.1c0.04-0.018,0.062-0.003,0.063,0.04c0.387-0.063,0.187,0.203,0.542,0.191 + c0-0.012,0.003-0.022,0.013-0.033c-0.088-0.047-0.019-0.114-0.084-0.138c-0.037,0.007-0.071,0.012-0.071-0.01 + c0.039-0.001,0.055,0.004,0.071,0.01c0.025-0.006,0.054-0.013,0.063-0.013c-0.014-0.025-0.009-0.047,0.014-0.066 + c-0.065-0.015-0.106-0.017-0.131-0.015c0.013-0.01,0.028-0.026,0.039-0.06C17.827,6.009,17.386,5.86,17.368,6.1z"/> +<path fill="#3C89C9" d="M18.098,5.651C17.774,5.589,18.09,5.777,18.098,5.651L18.098,5.651z"/> +<path fill="#3C89C9" d="M18.611,15.901C18.609,16.122,18.644,15.901,18.611,15.901L18.611,15.901z"/> +<path fill="#3C89C9" d="M11.949,5.126C11.818,5.109,11.934,5.201,11.949,5.126L11.949,5.126z"/> +<path fill="#3C89C9" d="M19.26,11.304c0.424-0.123,0.74-0.78,0.375-0.881c-0.001,0.111-0.234,0.211-0.331,0.212 + c-0.003,0.148-0.075,0.12-0.077,0.241c0.083,0.004,0.125-0.023,0.165-0.024c0.049,0.18-0.18,0.279-0.183,0.407 + C19.351,11.227,19.262,11.226,19.26,11.304z M19.399,11.018C19.368,11.114,19.323,11.019,19.399,11.018L19.399,11.018z"/> +<path fill="#3C89C9" d="M18.373,15.979C18.371,16.109,18.48,15.979,18.373,15.979L18.373,15.979z"/> +<path fill="#3C89C9" d="M18.213,5.451C18.207,5.449,18.203,5.635,18.213,5.451L18.213,5.451z"/> +<path fill="#3C89C9" d="M14.677,3.683C14.679,3.673,14.594,3.674,14.677,3.683L14.677,3.683z"/> +<path fill="#3C89C9" d="M18.302,5.001C18.191,5.234,18.509,5.078,18.302,5.001L18.302,5.001z"/> +<path fill="#3C89C9" d="M12.021,5.129C12.03,5.151,12.099,5.145,12.021,5.129L12.021,5.129z"/> +<path fill="#3C89C9" 
d="M14.42,3.564c0.102-0.009,0.187,0.03,0.257,0.119C14.685,3.629,14.425,3.41,14.42,3.564z"/> +<path fill="#3C89C9" d="M18.402,5.249C18.386,5.567,18.452,5.232,18.402,5.249L18.402,5.249z"/> +<path fill="#3C89C9" d="M18.335,3.447C18.345,3.279,18.297,3.449,18.335,3.447L18.335,3.447z"/> +<path fill="#3C89C9" d="M18.213,15.948C18.211,16.033,18.388,15.929,18.213,15.948L18.213,15.948z"/> +<path fill="#3C89C9" d="M13.137,12.246C13.055,12.219,13.125,12.418,13.137,12.246L13.137,12.246z"/> +<path fill="#3C89C9" d="M14.864,9.424C14.822,9.531,14.987,9.45,14.864,9.424L14.864,9.424z"/> +<path fill="#3C89C9" d="M16.485,7.265c0.319-0.013,1.149,0.046,1.419-0.505c-0.248-0.004-0.334-0.012-0.589-0.004 + c0.003-0.045-0.001-0.07-0.02-0.083c0.089-0.017,0.18-0.064,0.177-0.106c-0.121,0.003-0.235,0.046-0.345,0.033l-0.001,0.002 + c-0.001,0.027,0.018,0.04,0.037,0.052c-0.025,0-0.046,0.001-0.081,0.002c0.008-0.024,0.028-0.038,0.044-0.054 + c0-0.001-0.002-0.001-0.002-0.002c0.001,0,0.002,0,0.003,0c0.088-0.084,0.28-0.075,0.376-0.078c-0.001-0.02-0.009-0.028-0.016-0.037 + c-0.018-0.014-0.036-0.026-0.053-0.038c-0.097,0.002-0.216-0.002-0.309,0c0.004-0.011,0-0.014-0.009-0.011 + c0.004-0.044,0.03-0.017,0.037-0.111c0.087-0.001,0.184,0.053,0.282,0.122c0.009,0,0.019,0,0.026,0c0,0.007,0.015,0.017,0.027,0.038 + c0.185,0.136,0.369,0.301,0.486,0.221c0.013-0.228-0.126-0.489-0.442-0.479c0.002-0.047,0.075-0.018,0.09-0.068 + c-0.086-0.089-0.333,0.121-0.315-0.122c0.083-0.004,0.297-0.228,0.385-0.23C17.61,6.153,18.183,5.758,18.14,5.76 + c-0.146-0.164-0.206,0.201-0.188-0.192c0.104,0.027,0.269,0.135,0.374,0.067c0-0.083-0.251-0.089-0.304-0.109 + c-0.007,0.043-0.013,0.062-0.01-0.003c0.001,0,0.007,0,0.01,0.003c0.007-0.046,0.016-0.121,0.019-0.177 + c-0.013-0.004-0.025-0.009-0.037-0.012c0.035-0.099,0.042-0.06,0.037,0.012c0.069,0.019,0.14,0.05,0.194,0.048 + c-0.002-0.011,0.001-0.016,0.011-0.012c0.016-0.303-0.064-0.313-0.22-0.279c0.002-0.035,0.033-0.088,0.03-0.044 + 
c0.124-0.004,0.047-0.128,0.057-0.154c0.1,0.047,0.204,0.065,0.313,0.056c-0.003-0.011,0.001-0.015,0.009-0.012 + c-0.031-0.263-0.09-0.104-0.241-0.168c0.004-0.075,0.02-0.038,0.006-0.099c0.032,0,0.09,0.041,0.14-0.016 + c-0.12-0.028-0.182-0.071-0.292-0.067c0.002-0.011,0-0.015-0.01-0.011c0.015-0.026,0.023-0.055,0.024-0.088 + c0.159,0.015,0.533-0.323,0.542-0.508c-0.378-0.085-0.093,0.058-0.333,0.064c0.003-0.051-0.031-0.079-0.029-0.108 + c0.009,0,0.03,0.001,0.057,0.002c0.014-0.056,0.063-0.012,0.014,0.001c0.152,0.009,0.484,0.019,0.494-0.195 + c-0.096,0.004-0.177,0.01-0.27,0.016c-0.073,0.022-0.123,0.03-0.122,0.005c0.048-0.001,0.083-0.004,0.122-0.005 + c0.206-0.063,0.598-0.243,0.66-0.245c-0.098-0.423-1.189,0.165-1.43,0.175c0.003-0.01,0.001-0.015-0.009-0.01 + c0.007-0.095,0.333-0.08,0.31-0.307c-0.371,0.042-0.938,0.283-1.364,0.202c0.16-0.341,1.611-0.193,1.565-0.406 + c-0.035-0.011-0.308-0.102-0.453-0.099c-0.013,0.028-0.041,0.042-0.087,0.044c0.002-0.031,0.037-0.043,0.087-0.044 + c0.012-0.025,0.011-0.063-0.013-0.123c0.03,0.006-0.555,0.095-0.167-0.015c-0.055,0.015,0.008-0.027,0,0 + c0.05-0.181-1.729,0.053-1.472,0.1c-0.046,0.047-0.067,0.061-0.085,0.07c0.005,0.012,0.012,0.027,0.005,0.075 + c-0.071,0.005-0.063-0.083-0.132-0.078c0.051,0.113-0.306,0.043-0.388-0.005c-0.01,0.024-0.026,0.131-0.029,0.152 + c0.009-0.005,0.013-0.001,0.007,0.011c0.076-0.006,0.311,0.007,0.291,0.163c0.018-0.001-0.514-0.226-0.375-0.06 + c0.029-0.002,0.033,0.019,0.029,0.05c-0.16-0.083-0.163-0.056-0.33-0.062c-0.032,0.227,0.375,0.258,0.357,0.394 + c-0.146-0.052-0.533-0.382-0.708-0.367c-0.016,0.2-0.018,0.181-0.042,0.346c-0.018,0.004-0.025,0.015-0.023,0.034 + c-0.127-0.016-0.29-0.237-0.395,0.01c0.013-0.004,0.015,0.002,0.006,0.022c-0.05,0.003-0.388-0.12-0.772-0.071 + c0.002,0.055,0.044,0.101,0.033,0.167C13.597,3.9,13.497,3.714,13.493,3.73c-0.245,0.061-0.086,0.199-0.098,0.266 + c-0.02-0.008-0.028-0.004-0.029,0.013c-0.296,0.027-0.442,0.017-0.722,0.28c-0.009,0.093,0.339-0.012,0.416-0.019 + 
c-0.103,0.161-1.114,0.655-1.114,0.647c0.211-0.021,0.424,0.125,0.754,0.095c-0.007,0.024-0.003,0.035,0.013,0.029 + c-0.031,0.017-0.048,0.039-0.049,0.068c-0.1-0.023-0.511,0.114-0.453,0.126c0.005-0.003-0.211,0.002-0.24,0.013 + c-0.103,0.558,1.641-0.276,1.664,0.542c0.044-0.02,0.097-0.021,0.001,0.014c0.001,0.034,0.017,0.054,0.011,0.095 + c0.384-0.152,0.063,0.686,0.062,0.701c0.151-0.01,0.359-0.001,0.55-0.057c-0.005,0.01-0.002,0.015,0.008,0.01 + c-0.006,0.053-0.087,0.01-0.095,0.071c0.037-0.003,0.135-0.055,0.14,0.034c-0.135,0.009-0.027,0.138-0.038,0.228 + c-0.185-0.015-0.254-0.123-0.472-0.12c-0.003,0.025-0.03,0.026-0.045,0.045c0.037,0.037,0.126,0.069,0.109,0.122 + c-0.2-0.026-0.1,0.153-0.229,0.208c-0.002,0.116,0.146,0.034,0.178,0.032c0.006,0.077-0.035,0.098-0.123,0.062 + c0.032,0.23,0.495-0.127,0.396-0.268c-0.102-0.008-0.205-0.023-0.201-0.055c0.121-0.009,0.174,0.017,0.201,0.055 + c0.085,0.007,0.169,0.008,0.186,0.007c-0.03,0.074-0.358,0.566-0.358,0.569c0.131-0.007,0.206-0.01,0.259-0.011 + c-0.049-0.003-0.084-0.015,0.01-0.048c0.005,0.025-0.004,0.034-0.007,0.047c0.141-0.002,0.065,0.005,0,0.001 + c-0.026,0.083-0.195,0.004-0.254,0.031c-0.012,0.057,0.021,0.078,0.099,0.07c-0.037,0.034-0.207-0.065-0.229,0.13 + c0.21-0.07,0.325-0.151,0.417-0.14c-0.023,0.027-0.057,0.032-0.016,0.055c0.007,0.062-0.464,0.058-0.417,0.153 + c0.137-0.008,0.037,0.227-0.021,0.248c0.077,0.174,0.077-0.074,0.056,0.115c0.057-0.013,0.115-0.05,0.163-0.052 + c-0.019,0.16-0.051,0.155-0.038,0.336c0.098-0.033,0.106-0.123,0.199-0.107c-0.029,0.113-0.162,0.203-0.19,0.203 + c0.093,0.207,0.166,0.39,0.377,0.38c-0.022,0.115-0.051,0.153,0.065,0.148c-0.088,0.114,0.013,0.062,0.001,0.184 + c0.101-0.005,0.154-0.092,0.257-0.174c0.065,0.101-0.039,0.092-0.043,0.143c0.132-0.006,0.112-0.005,0.221-0.01 + c-0.007,0.071-0.067,0.078-0.072,0.132c0.078-0.024,0.13,0.006,0.137-0.07c0.007,0-0.003,0.125,0.121,0.103 + c-0.019-0.039-0.041-0.031,0.034-0.035c-0.019-0.095-0.053-0.074-0.098-0.147c0.285-0.111,0.358-0.797,0.365-0.859 + 
c0.209-0.01,0.104-0.063,0.088-0.21C15.771,8.111,16.443,7.854,16.485,7.265z M17.249,6.757C17.327,6.756,17.128,6.898,17.249,6.757 + L17.249,6.757z M17.925,5.374C17.993,5.371,17.914,5.565,17.925,5.374L17.925,5.374z M17.62,3.747 + C17.669,3.745,17.594,3.8,17.62,3.747L17.62,3.747z M17.581,3.78c0.001-0.015-0.229,0.14-0.229,0.14 + C17.366,3.843,17.526,3.782,17.581,3.78z M17.097,3.093c0.013-0.013,0.016-0.015,0.033-0.033c0.001,0,0.003,0,0.004,0 + c0.156-0.132,0.375-0.277,0.352-0.005c-0.117,0.002-0.233,0.003-0.352,0.005c0,0,0,0,0,0c0.099-0.001-0.009,0.021-0.002,0.002 + C17.119,3.074,17.109,3.083,17.097,3.093C16.942,3.254,16.987,3.193,17.097,3.093z M16.946,3.125 + c-0.006,0.064-0.216,0.064-0.223-0.086C16.73,3.038,16.882,3.11,16.946,3.125z M16.513,3.192C16.517,3.18,16.706,3.196,16.513,3.192 + L16.513,3.192z M13.922,7.874C14.012,7.894,13.917,7.928,13.922,7.874L13.922,7.874z M14.3,7.81 + C14.253,7.974,14.034,7.877,14.3,7.81L14.3,7.81z M14.705,9.193C14.725,9.191,14.673,9.273,14.705,9.193L14.705,9.193z + M15.836,7.932C15.821,7.784,16,7.888,15.836,7.932L15.836,7.932z"/> +<path fill="#3C89C9" d="M15.608,31.381C15.42,31.376,15.637,31.498,15.608,31.381L15.608,31.381z"/> +<path fill="#3C89C9" d="M13.626,12.099c-0.118,0.039-0.06,0.083-0.023-0.097c-0.051,0.016-0.082,0.105-0.083,0.143 + c-0.012-0.019-0.033-0.022-0.061-0.009c0.002-0.011,0-0.013-0.01-0.011c0.007-0.085,0.081-0.1,0.089-0.207 + c-0.026,0.03-0.037,0.034-0.031,0.013c-0.03,0-0.088,0.047-0.129,0.048c0.003-0.007,0.013-0.186-0.011-0.236 + c-0.151,0.006-0.324,0.152-0.302-0.085c-0.05,0.002-0.066,0.122-0.125,0.124c0.017-0.182,0.12-0.406,0.123-0.435 + c-0.383,0.095-0.076,0.563-0.384,0.576c0.002,0.011-0.001,0.014-0.011,0.012c0.005-0.056-0.045,0.21-0.042,0.227 + c0.018-0.007,0.024-0.004,0.021,0.01c0.271-0.066,0.482-0.074,0.672-0.081c-0.02,0.062-0.12,0.124-0.131,0.188 + c0.105-0.013,0.141-0.188,0.224-0.191c0,0.098,0.001,0.105-0.005,0.195C13.471,12.276,13.594,12.292,13.626,12.099z"/> +<path fill="#3C89C9" 
d="M13.975,6.669C13.993,6.531,13.899,6.673,13.975,6.669L13.975,6.669z"/> +<path fill="#3C89C9" d="M14.084,6.629C14.057,6.679,14.182,6.623,14.084,6.629L14.084,6.629z"/> +<polygon fill="#3C89C9" points="17.134,3.061 17.13,3.061 17.131,3.063 "/> +<path fill="#3C89C9" d="M26.165,22.102C26.165,22.225,26.248,22.156,26.165,22.102L26.165,22.102z"/> +<path fill="#3C89C9" d="M27.644,24.063C27.616,24.146,27.673,24.063,27.644,24.063L27.644,24.063z"/> +<path fill="#3C89C9" d="M18.703,7.881c0.013-0.201-0.416-0.075-0.416,0.052c-0.111-0.03-0.358-0.142-0.372,0.138 + c-0.007-0.008-0.018-0.011-0.029-0.009c-0.005-0.069,0.035-0.278-0.096-0.238c0.002,0.022-0.012,0.022-0.04,0.001 + c-0.02,0.058,0.045,0.036,0.053,0.119c-0.064-0.019-0.093-0.03-0.112-0.107c-0.098,0.035-0.009,0.198-0.168,0.202 + c0.033,0.081,0.2-0.056,0.268-0.019c0-0.006-0.135,0.101,0.007,0.066c-0.009,0.011-0.013,0.021-0.013,0.034 + c0.022-0.014-0.277,0.062-0.22,0.061c0,0.02,0.23,0.088,0.243,0.082c-0.028,0.001,0.018,0.033,0.039,0.032 + c-0.065,0.078-0.078,0.036-0.153,0.079C17.809,8.858,19.272,8.083,18.703,7.881z"/> +<path fill="#3C89C9" d="M26.99,4.123C26.674,4.026,26.985,4.252,26.99,4.123L26.99,4.123z"/> +<polygon fill="#3C89C9" points="14.173,7.53 14.175,7.53 14.175,7.529 "/> +<path fill="#3C89C9" d="M13.602,5.817c0.02-0.007,0.021-0.009,0.034-0.013c0-0.005,0-0.01-0.001-0.014 + C13.617,5.798,13.604,5.807,13.602,5.817z"/> +<path fill="#3C89C9" d="M11.243,7.741C11.312,7.585,11.049,7.757,11.243,7.741L11.243,7.741z"/> +<path fill="#3C89C9" d="M10.64,8.966C10.648,9.074,10.712,8.961,10.64,8.966L10.64,8.966z"/> +<path fill="#3C89C9" d="M11.067,7.325C10.945,7.343,11.05,7.416,11.067,7.325L11.067,7.325z"/> +<path fill="#3C89C9" d="M10.959,7.66C10.804,8.09,11.261,7.577,10.959,7.66L10.959,7.66z"/> +<path fill="#3C89C9" d="M10.704,7.378C10.675,7.39,10.708,7.47,10.704,7.378L10.704,7.378z"/> +<path fill="#3C89C9" d="M10.755,7.312C10.708,7.409,10.839,7.303,10.755,7.312L10.755,7.312z"/> +<path fill="#3C89C9" 
d="M11.275,7.612C11.299,7.448,11.199,7.619,11.275,7.612L11.275,7.612z"/> +<path fill="#3C89C9" d="M10.728,7.251C10.391,7.332,10.674,7.435,10.728,7.251L10.728,7.251z"/> +<path fill="#3C89C9" d="M12.166,9.146C12.007,9.156,12.14,9.228,12.166,9.146L12.166,9.146z"/> +<path fill="#3C89C9" d="M12.786,7.987c0-0.011,0.002-0.015,0.012-0.012c0.087-0.15-0.063-0.104-0.042-0.253 + c-0.018,0.022-0.112,0.146-0.157,0.149c0.026-0.039,0.042-0.079,0.046-0.12c-0.17,0.177-0.258-0.094-0.249-0.152 + c-0.011,0.004-0.013,0.001-0.008-0.009c-0.138,0.045-0.067,0.121-0.222,0.133c0.024-0.1-0.067-0.266-0.241-0.257 + c0.013-0.074,0.07-0.074,0.088-0.187c0.027,0.005,0.135,0.019,0.141,0.021c0-0.012,0.003-0.015,0.012-0.012 + c-0.01-0.127-0.208-0.018-0.191-0.123c0.051-0.003,0.159-0.076,0.166-0.076c0.02-0.131-0.142-0.063-0.21-0.057 + c0.014-0.078,0.079-0.068,0.116-0.063c-0.018-0.147-0.286-0.018-0.283-0.018c0.016-0.087,0.066-0.051,0.078-0.123 + c-0.009,0.005-0.012,0-0.006-0.01c-0.072,0.044-0.061,0.023-0.164,0.067c0.064-0.156,0.061,0-0.009-0.167 + c-0.044,0.012-0.071,0.024-0.089,0.034c0-0.005,0-0.01-0.008-0.017c-0.009,0.015-0.01,0.022-0.01,0.029 + c-0.032,0.023-0.03,0.038-0.156,0.049c0.195-0.323-0.101-0.38-0.454-0.376c-0.004,0.032-0.028,0.049-0.076,0.05 + c-0.02,0.098,0.154,0.03,0.136,0.123c-0.016,0.001-0.026-0.018-0.029,0.002c-0.16,0.04-0.163-0.031-0.197,0.144 + c-0.061-0.012-0.002-0.131,0.007-0.177c0.042-0.026-0.379,0.17-0.293,0.195c0.001-0.024-0.01-0.028-0.034-0.018 + c0.022-0.109,0.075-0.305,0.148-0.491c-0.14-0.066-0.235-0.048-0.306,0.007c0,0.01,0.004,0.014,0.003,0.025 + c-0.009-0.002-0.013,0.001-0.012,0.011c-0.016,0.001-0.021,0.003-0.035,0.005c-0.101,0.123-0.121,0.335-0.109,0.413 + c-0.054-0.047-0.009-0.054-0.133-0.038c-0.031,0.089,0.038,0.129,0.016,0.278C9.936,6.951,9.895,6.979,9.817,6.988 + c0.014-0.07,0.118-0.391,0.198-0.568c0.106-0.047,0.062-0.086,0.24-0.107c0.014-0.016,0.029-0.028,0.044-0.042 + 
c-0.02-0.334-1.555,0.843-0.628,0.743c-0.014,0.061-0.053,0.021-0.093,0.04c-0.025,0.226,0.52,0.257,0.803,0.229 + c0-0.009,0.003-0.017,0.013-0.021c-0.014-0.009-0.109-0.12-0.106-0.126c0.109-0.008,0.126,0.186,0.211,0.179 + C10.495,7.297,10.5,7.29,10.512,7.292c0.012-0.065-0.071-0.093-0.025-0.164c0.044,0.028,0.067,0.022,0.069-0.017 + c0.074-0.003,0.238,0.195,0.244-0.038c-0.003,0-0.004-0.001-0.006-0.001c-0.058,0.05-0.081,0.05-0.058-0.007 + c0.022-0.006,0.038,0.006,0.058,0.007c0.003-0.002,0.003-0.001,0.007-0.004c0,0.003-0.001,0.003-0.001,0.005 + c0.074,0.007,0.134,0.047,0.12,0.171c0.105-0.01,0.122-0.032,0.255-0.043c-0.004,0.011-0.002,0.013,0.009,0.01 + c-0.016,0.087-0.092,0.185-0.091,0.291c0.048-0.018,0.057,0.002,0.028,0.062c0.084-0.019,0.172-0.133,0.23-0.167 + c-0.005,0.012-0.002,0.015,0.008,0.011c-0.029,0.177,0.169,0.745-0.228,0.775c-0.01,0.088,0.121,0.16,0.125,0.254 + c-0.917,0.379-0.374,0.413-0.285,0.189c0.202-0.015,0.23,0.332,0.433,0.317c-0.041,0.07-0.082,0.023-0.113,0.093 + c0.229-0.009,0.534,0.091,0.778,0.031c0.013-0.246-0.361-0.107-0.394-0.367c0.154-0.155,0.414,0.1,0.539,0.091 + c0-0.01,0.003-0.017,0.013-0.022c-0.007-0.016-0.021-0.016-0.039,0.002c-0.047-0.211,0.021-0.077,0.072-0.239 + c-0.005,0-0.389-0.234-0.362-0.398c0.023,0.012,0.049,0.028,0.093,0.024c0.004-0.059-0.043-0.104-0.035-0.157 + c0.055-0.004,0.007,0.074,0.068,0.07c0.003-0.04-0.017-0.086-0.014-0.104c0.136,0.028,0.082,0.22,0.281,0.139 + c-0.028,0.076,0.025,0.264,0.209,0.252c-0.004-0.022,0.004-0.029,0.022-0.023c0.031-0.071-0.037-0.112-0.014-0.18 + C12.676,8.142,12.6,8,12.786,7.987z M11.77,6.961C11.855,6.973,11.751,7.067,11.77,6.961L11.77,6.961z M11.556,8.582 + c-0.167,0.013-0.12,0.014-0.116-0.14C11.394,8.43,11.608,8.248,11.556,8.582z M11.608,8.176c-0.086-0.018-0.04-0.24-0.027-0.315 + c0.008,0.003,0.013,0,0.01-0.01C11.664,7.889,11.771,8.004,11.84,8c-0.008,0.02-0.003,0.03,0.015,0.031 + C11.813,8.14,11.668,8.021,11.608,8.176z M11.862,7.142C12.099,7.124,11.824,7.207,11.862,7.142L11.862,7.142z"/> +<path 
fill="#3C89C9" d="M12.192,8.39C12.189,8.413,12.265,8.384,12.192,8.39L12.192,8.39z"/> +<path fill="#3C89C9" d="M12.274,8.788C12.252,8.952,12.436,8.8,12.274,8.788L12.274,8.788z"/> +<path fill="#3C89C9" d="M11.693,9.409C11.683,9.485,11.789,9.403,11.693,9.409L11.693,9.409z"/> +<path fill="#3C89C9" d="M11.389,9.102C11.397,9.178,11.515,9.115,11.389,9.102L11.389,9.102z"/> +<path fill="#3C89C9" d="M11.072,8.723C11.062,8.795,11.108,8.72,11.072,8.723L11.072,8.723z"/> +<path fill="#3C89C9" d="M18.295,3.963c0.01,0,0.011-0.004,0.017-0.006c-0.005,0-0.01-0.001-0.014-0.001 + C18.298,3.959,18.296,3.959,18.295,3.963z"/> +<path fill="#3C89C9" d="M21.718,8.458C21.889,8.442,21.739,8.353,21.718,8.458L21.718,8.458z"/> +<path fill="#3C89C9" d="M23.41,6.653C23.413,6.705,23.5,6.655,23.41,6.653L23.41,6.653z"/> +<path fill="#3C89C9" d="M23.48,6.502C23.171,6.507,23.451,6.753,23.48,6.502L23.48,6.502z"/> +<path fill="#3C89C9" d="M23.57,6.603C23.412,6.645,23.567,6.755,23.57,6.603L23.57,6.603z"/> +<path fill="#3C89C9" d="M23.188,6.669C23.165,6.78,23.246,6.671,23.188,6.669L23.188,6.669z"/> +<path fill="#3C89C9" d="M23.613,6.506C23.64,6.602,23.653,6.507,23.613,6.506L23.613,6.506z"/> +<path fill="#3C89C9" d="M23.131,6.713C23.109,6.555,23.033,6.711,23.131,6.713L23.131,6.713z"/> +<path fill="#3C89C9" d="M23.562,4.875c-0.009-0.018-0.007-0.026,0.008-0.021c0,0.026-0.243-0.145-0.268-0.15 + c-0.033,0.142-0.178-0.038-0.174,0.226c0.151-0.016,0.24-0.037,0.417-0.032C23.541,4.882,23.546,4.876,23.562,4.875z"/> +<path fill="#3C89C9" d="M22.223,4.034c-0.058-0.001-0.101,0.02-0.165,0.02c-0.171,0.563,0.608,0.305,0.615,0.481 + c-0.184,0.128-0.445-0.087-0.421,0.168c-0.001-0.001,0.249-0.069,0.251-0.018c-0.095,0.098-0.075,0.135-0.22,0.084 + c-0.143,0.632,0.514,0.085,0.731-0.159c-0.009-0.01-0.013-0.012-0.024-0.024c0.011,0.003,0.014,0,0.011-0.011 + c0.013,0,0.034-0.007,0.058-0.015c0.027-0.034,0.041-0.058,0.029-0.059c-0.011-0.061-0.469-0.537-0.52-0.538 + 
c-0.023,0.177-0.081,0.188-0.05,0.381c0.014-0.003,0.016,0.004,0.011,0.021c-0.02,0-0.154-0.26-0.157-0.297 + c-0.069,0-0.095,0.028-0.107,0.055c0.003-0.018,0.008-0.034,0.005-0.079C22.237,4.063,22.221,4.059,22.223,4.034z"/> +<path fill="#3C89C9" d="M23.118,3.856c-0.183-0.005-0.051,0.145-0.322,0.069c0.021,0.267,0.14,0.101,0.393,0.218 + c-0.02,0.095-0.186,0.03-0.226,0.061c0.046,0.29,0.918,0.127,0.95-0.169c-0.172-0.006-0.382-0.007-0.4-0.144 + C23.588,3.894,23.137,4.186,23.118,3.856z"/> +<path fill="#3C89C9" d="M23.252,4.625c-0.021-0.13-0.121-0.09-0.193-0.064c-0.013,0.014-0.028,0.033-0.044,0.05 + C23.128,4.734,23.153,4.664,23.252,4.625z"/> +<path fill="#3C89C9" d="M19.583,9.93C19.581,10.048,19.636,9.93,19.583,9.93L19.583,9.93z"/> +<path fill="#3C89C9" d="M23.876,6.534C23.876,6.52,23.809,6.533,23.876,6.534L23.876,6.534z"/> +<path fill="#3C89C9" d="M23.906,4.461C23.861,4.477,23.931,4.617,23.906,4.461L23.906,4.461z"/> +<path fill="#3C89C9" d="M23.057,6.733C22.921,6.712,23.026,6.876,23.057,6.733L23.057,6.733z"/> +<path fill="#3C89C9" d="M24.236,4.43C23.87,4.415,24.236,4.459,24.236,4.43L24.236,4.43z"/> +<path fill="#3C89C9" d="M22.368,7.324C22.337,7.458,22.455,7.325,22.368,7.324L22.368,7.324z"/> +<path fill="#3C89C9" d="M26.57,3.952c-0.022-0.001-0.083,0.014-0.153,0.03c0.004,0.009,0.015,0.015,0.016,0.024 + c-0.024-0.013-0.038-0.019-0.049-0.019c0.011-0.003,0.021-0.003,0.033-0.005c-0.095-0.139-0.77-0.149-0.748,0.051 + c0.071-0.005,0.367,0.022,0.367,0.022c0.058-0.008,0.098-0.02,0.141-0.028c0-0.002-0.003-0.001-0.003-0.006 + c0.067-0.002,0.141-0.019,0.208-0.033c-0.012,0.002-0.014,0.009-0.012,0.025c-0.085-0.007-0.139,0.002-0.193,0.014 + c0.011,0.047,0.038,0.022,0.046,0.105c0.147,0.01,0.318,0.068,0.474-0.054C26.677,3.961,26.579,4.021,26.57,3.952z"/> +<path fill="#3C89C9" d="M22.923,6.807C22.931,6.987,23.074,6.785,22.923,6.807L22.923,6.807z"/> +<path fill="#3C89C9" d="M26.749,4.212C26.525,4.196,26.825,4.473,26.749,4.212L26.749,4.212z"/> +<path fill="#3C89C9" 
d="M26.899,7.116C26.574,7.099,26.99,7.421,26.899,7.116L26.899,7.116z"/> +<path fill="#3C89C9" d="M26.625,4.16C26.458,4.194,26.661,4.279,26.625,4.16L26.625,4.16z"/> +<path fill="#3C89C9" d="M22,4.271C22.043,4.666,22.129,4.273,22,4.271L22,4.271z"/> +<path fill="#3C89C9" d="M22.511,7.249C22.477,7.221,22.39,7.501,22.511,7.249L22.511,7.249z"/> +<path fill="#3C89C9" d="M22.737,7.011C22.714,7.094,22.762,7.011,22.737,7.011L22.737,7.011z"/> +<path fill="#3C89C9" d="M22.874,7.069C22.912,6.831,22.65,7.066,22.874,7.069L22.874,7.069z"/> +<path fill="#3C89C9" d="M22.717,7.044C22.697,7.126,22.745,7.044,22.717,7.044L22.717,7.044z"/> +<path fill="#3C89C9" d="M22.619,7.316c0-0.069,0.198-0.205,0.003-0.208C22.597,7.21,22.504,7.315,22.619,7.316z"/> +<path fill="#3C89C9" d="M22.564,7.13C22.446,7.156,22.569,7.237,22.564,7.13L22.564,7.13z"/> +<path fill="#3C89C9" d="M23.34,3.917C23.318,3.849,23.298,3.917,23.34,3.917L23.34,3.917z"/> +<path fill="#3C89C9" d="M23.409,14.053C23.41,14.131,23.544,14.065,23.409,14.053L23.409,14.053z"/> +<path fill="#3C89C9" d="M22.683,14.068c-0.14,0.027-0.284-0.019-0.393,0.008C22.301,14.357,22.652,14.375,22.683,14.068z"/> +<path fill="#3C89C9" d="M21.3,13.657C21.158,13.654,21.325,13.794,21.3,13.657L21.3,13.657z"/> +<path fill="#3C89C9" d="M21.859,13.439c-0.279-0.09-0.034,0.581,0.004,0.417C22.116,13.856,21.859,13.507,21.859,13.439z"/> +<path fill="#3C89C9" d="M23.705,14.428C23.701,14.338,23.653,14.427,23.705,14.428L23.705,14.428z"/> +<path fill="#3C89C9" d="M24.218,14.182C24.22,14.234,24.294,14.183,24.218,14.182L24.218,14.182z"/> +<path fill="#3C89C9" d="M24.206,14.072C24.177,13.985,24.172,14.072,24.206,14.072L24.206,14.072z"/> +<path fill="#3C89C9" d="M19.764,10.005C19.809,10.018,19.711,9.764,19.764,10.005L19.764,10.005z"/> +<path fill="#3C89C9" d="M24.254,14.335C24.254,14.36,24.333,14.337,24.254,14.335L24.254,14.335z"/> +<path fill="#3C89C9" d="M19.594,9.865C19.609,9.923,19.7,9.863,19.594,9.865L19.594,9.865z"/> +<path fill="#3C89C9" 
d="M19.742,10.138C19.766,10.31,19.789,10.138,19.742,10.138L19.742,10.138z"/> +<path fill="#3C89C9" d="M19.747,9.819C19.808,9.473,19.57,9.821,19.747,9.819L19.747,9.819z"/> +<path fill="#3C89C9" d="M21.046,13.81C21.126,13.478,20.944,13.81,21.046,13.81L21.046,13.81z"/> +<path fill="#3C89C9" d="M20.792,13.777C20.684,13.913,20.828,13.777,20.792,13.777L20.792,13.777z"/> +<path fill="#3C89C9" d="M23.555,9.632C23.663,9.605,23.505,9.425,23.555,9.632L23.555,9.632z"/> +<path fill="#3C89C9" d="M23.118,9.866c-0.014,0.076-0.225,0.101-0.072,0.261C23.062,10.068,23.179,9.867,23.118,9.866z"/> +<path fill="#3C89C9" d="M23.158,9.231C23.212,9.423,23.282,9.277,23.158,9.231L23.158,9.231z"/> +<path fill="#3C89C9" d="M22.552,10.439C22.559,10.592,22.737,10.511,22.552,10.439L22.552,10.439z"/> +<path fill="#3C89C9" d="M22.021,10.522C22.045,10.314,21.812,10.476,22.021,10.522L22.021,10.522z"/> +<path fill="#3C89C9" d="M24.373,14.349c0.013,0.032,0,0.012,0.033,0.012C24.392,14.328,24.406,14.347,24.373,14.349z"/> +<path fill="#3C89C9" d="M23.66,9.688C23.298,9.644,23.616,9.971,23.66,9.688L23.66,9.688z"/> +<path fill="#3C89C9" d="M23.504,9.838C23.505,9.913,23.541,9.84,23.504,9.838L23.504,9.838z"/> +<path fill="#3C89C9" d="M25.32,14.646c-0.078,0.018-0.218,0.05-0.252,0.063C25.125,14.9,25.322,14.723,25.32,14.646z"/> +<path fill="#3C89C9" d="M21.418,10.858C21.287,10.887,21.418,10.905,21.418,10.858L21.418,10.858z"/> +<path fill="#3C89C9" d="M25.32,14.646L25.32,14.646C25.382,14.632,25.409,14.627,25.32,14.646z"/> +<path fill="#3C89C9" d="M22.268,10.589C22.283,10.533,21.897,10.681,22.268,10.589L22.268,10.589z"/> +<path fill="#3C89C9" d="M22.17,10.261c0.002,0.113-0.027,0.11-0.131,0.109c0.01,0.099,0.166,0.188,0.166,0.12 + C22.261,10.476,22.303,10.241,22.17,10.261z"/> +<path fill="#3C89C9" d="M22.012,10.632C22.065,10.615,22.077,10.418,22.012,10.632L22.012,10.632z"/> +<linearGradient id="hl_2_" gradientUnits="userSpaceOnUse" x1="215.9331" y1="792.7061" x2="215.9331" y2="774.8809" gradientTransform="matrix(1 0 0 
1 -195.2002 -770.8008)"> + <stop offset="0" style="stop-color:#F2F2F2;stop-opacity:0"/> + <stop offset="1" style="stop-color:#F2F2F2"/> +</linearGradient> +<path id="hl_1_" opacity="0.63" fill="url(#hl_2_)" enable-background="new " d="M33.147,14.728 + c-0.033,2.735-2.54,7.178-12.287,7.178c-9.354,0-12.835-3.199-12.521-7.656c0.273-3.87,3.254-10.169,12.521-10.169 + C29.365,4.081,33.195,10.393,33.147,14.728z"/> +<path fill="#9CD7FF" d="M30.042,3.613c0.906,0.484,1.782,1.047,2.618,1.683c0.924,0.401,1.758,0.949,2.468,1.66 + c4.808,4.808,2.37,15.068-5.431,22.871c-7.801,7.802-18.062,10.239-22.87,5.431c-0.772-0.772-1.354-1.685-1.761-2.701 + c-0.604-0.816-1.139-1.666-1.6-2.544c0.242,2.34,1.108,4.396,2.659,5.947c5.196,5.195,16.086,2.76,24.275-5.43 + c8.19-8.191,10.626-19.08,5.431-24.277C34.315,4.74,32.315,3.878,30.042,3.613z"/> +<path fill="#9CD7FF" d="M11.46,37.931c-0.906-0.483-1.782-1.046-2.62-1.684c-0.923-0.4-1.756-0.948-2.466-1.659 + c-4.808-4.809-2.372-15.07,5.431-22.873c7.802-7.801,18.062-10.238,22.871-5.429c0.771,0.772,1.354,1.684,1.759,2.702 + c0.604,0.815,1.141,1.665,1.602,2.543c-0.242-2.34-1.107-4.397-2.658-5.948c-5.195-5.196-16.086-2.759-24.275,5.43 + c-8.19,8.188-10.627,19.078-5.43,24.275C7.186,36.805,9.186,37.666,11.46,37.931z"/> +<path fill="#9CD7FF" d="M29.887,38.302c0.908-0.484,1.783-1.047,2.621-1.684c0.923-0.4,1.755-0.95,2.465-1.659 + c4.809-4.809,2.373-15.07-5.428-22.873C21.742,4.285,11.481,1.851,6.672,6.658C5.902,7.43,5.32,8.342,4.913,9.361 + c-0.604,0.815-1.139,1.665-1.6,2.543C3.555,9.563,4.421,7.505,5.97,5.957c5.196-5.196,16.088-2.76,24.276,5.429 + c8.189,8.19,10.625,19.079,5.429,24.277C34.163,37.176,32.161,38.037,29.887,38.302z"/> +<path fill="#9CD7FF" d="M11.707,3.429C10.8,3.914,9.924,4.477,9.086,5.113c-0.922,0.401-1.756,0.949-2.466,1.66 + c-4.807,4.809-2.373,15.068,5.43,22.873c7.803,7.803,18.061,10.236,22.87,5.429c0.771-0.771,1.354-1.683,1.761-2.7 + 
c0.604-0.817,1.139-1.666,1.6-2.545c-0.241,2.34-1.106,4.398-2.656,5.946c-5.198,5.195-16.087,2.763-24.276-5.428 + C3.158,22.157,0.723,11.266,5.919,6.069C7.433,4.555,9.433,3.694,11.707,3.429z"/> +<path fill="#9CD7FF" d="M40.425,19.836c0.015,0.264,0.02,0.532,0.021,0.799c0.195,0.077,0.354,0.152,0.432,0.225 + c-0.829,0.76-8.186,1.813-20.019,1.813c-11.833,0-19.188-1.052-20.02-1.813c0.079-0.073,0.236-0.148,0.433-0.225 + c0.003-0.267,0.007-0.535,0.021-0.8C0.481,20.122,0,20.459,0,20.859c0,2.582,20.008,2.611,20.86,2.611 + c0.851,0,20.859-0.029,20.859-2.611C41.719,20.46,41.239,20.122,40.425,19.836z"/> +<path fill="#9CD7FF" d="M22.304,40.427c-0.265,0.013-0.53,0.018-0.799,0.021c-0.078,0.195-0.152,0.353-0.224,0.432 + c-0.763-0.832-1.812-10.28-1.812-20.021c0-11.833,1.049-19.188,1.812-20.02c0.071,0.08,0.146,0.237,0.224,0.433 + c0.267,0.003,0.534,0.007,0.799,0.021C22.018,0.48,21.68,0,21.282,0c-2.583,0-2.612,20.008-2.612,20.859 + c0,0.852,0.029,20.861,2.612,20.861C21.68,41.721,22.016,41.238,22.304,40.427z"/> +</svg> + + <?xml version="1.0" encoding="utf-8"?> +<svg version="1.1" id="Ebene_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" + width="57px" height="63px" viewBox="0 0 57 63" enable-background="new 0 0 57 63" xml:space="preserve"> +<g> + + <linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="26.5" y1="1570.3457" x2="27.741" y2="1600.1431" gradientTransform="matrix(1 0 0 1 0.1602 -1546.3828)"> + <stop offset="0.2711" style="stop-color:#FFAB4F"/> + <stop offset="1" style="stop-color:#FFD28F"/> + </linearGradient> + <path fill="url(#SVGID_1_)" stroke="#ED9135" stroke-miterlimit="10" d="M49.529,51.225c-4.396-4.396-10.951-5.884-12.063-6.109 + V37.8H19.278c0,0,0.038,6.903,0,6.868c0,0-6.874,0.997-12.308,6.432C1.378,56.691,0.5,62.77,0.5,62.77 + c0,1.938,1.575,3.492,3.523,3.492h48.51c1.947,0,3.521-1.558,3.521-3.492C56.055,62.768,54.211,55.906,49.529,51.225z"/> + + <radialGradient id="face_x5F_white_1_" cx="27.7427" 
cy="1572.1094" r="23.4243" fx="23.1732" fy="1569.6195" gradientTransform="matrix(1 0 0 1 0.1602 -1546.3828)" gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#FFD28F"/> + <stop offset="1" style="stop-color:#FFAB4F"/> + </radialGradient> + <path id="face_x5F_white_3_" fill="url(#face_x5F_white_1_)" stroke="#ED9135" stroke-miterlimit="10" d="M43.676,23.357 + c0.086,10.2-6.738,18.52-15.247,18.586c-8.502,0.068-15.466-8.146-15.552-18.344C12.794,13.4,19.618,5.079,28.123,5.012 + C36.627,4.945,43.59,13.158,43.676,23.357z"/> + + <linearGradient id="face_highlight_1_" gradientUnits="userSpaceOnUse" x1="3646.5117" y1="-6644.2471" x2="3670.1414" y2="-6737.6978" gradientTransform="matrix(0.275 0 0 -0.2733 -977.2951 -1807.6279)"> + <stop offset="0" style="stop-color:#FFFFFF;stop-opacity:0.24"/> + <stop offset="1" style="stop-color:#FFFFFF;stop-opacity:0.16"/> + </linearGradient> + <path id="face_highlight_3_" fill="url(#face_highlight_1_)" d="M27.958,6.333c-6.035,0.047-10.747,4.493-12.787,10.386 + c-0.664,1.919-0.294,4.043,0.98,5.629c2.73,3.398,5.729,6.283,9.461,8.088c3.137,1.518,7.535,2.384,11.893,1.247 + c2.274-0.592,3.988-2.459,4.375-4.766c0.183-1.094,0.293-2.289,0.283-3.553C42.083,13.952,36.271,6.268,27.958,6.333z"/> + <path fill="#656565" stroke="#4B4B4B" stroke-linejoin="round" stroke-miterlimit="10" d="M15.038,26.653 + c0.145,2.05,3.468,2.593,6.477,2.56c2.298-0.026,3.25-0.889,4.746-2.685c2.539-3.05-0.767-3.715-4.817-3.67 + C15.984,22.919,14.777,22.933,15.038,26.653z"/> + <path fill="#656565" stroke="#4B4B4B" stroke-linejoin="round" stroke-miterlimit="10" d="M41.116,26.653 + c-0.146,2.05-3.47,2.593-6.478,2.56c-2.299-0.026-3.252-0.889-4.746-2.685c-2.538-3.05,0.769-3.715,4.816-3.67 + C40.17,22.919,41.377,22.933,41.116,26.653z"/> + <path fill="none" stroke="#4B4B4B" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d="M27.453,24.375 + c0,0,0.604-0.469,1.305,0"/> + + <line fill="none" stroke="#4B4B4B" stroke-linecap="round" 
stroke-miterlimit="10" x1="41.727" y1="24.592" x2="41.844" y2="25.375"/> + + <line fill="none" stroke="#4B4B4B" stroke-linecap="round" stroke-miterlimit="10" x1="42.165" y1="24.938" x2="44.027" y2="24.938"/> + + <line fill="none" stroke="#4B4B4B" stroke-linecap="round" stroke-miterlimit="10" x1="14.374" y1="24.592" x2="14.257" y2="25.375"/> + + <line fill="none" stroke="#4B4B4B" stroke-linecap="round" stroke-miterlimit="10" x1="13.937" y1="24.938" x2="12.073" y2="24.938"/> + <path id="body_9_" fill="#9B9B9B" stroke="#4B4B4B" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d=" + M0.5,62.768c0,1.938,1.575,3.494,3.523,3.494h48.51c1.947,0,3.521-1.559,3.521-3.494c0,0-1.844-6.861-6.525-11.543 + c-4.815-4.813-11.244-6.146-11.244-6.146c-1.771,1.655-5.61,2.802-10.063,2.802c-4.453,0-8.292-1.146-10.063-2.802 + c0,0-5.755,0.586-11.189,6.021C1.378,56.689,0.5,62.768,0.5,62.768z"/> + + <path id="turtleneck_6_" fill="#9B9B9B" stroke="#4B4B4B" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d=" + M39.715,44.786l-1.557-3.405c0,0-0.574,2.369-3.012,4.441c-2.109,1.795-6.785,2.072-6.785,2.072s-4.753-0.356-6.722-2.031 + c-2.436-2.072-3.012-4.441-3.012-4.441l-1.555,3.404c0,0-0.552,1.404,1.37,3.479c1.025,1.105,5.203,3.611,9.682,3.582 + c4.479-0.029,9.264-2.594,10.218-3.623C40.266,46.191,39.715,44.786,39.715,44.786z"/> + <path fill="#656565" stroke="#4B4B4B" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d="M49.529,51.225 + c-1.094-1.094-2.319-2.006-3.563-2.766c0.193,0.346,0.401,0.68,0.574,1.041c-4.906,6.014-15.921,9.289-21.743,16.709 + c1.969-7.594-11.166-13.127-14.493-16.926c-0.158-0.182-0.258-0.422-0.332-0.686c-1.015,0.707-2.031,1.525-3.001,2.5 + c-5.592,5.592-6.47,11.67-6.47,11.67c0,1.936,1.575,3.489,3.523,3.489h48.51c1.948,0,3.521-1.558,3.521-3.489 + C56.055,62.768,54.211,55.906,49.529,51.225z"/> + <path fill="#656565" stroke="#4B4B4B" stroke-linejoin="round" stroke-miterlimit="10" d="M3.007,32.205 + 
c1.521,2.295,10.771,12.17,10.771,12.17s-5.137,3.012-3.474,4.908c3.327,3.799,10.533,14.018,14.865,16.467 + c2.499-4.6-3.906-23.327-5.724-25.833c-1.296-1.786-3.22-3.269-4.598-5.417C14.846,34.5,9.195,34.5,3.007,32.205z"/> + <path fill="#656565" stroke="#4B4B4B" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d="M52.277,32.205 + c-4.791,3.299-10.368,10.391-11.074,11.066c2.313,1.744,4.9,3.799,6.146,6.406c-4.906,6.014-14.766,9.277-21.747,16.069 + c2.015-7.771,5.157-20.46,12.517-27.083c1.667-1.5,2.713-2.833,4.043-5.391C42.165,33.275,45.637,33.25,52.277,32.205z"/> + <path id="wh2_1_" fill="#9B9B9B" stroke="#4B4B4B" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d=" + M28.276,15.5c5.635,0,10.826,1.416,14.979,3.794c-1.614-8.228-7.794-14.34-15.132-14.282c-7.272,0.057-13.299,6.155-14.846,14.294 + C17.434,16.921,22.632,15.5,28.276,15.5z"/> + <path id="wh1_1_" fill="#9B9B9B" stroke="#4B4B4B" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d=" + M28.278,20.808c5.662,0,11.937,0.811,16.391,2.207c-0.11-2.059-0.274-2.826-0.413-3.72c-4.154-2.379-10.344-3.795-15.98-3.795 + c-5.644,0-11.842,1.421-16,3.807c-0.228,1.197-0.362,2.436-0.388,3.707C16.343,21.618,22.618,20.808,28.278,20.808z"/> +</g> +</svg> + + <?xml version="1.0" encoding="utf-8"?> +<svg version="1.1" id="Ebene_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" + width="57px" height="65px" viewBox="0 0 57 65" enable-background="new 0 0 57 65" xml:space="preserve"> +<g> + + <linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="26.5796" y1="796.6533" x2="27.8207" y2="826.4517" gradientTransform="matrix(1 0 0 1 0.0801 -771.6914)"> + <stop offset="0.2711" style="stop-color:#FFAB4F"/> + <stop offset="1" style="stop-color:#FFD28F"/> + </linearGradient> + <path fill="url(#SVGID_1_)" stroke="#ED9135" stroke-miterlimit="10" d="M49.529,52.225c-4.396-4.396-10.951-5.884-12.063-6.109 + 
V38.8H19.278c0,0,0.038,6.903,0,6.868c0,0-6.874,0.997-12.308,6.432C1.378,57.691,0.5,63.77,0.5,63.77 + c0,1.937,1.575,3.492,3.523,3.492h48.51c1.947,0,3.521-1.558,3.521-3.492C56.055,63.768,54.211,56.906,49.529,52.225z"/> + + <radialGradient id="face_x5F_white_1_" cx="27.8228" cy="798.418" r="23.4236" fx="23.2533" fy="795.9283" gradientTransform="matrix(1 0 0 1 0.0801 -771.6914)" gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#FFD28F"/> + <stop offset="1" style="stop-color:#FFAB4F"/> + </radialGradient> + <path id="face_x5F_white_3_" fill="url(#face_x5F_white_1_)" stroke="#ED9135" stroke-miterlimit="10" d="M43.676,24.357 + c0.086,10.2-6.738,18.52-15.245,18.586c-8.504,0.068-15.468-8.146-15.554-18.344C12.794,14.4,19.618,6.079,28.123,6.012 + C36.627,5.945,43.59,14.158,43.676,24.357z"/> + <path id="hair_x5F_gray_1_" fill="#ECECEC" stroke="#9B9B9B" stroke-linecap="round" stroke-linejoin="round" d="M20.278,14.25 + c0,0,5.321,7.25,15,3.75c2.729-0.563,9.058,1.035,9.058,1.035S40.68,2.865,27.289,3.744C9.403,5.125,12.058,26.678,12.058,26.678 + s2.768-0.684,5.036-4.802C18.068,20.106,20.278,14.25,20.278,14.25z"/> + + <radialGradient id="collar_x5F_body_1_" cx="15.1982" cy="829.8604" r="32.4004" gradientTransform="matrix(1 0 0 1 0.0801 -771.6914)" gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#B0E8FF"/> + <stop offset="1" style="stop-color:#74AEEE"/> + </radialGradient> + <path id="collar_x5F_body_3_" fill="url(#collar_x5F_body_1_)" stroke="#5491CF" d="M0.5,63.768c0,1.938,1.575,3.494,3.523,3.494 + h48.51c1.947,0,3.521-1.559,3.521-3.494c0,0-1.844-6.861-6.525-11.543c-4.815-4.814-11.244-6.146-11.244-6.146 + c-1.771,1.655-5.61,2.802-10.063,2.802c-4.453,0-8.292-1.146-10.063-2.802c0,0-5.755,0.586-11.189,6.021 + C1.378,57.689,0.5,63.768,0.5,63.768z"/> + + <radialGradient id="collar_x5F_r_1_" cx="31.54" cy="819.9863" r="9.2835" gradientTransform="matrix(1 0 0 1 0.0801 -771.6914)" gradientUnits="userSpaceOnUse"> + <stop offset="0" 
style="stop-color:#80CCFF"/> + <stop offset="1" style="stop-color:#74AEEE"/> + </radialGradient> + <path id="collar_x5F_r_3_" fill="url(#collar_x5F_r_1_)" stroke="#5491CF" d="M38.159,42.381c0,0-0.574,2.369-3.013,4.441 + c-2.108,1.795-5.783,2.072-5.783,2.072l3.974,6.217c0,0,2.957-1.637,5.009-3.848c1.922-2.072,1.37-5.479,1.37-5.479L38.159,42.381z + "/> + + <radialGradient id="collar_x5F_l_1_" cx="19.1777" cy="820.0273" r="9.2834" gradientTransform="matrix(1 0 0 1 0.0801 -771.6914)" gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#80CCFF"/> + <stop offset="1" style="stop-color:#74AEEE"/> + </radialGradient> + <path id="collar_x5F_l_3_" fill="url(#collar_x5F_l_1_)" stroke="#5491CF" d="M18.63,42.422c0,0,0.576,2.369,3.012,4.441 + c2.109,1.793,5.785,2.072,5.785,2.072l-3.974,6.217c0,0-2.957-1.637-5.007-3.85c-1.922-2.072-1.37-5.479-1.37-5.479L18.63,42.422z" + /> +</g> +</svg> + + <?xml version="1.0" encoding="utf-8"?> +<svg version="1.1" id="Ebene_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" + width="57px" height="65px" viewBox="0 0 57 65" enable-background="new 0 0 57 65" xml:space="preserve"> +<g> + + <linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="26.3398" y1="3115.7266" x2="27.5807" y2="3145.5239" gradientTransform="matrix(1 0 0 1 0.3203 -3091.7656)"> + <stop offset="0.2711" style="stop-color:#FFAB4F"/> + <stop offset="1" style="stop-color:#FFD28F"/> + </linearGradient> + <path fill="url(#SVGID_1_)" stroke="#ED9135" stroke-miterlimit="10" d="M49.529,51.225c-4.396-4.396-10.951-5.884-12.063-6.109 + V37.8H19.278c0,0,0.038,6.903,0,6.868c0,0-6.874,0.997-12.308,6.432C1.378,56.691,0.5,62.77,0.5,62.77 + c0,1.938,1.575,3.492,3.523,3.492h48.51c1.947,0,3.521-1.558,3.521-3.492C56.055,62.768,54.211,55.906,49.529,51.225z"/> + + <radialGradient id="face_x5F_white_1_" cx="27.5835" cy="3117.4922" r="23.425" fx="23.0139" fy="3115.0024" gradientTransform="matrix(1 0 0 1 0.3203 -3091.7656)" 
gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#FFD28F"/> + <stop offset="1" style="stop-color:#FFAB4F"/> + </radialGradient> + <path id="face_x5F_white_3_" fill="url(#face_x5F_white_1_)" stroke="#ED9135" stroke-miterlimit="10" d="M43.676,23.357 + c0.086,10.2-6.738,18.52-15.25,18.586c-8.5,0.068-15.464-8.146-15.55-18.344C12.794,13.4,19.618,5.079,28.123,5.012 + C36.627,4.945,43.59,13.158,43.676,23.357z"/> + + <linearGradient id="face_highlight_1_" gradientUnits="userSpaceOnUse" x1="6468.501" y1="-12291.5195" x2="6492.1304" y2="-12384.9688" gradientTransform="matrix(0.275 0 0 -0.2733 -1752.8849 -3351.7349)"> + <stop offset="0" style="stop-color:#FFFFFF;stop-opacity:0.24"/> + <stop offset="1" style="stop-color:#FFFFFF;stop-opacity:0.16"/> + </linearGradient> + <path id="face_highlight_3_" fill="url(#face_highlight_1_)" d="M28.415,5.625c-6.035,0.047-10.747,4.493-12.787,10.386 + c-0.664,1.919-0.294,4.043,0.98,5.629c2.73,3.398,5.729,6.283,9.461,8.088c3.137,1.518,7.535,2.385,11.893,1.247 + c2.274-0.592,3.988-2.459,4.375-4.766c0.187-1.094,0.293-2.289,0.283-3.553C42.54,13.244,36.729,5.56,28.415,5.625z"/> + <path fill="#CC9869" stroke="#99724F" stroke-width="0.9271" stroke-linecap="round" stroke-linejoin="round" d="M28.02,31.921 + c-6.78,0-6.717,3.708-6.717,3.708c0,8.133,2.985,8.788,6.955,8.788c4.243,0,6.792-0.926,6.792-8.595 + C35.051,35.822,35.881,31.921,28.02,31.921z M23.989,35.678c0-0.556,1.838-1.005,4.107-1.005c2.27,0,4.107,0.449,4.107,1.005 + C32.204,36.232,23.989,36.232,23.989,35.678z"/> + <path id="hair_x5F_gray_2_" fill="#CC9869" stroke="#99724F" stroke-linecap="round" stroke-linejoin="round" d="M20.278,13.25 + c0,0,5.321,7.25,15,3.75c2.729-0.563,9.058,1.035,9.058,1.035S40.68,1.865,27.289,2.744C9.403,4.125,12.058,25.678,12.058,25.678 + s2.768-0.684,5.036-4.802C18.068,19.106,20.278,13.25,20.278,13.25z"/> + + <radialGradient id="collar_x5F_body_1_" cx="14.9609" cy="3148.9336" r="32.4004" gradientTransform="matrix(1 0 0 1 0.3203 -3091.7656)" 
gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#B0E8FF"/> + <stop offset="1" style="stop-color:#74AEEE"/> + </radialGradient> + <path id="collar_x5F_body_3_" fill="url(#collar_x5F_body_1_)" stroke="#5491CF" d="M0.5,62.768c0,1.938,1.575,3.494,3.523,3.494 + h48.51c1.947,0,3.521-1.559,3.521-3.494c0,0-1.844-6.861-6.525-11.543c-4.815-4.813-11.244-6.146-11.244-6.146 + c-1.771,1.655-5.61,2.802-10.063,2.802c-4.453,0-8.292-1.146-10.063-2.802c0,0-5.755,0.586-11.189,6.021 + C1.378,56.689,0.5,62.768,0.5,62.768z"/> + + <radialGradient id="collar_x5F_r_1_" cx="31.2998" cy="3139.0605" r="9.2823" gradientTransform="matrix(1 0 0 1 0.3203 -3091.7656)" gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#80CCFF"/> + <stop offset="1" style="stop-color:#74AEEE"/> + </radialGradient> + <path id="collar_x5F_r_3_" fill="url(#collar_x5F_r_1_)" stroke="#5491CF" d="M38.159,41.381c0,0-0.574,2.369-3.013,4.441 + c-2.108,1.795-5.783,2.072-5.783,2.072l3.974,6.217c0,0,2.957-1.637,5.009-3.848c1.922-2.072,1.37-5.479,1.37-5.479L38.159,41.381z + "/> + + <radialGradient id="collar_x5F_l_1_" cx="18.9375" cy="3139.1016" r="9.2843" gradientTransform="matrix(1 0 0 1 0.3203 -3091.7656)" gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#80CCFF"/> + <stop offset="1" style="stop-color:#74AEEE"/> + </radialGradient> + <path id="collar_x5F_l_3_" fill="url(#collar_x5F_l_1_)" stroke="#5491CF" d="M18.63,41.422c0,0,0.576,2.369,3.012,4.441 + c2.109,1.793,5.785,2.072,5.785,2.072l-3.974,6.217c0,0-2.957-1.637-5.007-3.85c-1.922-2.072-1.37-5.48-1.37-5.48L18.63,41.422z"/> + + <radialGradient id="Knob2_1_" cx="27.6895" cy="2375.2871" r="0.9669" gradientTransform="matrix(1 0 0 1 0.2402 -2319.0742)" gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#80CCFF"/> + <stop offset="1" style="stop-color:#74AEEE"/> + </radialGradient> + <circle id="Knob2_3_" fill="url(#Knob2_1_)" stroke="#5491CF" cx="28.258" cy="56.254" r="0.584"/> + + <radialGradient 
id="Knob1_1_" cx="27.7275" cy="2381.5283" r="0.9669" gradientTransform="matrix(1 0 0 1 0.2402 -2319.0742)" gradientUnits="userSpaceOnUse"> + <stop offset="0" style="stop-color:#80CCFF"/> + <stop offset="1" style="stop-color:#74AEEE"/> + </radialGradient> + <circle id="Knob1_3_" fill="url(#Knob1_1_)" stroke="#5491CF" cx="28.297" cy="62.499" r="0.584"/> + <path id="path5135_5_" fill="#D54A30" stroke="#B51A19" d="M27.442,55.23c0,0-1.852,2.057-2.082,6.543c-0.23,4.488,0,4.488,0,4.488 + h6.546c0,0,0.23,0.063-0.154-4.367c-0.4-4.604-2.389-6.668-2.389-6.668L27.442,55.23L27.442,55.23z"/> + <path id="path5131_5_" fill="#D54A30" stroke="#B51A19" d="M28.325,48.688h0.125L31,52.691c0.516,0.953-1.207,1.797-1.457,2.547 + l-2.277-0.018c-0.242-0.761-2.26-1.369-1.477-2.584L28.325,48.688z"/> +</g> +</svg> + + + + diff --git a/servers/manifesto/index.html b/servers/manifesto/index.html new file mode 100644 index 0000000..33faf15 --- /dev/null +++ b/servers/manifesto/index.html @@ -0,0 +1,190 @@ + + + + + + + + + + + a Nihilist's Manifesto + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

user@Whonix - 2024-05-19

+

a Nihilist's Manifesto

+

Explaining why I have a blog in the first place.

+
+
+
+
+ + +
+
+
+
+

The History behind this Blog



+

At first, this blog started out as a hacking writeup blog, to show everyone how i hacked half of HackTheBox back in 2022, it was my way of showing that i understood how systems worked from the adversarial point of view. Then once i learned the pentesting methodology i realized that i was doing the same thing over and over again with different technologies, got bored with it, and decided to move on to Sysadmin topics.

+

At that point, i dabbled heavily into the self-hosting community, running a servers at home, running every possible service from home, open source only, remaining the only one in control of my data, etc.

+

But something was missing. I realized that Decentralisation and Privacy were not enough when reading the news, i realized that the very same governments that were supposed to be at the head of democracies were starting to turn into dictatorships. When that is the case, you have no choice but to fit into their view of a perfect law abiding citizen because any reason is a good reason to put you behind bars.

+

That's why i decided to move on to Anonymity topics specifically, because that is the key to remain in control of your freedom, is to make sure your sensitive actions remain secret, while portraying yourself as the perfect citizen. Wether you see this as right or wrong, it does not matter to me.

+

What truly matters here, is exploring how you can use technology to protect your abilities, and enhance them.

+ +
+
+
+
+ +
+
+
+
+

The Reasons behind this Blog



+

+"If you pull that trigger, right, you pull that trigger for a fucking honorable reason. Like an honorable man, not like some fucking civilian that does not understand the wicked way of our world, mate" -Alfie Solomons, Peaky Blinders
+
+
+

First of all let's cover the reasons that I see justify the vast majority of actions done out there in our current world:

+

+Limited Reasons:
+-Self-preservation
+-Pleasure seeking
+-Acting
+
+
+

The most limited reason behind one's action is that of self-preservation, nothing wrong with it, but every other animal out there is already doing it, you're supposed to be able to be more than just any other creature out there.

+

Seeking pleasure (ex: Playing video games, watching movies, behavioral addiction or substance abuse) is alright, but at some point you need to grow up and to realize that it's an immature waste of time.

+

Willingly getting things done is a great, until everything you do revolves around your limited sense of self, and identity.

+ +

So, here are the reasons that i consider honorable, which all stem out of a broader sense of self (daily practiced as part of my morning routine):

+

+Honorable reasons:
+-Purifying
+-Percieving
+-Transcending
+
+
+

I am motivated by my will to purify, refine and enhance my abilities using tools and technology, and I want anyone that also shares that same drive, to be able to explore the full scope of what they can do aswell.

+

I am also motivated by my will to clear out any misconceptions and help everyone percieve technology for what it truly is, regardless of any morality or any political view. My blog aims to bring to light that any usage of any technology is to be justified with a clear reason, to be described, and showcased in great detail.

+

Yes, anyone that tries to mix politics and ideologies into technology, is merely trying to preserve what they are currently identified with. Such people cannot pretend to have an objective view when talking about anything.

+

Transcending limitations is what i consider the most honorable way behind any action. Ultimately, this blog aims to showcase that Technology, when used correctly, can allow one to transcend any limitation. Be it to transcend surveillance, centralisation, deanonymization, lack of security. Any ability that we have as Humans, such as Privacy, Decentralisation, Anonymity, Security, Plausible Deniability can be protected and enhanced by using the correct Technology.

+

TLDR: You want to know the most effective technologies that can enhance your life ? It's right there. Just read it up, understand what they are, understand why they are used, understand how they are used, and use them yourself.

+ + + +
+
+
+
+ + + +
+
+
+
+

Technology is all that matters.

+

We, humans are able to do things, and no matter what we can do, we are able to enhance what we can do using tools. We can run that far, but with a car we can run farther, we can calculate fast, but with a computer we can calculate much faster.

+

You wished you could do more in the world right now ? Well, maybe you should have turned to technology, a long time ago.

+

People are not reliable, as their values, intentions, identities, habits change over time. Technology that you can audit (open source technology) is the only thing you should rely on.

+

You should not pay someone, nor put your trust into anyone to enhance your ability to do anything. Understand your needs, understand your abilities, understand your limits and then Look for tools, study those tools, and learn to use those tools to enhance what you can do in the world.

+

Yes, noone can be trusted, do not expect anyone to uphold any promise. Putting your trust into politicians will always remain a meaningless circus of broken promises, they are only interested in keeping their current power.

+

Everyone's greedy, and the vast majority are only pretending to care for you, they're only looking after their own personal interests.

+

Look at what people are doing, but look even closer at the reason behind their actions.

+ +

TLDR: Technology dictates the way of our world. So, that's what I focus on. I will continue to share it with everyone, until there is nothing left to cover.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
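Review bot: The page text added in servers/manifesto/index.html has spelling and grammar slips that should be fixed before merge. In the History section: "running a servers at home" and "Wether you see this as right or wrong". In the Reasons section: "Willingly getting things done is a great", the list item "-Percieving", "help everyone percieve technology" and "aswell". In the last section: "Yes, noone can be trusted". Suggested corrections are "running servers at home", "Whether", "is great", "Perceiving" and "perceive", "as well" and "no one". Separately, the file is added under servers/ although it is an essay rather than a server installation walkthrough, so consider a path outside servers/ or state in the commit message why it lives there.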
+ + + + + + + diff --git a/servers/mastodon/index.html b/servers/mastodon/index.html new file mode 100644 index 0000000..641c365 --- /dev/null +++ b/servers/mastodon/index.html @@ -0,0 +1,1069 @@ + + + + + + + + + + + mastodon Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-03-23

+

mastodon Setup

+ +

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+
+
+
+
+ +
+
+
+
+

Setup



+

https://docs.joinmastodon.org/admin/install/

+

+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ adduser --disabled-login mastodon
+Adding user `mastodon' ...
+Adding new group `mastodon' (1000) ...
+Adding new user `mastodon' (1000) with group `mastodon (1000)' ...
+Creating home directory `/home/mastodon' ...
+Copying files from `/etc/skel' ...
+Changing the user information for mastodon
+Enter the new value, or press ENTER for the default
+        Full Name []:
+        Room Number []:
+        Work Phone []:
+        Home Phone []:
+        Other []:
+Is the information correct? [Y/n]
+Adding new user `mastodon' to supplemental / extra groups `users' ...
+Adding user `mastodon' to group `users' ...
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ su - mastodon
+This account is currently not available.
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ su - mastodon
+This account is currently not available.
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u mastodon
+usage: sudo -h | -K | -k | -V
+usage: sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
+usage: sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command [arg ...]]
+usage: sudo [-ABbEHkNnPS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i | -s] [command [arg ...]]
+usage: sudo -e [-ABkNnS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u mastodon bash
+mastodon@Belladona:/root$ pwd
+/root
+mastodon@Belladona:/root$ exit
+exit
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ mkdir /srv/mastodon
+mkdir: cannot create directory ‘/srv/mastodon’: File exists
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u mastodon bash
+mastodon@Belladona:/root$ id
+uid=1000(mastodon) gid=1000(mastodon) groups=1000(mastodon),100(users)
+mastodon@Belladona:/root$ ls
+ls: cannot open directory '.': Permission denied
+mastodon@Belladona:/root$ exit
+exit
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ mkdir /home/mastodon
+mkdir: cannot create directory ‘/home/mastodon’: File exists
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u mastodon bash
+mastodon@Belladona:/root$ cd /home/mastodon
+mastodon@Belladona:~$ ls
+mastodon@Belladona:~$ ls -lash
+total 24K
+4.0K drwx------ 2 mastodon mastodon 4.0K Mar 23 15:24 .
+4.0K drwxr-xr-x 3 root     root     4.0K Mar 23 15:22 ..
+4.0K -rw------- 1 mastodon mastodon   20 Mar 23 15:24 .bash_history
+4.0K -rw-r--r-- 1 mastodon mastodon  220 Mar 23 15:22 .bash_logout
+4.0K -rw-r--r-- 1 mastodon mastodon 3.5K Mar 23 15:22 .bashrc
+   0 -rw-r--r-- 1 mastodon mastodon    0 Mar 23 15:22 .cloud-locale-test.skip
+4.0K -rw-r--r-- 1 mastodon mastodon  807 Mar 23 15:22 .profile
+mastodon@Belladona:~$ git clone https://github.com/rbenv/rbenv.git ~/.rbenv
+Cloning into '/home/mastodon/.rbenv'...
+remote: Enumerating objects: 3270, done.
+remote: Counting objects: 100% (420/420), done.
+remote: Compressing objects: 100% (218/218), done.
+remote: Total 3270 (delta 234), reused 327 (delta 188), pack-reused 2850
+Receiving objects: 100% (3270/3270), 662.28 KiB | 5.56 MiB/s, done.
+Resolving deltas: 100% (2024/2024), done.
+mastodon@Belladona:~$ echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
+mastodon@Belladona:~$ echo 'eval "$(rbenv init -)"' >> ~/.bashrc
+mastodon@Belladona:~$ exec bash
+mastodon@Belladona:~$ git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
+Cloning into '/home/mastodon/.rbenv/plugins/ruby-build'...
+remote: Enumerating objects: 15923, done.
+remote: Counting objects: 100% (4057/4057), done.
+remote: Compressing objects: 100% (363/363), done.
+remote: Total 15923 (delta 3854), reused 3819 (delta 3682), pack-reused 11866
+Receiving objects: 100% (15923/15923), 3.11 MiB | 15.55 MiB/s, done.
+Resolving deltas: 100% (11360/11360), done.
+mastodon@Belladona:~$ RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install 3.2.3
+==> Downloading ruby-3.2.3.tar.gz...
+-> curl -q -fL -o ruby-3.2.3.tar.gz https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.3.tar.gz
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100 19.6M  100 19.6M    0     0  18.7M      0  0:00:01  0:00:01 --:--:-- 18.7M
+==> Installing ruby-3.2.3...
+-> ./configure "--prefix=$HOME/.rbenv/versions/3.2.3" --enable-shared --with-ext=openssl,psych,+ --with-jemalloc
+-> make -j 12
+-> make install
+==> Installed ruby-3.2.3 to /home/mastodon/.rbenv/versions/3.2.3
+
+NOTE: to activate this Ruby version as the new default, run: rbenv global 3.2.3
+mastodon@Belladona:~$ rbenv global 3.2.3
+mastodon@Belladona:~$ gem install bundler --no-document
+Fetching bundler-2.5.7.gem
+Successfully installed bundler-2.5.7
+1 gem installed
+
+A new release of RubyGems is available: 3.4.19 → 3.5.7!
+Run `gem update --system 3.5.7` to update your installation.
+
+mastodon@Belladona:~$ exit
+exit
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u postgres psql
+psql (16.2 (Debian 16.2-1.pgdg120+2))
+Type "help" for help.
+
+postgres=# CREATE USER mastodon CREATEDB;
+CREATE ROLE
+postgres=# \q
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ su - mastodon
+This account is currently not available.
+
+[ Belladona ] [ /dev/pts/16 ] [~]
+→ sudo -u mastodon bash
+mastodon@Belladona:/root$ cd /home/mastodon
+mastodon@Belladona:~$ git clone https://github.com/mastodon/mastodon.git live && cd live
+Cloning into 'live'...
+remote: Enumerating objects: 190880, done.
+remote: Counting objects: 100% (17/17), done.
+remote: Compressing objects: 100% (17/17), done.
+remote: Total 190880 (delta 0), reused 1 (delta 0), pack-reused 190863
+Receiving objects: 100% (190880/190880), 228.45 MiB | 14.19 MiB/s, done.
+Resolving deltas: 100% (141462/141462), done.
+mastodon@Belladona:~/live$ git checkout $(git tag -l | grep '^v[0-9.]*$' | sort -V | tail -n 1)
+Note: switching to 'v4.2.8'.
+
+You are in 'detached HEAD' state. You can look around, make experimental
+changes and commit them, and you can discard any commits you make in this
+state without impacting any branches by switching back to a branch.
+
+If you want to create a new branch to retain commits you create, you may
+do so (now or later) by using -c with the switch command. Example:
+
+  git switch -c new-branch-name>
+
+Or undo this operation with:
+
+  git switch -
+
+Turn off this advice by setting config variable advice.detachedHead to false
+
+HEAD is now at bdb6650eb Bump version to v4.2.8 (#29370)
+mastodon@Belladona:~/live$ bundle config deployment 'true'
+mastodon@Belladona:~/live$ bundle config without 'development test'
+mastodon@Belladona:~/live$ bundle install -j$(getconf _NPROCESSORS_ONLN)
+Bundler 2.5.7 is running, but your lockfile was generated with 2.4.13. Installing Bundler 2.4.13 and restarting using that version.
+Fetching gem metadata from https://rubygems.org/.
+Fetching bundler 2.4.13
+Installing bundler 2.4.13
+Fetching gem metadata from https://rubygems.org/.........
+Fetching https://github.com/stanhu/omniauth-cas.git
+Fetching https://github.com/mastodon/rails-settings-cached.git
+Fetching https://github.com/ClearlyClaire/webpush.git
+Fetching rake 13.0.6
+Installing rake 13.0.6
+Fetching date 3.3.4
+Fetching mini_mime 1.1.5
+Fetching minitest 5.19.0
+Fetching concurrent-ruby 1.2.3
+Fetching erubi 1.12.0
+Fetching racc 1.7.3
+Fetching crass 1.0.6
+Fetching rack 2.2.8.1
+Fetching nio4r 2.7.0
+Fetching websocket-extensions 0.1.5
+Fetching marcel 1.0.2
+Fetching builder 3.2.4
+Installing erubi 1.12.0
+Installing crass 1.0.6
+Installing websocket-extensions 0.1.5
+Installing mini_mime 1.1.5
+Fetching timeout 0.4.1
+Installing builder 3.2.4
+Installing marcel 1.0.2
+Installing date 3.3.4 with native extensions
+Installing racc 1.7.3 with native extensions
+Fetching jsonapi-renderer 0.2.2
+Installing timeout 0.4.1
+Installing minitest 5.19.0
+Installing nio4r 2.7.0 with native extensions
+Fetching public_suffix 5.0.3
+Installing jsonapi-renderer 0.2.2
+Fetching aes_key_wrap 1.1.0
+Installing rack 2.2.8.1
+Fetching android_key_attestation 0.3.0
+Installing aes_key_wrap 1.1.0
+Fetching encryptor 3.0.0
+Fetching attr_required 1.0.1
+Installing android_key_attestation 0.3.0
+Installing public_suffix 5.0.3
+Installing concurrent-ruby 1.2.3
+Installing attr_required 1.0.1
+Fetching awrence 1.2.1
+Fetching aws-eventstream 1.2.0
+Installing awrence 1.2.1
+Fetching aws-partitions 1.809.0
+Installing aws-eventstream 1.2.0
+Fetching jmespath 1.6.2
+Fetching faraday-em_http 1.0.0
+Fetching faraday-em_synchrony 1.0.0
+Installing encryptor 3.0.0
+Installing faraday-em_http 1.0.0
+Installing jmespath 1.6.2
+Installing aws-partitions 1.809.0
+Installing faraday-em_synchrony 1.0.0
+Fetching faraday-excon 1.1.0
+Fetching faraday-httpclient 1.0.1
+Installing faraday-excon 1.1.0
+Fetching multipart-post 2.3.0
+Fetching faraday-net_http 1.0.1
+Installing faraday-httpclient 1.0.1
+Fetching faraday-patron 1.0.0
+Installing multipart-post 2.3.0
+Fetching faraday-net_http_persistent 1.2.0
+Installing faraday-net_http 1.0.1
+Fetching faraday-rack 1.0.0
+Installing faraday-patron 1.0.0
+Installing faraday-net_http_persistent 1.2.0
+Fetching faraday-retry 1.0.3
+Using ruby2_keywords 0.0.5
+Fetching connection_pool 2.4.1
+Fetching bcp47_spec 0.2.1
+Fetching bcrypt 3.1.18
+Installing faraday-rack 1.0.0
+Fetching bindata 2.4.15
+Installing faraday-retry 1.0.3
+Installing connection_pool 2.4.1
+Fetching blurhash 0.1.7
+Installing bcp47_spec 0.2.1
+Fetching msgpack 1.7.1
+Installing blurhash 0.1.7 with native extensions
+Fetching browser 5.3.1
+Fetching redis 4.8.1
+Using bundler 2.4.13
+Fetching cbor 0.5.9.6
+Installing bcrypt 3.1.18 with native extensions
+Installing bindata 2.4.15
+Fetching charlock_holmes 0.7.7
+Fetching multi_json 1.15.0
+Installing msgpack 1.7.1 with native extensions
+Installing cbor 0.5.9.6 with native extensions
+Installing redis 4.8.1
+Installing browser 5.3.1
+Installing charlock_holmes 0.7.7 with native extensions
+Installing multi_json 1.15.0
+Fetching elasticsearch-dsl 0.1.10
+Fetching chunky_png 1.4.0
+Fetching climate_control 0.2.0
+Fetching cocoon 1.2.15
+Installing elasticsearch-dsl 0.1.10
+Installing climate_control 0.2.0
+Fetching color_diff 0.1
+Using openssl 3.1.0
+Fetching orm_adapter 0.5.0
+Installing cocoon 1.2.15
+Installing color_diff 0.1
+Installing chunky_png 1.4.0
+Fetching method_source 1.0.0
+Fetching thor 1.3.0
+Installing method_source 1.0.0
+Fetching rotp 6.2.2
+Fetching zeitwerk 2.6.13
+Installing orm_adapter 0.5.0
+Fetching unf_ext 0.0.8.2
+Installing thor 1.3.0
+Fetching dotenv 2.8.1
+Installing rotp 6.2.2
+Installing zeitwerk 2.6.13
+Installing dotenv 2.8.1
+Fetching ed25519 1.3.0
+Fetching excon 0.100.0
+Fetching fast_blank 1.0.1
+Installing ed25519 1.3.0 with native extensions
+Installing unf_ext 0.0.8.2 with native extensions
+Installing fast_blank 1.0.1 with native extensions
+Fetching fastimage 2.2.7
+Installing excon 0.100.0
+Installing fastimage 2.2.7
+Fetching ffi 1.15.5
+Fetching formatador 0.3.0
+Installing formatador 0.3.0
+Fetching mime-types-data 3.2023.0808
+Fetching ipaddress 0.8.3
+Fetching raabro 1.4.0
+Installing ffi 1.15.5 with native extensions
+Installing mime-types-data 3.2023.0808
+Installing raabro 1.4.0
+Fetching temple 0.10.2
+Fetching tilt 2.2.0
+Installing ipaddress 0.8.3
+Fetching hashie 5.0.0
+Using json 2.6.3
+Fetching hiredis 0.6.3
+Installing temple 0.10.2
+Installing tilt 2.2.0
+Installing hashie 5.0.0
+Fetching hkdf 0.3.0
+Fetching htmlentities 4.3.4
+Fetching http-form_data 2.3.0
+Installing hkdf 0.3.0
+Fetching http_accept_language 2.1.1
+Installing hiredis 0.6.3 with native extensions
+Installing htmlentities 4.3.4
+Installing http_accept_language 2.1.1
+Fetching httpclient 2.8.3
+Fetching rainbow 3.1.1
+Installing http-form_data 2.3.0
+Installing rainbow 3.1.1
+Fetching json-canonicalization 1.0.0
+Fetching idn-ruby 0.1.5
+Installing httpclient 2.8.3
+Installing json-canonicalization 1.0.0
+Installing idn-ruby 0.1.5 with native extensions
+Fetching link_header 0.0.8
+Fetching jwt 2.7.1
+Installing jwt 2.7.1
+Fetching kaminari-core 1.2.2
+Installing kaminari-core 1.2.2
+Using uri 0.12.2
+Installing link_header 0.0.8
+Fetching statsd-ruby 1.5.0
+Fetching net-ldap 0.18.0
+Installing statsd-ruby 1.5.0
+Installing net-ldap 0.18.0
+Fetching oj 3.16.1
+Fetching rexml 3.2.6
+Installing rexml 3.2.6
+Installing oj 3.16.1 with native extensions
+Fetching ox 2.14.17
+Installing ox 2.14.17 with native extensions
+Fetching parslet 2.0.0
+Installing parslet 2.0.0
+Fetching tty-color 0.6.0
+Installing tty-color 0.6.0
+Fetching pg 1.5.5
+Installing pg 1.5.5 with native extensions
+Fetching posix-spawn 0.3.15
+Fetching private_address_check 0.5.0
+Installing posix-spawn 0.3.15 with native extensions
+Installing private_address_check 0.5.0
+Fetching redcarpet 3.6.0
+Installing redcarpet 3.6.0 with native extensions
+Fetching rqrcode_core 1.2.0
+Installing rqrcode_core 1.2.0
+Fetching ruby-progressbar 1.13.0
+Installing ruby-progressbar 1.13.0
+Fetching rubyzip 2.3.2
+Installing rubyzip 2.3.2
+Fetching semantic_range 3.0.0
+Installing semantic_range 3.0.0
+Fetching tty-cursor 0.7.1
+Installing tty-cursor 0.7.1
+Fetching tty-screen 0.8.1
+Installing tty-screen 0.8.1
+Fetching wisper 2.0.1
+Installing wisper 2.0.1
+Fetching xorcist 1.1.3
+Fetching websocket-driver 0.7.6
+Installing xorcist 1.1.3 with native extensions
+Installing websocket-driver 0.7.6 with native extensions
+Fetching net-protocol 0.2.2
+Fetching aws-sigv4 1.6.0
+Installing aws-sigv4 1.6.0
+Installing net-protocol 0.2.2
+Fetching addressable 2.8.5
+Fetching nokogiri 1.16.2 (x86_64-linux)
+Fetching attr_encrypted 4.0.0
+Installing addressable 2.8.5
+Installing attr_encrypted 4.0.0
+Fetching rack-test 2.1.0
+Fetching warden 1.2.9
+Installing rack-test 2.1.0
+Fetching request_store 1.5.1
+Installing warden 1.2.9
+Fetching rack-protection 3.0.5
+Installing request_store 1.5.1
+Installing rack-protection 3.0.5
+Fetching rack-attack 6.7.0
+Fetching rack-cors 2.0.1
+Installing rack-cors 2.0.1
+Installing rack-attack 6.7.0
+Fetching rack-proxy 0.7.6
+Fetching faraday-multipart 1.0.4
+Fetching net-http-persistent 4.0.2
+Installing nokogiri 1.16.2 (x86_64-linux)
+Installing rack-proxy 0.7.6
+Fetching i18n 1.14.1
+Installing net-http-persistent 4.0.2
+Fetching sprockets 3.7.2
+Installing faraday-multipart 1.0.4
+Fetching brpoplpush-redis_script 0.1.3
+Fetching tzinfo 2.0.6
+Installing sprockets 3.7.2
+Installing i18n 1.14.1
+Installing brpoplpush-redis_script 0.1.3
+Fetching mario-redis-lock 1.2.1
+Fetching sidekiq 6.5.12
+Fetching redis-namespace 1.11.0
+Installing tzinfo 2.0.6
+Installing mario-redis-lock 1.2.1
+Fetching redlock 1.3.2
+Fetching elasticsearch-api 7.13.3
+Installing redis-namespace 1.11.0
+Fetching openssl-signature_algorithm 1.3.0
+Installing redlock 1.3.2
+Fetching terrapin 0.6.0
+Installing openssl-signature_algorithm 1.3.0
+Installing sidekiq 6.5.12
+Installing elasticsearch-api 7.13.3
+Installing terrapin 0.6.0
+Fetching mime-types 3.5.1
+Fetching hcaptcha 7.1.0
+Installing mime-types 3.5.1
+Installing hcaptcha 7.1.0
+Fetching haml 6.1.2
+Fetching httplog 1.6.2
+Installing haml 6.1.2 with native extensions
+Fetching safety_net_attestation 0.4.0
+Installing httplog 1.6.2
+Using webpush 0.3.8 from https://github.com/ClearlyClaire/webpush.git (at f14a4d5@f14a4d5)
+Installing safety_net_attestation 0.4.0
+Fetching rdf 3.3.1
+Fetching net-http 0.3.2
+Fetching unf 0.1.4
+Installing rdf 3.3.1
+Installing net-http 0.3.2
+Fetching pastel 0.8.0
+Installing unf 0.1.4
+Installing pastel 0.8.0
+Fetching rqrcode 2.2.0
+Fetching puma 6.4.2
+Fetching tty-reader 0.9.0
+Fetching net-pop 0.1.2
+Fetching net-smtp 0.3.4
+Installing tty-reader 0.9.0
+Fetching aws-sdk-core 3.181.0
+Installing rqrcode 2.2.0
+Installing net-smtp 0.3.4
+Fetching css_parser 1.14.0
+Installing net-pop 0.1.2
+Installing puma 6.4.2 with native extensions
+Fetching omniauth 2.1.1
+Fetching faraday 1.10.3
+Fetching activesupport 7.0.8.1
+Installing css_parser 1.14.0
+Installing omniauth 2.1.1
+Installing aws-sdk-core 3.181.0
+Installing faraday 1.10.3
+Fetching et-orbi 1.2.7
+Installing et-orbi 1.2.7
+Fetching tzinfo-data 1.2023.3
+Fetching stoplight 3.0.2
+Installing stoplight 3.0.2
+Fetching cose 1.3.0
+Installing activesupport 7.0.8.1
+Installing cose 1.3.0
+Fetching tpm-key_attestation 0.12.0
+Installing tpm-key_attestation 0.12.0
+Installing tzinfo-data 1.2023.3
+Fetching sidekiq-bulk 0.2.0
+Installing sidekiq-bulk 0.2.0
+Fetching sidekiq-unique-jobs 7.1.33
+Fetching fog-core 2.1.0
+Fetching bootsnap 1.16.0
+Fetching loofah 2.21.4
+Installing bootsnap 1.16.0 with native extensions
+Installing sidekiq-unique-jobs 7.1.33
+Installing fog-core 2.1.0
+Installing loofah 2.21.4
+Fetching ruby-saml 1.15.0
+Installing ruby-saml 1.15.0
+Fetching sanitize 6.0.2
+Installing sanitize 6.0.2
+Fetching domain_name 0.5.20190701
+Fetching twitter-text 3.1.0
+Fetching json-ld 3.3.1
+Fetching rdf-normalize 0.6.1
+Fetching tty-prompt 0.23.1
+Installing twitter-text 3.1.0
+Installing domain_name 0.5.20190701
+Installing rdf-normalize 0.6.1
+Fetching premailer 1.21.0
+Using omniauth-cas 2.0.0 from https://github.com/stanhu/omniauth-cas.git (at 4211e6d@4211e6d)
+Fetching fugit 1.8.1
+Installing json-ld 3.3.1
+Fetching net-imap 0.3.7
+Fetching faraday_middleware 1.2.0
+Installing tty-prompt 0.23.1
+Installing premailer 1.21.0
+Installing fugit 1.8.1
+Installing faraday_middleware 1.2.0
+Installing net-imap 0.3.7
+Fetching elasticsearch-transport 7.13.3
+Fetching rails-html-sanitizer 1.6.0
+Fetching webauthn 3.0.0
+Fetching rails-dom-testing 2.1.1
+Fetching globalid 1.1.0
+Installing rails-dom-testing 2.1.1
+Installing rails-html-sanitizer 1.6.0
+Fetching activemodel 7.0.8.1
+Installing globalid 1.1.0
+Fetching case_transform 0.2
+Installing webauthn 3.0.0
+Installing elasticsearch-transport 7.13.3
+Fetching json-jwt 1.15.3
+Fetching nsa 0.3.0
+Installing activemodel 7.0.8.1
+Installing case_transform 0.2
+Fetching swd 1.3.0
+Installing nsa 0.3.0
+Installing json-jwt 1.15.3
+Fetching webfinger 1.2.0
+Fetching pundit 2.3.0
+Installing swd 1.3.0
+Fetching simple-navigation 4.4.0
+Fetching fog-json 1.2.0
+Fetching omniauth-saml 2.1.0
+Installing pundit 2.3.0
+Installing webfinger 1.2.0
+Installing fog-json 1.2.0
+Installing omniauth-saml 2.1.0
+Fetching aws-sdk-kms 1.71.0
+Installing simple-navigation 4.4.0
+Fetching http-cookie 1.0.5
+Fetching json-ld-preloaded 3.2.2
+Fetching rufus-scheduler 3.9.1
+Fetching azure-storage-common 2.0.4
+Installing http-cookie 1.0.5
+Installing rufus-scheduler 3.9.1
+Fetching actionview 7.0.8.1
+Installing aws-sdk-kms 1.71.0
+Installing azure-storage-common 2.0.4
+Installing json-ld-preloaded 3.2.2
+Fetching activejob 7.0.8.1
+Fetching mail 2.8.1
+Fetching elasticsearch 7.13.3
+Fetching rack-oauth2 1.21.3
+Fetching activerecord 7.0.8.1
+Installing actionview 7.0.8.1
+Installing activejob 7.0.8.1
+Installing rack-oauth2 1.21.3
+Installing elasticsearch 7.13.3
+Fetching kt-paperclip 7.2.1
+Fetching validate_url 1.0.15
+Installing mail 2.8.1
+Installing validate_url 1.0.15
+Fetching fog-openstack 0.3.10
+Installing activerecord 7.0.8.1
+Fetching sidekiq-scheduler 5.0.3
+Fetching aws-sdk-s3 1.133.0
+Installing kt-paperclip 7.2.1
+Installing sidekiq-scheduler 5.0.3
+Installing fog-openstack 0.3.10
+Fetching azure-storage-blob 2.0.3
+Installing azure-storage-blob 2.0.3
+Installing aws-sdk-s3 1.133.0
+Fetching chewy 7.3.4
+Fetching actionpack 7.0.8.1
+Fetching kaminari-actionview 1.2.2
+Fetching md-paperclip-azure 2.2.0
+Installing chewy 7.3.4
+Installing kaminari-actionview 1.2.2
+Fetching validate_email 0.1.6
+Installing actionpack 7.0.8.1
+Installing md-paperclip-azure 2.2.0
+Installing validate_email 0.1.6
+Fetching openid_connect 1.4.2
+Installing openid_connect 1.4.2
+Fetching discard 1.2.1
+Fetching kaminari-activerecord 1.2.2
+Fetching strong_migrations 0.8.0
+Fetching pghero 3.3.4
+Fetching omniauth_openid_connect 0.6.1
+Installing discard 1.2.1
+Installing kaminari-activerecord 1.2.2
+Fetching kaminari 1.2.2
+Installing omniauth_openid_connect 0.6.1
+Installing strong_migrations 0.8.0
+Installing kaminari 1.2.2
+Fetching actioncable 7.0.8.1
+Fetching actionmailer 7.0.8.1
+Fetching activestorage 7.0.8.1
+Installing pghero 3.3.4
+Installing actioncable 7.0.8.1
+Installing actionmailer 7.0.8.1
+Fetching active_model_serializers 0.10.13
+Fetching railties 7.0.8.1
+Installing activestorage 7.0.8.1
+Fetching omniauth-rails_csrf_protection 1.0.1
+Installing active_model_serializers 0.10.13
+Fetching simple_form 5.2.0
+Installing omniauth-rails_csrf_protection 1.0.1
+Fetching sprockets-rails 3.4.2
+Installing sprockets-rails 3.4.2
+Fetching premailer-rails 1.12.0
+Installing simple_form 5.2.0
+Fetching ffi-compiler 1.0.1
+Installing railties 7.0.8.1
+Installing premailer-rails 1.12.0
+Installing ffi-compiler 1.0.1
+Fetching llhttp-ffi 0.4.0
+Fetching actiontext 7.0.8.1
+Fetching actionmailbox 7.0.8.1
+Installing llhttp-ffi 0.4.0 with native extensions
+Installing actionmailbox 7.0.8.1
+Installing actiontext 7.0.8.1
+Fetching responders 3.1.0
+Fetching dotenv-rails 2.8.1
+Fetching haml-rails 2.1.0
+Fetching rails 7.0.8.1
+Fetching doorkeeper 5.6.6
+Fetching lograge 0.13.0
+Fetching rails-i18n 7.0.7
+Installing dotenv-rails 2.8.1
+Installing responders 3.1.0
+Installing haml-rails 2.1.0
+Installing rails 7.0.8.1
+Installing lograge 0.13.0
+Fetching scenic 1.7.0
+Installing rails-i18n 7.0.7
+Fetching webpacker 5.4.4
+Using rails-settings-cached 0.6.6 from https://github.com/mastodon/rails-settings-cached.git (at v0.6.6-aliases-true@86328ef)
+Installing doorkeeper 5.6.6
+Installing scenic 1.7.0
+Fetching devise 4.9.2
+Installing webpacker 5.4.4
+Installing devise 4.9.2
+Fetching http 5.1.1
+Installing http 5.1.1
+Fetching devise-two-factor 4.1.0
+Installing devise-two-factor 4.1.0
+Bundle complete! 130 Gemfile dependencies, 243 gems now installed.
+Gems in the groups 'development' and 'test' were not installed.
+Bundled gems are installed into `./vendor/bundle`
+Post-install message from encryptor:
+
+
+
+Please be aware that Encryptor v2.0.0 had a major security bug when using AES-*-GCM algorithms.
+
+By default You will not be able to decrypt data that was previously encrypted using an AES-*-GCM algorithm.
+
+Please see the README and https://github.com/attr-encrypted/encryptor/pull/22 for more information.
+
+
+Post-install message from attr_encrypted:
+
+
+
+WARNING: Using `#encrypted_attributes` is no longer supported. Instead, use `#attr_encrypted_encrypted_attributes` to avoid
+  collision with Active Record 7 native encryption.
+
+
+Post-install message from devise:
+
+[DEVISE] Please review the [changelog] and [upgrade guide] for more info on Hotwire / Turbo integration.
+
+  [changelog] https://github.com/heartcombo/devise/blob/main/CHANGELOG.md
+  [upgrade guide] https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-%5BHotwire-Turbo-integration%5D
+  Post-install message from doorkeeper:
+Starting from 5.5.0 RC1 Doorkeeper requires client authentication for Resource Owner Password Grant
+as stated in the OAuth RFC. You have to create a new OAuth client (Doorkeeper::Application) if you didn't
+have it before and use client credentials in HTTP Basic auth if you previously used this grant flow without
+client authentication.
+
+To opt out of this you could set the "skip_client_authentication_for_password_grant" configuration option
+to "true", but note that this is in violation of the OAuth spec and represents a security risk.
+
+Read https://github.com/doorkeeper-gem/doorkeeper/issues/561#issuecomment-612857163 for more details.
+Post-install message from kt-paperclip:
+##################################################
+#  NOTE FOR UPGRADING FROM 4.3.0 OR EARLIER      #
+##################################################
+
+Paperclip is now compatible with aws-sdk-s3.
+
+If you are using S3 storage, aws-sdk-s3 requires you to make a few small
+changes:
+
+* You must set the `s3_region`
+* If you are explicitly setting permissions anywhere, such as in an initializer,
+  note that the format of the permissions changed from using an underscore to
+  using a hyphen. For example, `:public_read` needs to be changed to
+  `public-read`.
+
+For a walkthrough of upgrading from 4 to *5* (not 6) and aws-sdk >= 2.0 you can watch
+http://rubythursday.com/episodes/ruby-snack-27-upgrade-paperclip-and-aws-sdk-in-prep-for-rails-5
+Post-install message from rubyzip:
+RubyZip 3.0 is coming!
+**********************
+
+The public API of some Rubyzip classes has been modernized to use named
+parameters for optional arguments. Please check your usage of the
+following classes:
+  * `Zip::File`
+  * `Zip::Entry`
+  * `Zip::InputStream`
+  * `Zip::OutputStream`
+
+Please ensure that your Gemfiles and .gemspecs are suitably restrictive
+to avoid an unexpected breakage when 3.0 is released (e.g. ~> 2.3.0).
+See https://github.com/rubyzip/rubyzip for details. The Changelog also
+lists other enhancements and bugfixes that have been implemented since
+version 2.3.0.
+Post-install message from sidekiq-unique-jobs:
+IMPORTANT!
+
+Automatic configuration of the sidekiq middleware is no longer done.
+Please see: https://github.com/mhenrixon/sidekiq-unique-jobs/blob/master/README.md#add-the-middleware
+
+This version deprecated the following sidekiq_options
+
+  - sidekiq_options lock_args: :method_name
+
+It is now configured with:
+
+  - sidekiq_options lock_args_method: :method_name
+
+This is also true for `Sidekiq.default_worker_options`
+
+We also deprecated the global configuration options:
+  - default_lock_ttl
+  - default_lock_ttl=
+  - default_lock_timeout
+  - default_lock_timeout=
+
+The new methods to use are:
+  - lock_ttl
+  - lock_ttl=
+  - lock_timeout
+  - lock_timeout=
+mastodon@Belladona:~/live$ yarn install --pure-lockfile
+yarn install v1.22.22
+[1/6] Validating package.json...
+[2/6] Resolving packages...
+[3/6] Fetching packages...
+warning Pattern ["strip-ansi@^6.0.1"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-strip-ansi-cjs-6.0.1-9e26c63d30f53443e9489495b2105d37b67a85d9-integrity/node_modules/strip-ansi-cjs" as pattern ["strip-ansi-cjs@npm:strip-ansi@^6.0.1"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["string-width@^4.1.0"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-string-width-cjs-4.2.3-269c7117d27b05ad2e536830a8ec895ef9c6d010-integrity/node_modules/string-width-cjs" as pattern ["string-width-cjs@npm:string-width@^4.2.0"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["strip-ansi@^6.0.0"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-strip-ansi-cjs-6.0.1-9e26c63d30f53443e9489495b2105d37b67a85d9-integrity/node_modules/strip-ansi-cjs" as pattern ["strip-ansi-cjs@npm:strip-ansi@^6.0.1"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["string-width@^4.2.3"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-string-width-cjs-4.2.3-269c7117d27b05ad2e536830a8ec895ef9c6d010-integrity/node_modules/string-width-cjs" as pattern ["string-width-cjs@npm:string-width@^4.2.0"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["string-width@^1.0.2 || 2 || 3 || 4"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-string-width-cjs-4.2.3-269c7117d27b05ad2e536830a8ec895ef9c6d010-integrity/node_modules/string-width-cjs" as pattern ["string-width-cjs@npm:string-width@^4.2.0"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["string-width@^4.2.0"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-string-width-cjs-4.2.3-269c7117d27b05ad2e536830a8ec895ef9c6d010-integrity/node_modules/string-width-cjs" as pattern ["string-width-cjs@npm:string-width@^4.2.0"]. This could result in non-deterministic behavior, skipping.
+warning Pattern ["wrap-ansi@^7.0.0"] is trying to unpack in the same destination "/home/mastodon/.cache/yarn/v6/npm-wrap-ansi-cjs-7.0.0-67e145cff510a6a6984bdf1152911d69d2eb9e43-integrity/node_modules/wrap-ansi-cjs" as pattern ["wrap-ansi-cjs@npm:wrap-ansi@^7.0.0"]. This could result in non-deterministic behavior, skipping.
+[4/6] Linking dependencies...
+warning " > emoji-mart@3.0.1-j" has incorrect peer dependency "react@^0.14.0 || ^15.0.0-0 || ^16.0.0 || ^17.0.0".
+warning " > react-motion@0.5.2" has incorrect peer dependency "react@^0.14.9 || ^15.3.0 || ^16.0.0".
+warning " > react-notification@6.8.5" has incorrect peer dependency "react@^0.14.0 || ^15.0.0 || ^16.0.0".
+warning " > react-router-scroll-4@1.0.0-beta.2" has incorrect peer dependency "react@^15.0.0 || ^16.0.0".
+warning " > react-router-scroll-4@1.0.0-beta.2" has incorrect peer dependency "react-dom@^15.0.0 || ^16.0.0".
+warning " > react-swipeable-views@0.14.0" has incorrect peer dependency "react@^15.3.0 || ^16.0.0 || ^17.0.0".
+warning "react-swipeable-views > react-swipeable-views-utils > react-event-listener@0.6.6" has incorrect peer dependency "react@^16.3.0".
+[5/6] Building fresh packages...
+[6/6] Cleaning modules...
+$ husky install
+[##################################################################################################################################################################################################################################] 5661/5661husky - Git hooks installed
+Done in 39.39s.
+mastodon@Belladona:~/live$ RAILS_ENV=production bundle exec rake mastodon:setup
+Your instance is identified by its domain name. Changing it afterward will break things.
+Domain name: mastodon.datura.network
+
+Single user mode disables registrations and redirects the landing page to your public profile.
+Do you want to enable single user mode? No
+
+Are you using Docker to run Mastodon? no
+
+PostgreSQL host: /var/run/postgresql
+PostgreSQL port: 5432
+Name of PostgreSQL database: mastodon_production
+Name of PostgreSQL user: mastodon
+Password of PostgreSQL user:
+Database configuration works! 🎆
+
+Redis host: localhost
+Redis port: 6379
+Redis password:
+Redis configuration works! 🎆
+
+Do you want to store uploaded files on the cloud? No
+
+Do you want to send e-mails from localhost? No
+SMTP server: mail.nihilism.network
+SMTP port: 587
+SMTP username: surveillance
+SMTP password:
+SMTP authentication: starttls
+SMTP OpenSSL verify mode: client_once
+Enable STARTTLS: always
+E-mail address to send e-mails "from": surveillance@nihilism.network
+Send a test e-mail with this configuration right now? Yes
+Send test e-mail to: nihilist@nihilism.network
+E-mail could not be sent with this configuration, try again.
+wrong authentication type starttls
+Try again? Yes
+Do you want to send e-mails from localhost? No
+SMTP server: mail.nihilism.network
+SMTP port: 587
+SMTP username: surveillance
+SMTP password:
+SMTP authentication: plain
+SMTP OpenSSL verify mode: none
+Enable STARTTLS: always
+E-mail address to send e-mails "from": surveillance@nihilism.network
+Send a test e-mail with this configuration right now? Yes
+Send test e-mail to: nihilist@nihilism.network
+
+Do you want Mastodon to periodically check for important updates and notify you? (Recommended) Yes
+
+This configuration will be written to .env.production
+Save configuration? Yes
+
+Now that configuration is saved, the database schema must be loaded.
+If the database already exists, this will erase its contents.
+Prepare the database now? Yes
+Running `RAILS_ENV=production rails db:setup` ...
+
+
+Created database 'mastodon_production'
+Done!
+
+The final step is compiling CSS/JS assets.
+This may take a while and consume a lot of RAM.
+Compile the assets now? Yes
+Running `RAILS_ENV=production rails assets:precompile` ...
+
+
+I, [2024-03-23T15:37:10.410961 #561860]  INFO -- : Writing /home/mastodon/live/public/assets/doorkeeper/admin/application-a644908e7bab54fb749be0f59fb64a7480bbf9c4c2b79d4a65791cb7ab4d8730.css
+I, [2024-03-23T15:37:10.411250 #561860]  INFO -- : Writing /home/mastodon/live/public/assets/doorkeeper/admin/application-a644908e7bab54fb749be0f59fb64a7480bbf9c4c2b79d4a65791cb7ab4d8730.css.gz
+I, [2024-03-23T15:37:10.418962 #561860]  INFO -- : Writing /home/mastodon/live/public/assets/doorkeeper/application-c93dac2ad9d65e3393e0e2c958481e86ef7a5e5b0f6ce406842a7b99b25a4850.css
+I, [2024-03-23T15:37:10.419052 #561860]  INFO -- : Writing /home/mastodon/live/public/assets/doorkeeper/application-c93dac2ad9d65e3393e0e2c958481e86ef7a5e5b0f6ce406842a7b99b25a4850.css.gz
+I, [2024-03-23T15:37:10.420412 #561860]  INFO -- : Writing /home/mastodon/live/public/assets/pghero/favicon-db10337a56c45eb43c22ff5019546b520fa22c7281d4d385f235cbca67ed26bb.png
+I, [2024-03-23T15:37:10.683030 #561860]  INFO -- : Writing /home/mastodon/live/public/assets/pghero/application-fc5c893e805df52338bef3bda5a5431f74f1401da68e4f0381ac9ecb7a801e1a.js
+I, [2024-03-23T15:37:10.683160 #561860]  INFO -- : Writing /home/mastodon/live/public/assets/pghero/application-fc5c893e805df52338bef3bda5a5431f74f1401da68e4f0381ac9ecb7a801e1a.js.gz
+I, [2024-03-23T15:37:10.689346 #561860]  INFO -- : Writing /home/mastodon/live/public/assets/pghero/application-29fa393e673685cdbf2fb2b637098a15b988605f46bfa962f6e0cb94d15bc567.css
+I, [2024-03-23T15:37:10.689459 #561860]  INFO -- : Writing /home/mastodon/live/public/assets/pghero/application-29fa393e673685cdbf2fb2b637098a15b988605f46bfa962f6e0cb94d15bc567.css.gz
+Compiling...
+Compiled all packs in /home/mastodon/live/public/packs
+Browserslist: caniuse-lite is outdated. Please run:
+  npx update-browserslist-db@latest
+  Why you should do it regularly: https://github.com/browserslist/update-db#readme
+`isModuleDeclaration` has been deprecated, please migrate to `isImportOrExportDeclaration`
+    at isModuleDeclaration (/home/mastodon/live/node_modules/babel-plugin-lodash/node_modules/@babel/types/lib/validators/generated/index.js:2740:35)
+    at PluginPass.Program (/home/mastodon/live/node_modules/babel-plugin-lodash/lib/index.js:102:44)
+Browserslist: caniuse-lite is outdated. Please run:
+  npx update-browserslist-db@latest
+  Why you should do it regularly: https://github.com/browserslist/update-db#readme
+Browserslist: caniuse-lite is outdated. Please run:
+  npx update-browserslist-db@latest
+  Why you should do it regularly: https://github.com/browserslist/update-db#readme
+
+Done!
+
+All done! You can now power on the Mastodon server 🐘
+
+Do you want to create an admin user straight away? Yes
+Username: nihilist
+E-mail: nihilist@nihilism.network
+You can login with the password: 
+You can change your password once you login.
+
+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Setup



+

+

+	
+
+ +

+

+	
+
+ +

+

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
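Review bot: In the `mastodon:setup` transcript, the SMTP retry changes two answers at once: `SMTP authentication` goes from `starttls` to `plain`, and `SMTP OpenSSL verify mode` goes from `client_once` to `none`. The error shown, `wrong authentication type starttls`, concerns only the authentication answer, so the walkthrough ends up teaching readers to disable certificate verification for mail.nihilism.network while the `surveillance` account's password is sent with plain auth over STARTTLS. Suggest keeping `plain` but answering `peer` for the verify mode, and adding one sentence explaining that `starttls` is not an authentication type, so the failed first attempt is explained rather than only shown.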
+ + + + + + + diff --git a/servers/matrixnew/0.png b/servers/matrixnew/0.png new file mode 100644 index 0000000..1ab3b67 Binary files /dev/null and b/servers/matrixnew/0.png differ diff --git a/servers/matrixnew/1.png b/servers/matrixnew/1.png new file mode 100644 index 0000000..cf2dae7 Binary files /dev/null and b/servers/matrixnew/1.png differ diff --git a/servers/matrixnew/10.png b/servers/matrixnew/10.png new file mode 100644 index 0000000..c3a4925 Binary files /dev/null and b/servers/matrixnew/10.png differ diff --git a/servers/matrixnew/11.png b/servers/matrixnew/11.png new file mode 100644 index 0000000..f993458 Binary files /dev/null and b/servers/matrixnew/11.png differ diff --git a/servers/matrixnew/12.png b/servers/matrixnew/12.png new file mode 100644 index 0000000..ebdf171 Binary files /dev/null and b/servers/matrixnew/12.png differ diff --git a/servers/matrixnew/13.png b/servers/matrixnew/13.png new file mode 100644 index 0000000..437a1d2 Binary files /dev/null and b/servers/matrixnew/13.png differ diff --git a/servers/matrixnew/14.png b/servers/matrixnew/14.png new file mode 100644 index 0000000..bc4eabc Binary files /dev/null and b/servers/matrixnew/14.png differ diff --git a/servers/matrixnew/15.png b/servers/matrixnew/15.png new file mode 100644 index 0000000..287ff4b Binary files /dev/null and b/servers/matrixnew/15.png differ diff --git a/servers/matrixnew/2.png b/servers/matrixnew/2.png new file mode 100644 index 0000000..764c84d Binary files /dev/null and b/servers/matrixnew/2.png differ diff --git a/servers/matrixnew/3.png b/servers/matrixnew/3.png new file mode 100644 index 0000000..5f5205b Binary files /dev/null and b/servers/matrixnew/3.png differ diff --git a/servers/matrixnew/4.png b/servers/matrixnew/4.png new file mode 100644 index 0000000..646f212 Binary files /dev/null and b/servers/matrixnew/4.png differ 
diff --git a/servers/matrixnew/5.png b/servers/matrixnew/5.png new file mode 100644 index 0000000..2df6627 Binary files /dev/null and b/servers/matrixnew/5.png differ diff --git a/servers/matrixnew/6.png b/servers/matrixnew/6.png new file mode 100644 index 0000000..2d8d2e4 Binary files /dev/null and b/servers/matrixnew/6.png differ diff --git a/servers/matrixnew/7.png b/servers/matrixnew/7.png new file mode 100644 index 0000000..267858b Binary files /dev/null and b/servers/matrixnew/7.png differ diff --git a/servers/matrixnew/8.png b/servers/matrixnew/8.png new file mode 100644 index 0000000..e5b8fe0 Binary files /dev/null and b/servers/matrixnew/8.png differ diff --git a/servers/matrixnew/9.png b/servers/matrixnew/9.png new file mode 100644 index 0000000..9d879c6 Binary files /dev/null and b/servers/matrixnew/9.png differ diff --git a/servers/matrixnew/index.html b/servers/matrixnew/index.html new file mode 100644 index 0000000..180e3b3 --- /dev/null +++ b/servers/matrixnew/index.html @@ -0,0 +1,342 @@ + + + + + + + + + + + Matrix Chat Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

root@Datura - 2024-01-14

+

Matrix Chat Setup

+ +

In this tutorial we're going to setup a private matrix chat server along with VoIP support for the element desktop client.

+

Disclaimer: If you want this service to remain anonymous, make sure you at least keep TOR between you and the service from the VPS acquisition to actual service usage.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

First install the required packages:

+

+apt install docker.io docker-compose
+	
+
+ +

Then create the directories required:

+

+mkdir /srv/matrix/data -p
+chown -R 755 /srv/matrix/data
+cd /srv/matrix
+
+
+

Then we'll create the docker-compose.yml file and the generateconfig.sh script:

+

+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat docker-compose.yml
+version: "3.3"
+
+services:
+ synapse:
+  image: "matrixdotorg/synapse:latest"
+  container_name: "matrix_synapse"
+  ports:
+   - 8008:8008
+  volumes:
+   - "./data:/data" #it will look at the current directory where you save the file and look for the data folder inside
+  environment:
+   VIRTUAL_HOST: "m.datura.network"
+   VIRTUAL_PORT: 8008
+   LETSENCRYPT_HOST: "m.datura.network"
+   SYNAPSE_SERVER_NAME: "m.datura.network"
+   SYNAPSE_REPORT_STATS: "yes"
+ coturn:
+  image: instrumentisto/coturn:latest
+  restart: unless-stopped
+  volumes:
+   - ./coturn/turnserver.conf:/etc/coturn/turnserver.conf
+  ports:
+   - 47160-47200:47160-47200/udp
+   - 3478:3478
+   - 5349:5349
+  networks:
+   - mybridge
+networks:
+ mybridge:
+  driver: bridge
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat generateconfig.sh
+#!/bin/bash
+
+docker-compose run --rm -e SYNAPSE_SERVER_NAME=m.datura.network -e SYNAPSE_REPORT_STATS=yes synapse generate
+	
+
+

My matrix server will have the "m.datura.network" domain name. The coturn config mentionned here is used for the VOIP support. Now let's generate the initial keys of the matrix server like so:

+

+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ ./generateconfig.sh
+Creating network "matrix_default" with the default driver
+Creating network "matrix_mybridge" with driver "bridge"
+Setting ownership on /data to 991:991
+Creating log config /data/m.datura.network.log.config
+Generating config file /data/homeserver.yaml
+Generating signing key file /data/m.datura.network.signing.key
+A config file has been generated in '/data/homeserver.yaml' for server name 'm.datura.network'. Please review this file and customise it to your needs.
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ ls
+coturn  data  docker-compose.yml  docker-compose.yml.coturn  generateconfig.sh  m.datura.network.conf.nginx
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ ls data -lash
+total 20K
+4.0K drwxr-xr-x 2  991  991 4.0K Jan 14 11:12 .
+4.0K drwxr-xr-x 4 root root 4.0K Jan  4 13:50 ..
+4.0K -rw-r--r-- 1 root root 1.3K Jan 14 11:12 homeserver.yaml
+4.0K -rw-r--r-- 1 root root  694 Jan 14 11:12 m.datura.network.log.config
+4.0K -rw-r--r-- 1 root root   59 Jan 14 11:12 m.datura.network.signing.key
+	
+
+

Now that's done, we can edit the homeserver.yaml if you want to remove trust into the "matrix.org" keys for federation to make it a truly private server:

+

+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat data/homeserver.yaml | grep server
+
+trusted_key_servers:
+  - server_name: ""
+
+
+

Then we can edit the coturn config like so:

+

+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ ls
+coturn  data  docker-compose.yml  docker-compose.yml.coturn  generateconfig.sh  m.datura.network.conf.nginx
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat coturn/turnserver.conf
+use-auth-secret
+static-auth-secret=cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy
+realm=m.datura.network
+listening-port=3478
+tls-listening-port=5349
+min-port=47160
+max-port=47200
+verbose
+allow-loopback-peers
+cli-password=cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy
+external-ip=116.202.216.190	
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat data/homeserver.yaml | grep turn
+turn_uris: [ "turn:m.datura.network?transport=udp", "turn:m.datura.network?transport=tcp" ]
+turn_shared_secret: "cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy"
+turn_user_lifetime: 86400000
+turn_allow_guests: true
+
+
+
+

Make sure the ports match the ones in the docker-compose.yml file, and the external IP is the one of your server:

+

+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ curl ifconfig.me -4
+116.202.216.190
+	
+
+

Then we start the docker-compose:

+

+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ docker-compose up -d
+Creating matrix_coturn_1 ... done
+Creating matrix_synapse  ... done
+	
+
+

Then we create the accounts like so:

+

+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ docker container ls | grep matrixdot
+134d440b1480   matrixdotorg/synapse:latest                          "/start.py"              About a minute ago   Up 25 seconds (healthy)   8009/tcp, 0.0.0.0:8008->8008/tcp, :::8008->8008/tcp, 8448/tcp                                                                                                           matrix_synapse
+
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ docker exec -it 134 bash
+root@134d440b1480:/#
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ docker exec -it 134 bash
+
+root@134d440b1480:/# register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008
+New user localpart [root]: nihilist
+Password:
+Confirm password:
+Make admin [no]: yes
+Sending registration request...
+Success!
+
+root@134d440b1480:/# exit
+exit
+
+
+

Then we make sure that we can access the matrix server via nginx:

+

+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ cat /etc/nginx/sites-enabled/m.datura.network.conf
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # For the federation port
+    listen 8448 ssl http2;
+    listen [::]:8448 ssl http2;
+
+    server_name m.datura.network;
+
+        ssl_certificate                         /etc/acme/certs/m.datura.network/fullchain.cer;
+        ssl_certificate_key                     /etc/acme/certs/m.datura.network/m.datura.network.key;
+
+    location ~ ^(/_matrix|/_synapse/client) {
+        # note: do not add a path (even a single /) after the port in `proxy_pass`,
+        # otherwise nginx will canonicalise the URI and cause signature verification
+        # errors.
+        proxy_pass http://localhost:8008;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+
+        # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+        proxy_http_version 1.1;
+    }
+}
+	
+[ Datura-Network ] [ /dev/pts/1 ] [/srv/matrix]
+→ nginx -t
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+
+

Then we test that we can login from a matrix client (which can be installed inside a whonix VM), let's use element because we want to be able to do voicecalls:

+ + + + + +

Here we will setup a secure backup password, that is a separate password, for end to end encryption purposes. Then you can do the following steps:

+ +

Make sure you log out of every unverified session:

+ + +

You may need to log in and log out before being able to send messages so do that, then create the space along with the chatroom

+ + + + + + + + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
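Review bot: The `coturn/turnserver.conf` listing enables `allow-loopback-peers` and sets `cli-password` to the same value as `static-auth-secret`, which is then repeated as `turn_shared_secret` in `homeserver.yaml`. I would drop `allow-loopback-peers` so the relay cannot be pointed at loopback addresses, give the CLI its own password or disable it with `no-cli`, and print the secret as an obvious placeholder so readers do not copy it. The compose file publishes `8008:8008`, and the `docker container ls` output confirms `0.0.0.0:8008->8008/tcp`, so Synapse's plain-HTTP listener is exposed on every interface even though nginx only needs `http://localhost:8008`; `127.0.0.1:8008:8008` would keep it local. `chown -R 755 /srv/matrix/data` changes the owner to UID 755 instead of setting a mode, so `chmod` was probably intended, and the `ls data -lash` output shows `m.datura.network.signing.key` as `-rw-r--r--` owned by `root root`, which is worth tightening. For a server the text calls private, `SYNAPSE_REPORT_STATS: "yes"` and `turn_allow_guests: true` also look like settings to turn off or at least explain, and the `:latest` image tags mean readers will not get the same versions the tutorial was written against.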
+ + + + + + + diff --git a/servers/monero/0.png b/servers/monero/0.png new file mode 100644 index 0000000..76cd4dd Binary files /dev/null and b/servers/monero/0.png differ diff --git a/servers/monero/1.png b/servers/monero/1.png new file mode 100644 index 0000000..5710413 Binary files /dev/null and b/servers/monero/1.png differ diff --git a/servers/monero/2.png b/servers/monero/2.png new file mode 100644 index 0000000..8979f24 Binary files /dev/null and b/servers/monero/2.png differ diff --git a/servers/monero/3.png b/servers/monero/3.png new file mode 100644 index 0000000..aef7dba Binary files /dev/null and b/servers/monero/3.png differ diff --git a/servers/monero/4.png b/servers/monero/4.png new file mode 100644 index 0000000..9a35b3c Binary files /dev/null and b/servers/monero/4.png differ diff --git a/servers/monero/index.html b/servers/monero/index.html new file mode 100644 index 0000000..0aeb08c --- /dev/null +++ b/servers/monero/index.html @@ -0,0 +1,945 @@ + + + + + + + + + + + monero Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nothing@nowhere - 2021-12-07

+

Monero Node Setup

+ +

In this tutorial we're going to take a look at how to setup a monero node on a Ubuntu VM:

+ +
+
+
+
+ +
+
+
+
+

2023 easy tutorial:



+

first install monero from the repositories:

+

+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ apt install monero -y
+
+
+

create the systemd service

+

+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ vim /etc/systemd/system/moneronode.service
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ cat /etc/systemd/system/moneronode.service
+[Unit]
+Description=monerod
+After=network.target
+Wants=network.target
+
+[Service]
+ExecStart=/usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 --p2p-bind-ip=0.0.0.0 --p2p-bind-port=18080 --confirm-external-bind --non-interactive
+Restart=on-failure
+RestartSec=10s
+
+
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+
+
+

Then enable it:

+

+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl daemon-reload
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl enable --now moneronode
+Created symlink /etc/systemd/system/multi-user.target.wants/moneronode.service → /etc/systemd/system/moneronode.service.
+
+

Then wait for it to sync:

+

+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl status moneronode
+● moneronode.service - monerod
+     Loaded: loaded (/etc/systemd/system/moneronode.service; enabled; preset: enabled)
+     Active: active (running) since Sun 2023-07-09 15:36:44 CEST; 2min 22s ago
+   Main PID: 8410 (monerod)
+      Tasks: 30 (limit: 77000)
+     Memory: 1.7G
+        CPU: 1min 53.681s
+     CGroup: /system.slice/moneronode.service
+             └─8410 /usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 ->
+
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.055        I Synced 88702/2925934 (3%, 2837232 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.188        I Synced 88752/2925934 (3%, 2837182 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.310        I Synced 88802/2925934 (3%, 2837132 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.452        I Synced 88852/2925934 (3%, 2837082 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.576        I Synced 88902/2925934 (3%, 2837032 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.756        I Synced 88952/2925934 (3%, 2836982 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.890        I Synced 89002/2925934 (3%, 2836932 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.060        I Synced 89052/2925934 (3%, 2836882 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.182        I Synced 89088/2925934 (3%, 2836846 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.376        I Synced 89138/2925934 (3%, 2836796 left)
+
+
+

On a SSD it may take 1 day, and weigh approximately 60 gigs as of writing this tutorial. The synchronisation is a very disk-intensive process, and so it is required to do it on a nvme disk or ssd at least. If you try to do that on a HDD it will take much, much longer. If you don't have a choice, sync it on a nvme somewhere and then rsync it to a server that has only HDDs.

+
+
+
+
+ + +
+
+
+
+

Initial Setup

+

First let's setup the required dependencies:

+

+root@XMR:~# sudo ufw allow 18080
+Rules updated
+Rules updated (v6)
+root@XMR:~# wget https://downloads.getmonero.org/linux64
+--2021-12-07 17:46:09--  https://downloads.getmonero.org/linux64
+Resolving downloads.getmonero.org (downloads.getmonero.org)... 157.185.175.107, 157.185.145.90
+Connecting to downloads.getmonero.org (downloads.getmonero.org)|157.185.175.107|:443... connected.
+HTTP request sent, awaiting response... 302 Moved Temporarily
+Location: https://downloads.getmonero.org/cli/monero-linux-x64-v0.17.3.0.tar.bz2 [following]
+--2021-12-07 17:46:10--  https://downloads.getmonero.org/cli/monero-linux-x64-v0.17.3.0.tar.bz2
+Reusing existing connection to downloads.getmonero.org:443.
+HTTP request sent, awaiting response... 200 OK
+Length: 75791408 (72M) [application/octet-stream]
+Saving to: 'linux64'
+
+linux64                                              100%[======================================================================================================================>]  72.28M   505KB/s    in 2m 29s
+
+2021-12-07 17:48:39 (497 KB/s) - 'linux64' saved [75791408/75791408]
+
+root@XMR:~# mkdir monero
+root@XMR:~# tar -xjvf linux64 -C monero
+root@XMR:~# cd monero
+root@XMR:~/monero# cd monero-x86_64-linux-gnu-v0.17.3.0/
+	
+root@XMR:~/monero/monero-x86_64-linux-gnu-v0.17.3.0# ls -l
+total 218860
+-rw-r--r-- 1 root root    10083 Nov 30 22:07 ANONYMITY_NETWORKS.md
+-rw-r--r-- 1 root root     2730 Nov 30 22:07 LICENSE
+-rw-r--r-- 1 root root    44212 Nov 30 22:07 README.md
+-rwxr-xr-x 1 root root 13548008 Nov 30 22:07 monero-blockchain-ancestry
+-rwxr-xr-x 1 root root 12499760 Nov 30 22:07 monero-blockchain-depth
+-rwxr-xr-x 1 root root 12569272 Nov 30 22:07 monero-blockchain-export
+-rwxr-xr-x 1 root root 12927888 Nov 30 22:07 monero-blockchain-import
+-rwxr-xr-x 1 root root  9722384 Nov 30 22:07 monero-blockchain-mark-spent-outputs
+-rwxr-xr-x 1 root root 12529472 Nov 30 22:07 monero-blockchain-prune
+-rwxr-xr-x 1 root root 12501264 Nov 30 22:07 monero-blockchain-prune-known-spent-data
+-rwxr-xr-x 1 root root 12492048 Nov 30 22:07 monero-blockchain-stats
+-rwxr-xr-x 1 root root 12515000 Nov 30 22:07 monero-blockchain-usage
+-rwxr-xr-x 1 root root  8721000 Nov 30 22:07 monero-gen-ssl-cert
+-rwxr-xr-x 1 root root 25978048 Nov 30 22:07 monero-gen-trusted-multisig
+-rwxr-xr-x 1 root root 27279384 Nov 30 22:07 monero-wallet-cli
+-rwxr-xr-x 1 root root 27732200 Nov 30 22:07 monero-wallet-rpc
+-rwxr-xr-x 1 root root 23004560 Nov 30 22:07 monerod
+root@XMR:~/monero/monero-x86_64-linux-gnu-v0.17.3.0# ./monerod
+
+

To add the monero commands to your PATH, do the following:

+

+root@anonymity:~/monero/monero-x86_64-linux-gnu-v0.18.2.0# PATH=$PATH:$(pwd)
+root@anonymity:~/monero/monero-x86_64-linux-gnu-v0.18.2.0# cd
+root@anonymity:~# monerod --version
+Monero 'Fluorine Fermi' (v0.18.2.0-release)
+
+
+ +

Now from here, the monerod daemon will start synchronizing with the network.

+

+root@XMR:~/monero/monero-x86_64-linux-gnu-v0.17.3.0# ./monerod
+2021-12-07 17:50:41.765 I Monero 'Oxygen Orion' (v0.17.3.0-release)
+2021-12-07 17:50:41.765 I Initializing cryptonote protocol...
+2021-12-07 17:50:41.765 I Cryptonote protocol initialized OK
+2021-12-07 17:50:41.766 I Initializing core...
+2021-12-07 17:50:41.767 I Loading blockchain from folder /root/.bitmonero/lmdb ...
+2021-12-07 17:50:41.767 W The blockchain is on a rotating drive: this will be very slow, use an SSD if possible
+2021-12-07 17:50:41.918 I Loading checkpoints
+2021-12-07 17:50:41.918 I Core initialized OK
+2021-12-07 17:50:41.918 I Initializing p2p server...
+2021-12-07 17:50:41.919 I p2p server initialized OK
+2021-12-07 17:50:41.919 I Initializing core RPC server...
+2021-12-07 17:50:41.919 I Binding on 127.0.0.1 (IPv4):18081
+2021-12-07 17:50:43.028 I core RPC server initialized OK on port: 18081
+2021-12-07 17:50:43.029 I Starting core RPC server...
+2021-12-07 17:50:43.029 I core RPC server started ok
+2021-12-07 17:50:43.030 I Starting p2p net loop...
+2021-12-07 17:50:44.030 I
+2021-12-07 17:50:44.030 I **********************************************************************
+2021-12-07 17:50:44.031 I The daemon will start synchronizing with the network. This may take a long time to complete.
+2021-12-07 17:50:44.031 I
+2021-12-07 17:50:44.031 I You can set the level of process detailization through "set_log <level|categories>" command,
+2021-12-07 17:50:44.031 I where <level> is between 0 (no details) and 4 (very verbose), or custom category based levels (eg, *:WARNING).
+2021-12-07 17:50:44.031 I
+2021-12-07 17:50:44.031 I Use the "help" command to see the list of available commands.
+2021-12-07 17:50:44.031 I Use "help <command>" to see a command's documentation.
+2021-12-07 17:50:44.031 I **********************************************************************
+2021-12-07 17:50:46.924 I [217.168.143.169:18080 OUT] Sync data returned a new top block candidate: 1 -> 2509762 [Your node is 2509761 blocks (7.6 years) behind]
+2021-12-07 17:50:46.924 I SYNCHRONIZATION started
+2021-12-07 17:50:47.704 I Synced 101/2509762 (0%, 2509661 left)
+2021-12-07 17:50:48.003 I Synced 201/2509762 (0%, 2509561 left)
+2021-12-07 17:50:48.270 I Synced 301/2509762 (0%, 2509461 left)
+2021-12-07 17:50:48.489 I Synced 401/2509762 (0%, 2509361 left)
+2021-12-07 17:50:48.737 I Synced 501/2509762 (0%, 2509261 left)
+2021-12-07 17:50:49.404 I Synced 601/2509762 (0%, 2509161 left)
+2021-12-07 17:50:49.747 I Synced 701/2509762 (0%, 2509061 left)
+2021-12-07 17:50:50.105 I Synced 801/2509762 (0%, 2508961 left)
+2021-12-07 17:50:50.466 I Synced 901/2509762 (0%, 2508861 left)
+2021-12-07 17:50:50.812 I Synced 1001/2509762 (0%, 2508761 left)
+2021-12-07 17:50:51.142 I Synced 1101/2509762 (0%, 2508661 left)
+2021-12-07 17:50:51.478 I Synced 1201/2509762 (0%, 2508561 left)
+2021-12-07 17:50:51.798 I Synced 1301/2509762 (0%, 2508461 left)
+2021-12-07 17:50:52.106 I Synced 1401/2509762 (0%, 2508361 left)
+2021-12-07 17:50:52.311 I Synced 1501/2509762 (0%, 2508261 left)
+2021-12-07 17:50:52.486 I Synced 1601/2509762 (0%, 2508161 left)
+2021-12-07 17:50:52.705 I Synced 1701/2509762 (0%, 2508061 left)
+2021-12-07 17:50:53.052 I Synced 1801/2509762 (0%, 2507961 left)
+2021-12-07 17:50:53.301 I Synced 1901/2509762 (0%, 2507861 left)
+2021-12-07 17:50:53.486 I Synced 2001/2509762 (0%, 2507761 left)
+	
+[...]
+
+2021-12-08 22:43:43.742 I Synced 2510440/2510616 (99%, 176 left, 99% of total synced, estimated 1.4 minutes left)
+2021-12-08 22:43:54.585 I Synced 2510460/2510616 (99%, 156 left)
+2021-12-08 22:44:05.633 I Synced 2510480/2510616 (99%, 136 left)
+2021-12-08 22:44:16.890 I Synced 2510500/2510616 (99%, 116 left)
+2021-12-08 22:44:29.678 I Synced 2510520/2510616 (99%, 96 left)
+2021-12-08 22:44:38.997 I Synced 2510540/2510616 (99%, 76 left)
+2021-12-08 22:44:50.386 I Synced 2510560/2510616 (99%, 56 left)
+2021-12-08 22:45:00.147 I Synced 2510580/2510616 (99%, 36 left)
+2021-12-08 22:45:10.336 I Synced 2510600/2510616 (99%, 16 left)
+2021-12-08 22:45:20.776 I Synced 2510615/2510616 (99%, 1 left)
+2021-12-08 22:45:21.325 I Synced 2510616/2510616
+2021-12-08 22:46:17.775 I Synced 2510617/2510617
+2021-12-08 22:46:17.776 I SYNCHRONIZED OK
+2021-12-08 22:46:17.776 I
+2021-12-08 22:46:17.776 I **********************************************************************
+2021-12-08 22:46:17.776 I You are now synchronized with the network. You may now start monero-wallet-cli.
+2021-12-08 22:46:17.776 I
+2021-12-08 22:46:17.776 I Use the "help" command to see the list of available commands.
+2021-12-08 22:46:17.776 I **********************************************************************
+
+ +

Now from there you can select the monero node's IP from the monero wallet, or simply choose a local node if you have a ssd and CPU:

+ + +
+
+
+
+ +
+
+
+
+

Monero Mining



+

In order to mine monero, let's use xmrig and the p2pool network:

+

+[ 10.66.66.2/32 ] [ /dev/pts/13 ] [~]
+→ yay -S p2pool-git
+:: Checking for conflicts...
+:: Checking for inner conflicts...
+[Repo Make:2]  rhash-1.4.2-1  cmake-3.22.1-1
+[Aur:1]  p2pool-git-1.0.r16.g2a3cd13-1
+
+==> Remove make dependencies after install? [y/N] y
+  1 p2pool-git                               (Build Files Exist)
+==> Packages to cleanBuild?
+==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
+==>
+:: PKGBUILD up to date, Skipping (1/0): p2pool-git
+  1 p2pool-git                               (Build Files Exist)
+==> Diffs to show?
+==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
+==>
+:: (1/1) Parsing SRCINFO: p2pool-git
+resolving dependencies...
+looking for conflicting packages...
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/9 ] [~]
+→ monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/13 ] [~/Documents/Github]
+→ p2pool
+P2Pool v1.4.0 (built with GCC/11.1.0 on Dec 11 2021)
+
+Usage:
+
+--wallet             Wallet address to mine to. Subaddresses and integrated addresses are not supported!
+--host               IP address of your Monero node, default is 127.0.0.1
+--rpc-port           monerod RPC API port number, default is 18081
+--zmq-port           monerod ZMQ pub port number, default is 18083 (same port as in monerod's "--zmq-pub" command line parameter)
+--stratum            Comma-separated list of IP:port for stratum server to listen on
+--p2p                Comma-separated list of IP:port for p2p server to listen on
+--addpeers           Comma-separated list of IP:port of other p2pool nodes to connect to
+--light-mode         Don't allocate RandomX dataset, saves 2GB of RAM
+--loglevel           Verbosity of the log, integer number between 0 and 6
+--config             Name of the p2pool config file
+--data-api           Path to the p2pool JSON data (use it in tandem with an external web-server)
+--stratum-api        Enable /local/ path in api path for Stratum Server statistics
+--no-cache           Disable p2pool.cache
+--no-color           Disable colors in console output
+--no-randomx         Disable internal RandomX hasher: p2pool will use RPC calls to monerod to check PoW hashes
+--help               Show this help message
+
+Example command line:
+
+./p2pool --host 127.0.0.1 --rpc-port 18081 --zmq-port 18083 --wallet YOUR_WALLET_ADDRESS --stratum 0.0.0.0:3333 --p2p 0.0.0.0:37889
+
+2021-12-11 18:54:36.8175 Log started
+2021-12-11 18:54:36.8176 Log stopped
+
+
+[ 10.66.66.2/32 ] [ /dev/pts/13 ] [~/Documents/Github]
+→ p2pool --host 127.0.0.1 --wallet 447KnLGYbQrHD4npGPmqdGQ3ARqz9kgLLQfaYY9KDC7eUcyKfnwZtj1JLNSqQHKEudHNyuDeKLBbhWtPdS7SoVM54nWHw1b
+2021-12-11 18:56:08.2917 Log started
+2021-12-11 18:56:08.2918 P2Pool v1.4.0 (built with GCC/11.1.0 on Dec 11 2021)
+2021-12-11 18:56:08.2920 SideChain network type  = mainnet
+2021-12-11 18:56:08.2920 SideChain using default config
+2021-12-11 18:56:08.2920 SideChain pool name     = default
+2021-12-11 18:56:08.2920 SideChain block time    = 10 seconds
+2021-12-11 18:56:08.2920 SideChain min diff      = 100000
+2021-12-11 18:56:08.2921 SideChain PPLNS window  = 2160 blocks
+2021-12-11 18:56:08.2921 SideChain uncle penalty = 20%
+2021-12-11 18:56:08.2921 SideChain generating consensus ID
+2021-12-11 18:56:08.2921 SideChain consensus ID = 22af7ee7************************************************4407f918
+2021-12-11 18:56:08.2921 RandomX_Hasher couldn't allocate RandomX dataset using large pages
+2021-12-11 18:56:08.2921 RandomX_Hasher couldn't allocate RandomX cache using large pages
+2021-12-11 18:56:08.2922 RandomX_Hasher couldn't allocate RandomX cache using large pages
+2021-12-11 18:56:08.2922 RandomX_Hasher allocated 2592 MB
+2021-12-11 18:56:08.2923 ConsoleCommands started
+2021-12-11 18:56:08.4697 P2Pool new miner data
+---------------------------------------------------------------------------------------------------------------
+major_version           = 14
+height                  = 2512684
+prev_id                 = 9e12d7a34b225e84a9febe1effcdbee003c956cc77c25cd7f6fb446e5ce2f4c4
+seed_hash               = 8954432e62d63ad320107fbdae7fdd8667c1d69391660cffd7f99b30d0592147
+difficulty              = 353157222750
+median_weight           = 300000
+already_generated_coins = 18044465200878847465
+transactions            = 45
+---------------------------------------------------------------------------------------------------------------
+2021-12-11 18:56:08.4697 BlockTemplate base  reward = 0.767286058102 XMR, 0 transactions, fees = 0.000000000000 XMR, weight = 0
+2021-12-11 18:56:08.4697 RandomX_Hasher new seed 8954432e62d63ad320107fbdae7fdd8667c1d69391660cffd7f99b30d0592147
+2021-12-11 18:56:08.4699 BlockTemplate final reward = 0.767286058102 XMR, weight = 126, outputs = 1, 0 of 0 transactions included
+2021-12-11 18:56:08.4707 RandomX_Hasher old seed 72e85eed124de1b5098f779d89ca07c00ccf7de79f94fcc085e15bc2b45c6c73
+2021-12-11 18:56:08.7374 RandomX_Hasher couldn't allocate RandomX light VM using large pages
+2021-12-11 18:56:08.7374 RandomX_Hasher cache updated
+2021-12-11 18:56:08.7374 RandomX_Hasher running 8 threads to update dataset
+2021-12-11 18:56:12.3926 RandomX_Hasher couldn't allocate RandomX VM using large pages
+2021-12-11 18:56:12.3927 RandomX_Hasher dataset updated
+2021-12-11 18:56:12.6746 RandomX_Hasher couldn't allocate RandomX light VM using large pages
+2021-12-11 18:56:12.6747 RandomX_Hasher old cache updated
+2021-12-11 18:56:12.7170 StratumServer listening on [::]:3333
+2021-12-11 18:56:12.7170 StratumServer listening on 0.0.0.0:3333
+2021-12-11 18:56:12.7170 StratumServer event loop started
+2021-12-11 18:56:12.7175 ZMQReader connected to tcp://127.0.0.1:18083
+2021-12-11 18:56:12.7176 BlockCache loading cached blocks
+2021-12-11 18:56:12.7177 ZMQReader connected to tcp://127.0.0.1:37891
+2021-12-11 18:56:12.7177 ZMQReader worker thread ready
+2021-12-11 18:56:12.7838 BlockCache loaded 0 cached blocks
+2021-12-11 18:56:12.8336 P2PServer listening on [::]:37889
+2021-12-11 18:56:12.8336 P2PServer listening on 0.0.0.0:37889
+2021-12-11 18:56:12.8337 P2PServer event loop started
+
+ +

Now let's install xmrig:

+ +

+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~]
+→ mv Downloads/xmrig-6.16.2-linux-static-x64.tar.gz .
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~]
+→ mkdir xmrig
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~]
+→ mv xmrig-6.16.2-linux-static-x64.tar.gz xmrig/
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~]
+→ cd xmrig
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ tar xvf xmrig-6.16.2-linux-static-x64.tar.gz
+xmrig-6.16.2/
+xmrig-6.16.2/config.json
+xmrig-6.16.2/xmrig
+xmrig-6.16.2/SHA256SUMS
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ ls -l
+total 2912
+drwxr-xr-x 2 nothing nothing    4096 Dec  2 14:05 xmrig-6.16.2
+-rw-r--r-- 1 nothing nothing 2974083 Dec 11 19:02 xmrig-6.16.2-linux-static-x64.tar.gz
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ cd xmrig-6.16.2
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig/xmrig-6.16.2]
+→ ls -l
+total 6892
+-rw-r--r-- 1 nothing nothing    2351 Dec  2 14:05 config.json
+-rw-r--r-- 1 nothing nothing     150 Dec  2 14:05 SHA256SUMS
+-rwxr-xr-x 1 nothing nothing 7047360 Dec  2 14:05 xmrig
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig/xmrig-6.16.2]
+→ cd ..
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ mv xmrig-6.16.2/* .
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ ls -l
+total 9804
+-rw-r--r-- 1 nothing nothing    2351 Dec  2 14:05 config.json
+-rw-r--r-- 1 nothing nothing     150 Dec  2 14:05 SHA256SUMS
+-rwxr-xr-x 1 nothing nothing 7047360 Dec  2 14:05 xmrig
+drwxr-xr-x 2 nothing nothing    4096 Dec 11 19:04 xmrig-6.16.2
+-rw-r--r-- 1 nothing nothing 2974083 Dec 11 19:02 xmrig-6.16.2-linux-static-x64.tar.gz
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ rm xmrig-6.16.2-linux-static-x64.tar.gz
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ rm -rf xmrig-6.16.2
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ vim config.json
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ cat config.json
+{
+    "api": {
+        "id": null,
+        "worker-id": null
+    },
+    "http": {
+        "enabled": false,
+        "host": "127.0.0.1",
+        "port": 0,
+        "access-token": null,
+        "restricted": true
+    },
+    "autosave": true,
+    "background": false,
+    "colors": true,
+    "title": true,
+    "randomx": {
+        "init": -1,
+        "init-avx2": -1,
+        "mode": "auto",
+        "1gb-pages": false,
+        "rdmsr": true,
+        "wrmsr": true,
+        "cache_qos": false,
+        "numa": true,
+        "scratchpad_prefetch_mode": 1
+    },
+    "cpu": {
+        "enabled": true,
+        "huge-pages": true,
+        "huge-pages-jit": false,
+        "hw-aes": null,
+        "priority": null,
+        "memory-pool": false,
+        "yield": true,
+        "max-threads-hint": 100,
+        "asm": true,
+        "argon2-impl": null,
+        "astrobwt-max-size": 550,
+        "astrobwt-avx2": false,
+        "cn/0": false,
+        "cn-lite/0": false
+    },
+    "opencl": {
+        "enabled": false,
+        "cache": true,
+        "loader": null,
+        "platform": "AMD",
+        "adl": true,
+        "cn/0": false,
+        "cn-lite/0": false
+    },
+    "cuda": {
+        "enabled": false,
+        "loader": null,
+        "nvml": true,
+        "cn/0": false,
+        "cn-lite/0": false
+    },
+    "donate-level": 0,
+    "donate-over-proxy": 1,
+    "log-file": null,
+    "pools": [
+        {
+            "algo": null,
+            "coin": null,
+            "url": "donate.v2.xmrig.com:3333",
+            "user": "YOUR_WALLET_ADDRESS",
+            "pass": "x",
+            "rig-id": null,
+            "nicehash": false,
+            "keepalive": false,
+            "enabled": true,
+            "tls": false,
+            "tls-fingerprint": null,
+            "daemon": false,
+            "socks5": null,
+            "self-select": null,
+            "submit-to-origin": false
+        }
+    ],
+    "print-time": 60,
+    "health-print-time": 60,
+    "dmi": true,
+    "retries": 5,
+    "retry-pause": 5,
+    "syslog": false,
+    "tls": {
+        "enabled": false,
+        "protocols": null,
+        "cert": null,
+        "cert_key": null,
+        "ciphers": null,
+        "ciphersuites": null,
+        "dhparam": null
+    },
+    "user-agent": null,
+    "verbose": 0,
+    "watch": true,
+    "pause-on-battery": false,
+    "pause-on-active": false
+}
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ ./xmrig
+	
+
+ + +

Now we need to add our wallet address and change the pool to be the p2pool address 127.0.0.1:3333

+

+[ 10.66.66.2/32 ] [ /dev/pts/16 ] [~/xmrig]
+→ nmap 127.0.0.1 -p 3333
+Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-11 19:10 UTC
+Nmap scan report for localhost (127.0.0.1)
+Host is up (0.000054s latency).
+
+PORT     STATE SERVICE
+3333/tcp open  dec-notes
+
+Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
+
+[ 10.66.66.2/32 ] [ /dev/pts/16 ] [~/xmrig]
+→ cat config.json
+{
+    "api": {
+        "id": null,
+        "worker-id": null
+    },
+    "http": {
+        "enabled": false,
+        "host": "127.0.0.1",
+        "port": 0,
+        "access-token": null,
+        "restricted": true
+    },
+    "autosave": true,
+    "background": false,
+    "colors": true,
+    "title": true,
+    "randomx": {
+        "init": -1,
+        "init-avx2": -1,
+        "mode": "auto",
+        "1gb-pages": false,
+        "rdmsr": true,
+        "wrmsr": true,
+        "cache_qos": false,
+        "numa": true,
+        "scratchpad_prefetch_mode": 1
+    },
+    "cpu": {
+        "enabled": true,
+        "huge-pages": true,
+        "huge-pages-jit": false,
+        "hw-aes": null,
+        "priority": null,
+        "memory-pool": false,
+        "yield": true,
+        "asm": true,
+        "argon2-impl": null,
+        "astrobwt-max-size": 550,
+        "astrobwt-avx2": false,
+        "argon2": [0, 8, 1, 9, 2, 10, 3, 11, 4, 12, 5, 13, 6, 14, 7, 15],
+        "astrobwt": [0, 8, 1, 9, 2, 10, 3, 11, 4, 12, 5, 13, 6, 14, 7, 15],
+        "cn": [
+            [1, 0],
+            [1, 1],
+            [1, 2],
+            [1, 3],
+            [1, 4],
+            [1, 5],
+            [1, 6],
+            [1, 7]
+        ],
+        "cn-heavy": [
+            [1, 0],
+            [1, 1],
+            [1, 2],
+            [1, 3]
+        ],
+        "cn-lite": [
+            [1, 0],
+            [1, 8],
+            [1, 1],
+            [1, 9],
+            [1, 2],
+            [1, 10],
+            [1, 3],
+            [1, 11],
+            [1, 4],
+            [1, 12],
+            [1, 5],
+            [1, 13],
+            [1, 6],
+            [1, 14],
+            [1, 7],
+            [1, 15]
+        ],
+        "cn-pico": [
+            [2, 0],
+            [2, 8],
+            [2, 1],
+            [2, 9],
+            [2, 2],
+            [2, 10],
+            [2, 3],
+            [2, 11],
+            [2, 4],
+            [2, 12],
+            [2, 5],
+            [2, 13],
+            [2, 6],
+            [2, 14],
+            [2, 7],
+            [2, 15]
+        ],
+        "cn/upx2": [
+            [2, 0],
+            [2, 8],
+            [2, 1],
+            [2, 9],
+            [2, 2],
+            [2, 10],
+            [2, 3],
+            [2, 11],
+            [2, 4],
+            [2, 12],
+            [2, 5],
+            [2, 13],
+            [2, 6],
+            [2, 14],
+            [2, 7],
+            [2, 15]
+        ],
+        "ghostrider": [
+            [8, 0],
+            [8, 1],
+            [8, 2],
+            [8, 3],
+            [8, 4],
+            [8, 5],
+            [8, 6],
+            [8, 7]
+        ],
+        "rx": [0, 1, 2, 3, 4, 5, 6, 7],
+        "rx/wow": [0, 8, 1, 9, 2, 10, 3, 11, 4, 12, 5, 13, 6, 14, 7, 15],
+        "cn-lite/0": false,
+        "cn/0": false,
+        "rx/arq": "rx/wow",
+        "rx/keva": "rx/wow"
+    },
+    "log-file": null,
+    "donate-level": 1,
+    "donate-over-proxy": 1,
+    "pools": [
+        {
+            "algo": null,
+            "coin": null,
+            "url": "127.0.0.1:3333",
+            "user": "447KnLGYbQrHD4npGPmqdGQ3ARqz9kgLLQfaYY9KDC7eUcyKfnwZtj1JLNSqQHKEudHNyuDeKLBbhWtPdS7SoVM54nWHw1b",
+            "pass": "x",
+            "rig-id": null,
+            "nicehash": false,
+            "keepalive": false,
+            "enabled": true,
+            "tls": false,
+            "tls-fingerprint": null,
+            "daemon": false,
+            "socks5": null,
+            "self-select": null,
+            "submit-to-origin": false
+        }
+    ],
+    "retries": 5,
+    "retry-pause": 5,
+    "print-time": 60,
+    "dmi": true,
+    "syslog": false,
+    "tls": {
+        "enabled": false,
+        "protocols": null,
+        "cert": null,
+        "cert_key": null,
+        "ciphers": null,
+        "ciphersuites": null,
+        "dhparam": null
+    },
+    "dns": {
+        "ipv6": false,
+        "ttl": 30
+    },
+    "user-agent": null,
+    "verbose": 0,
+    "watch": true,
+    "pause-on-battery": false,
+    "pause-on-active": false
+}
+
+[ 10.66.66.2/32 ] [ /dev/pts/15 ] [~/xmrig]
+→ ./xmrig -o 127.0.0.1:3333	
+
+[term2]
+
+[ 10.66.66.2/32 ] [ /dev/pts/7 ] [blog/servers/exodus]
+→ watch -n 0.1 sensors
+
+ +

And that's it! We managed to start mining on the p2pool using xmrig, by default it is using half of the CPU. To summarize, here's the commands you want to run:

+

+monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist
+p2pool --host 127.0.0.1 --wallet 447KnLGYbQrHD4npGPmqdGQ3ARqz9kgLLQfaYY9KDC7eUcyKfnwZtj1JLNSqQHKEudHNyuDeKLBbhWtPdS7SoVM54nWHw1b
+sudo ./xmrig -o 127.0.0.1:3333
+watch -n 0.1 sensors
+htop	
+
+
+

EDIT: run xmrig with SUDO privileges, to enable msr support see here. It nearly doubles the hashrate!!!

+

EDIT: if you want to mine from another location (for example another drive with more space)

+

+monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /mnt/VAULT/XMR
+p2pool --host 127.0.0.1 --wallet 447KnLGYbQrHD4npGPmqdGQ3ARqz9kgLLQfaYY9KDC7eUcyKfnwZtj1JLNSqQHKEudHNyuDeKLBbhWtPdS7SoVM54nWHw1b
+sudo ./xmrig -o 127.0.0.1:3333
+watch -n 0.1 sensors
+htop	
+
+
+

If you want to make it a tmux session automatically, you can put it in your bashrc/ zshrc like so ((careful i added my custom location /mnt/VAULT/XMR/ in here):

+

+xmr(){
+                num=$(tmux list-sessions | grep XMR | wc -l)
+
+                # set up tmux
+                #tmux start-server
+
+                set -g mouse on
+
+                # create a new tmux session, starting vim from a saved session in the new window
+                #tmux kill-session -t $session 2>/dev/null
+                #tmux new -d -s $session -n Blog  -y 100 -x 200
+                if [ "$num" -eq "0" ]; then
+                    tmux rename-session XMR
+                    #tmux rename-window -t 0 'BlogDir'
+
+                    tmux splitw -h -p 50
+                    #second pane : monerod
+                    tmux selectp -t 2
+                    tmux send-keys "cd /mnt/VAULT/XMR/" C-m
+					tmux send-keys "monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /mnt/VAULT/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 --p2p-bind-ip=0.0.0.0 --p2p-bind-port=18080 --confirm-external-bind" C-m
+
+                    sleep 2
+                    #after 5 secs, first pane: p2pool
+                    tmux selectp -t 1
+                    tmux send-keys "p2pool --host 127.0.0.1 --wallet 447KnLGYbQrHD4npGPmqdGQ3ARqz9kgLLQfaYY9KDC7eUcyKfnwZtj1JLNSqQHKEudHNyuDeKLBbhWtPdS7SoVM54nWHw1b" C-m
+                    #select 2nd pane, split vertically
+                    tmux selectp -t 2
+                    tmux splitw -v -p 50
+                    tmux send-keys "cd /mnt/VAULT/XMR/xmrig" C-m
+                    tmux send-keys "sudo ./xmrig -o 127.0.0.1:3333 -t 4 --cpu-priority=0 -u x+10000" C-m
+                    #select 3rd pane, split vertically
+                    tmux selectp -t 3
+                    tmux splitw -v -p 50
+                    tmux send-keys "htop" C-m
+                    #select 2nd pane, split horizontally, displaying sensors
+                    tmux selectp -t 2
+                    tmux splitw -h -p 50
+                    tmux send-keys "watch -n0.1 sensors" C-m
+
+                    #select 2nd pane, split horizontally, displaying sensors
+                    tmux selectp -t 3
+                    tmux splitw -v -p 50
+                    tmux send-keys "watch -n0.1 dfc" C-m
+                    tmux selectp -t 5
+
+#ctrl+b+q to show the tmux pane numbers
+
+                                    else
+                    if [[ $TMUX ]]; then
+                        tmux switch -t XMR
+                    else
+                        tmux attach -t XMR -d
+                    fi
+                fi
+
+    }
+
+
+

If you want to run a simple node on a debian server, you can use the following systemd service (in this example the node is stored in /srv/XMR/:

+

+[ 10.8.0.2/24 ] [ home ] [~]
+→ cat /etc/systemd/system/moneronode.service
+[Unit]
+Description=monerod
+After=network.target
+Wants=network.target
+
+[Service]
+ExecStart=/usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 --p2p-bind-ip=0.0.0.0 --p2p-bind-port=18080 --confirm-external-bind --non-interactive
+Restart=on-failure
+RestartSec=10s
+
+
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+
+
+ + +
+
+
+
+ + + +
+
+
+
+

Buying XMR



+

You can buy it (ex: EUR->XMR via credit card) from here. Although be careful they have high fees. Another way of getting monero is through BISQ:

+ + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
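Review bot: In the xmr() function the monerod line binds RPC to every interface (--rpc-bind-ip=0.0.0.0 with --confirm-external-bind), although p2pool in the next pane connects with --host 127.0.0.1. For a mining box, bind RPC to 127.0.0.1 and drop --confirm-external-bind, so the unrestricted RPC on 18081 is not reachable from the network. Two smaller points in the same function: "set -g mouse on" is a tmux option, so it should read "tmux set -g mouse on" (as written it goes to the shell's own set builtin), and the comment "after 5 secs" sits directly under "sleep 2". The summary blocks also hard-code a wallet address after --wallet; a clearly named placeholder would keep readers from pasting it unchanged.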
+ + + + + + + diff --git a/servers/monero2024/0.png b/servers/monero2024/0.png new file mode 100644 index 0000000..76cd4dd Binary files /dev/null and b/servers/monero2024/0.png differ diff --git a/servers/monero2024/1.png b/servers/monero2024/1.png new file mode 100644 index 0000000..59fd9ed Binary files /dev/null and b/servers/monero2024/1.png differ diff --git a/servers/monero2024/10.png b/servers/monero2024/10.png new file mode 100644 index 0000000..ffc80d0 Binary files /dev/null and b/servers/monero2024/10.png differ diff --git a/servers/monero2024/11.png b/servers/monero2024/11.png new file mode 100644 index 0000000..d5ee9b9 Binary files /dev/null and b/servers/monero2024/11.png differ diff --git a/servers/monero2024/12.png b/servers/monero2024/12.png new file mode 100644 index 0000000..25ebda5 Binary files /dev/null and b/servers/monero2024/12.png differ diff --git a/servers/monero2024/13.png b/servers/monero2024/13.png new file mode 100644 index 0000000..6fc731c Binary files /dev/null and b/servers/monero2024/13.png differ diff --git a/servers/monero2024/14.png b/servers/monero2024/14.png new file mode 100644 index 0000000..e0b8615 Binary files /dev/null and b/servers/monero2024/14.png differ diff --git a/servers/monero2024/15.png b/servers/monero2024/15.png new file mode 100644 index 0000000..69b0cbe Binary files /dev/null and b/servers/monero2024/15.png differ diff --git a/servers/monero2024/16.png b/servers/monero2024/16.png new file mode 100644 index 0000000..7905880 Binary files /dev/null and b/servers/monero2024/16.png differ diff --git a/servers/monero2024/17.png b/servers/monero2024/17.png new file mode 100644 index 0000000..5cceae1 Binary files /dev/null and b/servers/monero2024/17.png differ diff --git a/servers/monero2024/18.png b/servers/monero2024/18.png new file mode 100644 index 0000000..e352c8a Binary files /dev/null and b/servers/monero2024/18.png differ 
diff --git a/servers/monero2024/19.png b/servers/monero2024/19.png new file mode 100644 index 0000000..4e5c10a Binary files /dev/null and b/servers/monero2024/19.png differ diff --git a/servers/monero2024/2.png b/servers/monero2024/2.png new file mode 100644 index 0000000..d495c7d Binary files /dev/null and b/servers/monero2024/2.png differ diff --git a/servers/monero2024/20.png b/servers/monero2024/20.png new file mode 100644 index 0000000..e2cd109 Binary files /dev/null and b/servers/monero2024/20.png differ diff --git a/servers/monero2024/21.png b/servers/monero2024/21.png new file mode 100644 index 0000000..8fa536b Binary files /dev/null and b/servers/monero2024/21.png differ diff --git a/servers/monero2024/22.png b/servers/monero2024/22.png new file mode 100644 index 0000000..a4c3a6c Binary files /dev/null and b/servers/monero2024/22.png differ diff --git a/servers/monero2024/23.png b/servers/monero2024/23.png new file mode 100644 index 0000000..91ec76a Binary files /dev/null and b/servers/monero2024/23.png differ diff --git a/servers/monero2024/24.png b/servers/monero2024/24.png new file mode 100644 index 0000000..551514a Binary files /dev/null and b/servers/monero2024/24.png differ diff --git a/servers/monero2024/25.png b/servers/monero2024/25.png new file mode 100644 index 0000000..32a4efc Binary files /dev/null and b/servers/monero2024/25.png differ diff --git a/servers/monero2024/26.png b/servers/monero2024/26.png new file mode 100644 index 0000000..bc87b64 Binary files /dev/null and b/servers/monero2024/26.png differ diff --git a/servers/monero2024/27.png b/servers/monero2024/27.png new file mode 100644 index 0000000..f4e7935 Binary files /dev/null and b/servers/monero2024/27.png differ diff --git a/servers/monero2024/28.png b/servers/monero2024/28.png new file mode 100644 index 0000000..89e4fa5 Binary files /dev/null and b/servers/monero2024/28.png differ 
diff --git a/servers/monero2024/29.png b/servers/monero2024/29.png new file mode 100644 index 0000000..ffabde5 Binary files /dev/null and b/servers/monero2024/29.png differ diff --git a/servers/monero2024/3.png b/servers/monero2024/3.png new file mode 100644 index 0000000..54d37c6 Binary files /dev/null and b/servers/monero2024/3.png differ diff --git a/servers/monero2024/30.png b/servers/monero2024/30.png new file mode 100644 index 0000000..7643597 Binary files /dev/null and b/servers/monero2024/30.png differ diff --git a/servers/monero2024/4.png b/servers/monero2024/4.png new file mode 100644 index 0000000..acfee9f Binary files /dev/null and b/servers/monero2024/4.png differ diff --git a/servers/monero2024/5.png b/servers/monero2024/5.png new file mode 100644 index 0000000..0e51fdf Binary files /dev/null and b/servers/monero2024/5.png differ diff --git a/servers/monero2024/6.png b/servers/monero2024/6.png new file mode 100644 index 0000000..0ebcae1 Binary files /dev/null and b/servers/monero2024/6.png differ diff --git a/servers/monero2024/7.png b/servers/monero2024/7.png new file mode 100644 index 0000000..93164d1 Binary files /dev/null and b/servers/monero2024/7.png differ diff --git a/servers/monero2024/8.png b/servers/monero2024/8.png new file mode 100644 index 0000000..0fcd906 Binary files /dev/null and b/servers/monero2024/8.png differ diff --git a/servers/monero2024/9.png b/servers/monero2024/9.png new file mode 100644 index 0000000..c44a041 Binary files /dev/null and b/servers/monero2024/9.png differ diff --git a/servers/monero2024/index.html b/servers/monero2024/index.html new file mode 100644 index 0000000..20bfa78 --- /dev/null +++ b/servers/monero2024/index.html @@ -0,0 +1,307 @@ + + + + + + + + + + + How to acquire and use Monero + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-28

+

How to acquire and use Monero

+ +

In this tutorial we're going to take a look at how to setup a monero wallet locally, how to recieve some monero there, and how to send monero to someone else.

+ +
+
+
+
+ + +
+
+
+
+

Wallet Setup



+GUI Wallet Setup +

Now on whonix there can be some issues with syncing to the monero nodes over the CLI monero wallet, due to the slow tor network and connection timeouts, So we'll first cover how to install the GUI monero wallet:

+

First let's download the monero GUI wallet from https://getmonero.org: (.onion address: http://monerotoruzizulg5ttgat2emf4d6fbmiea25detrmmy7erypseyteyd.onion )

+ +

Then we unpack it on the desktop and run the appimage:

+

+[ Whonix ] [ /dev/pts/5 ] [~]
+→ mv /home/user/.tb/tor-browser/Browser/Downloads/monero-gui-linux-x64-v0.18.3.3.tar.bz2 ~/Desktop/
+
+[ Whonix ] [ /dev/pts/5 ] [~/Desktop]
+→ cd Desktop
+
+
+[ Whonix ] [ /dev/pts/5 ] [~/Desktop]
+→ tar -xvf monero-gui-linux-x64-v0.18.3.3.tar.bz2                                                                                                                                                                                                                            (2)
+monero-gui-v0.18.3.3/
+monero-gui-v0.18.3.3/LICENSE
+monero-gui-v0.18.3.3/extras/
+monero-gui-v0.18.3.3/extras/monero-blockchain-ancestry
+
+[...]
+
+monero-gui-v0.18.3.3/monero-wallet-gui
+monero-gui-v0.18.3.3/monero-wallet-gui.AppImage
+monero-gui-v0.18.3.3/monerod
+
+[ Whonix ] [ /dev/pts/5 ] [~/Desktop]
+→ cd monero-gui-v0.18.3.3
+
+[ Whonix ] [ /dev/pts/5 ] [~/Desktop/monero-gui-v0.18.3.3]
+→ ls
+LICENSE  extras  monero-gui-wallet-guide.pdf  monero-wallet-gui  monero-wallet-gui.AppImage  monerod
+
+[ Whonix ] [ /dev/pts/5 ] [~/Desktop/monero-gui-v0.18.3.3]
+→ ./monero-wallet-gui.AppImage                                                                                                                                                                                                                                             (130)
+2024-04-27 09:57:47.456 W Qt:5.15.13 GUI:- | screen: 3840x2160 - available: QSize(3840, 2129) - dpi: 96 - ratio:2.22803
+2024-04-27 09:57:49.847 W qrc:/qt-project.org/imports/QtQuick/Dialogs/DefaultFileDialog.qml:413:17: QML ToolButton: Binding loop detected for property "implicitHeight"
+2024-04-27 09:57:49.850 W qrc:/qt-project.org/imports/QtQuick/Dialogs/DefaultFileDialog.qml:309:21: QML Button: Binding loop detected for property "implicitHeight"
+
+
+

Now that the archive is extracted, make sure that the monero wallet gets added to the list of software of your OS:

+ + +

Here we use advanced mode as we want to choose our node:

+ + + + +

Here very important, make sure you save your monero mnemonic phrase (recovery phrase) into your keepass, along with the recovery height, :

+ + +

Then have a wallet password (local password) to open your wallet locally::

+ + + +

Here we pick a clearnet monero node (if you dont want to, scroll down to know how to setup a .onion monero node)

+ + + + +

Here just wait for the monero wallet to finish synchronizing with the monero node:

+ +

Now here you can use the monero wallet like that without going through tor (but here we're in whonix so it goes through tor anyway), if you want to use .onion monero nodes you will need to enable the SOCKS5 proxy option inside the wallet:

+ + +

Now with this setup we can use .onion monero nodes as follows (pick one you trust from https://monero.fail/ for example my .onion monero node at this URL: http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion:18081

+ +

Here again, wait for the monero wallet to finish synchronizing to be able to recieve and send monero:

+ +

Now that we're setup let's get some monero from localmonero.co:

+

AS OF 7TH OF MAY 2024 LOCALMONERO HAS STOPPED OPERATING, THEY WERE THE ONLY DIRECT FIAT -> XMR OPTION WITHOUT ANY KYC. this means you're now forced to use Haveno DEX!!!!

+ + + + +

Now we want to buy monero for euros, for speed i recommend just buying some using SEPA instant transfer if your bank accepts it. However if you don't mind waiting weeks, the preferred method on localmonero.co is cash-by-mail, as cash can't be traced. But still, it shoudln't matter even if you buy monero with your credit card to a random vendor, your bank will see that you sent money to someone, and if the vendor is malicious they may log that you bought some monero, but still they will be unable to know what you do with your monero. it's like retrieving cash from the bank, the bank knows you bought some cash but they can't know what you do with it.

+

So here we want to find a vendor that offers monero for SEPA instant transfers, preferably someone who doesn't do KYC.

+ +

The trade should go like this:

+
    +
  • 0) you send the monero address
  • +
  • 1) they send you the IBAN to send the bank transfer to,
  • +
  • 2) you send them the money,
  • +
  • 3) and then you declare that you have paid on monero,
  • +
  • 4) and then you wait 30 minutes approximately to recieve the monero.
  • +
+ +

if trade is completed smoothly, always rate vendors as trustworthy, as this is how localmonero works, always on trust.

+

Now that you recieved some monero, you can send them to whoever has a XMR address like i do:

+ +

for example if you want to donate a few leftovers moneros like this feel free to do so:

+ +

Keep in mind that services that ask you to pay monero, they will ask you to send an EXACT monero amount for purchases (ex: 0.763011 XMR), that is intentional, do not send more than requested as it is used to know from which customer the monero comes from.

+ +BONUS: CLI Wallet Setup +

If you want to get the full Haxx0r vibes, you can install the monero CLI wallet aswell:

+

+[ mainpc ] [ /dev/pts/2 ] [~/Desktop]
+→ apt install monero -y
+
+[ mainpc ] [ /dev/pts/2 ] [~/Desktop]
+→ monero-wallet-cli --version
+Monero 'Fluorine Fermi' (v0.18.0.0-unknown)
+
+
+ +

Once it finishes installing, create your monero wallet:

+ +

If you're doing it from a whonix VM, then say no to mining and use an onion-based monero daemon (if not on a whonix VM, then use a clearnet monero node), like the one i'm hosting, you can find a full list of other ones on monero.fail or on xmr.datura.network :

+ +

Wait for it to finish synchronizing, then you can go get some monero from a vendor on localmonero.co (by giving them a wallet address you'd have created:

+

+apt install monero -y
+
+monero-wallet-cli
+#follow the instructions to create your wallet
+#synchronize it with this command:
+set_daemon http://uyjehlovjudh2wlvkp5a2seme5vgqc4o463atkv2ulsovloqrqw2icyd.onion:18081 trusted
+#then wait for the daemon to finish synchronizing, and type "refresh" regularly to make sure that it synchronizes with the node, expect to type that command a few times as tor connections are unstable at times.
+
+#OR you can use a clearnet monero node, but this is not recommended because you may be spied on!
+
+[wallet 49vq93 (no daemon)]: set_daemon  http://datura.network:18081
+Error: This is not Tor/I2P address, and is not a trusted daemon.
+Error: Either use your own trusted node, connect via Tor or I2P, or pass this-is-probably-a-spy-node and be spied on.
+
+[wallet 49vq93 (no daemon)]: set_daemon http://datura.network:18081 this-is-probably-a-spy-node
+Warning: connecting to a non-local daemon without SSL, passive adversaries will be able to spy on you.
+Daemon set to http://datura.network:18081, untrusted
+[wallet 49vq93 (out of sync)]: refresh
+Starting refresh...
+
+[wallet 49vq93 (out of sync)]: refresh
+Starting refresh...
+Refresh done, blocks received: 19388
+Currently selected account: [0] Primary account
+Tag: (No tag assigned)
+Balance: 0.000000000000, unlocked balance: 0.000000000000
+
+
+ +

Once that's done, you can order monero from a non-KYC exchange here (out of which i recommend using Haveno DEX.

+

You're going to need to create a monero address first like so:

+

+[wallet 49vq93]: help
+
+Important commands:
+
+"welcome" - Show welcome message.
+"help all" - Show the list of all available commands.
+"help <command>" - Show a command's documentation.
+"apropos <keyword>" - Show commands related to a keyword.
+
+"wallet_info" - Show wallet main address and other info.
+"balance" - Show balance.
+"address all" - Show all addresses.
+"address new" - Create new subaddress.
+"transfer <address> " - Send XMR to an address.
+"show_transfers [in|out|pending|failed|pool]" - Show transactions.
+"sweep_all <address>" - Send whole balance to another wallet.
+"seed" - Show secret 25 words that can be used to recover this wallet.
+"refresh" - Synchronize wallet with the Monero network.
+"status" - Check current status of wallet.
+"version" - Check software version.
+"exit" - Exit wallet.
+
+"donate <amount>" - Donate XMR to the development team.
+
+[wallet 49vq93 (out of sync)]: address new
+1  85j1rw64XoMhrXc55kwdCdFAmXaiU23MHYf1VBSLExTve5WM1NeFfw13wXrDeUumj48h5G4nuw3tuAxqpw5WyXniE8pE8uK  (Untitled address)
+[wallet 49vq93 (out of sync)]: address new localmonero
+2  89uyMGJunXfSC375iEptD2WLCb5uidKJSEuUYL3n5fRMg6ccM7L5prSUi9YGgGFPS5T8Z95BJh93HKykUYWECmNfJhNFb9z  localmonero
+
+
+

in this case, we'll use the 89uyMGJunXfSC375iEptD2WLCb5uidKJSEuUYL3n5fRMg6ccM7L5prSUi9YGgGFPS5T8Z95BJh93HKykUYWECmNfJhNFb9z address for all trades on haveno DEX. DO NOT USE IT ELSEWHERE! just like passwords, you want to have one per service. If you want to recieve monero from another place, create a new address.

+ + +

Check out my other tutorials on Decentralised Finances below:

+
    +
  1. ✅ How to acquire and use Monero
  2. +
  3. ✅ Haveno Decentralised Exchange direct Fiat -> XMR transaction ⭐
  4. +
  5. ✅ Haveno DEX Dispute resolution (Fiat -> XMR)
  6. +
  7. ✅ Haveno DEX Bank Transfer (ex: SEPA) -> XMR transaction
  8. +
  9. ✅ Haveno DEX Cash By Mail -> XMR transaction ⭐

+ + +
+
+
+
+ + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
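Review bot: The GUI wallet steps go from moving monero-gui-linux-x64-v0.18.3.3.tar.bz2 out of the Tor Browser download folder straight to "tar -xvf" and "./monero-wallet-gui.AppImage", with no integrity check in between. Add a step that verifies the archive's hash against the signed hash list the project publishes before anything is extracted or run, since this binary will hold the wallet keys. In the CLI section, "set_daemon http://[onion node]:18081 trusted" marks a node the reader does not operate as trusted; the error text quoted a few lines later only demands a trust flag for addresses that are not Tor/I2P, so the keyword can be dropped for an onion node. Finally, the steps that follow the notice that LocalMonero stopped operating on 7 May 2024 still tell the reader to buy from localmonero.co; they should point at Haveno or be marked as historical.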
+ + + + + + + diff --git a/servers/monero2024/node.html b/servers/monero2024/node.html new file mode 100644 index 0000000..89505a2 --- /dev/null +++ b/servers/monero2024/node.html @@ -0,0 +1,264 @@ + + + + + + + + + + + Monero Node Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-01-31

+

Monero Node Setup

+ +

In this tutorial we're going to take a look at how to setup a monero node

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

First install monero from the repositories:

+

+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ apt install monero -y
+	
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ vim /etc/systemd/system/moneronode.service
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ cat /etc/systemd/system/moneronode.service
+[Unit]
+Description=monerod
+After=network.target
+Wants=network.target
+
+[Service]
+ExecStart=/usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 --p2p-bind-ip=0.0.0.0 --p2p-bind-port=18080 --confirm-external-bind --non-interactive
+Restart=on-failure
+RestartSec=10s
+
+
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+
+

If you want to have a local-only monero node to use over tor, you can use this config instead:

+

+[ Wonderland ] [ /dev/pts/9 ] [/mnt/md3]
+→ cat /etc/systemd/system/moneronode.service
+[Unit]
+Description=monerod
+After=network.target
+Wants=network.target
+
+[Service]
+ExecStart=/usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /mnt/md3/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=127.0.0.1 --p2p-bind-ip=127.0.0.1 --p2p-bind-port=18080 --non-interactive
+Restart=on-failure
+RestartSec=10s
+
+
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+
+
+
+

Then wait for it to sync after enabling the systemd service:

+

+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl daemon-reload
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl enable --now moneronode
+Created symlink /etc/systemd/system/multi-user.target.wants/moneronode.service → /etc/systemd/system/moneronode.service.
+
+[ Datura Network ] [ /dev/pts/0 ] [/srv/datura.network]
+→ systemctl status moneronode
+● moneronode.service - monerod
+     Loaded: loaded (/etc/systemd/system/moneronode.service; enabled; preset: enabled)
+     Active: active (running) since Sun 2023-07-09 15:36:44 CEST; 2min 22s ago
+   Main PID: 8410 (monerod)
+      Tasks: 30 (limit: 77000)
+     Memory: 1.7G
+        CPU: 1min 53.681s
+     CGroup: /system.slice/moneronode.service
+             └─8410 /usr/bin/monerod --zmq-pub tcp://127.0.0.1:18083 --disable-dns-checkpoints --enable-dns-blocklist --data-dir /srv/XMR --block-sync-size=50 --out-peers 100 --prep-blocks-threads=128 --prune-blockchain --sync-pruned-blocks --rpc-bind-port=18081 --rpc-bind-ip=0.0.0.0 ->
+
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.055        I Synced 88702/2925934 (3%, 2837232 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.188        I Synced 88752/2925934 (3%, 2837182 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.310        I Synced 88802/2925934 (3%, 2837132 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.452        I Synced 88852/2925934 (3%, 2837082 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.576        I Synced 88902/2925934 (3%, 2837032 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.756        I Synced 88952/2925934 (3%, 2836982 left)
+Jul 09 15:39:06 Datura monerod[8410]: 2023-07-09 13:39:06.890        I Synced 89002/2925934 (3%, 2836932 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.060        I Synced 89052/2925934 (3%, 2836882 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.182        I Synced 89088/2925934 (3%, 2836846 left)
+Jul 09 15:39:07 Datura monerod[8410]: 2023-07-09 13:39:07.376        I Synced 89138/2925934 (3%, 2836796 left)
+	
+
+

On a SSD it may take 1 day, and weigh approximately 60 gigs as of writing this tutorial. The synchronisation is a very disk-intensive process, and so it is required to do it on a nvme disk or ssd at least. If you try to do that on a HDD it will take much, much longer. If you don't have a choice, sync it on a nvme somewhere and then rsync it to a server that has only HDDs.

+ +

Then allow the ports you want from ufw:

+

+root@XMR:~# sudo ufw allow 18080
+Rules updated
+Rules updated (v6)
+
+root@XMR:~# sudo ufw allow 18081
+Rules updated
+Rules updated (v6)
+
+
+

Once you've finished setting up your monero instance, make sure you have it listed on https://monero.fail or on https://xmr.datura.network.

+
+
+
+
+
+
+
+
+

Onion Setup

+

Once your monero node is synchronized, you can allow tor users to access it via a .onion link like so:

+

+[ Wonderland ] [ /dev/pts/9 ] [~]
+→ apt install tor
+
+[ Wonderland ] [ /dev/pts/9 ] [~]
+→ cat /etc/tor/torrc
+HiddenServiceDir /var/lib/tor/monero-service/
+HiddenServicePort 18080 127.0.0.1:18080
+HiddenServicePort 18081 127.0.0.1:18081
+
+
+[ Wonderland ] [ /dev/pts/9 ] [~]
+→ systemctl restart tor@default
+
+
+

Then find your onion link right here:

+

+[ Wonderland ] [ /dev/pts/9 ] [~]
+→ cat /var/lib/tor/monero-service/hostname
+uyjehlovjudh2wlvkp5a2seme5vgqc4o463atkv2ulsovloqrqw2icyd.onion
+
+
+

And then you can use it to connect to it via your monero wallet. as shown here

+

+apt install monero -y
+
+monero-wallet-cli
+#follow the instructions to create your wallet
+#synchronize it with this command:
+set_daemon http://uyjehlovjudh2wlvkp5a2seme5vgqc4o463atkv2ulsovloqrqw2icyd.onion:18081 trusted
+#then wait for the daemon to finish synchronizing, and type "refresh" regularly to make sure that it synchronizes with the node, expect to type that command a few times as tor connections are unstable at times.
+refresh
+status
+
+
+
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
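Review bot: The first moneronode.service unit exposes monerod's RPC on all interfaces (--rpc-bind-ip=0.0.0.0 --confirm-external-bind) without --restricted-rpc, and the ufw step then opens 18081, on a node the page asks readers to list publicly. Add --restricted-rpc to the ExecStart line of the public unit, and to the local-only unit as well, since the torrc further down publishes 18081 as an onion service. Neither [Service] section sets User=, so monerod runs as root; a dedicated unprivileged account that owns the data dir would be the safer default to document.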
+ + + + + + + diff --git a/servers/nonkycdomains/0.png b/servers/nonkycdomains/0.png new file mode 100644 index 0000000..33041af --- /dev/null +++ b/servers/nonkycdomains/0.png @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/servers/nonkycdomains/1.png b/servers/nonkycdomains/1.png new file mode 100644 index 0000000..f2111f5 Binary files /dev/null and b/servers/nonkycdomains/1.png differ diff --git a/servers/nonkycdomains/10.png b/servers/nonkycdomains/10.png new file mode 100644 index 0000000..55a16f9 Binary files /dev/null and b/servers/nonkycdomains/10.png differ diff --git a/servers/nonkycdomains/11.png b/servers/nonkycdomains/11.png new file mode 100644 index 0000000..13231a5 Binary files /dev/null and b/servers/nonkycdomains/11.png differ diff --git a/servers/nonkycdomains/12.png b/servers/nonkycdomains/12.png new file mode 100644 index 0000000..2bb851e Binary files /dev/null and b/servers/nonkycdomains/12.png differ diff --git a/servers/nonkycdomains/2.png b/servers/nonkycdomains/2.png new file mode 100644 index 0000000..2fa3a68 Binary files /dev/null and b/servers/nonkycdomains/2.png differ diff --git a/servers/nonkycdomains/3.png b/servers/nonkycdomains/3.png new file mode 100644 index 0000000..9387c40 Binary files /dev/null and b/servers/nonkycdomains/3.png differ diff --git a/servers/nonkycdomains/4.png b/servers/nonkycdomains/4.png new file mode 100644 index 0000000..bd57e23 Binary files /dev/null and b/servers/nonkycdomains/4.png differ diff --git a/servers/nonkycdomains/5.png b/servers/nonkycdomains/5.png new file mode 100644 index 0000000..2640667 Binary files /dev/null and b/servers/nonkycdomains/5.png differ diff --git a/servers/nonkycdomains/6.png b/servers/nonkycdomains/6.png new file mode 100644 index 0000000..d97c33e Binary files /dev/null and b/servers/nonkycdomains/6.png differ 
diff --git a/servers/nonkycdomains/7.png b/servers/nonkycdomains/7.png new file mode 100644 index 0000000..76fc9ba Binary files /dev/null and b/servers/nonkycdomains/7.png differ diff --git a/servers/nonkycdomains/8.png b/servers/nonkycdomains/8.png new file mode 100644 index 0000000..4279f4f Binary files /dev/null and b/servers/nonkycdomains/8.png differ diff --git a/servers/nonkycdomains/9.png b/servers/nonkycdomains/9.png new file mode 100644 index 0000000..938b345 Binary files /dev/null and b/servers/nonkycdomains/9.png differ diff --git a/servers/nonkycdomains/index.html b/servers/nonkycdomains/index.html new file mode 100644 index 0000000..b8de997 --- /dev/null +++ b/servers/nonkycdomains/index.html @@ -0,0 +1,142 @@ + + + + + + + + + + + nonkycdomains Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 00 / 00 / 00

+

nonkycdomains Setup

+ +

In this tutorial we're going to look at how to get a domain name without giving away your personal data:

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

Lets' buy a domain at a non-KYC registrar that isn't njal.la. So for this tutorial i'll use incognet.io, and make sure you access their website using the tor browser:

+ + + + +

Then we choose the nameservers, i'll leave it at default for now:

+ + + +

Here very important that you specify an email address that cannot be traced back to you, as we saw in our previous tutorial, and make sure you also pay using monero:

+ + + + + + + +

Now incognet.io registers the domain names manually, so we need to wait a bit:

+ + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + + diff --git a/servers/on0.png b/servers/on0.png new file mode 100644 index 0000000..959e8b7 Binary files /dev/null and b/servers/on0.png differ diff --git a/servers/on1.png b/servers/on1.png new file mode 100644 index 0000000..04e6808 Binary files /dev/null and b/servers/on1.png differ diff --git a/servers/on2.png b/servers/on2.png new file mode 100644 index 0000000..e4ae12c Binary files /dev/null and b/servers/on2.png differ diff --git a/servers/openhardware/0.png b/servers/openhardware/0.png new file mode 100644 index 0000000..2540999 Binary files /dev/null and b/servers/openhardware/0.png differ diff --git a/servers/openhardware/1.png b/servers/openhardware/1.png new file mode 100644 index 0000000..6c279ad Binary files /dev/null and b/servers/openhardware/1.png differ diff --git a/servers/openhardware/2.png b/servers/openhardware/2.png new file mode 100644 index 0000000..984b241 Binary files /dev/null and b/servers/openhardware/2.png differ diff --git a/servers/openhardware/3.png b/servers/openhardware/3.png new file mode 100644 index 0000000..f03afdc Binary files /dev/null and b/servers/openhardware/3.png differ diff --git a/servers/openhardware/4.png b/servers/openhardware/4.png new file mode 100644 index 0000000..7b3da3e Binary files /dev/null and b/servers/openhardware/4.png differ diff --git a/servers/openhardware/5.jpeg b/servers/openhardware/5.jpeg new file mode 100644 index 0000000..808bc64 Binary files /dev/null and b/servers/openhardware/5.jpeg differ diff --git a/servers/openhardware/6.png b/servers/openhardware/6.png new file mode 100644 index 0000000..7e0f7f1 Binary files /dev/null and b/servers/openhardware/6.png differ diff --git a/servers/openhardware/7.png b/servers/openhardware/7.png new file mode 100644 index 0000000..4bcd312 Binary files /dev/null and b/servers/openhardware/7.png differ 
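Review bot: In servers/nonkycdomains/index.html the byline still carries the template placeholder `nihilist - 00 / 00 / 00` and the title is the directory slug (`nonkycdomains Setup`); fill in the host and date the way the other pages do (for example `nihilist@mainpc - 2024-07-10`) and give the page a readable title. The body also stops at "we need to wait a bit:" without saying what the reader should see once the registration completes, and the nameservers left "at default for now" are never revisited, so a closing step covering both would finish the tutorial. Small fixes: `Lets'` should be `Let's`, and "Here very important that" is missing "it is".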
diff --git a/servers/openhardware/8.png b/servers/openhardware/8.png new file mode 100644 index 0000000..c4e2142 Binary files /dev/null and b/servers/openhardware/8.png differ diff --git a/servers/openhardware/index.html b/servers/openhardware/index.html new file mode 100644 index 0000000..3a3d3fe --- /dev/null +++ b/servers/openhardware/index.html @@ -0,0 +1,182 @@ + + + + + + + + + + + The lack of Open Source Hardware (CPUs, Motherboards, GPUs) + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-07-10

+

The lack of Open Source Hardware (CPUs, Motherboards, GPUs)

+ + +
+
+
+
+ + +
+
+
+
+

Why Open Source Hardware is vital

+

When we're talking Privacy, we have one key requirement: It must be open source. If you don't know/ can't know the inner details of your system, then you can't tell if the manufacturer has the ability to spy on you through the product. It is a matter of Transparency, to be able to verify if you are not being spied on, you must be able to inspect the ins and outs of your system in it's entirety. Only after having verified the entire system can you proclaim that you have privacy (from the manufacturer in this case) while using the system.

+ +

When we're talking Computers, we have these 5 basic layers:

+
    +
  1. Layer 4: OS and Applications (ex: matrix chat, firefox, etc)

  2. +
  3. Layer 3: Kernel (ex: the Linux Kernel (written in C))

  4. +
  5. Layer 2: Assembler (ex: Direct CPU instructions derived from the C compilation)

  6. +
  7. Layer 1: Firmware (ex: low-level software to provide control over CPU, motherboard, GPU, etc)

  8. +
  9. Layer 0: Hardware (ex: your motherboard, CPU, GPU, Ethernet port etc)

  10. +
+

The problem is, if you have closed-source hardware (such as an Intel or AMD CPU, or a nvidia graphics card, or a msi motherboard), you can at most have open-source software and protocols all the way down to layer 2, but not further below. That's because you have hardware manufacturers creating products, but they are keeping the method as to how they create them a proprietary secret. Because you can't audit it yourself, you can't tell if there is any spyware baked into it or not.

+ +

Take for example AMD's PSP or Intel's Management Engine, which are both alleged backdoors implemented directly in consummers' CPUs. In the case of Intel's processor chipsets, all CPUs since 2008 are to be considered backdoored by Intel ME, and there's nothing you can do about it, without knowing intel's secret way to disable it.[1][2][3] It is located in the Platform Controller Hub of modern Intel motherboards.

+

check out this video for a deep dive into Intel's Management Engine from 36c3 chaoswest 2019.

+

Regarding non-free firmware, even Debian has been forced to accept this reality in 2022 in their general resolution vote. In short, they now ship non-free firmware by default because 99.999999% of the people out there are running closed-source hardware CPUs, or GPUs, etc.

+

TLDR: if you use closed-source hardware, you won't be able to get open source firware for the CPU, GPU or motherboard. You cannot ever be 100% sure that your hardware itself contains a spying mechanism, because you can't check it yourself, be it in your motherboard, CPU, GPU, or network interfaces.

+
+
+
+
+ +
+
+
+
+

The Closed-Source Hardware Monopoly upon the market



+

Hardware production is a much more costly endeavor than software production, given the energy and techniques required to create the electronic components to produce computers. Profit companies don't want to share their production secrets just like software companies to avoid competition and soak up all the profits they can get.

+

Let's look currently at what's the status of hardware on the market, are there that many open source options ?

+ +

+ +

+ +

+ +

In short, no, the market is currently utterly dominated and saturated by these profit companies, which are all selling closed-source hardware. Open source hardware as a concept is not even a thing for them, it's all proprietary hardware, and firmware, this applies to Graphics Cards, CPUs, Motherboards, and Computers in general.

+ +
+
+
+
+ + + +
+
+
+
+

The current status of Open Source Hardware on the market



+

You can count companies that sell open source hardware on your fingers currently, they are of a very rare breed. We have the example of MNT Reform

+ + +

Here we have the example of MNT reform, selling a laptop that you can entirely repair (by buying the hardware parts) yourself. from the batteries, to the Keyboard, to the monitor, hell, even the motherboard, but still even here the CPU and it's firmware are not open source [1]. For the rest, they try to maintain the open hardware requirement. They ship the laptop with all the electrical schematics for you to look through them and see if it holds true that they aren't spying on you.

+

Check out this video for a full unbox review of the mnt reform laptop.

+

Performance wise, can this compare to consumer grade laptops ? Sadly, not yet. Not even close. In the future if this project picks up steam big time, you might see competitors to Intel and AMD's monopoly.

+

Another top candidate coming up slowly is the Open RISC-V CPU architecture, aimed at dethroning the 2 CPU giants. But the project is still trying to pick up speed and adoption currently.

+ + +

While i am very hopeful that with enough education spreading out the need for open hardware in the industry, for individuals' right to privacy, the market will change for the better. But the fact remains that the main manufacturers are under false democracies, where individual liberties are trampled on every day. The only thing they care about is profit, not your individual freedoms.

+

Therefore i'll conclude with the following: Even for Privacy purposes, We use the tools that we have at our disposal currently, even if it means using open-source software on closed-source hardware, until the market finally embraces fully open-source software, and fully open-source hardware.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
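Review bot: The TLDR paragraph in servers/openhardware/index.html says the opposite of what the page argues: "You cannot ever be 100% sure that your hardware itself contains a spying mechanism" should read "does not contain". In the same section AMD PSP and Intel ME are introduced as "alleged backdoors", and one sentence later all Intel CPUs since 2008 "are to be considered backdoored"; pick one framing and keep it. The "99.999999%" figure needs a source or should become "almost everyone". The marker [1] is used for the Intel ME references and again for the MNT Reform CPU claim, so the footnote numbers collide. Typos: `consummers`, `firware`, `it's entirety`, `it's firmware`.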
+ + + + + + + diff --git a/servers/opsec/1.png b/servers/opsec/1.png new file mode 100644 index 0000000..4358d49 Binary files /dev/null and b/servers/opsec/1.png differ diff --git a/servers/opsec/10.png b/servers/opsec/10.png new file mode 100644 index 0000000..11e1e46 Binary files /dev/null and b/servers/opsec/10.png differ diff --git a/servers/opsec/11.png b/servers/opsec/11.png new file mode 100644 index 0000000..0269865 Binary files /dev/null and b/servers/opsec/11.png differ diff --git a/servers/opsec/12.png b/servers/opsec/12.png new file mode 100644 index 0000000..c3cd2bb Binary files /dev/null and b/servers/opsec/12.png differ diff --git a/servers/opsec/2.png b/servers/opsec/2.png new file mode 100644 index 0000000..8fe0f33 Binary files /dev/null and b/servers/opsec/2.png differ diff --git a/servers/opsec/3.png b/servers/opsec/3.png new file mode 100644 index 0000000..29e8e9a Binary files /dev/null and b/servers/opsec/3.png differ diff --git a/servers/opsec/4.png b/servers/opsec/4.png new file mode 100644 index 0000000..d829515 Binary files /dev/null and b/servers/opsec/4.png differ diff --git a/servers/opsec/5.png b/servers/opsec/5.png new file mode 100644 index 0000000..9f9e5a8 Binary files /dev/null and b/servers/opsec/5.png differ diff --git a/servers/opsec/6.png b/servers/opsec/6.png new file mode 100644 index 0000000..185b038 Binary files /dev/null and b/servers/opsec/6.png differ diff --git a/servers/opsec/7.png b/servers/opsec/7.png new file mode 100644 index 0000000..8320032 Binary files /dev/null and b/servers/opsec/7.png differ diff --git a/servers/opsec/8.png b/servers/opsec/8.png new file mode 100644 index 0000000..b0f61dc Binary files /dev/null and b/servers/opsec/8.png differ diff --git a/servers/opsec/9.png b/servers/opsec/9.png new file mode 100644 index 0000000..63894f9 Binary files /dev/null and b/servers/opsec/9.png differ diff --git a/servers/opsec/index.html b/servers/opsec/index.html new file mode 100644 index 0000000..f8b2b66 
--- /dev/null +++ b/servers/opsec/index.html @@ -0,0 +1,294 @@ + + + + + + + + + + + OPSEC: Using the right Technology and Behavior + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-06

+

OPSEC: Using the right Technology and Behavior

+

OPSEC, or Operational Security, is a process aimed at identifying if your actions can be observed by an adversary. In this context, how good your OPSEC is, determines the level of your privacy and anonymity.

+ +

By default, if you're not careful with the technology you use, your very ability to have privacy and anonymity is not possible. And if your behavior isn't strictly controlled to protect your anonymity while using those technologies, that can also compromise both privacy and anonymity.

+ +

If you wish to have Privacy and Anonymity online, you need to use the correct technologies, and to have the correct behavior when using them.

+ +
+
+
+
+ + +
+
+
+
+

Improve your OPSEC using Technology

+

The first and foremost step when you wish to protect your OPSEC, is to use the correct technologies that will let you have Privacy (lack of surveillance), and Anonymity (lack of identification). Be sure of one thing; You will never have privacy, nor anonymity until you use the right techonologies.

+

We're going to cover 6 scenarios into which Bob tries to be anonymous online, as you will see, Bob's level of privacy and anonymity will vary greatly, based on what technologies he uses to access and use his account on nowhere.com

+

+

Scenario 1: Closed source software, and no protection

+ +Technology used: +
    +
  1. Host OS: Windows (closed source)

  2. +
  3. Web Browser: google chrome (closed source)

  4. +
  5. Internet Connection: direct connection via his Internet service provider

  6. +
+Actions: +
    +
  1. Bob uses his windows OS to open his web browser

  2. +
  3. Bob uses the google chrome web browser to access nowhere.com

  4. +
  5. Bob goes on nowhere.com and creates an account

  6. +
  7. Bob logs on his account and posts a comment

  8. +
+Consequences: +
    +
  1. Microsoft is aware of everything that Bob did with his windows OS

  2. +
  3. Google is aware of everything that Bob did with his chrome web browser

  4. +
  5. Bob's ISP is aware that Bob went on nowhere.com

  6. +
  7. the nowhere.com admins sees that Bob's home IP address logged into the account and posted a comment

  8. +
+

Summary: Bob posted a comment on nowhere.com and Microsoft; Google; his ISP; and the nowhere.com admins are all aware that it is Bob that did it. Bob has no privacy, and no anonymity whatsoever.

+

+

Scenario 2: Closed source software, and using a VPN

+ +Technology used: +
    +
  1. Host OS: Windows (closed source)

  2. +
  3. Web Browser: google chrome (closed source)

  4. +
  5. Internet Connection: using a VPN

  6. +
+Actions: +
    +
  1. Bob uses his windows OS to open his vpn connection

  2. +
  3. Bob, once connected via his VPN, opens his google chrome web browser

  4. +
  5. Bob uses the google chrome web browser to access nowhere.com

  6. +
  7. Bob goes on nowhere.com and creates an account

  8. +
  9. Bob logs on his account and posts a comment

  10. +
+Consequences: +
    +
  1. Microsoft is aware of everything that Bob did with his windows OS

  2. +
  3. Google is aware of everything that Bob did with his chrome web browser

  4. +
  5. Bob's ISP is only aware that Bob connected to his VPN provider.

  6. +
  7. the VPN provider sees that Bob's home IP address connected to the service, and that Bob connected to nowhere.com

  8. +
  9. the nowhere.com admins sees that the VPN IP address logged into the account and posted a comment

  10. +
+

Summary: Bob posted a comment on nowhere.com and Microsoft and Google are aware that it is Bob that did it, the VPN provider knows that Bob connected to nowhere.com, and the nowhere.com admins see that a VPN IP logged on the account and posted the comment. Bob has only managed to gain privacy from his ISP, but he has only shifted the issue to his VPN provider. Bob still has no privacy, and no anonymity whatsoever.

+

+

+

Scenario 3: Open source software, and a VPN

+ +Technology used: +
    +
  1. Host OS: Linux (open source)

  2. +
  3. Web Browser: firefox (open source)

  4. +
  5. Internet Connection: using a VPN

  6. +
+Actions: +
    +
  1. Bob uses his debian OS to open his vpn connection

  2. +
  3. Bob, once connected via his VPN, opens his firefox web browser

  4. +
  5. Bob uses the firefox web browser to access nowhere.com

  6. +
  7. Bob goes on nowhere.com and creates an account

  8. +
  9. Bob logs on his account and posts a comment

  10. +
+Consequences: +
    +
  1. Only Bob can know what he did with his linux OS

  2. +
  3. Only Bob can know what he did with his firefox web browser

  4. +
  5. Bob's ISP is only aware that Bob connected to his VPN provider.

  6. +
  7. the VPN provider sees that Bob's home IP address connected to the service, and that Bob connected to nowhere.com

  8. +
  9. the nowhere.com admins sees that the VPN IP address logged into the account and posted a comment

  10. +
+

Summary: Bob posted a comment on nowhere.com, his VPN provider knows that he connected to nowhere.com, and the nowhere.com admins are aware that someone used a VPN to do it. Bob has managed to gain privacy from his ISP, but also from the companies that spied on him while he was using closed source software (microsoft and google in this case), however Bob is still being spied on by his VPN provider, and he has no anonymity whatsoever.

+

+

Scenario 4: Open source software, and Tor

+ +Technology used: +
    +
  1. Host OS: Linux (open source)

  2. +
  3. Web Browser: Tor browser (open source)

  4. +
  5. Internet Connection: direct via ISP

  6. +
+Actions: +
    +
  1. Bob uses his debian OS to open his tor web browser

  2. +
  3. Bob uses the tor web browser to access nowhere.com

  4. +
  5. Bob goes on nowhere.com and creates an account

  6. +
  7. Bob logs on his account and posts a comment

  8. +
+Consequences: +
    +
  1. Only Bob can know what he did with his linux OS

  2. +
  3. Only Bob can know what he did with his tor web browser

  4. +
  5. Bob's ISP is only aware that Bob used Tor.

  6. +
  7. The tor entry node sees that Bob's home IP has connected, but cant tell where he tried to connect.

  8. +
  9. The tor middle node doesn't know who's connecting, nor where it's connecting.

  10. +
  11. The tor exit node doesn't know who's connecting, but knows that the traffic is going to nowhere.com (There is a very low chance that all 3 tor nodes (entry, middle and exit) collaborate to see that Bob's home IP address connected to nowhere.com)

  12. +
  13. the nowhere.com admins sees that a Tor exit node IP has logged into the account and posted a comment

  14. +
+

Summary: Bob posted a comment on nowhere.com, and there is only a very low chance that an adversary knows that he connected to nowhere.com, and the nowhere.com admins are only aware that someone used Tor to do it. Bob has managed to gain privacy, and has posted the comment anonymously. Bob's ISP knows that he used tor, but he doesn't know what he did with it. the nowhere.com admins know that someone used tor to post a comment, but they don't know who did it.

+
+
+
+
+
+
+
+
+ + + + + + +

Improve your OPSEC with your behavior

+

Now, you are Bob, and you have decided that you would maintain your anonymity online for your use of nowhere.com as detailed in scenario 6 above: you use open source technology, and you use the tor browser.

+

You have implemented all the correct technologies as explained above and you have created your account on nowhere.com anonymously.

+

But still, you may deanonymize yourself by having the wrong behavior with your actions!

+ +

+

Scenario 1: Self-Identification

+ +

Situation: Bob has an account on nowhere.com

+
    +
  1. Bob registered his account via Tor on nowhere.com

  2. +
  3. Bob mentionned his real life name into the information of his account

  4. +
  5. Bob mentionned where he lived on the account information too.

  6. +
+

Summary: Bob deanonymized himself by his actions, despite using the correct technology. He identified himself (or KYC'd himself) on nowhere.com

+

+

Scenario 2: Pseudonymity

+ +

Situation: Bob has an account on nowhere.com

+
    +
  1. Bob registered his account via Tor on nowhere.com

  2. +
  3. Bob uses a pseudonym into the information of his account

  4. +
  5. Bob mentionned that his pseudonym lived in wonderland.

  6. +
+

Summary: Bob used the right technology, and then on the website he uses a pseudonym, and mentionned random useless information about his pseudonym. For now his anonymity is preserved.

+

+

Scenario 3: When pseudonymity goes wrong

+ +

Situation: Bob has an account on nowhere.com

+
    +
  1. Bob registered his account via Tor on nowhere.com

  2. +
  3. Bob uses a pseudonym into the information of his account

  4. +
  5. Bob used this account to talk into many conversations over the years, and has built up a big reputation.

  6. +
  7. Bob is drunk one night, and accidentally mentionned his real life name online.

  8. +
+

Summary: Bob used the right technology, and then on the website he used a pseudonym successfully for a few years, his anonymity was preserved all this time up until he got drunk and accidentally revealed who he was. From there, Bob can no longer be anonymous using that pseudonym.

+

+

Scenario 4: Anonymity: when reputation doesn't matter

+ +

Situation: Bob has an account on nowhere.com

+
    +
  1. Bob regularly registers accounts via Tor on nowhere.com

  2. +
  3. Bob enters different random names into the information of his accounts

  4. +
  5. Bob stricly uses those accounts only for specific purposes.

  6. +
  7. Bob talks into many conversations over the years, but using different accounts every week/month.

  8. +
  9. Bob is never drunk when in front of the keyboard, and he is always careful to reveal nothing about his real life identity.

  10. +
+

Summary: Bob uses the right technology, and then on the website he preserves his anonymity by never revealing who he is, and by keeping multiple accounts on the same service for specific usecases, and only for limited amounts of time. In this case, Bob maintains anonymity without getting popular.

+
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
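Review bot: The technology section of servers/opsec/index.html announces "6 scenarios" but only Scenarios 1 to 4 are present, and the behavior section then refers to "scenario 6 above", which does not exist. Either add the two missing scenarios or change both counts to match; the setup being referenced (open source software plus the Tor browser) is Scenario 4. The consequence lines "Only Bob can know what he did with his linux OS" in Scenarios 3 and 4 are worded as a guarantee, while the page's own argument is that open source makes the software verifiable, so consider softening them. Typos: `techonologies`, `mentionned`, `stricly`, `cant`.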
+ + + + + + + diff --git a/servers/opsec4levels/0.1.png b/servers/opsec4levels/0.1.png new file mode 100644 index 0000000..1bef86f Binary files /dev/null and b/servers/opsec4levels/0.1.png differ diff --git a/servers/opsec4levels/0.2.png b/servers/opsec4levels/0.2.png new file mode 100644 index 0000000..8e9d7d7 Binary files /dev/null and b/servers/opsec4levels/0.2.png differ diff --git a/servers/opsec4levels/0.3.png b/servers/opsec4levels/0.3.png new file mode 100644 index 0000000..a6437c1 Binary files /dev/null and b/servers/opsec4levels/0.3.png differ diff --git a/servers/opsec4levels/0.4.png b/servers/opsec4levels/0.4.png new file mode 100644 index 0000000..fba26f3 Binary files /dev/null and b/servers/opsec4levels/0.4.png differ diff --git a/servers/opsec4levels/0.png b/servers/opsec4levels/0.png new file mode 100644 index 0000000..5c154af Binary files /dev/null and b/servers/opsec4levels/0.png differ diff --git a/servers/opsec4levels/1.png b/servers/opsec4levels/1.png new file mode 100644 index 0000000..12e3043 Binary files /dev/null and b/servers/opsec4levels/1.png differ diff --git a/servers/opsec4levels/2.png b/servers/opsec4levels/2.png new file mode 100644 index 0000000..2fb5d98 Binary files /dev/null and b/servers/opsec4levels/2.png differ diff --git a/servers/opsec4levels/3.png b/servers/opsec4levels/3.png new file mode 100644 index 0000000..5ae4744 Binary files /dev/null and b/servers/opsec4levels/3.png differ diff --git a/servers/opsec4levels/4.png b/servers/opsec4levels/4.png new file mode 100644 index 0000000..97d233d Binary files /dev/null and b/servers/opsec4levels/4.png differ diff --git a/servers/opsec4levels/index.html b/servers/opsec4levels/index.html new file mode 100644 index 0000000..554e665 --- /dev/null +++ b/servers/opsec4levels/index.html @@ -0,0 +1,213 @@ + + + + + + + + + + + Audit your OPSEC and determine the appropriate internet use + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-08

+

Audit your OPSEC and determine the appropriate internet use

+

In this tutorial we're going to explore how you can audit your own level of Operational Security (also known as opsec), using the following 6 parameters:Complexity, Transparency, Surveillance, Centralisation, Onymity, and Deniability. The goal is to determine the level of Privacy, Anonymity and Deniability of your operations online to determine what you can do safely.

+ + +

Based on those, we are able to determine the most appropriate Internet use.

+ + +

Auditing your own OPSEC is an essential skill that you must possess, we're going to audit the 4 different setups below, to be able to determine where they fit.

+

To do so, we are going to simplify it down to 4 OPSEC levels: Public, Private, Anonymous and Sensitive.

+ +

Sidenote: If your setup is suitable only for public internet use, you CANNOT use it for any private use, and so on.

+ +
+
+
+
+ + +
+
+
+
+

Bob's Setup: Public Internet Use

+ +

Complexity: Bob didn't put any effort. He bought his PC and windows was pre-installed, and he used it as it was.

+

Transparency: Bob uses windows as a host OS, and google chrome as his web browser. Both are closed-source, he does not know what his software is doing.

+

Surveillance: Since bob uses closed-source software, he is under constant surveillance while using his computer.

+

Centralisation: Bob uses popular services that are centralised in nature, he depends on the goodwill of others to use their services

+

Onymity: Because there is no privacy, anonymity is impossible for Bob.

+

Deniability: Bob cannot deny anything that he's doing on his computer, as he is under constant surveillance, without any possibility of anonymity.

+

Conclusion: Bob's setup is suitable only for Public internet use, as he is under constant surveillance while using it.

+
+
+
+
+ +
+
+
+
+

Alice's Setup: Private Internet Use



+ +

Complexity: Alice has put some effort to get her current setup, she is willing to go out of her comfort zone to improve her OPSEC.

+

Transparency: Alice only uses open source software (Linux and Firefox) she can see from the sourcecode that it only does what it should do.

+

Surveillance: Alice has verified that the open source software that she was using wasn't spying on her

+

Centralisation:Alice is starting to move away from centralised services, she's looking at other alternatives, but they are still centralised.

+

Onymity: Alice is exploring anonymity, but through a pseudonym online, she is not anonymous yet.

+

Deniability: Alice cannot deny that she has used her current setup

+

Conclusion: Alice's setup is suitable for Private use, as she managed to remove surveillance from her setup.

+ +
+
+
+
+ + + +
+
+
+
+

Charlie's Setup: Anonymous Internet Use



+ +

Complexity: Charlie is willing to go at great lengths to improve his OPSEC

+

Transparency: Charlie only uses open source software, that way he knows that the software he uses only does what he wants it to do.

+

Surveillance: Charlie has verified that the software he is using, is not surveilling what he's doing

+

Centralisation: Charlie has moved away from centralised services, and is using their decentralised counterpart from the fediverse

+

Onymity: Charlie is anonymous online, thanks to it's use of the tor network through Whonix and tor browser

+

Deniability: Charlie, thanks to his use of anonymity technologies, may be able to deny that he has used this setup depending on the context. However if an adversary gets physical access to his computer, he won't be able to deny that he has ever used it.

+

Conclusion: Charlie's setup is suitable for Anonymous use, as he managed to implement anonymity technologies into his setup.

+ + + +
+
+
+
+ +
+
+
+
+

Dave's Setup: Sensitive Internet Use



+ +

Complexity: Dave is willing to go at great lengths to improve his OPSEC

+

Transparency: Dave only uses open source software, that way he knows that the software he uses only does what he wants it to do.

+

Surveillance: Dave has verified that the software he is using, is not surveilling what he's doing

+

Centralisation: Dave has moved away from centralised services, and is using their decentralised counterpart from the fediverse

+

Onymity: Dave is anonymous online, thanks to it's use of the tor network through Whonix and tor browser

+

Deniability: Dave can deny that he has commited any anonymous activity, because the VM he uses is inside a veracrypt hidden volume, that he can deny the existance of.

+

Conclusion: Dave's setup is suitable for Sensitive use, as he managed to implement plausible deniability on top of anonymity technologies into his setup.

+ +
+
+
+
+ +
+
+
+
+

Recap of the 4 basic OPSEC levels



+ +

Now as you can see, the higher the opsec level, the more complexity one must be willing to bear with, in order to increase their own operational security.

+

Take the 6 parameters into account before trying to use a specific setup for an inappropriate internet usage. If you want to have all of those 4 setups at once, check out my tutorial on VM-based internet usage segmentation

+
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
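Review bot: The sidenote in servers/opsec4levels/index.html ("If your setup is suitable only for public internet use, you CANNOT use it for any private use, and so on") leaves the ordering of the four levels implicit. State it outright (Public, then Private, then Anonymous, then Sensitive, and a setup must never be used for a level above its own) so that "and so on" is not left to the reader. In the Onymity entries for Charlie and Dave, `it's use` should be `his use`; `parameters:Complexity` and `Centralisation:Alice` are missing a space after the colon; Alice's Transparency entry needs punctuation between "(Linux and Firefox)" and "she can see". Dave's Deniability entry has `commited` and `existance`.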
+ + + + + + + diff --git a/servers/passwordmanagement/0.png b/servers/passwordmanagement/0.png new file mode 100644 index 0000000..37918d8 Binary files /dev/null and b/servers/passwordmanagement/0.png differ diff --git a/servers/passwordmanagement/1.png b/servers/passwordmanagement/1.png new file mode 100644 index 0000000..7216ee1 Binary files /dev/null and b/servers/passwordmanagement/1.png differ diff --git a/servers/passwordmanagement/2.png b/servers/passwordmanagement/2.png new file mode 100644 index 0000000..854525c Binary files /dev/null and b/servers/passwordmanagement/2.png differ diff --git a/servers/passwordmanagement/3.png b/servers/passwordmanagement/3.png new file mode 100644 index 0000000..e386c13 Binary files /dev/null and b/servers/passwordmanagement/3.png differ diff --git a/servers/passwordmanagement/4.png b/servers/passwordmanagement/4.png new file mode 100644 index 0000000..e1c850a Binary files /dev/null and b/servers/passwordmanagement/4.png differ diff --git a/servers/passwordmanagement/5.png b/servers/passwordmanagement/5.png new file mode 100644 index 0000000..a77eab6 Binary files /dev/null and b/servers/passwordmanagement/5.png differ diff --git a/servers/passwordmanagement/6.png b/servers/passwordmanagement/6.png new file mode 100644 index 0000000..af9c3bb Binary files /dev/null and b/servers/passwordmanagement/6.png differ diff --git a/servers/passwordmanagement/index.html b/servers/passwordmanagement/index.html new file mode 100644 index 0000000..502b3db --- /dev/null +++ b/servers/passwordmanagement/index.html @@ -0,0 +1,161 @@ + + + + + + + + + + + Password Management 101 (How to use Keepass) + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-16

+

Password Management 101 (How to use Keepass)

+ +

+ +
+
+
+
+ + +
+
+
+
+

What is password management, and Why use Keepass?

+

If you have seen my Offensive Security blog section, or the numerous news regarding massive companies being hacked, you should be aware that no matter where you choose to put your data out there, nowhere is truly safe.

+

Now let's take the following example, Bob is being lazy (again), and he uses the same password for his laptop, all of his accounts online, and at some point he creates an account on "Spotify":

+ +

So Bob has one password for everything he does online. What happens when one of those services (ex: Spotify) gets hacked ?

+ +

First thing that happens, is that Bob's password gets leaked online publicly, his password may even end up in the popular password wordlists like in seclists.

+

This means, that a potential hacker may gain access in not only bob's spotify account, but also in all of his other accounts, since Bob used the same password everywhere.

+ +

This could have been avoided if Bob had a different strong password for every service. That way, if one of those services got hacked, only one meaningless password would have been revealed. That is why Keepass is relevant here, because it will remember all of those passwords so that Bob doesn't have to.

+
+
+
+
+ +
+
+
+
+

How to install KeepassXC



+

Bob can install KeepassXC using apt on debian:

+

+nihilist@mainpc:~/Nextcloud/blog$ sudo apt install keepassxc
+
+nihilist@mainpc:~/Nextcloud/blog$ which keepassxc
+/usr/bin/keepassxc
+
+nihilist@mainpc:~/Nextcloud/blog$ keepassxc
+
+
+ + + + + +

That way, Bob can have a unique, strong password for every website he registers an account onto. If one of them gets hacked, the adversary won't gain access to every other account that Bob has.

+ +

The only password reuse that there may be is only local to Bob's computer, where he uses a password to unlock his harddrive, and log onto his host OS, and open his keepass file. The rest of remote logins are now managed and remembered by Keepass.

+

Next, Bob learns to use PGP encryption using Gnupg.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
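Review bot: The closing paragraph of servers/passwordmanagement/index.html allows one shared password "to unlock his harddrive, and log onto his host OS, and open his keepass file", which undercuts the page's own argument against reuse. The keepass file holds every other credential, so it should get its own passphrase, separate from the disk and login passwords; suggest rewording the paragraph to say that. Separately, the title and body say "Keepass" while the install heading and `sudo apt install keepassxc` refer to KeePassXC. These are different projects, so name KeePassXC consistently.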
+ + + + + + + diff --git a/servers/pf_captive/0.png b/servers/pf_captive/0.png new file mode 100644 index 0000000..0dacf79 Binary files /dev/null and b/servers/pf_captive/0.png differ diff --git a/servers/pf_captive/1.png b/servers/pf_captive/1.png new file mode 100644 index 0000000..2a9b3fd Binary files /dev/null and b/servers/pf_captive/1.png differ diff --git a/servers/pf_captive/10.png b/servers/pf_captive/10.png new file mode 100644 index 0000000..1149d41 Binary files /dev/null and b/servers/pf_captive/10.png differ diff --git a/servers/pf_captive/11.png b/servers/pf_captive/11.png new file mode 100644 index 0000000..5e3e378 Binary files /dev/null and b/servers/pf_captive/11.png differ diff --git a/servers/pf_captive/12.png b/servers/pf_captive/12.png new file mode 100644 index 0000000..cfed991 Binary files /dev/null and b/servers/pf_captive/12.png differ diff --git a/servers/pf_captive/13.png b/servers/pf_captive/13.png new file mode 100644 index 0000000..71c55e5 Binary files /dev/null and b/servers/pf_captive/13.png differ diff --git a/servers/pf_captive/14.png b/servers/pf_captive/14.png new file mode 100644 index 0000000..3b38737 Binary files /dev/null and b/servers/pf_captive/14.png differ diff --git a/servers/pf_captive/15.png b/servers/pf_captive/15.png new file mode 100644 index 0000000..028469e Binary files /dev/null and b/servers/pf_captive/15.png differ diff --git a/servers/pf_captive/16.png b/servers/pf_captive/16.png new file mode 100644 index 0000000..428a16e Binary files /dev/null and b/servers/pf_captive/16.png differ diff --git a/servers/pf_captive/17.png b/servers/pf_captive/17.png new file mode 100644 index 0000000..72aaebc Binary files /dev/null and b/servers/pf_captive/17.png differ diff --git a/servers/pf_captive/18.png b/servers/pf_captive/18.png new file mode 100644 index 0000000..65ae128 Binary files /dev/null and b/servers/pf_captive/18.png differ 
diff --git a/servers/pf_captive/19.png b/servers/pf_captive/19.png new file mode 100644 index 0000000..770fb94 Binary files /dev/null and b/servers/pf_captive/19.png differ diff --git a/servers/pf_captive/2.png b/servers/pf_captive/2.png new file mode 100644 index 0000000..cc3bc4d Binary files /dev/null and b/servers/pf_captive/2.png differ diff --git a/servers/pf_captive/20.png b/servers/pf_captive/20.png new file mode 100644 index 0000000..d82e408 Binary files /dev/null and b/servers/pf_captive/20.png differ diff --git a/servers/pf_captive/21.png b/servers/pf_captive/21.png new file mode 100644 index 0000000..0eb3c5c Binary files /dev/null and b/servers/pf_captive/21.png differ diff --git a/servers/pf_captive/22.png b/servers/pf_captive/22.png new file mode 100644 index 0000000..9625226 Binary files /dev/null and b/servers/pf_captive/22.png differ diff --git a/servers/pf_captive/23.png b/servers/pf_captive/23.png new file mode 100644 index 0000000..a5fce43 Binary files /dev/null and b/servers/pf_captive/23.png differ diff --git a/servers/pf_captive/24.png b/servers/pf_captive/24.png new file mode 100644 index 0000000..c5cb5d7 Binary files /dev/null and b/servers/pf_captive/24.png differ diff --git a/servers/pf_captive/25.png b/servers/pf_captive/25.png new file mode 100644 index 0000000..a18a01b Binary files /dev/null and b/servers/pf_captive/25.png differ diff --git a/servers/pf_captive/26.png b/servers/pf_captive/26.png new file mode 100644 index 0000000..eb2c1a2 Binary files /dev/null and b/servers/pf_captive/26.png differ diff --git a/servers/pf_captive/27.png b/servers/pf_captive/27.png new file mode 100644 index 0000000..50e9b04 Binary files /dev/null and b/servers/pf_captive/27.png differ diff --git a/servers/pf_captive/28.png b/servers/pf_captive/28.png new file mode 100644 index 0000000..c8313ae Binary files /dev/null and b/servers/pf_captive/28.png differ 
diff --git a/servers/pf_captive/29.png b/servers/pf_captive/29.png new file mode 100644 index 0000000..2b88252 Binary files /dev/null and b/servers/pf_captive/29.png differ diff --git a/servers/pf_captive/3.png b/servers/pf_captive/3.png new file mode 100644 index 0000000..ce18f5c Binary files /dev/null and b/servers/pf_captive/3.png differ diff --git a/servers/pf_captive/30.png b/servers/pf_captive/30.png new file mode 100644 index 0000000..3ad3f12 Binary files /dev/null and b/servers/pf_captive/30.png differ diff --git a/servers/pf_captive/31.png b/servers/pf_captive/31.png new file mode 100644 index 0000000..5f1bb7f Binary files /dev/null and b/servers/pf_captive/31.png differ diff --git a/servers/pf_captive/32.png b/servers/pf_captive/32.png new file mode 100644 index 0000000..e3306ed Binary files /dev/null and b/servers/pf_captive/32.png differ diff --git a/servers/pf_captive/33.png b/servers/pf_captive/33.png new file mode 100644 index 0000000..3ba87a6 Binary files /dev/null and b/servers/pf_captive/33.png differ diff --git a/servers/pf_captive/34.png b/servers/pf_captive/34.png new file mode 100644 index 0000000..8bd3f15 Binary files /dev/null and b/servers/pf_captive/34.png differ diff --git a/servers/pf_captive/35.png b/servers/pf_captive/35.png new file mode 100644 index 0000000..1606b47 Binary files /dev/null and b/servers/pf_captive/35.png differ diff --git a/servers/pf_captive/36.png b/servers/pf_captive/36.png new file mode 100644 index 0000000..62b343e Binary files /dev/null and b/servers/pf_captive/36.png differ diff --git a/servers/pf_captive/37.png b/servers/pf_captive/37.png new file mode 100644 index 0000000..e0d230c Binary files /dev/null and b/servers/pf_captive/37.png differ diff --git a/servers/pf_captive/38.png b/servers/pf_captive/38.png new file mode 100644 index 0000000..c7a4d38 Binary files /dev/null and b/servers/pf_captive/38.png differ 
diff --git a/servers/pf_captive/39.png b/servers/pf_captive/39.png new file mode 100644 index 0000000..c7fdb6d Binary files /dev/null and b/servers/pf_captive/39.png differ diff --git a/servers/pf_captive/4.png b/servers/pf_captive/4.png new file mode 100644 index 0000000..3534e90 Binary files /dev/null and b/servers/pf_captive/4.png differ diff --git a/servers/pf_captive/40.png b/servers/pf_captive/40.png new file mode 100644 index 0000000..7457351 Binary files /dev/null and b/servers/pf_captive/40.png differ diff --git a/servers/pf_captive/41.png b/servers/pf_captive/41.png new file mode 100644 index 0000000..29c8dc8 Binary files /dev/null and b/servers/pf_captive/41.png differ diff --git a/servers/pf_captive/42.png b/servers/pf_captive/42.png new file mode 100644 index 0000000..62d487e Binary files /dev/null and b/servers/pf_captive/42.png differ diff --git a/servers/pf_captive/43.png b/servers/pf_captive/43.png new file mode 100644 index 0000000..fa49e0d Binary files /dev/null and b/servers/pf_captive/43.png differ diff --git a/servers/pf_captive/44.png b/servers/pf_captive/44.png new file mode 100644 index 0000000..7d7e81f Binary files /dev/null and b/servers/pf_captive/44.png differ diff --git a/servers/pf_captive/45.png b/servers/pf_captive/45.png new file mode 100644 index 0000000..c576de6 Binary files /dev/null and b/servers/pf_captive/45.png differ diff --git a/servers/pf_captive/46.png b/servers/pf_captive/46.png new file mode 100644 index 0000000..0061998 Binary files /dev/null and b/servers/pf_captive/46.png differ diff --git a/servers/pf_captive/47.png b/servers/pf_captive/47.png new file mode 100644 index 0000000..6ca7ae5 Binary files /dev/null and b/servers/pf_captive/47.png differ diff --git a/servers/pf_captive/48.png b/servers/pf_captive/48.png new file mode 100644 index 0000000..6d60e4e Binary files /dev/null and b/servers/pf_captive/48.png differ 
diff --git a/servers/pf_captive/49.png b/servers/pf_captive/49.png new file mode 100644 index 0000000..c3fe1c7 Binary files /dev/null and b/servers/pf_captive/49.png differ diff --git a/servers/pf_captive/5.png b/servers/pf_captive/5.png new file mode 100644 index 0000000..4767ea6 Binary files /dev/null and b/servers/pf_captive/5.png differ diff --git a/servers/pf_captive/50.png b/servers/pf_captive/50.png new file mode 100644 index 0000000..11ab393 Binary files /dev/null and b/servers/pf_captive/50.png differ diff --git a/servers/pf_captive/51.png b/servers/pf_captive/51.png new file mode 100644 index 0000000..192cc63 Binary files /dev/null and b/servers/pf_captive/51.png differ diff --git a/servers/pf_captive/52.png b/servers/pf_captive/52.png new file mode 100644 index 0000000..b199f15 Binary files /dev/null and b/servers/pf_captive/52.png differ diff --git a/servers/pf_captive/53.png b/servers/pf_captive/53.png new file mode 100644 index 0000000..5478172 Binary files /dev/null and b/servers/pf_captive/53.png differ diff --git a/servers/pf_captive/54.png b/servers/pf_captive/54.png new file mode 100644 index 0000000..e5d06ee Binary files /dev/null and b/servers/pf_captive/54.png differ diff --git a/servers/pf_captive/55.png b/servers/pf_captive/55.png new file mode 100644 index 0000000..1978ea2 Binary files /dev/null and b/servers/pf_captive/55.png differ diff --git a/servers/pf_captive/56.png b/servers/pf_captive/56.png new file mode 100644 index 0000000..63f8d8d Binary files /dev/null and b/servers/pf_captive/56.png differ diff --git a/servers/pf_captive/57.png b/servers/pf_captive/57.png new file mode 100644 index 0000000..cdfc8e5 Binary files /dev/null and b/servers/pf_captive/57.png differ diff --git a/servers/pf_captive/58.png b/servers/pf_captive/58.png new file mode 100644 index 0000000..0d4d251 Binary files /dev/null and b/servers/pf_captive/58.png differ 
diff --git a/servers/pf_captive/59.png b/servers/pf_captive/59.png new file mode 100644 index 0000000..efa57a7 Binary files /dev/null and b/servers/pf_captive/59.png differ diff --git a/servers/pf_captive/6.png b/servers/pf_captive/6.png new file mode 100644 index 0000000..5cc0e29 Binary files /dev/null and b/servers/pf_captive/6.png differ diff --git a/servers/pf_captive/60.png b/servers/pf_captive/60.png new file mode 100644 index 0000000..bfef35b Binary files /dev/null and b/servers/pf_captive/60.png differ diff --git a/servers/pf_captive/61.png b/servers/pf_captive/61.png new file mode 100644 index 0000000..d62bcdf Binary files /dev/null and b/servers/pf_captive/61.png differ diff --git a/servers/pf_captive/7.png b/servers/pf_captive/7.png new file mode 100644 index 0000000..759856c Binary files /dev/null and b/servers/pf_captive/7.png differ diff --git a/servers/pf_captive/8.png b/servers/pf_captive/8.png new file mode 100644 index 0000000..8bedce3 Binary files /dev/null and b/servers/pf_captive/8.png differ diff --git a/servers/pf_captive/9.png b/servers/pf_captive/9.png new file mode 100644 index 0000000..c8c4614 Binary files /dev/null and b/servers/pf_captive/9.png differ diff --git a/servers/pf_captive/index.html b/servers/pf_captive/index.html new file mode 100644 index 0000000..7b5969c --- /dev/null +++ b/servers/pf_captive/index.html @@ -0,0 +1,159 @@ + + + + + + + + + + + Pfsense Captive Portal + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 00 / 00 / 00

+

Pfsense Captive Portal

+

In this tutorial we will setup a pfsense captive portal making use of a LDAP connection to an Active Directory and the built-in captive portal feature.

+

We are going to work on the following architecture

+ +

Basically we want the network clients that are on the LAN side of our pfsense virtualized (or physical) router to login through our captive portal.

+ +
+
+
+
+ + +
+
+
+
+

Initial AD Setup

+

Follow this tutorial to setup pfsense on virt-manager, if you want you can also install pfsense on proxmox like i did, these are fundamentally the same concepts, +now looking from a client's POV, setup Windows Server 2019 with DNS + AD, check out this guide if you didn't do it already here. Once the WS2019 is properly setup with DNS + AD, we will need to add our AD user to the pfsense admin group:

+ + + + +

create a bind user:

+ + + + + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
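Review bot: The visible text of servers/pf_captive/index.html stops at "create a bind user:", so the page never reaches the LDAP authentication server or captive portal configuration that its introduction promises. Either add those steps as prose alongside the screenshots or hold the page back until they are written. The date line still reads "nihilist - 00 / 00 / 00" and should carry a real date like the other pages. The step "add our AD user to the pfsense admin group" also needs a sentence saying which account this is and why it needs admin rights, since the bind user created in the next step is a separate account.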
+ + + + + + + diff --git a/servers/pf_virt/1.png b/servers/pf_virt/1.png new file mode 100644 index 0000000..2a6cb24 Binary files /dev/null and b/servers/pf_virt/1.png differ diff --git a/servers/pf_virt/10.png b/servers/pf_virt/10.png new file mode 100644 index 0000000..15f4d80 Binary files /dev/null and b/servers/pf_virt/10.png differ diff --git a/servers/pf_virt/11.png b/servers/pf_virt/11.png new file mode 100644 index 0000000..9186365 Binary files /dev/null and b/servers/pf_virt/11.png differ diff --git a/servers/pf_virt/12.png b/servers/pf_virt/12.png new file mode 100644 index 0000000..e8dc3ea Binary files /dev/null and b/servers/pf_virt/12.png differ diff --git a/servers/pf_virt/13.png b/servers/pf_virt/13.png new file mode 100644 index 0000000..c52d7e7 Binary files /dev/null and b/servers/pf_virt/13.png differ diff --git a/servers/pf_virt/14.png b/servers/pf_virt/14.png new file mode 100644 index 0000000..9502949 Binary files /dev/null and b/servers/pf_virt/14.png differ diff --git a/servers/pf_virt/15.png b/servers/pf_virt/15.png new file mode 100644 index 0000000..c96528b Binary files /dev/null and b/servers/pf_virt/15.png differ diff --git a/servers/pf_virt/16.png b/servers/pf_virt/16.png new file mode 100644 index 0000000..aaf6f93 Binary files /dev/null and b/servers/pf_virt/16.png differ diff --git a/servers/pf_virt/17.png b/servers/pf_virt/17.png new file mode 100644 index 0000000..e227a59 Binary files /dev/null and b/servers/pf_virt/17.png differ diff --git a/servers/pf_virt/18.png b/servers/pf_virt/18.png new file mode 100644 index 0000000..11f94b9 Binary files /dev/null and b/servers/pf_virt/18.png differ diff --git a/servers/pf_virt/19.png b/servers/pf_virt/19.png new file mode 100644 index 0000000..511de6d Binary files /dev/null and b/servers/pf_virt/19.png differ diff --git a/servers/pf_virt/2.png b/servers/pf_virt/2.png new file mode 100644 index 0000000..cf77f45 Binary files /dev/null and b/servers/pf_virt/2.png differ 
diff --git a/servers/pf_virt/20.png b/servers/pf_virt/20.png new file mode 100644 index 0000000..55f0092 Binary files /dev/null and b/servers/pf_virt/20.png differ diff --git a/servers/pf_virt/21.png b/servers/pf_virt/21.png new file mode 100644 index 0000000..0a3af26 Binary files /dev/null and b/servers/pf_virt/21.png differ diff --git a/servers/pf_virt/22.png b/servers/pf_virt/22.png new file mode 100644 index 0000000..be31549 Binary files /dev/null and b/servers/pf_virt/22.png differ diff --git a/servers/pf_virt/23.png b/servers/pf_virt/23.png new file mode 100644 index 0000000..e8f6f92 Binary files /dev/null and b/servers/pf_virt/23.png differ diff --git a/servers/pf_virt/24.png b/servers/pf_virt/24.png new file mode 100644 index 0000000..7422c09 Binary files /dev/null and b/servers/pf_virt/24.png differ diff --git a/servers/pf_virt/25.png b/servers/pf_virt/25.png new file mode 100644 index 0000000..94c4741 Binary files /dev/null and b/servers/pf_virt/25.png differ diff --git a/servers/pf_virt/26.png b/servers/pf_virt/26.png new file mode 100644 index 0000000..99c3b9c Binary files /dev/null and b/servers/pf_virt/26.png differ diff --git a/servers/pf_virt/27.png b/servers/pf_virt/27.png new file mode 100644 index 0000000..6918145 Binary files /dev/null and b/servers/pf_virt/27.png differ diff --git a/servers/pf_virt/28.png b/servers/pf_virt/28.png new file mode 100644 index 0000000..0bfbbb0 Binary files /dev/null and b/servers/pf_virt/28.png differ diff --git a/servers/pf_virt/29.png b/servers/pf_virt/29.png new file mode 100644 index 0000000..c0fe0c8 Binary files /dev/null and b/servers/pf_virt/29.png differ diff --git a/servers/pf_virt/3.png b/servers/pf_virt/3.png new file mode 100644 index 0000000..bfb2089 Binary files /dev/null and b/servers/pf_virt/3.png differ diff --git a/servers/pf_virt/30.png b/servers/pf_virt/30.png new file mode 100644 index 0000000..3024097 Binary files /dev/null and b/servers/pf_virt/30.png differ 
diff --git a/servers/pf_virt/31.png b/servers/pf_virt/31.png new file mode 100644 index 0000000..dc260e6 Binary files /dev/null and b/servers/pf_virt/31.png differ diff --git a/servers/pf_virt/32.png b/servers/pf_virt/32.png new file mode 100644 index 0000000..11ac126 Binary files /dev/null and b/servers/pf_virt/32.png differ diff --git a/servers/pf_virt/33.png b/servers/pf_virt/33.png new file mode 100644 index 0000000..ab2b918 Binary files /dev/null and b/servers/pf_virt/33.png differ diff --git a/servers/pf_virt/34.png b/servers/pf_virt/34.png new file mode 100644 index 0000000..323d6b3 Binary files /dev/null and b/servers/pf_virt/34.png differ diff --git a/servers/pf_virt/35.png b/servers/pf_virt/35.png new file mode 100644 index 0000000..2e77c6b Binary files /dev/null and b/servers/pf_virt/35.png differ diff --git a/servers/pf_virt/36.png b/servers/pf_virt/36.png new file mode 100644 index 0000000..12e1832 Binary files /dev/null and b/servers/pf_virt/36.png differ diff --git a/servers/pf_virt/37.png b/servers/pf_virt/37.png new file mode 100644 index 0000000..6a21ecb Binary files /dev/null and b/servers/pf_virt/37.png differ diff --git a/servers/pf_virt/38.png b/servers/pf_virt/38.png new file mode 100644 index 0000000..05db34a Binary files /dev/null and b/servers/pf_virt/38.png differ diff --git a/servers/pf_virt/39.png b/servers/pf_virt/39.png new file mode 100644 index 0000000..1cd2e49 Binary files /dev/null and b/servers/pf_virt/39.png differ diff --git a/servers/pf_virt/4.png b/servers/pf_virt/4.png new file mode 100644 index 0000000..d87b410 Binary files /dev/null and b/servers/pf_virt/4.png differ diff --git a/servers/pf_virt/40.png b/servers/pf_virt/40.png new file mode 100644 index 0000000..a72f450 Binary files /dev/null and b/servers/pf_virt/40.png differ diff --git a/servers/pf_virt/41.png b/servers/pf_virt/41.png new file mode 100644 index 0000000..284bff9 Binary files /dev/null and b/servers/pf_virt/41.png differ 
diff --git a/servers/pf_virt/42.png b/servers/pf_virt/42.png new file mode 100644 index 0000000..53422de Binary files /dev/null and b/servers/pf_virt/42.png differ diff --git a/servers/pf_virt/6.png b/servers/pf_virt/6.png new file mode 100644 index 0000000..d64016d Binary files /dev/null and b/servers/pf_virt/6.png differ diff --git a/servers/pf_virt/7.png b/servers/pf_virt/7.png new file mode 100644 index 0000000..7bc7bce Binary files /dev/null and b/servers/pf_virt/7.png differ diff --git a/servers/pf_virt/8.png b/servers/pf_virt/8.png new file mode 100644 index 0000000..26e38e8 Binary files /dev/null and b/servers/pf_virt/8.png differ diff --git a/servers/pf_virt/9.png b/servers/pf_virt/9.png new file mode 100644 index 0000000..660c39a Binary files /dev/null and b/servers/pf_virt/9.png differ diff --git a/servers/pf_virt/index.html b/servers/pf_virt/index.html new file mode 100644 index 0000000..7be2b99 --- /dev/null +++ b/servers/pf_virt/index.html @@ -0,0 +1,207 @@ + + + + + + + + + + + Virt-manager Pfsense + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 24 / 04 / 2024

+

Open Source router setup : QEMU/KVM Pfsense

+

In this tutorial we're going to cover how to setup an open source router inside of a QEMU/KVM VM (also an open source hypervisor):

+ +
+
+
+
+ + +
+
+
+
+

Initial setup

+

First install virt-manager in your debian system:

+

+sudo apt install virt-manager qemu libvirt0 qemu-kvm ebtables dnsmasq bridge-utils -y
+
+sudo gpasswd -a $USER libvirt
+
+sudo systemctl enable --now libvirtd
+sudo systemctl status libvirtd
+
+sudo virt-manager
+
+ +

Then configure the network (NAT for the WAN interface of pfsense + an ip-less interface for the LAN interface of pfsense and the other VMs)

+ + +

so we get the following lan network, and a /24 NAT network, DO NOT ACTIVATE DHCP ON THE LAN network, because +our pfsense will do it instead:

+

now we activate them both and install our pfsense VM following this network graph:

+ + + + + + +

here we make sure that our pfsense VM has 2 NICs, one is the WAN interface with our NAT, the other is the isolated 10.0.0.0/16 network.

+ + +

Next we install pfsense :

+ + + + +

Next select reboot, and we're going to configure our pfsense as the gateway router for the 10.0.0.0/16 network as 10.0.0.1/16, and then we will configure the WAN side of pfsense +to be the other NIC as a static address in 192.168.100.0/24:

+ +

Now if we look at the vm's 2 NICs, we see that the WAN interface has the following mac address:

+ +

And we see that the LAN interface has the following mac address:

+ +

So we assign the interfaces in pfsense accordingly:

+ + +

Next step, we assign static ips to both the interfaces we just setup:

+ +

for the upstream gateway address, we will simply use our host machine ip:

+ + +

Now we setup the LAN-side ip address:

+ + +

Now here we want to setup DHCP on the LAN following the settings we set earlier.

+ +

So we get the following result, and we reboot our pfsense:

+ +

now what we need here is to install a client VM to put inside of our LAN network, and from there we will be able to access the pfsense web interface.

+ + +

Now install debian as usual, we won't use any graphical interface to avoid the installation process to take too long, also make sure to install debian on the WAN interface to avoid any connection problems:

+ + +

Once the installation is done, you get the following:

+ +

However we want our machine to be on the 10.0.0.0/16 subnet, and we also want to be able to browse the web from our debian machine, so before we shut the machine off and change the NIC, we run the following commands:

+

+apt update -y ; apt upgrade -y ; apt install lightdm xfce4 xfwm4 lightdm firefox-esr -y
+systemctl enable lightdm --now	
+
+
+ +

So now we have our debian VM with graphical display, but it's not on the correct subnet, so we shut it down to correct that:

+ + +

We select the LAN network, and start the VM again:

+ +

And here we see that we are on the correct subnet, and we are able to ping the LAN interface of our pfsense VM, so let's access it from the web browser:

+ +

If for some reason you can't access the pfsense web interface on 10.0.0.1, you can always re-configure it again:

+ +

now you can login with the admin:pfsense default credentials

+ +

since our WAN network is also a private subnet

+ +

Then follow the rest of the install and you end up with the following result:

+ +

And there you have it! We have been able to install pfsense on virt-manager, with a 10.0.0.0/16 LAN network.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
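Review bot: In the "Initial setup" commands of servers/pf_virt/index.html, `sudo virt-manager` runs the GUI as root two lines after `sudo gpasswd -a $USER libvirt`, whose purpose is to let the unprivileged user manage libvirt. Drop the `sudo` and tell the reader to log out and back in (or run `newgrp libvirt`) so the group change takes effect. In the later `apt install` line, `lightdm` is listed twice. The step "now you can login with the admin:pfsense default credentials" should be followed by an instruction to change that password, and the fragment "since our WAN network is also a private subnet" is missing the action it justifies.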
+ + + + + + + diff --git a/servers/pgp/0.png b/servers/pgp/0.png new file mode 100644 index 0000000..667fcb6 Binary files /dev/null and b/servers/pgp/0.png differ diff --git a/servers/pgp/1.png b/servers/pgp/1.png new file mode 100644 index 0000000..544fff1 Binary files /dev/null and b/servers/pgp/1.png differ diff --git a/servers/pgp/2.png b/servers/pgp/2.png new file mode 100644 index 0000000..bce4640 Binary files /dev/null and b/servers/pgp/2.png differ diff --git a/servers/pgp/3.png b/servers/pgp/3.png new file mode 100644 index 0000000..87440d9 Binary files /dev/null and b/servers/pgp/3.png differ diff --git a/servers/pgp/index.html b/servers/pgp/index.html new file mode 100644 index 0000000..244e879 --- /dev/null +++ b/servers/pgp/index.html @@ -0,0 +1,515 @@ + + + + + + + + + + + How to use PGP encryption + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 05 / 12 / 2022

+

How to use PGP encryption

+ +

In this tutorial we're going to look at how to setup PGP keys, and use them to encrypt messages

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

Analogy

+

Bob wants to send a sensitive message to Alice. Bob intends to send his sensitive message to Alice through various means, for example on Teams, Discord or even on Wickr. However Bob knows that these service providers will never respect his privacy, they will always spy on Bob's conversation:

+ +

Bob then decides that noone other than Alice will be able to decrypt his message. So, Bob decides to use PGP encryption, to be able to send a sensitive message to Alice on any platform he wishes, because he knows that only Alice will be able to decrypt it:

+
+ +

Why should you even care about PGP ? Simple, you only want one person to be able to read your message, so you use PGP. You can use it when you do not trust the chat platform you are using, or the email provider, or any other form of communication with text. PGP gives you a simple way of encrypting your messages with others' public key, so that way you're sure that noone can read your messages.

+

Let's begin by generating your first key:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --gen-key
+gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
+
+GnuPG needs to construct a user ID to identify your key.
+
+Real name: nihilist
+Email address: nihilist@nihilism.network
+You selected this USER-ID:
+    "nihilist <nihilist@nihilism.network>"
+
+Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+gpg: revocation certificate stored as '/home/nothing/.gnupg/openpgp-revocs.d/89C359E4110050AA5BDDEA3E0284FFC275D0931B.rev'
+public and secret key created and signed.
+
+pub   rsa3072 2022-12-05 [SC] [expires: 2024-12-04]
+      89C359E4110050AA5BDDEA3E0284FFC275D0931B
+uid                      nihilist <nihilist@nihilism.network>
+sub   rsa3072 2022-12-05 [E] [expires: 2024-12-04]
+	
+
+ +

Then we can list our keys like so:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --list-keys
+/home/nothing/.gnupg/pubring.kbx
+--------------------------------
+pub   rsa3072 2022-12-05 [SC] [expires: 2024-12-04]
+      89C359E4110050AA5BDDEA3E0284FFC275D0931B
+uid           [ultimate] nihilist <nihilist@nihilism.network>
+sub   rsa3072 2022-12-05 [E] [expires: 2024-12-04]
+
+
+#to list the key fingerprint:
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --fingerprint nihilist@nihilism.network
+pub   rsa3072 2022-12-05 [SC] [expires: 2024-12-04]
+      89C3 59E4 1100 50AA 5BDD  EA3E 0284 FFC2 75D0 931B
+uid           [ultimate] nihilist <nihilist@nihilism.network>
+sub   rsa3072 2022-12-05 [E] [expires: 2024-12-04]
+
+
+	
+
+ +

Now let's export our public key like so:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --output ~/nihilist.pubkey --armor --export nihilist@nihilism.network
+
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ cat ~/nihilist.pubkey
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=B+QD
+-----END PGP PUBLIC KEY BLOCK-----
+	
+
+

This can be put publicly on your website, so that users will be able to encrypt their messages before sending it to you.

+
+
+
+ +
+
+
+
+

Encrypt/Decrypt messages



+

Now let's encrypt our messages with alice's public key after she generates her pgp keys:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --gen-key
+gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
+
+GnuPG needs to construct a user ID to identify your key.
+
+Real name: alice
+Email address: alice@nowhere.com
+You selected this USER-ID:
+    "alice <alice@nowhere.com>"
+
+Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+We need to generate a lot of random bytes. It is a good idea to perform
+some other action (type on the keyboard, move the mouse, utilize the
+disks) during the prime generation; this gives the random number
+generator a better chance to gain enough entropy.
+gpg: revocation certificate stored as '/home/nothing/.gnupg/openpgp-revocs.d/2A4ACCAC38F55DEE59EA38CBCA761853B6A47483.rev'
+public and secret key created and signed.
+
+pub   rsa3072 2022-12-05 [SC] [expires: 2024-12-04]
+      2A4ACCAC38F55DEE59EA38CBCA761853B6A47483
+uid                      alice <alice@nowhere.com>
+sub   rsa3072 2022-12-05 [E] [expires: 2024-12-04]
+	
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --output ~/alice.pubkey --armor --export alice@nowhere.com
+
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ cat ~/alice.pubkey
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGOOPtABDAC2i7v3qZFdhxnyGOcDlOSoJGijMKW45YgrxGKwvi80m8x76yOE
+CsNiVPsZB+DNWzbKtzZqqzOB2dJPQlEtvivd5Sg9Qn35D24kkb17k1WsIRZX8ZtW
+GPZKckIrjHNjeTnOMN14Fa6qr6jXtIgXKewGGh1w4Vv8CDfquTmuvQ462k05i2cQ
+m0oIPCG5nuOQvFg3nLJF9ZAKspXcZ/FzowBUbQFpCfFmYsDEBWpUSEGZvzTV/t2L
+Hp1AqxTze8DU1ll0rH7TxMnXNVG+gSRkloJfUxp6GCKKjiTmXiQxLQesbb2lcPON
+EY5tcoSuntV7tLvz6Fcfqs71aEQLZ7lr6l546GARBJ+gnKTMro7RZd+mc4ICncGg
+wZQ/k5I5XU7fdZUNFZWI4vP502fWJOF0XM16mNLs4kTKCfg1XFtBjC0t0MZWoE2x
+AtvpGZyC6jWrDeH7m2Bg9guOvNWOl5HkH9ak6zR3NpNotyOpVgcVe1mSCLdK/Ewm
+uI9dKWDyFI7B3C0AEQEAAbQZYWxpY2UgPGFsaWNlQG5vd2hlcmUuY29tPokB1AQT
+AQgAPhYhBCpKzKw49V3uWeo4y8p2GFO2pHSDBQJjjj7QAhsDBQkDwmcABQsJCAcC
+BhUKCQgLAgQWAgMBAh4BAheAAAoJEMp2GFO2pHSDzsoMAJCn3B+tB6h9IhUubGSt
+c8A7C3E2dEgzXKAcQs3qSvRpjJys6csAVdbsdJ8aGYIxT9u3ta4c7Xtq0CkJLkB4
+sqpNMb9r6wHt/Q08EGR0fAVzZ/FspiLeROQZRmFEUJRbKj9og9b0zSH5+dA5Adv2
+oIakqUeRIK2VeELQkQE+SnzMfiI2IQ55MdsCKG1UwN35E+x/st8tfzrhv24SM63x
+sg5fQ1XWuPY6xOD1+DEkKCyPJlKSj6s2R1MFWp5aSH+29tp0ScGAypY7XnQ5kbyW
+p99BWyTqub4FZw6P4VEJGFep2AabTHAzJrRrQ7kdzSWABUsfrmXfjeAk16AnuACa
+4sDow1cpW85XTm7W+dE4RV2y7WMuvSAaZfHv9iJwDYgc99t0HdrlNmEnNX4j82ET
+TOD9V1WrbwPtacl9Iojv5MR+hVIlvVD1WEziJiChflJjqRWjZVo+C6xoAS5GojQv
+PX2nBOtzSqyjlTBzFwKw/Och+7JYXDvmUmlmaE8pBXFw+LkBjQRjjj7QAQwA6Kuy
+0rDgRSLKl5WRa6kr9xZ2UBvuDN+RHqXXWFBM6xKox4Q88/AGR2wcsjkKOJ0fpNX9
+ISOexORtWO10WcK+KsTAZjLSBzUJhTok8o2sKGACWPZLW4ZoqJtMq24wAW7YBwNG
+WWuFW8shdu/oxQ/UuaLPqR/b9YJmry9c/WR72kC3USwoZS8he8lEl550DzQsa+If
+lODLAvk5mXfPsxTpvfT+gJvBz+50FWPz1LVOWBQiwcK6dJdKvux3bp30GhvOCR7K
+R6U3ZP37idNc8wtg7cybJhKh01HB/Na7dnLEQAE9pqKFzm6aYwwsnD8Q7Co0LNrv
+J9YsTZ68onpF7Yb5Ndlmi/h/sOIB3J4yhfaX4JiwBzltiyhXwaRtBG8I9+DRr/1c
+Gkga08WfTFvNGjajf52nCJqxtJeb7Mjyr6w9MKBSq+/+yKb4yJSjTXryKfLS5S4l
+Mb23Wss9cucDe6XCncUo8ukJakAUdLJsnoxj10J6Nk9EPIJFi3bLmv40aeRjABEB
+AAGJAbwEGAEIACYWIQQqSsysOPVd7lnqOMvKdhhTtqR0gwUCY44+0AIbDAUJA8Jn
+AAAKCRDKdhhTtqR0gyigC/9XSrbStJlQQWg3cq+XFokGv+fP0Bl3y+wVNzyL2Twc
+R70g/NqS2q5Ztd9bq5SleYn94n2tc5zULnuc5TUeVF303goFxsFQcjVQpe+vw6BA
+IcL+VdAvu4UQRVBCzUeW6Jd5n1oemIsyhdET40PRT5UTOwpdpoQQRvdHs2XCGR1q
+FMkbyxDg444lUzYD1l655yhwN9b7YHWA6Eih5tyIeBxZDXA586M8TGrCfzC67g0f
+bkp/pmA5xH7nxMHAR+A9sC/r1RW41qZ9Or6Wbqyrbyt7Whknoz0sCfm41MEUSkeF
+lS4EdjbGtEFzbpZGCs3FwH0kQdHl0nczyYnblBpmNccq5aPC6xhOj1FiBktoaqD0
+J0f4srQ8RZpPaRJo6ZD1JzSyKDLtQ/oZES741Fgi2UAfxBXslRktq/0J5ehJww3Q
+YWu3a5PAJWX6wkutFKp4eswvBr8na53CX4w2DF3hizl5w2+hff9gk8Qvrq77D3ht
+CdIDJHjajZtj14jc+uBRMMc=
+=up53
+-----END PGP PUBLIC KEY BLOCK-----
+
+
+

So let's first import alice's public key like so:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --import alice.pubkey
+gpg: key CA761853B6A47483: "alice " not changed
+gpg: Total number processed: 1
+gpg:              unchanged: 1
+	
+
+

In order to make sure this is alice's public key, check the fingerprint of it:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --fingerprint alice@nowhere.com
+pub   rsa3072 2022-12-05 [SC] [expires: 2024-12-04]
+      2A4A CCAC 38F5 5DEE 59EA  38CB CA76 1853 B6A4 7483
+uid           [ultimate] alice <alice@nowhere.com>
+sub   rsa3072 2022-12-05 [E] [expires: 2024-12-04]
+
+
+

Once you're sure that it is alice's public key, you can "sign it", which basically means that you trust that key:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --sign-key alice@nowhere.com
+
+sec  rsa3072/CA761853B6A47483
+     created: 2022-12-05  expires: 2024-12-04  usage: SC
+     trust: ultimate      validity: ultimate
+ssb  rsa3072/7A75B89E1AA090CF
+     created: 2022-12-05  expires: 2024-12-04  usage: E
+[ultimate] (1). alice 
+
+
+sec  rsa3072/CA761853B6A47483
+     created: 2022-12-05  expires: 2024-12-04  usage: SC
+     trust: ultimate      validity: ultimate
+ Primary key fingerprint: 2A4A CCAC 38F5 5DEE 59EA  38CB CA76 1853 B6A4 7483
+
+     alice 
+
+This key is due to expire on 2024-12-04.
+Are you sure that you want to sign this key with your
+key "nihilist " 
+
+Really sign? (y/N) y
+	
+
+

From there we can encrypt our message.txt:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ vim message.txt
+
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ cat message.txt
+this is my very secret message !
+	
+
+

Before encrypting it, we can also sign it, although it is optional. There are 3 ways to sign the message:

+

+Create binary or ASCII-armored detached signature from input
+--detach-sign
+
+Wrap input in plaintext signature
+--clearsign
+
+Encode input into binary or ASCII-armored output with an integrated signature
+--sign
+	
+
+

To sign the message while also remaining in plaintext, we use the second option --clearsign (also, if you have multiple private keys like me, choose it with the -u flag to specify who is sending the message):

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg -u nihilist@nihilism.network --clearsign message.txt
+
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ cat message.txt.asc
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+this is my very secret message !
+-----BEGIN PGP SIGNATURE-----
+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+=GuJm
+-----END PGP SIGNATURE-----
+
+
+

The signed message is saved as "message.txt.asc", now let's encrypt it using alice's public key, and also don't forget to encrypt it with the private key you want with the -u flag again:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg --encrypt --sign --armor -u nihilist@nihilism.network -r alice@nowhere.com message.txt.asc
+
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ ls -lash | grep message
+4.0K -rw-r--r--  1 nothing nothing   33 Dec  5 19:03 message.txt
+4.0K -rw-r--r--  1 nothing nothing  741 Dec  5 19:13 message.txt.asc
+4.0K -rw-r--r--  1 nothing nothing 2.2K Dec  5 19:14 message.txt.asc.asc
+
+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ cat message.txt.asc.asc
+-----BEGIN PGP MESSAGE-----
+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+=kY62
+-----END PGP MESSAGE-----
+
+
+

The encrypted message is created as "message.txt.asc.asc", so now we can send it to alice anywhere (teams, gmail, outlook, protonmail), wherever you want, because only alice will be able to decode the message. Once alice retrieves the message.txt.asc.asc she can decrypt it like so:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~]
+→ gpg -d message.txt.asc.asc
+gpg: encrypted with 3072-bit RSA key, ID 7A75B89E1AA090CF, created 2022-12-05
+      "alice <alice@nowhere.com>"
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+this is my very secret message !
+-----BEGIN PGP SIGNATURE-----
+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+=GuJm
+-----END PGP SIGNATURE-----
+gpg: Signature made Mon 05 Dec 2022 07:34:36 PM UTC
+gpg:                using RSA key 89C359E4110050AA5BDDEA3E0284FFC275D0931B
+gpg:                issuer "nihilist@nihilism.network"
+gpg: Good signature from "nihilist <nihilist@nihilism.network>" [ultimate]
+
+
+

Once decrypted, she can see that the message has our PGP signature.

+ +

And that's it! That covers the basics of how to use PGP

+ + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
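Review bot: The sentence introducing the `gpg --encrypt --sign --armor -u ... -r ...` command says to "encrypt it with the private key you want with the -u flag", but `-u` only selects the key used for signing; encryption is done to the recipient's public key given with `-r`. Reword it so readers do not conclude that their private key encrypts the message. The input to that command is already the clearsigned message.txt.asc, so the message ends up signed twice, and the "Good signature" lines in the `gpg -d` output come from `--sign`, not from the clearsign block; either drop the `--clearsign` step or encrypt message.txt directly. The `--sign-key` paragraph equates signing with trusting the key: signing certifies that the key belongs to that user ID, owner trust is a separate setting, and the fingerprint step should say the value is compared against one obtained from alice over a separate channel. The sample output also shows `sec` and `trust: ultimate` for alice's key and "not changed" on import, so it was captured on the keyring that generated the key; a reader importing someone else's key will see different output, which deserves a sentence.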
+ + + + + + + diff --git a/servers/phonenumbers/1.png b/servers/phonenumbers/1.png new file mode 100644 index 0000000..d1dbb70 Binary files /dev/null and b/servers/phonenumbers/1.png differ diff --git a/servers/phonenumbers/index.html b/servers/phonenumbers/index.html new file mode 100644 index 0000000..00603d0 --- /dev/null +++ b/servers/phonenumbers/index.html @@ -0,0 +1,177 @@ + + + + + + + + + + + Phone Numbers are incompatible with Anonymity + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

user@Whonix - 2024-05-26

+

Phone Numbers are incompatible with Anonymity

+ +
+
+
+
+ + +
+
+
+
+

Sim Cards: the Deanonymization Tool

+

A Simcard is what you need to put into your smartphone in order to have a phone number. These simcards, once inserted into your smartphone are always communicating their geographical position to the nearest mobile carrier antennas. Meaning the mobile carriers knows where your simcard is, at all times, and they know where this simcard has been ever since it got inserted into your phone.

+

Now, it is possible for you to purchase a sim card (or e-SIM) anonymously using for example this service here, but the fact remains the same, that once the simcard is active into your smartphone, there is a permanent record of where that simcard has ever been and there is nothing you can do about it.

+

Naturally, law enforcement agencies LOVE to keep their hands on this data. They use it all the time. For example, all it takes for LE to figure out who has been in a public protest is to record the protesters up close, while keeping track of the current time. Then, if any of the protesters did anything illegal out there, they can know who did the act by simply looking at which simcards were at the exact same time, at the exact same place.

+

As we discussed previously for the law to be respected, it needs to be enforced. And to be enforced, the authorities need to know:

+
    +
  1. What happened ? (lack of Privacy)

  2. +
  3. Who did it ? (lack of Anonymity)

  4. +
+

That's why protesters make the conscious choice to not go out to protest with their phones in their pockets, as they can get deanonymized very easily while wearing them.

+
+
+
+
+ +
+
+
+
+

You cannot have an anonymous Phone at home.



+

Let's suppose the following scenario:

+
    +
  1. You bought an old phone (let's say a google pixel) anonymously using Monero, without going on a Centralised marketplace, Peer to Peer.

  2. +
  3. You wiped that google pixel OS to install an open source host OS such as GrapheneOS

  4. +
  5. you made sure that phone never connected to the internet since you got it, and never used a simcard either.

  6. +
  7. You then purchase an e-SIM card anonymously from a non-KYC service such as silent.link, using monero, and you activate it inside the phone.

  8. +
+

Great, you now think that you obtained an anonymous phone number right ? Did you just forget that there is a permanent record of where that simcard and phone number is, at all times ? And did you forget that this record of where your simcard is, is always consulted by LE at all times ?

+

Where do you plan to use that simcard ? At your own house ? The moment that simcard (and phone number) becomes active, LE knows that the simcard associated with that phone number is locatd your own house. And then you take it with you to go to work ? If you are seen going anywhere at anytime, and LE looks at where the simcard went, they can easily correlate that you are the owner of that simcard.

+

+

The only way to have an anonymous phone number, is remotely



+

If you have a simcard next to you, no matter how anonymous you managed to get it, the moment you start to use it, you are deanonymized

+ +

So the only way to be able to use a phone number anonymously, is to use a remote service provider, that allows you to use a phone number, anonymously (allows tor connections, and monero payments), and even then, don't expect to get privacy going that route. Examples of such services: Crypton or Smspool. (see the full list here)

+
+
+
+
+ + + +
+
+
+
+

If a service requires your phone number, they are against your Anonymity



+

If a chat service requires you to enter your phone number, it means they categorically refuse that you can use their service anonymously. Moreover, it means that they want to be able to inform the authorities of your actions, and rest assured that LE will pay big money for that sensitive info they may have of your actions.

+

Yes, you heard me correctly. If a service asks for your phone number, they are anti-privacy and anti-anonymity by design. This means that you can already stop using the following services: +


+Hall of Shame:
+Signal markets itself as providing Privacy, yet, it requires a phone number upon signup[1][2], for more reasons to stop using Signal, check out these blogposts [1] [2]
+Telegram also markets itself as providing privacy, yet it also requires a phone number upon signup
+
+
+

When you take into consideration how phone numbers harm your Privacy and Anonymity as i listed above, Nothing can can possibly justify requiring a phone number upon sign up.

+ +

The only reason for such a requirement, is that the service takes bribes from LE, for successfully lying that their users are safe. Make no mistake, the bigger the service, the more lucrative it is!

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
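Review bot: The closing paragraph ("The only reason for such a requirement, is that the service takes bribes from LE ...") makes a factual accusation with no reference, unlike the Signal entry in the Hall of Shame, which carries [1][2] links; either cite a source or phrase it as the author's opinion. The technical argument would be more complete if the scenario list mentioned that the carrier also sees the handset's own identifier (IMEI) alongside the SIM, since the page currently attributes all tracking to the simcard. Typos to fix before merge: "locatd" and the missing "at" in "is locatd your own house", "can can", and lowercase "i listed".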
+ + + + + + + diff --git a/servers/physicalsecurity/0.png b/servers/physicalsecurity/0.png new file mode 100644 index 0000000..1765e16 Binary files /dev/null and b/servers/physicalsecurity/0.png differ diff --git a/servers/physicalsecurity/1.png b/servers/physicalsecurity/1.png new file mode 100644 index 0000000..05f9e21 Binary files /dev/null and b/servers/physicalsecurity/1.png differ diff --git a/servers/physicalsecurity/10.png b/servers/physicalsecurity/10.png new file mode 100644 index 0000000..d4b56b1 Binary files /dev/null and b/servers/physicalsecurity/10.png differ diff --git a/servers/physicalsecurity/11.png b/servers/physicalsecurity/11.png new file mode 100644 index 0000000..d2593b1 Binary files /dev/null and b/servers/physicalsecurity/11.png differ diff --git a/servers/physicalsecurity/12.png b/servers/physicalsecurity/12.png new file mode 100644 index 0000000..4655583 Binary files /dev/null and b/servers/physicalsecurity/12.png differ diff --git a/servers/physicalsecurity/13.png b/servers/physicalsecurity/13.png new file mode 100644 index 0000000..4655583 Binary files /dev/null and b/servers/physicalsecurity/13.png differ diff --git a/servers/physicalsecurity/14.png b/servers/physicalsecurity/14.png new file mode 100644 index 0000000..0cc63d5 Binary files /dev/null and b/servers/physicalsecurity/14.png differ diff --git a/servers/physicalsecurity/15.png b/servers/physicalsecurity/15.png new file mode 100644 index 0000000..1974cc4 Binary files /dev/null and b/servers/physicalsecurity/15.png differ diff --git a/servers/physicalsecurity/16.png b/servers/physicalsecurity/16.png new file mode 100644 index 0000000..5392930 Binary files /dev/null and b/servers/physicalsecurity/16.png differ diff --git a/servers/physicalsecurity/17.png b/servers/physicalsecurity/17.png new file mode 100644 index 0000000..b440f1b Binary files /dev/null and b/servers/physicalsecurity/17.png differ 
diff --git a/servers/physicalsecurity/18.png b/servers/physicalsecurity/18.png new file mode 100644 index 0000000..b7d4ce2 Binary files /dev/null and b/servers/physicalsecurity/18.png differ diff --git a/servers/physicalsecurity/19.png b/servers/physicalsecurity/19.png new file mode 100644 index 0000000..751a692 Binary files /dev/null and b/servers/physicalsecurity/19.png differ diff --git a/servers/physicalsecurity/2.png b/servers/physicalsecurity/2.png new file mode 100644 index 0000000..c9bd19a Binary files /dev/null and b/servers/physicalsecurity/2.png differ diff --git a/servers/physicalsecurity/20.png b/servers/physicalsecurity/20.png new file mode 100644 index 0000000..d00db2a Binary files /dev/null and b/servers/physicalsecurity/20.png differ diff --git a/servers/physicalsecurity/3.png b/servers/physicalsecurity/3.png new file mode 100644 index 0000000..b83a933 Binary files /dev/null and b/servers/physicalsecurity/3.png differ diff --git a/servers/physicalsecurity/4.png b/servers/physicalsecurity/4.png new file mode 100644 index 0000000..0888759 Binary files /dev/null and b/servers/physicalsecurity/4.png differ diff --git a/servers/physicalsecurity/5.png b/servers/physicalsecurity/5.png new file mode 100644 index 0000000..370fd49 Binary files /dev/null and b/servers/physicalsecurity/5.png differ diff --git a/servers/physicalsecurity/6.png b/servers/physicalsecurity/6.png new file mode 100644 index 0000000..9d803c1 Binary files /dev/null and b/servers/physicalsecurity/6.png differ diff --git a/servers/physicalsecurity/7.png b/servers/physicalsecurity/7.png new file mode 100644 index 0000000..b063b3f Binary files /dev/null and b/servers/physicalsecurity/7.png differ diff --git a/servers/physicalsecurity/8.png b/servers/physicalsecurity/8.png new file mode 100644 index 0000000..efba21f Binary files /dev/null and b/servers/physicalsecurity/8.png differ 
diff --git a/servers/physicalsecurity/9.png b/servers/physicalsecurity/9.png new file mode 100644 index 0000000..c6aaafd Binary files /dev/null and b/servers/physicalsecurity/9.png differ diff --git a/servers/physicalsecurity/index.html b/servers/physicalsecurity/index.html new file mode 100644 index 0000000..b393e98 --- /dev/null +++ b/servers/physicalsecurity/index.html @@ -0,0 +1,1463 @@ + + + + + + + + + + + Plausible Deniability Protection for an .onion Service + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-03-28

+

Plausible Deniability Protection for an .onion Service

+

In this tutorial we're going to look at how you can protect a set of QEMU VMs running in a veracrypt hidden partition from being discovered by an adversary.

+

For this tutorial we have the following threat model:

+
    +
  1. What if an adversary enters the room where the physical server is ?

  2. +
  3. What if an adversary opens up the case of the physical server ?

  4. +
  5. What if an adversary plugs in or removes any usb device on the server ?

  6. +
  7. What if an adversary shuts down the electricity of the entire house before coming in ?

  8. +
  9. What if an adversary steals your password or ssh key somehow and manages to login via SSH on the server ?

  10. +
  11. What if an adversary physically destroys the harddrive containing the veracrypt partition ?

  12. +
  13. What if an adversary tries to do a cold boot attack ? (meaning forensics regarding server logs and RAM live memory)

  14. +
  15. What if an adversary forces you to type in your password to your encrypted data ?

  16. +
+

Let's take all those threat vectors into account, and setup our homeserver with the following physical security setup:

+ + +
+
+
+
+ + + +
+
+
+
+

Initial Setup

+

First we setup a debian QEMU VM in the hidden veracrypt partition:

+ +DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling +

+source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
+
+regarding wear leveling:
+"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
+
+
+ +

Look at this tutorial on how to create a veracrypt hidden partition, now create a volume that can contain a debian VM inside the hidden partition (ex: outer volume 140G, and inner/hidden volume 70G). Also follow this tutorial to know how to setup a QEMU hypervisor to virtualize VMs on linux. Now in the hidden partition we will create the debian QEMU VM (whose disk is 50Gb) as follows (keep in mind that we will also need to copy it into the decoy partition without overwriting the hidden partition, so make sure you can fit the same VM there aswell when you are creating the veracrypt volume!):

+ + + + + + + + + +

+root@debian:~# apt update -y ; apt upgrade -y ; apt autoremove -y
+
+
+

side note: make sure that you also copy the same VM into the decoy partition in case if you are asked to disprove the claim that said vm name inside the veracrypt partition contains something sensitive.

+

we make it run a .onion service like so as shown on this tutorial

+ +

So now we have the following graph:

+ +

We now have a server at home, that contains a veracrypt hidden partition (whose existance shouldnt be revealed), that hidden partition contains a VM, which contains a .onion service we want to hide the existance of. So now let's protect it:

+
+
+
+
+ + +
+
+
+
+

Emergency Shutdown setup



+

First let's define how to shutdown the services and hide the veracrypt hidden partition in one simple bash script:

+

We have the following order of events:

+

First we open the veracrypt volume, then we add the QEMU VM in virt-manager while naming it, then we power it on, and then we have our plausibly-deniable onion service.

+ +

So for an emergency shutdown, we need to do the same in the reverse order: First we shutdown the VM forcefully, then we close the hidden veracrypt partition forcefully, then we wipe the logs, then we kill the veracrypt process, and then then we wipe the ram 3 times to erase all potential trace of VMs in live memory.

+ +

Then we assemble that in a bashscript like so:

+

+[ Wonderland ] [ /dev/pts/1 ] [~]
+→ sudo cat /root/emergencyshutdown.sh
+[sudo] password for nihilist: 
+#!/bin/bash
+
+#remove VM and undefine it: (make sure that the VM name is exact!!!)
+sudo virsh -c qemu:///system destroy debian12-VM
+sudo virsh -c qemu:///system undefine debian12-VM
+#make sure that there is also an innocent VM called debian12-VM in the outer partition (for plausible deniability)
+
+#unmount veracrypt drives forcefully
+sudo veracrypt -d  -f
+
+# then cleanup logs
+sudo rm -rf /dev/shm/*
+sudo rm -rf /var/log/* 
+sudo dmesg -c >/dev/null 2>/dev/null
+
+# kill veracrypt to avoid having the veracrypt window display which drive/volume was selected
+kill $(pidof veracrypt)
+
+# then wipe ram 3 times
+# apt install stress
+# below change 128G to the number of Gigabytes in your system ! put 16 if you only have 16Gb of ram!
+stress -m 1 --vm-bytes 128G -t 10
+stress -m 1 --vm-bytes 128G -t 10
+stress -m 1 --vm-bytes 128G -t 10
+
+
+

you can run it like so:

+

+chmod +x ./emergencyshutdown.sh
+./emergencyshutdown.sh
+	
+
+

Next we need to be able to send an email from the server to the administrator to notify him that an emergency shutdown just happened.

+ + +

We'll be using ssmtp from the homeserver itself , it's going to connect to a remote mail server to send the mail we want. (check this tutorial if you want to know how to setup your SMTP mail server):

+

+[ Wonderland ] [ /dev/pts/1 ] [~]
+→ apt install ssmtp
+
+
+

Then make sure the user exists on the smtp server:

+

+root@mail-nihilism:~# useradd -G mail -m surveillance
+root@mail-nihilism:~# id surveillance
+uid=1003(surveillance) gid=1003(surveillance) groups=1003(surveillance),8(mail)
+root@mail-nihilism:~# passwd surveillance
+New password:
+Retype new password:
+passwd: password updated successfully
+
+
+

And then just send the mail after configuring ssmtp to send to the right place as the correct user:

+

+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ cat /etc/ssmtp/revaliases
+# sSMTP aliases
+#
+# Format:       local_account:outgoing_address:mailhub
+#
+# Example: root:your_login@your.domain:mailhub.your.domain[:port]
+# where [:port] is an optional port number that defaults to 25.
+
+root:surveillance:mail.nihilism.network:587
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ cat /etc/ssmtp/ssmtp.conf
+rewriteDomain=nihilism.network
+mailhub=mail.nihilism.network:587
+useSTARTTLS=YES
+AuthUser=surveillance
+AuthPass=D9IJWDOAHWHUHWUHDAWHDUWHAHDWAIHA3213221123312F
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ echo "Test message from Linux server using ssmtp" | sudo ssmtp -vvv nihilist@nihilism.network
+[<-] 220 mail.nihilism.network ESMTP nihilism.network (Debian/GNU)
+[->] EHLO wonderland
+[<-] 250 CHUNKING
+[->] STARTTLS
+[<-] 220 2.0.0 Ready to start TLS
+[->] EHLO wonderland
+[<-] 250 CHUNKING
+[->] AUTH LOGIN
+[<-] 334 VXNlcm5hbWU6
+[->] c3VydmVpbGxhbmNl
+[<-] 334 UGFzc3dvcmQ6
+[<-] 235 2.7.0 Authentication successful
+[->] MAIL FROM:<surveillance@nihilism.network>
+[<-] 250 2.1.0 Ok
+[->] RCPT TO:<nihilist@nihilism.network>
+[<-] 250 2.1.5 Ok
+[->] DATA
+[<-] 354 End data with <CR><LF>.<CR><LF>
+[->] Received: by wonderland (sSMTP sendmail emulation); Sat, 30 Mar 2024 17:01:44 +0100
+[->] From: "root" <surveillance@nihilism.network>
+[->] Date: Sat, 30 Mar 2024 17:01:44 +0100
+[->] Test message from Linux server using ssmtp
+[->]
+[->] .
+[<-] 250 2.0.0 Ok: queued as 9FB5E26A92
+[->] QUIT
+[<-] 221 2.0.0 Bye
+
+
+ +

And there we see that we recieved the mail on thunderbird:

+ + +

Meaning we have the following emergency shutdown script:

+

+[ Wonderland ] [ /dev/pts/1 ] [~]
+→ sudo cat /root/emergencyshutdown.sh
+[sudo] password for nihilist: 
+#!/bin/bash
+
+#notify the admin that the emergency shutdown is being performed
+echo "PERFORMING EMERGENCY SHUTDOWN!" | sudo ssmtp -vvv nihilist@nihilism.network
+
+#perform the emergency shutdown:
+
+#remove VM and undefine it: (make sure that the VM name is exact!!!)
+sudo virsh -c qemu:///system destroy debian12-VM
+sudo virsh -c qemu:///system undefine debian12-VM
+#make sure that there is also an innocent VM called debian12-VM in the outer partition (for plausible deniability)
+
+#unmount veracrypt drives forcefully
+sudo veracrypt -d  -f
+
+# then cleanup logs
+sudo rm -rf /dev/shm/*
+sudo rm -rf /var/log/* 
+sudo dmesg -c >/dev/null 2>/dev/null
+
+# kill veracrypt to avoid having the veracrypt window display which drive/volume was selected
+kill $(pidof veracrypt)
+
+# then wipe ram 3 times
+# apt install stress
+# below change 128G to the number of Gigabytes in your system ! put 16 if you only have 16Gb of ram!
+stress -m 1 --vm-bytes 128G -t 10
+stress -m 1 --vm-bytes 128G -t 10
+stress -m 1 --vm-bytes 128G -t 10
+
+
+
+ + + +
+
+
+
+ + +
+
+
+
+

Surveillance Setup



+

So now that we have our actions completed (emergency shutdown and sending a mail), we need to make sure that both are triggered whenever necessary, as shown below:

+ +

To look out for any usb change on the homeserver, we have the following script:

+

+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ cat checkusb.sh
+#!/bin/bash
+
+action_for_unauthorized_usb_change () {
+        echo "[+] ACTION : SEND MAIL TO NOTIFY ADMIN"
+        echo -en "Subject: USB CHANGE DETECTED ON $(hostname) \n\n USB CHANGE DETECTED on $(hostname) at $(date): \n\n LSUSB WAS: \n  $defaultlsusb \n\n  LSUSB NOW IS: \n $(lsusb)" | sudo ssmtp -vvv nihilist@nihilism.network
+
+        #echo "[+] ACTION : EMERGENCY SHUTDOWN SCRIPT"
+}
+
+#defaultusb = check usb store it as default usb
+defaultusb=$(lsusb | sha512sum)
+defaultlsusb=$(lsusb )
+
+#set maintenanece to 0
+echo 0 > /tmp/maintenance
+
+while true; do
+        # check if maintenance mode or not:
+        if [ $(cat /tmp/maintenance) -eq 0 ]; # if no maintenance, look for usb changes
+        then
+                usbnow=$(lsusb | sha512sum)
+                if [ "$usbnow" = "$defaultusb" ]; #detect usb changes
+                then
+                        echo "[+] No usb change..."
+                else
+                        echo "[+] USB change detected, peforming action"
+                        echo $defaultusb
+                        echo $usbnow
+                        action_for_unauthorized_usb_change
+                        #sleep 3600
+                        sleep 10
+                        defaultlsusb=$(lsusb)
+                        defaultusb=$(lsusb | sha512sum)
+                fi
+        else #maintenance ongoing, then not checking for usb changes
+                echo "[+] Maintenance mode, not checking for usb changes..."
+        fi
+        sleep 1
+done
+
+
+

Then to detect any movement in the room we setup motion, this will make it possible for a cheap usb webcam to take pictures upon detecting movement in the room where the homeserver is:

+

+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ apt-get install v4l-utils motion -y
+
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ cat /etc/motion/motion.conf
+# Rename this distribution example file to motion.conf
+#
+# This config file was generated by motion 4.5.1
+# Documentation:  /usr/share/doc/motion/motion_guide.html
+#
+# This file contains only the basic configuration options to get a
+# system working.  There are many more options available.  Please
+# consult the documentation for the complete list of all options.
+#
+
+############################################################
+# System control configuration parameters
+############################################################
+
+# Start in daemon (background) mode and release terminal.
+daemon off
+
+# Start in Setup-Mode, daemon disabled.
+setup_mode off
+
+# File to store the process ID.
+; pid_file value
+
+# File to write logs messages into.  If not defined stderr and syslog is used.
+#log_file /var/log/motion/motion.log
+log_file /dev/null
+
+# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL).
+log_level 6
+
+# Target directory for pictures, snapshots and movies
+target_dir /tmp/room
+
+# Video device (e.g. /dev/video0) to be used for capturing.
+video_device /dev/video0
+
+# Parameters to control video device.  See motion_guide.html
+; video_params value
+
+# The full URL of the network camera stream.
+; netcam_url value
+
+# Name of mmal camera (e.g. vc.ril.camera for pi camera).
+; mmalcam_name value
+
+# Camera control parameters (see raspivid/raspistill tool documentation)
+; mmalcam_params value
+
+############################################################
+# Image Processing configuration parameters
+############################################################
+
+# Image width in pixels.
+width 640
+
+# Image height in pixels.
+height 480
+
+# Maximum number of frames to be captured per second.
+framerate 1
+
+# Text to be overlayed in the lower left corner of images
+text_left ROOM1
+
+# Text to be overlayed in the lower right corner of images.
+text_right %Y-%m-%d\n%T-%q
+
+############################################################
+# Motion detection configuration parameters
+############################################################
+
+# Always save pictures and movies even if there was no motion.
+emulate_motion off
+
+# Threshold for number of changed pixels that triggers motion.
+threshold 1500
+
+# Noise threshold for the motion detection.
+; noise_level 32
+
+# Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel.
+despeckle_filter EedDl
+
+# Number of images that must contain motion to trigger an event.
+minimum_motion_frames 1
+
+# Gap in seconds of no motion detected that triggers the end of an event.
+event_gap 60
+
+# The number of pre-captured (buffered) pictures from before motion.
+pre_capture 3
+
+# Number of frames to capture after motion is no longer detected.
+post_capture 0
+
+############################################################
+# Script execution configuration parameters
+############################################################
+
+# Command to be executed when an event starts.
+; on_event_start value
+
+# Command to be executed when an event ends.
+; on_event_end value
+
+# Command to be executed when a movie file is closed.
+; on_movie_end value
+
+############################################################
+# Picture output configuration parameters
+############################################################
+
+# Output pictures when motion is detected
+picture_output on
+
+# File name(without extension) for pictures relative to target directory
+picture_filename %Y%m%d%H%M%S-%q
+
+############################################################
+# Movie output configuration parameters
+############################################################
+
+# Create movies of motion events.
+movie_output off
+
+# Maximum length of movie in seconds.
+movie_max_time 60
+
+# The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best)
+movie_quality 45
+
+# Container/Codec to used for the movie. See motion_guide.html
+movie_codec mkv
+
+# File name(without extension) for movies relative to target directory
+movie_filename %t-%v-%Y%m%d%H%M%S
+
+############################################################
+# Webcontrol configuration parameters
+############################################################
+
+# Port number used for the webcontrol.
+webcontrol_port 8080
+
+# Restrict webcontrol connections to the localhost.
+webcontrol_localhost off
+
+# Type of configuration options to allow via the webcontrol.
+webcontrol_parms 0
+
+############################################################
+# Live stream configuration parameters
+############################################################
+
+# The port number for the live stream.
+stream_port 8081
+
+# Restrict stream connections to the localhost.
+stream_localhost off
+
+##############################################################
+# Camera config files - One for each camera.
+##############################################################
+; camera /usr/etc/motion/camera1.conf
+; camera /usr/etc/motion/camera2.conf
+; camera /usr/etc/motion/camera3.conf
+; camera /usr/etc/motion/camera4.conf
+
+##############################################################
+# Directory to read '.conf' files for cameras.
+##############################################################
+; camera_dir /usr/etc/motion/conf.d
+
+	
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ mkdir /tmp/room
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ chown -R motion:motion /tmp/room
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl restart motion
+
+
+
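Review bot: `webcontrol_localhost off` and `stream_localhost off` leave the control interface on 8080 and the live stream on 8081 reachable from any host that can route to this machine, and this part of the config sets no authentication for either. If remote viewing is not needed, set both to `on` and reach them over an SSH tunnel; otherwise restrict the two ports at the firewall. The walkthrough text that follows refers to port 9091, which matches neither `webcontrol_port 8080` nor `stream_port 8081` as set here.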

From there you can see if the webcam works on port 9091:

+ +

Then we can see that motion saves pictures once per second once it detects movement in /tmp/room:

+

+Every 1.0s: ls -l /tmp/room                                                        wonderland: Thu Mar 28 17:07:51 2024
+
+total 368
+-rw-r--r-- 1 motion motion 52251 Mar 28 17:07 20240328170745-01.jpg
+-rw-r--r-- 1 motion motion 52129 Mar 28 17:07 20240328170746-00.jpg
+-rw-r--r-- 1 motion motion 52471 Mar 28 17:07 20240328170746-01.jpg
+-rw-r--r-- 1 motion motion 37158 Mar 28 17:07 20240328170747-00.jpg
+-rw-r--r-- 1 motion motion 33439 Mar 28 17:07 20240328170747-01.jpg
+-rw-r--r-- 1 motion motion 22586 Mar 28 17:07 20240328170748-00.jpg
+-rw-r--r-- 1 motion motion 19099 Mar 28 17:07 20240328170748-01.jpg
+-rw-r--r-- 1 motion motion 18205 Mar 28 17:07 20240328170749-00.jpg
+-rw-r--r-- 1 motion motion 19284 Mar 28 17:07 20240328170749-01.jpg
+-rw-r--r-- 1 motion motion 49770 Mar 28 17:07 20240328170750-00.jpg
+
+
+ +

Then we have this script to check whether there are any new files in /tmp/room/; if there are, we put them in a zip file before sending it via mail to the admin:

+

+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ cat checkmovement_room.sh
+#!/bin/bash
+
+
+#apt-get install v4l-utils motion -y
+#vim /etc/motion/motion.conf
+
+action_for_unauthorized_room_motion () {
+        echo "[+] ACTION : SEND MAIL TO NOTIFY ADMIN"
+        find /tmp/room/ -name *.jpg > /tmp/newfiles
+                newfiles=$(diff -u /tmp/oldfiles /tmp/newfiles | grep -E "^\+" | grep -v "+++" | tr -d '+')
+
+                linelist=$(for line in $newfiles; do echo -en "$line " ;done)
+                zip /tmp/images.zip $linelist
+                echo -e "Subject: MOVEMENT DETECTED IN ROOM OF $(hostname) \n\n MOVEMENT DETECTED IN ROOM OF $(hostname) AT $(date):"| (cat - && uuencode /tmp/images.zip images.zip)  | sudo ssmtp -vvv nihilist@nihilism.network
+                rm /tmp/images.zip
+                rm /tmp/room/* -rf
+}
+
+
+#set maintenanece to 0
+mkdir /tmp/room/ 2>/dev/null
+rm /tmp/room/* -rf
+chown motion: /tmp/room/ -R
+echo 0 > /tmp/maintenance
+find /tmp/room/ -name *.jpg > /tmp/oldfiles
+
+#defaultusb = check usb store it as default usb
+defaultroom=$(ls /tmp/room | sha512sum)
+
+while true; do
+
+
+
+        # check if maintenance mode or not:
+        if [ $(cat /tmp/maintenance) -eq 0 ]; # if no room maintenance, look for room changes
+        then
+                roomnow=$(ls /tmp/room | sha512sum)
+                if [ "$roomnow" = "$defaultroom" ]; #detect usb changes
+                then
+                        echo "[+] No Room Movement..."
+                else
+                        echo "[+] Room movement detected, peforming action"
+                        echo $defaulroom
+                        echo $roomnow
+                        action_for_unauthorized_room_motion
+                        #sleep 3600
+                        sleep 10
+                        defaultroom=$(ls /tmp/room | sha512sum)
+                        find /tmp/room/ -name *.jpg > /tmp/oldfiles
+                fi
+        else #maintenance ongoing, then not checking for room movements
+                echo "[+] Maintenance mode, not checking for room movements..."
+        fi
+        sleep 1
+done
+
+
+
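Review bot: the watcher runs as root but keeps all of its state under fixed names in world-writable `/tmp` (`/tmp/maintenance`, `/tmp/oldfiles`, `/tmp/newfiles`, `/tmp/images.zip`), so any local account can write `1` to `/tmp/maintenance` and silence the alert, or tamper with the other files. Move this state to a root-owned directory and quote the flag test (`[ "$(cat ...)" -eq 0 ]`), since a missing or empty flag file currently makes the test fail and takes the maintenance branch, which skips the check. Smaller points in the same script: `-name *.jpg` is unquoted in all three `find` calls and will be expanded by the shell if a .jpg exists in the working directory; `echo $defaulroom` is a typo for `$defaultroom`, which is why the log output later in the patch shows only one hash for this watcher; and `tr -d '+'` removes every `+` in the diff output, not only the leading marker.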

We also make a systemd service for each of the checkusb.sh and checkmovement_room.sh scripts, to launch and relaunch them automatically and to make sure they start when the server boots up:

+

+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ vim /etc/systemd/system/usbwatcher.service
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ cat/etc/systemd/system/usbwatcher.service
+
+[Unit]
+Description=usbwatcher
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/root/checkusb.sh
+ExecStop=kill -9 $(pidof /root/checkusb.sh)
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ vim /etc/systemd/system/motionwatcher.service
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ cat/etc/systemd/system/motionwatcher.service
+
+[Unit]
+Description=motionwatcher
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/root/checkmovement_room.sh
+ExecStop=kill -9 $(pidof /root/checkmovement_room.sh)
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl daemon-reload
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl enable --now motionwatcher.service usbwatcher.service motion.service
+Created symlink /etc/systemd/system/multi-user.target.wants/motionwatcher.service → /etc/systemd/system/motionwatcher.service.
+Created symlink /etc/systemd/system/multi-user.target.wants/usbwatcher.service → /etc/systemd/system/usbwatcher.service.
+Created symlink /etc/systemd/system/multi-user.target.wants/motion.service → /etc/systemd/system/motion.service.
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl status motionwatcher.service usbwatcher.service
+● motionwatcher.service - motionwatcher
+     Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 6s ago
+   Main PID: 3799951 (checkmovement_r)
+      Tasks: 2 (limit: 76929)
+     Memory: 676.0K
+        CPU: 24ms
+     CGroup: /system.slice/motionwatcher.service
+             ├─3799951 /bin/bash /root/checkmovement_room.sh
+             └─3800321 sleep 1
+
+Apr 01 14:38:01 wonderland systemd[1]: Started motionwatcher.service - motionwatcher.
+Apr 01 14:38:01 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:38:02 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:38:03 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:38:04 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:38:05 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:38:06 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:38:07 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+
+● usbwatcher.service - usbwatcher
+     Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 6s ago
+   Main PID: 3799953 (checkusb.sh)
+      Tasks: 2 (limit: 76929)
+     Memory: 664.0K
+        CPU: 40ms
+     CGroup: /system.slice/usbwatcher.service
+             ├─3799953 /bin/bash /root/checkusb.sh
+             └─3800327 sleep 1
+
+Apr 01 14:38:01 wonderland systemd[1]: Started usbwatcher.service - usbwatcher.
+Apr 01 14:38:01 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:38:02 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:38:03 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:38:04 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:38:05 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:38:06 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:38:07 wonderland checkusb.sh[3799953]: [+] No usb change...
+
+
+
+
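Review bot: `ExecStop=kill -9 $(pidof /root/checkusb.sh)` and its counterpart in motionwatcher.service cannot work, because systemd does not run Exec lines through a shell, so `$(pidof` and the path are passed to `kill` as literal arguments. The stop output further down in this patch confirms it: `kill: failed to parse argument` and both units end in `failed (Result: exit-code)`. Drop both `ExecStop=` lines; with `Type=simple` systemd already sends SIGTERM to the main PID on stop, which is what the log shows actually ended the scripts. The transcript lines `cat/etc/systemd/system/usbwatcher.service` and `cat/etc/systemd/system/motionwatcher.service` are also missing the space after `cat`.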

Then just watch it run:

+ +

+Every 1.0s: systemctl status motionwatcher.service usbwatcher.service                                                                                                                                       wonderland: Mon Apr  1 14:40:55 2024
+
+● motionwatcher.service - motionwatcher
+     Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 2min 54s ago
+   Main PID: 3799951 (checkmovement_r)
+      Tasks: 2 (limit: 76929)
+     Memory: 680.0K
+        CPU: 457ms
+     CGroup: /system.slice/motionwatcher.service
+             ├─3799951 /bin/bash /root/checkmovement_room.sh
+             └─3810241 sleep 10
+
+Apr 01 14:40:45 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:40:46 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:40:47 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:40:48 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:40:49 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:40:50 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:40:51 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:40:52 wonderland checkmovement_room.sh[3799951]: [+] Room movement detected, peforming action
+Apr 01 14:40:52 wonderland checkmovement_room.sh[3799951]: 20c1a997bdf538923ed863a64bd1c0d73a7e15337011e576bf9f473c88865fe7e95627774c8035d7f6ee00d998d0f9926cf7442b297ab8d91373ff8d2b587c2c -
+Apr 01 14:40:52 wonderland checkmovement_room.sh[3799951]: [+] ACTION : SEND MAIL TO NOTIFY ADMIN
+
+● usbwatcher.service - usbwatcher
+     Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 2min 54s ago
+   Main PID: 3799953 (checkusb.sh)
+      Tasks: 2 (limit: 76929)
+     Memory: 800.0K
+        CPU: 929ms
+     CGroup: /system.slice/usbwatcher.service
+             ├─3799953 /bin/bash /root/checkusb.sh
+             └─3810361 sleep 1
+
+Apr 01 14:40:38 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:40:39 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:40:40 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:40:41 wonderland checkusb.sh[3799953]: [+] USB change detected, peforming action
+Apr 01 14:40:41 wonderland checkusb.sh[3799953]: 140e9f95759026b6626bbc1098544bab9f85289c15c44f0fac44951100fbbb140214c00884f13bb50c959fc817bcdd1b6e8050781e1a987f6ea3a289c72c3198 -
+Apr 01 14:40:41 wonderland checkusb.sh[3799953]: 482600aa9446e3bbe616534a224785512995e80cd70a16e84c8315e569885a5d52ac0b8363055a6973476521321c767d8b54c918c8443f96cdf0eead35b17cb9 -
+Apr 01 14:40:41 wonderland checkusb.sh[3799953]: [+] ACTION : SEND MAIL TO NOTIFY ADMIN
+Apr 01 14:40:52 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:40:53 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:40:54 wonderland checkusb.sh[3799953]: [+] No usb change...
+
+
+

You can also see it sending mails whenever a USB change or a room movement is detected:

+ + +

The first mail contains the details of which USB device got plugged in or unplugged:

+ +

The second mail contains the zip file with the images taken upon movement detection:

+ +

And if you need to do maintenance, you can always disable them like so:

+

+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl stop motionwatcher.service usbwatcher.service
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl status motionwatcher.service usbwatcher.service
+× motionwatcher.service - motionwatcher
+     Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
+     Active: failed (Result: exit-code) since Mon 2024-04-01 14:41:37 CEST; 1min 17s ago
+   Duration: 3min 35.887s
+    Process: 3799951 ExecStart=/root/checkmovement_room.sh (code=killed, signal=TERM)
+    Process: 3812925 ExecStop=kill -9 $(pidof /root/checkmovement_room.sh) (code=exited, status=1/FAILURE)
+   Main PID: 3799951 (code=killed, signal=TERM)
+        CPU: 545ms
+
+Apr 01 14:41:32 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:41:33 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:41:34 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:41:35 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:41:36 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
+Apr 01 14:41:37 wonderland systemd[1]: Stopping motionwatcher.service - motionwatcher...
+Apr 01 14:41:37 wonderland kill[3812925]: kill: failed to parse argument: '/root/checkmovement_room.sh)'
+Apr 01 14:41:37 wonderland systemd[1]: motionwatcher.service: Control process exited, code=exited, status=1/FAILURE
+Apr 01 14:41:37 wonderland systemd[1]: motionwatcher.service: Failed with result 'exit-code'.
+Apr 01 14:41:37 wonderland systemd[1]: Stopped motionwatcher.service - motionwatcher.
+
+× usbwatcher.service - usbwatcher
+     Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
+     Active: failed (Result: exit-code) since Mon 2024-04-01 14:41:37 CEST; 1min 17s ago
+   Duration: 3min 35.888s
+    Process: 3799953 ExecStart=/root/checkusb.sh (code=killed, signal=TERM)
+    Process: 3812926 ExecStop=kill -9 $(pidof /root/checkusb.sh) (code=exited, status=1/FAILURE)
+   Main PID: 3799953 (code=killed, signal=TERM)
+        CPU: 1.176s
+
+Apr 01 14:41:33 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:41:34 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:41:35 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:41:36 wonderland checkusb.sh[3799953]: [+] No usb change...
+Apr 01 14:41:37 wonderland systemd[1]: Stopping usbwatcher.service - usbwatcher...
+Apr 01 14:41:37 wonderland kill[3812926]: kill: failed to parse argument: '/root/checkusb.sh)'
+Apr 01 14:41:37 wonderland systemd[1]: usbwatcher.service: Control process exited, code=exited, status=1/FAILURE
+Apr 01 14:41:37 wonderland systemd[1]: usbwatcher.service: Failed with result 'exit-code'.
+Apr 01 14:41:37 wonderland systemd[1]: Stopped usbwatcher.service - usbwatcher.
+Apr 01 14:41:37 wonderland systemd[1]: usbwatcher.service: Consumed 1.176s CPU time.
+
+
+

Or you can set the /tmp/maintenance flag to 1, but don't forget to set it back to 0 afterward.

+

+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ echo "1" >/tmp/maintenance
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl status usbwatcher.service motionwatcher.service
+● usbwatcher.service - usbwatcher
+     Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 5min ago
+   Main PID: 4087848 (checkusb.sh)
+      Tasks: 2 (limit: 76929)
+     Memory: 584.0K
+        CPU: 1.969s
+     CGroup: /system.slice/usbwatcher.service
+             ├─4087848 /bin/bash /root/checkusb.sh
+             └─4099926 sleep 1
+
+Apr 01 16:19:52 wonderland checkusb.sh[4087848]: [+] No usb change...
+Apr 01 16:19:53 wonderland checkusb.sh[4087848]: [+] No usb change...
+Apr 01 16:19:54 wonderland checkusb.sh[4087848]: [+] No usb change...
+Apr 01 16:19:55 wonderland checkusb.sh[4087848]: [+] No usb change...
+Apr 01 16:19:56 wonderland checkusb.sh[4087848]: [+] No usb change...
+Apr 01 16:19:57 wonderland checkusb.sh[4087848]: [+] No usb change...
+Apr 01 16:19:58 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+Apr 01 16:19:59 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+Apr 01 16:20:00 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+Apr 01 16:20:01 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+
+● motionwatcher.service - motionwatcher
+     Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 5min ago
+   Main PID: 4087847 (checkmovement_r)
+      Tasks: 2 (limit: 76929)
+     Memory: 644.0K
+        CPU: 1.006s
+     CGroup: /system.slice/motionwatcher.service
+             ├─4087847 /bin/bash /root/checkmovement_room.sh
+             └─4099976 sleep 1
+
+Apr 01 16:19:53 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
+Apr 01 16:19:54 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
+Apr 01 16:19:55 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
+Apr 01 16:19:56 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
+Apr 01 16:19:57 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
+Apr 01 16:19:58 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
+Apr 01 16:19:59 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+Apr 01 16:20:00 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+Apr 01 16:20:01 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+Apr 01 16:20:02 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+
+
+

Once your maintenance is over, start them again like so:

+

+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl start motionwatcher.service usbwatcher.service
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl status motionwatcher.service usbwatcher.service
+● motionwatcher.service - motionwatcher
+     Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 14:43:28 CEST; 1s ago
+   Main PID: 3818336 (checkmovement_r)
+      Tasks: 2 (limit: 76929)
+     Memory: 572.0K
+        CPU: 9ms
+     CGroup: /system.slice/motionwatcher.service
+             ├─3818336 /bin/bash /root/checkmovement_room.sh
+             └─3818411 sleep 1
+
+Apr 01 14:43:28 wonderland systemd[1]: Started motionwatcher.service - motionwatcher.
+Apr 01 14:43:28 wonderland checkmovement_room.sh[3818336]: [+] No Room Movement...
+Apr 01 14:43:29 wonderland checkmovement_room.sh[3818336]: [+] No Room Movement...
+
+● usbwatcher.service - usbwatcher
+     Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 14:43:28 CEST; 1s ago
+   Main PID: 3818339 (checkusb.sh)
+      Tasks: 2 (limit: 76929)
+     Memory: 572.0K
+        CPU: 14ms
+     CGroup: /system.slice/usbwatcher.service
+             ├─3818339 /bin/bash /root/checkusb.sh
+             └─3818417 sleep 1
+
+Apr 01 14:43:28 wonderland systemd[1]: Started usbwatcher.service - usbwatcher.
+Apr 01 14:43:28 wonderland checkusb.sh[3818339]: [+] No usb change...
+Apr 01 14:43:29 wonderland checkusb.sh[3818339]: [+] No usb change...
+
+
+

Or by just resetting the /tmp/maintenance flag to 0:

+

+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ echo "0" >/tmp/maintenance
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl status usbwatcher.service motionwatcher.service
+● usbwatcher.service - usbwatcher
+     Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 6min ago
+   Main PID: 4087848 (checkusb.sh)
+      Tasks: 2 (limit: 76929)
+     Memory: 588.0K
+        CPU: 2.035s
+     CGroup: /system.slice/usbwatcher.service
+             ├─4087848 /bin/bash /root/checkusb.sh
+             └─4101731 sleep 1
+
+Apr 01 16:20:26 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+Apr 01 16:20:27 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+Apr 01 16:20:28 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+Apr 01 16:20:29 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+Apr 01 16:20:30 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+Apr 01 16:20:31 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+Apr 01 16:20:32 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
+Apr 01 16:20:33 wonderland checkusb.sh[4087848]: [+] No usb change...
+Apr 01 16:20:34 wonderland checkusb.sh[4087848]: [+] No usb change...
+Apr 01 16:20:35 wonderland checkusb.sh[4087848]: [+] No usb change...
+
+● motionwatcher.service - motionwatcher
+     Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 6min ago
+   Main PID: 4087847 (checkmovement_r)
+      Tasks: 2 (limit: 76929)
+     Memory: 800.0K
+        CPU: 1.050s
+     CGroup: /system.slice/motionwatcher.service
+             ├─4087847 /bin/bash /root/checkmovement_room.sh
+             └─4101784 sleep 1
+
+Apr 01 16:20:27 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+Apr 01 16:20:28 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+Apr 01 16:20:29 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+Apr 01 16:20:30 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+Apr 01 16:20:31 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+Apr 01 16:20:32 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+Apr 01 16:20:33 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
+Apr 01 16:20:34 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
+Apr 01 16:20:35 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
+Apr 01 16:20:36 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
+
+
+ + +

Then we make sure that we get notified by mail if there is any unauthorized SSH login (using knockd and a secret SSH port):

+ + +

+[ Wonderland ] [ /dev/pts/23 ] [~]
+→ apt install knockd
+
+[ Wonderland ] [ /dev/pts/23 ] [~]
+→ vim /etc/knockd.conf
+
+[ Wonderland ] [ /dev/pts/23 ] [~]
+→ cat /etc/knockd.conf
+[options]
+        UseSyslog
+
+[openSSH]
+        sequence    = 7000,8000,9000
+        seq_timeout = 5
+        command     = /usr/bin/systemctl start sshd2
+        tcpflags    = syn
+
+[closeSSH]
+        sequence    = 9000,8000,7000
+        seq_timeout = 5
+        command     = /usr/bin/systemctl stop sshd2
+        tcpflags    = syn
+
+[emergencyshutdown]
+        sequence    = 12345,54321,24680,13579
+        seq_timeout = 5
+        command     = /root/emergencyshutdown.sh
+        tcpflags    = syn
+
+[ Wonderland ] [ /dev/pts/23 ] [~]
+→ cat /etc/default/knockd
+# control if we start knockd at init or not
+# 1 = start
+# anything else = don't start
+# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
+START_KNOCKD=1
+
+# command line options
+KNOCKD_OPTS="-i enp8s0"
+
+[ Wonderland ] [ /dev/pts/23 ] [~]
+→ systemctl restart knockd
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ cat /etc/systemd/system/sshd2.service
+[Unit]
+Description=OpenBSD Secure Shell server
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh2
+ExecStartPre=/usr/sbin/sshd -t
+ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -f /etc/ssh/sshd2_config
+ExecReload=/usr/sbin/sshd -t
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+Type=notify
+RuntimeDirectory=sshd2
+RuntimeDirectoryMode=0755
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd2.service
+
+[ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system]
+→ cat /etc/ssh/sshd2_config| grep Port
+Port 2222
+
+[ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system]
+→ systemctl start sshd2
+
+[ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system]
+→ systemctl status sshd2
+● sshd2.service - OpenBSD Secure Shell server
+     Loaded: loaded (/etc/systemd/system/sshd2.service; disabled; preset: enabled)
+     Active: active (running) since Fri 2024-03-29 13:44:07 CET; 5s ago
+       Docs: man:sshd(8)
+             man:sshd_config(5)
+    Process: 1735677 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
+   Main PID: 1735678 (sshd)
+      Tasks: 1 (limit: 76929)
+     Memory: 1.4M
+        CPU: 10ms
+     CGroup: /system.slice/sshd2.service
+             └─1735678 "sshd: /usr/sbin/sshd -D -f /etc/ssh/sshd2_config [listener] 0 of 10-100 startups"
+
+Mar 29 13:44:07 wonderland systemd[1]: Starting sshd2.service - OpenBSD Secure Shell server...
+Mar 29 13:44:07 wonderland sshd[1735678]: Server listening on 0.0.0.0 port 2222.
+Mar 29 13:44:07 wonderland sshd[1735678]: Server listening on :: port 2222.
+Mar 29 13:44:07 wonderland systemd[1]: Started sshd2.service - OpenBSD Secure Shell server.
+
+#now to open sshd2 on port 2222 you do the following:
+[ mainpc ] [ /dev/pts/4 ] [~/Nextcloud/blog]
+→ for x in 7000 8000 9000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null
+
+[ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system]
+→ systemctl status sshd2
+● sshd2.service - OpenBSD Secure Shell server
+     Loaded: loaded (/etc/systemd/system/sshd2.service; disabled; preset: enabled)
+     Active: active (running) since Fri 2024-03-29 13:55:44 CET; 4min 11s ago
+       Docs: man:sshd(8)
+             man:sshd_config(5)
+    Process: 1807467 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
+   Main PID: 1807468 (sshd)
+      Tasks: 1 (limit: 76929)
+     Memory: 1.4M
+        CPU: 12ms
+     CGroup: /system.slice/sshd2.service
+             └─1807468 "sshd: /usr/sbin/sshd -D -f /etc/ssh/sshd2_config [listener] 0 of 10-100 startups"
+
+Mar 29 13:55:44 wonderland systemd[1]: Starting sshd2.service - OpenBSD Secure Shell server...
+Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on 0.0.0.0 port 2222.
+Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on :: port 2222.
+Mar 29 13:55:44 wonderland systemd[1]: Started sshd2.service - OpenBSD Secure Shell server.
+
+#now to close sshd2 on port 2222 you do the following:
+[ mainpc ] [ /dev/pts/4 ] [~/Nextcloud/blog]
+→ for x in 9000 8000 7000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null
+
+[ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system]
+→ systemctl status sshd2
+● sshd2.service - OpenBSD Secure Shell server
+     Loaded: loaded (/etc/systemd/system/sshd2.service; disabled; preset: enabled)
+     Active: active (running) since Fri 2024-03-29 13:55:44 CET; 4min 11s ago
+       Docs: man:sshd(8)
+             man:sshd_config(5)
+    Process: 1807467 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
+   Main PID: 1807468 (sshd)
+      Tasks: 1 (limit: 76929)
+     Memory: 1.4M
+        CPU: 12ms
+     CGroup: /system.slice/sshd2.service
+             └─1807468 "sshd: /usr/sbin/sshd -D -f /etc/ssh/sshd2_config [listener] 0 of 10-100 startups"
+
+Mar 29 13:55:44 wonderland systemd[1]: Starting sshd2.service - OpenBSD Secure Shell server...
+Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on 0.0.0.0 port 2222.
+Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on :: port 2222.
+Mar 29 13:55:44 wonderland systemd[1]: Started sshd2.service - OpenBSD Secure Shell server.
+
+
+
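Review bot: the `[openSSH]` command starts `sshd2` listening on `0.0.0.0` port 2222 for every source address, not only for the host that knocked, and it stays up until someone sends the close sequence. The sequence is three plain SYN packets that anyone on the path can observe and repeat, so the knock only reduces noise and `sshd2_config` still has to enforce key-only authentication. Consider having the knock add a firewall rule scoped to knockd's `%IP%` token, with `cmd_timeout` and `stop_command` to remove it, instead of starting the daemon globally. Two further points: `ExecStartPre=/usr/sbin/sshd -t` validates the default config rather than `/etc/ssh/sshd2_config` (add `-f /etc/ssh/sshd2_config`), and the `systemctl status sshd2` output shown after the close knock is identical to the one after the open knock (same PID 1807468, still `active (running)`), so it does not demonstrate that the service was stopped.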

Now that we have set up the real sshd service, we can edit the original sshd service to become a trap like so:

+

+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ vim emergencyshutdown.sh
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ chmod +x emergencyshutdown.sh
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ cat emergencyshutdown.sh
+#!/bin/bash
+echo "Unauthorized, reporting incident to administrator, and performing emergency shutdown"
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ vim /etc/ssh/sshd_config
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ tail -n10 /etc/ssh/sshd_config
+
+Match Group root,sudo
+      ForceCommand /root/emergencyshutdown.sh
+      AllowTcpForwarding no
+      PermitTunnel no
+      X11Forwarding no
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl restart sshd
+
+[ Wonderland ] [ /dev/pts/5 ] [~]
+→ systemctl status sshd
+● ssh.service - OpenBSD Secure Shell server
+     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2024-04-01 10:31:40 CEST; 3s ago
+       Docs: man:sshd(8)
+             man:sshd_config(5)
+    Process: 3103408 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
+   Main PID: 3103410 (sshd)
+      Tasks: 1 (limit: 76929)
+     Memory: 1.4M
+        CPU: 10ms
+     CGroup: /system.slice/ssh.service
+             └─3103410 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
+
+Apr 01 10:31:40 wonderland systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
+Apr 01 10:31:40 wonderland sshd[3103410]: debug1: Set /proc/self/oom_score_adj from 0 to -1000
+Apr 01 10:31:40 wonderland sshd[3103410]: debug1: Bind to port 22 on 0.0.0.0.
+Apr 01 10:31:40 wonderland systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
+Apr 01 10:31:40 wonderland sshd[3103410]: Server listening on 0.0.0.0 port 22.
+Apr 01 10:31:40 wonderland sshd[3103410]: debug1: Bind to port 22 on ::.
+Apr 01 10:31:40 wonderland sshd[3103410]: Server listening on :: port 22.
+
+
+
+
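Review bot: `emergencyshutdown.sh` as added here only echoes a message; it neither mails the administrator nor shuts anything down, so both the trap on port 22 and the `[emergencyshutdown]` knock sequence announce an action that does not happen. Add the notification and the shutdown call to the script, or reword the message. In the `sshd_config` lines, `Match Group root,sudo` applies the `ForceCommand` only to members of those two groups; an account outside them still gets a normal shell on port 22, so use `Match all` or add an `AllowGroups` restriction to cover every login.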

With this in place, the trap SSH service on port 22 forces the execution of our emergency shutdown script, and nothing else, if any user manages to log in. This means the only way to get in is through sshd2 on port 2222 after doing the port knocking procedure:

+

+
+#testing to login on port 22 shows that the emergencyshutdown script is triggered:
+[ mainpc ] [ /dev/pts/7 ] [~]
+→ ssh root@192.168.0.100 -i ~/.ssh/torified
+Enter passphrase for key '/home/nihilist/.ssh/torified':
+Unauthorized, reporting incident to administrator, and performing emergency shutdown 
+Connection to 192.168.0.100 closed.
+
+#trying to evade the forced command execution fails:
+[ mainpc ] [ /dev/pts/7 ] [~]
+→ ssh root@192.168.0.100 -i ~/.ssh/torified  bash
+Enter passphrase for key '/home/nihilist/.ssh/torified':
+Unauthorized, reporting incident to administrator, and performing emergency shutdown
+
+#so in order to login we need to open the secret sshd2 port with the specific port knocking procedure as follows:
+[ mainpc ] [ /dev/pts/7 ] [~]
+→ for x in 7000 8000 9000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null
+
+#now that the port knocking is completed, we can login via ssh on port 2222:
+[ mainpc ] [ /dev/pts/7 ] [~]
+→ ssh root@192.168.0.100 -i ~/.ssh/torified  -p 2222
+Enter passphrase for key '/home/nihilist/.ssh/torified':
+Linux wonderland 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+Web console: https://wonderland:9090/ or https://192.168.0.100:9090/
+
+Last login: Mon Apr  1 10:34:46 2024 from 192.168.0.61
+
+#login successful, without any forced command execution
+[ Wonderland ] [ /dev/pts/25 ] [~]
+→ id
+uid=0(root) gid=0(root) groups=0(root),104(kvm),126(libvirt)
+
+[ Wonderland ] [ /dev/pts/25 ] [~]
+→ exit
+Connection to 192.168.0.100 closed.
+
+#maintenance is over, we then close the sshd2 port.
+[ mainpc ] [ /dev/pts/7 ] [~]
+→ for x in 9000 8000 7000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null
+
+#we then verify that the port is closed.
+[ mainpc ] [ /dev/pts/7 ] [~]
+→ ssh root@192.168.0.100 -i ~/.ssh/torified  -p 2222
+ssh: connect to host 192.168.0.100 port 2222: Connection refused
+
+
+
+ +

Next, to make sure that failed ssh login attempts get banned with fail2ban, we make sure that sshd outputs to auth.log, that way we ward off any potential ssh bruteforce attack, you can check out how to setup fail2ban with this tutorial to know how to do it.

+ + + +
+
+
+
+
+
+
+
+

Clientside precautions



+

So here we want to mke a bash/zsh command function to simplify the opening and closing of the secret ssh port. You can use the one i made below for the same:

+

+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ vim ~/.zshrc
+
+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ zsh
+
+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ which secretssh
+secretssh () {
+        if [[ $# -ne 6 ]]
+        then
+                echo "incorrect, use the following syntax:" >&2
+                echo "secretssh 192.168.0.1 111 222 333 wonderland 2222" >&2
+                echo "192.168.0.1 = host to port knock to" >&2
+                echo "111 222 333 = port knocking procedure to OPEN the port (in reverse = close the port)" >&2
+                echo "wonderland = ssh alias to connect to." >&2
+                echo "2222 = the secret ssh port to connect to" >&2
+        else
+                echo "OPENIGN SECRET SSH: port knocking $1 with sequence $2 $3 $4"
+                for x in $2 $3 $4
+                do
+                        nmap -Pn --max-retries 0 -p $x $1
+                done > /dev/null
+                sleep 1
+                ssh $5 -p $6
+                echo "CLOSING SECRET SSH: port knocking $1 with sequence $4 $3 $2"
+                for x in $4 $3 $2
+                do
+                        nmap -Pn --max-retries 0 -p $x $1
+                done > /dev/null
+        fi
+}
+
+
+

you can test it as follows, using an ssh alias (which doesn't reveal the secret ssh port!):

+

+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ cat ~/.ssh/config
+Host wonderland
+        User root
+        Hostname 192.168.0.100
+        IdentityFile ~/.ssh/torified
+
+
+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
+number of arguements: 6
+opening secret ssh port:
+port knocking 192.168.0.100 with sequence 7000 8000 9000
+Enter passphrase for key '/home/nihilist/.ssh/torified':
+Linux wonderland 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+Web console: https://wonderland:9090/ or https://192.168.0.100:9090/
+
+Last login: Mon Apr  1 11:32:21 2024 from 192.168.0.61
+
+[ Wonderland ] [ /dev/pts/25 ] [~]
+→ id
+uid=0(root) gid=0(root) groups=0(root),104(kvm),126(libvirt)
+
+[ Wonderland ] [ /dev/pts/25 ] [~]
+→ exit
+Connection to 192.168.0.100 closed.
+closing secret ssh port:
+port knocking 192.168.0.100 with sequence 9000 8000 7000
+
+
+

That way, we make sure that we do not hardcode the port sequence to open/close the secret ssh port, and we also make sure that the secret ssh port is not revealed. This means that from now on you will need to remember the port sequence to open the secret ssh port, and also the secret ssh port itself. Without those, you will be unable to login to the server.

+

Now however the risk is that you'd reveal the port sequence and ssh port from the bash or zsh history file:

+

+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ history | grep secretssh
+  534  secretssh
+  535  secretssh 111 222 333
+  537  secretssh 111 222 333
+  539  secretssh 111 222 333
+  540  secretssh 192.168.0.100 111 222 333
+  542  secretssh 111 222 333
+  543  secretssh 192.168.0.100 111 222 333 333
+  544  secretssh 192.168.0.100 111 222 333 333 444
+  546  secretssh 192.168.0.100 111 222 333 333 444
+  547  secretssh 192.168.0.100 111 222 333 333
+  548  secretssh 192.168.0.100 111 222 333
+  549  secretssh 192.168.0.100 111 222
+  550  secretssh 192.168.0.100 111
+  553  secretssh 192.168.0.100 111
+  554  secretssh 192.168.0.100 111 222
+  555  secretssh 192.168.0.100 111 222 333
+  556  secretssh 192.168.0.100 111 222 333 444
+  557  secretssh 192.168.0.100 111 222 333 444 555
+  558  secretssh 192.168.0.100 111 222 333 666
+  559  secretssh 192.168.0.100 111
+  560  secretssh 192.168.0.100 111 222
+  561  secretssh 192.168.0.100 111 222 333
+  564  secretssh 192.168.0.100 111 222 333
+  565  secretssh 192.168.0.100 111 222 333 wonderland
+  568  secretssh 192.168.0.100 111 222 333 wonderland
+  569  secretssh 192.168.0.100 111 222 333 wonderland 2222
+  571  secretssh 192.168.0.100 111 222 333 wonderland 2222
+  572  secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
+  574  secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
+  576  secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
+  578  secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
+  580  secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
+  582  secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
+  583  which secretssh
+  586  which secretssh
+  588  which secretssh
+
+
+

so let's make sure that there is a cronjob that runs on the clientside to sed out the lines containing ssh, scp, rsync, nmap and secretssh on the /home/*/.zsh_history files:

+

+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ sed -i s'/.*nmap.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
+sed: can't read /root/.zsh_history: Permission denied
+sed: can't read /root/.bash_history: Permission denied
+
+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ zsh
+
+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ history | grep nmap
+  602  history | grep nmap
+
+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ sudo crontab -e
+
+* * * * * sed -i s'/.*nmap.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
+* * * * * sed -i s'/.*ssh.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
+* * * * * sed -i s'/.*scp.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
+* * * * * sed -i s'/.*rsync.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
+* * * * * sed -i s'/.*secretssh.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
+
+
+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ history | grep secretssh
+  582  secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
+  588  which secretssh
+  590  history | grep secretssh
+
+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ /usr/bin/sed -i s'/.*secretssh.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
+
+/usr/bin/sed: can't read /root/.zsh_history: Permission denied
+/usr/bin/sed: can't read /root/.bash_history: Permission denied
+
+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ zsh
+
+[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
+→ history | grep secretssh
+  611  history | grep secretssh
+
+
+

And that's it! now we have a secure way of accessing the server, without revealing the port knocking sequence nor the secret ssh port.

+
+
+
+
+
+
+
+
+

UPS setup in case of a power outage (WIP)



+

TODO: Then we make sure that when the power goes out, the UPS gives the signal for the homeserver to do the emergency shutdown script before shutting down, in order to hide the content of the server, before gracefully shutting down.

+

+
+

Next step is to look at how to make sure the .onion service keeps running even after shutting down the entire homeserver, to make sure that it is impossible to prove that you are maintaining the sensitive service. We'll go into it with how Endgame V3 can be setup in a future tutorial.

+ +
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
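Review bot: In the `sudo crontab -e` block, the five `sed -i s'/.*PATTERN.*//gi'` entries blank the matching lines instead of deleting them, so the history files accumulate empty lines, and the `.*ssh.*` entry already matches every `secretssh` line, which makes the last entry redundant. A single entry that deletes the matches would do, for example `sed -i -E '/nmap|ssh|scp|rsync/Id'` with the same file list (GNU sed, as already assumed by the `gi` flags). Separately, the `secretssh` function printed by `which secretssh` echoes "OPENIGN SECRET SSH: ..." (typo), while the test transcript prints "number of arguements: 6" and "opening secret ssh port:", so the listing and its sample output come from different versions of the function; regenerate one of them so they match.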
+ + + + + + + diff --git a/servers/plausiblydeniabledataprotection/0.1.png b/servers/plausiblydeniabledataprotection/0.1.png new file mode 100644 index 0000000..352c408 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/0.1.png differ diff --git a/servers/plausiblydeniabledataprotection/0.png b/servers/plausiblydeniabledataprotection/0.png new file mode 100644 index 0000000..072fa58 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/0.png differ diff --git a/servers/plausiblydeniabledataprotection/1.png b/servers/plausiblydeniabledataprotection/1.png new file mode 100644 index 0000000..98b551f Binary files /dev/null and b/servers/plausiblydeniabledataprotection/1.png differ diff --git a/servers/plausiblydeniabledataprotection/10.png b/servers/plausiblydeniabledataprotection/10.png new file mode 100644 index 0000000..956eeb2 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/10.png differ diff --git a/servers/plausiblydeniabledataprotection/11.png b/servers/plausiblydeniabledataprotection/11.png new file mode 100644 index 0000000..c99f5cb Binary files /dev/null and b/servers/plausiblydeniabledataprotection/11.png differ diff --git a/servers/plausiblydeniabledataprotection/12.png b/servers/plausiblydeniabledataprotection/12.png new file mode 100644 index 0000000..6ba7752 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/12.png differ diff --git a/servers/plausiblydeniabledataprotection/13.png b/servers/plausiblydeniabledataprotection/13.png new file mode 100644 index 0000000..cb347f1 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/13.png differ diff --git a/servers/plausiblydeniabledataprotection/14.png b/servers/plausiblydeniabledataprotection/14.png new file mode 100644 index 0000000..007662c Binary files /dev/null and b/servers/plausiblydeniabledataprotection/14.png differ 
diff --git a/servers/plausiblydeniabledataprotection/15.png b/servers/plausiblydeniabledataprotection/15.png new file mode 100644 index 0000000..4fe9892 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/15.png differ diff --git a/servers/plausiblydeniabledataprotection/16.png b/servers/plausiblydeniabledataprotection/16.png new file mode 100644 index 0000000..843c868 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/16.png differ diff --git a/servers/plausiblydeniabledataprotection/17.png b/servers/plausiblydeniabledataprotection/17.png new file mode 100644 index 0000000..b35e704 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/17.png differ diff --git a/servers/plausiblydeniabledataprotection/18.png b/servers/plausiblydeniabledataprotection/18.png new file mode 100644 index 0000000..2d974fe Binary files /dev/null and b/servers/plausiblydeniabledataprotection/18.png differ diff --git a/servers/plausiblydeniabledataprotection/19.png b/servers/plausiblydeniabledataprotection/19.png new file mode 100644 index 0000000..202e621 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/19.png differ diff --git a/servers/plausiblydeniabledataprotection/2.png b/servers/plausiblydeniabledataprotection/2.png new file mode 100644 index 0000000..52ef871 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/2.png differ diff --git a/servers/plausiblydeniabledataprotection/20.png b/servers/plausiblydeniabledataprotection/20.png new file mode 100644 index 0000000..73df7f8 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/20.png differ diff --git a/servers/plausiblydeniabledataprotection/3.png b/servers/plausiblydeniabledataprotection/3.png new file mode 100644 index 0000000..daf616a Binary files /dev/null and b/servers/plausiblydeniabledataprotection/3.png differ 
diff --git a/servers/plausiblydeniabledataprotection/4.png b/servers/plausiblydeniabledataprotection/4.png new file mode 100644 index 0000000..f8733b0 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/4.png differ diff --git a/servers/plausiblydeniabledataprotection/5.png b/servers/plausiblydeniabledataprotection/5.png new file mode 100644 index 0000000..8c02ec4 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/5.png differ diff --git a/servers/plausiblydeniabledataprotection/6.png b/servers/plausiblydeniabledataprotection/6.png new file mode 100644 index 0000000..4dd547c Binary files /dev/null and b/servers/plausiblydeniabledataprotection/6.png differ diff --git a/servers/plausiblydeniabledataprotection/7.png b/servers/plausiblydeniabledataprotection/7.png new file mode 100644 index 0000000..9139d18 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/7.png differ diff --git a/servers/plausiblydeniabledataprotection/8.png b/servers/plausiblydeniabledataprotection/8.png new file mode 100644 index 0000000..1d0d34e Binary files /dev/null and b/servers/plausiblydeniabledataprotection/8.png differ diff --git a/servers/plausiblydeniabledataprotection/9.png b/servers/plausiblydeniabledataprotection/9.png new file mode 100644 index 0000000..016e246 Binary files /dev/null and b/servers/plausiblydeniabledataprotection/9.png differ diff --git a/servers/plausiblydeniabledataprotection/index.html b/servers/plausiblydeniabledataprotection/index.html new file mode 100644 index 0000000..8d4b5e2 --- /dev/null +++ b/servers/plausiblydeniabledataprotection/index.html @@ -0,0 +1,204 @@ + + + + + + + + + + + Plausibly Deniable Data Protection Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-03-10

+

Plausibly Deniable Data Protection Setup

+ +

In this tutorial we're going to look at how you can backup your critical data (Keepass accesses, pgp key, ssh key, etc) while still maintaining the plausible deniability.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+
DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling +

+source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
+
+regarding wear leveling:
+"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
+
+
+ + +

First install veracrypt in the plausibly deniable whonix VM (for more details on how to set that environment up in this previous tutorial), go there to download the latest .deb package:

+

+wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-1.26.7-Debian-12-amd64.deb
+
+dpkg -i veracrypt-1.26.7-Debian-12-amd64.deb 
+apt install -f
+dpkg -i veracrypt-1.26.7-Debian-12-amd64.deb 
+	
+
+

Once veracrypt is setup, we're going to create a small volume with a hidden partition, which will contain all of your critical data, and the decoy partition will contain a weekly diary.

+

So let's create the volume, we want to keep the size to be low so that it will contain only the critical information.

+ + + + + + + + + + + + + + +

Note: It is important to make sure that the decoy partition is changed everytime the hidden partition is changed, because as it is detailed here it is not advised to backup veracrypt drives online because cloud services almost always retain history of files, meaning if you give your decoy password to all of the previous veracrypt file versions, it must justify that the entire container is different. If the entire container is different while the decoy partition is the same, it means that an adversary can prove that there is a hidden partition. Hence there needs to be a procedure as to how you backup your veracrypt volume online.

+

+Weekly procedure to backup your critical data:
+-open the hidden volume of the veracrypt volume diary.vc
+-backup all of your critical data (ssh config, ssh keys, pgp keys, keepass .kdbx files, etc.) (max size= 10Mb)
+-close the hidden volume
+-open the decoy volume of the veracrypt volume diary.vc
+-recap your week in a small text file, name it with today's date. (don't reveal the presence of a hidden file in the text content)
+-close the decoy volume
+
+ONLY THEN the veracrypt volume is completed, and can be backed up somewhere else:
+-copy it to your mainpc, laptop, homeserver and phone
+-copy it to a usb key, which is to be hidden somewhere
+-hide it in plain sight using steghide inside of a very large image.
+
+
+

Now let's take a look at how this looks like once it's applied:

+ + +
+
+
+
+ +
+
+
+
+

Backup Procedure



+

First we open the hidden volume:

+ + +

Backup all of your critical data (ssh config, ssh keys, pgp keys, keepass .kdbx files, etc.) (max size= 10Mb)

+ +

Then close the hidden volume:

+ +

Open the decoy volume of the veracrypt volume diary.vc

+ +

write something in there such as your week in a small text file, name it with today's date. (don't reveal the presence of a hidden file in the text content). This is just an example as to what content you could put there. Goal is that the content must make sense in case if you're forced to type in your password there. Second goal is that for each veracrypt hidden volume changes that occur, the content of the decoy partition must also change because otherwise it will reveal the existance of the hidden volume if the remote server keeps the previous versions of each file.

+ +

Once you have closed the decoy volume, the veracrypt volume is ready to be backed up:

+ +

copy it to a server (wherever you want online), and then copy the file on your mainpc, your laptop and then you can also put it on a usb key to be hidden somewhere.

+ +

Like so you're covered in case if you are forced to give away your password, and in case if an adversary fills the decoy partitions of your veracrypt volumes in an attempt to destroy the hidden partitions.

+

You can get creative as to how you choose to hide the veracrypt volume aswell, such as replacing a random linux binary in the /bin/ folder, or a library in /lib, or a file in /etc/, burying the usb key somewhere underground, etc

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
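Review bot: The install block (wget of veracrypt-1.26.7-Debian-12-amd64.deb followed by dpkg -i) installs the downloaded package as root without checking its signature or checksum, which is a gap on a page written for readers facing a forensic adversary. Add a verification step before the first dpkg -i, and consider replacing the dpkg -i / apt install -f / dpkg -i sequence with a single `apt install ./veracrypt-1.26.7-Debian-12-amd64.deb`, which resolves the dependencies in one pass. Also, the weekly procedure lists a phone copy and steghide, but the "Backup Procedure" section never covers either, and "10Mb" should read "10MB" if megabytes are meant.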
+ + + + + + + diff --git a/servers/privacy/1.png b/servers/privacy/1.png new file mode 100644 index 0000000..156ad4e Binary files /dev/null and b/servers/privacy/1.png differ diff --git a/servers/privacy/index.html b/servers/privacy/index.html new file mode 100644 index 0000000..e954656 --- /dev/null +++ b/servers/privacy/index.html @@ -0,0 +1,171 @@ + + + + + + + + + + + What is Privacy ? Why is it Important ? + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-14

+

What is Privacy ? Why is it Important ?

+

This is where the Journey begins. We're going to look at why you should bother with Privacy first of all, and what it is exactly.

+ +
+
+
+
+ + +
+
+
+
+

What is Privacy ?

+ +

In short, Privacy means that you are not under surveillance. In this example, Bob wants to talk to Alice privately, so he shuts the door on the prying eyes of Jack. So that he can't hear their conversation.

+

Privacy is Bob and Alice's ability to seclude themselves from the awareness of others. It is the ability that Bob has, to close the door on Jack, so that he cannot see his actions anymore.

+
+
+
+
+ +
+
+
+
+

The Enemy of Privacy is Surveillance



+

Make no mistake, as we discussed previously, governments NEED surveillance to be able to fulfill the first condition to be able to enforce their laws: They need to know what happened. To be able to know what happened, they need surveillance to be implemented wherever they can, and it is definitely easy for them to force large businesses providing large centralised services to act on their behalf.

+

Yes, ANY company can act on any government's behalf. Take for example Microsoft spying on everyone through their closed source software Windows 10, or Apple spying on their users through their MacOS closed-source software, The US government is very open about it (see FISA 702).

+

In this current world we live in, Surveillance is nearly omnipresent, where there is a business involved, and especially closed-source software, Surveillance is right there.

+ +

Here's an example where Bob (which represents nearly 99% of the people out there) is being spied on by:

+
    +
  1. Microsoft (because Bob uses Windows)

  2. +
  3. Google (because he uses Google and Google Chrome)

  4. +
  5. Bob's ISP (because he doesnt use a VPN nor Tor)

  6. +
+

If Bob were to do something sketchy using his computer, Law Enforcement would obtain all the information they need to know what Bob did, because he used Windows, Google Chrome, and no VPN/Anonymization network.

+

And it does not stop there, even when LE is not involved, politicians can also request and pay to get private user data, at the discretion of those large companies that specialize on infringing upon users' privacy for their own profit (see the cambridge analytica scandal).

+

Your personal data is being sold by large corporations, for their own profit, and your consent is of no concern to them.

+ + +
+
+
+
+ + + +
+
+
+
+

Why is Privacy Important?



+

Ask yourself this simple question: "Who should be aware of what i do ?"

+

Let's take the most common example you can encounter: "Should a company (such as Microsoft) be able to spy on what I do with my computer ?"

+

How many people are we talking about exactly ? How big is Microsoft Corporation ? How many of them can see what you do with your computer ?

+ +

In other words, are you ok with having an entire crowd being aware of your actions ?

+

You better be a good speaker if that is the intent, remain aware that you are stepping up on a stage for many people to see what you are doing, when using closed-source software.

+

Is that normal to you ? Do you like putting your every action on display for everyone to see ?

+

If your answer to that question is no, Then it's time for you to close the curtains, so that this crowd can't see anymore. To close the curtain, you need to stop using closed-source software.

+ + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
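Review bot: The closing advice in "Why is Privacy Important?" ("To close the curtain, you need to stop using closed-source software") covers only two of the three observers listed in the Bob example; Bob's ISP, listed because he uses neither a VPN nor Tor, is not addressed by changing software. Add a sentence on the network side or point to the tutorial that covers it. The "nearly 99% of the people out there" figure in the same example has no source; reword it or cite one.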
+ + + + + + + diff --git a/servers/privacyvsanonymity/1.png b/servers/privacyvsanonymity/1.png new file mode 100644 index 0000000..c3be08d Binary files /dev/null and b/servers/privacyvsanonymity/1.png differ diff --git a/servers/privacyvsanonymity/2.png b/servers/privacyvsanonymity/2.png new file mode 100644 index 0000000..510472b Binary files /dev/null and b/servers/privacyvsanonymity/2.png differ diff --git a/servers/privacyvsanonymity/3.png b/servers/privacyvsanonymity/3.png new file mode 100644 index 0000000..124880e Binary files /dev/null and b/servers/privacyvsanonymity/3.png differ diff --git a/servers/privacyvsanonymity/4.png b/servers/privacyvsanonymity/4.png new file mode 100644 index 0000000..70b2c15 Binary files /dev/null and b/servers/privacyvsanonymity/4.png differ diff --git a/servers/privacyvsanonymity/index.html b/servers/privacyvsanonymity/index.html new file mode 100644 index 0000000..80cfdd3 --- /dev/null +++ b/servers/privacyvsanonymity/index.html @@ -0,0 +1,201 @@ + + + + + + + + + + + Privacy is not enough, Anonymity is what you need + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-25

+

Privacy is not enough, Anonymity is what you need

+

+ +
+
+
+
+ + +
+
+
+
+

What is Privacy?

+

Analogy

+

+Alice is talking to Bob, but Jack can hear their conversation, they have no privacy.
+Alice is talking to Bob, behind closed doors. Jack can't hear their conversation, they now have privacy.
+	
+
+

+ + + + +

The most common place you hear about privacy nowadays is with VPNs, it's their favorite marketing word:

+

+

+

+

+

+	
+
+ +

+ +

+	
+
+
+
+
+
+ +
+
+
+
+

Setup



+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Setup



+

+

+	
+
+ +

+

+	
+
+ +

+

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
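Review bot: After the "What is Privacy?" analogy, the page consists of two sections both titled "Setup" with no text in them, and the sentence "The most common place you hear about privacy nowadays is with VPNs, it's their favorite marketing word:" ends in a colon with no text following it. The "Setup" headings look like template leftovers, and nothing on the page yet addresses the anonymity half of the title. Either mark the page as WIP, as the UPS section elsewhere in this commit does, or hold it back until the sections are written and titled.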
+ + + + + + + diff --git a/servers/sensitiveremotevshome/1.png b/servers/sensitiveremotevshome/1.png new file mode 100644 index 0000000..7c3d40c Binary files /dev/null and b/servers/sensitiveremotevshome/1.png differ diff --git a/servers/sensitiveremotevshome/2.png b/servers/sensitiveremotevshome/2.png new file mode 100644 index 0000000..7c6a1e6 Binary files /dev/null and b/servers/sensitiveremotevshome/2.png differ diff --git a/servers/sensitiveremotevshome/index.html b/servers/sensitiveremotevshome/index.html new file mode 100644 index 0000000..8bb5853 --- /dev/null +++ b/servers/sensitiveremotevshome/index.html @@ -0,0 +1,182 @@ + + + + + + + + + + + Sensitive .onion Services: Self-Host or Host Remotely ? + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-29

+

Sensitive .onion Services: Self-Host or Host Remotely ?

+ +
+
+
+
+ + +
+
+
+
+

The Context

+

A popular debate that keeps reoccuring, is where exactly can you run sensitive .onion services.

+

It comes with 2 challenges:

+
    +
  1. Running the service, with as much uptime as possible (making sure it keeps running in case of takedowns)

  2. +
  3. Making sure you can't be traced back as the owner/administrator of the server

  4. +
+

Out of those requirements, we have 2 possibilities as to where you can run a sensitive service.

+
+
+
+
+ +
+
+
+
+

Self Hosting : Full Physical Control but Risky!



+ +Pros: +

Everyone has an internet connection, and if you live in a country that does not actively sensor the tor network, it can be interesting to host your own physical server which runs your hidden .onion service

+

If you have your own physical server at home, it means you have complete control over the physical proximity of the server itself. as i detailed in my tutorial on physical security there are many things you can do to detect if an adversary is breaking into your home to try and find if you host a hidden service (such as movement detection, unauthorized ssh detection, unauthorized USB interaction detection, etc)

+

In short, it's ideal if the technology is perfect and never has any flaws, but you can't ever be sure of that, (for example: Tor had security flaws in the past)

+
+
+Cons: +

Almost everyone has an internet connection at home, that is tied to your real name. Due to that fact alone, most people refuse to host anything sensitive locally.

+

The strategy here is "I use secure technology, come at me!", if there is any undisclosed flaw/ 0day vulnerability in anything related to the technology used (tor, veracrypt, etc), an adversary could reveal the location of the server, and try to get their hands on the server.

+

If the adversary has the ability to crack open the security of the technology used (very unlikely but possible), you're screwed, because the server sits at your home, and they 100% know it is yours in case if the technology fails to protect your service along the way.

+ +
+
+
+
+ + + +
+
+
+
+

Remote Hosting: No Physical Control but Safer!



+ +Cons: +

Since the Idea here is to run the sensitive service (and most of the time, it's not allowed by the cloud provider), If there is no redundancy / high availability, The longevity of the service would depend on how long the service remains unnoticed by the cloud provider.

+

If the longevity of the service is of concern, you have to take into account that the service is very likely to get taken down regularly. So to avoid downtimes, you will have to scale up and implement high availability, this is multiplying the costs per new server

+

Since the goal is for a service to remain undetected for as long as possible on each server, you will have to stay away from VPSes as their kernels often come with monitoring modules, you will need a dedicated server, with the ability to upload your custom ISO

+

You will also need to monitor for any physical interaction with the server, in order to protect the plausible deniability inside the server, for any unauthorized change or interaction by the cloud provider, there must be an immediate emergency shutdown to be triggered.

+ +

And you will need to perform integrity checks after each unauthorized server maintenance to make sure that there are no spyware installed on your server, that may compromise the confidentialtiy from the cloud provider itself.

+

In theory, since the server is not there physically with you, you can't fully protect it physically, you can't just encrypt all of the contents of the RAM to protect against cold boot attacks.

+ +
+
Pros: +

As i have detailed in my tutorial on how to acquire remote servers anonymously, if you make sure that you anonymously:

+
    +
  1. Create an account on the cloud provider (via TOR)
  2. +
  3. Pay for the server (via Monero)
  4. +
  5. Access the server (ssh through tor)
  6. +
+

You will be safe to assume that whatever happens on that server, it won't get tied back to you

+

The strategy here is "Whatever I do, I do it as far away from my real identity!", this anonymity safeguard is what many consider worth all the trouble mentionned before.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
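Review bot: In the Remote Hosting "Pros" list, "You will be safe to assume that whatever happens on that server, it won't get tied back to you" is stated without the caveat that the Self Hosting "Cons" apply to the same tooling (an undisclosed flaw or 0day in Tor). Account creation and ssh access both go through Tor here, so the claim should be qualified the same way. The two sections also order their lists differently (Pros then Cons for self hosting, Cons then Pros for remote hosting), and "actively sensor the tor network" should read "censor".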
+ + + + + + + diff --git a/servers/serverside.png b/servers/serverside.png new file mode 100644 index 0000000..e232c61 Binary files /dev/null and b/servers/serverside.png differ diff --git a/servers/serversideencryption/1.png b/servers/serversideencryption/1.png new file mode 100644 index 0000000..b17c11a Binary files /dev/null and b/servers/serversideencryption/1.png differ diff --git a/servers/serversideencryption/2.png b/servers/serversideencryption/2.png new file mode 100644 index 0000000..07b6104 Binary files /dev/null and b/servers/serversideencryption/2.png differ diff --git a/servers/serversideencryption/3.png b/servers/serversideencryption/3.png new file mode 100644 index 0000000..5f6577b Binary files /dev/null and b/servers/serversideencryption/3.png differ diff --git a/servers/serversideencryption/4.png b/servers/serversideencryption/4.png new file mode 100644 index 0000000..a00341d Binary files /dev/null and b/servers/serversideencryption/4.png differ diff --git a/servers/serversideencryption/5.png b/servers/serversideencryption/5.png new file mode 100644 index 0000000..de9e938 Binary files /dev/null and b/servers/serversideencryption/5.png differ diff --git a/servers/serversideencryption/index.html b/servers/serversideencryption/index.html new file mode 100644 index 0000000..5deec71 --- /dev/null +++ b/servers/serversideencryption/index.html @@ -0,0 +1,163 @@ + + + + + + + + + + + Serverside: Should I trust serverside encryption? Should I use PGP? + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-05-01

+

Serverside: Should I trust serverside encryption? Should I use PGP?

+ +
+
+
+
+ + +
+
+
+
+

Clientside Encryption: Who can be trusted ?

+

As we discussed previously, Encryption is about providing privacy, Bob and Alice use encryption, for their conversation to remain private from the adversary Jack.

+ +

One way to close the door on Jack, is to use PGP encryption:

+ +

the logic behind using PGP encryption is for Bob and Alice to encrypt their conversation themselves, because they don't trust anyone else. Bob encrypts his message using PGP, and no matter where he sends it (over mail, over discord, over IRC, XMPP, facebook, etc) only Alice will be able to decrypt the message.

+

In short, Bob uses PGP because he doesn't trust the platform on which you wish to talk to Alice.

+
+
+
+
+ +
+
+
+
+

Serverside Encryption: a Phallacy



+

When we are talking about Serverside Encryption, Who is Bob, Who is Alice and Who is Jack ?

+

In the case of the Incognito Market, an illegal Darknet Market (DNM), the platform admins told it's users to trust their own encryption

+ +

What happens here, is that Bob decides to trust Jack with the confidentiality of his data, instead of encrypting his sensitive data with PGP. What can happen from there ?

+ +
+
+
+
+ + + +
+
+
+
+

The consequences of trusting Serverside Encryption



+

Darknet Markets have 2 possible ends: they are either seized by authorities, or they are exit-scamming with their users' cryptocurrencies that are still in custody.

+

In the case of Incognito Market, they exit scammed, but something else happened:

+ +

There is a third exit option for DNMs : they can extort all of the users who decided to trust serverside encryption.

+ +

They saved every unencrypted message (including Bob and Alice's unencrypted messages), and they decided to extort them, by threatening them to give out their sensitive data (such as their home adress), to the authorities.

+

All of that situation could have been avoided if Bob and Alice didn't trust the platform with serverside encryption.

+

In short, never trust serverside encryption, the only encryption you can trust, is your own encryption (such as using PGP encryption).

+

To learn how to use PGP, check out this tutorial.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
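Review bot: The section "The consequences of trusting Serverside Encryption" skips the step its argument depends on: it says the admins "saved every unencrypted message" but never states that with serverside encryption the plaintext reaches the server before it is encrypted, so the operator can always keep a copy. Add that sentence before the extortion paragraph. Wording fixes in the same hunk: the heading "Phallacy" should be "Fallacy", "told it's users" should be "its users", "adress" should be "address", and "the platform on which you wish to talk to Alice" switches from Bob to "you" mid-sentence.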
+ + + + + + + diff --git a/servers/su0.png b/servers/su0.png new file mode 100644 index 0000000..a0626dc Binary files /dev/null and b/servers/su0.png differ diff --git a/servers/su1.png b/servers/su1.png new file mode 100644 index 0000000..2ab86ae Binary files /dev/null and b/servers/su1.png differ diff --git a/servers/su2.png b/servers/su2.png new file mode 100644 index 0000000..f314771 Binary files /dev/null and b/servers/su2.png differ diff --git a/servers/tailsqemuvm/0.png b/servers/tailsqemuvm/0.png new file mode 100644 index 0000000..1704c42 Binary files /dev/null and b/servers/tailsqemuvm/0.png differ diff --git a/servers/tailsqemuvm/1.png b/servers/tailsqemuvm/1.png new file mode 100644 index 0000000..ce11b7c Binary files /dev/null and b/servers/tailsqemuvm/1.png differ diff --git a/servers/tailsqemuvm/10.png b/servers/tailsqemuvm/10.png new file mode 100644 index 0000000..bf96bdf Binary files /dev/null and b/servers/tailsqemuvm/10.png differ diff --git a/servers/tailsqemuvm/11.png b/servers/tailsqemuvm/11.png new file mode 100644 index 0000000..d810f27 Binary files /dev/null and b/servers/tailsqemuvm/11.png differ diff --git a/servers/tailsqemuvm/12.png b/servers/tailsqemuvm/12.png new file mode 100644 index 0000000..6cd34e5 Binary files /dev/null and b/servers/tailsqemuvm/12.png differ diff --git a/servers/tailsqemuvm/13.png b/servers/tailsqemuvm/13.png new file mode 100644 index 0000000..ee682be Binary files /dev/null and b/servers/tailsqemuvm/13.png differ diff --git a/servers/tailsqemuvm/14.png b/servers/tailsqemuvm/14.png new file mode 100644 index 0000000..cdb6a05 Binary files /dev/null and b/servers/tailsqemuvm/14.png differ diff --git a/servers/tailsqemuvm/15.png b/servers/tailsqemuvm/15.png new file mode 100644 index 0000000..d4c282c Binary files /dev/null and b/servers/tailsqemuvm/15.png differ 
diff --git a/servers/tailsqemuvm/16.png b/servers/tailsqemuvm/16.png new file mode 100644 index 0000000..ddf439f Binary files /dev/null and b/servers/tailsqemuvm/16.png differ diff --git a/servers/tailsqemuvm/17.png b/servers/tailsqemuvm/17.png new file mode 100644 index 0000000..a763eca Binary files /dev/null and b/servers/tailsqemuvm/17.png differ diff --git a/servers/tailsqemuvm/18.png b/servers/tailsqemuvm/18.png new file mode 100644 index 0000000..2cd0664 Binary files /dev/null and b/servers/tailsqemuvm/18.png differ diff --git a/servers/tailsqemuvm/19.png b/servers/tailsqemuvm/19.png new file mode 100644 index 0000000..edfed4c Binary files /dev/null and b/servers/tailsqemuvm/19.png differ diff --git a/servers/tailsqemuvm/2.png b/servers/tailsqemuvm/2.png new file mode 100644 index 0000000..719461c Binary files /dev/null and b/servers/tailsqemuvm/2.png differ diff --git a/servers/tailsqemuvm/3.png b/servers/tailsqemuvm/3.png new file mode 100644 index 0000000..05d4fcb Binary files /dev/null and b/servers/tailsqemuvm/3.png differ diff --git a/servers/tailsqemuvm/4.png b/servers/tailsqemuvm/4.png new file mode 100644 index 0000000..5a90799 Binary files /dev/null and b/servers/tailsqemuvm/4.png differ diff --git a/servers/tailsqemuvm/5.png b/servers/tailsqemuvm/5.png new file mode 100644 index 0000000..f6f15a8 Binary files /dev/null and b/servers/tailsqemuvm/5.png differ diff --git a/servers/tailsqemuvm/6.png b/servers/tailsqemuvm/6.png new file mode 100644 index 0000000..5126482 Binary files /dev/null and b/servers/tailsqemuvm/6.png differ diff --git a/servers/tailsqemuvm/7.png b/servers/tailsqemuvm/7.png new file mode 100644 index 0000000..898070d Binary files /dev/null and b/servers/tailsqemuvm/7.png differ diff --git a/servers/tailsqemuvm/8.png b/servers/tailsqemuvm/8.png new file mode 100644 index 0000000..d2094e0 Binary files /dev/null and b/servers/tailsqemuvm/8.png differ 
diff --git a/servers/tailsqemuvm/9.png b/servers/tailsqemuvm/9.png new file mode 100644 index 0000000..0692076 Binary files /dev/null and b/servers/tailsqemuvm/9.png differ diff --git a/servers/tailsqemuvm/index.html b/servers/tailsqemuvm/index.html new file mode 100644 index 0000000..14a54b6 --- /dev/null +++ b/servers/tailsqemuvm/index.html @@ -0,0 +1,212 @@ + + + + + + + + + + + Tails OS QEMU VM for Temporary Anonymity + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-14

+

Tails OS QEMU VM for Temporary Anonymity

+ +

In this tutorial we're going to look at how you can run Tails OS (The Amnesic Incognito Linux System) in a QEMU VM, following the official documentation here.

+ +
+
+
+
+ + +
+
+
+
+

Tails Setup

+

First we download Tails OS as a USB image here:

+ +

Then we resize the image size to be able to contain persistant storage (in this case, i'll make it 8Gbs):

+

+[ nowhere ] [ /dev/pts/8 ] [nihilist/VAULT/Isos]
+→ ls tails-amd64-6.3.img -lash
+1.4G -rw-r--r-- 1 nihilist nihilist 1.4G Jun 14 10:15 tails-amd64-6.3.img
+
+[ nowhere ] [ /dev/pts/8 ] [nihilist/VAULT/Isos]
+→ truncate -s 8192M tails-amd64-6.3.img 	
+
+
+

And now we can create the VM in virt-manager like so:

+ + + + + + +

Then press enter to launch tails:

+ +

(wait a few seconds for it to load)

+ +

Once in there, depending on your use, you can select to have an admin password and a persistant storage if you need it. Otherwise everything you do in the VM will be wiped clean upon shutdown (hence the word amnesic).

+ +

Then we select connect to tor automatically:

+ +

And here we click start the Tor browser to browse the web anonymously, and if you're curious and want to see the tor Circuits you can view them also:

+ + +
+
+
+
+ +
+
+
+
+

Persistant Storage Setup



+

Next, if you want to enable the persistant storage go there:

+ +

make sure you enter a strong password that can't be bruteforced easily:

+ +

then hit "create persistant storage" and wait a bit for the operation to complete:

+ +

Then adjust the settings as per your liking, if you want the persistant storage to store more than it does by default:

+ + +

Then if you want to install additional software you can launch a terminal:

+ +

Then from there you can use sudo because you enabled the administrator password, and install software:

+

+amnesia@amnesia:~$ sudo apt update -y ; sudo apt install neofetch -y 
+[sudo] password for amnesia:          
+Get:1 tor+https://cdn-fastly.deb.debian.org/debian bookworm InRelease [151 kB] 
+Get:2 tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bookworm InRelease [3,526 B]
+Get:3 tor+https://cdn-fastly.deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
+
+[...]
+
+
+

Then once the software installed, you have the possibility to store it in the persistant storage aswell, so that it can be available when you launch tails again:

+ + +

+amnesia@amnesia:~$ neofetch
+      ``                        amnesia@amnesia 
+  ./yhNh                        --------------- 
+syy/Nshh         `:o/           OS: Tails x86_64 
+N:dsNshh  \u2588   `ohNMMd           Host: KVM/QEMU (Standard PC (Q35 + ICH9, 2009) pc-q35-9.0) 
+N-/+Nshh      `yMMMMd           Kernel: 6.1.0-21-amd64 
+N-yhMshh       yMMMMd           Uptime: 13 mins 
+N-s:hshh  \u2588    yMMMMd so//.     Packages: 1854 (dpkg) 
+N-oyNsyh       yMMMMd d  Mms.   Shell: bash 5.2.15 
+N:hohhhd:.     yMMMMd  syMMM+   Resolution: 1280x800 
+Nsyh+-..+y+-   yMMMMd   :mMM+   DE: GNOME 43.9 
++hy-      -ss/`yMMMM     `+d+   WM: Mutter 
+  :sy/.     ./yNMMMMm      ``   WM Theme: Adwaita 
+    .+ys- `:+hNMMMMMMy/`        Theme: Adwaita [GTK2/3] 
+      `hNmmMMMMMMMMMMMMdo.      Icons: Adwaita [GTK2/3] 
+       dMMMMMMMMMMMMMMMMMNh:    Terminal: gnome-terminal 
+       +hMMMMMMMMMMMMMMMMMmy.   CPU: 11th Gen Intel i7-11700K (2) @ 3.600GHz 
+         -oNMMMMMMMMMMmy+.`     GPU: 00:01.0 Red Hat, Inc. Virtio 1.0 GPU 
+           `:yNMMMds/.`         Memory: 1313MiB / 3915MiB 
+              .//`
+                                                        
+
+ +

And that's it! We managed to run tails OS from a QEMU VM and install some software into the persistant storage.

+ +
+
+
+
+ + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
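Review bot: The Tails Setup section goes straight from the download to `truncate -s 8192M tails-amd64-6.3.img` with no step that verifies the image, and resizing in place means the file can no longer be checked against the published signature afterwards. Add a verification step before the truncate and resize a copy of the image. Smaller points: the neofetch block contains literal `\u2588` escape sequences, "persistant" should be "persistent" throughout, "8Gbs" should read 8 GB, and `sudo apt update -y ; sudo apt install neofetch -y` should chain with `&&` so the install does not run after a failed update.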
+ + + + + + + diff --git a/servers/test/0.png b/servers/test/0.png new file mode 100644 index 0000000..5900cdb Binary files /dev/null and b/servers/test/0.png differ diff --git a/servers/test/index.html b/servers/test/index.html new file mode 100644 index 0000000..b84b5af --- /dev/null +++ b/servers/test/index.html @@ -0,0 +1,194 @@ + + + + + + + + + + + test Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nothing@nowhere - 2023-10-16

+

test Setup

+ +

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+
+
+
+
+ +
+
+
+
+

Setup



+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Setup



+

+

+	
+
+ +

+

+	
+
+ +

+

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
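Review bot: servers/test/index.html is an unfilled template: the "Initial Setup" section and both "Setup" sections contain only empty lines, and the byline is the placeholder nothing@nowhere. Drop it from this commit or keep it outside the published tree so it is not served as a tutorial.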
+ + + + + + + diff --git a/servers/testnihil/index.html b/servers/testnihil/index.html new file mode 100644 index 0000000..c704364 --- /dev/null +++ b/servers/testnihil/index.html @@ -0,0 +1,194 @@ + + + + + + + + + + + testnihil Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nothing@nowhere - 2023-10-19

+

testnihil Setup

+ +

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+
+
+
+
+ +
+
+
+
+

Setup



+

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Setup



+

+

+	
+
+ +

+

+	
+
+ +

+

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
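Review bot: This file is the same 194-line empty template as servers/test/index.html, with only the title and date changed (testnihil Setup, 2023-10-19). One copy of the template kept outside the site root would be enough; this one should not ship.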
+ + + + + + + diff --git a/servers/tor/bridge/1.png b/servers/tor/bridge/1.png new file mode 100644 index 0000000..77e5c1f Binary files /dev/null and b/servers/tor/bridge/1.png differ diff --git a/servers/tor/bridge/10.png b/servers/tor/bridge/10.png new file mode 100644 index 0000000..5a24d18 Binary files /dev/null and b/servers/tor/bridge/10.png differ diff --git a/servers/tor/bridge/11.png b/servers/tor/bridge/11.png new file mode 100644 index 0000000..dff09a5 Binary files /dev/null and b/servers/tor/bridge/11.png differ diff --git a/servers/tor/bridge/2.png b/servers/tor/bridge/2.png new file mode 100644 index 0000000..c340dbb Binary files /dev/null and b/servers/tor/bridge/2.png differ diff --git a/servers/tor/bridge/3.png b/servers/tor/bridge/3.png new file mode 100644 index 0000000..5619bb6 Binary files /dev/null and b/servers/tor/bridge/3.png differ diff --git a/servers/tor/bridge/4.png b/servers/tor/bridge/4.png new file mode 100644 index 0000000..160fe37 Binary files /dev/null and b/servers/tor/bridge/4.png differ diff --git a/servers/tor/bridge/5.png b/servers/tor/bridge/5.png new file mode 100644 index 0000000..4a0448a Binary files /dev/null and b/servers/tor/bridge/5.png differ diff --git a/servers/tor/bridge/6.png b/servers/tor/bridge/6.png new file mode 100644 index 0000000..00d3825 Binary files /dev/null and b/servers/tor/bridge/6.png differ diff --git a/servers/tor/bridge/7.png b/servers/tor/bridge/7.png new file mode 100644 index 0000000..b5d0738 Binary files /dev/null and b/servers/tor/bridge/7.png differ diff --git a/servers/tor/bridge/8.png b/servers/tor/bridge/8.png new file mode 100644 index 0000000..d1bae8a Binary files /dev/null and b/servers/tor/bridge/8.png differ diff --git a/servers/tor/bridge/9.png b/servers/tor/bridge/9.png new file mode 100644 index 0000000..47e5fdf Binary files /dev/null and b/servers/tor/bridge/9.png differ 
diff --git a/servers/tor/bridge/index.html b/servers/tor/bridge/index.html new file mode 100644 index 0000000..a0e2b03 --- /dev/null +++ b/servers/tor/bridge/index.html @@ -0,0 +1,266 @@ + + + + + + + + + + + TOR Bridge + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 01 / 02 / 2024

+

TOR Bridge (June 2023 update)

+ +

Before we start, you will need a Debian VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your Debian server.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

+

+
+apt update -y && apt upgrade -y
+apt install curl tmux vim obfs4proxy nyx gnupg2 -y
+
+root@Datura:~# cat /etc/apt/sources.list |head -n3
+
+deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
+deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
+
+root@Datura:~# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
+
+apt update -y
+apt install tor nyx
+
+#To configure tor we need to edit the configuration file with the following entry. Replace the TODOs with the port numbers you wish to use
+
+#Open conf file
+vim /etc/tor/torrc
+
+#Added configuration
+BridgeRelay 1
+
+# Replace "TODO1" with a Tor port of your choice.
+# This port must be externally reachable.
+# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
+ORPort 37051
+
+ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
+
+# Replace "TODO2" with an obfs4 port of your choice.
+# This port must be externally reachable and must be different from the one specified for ORPort.
+# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
+ServerTransportListenAddr obfs4 0.0.0.0:8042
+
+# Local communication port between Tor and obfs4.  Always set this to "auto".
+# "Ext" means "extended", not "external".  Don't try to set a specific port number, nor listen on 0.0.0.0.
+ExtORPort auto
+
+# Replace "<address@email.com>" with your email address so we can contact you if there are problems with your bridge.
+# This is optional but encouraged.
+ContactInfo nihilist@nihilism.network
+
+# Pick a nickname that you like for your bridge.  This is optional.
+Nickname Nihilist
+
+
+

Then restart the tor service + enable it:

+

+#Restart service
+systemctl restart tor@default
+
+#Enable at boot
+systemctl enable --now tor@default
+
+ + +
+
+
+
+ +
+
+
+
+

Nyx monitoring



+

Once it finished installing, you can monitor your tor bridge node activity with nyx:

+

+sudo -u debian-tor nyx
+
+
+ +
+
+
+
+ + + +
+
+
+
+

Using your own bridge



+

Next install tor-browser (in arch linux you can do it from the AUR), if not just go to the downloads page.

+

+yay -S torbrowser-launcher
+
+
+ +

Then Launch it, and go in your preferences:

+ + +

Here specifying your own bridge is not that simple, you need to use the following syntax:

+

+Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=<CERTIFICATE> iat-mode=0
+
+
+

First find the ip address of your server:

+

+root@debian-s-1vcpu-1gb-lon1-01:~# curl ifconfig.me && echo && echo
+134.209.26.190
+
+
+

Next find the port :

+

+sudo -u debian-tor nyx
+
+
+

Just hit right arrow 3 times to get to your torrc config preview:

+ +

And here we have port 8042. Next we need the fingerprint which is at page 1 of nyx, so press leftarrow to get back to page 1 and then scroll down using the downarrow:

+ +

Here it is 829165B21621041E7A9CDF7192AFFC51CA640B0E, be careful not to copy the other one above which is the HASHED identity key. Here we want the original identity key fingerprint. +After this, we need the server's certificate:

+

+
+root@debian-s-1vcpu-1gb-lon1-01:~# cat /var/lib/tor/pt_state/obfs4_bridgeline.txt
+# obfs4 torrc client bridge line
+#
+# This file is an automatically generated bridge line based on
+# the current obfs4proxy configuration.  EDITING IT WILL HAVE
+# NO EFFECT.
+#
+# Before distributing this Bridge, edit the placeholder fields
+# to contain the actual values:
+#  <IP ADDRESS>  - The public IP address of your obfs4 bridge.
+#  <PORT>        - The TCP/IP port of your obfs4 bridge.
+#  <FINGERPRINT> - The bridge's fingerprint.
+
+Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0
+
+

Here in this case we need the last part: cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0

+

And so we combine it all to get the string we need:

+

+Bridge obfs4 134.209.26.190:8042 829165B21621041E7A9CDF7192AFFC51CA640B0E  cert=L04rcSpDJb9xdGUy/LgAlxbNgtQUWPJFsdF3q2i8lKRmzffiVFJU5ARjr4RYXRZSrsNYXg iat-mode=0
+
+

Paste it in and hit "new identity":

+ +

Then we check if it is working on check.torproject.org:

+ +

And that's it! we have been able to use our own VPS-hosted tor bridge!

+
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
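Review bot: The introduction tells self-hosters to forward ports 80 and 443, but the torrc in this hunk listens on `ORPort 37051` and `ServerTransportListenAddr obfs4 0.0.0.0:8042`, so a reader who follows the text ends up with an unreachable bridge; name the two configured ports instead. The torrc comments still say to replace "TODO1", "TODO2" and "<address@email.com>" although the values are already filled in, and the shell commands and torrc directives share one block with no marker for where the file content starts. The final example also publishes a complete bridge line (address, fingerprint and cert) for what looks like a live host; placeholders, as in the syntax line earlier in the page, would keep the bridge from being trivially blocklisted.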
+ + + + + + + diff --git a/servers/tor/exit_node/0.png b/servers/tor/exit_node/0.png new file mode 100644 index 0000000..169bfae Binary files /dev/null and b/servers/tor/exit_node/0.png differ diff --git a/servers/tor/exit_node/1.png b/servers/tor/exit_node/1.png new file mode 100644 index 0000000..7f73042 Binary files /dev/null and b/servers/tor/exit_node/1.png differ diff --git a/servers/tor/exit_node/2.jpg b/servers/tor/exit_node/2.jpg new file mode 100644 index 0000000..b202c79 Binary files /dev/null and b/servers/tor/exit_node/2.jpg differ diff --git a/servers/tor/exit_node/2.png b/servers/tor/exit_node/2.png new file mode 100644 index 0000000..7110d55 Binary files /dev/null and b/servers/tor/exit_node/2.png differ diff --git a/servers/tor/exit_node/3.png b/servers/tor/exit_node/3.png new file mode 100644 index 0000000..a0e6937 Binary files /dev/null and b/servers/tor/exit_node/3.png differ diff --git a/servers/tor/exit_node/4.png b/servers/tor/exit_node/4.png new file mode 100644 index 0000000..c40adde Binary files /dev/null and b/servers/tor/exit_node/4.png differ diff --git a/servers/tor/exit_node/5.png b/servers/tor/exit_node/5.png new file mode 100644 index 0000000..654c6cb Binary files /dev/null and b/servers/tor/exit_node/5.png differ diff --git a/servers/tor/exit_node/6.png b/servers/tor/exit_node/6.png new file mode 100644 index 0000000..7ebb25d Binary files /dev/null and b/servers/tor/exit_node/6.png differ diff --git a/servers/tor/exit_node/7.png b/servers/tor/exit_node/7.png new file mode 100644 index 0000000..143930b Binary files /dev/null and b/servers/tor/exit_node/7.png differ diff --git a/servers/tor/exit_node/8.png b/servers/tor/exit_node/8.png new file mode 100644 index 0000000..c0f3cba Binary files /dev/null and b/servers/tor/exit_node/8.png differ diff --git a/servers/tor/exit_node/9.png b/servers/tor/exit_node/9.png new file mode 100644 index 0000000..d01ec30 Binary files /dev/null and b/servers/tor/exit_node/9.png differ 
diff --git a/servers/tor/exit_node/index.html b/servers/tor/exit_node/index.html new file mode 100644 index 0000000..43f9c87 --- /dev/null +++ b/servers/tor/exit_node/index.html @@ -0,0 +1,255 @@ + + + + + + + + + + + TOR Exit Node + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 29 / 01 / 2024

+

TOR Exit Node

+ +

Before we start, make sure you either rent a VPS anonymously (tor+XMR + ssh via tor) click here for the list of anonymity-friendly hosting providers or rent a VPS on a cloud provider that explicitely allows for tor exit nodes to be hosted on their platform.

+ + +

As a disclaimer, you need to know who allows these tor exit nodes, if you're going to pick a random host provider to host an exit node for you, + you really don't know how the host may respond to that. Therefore it is best to pre-emptively see who actually accepts those exit nodes by looking at their TOS or + by contacting them for additional information.

+ + +

⚠️ Beware that authorities aren't always aware of tor exit node and what to do from a legal stand point. Before hosting an exit node, please take time to do sufficient legal research. +People have been arrested all around the world and had a lot of trouble with authorities because they hosted exit nodes. +If you are still motivated to get your own exit node, keep the phone number of a lawyer specialised in this field just in case anything goes wrong. ⚠️

+ +

Now you can get a domain name to resolve to your exit node, or just use the one provided by njal.la :

+ + + +
+
+
+
+ + +
+
+
+
+

Initial setup



+ +

+apt update && apt -y dist-upgrade && apt -y autoremove && apt install -y curl  tmux vim obfs4proxy gnupg2 
+
+apt update -y && apt upgrade -y
+apt install curl tmux vim -y
+
+root@Datura:~# cat /etc/apt/sources.list |head -n3
+
+deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
+deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
+
+root@Datura:~# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
+
+apt update -y
+apt install tor nyx
+
+
+
+

From inside nyx you can view tor's status :

+

+root@exit:~# nyx
+
+
+ +

inside nyx you can use the left and right arrow to navigate the different pages:

+ +

Above you can see the connections, pressing right again shows how your server is configurated, along with extra details on each setting:

+ +

Next we make sure it's an exit like so: (be aware that this is where it gets dangerous if you're not doing this on a non-KYC VPS, or on a cloud provider that doesnt accept tor exit nodes.

+

+root@exit:~# vim /etc/tor/torrc
+root@exit:~# cat /etc/tor/torrc
+RunAsDaemon 1
+ControlPort 9051
+CookieAuthentication 1
+ORPort 9001
+Nickname anonymous
+
+ExitPolicy accept *:* # Accept exit connections
+ExitPolicy reject private:* # Block private IPv4
+IPv6Exit 1 # Allow IPv6 connections
+ExitPolicy accept6 *:* # Accept IPv6
+ExitPolicy reject6 [FC00::]/7:* # Block private IPv6
+ExitPolicy reject6 [FE80::]/10:* # Block link-local IPv6
+ExitPolicy reject6 [2002::]/16:* # Block 6to4 addresses
+
+
+

you can also make a stricter tor exit policy like so:

+

+root@Datura:~# cat /etc/tor/torrc
+RunAsDaemon 1
+ControlPort 9051
+CookieAuthentication 1
+ORPort 9001
+Nickname Datura
+
+ExitPolicy accept *:20-21   # FTP
+ExitPolicy accept *:43     # WHOIS
+ExitPolicy accept *:53     # DNS
+ExitPolicy accept *:80-81   # HTTP, HTTP alt.
+ExitPolicy accept *:443   # HTTPS
+ExitPolicy accept *:5222-5223   # XMPP, XMPP over
+ExitPolicy accept *:6667-7000  # IRC
+ExitPolicy accept *:8008   # HTTP alternate
+ExitPolicy accept *:8082   # HTTPS Electrum Bitcoin port
+ExitPolicy accept *:8332-8333   # Bitcoin
+ExitPolicy accept *:8888   # HTTP Proxies, NewsEDGE, HUSH coin
+ExitPolicy accept *:9418   # git - Git pack transfer service
+ExitPolicy accept *:50002   # Electrum Bitcoin SSL
+ExitPolicy accept *:64738   # Mumble - voice over IP
+ExitPolicy accept *:18080-18081   # Monero
+ExitPolicy reject *:*
+
+ExitPolicy reject private:* # Block private IPv4
+IPv6Exit 1 # Allow IPv6 connections
+ExitPolicy accept6 *:* # Accept IPv6
+ExitPolicy reject6 [FC00::]/7:* # Block private IPv6
+ExitPolicy reject6 [FE80::]/10:* # Block link-local IPv6
+ExitPolicy reject6 [2002::]/16:* # Block 6to4 addresses
+
+
+

And then just restart the tor service to make sure the exit node is active:

+

+root@exit:~# systemctl restart tor@default
+root@exit:~# systemctl status tor@default
+● tor@default.service - Anonymizing overlay network for TCP
+     Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; preset: enabled)
+     Active: active (running) since Mon 2024-01-29 10:43:02 UTC; 5s ago
+    Process: 3852 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS)
+    Process: 3853 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
+   Main PID: 3855 (tor)
+      Tasks: 3 (limit: 19110)
+     Memory: 140.1M
+     CGroup: /system.slice/system-tor.slice/tor@default.service
+             └─3855 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
+
+Jan 29 10:43:03 exit Tor[3855]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
+Jan 29 10:43:04 exit Tor[3855]: Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
+Jan 29 10:43:04 exit Tor[3855]: Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
+Jan 29 10:43:04 exit Tor[3855]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit
+Jan 29 10:43:05 exit Tor[3855]: Bootstrapped 100% (done): Done
+Jan 29 10:43:05 exit Tor[3855]: Now checking whether IPv4 ORPort 80.78.22.215:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
+Jan 29 10:43:05 exit Tor[3855]: Now checking whether IPv6 ORPort [2a0a:3840:8078:22:0:504e:16d7:1337]:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
+Jan 29 10:43:06 exit Tor[3855]: Self-testing indicates your ORPort [2a0a:3840:8078:22:0:504e:16d7:1337]:9001 is reachable from the outside. Excellent.
+Jan 29 10:43:06 exit Tor[3855]: Self-testing indicates your ORPort 80.78.22.215:9001 is reachable from the outside. Excellent. Publishing server descriptor.
+Jan 29 10:43:06 exit Tor[3855]: Performing bandwidth self-test...done.
+
+root@exit:~# nyx
+
+
+

Then wait a few hours for the exit node to appear on tor metrics, then you can take the node fingerprint (example 916EDD8E5D61613BBC7B6CCEFB2778AE706786B9) and check it's status on torproject.org here.

+

After that, you need to wait 2 weeks for the exit node to be fully operational as explained here.

+

+"A new relay, assuming it is reliable and has plenty of bandwidth, goes through four phases: the unmeasured phase (days 0-3) where it gets roughly no use, the remote-measurement phase (days 3-8) where load starts to increase, the ramp-up guard phase (days 8-68) where load counterintuitively drops and then rises higher, and the steady-state guard phase (days 68+). "
+
+
+ +
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
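Review bot: In both torrc listings the catch-all rule comes before the rules meant to restrict it. Tor applies ExitPolicy lines first to last and stops at the first match, so `ExitPolicy reject private:*` after `ExitPolicy accept *:*` is never consulted, and in the stricter listing every ExitPolicy line placed after `ExitPolicy reject *:*` is dead, so the `accept6 *:*` commented as "Accept IPv6" has no effect. Move the reject rules above the accepts and end each listing with its catch-all. Also, the sentence before the first listing has an unclosed parenthesis and is ambiguous about whether "not" applies to the cloud-provider clause, and "wait 2 weeks" does not correspond to any of the phase boundaries in the quoted text (days 3, 8 and 68).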
+ + + + + + + diff --git a/servers/tor/logo.png b/servers/tor/logo.png new file mode 100644 index 0000000..f94fe65 Binary files /dev/null and b/servers/tor/logo.png differ diff --git a/servers/tor/relay/1.png b/servers/tor/relay/1.png new file mode 100644 index 0000000..99e66ee Binary files /dev/null and b/servers/tor/relay/1.png differ diff --git a/servers/tor/relay/2.png b/servers/tor/relay/2.png new file mode 100644 index 0000000..48a3455 Binary files /dev/null and b/servers/tor/relay/2.png differ diff --git a/servers/tor/relay/3.png b/servers/tor/relay/3.png new file mode 100644 index 0000000..678cec2 Binary files /dev/null and b/servers/tor/relay/3.png differ diff --git a/servers/tor/relay/4.png b/servers/tor/relay/4.png new file mode 100644 index 0000000..c8f8533 Binary files /dev/null and b/servers/tor/relay/4.png differ diff --git a/servers/tor/relay/5.png b/servers/tor/relay/5.png new file mode 100644 index 0000000..8853814 Binary files /dev/null and b/servers/tor/relay/5.png differ diff --git a/servers/tor/relay/6.png b/servers/tor/relay/6.png new file mode 100644 index 0000000..416d2e0 Binary files /dev/null and b/servers/tor/relay/6.png differ diff --git a/servers/tor/relay/7.png b/servers/tor/relay/7.png new file mode 100644 index 0000000..8b48ea7 Binary files /dev/null and b/servers/tor/relay/7.png differ diff --git a/servers/tor/relay/8.png b/servers/tor/relay/8.png new file mode 100644 index 0000000..de5cc87 Binary files /dev/null and b/servers/tor/relay/8.png differ diff --git a/servers/tor/relay/index.html b/servers/tor/relay/index.html new file mode 100644 index 0000000..9732c22 --- /dev/null +++ b/servers/tor/relay/index.html @@ -0,0 +1,181 @@ + + + + + + + + + + + TOR Relay + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 01 / 02 / 2024

+

TOR Relay

+ +

Before we start, you will need a Debian VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.

+

You will also need to make sure that the VPS provider allows the hosting of a tor node! check torproject's good/bad isps page here.

+ +

For example, you wouldn't be able to host an exit node on DigitalOcean, however hosting a regular node is completely fine.

+ +
+
+
+
+ + +
+
+
+
+

Installation



+

+apt update -y && apt upgrade -y
+apt install curl tmux vim gnupg2 -y
+
+root@Datura:~# cat /etc/apt/sources.list |head -n3
+
+deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
+deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
+
+root@Datura:~# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
+
+apt update -y
+apt install tor nyx
+
+#To configure tor we need to edit the configuration file with the following entry. Replace the TODOs with the port numbers you wish to use
+
+#Open conf file
+vim /etc/tor/torrc
+
+# Replace "TODO1" with a Tor port of your choice.
+# This port must be externally reachable.
+# Avoid port 9001 because it's commonly associated with Tor and censors may be scanning the Internet for this port.
+ORPort 37051
+
+# Local communication port between Tor and obfs4.  Always set this to "auto".
+# "Ext" means "extended", not "external".  Don't try to set a specific port number, nor listen on 0.0.0.0.
+ExtORPort auto
+
+# Replace "<address@email.com>" with your email address so we can contact you if there are problems with your bridge.
+# This is optional but encouraged.
+ContactInfo nihilist@nihilism.network
+
+# Pick a nickname that you like for your bridge.  This is optional.
+Nickname Nihilist
+
+
+

Then restart the tor service + enable it:

+

+#Restart service
+systemctl restart tor@default
+
+#Enable at boot
+systemctl enable --now tor@default
+
+#monitor it with nyx
+nyx
+
+ + +

You can also monitor connections by switching to the menu (pressing m)

+ +

and then just use the arrow keys to navigate:

+ +

Hit spacebar to choose "connection"

+

EDIT: you can just use left arrow and right arrow to change menus quickly lol

+ +

This is going to list the active connections (Circuits) to your tor node with their ip addresses.

+
+
+
+
+ + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
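Review bot: The torrc comments on this page describe a bridge ("Local communication port between Tor and obfs4", "problems with your bridge", "a nickname that you like for your bridge"), but the page is titled TOR Relay and the configuration shown has no BridgeRelay or ServerTransportPlugin line, so the ExtORPort auto entry has nothing to talk to. Either drop ExtORPort and reword the comments for a relay, or add the bridge lines and retitle the page. The comment "Replace "TODO1" with a Tor port of your choice" also no longer matches, since the value is already filled in as ORPort 37051. In the intro, "debian 10" conflicts with the bookworm entries in sources.list, the ports named for forwarding are 80 and 443 while the port this setup needs reachable is the ORPort, and the key is fetched with wget although the install line only pulls in curl.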
+ + + + + + + diff --git a/servers/torbrowsing/0.jpeg b/servers/torbrowsing/0.jpeg new file mode 100644 index 0000000..45a9742 Binary files /dev/null and b/servers/torbrowsing/0.jpeg differ diff --git a/servers/torbrowsing/1.png b/servers/torbrowsing/1.png new file mode 100644 index 0000000..333a61e Binary files /dev/null and b/servers/torbrowsing/1.png differ diff --git a/servers/torbrowsing/10.png b/servers/torbrowsing/10.png new file mode 100644 index 0000000..95f1b2c Binary files /dev/null and b/servers/torbrowsing/10.png differ diff --git a/servers/torbrowsing/11.png b/servers/torbrowsing/11.png new file mode 100644 index 0000000..9e1f9a7 Binary files /dev/null and b/servers/torbrowsing/11.png differ diff --git a/servers/torbrowsing/12.png b/servers/torbrowsing/12.png new file mode 100644 index 0000000..7f02a9f Binary files /dev/null and b/servers/torbrowsing/12.png differ diff --git a/servers/torbrowsing/2.png b/servers/torbrowsing/2.png new file mode 100644 index 0000000..04d3414 Binary files /dev/null and b/servers/torbrowsing/2.png differ diff --git a/servers/torbrowsing/3.png b/servers/torbrowsing/3.png new file mode 100644 index 0000000..c09b527 Binary files /dev/null and b/servers/torbrowsing/3.png differ diff --git a/servers/torbrowsing/4.png b/servers/torbrowsing/4.png new file mode 100644 index 0000000..0152bac Binary files /dev/null and b/servers/torbrowsing/4.png differ diff --git a/servers/torbrowsing/5.png b/servers/torbrowsing/5.png new file mode 100644 index 0000000..d83e0f2 Binary files /dev/null and b/servers/torbrowsing/5.png differ diff --git a/servers/torbrowsing/6.png b/servers/torbrowsing/6.png new file mode 100644 index 0000000..6f4bf67 Binary files /dev/null and b/servers/torbrowsing/6.png differ diff --git a/servers/torbrowsing/7.png b/servers/torbrowsing/7.png new file mode 100644 index 0000000..eaad36a Binary files /dev/null and b/servers/torbrowsing/7.png differ 
diff --git a/servers/torbrowsing/8.png b/servers/torbrowsing/8.png new file mode 100644 index 0000000..9d7d791 Binary files /dev/null and b/servers/torbrowsing/8.png differ diff --git a/servers/torbrowsing/9.png b/servers/torbrowsing/9.png new file mode 100644 index 0000000..85715fb Binary files /dev/null and b/servers/torbrowsing/9.png differ diff --git a/servers/torbrowsing/index.html b/servers/torbrowsing/index.html new file mode 100644 index 0000000..e364be7 --- /dev/null +++ b/servers/torbrowsing/index.html @@ -0,0 +1,245 @@ + + + + + + + + + + + Tor Browsing Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-01-31

+

Tor Browsing Setup

+ +

In this tutorial we're going to cover how to browse the web anonymously, and some simple rules to follow to protect your anonymity.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

If you have a regular debian distribution, do as follows to install the tor browser:

+

+[ mainpc ] [ /dev/pts/5 ] [~]
+→ sudo apt install tor torsocks curl apt-transport-tor gnupg2 -y
+
+[ mainpc ] [ /dev/pts/1 ] [~]
+→ sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100 77312  100 77312    0     0   7106      0  0:00:10  0:00:10 --:--:-- 23126
+
+[ mainpc ] [ /dev/pts/1 ] [~]
+→ echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
+deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free
+
+[ mainpc ] [ /dev/pts/1 ] [~]
+→ sudo apt update -y
+Hit:1 http://deb.debian.org/debian bookworm InRelease
+Hit:2 http://security.debian.org/debian-security bookworm-security InRelease
+Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
+Hit:4 https://packages.element.io/debian default InRelease
+Get:5 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm InRelease [39.6 kB]
+Get:6 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/main amd64 Packages [34.3 kB]
+Get:7 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/contrib amd64 Packages [506 B]
+Get:8 tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm/non-free amd64 Packages [896 B]
+Fetched 75.3 kB in 12s (6,284 B/s)
+Reading package lists... Done
+Building dependency tree... Done
+Reading state information... Done
+16 packages can be upgraded. Run 'apt list --upgradable' to see them.
+
+[ mainpc ] [ /dev/pts/1 ] [~]
+→ sudo apt install tb-starter tb-updater -y
+
+[ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog]
+→ systemctl enable --now tb-updater-first-boot.service                                                                                                                                                                                      (3)
+
+Created symlink /etc/systemd/system/multi-user.target.wants/tb-updater-first-boot.service → /lib/systemd/system/tb-updater-first-boot.service.
+
+[ mainpc ] [ /dev/pts/6 ] [~/Nextcloud/blog]
+→ systemctl --no-pager --no-block status tb-updater-first-boot.service
+
+● tb-updater-first-boot.service - Helper Service for /usr/bin/torbrowser to determine when it is save to Copy Tor Browser from /var/cache/tb-binary to user home by Whonix developers
+     Loaded: loaded (/lib/systemd/system/tb-updater-first-boot.service; enabled; preset: enabled)
+     Active: active (exited) since Wed 2024-01-31 08:59:34 CET; 2s ago
+       Docs: https://github.com/Whonix/tb-updater
+    Process: 140334 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
+   Main PID: 140334 (code=exited, status=0/SUCCESS)
+        CPU: 690us
+
+[ mainpc ] [ /dev/pts/1 ] [~]
+→ torbrowser
+INFO: ARCH 'x86_64' detected.
+INFO: ARCH_DOWNLOAD 'linux-x86_64' detected.
+INFO: CURL_PROXY:
+INFO: Not running inside Qubes Disposable Template, ok.
+INFO: Using stable version. For alpha version, see: https://www.whonix.org/wiki/Tor_Browser#Alpha
+INFO: Running connectivity check...  Downloading...: https://www.torproject.org
+INFO: CURL_OUT_FILE: /home/nihilist/.cache/tb/temp/tbb_remote_folder
+INFO: Connectivity check succeeded.
+INFO: Find out latest version... Downloading...: https://aus1.torproject.org/torbrowser/update_3/release/downloads.json
+INFO: CURL_OUT_FILE: /home/nihilist/.cache/tb/RecommendedTBBVersions
+INFO: Learn more about this Download Confirmation Notification.
+https://www.whonix.org/wiki/Tor_Browser#Download_Confirmation_Notification
+INFO: Previously downloaded version: none
+INFO: Currently installed version: None installed. (Folder /home/nihilist/.tb/tor-browser does not exist.)
+INFO: Online detected version: 13.0.9
+QUESTION: Download now?
+y/n?
+y
+
+INFO: Because you are not using --nokilltb, now killing potentially still running instances of Tor Browser...
+firefox.real: no process found
+INFO: Digital signature (GPG) download... Will take a moment...
+INFO: Downloading...: https://www.torproject.org/dist/torbrowser/13.0.9/tor-browser-linux-x86_64-13.0.9.tar.xz.asc
+INFO: CURL_OUT_FILE: /home/nihilist/.cache/tb/files/tor-browser-linux-x86_64-13.0.9.tar.xz.asc
+INFO: Downloading Tor Browser...
+INFO: Downloading...: https://www.torproject.org/dist/torbrowser/13.0.9/tor-browser-linux-x86_64-13.0.9.tar.xz
+INFO: CURL_OUT_FILE: /home/nihilist/.cache/tb/files/tor-browser-linux-x86_64-13.0.9.tar.xz
+INFO: Digital signature (GPG) verification... This will take a moment...
+INFO: Using digital signature signing key by The Tor Project.
+INFO: Digital signature (GPG) verification ok.
+INFO: Installation confirmation
+Currently installed version:  None installed. (Folder /home/nihilist/.tb/tor-browser does not exist.)
+Downloaded version         :  13.0.9
+We have not previously accepted a signature yet. Therefore assisted check for downgrade or indefinite freeze attacks skipped. Please check the Current Signature Creation Date looks sane.
+Previous Signature Creation Date:  Unknown. Probably never downloaded a signature before.
+Last Signature Creation Date    :  January 23 13:14:38 UTC 2024
+According to your system clock, the signature was created 8 days 3 hours 25 minutes 2 seconds ago.
+gpg reports:
+gpg: Signature made Tue 23 Jan 2024 02:14:38 PM CET
+gpg:                using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
+gpg: Good signature from "Tor Browser Developers (signing key) " [ultimate]
+Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
+     Subkey fingerprint: 6131 88FC 5BE2 176E 3ED5  4901 E53D 989A 9E2D 47BF
+Learn more about this Installation Confirmation Notification.
+https://www.whonix.org/wiki/Tor_Browser#Installation_Confirmation_Notification
+QUESTION: Install now?
+y/n?
+y
+
+INFO: Extracting /home/nihilist/.cache/tb/files/tor-browser-linux-x86_64-13.0.9.tar.xz ...
+extraction percent done: 19 / 100
+extraction percent done: 44 / 100
+extraction percent done: 63 / 100
+extraction percent done: 82 / 100
+extraction percent done: 100 / 100
+
+
+ +

Next, we'll do some slight configuration changes, starting with the automatic connection:

+ +

Then we make sure that all javascript is disabled, using the shield option on the top right corner, make sure it's set to the "Safest" setting:

+ +

Then a personal preference, let's switch on the dark theme:

+ + +

And from there you can start browsing. You can browse the clearnet first to see how the tor connection works:

+ +

As you can see here, when browsing to the clearnet, your traffic is being encapsulated threefold, meaning that you are entrusting your connection to 3 tor node owners around the globe. And on top of that, they are in 3 different countries.

+ +

Next, when you browse to a website that can be accessed via a .onion link, you might get the above message that shows up. I prefer to not prioritize onions to avoid unecessary page refreshes. Instead i click on the .onion available button if it appears.

+ +

Now when you're connected to the .onion hidden service, you can see that your connection goes through more tor nodes, this is the best way to access websites online, you're not leaking any info they don't need to know that way. Plus, since we are on the "safest" setting, we are not loading any javascript that may be used to fingerprint our activity online.

+
+
+
+
+ + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
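Review bot: The install block writes derivative.asc into signed-by straight after downloading it from the same .onion host that serves the packages, with no step that checks the key's fingerprint against an independent source. Add the expected fingerprint to the page and a gpg --show-keys check on /usr/share/keyrings/derivative.asc before the sources.list.d entry is created, and name the repository in the prose: the text only says "install the tor browser" on a regular Debian, while the service output shows the packages are Whonix's tb-updater. Smaller points: the "systemctl enable --now tb-updater-first-boot.service" line carries a trailing "(3)" from the prompt and is run without sudo, unlike the other privileged commands, and "unecessary" should be "unnecessary".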
+ + + + + + + diff --git a/servers/torthroughvpn/1.png b/servers/torthroughvpn/1.png new file mode 100644 index 0000000..ac77976 Binary files /dev/null and b/servers/torthroughvpn/1.png differ diff --git a/servers/torthroughvpn/11.png b/servers/torthroughvpn/11.png new file mode 100644 index 0000000..58ca9cc Binary files /dev/null and b/servers/torthroughvpn/11.png differ diff --git a/servers/torthroughvpn/12.png b/servers/torthroughvpn/12.png new file mode 100644 index 0000000..dd2fe3e Binary files /dev/null and b/servers/torthroughvpn/12.png differ diff --git a/servers/torthroughvpn/133.png b/servers/torthroughvpn/133.png new file mode 100644 index 0000000..3b82d15 Binary files /dev/null and b/servers/torthroughvpn/133.png differ diff --git a/servers/torthroughvpn/2.png b/servers/torthroughvpn/2.png new file mode 100644 index 0000000..f3fa0d3 Binary files /dev/null and b/servers/torthroughvpn/2.png differ diff --git a/servers/torthroughvpn/3.png b/servers/torthroughvpn/3.png new file mode 100644 index 0000000..fd09da1 Binary files /dev/null and b/servers/torthroughvpn/3.png differ diff --git a/servers/torthroughvpn/4.png b/servers/torthroughvpn/4.png new file mode 100644 index 0000000..b5a7965 Binary files /dev/null and b/servers/torthroughvpn/4.png differ diff --git a/servers/torthroughvpn/5.png b/servers/torthroughvpn/5.png new file mode 100644 index 0000000..fcf0964 Binary files /dev/null and b/servers/torthroughvpn/5.png differ diff --git a/servers/torthroughvpn/6.png b/servers/torthroughvpn/6.png new file mode 100644 index 0000000..8aee311 Binary files /dev/null and b/servers/torthroughvpn/6.png differ diff --git a/servers/torthroughvpn/index.html b/servers/torthroughvpn/index.html new file mode 100644 index 0000000..459f426 --- /dev/null +++ b/servers/torthroughvpn/index.html @@ -0,0 +1,245 @@ + + + + + + + + + + + Using Tor Safely: Tor through VPN or VPN through Tor? + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-30

+

Using Tor Safely: Tor through VPN or VPN through Tor?

+ +

+

Tor and VPNs comparaison Recap

+

As we went over this comparaison in the previous blogpost here i will briefly recap it here:

+VPNS: +

VPNs can provide Privacy from your ISP , but by using one you are getting privacy from someone (most likely your ISP), but the VPN provider can see what you're doing with your internet connection.

+

In other words, you're just shifting the privacy problem from your ISP to your VPN provider. You are moving your trust from one centralized entity to another

+ + +Tor: +

The Tor Network provides Anonymity by routing your traffic through 3 random servers that are spread across the world.

+

Using Tor means you are employing Decentralisation, by using it you are placing your trust into 3 random entities (which can be individuals, companies or adversaries), in 3 different legislations (due to being in 3 different countries), rather than in one centralized entity, hence providing Anonymity on the IP layer.

+

There is always a low probability of risk, where if you are unlucky and tor circuits go through 3 nodes that are hosted by the same malicious entity, leading to deanonymization.

+ +
+
+
+
+ + +
+
+
+
+

Tor and VPNs combinations

+

Combining Tor and VPNs require to be justified depending on the clientside context, and on the serverside context:

+ + +

First comes the clientside context: Does your country allow anonymity ?

Check if your country allows Tor traffic or not. If it's not illegal, you can use tor traffic as is.
(you -> tor)

+

If you are in a country where tor traffic is illegal, you need to hide tor use behind a vpn
(you -> vpn -> tor)

+

If you are in a country where both Tor and VPNs are illegal, know that this is too risky to try and be anonymous online personally i wouldn't even try to be anonymous online in that context, because you risk being persecuted for just using the technology. If you still want to have anonymity anyway, you'll have to use censorship evasion techniques like using tor bridges.
(you -> tor bridge -> tor)

+ + +

Second comes serverside context: Does the service allow anonymity?

Check if you can use the service using tor only,
(tor -> website)

+

If the website doesn't allow tor traffic, hide tor traffic behind a VPN
(tor -> vpn -> website)

+

If the website doesn't allow vpn traffic either, personally i would stop trying there, but you could try using residential proxies
(tor -> residential proxy -> website)

+
+

In conclusion, there are only 4 valid Tor / VPN combinations:

+

+#country allows tor traffic:
+you -> Tor -> service
+you -> Tor -> VPN -> service
+
+#country doesn't allow tor traffic, but allows VPNs:
+you -> VPN -> Tor -> service
+you -> VPN -> Tor -> VPN -> service
+
+
+

If you want to experiment with multiple tor / vpn setups at once (as part of the internet segmentation Opsec practice), you can try each setup in a VM separately like so:

+ +

Sidenote: there is no point in having a setup that is going twice through Tor, only once is enough to obtain anonymity.

+
+
+
+
+ +
+
+
+
+

First Goal: Accessing websites that block Tor



+

Great, you found out about Tor, you want to be anonymous while browsing the web, and now you start to use your favorite centralised services (google, youtube for example) but you realize that they don't allow you to use their service while you use tor!

+ +

+You -> Tor -> Destination
+
+
+

Keep in mind that Tor exit nodes are all public, it's easy for website administrators to block Tor exit nodes IPs by blocking their public IPs directly. So you can expect popular services that are openly hostile to both anonymity and privacy to block Tor traffic.

+

So the constraint here is to access the service without showing up as a tor exit node IP from their end.

+

To get around that problem, the idea is to force a VPN to connect through Tor (VPN through Tor Setup):

+ +

+You -> Tor -> VPN -> Destination
+
+
+

That way, we have the following result:

+
    +
  1. Your ISP only sees Tor traffic

  2. +
  3. The VPN provider does not know who's using their infrastructure

  4. +
  5. The website administrators of popular services think you are using their service using a simple VPN

  6. +
+

A constraint here of course is to acquire the VPN connection anonymously, to do so we only use Tor and Monero as explained in my tutorial on Anonymity Management:

+ +

If the popular service does not block VPNs, you're good to keep using their service while still maintaining Anonymity.

+

/!\ Be warned that this setup takes into account that you're properly segmenting your Internet Usage, because initially when you use this setup (you -> tor -> VPN), you may be anonymous, but depending on your usage over time, you are increasingly more likely to be deanonymized if you are improperly segmenting your internet usage. (see details on OPSEC for more details)

+ +
+
+
+
+ + + +
+
+
+
+

Second Goal: Hiding Tor usage from your ISP



+

Another scenario is when you need to hide the fact that you're using Tor from your ISP, we have the following setup which is useful to prevent Tor usage correlation.

+ +

+You -> VPN -> Tor -> Destination
+
+
+

WARNING: in this setup you are trusting your VPN provider to not snitch to your ISP that you are using Tor!

+

From your ISP's point of view, using Tor alone definitely stand out from regular traffic, a popular option you can go for is to use a VPN (as this is a much more common occurence), and to use the Tor browser while keeping the VPN connection open.

+

In the unlikely event that you get deanonymized while using Tor, only your VPN IP would get revealed instead of your home IP address. And if the VPN provider has strict no-log policies and they actually follow through with their promises, it's very unlikely that both your VPN and Tor would be compromised at the same time.

+ +

DISCLAIMER ON VPNs: Keep in mind that if you choose to use a VPN anyway, you must conduct a strict VPN selection, see Privacy Guides' Recommendations on that topic, out of which i recommend Mullvad because they accept Monero without any KYC.

+ +
+
+
+
+
+
+
+
+

Third Goal: Hiding Tor usage (For Heavily Censored Countries)



+

A popular scenario people encounter, especially in heavily censored countries (the prime example being China with their "Great Firewall"), is that the state blocks all VPN connections, on top of making them illegal.

+

Citizens don't want their ISP to know that they are using the Tor network. Because otherwise they would be prosecuted for simply using the technology.

+

Out of that situation, Tor bridge nodes were created. Tor bridge nodes are purposefully not listed in the public Tor directory to avoid being blocked by governments. Tor bridges include multiple pluggable transports to help users in heavily censored countries:

+

From Torproject's explanation on tor bridge nodes:

+

+Bridges are useful for Tor users under oppressive regimes, and for people who want an extra layer of security because they're worried somebody will recognize that they are contacting a public Tor relay IP address.
+
+Several countries, including China and Iran, have found ways to detect and block connections to Tor bridges. Obfsproxy bridges address this by adding another layer of obfuscation. 
+
+
+

WARNING: be aware that this setup may provide transient censorship circumvention, but it does not protect against the threat where an adversary finds out, let's say 5 months later, that you connected to a tor bridge node in the past, and may prosecute you for it. This scenario is to be considered only when all VPNs are blocked or illegal in your country.

+

Personally, if i were to live in a heavily censored country like china, i wouldn't try to be anonymous online, to avoid the risk of being prosecuted for just using the technology, as the risks are too high there.

+ +

Using this setup allows you to use the Tor network even if your government doesn't allow it, but again, you run the risk that they find out later on, that you used tor in the past.

+ + + +
+
+
+
+ + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
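Review bot: The summary block under "there are only 4 valid Tor / VPN combinations" leaves out the bridge path that the client-side list ("you -> tor bridge -> tor") and the whole Third Goal section describe, and it also drops the residential proxy case from the server-side list. Either add a third group to the block for countries that allow neither Tor nor VPNs, or reword "only 4" so it does not contradict the rest of the page. The Second Goal warning says the VPN provider might "snitch to your ISP", but the party that learns about the Tor use in "You -> VPN -> Tor" is the VPN provider itself, so the sentence should name who the disclosure would go to. In the Third Goal section, the sentence ending "to help users in heavily censored countries:" introduces a list that is not there. Spelling: "comparaison" (twice), "occurence", "stand out" for "stands out", and "persecuted" in one place against "prosecuted" elsewhere.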
+ + + + + + + diff --git a/servers/torvsvpns/1.png b/servers/torvsvpns/1.png new file mode 100644 index 0000000..f7d0a89 Binary files /dev/null and b/servers/torvsvpns/1.png differ diff --git a/servers/torvsvpns/2.png b/servers/torvsvpns/2.png new file mode 100644 index 0000000..b424e52 Binary files /dev/null and b/servers/torvsvpns/2.png differ diff --git a/servers/torvsvpns/3.png b/servers/torvsvpns/3.png new file mode 100644 index 0000000..124880e Binary files /dev/null and b/servers/torvsvpns/3.png differ diff --git a/servers/torvsvpns/4.png b/servers/torvsvpns/4.png new file mode 100644 index 0000000..dbd7181 Binary files /dev/null and b/servers/torvsvpns/4.png differ diff --git a/servers/torvsvpns/5.png b/servers/torvsvpns/5.png new file mode 100644 index 0000000..c266bb9 Binary files /dev/null and b/servers/torvsvpns/5.png differ diff --git a/servers/torvsvpns/6.png b/servers/torvsvpns/6.png new file mode 100644 index 0000000..6b56c1d Binary files /dev/null and b/servers/torvsvpns/6.png differ diff --git a/servers/torvsvpns/index.html b/servers/torvsvpns/index.html new file mode 100644 index 0000000..6af101c --- /dev/null +++ b/servers/torvsvpns/index.html @@ -0,0 +1,167 @@ + + + + + + + + + + + The main source of Anonymity: The Tor Network + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-04-30

+

The main source of Anonymity: The Tor Network

+ +
+
+
+
+ + +
+
+
+
+

Why aren't VPNs enough?

+

+Privacy Analogy:
+Alice is talking to Bob, but Jack can hear their conversation, they have no privacy.
+Alice is talking to Bob, behind closed doors. Jack can't hear their conversation, they now have privacy.
+
+
+

As explained previously, Privacy is about excluding someone from being able to spy on what you're doing, the whole marketing point for VPNs is to provide privacy for your internet usage, from your internet service provider (ISP)

+ +

By default, you are using your computer from home, from your home connection which is provided by your Internet Service Provider (ISP), and you are using it to access services remotely. In that scenario, your ISP is able to see (to spy on) what you're doing with your internet connection. From there, the entire VPN industry emerged.

+ +

A VPN provider is a centralised entity (see our previous explanation on why these are highly likely to be used as a spying proxy for the governments), they offer you to connect to their infrastructure in order to offer you privacy from your ISP.

+

However when you do that, the VPN provider becomes your ISP, The VPN provider becomes the one who is able to spy on your internet traffic, instead of your ISP.

+

By connecting to a VPN you are moving your trust from your ISP to the VPN provider, but since both your ISP and your VPN provider are centralised entities, you can be damn sure they are spying on what you're doing.

+

Moving your trust from a centralised entity to another is not going to protect you against targeted surveillance. It won't protect you from being reported to the authorities either if you do something illegal.

+

DISCLAIMER ON VPNs: Keep in mind that if you choose to use a VPN anyway, you must conduct a strict VPN selection, see Privacy Guides' Recommendations on that topic, out of which i recommend Mullvad because they accept Monero without any KYC.

+
+
+
+
+ +
+
+
+
+

Tor Network: the main source of Anonymity



+

+Anonymity Analogy:
+Jack sees that Alice is talking to Someone. But Jack can't make out who that person is. 
+Until Jack can figure out who that Someone is, that someone is Anonymous.
+
+
+

So we can't trust our ISP, nor VPNs alone, what can we trust then ?

+

That situation is what started the Tor Project. Tor is above all an open source routing protocol, that aims to not only encrypt traffic (like what VPNs do) but the aim is also to obscure where connections come from, and where they go.

+

It aims to blend all of the users together, to make everyone look the same to prevent any identity correlation. (that is also why you shouldn't edit your tor browser configs, as it will make you stand out as an unique user.

+ +

We have the following scenario: you don't want your internet service provider to know what you're doing, but you also don't want the end services like google youtube or duckduckgo to know that you are accessing their service. in other words, you want to remain Anonymous while browsing the web, and Tor provides that for you.

+ +

Tor is unique as it is the anonymity network that recieved the most donations, studies and patches, but also due to it's popularity there's alot of nodes ran by anyone (individuals, companies, and potentially also governments), the decentralised aspect is vital there, because by using Tor, you are trusting 3 random entities, in 3 different countries

+

It takes all 3 nodes used by your tor circuit (in 3 different legislations if they are in 3 different countries) to actually be malicious and to record connections to be able to successfully deanonymize you. While at the same time, the Tor protocol does not log any connection by default.

+

For more details you can see the repartition of tor nodes per country, or per ISP on metrics.torproject.org

+ +

Keep in mind that it is still possible for you to get deanonymized sometimes if you're unlucky to have all 3 nodes ran by the same entity. So it is not perfect, but it is definitely many times more trustworthy than having to trust a centralised entity providing you with a VPN connection.

+

As we have discussed previously, sometimes Anonymity is the difference-maker between Life and Death, especially for Journalism in censorship-heavy countries, Tor's main attraction is that De-anonymization attacks are made to be as expensive as possible, even for state-actors.

+

Some people argue that Tor can't be trusted, but as we have discussed previously, Governments need to be able to know what happened (lack of Privacy), and once they know what happened, they need to know who did it (lack of Anonymity), in order to enforce their laws. When that is the case, how come is there still so many illegal marketplaces with years of uptime on the Tor network ? One thing is for sure, these marketplaces are very high on international authorities' priority list. If they are still there after all this time, It must be because the Tor network is protecting them from being discovered by the authorities isn't it ?

+

Even though i don't recommend to use Tor for any illegal purposes, the fact that these marketplaces have remained in activity for such a long time are a clear testament to the resilliency of the Tor network.

+
+
+
+
+ + + + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
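Review bot: The VPN section states "you can be damn sure they are spying on what you're doing" about every VPN provider, and the disclaimer a few lines later recommends a specific provider, which reads as a contradiction. Wording it as something the provider is able to do, which is how the preceding paragraph puts it ("the one who is able to spy on your internet traffic"), keeps the argument and the recommendation consistent. The parenthesis opened at "(that is also why you shouldn't edit your tor browser configs" is never closed, and the sentence ending "in 3 different countries" has no full stop. The DISCLAIMER ON VPNs paragraph is a verbatim copy of the one in servers/torthroughvpn/index.html; a link would avoid the two drifting apart. Spelling: "recieved", "it's popularity", "alot", "resilliency", "an unique", and "repartition" where "distribution" is meant.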
+ + + + + + + diff --git a/servers/torweb/0.png b/servers/torweb/0.png new file mode 100644 index 0000000..49467cd Binary files /dev/null and b/servers/torweb/0.png differ diff --git a/servers/torweb/index.html b/servers/torweb/index.html new file mode 100644 index 0000000..ebac277 --- /dev/null +++ b/servers/torweb/index.html @@ -0,0 +1,111 @@ + + + + + + + + + + + torweb Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nothing@nowhere - 2022-01-09

+

torweb Setup

+ + + +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
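Review bot: servers/torweb/index.html is added with only the title "torweb Setup", the byline "nothing@nowhere - 2022-01-09" and the shared footer; there is no tutorial body between the heading and the footer. Either add the content or leave this page and its 0.png out of the commit until it is written, so readers do not land on an empty tutorial.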
+ + + + + + + diff --git a/servers/torwebsite/0.png b/servers/torwebsite/0.png new file mode 100644 index 0000000..edd2e45 Binary files /dev/null and b/servers/torwebsite/0.png differ diff --git a/servers/torwebsite/1.png b/servers/torwebsite/1.png new file mode 100644 index 0000000..70e2cd2 Binary files /dev/null and b/servers/torwebsite/1.png differ diff --git a/servers/torwebsite/2.png b/servers/torwebsite/2.png new file mode 100644 index 0000000..56973bb Binary files /dev/null and b/servers/torwebsite/2.png differ diff --git a/servers/torwebsite/3.png b/servers/torwebsite/3.png new file mode 100644 index 0000000..94aefc6 Binary files /dev/null and b/servers/torwebsite/3.png differ diff --git a/servers/torwebsite/index.html b/servers/torwebsite/index.html new file mode 100644 index 0000000..eedc22d --- /dev/null +++ b/servers/torwebsite/index.html @@ -0,0 +1,416 @@ + + + + + + + + + + + Tor Website Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-02-01

+

Tor Website Setup

+ +

In this tutorial we'll setup a TOR website, which can be accessed via a .onion link. We'll set it up using nginx and Tor.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

First compute your tor domain:

+

+
+[ Datura-Network ] [ /dev/pts/11 ] [/srv]
+→ apt install gcc libc6-dev libsodium-dev make autoconf tor
+
+[ Datura-Network ] [ /dev/pts/11 ] [/srv]
+→ git clone https://github.com/cathugger/mkp224o
+Cloning into 'mkp224o'...
+remote: Enumerating objects: 1571, done.
+remote: Counting objects: 100% (402/402), done.
+remote: Compressing objects: 100% (83/83), done.
+remote: Total 1571 (delta 341), reused 350 (delta 317), pack-reused 1169
+Receiving objects: 100% (1571/1571), 1.89 MiB | 6.32 MiB/s, done.
+Resolving deltas: 100% (982/982), done.
+
+[ Datura-Network ] [ /dev/pts/11 ] [/srv]
+→ cd mkp224o
+
+[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
+→ ls
+autogen.sh     base64_to.c   filters_common.inc.h  ioutil.h          test_base64.c            worker.h
+base16_from.c  calcest.c     filters.h             keccak.c          test_ed25519.c           worker_impl.inc.h
+base16.h       common.h      filters_inc.inc.h     keccak.h          testutil.h               yaml.c
+base16_to.c    configure.ac  filters_main.inc.h    likely.h          types.h                  yaml.h
+base32_from.c  contrib       filters_worker.inc.h  main.c            vec.c
+base32.h       COPYING.txt   GNUmakefile.in        OPTIMISATION.txt  vec.h
+base32_to.c    cpucount.c    hex.h                 README.md         worker_batch.inc.h
+base64_from.c  cpucount.h    ifilter_bitsum.h      test_base16.c     worker_batch_pass.inc.h
+base64.h       ed25519       ioutil.c              test_base32.c     worker.c
+
+[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
+→ ./autogen.sh
+
+[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
+→ ./configure
+checking for gcc... gcc
+checking whether the C compiler works... yes
+checking for C compiler default output file name... a.out
+checking for suffix of executables...
+checking whether we are cross compiling... no
+checking for suffix of object files... o
+checking whether the compiler supports GNU C... yes
+checking whether gcc accepts -g... yes
+checking for gcc option to enable C11 features... none needed
+checking whether CC supports -march=native... yes
+checking whether CC supports -fomit-frame-pointer... yes
+checking whether CC supports -fPIE... yes
+checking whether CC supports -std=c99... yes
+checking whether CC supports -Wall... yes
+checking whether CC supports -Wextra... yes
+checking whether CC supports -Wno-maybe-uninitialized... yes
+checking whether CC supports and needs -Wno-format -Wno-pedantic-ms-format... no
+checking whether CC supports -Wno-unused-function... yes
+checking whether CC supports -Wmissing-prototypes... yes
+checking whether CC supports -Wstrict-prototypes... yes
+checking whether ARGON2ID13 is supported by libsodium... yes
+configure: creating ./config.status
+config.status: creating GNUmakefile
+
+[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
+→ make
+	
+
+ +

Now i want my tor domain to contain the "datura" characters so i do the following:

+

+[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
+→ ./mkp224o datura
+sorting filters... done.
+filters:
+        datura
+in total, 1 filter
+using 12 threads
+daturacccspczuluj2hbgqfcpkjo75hn7bzmuzsm5zys3az6k3su45ad.onion
+daturaxnp7x4ubwlslgyeaft5dabaxotmsaxanayocnpxarc7wi36kid.onion
+
+[ Datura-Network ] [ /dev/pts/11 ] [lib/tor/onions]
+→ ls -lash
+total 16K
+4.0K drwx------ 4 debian-tor debian-tor 4.0K Jan 27 15:33 .
+4.0K drwx--S--- 8 debian-tor debian-tor 4.0K Feb  1 15:08 ..
+4.0K drwx------ 3 debian-tor debian-tor 4.0K Jul 12  2023 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
+4.0K drwx------ 3 debian-tor debian-tor 4.0K Jan 27 15:48 nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion
+
+[ Datura-Network ] [ /dev/pts/11 ] [lib/tor/onions]
+→ ls -lash daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
+total 24K
+4.0K drwx------ 3 debian-tor debian-tor 4.0K Jul 12  2023 .
+4.0K drwx------ 4 debian-tor debian-tor 4.0K Jan 27 15:33 ..
+4.0K drwx------ 2 debian-tor debian-tor 4.0K Jul 12  2023 authorized_clients
+4.0K -r-------- 1 debian-tor debian-tor   63 Jul 12  2023 hostname
+4.0K -r-------- 1 debian-tor debian-tor   64 Jul 12  2023 hs_ed25519_public_key
+4.0K -r-------- 1 debian-tor debian-tor   96 Jul 12  2023 hs_ed25519_secret_key
+
+
+[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
+→ cat /etc/tor/torrc
+HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
+HiddenServicePort 80 127.0.0.1:4443  # for web service HTTP (recommended!)
+HiddenServicePort 443 127.0.0.1:4444 # for web service HTTPS (but not recommended!)
+
+HiddenServicePort 18080 127.0.0.1:18080 # for monero nodes
+HiddenServicePort 18081 127.0.0.1:18081 # for monero nodes
+
+# to have another hidden service, you can append it afterward like so; but you need to use different ports:
+
+HiddenServiceDir /var/lib/tor/onions/nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion/
+HiddenServicePort 80 127.0.0.1:4445
+
+
+

Make sure that the file permissions are correct in the /var/lib/tor/onions/datura...onion/ directory:

+

+[ Datura-Network ] [ /dev/pts/11 ] [lib/tor/onions]
+→ chmod 700 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
+
+[ Datura-Network ] [ /dev/pts/11 ] [lib/tor/onions]
+→ chmod 400 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/*
+
+[ Datura-Network ] [ /dev/pts/11 ] [~debian-tor/onions]
+→ chmod 700 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/authorized_clients -R
+
+
+ +

Now let's set it up on our webserver:

+

+[ Datura-Network ] [ /dev/pts/11 ] [~debian-tor/onions]
+→ cat /etc/nginx/sites-available/datura.network.conf
+server {
+        listen 80;
+        listen [::]:80;
+        server_name datura.network;
+        return 301 https://$server_name$request_uri;
+}
+
+server {
+        ######## TOR CHANGES ########
+                listen 4443;
+                listen [::]:4443;
+                server_name daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
+                add_header Onion-Location "http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
+        ######## TOR CHANGES ########
+
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name datura.network;
+
+        ssl_certificate /etc/acme/certs/datura.network/fullchain.cer;
+        ssl_trusted_certificate /etc/acme/certs/datura.network/datura.network.cer;
+        ssl_certificate_key /etc/acme/certs/datura.network/datura.network.key;
+
+[...]
+        root /srv/datura.network/;
+}
+
+[ Datura-Network ] [ /dev/pts/11 ] [~debian-tor/onions]
+→ cat /etc/nginx/sites-available/nihilism.network.conf
+server {
+        listen 80;
+        listen [::]:80;
+        server_name nihilism.network;
+        return 301 https://$server_name$request_uri;
+}
+
+server {
+        ######## TOR CHANGES ########
+        listen 4445;
+        listen [::]:4445;
+        server_name nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion;
+        add_header Onion-Location "http://nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion$request_uri" always;
+        ######## TOR CHANGES ########
+
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name nihilism.network;
+[...]
+
+        root /srv/datura.network/;
+
+        ssl_certificate /etc/acme/certs/datura.network/fullchain.cer;
+        ssl_trusted_certificate /etc/acme/certs/datura.network/datura.network.cer;
+        ssl_certificate_key /etc/acme/certs/datura.network/datura.network.key;
+}
+
+[ Datura Network ] [ /dev/pts/0 ] [tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion]
+→ nginx -t
+2023/07/12 21:46:16 [emerg] 113983#113983: could not build server_names_hash, you should increase server_names_hash_bucket_size: 64
+nginx: configuration file /etc/nginx/nginx.conf test failed
+
+#if it gives you this error do the following:
+
+[ Datura Network ] [ /dev/pts/0 ] [tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion]
+→ vim /etc/nginx/nginx.conf
+
+[ Datura Network ] [ /dev/pts/0 ] [tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion]
+→ cat /etc/nginx/nginx.conf |grep 128
+        server_names_hash_bucket_size 128;
+
+
+[ 10.0.0.101/16 ] [ /dev/pts/12 ] [/var/lib/tor]
+→ nginx -t
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+[ 10.0.0.101/16 ] [ /dev/pts/12 ] [/var/lib/tor]
+→ nginx -s reload
+
+[ 10.0.0.101/16 ] [ /dev/pts/8 ] [~debian-tor]
+→ sudo -u debian-tor tor
+Jan 23 16:57:19.270 [notice] Tor 0.3.5.16 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
+Jan 23 16:57:19.270 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
+Jan 23 16:57:19.270 [notice] Read configuration file "/etc/tor/torrc".
+Jan 23 16:57:19.278 [notice] Opening Socks listener on 127.0.0.1:9050
+Jan 23 16:57:19.278 [notice] Opened Socks listener on 127.0.0.1:9050
+Jan 23 16:57:19.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
+Jan 23 16:57:19.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
+Jan 23 16:57:19.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
+Jan 23 16:57:19.000 [notice] Bootstrapped 0%: Starting
+Jan 23 16:57:20.000 [notice] Starting with guard context "default"
+Jan 23 16:57:20.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
+Jan 23 16:57:20.000 [notice] Bootstrapped 80%: Connecting to the Tor network
+Jan 23 16:57:20.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
+Jan 23 16:57:21.000 [notice] Bootstrapped 100%: Done
+
+
+

From there we can check if our tor website is up:

+ + +

It works! Now let's use systemctl to start tor instead:

+

+[ Datura-Network ] [ /dev/pts/11 ] [~debian-tor/onions]
+→ systemctl restart tor@default
+
+[ Datura-Network ] [ /dev/pts/11 ] [~debian-tor/onions]
+→ systemctl status tor@default
+● tor@default.service - Anonymizing overlay network for TCP
+     Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; preset: enabled)
+     Active: active (running) since Thu 2024-02-01 15:24:07 CET; 18min ago
+    Process: 3027334 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS)
+    Process: 3027335 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
+   Main PID: 3027336 (tor)
+      Tasks: 30 (limit: 77000)
+     Memory: 636.4M
+        CPU: 49.885s
+     CGroup: /system.slice/system-tor.slice/tor@default.service
+             ├─3027336 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
+             └─3027337 /usr/bin/obfs4proxy
+
+Feb 01 15:24:26 Datura-Network Tor[3027336]: Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 1000 buildtimes.
+Feb 01 15:25:09 Datura-Network Tor[3027336]: Performing bandwidth self-test...done.
+
+
+

Now we can do the same for a subdomain:

+

+
+[ Datura-Network ] [ /dev/pts/11 ] [/etc/nginx/sites-available]
+→ cat cringe.datura.network.conf
+server {
+        listen 443 ssl;
+        server_name cringe.datura.network;
+
+        ssl_certificate /etc/acme/certs/cringe.datura.network/cringe.datura.network.cer;
+    ssl_certificate_key /etc/acme/certs/cringe.datura.network/cringe.datura.network.key;
+
+    ######## TOR CHANGES ########
+    listen 4443;
+    listen [::]:4443;
+    server_name cringe.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
+    add_header Onion-Location "http://cringe.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
+    ######## TOR CHANGES ########
+
+[...] 
+
+	location / {
+                proxy_pass http://localhost:8083;
+        }
+
+        location = /robots.txt {
+                add_header Content-Type text/plain;
+                return 200 "User-agent: *\nDisallow: /\n";
+        }
+}
+
+[ Datura-Network ] [ /dev/pts/11 ] [/etc/nginx/sites-available]
+→ nginx -t
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+[ Datura-Network ] [ /dev/pts/11 ] [/etc/nginx/sites-available]
+→ nginx -s reload
+2024/02/01 15:45:18 [notice] 3045373#3045373: signal process started
+
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
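Review bot: In the nginx server blocks the onion listeners are written as `listen 4443;` and `listen [::]:4443;` (and `4445` for nihilism.network), which bind every interface, while torrc forwards only to `127.0.0.1:4443` and `127.0.0.1:4445`. Bind them to loopback (`listen 127.0.0.1:4443;`) and drop the `[::]` listeners, so the onion vhost is reachable only through Tor and not directly on the server's public address. The walkthrough also jumps from the `./mkp224o datura` output to an already populated /var/lib/tor/onions/ directory holding a different datura address; the step that moves the generated key directory into place and gives it to debian-tor is missing. Finally, nihilism.network.conf reuses `root /srv/datura.network/` and the datura.network certificate paths; confirm that is intended and not a copy-paste leftover.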
+ + + + + + + diff --git a/servers/tr0.png b/servers/tr0.png new file mode 100644 index 0000000..1f9706e Binary files /dev/null and b/servers/tr0.png differ diff --git a/servers/tr1.png b/servers/tr1.png new file mode 100644 index 0000000..4aed98f Binary files /dev/null and b/servers/tr1.png differ diff --git a/servers/tr2.png b/servers/tr2.png new file mode 100644 index 0000000..548508b Binary files /dev/null and b/servers/tr2.png differ diff --git a/servers/veracrypt/0.png b/servers/veracrypt/0.png new file mode 100644 index 0000000..924ab9d Binary files /dev/null and b/servers/veracrypt/0.png differ diff --git a/servers/veracrypt/1.png b/servers/veracrypt/1.png new file mode 100644 index 0000000..b3fb07b Binary files /dev/null and b/servers/veracrypt/1.png differ diff --git a/servers/veracrypt/10.png b/servers/veracrypt/10.png new file mode 100644 index 0000000..8a9e371 Binary files /dev/null and b/servers/veracrypt/10.png differ diff --git a/servers/veracrypt/11.png b/servers/veracrypt/11.png new file mode 100644 index 0000000..b0781e1 Binary files /dev/null and b/servers/veracrypt/11.png differ diff --git a/servers/veracrypt/12.png b/servers/veracrypt/12.png new file mode 100644 index 0000000..ae1da3a Binary files /dev/null and b/servers/veracrypt/12.png differ diff --git a/servers/veracrypt/13.png b/servers/veracrypt/13.png new file mode 100644 index 0000000..3cdfcf4 Binary files /dev/null and b/servers/veracrypt/13.png differ diff --git a/servers/veracrypt/14.png b/servers/veracrypt/14.png new file mode 100644 index 0000000..dde3e9e Binary files /dev/null and b/servers/veracrypt/14.png differ diff --git a/servers/veracrypt/15.png b/servers/veracrypt/15.png new file mode 100644 index 0000000..fe92ea3 Binary files /dev/null and b/servers/veracrypt/15.png differ diff --git a/servers/veracrypt/16.png b/servers/veracrypt/16.png new file mode 100644 index 0000000..7bac58d Binary files /dev/null and b/servers/veracrypt/16.png differ 
diff --git a/servers/veracrypt/17.png b/servers/veracrypt/17.png new file mode 100644 index 0000000..6d76aa7 Binary files /dev/null and b/servers/veracrypt/17.png differ diff --git a/servers/veracrypt/18.png b/servers/veracrypt/18.png new file mode 100644 index 0000000..47552fd Binary files /dev/null and b/servers/veracrypt/18.png differ diff --git a/servers/veracrypt/19.png b/servers/veracrypt/19.png new file mode 100644 index 0000000..ecee7c3 Binary files /dev/null and b/servers/veracrypt/19.png differ diff --git a/servers/veracrypt/2.png b/servers/veracrypt/2.png new file mode 100644 index 0000000..c6c5c18 Binary files /dev/null and b/servers/veracrypt/2.png differ diff --git a/servers/veracrypt/20.png b/servers/veracrypt/20.png new file mode 100644 index 0000000..c59406b Binary files /dev/null and b/servers/veracrypt/20.png differ diff --git a/servers/veracrypt/21.png b/servers/veracrypt/21.png new file mode 100644 index 0000000..643fb2e Binary files /dev/null and b/servers/veracrypt/21.png differ diff --git a/servers/veracrypt/22.png b/servers/veracrypt/22.png new file mode 100644 index 0000000..54c8fa1 Binary files /dev/null and b/servers/veracrypt/22.png differ diff --git a/servers/veracrypt/3.png b/servers/veracrypt/3.png new file mode 100644 index 0000000..2433cd5 Binary files /dev/null and b/servers/veracrypt/3.png differ diff --git a/servers/veracrypt/4.png b/servers/veracrypt/4.png new file mode 100644 index 0000000..a3bc742 Binary files /dev/null and b/servers/veracrypt/4.png differ diff --git a/servers/veracrypt/5.png b/servers/veracrypt/5.png new file mode 100644 index 0000000..377e02c Binary files /dev/null and b/servers/veracrypt/5.png differ diff --git a/servers/veracrypt/6.png b/servers/veracrypt/6.png new file mode 100644 index 0000000..e325e78 Binary files /dev/null and b/servers/veracrypt/6.png differ 
diff --git a/servers/veracrypt/7.png b/servers/veracrypt/7.png new file mode 100644 index 0000000..826260f Binary files /dev/null and b/servers/veracrypt/7.png differ diff --git a/servers/veracrypt/8.png b/servers/veracrypt/8.png new file mode 100644 index 0000000..00e1c8f Binary files /dev/null and b/servers/veracrypt/8.png differ diff --git a/servers/veracrypt/9.png b/servers/veracrypt/9.png new file mode 100644 index 0000000..3d997e1 Binary files /dev/null and b/servers/veracrypt/9.png differ diff --git a/servers/veracrypt/index.html b/servers/veracrypt/index.html new file mode 100644 index 0000000..890b41c --- /dev/null +++ b/servers/veracrypt/index.html @@ -0,0 +1,203 @@ + + + + + + + + + + + Plausible Deniability Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-01-31

+

Plausible Deniability Setup

+ +

VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. It is based on Truecrypt, This tool will be used for Plausible Deniability.

+

But why is Plausible Deniability important first of all ? From a legal perspective, depending on jurisdictions, you may be forced to type your password into an encrypted drive if requested. All it takes is for an adversary to be able to prove the existance of an encrypted drive to be able to force you to reveal the password to unlock it. Hence for example the regular LUKS encryption is not enough, because you need to be able to deny the existance of the encrypted volume. If that is the case, we have to use Veracrypt, which is an encryption tool used to provide protection (which is Plausible Deniability) against that scenario where you're forced to provide a password.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+
+DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling +

+source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
+
+regarding wear leveling:
+"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
+
+
+ + +

Let's install the .deb package for veracrypt:

+ +

+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ wget https://launchpad.net/veracrypt/trunk/1.26.7/+download/veracrypt-1.26.7-Debian-12-amd64.deb
+
+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ sudo dpkg -i veracrypt-1.26.7-Debian-12-amd64.deb
+
+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ sudo apt install -f
+
+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ sudo dpkg -i veracrypt-1.26.7-Debian-12-amd64.deb
+	
+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ which veracrypt
+/usr/bin/veracrypt
+
+[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
+→ veracrypt
+
+
+ +

Now from there we can create encrypted volumes (either as files or as entire drives). In this case we'll create an encrypted file:

+ +

Here we select that we want a Hidden veracrypt volume aswell (which will be able to deny it's existance).

+ +

Then we want it to be a simple file in my home directory

+ +

Leave the default settings for the encryption

+ +

As a test we'll make a 1Gb volume, can be smaller or as big as all the available space.

+ +

Now here we want to remember our first password A, for the decoy volume, This is the password you'll type when you're forced to give out your password.

+ +

Here we can select the FAT filesystem

+ +

Then move your mouse to make sure the randomness of the encryption is best, then let it complete the formatting. If you are creating a large encrypted volume, it will take time to overwrite all the data. DO NOT SELECT QUICK FORMAT, or you risk having the hidden volume being discoverable by an adversary.

+ + +

Now that's completed, we then create the Hidden Volume, which we'll open only when we are all alone, the existance of this volume must never be revealed to anyone except you.. then we repeat the previous steps:

+ + +

Here we select the size we need for the hidden volume.

+ +

And here we use the second password, this is the one you must remember in order to access the data you want to hide from an adversary. Then we repeat the previous steps to create the volume:

+ + + + + +
+
+
+
+ +
+
+
+
+

Mounting the Volumes



+

Now let's mount both volumes to see the difference:

+ +

Here when we type the first password we see that the volume is mounted as normal type:

+ +

Then dismount the volume, and mount the hidden volume next with the second password:

+ +

And here you see that the volume mounted is now of the "hidden" type

+ + +
+
+
+
+ +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
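Review bot: The install step passes the downloaded `veracrypt-1.26.7-Debian-12-amd64.deb` straight to `sudo dpkg -i` with no integrity check; add a step that verifies the package's PGP signature against the VeraCrypt release key before installing, since a tampered disk-encryption package undermines everything that follows. `sudo dpkg -i` also appears twice around `sudo apt install -f`; say why the second run is needed or drop it. In the mounting section, the decoy volume is mounted with password A but the text never says that writing to it without hidden-volume protection enabled can overwrite the hidden volume; that caveat belongs next to "Now let's mount both volumes".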
+ + + + + + + diff --git a/servers/vimrc/0.png b/servers/vimrc/0.png new file mode 100644 index 0000000..169bfae Binary files /dev/null and b/servers/vimrc/0.png differ diff --git a/servers/vimrc/1.png b/servers/vimrc/1.png new file mode 100644 index 0000000..635a7e9 Binary files /dev/null and b/servers/vimrc/1.png differ diff --git a/servers/vimrc/2.png b/servers/vimrc/2.png new file mode 100644 index 0000000..0429d7c Binary files /dev/null and b/servers/vimrc/2.png differ diff --git a/servers/vimrc/index.html b/servers/vimrc/index.html new file mode 100644 index 0000000..13d010a --- /dev/null +++ b/servers/vimrc/index.html @@ -0,0 +1,270 @@ + + + + + + + + + + + custom vimrc + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 00 / 00 / 00

+

custom vimrc

+

Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.

+

You can use DuckDNS to get a free domain name:

+ +

+[ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+→ ssh root@ech4.duckdns.org
+The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+ +
+
+
+
+ + +
+
+
+
+

1

+

+ +

+rm -rf ~/.vim
+rm ~/.vimrc
+vim ~/.vimrc
+
+
+ +

Here are some safe default options:

+

+syntax on
+
+set noerrorbells
+set tabstop=4 softtabstop=4
+set shiftwidth=4
+set expandtab
+set smartindent
+set nu
+set nowrap
+set smartcase
+set noswapfile
+set nobackup
+set undodir=~/.vim/undodir
+set undofile
+set incsearch
+
+set colorcolumn=80
+highlight ColorColumn ctermbg=0 guibg=lightgrey
+	
+
+

Then: you can type /set and it will find the set word!! so /word!

+

To refresh the config:

+

+:source %
+
+
+

+mkdir ~/.vim/undodir -p
+mkdir ~/
+	
+
+

PLUGINS (https://github.com/Junegunn/vim-plug) :

+

+curl -fLo ~/.vim/autoload/plug.vim --create-dirs \
+    https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim
+
+
+

Then add the following line to vimrc:

+

+call plug#begin('~/.vim/plugged')
+
+Plug 'morhetz/gruvbox'
+Plug 'terryma/vim-multiple-cursors'
+Plug 'jremmen/vim-ripgrep'
+Plug 'tpope/vim-fugitive'
+Plug 'leafgarland/typescript-vim'
+Plug 'vim-utils/vim-man'
+Plug 'lyuts/vim-rtags'
+Plug 'neoclide/coc.nvim', {'branch':'release'}
+Plug 'mbbill/undotree'
+
+call plug#end()
+	
+
+

To refresh the config:

+

+:source %
+:PlugInstall
+
+
+ +

type :q to exit the extra vim pan once it finished, and add the following to your vimrc:

+

+
+colorscheme gruvbox
+set background=dark
+
+if executable ('rg')
+	let g:rg_derive_root='true'
+endif
+
+let g:ctrlp_user_command = ['.git/','git --git-dir=%s/.git ls-files -oc --exclude-standard']
+let g:netrw_browse_split=2
+let g:netrw_banner=0
+let g:netrw_winsize = 25
+let g:ctrlp_use_caching = 0
+
+
+	
+
+

To refresh the config:

+

+:w 
+:source %
+
+

And there you have it!

+ +

Now let's add a few conveniences in our vimrc:

+

+curl https://blog.nihilism.network/vimrc/shortcuts >> ~/.vimrc
+vim ~/.vimrc
+
+
+

Now the vim keybinds are:

+

+MODKEY = spacebar
+
+space+pv 		(opens the filetree with size 30) 
+space+ARROW 	(moves from tab left to right or up/down)
+space+u 		(shows undotree)
+:q close a vim tab
+space+ps (then type something) and repgrep will find that pattern in your system
+
+space++
+space+- (resizes the vertical split vim tabs)
+
+i to insert
+ESC to exit insert mode
+
+V to enter visual mode (downarrow to select lines downward)
+d to delete
+y to copy
+:s/match/replace/
+ESC to exit Visual Mode
+
+MULTIPLE CURSORS:
+CTRL+N
+
+
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
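Review bot: `curl https://blog.nihilism.network/vimrc/shortcuts >> ~/.vimrc` appends remote content to a file Vim executes on every start, without the reader seeing it first; since servers/vimrc/shortcuts is added in this same commit and is only ten lines, inline it in the page or have the reader download and read it before appending. The opening paragraphs (Debian 10+ VPS, ports 80 and 443, `ssh root@ech4.duckdns.org`) have nothing to do with a vimrc and appear to be carried over from another tutorial, as does the "00 / 00 / 00" date. The `mkdir ~/` line is cut off, `rm -rf ~/.vim` and `rm ~/.vimrc` delete an existing configuration with no backup step, and `set smartcase` has no effect without `set ignorecase`.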
+ + + + + + + diff --git a/servers/vimrc/shortcuts b/servers/vimrc/shortcuts new file mode 100644 index 0000000..79acc2c --- /dev/null +++ b/servers/vimrc/shortcuts @@ -0,0 +1,10 @@ +let mapleader = " " +nnoremap :wincmd h +nnoremap :wincmd j +nnoremap :wincmd k +nnoremap :wincmd l +nnoremap u :UndotreeShow +nnoremap pv :wincmd v :Ex :vertical resize 30 +nnoremap ps :Rg +nnoremap + :vertical resize +5 +nnoremap - :vertical resize -5 \ No newline at end of file diff --git a/servers/vpn/0.png b/servers/vpn/0.png new file mode 100644 index 0000000..fbe4d40 Binary files /dev/null and b/servers/vpn/0.png differ diff --git a/servers/vpn/1.png b/servers/vpn/1.png new file mode 100644 index 0000000..8dbe065 Binary files /dev/null and b/servers/vpn/1.png differ diff --git a/servers/vpn/10.png b/servers/vpn/10.png new file mode 100644 index 0000000..f2774c9 Binary files /dev/null and b/servers/vpn/10.png differ diff --git a/servers/vpn/2.png b/servers/vpn/2.png new file mode 100644 index 0000000..39480af Binary files /dev/null and b/servers/vpn/2.png differ diff --git a/servers/vpn/3.png b/servers/vpn/3.png new file mode 100644 index 0000000..7d99998 Binary files /dev/null and b/servers/vpn/3.png differ diff --git a/servers/vpn/4.png b/servers/vpn/4.png new file mode 100644 index 0000000..a72e5ef Binary files /dev/null and b/servers/vpn/4.png differ diff --git a/servers/vpn/5.png b/servers/vpn/5.png new file mode 100644 index 0000000..90a745e Binary files /dev/null and b/servers/vpn/5.png differ diff --git a/servers/vpn/6.png b/servers/vpn/6.png new file mode 100644 index 0000000..488f7b1 Binary files /dev/null and b/servers/vpn/6.png differ diff --git a/servers/vpn/7.png b/servers/vpn/7.png new file mode 100644 index 0000000..abe9e5d Binary files /dev/null and b/servers/vpn/7.png differ diff --git a/servers/vpn/8.png b/servers/vpn/8.png new file mode 100644 index 0000000..4fa6396 Binary files /dev/null and b/servers/vpn/8.png differ 
diff --git a/servers/vpn/9.png b/servers/vpn/9.png new file mode 100644 index 0000000..226061c Binary files /dev/null and b/servers/vpn/9.png differ diff --git a/servers/vpn/index.html b/servers/vpn/index.html new file mode 100644 index 0000000..4f3bebb --- /dev/null +++ b/servers/vpn/index.html @@ -0,0 +1,184 @@ + + + + + + + + + + + How to get privacy from your ISP using a VPN + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-06-27

+

How to get privacy from your ISP using a VPN

+ +
+
+
+
+ + +
+
+
+
+

Why does Bob need a VPN to begin with ?

+

Bob now has Linux as his host operating system on his computer, with a debian private VM setup thanks to the QEMU/KVM hypervisor. Now as per his private internet usage in his debian VM, he was thinking: "My Debian VM only has open source software, but who else may spy on me?"

+

As he browsed the web from his linux laptop he realised one thing; He's paying for an internet connection. A company is offering the internet service to his house.

+ +

Meaning, that when Bob is browsing the web on google.com; youtube.com or duckduckgo.com, his internet service provider can see that he's connecting there!

+

That doesn't sit well with Bob. Bob decides that his ISP shouldn't be aware of what he's doing with his internet usage. Therefore, he wants to use a VPN.

+ +

But thing is, Bob realises that the VPN market is over-saturated, there's alot of choice. He wants to know what's the best VPN out there. After browsing for some time, he found this article from Privacy Guides where they compare popular VPN services according to their standards. From there, Bob decides he's going to try to use Mullvad VPN.

+
+
+
+
+ +
+
+
+
+

Purchasing a VPN



+

Bob goes on mullvad.net to purchase the VPN (which is 5 euros monthly)

+ + + + +

Here Bob can pay with various means. For ease of use he can pay using his credit card for example, but as we'll see in later tutorials on decentralised finances, Monero is the ideal payment choice for financial privacy.

+

So Bob pays for the VPN, then his account has time added:

+ + +

+# Download the Mullvad signing key
+sudo curl -fsSLo /usr/share/keyrings/mullvad-keyring.asc https://repository.mullvad.net/deb/mullvad-keyring.asc
+
+# Add the Mullvad repository server to apt
+echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list
+# Or add the Mullvad BETA repository server to apt
+echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/beta $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mullvad.list
+
+# Install the package
+sudo apt update
+sudo apt install mullvad-vpn
+	
+
+ +

From there, Bob can launch the VPN from his desktop:

+ +

And he can see that his IP got changed accordingly to the location he picked:

+ +

The VPN is also protecting against DNS and WebRTC leaks, according to https://mullvad.net/en/check

+ +
+
+
+
+ + + +
+
+
+
+

Conclusion



+

So now currently, Bob has managed to setup a Debian VM (with only open source software) with a VPN in order to use it and gain privacy from his ISP.

+ +

Currently, Bob's setup is suitable for Public use (thanks to his windows VM), AND suitable for Private use too (thanks to his debian VM with the VPN setup).

+

Next, Bob can setup KeepassXC to implement proper Password Management.

+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + + diff --git a/servers/whonix/0.png b/servers/whonix/0.png new file mode 100644 index 0000000..5af3b80 Binary files /dev/null and b/servers/whonix/0.png differ diff --git a/servers/whonix/18.png b/servers/whonix/18.png new file mode 100644 index 0000000..798f835 Binary files /dev/null and b/servers/whonix/18.png differ diff --git a/servers/whonix/19.png b/servers/whonix/19.png new file mode 100644 index 0000000..5d49730 Binary files /dev/null and b/servers/whonix/19.png differ diff --git a/servers/whonix/20.png b/servers/whonix/20.png new file mode 100644 index 0000000..55eef14 Binary files /dev/null and b/servers/whonix/20.png differ diff --git a/servers/whonix/21.png b/servers/whonix/21.png new file mode 100644 index 0000000..b9adcb2 Binary files /dev/null and b/servers/whonix/21.png differ diff --git a/servers/whonix/22.png b/servers/whonix/22.png new file mode 100644 index 0000000..a537562 Binary files /dev/null and b/servers/whonix/22.png differ diff --git a/servers/whonix/23.png b/servers/whonix/23.png new file mode 100644 index 0000000..ee16c38 Binary files /dev/null and b/servers/whonix/23.png differ diff --git a/servers/whonix/24.png b/servers/whonix/24.png new file mode 100644 index 0000000..b57f470 Binary files /dev/null and b/servers/whonix/24.png differ diff --git a/servers/whonix/25.png b/servers/whonix/25.png new file mode 100644 index 0000000..2169c3e Binary files /dev/null and b/servers/whonix/25.png differ diff --git a/servers/whonix/26.png b/servers/whonix/26.png new file mode 100644 index 0000000..98b55af Binary files /dev/null and b/servers/whonix/26.png differ diff --git a/servers/whonix/27.png b/servers/whonix/27.png new file mode 100644 index 0000000..6cfddd6 Binary files /dev/null and b/servers/whonix/27.png differ diff --git a/servers/whonix/28.png b/servers/whonix/28.png new file mode 100644 index 0000000..ca7f98e Binary files /dev/null and b/servers/whonix/28.png differ 
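Review bot: In servers/vpn/index.html, the install listing under "Purchasing a VPN" puts the stable and the beta repository commands in one copy-paste block, and both `tee` into /etc/apt/sources.list.d/mullvad.list, so a reader who pastes the whole block ends up on the beta repository. Split the beta variant into its own listing or comment it out. The listing also follows directly after "then his account has time added:" with no sentence saying that the client is now being installed inside the Debian VM. The "Why does Bob need a VPN" section should state the trade-off it implies: the ISP still sees a connection to the VPN server, and the VPN provider is now the party that can see which sites Bob connects to, which is why the choice of provider matters. The conclusion credits a "windows VM" for public use that this page never introduces; link the tutorial that sets it up. Minor: "alot" should be "a lot".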
diff --git a/servers/whonix/29.png b/servers/whonix/29.png new file mode 100644 index 0000000..c09d540 Binary files /dev/null and b/servers/whonix/29.png differ diff --git a/servers/whonix/30.png b/servers/whonix/30.png new file mode 100644 index 0000000..3095fcd Binary files /dev/null and b/servers/whonix/30.png differ diff --git a/servers/whonix/31.png b/servers/whonix/31.png new file mode 100644 index 0000000..819d4f0 Binary files /dev/null and b/servers/whonix/31.png differ diff --git a/servers/whonix/32.png b/servers/whonix/32.png new file mode 100644 index 0000000..53bb169 Binary files /dev/null and b/servers/whonix/32.png differ diff --git a/servers/whonix/33.png b/servers/whonix/33.png new file mode 100644 index 0000000..6ee92f1 Binary files /dev/null and b/servers/whonix/33.png differ diff --git a/servers/whonix/34.png b/servers/whonix/34.png new file mode 100644 index 0000000..2e0885e Binary files /dev/null and b/servers/whonix/34.png differ diff --git a/servers/whonix/35.png b/servers/whonix/35.png new file mode 100644 index 0000000..ceec400 Binary files /dev/null and b/servers/whonix/35.png differ diff --git a/servers/whonix/36.png b/servers/whonix/36.png new file mode 100644 index 0000000..3f7dd1d Binary files /dev/null and b/servers/whonix/36.png differ diff --git a/servers/whonix/37.png b/servers/whonix/37.png new file mode 100644 index 0000000..2ee2c8a Binary files /dev/null and b/servers/whonix/37.png differ diff --git a/servers/whonix/38.png b/servers/whonix/38.png new file mode 100644 index 0000000..1a19105 Binary files /dev/null and b/servers/whonix/38.png differ diff --git a/servers/whonix/39.png b/servers/whonix/39.png new file mode 100644 index 0000000..c922a06 Binary files /dev/null and b/servers/whonix/39.png differ diff --git a/servers/whonix/40.png b/servers/whonix/40.png new file mode 100644 index 0000000..8db286f Binary files /dev/null and b/servers/whonix/40.png differ 
diff --git a/servers/whonix/41.png b/servers/whonix/41.png new file mode 100644 index 0000000..0d22ad0 Binary files /dev/null and b/servers/whonix/41.png differ diff --git a/servers/whonix/42.png b/servers/whonix/42.png new file mode 100644 index 0000000..942b175 Binary files /dev/null and b/servers/whonix/42.png differ diff --git a/servers/whonix/43.png b/servers/whonix/43.png new file mode 100644 index 0000000..9e1bfc4 Binary files /dev/null and b/servers/whonix/43.png differ diff --git a/servers/whonix/44.png b/servers/whonix/44.png new file mode 100644 index 0000000..ef30e1f Binary files /dev/null and b/servers/whonix/44.png differ diff --git a/servers/whonix/45.png b/servers/whonix/45.png new file mode 100644 index 0000000..6a462d5 Binary files /dev/null and b/servers/whonix/45.png differ diff --git a/servers/whonix/index.html b/servers/whonix/index.html new file mode 100644 index 0000000..0cf3101 --- /dev/null +++ b/servers/whonix/index.html @@ -0,0 +1,411 @@ + + + + + + + + + + + whonix + veracrypt plausible deniability Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist - 12 / 03 / 2023

+

whonix in a plausible deniability Setup

+ +

In this tutorial we're going to look at how to use whonix in a plausible deniability environment using QEMU KVM and veracrypt.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

First go here to download whonix for qemu,

+ +

Then extract the .xz file where you want the image to be at:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~/Downloads]
+→ mv Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz /mnt/VAULT/ISOs/whonix/
+
+[ 10.8.0.3/24 ] [ nowhere ] [~/Downloads]
+→ cd /mnt/VAULT/ISOs/whonix/
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ tar -xvf Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_BINARY_LICENSE_AGREEMENT
+WHONIX_DISCLAIMER
+Whonix-Gateway-XFCE-16.0.9.0.xml
+Whonix-Workstation-XFCE-16.0.9.0.xml
+Whonix_external_network-16.0.9.0.xml
+Whonix_internal_network-16.0.9.0.xml
+Whonix-Gateway-XFCE-16.0.9.0.Intel_AMD64.qcow2
+	
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ ls -lash
+total 7.9G
+4.0K drwxr-xr-x 2 nothing nothing 4.0K Dec 29 20:10 .
+4.0K drwxr-xr-x 4 nothing nothing 4.0K Dec 29 20:09 ..
+ 40K -rw-r--r-- 1 nothing nothing  39K Oct 21  2015 WHONIX_BINARY_LICENSE_AGREEMENT
+   0 -rw-r--r-- 1 nothing nothing    0 Dec 29 20:10 WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+8.0K -rw-r--r-- 1 nothing nothing 4.1K Oct 21  2015 WHONIX_DISCLAIMER
+4.0K -rw-r--r-- 1 nothing nothing  172 Oct 21  2015 Whonix_external_network-16.0.9.0.xml
+2.7G -rw-r--r-- 1 nothing nothing 101G Oct 21  2015 Whonix-Gateway-XFCE-16.0.9.0.Intel_AMD64.qcow2
+4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 21  2015 Whonix-Gateway-XFCE-16.0.9.0.xml
+4.0K -rw-r--r-- 1 nothing nothing   97 Oct 21  2015 Whonix_internal_network-16.0.9.0.xml
+3.8G -rw-r--r-- 1 nothing nothing 101G Oct 21  2015 Whonix-Workstation-XFCE-16.0.9.0.Intel_AMD64.qcow2
+4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 21  2015 Whonix-Workstation-XFCE-16.0.9.0.xml
+1.4G -rw-r--r-- 1 nothing nothing 1.4G Dec 29 20:06 Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz
+
+
+ +

So now we have the qcow2 files, so we can proceed following the instructions:

+

+[ 10.0.2.2/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ vim Whonix-Gateway-XFCE-16.0.9.0.xml                                                                                         
+
+[ 10.0.2.2/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ cat Whonix-Gateway-XFCE-16.0.9.0.xml | grep VAULT
+      <source file='/mnt/VAULT/ISOs/whonix/Whonix-Gateway-XFCE-16.0.9.0.Intel_AMD64.qcow2'/>
+
+[ 10.0.2.2/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ vim Whonix-Workstation-XFCE-16.0.9.0.xml
+
+[ 10.0.2.2/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ cat Whonix-Workstation-XFCE-16.0.9.0.xml | grep VAULT
+      <source file='/mnt/VAULT/ISOs/whonix/Whonix-Workstation-XFCE-16.0.9.0.Intel_AMD64.qcow2'/>
+
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ sudo virsh -c qemu:///system net-define Whonix_external*.xml
+[sudo] password for nothing:
+Network Whonix-External defined from Whonix_external_network-16.0.9.0.xml
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+Network Whonix-Internal defined from Whonix_internal_network-16.0.9.0.xml
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→  sudo virsh -c qemu:///system net-autostart Whonix-External
+Network Whonix-External marked as autostarted
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ sudo virsh -c qemu:///system net-start Whonix-External
+Network Whonix-External started
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ sudo virsh -c qemu:///system net-autostart Whonix-Internal
+Network Whonix-Internal marked as autostarted
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ sudo virsh -c qemu:///system net-start Whonix-Internal
+Network Whonix-Internal started
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ sudo virsh -c qemu:///system define Whonix-Gateway*.xml
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-XFCE-16.0.9.0.xml
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+→ sudo virsh -c qemu:///system define Whonix-Workstation*.xml
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-XFCE-16.0.9.0.xml
+
+
+

make sure you give them 4gb of RAM before launching them, then launch them:

+ +

On the whonix gateway side:

+ + +

Here if you want to specify a tor bridge node to connect to you can, but if not then you can click Next:

+ + +

Then we follow what the systemcheck suggests us to do, updating the packages:

+ +

Then just use the VM as intended:

+ + +

And that's it! We have been able to install the Whonix Workspace and Whonix Gateway.

+
+
+
+
+ +
+
+
+
+

Plausible Deniability Setup



+

There are times when you might be forced to reveal the contents of a harddrive. To combat this you can go for a "Plausible Deniability Setup" where you have a drive that can be split. In my case i use a harddrive for this purpose, so it is actually possible to completely wipe it's contents if needed unlike on a SSD.

+ + + +

First install veracrypt:

+

+[ 10.0.2.2/24 ] [ /dev/pts/35 ] [/mnt]
+→ sudo pacman -S veracrypt
+
+
+

Then just select the following:

+ + + + + + + + + + + + +

Then setup the hidden inner volume:

+ + + + + + + + + + +

Then you can just mount the volume you created like so:

+ + + + +

Now we successfully mounted it in /mnt/veracrypt1 and as you can see it's type "Normal". This is the procedure to do if you want to are forced to give away your password. Now if you want to mount the real hidden volume instead you do the following:

+ + +

And there you go ! You have plausible deniability setup on a drive connected to your computer. It is also being mounted in /mnt/veracrypt1, this time as the type "Hidden". Then you can put the whonix VMs in both partitions:

+

+[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt]
+→ cd veracrypt1
+
+[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
+→ wget https://download.whonix.org/libvirt/16.0.9.0/Whonix-XFCE-16.0.9.0.Intel_AMD64.qcow2.libvirt.xz
+
+
+ +

You can go through the above setup we saw in the first part to setup the whonix VMs on both partitions.

+ +

Keep in mind that there may be forensics clues on the Host OS (like command history) that may lead to the VMs so you have to replicate the VMs on both partitions. Such a setup will allow you to completely deny the existance of the whonix VMs B and their real usage. Instead when you are forced to reveal the password of your harddrive you can give the password of the Decoy outer volume with password A. NEVER mention password B anywhere, memorize it yourself. So go through the above process to setup the whonix VMs on both partitions after installing the veracrypt hidden volume (do not select "will mount only on linux" otherwise it will give you an error.) Then we will use 2 scripts to ensure a quick setup and trackscleaning:

+

+[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
+→ cat cleantraces.sh
+#!/bin/bash
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-External
+
+sudo virsh undefine Whonix-Workstation
+sudo virsh undefine Whonix-Gateway
+
+[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
+→ cat getvms.sh
+#!/bin/bash
+
+sudo virsh -c qemu:///system net-define Whonix_external*.xml
+sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+sudo virsh -c qemu:///system net-autostart Whonix-External
+sudo virsh -c qemu:///system net-start Whonix-External
+sudo virsh -c qemu:///system net-autostart Whonix-Internal
+sudo virsh -c qemu:///system net-start Whonix-Internal
+sudo virsh -c qemu:///system define Whonix-Gateway*.xml
+sudo virsh -c qemu:///system define Whonix-Workstation*.xml
+	
+
+ +

One is used to setup the VMs, the other is there to remove the VMs. I combine them into one script:

+ +

+
+
+
+[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
+→ cat refreshvms.sh
+#!/bin/bash
+
+#remove VMs
+
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-External
+
+echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
+read
+
+#install VMs
+
+sudo virsh -c qemu:///system net-define Whonix_external*.xml
+sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+sudo virsh -c qemu:///system net-autostart Whonix-External
+sudo virsh -c qemu:///system net-start Whonix-External
+sudo virsh -c qemu:///system net-autostart Whonix-Internal
+sudo virsh -c qemu:///system net-start Whonix-Internal
+sudo virsh -c qemu:///system define Whonix-Gateway*.xml
+sudo virsh -c qemu:///system define Whonix-Workstation*.xml
+
+
+

That way you can have that script on both partitions, and simply refresh the VMs back to normal after you're done using it on the hidden volume.

+

+[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
+→ chmod +x refreshvms.sh
+
+[ 10.0.2.2/24 ] [ /dev/pts/34 ] [/mnt/veracrypt1]
+→ ./refreshvms.sh
+[sudo] password for nothing:
+Domain 'Whonix-Gateway' destroyed
+
+Domain 'Whonix-Workstation' destroyed
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+Network Whonix-External defined from Whonix_external_network-16.0.9.0.xml
+
+error: Failed to define network from Whonix_internal_network-16.0.9.0.xml
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-XFCE-16.0.9.0.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-XFCE-16.0.9.0.xml
+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
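Review bot: In servers/whonix/index.html, both cleantraces.sh and refreshvms.sh run `net-undefine Whonix-External` twice and never undefine Whonix-Internal, so the internal network definition stays registered in libvirt after the script that is meant to remove it. The captured run on the page shows the result: "error: failed to get network 'Whonix-External'" on the second call, then "error: Failed to define network from Whonix_internal_network-16.0.9.0.xml" on re-install. Change the second line to `sudo virsh -c qemu:///system net-undefine Whonix-Internal` in both scripts and refresh the sample output. cleantraces.sh also ends with two `sudo virsh undefine` calls without `-c qemu:///system` that repeat what the lines above already did; drop them or say why the default connection is targeted as well. In the extraction listing, the `tar -xvf` output omits Whonix-Workstation-XFCE-16.0.9.0.Intel_AMD64.qcow2 although `ls -lash` shows it. Wording: "if you want to are forced to give away your password" and "existance" need fixing, and "Whonix Workspace" should read "Whonix Workstation".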
+ + + + + + + diff --git a/servers/whonixqemuvms/0.png b/servers/whonixqemuvms/0.png new file mode 100644 index 0000000..da3561e Binary files /dev/null and b/servers/whonixqemuvms/0.png differ diff --git a/servers/whonixqemuvms/1.png b/servers/whonixqemuvms/1.png new file mode 100644 index 0000000..63f32db Binary files /dev/null and b/servers/whonixqemuvms/1.png differ diff --git a/servers/whonixqemuvms/2.png b/servers/whonixqemuvms/2.png new file mode 100644 index 0000000..273d7fd Binary files /dev/null and b/servers/whonixqemuvms/2.png differ diff --git a/servers/whonixqemuvms/3.png b/servers/whonixqemuvms/3.png new file mode 100644 index 0000000..5958c48 Binary files /dev/null and b/servers/whonixqemuvms/3.png differ diff --git a/servers/whonixqemuvms/4.png b/servers/whonixqemuvms/4.png new file mode 100644 index 0000000..285251c Binary files /dev/null and b/servers/whonixqemuvms/4.png differ diff --git a/servers/whonixqemuvms/index.html b/servers/whonixqemuvms/index.html new file mode 100644 index 0000000..5414118 --- /dev/null +++ b/servers/whonixqemuvms/index.html @@ -0,0 +1,334 @@ + + + + + + + + + + + whonixqemuvms Setup + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-03-10

+

Whonix QEMU Setup

+ +

Whonix is an open-source OS made specifically for general anonymous activities. In this tutorial we're going to set it up using the QEMU virtualization setup we installed previously.

+ +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

Make sure that you have setup the QEMU / virt-viewer setup we described in this earlier tutorial

+

Then install download the whonix VMS as follows:

+

First go here to download whonix for qemu,

+ +

Then extract the .xz file where you want the image to be at:

+

+[ 10.8.0.3/24 ] [ nowhere ] [~/Downloads]
+→ mv Whonix-XFCE-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz /mnt/VAULT/VMs/
+
+[ 10.8.0.3/24 ] [ nowhere ] [~/Downloads]
+→ cd /mnt/VAULT/VMs/
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→ tar -xvf Whonix-XFCE-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+WHONIX_BINARY_LICENSE_AGREEMENT
+WHONIX_DISCLAIMER
+Whonix-Gateway-XFCE-17.0.3.0.xml
+Whonix-Workstation-XFCE-17.0.3.0.xml
+Whonix_external_network-17.0.3.0.xml
+Whonix_internal_network-17.0.3.0.xml
+Whonix-Gateway-XFCE-17.0.3.0.Intel_AMD64.qcow2
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→ touch WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→ ls -lash
+total 7.9G
+4.0K drwxr-xr-x 2 nothing nothing 4.0K Dec 29 20:10 .
+4.0K drwxr-xr-x 4 nothing nothing 4.0K Dec 29 20:09 ..
+ 40K -rw-r--r-- 1 nothing nothing  39K Oct 21  2015 WHONIX_BINARY_LICENSE_AGREEMENT
+   0 -rw-r--r-- 1 nothing nothing    0 Dec 29 20:10 WHONIX_BINARY_LICENSE_AGREEMENT_accepted
+8.0K -rw-r--r-- 1 nothing nothing 4.1K Oct 21  2015 WHONIX_DISCLAIMER
+4.0K -rw-r--r-- 1 nothing nothing  172 Oct 21  2015 Whonix_external_network-17.0.3.0.xml
+2.7G -rw-r--r-- 1 nothing nothing 101G Oct 21  2015 Whonix-Gateway-XFCE-17.0.3.0.Intel_AMD64.qcow2
+4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 21  2015 Whonix-Gateway-XFCE-17.0.3.0.xml
+4.0K -rw-r--r-- 1 nothing nothing   97 Oct 21  2015 Whonix_internal_network-17.0.3.0.xml
+3.8G -rw-r--r-- 1 nothing nothing 101G Oct 21  2015 Whonix-Workstation-XFCE-17.0.3.0.Intel_AMD64.qcow2
+4.0K -rw-r--r-- 1 nothing nothing 2.3K Oct 21  2015 Whonix-Workstation-XFCE-17.0.3.0.xml
+1.4G -rw-r--r-- 1 nothing nothing 1.4G Dec 29 20:06 Whonix-XFCE-17.0.3.0.Intel_AMD64.qcow2.libvirt.xz
+
+
+ +

So now we have the qcow2 files (take note that it can), so we can proceed following the instructions:

+

+[ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs]
+→ vim Whonix-Gateway-XFCE-17.0.3.0.xml
+
+[ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs]
+→ cat Whonix-Gateway-XFCE-17.0.3.0.xml | grep VAULT
+      <source file='/mnt/VAULT/VMs/Whonix-Gateway-XFCE-17.0.3.0.Intel_AMD64.qcow2'/>
+
+[ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs]
+→ vim Whonix-Workstation-XFCE-17.0.3.0.xml
+
+[ 10.0.2.2/24 ] [ nowhere ] [VAULT/VMs]
+→ cat Whonix-Workstation-XFCE-17.0.3.0.xml | grep VAULT
+      <source file='/mnt/VAULT/VMs/Whonix-Workstation-XFCE-17.0.3.0.Intel_AMD64.qcow2'/>
+
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→ sudo virsh -c qemu:///system net-define Whonix_external*.xml
+[sudo] password for nothing:
+Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→ sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+Network Whonix-Internal defined from Whonix_internal_network-17.0.3.0.xml
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→  sudo virsh -c qemu:///system net-autostart Whonix-External
+Network Whonix-External marked as autostarted
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→ sudo virsh -c qemu:///system net-start Whonix-External
+Network Whonix-External started
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→ sudo virsh -c qemu:///system net-autostart Whonix-Internal
+Network Whonix-Internal marked as autostarted
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→ sudo virsh -c qemu:///system net-start Whonix-Internal
+Network Whonix-Internal started
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→ sudo virsh -c qemu:///system define Whonix-Gateway*.xml
+Domain 'Whonix-Gateway' defined from Whonix-Gateway-XFCE-17.0.3.0.xml
+
+
+[ 10.8.0.3/24 ] [ nowhere ] [VAULT/VMs]
+→ sudo virsh -c qemu:///system define Whonix-Workstation*.xml
+Domain 'Whonix-Workstation' defined from Whonix-Workstation-XFCE-17.0.3.0.xml
+
+
+

make sure you give them 4gb of RAM before launching them, then launch them:

+ +

+[nihilist@nowhere VMs]$ cat Whonix-Gateway.xml | grep KiB
+  <memory dumpCore="off" unit="KiB">2097152
+  <currentMemory unit="KiB">2097152
+[nihilist@nowhere VMs]$ cat Whonix-Workstation.xml | grep KiB
+  <memory dumpCore="off" unit="KiB">4194304
+  <currentMemory unit="KiB">4194304
+	
+
+ +

we can automate the VM startup procedure with a simple bashscript like so :

+

+[nihilist@nowhere VMs]$ cat refreshvms.sh 
+#!/bin/bash
+
+#remove VMs
+
+sudo virsh -c qemu:///system destroy Whonix-Gateway
+sudo virsh -c qemu:///system destroy Whonix-Workstation
+sudo virsh -c qemu:///system undefine Whonix-Gateway
+sudo virsh -c qemu:///system undefine Whonix-Workstation
+sudo virsh -c qemu:///system net-destroy Whonix-External
+sudo virsh -c qemu:///system net-destroy Whonix-Internal
+sudo virsh -c qemu:///system net-undefine Whonix-External
+sudo virsh -c qemu:///system net-undefine Whonix-External
+
+echo '[+] VMs removed, re-install them ? (ctrl+c to exit)'
+read
+
+#install VMs
+
+sudo virsh -c qemu:///system net-define Whonix_external*.xml
+sudo virsh -c qemu:///system net-define Whonix_internal*.xml
+sudo virsh -c qemu:///system net-autostart Whonix-External
+sudo virsh -c qemu:///system net-start Whonix-External
+sudo virsh -c qemu:///system net-autostart Whonix-Internal
+sudo virsh -c qemu:///system net-start Whonix-Internal
+sudo virsh -c qemu:///system define Whonix-Gateway.xml
+sudo virsh -c qemu:///system define Whonix-Workstation.xml
+	
+
+ +

You can run it like so:

+

+[nihilist@nowhere VMs]$ chmod +x refreshvms.sh 
+[nihilist@nowhere VMs]$ ./refreshvms.sh 
+[sudo] password for nihilist: 
+Domain 'Whonix-Gateway' destroyed
+
+Domain 'Whonix-Workstation' destroyed
+
+Domain 'Whonix-Gateway' has been undefined
+
+Domain 'Whonix-Workstation' has been undefined
+
+Network Whonix-External destroyed
+
+Network Whonix-Internal destroyed
+
+Network Whonix-External has been undefined
+
+error: failed to get network 'Whonix-External'
+error: Network not found: no network with matching name 'Whonix-External'
+
+[+] VMs removed, re-install them ? (ctrl+c to exit)
+
+Network Whonix-External defined from Whonix_external_network-17.0.3.0.xml
+
+error: Failed to define network from Whonix_internal_network-17.0.3.0.xml
+error: operation failed: network 'Whonix-Internal' already exists with uuid 878828d6-fd1f-49ac-9d0c-9c829c414b80
+
+Network Whonix-External marked as autostarted
+
+Network Whonix-External started
+
+Network Whonix-Internal marked as autostarted
+
+Network Whonix-Internal started
+
+Domain 'Whonix-Gateway' defined from Whonix-Gateway.xml
+
+Domain 'Whonix-Workstation' defined from Whonix-Workstation.xml
+	
+
+ +
+
+
+
+ +
+
+
+
+

Basic Whonix Usage



+

So now you can compatmentalize your anonymous usage in a separate VM by using the tor browser there, along with keepass and monero:

+

You can open Onion Circuits on the gateway VM to view the tor connections being built up in real time like so :

+ +

And inside the Workstation VM you can browse Tor, and use Keepass just like in the previous tutorial:

+ +

you can also use monero (take note that the default sudo password in whonix is "changeme", so dont forget to change it):

+

+[workstation user ~]% passwd
+[workstation user ~]% sudo apt install monero -y
+[workstation user ~]% monero-wallet-cli
+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
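Review bot: In servers/whonixqemuvms/index.html, refreshvms.sh defines the domains from Whonix-Gateway.xml and Whonix-Workstation.xml, and the RAM check greps those same files, but the earlier steps only extract and edit Whonix-Gateway-XFCE-17.0.3.0.xml and Whonix-Workstation-XFCE-17.0.3.0.xml. Say where the unversioned copies come from, or use the versioned names throughout. The text "make sure you give them 4gb of RAM" does not match the listing beneath it, which shows 2097152 KiB for the Gateway and 4194304 KiB for the Workstation; state the per-VM values. The script carries the duplicated `net-undefine Whonix-External` line, and the sample run confirms the effect with "network 'Whonix-Internal' already exists with uuid ..."; the second call should target Whonix-Internal. The download step goes straight from `mv` to `tar -xvf` with no verification of the archive; add a step that checks it against the signature published by the Whonix project before extraction. The sentence "(take note that it can)" is cut off, and "Then install download the whonix VMS" and "compatmentalize" need fixing.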
+ + + + + + + diff --git a/servers/xmpp/1.png b/servers/xmpp/1.png new file mode 100644 index 0000000..3b15e60 Binary files /dev/null and b/servers/xmpp/1.png differ diff --git a/servers/xmpp/2.png b/servers/xmpp/2.png new file mode 100644 index 0000000..c2369b2 Binary files /dev/null and b/servers/xmpp/2.png differ diff --git a/servers/xmpp/3.png b/servers/xmpp/3.png new file mode 100644 index 0000000..2364a20 Binary files /dev/null and b/servers/xmpp/3.png differ diff --git a/servers/xmpp/index.html b/servers/xmpp/index.html new file mode 100644 index 0000000..6de9f05 --- /dev/null +++ b/servers/xmpp/index.html @@ -0,0 +1,369 @@ + + + + + + + + + + + XMPP server (Gajim, OMEO encryption, ejabberd .onion setup) + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+ Previous Page

nihilist@mainpc - 2024-05-29

+

XMPP server (Gajim, OMEO encryption, ejabberd .onion setup)

+

In this tutorial we're going to cover how to setup an XMPP chatting service over Tor.

+

Disclaimer: If you want this service to remain anonymous, make sure you at least keep TOR between you and the service from the VPS acquisition to actual service usage.

+ + + +
+
+
+
+ + +
+
+
+
+

Initial Setup

+

First let's install the required packages, and then run the xmpp server using docker (you can check the documentation here), we'll follow Lukesmith's tutorial specifically:

+

+apt install ejabberd -y
+
+
+

Now we need the following domain names to point to your server:

+

+    datura.network - Your XMPP hostname
+    xmpp.datura.network - For mod_muc, Multi User Chats (MUCs)
+    upload.datura.network - For mod_http_upload, file upload support
+    proxy.datura.network - For mod_proxy65, SOCKS5 proxy support
+    pubsub.datura.network - For mod_pubsub, publish-subscribe support (A fancier RSS)
+	
+
+

Then we edit the ejabberd config file accordingly:

+

+[ Datura ] [ /dev/pts/10 ] [/srv]
+→ vim /etc/ejabberd/ejabberd.yml
+
+[...]
+
+hosts:
+  - datura.network
+
+[...]
+
+  mod_muc:
+    host: xmpp.datura.network
+
+[...]
+
+
+

Next we need to obtain the TLS certificate for the xmpp.datura.network domain, to do so we'll use acme.sh:

+

+[ Datura ] [ /dev/pts/10 ] [~]
+→ systemctl stop nginx ; acme.sh --issue --standalone -d xmpp.datura.network -k 4096 ; systemctl start nginx
+
+[Sun Jun  9 07:12:21 PM CEST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
+[Sun Jun  9 07:12:21 PM CEST 2024] Standalone mode.
+[Sun Jun  9 07:12:21 PM CEST 2024] Creating domain key
+[Sun Jun  9 07:12:23 PM CEST 2024] The domain key is here: /root/.acme.sh/xmpp.datura.network/xmpp.datura.network.key
+[Sun Jun  9 07:12:23 PM CEST 2024] Single domain='xmpp.datura.network'
+[Sun Jun  9 07:12:25 PM CEST 2024] Getting webroot for domain='xmpp.datura.network'
+[Sun Jun  9 07:12:25 PM CEST 2024] Verifying: xmpp.datura.network
+[Sun Jun  9 07:12:25 PM CEST 2024] Standalone mode server
+[Sun Jun  9 07:12:26 PM CEST 2024] Pending, The CA is processing your order, please just wait. (1/30)
+[Sun Jun  9 07:12:30 PM CEST 2024] Pending, The CA is processing your order, please just wait. (2/30)
+[Sun Jun  9 07:12:33 PM CEST 2024] Pending, The CA is processing your order, please just wait. (3/30)
+[Sun Jun  9 07:12:37 PM CEST 2024] Success
+[Sun Jun  9 07:12:37 PM CEST 2024] Verify finished, start to sign.
+[Sun Jun  9 07:12:37 PM CEST 2024] Lets finalize the order.
+[Sun Jun  9 07:12:37 PM CEST 2024] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1581078457/276884921497'
+[Sun Jun  9 07:12:38 PM CEST 2024] Downloading cert.
+[Sun Jun  9 07:12:38 PM CEST 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03a21dfde3a1a017ddaec55ef3c43a3cae0c'
+[Sun Jun  9 07:12:39 PM CEST 2024] Cert success.
+
+[...]
+
+[Sun Jun  9 07:12:39 PM CEST 2024] Your cert is in: /root/.acme.sh/xmpp.datura.network/xmpp.datura.network.cer
+[Sun Jun  9 07:12:39 PM CEST 2024] Your cert key is in: /root/.acme.sh/xmpp.datura.network/xmpp.datura.network.key
+[Sun Jun  9 07:12:39 PM CEST 2024] The intermediate CA cert is in: /root/.acme.sh/xmpp.datura.network/ca.cer
+[Sun Jun  9 07:12:39 PM CEST 2024] And the full chain certs is there: /root/.acme.sh/xmpp.datura.network/fullchain.cer
+
+[ Datura ] [ /dev/pts/10 ] [~]
+→ chown -R ejabberd:ejabberd /root/.acme.sh/xmpp.datura.network
+
+[ Datura ] [ /dev/pts/10 ] [~]
+→ cat /etc/ejabberd/ejabberd.yml
+
+[...]
+
+certfiles:
+   - "/root/.acme.sh/xmpp.datura.network/fullchain.cer"
+
+[...]
+
+
+

Then we add the admin user in ejabberd.yml:

+

+[ Datura ] [ /dev/pts/10 ] [~]
+→ cat /etc/ejabberd/ejabberd.yml
+
+[...]
+
+acl:
+  admin:
+     user:
+       - "nihilist"
+
+[...]
+	
+
+

We also add the File Uploads:

+

+[ Datura ] [ /dev/pts/10 ] [~]
+→ cat /etc/ejabberd/ejabberd.yml
+
+[...]
+
+  mod_http_upload:
+    put_url: https://@HOST@:5443/upload
+    docroot: /srv/xmpp/upload/
+    custom_headers:
+      "Access-Control-Allow-Origin": "https://@HOST@"
+      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+      "Access-Control-Allow-Headers": "Content-Type"
+
+[...]
+
+[ Datura ] [ /dev/pts/10 ] [~]
+→ mkdir /srv/xmpp/upload/ -p
+
+[ Datura ] [ /dev/pts/10 ] [~]
+→ chown -R ejabberd:ejabberd /srv/xmpp/upload/
+	
+
+

We enable message archives too:

+

+[ Datura ] [ /dev/pts/10 ] [~]
+→ cat /etc/ejabberd/ejabberd.yml
+
+[...]
+
+  mod_mam:
+     ## Mnesia is limited to 2GB, better to use an SQL backend
+     ## For small servers SQLite is a good fit and is very easy
+     ## to configure. Uncomment this when you have SQL configured:
+     ## db_type: sql
+     assume_mam_usage: true
+     default: always
+
+[...]
+	
+
+
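Review bot: in the mod_mam block, `default: always` turns on server-side archiving for every user while `db_type: sql` is still commented out, so the archive goes to Mnesia, which the block's own comments describe as limited to 2GB. Suggest either configuring the SQL backend before enabling this or adding a retention step to the tutorial. The surrounding text should also say that message history is stored on the server by default for all accounts, since that is a privacy-relevant choice for anyone following the guide.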

Next, you setup a coturn service for the VOIP here, but in this case we'll use the same coturn service that we previously setup for the matrix server

+

+[ Datura ] [ /dev/pts/10 ] [~]
+→ cat /etc/ejabberd/ejabberd.yml
+
+[...]
+
+  mod_stun_disco:
+    secret: "DAWDDWADWADAWDWAWDDWAADWADWDWADWADWAAWDDWAWAD"
+    services:
+      -
+        host: m.datura.network
+        type: stun
+      -
+        host: m.datura.network
+        type: turn
+
+[...]
+	
+
+
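Review bot: the `secret:` value under mod_stun_disco is shown as a literal string with no explanation of where it comes from. The text says the coturn service from the Matrix setup is reused, so this has to be that coturn instance's shared secret, and the tutorial should say so. Suggest replacing the value with an obvious placeholder, and noting that ejabberd.yml now holds a credential and should be readable only by root and the ejabberd user.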

Then we restart the ejabberd service:

+

+[ Datura ] [ /dev/pts/10 ] [~]
+→ systemctl restart ejabberd
+
+[ Datura ] [ /dev/pts/10 ] [~]
+→ systemctl status ejabberd
+● ejabberd.service - robust, scalable and extensible realtime platform (XMPP server + MQTT broker + SIP service)
+     Loaded: loaded (/lib/systemd/system/ejabberd.service; enabled; preset: enabled)
+     Active: active (running) since Sun 2024-06-09 21:21:41 CEST; 6s ago
+       Docs: https://www.process-one.net/en/ejabberd/docs/
+   Main PID: 3664214 (sh)
+      Tasks: 116 (limit: 77002)
+     Memory: 111.9M
+        CPU: 3.022s
+     CGroup: /system.slice/ejabberd.service
+	
+
+

Now that the ejabberd service has restarted successfully, we can register the admin user:

+

+[ Datura ] [ /dev/pts/10 ] [~]
+→ ejabberdctl register nihilist datura.network P@SSW0RD
+
+User nihilist@datura.network successfully registered
+
+	
+
+
+
+
+
+ +
+
+
+
+
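Review bot: `ejabberdctl register nihilist datura.network P@SSW0RD` creates the account on `datura.network`, but the certificate issued earlier in this file is for the single domain `xmpp.datura.network`. XMPP clients validate the certificate against the JID domain, so unless a certificate covering `datura.network` is configured elsewhere, the Gajim login that follows will hit a certificate name mismatch. Either issue the certificate for the served host or register the user on the host the certificate covers. Separately, the password is passed as a command-line argument here, which leaves it in shell history and visible in the process list while the command runs; the tutorial should at least tell readers to change it after first login.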

Setup



+ +

Now the xmpp server is active, along with your nihilist user, so let's connect to it from a XMPP client like gajim:

+

+[ mainpc ] [ /dev/pts/8 ] [~]
+→ sudo apt install gajim -y
+	
+
+ + +

+ +

+	
+
+ +

+ +

+	
+
+ +

+ +

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Setup



+

+

+	
+
+ +

+

+	
+
+ +

+

+	
+
+ +
+
+
+
+ + + +
+
+
+
+

Nihilism

+

+ Until there is Nothing left. + +

+
+ +
+

My Links

+

+ + RSS Feed
Matrix Chat
+ +

+
+ +
+

About nihilist

+

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)

+
+ +
+ +
+
+ + + + + + +