I performed the following on Ubuntu 15.10. My USB Armory (UA) is using the current Debian Jessie image. I used an Anker to format and image my SD card.
System setup
I use UFW to manage my main system’s iptables firewall, which is always enabled, but we need to allow routed traffic:
sudo ufw default allow routed
sudo ufw reload
When plugging in my UA, I have to verify in the kernel log what Ubuntu is calling the UA:
sudo cat /var/log/kern.log |grep usb0
See “enx1a5589a26942: renamed from usb0”, where enx1a5589a26942 is the name of the UA.
Then:
sudo /sbin/ip link set enx1a5589a26942 up
sudo /sbin/ip addr add 10.0.0.2/24 dev enx1a5589a26942
sudo /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.1/32 -o wlan0 -j MASQUERADE
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
(wlan0 is my interface with Internet access; substitute yours. Note that "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" does not work: the redirection is done by your unprivileged shell, not by sudo, so it fails with "Permission denied". Piping through sudo tee puts the write under root.)
Now I can SSH to my UA.
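The host-side steps above, gathered into one re-runnable script. This is an added example and not code from the original post; it assumes udev renames the gadget from usb0 to enx&lt;mac&gt; as in the kern.log line quoted earlier, that the UA sits at 10.0.0.1/24, and that the uplink interface is wlan0 unless another is given. The sample kern.log line in the comment is constructed.

```shell
#!/bin/sh
# Host-side bring-up for the USB Armory link (added example, not from the original post).
# Assumes: udev renames the gadget from usb0 to enx<mac>, the UA is 10.0.0.1/24, and the
# uplink is wlan0 unless passed as $3.
set -eu

UA_ADDR=10.0.0.1
HOST_ADDR=10.0.0.2/24

# Pull the renamed interface out of kernel log text on stdin. Matches (constructed) lines like
#   [ 1234.567] cdc_ether 1-1:1.0 enx1a5589a26942: renamed from usb0
# and prints the last match (the most recent plug-in), or nothing if there is none.
ua_iface_from_log() {
    sed -n 's/.*[[:space:]]\([A-Za-z0-9_]*\): renamed from usb0.*/\1/p' | tail -n 1
}

# Configure the link, NAT and forwarding. Safe to re-run after unplugging and replugging.
ua_bring_up() {
    ua_if=$1
    uplink=$2
    ip link set "$ua_if" up
    # 'replace' rather than 'add' so a second run does not fail with "File exists".
    ip addr replace "$HOST_ADDR" dev "$ua_if"
    # -C tests for an existing rule first, so repeated runs do not stack duplicate rules.
    iptables -t nat -C POSTROUTING -s "$UA_ADDR/32" -o "$uplink" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$UA_ADDR/32" -o "$uplink" -j MASQUERADE
    # sysctl performs the write as root itself; 'sudo echo 1 > /proc/sys/...' would not,
    # because the redirection is opened by the unprivileged shell before sudo runs.
    sysctl -w net.ipv4.ip_forward=1
}

# Usage (as root): sh ua-up.sh up [iface] [uplink]
if [ "${1:-}" = "up" ]; then
    ua_if=${2:-$(ua_iface_from_log < /var/log/kern.log)}
    [ -n "$ua_if" ] || { echo "no interface renamed from usb0 found in kern.log" >&2; exit 1; }
    ua_bring_up "$ua_if" "${3:-wlan0}"
fi
```

Run it with sudo after plugging in the UA; with no interface argument it reads the name from kern.log itself, and because every step is idempotent it can be wired to a udev rule or simply re-run by hand.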
Configure the USB Armory
ssh usbarmory@10.0.0.1
Set the locale (I use en_US.UTF-8):
sudo dpkg-reconfigure locales
Create a new user with admin privileges then delete the default UA user:
sudo adduser yawnbox
sudo adduser yawnbox sudo
Then log out and SSH back in as the new user before removing the default account: deluser will refuse to remove usbarmory while that account still owns a login session (which it does if you only "sudo su yawnbox" from inside it).
sudo deluser --remove-home usbarmory
Then I configure the time. ntp is obsolete; use Jake's tlsdate.
sudo apt-get update
sudo apt-get dist-upgrade -V
sudo apt-get remove --purge ntp -y
sudo apt-get install tlsdate -y
sudo tlsdate -V
Now we need to assure that the system time is going to be updated every time it boots.
sudo crontab -e
I <3 vim. Then add this line to the bottom:
@reboot tlsdate -V -n -H encrypted.google.com
Install tor:
sudo vim /etc/apt/sources.list
Add:
deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main
deb http://deb.torproject.org/torproject.org tor-experimental-0.2.7.x-jessie main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.7.x-jessie main
Then:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
Then install:
sudo apt-get update
sudo apt-get install tor deb.torproject.org-keyring
Configure your hidden service:
sudo vim /etc/tor/torrc
Uncomment these two lines only:
HiddenServiceDir /var/lib/tor/other_hidden_service/
HiddenServicePort 22 127.0.0.1:22
Restart tor:
sudo service tor restart
Get (and document it somewhere) your onion address:
sudo cat /var/lib/tor/other_hidden_service/hostname
Configure openssh-server :
sudo vim /etc/ssh/sshd_config
Comment out these lines:
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
Edit these lines:
ServerKeyBits 4096
PermitRootLogin no
(ServerKeyBits only sizes the SSH protocol 1 ephemeral server key, which a Protocol 2-only server never uses, so it is harmless but changes nothing; the size of the RSA host key was fixed when ssh_host_rsa_key was generated.)
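A quick offline check that the torrc and sshd_config edits above ended up as intended, before relying on them. This is an added example, not code from the original post or the USB Armory project; it assumes Debian's /etc/tor/torrc and /etc/ssh/sshd_config locations and checks only the directives this guide touches.

```shell
#!/bin/sh
# Offline check of the UA-side tor and sshd config from the steps above (added example,
# not from the original post). Assumes Debian's /etc/tor/torrc and /etc/ssh/sshd_config.
set -eu

# Emit only active directives from a config file: strip leading whitespace, comments, blanks.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# torrc: exactly one active HiddenServicePort for 22, forwarding to loopback, plus an
# active HiddenServiceDir so tor has somewhere to keep the onion key and hostname.
check_torrc() {
    lines=$(active_lines "$1")
    n=$(printf '%s\n' "$lines" | grep -cE '^HiddenServicePort[[:space:]]+22[[:space:]]' || true)
    [ "$n" -eq 1 ] || { echo "torrc: expected one HiddenServicePort 22 line, found $n" >&2; return 1; }
    printf '%s\n' "$lines" | grep -qE '^HiddenServicePort[[:space:]]+22[[:space:]]+127\.0\.0\.1:22$' \
        || { echo "torrc: HiddenServicePort 22 must forward to 127.0.0.1:22" >&2; return 1; }
    printf '%s\n' "$lines" | grep -qE '^HiddenServiceDir[[:space:]]+/' \
        || { echo "torrc: no active HiddenServiceDir" >&2; return 1; }
}

# sshd_config: root login disabled and no DSA or ECDSA host key line still active.
check_sshd_config() {
    lines=$(active_lines "$1")
    printf '%s\n' "$lines" | grep -qiE '^PermitRootLogin[[:space:]]+no$' \
        || { echo "sshd_config: PermitRootLogin is not 'no'" >&2; return 1; }
    if printf '%s\n' "$lines" | grep -qiE '^HostKey[[:space:]]+.*_(dsa|ecdsa)_key'; then
        echo "sshd_config: a DSA or ECDSA HostKey line is still active" >&2
        return 1
    fi
}

# Usage: sh ua-check.sh /etc/tor/torrc /etc/ssh/sshd_config
if [ $# -eq 2 ]; then
    check_torrc "$1" && check_sshd_config "$2" && echo "config looks good"
fi
```

Run it as root on the UA after editing both files and before restarting the services; a non-zero exit with a message on stderr tells you which directive to go back and fix.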
Test access
Edit your openssh-client to torify your SSH:
sudo vim /etc/ssh/ssh_config
Add (under "Host *"):
ProxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
This assumes tor is installed and running on the client with its SOCKS port on 127.0.0.1:9050, and that ncat (part of nmap) is installed. Under "Host *" it torifies every SSH connection, including the direct one to 10.0.0.1, which will then be handed to Tor instead of going over the USB link and will not work; putting the line under a "Host *.onion" stanza instead keeps both paths usable.
The client-side change takes effect on the next ssh invocation; nothing needs restarting there. On the UA, restart sshd so the sshd_config edits take effect:
sudo service ssh restart
Then SSH to the hidden service address hosted on your UA:
ssh yawnbox@2f4ov33h7utnjs.onion
Other thoughts
When inserting the UA into a Windows 7 client, it auto installs a driver for a “USB Ethernet/RNDIS Gadget”. Windows assigns it a non-routable 169.254.* address, but the UA will send out over 100 packets within the first 5 minutes. Tor and tlsdate can’t wait to touch the net ;)