hellresistor revised this gist
Jan 25, 2021 . 1 changed file with 2 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -4,6 +4,8 @@ # Setting TOR as a Bridge, Relay, Exit Node # V2.3 # Hellgarve Resistence Crew # Donate Bitcoin: 13Gr4JiWQBnhCs6AdUNapdfHVu3tG9G6zL # Donate Bitcanna: B73RRFVtndfPRNSgSQg34yqz4e9eWyKRSv ## # Pre-Requirements: ufw OR iptables, fail2ban # -
hellresistor created this gist
May 24, 2020 .There are no files selected for viewing
@@ -0,0 +1,357 @@ #!/bin/bash # # HellRezistor # Setting TOR as a Bridge, Relay, Exit Node # V2.3 # Hellgarve Resistence Crew ## # Pre-Requirements: ufw OR iptables, fail2ban # # https://community.torproject.org/relay/setup/ # https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy myapt(){ apt-get install -y apt-transport-https if ! grep -q "https://deb.torproject.org/torproject.org" /etc/apt/sources.list; then echo "== Adding the official Tor repository" echo "deb https://deb.torproject.org/torproject.org $(lsb_release -cs) main" >> /etc/apt/sources.list wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add - apt-get update fi echo "== Installing Tor and related packages" if [[ "$OPTTOR" == "1" ]]; then apt install -y deb.torproject.org-keyring tor tor-arm tor-geoipdb elif [[ "$OPTTOR" == "2" ]]; then apt install -y tor elif [[ "$OPTTOR" == "3" ]]; then apt install -y tor fi sleep 2 systemctl stop tor } mybridge(){ echo "## Configuring TORRC file ... ##" cp --preserve /etc/tor/torrc /etc/tor/torrc.bck cat <<EOF> /etc/tor/torrc Log notice file /var/log/tor/notices.log #Log debug file /var/log/tor/debug.log DataDirectory /var/lib/tor RunAsDaemon 1 ORPort 9090 #DirPort 9030 RelayBandwidthRate 30 MBytes RelayBandwidthBurst 100 MBytes #AccountingMax 32 GB #AccountingStart day 00:00 SocksPort 0 SocksPolicy reject * ExitPolicy reject *:* ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy ServerTransportListenAddr obfs4 0.0.0.0:9095 ExtORPort auto Nickname $MYNICK ContactInfo $MYEMAIL BridgeRelay 1 EOF sed -i '/^NoNewPrivileges=yes/c\NoNewPrivileges=no' /lib/systemd/system/[email protected] sed -i '/^NoNewPrivileges=yes/c\NoNewPrivileges=no' /lib/systemd/system/[email protected] } mytrelay(){ echo "## Configuring TORRC file ... 
##" cp --preserve /etc/tor/torrc /etc/tor/torrc.bck cat <<EOF> /etc/tor/torrc Log notice file /var/log/tor/notices.log #Log debug file /var/log/tor/debug.log DataDirectory /var/lib/tor RunAsDaemon 1 ORPort 443 ExitRelay 0 SocksPort 0 ControlSocket 0 Nickname $MYNICK ContactInfo $MYEMAIL EOF } mytexit(){ echo "## Configuring TORRC file ... ##" cp --preserve /etc/tor/torrc /etc/tor/torrc.bck cat <<EOF> /etc/tor/torrc Log notice file /var/log/tor/notices.log #Log debug file /var/log/tor/debug.log DataDirectory /var/lib/tor RunAsDaemon 1 ORPort 443 #ORPort $MYIPV6:9001 SocksPort 0 ControlSocket 0 Nickname $MYNICK ContactInfo $MYEMAIL DirPort 80 DirPortFrontPage /path/to/html/file ExitRelay 1 #IPv6Exit 1 ExitPolicy accept *:$SSHPORT # SSH ExitPolicy accept *:80-81 # HTTP ExitPolicy accept *:443 # HTTPS ExitPolicy accept *:853 # DNS over TLS ExitPolicy accept *:1194 # OpenVPN ExitPolicy accept *:8080 # HTTP Proxies ExitPolicy accept *:8443 # PCsync HTTPS ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE ExitPolicy accept *:10000 # Network Data Management Protocol ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol) ExitPolicy reject *:* EOF } mybck(){ echo "BackingUp Tor Fingerprints and KEYS" chmod 400 /root/BCK/FamilyADDkey.info cp -R /var/lib/tor/keys /root/BCK/keys chmod 400 -R /root/BCK/keys echo "PUT THIS IN SAFE LOCATION ... USB .. DISKETE o que quizeres..." && sleep 2 } myautoapt(){ ## updates apt-get install -y unattended-upgrades apt-listchanges cat <<EOF> /etc/apt/apt.conf.d/20auto-upgrades APT::Periodic::Update-Package-Lists "1"; APT::Periodic::AutocleanInterval "5"; APT::Periodic::Unattended-Upgrade "1"; APT::Periodic::Verbose "1"; EOF service unattended-upgrades restart } myfw(){ read -r -p "You use (U)FW or (I)PTABLES? 
U/I" OPTFW if [[ "$OPTFW" == "u" ]] || [[ "$OPTFW" == "U" ]]; then echo "== Configuring UFW firewall rules" if [[ "$OPTTOR" == "1" ]]; then ufw allow 9090/tcp ufw allow 9050/tcp #ufw allow 9030/tcp elif [[ "$OPTTOR" == "2" ]]; then ufw allow 443/tcp elif [[ "$OPTTOR" == "3" ]]; then ufw allow 443/tcp ufw allow 80/tcp fi elif [[ "$OPTFW" == "i" ]] || [[ "$OPTFW" == "I" ]]; then echo "== Configuring IPtables firewall rules" apt-get install -y debconf-utils echo "iptables-persistent iptables-persistent/autosave_v6 boolean true" | debconf-set-selections echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections apt-get install -y iptables iptables-persistent cp --preserve /etc/iptables/rules.v4 /etc/iptables/rules.v4.bck cat<<EOF> /etc/iptables/rules.v4 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :fail2ban-ssh - ## Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT ## allow incoming SSH -A INPUT -p tcp --dport $SSHPORT -j ACCEPT EOF if [[ "$OPTTOR" == "1" ]]; then echo "-A INPUT -p tcp --dport 9090 -j ACCEPT" >> /etc/iptables/rules.v4 echo "-A INPUT -p tcp --dport 9050 -j ACCEPT" >> /etc/iptables/rules.v4 #echo "-A INPUT -p tcp --dport 9030 -j ACCEPT" >> /etc/iptables/rules.v4 elif [[ "$OPTTOR" == "2" ]]; then echo "-A INPUT -p tcp --dport 443 -j ACCEPT" >> /etc/iptables/rules.v4 elif [[ "$OPTTOR" == "3" ]]; then echo "-A INPUT -p tcp --dport 443 -j ACCEPT" >> /etc/iptables/rules.v4 echo "-A INPUT -p tcp --dport 80 -j ACCEPT" >> /etc/iptables/rules.v4 fi cat<<EOF>> /etc/iptables/rules.v4 ## ratelimit ICMP echo, allow all others -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT -A INPUT -p icmp --icmp-type echo-request -j DROP -A INPUT -p icmp -j ACCEPT ## to log denied packets uncomment this line -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -A INPUT -m state --state RELATED,ESTABLISHED -j 
ACCEPT -A INPUT -m state --state INVALID -j DROP -A fail2ban-ssh -j RETURN COMMIT EOF cp --preserve /etc/iptables/rules.v6 /etc/iptables/rules.v6.bck cat<<EOF> /etc/iptables/rules.v6 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] ## Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT ## allow incoming SSH -A INPUT -p tcp --dport $SSHPORT -j ACCEPT EOF if [[ "$OPTTOR" == "1" ]]; then echo "-A INPUT -p tcp --dport 9090 -j ACCEPT" >> /etc/iptables/rules.v6 echo "-A INPUT -p tcp --dport 9050 -j ACCEPT" >> /etc/iptables/rules.v6 #echo "-A INPUT -p tcp --dport 9030 -j ACCEPT" >> /etc/iptables/rules.v6 elif [[ "$OPTTOR" == "2" ]]; then echo "-A INPUT -p tcp --dport 443 -j ACCEPT" >> /etc/iptables/rules.v6 elif [[ "$OPTTOR" == "3" ]]; then echo "-A INPUT -p tcp --dport 443 -j ACCEPT" >> /etc/iptables/rules.v6 echo "-A INPUT -p tcp --dport 80 -j ACCEPT" >> /etc/iptables/rules.v6 fi cat<<EOF>> /etc/iptables/rules.v6 ## ratelimit ICMP echo, allow all others -A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 2/s -j ACCEPT -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP -A INPUT -p ipv6-icmp -j ACCEPT ## to log denied packets uncomment this line -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -m state --state INVALID -j DROP COMMIT EOF chmod 600 /etc/iptables/rules.v4 chmod 600 /etc/iptables/rules.v6 iptables-restore < /etc/iptables/rules.v4 ip6tables-restore < /etc/iptables/rules.v6 else echo "wrong option" && mysec fi } mymon(){ apt-get install -y monit cat<<EOF> /etc/monit/conf.d/tor-relay.conf check process tor with pidfile "/var/run/tor/tor.pid" start program = "/etc/init.d/tor start" stop program = "/etc/init.d/tor stop" check process fail2ban with pidfile "/var/run/fail2ban/fail2ban.pid" start program = "/etc/init.d/fail2ban start" stop program = "/etc/init.d/fail2ban 
stop" check process unbound with pidfile "/var/run/unbound.pid" start program = "/etc/init.d/unbound start" stop program = "/etc/init.d/unbound stop" EOF service monit restart echo "### Setting Unbound DNS Resolver ###" apt install -y unbound cp --preserve /etc/resolv.conf /etc/resolv.conf.bck echo "nameserver 127.0.0.1" > /etc/resolv.conf chattr +i /etc/resolv.conf ## install apparmor echo "### Setting AppArmor and Fail2Ban ###" apt-get install -y ntp apparmor apparmor-profiles apparmor-utils fail2ban sed -i.bck 's/GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="\1 apparmor=1 security=apparmor"/' /etc/default/grub update-grub } getfamkeys(){ while [ ! -f /var/lib/tor/fingerprint ] do echo "Please wait... Generating Fingerprint" sleep 5 done read -r -p "############################## ## Have Family keys to add? ## ############################## (Y/N) " HAVEKEYS if [[ "$HAVEKEYS" == "y" ]] || [[ "$HAVEKEYS" == "Y" ]]; then MYKEY=$(grep "$MYNICK " /var/lib/tor/fingerprint | awk '{print $2}' | sed -e 's/\"//g') if grep -wq "MyFamily" /etc/tor/torrc; then read -r -p "Paste here a Key fingerprint: " MYKEY sed -i "s/^MyFamily .*/&,$MYKEY/" /etc/tor/torrc echo "$MYKEY" >> /root/BCK/FamilyADDkey.info getfamkeys else echo " Getting My Key..." && sleep 2 echo "MyFamily $MYKEY" >> /etc/tor/torrc echo "$MYKEY" >> /root/BCK/FamilyADDkey.info echo "$MYKEY <-- Added to My Family." echo "Please add other Fingerprint Key of other tor node family!" && sleep 2 getfamkeys fi elif [[ "$HAVEKEYS" == "n" ]] || [[ "$HAVEKEYS" == "N" ]]; then echo "No Keys to ADD... will Continue.." && sleep 1 echo "$MYKEY" >> /root/BCK/FamilyADDkey.info else echo "wrong option" && getfamkeys fi } mytor(){ if [[ "$OPTTOR" == "1" ]]; then mybridge elif [[ "$OPTTOR" == "2" ]]; then mytrelay elif [[ "$OPTTOR" == "3" ]]; then mytexit fi echo "Restarting Tor to LAST Configurations.." systemctl daemon-reload systemctl restart tor@default getfamkeys } rest(){ read -r -p "What you want? 
1- New Tor Node (Install and Configure TOR) 2- Restore (Older Tor Settings) =====WORKIN ON THIS ======" OPTTR if [[ "$OPTTR" == "1" ]]; then getinf myapt myautoapt myfw mymon mytor elif [[ "$OPTTR" == "2" ]]; then myapt myautoapt myfw mymon else echo "wrong option" && rest fi } getinf(){ SSHPORT=$(grep "Port " /etc/ssh/sshd_config | awk '{print $2}' | sed -e 's/\"//g') OPTTOR="dummy" read -r -p "What is your ContactInfo (email/BTC):" MYEMAIL read -r -p "What is your Nickname:" MYNICK while [[ "$OPTTOR" -ne "1" && "$OPTTOR" -ne "2" && "$OPTTOR" -ne "3" ]];do read -r -p "What Type of TOR you want? 1- Bridge 2- Midle/Guard Relay 3- Exit Node # WORKING ON THIS # : " OPTTOR done } torfinish(){ echo "Installation and Configuration of Tor Completed!" && sleep 1 if [[ "$OPTTOR" == "1" ]]; then systemctl restart tor elif [[ "$OPTTOR" == "2" ]]; then systemctl restart tor@default elif [[ "$OPTTOR" == "3" ]]; then systemctl restart tor@default fi sleep 5 && clear mybck echo "BOA!! CONSEGUISTE!!! Já tens um TOR NODE A BOMBARI!!!!!" sleep 2 echo "ENJOY ;) " } [ -d /root/BCK ] || mkdir -p /root/BCK rest torfinish
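Review bot: In myfw the bridge branch (OPTTOR=1) opens 9090 and 9050 but never 9095, which is the port mybridge binds for the pluggable transport via `ServerTransportListenAddr obfs4 0.0.0.0:9095`, while 9050 is the SocksPort that the same torrc disables with `SocksPort 0`; under the `:INPUT DROP` policy the obfs4 listener is therefore unreachable and an unused port is exposed instead. Replace the 9050 rules with 9095 in the ufw, rules.v4 and rules.v6 branches, e.g. `ufw allow 9095/tcp` and `echo "-A INPUT -p tcp --dport 9095 -j ACCEPT" >> /etc/iptables/rules.v4`. The fallback branch of the same function runs `echo "wrong option" && mysec`, and `mysec` is not defined anywhere in the file, so a mistyped answer aborts with command-not-found rather than re-prompting; it presumably should call `myfw`. In getfamkeys the pasted fingerprint is spliced unvalidated into a sed replacement and into torrc, so a guard such as `[[ "$MYKEY" =~ ^[0-9A-Fa-f]{40}$ ]] || { echo "invalid fingerprint"; getfamkeys; return; }` before the `sed -i` would keep a stray `/`, `&` or newline from corrupting the MyFamily line. getinf's `grep "Port " /etc/ssh/sshd_config` also matches a commented `#Port 22` and yields an empty SSHPORT when no Port line exists, which then lands in both the iptables rules and the `ExitPolicy accept *:$SSHPORT` line; anchoring it with `grep -E '^[[:space:]]*Port[[:space:]]'` and defaulting to 22 would be safer.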