Artemis originates from ancient Greek and means, among other things, unharmful or safe. That is exactly what Artemis should deliver to you: safety for your data and no harm to your communications.
In detail, Artemis is a simple RaspberryPi loaded with a set of software packages and combined configurations, which together result in an isolated, secure server.
Artemis can be used in two different modes:
Hardware | Quantity |
---|---|
RaspberryPi + MicroUSB / Power Adapter | 1 |
MicroSD Card | 1 |
USB Thumbdrive | 1 |
RJ45 | 1 |
You can either follow the advice below or jump straight to configuration and continue with encryption of the filesystem.
Ensure that you download and install ArchLinux ARM to a non-infected SD card on a secured computer. We recommend the following procedure.
<sxh bash;># dd bs=1m if=./archlinux-YYYY.MM.DD-dual.iso of=/dev/sdX</sxh>
<sxh bash;># fdisk /dev/mmcblk0</sxh>
- Create and mount the FAT filesystem:
<sxh>
mkfs.vfat /dev/sdX1
mkdir boot
mount /dev/sdX1 boot
</sxh>
- Create and mount the ext4 filesystem:
<sxh>
mkfs.ext4 /dev/sdX2
mkdir root
mount /dev/sdX2 root
</sxh>
- Download and extract the root filesystem (as root, not via sudo):
<sxh>
wget http://archlinuxarm.org/os/ArchLinuxARM-rpi-latest.tar.gz http://archlinuxarm.org/os/ArchLinuxARM-rpi-latest.tar.gz.md5
# The checksum is fetched over plain HTTP from the same host, so it only
# detects a corrupted download, not a tampered one.

# GNU/Linux
md5sum ArchLinuxARM-rpi-latest.tar.gz > md5sums.md5
cat ArchLinuxARM-rpi-latest.tar.gz.md5 >> md5sums.md5
md5sum -c md5sums.md5

# MacOS X (md5 -q prints only the hash, so compare it with the hash field of the .md5 file)
md5 -q ArchLinuxARM-rpi-latest.tar.gz > ArchLinuxARM-rpi-latest.tar.gz.original.md5
awk '{print $1}' ArchLinuxARM-rpi-latest.tar.gz.md5 | diff - ArchLinuxARM-rpi-latest.tar.gz.original.md5
# If there is no output / 0 as exit code, the match was successful.

tar -xf ArchLinuxARM-rpi-latest.tar.gz -C root
sync
</sxh>
- Move boot files to the first partition:
<code>
mv root/boot/* boot
</code>
- Unmount the two partitions:
<code>
umount boot root
</code>
- Insert the SD card into the Raspberry Pi, connect ethernet, and apply 5V power.
- Use the serial console or SSH to the IP address given to the board by your router. The default root password is 'root'.
When finished, fire up the RaspberryPi with the new system connected to a display and keyboard, but not to a network. Log in with username root and password root.
To lock down Artemis' network access as tightly as possible, we drop all inbound and outbound traffic by default and whitelist only the services we need.
Save the following commands in /etc/iptables/purge-all-rules.sh
<sxh bash;Purging all iptable rules>
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
</sxh>
<sxh bash;title:Dropping all packages;>
# iptables -N TCP
# iptables -N UDP
</sxh>
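A complete default-deny ruleset of the kind described above, as an added example that is not part of the original howto: it prints an `iptables-restore` file with DROP policies on INPUT, FORWARD and OUTPUT, reusing the `TCP` and `UDP` chain names from the block above. The function names and the whitelisted ports (SSH in, DNS and HTTPS out) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: prints a default-deny ruleset for `iptables-restore`.
# Port lists are constructed sample values, not Artemis' real service list.

valid_port() {  # accept 1-65535 only; reject empty, non-numeric, leading zero
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ] 2>/dev/null
}

# gen_rules "<inbound tcp ports>" "<outbound proto/port pairs>"
gen_rules() {
    in_tcp=$1 out=$2
    # Validate everything first so a bad entry never yields a partial ruleset.
    for p in $in_tcp; do
        valid_port "$p" || { echo "bad inbound port: $p" >&2; return 1; }
    done
    for e in $out; do
        case "${e%%/*}" in tcp|udp) ;; *) echo "bad protocol: $e" >&2; return 1 ;; esac
        valid_port "${e#*/}" || { echo "bad outbound port: $e" >&2; return 1; }
    done

    # Policies are DROP; only loopback and already-tracked flows pass by default.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
    # Whitelist: one ACCEPT per inbound TCP port and per outbound proto/port.
    for p in $in_tcp; do echo "-A TCP -p tcp --dport $p -j ACCEPT"; done
    for e in $out; do
        echo "-A OUTPUT -p ${e%%/*} --dport ${e#*/} -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# Constructed sample: SSH in; DNS and HTTPS out.
gen_rules "22" "udp/53 tcp/443"
```

Review the output before loading it with `iptables-restore`; on Arch the `iptables` service reads `/etc/iptables/iptables.rules` at boot. With OUTPUT set to DROP, later steps such as `pacman -Syyu` only work if their outbound ports are on the whitelist.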
Now that you have sealed off your RaspberryPi, reboot it; we can then finally move on to encryption and the configuration parameters.
<sxh bash; title:Setting hostname> # hostnamectl set-hostname your-desired-hostname </sxh>
We raised this configuration to the Medium preset because some of the software we are going to use needs a bit more power than usual. Please adapt this to your needs.
<sxh bash; title:Boosting computational power of RPi>
# vim /boot/config.txt

##Medium
arm_freq=900
core_freq=333
sdram_freq=450
over_voltage=2
</sxh>
By default the RPi receives its IP address via DHCP. We'll assign it a static one.
<sxh bash;>
# cp /etc/netctl/examples/ethernet-static /etc/netctl
# vim /etc/netctl/ethernet-static

PUT CONFIG HERE
</sxh>
<sxh bash; title:Disabling default network settings>
# systemctl disable dhcpcd@eth0.service
# systemctl disable dhcpcd
# systemctl disable netctl-ifplugd@eth0
</sxh>
<sxh bash; title:Enabling new network config> # netctl enable ethernet-static </sxh>
<sxh bash;> # pacman -Syyu </sxh>
The first two programs are needed to complete this howto; vim is not required, but it is a comfortable choice.
<sxh bash;> # pacman -S rsync mkinitcpio vim </sxh>
Step | Command |
---|---|
1 | n |
2 | p |
3 | ENTER |
4 | ENTER |
5 | w |