Introduction:
Now, in that rare occasion you can just plant a full computer somewhere, get an IP and no one would notice, you can make a "slam" box. Whats a slam box? Its a combination of VPN machine and hacking machine designed to be always on and run background tasks not on your desktop. Many times these functions can be done by compromised boxes, but sometimes you get the ability to simply rack your own. A slam box hosts no web services, perhaps except decoys. Ideally its invisible.
Best case scenario you get access to a datacenter and you re-purpose old Xeon based rackmount chassis. Worse case you're on a rasberri pi dropped in a crawlspace. Likely, you'll be using an old desktop.
Step One
Survey what hardware you have access to, and what space you can stick the box in as well as your internet situation. Best case scenario you have un-natted, un-firewalled internet in both directions. Second best scenario is you can setup NAT for your VPN incoming and have relatively unrestricted out going. Its also gotta be on a network that is not going to be suspicious, and won't draw ire to you, so no slam boxes at home, or your friends houses.
A decent place for a stealth slam box is a bar you frequent with wifi. The best is a datacenter you have access to, or somewhere else that houses computers or networking equipment. The best locations are hidden in plain sight, where your box looks like every other box. You are also going to need semi-regular access. Being able to access your box about once every month, mostly for maintenance.
You are also want to get DNS for you machine, to make it easier to connect to. Namecheap.com sells domains for bitcoin, and allows DynamicDNS. You only need Dynamic DNS if your box is on a home or commercial network. generally if you are using NAT you might need dynamic DNS.
Its also recommended
Step Two
Pick your weapon. Most likely find old machine. Hardware a few years old is fine. Just make sure you can easily get parts. If HW is cheap there is no reason not to fill out the RAM slots. 8GB of ram should be fine, but the more the merrier. Same with CPUs. If the motherboard supports multiple CPUs not reason not to load it out, if they are cheap enough. Not only is this box going to be a VPN, but also run background tasks.
The NIC card is key, if you are on a gigabit lan, get a gigabit card, its OK to spurge for a better NIC. If you can get a slam box into a datacenter a multi-que NIC just might be worth it, especially if your on unrestricted gigabit/10GBE
Depending on use you probably won't need the biggest hard disks, but getting a pair of matching ones for RAID-1, especially if you easily get more of the same type is important. Software RAID is preferable, but if you need to deal with hardware raid make sure you figure out to how use the software for your RAID card. You will also need to know how to easily get replacement hard disks. They are the first things to fail.
Other hardware you could use are things like video cards for password cracking. You likely won't be able to fit enough GPU power for a mini-supercomputer(another box type), because you don't have the space, and your rig won't handle the power consumption. A single low end GPU is still better than nothing, For password cracking you'll need a mini-supercomputer, i.e. a alt-coin mining rig.
Step Three
Install. You are going to want to choose a high performance OS that handles software raid, VPN software and has a wide collection of software as well as stable releases. Arch and Gentoo are out, as rolling releases are likely to break setups, and bump major versions. CentOS/RHEL does not have the required package base needed, so your best options are either Debian or Ubuntu server. You also need to make sure that NAT is configured to forward VPN packets to your server, if you are behind a NAT like most home/business routers are. This doesn't apply to datacenters for the most part, but you may need to configure firewall rules. Specifically UDP Port 1194 needs to be forwarded to your machine.
Personal recommendation: Debian stable. Don't play games with your VPN server.
In the debian install, make sure you set a static IP, and pick the basic options plus the OpenSSH server. When you get done with the server, make sure you uninstall RPCBIND, and setup your VPN.
https://stribika.github.io/2015/01/04/secure-secure-shell.html
If you need dynamic DNS you should install ddclient
make sure you have ssl=yes in there to enable ssl for requests. You most likely need to do some more reading on this. Feel free to set long poll times as modern ISPs don't change IPs very often, perhaps once every six months perhaps even longer. Its possible to go without this and set the IP address manually and update it manually. Thats your choice. I generally don't use dynamic dns.
For this exercise we are going to use OpenVPN. Its a high quality FOSS VPN that works great with GNU/Linux as both client and server. It also has a good android port. For performance reasons we are going to use the recommended settings of using UDP with a tunnel, and use certificate based authentication and TLS packet encryption.
https://wiki.debian.org/OpenVPN
Now make your DH params and TLS encryption files:
in your openvpn server config:
Local configuration
You are going to need to drag ca.crt, ta.key and all your local certificate and key files you generated from easy rsa to your local machine. this can be done with sftp, built into ssh.
PRO-TIP: keep your cert files in an encrypted space, such as using truecrypt/veracrypt containers
You can follow the debian instructions for clients, or if you are using networkmanager, install the openvpn plugin
In the network manager GUI you enter in your hostname, certs, and then click advanced -> security
Now select AES-256-CBC as for cipher, and SHA-384 for HMAC authentication
Click on TLS authentication tab, and select "Use Aditional TLS Authentication", and then select your ta.key file. Next set key direction to 1.
Click OK.
Under the IPv4 settings, you will see a button called "routes", click this. You will see a setting that says "Use this connection only for resources on its own network", check this. If you uncheck this, you will automatically forward all traffic over your VPN tunnel. Keep this in mind, because you will likely want to do this at some point.
Step Five
Test and enable the VPN. On the server
Try connecting from the client, it should connect, if not fix all errors reported. Once that is working, control C out and then restart the vpn with systemctl
Step 6
VPN pass through. Now that you've tested OpenVPN setup your machine to be able to forward traffic
http://whatsmyip.net/
Contrats, you now have a slam box you can route traffic through and run background tasks and VPN though.
Step 7
Hardening, the most important part. You also gain some stealth. If you do this right, the box should be relatively invisible. It won't be detectable to nmap and won't respond to pings. All traffic to is going to be over UDP that will only respond to encrypted packets.
SSH.
Have SSH listen only on the VPN tunnel.
edit /etc/ssh/sshd_config and change ListenAddress to the address of tun0. restart sshd. ssh is now only available over the tunnel.
iptables. Because the only thing that should be connecting to this is your VPN Tunnel:
Step 8
Enjoy. You now have a hardened slambox that will either re-route your traffic, or run background tasks for you. It would be hard detecting this box with active scans. Its somewhat hardened and it would be hard for someone to attack this box back if they get your IP. You can use this for all manner of outgoing connection including IRC, and forwarding web traffic, and downloads. You have the choice of connecting from the box itself, or forwarding traffic and no one would know the difference.
Now, in that rare occasion you can just plant a full computer somewhere, get an IP and no one would notice, you can make a "slam" box. Whats a slam box? Its a combination of VPN machine and hacking machine designed to be always on and run background tasks not on your desktop. Many times these functions can be done by compromised boxes, but sometimes you get the ability to simply rack your own. A slam box hosts no web services, perhaps except decoys. Ideally its invisible.
Best case scenario you get access to a datacenter and you re-purpose old Xeon based rackmount chassis. Worse case you're on a rasberri pi dropped in a crawlspace. Likely, you'll be using an old desktop.
Step One
Survey what hardware you have access to, and what space you can stick the box in as well as your internet situation. Best case scenario you have un-natted, un-firewalled internet in both directions. Second best scenario is you can setup NAT for your VPN incoming and have relatively unrestricted out going. Its also gotta be on a network that is not going to be suspicious, and won't draw ire to you, so no slam boxes at home, or your friends houses.
A decent place for a stealth slam box is a bar you frequent with wifi. The best is a datacenter you have access to, or somewhere else that houses computers or networking equipment. The best locations are hidden in plain sight, where your box looks like every other box. You are also going to need semi-regular access. Being able to access your box about once every month, mostly for maintenance.
You are also want to get DNS for you machine, to make it easier to connect to. Namecheap.com sells domains for bitcoin, and allows DynamicDNS. You only need Dynamic DNS if your box is on a home or commercial network. generally if you are using NAT you might need dynamic DNS.
Its also recommended
Step Two
Pick your weapon. Most likely find old machine. Hardware a few years old is fine. Just make sure you can easily get parts. If HW is cheap there is no reason not to fill out the RAM slots. 8GB of ram should be fine, but the more the merrier. Same with CPUs. If the motherboard supports multiple CPUs not reason not to load it out, if they are cheap enough. Not only is this box going to be a VPN, but also run background tasks.
The NIC card is key, if you are on a gigabit lan, get a gigabit card, its OK to spurge for a better NIC. If you can get a slam box into a datacenter a multi-que NIC just might be worth it, especially if your on unrestricted gigabit/10GBE
Depending on use you probably won't need the biggest hard disks, but getting a pair of matching ones for RAID-1, especially if you easily get more of the same type is important. Software RAID is preferable, but if you need to deal with hardware raid make sure you figure out to how use the software for your RAID card. You will also need to know how to easily get replacement hard disks. They are the first things to fail.
Other hardware you could use are things like video cards for password cracking. You likely won't be able to fit enough GPU power for a mini-supercomputer(another box type), because you don't have the space, and your rig won't handle the power consumption. A single low end GPU is still better than nothing, For password cracking you'll need a mini-supercomputer, i.e. a alt-coin mining rig.
Step Three
Install. You are going to want to choose a high performance OS that handles software raid, VPN software and has a wide collection of software as well as stable releases. Arch and Gentoo are out, as rolling releases are likely to break setups, and bump major versions. CentOS/RHEL does not have the required package base needed, so your best options are either Debian or Ubuntu server. You also need to make sure that NAT is configured to forward VPN packets to your server, if you are behind a NAT like most home/business routers are. This doesn't apply to datacenters for the most part, but you may need to configure firewall rules. Specifically UDP Port 1194 needs to be forwarded to your machine.
Personal recommendation: Debian stable. Don't play games with your VPN server.
In the debian install, make sure you set a static IP, and pick the basic options plus the OpenSSH server. When you get done with the server, make sure you uninstall RPCBIND, and setup your VPN.
apt-get remove rpcbindNOTE: SSH hardening really isn't neccary as we'll be tunnelling SSH over OpenVPN, but if you want to secure SSH,there are instructions here:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
If you need dynamic DNS you should install ddclient
apt-get install ddclienthttps://unix.stackexchange.com/questions/218841/configure-debian-ddclient-with-dyndns-noip-com
make sure you have ssl=yes in there to enable ssl for requests. You most likely need to do some more reading on this. Feel free to set long poll times as modern ISPs don't change IPs very often, perhaps once every six months perhaps even longer. Its possible to go without this and set the IP address manually and update it manually. Thats your choice. I generally don't use dynamic dns.
For this exercise we are going to use OpenVPN. Its a high quality FOSS VPN that works great with GNU/Linux as both client and server. It also has a good android port. For performance reasons we are going to use the recommended settings of using UDP with a tunnel, and use certificate based authentication and TLS packet encryption.
apt-get openvpn easy-rsafollow the base instructions here:
https://wiki.debian.org/OpenVPN
Now make your DH params and TLS encryption files:
Once you've got that working, now time to do some hardening:openssl dhparam -out /etc/openvpn/dh.pem 2048openvpn --genkey --secret ta.key
in your openvpn server config:
# TLS packet authenticationNow with your favorite text editor make a new file /etc/openvpn/start_ssh.sh with the contents:
tls-auth /etc/openvpn/ta.key 0 # This file is secret
#crypto selection
cipher AES-256-CBC
auth SHA384
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
#restart sshd after the VPN starts
script-security 2
up "/etc/openvpn/start_sshd.sh"
#!/bin/shMark the file executable
logger OpenVPN: starting sshd
systemctl restart sshd.service || logger OpenVPN failed to start sshd
chmod +x /etc/openvpn/start_ssh.shStep Four
Local configuration
You are going to need to drag ca.crt, ta.key and all your local certificate and key files you generated from easy rsa to your local machine. this can be done with sftp, built into ssh.
PRO-TIP: keep your cert files in an encrypted space, such as using truecrypt/veracrypt containers
You can follow the debian instructions for clients, or if you are using networkmanager, install the openvpn plugin
apt-get install network-manager-openvpnon debian, or whatever your distribution uses for this software.
In the network manager GUI you enter in your hostname, certs, and then click advanced -> security
Now select AES-256-CBC as for cipher, and SHA-384 for HMAC authentication
Click on TLS authentication tab, and select "Use Aditional TLS Authentication", and then select your ta.key file. Next set key direction to 1.
Click OK.
Under the IPv4 settings, you will see a button called "routes", click this. You will see a setting that says "Use this connection only for resources on its own network", check this. If you uncheck this, you will automatically forward all traffic over your VPN tunnel. Keep this in mind, because you will likely want to do this at some point.
Step Five
Test and enable the VPN. On the server
or whatever the server config name is.
openvpn /etc/openvpn/tun0.conf
Try connecting from the client, it should connect, if not fix all errors reported. Once that is working, control C out and then restart the vpn with systemctl
systemctl start openvpn@tun0Your VPN should now start at boot. Also try connecting to ssh over the vpn tunnel to make sure it works.
systemctl enable openvpn@tun0
Step 6
VPN pass through. Now that you've tested OpenVPN setup your machine to be able to forward traffic
https://wiki.debian.org/OpenVPN#Forward_traffic_via_VPNNext setup iptables to keep settings on reboot
https://wiki.debian.org/iptablesYou can now test this by unchecking the box in IPv4 Settings that says "Use this connection only for resources on its network". Check with
apt-get install iptables-persistant
http://whatsmyip.net/
Contrats, you now have a slam box you can route traffic through and run background tasks and VPN though.
Step 7
Hardening, the most important part. You also gain some stealth. If you do this right, the box should be relatively invisible. It won't be detectable to nmap and won't respond to pings. All traffic to is going to be over UDP that will only respond to encrypted packets.
SSH.
Have SSH listen only on the VPN tunnel.
edit /etc/ssh/sshd_config and change ListenAddress to the address of tun0. restart sshd. ssh is now only available over the tunnel.
iptables. Because the only thing that should be connecting to this is your VPN Tunnel:
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPTedit /etc/iptables/rules.v4
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPTand then change
-A INPUT -i tun+ -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
:INPUT ACCEPT [0:0]to
:INPUT DROP [0:0]to make them permanent.
Step 8
Enjoy. You now have a hardened slambox that will either re-route your traffic, or run background tasks for you. It would be hard detecting this box with active scans. Its somewhat hardened and it would be hard for someone to attack this box back if they get your IP. You can use this for all manner of outgoing connection including IRC, and forwarding web traffic, and downloads. You have the choice of connecting from the box itself, or forwarding traffic and no one would know the difference.
Comments
Post a Comment