forked from nihilist/blog-contributions
1464 lines
60 KiB
HTML
1464 lines
60 KiB
HTML
<!DOCTYPE html>
|
||
<html lang="en">
|
||
<head>
|
||
<meta charset="utf-8">
|
||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||
<meta name="description" content="">
|
||
<meta name="author" content="">
|
||
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
|
||
|
||
<title>Plausible Deniability Protection for an .onion Service </title>
|
||
|
||
<!-- Bootstrap core CSS -->
|
||
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
|
||
<link href="../../assets/css/xt256.css" rel="stylesheet">
|
||
|
||
|
||
|
||
<!-- Custom styles for this template -->
|
||
<link href="../../assets/css/main.css" rel="stylesheet">
|
||
|
||
|
||
|
||
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
|
||
<!--[if lt IE 9]>
|
||
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
|
||
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
|
||
<![endif]-->
|
||
</head>
|
||
|
||
<body>
|
||
|
||
<!-- Static navbar -->
|
||
<div class="navbar navbar-inverse-anon navbar-static-top">
|
||
<div class="container">
|
||
<div class="navbar-header">
|
||
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
|
||
<span class="icon-bar"></span>
|
||
<span class="icon-bar"></span>
|
||
<span class="icon-bar"></span>
|
||
</button>
|
||
<a class="navbar-brand-anon" href="\index.html">nihilist`s Blog</a>
|
||
</div>
|
||
<div class="navbar-collapse collapse">
|
||
<ul class="nav navbar-nav navbar-right">
|
||
|
||
<li><a href="/about.html">About</a></li>
|
||
<li><a href="/blog.html">Categories</a></li>
|
||
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
|
||
<li><a href="/contact.html">Contact</a></li>
|
||
</ul>
|
||
</div><!--/.nav-collapse -->
|
||
|
||
</div>
|
||
</div>
|
||
|
||
<!-- +++++ Posts Lists +++++ -->
|
||
<!-- +++++ First Post +++++ -->
|
||
<div id="anon2">
|
||
<div class="container">
|
||
<div class="row">
|
||
<div class="col-lg-8 col-lg-offset-2">
|
||
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-03-28</ba></p>
|
||
<h1> Plausible Deniability Protection for an .onion Service</h1>
|
||
<p>In this tutorial we're going to look at how you can protect a set of QEMU VMs running in a veracrypt hidden partition from being discovered by an adversary.</p>
|
||
<p>For this tutorial we have the following threat model:</p>
|
||
<ol>
|
||
<li><p>What if an adversary enters the room where the physical server is ?</p></li>
|
||
<li><p>What if an adversary opens up the case of the physical server ?</p></li>
|
||
<li><p>What if an adversary plugs in or removes any usb device on the server ?</p></li>
|
||
<li><p>What if an adversary shuts down the electricity of the entire house before coming in ?</p></li>
|
||
<li><p>What if an adversary steals your password or ssh key somehow and manages to login via SSH on the server ?</p></li>
|
||
<li><p>What if an adversary physically destroys the harddrive containing the veracrypt partition ?</p></li>
|
||
<li><p>What if an adversary tries to do a cold boot attack ? (meaning forensics regarding server logs and RAM live memory)</p></li>
|
||
<li><p>What if an adversary forces you to type in your password to your encrypted data ?</p></li>
|
||
</ol>
|
||
<p>Let's take all those threat vectors into account, and setup our homeserver with the following physical security setup:</p>
|
||
<img src="0.png" class="imgRz">
|
||
|
||
</div>
|
||
</div><!-- /row -->
|
||
</div> <!-- /container -->
|
||
</div><!-- /grey -->
|
||
|
||
|
||
<!-- +++++ Second Post +++++ -->
|
||
<div id="anon3">
|
||
<div class="container">
|
||
<div class="row">
|
||
<div class="col-lg-8 col-lg-offset-2">
|
||
<h2><b>Initial Setup </b></h2>
|
||
<p>First we setup a debian QEMU VM in the hidden veracrypt partition:</p>
|
||
|
||
<b>DISCLAIMER: we're using only harddrives (HDDs) here, because using SSDs are not a secure way to have Plausible Deniability, that is due to hidden Volumes being detectable on devices that utilize wear-leveling</b>
|
||
<pre><code class="nim">
|
||
source: https://anonymousplanet.org/guide.html#understanding-hdd-vs-ssd
|
||
|
||
regarding wear leveling:
|
||
"Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead."
|
||
|
||
</pre></code>
|
||
|
||
<p>Look at <a href="../veracrypt/index.html">this tutorial</a> on how to create a veracrypt hidden partition, now create a volume that can contain a debian VM inside the hidden partition (ex: outer volume 140G, and inner/hidden volume 70G). Also follow <a href="../antiforensics/index.html">this tutorial</a> to know how to setup a QEMU hypervisor to virtualize VMs on linux. Now in the hidden partition we will create the debian QEMU VM (whose disk is 50Gb) as follows (keep in mind that we will also need to copy it into the decoy partition without overwriting the hidden partition, so make sure you can fit the same VM there aswell when you are creating the veracrypt volume!):</p>
|
||
|
||
<img src="2.png" class="imgRz">
|
||
<img src="3.png" class="imgRz">
|
||
<img src="4.png" class="imgRz">
|
||
<img src="5.png" class="imgRz">
|
||
<img src="6.png" class="imgRz">
|
||
<img src="7.png" class="imgRz">
|
||
<img src="8.png" class="imgRz">
|
||
<img src="9.png" class="imgRz">
|
||
<pre><code class="nim">
|
||
root@debian:~# apt update -y ; apt upgrade -y ; apt autoremove -y
|
||
|
||
</pre></code>
|
||
<p>side note: make sure that you also copy the same VM into the decoy partition in case if you are asked to disprove the claim that said vm name inside the veracrypt partition contains something sensitive. </p>
|
||
<p>we make it run a .onion service like so as shown on <a href="../torwebsite/index.html">this tutorial</a></p>
|
||
|
||
<p>So now we have the following graph:</p>
|
||
<img src="10.png" style="width:300px">
|
||
<p>We now have a server at home, that contains a veracrypt hidden partition (whose existance shouldnt be revealed), that hidden partition contains a VM, which contains a .onion service we want to hide the existence of. So now let's protect it: </p>
|
||
</div>
|
||
</div><!-- /row -->
|
||
</div> <!-- /container -->
|
||
</div><!-- /white -->
|
||
|
||
<!-- +++++ Second Post +++++ -->
|
||
<div id="anon2">
|
||
<div class="container">
|
||
<div class="row">
|
||
<div class="col-lg-8 col-lg-offset-2">
|
||
<h2><b>Emergency Shutdown setup</b></h2> </br> </br>
|
||
<p>First let's define how to shutdown the services and hide the veracrypt hidden partition in one simple bash script:</p>
|
||
<p>We have the following order of events:</p>
|
||
<p>First we open the veracrypt volume, then we add the QEMU VM in virt-manager while naming it, then we power it on, and then we have our plausibly-deniable onion service.</p>
|
||
<img src="12.png" class="imgRz">
|
||
<p>So for an emergency shutdown, we need to do the same in the reverse order: First we shutdown the VM forcefully, then we close the hidden veracrypt partition forcefully, then we wipe the logs, then we kill the veracrypt process, and then then we wipe the ram 3 times to erase all potential trace of VMs in live memory. </p>
|
||
<img src="14.png" class="imgRz">
|
||
<p>Then we assemble that in a bashscript like so:</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/1 ] [~]
|
||
→ sudo cat /root/emergencyshutdown.sh
|
||
[sudo] password for nihilist:
|
||
#!/bin/bash
|
||
|
||
#remove VM and undefine it: (make sure that the VM name is exact!!!)
|
||
sudo virsh -c qemu:///system destroy debian12-VM
|
||
sudo virsh -c qemu:///system undefine debian12-VM
|
||
#make sure that there is also an innocent VM called debian12-VM in the outer partition (for plausible deniability)
|
||
|
||
#unmount veracrypt drives forcefully
|
||
sudo veracrypt -d -f
|
||
|
||
# then cleanup logs
|
||
sudo rm -rf /dev/shm/*
|
||
sudo rm -rf /var/log/*
|
||
sudo dmesg -c >/dev/null 2>/dev/null
|
||
|
||
# kill veracrypt to avoid having the veracrypt window display which drive/volume was selected
|
||
kill $(pidof veracrypt)
|
||
|
||
# then wipe ram 3 times
|
||
# apt install stress
|
||
# below change 128G to the number of Gigabytes in your system ! put 16 if you only have 16Gb of ram!
|
||
stress -m 1 --vm-bytes 128G -t 10
|
||
stress -m 1 --vm-bytes 128G -t 10
|
||
stress -m 1 --vm-bytes 128G -t 10
|
||
|
||
</code></pre>
|
||
<p>you can run it like so:</p>
|
||
<pre><code class="nim">
|
||
chmod +x ./emergencyshutdown.sh
|
||
./emergencyshutdown.sh
|
||
|
||
</code></pre>
|
||
<p>Next we need to be able to send an email from the server to the administrator to notify him that an emergency shutdown just happened.</p>
|
||
|
||
<img src="17.png" class="imgRz">
|
||
<p>We'll be using ssmtp from the homeserver itself , it's going to connect to a remote mail server to send the mail we want. (check <a href="../mailprivate/index.html">this tutorial</a> if you want to know how to setup your SMTP mail server):</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/1 ] [~]
|
||
→ apt install ssmtp
|
||
|
||
</code></pre>
|
||
<p>Then make sure the user exists on the smtp server:</p>
|
||
<pre><code class="nim">
|
||
root@mail-nihilism:~# useradd -G mail -m surveillance
|
||
root@mail-nihilism:~# id surveillance
|
||
uid=1003(surveillance) gid=1003(surveillance) groups=1003(surveillance),8(mail)
|
||
root@mail-nihilism:~# passwd surveillance
|
||
New password:
|
||
Retype new password:
|
||
passwd: password updated successfully
|
||
|
||
</code></pre>
|
||
<p>And then just send the mail after configuring ssmtp to send to the right place as the correct user:</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ cat /etc/ssmtp/revaliases
|
||
# sSMTP aliases
|
||
#
|
||
# Format: local_account:outgoing_address:mailhub
|
||
#
|
||
# Example: root:your_login@your.domain:mailhub.your.domain[:port]
|
||
# where [:port] is an optional port number that defaults to 25.
|
||
|
||
root:surveillance:mail.nowhere.moe:587
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ cat /etc/ssmtp/ssmtp.conf
|
||
rewriteDomain=nowhere.moe
|
||
mailhub=mail.nowhere.moe:587
|
||
useSTARTTLS=YES
|
||
AuthUser=surveillance
|
||
AuthPass=D9IJWDOAHWHUHWUHDAWHDUWHAHDWAIHA3213221123312F
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ echo "Test message from Linux server using ssmtp" | sudo ssmtp -vvv nihilist@nowhere.moe
|
||
[<<b></b>-] 220 mail.nowhere.moe ESMTP nowhere.moe (Debian/GNU)
|
||
[->] EHLO wonderland
|
||
[<<b></b>-] 250 CHUNKING
|
||
[->] STARTTLS
|
||
[<<b></b>-] 220 2.0.0 Ready to start TLS
|
||
[->] EHLO wonderland
|
||
[<<b></b>-] 250 CHUNKING
|
||
[->] AUTH LOGIN
|
||
[<<b></b>-] 334 VXNlcm5hbWU6
|
||
[->] c3VydmVpbGxhbmNl
|
||
[<<b></b>-] 334 UGFzc3dvcmQ6
|
||
[<<b></b>-] 235 2.7.0 Authentication successful
|
||
[->] MAIL FROM:<<b></b>surveillance@nowhere.moe>
|
||
[<<b></b>-] 250 2.1.0 Ok
|
||
[->] RCPT TO:<<b></b>nihilist@nowhere.moe>
|
||
[<<b></b>-] 250 2.1.5 Ok
|
||
[->] DATA
|
||
[<<b></b>-] 354 End data with <<b></b>CR><<b></b>LF>.<<b></b>CR><<b></b>LF>
|
||
[->] Received: by wonderland (sSMTP sendmail emulation); Sat, 30 Mar 2024 17:01:44 +0100
|
||
[->] From: "root" <<b></b>surveillance@nowhere.moe>
|
||
[->] Date: Sat, 30 Mar 2024 17:01:44 +0100
|
||
[->] Test message from Linux server using ssmtp
|
||
[->]
|
||
[->] .
|
||
[<<b></b>-] 250 2.0.0 Ok: queued as 9FB5E26A92
|
||
[->] QUIT
|
||
[<<b></b>-] 221 2.0.0 Bye
|
||
|
||
</code></pre>
|
||
|
||
<p>And there we see that we recieved the mail on thunderbird: </p>
|
||
|
||
<img src="11.png" class="imgRz">
|
||
<p>Meaning we have the following emergency shutdown script:</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/1 ] [~]
|
||
→ sudo cat /root/emergencyshutdown.sh
|
||
[sudo] password for nihilist:
|
||
#!/bin/bash
|
||
|
||
#notify the admin that the emergency shutdown is being performed
|
||
echo "PERFORMING EMERGENCY SHUTDOWN!" | sudo ssmtp -vvv nihilist@nowhere.moe
|
||
|
||
#perform the emergency shutdown:
|
||
|
||
#remove VM and undefine it: (make sure that the VM name is exact!!!)
|
||
sudo virsh -c qemu:///system destroy debian12-VM
|
||
sudo virsh -c qemu:///system undefine debian12-VM
|
||
#make sure that there is also an innocent VM called debian12-VM in the outer partition (for plausible deniability)
|
||
|
||
#unmount veracrypt drives forcefully
|
||
sudo veracrypt -d -f
|
||
|
||
# then cleanup logs
|
||
sudo rm -rf /dev/shm/*
|
||
sudo rm -rf /var/log/*
|
||
sudo dmesg -c >/dev/null 2>/dev/null
|
||
|
||
# kill veracrypt to avoid having the veracrypt window display which drive/volume was selected
|
||
kill $(pidof veracrypt)
|
||
|
||
# then wipe ram 3 times
|
||
# apt install stress
|
||
# below change 128G to the number of Gigabytes in your system ! put 16 if you only have 16Gb of ram!
|
||
stress -m 1 --vm-bytes 128G -t 10
|
||
stress -m 1 --vm-bytes 128G -t 10
|
||
stress -m 1 --vm-bytes 128G -t 10
|
||
|
||
|
||
</pre></code>
|
||
|
||
|
||
|
||
</div>
|
||
</div><!-- /row -->
|
||
</div> <!-- /container -->
|
||
</div><!-- /white -->
|
||
|
||
|
||
<div id="anon1">
|
||
<div class="container">
|
||
<div class="row">
|
||
<div class="col-lg-8 col-lg-offset-2">
|
||
<h2><b>Surveillance Setup</b></h2> </br> </br>
|
||
<p>So now that we have our actions completed (emergency shutdown and sending a mail), we need to make sure that both are triggered whenever necessary, as shown below:</p>
|
||
<img src="16.png" class="imgRz">
|
||
<p>To look out for any usb change on the homeserver, we have the following script:</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ cat checkusb.sh
|
||
#!/bin/bash
|
||
|
||
action_for_unauthorized_usb_change () {
|
||
echo "[+] ACTION : SEND MAIL TO NOTIFY ADMIN"
|
||
echo -en "Subject: USB CHANGE DETECTED ON $(hostname) \n\n USB CHANGE DETECTED on $(hostname) at $(date): \n\n LSUSB WAS: \n $defaultlsusb \n\n LSUSB NOW IS: \n $(lsusb)" | sudo ssmtp -vvv nihilist@nowhere.moe
|
||
|
||
#echo "[+] ACTION : EMERGENCY SHUTDOWN SCRIPT"
|
||
}
|
||
|
||
#defaultusb = check usb store it as default usb
|
||
defaultusb=$(lsusb | sha512sum)
|
||
defaultlsusb=$(lsusb )
|
||
|
||
#set maintenanece to 0
|
||
echo 0 > /tmp/maintenance
|
||
|
||
while true; do
|
||
# check if maintenance mode or not:
|
||
if [ $(cat /tmp/maintenance) -eq 0 ]; # if no maintenance, look for usb changes
|
||
then
|
||
usbnow=$(lsusb | sha512sum)
|
||
if [ "$usbnow" = "$defaultusb" ]; #detect usb changes
|
||
then
|
||
echo "[+] No usb change..."
|
||
else
|
||
echo "[+] USB change detected, peforming action"
|
||
echo $defaultusb
|
||
echo $usbnow
|
||
action_for_unauthorized_usb_change
|
||
#sleep 3600
|
||
sleep 10
|
||
defaultlsusb=$(lsusb)
|
||
defaultusb=$(lsusb | sha512sum)
|
||
fi
|
||
else #maintenance ongoing, then not checking for usb changes
|
||
echo "[+] Maintenance mode, not checking for usb changes..."
|
||
fi
|
||
sleep 1
|
||
done
|
||
|
||
</code></pre>
|
||
<p>Then to detect any movement in the room we setup motion, this will make it possible for a cheap usb webcam to take pictures upon detecting movement in the room where the homeserver is:</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ apt-get install v4l-utils motion -y
|
||
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ cat /etc/motion/motion.conf
|
||
# Rename this distribution example file to motion.conf
|
||
#
|
||
# This config file was generated by motion 4.5.1
|
||
# Documentation: /usr/share/doc/motion/motion_guide.html
|
||
#
|
||
# This file contains only the basic configuration options to get a
|
||
# system working. There are many more options available. Please
|
||
# consult the documentation for the complete list of all options.
|
||
#
|
||
|
||
############################################################
|
||
# System control configuration parameters
|
||
############################################################
|
||
|
||
# Start in daemon (background) mode and release terminal.
|
||
daemon off
|
||
|
||
# Start in Setup-Mode, daemon disabled.
|
||
setup_mode off
|
||
|
||
# File to store the process ID.
|
||
; pid_file value
|
||
|
||
# File to write logs messages into. If not defined stderr and syslog is used.
|
||
#log_file /var/log/motion/motion.log
|
||
log_file /dev/null
|
||
|
||
# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL).
|
||
log_level 6
|
||
|
||
# Target directory for pictures, snapshots and movies
|
||
target_dir /tmp/room
|
||
|
||
# Video device (e.g. /dev/video0) to be used for capturing.
|
||
video_device /dev/video0
|
||
|
||
# Parameters to control video device. See motion_guide.html
|
||
; video_params value
|
||
|
||
# The full URL of the network camera stream.
|
||
; netcam_url value
|
||
|
||
# Name of mmal camera (e.g. vc.ril.camera for pi camera).
|
||
; mmalcam_name value
|
||
|
||
# Camera control parameters (see raspivid/raspistill tool documentation)
|
||
; mmalcam_params value
|
||
|
||
############################################################
|
||
# Image Processing configuration parameters
|
||
############################################################
|
||
|
||
# Image width in pixels.
|
||
width 640
|
||
|
||
# Image height in pixels.
|
||
height 480
|
||
|
||
# Maximum number of frames to be captured per second.
|
||
framerate 1
|
||
|
||
# Text to be overlayed in the lower left corner of images
|
||
text_left ROOM1
|
||
|
||
# Text to be overlayed in the lower right corner of images.
|
||
text_right %Y-%m-%d\n%T-%q
|
||
|
||
############################################################
|
||
# Motion detection configuration parameters
|
||
############################################################
|
||
|
||
# Always save pictures and movies even if there was no motion.
|
||
emulate_motion off
|
||
|
||
# Threshold for number of changed pixels that triggers motion.
|
||
threshold 1500
|
||
|
||
# Noise threshold for the motion detection.
|
||
; noise_level 32
|
||
|
||
# Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel.
|
||
despeckle_filter EedDl
|
||
|
||
# Number of images that must contain motion to trigger an event.
|
||
minimum_motion_frames 1
|
||
|
||
# Gap in seconds of no motion detected that triggers the end of an event.
|
||
event_gap 60
|
||
|
||
# The number of pre-captured (buffered) pictures from before motion.
|
||
pre_capture 3
|
||
|
||
# Number of frames to capture after motion is no longer detected.
|
||
post_capture 0
|
||
|
||
############################################################
|
||
# Script execution configuration parameters
|
||
############################################################
|
||
|
||
# Command to be executed when an event starts.
|
||
; on_event_start value
|
||
|
||
# Command to be executed when an event ends.
|
||
; on_event_end value
|
||
|
||
# Command to be executed when a movie file is closed.
|
||
; on_movie_end value
|
||
|
||
############################################################
|
||
# Picture output configuration parameters
|
||
############################################################
|
||
|
||
# Output pictures when motion is detected
|
||
picture_output on
|
||
|
||
# File name(without extension) for pictures relative to target directory
|
||
picture_filename %Y%m%d%H%M%S-%q
|
||
|
||
############################################################
|
||
# Movie output configuration parameters
|
||
############################################################
|
||
|
||
# Create movies of motion events.
|
||
movie_output off
|
||
|
||
# Maximum length of movie in seconds.
|
||
movie_max_time 60
|
||
|
||
# The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best)
|
||
movie_quality 45
|
||
|
||
# Container/Codec to used for the movie. See motion_guide.html
|
||
movie_codec mkv
|
||
|
||
# File name(without extension) for movies relative to target directory
|
||
movie_filename %t-%v-%Y%m%d%H%M%S
|
||
|
||
############################################################
|
||
# Webcontrol configuration parameters
|
||
############################################################
|
||
|
||
# Port number used for the webcontrol.
|
||
webcontrol_port 8080
|
||
|
||
# Restrict webcontrol connections to the localhost.
|
||
webcontrol_localhost off
|
||
|
||
# Type of configuration options to allow via the webcontrol.
|
||
webcontrol_parms 0
|
||
|
||
############################################################
|
||
# Live stream configuration parameters
|
||
############################################################
|
||
|
||
# The port number for the live stream.
|
||
stream_port 8081
|
||
|
||
# Restrict stream connections to the localhost.
|
||
stream_localhost off
|
||
|
||
##############################################################
|
||
# Camera config files - One for each camera.
|
||
##############################################################
|
||
; camera /usr/etc/motion/camera1.conf
|
||
; camera /usr/etc/motion/camera2.conf
|
||
; camera /usr/etc/motion/camera3.conf
|
||
; camera /usr/etc/motion/camera4.conf
|
||
|
||
##############################################################
|
||
# Directory to read '.conf' files for cameras.
|
||
##############################################################
|
||
; camera_dir /usr/etc/motion/conf.d
|
||
|
||
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ mkdir /tmp/room
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ chown -R motion:motion /tmp/room
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl restart motion
|
||
|
||
</code></pre>
|
||
<p>From there you can see if the webcam works on port 9091:</p>
|
||
<img src="1.png" class="imgRz">
|
||
<p>Then we can see that motion to saves pictures once per second once it detects movement in /tmp/room:</p>
|
||
<pre><code class="nim">
|
||
Every 1.0s: ls -l /tmp/room wonderland: Thu Mar 28 17:07:51 2024
|
||
|
||
total 368
|
||
-rw-r--r-- 1 motion motion 52251 Mar 28 17:07 20240328170745-01.jpg
|
||
-rw-r--r-- 1 motion motion 52129 Mar 28 17:07 20240328170746-00.jpg
|
||
-rw-r--r-- 1 motion motion 52471 Mar 28 17:07 20240328170746-01.jpg
|
||
-rw-r--r-- 1 motion motion 37158 Mar 28 17:07 20240328170747-00.jpg
|
||
-rw-r--r-- 1 motion motion 33439 Mar 28 17:07 20240328170747-01.jpg
|
||
-rw-r--r-- 1 motion motion 22586 Mar 28 17:07 20240328170748-00.jpg
|
||
-rw-r--r-- 1 motion motion 19099 Mar 28 17:07 20240328170748-01.jpg
|
||
-rw-r--r-- 1 motion motion 18205 Mar 28 17:07 20240328170749-00.jpg
|
||
-rw-r--r-- 1 motion motion 19284 Mar 28 17:07 20240328170749-01.jpg
|
||
-rw-r--r-- 1 motion motion 49770 Mar 28 17:07 20240328170750-00.jpg
|
||
|
||
</code></pre>
|
||
|
||
<p>Then we have this script to check if there are any new files in /tmp/room/ and if there are then we put them in a zipfile before SEND it via mail to the admin:</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ cat checkmovement_room.sh
|
||
#!/bin/bash
|
||
|
||
|
||
#apt-get install v4l-utils motion -y
|
||
#vim /etc/motion/motion.conf
|
||
|
||
action_for_unauthorized_room_motion () {
|
||
echo "[+] ACTION : SEND MAIL TO NOTIFY ADMIN"
|
||
find /tmp/room/ -name *.jpg > /tmp/newfiles
|
||
newfiles=$(diff -u /tmp/oldfiles /tmp/newfiles | grep -E "^\+" | grep -v "+++" | tr -d '+')
|
||
|
||
linelist=$(for line in $newfiles; do echo -en "$line " ;done)
|
||
zip /tmp/images.zip $linelist
|
||
echo -e "Subject: MOVEMENT DETECTED IN ROOM OF $(hostname) \n\n MOVEMENT DETECTED IN ROOM OF $(hostname) AT $(date):"| (cat - && uuencode /tmp/images.zip images.zip) | sudo ssmtp -vvv nihilist@nowhere.moe
|
||
rm /tmp/images.zip
|
||
rm /tmp/room/* -rf
|
||
}
|
||
|
||
|
||
#set maintenanece to 0
|
||
mkdir /tmp/room/ 2>/dev/null
|
||
rm /tmp/room/* -rf
|
||
chown motion: /tmp/room/ -R
|
||
echo 0 > /tmp/maintenance
|
||
find /tmp/room/ -name *.jpg > /tmp/oldfiles
|
||
|
||
#defaultusb = check usb store it as default usb
|
||
defaultroom=$(ls /tmp/room | sha512sum)
|
||
|
||
while true; do
|
||
|
||
|
||
|
||
# check if maintenance mode or not:
|
||
if [ $(cat /tmp/maintenance) -eq 0 ]; # if no room maintenance, look for room changes
|
||
then
|
||
roomnow=$(ls /tmp/room | sha512sum)
|
||
if [ "$roomnow" = "$defaultroom" ]; #detect usb changes
|
||
then
|
||
echo "[+] No Room Movement..."
|
||
else
|
||
echo "[+] Room movement detected, peforming action"
|
||
echo $defaulroom
|
||
echo $roomnow
|
||
action_for_unauthorized_room_motion
|
||
#sleep 3600
|
||
sleep 10
|
||
defaultroom=$(ls /tmp/room | sha512sum)
|
||
find /tmp/room/ -name *.jpg > /tmp/oldfiles
|
||
fi
|
||
else #maintenance ongoing, then not checking for room movements
|
||
echo "[+] Maintenance mode, not checking for room movements..."
|
||
fi
|
||
sleep 1
|
||
done
|
||
|
||
</code></pre>
|
||
<p>We also make a systemd service to automatically launch/relaunch the checkusb.sh script and checkmovement_room script, and also to make sure they auto start when the server boots up:</p>
|
||
<pre><code class="nim">
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ vim /etc/systemd/system/usbwatcher.service
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ cat/etc/systemd/system/usbwatcher.service
|
||
|
||
[Unit]
|
||
Description=usbwatcher
|
||
After=network-online.target
|
||
Wants=network-online.target
|
||
|
||
[Service]
|
||
Type=simple
|
||
ExecStart=/root/checkusb.sh
|
||
ExecStop=kill -9 $(pidof /root/checkusb.sh)
|
||
Restart=always
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ vim /etc/systemd/system/motionwatcher.service
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ cat/etc/systemd/system/motionwatcher.service
|
||
|
||
[Unit]
|
||
Description=motionwatcher
|
||
After=network-online.target
|
||
Wants=network-online.target
|
||
|
||
[Service]
|
||
Type=simple
|
||
ExecStart=/root/checkmovement_room.sh
|
||
ExecStop=kill -9 $(pidof /root/checkmovement_room.sh)
|
||
Restart=always
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl daemon-reload
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl enable --now motionwatcher.service usbwatcher.service motion.service
|
||
Created symlink /etc/systemd/system/multi-user.target.wants/motionwatcher.service → /etc/systemd/system/motionwatcher.service.
|
||
Created symlink /etc/systemd/system/multi-user.target.wants/usbwatcher.service → /etc/systemd/system/usbwatcher.service.
|
||
Created symlink /etc/systemd/system/multi-user.target.wants/motion.service → /etc/systemd/system/motion.service.
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl status motionwatcher.service usbwatcher.service
|
||
● motionwatcher.service - motionwatcher
|
||
Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 6s ago
|
||
Main PID: 3799951 (checkmovement_r)
|
||
Tasks: 2 (limit: 76929)
|
||
Memory: 676.0K
|
||
CPU: 24ms
|
||
CGroup: /system.slice/motionwatcher.service
|
||
├─3799951 /bin/bash /root/checkmovement_room.sh
|
||
└─3800321 sleep 1
|
||
|
||
Apr 01 14:38:01 wonderland systemd[1]: Started motionwatcher.service - motionwatcher.
|
||
Apr 01 14:38:01 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:38:02 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:38:03 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:38:04 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:38:05 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:38:06 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:38:07 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
|
||
● usbwatcher.service - usbwatcher
|
||
Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 6s ago
|
||
Main PID: 3799953 (checkusb.sh)
|
||
Tasks: 2 (limit: 76929)
|
||
Memory: 664.0K
|
||
CPU: 40ms
|
||
CGroup: /system.slice/usbwatcher.service
|
||
├─3799953 /bin/bash /root/checkusb.sh
|
||
└─3800327 sleep 1
|
||
|
||
Apr 01 14:38:01 wonderland systemd[1]: Started usbwatcher.service - usbwatcher.
|
||
Apr 01 14:38:01 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:38:02 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:38:03 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:38:04 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:38:05 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:38:06 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:38:07 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
|
||
|
||
</pre></code>
|
||
<p>then just watch it run:</p>
|
||
|
||
<pre><code class="nim">
|
||
Every 1.0s: systemctl status motionwatcher.service usbwatcher.service wonderland: Mon Apr 1 14:40:55 2024
|
||
|
||
● motionwatcher.service - motionwatcher
|
||
Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 2min 54s ago
|
||
Main PID: 3799951 (checkmovement_r)
|
||
Tasks: 2 (limit: 76929)
|
||
Memory: 680.0K
|
||
CPU: 457ms
|
||
CGroup: /system.slice/motionwatcher.service
|
||
├─3799951 /bin/bash /root/checkmovement_room.sh
|
||
└─3810241 sleep 10
|
||
|
||
Apr 01 14:40:45 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:40:46 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:40:47 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:40:48 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:40:49 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:40:50 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:40:51 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:40:52 wonderland checkmovement_room.sh[3799951]: [+] Room movement detected, peforming action
|
||
Apr 01 14:40:52 wonderland checkmovement_room.sh[3799951]: 20c1a997bdf538923ed863a64bd1c0d73a7e15337011e576bf9f473c88865fe7e95627774c8035d7f6ee00d998d0f9926cf7442b297ab8d91373ff8d2b587c2c -
|
||
Apr 01 14:40:52 wonderland checkmovement_room.sh[3799951]: [+] ACTION : SEND MAIL TO NOTIFY ADMIN
|
||
|
||
● usbwatcher.service - usbwatcher
|
||
Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 14:38:01 CEST; 2min 54s ago
|
||
Main PID: 3799953 (checkusb.sh)
|
||
Tasks: 2 (limit: 76929)
|
||
Memory: 800.0K
|
||
CPU: 929ms
|
||
CGroup: /system.slice/usbwatcher.service
|
||
├─3799953 /bin/bash /root/checkusb.sh
|
||
└─3810361 sleep 1
|
||
|
||
Apr 01 14:40:38 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:40:39 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:40:40 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:40:41 wonderland checkusb.sh[3799953]: [+] USB change detected, peforming action
|
||
Apr 01 14:40:41 wonderland checkusb.sh[3799953]: 140e9f95759026b6626bbc1098544bab9f85289c15c44f0fac44951100fbbb140214c00884f13bb50c959fc817bcdd1b6e8050781e1a987f6ea3a289c72c3198 -
|
||
Apr 01 14:40:41 wonderland checkusb.sh[3799953]: 482600aa9446e3bbe616534a224785512995e80cd70a16e84c8315e569885a5d52ac0b8363055a6973476521321c767d8b54c918c8443f96cdf0eead35b17cb9 -
|
||
Apr 01 14:40:41 wonderland checkusb.sh[3799953]: [+] ACTION : SEND MAIL TO NOTIFY ADMIN
|
||
Apr 01 14:40:52 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:40:53 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:40:54 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
|
||
</pre></code>
|
||
<p>You can also see it sending mails whenever there is a usb change detected or a room movement detected:</p>
|
||
|
||
<img src="18.png" class="imgRz">
|
||
<p>The first mail contains the details regarding what usb got plugged in or plugged out:</p>
|
||
<img src="19.png" class="imgRz">
|
||
<p>The second mail contains the zipfiles with the images taken upon movement detection:</p>
|
||
<img src="20.png" class="imgRz">
|
||
<p>And if you need to do a maintenance you can always disable them like so:</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl stop motionwatcher.service usbwatcher.service
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl status motionwatcher.service usbwatcher.service
|
||
× motionwatcher.service - motionwatcher
|
||
Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
|
||
Active: failed (Result: exit-code) since Mon 2024-04-01 14:41:37 CEST; 1min 17s ago
|
||
Duration: 3min 35.887s
|
||
Process: 3799951 ExecStart=/root/checkmovement_room.sh (code=killed, signal=TERM)
|
||
Process: 3812925 ExecStop=kill -9 $(pidof /root/checkmovement_room.sh) (code=exited, status=1/FAILURE)
|
||
Main PID: 3799951 (code=killed, signal=TERM)
|
||
CPU: 545ms
|
||
|
||
Apr 01 14:41:32 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:41:33 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:41:34 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:41:35 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:41:36 wonderland checkmovement_room.sh[3799951]: [+] No Room Movement...
|
||
Apr 01 14:41:37 wonderland systemd[1]: Stopping motionwatcher.service - motionwatcher...
|
||
Apr 01 14:41:37 wonderland kill[3812925]: kill: failed to parse argument: '/root/checkmovement_room.sh)'
|
||
Apr 01 14:41:37 wonderland systemd[1]: motionwatcher.service: Control process exited, code=exited, status=1/FAILURE
|
||
Apr 01 14:41:37 wonderland systemd[1]: motionwatcher.service: Failed with result 'exit-code'.
|
||
Apr 01 14:41:37 wonderland systemd[1]: Stopped motionwatcher.service - motionwatcher.
|
||
|
||
× usbwatcher.service - usbwatcher
|
||
Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
|
||
Active: failed (Result: exit-code) since Mon 2024-04-01 14:41:37 CEST; 1min 17s ago
|
||
Duration: 3min 35.888s
|
||
Process: 3799953 ExecStart=/root/checkusb.sh (code=killed, signal=TERM)
|
||
Process: 3812926 ExecStop=kill -9 $(pidof /root/checkusb.sh) (code=exited, status=1/FAILURE)
|
||
Main PID: 3799953 (code=killed, signal=TERM)
|
||
CPU: 1.176s
|
||
|
||
Apr 01 14:41:33 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:41:34 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:41:35 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:41:36 wonderland checkusb.sh[3799953]: [+] No usb change...
|
||
Apr 01 14:41:37 wonderland systemd[1]: Stopping usbwatcher.service - usbwatcher...
|
||
Apr 01 14:41:37 wonderland kill[3812926]: kill: failed to parse argument: '/root/checkusb.sh)'
|
||
Apr 01 14:41:37 wonderland systemd[1]: usbwatcher.service: Control process exited, code=exited, status=1/FAILURE
|
||
Apr 01 14:41:37 wonderland systemd[1]: usbwatcher.service: Failed with result 'exit-code'.
|
||
Apr 01 14:41:37 wonderland systemd[1]: Stopped usbwatcher.service - usbwatcher.
|
||
Apr 01 14:41:37 wonderland systemd[1]: usbwatcher.service: Consumed 1.176s CPU time.
|
||
|
||
</pre></code>
|
||
<p>Or you can also set the /tmp/maintenance flag to 1, but dont forget to set it back to 0 afterward.</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ echo "1" >/tmp/maintenance
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl status usbwatcher.service motionwatcher.service
|
||
● usbwatcher.service - usbwatcher
|
||
Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 5min ago
|
||
Main PID: 4087848 (checkusb.sh)
|
||
Tasks: 2 (limit: 76929)
|
||
Memory: 584.0K
|
||
CPU: 1.969s
|
||
CGroup: /system.slice/usbwatcher.service
|
||
├─4087848 /bin/bash /root/checkusb.sh
|
||
└─4099926 sleep 1
|
||
|
||
Apr 01 16:19:52 wonderland checkusb.sh[4087848]: [+] No usb change...
|
||
Apr 01 16:19:53 wonderland checkusb.sh[4087848]: [+] No usb change...
|
||
Apr 01 16:19:54 wonderland checkusb.sh[4087848]: [+] No usb change...
|
||
Apr 01 16:19:55 wonderland checkusb.sh[4087848]: [+] No usb change...
|
||
Apr 01 16:19:56 wonderland checkusb.sh[4087848]: [+] No usb change...
|
||
Apr 01 16:19:57 wonderland checkusb.sh[4087848]: [+] No usb change...
|
||
Apr 01 16:19:58 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
Apr 01 16:19:59 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
Apr 01 16:20:00 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
Apr 01 16:20:01 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
|
||
● motionwatcher.service - motionwatcher
|
||
Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 5min ago
|
||
Main PID: 4087847 (checkmovement_r)
|
||
Tasks: 2 (limit: 76929)
|
||
Memory: 644.0K
|
||
CPU: 1.006s
|
||
CGroup: /system.slice/motionwatcher.service
|
||
├─4087847 /bin/bash /root/checkmovement_room.sh
|
||
└─4099976 sleep 1
|
||
|
||
Apr 01 16:19:53 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
|
||
Apr 01 16:19:54 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
|
||
Apr 01 16:19:55 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
|
||
Apr 01 16:19:56 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
|
||
Apr 01 16:19:57 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
|
||
Apr 01 16:19:58 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
|
||
Apr 01 16:19:59 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
Apr 01 16:20:00 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
Apr 01 16:20:01 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
Apr 01 16:20:02 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
|
||
</pre></code>
|
||
<p>Once your maintenance is over, start them again like so:</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl start motionwatcher.service usbwatcher.service
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl status motionwatcher.service usbwatcher.service
|
||
● motionwatcher.service - motionwatcher
|
||
Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 14:43:28 CEST; 1s ago
|
||
Main PID: 3818336 (checkmovement_r)
|
||
Tasks: 2 (limit: 76929)
|
||
Memory: 572.0K
|
||
CPU: 9ms
|
||
CGroup: /system.slice/motionwatcher.service
|
||
├─3818336 /bin/bash /root/checkmovement_room.sh
|
||
└─3818411 sleep 1
|
||
|
||
Apr 01 14:43:28 wonderland systemd[1]: Started motionwatcher.service - motionwatcher.
|
||
Apr 01 14:43:28 wonderland checkmovement_room.sh[3818336]: [+] No Room Movement...
|
||
Apr 01 14:43:29 wonderland checkmovement_room.sh[3818336]: [+] No Room Movement...
|
||
|
||
● usbwatcher.service - usbwatcher
|
||
Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 14:43:28 CEST; 1s ago
|
||
Main PID: 3818339 (checkusb.sh)
|
||
Tasks: 2 (limit: 76929)
|
||
Memory: 572.0K
|
||
CPU: 14ms
|
||
CGroup: /system.slice/usbwatcher.service
|
||
├─3818339 /bin/bash /root/checkusb.sh
|
||
└─3818417 sleep 1
|
||
|
||
Apr 01 14:43:28 wonderland systemd[1]: Started usbwatcher.service - usbwatcher.
|
||
Apr 01 14:43:28 wonderland checkusb.sh[3818339]: [+] No usb change...
|
||
Apr 01 14:43:29 wonderland checkusb.sh[3818339]: [+] No usb change...
|
||
|
||
</pre></code>
|
||
<p>Or by just resetting the /tmp/maintenance flag to 0:</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ echo "0" >/tmp/maintenance
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl status usbwatcher.service motionwatcher.service
|
||
● usbwatcher.service - usbwatcher
|
||
Loaded: loaded (/etc/systemd/system/usbwatcher.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 6min ago
|
||
Main PID: 4087848 (checkusb.sh)
|
||
Tasks: 2 (limit: 76929)
|
||
Memory: 588.0K
|
||
CPU: 2.035s
|
||
CGroup: /system.slice/usbwatcher.service
|
||
├─4087848 /bin/bash /root/checkusb.sh
|
||
└─4101731 sleep 1
|
||
|
||
Apr 01 16:20:26 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
Apr 01 16:20:27 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
Apr 01 16:20:28 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
Apr 01 16:20:29 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
Apr 01 16:20:30 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
Apr 01 16:20:31 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
Apr 01 16:20:32 wonderland checkusb.sh[4087848]: [+] Maintenance mode, not checking for usb changes...
|
||
Apr 01 16:20:33 wonderland checkusb.sh[4087848]: [+] No usb change...
|
||
Apr 01 16:20:34 wonderland checkusb.sh[4087848]: [+] No usb change...
|
||
Apr 01 16:20:35 wonderland checkusb.sh[4087848]: [+] No usb change...
|
||
|
||
● motionwatcher.service - motionwatcher
|
||
Loaded: loaded (/etc/systemd/system/motionwatcher.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 16:14:29 CEST; 6min ago
|
||
Main PID: 4087847 (checkmovement_r)
|
||
Tasks: 2 (limit: 76929)
|
||
Memory: 800.0K
|
||
CPU: 1.050s
|
||
CGroup: /system.slice/motionwatcher.service
|
||
├─4087847 /bin/bash /root/checkmovement_room.sh
|
||
└─4101784 sleep 1
|
||
|
||
Apr 01 16:20:27 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
Apr 01 16:20:28 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
Apr 01 16:20:29 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
Apr 01 16:20:30 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
Apr 01 16:20:31 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
Apr 01 16:20:32 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
Apr 01 16:20:33 wonderland checkmovement_room.sh[4087847]: [+] Maintenance mode, not checking for room movements...
|
||
Apr 01 16:20:34 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
|
||
Apr 01 16:20:35 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
|
||
Apr 01 16:20:36 wonderland checkmovement_room.sh[4087847]: [+] No Room Movement...
|
||
|
||
</pre></code>
|
||
|
||
|
||
<p>Then we make sure that if there is any unauthorized ssh login we should get notified by mail (using knockd and a secret ssh port)</p>
|
||
<img src="15.png" class="imgRz">
|
||
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/23 ] [~]
|
||
→ apt install knockd
|
||
|
||
[ Wonderland ] [ /dev/pts/23 ] [~]
|
||
→ vim /etc/knockd.conf
|
||
|
||
[ Wonderland ] [ /dev/pts/23 ] [~]
|
||
→ cat /etc/knockd.conf
|
||
[options]
|
||
UseSyslog
|
||
|
||
[openSSH]
|
||
sequence = 7000,8000,9000
|
||
seq_timeout = 5
|
||
command = /usr/bin/systemctl start sshd2
|
||
tcpflags = syn
|
||
|
||
[closeSSH]
|
||
sequence = 9000,8000,7000
|
||
seq_timeout = 5
|
||
command = /usr/bin/systemctl stop sshd2
|
||
tcpflags = syn
|
||
|
||
[emergencyshutdown]
|
||
sequence = 12345,54321,24680,13579
|
||
seq_timeout = 5
|
||
command = /root/emergencyshutdown.sh
|
||
tcpflags = syn
|
||
|
||
[ Wonderland ] [ /dev/pts/23 ] [~]
|
||
→ cat /etc/default/knockd
|
||
# control if we start knockd at init or not
|
||
# 1 = start
|
||
# anything else = don't start
|
||
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
|
||
START_KNOCKD=1
|
||
|
||
# command line options
|
||
KNOCKD_OPTS="-i enp8s0"
|
||
|
||
[ Wonderland ] [ /dev/pts/23 ] [~]
|
||
→ systemctl restart knockd
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ cat /etc/systemd/system/sshd2.service
|
||
[Unit]
|
||
Description=OpenBSD Secure Shell server
|
||
Documentation=man:sshd(8) man:sshd_config(5)
|
||
After=network.target auditd.service
|
||
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
|
||
|
||
[Service]
|
||
EnvironmentFile=-/etc/default/ssh2
|
||
ExecStartPre=/usr/sbin/sshd -t
|
||
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -f /etc/ssh/sshd2_config
|
||
ExecReload=/usr/sbin/sshd -t
|
||
ExecReload=/bin/kill -HUP $MAINPID
|
||
KillMode=process
|
||
Restart=on-failure
|
||
RestartPreventExitStatus=255
|
||
Type=notify
|
||
RuntimeDirectory=sshd2
|
||
RuntimeDirectoryMode=0755
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
Alias=sshd2.service
|
||
|
||
[ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system]
|
||
→ cat /etc/ssh/sshd2_config| grep Port
|
||
Port 2222
|
||
|
||
[ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system]
|
||
→ systemctl start sshd2
|
||
|
||
[ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system]
|
||
→ systemctl status sshd2
|
||
● sshd2.service - OpenBSD Secure Shell server
|
||
Loaded: loaded (/etc/systemd/system/sshd2.service; disabled; preset: enabled)
|
||
Active: active (running) since Fri 2024-03-29 13:44:07 CET; 5s ago
|
||
Docs: man:sshd(8)
|
||
man:sshd_config(5)
|
||
Process: 1735677 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
|
||
Main PID: 1735678 (sshd)
|
||
Tasks: 1 (limit: 76929)
|
||
Memory: 1.4M
|
||
CPU: 10ms
|
||
CGroup: /system.slice/sshd2.service
|
||
└─1735678 "sshd: /usr/sbin/sshd -D -f /etc/ssh/sshd2_config [listener] 0 of 10-100 startups"
|
||
|
||
Mar 29 13:44:07 wonderland systemd[1]: Starting sshd2.service - OpenBSD Secure Shell server...
|
||
Mar 29 13:44:07 wonderland sshd[1735678]: Server listening on 0.0.0.0 port 2222.
|
||
Mar 29 13:44:07 wonderland sshd[1735678]: Server listening on :: port 2222.
|
||
Mar 29 13:44:07 wonderland systemd[1]: Started sshd2.service - OpenBSD Secure Shell server.
|
||
|
||
#now to open sshd2 on port 2222 you do the following:
|
||
[ mainpc ] [ /dev/pts/4 ] [~/Nextcloud/blog]
|
||
→ for x in 7000 8000 9000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null
|
||
|
||
[ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system]
|
||
→ systemctl status sshd2
|
||
● sshd2.service - OpenBSD Secure Shell server
|
||
Loaded: loaded (/etc/systemd/system/sshd2.service; disabled; preset: enabled)
|
||
Active: active (running) since Fri 2024-03-29 13:55:44 CET; 4min 11s ago
|
||
Docs: man:sshd(8)
|
||
man:sshd_config(5)
|
||
Process: 1807467 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
|
||
Main PID: 1807468 (sshd)
|
||
Tasks: 1 (limit: 76929)
|
||
Memory: 1.4M
|
||
CPU: 12ms
|
||
CGroup: /system.slice/sshd2.service
|
||
└─1807468 "sshd: /usr/sbin/sshd -D -f /etc/ssh/sshd2_config [listener] 0 of 10-100 startups"
|
||
|
||
Mar 29 13:55:44 wonderland systemd[1]: Starting sshd2.service - OpenBSD Secure Shell server...
|
||
Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on 0.0.0.0 port 2222.
|
||
Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on :: port 2222.
|
||
Mar 29 13:55:44 wonderland systemd[1]: Started sshd2.service - OpenBSD Secure Shell server.
|
||
|
||
#now to close sshd2 on port 2222 you do the following:
|
||
[ mainpc ] [ /dev/pts/4 ] [~/Nextcloud/blog]
|
||
→ for x in 9000 8000 7000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null
|
||
|
||
[ Wonderland ] [ /dev/pts/24 ] [/etc/systemd/system]
|
||
→ systemctl status sshd2
|
||
● sshd2.service - OpenBSD Secure Shell server
|
||
Loaded: loaded (/etc/systemd/system/sshd2.service; disabled; preset: enabled)
|
||
Active: active (running) since Fri 2024-03-29 13:55:44 CET; 4min 11s ago
|
||
Docs: man:sshd(8)
|
||
man:sshd_config(5)
|
||
Process: 1807467 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
|
||
Main PID: 1807468 (sshd)
|
||
Tasks: 1 (limit: 76929)
|
||
Memory: 1.4M
|
||
CPU: 12ms
|
||
CGroup: /system.slice/sshd2.service
|
||
└─1807468 "sshd: /usr/sbin/sshd -D -f /etc/ssh/sshd2_config [listener] 0 of 10-100 startups"
|
||
|
||
Mar 29 13:55:44 wonderland systemd[1]: Starting sshd2.service - OpenBSD Secure Shell server...
|
||
Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on 0.0.0.0 port 2222.
|
||
Mar 29 13:55:44 wonderland sshd[1807468]: Server listening on :: port 2222.
|
||
Mar 29 13:55:44 wonderland systemd[1]: Started sshd2.service - OpenBSD Secure Shell server.
|
||
|
||
</code></pre>
|
||
<p>Now that we setup the real sshd service, we can edit the original sshd service to become a trap like so:</p>
|
||
<pre><code class="nim">
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ vim emergencyshutdown.sh
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ chmod +x emergencyshutdown.sh
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ cat emergencyshutdown.sh
|
||
#!/bin/bash
|
||
echo "Unauthorized, reporting incident to administrator, and performing emergency shutdown"
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ vim /etc/ssh/sshd_config
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ tail -n10 /etc/ssh/sshd_config
|
||
|
||
Match Group root,sudo
|
||
ForceCommand /root/emergencyshutdown.sh
|
||
AllowTcpForwarding no
|
||
PermitTunnel no
|
||
X11Forwarding no
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl restart sshd
|
||
|
||
[ Wonderland ] [ /dev/pts/5 ] [~]
|
||
→ systemctl status sshd
|
||
● ssh.service - OpenBSD Secure Shell server
|
||
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
|
||
Active: active (running) since Mon 2024-04-01 10:31:40 CEST; 3s ago
|
||
Docs: man:sshd(8)
|
||
man:sshd_config(5)
|
||
Process: 3103408 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
|
||
Main PID: 3103410 (sshd)
|
||
Tasks: 1 (limit: 76929)
|
||
Memory: 1.4M
|
||
CPU: 10ms
|
||
CGroup: /system.slice/ssh.service
|
||
└─3103410 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
|
||
|
||
Apr 01 10:31:40 wonderland systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
|
||
Apr 01 10:31:40 wonderland sshd[3103410]: debug1: Set /proc/self/oom_score_adj from 0 to -1000
|
||
Apr 01 10:31:40 wonderland sshd[3103410]: debug1: Bind to port 22 on 0.0.0.0.
|
||
Apr 01 10:31:40 wonderland systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
|
||
Apr 01 10:31:40 wonderland sshd[3103410]: Server listening on 0.0.0.0 port 22.
|
||
Apr 01 10:31:40 wonderland sshd[3103410]: debug1: Bind to port 22 on ::.
|
||
Apr 01 10:31:40 wonderland sshd[3103410]: Server listening on :: port 22.
|
||
|
||
|
||
</pre></code>
|
||
<p>Now like this, the trap ssh service on port 22 is going to force the execution of only our emergency shutdown script if any user manages to login. Meaning the only way to get in is through the sshd2 port on port 2222 after doing the port knocking procedure:</p>
|
||
<pre><code class="nim">
|
||
|
||
#testing to login on port 22 shows that the emergencyshutdown script is triggered:
|
||
[ mainpc ] [ /dev/pts/7 ] [~]
|
||
→ ssh root@192.168.0.100 -i ~/.ssh/torified
|
||
Enter passphrase for key '/home/nihilist/.ssh/torified':
|
||
<b>Unauthorized, reporting incident to administrator, and performing emergency shutdown </b>
|
||
Connection to 192.168.0.100 closed.
|
||
|
||
#trying to evade the forced command execution fails:
|
||
[ mainpc ] [ /dev/pts/7 ] [~]
|
||
→ ssh root@192.168.0.100 -i ~/.ssh/torified bash
|
||
Enter passphrase for key '/home/nihilist/.ssh/torified':
|
||
<b>Unauthorized, reporting incident to administrator, and performing emergency shutdown</b>
|
||
|
||
#so in order to login we need to open the secret sshd2 port with the specific port knocking procedure as follows:
|
||
[ mainpc ] [ /dev/pts/7 ] [~]
|
||
→ for x in 7000 8000 9000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null
|
||
|
||
#now that the port knocking is completed, we can login via ssh on port 2222:
|
||
[ mainpc ] [ /dev/pts/7 ] [~]
|
||
→ ssh root@192.168.0.100 -i ~/.ssh/torified -p 2222
|
||
Enter passphrase for key '/home/nihilist/.ssh/torified':
|
||
Linux wonderland 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
|
||
|
||
The programs included with the Debian GNU/Linux system are free software;
|
||
the exact distribution terms for each program are described in the
|
||
individual files in /usr/share/doc/*/copyright.
|
||
|
||
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
|
||
permitted by applicable law.
|
||
Web console: https://wonderland:9090/ or https://192.168.0.100:9090/
|
||
|
||
Last login: Mon Apr 1 10:34:46 2024 from 192.168.0.61
|
||
|
||
#login successful, without any forced command execution
|
||
<b>[ Wonderland ] [ /dev/pts/25 ] [~]
|
||
→ id
|
||
uid=0(root) gid=0(root) groups=0(root),104(kvm),126(libvirt)</b>
|
||
|
||
[ Wonderland ] [ /dev/pts/25 ] [~]
|
||
→ exit
|
||
Connection to 192.168.0.100 closed.
|
||
|
||
#maintenance is over, we then close the sshd2 port.
|
||
[ mainpc ] [ /dev/pts/7 ] [~]
|
||
→ for x in 9000 8000 7000; do nmap -Pn --max-retries 0 -p $x 192.168.0.100; done >/dev/null
|
||
|
||
#we then verify that the port is closed.
|
||
[ mainpc ] [ /dev/pts/7 ] [~]
|
||
→ ssh root@192.168.0.100 -i ~/.ssh/torified -p 2222
|
||
ssh: connect to host 192.168.0.100 port 2222: Connection refused
|
||
|
||
|
||
</pre></code>
|
||
|
||
<p>Next, to make sure that failed ssh login attempts get banned with fail2ban, we make sure that sshd outputs to auth.log, that way we ward off any potential ssh bruteforce attack, you can check out how to setup fail2ban with <a href="../fail2banssh/index.html">this tutorial</a> to know how to do it.</p>
|
||
|
||
|
||
|
||
</div>
|
||
</div><!-- /row -->
|
||
</div> <!-- /container -->
|
||
</div><!-- /white -->
|
||
<div id="anon2">
|
||
<div class="container">
|
||
<div class="row">
|
||
<div class="col-lg-8 col-lg-offset-2">
|
||
<h2><b>Clientside precautions</b></h2> </br> </br>
|
||
<p>So here we want to mke a bash/zsh command function to simplify the opening and closing of the secret ssh port. You can use the one i made below for the same:</p>
|
||
<pre><code class="nim">
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ vim ~/.zshrc
|
||
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ zsh
|
||
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ which secretssh
|
||
secretssh () {
|
||
if [[ $# -ne 6 ]]
|
||
then
|
||
echo "incorrect, use the following syntax:" >&2
|
||
echo "secretssh 192.168.0.1 111 222 333 wonderland 2222" >&2
|
||
echo "192.168.0.1 = host to port knock to" >&2
|
||
echo "111 222 333 = port knocking procedure to OPEN the port (in reverse = close the port)" >&2
|
||
echo "wonderland = ssh alias to connect to." >&2
|
||
echo "2222 = the secret ssh port to connect to" >&2
|
||
else
|
||
echo "OPENIGN SECRET SSH: port knocking $1 with sequence $2 $3 $4"
|
||
for x in $2 $3 $4
|
||
do
|
||
nmap -Pn --max-retries 0 -p $x $1
|
||
done > /dev/null
|
||
sleep 1
|
||
ssh $5 -p $6
|
||
echo "CLOSING SECRET SSH: port knocking $1 with sequence $4 $3 $2"
|
||
for x in $4 $3 $2
|
||
do
|
||
nmap -Pn --max-retries 0 -p $x $1
|
||
done > /dev/null
|
||
fi
|
||
}
|
||
|
||
</pre></code>
|
||
<p>you can test it as follows, using an ssh alias (which doesn't reveal the secret ssh port!):</p>
|
||
<pre><code class="nim">
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ cat ~/.ssh/config
|
||
Host wonderland
|
||
User root
|
||
Hostname 192.168.0.100
|
||
IdentityFile ~/.ssh/torified
|
||
|
||
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
|
||
number of arguements: 6
|
||
opening secret ssh port:
|
||
port knocking 192.168.0.100 with sequence 7000 8000 9000
|
||
Enter passphrase for key '/home/nihilist/.ssh/torified':
|
||
Linux wonderland 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
|
||
|
||
The programs included with the Debian GNU/Linux system are free software;
|
||
the exact distribution terms for each program are described in the
|
||
individual files in /usr/share/doc/*/copyright.
|
||
|
||
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
|
||
permitted by applicable law.
|
||
Web console: https://wonderland:9090/ or https://192.168.0.100:9090/
|
||
|
||
Last login: Mon Apr 1 11:32:21 2024 from 192.168.0.61
|
||
|
||
[ Wonderland ] [ /dev/pts/25 ] [~]
|
||
→ id
|
||
uid=0(root) gid=0(root) groups=0(root),104(kvm),126(libvirt)
|
||
|
||
[ Wonderland ] [ /dev/pts/25 ] [~]
|
||
→ exit
|
||
Connection to 192.168.0.100 closed.
|
||
closing secret ssh port:
|
||
port knocking 192.168.0.100 with sequence 9000 8000 7000
|
||
|
||
</pre></code>
|
||
<p>That way, we make sure that we do not hardcode the port sequence to open/close the secret ssh port, and we also make sure that the secret ssh port is not revealed. This means that from now on you will need to remember the port sequence to open the secret ssh port, and also the secret ssh port itself. Without those, you will be unable to login to the server.</p>
|
||
<p>Now however the risk is that you'd reveal the port sequence and ssh port from the bash or zsh history file: </p>
|
||
<pre><code class="nim">
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ history | grep secretssh
|
||
534 secretssh
|
||
535 secretssh 111 222 333
|
||
537 secretssh 111 222 333
|
||
539 secretssh 111 222 333
|
||
540 secretssh 192.168.0.100 111 222 333
|
||
542 secretssh 111 222 333
|
||
543 secretssh 192.168.0.100 111 222 333 333
|
||
544 secretssh 192.168.0.100 111 222 333 333 444
|
||
546 secretssh 192.168.0.100 111 222 333 333 444
|
||
547 secretssh 192.168.0.100 111 222 333 333
|
||
548 secretssh 192.168.0.100 111 222 333
|
||
549 secretssh 192.168.0.100 111 222
|
||
550 secretssh 192.168.0.100 111
|
||
553 secretssh 192.168.0.100 111
|
||
554 secretssh 192.168.0.100 111 222
|
||
555 secretssh 192.168.0.100 111 222 333
|
||
556 secretssh 192.168.0.100 111 222 333 444
|
||
557 secretssh 192.168.0.100 111 222 333 444 555
|
||
558 secretssh 192.168.0.100 111 222 333 666
|
||
559 secretssh 192.168.0.100 111
|
||
560 secretssh 192.168.0.100 111 222
|
||
561 secretssh 192.168.0.100 111 222 333
|
||
564 secretssh 192.168.0.100 111 222 333
|
||
565 secretssh 192.168.0.100 111 222 333 wonderland
|
||
568 secretssh 192.168.0.100 111 222 333 wonderland
|
||
569 secretssh 192.168.0.100 111 222 333 wonderland 2222
|
||
571 secretssh 192.168.0.100 111 222 333 wonderland 2222
|
||
572 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
|
||
574 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
|
||
576 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
|
||
578 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
|
||
580 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
|
||
582 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
|
||
583 which secretssh
|
||
586 which secretssh
|
||
588 which secretssh
|
||
|
||
</pre></code>
|
||
<p>so let's make sure that there is a cronjob that runs on the clientside to sed out the lines containing ssh, scp, rsync, nmap and secretssh on the /home/*/.zsh_history files:</p>
|
||
<pre><code class="nim">
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ sed -i s'/.*nmap.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
|
||
sed: can't read /root/.zsh_history: Permission denied
|
||
sed: can't read /root/.bash_history: Permission denied
|
||
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ zsh
|
||
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ history | grep nmap
|
||
602 history | grep nmap
|
||
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ sudo crontab -e
|
||
|
||
* * * * * sed -i s'/.*nmap.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
|
||
* * * * * sed -i s'/.*ssh.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
|
||
* * * * * sed -i s'/.*scp.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
|
||
* * * * * sed -i s'/.*rsync.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
|
||
* * * * * sed -i s'/.*secretssh.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
|
||
|
||
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ history | grep secretssh
|
||
582 secretssh 192.168.0.100 7000 8000 9000 wonderland 2222
|
||
588 which secretssh
|
||
590 history | grep secretssh
|
||
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ /usr/bin/sed -i s'/.*secretssh.*//gi' /home/*/.zsh_history /home/*/.bash_history /root/.zsh_history /root/.bash_history
|
||
|
||
/usr/bin/sed: can't read /root/.zsh_history: Permission denied
|
||
/usr/bin/sed: can't read /root/.bash_history: Permission denied
|
||
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ zsh
|
||
|
||
[ mainpc ] [ /dev/pts/10 ] [~/Nextcloud/blog]
|
||
→ history | grep secretssh
|
||
611 history | grep secretssh
|
||
|
||
</pre></code>
|
||
<p>And that's it! now we have a secure way of accessing the server, without revealing the port knocking sequence nor the secret ssh port.</p>
|
||
</div>
|
||
</div><!-- /row -->
|
||
</div> <!-- /container -->
|
||
</div><!-- /white -->
|
||
<div id="anon1">
|
||
<div class="container">
|
||
<div class="row">
|
||
<div class="col-lg-8 col-lg-offset-2">
|
||
<h2><b>UPS setup in case of a power outage (WIP)</b></h2> </br> </br>
|
||
<p>TODO: Then we make sure that when the power goes out, the UPS gives the signal for the homeserver to do the emergency shutdown script before shutting down, in order to hide the content of the server, before gracefully shutting down. </p>
|
||
<pre><code class="nim">
|
||
</pre></code>
|
||
<p>Next step is to look at how to make sure the .onion service keeps running even after shutting down the entire homeserver, to make sure that it is impossible to prove that you are maintaining the sensitive service. We'll go into it with how Endgame V3 can be setup in a future tutorial.</p>
|
||
|
||
</div>
|
||
</div><!-- /row -->
|
||
</div> <!-- /container -->
|
||
</div><!-- /white -->
|
||
|
||
|
||
<!-- +++++ Footer Section +++++ -->
|
||
|
||
<div id="anonb">
|
||
<div class="container">
|
||
<div class="row">
|
||
<div class="col-lg-4">
|
||
<h4>Nihilism</h4>
|
||
<p>
|
||
Until there is Nothing left.
|
||
|
||
</p>
|
||
</div><!-- /col-lg-4 -->
|
||
|
||
<div class="col-lg-4">
|
||
<h4>My Links</h4>
|
||
<p>
|
||
|
||
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://matrix.to/#/#nowheremoe:nowhere.moe">Matrix Chat</a><br/>
|
||
|
||
</p>
|
||
</div><!-- /col-lg-4 -->
|
||
|
||
<div class="col-lg-4">
|
||
<h4>About nihilist</h4>
|
||
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
|
||
</div><!-- /col-lg-4 -->
|
||
|
||
</div>
|
||
|
||
</div>
|
||
</div>
|
||
|
||
|
||
<!-- Bootstrap core JavaScript
|
||
================================================== -->
|
||
<!-- Placed at the end of the document so the pages load faster -->
|
||
|
||
</body>
|
||
</html>
|