/tech/ - Technology

Where proprietary software comes to die

Internet Security Anonymous 01/20/2016 (Wed) 06:48:08 [Preview] No. 597
Post Tips for anonymous web browsing and downloads. Tips on browsers and browser configurations for the security conscious.

Anonymous 01/20/2016 (Wed) 06:51:38 [Preview] No. 598 del
Hey wow, I can post without cookies behind links browser behind tor. This is a great chan. I use links and xlinks chained to tor for browsing, proxychains and youtube-dl for downloading videos from youtube. mpv for playback. On an arch linux distribution. Proxychains is great because after tor exit you can add on more anonymous socks5 proxies to the chain to make your entrance more obscure.

Anonymous 01/20/2016 (Wed) 06:58:16 [Preview] No. 600 del
On arch-linux
su -c 'pacman -S tor torsocks proxychains youtube-dl links'
To chain more proxies edit the file /etc/proxychains.conf and go to the bottom of the file. You can add more socks5 proxies following the same pattern as given for tor.

What are some good fresh proxy sites? Here is one I found from message boards:


does anyone have any other good fresh proxy list sites?

Anonymous 01/20/2016 (Wed) 07:07:40 [Preview] No. 601 del
su -c 'yum install tor torsocks links'

su -c 'apt-get install tor torsocks links links2'

Anonymous 01/20/2016 (Wed) 07:09:09 [Preview] No. 602 del
Other tools:

su -c 'pacman -S wget curl'

Anonymous 01/20/2016 (Wed) 07:13:35 [Preview] No. 603 del
###### Change USER AGENT for youtube-dl

## youtube-dl
$ youtube-dl --dump-user-agent
mkdir -p ~/.config/youtube-dl
echo '--user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"' >> ~/.config/youtube-dl/config
youtube-dl --dump-user-agent

Anonymous 01/20/2016 (Wed) 07:17:24 [Preview] No. 604 del
## Change User agent for wget, curl ##
echo 'user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0' >> ~/.wgetrc
echo 'user-agent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"' >> ~/.curlrc

Anonymous 01/20/2016 (Wed) 07:20:48 [Preview] No. 605 del
Use youtube-dl, curl, wget, pacman behind tor on arch.
su -c 'systemctl start tor'
torify pacman -Syy
torify pacman -Syu

torify wget https://www.website.com/file
torify curl https://www.website.com
torify youtube-dl https://www.youtube.com/watch?v=BlAhBlaH

Anonymous 01/20/2016 (Wed) 07:27:04 [Preview] No. 606 del
To download a list of videos, open a text file (leafpad, gedit etc) and start up links -g, links2 -g or xlinks -g and browse to youtube.com
Right click over the links of videos that you would like to download and select "Copy link location". Press middle mouse button in the editor to drop the link location. Repeat on next line in text file for all videos that you wish to download. Save file as list.txt

Next perform a random sort of the videos:

$ sort -R list.txt >> list.srt

Now queue up to download
$ proxychains youtube-dl --batch-file list.srt
$ torify youtube-dl --batch-file list.srt

when the list has finished downloading watch the videos

$ su -c 'pacman -S mpv'

$ mpv *

or create a playlist

$ ls *.m* >> playlist.txt

randomize playlist
$ sort -R playlist.txt >> playlist.srt

play playlist

$ mpv --playlist=playlist.srt

Anonymous 01/20/2016 (Wed) 07:28:43 [Preview] No. 607 del
Any other good proxy sites?


Anonymous 01/20/2016 (Wed) 07:40:24 [Preview] No. 608 del
########### Links graphical mode ####
$links -g
links2 -g
xlinks -g

Anonymous 01/20/2016 (Wed) 07:51:21 [Preview] No. 609 del
######### Configuring Links for Tor

1) Press ESC
[X] Async DNS lookup
socks4A proxy :
[X] Connect only via proxies or SOCKS

[X] Send fake firefox
[X] Send do not track request
[X] No referer

Fake User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0


Number of formatted documents 5->2
[]Aggressive cache ## uncheck this



Use the s key to bring up bookmarks and save bookmarks, and the g key to enter a url. Now you're ready to use tor. Use your current tor browser to copy over your favorite onion links and save them into your links browser bookmarks manually one by one. Do the same for youtube pages and other Clearnet pages that you frequent.

Anonymous 01/20/2016 (Wed) 11:08:44 [Preview] No. 611 del
##### TOR SETTINGS #############
$ cd /etc/tor
$ su -c 'echo " " >> torrc-defaults'
$ su -c 'nano torrc-defaults'
#### /etc/tor/torrc-defaults
FetchDirInfoEarly 1
sandbox 1
KeepalivePeriod 150
CircuitPriorityHalflife 0
ExcludeSingleHopRelays 1
CircuitIdleTimeout 1000
CircuitBuildTimeout 30
ClientOnly 1
GeoIPExcludeUnknown 1
NewCircuitPeriod 10
MaxCircuitDirtiness 300
EnforceDistinctSubnets 1
StrictNodes 1
UseEntryGuards 1
UseEntryGuardsAsDirGuards 1
FastFirstHopPK 0
AllowSingleHopCircuits 0
Tor2webMode 0

ExcludeNodes {??},{CN},{TW}
EntryNodes {GB}
ExitNodes {RU}

^X and save file

Exclude countries that you feel are sophisticated, and change the country codes for EntryNodes and ExitNodes to match your needs

su -c 'systemctl restart tor'
su -c 'systemctl status tor'

Anonymous 01/20/2016 (Wed) 12:29:06 [Preview] No. 613 del
>using UK entry nodes

>mfw this entire thread is AUR tier mediocre trash

Anonymous 01/20/2016 (Wed) 23:18:13 [Preview] No. 619 del
ExcludeNodes {US},{UK},{GB},{NZ},{CA},{AU},{CN},{TW}
EntryNodes {DE}
ExitNodes {RU}

There, is that better?

Anonymous 01/20/2016 (Wed) 23:26:38 [Preview] No. 620 del
OK so what are your tips?
Any good things to add to torrc-defaults?

Anonymous 01/20/2016 (Wed) 23:29:45 [Preview] No. 621 del

Anonymous 01/21/2016 (Thu) 01:07:03 [Preview] No. 630 del
##### Add proxies to Proxychains ###

$ su -c 'torify pacman -S proxychains'

$ su -c 'nano /etc/proxychains.conf'
page down to the end of file
socks4 9050
socks5 IPv4_address port#

^X and save

add 2 or 3 more socks5 proxies in the chain.
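
One way to sanity-check the file edited in >>630 before trusting the chain, as an added example that is not part of any post in this thread: a small Python linter for /etc/proxychains.conf. It assumes Tor's SOCKS port is on loopback at 9050; the sample file and its 192.0.2.x / 198.51.100.x addresses are constructed.

```python
"""Lint a proxychains.conf for settings that weaken a Tor-first chain.

Added example (not from the thread). SAMPLE_CONF is constructed; 192.0.2.0/24
and 198.51.100.0/24 are documentation ranges, not real proxies.
"""
import ipaddress

SAMPLE_CONF = """\
# constructed sample following the layout of /etc/proxychains.conf
strict_chain
#proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks4  127.0.0.1    9050
socks5  192.0.2.10   1080
socks5  198.51.100.7 1080
"""

CHAIN_MODES = {"strict_chain", "dynamic_chain", "random_chain"}
PROXY_TYPES = {"http", "socks4", "socks5"}


def parse_conf(text):
    """Return (options, proxies); proxies are (type, host, port) in chain order."""
    options, proxies, in_list = set(), [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.lower() == "[proxylist]":
            in_list = True
            continue
        fields = line.split()
        if not in_list:
            options.add(fields[0])
        elif len(fields) >= 3 and fields[0] in PROXY_TYPES and fields[2].isdigit():
            proxies.append((fields[0], fields[1], int(fields[2])))
        else:
            raise ValueError(f"line {lineno}: malformed proxy entry {raw!r}")
    return options, proxies


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # not an IP literal
        return False


def audit(text):
    """Return a list of (code, message) findings; empty means nothing flagged."""
    options, proxies = parse_conf(text)
    findings = []
    if "proxy_dns" not in options:
        findings.append(("dns-leak", "proxy_dns is off: names are resolved by the "
                         "local resolver, outside the chain"))
    modes = options & CHAIN_MODES
    if modes != {"strict_chain"}:
        findings.append(("chain-mode", f"chain mode is {sorted(modes) or 'unset'}: "
                         "only strict_chain guarantees every listed hop, in order"))
    if not proxies:
        findings.append(("empty", "[ProxyList] has no entries"))
        return findings
    kind, host, port = proxies[0]
    if not is_loopback(host):
        findings.append(("first-hop", f"first hop {host}:{port} is not the local Tor "
                         "SOCKS port, so that proxy sees the real source address"))
    elif kind == "socks4":
        findings.append(("socks4", "Tor hop is declared socks4: SOCKS4 requests carry "
                         "only an IPv4 address; declare the Tor port as socks5"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONF):
        print(f"[{code}] {message}")
```
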

Anonymous 01/21/2016 (Thu) 01:13:23 [Preview] No. 632 del
##### Download videos from Youtube ##

$ proxychains youtube-dl --batch-file list.srt
[proxychains] Strict chain ... ... ... www.youtube.com:443 ...OK

Anonymous 01/21/2016 (Thu) 01:30:46 [Preview] No. 637 del
I use a VPN: mullvad

It's nice but now I want to do proxy chains like these anons.

I use youtube-dl, deactivated Javascript and Flash, use the IceCat browser. I use ixquick for searches.

Anonymous 01/21/2016 (Thu) 05:36:42 [Preview] No. 644 del
I just chained behind a tor->socks5 proxy->https proxy -> youtube
$ proxychains youtube-dl https://www.youtube.com/watch?v=video
I'm getting transfer rates of around 100Kb/s , not great but acceptable. Good if it increases anonymity.

Anonymous 01/21/2016 (Thu) 23:34:52 [Preview] No. 646 del
Regular download speeds behind tor vary from 300-600Kb/s. So a slow down to 100 Kb/s isn't that bad. This may or may not increase anonymity, it may actually decrease it. Most traffic will come from an exit node, so coming off of a lone proxy may help to pin down that kind of traffic. Switching front end proxies every couple of downloads might be a good idea.

Anonymous 01/23/2016 (Sat) 06:43:37 [Preview] No. 661 del
tor exit Chained to 2 socks5 proxies in near geography:
[download] 36.8% of 82.19MiB at 259.79KiB/s ETA 03:24

Works pretty good.

Anonymous 01/24/2016 (Sun) 02:54:26 [Preview] No. 672 del
[download] 7.3% of 429.40MiB at 408.52KiB/s ETA 14:23

Anonymous 01/24/2016 (Sun) 03:51:58 [Preview] No. 674 del
Theory: Entry and Exit nodes are monitored. Traffic is encrypted. Not all proxies are monitored. M represents monitoring. M is used for correlation.

Hope: correlation between M1 and M3 is obscured by indirect connection and differential lag between servers. Status: Unknown

Anonymous 01/24/2016 (Sun) 03:57:10 [Preview] No. 675 del
Status: Deanonymization certain.

youtube is prism it is M3
all tor entry and exit nodes are logged by NSA.

Anonymous 01/24/2016 (Sun) 03:59:01 [Preview] No. 676 del
Packet content is encrypted until it hits M3. Even if you use https://www.youtube.com the server will still relay the information about which video you watched. The sequence of video downloads, and the ip of the requesting server.

Anonymous 01/24/2016 (Sun) 04:09:34 [Preview] No. 677 del
Content clusters (what types of videos, which channels, sequence of downloads between channels) can be used to statistically deanonymize the user.

What are some non-prism video services to replace youtube with? Any suggestions?

Anonymous 01/24/2016 (Sun) 05:32:47 [Preview] No. 678 del
change the proxylist from socks4 9050 to socks5 9050

You ->M1-> torEnter->relay->Exit->M2->S1->S2->S3->M3=youtube.com

3 socks 5 proxies reduces the transfer rate to around 80KiB/s

change the outgoing Socks5 proxy every day to a fresh proxy.

Anonymous 01/24/2016 (Sun) 05:39:20 [Preview] No. 679 del
Everything is socks5 until it hits youtube. Even with monitoring at each stage it is encrypted until the request from S3 to M3=youtube.com

The only possible way to deanonymize you at that point is direct access to your computer or statistically through your viewing habits.
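
A toy model of the question posed in >>674 (does lag between hops obscure correlation between M1 and M3?), as an added example that is not part of any post in this thread: it pushes a synthetic bursty download through a fixed delay plus per-packet jitter and cross-correlates what the two observers count. All traffic, bin sizes and parameters are constructed assumptions.

```python
"""Toy model: does a fixed delay plus per-packet jitter hide a flow between
two observers (M1 near the user, M3 at the destination)?

Added example (not from the thread). All traffic is synthetic; one bin stands
for an arbitrary time slice (say 100 ms), and every parameter is an assumption.
"""
import math
import random


def bursty_flow(rng, n_bins, p_switch=0.1):
    """Packets per time bin for an on/off download (bursts average ~10 bins)."""
    on, flow = False, []
    for _ in range(n_bins):
        if rng.random() < p_switch:
            on = not on
        flow.append(rng.randint(40, 60) if on else 0)
    return flow


def through_chain(rng, flow, lag, jitter, cover, max_lag):
    """What the far-side observer counts: every packet arrives `lag` bins later
    plus 0..jitter extra bins, mixed with 0..cover unrelated packets per bin."""
    if lag + jitter > max_lag:
        raise ValueError("lag + jitter must fit inside max_lag")
    seen = [0] * (len(flow) + max_lag)
    for t, packets in enumerate(flow):
        for _ in range(packets):
            seen[t + lag + rng.randint(0, jitter)] += 1
    return [v + rng.randint(0, cover) for v in seen]


def pearson(a, b):
    """Pearson correlation coefficient of two equal-length series."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0


def best_lag(near, far, max_lag):
    """Slide the far-side series against the near-side one; return (lag, r)."""
    n = len(near)
    scores = [pearson(near, far[k:k + n]) for k in range(max_lag + 1)]
    k = max(range(len(scores)), key=scores.__getitem__)
    return k, scores[k]


def demo(seed=2016, n_bins=2000, lag=12, jitter=3, cover=20, max_lag=40):
    """Compare the user's own flow with (a) the same flow after the chain and
    (b) an unrelated flow that went through an identical chain."""
    rng = random.Random(seed)
    mine = bursty_flow(rng, n_bins)
    same = through_chain(rng, mine, lag, jitter, cover, max_lag)
    other = through_chain(rng, bursty_flow(rng, n_bins), lag, jitter, cover, max_lag)
    return best_lag(mine, same, max_lag), best_lag(mine, other, max_lag)


if __name__ == "__main__":
    (k, r), (k_other, r_other) = demo()
    print(f"same flow:      peak r={r:.2f} at lag {k} bins")
    print(f"unrelated flow: peak r={r_other:.2f} at lag {k_other} bins")
```

In this model a larger fixed lag only moves the peak; the peak flattens only as jitter approaches the length of the bursts themselves.
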

Anonymous 01/25/2016 (Mon) 08:54:47 [Preview] No. 722 del
Are the parabola servers down?
I can't seem to update or see the wiki?

$proxychains pacman -Syy
$proxychains pacman -Syu
$torify pacman -Syy
$torify pacman -Syu

Posting from Gentoo Linux ->Links->Tor

Anonymous 01/25/2016 (Mon) 08:58:41 [Preview] No. 723 del
Another tip for parabola:
The keyserver seems to go down all the time which can mess up your packages if the keys are updated.
So this will fail often:
$ su -c 'pacman-key --refresh-keys'
$ su -c 'pacman-key --populate'
To fix this do this
$ su -c 'pacman-key --refresh-keys --keyserver=http://pgp.mit.edu'

something like that and it will change the key server away from the flakey one that ships with parabola.

$ pacman-key --help

Anonymous 01/25/2016 (Mon) 12:26:54 [Preview] No. 741 del
Oh shit OP, you're right, wiki.parabola.nu is down, and it's taking forever to refresh my keys. You're also that same guy from 8ch where many shills and trolls thought you were schizo. My God, the end is nigh. They're onto Parabola, but probably Archlinux as well. Ever since that new backdoor was found, those fuckers were taking forever to put up the patch. parabola.nu was using Gandi as their webhost but idk what happened. Just hope this is a temporary fuckup.

BTW, if you were curious as to how I use my firejail (you know who I am), I run firejail --noroot --seccomp --protocol=unix,inet,inet6 icecat

It could be more restricted but I decided not to blacklist certain directories since it's still going to be inside the sandbox anyways.

Anonymous 01/25/2016 (Mon) 12:38:19 [Preview] No. 742 del
Parabola GNU/Linux-libre news
Gandi sponsors Parabola's domain name
Fri, 08 Jan 2016 04:43:50

We want to thank Gandi for sponsoring Parabola GNU/Linux-libre by renewing our domain name parabola.nu for 1 year and offering to renew it for the years to come.
Gandi is the "no bullshit(tm)" domain name registrar which helps alternative and libre projects like Parabola through their support program.
We should also mention that this sponsorship came through Fundația Ceata help in its efforts to make Parabola sustainable to its hackers.
Many thanks to Gandi and Gandi's team, and also to our previous domain donors! (you know who you are :)

Anonymous 01/25/2016 (Mon) 12:54:38 [Preview] No. 745 del
A bit off topic but if any of you guys know how to configure pacman2pacman, that'll be great.

Anonymous 01/25/2016 (Mon) 18:17:05 [Preview] No. 755 del
Since firejail does not have an icecat profile thing, you need to copy the firefox one and name it icecat.profile, then preferably place it in ~/.config/firejail/

# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
protocol unix,inet,inet6
whitelist ~/.mozilla
whitelist ~/Downloads
whitelist ~/dwhelper
whitelist ~/.gtkrc-2.0

# common
whitelist ~/.fonts
whitelist ~/.fonts.d
whitelist ~/.fontconfig
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d

Anonymous 01/25/2016 (Mon) 18:19:22 [Preview] No. 756 del
One could place it in /etc/firejail/ instead, I just prefer to keep it vanilla.

Anonymous 01/25/2016 (Mon) 18:27:50 [Preview] No. 759 del
oh shit wait don't listen to >>756
firejail reads the user config profile over the default profile provided in /etc/firejail/ so if you want to customize it, you should do it in ~/.config/firejail/ but if you just make firejail run icecat, the icecat.profile in /etc/firejail/ would redirect to firefox.profile in /etc/firejail/ and that has its own config file which looks like this:

# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
protocol unix,inet,inet6
whitelist ~/.mozilla
whitelist ~/Downloads
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.lastpass
whitelist ~/.gtkrc-2.0
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl

# common
whitelist ~/.fonts
whitelist ~/.fonts.d
whitelist ~/.fontconfig
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d

As you might have noticed, I changed it up to suit my needs as seen in >>755

Again, you can edit the profiles in /etc/firejail/ directly but I just keep it as it is as a reference while putting icecat.profile in ~/.config/firejail/

Anonymous 01/25/2016 (Mon) 18:33:33 [Preview] No. 760 del
You can make aliases in your .bashrc to make your life easier by not typing it all in. Add a line like this:

alias icejail='firejail --noroot --seccomp --protocol=unix,inet,inet6 icecat'

would then make bash run that command when you make it run "icejail" or whatever you name the alias.

Anonymous 01/25/2016 (Mon) 18:47:52 [Preview] No. 764 del
I did the normal pacman-key refresh thing without using the mit server, just the default in Parabola and it just worked. I have no system updates but I can install anything I want to so I assume some of the parabola mirror servers are working. I think you might consider enabling all of the parabola mirror servers though you are quite conscious about avoiding certain countries and such.

Anonymous 01/25/2016 (Mon) 18:49:11 [Preview] No. 765 del

# Parabola GNU/Linux-libre - Last Updated: Sun Nov 1 19:59:22 GMT 2015

# Location: Bucharest, Romania
# Responsible: 4096R/8E9AC62779085582 Daniel Petre <daniel.petre@rcs-rds.ro>
# Company: RCS&RDS - http://www.rcs-rds.ro/
# Work hours: 24*7
Server = http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch

# Location: Flevoland, Netherlands
# Responsible: 4096R/C3F4FFCF3EAE8697 Luke R. <g4jc@openmailbox.org>
# Work hours: 24*7
# HTTPS cert SHA1 09:2D:8E:88:B5:96:ED:63:F4:35:F3:5E:10:95:CF:A0:C0:9C:E4:56
Server = https://parabola.goodgnus.com.ar/$repo/os/$arch

# Location: St Petersburg, Russia Federation
# Responsible: 4096R/953311F67B9EAA23 Michael Wolf <m@mw.gg>
# Work hours: 24*7
# HTTPS cert SHA1 FF:86:EB:70:14:41:6A:FA:D1:2C:3B:A7:51:FA:0D:71:60:BC:9B:DE
Server = https://dgix.ru/mirrors/parabola/$repo/os/$arch

# Location: Moscow, Russian Federation
# Responsible: Yandex <opensource@yandex-team.ru>
# Work hours: 24*7
Server = http://mirror.yandex.ru/mirrors/parabola/$repo/os/$arch

# Location: Charlotte, NC, USA
# Responsible: 2048R/44BC7D7F49B9A5A4 alfplayer <alfplayer@mailoo.org>
# Work hours: 24*7
Server = http://alfplayer.com/parabola/$repo/os/$arch

# Location: Guadalajara, Mexico
# Responsible: 4096R/33466E12EC7BA943 Isaac David <isacdaavid@isacdaavid.info>
# Work hours: 24*7
Server = http://parabola.isacdaavid.info:8081/$repo/os/$arch

# Location: London, UK
# Responsible: Parabola Project
Server = http://repo.parabola.nu/$repo/os/$arch

# Location: Milan, Italy
# Responsible: 4096R/177A2DB9EA08BF5D Andrey Korobkov <korobkov@fryxell.info>
# Work hours: 24*7
# HTTPS cert SHA1 24:F2:51:EB:3C:93:AF:FC:87:6C:42:F2:85:51:9E:11:70:3C:3E:8D
# Sync source: 15,45 * * * * (UTC) via rsync://mirrors.linux.ro/parabolagnulinux/
Server = https://b.mirrors.fryxell.info/parabolagnulinux/$repo/os/$arch

Anonymous 01/25/2016 (Mon) 19:37:47 [Preview] No. 773 del
Yeah it's working. I had some of the mirrors commented out. I don't trust the netherlands mirror.

Anonymous 01/25/2016 (Mon) 19:49:30 [Preview] No. 774 del
Moscow Mirror = UP
St. Petersburg = Down
London (tier 0) = Down
Italy = Down
Bucharest = Down
Netherlands = UP
USA = Down

Anonymous 01/25/2016 (Mon) 20:04:32 [Preview] No. 775 del
Mexico = Down / too slow

Anonymous 01/25/2016 (Mon) 20:32:19 [Preview] No. 776 del
icejail is now working thanks for that. I'll run icecat that way from now on. Good tip.

Anonymous 01/25/2016 (Mon) 23:24:50 [Preview] No. 781 del
Goddamn Parabola, it really needs to get its shit together for real.

Anonymous 01/25/2016 (Mon) 23:39:47 [Preview] No. 783 del
Seems like shit's back online


^OP should look into this

Anonymous 01/29/2016 (Fri) 03:44:44 [Preview] No. 891 del
I am new and I find this thread very hard to understand. It is mostly the way information is being posted.

Anonymous 01/29/2016 (Fri) 06:52:50 [Preview] No. 924 del
I'm sorry, but why do you need proxychains if you already have torsocks?
And why when I type "proxychains" on searx I just get skiddies on Kali linux?

You can do a transparent proxy and force all traffic without a wrapper, too:

Some other configurations for torrc:

AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit, .onion
TransPort 9040
DNSPort 53
MaxCircuitDirtiness 30
DisableAllSwap 1
Sandbox 1
SafeSocks 1
StrictNodes 1
ExcludeNodes {??},{US},{UK},{GB},{CN},{RU},{AF},{CO},{CU},{CZ},{IL},{IQ},{IR},{SA},{SY},{UA},{VE}

Anonymous 01/30/2016 (Sat) 00:40:53 [Preview] No. 947 del
Damn it OP, I know that you're honest and all, but please upload a .txt of your iptables configuration or something.

Anonymous 01/30/2016 (Sat) 00:46:52 [Preview] No. 948 del
Random reminder that about:about is a thing.

Anonymous 01/30/2016 (Sat) 03:05:49 [Preview] No. 952 del
yea that would be helpful for a dumbass like me.

Anonymous 01/30/2016 (Sat) 04:21:40 [Preview] No. 954 del
Try out the "decentraleyes" addon, OP.

Anonymous 01/30/2016 (Sat) 04:30:14 [Preview] No. 956 del
try something like https://cocaine.ninja/

Anonymous 01/30/2016 (Sat) 04:44:28 [Preview] No. 957 del
Maybe the problem is this board.

By the way, are you so paranoid that you avoid using the clipboard to copy paste things?

Anonymous 01/30/2016 (Sat) 05:37:55 [Preview] No. 960 del

idk how this shit works but I assume that it will update itself whenever it feels like updating.

Anonymous 01/30/2016 (Sat) 07:24:55 [Preview] No. 965 del
I currently can't test it because I would have to change from having a random mac address to a specified one. I'll do it when I have the time. I'm not sure as to how useful it is for me as I'm using Knock. https://wiki.parabola.nu/Knock

Anonymous 01/30/2016 (Sat) 19:22:26 [Preview] No. 988 del
>404 not found
I hope this is temporary as being a part of the guys behind https://cocaine.ninja transferring their data to another server...unless OP had set up an auto delete time limit on it.

Anonymous 01/31/2016 (Sun) 01:52:32 [Preview] No. 1000 del
Clones: Pomf.io, Pomf.pl, Pomf.hummingbird.moe, Maxfile.ro, 1339.cf, Mixtape.moe, Pomf.cat, Pantsu.cat, Bucket.pw, Madokami.com, etc.

Anonymous 01/31/2016 (Sun) 02:13:03 [Preview] No. 1002 del
You mean in 8chan or in this thread?

So...yeah, you're welcome but I'm learning things from you as well. I'm a bit hesitant to use Voidlinux because of the lack of packages that I want it to have and I've tried setting up OpenBSD but I had given up using it within 3 hours or so. I've installed FreeBSD with some help from someone but in the end, it was being installed on a really shitty netbook which I didn't have the patience to deal with compiling ports. For the time being, I feel more at home with Parabola as if I regained some of my innocence in the good ol' Win XP days, just with less backdoors and more control (than Win XP). Hell, being in endchan is the very spirit of seeking a new home. Shit keeps happening you know, but we keep on going.

Anonymous 01/31/2016 (Sun) 02:59:15 [Preview] No. 1004 del
BTW, FreeBSD devs are fine with Systemd so if you're anti Systemd, forget about FreeBSD because one day, Systemd might not only be ported to work on FreeBSD, but also have it installed by default.

Anonymous 01/31/2016 (Sun) 03:11:01 [Preview] No. 1006 del
...or not, this is just rumors I've heard so go ahead and try FreeBSD but in terms of security, OpenBSD is preferred.

Anonymous 01/31/2016 (Sun) 03:44:44 [Preview] No. 1009 del
Though this is a FreeBSD link, it applies to the general *BSD community and how they think.

Anonymous 01/31/2016 (Sun) 03:55:33 [Preview] No. 1010 del

Anonymous 01/31/2016 (Sun) 04:24:23 [Preview] No. 1013 del
and I'll stop with this link

Anonymous 01/31/2016 (Sun) 04:49:34 [Preview] No. 1014 del
Why not use syslinux?

Anonymous 01/31/2016 (Sun) 09:07:40 [Preview] No. 1031 del
You can do it in less than 1 minute:

- Find your installation HD, like:

# disklabel wd0


# fdisk -i wd0
# disklabel -E wd0
> a b
[....] 1g
[****] swap [just hit enter]

> a a
[...] RAID [write RAID]


# bioctl -c C -l /dev/wd0a softraid0

disk mounted on sd4a

Done. When the ./install asks you about "where is root disk" you say "sd4a" and that's it.

Anonymous 01/31/2016 (Sun) 09:21:32 [Preview] No. 1032 del

Alternate DNS settings for your devices. I recommend offshore DNS servers

Anonymous 01/31/2016 (Sun) 21:01:39 [Preview] No. 1040 del
I just realized that whenever I disconnect and reconnect, my host ip changes which I have to edit endwall.sh every time to work for the new address. I should just pick a random mac address to be set permanently instead of having a random mac every time to prevent this, but if I were to do that, I should just use the regular script. Other than that, this works with my setup. When it comes to writing scripts, I'm worse than a script kiddie since grammar and language in general is my weakness. Maybe I should start somewhere by learning how to use kali linux and pentest my other computers within my own network for educational purposes, but then again, this is my secondary hobby which I'm somewhat fine being a typical user.

Anonymous 01/31/2016 (Sun) 21:22:27 [Preview] No. 1041 del
Unless you pay to be on ICANN network, I don't think that hosting a server with unbound is enough to be a root server. It will just cache your requests and prevent dns poisoning.

Since basically all the things in this thread use Tor, the best would be to use TorDNS. Just use the tips in >>924

Anonymous 01/31/2016 (Sun) 22:27:42 [Preview] No. 1043 del
Thank you again OP, you're a good man.

I'm not sure if TorDNS and dnscrypt-proxy can work together but then again, I haven't looked all that into it. Since I can't mess with my ISP's router but only edit the configs, I've set it up to use and some other dns server. According to https://dns.d0wn.biz/ that dns server is a DNS(Crypt) randomizer. It randomizes your DNS queries through 25 servers with a roundrobin feature. So every new query got a new server. This randomizer is also reachable with and without DNSCrypt. Since it's an OpenNIC dns server, I can go on .chan websites like say onii.chan or 314.chan. Well anyways, I then use TorDNS on my computer so it goes through d0wn's dns servers first. I don't use the ISP's DNS servers but of course they would be able to see what shit goes through and I should really get a VPS or perhaps a shitty proxy so that my setup can be libreboot > LUKS encryption > parabola grsec > VPN/VPS > probably unnecessary firejail > qemu > whonix vm > Tor > firejail > Tor browser > sigaintevyh2rzvw.onion

Anonymous 02/01/2016 (Mon) 01:19:33 [Preview] No. 1057 del
I don't host my own website, just using this to shitpost with protection.

Anonymous 02/01/2016 (Mon) 01:41:24 [Preview] No. 1061 del
By the way, knockd and knock are completely separate things. Knock is implemented in the kernel while knockd isn't. The concept of Port Knocking is implemented through various means.

Here's a good definition of Port Knocking: http://www.portknocking.org/view/about/features
Here's an example of SSH Port Knocking: https://n0where.net/ssh-port-knocking/

Anonymous 02/01/2016 (Mon) 01:44:18 [Preview] No. 1062 del
Your setup is a mess.
Less software == less attack surface.

Also, emulation and virtualization do nothing to protect you, unless you use another architecture that supports virtualization in-hardware, like sparc, sparc64 and power. The virtualization on x86 ISA is done by microcode, full of bugs and (probably) backdoors from security agencies.

The best would be libreboot > openbsd softraid_crypto > openiked > Tor

just it.

Anonymous 02/01/2016 (Mon) 01:44:39 [Preview] No. 1063 del

I don't really like the Wikipedia article about port knocking, but knock yourself out if you like.

Anonymous 02/01/2016 (Mon) 01:45:44 [Preview] No. 1064 del
lol literally wrong thread m8

Anonymous 02/01/2016 (Mon) 02:36:14 [Preview] No. 1072 del
Not wrong thread, I just hit the wrong buttons: the comment >>1062 is meant for >>1043

Anonymous 02/01/2016 (Mon) 03:28:19 [Preview] No. 1074 del
I can technically do Libreboot > LUKS encryption > VPN > Tor so ditching qemu and firejail (seccomp sandbox) but you're a minimalist like all *BSDfags strive to do less for more with reliable clean coding. Also, it's partially a joke to put sandboxes in sandboxes although that's basically what QubesOS does which would be "ideal" for someone focused on stacking sandboxes and virtualization. However, if one has a reliable VPS, then most of the setup is not connected physically to your computer but in some offshore server (ideally) to avoid jurisdictional crap which is in some ways better but in some ways not so good.

Anonymous 02/01/2016 (Mon) 03:35:55 [Preview] No. 1075 del
My actual chain is Libreboot > LUKS serpent 512 LVM > Parabola GNU/Linux-libre-grsec-knock > systemd-knock > zsh > xorg > tor > firejail > icecat > example.com

zsh is not "better" than bash, but I like its tab completion over bash's tab completion. I should use wayland, but I need to find ways to make it not look ugly for me to being comfortable using it full time.

Anonymous 02/01/2016 (Mon) 03:43:29 [Preview] No. 1076 del

I think one way to describe this is that those who try to look up the ports won't find any without proper authentication, and that it is pretty much set up by default without changing up iptables. I might be wrong in this but that is what I childishly assumed.

Anonymous 02/01/2016 (Mon) 04:23:32 [Preview] No. 1081 del
Forgot to mention that I'm using amd64/x86_64/x64 or whatever. If you've read my screenfetch info in one of my screenshots, you would already know what CPU I'm using. x86 is not trustworthy, I know, I've also seen that 8chan thread but even before then I knew that x86 is too old and popular to not be audited by now in the hardware level, not the same as the hard coded embedded OS in all these multi core and vPro shit. Hell, CRT TVs have the V-chip so don't expect it to work in the future, although they don't have an one way hidden camera and speaker inside the TV like what all potential LCD Smart TV monitor listening in, but even having a CRT monitor isn't good for you because of the flicker rates. People with eye problems should find a tested flicker free LCD monitor to save their eyes, but there's no guarantee of it not being bugged. A bit off topic, but man, there's many things to look out for concerning consumerism stuff.

Anonymous 02/01/2016 (Mon) 04:28:15 [Preview] No. 1082 del
>which repo is it in

Anonymous 02/01/2016 (Mon) 04:41:13 [Preview] No. 1084 del
I use those Cree lightbulbs. I can't trust shitty General Electric that purposely overcharge you for something inherently cheap, although Cree is somewhat also expensive compared to what it should be. I don't recommend people buying Cree at all, especially if their motives are to save money. They're better off installing solar panels or that Tesla home battery thing inside the home. 4chan's /diy/ is fairly okay with such things though I assume that there's better places and forums to get such "off the grid" stuff.

Anonymous 02/01/2016 (Mon) 04:51:57 [Preview] No. 1085 del
Try to find a LED light bulb that's like around 5W or lower but works for 40W or 60W light sockets or something that's still bright enough for that room. Switching from incandescent to LED is worthwhile but switching from CFL to LED is not really worth while, especially if the LED lightbulb uses 10W or something.

Anonymous 02/01/2016 (Mon) 05:25:45 [Preview] No. 1088 del

Anonymous 02/01/2016 (Mon) 07:20:33 [Preview] No. 1092 del
somewhat related: >>>/pol/4836

Anonymous 02/01/2016 (Mon) 20:46:42 [Preview] No. 1102 del
besides installing systemd-knock and openssh-knock, I don't know of any configuration that needs to be done, nor can I find any proper documentation concerning this besides configuration during the setup to patch it to the kernel manually which is different from using an already patched kernel. I'm stumped concerning this, it's better to ask the Parabola devs themselves in IRC.

Anonymous 02/01/2016 (Mon) 21:31:58 [Preview] No. 1103 del
openssh -z does that TCP stealth thing but I don't know how to setup systemd to do that for programs. I think one way of testing out if you can see any ports on your computer is to use nmap on another computer to do a port scan on your computer with knock installed. In theory, none of those ports should be open nor found by the port scan.

Anonymous 02/01/2016 (Mon) 21:47:00 [Preview] No. 1104 del
Of course to test knock is to use an empty iptables ruleset

Anonymous 02/01/2016 (Mon) 22:32:23 [Preview] No. 1106 del
Use macchiato instead of macchanger:

Anonymous 02/01/2016 (Mon) 22:48:59 [Preview] No. 1108 del
I should use this but I'm such a lazy fuck when it comes to compiling shit from git. Too bad it's not in Parabola's repos. I don't know how it's better than say macchanger -A though.

Anonymous 02/03/2016 (Wed) 07:38:44 [Preview] No. 1153 del
Random reminder that RMS does not even bother installing Gentoo, other people install GNU/Linux for him. See

I think RMS cares more about philosophical freedoms more than computer security.

Anonymous 02/03/2016 (Wed) 08:54:29 [Preview] No. 1162 del
OP: Play the X-Files theme....
delete are you kidding me.
The irony...

On another note, I just finished compiling Weston on Gentoo. I had to work around a bug. You have to read log files and find out what tools are missing and then recompile them every time there is a compile time error...getting closer.

Anonymous 02/03/2016 (Wed) 08:56:20 [Preview] No. 1164 del
Good thing you linked this early on.

Anonymous 02/03/2016 (Wed) 09:34:38 [Preview] No. 1165 del
Did you delete your posts or is that the board owner's fault for being spooked by

BTW, that hasn't been updated much so you don't see any of the pomf.is links

Anonymous 02/03/2016 (Wed) 09:49:42 [Preview] No. 1166 del
OP: It was the board administrator. I'll redo some of the content later. The last thing I posted was about avoiding pacman errors in proxychains:

#proxychains pacman -Syy
#proxychains pacman -Syuw
#pacman -Su

-w downloads the packages only and then upgrade offline.

Anonymous 02/03/2016 (Wed) 09:55:49 [Preview] No. 1168 del
(668.38 KB 1366x768 free magick.png)
Eh, I know what happened now. As you can see, I don't use the hidden service for this website.

Anonymous 02/03/2016 (Wed) 10:09:16 [Preview] No. 1169 del

Anonymous 02/03/2016 (Wed) 10:11:49 [Preview] No. 1170 del

Anonymous 02/03/2016 (Wed) 10:49:32 [Preview] No. 1171 del
My firewall script was stitched together from 4 other firewall scripts that I've read on the internet + my novel observation about not opening all the ports on localhost, along with a reference implementation of specific port opening on localhost.
That being said https://pomf.io is down. *Cue X-Files theme.*

Anonymous 02/03/2016 (Wed) 10:54:18 [Preview] No. 1172 del
startx works on gentoo but It freezes and the mouse and keyboard don't work. No input. Gentoo is a pain, nothing works and you have to manually configure everything. Hobby box. Also internet is not working when I boot it from reboot using the parabola kernel. the Gentoo kernel doesn't like grub 1 and can't see the crypto mount...I have to install another boot loader. I'll try grub2 and then syslinux if that fails. I'm starting to see why everyone is on binary distributions. You need an expert with patience to set up the guts of the OS.

Anonymous 02/03/2016 (Wed) 11:28:45 [Preview] No. 1173 del
OP: in links out of GUI on bash behind tor.

DistroHop Roadmap for those new to linux:
Debian->ArchBang/Antergos/Manjaro->Arch Linux -> Parabola Linux-Libre -> Gentoo -> LFS (Linux From Scratch).

You'll spend a lot of time just installing programs and using them, then become more dependent on the command line, learn how to shell script, and then set up the following servers (DNS Unbound, smtp Postfix, http nginx or httpd (apache)). Once you can do that and edit configuration files. The move to ArchBang or Antergos will give you a chance to learn arch and its package manager. Then after living with that, you'll want to do it from scratch with Arch, and then once you can do that, might as well make it libre/free and go with Parabola. That's sort of the path I took, only I went more like this

Solaris 7 -> RHEL -> Debian ->Fedora ->Cygwin -> Fedora -> CentOS -> Debian -> ArchBang -> Arch -> Parabola -> Gentoo
My transition to Gentoo is still in progress but I'm making some headway.

Also at the Parabola level of knowledge you should want to try out OpenBSD and FreeBSD, *BSD. OpenBSD and Gentoo are my hobby projects. I need to translate my iptables firewall into PF before I can put OpenBSD onto the internet.

Anonymous 02/03/2016 (Wed) 11:30:30 [Preview] No. 1174 del
Dovecot for imap pop3 access to your server.

Anonymous 02/03/2016 (Wed) 19:36:38 [Preview] No. 1182 del
I put these:

In the hosts file list for uMatrix.

One could use something like this: https://github.com/StevenBlack/hosts to update their hosts file, but I hope you guys know what you're doing by all this.

Anonymous 02/04/2016 (Thu) 02:27:48 [Preview] No. 1190 del
#Testing proxies with proxychains:

$ proxychains curl www.google.com

Anonymous 02/04/2016 (Thu) 04:43:11 [Preview] No. 1204 del
#### Command Line GeoIP lookup

download the *.dat files from here:

$ mkdir geoip
$ cd geoip
$ proxychains wget http://geolite.maxmind.com/.../GeoIP.dat.gz , GeoLiteCity.dat.gz, GeoIPASNum.dat.gz

unpack these gzip files
$ gunzip *.gz

Download pygeoip and geoip python modules:
# torify pacman -S python geoip python-geoip python-pygeoip

make a python script using these python modules:
$ nano iplookup.py
#! /usr/bin/python

import sys
import os
import GeoIP
import pygeoip


for arg in sys.argv[1:]:


^X (save and exit nano)
### Call script on an ip address

$ ./iplookup.py

Anonymous 02/04/2016 (Thu) 04:53:13 [Preview] No. 1206 del
OP: Post back if the script works or not.

Anonymous 02/04/2016 (Thu) 05:27:06 [Preview] No. 1207 del
(112.18 KB 960x960 yes.jpg)
106 no mac works.

Anonymous 02/04/2016 (Thu) 05:39:18 [Preview] No. 1208 del
iplookup.py v1.01

Anonymous 02/04/2016 (Thu) 06:00:35 [Preview] No. 1209 del
iplookup.py version 1.02

Anonymous 02/04/2016 (Thu) 06:01:32 [Preview] No. 1210 del
wrong address typo:


Anonymous 02/04/2016 (Thu) 06:07:16 [Preview] No. 1211 del
iplookup.py v1.03

Anonymous 02/04/2016 (Thu) 06:17:33 [Preview] No. 1212 del
>same link
>different versions

Anonymous 02/04/2016 (Thu) 06:19:00 [Preview] No. 1213 del
OP: wrong link
iplookup.py v1.03

Anonymous 02/04/2016 (Thu) 06:47:52 [Preview] No. 1216 del
iplookup v1.04

Anonymous 02/04/2016 (Thu) 06:52:27 [Preview] No. 1217 del
OP HERE: Post back if you get iplookup.py v1.04 working. Thanks

Anonymous 02/04/2016 (Thu) 08:45:49 [Preview] No. 1222 del
Repost on 1339.cf

I've commented out all the servers except for DNS. Add new localhost ports,clients servers as per the format presented (cut and paste and change the port numbers).

Anonymous 02/04/2016 (Thu) 21:52:47 [Preview] No. 1233 del
OP: in the instructions for iplookup.py I forgot to add
$ chmod u+wrx iplookup.py
$ ./iplookup.py

hope that helps.

Anonymous 02/05/2016 (Fri) 05:04:37 [Preview] No. 1240 del
endwall version 1.07

New Features: Pulls in interface, mac address and ip address from $ ip link and $ ip addr using grep and gawk.

Test if this works with your arch/parabola setup and post back whether or not you can get back onto the internet/tor.
You still need to set the mac address and ip addresses of your gateway and clients.

Anonymous 02/05/2016 (Fri) 06:13:23 [Preview] No. 1250 del
endwall.sh version 1.08

This version runs macchanger -A on both interfaces before running the script, still requires the static input for the gateway and 2 clients. I will look at automating the gateway next.

Test this out and post back here if it works. Thanks. If it works spread it onto 8chan and 4chan and elsewhere. Also make a version for Debian and spread that too.

Anonymous 02/05/2016 (Fri) 08:23:40 [Preview] No. 1257 del

Anonymous 02/05/2016 (Fri) 22:27:31 [Preview] No. 1284 del
This works

Anonymous 02/06/2016 (Sat) 00:30:26 [Preview] No. 1289 del
Weird, I keep getting kicked out and having to use the script again every now and then. I have commented out the macchanger lines and I think I won't have any trouble again. Maybe I need to disable wicd to use macchanger -A in preconnect...

Anonymous 02/06/2016 (Sat) 00:31:46 [Preview] No. 1290 del
*disable the preconnect script for wicd that uses macchanger -A before it connects to the network

Anonymous 02/06/2016 (Sat) 06:12:51 [Preview] No. 1296 del
endwall version 1.09

Changes: Automated gateway ip and mac address population.
Requires you to change the mac address and ip address of the clients for security. If no clients comment out the lines and comment out the lines in internal servers.

Test if this works on your arch/parabola setup and post back results.

Anonymous 02/06/2016 (Sat) 06:50:00 [Preview] No. 1298 del
endwall version 1.10

Fixed some of the documentation in the header. Turned off macchanger and clients by default.

This script works only with wired devices through a gateway. It can be modified for wireless devices, and I have personally done this with my laptop. I'll release a wifi laptop version later when I have time. Test and post results.

Anonymous 02/06/2016 (Sat) 08:14:04 [Preview] No. 1299 del
Wouldn't it be better to just create a github repo?

Anonymous 02/06/2016 (Sat) 08:31:43 [Preview] No. 1300 del
You're probably right, I'll do that later. I've never done that before (setup a github repo) but thanks for the tip. I'm done working on this for the week, I've got other work to do now. Hope this script helps. It works use it.

Place additional linux/unix security and internet security, web browsing, and downloading tips below. Thanks for all of your help.

Anonymous 02/06/2016 (Sat) 08:41:46 [Preview] No. 1301 del
Github is okay, just be careful around SJWs or use another git website like https://git.pantsu.cat or https://about.gitlab.com/ or host your own at your own risk.

Anonymous 02/06/2016 (Sat) 08:51:17 [Preview] No. 1302 del
Random tip: use disposable emails to make shitty accounts, but of course, buying things with disposable emails is stupid.

https://10minutemail.net/ < This one tends to bypass some disposable email filters better than the rest.

https://www.fakenamegenerator.com/ < If you need to fake some info during account creation with your disposable email, here's some inspiration.

Anonymous 02/06/2016 (Sat) 09:00:56 [Preview] No. 1303 del
Just ran the script, shit works without editing it. Thanks bunches, OP.

Anonymous 02/06/2016 (Sat) 13:25:31 [Preview] No. 1308 del
Well, if you're going to host yourself, I would suggest darcs:

Anonymous 02/07/2016 (Sun) 22:14:10 [Preview] No. 1373 del
To get the script to run on debian you have to change the last line in the save section at the end of the script to this:

iptables-save > /etc/iptables/rules.v4
iptables-save > /etc/iptables/rules.v6

Anonymous 02/07/2016 (Sun) 22:14:54 [Preview] No. 1374 del
ip6tables-save > /etc/iptables/rules.v6

Anonymous 02/07/2016 (Sun) 23:35:32 [Preview] No. 1376 del
yet another public proxy list https://incloak.com/proxy-list/

What do you guys think of the foxyproxy addon for firefox based web browsers? Is it unreliable or a security risk than say using proxychains instead?

Anonymous 02/08/2016 (Mon) 00:18:59 [Preview] No. 1377 del
endwall.sh version 1.11 arch linux

endwall.sh version 1.11 debian

Report any problems here.

Anonymous 02/08/2016 (Mon) 02:16:33 [Preview] No. 1380 del
(25.52 KB 214x255 loser.swf.gif)
I've got a problem.

After I unlock LVM, login as user which I set it up to automatically boot xorg and openbox, I then have to manually turn tor on for some gay reason I don't know and after that I cd into the endwall directory and run that script and then I run firejail to run icecat. I have to run that endwall script every single time I turn on my crap but because lol TorDNS, I don't think that it works from boot because Tor doesn't run on boot. It hurts to live.

Anonymous 02/08/2016 (Mon) 04:10:44 [Preview] No. 1385 del
OP HERE: I think you can auto start tor as follows:

$ su
# systemctl enable tor
# systemctl enable tor.service
# systemctl start tor
# systemctl status tor
# reboot

Anonymous 02/08/2016 (Mon) 04:13:29 [Preview] No. 1386 del
OP: You should be able to put the script into an rc.d or cron.d for it to auto run on boot. If someone knows how to do this post below.

Anonymous 02/08/2016 (Mon) 04:16:48 [Preview] No. 1387 del
try putting the call to the script into ~/.bashrc . I haven't tried this but it might work.

Anonymous 02/08/2016 (Mon) 07:24:28 [Preview] No. 1389 del
I tried to do that before and it didn't work but now it does oddly enough. I either have shit luck or my own enemy. Now all I need to do is to automate endwall.sh somehow...

Anonymous 02/08/2016 (Mon) 09:11:29 [Preview] No. 1391 del

Anonymous 02/08/2016 (Mon) 13:08:35 [Preview] No. 1396 del
Is proxyfying your package manager safe?

Anonymous 02/08/2016 (Mon) 13:39:36 [Preview] No. 1397 del
idk, though mitm attacks and honeypots are not something to be brushed away with, they do exist. Some proxies log, some don't. Some are encrypted, some are transparent, some are simply not that great but still work. Some work with Tor, some can be stacked when done right. Do some more research, but assuming that you have a good VPN (not recommending anything here), it's no different from using your computer in another country, just you don't have to physically be in said different country. Of course jurisdiction also comes into play. I know nothing, this is just my opinion.

Anonymous 02/08/2016 (Mon) 20:00:42 [Preview] No. 1409 del
I'm not entirely sure.
Is this safe?
You->Package Repo out in the open?
Is this safe?
You->Torify->exitnode-> Package Repo
given that all exit nodes are monitored?

Theory: Bad actors monitoring tor consider tor users suspicious may intercept package traffic using man in middle, or control the repository and set a rule that:
if (connect from tor) then (feed poison packages).
if (ip in bad list) then (feed poison packages)

Why enter from proxy after tor? Pick high anonymous proxy (socks5) 3 in a row.


Hope: Repo or Government does not flag proxy as suspicious. Avoid rules against you and rules against tor network.

Status: Unknown

Anonymous 02/08/2016 (Mon) 21:42:54 [Preview] No. 1410 del
Just put on crontab.
Like, put your script in your home, say: ~/myscript.sh


# crontab -e

It will open your default editor. Then you write:

@reboot ~/myscript.sh

Now every time you reboot it will run. If you need it to run every N minutes, just see the man pages for crontab. For example, this will run the script every 1 minute:

# crontab -e

*/1 * * * * ~/myscript.sh

Just do the same above. To run Tor every time you boot, do:

# crontab -e

Will open your default editor. Then you write:

@reboot tor

Anonymous 02/08/2016 (Mon) 23:02:07 [Preview] No. 1412 del

>Is proxyfying your package manager safe?

If your package manager checks to ensure that packages are signed, and you initially received your software and signing keys through a secure channel, and there are no security vulnerabilities in gnupg/signify/whatever and the package manager that a MITM has the capability to exploit.

tl;dr Probably.

Of course, if your distro doesn't sign packages, a MITM can send you anything they want. Arch didn't for a long time, but they finally got on the ball a few years ago.

Anonymous 02/08/2016 (Mon) 23:20:36 [Preview] No. 1413 del

True. The packages are signed. You should be receiving what you want. My concern is that you may not be able to trust the repo or the package signer. Also to avoid leaking knowledge of what packages you have to 3rd party. This may reveal your attack surface.

Anonymous package downloads obscure information about what programs are on your system. Also obscures who you are in case there are policies to deliver certain packages to certain classes of users and certain packages to others (both signed).

I use socks5 proxies to obscure the fact that I'm exiting from a tor exit node, which may increase anonymity, increase access to tor blocked websites and ports, and evade tor network exit node monitoring.

Anonymous 02/09/2016 (Tue) 00:24:46 [Preview] No. 1414 del
never ever use proxies after your Tor exit node. This is like offering free measurement points for either confirmation attacks, traffic fingerprinting or mitm entry nodes.

If you have to use proxies after Tor, use only ones you absolutely trust (which is pretty much impossible) and paid for anonymously.

Using proxychains filled with public proxies after exit node is like sticking your dick into a fucking bear trap.

Anonymous 02/09/2016 (Tue) 00:33:38 [Preview] No. 1415 del
I only add a proxy when I need to get around cloudflare's bullshit.

Anonymous 02/09/2016 (Tue) 04:28:35 [Preview] No. 1443 del
auti.st might be preferred for disposable emails.

Anonymous 02/09/2016 (Tue) 10:16:05 [Preview] No. 1488 del
Although I didn't need to do this for Tor, it really was exactly what I was looking for for my problem. I just had to use a different editor (lol nano) for crontab -e because I can't get myself to use vi at all.

I had found these links in /tech/ to be somewhat useful and insightful: https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf

I think that FOSDEM talk was the one that prompted people to look into the thoroughly audited OpenSSL. Also, I've lost hope in FreeBSD. Use Illumos or OpenBSD but avoid FreeBSD and that shitty PC-BSD. I don't know if NetBSD is good.

Anonymous 02/09/2016 (Tue) 22:23:14 [Preview] No. 1545 del
iplookup.py version 1.05


Anonymous 02/09/2016 (Tue) 22:52:09 [Preview] No. 1548 del

Why all this autism? What's wrong in the geoiplookup tool?
No, don't reply

Anonymous 02/11/2016 (Thu) 07:50:55 [Preview] No. 1627 del
Random reminder to edit /etc/sudoers with
Defaults env_reset,timestamp_timeout=0
Defaults:ALL !syslog
Defaults:ALL logfile=/var/log/secure.log

then su -c "pacman -Rsc sudo" and use su from now on if you want to be like OP.

Now I want to hear what he has to say about it though he self identifies as an anonymous autist over being called "paranoid".

Anonymous 02/11/2016 (Thu) 08:16:32 [Preview] No. 1628 del
I really dislike searx since the default settings are shit and to customize it I need to use cookies. If that was not a problem, I would use searx to use ixquick and enable all the other search engines. However, since there are no Tor instances for ixquick, searx is preferred over ddg. I wish searx makes it so that all the stuff they gather from other search engines are done through their servers, acting as a proxy between them and you. I don't think they had considered doing that yet.

My custom settings for ixquick: https://eu.ixquick.com/do/mypage.pl?prf=541ce5745e24cae81905bc38bc47058c

Anonymous 02/11/2016 (Thu) 08:41:38 [Preview] No. 1629 del
Similar to that except it uses asian servers instead of european.


Yes ixquick has ads, but uMatrix and uBlock Origin and good ad blockers block them. I prefer quality of the search results over quantity of results. I generally find better stuff on ixquick than Google, but if you're looking for images, it's not that great and you're better off using either searx or bing or even Google for that. Again, if searx was configured to be a proxy server for all its requests to go through it first then from searx to the user, it would be great for me at least.

Anonymous 02/11/2016 (Thu) 11:58:33 [Preview] No. 1631 del
$ geoiplookup
GeoIP Country Edition: US, United States
$ ./iplookup.py
AS15169 Google Inc.
{'time_zone': 'America/Los_Angeles', 'region_code': 'CA', 'metro_code': 'San Francisco, CA', 'latitude': 37.385999999999996, 'continent': 'NA', 'country_name': 'United States', 'dma_code': 807, 'longitude': -122.0838, 'city': 'Mountain View', 'country_code3': 'USA', 'postal_code': '94040', 'country_code': 'US', 'area_code': 650}

I can use this to target my bans as narrow or as wide as I need to. geoiplookup seems to only give country. If I want to ban an organization I need to do the ip math and target all of the ranges belonging to that block. My script gives this granularity.

Anonymous 02/11/2016 (Thu) 12:13:01 [Preview] No. 1632 del

copy the IPv4 CIDR blocks into a text file called CIDR.txt. This will come in handy when doing your bans of CIDR blocks. Also

$ su -c "pacman -S calc"
will be useful for quickly calculating the CIDR size to ban based on the attack source location. My public server is attacked daily. It's ridiculous.

Anonymous 02/11/2016 (Thu) 12:14:34 [Preview] No. 1633 del
$ ./iplookup.py

Anonymous 02/11/2016 (Thu) 12:31:35 [Preview] No. 1634 del
reading httpd log reveals that accessed my website and attempted to post something to a nonexistent cgi/bin

reveals that this is from ISPsystem, cjsc in RU. Trial and error on reveals that is IP-Only Networks from SE
and all ips down to are in RU and belong to ISPsystem. I decide I'm a nice guy and don't want to ban Sweden as well as Russia, so I target ISPsystem for banning.

Step 1) find the range of domains belonging to that ISP by trial and error using ./iplookup.py here from 62.109.0->62.109.31
Step 2) $ calc 31-0 (in this case easy to do) others will be $ calc 58-32 etc
Step 3) Consult CIDR.txt for the appropriate ban. In this case a /19 ban will be appropriate.
Step 4) add range to http_blacklist.txt

$ echo "" >> http_blacklist.txt

Step 5) re run endwall.sh

Step 6) watch scroll across my terminal and snicker. (Sadly the only enjoyment I get from the process)

Try it out.
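
Steps 1 to 3 of the post above (observed address range to CIDR ban) can be computed rather than looked up in CIDR.txt. This is an added example, not code from the thread or from endwall; the function names and the 10.20.x.x range are constructed, and it goes beyond the post by handling ranges that do not fit one aligned block.

```python
import ipaddress


def _endpoints(first, last):
    """Parse and sanity-check the two ends of an observed range."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range: {first} - {last}")
    return lo, hi


def exact_cover(first, last):
    """CIDR blocks that cover first..last (inclusive) and nothing else."""
    lo, hi = _endpoints(first, last)
    return list(ipaddress.summarize_address_range(lo, hi))


def single_supernet(first, last):
    """Smallest single CIDR block containing the range, plus the number of
    addresses outside the observed range that one ban would also hit."""
    lo, hi = _endpoints(first, last)
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:
        net = net.supernet()  # widen by one bit until the top end fits
    extra = net.num_addresses - (int(hi) - int(lo) + 1)
    return net, extra


if __name__ == "__main__":
    ranges = [
        # the range from the post: third octet 0 through 31
        ("62.109.0.0", "62.109.31.255"),
        # constructed range for the "calc 58-32" case: third octet 32 through 58
        ("10.20.32.0", "10.20.58.255"),
    ]
    for first, last in ranges:
        blocks = exact_cover(first, last)
        net, extra = single_supernet(first, last)
        print(f"{first} - {last}")
        print("  exact cover :", ", ".join(str(b) for b in blocks))
        print(f"  one block   : {net} (also bans {extra} addresses outside the range)")
```

When the range does not fill an aligned block, one wide ban overshoots into neighbouring allocations; the exact cover costs a few more blacklist lines and bans nothing extra.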

Anonymous 02/11/2016 (Thu) 20:18:21 [Preview] No. 1644 del
>geoiplookup seems to only give country. If I want to ban an organization I need to do the ip math and target all of the ranges belonging to that block. My script gives this granularity.

Pls staph.
$ geoiplookup
GeoIP Country Edition: US, United States
GeoIP City Edition, Rev 1: US, CA, California, Mountain View, 94040, 37.384499, -122.088097, 807, 650
GeoIP ASNum Edition: AS15169 Google Inc.

Read up the geoiplookup manual. No, please don't reply.

Anonymous 02/11/2016 (Thu) 20:30:53 [Preview] No. 1645 del
Ahhh I have to put the *.dat files into /usr/share/GeoIP

CityLite.dat doesn't work with this. I have to go find the full city data.

Anonymous 02/11/2016 (Thu) 20:42:51 [Preview] No. 1647 del
OP: change the name to GeoIPCity.dat from GeoLiteCity.dat and it works.


Anonymous 02/11/2016 (Thu) 20:46:31 [Preview] No. 1648 del
my script can do multiple lookups on one go.
$ ./iplookup.py

Beat that geoiplookup!

Anonymous 02/11/2016 (Thu) 20:49:03 [Preview] No. 1649 del
$ mv GeoLiteCity.dat GeoIPCity.dat
# cp GeoIPCity.dat GeoIPOrg.dat GeoIPASNum.dat /usr/share/GeoIP

Anonymous 02/11/2016 (Thu) 22:19:42 [Preview] No. 1652 del
Didn't even check what that was... please, please stop. Use pgl or ipset to integrate dynamic blacklists in iptables. What's wrong with you re-inventing the wheel?
99% of the drop rules can be changed with a one-liner.
All the changes made directly echoing /proc/sys are impermanent, why, why are you doing that... Stop messing with a dangerous bash script. There are a lot of bad assumptions, there ain't a check for daemons, alternative firewalls (firewalld is the default on some distributions), a lot of configs are inane, I don't even know if it's worth commenting on..

It's nice to see some enthusiasm, but please stop, seriously, stop now. Learn the ropes and then you'll see that never, never someone sane would use such a script.

Anonymous 02/11/2016 (Thu) 23:26:57 [Preview] No. 1653 del
# pacman -S ipset

ok now I have to find a manual with worked examples for this thing. Anyone got a link?

Anonymous 02/11/2016 (Thu) 23:36:46 [Preview] No. 1654 del

Any other good examples for this?

Anonymous 02/12/2016 (Fri) 00:06:02 [Preview] No. 1656 del
#ipset create http_blacklist hash:ip,port

#ipset add http_blacklist,80
#ipset add http_blacklist,443
#ipset list http_blacklist

OK now what? how to add to drop in iptables? I'll keep reading but post expert answer. Thanks.

Anonymous 02/12/2016 (Fri) 00:43:18 [Preview] No. 1658 del

Yeah this should speed up my run times.
Thanks good add. I'll work on this and release a new version next week.

Anonymous 02/12/2016 (Fri) 02:18:52 [Preview] No. 1659 del
ipset v6.27: Hash is full, cannot add more elements

What is this nonsense?

ipset is useless. I have a lot of rules to add. post the work around.

Anonymous 02/12/2016 (Fri) 02:20:11 [Preview] No. 1660 del
ipset flush
ipset destroy

ipset create blacklist hash:ip hashsize 65536

for blackout in $(cat blacklist.txt); do
    ipset add blacklist "$blackout"
    echo "$blackout"
done

Anonymous 02/12/2016 (Fri) 02:22:51 [Preview] No. 1661 del

it would seem that ipset is only good for dealing with singleton ip addresses not for CIDR block bans. Pretty useless for me except for the attackers list and whitelists.

adding CIDR /16 or /8 ranges fills up the hash table almost immediately. No Good.

Anonymous 02/12/2016 (Fri) 02:44:51 [Preview] No. 1663 del
ipset create blacklist hash:net hashsize 65536

That should take the CIDR ranges. Let me try that.
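
Why the hash:ip set in the posts above fills up while hash:net does not: hash:ip stores every address of a CIDR entry as its own element, and a set holds at most maxelem elements (65536 by default; hashsize only sets the initial table size), so a single /16 exhausts it. The following is an added example, not code from the thread or from endset.sh; the set name, function names and sample entries are constructed. It counts the elements each set type would need and builds an `ipset restore` file that swaps the new list in.

```python
import ipaddress

DEFAULT_MAXELEM = 65536  # ipset's default per-set element limit

# Constructed blacklist file contents (documentation and private ranges).
SAMPLE = [
    "198.51.100.7",
    "203.0.113.0/24",
    "10.20.0.0/16",
    "10.20.32.0/20   # already inside the /16 above",
    "not-an-ip",
    "0.0.0.0/0",
    "",
]


def parse_blacklist(lines):
    """Return (networks, rejected). Comments and blank lines are skipped.
    IPv6 would need a separate 'family inet6' set, and hash:net cannot
    store a /0, so both are rejected here."""
    nets, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4 or net.prefixlen == 0:
            rejected.append(entry)
            continue
        nets.append(net)
    return nets, rejected


def element_counts(nets):
    """Elements needed per set type after merging overlapping entries."""
    merged = list(ipaddress.collapse_addresses(nets))
    return {
        "hash:ip": sum(n.num_addresses for n in merged),  # one per address
        "hash:net": len(merged),                          # one per block
    }


def restore_script(name, nets, maxelem=DEFAULT_MAXELEM):
    """Text for `ipset -exist restore`: fill a scratch set, then swap it
    with the live one so the live set is never half-populated."""
    merged = list(ipaddress.collapse_addresses(nets))
    if len(merged) > maxelem:
        raise ValueError(f"{len(merged)} entries exceed maxelem={maxelem}")
    scratch = name + "-new"
    out = [
        f"create {name} hash:net family inet maxelem {maxelem}",
        f"create {scratch} hash:net family inet maxelem {maxelem}",
        f"flush {scratch}",
    ]
    out += [f"add {scratch} {net}" for net in merged]
    out += [f"swap {scratch} {name}", f"destroy {scratch}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    nets, rejected = parse_blacklist(SAMPLE)
    counts = element_counts(nets)
    print("rejected:", rejected)
    print("elements needed:", counts)
    if counts["hash:ip"] > DEFAULT_MAXELEM:
        print("hash:ip would report 'Hash is full' at the default maxelem")
    print(restore_script("blacklist", nets), end="")
    # The matching drop rule, added once the set exists:
    #   iptables -I INPUT -m set --match-set blacklist src -j DROP
```

Load the output with `ipset -exist restore < file` before loading any iptables rule that references the set; iptables rejects a rule that names a set which does not exist.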

Anonymous 02/12/2016 (Fri) 04:32:07 [Preview] No. 1665 del
endset.sh version 1.01


Anonymous 02/12/2016 (Fri) 04:53:45 [Preview] No. 1666 del
endwall.sh version 1.13
EXPERIMENTAL - incorporates ipset lists




Anonymous 02/12/2016 (Fri) 08:50:30 [Preview] No. 1667 del
endset.sh version 1.02

Fixed a bug with the whitelists
I'm testing these scripts but so far they seem to work, If I add an ip to the http_blacklist.txt and re run endset.sh I lose access to that website or range without having to re run endwall.sh. Seems to work dynamically. Thanks for the suggestion. Great Add!

Test it out and post if it works below.

Anonymous 02/12/2016 (Fri) 10:23:11 [Preview] No. 1668 del
>my website
How much traffic you get on your website generally every week and what kind of a website is it? Just curious.

Anonymous 02/12/2016 (Fri) 21:27:22 [Preview] No. 1674 del
using this new script with ipset somehow reset all the default policies to accept with no rules on reboot. very strange I'm going to have to look into this further. Does anyone know why this would have happened?

Anonymous 02/12/2016 (Fri) 21:35:49 [Preview] No. 1675 del
spamalertz.sh version 1.01

Description script to read some flagged log variables from endwall.sh

Post if this script works with endwall on your setup. Modify it to work if it doesn't.

Anonymous 02/12/2016 (Fri) 21:43:37 [Preview] No. 1676 del
OP HERE: I'm going to try this
$export EDITOR=nano
$crontab -e

@reboot ~/endwall/endset.sh
@reboot ~/endwall/endwall.sh

I'll see if that works

Anonymous 02/12/2016 (Fri) 22:45:11 [Preview] No. 1677 del

DO NOT USE endwall.sh version 1.13

iptables does not recognize the sets when it initializes, fails and then defaults to the INPUT ACCEPT policy on reboot.

There is a work around I'll post that tonight. I'll release 2 scripts one that has no blacklists/whitelists that saves the state at the end of the script and one with blacklists that doesn't save the rules at the end of the script. That way you run the first non blacklist/ non sets script once and it reboots with that state saved, and then you update the rule set with the sets based blacklisting script.

Anonymous 02/12/2016 (Fri) 22:46:28 [Preview] No. 1678 del
That could be potentially catastrophic to start your server with no firewall.

Anonymous 02/13/2016 (Sat) 02:38:33 [Preview] No. 1682 del
(2.86 MB 1680x1050 bustanut.webm)
Mein Gott, what's up with blogspot and proxies, seriously. Do people really make money by shilling proxy services? Pic unrelated.

Anonymous 02/13/2016 (Sat) 02:42:39 [Preview] No. 1683 del
BTW OP, I hope you use [code]your code here[/code]

Anonymous 02/13/2016 (Sat) 04:13:12 [Preview] No. 1684 del
endset.sh version 1.06

endwall.sh version 1.14

Instructions: read the headers. run endwall.sh first, then run endset.sh if you have blacklists. Populate the blacklists into the text files specified. Feel free to modify the scripts

use spamalertz.sh to search for blocked spammers in your log. use geoiplookup or my iplookup.py to target ip ranges to add to your blacklists/whitelists. Only whitelist singleton ips or /24 ranges from mail hosts (places you receive mail from that you trust won't attack you).

Test these out and place comments below

Anonymous 02/13/2016 (Sat) 04:18:18 [Preview] No. 1685 del
If you tell your router to send you syslog, you can take spamalertz.sh and modify it to search your logs for attackers using grep. you can also do this without syslog from your router.

cat $tmp1 | grep -a "SPT=443"

change the grep pipes to search for specific ports or phrases from your router or logs. I have about 5 of these that I run everyday to check my logs for attacks. I also do this for my postfix mail log and apache logs.

Anonymous 02/13/2016 (Sat) 04:21:26 [Preview] No. 1686 del
I've separated the blacklists and sets from the main script. That way it doesn't fail on reboot and maintains the endwall.sh rules persistently past reboot. I've moved the security booleans over to endset.sh as you have to run endset.sh each time you reboot, while endwall.sh has to be run once, unless you change something like mac address or email/html spam strings.

I'm going to tar them and make a release.

Anonymous 02/13/2016 (Sat) 05:50:25 [Preview] No. 1687 del
This might be a big waste of time, but what license would you use for your shit and why?

Anonymous 02/13/2016 (Sat) 05:53:23 [Preview] No. 1688 del
Figured out how to make a new snapshot for this thread:

Anonymous 02/13/2016 (Sat) 06:38:51 [Preview] No. 1689 del

Step 0) $ mkdir ~/endtools
Step 1) $ mv jzqqvzh.tar.xz ~/endtools/endtools.tar.xz
Step 1) unpack the compressed tar file
$ cd ~/endtools
$ tar -xvJf endtools.tar.xz
Step 2) Read the headers of the files
Step 3) chmod u+rwx *
Step 4) run the files in this order

$ ./endwall_v107.sh
$ ./endset_v105.sh

add ip ranges to your blacklists using
$ geoiplookup or
$ ./iplookup.py

check if blacklists are working using
$ ./spamalertz.sh

Anonymous 02/13/2016 (Sat) 06:42:47 [Preview] No. 1691 del
To update the snapshot, just go to archive.is, put in the url in the search bar and it should prompt to ask if you would like to take a new screenshot. Select that option and let it run.

Anonymous 02/13/2016 (Sat) 06:51:33 [Preview] No. 1692 del
1) My hope was to get some help with internet security by starting a thread asking for contributions of techniques and ideas. So far that's worked out pretty well. That ip sets thing has solved a major problem my server was running into. I'm glad I got that tip from here. Thanks >>1652 good work!

2) I think every newb should run this as standard fare. Every new linux user should run this endwall. I don't care what >>1652 is implying. This script stands between me and the ridiculous daily hack attempts against my tiny little mail server / website. I run this script on all my laptops (modified) all my network machines in my house, and I want everyone in the world to use this or the ideas in it as the de facto standard starting point. I think my script works. I think this script endwall_v115.sh should be run after install on any/every linux machine period.

3) I found several problems in my personal version of this script while reading and fixing endwall.sh so that was worth the exercise in itself.

odilitime Root 02/13/2016 (Sat) 06:51:33 [Preview] No. 1694 del
is that named after endchan?

Anonymous 02/13/2016 (Sat) 06:59:17 [Preview] No. 1697 del
Yes I renamed my firewall after endchan.

odilitime Root 02/13/2016 (Sat) 06:59:43 [Preview] No. 1698 del
cool, I'm plugging it on Twitter

odilitime Root 02/13/2016 (Sat) 07:08:09 [Preview] No. 1699 del

Anonymous 02/13/2016 (Sat) 07:10:54 [Preview] No. 1700 del

"endwall the firewall inspired by endchan"

If everyone starts using it and modifying it / fixing / developing it you could say: Endwall the official firewall from endchan.xyz

Anonymous 02/13/2016 (Sat) 07:27:44 [Preview] No. 1701 del
Wow, from being called a paranoid neckbeard in 8ch to being noticed by odilitime promoting an honest attempt of a firewall setup. Good job OP. I hope more people come and help you.

Anonymous 02/13/2016 (Sat) 07:28:28 [Preview] No. 1702 del
>>1699 das it mane

I love it! Spread this to the 4 winds. Let endchan.xyz take the credit.

License. I'll think about this. It's all based on free software, I want everyone to protect themselves with it. I want bug reports, bug fixes, and freedom for modification, but I want to know about improvements to the script or errors in it.

There should be specialty branches, branches for laptops with wifi and branches for newbs. The core ideas of keeping all ports but those use locked down in localhost should be preserved. That is the core strength of this firewall the rest are details /icing.

It works use it. If you find an error bug report it and suggest a modification.
Endchan can take the credit for the project.

I've got other work to do so I'll be off of this for the next 2 weeks. I think its in a workable state as of right now.

Thanks for all of your help / suggestions, even the negative criticism, because it took the development in the right direction.

Keep putting security tips below and maybe fork a new thread specifically for endwall.sh endset.sh endtools development.

Anonymous 02/13/2016 (Sat) 07:33:26 [Preview] No. 1703 del
get a repo going on gitgud.io, will make it easier for others to contribute

Anonymous 02/13/2016 (Sat) 09:09:58 [Preview] No. 1706 del
Is the Tor Browser really safe in comparison to say Icecat? I don't have the same trust that I have with the Tor Browser that I have with Icecat. Also, it's not available on Parabola GNU/Linux-libre so that might be something, might not be anything.

Anonymous 02/13/2016 (Sat) 18:03:30 [Preview] No. 1712 del
jesus christ, are you serious? No sane techie would use those scripts.

Anonymous 02/13/2016 (Sat) 18:04:44 [Preview] No. 1713 del
>Are oranges better than apples?
That's how you sound.

Anonymous 02/13/2016 (Sat) 20:56:05 [Preview] No. 1717 del
the ban process works.
Step 1) run ./endwall.sh
Step 2) populate the banlists
$ echo "" >> http_blacklist.txt
$ echo "" >> smtp_blacklist.txt
Step 3) run ./endset.sh
Step 4) on the fly bans
# ipset add http_blacklist
# ipset add smtp_blacklist
# ipset add blacklist
then add the ip ranges to the text files as well. http_blacklist blocks port 80 and 443 access to those ips, smtp_blacklist blocks ip access to ports 25,465,587, blacklist blocks all access to anything on any port or protocol.

you will have to run ./endwall.sh once if you have static mac static ip, or don't change any of the email blacklists or html spam blacklists. To add email string spam (content or email address) to blacklist :
$ echo "Bronie_Angus@fakesite.com" >> email_blacklist.txt
$ su
# ./endwall.sh

to add html diving spam to blacklist
$ echo "/config/getconfig.php" >> html_blacklist.txt
# ./endwall.sh


Anonymous 02/13/2016 (Sat) 20:59:09 [Preview] No. 1718 del
the ipsets are not persistent after reboot. ./endwall.sh rules are persistent after reboot, so you restart with shields up. On reboot re-run ./endset.sh to reactivate the ipsets and repopulate the blacklists.

Anonymous 02/13/2016 (Sat) 21:09:14 [Preview] No. 1719 del
If you're a "Techie" expert, then write your own script. Or use what you're told to / what you know is good. This script was designed for my personal self defense, and I intend to distribute it to newbs. I consider myself a newb. I am newb champion. This script is designed to be run at first installation of any of the above mentioned linux distributions, designed to protect newbs and new linux users that can read simple instructions.
I also want experts to pen test my firewall in a simulated attack (not on me personally please) with a one touch ban policy.

Attacker -> Firewall
Defender (read logs) + 1 touch ban policy.

The simulation should be an attack against a server with 3 ports open to input ( postfix smtp port 25, and ports 443,80 on apache or nginx )

If my firewall fails, point out where it failed. And recommend suggested fixes. Then I'll try to fix it.

Anonymous 02/13/2016 (Sat) 22:27:14 [Preview] No. 1720 del
In the simulation the attacker will have a 6 hour lag time before the 1 touch ban is implemented. This will also require best practice settings for apache, nginx and postfix.

I have personally fought off round robin attacks by a botnet with these scripts.

Anonymous 02/13/2016 (Sat) 22:32:42 [Preview] No. 1721 del
I say that because it enables some nasty shit by default the last time I used the Tor Browser. Look at this: http://pastebin.com/kX7yhrmp That used to apply to all firefox based web browsers, and these days, you need a bigger user.js to make firefox usable: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/

Icecat removes many of the crap firefox has by default and makes certain configurations, patches, etc., even uses Tor Browser patches now and then. You can disable javascript and other shit that's necessary in Tor Browser on Icecat. Firefox and the Tor Browser had been a piece of shit for a very long time and I don't think it's going to earn back my trust any time soon. Hell, if you're on Windows, I would use PCXFirefox instead of wasting your time trying to compile Icecat for Windows.

Firefox had been a piece of shit for so long, many people had migrated to Chrome/Chromium. It's hard to not deny how Google fucked up Mozilla. No I am not blaming Tor devs and the US Navy and such. What made Firefox based web browsers (including Tor Browser) vulnerable is Firefox itself. Only a couple of forks of Firefox are worth using while the rest are just pig disgusting.

Anonymous 02/14/2016 (Sun) 01:08:02 [Preview] No. 1731 del
All end wall related discussion is now directed here >>1725

Anonymous 02/14/2016 (Sun) 03:48:19 [Preview] No. 1739 del
OP HERE: Post internet security tips and OS security tips below:

linux /BSD focus but windows tips are good too if they're solid. I'm a newb and I need to increase my computing security.

Anonymous 02/14/2016 (Sun) 21:30:58 [Preview] No. 1754 del
The security conscious don't use browsers.

Anonymous 02/14/2016 (Sun) 21:48:23 [Preview] No. 1756 del
Jesus fuck, why didn't you listen? Stop.

No, you had to open yet another thread ( >>1725 ) where you spam "changelogs".
You probably don't even know how to setup a git{lab,gud,hub} account, so you have to spam over and over this non-sense. I'm astonished that odili endorsed this shit, I guess this tells us (yet another time) a lot about his technical expertise.

>If you're a "Techie" expert, then write your own script.

NO! You don't write fucking scripts. You learn the already existing tools. You're reinventing the wheel.

>This script was designed for my personal self defense, and I intend to distribute it to newbs. I consider myself a newb. I am newb champion.

Nice to see that you acknowledge you're a noob, but stop! Read the fine manuals, learn the ropes, don't fucking spam with this shit.

>This script is designed to be run at first installation of any of the above mentioned linux distributions, designed to protect newbs and new linux users that can read simple instructions.

NO! This "set of scripts" are outright dangerous and should not be spawned for "newbs" nor for "first installs". Newbies shall use the already existing tools and refer to the documentation.

>I also want experts to pen test my firewall in a simulated attack (not on me personally please) with a one touch ban policy.

You don't have the slightest idea about what you are doing. Your rules are problematic at best, learn the contemporary firewall compliance. But you won't. You've learned now that the "ipset" tool exists but I've read in some of your posts that "ipset is not permanent" (sign that you still haven't read the fine manuals). You don't know how to use existing known blocklists, nor how to block the tens of shodan.io-alike scanners. You don't seem to know how to automate the process (using init scripts, not bash? zsh? sh? scripts). I don't even know if you are aware of sysctl (the horrifying endwall script I did open showed sheer ignorance about it and about why you should use it rather than ech

Anonymous 02/14/2016 (Sun) 21:51:18 [Preview] No. 1757 del
(cont.) rather than echoing values like an autist). You just copy-pasted old, dated answers about iptables you found on google. You explicitly drop packets without any schema, you don't seem know what to actually allow, and how different installs require different rules. You don't know how to chain rules.

Take your adderall and read the docs. Now.

Anonymous 02/14/2016 (Sun) 22:30:42 [Preview] No. 1758 del

You seem pretty ticked off about my script...are you with NSA?

OK post your best practice settings for your existing tools.

> This set of scripts is DANGEROUS

I don't know what's dangerous about reading your logs. Sounds innocuous to me.

Hey link me to a guide on these new best practice settings for Iptables, ipsets. Thanks.


Anonymous 02/14/2016 (Sun) 22:47:47 [Preview] No. 1759 del
The Book of PF, 3rd Edition:
Don't know about Iptables.

Your script is probably dangerous because you're promising security, when you actually don't really know what your own script is doing. Structuring a firewall is something a bit complex, and situation-dependent.

[not the same guy, btw]

Anonymous 02/15/2016 (Mon) 00:36:15 [Preview] No. 1764 del
Thank you very much sir. I appreciate the link and your comment.

I will be using this guide to re-write my script (as best I can) into pf this summer.

I more or less know what my script is doing (or what I think I want it to do). I'm not an expert but I think that my script is better than nothing and better than a lot of scripts I've read on the internet. A lot of the implementations are my original ideas. Some of the material is taken from other scripts I've read, notably the first line defense section.

If you're an expert and you want to have chains that go into chains that go into chains. Well work it out. My script just gives you the following: Default DROP policies. Well known well used ports that work on localhost and outgoing, so that you can get onto the internet after running it. All other ports completely shut off disabled at localhost/loopback level. Most users will be able to use the script and get onto the internet. Add 2 more hardware firewalls in your signal path for extra security.

My script can be run by new users and studied and modified by intermediate users for their own needs.

If you don't want to use a script and want to go pre-fab, then that's fine too don't use my script. Ok move all endwall complaints to the endwall thread.

Thanks for the link.

Anonymous 02/15/2016 (Mon) 00:48:42 [Preview] No. 1766 del
Very honored comment. You seem a nice and honest man. I did not read all the script, but I'm sure some people could make use of it. Hope you keep with this insane hunger to knowledge, this is a very precious quality.
My comment was not to offend you or your work, it's just an observation.

Anonymous 02/15/2016 (Mon) 16:57:46 [Preview] No. 1781 del
>You seem pretty ticked off about my script...are you with NSA?
Irrational fear grows where's ignorance or incompetence

>Don't know where to start
>I don't see how it's unsafe
I've cited the fine manuals like.. half a dozen times? You need to be spoon-fed? You don't know how to write a bash script, you don't declare which shell you're using (not all shells behave the same), you don't check for existing daemons/systemd services (there are no tests in the bash scripts), literally the 80% of the rules can be changed with a one-liner, you don't know how to conveniently chain rules... after having read all the manuals suggested by apropos iptables and the {ipset,pgl} manuals (and eventually manuals on the related systemd services) you shall learn cron jobs and chain rules. Possibly, you shall learn how to create custom systemd services and cron jobs. The fine manuals cover that too.
Once done that, read the sysctl.conf and sysctl.d manuals (and if you're going to always assume systemd, systemd-sysctl as well) to consistently change all those /proc/sys values. There's no "one recipe for all". Absolutely.
Any script going to write should check that the system is what you're expecting it to be. Any script should be absolutely barebones and suited for one single well-defined job.
Any "bad guys" list should not be added "manually" like this. It's highly inefficient and a maintenance nightmare. Also, iptables are not suited for this job. You're making false assumption about the usefulness on blocking entire ip ranges on a first contact as well.
You're too busy rewriting sloppy versions of existing tool, so you won't listen.
Disconnect from the internet and read the manuals. Once done, use well-respected wikis like arch's one. Once done, google. You're doing all this in reverse order (hitting actually just a few inch beneath the surface), a recipe for disaster.

Anonymous 02/15/2016 (Mon) 20:47:11 [Preview] No. 1785 del
That's fair. I still think that my script has some value. I'll check out pgl (PeerGuardian Linux)and play with it.


I will continue investigating iptables and ipset from the official manuals, and from online guides.

I will RTFM (Read the Fine Manuals).


And then I'll continue writing my script.
But I'll add #!/bin/bash to the first line on all of my scripts first.

When I generalize my script I'll add daemon checks and init checks. Yes I do need to learn more about linux system administration I've only been doing this for about 3-4 years. I was a casual/business environment user of unix/linux before that time. I'm guessing that you're a computer science major that works professionally as a programmer or network system administrator and that sloppy code annoys you. I hear you...I agree with you. I'll fix it...when it's working for me and then when I have time.

My script is potentially educational to people who want to know about iptables. And it's mostly functional. It has some value. It works for me, it might work for someone else too. I want bug fixes and error correction for my code so I released it ( a stripped down version of what I use at home).

I'll do some more learning and come back later. Thanks for your advice.

Anonymous 02/15/2016 (Mon) 21:09:18 [Preview] No. 1786 del



$ man -k iptables
$ man -k ipset
$ man -k pgl

$ man iptables
$ man ipset
$ man pgl

Great advice, thanks.

Anonymous 02/15/2016 (Mon) 21:28:48 [Preview] No. 1787 del
$ man sysctl
$ man systemd
$ man systemctl
$ man journalctl
$ man cron
$ man crontab

OK I hear you. I have more reading to do. I'll suspend development on my project for now until I have a better understanding. My scripts have demonstrated my ignorance of the details of linux system administration.

I plan to keep developing this however once I get more knowledge.

Anonymous 02/15/2016 (Mon) 21:32:18 [Preview] No. 1788 del
Post security tips and best practices for OSs (linux,bsd,unix,windows nt) and internet use , browsers, downloading, tor, anonymity, etc. below.

Anonymous 02/15/2016 (Mon) 22:20:15 [Preview] No. 1789 del

This might be good for windows as well.
I have specialty firewall rules for windows advanced firewall, but I'll check this out as well.

Newbie Champion 02/18/2016 (Thu) 05:04:02 [Preview] No. 1884 del
I'm a noob... I can't even set up a git hub!!!

I think that BSD users need to stop using pf immediately and start using my favorite Windows 7 tool Peer Guardian. pf rules are dangerous...like Michael Jackson. Do you remember?...uhh!

Post security tips below:
OS:(windows nt, linux, bsd, unix),
techniques, browsers, download tools, anonymity tools, tor settings, programs, add ons, methods, registry key edits/hacks, etc to increase computing anonymity and security...

Anonymous 02/18/2016 (Thu) 05:11:20 [Preview] No. 1885 del
Dangerous! uhh!
The girl is so Dangerous!
Hee hee
Take away my money
Throw away my time
You can call me honey
But you're no damn lover of mine!

Anonymous 02/18/2016 (Thu) 09:57:13 [Preview] No. 1889 del
Got a Windows XP 32 bit computer?

Besides recommending newbies (like myself) to look at the Wilders Security forums for Windows related stuff and to promote dnscrypt-proxy for Windows and to avoid Windows 10 and above, everything else has more to do with not using Windows stuff in general, and also Macintosh crap.

Some random tips for Windows Vista to 7 (don't know much about 8, 8.1, 10) is to try to make portable versions of web browsers, tor browser bundle, antivirus scanners, crap cleaners (privazer, ccleaner, bleachbit, revo uninstaller) and other .exe files you like in a password protected compressed folder using peazip for Windows that you put in a USB drive. Use sandboxie but stacking VMs are stupid though fun it is.


I've once made a portable firefox + tor instance setup in WINE. I must have been pretty depressed to do something as disgusting as that.

Anonymous 02/18/2016 (Thu) 10:00:15 [Preview] No. 1890 del
oh, forgot to mention I use evince when I was on windows and I still use evince. Some PDFs that I have break when I use crappier PDF viewers unless if it's evince. Fuck adobe.

Anonymous 02/18/2016 (Thu) 10:23:38 [Preview] No. 1892 del
The accursed GWX update is what makes Windows 7, 8, and 8.1 pretty shitty. Also, I think magic lantern is still a threat for all Windows computers and is whitelisted by almost all antivirus programs maybe except for the Russian Kaspersky but I have no proof of that.


If you have no luck in removing the upgrade icon using the typical methods then I have a trick to remove this for good or until you do another upgrade. I’m not sure if you can achieve the same results using a Windows Safe Boot but I can tell you that Linux works perfectly. Simply boot up your machine with either a pre-installed dual booting Linux distribution or a Live CD/USB version of Linux. Now open your file manager and head to the drive containing your windows ‘C:\’ which may be called ‘sda1’ or something similar on Linux. Now head into the \Windows\System32 directories and completely remove/delete the entire GWX directory from that hard-drive. Now you’ll never have any more issues with GWX bugging you with the upgrade. You can view but not delete this folder whilst utilizing the Windows operating system (Safe mode may be different).


How it Works

In the main C++ file, the program makes sure it's not being run on any Windows other than Windows 7 and Windows 8.1, and makes sure that if it's being run under WoW64 to disable file system redirection. The program then executes a system() call to wusa /uninstall /kb:3035583 to finally uninstall the GWX update.

Anonymous 02/18/2016 (Thu) 10:34:28 [Preview] No. 1893 del
Tor and proxies are psuedonymity, anonymity is not guaranteed. If you make the same dumb mistakes that silkroad guy did leaving a trail of breadcrumbs, you will be tracked down. Since there are some tumblr people that realize how terrible and stupid they were when they get doxxed, stuff like this would help such people: http://paranoidsbible.tumblr.com/library

Anonymous 02/18/2016 (Thu) 14:13:00 [Preview] No. 1895 del
>Tor and proxies are psuedonymity, anonymity is not guaranteed

Tor grants anonymity, does not grant privacy.

Proxies (and VPNs, given that those are glorified proxies) grant privacy, not anonymity.

Nothing in Tor grants "psuedonymity". Bitcoin is pseudonymous. Tripfagging and namefagging like you (with all those mailto:a@a ) is pseudonymous. Signing consistently all the messages with GnuPG is pseudonymous. Not Tor.

If you mistake anonymity, privacy and "psuedonymity" you're in for a hell of a ride.

>mega link
Are you serious?

Anonymous 02/19/2016 (Fri) 03:55:52 [Preview] No. 1916 del
lol I know I'm a namefag, I'm pretty trackable and there's probably some other namefags that know me just by how my desktop looks like.

I am thinking in a different mindset. Anything that has an ip address is in itself an identity tied to a geolocation, a ISP, etc. Anything from Tor, i2p, proxies, when accessing the clearnet through such systems, that ip address is not your real ip address assuming nothing is leaked. You're wearing a "mask", a persona, pretending to be completely somewhere and someone else. That is not really "anonymous". Accessing onion websites and such is different than accessing clearnet.

I am differentiating (though was not initially clear) the shit one says as to who they are from the things that the "machine" sees. You already know but too prideful in your intellect to realize that I know at least somewhat about this. Any ISP has the power to know that you're using different dns servers and behind a proxy since everything goes through them. Sending encrypted material won't make the ISP not realize that it's encrypted. One could hide the fact that they might be using Tor by using a VPN conceptually speaking, but if you do that at your home network with your own internet setup, they (ISP) could assume that your ip that they give to you is tied with that VPN. So to avoid this like say using McDonald's internet, you're still using their internet as you, they have their own ISP that hold the logs to what websites you had gone to and such, and you're using their ip address, hiding behind an identity. (cont)

Anonymous 02/19/2016 (Fri) 03:56:29 [Preview] No. 1917 del
I'm stretching the boundaries between anonymity and pseudonymity because really, in many levels, any attempt to connect to anything concerning these machines are done on a one on one basis and it's also highly centralized (concerning clearnet stuff). Having an everchanging ip does not guarantee anything as there are many points from you to whatever website where there's potential logs and metadata stuff. Trying to setup a decentralized network can't really work 100% when we still have ISPs. The base of everything of the internet is a huge ass botnet because of ISPs.

Anonymous can be defined as many people behind one (herd) identity that is unknown. In reality, things don't work like that. Mac addresses and dns leaks, they tell the ISP what you (the computer) are, so using a different mac address and different dns servers from your ISP's is to pretend you are someone else('s computer) yet connecting one on one to the ISP through that one computer. You might have some level of privacy, as long as there's other things that leaks information concerning who you are, no matter where in the world you are, what you do on the clearnet is trackable through other means outside of the ISP. Privacy is limited towards certain parts of the chain between you and whatever silly cat pictures you download.

Anonymous 02/19/2016 (Fri) 03:57:08 [Preview] No. 1918 del
There is also a different concept of pseudonymity and anonymity outside of the way the machine thinks which is the shit that we leak ourselves connected to our physical identity. You've seen my desktop and "a@a" in the email field. That's the human level, the individual identity though behind one other individual identity. "Anonymous" on the CLEARNET is any INDIVIDUAL using a COMPUTER tied with an designated IP from the ISP that uses a GROUP identity to shitpost on websites. Using VPNs, Tor, encryption, and other privacy oriented measures does not change the fact that you're an INDIVIDUAL using a COMPUTER using the internet paid by whoever paid for the internet and they would be held accountable more so than those that use said paid internet although they could log whoever connects to the router and have those computers liable for certain shit they looked up with their internet, but if said computer is not a shared computer, it could be blamed on one person based on the metadata that they get while using said computer. In every attempt to make the trail not go to you is to "scramble" the evidence in every step of the way but you will always leave something behind. Machine level pseudonymity with human level anonymity is what people are calling "anonymous" these days. It's really a mix between pseudonymity and anonymity. If like, everyone (including me) uses my computer 24/7 with the same damn IP address, there's more room for plausible deniability. That's why there's some open WiFi promoters out there that just leaves their WiFi unprotected for everyone to use freely. (cont)

Anonymous 02/19/2016 (Fri) 03:57:25 [Preview] No. 1919 del
Plausible deniability is neither pseudonymity nor anonymity. It is simply any plausible reason to deny certain claims. There can be a "Legion", but one can never become two people at once, except for people born with two or more functioning heads. If you're a multi headed Alaskan bushman way off the grid, you're not anonymous nor pseudonymous, you're simply separate from, outside the bounds of the internet. Wake me up when there's a completely anonymous system in all levels, for that is what an aggregated universal consciousness is, literally Avatar tier stuff where you directly connect to the world tree with your mind. Until then, there will always be machine level pseudonymity somewhere that can potentially be tracked down to one building, one household, one room, one person.

Anonymous 02/19/2016 (Fri) 04:12:36 [Preview] No. 1920 del
Also to make it clear, IRL personality is not always a pseudonymous identity, which is not always an anonymous identity...and don't talk to tripfags or namefags if you can't deal with their self warranted self importance that is unwarranted by others.

Anonymous 02/19/2016 (Fri) 04:31:49 [Preview] No. 1921 del
(12.01 MB 1280x720 loldidntread.webm)
Deer God.

How foolish of you! Never reply to a tripfag, that's the rule numbero uno

Anonymous 02/19/2016 (Fri) 04:42:46 [Preview] No. 1922 del
tbqh 49.5% of the posts are signed "OP HERE" or "######### Inane Configs" and 49.5% of the posts feature a "a@a" in the Email field (never saw before, didn't know he was a self-perceived sort-of celebrity)

Most of the proposed settings are plain inane, I just skimmed through the thread and noticed the brilliant idea to ExcludeNodes on a whole country basis with StrictNodes 1 (that's an absolute no-no)
Can't be bothered to read most of the rest, it's an unsorted mess

This board is still pretty desert

OP 02/19/2016 (Fri) 08:40:46 [Preview] No. 1923 del
If you set strictnodes=1 and then exclude a country then you can't look at hidden services from that country or route relays through that country. If you need to do that set it to strictnodes=0. If you're trying to avoid any activity in a country that you think is offensively sophisticated (China, Russia) Then why wouldn't you completely avoid routing through those locations?

It depends on what you're trying to do. If there is a hidden service in russia that you like visiting but then you block russian nodes and set strictnodes=1 then you won't be able to visit that site. I don't read cantonese or manderine so I won't be visiting hidden services, exiting from china or routing through china.

Strictnodes=0 with a country ban {CN} says avoid China in general for circuits but If I ask for a Chinese hidden service then ignore the ban and go look at it or grab directory information from there.

If you ban USA but want to route to MX this again would cause a problem. Good point. I'm leaving it on 1 because when I say ban I mean ban (exclude). If I have to I'll switch it to 0 and restart tor. Hasn't been a problem so far but thanks for pointing that out.

If anyone sees a mistake or fuck up in the configs I or anyone else posts please point it out.

Anonymous 02/19/2016 (Fri) 10:30:52 [Preview] No. 1926 del

Did actually try to document yourself? Because what you're saying does not makes sense.

> If you're trying to avoid any activity in a country that you think is offensively sophisticated (China,

China (with the exception of Hong Kong) has zero Tor exit nodes... Are you serious? Outside of Hong Kong it's incredibly difficult to bypass the Great Firewall of China ( obfsproxy and a special proxy called Shadowsocks, the Chinese police "pressured" the developer to abandon it... https://archive.is/348Uf )

>I don't read cantonese or manderine so I won't be visiting hidden services
Banning exit nodes in a country does not prevent access to hidden services in that country. The whole concept behind hidden services is that nobody knows where those are hosted, not even exit nodes. That's why after the first three hops there are additionally three relay hops before you reach the hidden service. The exit node doesn't know where's the hidden service, and so you.
Again, China does not offer any node.

>Strictnodes=0 with a country ban {CN} says avoid China in general for circuits but If I ask for a Chinese hidden service then ignore the ban
No. Strictnodes=0 means "generally avoid this country, but if you really can't create a circuit in a reasonable amount of time or perform self-tests.... use that country". It has zero impact on connection to a hidden service location, which is - again - unknown.

May I also strongly suggest to Tor's documentation...

>We recommend you do not use these — they are intended for testing and may disappear in future versions. You get the best security that Tor can provide when you leave the route selection to Tor; overriding the entry / exit nodes can mess up your anonymity in ways we don't understand.
Quite frankly, I don't think you understand anonymity better than Tor developers. No offence.

Enforcing exit nodes could be of use if for example a site restricts access to people in their country (bbc b

Anonymous 02/19/2016 (Fri) 10:36:33 [Preview] No. 1927 del
Oh, my post was cut. I was saying:

(bbc behaves like this) but that's pretty much all.

Have a quick map of Tor btw https://torflow.uncharted.software/

Some time ago there was a guy listing known unreliable nodes (for example, there were nodes messing with your traffic and inserting text/rewriting addresses or simply running an obsolete version of Tor) and he offered a bunch of fingerprints to add to the .torrc. Even that has been deprecated since Tor itself "knows it best" and these tasks/computations are performed without messing with the torrc file. Tor knows how to exclude unreliable/suspect nodes.

Some typos....
>May I also strongly suggest to Tor's documentation...
May I also strongly suggest to read Tor's documentation...
>Did actually try to document yourself?
Did you actually try to document yourself?
>obfsproxy and a special proxy called Shadowsocks
Tor is accessible practically only via obfsproxy and a special proxy called Shadowsocks
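
Added example, not part of any post in this thread: a small shell check that flags the torrc route-selection overrides debated above (ExcludeNodes, ExcludeExitNodes, EntryNodes, ExitNodes) and the combination of StrictNodes 1 with a country-wide ExcludeNodes. The function name lint_torrc and the sample torrc are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a torrc for route-selection
# overrides. The sample torrc written by demo() is constructed.

# lint_torrc FILE
# Prints one finding per line. Returns 1 if anything was found, 0 if the file
# leaves path selection to Tor.
lint_torrc() {
    awk '
        BEGIN {
            n = split("excludenodes excludeexitnodes entrynodes exitnodes", w, " ")
            for (i = 1; i <= n; i++) watch[w[i]] = 1
        }
        {
            sub(/#.*/, "")                  # anything after "#" is a comment
            if (NF < 2) next                # need an option name and a value
            opt = tolower($1)               # option names are case-insensitive
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)
            if (opt == "strictnodes") {
                strict = (val + 0 == 1); strict_line = NR
                next
            }
            if (!(opt in watch)) next
            # Count {cc} country entries; "&" puts each match back unchanged.
            cc = gsub(/[{][A-Za-z?][A-Za-z?][}]/, "&", val)
            printf "line %d: %s overrides Tor path selection (%d country codes)\n", NR, $1, cc
            found++
            if (opt == "excludenodes" && cc > 0) hard = 1
        }
        END {
            if (strict && hard) {
                printf "line %d: StrictNodes 1 turns the country-wide ExcludeNodes into a hard requirement\n", strict_line
                found++
            }
            exit (found > 0)
        }
    ' "$1"
}

demo() {
    f=$(mktemp) || return 1
    # Constructed sample torrc.
    printf '%s\n' 'SocksPort 9050' '# ExitNodes {us}' \
        'ExcludeNodes {cn},{ru}   # whole countries' 'strictnodes 1' > "$f"
    lint_torrc "$f" || echo "-> review these settings or remove them"
    rm -f "$f"
}
demo
```
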

OP 02/19/2016 (Fri) 20:11:11 [Preview] No. 1931 del

Thanks for the comments.
I read the documentation but I may have gotten the wrong impression from reading the lines on Strictnodes,ExcludeNodes, and interpreted what it was saying incorrectly.

Thanks for the tips and for your perspective. That was very constructive criticism.

OP 02/19/2016 (Fri) 20:19:04 [Preview] No. 1933 del

Very nice graphic chart. Excellent find. This really helps me visualize this better. Thanks. (requires java script)

Anonymous 02/23/2016 (Tue) 02:29:00 [Preview] No. 1985 del
Here's that PDF for babbies

Anonymous 02/23/2016 (Tue) 04:10:27 [Preview] No. 1986 del
In a security thread, download an unknown pdf file with possible javascript is not a good practice...

Anonymous 02/23/2016 (Tue) 04:42:47 [Preview] No. 1987 del
opie+febe+cleo= backup your iceweasel/jondofox/firefox addons and preferences (i think including about:config and user.js?) into an xpi file. simply drag the backup on your new browser (or distro) and return to your configured state.

Addons i Reccomend
random agent spoofer

Does anyone know how to use anonymouth?

I got to where you load it into eclipse and at that moment it eclipses my understanding.

Anonymous 02/23/2016 (Tue) 04:53:15 [Preview] No. 1988 del
the tumbler library of basic opsec. it's in this thread I think or the culture jamming one on /pol/

Anonymous 02/23/2016 (Tue) 05:05:41 [Preview] No. 1989 del
$ firejail
$ torsocks wget http://endchan5doxvprs5.onion/tech/media/490.pdf/alias/The%20Paranoid%27s%20Bible.pdf
$ mat The\ Paranoid\'s\ Bible.pdf
[*] Cleaning The Paranoid's Bible.pdf
[+] The Paranoid's Bible.pdf cleaned!
$ firejail --net=none --shell=none xpdf The\ Paranoid\'s\ Bible.pdf

After some cursory reading, I'd say you don't miss anything.

>pgl or ipset
ipset is more efficient and native, there are tools to convert from pgl lists to ipset-native ones (one of these tools is in plain sight in arch's wiki...); there are a bunch of working basic scripts for importing blacklists from various sources (including project honeypot) in ipset, and keep it updated with cron jobs.
I'd never use a script more complicated than this.
Blocking any random scanners (including some "institutional" ones) usually means "security via obscurity". Usually security via obscurity is despised (meaning that it's pointless to block random scans unless it's an attack), still it may be of some relief in some scenarios. ipset list:set lets you chain all the ipset sets in one single entry for iptables, the goal usually is to keep the iptables rules as short as possible (long chains will have a cost). I don't get what's the point of dropping all the possible "xmas scans" when we have "--ctstate INVALID -j DROP"... the only two other cases where you may wish to handle it directly could be to FIN,SYN,RST,ACK SYN on NEW ctstate (to reject with tcp-reset, not to drop) and limit generally FIN,SYN,RST,ACK SYN.

Anonymous 02/23/2016 (Tue) 05:55:23 [Preview] No. 1991 del
(12.79 KB 192x178 the game.jpg)
RAS does what dolus does, but it doesn't do what ipfuck does. Why use dolus at all?

OP 02/23/2016 (Tue) 05:56:05 [Preview] No. 1992 del
Thanks for the tips, I'll update my script with your suggestions. Thanks.

Anonymous 02/23/2016 (Tue) 05:59:18 [Preview] No. 1993 del
I set RAS to "per request"; dolus changes the x-forward separately, usually every 10 minutes or so. I like the double spoofing.

Anonymous 02/23/2016 (Tue) 06:02:48 [Preview] No. 1994 del
Ok you got me there, big guy.

Anonymous 02/23/2016 (Tue) 07:07:11 [Preview] No. 1996 del
(127.01 KB 1280x800 image.png)
My shitlist

Anonymous 02/23/2016 (Tue) 08:09:18 [Preview] No. 1997 del
pretty sure half of those are redundant

Anonymous 02/23/2016 (Tue) 08:32:55 [Preview] No. 1998 del
Besides dolus and maybe GNU LibreJS, every addon does its own thing that the other can't do. I would say that there is overlapping of features between addons which would be around a third of all the addons, but really, I used to use more addons before RAS came into the picture. uMatrix's user agent spoofing sucks, uBlock Origin and uMatrix is better when both are used together which it had replaced NoScript and RequestPolicy though for normal people, uBlock Origin is enough.

Anonymous 02/23/2016 (Tue) 08:35:23 [Preview] No. 1999 del
(577.66 KB 299x198 maru1.gif)

Anonymous 02/23/2016 (Tue) 08:35:39 [Preview] No. 2000 del
(573.53 KB 299x198 maru2.gif)

Anonymous 02/23/2016 (Tue) 08:51:05 [Preview] No. 2001 del
It seems like the current version of RAS is the same as the one available on the firefox website, but when in doubt, dl from github: https://github.com/dillbyrne/random-agent-spoofer/releases

Anonymous 02/24/2016 (Wed) 00:25:06 [Preview] No. 2002 del
I'd use, but it's designed for an Arch distro. You should specify

Anonymous 02/24/2016 (Wed) 00:26:01 [Preview] No. 2003 del
I think this should also be making dot files instead of just folders in the home folder

Anonymous 02/24/2016 (Wed) 00:27:26 [Preview] No. 2004 del
My mistake. You have it for other systems as well, but the one you want to run first is using Arch's package manager, so it doesn't work.

Anonymous 02/24/2016 (Wed) 00:57:38 [Preview] No. 2005 del
There are a lot of problems in your shell scripts. This is a list of some of them:
- You constantly repeat long commands that are (mostly) the same. Use shell functions for that.
- Use %e with date to get a space padded day, so you don't have to use your own weird solution.
- Never do 'arg1="$1" # argument 1 from terminal'. You can just use $1 everywhere you now use $arg1, which makes your script shorter and easier to understand.
- If you want to grep through a file, specify the file as the second argument, instead of opening it with cat.
- $# is a variable that contains the number of arguments the script got. Use it, so you don't need ugly things like '[ "$arg1 " != " " ]'.
- Put a line containing only #!/bin/sh (or #!/bin/bash if you use bash features, but I don't see any) at the top of the file. That way the scripts can be made into executables.
- Not all Debian systems use systemd (so you can't rely on systemctl working).
- The way you use gawk is supported by POSIX awk, so just use awk as the command name instead of gawk. Not all systems have gawk installed, just about all of them have some version of awk.
- It's good practice to put quotes around all strings you echo, to make sure they come out the way you want them to.
- You don't need to use parentheses in for loops. They have advanced effects that don't have anything to do with for loops or what you're doing.
- Semicolons are more or less replacements for newlines. They don't do anything if you put them at the end of a line.
- Always put quotes around shell variables, unless you know you need them to split up into separate arguments.
- See if you can merge your scripts for different distros
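
A short script written the way the list in the post above recommends (shebang, `$#`, a shell function instead of repeated pipelines, `%e`, grep with a file argument, plain awk, quoted variables). This is an added example, not OP's endwall/endtools code; the sshd log format, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not OP's endwall/endtools code.
# Counts failed SSH logins per source IP for one day of a syslog-style log.

# syslog writes single-digit days space-padded ("Feb  3"); date's %e does the same.
# LC_ALL=C keeps the month abbreviation in English, as syslog writes it.
today_prefix() {
    LC_ALL=C date '+%b %e'
}

# One function replaces the same grep/awk pipeline pasted once per pattern.
# $1 = log file, $2 = date prefix, $3 = pattern (basic regex)
count_by_ip() {
    # grep takes the file as an argument (no cat); plain awk, no gawk features.
    # The user name in a log line is chosen by the remote side, so the address
    # is taken after the LAST "from" on the line, not the first.
    grep -- "^$2 .*$3" "$1" |
        awk '{ for (i = NF - 1; i >= 1; i--)
                   if ($i == "from") { n[$(i + 1)]++; break } }
             END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# Constructed sample log (documentation-range addresses); prints its path.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Feb  3 04:10:01 host sshd[411]: Failed password for root from 192.0.2.10 port 4022 ssh2
Feb  3 04:10:05 host sshd[411]: Failed password for invalid user admin from 192.0.2.10 port 4023 ssh2
Feb  3 04:11:00 host sshd[412]: Failed password for invalid user from from 192.0.2.10 port 4024 ssh2
Feb  3 05:00:00 host sshd[500]: Failed password for root from 198.51.100.7 port 5000 ssh2
Feb 13 05:00:00 host sshd[600]: Failed password for root from 203.0.113.9 port 5000 ssh2
Feb  3 06:00:00 host sshd[700]: Accepted password for user from 192.0.2.55 port 6000 ssh2
EOF
    printf '%s\n' "$f"
}

main() {
    # $# is the argument count; no need to compare "$1 " against " ".
    if [ "$#" -ne 1 ]; then
        echo "usage: $0 LOGFILE" >&2
        return 2
    fi
    count_by_ip "$1" "$(today_prefix)" "Failed password"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The "Feb 13" line in the sample shows why the space-padded day matters: a prefix built without padding would either miss the 3rd or also match the 13th.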

OP 02/24/2016 (Wed) 03:46:32 [Preview] No. 2009 del
Those are some good tips/ reviews. I'll make some of these changes and fix this up next week. Thanks. If anyone else sees any problems/errors and wants to share please do and I'll try to fix it. Thanks.

Endwall/Endlists/Endsets/Endtools scripts OP 02/24/2016 (Wed) 05:37:57 [Preview] No. 2010 del
Development on endwall.sh, endlists.sh endsets.sh, endtools: spamalertz.sh, mlogalertz.sh, alogalertz.sh, iplookup.py may be found in the following thread:
and is on post
If anyone sees serious problems in my scripts please point out the errors and I will try to fix them or improve them according to the comments.

I'll look into using functions next week. I have too much on the go until next wednesday to break out a book and read about it. But I can already see how that is going to work out. So thanks for the idea / tip.


Endwall, Endtools OP 02/24/2016 (Wed) 05:41:07 [Preview] No. 2011 del
the files can be found here:

If anyone can't access these files, let me know over here or over in the endwall thread and I'll post them in the endwall thread on debian paste or using pomf.


OP 02/24/2016 (Wed) 06:13:32 [Preview] No. 2016 del
Files are found here:
Please let me know if you find any style issues or errors.

I'll work on reducing the repetitions using shell functions next Friday. I've got stuff on the go until then. Thanks for your comments/help.

Anonymous 02/27/2016 (Sat) 18:46:35 [Preview] No. 2072 del
>>The fourth time someone pointed out he didn't even add a shebang, he eventually added it
>bash, for no reasons at all. He doesn't even perform a test the bash way (e.g. to check the OS, gee what's os-release?) but let's pick a shell at random
>the third time someone pointed out that all those xmas dropping are obsolete, he added ctstate invalid checks... but in the wrong way
>...and left all those useless xmas and bad flags drop
>doesn't know how that has to reject only tcp flags:0x17/0x02 ! ctstate NEW reject-with tcp-reset after dropping ctstate INVALID after accepting ctstate RELATED,ESTABLISHED and boom 100% of his rules are fucking useless
>let's add a bunch of useless checks on loopback
>let's use a geoiplookup in python with less functionality; let's miss the chance to add whois.rbd lookups for ASNUM (in order to import entire ip blocks)
>let's miss the chance to add aggregate/sipcalc to crunch the ipset list
>what is sysctl

Find a different hobby.
There are a bunch of better scripts for ipset and iptables, better read them before rolling your own inanity.

Anonymous 03/15/2016 (Tue) 18:28:51 [Preview] No. 2316 del
SO OP, did you change your Tor configs or is it pretty much default now?

OP 03/15/2016 (Tue) 22:02:55 [Preview] No. 2320 del
I've changed a couple of things. But it's been static for a while. I'm thinking of switching to using it for DNS lookup to see if I can lose the feds. The feds are still onto me. I can tell, but I don't know exactly how they're doing it.

testing proxies for use with proxychains:

$ curl --socks4 ipv4:port www.google.com
$ curl --socks5 ipv4:port www.google.com

I'll post my changes. In a bit. My youtube video usage is still being pinpointed even behind all of this. These fuckers are good.

Anonymous 03/15/2016 (Tue) 22:45:48 [Preview] No. 2321 del
>My youtube video usage is still being pinpointed
What do you mean?

OP 03/16/2016 (Wed) 00:12:13 [Preview] No. 2322 del
$ torsocks curl --socks4 ipv4:port www.google.com

If it connects try it in the proxychains chain.

OP 03/16/2016 (Wed) 00:23:24 [Preview] No. 2323 del
Poor andy. MI5 is giving him a heavy burtation.

Anonymous 03/16/2016 (Wed) 00:33:30 [Preview] No. 2325 del
Time Attacks:

TL;DR disable TCP timestamps and disable NNTP.

Anonymous 03/16/2016 (Wed) 00:54:00 [Preview] No. 2326 del
How do I disable tcp timestamps?

I use OpenNTPd to sync the time but it's disabled and off all the time unless i need to sync the time which is like once a month.

I'll searx it. Thanks. Any other tips post them below.

OP 03/16/2016 (Wed) 00:55:27 [Preview] No. 2327 del
OK that link has the solution. Good post. Thanks.

OP 03/16/2016 (Wed) 00:59:19 [Preview] No. 2328 del
$ su
# sysctl net.ipv4.tcp_timestamps=0
# sysctl -a | grep -a "timestamps"
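
The `sysctl` command in the post above changes only the running kernel; the value goes back to its default at the next boot unless it is also written to a sysctl configuration file. An added example (not from the thread) that reports both states; the function names and the fixture are assumptions made for illustration, and only the one config file passed in is checked.

```shell
#!/bin/sh
# Added illustration: is tcp_timestamps off now, and will it stay off after a reboot?

KEY=net.ipv4.tcp_timestamps

# Print the last value assigned to key $2 in sysctl.conf-style file $1.
persisted_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                  # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)                # "key = value" spacing
            sub(/^-/, "", k)                    # leading "-" means ignore errors
            gsub("/", ".", k)                   # net/ipv4/... spelling of the key
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { last = v; seen = 1 }
        }
        END { if (seen) print last }
    ' "$1"
}

# Print the live value of key $1 from procfs root $2 (default /proc/sys).
runtime_value() {
    path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo unknown; fi
}

# $1 = sysctl.conf-style file, $2 = procfs root (optional).
# Prints: disabled-persistent | disabled-until-reboot | enabled-until-reboot | enabled
timestamp_status() {
    live=$(runtime_value "$KEY" "$2")
    saved=$(persisted_value "$1" "$KEY")
    case "$live:$saved" in
        0:0) echo disabled-persistent ;;
        0:*) echo disabled-until-reboot ;;
        *:0) echo enabled-until-reboot ;;
        *)   echo enabled ;;
    esac
}

# Constructed fixture: fake procfs tree plus a config file; prints its directory.
# $1 = live value, $2 = config file text
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/proc/net/ipv4"
    printf '%s\n' "$1" > "$d/proc/net/ipv4/tcp_timestamps"
    printf '%s\n' "$2" > "$d/sysctl.conf"
    printf '%s\n' "$d"
}

# Run only when called with arguments: CONFFILE [PROCFS_ROOT]
if [ "$#" -gt 0 ]; then
    timestamp_status "$1" "$2"
fi
```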

Anonymous 03/16/2016 (Wed) 10:15:16 [Preview] No. 2332 del
It seems that pf(4) has a rule to randomize TCP timestamps, so you don't need to disable them (some servers may need them):

echo "match in all scrub (reassemble tcp)" >> /etc/pf.conf

OP 03/18/2016 (Fri) 01:41:03 [Preview] No. 2355 del

God told me. He tells me I'm doing a great job with endwall. I just have to keep adding up all the different numbers...

That was actually a fairly good Tom Baker impression. Repost that video in the Temple OS forum for Terry, he might appreciate it.

OP 03/18/2016 (Fri) 02:18:21 [Preview] No. 2357 del
>God told me.
That was a joke by the way. video related.

It's more like this. I add up the clues, just like John Riley in the video. For instance, if I use 2 Polish open proxy servers at the end of my proxychain, and then a wave of 10 Polish IPs start flooding my public server with fishing spam. Little clues like that. The botnet controller is having a go at me / mocking me.

Once is an accident, twice coincidence, three times coordinated, four times a conspiracy.

OP 03/18/2016 (Fri) 02:52:06 [Preview] No. 2358 del
some links from searx on sysctl

I'll do a little more reading and update my scripts in a week or two when I have some free time.

Anonymous 03/18/2016 (Fri) 04:00:53 [Preview] No. 2360 del
>four times a conspiracy
I would say that this reasoning falls under the "fallacy of the maturity of chances":

But since your specific example is an objective event, you could say that the probability of someone targeting you is higher than normal.
Now, if you assume that the author of such attacks is actually the government or some other corporation, then you are probably schizophrenic.
The strange thing about this hypothesis (we all being schizo's) is that you would never know if this is true or not.

I just don't buy the idea of conspiracy "theory". The massive spying over all means of communication by security organizations is not a "theory", it's actually a real conspiracy, because we have proofs for that, we don't need to believe it.

Anonymous 03/18/2016 (Fri) 04:18:13 [Preview] No. 2361 del
My server uses this sysctl.conf


It's for openbsd, though. I think gnu+linux don't have a securelevel equivalent and don't have the xf86 aperture driver...
If you know any other sysctl trick to tighten security, let me know.

If you are this paranoid, you could actually just lock the server:

- remove the user from wheel, so he can't access the "su";
- remove the user from the sudo group or "doas";
- modify your /etc/fstab to mount all the filesystems as read-only and with all 4 flags: noexec, nodev, nosuid and noatime
- use root to turn all files immutable using chflags: # chflags -R schg /.
- use the securelevel to 2;
- remove the "secure" flag from all tty's and from console on /etc/ttys so that root can't access the system anymore and the system will ask for password when entering single-user mode;

Done. Now, only the user has permission to enter the system, and any files can be modified, so no intrusion attacks. Could still deanonymise you or cause denial of service. The offender could exploit some buffer overflow, but if your memory is encrypted (like with W^X) you don't need to worry. The only possible attacks I can see would be a hardware attack, like with Intel AMT, ring 0 privileges on x86, rowhammer and the side channel attacks. Besides that, I can't see how someone would exploit this system to, say, put in some backdoor.
Of course, this is highly impractical, since you would need to reinstall the whole server if some update is needed. But for a hidden service of an imageboard, I think this could be practical since you don't need maintenance and you can access the web interface as admin to moderate. There's also the possibility to synchronize the database used by your site using some distributed filesystem like tahoe-lafs, and spread it across many servers. So, if one server is down, the other automatically serves the page again. If you have enough boards, it would be very difficult to remove the website from the net. Could do it using an ARM development board, for example.
Just some random thoughts, don't listen to a schizophrenic.

OP 03/18/2016 (Fri) 05:34:06 [Preview] No. 2363 del
This is gold. Thanks for the advice/post. You're not just helping me but all passers by. Any other good security tips for linux/bsd place them below.

Even good stuff for Windows NT if anyone has ideas / methods. If you have to work at a company (and not as a programmer) you'll end up having to deal with Windows NT. Usually you won't have administrator rights to do much but all the same...

Anonymous 03/18/2016 (Fri) 16:40:05 [Preview] No. 2364 del
probably meant to quote >>2361

OP 03/19/2016 (Sat) 08:02:27 [Preview] No. 2373 del
Yeah. It was late, typo. I meant >>2361.

Typing behind links is difficult it's hard to cut and paste, I have to type it all out.

Keep the security tips coming. Thanks.

Anonymous 03/20/2016 (Sun) 09:51:58 [Preview] No. 2383 del
Ixquick is moving to .eu; changing .com to .eu with the custom obfuscated URL won't work.

Here's the two that I use:

Asian servers:

European servers:

Startpage is GARBAGE, and I don't use searx without Tor or a simple proxy.

Anonymous 03/20/2016 (Sun) 09:58:11 [Preview] No. 2384 del
Hmm...shit don't work as intended. Perhaps after March 25th of the Ixquick-Startpage merger, Ixquick.eu would get its shit together. Avoid the .eu for now.

Anonymous 03/20/2016 (Sun) 10:12:04 [Preview] No. 2386 del

Anonymous 03/21/2016 (Mon) 07:59:21 [Preview] No. 2414 del
Random reminder that Shadowsocks is an app that can be installed via Google Play, although the alternative to bypass the Great Firewall of China is to install the FreeBrowser app.

Though flashing your Android with a custom ROM might be better than default, if you have shit like KNOX and such, you're pretty much cucked. Getting a $1 SGS5 during Black Friday is not worth it if you've done the stupid mistake of updating it to Lollipop, but then your shit would be outdated and vulnerable to shitty bugs.

If you're in a non shit country and if you want to use a smartphone, get a Jolla phone. If you're in a shit country, using a phone is dangerous in itself. You might want to consider getting one of those anti signal pouches that puts your phone in a proper faraday cage, or use the airplane mode in standby for when you want to use it though if the battery's in, you will be tracked.

Also, selfies is a DARPA/DoD meme to collect biometric data and metadata. Try to get a smartphone without a front facing camera or better yet, without a camera, or even better, don't get a smartphone when you can get a smart device that requires Wi-Fi, or even better yet, don't use Wi-Fi or a smart device that has no slot for a SIM card and just do VoIP shit on your hardened computer setup.

Anonymous 03/21/2016 (Mon) 11:34:44 [Preview] No. 2415 del
Neat, thanks.

Anonymous 03/21/2016 (Mon) 20:42:49 [Preview] No. 2416 del
Don't use a PTD (personal tracking device). That's the rule if you want privacy/security... after deleting your social media and google accounts, of course.

Anonymous 03/21/2016 (Mon) 23:27:51 [Preview] No. 2417 del
Some people have freedom restricting lives that demands freedom restricting PTDs to talk to people. Perhaps when biometric IDs are pushed in the US like it's already is in other countries, maybe then a little more people might start caring about their dystopian cyberpunk reality.

Anonymous 03/23/2016 (Wed) 20:34:45 [Preview] No. 2420 del
add these to trackmenot like

i set it to 5 per minute it spoofs and make random searches

Anonymous 03/23/2016 (Wed) 20:39:15 [Preview] No. 2421 del

Anonymous 03/27/2016 (Sun) 01:02:05 [Preview] No. 2438 del
Update your user agent for uMatrix:


I use uMatrix's user agent spoofer with Random Agent Spoofer addon. uMatrix does not update the user agent strings by default, but RAS does. I set RAS on per request and uMatrix in a single digit amount of minutes to change the user agent. Overkill? Perhaps.

Anonymous 03/27/2016 (Sun) 01:08:49 [Preview] No. 2439 del

Seems down on my end, maybe it's temporary.

Anonymous 03/31/2016 (Thu) 12:19:05 [Preview] No. 2463 del
Shitposting on http://fuacantanj2vhfpw.onion/webos/

Also, http://glitch.news/2016-03-30-police-may-use-wi-fi-routers-to-identify-criminals-even-before-a-crime-is-ever-committed.html https://archive.is/iTeHh

If you have a Wi-Fi card, remove it. If you have Wi-Fi on for your router, disable it. If you have proprietary software on your router, install dd-wrt on a compatible router and disable Wi-Fi (and don't pirate shit).

Anonymous 04/01/2016 (Fri) 00:22:25 [Preview] No. 2467 del
If you stop doing things you want to do just because of massive worldwide surveillance, then they already won, then all the protection of your privacy means nothing. Don't stop doing things just because they want to destroy your privacy.
I don't agree with all types of piracy, but you got the idea.

Anonymous 04/01/2016 (Fri) 00:47:35 [Preview] No. 2468 del
what are you, too retarded to configure openwrt? too in love of proprietary cock for librewrt?

OP 04/01/2016 (Fri) 01:32:41 [Preview] No. 2471 del

I picked up some old TP-Link gear to put libreCMC on


I'm currently behind a medium tier wired/(non wireless) router with a non-free firmware (up to date) for my edge router/firewall. Its firewall is configured to block all inbound and outbound and then opens only what I use, similar to my iptables firewall. It works pretty good, but I can't be certain of its security/integrity. It also feeds me syslog on port 514 so I can see all of the ridiculous stuff going on that it doesn't let through as well in my logging scripts.

I'm going to experiment with libreCMC spring/summer. The TP-Link stuff is pretty flimsy looking though, so it's not going to the front of the line until I test it out thoroughly. I also picked up an older Linksys for using with openwrt.


I'll make a thread on that when I get working on configuring that stuff in July/August.
Thanks for the Hosts file I'm using it on my web browsing rig.

Keep the good stuff coming in below.

Anonymous 04/01/2016 (Fri) 02:18:34 [Preview] No. 2473 del
With all due respect, I use Wi-Fi and stuff, but I do them on a different computer, think physical sandbox isolation. It all depends on what you think you want to do. If you have unprotected Wi-Fi on and if you torrent shit, you can get away with claiming that people used your unprotected Wi-Fi to download copyrighted furry porn, all the while if you're in USA, plead the 5th. However, not everybody wants to have the FBI snoop the Wi-Fi waves via the partyvan to be "guilty" before proven innocent. In the courtroom, people are guilty or not guilty, being in the courtroom itself assumes many things in itself. One silly way to significantly reduce the range of the Wi-Fi signal of one's router (that "Respects Your Freedom") is to use one of these silly contraptions: http://smartmeterguard.com/products/router-guard

Also, I haven't looked that much into alternatives to dd-wrt so that is my own ignorance, not willfully ignorant.

Having free and open source software and hardware is good, but it doesn't always have "security". To have security is not always to have muh four freedoms. There's probably some high level government tier secure and proprietary software and programs, they're "secure" but not having freedums. Freedoms doesn't guarantee privacy, especially what the people give out by their own volition about who they are, and sometimes it's necessary to give out some information. Nobody is forced to listen to me or RMS or the botnet, they just need to make a conscious effort to resist oppression by at least being aware of what consequences their own decisions are creating and affecting them and everyone else. The golden rule is up to every individual to decide what they adhere to, though that doesn't mean people can't share ideology or use memetics.

Anonymous 04/05/2016 (Tue) 07:35:16 [Preview] No. 2519 del
Using a proxy bypasses hosts filtering, I think. I don't know if that applies to transparent proxification of your system via Tor. One could add something like this: https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-porn-social/hosts into uBlock Origin and/or uMatrix's list of hosts files.

Anonymous 04/05/2016 (Tue) 08:17:36 [Preview] No. 2520 del

I use both uBlock Origin and uMatrix but I use the following for uMatrix while leaving uBlock Origin alone with almost everything checked:


I uncheck the following in uMatrix due to redundancy:

MVPs.org Hosts file at http://winhelp2002.mvps.org/hosts.htm,
Dan Pollock at http://someonewhocares.org/hosts/,
Malware Domain List at http://www.malwaredomainlist.com/,
Peter Lowe at http://pgl.yoyo.org/adservers/

Anonymous 04/05/2016 (Tue) 08:19:00 [Preview] No. 2521 del
meant to quote >>2519

Anonymous 04/06/2016 (Wed) 13:05:17 [Preview] No. 2546 del
use this to keep random agent spoofer from splattering notifications all over your screen when you set it to per request.

commonly forgotten about:config settings



geo.enabled;false (not commonly forgotten but very important)






media.getusermedia.screensharing.allowed_domains;delete the value



Anonymous 04/06/2016 (Wed) 14:28:04 [Preview] No. 2553 del
You should not use Gecko, Blink or Webkit if you value your privacy and security. dot.

Anonymous 04/06/2016 (Wed) 23:16:53 [Preview] No. 2560 del
Do you do everything in a terminal without Xorg or Wayland using a text based web browser and tmux?

Anonymous 04/07/2016 (Thu) 03:38:58 [Preview] No. 2566 del
When I used gnu+linux yes, I used to not even install xorg, because the kernel has support for framebuffer.
But I switched to BSD, and this system has no support for framebuffer.
But, not everyone need to reach this level of autism like I did in past. You can just use other browsers without the engines I mentioned. I'm currently using Links 2.12 and I find this awesome. You need to use with ion3, though, to have tabs working.

Anonymous 04/07/2016 (Thu) 09:21:18 [Preview] No. 2577 del
I disabled it natively on that addon's setting

Anonymous 04/07/2016 (Thu) 14:47:52 [Preview] No. 2585 del
The voodoo is some next level shit. open source too.
someone mentioned cryptostorm. I have articulated the voodoo network as such:

voodoo is amnesiatic interlude between the masked presentation layer and the masked exit layer. With rhythmic ease the nat is given a dose of its own disease.
it is the balance of anonymity and privacy in a way that can't be described for that is a testament to its own inherent obfuscation.

As a further testament to my appreciation i will not even explain what is already insanely brilliant

Anonymous 04/07/2016 (Thu) 14:59:38 [Preview] No. 2586 del

this was linked in the voodoo discussion. it's a good thread on becoming security sufficient

Anonymous 04/07/2016 (Thu) 18:06:14 [Preview] No. 2587 del
Next time post the code, not the forum, please:

Cryptostorm seems, to me, a honeypot. Do not trust them. Also, this "voodoo" is just an idea because most people on this forum don't know how to code.
TLS is not secure enough. IPsec is the current best practice. OpenVPN is full of bugs, too.
>[using] :-)
If you use a smiley face or !bang in your readme this is a big signal that you are lame.
>outgoing to VPS server
So, you'll trust all your data to a VPS server? Tell me more about how VPS providers do not participate from XKEYSCORE.

overall: too long; didn't read.

Anonymous 04/09/2016 (Sat) 03:14:24 [Preview] No. 2598 del
sorry bout that. I use Mullvad but have used cryptofree on VMs as an extra layer of security. apparently the DNS and localhost do not connect to the same tunnel as the real IP on the VPS. not sure.

Anonymous 04/09/2016 (Sat) 03:35:09 [Preview] No. 2599 del
as far as them being shills I can't say in their defense they have the following in their config files to connect
Suspicious or reassuring? not for me to decide. also the smileyface was appropriate in the context of confusing the hell out of correlation attacks because it is amusing to imagine that.

Anonymous 04/12/2016 (Tue) 21:54:21 [Preview] No. 2609 del
Android security in a nutshell:
Install CopperHeadOS and only use FOSS from f-droid. Use Icecatmobile for web-browsing. Noscript + HTTPS Everywhere + ublock origin + Adaway

PC Security in a nutshell:
This on a thinkpad with libreboot installed

And you're done.

Anonymous 04/12/2016 (Tue) 22:35:09 [Preview] No. 2610 del
Why would you need this if you already have Ublock? You and the link probably think that more addon == better security, but that's wrong. Firefox itself is a gigantic piece of shit, and add more and more addons will just make it even more bloated.

Seems cool, but only ported to Nexus. When will some system like Replicant and this one be ported to more popular phones like Samsung Galaxy's? Don't need to be blob-less, just a little hardened and audited system would be already good.
[should not use PTD's anyway]

Anonymous 04/12/2016 (Tue) 23:01:24 [Preview] No. 2611 del
No, More addons is not a good thing.

They should be kept to a minimum. imo 3 is not bad.

>Why adaway
Surely you use some app that has ads? AdAway is good to have for other apps. BTW replicant has an s3 port, But you need the expensive as hell unlocked version.

Anonymous 04/13/2016 (Wed) 05:39:47 [Preview] No. 2618 del
Hey guys, see >>2594

Why don't you guys create another thread just about these gecko engine configs?
Here are three very complete user.js:

You guys could try to maintain one of these l33t user.js, add css/hosts blocking and suggest good addons (like in privacytools.io):
>>2609
>posting outdated TRASH
>using anything .deb in current year
Well, guess some people learn things the hard way.

Anonymous 04/13/2016 (Wed) 05:41:22 [Preview] No. 2619 del
the fuck is wrong with that...
meant to quote >>2609

Anonymous 04/15/2016 (Fri) 00:46:48 [Preview] No. 2686 del
Does anyone have a method to block youtube embed? I'd like to stop google's code wherever i can, Already stopped using any google services long ago.

I play youtube videos in MPV. if i wanted to watch the video i would put the link in my terminal.

Anonymous 04/15/2016 (Fri) 00:55:06 [Preview] No. 2687 del
An extension like uMatrix can easily block them.

Anonymous 04/16/2016 (Sat) 07:49:29 [Preview] No. 2738 del

Anonymous 04/23/2016 (Sat) 09:01:54 [Preview] No. 2901 del

Anonymous 04/23/2016 (Sat) 09:03:29 [Preview] No. 2902 del
last attempt (what a clusterfuck of a setup I have right now)

Anonymous 04/23/2016 (Sat) 09:07:47 [Preview] No. 2903 del
one of these things are fucking me up with file uploads or something

Anonymous 04/23/2016 (Sat) 09:43:24 [Preview] No. 2905 del
Installing more addons doesn't make you more secure. It actually makes you more vulnerable, since your attack surface is expanded.
Almost every addon you have can be configured using about:config.
Just remove everything except the uMatrix and HTTPS Everywhere. Then use this user.js:

Anonymous 04/23/2016 (Sat) 11:29:28 [Preview] No. 2906 del
sorry but not sorry, that user.js is simply not enough.

Anonymous 04/23/2016 (Sat) 15:11:36 [Preview] No. 2907 del
All the "Disable" addons can be replaced by straightforward about:config modifications. uMatrix has functionality for Random Agent Spoofer and Self-Destructing Cookies.

Anonymous 04/23/2016 (Sat) 21:09:44 [Preview] No. 2913 del
uMatrix can't do all of what RAS can do, if you think it can, you know shit breh.

Anonymous 04/23/2016 (Sat) 21:37:11 [Preview] No. 2914 del
also self destructing cookies can delete unused cookies within seconds while the smallest interval uMatrix lets me use is 15 minutes.

Anonymous 04/23/2016 (Sat) 21:51:00 [Preview] No. 2915 del
Disable visited links is more of a CSS problem that isn't resolved by about:config stuff. The other two Disable addons are replaceable.

Anonymous 04/23/2016 (Sat) 23:38:09 [Preview] No. 2916 del

var a = 1;

Anonymous 04/24/2016 (Sun) 01:14:06 [Preview] No. 2924 del
(58.68 KB 600x800 clusterfuck.jpg)
This is what your addons seems like.

Anonymous 04/24/2016 (Sun) 01:30:32 [Preview] No. 2926 del
mmm delicious

Like two of the addons listed are not necessary in terms of security but for mere convenience XD (torrenting shit via Tor within the browser being one of them)

Anonymous 04/24/2016 (Sun) 18:48:45 [Preview] No. 2933 del
>torrenting shit via Tor
You can't torrent via Tor.
Tor doesn't support UDP.

Anonymous 04/24/2016 (Sun) 23:58:46 [Preview] No. 2937 del
(11.62 KB 960x457 loldongs.png)
fuck you and your assumptions, I bet you've never tried.

Anonymous 04/25/2016 (Mon) 00:04:12 [Preview] No. 2938 del
All the UDP parts of the protocol are leaking. You're putting load on the Tor network, broadcasting what you're doing, and telling people you actually want your torrenting to stay secret, all at the same time.

Anonymous 04/25/2016 (Mon) 00:11:12 [Preview] No. 2939 del
In other words, one doesn't absolutely need to use UDP to torrent shit that doesn't rely in UDP.

Anonymous 04/25/2016 (Mon) 00:22:04 [Preview] No. 2940 del
just throw this at em www.arxiv.org/pdf/1004.1267v1.pdf

Anonymous 04/25/2016 (Mon) 00:33:27 [Preview] No. 2941 del
Too bad they didn't try deanonymizing TCP torrents

Anonymous 04/25/2016 (Mon) 03:43:49 [Preview] No. 2942 del
This. Try this:
- Put your /etc/resolv.conf to
- Put "DNSPort 5353" on /etc/tor/torrc
- Restart tor and the network

Now try again. It will not work, because your UDP connection is redirected to localhost and then tor tries to connect through localhost:5353, but it can't since it does not support UDP, just TCP.
If you want an alternative, Tribler is trying to create an onion protocol subset just for torrents:

Anonymous 05/03/2016 (Tue) 06:16:25 [Preview] No. 3116 del
Install sic IRC client
$ sudo torsocks apt-get install sic
$ sudo torsocks pacman -S sic

$ torsocks sic -h onionirchubx5363.onion -p 6667 -n nickname

:j #main

Anonymous 05/03/2016 (Tue) 16:47:40 [Preview] No. 3124 del
BASH Tutorial: by 1337 Haxorz mona&lisa

Anonymous 05/03/2016 (Tue) 16:49:19 [Preview] No. 3125 del
>>3124 1337 h4x0r from Anonymous

Anonymous 05/05/2016 (Thu) 16:12:36 [Preview] No. 3166 del

allyour4nert7pkh.onion port 6667 plaintext

Anonymous 05/05/2016 (Thu) 16:16:03 [Preview] No. 3167 del
channel is #overchan and #anonet

Anonymous 05/05/2016 (Thu) 16:31:30 [Preview] No. 3168 del
This won't work.
Most websites will fingerprint all of the headers (including their order).
Only changing the user agent will probably make you easier to identify, not harder.

Pretending them to be browsers probably won't work anyways, as websites can also fingerprint your screen resolution (even if you disable JS)[1] but I can't explain how that works.

Your best bet is probably using the Tor Browser Bundle without resizing your window but disabling JS and cookies.

1: http://ip-check.info/?lang=en

Anonymous 05/05/2016 (Thu) 17:40:54 [Preview] No. 3171 del
What's the default screen resolution for the tor browser bundle?

Anonymous 05/05/2016 (Thu) 18:13:42 [Preview] No. 3172 del
Nevermind, it resets every time it's opened.

Anonymous 05/05/2016 (Thu) 18:27:06 [Preview] No. 3173 del
Sorry, I messed up. It measures your browser's display resolution, not the screen resolution.

I also discovered one possible candidate on how they do it: https://css-tricks.com/resolution-specific-stylesheets/
You can make browsers use (and therefore send HTTP requests for) different CSSes depending on their display resolution.
With this, you could at least detect different screen sizes (if the browser is in fullscreen).

Curl or wget could actually always be detected because they don't download any stylesheets, scripts or other content embedded into the site.
Same with youtube-dl which also only downloads some of the stuff on the page.

Anonymous 05/05/2016 (Thu) 18:40:34 [Preview] No. 3174 del
(1.86 MB 640x640 builtfordtough.webm)

>Most websites will fingerprint all of the headers (including their order).

[citation needed]

I find this unlikely, because this would be a lot of unnecessary information to store with limited value for advertising and conversion analysis, and because so few people bother to try to avoid fingerprinting in the first place.

I'm sure the FBI and DEA gather all of that information when they take over a darknet site, though.

webbum unrelated

Anonymous 05/05/2016 (Thu) 19:19:27 [Preview] No. 3177 del
you are clueless

Anonymous 05/05/2016 (Thu) 19:31:45 [Preview] No. 3178 del
If I were to write a tracker, my first approach would be to just concatenate all the info (headers, IP's country, fonts, addons, etc), hash it and store that hash as the identifier.
I assume most trackers will do something along those lines.

Anonymous 05/05/2016 (Thu) 20:00:58 [Preview] No. 3179 del
It's better to make several hashes and then concat those (one hash for http headers, one for browser properties etc). The final identifier is bigger, but it allows you to link different identifiers together if they contain identical sub-strings of one or more hashes, especially if those sub-strings are unique.

Anonymous 05/05/2016 (Thu) 20:46:57 [Preview] No. 3181 del

Excellent citation.

Anonymous 05/05/2016 (Thu) 20:50:44 [Preview] No. 3182 del

Super. Now all that's left is for


to justify the claim that:

>Most websites will fingerprint all of the headers (including their order).

Anonymous 05/05/2016 (Thu) 21:09:44 [Preview] No. 3183 del
I can't prove that it's true.
Actually, I don't think there's very much public knowledge about what fingerprinting techniques are actually being deployed out there, so our best bet is thinking about how we'd do it ourselves and look at all those browser fingerprinting test pages.
Given you use the hash method, hashing all the headers (which would implicitly include their order) isn't any more work than hashing just the user agent, but would result in a finer grained fingerprint.
Looking at the order of the headers might also be a way to bypass user agent switching because different browsers might send the headers in a different order.
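The two schemes discussed in the posts above (one hash over everything versus several concatenated sub-hashes), as an added example that is not part of any post in this thread. It shows why switching only the user agent does not break linkability: the single hash changes, but the header-order, header-value and property sub-hashes stay identical. The header values, property names and function names are constructed for illustration.

```python
import hashlib

def digest(parts):
    """Short SHA-256 over a list of strings, NUL-separated to keep fields distinct."""
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()[:16]

def single_hash(headers, props):
    """One identifier over everything, header order included."""
    flat = [f"{k}:{v}" for k, v in headers]
    flat += [f"{k}={v}" for k, v in sorted(props.items())]
    return digest(flat)

def composite(headers, props):
    """One sub-hash per group, kept apart so two visits can be compared piecewise."""
    rest = sorted((k.lower(), v) for k, v in headers if k.lower() != "user-agent")
    return {
        "order": digest([k.lower() for k, _ in headers]),  # header names as sent
        "ua": digest([v for k, v in headers if k.lower() == "user-agent"]),
        "values": digest([f"{k}:{v}" for k, v in rest]),
        "props": digest([f"{k}={v}" for k, v in sorted(props.items())]),
    }

def shared(a, b):
    """Names of the sub-hashes two composite identifiers have in common."""
    return sorted(name for name in a if a[name] == b[name])

# Constructed sample requests (not captured traffic); list order is the order sent.
VISIT_1 = [("Host", "example.test"), ("User-Agent", "BrowserA/1.0"),
           ("Accept", "text/html"), ("Accept-Language", "en-US"),
           ("Accept-Encoding", "gzip"), ("Connection", "keep-alive")]
# Same client with only the user agent switched.
VISIT_2 = [(k, "BrowserB/9.0" if k == "User-Agent" else v) for k, v in VISIT_1]
# Different client: same header values and user agent string, different order.
OTHER = [VISIT_1[i] for i in (0, 2, 1, 4, 3, 5)]
PROPS = {"viewport": "1000x600", "country": "XX"}  # constructed properties

if __name__ == "__main__":
    c1, c2, c3 = (composite(v, PROPS) for v in (VISIT_1, VISIT_2, OTHER))
    print("single hash changed by UA switch:",
          single_hash(VISIT_1, PROPS) != single_hash(VISIT_2, PROPS))
    print("still shared after UA switch:", shared(c1, c2))
    print("shared with reordered client:", shared(c1, c3))
```
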

Anonymous 05/05/2016 (Thu) 22:46:17 [Preview] No. 3185 del
problem solved

Anonymous 05/05/2016 (Thu) 22:49:03 [Preview] No. 3187 del
there is plenty of info. when adding the search engines to trackmenot you have to use the url of the search engine result of you searching trackmenot with no spaces. on candel a pdf of obfuscating fingerprinting came up.

Anonymous 05/06/2016 (Fri) 04:32:18 [Preview] No. 3198 del
If there is an alternative source of videos that are provided on youtube, substitute away to the alternative provider. For instance download from:


Instead of from youtube. Do the same for anything else that you watch on youtube if there is an alternative source.

Anonymous 05/06/2016 (Fri) 10:54:45 [Preview] No. 3204 del
This borders into OPSEC but there exist techniques to identify you from your writing style called stylometry.
This page has some good papers about it: https://psal.cs.drexel.edu/index.php/Main_Page
If you want to be anonymous or pseudonymous you will have to alter your writing style across different websites/identities.
A tool for this is Anonymouth: https://psal.cs.drexel.edu/index.php/JStylo-Anonymouth

Anonymous 05/06/2016 (Fri) 13:15:58 [Preview] No. 3209 del
I've thought about that before. Can people recognize my posts on imageboards solely by the way I write? I would try out that second link but I get an "Untrusted Connection" warning.

Anonymous 05/06/2016 (Fri) 15:37:38 [Preview] No. 3213 del
Huh, strange...
I get that as well now.

Anonymous 05/12/2016 (Thu) 22:19:02 [Preview] No. 3343 del
This has a few good tips on securing firefox: https://github.com/w00w/security/blob/master/firefox.md

build tor from source Endwall 06/01/2016 (Wed) 05:05:58 [Preview] No. 4368 del
Compiling tor from the source tarball:

STEP 1) Get the Source Tar, check it and unpack it.
$ cd ~/
$ mkdir tor
$ cd tor
$ wget https://www.torproject.org/dist/tor-
$ wget https://www.torproject.org/dist/tor-
$ wget https://www.torproject.org/dist/tor-
$ wget https://www.torproject.org/dist/tor-


$ torsocks wget http://e5qcqoax4chithot.onion/dist/tor-
$ torsocks wget http://e5qcqoax4chithot.onion/dist/tor-
$ torsocks wget http://e5qcqoax4chithot.onion/dist/tor-
$ torsocks wget http://e5qcqoax4chithot.onion/dist/tor-

$ gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
$ gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 0x910397D88D29319A

$ gpg --verify tor- tor-
$ gpg --verify tor- tor-

If signature is good continue or check the md5sum or sha256 sum etc then continue if good.

$ tar -xf tor-
$ tar -xf tor.

$ mv tor- tor_stable
$ mv tor. tor_alpha

$ cd tor_stable

build tor from source Endwall 06/01/2016 (Wed) 05:18:37 [Preview] No. 4369 del
Step 2) configure, make/compile, link.

$ ./configure
$ make
$ mkdir ~/bin
$ export PATH=$PATH:~/bin
$ cd ~/bin
$ ln -s ~/tor/tor_stable/src/or/tor tor_stable
$ cd ~/tor/tor_stable/src/config
$ su
# mkdir /usr/local/etc
# mkdir /usr/local/etc/tor
# mkdir /usr/local/share/tor
# cp torrc.sample /usr/local/etc/tor/torrc
# cp geoip /usr/local/share/tor/geoip
# cp geoip6 /usr/local/share/tor/geoip6
# cd /usr/local/etc/tor
# tor_stable &
# torsocks wget http://ix.io/NjZ
# wget http://ix.io/NjZ
# mv NjZ torrc-defaults
# fg 1
# ^C (Ctrl + C)
# exit
$ tor_stable

repeat for tor_alpha

Don't use the package for tor in your distro repository moving forward unless you have a very good reason to.

build tor from source Endwall 06/01/2016 (Wed) 05:25:06 [Preview] No. 4370 del
STEP 3) Repeat for tor_alpha
$ cd ~/tor/tor_alpha
$ ./configure
$ make
$ cd ~/bin
$ ln -s ~/tor/tor_alpha/src/or/tor tor_alpha
$ cd ~
$ tor_alpha &
$ fg 1
$ Ctrl + C

Anonymous 07/09/2016 (Sat) 18:48:59 [Preview] No. 5794 del
I know I'm bumping an old thread, but I think it's worth archiving and creating a sticky for important threads like this. I think it serves a lot of information for newcomers, and being such a long and involved discussion on internet security, something that this board seems to emphasize a lot, it's important to endchan/tech/'s history.

Anonymous 07/10/2016 (Sun) 17:00:08 [Preview] No. 5801 del
i second that bump of yours

Anonymous 07/13/2016 (Wed) 10:49:35 [Preview] No. 5834 del

Anonymous 08/07/2016 (Sun) 01:21:08 [Preview] No. 6106 del
(22.26 KB 500x247 1984-2.jpg)

TOR and VPNs will likely be illegal in the U.S. come 2017. FBI's reach extended globally


Anonymous 08/07/2016 (Sun) 15:08:22 [Preview] No. 6119 del
Stay safe anonymous ghost

Anonymous 10/02/2016 (Sun) 04:44:54 [Preview] No. 6926 del

Anonymous 11/06/2016 (Sun) 05:48:02 [Preview] No. 7301 del

Anonymous 11/06/2016 (Sun) 15:04:27 [Preview] No. 7305 del

Anonymous 11/06/2016 (Sun) 15:05:33 [Preview] No. 7306 del

Anonymous 12/15/2016 (Thu) 18:29:41 [Preview] No. 7630 del
how was this bumped without a new post, how does that work?

Anonymous 12/16/2016 (Fri) 12:42:19 [Preview] No. 7634 del
It was bumped by link spam. The spam post was deleted, the bump remains.
