Originally written April 2016, updated March 2022
If you like this content, consider sending me an anonymous tip with Zcash:
zs195rfh80s5m6chxrqej57fg9vxw2ypw2p9ppv3e5f44dstcu36f59pxfukugmgzxnp2djvu6w2jd
Never Forget
Never Forget DSA-3733, aka Validating signatures > MitM > RCE
The Debian developer community refused to implement transport cryptography for updates because “signing packages is secure enough”. Fuck that incompetence. This post is about “the how”. If you want to read about “the why”, please read my earlier post: https://yawnbox.com/blog/privacy-proposal-for-debian/
This is a quick guide on how to significantly improves the privacy and security of your Ubuntu server. It requires the installation of apt-transport-tor, an application that will allow apt transfers to occur over Tor. There is also an application called apt-transport-https that is already installed in Ubuntu 20.04 that we’ll leverage first.
The Wikimedia Ubuntu repo has a good TLS configuration, IPv6 and IPv4 support, and they don’t block Tor: mirrors.wikimedia.org
Qualys SSL Labs grade: https://www.ssllabs.com/ssltest/analyze.html?d=mirrors.wikimedia.org&latest
If you only want increased security, this is what your /etc/apt/sources.list should look like:
deb https://mirrors.wikimedia.org/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ focal-updates main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ focal-backports main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ focal-security main restricted universe multiverse
If you want security and privacy, use tor.
Ubuntu Server 20.04 Focal apt privacy upgrade script
#!/bin/bash
mv /etc/apt/sources.list /etc/apt.sources.backup1
touch /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ focal main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ focal-updates main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ focal-backports main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ focal-security main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb [arch=amd64] https://deb.torproject.org/torproject.org focal main' >> /etc/apt/sources.list
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt update
apt install tor deb.torproject.org-keyring apt-transport-tor -y
mv /etc/apt/sources.list /etc/apt.sources.backup2
touch /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ focal main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-updates main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-backports main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ focal-security main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb [arch=amd64] tor+https://deb.torproject.org/torproject.org focal main' >> /etc/apt/sources.list
apt update && apt dist-upgrade -V
Or, if you trust me, run this script:
curl -s https://yawnbox.com/scripts/focal_apt_upgrade.sh | sudo sh
All your future apt update and dist-upgrade commands will now be performed via high-grade TLS over Tor.
March 2022 update
DNS needs love too. If you are reading this and know of a way to push DoT or DoH traffic out Tor (like with a SOCKS5 proxy pointing to 127.0.0.1:9050 or something), please send me a message!
Edit Netplan:
sudo vim /etc/netplan/01-netcfg.yaml
Add Quad9 nameservers:
nameservers:
addresses:
- 9.9.9.9
- 149.112.112.112
- 2620:fe::fe
- 2620:fe::9
Apply netplan changes:
sudo netplan apply
Edit resolved.conf by enabling DNSOverTLS:
sudo sed -i 's/#DNSOverTLS=no/DNSOverTLS=yes/g' /etc/systemd/resolved.conf
sudo cat /etc/systemd/resolved.conf
Output should look like:
[Resolve]
#DNS=
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
DNSOverTLS=yes
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes
Restart systemd-resolved:
sudo systemctl restart systemd-resolved.service
You can validate this by using ufw. If, like me, you are denying all outbound (ufw default deny outgoing), all you have to do is delete the allow out 53/udp rule, and add an allow out 853/tcp rule. Otherwise, add a deny out 53/udp rule and test.
sudo ufw delete 53/udp
sudo ufw allow out 853/tcp
sudo ufw reload
or
sudo ufw deny out 53/udp
sudo ufw allow out 853/tcp
sudo ufw reload
Then simply try an outbound web request, like with sudo apt update! If it works, then your DNS queries are TLS encrypted to Quad9!
yawnbox