I have previously mentioned Mixmaster on this blog, a great software tool for sending anonymous email that is also used to post to Usenet groups anonymously. Visiting a website in order to send an anonymous email is not a good idea, though, because your IP will be logged by the site's server.

You could use a proxy to get around this, or maybe you just want light anonymity, or you may be using a restricted computer and need to send an urgent, untraceable anonymous email or Usenet message.

That is when a web interface for sending anonymous messages through Mixmaster will come in handy.

If you want to run a web interface for the Mixmaster remailer on your server you could use Pyano, recently released (March 2010) and heavily inspired by the mixweb Perl script (last updated in 2005) at cotse.net.

Pyano web interface mixmaster remailer for administrators

If you are simply a remailer user and want to send an anonymous message, or if you want to see how Pyano works, then visit:

Mattherhorn remailer web interface for users

Send email anonymously

The German Privacy Foundation also has a remailer web interface on its website, although it does not run on Pyano, and in my experience messages get lost far too often. I suspect this is because by default the web interface uses a fixed chain of five random remailers: that increases security, but also the likelihood of something happening to the message in transit.

With Pyano you can choose how many remailer proxies you want to use and which ones in particular, even the entry and exit nodes.

The German Privacy Foundation also runs a Tor proxy and an I2P proxy.

German Privacy Foundation remailer web interface for users


The Free Technology Academy aims to contribute to a society that permits all users to study, participate and build upon existing knowledge without restrictions.

The software used in the Free Technology Academy virtual campus is free software built upon an open standards framework.

The Free Technology Academy is financially supported by the Life Long Learning programme (LLP) of the European Commission.

You can download two great free Linux related eBooks from their materials webpage.

These books are released under the Creative Commons license, and it is likely that there will be new ones added to their course materials.

Check the Free Technology Academy website for updates and to learn what they are about.

Downloads:

Free eBook: Introduction to Free Software

Free eBook: GNU/Linux Advanced Administration

Unix server hacker (Creative Commons licensed picture)

Other great free open source Linux related eBooks that will help you build your knowledge can be found at:

Linux From Scratch

Not specifically Unix related, you can also try your luck at Wikibooks for all kinds of free books online, although, unlike the others, Wikibooks does not seem to have a PDF download option.

Wikibooks

Geeky programmers can visit the FreeTechBooks website to download free online computer science, engineering and programming ebooks, textbooks and lecture notes, all of them legally released to the internet community. There are some interesting open source books in the FreeBSD section.

FreeTechBooks


Mixmaster is anonymous remailer software. It encrypts your email messages before sending them and typically fires them off through a series of anonymous proxies; you can choose how many proxies, and which ones, are on the chain. It also provides protection against traffic analysis by delaying the sending of messages at random.

This excellent Linux Journal video introduces Mixmaster and explains how you can download it to your own Unix machine and help the internet anonymity cause by running an anonymous email server.

Mixmaster runs on *BSD, Linux and Microsoft Windows. If you have questions about remailers and Mixmaster, one of the best ports of call is the newsgroup alt.privacy.anon.server

You can read the mailing list for remailer operators, and subscribe, at:

http://lists.mixmin.net/mailman/listinfo/remops

Mixmaster remailer software homepage:

http://mixmaster.sourceforge.net/


There are some spammers out there, especially in the adult business, who take some of the highest-ranked Google images and then hotlink to them in order to get your traffic. It is also possible that your hosting account has limited bandwidth, or simply that you do not want anyone to hotlink to any of your images. Here is what you do to stop it.

Go to your web hosting account and edit your .htaccess file, or create it if it does not exist, then add these lines (RewriteEngine will typically already be set to on if you have a WordPress blog; in that case omit that line rather than writing it twice):

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://unix.privacylover.com/wp-content/uploads/2009/11/bandwidth_theft_message.gif [NC,R,L]

That is it! The most important part is to get yourdomain.com right; if you do not, your own pages will show the nasty image served from unix.privacylover.com/wp-content/uploads/2009/11/bandwidth_theft_message.gif

To whitelist search engines and let them hotlink to your images, you should add these lines to your .htaccess file (add other search engines at will):

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.de [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.nl [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.co.uk [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.es [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.ca [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.co.uk [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.de [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.ca [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.ca [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.de [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.co.uk [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?ask.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://unix.privacylover.com/wp-content/uploads/2009/11/bandwidth_theft_message.gif [NC,R,L]

Stop bandwidth theft

Code explanation:

RewriteCond %{HTTP_REFERER} !^$ > Allow blank referrers (recommended). Some users surf behind a firewall that strips the referrer; disallowing blank referrers would block them from accessing these images. If you still want to do that, simply delete this line.

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC] > Site allowed to link to your images. If you do not add your domain here you will block your own blog from displaying the images. You can also add Google and Bing here so that they can still link to the images.

RewriteRule \.(jpg|jpeg|png|gif)$ http://unix.privacylover.com/wp-content/uploads/2009/11/bandwidth_theft_message.gif [NC,R,L] > In between the () are the file types you want to block from hotlinking; you can also add .css and other extensions such as .bmp. To add more, separate them with "|".

Change 'http://unix.privacylover.com/wp-content/uploads/2009/11/bandwidth_theft_message.gif' to your own message; whenever image hotlinking is detected this image will show up. It is better to host that image somewhere outside your own web host.

Warning: Make sure the image you are serving is not hotlink protected or your server can go into an endless loop.
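To see which requests the chain above will actually redirect before deploying it, here is an added shell example (not code from the original post) that reproduces the decision the RewriteCond lines make: a blank referrer or a referrer from an allowed host passes, and any other request for a protected extension is blocked. It also checks the endless-loop case from the warning: a replacement image served from your own host that the rule would block again. The allowed-host list and OWN_HOST are constructed samples; unlike the post's patterns, the host regex escapes the dots and anchors the host name, so a look-alike host such as yourdomain.com.evil.example does not pass.

```shell
#!/bin/sh
# Added example, not from the original post: emulate the .htaccess hotlink
# chain so the allow/block outcome can be checked offline.

# Hosts allowed to embed the images (constructed sample list, ERE syntax).
ALLOWED_REFERER_HOSTS='yourdomain\.com google\.com bing\.com yahoo\.com ask\.com'

# Extensions protected by the RewriteRule, same list as the post.
PROTECTED_EXT='\.(jpg|jpeg|png|gif)$'

# Your own host name, used for the redirect-loop check (constructed).
OWN_HOST='yourdomain.com'

# hotlink_decision REFERER PATH -> prints "allow" or "block"
hotlink_decision() {
    referer=$1
    path=$2
    # A path without a protected extension never matches the RewriteRule.
    if ! printf '%s\n' "$path" | grep -Eiq "$PROTECTED_EXT"; then
        echo allow; return
    fi
    # RewriteCond !^$ : a blank referrer makes the chain fail, so it is allowed.
    if [ -z "$referer" ]; then
        echo allow; return
    fi
    # Every whitelist RewriteCond is negated: a match on any allowed host
    # makes that condition false and the rule does not fire ([NC] -> -i).
    # Anchoring on "/", ":" or end of string is stricter than the post's pattern.
    for host in $ALLOWED_REFERER_HOSTS; do
        if printf '%s\n' "$referer" | grep -Eiq "^https?://(www\.)?$host([/:]|$)"; then
            echo allow; return
        fi
    done
    echo block
}

# replacement_loops REPLACEMENT_URL REFERER -> "loop" if the replacement image
# lives on your own host and would itself be blocked for that referrer (the
# endless loop the post warns about), otherwise "fine".
replacement_loops() {
    url=$1
    ref=$2
    host=$(printf '%s\n' "$url" | sed -E 's#^https?://([^/]+).*#\1#')
    rpath=$(printf '%s\n' "$url" | sed -E 's#^https?://[^/]+##')
    if [ "$host" = "$OWN_HOST" ] || [ "$host" = "www.$OWN_HOST" ]; then
        [ "$(hotlink_decision "$ref" "$rpath")" = block ] && { echo loop; return; }
    fi
    echo fine
}
```

Run `hotlink_decision 'http://some.site/page' /wp-content/uploads/photo.jpg` to see what a given referrer gets, and `replacement_loops URL REFERER` before pointing the RewriteRule at an image on your own server.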

Other ways to protect against image hotlinking:

You may turn on hotlink protection in your cPanel web hosting account, but this allows far less customization than the manual .htaccess code.

There is a plugin for Wordpress to stop hotlinking: WordPress Automatic Image Hotlink Protection

To check whether your hotlink protection is working, visit this free hotlink checker


If you are having performance problems with Voice over IP, online gaming, or any other service, you can now find out whether you have a bandwidth problem, slow response times, or packet loss. There is a new service from the creators of Speedtest, called PingTest.

It will tell you about your packet loss, ping time (this measurement tells how long it takes for a packet of data to travel from your computer to a server on the Internet and back) and jitter (the variance between successive ping tests).

You will need an internet browser with at least Flash 9.0 installed in order to see the results.

PingTest


When working in bash, zsh, ksh or any other Unix shell, the default is to save a history of the typed commands; this can become a security and privacy risk.

Stop the history file keeping a copy of typed commands

This can be used any time you like, assuming you have administrator rights (using the bash shell as an example).

# kill -9 $$

$$ gives the pid of the current shell instance, and the kill ends the process.

You could also use the history command, see man history:

# history -c (clear the history)
# history -w (write to the file – overwrite!)

Delete the bash history file; find out where your shell saves the history of typed commands and delete it the same way. You may also use the shred command to overwrite it safely.

# rm -rf ~/.bash_history

But even if you delete the ~/.bash_history file, your current bash session will still be written to the history file once you log out, because it is being held in RAM; you will need the history -c command above to avoid this.

Stop writing to the history file for good

Examples based on the bash shell configuration files:

Turn off bash history for all users: append unset HISTFILE to /etc/profile

# echo "unset HISTFILE" >> /etc/profile

Set size of the history to zero:

HISTSIZE: the number of commands to remember in the command history. The default value in bash is 500. You can set this to 0 and disable the use of the history file.

Introduce the following command in your personal bash configuration file ~/.bashrc (~/.zshrc for the zsh shell users) or in the global bash configuration file /etc/bash.bashrc

export HISTSIZE=0

You will need to restart your bash session in order to activate the settings. You can check that your configuration was entered correctly by going to the command prompt and typing:

env

If you don't see your settings among the environment variables then you have done something wrong.

The names of the configuration files can depend on your Linux distribution and bash version; you can always see your particular options using man bash.
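As an added example, not from the original post, the following shell script checks whether a start-up file actually contains one of the settings above (ignoring commented-out lines, a common source of false confidence) and applies the same settings to the running session. The sample rc file it writes is constructed for the demonstration; the list of files audited is the one the post names.

```shell
#!/bin/sh
# Added example, not from the original post: audit shell start-up files for
# the history-disabling settings and apply them to the current session.

# history_disabled_in FILE -> exit status 0 if FILE contains an active
# "unset HISTFILE" or "[export ]HISTSIZE=0" line; commented lines are ignored.
history_disabled_in() {
    grep -Ev '^[[:space:]]*#' "$1" 2>/dev/null \
      | grep -Eq '^[[:space:]]*(unset[[:space:]]+HISTFILE|(export[[:space:]]+)?HISTSIZE=0)([[:space:]]|$)'
}

# disable_history_now: same effect for the running session. history -c is
# bash-specific, so it is only run when the script is executed by bash.
disable_history_now() {
    unset HISTFILE          # nothing is written to disk at logout
    HISTSIZE=0              # keep nothing in memory either
    if [ -n "${BASH_VERSION:-}" ]; then history -c; fi
    return 0
}

# write_sample_rc FILE: constructed ~/.bashrc-style file with one commented
# and one active setting, used to exercise history_disabled_in.
write_sample_rc() {
    cat > "$1" <<'EOF'
# constructed sample ~/.bashrc
export PATH=$PATH:/usr/local/bin
# HISTSIZE=0   <- commented out, must not count
export HISTSIZE=0
EOF
}

# audit_history_config: report on the files the post mentions.
# /etc/profile applies to all users; ~/.bashrc and ~/.zshrc to one user.
audit_history_config() {
    for f in /etc/profile /etc/bash.bashrc "$HOME/.bashrc" "$HOME/.zshrc"; do
        [ -f "$f" ] || continue
        if history_disabled_in "$f"; then
            echo "$f: history disabled"
        else
            echo "$f: history still on"
        fi
    done
}
```

Call `audit_history_config` after editing the files; the check is deliberately narrow (exact `unset HISTFILE` or `HISTSIZE=0`), so a setting spread over several lines or set through another mechanism is reported as "still on".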

Unix shell configuration files

Legend for the Unix shell configuration file table:

  • Blank means a file is not read by a shell at all
  • "yes" means a file is always read by a shell upon startup
  • "login" means a file is read if the shell is a login shell
  • "n/login" means a file is read if the shell is not a login shell
  • "int." means a file is read if the shell is interactive
  • "i.login" means a file is read if the shell is an interactive login shell

To find out what shell you are using type: echo $SHELL

To change your shell see chsh --help


A Virtual Private Server can work well for setting up your own anonymous internet browsing proxy. A VPS can cost as little as $8 a month, roughly the same as a private proxy or VPN provider would charge you, but with you in full control over the logs, and with server resources that can be used for other things besides hiding your IP when browsing, for example IRC chat through the shell with irssi or hosting a website with lighttpd.

You could also open this proxy to friends, and even set up your own anonymous proxy business open to the public. You do not need great knowledge of Unix to do this; I will write down a step-by-step tutorial. This was done on a Debian server.

Proxy Server Diagram

1) You will need to install a proxy server on your machine; this example uses micro_proxy (Debian package micro-proxy), a small Unix HTTP/HTTPS proxy that runs from inetd.

privacylover# apt-get install micro-proxy
Reading package lists… Done
Building dependency tree
Reading state information… Done
Suggested packages:
micro-httpd micro-inetd
The following NEW packages will be installed:
micro-proxy
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 9838B of archives.
After this operation, 65.5kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org lenny/main micro-proxy 20021030+debian-5 [9838B]
Fetched 9838B in 0s (24.8kB/s)
Selecting previously deselected package micro-proxy.
(Reading database … 16543 files and directories currently installed.)
Unpacking micro-proxy (from …/micro-proxy_20021030+debian-5_amd64.deb) …
Processing triggers for man-db …
Setting up micro-proxy (20021030+debian-5) …

2) Install xinetd on your server:

privacylover# apt-get install xinetd
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
xinetd
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 147kB of archives.
After this operation, 336kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org lenny/main xinetd 1:2.3.14-7 [147kB]
Fetched 147kB in 1s (140kB/s)
Selecting previously deselected package xinetd.
(Reading database … 16548 files and directories currently installed.)
Unpacking xinetd (from …/xinetd_1%3a2.3.14-7_amd64.deb) …
Processing triggers for man-db …
Setting up xinetd (1:2.3.14-7) …
Stopping internet superserver: xinetd.
Starting internet superserver: xinetd.

Set micro_proxy to run via xinetd (or inetd if you use that instead). Here is my xinetd.conf file configured to use micro_proxy:

service microproxy
{
    disable     = no
    bind        = 127.0.0.1
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    server      = /usr/sbin/micro_proxy
}

service microproxyssl
{
    disable     = no
    bind        = 127.0.0.1
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
    server      = /usr/sbin/micro_proxy
}

3) Make xinetd start the service for you by adding the following lines to your /etc/services file:

microproxy 2280/tcp
microproxyssl 2243/tcp

Notice that I am using port 2280 for HTTP and port 2243 for HTTPS; you can use any ports you like, but make sure they are open on your server. You will also need to comment out any existing entries in /etc/services that define the same ports.

After you have modified /etc/services you will need to restart xinetd for the changes to take effect:

/etc/init.d/xinetd restart

4) Make sure the ports you want to use are open on the server; there are various ways to check this:

a) Install lsof and then:

lsof -i -nN -P | grep 2280
xinetd 29568 root 5u IPv4 1152793 TCP 127.0.0.1:2280 (LISTEN)

As you can see the line returns LISTEN, which means that port 2280 is open. Change the port in the grep statement to the port you want to check.

b) You can use netstat to check for open ports:

privacylover:/etc# netstat -vatn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 64.62.173.51:53         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:982           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::53                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:953                 :::*                    LISTEN


c) Another method to check for open ports on the server is to scan yourself with nmap:

privacylover# nmap localhost
Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-30 05:21 UTC
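The reason the xinetd configuration binds both services to 127.0.0.1 is that the proxy should only be reachable through the SSH tunnel; a proxy listening on 0.0.0.0 or :: is an open proxy for the whole internet, which is exactly the kind of thing the port checks above should catch. As an added example, not from the original post, the following shell functions parse netstat -atn output and report whether a port listens on loopback only; the netstat lines embedded below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: check that the proxy ports are
# bound to the loopback address only, from "netstat -atn"-style output.

# Constructed sample output: 2280 is correctly on loopback, 2243 is exposed.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2280          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2243            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:40000          93.184.216.34:443       ESTABLISHED'

# listen_addr_for PORT [NETSTAT_OUTPUT] -> prints the local address of every
# TCP listener on PORT (one per line), nothing if PORT is not listening.
# Without a second argument the live "netstat -atn" output is used.
listen_addr_for() {
    port=$1
    printf '%s\n' "${2:-$(netstat -atn)}" \
      | awk -v p="$port" '
          $1 ~ /^tcp/ && $NF == "LISTEN" {
              # the port is whatever follows the last ":" in the local address
              n = split($4, a, ":")
              if (a[n] == p) { sub(":" p "$", "", $4); print $4 }
          }'
}

# loopback_only PORT [NETSTAT_OUTPUT] -> "ok" if every listener on PORT is on
# 127.0.0.1 or ::1, "exposed" if any is bound to a wildcard or public
# address, "closed" if nothing listens on PORT.
loopback_only() {
    addrs=$(listen_addr_for "$1" "$2")
    [ -z "$addrs" ] && { echo closed; return; }
    for a in $addrs; do
        case $a in
            127.0.0.1|::1) ;;
            *) echo exposed; return ;;
        esac
    done
    echo ok
}
```

On the server itself run `loopback_only 2280` and `loopback_only 2243` with no second argument; both must print "ok" before you open the ports in the firewall, otherwise the xinetd `bind` line is not doing what you think.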

5) Once you have installed micro_proxy, configured xinetd and edited /etc/services you should be done on the server side; now it is time to configure your internet browser.

If you are using Opera 9.*, go to Tools>Preferences>Advanced>Network>Proxy Servers and enter 127.0.0.1 port 5000 in the HTTP box and 127.0.0.1 port 5043 in the HTTPS box.

If you are using Firefox 3.* you will need to go to Tools>Options>Advanced>Settings and do exactly the same.

All that is left is setting up the tunnel from the shell. Before you start surfing with your browser, type:

ssh -L 5000:127.0.0.1:2280 -L 5043:127.0.0.1:2243 user...@machine.net

machine.net = your hostname; you will need to change the port numbers if you are using different ones.

To surf through the SSH tunnel on a Windows machine without a shell you can use KiTTY

Firewall:
If you have iptables installed, you will need to instruct your firewall to allow traffic through those ports; the following command opens port 2280 in iptables:

iptables -A INPUT -p tcp -i eth0 --dport 2280 -j ACCEPT

To find out the list of open ports in the firewall use iptables -L:

privacylover# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2280
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2243

Reference links:

- Alternative to micro_proxy: the proxy server software Antispyd

- List of open source proxy server software

- How to turn off the iptables firewall completely

- Find out what ports are listening on your server

Newsgroup dealing with port forwarding: comp.security.ssh


This article is from 2007; I found it to be an excellent and detailed review of the most common tools for encrypting data on Unix systems. These tools and methods are still valid and in use today.

It provides some insights on encryption techniques, code quality, and the relative merits of the various solutions. The following encrypted file systems are examined:

Loop-AES

DM-Crypt

Truecrypt

Crypto-FS

Enc-FS

In addition to looking at technologies and techniques the performance parameters for these encryption options are also assessed.

Download link (PDF article):
Review of tools to create an encrypted filesystem

This study was carried out by Linux Magazine


eCryptfs is a cryptographic filesystem built into the Linux kernel (versions 2.6.19 and later). It is also a stacked filesystem, which means that eCryptfs is a layer that works on top of other standard, lower filesystems such as ext4, FAT32, XFS and ReiserFS.

Some of the great advantages of eCryptfs over other encryption methods such as LUKS are:

  1. Dynamic size of the encrypted tree: the size of the encrypted part does not need to be fixed in advance, so you don't have to pre-allocate a big chunk of your hard disk to store sensitive data that may be only a few megabytes.
  2. All the cryptographic metadata is stored in the header of the file. This means that the encrypted file can be copied and moved from one location to another not leaving any metadata behind.
  3. Files can be encrypted with multiple keys so that multiple different users can have access to encrypted but shared files. You can have different files encrypted by different users and each user can access only his files.

Disadvantages of using eCryptfs (this may change in future versions):

  1. eCryptfs does not encrypt filenames, only the content.
  2. Certain patterns, such as a typical distribution of file size in a directory, will always give a clear hint of what is being stored, even if it is encrypted.

eCryptfs should not be used if you want to hide the fact that something is stored! You will not be able to deny the existence of encrypted files!

To install eCryptfs on RPM-based Linux (Fedora, Mandriva, openSUSE, etc.):

su -c 'yum install ecryptfs-utils'

To install eCryptfs on DEB-based Linux (Debian, Knoppix, GRML, etc.):

sudo aptitude install ecryptfs-utils

eCryptfs Linux Kernel chart

First create a folder in your home directory and name it secret:

mkdir ~/secret

Now change the folder permissions to make sure nobody else can access it:

chmod 700 ~/secret

Then mount ecryptfs over the secret folder using the following command as root:

mount -t ecryptfs ~/secret ~/secret

eCryptfs will then prompt you to answer a few questions, see screenshot below:

eCryptfs shell screenshot

After you have made your choices and mounted the encrypted folder you can add files inside.

To test the reliability of eCryptfs, unmount your encrypted folder and see if you can open the files inside the secret folder.

sudo umount ~/secret

If it is working properly, you should not be able to open any files inside the folder.
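The steps above wrapped in one script, as an added example that is not from the original post: it creates the folder with mode 700 and verifies that mode, mounts eCryptfs over it (root required; the interactive prompts are the same as in the screenshot), writes a test file, unmounts, and checks that the file content is no longer readable in the clear. The folder name ~/secret, the test file name and the "run" argument are assumptions for illustration; the mount detection reads /proc/mounts, which is Linux-specific.

```shell
#!/bin/sh
# Added example, not from the original post: eCryptfs set-up with a check
# after each step, plus the unmount test described above.

# dir_is_private DIR -> true if DIR exists and its mode is exactly 700
dir_is_private() {
    [ -d "$1" ] && [ -n "$(find "$1" -prune -perm 700 -print)" ]
}

# prepare_secret_dir DIR: create the folder and lock it down (mkdir + chmod 700)
prepare_secret_dir() {
    mkdir -p "$1" && chmod 700 "$1" && dir_is_private "$1"
}

# mount_secret DIR: mount eCryptfs over DIR (must be root; asks the usual questions)
mount_secret() {
    mount -t ecryptfs "$1" "$1"
}

# is_ecryptfs_mounted DIR -> true if an ecryptfs mount is active on DIR
# (DIR must be the absolute path without a trailing slash).
is_ecryptfs_mounted() {
    grep -q " $1 ecryptfs " /proc/mounts 2>/dev/null
}

# Usage as root:  sh this_script.sh run [DIR]
# Runs the reliability test from the post: with the mount gone, only the
# ciphertext file remains, so its plaintext must not be found in it.
if [ "${1:-}" = "run" ]; then
    dir=${2:-$HOME/secret}
    prepare_secret_dir "$dir" || { echo "could not prepare $dir"; exit 1; }
    mount_secret "$dir" || { echo "mount failed"; exit 1; }
    echo "hello" > "$dir/test.txt"        # constructed test content
    umount "$dir"
    if is_ecryptfs_mounted "$dir"; then echo "still mounted"; exit 1; fi
    if grep -q hello "$dir/test.txt" 2>/dev/null; then
        echo "plaintext leaked"; exit 1
    fi
    echo "ok: data unreadable while unmounted"
fi
```

The permission check is the part worth keeping even if you mount by hand: eCryptfs protects the file contents, but the 700 mode is what stops other local users from listing the directory, and the post's own disadvantages list (filenames and size patterns stay visible) is exactly why that matters.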

Warning: Once the encrypted data is accessed it will leave traces all over your operating system (swap, print spool, spell-checker, backups …). If you really care about your private data falling in the wrong hands then use whole disk encryption!



This is a video tutorial by Christian Brüffer from MeetBSD 2007 in Warsaw, Poland. It will teach you how to protect your privacy with Tor and FreeBSD.
