thecolorjay

Apt

Configuring Apt.

Using HTTP with Apt.

  • Overwrite /etc/apt/sources.list with the following entries.
sudo nano /etc/apt/sources.list

deb http://archive.ubuntu.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ bionic main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ bionic-security main restricted universe multiverse

deb http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted universe multiverse

  • Update package list.
sudo apt update -y
sudo apt install apt-transport-https curl debian-keyring -y

Using Tor with Apt.

  • Write the following entries to the /etc/apt/sources.list.d/torproject.list file.
sudo nano /etc/apt/sources.list.d/torproject.list

deb https://deb.torproject.org/torproject.org bionic main
deb-src https://deb.torproject.org/torproject.org bionic main

  • Add the Tor Project signing key.
curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
  • Update package list.
sudo apt update -y
sudo apt install apt-transport-tor tor deb.torproject.org-keyring -y
  • Overwrite /etc/apt/sources.list.d/torproject.list with the following entries.
sudo nano /etc/apt/sources.list.d/torproject.list

deb tor://sdscoq7snqtznauu.onion/torproject.org bionic main
deb-src tor://sdscoq7snqtznauu.onion/torproject.org bionic main

Update, upgrade and cleanup packages.

  • Update package list.
sudo apt update -y
  • Upgrade packages.
sudo apt dist-upgrade -y
  • Cleanup packages.
sudo apt autoremove -y

Uncomplicated Firewall

Installing and configuring UFW.

Install packages.

sudo apt install ufw gufw -y

Reset, enable or disable UFW.

  • Reset ufw, and disable start up on boot.
sudo ufw reset
  • Enable ufw, and enable start up on boot.
sudo ufw enable
  • Disable ufw, and disable start up on boot.
sudo ufw disable

Deny, allow or limit all incoming requests by default.

sudo ufw default deny incoming
sudo ufw default allow incoming
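  • Limit all incoming requests by default. (Blacklisting with incoming DDoS protection) Note that ufw's default command accepts only allow, deny or reject as a policy, so ufw rejects limit here; rate limiting has to be set on individual rules.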
sudo ufw default limit incoming

Deny, allow or limit all outgoing requests by default.

sudo ufw default deny outgoing
sudo ufw default allow outgoing
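  • Limit all outgoing requests by default. (Blacklisting with outgoing DDoS protection) Note that ufw's default command accepts only allow, deny or reject as a policy, so ufw rejects limit here; rate limiting has to be set on individual rules.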
sudo ufw default limit outgoing

Disable or enable logging.

  • Disable logging.
sudo ufw logging off
  • Enable low logging.
sudo ufw logging low
  • Enable high logging.
sudo ufw logging high

Deny, allow or limit incoming requests from a specific IP address to any IP address on a specific port.

  • Deny incoming TCP requests from a specific IP address to any IP address on a specific port. (If you're allowing all incoming requests by default)
sudo ufw deny in proto tcp from <ip-address> to any port <port>
  • Allow incoming TCP requests from a specific IP address to any IP address on a specific port. (If you're denying all incoming requests by default)
sudo ufw allow in proto tcp from <ip-address> to any port <port>
  • Limit incoming TCP requests from a specific IP address to any IP address on a specific port. (If you're denying all incoming requests by default, and you require incoming DDoS protection)
sudo ufw limit in proto tcp from <ip-address> to any port <port>

Deny, allow or limit outgoing requests to a specific IP address on a specific port from any IP address.

  • Deny outgoing TCP requests to a specific IP address on a specific port, from any IP address. (If you're allowing all outgoing requests by default)
sudo ufw deny out proto tcp to <ip-address> port <port> from any
  • Allow outgoing TCP requests to a specific IP address on a specific port, from any IP address. (If you're denying all outgoing requests by default)
sudo ufw allow out proto tcp to <ip-address> port <port> from any
  • Limit outgoing TCP requests to a specific IP address on a specific port, from any IP address. (If you're denying all outgoing requests by default, and you require outgoing DDoS protection)
sudo ufw limit out proto tcp to <ip-address> port <port> from any

Display the status, verbose status or numbered status of UFW.

  • Display the status of ufw.
sudo ufw status
  • Display the verbose status of ufw.
sudo ufw status verbose
  • Display the numbered status of ufw.
sudo ufw status numbered
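
A check for the settings above, as an added example that is not part of the original page: it reads the output of `sudo ufw status verbose` on stdin and reports an inactive firewall, disabled logging, a permissive default incoming policy, and allow rules open to any source. The function name `ufw_audit` is made up here.

```shell
#!/bin/sh
# Added example: audit `sudo ufw status verbose` output read from stdin.
# ufw_audit is a made-up name. It prints one finding per line and returns 1
# if there is at least one finding, 0 otherwise.
ufw_audit() {
    awk '
        /^Status:/  { if ($2 != "active") f[++n] = "firewall is " $2 }
        /^Logging:/ { if ($2 == "off") f[++n] = "logging is off" }
        /^Default:/ {
            # e.g. "Default: deny (incoming), allow (outgoing), disabled (routed)"
            seen_default = 1
            if ($2 != "deny" && $2 != "reject")
                f[++n] = "default incoming policy is " $2
        }
        # Rule rows look like "<to>  ALLOW IN  <from>". Flag allows that are
        # open to every source; LIMIT IN and address-scoped rules pass.
        / ALLOW IN +Anywhere/ { f[++n] = "open to any source: " $1 }
        END {
            if (!seen_default)
                f[++n] = "no Default: line (ufw inactive or non-verbose output)"
            for (i = 1; i <= n; i++) print f[i]
            exit (n > 0)
        }
    '
}

# Typical use on a live system:
#   sudo ufw status verbose | ufw_audit || echo "review the findings above"
```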

ClamAV

Installing and configuring ClamAV.

Install packages.

sudo apt install clamav clamav-daemon clamav-freshclam clamtk -y

Update database.

  • Update Virus Definitions.
sudo freshclam

Scan for viruses.

ClamAV is able to scan separate files or if necessary entire directories.

  • Scan a file.
sudo clamscan <file>
  • Scan a directory.
sudo clamscan --recursive=yes --infected /home
  • Scan a directory, and remove infected files.
sudo clamscan --recursive=yes --infected /home --remove
  • Scan a directory with files larger than 20Mb.
sudo clamscan --max-filesize=2000M --max-scansize=2000M --recursive=yes --infected /home
  • Scan a directory with files larger than 20Mb, and remove infected files larger than 20Mb.
sudo clamscan --max-filesize=2000M --max-scansize=2000M --recursive=yes --infected /home --remove

AppArmor

Installing AppArmor.

Install packages.

Firejail

Installing and configuring Firejail.

Install packages.

sudo nano /usr/local/bin/firefox

#!/bin/bash
/usr/bin/firejail --apparmor --seccomp --private --dns=1.1.1.1 --dns=1.0.0.1 /usr/bin/firefox -no-remote -private-window

sudo chmod +x /usr/local/bin/firefox

That’ll set it up so that by default, your Firefox profile will erase itself completely when you’re done with it.

After this, you’ll want to create a launcher for each of your sandboxed Firefox profiles using Firejail.

  • Create a launcher for your Firefox Personal profile.
sudo cp /usr/share/applications/firefox.desktop /usr/share/applications/firefox-personal.desktop

firefox-personal

firejail --apparmor --seccomp --private=/home/user/Desktop/Firejail/Firefox/Personal --dns=1.1.1.1 --dns=1.0.0.1 firefox -no-remote -private %u
  • Create a launcher for your Firefox Work profile.
sudo cp /usr/share/applications/firefox.desktop /usr/share/applications/firefox-work.desktop

firefox-work

firejail --apparmor --seccomp --private=/home/user/Desktop/Firejail/Firefox/Work --dns=1.1.1.1 --dns=1.0.0.1 firefox -no-remote -private %u
  • Create a launcher for your Firefox Banking profile.
sudo cp /usr/share/applications/firefox.desktop /usr/share/applications/firefox-banking.desktop

firefox-banking

firejail --apparmor --seccomp --private=/home/user/Desktop/Firejail/Firefox/Banking --dns=1.1.1.1 --dns=1.0.0.1 firefox -no-remote -private %u
  • Create a launcher for your Firefox Shopping profile.
sudo cp /usr/share/applications/firefox.desktop /usr/share/applications/firefox-shopping.desktop

firefox-shopping

firejail --apparmor --seccomp --private=/home/user/Desktop/Firejail/Firefox/Shopping --dns=1.1.1.1 --dns=1.0.0.1 firefox -no-remote -private %u

This will set it up in the same way that Firefox Multi-Account Containers would, only you're sandboxing everything with Firejail.
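
One way to script the launcher steps above, as an added example that is not from the original page: it assumes the edit made to each copied file is the launcher name plus the firejail command as its Exec line, and it goes beyond the page by also rewriting the Exec lines of the desktop actions. `make_launcher` and `FIREJAIL_BASE` are names made up for this sketch.

```shell
#!/bin/sh
# Added example: build one per-profile launcher from a stock firefox.desktop.
# FIREJAIL_BASE and make_launcher are hypothetical names; the default base
# directory is the one used on the page.
FIREJAIL_BASE="${FIREJAIL_BASE:-/home/user/Desktop/Firejail/Firefox}"

# make_launcher SRC OUT_DIR PROFILE
#   SRC      stock firefox.desktop to start from
#   OUT_DIR  directory that receives firefox-<profile>.desktop
#   PROFILE  profile directory name as on the page, e.g. Personal
# Prints the path of the launcher it wrote.
make_launcher() {
    src=$1 out_dir=$2 profile=$3
    lower=$(printf '%s' "$profile" | tr '[:upper:]' '[:lower:]')
    priv="$FIREJAIL_BASE/$profile"
    cmd="firejail --apparmor --seccomp --private=$priv --dns=1.1.1.1 --dns=1.0.0.1 firefox -no-remote -private %u"
    out="$out_dir/firefox-$lower.desktop"

    # --private=DIR needs an existing directory to use as the sandbox home.
    mkdir -p "$priv" || return 1

    # Rewrite every Exec= line, including those in [Desktop Action ...]
    # groups, so no menu entry of this launcher starts Firefox with a
    # different command line. Rename only the main entry and drop its
    # translated Name[xx]= variants so the new name is what gets displayed.
    awk -v cmd="$cmd" -v name="firefox-$lower" '
        /^\[/             { main = ($0 == "[Desktop Entry]") }
        /^Exec=/          { print "Exec=" cmd; next }
        main && /^Name=/  { print "Name=" name; next }
        main && /^Name\[/ { next }
        { print }
    ' "$src" > "$out" || return 1
    printf '%s\n' "$out"
}
```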

WireGuard

Installing and configuring WireGuard.

Install packages.

  • Add WireGuard repository.
sudo add-apt-repository ppa:wireguard/wireguard
  • Update package list.
sudo apt update -y
sudo apt install wireguard -y

wg-ipv4-ch1ro1

wg-ipv6-ch1ro1

  • Copy the configuration file over to the /etc/wireguard directory.
sudo cp mullvadch1ro1.conf /etc/wireguard
  • Update the permissions.
sudo chown root:root -R /etc/wireguard && sudo chmod 600 -R /etc/wireguard

Start or stop WireGuard.

  • Start WireGuard.
sudo wg-quick up mullvadch1ro1
  • Stop WireGuard.
sudo wg-quick down mullvadch1ro1

Enable or disable WireGuard start up on boot.

  • Enable WireGuard start up on boot.
sudo systemctl enable wg-quick@mullvadch1ro1
  • Disable WireGuard start up on boot.
sudo systemctl disable wg-quick@mullvadch1ro1

“If they want to get you, over time they will.” Edward Snowden.

A Tor circuit consists of 3 relays: a bridge/guard relay, a middle relay, and an exit relay. All of your DNS queries are encrypted via your Tor circuit. Only the Tor exit relay is able to decrypt your DNS queries.

A VPN circuit consists of 1 server (or 2-3 servers if you're using multihop). All of your DNS queries are encrypted via your VPN circuit. All of the VPN servers are able to decrypt your DNS queries.

With Tor, you're anonymous. Whereas with a VPN, you're pseudonymous.

But, why? A VPN is centralized, whereas Tor is decentralized. Your VPN provider is a Man-in-the-middle (MITM) to your VPN circuit.

For plausible deniability, you'll want to set up a Tor bridge/guard relay over your VPN.

By doing this, you'll generate white noise (cover traffic) so your VPN provider won't be able to distinguish your subscriber traffic from other subscriber traffic, providing you with better anonymity.

If you're using Firefox, I'd enable DNS over HTTPS (DoH) and Encrypted SNI (ESNI). I recommend using BlahDNS as your DoH resolver.

user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://doh-jp.blahdns.com/dns-query");
user_pref("network.trr.bootstrapAddress", "45.32.55.94");
user_pref("network.security.esni.enabled", true);

All of your DNS queries will be encrypted via your DoH resolver, over your VPN. Only your DoH resolver will be able to decrypt your DNS queries.

As for Android, you'll want to install NetGuard for your firewall, WireGuard for your VPN, Orbot for your Tor bridge/guard relay, Bromite for your web browsing, Silence for your secure SMS/MMS messaging, and Syncthing for peer-to-peer file sharing.